LB redirection configuration ACE30

Similar Messages

• Folder redirection configured in GPO does not create Documents folder and does not redirect

  Hi
  Another Folder Redirect-post - sorry for that, but I could not find an answer for my problem so far: even with consulting many threads here...
  We have an existing environment under Windows XP and want to move away from that. Now I ran into troubles with folder redirection...
  The following folder- and permission structure exists so far:
  \\<server>\<Users$-share>: This is the base folder for all users-directories
  -> Permissions: SYSTEM: Full / Administrators: Full / Users: Read&Execute, only this folder
  -> Share-permissions: Authenticated users: Full control
  \\<server>\<Users$-share>\<username>: base folder for the specific user
  -> Permissions: SYSTEM: Full / Administrators: Full / User: Change, all permissions inherited onwards
  -> Giving only change permission prevent further problems with self-called "advanced users"... ;-)
  \\<server>\<Users$-share>\<username>\profil.V2: Profile directory of the user
  -> Of course here the permissions are set by the system: override the predefined permission
  \\<server>\<Users$-share>\<username>\daten: Atcual Home directory of the user
  \\<server>\<Users$-share>\<username>\daten\Documents: Suposed Documents directory of the user
  Now I am going to Server 2012 and Windows 8.1, configured the GPO to redirect Documents folder into the above mentioned:
  GPO - User configuration - Policies - Windows settings - Folder Redirection - Documents:
  Setting: Standart - redirects all folders to the same path
  Destination folder: Copy to base directory of the user
  I apply policy to the user, log out and in - it doesn't work, no folder Documents created in my home-folder, Folder Documents still configured at C:\Users\<user>\Documents
  A very special point:
  I also do Redirection of the My Pictures-folder: Define it to follow the Documents folder. Funnily that one works and creates and configures \\<server>\<Users$-share>\<username>\daten\Pictures
  -> So in my eyes, it should work!
  Then: I want to do the folder redirection without Offline Files, due to the fact, that our users work with dynamically assigned virtual desktops, which are been cleaned everytime a user logs off a machine. Therefore synchronizing doesn't make sense...
  I just cannot see, why this redirection does not work :-(
  Thank you very much for any help!
  Kind regards
  David

  Hi David,
  Before going further, would you please let me confirm the OS version of the Windows Server which you used to
  configure folder redirection? Based on your description, did you mean that those users (who will be applied folder redirection settings) logged on Windows XP client computer?
  When you configure the folder redirection setting in Document Properties (path:
  User Configuration-> Policies-> Windows Settings-> Folder Redirection-> Documents), please check if you checked “Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating system” in Settings
  tab. As below picture shows.
  à
  GPO - User configuration - Policies - Windows settings - Folder Redirection - Documents:
  à•Setting: Standart
  - redirects all folders to the same path
  à•Destination
  folder: Copy to base directory of the user
  Would you please provide a screenshot of those settings you describe? Meanwhile, please summarily describe
  that how you configure. For example, where this GPO link to? Or any other. It will help me to understand clearly. Thanks for your understanding.
  In addition, please use
  gpresult command to check if the folder redirection group policy was really applied.
  If any update, please feel free to let me know.
  Hope this helps.
  Best regards,
  Justin Gu

• Permissions are not working after HTTP redirect configured.

  Hello,
  I have configured HTTP redirect in IIS Manager from root site to sub site. The users have to be redirect from roo tsite to
  sub site
  I have full rights for root site, but when I get to sub site I can only see documents, but all options are grey out. So I have limited access.

  Hi,
  For your question, you could check the account in the top right corner beside site setting icon.
  As I tested, I configured HTTP redirect via IIS manager as the screenshot below.
  http://sp:19073 is the url of root site, and subsite's url is
  http://sp:19073/subsite/_layouts/15/start.aspx#/SitePages/Home.aspx .
  Let me know if you are using a different approach to configure HTTP redirect.
  Regards,
  Rebecca Tu
  TechNet Community Support

• How do I configure ACE30 to allow server to server and server to VIP communications

         I have a ACE30 with 2 client vlans and 2 server vlans in a 2-arm routed mode.  I want to allow  server initiated traffic from either server vlan to access both client vlans via a VIP and also allow server to server traffic between the 2 server vlans via the server IP address.  This is all in a single context. Attached is a diagram of the environment.  The server's gateway is the ACE interface for that particular vlan.
  so servers on vlan 206 will initiate traffic to either vlan 296 or 298 and therefore load balance to servers on either vlan 206 or 216.  same goes for server vlan 216. 
  In conjunction with that how do i configure the ACE so that the servers in one vlan can talk to the servers in the other via directly via their IP address.  for instance the source would be vlan 206 and the destination would be vlan.
  Thank you
  Tony.

  Chris,  does this look correct based on your description of how to configure:
  class-map match-all REAL-SERVERS-VL226
    2 match source-address 10.192.34.0 255.255.255.0
  class-map match-all REAL-SERVERS-VL246
    2 match source-address 10.192.44.0 255.255.255.0
  policy-map multi-match INTRA-server_P
    class LYNCP2F_C
      loadbalance vip inservice
      loadbalance policy LYNCP2F_P
      loadbalance vip icmp-reply active
      nat dynamic 5 vlan 246
    class LYNCP-FE_C
      loadbalance vip inservice
      loadbalance policy LYNCP-FE_P
      loadbalance vip icmp-reply active
    class REAL-SERVERS-VL226
       nat dynamic 1 vlan 226
    class REAL-SERVERS-VL246
       nat dynamic 2 vlan 246
  interface vlan 226
    description Intranet Services Server Vlan 226
    ip address 10.192.34.2 255.255.255.0
    alias 10.192.34.1 255.255.255.0
    peer ip address 10.192.34.3 255.255.255.0
    no icmp-guard
    access-group input ALL-IN
    nat-pool 1 10.192.34.254 10.192.34.254 netmask 255.255.255.0 pat
    service-policy input INTRA-server_P
    no shutdown
  interface vlan 246
    description Intranet Services Server Vlan 246
    ip address 10.192.44.2 255.255.255.0
    alias 10.192.44.1 255.255.255.0
    peer ip address 10.192.44.3 255.255.255.0
    no icmp-guard
    access-group input ALL-IN
    nat-pool 2 10.192.44.254 10.192.44.254 netmask 255.255.255.0 pat
    service-policy input INTRA-server_P
    no shutdown
  interface vlan 292
    description Intranet Services Client Vlan 292
    ip address 10.192.8.4 255.255.254.0
    alias 10.192.8.6 255.255.254.0
    peer ip address 10.192.8.5 255.255.254.0
    mac-sticky enable
    no icmp-guard
    access-group input ALL-IN
    no shutdown
  interface vlan 294
    description Intranet Services Client Vlan 294
    ip address 10.192.6.4 255.255.254.0
    alias 10.192.6.6 255.255.254.0
    peer ip address 10.192.6.5 255.255.254.0
    mac-sticky enable
    no icmp-guard
    access-group input ALL-IN
    no shutdown

• URL-Redirect configuration differences

  Hi,
  I'm currently in the process of configuring a pair of 11506's, as part of the installation I'd need to configure a number of URL re-directs (http to https), I (thought) I'd the configuration in place, but looking at some documentation on cisco.com there appear to be a No. of ways to re-direct traffic, the first, which I've written up, is to use content rules for the VIP termination, and for traffic requiring re-direction, point the content rule to a separate re-direct service, thus for each re-direct, we require a content rule and a re-direct service.
  Looking at some documentation earlier, it appears I can also use a content rule re-direct, and simply within the content rule, apply the re-direct statement, this removing the need for a separate re-direct service for each content rule.
  Whilst I'm happy to run with the original configuration I've applied, what are the differences between the 2 re-direct configurations? Are there any?
  Thanks

  here is a link describing all the different ways
  http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a00801de8d6.shtml
  for http to https you need service in order to rewrite the domain with https.
  Gilles.

• Https and virtual host redirect configuration

  Hello,
  IAS10EE
  Only one of a number of mod pl/sql applications needs to be available from the internet via https - https certificate has been installed and is working.
  I've amended the default ssl.conf to try to redirect all https traffic to the one application see below
  <VirtualHost *:443>
  # added
  ServerName portal.tw.com
  ServerAlias portal.tw.com
  Options +FollowSymLinks
  DocumentRoot "/opt/ris/apex"
  RewriteEngine On
  RewriteRule .* https://%{SERVER_NAME}/pls/apex/f?p=103:101 [R=301,L]
  RewriteLog /opt/ris/log/rewrite.log
  ## end add
  Problem is that I cannot get a https://portal.tw.com to display when the rewrite rule is in
  When taking out the rewrite all DADs are accessible which I do not want!
  I cannot see any log entries in access_log, error_log, ssl_request_log that hints/explain the error
  Has anyone any ideas how to modify above to get it working or how to troubleshoot this?
  Many thanks
  Pete

  Thanks for your reply
  in the access_log and ssl_request_log I can see that the page is being requested
  so the redirect 301 is working but no page is sent back to the browser, the browser sort of hangs. I suspect the rewrite rule is missing something - Any ideas that I can try?
  Thanks
  Pete
  Looking in ssl_request_log -
  UNKNOWN SSL_RSA_WITH_RC4_128_MD5 "GET /pls/apex/f?p=103:101 HTTP/1.1" 395
  an entry like this every second
  Looking in current access_log*
  [07/Nov/2006:00:12:20 -0800] "GET /pls/apex/f?p=103:101 HTTP/1.1" 301 395
  an entry like this every second

• After upgrading to FF 8.0, a news website main page doesn't open, redirecting immediately to a site subsection. Doesn't work in Safe Mode either.IE Tab opens site perfectly.

  The question topic sums it up - after a recent upgrade one website stopped working properly in FF, even in Safemode, redirecting to subsection instead of opening main page. When I use IE Tab or IE, website opens fine.

  No, the problem is resolved. The Spry gallery portion of
  LyndaEllis.com works in IE6 and IE7 now that I've switched from my
  original hosted web server at Earthlink/Mindspring (i.e. which
  responded with 302 redirects on "resource not found") to my new web
  hosting provider as I described in the original post. Just to be
  clear, I changed nothing in Spry or in my HTML; I only had to work
  around the HTTP client behavior of IE by ensuring that 302
  redirects were not returned by the web server when non-existent
  resources were requested by the browser.
  But, I am still curious why both IE and Firefox make the
  request for the unsubstituted variable in the first place. I'm also
  curious as to why IE's JS engine just gives up when the 200 status
  "branded error" pages are returned. I suppose it should just be
  chalked up to the idiosyncrasies of Earthlink's httpd configuration
  and Microsoft's screwy browser. Perhaps someone who works in the IE
  JavaScript engine at Microsoft will read this and get Spry apps in
  IE to work for the "302 redirect" configuration.

• Step by step to disable Folder Redirection for a single user - Windows 7 and SBS 2011 Essentials

  OK...I got chewed (by someone I have a lot of respect for) for pounding on an old thread, so I'm starting a new one. I've got the Windows 7 Value Pack Plugin for SBS 2011 Essentials and Folder Redirection is working for everybody. What I'm looking for is
  exactly how to go into Group Policy and disable the FD for a single user. I'm not looking for quick, incomplete answers. If you don't have time to give me the 'For Dummies' version, don't bother. Sorry, but I've done all the Googling I can stand for one day
  and I'm over it! (and a little grumpy)
  Thanks in advance!
  Wayne S. CompTIA A+ CompTIA Network+ Microsoft MCP

  ... I've got the Windows 7 Value Pack Plugin for SBS 2011 Essentials and Folder Redirection is working for everybody. What I'm looking for is exactly how to go into Group Policy and disable the FD for a single user. I'm not looking for quick, incomplete
  answers....
  Hi Wayne,
  Here's what I'd do. 
  1) create a Security Group in your AD environment. Call it 'Folder Redirection Members' or something like that. Put all the user accounts in your AD environment who you want to have their folders continue to be redirected to the server, do not include the
  one user who you wish to exclude.  in other words, you're going to use a specific security group to target the Folder Redirection policy (right now, it's Domain Users, which is everyone).
  2) Edit the Group Policy that the W7PP created in your AD environment. It's likely called "W7PVP Folder Redirection".  Start with verification under the Settings tab, expand Folder Redirection beneath User Configuration states that
  Policy Removal Behaviouris set to Restore Contents.  Then proceed using the Editor, to make adjustments under the Scope tab; verify membership in Security Filtering.  Remove Domain Users,
  add in Folder Redirection Members (or whatever you named your group in step 1).
  3) on your workstation that your user you are applying the change to disable folder redirection, Log on to the domain account while connected to your network, elevate a command prompt, and perform a 'gpupdate /force' command and then reboot your computer. 
  Folder redirection configuration should be removed from the system and redirected contents should be restored back to your local path. Verify with inspection of the My Documents or other folders.
  Hope this helps. Keep in mind, no warranty implied or expressed in this advice.
  Try not to be so darn grumpy. :-/
  Jason Miller B.Comm (Hons), MCSA:Win7, MCITP, Microsoft MVP

• ACE30-MOD-k9 in bridge mode. Individual server in the same vlan of Real Servers not reacheable.

  I configured ACE30-MOD-K9 in bridge mode and I configured a server farm with his real servers. The traffic passes and is balanced correctly between all RSERVER. But I can not contact a server that is on the same vlan of the serverpharm but doesn't belong at this serverfarm.
  I Thought that the traffic directed to this "spare" server shouldn't  be balanced but the bridge should permit traffic to pass. (trasperent mode) Is it correct ?
  What does ACE in bridge mode with traffic directed to servers that do not belong to any server farm but are present on the same VLAN (same bridge group)?
  In rispect at the following configuration 10.10.10.168 isn't reacheable
  access-list INBOUND line 8 extended permit ip any any
  access-list INBOUND line 16 extended permit icmp any any
  probe http HTTP_PROBE1
    expect status 200 200
  rserver host RS_WEB1
    ip address 10.10.10.163
    inservice
  rserver host RS_WEB2
    ip address 10.10.10.164
    inservice
  rserver host RS_WEB3
    ip address 10.10.10.165
    inservice
  rserver host RS_WEB4
    ip address 10.10.10.167
    inservice
  serverfarm host SF_FIREGROUP
    rserver RS_WEB1
      inservice
    rserver RS_WEB2
      inservice
    rserver RS_WEB3
      inservice
    rserver RS_WEB4
      inservice
  sticky ip-netmask 255.255.255.255 address source sticky-ip
    replicate sticky
    serverfarm SF_FIREGROUP
  sticky http-cookie myCookie sticky-cookie
    cookie insert browser-expire
    serverfarm SF_FIREGROUP
  class-map match-any VS_FIREGROUP
    2 match virtual-address 10.10.10.169 tcp eq www
    4 match virtual-address 10.10.10.169 tcp eq 8081
    5 match virtual-address 10.10.10.169 tcp eq 8082
    6 match virtual-address 10.10.10.169 tcp eq 8083
    7 match virtual-address 10.10.10.169 tcp eq 8084
    8 match virtual-address 10.10.10.169 tcp eq 8085
    9 match virtual-address 10.10.10.169 tcp eq 8097
  class-map match-any VS_FIREGROUP_HTTPS
    2 match virtual-address 10.10.10.169 tcp eq https
  policy-map type loadbalance first-match HTTP
    class class-default
      sticky-serverfarm sticky-cookie
  policy-map type loadbalance first-match HTTPS
    class class-default
      sticky-serverfarm sticky-ip
  policy-map multi-match HTTP_HTTPS_MULTI_MATCH
    class VS_FIREGROUP
      loadbalance vip inservice
      loadbalance policy HTTP
      loadbalance vip advertise active
    class VS_FIREGROUP_HTTPS
      loadbalance vip inservice
      loadbalance policy HTTPS
      loadbalance vip advertise active
  interface vlan 4
    bridge-group 1
    access-group input INBOUND
    service-policy input HTTP_HTTPS_MULTI_MATCH
    no shutdown
  interface vlan 700
    bridge-group 1
    access-group input INBOUND
    no shutdown
  interface bvi 1
    ip address 10.10.10.150 255.255.255.0
    no shutdown
  ip route 0.0.0.0 0.0.0.0 10.10.10.1
  Thanks a lot
  Francesco

  Hi Francesco,
  Just to add more a bit, A bridge group is very similar to routed mode except ACE cannot NAT pass through traffic, vlan's cannot be shared and couple of other things but client's should be able to access the server as in before.
  But also whether in bridge or routed mode, ACE does create flows and applies other security parameters if configured to the traffic. This is for security. Also, ACE should know the MAC of the device to forward the traffic to. Can you check if ACE has the MAC of the destination? You can also put a route for testing purpose and see if that resolves the issue. That should probably be the quickest way to check if ACE is creating any issue here.
  Regards,
  Kanwal

• ACE Redirect not working

  We have a ACE redirect configured on 3 physically seperate ACE modules with the following config. It works on one ACE Module and not on the other 2.
  Capture on the ACE and sniffer gives this error.R [bad tcp cksum 2d41!] ACE sends resets to the client. Anyone run into this issue?
  The software version is   system:    Version A2(1.0a) [build 3.0(0)A2(1.0a)
  rserver redirect Test
    webhost-redirection http://www.test.com
    inservice
  serverfarm redirect Test
    rserver Test
      inservice
  class-map match-any Test
    2 match virtual-address 192.168.10.10 tcp eq www
  policy-map type loadbalance first-match Test
    class class-default
      serverfarm Test
  class Test
      loadbalance vip inservice
      loadbalance policy Test
      loadbalance vip icmp-reply active

  Sorry maybe I didn't explain what I was getting at good enough...
  I guess I'm basically asking if there's potential for asymmetry at the site that's not working.
  For example.
  Say I have a load balanced server. It has two interfaces a "front end" and a "back end".  I manage the server on the backend from my laptop, for which the server has a route.  Now if I try to hit the public VIP of the LB, traffic is routed to the VIP, then to the server, but because the server already has a route to my laptop via the backend, it bypasses the load balancer on the return and replies directly to me, thus putting the flow out of sync and never completing the connection...
  Not saying that's it, but I've had so many asymmetry issues that are tough to figure out that It's usually one of the first things I rule out...
  It's possible if the site that's not working is local to you and the others aren't, this may be a potential issue??

• Redirected folders show UNC path in address bar

  Hi,
  I'm using folder redirection for our user accounts and have redirected the Documents, Music, Pictures and Videos. The redirection process work fine apart from the fact users can go into any of these folders then click in the address bar and see and navigate
  the whole UNC file path.
  For example, when I logon: I can click on my name on the start menu and go into the 'My Music' folder. In the address bar I can see
  Matt Courtman > My Music but if I then click into the address bar this changes to the path of the redirected folder -
  \\server\usershare$\mcourtman\music this then allows them to have a look around the server, although they can't access anyone elses data.
  Can this be stopped?
  Many thanks, Matt
  Matt Courtman, Network Manager, Cromwell Community College, UK

  Hi,
  Did this issue occur on all accounts?
  I would like to suggest you re-configure folder redirection to check what the result is:
  How to Configure Folder Redirection
  Configuring Folder Redirection: Group Policy
  Good luck.
  Alex Zhao
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• Icmp redirect issue

  hi guys:
  We have firewall that connect to the internet.We also have a 6509 switch connect to the internal lan. The client PC,6509 interface and firewall are on the same subnet. Client's gateway is on 6509. When client try to access internet, the 6509 switch should send icmp redirect to client telling them to go to firewall for internet access. However,I've found that some client were not receiving icmp redirect,therefore internet traffic send to 6509 then to fireawll.From the 6509 debug we saw it sending icmp redirect once or twice per second.Is this a security feature to prevent msfc from DOS attack?If so is there any way yo override it?Thanks for help.
  regards

  do you just have the pix and pc connected to the same subnet and have the pc default gateway point to the MSFC and have the MSFC default gateway point to the pix??
  this would allow for the pc to get to the internet and the icmp redirect sent to the pc to inform it of the better route.
  how is your icmp redirect configured? can you post configuration of switch/msfc?
  do you have 'no ip redirects' command configured on the MSFC SVI for the pc vlan? if so, use the 'ip redirects' command on the MSFC SVI (vlan) that the pc connects to.
  this will allow the MSFC SVI to be able to send icmp redirects.
  please see the following link for more info on icmp redirects:
  http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094702.shtml

• GPO Folder redirection using Powershell

  Dear,
  how can i configure a gpo for Folder Redirection using powershell.
  I would like to create gpo's with all kinds of folder redirection configurations using a script.
  Davy

  Hi,
  Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.
  TechNet Subscriber Support
  If you are
  TechNet Subscription
  user and have any feedback on our support quality, please send your feedback
  here.
  Regards, Yan Li

• Warning message on ACE

  Hello expert,
  I'm just wondering whether we can set a maximum number of incoming connections on ACE?
  In such a way, if the limit is reached, users who still trying to access the website will be prompted with some kind of warning message. like
  "system is busy, try again later"
  please let me know. Thanks.
  Sincerely,
  Andrew

  Hello Andrew,
  Mmm, maybe you can take a look of this link:
  http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/command/reference/rsrce.html
  Perhaps you can assign some specific resources for connections but it will be good to check this your Cisco SE.
  On the rserver level, we have the following:
  Configuring Real Server Connection Limits
  To prevent a real server from being overburdened, you can limit the  maximum number of active connections to the server. You can set the  maximum and minimum connection thresholds by using the conn-limit command in either real server host or real server redirect configuration mode. The syntax of this command is as follows:
  conn-limit max maxconns min minconns
  The keywords and arguments are as follows:
  •max maxconns—Specifies the maximum allowable number of active connections to a real server. When the number of connections exceeds the maxconns threshold value, the ACE stops sending connections to the real server  and assigns the real server a state of OUTOFSERVICE until the number of  connections falls below the configured minconns value. Enter an integer from 2 to 4294967295. The default is 4294967295.
  •min minconns—Specifies  the minimum number of connections that the number of connections must  fall below before sending more connections to a server after it has  exceeded the maximum connections threshold. Enter an integer from 2 to  429496729. The default is 4294967295. The minconns value must be less than or equal to the maxconns value.
  Obviously the ACE cannot send messages like that, you can combine perhaps the configuration above with a backup serverfarm or something like that.
  Do not hesitate to let us know your feedback and mark it if it is useful for you
  Hope these details help.
  Jorge

• Guest users not getting IP address

  I am setting up Cisco wireless along with ISE 1.3 for guest wireless.  The client is going to use the self-registration portal for guest wireless users.  I followed this Cisco doc to configure the self-registration portal:
  http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/118742-configure-ise-00.html
  I tested this in my home lab and everything works fine.  However, at the client users are not getting IP addresses from the DHCP server.  This is the same DHCP server that is used for corporate wireless and if you connect that SSID, you get an IP address.  I have looked what I configured at home and the client and everything looks the same.  In the back of my mind, I feel something is missing, but I can't figure out what it is.  
  Edit: Not sure if this makes a difference or not, but they are using a Nexus 5K for their core switch and it hosts the SVI for this network.  
  Let me know what information you need and I will post it.
  TIA,
  Dan

  Hello,
  Some verifications below :
  Did you verify if DHCP Proxy is enabled in wlc's wlan interface ? Case DHCP proxy is disabled, did you verify if the ip helper address is enabled in Nexus SVI ?
  DHCP Scope is enabled in the DHCP Server or is enabled in the WLC ?
  Verify if Trunk in the switch is enabled correctly passing all VLANs to WLANs ?
  Verify if ACL to redirect configured in the WLC is allowing DHCP Server and DHCP Client to client receive IP Address and ports 8443 to Cisco ISE and DNS to resolve some address and get access to ISE Portal ?
  The scenario is Local Switching or Central Switching ?
  Regards