Solved

Microsoft KMS server activations through Cisco ASA5525

Posted on 2015-02-03
Last Modified: 2015-06-22
We had to secure our MS 2008 KMS server from the internet and implement an IPSEC policy for KMS office activations. This does not appear to be working, and I was wondering if anyone had any luck putting a KMS server behind a Cisco ASA5525 9.1(5). We have been able to see packets getting to and from the client, through the ASA and to the 2008 server, with acknowledgements from the server, but no activations. Turn off IPSEC and presto, activations are working.
Possibly IPSEC is not the answer. Tried both with Kerberos and pre-shared key, same result.
Question by:ramseyjack

Expert Comment

by:David Johnson, CD, MVP
ID: 40588605
Easier to just block port 1688 on the KMS server from all but the local network.
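
One way to apply the host-firewall restriction suggested in the comment above, as an added example that is not part of the original thread. It assumes Windows Firewall with Advanced Security is enabled on the 2008 KMS host with a default inbound action of Block; the new rule name is constructed, and the built-in rule name is the English-language default, so confirm it on the host before disabling it.

```powershell
# Added example: scope inbound KMS (TCP 1688) to the local subnet on the KMS host.
# Assumption: the default inbound action is Block, so traffic without an allow rule is dropped.

# 1. Find every inbound rule that already opens 1688 (or mentions KMS by name).
netsh advfirewall firewall show rule name=all dir=in |
    Select-String -Pattern '1688|Key Management' -Context 3,10

# 2. Disable the built-in allow rule, which accepts any remote address.
#    Rule name assumed to be the English default; use the name found in step 1.
netsh advfirewall firewall set rule name="Key Management Service (TCP-In)" new enable=no

# 3. Add an allow rule limited to the host's own subnet (constructed rule name).
#    "localsubnet" covers only the subnet the KMS host sits on; for a routed
#    internal network, replace it with the internal ranges in CIDR form.
netsh advfirewall firewall add rule name="KMS 1688 local subnet only" dir=in action=allow protocol=TCP localport=1688 remoteip=localsubnet profile=domain

# 4. Verify the rule scope and confirm the default inbound action is still Block.
netsh advfirewall firewall show rule name="KMS 1688 local subnet only" verbose
netsh advfirewall show allprofiles firewallpolicy
```

Any other enabled inbound rule listed in step 1 with a wider remote address scope still exposes the port, so review that output before relying on the new rule.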

Expert Comment

by:kevinhsieh
ID: 40588848
Are you trying to prevent KMS from being contacted over the Internet, or are you trying to get KMS to work over the Internet?

I have KMS working from DMZ through ASA to inside network. Just allow the proper port. You can't do the same over the Internet so Microsoft requires that the KMS server not be available to the public.

Author Comment

by:ramseyjack
ID: 40588867
We are attempting to get KMS to work from the internet. We were contacted by MS to close down our outward facing port 1688 to the internet and complied. We then thought that by implementing via group policy an IPSEC policy that only allowed domain computers access to the KMS that it might work. The implemented process works flawlessly on the network, but it appears the ASA possibly changes the header or something in the IPSEC packets. Cisco was no help, but we have not escalated to a level that has more than Google experience.

Expert Comment

by:kevinhsieh
ID: 40588910
Okay, makes perfect sense. So you have IPSec working on the local LAN? That would be the first thing you would need to have working. After that, escalate with Cisco.

Accepted Solution

by:ramseyjack
ID: 40835005
The issue was with the fact that the Windows boxes were attempting to negotiate a Kerberos session and errored out on it. Once we disabled the Kerberos, all worked well.

Author Closing Comment

by:ramseyjack
ID: 40843110
That was what fixed it.