LISTSERV - CLEANACCESS Archives - LISTSERV.MIAMIOH.EDU

CLEANACCESS Archives

April 2009

CLEANACCESS@LISTSERV.MIAMIOH.EDU

	LISTSERV Archives
	CLEANACCESS Home
	CLEANACCESS April 2009

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Re: CLEANACCESS Digest - 23 Apr 2009 to 24 Apr 2009 (#2009-77)
From:	Daniel Sichel <[log in to unmask]>
Reply To:	Cisco Clean Access Users and Administrators <[log in to unmask]>
Date:	Mon, 27 Apr 2009 08:42:37 -0700
Content-Type:	text/plain
Parts/Attachments:	text/plain (60 lines)

>Does anyone have a list of TCP\UDP ports that need to be allowed for a
>PC to be part of a Windows domain.  The PCs are behind Clean Access and
>are filtered in a group.  The DC is not behind CA so we've created a
>rule to allow certain ports to be open to communicate back and forth
>with the DC's subnet.  Joining the domain has been remedied but we are
>not getting Group Policies and other domain functions to propagate
>properly.  Anyone who can shed some light would be much appreciated.


I believe the following is recommended
Port 88 tcp and udp
Port 389 tcp and udp
Port 445 tcp and udp
Port 135 tcp and udp
Port 139 tcp

Cisco also lists port 1025 TCP and 3268 tcp and udp, I  am not sure why.
I would also add ports 137 and 138 TCP and UDP, plus, as discussed
below, ICMP traffic to DCs.

You will not get group policies to propagate properly even using the
Cisco
provided checkbox to do a policy update (at least in version 4.5). The
only solution
that we have found is to allow all ip traffic to our DCs. I cannot find
what 
exactly Microsoft is doing even using packet traces, but I did see that
you MUST allow ICMP traffic to the DC
for group policy to happen. Heaven knows why. Also don't forget your
WSUS server. This all means you can't use
Cisco's solution for delaying login (which doesn't really work anyway,
so small loss there). I really wish that I 
Could also get a list of traffic GENUINELY REQUIRED for AD stuff to
work. My guess is that there is a bug in
Clean Access that is not really letting through traffic correctly when
specific ports are delineated, but that
Works fine with the wildcard. However there are not enough hours in the
day to do even more testing for Cisco. 

It is quite clear that their testing of Clean Access in an AD
environment is completely inadequate. Don't expect
That to change any time soon. 

Another thing I just found out (last week) is that netbios (even over
tcp/ip) takes a VERY long time to
Discover shares, so you have to allow a LONG time after the workstation
comes onto the access VLAN
For some shares to appear. This has caused us significant pain and on
top of that, many shortcuts, 
(especially in toolbars for some reason) seem to break.

I have been fighting this for three years, and only recently have I
finally got this working well enough 
To turn my users loose on it. If you use roaming profiles, you will have
even more headaches.

Cheers,

Dan Sichel

ATOM RSS1 RSS2

LISTSERV.MIAMIOH.EDU