Solved

microsoft KMS server activations through Cisco ASA5525

Posted on 2015-02-03
6
170 Views
Last Modified: 2015-06-22
We had to secure our MS 2008 KMS server from the internet and implement a IPSEC policy for KMS office activations. This does not appear to be working, and was wondering if anyone had any luck putting a KMS server behind a Cisco ASA5525  9.1(5). have been able to see packets getting to and from the client, through the ASA and to the 2008 serve with acknowledgements from the server but no activations. Turn off IPSEC and presto, activations are working.
Possibly IPSEC is not the answer. Tried both with Kerberos and pre-shared key, same result.
0
Comment
Question by:ramseyjack
  • 3
  • 2
6 Comments
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 40588605
easier to just on the kms server to block port 1688 from all but the local network
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 40588848
Are you trying to prevent KMS from being contacted over the Internet, or are you trying to get KMS to work over the Internet?

I have KMS working from DMZ through ASA to inside network. Just allow the proper port. You can't do the same over the Internet so Microsoft requires that the KMS server not be available to the public.
0
 

Author Comment

by:ramseyjack
ID: 40588867
We are attempting to get KMS to work from the internet. We were contacted by MS to close down our outward facing port 1688 to the internet and complied. We then thought that by implementing via group policy an IPSEC policy that only allowed domain computers access to the KMS that it might work. The implemented process works flawlessly on the network, but it appears the ASA possibly changes the header or something in the IPSEC packets. Cisco no help, but have not escalated to a level that has more than google experience.
0
Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

 
LVL 42

Expert Comment

by:kevinhsieh
ID: 40588910
Okay, makes perfect sense. So you have IPSec working on the local LAN? That would be the first thing you would need to have working. After that, escalate with Cisco.
0
 

Accepted Solution

by:
ramseyjack earned 0 total points
ID: 40835005
The issue was with the fact that the windows boxes were attempting to negotiate a Kerberos session and had an error out on it. once we disabled the Kerberos, all worked well.
0
 

Author Closing Comment

by:ramseyjack
ID: 40843110
that was what fixed it
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Phishing is at the top of most security top 10 efforts you should be pursuing in 2016 and beyond. If you don't have phishing incorporated into your Security Awareness Program yet, now is the time. Phishers, and the scams they use, are only going to …
Examines three attack vectors, specifically, the different types of malware used in malicious attacks, web application attacks, and finally, network based attacks.  Concludes by examining the means of securing and protecting critical systems and inf…
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question