Context Directory Agent ipv4 and ipv6 mappings

I have the context directory agent 1.0 patch 2 installed and running.  It works well mostly.  We have a dual stack running ipv6 and ipv4 on our workstations.  They connect to the AD with ipv6, so the mapping is for ipv6.  Is there a way to get the ipv4 mappings?
We need to map both addresses for the Web Filtering on the CX.

Same question.

Similar Messages

  • Context Directory Agent Path not found

    I am trying to connect Cisco Context Directory Agent to my AD 2012r2 server,
    Went through the setup guide and changed all needed register keys, firewall rules, DCOM and wmimgmt permissions,
    I got past the access denied error, but now I am getting a "The system cannot find the path specified. [0x80070003]" error.
    Here is my log.
    wmi-property exception-stack org.jinterop.dcom.core.JIComServer.init(JIComServer.java:580)
    org.jinterop.dcom.core.JIComServer.initialise(JIComServer.java:481)
    org.jinterop.dcom.core.JIComServer.<init>(JIComServer.java:445)
    com.cisco.cda.rt.adobserver.adobserver.jinteropUtil.getWmiLocator(jinteropUtil.java:42)
    com.cisco.cda.rt.adobserver.adobserver.EventsThread.QueryWMIProperty(EventsThread.java:81)
    com.cisco.cda.rt.adobserver.adobserver.EventsThread.getNetBIOS(EventsThread.java:171)
    com.cisco.cda.rt.adobserver.adobserver.EventsThread.extractDCData(EventsThread.java:203)
    com.cisco.cda.rt.adobserver.adobserver.EventsThread.run(EventsThread.java:609)
    dc-hostname maddcr2.xxxxxxx.local/10.1.0.19
    dc-name xxxxx
    exception-cause org.jinterop.dcom.common.JIRuntimeException: The system cannot find the path specified. [0x80070003]
    wmi-class Win32_NTDomain
    exception-message The system cannot find the path specified. [0x80070003]
    wmi-property DomainName
    dc-username _zxxxxx
    Thank you,

    Are you running CDA 1.1 with Patch 1:
    cda-patchbundle_1.0.0.011-1.i386.tar.gz
    Support for Windows 2012 server was added in patch 1. Enable
    this patch using the command:
    admin# patch install cda-patchbundle_1.0.0.011-1.i386.tar.gz myrepository
    (see step 2a below for setting up a repository)
    Refer :
    http://www.cisco.com/en/US/docs/security/ibf/cda_10/Install_Config_guide/cda_install.html#wp1061521  

  • Need of Context Directory Agent

    Hi all
    I downloaded from CCO CDA (Cisco Directory Agent - filename is AD_Agent-v1.0.0.32.1-build-598.Installer.zip) and installed it. The goal is to authenticate users of WSA using Windows Server 2003 Active Directory.
    During deployment I discovered CDA supports until W2008R2 AD servers. Because customer plans to migrate soon AD to Windows Server 2012, I think CDA has to be replaced.
    Is Cisco Context Directory Agent the right replacement? I read it  runs on a separate Virtual Machine, so I need to inform customer we need an additional VM?
    Thanks in advance

    What you downloaded was the old Active Directory Agent. You need to download CDA (Context Directory Agent) and the four patches and install them on a VM. Download link here: https://software.cisco.com/download/release.html?mdfid=282803423&flowid=4949&softwareid=284724387&release=CDA&relind=AVAILABLE&rellifecycle=&reltype=latest

  • Problem running apache dual stack IPv4 and IPv6

    Hello!
    I am running a single Lion-Server with one public IPv4 address. Because my Provider is able to support IPv6 now, I ordered a public IPv6 address for my server. (To learn IPv6)
    I setup IPv6 address and setup the firewall with ip6fw - everything works fine, I can connect to ssh and afp via IPv4 or IPv6 but when I try to connect to my wiki over IPv6 I get the certificate question (unknown certificate ... blah) click continue and the certificate is loaded again - I end up in an infinite loop of certificate questions.
    The part of the firewall config looks like this:
    20515 allow tcp from any to any 443
    20516 allow tcp from any to any 8443
    20517 allow tcp from any to any 1640
    I looked into apache config:
    /etc/apache2/sites/virtual_host_global.conf has this entries:
    Listen  *:443
    NameVirtualHost *:443
    Listen  *:80
    NameVirtualHost *:80
    I have only one domain and only one single virtual host as defined in /etc/apache2/sites/0000_any_443_.conf:
    ## Default Virtual Host Configuration
    <VirtualHost *:443>
            ServerAdmin [email protected]
            DocumentRoot "/Library/Server/Web/Data/Sites/Default"
            DirectoryIndex index.html index.php /wiki/ default.html
            CustomLog "/var/log/apache2/access_log" combinedvhost
            ErrorLog "/var/log/apache2/error_log"
            <IfModule mod_ssl.c>
                    SSLEngine On
                    SSLCipherSuite "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
                    SSLProxyEngine On
                    SSLProtocol -ALL +SSLv3 +TLSv1
                    SSLCertificateFile "/etc/certificates/www.ABCDE.de.1A00F8DFC2738F25D26E3248A4C8F687D7EA7F32.cert.pem"
                    SSLCertificateKeyFile "/etc/certificates/www.ABCDE.de.1A00F8DFC2738F25D26E3248A4C8F687D7EA7F32.key.pem"
                    SSLCertificateChainFile "/etc/certificates/www.ABCDE.de.1A00F8DFC2738F25D26E3248A4C8F687D7EA7F32.chain.pem"
                    SSLProxyProtocol -ALL +SSLv3 +TLSv1
            </IfModule>
            <Directory "/Library/Server/Web/Data/Sites/Default">
                    Options All +MultiViews -ExecCGI -Indexes
                    AllowOverride None
                    <IfModule mod_dav.c>
                            DAV Off
                    </IfModule>
            </Directory>
    </VirtualHost>
    I have not modified the apache config by hand until now - but this was an upgrade from Snow Leopard Server. At the moment I am a little scared to upgrade to Mountain Lion server because this server runs mail and calendar services for my company.
    I tried to setup "Listen" entry with dedicated IP-addresses, one for IPv4 and one for IPv6 but this only leads to the same problem - IPv4 works, IPv6 ends in an infinite loop.
    I found somewhere that I had to duplicate virtual hosts setup for IPv4 and IPv6 but afaik "Server.app" will overwrite it, right?
    Every hint is welcome, bye
    Christoph
    P.S. Sorry just saw that I posted to ML-Server discussions not Lion-Server, but maybe someone can tell me that I can upgrade without scare.
    Message was edited by: Christoph Ewering1

    Hello!
    Did some more testing and found that FireFox works with the loopback-address.
    https://[::1]/
    So, the address above works with FireFox after accepting the certificate - Safari loops in the dialog accepting the certificate.
    Then I tried the link-local-address but it looks like apache does not listen to that address at all
    Then I tried the global-address and got to:
    Safari looping in the certificate dialog
    FireFox brings an alert „sec_err_bad_database"
    BTW these tests were made on the server that runs the apache. So no firewall between the browser and the server.
    No one using Mac OS X server in a dual stack environment?
    Bye,
    eweri

  • Best way to pass IPv4 and IPv6 traffic over a GRE Tunnel

    Hello,
    We have two 3825 routers with Advanced Enterprise IOS 12.4.9(T). Each of them serves many IPv4 (private and public) and IPv6 networks on their respective site.
    We have created a wireless link between the two, using 4 wireless devices, with IP Addresses 10.10.2.2, 3, 4, 5 respectively (1 and 6 are the two end Ethernet interfaces on the routers).
    Then we created a GRE tunnel over this link using addresses 172.16.1.1 and 2 (for the two ends) to route traffic over this link.
    Now we want to route IPv6 traffic over the same link. However, we found that simply routing the IPv6 traffic over the above GRE / IP tunnel did not work.
    Questions:
    Is there a way we can use the same (GRE / IP) tunnel to transport both IPv4 and IPv6 traffic?
    If not, can we setup two GRE tunnels over the same wireless link, that is, one GRE / IP for IPv4 traffic and a second one GRE / IPv6 for IPv6 traffic?
    In brief, what is the suggested way to transport IPv4 and IPv6 traffic over the aforementioned (wireless) link?
    I have read http://www.cisco.com/c/en/us/td/docs/ios/12_4/interface/configuration/guide/inb_tun.html#wp1061361 and other Internet material, however I am still confused.
    Please help.
    Thanks in advance,
    Nick

    We have set up two tunnels over the same link, one GRE / IP for the IPv4 traffic and one IPv6 / IP ("manual") for the IPv6 traffic. This setup seems to be working OK.
    If there are other suggestions, please advise.
    Thanks,
    Nick

  • ZBF in a mixed ipv4 and ipv6 environment, don't touch ipv4

    I have a dual stacked router for both ipv4 and ipv6. Ipv4 traffic should pass the zbf untouched due to the fact that there is another rock solid ipv4 firewall egress of the inside Interface. Is there a way that a class map like this could function on ipv6 traffic only?:
    class-map type inspect match-any fullproto
     description Permitted Traffic to internet
     match protocol http
     match protocol https
     match protocol dns
     match protocol imaps
     match protocol icmp
     match protocol ftp
     match protocol ntp
     match protocol rtsp
     match protocol realmedia
     match protocol netshow
     match protocol appleqtc
     match protocol streamworks
     match protocol vdolive
     match protocol ssh
     match protocol user-rdp
    So far there is only a CBAC solution in place for ipv6.
    I'm showing my Interfaces:
    interface FastEthernet0/0
     description *** Inside IPV6 ***
     no ip address
     speed auto
     full-duplex
     ipv6 address FE80::1 link-local
     ipv6 address ????:????:????:10::1/64
     ipv6 nd other-config-flag
     ipv6 dhcp relay destination ?:?:?:10::12
     ipv6 traffic-filter inne6-inn in
     no cdp enable
     no mop enabled
    interface FastEthernet0/0.4
     description *** Inside IPV4 ***
     encapsulation dot1Q 4
     ip address 82.?.?.129 255.255.255.248
     no cdp enable
    interface FastEthernet0/1
     description *** Outside ***
     ip address 82.?.?.42 255.255.255.252
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     speed auto
     full-duplex
     ipv6 address FE80::2 link-local
     ipv6 address ?:599::2/126
     ipv6 enable
     ipv6 nd prefix default no-advertise
     ipv6 nd prefix ?:599::/126 no-advertise
     ipv6 nd managed-config-flag
     ipv6 nd other-config-flag
     ipv6 nd router-preference High
     ipv6 inspect ipv6-cbac out
     ipv6 traffic-filter ut-inn6 in
     no cdp enable
     no mop enabled
    Please advise.
    Regards,
    Henning

    I didn't test it, but what about the following:
    Configure a new class-map where you match on an ipv6 access-list "any to any"
    Configure a third class map of type "match all" where you match on your "fullproto" class-map and also the above ipv6 class-map. For this class map you configure your inspections.
    For ipv4-traffic you configure a class with a "pass" action in both directions.

  • WRT54G v6 not working with new Motorola SB6141 on Comcast (IPv4 and IPv6)

    My WRT54G v6 is not working with a new Motorola SB6141 Cable Modem on Comcast (IPv4 and IPv6).
    Yesterday, I had my old DOCSIS 1.1 cable modem and the WRT54G had been working just fine for the past 8 years.
    Last night, I swapped in the DOCSIS 3.0 SB6141 cable modem, and now the WRT54G keeps losing the internet connection.  When I go into the status page for the WRT54G, I often do not see DNS servers and sometimes do not even see an IP address.
    If I connect a PC directly to the SB6141 cable modem, I have no problems whatsoever.  But whenever I connect through the WRT54G and power cycle both devices, then I have internet connectivity for about an hour before it drops out.  I have noticed my gateway IP address and DNS servers change at that time as well.  I can also force the Linksys to lose connectivity by doing a DHCP release/renew on the Linksys status page.
    Is this behavior because of the dual stack (IPv4 and IPv6) coming through the cable modem from Comcast now?  Is there any way I can keep using my WRT54G v6 now that I have the SB6141 cable modem?  

    You just have to install it correctly.
    http://kb.linksys.com/Linksys/ukp.aspx?pid=80&login=1&app=search&vw=1&articleid=3686

  • Dynamic DNS for ipv4 AND ipv6?

    tl;dr: do you know any dynamic dns service and updater daemon that supports both ipv4 and ipv6?
    Hi,
    ever since my provider supplied me with a proper dual stack account (real ipv4, real ipv6) for internet access I got some kind of little problem regarding the services I host at home. So this is mainly about email. I have a server sitting behind my router that has an open submission and IMAPS port. For ipv4 I've been using the NAT and dyndns features of my router (fritzbox) without any problem. For ipv6 there is no NAT (at least as far as my router is concerned). What I can do though is to open the firewall for incoming ports dynamically based on the interface identifier. So if someone wants to connect to an ipv6 address that would map to my server the router knows to not block the traffic. For this to work though I need to update a dynamic DNS record with the public ipv6 address that my server gets to use (something out of the prefix my provider assigns me). This server is an arch linux box. I tried to use inadyn-mt with some systemd unit file I found through google but this does not seem to work right. When I'm in ipv4-only networks (on a mobile connection for example) I often can't resolve the right ip address of my server through dyndns. The thing is that my server doesn't know about a changed ipv4 address because this is handled by the router. It does only know about when his own ipv6 address changes/expires. Based on when this happens inadyn-mt might fire an update to dyndns and with that also pick up the new ipv4 address, but this is not guaranteed.
    Any suggestions, tool and/or service proposals? Is there a way dns-wise to add a CNAME alias just for A records and not for AAAA?

    I currently use cloudflare as the DNS servers for my domain as it's free and allows to update certain records with their API. I only use it for IPv4, but since they support AAAA records, I assume it will work for IPv6 just as well. It should be quite simple for you to update the script to get the ip of a given interface instead of fetching it from the net.
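    #!/bin/sh
    # modified by jfro from http://www.cnysupport.com/index.php/linode-dynamic-dns-ddns-update-script
    # Uses curl to be compatible with machines that don't have wget by default
    # modified by Ross Hosman for use with cloudflare.
    # Fill in the three values below; they are quoted so the shell does not
    # treat the angle brackets as redirections.
    cfkey="<your api key>"
    cfuser="<your username>"
    cfhost="<hostname you want to update>"
    # Current public address as seen from the internet (fetched over TLS so the
    # answer cannot be altered in transit)
    WAN_IP=$(curl -s https://icanhazip.com/)
    # Never push an empty address if the lookup failed
    if [ -z "$WAN_IP" ]; then
        echo "Could not determine WAN IP" >&2
        exit 1
    fi
    # Address recorded by the previous run, if any
    if [ -f "$HOME/.wan_ip-cf.txt" ]; then
        OLD_WAN_IP=$(cat "$HOME/.wan_ip-cf.txt")
    else
        OLD_WAN_IP=""
    fi
    # Strip the log's trailing newline so the progress dots stay on one line
    perl -i -pe 'chomp if eof' /var/log/cfclient.log
    if [ "$WAN_IP" = "$OLD_WAN_IP" ]; then
        # Unchanged: just log a dot (printf is portable, echo -ne is not under /bin/sh)
        printf '.' >> /var/log/cfclient.log
    else
        echo "$WAN_IP" > "$HOME/.wan_ip-cf.txt"
        printf '\nUpdating IP to %s\n' "$WAN_IP" >> /var/log/cfclient.log
        # URL is quoted so ? and & reach curl untouched
        curl -s "https://www.cloudflare.com/api.html?a=DIUP&hosts=$cfhost&u=$cfuser&tkn=$cfkey&ip=$WAN_IP" >> /var/log/cfclient.log
    fi
    printf '\n' >> /var/log/cfclient.log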
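
Following the suggestion in the reply above to read the address from an interface rather than fetching it from the net, this added example (not part of the original post) picks the address to publish in the AAAA record from `ip -6 -o addr show` output. It skips temporary and deprecated addresses, since the question's router opens its firewall by interface identifier and needs a stable one; the sample output and interface name are constructed.

```python
import ipaddress
import re

# Constructed sample of `ip -6 -o addr show dev eth0` output
# (2001:db8::/32 is the documentation prefix, standing in for the ISP prefix).
SAMPLE = """\
2: eth0    inet6 2001:db8:1:2:5d3a:91ff:fe20:77c1/64 scope global temporary dynamic \\       valid_lft 6000sec preferred_lft 3000sec
2: eth0    inet6 2001:db8:1:2:211:22ff:fe33:4455/64 scope global dynamic mngtmpaddr \\       valid_lft 7000sec preferred_lft 3500sec
2: eth0    inet6 2001:db8:0:9:211:22ff:fe33:4455/64 scope global deprecated dynamic \\       valid_lft 300sec preferred_lft 0sec
2: eth0    inet6 fd06:fcde:8b4e:d6bd::1/64 scope global \\       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::211:22ff:fe33:4455/64 scope link \\       valid_lft forever preferred_lft forever
"""

# address, scope, then the flag words up to the "\" that -o prints in place of a newline
LINE = re.compile(r"inet6 (?P<addr>[0-9a-f:]+)/\d+ scope (?P<scope>\w+)(?P<flags>[^\\]*)")
ULA = ipaddress.ip_network("fc00::/7")          # unique local, not reachable from outside
UNUSABLE = {"temporary", "deprecated", "tentative", "dadfailed"}


def publishable_ipv6(ip_output):
    """Return the first stable, globally routable address, or None if there is none."""
    for line in ip_output.splitlines():
        m = LINE.search(line)
        if not m or m["scope"] != "global":
            continue                             # link-local and host scope never go in DNS
        if set(m["flags"].split()) & UNUSABLE:
            continue                             # privacy address or old prefix being phased out
        addr = ipaddress.IPv6Address(m["addr"])
        if addr in ULA or addr.is_link_local:
            continue
        return str(addr)
    return None


if __name__ == "__main__":
    print(publishable_ipv6(SAMPLE))
```
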

  • EA4500 loses IPv4 and IPv6 information

    No changes made but router will lose all information for IPv connectivity.  I have paid twice to support to fix this issue and it still occurs every few months. 
    I tried rebooting router, and doing an IP Release/ Renew and router does not get IP address. I'd prefer not to have to pay again to fix this router. Any ideas?

    Sorry - thought I had info:
    I don't see anything on the router indicating a model other than EA4500. There is a serial number. Its plugged directly into a
    Toshiba PCX2500 modem. If I connect my PC directly to the modem I have internet. 
    The router maintains all settings that Cisco helped me set up before except there are not IPv4 or IPv6 settings. I have screen shots from the setup. The Cisco rep had to clone the MAC of the modem to get the router to work. (Admin tab). 
    I unplugged modem and router and rebooted each. Everything appears to come up normally except for no IPv4/6 settings. I tried a release/renew but those settings stay blank.
    I have internal network connectivity with the router, just no internet. I use Road Runner. I have a second network also on Road Runner but on a different modem and domain that is working fine. Unfortunately I have hard wired connections and kids games that rely on the EA4500

  • How to configure a COM domain, IPv4 and IPv6

    Hi,
    I am a new user on the Mac Server, but I have experience in Linux, my problem would be to understand how I configure the Mac Mini Server during installation or after installation, to assign a COM domain.
    I would like to configure only the service Apache, FTP, MySQL.
    My internet provider, today provided me 4 static IPs IPv4 and 4 IPv6, to use, now I want also to configure two local DNS if possible:
    IPv4:
    www.mydomain.com
    ftp.mydomain.com
    mysql.mydomain.com
    IPv6:
    www6.mydomain.com
    For if I can configure DNS in Dual Stack or if I have to record them in a different way.
    A control panel is currently not able to find it, you can advise me if something is well accepted, the important it is for business use as I would like to configure the server is for private use.
    I hope I was clear, I'm sorry but I do not speak perfect English.
    Thanks in advance to all.

    To be clear, in your example you only have one domain - mydomain.com - all the other entries are just host records within that domain.
    For your IPv4 hosts just add standard A records:
    ftp  A  1.2.3.4
    www   A   1.2.3.5
    mysql  A  1.2.3.6
    For your IPv6 hosts just add AAAA records:
    www6    AAAA 1234::ab:cd:ef
    I seriously doubt you want to put your MySQL server on a public IP address, though, so I'd look carefully at your network setup before going much further.

  • What is the new Cisco Context Directory Agent?

    Hi Everyone.
    I noticed on the ASA software download page the new Content Directory Agent (~800MB).  I could not find any release notes nor other references from a Google search.
    http://www.cisco.com/cisco/software/release.html?mdfid=280582808&softwareid=280775065&release=8.4.4.ED&flowid=4822
    What is it?
    A

    Context Directory Agent is the successor product to AD agent. It provides similar functionality but comes with Linux distribution and has a GUI based interface. You are right that at the link you gave there is no documentation posted. Will need to dig around.
    The release notes for the AD Agent product are at: http://www.cisco.com/en/US/docs/security/ibf/release_notes/ibf10_rn.html

  • Context Directory Agent server 2012R2

    Hi,
    Win server 2012R2 is not officially on the supported list for Context Directory Agent (CDA), anyone tested this setup?
    I have been following the Installation guide for 2012 : http://www.cisco.com/en/US/docs/security/ibf/cda_10/Install_Config_guide/cda_install.html but the server stays red in the CDA gui. No error messages in the log though.
    CDA is patch1 and CDA user is within the Domain Admin group and necessary priv changes according to the installation document is in place (registry key ownership etc.), firewall on the server has been temporarily disabled.
    Just wanted to see if there is anyone who got the combination CDA/2012R2 running and/or when there will be an official patch to CDA to add 2012R2 support.

    I opened a case and they refer me to bug CSCun10631.
    (CDA doesn't support 2012R2).
    The good news is that a new patch (3) should be released this month (July) and will include support.

  • IronPort WSA S170 and Context directory agent

    Hello people and experts,
    I need your consultation regarding IronPort and CDA deployment.
    I couldn't find any information in internet...
    So my question is - if IronPort is AD domain member and Explicit forward proxy is planned to be used. Do I need CDA to be deployed? What will happen if I don't want to deploy CDA in my environment?
    As I understood CDA is useful when IronPort works as Transparent Proxy or if IronPort is not a member of the same domain as users.
    Please advise.

    The CDA eliminates the need for NTLM authentication.  Once a user logs onto their computer in the morning and authenticates to the domain, the CDA will have received a successful audit event/log that informs it that user X is signed on to IP address X.  When the WSA needs to find out who is on this IP address, instead of using NTLM to challenge the client machine, it will ask the CDA who signed on this particular IP address.  Once it gets the user name, the WSA will proceed as usual and query the AD to determine the group membership of that particular user.
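
A simplified model of the IP-to-user lookup described in the reply above, added here as an illustration (not Cisco's code and not from the original posts). It also reproduces the situation in the opening question: a dual-stack workstation that authenticates to AD over IPv6 leaves no IPv4 mapping for the proxy to find. The event records, class and field names, and the 24-hour expiry are assumptions.

```python
import ipaddress


def normalise(ip_text):
    """Canonical table key: compressed IPv6, and IPv4-mapped ::ffff:a.b.c.d unwrapped to IPv4."""
    addr = ipaddress.ip_address(ip_text.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr)


class IdentityMap:
    """Hypothetical stand-in for the agent's table: source IP of a logon -> user."""

    def __init__(self, ttl_seconds=86400):       # expiry period is an assumed value
        self.ttl = ttl_seconds
        self.table = {}                          # ip -> (user, logon time)

    def on_logon(self, event):
        # Only the address the client used to reach the domain controller is known.
        self.table[normalise(event["client_ip"])] = (event["user"], event["time"])

    def who_is(self, ip_text, now):
        """What the proxy asks: which user is signed on at this source address?"""
        entry = self.table.get(normalise(ip_text))
        if entry is None or now - entry[1] > self.ttl:
            return None                          # unknown or stale: caller must fall back
        return entry[0]


# Constructed logon events. alice's workstation is dual stack (it also holds
# 10.1.0.42) but reached the DC over IPv6; bob's logon arrived as IPv4-mapped IPv6.
EVENTS = [
    {"time": 1000, "user": "CORP\\alice",
     "client_ip": "2001:0db8:0010:0000:0000:0000:0000:0042"},
    {"time": 1200, "user": "CORP\\bob", "client_ip": "::ffff:10.1.0.77"},
]


def build(events):
    identity_map = IdentityMap()
    for event in events:
        identity_map.on_logon(event)
    return identity_map


if __name__ == "__main__":
    m = build(EVENTS)
    for src in ("2001:db8:10::42", "10.1.0.42", "10.1.0.77"):
        print(src, "->", m.who_is(src, now=2000))
```
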

  • How to configure DNS to support ipv4 and ipv6

    I have a 2008 r2 domain controller in my lab.
    I'm doing Exchange 2007, 2010 and 2013. I have mix Windows 2008 r2 servers for other applications.
    I'm running into issues where I'm thinking it is time to have both IPV4 & IPV6 to run on all lab machines.
    I can't get a clear picture on how to accomplish a mix environment. In the DNS administrator do I create a new "reverse lookup zone" with only the IPV6? Or do I have to create a new record in the "forward lookup zone" with both IPV4 & IPV6 which the latter points to the new "reverse lookup zone".
    I see a lot of internet article but little on "how to".
    or on the DC should I enable the DHCP role to support the IPV6?

    1. You assign an IPv6 address to the domain controller/DNS server
    One method is letting this site (legitimate) create a random private IPv6 range for you:
    http://www.simpledns.com/private-ipv6.aspx
    For example:
    fd06:fcde:8b4e:d6bd:xxxx:xxxx:xxxx:xxxx
    You can configure the x's like this (you cannot leave the x's there):
    fd06:fcde:8b4e:d6bd:0000:0000:0000:0001
    If you close and open IPv6 properties, or do an "ipconfig /all" you'll see that the IPv6 is abbreviated as follows:
    fd06:fcde:8b4e:d6bd::1
    That's normal.
    If you look in your forward lookup zone, you'll now see this IPv6 address (you may have to register that manually - ipconfig /registerdns - but it seemed to happen automatically for me).
    So there is no need to create a separate forward lookup zone for IPv6.
    OK, but what about the reverse zone?
    2. Create reverse lookup
    In DNS Manager (what you call administrator), right-click on reverse lookup zone, select New Zone, click Next, Next (default values are fine) until you choose between IPv6 and IPv4. Select IPv6 of course.
    Then enter your prefix as shown here:
    That's it. The reverse lookup information is configured automatically (your prefix " backwards").
    Now, unlike with the forward lookup zone, my domain controller does not seem to be registering its name in the reverse IPv6 zone: there's only the SOA and NS record.
    But that's another question.
    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.
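
To make the "prefix backwards" step in the answer above concrete, this added example (not part of the original answer) derives the `ip6.arpa` zone name for the answer's example prefix and the PTR record name the domain controller's address would have inside it. The /64 prefix length and the function names are assumptions.

```python
import ipaddress


def reverse_zone(prefix):
    """ip6.arpa zone name for an IPv6 prefix that ends on a 4-bit (nibble) boundary."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 bits")
    # Expand to all 32 hex digits, keep the ones covered by the prefix, reverse them.
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ptr_owner(address, prefix):
    """Split an address's PTR name into (record name inside the zone, zone name)."""
    addr = ipaddress.IPv6Address(address)
    if addr not in ipaddress.IPv6Network(prefix):
        raise ValueError("address is outside the zone's prefix")
    zone = reverse_zone(prefix)
    full = addr.reverse_pointer                  # all 32 nibbles reversed + ".ip6.arpa"
    return full[: -len(zone) - 1], zone


if __name__ == "__main__":
    # Values from the answer: the generated ULA prefix and the DC's address in it.
    record, zone = ptr_owner("fd06:fcde:8b4e:d6bd::1", "fd06:fcde:8b4e:d6bd::/64")
    print("zone:  ", zone)
    print("record:", record)
```
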

  • Multihomed servers with IPv4 and IPv6

    We have a set up where we have virtual servers with two NICs.  One NIC is connected to our corporate network and the other NIC is connected (via layer 2 over MPLS) to the customer network.  The NIC on our network is only assigned an IPv6 address and the NIC on the customer network is only assigned an IPv4 address from the customer DHCP server.  The problem we are running into is when the server does an NSLOOKUP for a URL that is associated with a server located on our network (the server has an IPv6 and IPv4 address and is publicly accessible to the internet) the traffic goes out the customer NIC then out their internet connection and back to our public facing load balancer.  Our application that runs on the server needs to communicate with a server at the customer site and then send that data to a server on our side.  We believe this behavior is happening because the customer server is responding as an "Authoritative" DNS server.  We are trying to avoid using the HOSTS file if possible (when we use the HOSTS file and specify the FQDN with the IPv6 address our application works fine and goes out our NIC).
    Any help would be appreciated
    Thanks,

    Thanks for the idea Bruno, however we did try this already.  I moved the adapter with IPv6 to the top of the binding order and rebooted the VM.  However when I run NSLOOKUP it still goes out the adapter with IPv4 which is now second in the binding order.
    Side question.  When I do an IPCONFIG /all what determines the order of listed adapters?  I have changed the adapter names (so it isn't alphabetical), I have looked at the adapters in device manager and it isn't based on which one is #1 next to it.  And now I have changed the binding order and it still hasn't changed.  The adapter with IPv4 is always listed first.  Not sure if that means anything but just an observation.
    Any other ideas?
    Thanks,
    Adam
