AnyConnect configuration using IPSec

I have configured our ASA running 8.4(7) for the AnyConnect client (using IPSec). It prompted me to create an identity certificate when running the VPN wizard, which I did. We use AAA to authenticate so I didn't create a CA certificate. Is this required anyway for AnyConnect? When I try to connect from a pre-deployed AnyConnect client, I get an error: "Untrusted VPN Server Certificate". If I ignore it and choose to connect anyway, the login fails. What am I missing?
Thanks

The identity certificate generated during setup is OK as long as you are willing to install it manually, as follows.
To establish trust, install it on the client PC in the trusted root CA store. You need to browse to the ASA and use your browser tools to download the certificate to your computer (i.e. click on the lock icon in your browser bar, select certificate information, copy to file). Then import it; in Windows this is the default action for a .cer file. You should override the default store to make sure it is installed in the trusted root store.
Avoiding that complexity is why Cisco recommends getting a certificate issued by a trusted 3rd party CA. Most organizations don't want to have to explain all the above to their users as it doesn't scale very well support-wise.
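The manual steps in the answer above (download the ASA's certificate, import it into the Trusted Root store) can be scripted on the client. The following is an added example, not code from the thread or from Cisco: it pulls the certificate the ASA presents on 443, shows why the AnyConnect client reports it as untrusted (a self-signed identity certificate that chains to nothing), and installs it machine-wide only after the thumbprint matches one you read out-of-band from the ASA (show crypto ca certificates). The host name vpn.example.com is a placeholder; Import-Certificate comes from the PKI module on Windows 8 / Server 2012 and later (on older clients substitute certutil -addstore Root), and the script must run elevated to write to LocalMachine\Root.

```powershell
# Added example (not from the original thread or from Cisco): capture the ASA's
# identity certificate, explain the trust failure, and install it only after an
# out-of-band thumbprint check. vpn.example.com is a placeholder.
param(
    [string]$AsaHost = 'vpn.example.com',   # placeholder: your ASA's VPN address
    [int]$Port = 443,
    [string]$ExpectedThumbprint = ''         # SHA-1 fingerprint from "show crypto ca certificates"
)

function Get-AsaServerCertificate {
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever the server presents so we can inspect it. This is NOT
        # trusting it yet; the validation callback only lets the handshake finish.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

$cert = Get-AsaServerCertificate -HostName $AsaHost -Port $Port
"Subject     : $($cert.Subject)"
"Issuer      : $($cert.Issuer)"
"Thumbprint  : $($cert.Thumbprint)"
"Self-signed : $($cert.Subject -eq $cert.Issuer)"

# Build a chain against the machine's current stores. This is the same check
# that produces "Untrusted VPN Server Certificate" in the AnyConnect client.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if ($chain.Build($cert)) {
    "Certificate already chains to a trusted root; nothing to install."
    return
}
"Chain status: " + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')

# Blindly trusting whatever the browser downloaded is trust-on-first-use, which
# is exactly what a man-in-the-middle on the path to the ASA would exploit.
# Compare against the thumbprint read from the ASA console before installing.
if (-not $ExpectedThumbprint) {
    throw "Refusing to install: pass -ExpectedThumbprint taken from 'show crypto ca certificates' on the ASA."
}
$expected = ($ExpectedThumbprint -replace '[:\s]', '').ToUpper()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: server presented $($cert.Thumbprint), expected $expected. Do not trust this certificate."
}

# Export DER and import into the machine-wide Trusted Root store (requires admin).
# LocalMachine\Root covers every user on the PC; CurrentUser\Root would only fix
# the account running this script.
$cerPath = Join-Path $env:TEMP ("{0}.cer" -f $AsaHost)
[System.IO.File]::WriteAllBytes($cerPath, $cert.Export('Cert'))
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
"Installed $($cert.Thumbprint) into Cert:\LocalMachine\Root"
```

Run it once without -ExpectedThumbprint to see the subject, issuer and chain status; if Subject equals Issuer the ASA is presenting its self-signed identity certificate and the client is right to complain. For more than a handful of machines, push the same .cer through Group Policy (Computer Configuration, Windows Settings, Security Settings, Public Key Policies, Trusted Root Certification Authorities) instead of running this per PC, or, as the answer says, replace the self-signed certificate with one from a CA the clients already trust.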

Similar Messages

  • Using IPSec on TMG to secure access to Exchange not working

    Hello,
I am trying to follow the MS white paper to use IPsec to secure Exchange 2010 Outlook Anywhere via TMG.
However, I am having trouble with getting IPsec configured properly on the TMG server. When I configure the IPsec Connection rule, the Exchange site is still accessible without any restrictions.
- I assigned an additional IP to the TMG server and created a new Web Listener
- As a first step to ensure that everything works without IPsec, I have published Exchange on TMG and verified that I can access the server normally using OWA and Outlook Anywhere
- The Root CA has been imported on the TMG servers.
- I then followed the steps to create the Connection Security Rules where endpoint 1 is any IP, and endpoint 2 is the IP of the TMG server, and configured it for computer authentication for inbound and outbound
- At this point I believe that the published Exchange site should no longer be accessible since it requires IPsec for HTTPS access to the Web Listener. However, this is not the case. I suspect that it is ignoring the Connection Security Rule that was configured within Windows 2008 R2 and not TMG
The part I am confused with is that the white paper outlines adding the Connection Security Rule in the Windows Firewall with Advanced Security. However, I thought that TMG basically overrides any Windows firewall configuration with the firewall policies within TMG. So is there another way to set this up on TMG without having to configure any IPsec rules on the actual Exchange server?

    Lutz,
    I already have "Require inbound and outbound" selected. It seems like TMG is just ignoring the connection security rule.
    Environment:
    TMG: Workgroup
    External NIC: x.x.1.1, gw set, no DNS
- additional IP bound to external NIC x.x.1.2 dedicated for the web listener
    - Public NAT: x.1.1.2 translates to x.x.1.2
    ran "netsh advfirewall set global ipsec ipsecthroughnat serverandclientbehindnat"
    Internal NIC: x.x.2.1, no gw, DNS set
    The Web listener network is set to x.x.1.2
    OWA publishing rule is set to use the Web listener
    I verified that OWA is working normally without IPSec. The TMG logs shows HTTPS connections to the destination IP for x.x.1.2 (listener) during logon. After successful logon the log shows the Exchange server in the destination IP address column.
    I create a Connection Security Rule
    - Endpoint 1: any IP
    - Endpoint 2: x.x.1.2 (listener IP)
    - Protocols: TCP, endpoint 1: all ports, Endpoint 2: Specific: 443 (I also tried selecting the protocol to ANY)
    - Authentication: Require inbound and outbound
    - Advanced: all profiles selected
When I enable this Connection filter, I can still access Exchange normally without using IPSec on the client. I can see that TMG still allows 443 access to the web listener without requiring IPSec authentication. It behaves exactly the same as before I created the connection filter.

  • AnyConnect profiles by using different extended key attributes

    Hi,
I have an AnyConnect VPN with workstations located in the same OU in Active Directory.  The current AnyConnect deployment uses separate OUs to determine what profile is applied to the client.
I'm looking for a solution to enable machines to be located in a single OU & still have the ability to apply different profiles to machines.
    The only way I can think of doing this is using machine certificates in Active Directory & configuring different extended key attributes.
    Any advice/suggestions or information on the best way of doing this would be greatly appreciated

    Resolved my own issue today. The error does nothing to describe the actual cause. The user's private key was corrupted (uncertain as to how). The certificate GUI in Windows showed it was okay, but running "certutil -store -user my" showed the error "Missing stored keyset" on the certificate in question.
    The resolution was to delete the certificate and enroll for a new one, with a new key pair.

  • Can I make a Data Guard configuration using EM console without Grid Control

    Can I make a Data Guard configuration using EM console without Grid Console?
    Can I download Grid Console software from Oracle website without cost?

    Assuming this is for 10g,
    You could use Oracle® Data Guard Broker
Even if you can download the Grid Control software for free from the Oracle site, you can't legally use it without a license.

  • Configuring use of client certificates for jax web services

    Hello dear people,
    I have a very simple jax web service under glassfish v.2.1 and I want to secure it using mutual authentication. I could configure using server certificates but I have problems with configuring the server to ask client certificates. The problem is that the clients are not asked to provide a valid client certificate to use the service. The clients can easily use the service without having a certificate.
    Can anyone tell me what should I do to have this?
    I got the example code from http://java.net/projects/javaeetutorial/downloads and the sample code that I used is in the folder : javaeetutorial5/examples/jaxws/helloservice-clientcert
    Best regards,
    Arash.

    Did you resolve your issue?
I'm posting some comments that maybe can help newer administrators facing similar doubts.
I'm using NW PI 7.1 EHP1 also and some interfaces were developed for using an external site providing web services through an SSL (HTTPS) connection.
As in browser navigation, secure sites protected with SSL have a certificate emitted by an international CA. We don't perceive the "handshake" in most cases because normally the web browser has a group of trusted CAs loaded in its certificate store.
With SAP PI and its WAS Java a similar procedure occurs with a small difference. The WAS Java doesn't have the trusted CAs loaded in the Key Storage. So, when the adapter tries to establish a connection with an HTTPS site (it is a background process) a "handshake" is required to accept the certificate and this produces an error.
We completed the handshake by importing the entire certificate chain (you can load the site's certificate in your browser and export it as a file) into the Keystore under the Trusted CAs view.
Hope this can help someone. It's an "easy" part of SSL communication.
Now I'm trying to configure the inverse: some third party consuming the PI web services using SSL. I have an additional component on inbound/incoming connections, which is the SAP Web Dispatcher.
Help.sap.com is the reference but as always it's a little difficult to find the (sequential) path following the links (go ahead, go ahead, go ahead, go back, go back, go ahead)...
    Regards,
    Rodrigo Aoki

  • Manage MSMQ is missing from Failover Cluster Manager when configured using powershell

    Hi,
I am hoping someone would be able to help me as I have looked on the internet for an answer to this. We deploy a number of servers that are configured using PowerShell. I am in the process of creating a clustered WIN2K8R2 cluster with MSMQ. I am able to do this successfully through the Failover Manager with no issues.  In addition, I can do this via PowerShell (code listed below) with one caveat.
However, when I create the same exact MSMQ in PowerShell, I am unable to right click on the MSMQ service to manage it as the "Manage MSMQ" is missing when I right click on it. The settings are the same, including dependencies. The only difference I have been able to find is the icon in the Failover Manager shows the Service as a Generic Service icon when created in PowerShell, but when it is created in the GUI it shows up as the MSMQ icon. I was able to verify this in the registry in HKLM\Cluster\Groups\<GUID>\:
GroupType HEX: 68 for the MSMQ icon. When it is the Generic Service icon it is HEX: 270f. When I change it from 270f to 68, the icon changes in Failover Manager and I am able to open it, but then I get an invalid handle and I am unable to manage it.
This is causing an issue, because I want to automate this build and hand it over, but they would be unable to manage it except by programming, which the operators are not ready for.
Here is the code which I have created in PowerShell:
    Write-Host "Configuring MS MSMQ Cluster Failover..."
    # Replace "Cluster Name" with the name of your cluster; Get-Cluster returns
    # the cluster object whose .Name is used below
    $CluName = Get-Cluster -Name "Cluster Name"
    $ClsMSMQName = $CluName.Name + "MSMQ"
    $ClsMSMQResourceName = "MSMQ-" + $ClsMSMQName
    $Response = Read-Host "Enter the IP Address of the Clustered MSMQ"
    $ClsIpRes = Get-ClusterResource "Cluster IP Address"
    $MSMQIpAddr = New-Object Microsoft.FailoverClusters.PowerShell.ClusterParameter $ClsIpRes,Address,$Response
    Add-ClusterServerRole -Name $ClsMSMQName -Storage "Cluster Disk" -StaticAddress $MSMQIpAddr.Value
    # Add the MSMQ Service to the new Server Role
    Get-ClusterGroup $ClsMSMQName | Add-ClusterResource -Name $ClsMSMQResourceName -ResourceType "MSMQ"
    # Create Dependencies for the MSMQ group
    Add-ClusterResourceDependency $ClsMSMQResourceName $ClsMSMQName
    Add-ClusterResourceDependency $ClsMSMQResourceName "Cluster Disk"
    # Start MSMQ group
    Start-ClusterGroup $ClsMSMQName
You would just have to change "Cluster Disk" and "Cluster Name".

  • Configuring using AAE

    I have been going through the following document.
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/700058f0-b1a1-2a10-39a8-ab2627b87cfa?quicklink=index&overridelayout=true
1. I have a JMS to Proxy scenario, async. How do I configure this scenario using Integrated Configuration in 7.11 using AAE to improve the performance of this scenario?
I know it is not supported by Proxies?
Please let me know the steps required for the same.
2. I have a File to Proxy scenario, async. Can I configure the same using an integrated configuration scenario?
    Thanks
    ~N

    Hi
    Please check the following links for AAE with proxy
    ABAP Proxy sender possible in integrated configuration AAE with PI 7.11
    /people/makoto.sugishita/blog/2009/10/23/a-new-feature-in-netweaver-pimessage-protocol-xi-30-in-soap-adapter
    Regards
    Abhijit

  • Error on Send Port configured using HTTP adapter

    Hi All,
For load balancing purposes we have created a new host and host instance and changed the send handler for a send port configured using the plain HTTP adapter.
    We are getting below error after change:
    A password is mandatory if UserName is specified
    Parameter name: Password
    Please advice.
    Thanks
    Pooja Jagtap Software Engineer KPIT Cummins

Have you updated the password for your host instance? Try restarting your host instance once.
    Thanks
    Abhishek

  • System configuration using java

    Hi friends
Can I get the system configuration using Java code?
If yes, please suggest how.
    thanks in advance.. Anjana

some bits and pieces are available, see the details in System.getProperties():
    import java.util.Enumeration;
    import java.util.Properties;

    public class SysProps {
        public static void main( String[] args ) {
            Properties sysProps = System.getProperties();
            Enumeration<Object> en = sysProps.keys();
            while ( en.hasMoreElements() ) {
                // print the key=value pairs
                String key   = ( String ) en.nextElement();
                String value = sysProps.getProperty( key );
                System.out.println( key + " : " + value );
            }
        }
    }
just an idea??

YES, and also you can do
    System.getenv();
but they also don't give all the info the OP was/is looking for.

  • How to find the configuration use the Z message class.

Usually when I do some configuration, it may need to create some message, such as for a Validation.
It raises a message when I run some standard t-code. So when I check some Z message class to find what program uses this message, I cannot find anything. So I assume there might be two situations:
1. We cannot trace it down when the program is not written this way:    MESSAGE E003(ZFI).
2. This message might be used in some configuration, not in a program.
So how do we find the configuration that uses this message? Or is there any way to trace all messages?
    Thank you so much for your sincere answer.

    Hi,
    Case 1:  Message is defined correctly with message number & message class.
         Example - Message E003(ZFI).
      Easy to locate the message using whereused list.
    Case 2 :
    There are some FM's like BALW_BAPIRETURN_GET where we pass the message details.
    For example : 
    call function 'BALW_BAPIRETURN_GET'
            exporting
                 type       = p_message-msgty
                 cl         = p_message-msgid
                 number     = p_message-msgno
                 par1       = p_message-msgv1
                 par2       = p_message-msgv2
                 par3       = p_message-msgv3
                 par4       = p_message-msgv4
    *          LOG_NO     = ' '
    *          LOG_MSG_NO = ' '
            importing
                 bapireturn = p_return
            exceptions
                 others     = 1.
In this case, we won't be able to track the message number from the where-used list.  So, what we do is before calling these FMs we use the below statement,
      IF 1 = 2. message e003(zfi). ENDIF. 
        so that message can be tracked using where used list.
    Case 3: Some messages can be configured in message control.( Table T100S ) . For those
      messages we search for table T100S in the program.
    Regards,
    DPM

  • Is it possible to delete message in the server using Mail configured using IMAP?

    Is it possible to delete message in the server using Mail configured using IMAP?
Currently when I delete the message in Mail, the server still keeps a copy of it, which means it is not deleted on the server. I know that POP can do this but I still want the option of being able to access it from other computers.
    My server has only a small size, so I hope that I can just delete it from my Mail instead of having to log in to the server and delete it again.
    Thank you.

    yxchng wrote:
    Is it possible to delete message in the server using Mail configured using IMAP?
    Yes, but doing so will remove it from everything else.

  • How to install/Configure/Use VT Hash Check to detect Malware/Unwanted programs in Windows?

    This just to share the below post with windows users.. 
    How to install/Configure/Use VT to detect Malware/Unwanted programs in Windows?
    http://www.windowstechinfo.com/2014/03/how-to-installconfigureuse-vt-to-detect_29.html
    Hetti Arachchige V Aravinda | Network & System Administrator (B.Sc, Microsoft Small Business Specialist, MCP, MCTS, MCSA, MCSE,MCITP, CCNA, CEH, MBCS)

    That is interesting. Normally a bootmgr error message means that the boot loader is corrupt and hard disk not "dead".. Replacing the hard drive is a quickie shotgun method of resolving the issue.
    Did you give up on the SSD?
    The  desktop ( w/ASUS Crossfire V Formula-Z  mobo) I am using to type this, has the same SSD that you asked about. I used the method I described in the earlier post to clone the OS to the SSD. The SSD is the boot drive.
    ****Please click on Accept As Solution if a suggestion solves your problem. It helps others facing the same problem to find a solution easily****
    2015 Microsoft MVP - Windows Experience Consumer

  • Launch Configuration using CIO object

    Hi,
I am trying to launch Configuration using the CIO object.
Please find the code below that I am using.
    ===========START CODE==================
    Context context = new CZWebAppsContext("hostName","portNumber","dbcFileName");
    System.out.println("------------- Context object created ----------");
    ConfigParameters cp = new ConfigParameters(79160);
    System.out.println("------------- ConfigParameters object created ----------");
    CIO cioObject = new CIO();
    System.out.println("------------- CIO object created ----------");
    Configuration config = cioObject.startConfiguration(cp,context);
    System.out.println("------------- Configuration object created ----------");
    IUserInterface ui = config.getUserInterface();
    System.out.println("------------- UI object created ----------");
    ui.navigateToScreen("Page-1");
    System.out.println("------------- Page navigation ----------");
    =============END CODE==================
I am getting the following error after the CIO object is created, while trying to start the configuration, at cioObject.startConfiguration(cp,context). The hostName, portNumber and dbcFileName are correctly provided.
    ============START LOG ====================
    ------------- Context object created ----------
    ------------- ConfigParameters object created ----------
    ------------- CIO object created ----------
    java.lang.RuntimeException: Null JDBC Connection returned from connection pool.
    Contents of CZWebAppsContext error stack: AOLJ_JAVA_EXCEPTION (MESSAGE=Not able to create new database connection. Cause:java.sql.SQLException: Io exception: The Network Adapter could not establish the connection)
    SECURITY-No gateway reconnect
    SYSTEM-ERROR (MESSAGE=Io exception: The Network Adapter could not establish the connection)
         at oracle.apps.cz.common.CZWebAppsContext.getJDBCConnection(CZWebAppsContext.java:116)
         at oracle.apps.cz.dio.DbTransaction.<init>(DbTransaction.java:61)
    ==============END LOG=======================
Please help me find the solution.
    Regards,
    Adarsh

    Adarsh,
    Looks like the parameters passed in the constructor call are not valid ones and hence the database connection is not getting done.
    Context context = new CZWebAppsContext("hostName","portNumber","dbcFileName");
    Check the above call carefully and its parameters. I guess the dbcFileName might be the reason as other 2 entries are pretty easy to know.
--Shiv

  • Automate cf mx 7 server configuration using scripts?

    Hi all,
    just wondering is it possible to change a ColdFusion MX 7
    server configuration using scripts? For example,could I change the
    password for a data source without having to go into the console
    and change it manually?
    Cheers.

  • [SOLVED] UEFI boot configuration using efibootmgr

    Hello All,
    I've been having a very frustrating time with efibootmgr on my HP Laptop.
    I've been searching around for some information regarding the OS Bootmanager in UEFI boot and cannot find anything that works for me.
    I'm trying to get efibootmgr to load the boot entries in the order that I specify, but, although it lists exactly what I want in the terminal, when it comes to a reboot, the OS Bootmanager is failing and writing new entries every boot and I cannot fathom why.
Please could someone point me in the direction of a good guide to UEFI boot/OS Bootmanager and its configuration using efibootmgr?  I have read the info found in the Archwiki, but was hoping for something focussing on efibootmgr alone as a configuration tool.
    Many thanks for your help,
    Frazer
    Last edited by frazer (2014-03-10 22:21:14)

    It's likely that the firmware (or maybe Windows, if you're booting into Windows between boots and haven't mentioned that fact) is changing the boot order. Unfortunately, some EFIs do that, or worse.
    I recommend you start by upgrading your firmware. (In some cases, this will wipe out all your boot entries, so be prepared.) If the problem continues, either file a bug report with the manufacturer or return the hardware for a refund and buy something else. The manufacturers have had a long enough time to work out such major problems with their firmware, and returning defective hardware is really the only thing we as consumers can do that will get the manufacturers' attention.
    If you must keep the hardware and a firmware update doesn't help, you may just need to find a workaround. If you need advice on doing that, you'll need to provide more details about what your setup is -- in particular, what you want the boot manager's boot list to look like (as in "efibootmgr -v" output once it's configured) and how the firmware is reshaping that when you reboot.
