09-09-2011 06:37 PM
Hello all,
We have a pair of ACE 4710 devices in front of a TMG 2010 array (3 members) and are having some issues. We have a nat pool on the ACE and need to be able to use integrated authentication in TMG since we are filtering URLs based on user ID. For example some users might have access to certain websites that other users do not have access to. TMG does all this fine when we send traffic directly to one of the TMG servers and it can successfully authenticate the user using the active directory username that was passed through. The problem occurs when we send traffic through the ACE first, upon which time the user credentials are no longer appearing to TMG and the user is getting prompted for a username/password whenever they try to access a website. Even when they do enter their username and password (which they shouldn't have to do) the request is still denied by TMG since it is coming from "anonymous" instead of their actual username.
Another problem we seem to be having which isn't as important right now is the fact that since we are using a nat pool on the ACE, every web request to the TMG servers comes from one of the NAT addresses, rather than the original client IP. Is there any way to get around this and have the actual client IP show up instead?
Thanks,
Brandon
09-12-2011 03:47 AM
For the other problem I recommend this article to you:
09-12-2011 03:49 AM
For the first problem, I have a question. Do you load balance on L7? If yes, what is the header size? Do you go over the default max-parse-length?
09-12-2011 11:58 AM
Marko,
I am not sure how to determine the header size; however, we have increased the max-parse-length to 4096 (from the default 2048) just to be sure.
The ACE is still not passing the NTLM/Integrated authentication credentials through to the proxy server.
09-12-2011 10:38 PM
Hello Brandon!
Please look at show stats http. Are the counters for Max parselen errors increasing? If yes, your header will still be much bigger. To determine the size you can use a sniffer tool like Wireshark or tcpdump and just count the bytes in the header.
Another way is to use the command length-exceed continue in a http parameter-map.
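Counting the header bytes as suggested above can be scripted. The following is an added example, not code from the thread or from Cisco: it measures the size of each request header block in a captured client-to-proxy TCP payload and compares it with the ACE max-parse-length (2048 default, 4096 after the change mentioned earlier). The host name and the NTLM token are constructed placeholders.

```python
# Added example: measure HTTP request header size to compare against the ACE
# max-parse-length. Not from the thread; example.com and the token are made up.
import base64


def header_length(raw: bytes) -> int:
    """Byte count of request line + headers + terminating blank line, i.e. the
    span the ACE must parse. Returns -1 if no header terminator is present."""
    end = raw.find(b"\r\n\r\n")
    return -1 if end == -1 else end + 4


def exceeds_parse_length(raw: bytes, max_parse_length: int) -> bool:
    """True when the header block is larger than the configured parse length.
    An incomplete header counts as exceeding: the parser would also run out of
    budget before finding the end of the headers."""
    n = header_length(raw)
    return n == -1 or n > max_parse_length


def split_requests(stream: bytes) -> list:
    """Split a captured client->proxy payload into request header blocks.
    Assumes body-less requests (GET/CONNECT through a proxy)."""
    return [c + b"\r\n\r\n" for c in stream.split(b"\r\n\r\n") if c]


def largest_header(stream: bytes) -> int:
    """Largest header block seen on the connection (what the limit must cover)."""
    return max((header_length(r) for r in split_requests(stream)), default=0)


# Constructed sample: a proxy request carrying a fake NTLM Type 3 token. Real
# tokens are typically hundreds to a few thousand base64 characters, which is
# why integrated-auth headers blow past a 2048-byte parse limit.
FAKE_NTLM_TOKEN = base64.b64encode(b"NTLMSSP\x00" + b"\x00" * 1500).decode()
SAMPLE_REQUEST = (
    "GET http://example.com/ HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Proxy-Authorization: NTLM " + FAKE_NTLM_TOKEN + "\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
).encode()

if __name__ == "__main__":
    size = header_length(SAMPLE_REQUEST)
    for limit in (2048, 4096):
        print(f"header {size} bytes, limit {limit}: "
              f"{'EXCEEDS' if exceeds_parse_length(SAMPLE_REQUEST, limit) else 'ok'}")
```

Feed it the reassembled client-side TCP payload from a Wireshark "Follow TCP Stream" export to see whether the largest header on the connection still fits the configured limit.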
09-13-2011 10:54 AM
Marko,
It looks like the size of the headers was indeed greater than the allowed size. After increasing the max header size in the parameter-map we are no longer seeing the Max parselen errors counter increase, however credentials are still not passing through the ACE.
Any other ideas?
Thanks for your time,
Brandon
09-13-2011 11:50 PM
I guess it is time to provide some config now. Everything else would be just playing an oracle :-)
04-26-2012 01:25 PM
Brandon,
Can you post your configuration for this?
I am trying to configure this too...
Tks!