With Prashanth Goutham R.
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about configuring, troubleshooting, and best practices for Adaptive Security Appliances (ASA) and Firewall Services Module (FWSM) failover with Prashanth Goutham.
Firewall Services Module (FWSM) is a high-performance stateful-inspection firewall that integrates into the Cisco® 6500 switch and 7600 router chassis. The FWSM monitors traffic flows using application inspection engines to provide a strong level of network security. Cisco ASA protects networks of all sizes with MultiScale performance and a comprehensive suite of highly integrated, market-leading security services.
Prashanth Goutham is an experienced support engineer with the High Touch Technical Support (HTTS) Security team, covering all Cisco security technologies. During his four years with Cisco, he has worked with Cisco's major customers, troubleshooting routing, LAN switching, and security technologies. He is also qualified as a GIAC Certified Incident Handler (GCIH) by the SANS Institute.
Remember to use the rating system to let Prashanth know if you have received an adequate response.
Prashanth might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community forum shortly after the event. This event lasts through July 13, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
I've set up an ASA 5505 with 3 servers behind it. Running Exchange 2007 and RD Gateway behind NAT.
Port 443 is opened to allow Outlook Anywhere so the Domain users can access mail from outside the office without setting up a VPN tunnel. Also I use the RD Gateway so the users can access their workstations in the LAN and also the TS server (remote desktop).
This was working with the old firewall (D-Link Netdefend) but now the users get prompted with user/password popup from Outlook. The RD Gateway has also stopped working only telling the users "Logon Attempt Failed".
That means that Outlook failed to access the server using NTLM auth. and needs to use "basic auth" instead.
So my question:
Does the ASA 5505 allow NTLM Passthrough? If not, what will I need to buy?
This forum is specifically for the Failover Discussion on Cisco Firewalls; however, to answer your question, yes, ASA supports NTLM Passthrough:
The ASA supports the following Single Sign On (SSO) methods:
Do let me know what troubleshooting you have done so far... Hope that helps.
As I can read on the provided URL, those auth methods are supported on the "Single sign-on (SSO) for clientless SSL VPN users" section...
And I am not talking about building any VPN solution.
But can that be the issue? That the ASA is picking up the NTLM for the VPN? Not possible to disable the VPN feature somehow?
With D-Link it works. With Cisco it doesn't.
(Both devices redirect the TCP 443 to the internal IP of the server. Nothing else done.)