LEAP Through a Firewall

When a client tries to LEAP authenticate, how is it sent out? UDP, TCP, RDP, and what port numbers does it run on?
Thanks

When a LEAP client has to get authenticated, the packet goes to the AP (Access Point), and the AP sends it to the RADIUS server. So the following ports are used:
RADIUS UDP 1645/1646 or 1512/1513
http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wrsec_an.htm
HTH
R/Yusuf

Similar Messages

  • Portal access through a firewall

    Hi there!
    Having the default installation of R2 on a single W2K box, what's the minimal procedure to make this configuration available through a firewall?
    I've opened ports 7777-7778 but fail when trying to logon via SSO (host.domain.com:7777/pls/orasso)
    Have I missed out to open another port or am I forced to follow the steps of setting up a reversing proxy to have portal-access outside the firewall?
    Cheers
    /Staffan

    If they are on different servers, then both are listening on the 7777 port, and you will have to change one of them to use another port (assuming your firewall can only port forward a port to only one host).
    If you are running both instances on the same server, then your SSO is accessible via 7777 and your midtier would be on 7778, so your setup as described should be enough (I do the same thing).
    If they are running on the one machine, can you access the SSO/INF server directly? http://inf.domain.com:7777 and then http://inf.domain.com:7777/pls/orasso ?

  • Solaris 10 ssh through a firewall

    I have Solaris 10 up and running on an HP Vectra. Everything is fine until I attempt to ssh through my firewall from the outside world.
    I can ssh from my linux systems on the lan. But when I attempt to ssh from outside using either putty or ssh on another solaris 10 system the connection times out.
    Anyone else experience a similar problem? Many thanks in advance.
    John Wright
    Asst Professor
    CIT
    Bellevue University

    It's hard to tell what's going on without some more information. Here're a few things you can try:
    Run "ssh localhost" from the Solaris box and make sure that works.
    ssh to the Solaris box from another box on the same network segment.
    From the site that doesn't work, do "ssh -v solaris_box" and see if that gives you any clues.
    After trying to ssh from outside, do a "netstat -an | grep -i '*.22'" and see the state of the TCP connection
    (or if the first packet never even makes it).
    Run sshd on the Solaris box with the "-d" debug option.

  • Workstation Clients through a Firewall

    Does anyone out there know if there are any issues with workstation clients going
    through a firewall?
    Thanks!
    mervin

    We have done it successfully from NT to a Unix server over a firewall. It's a case
    of getting the WSNADDR set up correctly.
    Use the -H option in the WSL entry in ubb config shows to set it up.
    eg
    CLOPT="-A -- -d /dev/tcp -n 0x0002nnnnxxxxxxxx -H 0x0002MMMMyyyyyyyy"
    Where nnnn is a port number
    xxxxxxxx is the true hex IP address of the server
    yyyyyyyy is the firewall hex address of the server
    MMMM is fixed.
    WSNADDR on the PC is set to port number and firewall address.
    I know the hex notation is a bit out of date these days but it works fine for
    us.
    Hope it helps
    Sue
    "Mervin Calverley" <[email protected]> wrote:
    > Does anyone out there know if there are any issues with workstation clients
    > going through a firewall?
    > Thanks!
    > mervin
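
    An added example, not part of the original post: a Python helper that builds and decodes the hex addresses in the CLOPT line above, so the address and port a firewall rule must cover can be read back from an existing entry. It assumes 0x0002 is followed by four hex digits of port and eight of IPv4 address, and that "MMMM is fixed" means those four characters are written literally; the function names and sample addresses are constructed for illustration.

```python
import ipaddress
import re

FAMILY = "0002"  # leading digits shown in both addresses in the post

def hex_netaddr(ip, port):
    """Return 0x0002 + port (4 hex digits) + IPv4 address (8 hex digits)."""
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return f"0x{FAMILY}{port:04x}{int(ipaddress.IPv4Address(ip)):08x}"

def external_mask(firewall_ip):
    """Value for -H: port field left as the literal MMMM (assumption)."""
    return f"0x{FAMILY}MMMM{int(ipaddress.IPv4Address(firewall_ip)):08x}"

_ADDR = re.compile(r"^0x0002([0-9a-fA-F]{4}|MMMM)([0-9a-fA-F]{8})$")

def decode(value):
    """Return (ip, port) for a hex address; port is None for MMMM."""
    match = _ADDR.match(value)
    if match is None:
        raise ValueError(f"not a 0x0002 hex address: {value!r}")
    port_field, ip_field = match.groups()
    port = None if port_field == "MMMM" else int(port_field, 16)
    return str(ipaddress.IPv4Address(int(ip_field, 16))), port

def wsl_settings(real_ip, firewall_ip, port):
    """Build the server-side CLOPT and the client-side WSNADDR."""
    clopt = (f'CLOPT="-A -- -d /dev/tcp -n {hex_netaddr(real_ip, port)} '
             f'-H {external_mask(firewall_ip)}"')
    # Per the post, the PC's WSNADDR carries the port and firewall address.
    return {"CLOPT": clopt, "WSNADDR": hex_netaddr(firewall_ip, port)}

if __name__ == "__main__":
    # Constructed sample values: internal server, firewall address, port.
    settings = wsl_settings("10.1.2.3", "192.0.2.10", 8080)
    print(settings["CLOPT"])
    print("WSNADDR=" + settings["WSNADDR"])
    print(decode(settings["WSNADDR"]))
```

    Decoding the -n and WSNADDR values from a deployed configuration gives the single address and port pair the firewall has to pass, which is easier to review than the raw hex.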

  • Whenever I try to open up Firefox, it says that it's unable to connect, however, my internet connection is fine and I can still open up Internet Explorer. I already allowed Firefox through my firewall.

    My internet connection is fine, I already allowed Firefox through my firewall. This is the first time it had ever happened and it happened suddenly, out of nowhere.

    Try "Firefox connection settings" in [[Server not found]]
    You can find the connection settings in Tools > Options > Advanced : Network : Connection
    If you do not need to use a proxy to connect to internet then select No Proxy
    You can also try to remove all rules for Firefox from the permissions list in the firewall and let your firewall ask again for permission to get full unrestricted access to internet for Firefox and the plugin-container process.
    See:
    * [[Server not found]]
    * [[Firewalls]]

  • Endpoint on DMZ interface (through the firewall)

    Hi
    I have an ASA which connects to a BT Infinity router. The address on the outside interface is dynamic. BT provide us with 5 static addresses (No NAT 5) which are routed to the outside interface but are a different subnet.
    I would like to terminate the site to site  VPN using one of the static IP addresses rather than the outside dynamic address.
    Can I NAT the public static address to the DMZ interface (or any interface for that matter) and terminate the VPN on that interface i.e. the firewall is terminated through the firewall?
    Thanks
    Stuart
    Update: A few people have looked but no answer. Is there some detail I need to add?

    Matheus.Omega.Mendes wrote:
    Well one solution that they found was implements one hollow interface called InterfaceWeb, just to mark the classes that works on web and desktop, although our system isn't perfectly object oriented, this solution was the worst that I ever seen. At least I think this way and I'd like to know if someone agree, disagree or have some explication for this choose.
    Hard to say without actually seeing it. Probably not a good idea.
    Presumably the design was driven by time to market and cost rather than just because the developers didn't want to refactor.
    As per the other suggestion, normally besides breaking the layers out you could share common functionality with a layer of its own (or several)

  • How to allow Flash, Reader, and Shockwave installations through the firewall?

    When I allow a single machine to full access through the firewall on port 80, all three products install flawlessly. I am trying to narrow this down and only open the specific IP ranges used by adobe. Does anyone know which ones need to be allowed for this to work? Also, I do know about the standalone files that can be downloaded and then installed to avoid the firewall issue, but I would like to allow all users who bring their own devices to install these products. With the below IP address open through port 80, I am able to install Flash almost every time, but Reader and Shockwave are less reliable. Thank you for any help you can provide.
    Bill

    I have a method that works for FLASH player, but am trying to come up with a method for the other 2 myself.  To automate flash player, I created a Policy and added the following:
    Under Computer Config, Preferences, Windows Settings, Files I created a new File Item.
    I set Action = Replace, created a Source File named mms.cfg* (more below) and have the destination file as %systemroot%\System32\Macromed\Flash\mms.cfg (or %systemroot%\SysWOW64\Macromed\Flash\mms.cfg for x64)
    I used notepad to edit the mms.cfg, and used the following in the body:
    AutoUpdateDisable=0
    SilentAutoUpdateEnable=1
    AutoUpdateInterval=0
    My non-admin users now update flash in the background silently and automatically.

  • Firewall Rules for Printing and Scanning through Windows Firewall

    Hello,
    I am having trouble determining the Ports, Programs, and Services required for printing and scanning with my AIO.
    I am using Windows Firewall in Windows 7, and am only allowing certain rules in and out.
    I know the firewall is the problem, for when I disable it, everything works fine.
    Which rules are required for printing and scanning through the firewall?

    4th Bump,
    Is there anyone who can help me with this?
    As I said before, other printer manufacturers such as Lexmark and Brother provide this exact information.
    Why doesn't hp have a document for this? Does everyone just disable their firewall or open every port?

  • Cisco 8851 phones registering through Checkpoint firewall

    We have a customer with a secured network, using Checkpoint firewalls and have a VPN site-to-site tunnel between our Cisco ASA and their Checkpoint firewall, with Cisco phones on the far side of the tunnel and CallManager 8.6 behind the ASAs.  We have all the proper network ports referenced, but cannot get either a new Cisco 8851 (SIP) or a Cisco 7942 phone to register.  The 8851 phone, when it tries to register, uses the 6970 port for distributed TFTP via HTTP first (by design), followed by TFTP/69.  The 7900 phone never generates TFTP on port 69 at all.  What is also strange is that the source port 5060 on the 8851 phone seems to be masked with an upper ephemeral network port (51566) when the request traverses the network, regardless of it passing through the firewall or a router.  I know that TFTP uses UDP, but there is nothing in the docs that state it uses these upper port ranges?
    Is this behavior normal for a Cisco SIP-based phone, and with the Skinny phone, is there something with Checkpoint firewalls that causes issues with Cisco VOIP phones?  I have done key-word searches on the Forum for this issue, but have not found anything significant.  I have also looked at the Nokia support forum, and saw some briefs, but it didn't directly describe our issue.  Any help would be greatly appreciated.
    Thanks,

    Hi Andrew
    The attached document may assist:
    http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/port/7_0/CCM_7.0PortList.pdf
    A lot depends on topology etc, and the handset registration protocol you are using (SIP vs SCCP).
    Hope this helps.
    Barry Hesk
    Intrinsic Network Solutions

  • How can we allow internal users to access internet through ASA firewall?

    Hello,
    I am new to the security track. I have been asked to set up a lab and allow users from inside the firewall to access the internet. Here is my lab setup:
    PC -> switch 1 (layer2) -> (inside) ASA (outside) -> switch 2 (Layer2) -> Router
    Does the switch 2 port need internet access through the router?
    What configuration is required on the ASA to allow users behind the firewall to access the internet?
    Any help on this would be much appreciated.
    Thanks,

    Hi,
    Okay, can you clarify this for me? Are you able to ping the internet from the ASA outside interface?
    Just try something like this:
    ping 4.2.2.2 ... Does this work?
    If this does not work, then I think even the ASA is not able to get to the internet and that would be a problem on the router.
    Also, internet from Switch 2 is not a requirement as that is only a Layer 2 device.
    You can assign the ISP allocated address on the PC, connect it to the Switch 2 port and then try to ping something on the internet or surf the internet, and I think that should work.
    Thanks and Regards,
    Vibhor Amrodia

  • Can JMQ 2.0 work through a firewall?

    We are interested in using JMQ for B2B communication for messages to be sent
    through firewalls from one enterprise to another. Does JMQ 1.1 support this or
    does JMQ 2.0? If JMQ 2.0 is the only option, can you please specify when it
    will be released, as of now it is only in beta version? I would appreciate your
    prompt response as we are in the process of evaluating each vendor.

    JMQ 1.1 only supports a TCP based transport, and could only work across a firewall
    if that firewall was specially configured to let the communication through. JMQ 2.0
    will support use of HTTP as a transport, and this will eliminate the need for
    special administration for any firewall that will naturally allow HTTP through. JMQ
    2.0 is in Beta now, and is scheduled to be available as an FCS product early in
    Q2CY01.

  • Forwarding through IPv6 Firewall partial solution

    I figured out how to selectively forward port 22 (ssh) to all of my internal machines at home, through the Airport Express's IPv6 firewall. I couldn't find documentation for this, so I'm sharing, to help anyone else that might be trying to accomplish the same.
    Under Advanced / IPv6 Firewall, add an Exception. This hint is how to choose the appropriate IPv6 address so that you add port forwarding for a specific port to all machines. For the IPv6 address field, enter :: (that is a double colon).
    So my exception looks like this:
    Description - ssh
    IPv6 Address - ::
    Specific TCP and UDP ports
    TCP Port(s) - 22
    UDP Port(s) -
    Note that I have no security fears for enabling port 22, because my personal IPv6 address space is 64 bits, which would take ages for anyone to probe to find my machines listening on port 22, just so that they could then probe for obvious accounts and passwords. And password probing is easy to defeat anyway --- just disable password-based logins and require public/private key logins.

    Call your ISP and have them set your Modem into BRIDGED MODE... ask them also for your account username and password... Go to your router setup page and configure its IP to 192.168.2.1 and set it to PPPoE, you have to type your username and password after this then save the settings... that way, your westell will be a modem only and your firewall will only be the Linksys

  • WMI query through ASA Firewall

    I'm a newbie - please be patient
    We have an ASA firewall that has several DMZ VLANs.
    A support company that is responsible for the SQL Servers wants to use WMI to query server health.
    Their monitoring server is currently on the internal LAN, eight SQL servers are on the internal LAN and six of the SQL Servers are in the DMZ.
    Two of the SQL Servers in the DMZ are 2003x32 Standard Edition and four are 2008R2x64 Enterprise Edition
    The question is that the range of ports that need to be open for Windows 2003 is concerningly large: tcp/1025-65535, tcp/135
    What are everyone’s thoughts on opening up such a large range?
    Is there a better way of doing this – unfortunately getting the monitoring software rewritten is not an option and nor is going Linux
    Thanks
    PS - if this has already been asked can someone point me to the discussions

    Hi
    I would say that that is a No No
    But that depends on the environment, for some (most) I would say it's not OK, but some might feel that they do not need that much security.
    WMI is a bit tough on firewalls.
    But there are ways to limit the ports used by WMI
    fx you can set it to use fixed ports, and so on.
    Sure it makes the server guys a little less happy since it does not work from the start and they have to make some changes but the added security is well worth the fight.
    Here is a link to solarwinds for people with the same problem, and an answer that seems to work
    (I have not tested this) from ASH J Kent. (almost at the bottom)
    http://thwack.solarwinds.com/forums/68/application--server-management/21/server--application-monitor/16415/wmi-monitoring-through-firewal/
    Here is one from MSDN
    http://msdn.microsoft.com/en-us/library/windows/desktop/bb219447(v=vs.85).aspx
    Good luck
    HTH

  • 10.4.11 and HTTPS through corporate firewall

    At work we just moved to 10.4.11 from 10.4.9, and now apparently anything that requires https doesn't work any more in Safari. We first noticed it with email sites like Hotmail, Gmail, Yahoo mail etc. At work we're going through our corporate firewall which is apparently a Windows-based firewall. I'm not in IT so I can't provide details on that.
    It does appear to be a problem with Safari specifically because Firefox still works with https sites through the same firewall. With Safari, I've tried using both a pac file and setting the proxy settings manually, with the same results either way. Additionally, these Macs were working with these sites when they were on 10.4.9.
    Does anybody know what changed in OS X between 10.4.9 and 10.4.11 that might be causing this problem? Does anybody have any potential solutions? Keep in mind that using Firefox is not an option because it's been outlawed in my department, and similarly I'm not in IT here and I have no control over the firewall or changing anything on it.
    Not being able to get to any secure sites in Safari is a real pain. I had to use Firefox just to post this, because it required a secure sign on. On all these machines everything is fully upgraded through 10.4.11, including Safari 3.1.1. Anything to even point me in the right direction would be helpful. Thanks.

    I may not have a solution, but I can tell you that HTTPS works fine for me from behind my corporate firewall (Safari 3.1.1, OS X 10.4.11). If there's a proxy server needed (there is for me, and that's something you seem to have investigated with your IT department) I assume you have the setting for that enabled in System Preferences > Network > active connection > Proxies tab; also, if the box for HTTPS is checked and you are not behind a proxy server, the connection will fail, so UNcheck the box.
    Note that Firefox uses its own proxy settings (Preferences > Advanced tab > Network tab > Settings button), bypassing the OS X network prefs.
    Hope this helps...

  • Allowing WMI through Windows Firewall

    I am trying to modify the setting in Windows Firewall to allow WMI through so that I can activate Windows using VAMT. I followed the steps to allow WMI-In via GPO and it appears to work. But when checking the firewall settings on the laptop I can see 2 entries for Windows Management Instrumentation (WMI). 1 entry has ticks in all 3 boxes (Domain, Home, Public) and a Yes in the Group Policy column. This line is greyed out as I would expect it to be as it's managed via GPO. The 2nd entry does not have any ticks in the boxes; I can manually tick these boxes.
    My question is why do I have 2 entries? Would my VAMT activation be failing because 1 of the entries is not ticked? The error VAMT gives me is "Unable to connect to the WMI service on the remote machine."

    Shouldn't fail, and I have seen lots of erroneous duplicates in the past; it's not affected anything AFAIK
