Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

IBFW with a MS terminal server

Hello,

Does someone know how to implement IBFW with a Microsoft Terminal server.

I'm trying to install this in my LAB. (https://supportforums.cisco.com/docs/DOC-20366)

But it doesn't seem to be working well with the cisco AD agent.

Network.jpg

TS.jpg                  

I had a working situation with all Windows 2008 servers.

But the AD Agent couldn't work with different users on the MS terminal server.

It attaches the user to an IP. If more then one user connects via the same IP the ACL rules don't work anymore.

Rules.jpg

We found this as a possible solution.

http://blogs.msdn.com/b/rds/archive/2009/07/09/configuring-remote-desktop-ip-virtualization-part-1.aspx

But after upgrade DMZ server to win2k8r2 it doesn't work at all, when connecting from the DMZ.

Stange IP connectivity. (ping to IIS on the inside works / http-https not. And this did work before implementing IP virt.)

Also a strange ipconfig in the RDP session:

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.173.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 169.254.57.119
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   IPv4 Address. . . . . . . . . . . : 169.254.150.193
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 192.168.173.1

And the AD client doesn't see the user's logged in....

Can anyone help with this.

Do you have this working? Or another Cisco solution? F.e. a MS terminal server AD agent like SonicWall can do.

Regards, Peter

3 REPLIES
New Member

IBFW with a MS terminal server

Installed the DHCP server role on the TS.

It gives the user a address from the pool (.11 - .254), but the AD agent can't correlate this to the user.

There is only one user active and not with the pool address, but with the TS address.

With 2 users with a TS session the ipconfig shows:

TS IP 192.168.173.10 and two pool addresses .11 and .12

This does the ASA see:

New Member

IBFW with a MS terminal server

Wireshark in the TS session shows that the session uses different source addresses.

F.e. I'm seeing source 192.168.173.10 to 10.192.142.29. And to the internet / and to 10.192.142.28 (IIS) it uses source address 192.168.173.13!???

New Member

IBFW with a MS terminal server

Answer Cisco:

If you mean that CDA is used for identity FW and you also are using sessions from a TS through the ASA... this won't work. As discussed above: the TS users, use the same source IP. The CDA can't make a user-IP mapping.

IBFW on the ASA works only for users, logged on to PC's in a MS domain.

412
Views
0
Helpful
3
Replies
CreatePlease to create content