Best Practice for DHCP when Anchoring to a Guest Wireless LAN Controller

Hi all,
I'm interested in the community's opinion in relation to DHCP provisioning when using auto-anchor/guest tunneling.
As far as I can tell, one cannot use the internal DHCP on the anchor controller when using auto-anchor due to incompatibility between the auto-anchor feature and DHCP Option 82.
The scenario is as follows:
Guest controller is the anchor which provides Internet access to guests.
There is a foreign controller which is configured to anchor to the guest controller.
The internal DHCP server is configured on the guest anchor controller, therefore DHCP proxy must be enabled for DHCP to work.
DHCP proxy enables Option 82.
The guidelines for guest tunneling state that DHCP Option 82 isn't supported. (Ref: Deploying and Troubleshooting Cisco Wireless LAN Controllers - Ch14)
So, the internal DHCP server requires DHCP proxy to be enabled; this in turn enables Option 82, which stops DHCP leases being made to clients connected to the foreign controller.
Given that a guest WLC would normally be placed in a DMZ, the internal DHCP server may often be the only DHCP solution available.
I look forward to hearing your opinions.
Thanks
Rhodri Jenkins

There are a couple of options here if you need to get proxy disabled
1) pinhole with an ACL that allows dhcp to pass your internal servers
2) run dhcp on a switch, router, or firewall in the dmz
3) if you are using a cable modem or dsl for the guest users, you can let that do the dhcp
In general I've seen most of these in play, but I like option 2 myself
Sent from Cisco Technical Support iPad App
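
Whichever of the options above is chosen, a packet capture on the anchor side shows whether DHCP requests still arrive relayed and carrying Option 82. The following is an added example, not part of the original posts: it parses a DHCP message (UDP payload) and reports the message type, giaddr and any Option 82 sub-options. The sample messages, addresses and sub-option values are constructed for the demonstration and do not come from a real controller.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, Iterator, Optional, Tuple

MAGIC_COOKIE = bytes([99, 130, 83, 99])   # RFC 2131 marker before the options
BOOTP_FIXED_LEN = 236                     # op .. file, fixed-size header
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_INFO, OPT_END = 0, 53, 82, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SUBOPT_NAMES = {1: "circuit-id", 2: "remote-id"}   # RFC 3046 sub-options


class DhcpParseError(ValueError):
    pass


def walk_tlv(buf: bytes, top_level: bool) -> Iterator[Tuple[int, bytes]]:
    """Yield (code, value) pairs; pad/end codes only exist at the top level."""
    i = 0
    while i < len(buf):
        code = buf[i]
        if top_level and code == OPT_PAD:
            i += 1
            continue
        if top_level and code == OPT_END:
            return
        if i + 2 > len(buf):
            raise DhcpParseError("truncated option header")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise DhcpParseError(f"option {code} overruns the buffer")
        yield code, value
        i += 2 + length


@dataclass
class DhcpSummary:
    msg_type: str
    giaddr: str
    option82: Optional[Dict[str, bytes]]   # None when no Option 82 is present

    @property
    def relayed(self) -> bool:
        # A non-zero giaddr means a relay (or DHCP proxy) handled the message.
        return self.giaddr != "0.0.0.0"


def summarize(payload: bytes) -> DhcpSummary:
    """Summarize one DHCP message. Option overload (option 52) is not handled."""
    if len(payload) < BOOTP_FIXED_LEN + len(MAGIC_COOKIE):
        raise DhcpParseError("shorter than a BOOTP header plus magic cookie")
    if payload[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != MAGIC_COOKIE:
        raise DhcpParseError("missing DHCP magic cookie")
    giaddr = str(ipaddress.IPv4Address(payload[24:28]))
    msg_type, relay_info = "UNKNOWN", None
    for code, value in walk_tlv(payload[BOOTP_FIXED_LEN + 4:], top_level=True):
        if code == OPT_MSG_TYPE and len(value) == 1:
            msg_type = MSG_TYPES.get(value[0], f"TYPE-{value[0]}")
        elif code == OPT_RELAY_INFO:
            # Repeated instances are concatenated before decoding (RFC 3396).
            relay_info = (relay_info or b"") + value
    option82 = None
    if relay_info is not None:
        option82 = {SUBOPT_NAMES.get(c, f"sub-{c}"): v
                    for c, v in walk_tlv(relay_info, top_level=False)}
    return DhcpSummary(msg_type, giaddr, option82)


def build_sample(giaddr: str, subopts: Optional[Dict[int, bytes]]) -> bytes:
    """Constructed DHCPDISCOVER for the demo; not a capture from a real controller."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234ABCD, 0, 0,
                         bytes(4), bytes(4), bytes(4),
                         ipaddress.IPv4Address(giaddr).packed,
                         bytes.fromhex("020000000001"), b"", b"")
    options = bytes([OPT_MSG_TYPE, 1, 1])
    if subopts is not None:
        body = b"".join(bytes([c, len(v)]) + v for c, v in subopts.items())
        options += bytes([OPT_RELAY_INFO, len(body)]) + body
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


# Constructed samples: a relayed request with Option 82, and a bridged one without.
PROXIED = build_sample("192.0.2.10", {1: b"guest-wlan", 2: bytes.fromhex("0200000000aa")})
BRIDGED = build_sample("0.0.0.0", None)

if __name__ == "__main__":
    for name, pkt in (("proxied", PROXIED), ("bridged", BRIDGED)):
        s = summarize(pkt)
        print(name, s.msg_type, "giaddr=" + s.giaddr, "option82=", s.option82)
```

To use it on real traffic, pass in the UDP payload of packets captured on ports 67/68 on the guest VLAN.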

Similar Messages

  • Best practice for DHCP Server 2008 utilization of IP Addresses

    I am currently using 85% of addresses on my DHCP server running Windows 2008 Server. Does Microsoft recommend a particular percentage (%) of its utilization before building another scope? Or what is the industry's best practice or Microsoft's recommendation to build another scope?

    Hi,
    As far as I know, there is no standard for the usage of DHCP scope. Just make sure that the IP address pool isn't exhausted.
    For the best practices of DHCP, please refer to the article below,
    DHCP Best Practices
    http://technet.microsoft.com/en-us/library/cc780311(v=WS.10).aspx
    Recommended tasks for the DHCP server role
    http://technet.microsoft.com/en-us/library/cc731392.aspx
    Hope this helps.
    Steven Lee
    TechNet Community Support

  • Best practice for Smartview when upgrading from Excel 2003 to Excel 2007?

    Does anyone know the best practice for Smartview when upgrading from Excel 2003 to Excel 2007?
    Current users have Microsoft Excel 2003 with Smartview 9.3.1.2.1.003.
    Computers are being upgraded to Microsoft Excel 2007.
    What is the best practice for Smartview in this situation?
    1. Do nothing with Smartview and just install Excel 2007.
    2. Install Excel 2007 and then uninstall and reinstall Smartview
    3. Uninstall Smartview, Install Excel 2007, and then install Smartview
    4. Something else??
    Thanks!

    We went with option 1 and it worked out fine. Be aware that SV processes noticeably slower in Excel 2007 than 2003. Many users were/are unhappy with the switch. We haven't tested SV v11 yet, so I'm not sure if it has improved performance with Excel 2007 or not (hopefully it does).

  • Best Practices for Setting up a Windows 2012 R2 STD Domain Controller in a Remote Site

    So I'm looking for an article or writeup similar to the "Adding Domain Controllers in Remote Sites" TechNet article but for Windows Server 2012 STD R2.  Here is my scenario:
    1.  I want to setup the domain controller at Site A where the primary domain controller is located.  The primary domain controller is Windows Server 2008 R2. 
    2.  Once the DC is setup I plan on leaving it on our network for a few days before shipping it to remote Site B for installation
    Other key items:
    1.  The remote Site B will have a different IP range than Site A but will be connected to Site A via a single VPN tunnel.  All the DCs that replicate with each other are on the same domain. 
    2.  The 2012 DC that I setup for Site B (same domain in same forest) will be a DHCP, DNS, and WSUS server all replicating to the primary DC at Site A
    Questions:
    1.  What items can I setup while it's at Site A without affecting or conflicting with the existing network and domain controller?  Can I setup a scope once the DHCP role is added? 
    2.  All of our DCs replicate through Sites and Services, do I have to manually add this to our primary DC for the new DC going to remote Site B?  Or when does this happen automatically when I promote the DC? 
    All and all I'm just looking for a list of Best Practices for 2012 or a Step by Step Guide.  Any help would be appreciated. 

    Hi,
    Thanks for your posting.
    When you install AD DS in the hub or staging site, disconnect the installed domain controller, and then ship the computer to the remote site, you are disconnecting a viable domain controller from the replication topology.
    For more detailed information, please refer to:
    Best Practices for Adding Domain Controllers in Remote Sites
    http://technet.microsoft.com/en-us/library/cc794962(v=ws.10).aspx
    Regards.
    Vivian Wang

  • Error when installing webauth certificate virtual wireless LAN controller

    Hi there
    I am having issues installing web auth certificate for our virtual wireless LAN controller. 
    I am issuing a certificate from our own PKI in following format
    device cert for WLC > Intermediate > our root cert. 
    I have followed the discussion here
    https://supportforums.cisco.com/discussion/10890871/generating-csr-wlc-5508
    and the document here 
    http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html#support
    However I am still getting the following errors 
    *sshpmLscTask: Jun 30 17:18:26.443: sshpmLscTask: LSC Task received a message 4 
    *TransferTask: Jun 30 17:18:28.785: Memory overcommit policy changed from 0 to 1
    *TransferTask: Jun 30 17:18:28.785: RESULT_STRING: FTP Webauth cert transfer starting.
    *TransferTask: Jun 30 17:18:28.785: RESULT_CODE:1
    FTP Webauth cert transfer starting.
    *TransferTask: Jun 30 17:18:33.154: ftp operation returns 0
    *TransferTask: Jun 30 17:18:33.154: RESULT_STRING: FTP receive complete... Installing Certificate.
    FTP receive complete... Installing Certificate.
    *TransferTask: Jun 30 17:18:33.154: RESULT_CODE:13
    *TransferTask: Jun 30 17:18:37.159: Adding cert (8217 bytes) with certificate key password.
    *TransferTask: Jun 30 17:18:37.169: sshpmCheckWebauthCert: Verification return code: 1
    *TransferTask: Jun 30 17:18:37.169: Verification result text: ok
    *TransferTask: Jun 30 17:18:37.171: sshpmAddWebauthCert: Extracting private key from webauth cert and using bundled pkcs12 password.
    *TransferTask: Jun 30 17:18:37.361: sshpmDecodePrivateKey: calling ssh_skb_decode()...
    *TransferTask: Jun 30 17:18:37.493: sshpmDecodePrivateKey: SshPrivateKeyPtr after skb_decode: 0x2aaaacb51628
    *TransferTask: Jun 30 17:18:37.493: sshpmAddWebauthCert: got private key; extracting certificate...
    *TransferTask: Jun 30 17:18:37.494: sshpmAddWebauthCert: extracted binary cert; doing x509 decode
    *TransferTask: Jun 30 17:18:37.494: sshpmAddWebauthCert: doing x509 decode for 1594 byte certificate...
    *TransferTask: Jun 30 17:18:37.494: sshpmAddWebauthCert: failed to validate certificate...
    *TransferTask: Jun 30 17:18:37.494: RESULT_STRING: Error installing certificate.
    *TransferTask: Jun 30 17:18:37.495: RESULT_CODE:12
    *TransferTask: Jun 30 17:18:37.495: Memory overcommit policy restored from 1 to 0
    Error installing certificate.
    Any help is much appreciated

    Similar issue:
    https://supportforums.cisco.com/discussion/11043836/wism-42112-and-web-auth-certificate

  • Best Practice for ViewObjects when inserting data through pl/sql procedure

    My application is an Oracle Forms based enterprise level application and we are now developing a new module in ADF 11g, but there is a restriction that all data insertion, updating, and deletion will be through Oracle PL/SQL procedures. Now my question is whether ADF pages should be bound to ViewObjects based on Entity Objects or to ViewObjects not based on Entity / SQL query. Currently I have developed pages with programmatic ViewObjects which are neither based on Entity Objects nor on SQL query. In those view objects, I create transient attributes and then use them to create ADF pages. Then on save, I extract the data from the ViewObject's current row and pass it to the procedure. This is working fine but I am just wondering whether this approach is OK or there is a better alternative for that. Ideally I want to create ViewObjects based on EntityObjects but am not finding any way to synchronize EntityObjects with data inserted through procedures.

    Hi,
    I create a EO for the Database-View and override the doDML()-Method. For insert/update and delete I call the pl/sql-functions.
    See "38.5 Basing an Entity Object on a PL/SQL Package API" in Oracle® Fusion Middleware Fusion Developer's Guide for Oracle Application Development Framework.

  • Best Practice for Security Point-Multipoint 802.11a Bridge Connection

    I am trying to get the best practice for securing a point to multi-point wireless bridge link. Link point A to B, C, & D; and B, C, & D back to A. What authentication is the best and configuration is best that is included in the Aironet 1410 IOS. Thanks for your assistance.
    Greg

    The following document on the types of authentication available on 1400 should help you
    http://www.cisco.com/univercd/cc/td/doc/product/wireless/aero1400/br1410/brscg/p11auth.htm

  • Kernel: PANIC! -- best practice for backup and recovery when modifying system?

    I installed NVidia drivers on my OL6.6 system at home and something went bad with one of the libraries.  On reboot, the kernel would panic and I couldn't get back into the system to fix anything.  I ended up re-installing the OS to recover my system. 
    What would be some best practices for backing up the system when making a change and then recovering if this happens again?
    Would LVM snapshots be a good option?  Can I recover a snapshot from a rescue boot?
    EX: File system snapshots with LVM | Ars Technica -- scroll down to the section discussing LVM.
    Any pointers to documentation would be welcome as well.  I'm just not sure what to do to revert the kernel or the system when installing something goes bad like this.
    Thanks for your attention.

    There is often a common misconception: A snapshot is not a backup. A snapshot and the original it was taken from initially share the same data blocks. LVM snapshot is a general purpose solution which can be used, for example, to quickly create a snapshot prior to a system upgrade, then if you are satisfied with the result, you would delete the snapshot.
    The advantage of a snapshot is that it can be used for a live filesystem or volume while changes are written to the snapshot volume. Hence it's called "copy on write" (COW), or copy on change if you want. This is necessary for system integrity to have a consistent data status of all data at a certain point in time and to allow changes happening, for example to perform a filesystem backup. A snapshot is no substitute for a disaster recovery in case you lose your storage media. A snapshot only takes seconds, and initially does not copy or backup any data, unless data changes. It is therefore important to delete the snapshot if no longer required, in order to prevent duplication of data and restore file system performance.
    LVM was never a great thing under Linux and can cause serious I/O performance bottlenecks. If snapshot or COW technology suits your purpose, I suggest you look into Btrfs, which is a modern filesystem built into the latest Oracle UEK kernel. Btrfs employs the idea of subvolumes and is much more efficient than LVM because it can operate on files or directories while LVM is doing the whole logical volume.
    Keep in mind however, you cannot use LVM or Btrfs with the boot partition, because the Grub boot loader, which loads the Linux kernel, cannot deal with LVM or BTRFS before loading the Linux kernel (catch22).
    I think the following is an interesting and fun to read introduction explaining basic concepts:
    http://events.linuxfoundation.org/sites/events/files/slides/Btrfs_1.pdf

  • Best Practice for setting bind variable when application loads

    I am using JDeveloper 11.1.2.3.
    When my application loads, the first unbounded page has a table populated by a named query.
    I would like to set the parameter used by the named query when the page loads, to populate the initial data that is displayed.
    What is the best practice for a solution to this issue?

    user6003393 wrote:
    I am using JDeveloper 11.1.2.3.
    When my application loads, the first unbounded page has a table populated by a named query.
    I would like to set the parameter used by the named query when the page loads, to populate the initial data that is displayed.
    What is the best practice for a solution to this issue?
    Hi,
    You can set the bind variable on VO by overriding prepareSession() method in Application Module check this http://docs.oracle.com/cd/E37975_01/web.111240/e16182/bcservices.htm#sthref357
    Setting bind variable on runtime http://docs.oracle.com/cd/E37975_01/web.111240/e16182/bcquerying.htm#CHDECJHD
    Zeeshan

  • Best practice for integrating a 3 point metro-e in to our network.

    Hello,
    We have just started to integrate a new 3 point metro-e wan connection to our main school office. We are moving from point to point T-1's to 10 MB metro-e. At the main office we have a 50 MB going out to 3 other sites at 10 MB each. For two of the remote sites we have purchased new routers - which should be straight up configurations. We are having an issue connecting the main office with the 3rd site.
    At the main office we have a Catalyst 4006 and at the 3rd site we are trying to connect to a catalyst 4503.
    I have attached configurations from both the main office and 3rd remote site as well as a basic diagram of how everything physically connects. These configurations are not working - we feel that it is a gateway type problem - but have reached no great solutions. We have tried posting to a different forum - but so far unable to find a solution that helps.
    The problem I am having is on the remote side. I can reach the remote catalyst from the main site, but I cannot reach the devices on the other side of the remote catalyst; however, the remote catalyst can see devices on its side as well as devices at the main site.
    We have also tried trunking the ports on both sides and using encapsulation dot10q - but when we do this the 3rd site is able to pick up a DHCP address from the main office - and we do not feel that is correct. But it works - is this not causing a large broadcast domain?
    If you have any questions or need further configuration data please let me know.
    The previous connection was a T1 connection through a 2620 but this is not compatible with metro-e so we are trying to connect directly through the catalysts.
    The other two connection points will be connecting through cisco routers that are compatible with metro-e so i don't think I'll have problems with those sites.
    Any and all help is greatly welcome - as this is our 1st metro e project and want to make sure we are following best practices for this type of integration.
    Thank you in advance for your help.
    Jeff

    Jeff, from your config it seems your main site and remote site are not adjacent in eigrp.
    Try adding a network statement for the 171.0 link and form a neighbourship between main and remote site for the L3 routing to work.
    Upon this you should be able to reach the remote site hosts.
    HTH-Cheers,
    Swaroop

  • Best Practice for FlexConnect Wireless roaming in MediaNet environment?

    Hello!
    Current Cisco best practice recommendations for enterprise MediaNet design, specify that VLANs be local to a switch / switch stack (i.e., to limit the scope of spanning-tree). 
    In the wireless world, this causes problems if you want users while roaming to keep real-time applications up and running.  Every time they connect to a new AP on a different VLAN, then they will need to get a new IP address, which interrupts real-time apps. 
    So...best practice for LAN users causes real problems for wireless users.
    I thought I'd post here in case there's a best practice for implementing wireless roaming in a routed environment that we might have missed so far!
    We have a failover pair of FlexConnect 7510s, btw, configured for local switching for Internal users, and central switching with an anchor controller on the DMZ for Guest users.
    Thanks,
    Deb

    Thanks for your replies, Stephen and JSnyder.
    The situation here is that the original design engineer is no longer here, and the original design was not MediaNet-friendly, in that it had a very few /20 subnets bridged over entire large sites. 
    These several large sites (with a few hundred wireless users per site), are connected to an HQ location (where the 7510s in failover mode are installed) via 1G ethernet hand-offs (MPLS at the WAN provider).  The 7510s are new, and are replacing older controllers at the HQ location. 
    The internal employee wireless users use resources both local to their site, as well as centralized resources.  There are at least as many Guest wireless users per site as there are internal employee users, and the service to them consists of Internet traffic only.  (When moved to the 7510s, their traffic will continue to be centrally switched and carried to an anchor controller in the DMZ.) 
    (1) So, going local mode seems impractical due to the sheer number of users whose traffic bound for their local site would be traversing the WAN twice.  Too much bandwidth would be used.  So, that implies the need to use Flex / HREAP mode instead.
    (2) However, re-designing each site's IP environment for MediaNet would suggest to go routed to the closet.  However, this breaks seamless roaming for users....
    So, this conundrum is why I thought I'd post here, and see if there was some other cool / nifty solution I wasn't yet aware of. 
    The only other (possibly friendly to both needs) solution I'd thought of was to GRE tunnel a subnet from each closet to the collapsed Core / Disti switch at each site.  Unfortunately, GRE tunnels are not supported in the rev of IOS on the present equipment, and so it isn't possible to try this idea.
    Another "blue sky" idea I had (not for this customer, but possibly elsewhere in the future), is to use LAN switches such as 3850s that have WLC functionality built-in.  I haven't yet worked with the WLC s/w available on those, but I was thinking it looks like they could be put into a mobility group, and L3 user roaming between them might then work.  Do you happen to know if this might be a workable solution to the overall big-picture problem? 
    Thanks again for taking the time and trouble to reply!
    Deb

  • Best practice configure DHCP server NAC

    hi all,
    any idea how the best practice deploy dhcp on cas? i tried to follow the user guide to configure dhcp on cas but it still cannot run smoothly, user just only grep ip authenticate.
    - CCA agent very slow appear when user get ip dhcp on authenticate.any idea ?
    - how to integrated profiler with nac appliance .?

    Hi ahmed,
    You have configured your CAS to be your DHCP server. That's well and good because you are using Real IP mode, which supports the CAS being a DHCP server.
    Remember
    This setting is only for your Authentication VLAN, so that your client gets an IP while authenticating.
    When your client switches to the Access VLAN, your client traffic no longer flows through the CAS, so the CAS is now not responsible for DHCP.
    You'll have to configure another DHCP on the Trusted Side which can lease IPs to the Access VLAN members.
    As you have configured OOB, your client is in the Access VLAN and does not come in contact with the CAS, so you need the Trusted side DHCP to give the client an IP address.
    Here in your Scenario your ACCESS VLANS are 2022,2044
    Hope this helps, Do reply after Testing.
    Thank You
    Regards
    Edward

  • Best practice for ASA Active/Standby failover

    Hi,
    I have configured a pair of Cisco ASA in Active/ Standby mode (see attached). What can be done to allow traffic to go from R1 to R2 via ASA2 when ASA1 inside or outside interface is down?
    Currently this happens only when ASA1 is down (shutdown). Is there any recommended best practice for such network redundancy?  Thanks in advance!

    Hi Vibhor,
    I tested ping from R1 to R2 and ping drops when I shut down either the inside (g1) or outside (g0) interface of the Active ASA. Below is the ASA 'show failover' and 'show run',
    ASSA1# conf t
    ASSA1(config)# int g1
    ASSA1(config-if)# shut
    ASSA1(config-if)# show failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: FAILOVER GigabitEthernet2 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 3 of 60 maximum
    Version: Ours 8.4(2), Mate 8.4(2)
    Last Failover at: 14:20:00 SGT Nov 18 2014
            This host: Primary - Active
                    Active time: 7862 (sec)
                      Interface outside (100.100.100.1): Normal (Monitored)
                      Interface inside (192.168.1.1): Link Down (Monitored)
                      Interface mgmt (10.101.50.100): Normal (Waiting)
            Other host: Secondary - Standby Ready
                    Active time: 0 (sec)
                      Interface outside (100.100.100.2): Normal (Monitored)
                      Interface inside (192.168.1.2): Link Down (Monitored)
                      Interface mgmt (0.0.0.0): Normal (Waiting)
    Stateful Failover Logical Update Statistics
            Link : FAILOVER GigabitEthernet2 (up)
            Stateful Obj    xmit       xerr       rcv        rerr
            General         1053       0          1045       0
            sys cmd         1045       0          1045       0
            up time         0          0          0          0
            RPC services    0          0          0          0
            TCP conn        0          0          0          0
            UDP conn        0          0          0          0
            ARP tbl         2          0          0          0
            Xlate_Timeout   0          0          0          0
            IPv6 ND tbl     0          0          0          0
            VPN IKEv1 SA    0          0          0          0
            VPN IKEv1 P2    0          0          0          0
            VPN IKEv2 SA    0          0          0          0
            VPN IKEv2 P2    0          0          0          0
            VPN CTCP upd    0          0          0          0
            VPN SDI upd     0          0          0          0
            VPN DHCP upd    0          0          0          0
            SIP Session     0          0          0          0
            Route Session   5          0          0          0
            User-Identity   1          0          0          0
            Logical Update Queue Information
                            Cur     Max     Total
            Recv Q:         0       9       1045
            Xmit Q:         0       30      10226
    ASSA1(config-if)#
    ASSA1# sh run
    : Saved
    ASA Version 8.4(2)
    hostname ASSA1
    enable password 2KFQnbNIdI.2KYOU encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface GigabitEthernet0
     nameif outside
     security-level 0
     ip address 100.100.100.1 255.255.255.0 standby 100.100.100.2
     ospf message-digest-key 20 md5 *****
     ospf authentication message-digest
    interface GigabitEthernet1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
     ospf message-digest-key 20 md5 *****
     ospf authentication message-digest
    interface GigabitEthernet2
     description LAN/STATE Failover Interface
    interface GigabitEthernet3
     shutdown
     no nameif
     no security-level
     no ip address
    interface GigabitEthernet4
     nameif mgmt
     security-level 0
     ip address 10.101.50.100 255.255.255.0
    interface GigabitEthernet5
     shutdown
     no nameif
     no security-level
     no ip address
    ftp mode passive
    clock timezone SGT 8
    access-list OUTSIDE_ACCESS_IN extended permit icmp any any
    pager lines 24
    logging timestamp
    logging console debugging
    logging monitor debugging
    mtu outside 1500
    mtu inside 1500
    mtu mgmt 1500
    failover
    failover lan unit primary
    failover lan interface FAILOVER GigabitEthernet2
    failover link FAILOVER GigabitEthernet2
    failover interface ip FAILOVER 192.168.99.1 255.255.255.0 standby 192.168.99.2
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-715-100.bin
    no asdm history enable
    arp timeout 14400
    access-group OUTSIDE_ACCESS_IN in interface outside
    router ospf 10
     network 100.100.100.0 255.255.255.0 area 1
     network 192.168.1.0 255.255.255.0 area 0
     area 0 authentication message-digest
     area 1 authentication message-digest
     log-adj-changes
     default-information originate always
    route outside 0.0.0.0 0.0.0.0 100.100.100.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 10.101.50.0 255.255.255.0 mgmt
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh 10.101.50.0 255.255.255.0 mgmt
    ssh timeout 5
    console timeout 0
    tls-proxy maximum-session 10000
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username cisco password 3USUcOPFUiMCO4Jk encrypted
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    crashinfo save disable
    Cryptochecksum:fafd8a885033aeac12a2f682260f57e9
    : end
    ASSA1#

  • Best practices for setting up users on a small office network?

    Hello,
    I am setting up a small office and am wondering what the best practices/steps are to setup/manage the admin, user logins and sharing privileges for the below setup:
    Users: 5 users on new iMacs (x3) and upgraded G4s (x2)
    Video Editing Suite: Want to connect a new iMac and a Mac Pro, on an open login (multiple users)
    All machines are to be able to connect to the network, peripherals and external hard drive. Also, I would like to setup drop boxes as well to easily share files between the computers (I was thinking of using the external harddrive for this).
    Thank you,


  • Best Practice for Securing Web Services in the BPEL Workflow

    What is the best practice for securing web services which are part of a larger service (a business process) and are defined through BPEL?
    They are all deployed on the same oracle application server.
    Defining agent for each?
    Gateway for all?
    BPEL security extension?
    The top level service that is defined as business process is secure itself through OWSM and username and passwords, but what is the best practice for security establishment for each low level services?
    Regards
    Farbod

    It doesn't matter whether the service is invoked as part of your larger process or not, if it is performing any business critical operation then it should be secured.
    The idea of SOA / designing services is to have the services available so that it can be orchestrated as part of any other business process.
    Today you may have secured your parent services and tomorrow you could come up with a new service which may use one of the existing lower level services.
    If all the services are in one Application server you can make the configuration/development environment a lot easier by securing them using the Gateway.
    Typical problem with any gateway architecture is that the service is available without any security enforcement when accessed directly.
    You can enforce rules at your network layer to allow access to the App server only from Gateway.
    When you have the liberty to use OWSM or any other WS-Security products, I would stay away from any extensions. Two things to consider:
    The next BPEL developer in your project may not be aware of Security extensions
    Centralizing Security enforcement will make your development and security operations as loosely coupled and addresses scalability.
    Thanks
    Ram
