Cisco NAC3350-PROF-K9 Hardware Installation Guide - Page 106
Configuring the CAS Behind a NAT Firewall
Cisco NAC Appliance Connectivity Across a Firewall

Chapter 3 Installing the Clean Access Manager and Clean Access Server

Table 3-2 CAS and Firewall (if any) Port Usage (continued)

Communicating Devices: Agent (Windows OS) and Active Directory (AD) Server
Ports to Open: TCP 88, 135, 389, 445, 1025, 1026; UDP 88, 389
Purpose: AD SSO requires the following ports to be open:
• TCP 88 (Kerberos)
• TCP 135 (RPC)
• TCP 389 (LDAP) or TCP 636 (LDAP with SSL)
• TCP 445 (Microsoft-SMB; for example, needed for password change notices from the DC to the PC)
• TCP 1025 (RPC), non-standard
• TCP 1026 (RPC), non-standard
If it is not known whether the AD server is using Kerberos, you must open the following UDP ports instead:
• UDP 88 (Kerberos)
• UDP 389 (LDAP) or UDP 636 (LDAP with SSL)
Note When using LDAP to connect to the AD server (over TCP or UDP), Cisco recommends using TCP/UDP port 3268 (the default Microsoft Global Catalog port) instead of the default port 389. This allows a more efficient search of all directory partitions in both single-domain and multi-domain environments.
If your deployment requires LDAP services, use TCP/UDP 636 (LDAP with SSL encryption) instead of TCP/UDP 389 (plain text).
For more information on AD SSO, see the Cisco NAC Appliance Clean Access Server Configuration Guide, Release 4.8(3).

Configuring the CAS Behind a NAT Firewall

Caution If deploying a NAT firewall between the CAS and the CAM, the CAS must be in Standalone mode. Cisco NAC Appliance does not support High Availability CAS pairs when a NAT firewall is deployed on the trusted side of the CAS HA pair.
If deploying the Clean Access Server behind a firewall (that is, there is a NAT router between the CAS and the CAM), you will need to perform the following steps to make the CAS accessible:

Step 1 Connect to the CAS by SSH or use a serial console. Log in as the root user.

3-36 Cisco NAC Appliance Hardware Installation Guide OL-20326-01
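The AD SSO rows of Table 3-2 above contain three decision points (plain LDAP 389 versus LDAP with SSL 636, Cisco's recommended Global Catalog port 3268, and the UDP 88/389 fallback when it is not known whether AD uses Kerberos). The following script, added here as an example and not part of Cisco's guide or software, turns those rows into a required-port set and then probes the TCP ports from the Agent side so a firewall that silently drops one of them is found before users report SSO failures. The host name `ad.example.test` and the option names are assumptions; the table does not give a port for Global Catalog over SSL, so that combination is not modelled. UDP ports are listed but not probed, because a silent UDP socket cannot be told apart from a filtered one; verify those on the firewall rule base itself.

```python
"""Reachability check for the Agent <-> AD server ports in Table 3-2.

Added example for this page (not Cisco's code). Host and options are
assumptions to be set by the operator running the check.
"""
import socket
import sys

# Port numbers as given in Table 3-2 (Agent and AD server row).
KERBEROS = 88
RPC_ENDPOINT_MAPPER = 135
LDAP = 389                  # plain text
LDAPS = 636                 # LDAP with SSL
GLOBAL_CATALOG = 3268       # Cisco's recommended alternative to 389
SMB = 445                   # password-change notices from DC to PC
RPC_NONSTANDARD = (1025, 1026)


def required_ports(use_ldaps=False, use_global_catalog=False, kerberos_known=True):
    """Return {'tcp': set, 'udp': set} of ports the firewall must allow.

    Mirrors the table's decision points:
      - LDAP 389 (plain text) vs 636 (LDAP with SSL); 636 wins if requested
      - 3268 (Global Catalog) instead of 389 when use_global_catalog is set
      - UDP 88 and the UDP LDAP port when it is not known whether AD uses Kerberos
    """
    if use_ldaps:
        ldap_port = LDAPS
    elif use_global_catalog:
        ldap_port = GLOBAL_CATALOG
    else:
        ldap_port = LDAP
    tcp = {KERBEROS, RPC_ENDPOINT_MAPPER, ldap_port, SMB, *RPC_NONSTANDARD}
    udp = set()
    if not kerberos_known:
        udp = {KERBEROS, ldap_port}
    return {"tcp": tcp, "udp": udp}


def tcp_probe(host, port, timeout=2.0):
    """Best-effort TCP connect: True only if the handshake completes.

    A refused connection, a timeout (typical of a firewall that drops the
    SYN) or a DNS failure all return False.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ad_sso_path(host, probe=tcp_probe, **opts):
    """Probe every required TCP port; return the sorted list that is unreachable.

    `probe` is injectable so the decision logic can be tested without a network.
    UDP ports are returned separately as 'unverified' for manual rule review.
    """
    req = required_ports(**opts)
    blocked = sorted(p for p in req["tcp"] if not probe(host, p))
    return {"blocked_tcp": blocked, "unverified_udp": sorted(req["udp"])}


if __name__ == "__main__":
    # Constructed placeholder host; pass the real AD server as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "ad.example.test"
    result = check_ad_sso_path(target, use_ldaps=True, kerberos_known=False)
    for port in result["blocked_tcp"]:
        print(f"TCP {port} to {target} not reachable: check firewall rule")
    for port in result["unverified_udp"]:
        print(f"UDP {port} listed by Table 3-2: verify on the firewall rule base")
```

Run it from a host on the Agent's side of the firewall; an empty `blocked_tcp` list means every TCP port the table requires completed a handshake, which is the condition the CAS needs for AD SSO to work through that firewall.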