Icmp redirects best practice

Similar Messages

• Flash Lite Server Redirect - best practice?

  Hey all,
  I work in a small creative department in Japan, and we are
  starting to take orders for mobile Flash apps. We have, until
  recently, only done inline Flash movies, but I've been put in
  charge of our first full-Flash app. The only thing I'm not clear on
  is this: How should I implement the switch on the server side that
  a) redirects people trying to get to the content from a PC to a PC
  page; and b) keeps people from being able to access the content
  directly so they can download and decompile the Flash file?
  Capcom, for example, is doing an excellent job at this, and
  even if I spoof the server with a mobile user-agent, I still can't
  get the mobile content to come up on my PC.
  Anyway, I was hoping maybe somebody would know something
  about this and would be able to advise on best practices: PHP?
  .htaccess? JavaScript redirects? Also how do you hide the content
  (no need to type up an example script - but what are the key
  parameters that I should be testing against)?
  Thanks in advance!
  Ryoma

  Kunerilite is free, but you can install only one sis
  application at a time, for the Basic version.
  Yeah, it does have plugins, etc, but then comes the pain,
  register at symbiansigned, UID, etc.
  For the simple choice and for a quick sis, nothing fancy,
  swf2go might be good.
  At least this is my initial thought. Haven't tested
  yet.

• Best Practices for configuring ICMP from the outside

  Question,
  Are there any best practices or best recommendations on how ICMP should be configured from the outside? I have been cleaning up the rules on our ASA as a lot were simply ported over years ago when we retired our PIX. I noticed that there is a rule to allow ICMP any any and began to wonder how this works when the rules above are specific IP addresses and specific ports. This in thurn started me looking to see if there was any documentation or anything to help me determine a best practice. Anyone know of anything?
  As a second part how does this flow on a firewall if all the addresses are natted? It the ICMP traffic simply passed through the NAT and the destiantion simply responds?
  Brent                   

  Here you go, bro!
  http://checkthenetwork.com/networksecurity%20Cisco%20ASA%20Firewall%20Best%20Practices%20for%20Firewall%20Deployment%201.asp#_Toc218778855
  access-list inside permit icmp any any echo
  access-list inside permit icmp any any echo-reply
  access-list inside permit icmp any any unreachable
  access-list inside permit icmp any any time-exceeded
  access-list inside permit icmp any any packets-too-big
  access-list inside permit udp any any eq 33434 33464
  access-list deny icmp any any log
  P/S: if you think this comment is useful, please do rate them nicely :-)

• ICMP Best Practices for Firewall

  Hello,
  Is there a such Cisco documentation for ICMP best practices for firewall?
  Thanks

  Hello Joe,
  I havent look for such a document but what I can tell you is the following?
  ICMP is a protocol that let us troubleshoot or test whether IP routing is good on our network or if a host is live on our network so I can tell you that from that perspective this is definetly something good (Not to mention some of the other good usage that we can provide to this protocol such for PATH MTU Discovery, etc).
  But you also have to be careful with this protocol as we all know it's also used to scan or discover hosts on our network.. Even to perform DoS attacks (Smurf attack, etc).
  So what's the whole point of this post:
  Well at least on my opinion I would allow ICMP on my network but I would definetly permit only the right ICMP code messages and I would protect my network against any known vulnerability regarding DoS attacks with ICMP, In this case I will still take advantage of the really useful protocol while protecting my enviroment,
  Hope that I could help
  For Networking Posts check my blog at http://laguiadelnetworking.com/
  Cheers,
  Julio Carvajal Segura

• Best Practices for Integrating UC-5x0's with SBS 2003/8?

  Almost all of Cisco's SBCS market is the small and medium business space.  Most, if not all of these SMB's have a Microsoft Small Business Server 2003 or 2008. It will be critical, In order for Cisco to be considered as a purchase option, that the UC-5x0 integrates well into these networks.
  To that end, I see a  lot of talk here about how to implement parts and pieces of this, but no guidance from Cisco, no labs and no best practices or other documentation. If I am wrong, please correct me.
  I am currently stumbling through and validating these configurations myself, Once complete, I will post detailed recommendations. However, it would have been nice to have a lab to follow instead of having to learn from each mistake.
  Some of the challanges include;
  1. Where should the UC-540 be placed: As the gateway for QOS or behind a validated UC-5x0 router/security appliance combination
  2. Should the Microsoft Windows Small Business Server handle DCHP (as Microsoft's documentation says it must), or must the UC-540 handle DHCP to prevent loss of features? What about a DHCP relay scheme?
  3. Which device should handle DNS?
  My documentation (and I recommend that any Cisco Lab/Best Practice guidence include it as well) will assume the following real-world scenario, the same which applies to a majority of my SMB clients;
  1. A UC-540 device utilizing SIP for the cost savings
  2. High Speed Internet with 5 static routable IP addresses
  3. An existing Microsoft Small Business Server 2003/8
  4. An additional Line of Business Application or Terminal Server that utilizes the same ports (i.e. TCP 80/443/3389) as the UC-540 and the SBS, but on seperate routable IP's (Making up crazy non-standard port redirections is not an option).
  5. A employee who teleworks from various places that provide a seat and a network jack, which is not under our control (i.e. a employees home, a clients' office, or a telework center). This teleworker should use the built in VPN feature within the SPA or 7925G phones because we will not have administrative access to any third party's VPN/firewall.
  Your thoughs appreciated.

  Progress Report;
  The following changes have been made to the router in support of the previously detailed scenario. Everything appears to be working as intended.
  DHCP is still on the UC540 for now. DNS is being performed by the SBS 2008.
  Interestingly, the CCA still works. The NAT module even shows all the private mapped IP's, but no the corresponding public IP's. I wouldnt recommend trying to make any changes via the CCA in the NAT module.  
  To review, this configuration assumes the following;
  1. The UC540 has a public IP address of 4.2.2.2
  2. A Microsoft Small Business Server 2008 using an internal IP of 192.168.10.10 has an external IP of 4.2.2.3.
  3. A third line of business application server with www, https and RDP that has an internal IP of 192.168.10.11 and an external IP of 4.2.2.4
  First, backup your current configuration via the CCA,
  Next, telent into the UC540, login, edit, cut and paste the following to 1:1 NAT the 2 additional public IP addresses;
  ip nat inside source static tcp 192.168.10.10 25 4.2.2.3 25 extendable
  ip nat inside source static tcp 192.168.10.10 80 4.2.2.3 80 extendable
  ip nat inside source static tcp 192.168.10.10 443 4.2.2.3 443 extendable
  ip nat inside source static tcp 192.168.10.10 987 4.2.2.3 987 extendable
  ip nat inside source static tcp 192.168.10.10 1723 4.2.2.3 1723 extendable
  ip nat inside source static tcp 192.168.10.10 3389 4.2.2.3 3389 extendable
  ip nat inside source static tcp 192.168.10.11 80 4.2.2.4 80 extendable
  ip nat inside source static tcp 192.168.10.11 443 4.2.2.4 443 extendable
  ip nat inside source static tcp 192.168.10.11 3389 4.2.2.4 3389 extendable
  Next, you will need to amend your UC540's default ACL.
  First, copy what you have existing as I have done below (in bold), and paste them into a notepad.
  Then, im told the best practice is to delete the entire existing list first, finally adding the new rules back, along with the addition of rules for your SBS an LOB server (mine in bold) as follows;
  int fas 0/0
  no ip access-group 104 in
  no access-list 104
  access-list 104 remark auto generated by SDM firewall configuration##NO_ACES_24##
  access-list 104 remark SDM_ACL Category=1
  access-list 104 permit tcp any host 4.2.2.3 eq 25 log
  access-list 104 permit tcp any host 4.2.2.3 eq 80 log
  access-list 104 permit tcp any host 4.2.2.3 eq 443 log
  access-list 104 permit tcp any host 4.2.2.3 eq 987 log
  access-list 104 permit tcp any host 4.2.2.3 eq 1723 log
  access-list 104 permit tcp any host 4.2.2.3.35 eq 3389 log 
  access-list 104 permit tcp any host 4.2.2.4 eq 80 log
  access-list 104 permit tcp any host 4.2.2.4 eq 443 log
  access-list 104 permit tcp any host 4.2.2.4 eq 3389 log
  access-list 104 permit udp host 116.170.98.142 eq 5060 any
  access-list 104 permit udp host 116.170.98.143 any eq 5060
  access-list 104 deny   ip 10.1.10.0 0.0.0.3 any
  access-list 104 deny   ip 10.1.1.0 0.0.0.255 any
  access-list 104 deny   ip 192.168.10.0 0.0.0.255 any
  access-list 104 permit udp host 116.170.98.142 eq domain any
  access-list 104 permit udp host 116.170.98.143 eq domain any
  access-list 104 permit icmp any host 4.2.2.2 echo-reply
  access-list 104 permit icmp any host 4.2.2.2 time-exceeded
  access-list 104 permit icmp any host 4.2.2.2 unreachable
  access-list 104 permit udp host 192.168.10.1 eq 5060 any
  access-list 104 permit udp host 192.168.10.1 any eq 5060
  access-list 104 permit udp any any range 16384 32767
  access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
  access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
  access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
  access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
  access-list 104 deny   ip host 255.255.255.255 any
  access-list 104 deny   ip host 0.0.0.0 any
  access-list 104 deny   ip any any log
  int fas 0/0
  ip access-group 104 in
  Lastly, save to memory
  wr mem
  One final note - if you need to use the Microsoft Windows VPN client from a workstation behind the UC540 to connect to a VPN server outside your network, and you were getting Error 721 and/or Error 800...you will need to use the following commands to add to ACL 104;
  (config)#ip access-list extended 104
  (config-ext-nacl)#7 permit gre any any
  Im hoping there may be a better way to allowing VPN clients on the LAN with a much more specific and limited rule. I will update this post with that info when and if I discover one.
  Thanks to Vijay in Cisco Tac for the guidence.

• Printing best practices

  I've been asking a bunch of questions recently on TS printing and realize that I should just start from scratch. Since I'm not sure what best practices are for this environment, I would like to get everyone's opinion. 
  This environment:
  20 Server 2008 R2 TS' and approximately 200 fat clients (mixed XP and 7). Currently, all network printers are installed on each TS individually (not shared). We also have about 10 USB printers that redirect. Our network printers are set up on 5 different local
  servers since we have multiple locations. We print both from local desktops and terminal servers.
  What we need is for all network printers to be on each server like they are currently but I'd like to eliminate the need to manage each one on each and every server whenever there is a change. Our current environment was set up by previous IT personnel and
  I'm not sure if it's optimal
  I understand there are multiple ways to deploy printers but I don't know what is best for our environment. I've tried Print Management but I need to be able to set preferences. I've tried GPP in Computer Configuration but it doesn't seem to work (possibly because
  of the current set up). I would like to know how others would manage the printers in this environment, even if I need to delete everything and start over. I am also inexperienced with servers and group policy so I will ask follow up questions to most responses.
  Sorry in advance!
  Edit:To be more clear about my scope of knowledge- I know where the Active Directory and Group Policy Management reside. I have modified existing group policies
  but not made new ones. Since all of our changes always apply to all users/terminal servers/roaming profiles, I've never needed to create OU's or use any kind of item-level targeting so I am not familiar with those.
  Also, I would greatly appreciate not being redirected to another site/forum for answers. I've read hundreds
  and am getting mixed responses since I'm not sure what is appropriate for this particular environment. That and because I need layman's terms :) Thank you!

  Hey Lynnette
  I read through some of the other questions you were asking. 
  Deployed Printers from Print Management is only for adding printer connections, it's not for adding local printers and Deployed Printers does not support setting a default printer.
  Group Policy Preferences supports adding local printers and connections.  It can be used to set the default but not sure if that's for connections or local printers.
  If the end result is to have the same configuration of local printers on multiple machines, I suggest using \windows\system32\spool\tools\PrintBRM.exe to backup the local printers from your Primary machine, then restore to all the other targets. 
  You can create a scheduled task to perform the backup and restores.
  If you are looking to add printer connections in the "Computer" context (all users logging on will get the connection to the shared printer), you can achieve this using the local machine policy or using a domain policy that only applies to a specific
  set of computers.  But once again no default is set but it's fairly easy to set the default with printui.exe or prnmngr.vbs both included with the operating system.
  Alan Morris Windows Printing Team

• Looking for Some Examples / Best Practices on User Profile Customization in RDS 2012 R2

  We're currently running RDS on Windows 2008 R2. We're controlling user's Desktops largely with Group Policy. We're using Folder Redirection to configure their Start Menus as well.
  We've installed a Server 2012 R2 RDS box and all the applications that users will need. Should we follow the same customization steps for 2012 R2 that we used in 2012 R2? I would love to see some articles on someone who has customized a user profile/Desktop
  in 2012 R2 to see what's possible.
  Orange County District Attorney

  Hi Sandy,
  Here are some related articles below for you:
  Easier User Data Management with User Profile Disks in Windows Server 2012
  http://blogs.msdn.com/b/rds/archive/2012/11/13/easier-user-data-management-with-user-profile-disks-in-windows-server-2012.aspx
  User Profile Best Practices
  http://social.technet.microsoft.com/wiki/contents/articles/15871.user-profile-best-practices.aspx
  Since you want to customize user profile, here is another blog for you:
  Customizing Default users profile using CopyProfile
  http://blogs.technet.com/b/askcore/archive/2010/07/28/customizing-default-users-profile-using-copyprofile.aspx
  Best Regards,
  Amy
  Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
  [email protected]

• Best practice with WCCP flows for WAAS

  Hi,
  I have a WAAS SRE 910 module in a 2911 router that intercepts packets from this router with WCCP.
  All packets are received by external interface (gi 2/0, connected to a switch with port configured in WCCP vlan), and are sent back to the router via internal interface (gi 1/0 directly connected to the router) :
  WAAS# sh interface gi 1/0
  Internet Address                    : 10.0.1.1
  Netmask                             : 255.255.255.0
  Admin State                         : Up
  Operation State                     : Running
  Maximum Transfer Unit Size          : 1500
  Input Errors                        : 0
  Input Packets Dropped               : 0
  Packets Received                    : 20631
  Output Errors                       : 0
  Output Packets Dropped              : 0
  Load Interval                       : 30
  Input Throughput                    : 239 bits/sec, 0 packets/sec
  Output Throughput                   : 3270892 bits/sec, 592 packets/sec
  Packets Sent                        : 110062
  Auto-negotiation                    : On
  Full Duplex                         : Yes
  Speed                               : 1000 Mbps
  WAAS# sh interface gi 2/0
  Internet Address                    : 10.0.2.1
  Netmask                             : 255.255.255.0
  Admin State                         : Up
  Operation State                     : Running
  Maximum Transfer Unit Size          : 1500
  Input Errors                        : 0
  Input Packets Dropped               : 0
  Packets Received                    : 86558
  Output Errors                       : 0
  Output Packets Dropped              : 0
  Load Interval                       : 30
  Input Throughput                    : 2519130 bits/sec, 579 packets/sec
  Output Throughput                   : 3431 bits/sec, 2 packets/sec
  Packets Sent                        : 1580
  Auto-negotiation                    : On
  Full Duplex                         : Yes
  Speed                               : 100 Mbps
  The default route configured in WAAS module is 0.0.0.0/0 to 10.0.1.254 (router interface).
  Would it be better that packets leave WAAS module by the external interface (in place of the internal interface) ?
  Is there a best practice recommended by Cisco on this ?
  Thanks.
  Stéphane

  Hi Stephane,
  We usually advise the following in such scenario with an internal module:
  "ip wccp 61 redirect in" the LAN interface.
  "ip wccp 61 redirect in" on the WAN one.
  "ip wccp redirect exclude in" on the internal interface between the WAAS and the router.
  That way, we are sure that no loops are created because of the WCCP redirection.
  Regards,
  Nicolas

• Sessions and Controllers best-practice in JSF2

  Hi,
  I've not done web development work since last using Apache Struts for its MVC framework ( about 6 years ago now ). So bear with me if my questions does not make sense:
  SESSIONS
  1) Reading through the JSF2 spec PDF, it mentions about state-saving via the StateManager. I presume this is also the same StateManager that it used to store managed-beans that are in @SessionScoped ?
  2) In relation to session-scoped managed beans, when does a JSF implementation starts a new session ? That is, when does the implementation such as Mojarra call ExternalContext.getSession( true ) .. and when does it simply uses an existing session ( calling ExternalContext.getSession( false ) ) ?
  3) In relation to session-scoped managed beans, when does a JSF implementation invalidate a session ? That is, when does the implementation call ExternalContext.invalidateSession() ?
  4) Does ExternalContext.getSession( true ) or ExternalContext.invalidateSession() even make sense if the state-saving mechanism is client ? ( javax.faces.STATE_SAVING_METHOD = client ) Will the JSF implementation ever call these methods if the state-saving mechanism is client ?
  CONTROLLERS
  Most of the JSF2 tutorials that I have been reading on-line uses the same backing-bean when perfoming an action on the form ( when doing a POST or a GET or a post-back to the same page ).
  Is this best practice ? It looks like mixing what should have been a simple POJO with additional logic that should really be in a separate class.
  What have others done ?

  gimbal2 wrote:
  jmsjr wrote:
  EJP wrote:
  It's better because it ensures the bean gets instantiated, stuck in the session, which gets instantiated itself, the bean gets initialised, resource-injected, etc etc etc. Your way goes goes behind the scenes and hopes for the best, and raises complicated questions that don't really need answers.Thanks.
  1) But if I only want to check that the bean is in the session ... and I do NOT want to create an instance of the bean itself if it does not exist, then I presume I should still use ExternalApplication.getSessionMap.get(<beanName>).I can't think of a single reason why you would ever need to do that. Checking if a property of a bean in the session is populated however is far more reasonable to me.In my case, there is an external application ( e.g. a workflow system from a vendor ) that will open a page in the JSF webapp.
  The user is already authenticated in the workflow system, and the external system from the vendor sends along the username and password and some parameters that define what the request is about ( e.g. whether to start a new case, or open an existing case ). There will be no login page in the JSF webapp as the authentication was already done externally by the workflow system.
  Basically, I was think of implementing a PhaseListener that would:
  1) Parse the request from the external system, and store the relevant username / password and other information into a bean which I store into the session.
  2) If the request parameter does not exist, then I go look for a bean in the session to see if the actual request came from within the JSF webapp itself ( e.g. if it was not triggered from the external workflow system ).
  3) If this bean does not exist at all ( e.g. It was triggered by something else other than the external workflow system that I was expecting ) then I would prefer that it would avoid all the JSF lifecycle for the current request and immediately do a redirect to a different page ( be it a static HTML, or another JSF page ).
  4) If the bean exist, then proceed with the normal JSF lifecycle.
  I could also, between [1] and [2], do a quick check to verify that the username and password is indeed valid on the external system ( they have a Java API to do that ), and if the credentials are not valid, I would also avoid all the JSF lifecycle for the current request and redirect to a different page.

• Select One Choice attribute' LoV based on two bind variables, best practice

  Hello there,
  I am in the process of learning the ADF 11g, I have following requirement,
  A page must contain a list of school names which is needed to be fetched based on two parameters, the parameters are student information been inserted in the previous page.
  I have defined a read only view "SchoolNamesViewRO", it's query depends on two bind variables :stdDegree and stdCateg.
  added that RO View as a view accessor to the entity to which the name attribute belongs, and then add LoV for the name attribute using the ReadOnly view,
  added the name attribute as Select One Choice to page2,
  and now I need to pass the values of the bind variables of the ReadOnly view,
  the information needed to be passed as the bind variables is inserted in the previous page, I could have the data as bindings attribute values in the page2 definition
  I have implemented the next two appraoches but both resulted in an empty list :
  * added ExecuteWithParams Action to the bindings of the page and then defined an Invoke Action (set refresh condition) in the executable s, set the default values of the parameters to be the attributes values' input value,
  in the trace I code see that the binding fetches correct values as supposed , but the select list appears empty, does the this execution for the query considered to be connected to the list ?
  * added a method to the ReadOnly view Imp java class to set the bind variables, then I define it as a MethodAction in the bindings , and then create an Invoke action for it , also the select is empty,
  if the query been executed with the passed variables, then why the list is empty? is it reading data from another place than the page!
  and what is the best practice to implement that requirement?
  would the solution be : by setting the default value of the bind variables to be some kind of Expression!
  please notice that query execution had the bound variables ( I see in the trace) are set to the correct values.
  would you give some hints or redirect me to a useful link,
  Thanks in advance
  Regards,

  please give me any example using backing bean .for example
  <?xml version='1.0' encoding='UTF-8'?>
  <jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="2.1"
  xmlns:f="http://java.sun.com/jsf/core"
  xmlns:h="http://java.sun.com/jsf/html"
  xmlns:af="http://xmlns.oracle.com/adf/faces/rich">
  <jsp:directive.page contentType="text/html;charset=UTF-8"/>
  <f:view>
  <af:document id="d1">
  <af:form id="f1">
  <af:selectOneChoice label="Label 1" id="soc1" binding="#{Af.l1}"
  autoSubmit="true">
  <af:selectItem label="A" value="1" id="si1"/>
  <af:selectItem label="B" value="2" id="si2"/>
  </af:selectOneChoice>
  <af:selectOneChoice label="Label 2" id="soc2" disabled="#{Af.l1=='2'}"
  partialTriggers="soc1">
  <af:selectItem label="C" value="3" id="si3"/>
  <af:selectItem label="D" value="4" id="si4"/>
  </af:selectOneChoice>
  </af:form>
  </af:document>
  </f:view>
  </jsp:root>
  package a;
  import oracle.adf.view.rich.component.rich.input.RichSelectOneChoice;
  public class A {
  private RichSelectOneChoice l1;
  public A() {
  public void setL1(RichSelectOneChoice l1) {
  this.l1 = l1;
  public RichSelectOneChoice getL1() {
  return l1;
  is there any mistake

• Best practice for database move to new disk

  Good morning,
  Hopefully this is a straight forward question/answer, but we know how these things go...
  We want to move a SQL Server Database data file (user database, not system) from the D: drive to the E: drive.
  Is there a best practice method?
  My colleague has offered "ALTER DATABASE XXXX MODIFY FILE" whilst I'm more inclined to use "sp_detach_db".
  Is there a best practice method or is it much of a muchness?
  Regards,
  Andy

  Hello,
  A quick search on MSDN blogs does not show any official statement about ALTER DATABASE – MODIFY FILE vs ATTACCH. However, you can see a huge number of article promoting and supporting
   the use of ALTER DATABASE on any scenario (replication, mirroring, snapshots, always on, SharePoint, service broker).
  http://blogs.msdn.com/b/sqlserverfaq/archive/2010/04/27/how-to-move-publication-database-and-distribution-database-to-a-different-location.aspx
  http://blogs.msdn.com/b/sqlcat/archive/2010/04/05/moving-the-transaction-log-file-of-the-mirror-database.aspx
  http://blogs.msdn.com/b/dbrowne/archive/2013/07/25/how-to-move-a-database-that-has-database-snapshots.aspx
  http://blogs.msdn.com/b/sqlserverfaq/archive/2014/02/06/how-to-move-databases-configured-for-sql-server-alwayson.aspx
  http://blogs.msdn.com/b/joaquint/archive/2011/02/08/sharepoint-and-the-importance-of-tempdb.aspx
  You cannot find the same about ATTACH. In fact, I found the following article:
  http://blogs.msdn.com/b/sqlcat/archive/2011/06/20/why-can-t-i-attach-a-database-to-sql-server-2008-r2.aspx?Redirected=true
  Hope this helps.
  Regards,
  Alberto Morillo
  SQLCoffee.com

• Best practice for nested scripting on UCCX

  Hello All!
  Newbie on scripting here and inheritted a HIGHLY customized UCCX environment.  In looking at the scripts, it seems the system integrator built out the logic for every script within every script.  That is, if one script queues calls into CSQ1 and if they are waiting for more than 2 minutes it sends them to CSQ2, it has all of the logic in that one script that the regular CSQ2 script has as well.  So that means anytime "a change" has to be made, it has to be made to the CSQ2 logic in the CSQ1 script AND the CSQ2 script as well.
  Is there a best practice for this?  I would think it would be easier to say, in the above scenario that if the caller is waiting in CSQ1 for more than 2 minutes, it shoudl redirect the call to a trigger for the application that uses CSQ2.  Thus the logic is in the respective scripts and not duplicated across the board.
  Any thoughts and experiences on how this is best accomplished and maintained would be greatly appreciated!
  Thanks!
  JG

  Yes, if all queue logic is the common for your different CSQs you can build one common script and then reference this script as a subflow from your main scripts and simply pass the CSQ name as a variable to it.  This way you avoid what you said the need to rebuild logic in several places if you need to make a global change, you simply change the one common script logic.
  HTH,please rate all helpful posts!
  Chris

• What is the best practice for full browser video to achieve the highest quality?

  I'd like to get your thoughts on the best way to deliver full-browser (scale to the size of the browser window) video. I'm skilled in the creation of the content but learning to make the most out of Flash CS5 and would love to hear what you would suggest.
  Most of the tutorials I can find on full browser/scalable video are for earlier versions of Flash; what is the best practice today? Best resolution/format for the video?
  If there is an Adobe guide to this I'm happy to eat humble pie if someone can redirect me to it; I'm using CS5 Production Premium.
  I like the full screen video effect they have on the "Sounds of pertussis" web-site; this is exactly what I'm trying to create but I'm not sure what is the best way to approach it - any hints/tips you can offer would be great?
  Thanks in advance!

  Use the little squares over your video to mask the quality. Sounds of Pertussis is not full screen video, but rather full stage. Which is easier to work with since all the controls and other assets stay on screen. You set up your html file to allow full screen. Then bring in your video (netstream or flvPlayback component) and scale that to the full size of your stage  (since in this case it's basically the background) . I made a quickie demo here. (The video is from a cheapo SD consumer camera, so pretty poor quality to start.)
  In AS3 is would look something like
  import flash.display.Loader;
  import flash.net.URLRequest;
  import flash.display.Bitmap;
  import flash.display.BitmapData;
  import flash.ui.Mouse;
  import flash.events.Event;
  import flash.events.MouseEvent;
  import flash.display.StageDisplayState;
  stage.align = StageAlign.TOP_LEFT;
  stage.scaleMode = StageScaleMode.NO_SCALE;
  // determine current stage size
  var sw:int = int(stage.stageWidth);
  var sh:int = int(stage.stageHeight);
  // load video
  var nc:NetConnection = new NetConnection();
  nc.connect(null);
  var ns:NetStream = new NetStream(nc);
  var vid:Video = new Video(656, 480); // size off video
  this.addChildAt(vid, 0);
  vid.attachNetStream(ns);
  //path to your video_file
  ns.play("content/GS.f4v"); 
  var netClient:Object = new Object();
  ns.client = netClient;
  // add listener for resizing of the stage so we can scale our assets
  stage.addEventListener(Event.RESIZE, resizeHandler);
  stage.dispatchEvent(new Event(Event.RESIZE));
  function resizeHandler(e:Event = null):void
  // determine current stage size
      var sw:int = stage.stageWidth;
      var sh:int = stage.stageHeight;
  // scale video size depending on stage size
      vid.width = sw;
      vid.height = sh;
  // Don't scale video smaller than certain size
      if (vid.height < 480)
      vid.height = 480;
      if (vid.width < 656)
      vid.width = 656;
  // choose the smaller scale property (x or y) and match the other to it so the size is proportional;
      (vid.scaleX > vid.scaleY) ? vid.scaleY = vid.scaleX : vid.scaleX = vid.scaleY;
  // add event listener for full screen button
  fullScreenStage_mc.buttonMode = true;
  fullScreenStage_mc.mouseChildren = false;
  fullScreenStage_mc.addEventListener(MouseEvent.CLICK, goFullStage, false, 0, true);
  function goFullStage(event:MouseEvent):void
      //vid.fullScreenTakeOver = false; // keeps flvPlayer component from becoming full screen if you use it instead  
      if (stage.displayState == StageDisplayState.NORMAL)
          stage.displayState=StageDisplayState.FULL_SCREEN;
      else
          stage.displayState=StageDisplayState.NORMAL;

• Best practice for Global Address?

  Good Morning,
  I am new to Cisco firewalls and would like to know what is the best practice for creating an external ip address and port into my network and then redirecting that to a specific machine.  I am thinking of using a global ip address and then only allowing this type of traffic to talk to the specific destnation and on that specific port.  Is this the correct course of action?  Or os there a better or more effecient way of allowing this process using ADSM.
  Troy
  Message was edited by: Troy Currence

  Hi,
  Basically when you are attempting to allow traffic from the external public network to some of your servers/hosts you will either use Static NAT or Static PAT
  Static NAT is when you bind a single public IP address to be used by only one internal host. This is usually the preferred option if you can spare a single public IP address for your server, meaning you probably have a small public subnet from your ISP.
  Static PAT is when you only allocate certain ports on your public IP address and map them to a local port on the host. This is usually the option when you only have a single public IP address that is configured on your ASAs external interface. Or perhaps in a situation when you just want to conserver your public IP addresses even though you might have a few of them.
  In Static NAT case you configure the Static NAT and use the interface ACL to allow the services you require.
  In Static PAT you only create a translation for a specific port/service so only connections to that port are possible. Naturally you will also have to allow those services/ports in the interface ACL just like with Static NAT.
  Again if you can spare the public IP addresses then I would go with Static NAT or if you only have a single or few IP addresses you can consider Static PAT (Port Forward) also.
  I dont personally use ASDM for configurations but can help you with the required CLI format configurations. These can actually be done through ASDM also from the Tools -> Command Line Interface menus at the top.
  Hope this helps
  - Jouni

• HTTP/HTTPS on the same ACE VIP - best practice

  I currently have a VIP representing one server farm that contains two http servers:-
  class-map match-all VIP-HTTP-xxxxx.co.uk
  2 match virtual-address 10.79.18.10 tcp eq www
  class-map match-all VIP-SSL-xxxxx.co.uk
  2 match virtual-address 10.79.18.10 tcp eq https
  I have port 80 and 443 open on the VIP and SSL termination performed on the ACE (both http servers are the same and configured for default load balancing behaviour - I've also specified port 80 for ACE to server traffic). Having 80 and 443 on the same VIP (meaning the site can be accessed via one NAT'd external IP) came from a request from the business so the site can have one domain.
  The majority of the http server(s) web content is standard http but there is a specific sub-directory of interactive forms that requires https termination.
  I have a couple of queries with regards to URL re-writes:-
  1) Is the SSL URL re-write functionality limited to just the host part of the URL or can the ACE enforce https for specific sub-directories, i.e. can the ACE intercept and re-write a URL if a user tries to go to a particular https page/directory using http (by just deleting the s from the URL within their browser)? A possible example being:-
  ssl url rewrite location "www\.cisco\.com\secure-forms"
  2) Can the ACE re-direct users back to a standard http page if they try to 'secure' their session by changing http to https within their browser (basically the opposite of the above).
  Basically as I have 80 and 443 on the same VIP I'm interested in the best practice methods of enforcing http and https content segregation using just the ACE (as opposed to having Apache doing the re-writes, etc).
  Web services functionality (in terms of SSL and URL re-writes) has traditionally fallen within the domain of a dedicated web development team (who use Apache, Tomcat, etc.) but the introduction of the ACE as a load balancing appliance that is primarily managed by the networks team but with functionality that crosses traditional team boundaries has resulted in lots of questions from web development around what functionality can be moved from Apache, etc. and onto the ACE?
  Any advice or personal experiences would be gratefully received.
  Thanks
  Matthew

  Back again!
  Could someone possibly cast their eye over the following config?
  The only bit I'm not sure on (syntactically and whether it can even be done on the ACE) is how to specify a DO NOT match regular expression, i.e. how to capture https URLs that do not match my secure pages so I can re-direct the request back to the normal http URL (class-map type http loadbalance Non-Secure_Pages). What I'd like to avoid is re-directing requests that don't need to be, i.e. re-directing all requests that don't match /secure back to http when the majority will be correctly going to a normal http URL :-
  rserver host server1
  description *** HTTP server 1 ***
  ip address 10.100.194.2
  inservice
  rserver host server2
  description *** HTTP server 2 ***
  ip address 10.100.194.3
  inservice
  rserver redirect REDIRECT_TO_HTTPS
  webhost-redirection https://www.website.co.uk/%p 302
  inservice
  rserver redirect REDIRECT_TO_HTTP
  webhost-redirection http://www.website.co.uk/%p 302
  inservice
  class-map type http loadbalance Secure_Pages
  match http url /secure.*
  class-map type http loadbalance Non-Secure_Pages
  *** DO NOT *** match http url /secure.*
  class-map match-all VIP-HTTP-website.co.uk
  2 match virtual-address 10.79.18.10 tcp eq www
  class-map match-all VIP-SSL-website.co.uk
  2 match virtual-address 10.79.18.10 tcp eq https
  policy-map type loadbalance first-match VIP-LB-HTTP-website.co.uk
  class Secure_Pages
  serverfarm REDIRECT_TO_HTTPS
  class class-default
  serverfarm serverfarm-website.co.uk
  policy-map type loadbalance first-match VIP-LB-SSL-website.co.uk
  class Non-Secure_Pages
  serverfarm REDIRECT_TO_HTTP
  class class-default
  serverfarm serverfarm-website.co.uk
  serverfarm host serverfarm-website.co.uk
  failaction purge
  rserver server1 80
  probe PING_SERVER
  probe http-website.co.uk
  inservice
  rserver server2 80
  probe PING_SERVER
  probe http-website.co.uk
  inservice
  serverfarm redirect REDIRECT_TO_HTTPS
  rserver REDIRECT_TO_HTTPS
  inservice
  serverfarm redirect REDIRECT_TO_HTTP
  rserver REDIRECT_TO_HTTP
  inservice
  many thanks