Disabling directory non-secure port

Hi all.
Is there in Sun Directory Server 5.1 any way to disable non-secure port in order to bind all the connections through the secure port?
Thanks in advance.
Jaime Ferragut
University of the Balearic Islands

You could try setting the regular port number to "0". I don't think clients can connect on port 0. Be aware that this may disable your ability to manage the DS through the GUI console.

Similar Messages

  • How to disable non secure port on Sun Java System Directory Server 5.2

    Hi, can someone tell me how to disable the non secure port 389 on the SJS Directory Server 5.2? I only see two options for the directory server: to listen on the non secure port, or on both secure and non secure ports. I see that someone mentioned to change the port to the loopback IP address, but the GUI doesn't allow that.
    Any help is appreciated.
    Thanks,
    Mike

    Yep! You can add the loopback address to the listen host attr, directly to the dse.ldif (instance stopped of course) or ldapmodify the config entry.
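The two suggestions above (regular port set to 0, or the regular port bound to the loopback address) can be checked offline against a copy of dse.ldif. This is an added example, not code from the posts or from the product; it assumes the `cn=config` attribute names `nsslapd-port`, `nsslapd-listenhost`, `nsslapd-security` and `nsslapd-secureport`, treats a missing `nsslapd-port` as 389, and uses a constructed sample file.

```python
import re

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample of the relevant part of a dse.ldif (not from a real server).
SAMPLE_DSE = """\
dn: cn=config
objectClass: top
nsslapd-port: 389
nsslapd-listenhost: 127.0.0.1
nsslapd-security: on
nsslapd-secureport: 636

dn: cn=encryption,cn=config
objectClass: top
"""


def read_entry(ldif_text, dn):
    """Return {attribute: [values]} for the entry named dn, or {} if absent."""
    text = ldif_text.replace("\r\n", "\n")
    text = text.replace("\n ", "")            # undo LDIF line folding
    for block in re.split(r"\n\s*\n", text):  # entries are separated by blank lines
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if attrs.get("dn", [""])[0].lower() == dn.lower():
            return attrs
    return {}


def listener_report(ldif_text):
    """Classify the plaintext listener and report whether LDAPS is configured."""
    cfg = read_entry(ldif_text, "cn=config")
    port = int(cfg.get("nsslapd-port", ["389"])[0])   # assumption: 389 when unset
    hosts = [h.lower() for h in cfg.get("nsslapd-listenhost", [])]
    if port == 0:
        plaintext = "disabled"                # the "port 0" suggestion
    elif hosts and all(h in LOOPBACK for h in hosts):
        plaintext = "loopback-only"           # the "listen host" suggestion
    else:
        plaintext = "exposed"                 # reachable on a non-loopback address
    ldaps = (cfg.get("nsslapd-security", ["off"])[0].lower() == "on"
             and int(cfg.get("nsslapd-secureport", ["0"])[0]) > 0)
    return {"plaintext": plaintext, "ldaps": ldaps}


if __name__ == "__main__":
    print(listener_report(SAMPLE_DSE))
```

A result of `exposed`, or `ldaps` being false, means the configuration does not yet force clients onto the secure port.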

  • Dsee 6.3.1 - disable non-secure port

    I disabled access to the non-secure port on my ldapserver as I only want clients to talk to my server using ssl (tls:simple)
    root@ldapserver#/> dsconf set-server-prop ldap-port:disabled
    After the compulsory restart, I was no longer able to bind a client (even if I tell it to connect on port 636) :
    root@ldapclient #/> ldapclient init -v -a profileName=SB -a domainName=unix.mydomain.com -a proxyDN=cn=proxyagent,ou=profile,dc=unix,dc=mydomain,dc=com ldapserver.mydomain.com:636
    Parsing profileName=SB
    Parsing proxyDN=cn=proxyagent,ou=profile,dc=unix,dc=mydomain,dc=com
    Arguments parsed:
    proxyDN: cn=proxyagent,ou=profile,dc=unix,dc=mydomain,dc=com
    profileName: SB
    defaultServerList: ldapserver.mydomain.com:636
    Handling init option
    About to configure machine by downloading a profile
    findBaseDN: begins
    findBaseDN: ldap not running
    findBaseDN: calling __ns_ldap_default_config()
    __ns_ldap_list return NULL resultp
    findBaseDN: Err exit
    LDAP ERROR (85): Error occurred during receiving results. Timed out.
    Failed to find defaultSearchBase for domain unix.mydomain.com
    I know my certs are good as ldapsearch returns data as I would expect...
    root@ldapclient #/> ldapsearch -Z -p 636 -h ldapserver.mydomain.com -P /var/ldap -b dc=unix,dc=mydomain,dc=com uid=myuser
    returns my userid.
    There is an anonymous read only ACI in place:
    root@ldapclient #/> ldapsearch -Z -p 636 -h ldapserver.mydomain.com -P /var/ldap -b dc=unix,dc=mydomain,dc=com -s base "(objectclass=*)" aci
    aci: (target ="ldap:///dc=unix,dc=mydomain,dc=com")(targetattr!="userPassword")(
    version 3.0;acl "Anonymous read-search access";allow (read, search, compare)
    (userdn = "ldap:///anyone");)
    As soon as I re-enable standard 389 access the client init works fine again....
    Am I missing something here?
    Does the `ldapclient init` command need to make a 389 connection first before it downloads the profile which tells it to use tls:simple and therefore port 636 from then onwards?

    quote:
    SSL enables support for the Start TLS extended operation that provides security on a regular LDAP connection. Clients can bind to the non-SSL port and then use the Transport Layer Security protocol to initiate an SSL connection. The Start TLS operation allows more flexibility for clients, and can help simplify port allocation.
    [http://docs.sun.com/app/docs/doc/820-2765/gdzdc?l=en&a=view]
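The Start TLS exchange described in the quoted documentation, as an added example (not from the posts or from the product documentation): it builds the Start TLS extended request, decodes the server's extended response, and uses the pair to classify a listener you administer. Function names are illustrative, and the sample response bytes are constructed.

```python
import socket

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # Start TLS extended operation (RFC 4511)

# Constructed ExtendedResponse with resultCode 0 (success), for offline checks.
SAMPLE_SUCCESS = bytes.fromhex("300c02010178070a010004000400")


def tlv(tag, payload):
    """Encode one BER element; short-form length covers these small messages."""
    if len(payload) > 127:
        raise ValueError("payload too long for short-form length")
    return bytes([tag, len(payload)]) + payload


def starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x77, tlv(0x80, STARTTLS_OID)))


def read_tlv(buf, pos):
    """Decode the element at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def extended_result(message):
    """Return the resultCode of an ExtendedResponse, or None if it is not one."""
    try:
        tag, body, _ = read_tlv(message, 0)
        if tag != 0x30:
            return None
        _, _, pos = read_tlv(body, 0)       # skip messageID
        tag, op, _ = read_tlv(body, pos)
        if tag != 0x78:                     # [APPLICATION 24] ExtendedResponse
            return None
        tag, code, _ = read_tlv(op, 0)      # resultCode ENUMERATED
        return code[0] if tag == 0x0A and code else None
    except IndexError:
        return None


def probe(host, port, timeout=5.0):
    """Classify a listener as 'closed', 'starttls' or 'no-starttls'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    with sock:
        try:
            sock.sendall(starttls_request())
            reply = sock.recv(4096)
        except OSError:
            reply = b""
    return "starttls" if extended_result(reply) == 0 else "no-starttls"
```

`probe` only sends the request and reads the answer; it does not perform the TLS handshake, so it shows whether the regular port offers the upgrade, not whether the certificate is acceptable.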

  • Disable non secure items alert in apex

    Hi
    every time when a page in apex loads i see an alert
    This page contains both secure and non secure items !! do you want to display non secure items ?
    Button Options ( Yes <> No <> Cancel )
    i don't want this to happen, i mean i would like to disable this alert
    pls advice
    thanks in advance
    Raj

    This is definitely a browser alert, not an APEX one. Essentially you have some component URLs using HTTP and some using HTTPS. I've seen this with the standard Flash chart substitution strings; you will need to edit these to ensure they are consistent with your HTTPS domain.

  • In FireFox 9, loading secure web pages running on non-standard ports works just fine. In FireFox 10, those same pages do not load and a "The connection was reset" message is displayed.

    How can this be fixed so functionality returns as per FF9 and below?
    This occurs on any secured website running on a non-standard port, with FF10.

    < X-Post from https://support.mozilla.org/en-US/questions/917315#answer-315144 >
    I don't think this is restricted to Firefox. I've noted this behaviour with IE9, Firefox 10.0.2, Opera Mobile (on my phone) and Chrome(latest version) with my Linksys E3000 router (I access it from https://<IP>) and my 3ware RAID card management suite, 3DM2 (I access it from https://localhost:888 ).
    Notably, the only thing amiss that I've been able to see in the certificates (I'm no expert) is that the one from Linksys has issue and expiry dates in 1969 and 1970 respectively. However, I don't think this is the cause since 3DM2 has proper looking issue dates and has the identical problem.
    Coincidentally, I noticed this happening after a fresh reinstall of Windows 7 x64 with virtually nothing installed on it (FF, Office 2007), so I don't think it's something wrong with the other software on the machine.

  • WRT54G Ver. 6 Help Disable Three Security Ports

    I have the WRT54G Ver. 6 Wireless router and the Xbox 360 Wireless adapter. To get onto LIVE I need to disable three security ports. UDP 88, UDP 3074, and TCP 3074. How do I do this? Any help would be appreciated. Thanks.
    Zcarp

    Hi,
    You can try to forward those ports. Under Applications & Games->Port Range Forward. Give the port numbers and your device ip address.

  • Connecting to non-secure listener port over TCPS

    Hi,
    I am trying to connect to non-SSL port over TCPS.
    When I use tnsping, it hangs.
    When I do an OCIServerAttach, it hangs.
    Client is 10.2
    And Database server is 9.2 and higher..
    Any way I can find out why this is happening??
    -Harsha

    Maybe I'm not getting the point, but when you do not use SSL on this port, why do you want to use TCPS? Wouldn't TCP be a better choice?
    cu
    Andreas

  • Cisco Secure ACS 5.6 Backup to FTP server listening on non-standard ports

    When defining a software repository from CLI or GUI, I have not been able to define the custom port that our FTP server is listening on.  Does ACS support the use of custom ports for FTP?

    Hi Anthony,
    I don't think it will support non-standard ports, as the options are only Disk, FTP, SFTP, TFTP and NFS.
    Regards,
    Chris

  • Disable Security Alert while redirecting from secure to non secure mode.

    Hi Experts,
    I am new to the portal and came across a very different kind of requirement for which I need your advice.
    On pressing the Logout button on the portal, the navigation/control is redirecting to the non secure HTTP website. My portal is on an HTTPS site. Now the issue is that upon logging out I am getting the security alert "You are about to direct to a connection that is non secure. Do you want to continue?"
    Now I have a requirement to suppress or remove this pop-up. I do understand that this is the IE functionality to show the pop-up message, and I have already unchecked the check box under Internet Options -> Advanced -> miscellaneous -> Warn if changing between Secure to non secure.
    Please suggest !
    Thanks
    Shobhit Taggar

    Shobhit,
    Which version of IE?
    Regards,
    Sandeep Tudumu

  • How to use non default port 1521 while 11.2.0.1 grid upgrade to 11.2.0.2

    Hi Team ,
    We are planning an 11.2.0.1 Grid infra rolling upgrade to 11.2.0.2 without any downtime.
    But during the upgradation, due to the default scan port 1521, 11.2.0.1 databases are not able to connect (remote connections).
    We are using port 1900 for the existing 11.2.0.1 grid infra scan.
    During the upgradation it is taking the default port of 1521 instead of the existing port 1900.
    Please provide the solution to use a non default port during the 11.2.0.2 upgradation.
    After upgrade the status as below.
    grdoratst104:/apps/grid/grdhome:+ASM4> srvctl config scan_listener
    SCAN Listener LISTENER_SCAN1 exists. Port: TCP:1521
    SCAN Listener LISTENER_SCAN2 exists. Port: TCP:1521
    SCAN Listener LISTENER_SCAN3 exists. Port: TCP:1521
    Here I was getting TNS:no Listener errors from the client connections.
    I have modified the scan port, then it is working fine.
    grdoratst104:/apps/grid/grdhome:+ASM4> srvctl modify scan_listener -p TCP:1800
    grdoratst104:/apps/grid/grdhome:+ASM4> srvctl config scan_listener
    SCAN Listener LISTENER_SCAN1 exists. Port: TCP:1800
    SCAN Listener LISTENER_SCAN2 exists. Port: TCP:1800
    SCAN Listener LISTENER_SCAN3 exists. Port: TCP:1800
    grdoratst104:/apps/grid/grdhome:+ASM4>
    Here the problem is we need to do the grid infra upgrade without downtime, but due to this default port issue clients are not able to connect to the database.
    Thanks
    Bala
    Edited by: user12032334 on May 31, 2011 11:46 AM

    Why are you using a non default port? It does not improve security. It makes network management more complex. And causes the type of issues that you are facing now.
    So before changing defaults, make sure that your reasons are technically sound. And using port 1900 when 1521 is available, is not technically sound by any means.
    As for addressing the problem you have created for yourself by mucking around with port numbers. Use a NAT firewall (on each RAC node) to rewrite packets headers received on port 1900 and send these to the server's port 1521 instead (on the VIP or static IP as required).
    This can be fairly easily done using iptables if your o/s is Linux. You need to:
    a) create a pre-routing NAT rule
    b) create a post-routing NAT rule
    c) create a forwarding filter rule for port 1900/tcp
    d) create an input filter rule to accept traffic on 1900/tcp

  • How to use non-standard port for vnc?

    Our Windows users who use RDC to connect to their desktops from off-site come in on a non-standard port number. Part of our security setup.
    I'd like to do the same with Mac users who use screen sharing and vnc to connect remotely.
    How can I specify another port number at both ends to accomplish this?
    I can find nothing in the Network Utility app, or in the KB.
    Surely there's a short sequence of Terminal commands that will do this?

    I haven't tried this so don't know whether it will work. But I think it will. Presuming the target machine is a Mac, see if editing its /etc/services file will do it. Find the two lines that start with "vnc-server" and change the port number there. Launch Terminal.app as an administratively privileged user, sudo pico /etc/services, ^w to search for vnc-server, make the changes, ^x to exit, y to save and overwrite. Also, you will need to have screen sharing enabled in the target machine's System Preferences' Sharing, and the authorized users defined there, too. Reboot. Now, on the remote client, assuming it is also a Mac, the user would type ⌘k in the Finder (or mouse to Finder > Go > Connect to Server), and enter something like vnc://123.45.67.89:55900 where you substitute the actual IP address or host name for where I have entered 123.45.67.89, and where you substitute the actual alternate port number where I have entered 55900. Of course, in the clients' Screen Sharing's Preferences, they should choose to encrypt the entire session, not just the login. Like I said, I haven't tried this because I just tunnel my vnc stuff through ssh, but I'm thinking that this should work.

  • CSS 11501 ftp server setup problem using non-standard port

    Dear Expert,
    We would like to set up an FTP server over CSS where our member server uses non-standard ports to open both control and data channels (i.e. 6370 as control and 6369 as data in this case), but it seems we can only get Passive mode FTP to work, not Active mode FTP, for data channel establishment from the server back to the client. Is there any professional advice that can help in this case? Here is our setup info, FYI:
    #  sh ver
    Version:               sg0820501 (08.20.5.01)
    Flash (Locked):        08.10.1.06
    Flash (Operational):   08.20.5.01
    Type:                  PRIMARY
    Licensed Cmd Set(s):   Standard Feature Set
                           Secure Management
    CVDM Version:          cvdm-css-1.0_K9
    !*************** Global
    ftp data-channel-timeout 10
      ftp non-standard-ports
    !************************** SERVICE **************************
    service ftp_ftpgtw
      keepalive maxfailure 2
      keepalive frequency 15
      keepalive retryperiod 2
      keepalive type tcp
      ip address 192.168.52.170
      protocol tcp
      keepalive port 6370
      port 6370
      active
    # sh run group drfusegtwftp_grp 
    !*************************** GROUP ***************************
    group gtwftp_grp
      vip address 192.168.52.28
      add service ftp_ftpgtw
      active
      content ftp_gtwpkg-ftpgtw
        add service ftp_ftpgtw
        vip address 192.168.52.28
        port 21
        protocol tcp
        application ftp-control
        active

    Thanks for your confirmation that no problem was found at the config level first, as it saves us a lot of time in isolating the problem at this level.
    What we notice is that the data port connection seems to fail to open from the server back to the client. In our general understanding, the expected flow should be:
    TCP session A -- Client:1234 --> VIP:21 --> member svr:6370
    TCP session B -- Client: 5678 <--> VIP:20 <--> member Svr: 6379 [on demand generated between server/client]
    But we can only see session B fail to set up when the client side accesses the VIP site on the CSS, even when we try the most standard case as below:
    TCP session A -- Client:1234 --> VIP:21 --> member svr:21
    TCP session B -- Client: 5678 <--> VIP:20 <--> member Svr: 20
    We are still unable to make Active mode FTP access work either, hence we have no idea how the CSS handles FTP access when it involves services over multiple TCP ports.
    And from the CSS xlate view, the problem is that we can only see which NAT IP the CSS uses to connect to the client, but there is no way to confirm which port the VIP uses outgoing to the client, nor whether it is dropped by the CSS or never set up from the VIP to the client side.

  • Isakmp peers using non-standard port 4500

    Hello,
    I have a remote site using the Internet to access corporate networks over IPSEC. Set-up is as below:
    Remote Router uses public IP across internet --> hits corporate untrusted nework FW --> NAT'ed to private 10.x.x.x IP --> reaches trusted network router.
    The problem is that the peer keeps hanging and the only way to reset it is to issue 'clear crypto session' on the central trusted router. I have added isakmp keepalives with the aim of forcing some keepalive traffic:
    crypto isakmp keepalive 90 30 periodic
    ...and this works to some degree (with DPD are u there keepalives). However I have noticed that the far end router uses non-standard ports when trying to set up phase-1 tunnel:
    BEVRLY_D_CR184_01#sh crypto isa pee
    Peer: 161.x.x.x Port: 4500 Local: 77.x.x.x
    Phase1 id: 10.2.0.92
    Peer: 161.x.x.x Port: 10456 Local: 77.x.x.x
    Phase1 id: 10.2.0.92
    Peer: 161.x.x.x Port: 10554 Local: 77.x.x.x
    Phase1 id: 10.2.0.92
    Peer: 161.x.x.x Port: 10557 Local: 77.x.x.x
    Phase1 id: 10.2.0.92
    Peer: 161.x.x.x Port: 10580 Local: 77.x.x.x
    Phase1 id: 10.2.0.92
    Peer: 161.x.x.x Port: 10589 Local: 77.x.x.x
    Phase1 id: 10.2.0.92
    Peer: 161.x.x.x Port: 10596 Local: 77.x.x.x
    Phase1 id: 10.2.0.92
    Peer: 161.x.x.x Port: 10600 Local: 77.x.x.x
    Phase1 id: 10.2.0.92
    These ports (non-4500) will be blocked by our firewalls. Why does it use these, and is there a way of stopping the router using anything other than port 4500?
    Thanks
    Phil

    Hello,
    Yes - there's NAT at the trusted central router end our side of the firewall... the config used is below:
    Remote Router end:
    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
    lifetime 180
    crypto isakmp key address
    crypto isakmp invalid-spi-recovery
    crypto isakmp keepalive 90 30 periodic
    crypto ipsec security-association idle-time 300
    crypto ipsec transform-set BEVERLEY_Transform esp-3des esp-md5-hmac
    crypto ipsec profile VTI
    set security-association lifetime seconds 1800
    set transform-set BEVERLEY_Transform
    interface Tunnel1
    description BEVRLY_CC296_01 F0/8 (10.30.45.29)
    ip address x.x.x.x 255.255.255.252
    ip helper-address 10.91.6.30
    ip helper-address 10.4.162.92
    ip mtu 1400
    ip ospf message-digest-key 1 md5
    load-interval 30
    tunnel source Dialer1
    tunnel destination
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile VTI
    Central Router:
    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
    lifetime 180
    crypto isakmp key address
    crypto isakmp invalid-spi-recovery
    crypto isakmp keepalive 90 30 periodic
    crypto ipsec security-association idle-time 300
    crypto ipsec transform-set BEVERLEY_Transform esp-3des esp-md5-hmac
    crypto ipsec profile VTI
    set security-association lifetime seconds 1800
    set transform-set BEVERLEY_Transform
    interface Tunnel1
    description link to Beverley via internet (BEVERLY_CR184_01 Tun1)
    ip address x.x.x.x 255.255.255.252
    ip mtu 1400
    ip ospf message-digest-key 1 md5
    load-interval 30
    tunnel source FastEthernet0/1
    tunnel destination
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile VTI
    I believe the DPD keepalives ensure NAT is known and compatible (crypto isakmp keepalive 90 30 periodic) between the peers....
    Any help gladly appreciated....
    thanks
    Phil

  • Version 8 blocks http on non standard ports i.e. 8080

    Version 7 handled http on ports 8080, 8081 and 8082, but only text is passed after the version 8 update. Is there a way to re-enable http on non standard ports? If you save the text file to the desktop and load it from there the html is processed correctly? Is there a directive besides "html" that could be placed on the web pages to force html rendering on the odd ports? Version 8 works with port 4135 from Jefferson labs speed test.

    See:
    * http://www.mozilla.org/projects/netlib/PortBanning.html
    * http://kb.mozillazine.org/network.security.ports.banned.override
