Configuring PFR with NAT - Dual ISP

Similar Messages

• Performance Routing (PfR) with single router, dual ISP and load balancing

  It looks like PfR can do this but I have only found information about this feature which will start using ISP2 once ISP1 reaches 75% usage. But this is not load balancing.
  Can we accomplish load balancing utilizing a single router with dual ISPs using this PfR feature? 
  Or do we have to use another feature?
  thank you in advance

  Disclaimer
  The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
  Liability Disclaimer
  In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
  Posting
  I'm rusty using OER/PfR, but I recall it could load balance two links on same router.  The issue, I also recall, if doing BGP, OER/PfR has to detect a load imbalance, and there's a certain difference allowance, and OER/PfR takes some time to decide, so depending on actual traffic, it might not be obvious it's working.  If doing BGP, there's a hidden command (which I don't recall is) that will load balance the two links on the same router; then you use OER/PfR to dynamically refine the balance load.

• VPN device with dual ISP, fail-over, and load balancing

  We currently service a client that has a PIX firewall that connects to multiple, separate outside vendors via IPSEC VPN. The VPN connections are mission critical and if for any reason the VPN device or the internet connection (currently only a T1) goes down, the business goes down too. We're looking for a solution that allows dual-ISP, failover, and load balancing. I see that there are several ASA models as well as the IOS that support this but what I'm confused about is what are the requirements for the other end of the VPN, keeping in mind that the other end will always be an outside vendor and out of our control. Current VPN endpoints for outside vendors are to devices like VPN 3000 Concentrator, Sonicwall, etc. that likely do not support any type of fail-over, trunking, load-balancing. Is this just not possible?

  Unless I am mistaken the ASA doesn't do VPN Load Balancing for point-to-point IPSec connections either. What you're really after is opportunistic connection failover, and/or something like DMVPN. Coordinating opportunistic failover shouldn't be too much of an issue with the partners, but be prepared for lot of questions.

• How to configure BODS in network environment with NAT ?

  Hi Team,
  Now we are working on POC of BO Data Services 4.0 with SI partner and they reported us that  a communication error (error code:BODI-1241023) occurred when they started a job from Designer. 
  They can do it without any problems in the following two cases.
  1. from Designer which is installed in the CMS/JobServer machine
  2. from Designer which is installed in local PC within internal network (without firewall / NAT) 
  That is, the cause is Firewall with NAT(Network Address Translation) between Designer and JobServer/CMS.
  And, they can log on to CMS/JobServer with NAT environment, however, cann't start a job from Designer.
  The port #3500 for JobServer is open. They confirmed that they could log on to the JobServer in the event log
  of the JobServer.
  That is,  Designer -> CMS/JobServer communication is OK, but JobServer -> Designer communication must be NG.
  Could you advise us how to configure BODS both client and server sides in the network environment with NAT ?
  Thanks and best regards,

  HI Buddy,
  You can achieve this by $FLEX$, create first value set, and assign it to first field. Create second value set based on first value set using $FLEX$.
  follow steps mentioned in the bellow link
  http://erpschools.com/articles/usage-of-flex

• Ipsec tunnel possible with Checkpoint ngx 6.5 and Cisco ISR-dual ISP?

  Hi Gurus,
  I have a requirement to fulfill in that there are 2 sites that I need to create an ipsec tunnel. A remote site running a Checkpoint ngx 6.5 and a local site with 2 different ISPs and 2 x ISR 29xx routers for both ISP and hardware redundancy. I have only done the vpn setup with one ISR and ISP1 so far.
  I am planning to have just 1 ISR (ISR1) and ISP1  being active at any given time. If ISP1 or ISR 1 goes out, all traffic should fail over to ISR2 with ISP2.
  is this possible with the ISRs?
  Checkpoint does not appear to allow seeing the different ISRs with 2 possible WAN ip addresses with the same encryption domain or 'interesting traffic', so i am not sure if this work at all.
  BGP won't be used.
  I have looked at ip sla, pbr, and it appears that the best I could achieve would be vpn traffic via ISR1 and ISP1, and could failover only the non vpn traffic to ISR2 and ISP2.  Please correct me if I am wrong....many thanks.
  Any ideas will be greatly appreciated..
  Civicfan

  I found the problem but dont know how to fix it now!
  Problem is on siteB with using the same ACL name "siteA" in both sequence numbers in cryptomap "outside_map"
  crypto map outside_map 9 match address SiteA
  crypto map outside_map 9 set peer 212.89.229.xx
  crypto map outside_map 9 set transform-set ESP-AES-256-SHA
  crypto map outside_map 9 set security-association lifetime seconds 28800
  crypto map outside_map 9 set security-association lifetime kilobytes 4608000
  crypto map outside_map 10 match address SiteA
  crypto map outside_map 10 set peer 212.89.235.yy
  crypto map outside_map 10 set transform-set ESP-AES-256-SHA
  crypto map outside_map 10 set security-association lifetime seconds 28800
  crypto map outside_map 10 set security-association lifetime kilobytes 4608000
  If I remove:
  no crypto map outside_map 9 match address SiteA
  the IPSEC through 2nd ISP on siteA is working correct

• Problem with nat-ing on asa 5505

  i have the asa5505 with asa8.4.2 and asdm 6.4.5. i use this asa5505 for connecting my network 192.168.0.0/24 with network 10.15.100.0/24. my wan port of asa5505 on network 10.13.74.0/24, lan port is on 192.168.0.0./24. this configuration worked ok until my isp changed router on address 10.13.74.1. i nat-ed on asa5505, i puted access policy and i had access network 10.15.100.0/24. but now i can't. the users from network can access devices on addresses 192.168.0.20 and 192.168.0.22 but i can't access the network 10.15.100.0/24. my configuration of asa5505 is:
  Result of the command: "show runn": Saved:ASA Version 8.4(2) !hostname ciscoasaenable password 8Ry2YjIyt7RRXU24 encryptedpasswd 2KFQnbNIdI.2KYOU encryptednames!interface Ethernet0/0 switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1 nameif inside security-level 100 ip address 192.168.0.17 255.255.255.0 !interface Vlan2 nameif outside security-level 0 ip address 10.13.74.33 255.255.255.0 !ftp mode passiveobject network obj_any subnet 0.0.0.0 0.0.0.0object network server host 192.168.0.20object network sharepointdri host 192.168.0.22object network paragraflex host 192.168.0.20object network dri.local subnet 192.168.0.0 255.255.255.0object service ParagrafLex1 service tcp source eq 6190 description Odlazniobject service paragraf service tcp destination eq 6190 description dolazniobject network nonat host 192.168.0.20object network lokalnamreza range 192.168.0.1 192.168.0.254object network natnetwork subnet 192.168.0.0 255.255.255.0object network natmreze subnet 192.168.0.0 255.255.255.0object-group service DM_INLINE_SERVICE_2 service-object ip service-object icmp echo-reply service-object tcp object-group service DM_INLINE_SERVICE_1 service-object icmp echo-reply service-object tcp service-object ip service-object tcp destination eq domain service-object tcp destination eq ldap service-object object ParagrafLex1 object-group service DM_INLINE_SERVICE_8 service-object ip service-object tcp service-object icmp echo-replyobject-group service DM_INLINE_SERVICE_3 service-object tcp service-object tcp destination eq domain service-object tcp destination eq ldap object-group service DM_INLINE_SERVICE_4 service-object tcp service-object icmp echo-replyobject-group protocol DM_INLINE_PROTOCOL_2 protocol-object udp protocol-object tcpobject-group protocol TCPUDP protocol-object udp protocol-object tcpobject-group service DM_INLINE_SERVICE_5 service-object ip service-object icmp echo-replyobject-group protocol DM_INLINE_PROTOCOL_1 protocol-object ip protocol-object tcpobject-group service DM_INLINE_SERVICE_6 service-object ip service-object tcp service-object icmp echo-reply service-object icmp service-object tcp destination eq https object-group service DM_INLINE_SERVICE_7 service-object ip service-object tcp service-object icmp echo-reply service-object tcp destination eq https object-group network DM_INLINE_NETWORK_1 network-object 10.13.74.0 255.255.255.0 network-object 10.15.100.0 255.255.255.0object-group service DM_INLINE_SERVICE_9 service-object tcp-udp service-object tcp destination eq https service-object tcp destination eq domain object-group service DM_INLINE_SERVICE_10 service-object ip service-object tcp service-object icmp echo-replyobject-group service DM_INLINE_SERVICE_11 service-object ip service-object tcp service-object icmp echo-replyaccess-list nonat extended permit object-group DM_INLINE_SERVICE_8 192.168.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 access-list inside_access_out extended permit object-group DM_INLINE_SERVICE_6 any any access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 object dri.local 10.15.100.0 255.255.255.0 access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_7 any any access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_3 object dri.local 10.13.74.0 255.255.255.0 access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_4 any any access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_3 192.168.0.0 255.255.255.0 10.13.74.0 255.255.255.0 access-list outside_access_in_1 extended permit object paragraf any object server access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_1 any object server access-list outside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_1 any object sharepointdri access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_10 object natmreze any access-list outside_access_out extended permit object-group DM_INLINE_SERVICE_9 any any access-list outside_access_out extended permit object-group DM_INLINE_SERVICE_11 object natmreze 10.15.100.0 255.255.255.0 pager lines 24logging asdm informationalmtu inside 1500mtu outside 1500icmp unreachable rate-limit 1 burst-size 1no asdm history enablearp outside 10.13.74.1 000d.bd64.a8e2 arp timeout 14400!object network server nat (inside,outside) static 10.13.74.34 dnsobject network sharepointdri nat (any,any) static 10.13.74.39object network nonat nat (inside,outside) static 192.168.0.20object network natmreze nat (any,any) static 10.13.74.42 dnsaccess-group inside_access_in in interface insideaccess-group inside_access_out out interface insideaccess-group outside_access_in_1 in interface outsideaccess-group outside_access_out out interface outsideroute outside 0.0.0.0 0.0.0.0 10.13.74.1 1route outside 10.15.100.0 255.255.255.0 10.13.74.1 1timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolutetimeout tcp-proxy-reassembly 0:01:00timeout floating-conn 0:00:00dynamic-access-policy-record DfltAccessPolicyuser-identity default-domain LOCALhttp server enablehttp 192.168.0.0 255.255.255.0 insideno snmp-server locationno snmp-server contactsnmp-server enable traps snmp authentication linkup linkdown coldstart warmstarttelnet timeout 5ssh timeout 5console timeout 0dhcpd auto_config outside!threat-detection basic-threatthreat-detection statistics access-listno threat-detection statistics tcp-interceptwebvpn!class-map inspection_default match default-inspection-traffic!!policy-map type inspect dns preset_dns_map parameters  message-length maximum client auto  message-length maximum 512policy-map type inspect ftp paragraf parameterspolicy-map global_policy class inspection_default  inspect dns   inspect icmp   inspect ip-options   inspect netbios   inspect tftp   inspect h323 h225   inspect h323 ras !service-policy global_policy globalprompt hostname context state priority domain no call-home reporting anonymousCryptochecksum:61572938ed01b1c7447e43fcb2df4bc8: end
  what i do? plz help me?
  thanks

  Please do this, and let me know how it goes
  no access-list nonat extended permit object-group DM_INLINE_SERVICE_8 192.168.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
  no access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_3 object dri.local 10.13.74.0 255.255.255.0
  no access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_4 any any
  no access-list uprava_access_out extended permit object-group DM_INLINE_SERVICE_3 192.168.0.0 255.255.255.0 10.13.74.0 255.255.255.0
  access-list inside_access_in line 1 permit ip 192.168.0.0 255.255.255.0 any
  access-list outside_access_in_1 line 1 permit ip any 192.168.0.0 255.255.255.0
  no object network nonat
  no access-group inside_access_out out interface inside
  no access-group outside_access_out out interface outside
  no route outside 10.15.100.0 255.255.255.0 10.13.74.1 1

• Help with NAT ?

  Hi,
  I have the following network connected and configured to a single Cisco 1800 router.
  VLAN 2 (10.1.20.0/24)
  |
  int vlan2, ip address 10.1.20.1
  |
  Cisco 1800 ----- int fa0, public ip address ---- Internet
  |
  int vlan3, ip address 10.1.30.1
  |
  VLAN 3 (10.1.30.0/24)
  VLAN 2 is server vlan with a webserver.
  VLAN 3 is clients.
  NAT configuration:
  VLAN 2 and VLAN 3 is using NAT to access the internet, and both is configured as inside interfaces.
  fa0 is configured as outside interface.
  Now I don't know if this is about NAT, but I've tried several things without luck.
  Problem:
  A client in VLAN 3 tries to access a domain on the webserver in VLAN 2.
  It starts by sending a DNS query to a DNS server located at the ISP, and gets the ip address for the domain, which is of course a public ip address.
  Then nothing happens because the client tries to access the domain on the webserver using the public ip address, and the webserver have a local ip address 10.1.20.20 which is on the local LAN (VLAN 2).
  I've tried NAT because I have to change the destination ip address, but I can't seem to get it right.
  Does anyone know how to do this or can anyone point me in the right direction it would be appriciated?

  Change the nat config should work.
  On fa0 use:
  ip nat enable
  On vlan 2 and 3 use:
  ip nat enable
  Tcp port 80 nat and all other nat config should be changed also:
  Ip nat source static tcp (inside ip) 80 (outside ip, not interface name) 80 extendable
  Etc
  Etc
  Also configure this:
  Ip nat source list XXX interface fa0 overload
  That works like a charm in many of my networks atleast.
  Sent from Cisco Technical Support iPad App

• Example Config ACE routed mode with NAT

  Hi all,
  i have a two-arm loadbalancer (routed mode).
  client ->vlan100->[VIP]Loadbalancer[NAT] ->vlan200-> serverfarm
  But i have my problems to configure the NAT. Can anybody show me a example configuration of a two-arm loadbalancer with NAT?
  Especially the access-list, class-map, policy-map and on which interface the NAT-Policy must be added.
  BR
  Dominik

  Hi Dominik,
  Something like this:
  access-list ANYONE line 10 extended permit ip any any
  rserver host SERVER_01
    ip address 10.198.16.2
    inservice
  rserver host SERVER_02
    ip address 10.198.16.3
    inservice
  rserver host SERVER_03
    ip address 10.198.16.4
    inservice
  serverfarm host REAL_SERVERS
    rserver SERVER_01
      inservice
    rserver SERVER_02
      inservice
    rserver SERVER_03
      inservice
  class-map match-all VIP-30
    2 match virtual-address 192.168.1.30 tcp eq www
  class-map type management match-any REMOTE_ACCESS
    description remote-access-traffic-match
    2 match protocol telnet any
    3 match protocol ssh any
    4 match protocol icmp any
  policy-map type management first-match REMOTE_MGT
    class REMOTE_ACCESS
      permit
  policy-map type loadbalance first-match SLB_LOGIC
    class class-default
      serverfarm REAL_SERVERS
  policy-map multi-match CLIENT_VIPS
    class VIP-30
      loadbalance vip inservice
      loadbalance policy SLB_LOGIC
      loadbalance vip icmp-reply active
      nat dynamic 1 vlan 452
  interface vlan 451
      ip address 192.168.1.2 255.255.255.0
    access-group input ANYONE
    service-policy input CLIENT_VIPS
    no shutdown
  interface vlan 452
    description Servers vlan
    ip address 10.198.16.1 255.255.255.0
    access-group input ANYONE
    nat-pool 1 10.198.16.5 10.198.16.5 netmask 255.255.255.0 pat
    no shutdown
  ip route 0.0.0.0 0.0.0.0 192.168.1.1
  Cesar R
  ANS Team

• How to re-enable Beats speakers and sub woofer after configured Windows 8/Ubuntu dual boot?

  HP ENvy DV7-7240us
  Windows 8 / Linux Ubuntu Dual Boot
  No Sound through two front Beats speakers or sub woofer both operating systems after installed Ubuntu 12.10 as dual boot.
  Is there a way to at least re-enable the Beats speakers and sub woofer in Windows 8 when I boot on that OS?  I am using the UEFI as the boot manager by hitting ESC / F9,  and not GRUB2 (Linux).
  I did update to "BIOS" (UEFI) F.22 concurrently with the dual boot...possibly this has something to do with it?
  I would like to keep the dual boot,  but the loss of the Beats speakers is kind of a deal breaker,  and virtualization of Linux seems to be buggy in its own right.
  I tried re-enabling the sound through right clicking on the speaker icon in the tray, and configuring Playback devices.  The  only option available is IDT High Definition Audio Codec.  Is there another device listing for the Beats speakers that I am missing?
  Only other minor issue with the hardware I am aware of is only on the Linux side, that being no pinch to zoom on track pad, which I try not to use anyway.
  Thank you.

  Have you tried resetting BIOS settings to default? Enter BIOS by tapping/holding F10 key immediately after powering on.Reset to Default settings, usually tap F9,check bottom of screen for correct key.Save & Exit.
  ******Clicking the Thumbs-Up button is a way to say -Thanks!.******
  **Click Accept as Solution on a Reply that solves your issue to help others**

• IPSEC tunnel with NAT and NetMeeting

  I have established an IPSEC tunnel with two Cisco 2621 routers. Clients over the Internet are able to dial into the MCU server, which is behind one of the Cisco 2621 routers configured with NAT but the MCU is not able to call the client. The MCU is able to call any server or client on the LAN however it is not able to call anyone passed the router configured with NAT. Could anyone who has experience with NAT and IPSEC help me out?
  Thanks,

  The following doc should help...
  http://www.cisco.com/warp/public/707/ipsecnat.html

• TS3899 I have set up two email accounts on my iphone4, one with tiscali, my ISP, and the other on gmail. I am able to receive emails on both accounts, and can send emails from my gmail account, but am "Unable to Send Email" from my tiscali (talktalk) acco

  I have set up two email accounts on my iphone4, one with tiscali, my ISP, and the other on gmail. I am able to receive emails on both accounts, and can send emails from my gmail account, but am "Unable to Send Email" from my tiscali (talktalk) account. I get the error message "A copy has been placed in your Outbox. The sender address "name"@tiscali.co.uk was rejected by the server".

  Hi apmichael,
  If you are having issues sending email from one of your mail accounts on your iPhone, you may find the following article helpful:
  iOS: Troubleshooting Mail
  http://support.apple.com/kb/ts3899
  Regards,
  - Brenden

• 10g - how to configure sso with iis-

  hi, experts, I have followed Oracle® Business Intelligence Enterprise Edition Deployment Guide to configure SSO with IIS.
  but I always meet this message.
  Not Logged In
  You are not currently logged in to the Oracle BI Server.
  If you have already logged in, your connection might have timed out, or a communications or server error may have occurred
  what steps are missing?
  how to check?

  hi, experts,
  I checked C:\OracleBIData\web\log\sawlog0.log on the obi server (windows server 2003 standard).
  at Thu Feb 17 14:48:46 2011 , I logined OBI on another machine (not via the browser on the obi server).
  however, the log shows the login user is the administrator of the obiserver (obiserver\administrator ).
  any setup on IIS are wrong? thank you very much!
  =========================================================================================
  Running job 'MinutelyMonitor' took 7422 milliseconds, 12.3% of job's frequency (60 seconds).
  Type: Error
  Severity: 40
  Time: Thu Feb 17 14:48:46 2011
  File: project/webodbcaccess/odbcconnectionimpl.cpp Line: 371
  Properties: ConnId-1,1;ThreadID-1796
  Location:
       saw.odbc.connection.open
       saw.connectionPool.getConnection
       saw.subsystem.security.checkAuthenticationImpl
       saw.threadPool
       saw.threads
  Odbc driver returned an error (SQLDriverConnectW).
  State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
  [nQSError: 43001] Authentication failed for obiserver\administrator in repository Star: invalid user/password. (08004)
  Type: Error
  Severity: 42
  Time: Thu Feb 17 14:48:46 2011
  File: project/webconnect/connection.cpp Line: 276
  Properties: ThreadID-1796
  Location:
       saw.connectionPool.getConnection
       saw.subsystem.security.checkAuthenticationImpl
       saw.threadPool
       saw.threads
  Authentication Failure.
  Odbc driver returned an error (SQLDriverConnectW).
  ---------------------------------------

• How to configure sso with SSL step by step

  Purpose
  In this document, you can learn how to configure SSO with SSL. After user have certificate installed in browser, he can login without input username and password.
  Overview
  In this document we will demonstrate:
  1.     How to configure OHS support SSL
  2.     How to Register SSO with SSL
  3.     Configure SSO for certificates
  Prerequisites
  Before start this document, you should have:
  1.     Oracle AS 10g infrastructure installed (10.1.2)
  2.     OCA installed
  Note:
  1.     “When you install Oracle infrastructure, please make sure you have select OCA.
  2.     How Certificate-Enabled Authentication Works:
  a.     The user tries to access a partner application.
  b.     The partner application redirects the user to the single sign-on server for authentication. As part of this redirection, the browser sends the user's certificate to the login URL of the server (2a). If it is able to verify the certificate, the server returns the user to the requested application.
  c.     The application delivers content. Users whose browsers are configured to prompt for a certificate-store password may only have to present this password once, depending upon how their browser is configured. If they log out and then attempt to access a partner application, the browser passes their certificate to the single sign-on server automatically. This means that they never really log out. To effectively log out, they must close the browser.
  Enable SSL on the Single Sign-On Middle Tier
  The following steps involve configuring the Oracle HTTP Server. Perform them on the single sign-on middle tier. In doing so, keep the following in mind:
  l     You must configure SSL on the computer where the single sign-on middle tier is running.
  l     You are configuring one-way SSL.
  l     You may enable SSL for simple network encryption; PKI authentication is not required. Note though that you must use a valid wallet and server certificate. The default wallet location is ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default.
  1.     Back up the opmn.xml file, found at ORACLE_HOME/opmn/conf
  2.     In opmn.xml, change the value for the start-mode parameter to ssl-enabled. This parameter appears in boldface in the xml tag immediately following.
  <ias-component id="HTTP_Server">
  <process-type id="HTTP_Server" module-id="OHS">
  <module-data>
  <category id="start-parameters">
  <data id="start-mode" value="ssl-enabled"/>
  </category>
  </module-data>
  <process-set id="HTTP_Server" numprocs="1"/>
  </process-type>
  </ias-component>
  3.     Update the distributed cluster management database with the change: ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct opmn
  4.     Reload the modified opmn configuration file:
  ORACLE_HOME/opmn/bin/opmnctl reload
  5.     Keep a non-SSL port active. The External Applications portlet communicates with the single sign-on server over a non-SSL port. The HTTP port is enabled by default. If you have not disabled the port, this step requires no action.
  6.     Apply the rule mod_rewrite to SSL configuration. This step involves modifying the ssl.conf file on the middle-tier computer. The file is at ORACLE_HOME/Apache/Apache/conf. Back up the file before editing it.
  Because the Oracle HTTP Server has to be available over both HTTP and HTTPS, the SSL host must be configured as a virtual host. Add the lines that follow to the SSL Virtual Hosts section of ssl.conf if they are not already there. These lines ensure that the single sign-on login module in OC4J_SECURITY is invoked when a user logs in to the SSL host.
  <VirtualHost ssl_host:port>
  RewriteEngine on
  RewriteOptions inherit
  </VirtualHost>
  Save and close the file.
  7.     Update the distributed cluster management database with the changes:
  ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct ohs
  8.     Restart the Oracle HTTP Server:
  ORACLE_HOME/opmn/bin/opmnctl stopproc process-type=HTTP_Server
  ORACLE_HOME/opmn/bin/opmnctl startproc process-type=HTTP_Server
  9.     Verify that you have enabled the single sign-on middle tier for SSL by trying to access the OracleAS welcome page, using the format https://host:ssl_port.
  Reconfigure the Identity Management Infrastructure Database
  Change all references of http in single sign-on URLs to https within the identity management infrastructure database. When you change single sign-on URLs in the database, you must also change these URLs in the targets.xml file on the single sign-on middle tier. targets.xml is the configuration file for the various "targets" that Oracle Enterprise Manager monitors. One of these targets is OracleAS Single Sign-On.
  1.     Change Single Sign-On URLs
  Run the ssocfg script, taking care to enter the command on the computer where the single sign-on middle tier is located. Use the following syntax:
  UNIX:
  $ORACLE_HOME/sso/bin/ssocfg.sh protocol host ssl_port
  Windows:
  %ORACLE_HOME%\sso\bin\ssocfg.bat protocol host ssl_port
  In this case, protocol is https. (To change back to HTTP, use http.) The parameter host is the host name, or server name, of the Oracle HTTP listener for the single sign-on server.
  Here is an example:
  ssocfg.sh https login.acme.com 4443
  2. Restart OC4J_SECURITY instance and verify the configuration
  To determine the correct port number, examine the ssl.conf file. Port 4443 is the port number that the OracleAS installer assigns during installation.
  If you run ssocfg successfully, the script returns a status 0. To confirm that you were successful, restart the OC4J_SECURITY instance:
  ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
  Then try logging in to the single sign-on server at its SSL address:
  https://host:ssl_port/pls/orasso/
       3. Back up the file targets.xml:
  cp ORACLE_HOME/sysman/emd/targets.xml ORACLE_HOME/sysman/emd/targets.xml.backup
  4. Open the file and find the target type oracle_sso_server. Within this target type, locate and edit the three attributes that you passed to ssocfg:
  ·     HTTPMachine—the server host name
  ·     HTTPPort—the server port number
  ·     HTTPProtocol—the server protocol
  If, for example, you run ssocfg like this:
  ORACLE_HOME/sso/bin/ssocfg.sh http sso.mydomain.com:4443
  Update the three attributes this way:
  <Property NAME="HTTPMachine" VALUE="sso.mydomain.com"/>
  <Property NAME="HTTPPort" VALUE="4443"/>
  <Property NAME="HTTPProtocol" VALUE="HTTPS"/>
  5.Save and close the file.
  6.     Reload the OracleAS console:
       ORACLE_HOME/bin/emctl reload
  7. Issue these two commands:
  ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
  ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
  Registering mod_osso
  1.     This command sequence that follows shows a mod_osso instance being reregistered with the single sign-on server.
  $ORACLE_HOME/sso/bin/ssoreg.sh
       -oracle_home_path $ORACLE_HOME
       -config_mod_osso TRUE
       -mod_osso_url https://myhost.mydomain.com:4443
  2.     Restarting the Oracle HTTP Server
  After running ssoreg, restart the Oracle HTTP Server:
  ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
  Configuring the Single Sign-On System for Certificates
  1.     Configure policy.properties with the Default Authentication Plugin
  Update the DefaultAuthLevel section of the policy.properties file with the correct authentication level for certificate sign-on. This file is at ORACLE_HOME/sso/conf. Set the default authentication level to this value:
  DefaultAuthLevel = MediumHighSecurity
  Then, in the Authentication plugins section, pair this authentication level with the default authentication plugin:
  MediumHighSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOX509CertAuth
  2.     Restart the Single Sign-On Middle Tier
  After configuring the server, restart the middle tier:
  ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
  ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
  Bringing the SSO Users to OCA User Certificate Request URL
  The OCA server reduces the administrative and maintenance cost of provisioning a user certificate. The OCA server achieves this by authenticating users by using OracleAS SSO server authentication. All users who have an Oracle AS SSO server account can directly get a certificate by using the OCA user interface. This reduces the time normoally requidred to provision a certificate by a certificate authority.
  The URL for the SSO certificate Request is:
  https://<Oracle_HTTP_host>:<oca_ssl_port>/oca/sso_oca_link
  You can configure OCA to provide the user certificate request interface URL to SSO server for display whenever SSO is not using a sertificate to authenticate a user. After the OracleAS SSO server authenticates a user, it then display the OCA screen enabling that user to request a certificate.
  To link the OCA server to OracleAS SSO server, use the following command:
  ocactl linksso
  opmnctl stoproc type=oc4j instancename=oca
  opmnctl startproc type=oc4j instancename=oca
  You also can use ocactl unlinksso to unlink the OCA to SSO.

  I have read the SSO admin guide, and performed the steps for enabling SSL on the SSO, and followed the steps to configure mod_osso with virtual host on port 4443 as mentioned in the admin guide.
  The case now is that when I call my form (which is developed by forms developer suite 10g and deployed on the forms server which is SSO enabled) , it calls the SSO module on port 7777 using http (the default behaviour).
  on a URL that looks like this :
  http://myhostname:7777/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=.......
  and gives the error :
  ( Forbidden
  You don't have permisission to access /sso/auth on this server at port 7777)
  when I manually change the URL to :
  https://myhostname:4443/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=.......
  the SSO works correctly.
  The question is :
  How can I change this default behaviour and make it call SSO on port 4443 using https instead ?
  Any ideas ?
  Thanks in advance

• How can I change the default Google search engine in Firefox 8 from google.fr to google.co.uk? Yes, I live in France with a French ISP, but English is my mother tongue and I want UK based responses.

  How can I change the default Google search engine in Firefox 8 from google.fr to google.co.uk? Yes, I live in France with a French ISP, but English is my mother tongue and I want UK based responses.
  I'm using XP Pro.

  You can find search engines on the Mycroft Project website.
  * http://mycroft.mozdev.org/
  * http://mycroft.mozdev.org/google-search-plugins.html

• Video ichat no longer working with a new ISP

  Hiya, I have read pages and pages of these posts and I am still none the wiser. I used to be able to video ichat with my old ISP but I can't with my new one. Audio and text work fine.
  I have changed my quicktime streaming settings
  I have disabled my firewall
  I have gone to portforwarding.com and done the port forwarding thing (I think, I am not that technical)
  I am using a fixed IP - my airport is using 192.168.7.3, my DSL router 192.168.7.1
  I can ichat video fine from work (as long as it's not to my wife when she is at home)
  I have tried to ichat to other people who have ichated succesfully to their friends
  I have called my ISP and they assure me that no ports are being blocked
  I am using the latest version of Tiger and ichat on a brand new MacBook Pro (wow this thing is fast), but my older Powerbook laptop can't connect either.
  Can anyone help?
  MacBook Pro   Mac OS X (10.4.6)   ichat 3.1.4

  Hi Russell,
  Most of the devices listed here can be made to work with iChat
  http://portforward.com/routers.htm
  However I would tend to stick to the bigger names.
  AT this stage MIMO and Pre-N devices (the ones with the extra antennas and the ones trying to predict the 802.11N wireless protocol) as iChat seems to have soem problems with them.
  Things like the Linksys WRT54G has routing and UPnP capabilities. The Netgear DG834G and it's variants are also popular. (D-Links seem to be a bit odd as set ups vary and they do not always have UPnP)
  Thomson/Alcatel Speedtouch devices need to be on Version 4 firmware (No higher than 4.2.9) and not Version 5 or 6 (or the 4.3.x version that is really version 5 re-written for earlier devices). These Alcatels need the SIP Unbound from port 5060 that I was talking about.
  See Mine in the white box just out of site http://www.ralphjohnsuk.dsl.pipex.com/page4.html#_text
  What you have to look in to at this stage is whether the ISP is blocking port 5060 for it's own VoIP service. It it is it will not matter what modem you get.
  As I said before in some cases it may be the device itself and we may be able to do soemthing about that.
  http://www.ralphjohnsuk.dsl.pipex.com/page4.html#_text Scroll down to the White box with text in it.
  Apple have this list http://docs.info.apple.com/article.html?artnum=93333
  These are supposed to work Out of the Box which is not the same as Can Work with iChat.
  11:43 AM Saturday; July 8, 2006