<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: ACS 5.1 &amp; Tons of Domain Controllers Behind Firewalls in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/acs-5-1-tons-of-domain-controllers-behind-firewalls/m-p/1648844#M249368</link>
    <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;We had the same issue in our environment, where we have over 100 DCs located across the US and each behind a series of firewalls. We ended up going to LDAP and eventually LDAP-S as we were able to point the ACS machines to a specific set of servers. With AD, we would constantly see our ACS boxes trying to contact every GC server and if it failed to reach a few it would time out and disconnect.&lt;/P&gt;&lt;P&gt;Hopefully that helps.&lt;/P&gt;</description>
    <pubDate>Sun, 13 Mar 2011 18:56:52 GMT</pubDate>
    <dc:creator>dchamorro</dc:creator>
    <dc:date>2011-03-13T18:56:52Z</dc:date>
    <item>
      <title>ACS 5.1 &amp; Tons of Domain Controllers Behind Firewalls</title>
      <link>https://community.cisco.com/t5/network-access-control/acs-5-1-tons-of-domain-controllers-behind-firewalls/m-p/1648843#M249357</link>
      <description>&lt;P&gt;We have ACS 5.1 deployed in a large environment where we have two local domain controllers and boatloads of other domain controllers outside of our administrative domain behind multiple firewalls. When joining ACS to the domain we had troubles. Debugs were showing the system attempting connection to a bunch of DCs outside of us before eventually timing out. I decided to click the "Test Connectivity" button and let it sit. About 20 minutes later the page finally popped up the box that said the connection was successful. At that point I was able to save the config, the status showed connected, and I was even able to enumerate the directory groups.&lt;/P&gt;&lt;P&gt;However, when I go to do actual testing I keep getting EAP-TLS timeouts that I suspect are due to the million other DCs it's trying to talk to. Additionally, now when I go back to the "directory groups" tab it no longer pulls groups even though the status still shows "connected."&lt;/P&gt;&lt;P&gt;Is there any way to limit which domain controllers we talk to? Or should I just switch to a generic LDAP store? If I switch to LDAP, do I lose any functionality?&lt;/P&gt;&lt;P&gt;Thanks.&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 00:53:57 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/acs-5-1-tons-of-domain-controllers-behind-firewalls/m-p/1648843#M249357</guid>
      <dc:creator>AJ Cruz</dc:creator>
      <dc:date>2019-03-11T00:53:57Z</dc:date>
    </item>
    <item>
      <title>Re: ACS 5.1 &amp; Tons of Domain Controllers Behind Firewalls</title>
      <link>https://community.cisco.com/t5/network-access-control/acs-5-1-tons-of-domain-controllers-behind-firewalls/m-p/1648844#M249368</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;We had the same issue in our environment, where we have over 100 DCs located across the US and each behind a series of firewalls. We ended up going to LDAP and eventually LDAP-S as we were able to point the ACS machines to a specific set of servers. With AD, we would constantly see our ACS boxes trying to contact every GC server and if it failed to reach a few it would time out and disconnect.&lt;/P&gt;&lt;P&gt;Hopefully that helps.&lt;/P&gt;</description>
      <pubDate>Sun, 13 Mar 2011 18:56:52 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/acs-5-1-tons-of-domain-controllers-behind-firewalls/m-p/1648844#M249368</guid>
      <dc:creator>dchamorro</dc:creator>
      <dc:date>2011-03-13T18:56:52Z</dc:date>
    </item>
  </channel>
</rss>

