ASA - What is allowing return HTTP traffic?

Similar Messages

• ASA 5510 not allowing some https traffic

  I have 2 ASA 5510's in a failover bundle.  I have a weird issue right now, where a site (https) is apparently getting blocked behind the firewall.  If I browse to the site, it just spins, then says the page could not be displayed.  I can ping the IP address, and I can browse to the http version of the page, but I cannot browse to the https site.  If I plug into the DMZ on the outside of the firewall, I can see the page no problem. There is something in the ASA that is blocking it.  We certainly allow 443 out, and use https heavily, all the time.  It's just this one site, which is weird, because I know ASA's don't do deep packet inspection.  Can anyone think of what would be causing this?

  Well, we figured this out.  It actually wasn't the firewall.  It was DNS resolution.  This particular site's DNS was all messed up.  When I was on the DMZ, I changed to another DNS server, which hadn't updated yet.  External DNS tests were all returning either no records or just the generic Network Solutions IP, which would give you a landing page.  We used the hosts file to get around it until they fixed their DNS pointers. 

• MPF ASA for Web Filtering. Https traffic

  SOURCE: https://supportforums.cisco.com/docs/DOC-1268#Allow_specific_urls
  Hi all,
  I have the following configuration in my ASA  based on guidelines from the above source to allow only certain sites in my home and block all requests to http and https sites. However,requests to HTTP sites are being blocked but not to HTTPS. Only one host in the network can access all sites
  access-list WEBFILTER extended deny tcp host 192.168.254.115 any eq www
  access-list WEBFILTER extended deny tcp host 192.168.254.115 any eq https
  access-list WEBFILTER extended permit tcp any any eq www
  access-list WEBFILTER extended permit tcp any any eq https
  regex allowex1 “website1\.com”
  regex allowex2 “website2\.com”
  class-map type inspect http match-all allow-url-class
  match not request header host regex allowex1
  match not request header host regex allowex2
  class-map allow-user-class
  match access-list WEBFILTER
  policy-map type inspect http allow-url-policy
  parameters
  class allow-url-class
    drop-connection
  policy-map allow-user-url-policy
  class allow-user-class
    inspect http allow-url-policy
  service-policy allow-user-url-policy interface inside
  HOW can the HTTPS traffic be also blocked in the above configuration? What am I missing?
  Thanks in advance for your help
  Juan

  Is it even possible for for MPF ASA to inspect and filter HTTPS traffic? I do not even see it in the options:
  (config)# class-map type inspect ?
  configure mode commands/options:
    dns   Configure a class-map of type DNS
    ftp   Configure a class-map of type FTP
    h323  Configure a class-map of type H323
    http  Configure a class-map of type HTTP
    im    Configure a class-map of type IM
    sip   Configure a class-map of type SIP

• Allow only http traffic on iphone

  creating a mobileconfig file to allow our company iphones access our apn but we only want http only traffic to use this. anyone know the playload to use in the xml?

  Do you know of any ways of manually editing the mobileconfig file to configure HTTP only proxies

• ASA MPF on HTTP traffic

  Hi, Im student who studying MPF atm, and I just wodnering about the parameters(request args regex, request body length etc..) that http provides, I was looking up and went through some resources and information on cisco website, but it was diffcult to understand all of theses parametes,
  how does ASA matches up with http traffic ?? is this parameters are located in HTML ??? (body java activ-x) , where does it located, ??
  thanks in advance, !!!

  Hello Terry,
  First thing to understand when we are talking about inspection on layer 5 to 7 ( In this case http) is that in order to work the client got to be on one ASA'Sinterface and the server needs to be on another one, this to allow the ASA to investigate the http session.
  Now you are asking about how the ASA is going to match that traffic, well with the policy map type inspect we will decide what to match (the http request, response,etc) , we can use different things in order to do it, just as an example we can create a regular expressions that matches www.cisco.com (\.cisco\.com)  and then let the ASA know that matches the header of the http packet using that particular rule and then we will be able  to  block cisco.com as an example.
  You can also match the URI, etc etc and then apply the rigth http inspection paramater.
  Please rate helpful posts.
  Regards,
  Julio

• Cisco ASA CSC HTTPS Traffic Filtering

  Hello,
  I am interesting how https filtering is working on ASA CSC module. When https filtering is enabled, should I import any certificate in csc which is trusted by users ? And what procedures should I complite to enable https filtering ?

  Hello,
  Here is the configuration guide for https filtering. I hope it helps:
  http://www.cisco.com/en/US/docs/security/csc/csc66/administration/guide/csc4.html#wp1098125
  Regards,
  Felipe.

• WSA blocking HTTPS traffic -allowing HTTP

  We have two S170 WSA appliances configured as Guest Wi-Fi Internet proxy servers.  The local network design is as follows:
  WLC5508 (Foreign)     >>     WLC5508 (Anchor)     >>     ACE20 Context     >>     WSA 170     >>     FWSM     >>     Internet
  Guest traffic is authenticated via WCS using RADIUS but is disabled for now.
  Clients associate to SSID, receive IP address via local DHCP scope on anchor WLC and forward all traffic to DFWG which is ACE20 interface.
  ACE20 has specific class-maps for public DNS use and loadbalance policy-map which forwards all other traffic (excluding DNS) to WSA.
  HTTP traffic works fine, HTTPS traffic fails.  The HTTPS proxy service uses a local self-signed certificate for initial decryption of the session. The browser and WSA negotiates to use TLSv1 then the error below is shown.
  Fails
  57666018.658 32 192.168.244.1 NONE_SSL/200 0 TCP_CONNECT 10.153.9.6:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 0 cs-auth-group= - c-port= 54930 cs-bytes= 0 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= - cs-referer= - cs-cookie= -
  1357666018.760 32 192.168.244.1 NONE_SSL/200 0 TCP_CONNECT 10.153.9.6:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 0 cs-auth-group= - c-port= 54931 cs-bytes= 0 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= - cs-referer= - cs-cookie= -
  1357666018.799 0 192.168.244.1 TCP_DENIED_SSL/403 0 GET https://post.packetconsulting.com:443/owa - NONE/- - BLOCK_ADMIN-HTTPS-NonLocalDestination-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 1 cs-auth-group= - c-port= 54931 cs-bytes= 598 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.4; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; InfoPath.2; Tablet PC 2.0; MS-RTC LM 8)" cs-referer= - cs-cookie= -
  I have seen this error posted before but no resolution.  I'm sure this is a config problem, but cannot figure why or where!
  Any ideas, thoughts or help would be great...
  Cheers

  Hi axa,
  This is an access policy blocking the SSL traffic based on the TCP_DENIED_SSL / 403. Also I would suspect that you do not have HTTPS proxy enabled which would be required since your not using port 80 for 443 traffic. I would recommend opening a ticket with the WSA Content Security Team.
  Sincerely,
  Erik Kaiser
  WSA CSE
  WSA Cisco Forums Moderator
  Message was edited by: Erik Kaiser

• ASA 5505 NAT rules blocking inside traffic

  Previous attempts to set up these NAT rules has been met with minimal success. We have been able to get the NAT rules created, and able to ping our inside servers and receivers from a  different outside network, but every time we get that far our internal network crashes.  Running the Packet Trace utility via the ASDM shows that internal traffic from the servers to  the workstations is being blocked by the default implicit rule under the access rule heading  that states "any to any, service being ip, action= deny". Reverse traffic from the workstations to  the servers is being allowed though. In an effort to start over again, the Cisco ASA has been  Factory Defaulted via the CLI, and has had it's Inside network, and Outside IP address set back up. DHCP pool has been setup for a minimal amount of addresses on the   inside network, since  most of our equipment will always be assigned statics. We reset our static NAT policies, and  seem to be having the same problem. My partner and I have been working on this for some time now, and have ourselves so frustrated that I know we are missing something simple. Any help will be greatly appreciated.
  Embarq :          Network                                      xxx.xxx.180.104
  Gateway:                                                             xxx.xxx.180.105
  Subnet Mask:                                                     255.255.255.248
  Our Static IP's:                                                    xxx.xxx.180.106 to xxx.xxx.180.110
  Cisco Pix for VPN tunnels :                              xxx.xxx.180.107  outside IP
      used for DataBase Servers :                        100.1.0.2  Inside IP/ Gateway 2
  Cisco ASA 5505:                                               xxx.xxx.180.106  outside IP
      all other traffic :                                              100.1.0.1  Inside IP/ Gateway 1
  Inside Network:                                                 100.1.0.0/24
  Application Server:                                          100.1.0.115 uses Gateway 1
  BackUp AppSrvr:                                             100.1.0.116 uses Gateway 1
  DataBase Server:                                            100.1.0.113 uses Gateway 2
  BackUp DBSrvr:                                               100.1.0.114 uses Gateway 2
  Cobox/Receiver:                                               100.1.0.140
  BackUp Cobox:                                                 100.1.0.150
  Workstation 1:                                                   100.1.0.112
  Workstation 2:                                                   100.1.0.111
  Network Speaker1,2,3,4:                                 100.1.0.125 to 100.1.0.128
  Future Workstations:                                        100.1.0.0/24
  1.           Embarq Gateway feeds both Cisco Pix, and Cisco ASA. Both Ciscos feed a Dell Switch.
  2.           All inside network devices at 100.1.0.0/24 are networked into the Dell Switch.
  3.           All Workstations/Network Speakers need to be able to communicate with all four servers, and   the Cobox/Receiver.
  4.          The DataBase Servers have VPN tunnels created in the Pix for clients to be able to login  securely and edit their account info.
  5.          The App Server (100.1.0.115), and BackUp App Srvr (100.1.0.116) need to have a NAT rule  created NAT'ing them to xxx.xxx.180.109.
        A.          The xxx.xxx.180.109 NAT rule needs to allow ALL UPD traffic TO and FROM ANY outside    IP address.
        B.          The xxx.xxx.180.109 NAT rule needs to allow ICMP traffic FROM ANY Outside IP address.
  6.          The Cobox/Receiver (100.1.0.140) and BackUp Cobox (100.1.0.150) need to have a NAT rule created NAT'ing them to xxx.xxx.180.108
        A.          The xxx.xxx.180.108 NAT rule needs to allow UDP traffic FROM ANY Outside IP address source port 6000 or 9000 to destination port 9000
        B.           The xxx.xxx.180.108 NAT rule needs to allow ICMP traffic FROM ANY Outside IP address.
  7.          Right now the Cisco PIX is functioning and working perfectly for our VPN tunnels.
  8.         
  : Saved
  ASA Version 8.2(5)
  hostname ciscoasa
  enable password 8Ry2YjIyt7RRXU24 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 100.1.0.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address xxx.xxx.180.106 255.255.255.248
  ftp mode passive
  same-security-traffic permit intra-interface
  object-group protocol DM_INLINE_PROTOCOL_2
  protocol-object ip
  protocol-object icmp
  protocol-object udp
  protocol-object tcp
  object-group protocol DM_INLINE_PROTOCOL_1
  protocol-object ip
  protocol-object icmp
  protocol-object udp
  protocol-object tcp
  object-group protocol DM_INLINE_PROTOCOL_3
  protocol-object ip
  protocol-object icmp
  protocol-object udp
  protocol-object tcp
  object-group protocol DM_INLINE_PROTOCOL_4
  protocol-object icmp
  protocol-object udp
  object-group protocol DM_INLINE_PROTOCOL_5
  protocol-object icmp
  protocol-object udp
  access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any xxx.xxx.180.104 255.255.255.248
  access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 host xxx.xxx.180.108 any
  access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_5 host xxx.xxx.180.108 any
  access-list inside_access_allow extended permit object-group DM_INLINE_PROTOCOL_2 100.1.0.0 255.255.255.0 100.1.0.0 255.255.255.0
  access-list inside_access_allow extended permit object-group DM_INLINE_PROTOCOL_1 any any
  access-list inside_nat_static extended permit udp host 100.1.0.140 eq 9000 any
  access-list inside_nat_static_1 extended permit ip host 100.1.0.115 any
  access-list inside_nat0_outbound extended permit ip 100.1.0.0 255.255.255.0 100.1.0.0 255.255.255.0
  access-list outside_nat_static extended permit udp host xxx.xxx.180.108 eq 6000 host 100.1.0.140
  access-list outside_nat_static_1 extended permit ip host xxx.xxx.180.109 host 100.1.0.115
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any outside
  no asdm history enable
  arp timeout 14400
  nat-control
  global (inside) 1 100.1.0.3-100.1.0.254 netmask 255.0.0.0
  nat (inside) 0 access-list inside_nat0_outbound
  static (inside,outside) udp xxx.xxx.180.108 6000 access-list inside_nat_static
  static (outside,inside) udp 100.1.0.140 9000 access-list outside_nat_static
  static (inside,outside) xxx.xxx.180.109  access-list inside_nat_static_1
  static (outside,inside) 100.1.0.115  access-list outside_nat_static_1
  access-group outside_access_in in interface outside
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 100.1.0.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto ca trustpoint _SmartCallHome_ServerCA
  crl configure
  crypto ca certificate chain _SmartCallHome_ServerCA
  certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  dhcpd address 100.1.0.5-100.1.0.15 inside
  dhcpd dns 71.0.1.211 67.235.59.242 interface inside
  dhcpd auto_config outside interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  prompt hostname context
  call-home reporting anonymous
  Cryptochecksum:52e69fa95fcffd43ed9e73df320e3a55
  : end
  no asdm history enable

  OK. Thank you very much for your help. I am going to get with the powers that be to upgrade the "Base" license in this ASA.
  In the meantime I will Close and Rate this post for now so others can get this info also.
  If we have any further issues after the upgrade, then I will open a new post.
  Thanks again. We new it was something simple. Not sure how we overlooked that, but hey we're getting somewhere now.

• How to return "HTTP/1.0 401 Authorization Required" from OSB's Message Flow

  How can I return "HTTP/1.0 401 Authorization Required" header from OSB's Message Flow?
  Using of "HTTP Transport -> Authentification" is not possible, because I need flow condition. Transports Headers activity from design palette doesn't allow to send such headers.
  Practical usage: request for kerberos ticket by sending two headers: 401 and WWW-Authenticate: Negotiate...

  Can you briefly expand the use case for better understanding?
  HTTP Client---> Hand Shakes or what ever ----> HTTP Proxy (OSB )---> Pipeline----
  Philosophy behind pipeline is that it is designed to work on the request. Correct me if I'm wrong.
  What you are asking is ability to control the hand shake either in Pipeline or some way during proxy configuration. Unfortunately there is no configuration that is exposed for HTTP proxies in OSB to control that behavior.
  Manoj

• Kerberos encryption for HTTP traffic

  Hello
  I am writing client for WinRM service(Windows Vista). This service use SOAP protocol for communication.
  And I cannot make subscription for Windows events using Push method.
  The issue is when I try to make events subscription - Vista tries to test connection with my server, but I don't know what should I send back for test connection request to Vista WinRM... :(
  I didn't find it in MSDN.
  Subscription request is:
  <?xml version="1.0" encoding="UTF-8"?>
  <env:Envelope xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:e="http://schemas.xmlsoap.org/ws/2004/08/eventing" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:ew="http://www.example.com/warnings'" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:x="http://www.w3.org/2001/XMLSchema">
  <env:Header>
  <a:To s:mustUnderstand="true">HTTP://winrmcient:80/wsman/</a:To>
  <w:ResourceURI>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</w:ResourceURI>
  <a:Action s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/eventing/Subscribe</a:Action>
  <a:MessageID s:mustUnderstand="true">uuid:a4b86ede-32d0-4a28-91f5-bc8f36bfca22</a:MessageID>
  <a:ReplyTo>
  <a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
  </a:ReplyTo>
  <w:MaxEnvelopeSize>262144</w:MaxEnvelopeSize>
  <w:Locale xml:lang="en-US"/>
  <w:OperationTimeout>PT5M0.000S</w:OperationTimeout>
  <w:OptionSet>
  <w:Option Name="ReadExistingEvents" mustComply="false"/>
  <w:Option Name="ContentFormat">RenderedText</w:Option>
  </w:OptionSet>
  </env:Header>
  <env:Body>
  <e:Subscribe>
  <e:Delivery e:Mode="http://schemas.xmlsoap.org/ws/2004/08/eventing/DeliveryModes/Push">
  <e:NotifyTo>
  <a:Address>http://Antares:443</a:Address>
  </e:NotifyTo>
  </e:Delivery>
  <e:Expires>PT12H0M0.000S</e:Expires>
  <w:Filter>
  <QueryList>
  <Query Path="Security">
  <Select>*</Select>
  </Query>
  <Query Path="System">
  <Select>*</Select>
  </Query>
  <Query Path="Application">
  <Select>*</Select>
  </Query>
  </QueryList>
  </w:Filter>
  <w:SendBookmarks/>
  </e:Subscribe>
  </env:Body>
  </env:Envelope>
  WinRM connection test request is request with empty content length and with header:
  Host=[Antares:443], Content-type=[application/soap+xml;charset=UTF-16], Content-length=[0], Connection=[Keep-Alive], Authorization=[Kerberos YIIE4wYJKoZIhvcSAQICAQBuggTSMIIEzqADAgEFoQMCAQ6iBwMFACAAAACjggOLYYIDhzCCA4OgAwIBBaEKGwhCUS5MT0NBTKIaMBigAwIBAqERMA8bBEhUVFAbB0FudGFyZXOjggNSMIIDTqADAgEXoQMCAQ2iggNABIIDPHstoHWBhepDeU/h3o6Uuzjtgxo5SlVRVaa9JjAUcEDb4k+DKQrtwia/GtvDsmoZ4VgE8gGpJmcuZHNUEBHwEmn48RAAuo/f3o/D7hBJ3XygexN8yPZFYtElT1CvtoVOuvox83xOr9TdUn+Dd12/AupkAIxwbdHNhftcOCajJOv3NnFGoeF5+NA54VguaW1XGZxoC1mviITkfeDW0rZnKQ3aJxRDG0kKfHvWYdIlifRydQkTY/XMGHBFvd8kA8Q3M6WYVmuCKLjjJwvHjfZ56GWUpax7MlYmOGs7ncHLptCyxiV7RTiP0c00MViangq4CoioLyPwdysG7V8oyMGcc32WpsWCbXJNm5N8ijy7JxRd4W2zfzL6rpkGFQ2F0AfsH/b+Dz45sYXKyEgJajA5TK/cPiECTIMbXnkehz2yC5mjY4XalhXf4U1j/D5E2ApbG0ITUrp10a6C/dy5yEtc4CNtVHDQ30BrdZS+vxO2PwwIKZovvvlzIyddgOqyKaKhs9i3eMfF61IjhUpquK4zZYYZEqpQtkgSaDz8rurD4M5Z1CzzlID5nlVg9YsA9JhPejsdU9Rmt51OjCu8rBvd+Kb7AMkujDogOli4NVNKssdLOJl7m3ulMQTs5AFT1O7YOW4SQsos1g2UEW+JzE+sj1IGdia8xmjxuZOsWks4QgX9O0PL3LNVE/iGgR2dOQhRzhuwEJEUfHpy1BIqZzbG48KkkNxFZLgeM+ztnrssw/zaD1vTs4+EF7KPVp1ldBwPId2P6PIyd4nyX+1tJt2SYHKyk0mdxkCw8pTAfrNxJGj9Ku573YcPfFdGhTtTTzo1CJPwSQFoNlEhh7wriaED/fseIEPPLASR+wIzGVPNBb5mTCd/vCPrwsShZl0wmtwUiDgNAu2732GVb7MDSKIc/hOjZAdFqoh3KzvWUSIsdrl1Mezcjb6VSuM87f4pWaR7f0RMexNB6ZEL0RzncbMXyhmUcqNaVyCWCgWN/ovKmWt53FkBQZkZIxLZUVyi6As3bhsfVxrw6dU4oKpHesDKldHFOz1fuEv8UKu6s7DaAd1VXiLmU4uzUSfiYH0iQCYkvf1sVqKBVyrFXHHQTKSCASgwggEkoAMCAReiggEbBIIBF2DcdvxWBV/D29hIBpQ8sJk8XF+q9tVNBHm3bFXtetxKwk1UxO64r7U5YQ4kqgvAyKTq/aL9V/QrO5x1M0mbqjKrfo/ehKGy5GGUZeQ0TYhkkmdNq8Mxo2CR5IIWqzEIaB00qSkombg/3IvniUoKbHfvoGMdr63DqRr8AbmXzHK+9kfyYMkkSMn72spoPBYadYAJZ02VUJp5fdNIqsMTREfEf3qfJNdvzaCRN/BcHVJ0C/5TChf8gFMThZzHShr2j1OdWBEZ/uLsMl2INqW0/AcCfLopSTcwgip/E63Zz/mKFCq2VIPp1++KvWPUKPalzdK9Pg/AwzXM6/+SBXdWfkUJGUW9x2nHFuZ6IeoAlhS2hvNLcjJ2ww==], User-agent=[Microsoft WinRM Client]
  I tried to send empty response(with the same test request header) for test request but it doesn't take any effect.
  WinRM subscription response is:
  <?xml version="1.0" encoding="UTF-8"?>
  <s:Envelope xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:e="http://schemas.xmlsoap.org/ws/2004/08/eventing" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xml:lang="en-US">
  <s:Header>
  <a:Action>http://schemas.xmlsoap.org/ws/2004/08/eventing/fault</a:Action>
  <a:MessageID>uuid:B83898C7-9F93-4E7A-8C8C-B72C7D189908</a:MessageID>
  <a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To>
  <a:RelatesTo>uuid:a4b86ede-32d0-4a28-91f5-bc8f36bfca22</a:RelatesTo>
  </s:Header>
  <s:Body>
  <s:Fault>
  <env:Code xmlns:env="http://www.w3.org/2003/05/soap-envelope">
  <s:Value>s:Sender</s:Value>
  <s:Subcode>
  <s:Value>e:EventSourceUnableToProcess</s:Value>
  </s:Subcode>
  </env:Code>
  <env:Reason xmlns:env="http://www.w3.org/2003/05/soap-envelope">
  <s:Text xml:lang="en-US">The connectivity test from the push subscription source to the client failed. This can happen if the client machine initiating the push subscription is unreachable from the server machine where the event source is located. Possible reasons include firewall or some other network boundary. Modify subscription to use Pull based subscription. </s:Text>
  </env:Reason>
  <s:Detail>
  <w:FaultDetail>http://schemas.dmtf.org/wbem/wsman/1/wsman/faultDetail/UnusableAddress</w:FaultDetail>
  <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150858901" Machine="">
  <f:Message>The connectivity test from the push subscription source to the client failed. This can happen if the client machine initiating the push subscription is unreachable from the server machine where the event source is located. Possible reasons include firewall or some other network boundary. Modify subscription to use Pull based subscription. </f:Message>
  </f:WSManFault>
  </s:Detail>
  </s:Fault>
  </s:Body>
  </s:Envelope>
  In WinRM documentation I see:
  +Note: HTTP traffic by default only allows messages encrypted with
  the Negotiate or Kerberos SSP.+
  But I use simple java HttpConnection and there are no any references to Kerberos in JavaDoc for this class... :(
  One more - I use BASIC authentication.
  Does anybody know what should I send back for connection test request.

  Sorry, I forgot to set "java.security.krb5.conf" and "java.security.auth.login.config" properties.
  But after I set these properties I've got another exception:
  GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
       at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:87)
       at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:111)
       at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178)
       at sun.security.jgss.spnego.SpNegoMechFactory.getCredentialElement(SpNegoMechFactory.java:109)
       at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178)
       at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:384)
       at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:42)
       at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:139)
       at com.symantec.cas.ucf.sensors.ws_management.WSServer.start(WSServer.java:132)
  Caused by: javax.security.auth.login.LoginException: No LoginModules configured for
       at javax.security.auth.login.LoginContext.init(LoginContext.java:256)
       at javax.security.auth.login.LoginContext.<init>(LoginContext.java:499)
       at sun.security.jgss.GSSUtil.login(GSSUtil.java:244)
       at sun.security.jgss.krb5.Krb5Util.getKeys(Krb5Util.java:185)
       at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:82)
       at java.security.AccessController.doPrivileged(Native Method)
       at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:79)
       ... 28 more
  But it seems to me that I've set login module correctly:
  com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=false useTicketCache=false;
  May be I missed something...
  What do yo think about it ?

• Transparent wsa and https traffic

  folks
  i've deploying a S300V in transparent mode and using wccp
  i have a single policy allowing http and https
  http works fine but https doesn't
  i can see both sets of requests go out through my outer firewalls but the https handshake doesn't get past the client hello
  the VM is being used on a guest wifi network so clients won't be authenticated, won't have a common root certificate and i don't want to decrypt traffic
  tac are telling me i need to enable the https proxy but i can't as clients won't have the root certificate required
  do i need to use https proxy?
  thanks to anyone taking the time to reply

  Ken,
  If I dont to decrypt HTTPS but still want the traffic to be inspected for URL and web reputation, do I need to upload a root certificate still? I would have assume not as I do not want to decrypt HTTPS but the GUI doesn't allow me to enal HTTPS Proxy without uploading a certificate; basically I cannot "Enable HTTPS Proxy" and submit without a cert.
  Basically what I just want to do is just pass through the HTTPS traffic to be check against the Access policies that the HTTP is being checked against.
  Is this viable? If so can you let me know how I can achieve the above?
  Thanks

• Windows Azure Pack - Server returned HTTP response code: 500 error while accessing the public tenant API

  Hi,
  We are facing the following error while trying to access the given Windows Azure Pack Public tenant API to query the virtual machines list along with network adaper details - 
  java.io.IOException: Server returned HTTP response code: 500 for URL: https://<hostname>:30006/<subscription-id>/services/systemcenter/vmm/VirtualMachines?$expand=VirtualNetworkAdapters&$top=10000&$skip=0
  The response is proper when we access the following URL - 
  https://<hostname>:30006/<subscription-id>/services/systemcenter/vmm/VirtualMachines
  Only on adding the $expand=VirtualNetworkAdapters, url parameter we are getting the above error.
  Where can we check for the error logs on the Azure Pack server ? We checked for the logs using Windows Event Viewer but did not find any for the public tenant API.
  What should be the cause for such an error and how can we fix this to get the proper data?
  Thanks in advance.

  Yes, we tried this, $top=10&$skip=0 works for the following url
  https://<hostname>:30006/<subscription-id>/services/systemcenter/vmm/VirtualMachines?$top=10&$skip=0
  It is only when we add $expand=VirtualNetworkAdapters,
  the server returns the mentioned error response - 
  URL for which the server returns the 500 error -
  https://<hostname>:30006/<subscription-id>/services/systemcenter/vmm/VirtualMachines?$expand=VirtualNetworkAdapters&$top=10&$skip=0
  Can
  you point to the error logs for Windows Azure Pack and SPF ?

• .and suddenly java.io.IOException: Server returned HTTP response code: 500

  I have this code for a long time and it always works:
       URL url = new URL("http://www.infoamistades.net/load.do");          
            URLConnection urlConnection = null;
            urlConnection = url.openConnection();
            urlConnection.setRequestProperty("Content-Type","text/html; charset=utf-8");
  urlConnection.setRequestProperty("Accept-Charset","utf-8");
  BufferedReader bin = new BufferedReader(new InputStreamReader(urlConnection.getInputStream(),"utf-8"));
  but....suddenly I always have the java.io.IOException: Server returned HTTP response code: 500 (?!?!?)
  using this URL works properly
  URL url = new URL("http://www.infoamistades.net/");     
  but now it doesn't works with URL url = new URL("http://www.infoamistades.net/load.do");     
  and putting thia addrees to the browser it works, of course..
  no changes at the server, not firewalls.. (?!?!)
  thanks,

  Hi,
  Actually I am also having exactly same problem that you mentioned, I am new to the world of servlets. I could not get what you mean by "put variable in the request" Please tell me exactly what to do to solve this problem.
  Someone please help.........

• Segmentation Error : Server returned HTTP response code: 500 for URL

  Hi,
  when we do customer segmentation in Applet Java Builder, we create a target group using 2 or more criterion, then it prompts us an error "Communication Error" - Server returned HTTP response code: 500 for URL: http//xxxxxxxxxxx/bc/bsp/sap/CRM_MKTTG_SEGAP/communication.do
  we're in CRM 7.0 SP 6.
  What we have done
  - activated the service CRM_MKTTG_SEGAP
  - implement sap note 1481289, 1359890, 1161753
  any info is really appreciated.
  Thanks
  JD

  HI ,
  Communication error occurs because of two active versions of segment builder jar files are appearing , deletion of older version resolves this issue .
  Go to SE80 u2013 Select the BSP Application - CRM_MKTTG_SEGAP and check segmentbuilder.jar Segment Builder Applet under MIME folder and check the size and delete the older version .
  Regards,
  Satish Bondu

• Server returned HTTP response code: 500.. i need help

  i have this applet that communicates with a servlet.. when the applet connects to the servlet, i get the Server returned HTTP response code: 500 error.. when i am testing in my own pc, everything is fine.. when i tried deploying it in a server, the error occurs.. i do not have any idea what is wrong.. please help

  sir, what do you mean by trace?
  here is what i got from the java console..
  java.io.IOException: Server returned HTTP response code: 500 for URL: http://mental_boi.s46.eatj.com/myServlet/loadMap?action=load&fileName=http://mental_boi.s46.eatj.com/CityNavigator/mapSpain.svg
       at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
       at edu.citynavigator.map.editor.MapEditor.loadMap(MapEditor.java:685)
       at edu.citynavigator.map.editor.MapEditor.init(MapEditor.java:130)
       at sun.applet.AppletPanel.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)
  java.lang.NullPointerException
       at java.io.StringReader.<init>(Unknown Source)
       at edu.citynavigator.map.editor.MapEditor.stringToSVG(MapEditor.java:703)
       at edu.citynavigator.map.editor.MapEditor.init(MapEditor.java:131)
       at sun.applet.AppletPanel.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)
  and does the applet have to be signed?
  Message was edited by:
  hardcoder