This week we started getting problems from users being rejected by the Ironport S650. This was after correcting a misconfiguration that had the final policy allowing access instead of a global BLOCK access. What we found was that users were sending the machine account instead of the user's AD account name. We did find some hits on allowing winupdate, etc. that the machine apparently attempts on bootup and did that. We are still seeing the problem. One user especially starts on wireless OK for <1 hr, then no access for 18 min. (timeout is 15 min) and the next request sends the machine name. The user switches to a wired connection and sends the AD user name. Then there is an 8 minute break and the user is sending the machine name again. This is happening for about 6 users out of 900. Is there any way to get the Ironport to ignore machine accounts (no $@AD allowed?)
We are on 7.1.3-014 on the Ironport, AD is 2008R2. Users are XP and Windows 7.
If you are able/willing to move to 7.5, there's a new feature that allows you to define a timeout value for how long the WSA uses the machine credentials. After the timeout, it prompts users to enter their own credentials. This is a way to work around Windows' NCSI feature. You can read about this feature/enhancement in the 7.5 release notes here:
And that references where you can read about the feature in the 7.5 user guide. (The “Working with Windows 7 and Windows Vista” section in the “Authentication” chapter of the Cisco IronPort AsyncOS for Web User Guide.)
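As an added, constructed example (not from this thread and not Cisco's own tooling): a small Python script that scans a simplified, squid-style proxy access log (an assumed layout, not the real WSA accesslog format) for identities ending in `$`, i.e. AD computer accounts, and reports per client IP the idle gap before a user identity flipped to a machine identity. Comparing those gaps against the surrogate timeout (15 min here, as in the original post) lets you confirm whether the flips line up with the NCSI/idle-timeout behaviour described above before changing policy.

```python
import re

# Constructed, simplified squid-style access log: epoch time, client IP,
# quoted authenticated identity, method, URL, status. Not real WSA output;
# adjust LINE_RE to match the accesslog layout your appliance writes.
SAMPLE_LOG = """\
1300000000.000 10.1.1.5 "ACME\\jsmith" GET http://intranet/ 200
1300002400.000 10.1.1.5 "ACME\\jsmith" GET http://mail/ 200
1300003480.000 10.1.1.5 "ACME\\WS-1234$" GET http://www.msftncsi.com/ncsi.txt 403
1300003500.000 10.1.1.5 "ACME\\WS-1234$" GET http://intranet/ 403
1300003600.000 10.1.1.7 "ACME\\ajones" GET http://intranet/ 200
1300003700.000 10.1.1.7 "ACME\\ajones" GET http://intranet/ 200
"""

LINE_RE = re.compile(r'^(\d+\.\d+) (\S+) "([^"]*)" (\S+) (\S+) (\d{3})$')


def is_machine_account(identity):
    """AD computer accounts carry a trailing '$' (DOMAIN\\HOST$); users do not."""
    return identity.endswith("$")


def find_machine_account_switches(log_text, timeout_seconds=15 * 60):
    """One record per client IP each time its identity flips from a user to a
    machine account, with the idle gap before the flip and whether it exceeded
    the surrogate timeout (hypothetical threshold, default 15 min)."""
    last_seen = {}  # client IP -> (timestamp, identity) of its previous request
    switches = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ts, client, identity = float(m.group(1)), m.group(2), m.group(3)
        prev = last_seen.get(client)
        if prev and is_machine_account(identity) and not is_machine_account(prev[1]):
            gap = ts - prev[0]
            switches.append({
                "client": client,
                "user": prev[1],
                "machine": identity,
                "gap_seconds": gap,
                "exceeded_timeout": gap > timeout_seconds,
            })
        last_seen[client] = (ts, identity)
    return switches


if __name__ == "__main__":
    for s in find_machine_account_switches(SAMPLE_LOG):
        print(f"{s['client']}: {s['user']} -> {s['machine']} after "
              f"{s['gap_seconds'] / 60:.0f} min (past timeout: {s['exceeded_timeout']})")
```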