Our users' private devices are on a separate subnet/vlan and a separate PA zone using the Google DNS servers. I have been forcing a captive portal in order to enable user ID for these devices. This has been working fine.
I have set a rule so that these devices can access our exchange server via OWA/activesync by going out to the internet and hitting the external OWA IP address. Problem is the User-IP mapping can't occur, except via captive portal, because of the NAT.
Is there any downside to:
In the old days (ports only) this would be unwise at best. Given the ability to only allow by appid, it seems like a reasonable idea.
Special note: The only devices on this "personal device" vlan/subnet are private devices owned by students which we would have at least a little bit of control over.
I don't really have an answer for you, your policy should be what you need it to be. I think your question begs others: Do you have different policies for different users? If it's a BYOD vlan and everyone gets outbound 80/443, is the UID relevant? Do you want to get rid of the captive portal?
For me, I'm not sure I'd bother with it, just tie down the web services the way you want and call it good. If your wifi environment supports it, you can use some sort of EAP to see the real UID behind the IP if anything interesting were to occur.
Sorry I didn't answer your question.
I guess I had an epiphany of sorts and wanted some verification.
Traffic between zones used to be a big negative. With app level filtering, it seems it can be pretty darned safe. Especially considering the applications I am talking about are published to the untrust zone anyway (activesync and OWA). Currently the private devices are getting NATed and coming back in to do activesync. Given appid publishing it seems rather silly to go through all of that AND Yes, you nailed it that I am interested in getting around the captive portal. If they have activesync, and the IP is not NATed, I should be able to run rules without captive portal.
So I guess your post at least verified with me that it is not a "bad" idea....given Appid publishing rules and all I am letting is activesync.
Thanks for listening.
I believe you can allow the devices in the private zone to use your internal DNS servers and DMZ servers. If you are allowing these devices to reach the internet via your PAN, I believe you do have some control over these devices (unless you are giving internet access to an unknown/unlimited number of devices through your network) and you can identify the users using them via the User-ID agent. Also, since you are allowing traffic based on applications, this should not be a problem.
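The direct-access rule the thread converges on (private-device zone straight to the internal Exchange server, restricted by App-ID, no hairpin through the untrust zone and no NAT, so the client IP reaches the firewall unchanged for User-ID), written out as an added example in PAN-OS set-command syntax; it is not configuration from any poster. Zone names (BYOD, DMZ), the address object and its IP, the rule names, and the App-ID names activesync and outlook-web-online are assumptions; confirm the application names in Applipedia before committing.

```text
# Constructed address object for the internal Exchange/OWA server (assumed IP).
set address exchange-owa ip-netmask 10.10.20.25/32

# Direct path: BYOD zone -> DMZ zone, no NAT, so the source IP is the device's
# real address and a User-ID mapping for it (from whatever source feeds User-ID)
# is usable by policy. Only the two Exchange applications are allowed, on their
# default ports (application-default), and every session is logged.
set rulebase security rules BYOD-Exchange-Direct from BYOD to DMZ
set rulebase security rules BYOD-Exchange-Direct source any
set rulebase security rules BYOD-Exchange-Direct source-user any
set rulebase security rules BYOD-Exchange-Direct destination exchange-owa
set rulebase security rules BYOD-Exchange-Direct application [ activesync outlook-web-online ]
set rulebase security rules BYOD-Exchange-Direct service application-default
set rulebase security rules BYOD-Exchange-Direct action allow
set rulebase security rules BYOD-Exchange-Direct log-end yes
# Once mappings exist for these devices, "source-user known-user" on the rule
# above turns it into a user-gated rule without the captive portal.

# Explicit catch-all so nothing else crosses from the device VLAN into the DMZ,
# and the denials show up in the traffic log.
set rulebase security rules BYOD-DMZ-Deny from BYOD to DMZ
set rulebase security rules BYOD-DMZ-Deny source any
set rulebase security rules BYOD-DMZ-Deny destination any
set rulebase security rules BYOD-DMZ-Deny application any
set rulebase security rules BYOD-DMZ-Deny service any
set rulebase security rules BYOD-DMZ-Deny action deny
set rulebase security rules BYOD-DMZ-Deny log-end yes
```

Without SSL decryption the firewall typically classifies ActiveSync and OWA over HTTPS as ssl rather than activesync/outlook-web-online, so check the application column in the traffic log before relying on the App-ID restriction.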