02-26-2010 06:15 AM
Hello,
We have a Cisco ASA 5520. We have remote users that VPN into this device and once connected use Microsoft Office Communicator for IM.
The issue is with sharing desktops. When users are inside the network they can share. When a user is inside the network, they can share with a user that is VPN'd in.
The issue is when two users are remotely connected via VPN they can IM but are unable to share their desktop.
I would just like to know if this is possible (two remote VPN connections sharing a desktop) and if so, would it be an ACL issue that is probably preventing it?
Thanks, any suggestions would be appreciated.
02-26-2010 09:34 AM
Hi,
Quick answer is yes it is possible, but it may ultimately depend on your OCS configuration.
Like most Microsoft apps out of the box it uses random ports (1024-65535) for a large portion of its communications, which hopefully your server guys are locking down to a smaller, more manageable range.
First thing I would try on your ASA though is to enable hairpinning so the VPN users can communicate with each other.
This is done using:
same-security-traffic permit intra-interface
Basically allowing traffic to enter and exit the same interface, which is denied by default.
If this still doesn't work you may have to liaise with your OCS team to assist.
If you are sharing between just 2 users the traffic should primarily be peer to peer.
You may want to try sharing to multiple users in a conference, for instance, which forces the traffic for all users through the edge servers instead of peer to peer; this should work.
Unless you're firewalling the VPN traffic I wouldn't expect you have to enable rules on the ASA.
HTH
Stu
02-28-2010 05:28 AM
03-01-2010 12:08 AM
Hi,
Did it fix your issue?
On the ASA traffic is prohibited from entering and exiting the same interface by default.
This command permits this behavior.
For you I expect that both VPNs are terminating on the same interface (maybe the outside, for example), so as the connection comes in from one VPN it needs to exit the same interface to reach the other VPN. This by default would be denied.
This is a global command so will affect all interfaces. Shouldn't cause any issues with existing traffic etc.
Stu
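To check the effect described in Stu's two replies before touching a production box, here is an added audit script (not from this thread or from Cisco) that reads an ASA running-config and reports whether same-interface hairpinning is on. It also lists group-policies that carry no vpn-filter ACL, an assumption on my part: once intra-interface traffic is permitted, a per-group vpn-filter is what still constrains client-to-client traffic between VPN users. The config excerpt is constructed for the example.

```python
import re

# Constructed ASA running-config excerpt (not taken from the thread).
SAMPLE_CONFIG = """\
hostname asa5520
same-security-traffic permit intra-interface
access-list VPN_CLIENT_FILTER extended permit ip 10.10.0.0 255.255.0.0 any
group-policy RemoteUsers internal
group-policy RemoteUsers attributes
 vpn-filter value VPN_CLIENT_FILTER
group-policy Contractors internal
group-policy Contractors attributes
 vpn-tunnel-protocol svc
"""

def audit_hairpin(config_text):
    """Parse an ASA config and return the hairpin state plus, per group-policy,
    the vpn-filter ACL name (None when the policy applies no filter)."""
    lines = [l.rstrip() for l in config_text.splitlines()]
    stripped = [l.strip() for l in lines]
    intra = "same-security-traffic permit intra-interface" in stripped
    inter = "same-security-traffic permit inter-interface" in stripped
    policies, current = {}, None
    for line in lines:
        m = re.match(r"group-policy (\S+) attributes$", line)
        if m:                       # start of an attributes block
            current = m.group(1)
            policies.setdefault(current, None)
            continue
        if line.startswith(" ") and current:
            m = re.match(r"\s+vpn-filter value (\S+)", line)
            if m:
                policies[current] = m.group(1)
        elif not line.startswith(" "):
            current = None          # any unindented line ends the block
    unfiltered = sorted(p for p, acl in policies.items() if acl is None)
    return {"intra_interface": intra, "inter_interface": inter,
            "vpn_filter": policies, "unfiltered_policies": unfiltered}

def findings(report):
    """Turn the audit result into reviewer-style findings."""
    if not report["intra_interface"]:
        return ["hairpinning off: VPN-to-VPN traffic on one interface is dropped"]
    out = ["hairpinning on: VPN clients on the same interface can reach each other"]
    for p in report["unfiltered_policies"]:
        out.append(f"group-policy {p} has no vpn-filter; client-to-client traffic is unrestricted")
    return out

if __name__ == "__main__":
    for f in findings(audit_hairpin(SAMPLE_CONFIG)):
        print(f)
```

Feed it the output of `show running-config` to see what the global command will open up before enabling it.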
03-01-2010 12:37 PM
Hello,
I haven’t tried it yet as I was a little cautious as to what it may affect/break if anything.
I will have to run this by a few teams before any changes are made to this device.
But you do say that by enabling "same-security-traffic permit intra-interface" it does not affect any existing vpns or communications correct?
Thanks for all your information.