Cisco CSC SSM to Active directory integration issue

madhankumar.g
Level 1

Hi,

I have configured the ASA CSC SSM module for AD integration for user-based access control. The domain controller agent has been installed on the AD server, but the agent is not able to communicate with the CSC module. Errors are being generated on both the AD server and the CSC.

There are no network-layer issues between the AD server and the CSC. All the firewalls have been turned off. I suspect some configuration changes need to be done on the AD server or with the agent installation file. I have followed the configuration steps recommended by Cisco for configuring the AD server and the CSC module. I have attached the log files.

Please suggest a solution for this issue. Thank you.

With Regards,

Madhan kumar G.


Jennifer Halim
Cisco Employee

This seems to be a problem with the Windows server's interaction with the TrendMicro IdAgent itself.

Here is the error message (from syscsv):

The Trend Micro IdAgent service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

And also the following (from apcsv):

Windows Installer reconfigured the product. Product Name: Trend Micro IdAgent. Product Version: 1.0.0.0. Product Language: 1033. Reconfiguration success or error status: 1602.
Product: Trend Micro IdAgent -- Configuration failed.

Please check the Microsoft server machine itself and/or try to uninstall the Trend Micro IdAgent and reinstall it, or try to install the agent on a different Windows machine.

Hope that helps.

Hi Jennifer,

Thanks for your suggestion. I am trying to understand the communication pattern between the CSC module and the domain controller server. Please comment on the following queries.

1. My CSC SSM management IP is in the WAN segment and cannot reach the AD server. Is that a problem for LDAP integration?

2. How does the CSC find the host with the domain controller agent? Obviously we are giving the IP of the host in the user ID configuration of the CSC, but how does the traffic flow occur? What will be the source IP when trying to access the machine hosting the agent?

3. Can I have the agent software on the domain controller server itself?

4. My domain controller server is a Microsoft Windows Server 2008. Does LDAP integration with the CSC module support this version?

5. Does the agent software automatically bind itself to the IP address of the hosting machine? After installing the agent on the Windows server, I ran the 'netstat' command to check the port binding. The port binding was "0.0.0.0:65015 listening". Is there an issue here, in that the port is not bound to the IP of the Windows server?

Please reply to these queries.

Thanks and Regards,

Madhan kumar G.

Hi,

I am facing one more problem with the CSC integration with AD. Now the integration is fine and all configurations are done, but user-based access control is still not working.

I am testing with a Linux-based client machine. Is there an issue with that?

Regards,

Madhan kumar G

Hi,

In continuation of the previous post, I can see the following line in the debug file: "Query Id for (10.10.10.2) but not found".

I have attached the debug output of the ID Agent.

Regards,

Madhan kumar G

mirober2
Cisco Employee

Hi Madhan,

The error you see in the Event Viewer for the IDAgent service looks to be caused by the configuration of the service in Windows. Here is a link from Microsoft TechNet that explains how to allow the service to run interactively:

http://technet.microsoft.com/en-us/library/cc756339(WS.10).aspx

Hope that helps.

-Mike

Hi Mike,

Thanks for your suggestion. I am trying to understand the communication pattern between the CSC module and the domain controller server. Please comment on the following queries.

1. My CSC SSM management IP is in the WAN segment and cannot reach the AD server. Is that a problem for LDAP integration?

2. How does the CSC find the host with the domain controller agent? Obviously we are giving the IP of the host in the user ID configuration of the CSC, but how does the traffic flow occur? What will be the source IP when trying to access the machine hosting the agent?

3. Can I have the agent software on the domain controller server itself?

4. My domain controller server is a Microsoft Windows Server 2008. Does LDAP integration with the CSC module support this version?

5. Does the agent software automatically bind itself to the IP address of the hosting machine? After installing the agent on the Windows server, I ran the 'netstat' command to check the port binding. The port binding was "0.0.0.0:65015 listening". Is there an issue here, in that the port is not bound to the IP of the Windows server?

Please reply to these queries.

Thanks and Regards,

Madhan kumar G.

Hi,

I have found the answers to my queries.

1. The AD integration issue was because my CSC SSM management IP could not reach Active Directory.

2. There should be IP reachability from the CSC SSM management IP to Active Directory.

3. The agent software can be installed on the domain controller itself (recommended procedure).

4. The domain controller can be a Microsoft Windows 2008 server. In such a case, the agent should also reside on a Windows 2008 machine only.

5. The agent automatically binds itself to the IP of the hosting machine.

Thank you.

Regards,

Madhan kumar G.

Hi all,

I also have an issue with the connection to the domain controller server.

The connectivity with the domain controller agent is working fine. LDAP lookup is working as well.

Here is the setup:

- The domain controller agent is installed on a Windows 2003 32-bit AD member

- The domain controller server(s) are Windows 2008 64-bit (there is no 32-bit server to try)

- Auto-detect shows all AD servers, but they are not connected

I tried to install the agent on a Windows 2008 64-bit server, but without luck.

Can it be an issue with the AD server (Windows 2008 64-bit)? Can the domain controller agent only work in a 32-bit environment?

Thanks,

Norbert

Hi,

I am using a Microsoft Windows 2008 server, 64-bit version. My CSC is connected to AD. I hope you have provided the AD admin user credentials in the "Domain controller server credentials" field on the user ID settings page. If not, provide them and try again. Use the "\" format for the username.

Hope that helps.

Regards,

Madhan kumar G.

Hi,

Thanks for the reply. Which CSC version do you have?

I could not establish a connection between the CSC and Windows 2008 (64-bit) through the Domain Controller Agent...

Thanks,

Norbert

Hi Norbert,

Is the "Trend Micro IdAgent" service started on the Windows server? Check the output of 'netstat -anb | more' on the Windows server to make sure that the ID Agent process is listening on the same port that is configured on the Administration > User ID Settings tab on the CSC admin page. Also, double check that there is no firewall enabled on the Windows server that would block access on this port.

The steps defined in this troubleshooting guide may help you find the problem as well:

http://www.cisco.com/en/US/docs/security/csc/csc63/administration/guide/csc8.html#wp1147111

Hope that helps.

-Mike

Hi Mike,

The connection between CSC and the TrendMicro Agent is fine.

I can do the auto-discovery to get the AD controllers as well, but this connection isn't working.

The weird thing is, it can connect to an "old" Windows 2000 AD controller but not to the Windows 2008 (64-bit) AD controller.

I will run the debug on the TrendMicro Agent to track it down...

Greets,

Norbert

Dear All,

I am also facing the same issue. I tried with Windows 2003 and it was working, but when I installed on Windows 2008 64-bit, no success.

I defined some exceptions on the CSC which do not work if I define a user ID, while if I define the workstation IP they start working.

Is it an issue with Windows 2008, or is a different agent required for Windows 2008 R2 64-bit?

Regards,

Azhar

Hi,

Below are the suggestions from the TAC engineer, which rectified the issue in my case. Hope this helps your scenario.

Verify the following:

1. The client machines should be part of the Windows domain.

2. File sharing should be enabled on the client machine.

3. The "Remote Registry" service should be enabled.

4. On the Windows firewall, select "Windows Management Instrumentation (WMI)" as an exception program to allow inbound WMI calls. Also, make sure that "File and Printer Sharing" is part of the exception list.

5. The client is able to ping the Agent and the Domain Controllers.
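As an added example (not part of this thread, and not Cisco's or Trend Micro's code), the following read-only PowerShell checklist runs the checks from Mike's post above and from this TAC list on a Windows host: the IdAgent service state and its listening port, the Remote Registry and Server (file sharing) services, domain membership, the inbound firewall rule groups for WMI and File and Printer Sharing, and ping to the agent host and the domain controllers. The service display name "Trend Micro IdAgent" and port 65015 are taken from the thread; the parameter names and the parsing of netstat/netsh output (assumed to be in English) are this example's own assumptions, chosen so that it also works on Windows Server 2008, which predates the Get-NetTCPConnection and Get-NetFirewallRule cmdlets.

```powershell
# Added example: read-only troubleshooting checklist for the CSC SSM user-ID
# integration. Run on the host carrying the IdAgent (service and port checks) or on
# a client workstation (domain, services, firewall and ping checks). Not the
# thread's or the vendors' code; parameter names and output parsing are assumptions.
param(
    [int]$AgentPort = 65015,                  # port from Administration > User ID Settings on the CSC
    [string[]]$AgentHosts = @(),              # hostnames/IPs of the ID Agent machine(s) to ping
    [string[]]$DomainControllers = @()        # domain controllers the client must reach
)

$results = @()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Name; Pass = $Ok; Detail = $Detail }
}

# Check 1: the machine must be joined to the Windows domain.
$cs = Get-WmiObject -Class Win32_ComputerSystem
Add-Check "Joined to domain" ([bool]$cs.PartOfDomain) ([string]$cs.Domain)

# Checks 2 and 3: Server service (file sharing) and Remote Registry, plus the IdAgent itself.
foreach ($svcName in "LanmanServer", "RemoteRegistry") {
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    $state = if ($svc) { [string]$svc.Status } else { "not installed" }
    Add-Check "Service $svcName running" ($state -eq "Running") $state
}
$agent = Get-Service -DisplayName "Trend Micro IdAgent" -ErrorAction SilentlyContinue
$agentState = if ($agent) { [string]$agent.Status } else { "not installed" }
Add-Check "IdAgent service running" ($agentState -eq "Running") $agentState

# Agent listener: the thread shows the agent bound to 0.0.0.0:65015, so any local address is accepted.
$listenPattern = "^\s*TCP\s+\S+:{0}\s+\S+\s+LISTENING" -f $AgentPort
$listeners = @(netstat -ano | Select-String -Pattern $listenPattern)
$listenerDetail = ($listeners | ForEach-Object { $_.Line.Trim() }) -join "; "
Add-Check "IdAgent listening on TCP/$AgentPort" ($listeners.Count -gt 0) $listenerDetail

# Check 4: inbound firewall rule groups for WMI and File and Printer Sharing must be enabled.
# netsh prints one blank-line separated block per rule; a block counts when its
# "Grouping:" line matches and its "Enabled:" line says Yes.
$ruleText = netsh advfirewall firewall show rule name=all dir=in | Out-String
$ruleBlocks = $ruleText -split "(?:\r?\n){2,}"
function Test-RuleGroupEnabled([string]$GroupPattern) {
    $enabled = @($ruleBlocks | Where-Object {
        ($_ -match "Grouping:\s+.*$GroupPattern") -and ($_ -match "Enabled:\s+Yes")
    })
    return ($enabled.Count -gt 0)
}
Add-Check "Firewall allows inbound WMI" (Test-RuleGroupEnabled "Windows Management Instrumentation") ""
Add-Check "Firewall allows File and Printer Sharing" (Test-RuleGroupEnabled "File and Printer Sharing") ""

# Check 5: the client must be able to ping the agent host(s) and the domain controllers.
foreach ($target in ($AgentHosts + $DomainControllers)) {
    $ok = Test-Connection -ComputerName $target -Count 2 -Quiet -ErrorAction SilentlyContinue
    Add-Check "Ping $target" ([bool]$ok) ""
}

$results | Format-Table Check, Pass, Detail -AutoSize
```

Run it from an elevated PowerShell prompt as, for example, `.\Check-CscUserId.ps1 -AgentPort 65015 -AgentHosts agent01 -DomainControllers dc01, dc02` (the script file name and host names are placeholders). Every row with Pass = False maps back to one numbered item in the TAC list, which keeps the fix targeted instead of disabling the firewall wholesale as the original post describes.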
