Cisco Ironport Certificate ISsue

Similar Messages

• Cisco ironport 370 to 670 Configuration Compatibility Issue

  I have currently Cisco IronPort S360 and want to Upgade with Cisco S670, upload configuration file of Cisco ironport 360 in &760 but unable to succeed.becasue of compatibility issue of OS .any one can help me regarding how to compatible .
  Regards,
  Shafiq

  Hi Shafiq,
  Please open a ticket and send both of your configuration files with the ticket. The CSE will need to verify that the network interfaces are the same or modify your xml file to allow it to be successfully uploaded to the new 670.
  Sincerely,
  Erik Kaiser
  WSA CSE
  WSA Cisco Forums Moderator

• Cisco IronPort AsyncOS 6.7.6-068 for Management GA Notification

  Cisco is pleased to announce the General Availability (GA) of a new major release of AsyncOS 6.7.6-068 for
  Management to all customers. This release applies to all our Security Management Appliances (M-Series).
  AsyncOS 6.7.6-068 for Management enables Centralized Tracking and Reporting for the new features introduced in AsyncOS 7.0 for Email.
  New Features and Enhancements in AsyncOS 6.7.6-068 for Management
  New Feature: Centralized support for the reporting and tracking changes in the AsyncOS for Email release 7.0:
  RSA Data Loss Prevention
  Marketing Message Detection
  New Feature: Reporting by ESA Groups
  Enhanced: Domain-Based Executive Summary Report now configurable by:
  Domain of Email Server
  Domain of Email Address
  Fixes in AsyncOS 6.7.6-068 for Management
  Fixed: MemoryError after losing Housekeeper thread [Defect ID: 52048]
  Fixed: The Show Details link results in a timeout [Defect ID: 51558]
  Fixed: Safelist/Blocklist should be exportable via CLI [Defect ID: 43360]
  Fixed: LDAP Query strips spaces [Defect ID: 46099]
  Fixed: Tracking database time does not update after system timezone is changed [Defect ID: 49407]
  Fixed: Application error when accessing Online Help from the End User Spam Quarantine page [Defect ID: 52395]
  This release has gone through our beta program, internal soak tests and is also running in production at our FCS customers.
  Please upgrade at your convenience and let us know how you like this new release!
  Cheers,
  Jakob

  Hi,
  We identified an issue in AsyncOS 6.7.6-068 for Management that under certain circumstances can cause loss of historical reporting data when reporting groups are configured. To ensure a high quality release, further testing on our side is required.
  6.7.6-068 is no longer available for upgrade to your M-Series appliances.
  If you already upgraded to 6.7.6-068 we strongly recommend to disable group based reporting to avoid being affected.
  We expect to release a new improved build of 6.7.6 shortly and apologize for any inconvenience or confusion this might have caused.
  If you are required to upgrade to 6.7.6 before a new build is available, please contact Cisco IronPort Customer Support.
  I'll let you know once the new build is available...
  Best Regards,
  Jakob

• Clean Access Agent 4.0.5 certificate issue

  Dear all,
  I ran into an issue that I hope you could help me resolve.
  We have NAC 4.0.5 and windows active directory domain.... the clients log on to the client to access the network with their domain credentials and they used to get the "Certificate is issued from an untrusted...." until I installed the www.perfigo.com certificate to the local certificate store...
  But as I'm a newbie... I seem to have done something on the NAC manager that messed up something, cause now the client considers the certificate issued from a trusted source, BUT a warning stating that the name on the certificate does not match the name (image attached)..
  What would be the possible solution to this??

  Hi,
  This can happen if you change IP address or hostname of the issued certificate...
  Have you done any of these?
  As side note, please beaware that 4.0.5 is End of Life since March 16th 2009... so you may want to consider upgrading your setup.
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/end_of_life_notice_c51-524732.html.
  HTH,
  Tiago

• Cisco IronPort with On Premise Exchange 2013

  Hello All
  The company I work for is in the process of starting an on premise Exchange 2007 to Exchange 2013 migration.
  Most of the issues I don't think I'll have an issue with; however, where I am not finding much info is in regards to other companies using Cisco IronPort with Exchange 2013.
  SO, I have two questions within this topic...
  One, is anyone using Cisco IronPort with Exchange 2013 (on premise) out here?
  Two, my manager is very controlling.  I am the Exchange Admin; however, anything having to do with this IronPort thing with regards to Exchange HE has to do it. So, if anyone is familiar with this IronPort thing... How much work on the IronPort is going
  to have to be done during this migration to keep things going?

  It shouldn't be any different with Exchange 2013 than it is with Exchange 2007.
  Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

• HT4864 Emails from .mac or .me emails being bounced by Cisco Ironports

  Is anyone else having problems with their .mac or .me email being bounced by Cisco Ironports?  Mine recently began bouncing when sending email to my wife at work.  She investigated it with their IT team and got the following response.
  We did some research and with the system administrators assistance we've figured out what is causing this. Seems that a lot of @mac.com accounts have been compromised lately and have earned themselves a bad reputation with our spam blocking service, Cisco IronPorts. What this means is that it's not any settings on either side, nor anything we control but it is in Apple's court to remedy the issue with their e-mail servers to get a proper reputation again. This is causing e-mails to be blocked from @mac.com, @me.com and @icloud.com accounts worldwide.

  I have also been having this issue for the last several weeks. Apple seriously needs to adjust whatever is causing outbound emails to get flagged. Apple also has the ability to work on their end to remove accounts that cause our email accounts to be lumped in with those causing the bad reputation. They also have the ability to work with upper level people at the companies where the rejection as spam is occuring, to help create specific algorithms to work around this for those not at fault. This has caused major disruptions in my business and is strangly unpredictable. Sometimes I get rejected, and sometimes it goes through to the same address. It doesn't make any sense to me but then again, I'm not a programmer. APPLE, PLEASE FIX THIS!

• WLC Certificate Issue

  So we had a vendor come in to look over our wireless and install new APs at the same time. Well previously we had no issues with our guest wireless and certificates. We have two sets of WLCs, 4 for one site, and another 3 for another site. While the secondary site is up and working fine in terms of guest wireless and regular wifi (as far as I know) we get certificate issues and connection problems in the main hospital. I know we should go back to the vendor, but this guy basically had all our management SSID set to the same IP.
  So I'm trying to see if we can not buy a $1000 CA certificate and utilize what we had previously. It seems there was no Ca certificate for these WLC, but it worked fine for guest wireless SSID. I see a Web Auth certificate on the WLC in the main site, but it has dates which are either expired, or future dates. The Web Auth certs for the secondary site are all valid and expire in 2018. We don't seem to have any certificate issues from what I've seen in the secondary site. I could use some help because there is only so much in Cisco docuumentation and everything I've read is to buy a CA cert, when it worked fine before this vendor touched it.

  Well with certificates, you can take one of the valid certificates and install them on all the WLC's that are hosting a webauth page.  That is what I do:)  YOu will have to verify that the VIP dns name is correct and also verify that the guest users dns that they obtain from dhcp can resolve the FQDN to the VIP address.
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• Cisco Ironport failover

  Hi all
  Can someone please assist me im trying to setup two Cisco Ironport WSA devices to failover for each other, what would i require for this to happen.
  With Thanks
  Kuda

  Hi Vince
  Yes, i had that issue using pac files and IE9.
  i opened a case with Microsoft Tech support, and after 2 months, they said that there is an IE9 bug, and will be considered on new patch releases. (it was 6 months ago, and i think is not a patch available yet...)
  The Microsoft solution was use IE8 (failover works as expected)...and don't upgrade to IE9...
  i didn't test it on IE10, i think the issue is the same as IE9, but you should test it with all the patches up to date.

• Is it Support Network News Transfer Protocol On Cisco Ironport WSA S670?

  Hi,
  I have an issue whith a costumer with Cisco Ironport WSA S670, my question is if the WSA support NNTP?
  Thanks
  Alex Juache

  Hi Alejandro,
  The WSA does not support NNTP.
  Sincerely,
  Erik Kaiser
  WSA CSE
  WSA Cisco Forums Moderator

• How do i deal with 'security certificate' issues on my iPad2? I'm unable to answer the security questions that pop up when Im trying to download an app because the pop up does not load properly...

  Basically my Ipad2 stopped allowing me to go to sites such as Tumblr a little while ago. It wouldn't display the page properly because of 'security certificate' issues. This in itself would not have been such a problem, but when I went to the App store to try and download the Tumblr App, a pop up appeared asking me to answer some security questions before I could successfully install the App. However, the pop up would not display correctly because of 'security certificate' issues and as a result I can't download any apps from the App Store. Can anyone help with this??

  Well, I maged to delete some stuff, download the update...
  My Mac mail is still not ok. Still only displays today, yesterday and everything is the 16th of the month previous to this?
  All a bit strange to say the least any suggestons on how to resolve this.
  I now have a second issue in all my emails at the very top of each it describes in detail the full information of
            Delivered-To:  
            Received:  
            Received:  
            Received:  
            Received:  
            X-Received:  
            Return-Path:  
            Received-Spf:
            Authentication-Results:
            Content-Type:  
            Mime-Version:  
            X-Mailer:  
            X-Cloudmark-Analysis:  
  Surely this should not be displayed rather insecure I would think. Any suggestions on how to amend

• Certificates issued by communications server for client authentication

  Hi,
  we ran into problem with those certificates, that are being issued by the lync server itself.  In our enteprise we have CX600 and CX3000 phones, and i know that certificate authentication is required for the phones to work (both for registrar and webservice).
  However, now that users have lync installed, they have their communications server certificate assigned as well. The problem is when a user needs to sign a document with the certificate from our private CA, for most of the users, word or excel suggests to
  use a certificate issued by communications server, not our ent CA. Maybe there is a way for LYNC to trust private enteprise CA and not give out its own certificates and STILL use certificate authentication?
  Thanks!

  Facing almost the same issue, Lync (server) issues ClientAuth certs from "Communication Server", (btw
  is not trusted of course), and in turns forces users to make a selection of which VPN cert to use when dialing in, instead of only one ClientAuth cert installed, they now have 2 ClientAuth certs installed, which our internal CA's should care about and NOT
  the Lync (server).
  Don’t get how an MS product of this caliber can be built without proper PKI integration, how can it NOT utilize internally issued certs for client authentication???
  Not the first though, SCCM and OSD is another example....
  However, are you saying that Lync communication can’t be used without certificate authentication,
  without the user being spammed with credential prompts?
  Trying to get clarification on this…

• Checklist for Exchange Certificate issues

  Checklist for Exchange Certificate issues
  1. 
  Why certificate is important for Exchange and What are Certificates used for
  Exchange is now using certificates for more than just web, POP3, or IMAP. In addition to
  securing web services, it has also incorporated Transport Layer Security (TLS) for session based authentication and encryption.
  Certificates are used for several things on Exchange Server. Most customers also use certificates
  on more than one Exchange server. In general, the fewer certificates you have, the easier certificate management becomes.
  IIS (OWA, ECP, EWS, EAS, OA, Autodiscover, OAB, UM)
  POP/IMAP
  SMTP
   2. 
  Common symptoms for
  certificate issue
  Here we can see three different types of the certificate warning, mainly from the Outlook
  side.
  a.
  Certificate mismatch issue
  b.
  Certificate trust issue
  c.
  Certificate expiration issue
  3. 
  Checklists
  In this section, checklists will be provided according to the three different scenarios:
  Certificate Mismatch Issue
  [Analysis]:
  This issue mainly occurs because the URL of the web services Outlook tries
  to connect does not match the host name in the certificate.
  [Checklist]:
  Firstly make sure how many host name in your certificate the certificate. Run “Get-ExchangeCertificate | select certificatedomain”.
  Secondly, check the web services URLs which Outlook are trying to connect to. Run “Test Email AutoConfiguration”
  In this scenario, you need to check the host name for the following services:
  Autodiscover
  EWS
  OAB
  ECP
  UM
  If any of the urls above does not match the one in the certificate, refer to the following article to change
  it via EMS:
  http://support.microsoft.com/kb/940726
   1.
  Do not forget to restart the IIS service after applying the changes above.
   2. Make sure a valid certificate is enabled on the IIS service.
  Certificate Trust Issue
  [Analysis]:
  For the self-signed and PKI-based (Enterprise)
  certificates, they are not automatically trusted by the client computer or mobile device, you must make sure that you import the certificate into the trusted root certificate store on client computers and devices. On the other hand, Third-party or commercial
  certificates do not have this problem. Most commercial CA certificates are already trusted because the certificate already resides in the trusted root certificate store. Because the issuer is trusted, the certificate is also trusted. Using third-party certificates
  greatly simplifies deployment.
  [Checklist]:
  If it’s an Enterprise CA certificate, manually install the root certificate to the “Trusted Root Certification Authorities” folder:
  If it is a 3^rd-party certificate, first remove and reinstall the certificate. Check whether the Windows Certificate Store on the local
  client is corrupted. If it still does not work, please contact the third-party CA support to verify the certificate.
  Certificate Expiration Issue
  [Checklist]:
  When a certificate is about to expired, we just need to renew it by referring the following article:
  Renew an Exchange Certificate
  http://technet.microsoft.com/en-us/library/ee332322(v=exchg.141).aspx
  To avoid any conflictions, it’s recommended to remove the expired certificate from the certificate store.
  [How to set a reminder to alert the administrator when a certificate is about to expired]:
  It’s easy to fix the certificate expire issue. But it should be more important to set a reminder before the
  certificate expiration. Or there can be a large user impacts.
  Generally, the Event ID “^(24|25)$” will appear in Application log when a certificate is about to expire.
  If it’s not quite visible, we can refer to the following solution:
  http://blogs.technet.com/b/nexthop/archive/2011/11/18/certificate-expiration-alerting.aspx
  OWA certificate revoked issue
  [Analysis]:
  IE
  includes support for server certificate revocation which verifies that an issuing
  CA has not revoked a server certificate. This feature checks for CryptoAPI revocation when certificate extensions
  are present. If the URL for the revocation information is unresponsive, IE cancels the connection.
  [Solution or workaround]:
  1. Contact CA provider and check whether the questioned certificate is in the Revoked List.
  2. If not, check whether the certificate has a private key.
  3. Remove the old certificate and import the new one.
  Workaround:
  IE Internet Options -> Advanced tab -> Clear the "Check for server certificate revocation"
  checkbox.
  4. 
  More References
  Digital Certificates and SSL
  http://technet.microsoft.com/en-us/library/dd351044(v=exchg.150).aspx
  More on Exchange 2007 and certificates - with real world scenario
  http://blogs.technet.com/b/exchange/archive/2007/07/02/3403301.aspx

  (Reported previous post with link to SIS package to moderator)
  This is not the correct SIS package for the N73. The package shown is for S60 3.2 devices, but the N73 is not S60 3.2, I believe it is S60 3.0.
  Most features may work with this SIS, but if you experience strange problems, try using the S60 3.0 version.
  But there are no significant difference between 2.5.3 and 2.5.5 with regard to attachments. The only changes were with localization (languages).
  At this point, try 2.7.0 which is out now:
  http://businesssoftware.nokia.com/mail_for_exchange_downloads.php
  Make sure to pick the right phone on the drop down list. It does matter! There are 4 different packages. This list makes sure you get the right one.
  I have seen some issues with attachments not completing that seem to be carrier dependent. You can test this my using Wifi (if possible).
  Message Edited by m4e_team_k on 28-Sep-2008 12:25 AM

• CF7 and JDK 1.4.2 - EV SSL Certificate Issue

  Let me start off by telling the group that we do not use CF for any of our applications.  We are a payments company that hosts a .NET API in IIS that 100's of thousands of customer use.  We have one particular customer using CF7 and JDK 1.4.2 who is currently unable to process against our API.  About a week ago we upgraded our SSL certificates to EV (Extended Validation) and since that time our once happy customer is now unhappy.  I have spent hours working with him, going through FAQs and walk throughs, knowledge bases and forums and have had no luck.  Here are the details:
  EV Certificate issued by DigiCert (4096-bit).
  Customer is on CF7 and JDK 1.4.2.
  When he attempts to process against our API with the new certificate he gets 'Connection Failure: Status code unavailable' message from his CF application.  He is using cfhttp to post his requests.  We found a work around that indicated that the only issue with JDK 1.4.2 was importing the high-bit certificates.  Our customer installed JDK 1.6, imported the certificate (and all intermediate certificates) successfully into the cacerts file, but when attempting to list using JDK 1.4.2 is returns an invalid certificate error and still will not work.
  Please help as we are currently in a work around state for this customer (not long term) and we have exhausted the resources we have access to for solving this issue.
  Thanks in advance to those gurus that reply.  I have attached a sample post from our customers logs with non-essential data removed.
  I can be reached by phone at 801-341-5620 if anyone feels like reaching out to talk.
  - Dave

  Dave,
  I am having a similar issue with CF7 and PayPal's Reporting API which also uses EV SSL.
  I can offer that in my testing, both CF 8 and CF 9 do seem to be able to work when using CFHTTP and EV SSL,
  so the only solution I can offer at this time is to make the suggestion to your customer that they need to upgrade
  to either CF 8 or CF 9 to get the issue quickly resolved.
  I'm still working to see if I can find a solution for CF7 and I've been asking around in the CF community for help, so
  if I do find a solution, I'll definitely post it there for you.
  Cheers

• How to fetch certificates issued in past

  Hi,
  I have a long list of templates issued in my Client's Issuing CA, some of them are not in use. If I try to export " Issued Certificates" list from CA, it hangs.
  I want to know how many certificates and last certificate issed from a specific template for fine-tuning and seggregation purpose. Please let me know how we can check that status.
  Thanks
  Neha Garg

  Hi Paul,
  I am getting the output like this :
  C:\Windows\system32>certutil -view -restrict "certificate template=<1.3.6.1.4.1.
  311.21.8.10269956.2688026.1196953.3333800.9810006.227.1092942.575204>"
  Schema:
    Column Name                   Localized Name                Type    MaxLength
    Request.RequestID             Request ID                    Long    4 -- Index
  ed
    Request.RawRequest            Binary Request                Binary  65536
    Request.RawArchivedKey        Archived Key                  Binary  65536
    Request.KeyRecoveryHashes     Key Recovery Agent Hashes     String  8192
    Request.RawOldCertificate     Old Certificate               Binary  16384
    Request.RequestAttributes     Request Attributes            String  32768
    Request.RequestType           Request Type                  Long    4
    Request.RequestFlags          Request Flags                 Long    4
    Request.StatusCode            Request Status Code           Long    4
    Request.Disposition           Request Disposition           Long    4 -- Index
  ed
    Request.DispositionMessage    Request Disposition Message   String  8192
    Request.SubmittedWhen         Request Submission Date       Date    8 -- Index
  ed
    Request.ResolvedWhen          Request Resolution Date       Date    8 -- Index
  ed
    Request.RevokedWhen           Revocation Date               Date    8
    Request.RevokedEffectiveWhen  Effective Revocation Date     Date    8 -- Index
  ed
    Request.RevokedReason         Revocation Reason             Long    4
    Request.RequesterName         Requester Name                String  2048 -- In
  dexed
    Request.CallerName            Caller Name                   String  2048 -- In
  dexed
    Request.SignerPolicies        Signer Policies               String  8192
    Request.SignerApplicationPolicies  Signer Application Policies   String  8192
    Request.Officer               Officer                       Long   
  4
    Request.DistinguishedName     Request Distinguished Name    String  8192
    Request.RawName               Request Binary Name           Binary  4096
    Request.Country               Request Country/Region        String  8192
    Request.Organization          Request Organization          String  8192
    Request.OrgUnit               Request Organization Unit     String  8192
    Request.CommonName            Request Common Name           String  8192
    Request.Locality              Request City                  String  8192
    Request.State                 Request State                 String  8192
    Request.Title                 Request Title                 String  8192
    Request.GivenName             Request First Name            String  8192
    Request.Initials              Request Initials              String  8192
    Request.SurName               Request Last Name             String  8192
    Request.DomainComponent       Request Domain Component      String  8192
    Request.EMail                 Request Email Address         String  8192
    Request.StreetAddress         Request Street Address        String  8192
    Request.UnstructuredName      Request Unstructured Name     String  8192
    Request.UnstructuredAddress   Request Unstructured Address  String  8192
    Request.DeviceSerialNumber    Request Device Serial Number  String  8192
    RequestID                     Issued Request ID             Long    4 -- Index
  ed
    RawCertificate                Binary Certificate            Binary  16384
    CertificateHash               Certificate Hash              String  128 -- Ind
  exed
    CertificateTemplate           Certificate Template          String  254 -- Ind
  exed
    EnrollmentFlags               Template Enrollment Flags     Long    4
    GeneralFlags                  Template General Flags        Long    4
    PrivatekeyFlags               Template Private Key Flags    Long    4
    SerialNumber                  Serial Number                 String  128 -- Ind
  exed
    IssuerNameID                  Issuer Name ID                Long    4
    NotBefore                     Certificate Effective Date    Date    8
    NotAfter                      Certificate Expiration Date   Date    8 -- Index
  ed
    SubjectKeyIdentifier          Issued Subject Key Identifier  String  128 -- In
  dexed
    RawPublicKey                  Binary Public Key             Binary  4096
    PublicKeyLength               Public Key Length             Long    4
    PublicKeyAlgorithm            Public Key Algorithm          String  254
    RawPublicKeyAlgorithmParameters  Public Key Algorithm Parameters  Binary  4096
    PublishExpiredCertInCRL       Publish Expired Certificate in CRL  Long    4
    UPN                           User Principal Name           String 
  2048 -- In
  dexed
    DistinguishedName             Issued Distinguished Name     String  8192
    RawName                       Issued Binary Name            Binary  4096
    Country                       Issued Country/Region         String  8192
    Organization                  Issued Organization           String  8192
    OrgUnit                       Issued Organization Unit      String  8192
    CommonName                    Issued Common Name            String  8192 -- In
  dexed
    Locality                      Issued City                  
  String  8192
    State                         Issued State                 
  String  8192
    Title                         Issued Title                 
  String  8192
    GivenName                     Issued First Name             String  8192
    Initials                      Issued Initials               String  8192
    SurName                       Issued Last Name              String  8192
    DomainComponent               Issued Domain Component       String  8192
    EMail                         Issued Email Address          String  8192
    StreetAddress                 Issued Street Address         String  8192
    UnstructuredName              Issued Unstructured Name      String  8192
    UnstructuredAddress           Issued Unstructured Address   String  8192
    DeviceSerialNumber            Issued Device Serial Number   String  8192
  Maximum Row Index: 0
  0 Rows
     0 Row Properties, Total Size = 0, Max Size = 0, Ave Size = 0
     0 Request Attributes, Total Size = 0, Max Size = 0, Ave Size = 0
     0 Certificate Extensions, Total Size = 0, Max Size = 0, Ave Size = 0
     0 Total Fields, Total Size = 0, Max Size = 0, Ave Size = 0
  CertUtil: -view command completed successfully.
  but it doesnt give me the output that I am looking for. I want to know details of last certificate issued by a given template and its validity status.
  Please let me know if I need to make any changes in command.
  Thanks
  Neha Garg

• What is the cisco ironport C680 and M680 configuration backup file size?

  what is the cisco ironport C680 and M680 configuration backup file size?

  Size of the XML itself?  That is going to vary based on what you have configured, total lines of code, and # of appliances you may/may not have in cluster.
  M680, based on SMA as stand-alone, should be similar --- you are probably looking @ < 1 MB... 
  Looking @ my test environment, in which I have a nightly cron job set to grab a backup of...
  -rw-rw----  1 robert robert 161115 Sep 26 02:00 C000V-564D1A718795ACFEXXXX-YYYYBAD60A5A-20140926T020002.xml
  So, 161115 bytes = .15 MB
  -Robert