5-7
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 5 Identity Firewall
Guidelines for the Identity Firewall
Figure 5-6 WAN-based Deployment with Remote AD Agent
The following figure shows an expanded remote site installation. An AD Agent and Active Directory
servers are installed at the remote site. The clients access these components locally when logging into
network resources located at the main site. The remote Active Directory server must synchronize its data
with the central Active Directory servers located at the main site.
Figure 5-7 WAN-based Deployment with Remote AD Agent and AD Servers
Guidelines for the Identity Firewall
This section describes the guidelines and limitations that you should check before configuring the
Identity Firewall.
Failover
• The Identity Firewall supports user identity-IP address mapping and AD Agent status replication
from active to standby when Stateful Failover is enabled. However, only user identity-IP address
mapping, AD Agent status, and domain status are replicated. User and user group records are not
replicated to the standby ASA.
• When failover is configured, the standby ASA must also be configured to connect to the AD Agent
directly to retrieve user groups. The standby ASA does not send NetBIOS packets to clients even
when the NetBIOS probing options are configured for the Identity Firewall.
Client
ASA
AD ServersAD Agent
304006
Remote Site Enterprise Main Site
RADIUS
mkg.example.com
10.1.1.2
WMI
Login/Authentication
LDAP
WAN
Client
ASA
AD Servers
AD ServersAD Agent
304007
Remote Site Enterprise Main Site
RADIUS
mkg.example.com
10.1.1.2
LDAP
WMI
Directory Sync
WAN
To Next Page
Loading...
Need help?
General