asked on

microsoft KMS server activations through Cisco ASA5525

We had to secure our MS 2008 KMS server from the internet and implement a IPSEC policy for KMS office activations. This does not appear to be working, and was wondering if anyone had any luck putting a KMS server behind a Cisco ASA5525 9.1(5). have been able to see packets getting to and from the client, through the ASA and to the 2008 serve with acknowledgements from the server but no activations. Turn off IPSEC and presto, activations are working.
Possibly IPSEC is not the answer. Tried both with Kerberos and pre-shared key, same result.

David Johnson, CD

easier to just on the kms server to block port 1688 from all but the local network

kevinhsieh

Are you trying to prevent KMS from being contacted over the Internet, or are you trying to get KMS to work over the Internet?

I have KMS working from DMZ through ASA to inside network. Just allow the proper port. You can't do the same over the Internet so Microsoft requires that the KMS server not be available to the public.

ramseyjack

ASKER

We are attempting to get KMS to work from the internet. We were contacted by MS to close down our outward facing port 1688 to the internet and complied. We then thought that by implementing via group policy an IPSEC policy that only allowed domain computers access to the KMS that it might work. The implemented process works flawlessly on the network, but it appears the ASA possibly changes the header or something in the IPSEC packets. Cisco no help, but have not escalated to a level that has more than google experience.

kevinhsieh

Okay, makes perfect sense. So you have IPSec working on the local LAN? That would be the first thing you would need to have working. After that, escalate with Cisco.

ASKER CERTIFIED SOLUTION

ramseyjack

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

ramseyjack

ASKER

that was what fixed it