Allow external host to relay through Ironport?

Similar Messages

• How to set "Allow external users who accept sharing invitations and sign in as authenticated users" programmatically?

  Sharepoint 2013 online/office 365.
  I am creating site collection programmatically using sharepoint Auto hosted app.
  Now i want to set "Allow external users who accept sharing invitations and sign in as authenticated users" programmatically after site collection creation.
  Is it possible through code? If yes please let me know how to do it?
  Najitha Sidhik

  For SharePoint 2013 Online, check below links:
  http://office.microsoft.com/en-us/office365-sharepoint-online-small-business-help/manage-sharing-with-external-users-HA102849862.aspx
  http://office.microsoft.com/en-us/office365-sharepoint-online-enterprise-help/manage-external-sharing-for-your-sharepoint-online-environment-HA102849864.aspx
  https://www.nothingbutsharepoint.com/sites/eusp/Pages/SharePoint-Online-2013-Sharing-with-External-Users.aspx
  http://blogs.office.com/2013/11/21/sharepoint-online-improves-external-sharing/
  Please ensure that you mark a question as Answered once you receive a satisfactory response.

• Allow external traffic to access internal computers

  We have an ASA 5505 running version 8.4. We are having problems allowing external traffic to access computers behind the firewall. Our current config is:
  ASA Version 8.4(3)
  hostname ciscoasa
  domain-name default.domain.invalid
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.2.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 152.18.75.132 255.255.255.240
  boot system disk0:/asa843-k8.bin
  ftp mode passive
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  object network a-152.18.75.133
  host 152.18.75.133
  object network a-10.2.1.2
  host 10.2.1.2
  object-group network ext-servers
  network-object host 142.21.53.249
  network-object host 142.21.53.251
  network-object host 142.21.53.195
  object-group network ecomm_servers
  network-object 142.21.53.236 255.255.255.255
  object-group network internal_subnet
  network-object 10.2.1.0 255.255.255.0
  access-list extended extended permit ip any any
  access-list extended extended permit icmp any any
  access-list extended extended permit ip any object-group ext-servers
  access-list acl_out extended permit tcp any object-group ecomm_servers eq https
  access-list outside_in extended permit ip any host 10.2.1.2
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any echo-reply inside
  icmp permit 10.2.1.0 255.255.255.0 inside
  icmp permit any echo-reply outside
  icmp permit any outside
  asdm image disk0:/asdm-523.bin
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source static a-10.2.1.2 a-152.18.75.133
  route outside 0.0.0.0 0.0.0.0 152.18.75.129 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 10.2.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  telnet timeout 5
  ssh 10.2.1.2 255.255.255.255 inside
  ssh 122.31.53.0 255.255.255.0 outside
  ssh 122.28.75.128 255.255.255.240 outside
  ssh timeout 30
  console timeout 0
  dhcpd auto_config outside
  dhcpd address 10.2.1.2-10.2.1.254 inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect icmp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:c7d7009a051cb0647b402f4acb9a3915
  : end
  ciscoasa(config)# sh nat
  Manual NAT Policies (Section 1)
  1 (inside) to (outside) source static a-10.2.1.2 a-152.18.75.133
      translate_hits = 1, untranslate_hits = 112
  ciscoasa(config)# sh nat
  Manual NAT Policies (Section 1)
  1 (inside) to (outside) source static a-10.2.1.2 a-152.18.75.133
      translate_hits = 1, untranslate_hits = 113
  ciscoasa(config)#

  Okay I will bite.
  Assuming you have
  a.  dynamic pat rule for lan users-devices to reach the internet
  (missing ???????????????
  (should look like a nat rule that makes two entries when you make the one rule)
  (with router set at defaults it may make this rule for you already in place)
  -object bit  
  object network obj_any_inside
  subnet 0.0.0.0 0.0.0.0
  and rule bit
  object network obj_any_inside
  nat (inside,outside) dynamic interface
  b.  route rule - tells asa next hop is IP gateway address
  route outside 0.0.0.0 0.0.0.0 152.18.75.129 1
  c.  Nat rule for port forwarding- Using objects it creates two entries (lets say i call it natforward4server)
  object bit
  object network natforward4server
  host 10.2.1.2
  Nat bit
  object network natforward4server
  nat (inside,outside) static interface service tcp 443 443
  d. Nat for translated ort.
  If you had wanted to translate a port, lets say you have external users that can only use port 80 but need to access https
  object bitobject network natfortransl4server
  host 10.2.1.2
  Nat bit
  object network natfortransl4server
  nat (inside,outside) static interface service tcp 443 80

• ASA 5505: unable to ping external hosts

  Hi,
  I have a LAN behind ASA 5505, interface NAT/PAT is configured.
  External interface is configured for PPPoE.
  Everything works fine except I cannot ping from a LAN PC external hosts. I can however ping external hosts from ASA itself. ICMP is allowed:
  icmp permit any inside
  icmp permit any outside
  access-list outside_access_in extended permit icmp any any
  Protocol inspections and fixups are default.
  When I ping an external host 61.95.50.185 from the LAN host 10.2.32.68 I am getting the following in the log:
  302020 61.95.50.185 10.2.32.68 Built ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 10.2.32.68/512
  302020 61.95.50.185 202.xx.yy.zz Built ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 202.xx.yy.zz/1
  313004 Denied ICMP type=0, from laddr 61.95.50.185 on interface outside to 202.xx.yy.zz: no matching session
  313001 61.95.50.185 Denied ICMP type=0, code=0 from 61.95.50.185 on interface outside
  302021 61.95.50.185 202.xx.yy.zz Teardown ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 202.xx.yy.zz/1
  302021 61.95.50.185 10.2.32.68 Teardown ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 10.2.32.68/512
  Where 202.xx.yy.zz is IP of external interface of ASA.
  This is a very simple setup that runs on a number of othe PIXes/ASAs and pings to external IP normally work just fine. I can't understand why ping replies are getting dropped on the interface?
  Any help will be highly appreciated.
  Thank you.
  Alex

  Alex / Kerry, you have couple of options for handling icmp outbound, either acl or icmp inspection :
  access-list outside_access_in extended permit icmp any any echo-reply
  access-list outside_access_in extended permit icmp any any source-quench
  access-list outside_access_in extended permit icmp any any unreachable
  access-list outside_access_in extended permit icmp any any time-exceeded
  access-group outside_access_in in interface outside
  or icmp inspection instead of acl.
  policy-map global_policy
  class inspection_default
  inspect icmp
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
  HTH
  Jorge

• ASA5505 Upgrade to 9.1.5 from 8.4.1 - problem with nat and accessing external host

  When running on 8.4 i had a working config with the following scenario.
  I have 2 interfaces configured as the outside interface.
  One is connected to my internet connection
  The other one is connected to a host that has a public ip.
  The public host can access internet and also a PAT port on an internal host.
  But after the upgrade the internal hosts can't access the external host but everything else on internet 
  packet-tracer input inside tcp 10.x.x.11 1024 x.x.x.89 22
  Phase: 1
  Type: ACCESS-LIST
  Subtype: 
  Result: ALLOW
  Config:
  Implicit Rule
  Additional Information:
  MAC Access list
  Phase: 2
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   x.x.x.0    255.255.240.0   outside
  Result:
  input-interface: inside
  input-status: up
  input-line-status: up
  output-interface: outside
  output-status: up
  output-line-status: up
  Action: drop  
  Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
  If i add 1 to the destination ip:
  packet-tracer input inside tcp 10.x.x.11 1024 x.x.x.90 22
  Phase: 1
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   x.x.x.0    255.255.240.0   outside
  Phase: 2
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group inside_access_in in interface inside
  access-list inside_access_in extended permit ip any4 any4 
  Additional Information:
  Phase: 3
  Type: NAT
  Subtype: 
  Result: ALLOW
  Config:
  nat (inside,outside) source dynamic any interface
  Additional Information:
  Dynamic translate 10.x.x.11/1024 to x.x.x.80/1024
  Phase: 4
  Type: NAT
  Subtype: per-session
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 5
  Type: IP-OPTIONS
  Subtype: 
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 6
  Type: NAT
  Subtype: rpf-check
  Result: ALLOW
  Config:
  nat (inside,outside) source dynamic any interface
  Additional Information:
  Phase: 7      
  Type: USER-STATISTICS
  Subtype: user-statistics
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 8
  Type: NAT
  Subtype: per-session
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 9
  Type: IP-OPTIONS
  Subtype: 
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 10
  Type: USER-STATISTICS
  Subtype: user-statistics
  Result: ALLOW 
  Config:
  Additional Information:
  Phase: 11
  Type: FLOW-CREATION
  Subtype: 
  Result: ALLOW
  Config:
  Additional Information:
  New flow created with id 98586, packet dispatched to next module
  Result:
  input-interface: inside
  input-status: up
  input-line-status: up
  output-interface: outside
  output-status: up
  output-line-status: up
  Action: allow
  Nat rules:
  nat (inside,outside) source static IPv6_HOST interface service https https
  nat (inside,outside) source static IPv6_HOST interface service http http
  nat (inside,outside) source static IPv6_HOST interface service ssh ssh
  nat (inside,outside) source static INTERNAL interface destination static EXTERNAL EXTERNAL service apcupsd apcupsd
  nat (inside,outside) source static IPv6_HOST interface destination static IPv6_POP IPv6_POP
  nat (inside,outside) source dynamic any interface
  The EXTERNAL is the host that is connected to an outside interface and that NAT rule works ok.
  I can ping the EXTERNAL host from the ASA but not from the internal network.
  Any ideas would be appreciated.

  Hmmm, by adding the following i got it working:
  nat (inside,outside) source static IPv6_HOST interface service https https
  nat (inside,outside) source static IPv6_HOST interface service http http
  nat (inside,outside) source static IPv6_HOST interface service ssh ssh
  nat (inside,outside) source static INTERNAL interface destination static EXTERNAL EXTERNAL service apcupsd apcupsd
  nat (inside,outside) source static IPv6_HOST interface destination static IPv6_POP IPv6_POP
  nat (inside,outside) source dynamic inside interface destination static EXTERNAL EXTERNAL
  nat (inside,outside) source dynamic any interface
  It is a bit complicated though since the EXTERNAL host get it's address via DHCP and so does the ASA.

• After specifying the external host name under outlook anywhere, users pop up for password

  Dear All,
  I have installed and configured exchange 2013 as a fresh installation on server 2012 and it worked fine till i changed
  specifying the external host name under outlook anywhere(in exchange ECP -> Server -> server -> W12R2-Email2013).
  My internal domain is starnavigator.lk and we have several accepted domains listed. but all the staff checked web mail through
  mail.leoburnett.lk internally and externally. even now web mail is working fine.
  After i added external host name as mail.leoburnett.lk
  all the internal PCs start to pop up for user name and password and its not  connecting. 
  even if I reversed back the settings, still prompt for user name and password. also auto discover cant locate the settings. if i configure the settings manually, i t works for first time and after restarting outlook, again prompt for name and password.Any
  any advice or solution please??
  Thx,
  Dulana

  Run this tool and post the result (only errors)
  https://testconnectivity.microsoft.com/
  After configuring outlook manually, run Test E-Mail Autoconfiguration and Connection Status and post the result.
  Editing just an URL for OA shouldn't cause any issue.
  Did you restarted IIS Service?
  Cheers,
  Gulab Prasad
  Technology Consultant
  Blog:
  http://www.exchangeranger.com    Twitter:
    LinkedIn:
     Check out CodeTwo’s tools for Exchange admins
  Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

• Can't download PDF through IronPort (result:corrupted pdf)

  Hi,
  Users can't download  PDF through IronPort web proxy(7.3.1)
  The result is always the same: corrupted pdf.
  Who can help me ?

  Hi,
  Please check in access policy matched, in 'Objects' column, if you have any limit set or type of files blocked.
  You can also perform a test - create a Custom URL Category and add the
  website where you are downloading PDF in it, then in access policy -> URL Filtering, configure this Custom URL Category to 'Allow'. 
  Regards,
  Kush

• Allow external iframes local IP

  I am at the beginning of migrating from on-site SharePoint to SharePoint Online.
  Trying to get a page viewer to display an HTML/PHP page that is hosted locally. I understand that this will cause problems when viewing the pages when off-site, but that is ok for the requirements.
  Is it possible to set Site Settings > Site
  Collection Administration > HTML
  Field Security > Allow
  External iFrames to accept content from internal servers, local IP (eg 192.168.1.*)?
  If so, what "domain" is needed in the above settings (or otherwise) to allow these pages to display?
  The URL pointing to the local page works in web browsers fine, just doesn't display on SharePoint Online.
  Thanks,
  Lachy

  Hello
  Nat provides ip.translation but its doesnt give.you any real security to.the server you still.need.to prohibit access via either ios fw features( cbac zbfw,extended acls etc) or via a designated fwl
  To answer your question
  Yes you can
  You can position it in a dmz with a.public ip address and use port forwarding/filtering etc to.open up specifc ports to the server
  Res
  Paul
  Sent from Cisco Technical Support Android App

• Can't use voice/video functionality with external domain connected users through federation

  Hello All,
  Hope you keeping well..!!
  We are communicating with external customers lync server through federation option setup on our corporate lync server.  We have received the federation setting from the customer with SIP address which has been setup on our corporate lync servers after
  that we were able to browse the customer contact through corporate lync account.
  We were also able to chat with external customer but however voice/video functionality are not working through same session.  Whenever we try to dial out external customer lync account it ended with error message "call ended due to network issue".
  We have checked the setting from corporate lync servers and network point of view but doesn't find any issue which cause the disconnection to voice/video over lync.  Could you pl help or guide with the way to resolve the issue.
  Thanks, MK

  Thanks for your reply.<o:p></o:p>
  Audio/Video works fine within corporate when dial any lync contact.  We only have issue while trying to use the same functionality with any other
  external lync contact configured over federation option.<o:p></o:p>
  We already checked the security rules and all required ports are open, as confirmed by local resolver group.<o:p></o:p>
  We have checked with external parties and according to them their systems are hosted by Microsoft as part of office 365 suite and they already have
  federation option for 17 different customers which works fine.  Which means issue must be your local end.<o:p></o:p>
  Is there any tool available to identify the issue from client end?<o:p></o:p>
  Also I have a question here....In my corporate environment...client is sitting in India and lync servers are hosted in UK and users connect to it
  over MPLS route.  In Client lync configuration we have  internal/external servers configured .....so when i tried to make a voice call with external lync users then I see from netstat -a command that traffic hitting to multiple public IP addresses
  directly from my machine..<o:p></o:p>
  Does it mean that client required internet connectivity with specific open media ports to connect with external parties for video/voice? or in ideal
  case all request should handle by corporate internal server which should took UK internet path to connect with external lync contact?
  Thanks, MK

• Mail relay through Windows Server 2003

  I work in a communications department at a small university.  I'm running a Mac network sandboxed inside of the main institution's Windows network.  All of my macs are connected to an XServe and all services except internet access are controlled via my XServe.  We're connected to the internet through a router between my network and the main institution's.  We're set up this way because the IT department won't touch macs, so they pushed all the mac stuff onto me (I don't have a computer science degree or anything of that nature, just an interest and a couple server certification classes).
  Anyway, I have a small web-based app that handles gear checkout.  For simplicity, it only works on my intranet.  However, it's designed to send emails to appropriate people for different things (when gear is checked out, if there's a problem, etc).  The problem is that these emails must be relayed through IT's server.  They're telling me that they can't set their server up to relay email from mine without making it an open relay (which, obviously, none of us wants).
  My question is, is it really that difficult to allow email to relay from a specific address on Windows Server 2003?  On my mail server, I readily found a "Allow relays from these address only" section and seems this is exactly what would be needed on their side--I can't imagine it's much more difficult or generalized than that on their end.
  Here is the log entry on my server when an email is attempted to send.  Is there something else I should be looking at besides the relay?
  Mar  8 10:03:28 MYSERVER postfix/smtp[12631]: 3C02EE81654: to=<[email protected]>, relay=IT.MAIL.SERVER[192.168.x.x]:25, delay=0.01, delays=0/0/0.01/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server IT.MAIL.SERVER[192.168.x.x: generic failure)

  They're telling me that they can't set their server up to relay email from mine without making it an open relay
  Then they're even stupider than your opening paragraph implies. Seriously. If they cannot setup their mail server to accept and relay mail from a specific IP address they really should be looking for other jobs... no, other careers entirely, since they have no idea what they're doing. Or, at least, no interest in what they do.
  Indeed, a google search finds a Microsoft Technet article as the first hit. I believe item #4 on that list is exactly what you need. And I don't even do Windows!

• AIR App, load externally hosted SWF which loads XML

  I am wondering if this is even possible, because I am getting error 2148. 
  I am loading in SWF files that are externally hosted into an AIR app.  Everything works great!
  Is it possible to have one  of these child SWFs load in some type of XML data or access an XML file on the desktop/tmp?
  Or if need be, should I have the AIR app do all the loading (including the other XML) and pass that to the child SWF?
  Thanks in advance!
  In detail:
  AIR app -> Loads SWFs
  SWFS -> Load XML
  SWF -> displays something or does something RAD!!!
  Stuff I have tried:
  Ive added an mms.cfg file in the proper places, as well as, changed my adobe security settings to allow access to a "tmp" folder on desktop. The loaded SWF from an external domain loads fine however it still shows an error 2148 when trying to access an XML file within the "tmp" folder on desktop. The SWF when published is also set to "access local files"

  I was able to find a workaround of the security sandbox using Loader.loadBytes();
  Aleksandar Andreev's Loader class really helped:
  http://blog.aleksandarandreev.com/?p=42

• Externally Hosted Widgets (Flash object embed) In Catalyst or Flex

  Is there any way I can embed flash objects, i.e., externally hosted widgets in FC? ...In Flex?
  There are many externally hosted widgets now available for sideshows, video etc, that are flash objects like Cooliris.
  ( http://developer.cooliris.com/?p=embed/quickstart )
  Any suggestions?

  Hi Rick,
  I am not an expert at this, so I apologize if anything I tell you is wrong. The experts are over on the Flex forums and you'll want to hop over there for deeper questions.
  1) To load a SWF from within a SWF, you use the SWFLoader component.
  2) FC allows you to embed a SWF within the same project by File > Import > SWF File. In this case, the SWF is compiled into your main SWF and increases its size.
  3) To include a SWF that doesn't exist in your project, but that is somewhere else on the internet, you'll need to use FB. There are some cross-domain and security considerations, just like with HTML/JS. Here is the documentation on SWFLoader: http://livedocs.adobe.com/flex/3/html/help.html?content=controls_15.html
  Hope that helps =\...
  -Adam

• How do I move my externally hosted iTunes to a new computer?

  Hello,
  I recently upgraded my MacBook Pro from a 2008 model to one of the current retina models.  On the recommendation of many, I chose not to migrate my old system to the new machine.  Instead, I'm simply installing apps and moving files as needed.
  One of the bigger tasks at hand: moving iTunes.
  On my old machine, I have the last iTunes 10 version installed.  It is a huge music library, but a modest video library.  My in-machine hard disk drive cannot hold everything, so years ago I switched to external hosting (and within the last year upgraded to a new, bigger drive).
  On my new machine, I am using iTunes 11.  I signed in with iTunes Match and downloaded 2 or 3 albums.  I've made one video purchase (a TV Season Pass), which thus far only has one episode.
  I'd like to move my old library to my new machine.  I *think* I know how to approach this, but in the interest of not screwing anything up, I thought I'd run my plans by the forum.  PLEASE let me know if I'm totally off, missing steps, or on the right track:
  1.  Update my old machine to iTunes 11.
  2.  Copy the Library .itl and .xml files on my old machine
  3.  Create a duplicate file string on new machine -- the exact string as the old machine (e.g. Users > johndoe > iTunes Music)
  4.  Delete previous iTunes library files from new machine
  5.  Replace with copied files from old machine
  6.  Connect external drive to new machine
  7.  Open iTunes
  Will this work, or are there hidden properties that I'm unaware of that simply prevent such a move from happening in the way I've outlined it?

  Bumping one last time! 
  If no one has any thoughts on this, I'll give it a shot and report back with what I find.

• How can I capture an externally hosted page as a variable ?

  How can I capture the html or css of an externally hosted
  page and use it as a local variable ? There's plenty of options for
  doing it with local file but I can't work out how to go about it
  when the file isn't on your cf server. Any ideas ?

  Yes, of course.
  {insert the sound of slapping oneself in the head here}

• How can I allow the application to line through a field that has been locked after being digitally signed?  We have multiple sections on a form with some fields being proposed information and other in another section having the approved information. once

  How can I allow the application to line through a field that has been locked after being digitally signed?
  We have multiple sections on a form with some fields being proposed information and other in another section having the approved information. once the approved information is entered we line through the proposed field so the data entry clerk won't pick up the wrong information.  However we are receiving an error when attempting to enter data  in the field which we have this edit.  Error property: line through cannot be set because doing so would violate the document permission setting.  any idea how we can get around this issue?

  You can control which fields are locked down after signing by setting up a collection. Then those that are not locked can be changed after signing. If this is not possible, then the line outs must occur prior to signing.