Access to only SSL

Hi
I am using WebLogic as a web server.
I have both HTTP and SSL ports enabled.
But I want to restrict some servlets and JSPs to the SSL port only.
Please help me with how to configure this in WebLogic 7.0.
bye
Mourougane

I posted this on one of my later posts, but it relates here:
You may also be able to set up restrictions in an ACL table in a database
(or LDAP, or whatever your realm is) instead of just the web.xml.
Not sure how to do this... researching...
Michael Lee
"Michael Lee" <[email protected]> wrote in message
news:[email protected]..
I'm not positive on this, but whenever you want to control access to any web
resource, one of the best places to do it is in the web.xml. I know you can
restrict on certain JSPs, dirs, GET/POST, etc. You set up the item(s) you're
wishing to secure and then the constraint(s) on those item(s).
Look up web.xml ACL on the Sun or BEA sites to see how to do this.
Mike Lee
"Mourougane" <[email protected]> wrote in message
news:3d6ae71e$[email protected]..
Hi
I am using WebLogic as a web server.
I have both HTTP and SSL ports enabled.
But I want to restrict some servlets and JSPs to the SSL port only.
Please help me with how to configure this in WebLogic 7.0.
bye
Mourougane

Similar Messages

  • Require Only SSL/TLS Connections

    I would like to require that only SSL/TLS connections be allowed to my server. This is not to be confused with wanting SSL client authentication. I had initially thought I could do this with ACI using the authmethod="ssl", however after looking at the documentation closely and experimentation this refers to client-based SSL authentication as well. I do have SSL/TLS set up correctly, I just want to disallow non-encrypted traffic.
    In OpenLDAP I would merely state "security ssf=128" to require SSL/TLS only connections.
    Anyone know how to do this in Sun's Directory Server?

    The reason I don't use a firewall (presumably to block port 389) or set the non-secure port to 0 is that this would disallow TLS on port 389. Hence all I could do is SSL and only 636. I would like to be able to allow only TLS on 389 and not allow non-TLS traffic.

  • Unable to view local HTML content from "Help Content Only" SSL iFrame

    Hi
    Can anyone confirm whether it is possible to view local HTML files within an iFrame when generating Help Content Only SSL content which is also locally deployed?
    I have had no problem viewing local html files from within an iFrame with a locally viewed Browser-Based Help project but despite trying a number of variations on the syntax, I simply cannot obtain the same result from a Help Content Only SSL that is then incorporated within a merged help system. I can however create hyperlinks to view local content using the following syntax (file:/C:\folderName\fileName.html - the only drawback for local preview is that you must right-click and select "open in new tab"). Essentially, I am trying to eliminate the requirement to have to right-click and open in new tab to view local html files.
    The project I am working on is deployed both locally and remotely and this whole process is necessary for emergency management and business continuity purposes.
    I hope my explanation isn't too convoluted and would be glad to clarify it further if required. I would appreciate any assistance!

    Hi John
    I appreciate you and Peter obtaining this information from Adobe and I appreciate your continuing patience in trying to understand what I am doing.
    I will start from the beginning and hopefully clarify my process when deploying my application locally (my remote process differs somewhat but is not germane to this discussion). Obviously this will contain some repetition from previous posts but I hope it helps...
    1. The project itself integrates content created from Adobe RoboHelp with content created within Adobe Dreamweaver.
    2. First, I should mention that I am using RoboHelp 8 as I don't believe I have addressed which version I am using. There's nothing particularly unusual about the project itself.
    3. Utilizing Dreamweaver I have created a self-contained HTML-only (no server-side functionality) website which is placed at the root level of the C: drive.
    4. Within the RoboHelp project I create a hyperlink to access the local HTML files from the RoboHelp topic pages. The process I use to do so is from within the HTML view of the specific topic page and I use the following file path: "file:/C:\folderName\fileName.html". The only end-user requirement is that they must right-click and select "open in new tab", otherwise the link does not work. Please note, this is ONLY required for accessing the local HTML files.
    5. I output my RoboHelp project using the Adobe Air SSL, with the output type set to "Help Only Content" which creates the .rha files. I utilize multiple .rha files within my project as each .rha file constitutes a module specific to an individual municipality (in my particular instance).
    6. I use the Help Viewer Wizard from the RoboHelp "Toolbox" pod to create what I refer to as the "shell" .air file. Once the "shell" .air file created from the Help Viewer Wizard is installed, it creates a shortcut on my desktop.
    7. I place an XML .helpcfg file within the directory on C:Program Files where my "shell" .air file has been installed to reference each .rha module which must be placed at the root level of the C: drive in order to be properly referenced by the .helpcfg file.
    8. By double-clicking on the desktop shortcut created in Step 6 it opens the "shell" module which, in turn, loads in each individual .rha file which can be accessed individually from the drop-down menu in the top-right corner.
    Why do I do it this way?? My organization severely restricts admin privileges on our workstations. We have one IT person / several hundred officers so I needed to create a system where the only time we need IT assistance is in the initial installation of the "shell" .air file created from the Help Viewer Wizard and placement of the .helpcfg file within the C: Programs folder. Once this is done, because the .rha files are on the C: drive, I can swap these out and update as necessary (we currently have an annual renewal cycle) and we require no further IT intervention. The local system I have just described has hyperlinks to the online browser-based help so that users can also access it and see any content updates made throughout the course of the school year
    Having said all that, based on the model I have just described, I have been trying to create iFrames from within my RoboHelp 8 topic pages (placed on my C: drive) to access the local HTML Dreamweaver site (also on my C: drive). The problem I have been having is that the resultant iFrames display only a blank white page and I have tried a number of variations on the syntax of the file path without success.
    The process I have been using to create the iFrame is as follows:
    1. In Design view, select Insert >> HTML >> iFrame.
    2. In the iFrame dialog box, provide a name for the iFrame and then navigate to the local file on my C: drive level Dreamweaver HTML-only website that I want to link to.
    3. Click "Apply" and when the resulting dialog box states that "This action will create an external link to the help system... Do you want to continue?", I click "Yes".
    4. The resultant file path is "../../../../../folderName/fileName.html" which obviously won't work but I have created the iFrame and now I switch over to HTML view and insert the file path that I have been using for the hyperlinks ("file:/C:\folderName\fileName.html"). I also modify the width to 100% and the height to 1000 px.
    The user is not being directed to a different domain. So, if as Adobe states, that iFrames are "supported in local AIR Help (.rha) as well" then I don't know why it will not work for me. Again, this is the file path that allows me to create a hyperlink which will access my local Dreamweaver HTML files: "file:/C:\folderName\fileName.html" so if that syntax works for a hyperlink, why will it not work for the iFrame?
    The videos I referenced are also contained within the local Dreamweaver HTML site
    My usage of the term "merged help" may have been unclear and hopefully steps 1-8 outline what I am doing
    Again, I am very grateful to all who have joined this discussion to try to help me! I think it should be manifestly evident by now that I am self-taught and basically that's the only excuse I can offer in my defense for my poor articulation. Not too many years ago I wanted nothing whatsoever to do with computers!

  • OHS VirtualHost only SSL - redirect to equivalent of IIS HTTP Error 403.4 - Forbidden: SSL is required to view this resource

    Hi,
    I'm completely new to OHS and have been asked to ensure that a URL that goes to OHS should only be accessible on HTTPS; if accessed by HTTP it should go to the equivalent of IIS's
    "HTTP Error 403.4 - Forbidden: SSL is required to view this resource".
    As OHS is the frontend to our SOA installation we have specific files under /moduleconf/ for the virtualhosts; an example of one is below.
    Can anyone give me any clues/best practice to only allow this VirtualHost to be accessed over HTTPS/SSL and to not redirect non-SSL to SSL but to an error page like the equivalent mentioned above.
    Any guidance would be greatly appreciated. Many thanks
    <VirtualHost *:443>
      ServerName testhub.example.com:443
      RewriteEngine On
      RewriteOptions inherit
      RewriteRule ^$ /osb/hub.asmx [NC,P]
      RewriteRule ^/$ /osb/hub.asmx [NC,P]
      RewriteRule ^/hub\.asmx$ /osb/hub.asmx [NC,P]
    <Location /sbinspection.wsil >
      SetHandler weblogic-handler
      WebLogicCluster OSB1:8011,OSB2:8011
    </Location>
    <Location /sbresource >
      SetHandler weblogic-handler
      WebLogicCluster OSB1:8011,OSB2:8011
    </Location>
    <Location /osb >
      SetHandler weblogic-handler
      WebLogicCluster OSB1:8011,OSB2:8011
    </Location>
    <Location /alsb >
      SetHandler weblogic-handler
      WebLogicCluster OSB1:8011,OSB2:8011
    </Location>
    <IfModule ossl_module>
      SSLEngine on
      SSLProtocol nzos_Version_1_0 nzos_Version_3_0_With_2_0_Hello nzos_Version_3_0
      SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
      SSLVerifyClient none
      SSLWallet  "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/host"
      SSLProxyEngine On
      SSLProxyWallet  "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/host"
      SSLCRLCheck Off
    </IfModule>
    </VirtualHost>

    Use https://221.135.134.52/vodacts/
    That gives me a certificate error because the server doesn't send an intermediate certificate that chains to a build-in root certificate.

  • Only SSL in web AS 6.40

    Hi everyone!
    How do I prohibit access to the Web AS 6.40 through any socket other than SSL? I.e., I only want users to access my Web AS through port 5<instanceNo>001?
    I have looked in the HTTP Provider and updated the value from
    Ports = (Port:58100,Type:http)(Port:58101,Type:ssl)
    to
    Ports = (Port:58101,Type:ssl)
    What else do I need to do?
    Best regards, Peter

  • ACE - Balance HTTP and sticky only SSL/TLS

    Hi there,
    I have a situation that I am trying to solve. We have a lot of services through ACE, but now I have to modify one of them, the PROXY servers.
    I have six (6) servers working with Sticky, but with a MASK of 255.255.255.0, which sometimes produces an unbalanced situation, and that affects some servers depending on how many users are connected to that server. We have between 40K and 50K conns in that serverfarm, but in Sticky terms we have around 700 /24 subnets.
    I want to modify the configuration, specifically the MASK to 255.255.255.255, which is going to increase Sticky resources a lot. But thinking of optimizing Sticky resources, I want to know if there is a way to select only e-commerce, Home Banking or other kinds of SSL/TLS traffic (always using port 80 through proxy servers), so I could use Sticky only for connections that need it, and leave other HTTP traffic without this feature.
    I'm sorry, maybe I'm asking a silly question, but I don't have the experience to make this configuration, and I would appreciate your help.
    Here is the actual configuration:
    probe tcp HTTP
      description Keepalive web servers
      interval 20
      passdetect interval 30
    rserver host Server1
      ip address 10.1.1.1
      inservice
    rserver host Server2
      ip address 10.1.1.2
      inservice
    rserver host Server3
      ip address 10.1.1.3
      inservice
    rserver host Server4
      ip address 10.1.1.4
      inservice
    rserver host Server5
      ip address 10.1.1.5
      inservice
    rserver host Server6
      ip address 10.1.1.6
      inservice
    serverfarm host PRX
      failaction purge
      predictor leastconns
      probe HTTP
      rserver Server1
        inservice
      rserver Server2
        inservice
      rserver Server3
        inservice
      rserver Server4
        inservice
      rserver Server5
        inservice
      rserver Server6
        inservice
    sticky ip-netmask 255.255.255.0 address source sticky-PRX
      timeout 60
      serverfarm PRX
    class-map match-any VIP-PRX
      2 match virtual-address 10.10.10.101 tcp eq www
    policy-map type loadbalance first-match POLICY-L7-PRX
      class class-default
        sticky-serverfarm sticky-PRX
    policy-map multi-match PRX-Balance
      class VIP-PRX
        loadbalance vip inservice
        loadbalance policy POLICY-L7-PRX
        loadbalance vip icmp-reply
    interface vlan 100
      ip address 10.10.10.11 255.255.255.0
      alias 10.10.10.10 255.255.255.0
      peer ip address 10.10.10.12 255.255.255.0
      no normalization
      access-group output SOLO-SLB
      service-policy input PRX-Balance
    Thanks
    Alexis

    You might want to check out this new product called ITD.
    Simple and faster solution:
    ITD provides :
    ASIC based multi-terabit/s L3/L4 load-balancing at line-rate
    No service module or external L3/L4 load-balancer needed. Every N7k port can be used as load-balancer.
    Redirect line-rate traffic to any devices, for example web cache engines, Web Accelerator Engines (WAE), video-caches, etc.
    Capability to create clusters of devices, for example, Firewalls, Intrusion Prevention System (IPS), or Web Application Firewall (WAF), Hadoop cluster
    IP-stickiness
    Resilient (like resilient ECMP)
    VIP based L4 load-balancing
    NAT (available for EFT/PoC). Allows non-DSR deployments.
    Weighted load-balancing
    Load-balances to large number of devices/servers
    ACL along with redirection and load balancing simultaneously.
    Bi-directional flow-coherency. Traffic from A-->B and B-->A goes to same node.
    Order of magnitude OPEX savings : reduction in configuration, and ease of deployment
    Order of magnitude CAPEX savings : Wiring, Power, Rackspace and Cost savings
    The servers/appliances don’t have to be directly connected to N7k
    Monitoring the health of servers/appliances.
    N + M redundancy.
    Automatic failure handling of servers/appliances.
    VRF support, vPC support, VDC support
    Supported on both Nexus 7000 and Nexus 7700 series.
    Supports both IPv4 and IPv6
    N5k / N6k support : coming soon
    Blog
    At a glance
    ITD config guide
    Email Query or feedback:[email protected]

  • Is there any way to config iws6.0 to connect to LDAP directory using SSL client and server authentication.  Only SSL server authentication worked when I tried.

    As in my previous question, I followed the following instructions to set up the connection between iws and an LDAP server.
    "Using SSL to Communicate with LDAP
    You should require your Administration Server to communicate with LDAP using SSL. To enable SSL on your Administration Server, perform the following steps:
    1. Access the Administration Server and choose the Global Settings tab.
    2. Click the Configure Directory Service link.
    3. Select Yes to use Secure Sockets Layer (SSL) for connections.
    4. Click Save Changes.
    5. Click OK to change your port to the standard port for LDAP over SSL."
    Q1. Any other steps needed to setup client authentication (or mutual authentication)?
    Q2. Do I need to enable security for connection groups in order to have this setup to work?

    Check out:
    http://docs.iplanet.com/docs/manuals/enterprise/60sp1/ag/esecurty.htm#1008113
    You will need to turn on Client Auth as described above. Hope it helps.

  • No Internet acces or only one computer at the time

    Hi everybody,
    I'm a freelance IT supporter and I'm new to Apple. I studied and always worked with PCs, but with people having more and more Macs at home I had to adapt.
    I have a problem at a customer's place which is kind of hard to explain. I'm unable to get Internet access on any devices connected to the WIFI. I tried several setups and the best I can get is "one device at a time" (the last device that connects to the WIFI). I did screen captures of this setup.
    The setup is D-Link DSL-320B Modem (set as DHCP) --> AirPort Extreme (WAN Port) --> wireless devices (iMac, iPad, iPhone, PC, etc.)
    Unfortunately, all the screen captures are in French (I'm in Switzerland) but since it's not literature, I think you can all get what's written below.
    mode pont = bridge mode (I think this is how I actually got one computer to access the web)
    I don't understand why the address is 169.254.xx.xx. Shouldn't it get a 192.168.1.x since the D-Link is set up as DHCP (see next screen capture)? The DNS servers are the ones provided on the ISP info sheet but I don't think it's necessary to put them here, right?
    Strangely, the IP range didn't show up when I did the screen capture but it's 192.168.1.2 to 192.168.1.254.
    I spent two unsuccessful hours last time; I'd really like to make it right next time so I can actually send them an invoice and eat more than pasta ;-)
    thanks for your help,
    Julien

    Hiya.. thanks for the lovely screen shots.. this is hard and would be impossible without them.
    Something odd is happening... I don't see anything wrong with your setup.
    What I do see is dlink doing its dinky toy dlink type stuff.
    The AE should have got an IP from the dlink. 192.168.1.x and as you have it bridged it should also pass packets to the dlink which would get IP for the wireless.. nothing wrong in any of that.
    It is failing .. and obviously not passing packets correctly on the ethernet link to the Dlink.
    DHCP discovery at the very least is failing..
    Look at your last screenshot of the dlink setup. Look at the IP handed to the AE. 83.79.62.39
    Where did that come from.. it says the AE is a client but the IP is some odd thing.
    Now did you happen to set the AE in DMZ of the dlink or did you use some other method to try and force this to work.. at some point it is passing .. perhaps an old public IP to the AE.. which is not correct.
    Your tech-it-easy computer plugged into the dlink is getting the correct LAN ip 192.168.1.2 clearly the AE has failed.
    I recommend you reset the Dlink to factory and redo the setup.
    If the ISP uses PPPoE, then setup the dlink in bridge mode and run the PPPoE client on the AE.. this is the best method.. but PPPoE is seldom used in Europe for whatever reason.
    If you use pppoa or ipoa or other dsl authentication then you must keep using the AE in bridge.
    Go back to the fundamental problem.. it is not passing packets over ethernet correctly. The AE is gigabit unless it is very old. Dlink I am guessing is 100mbit. There are occasional hitches.. if you have a switch 10/100 drag it along with you and plug it between the dlink and the AE.. and see if it then gets IP correctly. Check with another ethernet cord.. all the stuff you know.
    In the AE you can set wan port speed.. but you will need the AE in router mode.. ie it is NATting a public IP, but you will get double NAT.. as a test you can go for that.
    Use 100mbps full duplex.
    Of course you don't want to double NAT permanently.
    If you don't make progress.. post again..
    There is a manual way of bridging the AE.. we normally call it wan bypass.
    It is complicated so try the above before you do that.
    BTW, when the one computer does work, check what IP it is getting. Is it 83.79.62.39, or whatever the public IP is? If so the AE is definitely set wrongly in the DMZ of the dlink.

  • Router access "Local Only"

    Hi. I have this router WRT54GS working fine until yesterday; suddenly my PC and laptop cannot connect to the internet. Have tried many ways and gave up; hopefully someone here can help to resolve the issue. Have tried a few steps which were recommended by many helpers in the forum like http://en.kioskea.net/forum/affich-10899-trouble-with-linksys-router-wrt54gs: 1) ipconfig /release and /renew 2) ipconfig /flushdns 3) or enable MAC address cloning 4) also reset router 5) and also have tried to update firmware to the latest version for hardware type i.e. ver 6. I can access the admin Linksys menu and check every tab menu; they all seem ok to me, following default settings. And all LED indicators work ok too. I do not know what went wrong with this router. Appreciate your help.

    What is the connection status? Post the information on the Status page.
    In addition, post the output of "ipconfig /all" and "netstat -rn" from your computer, while connected to the router.

  • Can't connect to OID using SSL (handshake failed NZerr 29039)

    Hi!
    I'm trying to set up OID running on Windows Server 2003 for testing purposes.
    I have downloaded the files as_windows_x86_oim_oif_101401_disk(1/2) and installed Oracle Internet Directory only.
    I'm able to connect using standard clear text and using Oracle Directory Manager.
    I have followed the instructions on this page (chapter 17):
    [http://download.oracle.com/docs/cd/B28196_01/idmanage.1014/b15991/ssl.htm]
    Using Oracle Wallet Manager I have generated a certificate request with the key size of 2048.
    I'm unsure what I was supposed to enter into the subject name of the request so I entered just "oid_idm", it looks like this now: "CN=oid_idm,C=US".
    I then used my Novell eDirectory CA to sign the request and to generate the certificate. I exported the CA certificate from eDirectory and imported it into the wallet, it's listed under Trusted Certificates as "META-TREE", I then imported my signed certificate into the wallet and it says Certificate:Ready now.
    The wallet is saved into C:\Documents and Settings\Administrator.DC-1\ORACLE\WALLETS.
    Auto Login is enabled.
    Using Directory Manager I right-clicked Configuration Set1 and selected "Create Like"
    I configured the new set to listen on non-SSL port 1389 and SSL port 1636,
    SSL Authentication: No SSL Authentication
    SSL Enable: SSL only
    SSL Wallet URL: file:C:\Documents and Settings\Administrator.DC-1\ORACLE\WALLETS
    SSL Port: 1636
    Then I changed the OracleServiceORCL to run as Administrator. Restarted the server, started the new instance (2).
    Using this command on the OID server I can connect:
    ldapsearch -D cn=orcladmin -w secret -U 1 -h 192.168.0.101 -p 1636 -b dc=lab -s base "objectclass=*"
    Trying to connect from my Linux server using its own ldapsearch doesn't work; I get the error: ldap_bind: Can't contact LDAP server
    Trying to connect using Apache Directory Studio or LDAP Browser\Editor also doesn't work (SSL connection).
    I can see the following in the log no matter which of the three tools above I try to use:
    2008/10/12:13:01:09 * SSLthread:19 * ERROR * gslsflnNegotiateSSL * SSL Hand Shake failed Source address: 192.168.0.15(WINDESK) * (NZerr 29039)
    Any ideas what I can do to solve this issue?
    Thanks!

    If you are using openldap commands on your Linux machine, you can get some issues with OID. Try the Oracle ldap client command if you have it installed on your Linux machine. Also try to use an ldapbrowser Java client to confirm that your installation is fine; it is the better choice to test your environment from remote machines.

  • Disable weak ciphers and support for all SSL protocols prior to v3.

    I am very new to Weblogic and I need a little help with the SSL configurations. I received a security audit back and discovered that Weblogic's SSL is running weak ciphers and also supporting unacceptable versions of SSL (we require a minimum of SSLv3 and need to deny connections with anything less). That said, can anyone point me in the right direction for disabling weak ciphers as well as forcing support for SSLv3 and up only for client connections. I am running Weblogic 10.3.
    Edited by: David Pulliam on Jan 26, 2011 8:31 AM

    Hi David,
    -Dweblogic.security.SSL.protocolVersion=SSL3 —> With this JAVA_OPTION, only SSL V3.0 messages are sent and accepted. So add the mentioned JAVA_OPTION in the server start script along with the option below:
    -Dweblogic.security.disableNullCipher=true
    Also you can do the following in your "config.xml" to make sure that WebLogic will not accept weak and medium-weak passwords:
    <ssl>
      <enabled>true</enabled>
      <ciphersuite>TLS_RSA_WITH_RC4_128_SHA</ciphersuite>
      <ciphersuite>TLS_RSA_WITH_RC4_128_MD5</ciphersuite>
      <hostname-verification-ignored>true</hostname-verification-ignored>
      <listen-port>7002</listen-port>
      <server-private-key-alias>aliasHere</server-private-key-alias>
      <server-private-key-pass-phrase-encrypted>encryptedpassphraseHere</server-private-key-pass-phrase-encrypted>
    </ssl>
    Thanks
    Jay SenSharma
    http://middlewaremagic.com/weblogic (Middleware Magic Is Here)
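As an added example, not part of Jay's reply and not Oracle documentation: the same <ssl> block rewritten to keep hostname verification switched on (ignoring it affects WebLogic's own outbound SSL connections, where the peer's certificate name would no longer be checked) and to prefer the AES suites over RC4. The two AES suite names are the ones that appear elsewhere on this page; that this WebLogic 10.3 build accepts them, and the TLS1 value for the protocolVersion option mentioned in the comment, are assumptions to verify against the release's cipher suite list before rolling out.

```xml
<!-- Added example: variant of the <ssl> block in the reply above.
     The suite names and the TLS1 protocol value are assumed to be accepted
     by this 10.3 release. In the server start script, pair it with:
       -Dweblogic.security.SSL.protocolVersion=TLS1   (SSL3 is the weaker of the two;
                                                       use TLS1 if every client supports it)
       -Dweblogic.security.disableNullCipher=true -->
<ssl>
  <enabled>true</enabled>
  <!-- AES suites only: no RC4 and no MD5-based suites -->
  <ciphersuite>TLS_RSA_WITH_AES_256_CBC_SHA</ciphersuite>
  <ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
  <!-- keep checking the peer's certificate name on outbound SSL connections -->
  <hostname-verification-ignored>false</hostname-verification-ignored>
  <listen-port>7002</listen-port>
  <!-- alias and encrypted pass phrase are placeholders, as in the reply -->
  <server-private-key-alias>aliasHere</server-private-key-alias>
  <server-private-key-pass-phrase-encrypted>encryptedpassphraseHere</server-private-key-pass-phrase-encrypted>
</ssl>
```

After restarting, re-run the audit scan against port 7002: a negotiated RC4 or MD5 suite, or an accepted SSL 2.0 hello, means the start-script options were not picked up by the managed server's script.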

  • 2008 r2 RDP SSL NLA problem "Local Security Authority cannot be contacted"

    Hi!
    I have run into an issue with RDP settings for 2008 R2 servers (all of them) whenever I enable NLA. That happens on user accounts that do NOT enforce password expiration (and so passwords are not expired) and MSTSC supporting NLA (client computers are win7 or win8).
    In fact those same clients can use NLA just fine for connections to other win7/win8 workstations (domain members) using NLA, no probs!
    SSL certificates are automatically issued by enterprise CA. All computers/servers have current and valid Computer certificates.
    For some strange reason, I cannot enable NLA on RDP settings for any of 2008 R2 servers (various roles, ranging from physical DC running multiple roles, through dedicated virtual DC or dedicated virtual Print Servers up to dedicated Remote Desktop Services host), because all of them at once stop accepting RDP connections, always with same error message:
    An authentication error has occurred.
    The Local Security Authority cannot be contacted
    Remote computer: server.domain.local
    This could be due to an expired password.
    Please update your password if it has expired.
    For assistance, contact your administrator or technical support.
    That same message also appears on DC (2008 R2) running the enterprise CA role ... irony ...
    Please keep in mind that domain member computers running windows 7 x64 or windows 8.1 x64 can accept NLA enabled and SSL encrypted RDP traffic at same time without issues while using the same user accounts to connect.
    To make it even funnier, I can set RDP on 2008 R2 acting as Remote Desktop Services server to accept only SSL RDP traffic and keep NLA disabled and all works just fine. So, it is strictly the NLA causing trouble here, but why? WS 2008 R2 unable to use Kerberos authentication for RDP?
    WS 2012 R2 can accept NLA/SSL RDP connections without trouble, just as win7/win8 workstations can, so issue is narrowed down to only 2008 R2 servers (physical or virtual).
    Is there a hotfix for this problem on 2008 R2? sounds to me like it is a bug in 2008 r2 regarding Kerberos authentication for RDP... is MS ever planning to fix it or we have to upgrade all servers to 2012R2 to "fix it" ...

    In case this is of use to anyone, I traced this issue down to some group policy settings restricting the use of NTLM. If you're connecting to a server from a Windows client within the same domain, this won't be an issue, as Kerberos is used for authentication.
    However, when connecting from a machine outside the domain, or from a non-Windows client (e.g. Wyse ThinOS terminal as we were), it seems NTLM is used for authentication.
    Since we have quite a secure environment setup, the following group policy had been set throughout the domain:
    Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
    Network security: Restrict NTLM: Incoming NTLM traffic - Deny all domain accounts
    Network security: Restrict NTLM: NTLM authentication in this domain
    - Deny for domain accounts to domain servers
    What was needed was to apply a new policy to the RDS servers being connected to from outside the domain with the following settings and so that the new GPO took precedence over the standard GPO applying the above:
    Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
    Network security: Restrict NTLM: Incoming NTLM traffic - Allow all
    Network security: Restrict NTLM: NTLM authentication in this domain - Disable
    In addition, the domain controller policy had to be updated with these settings:
    Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
    Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication -
    Enabled with either all RDS servers listed, or use a wildcard name which will capture all RDS servers
    Network security: Restrict NTLM: Add server exceptions in this domain - Enabled with either all RDS servers listed, or use a wildcard name which will capture all RDS servers
    It took me a while to figure this one out, so hopefully it will help someone somewhere :)

  • Can you turn off SSL for EAS on Pre

    Is it possible to disable SSL on the Palm Pre to set up an EAS account? This was previously done with my Treo 755p and email, contacts, and calendar worked fine. Unfortunately I cannot get the Pre to sync.
    Post relates to: Pre p100eww (Sprint)

    I have another thread on this forum regarding this ... basically it is forcing SSL port 443 to be used.
    I also have port 80 setup and it works with Treos... this function doesn't appear to be available in the PRE.
    The PRE is Exchange active sync enabled for only SSL 443!!

  • SSL 3.0

    Hi, most of the browsers are set for SSL 2.0. The WebLogic 6 documents say only SSL 3.0 is supported. All the browsers that have not set this option will get an error. Is there any workaround for this problem?

    Just my first spontaneous thought: does your ColdFusion version support SSL 3?

  • SSL Replication - why supplier using regular port?

    My consumer is using the default SSL port 636, but the supplier port is fixed with 390. I am using regular port 390. Does that mean referrals are made over the non-SSL (regular) port, and only replications are done over SSL? I would like all communications between the consumer and the supplier to be over SSL.
    There is an optional item under "Replica Settings" where I could specify URLs for write operations for referral, but it would not accept ldaps://myhost:636. It would take ldap://myhost:636. The iPlanet doc said that if I specify ldaps:// then referrals would be done over SSL, not over the regular port. What am I doing wrong?
    Also, the iPlanet doc said I must not use the same port number for regular and SSL, but did not explain why. We are thinking of using only the SSL port. So the question came up: why not just disable the regular port?
    Thanks in advance,
    Choi

    Hello Armin,
    Please check the ownership of the files in your /opt/iplanet/servers/alias directory. All files should be owned by the user under which slapd is running.
    I hope this helps.
    Bertold
    "Armin Wenz" <[email protected]> wrote in message
    news:[email protected]..
    Hello all,
    We are using iDS 5.0 on Solaris. When I want to try a replication over SSL I get the following error from my supplier server:
    NSMMReplicationPlugin - Connection Init Failed. Can not establish secure replication to consumer leela:13636
    - SSL alert: ldapssl_clientauth_init(/opt/iplanet/servers/alias/slapd-replica-supplier-cert7.db) failed -8174 (error -8174 - security library: bad database.)
    What does this mean: bad database? Is the database corrupt or are there any entries missing?
    Both servers (supplier and consumer) are running with SSL enabled and I can connect to both via ldaps. Replication over an unencrypted line is working as well.
