NAC Problem_In-Band Virtual Gateway deployment

We deployed an In-Band virtual gateway deployment.
The users connected to the untrusted VLAN and took an IP address from DHCP, which is configured on the ASA that is connected to the trusted interface, but no one can reach the gateway (the IP address of the firewall), and when we open any browser it does not redirect to the web login page. We don't have a local DNS; we use a global DNS.
Note: we used HP switches.
Please support me ASAP.
BR,
Saad Eid

I have not found any either. You can use the one for VPN since it will be the same.
http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml

Similar Messages

  • NAC Appliance for Wireless In-Band Virtual Gateway

    Hi, People.
    Does anybody know how to configure NAC Appliance for Wireless In-Band Virtual Gateway?
    Tks.

    Hi Wemerson,
    Basic Wireless or Wired InBand is basically the same thing regarding the NAC configuration.
    Please follow the chalk-talks available online: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html.
    Notes:
    - In Inband all traffic MUST flow through the CAS, which means that all the traffic on the VLAN of the wireless client MUST flow through the CAS. This can be done via L2 mechanisms (VLAN restrictions) or L3 (routing).
    - For the CAS, it is transparent if the client traffic comes from a wireless client or wired client.
    - If you want to use wireless SSO, you can configure the WLC the same way as a VPN concentrator. The WLC will then send RADIUS Accounting information to the CAS and the CAS can allow clients to access resources if they have already been authenticated by the WLC.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • NAC L3 OOB Virtual Gateway/Real-IP Gateway

    In a Central Deployment (NAC server at Central Site) for Remote Office (WAN) users, is it possible to work with L3 OOB Virtual Gateway, or is it only possible to work with L3 OOB Real-IP gateway?
    If both modes (Real-IP or Virtual) are possible, what are the advantages/disadvantages of each one?
    I didn't find a response for this in the documentation.
    Thanks in advance.

    Hi, Paul
    >>I then disconnect the PC and patch it into the Switch 2. I then authenticate but instead of the port being moved to the correct VLAN it is left in the authentication VLAN and the Web Login cycles and asks me to log in again. Looking at the Online Users display it says I'm online on Switch 1 on the port I have disconnected from. This is INCORRECT!
    Have a look at the Switch Management ->Port Profiles and below "Options: Device Connected to Port" (the second one) "Change to .... if the device is certified" there should be Access VLAN option -make it active.

  • NAC layer 3 Virtual Gateway Setup

    I am running the NAC Appliance currently in virtual gateway mode for layer 2 inband and it works great. I wanted to add layer 3 virtual gateway inband to this same NAC server, but I can't seem to find enough documentation on this. I do have layer 3 enabled and a static route to the layer 3 network in place. I don't think I understand how to get the network to go through the NAC. Do I need to run the Agent on the layer 3 network or can it still somehow go through just the web page authentication?
    Thanks.

    Policy route the unauthenticated traffic so it forces the layer 3 network in question through your CAS layer 3 device. Your discovery host address should be on the other side of the clean access server trusted side. There's a NAC Chalk talk PDF that steps this through for you.
    Search "NAC Chalktalk"

  • NAC Appliance + OOB Virtual Gateway Trunking issues

    I have the following problem. When I connect the CAS eth0 to a trunk port in the core switch it disconnects from the CAM. When the port is in access mode, the CAM can connect to the CAS. The core switch is a 4500 with IOS 12.2(25)EW. What could be the problem?

    Hi prananth,
    I managed to resolve the issue. It was an HA issue. I had configured "Link failure detect" on the redundant CAS app. Apparently the CAS couldn't reach the pingable IP, causing failover to take place many times between the two boxes and causing the CAS not to communicate with the CAM.
    Kindly help me with the following problem I am now having:
    http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=General&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddf45d4/0#selected_message
    I will really appreciate. Thank you.

  • L3 Deployment OOB Virtual Gateway

    Hi Faisal,
    Good day! I would like to ask about the L3 deployment approach using OOB Virtual Gateway. What I did was enable the L3 support and apply static routes. When I tried to connect a client workstation I could not get an IP address. The Cisco switch that I'm using at the remote site was already discovered in the devices in NAC. When I check the ports, they change to authentication VLAN 100 but cannot pass through. The IP block for the site is 10.19.x.x. Do I have to add a managed subnet and VLAN mapping? But from what I've read in the manual, there is no need to configure the managed subnet; instead a static route needs to be applied.
    For the L2 deployment, OOB Virtual Gateway is working now; the IP block I'm using is 10.1.x.x. I want to add the L3 deployment for the remote sites as well, for the users to authenticate through the NAC. I'm thinking of applying 2 approaches for the NAC: an L2 deployment for the main site and an L3 deployment for the remote site. Faisal, am I doing it correctly? Please let me know what I should apply for it, and see the attachment. Thanks.
    Richard

    I have set up a Windows DHCP server locally in the network that is L3 hops away. Basically the network at the main site (where the NAC is installed) and the remote site were already connected and talking because of the static route. The remote site has always had a DHCP server locally where the clients get IP addresses. Also, I created the DHCP scope for the authentication VLAN as I saw in the manual, though in the example they're using an L3 switch. I configured the static route in the CAS. What else do I need in the configuration?
    In the OOB virtual gateway there is no problem using the Windows DHCP server, but it cannot do L3 hops away, only the main site. That's why I changed to OOB RIP. Please see the attachment.

  • NAC - virtual gateway vs. real gateway

    Hi All,
    I don't have too much experience with NAC deployment. I want to go with L3 (because we have a central site), OOB (for LAN) and IB (for wireless and VPN), but I don't know whether I should go with real gateway or virtual gateway. I know virtual gateway is easier than real gateway, but technically, which way is more popular and provides better security measures?
    Any suggestion would be very much appreciated.
    Thanks
    Alex

    If your remote subnets are multiple hops away, RIP would be the option you should use. They both are equally popular, but for L3 subnets which are remote, RIP is the most often used design.

  • NAC/CCA Configuration Verification: OOB + Virtual Gateway (L2)

    Hello,
    I am currently configuring a NAC deployment based on Out-of-Bound OOB with Virtual gateway. Can someone please verify my configs below:
    Core Switch:
    VLAN DB:
    vlan 10
    name VLAN_DEPT1
    vlan 11
    name VLAN_DEPT2
    vlan 20
    name VLAN_DEPT3
    vlan 26
    name VLAN_DEPT4
    vlan 27
    name VLAN_DEPT5
    vlan 28
    name VLAN_DEPT6
    vlan 29
    name VLAN_DEPT7
    vlan 30
    name VLAN_DEPT8
    vlan 32
    name VLAN_DEPT9
    vlan 50
    name VLAN_NetMGT
    vlan 51
    name VLAN_CAS_MGT
    vlan 52
    name VLAN_CAM_MGT
    vlan 210
    name VLAN_DEPT1_Auth
    vlan 211
    name VLAN_DEPT2_Auth
    vlan 220
    name VLAN_DEPT3_Auth
    vlan 226
    name VLAN_DEPT4_Auth
    vlan 227
    name VLAN_DEPT5_Auth
    vlan 228
    name VLAN_DEPT6_Auth
    vlan 229
    name VLAN_DEPT7_Auth
    vlan 230
    name VLAN_DEPT8_Auth
    vlan 232
    name VLAN_DEPT9_Auth
    Interface Configs
    interface GigabitEthernet3/41
    description "Link to Cisco CAM-PRI eth0"
    switchport access vlan 52
    switchport mode access
    spanning-tree portfast
    spanning-tree guard root
    no cdp enable
    no ip address
    interface GigabitEthernet3/42
    description "Link to Cisco CAM-FO eth0"
    switchport access vlan 52
    switchport mode access
    spanning-tree portfast
    spanning-tree guard root
    no cdp enable
    no ip address
    interface GigabitEthernet3/43
    description "Trunk to Cisco CAS-PRI eth1 / UN-Trusted Network"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 777
    switchport mode trunk
    switchport trunk allowed vlan 210,211,220,226-230,232
    interface GigabitEthernet3/44
    description "Trunk to Cisco CAS-FO eth1 / UN-Trusted Network"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 777
    switchport mode trunk
    switchport trunk allowed vlan 210,211,220,226-230,232
    interface GigabitEthernet3/46
    description "Trunk to Cisco CAS-PRI eth0 / Trusted Network"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 700
    switchport mode trunk
    switchport trunk allowed vlan 10,11,20,26-30,32,50-51
    interface GigabitEthernet3/48
    description "Trunk to Cisco CAS-FO eth0 / Trusted Network"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 700
    switchport mode trunk
    switchport trunk allowed vlan 10,11,20,26-30,32,50-51
    interface GigabitEthernet1/1
    description "Trunk link to DEPT1 Access SW"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 700
    switchport mode trunk
    !------- Example of VLAN Interface --------
    interface Vlan10
    description "DEPT1 VLAN"
    ip address x.x.10.1 255.255.255.0
    ip helper-address x.x.50.5
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no ip route-cache
    no ip mroute-cache
    !------- No VLAN Interface for AUTH VLAN 210 --------
    Access Switch Configuration
    interface GigabitEthernet0/1
    description "Trunk Link to Core Switch"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 700
    switchport mode trunk
    no ip address
    interface GigabitEthernet0/6
    switchport access vlan 30
    switchport mode access
    spanning-tree portfast
    spanning-tree guard root
    no cdp enable
    no ip address
    =========================================
    Is the above config correct?
    Thanks
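
Added example, not part of the original post or of Cisco's documentation: a Python check for the separation the configuration posted above shows, namely that no VLAN is allowed on both CAS trunks, every `_Auth` VLAN is carried on the untrusted trunk, no auth VLAN has a VLAN interface, and the two sides use different native VLANs. It assumes the post's own conventions (auth VLAN names ending in `_Auth`, CAS ports identified by `CAS` plus `eth0`/`eth1` in the description); the sample text is a constructed, trimmed copy of the post, and `BROKEN` injects two constructed mistakes.

```python
import re

# Constructed sample: a trimmed copy of the core-switch configuration in the post.
POSTED = """\
vlan 10
name VLAN_DEPT1
vlan 210
name VLAN_DEPT1_Auth
vlan 211
name VLAN_DEPT2_Auth
interface GigabitEthernet3/43
description "Trunk to Cisco CAS-PRI eth1 / UN-Trusted Network"
switchport trunk native vlan 777
switchport trunk allowed vlan 210,211
interface GigabitEthernet3/46
description "Trunk to Cisco CAS-PRI eth0 / Trusted Network"
switchport trunk native vlan 700
switchport trunk allowed vlan 10,11,50-51
interface Vlan10
description "DEPT1 VLAN"
"""

# Constructed mistakes: auth VLAN 210 leaks onto the trusted trunk, and auth
# VLAN 211 gets a VLAN interface on the core switch.
BROKEN = POSTED.replace("vlan 10,11,50-51", "vlan 10,11,50-51,210") + (
    'interface Vlan211\ndescription "constructed mistake"\n'
)


def expand_vlans(spec):
    """Expand an allowed-VLAN list such as '210,211,226-230' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_config(text):
    """Parse flat or indented IOS-style text into (vlan_names, interfaces)."""
    vlan_names, interfaces, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"vlan (\d+)", line)
        if m:
            section = ("vlan", int(m.group(1)))
            vlan_names.setdefault(section[1], "")
            continue
        m = re.fullmatch(r"interface (\S+)", line)
        if m:
            section = ("if", m.group(1))
            interfaces[m.group(1)] = {"description": "", "allowed": set(), "native": None}
            continue
        if section is None:
            continue
        kind, key = section
        if kind == "vlan" and line.startswith("name "):
            vlan_names[key] = line[len("name "):].strip()
        elif kind == "if" and line.startswith("description "):
            interfaces[key]["description"] = line[len("description "):].strip().strip('"')
        elif kind == "if":
            m = re.fullmatch(r"switchport trunk allowed vlan (?:add )?([\d,\-\s]+)", line)
            if m:
                interfaces[key]["allowed"] |= expand_vlans(m.group(1))
            m = re.fullmatch(r"switchport trunk native vlan (\d+)", line)
            if m:
                interfaces[key]["native"] = int(m.group(1))
    return vlan_names, interfaces


def audit(text):
    """Return a list of (finding, vlan) tuples; an empty list means all checks passed."""
    vlan_names, interfaces = parse_config(text)
    auth_vlans = {v for v, name in vlan_names.items() if name.lower().endswith("_auth")}
    allowed = {"trusted": set(), "untrusted": set()}
    native = {"trusted": set(), "untrusted": set()}
    for intf in interfaces.values():
        desc = intf["description"]
        if "CAS" not in desc:
            continue
        # Assumption taken from the post's descriptions: eth1 = untrusted, eth0 = trusted.
        side = "untrusted" if "eth1" in desc else "trusted" if "eth0" in desc else None
        if side:
            allowed[side] |= intf["allowed"]
            if intf["native"] is not None:
                native[side].add(intf["native"])
    svis = {int(name[4:]) for name in interfaces if re.fullmatch(r"Vlan\d+", name)}
    findings = []
    findings += [("on-both-cas-trunks", v)
                 for v in sorted(allowed["trusted"] & allowed["untrusted"])]
    findings += [("auth-vlan-not-on-untrusted-trunk", v)
                 for v in sorted(auth_vlans - allowed["untrusted"])]
    findings += [("auth-vlan-has-svi", v) for v in sorted(auth_vlans & svis)]
    findings += [("shared-native-vlan", v)
                 for v in sorted(native["trusted"] & native["untrusted"])]
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("broken", BROKEN)):
        print(label, audit(cfg) or "no findings")
```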

    Hi,
    By bogus I assume you mean something like;
    interface Vlan700
    description "BIT BUCKET for unused ports"
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no ip route-cache
    no ip mroute-cache
    shutdown

  • Cisco Clean Access OOB with virtual gateway

    I have set Clean Access to OOB virtual gateway mode. For the managed subnet I put one of the unused IPs with the unauthenticated VLAN. Some of the PCs are running with DHCP, so I put an IP refresh after successful authentication (this is working fine), but some of them are running with static addresses, so I cannot refresh the IP address.
    After authentication through Clean Access, the Clean Access Manager changes the unauthenticated VLAN (44) to the authenticated VLAN (4), but I can't access the internet or any other application through the network (even with static IP and DHCP (if I refresh the DHCP IP, I can)). In the PC's ARP cache I can see the original gateway MAC address; if I clear the ARP cache with the arp -d command, it starts working at that moment. How can I solve this issue? Please help me, guys.
    Thank you

    This document describes how to configure the syslog settings in order to log the events to an external server in the Cisco Network Admission Control (NAC) Appliance, formerly known as Cisco Clean Access (CA).
    http://www.cisco.com/en/US/products/ps6128/products_tech_note09186a008085d6e9.shtml

  • Just FYI, new Windows Server 2012 R2 RRAS Multitenant Gateway Deployment Guide

    New! Windows Server 2012 R2 RRAS Multitenant Gateway Deployment Guide
    This new guide is available on the Web at http://technet.microsoft.com/en-us/library/dn641937.aspx. It is also available for download in Word format at TechNet Gallery at http://gallery.technet.microsoft.com/Windows-Server-2012-R2-37eb8e17
    If you work for a Cloud Service Provider (CSP) or an organization that's planning on deploying cloud technologies, you might be interested in the new Windows Server 2012 R2 RRAS Multitenant Gateway Deployment Guide.
    You may already know that in Windows Server® 2012 R2, the Remote Access server role includes the Routing and Remote Access Service (RRAS) role service. (It also includes DirectAccess and Web Application Proxy, however those role services will not be discussed in this article.)
    The new deployment guide demonstrates how to use Windows PowerShell to deploy RRAS as a virtual machine (VM)-based multitenant software gateway and Border Gateway Protocol (BGP) router that allows CSPs and Enterprises to enable datacenter and cloud network traffic routing between virtual and physical networks, including the Internet.
    You can use the gateway with VM networks by using either Hyper-V Network Virtualization or Virtual Local Area Networks (VLANs) - but using Network Virtualization is recommended due to VLAN limitations such as difficult management and a limited number of available VLAN IDs.
    If you're using System Center Virtual Machine Manager (SC VMM), you can use SC VMM to deploy Windows Server Gateway; however even if you are using SC VMM, you can manage the gateway with the same Windows PowerShell commands that are used for the RRAS Multitenant Gateway. (Some Windows Server Gateway features are configurable only with Windows PowerShell.)
    For information on deploying Windows Server Gateway with SCVMM, see the Test Lab Guide: Windows Server 2012 R2 Hyper-V Network Virtualization with System Center 2012 R2 VMM, at http://www.microsoft.com/download/details.aspx?id=39284
    With the RRAS Multitenant Gateway, you can create site-to-site VPN connections between your tenants' physical locations and your cloud datacenter. You can also provide tenants with point-to-site VPN connections that allow tenant Administrators to access and manage their VM resources from anywhere. The RRAS Multitenant Gateway also allows you to configure Network Address Translation (NAT), so that tenant VMs can access the Internet, and you can deploy dynamic routing by configuring the gateway and tenant gateways with BGP.
    Thanks -
    James McIllece

    Hi,
    It is very useful , thanks for your sharing .
    Best Regards
    Elton Ji

  • Fiori gateway deployment for SRM

    Hi
    Been trying to figure out how the gateway deployment for the SRM Fiori apps should be.
    All through the SAP help for Fiori I see that the SAP recommended method is a Central Deployment. And some other SAP docs say that the deployment is SRM independent.
    But I also see that the SRM UI addon is a prereq for SRM Fiori and that the UI addon needs a local deployment of the gateway.
    So does that mean for SRM Fiori we would need a local gateway instance?
    So if I were to use ECC and SRM Fiori I would need two separate Gateway instances?
    Can someone advise?
    Thanks
    Vishakh

    Hi Masa
    Thank you for your response
    Understood. But SRMNXP is a prereq for SRM Fiori. And SRMNXP needs a local deployment. And Fiori reuses these gateway services.
    So indirectly, logic would mean that I use the local deployment for the Fiori as well.
    So the choice between local and hub doesn't really hold good for SRM, right?
    If I were to, say, already have a hub deployment for ECC, and I need to start using the SRM Fiori apps:
    a. Is there any way I can reuse the central deployment for the gateway, or in other words, what would be the best way or only way forward?
    b. If I were to have, say, only Approve shopping carts, I assume SRMNXP is not a prereq and hence I can use the central gateway and install the front end components on it?
    c. If I were to use the other two apps I would need to have SRMNXP. In this case would I install the UI components locally or on the central hub?
    Hope the questions make sense. I can't really get around the fact that even though SRMNXP is mandatory for two of the apps and the SAP Help on Fiori says so, there is no tip on how to handle a situation where someone would deploy both the ECC and SRM Fiori and how the gateway deployment would be then. Does it then make sense that you have a central hub solely for the ECC apps (unless we are using some other suite component that doesn't have a prereq like SRMNXP for SRM)?
    Thank you for the patient reading.

  • NAC In-band Real IP Gateway process

    Hi all,
    I've been doing a lot of research and I still can't find good answers to some of my questions. All the big questions are answered for out-of-band configuration but I find that it's assumed that understanding in-band is taken for granted lol...I guess I'm slow =P
    How does In-band Real-IP Gateway work?
    What is the point of the /30 subnets?
    Are there access/auth VLAN pairs in in-band configurations?
    How does quarantining work?
    I read that the NAC Server can only send traffic out the untrusted port in one VLAN and that you aren't allowed to trunk that port. Does this mean that there's no support for multiple untrusted VLANs mapped to a single NAC Server?
    Can you do role-mapping with in-band configurations?
    Any help with any or all of these questions would be GREATLY appreciated!
    Thanks much =]
    ~ Xavier.

    Hi Xavier,
    let me try to answer your questions
    1.How does In-band Real-IP Gateway work?
    The CAS works in routed mode, so you have different IP addresses (on different subnets) on the trusted and untrusted interfaces. Since the CAS doesn't support routing protocols, all the routing has to be configured through static routes
    2. What is the point of the /30 subnets?
    The idea is to have small subnets for your clients so that with this IP config the clients in the authentication VLAN need to go through the CAS even to talk to other clients in the same L2 subnet.
    Check here for some explanation:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/47/cas/s_dhcp.html#wp1057889
    3. Are there access/auth VLAN pairs in in-band configurations?
    If you ask if there's VLAN mapping, then the answer is NO, as the aim of the VLAN mapping is to *bridge* traffic between the trusted and untrusted mapped VLANs, but in Real-IP the CAS does L3 routing of the traffic.
    4. How does quarantining work?
    When a client is quarantined, this works in the same way as in OOB, as in this phase the client is still inline to the CAS.
    So the concept is that the CAS assigns the user to the temporary or quarantine role and it applies a traffic policy that you configured for the temporary or quarantine role.
    5. I read that the NAC Server can only send traffic out the untrusted port in one VLAN and that you aren't allowed to trunk that port. Does this mean that there's no support for multiple untrusted VLANs mapped to a single NAC Server?
    The "single" VLAN restriction for Real-IP CAS applies only to the *trusted* side. The CAS can be the default gateway for multiple VLANs/IP Subnets on the *untrusted* side.
    You configure additional VLAN/IP addresses on the untrusted side using the "managed subnet" configuration.
    This is also mentioned here:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cas/s_deploy.html#wp1050938
    The Clean Access Server can manage one or more subnets, with its untrusted interface acting as a gateway for the managed subnets. For details on setting up managed subnets, see Configuring Managed Subnets or Static Routes, page 5-26.
    6. Can you do role-mapping with in-band configurations?
    Yes, you can do it! However, you cannot assign VLANs as you do in OOB but you can assign different access level based on the IP traffic policies and bandwidth restrictions you assign to the specific role.
    Check for instance here for more details:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cam/m_users.html#wp1040231
    In a nutshell, irrespective of the use of InBand vs. OutOfBand:
    - the clients are InBand to the CAS during the CAS discovery, authentication, posture assessment and remediation phases.
    The main difference occurs when the user is authorized to have access to the network and you perform role assignment both in IB and OOB but..:
    - in IB the client traffic keeps on flowing inline to the CAS, so you can apply different access policies (ACL) and bandwidth control policies depending on the role (but you cannot assign VLAN);
    - in OOB the client traffic bypasses the CAS once it's authorized: in this case you can apply different VLANs but (since the CAS is no longer along the path) you can't apply ACLs and/or traffic shaping policies in this case.
    I hope this answers your questions.
    Regards,
    Federico
    If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
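
Added example, not part of Federico's reply or of Cisco's documentation, illustrating answer 2: with one /30 per client, another client's address is never on-link, so a host's first hop is always its gateway (the CAS), whereas in a shared subnet the first hop is the peer itself. The 192.0.2.0/24 pool, the gateway-first address order inside each /30 and the function names are assumptions made for the illustration.

```python
import ipaddress

POOL = "192.0.2.0/24"  # constructed pool (documentation address range)


def carve_slash30(pool, count):
    """Give each of `count` clients its own /30 out of `pool`.

    Assumption for this example: in every /30 the first usable address is the
    gateway (the CAS untrusted side) and the second one is the client.
    """
    leases = []
    for subnet in ipaddress.ip_network(pool).subnets(new_prefix=30):
        if len(leases) == count:
            break
        gateway, client = subnet.hosts()  # a /30 has exactly two usable hosts
        leases.append({
            "client": ipaddress.ip_interface(f"{client}/{subnet.prefixlen}"),
            "gateway": gateway,
        })
    if len(leases) < count:
        raise ValueError(f"{pool} cannot hold {count} /30 subnets")
    return leases


def first_hop(src, gateway, dst):
    """Where a host sends a packet for `dst`.

    A host delivers directly (ARP for the peer) when `dst` is inside its own
    subnet and hands the packet to its gateway otherwise.
    """
    dst = ipaddress.ip_address(dst)
    return dst if dst in src.network else gateway


def capacity(pool):
    """Number of clients a pool can serve when every client consumes a /30."""
    return sum(1 for _ in ipaddress.ip_network(pool).subnets(new_prefix=30))


def demo():
    """Compare client-to-client first hops: /30 per client vs. one shared /24."""
    a, b = carve_slash30(POOL, 2)
    per_client = first_hop(a["client"], a["gateway"], b["client"].ip)

    # Same two hosts placed in a single shared /24 with one gateway.
    flat_a = ipaddress.ip_interface("192.0.2.10/24")
    shared = first_hop(flat_a, ipaddress.ip_address("192.0.2.1"), "192.0.2.11")
    return str(per_client), str(shared)


if __name__ == "__main__":
    per_client, shared = demo()
    print("first hop with /30 per client:", per_client)  # the gateway (CAS)
    print("first hop in a shared /24:   ", shared)       # the peer itself
    print("clients per /24 with /30s:   ", capacity(POOL))
```

The cost of the design shows in `capacity`: each client consumes four addresses, so a /24 serves 64 clients instead of a few hundred.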

  • NAC in-band vs out-of-band bandwidth management

    Hi,
    I am new to NAC. Would you please give me hints about bandwidth/traffic policy/QoS management when using out-of-band deployment of NAC? Is it possible for NAC to configure the switch port with the appropriate bandwidth limiting template when it recognizes a certain user identity?
    Regards,
    Mladen

    Refer to NAC appliance configuration guide for more information
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/413/cam/m_intro.html

  • How to provide RDP cert file when create virtual machine deployment?

    Hi,
    The Azure REST API here http://msdn.microsoft.com/en-us/library/azure/jj157194.aspx#bk_certificates did not say how to provide a cert for the VM when creating it.
    The StoredCertificateSettings lets you install the uploaded cert onto the VM, but this does not allow you to replace the RDP cert which is created by Azure when the VM is created.
    See below:
    The highlighted cert is automatically created by Azure for the virtual machine to secure the RDP connection.
    So when you try to remote to the VM, you will see this error, because the cert used for the RDP on the VM is not installed into the "Trusted Root Certification Authorities" on the local machine.
    I want to replace the cert that Azure automatically created:
    var dpinput = string.Format(
                        System.Globalization.CultureInfo.CurrentCulture,
                        @"<?xml version='1.0' encoding='utf-8' ?>
                    <Deployment xmlns='http://schemas.microsoft.com/windowsazure' xmlns:i='http://www.w3.org/2001/XMLSchema-instance'>
                      <Name>{0}</Name>
                      <DeploymentSlot>Production</DeploymentSlot>
                      <Label>{1}</Label>
                      <RoleList>
                        <Role>
                          <RoleName>{2}</RoleName>
                          <RoleType>PersistentVMRole</RoleType>
                          <ConfigurationSets>
                            <ConfigurationSet i:type='WindowsProvisioningConfigurationSet'>
                              <ConfigurationSetType>WindowsProvisioningConfiguration</ConfigurationSetType>
                              <ComputerName>{3}</ComputerName>
                              <AdminPassword>{4}</AdminPassword>
                              <StoredCertificateSettings>
                                <CertificateSetting>
                                  <StoreLocation>LocalMachine</StoreLocation>
                                  <StoreName>Root</StoreName>
                                  <Thumbprint>{5}</Thumbprint>
                                </CertificateSetting>
                              </StoredCertificateSettings>
                              <WinRM>
                                <Listeners>
                                  <Listener>
                                    <Protocol>Http</Protocol>
                                  </Listener>
                                  <Listener>
                                    <Protocol>Https</Protocol>
                                    <CertificateThumbprint>{6}</CertificateThumbprint>
                                  </Listener>
                                </Listeners>
                              </WinRM>
                            <AdminUsername>{7}</AdminUsername>
                            </ConfigurationSet>
                            <ConfigurationSet>
                              <ConfigurationSetType>NetworkConfiguration</ConfigurationSetType>
                              <InputEndpoints>
                                <InputEndpoint>
                                  <LoadBalancedEndpointSetName></LoadBalancedEndpointSetName>
                                  <LocalPort>443</LocalPort>
                                  <Name>HTTPS</Name>
                                  <Port>443</Port>
                                  <Protocol>TCP</Protocol>
                                </InputEndpoint>
                                <InputEndpoint>
                                  <LoadBalancedEndpointSetName></LoadBalancedEndpointSetName>
                                  <LocalPort>5986</LocalPort>
                                  <Name>PowerShell</Name>
                                  <Port>5986</Port>
                                  <Protocol>TCP</Protocol>
                                </InputEndpoint>
                                <InputEndpoint>
                                  <LoadBalancedEndpointSetName></LoadBalancedEndpointSetName>
                                  <LocalPort>3389</LocalPort>
                                  <Name>Remote Desktop</Name>
                                  <Port>3389</Port>
                                  <Protocol>TCP</Protocol>
                                </InputEndpoint>
                              </InputEndpoints>
                              <SubnetNames/>
                            </ConfigurationSet>
                          </ConfigurationSets>
                          <DataVirtualHardDisks>
                            <DataVirtualHardDisk>
                              <HostCaching>ReadWrite</HostCaching>
                              <DiskLabel>data</DiskLabel>
                              <Lun>0</Lun>
                              <LogicalDiskSizeInGB>127</LogicalDiskSizeInGB>
                              <MediaLink>{8}</MediaLink>
                            </DataVirtualHardDisk>
                          </DataVirtualHardDisks>
                          <OSVirtualHardDisk>
                            <HostCaching>ReadWrite</HostCaching>
                            <MediaLink>{9}</MediaLink>
                            <SourceImageName>{10}</SourceImageName>
                          </OSVirtualHardDisk>
                          <RoleSize></RoleSize>
                          <ProvisionGuestAgent>false</ProvisionGuestAgent>
                          <ResourceExtensionReferences/>
                        </Role>
                      </RoleList>
                      <VirtualNetworkName/>
                      <Dns/>
                    </Deployment>",
                                  service,
                                  service,
                                  service,
                                  computer,
                                  password,
                                  thumbprint,
                                  thumbprint,
                                  user,
                                  datavhd,
                                  osvhd,
                                  osname);
    I want to use my own self-signed cert as the RDP cert to be used by Azure when creating the VM, but the above request does not replace the cert.
    How can I do that?
    Thanks
    the request i used as below:
    var dpinput = string.Format(
                        System.Globalization.CultureInfo.CurrentCulture,
                        @"<?xml version='1.0' encoding='utf-8' ?>
                    <Deployment xmlns='http://schemas.microsoft.com/windowsazure' xmlns:i='http://www.w3.org/2001/XMLSchema-instance'>
                      <Name>{0}</Name>
                      <DeploymentSlot>Production</DeploymentSlot>
                      <Label>{1}</Label>
                      <RoleList>
                        <Role>
                          <RoleName>{2}</RoleName>
                          <RoleType>PersistentVMRole</RoleType>
                          <ConfigurationSets>
                            <ConfigurationSet i:type='WindowsProvisioningConfigurationSet'>
                              <ConfigurationSetType>WindowsProvisioningConfiguration</ConfigurationSetType>
                              <ComputerName>{3}</ComputerName>
                              <AdminPassword>{4}</AdminPassword>
              <StoredCertificateSettings>
                <CertificateSetting>
                  <StoreLocation>LocalMachine</StoreLocation>
                  <StoreName>Root</StoreName>
                  <Thumbprint>{5}</Thumbprint>
                </CertificateSetting>
              </StoredCertificateSettings>
                              <WinRM>
                                <Listeners>
                                  <Listener>
                                    <Protocol>Http</Protocol>
                                  </Listener>
                                  <Listener>
                                    <Protocol>Https</Protocol>
                                    <CertificateThumbprint>{6}</CertificateThumbprint>
                                  </Listener>
                                </Listeners>
                              </WinRM>
                            <AdminUsername>{7}</AdminUsername>
                            </ConfigurationSet>
                            <ConfigurationSet>
                              <ConfigurationSetType>NetworkConfiguration</ConfigurationSetType>
                              <InputEndpoints>
                                <InputEndpoint>
                                  <LoadBalancedEndpointSetName></LoadBalancedEndpointSetName>
                                  <LocalPort>443</LocalPort>
                                  <Name>HTTPS</Name>
                                  <Port>443</Port>
                                  <Protocol>TCP</Protocol>
                                </InputEndpoint>
                                <InputEndpoint>
                                  <LoadBalancedEndpointSetName></LoadBalancedEndpointSetName>
                                  <LocalPort>5986</LocalPort>
                                  <Name>PowerShell</Name>
                                  <Port>5986</Port>
                                  <Protocol>TCP</Protocol>
                                </InputEndpoint>
                                <InputEndpoint>
                                  <LoadBalancedEndpointSetName></LoadBalancedEndpointSetName>
                                  <LocalPort>3389</LocalPort>
                                  <Name>Remote Desktop</Name>
                                  <Port>3389</Port>
                                  <Protocol>TCP</Protocol>
                                </InputEndpoint>
                              </InputEndpoints>
                              <SubnetNames/>
                            </ConfigurationSet>
                          </ConfigurationSets>
                          <DataVirtualHardDisks>
                            <DataVirtualHardDisk>
                              <HostCaching>ReadWrite</HostCaching>
                              <DiskLabel>data</DiskLabel>
                              <Lun>0</Lun>
                              <LogicalDiskSizeInGB>127</LogicalDiskSizeInGB>
                              <MediaLink>{8}</MediaLink>
                            </DataVirtualHardDisk>
                          </DataVirtualHardDisks>
                          <OSVirtualHardDisk>
                            <HostCaching>ReadWrite</HostCaching>
                            <MediaLink>{9}</MediaLink>
                            <SourceImageName>{10}</SourceImageName>
                          </OSVirtualHardDisk>
                          <RoleSize></RoleSize>
                          <ProvisionGuestAgent>false</ProvisionGuestAgent>
                          <ResourceExtensionReferences/>
                        </Role>
                      </RoleList>
                      <VirtualNetworkName/>
                      <Dns/>
                    </Deployment>",
                                  service,
                                  service,
                                  service,
                                  computer,
                                  password,
                                  thumbprint,
                                  thumbprint,
                                  user,
                                  datavhd,
                                  osvhd,
                                  osname);
    The request I used is below:
    var dpinput = string.Format(
                        System.Globalization.CultureInfo.CurrentCulture,
                        @"<?xml version='1.0' encoding='utf-8' ?>
                    <Deployment xmlns='http://schemas.microsoft.com/windowsazure' xmlns:i='http://www.w3.org/2001/XMLSchema-instance'>
                      <Name>{0}</Name>
                      <DeploymentSlot>Production</DeploymentSlot>
                      <Label>{1}</Label>
                      <RoleList>
                        <Role>
                          <RoleName>{2}</RoleName>
                          <RoleType>PersistentVMRole</RoleType>
                          <ConfigurationSets>
                            <ConfigurationSet i:type='WindowsProvisioningConfigurationSet'>
                              <ConfigurationSetType>WindowsProvisioningConfiguration</ConfigurationSetType>
                              <ComputerName>{3}</ComputerName>
                              <AdminPassword>{4}</AdminPassword>
              <StoredCertificateSettings>
                <CertificateSetting>
                  <StoreLocation>LocalMachine</StoreLocation>
                  <StoreName>Root</StoreName>
                  <Thumbprint>{5}</Thumbprint>
                </CertificateSetting>
              </StoredCertificateSettings>
                              <WinRM>
                                <Listeners>
                                  <Listener>
                                    <Protocol>Http</Protocol>
                                  </Listener>
                                  <Listener>
                                    <Protocol>Https</Protocol>
                                    <CertificateThumbprint>{6}</CertificateThumbprint>
                                  </Listener>
                                </Listeners>
                              </WinRM>
                            <AdminUsername>{7}</AdminUsername>
                            </ConfigurationSet>
                            <ConfigurationSet>
                              <ConfigurationSetType>NetworkConfiguration</ConfigurationSetType>
                              <InputEndpoints>
                                <InputEndpoint>
                                  <LoadBalancedEndpointSetName></LoadBalancedEndpointSetName>
                                  <LocalPort>443</LocalPort>
                                  <Name>HTTPS</Name>
                                  <Port>443</Port>
                                  <Protocol>TCP</Protocol>
                                </InputEndpoint>
                                <InputEndpoint>
                                  <LoadBalancedEndpointSetName></LoadBalancedEndpointSetName>
                                  <LocalPort>5986</LocalPort>
                                  <Name>PowerShell</Name>
                                  <Port>5986</Port>
                                  <Protocol>TCP</Protocol>
                                </InputEndpoint>
                                <InputEndpoint>
                                  <LoadBalancedEndpointSetName></LoadBalancedEndpointSetName>
                                  <LocalPort>3389</LocalPort>
                                  <Name>Remote Desktop</Name>
                                  <Port>3389</Port>
                                  <Protocol>TCP</Protocol>
                                </InputEndpoint>
                              </InputEndpoints>
                              <SubnetNames/>
                            </ConfigurationSet>
                          </ConfigurationSets>
                          <DataVirtualHardDisks>
                            <DataVirtualHardDisk>
                              <HostCaching>ReadWrite</HostCaching>
                              <DiskLabel>data</DiskLabel>
                              <Lun>0</Lun>
                              <LogicalDiskSizeInGB>127</LogicalDiskSizeInGB>
                              <MediaLink>{8}</MediaLink>
                            </DataVirtualHardDisk>
                          </DataVirtualHardDisks>
                          <OSVirtualHardDisk>
                            <HostCaching>ReadWrite</HostCaching>
                            <MediaLink>{9}</MediaLink>
                            <SourceImageName>{10}</SourceImageName>
                          </OSVirtualHardDisk>
                          <RoleSize></RoleSize>
                          <ProvisionGuestAgent>false</ProvisionGuestAgent>
                          <ResourceExtensionReferences/>
                        </Role>
                      </RoleList>
                      <VirtualNetworkName/>
                      <Dns/>
                    </Deployment>",
                                  service,
                                  service,
                                  service,
                                  computer,
                                  password,
                                  thumbprint,
                                  thumbprint,
                                  user,
                                  datavhd,
                                  osvhd,
                                  osname);

    Hi,
    In Azure, this feature is called custom data. Currently, you can inject custom data into an Azure VM by using the Windows Azure command-line tools (--custom-data).
    I assume that it is not supported in the Python API. You can use “custom_data=xxx” within “create_virtual_machine_deployment” to check if it works.
    If it is not yet available, please submit your requirement in Azure feedback below:
    http://feedback.azure.com/forums/34192--general-feedback
    Best regards,
    Susie

  • ISE 1.2 NAC solution for 12500 Persona Deployment

    I have a deployment scenario for a NAC solution (ISE) that must support 12500 users and must provide the ability to implement security policies on endpoints before they connect. Should I order ISE-3395 with ISE-3315, or is it not a workable solution? Please advise.

    Hi Shakeeb,
    The total number of appliances needed in a deployment depends on multiple factors and not just the number of endpoints, as described here:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/guide_c07-656177.html
    Refer to Step 2: Estimate the Number of Appliances or Servers Needed for the Deployment
    We have a dedicated team at Cisco who deals with presales issues; I would advise you to contact them for more guidance. Here is their contact info:
    • Phone: 408 902-4872
    • Email: [email protected]
    • Live chat: http://tinyurl.com/sacise
    Thanks,
    Aastha
