Client NAT in CSS11500

Hi,
I'm currently redesigning my portal infrastructure and as such, I need to redo a few things on my CSS. But I can't seem to find anything about Client-NAT on the CSS. I need to NAT/PAT external sessions to an inside RFC1918-address. The config below simply passes the original src.ip through and consequently the session is blocked by the firewall. So far I've been unsuccessful in finding the proper documentation, so I'm hoping someone here can help me get started.
owner BK019TF
  content BK019TF-SSL
    vip address a.b.c.d
    add service SSLMODULE1
    port 443
    protocol tcp
    active
  content BK019TF
    redundant-index 142
    advanced-balance sticky-srcip
    port 4433
    protocol tcp
    vip address a.b.c.d
    add service Misys-ben-3
    add service Misys-ben-4
    active
Thanks
/Ulrih

Source groups are used on the CSS to NAT the source IP addresses. There could be two scenarios:
1. A connection is open to the server.
In this case you need 'add destination service'.
2. The server opens the connection. In this case you need 'add service ...'
The following example will give you some idea of how to implement source NAT with the CSS:
http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080093dff.shtml
Thanks
Syed Iftekhar Ahmed

Similar Messages

  • Use of client nat pools on the CSM

    Hi Guys,
    Just a quick question about the use of NAT pools, for which the configuration guide is a little scant on information.
    If a client NAT pool such as this is used (16 addresses):
    natpool POOL1 10.1.5.0 10.1.5.15 netmask 255.255.255.240
    I just want to make sure that port address translation (PAT) will be used by the CSM if the number of sessions exceeds the number of IP addresses available in the NAT pool?
    I hope this makes sense!
    thanks
    Sheldon

    the CSM does PAT by default.
    Gilles.

  • Client NAT and Source IP Sticky

    How can we implement client NAT and source IP sticky for the same server farm without running into issues? Our NAT pool is using IPs from the VIPs' subnet. Is this possible? This configuration is on Cat 6500 w/ CSM-S v. 2.1.1. Thanks.

    this is possible.
    The CSM will first determine the destination server based on the client ip and the sticky srcip table and then it will nat the client ip address using your pool.
    It does not matter which subnet is being used as long as the servers know to respond back to the CSM.
    Regards,
    Gilles.

  • CSM - Client NAT for routable server subnet

    I have clients and servers that are outside of the vlans that are the defined ones for CSM. I am using a client NAT pool that is part of the server side address space and server NAT. I see in a packet capture that the server is replying to pings to one of the NAT pool addresses. The ping does not get back to the client. The CSM is acting like it is not listening to traffic for the client NAT address. I saw an article that talked about "Secure router mode" and doing "IP SLB MODE CSM". I am not in that mode. Do I need to be and what effect will that have on my current load balanced servers?

    Thanks. This is now working.
    I see that the NAT has to be in the client address space as that is where the default gateway for the CSM is. Made the following changes:
    no natpool CLIENTNAT1 10.200.0.230 10.200.0.232 netmask 255.255.255.0
    natpool CLIENTNAT1 10.200.250.230 10.200.250.232 netmask 255.255.255.0
    Noticed that a previous "show mod csm 5 arp" showed:
    10.200.2.100 -->10.200.250.1 0 REAL routed
    10.200.2.101 -->10.200.250.1 0 REAL routed
    10.200.2.102 -->10.200.250.1 0 REAL routed

  • Client NAT - ACE

    Hi All,
    We are trying to configure client NAT on the ACE. I have tried the following configuration.
    I want to make sure of the following things:
    1) Whether this is the right way or not, and whether this is possible?
    2) If it is, and anyone has ideas for it, please do let me know so that I can send the topology diagram as well to make it easier to understand.
    class-map match-all CLIENT-TO-AVS-VIP
      2 match virtual-address 172.16.30.110 tcp eq www
    class-map match-all NAT
      2 match source-address 0.0.0.0 0.0.0.0
      3 match destination-address 172.16.30.110 255.255.255.255
    policy-map multi-match MOON-POLICY
      class CLIENT-TO-AVS-VIP
        loadbalance vip inservice
        loadbalance policy MOON_AVS_CLIENT
        loadbalance vip icmp-reply
      class NAT
        nat dynamic 9 vlan 300
    interface vlan 300
      description Clentside interface
      bridge-group 30
      access-group input ALL
      nat-pool 9 172.16.30.200 172.16.30.210 netmask 255.255.255.255 pat
      service-policy input REMOTE-MGMT
      service-policy input MOON-POLICY
      no shutdown
    Regards
    Aslam...

    Hi Aslam,
    Yes, it's possible in quite a simple way. I see some errors in your configuration:
    You don't need a second class map "NAT", the first one is sufficient. You can tell the ACE "When traffic matches CLIENT-TO-AVS-VIP, loadbalance AND nat client traffic".
    To do so, simply insert the "nat dynamic 9 vlan 300" command inside the "class CLIENT-TO-AVS-VIP" mapping in the multi-match policy.
    This should work as you want:
    class-map match-all CLIENT-TO-AVS-VIP
      2 match virtual-address 172.16.30.110 tcp eq www
    policy-map multi-match MOON-POLICY
      class CLIENT-TO-AVS-VIP
        loadbalance vip inservice
        loadbalance policy MOON_AVS_CLIENT
        loadbalance vip icmp-reply
        nat dynamic 9 vlan 300
    Remember that an instruction like
    "2 match source-address 0.0.0.0 0.0.0.0" is a pleonasm; no instruction on source-address means match any source.
    You can check some other scenarios on source NAT here:
    http://snippets101.blogspot.com/2007/12/source-nat-on-cisco-ace.html
    Hope this helps.
    Alberto

  • Client nat in csm?

    In the CSM, we need client NAT.
    I have a question about client NAT.
    Is client NAT PAT or NAT?
    If it is PAT, does it operate in a rotary fashion?
    If client NAT is just NAT, we have a problem.

    The PAT for FTP service setting vserver is 1025 - 8192.
    For others, the PAT range is 8193-65535.
    It starts at 8193 and increments.
    PAT is always on.
    Gilles.

  • Ace module in bridged mode with client nat

    Could someone confirm whether NAT is supported on the ACE-20 module, please?
    Let me explain the technical details.
    I need to convert a working CSM (SLB) config to an ACE configuration and I am not quite sure
    if the configuration below is correct. The ACE module should be configured in bridge mode with two
    vlans - vlan 36 (client) and vlan 436 (server) - bridged with interface bvi 36.
    NAT on the ACE is configured as "nat dynamic 1025 vlan 436" in the corresponding
    "policy-map type loadbalance"
    Could you check the two parts of the configs and advise me if the ACE config is
    properly converted from the CSM and will work in the same way (especially for NAT).
    Thank you in advance.
    CSM config
    =======
    vlan 36 client
      ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
      gateway 10.36.3.1
    vlan 436 server
      ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
    natpool WEB-MAIL 10.36.3.100 10.36.3.100 netmask 255.255.255.0
    sticky 30 netmask 255.255.255.255 address source timeout 60
    probe SHAREPOINT tcp
      interval 30
      failed 120
      open 3
      port 80
    probe WEBMAIL-443 tcp
      interval 5
      failed 60
      open 2
      port 443
    serverfarm WEBMAIL-443
      nat server
      nat client WEB-MAIL
      predictor leastconns
      real 10.36.3.101 443
       inservice
      real 10.36.3.102 443
       inservice
      probe WEBMAIL-443
    serverfarm WEBMAIL-80
      nat server
      nat client WEB-MAIL
      predictor leastconns
      real 10.36.3.101 80
       inservice
      real 10.36.3.102 80
       inservice
      probe SHAREPOINT
    vserver WEBMAIL-443
      virtual 10.36.3.100 tcp https
      serverfarm WEBMAIL-443
      sticky 60 group 30
      replicate csrp sticky
      replicate csrp connection
      persistent rebalance
      inservice
    vserver WEBMAIL-80
      virtual 10.36.3.100 tcp www
      serverfarm WEBMAIL-80
      replicate csrp connection
      persistent rebalance
      inservice
    ACE config
    =======
    probe tcp WEBMAIL-443
      interval 5
      open 2
      passdetect interval 60
      port 443
    probe tcp SHAREPOINT
      interval 30
      open 3
      passdetect interval 120
      port 80
    serverfarm host WEBMAIL-443
      predictor leastconns
      probe WEBMAIL-443
      rserver 10-36-3-101 443
        inservice
      rserver 10-36-3-102 443
        inservice
    serverfarm host WEBMAIL-80
      predictor leastconns
      probe SHAREPOINT
      rserver 10-36-3-101 80
        inservice
      rserver 10-36-3-102 80
        inservice
    class-map match-all WEBMAIL-80
      match virtual-address 10.36.3.100 tcp eq www
    class-map match-all WEBMAIL-443
      match virtual-address 10.36.3.100 tcp eq https
    sticky ip-netmask 255.255.255.255 address source 30
      serverfarm WEBMAIL-443
      replicate sticky
      timeout 60
    policy-map type loadbalance first-match WEBMAIL-80
      class class-default
        serverfarm WEBMAIL-80
        nat dynamic 1025 vlan 436 serverfarm primary
    policy-map type loadbalance first-match WEBMAIL-443
      class class-default
        sticky-serverfarm 30
        nat dynamic 1025 vlan 436 serverfarm primary
    parameter-map type http HTTP_ADV_OPT
      persistence-rebalance
    policy-map multi-match IFVLAN36-POLICY
      class WEBMAIL-80
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-80
        loadbalance vip inservice
        loadbalance vip icmp-reply active
      class WEBMAIL-443
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-443
        loadbalance vip inservice
        loadbalance vip icmp-reply active
    interface vlan 36
      bridge-group 36
      service-policy input IFVLAN36-POLICY
      mac-sticky enable
      no shutdown
    interface vlan 436
      bridge-group 36
      nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0
      no shutdown
    interface bvi 36
      ip address 10.36.3.3 255.255.255.0
      peer ip address 10.36.3.4 255.255.255.0
      no shutdown

    Hello F.Makarenko-
    You will want to use PAT while you do NAT, so change the natpool configuration to this:
    nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0 pat
    You also need to apply the NAT like this:
    policy-map multi-match IFVLAN36-POLICY
      class WEBMAIL-80
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-80
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        nat dynamic 1025 vlan 436
      class WEBMAIL-443
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-443
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        nat dynamic 1025 vlan 436
    If you are going to build out a lot of classes, you can instead do source NAT like this:
    policy-map multi-match IFVLAN36-POLICY
      class WEBMAIL-80
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-80
        loadbalance vip inservice
        loadbalance vip icmp-reply active
      class WEBMAIL-443
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-443
        loadbalance vip inservice
        loadbalance vip icmp-reply active
      class class-default
        nat dynamic 1025 vlan 436
    Regards,
    Chris Higgins

  • RV042 Shrew soft client NAT-t new mapping

    Hi everyone,
    Since I had a Quick VPN issue, I tried the Shrew Soft client, hoping to get the IPSec tunnel up with the RV042 router in Client2gateway mode.
    On the Shrew client, I got "Tunnel is activated" but got "established failed" errors.
    On RV042 IPSec log, it ended with : NAT-T: x.x.x.x new mapping.
    What does it mean?
    Thanks for your answers.

    Hi Hdam,
    That's good :) 
    - Yes, you can change the FQDN from remote.com to another domain name.
    - Why don't I select IP address as remote? Because on the router, when you select Group VPN, the VPN will automatically be the responder and wait for a connection. Also, in that case we don't need to specify the public or LAN network of the client, because they can connect from anywhere.
    Now, on the client, the local ID should be the same as the remote ID in the router (remember, when you configure a VPN tunnel between two routers, the local address from site B should be the remote local on site A; it is the same here with Shrew VPN, but using an FQDN).
    - I just want to clarify that the RV0xx doesn't support VLANs; it's port-based VLAN and multiple subnets, BUT you can achieve what you need :)
    Please follow these steps:
    Step 1: I assume that you have already added the additional subnet; if not, just add it under Setup --> Network and then add the additional subnet. For a better implementation, it is better to have the subnets like this example: if you have the default network 192.168.1.1/24, add a second subnet 192.168.2.1/24. In this case, in the VPN setup we can do subnet summarization and it will be 192.168.0.0/16 class B, and all the PCs connected to the router should have gateway 192.168.1.1 or 192.168.2.1 (in my example, of course).
    Step 2: Under VPN --> summary --> edit the old configuration for the VPN client and change the local network to 192.168.0.0 mask 255.255.0.0
    Step 3: In Shrew VPN, also under policy --> Remote Network Resource, change to 192.168.0.0 255.255.0.0
    and it should work :)
    Please rate this post to help other Cisco customers.
    Greetings
    Mehdi

  • ACE 4710 client NAT (outgoing)

    Hi Experts,
    I have an ACE 4710 set up to load balance http and https only, and it seems to be working fine.
    Now I have another requirement to NAT all real servers' IPs (server side internal network 10.8.8.0) to the VIP (192.168.1.20).
    Our configuration is as below:
    The two real server IPs are 10.8.8.2 and 10.8.8.3, connected to VLAN interface v500 (IP is 10.8.8.254).
    VLAN v400 faces the public side; the v400 interface IP is 192.168.1.10, and there is one VIP, 192.168.1.20, which is mapped to the two real servers.
    I need to configure: all outgoing traffic from network 10.8.8.0 to the public side should have its source IP NATed to 192.168.1.20 (the VIP, not the interface real IP 192.168.1.10).
    Thanks,
    BQ

    Here are a few things you could try:
    1. nat-pool 5 192.168.1.20 192.168.1.20 netmask 255.255.255.0 pat
    change to
    nat-pool 5 192.168.1.20 192.168.1.20 netmask 255.255.255.255 (/32 host)
    2. service-policy input remote-access
    Do you have a management VLAN interface defined? If so, add it to that interface.
    3. The requirements are to LB http (80) and https (443). In this case you would need two separate VIPs defined:
    VIP1:
    class-map match-all slb-vip
      2 match virtual-address 192.168.1.20 tcp eq 80
    VIP2:
    class-map match-all slb-vip
      2 match virtual-address 192.168.1.20 tcp eq 443
    Is there a requirement to redirect http traffic? If so, you would need to define another class-map to redirect http traffic to https.
    show service-policy client-vips detail
    HTH

  • VPN / NAT Problem

    Hi, I have quite a complex (to explain) VPN problem. I've built a model in GNS3 but I still can't get it to work. Here is the topology:
    1. SiteW is the main site, if W-Client wants to talk to S-Client (on SiteS) the traffic is simply NATTED to 106.200.194.240 and sent there (this works fine).
    2. SiteB is a new site, I've set that up with a Site to Site VPN, that works fine.
    New Requirement
    If a user at SiteB wants to Talk to a Client at SiteS, then the traffic should go over the existing VPN to W-FW1 then get decrypted and routed there. This is the bit I CANNOT despite HOURS of tweaking and testing get to work.
    What I've done
    On W-FW2
    Added Site S to the existing interesting traffic ACL and added a 'NO NAT' for it like so;
    object network S-CLIENTS
    subnet 65.253.1.0 255.255.255.0
    access-list VPN-INTERESTING-TRAFIC extended permit ip object B-CLIENTS object S-CLIENTS
    nat (inside,outside) source static B-CLIENTS B-CLIENTS destination static S-CLIENTS S-CLIENTS
    On W-FW1
    Added Site S to the existing interesting traffic ACL and added a 'NO NAT' for it like so;
    object network S-CLIENTS
    subnet 65.253.1.0 255.255.255.0
    access-list VPN-INTERESTING-TRAFIC extended permit ip object S-CLIENTS object B-CLIENTS
    nat (inside,outside) source static S-CLIENTS S-CLIENTS destination static B-CLIENTS B-CLIENTS
    At this point packet tracer said the traffic was being blocked by ACL so I added
    access-list inbound extended permit ip object B-CLIENTS object S-CLIENTS
    access-list inbound extended permit icmp object B-CLIENTS object S-CLIENTS
    access-group inbound in interface outside
    Now Packet Tracer was happy, Still B-Client Cannot Ping S-Client!
    W-FW1 can ping S-Client
    Attempting to ping S-Client from B-Client brings up the tunnel (phase 1 and 2) but no traffic ever travels BACK to B-Client.
    Running Wireshark on the 106.200.194.1 interface of S-FW1 whilst attempting to ping 65.253.1.10 from S-FW1 shows traffic (as expected) but if I ping from B-Client it gets nothing (so I'm assuming the traffic never gets out of W-FW1).
    Help!

    First check if the packet from the S client is making it back to the W-FW1.
    Configure captures on the interface that is connected to the 106.200.194 subnet.
    #cap capin interface <interface name> match ip host <sclient ip> host <bclient ip>
    #show cap capin
    The capture is bidirectional, hence there is no need to enable it in the opposite direction.
    If the packet is seen coming back from the S client and is still not getting encrypted, then do an asp drop capture to see if the ASA is dropping it:
    #capture asp type asp-drop all
    Send the traffic.
    #show cap asp | in <Sclient IP>
    If the packet is seen in this capture then the ASA is dropping it.
    Then do a packet tracer to see why it is dropping it.
    #packet-t input <Sclient connected interface name> icmp <sclient IP> 8 0 <b client IP> det.
    Check why the packet is dropping.
    If the capin capture does not see the reply packet, then check the reply path and routing.

  • VPN -- different behavior between Mac and Windows XP clients.

    Hi,
    Background:
    I have a Mini server serving L2TP IPSEC vpn with both Mac and Windows (all XP, so far) clients.
    The mini sits behind a Netopia router/firewall/NAT box that port forwards L2TP traffic to the mini.
    The mini has a public but unrouted address (unrouted in the public Internet, that is.) The same Netopia serves as the router for outgoing public connections. DNS is served by other servers.
    The VPN clients are distributed addresses from the unrouted public address space.
    Client <-> NAT <-> Public Cloud <-> NAT <-> Private (with public addresses) <-> Mini (VPN)
    Mac clients work happily, accessing internal and external hosts.
    The XP clients have a registry value set to allow NAT traversal:
    under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec, AssumeUDPEncapsulationContextOnSendRule is set to 2 to allow dual NAT traversal.
    The XP clients happily access internal hosts, but hang accessing some, but not all external hosts.
    For example, most Google services are quickly displayed, whereas www.comcast.net or www.llbean.net hang. It appears to be more frequent accessing third-party hosts while processing the initial page. Some Google web services, e.g. some Google Map plugins do eventually hang.
    An XP host internal to the network configured with the above registry key set to 0 (No NAT traversal)
    exhibits the same behavior when using a VPN connection
    Public Cloud <-> NAT <-> Private (with public addresses) <-> Mini (VPN) <-> Pvt. <-> Client
    Same host without VPN works fine.
    Clearing the XP checkbox that routes all traffic to the remote (VPN) router makes external hosts work
    as you would expect.
    So my questions are:
    a) What's XP doing?
    b) Can it be fixed? (besides routing public traffic away from the VPN.)
    Thanks Jonathan
    p.s. MrHoffman, I almost asked this in the HP Forum as well, till I noticed you were here. (Assuming you are Hoff.)

    Hi soccerdude21490-
    "Is this possible?"
    Theoretically yes. However, it would be up to the school to allow you access through their network.
    The first step would be to contact the school's IT department and ask them if they will allow such a connection, and if so, could they please provide you with the settings (ip address etc.).
    Luck-
    -DP

  • CSS 11500:Client ip-address visible to the real server

    Is it possible to keep the original IP address of the client when the CSS is redirecting the traffic to the real server? The customer needs the client IP address on the real server for reporting.
    regards
    Dietrich Schleyer

    Dietrich,
    by default the CSS will keep the original client ip address.
    To have the CSS changing the client ip, your customer must have configured a group with 'add destination service'.
    Probably because your client is using a one-armed setup which is the easiest to implement but the worst to use.
    So, your customer should go to a 2-sides CSS design and have the traffic flow through the CSS without the need to do client nat.
    Once the design is correct, you can remove the group and the CSS will keep the client ip address.
    Regards,
    Gilles.
    Thanks for rating.

  • ACE 4710 Client and Server hitting same VIP

    But the catch here is we are using IP's from server side VLAN's as opposed to from the Client side. If that were the case I would simply use SNAT and assign a pool but in this case that doesn't appear to work.
    So how do I get this to work?
    Mike

    And how do I do that? You say client NAT, I hear source NAT and think of this:
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6ef5.shtml
    This doesn't work because my VIP IP pool is the same as the server side VLAN.
    We are using public IP on our servers as to not have to manage rfc1918 addresses.
    Mike

  • ACE: Transparent NAT feasibility

    Is transparent NAT possible? The applications need to be aware of the source IP address to process. The only way I can see to do this is insert the source into the header. I seem to recall reading about transparent NAT, and no NAT, but I cannot find it now.
    All ideas welcome.

    BTW, I want to clarify that client NAT is not on by default. You must have configured it, and if you do so, you lose information about the client IP. The solution to insert the info into the HTTP header is a good one.
    Gilles

  • Potential NAT Solution, some issues

    Greetings,
    I am currently developing software that entails the need to have live voice transmission to several clients. All of the audio comes into the server and is redirected out to the appropriate clients. I'm sure that by now many of you are aware of the issues inherent in using JMF, or more specifically UDP, across the internet: NAT routers don't deal with UDP packets very well and the clients behind them tend not to receive them. For my application I can't expect every client that is behind a NAT router to set up port forwarding to their machine; I want the application to work without extra technical effort on their part. Simplicity is of vital importance especially when trying to reduce the need for support calls.
    After reading up on the different kinds of NATs and how they respond to incoming UDP packets I discovered a way that will, in theory, work. To start with, the server needs to be publicly accessible. If the server is behind a NAT then port forwarding must be set up (no big deal). Let us say that the server is sending out audio on port S1 with control port S2 and the client wishes to receive the audio on port C1 with control port C2. The client, upon logging in, must send a UDP packet from local port C1 to server port S1 and from local port C2 to server port S2.
    The server must accept these handshaking UDP packets and store the address and port that they come from. The client ports might not be C1 and C2 by the time they reach the server because the NAT router may have changed them. Indeed, they may not even be consecutive ports by the time they reach the server; it's all dependent on how the client's NAT chooses to map them.
    The server, by examining the initial handshake, knows exactly where to send the RTP data for that client. Now when RTP data reaches the client's network it will be properly forwarded to the client since the network has already sent out a packet from those ports to those locations and thus a mapping has been established. If the client's ports are not consecutive ports by the time they are mapped and reach the server, then the SessionAddress, which typically sends out data on the port provided and the next consecutive one, does have a constructor where you can specify both the data and control port to be specific, non-consecutive ports.
    By sending this initial handshake any NAT, even the most restrictive symmetric NAT, will now correctly forward any incoming UDP packets from server ports S1 and S2 as long as they are coming in to the client ports that initially sent out the handshake. Now you may be wondering how the server can be listening for handshakes on the same port that it is supposed to be sending out audio on. Well, in my case no audio is transmitted until all of the expected clients have connected. If this was not desirable, if one wanted to allow clients to join after RTP data has already started transmitting, then the handshake would need to be accepted on a different port than the ones that are transmitting RTP data. The tradeoff associated with this, however, is that clients that are behind symmetric NATs won't be able to receive audio, since the handshake must go to the exact server port that they wish to receive RTP data from; all of the other kinds of NATs will allow this however.
    I implemented this into my application and it works, but inconsistently. In other words the clients aren't always receiving the ReceiveStream events from the server and I can't figure out why. I am running clients on machines that are apparently behind a port restricted NAT and after much debugging have established that proper mappings aren't always being established the way that they should be based on the definitions of NATs. Is it possible that the router that I am testing the clients on isn't compliant with the 4 kinds of NATs that supposedly exist? Or is there some error in the logic that I have used to set up the mappings (the handshaking?) Everything that I said above has been implemented correctly, I am positive because I have been going over it for weeks, puzzled as to why it won't work. The only other thing I can think of is that the server is behind the same NAT that the clients are behind for testing; the server just has certain ports mapped but the clients are treating it as if it was at a remote public location so I can't see how this would matter.
    Does anyone have any ideas on what it might be? Does anyone see any logical problem with the way I've tried to establish mappings? Or have any questions? As far as I can tell it should work, perhaps I am missing something obvious and if I am I know that there are a lot of intelligent people here who will spot it. Thank you very much.
    Message was edited by:
    Malcolm_F

    Hi lagar,
    Good stuff, I've made some additional progress as well. One thing that I discovered is that the mappings that you establish with the initial handshake are only kept by the client's NAT for a short period of time. In other words, it was working inconsistently for me because I was setting up the mappings early and then not sending the audio until a few minutes later; by that time some of the clients' NATs had lost the mappings that had been previously established and thus some of the clients weren't receiving the audio.
    I modified my application so that right before it starts sending audio it shakes hands with all of the clients, establishing fresh mappings right before the audio is sent. This seems to be working consistently now, I just tested it with someone on a different network who is behind a symmetric NAT (the ugly kind) and they were able to send and receive live audio consistently, we had a little online conference call. I tested it from several other remote locations and it has worked fine so far. I have just run into one issue while testing it with someone at a remote location but there might be an issue with their JMF installation.
    Please keep me updated on the status of your project and let me know if you have any questions or ideas.
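
The handshake scheme from the thread above (the server records the post-NAT address seen on each client's handshake, and mappings that have idled out are refreshed before audio is sent), as an added Python example that is not code from either poster's application. The HMAC login token, the 20-second idle limit and all names are assumptions; the token check is there so that an unauthenticated datagram cannot re-point a client's stream.

```python
import hashlib
import hmac
import socket
import time

MAPPING_TTL = 20.0  # assumed idle lifetime in seconds; real NAT timeouts vary


class MappingTable:
    """Tracks the post-NAT (ip, port) each client's handshake arrived from."""

    def __init__(self, secret, ttl=MAPPING_TTL, clock=time.monotonic):
        self.secret, self.ttl, self.clock = secret, ttl, clock
        self.peers = {}  # client_id -> ((ip, port), time of last handshake)

    def token(self, client_id):
        """Token given to the client at login (hypothetical login step)."""
        return hmac.new(self.secret, client_id.encode(), hashlib.sha256).hexdigest()

    def handshake(self, payload, addr):
        """Handle b'client_id:token' received from addr; return the id or None."""
        try:
            client_id, tok = payload.decode("ascii").split(":", 1)
        except ValueError:  # also covers UnicodeDecodeError
            return None
        if not hmac.compare_digest(tok, self.token(client_id)):
            return None  # a forged handshake must not redirect the stream
        # Store what the server observed, not what the client claims: the NAT
        # may have rewritten both the address and the port.
        self.peers[client_id] = (addr, self.clock())
        return client_id

    def target(self, client_id):
        """Where to send RTP, or None if the mapping is missing or stale."""
        entry = self.peers.get(client_id)
        if entry is None or self.clock() - entry[1] > self.ttl:
            return None
        return entry[0]

    def stale(self):
        """Clients that must handshake again before audio is sent."""
        return sorted(c for c in self.peers if self.target(c) is None)


def loopback_demo():
    """One client and one server on 127.0.0.1 (constructed, no NAT involved).

    The client sends its handshake from the socket it will receive on, and
    the server replies from the port the handshake was addressed to.
    """
    table = MappingTable(b"constructed-demo-secret")
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        server.bind(("127.0.0.1", 0))  # stands in for server port S1
        client.bind(("127.0.0.1", 0))  # stands in for client port C1
        server.settimeout(2.0)
        client.settimeout(2.0)
        hello = "alice:" + table.token("alice")
        client.sendto(hello.encode("ascii"), server.getsockname())
        payload, seen = server.recvfrom(2048)
        who = table.handshake(payload, seen)
        server.sendto(b"audio-frame", table.target(who))
        data, src = client.recvfrom(2048)
        return who, data, src == server.getsockname()
    finally:
        server.close()
        client.close()


if __name__ == "__main__":
    print(loopback_demo())
```
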


    I am having a problem where just a few of my files show heavy magenta banding after importing into Lightroom 4.1.  I am importing RAW files from a Nikon D800. I don't think it's the camera because most of my files are fine.  And I don't think it's th