user based content filtering on terminal server. can CSC handle this?

alig.norbert
Level 4

Hi all,
Can CSC Trend Micro ASA module handle AD user/group based filtering on a multi-user server (e.g. MS Terminal, Citrix)?
Or is there another solution?

Thanks
Norbert

Sent from Cisco Technical Support iPad App

1 Accepted Solution


Hello Alig,


Hmmm.. Is that maybe the answer?

It would be the same limitation that I am telling you. Different words.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


6 Replies

Julio Carvajal
VIP Alumni

Hello,

The only restriction is that it should run on Windows Server 2003-2008 (2003-R2 not supported).

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi there,
Thanks for the reply.
As written in the admin guide:
..
The Trend Micro Domain Controller Agent queries each domain controller for user login sessions every seven seconds by default, obtaining the user name and workstation name for each login session. For each login session identified, the Domain Controller Agent performs a DNS lookup to resolve the workstation name to an IP address, and records the resulting user name/IP address pair....

So I guess there will be a problem on an MS Terminal/Citrix server with the username/IP address pair, because all users have the same IP address (multiple user server, e.g. Citrix).
Or am I missing something?

http://www.cisco.com/en/US/docs/security/csc/csc66/administration/guide/csc6.html#wp1064372

Hmmm.. Is that maybe the answer?
https://supportforums.cisco.com/thread/228748



Thank you,
Greets Norbert

Hello,

Yes, it will be a problem, as the AD agent will need to log every single time a user logs into a PC, and then it will create a map (username to IP). In this case that will be the problem, as all of them will have the same one.

Regards,

Remember to rate all of the helpful posts. If you need assistance on how to rate a post, just let me know.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
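
The limitation discussed in the posts above, as an added example that is not part of the original thread and not Cisco's or Trend Micro's code: a small model of a user name/IP address table built from login sessions, showing which users end up filtered under someone else's identity when they share a terminal server address. The host names, addresses, session data and the "newest login overwrites the older one" rule are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data (not from the thread): login sessions as
# (seconds since start, user name, workstation name).
SESSIONS = [
    (0, "alice", "PC-ALICE"),
    (7, "bob", "CITRIX01"),
    (14, "carol", "CITRIX01"),
    (21, "dave", "CITRIX01"),
    (28, "erin", "PC-ERIN"),
]
# Constructed stand-in for the DNS lookup of workstation name to IP address.
DNS = {"PC-ALICE": "10.0.0.11", "PC-ERIN": "10.0.0.12", "CITRIX01": "10.0.0.50"}


def build_ip_user_map(sessions, dns):
    """Return (ip -> user used for policy, ip -> every user seen on that ip)."""
    ip_to_user = {}
    seen = defaultdict(list)
    for _, user, host in sorted(sessions):
        ip = dns.get(host)
        if ip is None:  # unresolved workstation: no pair can be recorded
            continue
        ip_to_user[ip] = user  # assumption: newest login overwrites the older one
        if user not in seen[ip]:
            seen[ip].append(user)
    return ip_to_user, dict(seen)


def ambiguous_ips(seen):
    """IPs where one address stands for several users (multi-user servers)."""
    return {ip: users for ip, users in seen.items() if len(users) > 1}


def misattributed_users(sessions, dns, ip_to_user):
    """Users whose traffic would be filtered under another user's policy."""
    wrong = []
    for _, user, host in sorted(sessions):
        ip = dns.get(host)
        if ip is not None and ip_to_user[ip] != user and user not in wrong:
            wrong.append(user)
    return wrong


if __name__ == "__main__":
    table, seen = build_ip_user_map(SESSIONS, DNS)
    print("policy table:", table)
    print("ambiguous addresses:", ambiguous_ips(seen))
    print("filtered as someone else:", misattributed_users(SESSIONS, DNS, table))
```
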

Hello Alig,


Hmmm.. Is that maybe the answer?

It would be the same limitation that I am telling you. Different words.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Has IronPort such a function/service?

Hello Alig,

To be honest with you I am not 100% sure of that.

I have found the following information:

Powerful and flexible authentication ensures seamless integration with corporate environments. Administrators can create policies based on existing LDAP-based or Active Directory-based directory structures. Single sign-on capabilities provide a seamless end-user experience while surfing the Web. Administrators can also create authentication exemptions based on source or destination traffic profiles.

Granular policy creation using IronPort Web Security Manager™ allows administrators to create and manage policies on a per-user and per-group basis — thereby providing tremendous flexibility and control. IronPort Web Security Manager enables automatic sync-up with existing authentication directories to provide a list of active groups. This enables administrators to further refine pre-existing LDAP-based or Active Directory-based groups. Administrators can define groups using network segments, IP addresses, subnet or CIDR ranges, as well as combine multiple network segments or separate groups into a single unit.

So it looks like it could handle this, but just to be sure I would recommend that you open a new discussion on the IronPort board.

Please come back with the answer so we can learn from that as well.

Remember to rate all of the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC