Config XDB for https ssl access

Similar Messages

• Applicationhost.config updates for HTTP Slow Post with Azure Websites

  We are trying to update our Azure websites to not show as vulnerable to the HTTP Slow Post vulnerability. Some articles suggest fixing this by updating the applicationHost.config via IIS to update the connection timeout values. Obviously with Azure websites,
  we don't have access to IIS. Came across some options with Kudu and XDT to modify the application host file, as outlined on these two sites:
  http://azure.microsoft.com/en-us/documentation/articles/web-sites-transform-extend/#transform
  http://rtigger.com/blog/2014/03/31/number-til-modifying-you-azure-applicationhost-dot-config
  Currently am using the following as our applicationHost.xdt (I have this both in our application root, as well as in a SiteExtensions folder as I wasn't clear which one was required).
  <?xml version="1.0"?> 
  <configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform"> 
  <system.applicationHost>
          <sites>
              <siteDefaults>
                  <limits connectionTimeout="00:00:30"
  xdt:Transform="Insert" />
              </siteDefaults>
              <applicationDefaults applicationPool="DefaultAppPool" />
              <virtualDirectoryDefaults allowSubDirConfig="true" />
          </sites>
          <webLimits connectionTimeout="00:00:30"
  xdt:Transform="Insert" />
  </system.applicationHost>
  </configuration> 
  We also set the WEBSITE_PRIVATE_EXTENSIONS app-setting to 1 as instructed.
  When testing our site using a 3rd party tool, it appears the setting is not getting applied. Hoping someone can point out where our error may be. Alternatively, is there any way to see what the current applicationHost.config is for our website? I'm curious
  if our XDT is correctly being applied, so if we could see what the resulting file was that may also allow us to further troubleshoot.
  Thanks in advance for any advise!

  Please see
  this page, which has detailed steps on finding your applicationhost.config and finding the logs from the transformation. And please make sure that your applicationhost.xdt is in your
  d:\home\site folder (and not in your site\wwwroot).
  David

• Need to change the Certificate in ACE that is using for HTTPS Management access

  Dear Team,
  Currently we are getting certificate cannot be trusted error in web browser while we are accessing the ACE through https. So we need to installed the new https certificate for https management connection to ACE for removing this error. We do not want to use the self signed certificate for https access to ACEmanagement. We have done the below configuration but there no luck, still its showing the previous self signed certificate in browser.
  parameter-map type ssl MNGMT_SSL
  cipher RSA_WITH_AES_128_CBC_SHA priority 2
  ssl-proxy service PSERVICE_SERVER
  key ACEKEY.key
  cert ACECERT.cert
  ssl advanced-options MNGMT_SSL
  Kindly suggest how we can installed the certificate on ACE for only https management access.
  Thanks in advance.
  Regrads,
  Ranjith

  Ranjith,
  You may want to see the details and recommendation relatedo to this situation and this bug:
  CSCte42757
  Jorge

• How do I configure XSQL for HTTPS/SSL?

  I'm using Allaire JRUN. Does anything special need to be done in order to use SSL?
  I followed the installation instructions, and xsql works fine with HTTP but it failed with HTTPS.

  <xsql:include-xsql href="https://{@host}/file.xsql?id={@id}"/>
  Also, when a user goes to /file.xsql?id={@id}]http://{@host}/file.xsql?id={@id} the URL is being forced to https. When this happens I get file not found.
  <BLOCKQUOTE><font size="1" face="Verdana, Arial">quote:</font><HR>Originally posted by Steve Muench ([email protected]):
  Are you trying to retrieve the source of an XSQL Page from another server over https and then process it locally?
  This is what's attempting to be done by giving the XSQLRequest() a URL with http:// or https://
  Is that what you are intending?
  If not, tell me more about what you're trying to accomplish in words, and we'll try to recommend a strategy.<HR></BLOCKQUOTE>
  null

• Https ssl config Oracle AS, webcache, portal...almost works

  Hi,
  I have searched the forums and I havent found anything that works for me.
  I have Oracle infrastructure on one server, and Oracle App server/portal on another server. I can get as far as the http server showing the "welcome to oracle" page in https form. When I try to access a page in the portal (plsql) I get a blank page. It does convert the "https://myserver:xxxx//pls/portal/url/page/IRWEB/HOME
  " to "https://myserver:xxxx/portal/page?_pageid=73,86254,73_86264:73_86316:73_8632...." but nothing comes up.
  Also, it uses the Infrastructure server for single-sign-on...so I need to make the app server do the single sign-on. I've tried by adding /pls/orasso entry in DADS.conf of http server..
  So as far as I can tell...the http server IS operating in https/ssl, but the single-sign-on and the pages in the portal are not.
  I have to do everything manually since I am using 10.1.2 (no Oracle Collab Suite installed, so no SSLConfigTool and other assistants)
  Here is what I've done to get https://myserver:xxxx/ to come up ok.
  server 1: Oracle Infrastructure and Oracle database release 1 10.1.2.0.0
  server 2: Oracle Application Server / Portal with webcache release 2 10.1.2
  using Oracle Wallet for certificate,
  http server -> process management "ssl-enabled",
  http server -> advanced -> ssl.config: SSLWallet file:, SSLWalletPassword, virtual host for ssl
  webcache -> added settings for ssl (I used the current entries for non-ssl as a guide for the ssl entries)
  Interesting issue...with the ports in the ssl.conf file example:
  Port 4459
  Listen 4459
  VirtualHose myserver.blah.edu:4450
  Port 4458
  When I get the blank page trying to use ssl and 4459, I can manually change the url in my browser to 4458 (or maybe its the other way around) and get this message: "Error: The portlet could not be contacted"
  Is this a problem with webcache? Do I have to do any ssl config on the server with the database?
  I've even tried disabling the webcache, both with the oracle sql script and through web interface but neither made a difference...same problem.
  Any help would be greatly appreciated..I feel as if I'm almost there.
  If I did not post enough info for accurate help, please ask what you need to know to provide help! Thanks in advance.

  Hi,
  Yes you can go for SSl configuration without re-installing any of the components.
  Regards,
  access_tammy

• How To Force Access Via HTTPS/SSL?

  Forgive me if this question reveals how little I know about SSL, but... ;-)
  What is the standard, best practice way to force a web client (via browser)
  to use HTTPS/SSL? Our configuration is that the clients hit an IIS server
  first, which then uses the WebLogic proxy/forward plug-ins to the WebLogic
  server. The URLs that our clients follow come from an email we send, which
  has https:// on the front. Access seems to stay in https as long as they
  follow our links, but if the client edits the URL and changes https to
  http, the access is now without SSL. How can I restrict access to https
  only, or otherwise make sure they never use non-SSL access?
  Thanks in advance for any explanations or pointers to references, etc.
  -Paul

  Paul,
  You can disable the http port between IIS and weblogic. Configure only the SSL
  connection. That way if any request comes to weblogic as http , it will be rejected.
  Udit
  Paul Hodgetts <[email protected]> wrote:
  Thanks for the reply! What if the web server (the front end IIS server)
  also serves static web pages that are allowed to be accessed without
  HTTPS/SSL? It's primarily the requests forwarded through to JSP/servlets
  on the WebLogic server that must use HTTPS/SSL.
  Thanks,
  -Paul
  Robert Patrick <[email protected]> wrote:
  One way would be to close the HTTP port in your firewall so that non-HTTPS
  traffic cannot reach the web server...
  Paul Hodgetts wrote:
  Forgive me if this question reveals how little I know about SSL,
  but... ;-)
  What is the standard, best practice way to force a web client (viabrowser)
  to use HTTPS/SSL? Our configuration is that the clients hit an IISserver
  first, which then uses the WebLogic proxy/forward plug-ins to theWebLogic
  server. The URLs that our clients follow come from an email we send,which
  has https:// on the front. Access seems to stay in https as long
  as they
  follow our links, but if the client edits the URL and changes httpsto
  http, the access is now without SSL. How can I restrict access tohttps
  only, or otherwise make sure they never use non-SSL access?
  Thanks in advance for any explanations or pointers to references,etc.
  -Paul

• Https / SSL needed for my website

  I hope someone can help me.
  I have a website
  http://www.to-shea.com
  I purchased a SSL package from register.com (they host my
  site too). They told me "anyone who sees my site would see the
  https prefix. I received an email from them stating that they could
  not put the https prefix on my site, although it is on their secure
  servers. needless to say, I was quite upset. Anyone on the web
  knows that an https prefix means it is a secure site. Is there ANY
  thing I can do to fix this problem. (it only cost me $28.00)
  Is there a program I can use to force the https prefix.
  I am on a Mac (OSX) and I use Dreamweaver CS3. I am a LITTLE
  familiar with html code but not a alot.
  Can someone there help me???

  What exactly are you asking a question about?
  https and SSL are usually only used for secure transfer of
  information when
  ordering and sending sensitive information. You do not want
  people viewing
  the web site using https and not completing an order to be in
  https SSL
  because it slows things down. It involves encoding/decoding
  of everything in
  the page including graphics.
  In other words- I shop at the site. I add things to the cart.
  I am viewing
  the site in http until it's time to check out and i am asked
  for my card
  numbers.
  Does the certificate not work or throw an error?
  Do you understand how to change links from https to http?
  When to use http or https?
  And if you want to force https, what is the server side
  scripting language.
  What's the question please.
  Alan
  Adobe Community Expert, dreamweaver
  http://www.adobe.com/communities/experts/

• How  to config receiver http adapter for HTTP POST without XML tags ??

  Hi All,
  Can you please provide some infornation on How  to config receiver http adapter for HTTP POST (Request) without XML tags ?? Our receiving product doesn't support XML formats.
  Is there any option to bypass server authentication on the XI?
  If anybody has the same experience or know how to please provide inputs.
  Thanx
  Navin

  Hi,
  you can use xsl mapping for this in which u xtract
  the contents only but not the xml tag.
  Ranjit

• How the external system will talk to ECXpert 3.5 for transfering files via HTTP SSl?

  We are using ECxpert3.5 on Solaris box. One of our Trading Partner want to communicate through HTTP-SSL and we are doing XML/EDI mapping. Could you guide us what steps we need to take care to implement this.
  How the external system will talk to ECXpert for transferring files. (We need the syntax for the URL). How ECXpert will receive XML file through HTTP-SSL protocol from External System and file submittion.
  Please send is there any other document which explain about. Thanks in advance for your help. [email protected] or [email protected]

  Hi Steve,
  You can bring the GRC framework to a state equivalent to a raw install by following options:
  Option 1.) You should have a base-line backup before GRC installation. If so then apply that base-lin backup and deploy GRC components. If there is no base-lin backup, then
  Option 2.) Uninstall and re-install J2EE and then follow up with rest of the installation process. If you don't want to go through re-install process, then
  **Correction to Option 3**
  Option3.) SAP is in process of creating a SAP Note for Delete script, Instead of delivering Delete Script script via OSS message.  Will update you as soon as the Note gets released.
  Please refere to Note # 1416728 to Manage your deletion in RAR 5.3 SP10.
  Hope this helps.
  Best Regards,
  Sirish Gullapalli.

• Create Apps for HTTP access

  Hi,
  Is there a way to create apps for HTTP access instead of using UNC?
  And have it access via Application Explorer?
  Thanks,
  Harold

  Do you mean an app to launch a web page via IE/NetScape?
  Just run "IEXPLORE.EXE" with the webpage as the parameter.
  Of do you mean HTTP connectivity for the workstation to run an app?
  The 2nd starts to exist in ZFD4 in some fashion , but not ZFD3.
  [email protected] wrote:
  > Hi,
  >
  > Is there a way to create apps for HTTP access instead of using UNC?
  > And have it access via Application Explorer?
  >
  > Thanks,
  > Harold

• WSA access logging for HTTPS traffic

  Hi,
  We have a WSA s370 with AsyncOS  version 7.5.1-079 and it is configured as a transparent proxy.
  HTTPS proxy is enabled and all the URL categories set to pass through ( no decrytpting or monitoring ).
  Seems like the WSA does not generate logs for HTTPS transactions.
  I would like to know whether this is the expected behaviour.
  Is there any way that I can monitor HTTPS transactions without decrypting ?
  Thanks,
  Wipula.

  In addition to what Ken mentioned, the only way you can monitor HTTPS traffic without decrypting it will be done so using the IP address.
  In the access logs, you will see the following transaction when accessing an HTTPS site (google for example):
  TCP_CONNECT 74.125.101.50
  It will only report URLs once decrypted.  At that point, it is just HTTP.
  -Vance

• ECXpert3.5- How to setup HTTP-SSL for xml protocol

  Hi,
  We are using ECXpert3.5 on Solaris box. One of our Trading Partner want to communicate through HTTP-SSL and we are doing XML/EDI mapping. Could you guide us what steps we need to take care to implement this.
  How the external system will talk to ECXpert for transferring files.(We need the syntax for the URL). Could you suggest how to setup the HTTP SSL for XML protocol to receive xml files from remote system.
  Thanks in advance for your help!
  Regards,
  Ravi.

  Hi,
  We are using ECXpert3.5 on Solaris box. One of our Trading Partner want to communicate through HTTP-SSL and we are doing XML/EDI mapping. Could you guide us what steps we need to take care to implement this.
  How the external system will talk to ECXpert for transferring files.(We need the syntax for the URL). Could you suggest how to setup the HTTP SSL for XML protocol to receive xml files from remote system.
  Thanks in advance for your help!
  Regards,
  Ravi.

• Enabling SSL for HTTP Sender Adapter

  Hi Experts,
  I'd like to have a step by step process in enabling HTTPS for Plain_HTTP Sender Adapter. I've already read the enabling HTTPS on SAP Help, but it does not provide much detail. Would the steps be the same for enabling HTTPS for Plain_HTTP Receiver which are:
  1. Install the certificates using STRUST
  2. Configure an RFC Destination using SM59
  3. Call your RFC Destination in Receiver HTTP Adapter (not valid for http sender adapter)
  The connection for setting up http is http://<hostname>:port/<path>?<query string>
  but what about https? Would it be connecting to the webdispatcher first?
  Hope you can help me,
  Regards,

  Hi,
  as HTTP Adapter is on ABAB stack you will need to configure with STRUST.
  http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/frameset.htm
  The URL should start then with https, but you could test with this sample client:
  https://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/66dadc6e-0a01-0010-9ea9-bb6d8ca48cc8
  Regards
  Patrick

• I don't have access to Google Images Search since I installed the latest update for https everywhere (today)

  I have installed the https everywhere add-on a while ago.
  Since I've done this I've never been able to click on images each time I was doing a Google search from their first page of results ("search everything"), but I could still find images by going directly to Google Images search.
  Since I installed the latest update for https everywhere this morning, I simply cannot search a single image with Google, which is a problem as I'm a professional art historian.
  I get the message"Your search - rembrandt - could not be completed with the requested search options. Reset search tools".
  But resetting the search tools don't change anything. I'm working on a Mac, if it helps.

  I had the same problem although it was a previous update rather than this one that caused the problem. Just hadn't got round to doing something about it - was using Bing images instead.
  I searched for some answers this morning and seemed like most suggestions were a nuisance to try. Couldn't find 'Preferences button of HTTPS-Everywhere' as suggested above. Decided to check if No Script was blocking it. Sure enough. So problem is solved.
  Thought I'd put it out there in case it helps someone else. Appreciate that people are so helpful on here.

• AnyConnect error " User not authorized for AnyConnect Client access, contact your administrator"

  Hi everyone,
  it's probably just me but I have tried real hard to get a simple AnyConnect setup working in a lab environment on my ASA 5505 at home, without luck. When I connect with the AnyConnect client I get the error message "User not authorized for AnyConnect Client access, contact your administrator". I have searched for this error and tried some of the few solutions out there, but to no avail. I also updated the ASA from 8.4.4(1) to 9.1(1) and ASDM from 6.4(9) to 7.1(1) but still the same problem. The setup of the ASA is straight forward, directly connected to the Internet with a 10.0.1.0 / 24 subnet on the inside and an address pool of 10.0.2.0 / 24 to assign to the VPN clients. Please note that due to ISP restrictions, I'm using port 44455 instead of 443. I had AnyConnect working with the SSL portal, but IKEv2 IPsec is giving me a headache. I have stripped down certificate authentication which I had running before just to eliminate this as a potential cause of the issue. When running debugging, I do not get any error messages - the handshake completes successfully and the local authentication works fine as well.
  Please find the current config and debugging output below. I appreciate any pointers as to what might be wrong here.
  : Saved
  ASA Version 9.1(1)
  hostname ASA
  domain-name ingo.local
  enable password ... encrypted
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  passwd ... encrypted
  names
  name 10.0.1.0 LAN-10-0-1-x
  dns-guard
  ip local pool VPNPool 10.0.2.1-10.0.2.10 mask 255.255.255.0
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif Internal
  security-level 100
  ip address 10.0.1.254 255.255.255.0
  interface Vlan2
  nameif External
  security-level 0
  ip address dhcp setroute
  regex BlockFacebook "facebook.com"
  banner login This is a monitored system. Unauthorized access is prohibited.
  boot system disk0:/asa911-k8.bin
  ftp mode passive
  clock timezone PST -8
  clock summer-time PDT recurring
  dns domain-lookup Internal
  dns domain-lookup External
  dns server-group DefaultDNS
  name-server 10.0.1.11
  name-server 75.153.176.1
  name-server 75.153.176.9
  domain-name ingo.local
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network LAN-10-0-1-x
  subnet 10.0.1.0 255.255.255.0
  object network Company-IP1
  host xxx.xxx.xxx.xxx
  object network Company-IP2
  host xxx.xxx.xxx.xxx
  object network HYPER-V-DUAL-IP
  range 10.0.1.1 10.0.1.2
  object network LAN-10-0-1-X
  access-list 100 extended permit tcp any4 object HYPER-V-DUAL-IP eq 3389 inactive
  access-list 100 extended permit tcp object Company-IP1 object HYPER-V-DUAL-IP eq 3389
  access-list 100 extended permit tcp object Company-IP2 object HYPER-V-DUAL-IP eq 3389 
  tcp-map Normalizer
    check-retransmission
    checksum-verification
  no pager
  logging enable
  logging timestamp
  logging list Threats message 106023
  logging list Threats message 106100
  logging list Threats message 106015
  logging list Threats message 106021
  logging list Threats message 401004
  logging buffered errors
  logging trap Threats
  logging asdm debugging
  logging device-id hostname
  logging host Internal 10.0.1.11 format emblem
  logging ftp-bufferwrap
  logging ftp-server 10.0.1.11 / asa *****
  logging permit-hostdown
  mtu Internal 1500
  mtu External 1500
  ip verify reverse-path interface Internal
  ip verify reverse-path interface External
  icmp unreachable rate-limit 1 burst-size 1
  icmp deny any echo External
  asdm image disk0:/asdm-711.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  object network obj_any
  nat (Internal,External) dynamic interface
  object network LAN-10-0-1-x
  nat (Internal,External) dynamic interface
  object network HYPER-V-DUAL-IP
  nat (Internal,External) static interface service tcp 3389 3389
  access-group 100 in interface External
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa-server radius protocol radius
  aaa-server radius (Internal) host 10.0.1.11
  key *****
  radius-common-pw *****
  user-identity default-domain LOCAL
  aaa authentication ssh console radius LOCAL
  http server enable
  http LAN-10-0-1-x 255.255.255.0 Internal
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map External_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map External_map interface External
  crypto ca trustpoint srv01_trustpoint
  enrollment terminal
  crl configure
  crypto ca trustpoint asa_cert_trustpoint
  keypair asa_cert_trustpoint
  crl configure
  crypto ca trustpoint LOCAL-CA-SERVER
  keypair LOCAL-CA-SERVER
  crl configure
  crypto ca trustpool policy
  crypto ca server
  cdp-url http://.../+CSCOCA+/asa_ca.crl:44435
  issuer-name CN=...
  database path disk0:/LOCAL_CA_SERVER/
  smtp from-address ...
  publish-crl External 44436
  crypto ca certificate chain srv01_trustpoint
  certificate <output omitted>
    quit
  crypto ca certificate chain asa_cert_trustpoint
  certificate <output omitted>
    quit
  crypto ca certificate chain LOCAL-CA-SERVER
  certificate <output omitted>
    quit
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable External client-services port 44455
  crypto ikev2 remote-access trustpoint asa_cert_trustpoint
  telnet timeout 5
  ssh LAN-10-0-1-x 255.255.255.0 Internal
  ssh xxx.xxx.xxx.xxx 255.255.255.255 External
  ssh xxx.xxx.xxx.xxx 255.255.255.255 External
  ssh timeout 5
  ssh version 2
  console timeout 0
  no vpn-addr-assign aaa
  no ipv6-vpn-addr-assign aaa
  no ipv6-vpn-addr-assign local
  dhcpd dns 75.153.176.9 75.153.176.1
  dhcpd domain ingo.local
  dhcpd option 3 ip 10.0.1.254
  dhcpd address 10.0.1.50-10.0.1.81 Internal
  dhcpd enable Internal
  threat-detection basic-threat
  threat-detection scanning-threat shun except ip-address LAN-10-0-1-x 255.255.255.0
  threat-detection statistics access-list
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  dynamic-filter use-database
  dynamic-filter enable interface Internal
  dynamic-filter enable interface External
  dynamic-filter drop blacklist interface Internal
  dynamic-filter drop blacklist interface External
  ntp server 128.233.3.101 source External
  ntp server 128.233.3.100 source External prefer
  ntp server 204.152.184.72 source External
  ntp server 192.6.38.127 source External
  ssl encryption aes256-sha1 aes128-sha1 3des-sha1
  ssl trust-point asa_cert_trustpoint External
  webvpn
  port 44433
  enable External
  dtls port 44433
  anyconnect image disk0:/anyconnect-win-3.1.02026-k9.pkg 1
  anyconnect profiles profile1 disk0:/profile1.xml
  anyconnect enable
  smart-tunnel list SmartTunnelList1 mstsc mstsc.exe platform windows
  smart-tunnel list SmartTunnelList1 putty putty.exe platform windows
  group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
  webvpn
    anyconnect profiles value profile1 type user
  username write.ingo password ... encrypted
  username ingo password ... encrypted privilege 15
  username tom.tucker password ... encrypted
  class-map TCP
  match port tcp range 1 65535
  class-map type regex match-any BlockFacebook
  match regex BlockFacebook
  class-map type inspect http match-all BlockDomains
  match request header host regex class BlockFacebook
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 1500
    id-randomization
  policy-map TCP
  class TCP
    set connection conn-max 1000 embryonic-conn-max 1000 per-client-max 250 per-client-embryonic-max 250
    set connection timeout dcd
    set connection advanced-options Normalizer
    set connection decrement-ttl
  policy-map type inspect http HTTP
  parameters
    protocol-violation action drop-connection log
  class BlockDomains
  policy-map global_policy
  class inspection_default
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect dns preset_dns_map dynamic-filter-snoop
    inspect http HTTP
  service-policy global_policy global
  service-policy TCP interface External
  smtp-server 199.185.220.249
  privilege cmd level 3 mode exec command perfmon
  privilege cmd level 3 mode exec command ping
  privilege cmd level 3 mode exec command who
  privilege cmd level 3 mode exec command logging
  privilege cmd level 3 mode exec command failover
  privilege cmd level 3 mode exec command vpn-sessiondb
  privilege cmd level 3 mode exec command packet-tracer
  privilege show level 5 mode exec command import
  privilege show level 5 mode exec command running-config
  privilege show level 3 mode exec command reload
  privilege show level 3 mode exec command mode
  privilege show level 3 mode exec command firewall
  privilege show level 3 mode exec command asp
  privilege show level 3 mode exec command cpu
  privilege show level 3 mode exec command interface
  privilege show level 3 mode exec command clock
  privilege show level 3 mode exec command dns-hosts
  privilege show level 3 mode exec command access-list
  privilege show level 3 mode exec command logging
  privilege show level 3 mode exec command vlan
  privilege show level 3 mode exec command ip
  privilege show level 3 mode exec command failover
  privilege show level 3 mode exec command asdm
  privilege show level 3 mode exec command arp
  privilege show level 3 mode exec command ipv6
  privilege show level 3 mode exec command route
  privilege show level 3 mode exec command ospf
  privilege show level 3 mode exec command aaa-server
  privilege show level 3 mode exec command aaa
  privilege show level 3 mode exec command eigrp
  privilege show level 3 mode exec command crypto
  privilege show level 3 mode exec command ssh
  privilege show level 3 mode exec command vpn-sessiondb
  privilege show level 3 mode exec command vpnclient
  privilege show level 3 mode exec command vpn
  privilege show level 3 mode exec command dhcpd
  privilege show level 3 mode exec command blocks
  privilege show level 3 mode exec command wccp
  privilege show level 3 mode exec command dynamic-filter
  privilege show level 3 mode exec command webvpn
  privilege show level 3 mode exec command service-policy
  privilege show level 3 mode exec command module
  privilege show level 3 mode exec command uauth
  privilege show level 3 mode exec command compression
  privilege show level 3 mode configure command interface
  privilege show level 3 mode configure command clock
  privilege show level 3 mode configure command access-list
  privilege show level 3 mode configure command logging
  privilege show level 3 mode configure command ip
  privilege show level 3 mode configure command failover
  privilege show level 5 mode configure command asdm
  privilege show level 3 mode configure command arp
  privilege show level 3 mode configure command route
  privilege show level 3 mode configure command aaa-server
  privilege show level 3 mode configure command aaa
  privilege show level 3 mode configure command crypto
  privilege show level 3 mode configure command ssh
  privilege show level 3 mode configure command dhcpd
  privilege show level 5 mode configure command privilege
  privilege clear level 3 mode exec command dns-hosts
  privilege clear level 3 mode exec command logging
  privilege clear level 3 mode exec command arp
  privilege clear level 3 mode exec command aaa-server
  privilege clear level 3 mode exec command crypto
  privilege clear level 3 mode exec command dynamic-filter
  privilege cmd level 3 mode configure command failover
  privilege clear level 3 mode configure command logging
  privilege clear level 3 mode configure command arp
  privilege clear level 3 mode configure command crypto
  privilege clear level 3 mode configure command aaa-server
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:41a021a28f73c647a2f550ba932bed1a
  : end
  Many thanks,
  Ingo

  Hi Jose,
  here is what I got now:
  ASA(config)# sh run | begin tunnel-group
  tunnel-group DefaultWEBVPNGroup general-attributes
  address-pool VPNPool
  authorization-required
  and DAP debugging still the same:
  ASA(config)# DAP_TRACE: DAP_open: CDC45080
  DAP_TRACE: Username: tom.tucker, aaa.cisco.grouppolicy = DfltGrpPolicy
  DAP_TRACE: Username: tom.tucker, aaa.cisco.username = tom.tucker
  DAP_TRACE: Username: tom.tucker, aaa.cisco.username1 = tom.tucker
  DAP_TRACE: Username: tom.tucker, aaa.cisco.username2 =
  DAP_TRACE: Username: tom.tucker, aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
  DAP_TRACE: Username: tom.tucker, DAP_add_SCEP: scep required = [FALSE]
  DAP_TRACE: Username: tom.tucker, DAP_add_AC:
  endpoint.anyconnect.clientversion="3.1.02026";
  endpoint.anyconnect.platform="win";
  DAP_TRACE: Username: tom.tucker, dap_aggregate_attr: rec_count = 1
  DAP_TRACE: Username: tom.tucker, Selected DAPs: DfltAccessPolicy
  DAP_TRACE: Username: tom.tucker, DAP_close: CDC45080
  Unfortunately, it still doesn't work. Hmmm.. maybe a wipe of the config and starting from scratch can help?
  Thanks,
  Ingo