Firewall Devices
Firewalls that perform NAT are covered in the preceding section. For firewalls
that do not perform NAT, remote ACS administrative sessions that cross the firewall
require additional configuration of both the ACS software and the firewall, because
ACS assigns a random HTTP port at the start of each remote administrative session.
Configure the firewall to permit HTTP traffic on the range of TCP ports that ACS
is configured to use. That range is set with the ACS HTTP port allocation feature,
which restricts the TCP ports Cisco Secure ACS uses for remote administrative HTTP
sessions. The firewall must also permit HTTP traffic to TCP port 2002, because this
is the port a remote web browser must reach to initiate an administrative session.
To reduce the risk that an unauthorized user discovers an active administrative
port, keep the HTTP port range as narrow as possible, and restrict the firewall
rule to the source addresses of the authorized administrative hosts. An unauthorized
user would then have to impersonate, or "spoof," the IP address of the legitimate
remote host to use the HTTP port of the active administrative session.
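As an added example (not from the original page or from Cisco's ACS documentation), the following Cisco ASA access list permits a remote administrative session through a non-NAT firewall. It assumes a hypothetical ACS server at 192.0.2.10, a single authorized administrative workstation at 198.51.100.5, and an ACS HTTP port allocation range of 2010-2019; all three values are placeholders to be replaced with the real ones. The first rule admits the initial connection to port 2002, the second admits the randomly assigned session port, and the commented-out rule shows the over-broad alternative that the guidance above tells you to avoid.

```cisco
! Assumed values (hypothetical): ACS server 192.0.2.10,
! admin workstation 198.51.100.5, ACS HTTP port allocation range 2010-2019.
!
! Initial administrative connection: the browser always starts on TCP 2002.
access-list OUTSIDE_IN extended permit tcp host 198.51.100.5 host 192.0.2.10 eq 2002
!
! Session port: ACS picks one TCP port from its configured allocation range
! after the session is initiated, so the firewall must admit that whole range.
! Keep this range as narrow as the number of concurrent admin sessions allows.
access-list OUTSIDE_IN extended permit tcp host 198.51.100.5 host 192.0.2.10 range 2010 2019
!
! Over-broad alternative: do NOT use. Leaving ACS on "any port" and opening the
! full high-port range exposes every session port to discovery from any source.
! access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 range 1024 65535
!
access-group OUTSIDE_IN in interface outside
```

Verify the result from the administrative workstation by opening a session to http://192.0.2.10:2002/ and confirming that the browser is redirected to a port inside the configured range; a session that hangs after the initial page is the usual sign that the firewall range and the ACS HTTP port allocation range do not match.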