Occasional Contributor I

Re: Clearpass V6.6.2 SMB version supported

At least in 1 of the reported cases CPPM and the DC are in the same VLAN... so that can't be the issue. When you say high ports you mean high source ports? As I am assuming it still uses the same destination ports?

I am waiting for my colleague to update me on the TAC case numbers

Occasional Contributor II

Re: Clearpass V6.6.2 SMB version supported

It was from CPPM to AD. Destination ports. After the patch we saw a lot of new sessions trying to be established from ClearPass to DC with destination ports (49152 to 65535). All of them dropped. After modifying the rule all worked again.

Best Regards

 

Occasional Contributor I

Re: Clearpass V6.6.2 SMB version supported

Thanks... this is going to be fun... tell me the firewall rules you need for CPPM: "Yes please allow some random ports" :)

Can someone from engineering actually tell us what was done to samba to add support for the v2/v3: was it simply upgraded, or were specific changes done on smb.conf, so at least I can make sense of what's going on?

Occasional Contributor I

Re: Clearpass V6.6.2 SMB version supported


PAVAN wrote:

Could you share TAC ticket details?

Regards,

Pavan

Hi Pavan, the TAC case is 5322012059. Thanks

Guru Elite

Re: Clearpass V6.6.2 SMB version supported

After opening the required ports for SMBv2/v3, is everything working for you now?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Occasional Contributor I

Re: Clearpass V6.6.2 SMB version supported

Hi Tim,

OK, it seems like if the primary DNS server is down, CPPM doesn't fail over to the secondary. Also had to remove firewall rules completely for things to work.

Can you guys please clarify what ports should be open between CPPM and AD? As previously pointed out, this seems to be the root of the problem: something has changed in terms of required traffic that needs allowing.

Guru Elite

Re: Clearpass V6.6.2 SMB version supported

Here is the list of required ports for Active Directory from the Microsoft knowledgebase.

https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Occasional Contributor II

Re: Clearpass V6.6.2 SMB version supported

For us, adding the firewall rule as application-based instead of port-based solved the issue. One of the app services posted in this image contains the high ports I mentioned in my previous posts, which we didn't have on the old rule. If I am not wrong, it is ms-netlogon.

Regards
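
Added example, not part of any post in this thread and not Aruba or Microsoft code: a small check that confirms from firewall deny logs whether ClearPass-to-DC sessions are being dropped on the destination range 49152 to 65535 described above. The key=value log layout, the IP addresses and all function and variable names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Destination port range quoted in the thread (ClearPass -> DC after the patch).
HIGH_PORTS = range(49152, 65536)

# Hypothetical key=value firewall log layout; addresses are constructed
# documentation-range values, not taken from the thread.
SAMPLE_LOG = """\
t=1 action=deny src=192.0.2.20 dst=192.0.2.10 dport=49155
t=2 action=allow src=192.0.2.20 dst=192.0.2.10 dport=445
t=3 action=deny src=192.0.2.20 dst=192.0.2.10 dport=49160
t=4 action=deny src=192.0.2.20 dst=192.0.2.11 dport=65535
t=5 action=deny src=192.0.2.99 dst=192.0.2.10 dport=49155
t=6 action=deny src=192.0.2.20 dst=192.0.2.10 dport=8443
t=7 action=deny src=192.0.2.20 dst=192.0.2.10 dport=garbled
t=8 action=deny src=192.0.2.20 dst=192.0.2.10 dport=49155
"""
CPPM_IPS = {"192.0.2.20"}               # constructed ClearPass address
DC_IPS = {"192.0.2.10", "192.0.2.11"}   # constructed domain controller addresses
FIELD = re.compile(r"(\w+)=(\S+)")


def dropped_high_port_flows(log_text, cppm_ips, dc_ips):
    """Map (cppm, dc) -> sorted unique denied destination ports in HIGH_PORTS."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("action") != "deny":
            continue
        # Only ClearPass -> DC traffic is relevant to this thread.
        if f.get("src") not in cppm_ips or f.get("dst") not in dc_ips:
            continue
        try:
            dport = int(f["dport"])
        except (KeyError, ValueError):
            continue  # skip lines without a usable port
        if dport in HIGH_PORTS:
            hits[(f["src"], f["dst"])].add(dport)
    return {pair: sorted(ports) for pair, ports in hits.items()}


if __name__ == "__main__":
    flows = dropped_high_port_flows(SAMPLE_LOG, CPPM_IPS, DC_IPS)
    for (src, dst), ports in flows.items():
        print(f"{src} -> {dst}: {len(ports)} denied high ports, {ports[0]}-{ports[-1]}")
```
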

 

Guru Elite

Re: Clearpass V6.6.2 SMB version supported

We'll be updating the release notes and user guide with a link to Microsoft's documentation for their implementation.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480