Kernel SSL (KSSL) Proxy isn't listening on port 443

Hello
I'm having some trouble with Solaris 10 KSSL. The SMF says it's configured and online but netstat shows nothing listening on 443. The configuration I'm using is below so you can try it if you like.
Thanks for any insight.
J
--- config commands start here ---
- Generate certificate and key (In this case self-signed for testing)
/usr/sfw/bin/openssl req -x509 -nodes -days 365 -subj "/C=NZ/ST=Canterbury/L=MtHutt/CN=`hostname`" -newkey rsa:1024 -keyout /var/tmp/mykey.pem -out /var/tmp/mycert.pem
- Configure KSSL Proxy instance
echo "password" > /var/tmp/kssl.pass
cat /var/tmp/mycert.pem /var/tmp/mykey.pem > /var/tmp/mystuff.pem
rm /var/tmp/mykey.pem /var/tmp/mycert.pem
(NOTE: The following command must be run from Global Zone.)
ksslcfg create -f pem -i /var/tmp/mystuff.pem -p /var/tmp/kssl.pass -x 8080 443
- Configure web server
(This example uses the Solaris supplied Apache in /usr/apache2)
hostname=`hostname`
ipaddr=`grep $hostname /etc/hosts | awk '{ print $1 }'`
cat /etc/apache2/httpd.conf-example | sed "s/^Listen 80/Listen $ipaddr:8080/" > /etc/apache2/httpd.conf
svcadm enable apache2
Edited by: ajcook on 9/01/2009 00:25

The answer, as it often is, was user error. I had neglected to restart the Apache server to listen on the KSSL proxy port (port 8080 in the example given).
Mildly interesting exercise because it means that the KSSL doesn't start listening on it's SSL port until it verifies that the proxy port is available.
As soon as Apache was restarted, KSSL burst into life, ie.
/usr/sfw/bin/openssl s_client -connect localhost:443
CONNECTED(00000004)

Similar Messages

  • How do i temporarily disable TLS/SSL port 443 going to server on CSS

    We are having issues with truncating packets that go through the CSS
    I did a capture after the CSS and there is truncation............however i cant read it before the since everything is encrypted.
    They hit vip address 172.20.120.16. on the CSS and get redirected to 2 servers depening on what the url says
    They server team would like to turn it off just to test..i tried removing
    "add service ARR-public-ssl" from the contetn below and we lost http and https to the server
    so in essence i want to try and turn the 443 connection to a port 80---than it goes to port 7777 backend to 172.20.212.6
    content BYE-WEB-SSL
       vip address 172.20.120.16
       protocol tcp
       port 443
       advanced-balance ssl
       application ssl
       add service ARR-public-ssl
       active
    ssl-server 40
    ssl-server 40 rsacert byetest
    ssl-server 40 vip address 172.20.120.16
    ssl-server 40 cipher rsa-with-rc4-128-sha 172.20.120.17 80
    ssl-server 40 cipher rsa-with-rc4-128-md5 172.20.120.17 80
    ssl-server 40 urlrewrite 1 *
    ssl-server 40 cipher rsa-with-3des-ede-cbc-sha 172.20.120.17 80
    ssl-server 40 rsakey byekey
    backend-server 50
    backend-server 50 type initiation
    backend-server 50 server-ip 69.xxx.xxx.xxx
    backend-server 50 ip address 69.xxx.181.xxx
    backend-server 50 rsacert byetest
    backend-server 50 rsakey byekey
    active
    !************************** SERVICE **************************
    service TIE-SSLINIT
      protocol tcp
      ip address 69.xxx.xxx.xxx
      keepalive type tcp
      keepalive port 443
      slot 2
      type ssl-init
      add ssl-proxy-list HR-SSL
      active
    owner PublicBYE
      content BYE-WEB-ARRR
        vip address 172.20.120.17
        protocol tcp
        port 80
        url "/arr*"
        advanced-balance arrowpoint-cookie
        balance aca
        arpt-lct http-100-reinsert
        add service BYE-ods-web1
        active
      content BY-WEB-TIX
        protocol tcp
        port 80
        url "/tix*"
        advanced-balance arrowpoint-cookie
        balance aca
        arpt-lct http-100-reinsert
        add service BYE-ods-web2
        vip address 172.20.120.17
        active
      content BYE-WEB-TIX-CLEARTEXT
        add service TIX-SSLINIT
        vip address 172.20.120.19
        protocol tcp
        port 80
        active
    content BYE-WEB-Nav
      vip address 172.20.120.17
      protocol tcp
      port 80
      url "/na*"
      balance aca
      arpt-lct http-100-reinsert
      add service BYE-ods-web1
      active
    content BYE-WEB-SSL
      vip address 172.20.120.16
      protocol tcp
      port 443
      advanced-balance ssl
      application ssl
      add service ARR-public-ssl
      active
    service BYE-ds-web1-ssl
      ip address 172.20.212.5
      port 443
      keepalive type ssl
      active
    service BYE-ds-web2
      ip address 172.20.212.6
      port 7777
      keepalive port 7777
      keepalive type tcp
      active
    service BYE-ds-web2
      ip address 172.20.212.6
      port 7777
      keepalive port 7777
      keepalive type tcp
      active
    service BYEos-web2-ssl
      ip address 172.20.212.6
      port 443
      keepalive type ssl
      active

    CSS11506# sh ver
    Version:               sg0810205 (08.10.2.05)
    Flash (Locked):        08.10.1.06
    Flash (Operational):   08.10.2.05
    Type:                  PRIMARY
    Licensed Cmd Set(s):   Standard Feature Set
                           Secure Management
    Yeah..if done a packet trace before it hits the CSS and after......the only issue is that everything is engrypted before it hits the LB so i cant really read anythign....i did a pacet trace after the LB and on the Server itself its seems we get this
    I thought i saw some bug info from cisco but i cant tell if its related
    CSCsx05640—When you configure the CSS for a Layer 5 (L5) content rule and it receives an HTTP method POST with the HTTP header in one packet that is quickly followed by many packets of POST data or payload, it could fail to deliver all the data to the back-end server. The CSS Flow Manager (FM) application could incorrectly handle the POST and the data packet as a spanned content request and could cause the data to be mishandled. Workaround: Use less than 1-Gb connections in the network; a 100-Mb link does not exhibit this issue.
    As you can see after the content-length..........nothing comes across........sometimes addtional stuff will come in ...but usually nothing
    Is there a bug related to this on the CSS?
    POST /TIXX/DocumentRepository_Service HTTP/1.1
    Accept-Encoding: gzip,deflate
    Content-Type: application/soap+xml;charset=UTF-8;action="urn:ihe:iti:2007:ProvideAndRegisterDocumentSet-b"
    User-Agent: Jakarta Commons-HttpClient/3.1
    Host: www.xxxxxxxxxxxx.net
    Content-Length: 9044

  • WebServer 6.1 SP3 SSL reverse proxy to Sun One Application Server 7

    I have an application in the appserver7 that requires SSL authentication. I have already installed a self cert in the appserver7, and the authentication works fine when I browse directly to the appserver.
    The appserver7 has both listener for port 80 and 443 enabled.
    I'm currently setting up a webserver (WebServer 6.1 SP3) to act as a reverse proxy to the appserver7. The reverse proxy for the basic jsp pages found in the appserver worked fine.
    When I try to access the login page, in the appserver, in ssl mode, I am unable to do so. I then try changing the obj.conf to the following, from http to https:
    <Object name="passthrough">
    ObjectType fn="force-type" type="magnus-internal/passthrough"
    Service fn="service-passthrough" method="(GET|HEAD|POST)" servers="https://172.2
    8.48.53"
    However, it still doesn't work.
    Do I need to install a self cert in the webserver and enable the ssl listener as well?
    Do I need to install any reverse proxy addon for the appserver? Any
    setup for the obj.conf in the appserver?
    Any ideas how to get this done?
    Thanks.
    Mac.

    The Web Server 6.1 SP3 Reverse Proxy Plugin is supported, but it sounds like you're trying to do something that simply isn't possible.
    If you want the Reverse Proxy Plugin to perform SSL mutual authentication with the Application Server using the client's certificate, that's impossible due to the nature of SSL mutual authentication. If the plugin could impersonate the client, then SSL would be vulnerable to MITM (Man In The Middle Attacks). Fortunately, SSL isn't vulnerable to such attacks because the plugin doesn't know the client's private key.
    If you simply want the Reverse Proxy Plugin to pass information about the client's certificate along to the Application Server, that hapens automatically. There's nothing special to configure. Note that the plugin will not authenticate to the Application Server in this case. Rather, it will simply copy the X.509 certificate into the proprietary Proxy-auth-cert: HTTP request header.
    The application running on the Application Server can inspect the Proxy-auth-cert: header using standard Servlet APIs. Alternatively, you can use Application Server 7's auth-passthrough AuthTrans SAF to cause the contents of the Proxy-auth-cert: header to be copied to the javax.servlet.request.X509Certificate Servlet attribute.

  • Reverse Proxy Configuration - Apache as an SSL reverse-proxy

    Hi,
    We have EP 6.0 SP 14 installed with SSL configured.
    We are in need to open the application to internet.
    For the same we have set up a reverse proxy server (Apache as SSL
    Reverse Proxy).
    Our requirement is to open the application to the internet with
    web address https://abc.domain.com.
    The issue is we are able to access the application from internet only when
    https://abc.domain.com/irj/potal is typed.
    (ie.) Mapping is working fine for
    https://abc.domain.com/irj/portal to
    our EP Portal address https://abc2.domain.com:50001/irj/portal
    And not working for mapping https://abc.domain.com to our EP Portal
    address https://abc2.domain.com:50001/irj/portal
    We have been working on to resolve this issue for days together but have been really unsuccessful
    Kindly help us in resolving the same asap.
    Note : The references we used are:
    1. SAP's document:
    "Apache Reverse Proxy Configuration for J2ee 6.20 and 6.40 Web Applications"
    2. Weblogs:
    The Reverse Proxy Series -- Part 1: Introduction
    The Reverse Proxy Series -- Part 3: Apache as a reverse-proxy
    The Reverse Proxy Series -- Part 3.1: Apache as an SSL reverse-proxy
    Regards,
    venkat.

    Thanks much for the feedback. We're using the default settings on the HTTP rule we have set up for the portal on the ISA server. We'll be looking into the details of what the default rule settings are, however we did find a note in the Microsoft Knowledge base detailing with the ISA server screening high bits in URL strings for Outlook Web Access (OWA). This generates a similar error message. Here is the link to the detailed note on the Microsoft web site:
    http://support.microsoft.com/?scid=kb;en-us;837865
    Also,we are going to be applying the SP1 upgrade to the ISA server (released in March) to see if this might be some type of issue that may have been identified and corrected by the service pack. We'll see what happens with that.
    One area where we can recreate the problem at will is when we set up the system landscape configuration. We can navigate to a system configuration object, however when we attempt to right click to edit the object we get the error. There are other circumstances where we get errors but that is one that occurs for sure. Anyone have any idea as to what might be special about that type of transaction??
    Thanks again.
    Rich

  • ACE functionally question - SSL tunnelling / proxy on behalf of non SSL client

    Hi
    Can the ACE perform SSL tunnelling of web services(HTTP) traffic. Can ACE perform SSL tunnelling/proxy on behalf of a non SSL client.
    Example:
    Client (HTTP) ---->>> (HTTP)Cisco ACE(HTTPS) ------>>>>(HTTPS) Server
    The "client" Server does not support SSL.
    Can an ACE tunnel the web services traffic inside an SSL tunnel to a specific destination server on behalf of the client server (that does not support SSL)
    Are there any other Cisco products that could be used to perform this SSL tunnelling on behalf of a non SSL Client.
    Regards

    Hello Byron,
    Yes, the ACE can do it
    Here you have some of the flavors of SSL with the ACE.
    Here you have a sample about it:
    parameter-map type http CASE_PARAM
      case-insensitive
      persistence-rebalance
      set header-maxparse-length 65535
      set content-maxparse-length 65535
    class-map match-all CLEAR_TEXT_VIP
      2 match virtual-address 172.20.120.19 tcp eq www
    policy-map multi-match JORGE-MULTIMATCH
      class CLEAR_TEXT_VIP
        loadbalance vip inservice
        loadbalance policy POLICY_TO_ENCRYPT_TRAFFIC
        loadbalance vip icmp-reply active
        appl-parameter http advanced-options CASE_PARAM
    policy-map type loadbalance first-match POLICY_TO_ENCRYPT_TRAFFIC
      class class-default
        serverfarm ENCRYPTED-SERVERFARM
        ssl-proxy client SSL-PROXY-JORGE
    ssl-proxy service SSL-PROXY-JORGE
      key TAC-key
      cert TAC-cert
    serverfarm host ENCRYPTED-SERVERFARM
      rserver JORGE-SERVER 443
        inservice
    Here you have some additional details under the configuration guide:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/initiate.html
    Here you have some additional samples:
    http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_SSL_Configuration_Examples
    Hope this helps for you and fix your issue
    Jorge

  • SSL on port 443

    BM 3.8 sp5, Open Enterprise 6.5 SP6 - SSL - listening port 443 - Craig
    advised to change to port 444 because it conflicts with Apache on the
    server. Do my users need to type :444 when they authenticate or is this
    change will be transparent to them? Also, one of our NetAdmins indicates
    we are not running Apache...
    Please provide me with more info. on this issue.
    Thank you in advance for your help

    Is wrote:
    > BM 3.8 sp5, Open Enterprise 6.5 SP6 - SSL - listening port 443 - Craig
    > advised to change to port 444 because it conflicts with Apache on the
    > server. Do my users need to type :444 when they authenticate or is this
    > change will be transparent to them?
    I assume you're referring to proxy authentication, where the user enters
    credentials in the browser to gain access to the proxy. In this case the
    BM server automatically redirects users to the port 444 URL... they
    don't type it in. Thus, the port the proxy listens on for SSL
    *authentication* requests doesn't matter much, as long as it doesn't
    conflict with other services running on the server.
    Jim
    Support Sysop

  • Non SSL website on port 443

    Hi, I have a non-SSL website running on port 443. When I access this website using Chrome or IE it works just fine, but Firefox can't seem to accept what I have done. All browsers on the same machine and using the same web proxy.
    I access the website as http://xyz:443.
    Just a bit of background info as to why I need this. Where I work I can only access ports 443 and 80 via the web proxy. I have two distinct websites running on a couple of devices at home behind a very config-wise limited router which has ports 80 and 443 redirected to these hosts. There is no way for me to setup two port forward rules on port 80 to two different devices. I cannot setup SSL on either of the websites.
    Regardless of options that could exist to overcome my particular issue, I would like to check if you guys know how to make Firefox work with a website running on port 443 whilst not having a certificate assigned to it.
    Firefox 32.0.3
    Error message:
    The connection was reset
    The connection to the server was reset while the page was loading.
    The site could be temporarily unavailable or too busy. Try again in a few moments.
    If you are unable to load any pages, check your computer's network connection.
    If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

    What type of ssl are you running? [https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/]
    You can somehow remove the Strict-Transport-Security header or if there is a feature that forced encryption but by default https uses 443 for encryption. I do not know if this is possible.

  • I need to modify Postfix to listen to port 587

    Mountain Lion Server OS X 10.8.4
    Running Mail service with Postfix and Dovecot. In production with several mailboxes.
    I need to modify Postfix to listen to port 587. I should be able to telnet to port 587, and finally send mail via 587.
    587 already redirects to 25 via the firewall, but external devices need to visit the internal subnet without modifications to the mail app.
    At this stage I just want to get it working with password authentication.   SSL is a project for another day.
    Here's my understanding of the OS X Postfix config:
    /etc/services file:
    Maps service names to port numbers.  Port 25 is  "smtp" and port 587 is "submission".
    /etc/postfix/master.cf file:
    Loads Postfix preferences. Service configurations for "smtp" and "submission" are listed at the top of the file. Each service configuration can be modified with parameters (-o variable_name_here=value_here).
    I found many discussion boards with instructions for enabling 587. They suggest removing the comment syntax for the existing "submission" line:
    # submission inet n - - n - smtpd
    My server didn't have a comment, the line was already enabled:
    submission inet n - - n - smtpd
    I restarted services and 587 didn't work.
    Then I tried a more direct approach:
    587 inet n - - n - smtpd
    This had no effect.
    After each attempt to enable 587 I test with:
    telnet 127.0.0.1 587
    And I get: Connection Refused
    I used the Server app and turned Mail off and on. This stops and starts Postfix.
    I also used commands to restart Postfix:
    postfix stop
    postfix start
    sudo postfix stop
    sudo postfix start
    postfix reload
    sudo postfix reload
    Nothing opens 587.  Any ideas? Thanks in advance for your insights.
    -SE30Emulation

    @Kraftwerk: You cannot change the TCP port used for SMTP.  Well, technically, you can, but then no other mail servers on the Internet will find and communicate with your mail server.  So... forget that.
    The ISP controls the terms and conditions for the network connection, and particularly controls the network and network access.  There's just no way 'round that either, as the ISP has the network position to implement port blocks and firewalls, and usually the contractual authority to allow or deny access.
    With the proper (static) network connection and proper DNS, there is nothing to struggle with; this stuff works. 
    Which implies your ISP does not offer static connections, or there's an ISP error, or you're attempting to operate a mail server on a dynamic address.  None of this works.
    You might try mailhop service — if that's permitted within the limits of the terms of service — but it'll be easier and cheaper to host your mail elsewhere.  Or to get a static IP address and proper public DNS, if your ISP offers that. 
    SMTP services are also tied to DNS, as well; other mail servers use DNS checks to detect rogue (spam) servers, and a mail server erroneously configured on a dynamic IP address will have mismatched DNS, and other mail servers will detect that and drop mail from and often to that mail server; that server is indistinguishable from a spam engine.
    There's rather more the ISP can do as part of best-practices networking, too.  TCP port 25 connections both inbound and outbound are usually spam engines operating on malware-infested, so it's common to block that traffic to reduce the volume of spam.  Various ISPs will further blacklist dynamic IP address blocks, which means other SMTP servers using these blacklist services will ignore servers in these address ranges.
    Get static IP.  Or host elsewhere.  Or (if permitted) mail hop. 

  • Sccm 2012 R2 - Windows 7 not listening on Port 80

    Hello,
    In looking through smsts.log and IIS logs I saw a lot of error communicating on Port 80.  When  tried to telnet from a pc to our sccm 2012 server using port 80, it goes through fine. But when I tried it the other way around, it fails.  When
    I ran netstat -an |find /i  "listening" on my pc and others around me, I discover port 80 isn't listening. The firewall is off on both the pcs and sccm primary server.  Port 80 isn't blocked on the network.
      TCP     0.0.0.0:135            0.0.0.0:0              LISTENING
      TCP     0.0.0.0:445            0.0.0.0:0              LISTENING
      TCP     0.0.0.0:1025           0.0.0.0:0              LISTENING
      TCP     0.0.0.0:1026           0.0.0.0:0              LISTENING
      TCP     0.0.0.0:1027           0.0.0.0:0              LISTENING
      TCP     0.0.0.0:1028           0.0.0.0:0              LISTENING
      TCP     0.0.0.0:1036           0.0.0.0:0              LISTENING
      TCP     0.0.0.0:1041           0.0.0.0:0              LISTENING
      TCP     0.0.0.0:1057           0.0.0.0:0              LISTENING
      TCP     0.0.0.0:3389           0.0.0.0:0              LISTENING
      TCP     0.0.0.0:5357           0.0.0.0:0              LISTENING
      TCP    127.0.0.1:5020          0.0.0.0:0              LISTENING
      TCP     127.0.0.1:5354         0.0.0.0:0              LISTENING
      TCP     127.0.0.1:27015        0.0.0.0:0              LISTENING
      TCP     127.0.0.1:62522        0.0.0.0:0              LISTENING
      TCP     172.24.94.131:139      0.0.0.0:0              LISTENING
      TCP     172.24.102.23:139      0.0.0.0:0              LISTENING
      TCP     [::]:135               [::]:0                
    LISTENING
      TCP     [::]:445               [::]:0                
    LISTENING
      TCP     [::]:1025              [::]:0                
    LISTENING
      TCP     [::]:1026              [::]:0                
    LISTENING
      TCP     [::]:1027              [::]:0                
    LISTENING
      TCP     [::]:1028              [::]:0                
    LISTENING
      TCP     [::]:1036              [::]:0                
    LISTENING
      TCP     [::]:1042              [::]:0                
    LISTENING
      TCP     [::]:1057              [::]:0                
    LISTENING
      TCP     [::]:3389              [::]:0                 LISTENING
      TCP     [::]:5357              [::]:0                
    LISTENING
    I was told something has to initiate port 80 being open on win7.  Is this true? If so, any idea why sccm isn't doing this? I could switch to port 8530 (have to do this for wsus too), but would think networking would have to open this port and then again,
    would the pc listen for it?
    PS, The sccm position before this one,  dealt with Servers, that must have had port 80 listening.

    After installing SCCM client via Task Sequence, and rebooting, the Self-signed certificate never comes down so the other Action items in Cinfiguration Manager Properties never come down.  The only way I can get the Certificate to come down (seen in
    MMC) is to give full permission (No one had rights initially) to rsa keys folder, delete smscfg.ini file and restart the sms host service.  But if you go into configuration manager properties the client certificate is still shown as None. The locationServices.log
    shows :failed to send management point list location request message to Primary Server/MP. If try
    http://PrimaryServer it fails to connect from a pc. But if I try it from the primary server sccm01 it works fine. Port 80 is open on the network. 
    smsts shows:
     Sending with winhttp Failed; 80072ee2  and also socket connect failed; 8007274c
    Is there any other logs I can send you to help resolve this?
    Again, Thanks so much for all of your help!!!
    Mark

  • What's listening on port 454 and 455 in Azure? Warning flagged by security scan

    We are about to go live with an Azure Website and, as a precaution, did a security scan on the IP address that has been allocated to us.
    There were a number of low severity warnings listed which we're not too worried about, however the scan did flag that something appears to be listening on port 454 and 455, and supports TLS1.0.
    RESULTS:
    Available non CBC cipher Server's choice SSL version
    RC4-SHA DES-CBC3-SHA TLSv1
    Does anyone know what this is? I can't find it obviously listed anywhere. If it's not necessary, can I switch it off? And if it is necessary, can I set it to require a more secure protocol?
    We're hosted in the "Australia East" datacentre, in case that's relevant.
    Crossposted to Stack Overflow here:
    http://stackoverflow.com/questions/27807505/whats-listening-on-port-454-and-455-in-azure-warning-flagged-by-security-scan

    Hello Michael,
    These ports are used for internal communication in Azure Websites infrastructure. They are not site specific and you cannot turn them off. It is safe to ignore them.
    Thanks,
    Petr

  • Listening on port

    Hello,
    I have to listen on a port and catch any transportation going in/out to/from it, from any software using it to connect to another computer. An example: If I want a spam filter for my arriving e-mail messages, I want to listen to port 110 (the default for POP3), scan every message arriving, and let only messages that don't meet the filter criteria pass on to the mail agent. How can I do it?
    Thanks.

    Are you trying to write an application that acts as a proxy, i.e. connects to a Mailserver, retrieves mail, and allows another application (e.g. Mail Client application) to connect on a different port and collect the mail from your new application? This is how a lot of e-mail Anti-virus software works....
    ....or, are you trying to write a "packet sniffer" type application that intercepts all the traffic on a specific port, without the application that already connects on that port being aware, or needing to be reconfigured? This would be more like the way something like a software firewall works.
    If it's the former, it's relatively straightforward, if it's the latter, I would say it's almost impossible in Java. You would need access to the underlying operating system TCP/IP implementation, which you would need to handle through JNI to be able to use in Java, but this would certainly not be a trivial task.
    Hope this helps you, if you need more help with the first possibility, post again....
    D

  • How to do a PortForward/Port Proxy? Redirecting traffic from port 8080 to 80 on the SAME machine

    We have a CFTV system running on Win2008R2 that listens on 4 sequential port numbers and the last port is the Web Browser Port number for management and viwing cameras
    When we configure the port 8077 on the software, it opens 8077, 8078, 8079 and 8080 and works with no problem
    But...
    When we try to configure ports 77 (and therefore 77, 78, 79 and 80) thw applications hangs and seems like not be possible to configure to use port 80
    I could confirm that,  using NETSTAT and the main CFTV application open all required ports with no problem, but only works on ports with a different number from "80", wich is what i want, to make users more confortable, avoiding to type ":PORT_NUMBER"
    after the URL, it will be more "ellegant" solution to use default port 80 for user´s connections
    The question is: How to do a PortForward/Port Proxy? Redirecting traffic from port 8080 to 80 on the SAME machine?
    May i Use NETSH? (based on Help, it can be used to do this, but on different machines, not the same one)
    There is a RELIABLE application, running as a service, that can do the port forward/redirect?

    Hi,
    I’m sorry to tell you that we can’t redirect traffic from a port to another port on the same server itself. But we can do it with a router which is configured to portfoward.
    By the way, according to your description, another program may use the port 80. Is there an IIS installed on the server? If it is necessary, you can consult your CFTV system vendor.
    Hope this helps.
    Steven Lee
    TechNet Community Support

  • IChat File Transfer port issue (can't listen to port 5190 and 7777)

    Greentings ladies and gentlemen,
    I need help opening port 5190 and 7777 for ichat server file transfers. As for now, my situation can be described as below:
    (1)I have a ichat server in a mac mini(2010, newest model as for today) running a fully updated version of MACOSX SERVER 10.6 inside a lab in my university.
    (2)As for the ichat server itself, text, voice, video between 2 or more persons are all working great. As for clients the latest version of ichat and pidgin(text only) are being used. The only problem is the lack of file transfer between ichat clients.
    (3)The server is behind a router (YAMAHA RTX 1200). I am 100% sure that the router is correctly configured to allow packets in and out of the port 5190 and 7777, among the other necessary ports. All the other ports are open and working correctly. I also manually disabled the firewall of a windows7 laptop and tested packet transfers on both ports and both worked fine.
    (4)As I said before, the server is inside my university lab. I made sure that all ports between 1023~65535 are open in the univesity gateway/backbone network.
    Bellow are firewall(IPFW) settings before flushing (tried configuring using both GUI and CUI, and both returned the same results)
    sudo ipfw l
    Password:
    00001 allow udp from any 626 to any dst-port 626
    01000 allow ip from any to any via lo0
    01010 allow udp from any to any dst-port 5190
    01030 allow tcp from any to any dst-port 5190
    12300 allow tcp from any to any established
    12301 allow tcp from any to any out
    12302 allow tcp from any to any dst-port 22
    12302 allow udp from any to any dst-port 22
    12303 allow udp from any to any out keep-state
    12304 allow tcp from any to any dst-port 53 out keep-state
    12304 allow udp from any to any dst-port 53 out keep-state
    12305 allow udp from any to any in frag
    12306 allow tcp from any to any dst-port 311
    12307 allow tcp from any to any dst-port 625
    12308 allow icmp from any to any icmptypes 8
    12309 allow icmp from any to any icmptypes 0
    12310 allow igmp from any to any
    12311 allow tcp from any to any dst-port 5190
    12311 allow udp from any to any dst-port 5190
    12312 allow tcp from any to any dst-port 5222
    12313 allow tcp from any to any dst-port 5223
    12314 allow tcp from any to any dst-port 5269
    12315 allow udp from any to any dst-port 5297,5678
    12316 allow tcp from any to any dst-port 5298
    12316 allow udp from any to any dst-port 5298
    12317 allow udp from any to any dst-port 16384-16403
    12318 allow udp from any to any dst-port 5060
    12319 allow tcp from any to any dst-port 7777
    12320 allow tcp from any to any dst-port 8008
    12321 allow tcp from any to any dst-port 8443
    65535 allow ip from any to any
    And after flushing
    sudo ipfw l
    Password:
    65535 allow ip from any to any
    In either case ports that are being listened are listed below.
    netstat -na | grep LIST
    tcp46 0 0 *.5269 . LISTEN
    tcp46 0 0 *.5223 . LISTEN
    tcp46 0 0 *.5222 . LISTEN
    tcp4 0 0 127.0.0.1.5347 . LISTEN
    tcp46 0 0 *.5900 . LISTEN
    tcp4 0 0 *.88 . LISTEN
    tcp6 0 0 *.88 . LISTEN
    tcp4 0 0 *.311 . LISTEN
    tcp4 0 0 192.168.2.96.53 . LISTEN
    tcp4 0 0 *.3659 . LISTEN
    tcp4 0 0 *.106 . LISTEN
    tcp4 0 0 *.3659 . LISTEN
    tcp4 0 0 *.106 . LISTEN
    tcp4 0 0 127.0.0.1.54 . LISTEN
    tcp4 0 0 127.0.0.1.53 . LISTEN
    tcp4 0 0 *.749 . LISTEN
    tcp4 0 0 *.389 . LISTEN
    tcp6 0 0 *.389 . LISTEN
    tcp4 0 0 *.22 . LISTEN
    tcp6 0 0 *.22 . LISTEN
    tcp4 0 0 *.548 . LISTEN
    tcp6 0 0 *.548 . LISTEN
    tcp4 0 0 *.625 . LISTEN
    tcp4 0 0 127.0.0.1.631 . LISTEN
    tcp6 0 0 ::1.631 . LISTEN
    As you can see my firewall settings are not being reflected on the actual server firewall.
    Is there any way I could just force the server into listening the port?
    If necessary I can post screenshots of every ichat server/firewall configuration tab from the Server Admin GUI.
    Thanks in advance for any help/support.

    First off, realize there is no association between your firewall rules and netstat.
    Just because your firewall is letting traffic in that does not mean it will appear in your netstat.
    netstat -a will show you a list of ports that are in use - i.e. there is some process listening to (or writing to) that port. That is independent of whether the firewall permits the traffic (e.g. the firewall could well allow traffic in on 5190, but unless there's a process listening to 5190 you won't see it in the netstat).
    Secondly, IIRC iChat file transfers are client-to-client therefore it might not be your server, or your server's firewall or your server's network that's the issue - the client will need to have a firewall configured to allow incoming traffic from other iChat clients.
    Does that help shed some light on things? (it isn't clear whether your post is referring to the server or the client side of things).

  • Proxy and filter on same port

    Hi all,
    On our BorderManager 3.8 server we've got a HTTP-proxy listening on port 8080. Now, a new external web-app requires a direct connection on port 8080 also. I thought about defining a statefull filter allowing port 8080 from internal to external for that specific site but I'm not sure if this would cause conflicts or security issues in any way. I don't think so, but because it's better to be safe than sorry....I thought I'd ask. ;-)
    Arnold...

    In article <_7z%j.371$[email protected]>, Arnold Jesse
    wrote:
    > On our BorderManager 3.8 server we've got a HTTP-proxy listening on
    > port 8080. Now, a new external web-app requires a direct connection
    > on port 8080 also. I thought about defining a statefull filter
    > allowing port 8080 from internal to external for that specific site
    > but I'm not sure if this would cause conflicts or security issues in
    > any way. I don't think so, but because it's better to be safe than
    > sorry....I thought I'd ask. ;-)
    >
    First, realize that the proxy is listening on port 8080 only for
    requests coming to the proxy's IP address, so it's not going to
    conflict with a request to port 8080 on a remote web site. What
    should be happening here is that (on port 8080) you send the proxy a
    request to a web site that uses port 8080. The proxy sends a request
    to the web site using port 8080 instead of the usual port 80, that's
    all.
    What could well be a problem here is that the default 3.7-3.9 filter
    exceptions do not allow port 8080 out from the public IP address of the
    proxy. You will have to modify the default filter exceptions to allow
    that traffic, whether you want to connect directly through NAT or
    through the proxy. My advice is to connect through the proxy, and
    modify the filter exceptions to allow the traffic.
    At the least, you could configure a custom filter exception for
    stateful port 8080, like the defaults. Look at the defaults in
    FILTCFG.NLM to see how they are done, and add a new one.
    Personally, I don't like to add custom filter exceptions one-by-one for
    every non-standard web server out there. I use a more global approach,
    detailed in the advanced chapter of my BMgr filtering book (see url
    below).
    Craig Johnson
    Novell Support Connection SysOp
    *** For a current patch list, tips, handy files and books on
    BorderManager, go to http://www.craigjconsulting.com ***

  • Sql 2008 express not listening on port 1433

    I installed sql 2008 express on 2008R2 but it is not listening on port 1433.
    I check configuration for tcp and enabled that already. also started sql browser service.
    any idea?

    I installed sql 2008 express on 2008R2 but it is not listening on port 1433.
    I check configuration for tcp and enabled that already. also started sql browser service.
    any idea?
    by default SQL Server Express does not enable Remote Connections.
    Could you check the following:
    1) check that the SQL Express is running (SQL Server Configuration Tool)
    2) log onto the box containing the SQL Server and try to connect with SSMS to the SQL Express instance. Try tcp/ip and/or shared memory to connect.
       if you can successfully login check that the SQL Server does allow Remote Connections
    3) Firewall does not block incoming connections
    4) does the DNS server name resolve to the correct ip address of the SQL Server ?

Maybe you are looking for

  • Report with multiple COUNT columns with counts from same table

    I am new to discoverer so I am a bit lost. I am working to create a report to show usage data from the eBusiness Knowledge Base. I have the query written in SQL using subqueries that is in the format: Solution Number | Soultion Title | Solution Views

  • "No Airport Card Installed" After 10.5.6 updgrade...

    After I installed the 10.5.6 upgrade using software update (from 10.5.5), I no longer have an airport card detected. It does not show up in system profiler either. Is there anyone that knows why this happened and how to fix it? Thanks, Mechmess I'm o

  • New Macbook Air 11" 2014 Model Display Hinge Loose and exacerbated by extremely poor service

    I have bought a new MacBook Air 11 from Ezone on the 3rd of October.  When I opened the product, I realised that the hinge seemed to be loose and would fall back on its own when tilted. That's when my troubles started. I went to the Maple Apple Autho

  • Identifying Roles for Reports

    Hello, Can some one suggest me where to find the role folder a particular report is published under? Thanks, Kris

  • Video image problem

    Hi...A neighbor has a iMac G5 and has developed a video/image problem. The iMac boots up and sometimes shows an ok screen for a little time, sometimes not. What emerges is an array of digital black on white graphic line images (maybe I should upload