Cisco NAC Firewall Ports Required

Posted on 2010-09-23
Last Modified: 2012-06-21
Hi,
I was wondering if anyone may have any documents on the firewall ports required for NAC profiler server and collector as well as NAC manager and server? I am trying to determine what ports are required as this is being implemented on a Layer 3 OOB real ip. Any help is appreciated.

Thanks.
Question by:cwtang


Expert Comment

by:guitar7man
ID: 33753736

Author Comment

by:cwtang
ID: 33753952
Hi,
Thanks for pointing out the link; however, I had come across it before putting up the question. I have tried to search on the internet, but I am not able to find any documents on the firewall ports for the Cisco NAC Profiler server/collector. Would you know of any documents describing the ports required for the Cisco NAC Profiler server and collector?

Thanks.

Accepted Solution

by:jmeggers
ID: 33764029
The initial document is correct for NAS / NAM communication.  You also need to look at what's required for AD single sign-on if you're using that.  See http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/s_adsso.html specifically in the section "Required TCP Ports".

It looks to me from the documentation that Profiler and Collector use 31416, but so far I haven't found anything that explicitly states that.  I'm sure that has to be TCP.

There's another aspect dealing with the direction of the traffic.  Normally the Collector initiates the connection back to the Profiler as a client -> server connection.  Cisco's documentation recommends that if there's a firewall in between them it may be better to reverse the direction and have the Profiler act as the client and initiate the connection to the Collector (as the server) so a stateful firewall in between would allow the traffic through.  See http://www.cisco.com/en/US/docs/security/nac/profiler/configuration_guide/218/p_cfgpser.html#wp1057949

From the documentation:

"In environments where a firewall is in place between the Remote Collector Service and the NAC Profiler maintaining the endpoint database and providing system management, the Remote Collector service will likely be unable to initiate a TCP communication through the firewall back to the Server. In this case, the Remote Collector service should be configured with the Server Connection Type option selected to ensure that the Forwarder module on the Remote Collection service waits for the NAC Profiler to initiate TCP communications through the firewall, opening the port and enabling firewall traversal. Use this option if necessary, remembering that the NAC Profiler for the system will have to have a Network Connection added to the configuration for each Remote Collection service configured as a Server. Connection Type is Client. See Chapter 6, "Cisco NAC Profiler Server Configuration" for instructions on adding Network Connection to the Profiler Server Module."

-John
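
The direction question in the accepted solution is really a question about the state table of the firewall in between: a stateful firewall needs an explicit rule only for the side that sends the SYN, and the reply direction rides on the session state. The script below is an added example (not Cisco code and not from the thread) that models a stateful firewall with a minimal rule set and evaluates both deployment choices: the default Collector-as-client direction and the reversed Profiler-as-client "Server Connection Type" option the Cisco text describes. The addresses, zones and policy are constructed; TCP 31416 is taken from the answer above and is not confirmed by the documentation, and the example assumes the same port is used when the roles are reversed.

```python
"""Stateful-firewall model for choosing which side must initiate the
NAC Profiler <-> Collector session.  Added example, not Cisco code.

Assumptions (not confirmed by the thread or the Cisco docs): the listening
side uses TCP 31416 in both the default and the reversed direction.
Addresses, zones and the firewall policy below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """Permit NEW TCP sessions from src_net to dst_net on dst_port."""
    src_net: str
    dst_net: str
    dst_port: int


@dataclass(frozen=True)
class Session:
    """An established TCP session, identified by who initiated it."""
    client: str
    server: str
    dst_port: int


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = set()

    def syn(self, client, server, dst_port):
        """Client opens a session: needs an explicit rule for this direction."""
        c, s = ip_address(client), ip_address(server)
        for r in self.rules:
            if (c in ip_network(r.src_net) and s in ip_network(r.dst_net)
                    and r.dst_port == dst_port):
                self.sessions.add(Session(client, server, dst_port))
                return True
        return False

    def packet(self, src, dst, sport, dport):
        """Mid-session packet: allowed in either direction if it matches state."""
        for s in self.sessions:
            if (src, dst, dport) == (s.client, s.server, s.dst_port):
                return True          # client -> server, same session
            if (src, dst, sport) == (s.server, s.client, s.dst_port):
                return True          # server -> client reply, same session
        return False


PROFILER = "10.1.1.10"   # constructed: NAC Profiler server, data-centre zone
COLLECTOR = "10.2.2.20"  # constructed: remote Collector behind the firewall
PORT = 31416             # per the answer above; treat as unverified


def firewall_out_only():
    """Constructed policy: new sessions are permitted only from the
    data-centre zone out to the remote zone; nothing may be opened inbound."""
    return StatefulFirewall([Rule("10.1.1.0/24", "10.2.2.0/24", PORT)])


def collector_as_client(fw):
    """Default deployment: the Collector connects back to the Profiler."""
    opened = fw.syn(COLLECTOR, PROFILER, PORT)
    reply = fw.packet(PROFILER, COLLECTOR, PORT, 40000)   # reply to ephemeral port
    return opened, reply


def profiler_as_client(fw):
    """Reversed 'Server Connection Type': the Profiler connects to the Collector."""
    opened = fw.syn(PROFILER, COLLECTOR, PORT)
    reply = fw.packet(COLLECTOR, PROFILER, PORT, 40000)
    return opened, reply


def rule_needed(client, server, dst_port):
    """The single rule that makes a given initiation direction work; the
    reply direction needs none because the state table carries it."""
    return Rule(f"{client}/32", f"{server}/32", dst_port)


if __name__ == "__main__":
    print("collector->profiler:", collector_as_client(firewall_out_only()))
    print("profiler->collector:", profiler_as_client(firewall_out_only()))
    print("rule to keep the default direction:",
          rule_needed(COLLECTOR, PROFILER, PORT))
```

With the outbound-only policy the default direction fails at the SYN, while the reversed direction opens and the Collector's replies are accepted on state alone, which is exactly the traversal the Cisco text describes. If you would rather keep the default direction, `rule_needed` shows the one inbound rule to request from the firewall team; no matching rule is needed for the Profiler's replies.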

Author Closing Comment

by:cwtang
ID: 33766343
Thanks for the great information. That was what I was looking for, even though I have opened a TAC case.

Thank you.