Cisco NAC Appliance 4.1.0
Cisco NAC Appliance - Clean Access Server Installation and Administration Guide
OL-12213-01
Chapter 4 Installing the Clean Access Server NAC Appliance
CAM/CAS Connectivity Across a Firewall
See the Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide for details
on which ports to open in a firewall to allow communication between the Clean Access Manager and
Clean Access Server(s).
Configuring the CAS Behind a NAT Firewall
If deploying the Clean Access Server behind a firewall (there is a NAT router between CAS and CAM),
you will need to perform the following steps to make the CAS accessible:
1. Connect to the CAS by SSH or use a serial console. Log in as the root user.
2. Change directories to /perfigo/agent/bin/.
3. Edit the file startagent.
4. Locate the JAVA_OPTS variable definition in the file.
5. Add -Djava.rmi.server.hostname=<caserver1_hostname> to the variable, replacing caserver1_hostname with the host name of the server you are modifying. For example:
   JAVA_OPTS="-server
   -Djava.util.logging.config.file=/perfigo/agent/conf/logging.properties
   -Dperfigo.jmx.context= ${PERFIGO_SECRET} -Xms40m -Xmx40m -Xincgc
   -Djava.rmi.server.hostname=caserver1"
6. Restart the CAS by entering the service perfigo restart command.
7. Repeat the preceding steps for each Clean Access Server in your deployment.
8. Connect to the Clean Access Manager by SSH or using a serial console. Log in as root.
9. Change directories to /etc/.
10. Edit the hosts file by appending the following line:
    <public_IP_address> <caserver1_hostname> <caserver2_hostname>
    where:
    – <public_IP_address> is the address that is accessible outside the firewall.
    – <caserverN_hostname> is the host name of each Clean Access Server behind the firewall.
The CASes should now be addressable behind the firewall.
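The two file edits in the procedure above, written as an added example script that is not part of the Cisco guide: it adds the RMI hostname option to JAVA_OPTS only once, appends the hosts entry only if the public IP is not already listed, and reads back the configured hostname so the change can be checked. It assumes JAVA_OPTS="..." occupies a single line in startagent; file paths are parameters so it can be run on copies before touching the real files.

```shell
#!/bin/sh
# Added example, not a script from the Cisco guide. Assumption: the
# JAVA_OPTS="..." assignment in startagent is a single line.

# add_rmi_hostname FILE HOSTNAME
# Inserts -Djava.rmi.server.hostname=HOSTNAME before the closing quote of
# JAVA_OPTS, once. Returns 1 if FILE has no JAVA_OPTS line.
add_rmi_hostname() {
    grep -q '^JAVA_OPTS=' "$1" || return 1
    grep -q -- '-Djava.rmi.server.hostname=' "$1" && return 0   # already set
    sed -i.bak 's|^\(JAVA_OPTS=.*\)"[[:space:]]*$|\1 -Djava.rmi.server.hostname='"$2"'"|' "$1"
    grep -q -- "-Djava.rmi.server.hostname=$2\"" "$1"          # verify the edit
}

# rmi_hostname FILE
# Prints the hostname currently set on the JAVA_OPTS line (empty if none).
rmi_hostname() {
    sed -n 's|.*-Djava.rmi.server.hostname=\([^ "]*\).*|\1|p' "$1"
}

# add_hosts_entry HOSTS_FILE PUBLIC_IP HOSTNAME...
# Appends "PUBLIC_IP host1 host2 ..." unless PUBLIC_IP already has a line.
add_hosts_entry() {
    hosts=$1; ip=$2; shift 2
    ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')              # literal dots
    grep -q "^$ip_re[[:space:]]" "$hosts" && return 0
    printf '%s %s\n' "$ip" "$*" >> "$hosts"
}

# Demo on constructed copies (the real files are /perfigo/agent/bin/startagent
# on each CAS and /etc/hosts on the CAM). The IP and names are placeholders.
tmp=$(mktemp -d)
cat > "$tmp/startagent" <<'EOF'
#!/bin/sh
JAVA_OPTS="-server -Djava.util.logging.config.file=/perfigo/agent/conf/logging.properties -Xms40m -Xmx40m -Xincgc"
EOF
printf '127.0.0.1 localhost\n' > "$tmp/hosts"
add_rmi_hostname "$tmp/startagent" caserver1
add_rmi_hostname "$tmp/startagent" caserver1        # second run changes nothing
add_hosts_entry "$tmp/hosts" 203.0.113.10 caserver1 caserver2
echo "RMI hostname: $(rmi_hostname "$tmp/startagent")"
cat "$tmp/hosts"
```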