Terminal Server / URL Filtering / ASA Firepower
01-12-2016 05:19 AM - edited 03-12-2019 05:52 AM
I've seen a few posts that skim around this but I want to get a clear answer. We are trying to figure out two things:
- Can the Firepower URL filter on an ASA (when properly licensed) do user-based URL filtering for Terminal Server users?
- If it can, is some sort of agent or proxy needed on the Terminal Server or possibly between the Terminal Server and the SFR module?
- Assuming it can't, is it possible to configure a separate URL filtering policy that will be applied to a source IP address regardless of the user?
- If number one is 'no', is this planned for a future release?
Labels: NGIPS
01-13-2016 12:21 AM
(1) No. "Users" are associated with IP addresses.
(2) Not completely sure. 75% yes.
01-13-2016 07:18 AM
1. If you do a captive portal (FirePOWER 6.0) you can require users (terminal server-based or otherwise) to provide their credentials to the FirePOWER module to access web-based resources.
2. You can alternatively create a URL Filtering policy with "networks" (could be individual /32s) as one of the criteria for the policy.
01-18-2016 10:07 AM
The captive portal suggestion is an interesting idea, but the little I've read about it suggests that the purpose wasn't to distinguish users who utilize a single IP (Terminal Server Clients) but rather to supplement the SFUA. [@mrhoads-cco] do you happen to have a link to some literature that supports that? I'd love to read it.
01-18-2016 01:45 PM
Christopher,
I see your point about TS users using a single IP address. That may break the captive portal assumption that, once a user has authenticated via the portal, the IP address is linked with the identity. I'm not sure how the details work; the configuration guide is silent on that detail.
http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/User_Identity_Sources.html#concept_6E7BBA97DD5D4883AA55185B6FEEE9BA
Also, captive portal requires a routed mode IPS whereas most deployments I've seen are inline (transparent).
I was thinking more along the lines of a Citrix VDI infrastructure where the users get desktops with individual unique IP addresses. For that use case, we can differentiate access as we do with ISE per the following guide:
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/CMWSwC/CMWSwCConfig.html
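An added illustration of the two points made in the replies above: identity keyed by IP address collapses every Terminal Server user into one identity, while a rule keyed on a /32 source network applies regardless of who is logged in. This is example code written for this page, not Cisco's or the Firepower module's logic. The addresses, users, URL categories and rules are all constructed. The (IP, source-port-range) identity table at the end models the kind of per-session mapping a terminal-server identity agent could supply; that mechanism is an assumption for illustration, not something this thread documents.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    """One access-control rule, evaluated top-down, first match wins."""
    name: str
    action: str                                         # "allow" or "block"
    networks: list = field(default_factory=list)        # source CIDRs; empty = any
    users: list = field(default_factory=list)           # user names; empty = any
    url_categories: list = field(default_factory=list)  # URL categories; empty = any


# --- Constructed sample environment (hypothetical, not from the thread) ---------
TS_IP = "10.1.1.50"    # terminal server shared by alice and bob
VDI_IP = "10.1.2.21"   # VDI desktop with its own address, used by carol

# Identity keyed by IP only: one entry per address, so the terminal server can
# carry only whichever user the module learned last (alice here). This is the
# situation the reply "Users are associated with IP addresses" describes.
IP_USER_MAP = {TS_IP: "alice", VDI_IP: "carol"}

# Identity keyed by (IP, source-port range): ASSUMED shape of what a
# terminal-server identity agent could report, one range per logged-in session.
PORT_RANGE_USER_MAP = {
    TS_IP: [(49152, 49999, "alice"), (50000, 50999, "bob")],
}

# A policy that mixes a user-based rule with a network (/32) rule.
POLICY = [
    Rule("block-social-for-alice", "block", users=["alice"], url_categories=["social"]),
    Rule("block-gambling-from-ts", "block", networks=[f"{TS_IP}/32"], url_categories=["gambling"]),
    Rule("allow-everything-else", "allow"),
]


def user_by_ip(src_ip: str) -> Optional[str]:
    """Identity lookup with nothing but the source address to go on."""
    return IP_USER_MAP.get(src_ip)


def user_by_ip_port(src_ip: str, src_port: int) -> Optional[str]:
    """Identity lookup that can tell sessions on a shared address apart."""
    for lo, hi, user in PORT_RANGE_USER_MAP.get(src_ip, []):
        if lo <= src_port <= hi:
            return user
    return IP_USER_MAP.get(src_ip)  # fall back to plain IP identity


def rule_matches(rule: Rule, src_ip: str, user: Optional[str], category: str) -> bool:
    addr = ipaddress.ip_address(src_ip)
    if rule.networks and not any(addr in ipaddress.ip_network(n) for n in rule.networks):
        return False
    if rule.users and user not in rule.users:
        return False
    if rule.url_categories and category not in rule.url_categories:
        return False
    return True


def evaluate(src_ip: str, user: Optional[str], category: str) -> tuple:
    for rule in POLICY:
        if rule_matches(rule, src_ip, user, category):
            return rule.name, rule.action
    return "default", "allow"


def decide_by_ip(src_ip: str, category: str) -> tuple:
    """Decision when the module only knows users by IP address."""
    return evaluate(src_ip, user_by_ip(src_ip), category)


def decide_by_ip_port(src_ip: str, src_port: int, category: str) -> tuple:
    """Decision when a per-session (IP, port range) mapping is available."""
    return evaluate(src_ip, user_by_ip_port(src_ip, src_port), category)


if __name__ == "__main__":
    # bob's session on the terminal server, viewed both ways
    print("IP-only identity, bob -> social:   ", decide_by_ip(TS_IP, "social"))
    print("Port-range identity, bob -> social:", decide_by_ip_port(TS_IP, 50100, "social"))
    # the /32 network rule hits every terminal-server user regardless of identity
    print("IP-only identity, gambling from TS:", decide_by_ip(TS_IP, "gambling"))
    print("VDI desktop, gambling:             ", decide_by_ip(VDI_IP, "gambling"))
```

With IP-only identity, bob's request is blocked by the rule written for alice, because the shared address can only map to one user; with the per-session mapping his request falls through to the allow rule. The gambling rule, keyed on the terminal server's /32, blocks both users either way, which is the "separate policy applied to a source IP regardless of the user" the original question asked about. The VDI desktop with its own address is unaffected.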
10-13-2016 09:49 AM
Hello
I am looking for the TS Agent on version 6.1.
http://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/User_Identity_Sources.html#task_70A1D11CEE7E4F7F84CF90777F8E195F__step_CC061C4B3251440EBF5DD66D471889FC
It says: "... see the Cisco Terminal Services (TS) Agent Guide", which I cannot find anywhere.
I have also found this: "The TS Agent feature (VDI Identity Support) is available in a limited availability program adjacent to Version 6.1."
Has anyone managed to find some docs and resources?
Thanks
Guillaume
10-13-2016 09:52 AM
[@guillaume.barberot] ,
The supporting documentation for the limited availability is only available to the customers participating in the program.
Once it is opened up (hopefully with 6.2 in the next month or so), it will be made publicly available.

10-13-2016 10:40 PM
Hello Team,
It is in limited availability.
You have to contact the accounts team, who should be able to help you out.
If you are interested in being beta customers, you have to contact the Accounts team.
Rate and mark if the post helps you.
Regards
Jetsy
