Administrative sessions through firewalls, Administrative sessions through a nat gateway – Cisco 3.3 User Manual



1-31

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 1 Overview

Cisco Secure ACS HTML Interface

Also, IP filtering of proxied administrative sessions has to be based on the IP
address of the proxy server rather than the IP address of the computer. This
conflicts with administrative session communication that does use the actual IP
address of the computer. For more information about IP filtering of administrative
sessions, see Access Policy, page 12-11.

For these reasons, we do not recommend performing administrative sessions
using a web browser that is configured to use a proxy server. Administrative
sessions using a proxy-enabled web browser are not tested. If your web browser is
configured to use a proxy server, disable HTTP proxying when attempting
Cisco Secure ACS administrative sessions.

Administrative Sessions through Firewalls

In the case of firewalls that do not perform network address translation (NAT),
administrative sessions conducted across the firewall can require additional
configuration of Cisco Secure ACS and the firewall. This is because Cisco Secure
ACS assigns a random HTTP port at the beginning of an administrative session.

To allow administrative sessions from browsers outside a firewall that protects
Cisco Secure ACS, the firewall must permit HTTP traffic across the range of ports
that Cisco Secure ACS is configured to use. You can control the HTTP port range
using the HTTP port allocation feature. For more information about the HTTP
port allocation feature, see HTTP Port Allocation for Administrative Sessions,
page 1-23.

While administering Cisco Secure ACS through a firewall that is not performing
NAT is possible, we do not recommend that you administer Cisco Secure ACS
through a firewall. For more information, see HTTP Port Allocation for
Administrative Sessions, page 1-23.

Administrative Sessions through a NAT Gateway

We do not recommend conducting administrative sessions across a network
device performing NAT. If the administrator runs a browser on a computer behind
a NAT gateway, Cisco Secure ACS receives the HTTP requests from the public IP
address of the NAT device, which conflicts with the computer's private IP address
included in the content of the HTTP requests. Cisco Secure ACS does not permit
this.
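The two constraints described in the firewall and NAT sections above, modelled as an added example (not Cisco code and not how ACS is implemented internally): a session is usable only if the per-session HTTP port lies in the allocation range the firewall permits, and only if the client address carried inside the request matches the TCP peer address, which a NAT gateway or proxy breaks. The port range, ACS address and session records are constructed, illustrative values, not ACS defaults.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class AdminSession:
    peer_ip: str       # source address seen on the TCP connection to ACS
    embedded_ip: str   # client address found inside the HTTP request content
    http_port: int     # per-session HTTP port that ACS allocated


def port_permitted(port: int, allocation: tuple) -> bool:
    """True if the port lies in the configured allocation range the firewall opens."""
    low, high = allocation
    return low <= port <= high


def address_consistent(session: AdminSession) -> bool:
    """False when peer and embedded addresses differ: the NAT/proxy symptom ACS rejects."""
    return ipaddress.ip_address(session.peer_ip) == ipaddress.ip_address(session.embedded_ip)


def classify(session: AdminSession, allocation: tuple) -> str:
    """Explain why an administrative session would fail, or return 'ok'."""
    if not address_consistent(session):
        return "rejected: address mismatch (NAT gateway or proxy in the path)"
    if not port_permitted(session.http_port, allocation):
        return "blocked: port outside the firewall-permitted allocation range"
    return "ok"


def firewall_rule(acs_ip: str, allocation: tuple) -> str:
    """Illustrative ACL entry (assumed syntax) permitting the whole allocation range."""
    low, high = allocation
    return f"permit tcp any host {acs_ip} range {low} {high}"


if __name__ == "__main__":
    ALLOCATION = (2000, 2999)            # constructed HTTP port allocation range
    print(firewall_rule("192.0.2.10", ALLOCATION))
    samples = [                          # constructed sessions
        AdminSession("10.1.1.5", "10.1.1.5", 2100),          # direct, in range
        AdminSession("203.0.113.7", "192.168.1.20", 2100),   # behind NAT
        AdminSession("10.1.1.5", "10.1.1.5", 40000),         # port not opened
    ]
    for s in samples:
        print(s.peer_ip, s.http_port, "->", classify(s, ALLOCATION))
```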
