DMZ setup (11g)

Similar Messages

• DMZ setup for SBS 2011

  Any suggestions on a low end router capable of providing a decent firewall that would begin to meet the security requirements needed for a DMZ setup?  (example Cisco PIX 506 Firewall) 
  And whether it can be done with just a couple of wireless routers, one with an enabled DMZ?   My initial thought on this is that the standard consumer wireless routers have an eight character password which is far from secure enough to do
  much of anything. (brainstorm details below)
  Thought is to place a web form login page in the DMZ... add a read only file to test the web form access.  Nothing fancy and for now, it does nothing except verify that user can login or is denied login.   Verified login goes nowhere except
  "Success".  Build something later when the first part works (if it works).
  Plan is to exist over two lans (or IP sets within the domain - one set is 192.168.01.xxx and the other set is 192.168.02.xxx) and set up bypass rules between the two.  The Lan 192.168.01.xxx would house the DMZ (with HTTP port 80 access) and the
  Lan 192.168.02.xxx would house the internal domain (SBS 2011 DC running VPN, Sharepoint etc, HyperV server with virtuals running SQL and TFS, and laptop access).  The 192.168.01.xxx is a guest lan for non-domain (non-hostile) members.
  So my questions: 
  1) Can the HTTP header be forwarded from SBS 2011 router rules on the router firewall to hit the second lan (http requests from 192.168.02.xxx would be routed over to 192.168.01.xxx)?
  2) Can an inexpensive router like the PIX ($30 used) above solve the "crack the eight character router password issue?"  (Maybe I just need a newer router in general where the passwords are more secure?)
  Currently RWW open, SSL open, VPN (1723) open, 25 open... all other ports closed.  [Does this create any snafu's?]
  Hard to make head or tails of
  http://forums.untangle.com/networking/25935-setting-up-sbs-2011-secondary-internal-dmz-3.html
  R, J

  While all this is good information, I would clarify one point
  Port 80 should not be open and port forwarded as it's the single most commonly attacked port
  Users should be taught to come in via port 443, using https
  Cris Hanna [SBS - MVP] (since 1997)
  Co-Contributor, Windows Small Business Server 2008 Unleashed
  http://www.amazon.com/Windows-Small-Business-Server-Unleashed/dp/0672329573/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1217269967&sr=8-1
  Owner, CPU Services, Belleville, IL
  A Microsoft Registered Partner
  MVPs do not work for Microsoft
  Please do not submit questions directly to me.
  <Linda Graham> wrote in message
  news:[email protected]...
  Hi,
  I have deployed similar setups for clients. The main thing is the quality of the router/firewall facing the internet. I assume when you talk about open ports, you mean open via NAT (network address translation) otherwise, you are leaving the firewall to
  do the hard work. I am a fan of Draytek 2830 adsl routers. They also have cable routers if you connect via cable. These are much more expensive than $30 - about £230 in the UK. Cheaper models by other manufacturers are available, but what you should look for
  is a fully customisable NAT server (also called virtual server on some cheaper models) Have a look at Zyxel and TP-Link professional routers. Passwords with these routers can be as complex as you need.
  I assume you have a static IP address or block of static IP addresses for your public wan address. Using dynamic DNS will create problems with spam filters if you are using an Exchange/smtp server on your SBS server to send email and is not recommended.
  SBS needs to be able to access your server via ports 25, 80, 443 and 987. You may also want to use 1726 if you need a VPN connection. Use NAT to map these ports from WAN to LAN. for example if your WAN address is XXX.XXX.XXX.XXX and your LAN subnet
  is 192.168.1.0 with your SNS server IP address set to 192.168.1.1 and your router IP is 192.168.1.254, then you would add the following to the NAT address table:
  WAN XXX.XXX.XXX.XXX port 25 to LAN 192.168.1.1 port 25
  WAN XXX.XXX.XXX.XXX port 80 to LAN 192.168.1.1 port 80
  WAN XXX.XXX.XXX.XXX port 443 to LAN 192.168.1.1 port 43
  WAN XXX.XXX.XXX.XXX port 987 to LAN 192.168.1.1 port 987
  This will provide secure access to these ports from WAN to LAN and will enable SBS remote web access, SBS Exchange Email and Outlook Web Access. Computers connecting will require either a third party domain certificate (eg from Verisign or
  GoDaddy etc) or the self issued certificate (found in the public document folder on the SBS server) to be distributed to machines to enable them to use this remote access.
  For the non secure subnet, you will need another router connected to a LAN port on your main router. Configure the WAN address of the secondary router to be 192.168.1.253 and the LAN  subnet to be anything suitable but different from your primary
  LAN, eg 192.168.2.0. On your main router, set the WAN IP address of your secondary router (192.168.1.253) on the DMZ. This opens the WAN port of the secondary router to the internet but isolates it from your primary LAN subnet.
  This setup is suitable for a secure network with public wifi access via the secondary router. Use the secondary router to restrict bandwidth, download types adult content etc. to prevent public abuse of your Wifi network, but still making it suitble
  for smatphones to connect.
  I hope this is clear, but if you have any questions, post again.
  regards,
  Linda
  Cris Hanna, Microsoft SBS MVP, Owner-CPU Services, Belleville, IL

• Cisco ASA 5505 DMZ Setup

  Hello,
  I am new to Cisco firewalls and am attempting to setup a DMZ on the firewall.
  I have managed to create the interface and vlan and ip address settings etc. But im a bit lost with the NAT settings and rules i need to create for it.
  I need to be able to do the following:
  - RDP access from inside network to the DMZ servers
  - Internet access for the DMZ
  I am also setting up Active Directory Federation and requirre HTTPS traffic from the following:
  - DMZ HTTPS to outside (Office 365 Services)
  - Outside HTTPS to DMZ (ADFS Servers on DMZ only)
  - DMZ HTTPS to inside (ADFS Servers Only)
  -  Inside HTTPS to DMZ (ADFS Servers Only)      
  Running Config:
  interface Vlan1
  nameif inside
  security-level 100
  ip address ccl-sua-asa 255.255.255.0
  ospf cost 10
  interface Vlan3
  no forward interface Vlan1
  nameif dmz
  security-level 50
  ip address 172.16.0.1 255.255.255.0
  interface Vlan100
  nameif outside
  security-level 0
  ip address 77.107.90.202 255.255.255.248
  ospf cost 10
  interface Ethernet0/0
  switchport access vlan 100
  speed 100
  duplex full
  interface Ethernet0/1
  description Connected to CCL-SUA-SW1 port 16
  interface Ethernet0/2
  switchport access vlan 3
  access-list inbound extended permit icmp any any
  access-list inbound extended permit tcp host 87.86.204.100 host 77.107.90.203 eq smtp
  access-list inbound remark Inbound ACT for Ruth Edmonds Only
  access-list inbound extended permit tcp any interface outside eq www
  access-list inbound extended permit tcp any interface outside eq 5022 inactive
  access-list inbound remark Inbound rules for OWA 30/06/09 MD
  access-list inbound extended permit tcp any host 77.107.90.203 eq https log
  access-list inbound remark Inbound access for LDAP and SMTP from mimecast 02/07/09 MD
  access-list inbound extended permit tcp object-group mimecast interface outside eq ldap
  access-list inbound extended permit tcp object-group mimecast host 77.107.90.203 eq smtp
  access-list inbound remark change request MET 56030 inbound POP3 for mimecast
  access-list inbound extended permit tcp object-group mimecast host 77.107.90.203 eq pop3
  access-list inbound remark Inbound rule for helpdesk 10/07/2012 ML
  access-list inbound extended permit tcp any host 77.107.90.205 eq https
  access-list inbound remark Inbound rule for survey 011012 ML
  access-list inbound extended permit tcp any host 77.107.90.205 eq www
  access-list inbound extended deny ip any any
  access-list nonat extended permit ip 192.168.40.0 255.255.255.0 192.168.245.0 255.255.255.0
  access-list nonat extended permit ip 192.168.40.0 255.255.255.0 192.168.252.0 255.255.252.0
  access-list vpn-met-bir extended permit ip 192.168.40.0 255.255.255.0 192.168.252.0 255.255.252.0
  access-list outbound extended permit ip object-group servers 192.168.255.0 255.255.255.0
  access-list outbound extended deny ip any 192.168.255.0 255.255.255.0
  access-list outbound extended permit ip 192.168.40.0 255.255.255.0 192.168.254.0 255.255.255.0
  access-list outbound extended deny udp any 192.168.255.0 255.255.255.0
  access-list outbound extended deny ip any 10.0.0.0 255.0.0.0
  access-list outbound extended deny ip any 192.168.0.0 255.255.0.0
  access-list outbound extended permit ip any any
  global (outside) 1 interface
  nat (inside) 0 access-list nonat
  nat (inside) 1 192.168.40.0 255.255.255.0
  nat (inside) 1 192.168.41.0 255.255.255.0
  nat (dmz) 1 172.16.0.0 255.255.255.0
  static (inside,outside) tcp interface 5022 192.168.41.1 ssh netmask 255.255.255.255
  static (outside,outside) tcp interface ssh 192.168.41.1 ssh netmask 255.255.255.255
  static (inside,outside) tcp interface www WEB www netmask 255.255.255.255
  static (inside,outside) tcp interface ldap FILESERVER ldap netmask 255.255.255.255
  static (inside,outside) 77.107.90.203 MAILSERVER netmask 255.255.255.255
  static (inside,outside) 77.107.90.205 helpdesk netmask 255.255.255.255
  static (dmz,outside) 77.107.90.206 172.16.0.7 netmask 255.255.255.255
  access-group outbound in interface inside
  access-group inbound in interface outside
  route outside 0.0.0.0 0.0.0.0 77.107.90.201 1
  route inside 192.168.41.0 255.255.255.0 ccl-sua-sw1 1
  Like i mentioned I have already setup the DMZ itself but its just the NAT and rules im struggling to get working
  Many Thanks
  James          

  Hi,
  If you have only a ASA5505 Base License then you can initiate/open connections from the DMZ to INSIDE
  You can confirm the License level with "show version" command. It should read at the end of the output.
  In the Base License you only have a restricted DMZ/3rd interface on the ASA. You can connect to it from anywhere BUT you have to limit it from connecting towards one of the other 2 intefaces. You have already done this with the command
  no forward interface Vlan1
  Which to my understanding is required to get the 3rd interface active when you only have Base License on ASA5505.
  OUTSIDE -> DMZ
  INSIDE -> DMZ
  Connection initiating should be possible.
  So it seems to me that you already have one problem that will limit connectivity and not just the NAT.
  You already seem to have the Default PAT configuration for DMZ Internet traffic.
  You dont have the NAT for DMZ <-> INSIDE traffic but as mentioned above it might already be limited by something else even though your configurations were fine.
  The corrent NAT configuration to enable that traffic would be to use
  static (inside,dmz) netmask
  Repeat for all
  EDIT: Naturally you would also need an ACL on the DMZ interface for DMZ -> INSIDE traffic since the INSIDE is of higher "security-level". But as soon as you add the ACL to the DMZ interface you would also have to use it to allow Internet bound traffic since the "security-level" looses its meaning after an ACL is attached to the interface.
  - Jouni

• High Availability setup 11g

  How do you setup for DR failover in OEM 11g?
  I have dataguard standby to other server, and web logic installed.
  How do I install/setup Grid install but not activate it? the OMS is only stand-alone at the primary site.
  Yes, I have tried to look at HA doco. but does anyone have step by step approach?

  How about this http://docs.oracle.com/cd/E23943_01/doc.1111/e15722/create_domain.htm#BAJBDDJB
  biinternal.mycompany.net/analytics is your BI Service.
  If helps pls mark

• DMZ setup

  Hi
  I've got an advanced leopard server running providing mail services, ical services and web services.
  I would like to put the server in the DMZ and hence I need to activate the firewall. But I'm a bit unsure as to what ports I should allow traffic to. I would also like to be able to use Apple remote desktop from outside the local network and ofcourse open directory authentication from the "outside".
  I have set allow traffic from any to these ports
  TCP Outgoing
  TCP established
  UDP Fragments
  UDP outbound and responses to same port
  IGMP
  Mail:IMAP
  SSH
  Mail:SMTP standard
  ARD 2.x
  HTTPS
  DNS - response outbound queries
  Remote Directory Access
  Serial Number support
  LDAP secure
  HTTP - web service
  Mail Imap SSL
  ICMP - echo replymessages
  ICMP - echo request
  Is this a safe or good configuration or should I add some ports or rmove some ports?
  I also plan to use VPN between this server and another server at another location
  Any and all input appreciated.
  Thanks

  These are basically the defaults that where activated when instarted the firewall services. As for UDP and UDP fragments, as far as I know i dont need them. I thought these things where set by default because there was something that needed it. The same goes for ICMP. As for SSH i have set that so you need to use keys to use ssh..so without the necessary keys you cant access ssh and ofourse I have disabled root login for ssh. I havent touched the apache config file.. what specifially where you thinking of with regards to apache from a security standpoint?.
  Thanks

• Xbox Live DMZ Setup

  Hello.  So i seem to get alot of disconnects from my xbox live.  so if anyone can give me a straight forward answer on what to do then let me know.
  first of all, nothing has changed except the routers password.
  I want to set the xbox on the DMZ.  
  can someone give me VERY CLEAR instructions on how to do this. I would greatly appreciate it.

  nevermind, I figured it out.

• WRT310N: Help with DMZ/settings (firmware 1.0.09) for wired connection

  Hello. I have a WRT310N and have been having a somewhat difficult time with my xbox 360's connection. I have forwarded all the necessary ports (53, 80, 88, 3074) for it to run, and tried changing MTU and what-not.
  I don't know if I have DMZ setup incorrectly, or if it's my settings.
  Setup as follows:
  PCX2200 modem connected via ethernet to WRT310N. 
  The WRT310N has into ethernet port 1 a WAP54G, and then upstairs (so that my Mother's computer can get a strong signal) I have another WAP54G that I believe receives its signal from the downstairs 54G. 
  In the back of the WRT310N, I have my computer connected via ethernet port 3, and my Xbox 360 connected via ethernet port 4.
  Now, I first figured I just have so many connections tied to the router and that is the reason for being so slow. However, when I unplug all the other ethernet cords and nothing is connected wirelessly, except for my Xbox connected to ethernet port 4, it is still poor. Also, with everything connected (WAP54G and other devices wirelessly) I get on my PC and run a speedtest.  For the sake of advice, my speedtests I am running on my PC are (after 5 tests) averagely 8.5 Mbps download, and 1.00 Mbps upload, with a ping of  82ms.
  Here is an image of the results:
  http://www.speedtest.net][IMG]http://www.speedtest.net/result/721106714.png
  Let me add a little more detail of my (192.168.1.1) settings for WRT310N.
  For starters, my Father's IT guy at his workplace set up this WRT310N and WAP54G's. So some of these settings may be his doing. I just don't know which.
  "Setup" as Auto-configurations DHCP. I've added my Xbox's IP address to the DHCP reservation the IP of 192.168.1.104. This has (from what I've noticed) stayed the same for days.
  MTU: Auto, which stays at 1500 when I check under status.
  Advanced Routing: NAT routing enabled, Dynamic Routing disabled. 
  Security: Disabled SPI firewall, UNchecked these: Filter Anonymous Internet Requests, Multicast, and Internet NAT redirection.
  VPN passthrough: All 3 options are enabled (IPSec, PPTP, L2TP)
  Access Restrictions: None.
  Applications and Gaming: Single port forwarding has no entries. Port Range Forwarding I have the ports 53 UDP/TCP, 88 UDP, 3074 UDP/TCP, and 80 TCP forwarded to IP 192.168.1.104 enabled. (192.168.1.104 is the IP for my xbox connected via ethernet wired that is in DHCP reserved list)
  Port Range Triggering: It does not allow me to change anything in this page.
  DMZ: I have it Enabled. This is where I am a bit confused. It says "Source IP Address" and it has me select either "Any IP address" or to put entries to the XXX.XXX.XXX.XXX to XXX fields. I have selected use any IP address. Then the source IP area, it says "Destination:"  I can do either "IP address: 192.168.1.XXX" or "MAC address:" Also, under MAC Address, it says DHCP Client Table and I went there and saw my Xbox under the DHCP client list (It shows up only when the Xbox is on) and selected it.  
  Under QoS: WMM Enabled, No acknowledgement disabled.
  Internet Access Priority: Enabled. Upstream Bandwith I set it to Manual and put 6000 Kbps. I had it set on Auto before, but I changed it. I have no idea what to put there so I just put a higher number. 
  Then I added for Internet Access Priority a Medium Priority for Ethernet Port 4 (the port my xbox is plugged into).
  Administration: Management: Web utility access: I have checked HTTP, unchecked HTTPS.
  Web utility access via Wireless: Enabled. Remote Access: Disabled.
  UPnp: Enabled.
  Allow Users to Configure: Enabled.
  Allow users to Disable Internet Access: Enabled.
  Under Diagnostics, when I try and Ping test 192.168.1.104 (xbox when on and connected to LIVE), I get:
  PING 192.168.1.104 (192.168.1.104): 24 data bytes
  Request timed out.
  Request timed out.
  Request timed out.
  Request timed out.
  Request timed out.
  --- 192.168.1.104 data statistics ---
  5 Packets transmitted, 0 Packets received, 100% Packet loss
  Also, when I do Traceroute Test for my Xbox's IP, I just keep getting: 
  traceroute to 192.168.1.104 (192.168.1.104), 30 hops max, 40 byte packets
  1 * * * 192.168.1.1 Request timed out.
  2 * * * 192.168.1.1 Request timed out.
   As for the Wireless Settings, it is all on the default settings with Wi-Fi Protected setup Enabled.
  To add, I have tried connecting my modem directly to the Xbox and my connection is much improved. I have no difficulty getting the NAT open, for it seems my settings are working for that. Any help with these settings would be VERY much appreciated. 
  Message Edited by CroftBond on 02-18-2010 01:09 PM

  I own 2 of these routers (one is a spare) with the latest firmware and I have been having trouble with them for over a year.  In my case the connection speed goes to a crawl and the only way to get it back is to disable the SPI firewall.  Rebooting helps for a few minutes, but the problem returns.  All of the other fixes recommended on these forums did not help.  I found out the hard way that disabling the SPI Firewall also closes all open ports ignoring your port forwarding settings.  If you have SPI Firewall disabled, you will never be able to ping your IP from an external address.  Turn your SPI Firewall back on and test your Ping. 
  John

• Issues expected in oracle 9i/10g to 11g upgrade

  Hi.
  We are planning to migrate some 95 odd applications from Oracle 9i/10g to 11g. The upgrade method we are planning to use is to setup 11g target servers and move databases from source to target using import/export. Then do the necessary changes in the app code and connect the application to the new target server and test.
  The source OS may be RHEL 3/4/5 or Solaris 8 and target OS will be RHEL 4/5 or Solaris 10.
  My questions are:
  1. What can be the expected database side issues possible while moving the structure+data+views/sps etc from old version to new version using import/export.
  2. How much time may it take to move the database from source to target for say a 100GB database?
  3. Will the change of OS have any implications on the movement from source to target?
  4. What are the application side issues possible considering that most apps use odbc/jdbc to connect to the datastores?
  5. Can any application side inline queries be affected?
  6. Will there be any changes to the column data types from 9i/10g to 11g which can impact the code?
  Thanks,
  Vipul Shah
  Edited by: 885362 on Sep 15, 2011 1:31 AM
  Edited by: 885362 on Sep 15, 2011 1:39 AM

  1. What can be the expected database side issues possible while moving the structure+data+views/sps etc from old version to new version using import/export. If you complete the steps in (Interoperability Notes Oracle EBS 11i with Oracle Database 11gR2 (11.2.0.2) [ID 881505.1]) please see these docs.
  After RDBMS Upgrade To 11gR2 In An Applications 11i Environment: ORA-20000 DRG-100[51021],[Drwaf.C],[1605],[],[] ORA-4088 [ID 1104963.1]
  Running adbldxml.pl On DB Node Fails With Unsatisfiedlinkerror Exception Loading Native Library: njni11 [ID 1183373.1]
  Adstats.sql Fails While Upgrading Database to 11gR2 [ID 1232853.1]
  Ad_parallel_compile: Ora-01031: Insufficient Privileges in adadmin / re-create grants and synonyms for APPS schema after upgrade from 10gR2 to 11gR2 [ID 1148264.1]
  Ad_parallel_compile: Ora-01031: Insufficient Privileges in adadmin / re-create grants and synonyms for APPS schema after upgrade from 10gR2 to 11gR2 [ID 1148264.1]
  2. How much time may it take to move the database from source to target for say a 100GB database? Depends on many factors -- Try this on a test instance with similar hardware configuration and setup to production to estimate the time.
  3. Will the change of OS have any implications on the movement from source to target?No, but you may relink the executable files -- How to Relink Oracle Database Software on UNIX [ID 131321.1]
  4. What are the application side issues possible considering that most apps use odbc/jdbc to connect to the datastores? If you run AutoConfig with no errors when there should be no issues with ODBC/JDBC connectivity.
  5. Can any application side inline queries be affected? It should not be affected expect if you custom code use some features which are no longer available in 11g database.
  6. Will there be any changes to the column data types from 9i/10g to 11g which can impact the code?Typically no, however you need to do full and proper testing to verify.
  Thanks,
  Hussein

• Issue with cookies in DMZ multi node envt

  Hi ,
  We are facing the following issue at our client site:
  The client has implemented iStore and iSupport on top of the existing Oracle Applications (11.5.10 ).
  For these two modules they have added the DMZ node for their customers to make istore order and to use isupport.
  And for the other internal users who use the other modules they have the internal node. Both the internal and external nodes have different domain name.
  They also have some internal users having access to their istore and isupport as well as other module access. So they access the apps both from the external and internal nodes.
  The issue is, that when the user log-on to istore/isupport thru the external node (eccp.company.com domain).
  Once they are in istore/isupport pages, without log-off or closing the browser, if the user goes to the internal node url AppsLocalLogin.jsp (prodapp01.company.com) on the same browser with a difft user name, he gets the resp. of the user who had logged thru the external node on the home page with the LAF changes for iStore and iSupport. But it will not allow them to navigate further. So the users wont see their regular home page when they logon to the internal node in this case. This might be because the home page (AppsLocalLogin) doesn’t associate the correct cookie when the user log-on thru the internal node on the same browser (The browser has both the cookies).
  How to solve this issue? Is there any set-up/patch available for this scenario? Any help on this is greatly appreciated.

  I don't see much relevance of this issue with OAF. It is more of your DMZ setup issue. For better response, you can post it in forum "Managing Oracle Applications" http://forums.oracle.com/forums/forum.jspa?forumID=40&start=0
  --Shiv                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           

• Performance issue in guest access anchored in DMZ

  Hello,
  I've been having performance issue in our wifi guest network anchored in the DMZ.
  I have 3-5508 anchor controllers behind the Checkpoint gaia firewall and have 24 guest SSIDs in here.
  Right now, only 14 guest SSIDs are enabled and tunnelled out in this anchor DMZ setup, whenever I try to add few more SSIDs I run into performance issue.
  It seems to me that the problem is not about these additional SSIDs that I add because the performance issue starts to appear only when the traffic peaks or associated clients reached to certain number which is in my case 4000 users.
  The firewall serves as the NAT device and gateway for all these guest SSIDs. The cpu, memory, number of connections have been checked and verified low.
  Has anyone seen a problem like this? or has a setup like mine?
  thanks!

  Presuming you're not exceeding client count maximums on the individual WLCs I can't say I've seen anything in line with this "specific problem", but anything is possible.
  What are the specific "performance issues" the clients are experiencing?  Is it just general poor performance (slow web browsing/etc) or do you see other issues like no internet connectivity at all or something else?
  May I ask, what is the use-case behind having 24 SSIDs on your anchors?

• Need DMZ set up document?

  Dear
  We have our Oracle ERP R12 running on i550 machines with AIX 5L, 2 LPAR's. Our requirement for iprocurement module is that, we need to have DMZ setup. What should be the configuration setup? IBM pseries server are very costly, we are planning to have IBM iseries servers. Can we have iseries server with aix for DMZ setup? Need to explore about DMZ?

  You can also refer to:
  Note: 380483.1 - Oracle E-Business Suite Release 12 Additional Configuration and Deployment Options
  https://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=380483.1
  Additional Configuration and Deployment Options in Release 12
  http://blogs.oracle.com/stevenChan/2007/02/additional_configuration_and_d.html

• 11g DBConsole on a 10g DB

  Is it possible to install a 11g DB Console to run on top of a 10gR2 DB? There are features of the 11g console that we would like to use for some junior people here.

  >
  We got a 10gR2 DB on Sun Solaris (5.5) that we monitor with 10G GRID, but we want to use the 11g DB Console for this DB as it has some features that we would like to use.
  So my questions are can we setup 11g Console?
  The exisiting binaries will get me the 10g Console which is not what I am looking for. I only have one home. Not looking to configure GRID as we already have that.
  >
  If you mean using your existing 10gR2 Database as a repository, then yes indeed you can; currently supported versions are:
  10.2.0.4
  10.2.0.5You might want to go through MOS Note 412431.1 - Grid Control Certification Matrix
  Regards,
  Phiri

• 11g DataGuard

  Hi all,
  I followed "http://www.oracle.com/technology/pub/articles/oracle-database-11g-top-features/11g-dataguard.html" to setup 11g standby database. In point 9, it required to start standby database in NOMOUNT mode. However I got the following error:
  C:\app\eric\product\11.1.0\db_1\NETWORK\ADMIN>set ORACLE_SID=orclsb
  C:\app\eric\product\11.1.0\db_1\NETWORK\ADMIN>sqlplus /nolog
  SQL*Plus: Release 11.1.0.6.0 - Production on Thu Nov 13 12:01:11 2008
  Copyright (c) 1982, 2007, Oracle. All rights reserved.
  SQL> connect / as sysdba;
  ERROR:
  ORA-12560: TNS:protocol adapter error
  SQL>

  Hi,
  Check for the Listener Status... and also for the entries in litener.ora files
  Also at the same time check for entries in the tnsnames.ora and check whether they are correctly mentioned or not..
  tnsping <service_name> see if it is able to resolve the alias.....
  Regards,
  Prosenjit Mukherjee

• Port Foward Vs. DMZ

  My company is in the process of implementing a new system that they want internal and external access to.
  I would like to use our DMZ, however there is a concern that we will overrun the throughput of our PIX 525.
  The software vendor just wants us to port forward from the outside across the firewall. What are the ramifications of doing this besides the large security holes from the untrusted to trusted network?
  Thanks

  Thanks for your reply.
  We have a pix 525 pair in active/standby right now. Each has 256MB of memory and they are not being utilized very heavy today. We have on average 30 concurrent VPN connections, plus the PIX is our Firewall for our companies internet access.
  We are worried about the throughput when we bring our new software system online. We will have 200Mb of bandwidth out of our data center to our offices and up to 100Mb of bandwidth outbound to the internet. If we put all our application on the DMZ, that is very close to the PIX rated throughput of 330. If we put only a few of the systems on the DMZ, then the
  servers will not be able to communicate to eachother at 1Gb speeds because of the PIX limitations.
  As for port forwarding, the application will only need 2 open ports. SSL and another TCP port.
  As for the servers, they will all have public IPs assigned to them (either physically assigned in a port forward setup or through NAT in a DMZ setup).
  My major concern with port forwarding is if one of the servers is compromised, then the entire inside network becomes vulnerable.
  Even if we put them on the DMZ I am still going to need to allow access from the inside to the DMZ for internal users. Is it possible to do this securely?
  Thanks

• Reverse proxy setup for EBS R12.1.1

  We have an external DMZ server configured for oracle ebs r12.1.1. The URL is http://testerp.mydomain.com:8003.
  Can you please provide a link that shows step by step setup of Reverse proxy for the above URL to access the application.
  I already have the metalink notes that says about DMZ setup for oracle ebs. I actually am looking for step by step setup for the reverse proxy using oracle application server 10g. Please help. Thanks.

  Roy, I have already gone through that document, it is actually showing how to install and configure webcache 10g for oracle ebs r12.
  It also says the features that oracle applicaiton server web cache provides like,
  •Load Balance
  •Reverse Proxy
  •Failover and Surge Protection to minimize downtime
  •Personalize Attributes for Caching
  BUT IT IS NOT MENTIONING HOW TO CONFIGURE THE 'REVERSE PROXY' FOR THE ORACLE EBS EXTERNAL APPLICATION SERVER ON DMZ.