1-25
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Chapter 1 Overview of Cisco Secure ACS
CiscoSecure ACS HTML Interface
For these reasons, we do not recommend performing administrative sessions
using a web browser that is configured to use a proxy server. Administrative
sessions using a proxy-enabled web browser have not been tested. If your web
browser is configured to use a proxy server, disable HTTP proxying when
attempting remote Cisco Secure ACS administrative sessions.
Remote Administrative Sessions through Firewalls
In the case of firewalls that do not perform network address translation (NAT),
remote administrative sessions conducted across the firewall can require
additional configuration of Cisco Secure ACS and the firewall. This is because
Cisco Secure ACS assigns a random HTTP port at the beginning of a remote
administrative session.
To allow remote administrative sessions from browsers outside a firewall that
protects a Cisco Secure ACS server, the firewall must allow HTTP traffic across
the range of ports that Cisco Secure ACS is configured to use. You can control the
HTTP port range using the HTTP port allocation feature. For more information
about the HTTP port allocation feature, see the HTTP Port Allocation for
Remote Administrative Sessions section on page 1-19.
While administering Cisco Secure ACS through a firewall that is not performing
NAT is possible, we do not recommend that you administer CiscoSecure ACS
through a firewall. For more information, see the HTTP Port Allocation for
Remote Administrative Sessions section on page 1-19.
Remote Administrative Sessions through a NAT Gateway
We do not recommend conducting remote administrative sessions across a
network device performing NAT. If the administrator runs a browser on a
workstation behind a NAT gateway, Cisco Secure ACS receives the HTTP
requests from the NAT device's public IP address, which conflicts with the
workstation's private IP address included in the content of the HTTP requests.
Cisco Secure ACS does not permit this.
If the Cisco Secure ACS server is behind a NAT gateway, you could configure the
gateway to forward all connections to port 2002 to the Cisco Secure ACS server,
using the same port. Additionally, all the ports allowed using the HTTP port
allocation feature would have to be similarly mapped. We have not tested such a
configuration and do not recommend implementing it.
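The two requirements above, that a firewall pass port 2002 plus every port in the HTTP port allocation range and that a NAT gateway forward each of those ports to the same port on the Cisco Secure ACS server, are easy to get wrong by one port. The following added example (not Cisco's code; the port range, server address and forwarding table are constructed) checks a firewall allow list and a NAT forwarding table against those requirements and reports exactly which ports would break a session.

```python
# Added example (not from the Cisco guide): verify that a firewall or NAT gateway
# lets a remote Cisco Secure ACS administrative session complete.  The guide states
# that the browser first reaches TCP/2002 and is then moved to a random port in the
# HTTP port allocation range, so the firewall must pass the whole range and a NAT
# gateway must forward each of those ports to the same port number.

ACS_INITIAL_PORT = 2002  # initial administrative port named in the guide


def required_ports(port_range):
    """Every TCP port a remote administrative session may use."""
    low, high = port_range
    if not (1 <= low <= high <= 65535):
        raise ValueError("invalid HTTP port allocation range: %r" % (port_range,))
    return {ACS_INITIAL_PORT} | set(range(low, high + 1))


def check_firewall(port_range, allowed_ports):
    """Firewall without NAT: return the required ports the firewall does not pass."""
    return sorted(required_ports(port_range) - set(allowed_ports))


def check_nat_forwards(port_range, forwards, acs_host):
    """NAT gateway: forwards maps public port -> (private host, private port).
    Returns the required ports that are not forwarded at all, and those that are
    forwarded to a different host or port number (which breaks the session, as
    the guide describes)."""
    needed = required_ports(port_range)
    missing = sorted(p for p in needed if p not in forwards)
    bad = sorted(p for p in needed if p in forwards and forwards[p] != (acs_host, p))
    return {"missing": missing, "mis-mapped": bad}


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    allocated = (4000, 4009)          # hypothetical HTTP port allocation range
    acs = "10.0.0.5"                  # hypothetical private address of the ACS server
    fw_allowed = range(4000, 4010)    # 2002 omitted: the first request never arrives
    print("firewall missing:", check_firewall(allocated, fw_allowed))
    nat = {p: (acs, p) for p in range(4000, 4008)}   # 4009 never forwarded
    nat[2002] = (acs, 2002)
    nat[4008] = (acs, 8080)           # forwarded to the wrong port
    print("nat:", check_nat_forwards(allocated, nat, acs))
```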