07-04-2013 05:21 AM - edited 03-10-2019 08:37 PM
Hello,
Does anyone know how to implement IBFW with a Microsoft Terminal Server?
I'm trying to install this in my LAB. (https://supportforums.cisco.com/docs/DOC-20366)
But it doesn't seem to be working well with the Cisco AD Agent.
I had a working situation with all Windows 2008 servers.
But the AD Agent couldn't work with different users on the MS terminal server.
It attaches the user to an IP. If more than one user connects via the same IP the ACL rules don't work anymore.
We found this as a possible solution.
But after upgrading the DMZ server to Win2k8R2 it doesn't work at all when connecting from the DMZ.
Strange IP connectivity. (Ping to IIS on the inside works / HTTP-HTTPS does not. And this did work before implementing IP virt.)
Also a strange ipconfig in the RDP session:
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.173.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IPv4 Address. . . . . . . . . . . : 169.254.57.119
Subnet Mask . . . . . . . . . . . : 255.255.255.255
IPv4 Address. . . . . . . . . . . : 169.254.150.193
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 192.168.173.1
And the AD client doesn't see the users logged in....
Can anyone help with this?
Do you have this working? Or another Cisco solution? E.g. an MS terminal server AD agent like SonicWall can do.
Regards, Peter
07-05-2013 12:24 AM
Installed the DHCP server role on the TS.
It gives the user an address from the pool (.11 - .254), but the AD Agent can't correlate this to the user.
There is only one user active and not with the pool address, but with the TS address.
With 2 users with a TS session the ipconfig shows:
TS IP 192.168.173.10 and two pool addresses .11 and .12
This is what the ASA sees:
07-05-2013 05:44 AM
Wireshark in the TS session shows that the session uses different source addresses.
E.g. I'm seeing source 192.168.173.10 to 10.192.142.29. And to the internet / and to 10.192.142.28 (IIS) it uses source address 192.168.173.13!???
07-16-2013 05:57 AM
Answer Cisco:
If you mean that CDA is used for identity FW and you also are using sessions from a TS through the ASA... this won't work. As discussed above: the TS users, use the same source IP. The CDA can't make a user-IP mapping.
IBFW on the ASA works only for users logged on to PCs in an MS domain.
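A small model of the failure described in the Cisco answer and in Peter's captures, added here as an illustration and not code from Cisco or from anyone in this thread: the identity firewall keeps one user per source IP, so a second terminal-server logon from the same address displaces the first, and with IP virtualization the logon event is still reported on the TS address while the flow leaves from a pool address that has no mapping. The users, the ACL and the addresses are constructed (the IPs follow the ones Peter posted).

```python
"""Toy model of identity-based firewall user-to-IP mapping (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class IdentityMap:
    """Learns user<->IP bindings from logon events, keeping one user per IP."""
    by_ip: Dict[str, str] = field(default_factory=dict)

    def learn(self, user: str, ip: str) -> Optional[str]:
        """Record a logon; return the user that was displaced from this IP, if any."""
        displaced = self.by_ip.get(ip)
        self.by_ip[ip] = user
        return displaced if displaced != user else None

    def decide(self, src_ip: str, acl: Dict[str, str]) -> str:
        """Apply a per-user ACL to a flow by looking up its source IP."""
        user = self.by_ip.get(src_ip)
        if user is None:
            return "deny (unmapped source)"
        return acl.get(user, "deny")


TS_IP = "192.168.173.10"                 # the terminal server's own address
POOL_IP = "192.168.173.13"               # a per-session address from the DHCP pool
ACL = {"alice": "permit", "bob": "deny"}  # constructed per-user policy


def shared_ip_case() -> Tuple[Optional[str], str]:
    """Two TS users log on from the same address: the later binding wins."""
    m = IdentityMap()
    m.learn("alice", TS_IP)
    displaced = m.learn("bob", TS_IP)
    # alice's traffic is now evaluated as bob, so her permit rule no longer applies
    return displaced, m.decide(TS_IP, ACL)


def ip_virtualization_case() -> str:
    """Logon is reported on TS_IP, but the session's traffic egresses from POOL_IP."""
    m = IdentityMap()
    m.learn("alice", TS_IP)
    # the firewall has no binding for the pool address, so the flow is unmapped
    return m.decide(POOL_IP, ACL)


if __name__ == "__main__":
    print("shared IP:", shared_ip_case())
    print("IP virtualization:", ip_virtualization_case())
```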