Cisco Clean Access Server Installation and Administration Guide, Cisco Clean Access 3.5 (OL-7045-01), page 3-13
Chapter 3 Install the Clean Access Server
CAM/CAS Connectivity Across a Firewall
The Clean Access Manager uses RMI for parts of its communication with the Clean Access Server, which means it uses dynamically allocated ports for this purpose. For customer deployments that have firewalls between the CAS and the CAM, Cisco recommends setting up rules in the firewall that allow communication between the CAS and CAM machines, that is, a rule that allows traffic originating from the CAM destined to the CAS (and vice versa).
For release 3.5(x), TCP ports 80, 443, 1099, and 32768~61000 (usually 32768~32999 are sufficient) are required.
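The port list above translates into a small, host-scoped rule set on the firewall that sits between the CAM and a CAS. The following shell script is an added example, not part of the Cisco guide: it prints (rather than applies) Linux iptables FORWARD rules that permit new TCP connections from the CAM to the CAS and from the CAS to the CAM on the fixed ports and on the dynamic RMI range, plus the usual rule for return traffic. The CAM and CAS addresses, the use of iptables with the conntrack match, and the FORWARD chain are assumptions; adjust the range to 32768:32999 if that is sufficient in your deployment.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): emit the iptables rules a firewall
# between the CAM and a CAS needs for Clean Access 3.5(x). The rules are printed
# so they can be reviewed before being applied on the firewall.
# Assumptions: Linux iptables with the conntrack match, traffic passing through
# the FORWARD chain, CAM and CAS addresses given as arguments.

CAS_TCP_PORTS="80 443 1099"   # fixed TCP ports listed in the guide
RMI_RANGE="32768:61000"       # dynamic RMI range; 32768:32999 is usually sufficient

# cas_cam_rules CAM_IP CAS_IP -> prints rules allowing CAM<->CAS on the ports above
cas_cam_rules() {
    cam="$1"; cas="$2"
    for p in $CAS_TCP_PORTS $RMI_RANGE; do
        # new connections in each direction, restricted to the two hosts
        echo "iptables -A FORWARD -p tcp -s $cam -d $cas --dport $p -m conntrack --ctstate NEW -j ACCEPT"
        echo "iptables -A FORWARD -p tcp -s $cas -d $cam --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # reply packets for the connections accepted above
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# count_rules CAM_IP CAS_IP -> number of ACCEPT rules produced (4 ports x 2 + 1)
count_rules() {
    cas_cam_rules "$1" "$2" | wc -l | tr -d ' '
}

# usage (addresses are constructed examples):
#   cas_cam_rules 192.0.2.10 198.51.100.20
```

Scoping each rule to the CAM and CAS addresses matters because the RMI range is wide; an unscoped rule for 32768:61000 would open most of the ephemeral range to any host on that side of the firewall.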
Configuring the CAS Behind a NAT Firewall
If deploying the Clean Access Server behind a firewall (there is a NAT router between CAS and CAM), you will need to perform the following steps to make the CAS accessible:
1. Connect to the CAS by SSH or use a serial console. Log in as root user.
2. Change directories to /perfigo/agent/bin/.
3. Edit the file startagent.
4. Locate the JAVA_OPTS variable definition in the file.
5. Add -Djava.rmi.server.hostname=<caserver1_hostname> to the variable, replacing caserver1_hostname with the host name of the server you are modifying. For example:
   JAVA_OPTS="-server
   -Djava.util.logging.config.file=/perfigo/agent/conf/logging.properties
   -Dperfigo.jmx.context=${PERFIGO_SECRET} -Xms40m -Xmx40m -Xincgc
   -Djava.rmi.server.hostname=caserver1"
6. Restart the CAS by entering the service perfigo restart command.
7. Repeat the preceding steps for each Clean Access Server in your deployment.
8. Connect to the Clean Access Manager by SSH or using a serial console. Log in as root.
9. Change directories to /etc/.
10. Edit the hosts file by appending the following line:
    <public_IP_address> <caserver1_hostname> <caserver2_hostname>
    where:
    – <public_IP_address> – The address that is accessible outside the firewall.
    – <caserverN_hostname> – The host name of each Clean Access Server (N = 1, 2, ...) behind the firewall.
The CASes should now be addressable behind the firewall.
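Steps 5 and 10 are the two file edits that are easy to get wrong when repeated across several CASes (a second -Djava.rmi.server.hostname flag, or a duplicate hosts line). The following shell script is an added example, not part of the Cisco guide: it performs both edits idempotently, so it can be re-run safely, and takes the file paths as parameters so the functions can be tried on copies before being pointed at /perfigo/agent/bin/startagent and /etc/hosts. The flag is inserted at the start of the JAVA_OPTS value rather than at the end as in the guide's example; the JVM accepts either order. The sample file contents and host names in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the Cisco guide: idempotent versions of step 5
# (add -Djava.rmi.server.hostname to JAVA_OPTS in startagent) and step 10
# (append the public-IP line to the CAM's hosts file). Paths are parameters so
# the functions can be exercised on copies; the sample contents are constructed.

# add_rmi_hostname FILE HOSTNAME
# Inserts -Djava.rmi.server.hostname=HOSTNAME at the start of the JAVA_OPTS="..."
# value in FILE (works whether the assignment is on one line or wrapped), once.
add_rmi_hostname() {
    file="$1"; host="$2"
    if grep -q 'java\.rmi\.server\.hostname=' "$file"; then
        return 0    # already configured; leave the file alone
    fi
    # write to a temp file and move it into place (portable across sed versions)
    sed "s|^JAVA_OPTS=\"|JAVA_OPTS=\"-Djava.rmi.server.hostname=$host |" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# rmi_hostname_of FILE -> prints the host name currently set in JAVA_OPTS, if any
rmi_hostname_of() {
    sed -n 's/.*-Djava\.rmi\.server\.hostname=\([^ "]*\).*/\1/p' "$1" | head -n 1
}

# add_hosts_entry HOSTS_FILE PUBLIC_IP HOSTNAME...
# Appends "PUBLIC_IP host1 host2 ..." unless a line for PUBLIC_IP already exists.
add_hosts_entry() {
    hosts="$1"; ip="$2"; shift 2
    if grep -q "^$ip[[:space:]]" "$hosts"; then
        return 0
    fi
    printf '%s %s\n' "$ip" "$*" >> "$hosts"
}

# hosts_entry_count HOSTS_FILE PUBLIC_IP -> how many lines start with PUBLIC_IP
hosts_entry_count() {
    grep -c "^$2[[:space:]]" "$1"
}

# demo: run both edits twice against constructed copies in a temp directory
demo() {
    d=$(mktemp -d)
    cat > "$d/startagent" <<'EOF'
JAVA_OPTS="-server
-Djava.util.logging.config.file=/perfigo/agent/conf/logging.properties
-Dperfigo.jmx.context=${PERFIGO_SECRET} -Xms40m -Xmx40m -Xincgc"
EOF
    printf '127.0.0.1 localhost\n' > "$d/hosts"
    add_rmi_hostname "$d/startagent" caserver1
    add_rmi_hostname "$d/startagent" caserver1          # second run is a no-op
    add_hosts_entry "$d/hosts" 203.0.113.10 caserver1 caserver2
    add_hosts_entry "$d/hosts" 203.0.113.10 caserver1 caserver2
    echo "rmi hostname in startagent: $(rmi_hostname_of "$d/startagent")"
    echo "hosts lines for 203.0.113.10: $(hosts_entry_count "$d/hosts" 203.0.113.10)"
    cat "$d/hosts"
    rm -rf "$d"
}

demo
```

After running the real edits, verify from the CAM that the RMI host name resolves to the address reachable through the NAT (for example with `getent hosts caserver1`) before restarting the service; if the name still resolves to the CAS's private address, the CAM will be handed an unreachable callback address by RMI.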