Cisco NAC3350-PROF-K9 Hardware Installation Guide - Page 104
Cisco NAC Appliance Connectivity Across a Firewall
Chapter 3 Installing the Clean Access Manager and Clean Access Server

4. Before deploying the CAS in a production environment, Cisco strongly recommends acquiring a trusted certificate from a third-party Certificate Authority to replace the temporary certificate (in order to avoid the security warning that is displayed to end users during user login). For further details, see the "Manage CAS SSL Certificates" and "Synchronize System Time" sections of the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3). For details on CAM certificates, see the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3).

Cisco NAC Appliance Connectivity Across a Firewall

The Clean Access Manager (CAM) uses Java Remote Method Invocation (RMI) for parts of its communication with the Clean Access Server (CAS), which means it uses dynamically allocated ports for this purpose. If your deployment has a firewall between the CAS and the CAM, you will need to set up rules in the firewall to allow communication between the CAS and CAM machines, that is, a rule that allows traffic originating from the CAM destined to the CAS and vice versa.

Note: If there is a NAT router between the CAS and CAM, also refer to the section "Configuring the CAS Behind a NAT Firewall" in the Installation chapter of the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3) for additional details.

Table 3-1 lists the ports that are required for communication between the CAS and the CAM (per version of Cisco NAC Appliance).

Table 3-1 Port Connectivity for CAM/CAS

Cisco NAC Appliance Version                     Required Ports
4.8, 4.7(x), 4.6(1), 4.5(x), 4.1(x), 4.0(x)     TCP ports 443, 1099, and 8995~8996
3.6(x)                                          TCP ports 80, 443, 1099, and 8995~8996
3.5(x)                                          TCP ports 80, 443, 1099, and 32768~61000 (usually 32768~32999 are sufficient)
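As an added example (not Cisco's code and not part of this guide), the following Python script checks an iptables-style FORWARD allowlist against the Table 3-1 port set, in both directions (CAM to CAS and CAS to CAM), and reports any required port or port range that no ACCEPT rule covers. The CAM address 10.0.0.10, the CAS address 10.0.1.20, the sample rule lines and the version keys used to index the table are constructed for the example; the iptables syntax it parses is the small `-s/-d/-p tcp/--dport/-j` subset shown in the sample.

```python
"""Check that an iptables-style allowlist permits the CAM<->CAS flows in Table 3-1.

Added example, not Cisco's code. Only the rule syntax shown in SAMPLE_RULES is
parsed; the addresses and rules are constructed sample values.
"""
import re

# Required TCP destination ports per Cisco NAC Appliance release (Table 3-1).
# Each entry is an inclusive (low, high) port range. The version keys are the
# example's own labels, not identifiers from the guide.
REQUIRED_PORTS = {
    "4.x": [(443, 443), (1099, 1099), (8995, 8996)],
    "3.6(x)": [(80, 80), (443, 443), (1099, 1099), (8995, 8996)],
    "3.5(x)": [(80, 80), (443, 443), (1099, 1099), (32768, 61000)],
}

# Constructed sample ruleset: CAM is 10.0.0.10, CAS is 10.0.1.20. The CAS->CAM
# direction is deliberately incomplete (no 1099, only half of 8995~8996).
SAMPLE_RULES = """\
-A FORWARD -s 10.0.0.10/32 -d 10.0.1.20/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.0.0.10/32 -d 10.0.1.20/32 -p tcp -m tcp --dport 1099 -j ACCEPT
-A FORWARD -s 10.0.0.10/32 -d 10.0.1.20/32 -p tcp -m tcp --dport 8995:8996 -j ACCEPT
-A FORWARD -s 10.0.1.20/32 -d 10.0.0.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.0.1.20/32 -d 10.0.0.10/32 -p tcp -m tcp --dport 8995 -j ACCEPT
"""

RULE_RE = re.compile(
    r"-A FORWARD -s (?P<src>\S+) -d (?P<dst>\S+) -p tcp(?: -m tcp)? "
    r"--dport (?P<lo>\d+)(?::(?P<hi>\d+))? -j (?P<target>\w+)"
)


def parse_rules(text):
    """Return (src, dst, lo, hi) tuples for ACCEPT rules; other lines are ignored.

    Chain order and the chain's default policy are not modelled: a DROP or
    REJECT that precedes an ACCEPT in the real chain still needs manual review.
    """
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if not m or m.group("target") != "ACCEPT":
            continue
        lo = int(m.group("lo"))
        hi = int(m.group("hi") or lo)
        src = m.group("src").split("/")[0]  # strip a /32 host mask if present
        dst = m.group("dst").split("/")[0]
        rules.append((src, dst, lo, hi))
    return rules


def _uncovered(required, intervals):
    """Return the sub-ranges of `required` (lo, hi) not covered by `intervals`."""
    lo, hi = required
    gaps, cursor = [], lo
    for ilo, ihi in sorted(intervals):
        if ihi < cursor:          # interval lies entirely before the cursor
            continue
        if ilo > cursor:          # hole between cursor and this interval
            gaps.append((cursor, min(ilo - 1, hi)))
        cursor = max(cursor, ihi + 1)
        if cursor > hi:
            break
    if cursor <= hi:              # tail of the required range still uncovered
        gaps.append((cursor, hi))
    return gaps


def missing_flows(version, cam_ip, cas_ip, rules):
    """List (src, dst, lo, hi) flows required for `version` that no rule allows.

    Both directions are checked, as the guide requires: CAM->CAS and CAS->CAM.
    """
    gaps = []
    for src, dst in ((cam_ip, cas_ip), (cas_ip, cam_ip)):
        intervals = [(lo, hi) for s, d, lo, hi in rules if s == src and d == dst]
        for req in REQUIRED_PORTS[version]:
            for glo, ghi in _uncovered(req, intervals):
                gaps.append((src, dst, glo, ghi))
    return gaps


if __name__ == "__main__":
    for version in REQUIRED_PORTS:
        gaps = missing_flows(version, "10.0.0.10", "10.0.1.20", parse_rules(SAMPLE_RULES))
        print(f"{version}: {'OK' if not gaps else 'missing ' + str(gaps)}")
```

Against the sample rules the 4.x check reports CAS-to-CAM port 1099 and port 8996 as unreachable, which is exactly the kind of one-sided rule that breaks RMI callbacks while the web UI on 443 keeps working. Because the check is driven by `REQUIRED_PORTS`, pointing it at the 3.5(x) entry shows how much larger the allowlist had to be before the 8995~8996 range was fixed.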
For example, for Single Sign-On (SSO) capabilities, additional ports must be opened on the CAS and firewall (if any) to allow communication between the Agent and the Active Directory Server, as shown in Table 3-2. Table 3-2 provides further details about communicating devices, the ports affected, and the purpose of each port.

3-34 Cisco NAC Appliance Hardware Installation Guide OL-20326-01