Kerberos encryption for HTTP traffic

Hello
I am writing a client for the WinRM service (Windows Vista). This service uses the SOAP protocol for communication.
And I cannot make a subscription for Windows events using the Push method.
The issue is that when I try to make an event subscription, Vista tries to test the connection with my server, but I don't know what I should send back to Vista WinRM for the test connection request... :(
I didn't find it in MSDN.
The subscription request is:
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:e="http://schemas.xmlsoap.org/ws/2004/08/eventing" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:ew="http://www.example.com/warnings" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:x="http://www.w3.org/2001/XMLSchema">
  <env:Header>
    <a:To s:mustUnderstand="true">HTTP://winrmcient:80/wsman/</a:To>
    <w:ResourceURI>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</w:ResourceURI>
    <a:Action s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/eventing/Subscribe</a:Action>
    <a:MessageID s:mustUnderstand="true">uuid:a4b86ede-32d0-4a28-91f5-bc8f36bfca22</a:MessageID>
    <a:ReplyTo>
      <a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
    </a:ReplyTo>
    <w:MaxEnvelopeSize>262144</w:MaxEnvelopeSize>
    <w:Locale xml:lang="en-US"/>
    <w:OperationTimeout>PT5M0.000S</w:OperationTimeout>
    <w:OptionSet>
      <w:Option Name="ReadExistingEvents" mustComply="false"/>
      <w:Option Name="ContentFormat">RenderedText</w:Option>
    </w:OptionSet>
  </env:Header>
  <env:Body>
    <e:Subscribe>
      <e:Delivery e:Mode="http://schemas.xmlsoap.org/ws/2004/08/eventing/DeliveryModes/Push">
        <e:NotifyTo>
          <a:Address>http://Antares:443</a:Address>
        </e:NotifyTo>
      </e:Delivery>
      <e:Expires>PT12H0M0.000S</e:Expires>
      <w:Filter>
        <QueryList>
          <Query Path="Security">
            <Select>*</Select>
          </Query>
          <Query Path="System">
            <Select>*</Select>
          </Query>
          <Query Path="Application">
            <Select>*</Select>
          </Query>
        </QueryList>
      </w:Filter>
      <w:SendBookmarks/>
    </e:Subscribe>
  </env:Body>
</env:Envelope>
The WinRM connection test request is a request with zero content length and with the headers:
Host=[Antares:443], Content-type=[application/soap+xml;charset=UTF-16], Content-length=[0], Connection=[Keep-Alive], Authorization=[Kerberos ...], User-agent=[Microsoft WinRM Client]
I tried to send an empty response (with the same headers as the test request) for the test request, but it doesn't have any effect.
The WinRM subscription response is:
<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:e="http://schemas.xmlsoap.org/ws/2004/08/eventing" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xml:lang="en-US">
  <s:Header>
    <a:Action>http://schemas.xmlsoap.org/ws/2004/08/eventing/fault</a:Action>
    <a:MessageID>uuid:B83898C7-9F93-4E7A-8C8C-B72C7D189908</a:MessageID>
    <a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To>
    <a:RelatesTo>uuid:a4b86ede-32d0-4a28-91f5-bc8f36bfca22</a:RelatesTo>
  </s:Header>
  <s:Body>
    <s:Fault>
      <env:Code xmlns:env="http://www.w3.org/2003/05/soap-envelope">
        <s:Value>s:Sender</s:Value>
        <s:Subcode>
          <s:Value>e:EventSourceUnableToProcess</s:Value>
        </s:Subcode>
      </env:Code>
      <env:Reason xmlns:env="http://www.w3.org/2003/05/soap-envelope">
        <s:Text xml:lang="en-US">The connectivity test from the push subscription source to the client failed. This can happen if the client machine initiating the push subscription is unreachable from the server machine where the event source is located. Possible reasons include firewall or some other network boundary. Modify subscription to use Pull based subscription. </s:Text>
      </env:Reason>
      <s:Detail>
        <w:FaultDetail>http://schemas.dmtf.org/wbem/wsman/1/wsman/faultDetail/UnusableAddress</w:FaultDetail>
        <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150858901" Machine="">
          <f:Message>The connectivity test from the push subscription source to the client failed. This can happen if the client machine initiating the push subscription is unreachable from the server machine where the event source is located. Possible reasons include firewall or some other network boundary. Modify subscription to use Pull based subscription. </f:Message>
        </f:WSManFault>
      </s:Detail>
    </s:Fault>
  </s:Body>
</s:Envelope>
In the WinRM documentation I see:
Note: HTTP traffic by default only allows messages encrypted with the Negotiate or Kerberos SSP.
But I use a simple Java HttpConnection and there are no references to Kerberos in the JavaDoc for this class... :(
One more thing: I use BASIC authentication.
Does anybody know what I should send back for the connection test request?
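
Added example (not code from the post above): a small reader for a WS-Management fault like the one the subscription came back with. It parses the envelope with a JAXP parser that refuses DTDs and external entities (the body comes from a remote peer), checks that a:RelatesTo names the MessageID the client sent, and pulls out the SOAP code and subcode, the wsman FaultDetail URI and the WSManFault Code attribute. Namespace-aware parsing is the point: the fault uses both s: and env: for the same SOAP namespace, so matching on prefixes would silently miss elements. The embedded sample is the fault posted above, cut down to the elements the reader touches; only the JDK is used.

```java
// Added example, not from the original post: hardened JAXP reader for a WS-Management fault.
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Iterator;
import javax.xml.XMLConstants;
import javax.xml.namespace.NamespaceContext;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;

public class WsmanFaultReader {
    static final String NS_SOAP = "http://www.w3.org/2003/05/soap-envelope";
    static final String NS_WSA = "http://schemas.xmlsoap.org/ws/2004/08/addressing";
    static final String NS_WSMAN = "http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd";
    static final String NS_WSMANFAULT = "http://schemas.microsoft.com/wbem/wsman/1/wsmanfault";

    /** Fields of interest; a null means the element was absent from the fault. */
    public static final class WsmanFault {
        public String relatesTo, code, subcode, reason, faultDetail, wsmanFaultCode;
    }

    /** The body comes from a remote peer, so DTDs and external entities are refused outright. */
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);   // s: and env: both map to the SOAP namespace; match on URIs, not prefixes
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** XPath that resolves the prefixes used in the expressions below to the WS-Man namespaces. */
    static XPath xpath() {
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setNamespaceContext(new NamespaceContext() {
            public String getNamespaceURI(String prefix) {
                switch (prefix) {
                    case "s": return NS_SOAP;
                    case "a": return NS_WSA;
                    case "w": return NS_WSMAN;
                    case "f": return NS_WSMANFAULT;
                    default:  return XMLConstants.NULL_NS_URI;
                }
            }
            public String getPrefix(String uri) { return null; }
            public Iterator<String> getPrefixes(String uri) { return null; }
        });
        return xp;
    }

    static String text(XPath xp, Document doc, String expr) throws Exception {
        String v = ((String) xp.evaluate(expr, doc, XPathConstants.STRING)).trim();
        return v.isEmpty() ? null : v;
    }

    /** Parses the fault and refuses it unless RelatesTo names the MessageID we sent. */
    public static WsmanFault read(String soapXml, String ourMessageId) throws Exception {
        Document doc = hardenedBuilder().parse(
                new ByteArrayInputStream(soapXml.getBytes(StandardCharsets.UTF_8)));
        XPath xp = xpath();
        WsmanFault fault = new WsmanFault();
        fault.relatesTo = text(xp, doc, "/s:Envelope/s:Header/a:RelatesTo");
        if (!ourMessageId.equals(fault.relatesTo)) {
            throw new IllegalStateException("fault does not answer our request: RelatesTo=" + fault.relatesTo);
        }
        String base = "/s:Envelope/s:Body/s:Fault/";
        fault.code = text(xp, doc, base + "s:Code/s:Value");
        fault.subcode = text(xp, doc, base + "s:Code/s:Subcode/s:Value");
        fault.reason = text(xp, doc, base + "s:Reason/s:Text");
        fault.faultDetail = text(xp, doc, base + "s:Detail/w:FaultDetail");
        fault.wsmanFaultCode = text(xp, doc, base + "s:Detail/f:WSManFault/@Code");
        return fault;
    }

    /** The fault posted above, cut down to the elements this reader touches (constructed sample). */
    static final String SAMPLE_FAULT =
          "<s:Envelope xmlns:a='http://schemas.xmlsoap.org/ws/2004/08/addressing'"
        + " xmlns:s='http://www.w3.org/2003/05/soap-envelope'"
        + " xmlns:w='http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd'>"
        + "<s:Header><a:Action>http://schemas.xmlsoap.org/ws/2004/08/eventing/fault</a:Action>"
        + "<a:RelatesTo>uuid:a4b86ede-32d0-4a28-91f5-bc8f36bfca22</a:RelatesTo></s:Header>"
        + "<s:Body><s:Fault>"
        + "<env:Code xmlns:env='http://www.w3.org/2003/05/soap-envelope'><s:Value>s:Sender</s:Value>"
        + "<s:Subcode><s:Value>e:EventSourceUnableToProcess</s:Value></s:Subcode></env:Code>"
        + "<env:Reason xmlns:env='http://www.w3.org/2003/05/soap-envelope'><s:Text xml:lang='en-US'>"
        + "The connectivity test from the push subscription source to the client failed.</s:Text></env:Reason>"
        + "<s:Detail><w:FaultDetail>http://schemas.dmtf.org/wbem/wsman/1/wsman/faultDetail/UnusableAddress</w:FaultDetail>"
        + "<f:WSManFault xmlns:f='http://schemas.microsoft.com/wbem/wsman/1/wsmanfault' Code='2150858901' Machine=''>"
        + "<f:Message>The connectivity test from the push subscription source to the client failed.</f:Message>"
        + "</f:WSManFault></s:Detail></s:Fault></s:Body></s:Envelope>";

    public static void main(String[] args) throws Exception {
        WsmanFault f = read(SAMPLE_FAULT, "uuid:a4b86ede-32d0-4a28-91f5-bc8f36bfca22");
        System.out.println(f.code + " " + f.subcode + " -> " + f.faultDetail + " (WSManFault " + f.wsmanFaultCode + ")");
    }
}
```

The RelatesTo check is cheap and worth keeping: a client that dispatches on a:Action alone will happily act on a fault (or an event delivery) that answers a different request. The parser features are the standard Xerces ones shipped with the JDK; a client built on a different XML stack needs the equivalent DTD and external-entity switches for that stack.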

Sorry, I forgot to set the "java.security.krb5.conf" and "java.security.auth.login.config" properties.
But after I set these properties I got another exception:
GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
     at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:87)
     at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:111)
     at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178)
     at sun.security.jgss.spnego.SpNegoMechFactory.getCredentialElement(SpNegoMechFactory.java:109)
     at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178)
     at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:384)
     at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:42)
     at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:139)
     at com.symantec.cas.ucf.sensors.ws_management.WSServer.start(WSServer.java:132)
Caused by: javax.security.auth.login.LoginException: No LoginModules configured for
     at javax.security.auth.login.LoginContext.init(LoginContext.java:256)
     at javax.security.auth.login.LoginContext.<init>(LoginContext.java:499)
     at sun.security.jgss.GSSUtil.login(GSSUtil.java:244)
     at sun.security.jgss.krb5.Krb5Util.getKeys(Krb5Util.java:185)
     at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:82)
     at java.security.AccessController.doPrivileged(Native Method)
     at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:79)
     ... 28 more
But it seems to me that I've set the login module correctly:
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=false useTicketCache=false;
};
Maybe I missed something...
What do you think about it?
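
Added example, not code from the thread: the acceptor side of the Kerberos exchange that the connectivity test starts. The test request carries "Authorization: Kerberos <base64 token>", so the receiving server has to run GSS-API accept_sec_context on that token, which needs an ACCEPT credential, which is exactly what the stack trace above fails to obtain: Sun's JGSS reads the JAAS entry "com.sun.security.jgss.krb5.initiate" for client-side contexts and "com.sun.security.jgss.krb5.accept" when an ACCEPT_ONLY credential is created, and the posted config only defines the initiate entry. Everything else here is assumed rather than taken from the thread: Java 8 or later, a collector service principal HTTP/antares.example.com@EXAMPLE.COM with its key in /etc/antares.keytab, an event source machine account VISTAHOST$@EXAMPLE.COM, plain HTTP on port 443 as in the NotifyTo address, and that WinRM is satisfied by a 200 with the mutual-authentication token in WWW-Authenticate (the thread itself does not settle what WinRM expects back).

```java
// Added example, not from the thread. JAAS entries, in the file named by
// -Djava.security.auth.login.config (paths and principals are assumptions):
//
//   com.sun.security.jgss.krb5.accept {
//       com.sun.security.auth.module.Krb5LoginModule required
//           useKeyTab=true
//           keyTab="/etc/antares.keytab"
//           principal="HTTP/antares.example.com@EXAMPLE.COM"
//           storeKey=true
//           isInitiator=false
//           doNotPrompt=true;
//   };
//
// The initiate entry from the thread stays alongside it for the client-side Subscribe call.
import java.io.IOException;
import java.net.InetSocketAddress;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;

public class PushSubscriptionReceiver {

    /** Event sources allowed to deliver to us (assumed). Authentication alone is not authorisation. */
    static final Set<String> ALLOWED_SOURCES = new HashSet<>(Arrays.asList("VISTAHOST$@EXAMPLE.COM"));

    /** Outcome of one accept_sec_context round. */
    static final class Accepted {
        final String replyToken;   // base64 AP-REP for the peer; empty if it did not ask for mutual auth
        final String peer;         // authenticated client principal
        final GSSContext context;  // keep it: later deliveries are wrapped under this context's session key
        Accepted(String replyToken, String peer, GSSContext context) {
            this.replyToken = replyToken; this.peer = peer; this.context = context;
        }
    }

    /** Verifies the "Authorization: Kerberos <base64>" header of the connectivity test. */
    static Accepted accept(GSSManager manager, String authorization) throws GSSException {
        if (authorization == null || !authorization.regionMatches(true, 0, "Kerberos ", 0, 9)) {
            throw new GSSException(GSSException.DEFECTIVE_TOKEN, 0, "no Kerberos token in Authorization");
        }
        byte[] inToken = Base64.getDecoder().decode(authorization.substring(9).trim());
        Oid krb5 = new Oid("1.2.840.113554.1.2.2");                 // Kerberos V5 mechanism OID
        GSSCredential ours = manager.createCredential(null,         // null: the keytab principal from the accept entry
                GSSCredential.INDEFINITE_LIFETIME, krb5, GSSCredential.ACCEPT_ONLY);
        GSSContext ctx = manager.createContext(ours);
        byte[] outToken = ctx.acceptSecContext(inToken, 0, inToken.length);
        if (!ctx.isEstablished()) {                                 // a Kerberos AP-REQ establishes in one round
            ctx.dispose();
            throw new GSSException(GSSException.FAILURE, 0, "context not established after AP-REQ");
        }
        String peer = ctx.getSrcName().toString();
        if (!ALLOWED_SOURCES.contains(peer)) {
            ctx.dispose();
            throw new GSSException(GSSException.UNAUTHORIZED, 0, "unexpected event source " + peer);
        }
        String reply = outToken == null ? "" : Base64.getEncoder().encodeToString(outToken);
        return new Accepted(reply, peer, ctx);
    }

    public static void main(String[] args) throws IOException {
        GSSManager manager = GSSManager.getInstance();
        HttpServer server = HttpServer.create(new InetSocketAddress(443), 0);   // NotifyTo was http://Antares:443
        server.createContext("/", (HttpExchange ex) -> {
            String auth = ex.getRequestHeaders().getFirst("Authorization");
            try {
                Accepted a = accept(manager, auth);
                System.out.println("connectivity test from " + a.peer);
                if (!a.replyToken.isEmpty()) {
                    ex.getResponseHeaders().set("WWW-Authenticate", "Kerberos " + a.replyToken);
                }
                ex.sendResponseHeaders(200, -1);   // -1: no body, matching the zero-length test request
                a.context.dispose();               // a real collector keeps it to unwrap() the event deliveries
            } catch (GSSException e) {
                System.err.println("rejected: " + e.getMajorString() + " " + e.getMinorString());
                ex.getResponseHeaders().set("WWW-Authenticate", "Kerberos");
                ex.sendResponseHeaders(401, -1);
            } finally {
                ex.close();
            }
        });
        server.start();
    }
}
```

Run it with the two properties the follow-up names, -Djava.security.krb5.conf and -Djava.security.auth.login.config, and make sure the SPN HTTP/antares.example.com is registered on the account whose key is in the keytab, otherwise the event source cannot obtain a ticket for the collector and never gets as far as the POST. The "messages encrypted with the Negotiate or Kerberos SSP" note quoted above applies to the event deliveries that follow the test: they arrive GSS-wrapped under the session key of this same context, so a real collector has to keep the GSSContext per event source and unwrap() the delivery bodies rather than dispose of it as this sketch does.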

Similar Messages

  • QoS value for http traffic from IP Phone

    Since the phone marks all voice with COS 5 and data traffic with COS 0, does this also include traffic sourced from the IP Phone's HTTP requests when doing Directory Lookups and IP Phone Services?
    Thanks!

    With 4.1 and up (not sure if 4.0 had this), this traffic is marked with TOS 3 or DSCP CS3 (24). You can modify this enterprise parameter to whatever you want.
    DSCP for SCCP Phone-based Services :
    This parameter specifies the Differentiated Service Code Point (DSCP) IP classification for IP phone services on SCCP-based phones, including any HTTP traffic. Note: You must restart SCCP-based phones for this parameter change to take effect.
    This is a required field.
    Default: default DSCP (000000).
    Restart SCCP-based phones for the parameter change to take effect.
    HTH
    Sankar
    PS: please remember to rate posts!

  • WSA access logging for HTTPS traffic

    Hi,
    We have a WSA S370 with AsyncOS version 7.5.1-079 and it is configured as a transparent proxy.
    HTTPS proxy is enabled and all the URL categories are set to pass through (no decrypting or monitoring).
    Seems like the WSA does not generate logs for HTTPS transactions.
    I would like to know whether this is the expected behaviour.
    Is there any way that I can monitor HTTPS transactions without decrypting ?
    Thanks,
    Wipula.

    In addition to what Ken mentioned, the only way you can monitor HTTPS traffic without decrypting it is by the IP address.
    In the access logs, you will see the following transaction when accessing an HTTPS site (Google, for example):
    TCP_CONNECT 74.125.101.50
    It will only report URLs once decrypted. At that point, it is just HTTP.
    -Vance

  • Cookie persistence for HTTP traffic

    hello,
    I have the following situation: on an 11506, clients connect to a VIP on port 80; this VIP maps to port 7777 on 2 services. The objective is to configure cookie persistence for HTTP. The cookie persistence should be for URI /thestring/
    I have used
    advanced-balance cookies
    string prefix "/thestring/"
    in the content rule and it did not work.
    Does this have anything to do with the port changing from 80 to 7777, or am i missing something for cookie persistence?
    Regards
    Bassam

    Thanks for your reply; still, it sometimes works and sometimes doesn't.
    my service config:
    service ebizsso1
    keepalive frequency 3
    keepalive port 7777
    ip address 10.10.230.82
    port 7777
    protocol tcp
    string /oiddas/
    active
    my content rule
    content ebizsso-servers
    add service ebizsso1
    vip address 10.10.231.9
    protocol tcp
    port 80
    advanced-balance cookieurl
    string prefix "/oiddas/"
    active
    Is this what is required?
    thank you
    bassam

  • Multiple HTTP Servers, 1 for HTTP and other for HTTPS

    I am trying to install 9iAS 1.0.2.2.2 on 2 machines both running Solaris. The 1st machine hosts the database (8.1.7.4) and the other hosts the App server (9iAS). What I am trying to achieve is to have 2 listeners, one for HTTP traffic and the other for HTTPS traffic. Has anyone configured this who could shed some light and enlighten me?
    With all the notes I have read, I have understood that I need to basically install 2 instances of Apache in 2 different Oracle Homes, but my question is how I can have just one portal repository. Or rather, I should say, if somebody could guide me through installing the 2 instances of Apache.
    Thanks
    Mir

    You left out Twixl.
    Bob

  • WEB_CAT User Notifications different for http and https

    Hi,
    We're using a AsyncOS7.5 on Ironport S360.
    When a user accesses a URL which according to URL Category Filtering is forbidden
    (e.g. www.mydrive.ch) then the Error Message when using http is:
    This  Page Cannot Be Displayed
    Based on your organization's policies, access to this web site (http://www.mydrive.ch/)
    has been blocked because the web category .... is not allowed.
    Date:
    Username:
    Source:
    URL:
    Category:
    Reason:
    Notification:
    If on the other hand the user uses https then the error message looks like this:
    The proxy server is refusing connections
    Firefox is configured to use a proxy that is refusing connections.
    - Check the proxy settings ...
    - Contact your network administrator ...
    Does anyone know why is that and how can I make it use the former notification for both cases?

    Hi Jannis,
    In the HTTP policy or access policy, the returned log for traffic blocked due to category is BLOCK_WEBCAT, and you will also see a TCP_DENIED/403 in the line.
    In the decryption policy for HTTPS traffic, the returned log for traffic blocked due to category is DROP_WEBCAT, and you will also see a TCP_DENIED/403 in the response.
    With policy trace:
    For HTTPS traffic it should reply with information that indicates that the HTTPS request dropped based on URL category.
    And for HTTP traffic, it should reply with "Request blocked based on URL category"
    Also, you can determine which policy that triggers the blocking, whether it is the access policy (for HTTP) or decryption policy (for HTTPS).
    thanks,
    Donny

  • How to shape a 5Mbit link (4Mb reserved for HTTP, 1Mbit for all else)

    I have a dual-NIC Linux router. The internal LAN is on eth0. External (Internet) is on eth1. Our Internet is a 5Mbit dedicated link. I'd like to set up traffic shaping to guarantee 4Mbit for HTTP traffic, and whatever is left over (1Mbit) for SMTP and any other traffic.
    Is there a simple way to accomplish this?

    Try to Google "QoS Linux". As far as I can say, what you want is QoS (quality of service).

  • MPF ASA for Web Filtering. Https traffic

    SOURCE: https://supportforums.cisco.com/docs/DOC-1268#Allow_specific_urls
    Hi all,
    I have the following configuration in my ASA based on guidelines from the above source to allow only certain sites in my home and block all requests to HTTP and HTTPS sites. However, requests to HTTP sites are being blocked but not to HTTPS. Only one host in the network can access all sites.
    access-list WEBFILTER extended deny tcp host 192.168.254.115 any eq www
    access-list WEBFILTER extended deny tcp host 192.168.254.115 any eq https
    access-list WEBFILTER extended permit tcp any any eq www
    access-list WEBFILTER extended permit tcp any any eq https
    regex allowex1 "website1\.com"
    regex allowex2 "website2\.com"
    class-map type inspect http match-all allow-url-class
    match not request header host regex allowex1
    match not request header host regex allowex2
    class-map allow-user-class
    match access-list WEBFILTER
    policy-map type inspect http allow-url-policy
    parameters
    class allow-url-class
      drop-connection
    policy-map allow-user-url-policy
    class allow-user-class
      inspect http allow-url-policy
    service-policy allow-user-url-policy interface inside
    HOW can the HTTPS traffic be also blocked in the above configuration? What am I missing?
    Thanks in advance for your help
    Juan

    Is it even possible for MPF on the ASA to inspect and filter HTTPS traffic? I do not even see it in the options:
    (config)# class-map type inspect ?
    configure mode commands/options:
      dns   Configure a class-map of type DNS
      ftp   Configure a class-map of type FTP
      h323  Configure a class-map of type H323
      http  Configure a class-map of type HTTP
      im    Configure a class-map of type IM
      sip   Configure a class-map of type SIP

  • Exchange Server Restarts Automatically After Configuring Allowed Kerberos Encryption Types

    Hi,
    Our Exchange 2013 SP1 servers are installed on Windows Server 2012 R2. After configuring "Network security: Configure encryption types allowed for Kerberos" to AES256_HMAC_SHA1 only, the Exchange Servers began rebooting automatically. But after adding RC4_HMAC_MD5, the issue stopped.
    Does this mean that Exchange 2013 SP1 requires RC4_HMAC_MD5 as an allowed Kerberos encryption type?

    this will help you to understand...
    http://blogs.msdn.com/b/openspecification/archive/2011/05/31/windows-configurations-for-kerberos-supported-encryption-type.aspx
    Thanks Prem P Rana MCSA Messaging 2003 MCSE 2003 Server MCTS MCITP Exchange 2007, 2010 Gurgaon, India http://blogs.msexchange-experts.com

  • Does WAAS really support TFO, DRE and LZC for HTTPS?

    We are currently using WAAS 4.0.17.b.14 to optimize HTTP across the WAN using TFO, DRE and LZ Compression. Does this same WAAS version (or a newer one) support all methods of optimization for HTTPS too?

    In 4.0.17, you should only configure HTTPS traffic for TFO (TCP Flow Optimization). If you configure HTTPS for full optimization, then you will just be wasting CPU processing and DRE disk space as WAAS can't look inside the encryption. In a future release (4.1.x) there will be SSL decryption available so you can take advantage of full optimization of HTTPS traffic.
    Dan

  • Internet Connection sharing and HTTP traffic

    Hello anyone,
    I have a late 2009 iMac and a late 2008 MacBook Air. I connect to the internet via an ADSL PPPoE modem, which is connected to the iMac via Ethernet. I've set up the iMac to share the ADSL connection via AirPort to the MacBook Air, with WEP protection (it's either WEP or no protection at all, so I have to stick with it). Before the OS X Lion upgrade, everything worked fine (the iMac used Snow Leopard and the MacBook used Leopard). Now I have upgraded both computers to Lion: the iMac works flawlessly, but the MacBook Air is unable to get HTTP traffic from the iMac. IMAP, Skype, ICMP, XMPP and other protocols work fine but HTTP has some problems. First of all, I can get some web pages (either via a browser or curl), like Google and Google-owned sites (YouTube, Orkut, Blogger...), Macworld.com and some Italian sites, but if I try other sites, all I get is the browser loading something forever. If I ping these sites, they reply normally. If I try to get (for instance) Yahoo's homepage with curl, all I get is a blank file (and curl shows that 0 bytes were transmitted/received). This problem shows with every device I use via Wi-Fi, such as iPod touch, iPhone and another MacBook (with Snow Leopard on).
    So I guess there's some problem in the iMac's Connection Sharing... does anyone have a suggestion?
    Thanks
    Simone

    I know nothing about Windows. Nothing.
    But to configure your Mac to share an Ethernet to Wi-Fi connection, follow these steps:
    My Mac mini is connected to the internet by Ethernet cable to my ISP's Arris gateway. I am sharing the Ethernet connection to two iPod Touches, an iPhone and now an iPad 2 over AirPort from my Mac mini.
    1. In Sys Prefs/Sharing I highlighted Internet Sharing (do not check the box)
    2. Share your connection from: Ethernet (from the dropdown menu)
    3. To computers using: AirPort (check the little box)
    4. Press the button AirPort Options...
    5. Name your Network
    6. I use Automatic for the channel
    7. I encrypt my network using a 40-bit WEP key
    8. For a non-Apple device, like a Windows laptop or an XBox, you must use only a 5 alphanumeric character, 40-bit WEP password or only a 13 alphanumeric character, 128-bit WEP password
    9. Press OK
    10. Check the box for Internet Sharing
    11. Answer any dialog boxes that pop up
    Dah•veed

  • Steps to enable Web Proxy for https

    I have an S160 WSA and want to enable the Web service for http and https. I am using transparent mode with WCCP.
    This is part of the router configuration:
    ACL:
    access-list 110 permit tcp 192.168.80.0 0.0.7.255 any eq 80
    access-list 120 permit tcp 192.168.80.0 0.0.7.255 any eq 443
    ip wccp 97 redirect-list 110
    ip wccp 98 redirect-list 120
    interface FastEthernet0/0.380
    ip wccp 97 redirect in
    ip wccp 98 redirect in
    It is the same configuration for http and for https, but only http traffic is working. When I see the logs in the WSA, it looks like accepted connections for https.
    In Security Services -> Web Proxy it is enabled; when I put in port 443, I get an HTTPS error on the end user laptop; when I don't, it keeps trying and I get a timeout.
    I tried enabling the HTTPS proxy but some sites (such as Gmail) won't work with self-generated certificates.
    Would you please list the steps to enable proxy services for HTTPS.
    Thanks!!!
    Sergio L.

    Hi Sergio,
    When WSA is configured as a transparent proxy, it also accepts explicit connections. So in order to test the HTTPS proxy, you can configure the client browser to explicitly use WSA as a proxy and see if it is working before testing in transparent mode.
    When WSA is used as HTTPS proxy, it uses its self-generated certificate to encrypt the connection between itself and the client browser. Since this certificate is not trusted by browser, it'll throw SSL certificate error when connecting via WSA. In order to get rid of this error, download the self-generated certificate from WSA and install it in your browser as a trusted certificate. That should resolve SSL issue with gmail also.
    Hope this helps.
    Thanks,
    Chetan

  • Lync FIPS 140-2 encryption for Data in Transit Certificate?

    I work for an organization that has deployed Lync 2013 throughout the enterprise. 
    We have no need for “Data at Rest” encryption on the servers or clients at this time, but we do have a customer requirement for FIPS 140-2 encryption for “Data in Transit”. Does Lync provide data in transit encryption utilizing one of the National Institute of Standards and Technology (NIST) approved modules by default? If so, have all the traffic types been “Certified” compliant (i.e. Server-to-Server, Client-to-Server, IM, Audio, Video, Desktop Sharing, web conferencing, etc…)?
    I’ve read all the technet articles and looked at the following links, but it is not clear to me. 
    I cannot find the certification number and certificate for the FIPS 140-2 validation for Lync's encryption module on either the Microsoft or NIST websites.
    http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
    https://technet.microsoft.com/en-us/library/security/cc750357.aspx

    Lync Server 2013 and Microsoft Exchange Server 2010 Service Pack 1 (SP1) operate with support for Federal Information Processing Standard (FIPS) 140-2 algorithms if the Windows Server 2008 R2 operating systems are configured to use the FIPS 140-2 algorithms for system cryptography. To implement FIPS support, you must configure each server running Lync Server 2013 to support it. For details about FIPS-compliant algorithms and how to implement FIPS support, see Microsoft Knowledge Base article 811833, "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing security setting in Windows XP and in later versions of Windows" at http://go.microsoft.com/fwlink/p/?linkid=3052&kbid=811833. For details about FIPS 140-2 support and limitations in Exchange 2010, see "Exchange 2010 SP1 and Support for FIPS Compliant Algorithms" at http://go.microsoft.com/fwlink/p/?linkId=205335.
    For More information on FIPS in Lync server 2013 
    http://technet.microsoft.com/en-us/library/jj205114.aspx 
    http://technet.microsoft.com/en-us/library/jj205084.aspx 
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer". Regards Edwin Anthony Joseph

  • Need suggestion for ISE distributed deployment model in two different data centers along with public certificate for HTTPS

    Hi Experts,
    I am a bit confused about the ISE distributed deployment model.
    I have two data centers: one is the DC and the other one is a DR. I have a requirement to implement the guest access service using CWA and to get a public certificate for HTTPS to avoid certificate errors on client devices:
    How do I deploy the ISE personas for HA in these two data centers?
    After reading the Cisco doc, I understood that we can have two PANs (Primary in DC & Secondary in DR), and likewise for MnT (Monitoring will be the same as PAN). However, I can have 5 PSNs running in the secondary, i.e. in the DR ISE; however, I have confusion about HA for the PSNs. Since we have all PSNs in the secondary, it would not work for HA if it fails.
    Can anybody suggest the best deployment solution for this scenario?
    Another doubt, about the public certificate:
    Public Certificate: The ISE domain must be a registered domain name, or part of a registered domain name, on the Internet. For that I need the domain name being used by the customer.
    Please do correct me if I am wrong about my certificate understanding:
    Since guests will be outside users, we cannot use a certificate from the internal CA; we need to get the certificate from a service provider and install the same in both ISE servers.
    Can anybody explain the procedure to obtain the public certificate for HTTPS from a service provider? And how do I install it in both ISE servers?

    Hi there. Let me try answering your questions:
    PSN HA: The PSNs are not configured as "primary" or "secondary" inside your ISE deployment. They are just PSN nodes as far as ISE is concerned. Instead, inside your NADs (In your case WLCs) you can specify which PSN is primary, which one is secondary, etc. You can accomplish this by:
    1. Defining all PSN nodes as AAA radius servers inside the WLC
    2. Then under the SSID > AAA Servers Tab, you can list the AAA servers in the order that you prefer. As a result, the WLC will always use the first server listed until that server fails/gets reloaded, etc. 
    3. As a result, you can have one WLC or SSID prefer PSN server A (located in primary DC) while a second WLC or SSID prefer PSN server B (located in backup DC)
    Last but not least, you could also place PSNs behind a load balancer and that way the traffic would be equally distributed between multiple PSNs. However, the PSN nodes must be Layer 2 adjacent, which is probably not the case if they are located in two different Data Centers.
    Certificates: Yes, you would want to get a public certificate to service the guest portal. Getting a public/well known certificate would ensure that most devices out there would trust the CA that signed your ISE certificate. For instance, VeriSign, GoDaddy, Entrust are some of the ones out there that would work just fine. On the other hand, if you use a certificate that was signed by your internal CA, then things would be fine for your internal endpoints that trust your internal CA but for any outsiders (Guests, contractors, etc) that do not trust and do not know who your internal CA is would get a certificate error when being redirected to the ISE guest portal. This in general is only a "cosmetic" issue and if the users click "continue" and add your CA as a trusted authority, the guest page would load and the session would work. However, most users out there would not feel safe to proceed and you will most likely get a lot of calls to your helpdesk :)
    I hope this helps!
    Thank you for rating helpful posts!

  • ISE Guest Portal only redirect HTTPS traffic.

    I have a wireless deployment consisting of the following:
    5760 WLC & ISE 1.2
    Am I missing something here
    I have 4 similar deployments, and never had these issues:
    On Android / Apple devices, the guest portal does not pop up automatically &
    On a Windows Laptop only https traffic directs to the guest portal.
    Thanx

    I think you need to recheck the configuration; also check the link for a step-by-step config:
    http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-security/landing_DesignZone_TrustSec.html
