Configuring the saprouter
Hello gurus,
I need to connect to SAP using VPN. I have configured the SAP router and it seems to be working. I received the connection details from SAP with details at SAP site, Encryption, preshared secret.
So now I have checked the next step where I will have to input the preshared key but no luck. I have looked at note 486688 but there is a section where it refers to see Notes 17285 and 29784 but those are said to be internal notes.
Maybe I need a step by step guide on how to configure the connection once the saprouter has been installed.
Any ideas will be welcome.
Hello,
I think you are confusing SNC and VPN.
You use saprouter to control access to/from your sap systems and sap.
To encrypt the traffic (over the Internet) between your saprouter and the saprouter at SAP, you use either:
VPN - a firewall/vpn device (hardware and/or software) provided by third party (e.g. Check Point, Cisco devices)
OR
SNC - a software solution to encrypt traffic provided by saprouter
If you set up a VPN connection with SAP, you need to configure a VPN connection on your firewall as specified by SAP. This is where you need the shared secret.
When using VPN, your traffic is encrypted and you do not need SNC.
When you don't use a VPN connection, your saprouter communicates directly to the saprouter at SAP. To protect this traffic, which is sent in clear text over the Internet, you should encrypt this traffic. If you have no firewall or VPN device, you can use SNC to encrypt the traffic.
In this case, you need to request a certificate for your saprouter and configure the saprouter for SNC.
Note 486688 describes the requirements for a VPN connection and clearly states you need a VPN/IPSec-enabled router/firewall and a public IP-address for both your router/firewall and your saprouter.
I hope this makes things a bit more clear.
Kind regards,
Dagwin
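The SNC-or-VPN rule from the answer above can be checked against a route permission table. This is an added example, not part of the original thread or SAP's own tooling: it assumes the saprouttab entry forms `P/S/D <source> <dest> <service>` and `KT "<SNC name>" <dest> <service>`, and every host, address and SNC name in the sample is a constructed placeholder.

```python
import fnmatch
import shlex

# Constructed sample: hosts, addresses and SNC names are placeholders.
SAMPLE_ROUTTAB = '''
# outbound hop to the partner's SAProuter, protected by SNC
KT "p:CN=peer-router, OU=Example, O=Example, C=DE" peer.example.net 3299
# inbound connections that arrive over SNC from that router
KP "p:CN=peer-router, OU=Example, O=Example, C=DE" 10.0.0.5 3200
# internal clients may route to the partner's SAProuter
P 10.0.0.* peer.example.net 3299
# permit towards a second Internet peer that has no KT entry
P 10.0.0.* other.example.org 3299
D * * *
'''


def parse_routtab(text):
    """Return [(kind, fields)] for every entry, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # keeps the quoted SNC name as one field
        entries.append((parts[0].upper(), parts[1:]))
    return entries


def unprotected_routes(text, internet_peers):
    """List permits that reach an Internet peer without a matching KT entry.

    internet_peers: hosts reached over the Internet WITHOUT a VPN tunnel.
    When a firewall VPN carries the traffic, pass an empty list: the VPN
    already encrypts the hop and SNC is not required.
    """
    entries = parse_routtab(text)
    # Destinations for which the router is told to open an SNC connection.
    snc_targets = [f[1] for kind, f in entries if kind == "KT" and len(f) >= 2]
    findings = []
    for kind, fields in entries:
        if kind not in ("P", "S") or len(fields) < 2:
            continue
        source, dest = fields[0], fields[1]
        for peer in internet_peers:
            if not fnmatch.fnmatch(peer, dest):
                continue  # this permit cannot reach the peer
            if not any(fnmatch.fnmatch(peer, t) for t in snc_targets):
                findings.append((kind, source, peer))
    return findings


if __name__ == "__main__":
    peers = ["peer.example.net", "other.example.org"]
    for kind, source, peer in unprotected_routes(SAMPLE_ROUTTAB, peers):
        print(f"{kind} {source} -> {peer}: clear-text hop, no KT entry")
```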
Similar Messages
-
Configuration of saprouter.
Hello,
I have reinstalled the saprouter but after configuring the saprouter, it's giving error while starting saprouter.
The error is as follows :
$ ./saprouter -l
SAP Network Interface Router, Version 40.4
***LOG Q0I=> NiPGetHostByName: 'localhost' not found: getaddrinfo [niuxi.c 1759]
*** ERROR => NiGetLoopbackAddr: NiIGetNodeAddr failed (rc=-2) [nixx.c 2179]
Mon Jun 16 16:53:40 2014
peer SAProuter with NI version 40 ...
send info-request to running SAProuter ...
SAP Network Interface Router running on port 3299 (PID = 132)
Started on: Mon Jun 16 16:12:14 2014
ID CLIENT | PARTNER service
-----------------------------------+---------------------------------------
9 127.0.0.1 | (no partner)
Total no. of clients: 1
Working directory : /usr/sap/saprouter
Routtab : ./saprouttab
Please help.
Hi,
I have configured SAP Router on Windows. When I start the router I am getting an error like the one below.
trcfile dev_rout
ERROR SNC processing failed:
SncInit
TIME Tue Sep 30 10:32:29 2008
RELEASE 700
COMPONENT NI (network interface)
VERSION 38
RC -17
MODULE nisnc.c
LINE 646
DETAIL NiSncInit: sncrc=-1
COUNTER 3
Please any body give the solution.
Thanks,
Regards,
venkat -
SNC Processing Failed starting the SAProuter
Dear Experts,
I have finished the configuration of SAProuter, while running the router I am getting the error "SNC Processing Failed." Here is my dev_rout file.
The command that I'm using is:
D:\usr\sap\saprouter>saprouter.exe -r -S 3299 -K "p:CN=SSAP00001PBBI, OU=0000893577, OU=SAProuter, O=SAP, C=DE"
trc file: "dev_rout", trc level: 1, release: "700"
* ERROR SNC processing failed:
* sncInit
* TIME Thu Sep 25 10:40:38 2008
* RELEASE 700
* COMPONENT NI <network interface>
* VERSION 38
* RC -17
* MODULE nisnc.c
* LINE 646
* DETAIL NiSncInit: sncrc=-1
* counter 3
What is the error here?
Thanks a lot
Edited by: Daniel Humberto Ramirez on Sep 25, 2008 6:31 PM
Hi, this is the dev_rout file,
Thanks a lot!!!.
trc file: "dev_rout", trc level: 1, release: "700"
Mon Sep 29 09:01:29 2008
SAP Network Interface Router, Version 38.10
command line arg 0: saprouter.exe
command line arg 1: -r
command line arg 2: -S
command line arg 3: 3299
command line arg 4: -K
command line arg 5: p:CN=SSAP00001PBBI, OU=0000893577, OU=SAProuter, O=SAP, C=DE
SncInit(): Initializing Secure Network Communication (SNC)
PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)
SncInit(): Trying environment variable SNC_LIB as a
gssapi library name: "D:\usr\sap\saprouter\ntintel\sapcrypto.dll".
Mon Sep 29 09:01:30 2008
ERROR => DlLoadLib: LoadLibrary(D:\usr\sap\saprouter\ntintel\sapcrypto.dll) Error 193 [dlnt.c 237]
ERROR => SncPDLInit(): DlLoadLib("D:\usr\sap\saprouter\ntintel\sapcrypto.dll")=DLENOACCESS
[sncxxdl.0340]*** ERROR => SncPDLInit()==SNCERR_INIT, Adapter (#0) D:\usr\sap\saprouter\ntintel\sapcrypto.dll not loaded
[sncxxdl.0604]<<- SncInit()==SNCERR_INIT
sec_avail = "false"
ERROR => NiSncInit: SncInit failed (rc=-1) [nisnc.c 647]
ERROR => main: NiSncInit failed (rc=-17) [nirout.cpp 1219]
ERROR SNC processing failed:
SncInit
TIME Mon Sep 29 09:01:30 2008
RELEASE 700
COMPONENT NI (network interface)
VERSION 38
RC -17
MODULE nisnc.c
LINE 646
DETAIL NiSncInit: sncrc=-1
COUNTER 3
<<- ERROR: SncDone()==SNCERR_INIT_FIRST -
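A triage pass over the dev_rout trace quoted above, as an added example that is not part of the original thread. The sample lines are copied from that trace; the Win32 code meanings are the standard Windows system error codes, and reading the `ntintel` directory name as a 32-bit build is an assumption about SAP's platform naming.

```python
import re

# Lines copied from the dev_rout trace quoted in the post above.
SAMPLE_TRACE = r'''
PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)
SncInit(): Trying environment variable SNC_LIB as a
gssapi library name: "D:\usr\sap\saprouter\ntintel\sapcrypto.dll".
ERROR => DlLoadLib: LoadLibrary(D:\usr\sap\saprouter\ntintel\sapcrypto.dll) Error 193 [dlnt.c 237]
ERROR => NiSncInit: SncInit failed (rc=-1) [nisnc.c 647]
ERROR => main: NiSncInit failed (rc=-17) [nirout.cpp 1219]
'''

# Standard Windows system error codes that LoadLibrary commonly returns.
WIN32_ERRORS = {
    2: "file not found",
    5: "access denied",
    126: "module or one of its dependencies not found",
    193: "not a valid image for this process (ERROR_BAD_EXE_FORMAT)",
}


def triage(trace):
    """Extract the SNC library, process pointer width and load error."""
    result = {"library": None, "pointer_bits": None, "win32_error": None,
              "snc_failed": False, "hints": []}

    m = re.search(r'gssapi library name:\s*"([^"]+)"', trace)
    if m:
        result["library"] = m.group(1)

    # Third number of "SAP_UC/size_t/void* = 16/64/64" is the pointer size.
    m = re.search(r'void\*\s*=\s*\d+/\d+/(\d+)', trace)
    if m:
        result["pointer_bits"] = int(m.group(1))

    m = re.search(r'LoadLibrary\((.+?)\)\s+Error\s+(\d+)', trace)
    if m:
        result["library"] = result["library"] or m.group(1)
        result["win32_error"] = int(m.group(2))

    result["snc_failed"] = bool(re.search(r'NiSncInit failed \(rc=-?\d+\)', trace))

    code = result["win32_error"]
    if code in WIN32_ERRORS:
        result["hints"].append(f"LoadLibrary error {code}: {WIN32_ERRORS[code]}")
    # Assumption: "ntintel" in the path marks a 32-bit x86 library build.
    lib = (result["library"] or "").lower()
    if result["pointer_bits"] == 64 and "ntintel" in lib:
        result["hints"].append(
            "64-bit saprouter process but SNC_LIB points into an 'ntintel' "
            "directory; check that the crypto library matches the process")
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_TRACE)
    print("SNC library :", report["library"])
    print("SNC failed  :", report["snc_failed"])
    for hint in report["hints"]:
        print("hint        :", hint)
```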
The SAProuter service failed to start due to the following error:
I installed the SAP router 710 on windows server 2003 NON_SAP SYSTEM. I installed it successfully using the command:
>ntscmgr install SAProuter -b c:\saprouter\saprouter.exe -p "service -r"
But when trying to start the service I am facing this error:
"SAP router service failed to start due to the following error: This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem".
I removed and reinstalled it, but again when trying to start the service facing the same error.
Plz help me in resolving this issue and also let me know using which user I need to start the SAPRouter Service(Local System Account or any other account) . Do the needful as the matter is urgent
Thanks in advance
Ali
Hi Anil,
The version that I am using to install is SAP Router 710 on windows 2003 x64, I have to installed the SAP router on non SAP System.
now when I am trying to start the service, it is giving an error as mentioned above.
Plz help
Regards
Ali
Edited by: Mirza Munnawar Ali Baig on Jun 2, 2008 3:48 PM -
Configure the stms through internet
Hi guys,
I want to configure the STMS through internet.
My Development in my office and connected in internet.
My Quality and Production server are hosted in Data Center. So the way to configure the STMS through internet only. The QAS and PRD server are behind the Firewall.
What are the ports and protocol are playing while connect (configure ) the STMS ?
How TP will access the shared folder like sapmnt and saploc ?
Waiting for valuable reply
Hi all,
I opened the gateway (3300) and dispatcher (3200) in the firewall, where QAS server is hosted. But still the STMS not working.
Added to above.. The DEV server not using SAProuter but QAS server using the SAProuter. -
How do I configure the Airport utility to allow more than one rule per port?
How do I configure the Airport Utility (AU) to allow more than one rule per port?
I am on a home network, with broadband cable modem. I have my airport extreme connected to the broadband modem. I have 2 servers in my home that need to be accessed remotely from time (SSH), and they also serve data for an iphone app, so I'm using a variety of protocols. The problem I'm running into is that AU seems to only allow one rule per protocol, so if I go to add another address for access on a specific port that is being used by one of my servers, AU tells me "The Port Mapping Entry Already Exists".
I need to be able to allow SSH on both of my servers, for instance. Am I missing something? Is this doable with AU?
Thanks for any insight.
Khalid
The Port Mapping "rules" on the AirPorts will allow you to: 1) Map a single port to a single IP address OR 2) Map multiple ports to a single IP address.
What you won't be able to do is map a single or multiple ports to multiple IP addresses. -
Configuring the authentication scheme for a web application
Hi all,
We have a requirement to configure the authentication scheme for a web application where some set of users should access the application using basic LDAP (userid/password) authentication and some using digital certificate authentication.
Since the deployment descriptor (web.xml) allows only one directive for auth-method in logic-config, we want to know if there is any other way to achieve this requirement. We are thinking of a custom login module approach. But we are not able to figure out how to configure the auth-method at runtime from the login servlet.
Please let us know if there is any other approach to achieve this.
I will be thankful if anybody shares any specific solution to this issue.
This forum is probably not the correct one to ask in. It's more related to the web container than Java Programming.
Kaj -
Configuring the PATH for jdk1.3.1_01 in WindowsXP
I need help in configuring the autoexec.bat file for jdk1.3.1_01 . I am running on WindowsXP. (I used to have win 98 on my old pc that crashed and had jdk1.2.1 and working just fine) Now I have a new pc and have tried the following:
windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\jdk1.3.1_01\bin
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP
When I type in C:\path ...it does not show the path I entered. I have no clue what I am doing and the instructions I printed out from sun just do not help me out at all. I really need to get this working so I can continue learning. If anyone can please straighten me out on this I would really appreciate it. Feel free to email me at [email protected]
Thanks Reba
Your PATH appears to be correct. However, to verify your PATH you should be able to type the following:
c:\>echo %PATH%
This will display your PATH setting on the console. In addition, you can verify that your PATH setting is correct by typing:
c:\>java -version
If your path is set correctly, you should see something like:
java version "1.3.0"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.0-C)
Java HotSpot(TM) Client VM (build 1.3.0-C, mixed mode)
If, instead, you get something like:
"Bad command or file name"
Then your PATH is not configured correctly.
Hope this helps. -
Error on my IPad 2. When I'm trying to access in utilities to configure the email, this close suddenly and send me to home page.
Not sure about Utilities on your iPad. Do you mean the Settings app?
First thing to try is a reboot of your iPad. Press and hold the Home and Sleep buttons simultaneously ignoring the red slider until the Apple logo appear. Let go of the buttons and let the iPad restart. See if that fixes your problem. -
I am Fedora 13x64 bit. I just installed FF v6.0.2 from the FF download site. I backed up the existing FF 3.6 as firefox_old
I need to have a Java plugin to access company site, how do I configure the Java Plugin ?
At the Plugin area in FF6 there is no Java Plugin available, even after a search.
I have Java 1.6.0 installed in the OS at:
/usr/lib/jvm/java-1.6.0/jre/lib/amd64/libnpjp2.so
I googled how to configure Java Plugin for FF 6 for Fedora 13 and the trick was to create a soft link from /home/<userID>/.mozilla/plugins to the above libnpjp2.so
AVtech wrote:
. . . If a person can't get an answer here I don't know where else to turn since Sun certainly wouldn't offer tech support for a free product . . .
These forums are user forums, and only occasionally visited by Sun employees. Sun does provide Java technical support options, although (of course) at a charge.
See:
http://developers.sun.com/services/
. . . I guess we'll just use JRE 5 until it's unsupported, whenever that will be. I'm still waiting for an answer on that question, too. See:
http://java.sun.com/products/archive/eol.policy.html
http://www.sun.com/service/eosl/
This document (part IV and Appendix) has some debugging and troubleshooting information that may allow someone involved in the problem to resolve the cause:
See:
http://java.sun.com/javase/6/docs/technotes/guides/plugin/developer_guide/contents.htm
Any steps that you can take to isolate the problem to specific Java versions, browsers, applets, web sites, operating systems (and versions), etc, would enhance the possibility of getting help.
You can try the applets at this Sun location and see if any of them are "slow".
See:
http://java.sun.com/javase/6/docs/technotes/samples/demos.html -
I have ASA 5505 8.4. How to configure the switch to the backup channel to the primary with a delay (for example 5 min.) using the SLA monitor?
Or as something else to implement it?
My configuration for SLA monitor:
sla monitor 123
type echo protocol ipIcmpEcho IP_GATEWAY_MAIN interface outside_cifra
num-packets 3
timeout 3000
frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
Hey cadet alain,
thank you for your answer :-)
I have deleted all such attempts not working, so a packet-trace will be not very useful content...
Here is the LogLine when i try to browse port 80 from outside (80.xxx.xxx.180:80) without VPN connection:
3
Nov 21 2011
18:29:56
77.xxx.xxx.99
59068
80.xxx.xxx.180
80
TCP access denied by ACL from 77.xxx.xxx.99/59068 to outside:80.xxx.xxx.180/80
The attached file is only the show running-config
Now i can with my AnyConnect Clients, too, but after connection is up, my vpnclients can't surf the web any longer because anyconnect serves as default route on 0.0.0.0 ... that's bad, too
Actually the AnyConnect and Nat/ACL Problem are my last two open Problems until i setup the second ASA on the right ;-)
Regards.
Chris -
I have a Samsung VGA Monitor connected to my MacBook Pro using the Mini Display Port to VGA Adapter. How do I configure the computer so that it doesn't sleep when I close the lid of the computer.
Hi alangium,
Welcome to the Support Communities!
Resetting your computer's PRAM should restore your Macbook Pro's screen appearance.
OS X Mavericks: Reset your computer’s PRAM
http://support.apple.com/kb/ph14222
This article may provide some information about your Mini DisplayPort to AVI adapter. Have you tried to connect a different VGA monitor to your Macbook to see if you get the same results?
Apple Mini DisplayPort adapters: Frequently asked questions (FAQ)
http://support.apple.com/kb/HT3382
18. What is the maximum resolution available for use with the Apple Mini DisplayPort to VGA adapter?
The resolution available with the Apple Mini DisplayPort to VGA Adapter is 1920 x 1200. VGA displays that use higher refresh rates (such as 85 Hz) at resolutions of 1600 x 1200 or greater may not generate video properly until you lower the refresh rate.
Apple computers: Troubleshooting issues with video on internal or external displays
http://support.apple.com/kb/HT1573#5
How can I detect displays?
If the detect displays option is not available, hold down the Option key while you are in the Display pane.
How do I select additional resolutions on my display?
You can use the Display pane of System Preferences to specify how your display works. Not all options appear for all display models. By default the best resolution for your display will already be selected in System Preferences.
To select a different resolution, use the Scaled option. Some additional resolutions may be available when you hold the Option button.
I hope this information helps ....
- Judy -
I bought a new Apple TV 3rd Gen.(which is currently updated) so I could stream the Netflix movies on my MacBook Pro Computer running Yosemite, onto my TV Screen. However, if I configure the settings on my Computer and Apple TV so that everything on my Desktop is displayed on the TV Screen, then Netflix can't even get the movie on my MBP open. It just keeps spinning until I get an error message about not being able to use Mirroring or Air Play if I want to stream my movie to the TV. So, when I switched the settings so that all mirroring and Air Play options were unchecked and selected all the streaming options using the internet. Then the Netflix movie would open up quick and easy, but there was nothing on the TV Screen.
I also was never able to Pair my Apple TV with my Bluetooth. (If they're even supposed to be Paired, but something I read implied they should be Paired.) My MBP Bluetooth discovered the Apple TV immediately and issued a Pairing Number to enter in the Bluetooth's setting for the Apple TV, but the Apple TV Bluetooth just kept spinning. I don't know if that is part of the problem or not, since it wasn't mentioned in any documentation I read.
Also, when I was digging for information on the browser, going to Netflix Website and Apple TV's information at apple.com, I did come across a few links while searching the browser for any answers to my questions, that said I needed to Activate my Netflix Account for streaming by finding my Apple TV's activation code and then enter it on Netflix's site in my Netflix account. And others mentioned a registration code from my Apple TV needed to be entered to activate the "streaming" of Netflix movie content. And again, I've searched for hours and hours trying to find out where or how I could find the two codes, but never had any success. So, I have exhausted all avenues I can think of and with no luck, and I'm hoping my wonderful Apple Community can help me out or get me heading in the right direction. Thanks, RVAF
There is a native Netflix app on Apple TV. If you are attempting to use a VPN via MBP then that is not supported.
-
In EPM 11.1.2.1 Has anyone successfully configured the SSODiag web app
Hi All, we are installing and configuring Oracle EPM 11.1.2.1 with Foundation services running on a Windows 2008 R2 Standard server. Our users have been waiting for us to provide single sign-on for the Web applications (we are currently on 9.3.3). We installed and configured Foundation services and started the config for SSO using Kerberos and Active Directory.
We have performed the following :
1) set up the Active Directory user to use as the Kerberos principal
2) using SETSPN, KTPASS configured the principal user and had the keytab file generated using:
ktpass -out SVC_ORACLEEPM.keytab -mapuser SVC_ORACLEEPM -crypto DES-CBC-CRC -princ HTTP/[email protected] -pass PASSWORD -ptype KRB5_NT_PRINCIPAL
3) copied the keytab file to the Foundation Services server (DEVEMP01) and placed in "C:\Oracle\Middleware\user_projects\domains\EPMSystem"
4) Verified the keytab using the java kinit commands
java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t C:\Oracle\Middleware\user_projects\domains\EPMSystem\SVC_ORACLEEPM.keytab HTTP/[email protected]
was able to get the kerberos ticket cached successfully:
--- KrbAsRep cons in KrbAsReq.getReply HTTP/devepm01.domain.com
--- New ticket is stored in cache file C:\Users\svc_oracleepm\krb5cc_SVC_ORACLEEPM
5) configured the Active Directory provider in Weblogic (can retrieve all users including my service account)
6) configured the Negotiate Identity provider
7) installed and configured the SSODiag web application per the 11.1.2.0 document "http://www.oracle.com/technetwork/middleware/bi-foundation/config-epm-foundation-kerberos-303841.pdf " as the 11.1.2.1 document is incomplete. I also found some missing steps in the 11.1.2.0 doc, but was able to get it.
8) service account is used to log onto the Windows server and is used to start the FoundationServices service and weblogic admin console.
in the above - the "DOMAIN.COM" is the Kerberos domain
The problems now are the SSODiag app is not authenticating the user. All our active directory users authenticate to MS Sharepoint through Kerberos, so the browsers and users are setup properly, I did double check the browser settings just in case.
I also have an open support ticket with Oracle support, but wanted to find out if anyone out there has successfully configured SSODiag and has it working with Kerberos, Active Directory and Weblogic 10.3.x included with EPM 11.1.2.1.
Any assistance is appreciated.
Rob Armstrong
** Updated to add #8
Edited by: Robert Armstrong on Jul 13, 2011 8:47 AM
For anyone interested, we were finally able to configure SSO. Working with Oracle support and a web conf with the developers was needed.
The documentation is lacking all the instructions to make a successful connection and has incorrect information as well. The SSODiag app was working for all XP and IE6/IE7 machines, my Windows 7 and IE8 machine would not work and is still an outstanding issue with development. -
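The ktpass command in step 2 requests DES-CBC-CRC, a single-DES encryption type that RFC 6649 deprecates for Kerberos, so it is worth listing which key types a keytab actually holds before deploying it. This is an added example, not from the thread or from Oracle's documentation: it assumes the MIT keytab file format version 0x0502, and the principal, realm and all-zero keys in the sample are constructed.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
            16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK = {1, 2, 3}  # single-DES encryption types


def build_entry(principal, realm, enctype, key, kvno=1):
    """Build one keytab entry (used only to construct the sample below)."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", 1, 0, kvno)  # name type, timestamp, 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body


# Constructed sample: one DES key, a deleted-entry hole, one AES-256 key.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry("HTTP/host.example.com", "EXAMPLE.COM", 1, bytes(8))
                 + struct.pack(">i", -4) + bytes(4)
                 + build_entry("HTTP/host.example.com", "EXAMPLE.COM", 18,
                               bytes(32), kvno=2))


def _counted(buf, pos):
    """Read a 16-bit length-prefixed byte string; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def list_keys(data):
    """Return one dict per key: principal, kvno, enctype number and name."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, keys = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:          # negative size marks a hole left by a deletion
            pos += -size
            continue
        entry = data[pos:pos + size]
        if len(entry) < size:
            raise ValueError("truncated keytab entry")
        pos += size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, p = _counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(entry, p)
            comps.append(comp.decode())
        _name_type, _timestamp, kvno = struct.unpack_from(">IIB", entry, p)
        p += 9
        (etype,) = struct.unpack_from(">H", entry, p)
        _key, p = _counted(entry, p + 2)   # key bytes are read but never kept
        if len(entry) - p >= 4:            # optional 32-bit kvno overrides
            (kvno,) = struct.unpack_from(">I", entry, p)
        keys.append({"principal": "/".join(comps) + "@" + realm.decode(),
                     "kvno": kvno, "enctype": etype,
                     "name": ENCTYPES.get(etype, f"unknown({etype})")})
    return keys


def weak_keys(data):
    """Keys whose encryption type is single DES."""
    return [k for k in list_keys(data) if k["enctype"] in WEAK]


if __name__ == "__main__":
    for k in list_keys(SAMPLE_KEYTAB):
        flag = "WEAK" if k["enctype"] in WEAK else "ok"
        print(f'{k["principal"]} kvno={k["kvno"]} {k["name"]} [{flag}]')
```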
Configuring the iPhone and your environment for wireless corporate email
I'm posting this as a top level thread, because I'm certain that there are others out there, who like me, are trying to figure this out.
Configuring the iPhone for Enterprise Use
With Apple’s release of the iPhone, IT organizations are presented with an interesting challenge. Senior execs, gadget heads, and technorati are all flocking to this device, heralded as the be all and end all of smartphone telecommunications technology. As these devices begin to flood into our organizations, we are met with the challenge to ‘make it work’.
After much explaining that the iPhone is not intended for Enterprise integration, and many discussions surrounding the technical feasibility of bringing said devices into the fold, and being the resident Mac and Linux head with an iPhone in hand, I decided to embark on the mission of making one ‘work’. I succeeded in part, however it’s not the kind of ‘work’ that is going to be viable for most end users.
First of all, it’s important to understand that the email client for the iPhone is a modified version of Mac’s Mail program. Not the best client in the world, but it does support Exchange integration. It also does external email sources, such as Yahoo and Gmail, very well. For my interest though, I’m focusing on the Exchange integration functionality, as that is just about everyone’s corporate standard.
Bringing this task to fruition requires some understanding about the limitations of the iPhone, as well as some of its current quirks. Wireless 802.11x, EDGE, VPN and Mail are all components necessary to provide a serviceable solution for mobile email access, and each of these things has some peculiarities that don’t appear to be fully worked out by Apple at this time.
For instance, within my organization, we have a secured wireless connectivity option available within our building; however, the SSID of this network is not broadcast, for the obvious reasons. SO, connecting the iPhone to it is a manual process of defining the network, and automatic reconnection seems to be very hit or miss, so it becomes far less of an option for any form of direct network access to your Exchange environment. (As an example, I had to redefine that network, on the iPhone, at least half a dozen times during this process.)
The other components have equally quirky issues, and I will discuss the how’s to get around them below.
In coordinating this into a cohesive plan however, I will break this into three sections;
1. Wireless and EDGE connectivity
2. VPN access to your network
3. Connecting to Exchange
So, without further ado;
Wireless and EDGE Connectivity
The wireless capabilities of the iPhone are, on the surface at least, excellent. It connects seamlessly to unsecured networks, offers the option of prompted or unprompted automatic connectivity, and is capable of 802.11G performance. Not bad for such a small package. However, it is very limited in the forms of secure network access it supports. These are, to quote Apple’s website; (and my iPhone)
WEP Password
WEP hex or ASCII
WPA (personal)
WPA2 (personal)
Now, due to the obvious security problems in implementing WEP security, it’s likely that any network you run into is going to be WPA or WPA2. The iPhone ONLY supports the personal versions of these protocols, so be aware of this going into the situation. If you’re not connecting to your work or school wireless, and you’re entering the information correctly, then it’s probably because they have the Enterprise version of one of the protocols enabled. If that is the case, then you’re either hunting for unsecured hotspots, or else depending on EDGE.
In my case, I did have access to a WPA2 (Personal) enabled wireless signal to connect to my internal network. I thought my problem was half solved! I defined the connection, the wireless capability of the phone worked perfectly, and I was connected. I was wrong. Apparently, and judging from the Mac forums I’m not alone in this, the iPhone does not do a very good job of RE-connecting to a secured wireless network. It does an even worse job, when this is coupled with the fact that it doesn’t do a very good job reconnecting to a wireless network with an unpublished SSID.
After much fiddling and research into this, I determined that this simply was not the way to go, and I abandoned the idea. I wasn’t about to compromise my network security in order to get this silly phone working! So, that left me with either unsecured WiFi, or EDGE.
Either one of these connects pretty seamlessly, and gives me a relatively decent Internet connection. There are some issues being reported of the iPhone swapping between EDGE and WiFi for no apparent reason, but that said, it can still be made to work.
Now that I had this connection outside of my network, I obviously had to consider options for getting a secured connection into my network, which of course leads us to;
VPN Access Into Your Network
Being that this device was touted as the ‘real internet’ I was very excited to see if I could achieve this connection through my SSL VPN appliance. To make a long story short, I could not. Because Apple’s idea of the ‘Real Internet’ apparently does not include those wacky concepts like Java support, this proved to be impossible. My Apple cohorts will scream that it does support JavaScript, but we all know that that and 2 bucks will get you a small coffee at Starbucks… and not much more.
(The iPhone also does not support Flash, but that’s a topic for another conversation. I know, how could they leave that out? I’m amazed too, but then Steve Jobs always has been a bit too arrogant for his own good… I mean what does he expect, we’re all going to rewrite everything into QuickTime??? Please.)
Since that option didn’t work, I was left with the wide selection of two possibilities provided within the iPhone software. Either, a PPTP or L2TP VPN tunnel.
We went ahead and configured a PPTP connection on one of our Cisco routers in order to test this. It didn’t work. I couldn’t connect to it. Tried and tried. Nada. SOOOO, we said OK, and configured a L2TP connection on one of our Cisco routers, with similar results.
Figuring that this was something in the config, we called Cisco, and did the technical support dance with them for several days, trying one thing after another to get this connection to actually work. Nothing helped, and it never worked using either protocol. Then, I noticed an obscure article somewhere on some website that said something to the effect that getting one of these tunnels to work from the iPhone to Cisco was nigh on impossible.
About the same time, my senior network guy said screw it, let’s put this on a Microsoft server. And so we did. Now, this is interesting in its own right, because configuring out of the box L2TP or PPTP on a Microsoft server results in a default authentication method of Windows Authentication. This does not work for the iPhone, because it has no idea what to do with the Windows security token it receives. So, you authenticate, and then are immediately dropped due to an inability to communicate with the PPP server.
Fortunately, we (as do most organizations) have a Radius server. We selected Radius authentication, configured both sides of the Radius authentication setup properly, and launched the PPTP tunnel…. AND…. EUREKA!!! The iPhone’s VPN software connected, authenticated, got an IP, and I was on the network! Well, no.
After about 2 seconds, I realized that while I did indeed have a connection, I couldn’t do anything with it. Couldn’t even browse to an internal site via IP address. The connection was up, the connection was working, the connection was useless.
So, we decided to give L2TP a shot. Configured it pretty much identically to the PPTP setup, used Radius, launched the iPhone client, and finally, after many days of screwing around, it worked. Now all I needed was to get my email working, so I started working on;
Connecting to Exchange
In the Mail program on the iPhone, the first time you launch it, you’re presented with the ability to configure an email source. However on subsequent or additional accounts, you must go under Settings, Mail to get to this functionality.
Going into the Mail configuration, I selected an additional account, the account type is, of course, Exchange. The configuration components are pretty obvious, however some things of note are;
Do NOT include your domain information in the User Name field
For all Host Names, use the fully qualified domain name of the server, or else IP
You WILL need to have SMTP enabled somewhere in order to send email
Anyway, I set all this up, and nothing happened. It said that my server was not responding. Did a little research, and it turns out that the only way to connect to Exchange is through an IMAP4 connection, and just in case you didn’t know, IMAP4 is disabled by default, so you have to enable and configure it.
Went onto the Exchange server, set the service to Auto, Started the listener, and finally, at long last, EUREKA! I finally had Corporate email on my iPhone, connecting securely, and not sending anything plain text anywhere. Hooray!
Now for the problems with this solution;
First of all, it depends upon VPN access into your environment, something that you may or may not be comfortable with. One good thing is that the iPhone does prompt for password to reconnect, and will tie the continuity of the VPN connection into the general phone lock security, such that an inability to provide the appropriate access code to a locked phone results in the VPN not being accessible.
The VPN of course is dependent upon a reliable network connection. I’ve noticed that it’s somewhat graceful in switching between WiFi and EDGE, however it’s not totally graceful, and you can experience some hinky things, like being able to send and not receive, or the mail client saying ‘Connecting’ for about 5 minutes before it figures things out.
The best cure for this is to simply stop and restart the VPN connection. Note that when you reconnect, the first attempt will prompt you for a numeric password, this is meaningless unless you have the device lock turned on. Just enter anything. (I think this is another bug) THEN it will re-prompt you for your real VPN password.
This solution for email delivery is obviously dependent upon the VPN connection being active. I’ve noticed that at times the iPhone will disconnect the VPN (probably when service switching) and not bother to mention it. When that happens, of course the VPN must be restarted.
For the lazy, this is an inconvenient solution because while it would appear that the iPhone will cache the VPN password, in fact it will not. That means that each re-launch requires that you re-enter your password. Not terrible for me, but I could see it being very tedious for the average corporate user.
The OSX Mail client has several little deficiencies, which may or may not impact your use of the device in this manner. For instance, if you have subfolders defined for your inbox, and server side rules to move mail into them, then you will not see any synchronization of that mail until you actually select the subfolder. Also, since there is such poor management of attachments and downloads, moving anything around via email on this device is nigh on impossible.
EDGE access to your corporate email, via a VPN, is a bit sloooooow. It works, it’s certainly fast enough for my purposes, but it’s not the slick quick access that we’ve all become accustomed to with Blackberry and Good devices. The lack of 3G support becomes a very noticeable shortcoming here.
(Why Apple didn’t simply partner with Good Technologies to crank out a client for this thing, I’ll never understand, but I guess you can refer to my comment above about certain people’s arrogance.)
The biggest problem of all of course is that it’s simply klugey. I hate klugey. But, with the capabilities at this device’s disposal, and given Apple’s ambitious, if a bit idiotic, stance that no third party will develop software for the iPhone, then this is about as good as it’s going to get for now.
It is my understanding that overseas there is some initiative underway to provide a more seamless Visto or Synchronica integration for enterprise email. However, given Apple’s unbelievably restrictive agreement with ATT regarding this device and the OTA necessity of delivering the client, I seriously doubt if we’ll see this in the near future in the US.
But I digress, so…
In Conclusion
This solution is not for the faint of heart, it doesn’t work all that well, and it has way too many moving parts that are subject to failure. However, I would say that this solution is serviceable for the corporate technology professional who needs email, and really, REALLY wants the other features of the iPhone. (i.e., phone whores such as me.) It requires patience, it requires an understanding that this is not a 100% thing, and there definitely needs to be a prebuilt expectation that this device will not serve your email in anything approaching the manner to which you’ve become accustomed.
As long as all of that is okay though, then go right ahead, set it up, and enjoy!
The Short Version;
(I put this at the end because I want everyone to feel my pain!)
Wireless:
Use unsecured wireless or EDGE. Secured wireless may be serviceable as long as the SSID is broadcast, but there are known issues with this.
VPN:
L2TP, shared secret, running on Microsoft server, with Radius. (May work elsewhere, but doesn’t seem to run on Cisco at all) Accounts enabled for external access.
Exchange:
Configure IMAP4 Virtual Server on your Exchange environment, ensure that you have some SMTP resource for outbound email, use fully qualified domain names for all servers (or IP) in the mail config and do not include any domain prefix or suffix for user accounts.
The BIG Disclaimer at the End
Please note that all of this is provided ‘as is’. It worked for me, and I hope it works for you. To my knowledge, it’s not endorsed by Apple, and I’m not in the business of providing support for this thing. If it breaks something, if it doesn’t work, or if you simply don’t like it or me, I don’t care. However, if you have a question, and I’m not busy, and I feel like answering, I may lend a hand. You can email me at
Matthew dot Yotko at mac dot com
Don’t be surprised or offended if I don’t answer. Also, understand that I don’t check this address every day… Maybe a couple times a week.
Macbook Pro Mac OS X (10.4.10) iphone
Thanks, now I understand why the wifi keeps dropping. On my personal wireless network, it also seems the distance from the access point is not good compared to my laptop. At work our network & exchange teams don't seem to have the desire to struggle with this "toy" until customers start forcing its adoption. I am using OWA and it works fine over EDGE. I will share your posting with them.
Thank you again.
Dell Windows XP Pro