Xdmcp Inspection - Cisco PIX 500 Series Configuration Manual

Chapter 25 Configuring Application Layer Protocol Inspection

XDMCP Inspection

Figure 25-9 CTL Client TLS Proxy Features — CTL File Installed on the ASA
The security appliance does not store the raw CTL file in the flash, rather, it parses the CTL file and
installs appropriate trustpoints. Figure 25-9 indicates the installation was successful.
XDMCP Inspection
XDMCP inspection is enabled by default; however, the XDMCP inspection engine is dependent upon
proper configuration of the established command.
XDMCP is a protocol that uses UDP port 177 to negotiate X sessions, which use TCP when established.
For successful negotiation and start of an XWindows session, the security appliance must allow the TCP
back connection from the Xhosted computer. To permit the back connection, use the established
command on the security appliance. Once XDMCP negotiates the port to send the display, The
established command is consulted to verify if this back connection should be permitted.
During the XWindows session, the manager talks to the display Xserver on the well-known port 6000 |
n. Each display has a separate connection to the Xserver, as a result of the following terminal setting.
setenv DISPLAY Xserver:n
where n is the display number.
When XDMCP is used, the display is negotiated using IP addresses, which the security appliance can
NAT if needed. XDCMP inspection does not support PAT.
Cisco Security Appliance Command Line Configuration Guide
25-90
OL-12172-03