09-25-2010 10:13 AM - edited 03-11-2019 11:45 AM
Hi,
I have configured ASA CSC SSM module for AD integration for user based access control. The domain controller Agent has been installed in AD server. But the Agent is not able to communicate to CSC module. There are errors getting generated in AD and CSC.
There are no network layer issues between AD server and CSC. All the firewalls have been turned off. I suspect some configuration changes to be done on AD or with the Agent installation file. I have followed the configuration steps recommended by Cisco in configuring AD server and CSC module. I have attached the Log files.
Please suggest solution for this issue. Thank you.
With Regards,
Madhan kumar G.
09-25-2010 05:14 PM
Seems to be a problem with the Windows server interaction with the TrendMicro IdAgent itself.
Here is the error message (from syscsv):
The Trend Micro IdAgent service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
And also the following (from apcsv):
Windows Installer reconfigured the product. Product Name: Trend Micro IdAgent. Product Version: 1.0.0.0. Product Language: 1033. Reconfiguration success or error status: 1602.
Product: Trend Micro IdAgent -- Configuration failed.
Please check your Microsoft Server machine itself and/or try to uninstall the Trend Micro IdAgent and reinstall it again, or try to install the agent on a different Windows machine.
Hope that helps.
09-26-2010 10:13 PM
Hi Jennifer,
Thanks for your suggestion. I am trying to understand the communication pattern between the CSC module and the Domain controller server. Please comment on the following queries.
1. My CSC SSM management IP is in the WAN segment and cannot reach the AD server. Is that a problem for LDAP integration?
2. How does the CSC find the host with the domain controller agent? Obviously we are giving the IP of the host in the userid configuration of CSC. But how does the traffic flow occur? What will be the source IP when trying to access the machine hosting the agent?
3. Can I have the agent software on the domain controller server itself?
4. My Domain controller server is a Microsoft Windows Server 2008. Does LDAP integration with the CSC module support this version?
5. Does the agent software automatically bind itself to the IP address of the hosting machine? After installing the agent on the Windows server, I ran the 'netstat' command to check the port binding. The port binding was "0.0.0.0:65015 listening". Is there an issue here, in that the port is not bound to the IP of the Windows server?
Please reply back on these queries.
Thanks and Regards,
Madhan kumar G.
10-19-2010 06:22 AM
Hi,
I am facing one more problem with CSC integration with AD. Now the integration is fine and all configurations are done. Still user based access control is not working.
I am testing with a Linux based client machine. Is there an issue with that?
Regards,
Madhan kumar G
10-19-2010 06:35 AM
09-25-2010 05:18 PM
Hi Madhan,
The error you see in the Event Viewer for the IDAgent service looks to be caused by the configuration of the service in Windows. Here is a link from Microsoft TechNet that explains how to allow the service to run interactively:
http://technet.microsoft.com/en-us/library/cc756339(WS.10).aspx
Hope that helps.
-Mike
09-26-2010 10:11 PM
Hi Mike,
Thanks for your suggestion. I am trying to understand the communication pattern between the CSC module and the Domain controller server. Please comment on the following queries.
1. My CSC SSM management IP is in the WAN segment and cannot reach the AD server. Is that a problem for LDAP integration?
2. How does the CSC find the host with the domain controller agent? Obviously we are giving the IP of the host in the userid configuration of CSC. But how does the traffic flow occur? What will be the source IP when trying to access the machine hosting the agent?
3. Can I have the agent software on the domain controller server itself?
4. My Domain controller server is a Microsoft Windows Server 2008. Does LDAP integration with the CSC module support this version?
5. Does the agent software automatically bind itself to the IP address of the hosting machine? After installing the agent on the Windows server, I ran the 'netstat' command to check the port binding. The port binding was "0.0.0.0:65015 listening". Is there an issue here, in that the port is not bound to the IP of the Windows server?
Please reply back on these queries.
Thanks and Regards,
Madhan kumar G.
10-05-2010 11:18 PM
Hi,
I have found the answers for my queries.
1. The AD integration issue was because my CSC SSM management IP could not reach Active Directory.
2. There should be IP reachability from the CSC SSM management IP to Active Directory.
3. The Agent software can be installed on the domain controller itself (recommended procedure).
4. The domain controller can be a Microsoft Windows 2008 server. In such a case, the agent should also reside on a Windows 2008 machine only.
5. The agent automatically binds itself to the IP of the hosting machine.
Thank you.
Regards,
Madhan kumar G.
10-18-2010 12:10 PM
Hi all,
I have as well an issue with the connection with the domain controller server.
The connectivity with the domain controller agent is working fine. LDAP lookup is working as well.
Here is the set up:
- Domain controller agent is installed on a Windows 2003 32bit AD-Member
- The domain controller server is/are Windows 2008 64bit (There is no 32bit server to get a try)
- Auto detect is showing up all AD-Servers, but not connected
I tried to install the agent on a Windows 2008 64bit but without luck.
Can it be an issue with the AD-Server (Windows 2008 64bit)? Can the domain controller agent only work on 32bit environment?
Thanks,
Norbert
10-19-2010 06:43 AM
Hi,
I am using a Microsoft Windows 2008 server, 64 bit version. My CSC is connected to AD. I hope you have provided the AD admin user credentials in the "Domain controller server credentials" space in the userid settings page. If not, provide the same and try. Use the combination of "
Hope that helps.
Regards,
Madhan kumar G.
10-19-2010 10:41 AM
Hi,
Thanks for the reply. Which CSC-Version do you have?
I could not build up a connection between CSC and Windows 2008 (64bit) through the Domain Controller Agent...
Thanks,
Norbert
10-19-2010 11:39 AM
Hi Norbert,
Is the "Trend Micro IdAgent" service started on the Windows server? Check the output of 'netstat -anb | more' on the Windows server to make sure that the ID Agent process is listening on the same port that is configured on the Administration > User ID Settings tab on the CSC admin page. Also, double check that there is no firewall enabled on the Windows server that would block access on this port.
The steps defined in this troubleshooting guide may help you find the problem as well:
http://www.cisco.com/en/US/docs/security/csc/csc63/administration/guide/csc8.html#wp1147111
Hope that helps.
-Mike
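The check Mike describes, as an added PowerShell example that is not part of the original thread. It assumes a Windows version that ships the NetTCPIP and NetSecurity modules, that "Trend Micro IdAgent" is the service display name, and it uses port 65015 from the netstat output quoted earlier as a default; substitute the port configured under Administration > User ID Settings.

```powershell
# Added example: run in an elevated prompt on the Windows host where the ID Agent is installed.
param(
    [int]$ExpectedPort = 65015,                           # from the thread's netstat output; use the CSC value
    [string]$ServiceDisplayName = 'Trend Micro IdAgent'   # assumption: this is the display name
)

# 1. Is the service installed and running, and under which PID?
$svc = Get-CimInstance Win32_Service -Filter "DisplayName='$ServiceDisplayName'"
if (-not $svc) { Write-Warning "Service '$ServiceDisplayName' not found."; return }
"Service state: $($svc.State), start mode: $($svc.StartMode), PID: $($svc.ProcessId)"
if ($svc.State -ne 'Running') { Write-Warning 'Service is not running; nothing will be listening.'; return }

# 2. Which TCP ports does that exact process listen on?
#    A LocalAddress of 0.0.0.0 or :: is the wildcard address (all local interfaces).
$listeners = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.OwningProcess -eq $svc.ProcessId })
if ($listeners.Count -eq 0) { Write-Warning 'The service process has no TCP listeners.'; return }
$listeners | Select-Object LocalAddress, LocalPort | Format-Table -AutoSize

if ($listeners.LocalPort -notcontains $ExpectedPort) {
    Write-Warning "Agent is not listening on $ExpectedPort; it must match the port set on the CSC."
}

# 3. Is a different process holding the expected port instead?
Get-NetTCPConnection -State Listen -LocalPort $ExpectedPort -ErrorAction SilentlyContinue |
    Where-Object { $_.OwningProcess -ne $svc.ProcessId } |
    ForEach-Object { Write-Warning "Port $ExpectedPort is owned by PID $($_.OwningProcess), not the agent." }

# 4. Firewall: which profiles are on, and is there an enabled inbound allow rule for the port?
Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize
$allow = @(Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains "$ExpectedPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' })
"Enabled inbound allow rules naming TCP ${ExpectedPort}: $($allow.Count)"
```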
10-20-2010 11:35 AM
Hi Mike,
The connection between CSC and the TrendMicro Agent is fine.
I can do the auto discovery to get the AD-controllers as well, but this connection isn't working.
The weird thing is, it can get connected to an "old" Windows 2000 AD-Controller but not to the Windows 2008 (64bit) AD-Controller.
I will do the debug on the TrendMicro Agent, to track it down....
Greets,
Norbert
05-30-2011 10:06 AM
Dear All,
I am also facing the same issue. I tried with Windows 2003 and it was working, but when I installed on Windows 2008 64bit, no success.
I define some exception on CSC which is not working if I define userid, while if I define workstation IP it starts working.
Is it an issue with Windows 2008, or is a different agent required for Windows 2008 R2 64bit?
Regards,
Azhar
05-31-2011 07:58 AM
Hi,
Below are the suggestions from TAC engineer, which rectified issue in my case. Hope this helps your scenario.
Verify the following:
1. The client machines should be part of the Windows domain.
2. File Sharing should be enabled on the client machine.
3. The "Remote Registry" service should be enabled.
4. On the Windows firewall, select "Windows Management Instrumentation (WMI)" as an exception program to allow inbound WMI calls. Also, make sure "File and Printer Sharing" is part of the exception list.
5. The client is able to ping the Agent and the Domain Controllers.
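The five checks above can be run on a client in one pass. This is an added PowerShell example, not part of the original thread or the TAC guidance; the host names are placeholders, "File Sharing" is assumed to mean the Server (LanmanServer) service is running, and the firewall group names assume an English-language Windows with the NetSecurity module.

```powershell
# Added example: run on a Windows client that should be identified by user ID.
param(
    [string]$AgentHost = 'agent.example.test',             # placeholder: host running the ID Agent
    [string[]]$DomainControllers = @('dc1.example.test')   # placeholder: your domain controllers
)

function New-Check($Item, [bool]$Ok, $Detail) {
    [pscustomobject]@{ Item = $Item; Pass = $Ok; Detail = $Detail }
}
$results = @()

# 1. Client is a domain member
$cs = Get-CimInstance Win32_ComputerSystem
$results += New-Check '1. Domain member' $cs.PartOfDomain $cs.Domain

# 2. File sharing (assumption: Server service running)
$srv = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
$results += New-Check '2. File sharing (Server service)' ($srv.Status -eq 'Running') "$($srv.Status)"

# 3. Remote Registry service
$rr = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
$results += New-Check '3. Remote Registry service' ($rr.Status -eq 'Running') "$($rr.Status)"

# 4. Firewall exceptions: at least one enabled inbound allow rule in each group.
#    A rule can be enabled yet scoped to a profile that is not active, so review Profile on a failure.
foreach ($group in 'Windows Management Instrumentation (WMI)', 'File and Printer Sharing') {
    $rules = @(Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' })
    $results += New-Check "4. Firewall: $group" ($rules.Count -gt 0) "$($rules.Count) enabled inbound allow rule(s)"
}

# 5. Client can ping the Agent and the Domain Controllers
foreach ($target in @($AgentHost) + $DomainControllers) {
    $ok = Test-Connection -ComputerName $target -Count 2 -Quiet
    $results += New-Check "5. Ping $target" $ok ''
}

$results | Format-Table -AutoSize
```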