Context Directory Agent VM Requirements

Similar Messages

• Context Directory Agent Path not found

  I am trying to connect Cisco Context Directory Agent to my AD 2012r2 server,
  Went through the setup guide and changed all needed register keys, firewall rules, DOCOM and wmimgmt permissions,
  I got passed the access denied error, but now I am getting a "The system cannot find the path specified. [0x80070003]" error.
  Here is my log.
  wmi-property exception-stack org.jinterop.dcom.core.JIComServer.init(JIComServer.java:580)
  org.jinterop.dcom.core.JIComServer.initialise(JIComServer.java:481)
  org.jinterop.dcom.core.JIComServer.<init>(JIComServer.java:445)
  com.cisco.cda.rt.adobserver.adobserver.jinteropUtil.getWmiLocator(jinteropUtil.java:42)
  com.cisco.cda.rt.adobserver.adobserver.EventsThread.QueryWMIProperty(EventsThread.java:81)
  com.cisco.cda.rt.adobserver.adobserver.EventsThread.getNetBIOS(EventsThread.java:171)
  com.cisco.cda.rt.adobserver.adobserver.EventsThread.extractDCData(EventsThread.java:203)
  com.cisco.cda.rt.adobserver.adobserver.EventsThread.run(EventsThread.java:609)
  dc-hostname maddcr2.xxxxxxx.local/10.1.0.19
  dc-name xxxxx
  exception-cause org.jinterop.dcom.common.JIRuntimeException: The system cannot find the path specified. [0x80070003]
  wmi-class Win32_NTDomain
  exception-message The system cannot find the path specified. [0x80070003]
  wmi-property DomainName
  dc-username _zxxxxx
  Thank you,

  Are you're running CDA 1.1 with Patch 1:
  cda-patchbundle_1.0.0.011-1.i386.tar.gz
  Support for Windows 2012 server was added in patch 1. Enable
  this patch using the command:
  admin# patch install cda-patchbundle_1.0.0.011-1.i386.tar.gz myrepository
  (see step 2a below for setting up a repository)
  Refer :
  http://www.cisco.com/en/US/docs/security/ibf/cda_10/Install_Config_guide/cda_install.html#wp1061521  

• Context Directory Agent ipv4 and ipv6 mappings

  I have the context directory agent 1.0 patch 2 installed and running.  It works good mostly.  We have a duel stack running ipv6 and ipv4 on our workstations.  They connect to the AD with ipv6, so the mapping is for ipv6.  Is there a way to get the ipv4 mappings?
  We need to map both addresses for the Web Filtering on the CX.

  Same question.

• Need of Context Directory Agent

  Hi all
  I downloaded from CCO CDA (Cisco Directory Agent - filename is AD_Agent-v1.0.0.32.1-build-598.Installer.zip) and installed it. The goal is to authenticate users of WSA using Windows Server 2003 Active Directory.
  During deployement I discovered CDA supports until W2008R2 AD servers. Because customer plans to migrate soon AD to Windows Server 2012, I think CDA has to be replaced. 
  Is Cisco Context Directory Agent the right replacement? I read it  runs on a separate Virtual Machine, so I need to inform customer we need an additional VM?
  Thanks in advance

  What you downloaded was the old Active Directory Agent. You need to download CDA (Context Directory Agent) and the four patches and install them on a VM. Download link here: https://software.cisco.com/download/release.html?mdfid=282803423&flowid=4949&softwareid=284724387&release=CDA&relind=AVAILABLE&rellifecycle=&reltype=latest

• What is the new Cisco Context Directory Agent?

  Hi Everyone.
  I noticed on the ASA software download page the new Content Directory Agent (~800MB).  I could not find any release notes nor other references from a Google search.
  http://www.cisco.com/cisco/software/release.html?mdfid=280582808&softwareid=280775065&release=8.4.4.ED&flowid=4822
  What is it?
  A

  Context Directory Agent is the successor product to AD agent. It provides similar functionality buit comes with Linux distribution and has a GUI based interface. You are right that at the link you gave there is no documentation posted. Will need to dig around
  The release notes for the AD Agent product are at: http://www.cisco.com/en/US/docs/security/ibf/release_notes/ibf10_rn.html

• Context Directory Agent server 2012R2

  Hi,
  Win server 2012R2 is not offically on the supported list for Contex Directory Agent ( CDA  ) , anyone tested this setup ?
  I have been following the Installation guide for 2012 : http://www.cisco.com/en/US/docs/security/ibf/cda_10/Install_Config_guide/cda_install.html but I the server stays red in the CDA gui. No error messages in the log though. 
  CDA is patch1 and CDA user is within the Domain Admin group and necessary priv changes according to the installation document is in place ( registry key ownership etc,) , firewall on the server has been temporarily disabled.
  Just wanted to see if there is anyone who got the combination CDA/2012R2 running and/or when there will be an official patch to CDA to add 2012R2 support.

  I opened a case and they refer me to bug CSCun10631.
  (CDA doesn't support 2012R2).
  the good news is that a new patch (3) should be release this month (July) and will include support.

• Context Directory Agent maps the Active Directory Anti-Virus user

  Hi,
  Today I was able to join a couple of CDA's to our Active Directory domain (2008 R2 DC's) using a non-privileged account and the CDA maps (most) users to IP addresses.
  I would like to use the CDA solely for building up firewall policies based on AD details whenever possible
  as maintaining granular firewall policies on 8 different ASA's is too time consuming as we are not a large IT organization.
  But, after deploying the first "AD Group" based rule, it turned out, that the AD user-account mapped to the IP address of my PC was actually a domain user, running the local anti-virus engine, and not my own.
  It makes total sense that the the anti-virus user is logged on to the PC before any user, so it can do "its thing",
  but my own user-account is never mapped. 
  CDA was able to map certain users to an IP address, even though the anti-virus user is actually logged on to the PC before them.
  Has anyone deployed Identity Based Firewalling and experienced something which resembles this scenario and were you able to do any workarounds?
  I looked into filtering out the logon events (for the Sophos user-account) from the Windows Security logs,
  so the CDA will not be able to map these, but it seems a bit far fetched, and would probably violate a security policy or two :)
  Cheers, Søren Elleby Sørensen

  I opened a case and they refer me to bug CSCun10631.
  (CDA doesn't support 2012R2).
  the good news is that a new patch (3) should be release this month (July) and will include support.

• Cisco Context Directory Agent - Windows logs - Forwarded events

  Hello,
  I have a setup testing with Cisco ASA, Cisco CDA and MS 2012 R2. All this works fine. Only problem I encountered is that I want to read the forwarded events on the AD LDS server instead of the security events.
  So in small words is it possible to connect CDA agent with wmi to forwarded events instead of security logs?
  Is this possible?
  Thanks,
  Mark Post

  Hi,
  I applied the solutions mentioned above, but now i get the below error. Domain still shows as down.
  wmi-property
  exception-stack
  org.jinterop.dcom.core.JIRemUnknownServer.call(JIRemUnknownServer.java:158)
  org.jinterop.dcom.core.JIRemUnknownServer.addRef_ReleaseRef(JIRemUnknownServer.java:181)
  org.jinterop.dcom.core.JISession.releaseRef(JISession.java:805)
  org.jinterop.dcom.core.JIComServer.createInstance(JIComServer.java:777)
  com.cisco.cda.rt.adobserver.adobserver.jinteropUtil.getWmiLocator(jinteropUtil.java:40)
  com.cisco.cda.rt.adobserver.adobserver.EventsThread.QueryWMIProperty(EventsThread.java:83)
  com.cisco.cda.rt.adobserver.adobserver.EventsThread.getNetBIOS(EventsThread.java:171)
  com.cisco.cda.rt.adobserver.adobserver.EventsThread.extractDCData(EventsThread.java:203)
  com.cisco.cda.rt.adobserver.adobserver.EventsThread.run(EventsThread.java:599)
  dc-hostname
  dc-name
  exception-cause
  java.net.ConnectException:       Connection timed out
  wmi-class
  Win32_NTDomain
  exception-message
  An internal   error     occurred. [0x8001FFFF]
  wmi-property
  DomainName
  dc-username
  Any Idea on the error?
  Thanks.

• One Microsoft Server 2003 R2 (small business server) doesn't connect to Context Directory Agent

  I have 2 DC's and I'm trying to get the cda to connect to both dc's.  Both are 2003 R2 but the one I'm having trouble with is Small Business Server.  I've double checked security settings and firewalls, but I'm still receiving the error on one server only. 
  All help is appreciated.
  The error I'm getting is:
  Log attributes
  wmi-property
  exception-stack
  org.jinterop.dcom.core.JIComServer.init(JIComServer.java:576)
  org.jinterop.dcom.core.JIComServer.initialise(JIComServer.java:481)
  org.jinterop.dcom.core.JIComServer.<init>(JIComServer.java:445)
  com.cisco.cda.rt.adobserver.adobserver.jinteropUtil.getWmiLocator(jinteropUtil.java:42)
  com.cisco.cda.rt.adobserver.adobserver.EventsThread.QueryWMIProperty(EventsThread.java:81)
  com.cisco.cda.rt.adobserver.adobserver.EventsThread.getNetBIOS(EventsThread.java:169)
  com.cisco.cda.rt.adobserver.adobserver.EventsThread.extractDCData(EventsThread.java:201)
  com.cisco.cda.rt.adobserver.adobserver.EventsThread.run(EventsThread.java:605)
  dc-hostname
  email.houstonarmature.local/192.168.1.1
  dc-name
  Email
  exception-cause
  java.io.IOException: Socket Closed
  wmi-class
  Win32_NTDomain
  exception-message
  An internal error occurred. [0x8001FFFF]
  wmi-property
  DomainName
  dc-username
  hawadmin

  Hi Toby,
  Just an addition. Did you use an administrator account to logon the RWA and then connect to the remote computer?
  Did encounter the same issue?
  Meanwhile, please refer to following threads and check if can help you.
  RD
  Gateway - Unable to connect via IP (Netbios, FQDN work fine)
  If any update, please feel free to let me know.
  Hope this helps.
  Best regards,
  Justin Gu

• IronPort WSA S170 and Context directory agent

  Hello people and experts,
  I need your consultation regarding IronPort and CDA deployment.
  I couldn't find any information in internet...
  So my question is - if IronPort is AD domain member and Explicit forward proxy is planned to be used. Do I need CDA to be deployed? What will happen if I don't want to deploy CDA in my environment?
  As I understood CDA is useful when IronPort works as Transparent Proxy or if IronPort is not a member of the same domaiin as users.
  Please advise.

  The CDA eliminates the need for NTLM authentication.  Once a user logs onto their computer in the morning and authenticates to the domain, the CDA will have received a successful audit event/log that informs it that user X is signed on to IP address X.  When the WSA needs to find out who is on this IP address, instead of using NTLM to challenge the client machine, it will ask the CDA who signed on this particular IP address.  Once it gets the user name, the WSA will proceed as usual and query the AD to determine the group membership of that particular user.

• How to send a multicast request to 239.255.255.253, seeking an SLP Directory Agent (DA)?

  Hi,
  How to send a multicast request to 239.255.255.253, seeking an SLP Directory Agent (DA) in C++?
  Thanks in advance.

  Hi,
  How about your issue now? Is it fixed?
  I think you will get progessional support from other network related forum. Because VC++ forum aims to discuss and ask questions about the Visual C++ IDE, libraries, samples, tools, setup, and Windows programming using MFC and ATL.
  Hope you can understand.
  May
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.

• SLP Directory Agent (port 427) - internal network goes down

  Due to some VPN problems with corporate headquarters, I had to switch out my current firewall (Instagate EX2) with a new SonicWall. Whenever we tried to switchover to the new SonicWall, my entire internal network went down. I was not able to login to the different Xserves for their appropriate services. Examples included the email server, FTP server, and a special application server we use for news editing. All Xserves run OS X Server 10.4. Our clients range from PowerMacs to Mac Minis and Mac Pros - all running OSX 10.4 with a few running 10.3. Symptoms of problems include when trying to connect to the email server, it just sits saying "Connecting to 10.1.2.x...", same thing for the FTP services. The newsroom software, that usually takes a 1 - 2 seconds to log into, then takes 45 seconds or so. Several techs looked at the problem without any suggestions about what to do to fix it.
  We have a Juniper Netscreen router provided by our ISP that connects to the Instagate firewall and to the network itself. Upon looking at the logs, it was discovered that the OS X stations IPs were using a port 427 - which is used by SLP. One of the techs said that is what is taking our network down when we disconnect the Instagate router from the network (because it evidently is passing this SLP traffic onto the Netscreen router). So when the Netscreen router comes off the network, none of the services on the Xserves work because of this. They said I needed to disable the port 427 on the Netscreen, but if I do this, isn't this having the same effect as taking the network down. Then it was told to me to setup a Directory Agent to handle this traffic. But they didn't provide any instructions to me on how to setup this up on the network or on OS X Server.
  Does anyone have any guidance or suggestions regarding this?
  Thanks,
  G

  I had the ISP's tech in today with proper network analysis software to see what's going on.
  We discovered that it is not SLP that is causing problems as one tech had suggested. Anytime that the internet access was disconnected from the network, the access to services on the OS X Servers go down or are extremely slow. So we began to look at the DNS entries and realized if we removed DNS then the servers refused access, if DNS entries were made (using OpenDNS), then the servers work.
  For example, we use the mail server component of OS X Server 10.4 for our email services. We cannot access the internal server (via IP) without the XServe having an entry in DNS. Put in OpenDNS servers, and things work like they should. The same scenario applies to any services (FTP, NewsEdit, etc.) that's on the OS X Servers. I guess what I'm not understanding is why does everything work internally as long as the OS X Servers have something listed for DNS - even though the DNS is an external DNS IP? Because it is external outside of the network, it's not like the mail server or clients are resolving the private IPs (which there's nothing to resolve since use IP numbers for connection purposes).

• Select root directory of the required rapid install disk

  Hi,
  Im installing EB12, 20% into the installation i get this message "select root directory of the required rapid install disk, Enter the location for the disk labeled: Oracle Applications Rapid Install - Database Disk1".
  I'm not sure why its not finding what it wants. I've followed all installation steps and extracted all zip files in the same stage directory. Any hints?
  Thanks in advance for any help :D
  Edited by: user8830084 on Sep 29, 2009 4:42 PM

  Hi,
  Im installing EB12, 20% into the installation i get this message "select root directory of the required rapid install disk, Enter the location for the disk labeled: Oracle Applications Rapid Install - Database Disk1".This error indicates that the stage area directory was not created successfully. Please mention the step you have followed to create the stage directory.
  Regards,
  Hussein

• SLP received service register/deregister error from directory agent

  What's up with this message?
  We occasionally see it on our NetWare 6.5 SP5 servers (and others):
  SLP received service register/deregister error from directory agent.
  Address BLAH, error 2
  We have two DA's, single IP on each.
  The "other" servers are set to "4" for their discovery type (single NIC,
  but multiple IP's).
  Static scope list.
  Display slpda shows active/active on the "other" servers.
  On the DA's, the loopback shows active, as does the "other" DA (they
  point to each other).

  In article <[email protected]>,
  [email protected] says...
  > On 1/16/2007 m_jonis wrote:
  >
  > > SLP received service register/deregister error from directory agent.
  > > Address BLAH, error 2
  >
  > The SLPDA maintains the list of all services from all servers in the
  > working SLP scope. If a server from within a scope stops the service
  > of, let's say iManager, then this change is send over to the SLPDA
  > to deregister this service from being announced.
  >
  > The services are listed as URL: when you issue the DISPLAY SLP
  > SERVICES command.
  >
  >
  >
  So this is kinda an "informational" message and not really an error,
  then?
  So we didn't actually do anything wrong (for once)?

• EXECUTE xp_cmdshell AS context of a sysadmin requires ##xp_cmdshell_proxy_account## credential to exist?

  Hi,
  I am unable to use a stored procedure to allow a non-sysadmin to execute in the context of a sysadmin and call xp_cmdshell unless the ##xp_cmdshell_proxy_account## actually exists.
  My understanding is that a sysadmin does not require the use of a proxy in order to execute xp_cmdshell.  However without one set up I receive the following error:
  Msg 15153, Level 16, State 1, Procedure xp_cmdshell, Line 1
  The xp_cmdshell proxy account information cannot be retrieved or is invalid. Verify that the '##xp_cmdshell_proxy_account##' credential exists and contains valid information.
  A little confused as to why the ##xp_cmdshell_proxy_account## needs to be set up and if/how/when the credential identity's details are actually used?
  Regards
  Dan

  I am unable to use a stored procedure to allow a non-sysadmin to execute in the context of a sysadmin and call xp_cmdshell unless the ##xp_cmdshell_proxy_account## actually exists.
  When you use EXECUTE AS in the procedure header, you impersonate a database user, but you don't get any permissions on server level, unless the database is marked as trustworthy. But don't make the database trustworthy, as it can can open a security
  hole.
  Instead a better solution is to create a certificate in the master database, and create a login from that certificate. That is not a login that can acutlly login, but only serves as a placeholder for permissions. In this case, you add the login to the sysadmin
  role. Then you export the certificate to the user database and you sign the procedure with the certificate. Below are the steps to take as a script. For more details on the technique, see this article on my web site:
  http://www.sommarskog.se/grantperm.html
  I also discuss the dangers with trustworthy in more detail in this article.
  USE master
  go
  -- Create certificate in master.
  CREATE CERTIFICATE xp_cmdshell_cert
     ENCRYPTION BY PASSWORD = 'All you need is love'
     WITH SUBJECT = 'For xp_cmdshell privileges',
     START_DATE = '20020101', EXPIRY_DATE = '20200101'
  go
  -- Create a login for the certificate.
  CREATE LOGIN xp_cmdshell_cert_login FROM CERTIFICATE xp_cmdshell_cert
  go
  -- Grant rights for the certificate login.
  EXEC sp_addsrvrolemember xp_cmdshell_cert_login, sysadmin
  go
  -- Save the certificate to disk.
  BACKUP CERTIFICATE xp_cmdshell_cert TO FILE = 'C:\temp\cert.cer'
  WITH PRIVATE KEY (FILE = 'C:\temp\cert.pvk' ,
                    ENCRYPTION BY PASSWORD = 'Tomorrow never knows',
                    DECRYPTION BY PASSWORD = 'All you need is love')
  go
  -- Move to test database.
  USE somedatabase
  go
  -- You procedure here.
  CREATE PROCEDURE run_xp_cmdshell AS
  EXEC xp_cmdshell 'DIR'
  go
  -- Give test user right to execute the procedure.
  GRANT EXECUTE ON run_xp_cmdshell TO someuser
  go
  -- Import the certificate we created in master into the test database.
  CREATE CERTIFICATE xp_cmdshell_cert FROM FILE = 'C:\temp\cert.cer'
  WITH PRIVATE KEY (FILE = 'C:\temp\cert.pvk',
                    DECRYPTION BY PASSWORD = 'Tomorrow never knows',
                    ENCRYPTION BY PASSWORD = 'A day in life')
  go
  -- Delete the files.
  EXEC master..xp_cmdshell 'DEL C:\temp\cert.*', 'no_output'
  go
  -- Sign the test procedures.
  ADD SIGNATURE TO run_xp_cmdshell BY CERTIFICATE xp_cmdshell_cert
      WITH PASSWORD = 'A day in life'
  go
  Erland Sommarskog, SQL Server MVP, [email protected]