External DNS name with Transversal Firewall

Similar Messages

• DNS names for external when having more pools

  Hi
  Simple question:
  I have poolA.internaldomain.com and poolB.internaldomain.com. And their external Web sites are "poolAws.company.com" and "poolBws.company.com".
  Beside of these I have directory which external web site is: "LyncWs.company.com".
  Do I need to publish those "poolAws.company.com" and "poolBws.company.com" to external DNS together with "LyncWs.company.com"? Or is it enough to publish only Directory's external web site if the Reverse Proxy (which terminate
  the SSL connection and start new one) is able to resolve those names? As Directory does the reroute for the session to the correct Front End pool. As the session is still initialized by the Reverse Proxy.
  My hope is, that I do not need to do publish those names so I can get a bit more security...
  Petri

  Yep that's correct, all web services are delivered via the reverse proxy server.
  Regardless of using a director or not, the documentation states that all web services in all pools should be published via the reverse proxy, and this includes the director pool. Jeff Schertz has a good article that summarises this - http://blog.schertz.name/2011/03/publishing-lync-director-web-services
  In most situations I would not deploy a director. In Lync 2013 it is no longer a recommended role but is optional.
  Hope this helps.
  Andrew Morpeth
  Lync Server Specialist - Auckland, NZ
  Check out my blog

• Setup internal and external DNS namespaces best practice

  Is external name space (e.g. companydomain.com) and internal name space (e.g. corp.companydomain.com or companydomain.local) able to run on the same DNS server (using Microsoft Windows DNS servers)?
  MS said it is highly recommended to use a subdomain to handle internal name space - say corp.companydomain.com if the external namespace is companydomain.com.  How shall this be setup?  Shall I create my ADDS domain as corp.companydomain.com directly
  or companydomain.com then create a subdomain corp?
  Thanks in advanced.
  William Lee
  Honf Kong

  Is external name space (e.g. companydomain.com) and internal name space (e.g. corp.companydomain.com or companydomain.local)
  able to run on the same DNS server (using Microsoft Windows DNS servers)?
  Yes, it is technically feasible. You can have both of them running on the same DNS server(s). Just only your public DNS zone can be published for external resolution.
  MS said it is highly recommended to use a subdomain to handle internal name space - say corp.companydomain.com
  if the external namespace is companydomain.com.  How shall this be setup?  Shall I create my ADDS domain as corp.companydomain.com directly or companydomain.com then create a subdomain corp?
  What is recommended is to avoid having a split-DNS setup (You internal and external DNS names are the same). This is because it introduces extra complexity and confusion when managing it.
  My own recommendation is to use .local for internal zone and .com for external one.
  This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
  Get Active Directory User Last Logon
  Create an Active Directory test domain similar to the production one
  Management of test accounts in an Active Directory production domain - Part I
  Management of test accounts in an Active Directory production domain - Part II
  Management of test accounts in an Active Directory production domain - Part III
  Reset Active Directory user password

• Getting single "generic" WLS 4.5.1 app to serve multiple DNS names, including SSL

  Hi everybody,
  I am trying to figure out a strategy to enable a single web application
  based on WLS 4.5.1 (SP13) running on Linux to serve multiple DNS
  names, with some specific pages to be transmitted using SSL.
  While the JSP pages differ in colouring and screen layout (but not in
  logic),
  the entire EJB business logic is identical for all DNS names. So are the
  servlets.
  The application data to be presented to the user can easily be mapped,
  and presently (with the application responding to a single DNS name)
  it is cached using a JNDI tree. To minimize coding effort, and
  to continue utilizing the present caching concept, only expanding it to
  support
  multiple similar "virtual" applications, I would prefer to
  continue using a single WLS instance when making the application "generic".
  But as a consequence of this, I could only present a single SSL certificate
  to the user if I had WLS answer internet HTTP requests directly.
  What would you think should be done to get the browsers
  "display the closed padlock while in the order form" for multiple DNS names
  served by this same application instance?
  One approach might be to put Apache in front of WLS, and configure it
  to serve multiple virtual hosts (one for each DNS name to be served,
  encoding the differences between the request URLs somehow in the ServerPath
  directive, and providing a separate SSL certificate for each of those
  virtual
  hosts).
  Does this make sense to you? Any experience in this area? Which Apache
  and WL modules should I be using - which combination
  of mod_proxy, mod_ssl (by Apache), mod_wl, mod_wl_ssl[_raven] ?
  Any input would be greatly appreciated! Thanks in advance!
  Ruben
  [A minor add-on question is: Is the situation truly different with
  WLS 6.0? I understand it supports virtual hosting on its own. Can multiple
  (web) applications running under a single common WLS "umbrella" server
  instance share the same application data? I would expect so - is this true?]

  Ruben, I can't help you with the specifics of the configuration but your
  general strategy seems correct to me. WLS does not handle multiple certs
  and one must front it with a Web server if multiple certs are required.
  Neil Smithline
  WLS Security Team
  BEA Systems
  "Ruben-B Reincke" <[email protected]> wrote in message
  news:[email protected]...
  Hi everybody,
  I am trying to figure out a strategy to enable a single web application
  based on WLS 4.5.1 (SP13) running on Linux to serve multiple DNS
  names, with some specific pages to be transmitted using SSL.
  While the JSP pages differ in colouring and screen layout (but not in
  logic),
  the entire EJB business logic is identical for all DNS names. So are the
  servlets.
  The application data to be presented to the user can easily be mapped,
  and presently (with the application responding to a single DNS name)
  it is cached using a JNDI tree. To minimize coding effort, and
  to continue utilizing the present caching concept, only expanding it to
  support
  multiple similar "virtual" applications, I would prefer to
  continue using a single WLS instance when making the application"generic".
  >
  But as a consequence of this, I could only present a single SSLcertificate
  to the user if I had WLS answer internet HTTP requests directly.
  What would you think should be done to get the browsers
  "display the closed padlock while in the order form" for multiple DNSnames
  served by this same application instance?
  One approach might be to put Apache in front of WLS, and configure it
  to serve multiple virtual hosts (one for each DNS name to be served,
  encoding the differences between the request URLs somehow in theServerPath
  directive, and providing a separate SSL certificate for each of those
  virtual
  hosts).
  Does this make sense to you? Any experience in this area? Which Apache
  and WL modules should I be using - which combination
  of mod_proxy, mod_ssl (by Apache), mod_wl, mod_wl_ssl[_raven] ?
  Any input would be greatly appreciated! Thanks in advance!
  Ruben
  [A minor add-on question is: Is the situation truly different with
  WLS 6.0? I understand it supports virtual hosting on its own. Can multiple
  (web) applications running under a single common WLS "umbrella" server
  instance share the same application data? I would expect so - is this
  true?

• Using Mac Mini server, DNS, static IP, and external domain name

  Greetings!
  I need to know the direction to take in order to use my domain name for the great features offered in the mac mini server, while having local and public access to my server with security.
  I am trying to do the following on my new mac mini server:
  -Set up DNS (myserver.private)
  I have a static IP I want to use for all this with my ISP
  -ftp access
  -ichat ([email protected])
  -email ([email protected])
  -ical etc. ([email protected])
  -my work website(mydomain.com) with public access!
  -host websites(other domains)
  I need to know the direction to take in order to use my domain name for these features. I have a domain name with godaddy, and I am happy with keeping it with them, however, how to I make my external domain name work on my private server with public access is the question?
  Thank you,
  Daniel G

  [Read this|http://labs.hoffmanlabs.com/node/1436] as a start; you're basically going to decide if you want to use NAT or not; if you have enough public static IP addresses to avoid the disaster that's NAT. If you want to use NAT (and few reasonable folks want to, but sometimes we have to), then you get to run your own DNS services internally, and establish public DNS and power-forwarding at a (preferably server-grade) firewall. With NAT, you end up with split DNS, and that's covered in the cited document.
  ps: it's easier to [use sftp|http://labs.hoffmanlabs.com/node/942]; while that shares three letters with ftp, it avoids most of the problems of ftp.

• Clients fail to resolve local DNS names, external names working fine

  Hi there,
  I've a strange issue with a couple of domain joined computers. Resolving internal and external host names works fine with nslookup. But clients loose AD connectivity because they can't resolve host names from the local DNS zones outside of nslookup.
  Pinging IP addresses always works.
  So far only notebook computers are affected. Desktop computers work fine. OS is Windows 7/8/8.1 for clients and Windows Server 2008 R2/2012 for AD DCs/DNS servers.
  Example:
  C:\>nslookup bl-sphv00
  Server:  bl-spdc01.bl.local
  Address:  192.168.154.21
  Name:    bl-sphv00.bl.local
  Address:  192.168.154.10
  C:\>ping bl-sphv00
  Ping request could not find host bl-sphv00. Please check the name and try again.
  C:\>ping bl-sphv00.bl.local
  Ping request could not find host bl-sphv00.bl.local. Please check the name and t
  ry again.
  C:\>ping 192.168.154.10
  Pinging 192.168.154.10 with 32 bytes of data:
  Reply from 192.168.154.10: bytes=32 time=52ms TTL=128
  Reply from 192.168.154.10: bytes=32 time=51ms TTL=128
  Reply from 192.168.154.10: bytes=32 time=52ms TTL=128
  Any help appreciated.
  Thanks a lot.
  Te.Be.

  Hi there,
  a Microsoft support guy send me a solution earlier posted under 
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/f49b8398-d923-4e7e-86e7-78094113c091/problems-with-dns-and-ad?forum=winservergen
  To get the client work again you just have to delete a few registry keys set by DirectAccess GPOs using this little batch:
  @echo off
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig" /f
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnectivity" /f
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\Tcpip" /f
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant\DTEs" /f
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant\Probes" /f
  reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v SMB1NATCompatibilityLevel /f
  Unfortunately this breaks the clients DirectAccess configuration and leaves me without a real solution. Found some hints here:
  http://blogs.technet.com/b/tomshinder/archive/2010/03/13/uag-directaccess-group-policy-assignment-make-sure-the-right-policies-are-applied.aspx
  So my question is now: How do i have to edit the wizard generated DirectAccess GPOs correctly?
  Anyone any idea?

• Xcelcius hyperlinks not working properly with DNS name

  Hello,
  we have the following environment:
  BOE XI 3.1 on win2003 server
  Tomcat and IIS
  ISA 2006 server for external access from internet
  SSL on ISA server for login
  WinAD SSO (also external from ISA form)
  DNS for internal usage (instead of the actual BO server name and port)
  the ISA listener has the exact same name as the DNS entry, so both internal as external we can use the same URL.
  this is working fine until we access a "menu" in xcelcius.
  from this menu we can select 4 different xcelcius dashboards, but when clicking on any of the links, we get an error:
  an error has occurred: error with attempt to view document
  we don't have SSL enabled on the BO server itself, only on the ISA server.
  the hyperlinks are valid, and we've tried both relative and absolute paths to our BO server
  strange thing is, that is DOES work when we use the hostname URL for BO instead of the DNS name.
  does anyone knows how to resolve this?
  thanks in advance.
  Edited by: D. Osseweijer on Jan 6, 2010 10:04 AM

  excluded the possibility that this has anything to do with SSL config.
  we had a SSL certificate on the BO server, but removed this, so that we only can use http traffic on BO server.
  when i have a look at the logfiles, i see the following error:
  .\infosessionmgr.cpp:959: TraceLog message 1
  2010/01/06 13:55:37.090|>>|A| |11832| 196| |||||||||||||||assert failure: (.\infosessionmgr.cpp:959). (false : Couldn't get token).
  this happens everytime just after reproducing the error.
  already tried some things mentioned in other topics, but to no avail.
  we use WinAD SSO .NET Kerberos.
  also enabled SSO for PlatformServices and OpenDocument (which is used in the hyperlinks)
  does the error about the token could cause the problem with the hyperlink ?
  i can only open the child dashboard with the hostname of the BO-server in de URL, not with the DNS alias.

• I have an old external drive with a firewall connection-How do I use this on my Mac with it's USB3 ports?

  I have an old external drive with a firewall connection-How do I use this on my Mac with it's USB3 ports?

  Does your Mac have ThunderBolt ports?
  There are ThunderBolt to FireWire adapters.
  As far as I know there are no FireWire to USB 3 adapters.
  Allan

• Problem with external domain name and hosting

  Hi I have my own domain name and hosting plan I want to use. However, I have trouble pointing my site from BC to my server.
  I found the following information but in my case "create A-Records" is not available on the "Site Domains". Please advise.
  Thanks.
  Bonbon668
  Point externally hosted domains to your Business Catalyst site
  If you have chosen to use external DNS service for your domain name, create A-Records for both the www and non-www versions of your domain name. Then, point them to your site, which resides on one of the following IP addresses:

  Hi
  Can you please confirm that there is no “Create A records” option under “More Actions” ?

• ICal Server external Email Invitations Not working for names with umlauts!!

  Hi,
  I was testing external email invitations with iCal Server on Lion Server and encountered that if a Name that can Be resolved via iPhone or mac addressbook or even the sending iCal Account contains an umlaut something like this show up in iCal Server error log:
  2011-09-26 17:01:18+0200 [-] [mailgateway] 2011-09-26 17:01:18+0200 [-] [twext.web2.server#error] [Failure instance: Traceback: <type 'exceptions.UnicodeDecodeError'>: 'ascii' codec can't decode byte 0xc3 in position 90: ordinal not in range(128)
  2011-09-26 17:01:18+0200 [-] [mailgateway]      /System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python /twisted/internet/defer.py:388:errback
  2011-09-26 17:01:18+0200 [-] [mailgateway]      /System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python /twisted/internet/defer.py:455:_startRunCallbacks
  2011-09-26 17:01:18+0200 [-] [mailgateway]      /System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python /twisted/internet/defer.py:542:_runCallbacks
  2011-09-26 17:01:18+0200 [-] [mailgateway]      /System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python /twisted/internet/defer.py:1076:gotResult
  2011-09-26 17:01:18+0200 [-] [mailgateway]      --- <exception caught here> ---
  2011-09-26 17:01:18+0200 [-] [mailgateway]      /System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python /twisted/internet/defer.py:1018:_inlineCallbacks
  2011-09-26 17:01:18+0200 [-] [mailgateway]      /System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python /twisted/python/failure.py:350:throwExceptionIntoGenerator
  2011-09-26 17:01:18+0200 [-] [mailgateway]      /usr/share/caldavd/lib/python/twistedcaldav/resource.py:310:renderHTTP
  2011-09-26 17:01:18+0200 [-] [mailgateway]      /System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python /twisted/internet/defer.py:1018:_inlineCallbacks
  2011-09-26 17:01:18+0200 [-] [mailgateway]      /System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python /twisted/python/failure.py:350:throwExceptionIntoGenerator
  2011-09-26 17:01:18+0200 [-] [mailgateway]      /usr/share/caldavd/lib/python/twext/web2/static.py:127:renderHTTP
  2011-09-26 17:01:18+0200 [-] [mailgateway]      /System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python /twisted/internet/defer.py:1018:_inlineCallbacks
  2011-09-26 17:01:18+0200 [-] [mailgateway]      /System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python /twisted/python/failure.py:350:throwExceptionIntoGenerator
  2011-09-26 17:01:18+0200 [-] [mailgateway]      /usr/share/caldavd/lib/python/twext/web2/resource.py:109:renderHTTP
  2011-09-26 17:01:18+0200 [-] [mailgateway]      /System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python /twisted/internet/defer.py:1020:_inlineCallbacks
  2011-09-26 17:01:18+0200 [-] [mailgateway]      /usr/share/caldavd/lib/python/twistedcaldav/mail.py:334:http_POST
  2011-09-26 17:01:18+0200 [-] [mailgateway]      /usr/share/caldavd/lib/python/twistedcaldav/mail.py:958:outbound
  2011-09-26 17:01:18+0200 [-] [mailgateway]      /usr/share/caldavd/lib/python/twistedcaldav/mail.py:1199:generateEmail
  2011-09-26 17:01:18+0200 [-] [mailgateway]      ]
  2011-09-26 17:01:18+0200 [-] [caldav-1]  [AuthorizedHTTPGetter,client] [twistedcaldav.scheduling.imip#error] Could not do server-to-imip request : <twistedcaldav.scheduling.imip.ScheduleViaIMip object at 0x103c65ed0> 500 Internal Server Error
  2011-09-26 17:01:18+0200 [-] [caldav-1]  [AuthorizedHTTPGetter,client] [twistedcaldav.scheduling.scheduler.ScheduleResponseQueue#error] Error during PUT for mailto:someemailaddress@yourdomain: iMIP request failed
  And No Email is send!
  If changing the Umlaut ü to something like ue in the Sender or Receiver Name everything is alright!
  Thank you Apple for obviously Not testing Lion Server for international use :-/
  Maybe this help someone else who is using umlauts with iCal Server external Email invitations
  Regards
  Eldrik

  Hello Daryn,
  Thinks for commenting. I am very upset that Apple just said "No" when I asked for this to be fixed. There appears to be no way to submit this as an official bug that keeps ical from running.
  Apple actually had me reinstall my whole server and the issue was still there and then they just said "Oh, well I will email someone about it.".
  This is the first time Apple has stunk it up in my books. This is bad support for Server.
  Brad

• NME-NAM with Cisco Prime 5.1.2 and IOS Firewall

  Hello,
  I have installed and configured the Cisco NME-NAM with Prime 5.1.2 and have access to the NAM via a web browser. It is not picking up any data even though I havew configured the following:
  internal data source
  network site 10.10.16.0/20
  All reports show "No data for selected time interval"
  I am running IOS 15.1 on a 2811 with IOS firewall enabled.
  Do I need to create a FW rule to allow traffic to be monitored by the NME-NAM?
  Thank you,
  Matthew

  Hi rajeeshp,
  Currently I am not allowed to upgrade it because of internal procedures involved in upgrading a specific piece of software (obtaining permissions from various departments). Is it free to upgrade from 1.2 to 1.3 or there is a specific charge for that.
  Predrag Petrovic

• Skype installed. Icon in Apps folder. Login ok... Skype logo, my name with "logout" next to it. Stopped right there. "check network connections".Skype guy said firewall must allow but FW is not even turned on. Have Airport router.

  Skype installed. Icon in Apps folder. Login ok... Skype logo, my name with "logout" next to it. Stopped right there. "check network connections". Skype guy said firewall must allow but firewall is not even turned on. Have Airport router.
  How do I allow Skype to get past network?

  You make no mention of which OS you are using.  The following are Yosemite instructions:
  System Preferences>Security & Privacy>Firewall>Unlock the padlock.
  Click on the Firewall Options button.
  Click the + (plus) button & do the necessary to add Skyp & to allow incoming connections.  When done, click the OK button & lock the padlock.
  Restart your computer.  Report back the results.

• Communicate with cRIO when IP Address and DNS Name changes over Network Variables

  I am developing a LabVIEW software for an European Project using cRIO-9074 and RT Application Reployment to update all cRIO devices with the last version.
  To communicate with the cRIO devices I have also developed some applications that are outside cRIO on LabVIEW Project that uses Network Variables to Read/Write to the devices.
  When I am developing the software, everything works just fine because the LabVIEW Project knows the IP Address on my cRIO device. However, when I use RTAD to install the software and then my applications outside the LabVIEW Project, the aplications are, not always able to find the device when the IP address changes.
  I have tried to replace the IP Address with the DNS Name but no success. When I change the router that is connected to the cRIO, the DNS Name also changes.
  With this, my question is how can I solve this sistematic problem? Should I change any configuration on MAX, in LabVIEW Project and/or in the applications to be able to always find the cRIO? Is it possible to have a field on the application to insert the IP Address of the device to connect? If yes, how can I do this?
  Best regards,

  Quintino,
  You can programatically open connecitons to Shared Variables.  This allows you to decide at runtime the IP address, lib name and SV name you wish to connect to.  I've attached a vi snippet the demonstrats an Action Engine to handle the connection to a SV named "Parameters".
  I normally store the cRIO_Settings in a .INI file that is easy to modify. 
  Attachments:
  SV Example.png ‏45 KB

• Error cannot connect to server or DNS name when working with the SRDemo

  I receive the error cannot connect to server or Dns name when trying to
  display the SRlist.jspx page in the SRDemo. I am using the embedded OC4J server . I tried to using the debugger to trouble shoot the problem but I did not get any information that was useful. The url I am using is http://localhost:8989/SRDemo-UserInterface-context-root/faces/app/SRlist.jspx I also tried using the IP address that didn't work . I really need to get through this demo.

  What about using:
  http://127.0.0.1:8989/SRDemo-UserInterface-context-root/faces/app/SRlist.jspx
  Or disabling any proxy settings your browser might have?

• External DNS server not replicating records to secondary after migration from 2003 to 2012

  Hi
  I have a query relating to 2012 Server and DNS.
  Last week we de-commissioned our primary external DNS server (Windows 2003 Server) and moved the role over to a new Windows 2012 server.
  Since this point replication to our secondary server (3rd party hosted) does not seem to occur and our DNS records seem to have expired on the secondary server as we cannot look these up via nslookup.
  I cannot see any failures in the event log of the server; I have checked our external firewall logs and nothing is being blocked inbound/ outbound as far as I can see. And the server’s local firewall has been disabled.
  The server is a standalone server in a workgroup with a standard filebased primary zone, with no AD integration and recursion disabled.
  When I created the zone I copied the .dns file from the old server and selected this in the interface during the creation of the zone on the new server.  The new server has the same internal and external IP as the old server and the old server is off-line.
  I have also manually increased the serial number of the zone and still no joy.
  One thing that I have noticed is when I open the zones properties/Name Servers and click edit on the external nameserver I get the infamous "The server with this IP address is not authoritative for the required zone" error.
  Any help Would be appreciated, thanks in advance

  Nice to hear that you are close in finding the problem. So in short:
  You have enabled Zone transfers in DNS management console for the applicable zone
  You have verified that your DNS is listening to the correct interfaces
  You have enabled firewall rules to accept TCP and UDP traffic to port 53
  You have checked if "BIND secondaries" option is applicable to your case
  You have initiated a zone transfer from the secondary server
  Lefteris Karafilis 
  MCSE, MCTS, SEC+ 
  LinkedIn: http://www.linkedin.com/in/lkarafilis 
  Mail: [email protected] 
  Blog: http://www.karafilis.net