ISA570 Block Non-HTTP Access by FQDN instead of IP Address

Does anyone know a way to block any access to a site by FQDN instead of its IP address on the ISA500 series devices? I know you can block website access with Web URL filtering using FQDNs, but what if you want to block non-HTTP traffic to a site that has either multiple IPs or dynamic IPs? I typically use Address Management to set up sites that I want to limit or block, but you have to define specific IPs or ranges and that doesn't always work, especially if host IPs are dynamic. Also, host static IPs can change over time, so even if you define them in Address Management you have to periodically audit them to make sure they are still correct.
This is not only an issue with blocking sites, but also in trying to define QoS policies as those use addresses defined in Address Management which again use specific IPs or ranges.  I am just trying to find a more reliable, long term, method of doing these types of management activities on the ISA500 devices.
Thanks for any advice.

I am pretty sure you cannot do this on ISA. I think you could use opendns.com to accomplish blocking non-HTTP sites by FQDN. You could do blocking and QoS by FQDN with what Cisco generally considers the replacement for this product, the Meraki MX60.
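The periodic audit the question describes (checking that the IPs typed into Address Management still match what the hostnames resolve to) is the part that can be automated even when the appliance itself cannot match on FQDN. The following is an added example, not code from the thread or from Cisco: a small Python script that resolves each address object's hostnames and reports addresses that no entry covers (traffic to them slips past a rule built on the object) and entries that nothing resolves to any more (stale candidates for removal). The object names, hostnames and addresses are constructed for illustration, and the resolver is injectable so the audit can be run against recorded answers; a live run uses the system resolver and therefore only sees the answers returned to this vantage point at this moment, which is exactly the weakness of IP-based rules for round-robin or CDN-hosted sites.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Set

# Resolver signature: FQDN -> set of address strings. Injected so the audit can
# run against recorded answers (tests) or a specific DNS vantage point.
Resolver = Callable[[str], Set[str]]


def system_resolver(fqdn: str) -> Set[str]:
    """Return every address the local stub resolver currently returns for fqdn."""
    try:
        infos = socket.getaddrinfo(fqdn, None)
    except socket.gaierror:
        return set()  # NXDOMAIN / SERVFAIL: treat as "resolves to nothing"
    # info[4][0] is the host part of the sockaddr; drop any IPv6 scope suffix
    return {info[4][0].split("%")[0] for info in infos}


def _ip_key(ip):
    return (ip.version, int(ip))


def _net_key(net):
    return (net.version, int(net.network_address), net.prefixlen)


def audit_object(entries: Iterable[str], fqdns: Iterable[str],
                 resolve: Resolver) -> Dict[str, List[str]]:
    """Compare one address object (single IPs and CIDR ranges) with live DNS answers.

    uncovered: addresses the FQDNs resolve to that no entry covers
    stale:     entries that no current answer falls inside
    """
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    resolved = set()
    for fqdn in fqdns:
        resolved |= {ipaddress.ip_address(a) for a in resolve(fqdn)}
    # Membership across IP versions is simply False, so mixed v4/v6 objects are safe
    uncovered = [ip for ip in resolved if not any(ip in n for n in nets)]
    stale = [n for n in nets if not any(ip in n for ip in resolved)]
    return {
        "uncovered": [str(ip) for ip in sorted(uncovered, key=_ip_key)],
        "stale": [str(n) for n in sorted(stale, key=_net_key)],
    }


def audit_all(objects: Dict[str, List[str]], object_fqdns: Dict[str, List[str]],
              resolve: Resolver = system_resolver) -> Dict[str, Dict[str, List[str]]]:
    """Audit every address object that has a hostname mapping; others are skipped."""
    return {
        name: audit_object(entries, object_fqdns[name], resolve)
        for name, entries in objects.items()
        if name in object_fqdns
    }


# Constructed sample data (not from the thread): address objects as an
# administrator might have typed them, and which hostnames each stands for.
SAMPLE_OBJECTS = {
    "blocked-site": ["198.51.100.10", "198.51.100.0/30"],
    "video-cdn": ["203.0.113.0/24"],
}
SAMPLE_FQDNS = {
    "blocked-site": ["blocked.example.net"],
    "video-cdn": ["cdn.example.org", "cdn2.example.org"],
}

if __name__ == "__main__":
    for name, result in audit_all(SAMPLE_OBJECTS, SAMPLE_FQDNS).items():
        print(name, "uncovered:", result["uncovered"], "stale:", result["stale"])
```

Run it from cron and alert on a non-empty "uncovered" list; a hostname that answers with a different address subset on each query will show churn from one run to the next, which is the signal that the object should be widened to the provider's published range rather than chased address by address.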

Similar Messages

  • British Telecom BT 220v router blocking incoming http access ?

    (Partly in response to Neil's suggested solution to my incoming traffic problem, in thread 'Wake when the modem detects a ring ...' )
    I am assured by my ISP (BT or British Telecom: previously able to give good advice on my non-Windoze, non-Explorer, non-USB configuration, so stuck with them) that there is no firewall on my BT 220V router and that there is no blocking or filtering of incoming traffic by BT for domestic (or business) customers.
    However, inspection of the router configuration and BT's own Quick Start guide reveals that IP filtering can indeed be set up, the default appearing to be that filtering is Enabled for inbound traffic.
    The latest BT tech-help person assured me that these are 'factory settings' which cannot be changed (and indeed I can't and don't want to), but did not know what they do. No doubt they are for security & firewall purposes: anyone know what kind of traffic they filter, and has anyone had this problem (no external access to shared folders or personal web site folders, timeouts rather than 404 errors) with a 220v ?
    I've been round every other possible explanation and this is all that is left. Completely stuck otherwise.
    iBook G4, 256MB RAM, AirPort Extreme, built-in ethernet, 133MHz   Mac OS X (10.3.9)

    I'll shed some light -- if you try this in a forum OTHER than an iPhone forum, perhaps you may get more responses.

  • Redirect / Block non https traffic

    I have a quick question. Today I setup teaming 2.0 on SLES10.
    After customizing the SuSE firewall per the instructions everything is perfect. I then cut off non-secure port 80 traffic. Looked OK. I found that the email that teaming sends out is http://server; since I killed http traffic it's now broken. I tried changing the firewall rule to FW_REDIRECT="0/0,10.0.100.100,tcp,80,8443" to see if it would just redirect the port 80 traffic to 8443 on the server - but that did not work. Is there a place I can simply change the email to link to https://server?
    Any other thoughts?
    Cool product by the way!
    Tha
    Dennis

    Dennis,
    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Visit http://support.novell.com and search the knowledgebase and/or check all
    the other self support options and support programs available.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.novell.com)
    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.novell.com/faq.php
    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://support.novell.com/forums/

  • Unable to block Non-Corporate machine access to CORP wireless network

    Hello everyone
    I am facing this problem right now. I created rule 1 for host authentication and rule 2 for user authentication, but it seems I am unable to block non-corporate machines (iPad or smart phone) from accessing the CORP wireless network if people put in a valid domain user name and password.
    Here are the details, please help.
    Rule 1 --Host AUTH---
    External Groups : AD1
    Protocol: Radius
    Was Machine Authenticated: -ANY-
    System name : start with host/
    Results : Permit Access
    Rule 2 --User AUTH---
    External Groups : AD1
    Protocol: Radius
    Was Machine Authenticated: -true-
    System name : -ANY-
    Results : Permit Access
    Default : Deny Access
    Now, if I connect a personal smart phone with Windows username and password, ACS is able to block it, screenshot as follows.
    But if I connect the same personal phone with "domain\username" and password, the phone is able to connect, and here is the screenshot.
    Question is why the "host AUTH" rule matched when I use "domain\username" on a personal phone? I do check the system name in "host AUTH" and permit access only if the system name starts with "host/", so how come this person is able to pass the rule?

    We don't have BYOD at this moment, so we don't want employees to access the CORP wireless network with their personal devices.
    Back to the question, I was able to authenticate the laptop by machine name and it seems to work if I only type the username without the domain.
    But if I type "domain\username" into the phone, I am able to connect. I don't know why this can happen or how to fix it.
    Please show your kind help, thanks all

  • Parental controls blocks all https websites

    When I enabled parental controls for my 9-year old, I didn't expect her not to be able to use Google, Gmail and just about every single other website that requires logging in. The reason? Those websites are all https websites and parental controls blocks *ALL* https websites.
    With https becoming more and more prevalent on the web, adding an exception is not really an option anymore. I don't want to add an exception for half of the internet. It's gotten so bad that she's encountering a popup several times per minute when just doing a little research for her homework. Web filtering is apparently a whitelist-only solution, suitable only for the smallest of children - the ones that you sit next to because they can't type a web address themselves, 5 years or younger.
    The only solution I could find was to turn off web filtering completely and use OpenDNS instead. Does anyone else know of a better solution?

    Hello,
    An alternative application as an option that is very worthy:
    <http://www.netnanny.com/mac>
    Randy Mac
    RMACS, LLC

  • Non-HTTP servlet

    I need to support concurrent access from multiple clients using a non-HTTP protocol
    over socket connection. One way is to write my socket server and create a new
    thread for each request. But WLS forbids user-created threads from calling into
    WLS components such as EJB. So I would like to write a non-HTTP servlet so that
    the WLS servlet container will create a new thread calling into the servlet and
    have the servlet calling EJBs on this WLS created thread. But is there a way to
    plug a subclass of GenericServlet into WLS?
    Thanks,
    T Tse

    I don't think there is a way to use non-HTTP servlets, but still you can use WLS
    execute queue and execute threads, for example:

    // Imports assumed for the WebLogic 5.1/6.x time-service classes used below
    import java.io.IOException;
    import java.net.ServerSocket;
    import java.net.Socket;
    import javax.naming.InitialContext;
    import javax.naming.NamingException;
    import weblogic.common.T3ServicesDef;
    import weblogic.time.common.Schedulable;
    import weblogic.time.common.ScheduledTriggerDef;
    import weblogic.time.common.TimeTriggerException;
    import weblogic.time.common.Triggerable;

    // Accept loop: each accepted socket is wrapped in a scheduled trigger so the
    // handler runs on a WebLogic execute thread instead of a user-created thread
    ServerSocket serverSocket = new ServerSocket(...);
    for(;;) {
        new MyThread(new RequestHandler(serverSocket.accept())).start();
    }

    class RequestHandler implements Runnable {
        Socket socket;
        public RequestHandler(Socket socket) {
            this.socket = socket;
        }
        public void run() {
            // to see if this is executing on a WebLogic execute thread
            new Exception().printStackTrace();
            try {
                socket.close();
            } catch(Throwable whatever) {}
        }
    }

    class MyThread implements Schedulable, Triggerable {
        boolean done = false;
        Runnable runnable = null;
        Object sync = new Object();
        ScheduledTriggerDef std;

        public MyThread() {
        }
        public MyThread(Runnable runnable) {
            this.runnable = runnable;
        }
        // Block until trigger() has run the wrapped Runnable; the loop guards against spurious wakeups
        public void join() throws InterruptedException {
            synchronized(sync) {
                while(!done) {
                    sync.wait();
                }
            }
        }
        public void run() {
            if(runnable != null) {
                runnable.run();
            }
        }
        // Register this object as both the schedule and the trigger with the WLS time service
        public boolean start() {
            boolean ok = false;
            try {
                T3ServicesDef t3 = (T3ServicesDef)(new InitialContext()).lookup("weblogic.common.T3Services");
                std = t3.time().getScheduledTrigger(this, this);
                std.schedule();
                ok = true;
            } catch(NamingException ne) {
                System.out.println(ne.getMessage());
            } catch(TimeTriggerException tte) {
                System.out.println(tte.getMessage());
            }
            return ok;
        }
        // Triggerable: WLS calls this on one of its execute threads
        public void trigger(Schedulable sched) {
            try {
                run();
            } catch(Throwable t) {
                System.out.println(t);
            }
            synchronized(sync) {
                done = true;
                sync.notify();
            }
        }
        // Schedulable: returns the next trigger time; 1 (already in the past) fires
        // as soon as possible, 0 stops scheduling once the Runnable has run
        public long schedule(long time) {
            return done ? 0 : 1;
        }
    }

    ttse <[email protected]> wrote:
    > I need to support concurrent access from multiple clients using a non-HTTP protocol
    > over socket connection. One way is to write my socket server and create a new
    > thread for each request. But WLS forbids user-created threads from calling into
    > WLS components such as EJB. So I would like to write a non-HTTP servlet so that
    > the WLS servlet container will create a new thread calling into the servlet and
    > have the servlet calling EJBs on this WLS created thread. But is there a way to
    > plug a subclass of GenericServlet into WLS?
    > Thanks,
    > T Tse
    Dimitri

  • Form 11g - Is it possible to block specific forms access when user directly types form name in url ?

    Hi everyone,
    We have XXF000.fmb, XXF001.fmb , XXF002.fmb , XXF003.fmb in 6i.
    For migration to 11g , we recompile these forms and move fmx to 11g form server under form_path.
    In 6i, we log in for validation & responsibilities control in XXF000, so we can use account info to verify if a user has privilege to access XXF001, XXF002 and XXF003.
    But in 11g, we can access these forms via URL request, such as: http://<host>:<port>/forms/frmservlet?form=XXF000 ; http://<host>:<port>/forms/frmservlet?form=XXF001 ... etc
    These may cause some unexpected access and operations in functions.
    Is it possible to block specific forms access when a user directly types the form name in the URL?
    Thanks.
    Hendry

    You need to alter your formsweb.cfg file, either directly or through the Fusion web interface. You need to set the following parameters:
    # this sets the default form for your application
    form=yourmenuform.fmx
    # this stops these parameters being entered in the URL; separate different parameters with commas
    restrictedURLparams=form,pageTitle,HTMLbodyAttrs,HTMLbeforeForm,HTMLafterForm,log

  • Sharepoint HTTPS access stopped working suddenly

    Hi,
    we have a single server sharepoint 2013 server.
    HTTP and HTTPS access are enabled for sharepoint site collection. The bindings and aam are set correctly.
    The HTTPS access suddenly stopped working. Might be related to updates installation.
    HTTP access is working properly.
    When I create a new non sharepoint site in IIS the HTTPS access works.
    When I create a new sharepoint site in IIS the HTTPS access does not work only HTTP access is possible. There is no response from the server.
    Following event log error message might be related to this problem:
    Schannel 36888 Error: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel
    error state is 1203.
    I checked the ULS, Event logs, changed bindings, tried creating new sharepoint web applications to find the source,
    Any ideas?
    Thanks,
    Andrej

    Hi Andrej,
    I think unless the issue for the Schannel 36888 error is fixed, the HTTPS issue may not get resolved.
    Please refer the below link which was resolved in different OS.
    http://social.technet.microsoft.com/Forums/en-US/9dfb4d09-8096-40c9-ac75-1e23f75417c9/frequent-event-id-36888-windows-schannel-errors-in-the-event-viewer?forum=W8ITProPreRel
    TLS and HTTPS:
    TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are protocols that provide data encryption and authentication between applications and servers in scenarios where that data is being sent across an insecure network, such as checking your email
    (How does the Secure Socket Layer work?).
    http://luxsci.com/blog/ssl-versus-tls-whats-the-difference.html
    http://searchsecurity.techtarget.com/definition/Transport-Layer-Security-TLS
    Please remember to mark your question as answered & Vote helpful,if this solves/helps your problem. 
    s p kumar

  • RV042 - limiting HTTP access by IP address?

    I am trying to limit HTTP access to my server on the local network to a specific IP address.  I create an Access Rule in the firewall section, however that doesn't work.  The only way it works is if I add the internal IP address of the server to the Forwarding section where I create a new HTTP forwarding rule.
    However, that is not good because that allows ALL HTTP traffic to that server instead of just by the single IP address.
    Anyone know how to do this?  Any help would be greatly appreciated.  Thanks in advance.

    Thanks for the reply. You are correct - I want to allow 1 specific external IP address to access an http server on my LAN. Looking through those threads, it seems like the other user enabled one-to-one NAT. I tried turning it on but it gave me an error message (I forgot what the error was, but it was something along the lines of the external IP address already being used in the Basic Settings or something).
    I will double-check the error message and will post it here.  The current access rules are:
    Deny: All services, WAN, All external, All internal
    Allow: All services, LAN, All internal
    Thanks for any additional help.

  • WLS http access logs not written to when starting WLS instance using nodemanager

    When starting managed WLS instances using node manager the HTTP access logs are
    not written to (the WLS log in the same directory is written to). All other functionality
    of the WLS instances seem to operate just fine when started using node manager.
    When we start the same managed WLS instances using a start-up script the HTTP
    access logs are written to.
    ===
    How can we get HTTP access logs to be written to when starting a WLS instance
    using node manager?

    I think I know the answer to this one!
    I got bitten by the same bug (at least I think it is a bug). Check the location
    specified for the HTTP-access log for your server instance. It is probably a relative
    location, right?
    According to the docs, relative paths should start from the Root Directory (see
    your Remote Start config), but it seems like the BEA-programmers forgot to retrieve
    the Root Directory and instead blindly writes to the process' current working
    directory (CWD).
    And when started by the Node Manager, the CWD = WL_HOME/common/nodemanager.
    If you are as paranoid as I am (and you should be too), that directory should
    not be writeable by anyone. Because my BEA installation was owned by 'bin', and
    the processes run by 'beawls', I got an error message in my NM-logs pointing to
    the problem. In your case, you are probably running NM as a user that has write-access
    to your NM-home, and all your missing HTTP-access logs are deep, down there.
    Jan Bruun Andersen

  • 1and1 Webmail signing out only on this computer, won't sync, blocking non-existant pop-ups & windows

    My webmail is auto signing me out several times a day, but only on this computer. It's set for 'private', I've uninstalled and reinstalled that program, cleared cache and re-started, same thing with Firefox.
    Firefox is also frequently blocking pages from opening that apparently don't exist, and blocking non-existent pop-up windows as well.
    Today I got an error message that my sync password was rejected, which is odd since it's set to manually sync and nothing's been changed. All the resets happened days ago. It also wouldn't let me use my password, but let me change it.
    Since this is the only computer I'm having the problems on I'm assuming that it's either the version of Firefox that I'm using or something in my computer that suddenly isn't playing nice with Firefox, but I don't know where to start, other than once again un and re-installing it (which did nothing).
    Thanks for any help!

    I kept getting that error message. I thought that since I'm syncing with my corporate email so the calendar syncs wirelessly with Outlook, that it was causing a conflict.
    I just found this post though, and other people said it worked for them
    http://www.google.com/support/forum/p/Google%20Mobile/thread?tid=0267f2909cea0df9&hl=en

  • Re: Disable HTTP access to Weblogic 6.0

    Appears to be: http://e-docs.bea.com/wls/docs60///////config_xml/properties.html
    On 20 Jul 2001 08:35:38 -0800, "Florian Kirchhoff" <[email protected]> wrote:
    >
    Is this possible in Weblogic 6.0?
    "Don Dwoske" <[email protected]> wrote:
    It looks like you've got a couple of different things going on
    here.
    If you want to disable http, do this in the WL properties file:
    weblogic.httpd.enable=false
    your getInitialContext should figure out what port your naming
    service is on unless you've hardcoded it to be localhost:80, true?
    I switch between ports 80 and 7001 all the time without problems.
    -Don
    "Gagan Bhalla" <[email protected]> wrote:
    Hi,
    Can someone tell me how do I disable the HTTP access to
    Weblogic.
    The environment I am running on my dev machine would be
    Win2000+
    Weblogic 5.1+ SP6. I am redirecting any HTTP request to
    the secure
    port and that part is working. But I want to be able to
    completely
    disable any HTTP requests all together. Is there a way
    to do this.
    In the weblogic.properties file, if I change the weblogic.system.listenPort
    property to point to anything other than port 80, it gives
    me errors
    on the WLInitialContext. What else do I need to change
    in this
    so that I can listen on a port other than 80?
    Thanks for your help,
    Gagan
    javax.naming.CommunicationException. Root exception is
    java.net.ConnectException: No server found at T3://localhost:80
    at weblogic.rjvm.RJVMFinder.findOrCreate(RJVMFinder.java,
    Compiled Code)
    at weblogic.rjvm.ServerURL.findOrCreateRJVM(ServerURL.java,
    Compiled Code)
    at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java,
    Compiled Code)
    at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:148)
    at weblogic.jndi.WLInitialContextFactory.getInitialContext(WLInitialContextFactory.java:123)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:671)

    I need to keep the HTTP session alive,
    but I need to block the TRACE method, or say the GET method.
    Any clue how we can do that?
    thanks

  • Non-HTTP(S) Servlets

    I'd like to use servlets to provide services over a non-HTTP protocol (e.g. FTP, NNTP, SMTP, etc.). The existence of the Servlet -> GenericServlet -> HTTPServlet hierarchy suggests this is supposed to be possible but I'm not sure how to do it. The main problem I see is getting my servlet container to know what protocol (IP port) I want to use.
    So, are non-HTTP servlets supposed to provide their own logic to set up a socket listener in the Servlet.init() method, manage their own thread pool, and dispatch requests to servlet instances as they are received? Or, is there some service provider API I can use to plug a non-HTTP service into my servlet container?
    BTW, I'd like to do this in a J2EE v1.3 server.
    Thanks, Dave

    > I'd like to use servlets to provide services over a
    > non-HTTP protocol (e.g. FTP, NNTP, SMTP, etc.)
    My first reaction would be "don't".
    In an HTTP request, there is a bunch of headers, which the servlet container uses to decide which servlet it will invoke. There are no such headers in e.g. FTP. Even if you manage to subclass Servlet to FTPServlet, the web server doesn't know how FTP requests should be routed to that servlet.
    The piece of code that listens to port 80 etc really wants to see "GET", "POST" etc plus a URL on the first line of incoming data. That code won't respond well to seeing SMTP's "HELO".
    That being said, you can put such protocols in a web server or app server. Write a thread that creates a server socket for the appropriate port and then sits in accept(). When a connection comes in, it starts a new per-client thread which talks SMTP or whatever over the incoming socket. Pretty basic client/server socket programming.
    Also, to me, the servlet model appears inappropriate for FTP et al: a servlet services one request, then exits. FTP, NNTP and SMTP are all more like a discussion than request-reply.
    In theory, it would be possible to fashion e.g. an SMTP server as a sort of a servlet. Instead of doGet() and such perhaps you'd have doHELO(), doMAIL_FROM(), doDATA() etc. But that seems overly complicated... Seems easier to me to do simply:
        while (true) {
            read socket input a line at a time;
            if (in data mode) {
                check for end-of-message;
                append to string buffer;
            } else {
                tokenize it;
                obey the incoming command;
            }
        }
    Maybe if you really want to use the servlet model, write a Servlet-like class that has a doCommand() method and make the "obey the incoming command" bit above call that. I'm not sure how much that buys, though. There are enough small differences in things like command tokenizing to make code reuse in the various protocol "servlets" difficult.
    Btw, FTP in particular is an incredibly messy protocol. Implement that one only if you absolutely must, and even then crib some existing public domain implementation as a base. Active/passive, separate command/data channels, a wide range of buggy FTP clients, security difficult to get right, ... ouch...
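The design sketched in this reply (a listener thread that hands each connection to a per-client thread, and a read-a-line loop that switches between command mode and data mode) is the same one the earlier WLS thread ("Non-HTTP servlet") was reaching for. The following is an added example, written in Python rather than the Java of either thread and not code from any poster: a session state machine for a toy SMTP-like protocol, with an explicit dispatch table instead of the doHELO()/doDATA() reflection idea, plus a threaded socketserver front end. The command set, reply codes, port and the two size limits are constructed for illustration. The limits are the part worth copying: a line-oriented server that buffers an unbounded line or an unbounded message body lets any client exhaust its memory, so the session refuses overlong lines and discards an oversized body before returning to command mode.

```python
import socketserver

MAX_LINE = 512        # constructed limit on one input line (characters)
MAX_DATA = 64 * 1024  # constructed cap on one message body (characters)


class LineProtocolSession:
    """State machine for one client of a toy SMTP-like line protocol.

    feed_line() takes one decoded input line without its terminator and returns
    the reply to send; "" means no reply, as while a message body is being read.
    Command mode tokenizes and dispatches; data mode appends lines until the
    lone "." end-of-message marker arrives.
    """

    def __init__(self, max_line=MAX_LINE, max_data=MAX_DATA):
        self.max_line, self.max_data = max_line, max_data
        self.in_data, self.closed = False, False
        self.sender, self.body, self.body_size = None, [], 0
        self.messages = []  # completed (sender, body) tuples
        # Explicit dispatch table: only these names are reachable from the wire
        self.commands = {"HELO": self.cmd_helo, "MAIL": self.cmd_mail,
                         "DATA": self.cmd_data, "QUIT": self.cmd_quit}

    def feed_line(self, line):
        if self.closed:
            return "421 session closed"
        if len(line) > self.max_line:
            self.closed = True  # refuse to buffer an overlong line; end the session
            return "500 line too long"
        return self._data_line(line) if self.in_data else self._command_line(line)

    def _command_line(self, line):
        parts = line.strip().split(None, 1)
        if not parts:
            return "500 empty command"
        handler = self.commands.get(parts[0].upper())
        if handler is None:
            return "500 unknown command"
        return handler(parts[1] if len(parts) > 1 else "")

    def _data_line(self, line):
        if line == ".":
            self.in_data = False
            self.messages.append((self.sender, "\n".join(self.body)))
            self.sender, self.body, self.body_size = None, [], 0
            return "250 ok: queued"
        if line.startswith(".."):
            line = line[1:]  # undo dot-stuffing of body lines that begin with "."
        self.body_size += len(line) + 1
        if self.body_size > self.max_data:
            # Drop the partial message and return to command mode
            self.in_data = False
            self.sender, self.body, self.body_size = None, [], 0
            return "552 message too large"
        self.body.append(line)
        return ""

    def cmd_helo(self, arg):
        return "250 hello"

    def cmd_mail(self, arg):
        if not arg.upper().startswith("FROM:"):
            return "501 syntax: MAIL FROM:<address>"
        self.sender = arg[5:].strip().strip("<>")
        return "250 ok"

    def cmd_data(self, arg):
        if self.sender is None:
            return "503 need MAIL first"
        self.in_data = True
        return "354 end data with <CR><LF>.<CR><LF>"

    def cmd_quit(self, arg):
        self.closed = True
        return "221 bye"


class LineHandler(socketserver.StreamRequestHandler):
    """One thread per connection: read a line, feed it to the session, write the reply."""

    def handle(self):
        session = LineProtocolSession()
        self.wfile.write(b"220 toy service ready\r\n")
        while not session.closed:
            raw = self.rfile.readline(MAX_LINE + 2)  # an overlong line comes back without its newline
            if not raw:
                break
            reply = session.feed_line(raw.decode("utf-8", "replace").rstrip("\r\n"))
            if reply:
                self.wfile.write((reply + "\r\n").encode("utf-8"))


class ThreadedLineServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
    daemon_threads = True
    allow_reuse_address = True


if __name__ == "__main__":
    # Listens on localhost only; try it with: nc 127.0.0.1 2525
    with ThreadedLineServer(("127.0.0.1", 2525), LineHandler) as server:
        server.serve_forever()
```

Keeping the protocol logic in a class that is fed one line at a time and never touches the socket is what makes it testable without a network, and it is also the only piece that changes when the transport moves from a thread per connection to a container-managed thread pool.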

  • Create Apps for HTTP access

    Hi,
    Is there a way to create apps for HTTP access instead of using UNC?
    And have it access via Application Explorer?
    Thanks,
    Harold

    Do you mean an app to launch a web page via IE/NetScape?
    Just run "IEXPLORE.EXE" with the webpage as the parameter.
    Or do you mean HTTP connectivity for the workstation to run an app?
    The 2nd starts to exist in ZFD4 in some fashion , but not ZFD3.
    [email protected] wrote:
    > Hi,
    >
    > Is there a way to create apps for HTTP access instead of using UNC?
    > And have it access via Application Explorer?
    >
    > Thanks,
    > Harold

  • I have accidentally blocked Firefox's access to the internet, how do I unblock it?

    Earlier I saw a popup while I was browsing that said that Firefox was trying to access my internet, and at the time this seemed suspicious. I don't know why, but I pressed "block" which, in return, blocked my entire access of the internet through Firefox. I tried reinstalling Firefox, and I also tried to do stuff with the firewall but I didn't understand what to do. How could I allow Firefox to access the internet again?

    Remove all rules for Firefox from the permissions list in the firewall and let your firewall ask again for permission to get full unrestricted access to internet for Firefox and the plugin-container process and the updater process.
    See:
    * https://support.mozilla.com/kb/Server+not+found
    * https://support.mozilla.com/kb/Firewalls
