Overview Of Integrity Server And Security Appliance Interaction; Configuring Integrity Server Support - Cisco FirePOWER ASA 5500 series Configuration Manual

Chapter 13
Configuring AAA Servers and the Local Database

Overview of Integrity Server and Security Appliance Interaction

The VPN client software and the Integrity client software are co-resident on a remote PC. The following
steps summarize the actions of the remote PC, security appliance, and Integrity server in the
establishment of a session between the PC and the enterprise private network:
1. The VPN client software (residing on the same remote PC as the Integrity client software) connects to the security appliance and tells the security appliance what type of firewall client it is.
2. Once it approves the client firewall type, the security appliance passes Integrity server address information back to the Integrity client.
3. With the security appliance acting as a proxy, the Integrity client establishes a restricted connection with the Integrity server. A restricted connection is only between the Integrity client and server.
4. The Integrity server determines if the Integrity client is in compliance with the mandated security policies. If the client is in compliance with security policies, the Integrity server instructs the security appliance to open the connection and provide the client with connection details.
5. On the remote PC, the VPN client passes connection details to the Integrity client and signals that policy enforcement should begin immediately and the client can now enter the private network.
6. Once the connection is established, the server continues to monitor the state of the client using client heartbeat messages.

Note
The current release of the security appliance supports one Integrity Server at a time even though the user interfaces support the configuration of up to five Integrity Servers. If the active Server fails, configure another Integrity Server on the security appliance and then reestablish the client VPN session.

Configuring Integrity Server Support

This section describes an example procedure for configuring the security appliance to support the Zone Labs Integrity Servers. The procedure involves configuring address, port, connection fail timeout and fail states, and SSL certificate parameters.
First, you must configure the hostname or IP address of the Integrity server. The following example commands, entered in global configuration mode, configure an Integrity server using the IP address 10.0.0.5. They also specify port 300 (the default port is 5054) and the inside interface for communications with the Integrity server.
hostname(config)# zonelabs-integrity server-address 10.0.0.5
hostname(config)# zonelabs-integrity port 300
hostname(config)# zonelabs-integrity interface inside
hostname(config)#
If the connection between the security appliance and the Integrity server fails, the VPN client connections remain open by default so that the enterprise VPN is not disrupted by the failure of an Integrity server. However, you may want to close the VPN connections if the Zone Labs Integrity Server fails. The following commands ensure that the security appliance waits 12 seconds for a response from either the active or standby Integrity servers before declaring the Integrity server failed and closing the VPN client connections:
hostname(config)# zonelabs-integrity fail-timeout 12
hostname(config)# zonelabs-integrity fail-close
hostname(config)#
OL-10088-01
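The procedure above leaves one security-relevant decision to the administrator: by default the appliance fails open (VPN sessions stay up when the Integrity server is unreachable), and fail-close must be configured explicitly. The following Python script is an added example, not part of the Cisco guide, that parses the zonelabs-integrity lines shown in this section out of a saved configuration (with or without the hostname(config)# prompt), applies the defaults the guide states (port 5054, fail-open unless fail-close is set), and reports the weak settings a reviewer would flag. The function names, the finding texts and the two sample configurations are this example's own constructions; the `no zonelabs-integrity fail-close` form is assumed to follow the usual Cisco `no` convention.

```python
"""Audit the zonelabs-integrity stanza of a security appliance configuration.

Added example (not from the Cisco guide). It extracts the `zonelabs-integrity`
commands from configuration text, fills in the defaults stated in the guide and
returns audit findings. Names and sample configs are this example's assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

DEFAULT_PORT = 5054  # default Integrity server port stated in the guide

# Matches an interactive prompt such as "hostname(config)# " at line start.
_PROMPT = re.compile(r"^\S*\(config\)#\s*")


@dataclass
class IntegrityConfig:
    server_addresses: List[str] = field(default_factory=list)
    port: int = DEFAULT_PORT
    interface: Optional[str] = None
    fail_timeout: Optional[int] = None
    fail_close: bool = False  # guide: connections stay open by default


def parse_integrity_config(config_text: str) -> IntegrityConfig:
    """Collect zonelabs-integrity settings from running-config or CLI transcript text."""
    cfg = IntegrityConfig()
    for raw in config_text.splitlines():
        line = _PROMPT.sub("", raw.strip())
        parts = line.split()
        negate = False
        if parts and parts[0] == "no":  # assumed Cisco-style "no <command>" form
            negate = True
            parts = parts[1:]
        if len(parts) < 2 or parts[0] != "zonelabs-integrity":
            continue
        keyword, args = parts[1], parts[2:]
        if keyword == "server-address" and args:
            cfg.server_addresses.append(args[0])
        elif keyword == "port" and args:
            cfg.port = DEFAULT_PORT if negate else int(args[0])
        elif keyword == "interface" and args:
            cfg.interface = None if negate else args[0]
        elif keyword == "fail-timeout" and args:
            cfg.fail_timeout = None if negate else int(args[0])
        elif keyword == "fail-close":
            cfg.fail_close = not negate
    return cfg


def audit_integrity_config(cfg: IntegrityConfig) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    if not cfg.server_addresses:
        findings.append("no Integrity server address configured")
    elif len(cfg.server_addresses) > 1:
        # The guide: only one Integrity Server is active at a time.
        findings.append(
            f"{len(cfg.server_addresses)} servers configured; only one is used at a time"
        )
    if not cfg.fail_close:
        findings.append(
            "fail-open: VPN sessions stay up if the Integrity server is unreachable "
            "(add 'zonelabs-integrity fail-close' to close them instead)"
        )
    return findings


# Constructed sample inputs mirroring the commands in the guide's example.
SAMPLE_FAIL_OPEN = """\
hostname(config)# zonelabs-integrity server-address 10.0.0.5
hostname(config)# zonelabs-integrity port 300
hostname(config)# zonelabs-integrity interface inside
"""
SAMPLE_FAIL_CLOSE = SAMPLE_FAIL_OPEN + """\
hostname(config)# zonelabs-integrity fail-timeout 12
hostname(config)# zonelabs-integrity fail-close
"""

if __name__ == "__main__":
    for name, text in (("fail-open", SAMPLE_FAIL_OPEN), ("fail-close", SAMPLE_FAIL_CLOSE)):
        cfg = parse_integrity_config(text)
        print(f"{name}: {cfg}")
        for finding in audit_integrity_config(cfg) or ["no findings"]:
            print("  -", finding)
```

Run against the first sample the script reports the fail-open condition; with the two additional commands from the guide it reports nothing. Feeding it a `show running-config` capture works the same way because the prompt stripping is optional.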
Cisco Security Appliance Command Line Configuration Guide
Supporting a Zone Labs Integrity Server
13-17