429 Views | 5 Helpful | 5 Replies

csa ports to open

shawn.s
Level 1

I have my "field laptops" communicating to the management server through my firewall on tcp port 5401. I was wondering if this is a best practice; I have thought about having them just vpn in to communicate with the management server. What are the pros/cons to this? Is the communication on tcp 5401 secure?

5 Replies

tsteger1
Level 8

We chose to use our DMZ instead of coming all the way in through the firewall. We didn't go the vpn route because they'd need to be connected to talk to the MC. Now they can always talk whether or not they are connected to us. I think that is also what Cisco recommends.

pcomeaux
Cisco Employee

Yes - TCP 5401 is the default port that the clients use to communicate to the CSA MC over SSL. If 5401 is not available, the agent tries 443, still using SSL. A certificate of the CSA MC is provided to the Agent at install for securing the conversation.

So the conversation is as secure as SSL offers, which most of us count on for securing our on-line transactions, etc.

I agree that placing the server on a DMZ reduces risk as mentioned in the other post.

thanks for using CSA -

peter

Does CSA also need ports opened for DNS to resolve the CSA MC computer name?

For example, in an environment where the client is in a segment of the network that only has access to the CSA MC and nothing else.

Any type of name resolution should work but DNS is preferred. I have a test MC on the same segment as a client and it uses NetBIOS to find the MC.

Yes - CSA does require name resolution to reach the CSA MC.

So if clients are located outside of the network, say at home on a high speed link, the CSA MC would need to be configured in the externally advertised DNS server with an address that is translated to the inside network. Besides the translation, the firewall would need to have the ports I mentioned above open (tcp 5401 or tcp 443).

If the users are inside the network, then DNS should resolve them to an internal address for the CSA MC.

This is a good reason why DNS is preferred in lieu of hosts files.

Hope this helps,

peter
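Pulling the two answers above together (agent tries TCP 5401 over SSL, then TCP 443; the MC name must resolve first, and for external clients it must resolve to the translated, externally reachable address), here is a small pre-check an administrator could run from a client segment to confirm those prerequisites before opening a ticket. This is an added example for this thread, not Cisco code or anything from the CSA product. The hostname `csamc.example.test` and the addresses in the comments are constructed placeholders; the resolver and connector are injectable so the logic can be exercised without a live MC.

```python
"""Pre-check for CSA agent-to-MC connectivity (added example, not Cisco code).

Models what the thread describes: resolve the CSA MC name, then complete a
TLS handshake on TCP 5401 and, if that fails, on TCP 443.  Resolution failure
short-circuits, because name resolution is a prerequisite for reaching the MC.
"""
import ipaddress
import socket
import ssl
import sys
from typing import Callable, Sequence

# Port order described in the thread: 5401 first, then 443, both over SSL/TLS.
CSA_PORTS: Sequence[int] = (5401, 443)


def tls_connect_default(host: str, ip: str, port: int, timeout: float = 5.0) -> bool:
    """Open TCP to ip:port and complete a TLS handshake that verifies the
    server certificate against the local trust store (the MC certificate the
    agent received at install would be trusted here in a real deployment)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


def check_mc_reachability(
    host: str,
    ports: Sequence[int] = CSA_PORTS,
    resolver: Callable[[str], str] = socket.gethostbyname,
    connector: Callable[[str, str, int], bool] = tls_connect_default,
) -> dict:
    """Return a report: the resolved address (None if resolution failed), the
    ports tried in order, and the first port whose TLS handshake succeeded
    (None if neither 5401 nor 443 answered)."""
    report = {"host": host, "address": None, "port": None, "tried": []}
    try:
        report["address"] = resolver(host)   # socket.gaierror is an OSError
    except OSError:
        return report                        # no name resolution: stop here
    for port in ports:
        report["tried"].append(port)
        if connector(host, report["address"], port):
            report["port"] = port
            break
    return report


def external_client_address_ok(address: str) -> bool:
    """An agent outside the network must be handed the MC's translated,
    routable address by the external DNS view.  If it received an RFC 1918 or
    other non-routable address, the external DNS view is misconfigured."""
    return not ipaddress.ip_address(address).is_private


if __name__ == "__main__":
    # Usage: python csa_precheck.py csamc.example.test [--external]
    name = sys.argv[1] if len(sys.argv) > 1 else "csamc.example.test"
    result = check_mc_reachability(name)
    print(result)
    if "--external" in sys.argv and result["address"]:
        print("external DNS view ok:", external_client_address_ok(result["address"]))
```

Run it from the segment the agents live on: a report with `address` set and `port` of 5401 means the primary path is open; `port` of 443 means 5401 is blocked and the agent is surviving on the fallback, which is worth fixing on the firewall; `port` of None with an address means both ports are filtered; `address` of None means the DNS problem peter describes, not a firewall problem.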