Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Cisco NAC Firewall Ports Required

Posted on 2010-09-23
4
Medium Priority
?
918 Views
Last Modified: 2012-06-21
Hi,
I was wondering if anyone may have any documents on the firewall ports required for NAC profiler server and collector as well as NAC manager and server? I am trying to determine what ports are required as this is being implemented on a Layer 3 OOB real ip. Any help is appreciated.

Thanks.
0
Comment
Question by:cwtang
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 3

Expert Comment

by:guitar7man
ID: 33753736
0
 

Author Comment

by:cwtang
ID: 33753952
Hi,
Thanks for pointing out the link, however I have come across it before putting up the question. I have tried to search on the internet, but I am not able to find any documents on the Cisco NAC profiler server/collector on the firewall ports. Would you know of any documents describing the ports required for Cisco NAC profiler server and collector?

Thanks.
0
 
LVL 18

Accepted Solution

by:
jmeggers earned 2000 total points
ID: 33764029
The initial document is correct NAS / NAM communication.  You also need to look at what's required for AD single sign-on if you're using that.  See http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/s_adsso.html specifically in the section "Required TCP Ports".

It looks to me from the documentation that Profiler and Collector use 31416, but so far I haven't found anything that explicitly states that.  I'm sure that has to be TCP.

There's another aspect dealing with the direction of the traffic.  Normally the Collector initiates the connection back to the Profiler as a client -> server connection.  Cisco's documentation recommends that if there's a firewall in between them it may be better to reverse the direction and have the Profiler act as the client and initiate the connection to the Collector (as the server) so a stateful firewall in between would allow the traffic through.  See http://www.cisco.com/en/US/docs/security/nac/profiler/configuration_guide/218/p_cfgpser.html#wp1057949

From the documentation:

"In environments where a firewall is in place between the Remote Collector Service and the NAC Profiler maintaining the endpoint database and providing system management, the Remote Collector service will likely be unable to initiate a TCP communication through the firewall back to the Server. In this case, the Remote Collector service should be configured with the Server Connection Type option selected to ensure that the Forwarder module on the Remote Collection service waits for the NAC Profiler to initiate TCP communications through the firewall, opening the port and enabling firewall traversal. Use this option if necessary, remembering that the NAC Profiler for the system will have to have a Network Connection added to the configuration for each Remote Collection service configured as a Server. Connection Type is Client. See Chapter 6, "Cisco NAC Profiler Server Configuration" for instructions on adding Network Connection to the Profiler Server Module."

-John
0
 

Author Closing Comment

by:cwtang
ID: 33766343
Thanks for the great information. That was what  I was looking for even though I have opened a tac case.

Thank you.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question