01-28-2015 06:35 AM - edited 02-21-2020 05:23 AM
Hello,
I am trying to install the Cisco CDA (Context Directory Agent) to bridge the windows identity gap between Active Directory and Cisco IronPort WSA and eventually ASA.
I followed all the rules in the deployment instructions and I still cannot get this to connect. With a Domain Admin it always refuses the password. I then decided to try creating a new account as a domain user called CDAService and I followed the extra steps required to grant this user the proper access to the specific registry keys, DCOM and WMI, and it was added to the Event Log Readers group in AD. However, the error with this new user account is this:
exception - org.jinterop.dcom.common.JIRuntimeException: The RPC server is unavailable. Please check if the COM server is up and running and that route to the COM Server is accessible (A simple "
wmi - Win32_NTDomain
exception - The RPC server is unavailable. Please check if the COM server is up and running and that route to the COM Server is accessible (A simple "
wmi - DomainName
dc - CDAService
I logged onto the console of our CDA virtual machine and I was able to ping the DC by name. I also used the wbemtest utility on my workstation with the CDAService account to connect to the \root\cimv2 namespace, and I was able to pull Win32_ComputerSystem attributes from WMI with that account. I am on the same subnet as the CDA appliance.
I double-checked the Windows Server 2008 R2 firewall on this DC, and the inbound rules that have to do with WMI (ASync-In, DCOM-In, WMI-In) are all set to allow inbound.
Any ideas how to get this to work? It's a Server 2008 R2 level domain.
01-28-2015 07:31 AM
Oh, I also turned on Windows Firewall logging and I see the IP address of the CDA ALLOW TCP to the DC IP address port 135. So it's getting in.
01-28-2015 09:06 AM
OK, with the Windows firewall off for the domain profile, it works. However, we want the firewall on.
I ran this command just like the instructions said, but I guess there is something else the firewall is blocking?
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes
Here is the installation guide I am following:
01-28-2015 09:30 AM
OK, no idea what is blocking it, so I created a new rule for any protocol in from the IP address of the CDA appliance, to allow this connection.
It seems to be communicating to my DCs now.
The documentation needs to be updated, because it's more than just the 4 WMI rules (Async-In, WMI-In, DCOM-In, WMI-Out).
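The thread ends with an "any protocol from the CDA IP" rule, which works but is broader than the DCOM exchange needs. The following PowerShell script is an added example, not Cisco's code and not the original poster's; it assumes it is run elevated on the domain controller, that $CdaIp, $DcName and the service account name are placeholders to be replaced, and that firewall logging is already on (as the poster enabled it) at the default pfirewall.log location. It shows the four built-in WMI group rules, the RPC dynamic port range that DCOM hands clients off to after port 135, which destination ports the firewall actually dropped for the CDA address, a pair of rules scoped to the CDA IP and the WMI service instead of "any protocol", and a way to reproduce the Win32_NTDomain query from the error above with the CDAService account from another Windows host.

```powershell
# Added example for this thread (not from Cisco or the original poster).
# Run in an elevated PowerShell prompt on the DC. Placeholders below must be replaced.
$CdaIp  = "192.0.2.10"            # placeholder: CDA appliance address
$DcName = "dc01.example.com"      # placeholder: this DC's FQDN, used by Test-CdaWmiQuery
$FwLog  = "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"  # default log path

# 1. Enable the built-in WMI group (same command as the guide) and show each of the
#    four rules it contains, so "Enabled: Yes" and the profile can be verified per rule.
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes
$WmiRules = "Windows Management Instrumentation (WMI-In)",
            "Windows Management Instrumentation (DCOM-In)",
            "Windows Management Instrumentation (ASync-In)",
            "Windows Management Instrumentation (WMI-Out)"
foreach ($r in $WmiRules) { netsh advfirewall firewall show rule name="$r" }

# 2. DCOM only starts on TCP 135; the endpoint mapper then redirects the client to a
#    dynamic TCP port, so an ALLOW on 135 in the log does not mean the session works.
netsh int ipv4 show dynamicport tcp

# 3. Which destination ports did the firewall drop for the CDA address after 135?
#    pfirewall.log fields: date time action protocol src-ip dst-ip src-port dst-port ...
function Get-DroppedPorts {
    param([string]$LogPath, [string]$RemoteIp)
    $ipPattern = [regex]::Escape($RemoteIp)
    Select-String -Path $LogPath -Pattern "DROP" |
        Where-Object { $_.Line -match $ipPattern } |
        ForEach-Object {
            $f = $_.Line -split "\s+"
            # only inbound drops from the CDA (src-ip is field 4) to this DC
            if ($f[4] -eq $RemoteIp) { [int]$f[7] }
        } |
        Sort-Object -Unique
}
"Dropped destination ports from $CdaIp :"
Get-DroppedPorts -LogPath $FwLog -RemoteIp $CdaIp

# 4. Scoped alternative to an any-protocol allow from the CDA IP: endpoint mapper
#    (135) plus the RPC dynamic range, limited to the WMI service, domain profile only.
netsh advfirewall firewall add rule name="CDA - RPC endpoint mapper" dir=in action=allow `
    protocol=TCP localport=RPC-EPMap remoteip=$CdaIp profile=domain
netsh advfirewall firewall add rule name="CDA - WMI dynamic RPC" dir=in action=allow `
    protocol=TCP localport=RPC remoteip=$CdaIp `
    program="%SystemRoot%\system32\svchost.exe" service=winmgmt profile=domain

# 5. Reproduce the query the CDA error shows (Win32_NTDomain) from another Windows host
#    on the CDA's subnet, with the CDAService account, so DCOM through the firewall is
#    tested independently of the appliance. Prompts for the account password.
function Test-CdaWmiQuery {
    param([string]$ComputerName, [string]$UserName)
    $cred = Get-Credential $UserName
    Get-WmiObject -Class Win32_NTDomain -Namespace "root\cimv2" `
        -ComputerName $ComputerName -Credential $cred |
        Select-Object DomainName, DnsForestName, DomainControllerName
}
# Test-CdaWmiQuery -ComputerName $DcName -UserName "DOMAIN\CDAService"   # placeholder account
```

Step 3 is the useful diagnostic: a DROP entry for the CDA address with a destination port inside the range printed by step 2 confirms the dynamic RPC port, not 135, is what was blocked, and step 4's rules are the narrow fix for that. Steps 4 and 5 run against placeholders and must be edited before use; the Test-CdaWmiQuery call is left commented because it prompts for credentials.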
03-05-2015 08:47 AM
Hi mate, can you please look at my post and suggest something to me on CDA-WSA? Here is the link