Inter-work between WAAS and Microsoft Firewall/VPN device?

Unanswered Question
Jul 26th, 2010

I'm going to implement WAE (274, 474, 574, and 674) in inline mode at remote locations where the WAN devices are a server running Microsoft Firewall and VPN software. The Microsoft server functions as WAN firewall device and also VPN termination device.

Remote site:   LAN switch ---- WAE (inline) ---- Microsoft Server (WAN firewall & VPN) ---- WAN cloud

Should I enable directed mode on the WAE? In using DM, the Microsoft Firewall will see the connection as a UDP instead of TCP. In that case, do I still need to disable Microsoft firewall's TCP options removal and enable it to allow shifted TCP sequence number?

Another question: how do I configure the Microsoft firewall so that it does not remove TCP options and also allows shifted TCP sequence numbers?

Thanks a lot

Gary

Michael Korenbaum Tue, 07/27/2010 - 06:01

Gary,

For your scenario, if you can configure the Microsoft firewall to allow TCP options for TFO auto-discovery, then you can enable directed mode.  If you are using directed mode then there is no need to disable sequence number checking on the firewall.

As for the specific configuration on the Microsoft firewall I'd suggest you consult the documentation that came with your Microsoft software. 

Cheers,

Mike Korenbaum

Cisco WAAS PDI Help Desk

http://www.cisco.com/go/pdihelpdesk

gwhuang5398 Tue, 07/27/2010 - 13:02

Thanks Michael:

Just want to confirm: what I need to do is to enable TCP options on the Microsoft firewall and enable Directed Mode on the WAE. Correct?

If I just use DM on WAE without making any change on the firewall, would the firewall see the connection as just UDP or still check into TCP fields?

Thanks

Gary

Michael Korenbaum Tue, 07/27/2010 - 13:38

Gary,

Yes, you just need to configure your firewall to allow TCP options (specifically option 33 (0x21 in HEX)), then configure the WAEs for directed mode.

The firewall will see a TCP 3-way handshake at first so the two WAEs can auto discover each other and negotiate a UDP directed mode tunnel.

Once the auto discovery phase is complete, traffic sent over the WAN side of the connection will be encapsulated in the UDP 4050 tunnel (so your firewall must allow this traffic through as well).

Please see the configuration guide section on directed mode here which explains in more detail, and let me know if you have other questions.

http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v421/configuration/guide/network.html#wpxref53362

Cheers,

Mike
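
As an added illustration (not part of this thread or of any Cisco tool), the script below parses the option list of a raw TCP header and reports whether the WAAS auto-discovery option Mike mentions (kind 33, 0x21) survived the path, and checks a UDP header for the directed-mode tunnel port 4050. The two sample SYN headers are constructed inline: one carries option 33, the other is what the same SYN looks like after a middlebox has stripped it. The contents of the option-33 payload are a placeholder, since the real option format is not shown in the thread.

```python
import struct

# Values taken from the thread above.
WAAS_AUTODISCOVERY_OPTION = 33   # TCP option kind 0x21 used for TFO auto-discovery
DIRECTED_MODE_UDP_PORT = 4050    # UDP port of the directed-mode tunnel


def parse_tcp_options(tcp_header: bytes):
    """Return a list of (kind, data) tuples from a raw TCP header.

    tcp_header must begin at the TCP source port (no IP header in front).
    Kind 1 (NOP) is kept so padding can be inspected; kind 0 ends the list.
    """
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than the 20-byte minimum")
    data_offset = (tcp_header[12] >> 4) * 4        # header length in bytes
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad TCP data offset")
    opts = tcp_header[20:data_offset]
    result = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                               # End of option list
            break
        if kind == 1:                               # NOP (single byte)
            result.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad TCP option length")
        result.append((kind, opts[i + 2:i + length]))
        i += length
    return result


def has_waas_option(tcp_header: bytes) -> bool:
    """True if the auto-discovery option (kind 33) is present in the header."""
    return any(kind == WAAS_AUTODISCOVERY_OPTION
               for kind, _ in parse_tcp_options(tcp_header))


def is_directed_mode_tunnel(udp_header: bytes) -> bool:
    """True if a raw UDP header is addressed to the directed-mode port 4050."""
    _src, dst, _length, _checksum = struct.unpack("!HHHH", udp_header[:8])
    return dst == DIRECTED_MODE_UDP_PORT


def build_syn(src_port: int, dst_port: int, seq: int, options: bytes) -> bytes:
    """Build a minimal TCP SYN header carrying the given raw options (padded to 4)."""
    options = options + b"\x00" * ((-len(options)) % 4)
    data_offset_words = (20 + len(options)) // 4
    offset_flags = (data_offset_words << 12) | 0x02  # SYN flag set
    fixed = struct.pack("!HHIIHHHH", src_port, dst_port, seq, 0,
                        offset_flags, 65535, 0, 0)
    return fixed + options


# Constructed samples: an MSS option followed by a placeholder option 33.
MSS_OPTION = b"\x02\x04\x05\xb4"                     # kind 2, len 4, MSS 1460
WAAS_OPTION = bytes([WAAS_AUTODISCOVERY_OPTION, 10]) + b"\x00" * 8  # placeholder payload

SYN_WITH_OPTION = build_syn(40000, 445, 1, MSS_OPTION + WAAS_OPTION)
SYN_STRIPPED = build_syn(40000, 445, 1, MSS_OPTION)     # after a middlebox removed option 33
UDP_TUNNEL = struct.pack("!HHHH", 4050, 4050, 8, 0)     # constructed tunnel header


if __name__ == "__main__":
    for name, hdr in (("original SYN", SYN_WITH_OPTION), ("stripped SYN", SYN_STRIPPED)):
        kinds = [k for k, _ in parse_tcp_options(hdr)]
        print(f"{name}: options {kinds}, auto-discovery option present: {has_waas_option(hdr)}")
    print(f"UDP header to port 4050 is directed-mode tunnel: {is_directed_mode_tunnel(UDP_TUNNEL)}")
```

Feeding the parser a SYN captured on the WAN side of the firewall (TCP header bytes only) tells you directly whether the firewall is still removing the option that auto-discovery depends on; if `has_waas_option` is false on the far side but true on the near side, the firewall's option handling still needs to be changed before directed mode will negotiate.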

gwhuang5398 Mon, 08/02/2010 - 20:03

Thanks Mike:

In the Cisco config document, it says "When using directed mode with inline mode, you must configure the Cisco WAE Inline Network Adapter with routable IP addresses on its interfaces or traffic is black holed".

Does "interfaces" here refer to "interface inlinegroup"? I would guess most people configure the IP address on the GigE interface for management rather than on the inlinegroup interface.

Thanks again

Gary

Michael Korenbaum Tue, 08/03/2010 - 04:55

Yes they are referring to the inlinegroup interface.

Ex.

interface InlineGroup 1/1
 ip address 14.110.3.84 255.255.255.240
 no autosense
 bandwidth 100
 full-duplex
 exit

Cheers,
Mike
