CSM client vlan addressing

Hi there,
I'm testing out some new topologies for a planned installation and I have a question about the addressing that should be used on the client vlan of the CSM.
In my topology I'll be running the CSM adjacent to a FWSM, with the MSFC on the inside of the FWSM.  Typically I assign a router-router or router-FW link a /29 range and assign the actual devices addresses in that range.  In my first test I set up the CSM and FWSM in a /29, and used client side VIP addresses in a totally different range.  I added static routes to the FWSM to point to the CSM for those ranges and as far as I can tell it works great.  I also tried the setup with the CSM, FWSM, and VIP addresses all in the same /24 range, and it also worked great.
So while it seems that both worked fine, is there any advantage or technical reason why one would be better than the other, or is it all a matter of choice?  I've attached a diagram to illustrate.
Thanks,
Brandon

Hi Brandon,
Either of the two options is perfectly valid, and I see no technical reasons to choose one over the other.
Daniel

Similar Messages

  • CSM + multiple client vlan

    If a CSM has more than one client VLAN, connected to different routers, how does the CSM decide what path to take when a server initiates a connection? In other words, is there a way to associate server vlan(s) to a client vlan?

    The term client vlan actually represents an interface between the CSM and the 6500's L2 and L3 vlan.
    If you have multiple routers connecting to your 6500, they will be associated vlan(s) on the 6500 as any other vlan is. You define the balanced servers' default gateway as the alias address within the server vlan defined on the CSM. The CSM then forwards this to the gateway defined on the CSM client vlan, which is also the 6500's L3 interface. The 6500 then uses its own routing table to define where the next hop for this destination is.
    Hope this helps
    Steve

  • 2 client vlan for CSM - possible?

    Hi,
    Is it possible that CSM has two client side vlans? The reason why I need to configure 2 client-side vlans is that the ip address of the first client-side vlan is running out.
    Thanks.
    J.W.

    Yes, you can definitely use multiple client vlans with CSM.
    CSM keeps track of the MAC address from which it receives the flow
    and sends the response from the reals back there.
    If you define two default gateways then you will face some routing issues. With multiple
    gateways defined, CSM randomly picks one gateway. This random selection can hurt you if your reals initiate connections.
    To tackle the server-initiated connection issue you can use the following workaround:
    vserver Server-side
     virtual 0.0.0.0 0.0.0.0 any
     vlan 100 <------- server vlan where real exist
     serverfarm RealX-out
     inservice
    serverfarm RealX-out
     no nat server
     real 192.168.1.1 <---- Gateway that you want to use for this traffic
      inservice
    Hope it helps
    Syed Iftekhar Ahmed

  • CSM clients on vlans

    I have a 6500 with 8 vlans. Now I am going to implement a CSM with remote clients as well as all the local users on my 8 vlans. My questions are:
    1. Do I have to configure all vlans as clients?
    2. Will the VLAN where my CSM client is configured be my only gateway?
    thx a lot

    Hi,
    Regarding 1)
    No, normally you have 1 client vlan and x server vlans.
    Regarding 2)
    This depends on the implementation. If you use bridged mode, the GW is placed in the "client vlan"; if you use secure mode, you have to take care that a default GW is configured on the CSM server side.
    Regards,
    Joerg

  • CSM - Client NAT for routable server subnet

    I have clients and servers that are outside of the vlans that are the defined ones for CSM. I am using a client NAT pool that is part of the server side address space and server NAT. I see in a packet capture that the server is replying to pings to one of the NAT pool addresses. The ping does not get back to the client. The CSM is acting like it is not listening to traffic for the client NAT address. I saw an article that talked about "Secure router mode" and doing "IP SLB MODE CSM". I am not in that mode. Do I need to be and what effect will that have on my current load balanced servers?

    Thanks. This is now working.
    I see that the NAT has to be in the client address space as that is where the default gateway for the CSM is. Made the following changes:
    no natpool CLIENTNAT1 10.200.0.230 10.200.0.232 netmask 255.255.255.0
    natpool CLIENTNAT1 10.200.250.230 10.200.250.232 netmask 255.255.255.0
    Noticed that a previous "show mod csm 5 arp" showed:
    10.200.2.100 -->10.200.250.1 0 REAL routed
    10.200.2.101 -->10.200.250.1 0 REAL routed
    10.200.2.102 -->10.200.250.1 0 REAL routed

  • How can I preserve Client IP address?

    I am configuring the ACE for bridged mode. However, the real server is seeing VIP IP but not Client IPs. Our business requires that the real server must see client IPs. Do you have any idea how to set that up?
    I tried to turn ON/OFF normalization but it is still not working.
    Thanks,
    Vincent
    ==============================
    Here is my configuration:
    rserver host 192.168.71.71
      ip address 192.168.71.71
      inservice
    serverfarm host WEB_FARM
      failaction purge
      probe ICMP
      rserver 192.168.71.71
        inservice
    access-list PERMIT-BPDU ethertype permit bpdu
    access-list ALL line 8 extended permit ip any any
    sticky ip-netmask 255.255.255.255 address source WEB_FARM_Sticky
      timeout 180
      replicate sticky
      serverfarm WEB_FARM
    class-map match-all WEB_FARM_VIP
      2 match virtual-address 192.168.71.154 tcp eq 80
    class-map type management match-any remote_access
      2 match protocol xml-https any
      4 match protocol icmp any
      5 match protocol telnet any
      6 match protocol ssh any
      7 match protocol http any
      8 match protocol https any
      9 match protocol snmp any
    policy-map type loadbalance first-match WEB_FARM_Policy
      class class-default
        sticky-serverfarm WEB_FARM_Sticky
    policy-map multi-match WEB_VIPS
      class WEB_FARM_VIP
        loadbalance vip inservice
        loadbalance policy WEB_FARM_Policy
        loadbalance vip icmp-reply active
        nat dynamic 6 vlan 31
        nat dynamic 5 vlan 21
    interface vlan 21
      description Client VLAN
      bridge-group 171
      no normalization
      mac-sticky enable
      access-group input PERMIT-BPDU
      access-group input ALL
      service-policy input WEB_VIPS
      nat-pool 5 192.168.71.154 192.168.71.154 netmask 255.255.255.255 pat
    interface vlan 31
      description Server VLAN
      bridge-group 171
      no normalization
      mac-sticky enable
      access-group input PERMIT-BPDU
      access-group input ALL
      service-policy input WEB_VIPS
      nat-pool 6 192.168.71.154 192.168.71.154 netmask 255.255.255.255 pat
      no shutdown
    interface bvi 171
      ip address 192.168.71.3 255.255.255.0
      no shutdown

    Do you have a default route on the ACE and the rservers? Are they all pointing to the same IP? I have the same configuration.  An ACE 4710 in transparent mode, but I have no NATing and my rservers are able to see the original client IPs (security requirement).
    Here is part of my config for one serverfarm
    rserver host RS_MIDTIER_220
      description
      ip address 172.31.0.131
      inservice
    rserver host RS_MIDTIER_221
      description
      ip address 172.31.0.132
      inservice
    rserver host RS_MIDTIER_222
      description
      ip address 172.31.0.133
      inservice
    rserver redirect RS_SSL_Redirects
      webhost-redirection https://%h/%p 301
      inservice
    action-list type modify http SSL_URL_REWRITE
      ssl url rewrite location ".*"
    serverfarm redirect SF_SSL_Redirects
      predictor leastconns
      rserver RS_SSL_Redirects
      inservice
    serverfarm host SF_Midtier_Prod
      description Midtier Production
      predictor leastconns
      probe APACHE
      probe ICMP
      rserver RS_MIDTIER_220 80
        inservice
      rserver RS_MIDTIER_221 80
        inservice
      rserver RS_MIDTIER_222 80
        inservice
    ssl-proxy service SSL_PSERVICE_MIDTIER_PROD
      key
      cert
      chaingroup EntrustChainGroup
    sticky http-cookie JSESSIONID Sticky_Jsession_Cookie_Midtier_Prod
      timeout 90
      serverfarm SF_Midtier_Prod
    class-map type management match-any REMOTE_MGT_ACCESS
      description remote access traffic match
      2 match protocol ssh source-address
      4 match protocol https source-address
      5 match protocol snmp source-address
    class-map match-any VS_Midtier_Prod_L3SLB
      description Midtier Prod IPs
      2 match virtual-address 172.31.0.46 tcp eq https
      3 match virtual-address 172.31.0.47 tcp eq https
    class-map match-any VS_SSL_Redirects
      description Redirects any http VIPS to https
      5 match virtual-address 172.31.0.46 tcp eq www
      6 match virtual-address 172.31.0.47 tcp eq www
    policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
      class REMOTE_MGT_ACCESS
        permit
    policy-map type loadbalance http first-match Midtier_Prod_L4SLB
      class class-default
        sticky-serverfarm Sticky_Jsession_Cookie_Midtier_Prod
        action SSL_URL_REWRITE
    policy-map type loadbalance first-match SSL_Redirect_L4SLB
      class class-default
        serverfarm SF_SSL_Redirects
    policy-map multi-match Farm_VIPS
      class VS_SSL_Redirects
        loadbalance vip inservice
        loadbalance policy SSL_Redirect_L4SLB
      class VS_Midtier_Prod_L3SLB
        loadbalance vip inservice
        loadbalance policy Midtier_Prod_L4SLB
        loadbalance vip icmp-reply active
        ssl-proxy server SSL_PSERVICE_MIDTIER_PROD
    interface vlan 100
      description DMZ ACE frontside
      bridge-group 1
      access-group input BPDUALLOW
      access-group input ALL
      service-policy input REMOTE_MGMT_ALLOW_POLICY
      service-policy input Farm_VIPS
      no shutdown
    interface vlan 110
      description DMZ ACE backside
      bridge-group 1
      access-group input BPDUALLOW
      access-group input ALL
      no shutdown
    interface bvi 1
      ip address 172.31.0.150 255.255.255.0
      no shutdown
    rserver redirect RS_SSL_Redirects
      webhost-redirection https://%h/%p 301
      inservice
    domain
    ip route 0.0.0.0 0.0.0.0 172.31.0.1

  • DHCP from CSM Server VLAN

    Is there a way to add a helper-address (or something similar) to the CSM server VLAN? My unix team is planning on setting up a PXE boot server and a few of their servers that would need the ability to boot from it are in the server VLAN that my CSM hosts. I'm not sure how a DHCP request would ever leave that VLAN if I don't have some way of adding a helper address to it.
    Thanks for any help....Jeff

    Hello-
    The CSM does not have any DHCP helper address equivalents.  However, you can configure the server VLAN in question in a bridged mode with a vlan on the MSFC that does do DHCP and the CSM will bridge the BOOTP requests to it.
    Regards,
    Chris Higgins

  • Blocking Client MAC Addresses at Sup720/WLSM?

    I want to block client MAC addresses at the central 6500, where the WLSM is located. Is there any solution like "dot11 association mac-list" at the access points? I tried an "access-expression" on the tunnel interface, but it did not work. Any suggestions?

    Here is an example of config
    Switch(config)# mac access-list extended ARP_Packet
    Switch(config-ext-nacl)# permit host 0000.861f.3745 host 0006.5bd8.8c2f 0x806 0x0
    Switch(config-ext-nacl)# end
    Issue the vlan access-map map_name command and the action drop command, which is the action to perform.
    The vlan access-map map_name command uses the MAC access list that you created to block ARP traffic from the hosts.
    Switch(config)# vlan access-map block_arp 10
    Switch(config-access-map)# action drop
    Switch(config-access-map)# match mac address ARP_Packet
    Add an additional line to the same VLAN access map to forward the rest of the traffic.
    Switch(config)# vlan access-map block_arp 20
    Switch(config-access-map)# action forward
    Choose a VLAN access map and apply it to a VLAN interface.
    Issue the vlan filter vlan_access_map_name vlan-list vlan_number command.
    Switch(config)# vlan filter block_arp vlan-list 2

  • I am automating the process of sending appointment reminders to my clients. I started with an alert with an email in calendar using the clients email address as a custom entry in my me card in my contacts. this was resulting in three emails being sent wit

    I am automating the process of sending appointment reminders to my clients. I started with an alert with an email in Calendar using the client's email address as a custom entry in my "me" card in my contacts. This was resulting in three emails being sent with slightly different versions of the same address (see my previous post). Heeding someone else's suggestion, I created a workflow file to send an email and am calling that file from an alert on my calendar. This is working and sends only one email to the client.
    My calendar is on iCloud and I access it from three different computers so I can keep my appointment calendar current. The files that send the email only exist on one computer. My other computers show error messages when those emails get sent. It seems that each computer wants to send the email. It's a small problem, but is there a way that I could not get those alerts?
    I'd appreciate any thoughts about this. It seems like both problems might be related to the iCloud system.
    Thank you in advance,
    Michael

    Good work, catch so far Michael, does seem to be a "feature" of iCloud syncing, not sure what you could do to disable it.

  • Install PT8.53 with Linux Issue: Jolt client (ip address 192.168.196.102) does not have proper application password

    Folks,
    Hello.
    I am installing PeopleTools 8.53 with Oracle Database Server 11gR1 and OS Oracle Linux 5.10.
    Data Mover Bootstrap and Application Designer can log into Database instance successfully. My procedure to run PIA is below:
    Step 1: start Oracle Database Server and LISTENER is listening.
    Step 2: start Application Server ./psadmin and 8 processes are started.
    Step 3: start WebLogic Server PIA /opt/PT8.53/webserv/PT853/bin/startPIA.sh
    In Browser, http://192.168.196.102:8000/ps/signon.html comes up successfully. But when sign in using UserID PSADMIN and password "myname", I get the error message in Browser as below:
    The application server is down at this time.
    CHECK APPSERVER LOGS. THE SITE BOOTED WITH INTERNAL DEFAULT SETTINGS, BECAUSE OF: bea.jolt.ServiceException: Invalid Session
    We've detected that your operating system is not supported by this website. For best results, use one of the following operating systems:
    Mac OS X 10.6(Snow Leopard)
    Mac OS X 10.5(Leopard)
    iPad
    Oracle Linux Enterprise
    Mac OS X 10.4(Tiger)
    Windows 8
    Windows 7
    Mac OS X 10.7(Lion)
    Regarding Application Designer, both Database Type "Oracle" and Connection Type "Application Server", UserID "PSADMIN" and password "myname" login successfully. I view TUXLOG (current Tuxedo log file) and its last screen is below:
    191723.lucylinux.lucydomain!JSH.32462.2485226496.-2: JOLT_CAT:1626: "ERROR: Jolt client (ip address 192.168.196.102) does not have proper application password"
    I View APPSRV_1023.LOG (current server log file) and its content is below:
    PSADMIN.32259 (0) [2013-10-23T18:55:12.134](0) Begin boot attempt on domain PT853
    PSAPPSRV.32290 (0) [2013-10-23T18:55:35.701](0) PeopleTools Release 8.53 (Linux) starting. Tuxedo server is APPSRV(99)/1
    PSAPPSRV.32290 (0) [2013-10-23T18:55:35.923](0) Cache Directory being used: /home/user/psft/pt/8.53/appserv/PT853/CACHE/PSAPPSRV_1/
    PSAPPSRV.32290 (0) [2013-10-23T18:56:19.256](2) App server host time skew is DB+00:00:00 (ORACLE PT853)
    PSAPPSRV.32290 (0) [2013-10-23T18:56:23.504](0) Server started
    PSAPPSRV.32290 (0) [2013-10-23T18:56:23.507](3) Detected time zone is EDT
    PSAPPSRV.32338 (0) [2013-10-23T18:56:25.793](0) PeopleTools Release 8.53 (Linux) starting. Tuxedo server is APPSRV(99)/2
    PSAPPSRV.32338 (0) [2013-10-23T18:56:26.003](0) Cache Directory being used: /home/user/psft/pt/8.53/appserv/PT853/CACHE/PSAPPSRV_2/
    PSAPPSRV.32338 (0) [2013-10-23T18:57:08.871](2) App server host time skew is DB+00:00:00 (ORACLE PT853)
    PSAPPSRV.32338 (0) [2013-10-23T18:57:10.662](0) Server started
    PSAPPSRV.32338 (0) [2013-10-23T18:57:10.663](3) Detected time zone is EDT
    PSSAMSRV.32388 (0) [2013-10-23T18:57:12.159](2) Min instance is set to 1. To avoid loss of service, configure Min instance to atleast 2.
    PSSAMSRV.32388 (0) [2013-10-23T18:57:12.168](0) PeopleTools Release 8.53 (Linux) starting. Tuxedo server is APPSRV(99)/100
    PSSAMSRV.32388 (0) [2013-10-23T18:57:12.265](0) Cache Directory being used: /home/user/psft/pt/8.53/appserv/PT853/CACHE/PSSAMSRV_100/
    PSSAMSRV.32388 (0) [2013-10-23T18:57:59.414](0) Server started
    PSSAMSRV.32388 (0) [2013-10-23T18:57:59.416](3) Detected time zone is EDT
    PSADMIN.32259 (0) [2013-10-23T18:58:48.149](0) End boot attempt on domain PT853
    PSAPPSRV.32290 (1) [2013-10-23T18:59:06.144 GetCertificate](3) Returning context. ID=PSADMIN, Lang=ENG, UStreamId=185906140_32290.1, Token=PT_LOCAL/2013-10-23-11.59.26.248432/PSADMIN/ENG/vSz0ix+wq8d+zPRwQ0Wa4hcek0Q=
    I think the error is indicated in TUXLOG file "ERROR: Jolt client (ip address 192.168.196.102) does not have proper application password". The application password "myname" in Browser http://192.168.196.102:8000/ps/signon.html page is not working. I use the same password "myname" to login Data Mover Bootstrap mode, Application Designer, and Application Server psadmin configuration successfully. I have tried a few other passwords in Browser http://192.168.196.102:8000/ps/signon.html page but not working.
    My question is:
    How to solve Sign In issue on http://192.168.196.102:8000/ps/signon.html that is "ERROR: Jolt client (ip address 192.168.196.102) does not have proper application password" ?
    Thanks.             

    Dear Nicolas,
    Hello. I have used the same password for "DomainConnectPswd" in the file Configuration.properties with that for Application Server setting. Eventually, UserID PSADMIN sign in http://192.168.196.102:8000/ps/signon.html successfully. PeopleTools 8.53 runs correctly in Browser.
    It seems that whether or not Oracle Linux 5.0 is upgraded to the latest 5.10 has no effect!
    I am very grateful to your great help for this installation of PT8.53 with Linux and Oracle Database !

  • Retrieve Client IP Address in a Oracle WebServices Manager Custom Policy

    Hi everybody,
    For some reasons I had to implement a custom policy in the OWSM, to restrict the access to webservices by client IP addresses. I've been following the examples for custom policies mentioned in the books "Oracle Web Services Manager, Oracle Web Services Manager" by Sitaraman Lakshminarayanan, and the "Oracle® Web Services Manager Extensibility Guide 10g (10.1.3.3.0)" by Oracle. I followed the examples mentioned in those books to implement my custom policy; the policy is successfully deployed to OWSM and it works, except for the issue that when I want to retrieve the client IP address it returns null, and following the example in the Oracle guide, the HttpServletRequest also returns null. I'm desperate because every site where I finally find some info about it quotes one of these 2 examples from those books, and mine doesn't work! This is the code of the custom policy; I've combined the 2 approaches:
    package project1;

    import com.cfluent.ccore.util.logging.ILogger;
    import com.cfluent.ccore.util.logging.Level;
    import com.cfluent.ccore.util.logging.LogManager;
    import com.cfluent.pipelineengine.container.MessageContext;
    import com.cfluent.policysteps.sdk.AbstractStep;
    import com.cfluent.policysteps.sdk.Fault;
    import com.cfluent.policysteps.sdk.IMessageContext;
    import com.cfluent.policysteps.sdk.IResult;
    import com.cfluent.policysteps.sdk.InvocationStatus;
    import com.cfluent.policysteps.sdk.Result;
    import java.util.HashMap;
    import java.util.Iterator;
    import java.util.Vector;
    import javax.servlet.http.HttpServletRequest;

    public class CustomPolicy extends AbstractStep {
        private static String CLASSNAME = CustomPolicy.class.getName();
        private static ILogger LOGGER = LogManager.getLogger(CLASSNAME);
        private String allowedIpAddress = null;
        private String allowedRoleName = null;
        private String protectedServiceMethodName = null;

        public CustomPolicy() {
        }

        public void init() throws IllegalStateException {
            // nothing to initialize
        }

        public void destroy() {
        }

        /**
         * This is the main method which will validate that the request is coming from
         * the correct IP Address and has permission to access the specified method.
         */
        public IResult execute(IMessageContext messageContext) throws Fault {
            LOGGER.entering(CLASSNAME, "execute");
            Result result = new Result();
            result.setStatus(IResult.FAILED); //initialize result
            String processingStage = messageContext.getProcessingStage();
            LOGGER.log(Level.INFO, "Processing stage is " + processingStage);
            HttpServletRequest httpServletRequest = (HttpServletRequest)
                messageContext.getProperty("javax.servlet.request");
            // Note: this reads the Host request header (server name and port), not the client address
            String remoteAddr = httpServletRequest.getHeader("Host");
            LOGGER.log(Level.SEVERE, "Dir IP:"+remoteAddr);
            String remoteHost = httpServletRequest.getRemoteHost();
            LOGGER.log(Level.INFO, "ADDR" + remoteAddr+ "HOST"+remoteHost);
            boolean isRequest =
                (IMessageContext.STAGE_REQUEST.equals(messageContext.getProcessingStage()) ||
                 IMessageContext.STAGE_PREREQUEST.equals(messageContext.getProcessingStage()));
            //Execute the step Only when its a Request pipeline else return success
            if (!isRequest) {
                result.setStatus(IResult.SUCCEEDED);
                return result;
            }
            MessageContext msgCtxt = (MessageContext)messageContext;
            String _MethodName = msgCtxt.getRequest().getMethodName();
            LOGGER.log(Level.INFO,
                       "Writing Allowed IP Addr before creating SOAP header " +
                       allowedIpAddress);
            LOGGER.log(Level.INFO,
                       "Writing Remote IP Addr before creating SOAP header " +
                       msgCtxt.getRemoteAddr());
            /*LOGGER.log(Level.INFO,
                       "Writing Remote IP Addr before creating SOAP header " +
                       remoteAddr);*/
            // Split the comma-separated allowed-address property into a list
            String cadTempo = allowedIpAddress;
            Vector vect = new Vector();
            for (int i = 0; i < allowedIpAddress.length(); i++) {
                if (cadTempo.indexOf(",") != -1) {
                    //vect.add(cadTempo.substring(0, cadTempo.indexOf(",") - 1));
                    vect.add(cadTempo.substring(0, cadTempo.indexOf(",")));
                    cadTempo =
                        cadTempo.substring(cadTempo.indexOf(",") + 1, cadTempo.length());
                    LOGGER.log(Level.INFO,
                               "AQUI111");
                } else {
                    if (!cadTempo.equalsIgnoreCase("")) {
                        vect.add(cadTempo);
                        LOGGER.log(Level.INFO,
                                   "AQUI222");
                    }
                    break;
                }
            }
            // Succeed only if the remote address is in the list and the method is the protected one
            for(int i=0;i<vect.size();i++){
                String temp = (String)vect.get(i);
                if (temp.equals(msgCtxt.getRemoteAddr()) &&
                    _MethodName.equals(protectedServiceMethodName)) {
                    LOGGER.log(Level.INFO,
                               "AQUI333");
                    result.setStatus(IResult.SUCCEEDED);
                    break;
                } else {
                    msgCtxt.getInvocationStatus().setAuthorizationStatus(InvocationStatus.FAILED);
                    LOGGER.log(Level.INFO,
                               "AQUI444");
                }
            }
            // Earlier single-address versions, left disabled:
            //if(allowedIpAddress!=null){
            //    result.setStatus(IResult.SUCCEEDED);
            //}
            //if (allowedIpAddress.equals(msgCtxt.getRemoteAddr()) &&
            //    _MethodName.equals(protectedServiceMethodName)) {
            //    result.setStatus(IResult.SUCCEEDED);
            //} else {
            //    msgCtxt.getInvocationStatus().setAuthorizationStatus(InvocationStatus.FAILED);
            //}
            // Set the result to SUCCESS
            //result.setStatus(IResult.SUCCEEDED);
            return result;
        }

        public String getIpAddress() {
            return allowedIpAddress;
        }

        public void setIpAddress(String IpAddress) {
            this.allowedIpAddress = IpAddress;
            LOGGER.log(Level.INFO, "IP Address is.. " + allowedIpAddress);
        }

        public String getServiceMethodName() {
            return protectedServiceMethodName;
        }

        public void setServiceMethodName(String serviceMethodName) {
            this.protectedServiceMethodName = serviceMethodName;
        }

        public String getRoleName() {
            return allowedRoleName;
        }

        public void setRoleName(String roleName) {
            this.allowedRoleName = roleName;
        }
    }
    And the xml:
    <csw:StepTemplate xmlns:csw="http://schemas.confluentsw.com/ws/2004/07/policy"
    name="Custom authenticate step" package="project1"
    timestamp="Oct 31, 2005 05:00:00 PM" version="1"
    id="0102030405">
    <csw:Description>Custom step that authenticates the user against the
    credentials entered here. This step requires Extract
    credentials to be present before it in the request pipeline.</csw:Description>
    <csw:Implementation>project1.CustomPolicy</csw:Implementation>
    <csw:PropertyDefinitions>
    <csw:PropertyDefinitionSet name="Basic Properties">
    <csw:PropertyDefinition name="Enabled" type="boolean">
    <csw:Description>If set to true, this step is enabled</csw:Description>
    <csw:DefaultValue>
    <csw:Absolute>true</csw:Absolute>
    </csw:DefaultValue>
    </csw:PropertyDefinition>
    </csw:PropertyDefinitionSet>
    <csw:PropertyDefinitionSet name="Custom Access Rules">
    <csw:PropertyDefinition name="IpAddress" type="string" isRequired="true">
    <csw:DisplayName>IpAddress</csw:DisplayName>
    <csw:Description>IP Address that is allowed access</csw:Description>
    <csw:DefaultValue>
    <csw:Absolute>192.168.0.1</csw:Absolute>
    </csw:DefaultValue>
    </csw:PropertyDefinition>
    <csw:PropertyDefinition name="ServiceMethodName" type="string"
    isRequired="true">
    <csw:DisplayName>ServiceMethodName</csw:DisplayName>
    <csw:Description>Service Method Name that is Protected (Secured)</csw:Description>
    <csw:DefaultValue>
    <csw:Absolute>getTime</csw:Absolute>
    </csw:DefaultValue>
    </csw:PropertyDefinition>
    </csw:PropertyDefinitionSet>
    </csw:PropertyDefinitions>
    </csw:StepTemplate>
    Please any tip or idea is welcome, thanks in advance for the help.
    Carlos.

    Hi again
    copied your code for testing. And it works fine.
    So both the code and policy-step definition is fine, log output below.
    What is your log output?
    Using soapui to send the request will give the ip of my localhost, using the test client will give the ip of the server, because that is the actual client.
    I guess the server ip is 192.168.0.1 in your case, as you are testing from test console.
    Anyway, results from SOAPUI:
    2009-05-19 09:52:15,096 FINE [HTTPThreadGroup-4] CSWComponent - Executing policy step. Policy='SID0003004', Step Name='Custom Policy Step', Step Class='com.*.soa.wsm.CustomPolicy'
    2009-05-19 09:52:15,096 FINER [HTTPThreadGroup-4] wsm.CustomPolicy - com.*.soa.wsm.CustomPolicy execute:ENTERING
    2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - Processing stage is Request
    2009-05-19 09:52:15,096 SEVERE [HTTPThreadGroup-4] wsm.CustomPolicy - Dir IP:hostname.domain:8890
    2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - ADDRhostname.domain:8890HOST10.47.89.116
    2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - MethodName=getHostNameElement
    2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - Writing Allowed IP Addr before creating SOAP header 10.47.89.116, 192.168.0.1
    2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - Writing Remote IP Addr before creating SOAP header 10.47.89.116
    2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI111
    2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI222
    2009-05-19 09:52:15,097 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI333
    2009-05-19 09:52:15,097 FINER [HTTPThreadGroup-4] agent.Agent - com.cfluent.agent.Agent intercept:ENTERING
    But if I use the test client the remote IP would be 10.47.137.50 and execution fails, as code is written
    2009-05-19 09:54:12,266 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - Writing Allowed IP Addr before creating SOAP header 10.47.89.116, 192.168.0.1
    2009-05-19 09:54:12,266 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - Writing Remote IP Addr before creating SOAP header 10.47.137.50
    2009-05-19 09:54:12,267 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI111
    2009-05-19 09:54:12,267 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI222
    2009-05-19 09:54:12,267 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI444
    2009-05-19 09:54:12,267 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - AQUI444
    2009-05-19 09:54:12,267 FINE [HTTPThreadGroup-4] CSWComponent - Step execution failed: Policy=[SID0003004] Pipeline=[Request] Step Name=[Custom Policy Step] Step Class=[com.tandberg.soa.wsm.CustomPolicy]
    2009-05-19 09:54:12,267 FINER [HTTPThreadGroup-4] common.PrepareForServiceStep - Step PrepareForServiceStep called
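
The two runs quoted above can be cross-checked mechanically. The following is an added example (not code from the thread or from the gateway product) that pairs each "Allowed IP" line with the "Remote IP" line on the same thread and compares the allowlist verdict with whether the Custom Policy Step failed. The sample lines are copied from the logs above; the function and field names are assumptions of this example.

```python
import ipaddress
import re

# Lines copied from the two runs quoted in the post (only the relevant ones).
SAMPLE_LOG = """\
2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - Writing Allowed IP Addr before creating SOAP header 10.47.89.116, 192.168.0.1
2009-05-19 09:52:15,096 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - Writing Remote IP Addr before creating SOAP header 10.47.89.116
2009-05-19 09:52:15,097 FINER [HTTPThreadGroup-4] agent.Agent - com.cfluent.agent.Agent intercept:ENTERING
2009-05-19 09:54:12,266 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - Writing Allowed IP Addr before creating SOAP header 10.47.89.116, 192.168.0.1
2009-05-19 09:54:12,266 INFO [HTTPThreadGroup-4] wsm.CustomPolicy - Writing Remote IP Addr before creating SOAP header 10.47.137.50
2009-05-19 09:54:12,267 FINE [HTTPThreadGroup-4] CSWComponent - Step execution failed: Policy=[SID0003004] Pipeline=[Request] Step Name=[Custom Policy Step] Step Class=[com.tandberg.soa.wsm.CustomPolicy]
"""

# timestamp, level, [thread], logger, " - ", message
LINE = re.compile(r"^(\S+ \S+) (\w+) \[([^\]]+)\] (\S+) - (.*)$")
ALLOWED = "Writing Allowed IP Addr before creating SOAP header "
REMOTE = "Writing Remote IP Addr before creating SOAP header "


def audit(log_text):
    """Return one record per request: remote IP, allowlist verdict, logged outcome."""
    records, pending = [], {}  # pending: thread name -> record still being filled
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, _level, thread, _logger, msg = m.groups()
        if msg.startswith(ALLOWED):
            ips = [ipaddress.ip_address(p.strip()) for p in msg[len(ALLOWED):].split(",")]
            pending[thread] = {"time": ts, "allowed": ips, "remote": None, "step_failed": False}
            records.append(pending[thread])
        elif msg.startswith(REMOTE) and thread in pending:
            pending[thread]["remote"] = ipaddress.ip_address(msg[len(REMOTE):].strip())
        elif (msg.startswith("Step execution failed") and "Custom Policy Step" in msg
              and thread in pending):
            pending[thread]["step_failed"] = True
    for r in records:
        r["in_allowlist"] = r["remote"] in r["allowed"]
        # Consistent means: allowed and step passed, or not allowed and step failed.
        r["consistent"] = r["in_allowlist"] != r["step_failed"]
    return records


if __name__ == "__main__":
    for r in audit(SAMPLE_LOG):
        print(r["time"], r["remote"], "allowed" if r["in_allowlist"] else "DENIED",
              "ok" if r["consistent"] else "MISMATCH")
```

A record marked MISMATCH is the one to investigate: either the step let through an address outside the list or it rejected one that was on it.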

  • HT4061 My Gateway PC is locked up after iTunes update.  When I restarted the computer for the changes to take effect, my PC locked up.  It gives me a client MAC address and no boot file name received.  What happened, and how do I get my PC back?

    Gateway PC locked up after iTunes update.   It says client Mac address 001320 be ad 25 .  PXE E53  No boot file name received
    pXE MOF.  Exiting Broadcom PXE. ROM .  How do I unlock my pc?

  • HT4061 I downloaded an iTunes update on my HP PC and restarted the computer for the changes to take effect. Now my PC is locked up.  It gives me a client MAC address and no boot file name received.  What happened, and how do I get my PC back?

    I downloaded an iTunes update and when I restarted my pc it locked up.  It says client Mac address 001320bead25,   PXE E53  No boot file name received.  PXE MOF.  Exiting Broadcom pie rom.   How do I get my pc back!

    When you installed iTunes on your work computer, then connected your iPad to that computer, it wiped what was on the iPad, then put the iTunes library (nothing) from the work computer onto the iPad. You can try copying the iTunes folder from your home computer over to your work computer, but since the apps were bought with a different account, they may not load or update properly.

  • How do I get list of client IP Addresses using new Airport Utility v6.3?

    I have purchased an Airport Time Capsule 3TB (newest model).  Previous models were still compatible with Airport Utility 5.6 and I could use "manual" mode to get a list of client IP addresses attached to the device.  The new Airport Time Capsule is only compatible with Airport Utility 6.3 and I cannot figure out how to get a list of client IP addresses with this new model. Does anyone know how to do this?

    Try a ping broadcast - for example if your network were 192.168.1.xxx (netmask of 255.255.255.0) try this from a Terminal.app window (located in /Applications/Utilities):
         ping 192.168.1.255
    If you have a different type netmask, you need to put 255's where the 0's are in your netmask.
    Everyone on the local network (the 192.168.1.xxx network) should reply that it is up and running unless you have them set up to not respond to pings (the WAN port on your TC should not reply because it's in a different network) and you have your list of clients on the network. If you set up the TC to dedicate a range of addresses for WiFi clients you can even identify which of them are wired and which are wireless.
    good luck.

  • UNABLE TO RETRIEVE THE CLIENT IP ADDRESS AND HOST NAME OF A PORTAL USER

    I'm trying to retrieve the client IP address and host name of a portal user
    trying to access a portal page using APIs:
         // Portlet render request that the portal passes to the provider
         PortletRenderRequest portletRequest =
             (PortletRenderRequest)request.getAttribute(HttpCommonConstants.PORTLET_RENDER_REQUEST);
         // Underlying servlet request for this call
         HttpServletRequest servletRequest =
             (HttpServletRequest)portletRequest.getAttribute(HttpCommonConstants.SERVLET_REQUEST);
         String l_szClientIPAddress = servletRequest.getRemoteAddr();
         String l_szClientHost = servletRequest.getRemoteHost();
    but I found that for all portal users on different machines and IP addresses, the
    returned IP is the same for all, which is the Portal middle tier IP address.
    So how can I retrieve the IP address of a portal user trying to access a portal
    page?

    Brijesh,
    Do you mean how to see hostname/ip address of client requests processed by the server? If yes, depending on what's your front ending component - Web Cache or OHS, you can configure the access log format to have this information recorded in either of these component's access log file.
    For Web Cache access log file, refer this:
    http://download.oracle.com/docs/cd/B14099_19/caching.1012/b14046/diagnostics.htm#sthref2090
    For OHS access log file, refer this:
    http://download.oracle.com/docs/cd/B14099_19/web.1012/b14007/servlog.htm#sthref439
    By default, both Web Cache and OHS are configured to use Common Log Format (CLF) that does record hostname/ip address so if you haven't made any changes to log format, this info is already there for you. Look for $ORACLE_HOME/webcache/logs/access_log file for Web Cache and $ORACLE_HOME/Apache/Apache/logs/access_log file for OHS.
    Thanks
    Shail
