DMZ and FIREWALL

Hello,
While trying to figure out why some of the ports that I had set to forward were not forwarding, I did two things:
1) Placed the PC that I was having "bother" with in the "DMZ" zone.
2) Switched off (disabled) the firewall in my HH2.
Running two different "port scan" programs from the Internet showed that there was no response (timeout) from my IP address, which, incidentally, changed each time I went from "DMZ" to not "DMZ".
Does this mean that the DMZ and FIREWALL on my HH do absolutely nothing, so it doesn't matter what setting you have?
Or does it mean that the port scan programs are giving a false sense of security?
I'd be interested to hear from anyone who has some experience of this.

I have a question regarding the location of the (Oracle) application server in front of or behind the firewall:
The router to be used has a firewall function built in. Now if I place the (Oracle) application server behind this firewall, can public users still access this (web) application server (even through this firewall)? If so, what parameters should I generally configure?
In the DMZ you should put the web server (Apache + Web Cache) and behind the firewall a middle tier with the other components of iAS (depending on what you want).

Similar Messages

  • DMZ and Firewall Issues or where to place the Infra Server

    Hi,
    Finally, I've got a more or less working Midtier Server on United Linux. I've two machines: a Sun box which has the Infrastructure and the storage on it in the intranet, and I've got a Linux box in the DMZ with the midtier on it. Unlucky as I am in this mission, I figured out that Portal wants to contact the Sun box for SSO from the browser and not, as I assumed, from the server side. But the forwarded hostname is an internal name only. Am I right that it would be the best solution to install the infra option (SSO etc.) on the DMZ machine as well? So the scenario would look like this: E-Storage and files on the intranet machine (e.g. the Sun box) and Infra and middle tier in the DMZ. Please help.
    Eric

    I don't know to what end this will help you, or if it actually addresses your question; I'm a bit vague on technologies like firewalls and DMZs, save understanding their general purpose.
    Anyway, due to hardware limitations, we have had to deploy OCS on a single node, Red Hat 7.3 (yep, OS limitations as well). Our general access to the internet is done via a cable connection. This connection is shared amongst our LAN via a proxy. Now, the Linux server was given an IP that belongs to the cable network; it's not part of our LAN. We initially started by opening ports 7778 and 7779, as these were the ports for web access for end users. This did not work. Just like you mentioned in your post, SSO access, so we had to open port 7777. This done, it all appears to run fine.
    Anyway, have a search through Technet; there is a paper on firewall load balancing with respect to iAS (this is the technology used to deploy most of the OCS applications). I imagine this may just address a few of your questions.

  • DMZ and php page issue

    Hi,
    We have an Oracle database server 11.2.0.1 that runs on Oracle Linux version 3.8.13-16.2.3.el6uek.x86_64, and a Linux 32-bit client server that runs on CentOS 6.2.
    From the 32-bit client server in the DMZ, if we run the query below via sqlplus we have no problem. When we run the same query from the same client server but via a PHP page, it does not return more than 65 rows. But with (WHERE ROWNUM <= 64) it returns the result fine. If we move the 32-bit client server into the LAN, we do not have the issue at all. If you have experience with DMZ or firewall for this situation, please help.
    PHP query:
    'SELECT * FROM (SELECT
            p.T$NAMA AS NAMA,
            o.T$ORNO AS ORNO,
            CASE CAST(o.T$CORG AS INT)
                WHEN 1 THEN \'Contracts\'
                WHEN 2 THEN \'Quotations\'
                WHEN 3 THEN \'EDI\'
                WHEN 4 THEN \'Manual\'
                WHEN 5 THEN \'Phone\'
                WHEN 6 THEN \'Fax\'
                WHEN 7 THEN \'Mail\'
                WHEN 8 THEN \'Opportunity\'
                WHEN 9 THEN \'CRM\'
                WHEN 10 THEN \'Consumption\'
                WHEN 14 THEN \'Order Template\'
                WHEN 21 THEN \'Service\'
                WHEN 22 THEN \'Intercompany EDI\'
                WHEN 25 THEN \'Retro-Billing\'
                WHEN 30 THEN \'Planning\'
                WHEN 35 THEN \'Purchase\'
                WHEN 40 THEN \'Shipment\'
                ELSE \'Unknown\'
            END AS ORD_ORIGIN,
            CASE CAST(o.T$HDST AS INT)
                WHEN 2 THEN \'Suspended\'
                WHEN 5 THEN \'Free\'
                WHEN 10 THEN \'Approved\'
                WHEN 20 THEN \'In Process\'
                WHEN 25 THEN \'Modified\'
                WHEN 30 THEN \'Closed\'
                WHEN 35 THEN \'Cancelled\'
                WHEN 40 THEN \'Blocked\'
                WHEN 45 THEN \'Released\'
                WHEN 50 THEN \'Not Applicable\'
                ELSE \'Unknown\'
            END AS ORD_STATUS,
            o.T$ODAT AS ODAT,
            o.T$CORN AS CORN,
            SUM(l.T$OAMT) AS ORD_TOT
    FROM
            INFOR.TTDSLS400104 o,
            INFOR.TTDSLS401104 l,
            INFOR.TTCCOM100104 p
    WHERE
            o.T$ORNO = l.T$ORNO AND
            p.T$BPID (+) = o.T$STBP AND
            o.T$OFBP = \'210008000\' AND
            o.T$ODAT BETWEEN to_date(\'07/14/2014\', \'MM-DD-YYYY\') AND to_date(\'08/14/2014\', \'MM-DD-YYYY\')
    GROUP BY
            p.T$NAMA,
            o.T$ORNO,
            o.T$ODAT,
            o.T$CORN,
            o.T$STBP,
            o.T$CORG,
            o.T$HDST
    ORDER BY
            o.T$ODAT DESC) WHERE ROWNUM <= 65';

    Maybe you run the statement with two different users and there could be some policies enabled for those tables (VPD).

  • Lync edge and two NICs, DMZ and NAT

    I am in the process of setting up my Lync 2013 edge server and I seem to be stuck. We run an external firewall and an internal firewall and have a DMZ, where all of my public-facing servers sit, that resides between these two. I have things like my web servers and the edge transport for my Exchange servers in here. I am in the process of creating my new edge pool topology and have a question. I am going to NAT my Edge servers from the external firewall, so the public IP address is something like 12.xx.xxx.xxx and the DMZ subnet is 192.168.3.x. For my internal IP address I put the internal IP of my edge server, which is 192.168.3.17, and for the external setting I put the 12.xx.xxx.xxx IP address, even though there is not a NIC in the edge server that has that IP since it is NAT'd from my firewall. Will that work? The reason I ask is everyone seems to say that this edge server has to have two NICs, one connected to my DMZ subnet and the other to my LAN subnet, but doesn't that mean you have a huge hole, with a Windows server with one foot in the DMZ and the other in the LAN? Is there a way to utilize only one NIC in an Edge server? I guess I am trying to see if it will work like the edge transport role in Exchange.
    Thanks.

    No, you shouldn't ever have an edge server with one foot in the DMZ and one foot in the LAN. That somewhat defeats the purpose of a DMZ, since you've just created a path around your firewall. What you need is in effect two DMZs: one that communicates only with the Internet, and one that communicates only with the internal network. This is where the two NICs come into play.
    The external-facing NIC would typically get private IPs (though they can be public), which are in turn NAT'd to public IPs. The topology builder knows about the private IPs, but for the A/V edge there's also a section where you let it know that the edge will be NAT'd and what the public IP for the A/V edge is.
    You can get away with just one NIC, on just one subnet. People have had issues, and it's not supported, but I personally have gotten this to work without issue on several occasions.
    So, if you simply can't have two DMZs, you could give the box one NIC and four IPs: 192.168.3.17, 18, 19, and 20. Assign 17 as the internal NIC, and 18, 19, and 20 as the access edge, web edge, and A/V edge. In the topology builder, specify the 192.168.3.X addresses, but also put the 12.xx.xxx.xxx address in the public section. Put persistent routes on the box so that it knows to use the internal firewall to get to internal addresses, and the default route should be the external firewall (I suspect this is in place for other boxes in the DMZ unless they only talk to the Internet). Open your ports, add your DNS, install Lync and you should be good.
    SWC Unified Communications

  • RV320 WAN1, DMZ and PPPoE

    Hello fellow routing and switching enthusiasts.
    Looks like the RV320 firmware version 1.0.2.23 (released 1 Mar 2013) doesn't automatically disable all the settings which should be disabled after WAN2 is swapped for DMZ, and this becomes obvious only if WAN1 is configured for PPPoE.
    Initial conditions:
    1) Configure ADSL modem/router/firewall to be a modem only, and connect to WAN1 port on RV320.
    2) Configure WAN2 as a DMZ
    3) Configure WAN1 to use PPPoE
    4) Wait several minutes in case authentication was taking several attempts to succeed.
    Symptoms of Problem:
    a) System Summary -> IPv4 tab -> WAN1 IP Address and Default Gateway were still 0.0.0.0
    b) Log -> System Statistics -> WAN1 IP Address and Default Gateway still 0.0.0.0
    c) Log -> Processes -> ntpclient had local address = ISP assigned IP external address    <------- very interesting indeed !
    d) Attempt to access internet via LAN ports fails.
    The fact that the ntpclient had the ISP assigned IP external address confirmed that the DSL modem was doing its thing, and that the RV320's PPPoE function was correctly authenticating, but not routing.
    Solution:
    (After a lot of failed attempts to identify what was causing this...)
    I manually unchecked the  setting: System Management -> Dual WAN -> WAN1 (edit) -> [  ] Network Service Detection.
    As soon as I manually disabled this setting and saved it, the routing tables were almost instantaneously updated / made available, and NAT functions succeeded and allowed clients connected to LAN ports to access the internet via the RV320.
    Hope this helps someone.

    Dear Peter,
    Thank you for reaching the Small Business Support Community.
    It is a very interesting case of yours, and I am glad you managed to come up with a solution; this is definitely going to help others like myself when facing a similar scenario. I am going to pass the word to the Cisco development team so they can check this out.
    My only suggestion at this point is to upgrade to the latest firmware release v1.1.0.09, which resolves some identified issues. Please check the release notes and download site:
    http://www.cisco.com/en/US/docs/routers/csbr/rv320/release_notes/rv32x_relnote_v1.1.0.09.pdf
    http://software.cisco.com/download/release.html?mdfid=284005929&flowid=43302&softwareid=282465789&release=1.1.0.09&relind=AVAILABLE&rellifecycle=&reltype=latest
    We, the Cisco Support Community, are very thankful for your commitment and effort to help us improve the Cisco products, and please do not hesitate to reach me back if there is anything I may assist you with in the meantime.
    Kind regards,
    Jeffrey Rodriguez S.
    Cisco Customer Support Engineer

  • Sharepoint Internet publishing dmz and lan

    We have provided the list below to Operations to configure the DMZ and LAN environment.
    The DMZ server was not on the domain; they faced an issue putting the DMZ server on the domain and had to open "any" on the firewall from
    the DMZ to Active Directory. Is there any port we are missing below if we have to have communication from the DMZ to the DB/application server?
    MCTS,ITIL

    WFE -> DB only requires 1433 (or the assigned port) and 1434/udp if using a random port. WFE -> WFE communication is what leverages 32843/32844 (service calls).
    Outbound email must be port 25, unless you configure an anonymous relay that SharePoint can communicate to over port 25. 
    Trevor Seward

  • Need help with ASA 5512 and SQL port between DMZ and inside

    Hello everyone,
    Inside is on gigabitEthernet0/1 ip 192.9.200.254
    I have a dmz on gigabitEthernet2 ip 192.168.100.254
    I need to pass port 443 from outside to the DMZ IP 192.168.100.80 and open port 1433 from 192.168.100.80 to the inside network.
    I believe this will work for port 443:
    object network dmz
    subnet 192.168.100.0 255.255.255.0
    object network webserver
    host 192.168.100.80
    object network webserver
    nat (dmz,outside) static interface service tcp 443 443
    access-list Outside_access_in extended permit tcp any object webserver eq 443
    access-group Outside_access_in in interface Outside
    However, how would I open only port 1433 from dmz to inside?
    At the bottom of this message is my config if it helps.
    Thanks,
    John Clausen
    Config:
    : Saved
    ASA Version 9.1(2) 
    hostname ciscoasa-gcs
    domain-name router.local
    enable password f4yhsdf.4sadf977 encrypted
    passwd f4yhsdf.4sadf977 encrypted
    names
    ip local pool vpnpool 192.168.201.10-192.168.201.50
    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address 123.222.222.212 255.255.255.224 
    interface GigabitEthernet0/1
     nameif inside
     security-level 100
     ip address 192.9.200.254 255.255.255.0 
    interface GigabitEthernet0/2
     nameif dmz
     security-level 100
     ip address 192.168.100.254 255.255.255.0 
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    interface GigabitEthernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    interface Management0/0
     management-only
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0 
    ftp mode passive
    dns server-group DefaultDNS
     domain-name router.local
    object network inside-subnet
     subnet 192.9.200.0 255.255.255.0
    object network netmotion
     host 192.9.200.6
    object network inside-network
     subnet 192.9.200.0 255.255.255.0
    object network vpnpool
     subnet 192.168.201.0 255.255.255.192
    object network NETWORK_OBJ_192.168.201.0_26
     subnet 192.168.201.0 255.255.255.192
    object network NETWORK_OBJ_192.9.200.0_24
     subnet 192.9.200.0 255.255.255.0
    access-list outside_access_in extended permit icmp any4 any4 log disable 
    access-list Outside_access_in extended permit udp any object netmotion eq 5020 
    access-list split standard permit 192.9.200.0 255.255.255.0 
    access-list VPNT_splitTunnelAcl standard permit 192.9.200.0 255.255.255.0 
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    mtu dmz 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static inside-network inside-network destination static vpnpool vpnpool
    nat (inside,outside) source static NETWORK_OBJ_192.9.200.0_24 NETWORK_OBJ_192.9.200.0_24 destination static NETWORK_OBJ_192.168.201.0_26 NETWORK_OBJ_192.168.201.0_26 no-proxy-arp route-lookup
    object network netmotion
     nat (inside,outside) static interface service udp 5020 5020 
    nat (inside,outside) after-auto source dynamic any interface
    access-group Outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 123.222.222.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.9.200.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet 192.9.200.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption aes128-sha1 3des-sha1
    webvpn
     enable outside
     anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 2 regex "Windows NT"
     anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3 regex "Intel Mac OS X"
     anyconnect enable
     tunnel-group-list enable
    group-policy SSLVPN internal
    group-policy SSLVPN attributes
     dns-server value 192.9.200.13
     vpn-tunnel-protocol ssl-client 
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split
     default-domain value router.local
    group-policy VPNT internal
    group-policy VPNT attributes
     dns-server value 192.9.200.13
     vpn-tunnel-protocol ikev1 l2tp-ipsec 
     split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPNT_splitTunnelAcl
     default-domain value router.local
    username grimesvpn password 7.wersfhyt encrypted
    username grimesvpn attributes
     service-type remote-access
    tunnel-group SSLVPN type remote-access
    tunnel-group SSLVPN general-attributes
     address-pool vpnpool
     default-group-policy SSLVPN
    tunnel-group SSLVPN webvpn-attributes
     group-alias SSLVPN enable
    tunnel-group VPNT type remote-access
    tunnel-group VPNT general-attributes
     address-pool vpnpool
     default-group-policy VPNT
    tunnel-group VPNT ipsec-attributes
     ikev1 pre-shared-key *****
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map 
      inspect ftp 
      inspect h323 h225 
      inspect h323 ras 
      inspect rsh 
      inspect rtsp 
      inspect esmtp 
      inspect sqlnet 
      inspect skinny  
      inspect sunrpc 
      inspect xdmcp 
      inspect sip  
      inspect netbios 
      inspect tftp 
      inspect ip-options 
      inspect icmp 
    service-policy global_policy global
    prompt hostname context 
    no call-home reporting anonymous
    Cryptochecksum:36271b5a1b9382621e14c3aa635e2fbb
    : end

    Hi Vibor. Apologies if my comment was misunderstood. What I meant to say was that the security level of the dmz interface should probably be less than 100.
    Then traffic could be controlled between the DMZ and inside networks.
    As for the security level on the DMZ interface... that command is correct. :-)
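    One way to put that answer into practice, as an added example that is not from the thread: drop the dmz interface below inside's security level 100 and bind an inbound ACL to dmz that permits only TCP 1433 from the web server object to the inside subnet, logs and denies anything else headed for inside (or the VPN pool), and still lets the DMZ host reach the Internet. The interface, object and subnet names are taken from John's posted config; the security level 50 and the ACL name dmz_access_in are assumptions.

```cisco
! Added example, not part of the original thread.
! Assumption: dmz at security-level 50 (any value below inside's 100 works).
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.100.254 255.255.255.0
!
! Objects reused from the posted config
object network webserver
 host 192.168.100.80
object network inside-subnet
 subnet 192.9.200.0 255.255.255.0
object network vpnpool
 subnet 192.168.201.0 255.255.255.192
!
! Inbound policy on dmz (ACL name is an assumption):
! 1. only the web server may reach inside, and only on TCP 1433
access-list dmz_access_in extended permit tcp object webserver object inside-subnet eq 1433
! 2. everything else from the DMZ toward inside or the VPN pool is dropped and logged
access-list dmz_access_in extended deny ip any object inside-subnet log
access-list dmz_access_in extended deny ip any object vpnpool log
! 3. the DMZ may still reach the Internet; an applied ACL ends with an implicit deny,
!    so this must be explicit
access-list dmz_access_in extended permit ip any any
access-group dmz_access_in in interface dmz
```

    Because there is no NAT rule between dmz and inside in the posted config, the private addresses route directly and the ACL sees them unchanged; the ASA's stateful inspection allows the return half of the 1433 session without an inside-side rule. Before trusting it, walk a packet through with `packet-tracer input dmz tcp 192.168.100.80 12345 192.9.200.6 1433` (expect ALLOW) and a second one to any other inside port (expect DROP at the ACL phase), and watch hit counts with `show access-list dmz_access_in`.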

  • HT203200 Have deleted temp video, configured anti spam and firewall, and one specific video keeps giving me an error. Just tried downloading a previous episode of the show and it worked just fine. Always sunny in philly "Charlie rules the world" anyone el

    Have deleted temp video, configured anti spam and firewall, and one specific video keeps giving me an error. Just tried downloading a previous episode of the show and it worked just fine. Always sunny in philly "Charlie rules the world" anyone else??


  • Can't update iOS 8 on my iPhone5 through iTunes on Windows 8 (error 3004, 3194). Updated host file, opened port 80, 443; turned off security system and firewall, etc. But nothing works. How to solve this problem?

    Can't update iOS 8 on my iPhone5 through iTunes on Windows 8 (error 3004, 3194). Updated host file, opened port 80, 443; turned off security system and firewall, etc. But nothing works. How to solve this problem?

    Hi the_mad_movies,
    It seems like this article will be the best option for addressing this issue:
    Error 3194, Error 17, or "This device isn't eligible for the requested build"
    http://support.apple.com/kb/ts4451
    Thanks for coming to the Apple Support Communities!
    Cheers,
    Braden

  • Setting up gateway and firewall in OS X Server 10.3?

    Hi all,
    I have a G4 tower with two working Ethernet cards in it that I would like to configure as a gateway and firewall. It has OS X Server 10.3 on it. I have easily found the firewall configuration in the Server Admin interface, but I can find nothing about configuring the server to act as a gateway. The only information I have found that is pertinent is related to the Gateway Setup Assistant that comes with OS X Server 10.4, which doesn't exactly help me. Does anyone have any documentation on configuring OS X Server 10.3 to be a gateway? Thanks.

    Actually, I may have marked this as answered too quickly...
    So I followed the guide at the back of the getting started manual, and set everything up as follows:
    - The PCI Ethernet card is set up as the connection to the outside world. It is plugged into a switch which connects to a wall jack. In Network under System Preferences, it is set up as the first internet connection to try. It has a static IP address, and is set up to use the organization's DNS servers. It is NOT plugged into the upstream port, but is instead in port #9. The light on the router is on.
    - Built-in wireless is set up to be the internal connection. It is plugged into the upstream slot on another switch. It has a static IP address, and is set up to use the organization's DNS servers. The light on the router is on, so it appears there is a connection.
    - A different computer is plugged into the second switch, with a static IP address and set to use the organization's DNS servers.
    So basically, unlike in the scenario in the manual, I am not using the OS X Server for DNS, DHCP or NAT services. That should, if anything, simplify it.
    The firewall service is started, and is set to allow all traffic in and out, no problems. Nice and simple to start.
    The server has an okay connection to the outside world via the PCI Ethernet card. I can ping other machines and load web pages. I cannot, however, access the machine connected to the router which is connected to the built-in Ethernet. Likewise, that machine has no access to either the OS X Server or the outside world.
    How does OS X Server decide which Ethernet card is to be connected to the outside world, and which is for the internal firewall? Is the confusion possibly because I'm connected to two routers?

  • I am getting a timeout when attempting to upload os5.0.1.  (3 attempts) including with av and firewall disabled.  1mbdsl.  3hr  download time.

    Three different times I attempted to download the new OS to my wife's iPad. Each time it would proceed to a point somewhere around 80 minutes remaining (started with 3+ hours remaining and downloaded about 4 MB per minute). I have a 1 Mb DSL line that routinely tests out at around .85 Mb per min. I have tried all the "fixes" I found on the site, including isolating all other USB-interfaced hardware, rebooting both machines (PC and iPad), shutting off AV and firewall, and still it fails at about the same point, giving error 3259.
    An attempt to find other info or any way to communicate directly with Apple re this was not successful.
    Any ideas?
    My next idea is to take the entire PC to my son's, where there is a faster internet connection, but that is a lot of trouble and you shouldn't have to do that. With other large file updates I have done on other software, if it fails or times out you are able to resume where it left off and eventually get it done.

    An alternative is to try downloading the update via a browser : https://discussions.apple.com/message/16703914#16703914
    You could also do that via, for example, a friend's computer and then copy it to your own computer for the actual update.

  • When installing third party software, how do I temporarily turn off the factory installed virus sw and firewall?

    When installing third-party software, how do I temporarily turn off the factory-installed virus software and firewall? Is it necessary on a Mac to do so? I come from the Windows world and am still on the learning curve on the Mac.

    Correct. I have not installed ANY other software for anti-virus, etc. I want to install a sync app for my HTC phone to sync with MS Outlook 2011 installed on my Mac. HTC will not sync with it otherwise. That was really the basis for my question... if installing a non-Apple app can be done without messing with factory settings on the Mac. In Windows I remember that I needed to disable Norton and the firewall in order for installation to occur.
    Thanks.

  • Suggest antivirus and firewall

    Hi, I'm running a Windows XP Home Service Pack 3 computer.
    I was having problems downloading films from iTunes, and I suspected either a bug/virus in my computer
    or a conflict with security software in my computer was causing problems, so I wiped my computer and installed a new version
    of XP, went onto iTunes and downloaded a film, which seems to have downloaded okay.
    I don't want the same problem, so can anyone please suggest an antivirus and firewall for my computer [had Panda Cloud Antivirus before] which shouldn't cause conflict problems with iTunes? Many thanks for any help given.

    Windows XP has a fairly serviceable firewall built into it already. As long as you are connecting to the internet via a router there really shouldn't be too much to worry about. Back in the day of directly connected modems, people were inadvertently exposing their file systems to anyone who chose to look. A quick visit to Shields Up! should let you know if there are any significant issues.
    I tend to recommend AVG Free as an AV solution for personal use. Don't install its toolbar or search redirector. Whatever AV package you use, you may want to go into its advanced settings and exclude it from monitoring your iTunes folder. This should prevent any conflict between the AV and iTunes.
    tt2

  • FMS: NAT and Firewall

    I've run into one roadblock after another with Cirrus (Stratus) - basically, even the Adobe Videophone example refuses to work in the 'real world' where there's a mix of NAT and firewall configurations outside the developer's control. (http://forums.adobe.com/message/1064983#1064983 and thread at http://forums.adobe.com/thread/736422?tstart=0)
    My question is whether Flash Media Server 4 has the same sort of issues? We don't want to pay up to install and run our own FMS only to discover that we won't be able to provide a P2P service to our end users because they're scattered around the Internet with a mix of mobile devices and computers lying behind NAT and firewall devices that we can't predict.

    FMS4 and Cirrus should behave identically as far as facilitating P2P communications on the open Internet.
    As the referenced article describes, with some combinations of NATs and firewalls, P2P communication is impossible. RTMFP tries really hard to establish connections in the cases where direct communication is possible, but will not function in cases where direct communication is not possible.
    We believe direct communications should be possible for the majority of Internet users, but recognize that it won't be possible for 100% of users.

  • File Vault and Firewall?

    I have a new macbook pro. Should I turn on File Vault and Firewall?

    The purpose of FileVault is to protect your files from being read by someone who has physical access to the computer. If you need or want that protection, you should enable it.
    The application firewall blocks incoming network traffic, regardless of origin, on a per-application basis. Typically, it would be configured to allow only applications digitally signed by Apple to listen on the network. It does not block outgoing traffic, nor can it distinguish between different sources of incoming traffic. It is not, as some people seem to believe, a malware filter.
    So for example, suppose you enable file sharing, and allow access by guests to certain folders. You want people on your local network to be able to access those files without having to enter a password. When configured as stated above, the firewall will allow that. Your router will prevent outsiders from accessing the files, whether the application firewall is on or not. But if your computer is portable and you connect it to an untrusted network such as a public hotspot, the firewall will still allow access to anyone, which is not what you want.
    Now suppose you unknowingly install a trojan that steals your data and uploads it to a remote server. The firewall, no matter how it's configured, will not block that outgoing traffic. It does nothing to protect you from that threat.
    Another scenario: Your web browser is compromised by a trojan. The trojan redirects all your web traffic to a bogus server. The firewall does nothing to protect you from this threat.
    A final scenario: You're running a public web server. Your router forwards TCP connection requests on port 80 to your Mac, and the connections are accepted by the built-in web server, which is signed by Apple. The application firewall, still configured as above, allows this to happen. Now you download a different trojan, one that tries to hijack port 80 and replace the built-in web server. The good news here is that the firewall does protect you; it blocks incoming connections to the trojan and alerts you. The bad news is that you've been rooted. The attacker who can do all this can just as easily disable the firewall, in which case it doesn't protect you after all.
    It might make a bit of sense to use the firewall if you're running trusted services on an unprivileged port; that is, a port numbered higher than 1023. Those ports can be bound by a process with no special privileges.
    Here is a more realistic scenario in which you should enable the firewall. Your portable Mac has several sharing services enabled. You want those services to be available to others on a home or office network. When you're on those networks, the firewall should be off. When you move to an untrusted network, you can either turn off all the services, or enable the firewall to block them. Blocking is easier: one configuration change instead of several.
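    The answer above says the application firewall only affects incoming connections, that unprivileged ports (above 1023) can be bound by any process, and that the practical question on an untrusted network is whether a service is still reachable. The one check a practitioner wants before trusting any firewall setting is a direct TCP connect probe that distinguishes "open" (handshake completed), "closed" (the host sent a reset, nothing is listening) and "filtered" (no answer before the timeout, which is what a firewall that drops packets looks like from outside). The following is an added example, not code from the original thread or from Apple: it starts a throwaway listener on a high port on 127.0.0.1 (a constructed target, so it runs offline) and classifies that port and a deliberately unused one. The listener, the port numbers and the one-second timeout are assumptions for illustration; point `scan()` at the real address and ports of the service you are worried about.

```python
import contextlib
import socket
import threading


def classify_port(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port.

    open     -> the three-way handshake completed: something is listening
                and nothing in between blocked the connection.
    closed   -> the host replied with a reset: reachable, but no listener.
    filtered -> no reply before the timeout: a firewall (or a wrong
                address) swallowed the SYN. This is the only one of the
                three that a packet-dropping firewall produces.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        # No route / host unreachable: from the scanner's point of view
        # this is indistinguishable from a silent drop.
        return "filtered"
    finally:
        s.close()


def scan(host, ports, timeout=1.0):
    """Probe several ports and return {port: state}."""
    return {p: classify_port(host, p, timeout) for p in ports}


@contextlib.contextmanager
def throwaway_listener(port=0):
    """Constructed target: bind an unprivileged port (0 = let the OS pick one
    above 1023, as the post notes no special privileges are needed) and accept
    and immediately close whatever connects, so the probe sees 'open'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:
                break

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    try:
        yield srv.getsockname()[1]
    finally:
        stop.set()
        srv.close()
        t.join()


def unused_port():
    """Pick a port that currently has no listener, to show what 'closed'
    looks like (the kernel answers with a reset, no firewall involved)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Run both probes against the constructed local targets."""
    with throwaway_listener() as listening:
        closed = unused_port()
        return {"listening": listening, "closed": closed,
                "results": scan("127.0.0.1", [listening, closed])}


if __name__ == "__main__":
    d = demo()
    for port, state in d["results"].items():
        print(f"127.0.0.1:{port} -> {state}")
```

    Run it once on the trusted network and once on the untrusted one, against the ports your sharing services use: a service that shows "open" from a neighbouring machine after you enabled the firewall is not blocked, whatever the preference pane says. A "filtered" result means something dropped the SYN before any listener saw it; it does not tell you whether that something was the firewall you configured, an upstream router, or simply the wrong target address, so always confirm a "filtered" verdict against a port you know is open.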
