13-5
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 13 Managing Identity-Aware Firewall Policies
Overview of Identity-Aware Firewall Policies
NetBIOS logout probing
(Optional.)
If you enable NetBIOS logout probing, the ASA can use NetBIOS to
determine if an inactive user is logged off so the user can be removed
from the database. The probe uses UDP-encapsulated NetBIOS traffic.
Thus, you must ensure that access rules allow the following traffic on
the networks between the ASA, AD agent, and user workstations:
Query packets: any UDP source port to UDP port 137 (UDP/137).
Query responses: UDP/137 source port to any UDP port.
In addition, you must configure workstations to provide user name
information in NetBIOS reply packets. For Windows workstations, you
need to enable the messenger service and configure WINS. If the
messenger service is not turned on, the response from the workstation
is the same whether the user is logged on or off.
Tips
The NetBIOS logout probe is never used with VPN or cut-through
proxy users.
The ASA has an inactive user timeout that is also used to remove
users from the database. The timer applies to all user types. Thus,
implementing NetBIOS probing is not required to remove inactive
users from the database.
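As an added illustration that is not part of this guide, the following ASA CLI access-list entries (the kind of access rules Security Manager deploys) permit the two NetBIOS flows listed above; the ACL name, object-group names and subnets are constructed placeholders, and the example assumes the AD agent and the user workstations sit behind the same inside interface.

```cisco
! Added example, not from the Cisco guide: ASA extended ACL entries that allow
! NetBIOS logout probing. Names and addresses below are constructed placeholders.
object-group network PROBE_SOURCES
 description AD agent and ASA-side probing hosts (constructed addresses)
 network-object 10.0.1.0 255.255.255.0
object-group network USER_WORKSTATIONS
 description Workstation subnets covered by identity-aware rules (constructed)
 network-object 10.0.20.0 255.255.254.0
!
! Query packets: any UDP source port to UDP/137 on the workstations.
access-list INSIDE_IN remark NetBIOS logout probe queries (probers -> workstations, UDP/137)
access-list INSIDE_IN extended permit udp object-group PROBE_SOURCES object-group USER_WORKSTATIONS eq 137
!
! Query responses: source port UDP/137 on the workstation back to any UDP port.
! The source-port operator follows the source address, not the destination.
access-list INSIDE_IN remark NetBIOS logout probe responses (workstations UDP/137 -> probers)
access-list INSIDE_IN extended permit udp object-group USER_WORKSTATIONS eq 137 object-group PROBE_SOURCES
!
access-group INSIDE_IN in interface inside
```

If a rule is missing, the probe query or its reply is silently dropped and the workstation response looks the same as a logged-off user, so verify both entries hit in the ACL counters after enabling probing.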
Table 13-1 Requirements for Identity-Aware Firewall Policies (Continued)
Requirement Description