MPF ASA for Web Filtering. HTTPS traffic

SOURCE: https://supportforums.cisco.com/docs/DOC-1268#Allow_specific_urls
Hi all,
I have the following configuration in my ASA, based on guidelines from the above source, to allow only certain sites in my home and block all requests to HTTP and HTTPS sites. However, requests to HTTP sites are being blocked but not to HTTPS. Only one host in the network can access all sites.
access-list WEBFILTER extended deny tcp host 192.168.254.115 any eq www
access-list WEBFILTER extended deny tcp host 192.168.254.115 any eq https
access-list WEBFILTER extended permit tcp any any eq www
access-list WEBFILTER extended permit tcp any any eq https
regex allowex1 "website1\.com"
regex allowex2 "website2\.com"
class-map type inspect http match-all allow-url-class
match not request header host regex allowex1
match not request header host regex allowex2
class-map allow-user-class
match access-list WEBFILTER
policy-map type inspect http allow-url-policy
parameters
class allow-url-class
  drop-connection
policy-map allow-user-url-policy
class allow-user-class
  inspect http allow-url-policy
service-policy allow-user-url-policy interface inside
HOW can the HTTPS traffic be also blocked in the above configuration? What am I missing?
Thanks in advance for your help
Juan

Is it even possible for ASA MPF to inspect and filter HTTPS traffic? I do not even see it in the options:
(config)# class-map type inspect ?
configure mode commands/options:
  dns   Configure a class-map of type DNS
  ftp   Configure a class-map of type FTP
  h323  Configure a class-map of type H323
  http  Configure a class-map of type HTTP
  im    Configure a class-map of type IM
  sip   Configure a class-map of type SIP
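An added example, not part of Juan's posts or the Cisco document he cites, showing the piece the MPF policy above cannot provide. The ASA HTTP inspection engine parses cleartext HTTP only; inside a TLS session the Host header is encrypted, so a `match request header host` class never fires on port 443 flows and the HTTPS sessions pass untouched. The usual fix is an ordinary interface ACL for port 443 that permits the exempt host and the allowed destinations and denies the rest, while the regex inspection above keeps handling port 80. FQDN network objects (ASA 8.4(2) and later) let the ACL reference the hostnames; the object names, the DNS server address and the `INSIDE_IN` ACL name are assumptions made for this example.

```text
! Added example, not from the original post. Placeholders: the two hostnames and
! the exempt host from the question, DNS server 192.168.254.1 (assumed to be the
! home router), and the ACL/object names.
!
! FQDN objects are resolved by the ASA itself, so it needs a working resolver.
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.254.1
!
! Destinations everybody may reach over HTTPS (the same two sites as the regexes).
object network WEBSITE1
 fqdn website1.com
object network WEBSITE2
 fqdn website2.com
object-group network ALLOWED-HTTPS-SITES
 network-object object WEBSITE1
 network-object object WEBSITE2
!
! The host the WEBFILTER deny entries already exempt from HTTP inspection.
object-group network UNFILTERED-CLIENTS
 network-object host 192.168.254.115
!
! Evaluated top-down; "log" on the deny records each blocked flow (syslog 106100).
access-list INSIDE_IN extended permit tcp object-group UNFILTERED-CLIENTS any eq https
access-list INSIDE_IN extended permit tcp any object-group ALLOWED-HTTPS-SITES eq https
access-list INSIDE_IN extended deny tcp any any eq https log
! Applying an ACL removes the implicit permit for inside-to-outside traffic, so
! everything else (including port 80, still handled by the MPF policy) must be
! permitted explicitly.
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
```

Two caveats a practitioner should expect. An FQDN object matches only the addresses the ASA's own resolver obtained for exactly that name, so `www.website1.com` needs its own object if it resolves differently from the apex, and a site served from a large CDN pool, or a client using a different resolver than the ASA, can be blocked intermittently. `show access-list INSIDE_IN` hit counts and `show dns-hosts` show which entries and addresses are actually being matched.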

Similar Messages

  • WCCP on ASA for FTP over HTTP

    Hello,
    We have a WSA appliance that we have in explicit mode and want to configure as transparent. The protocols we cache and analyze with WSA are HTTP, HTTPS, native FTP and FTP over HTTP.
    Is there a service number on WCCP for FTP over HTTP protocol? Or it is included within HTTP?
    Thanks a lot in advance.
    Best regards,
    Igor

    Igor,
    The service number 60 (ftp-native service) only applies to transparent redirection of FTP native requests and does not apply to FTP-over-HTTP requests.
    On the other hand, the Content Engine listens for redirected HTTP requests on the standard HTTP port (default port 80). To enable the Content Engine to listen for WCCP-intercepted HTTP traffic on ports other than the default port, configure the custom-web-cache service (98 and 99) or a user-defined WCCP service (services 90 to 97).
    I hope this helps.
    Regards,
    Juan Lombana
    Please rate helpful posts.

  • ASA MPF on HTTP traffic

    Hi, I'm a student who is studying MPF at the moment, and I was just wondering about the parameters (request args regex, request body length, etc.) that HTTP provides. I looked it up and went through some resources and information on the Cisco website, but it was difficult to understand all of these parameters.
    How does the ASA match up with HTTP traffic? Are these parameters located in the HTML (body, Java, ActiveX)? Where are they located?
    Thanks in advance!

    Hello Terry,
    The first thing to understand when we are talking about inspection on layers 5 to 7 (in this case HTTP) is that, in order for it to work, the client has to be on one ASA interface and the server needs to be on another one; this allows the ASA to investigate the HTTP session.
    Now, you are asking how the ASA is going to match that traffic. Well, with the policy map type inspect we decide what to match (the HTTP request, response, etc.). We can use different things in order to do it; just as an example, we can create a regular expression that matches www.cisco.com (\.cisco\.com) and then let the ASA know that it matches the header of the HTTP packet using that particular rule, and then we will be able to block cisco.com, as an example.
    You can also match the URI, etc., and then apply the right HTTP inspection parameter.
    Please rate helpful posts.
    Regards,
    Julio

  • Configure DNS on Snow Leopard Server for Web Hosting

    Hi Everyone,
    I put together an article on my blog about Snow Leopard DNS setup for web hosting. http://www.mkahn.com/?p=279
    I'll be revising it over the next few weeks to make it more informative based around feedback. Let me know if you have any questions or trouble setting up DNS on Snow Leopard Server for web hosting.

    Thanks for your replies. I realize I'm not making clear the way this network is configured . Also, the only services running on the Snow Leopard server are (at this time):
    dhcpd - in the 10.136.31.x range;
    dns - same as before;
    planned to add are:
    Open Directory (for network logins)
    Software update;
    Web (only on the 10.136.31.x Ethernet);
    mySQL (localhost only - for moodle);
    NAT is not set up on the Snow Leopard server itself. We have an outside router, a Cisco 2811. This router provides routing for both the public IP range, and the NAT range is configured in this router. The forwarding dns is located in LR and Fayetteville. So what I need is dns on Snow Leopard to forward outside queries to the state DNS servers, and resolve the local NAT IP only for Open Directory and a set of Snow Leopard clients.
    Is this going to be possible?

  • Override action "save as" command with save for web batch processing

    Hi everyone,
    I've created an action that uses the save for web dialogue to optimise images for the web. When I use the batch command to process a full folder of images, even though I have "Override action "save as" command" checked, it ignores this and still uses the location that was used when the action was created.
    Apparently this is a known issue in CS6 and previous versions but I wondered if anyone knows whether this has been fixed in Photoshop CC?
    Appreciate any advice.
    Thanks

    Since save for web is an export plugin, none of the destination options have any effect on where the files are saved
    or the file names.
    Save for web only saves the files to the folder specified when you recorded the action.
    (it's always been that way and still is in photoshop cc)
    You might look at the Image Processor Pro
    (included in Dr. Brown’s Services 2.3.1)
    (has a save for web option)
    http://www.russellbrown.com/scripts.html

  • CS3 Save for Web bugs - No answer from Adobe in all forum posts

    I just upgraded to Illustrator 13.0.02 and the problem is the same: Slice names and output settings are not remembered/saved like all previous AI versions.
    I don't understand why this post was closed: CS3 Save for Web Problems
    http://www.adobeforums.com/webx?128@@.3bc41aeb.
    and this one: "Save for Web" names of frames vanish
    http://www.adobeforums.com/webx/.3bc4cd31/2
    It is the same as: AI CS3 - Save for Web & Devises image name problem
    http://www.adobeforums.com/webx?128@@.3c057eab
    Concerning slice name: It looks like they now have to be saved via drop down menus in order for Illustrator to remember the slice names for export again: "Object - Slice - Slice Options, and then in Save for Web, set the Output Settings for Saving Files"
    In my opinion this is incredibly poor UI design. In prior versions of Illustrator, I would save the names in the Save for Web dialog box by simply double clicking the slice frame, and it would remember the names of my slices for export again.
    Clicking through drop down menus just to name a slice is inefficient compared to just double clicking a slice frame to name the slice.

    This is a bit of an old thread, but I too have recently discovered this problem in working with AI CS3.
    I contacted Adobe support with the question. I asked them why it was not possible to select and optimize individual slices in the Save for Web and Devices dialog in CS3, and then maintain those settings after saving the slices or clicking "Done"... even though that very feature was available and working in CS2.
    Adobe's answer was, quite simply, that they have ceased any development on CS3, including bug fixes, and that anyone who wants the problem fixes would have to buy CS4 in order to "fix" the problem.
    In short, they are quite aware of the problem, but would rather have us pay for a new product in order to have it fixed, than to pay a programmer to spend a few hours or a few days in tracking down the problem and getting it sorted out. This is their short-term solution to a long-term problem.
    There is a workaround to the slice naming, as you have found - name the slices from the Object - Slice - Slice Options menu. It's a royal PITA, I know, but it does maintain the slice name settings.
    However, there is no real workaround to save the optimization and output settings (such as color tables and JPEG/GIF/PNG settings) for each slice. It's a completely broken feature, or in Adobe's own words, "a problem". A big fat bug. Let us not mince words here - it is technical and corporate incompetency. Technical incompetency can be excused - publishing a new build will fix the problem. But corporate incompetency, which tells the programmers that they don't need to fix the problem for "marketing" reasons, is totally inexcusable.
    It doesn't cost Adobe anything to just shelve a problem... at least, not now. But I refuse to buy Illustrator CS4 as a result, because I don't want to give in to their ineptitude and lack of attention to the customer in this case. Which costs them more now, to pay the programmer to fix the error and then publish a new build on their web server... or to tell the customer that the problem won't be fixed and to buy the newest version? You do the math. Read 'em and weep.
    Makes you want to migrate to Fireworks for web comp design, doesn't it. At least Illustrator has an excuse - it's an all-purpose vector graphics application, not specifically a web comp design app. If this were Fireworks, on the other hand, I think that there would be oodles of furious programmers screaming colorful obscenities at Adobe's front door.
    I really like Illustrator for what it does, but I'm not using CS3 for any more web comps after this.
    Jeff Chapman

  • ASA CX content filtering, looking for suggestions

    I wanted to get some feedback on how the rest of you security folks are doing web content filtering.
    The CX does a great job with HTTP but when it comes to HTTPS it leaves a lot to be desired. When the CX first went live, it was configured to decrypt all HTTPS traffic and Deny transactions to servers "Using an untrusted certificate" and "If the secure session handshake fails" turned on.
    Immediately I started to implement the "Do not decrypt" policy and it worked great for most websites experiencing HTTPS decryption issues. Other websites required that HTTPS certificate be imported to the CX for it to work.
    However, due to the constant "error:140920E3:SSL routines:SSL3_GET_SERVER_HELLO:parse tlsext" I experimented with different workarounds till I found these articles.
    http://www.exploresecurity.com/the-small-print-for-openssl-legacy_renegotiation/
    https://www.digicert.com/news/2011-06-03-ssl-renego.htm
    TAC's suggestion was to create a deny statement (using an object group that defines the FQDN) at the top of the ACL that send the traffic from the ASA to the CX. This was the only way to keep the CX deny "Using an untrusted certificate" and "If the secure session handshake fails" decryption settings turned on.
    Now I feel I am back at square one as the number of exceptions has grown exponentially. This has led me to believe that I need to revisit the way that content filtering is being implemented. My goal is to apply a simple yet scalable solution. As I see it, I can continue to add to the "ASA to CX" exemption list; this is not a scalable solution as it requires all FQDNs to be defined (ex. bank.com, server1.bank.com, server2.bank.com, etc.). The alternative is to relax the CX decryption configurations, which I feel is the equivalent of removing a car's airbags for weight reduction to make it faster.
    Any input would be appreciated!

    I've come to the conclusion that SSL decryption is only possible where a robust PKI has been deployed in an enterprise. Even then we would ideally use a dedicated SSL decryption appliance so we can hand the CX (or ASA with FirePOWER service module) plain old http for inspection.
    The software modules just don't have the processing power to be able to do line rate decryption for any but the most modest throughput rates.
    Also, the CX is being deprecated going forward in favor of the FirePOWER modules so you won't see any significant new feature addressing this shortcoming on the CX.

  • Can Cisco connect be used for small business web filtering?

    I am searching for a web filtering solution for our small church.  The core requirement is to use a hardware-based solution to filter all internet traffic.  Our current wiring looks like this: [ISP router] --> [switch] --> [Open Mesh wireless access points].  Can I connect a Linksys EA2700/3500/4500/6500 between the [ISP router] and the [Switch], disable the Linksys wireless, and use Cisco Connect to filter all the internet traffic?
    More info: We will only have a handful of wired/wireless devices which we have control over.  We expect most of the rest of the traffic to be generally outside our control via personally owned devices connecting thru the public wifi.  Therefore any solution which requires installation of software on individual devices will not work.
    (If there are other threads on this topic I'd be more than happy to read them, I just couldn't find any.)
    Thanks!!

    Hey
    check this article:
    http://www.oracle.com/technology/pub/articles/cunningham-database-xe.html
    Regards

  • Web Filtering Cisco ASA 5510

    Hello !
    I'm a network administrator, and I have been looking at how to set up web filtering in a network. We are using a Cisco ASA 5510 as a firewall, and I have been looking for a way to block URLs such as Facebook and streaming websites, since users are allowed to access any website and they have been downloading stuff lately and I can't control the bandwidth!!
    What do you guys recommend?
    Thanks

    Hi Neji,
    Here you have all the content security options available on the ASA. I think only the CX doesn't apply to your HW but the other options are available.
    Block URLs using Regular Expressions (Regex)
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml
    CSC module:
    http://www.cisco.com/en/US/products/ps6823/index.html
    How to enable the CSC module:
    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ssm.html
    ASA CX module (ASA 5512, 5525, 5545, 5555)
    http://www.cisco.com/en/US/docs/security/asa/quick_start/cx/cx_qsg.html
    Scansafe:
    http://www.cisco.com/web/about/ac49/ac0/ac1/ac259/scansafe.html
    Configuration Cisco Cloud Web Security
    http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/protect_cloud_web_security.html#wp1559223
    Ironport:
    http://www.cisco.com/web/about/ac49/ac0/ac1/ac259/ironport.html
    How to integrate the ASA with Ironport (WCCP):
    https://supportforums.cisco.com/docs/DOC-12623
    HTH
    Luis Silva
    "If you need PDI (Planning, Design, Implement) assistance feel free to reach"
    http://www.cisco.com/web/partners/tools/pdihd.html

  • ASA - What is allowing return HTTP traffic?

    Hi,
    I'm just playing around with a few ASAs and wondering what allows return HTTP traffic into the firewall? Also, what other traffic is allowed by default like HTTP?
    Traffic is originating from a higher security interface (inside, 100) to a lower security interface (outside, 0). There are no ACLs applied on any interfaces.
    I'm asking because ICMP doesn't work unless inspection is turned on (service-policy global_policy global).
    Thanks for any help.

    Firewalls like the ASA are stateful so for TCP and UDP (although with UDP state is handled a little differently) if traffic is allowed one way it is automatically allowed back.
    So when a connection is initiated, if it is allowed through the firewall an entry is made in the state table and when the return packet arrives at the firewall if there is a matching entry the traffic is allowed and there is no acl check.
    The entry is made on source and destination IP and port numbers, and for TCP it also uses the connection flags.
    ICMP doesn't use ports so originally it could not be treated statefully and you had to allow it back in with an acl (if traffic was from lower to higher security level).
    But then stateful inspection was added for ICMP as well but you still need to enable it unlike TCP and UDP.
    Jon
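As an added example, not part of Jon's answer, the two ways his point shows up in configuration. With no ACL on the outside interface and no ICMP inspection, an echo reply arriving from outside has no connection entry to match, so it is dropped; either an inbound ACL on the lower-security interface or ICMP inspection in the global policy fixes that. The ACL name and the interface names are the usual defaults and are assumptions here.

```text
! Added example, not from the original thread. Assumed names: interfaces
! "inside"/"outside", ACL OUTSIDE_IN, and the default global_policy.
!
! Option 1 (stateless): explicitly allow the reply types back in on the
! lower-security interface. Anyone outside can also send these unsolicited.
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface outside
!
! Option 2 (stateful): add ICMP to the default inspection class so an inside
! echo request creates a connection entry and only the matching reply is
! allowed back, with no outside ACL needed.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global
```

Option 2 is the one to prefer: an unsolicited echo reply or unreachable from outside is dropped because nothing in the connection table matches it, whereas option 1 lets those packets in to any inside host. With inspection enabled, `show conn` lists the ICMP entries while a ping is running and `show service-policy inspect icmp` shows the counters.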

  • How to specify HTTPS endpoint for web role?

    We're using CloudService of Azure, and within there are two web roles (A and B), we hope both use HTTPS protocol.
    For web role A, we specify the endpoint like this:
    <Endpoints>
    <InputEndpoint name="WebPortalEndPoint" protocol="https" port="443" certificate="WebPortalCertificate" />
    </Endpoints>
    For web role B, we do like:
    <Endpoints>
    <InputEndpoint name="WebApiEndPoint" protocol="https" port="444" certificate="WebApiCertificate" />
    </Endpoints>
    So after deploying to cloud, we can use this url to visit web role A: https://name.cloudapp.net, but for web role B, we couldn't visit like: https://name.cloudapp.net:444.
    Do we miss something? What ports can we use if we want to add more web role to cloud service which use HTTPS?

    Hi,
    How did you set the endpoints on your Azure projects? I set my test project like this:
    WebRole1 Endpoints:
    WebRole2 EndPoints:
    I can use the 443 to access the webrole1, and use 8081 to access webrole2. If your setting didn't work, I suggest you could reset and re-deployed again.
    Regards,
    Will

  • QoS value for http traffic from IP Phone

    Since the phone marks all voice with CoS 5 and data traffic with CoS 0, does this also include traffic sourced from the IP phone's HTTP requests when doing directory lookups and IP Phone Services?
    Thanks!

    With 4.1 and up (not sure if 4.0 had this), this traffic is marked with TOS 3 or DSCP CS3 (24). You can modify this enterprise parameter to what ever you want.
    DSCP for SCCP Phone-based Services :
    This parameter specifies the Differentiated Service Code Point (DSCP) IP classification for IP phone services on SCCP-based phones, including any HTTP traffic. Note: You must restart SCCP-based phones for this parameter change to take effect.
    This is a required field.
    Default: default DSCP (000000).
    Restart SCCP-based phones for the parameter change to take effect.
    HTH
    Sankar
    PS: please remember to rate posts!

  • Web.Xml Mapping For using Filters in Servlets

    Hi Team
    Can anyone help me in getting the correct XML mapping for using filters?
    Currently I am getting a 404 error when calling any resource
    using the below mapping:
    <web-app>
    <display-name>OM</display-name>
    <welcome-file-list>
    <welcome-file>Hello.html</welcome-file>
    </welcome-file-list>
    <filter>
    <filter-name>Basic Filter</filter-name>
    <filter-class>BasicFilter</filter-class>
    </filter>
    <filter-mapping>
    <filter-name>Basic Filter</filter-name>
    <url-pattern>/sample1</url-pattern>
    </filter-mapping>
    <servlet>
    <servlet-name>sample2</servlet-name>
    <servlet-class>com.ustri.xml.FilteredServlet</servlet-class>
    </servlet>
    <servlet-mapping>
    <servlet-name>sample2</servlet-name>
    <url-pattern>/sample1</url-pattern>
    </servlet-mapping>
    </web-app>
    Thanks
    santhosh

    As the message tries to suggest, the elements under <web-app> must appear in a specific order. In particular the <filter> elements, if any, must appear before any <session-config> elements. That isn't the case in what you posted so it fails validation by the DTD.

  • Possible to use http for web authentication?

    Hi All,
    We are using a WLC 2500 and AP 1041 with web authentication. Since we do not have a trusted/public certificate and want to get rid of the certificate warning during the user login, I would like to ask if it is possible to change the web authentication method from HTTPS to HTTP. Thanks.
    Rgds,
    Jacky

    Hi Jacky,
    Yes, you can... But there is a catch.
    1) If you're running WLC code below 7.2.X then the only option is to disable HTTPS globally (meaning HTTPS management access is disabled, only HTTP).
    2) If you are running 7.2.X and above, then you can use HTTP for client webauth and HTTPS for management access.
    The command for disabling HTTPS for web authentication would be:
    config network web-auth secureweb disable
    Hope that helps
    Regards
    Najaf
    Please rate when applicable or helpful !!!

  • Kerberos encryption for HTTP traffic

    Hello
    I am writing a client for the WinRM service (Windows Vista). This service uses the SOAP protocol for communication.
    And I cannot make a subscription for Windows events using the Push method.
    The issue is that when I try to make an event subscription, Vista tries to test the connection with my server, but I don't know what I should send back for the test connection request to Vista WinRM... :(
    I didn't find it in MSDN.
    Subscription request is:
    <?xml version="1.0" encoding="UTF-8"?>
    <env:Envelope xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:e="http://schemas.xmlsoap.org/ws/2004/08/eventing" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:ew="http://www.example.com/warnings'" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:x="http://www.w3.org/2001/XMLSchema">
    <env:Header>
    <a:To s:mustUnderstand="true">HTTP://winrmcient:80/wsman/</a:To>
    <w:ResourceURI>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</w:ResourceURI>
    <a:Action s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/eventing/Subscribe</a:Action>
    <a:MessageID s:mustUnderstand="true">uuid:a4b86ede-32d0-4a28-91f5-bc8f36bfca22</a:MessageID>
    <a:ReplyTo>
    <a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
    </a:ReplyTo>
    <w:MaxEnvelopeSize>262144</w:MaxEnvelopeSize>
    <w:Locale xml:lang="en-US"/>
    <w:OperationTimeout>PT5M0.000S</w:OperationTimeout>
    <w:OptionSet>
    <w:Option Name="ReadExistingEvents" mustComply="false"/>
    <w:Option Name="ContentFormat">RenderedText</w:Option>
    </w:OptionSet>
    </env:Header>
    <env:Body>
    <e:Subscribe>
    <e:Delivery e:Mode="http://schemas.xmlsoap.org/ws/2004/08/eventing/DeliveryModes/Push">
    <e:NotifyTo>
    <a:Address>http://Antares:443</a:Address>
    </e:NotifyTo>
    </e:Delivery>
    <e:Expires>PT12H0M0.000S</e:Expires>
    <w:Filter>
    <QueryList>
    <Query Path="Security">
    <Select>*</Select>
    </Query>
    <Query Path="System">
    <Select>*</Select>
    </Query>
    <Query Path="Application">
    <Select>*</Select>
    </Query>
    </QueryList>
    </w:Filter>
    <w:SendBookmarks/>
    </e:Subscribe>
    </env:Body>
    </env:Envelope>
    WinRM connection test request is request with empty content length and with header:
    Host=[Antares:443], Content-type=[application/soap+xml;charset=UTF-16], Content-length=[0], Connection=[Keep-Alive], Authorization=[Kerberos …], User-agent=[Microsoft WinRM Client]
    I tried to send empty response(with the same test request header) for test request but it doesn't take any effect.
    WinRM subscription response is:
    <?xml version="1.0" encoding="UTF-8"?>
    <s:Envelope xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:e="http://schemas.xmlsoap.org/ws/2004/08/eventing" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xml:lang="en-US">
    <s:Header>
    <a:Action>http://schemas.xmlsoap.org/ws/2004/08/eventing/fault</a:Action>
    <a:MessageID>uuid:B83898C7-9F93-4E7A-8C8C-B72C7D189908</a:MessageID>
    <a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To>
    <a:RelatesTo>uuid:a4b86ede-32d0-4a28-91f5-bc8f36bfca22</a:RelatesTo>
    </s:Header>
    <s:Body>
    <s:Fault>
    <env:Code xmlns:env="http://www.w3.org/2003/05/soap-envelope">
    <s:Value>s:Sender</s:Value>
    <s:Subcode>
    <s:Value>e:EventSourceUnableToProcess</s:Value>
    </s:Subcode>
    </env:Code>
    <env:Reason xmlns:env="http://www.w3.org/2003/05/soap-envelope">
    <s:Text xml:lang="en-US">The connectivity test from the push subscription source to the client failed. This can happen if the client machine initiating the push subscription is unreachable from the server machine where the event source is located. Possible reasons include firewall or some other network boundary. Modify subscription to use Pull based subscription. </s:Text>
    </env:Reason>
    <s:Detail>
    <w:FaultDetail>http://schemas.dmtf.org/wbem/wsman/1/wsman/faultDetail/UnusableAddress</w:FaultDetail>
    <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150858901" Machine="">
    <f:Message>The connectivity test from the push subscription source to the client failed. This can happen if the client machine initiating the push subscription is unreachable from the server machine where the event source is located. Possible reasons include firewall or some other network boundary. Modify subscription to use Pull based subscription. </f:Message>
    </f:WSManFault>
    </s:Detail>
    </s:Fault>
    </s:Body>
    </s:Envelope>
    In WinRM documentation I see:
    Note: HTTP traffic by default only allows messages encrypted with the Negotiate or Kerberos SSP.
    But I use a simple Java HttpConnection and there are no references to Kerberos in the JavaDoc for this class... :(
    One more - I use BASIC authentication.
    Does anybody know what I should send back for the connection test request?

    Sorry, I forgot to set "java.security.krb5.conf" and "java.security.auth.login.config" properties.
    But after I set these properties I've got another exception:
    GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
         at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:87)
         at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:111)
         at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178)
         at sun.security.jgss.spnego.SpNegoMechFactory.getCredentialElement(SpNegoMechFactory.java:109)
         at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178)
         at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:384)
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:42)
         at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:139)
         at com.symantec.cas.ucf.sensors.ws_management.WSServer.start(WSServer.java:132)
    Caused by: javax.security.auth.login.LoginException: No LoginModules configured for
         at javax.security.auth.login.LoginContext.init(LoginContext.java:256)
         at javax.security.auth.login.LoginContext.<init>(LoginContext.java:499)
         at sun.security.jgss.GSSUtil.login(GSSUtil.java:244)
         at sun.security.jgss.krb5.Krb5Util.getKeys(Krb5Util.java:185)
         at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:82)
         at java.security.AccessController.doPrivileged(Native Method)
         at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:79)
         ... 28 more
    But it seems to me that I've set login module correctly:
    com.sun.security.jgss.krb5.initiate {
        com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=false useTicketCache=false;
    };
    May be I missed something...
    What do you think about it?
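As an added example, not part of the post above: the JAAS entry names JGSS actually looks up. The stack trace shows `Krb5AcceptCredential` calling `GSSUtil.login`, which on Java 6 and later resolves acceptor (server-side) credentials through the entry `com.sun.security.jgss.krb5.accept` (Java 5 used `com.sun.security.jgss.accept`), while the posted file only defines the `initiate` entry. A server that receives the `Authorization: Kerberos` test request needs the accept entry with a keytab holding the service principal the WinRM client asks for, normally `HTTP/<hostname>`; the keytab path, realm and hostname below are placeholders.

```text
/* Added example JAAS configuration, not from the original post. Placeholders:
   keytab path, service principal and realm. The initiate entry is kept for the
   outgoing Subscribe request; the accept entry is what the acceptor credential
   lookup in the stack trace needs. */
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=false
        useTicketCache=false;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        storeKey=true
        keyTab="/etc/krb5/winrm-listener.keytab"
        principal="HTTP/antares.example.com@EXAMPLE.COM"
        isInitiator=false;
};
```

The keytab principal has to match the SPN the Windows client builds from the `NotifyTo` address (host `Antares` in the subscription), and the same principal must be registered in Active Directory, or the client will not be able to obtain a service ticket at all. Running with `-Dsun.security.krb5.debug=true` prints which entry name JGSS asked JAAS for, which is the quickest way to confirm the "No LoginModules configured for" message refers to the accept entry.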
