
12-13
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 12      Administrators and Administrative Policy
Access Policy
Cisco Secure ACS uses port 2002 to start all administrative sessions. You 
do not need to include port 2002 in the port range. Also, Cisco Secure 
ACS does not allow you to define an HTTP port range that consists only 
of port 2002. Your port range must consist of at least one port other than 
port 2002.
A firewall configured to permit HTTP traffic over the Cisco Secure ACS 
administrative port range must also permit HTTP traffic through port 
2002, because this is the port a web browser must address to initiate an 
administrative session.
Note: We do not recommend allowing administration of Cisco Secure ACS 
from outside a firewall. If you do choose to allow access to the HTML 
interface from outside a firewall, keep the HTTP port range as narrow 
as possible. This can help prevent accidental discovery of an active 
administrative port by unauthorized users. An unauthorized user 
would have to impersonate, or “spoof,” the IP address of a legitimate 
host to make use of the active administrative session HTTP port.
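The port-range rules above can be checked mechanically before a change is applied. The following is an added example (not from the Cisco guide) that encodes exactly those constraints: port 2002 opens every session and need not be in the range, the range cannot consist of port 2002 alone, and the firewall must permit 2002 plus the whole range; the function and range-string format are assumptions of this example.

```python
"""Validate a Cisco Secure ACS administrative HTTP port range and derive the
set of ports a firewall must permit.  Added example, not part of the guide;
the 'start-end' string format and function names are assumptions."""
from dataclasses import dataclass

ACS_ADMIN_START_PORT = 2002   # fixed port that opens every administrative session


@dataclass(frozen=True)
class PortRange:
    start: int
    end: int


def parse_port_range(text: str) -> PortRange:
    """Parse 'start-end' (or a single port) into a PortRange with bounds checks."""
    parts = text.strip().split("-")
    if len(parts) == 1:
        start = end = int(parts[0])
    elif len(parts) == 2:
        start, end = int(parts[0]), int(parts[1])
    else:
        raise ValueError(f"malformed port range: {text!r}")
    if not (1 <= start <= end <= 65535):
        raise ValueError(f"port range out of bounds or reversed: {text!r}")
    return PortRange(start, end)


def validate_admin_port_range(text: str) -> list[str]:
    """Return the problems with a candidate range; an empty list means ACS accepts it."""
    try:
        r = parse_port_range(text)
    except ValueError as exc:
        return [str(exc)]
    # The range may include 2002, but it must contain at least one other port.
    if all(p == ACS_ADMIN_START_PORT for p in range(r.start, r.end + 1)):
        return ["range consists only of port 2002; add at least one other port"]
    return []


def firewall_ports(text: str) -> set[int]:
    """Ports a firewall must permit for administration: 2002 plus the full range."""
    r = parse_port_range(text)
    return {ACS_ADMIN_START_PORT} | set(range(r.start, r.end + 1))


def range_width(text: str) -> int:
    """Number of extra ports the range exposes besides 2002; keep this small."""
    return len(firewall_ports(text) - {ACS_ADMIN_START_PORT})


if __name__ == "__main__":
    for candidate in ("2002", "2002-2003", "5000-5010", "1024-65535"):
        issues = validate_admin_port_range(candidate)
        status = "INVALID: " + "; ".join(issues) if issues else f"OK, exposes {range_width(candidate)} extra port(s)"
        print(f"{candidate}: {status}")
```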
– Secure Socket Layer Setup—The Use HTTPS Transport for 
Administration Access check box defines whether Cisco Secure ACS 
uses secure socket layer protocol to encrypt HTTP traffic between the 
CSAdmin service and a web browser used to access the HTML interface. 
When this option is enabled, all HTTP traffic between the browser and 
Cisco Secure ACS is encrypted, as reflected by the URLs, which begin 
with HTTPS. Additionally, most browsers include an indicator for when 
a connection is SSL-encrypted.
To enable SSL, you must have completed the steps in Installing a 
Cisco Secure ACS Server Certificate, page 10-35, and Adding a 
Certificate Authority Certificate, page 10-37.