remote vpn question

cstpierre4
Level 1

Hello,

We have a Cisco ASA 5520. We have remote users that VPN into this device and, once connected, use Microsoft Office Communicator for IM.


The issue is with sharing desktops. When users are inside the network they can share. When a user is inside the network they can share with a user that is VPN'd in.

The issue is when two users are remotely connected via VPN: they can IM but are unable to share their desktop.

I would just like to know if this is possible (two remote VPN connections sharing a desktop) and, if so, whether it would be an ACL issue that is probably preventing it?

Thanks, any suggestions would be appreciated.

4 Replies

stuart
Level 1

Hi,

Quick answer is yes, it is possible, but it may ultimately depend on your OCS configuration.

Like most Microsoft apps out of the box it uses random ports (1024-65535) for a large portion of its communications, which hopefully your server guys are locking down to a smaller, more manageable range.

The first thing I would try on your ASA, though, is to enable hairpinning so the VPN users can communicate with each other.

This is done using:

same-security-traffic permit intra-interface

Basically allowing traffic to enter and exit the same interface, which is denied by default.

If this still doesn't work you may have to liaise with your OCS team to assist.

If you are sharing between just 2 users the traffic should primarily be peer to peer.

You may want to try sharing to multiple users in a conference, for instance, which forces the traffic for all users through the edge servers instead of peer to peer; this should work.

Unless you're firewalling the VPN traffic I wouldn't expect you to have to enable rules on the ASA.

HTH

Stu
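As an added illustration (not from this thread), here is a constructed ASA CLI session that enables hairpinning the way Stu describes and checks that the line is present before saving; the hostname "asa" is a placeholder.

```cisco
! Constructed example session, not from the thread. "asa" is a placeholder hostname.
! Before the change: with the command absent, the ASA drops any flow that would
! enter and leave the same interface, which includes client-to-client traffic
! between two remote-access VPN sessions terminated on the same interface.
asa# show running-config same-security-traffic
asa#
! Enable hairpinning (intra-interface traffic). This is a global setting and
! applies to every interface, not only the one the VPNs terminate on.
asa# configure terminal
asa(config)# same-security-traffic permit intra-interface
asa(config)# end
! Confirm the line is now in the running configuration, then save it.
asa# show running-config same-security-traffic
same-security-traffic permit intra-interface
asa# write memory
```

The first `show` returning nothing is the default state the thread describes; the second confirms the change took effect.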

Great, thank you.

So by enabling this feature - "same-security-traffic permit intra-interface" - how does it affect any of the existing traffic or the existing VPN traffic?

Thanks


Hi,

Did it fix your issue?

On the ASA, traffic is prohibited from entering and exiting the same interface by default.

This command permits this behavior.

For you I expect that both VPNs are terminating on the same interface (maybe the outside, for example), so as the connection comes in from one VPN it needs to exit the same interface to reach the other VPN. This by default would be denied.

This is a global command so it will affect all interfaces. It shouldn't cause any issues with existing traffic etc.

Stu

Hello,


I haven't tried it yet as I was a little cautious as to what it may affect/break, if anything.

I will have to run this by a few teams before any changes are made to this device.

But you do say that by enabling "same-security-traffic permit intra-interface" it does not affect any existing VPNs or communications, correct?

Thanks for all your information.
