AnyConnect configuration using IPSec
I have configured our ASA running 8.4(7) for the AnyConnect client (using IPSec). It prompted me to create an identity certificate when running the VPN wizard, which I did. We use AAA to authenticate so I didn't create a CA certificate. Is this required anyway for AnyConnect? When I try to connect from a pre-deployed AnyConnect client, I get an error: "Untrusted VPN Server Certificate". If I ignore it and choose to connect anyway, the login fails. What am I missing?
Thanks
The identity certificate generated during setup is OK as long as you want to manually install it as follows.
To establish trust, install it on the client PC in the trusted root CA store. You need to browse to the ASA and use your browser tools to download the certificate to your computer (i.e. click on the lock icon in your browser bar, select certificate information, copy to file). Then import it; in Windows this is the default action for a .cer file. You should override the default store to make sure it is installed in the trusted root store.
Avoiding that complexity is why Cisco recommends getting a certificate issued by a trusted 3rd party CA. Most organizations don't want to have to explain all the above to their users as it doesn't scale very well support-wise.
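As an added example (not part of the original answer), here is the manual install described above done in a way that checks what it trusts: the script fetches the ASA's certificate over TLS, compares its SHA-1 thumbprint with the value the administrator recorded from the ASA itself (ASDM or `show crypto ca certificates`), and only on a match adds it to the machine's Trusted Root store. The hostname, port and thumbprint are placeholders.

```powershell
# Added example, not from the original thread. Run elevated on the client PC.
# $AsaHost and $ExpectedThumbprint are placeholders to be replaced.
param(
    [string]$AsaHost = 'vpn.example.com',   # placeholder ASA FQDN
    [int]$AsaPort = 443,
    [string]$ExpectedThumbprint = '0000000000000000000000000000000000000000'  # placeholder, from the ASA
)

# Accept the handshake only so the remote certificate can be read; nothing is trusted yet.
$acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($AsaHost, $AsaPort)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
    $ssl.AuthenticateAsClient($AsaHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    $ssl.Dispose()
} finally {
    $tcp.Close()
}

# Refuse to install unless the thumbprint matches the one recorded out-of-band.
$actual   = $cert.Thumbprint.ToUpperInvariant()
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($actual -ne $expected) {
    throw "Thumbprint mismatch: got $actual, expected $expected. Not installing."
}

# The subject/SAN must match the name users connect to, or AnyConnect still warns.
Write-Host "Subject    : $($cert.Subject)"
Write-Host "Valid until: $($cert.NotAfter)"

# Install into the machine-wide Trusted Root store, skipping if already present.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
if ($store.Certificates.Contains($cert)) {
    Write-Host "Certificate $actual already present in Cert:\LocalMachine\Root"
} else {
    $store.Add($cert)
    Write-Host "Installed $actual into Cert:\LocalMachine\Root"
}
$store.Close()
```

Because the store is Root, anything placed there becomes a trust anchor for the whole machine, which is why the thumbprint comparison precedes the install rather than following it.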
Similar Messages
-
Using IPSec on TMG to secure access to Exchange not working
Hello,
I am trying to follow the MS white paper to use IPsec to secure Exchange 2010 Outlook Anywhere via TMG.
However, I am having trouble with getting IPsec configured properly on the TMG server. When I configure the IPsec Connection rule, Exchange site is still accessible without any restrictions.
- I assigned an additional IP to the TMG server and created a new Web Listener
- As a first step to ensure that everything works without IPsec, I have published Exchange on TMG and verified that I can access the server normally using OWA and Outlook Anywhere
- The Root CA have been imported on the TMG servers.
- I then follow the steps to create the Connection Security Rules where endpoint1 is any IP, and endpoint-2 is the IP of the TMG server, and configured it for computer authentication for inbound and outbound
- At this point I believe that the published Exchange site should no longer be accessible since it requires IPsec for HTTPS access to the Web Listener. However, this is not the case. I suspect that it is ignoring the Connection Security Rule that was configured within Windows 2008 R2 and not TMG.
The part I am confused with is that the white paper outlines adding the Connection Security Rule in the Windows Firewall advanced security. However, I thought that TMG basically overrides any Windows firewall configuration with the firewall policies within TMG. So is there another way to set this up on TMG without having to configure any IPsec rules on the actual Exchange server?
Lutz,
I already have "Require inbound and outbound" selected. It seems like TMG is just ignoring the connection security rule.
Environment:
TMG: Workgroup
External NIC: x.x.1.1, gw set, no DNS
- additional IP bound to external NIC x.x.1.2 dedicated for the web listener
- Public NAT: x.1.1.2 translates to x.x.1.2
ran "netsh advfirewall set global ipsec ipsecthroughnat serverandclientbehindnat"
Internal NIC: x.x.2.1, no gw, DNS set
The Web listener network is set to x.x.1.2
OWA publishing rule is set to use the Web listener
I verified that OWA is working normally without IPSec. The TMG logs shows HTTPS connections to the destination IP for x.x.1.2 (listener) during logon. After successful logon the log shows the Exchange server in the destination IP address column.
I create a Connection Security Rule
- Endpoint 1: any IP
- Endpoint 2: x.x.1.2 (listener IP)
- Protocols: TCP, endpoint 1: all ports, Endpoint 2: Specific: 443 (I also tried selecting the protocol to ANY)
- Authentication: Require inbound and outbound
- Advanced: all profiles selected
When I enable this Connection filter, I can still access Exchange normally without using IPSec on the client. I can see that TMG still allows 443 access to the web listener without requiring IPSec authentication. It behaves exactly the same as before I created the connection filter. -
Anyconnect profiles using by using different extended key attributes
Hi,
I have an anyconnect VPN with workstations located in the same OU in Active Directory. The current anyconnect deployment uses separate OUs to determine what profile is applied to the client.
I'm looking for a solution to enable machines to be located in a single OU & still have the ability to apply different profiles to machines.
The only way I can think of doing this is using machine certificates in Active Directory & configuring different extended key attributes.
Any advice/suggestions or information on the best way of doing this would be greatly appreciated.
Resolved my own issue today. The error does nothing to describe the actual cause. The user's private key was corrupted (uncertain as to how). The certificate GUI in Windows showed it was okay, but running "certutil -store -user my" showed the error "Missing stored keyset" on the certificate in question.
The resolution was to delete the certificate and enroll for a new one, with a new key pair. -
Can I make a Data Guard configuration using EM console without Grid Control
Can I make a Data Guard configuration using EM console without Grid Console?
Can I download Grid Console software from Oracle website without cost?
Assuming this is for 10g,
You could use Oracle® Data Guard Broker.
Even if you can download Grid Control software for free from the Oracle site, you can't legally use it without a license. -
Configuring use of client certificates for JAX web services
Hello dear people,
I have a very simple jax web service under glassfish v.2.1 and I want to secure it using mutual authentication. I could configure using server certificates but I have problems with configuring the server to ask client certificates. The problem is that the clients are not asked to provide a valid client certificate to use the service. The clients can easily use the service without having a certificate.
Can anyone tell me what should I do to have this?
I got the example code from http://java.net/projects/javaeetutorial/downloads and the sample code that I used is in the folder : javaeetutorial5/examples/jaxws/helloservice-clientcert
Best regards,
Arash.
Did you resolve your issue?
I'm posting some comments that maybe can help newer administrators facing similar doubts.
I'm using NW PI 7.1 EHP1 also, and some interfaces were developed for using an external site providing web services through an SSL (HTTPS) connection.
As in browser navigation, secure sites protected with SSL have a certificate issued by an international CA. We don't perceive the "handshake" in most cases because normally the web browser has a group of trusted CAs loaded in its certificate store.
With SAP PI and its WAS Java a similar procedure occurs with a small difference. The WAS Java doesn't have the trusted CAs loaded in the Key Storage. So, when the adapter tries to establish a connection with an HTTPS site (it is a background process) a "handshake" is required to accept the certificate, and this produces an error.
We completed the handshake by importing the entire certificate chain (you can load the site's certificate in your browser and export it as a file) into the Keystore under the Trusted CAs view.
Hope this can help someone. It's an "easy" part of SSL communication.
Now I'm trying to configure the inverse: some third party consuming the PI web services using SSL. I have an additional component on inbound/incoming connections, which is the SAP Web Dispatcher.
Help.sap.com is the reference, but as always it's a little difficult to find the (sequential) path following the links (go ahead, go ahead, go ahead, go back, go back, go ahead)...
Regards,
Rodrigo Aoki -
Manage MSMQ is missing from Failover Cluster Manager when configured using powershell
Hi,
I am hoping someone would be able to help me as I have looked on the internet for an answer to this. We deploy a number of servers that are configured using Powershell. I am in the process of creating a clustered WIN2K8R2 cluster with MSMQ. I am able to do this successfully through the Failover Mgr with no issues. In addition, I can do this via Powershell (code listed below) with one caveat.
However, when I create the same exact MSMQ in Powershell, I am unable to right click on the MSMQ service to manage it as the "Manage MSMQ" is missing when I right click on it. The settings are the same, including dependencies. The only difference I have been able to find is the icon in the Failover Manager shows the Service as a Generic Service icon when created in Powershell, but when it is created in the GUI it shows up as the MSMQ icon. I was able to verify this in the registry in HKLM\Cluster\Groups\<GUID>\:
GroupType HEX: 68 for msmq icon. When it is the Generic Service icon it is HEX: 270f. When I change it from 270f to 68, the icon changes in Failover Manager and I am able to open, but then I get an invalid handle and I am unable to manage it.
This is causing an issue, because I want to automate this build and hand it over, but they would be unable to manage it except by programming which the operators are not ready for.
Here is the code which I have created in Powershell:
Write-Host "Configuring MS MSMQ Cluster Failover..."
$CluName = "Cluster Name"                       # replace with your cluster name
$ClsMSMQName = $CluName + "MSMQ"                # $CluName is a string, so it has no .Name property
$ClsMSMQResourceName = "MSMQ-" + $ClsMSMQName
$Response = Read-Host "Enter the IP Address of the Clustered MSMQ"
$ClsIpRes = Get-ClusterResource "Cluster IP Address"
# Wrap the entered address in a ClusterParameter owned by $ClsIpRes (the original used an undefined $ipres)
$MSMQIpAddr = New-Object Microsoft.FailoverClusters.PowerShell.ClusterParameter $ClsIpRes,Address,$Response
Add-ClusterServerRole -Name $ClsMSMQName -Storage "Cluster Disk" -StaticAddress $MSMQIpAddr.Value
# Add the MSMQ Service to the new Server Role
Get-ClusterGroup $ClsMSMQName | Add-ClusterResource -Name $ClsMSMQResourceName -ResourceType "MSMQ"
# Create Dependencies for the MSMQ group
Add-ClusterResourceDependency $ClsMSMQResourceName $ClsMSMQName
Add-ClusterResourceDependency $ClsMSMQResourceName "Cluster Disk"
# Start MSMQ group
Start-ClusterGroup $ClsMSMQName
You would just have to change "Cluster Disk" and "Cluster Name".
Thank you -
Configuring using AAE
I have been going through the following document.
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/700058f0-b1a1-2a10-39a8-ab2627b87cfa?quicklink=index&overridelayout=true
1. I have a JMS to Proxy scenario, async. How do I configure this scenario using Integrated Configuration in 7.11 using AAE to improve the performance of this scenario?
I know it is not supported by Proxies?
Please let me know the steps required for the same.
2. I have a File to Proxy scenario, async. Can I configure the same using an Integrated Configuration scenario?
Thanks
~N
Hi
Please check the following links for AAE with proxy
ABAP Proxy sender possible in integrated configuration AAE with PI 7.11
/people/makoto.sugishita/blog/2009/10/23/a-new-feature-in-netweaver-pimessage-protocol-xi-30-in-soap-adapter
Regards
Abhijit -
Error on Send Port configured using HTTP adapter
Hi All,
For load balancing purposes we have created a new host and host instance and changed the send handler for the send port configured using the plain HTTP adapter.
We are getting below error after change:
A password is mandatory if UserName is specified
Parameter name: Password
Please advise.
Thanks
Pooja Jagtap Software Engineer KPIT Cummins
Have you updated the password for your Host instance? Try restarting your host instance once.
Thanks
Abhishek -
System configuration using java
Hi friends
Can I get the System configuration using Java code?
If yes, please suggest how.
thanks in advance.. Anjana
Some bits and pieces are available; see the details in
System.getProperties():
import java.util.Enumeration;
import java.util.Properties;

Properties sysProps = System.getProperties();
Enumeration<Object> en = sysProps.keys();
while (en.hasMoreElements()) {
    // print the key=value pairs
    Object keyObj = en.nextElement();
    String key = (String) keyObj;
    String value = sysProps.getProperty(key);
    System.out.println(key + " : " + value);
}
Just an idea??
YES, and also you can do
System.getenv();
but they also don't give all the info the OP was/is looking for. -
How to find the configuration that uses the Z message class.
Usually when I do some configuration, it may need to create some message, such as for a Validation.
It raises a message when I run some standard t-code. So when I check some Z message class to find what program uses this message, I cannot find anything. So I assume there might be two situations:
1. We cannot trace it down when the program didn't write it like this: MESSAGE E003(ZFI).
2. This message might be used in some configuration, not in a program.
So how do we find the configuration that uses this message? Or is there any way to trace all messages?
Thank you so much for your sincere answer.
Hi,
Case 1: Message is defined correctly with message number & message class.
Example - Message E003(ZFI).
Easy to locate the message using whereused list.
Case 2 :
There are some FM's like BALW_BAPIRETURN_GET where we pass the message details.
For example :
call function 'BALW_BAPIRETURN_GET'
exporting
type = p_message-msgty
cl = p_message-msgid
number = p_message-msgno
par1 = p_message-msgv1
par2 = p_message-msgv2
par3 = p_message-msgv3
par4 = p_message-msgv4
* LOG_NO = ' '
* LOG_MSG_NO = ' '
importing
bapireturn = p_return
exceptions
others = 1.
In these cases, we won't be able to track the message number from the where-used list. So, what we do is, before calling these FMs, we use the below statement,
IF 1 = 2. message e003(zfi). ENDIF.
so that the message can be tracked using the where-used list.
Case 3: Some messages can be configured in message control (Table T100S). For those messages we search for table T100S in the program.
Regards,
DPM -
Is it possible to delete message in the server using Mail configured using IMAP?
Is it possible to delete message in the server using Mail configured using IMAP?
Currently when I delete the message in Mail, the server still keep a copy of it, which means it is not deleted on the server. I know that POP can do this but I still want the option of being able to access it from other computers.
My server has only a small size, so I hope that I can just delete it from my Mail instead of having to log in to the server and delete it again.
Thank you.
yxchng wrote:
Is it possible to delete message in the server using Mail configured using IMAP?
Yes, but doing so will remove it from everything else. -
This just to share the below post with windows users..
How to install/Configure/Use VT to detect Malware/Unwanted programs in Windows?
http://www.windowstechinfo.com/2014/03/how-to-installconfigureuse-vt-to-detect_29.html
Hetti Arachchige V Aravinda | Network & System Administrator (B.Sc, Microsoft Small Business Specialist, MCP, MCTS, MCSA, MCSE, MCITP, CCNA, CEH, MBCS)
That is interesting. Normally a bootmgr error message means that the boot loader is corrupt and the hard disk is not "dead". Replacing the hard drive is a quickie shotgun method of resolving the issue.
Did you give up on the SSD?
The desktop ( w/ASUS Crossfire V Formula-Z mobo) I am using to type this, has the same SSD that you asked about. I used the method I described in the earlier post to clone the OS to the SSD. The SSD is the boot drive.
2015 Microsoft MVP - Windows Experience Consumer -
Launch Configuration using CIO object
Hi,
I am trying to launch a Configuration using a CIO object.
Please find the code below that I am using.
===========START CODE==================
Context context = new CZWebAppsContext("hostName","portNumber","dbcFileName");
System.out.println("------------- Context object created ----------");
ConfigParameters cp = new ConfigParameters(79160);
System.out.println("------------- ConfigParameters object created ----------");
CIO cioObject = new CIO();
System.out.println("------------- CIO object created ----------");
Configuration config = cioObject.startConfiguration(cp,context);
System.out.println("------------- Configuration object created ----------");
IUserInterface ui = config.getUserInterface();
System.out.println("------------- UI object created ----------");
ui.navigateToScreen("Page-1");
System.out.println("------------- Page navigation ----------");
=============END CODE==================
I am getting the following error after the CIO object is created, while trying to start the configuration, at cioObject.startConfiguration(cp,context). The hostName, portNumber and dbcFileName are correctly provided.
============START LOG ====================
------------- Context object created ----------
------------- ConfigParameters object created ----------
------------- CIO object created ----------
java.lang.RuntimeException: Null JDBC Connection returned from connection pool.
Contents of CZWebAppsContext error stack: AOLJ_JAVA_EXCEPTION (MESSAGE=Not able to create new database connection. Cause:java.sql.SQLException: Io exception: The Network Adapter could not establish the connection)
SECURITY-No gateway reconnect
SYSTEM-ERROR (MESSAGE=Io exception: The Network Adapter could not establish the connection)
at oracle.apps.cz.common.CZWebAppsContext.getJDBCConnection(CZWebAppsContext.java:116)
at oracle.apps.cz.dio.DbTransaction.<init>(DbTransaction.java:61)
==============END LOG=======================
Please help me in finding the solution.
Regards,
Adarsh
Adarsh,
Looks like the parameters passed in the constructor call are not valid ones and hence the database connection is not getting done.
Context context = new CZWebAppsContext("hostName","portNumber","dbcFileName");
Check the above call carefully and its parameters. I guess the dbcFileName might be the reason, as the other 2 entries are pretty easy to know.
--Shiv -
Automate cf mx 7 server configuration using scripts?
Hi all,
Just wondering, is it possible to change a ColdFusion MX 7 server configuration using scripts? For example, could I change the password for a data source without having to go into the console and change it manually?
Cheers. -
[SOLVED] UEFI boot configuration using efibootmgr
Hello All,
I've been having a very frustrating time with efibootmgr on my HP Laptop.
I've been searching around for some information regarding the OS Bootmanager in UEFI boot and cannot find anything that works for me.
I'm trying to get efibootmgr to load the boot entries in the order that I specify, but, although it lists exactly what I want in the terminal, when it comes to a reboot, the OS Bootmanager is failing and writing new entries every boot and I cannot fathom why.
Please could someone point me in the direction of a good guide to UEFI boot/OS Bootmanager and its configuration using efibootmgr? I have read the info found in the Archwiki, but was hoping for something focussing on efibootmgr alone as a configuration tool.
Many thanks for your help,
Frazer
Last edited by frazer (2014-03-10 22:21:14)
It's likely that the firmware (or maybe Windows, if you're booting into Windows between boots and haven't mentioned that fact) is changing the boot order. Unfortunately, some EFIs do that, or worse.
I recommend you start by upgrading your firmware. (In some cases, this will wipe out all your boot entries, so be prepared.) If the problem continues, either file a bug report with the manufacturer or return the hardware for a refund and buy something else. The manufacturers have had a long enough time to work out such major problems with their firmware, and returning defective hardware is really the only thing we as consumers can do that will get the manufacturers' attention.
If you must keep the hardware and a firmware update doesn't help, you may just need to find a workaround. If you need advice on doing that, you'll need to provide more details about what your setup is -- in particular, what you want the boot manager's boot list to look like (as in "efibootmgr -v" output once it's configured) and how the firmware is reshaping that when you reboot.