Context Directory Agent ipv4 and ipv6 mappings
I have the context directory agent 1.0 patch 2 installed and running. It works well mostly. We have a dual stack running ipv6 and ipv4 on our workstations. They connect to the AD with ipv6, so the mapping is for ipv6. Is there a way to get the ipv4 mappings?
We need to map both addresses for the Web Filtering on the CX.
Same question.
Similar Messages
-
Context Directory Agent Path not found
I am trying to connect Cisco Context Directory Agent to my AD 2012r2 server,
Went through the setup guide and changed all needed register keys, firewall rules, DCOM and wmimgmt permissions,
I got past the access denied error, but now I am getting a "The system cannot find the path specified. [0x80070003]" error.
Here is my log.
wmi-property exception-stack org.jinterop.dcom.core.JIComServer.init(JIComServer.java:580)
org.jinterop.dcom.core.JIComServer.initialise(JIComServer.java:481)
org.jinterop.dcom.core.JIComServer.<init>(JIComServer.java:445)
com.cisco.cda.rt.adobserver.adobserver.jinteropUtil.getWmiLocator(jinteropUtil.java:42)
com.cisco.cda.rt.adobserver.adobserver.EventsThread.QueryWMIProperty(EventsThread.java:81)
com.cisco.cda.rt.adobserver.adobserver.EventsThread.getNetBIOS(EventsThread.java:171)
com.cisco.cda.rt.adobserver.adobserver.EventsThread.extractDCData(EventsThread.java:203)
com.cisco.cda.rt.adobserver.adobserver.EventsThread.run(EventsThread.java:609)
dc-hostname maddcr2.xxxxxxx.local/10.1.0.19
dc-name xxxxx
exception-cause org.jinterop.dcom.common.JIRuntimeException: The system cannot find the path specified. [0x80070003]
wmi-class Win32_NTDomain
exception-message The system cannot find the path specified. [0x80070003]
wmi-property DomainName
dc-username _zxxxxx
Thank you,
Are you running CDA 1.1 with Patch 1:
cda-patchbundle_1.0.0.011-1.i386.tar.gz
Support for Windows 2012 server was added in patch 1. Enable this patch using the command:
admin# patch install cda-patchbundle_1.0.0.011-1.i386.tar.gz myrepository
(see step 2a below for setting up a repository)
Refer :
http://www.cisco.com/en/US/docs/security/ibf/cda_10/Install_Config_guide/cda_install.html#wp1061521
-
Need of Context Directory Agent
Hi all
I downloaded from CCO CDA (Cisco Directory Agent - filename is AD_Agent-v1.0.0.32.1-build-598.Installer.zip) and installed it. The goal is to authenticate users of WSA using Windows Server 2003 Active Directory.
During deployment I discovered CDA supports until W2008R2 AD servers. Because customer plans to migrate soon AD to Windows Server 2012, I think CDA has to be replaced.
Is Cisco Context Directory Agent the right replacement? I read it runs on a separate Virtual Machine, so I need to inform customer we need an additional VM?
Thanks in advance
What you downloaded was the old Active Directory Agent. You need to download CDA (Context Directory Agent) and the four patches and install them on a VM. Download link here: https://software.cisco.com/download/release.html?mdfid=282803423&flowid=4949&softwareid=284724387&release=CDA&relind=AVAILABLE&rellifecycle=&reltype=latest
-
Problem running apache dual stack IPv4 and IPv6
Hello!
I am running a single Lion-Server with one public IPv4 address. Because my Provider is able to support IPv6 now, I ordered a public IPv6 address for my server. (To learn IPv6)
I setup IPv6 address and setup the firewall with ip6fw - everything works fine, I can connect to ssh and afp via IPv4 or IPv6 but when I try to connect to my wiki over IPv6 I get the certificate question (unknown certificate ... blah) click continue and the certificate is loaded again - I end up in an infinite loop of certificate questions.
The part of the firewall config looks like this:
20515 allow tcp from any to any 443
20516 allow tcp from any to any 8443
20517 allow tcp from any to any 1640
I looked into apache config:
/etc/apache2/sites/virtual_host_global.conf has this entries:
Listen *:443
NameVirtualHost *:443
Listen *:80
NameVirtualHost *:80
I have only one domain and only one single virtual host as defined in /etc/apache2/sites/0000_any_443_.conf:
## Default Virtual Host Configuration
<VirtualHost *:443>
ServerAdmin [email protected]
DocumentRoot "/Library/Server/Web/Data/Sites/Default"
DirectoryIndex index.html index.php /wiki/ default.html
CustomLog "/var/log/apache2/access_log" combinedvhost
ErrorLog "/var/log/apache2/error_log"
<IfModule mod_ssl.c>
SSLEngine On
SSLCipherSuite "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
SSLProxyEngine On
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCertificateFile "/etc/certificates/www.ABCDE.de.1A00F8DFC2738F25D26E3248A4C8F687D7EA7F32.cert.pem"
SSLCertificateKeyFile "/etc/certificates/www.ABCDE.de.1A00F8DFC2738F25D26E3248A4C8F687D7EA7F32.key.pem"
SSLCertificateChainFile "/etc/certificates/www.ABCDE.de.1A00F8DFC2738F25D26E3248A4C8F687D7EA7F32.chain.pem"
SSLProxyProtocol -ALL +SSLv3 +TLSv1
</IfModule>
<Directory "/Library/Server/Web/Data/Sites/Default">
Options All +MultiViews -ExecCGI -Indexes
AllowOverride None
<IfModule mod_dav.c>
DAV Off
</IfModule>
</Directory>
</VirtualHost>
I have not modified the apache config by hand until now - but this was an upgrade from Snow Leopard Server. At the moment I am a little scared to upgrade to Mountain Lion server because this server runs mail and calendar services for my company.
I tried to setup "Listen" entry with dedicated IP-addresses, one for IPv4 and one for IPv6 but this only leads to the same problem - IPv4 works, IPv6 ends in an infinite loop.
I found somewhere that I had to duplicate virtual hosts setup for IPv4 and IPv6 but afaik "Server.app" will overwrite it, right?
Every hint is welcome, bye
Christoph
P.S. Sorry just saw that I posted to ML-Server discussions not Lion-Server, but maybe someone can tell me that I can upgrade without scare.
Message was edited by: Christoph Ewering1
Hello!
Did some more testing and found that FireFox works with the loopback-address.
https://[::1]/
So, the address above works with FireFox after accepting the certificate - Safari loops in the dialog accepting the certificate.
Then I tried the link-local-address but it looks like apache does not listen to that address at all
Then I tried the global-address and got to:
Safari looping in the certificate dialog
FireFox brings an alert „sec_err_bad_database"
BTW these tests were made on the server that runs the apache. So no firewall between the browser and the server.
No one using Mac OS X server in a dual stack environment?
Bye,
eweri
-
Best way to pass IPv4 and IPv6 traffic over a GRE Tunnel
Hello,
We have two 3825 routers with Advanced Enterprise IOS 12.4.9(T). Each of them serves many IPv4 (private and public) and IPv6 networks on their respective site.
We have created a wireless link between the two, using 4 wireless devices, with IP Addresses 10.10.2.2, 3, 4, 5 respectively (1 and 6 are the two end Ethernet interfaces on the routers).
Then we created a GRE tunnel over this link using addresses 172.16.1.1 and 2 (for the two ends) to route traffic over this link.
Now we want to route IPv6 traffic over the same link. However, we found that simply routing the IPv6 traffic over the above GRE / IP tunnel did not work.
Questions:
Is there a way we can use the same (GRE / IP) tunnel to transport both IPv4 and IPv6 traffic?
If not, can we setup two GRE tunnels over the same wireless link, that is, one GRE / IP for IPv4 traffic and a second one GRE / IPv6 for IPv6 traffic?
In brief, what is the suggested way to transport IPv4 and IPv6 traffic over the aforementioned (wireless) link?
I have read http://www.cisco.com/c/en/us/td/docs/ios/12_4/interface/configuration/guide/inb_tun.html#wp1061361 and other Internet material, however I am still confused.
Please help.
Thanks in advance,
Nick
We have set up two tunnels over the same link, one GRE / IP for the IPv4 traffic and one IPv6 / IP ("manual") for the IPv6 traffic. This setup seems to be working OK.
If there are other suggestions, please advise.
Thanks,
Nick
-
ZBF in a mixed ipv4 and ipv6 environment, don't touch ipv4
I have a dual stacked router for both ipv4 and ipv6. Ipv4 traffic should pass the zbf untouched due to the fact that there is another rock solid ipv4 firewall egress of the inside Interface. Is there a way that a class map like this could function on ipv6 traffic only?:
class-map type inspect match-any fullproto
description Permitted Traffic to internet
match protocol http
match protocol https
match protocol dns
match protocol imaps
match protocol icmp
match protocol ftp
match protocol ntp
match protocol rtsp
match protocol realmedia
match protocol netshow
match protocol appleqtc
match protocol streamworks
match protocol vdolive
match protocol ssh
match protocol user-rdp
So far there is only a CBAC solution in place for ipv6.
I'm showing my Interfaces:
interface FastEthernet0/0
description *** Inside IPV6 ***
no ip address
speed auto
full-duplex
ipv6 address FE80::1 link-local
ipv6 address ????:????:????:10::1/64
ipv6 nd other-config-flag
ipv6 dhcp relay destination ?:?:?:10::12
ipv6 traffic-filter inne6-inn in
no cdp enable
no mop enabled
interface FastEthernet0/0.4
description *** Inside IPV4 ***
encapsulation dot1Q 4
ip address 82.?.?.129 255.255.255.248
no cdp enable
interface FastEthernet0/1
description *** Outside ***
ip address 82.?.?.42 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
speed auto
full-duplex
ipv6 address FE80::2 link-local
ipv6 address ?:599::2/126
ipv6 enable
ipv6 nd prefix default no-advertise
ipv6 nd prefix ?:599::/126 no-advertise
ipv6 nd managed-config-flag
ipv6 nd other-config-flag
ipv6 nd router-preference High
ipv6 inspect ipv6-cbac out
ipv6 traffic-filter ut-inn6 in
no cdp enable
no mop enabled
Please advise.
Regards,
Henning
I didn't test it, but what about the following:
Configure a new class-map where you match on an ipv6 access-list "any to any"
Configure a third class map of type "match all" where you match on your "fullproto" class-map and also the above ipv6 class-map. For this class map you configure your inspections.
For ipv4-traffic you configure a class with a "pass" action in both directions.
-
WRT54G v6 not working with new Motorola SB6141 on Comcast (IPv4 and IPv6)
My WRT54G v6 not working with a new Motorola SB6141 Cable Modem on Comcast (IPv4 and IPv6).
Yesterday, I had my old DOCSIS 1.1 cable modem and the WRT54G had been working just fine for the past 8 years.
Last night, I swapped in the DOCSIS 3.0 SB6141 cable modem, and now the WRT54G keeps losing the internet connection. When I go into the status page for the WRT54G, I often do not see DNS servers and sometimes do not even see an IP address.
If I connect a PC directly to the SB6141 cable modem, I have no problems whatsoever. But whenever I connect through the WRT54G and power cycle both devices, then I have internet connectivity for about an hour before it drops out. I have noticed my gateway IP address and DNS servers change at that time as well. I can also force the Linksys to lose connectivity by doing a DHCP release/renew on the Linksys status page.
Is this behavior because of the dual stack (IPv4 and IPv6) coming through the cable modem from Comcast now? Is there any way I can keep using my WRT54G v6 now that I have the SB6141 cable modem?
You just have to install it correctly.
http://kb.linksys.com/Linksys/ukp.aspx?pid=80&login=1&app=search&vw=1&articleid=3686
-
Dynamic DNS for ipv4 AND ipv6?
tl;dr: do you know any dynamic dns service and updater daemon that supports both ipv4 and ipv6?
Hi,
ever since my provider supplied me with a proper dual stack account (real ipv4, real ipv6) for internet access I got some kind of little problem regarding the services I host at home. So this is mainly about email. I have a server sitting behind my router that has an open submission and IMAPS port. For ipv4 I've been using the NAT and dyndns features of my router (fritzbox) without any problem. For ipv6 there is no NAT (at least as far as my router is concerned). What I can do though is to open the firewall for incoming ports dynamically based on the interface identifier. So if someone wants to connect to an ipv6 address that would map to my server the router knows to not block the traffic. For this to work though I need to update a dynamic DNS record with the public ipv6 address that my server gets to use (something out of the prefix my provider assigns me). This server is an arch linux box. I tried to use inadyn-mt with some systemd unit file I found through google but this does not seem to work right. When I'm in ipv4-only networks (on a mobile connection for example) I often can't resolve the right ip address of my server through dyndns. The thing is that my server doesn't know about a changed ipv4 address because this is handled by the router. It does only know about when his own ipv6 address changes/expires. Based on when this happens inadyn-mt might fire an update to dyndns and with that also pick up the new ipv4 address, but this is not guaranteed.
Any suggestions, tool and/or service proposals? Is there a way dns-wise to add a CNAME alias just for A records and not for AAAA?
I currently use cloudflare as the DNS servers for my domain as it's free and allows to update certain records with their API. I only use it for IPv4, but since they support AAAA records, I assume it will work for IPv6 just as well. It should be quite simple for you to update the script to get the ip of a given interface instead of fetching it from the net.
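#!/bin/sh
# modified by jfro from http://www.cnysupport.com/index.php/linode-dynamic-dns-ddns-update-script
# Uses curl to be compatible with machines that don't have wget by default
# modified by Ross Hosman for use with cloudflare.
# Fill in the three values below; they are quoted so the placeholders are not parsed as redirections.
cfkey="<your api key>"
cfuser="<your username>"
cfhost="<hostname you want to update>"
# Public address as seen from the internet
WAN_IP=$(curl -s http://icanhazip.com/)
# Do not overwrite the record with an empty value when the lookup fails
[ -n "$WAN_IP" ] || exit 1
# Address sent on the previous run, if any
if [ -f "$HOME/.wan_ip-cf.txt" ]; then
OLD_WAN_IP=$(cat "$HOME/.wan_ip-cf.txt")
else
OLD_WAN_IP=""
fi
# Drop the trailing newline so the progress dots stay on one log line
perl -i -pe 'chomp if eof' /var/log/cfclient.log
if [ "$WAN_IP" = "$OLD_WAN_IP" ]; then
# Unchanged: log a dot (printf is used because "echo -ne" is not portable under /bin/sh)
printf '.' >> /var/log/cfclient.log
else
echo "$WAN_IP" > "$HOME/.wan_ip-cf.txt"
printf '\nUpdating IP to %s\n' "$WAN_IP" >> /var/log/cfclient.log
# The URL is quoted so the shell does not interpret ? and &
curl -s "https://www.cloudflare.com/api.html?a=DIUP&hosts=$cfhost&u=$cfuser&tkn=$cfkey&ip=$WAN_IP" >> /var/log/cfclient.log
fi
printf '\n' >> /var/log/cfclient.log
-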
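The change suggested in the reply above (taking the address from an interface instead of fetching it from the net), as an added Python example that is not part of the original post: it picks the address for the AAAA record from `ip -6 -o addr show` output and checks the A and AAAA records independently, since the two addresses change at different times. The sample output, cached values and function names are constructed for illustration.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")  # private IPv6 space, not reachable from outside
SKIP_FLAGS = {"temporary", "deprecated", "tentative", "dadfailed"}

# Constructed sample of `ip -6 -o addr show dev eth0` (documentation prefix 2001:db8::/32)
SAMPLE_IP_OUTPUT = r"""
2: eth0    inet6 2001:db8:9:9:a00:27ff:fe4e:66a1/64 scope global deprecated dynamic \       valid_lft 3500sec preferred_lft 0sec
2: eth0    inet6 2001:db8:1:2:5c1f:9e0a:77b2:1c3d/64 scope global temporary dynamic \       valid_lft 86390sec preferred_lft 14390sec
2: eth0    inet6 2001:db8:1:2:a00:27ff:fe4e:66a1/64 scope global dynamic mngtmpaddr noprefixroute \       valid_lft 86390sec preferred_lft 14390sec
2: eth0    inet6 fd06:fcde:8b4e:d6bd::1/64 scope global \       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link \       valid_lft forever preferred_lft forever
"""


def publishable_ipv6(ip_output):
    """Return the first stable, globally scoped IPv6 address, or None."""
    for line in ip_output.splitlines():
        fields = line.split()
        if "inet6" not in fields:
            continue
        pos = fields.index("inet6")
        addr = ipaddress.ip_interface(fields[pos + 1]).ip
        flags = set(fields[pos + 2:])
        # Privacy (temporary) addresses rotate and deprecated ones are on their
        # way out; neither belongs in a DNS record that clients will cache.
        if "global" not in flags or flags & SKIP_FLAGS:
            continue
        if addr.is_link_local or addr in ULA:
            continue
        return str(addr)
    return None


def pending_updates(cached, wan_reply, ip_output):
    """Compare current addresses with the cached ones; return records to push.

    cached    -- dict with the last values sent, keys "A" and "AAAA"
    wan_reply -- body returned by the what-is-my-IP service
    """
    updates = {}
    try:
        wan = ipaddress.ip_address(wan_reply.strip())
    except ValueError:
        wan = None  # error page or empty reply: leave the A record alone
    # On a dual-stack host the lookup may itself travel over IPv6 and return
    # an IPv6 address; only an IPv4 answer may go into the A record.
    if isinstance(wan, ipaddress.IPv4Address) and str(wan) != cached.get("A"):
        updates["A"] = str(wan)
    v6 = publishable_ipv6(ip_output)
    if v6 is not None and v6 != cached.get("AAAA"):
        updates["AAAA"] = v6
    return updates


if __name__ == "__main__":
    cached = {"A": "198.51.100.7", "AAAA": "2001:db8:1:2:a00:27ff:fe4e:66a1"}
    print(pending_updates(cached, "198.51.100.9\n", SAMPLE_IP_OUTPUT))
```

Run from a timer rather than only on IPv6 address changes, this catches an IPv4 change made by the router even when the server's own IPv6 address is unchanged.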
EA4500 loses IPv4 and IPv6 information
No changes made but router will lose all information for IPv connectivity. I have paid twice to support to fix this issue and it still occurs every few months.
I tried rebooting router, and doing an IP Release/ Renew and router does not get IP address. I'd prefer not to have to pay again to fix this router. Any ideas?
Sorry - thought I had info:
I don't see anything on the router indicating a model other than EA4500. There is a serial number. It's plugged directly into a Toshiba PCX2500 modem. If I connect my PC directly to the modem I have internet.
The router maintains all settings that Cisco helped me set up before except there are no IPv4 or IPv6 settings. I have screen shots from the setup. The Cisco rep had to clone the MAC of the modem to get the router to work. (Admin tab).
I unplugged modem and router and rebooted each. Everything appears to come up normally except for no IPv4/6 settings. I tried a release/renew but those settings stay blank.
I have internal network connectivity with the router, just no internet. I use Road Runner. I have a second network also on Road Runner but on a different modem and domain that is working fine. Unfortunately I have hard wired connections and kids games that rely on the EA4500
-
How to configure a COM domain, IPv4 and IPv6
Hi,
I am a new user on the Mac Server, but I have experience in Linux, my problem would be to understand how I configure the Mac Mini Server during installation or after installation, to assign a COM domain.
I would like to configure only the service Apache, FTP, MySQL.
My internet provider, today provided me 4 static IPs IPv4 and 4 IPv6, to use, now I want also to configure two local DNS if possible:
IPv4:
www.mydomain.com
ftp.mydomain.com
mysql.mydomain.com
IPv6:
www6.mydomain.com
For if I can configure DNS in Dual Stack or if I have to record them in a different way.
A control panel is currently not able to find it, you can advise me if something is well accepted, the important it is for business use as I would like to configure the server is for private use.
I hope I was clear, I'm sorry but I do not speak perfect English.
Thanks in advance to all.
To be clear, in your example you only have one domain - mydomain.com - all the other entries are just host records within that domain.
For your IPv4 hosts just add standard A records:
ftp A 1.2.3.4
www A 1.2.3.5
mysql A 1.2.3.6
For your IPv6 hosts just add AAAA records:
www6 AAAA 1234::ab:cd:ef
I seriously doubt you want to put your MySQL server on a public IP address, though, so I'd look carefully at your network setup before going much further.
-
What is the new Cisco Context Directory Agent?
Hi Everyone.
I noticed on the ASA software download page the new Content Directory Agent (~800MB). I could not find any release notes nor other references from a Google search.
http://www.cisco.com/cisco/software/release.html?mdfid=280582808&softwareid=280775065&release=8.4.4.ED&flowid=4822
What is it?
A
Context Directory Agent is the successor product to AD agent. It provides similar functionality but comes with Linux distribution and has a GUI based interface. You are right that at the link you gave there is no documentation posted. Will need to dig around
The release notes for the AD Agent product are at: http://www.cisco.com/en/US/docs/security/ibf/release_notes/ibf10_rn.html
-
Context Directory Agent server 2012R2
Hi,
Win server 2012R2 is not officially on the supported list for Context Directory Agent (CDA), anyone tested this setup?
I have been following the Installation guide for 2012: http://www.cisco.com/en/US/docs/security/ibf/cda_10/Install_Config_guide/cda_install.html but the server stays red in the CDA gui. No error messages in the log though.
CDA is patch1 and CDA user is within the Domain Admin group and necessary priv changes according to the installation document is in place (registry key ownership etc.), firewall on the server has been temporarily disabled.
Just wanted to see if there is anyone who got the combination CDA/2012R2 running and/or when there will be an official patch to CDA to add 2012R2 support.
I opened a case and they refer me to bug CSCun10631.
(CDA doesn't support 2012R2).
The good news is that a new patch (3) should be released this month (July) and will include support.
-
IronPort WSA S170 and Context directory agent
Hello people and experts,
I need your consultation regarding IronPort and CDA deployment.
I couldn't find any information in internet...
So my question is - if IronPort is AD domain member and Explicit forward proxy is planned to be used. Do I need CDA to be deployed? What will happen if I don't want to deploy CDA in my environment?
As I understood CDA is useful when IronPort works as Transparent Proxy or if IronPort is not a member of the same domain as users.
Please advise.
The CDA eliminates the need for NTLM authentication. Once a user logs onto their computer in the morning and authenticates to the domain, the CDA will have received a successful audit event/log that informs it that user X is signed on to IP address X. When the WSA needs to find out who is on this IP address, instead of using NTLM to challenge the client machine, it will ask the CDA who signed on this particular IP address. Once it gets the user name, the WSA will proceed as usual and query the AD to determine the group membership of that particular user.
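A simplified model of the lookup described above, as an added Python example (not CDA or WSA code; the class, the event fields, the "challenge" and "transparent" labels and the sample addresses are constructed). It shows logon events filling an IP-to-user table that the proxy queries by client IP, and why a dual-stack client that logged on over IPv6 has no entry when its web traffic arrives over IPv4.

```python
import ipaddress


def canonical(ip):
    """One spelling per address, so the event source and the proxy agree on the key."""
    addr = ipaddress.ip_address(ip.split("%")[0])  # drop an interface zone id
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped                    # ::ffff:10.1.0.40 -> 10.1.0.40
    return str(addr)                               # lower case, "::" compressed


class IdentityMap:
    """IP address -> user who most recently logged on from it."""

    def __init__(self):
        self._by_ip = {}

    def record_logon(self, event):
        key = canonical(event["ip"])
        previous = self._by_ip.get(key)
        # Events can arrive out of order; the newest logon for an address wins.
        if previous is None or event["time"] >= previous["time"]:
            self._by_ip[key] = {"user": event["user"], "time": event["time"]}

    def lookup(self, client_ip):
        entry = self._by_ip.get(canonical(client_ip))
        return entry["user"] if entry else None


def identify(idmap, client_ip, groups_by_user):
    """What the proxy learns about a client from its source address alone."""
    user = idmap.lookup(client_ip)
    if user is None:
        # No mapping: the proxy cannot identify the user passively and has to
        # fall back to an explicit authentication challenge or a default policy.
        return {"user": None, "groups": [], "action": "challenge"}
    return {"user": user, "groups": groups_by_user.get(user, []), "action": "transparent"}


# Constructed logon events; alice's workstation reached the DC over IPv6 only.
SAMPLE_EVENTS = [
    {"time": 100, "user": "alice", "ip": "FD06:FCDE:8B4E:D6BD:0:0:0:25"},
    {"time": 160, "user": "bob", "ip": "::ffff:10.1.0.40"},
    {"time": 90, "user": "carol", "ip": "fd06:fcde:8b4e:d6bd::25"},  # older, ignored
]
SAMPLE_GROUPS = {"alice": ["Staff"], "bob": ["Staff", "IT"]}


def build_map(events):
    idmap = IdentityMap()
    for event in events:
        idmap.record_logon(event)
    return idmap


if __name__ == "__main__":
    idmap = build_map(SAMPLE_EVENTS)
    print(identify(idmap, "fd06:fcde:8b4e:d6bd::25", SAMPLE_GROUPS))  # alice, via IPv6
    print(identify(idmap, "10.1.0.37", SAMPLE_GROUPS))  # same PC over IPv4: no mapping
```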
-
How to configure DNS to support ipv4 and ipv6
I have a 2008 r2 domain controller in my lab.
i'm doing Exchange 2007, 2010 and 2013. I have mix Windows 2008 r2 servers for other applications.
i'm running into issues where i'm thinking it is time to have both IPV4 & IPV6 to run on all lab machines.
I can't get a clear picture on how to accomplish a mix environment. In the DNS administrator do I create a new "reverse lookup zone" with only the IPV6? Or do I have to create a new record in the "forward lookup zone" with both IPV4 & IPV6 which the latter points to the new "reverse lookup zone".
I see a lot of internet article but little on "how to".
or on the DC should I enable the DHCP role to support the IPV6?
1. You assign an IPv6 address to the domain controller/DNS server
One method is letting this site (legitimate) create a random private IPv6 range for you:
http://www.simpledns.com/private-ipv6.aspx
For example:
fd06:fcde:8b4e:d6bd:xxxx:xxxx:xxxx:xxxx
You can configure the x's like this (you cannot leave the x's there):
fd06:fcde:8b4e:d6bd:0000:0000:0000:0001
If you close and open IPv6 properties, or do an "ipconfig /all" you'll see that the IPv6 is abbreviated as follows:
fd06:fcde:8b4e:d6bd::1
That's normal.
If you look in your forward lookup zone, you'll now see this IPv6 address (you may have to register that manually - ipconfig /registerdns - but it seemed to happen automatically for me).
So there is no need to create a separate forward lookup zone for IPv6.
OK, but what about the reverse zone?
2. Create reverse lookup
In DNS Manager (what you call administrator), right-click on reverse lookup zone, select New Zone, click Next, Next (default values are fine) until you choose between IPv6 and IPv4. Select IPv6 of course.
Then enter your prefix as shown here:
That's it. The reverse lookup information is configured automatically (your prefix "backwards").
Now, unlike with the forward lookup zone, my domain controller does not seem to be registering its name in the reverse IPv6 zone: there's only the SOA and NS record.
But that's another question.
Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.
-
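The two steps in the answer above, as an added Python example that is not part of the original post: it generates a random private /64 locally (fd prefix, 40 random bits and a 16-bit subnet ID as laid out in RFC 4193, using the OS random source rather than the RFC's sample hash procedure) and derives the reverse zone name, which is the prefix written "backwards" one hex digit at a time. The function names are illustrative; the answer's prefix fd06:fcde:8b4e:d6bd is reused as sample input.

```python
import ipaddress
import secrets


def new_private_subnet(subnet_id=0):
    """Random private /64: 'fd' (8 bits) + 40-bit global ID + 16-bit subnet ID."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet_id must fit in 16 bits")
    global_id = secrets.randbits(40)
    prefix = (0xFD << 120) | (global_id << 80) | (subnet_id << 64)
    return ipaddress.IPv6Network((prefix, 64))


def reverse_zone(network):
    """Name of the ip6.arpa zone for a prefix: its hex digits in reverse order."""
    net = ipaddress.ip_network(network)
    if net.version != 6 or net.prefixlen % 4:
        raise ValueError("need an IPv6 prefix whose length is a multiple of 4")
    digits = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(digits)) + ".ip6.arpa"


def ptr_record(address, zone_network):
    """Return (owner name inside the zone, full PTR name) for a host address."""
    addr = ipaddress.ip_address(address)
    net = ipaddress.ip_network(zone_network)
    if addr not in net:
        raise ValueError(f"{addr} is not inside {net}")
    full = addr.reverse_pointer
    zone = reverse_zone(net)
    return full[: -len(zone) - 1], full


if __name__ == "__main__":
    # The prefix from the answer, with the x's set to ...:0001
    dc = ipaddress.ip_address("fd06:fcde:8b4e:d6bd:0000:0000:0000:0001")
    print(dc.compressed)                       # abbreviated form shown by ipconfig
    print(reverse_zone("fd06:fcde:8b4e:d6bd::/64"))
    print(ptr_record(dc, "fd06:fcde:8b4e:d6bd::/64"))
    print(new_private_subnet())                # a fresh prefix for your own lab
```

The owner name returned by `ptr_record` is the host part a PTR record would carry inside that zone, which is the record the answer notes is missing for the domain controller.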
Multihomed servers with IPv4 and IPv6
We have a set up where we have virtual servers with two NIC's. One NIC is connected to our corporate network and the other NIC is connected (via layer 2 over MPLS) to the customer network. The NIC on our network is only assigned an IPv6 address and the NIC on the customer network is only assigned an IPv4 address from the customer DHCP server. The problem we are running into is when the server does an NSLOOKUP for a URL that is associated with a server located on our network (the server has an IPv6 and IPv4 address and is publicly accessible to the internet) the traffic goes out the customer NIC then out their internet connection and back to our public facing load balancer. Our application that runs on the server needs to communicate with a server at the customer site and then send that data to a server on our side. We believe this behavior is happening because the customer server is responding as an "Authoritative" DNS server. We are trying to avoid using the HOSTS file if possible (when we use the HOSTS file and specify the FQDN with the IPv6 address our application works fine and goes out our NIC).
Any help would be appreciated
Thanks,
Thanks for the idea Bruno, however we did try this already. I moved the adapter with IPv6 to the top of the binding order and rebooted the VM. However when I run NSLOOKUP it still goes out the adapter with IPv4 which is now second in the binding order.
Side question. When I do an IPCONFIG /all what determines the order of listed adapters? I have changed the adapter names (so it isn't alphabetical), I have looked at the adapters in device manager and it isn't based on which one is #1 next to it. And now I have changed the binding order and it still hasn't changed. The adapter with IPv4 is always listed first. Not sure if that means anything but just an observation.
Any other ideas?
Thanks,
Adam