IronPort S160/ASA5510 integration - PAC file and blocking Port 80

We have successfully integrated our ASA5510 and IronPort S160 appliance with Active Directory and eDirectory.  We've configured AD to push IE settings to use the IronPort proxy.pac file.  Now we need to "Block" un-configured IE access to Port 80 traffic.
In my ASA I have a firewall exception for our WAN IP ranges (source) to any destination on ports tcp/http, tcp/https and domain. If I remove tcp/http from the exception, ALL port 80 traffic stops, including from those PCs configured to use the IronPort proxy.pac file.
So where have I gone wrong?  I want to block un-configured IE access to Port 80, forcing all users to pass through the IronPort appliance.

I hate this job. About 11:10 PM, as I was trying to get ready for bed, I had the same thought. Of course I had to test it out, so back to the VPN connection I went and added the filter permit for port 80 for the IronPort's IP address and voila, it worked. Thanks for answering my post just the same.

Similar Messages

  • Parse JavaScript '.pac' file and get proxy details using C# code

    Hi,
    I have a PAC file (a proxy auto-config (PAC) file defines how web browsers and other user agents can automatically choose the appropriate proxy server (access method) for a given URL (inbound request)).
    This PAC file contains a JavaScript function “FindProxyForURL(url, host)”. This function returns a string with one or more access method specifications. These specifications cause the user agent to use a particular proxy server or to connect directly.
    Eg:
    function FindProxyForURL(url, host) {
        // declare variable strings
        // incorrect proxy value
        var use_proxy_yes = "PROXY MyWrongServerAddress:8080";
        // correct proxy value
        // var use_proxy_yes = "PROXY MyCorrectServerAddress:8080";
        var use_proxy_no = "DIRECT";
        // we can keep adding all the URLs here for which we do not want a proxy
        if (shExpMatch(url, "*.MyWebsite.com*")) { return use_proxy_no; }
        // Proxy anything else
        return use_proxy_yes;
    }
    This method will be saved as a 'proxy.pac' file.
    From C# code I have to parse the above 'proxy.pac' file and get the proxy value that it returns based on some condition specified in the above method.
    Please someone help me understand how I can achieve the above requirement. Thanks in advance.
    Chetan Rajakumar
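    As an added example (not code from the original post), this is the step the C# question is really asking about: evaluating the posted proxy.pac outside a browser by supplying the PAC helper functions the browser normally provides, building FindProxyForURL from the PAC text, and reading back the access-method string. PAC_SOURCE is a copy of the poster's example; the helper implementations, request URLs and sample addresses are constructed here and are not taken from any browser or from the poster.

```javascript
// Added example (not from the original post): evaluate a PAC file's
// FindProxyForURL outside a browser by supplying the helper functions a
// browser normally provides. PAC_SOURCE copies the poster's example; the
// URLs, sample addresses and helper implementations are constructed here.
const PAC_SOURCE = `
function FindProxyForURL(url, host) {
    var use_proxy_yes = "PROXY MyWrongServerAddress:8080";
    var use_proxy_no = "DIRECT";
    if (shExpMatch(url, "*.MyWebsite.com*")) { return use_proxy_no; }
    return use_proxy_yes;
}`;

// shExpMatch: shell-style glob ("*" and "?") anchored over the whole string,
// case-sensitive like the common browser implementations.
function shExpMatch(str, pattern) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// dnsDomainIs: true when host ends with the given domain suffix.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.endsWith(domain);
}

// isPlainHostName: a short intranet name with no dots.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// isInNet: IPv4 address/mask test. Anything that is not a dotted quad returns
// false instead of triggering the DNS lookup a browser would do, so that the
// evaluation stays fully offline.
function isInNet(ip, net, mask) {
  const toInt = (s) => {
    const p = s.split(".");
    if (p.length !== 4 || p.some((o) => !/^\d{1,3}$/.test(o) || Number(o) > 255)) return null;
    return p.reduce((acc, o) => acc * 256 + Number(o), 0);
  };
  const a = toInt(ip), n = toInt(net), m = toInt(mask);
  if (a === null || n === null || m === null) return false;
  return (a & m) === (n & m); // both sides truncate to 32-bit the same way
}

// Build FindProxyForURL from the PAC text with the helpers in scope and return
// the access-method string it produces for one request. The PAC text runs as
// JavaScript, so only feed this a PAC file you trust.
function evaluatePac(pacSource, url, host) {
  const helpers = { shExpMatch, dnsDomainIs, isPlainHostName, isInNet };
  const factory = new Function(...Object.keys(helpers), pacSource + "\nreturn FindProxyForURL;");
  const result = factory(...Object.values(helpers))(url, host);
  if (typeof result !== "string") throw new Error("PAC did not return a string");
  return result;
}

// Split "PROXY a:8080; SOCKS b:1080; DIRECT" into ordered access methods.
function parseAccessMethods(result) {
  return result.split(";").map((s) => s.trim()).filter(Boolean).map((entry) => {
    const [type, hostPort] = entry.split(/\s+/, 2);
    return hostPort ? { type: type.toUpperCase(), hostPort } : { type: type.toUpperCase() };
  });
}

if (typeof require !== "undefined" && require.main === module) {
  for (const u of ["http://www.MyWebsite.com/index.html", "http://intranet.example.test/"]) {
    console.log(u, "->", evaluatePac(PAC_SOURCE, u, new URL(u).hostname));
  }
}
```

    The same approach carries over to C# by hosting a JavaScript engine and registering these helpers before invoking FindProxyForURL.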

    Hi,
        The HTTP Connection created in ECC is used for retrieving the SWC components of IR, but it cannot be used by PI for posting the data to the Proxy.
    So in this case you need to provide the needed details at the XI adapter level.
    Check the blog below, which can give you an idea:
    /people/siva.maranani/blog/2005/04/03/abap-server-proxies
    Also, for the above error check the threads below:
    SLD_NO_OWN_BS
    error: SLD_NO_OWN_BS, proxy scenario
    HTH
    Rajesh
    Edited by: Rajesh on Apr 15, 2010 12:04 PM

  • STP and blocked ports

    Hi,
    I have five 3550s daisy-chained as a core hosting 2950s, where the 2950s' Gig ports are attached to different 3550s. Using IOS 12.20. No VLANs. I noticed that sometimes a blocked port connecting the 2950 and 3550 is blocked at the 3550 instead of the 2950 (G0/12). Is this normal? Thanks

    Follow the path to the root. The root port should not be constantly changing. Check if the root also changes when the root port changes. These blocking ports are known as Designated Ports. The ports on these switches with a lower-cost path to the Root are called root ports.
    Take this topology for example:
    SwA(root)
    g0/1        g0/2
     |            |
     |            |
    g0/1        g0/1
    SwB         SwC
    g0/2-------g0/2
    The drawing above shows SwA being the root, and SwB and SwC connected to one another via g0/2. SwA, being the root, will have its g0/1 and g0/2 in forwarding mode; these are called Designated Ports. Both SwB and SwC will have their g0/1 in forwarding mode; these are called root ports. Now, either SwB's or SwC's port g0/2 will be DP and the other NDP, based on which one has the lower BID. Let's say SwB has the lower BID (Bridge Priority + MAC address) than SwC. This means SwB's g0/2 will be DP and thus forwarding, and SwC's g0/2 will be NDP and blocking. The only ways this will change are if the cost of the path changes (the path to the root has changed, thus changing the cost), or if the BPDU from SwB is no longer received on SwC's g0/2, which will cause it to transition to DP and forward.

  • PAC file and ASA

    Hi everyone,
    I have a PC which has a proxy configured and I can access all the websites with it.
    Traffic goes via the firewall and Websense.
    From another PC with no proxy configured I cannot access some websites.
    The FW logs show the following when the connection is not made:
    Apr 22 2013 15:03:28: %ASA-4-507003: tcp flow from  to outside:terminated by inspection engine, reason - inspector reset unconditionally.
    Apr 22 2013 15:03:28: %ASA-6-302014: Teardown TCP connection 4984216 for outside:/443 to :/59557 duration 0:00:00 bytes 123 Flow closed by inspection
    Apr 22 2013 15:03:28: %ASA-4-507003: tcp flow from /59557 to outside:/443 terminated by inspection engine, reason - inspector reset unconditionally.
    Apr 22 2013 15:03:28: %ASA-5-304002: Access denied URL https://x.x.x.x/ SRC  DEST  on interface .
    So I need to know: if the connection is not made to those websites, does the traffic go via the firewall only?
    Does it not touch the Websense?
    When the proxy is configured on the browser, how does the firewall handle the request then?
    Can someone explain the traffic flow from PC to Websense to me, please?
    Thanks
    Mahesh

    Hello,
    No, I don't.
    I said that I am definitely not a Websense expert, but I will check the reports/logs on the Websense appliance and then filter based on your client IP address having issues.
    regards

  • Query to Identify File and Block IDs

    I'm executing the following statement:
    SELECT segment_name,
           file_id,
           block_id
      FROM dba_extents
     WHERE owner = 'OE';
    It executes in the case of the OE owner, but when I type HR or others it shows "no rows selected".
    Please suggest.

    It is not necessarily the case that a user who is in dba_users is also in dba_extents. Chances are there may be some users who have only select privileges on different schema.objects. You will only find a user name in dba_extents if the user has any object in his/her schema; an empty schema will not be in dba_extents.
    Regards
    Girish Sharma

  • Mac Mail and blocked ports

    Hi,
    I work in a not-very-Mac-friendly school district, but use a Mac anyway. We've figured out how to open the correct ports, etc. for internet use (via Network Preferences) but still can't access email (on an MS Exchange server) or any POP mail (Yahoo) or .mac mail through the mail program. I'm guessing it's something with a port somewhere that needs to be opened. Any thoughts on what it might be, or how to open ports on Mail?
    Thanks for any help anyone might offer.
    -Widget

    From the client side, you don't need to open any ports in Sys Prefs Sharing at all. Opening ports there is only for dealing with inbound traffic that you didn't initiate and weren't expecting as a response to something, i.e., if you were a mail or web server. But you're not a server, you're a client. So close 'em. Plus, in Mail.app (or any other application for that matter), those port numbers (like 25 or 587 or 465 for smtp, or 110 or 995 for pop, or 143 or 993 for imap) are at the destination mailserver, not your computer.
    If you launched Terminal.app, "su {adminUserName}" and "sudo tcpdump -i en1" (en1 if wireless, en0 if Ethernet cable), you will find that when you launch Mail and try to check mail or send mail, stuff from your computer is leaving your machine on a randomly chosen (by Mail.app) five-digit port number, and it's at the destination server where these port numbers (25, 587, 465, 110, 995, 143, 993) have any meaning. The same holds true for all applications, e.g. Safari: port 80 refers to the web server, not the port on which you are sending out your browser request to the server. The (mail, web, other) server responds back from its port (25, 143, ..., 80, etc.) to the random port number that your application chose.
    Your problem, most likely, is that your IT Dept is blocking outbound traffic destined for any "foreign" host addresses at ports like 25 or 143, that are NOT the host addresses of your IT Dept's own mailservers. They would be blocking this at their firewall to the internet. My work's IT Secret Police does this. So unless they relax their firewall restrictions, you're going to have to do something like use your cellphone as a dialup modem to access those mail accounts, or use webmail (since they probably aren't blocking all http (destination server) port 80 traffic -- although they could be blocking traffic addressed to specific host addresses like yahoo.com/webmail).

  • Spanning tree and blocked ports

    Hello
    I have a network built with 5 3560 switches. They are linked together over 6 fiber gigabit links. Two of them are for redundancy. I set up STP and all works fine. STP root is on the same switch for all VLANs.
    But I'm wondering why blocked links only show state blocked on one of the two connected switches. I've read the docs but didn't find a hint.
    Thanks for any comment.
    Thomas

    I guess your question in fact translates to: why is there only one side of my redundant link that is blocking instead of both ends. There are several possible answers to that:
    First, because blocking one side is enough;-)
    But the explanation I prefer is to remember that STP cannot know that this link is a fiber going to a single neighbor bridge. This link could be connected to a hub, where on top of the neighboring bridge there would be some hosts (PCs, routers etc.). To put it short, STP must provide connectivity to this link. That's why *every* link has a designated port that connects it to the root bridge.
    Hope this helps;-)
    Francois

  • FF unable to comprehend PROXY.PAC file with IPv4 and IPv6 rules in it

    My intranet setup involves users going through Squid proxy on a server discoverable by WPAD. Everything worked well until I introduced IPv6 into the network. Now I want their FFs to go IPv4 proxied and go IPv6 direct. I wrote proxy.pac ( http://pastebin.com/UFwVBzcN ) but FF8 throws "XPCSafeJSObjectWrapper is not defined" error. How can this be done?

  • Cisco Ironport S160 Upgrade Source

    My IronPort S160 IOS is very old, and I'm trying to upgrade it. However, the path to the source of the updates which I had configured (long ago) to http://updates.ironport.com simply isn't working. I have the ability to go to that website, but it displays strange info. A telephone number for "support" delivers you to a telemarketing firm telling you that you've won a Walmart gift card... I dialed it several times. The only other item is [email protected], but given the first note, I won't be emailing that.
    My S160 shows several available upgrades on the device, but when it tries to go to the updates.ironport.com site it always fails. I've put ".ironport.com" in the bypass list, and opened a hole in my firewall for this host to anything on the internet...
    I've searched the forums and found nothing. I've hit my Cisco-CCO account and cannot find any async-OS to download when going down the path to the S160. I'd like to update it manually just by downloading the file and placing on the device - etc...
    Lame question and late in the day, but...

    There is no method of downloading the AsyncOS and updating your S160. Updates.ironport.com is still correct for upgrades and if your device is showing you a list of upgrades then it is communicating with the site. You can contact Cisco TAC for assistance using your CCO ID provided you've maintained a support contract on the S160. Good luck!!!

  • Using a Pac File with the new Macbook Pros

    I have recently purchased a new MacBook Pro, and to access the internet at my college I need to use a PAC file. My classmate has the drop-down option to select it because their MacBook Pro is an older model, but my new MacBook doesn't. How do I get the "Using PAC File" option?
    Thanks people in advance for your help!

    OS X Lion is not being included as an install DVD with new Macs. (It does come pre-installed.) Apple is offering a $69 USB stick with Lion pre-installed for owners who would like to own a solid-state means of recovery. Lion is strictly internet based with its recovery features; in other words, Macs will need to be able to connect to the internet to restore a computer with HDD failure (or some other issue where you need to restore the system).

  • Proxy.PAC file not working after upgrade to 10.9.2

    I have a local proxy.pac file and it was working happily before 10.9.2.
    It was loaded under "Network > Proxies > Automatic Proxy Configuration" and effective for all browsers (Chrome, Safari and Firefox).
    After the upgrade to 10.9.2 it seems like it's being totally ignored. I have a CNTLM proxy on my machine and can see the traffic coming in. Looking at the logs, no traffic really comes in and all browsers try to access the internet directly.
    If I set the proxy.pac directly in Firefox, it works, but I want it for all my browsers and applications. I want the same functionality as in 10.9.1 and before.

    I submitted a bug report to Apple. The problem is present since 10.9.2, now with 10.10 and iOS. I hope they will take this problem seriously.

  • Drop IE connection if PAC file not found

    When users are in the corporate network, their machines will grab the PAC file and use it.
    However, when they bring the machine back home, since the machines are unable to grab the PAC file (without VPN), IE reverts to a direct connection, hence bypassing the PAC file settings and going to any sites they want.
    Is there a way to change the default settings of IE or Windows such that, if the PAC file is not present, no connection is allowed for IE?

    Hi Zacklu,
    As far as I know, when users leave the corporate network it is very hard to control their actions, so I think it's hard to achieve your goal.
    Could you please tell me why you want to have this setting?
    Regards
    Yolanda
    TechNet Community Support

  • Performance degradation when using proxy.pac file with FF ESR 31

    With Bug 923458 many people complained about a performance issue compared to other browsers when a proxy.pac file is used.
    The issue initially reported with the bug was resolved for ESR25 according to the statistics, but the general performance issue remained.
    I had the same issue with ESR24 and ESR31.3 .
    I was testing with www.bild.de.
    It took about 40 seconds to load the content completely. Without the proxy.pac file it took about 10 seconds.
    I added a few alerts to the pac file in order to get logs within the console for some analysis.
    I found the following:
    1. The pac file is executed for every request, no matter if the host changed or not.
    In our case the pac file checks for IP addresses and host names only.
    It is not necessary to execute the pac file for each and every request to the same remote host.
    So the question is whether we are able to disable this behaviour via about:config?
    2. The content referenced by www.bild.de seems to be loaded sequentially and with a delay.
    The overall time consumed by the proxy.pac file executions was about 4 seconds compared to the 40 seconds of overall load time.
    So I checked the delay between executions of the pac file and found an overall delay of 40 seconds. I expect that the delay between the calls to the pac file is caused by the retrieval of contents from the remote host.
    So why are the requests executed sequentially?
    Hint: Due to the time necessary for executing the pac file and downloading the contents from the remote host, I would expect the logs generated by my alerts to be mixed (especially if myIpAddress took 1 second). But the log is cleanly ordered by URL. (see attachment)

    Hi guigs2,
    thanks for your response. As we only use myIpAddress once within our pac file and only rely on dnsDomainIs(), == comparisons and shExpMatch(), and the sum of all pac executions was about 4 seconds compared to 40 seconds overall load time, I do not think that DNS resolving is our issue.
    I checked the setting of the configuration you mentioned above. It is set to "false", so the client would try to resolve the DNS names. Our admin told us that we do not use SOCKS proxies, only HTTP proxies.
    Regarding the sequential load of the contents included on www.bild.de from other web sites, I attached a screenshot.
    Please note the red highlights. These show the start time in milliseconds of the pac execution. I added this as a kind of id which represents a unique identifier together with the URL in case the log items are mixed. But they are not; instead they are cleanly ordered by URL (for all 360 pac file calls).
    Moreover, in the picture you can see the delay between the end of the last pac file execution and the next one (blue timestamp in milliseconds compared to the red timestamp of the next row saying "entered proxy.pac"). The delays sum up exactly to the 40 seconds the FF took to load the page completely.
    The fragment shown alone represents a delay of 630ms between the pac file executions. If the contents were loaded in parallel, there should be no such delay.

  • Example wsdl and logical port for consumer proxy anyone ?

    Hi,
    Could somebody please give me an example of an external WSDL file and the logical port created for the WSDL file in SOAMANAGER?
    I need to create a logical port manually for my consumer proxy and I am missing something, because my logical port is not active.
    Any example is more than welcome.
    I need to know how to populate the fields manually on the following tabs based on the info in a WSDL file:
    Consumer Security, Additional Information, Web Service Addressing, Messaging, Transport settings, Message Attachments, Operation specifi
    Thanks and Regards
    Agnieszka
    The message, I am getting, when creating logical port is:
    Operation 'SrtFmStatefulTf' not found [NS: 'urn:sap-com:document:sap:soap:functions:mc-style']
    I think that maybe something is wrong with my wsdl.
    Edited by: Agnieszka Domanska on Nov 17, 2010 5:41 PM

    Hi Milan,
    this kind of error occurs when there is no service and endpoint description in the WSDL of the provider whose service you are trying to consume using the Consumer Proxy.
    Just open the provider's WSDL URL that you have given while creating the Logical Port for the consumer proxy and check if the service and endpoint exist there.
    Thanks
    Sunil Singh

  • Pac file multiple ironport proxy servers

    IronPort proxy: is there a way to automatically load a PAC file on multiple IronPort proxy servers?

    It looks like you're missing an else command. Below is how I have it configured and it is working. Without the else command I would think it would just return direct always.
    function FindProxyForURL(url, host) {
        if ((host == "127.0.0.1") ||
            (host == "localhost"))
            return "DIRECT";
        else
            return randomProxy();
    }
    function randomProxy() {
        // body not included in the original post
    }
