Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Cisco NAC Firewall Ports Required

Posted on 2010-09-23
4
855 Views
Last Modified: 2012-06-21
Hi,
I was wondering if anyone may have any documents on the firewall ports required for NAC profiler server and collector as well as NAC manager and server? I am trying to determine what ports are required as this is being implemented on a Layer 3 OOB real ip. Any help is appreciated.

Thanks.
0
Comment
Question by:cwtang
  • 2
4 Comments
 
LVL 3

Expert Comment

by:guitar7man
ID: 33753736
0
 

Author Comment

by:cwtang
ID: 33753952
Hi,
Thanks for pointing out the link, however I have come across it before putting up the question. I have tried to search on the internet, but I am not able to find any documents on the Cisco NAC profiler server/collector on the firewall ports. Would you know of any documents describing the ports required for Cisco NAC profiler server and collector?

Thanks.
0
 
LVL 18

Accepted Solution

by:
jmeggers earned 500 total points
ID: 33764029
The initial document is correct NAS / NAM communication.  You also need to look at what's required for AD single sign-on if you're using that.  See http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/s_adsso.html specifically in the section "Required TCP Ports".

It looks to me from the documentation that Profiler and Collector use 31416, but so far I haven't found anything that explicitly states that.  I'm sure that has to be TCP.

There's another aspect dealing with the direction of the traffic.  Normally the Collector initiates the connection back to the Profiler as a client -> server connection.  Cisco's documentation recommends that if there's a firewall in between them it may be better to reverse the direction and have the Profiler act as the client and initiate the connection to the Collector (as the server) so a stateful firewall in between would allow the traffic through.  See http://www.cisco.com/en/US/docs/security/nac/profiler/configuration_guide/218/p_cfgpser.html#wp1057949

From the documentation:

"In environments where a firewall is in place between the Remote Collector Service and the NAC Profiler maintaining the endpoint database and providing system management, the Remote Collector service will likely be unable to initiate a TCP communication through the firewall back to the Server. In this case, the Remote Collector service should be configured with the Server Connection Type option selected to ensure that the Forwarder module on the Remote Collection service waits for the NAC Profiler to initiate TCP communications through the firewall, opening the port and enabling firewall traversal. Use this option if necessary, remembering that the NAC Profiler for the system will have to have a Network Connection added to the configuration for each Remote Collection service configured as a Server. Connection Type is Client. See Chapter 6, "Cisco NAC Profiler Server Configuration" for instructions on adding Network Connection to the Profiler Server Module."

-John
0
 

Author Closing Comment

by:cwtang
ID: 33766343
Thanks for the great information. That was what  I was looking for even though I have opened a tac case.

Thank you.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Getting locked out and can't access Cisco via the web 18 76
BGP Network restrictions 6 45
How can I measure the quality of my Internet access? 2 72
Dlink-DIR 816 router 4 20
The Cisco RV042 router is a popular small network interfacing device that is often used as an internet gateway. Network administrators need to get at the management interface to make settings, change passwords, etc. This access is generally done usi…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question