Cisco ACE 20 - sticky radius attribute not working

Hello to you all
I need your help. I'm trying to create a sticky group applied to my auth serverfarm based on the calling-station-id attribute, but for some reason when I apply the configs, I get no replies from my rservers. I've checked the radius servers, and no packets are getting to them. For some reason, when I create the sticky group the ACE 20 doesn't distribute the traffic at all.
The service-policy is inservice, all the rservers are operational, but there are no replies to my authentication requests, and no entries in the sticky database.
My current configs:
ADMIN context:
resource-class RADIUS-STICKY
  limit-resource all minimum 0.00 maximum unlimited
  limit-resource sticky minimum 10.00 maximum unlimited
context context-radius
  member RADIUS-STICKY
CONTEXT-RADIUS context:
serverfarm host RADIUS-AUTH
  predictor leastconns
  probe RADIUS-PROBE-AUTH
  rserver RADIUS-01
    inservice
  rserver RADIUS-02
    inservice
  rserver RADIUS-03
    inservice
sticky radius framed-ip calling-station-id RADIUS-AUTH
  serverfarm RADIUS-AUTH
  timeout 5
policy-map type loadbalance first-match RADIUS-AUTH
  class class-default
    sticky-serverfarm RADIUS-AUTH
Am I missing anything?
Best wishes

I figured it out
The loadbalance policy-map has to be set as an L7 Radius policy map:
policy-map type loadbalance radius first-match RADIUS-AUTH
  class class-default
    sticky-serverfarm RADIUS-AUTH
It now inspects the Radius packets and is able to apply stickiness.
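
What stickiness on calling-station-id requires of the load balancer, as an added example (not Cisco's implementation and not code from this thread): parse each Access-Request, take the Calling-Station-Id attribute as the sticky key, and fall back to least connections when there is no live entry. The attribute numbers are from RFC 2865; the class and function names, the timeout in seconds and the sample packets are assumptions constructed for the demonstration.

```python
import struct

ACCESS_REQUEST = 1            # RADIUS code (RFC 2865)
ATTR_USER_NAME = 1            # RFC 2865 attribute types
ATTR_CALLING_STATION_ID = 31
HEADER_LEN = 20               # code, id, length, 16-byte authenticator


def build_access_request(identifier, attrs):
    """Build a constructed Access-Request from (type, value-bytes) pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    return header + bytes(16) + body  # all-zero authenticator: demo only


def parse_attributes(packet):
    """Return (code, {type: [values]}), rejecting inconsistent lengths."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("length field does not match datagram")
    attrs, pos = {}, HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return code, attrs


class RadiusStickyTable:
    """Hypothetical model of a sticky group keyed on Calling-Station-Id."""

    def __init__(self, rservers, timeout_s=300):
        self.conns = {name: 0 for name in rservers}
        self.entries = {}          # sticky key -> (rserver, expiry time)
        self.timeout_s = timeout_s

    def _least_conns(self):
        # Ties are broken by name so the demo is deterministic.
        return min(self.conns, key=lambda n: (self.conns[n], n))

    def pick(self, packet, now):
        """Choose the rserver for one Access-Request seen at time `now`."""
        _code, attrs = parse_attributes(packet)
        values = attrs.get(ATTR_CALLING_STATION_ID)
        key = values[0] if values else None
        entry = self.entries.get(key) if key is not None else None
        if entry and entry[1] > now:
            server = entry[0]                  # sticky hit
        else:
            server = self._least_conns()       # miss, expired entry, or no key
        if key is not None:
            self.entries[key] = (server, now + self.timeout_s)
        self.conns[server] += 1                # never decremented in this model
        return server


def demo():
    """Replay constructed requests; return the rserver chosen for each."""
    table = RadiusStickyTable(["RADIUS-01", "RADIUS-02", "RADIUS-03"])

    def req(i, station):
        return build_access_request(i, [(ATTR_USER_NAME, b"alice"),
                                        (ATTR_CALLING_STATION_ID, station)])

    timeline = [(0, b"00-11-22-33-44-55"), (1, b"66-77-88-99-AA-BB"),
                (2, b"00-11-22-33-44-55"), (3, b"CC-DD-EE-FF-00-11"),
                (400, b"00-11-22-33-44-55")]
    return [table.pick(req(i, st), now) for i, (now, st) in enumerate(timeline)]


if __name__ == "__main__":
    print(demo())
```

The third request returns to the same rserver as the first because its Calling-Station-Id matches a live entry; the last one arrives after the entry has expired and is balanced again.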

Similar Messages

  • Parse Error: Reason - Radius attribute not outbound

    I am trying to add the RADIUS IETF Attribute - 'Login-LAT-Group' to a user using RDBMS sync but unable to do so.
    I see the below error in the ACS logs - 
    Parse Error: Reason - Radius attribute not outbound
    What am I missing ?

    Refer to "outbound radius attributes":
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/user/guide/ad.html

  • ACE - SSL Termination is not working

    HTTPS is not working from official IE browser but it is working from test Firefox browser. However HTTP is working with both IE and Firefox browsers. This is true for multiple implementations on the ACE service module with SSL termination.
    ACE software 3.0(0)A1(4a)
    IE v6 SP3 Cipher 128
    Firefox v3.6.3
    Sample configuration:
    access-list FT ethertype permit bpdu
    access-list ALL-ACCESS extended permit icmp any any
    access-list ALL-ACCESS extended permit ip any any
    crypto chaingroup ROOT-CERT
      cert abc.PEM
      cert xyz.PEM
    parameter-map type ssl SSL-PARAMETER-1
      cipher RSA_WITH_RC4_128_MD5
      cipher RSA_WITH_RC4_128_SHA
      cipher RSA_WITH_AES_128_CBC_SHA priority 2
      cipher RSA_WITH_AES_256_CBC_SHA
      cipher RSA_EXPORT1024_WITH_DES_CBC_SHA
    parameter-map type ssl SSL-PARAMETER-2
      cipher RSA_WITH_AES_128_CBC_SHA priority 2
    ssl-proxy service SSL-1
      key KEY-1.PEM
      cert CERT-1.PEM
      chaingroup ROOT-CERT
      ssl advanced-options SSL-PARAMETER-1
    ssl-proxy service SSL-2
      key KEY-1.PEM
      cert CERT-1.PEM
      chaingroup ROOT-CERT
      ssl advanced-options SSL-PARAMETER-2
    ssl-proxy service SSL-3
      key KEY-1.PEM
      cert CERT-1.PEM
      chaingroup ROOT-CERT
    rserver host server1
      ip address 10.100.15.89
      inservice
    rserver host server2
      ip address 10.100.15.121
      inservice
    probe http PROBE-1
      interval 30
      faildetect 2
      request method get url /keepalive.htm
      expect status 200 200
    serverfarm host SERVERFARM-1
      probe PROBE-1
      rserver server1 80
        inservice
      rserver server2 80
        inservice
    sticky ip-netmask 255.255.255.255 address both STICKY-1
      timeout 30
      replicate sticky
      serverfarm SERVERFARM-1
    class-map type management match-any REMOTE-ACCESS
      match protocol icmp any
      match protocol snmp any
      match protocol ssh any
      match protocol https any
    class-map match-all VIP-1
      match virtual-address 10.100.15.140 tcp eq https
    class-map match-all VIP-2
      match virtual-address 10.100.15.140 tcp eq www
    policy-map type management first-match REMOTE-ACCESS
      class REMOTE-ACCESS
        permit
    policy-map type loadbalance first-match POLICY-1
      class class-default
        sticky-serverfarm STICKY-1
    policy-map multi-match LB-1
      class VIP-1
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        loadbalance policy POLICY-1   
        ssl-proxy server SSL-1
    (I have tried with ssl-proxy server SSL-2 and ssl-proxy server SSL-3, but it did not help)
    policy-map multi-match LB-2
      class VIP-2
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        loadbalance policy POLICY-1
    interface vlan 15
      description client vlan
      bridge-group 15
      mac-sticky enable
      access-group input FT
      access-group input ALL-ACCESS
      access-group output ALL-ACCESS
      service-policy input REMOTE-ACCESS
      service-policy input LB-1
      service-policy input LB-2
      no shutdown
    interface vlan 2015
      description server vlan
      bridge-group 15
      mac-sticky enable
      access-group input FT
      access-group input ALL-ACCESS
      access-group output ALL-ACCESS
      service-policy input REMOTE-ACCESS
      no shutdown
    interface bvi 15
      description bridge group
      ip address 10.100.15.5 255.255.255.0
      peer ip address 10.100.15.6 255.255.255.0
      alias 10.100.15.4 255.255.255.0 
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.100.15.1
    Note: Subnet, Server Name, Certificate Name and Key Name are modified for security reasons.

    Hello,
    We will not be able to determine why your SSL terminated connections fail with only your config.  You may want to take a look at a similar thread where someone else was having problems with IE and SSL termination, but Firefox worked fine.  It also includes a solid action plan you can use to gather data needed to diagnose root cause.  That thread can be viewed at the following link:
    https://supportforums.cisco.com/thread/2025417?tstart=0
    Also, the ACE software you are running is extremely old now and very buggy.  I would strongly urge you to upgrade to A2(2.4) as soon as possible.  It will help you avoid some headaches as you move forward.
    Hope this helps,
    Sean

  • ACS 5.5 Radius Attribute not listed in Radius Directory

    Hello Community,
    I am on the evaluation of Cisco ACS 5.5, and I am trying some scenarios for my company.
    I have to authenticate an IP phone. Here I need one VLAN tagged and one VLAN untagged.
    In the authorization profile you can add the Radius Attributes. We have HP switches and I need the attribute with the ID-56, but this ID is not listed in the Authorization Profiles --> Radius Attributes --> select part.
    But it is listed under System Administration --> Configuration --> Dictionaries --> Protocols --> Radius --> Radius IETF.
    Can somebody tell me how I can select this attribute under Authorization Profiles --> Radius Attributes --> select part?
    Thanks a lot
    regards

    Hi
    As you are using HP switches, certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality, and are therefore not supported with non-Cisco devices.
    For more information regarding Authorization profile configuration, please go through the following link:
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/user/guide/acsuserguide/pol_elem.html

  • Cisco css http keepalive is not working with GET command

    Dear all,
    I have a Cisco CSS connected to a Dell server (via a switch).
    Cisco CSS - 192.168.1.3 and Dell Server - 192.168.1.5
    The Dell server is set up with Windows 2009R2 and Apache HTTPD version 2.2.
    This server is dedicated to hosting multiple domains with Apache, like
    www.abc.co.uk
    www.xyz.co.uk
    Now the client wants to set up the HTTP keepalive with a specific web page like /testpage.html for all these domains. I have tested with a single URI and it is working. The commands are:
    (config)# service serv1
    (config-service[serv1])# ip address 192.168.1.5
    (config-service[serv1])# keepalive type http
    (config-service[serv1])# keepalive method head    (I have not used GET due to a hash mismatch with the Apache server; if I use GET it is not working)
    (config-service[serv1])# keepalive uri "/testpage.html"
    (config-service[serv1])# active
    It is working with a single URI, but how can I do the same thing for multiple domains?
    For multiple domains, do I need to use a script, or can I do it with commands?
    If I need to use a script, the script is:
    !no echo
    ! Filename: httptag-test
    ! Parameters: HostName WebPage HostTag
    ! Description:
    !       This script will connect to the remote host and do an HTTP
    !   GET method upon the web page that the user has asked for.
    !   This script also adds a host tag to the GET request.
    ! Failure Upon:
    !   1. Not establishing a connection with the host.
    !       2. Not receiving an HTTP status "200 OK"
    if ${ARGS}[#] "NEQ" "3"
            echo "Usage: httptag-test \'Hostname WebPage HostTag\'"
            exit script 1
    endbranch
    ! Defines:
    set HostName "${ARGS}[1]"
    set WebPage "${ARGS}[2]"
    set HostTag "${ARGS}[3]"
    ! Connect to the remote Host
    set EXIT_MSG "Connection Failure"
    socket connect host ${HostName} port 80 tcp
    ! Send the GET request for the web page
    set EXIT_MSG "Send: Failed"
    socket send ${SOCKET} "GET ${WebPage} HTTP/1.1\nHost: ${HostTag}\n\n"
    ! Send the HEAD request for the web page
    set EXIT_MSG "Send: Failed"
    socket send ${SOCKET} "HEAD ${WebPage} HTTP/1.1\nHost: ${HostTag}\n\n"
    ! Wait for a good status code
    set EXIT_MSG "Waitfor: Failed"
    socket waitfor ${SOCKET} "200 OK"
    no set EXIT_MSG
    socket disconnect ${SOCKET}sh w
    exit script 0
    In the script I have not used GET because, when the CSS sends a GET request to Apache it uses a hash, but Apache is not able to respond with the same hash and it shows that the website is down. For more information, see the URL below:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.40/command/reference/CmdKeepC.html#wp1139668
    (config-keepalive) method
    I have uploaded the httptag-test file to the CSS and applied these commands:
    service comp.brit.co.uk-80
      keepalive port 80
      ip address 192.168.1.5
      keepalive frequency 10
    keepalive maxfailure 2
    keepalive retryperiod 10
    keepalive type script httptag-test "192.168.1.5 /testpage.html  www.abc.co.uk
    keepalive type script httptag-test "192.168.1.5 /testpage.html  www.xyz.co.uk
    But this script is not working.
    My question is:
    1. Do I need to use a script only to set up the HTTP keepalive with a web page for multiple domains?
    2. Without using a script, is there any solution like Cisco CSS commands to set up an HTTP URI for multiple domains which are on one single server?
    Please help me ASAP.

    Hello Muhammad,
    If you wish to use multiple domains for a URI keep-alive check, and perform a HEAD request, what Daniel mentioned is correct. You have to use a scripted keep-alive check on the service. However, you should not use the default "ap-kal-httptag" script to do so as it's limited to only 1 website (unless you modify the script). Your best bet would be using the "ap-kal-httplist" script on the CSS as it allows the checking of 2 different websites along with a webpage to check for each site using HTTP HEAD method.
    !no echo
    ! Filename: ap-kal-httplist
    ! Parameters: Site1 WebPage1 Site2 WebPage2 [...]
    ! Description:
    !    This script will connect a list of sites/webpage pairs.  The
    !   user must simply supply the site, and then the webpage and
    !   we'll attempt to do an HTTP HEAD on that page.
    ! Failure Upon:
    !   1. Not establishing a connection with the host.
    !   2. Not receiving a status code 200 on the HEAD request on any
    !      one site.  If one fails, the script fails.
    ! Make sure the user has a qualified number of arguments
    if ${ARGS}[#] "LT" "2"
            echo "Usage: ap-kal-httplist \'WebSite1 WebPage1 WebSite2 WebPage2 ...'"
            exit script 1
    endbranch
    while ${ARGS}[#] "GT" "0"
            set Site "${ARGS}[1]"
        var-shift ARGS
        if ${ARGS}[#] "==" "0"
            set EXIT_MSG "Parameter mismatch: hostname present but webpage was not"
            exit script 1
        endbranch
        set Page "${ARGS}[1]"
        var-shift ARGS
        no set EXIT_MSG
        function HeadUrl call "${Site} ${Page}"
    endbranch
    exit script 0
    function HeadUrl begin
    ! Connect to the remote Host
    set EXIT_MSG "Connect: Failed to connect to ${ARGS}[1]"
    socket connect host ${ARGS}[1] port 80 tcp 2000
    ! Send the head request
    set EXIT_MSG "Send: Failed to send to ${ARGS}[1]"
    socket send ${SOCKET} "HEAD ${ARGS}[2] HTTP/1.0\n\n"
    ! Wait for the status code 200 to be given to us
    set EXIT_MSG "Waitfor: Failed to wait for '200' on ${ARGS}[1]"
    socket waitfor ${SOCKET} " 200 " 2000
    no set EXIT_MSG
    socket disconnect ${SOCKET}
    function HeadUrl end
    Rather than modify the default "ap-kal-httplist" script on the CSS I would simply define the arguments within the service configuration itself. Something like the following (using your service example):
    service dell-192.168.1.5
    ip address 192.168.1.5
    keepalive type script ap-kal-httplist "www.abc.co.uk /testpage.html www.xyz.co.uk /testpage.html"
    active
    As long as the server is configured to reply to host headers, and the page is configured to return a "200 OK" the above service configuration should work. If there are any errors simply run "show service  " to view why there was a failure. If there is a failure, and the output from the command specified shows a line number, run the following command against the script to view at what point (line) the failure occurred:
    show script ap-kal-httplist line-numbers
    Hope this helps!
    - Jason Espino

  • Key figure Attributes not working

    Hi ALL,
    We have an issue with one of our planning books. Key figures which are supposed to be open for editing are showing as output only, and key figures which are for output only are showing as open for editing.
    I went to design mode and tried to change it manually; if I change one row attribute, all rows get changed.
    I found a macro which assigns key figure attributes, which I tried to activate, but it is still not working. We are using SAP SCM 4.1.
    Can anyone advise on this?
    Sivarama

    Thanks. The problem is now solved. It looks like someone has made changes in the design and there are macros which are working and, as you said, they might be conflicting. I changed the design, which was behaving weirdly yesterday: when I tried to change one row attribute, all rows were getting changed. This worked fine today. And I deactivated the macro which is working on some row attributes and activated it again.
    I am not very clear on what went right, but it is working.
    Sivarama

  • Cisco Ise Central Web authentication not working

    Hello Guys,
    CWA is not working. It says that authentication succeeded but posture status is pending. There is no error in my Monitor--authentication. Checking it on my Windows 7 machine, it does not show the CWA portal.
    What might be the possible problem here?
    thanks

    Kindly review the below links:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

  • Container-Managed Transaction Type Attributes not working as expected

    I am having a problem with the container-managed transactions not working as expected. I have 2 methods that work as follows:
    MethodA {
        for (a lot)
            call MethodB;
    }
    @Transaction Type = RequiresNew
    MethodB {
        EntityManager Persist to database
    }
    I want the code in MethodB to be committed to the database when methodB returns. The problem is that I am running out of memory and MethodA is failing. When methodA fails after numerous calls to MethodB nothing is persisted to the database.
    It is my understanding that when using requires new transactions that a new transaction is started for each call to the method and ends when the method returns while the calling method transaction is suspended.
    How am I misunderstanding the requiresNew transaction attribute? What can I do to make a batch insert into my database that will not run out of memory (commit when a methodB returns)?
    Thanks in advance.

    The problem is that EJB invocation semantics for security, container-managed transactions, etc.
    only apply when an invocation is made through an EJB reference. In your case, you are directly
    invoking the implementation method from within the bean. The EJB container has no idea that's
    happening. It's no different than invoking a utility method.
    In order to get the behavior you'd like, you need to retrieve a reference to your own bean and invoke
    through that. You can use SessionContext.getBusinessObject() to get the EJB reference for the
    business interface through which the method in question is exposed.
    --ken

  • 5.5.2 'Paste Attributes' not working?

    I just upgraded to Premiere Pro 5.5.2, I'm on Mac OS 10.6.8, now paste attributes has no effect on the target clip in the timeline. Any clues?

    Hi Chris
    I don't have an answer for you, I just did some more comparisons, creating a completely new project with EX1, JVC HM100 (also the EX1 codec, I suspect same as yours) and Canon 7D H.264 MOV wrapped files.
    I could not reproduce the problem on this new 'test' project.
    So I went back to the Project I was having problems with, and the problem for that sequence can be narrowed down to: copying a clip from Sequence B, pasting attributes to a clip in Sequence A, does not work with my EX1 .MP4 files. However within the same sequence copying and pasting to the EX1 clips works. No other file types are affected and work as expected.
    I then tried to duplicate the problem in my new 'test' project between 2 sequences. I can't get it to fail. So the problem isn't consistent. My real problem project is pretty complex, with a lot of sequences. The file size is approximately 200MB. Not sure if the complexity of the project causes the problem. Try creating a new simple sequence with some test files and see if you can repro the problem, also see if you were copying and pasting within a sequence, or from one sequence's clips to another. I'm wondering if 5.5.2 introduced some issues like this, it doesn't make too much sense but it is real.
    But for now, the problem is slightly solved, I just have to copy a clip into the destination sequence, then copy and paste attributes to other clips. Annoying, but workable. Good luck.

  • Refine Edge Radius Tool Not working

    Hi
    Today my refine edge is not working, although it used to work. When I select with the quick selection tool and click refine edge, when I pick the radius to smooth it out, it does something strange.
    Please help.
    I made a screenshot of the screen. Note that it stays like this even if I change anything in the Refine Edge Options.
    Thanks in advance

    I ran into the same problem using the image you posted. Although there was something not right about the edge sharpness and color density where the car met the white surround I was able to get the result you are after.
    This was the sequence:
    1.  Toss the Background layer lock in the trash. It becomes Layer 0
    2.  Cmd + new layer symbol to place a blank layer below Layer 0
         Then, Edit > Fill the blank layer with white
    3.  Choose Layer 0 and use the Quick Selection tool to select the car
    4.  Choose Refine Edge in the Options bar:
         View Mode > View Mode > Marching Ants
         Brush Size (Options Bar): 200  This is humongous and counter-intuitive, but hang in there.
         Radius 0, Smart Radius
         Paint the white area keeping the + marker a fair distance from the marching ants
         Output: Decontaminate colors (50) New Layer with Layer Mask
    The result is a vastly improved result but the mask is a bit weak in the troubled area.
    Option click on the mask in the Layers panel to reveal the mask
    Curves > Move straight line of Curve to increase contrast via black endpoint
    I think the root of the problem is the lack of edge sharpness in the image. Using Refine Edge when the edge is soft can be a pain.

  • Scale Attribute Times and Paste Attributes not working as did before

    Using Copy and then Paste Attributes as I have done many times before upgrading to FCP 5, the option to "Scale Attribute Times" is grayed out and the keyframes are not placed correctly. This happens even if the clips are the exact same duration. I read a post from November that states that this feature is not working in FCP 5. If that is so, has anybody found a work-around or know of a fix?
    Dual 1.25 G4   Mac OS X (10.3.9)   FCP 5.0.1

    The problem is that the content is replaced correctly but the keyframes move (they were originally at the beginning and end and now they are not). The "Scale Attribute times" box is grayed out.
    I just tested this out and, from what I can tell, FCP (5) now needs Timecode to match in order for Paste Attributes > Content (with keyframes intact) to work as we'd like.
    I placed a 10 sec image - with (the default settings of) In at 1:00:00;00 and Out at 1:00:09;29 - in the Timeline. I set keyframes for Scale & Rotation at the In and Out points (100% & 0 degrees -> 200% & 360 degrees)
    When using the Paste Attributes > Content method with a second image having identical timecode In & Out, it works fine.
    However, if the second clip's timecode is not the same - say In is set at 1:00:02;00 and Out set at 1:00:11;29 - then the content will be pasted but the keyframes will not adjust for the new timecode. They remain at the first clip's points (that is, 1:00:00;00 and 1:00:09;29).
    So, you can try to match timecode (which isn't always convenient) or you can...
    Select the first clip & copy
    Overwrite/replace the (first) clip with the second clip
    Paste Attributes > Basic Motion (or whatever attributes you're pasting, except Content)
    Or was that a workflow you were hoping to avoid?

  • Cisco Unified CM Administration is not working in RDP sessions .

    Dear all,
    We are working with Cisco Unified CM Administration in sandbox labs connected through a Cisco VPN, but we are not able to access it through remote desktop sessions. Is it possible to access it through remote desktop sessions?

    Hi
    We are getting Cisco Unified CM Administration using sandbox labs. We have a product for telecommunication; the name is CADEBILL. We are implementing the process from that product. We installed that product on a server. We have a VPN through the sandbox labs. That VPN is installed on a local PC. From that local PC we access the server via Remote Desktop. On that server we are not able to install the AnyConnect VPN, hence this problem.
    This is the Cisco Unified CM version. System version: 8.6.1.20000-1

  • The "readonly" attribute not working in Firefox 4.0

    The readonly implementation in actual applications and sites is not working as it did in previous versions. The navigator does not block the input text.

    The same problem is in Firefox 5.0 version too

  • Table Attribute not working with MVC5 and EF6

    Hello,
           Having an issue with a project I am working on.  I have a web project and portable classes.  I am using Entity Framework 6, and MVC 5.  Everything was working when I had all the classes in the Web side,
    but once I moved them to the Portable side, I began to have an issue with the data annotation.  Here is the code from one of the classes:
    namespace Inventory.Entities
    {
        using System;
        using System.Collections.Generic;
        using System.ComponentModel.DataAnnotations;
        using System.ComponentModel.DataAnnotations.Schema;
        using System.Linq;
        [Table("Common.Location")]
        public class Location
        {
            public Location()
            {
                Assets = new HashSet<Asset>();
            }
            [Key]
            public int LocationID { get; set; }
            [Required]
            [Display(Name = "Location Name")]
            public string LocationName { get; set; }
            public virtual ICollection<Asset> Assets { get; set; }
        }
    }
    Now the issue is that Table has a red squiggle and I am getting the following error: Error  43  The type or namespace name 'TableAttribute' could not be found (are you missing a using directive or an assembly reference?)
    As far as I can tell everything is set up correctly, but this just does not want to work.  It is not only this class, but all of my classes.  The only reference I have in the portable classes is .Net with a target of 4.5.  Everything I read
    says this should work, but clearly it is not working.  I have also uninstalled and installed the entity framework, did a clean and build but with no luck.  Any thoughts?
    Michael R. Mastro II

    Hello Michael,
    >>but once I moved them to the Portable side, I began to have an issue with the data annotation.
    This is by design, please check the namespace “System.ComponentModel.DataAnnotations.Schema”:
    https://msdn.microsoft.com/en-us/library/system.componentmodel.dataannotations.schema(v=vs.110).aspx, as you can see, only the DatabaseGeneratedAttribute is supported in Portable Class Library.(If a class is supported in PCL, there should be a
     symbol).
    Regards.

  • Sticky load balancing not working  because of Address Translation

              This came up before - see below. I don't understand what the
              solution is/was.
              WL Server puts its IP address in the WebLogicSession cookie
              which is an internal address 192.168.201.41
              WL proxy knows WL Server only by an external address like 139.141.38.21. Since
              it does not know of any WLS with an IP
              address of 192.168.201.41, it round-robins the request instead
              of sending it to the primary WLS.
              Any help is much appreciated.
              Mike Reiche
              Robert Patrick <[email protected]> wrote:
              >Hi,
              >
              >A very typical configuration is to put the web server in the DMZ (i.e.,
              >between
              >an outer and inner firewall) and proxy the requests from the web server
              >to the
              >WebLogic server (which sits behind the inner firewall). Since all of
              >these
              >proxied requests use HTTP and a single port, the only port that needs
              >to be
              >opened in the inner firewall is an HTTP port (the outer firewall will
              >only need
              >an HTTP and/or HTTPS port opened).
              >
              >Hope this helps,
              >Robert
              >
              >Eytan Ben-Meir wrote:
              >
              >> Thanks Patrick,
              >>
              >> May be you can suggest options for securing a WLS behind a firewall?
              >>
              >> Thanks again,
              >>
              >> Eytan
              >>
              >> Robert Patrick wrote:
              >>
              >> > Hi,
              >> >
              >> > The problem is that we encode location information (e.g., IP address(es))
              >> > in the session id. If the plugin sees a session id, it decodes the
              >> > session id to find out where to route the request (i.e., which server
              >in
              >> > the cluster contains the HttpSession object for that session). Since
              >the
              >> > plugin cannot find the machine whose IP address is encoded in the
              >session
              >> > id (because of the network address translation), this will not work.
              > In
              >> > general, distributed application software needs to be modified to
              >be
              >> > capable of handling network address translation -- to my knowledge,
              >> > WebLogic Server has not been modified to support this feature (though
              >the
              >> > Enterprise version of the product has had this support for years).
              >> >
              >> > Hope this helps,
              >> > Robert
              >> >
              >> > Eytan Ben-Meir wrote:
              >> >
              >> > > Hi,
              >> > >
              >> > > Configuration:
              >> > > WLS 4.5.1 on Solaris 2.7 inside a firewall.
              >> > > SonicWall firewall with NAT (Network Address Translation).
              >> > > Netscape Enterprise Server 4.0 outside the firewall with Weblogic
              >> > > NSAPI-BRIDGE (sp 5)
              >> > >
              >> > > The problem:
              >> > > When a browser request is sent to the NE web-server (directed to
              >the
              >> > > firewall who then redirects to a Weblogic servlet).
              >> > > IF The servlet creates a httpsession (with or without cookies)
              >the
              >> > > request fails (the firewall blocks a request directed directly
              >at the
              >> > > non-routable ip address of the Weblogic machine inside the firewall.
              >> > > IF on the other hand the servlet does not create a http session,
              >all
              >> > > works fine.??????????
              >> > > Does any body know something about this????
              >> > >
              >> > > Thanks,
              >> > >
              >> > > Eytan
              >
              

              This isn't my problem.
              "Mike Reiche" <[email protected]> wrote:
              >
              >This came up before - see below. I don't understand what the
              >solution is/was.
              >
              >WL Server puts its IP address in the WebLogicSession cookie
              > which is an internal address 192.168.201.41
              >
              >WL proxy knows WL Server only by an external address like 139.141.38.21.
              > Since
              >it does not know of any WLS with an IP
              >address of 192.168.201.41, it round-robins the request instead
              >of sending it to the primary WLS.
              >
              >Any help is much appreciated.
              >
              >Mike Reiche
              >
              >Robert Patrick <[email protected]> wrote:
              >>Hi,
              >>
              >>A very typical configuration is to put the web server in the DMZ (i.e., between
              >>an outer and inner firewall) and proxy the requests from the web server to the
              >>WebLogic server (which sits behind the inner firewall). Since all of these
              >>proxied requests use HTTP and a single port, the only port that needs to be
              >>opened in the inner firewall is an HTTP port (the outer firewall will only need
              >>an HTTP and/or HTTPS port opened).
              >>
              >>Hope this helps,
              >>Robert
              >>
              >>Eytan Ben-Meir wrote:
              >>
              >>> Thanks Patrick,
              >>>
              >>> Maybe you can suggest options for securing a WLS behind a firewall?
              >>>
              >>> Thanks again,
              >>>
              >>> Eytan
              >>>
              >>> Robert Patrick wrote:
              >>>
              >>> > Hi,
              >>> >
              >>> > The problem is that we encode location information (e.g., IP address(es))
              >>> > in the session id. If the plugin sees a session id, it decodes the
              >>> > session id to find out where to route the request (i.e., which server in
              >>> > the cluster contains the HttpSession object for that session). Since the
              >>> > plugin cannot find the machine whose IP address is encoded in the session
              >>> > id (because of the network address translation), this will not work. In
              >>> > general, distributed application software needs to be modified to be
              >>> > capable of handling network address translation -- to my knowledge,
              >>> > WebLogic Server has not been modified to support this feature (though the
              >>> > Enterprise version of the product has had this support for years).
              >>> >
              >>> > Hope this helps,
              >>> > Robert
              >>> >
              >>> > Eytan Ben-Meir wrote:
              >>> >
              >>> > > Hi,
              >>> > >
              >>> > > Configuration:
              >>> > > WLS 4.5.1 on Solaris 2.7 inside a firewall.
              >>> > > SonicWall firewall with NAT (Network Address Translation).
              >>> > > Netscape Enterprise Server 4.0 outside the firewall with Weblogic
              >>> > > NSAPI-BRIDGE (sp 5)
              >>> > >
              >>> > > The problem:
              >>> > > When a browser request is sent to the NE web-server (directed to the
              >>> > > firewall who then redirects to a Weblogic servlet).
              >>> > > IF The servlet creates a httpsession (with or without cookies) the
              >>> > > request fails (the firewall blocks a request directed directly at the
              >>> > > non-routable ip address of the Weblogic machine inside the firewall.
              >>> > > IF on the other hand the servlet does not create a http session, all
              >>> > > works fine.??????????
              >>> > > Does anybody know something about this????
              >>> > >
              >>> > > Thanks,
              >>> > >
              >>> > > Eytan
              >>
              >
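
The routing failure described in the quoted thread above, modeled as an added example (not code from the posters or from WebLogic): a proxy plugin that routes on an address carried in the session id loses affinity when the server names itself by its internal address. The `<id>!<ip>` cookie layout, the `ProxyPlugin` class, the `nat_map` translation table and the second external address are assumptions made for the illustration; the two other addresses are the ones quoted in the post.

```python
"""Session-affinity routing by a proxy plugin with NAT between the plugin
and the back-end servers. Constructed model: the cookie layout used here
is NOT WebLogic's real session-id encoding."""
from itertools import cycle


class ProxyPlugin:
    def __init__(self, servers, nat_map=None):
        self.servers = list(servers)        # addresses the plugin can reach
        self.nat_map = dict(nat_map or {})  # hypothetical internal -> external map
        self._rr = cycle(self.servers)
        self.affinity_misses = 0            # cookies naming a server we do not know

    def route(self, cookie):
        """Return the server address a request carrying `cookie` is sent to."""
        if cookie:
            # Constructed layout "<id>!<ip>": the server-chosen address follows '!'.
            _, _, encoded_ip = cookie.partition("!")
            target = self.nat_map.get(encoded_ip, encoded_ip)
            if target in self.servers:
                return target               # sticky: the session's primary server
            self.affinity_misses += 1       # encoded address is unknown to the plugin
        return next(self._rr)               # fall back to round-robin


INTERNAL = "192.168.201.41"        # address the server writes into the cookie (from the post)
EXTERNAL = "139.141.38.21"         # address the proxy knows the server by (from the post)
OTHER = "139.141.38.22"            # constructed second cluster member
COOKIE = "sess-0001!" + INTERNAL   # constructed session id


def simulate(nat_map=None, requests=4):
    """Send `requests` requests with the same cookie; return (hops, misses)."""
    plugin = ProxyPlugin([EXTERNAL, OTHER], nat_map)
    hops = [plugin.route(COOKIE) for _ in range(requests)]
    return hops, plugin.affinity_misses


if __name__ == "__main__":
    print("no NAT awareness:", simulate())
    print("with NAT map:    ", simulate({INTERNAL: EXTERNAL}))
```

A sustained non-zero `affinity_misses` count is the signal to watch for: it means sessions are landing on servers that do not hold their state.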
              
