Authentication through controller 4402 from remote branch office

Hi
We have a head office with a 4402 controller and a few 1130AG series access points. Client PCs access the wifi network after authentication through an http site (the service is working on the 4402 controller).
In another branch (connected to the head office through a WAN VPN) we have one 1130AG AP and we would like to use the same www authentication for clients. Is it possible? What is the best way to do this? Can we do this using different LAN IP addressing for the branch AP and clients?
thanks in advance
James

The ideal solution would be to use the 4402 web-auth page and then route Internet traffic locally, instead of through the VPN. Unfortunately I'm not aware of such a solution.
If you don't have the remote 1130 AP set to HREAP mode, all traffic will be tunneled back to the WLC and clients will be forced to use the web-auth on the 4402.
If you are using HREAP, traffic would get routed locally and not be forced to the 4402 page.
Depending on the remote users' traffic patterns and how secure you want authentication/encryption to be, it might be okay just to tunnel the traffic back. This is also dependent on a good WAN. If it goes down, there is no wireless access at the remote side.
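Added here as an illustration, not part of James's post or the reply: the controller-side commands behind the reply's HREAP point, in the 4400-series WLC CLI syntax of the h-reap era (later releases renamed the mode FlexConnect, so check the command reference of the release actually running). The AP name AP-BRANCH-1 and WLAN ID 1 are placeholders.

```text
config ap mode h-reap AP-BRANCH-1
config wlan disable 1
config wlan h-reap local-switching enable 1
config wlan enable 1
```

The first line takes the branch AP out of local mode (the AP reboots when its mode changes); the WLAN has to be disabled before its local-switching flag can be changed. Leave local switching off and the AP keeps tunnelling client traffic to the 4402 over the WAN VPN, which is the arrangement in which the reply says web-auth keeps working; turn it on and client traffic breaks out at the branch, which, per the reply, takes the 4402 web-auth page out of the path. That is the security versus WAN-dependency trade-off the reply describes.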

Similar Messages

  • ASA5505: I cannot reach an outside network from a branch office

    My customer has an HQ office and many branch offices. In the HQ there is an ASA5510 configured as the default gateway. From HQ the customer must access the Internet (everything works fine); from the inside LAN they should reach anywhere, including special services like the credit card service provider and others (it works fine). From branch offices they must reach inside LAN hosts (it works fine); from branch offices they must reach the DMZ (it works fine); from branch offices they should reach the CC service provider, and here's the point of this question: from almost all branch offices they reach the CCSP fine, but not from the branch offices where an ASA5505 is installed (the offices that reach the CCSP have an RV042 or a TP-Link ER6120 installed); offices with the ASA can just ping the LAN side of the CCSP's router.
    I think the ASA5505 config is an open-door configuration. Here's the 5505 configuration, and the network diagram is also attached. Can someone help please?

    Hi,
    Are the branch offices connected to the HQ through some ISP MPLS network, since I do not see any L2L VPN configurations on the ASA5505?
    I presume this is the case. Since you say that the connections between the Branch Office (with ASA5505) and the HQ LAN work fine, it should tell us that there should be no routing problems between those networks.
    The diagram possibly also suggests that all the Branch Office connections come to your HQ network through the same Router at the edge, so if other Branch Offices' connections to the CCSP work then there should be no routing problem between the Branch Offices and the CCSP (at least regarding your part of the network).
    Now, some questions.
    Does the ISR Router forward traffic destined to the CCSP directly to the Router at 192.168.2.249?
    Does the Router with the connection to the CCSP use the Internet to reach the CCSP, or is there some kind of dedicated connection between these networks?
    If the Router towards the CCSP uses the Internet, then does it lack some NAT configuration for the source network 192.168.27.0/24? Does it perhaps lack a route towards the network 192.168.27.0/24? Or are there any possible errors in the configurations (wrong gateway IP or network mask somewhere)?
    Are there any ACLs configured on the Router that has the connection to the CCSP that might block traffic?
    Does the CCSP have all the required routing information to pass traffic towards the network 192.168.27.0/24? (If we're talking about a dedicated connection and not traffic through the Internet.) Have they allowed traffic from the mentioned network 192.168.27.0/24 to their servers/network?
    Have you taken "packet-tracer" output from the ASA5505 to confirm that the ASA configurations allow the traffic and don't drop it for some reason?
    For example:
    packet-tracer input inside tcp 192.168.27.100 12345 193.168.1.100 80
    You can modify the IP addresses (source/destination) and the destination port and protocol used to match the connections that are actually attempted.
    Have you monitored the connections on the ASA when users attempt them? This should at least tell you why they are failing or give a hint. You could also configure a traffic capture on the ASA5505 if you wanted to make sure whether any traffic was coming from the CCSP towards this ASA (return traffic for the connection attempt).
    Hope this helps :)
    Let me know if I misunderstood the situation somehow.
    - Jouni

  • To make a new site or not? (for branch office with small number of people)

    We have a main office, with our DC (DC01) and a single site (SiteHO), and we are about to open up a new branch office in another city. This branch office is connected to the head office via a 5 Mbps MPLS network. The branch office will have around 5-7 domain-joined workstations, and the people there will require access to the existing file and Exchange servers in the head office.
    I was thinking about not adding an RODC in the branch office and not creating another site in AD for the branch office either. My thinking is that since the number of users is relatively low, it doesn't warrant having a new RODC and site. The traffic generated by the 5-7 users' logon activities will be minimal, and the local profiles are stored on the workstations (no roaming profiles), so there shouldn't be much WAN link impact. Obviously I would have to add the subnet from the branch office to the SiteHO site.
    Can anybody think of something wrong with my reasoning?

    I think the dedicated line has a little to do with AD, since it's used both to authenticate the users and to move the data.
    I am not sure what bandwidth you get from an internet provider in your location, but for example you might get a 100Mb internet connection from an ISP. A VPN tunnel over a 100Mb internet connection, I am guessing, is faster than a 5Mb guaranteed MPLS link.
    The advantage of MPLS is that you can have QoS policies for voice and video traffic.
    If users move 'very large files', perhaps a local file server might be a good option. DFS replication can save a lot of bandwidth in that case. And then you would have 'local resources' in the branch, and in case of WAN failure the users will not be able to access the local file server resource. So you would need a secondary DC in that location.
    And if they are moving the files, think about (and check) the impact on the MPLS, because authentication requests go through that link and Exchange traffic (RPC MAPI) goes through that link, so these might be affected. For example, let's say you have 2GB mailboxes. All Outlook users use OST files. One user's profile gets corrupted and needs to be rebuilt. The Outlook client sets up a fresh OST copy of the mailbox, so now it's downloading a 2GB mailbox copy over a 5Mb MPLS while some other user is moving a 'large file'.
    By local resources I am referring to file servers, printers, and applications in the branch location that require AD authentication. Authentication works with both VPN and MPLS, and in case the WAN/VPN is down users can even log in with cached credentials.
    Hope it helps.
    http://mariusene.wordpress.com/

  • Local Portal instance in branch office

    Are there any solutions for speeding up Portal for remote/branch office users?
    We have a lot of users who will be accessing the corporate network & Portal over relatively slow lines or satellite links; buying more bandwidth is physically not an option in some places we operate.
    Has anyone looked at installing local Portal instances in the field, and replicating PCD content to still allow central administration?
    Does SAP have any offerings in this space? Global/Federated Portal does not address the speed issue - users still go across the WAN to render their content. Portal Lite is still too slow.
    Any and all ideas appreciated.
    RBL

    Well spoken - you can't speed up the speed of light.
    Luckily, many of our content sources CAN be replicated to the branch offices. We use Lotus Notes/Domino for many web apps & web content; DFS (Microsoft replicated file system) for distributing files; and Exchange Public Folders for replicating commonly accessed email-type postings.
    Have you (or anyone out there) found any solutions for keeping PCD updates in sync between a head office Portal and a branch office Portal?

  • I have 3rd-party software wirelessly injected with a cryptographic authentication system without my consent (seems to be new technology developed by Stanford) obtaining ownership of my iPhone 4s software and controlling it with a remote device to jailbreak. Now what?

    I have 3rd-party software wirelessly injected and used on my iPhone with a cryptographic authentication system without my consent (seems to be new technology developed by Stanford, and Apple security is not updated for this technology), obtaining ownership of my iPhone 4s software and controlling it with a remote device to jailbreak my phone, adding and removing software, changing settings, all from a remotely controlled device in a different location (I have a MAC address ID of this device to know for sure). Almost undetectable. When I look at the legal section of my phone it shows a list of all the unauthorized 3rd-party software "as is" copyright encrypted on the phone. This is the most basic way to legally steal software of any kind. Because of this legality, 3rd-party ownership has total control of certain software correlated with hardware use, including visualization technology, etc. Most people luckily will never have this happen to them, so it's unlikely many readers have a clue of what I'm saying currently. Either way, without needing to obtain a specific warranty of any kind, "as is" copyright control makes system restores not a solution, because the source code is not directly encrypted on the actual hardware device; only a copyright notice must appear on the specific device for 3rd-party software validation, making it extremely difficult for me to take control of the situation.
    Apple claims their iOS technology prevents this type of copyright obstruction from being possible; however, according to my phone, a new form of technology was used, developed by Tom Wu of Stanford University, called the STANFORD SRP AUTHENTICATION TECHNOLOGY, which uses some form of cryptographic authentication system and uses, quote, "secure remote password", which seems to succeed in hacking iOS Apple technology that Apple claims is not possible to jailbreak on an unstolen phone or without the owner's consent, as well as loading the device with 3rd-party copyright notices to make all of this legalized. My phone shows at least 30 pages' worth of legalized 3rd-party copyright permissions! Yesterday my AppleCare provider labeled me a jailbreaker and refused to look at my legally documented proof, which completely blew my mind because it voids my AppleCare contract I spent 100 on. This employee did not take all factors into consideration and made quick assumptions, as well as verbally speaking to me as if I'm an automatic criminal. I left the store yesterday with no paid insurance help on a problem I had no control over and couldn't prevent, leaving with voided contracts. This is an Apple user's worst nightmare and I have spent days researching all of this like I am some kind of lawyer, only to be able to use my phone the way it should be and spent a lot of money on. I can legally back up any claim I have just written above currently and have a large source of data collected to prove Apple is wrong in voiding insurance support on this issue. The problem lies in Apple avoiding and not wanting to believe their software can legally be obtained or "hacked". Yet still labeled a jailbreaker, basically.. What should I do????? Been to the local Apple store 3 times and rebooted my phone, as well as Sprint service restore 4 times, and spoke with reps twice on the phone. Spoke with my phone provider, who said Apple has full control over these matters so they can't help me.
    My case is according to Apple "still open"... Anyone else heard of this or of Stanford's office of technology licensing? Maybe I need to buy a BlackBerry again or just use a landline so I can stop being my own lawyer and focus on other productive areas in life instead of this horrible mess. I shouldn't have to prove to Apple I'm not a jailbreaker; they should have to prove I'm one before voiding support I desperately need!!

    Mullaly75 wrote:
    I assume u guys don't understand what open source software is
    Yes, I think most of us do understand what open source software is. It sounds as if you don't. Here's some information:
    Open-source software (OSS) is computer software that is available in source code form: the source code and certain other rights normally reserved for copyright holders are provided under an open-source license that permits users to study, change, improve and at times also to distribute the software.
    Open source software is very often developed in a public, collaborative manner. Open-source software is the most prominent example of open-source development and is often compared to (technically defined) user-generated content or (legally defined) open content movements.
    from http://en.wikipedia.org/wiki/Open_source_software
    Yes, Tom Wu of Stanford wrote a paper on something called Secure Remote Access Protocol. It's a form of Asymmetric Key Exchange and has nothing to do with hacking anything. It's actually intended to protect data.
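The reply above says Tom Wu's protocol is a key exchange meant to protect data; this is what that means in code. It is an added example (mine, not from the thread and not Stanford's reference implementation) of the Secure Remote Password protocol (SRP-6a) that the question itself quotes, using the 1024-bit group from RFC 5054 Appendix A. The identity, passwords and salt are constructed sample values.

```python
"""SRP-6a password-authenticated key exchange, added as a worked example.

Makes the reply above concrete: the server stores only a salted verifier
v = g^x mod N and never the password; only the identity, the salt and the
public values A and B cross the wire; both sides derive the same session key
exactly when the client knows the enrolled password. Group parameters are the
1024-bit (N, g) from RFC 5054 Appendix A; the identities, passwords and salts
handed to run_exchange are constructed sample values.
"""
import hashlib
import secrets

# RFC 5054 Appendix A, 1024-bit group: N is a safe prime, g = 2.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
N_LEN = (N.bit_length() + 7) // 8

def h_int(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def pad(x: int) -> bytes:
    """PAD() from RFC 5054: left-pad an integer to the byte length of N."""
    return x.to_bytes(N_LEN, "big")

K_MULT = h_int(pad(N), pad(g))  # multiplier k = H(N | PAD(g))

def private_x(identity: bytes, password: bytes, salt: bytes) -> int:
    """x = H(s | H(I | ':' | P)): known to the client, and to the server only at enrolment."""
    return h_int(salt, hashlib.sha256(identity + b":" + password).digest())

def make_verifier(identity: bytes, password: bytes, salt: bytes) -> int:
    """Enrolment: the server keeps (salt, v = g^x mod N) and discards the password."""
    return pow(g, private_x(identity, password, salt), N)

def client_session(identity, password, salt, a, B):
    """Client: A = g^a; u = H(A|B); S = (B - k*g^x)^(a + u*x) mod N; K = H(S)."""
    if B % N == 0:
        raise ValueError("rejecting B == 0 mod N (RFC 5054 section 2.5.4)")
    A = pow(g, a, N)
    u = h_int(pad(A), pad(B))
    if u == 0:
        raise ValueError("rejecting u == 0")
    x = private_x(identity, password, salt)
    S = pow((B - K_MULT * pow(g, x, N)) % N, a + u * x, N)
    return A, hashlib.sha256(pad(S)).digest()

def server_public(v: int, b: int) -> int:
    """Server: B = k*v + g^b mod N, sent to the client together with the salt."""
    return (K_MULT * v + pow(g, b, N)) % N

def server_session(v, b, A, B):
    """Server: u = H(A|B); S = (A * v^u)^b mod N; K = H(S). Uses v only, never x."""
    if A % N == 0:
        raise ValueError("rejecting A == 0 mod N (RFC 5054 section 2.5.4)")
    u = h_int(pad(A), pad(B))
    S = pow((A * pow(v, u, N)) % N, b, N)
    return hashlib.sha256(pad(S)).digest()

def run_exchange(identity, enrolled_password, offered_password, salt):
    """One exchange. Returns (client_key, server_key, wire); wire is every
    message that crossed the network. Keys agree only if the offered password
    equals the enrolled one."""
    v = make_verifier(identity, enrolled_password, salt)  # server's stored record
    a = secrets.randbelow(N - 2) + 1                       # client ephemeral secret
    b = secrets.randbelow(N - 2) + 1                       # server ephemeral secret
    B = server_public(v, b)                                # server -> client: salt, B
    A, client_key = client_session(identity, offered_password, salt, a, B)
    server_key = server_session(v, b, A, B)                # client -> server: I, A
    return client_key, server_key, [identity, salt, pad(A), pad(B)]

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; hard-coded group parameters deserve this sanity check."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True
```

The `wire` list returned by `run_exchange` is the point of the demonstration: nothing in it is derived directly from the password, and the verifier the server stores cannot be replayed to impersonate the client, which is why a leaked verifier database is far less damaging than a leaked password database. The zero checks on A, B and u are the ones RFC 5054 requires; dropping them is the classic implementation mistake.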

  • Join remote computers in a branch office over VPN (GRE)

    Hi
    I have a problem with joining computers located in a branch office, described in the following. I would be grateful if anyone could help me.
    I have an FG1240B firewall as the edge firewall in my network and an FG60C in the branch office. These firewalls can see each other with assigned IPs; on the other hand, I established a GRE tunnel between them to increase security and make a direct site-to-site connection.
    The tunnel interfaces have their own IPs. Routes between the two LANs are created and computers in the branch can see HQ's servers such as the DC and additional DC. It should be noted that all services are open to both sides and even the branch's computers can resolve records in DNS and open https web servers and so on.
    But I face the problem when I want to join computers to the domain: after entering the credentials it returns the error message "the network path was not found". For solving this problem I found that the TCP ports 139 and 445 (that refer to user and computer authentication) could not establish a connection to the DC while all services are open at origin and destination; even the DNS service passes, and when I issue the netstat command on the branch's computer, I notice the connection to the DC is stuck in the SYN_SENT step and couldn't step forward to SYN_ACK and SYN_RCVD. It is worth mentioning that all this log information was seen in the branch and there is no join query in the firewall 1240B.
    I know this problem should be answered in firewall forums, but I asked this question here because I hope anyone can help me :-/
    thank you in advance for replying

    Hi,
    You can use a Wireshark or Network Monitor capture to see if any traffic is being blocked/stopped somewhere along the path when trying to join the domain. You do not need WINS. Have you enabled DNS debugging logs on the DC/DNS servers in the hub site and watched if the client from the branch site reaches the server?
    Regards,
    Calin
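Added illustration, not from either post: reading the netstat symptom the question describes. `SAMPLE_NETSTAT` is a constructed `netstat -an` excerpt from a branch workstation (192.168.20.15) trying to join a domain whose DC is at 192.168.10.5; the addresses, ports and socket states are invented sample values. `diagnose()` separates DC ports that reach ESTABLISHED from those stuck in SYN_SENT, which is the distinction the poster drew by hand.

```python
"""Interpreting netstat output for the half-open connections described in the
thread (added example). A SYN_SENT that never advances means no SYN-ACK came
back: either the outbound SYN was dropped or the DC's reply has no path back.
A firewall on the path that drops the SYN sees no completed 'join' at all,
which matches the poster's note that the 1240B showed no join query."""
import re
from collections import defaultdict

# Constructed 'netstat -an' excerpt; IPs, ports and states are sample values.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.20.15:49700    192.168.10.5:389       ESTABLISHED
  TCP    192.168.20.15:49705    192.168.10.5:443       ESTABLISHED
  TCP    192.168.20.15:49712    192.168.10.5:445       SYN_SENT
  TCP    192.168.20.15:49713    192.168.10.5:139       SYN_SENT
  TCP    192.168.20.15:49720    192.168.10.5:445       SYN_SENT
  UDP    192.168.20.15:53412    *:*
"""

# TCP ports the thread identifies as the ones the domain join could not open.
JOIN_PORTS = {139, 445}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Return (proto, remote_ip, remote_port, state) per connection line.
    Header and blank lines are skipped; UDP rows carry no state and '*' ports."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, _lip, _lport, rip, rport, state = m.groups()
        port = int(rport) if rport.isdigit() else None
        rows.append((proto, rip, port, state or ""))
    return rows

def diagnose(text, dc_ip):
    """Summarise what the workstation sees towards dc_ip: which TCP ports
    completed the handshake and which are still waiting for a SYN-ACK."""
    established = defaultdict(int)
    half_open = defaultdict(int)
    for proto, rip, port, state in parse_netstat(text):
        if proto != "TCP" or rip != dc_ip or port is None:
            continue
        if state == "ESTABLISHED":
            established[port] += 1
        elif state == "SYN_SENT":
            half_open[port] += 1
    # Join ports with half-open attempts and no successful connection at all.
    blocked = sorted(p for p in JOIN_PORTS if p in half_open and p not in established)
    if blocked:
        verdict = ("other services on the DC answer, but SYNs to TCP %s get no reply: "
                   "check the tunnel path and firewall policy for those ports in both "
                   "directions" % blocked)
    else:
        verdict = "no half-open domain-join ports seen"
    return {
        "established_ports": dict(established),
        "half_open_ports": dict(half_open),
        "join_ports_without_reply": blocked,
        "verdict": verdict,
    }
```

Feed it real `netstat -an` output from the branch machine (the parser understands the IPv4 layout shown; bracketed IPv6 addresses would need a second pattern). The useful signal is the contrast: ESTABLISHED sessions to 389 or 443 on the same DC rule out a general routing failure and point at per-port filtering, which is where the capture Calin suggests should be taken, on both ends of the GRE tunnel.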

  • Unable to allow traffic from remote office - Cisco RV220W

    Hi there,
    I have just bought the RV220W Cisco router firewall because my DLINK-1600 got broken and now I am unable to allow access to the machines located behind this router from the machines located at a remote office. Any help would be much appreciated!!
    This is the situation:
    1. Two remote offices A and B connected by a VPN tunnel (this connection is managed by an external provider and it is properly functioning)
    2. IP range A office: 192.168.236.0/24
    3. IP range B office: 192.168.237.0/24
    4. Office A: CISCO RV220W router/firewall (the one that I've just bought as the old D-Link has broken). This RV220W is connected to a Cisco router (managed by the provider) that is the one with the VPN tunnel to the other office. The Cisco router does not do NAT. On the other end (Office B) there is another Cisco router managed by the provider.
    5. Everything was working smoothly until our old router/firewall got broken and that is when I bought the rv220w. I have set up the CISCO RV220W at office A and the machines can ping the machines located at office B and can browse the internet, i.e., the traffic going out is OK and in that sense everything works smoothly.
    6. The problem is that the machines located at office B cannot access the machines located behind the CISCO RV220W and I know it is a problem of the firewall as if I capture traffic coming from office B, I can see that it is dropped by the CISCO RV220W.
    7. I have tried to enable an access rule in the firewall to allow traffic from office B (see picture below) but it does not seem to work. In the field Send to Local Server (DNAT IP) I have entered the WAN IP of my router (you cannot leave it blank) … this rule does not work at all. I think it is not properly configured but I don't know how to do it.
    8. As you see, the problem is that I don't know how to set up a rule to allow specific traffic coming from the WAN (traffic from the remote office – 192.168.237.0/24) to the LAN at office A - 192.168.236.0/24.
    In the old router/firewall I just had to create a rule specifying the source interface (WAN) and network (Office B) and the destination interface (LANOfficeA) and network (Office A). It does not seem that I can do the same here. I mean, do you always have to point to a server IP inside the LAN??
    I know it has to be a very easy thing to do but at this moment I am completely stuck. If anyone can give me some advice would be great.
    Thanks a lot for your help in advance!
    Eva

    Hi Eva, the default inbound policy cannot be changed. It will block all inbound traffic. To my knowledge there is not a way around this. Access rules are the only way to 'poke' a hole through the firewall but as you note, it is for a specific host. Values such as .0 and .255 do not work.
    -Tom
    Please mark answered for helpful posts

  • Branch office logic from SD

    The business scenario I'm trying to address is:
    we have multiple customers/shiptos that order, have credits issued for, and an individual credit limit set - but one corporate office that pays all of the bills and wants to take credits from shipto A for a balance on shipto B. 
    I know about and have set up the head office/branch office relationship and about setting the Payer partner to = the head office. The problem with this setup is that it rolls into one credit limit (head office customer) rather than each branch having its own. If I change the payer to = the branch office, then it does not show up within open items or cash app in FI under the head office.
    Has anyone figured out how to keep separate credit accounts for the branch offices but apply cash from a corporate level?


  • Branch office WDS still pulling image from main site

    Hi,
    I'm trying to configure a WDS on our branch site.
    What I did was open a new folder named DeployFilesFromMaster on the branch office server and replicate the DeploymentShare from main to branch office using DFS.
    Then I installed WDS services on the branch office and added a Boot Image (taken from DeployFilesFromMaster).
    Next I configured, under Scope Options on the DHCP server, option 66 (giving the IP address of the branch WDS) and option 67 (giving the path \Boot\x64\wdsnbp.com).
    Now when I'm booting a computer into PXE it starts working, but when pressing F8 and using the netstat command I see it has a session to my main office deploy server instead of to the branch office.
    What do I need to change?
    When looking in the branch office server, there is of course the DeployFilesFromMaster folder and there is another folder named DeploymentShare that was made while installing the WDS server, and there is a wdsnbp.com file as well. How do I know, when DHCP directs me to the boot file name, that it directs me to the right file, or doesn't it matter?
    thanks for your help

    The variable WDSSERVER is a variable that is figured out by MDT when booting a machine using the boot image created by Microsoft Deployment Toolkit. Therefore it is not available in Windows.
    If you want different WSUS servers depending on location of the client you can use for instance this technique in CustomSettings.ini. This will point clients on a specific subnet to a specific WSUS server.
    [Settings]
    Priority=DefaultGateway,Default
    [DefaultGateway]
    10.0.0.1=HQ
    10.0.1.1=BranchOffice
    [HQ]
    WSUSServer=http://wsus-hq:8530
    [BranchOffice]
    WSUSServer=http://wsus-branch:8530
    Blogging about Windows for IT pros at
    www.theexperienceblog.com
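The reply's technique in executable form, as an added example (mine, not the blog's code): MDT processes CustomSettings.ini in Priority order, and the function below reproduces that ordering so you can see which WSUSServer a client on a given default gateway ends up with. The ini text is the one from the reply plus a [Default] section added here to show the fallback for a gateway that is not listed; wsus-default and the gateway 10.0.9.1 are placeholders.

```python
"""How MDT's CustomSettings.ini priority processing selects a WSUS server per
subnet (added example). Rules as MDT applies them: sections are visited in
Priority order; DefaultGateway is an indirect entry that maps the client's
gateway IP to a section name; the first section that sets a property wins and
later sections do not override it."""
import configparser

# The reply's ini, plus a [Default] section added here; wsus-default is a placeholder.
SAMPLE_INI = """\
[Settings]
Priority=DefaultGateway,Default

[DefaultGateway]
10.0.0.1=HQ
10.0.1.1=BranchOffice

[HQ]
WSUSServer=http://wsus-hq:8530

[BranchOffice]
WSUSServer=http://wsus-branch:8530

[Default]
WSUSServer=http://wsus-default:8530
"""

def resolve_settings(ini_text, default_gateway):
    """Return the properties a client with this default gateway would receive."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of property names such as WSUSServer
    cp.read_string(ini_text)

    # Expand the Priority list into the concrete sections to visit, in order.
    visit = []
    for entry in (s.strip() for s in cp["Settings"]["Priority"].split(",")):
        if entry == "DefaultGateway":
            target = cp["DefaultGateway"].get(default_gateway)
            if target:
                visit.append(target)  # gateway known: its section goes first
        else:
            visit.append(entry)

    props = {}
    for section in visit:
        if not cp.has_section(section):
            continue
        for key, value in cp[section].items():
            props.setdefault(key, value)  # first writer wins, as in MDT
    return props

def section_order(ini_text, default_gateway):
    """Which sections were consulted, for checking a rule file before deployment."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(ini_text)
    order = []
    for entry in (s.strip() for s in cp["Settings"]["Priority"].split(",")):
        if entry == "DefaultGateway":
            target = cp["DefaultGateway"].get(default_gateway)
            if target:
                order.append(target)
        else:
            order.append(entry)
    return order
```

The point to take from it is the "first writer wins" rule: because DefaultGateway precedes Default in Priority, a matching gateway section sets WSUSServer before [Default] is read, and an unmatched gateway falls through to [Default]. Reversing the Priority order would make every client get the default server, which is the usual mistake when such a file misbehaves.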

  • HT201397 My "remote" can't control my Apple TV, however apple tv still received signal from "remote"

    My "remote" can't control my Apple TV, however apple tv still received signal from "remote" . Before that I have to press and hold the menu button, then the "remote" icon appeared on the screen.

    Welcome to the Apple Community.
    Your Apple TV may have become paired with another remote. Hold the remote close to and pointed at the Apple TV, hold down the menu and Rewind buttons together for 6 seconds or until you see a broken chain icon on screen.

  • Can you wake up your Mac remotely to control it from iPod using VNC app?

    I have the VNC app that allows you to connect to your Mac or PC and control it from your iPod. Your iPod screen displays a miniature version of your computer and by using a selection of tools you are able to do everything on your Mac remotely. The problem is that when you go away or are away from your computer you don't want to have to leave it running continuously, so the preferred option is to let it sleep and wake it up remotely when you need to access it. I tried calling Skype on my Mac from another computer but it either just leaves a message or rings but doesn't bring the Mac out of sleep mode. This little VNC app is amazing and very useful, but only if I can get my Mac to wake up so I can connect to it. If not, great app but useless... at least for me.
    Anyone have any ideas?
    Kev

    How about using SSH to remote secure shell into your Mac? That might wake it up.
    Touchterm is the touch app to use for ssh.
    -fred

  • I want to share files from iMac to MacBookPro. In "Sharing" setup I want to check "Screen Sharing" but get the error message "Screen Sharing is currently being controlled by the Remote Management service." What do I need to FIX???

    I want to share files from iMac to MacBookPro. In "Sharing" setup I want to check "Screen Sharing" but get the error message "Screen Sharing is currently being controlled by the Remote Management service." What do I need to FIX???

    Care to share which OS you are using? 
    Have you read for possible solutions over in the "More Like This" thread over here?

  • Getting a 1809 error when trying to remote control PC from the Console.

    This is the message I get when trying to remote view or remote control a PC.....
    1809: An error has occurred while generating a session key for
    encryption.The remote session cannot be initiated. Contact Novell
    Techical Services and specify this code.

    This is for a 1807 error. My error is a 1809 error. Is there somewhere else to research a 1809 error when trying to remote control a PC from the Console?
    > Perhaps.................
    >
    > http://support.novell.com/techcenter/search/search.do?cmd=displayKC&docType=kc&externalId=10094808html&sliceId=&dialogID=2356487
    >
    > --
    > Craig Wilson
    > Novell Product Support Forum Sysop
    > Master CNE, MCSE 2003, CCNA
    >
    > Editor - http://www.ithowto.com
    >
    > (Seeking Full-Time Expert? Drop me a note :> )
    > <[email protected]> wrote in message
    > news:09i_e.2044$[email protected]..
    > > This is message i get when trying to remote view or remote control PC.....
    > >
    > >
    > > 1809: An error has occurred while generating a session key for
    > > encryption.The remote session cannot be initiated. Contact Novell
    > > Techical Services and specify this code.
    >
    >

  • Connecting from Office and Connecting from Remote

    Hello
    Can anyone tell me what is the difference between "Connecting from Office" and "Connecting from Remote" in the connection wizard ?
    Thank you in advance

    Hi Naldoo,
    In the installation of SAP BPC you are specifying 3 names for the application server:
    Application Server Name
    External Application Server Name
    Virtual Name
    The third one is used in case if you are using NLB.
    The first one is the one used by "Connecting from Office"
    The second one is used by "Connecting outside of office"
    For this reason the External name must be an FQDN (Fully Qualified Name)
    The Application Server name can be a short name
    I hope this will help.
    Regards
    Sorin Radulescu

  • Control music from iPad remotely

    Hi,
    I have an iPad sat on a dock which is connected to my hifi. I'd like to be able to control playback from my iPhone 4. Does anyone know if this is possible?
    Thanks,
    Rob.

    Try this:
    http://itunes.apple.com/us/app/tango-remote-control-music/id345279970?mt=8
    http://www.youtube.com/watch?v=mmIolPu6dSI
