Multiple certificates and JavaHelp - A solution

Similar Messages

• How to install maintenance certificate and License with solution Manger?

  Hi all,
  Is this possible to install maintenance certificate and License with solution Manger atomatically ?
  Regards,
  Neni

  Hi Swaroop,
  There is a feature in SAP Solution manager through which we can instal the licenses.
  Please see below links,
  http://help.sap.com/saphelp_sm70ehp1_sp23/helpdata/en/41/42b6397c604278b6626f3d570c98c8/content.htm
  http://help.sap.com/saphelp_sm70ehp1_sp23/helpdata/en/89/a7c08d740c4cffb491f98801f17d30/content.htm
  Thanks,
  Jagadish.

• Multiple additional SIP domains - certificate and DNS requirements

  We've setup Lync 2010 Enterprise in our organisation and have successfully enabled a couple of thousand users.
  This is working successfully internally, externally and through Lync Mobile.
  However, we've only enabled users who are using the main company domain for SMTP and SIP addresses aaaaa_group.com (so all nice and easy so far!)
  In other words, user A has a primary SMTP and SIP address of
  UserA@aaaaa_group.com
  However, due to numerous mergers and acquisitions over the years, we have quite a lot of users who have other primary SMTP addresses e.g. bbbbb_co.uk, ccccc_company.com, ddddd_ltd.co.uk, de.ccccc_company.com etc etc
  There must be in excess of 40 to 50
  of these other domains in use as primary SMTP addresses.
  (Nearly all
  these users have secondary SMTP addresses of aaaaa_group.com).
  I have been told to approach this from a best practices point of view and give all users a SIP address that matches their primary SMTP address and calculate how much it will cost to buy certificates to cover enabling every user for Lync on all these domains.
  I know from reading that wilcard certificates are considered to be a bad thing generally with Lync, especially if using Lync Mobility as the phone Lync clients don't accept them. 
  Wilcard certificates aside, what are the names that will I need to add to my SAN certificates?  Presumably sip.domain.com, access.domain.com, meet.domain.com, dialin.domain.com, edge.domain.com, autodiscover.domain.com, lyncdiscover.domain.com
  The potential cost of all these names is frankly getting pretty scary considering we currently use Verisign for all our cert requirements, and they charge like a wounded bull.  However, I still need to report back with a cost of doing this, no matter
  what it is.
  Any thoughts/comments would be very welcome. :-)

  Actually the Mobility clients for mobile devices (cell phones, tablets) DO support wildcard entries in the certificates, it's the Lync Phone Edition client (desktop handset devices) which does not work with wildcards.  So you may be able to use wildcards,
  but do plenty of research on how to approach this.  Here are some articles to get started:
  http://blog.schertz.name/2011/02/wildcard-certificates-in-lync-server/
  http://blog.schertz.name/2011/02/lync-phone-edition-incompatible-wildcard-certificates/
  That said, if you decide to skip the wildcard approach then you do NOT need to add additional entries for ALL FQDN types, only some.
  For both the Edge Server external certificate and any internal Front End certificate you'll need to add the 'sip' FQDN for every domain to the SAN field.
  sip.domain1.com, sip.domain2.com, sip.domain3.com, etc
  The Front End certificate will also need the lyncdiscover and lyncdiscoverinternal
  FQDNs, and the Reverse Proxy certificate will require the lyncdiscover
  FQDNs.
  For Exchange Server you'll need to an autodiscover.domainX.com record as well, although this can also be covered by the wildcard entry.  The remainder of names (web conferencing, external web services, dialin, meet, etc.) can all remain in the primary
  SIP domain only as these FQDNs will be passed in-band to the clients after they have successfully signed-in to Lync.  Unless you need users to all user their own domain names for the SimpleURLs (which it doesn't not sound like in your scenario) then you'd
  have to add all those as well.
  So if you are not supporting any Lync Phone Edition devices I would try going with the wildcard route first to see how well things work.  And even if you do have some of those devices you could simply add the 40-50
  sip.domain.com FQDNs to both the FE and Edge certificate but still use a wildcard entry for the mobility clients, SimpleURls, etc.  Just make sure that the certificates Common Name (e.g. Subject Name) is NOT the wildcard entry, use the primary
  domain name entry in the CN and then place the wildcard entries in the SAN field.  It is also best practice to duplicate the CN as a SAN field entry for the widest range of support by all clients.
  For example:
  Edge Server external certificate
  Common Name: sip.domain1.com
  Subject Alternative Name: sip.domain1.com, *.domain1.com, *.domain2.com, *.domain3.com, *.domain4.com,
  etc...
  Jeff Schertz | Microsoft Solutions Architect - Polycom | Lync MVP

• Solution need for multiple xml and Flowlist component

  Hi! I am using multiple xml and AFComponents AS3 Flowlist component. I am having an issue with the thumbnails in the Flowlist component after about 20 or so user clicks, the images no longer appear, yet the threaded data is still there. http://www.littlewinggames.com/
  I have tried changing some publish settings: hardware acceleration to Level-1 Direct and script time limit increased to 30???
  Can anyone please help me to find a solution? Greatly appreciated! Lisa [email protected]

  Ben,
  Normally when you have multiple cameras you would log into the web interface and change the http port of at least one of them. The default port is 80. We normally would change one camera to use http port 1024 and the second 1025. Then you simply forward port 1024 to the first camera and 1025 to the second in the router. Just remember that when you attempt to access the cameras after you change the port it will look like this: :1024">http://:1024 (locally and remotely) Please reply if you have further questions.

• How to achieve no-downtime solution deployment on farms with multiple WFEs and LB

  Taking SharePoint Solution Deployer, my opensource PowerShell deployment script, to the next level,
  Bill Simser got me the idea of making the deployment even more smooth on farms with multiple WFEs and load balancer in order to achieve a no-downtime deployment
  The basic idea is to deploy the solutions on each WFEs one-by-one by
  1. Taking one WFE offline
  2. Installing the solution with the -local switch
  //Solution deployment
  Install-SPSolution -Identity <solutionname>.wsp –GACDeployment –CASPolicies –Local
  // Solution upgrade
  Update-SPSolution -Identity <solutionname>.wsp -LiteralPath LocalPathOfTheSolution.wsp -GacDeployment -Local
  3. Run post-deployment actions on the WFE (ie. restart services, recycle apppools or IIS reset, warmup server), which my script already does for each server
  4. Take WFE online again
  5. Repeat step 1-4 for all other WFEs
  I am struggling with three things here:
  1. The whole deployment process could be quite risky when something goes wrong in between. And in order to roll back I would require the original solution if it was already deployed before (which I can back up of course before I replace
  it)
  Anything which involves changing the content dbs should of course be done after the solutions is deployed to the whole farm, so this should not hurt in this case.
  Anyway MSDN says that the "DeployLocal" method (which I assume is the same as the -local switch in PS ) should be only used
  for
  troubleshooting purposes.
  So it would be great to hear about anyones experiences with it
  2. As there can be different types of load balancers (hardware, software) which might not be configurable through my script I assume that taking out the WFE from the the load balancer may not always be possible.
  So I thought about just taking the server offline.
  I haven't found an option yet to take only one server in the farm offline (without removing it from the farm of course), so maybe I miss something. Any ideas?
  3. Before taking a single WFE offline, I would like to assure that this server does not have any open sessions, operations of users ongoing. Unfortunately I found only the possibility to quiesce the whole farm, but not a single
  server. Am I missing something?
  Appreciate any ideas which might point me in the direction to solve the overall goal!
  SharePoint Architect, Speaker, MCP, MCPD, MCITP, MCSA, MCTS, Scrum Master/Product Owner
  Blog: www.matthiaseinig.de, Twitter:
  @mattein
  CodePlex: SharePoint Software Factory,
  SharePoint Solution Deployer

  Hi Mike, 
  unfortunately not. I tried several different approaches but didn't really success reliably with any of them. So eventually I gave up on it.
  Interesting idea though that Eric Hasley is commenting on the blog post you mentioned.
  "There is another approach that has worked for me in the past.  Because the deployment to each server is handled through a timer job,
  by stopping the timer service in a controlled fashion you can rollout your solution without incurring any user outage."
  It could work like that (in theory).
  Stop the SPTimerV4 on all servers in the farm apart from one.
  Take out the one to deploy to from the NLB
  Wait until it has no connections
  Deploy the solutions on it in the ordinary way (eg. with my
  SharePoint Solution Deployer ;))
  Put it back into the NLB and take the others out
  Wait until they have no connections left
  Activate the timer service on the others servers and let them deploy
  Put them back into the NLB
  No clue if this is actually working and you still have the problem with the NLB, so it could take a while.
  Also I am not certain what happens in state 5 if users use different versions of your solutions at the same time (old version on the remaining open connections, new version on the updated server)
  I do not have a suitable farm at hand to play with it though, so can't test it.
  Cheers
  Matthias
  Matthias Einig, CEO, SharePoint MVP
  Blog: www.matthiaseinig.de, Twitter:
  @mattein
  Projects: SharePoint Code Analysis Framework (SPCAF),SharePoint Code Check (SPCop),
  SharePoint Software Factory,
  SharePoint Solution Deployer

• Multiple mail certificates and signing mail

  If I understand the information I have read correctly, you can sign an email in Mail as long as you have a personal certificate. I can do this without a problem. My question to you all is.. if you have multiple certificates on your machine, which is Mail using to sign? Is there a way to choose a default?
  Thanks.

  your personal cert should be tied to a specific email address. mail uses the one for the address that is being used to send the email. if the digital signatures/certs aren't tied to a single email address, what good would they be?

• Is it possible to use certutil to export multiple certificates from a local client machine store, to a .p7b file?

  Is it possible to use certutil to export multiple certificates from a local client machine store, to a .p7b file?
  Scenario: We have a few legacy certificates based on some legacy templates (2012 R2). Some belong to an old SubCA (2008 R2).
  I’ve can manually export them using certmgr mmc on the local machine to a single .p7b e.g.
  cert_backupNEW.p7b. But this is not a practical solution for me and I want to achieve this remotely via certutil or some other util that comes with Windows 7 machines.
  I’ve already worked out how to run a certutil command to add the certs back into the store e.g.
  certutil.exe -addstore -f my cert_backupNEW.p7b
  Is there a way to export multiple certs to a single backup cert, or is what I’m trying to do not possible with multiple certs?
  TC

  Something like this:
  $store = New-Object Security.Cryptography.X509Certificates.X509Store "my","localmachine"
  $store.Open("ReadOnly")
  Set-Content -Path exportedcerts.pfx -Value $store.Certificates.Export("pfx","password")
  $store.Close()
  note that this command will fail, if there are certificates with non-exportable keys. You cannot export certificates with non-exportable keys.
  My weblog: en-us.sysadmins.lv
  PowerShell PKI Module: pspki.codeplex.com
  PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
  Check out new: SSL Certificate Verifier
  Check out new:
  PowerShell FCIV tool.

• Multiple certificate stored in Browser

  I run certificate request using https://.../oca/sso_oca_link and also /oca/user.
  eg. with these User DN:
  => cn=ferry,cn=users,dc=subdom,dc=mydomain,dc=com
  => cn=tova,cn=users,dc=subdom,dc=mydomain,dc=com
  => cn=ferry,cn=users,dc=subdom,dc=mydomain,dc=com
  By requesting certificate several times from the same PC using several user account, have result in multiple certificate stored in Browser.
  When visit my secure web using Internet Explorer 6, a window raised and lists these
  "users"
  "users"
  "users"
  By using Netscape Navigator 7.1: a window appear with a bit more information display
  "users's myOrganisation"
  "users's myOrganisation"
  "users's myOrganisation"
  and some explanation eg
  Issued to:
  Subject: CN=ferry, CN=users, DC=subdom, DC=domain, DC=com
  Serial Number: 1C
  Valid from 23/09/2005 14:53:42 to 23/09/2006 14:53:42
  Issued by:
  Subject: CN=MyCcertificate Authority,...
  How to display USER NAME (according to CN) in the list instead of "users" ?
  or this is the expected behaviour?
  TIA,
  ferry

  Ok. I've found the solution.
  For reference to all you guys:
  ByteArrayInputStream bais = new ByteArrayInputStream( (byte[])attr.get() );
  CertificateFactory cf = CertificateFactory.getInstance("X.509");
  cert = (X509Certificate)cf.generateCertificate(bais);

• Cisco ISE - EAP-TLS - Machine / User Authentication - Multiple Certificate Authentication Profiles (CAP)

  Hello,
  I'm trying to do machine and user authentication using EAP-TLS and digital certificates.  Machines have certificates where the Principal Username is SAN:DNS, user certificates (smartcards) use SAN:Other Name as the Principal Username.
  In ISE, I can define multiple Certificate Authentication Profiles (CAP).  For example CAP1 (Machine) - SAN:DNS, CAP2 (User) - SAN:Other Name
  Problem is how do you specify ISE to check both in the Authentication Policy?  The Identity Store Sequence only accepts one CAP, so if I created an authentication policy for Dot1x to check CAP1 -> AD -> Internal, it will match the machine cert, but fail on user cert.  
  Any way to resolve this?
  Thanks,
  Steve

  You need to use the AnyConnect NAM supplicant on your windows machines, and use the feature called eap-chaining for that, windows own supplicant won't work.
  an example (uses user/pass though, but same concept)
  http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

• 3rd party Certificate and AAA Authentication

  I am using a cisco asa5520 and i have set up remote access vpn with an AnyConnect connection profile.
  In the connection profile i have set up that users should authenticate using both certificate and AAA.
  Due to a high security requirement, the user certificate is issued from a 3rd party.
  This is working fine and the user now need a valid certificate and a username/password to authenticate successfully.
  I added the CA certificate as a associated trustpoint on the ASA box to get the certificate verification working.
  Problem:
  If Jane and Joe both have a valid certificate AND a valid username/password, Jane could authenticate using a combo of Joes certificate, and Janes username/password. Both are valid (isolated), but i only want jane to be able to authenticate with her username/password and her personal certificate.
  I got an idea that i could put the Serial Number of the users certificate on the user object in AD (on the users department field or something like that) and check if this value match during authentication.
  So, to sum things up, i want to compare the Serial Number (SER) field of the users certificate with a field on the user object in AD during authentication. As far as i can see the user would need a valid certificate and a valid username/password to authenticate. The user would also be authenticated only if the serial field match the value on the user object in AD.
  I am happy for any help that could point me in the right direction on how to accomplish this.
  Best regards,
  Kenneth

  I actually got a better idea, and i think this will work great!
  One of the guys at work pointed out that the sAMAAccountName is still used in many areas even though it is called pre-windows 2000.
  After some trying and failing i got the idea that should try to change the "Naming Attribute(s)" on the defined AAA (ldap) server under "AAA server groups".
  So i change the Naming attribute to "department", and put in the certificate serial number. I changed the connection profile and specified that it should use the "SER" value from the certificate as username. After that i tried to log in, and voila:
  [123] LDAP Search:
          Base DN = [dc=Testlab,dc=local]
          Filter  = [department=xxxx-xxxx-xxxxxxxxx]
          Scope   = [SUBTREE]
  [123] User DN = [CN=Peter Pan,OU=Wonderland,DC=testlab,DC=local]
  The ldap debug is clear, the ldap query during authentication is now searching for the user using the department field, and looking for the value of the serial number from my certificate.
  I wasnt quite happy about using the "department" field and i took a look at the user object looking for a more suitable attribute. To my surprise the user has got a "serialNumber" attribute, and it can hold multiple values. I changed the "Naming Attribute(s)" from "department" to "serialNumber" and added the serial number from the certificat to the "serialNumber" attribute on the user object:
  [138] LDAP Search:
          Base DN = [dc=Testlab,dc=local]
          Filter  = [serialNumber=xxxx-xxxx-xxxxxxxxx]
          Scope   = [SUBTREE]
  [138] User DN = [CN=Peter Pan,OU=Wonderland,DC=testlab,DC=local]
  Worked like a charm!
  I will settle for this solution, i cant see any issues regarding security, and it will be a breeze to admin. I will make a tool now so i can search for users in AD and update/view this attribute on the user objects.
  Thank you for the input Marcin

• Keychain Access: Adding multiple Certificates, signed by the same CA

  Hello, Community.
  I have recently posted my request for help in this thread:
  http://discussions.apple.com/thread.jspa?messageID=10448884
  Now, I am facing a new problem: I wish to add a new Certificate to the Keychain, but whenever I try, it tells me the item exists, and does not add it to the Keychain. It adds the keys perfectly fine, both public and private, but not the Certificate.
  What can I do to have multiple Certificates, signed by the same CA.
  I cannot add them to my Keychain, so that will be of no help. And I have tried to create every Certificate anew in the same Keychain, but this will not work, either. I created they Certificates and exported them before I went on to the next and they are now on my desktop. This is very inconvenient, as the keychain is distributed over a network as a shared Keychain and resides in a Snow Leopard Server (Domestic version, not Snow Leopard Server). Our business is one day behind, but since it is now weekend, I hope to get this issue resolved by Monday morning, send out the e-mails we should have and update our register with sales.
  Could I please have some advice?
  Also, if this topic is handled in full in another thread, please post the links, so I can read up on this topic and try to find a solution.
  Thank you for your time.
  Kashidom Nenakh
  Mantha Designs incorporated
  http://www.manthadesigns.net
  [email protected]

  http://www.isi.edu/~brian/security/kerberos.html

• Multiple Artists and Genres per Song

  I listen to lots of electronic music, and I'm a professional DJ.
  Electronic music is a very diverse and complex music category, and have lots of genres and sub-genres. Electronic music producers usually try to transpose genre boundaries, and they usually produce songs contained in two or more equally important genres. For instance, a track can be contained in the genres "house" and "techno", or "disco", "techno" and "acid".
  Also, it's really very common that electronic music artists collaborate with each other. Songs produced in collaboration do not belong to one single artist, but to two or more. In this case, it's not correct to say that one is the main artist, and the others are second artists (collaborators, composers remixes, or whatever) - they all detain the same equal authorship status over the composed track.
  The problem with iTunes is that it supports one single genre, and one single artist per song. Sure, there's the album artist, but, again, that doesn't apply to albums where multiple artists participate with equal importance. And using "V.A." or "Various Artists" in the song artist or album artist fields is ugly and useless - it doesn't say anything relevant.
  I know that Smart Playlists and Grouping features can help alleviate this deficiency, but they don't solve them at all. They're not elegant and complete solutions. If you browse the iTunes library, you will still see tracks as having only one genre and one artist, which is very frustrating.
  What I ask is really easy to implement. In fact, it wouldn't require to alter the existing ID3 and tag scheme. Just split artists and genres using a colon or semicolon character. For instance, in the "Artist" tag, iTunes can store the following:
      "Christian Smith; Mark Broom; Renato Cohen"
  and then, in the browser, iTunes could display "Christian Smith", "Mark Broom" and "Renato Cohen" as three distinct artists.
  The same could be used for the "Genre" tag:
      "Techno; House; Progressive"
  could be see, in the browser, as three different genres: "Techno", "House" and "Progressive".
  I've made an extensive web research, and I know that this deficiency  doesn't annoy only me, but lots of other users. And it's a pretty old request too - dated from 2003.
  Please, Apple, implement this feature. My huge electronic music collection really needs to be categorized into multiple artists and multiple genres.
  Thank you.

  Well said comment...
  The solution to this problem overall is simple.
  If I pull out my Ipod, and go to the section to browse by artist, then all artists would be listed individually in the list if they are separated in a song by the '&' symbol.  In the main music list in itunes, this would not result in multiple copies of the file.
  The same situation would apply in the genre browser.  If there is a tag with "POP & Chinese" then the song would appear if I was searching in pop OR Chinese.  It would not show a Genre called "POP & Chinese" in the genre browser.  It would show POP and Chinese SEPARATELY in the list!!!
  This is not a issue of some programming esoterica nor does it require some super genius to figure out.
  Wake up Apple programmers....
  Even smartlists are broken in the ipad/ipod and don't work the same way as they do in itunes. WHAT ARE YOU DOING WITH THAT A5X chip that you can't fix this problem?  I make a smartlist for the genre section at least and this allows me to accomplish what I stated above with genres by using the smartlists instead of the genre browser.
  The artist browser and genre browser are worthless to me...  since MANY of my songs have multi-artist and multi-genre separated by '&' and the stupid browser lists all the permutations instead of delimiting the genres and artists.
  My genre list looks sorta like this:
  Pop & chinese & instrumental
  Pop & japanese
  Pop & Soundtrack & Anime & Japanese
  Pop & score & anime
  Pop & chinese & vocal
  Pop & electronica
  What a mess...  but I can't categorize my stuff any other way without making it hard to decide which place to put a song.  Does a chinese soundtrack pop song get filed under chinese? or pop? or soundtrack?  I SHOULD be able to find the song regardless of which sub-genre I look under in the genre browser.
  This is basically simple.  The people that understand this are basically right and Apple is WRONG on this...  no matter what detractors on this thread say. The devices and software could easily be tweaked to dramatically improve the user experience but Apple is poor at getting involved in discussion forums like this to allow us to help them fix these issues.  Some of the product developers on the app store are far more receptive to suggestions than Apple is.  They are not getting enough of the advantages of crowd sourcing.
  I would fly out to Cupertino and correct MANY UI mistakes/errors for them if they will have me out there...
  I'll hold my breath and wait for a message to have me come out there.  There are still a lot of things about OSX and iOS that can be made simpler too.  still FAR too much extraneous junk and poor implementation of cloud capabilities.
  Why on earth does itunes have a "get info" menu dropdown to get into track data?  Why is the track data separated into 7 submenus separated by tabs?  The whole data entry situation in itunes is way too complex.  It's downright painful.
  Why are there no 24bit audio files yet for premium prices?  Are the people at apple doing too much LSD?  WHAT IS GOING ON?  You have to be disabled not to hear the difference between great recordings and that 256kbps garbage the peddle.  come to my house on the 107db sensitivity speakers with a Class A amplifier and tell me you can't tell the difference and I will have your hearing checked.
  hopefully the itunes department will contact someone on this thread to provide a list of the mistakes in itunes/ipod software so the problems can all be fixed.
  An AUDIOPHILE needs to take over itunes and fix this nonsense STAT.  It's simply embarassing at this point.  Where are my 24 bit files on my 1000gb ipod?  WHY IS THERE NO AUDIOPHILE IPOD? They can use there 100 billion cash hoard and make a GOOD home distribution system beyond "airplay/airport".
  Why is mediocrity being considered at Apple when they do so many other things great?  Considering I own half a million dollars in stock, believe me I do appreciate the company at large.  I am only ranting about the treatment of audiophiles and the complete dumbing down of the music experience to mass garbage when we live in the 21st century.   What we see is important (retina display) but what we hear is not?
  /rant off...
  Apple feel free to contact me and I can tell you how to develop the BEST product for music ever implemented...  I don't need compensation...  I want products that I WANT to buy!!!!

• Multiple Certificates for the same WLS

  Hi,
  IHAC who asks the following:
  Background
  Bigshop Limited carried out a soft launch of our e-tailing website under
  the
  url fonzie.bigshop.com.au
  We have a verisign certificate setup up for 128 bit ssl under the
  knownname
  fonzie.bigshop.com.au
  All ssl connections that connect to the site with this url are able to
  establish an SSL session.
  Current Issue
  Bigshop is now in the process of carrying out the public launch of the
  website. The public url for the website will be www.bigshop.com.au
  We have generated new public/private key pair and a Certificate Signing
  Request (CSR) and have ordered a new certificate from verisign
  Could you please advise if it is possible to operate two certificates
  for
  the one server. This will allow our www.bigshop.com.au and
  fonzie.bigshop.com.au url's to operate concurrently and enable both to
  establish SSL session with valid certificates.
  Is what they want to do possible ?? any suggestions
  appreciated,
  regards,
       Patrick.

  Did you ever figure out how to use multiple certificates to the sameserver? I have a need to do this also. Thanks a lot.
  In current versions of weblogic (5.1,6.x,7.0,8.1), you can configure only
  one certificate per server.
  -utpal

• Multiple routers and subnets - can't access across subnets

  Hey all, I'm having an issue with multiple routers and subnets on my FIOS connection. Here's how everything is setup:
  Primary router:
  ActionTec MI424WR Rev D (from Verizon)
  WAN IP: From ISP
  WAN NETMASK: From ISP
  LAN IP: 192.168.1.1LAN NETMASK: 255.255.255.0
  Secondary router (WAN connected to ActionTec LAN):
  Belkin N750 gigabit w/ 802.11n
  WAN IP: 192.168.1.2
  WAN NETMASK: 255.255.255.0
  LAN IP: 192.168.2.1
  LAN NETMASK: 255.255.255.0
  With this setup, I have the secondary router's WAN port connected to a LAN port on the primary router. Each are broadcasting an SSID and each are running DHCP to assign address to their respective subnets. Everything was well and good, except that I could reach 192.168.1.* systems from 192.168.2.*, but not vice versa -- anything connected to the Primary router was blind to systems connected to Secondary. Also, I could not ping anything on .2 from .1.
  So, I added the following static route to the primary router:
  DESTINATION: 192.168.2.0
  NETMASK: 255.255.255.0
  GATEWAY: 192.168.1.2
  Once this was added to the router, I could ping everything, so that was good. However, even though .1 can now ping .2, I can't access certain things such as the web interface of my NAS (192.168.2.2). I can ping it, but accessing it in the browser from .1 doesn't work; however, accessing from .2 does work.
  I think the ActionTec router might be blocking it, but that's just a guess. The firewall on this thing has me thoroughly confused. Currently, I have 192.168.1.2 in the DMZ on the ActionTec, but that didn't make a difference. I've also completely disabled the firewall on the secondary Belkin router, but still nothing.
  Any help from the pros here? Much appreciated!
  Solved!
  Go to Solution.

  Ok, I figured it out and everything is now working. The issue appears to be that the ActionTec router doesn't recognize traffic from Subnet 1 to Subnet 2 as internal traffic -- it treats it as external traffic and closes it off. To fix this, it required some Advanced Firewall Filters that were far from unituitive and took a lot of testing to get it just right. If anyone runs into a similar situation in the future, here's a rundown of what I did to make it all work:
  Primary Router:
  ActionTec, MI424WR Rev D
  WAN IP/NETMASK:Assigned by ISP
  LAN IP/NETMASK:192.168.1.1 / 255.255.255.0
  Secondary Router:
  Belkin N750 Gigabit w/ 802.11n
  WAN IP/NETMASK:192.168.1.2 / 255.255.255.0
  LAN IP/NETMASK:192.168.2.1 / 255.255.255.0
  Plug Secondary router's WAN port into a LAN port on the Primary router.
  Setup Secondary router to have static LAN address (192.168.1.2)
  At this point, you should have 2 separate subnets: Subnet 1 (192.168.1.*) and Subnet 2 (192.168.2.*).
  Systems on both subnets should be able to reach the internet. Also, Subnet 2 should be able to ping and reach systems on Subnet 1; however, systems on Subnet 1 should not be able to ping or reach systems on Subnet 2. For this, we need to create a static route so Subnet 1 can reach Subnet 2.
  Create and apply the following static route in the Primary router:  (Advanced > Routing)
  RULE NAME:Network (Home/Office)
  DESTINATION:192.168.2.0(your secondary subnet)
  GATEWAY:192.168.1.2(secondary router's WAN IP)
  NETMASK:255.255.255.0
  METRIC:1
  The router now has a route between Subnet 1 (192.168.1.*) and Subnet 2 (192.168.2.*). You should be able to ping systems on Subnet 1 from 2, and ping systems on Subnet 2 from 1. You should not be able to access any systems, though -- the firewall is still blocking all but ping traffic from Subnet 1 to Subnet 2. We need to create some firewall rules to allow this communication.
  Make sure Primary firewall is set to at least typical/medium (Firewall Settings > General).
  We need to create some network objects to make it easier to manage the rules we'll create. Go to Advanced > Network Objects and do the following:
  1.Click Add. You are now on Edit Network Object screen. 
  2.Set Description to 'Subnet 1'.
  3.In Items section below, click Add.
  4.Set Network Object Type to 'IP Subnet'.
  5.Set Subnet IP Address to 192.168.1.0.
  6.Set Subnet Mask to 255.255.255.0.
  7.Click Apply. You are now back on Edit Network Object screen.
  8.Click Apply. You are now back on Network Objects Screen.
  9.Repeat the above steps again, but this time creating a second network object called 'Subnet 2':
  Nameubnet 2
  IP Subnet:192.168.2.0
  Subnet Mask:255.255.255.0
  Now we create the firewall rules. Go to Firewall Settings > Advanced Filtering.
  In the Inbound/Input rules section, click the Add link next to Network (Home/Office) Rules.
  Create the following Advanced Filter:
  SOURCE ADDRESSelect 'Subnet 1'
  DEST. ADDRESSelect 'Subnet 2'
  PROTOCOL:'Any'
  OPERATION:'Accept Packet'
  OCCUR:'Always'
  Click Apply. You will now be back on the Advanced Filtering page.
  In the Outbound rules section, click the Add link next to Network (Home/Office) Rules.
  Create the following Advanced Filter:
  SOURCE ADDRESSelect 'Subnet 1'
  DEST. ADDRESSelect 'Subnet 2'
  PROTOCOL:'Any'
  OPERATION:'Accept Packet'
  OCCUR:'Always'
  Click Apply. You will now be back on the Advanced Filtering page.
  Click Apply.
  You're all done. You should now have internet access on both subnets, be able to ping across subnets and also be able to access services across subnets (local webservers, SSH, telnet, mail, etc). You will not be able to see network file shares across subnets in Windows, however, as this requires a WINS server (which is well outside the scope of this post). For instance, I have a Western Digital NAS on the 192.168.2.0 subnet that I can access as \\Mybooklive\ from within Subnet 2; on Subnet 1, however, I have to access it by its IP \\192.168.2.10\. 

• My ipad2 is unable to find wireless network(s). while at home I am able to connect my MacBook and iPhone to network but am unable to connect iPad. I have restarted the device multiple times and even reset the network and all settings but still no luck

  my ipad2 is unable to find wireless network(s). while at home I am able to connect my MacBook and iPhone to network but am unable to connect iPad. I have restarted the device multiple times and even reset the network and all settings but still no luck

  Look at iOS Troubleshooting Wi-Fi networks and connections  http://support.apple.com/kb/TS1398
  iPad: Issues connecting to Wi-Fi networks  http://support.apple.com/kb/ts3304
  iOS: Recommended settings for Wi-Fi routers and access points  http://support.apple.com/kb/HT4199
  Additional things to try.
  Try this first. Turn Off your iPad. Then turn Off (disconnect power cord) the wireless router & then back On. Now boot your iPad. Hopefully it will see the WiFi.
  Go to Settings>Wi-Fi and turn Off. Then while at Settings>Wi-Fi, turn back On and chose a Network.
  Change the channel on your wireless router. Instructions at http://macintoshhowto.com/advanced/how-to-get-a-good-range-on-your-wireless-netw ork.html
  Another thing to try - Go into your router security settings and change from WEP to WPA with AES.
  How to Quickly Fix iPad 3 Wi-Fi Reception Problems
  http://osxdaily.com/2012/03/21/fix-new-ipad-3-wi-fi-reception-problems/
  If none of the above suggestions work, look at this link.
  iPad Wi-Fi Problems: Comprehensive List of Fixes
  http://appletoolbox.com/2010/04/ipad-wi-fi-problems-comprehensive-list-of-fixes/
  Fix iPad Wifi Connection and Signal Issues  http://www.youtube.com/watch?v=uwWtIG5jUxE
  ~~~~~~~~~~~~~~~
  If any of the above solutions work, please post back what solved your problem. It will help others with the same problem.
   Cheers, Tom