Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 922
  • Last Modified:

Cisco NAC Firewall Ports Required

Hi,
I was wondering if anyone may have any documents on the firewall ports required for NAC profiler server and collector as well as NAC manager and server? I am trying to determine what ports are required as this is being implemented on a Layer 3 OOB real ip. Any help is appreciated.

Thanks.
0
cwtang
Asked:
cwtang
  • 2
1 Solution
 
cwtangAuthor Commented:
Hi,
Thanks for pointing out the link, however I have come across it before putting up the question. I have tried to search on the internet, but I am not able to find any documents on the Cisco NAC profiler server/collector on the firewall ports. Would you know of any documents describing the ports required for Cisco NAC profiler server and collector?

Thanks.
0
 
jmeggersCommented:
The initial document is correct NAS / NAM communication.  You also need to look at what's required for AD single sign-on if you're using that.  See http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/s_adsso.html specifically in the section "Required TCP Ports".

It looks to me from the documentation that Profiler and Collector use 31416, but so far I haven't found anything that explicitly states that.  I'm sure that has to be TCP.

There's another aspect dealing with the direction of the traffic.  Normally the Collector initiates the connection back to the Profiler as a client -> server connection.  Cisco's documentation recommends that if there's a firewall in between them it may be better to reverse the direction and have the Profiler act as the client and initiate the connection to the Collector (as the server) so a stateful firewall in between would allow the traffic through.  See http://www.cisco.com/en/US/docs/security/nac/profiler/configuration_guide/218/p_cfgpser.html#wp1057949

From the documentation:

"In environments where a firewall is in place between the Remote Collector Service and the NAC Profiler maintaining the endpoint database and providing system management, the Remote Collector service will likely be unable to initiate a TCP communication through the firewall back to the Server. In this case, the Remote Collector service should be configured with the Server Connection Type option selected to ensure that the Forwarder module on the Remote Collection service waits for the NAC Profiler to initiate TCP communications through the firewall, opening the port and enabling firewall traversal. Use this option if necessary, remembering that the NAC Profiler for the system will have to have a Network Connection added to the configuration for each Remote Collection service configured as a Server. Connection Type is Client. See Chapter 6, "Cisco NAC Profiler Server Configuration" for instructions on adding Network Connection to the Profiler Server Module."

-John
0
 
cwtangAuthor Commented:
Thanks for the great information. That was what  I was looking for even though I have opened a tac case.

Thank you.
0

Featured Post

New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now