New Member

IBFW with a MS terminal server


Does someone know how to implement IBFW with a Microsoft Terminal Server?

I'm trying to install this in my LAB. (

But it doesn't seem to be working well with the Cisco AD agent.



I had a working situation with all Windows 2008 servers.

But the AD Agent couldn't work with different users on the MS terminal server.

It attaches the user to an IP. If more than one user connects via the same IP, the ACL rules don't work anymore.


We found this as a possible solution.

But after upgrading the DMZ server to Win2k8R2 it doesn't work at all when connecting from the DMZ.

Strange IP connectivity. (Ping to IIS on the inside works / HTTP-HTTPS does not. And this did work before implementing IP virt.)

Also a strange ipconfig in the RDP session:

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . :
   Subnet Mask . . . . . . . . . . . :
   IPv4 Address. . . . . . . . . . . :
   Subnet Mask . . . . . . . . . . . :
   IPv4 Address. . . . . . . . . . . :
   Subnet Mask . . . . . . . . . . . :
   Default Gateway . . . . . . . . . :

And the AD client doesn't see the users logged in...

Can anyone help with this?

Do you have this working? Or another Cisco solution? E.g. an MS Terminal Server AD agent, like SonicWall can do.

Regards, Peter

New Member

IBFW with a MS terminal server

Installed the DHCP server role on the TS.

It gives the user an address from the pool (.11 - .254), but the AD agent can't correlate this to the user.

There is only one user active, and not with the pool address but with the TS address.

With 2 users with a TS session the ipconfig shows:

TS IP and two pool addresses .11 and .12

This is what the ASA sees:

New Member

IBFW with a MS terminal server

Wireshark in the TS session shows that the session uses different source addresses.

E.g. I'm seeing source to And to the internet / and to (IIS) it uses source address!???

New Member

IBFW with a MS terminal server

Answer Cisco:

If you mean that CDA is used for the identity FW and you are also using sessions from a TS through the ASA... this won't work. As discussed above, the TS users use the same source IP. The CDA can't make a user-IP mapping.

IBFW on the ASA works only for users logged on to PCs in an MS domain.
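As an added illustration that is not part of this thread and not Cisco or CDA code: a small Python model of the constraint described in the answer above. It builds a one-user-per-IP table from constructed logon events (newest logon wins, which is an assumption of this example about how a simple agent behaves, not a statement about CDA internals), shows that a user-based ACL evaluated against that table attributes one terminal-server user's traffic to another user, and adds a check that flags source IPs seen with several users so that flows from such hosts are not decided on identity at all. The event layout, IP addresses, user names and ACL are all constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LogonEvent:
    """One domain logon observation: when, who, from which source IP.
    The field layout is an assumption of this example, not an agent's real format."""
    timestamp: int
    user: str
    source_ip: str


# Constructed sample events: alice on her own PC; bob and carol both logged on
# to a terminal server, so both appear behind the TS address 192.0.2.20.
SAMPLE_EVENTS = [
    LogonEvent(0, "alice", "192.0.2.10"),
    LogonEvent(100, "bob", "192.0.2.20"),
    LogonEvent(200, "carol", "192.0.2.20"),
]

# Constructed user-based policy: user -> destinations that user may reach.
SAMPLE_ACL = {
    "alice": {"10.0.0.5"},
    "bob": set(),
    "carol": {"10.0.0.5"},
}


def build_mapping(events):
    """One-user-per-IP table; the newest logon overwrites any earlier user
    (assumed agent behaviour for this example)."""
    mapping = {}
    for ev in sorted(events, key=lambda e: e.timestamp):
        mapping[ev.source_ip] = ev.user
    return mapping


def shared_ips(events, window=3600):
    """IPs from which several distinct users logged on within `window`
    seconds of each other: the signature of a terminal server or other shared host."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.timestamp):
        by_ip[ev.source_ip].append(ev)
    shared = {}
    for ip, evs in by_ip.items():
        users = set()
        for i, ev in enumerate(evs):
            for later in evs[i + 1:]:
                if later.timestamp - ev.timestamp <= window and later.user != ev.user:
                    users.update((ev.user, later.user))
        if users:
            shared[ip] = users
    return shared


def naive_decision(mapping, acl, src_ip, dst_ip):
    """Decide purely from the IP-to-user table, as a firewall that trusts it would."""
    user = mapping.get(src_ip)
    if user is None:
        return "deny"
    return "permit" if dst_ip in acl.get(user, set()) else "deny"


def safe_decision(mapping, shared, acl, src_ip, dst_ip):
    """Same decision, but refuse to attribute traffic from an IP shared by several users."""
    if src_ip in shared:
        return "deny-shared-ip"
    return naive_decision(mapping, acl, src_ip, dst_ip)


def demo(events=SAMPLE_EVENTS, acl=SAMPLE_ACL):
    """Run both decision styles over the constructed data and return the results."""
    mapping = build_mapping(events)
    shared = shared_ips(events)
    return {
        "mapping": mapping,
        "shared": shared,
        # bob's traffic from the TS is judged as carol's, so bob gets through:
        "naive_ts": naive_decision(mapping, acl, "192.0.2.20", "10.0.0.5"),
        "safe_ts": safe_decision(mapping, shared, acl, "192.0.2.20", "10.0.0.5"),
        "safe_pc": safe_decision(mapping, shared, acl, "192.0.2.10", "10.0.0.5"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The mapping ends up holding only carol for the TS address although bob is still logged on, which is exactly the "attaches the user to an IP" problem from the first post; the shared-IP check is the kind of sanity test worth running over logon data before relying on identity rules for a given source range.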
