
Cisco NAC Firewall Ports Required

Hi,
I was wondering if anyone may have any documents on the firewall ports required for NAC profiler server and collector as well as NAC manager and server? I am trying to determine what ports are required as this is being implemented on a Layer 3 OOB real IP. Any help is appreciated.

Thanks.
Asked by: cwtang
cwtang (Author) commented:
Hi,
Thanks for pointing out the link, however I have come across it before putting up the question. I have tried to search on the internet, but I am not able to find any documents on the Cisco NAC profiler server/collector on the firewall ports. Would you know of any documents describing the ports required for Cisco NAC profiler server and collector?

Thanks.
John Meggers (Network Architect) commented:
The initial document is correct for NAS / NAM communication. You also need to look at what's required for AD single sign-on if you're using that. See http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/s_adsso.html specifically in the section "Required TCP Ports".

It looks to me from the documentation that Profiler and Collector use 31416, but so far I haven't found anything that explicitly states that. I'm sure that has to be TCP.

There's another aspect dealing with the direction of the traffic. Normally the Collector initiates the connection back to the Profiler as a client -> server connection. Cisco's documentation recommends that if there's a firewall in between them it may be better to reverse the direction and have the Profiler act as the client and initiate the connection to the Collector (as the server) so a stateful firewall in between would allow the traffic through. See http://www.cisco.com/en/US/docs/security/nac/profiler/configuration_guide/218/p_cfgpser.html#wp1057949

From the documentation:

"In environments where a firewall is in place between the Remote Collector Service and the NAC Profiler maintaining the endpoint database and providing system management, the Remote Collector service will likely be unable to initiate a TCP communication through the firewall back to the Server. In this case, the Remote Collector service should be configured with the Server Connection Type option selected to ensure that the Forwarder module on the Remote Collection service waits for the NAC Profiler to initiate TCP communications through the firewall, opening the port and enabling firewall traversal. Use this option if necessary, remembering that the NAC Profiler for the system will have to have a Network Connection added to the configuration for each Remote Collection service configured as a Server. Connection Type is Client. See Chapter 6, "Cisco NAC Profiler Server Configuration" for instructions on adding Network Connection to the Profiler Server Module."

-John
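To make the direction point in John's answer concrete, here is a small connection-tracking model. It is an added, constructed example, not Cisco code and not something posted in this thread. The addresses are invented, the Profiler is placed on the firewall's protected side, and TCP/31416 is used as the listening port only because the thread mentions it; as John notes, the Cisco documentation cited here does not confirm that number.

```python
from dataclasses import dataclass

# Constructed addresses; the Profiler sits on the firewall's protected side.
PROFILER = "10.0.1.10"
COLLECTOR = "10.0.2.20"
LISTEN_PORT = 31416  # assumed from the thread; not confirmed by the Cisco docs cited
INSIDE = {PROFILER}  # hosts allowed to open NEW connections through the firewall


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # True only for the first packet of a connection (SYN, no ACK)


class StatefulFirewall:
    """Connection-tracking policy: a new connection is accepted only if its
    SYN comes from an INSIDE host; once tracked, packets of that connection
    are accepted in both directions.  Anything else is dropped."""

    def __init__(self):
        self.table = set()

    @staticmethod
    def _key(p):
        # Direction-independent key so reply packets match the same entry.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def filter(self, p):
        key = self._key(p)
        if key in self.table:
            return "ACCEPT established"
        if p.syn and p.src in INSIDE:
            self.table.add(key)
            return "ACCEPT new"
        return "DROP"


def collector_initiates():
    """Default mode: the remote Collector acts as the client and opens the
    session back to the Profiler.  Its SYN arrives from outside, so the
    stateful firewall never creates a state entry and drops it."""
    fw = StatefulFirewall()
    return [fw.filter(Packet(COLLECTOR, PROFILER, 40000, LISTEN_PORT, syn=True))]


def profiler_initiates():
    """Reversed mode (Collector configured as Server): the Profiler opens the
    connection outward; its SYN creates state, and the Collector's replies
    plus all later data in either direction ride on that entry."""
    fw = StatefulFirewall()
    exchange = [
        Packet(PROFILER, COLLECTOR, 50000, LISTEN_PORT, syn=True),  # SYN
        Packet(COLLECTOR, PROFILER, LISTEN_PORT, 50000),            # SYN-ACK
        Packet(PROFILER, COLLECTOR, 50000, LISTEN_PORT),            # data out
        Packet(COLLECTOR, PROFILER, LISTEN_PORT, 50000),            # data back
    ]
    return [fw.filter(p) for p in exchange]


if __name__ == "__main__":
    print("Collector-initiated:", collector_initiates())
    print("Profiler-initiated: ", profiler_initiates())
```

On a real firewall the reversed mode maps to a single rule permitting new TCP connections from the Profiler to each Collector on the listening port, with return traffic handled by the stateful engine; the cost, as the quoted documentation says, is one Network Connection entry on the Profiler per Collector configured as a Server.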
cwtang (Author) commented:
Thanks for the great information. That was what I was looking for even though I have opened a TAC case.

Thank you.