NTP server setup in DMZ

Hi Team,
We have a Windows 2008 AD infrastructure with a single domain, single forest and 30 remote AD sites with RODCs in them.
We are planning an NTP server setup on a Windows 2008 server in the DMZ. Can someone help me with the steps for setup?
What is the best practice for NTP architecture so that all DCs sync time from the NTP server and the NTP server syncs time from an external source?
Please suggest.

Hi,
Would you please tell us whether your security team's plan has worked out?
Because based on what I understand, domain members will synchronize time from Domain Controllers while DCs will synchronize time from PDC.
Here is a thread below about the best practices of time synchronization in a domain:
Time Sync best practices
http://social.technet.microsoft.com/Forums/windowsserver/en-US/043b1ebe-e7bc-40ca-91e0-174a6854808e/time-sync-best-practices?forum=winserverDS
Best Regards,
Amy

Similar Messages

  • Server setup in DMZ

    Hi,
    I am setting up a DMZ environment to have external customers access my servers sitting in the DMZ. I have attached the diagram for reference.
    Proposed Setup
    1) 2x ISP links (redundant) - IPSEC connections from customer terminating on our Internet Facing FWs.
    2) There are 2 DMZ FWs separating the Corporate (internal) and External environment.
    3) The APP server and Jump server are placed behind the Server switches.
    Requirement
    1) External customer needs to access Jump server and APP server from over the Internet IPSEC VPN
    2) Internal (Corporate) users need to access the Jump server and App server.
    3) Any user accessing the Jump server would need to get authenticated from a Domain controller. Domain controller would be on the Internal corporate segment
    Questions
    1) With the current design, Internal users have to pass DMZ FW and Internet FW to access server. Is it recommended? Is it ok to connect the servers behind a separate pair of server switches? Or can they connect directly to DMZ switches? What is the best possible solution (standard) that is generally followed in this case?
    2) If there are multiple customers with IPSEC VPNs coming in, can VLANs be defined and access given accordingly to the servers?
    Appreciate your inputs.
    Cheers
    Mikey

    Hi ,
    Appreciate if someone could please reply to this.
    Thanks in advance.
    Mikey

  • Server setup in DMZ Environment


    Hi Mikey,
    I am not sure why you have kept the corporate network under the DMZ zone. In general security practice we keep the DMZ zone/DMZ firewall for the server/hosting environment where external parties require access, for example web server / application server.
    So your design requires some change in order to have a better architecture:
    internet
    |
    router
    |
    external SW
    |
    internet facing firewalls
    |
    DMZ SW and Jump Server / Application Server (DMZ Interface of the Firewall).
    Internet facing Firewall
    |
    LAN Interface SW (Inside Interface of the firewall)
    |
    LAN FW (If you really want to keep it)
    |
    Corporate Network
    Regards
    Karthik

  • How to setup NTP service in server 2012 R2 to synch with an external NTP server

    Server 2012 R2 Std as DC
    I have looked at the blogs on setup and could not make sense of them. I did this easily on SBS2008 before I migrated to 2012 R2.
    What is the process to establish the DC server 2012 R2 as the time source.  Right now it is BIOS clock and I wish to move to NTP as the time source.
    Thanks for your help
    John Lenz

    Hi JohnLenz,
    You can use the following command line and refer the following KB:
    w32tm /config /syncfromflags:manual
    w32tm /config /manualpeerlist:<IP_or_FQDN_of_the_time_source>
    Note: please replace "<IP_or_FQDN_of_the_time_source>" with the IP address or FQDN of your NTP server.
    Net stop w32time
    Net start w32time
    The related KB:
    Synchronize the Time Server for the Domain Controller with an External Source
    http://technet.microsoft.com/en-us/library/cc784553(v=ws.10).aspx
    Configure the Time Source for the Forest
    http://technet.microsoft.com/zh-cn/library/cc794937(v=ws.10).aspx
    Configuring a time source for the forest
    http://technet.microsoft.com/en-us/library/cc784800(v=ws.10).aspx
    I’m glad to be of help to you!

  • How to sync clock of Cisco ASA 5505 from NTP Server on internet

    Hi there!
    I've set up a site with a Cisco ASA 5505. It has a public IP also.
    I want to sync the clock of the firewall from an NTP server on the internet, or with the internal domain controller that is inside the LAN.
    The firewall has a public IP also.
    How can I do this?
    Regards!

    Hello Lasandro,
    This should do it!
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/basic_hostname_pw.html#wp1236530
    Looking for some Networking Assistance? 
    Contact me directly at [email protected]
    I will fix your problem ASAP.
    Cheers,
    Julio Carvajal Segura
    http://laguiadelnetworking.com

  • 10.5.1 Server Setup - Help Make it all Work!

    Hello Everyone, I currently have a new MacMini running 10.5.1 with our Calendar, Wiki and File Sharing. I have recently just returned from the Mac OS 10.5 Training Session from Chicago Columbia College and was astonished at what their demo servers did versus what mine has never done lol. We are a small tech company and there isn't much yet in the way of documentation or training or even training materials for Leopard Server. So I wanted to share some of what we learned from the training seminar and hopefully someone will know the proper answers to my questions. This is going to be a bit long winded but I think it's important to convey my questions/concerns.
    1. Ok initial setup of our Leopard server requires you to input a host name and then the domain name. Well after the first install of Leopard we found as I have read amongst the posts for the past 2 hours that if you place let's say macmini in the host-name field then place domain.com in the domain field. After the server setup is complete Leopard Server wants you to chat, vpn, and browse to http://macmini.domain.com/groups as well as mail. This is all well and good if you have access to DNS like I do and can easily make changes to the MX & A records but if you're a typical SMB user then you won't and this means that once your e-mail is set up and you're ready to start using your server anyone you e-mail will come from [email protected] and not [email protected] which is a huge problem. So be cautious here. I was instructed by Apple after scratching their head to leave the host-name blank and only fill in the domain name here if you're on let's say a T1 or other medium with a static IP pointed at your machine or router. So this is my first pet peeve, there is a sloppy workaround to this by telling the server to receive e-mail for domain.com as well but still whenever you send it comes from the original domain.
    2. Application Setup - Single Sign-on - When I attended Leopard training this week in Chicago I was amazed at how whenever a user (demo -lab environment) logged into ichat, ical, wiki or e-mail there was simple single sign-on kerberos auth. What I mean by this is once the server is up and running and your Mac connects to the network for the first time either by manual add thru the directory application or a new Mac that finds the Leopard server automatically at first boot and you auth a user on the server to that Mac then there is just a single signon from that point on, NOT! For us our users log into their machines, (mind u they are already users on the Leopard server and can log in just fine) and they try to go to their e-mail for the first time it always fails. We then have to disable SSL over SMTP and IMAP and manually type in their passwords because the MacMail clients cannot trust the SSL cert or we simply just delete their accounts and recreate them from scratch. Same happens with iChat. By design when you auth your Mac against the server, the server auto configs the security and client apps, i.e. mail, ichat, directory, VPN, ical. But iCal has consistently failed setup across 5 server builds and 10 clients. What will happen is when you go to prefs in ichat you see your account but it can't auth you and doesn't show up in ical for your personal server calendar. If you manually remove your user account and re-add it works great. But next time you go to ichat, once again you have to recreate. And I can recreate this all day long. But at the demo it worked like magic. So that is problem number two, SSL and single sign-on does not really work and app auto-config does not work at all.
    3. Apple Airport Extreme 802.11N. - As a test and per Apple's recommendation for SMB clients we picked up a new Airport. We patched it and setup user/pass info and setup DHCP on the device for so if server fails we have internet. And during server setup it logged into Airport and tried to configure settings. We were on the net and all was good after server setup. However with VPN enabled per user in Standard mode on server we have only been able to gain VPN access for clients if they are actually inside the network. I have spent about 10 hours back and forth with Apple Support trying to get VPN to work outside. The Manual setup of new Airport Port-Mapping is simple but crude. It does not seem to work. And there is a default hosts setting which should translate to an open DMZ but does not. So that is third on my list, running a MacMini with 2gig's of RAM which is within SPEC for Leopard Server and using the Apple Recommended solution of an Airport Extreme N does not work for s&*% and I would be very surprised if anyone here has gotten that to work.
    4. E-Mail Services - As stated prior Leopard's auto app setup utility does not work for crap unless by some magic there are other steps besides the ones outlined and printed with the purchase of server. But the main thing about mail is that we are missing the basics. I mean you're going to be hard pressed to find ANY e-mail application on the market today, Notes, Exchange, Gmail, Hotmail, Yahoo, iMail or other that does not include basic vacation/out of the office message replies. This is a huge issue for any small business or for that matter any size business that wants to automate things when they are out and I think this is one of my small peeves but certainly worth a listing here.
    5. VPN - We have tried like **** to get the VPN to work thru the Airport as previously noted but we have also connected MacPro with 2 nics, one for net and one for LAN and not been able to connect to the server from outside our network. Here is my largest frustration, we currently run SBS2003 from MSFT and they run flawlessly. I have literally sat with clients in their office during a new setup for SBS and in 3-4 hours we were up and running with minimal system level changes from the guided path. And for Apple to advertise this in the manual and all online materials as being SMB friendly is a complete slap in the face. Now don't confuse my above descriptions of problems we have seen across 5 Leopard builds as being a rant because it's not but seriously I am a network engineer with 10 years in the field working with 20+ product ranges and in our office we only use Mac because of stability and uptime. But OS X 10.5 is not Small Business Friendly at all even with the half hearted attempt at the new System Admin console for SMB users. However that being said I will still push on and try to get all these little bugs worked out and what I would really like to see is some feedback on my issues and I would love to know if anyone else has had similar issues. I really had hoped that 10.5 could help my firm finally push the proper solution (Mac OS X) for our SMB clients but it just isn't there yet.
    Cheers,
    DM

    Thanks for the quick read and response. Do you feel the issue might lie with the fact that it is a Mac Mini? And possibly just not powerful enough to run Leopard Server? I have to say in our trials with MacPro it was like night and day as to how they performed. And if you could elaborate on this "Many VPNs don't play well with NAT so your VPN server should have a direct connection to the public network (preferably firewalled, of course, but not NATted)." Most every SoHo and for that matter uses simple NAT translation for security even our multi thousand dollar Cisco PIX and ASA's are basic NAT devices to start with. How would you put the VPN on public net while keeping the attack surface low for the rest of the services like file, web, mail and print?
    Don't get me wrong I want this to work more than you can imagine. We are so tired of supporting MSFT technologies that cost thousands a year in antivirus, antispyware, antispam and other malware protection for the enterprise. We know that Leopard has great potential but for an integrator, getting this system up and functional is not an easy task. And the worst part of it is every time we have called for support the tech always lets out a sigh when they hear we have run standard setup because they are not allowed to walk us thru the server console to make repairs. And have been told by 3 techs so far that this is a new product and the support avenues are not there for standard since it just supposed to work out of the box. But when it doesn't then ohh well. Which is sorta sad...
    DM

  • Synchronize with  External NTP server.

    Dear All Good morning,
    Environment:
    SunOS CSF-2 5.10 Generic_138888-03 sun4u sparc SUNW, Sun-Fire-V245 system.
    Sun Cluster 3-2 Two node.
    Question:
    How to Synchronize Cluster timing with external NTP server/device? If external NTP device is down will have any impact in the cluster setup?

    epmuneer wrote:
    "How to Synchronize Cluster timing with external NTP server/device?"
    The configuration for NTP on Solaris Cluster is explained here:
    http://docs.sun.com/app/docs/doc/820-4676/cacbdgeg?l=en&a=view
    and
    http://docs.sun.com/app/docs/doc/820-4677/cbhijhbh?l=en&a=view
    epmuneer wrote:
    "If external NTP device is down will have any impact in the cluster setup?"
    You should configure the cluster nodes as peers as well as getting the time from the external NTP server.
    If the external NTP server fails, then time will drift, but at least the cluster nodes keep themselves in sync to have a consistent view.
    Regards
    Thorsten

  • NTP server unreachable through ASA firewall

    Hi all,
    I've configured a DMZ switch to point to an NTP server on the Inside, but I get a debug message on the switch that says:
    NTP: <NTP server IP address> unreachable
    I'm confident that the NTP server is configured properly, as there are more than a dozen other hosts using it, successfully. The difficulty here is that the NTP packets are having to flow from the DMZ to the Inside. I have a rule set on the firewall that permits the IP address of the switch to connect to the IP address of the NTP server as follows:
    access-list intdmz1_acl extended permit udp host <IP address of switch> host <IP address of NTP server> eq ntp
    I can see the hit counter on this rule incrementing.
    The firewall can ping the NTP server, and the NTP server can ping the switch, so I think routing is OK.
    Output from the DMZ switch:
    switch#show ntp associations
          address         ref clock     st  when  poll reach  delay  offset    disp
    ~192.168.65.254   0.0.0.0          16     -    64    0     0.0    0.00  16000.
    * master (synced), # master (unsynced), + selected, - candidate, ~ configured
    switch#show ntp status
    Clock is unsynchronized, stratum 16, no reference clock
    nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**17
    reference time is 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
    clock offset is 0.0000 msec, root delay is 0.00 msec
    root dispersion is 0.00 msec, peer dispersion is 0.00 msec
    PRNLN-DMZ-SW01#sh run | inc ntp
    ntp source Vlan138
    ntp server 192.168.65.254
    ukhvdc00vs01#sh run | inc ntp
    ntp source Vlan65
    ntp master 3
    ntp update-calendar
    ntp server 0.uk.pool.ntp.org
    ntp server 1.uk.pool.ntp.org
    PRNLN-DMZ-SW01#show ntp status
    Clock is unsynchronized, stratum 16, no reference clock
    nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**17
    reference time is 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
    clock offset is 0.0000 msec, root delay is 0.00 msec
    root dispersion is 0.00 msec, peer dispersion is 0.00 msec
    Does the firewall rule need to permit more than UDP/123 for this to work perhaps?
    NTP config on DMZ switch:
    switch#sh run | inc ntp
    ntp source Vlan138
    ntp server <IP address of NTP server>
    ===================
    NTP config on NTP server:
    NTP_Server#sh run | inc ntp
    ntp source Vlan65
    ntp master 3
    ntp update-calendar
    ntp server 0.uk.pool.ntp.org
    ntp server 1.uk.pool.ntp.org
    Any guidance welcomed.
    Thank you,
    Olly

    Hi Julio,
    For the purposes of this information:
    DMZ switch IP = 5.6.7.8
    NTP server IP = 10.1.1.1
    Here's the output from the show commands:
    ciscoasa# show capture NTPCAPTUREDMZ
    11 packets captured
       1: 16:22:05.271500 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
       2: 16:23:09.276185 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
       3: 16:24:13.274033 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
       4: 16:24:57.272813 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
       5: 16:24:58.279480 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
       6: 16:24:59.277817 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
       7: 16:25:00.275971 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
       8: 16:25:01.275559 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
       9: 16:25:02.272599 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
      10: 16:25:03.279129 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
      11: 16:25:04.277710 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    11 packets shown
    ciscoasa# show capture NTPCAPTUREINSIDE
    0 packet captured
    0 packet shown
    ciscoasa# show capture NTPASP | include 10.1.1.1
    419: 16:24:13.274171 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    1820: 16:24:57.272904 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    1841: 16:24:58.279587 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    1876: 16:24:59.277909 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    1934: 16:25:00.276062 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2027: 16:25:01.275651 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2068: 16:25:02.272690 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2095: 16:25:03.279221 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2129: 16:25:04.277802 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2200: 16:25:05.275849 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2233: 16:25:06.274094 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2275: 16:25:07.273606 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2327: 16:25:08.280182 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2347: 16:25:09.277222 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2373: 16:25:10.275467 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2399: 16:25:11.273759 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2414: 16:25:12.273347 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    I'm guessing we should see some packets in the second capture, but we're not...
    Does this help?
    Thanks!
    Olly
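
The comparison made in the post above (requests visible in the DMZ capture, nothing in the inside capture, matching lines in the third capture) can be scripted. The following Python is an added example, not part of the original thread: it assumes NTPASP is an asp-drop capture, uses a subset of the capture lines quoted above as sample input, and its function names, verdict labels and 5 ms matching window are illustrative choices.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# One packet line of ASA "show capture" output, with or without the 802.1Q tag:
#    1: 16:22:05.271500 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
PACKET_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6})\s+"
    r"(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+udp\s+\d+"
)

# Sample input: a subset of the capture lines quoted in the post above.
DMZ_CAPTURE = """\
11 packets captured
   1: 16:22:05.271500 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
   2: 16:23:09.276185 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
   3: 16:24:13.274033 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
   4: 16:24:57.272813 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
   5: 16:24:58.279480 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
"""
INSIDE_CAPTURE = """\
0 packet captured
0 packet shown
"""
ASP_CAPTURE = """\
419: 16:24:13.274171 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
1820: 16:24:57.272904 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
1841: 16:24:58.279587 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
"""


def parse_capture(text):
    """Return [(timestamp, flow)] for every UDP packet line in the text.

    Summary lines ("11 packets captured") and prompts are skipped.
    """
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        flow = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        packets.append((ts, flow))
    return packets


def take_match(pool, ts, flow, window):
    """Consume the first packet in pool with the same flow seen within
    `window` after ts, so one drop record never explains two requests."""
    for i, (other_ts, other_flow) in enumerate(pool):
        if other_flow == flow and timedelta(0) <= other_ts - ts <= window:
            del pool[i]
            return True
    return False


def classify(ingress, egress, asp_drop, window=timedelta(milliseconds=5)):
    """Label each ingress packet 'forwarded', 'dropped' or 'unaccounted'.

    Limitation: flows are matched on the unmodified address/port tuple, so
    traffic that is NATed between the two interfaces will not match.
    """
    egress, asp_drop = list(egress), list(asp_drop)
    results = []
    for ts, flow in ingress:
        if take_match(egress, ts, flow, window):
            fate = "forwarded"
        elif take_match(asp_drop, ts, flow, window):
            fate = "dropped"
        else:
            fate = "unaccounted"  # e.g. drop capture started later or wrapped
        results.append((ts.strftime("%H:%M:%S.%f"), fate))
    return results


def verdict(results):
    """Reduce the per-packet labels to one troubleshooting conclusion."""
    counts = Counter(fate for _, fate in results)
    if not results:
        return "no-ingress"           # requests never reached the firewall
    if counts["dropped"] and not counts["forwarded"]:
        return "dropped-by-firewall"  # check the drop reason on the firewall
    if counts["forwarded"] and not counts["dropped"]:
        return "forwarded"            # look at the server and the return path
    return "inconclusive"


def analyse(dmz_text, inside_text, asp_text):
    results = classify(parse_capture(dmz_text), parse_capture(inside_text),
                       parse_capture(asp_text))
    return results, verdict(results)


if __name__ == "__main__":
    per_packet, conclusion = analyse(DMZ_CAPTURE, INSIDE_CAPTURE, ASP_CAPTURE)
    for ts, fate in per_packet:
        print(ts, fate)
    print("verdict:", conclusion)
```

The first two requests come out as unaccounted because the quoted drop capture has no entries that early; the remaining three each pair with a drop record roughly 100 microseconds later.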

  • NTP Server Configuration

    Dear All,
    I have set up an NTP server with the basic steps provided by SUN. In my setup I would be using it for Solaris, Windows and a few other OSes and devices like switches and routers.
    I am not sure what additional steps I need to sync it with servers without using multicast; I want to use NTP server IP addresses to sync with clients.
    Here is my current configuration..
    ===========================================================================
    server 0.pool.ntp.org
    server 1.pool.ntp.org
    server 2.pool.ntp.org
    server 3.pool.ntp.org
    broadcast 224.0.1.1 ttl 4
    enable auth monitor
    driftfile /var/ntp/ntp.drift
    statsdir /var/ntp/ntpstats/
    filegen peerstats file peerstats type day enable
    filegen loopstats file loopstats type day enable
    filegen clockstats file clockstats type day enable
    keys /etc/inet/ntp.keys
    trustedkey 0
    requestkey 0
    controlkey 0
    ===========================================================================
    Please, let me know if you require anymore information..
    Regards,
    Sambhaji

    Hi,
    I don't believe that the 7204 has a calendar chip in it. If it doesn't, a reload will clear the clock, setting it to the 1993 date. You should sync the 7204 to an external ntp time source, preferably more than one.
    If the 7204 does have a calendar chip, then it will work, but you are still better off using external ntp sources.
    Greg

  • Standalone CA setup in DMZ

    Hi,
    We are planning to setup Standalone CA server(workgroup) in DMZ. Is it possible and recommended?
    What are points that we should keep in mind while doing so?
    We have an option to use Window server 2008 R2 enterprise or server 2012, please recommend.
    Regards,
    Tushar

    Standalone CAs are best for DMZ implementations.
    http://technet.microsoft.com/en-us/library/cc756989(v=WS.10).aspx  I recommend using Server 2012 as it has some newer templates.
    Here are some links to helpful blogs/articles/repositories on PKI that may guide you on what you're trying to accomplish overall.
    http://blogs.technet.com/b/askds/archive/2009/09/01/designing-and-implementing-a-pki-part-i-design-and-planning.aspx
    http://social.technet.microsoft.com/wiki/contents/articles/987.windows-pki-documentation-reference-and-library.aspx
    Like Meinolf said, for specific questions feel free to hit us back up in the security forum or there are some of us with PKI expertise in the Directory Services forum as well.

  • L4 ASA5520 Firewall act as NTP Server/Client

    Hi experts,
    I know that ASA can act as NTP server/client simultaneously, so my question is, do you prefer/recommend to use a border router or FW such as ASA to act as NTP server for internal switches/routers as well as the Windows hosts? I know that for network equipment it is OK, but I am not sure about syncing time from ASA to Windows hosts.
    So, I have an ASA 5520 designed to reside as the L4 firewall, with one DMZ created, and the PDC placed on the ASA's inside. Then what is the best practice for time stratum?
     1) Use the L4 FW, ASA 5520, to get time from the internet, and configure it as an NTP server as well. Then my internal switches/routers and Windows PDC (primary domain controller) could set their time source to the border ASA 5520.
     2) Set the internal PDC to take time from the internet, allowing only NTP to pass between PDC and internet via the ASA 5520; then the L4 ASA 5520 and the other switches/routers get time from the inside PDC.
    Can someone point me in the right direction?
    Thanks and regards,
    Taixing An

    My central point for NTP sync is my SVI in Management, and this one syncs from the Internet; as a last resort I have a less preferred end-point (PDC).

  • My solution for AEBS locking up (NTP server not reachable)

    I'll prefix this by saying that the issue that I found is pretty rare, but easy to fix.
    I had a problem with my Airport Express that would cause all sorts of weird problems. After a couple days, either it wouldn't print, not allow clients to associate, not accept the correct password in the Airport Admin Utility, or not show up in the Airport Admin utility.
    It turns out that I had enabled using a NTP server, but the NTP server wasn't reachable. In my network setup, the airports are in part of the subnet that's firewalled from the internet. The fix was for me to change the NTP server to an internal machine, but turning off NTP would have worked just the same.
    NTP seems to only be used for logging, so turning it off shouldn't affect network performance.
    I haven't had to reset either base stations since.

    Here you go!
    Use the terminal as the root user and follow the steps below:
    cd /etc
    more ntp.conf
    Then include these two lines:
    server 127.127.1.1 prefer
    fudge 127.127.1.1 stratum 3 refid NIST
    After that save and exit. Then check your NTP using the Server Admin tool and that's done. Be warned: don't change anything in the System Preferences date and time.

  • Deploy sip servlet to Occas5.0(weblogic) occurs exception: com.bea.wcp.sip.engine.server.setup.SipAnnotationParsingException

    hi,
    I install Occas on OS win7 64bit, jdk 1.6.0.45.
    I got the following error message while I start Occas server:
    because error occurs when parsing sip related annotations of "testservicecomplexobject-application"
    WLST-WLS-1396579151484: com.bea.wcp.sip.engine.server.setup.SipAnnotationParsingException
    at com.bea.wcp.sip.engine.server.setup.SipAnnotationData.<init><SipAnnotationData.java:155>
    Also, when I deploy a sip servlet package(sar) to the Occas server, after deploy finish, at the deployment manager page,
    health term is none.
    and also I found many error info in AdminServer/logs/domain.log as below blue font:
    ####<Apr 4, 2014 11:09:21 AM CST> <Error> <WLSS.Setup> <E76C3BE51B4188> <AdminServer> <[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1396580961513> <BEA-331210> <Skip SIP related logic, because error occurs when parsing sip related annotations of "b2bua-sip-servlet-1.0.0-SNAPSHOT"
    com.bea.wcp.sip.engine.server.setup.SipAnnotationParsingException:
        at com.bea.wcp.sip.engine.server.setup.SipAnnotationData.<init>(SipAnnotationData.java:155)
        at com.bea.wcp.sip.util.DeploymentUtil.getOrCreateAnnotationData(DeploymentUtil.java:74)
        at com.bea.wcp.sip.util.DeploymentUtil.getAnnotationData(DeploymentUtil.java:89)
        at com.bea.wcp.sip.engine.server.SipServerTailModule$1.visit(SipServerTailModule.java:129)
        at com.bea.wcp.sip.engine.server.SipServerTailModule.visitAllContexts(SipServerTailModule.java:112)
        at com.bea.wcp.sip.engine.server.SipServerTailModule.initialize(SipServerTailModule.java:137)
        at com.bea.wcp.sip.engine.server.SipServerTailModule.prepare(SipServerTailModule.java:69)
        at weblogic.application.internal.flow.DeploymentCallbackFlow$1.next(DeploymentCallbackFlow.java:507)
        at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
        at weblogic.application.internal.flow.DeploymentCallbackFlow.prepare(DeploymentCallbackFlow.java:149)
        at weblogic.application.internal.flow.DeploymentCallbackFlow.prepare(DeploymentCallbackFlow.java:45)
        at weblogic.application.internal.BaseDeployment$1.next(BaseDeployment.java:1221)
        at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
        at weblogic.application.internal.BaseDeployment.prepare(BaseDeployment.java:367)
        at weblogic.application.internal.SingleModuleDeployment.prepare(SingleModuleDeployment.java:43)
        at weblogic.application.internal.DeploymentStateChecker.prepare(DeploymentStateChecker.java:154)
        at weblogic.deploy.internal.targetserver.AppContainerInvoker.prepare(AppContainerInvoker.java:60)
        at weblogic.deploy.internal.targetserver.operations.ActivateOperation.createAndPrepareContainer(ActivateOperation.java:207)
        at weblogic.deploy.internal.targetserver.operations.ActivateOperation.doPrepare(ActivateOperation.java:98)
        at weblogic.deploy.internal.targetserver.operations.AbstractOperation.prepare(AbstractOperation.java:217)
        at weblogic.deploy.internal.targetserver.DeploymentManager.handleDeploymentPrepare(DeploymentManager.java:747)
        at weblogic.deploy.internal.targetserver.DeploymentManager.prepareDeploymentList(DeploymentManager.java:1216)
        at weblogic.deploy.internal.targetserver.DeploymentManager.handlePrepare(DeploymentManager.java:250)
        at weblogic.deploy.internal.targetserver.DeploymentServiceDispatcher.prepare(DeploymentServiceDispatcher.java:159)
        at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.doPrepareCallback(DeploymentReceiverCallbackDeliverer.java:171)
        at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.access$000(DeploymentReceiverCallbackDeliverer.java:13)
        at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer$1.run(DeploymentReceiverCallbackDeliverer.java:46)
        at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
        at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
        at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    Caused By: java.lang.LinkageError: loader constraint violation: when resolving overridden method "antlr.debug.LLkDebuggingParser.removeMessageListener(Lantlr/debug/MessageListener;)V" the class loader (instance of weblogic/utils/classloaders/ChangeAwareClassLoader) of the current class, antlr/debug/LLkDebuggingParser, and its superclass loader (instance of sun/misc/Launcher$AppClassLoader), have different Class objects for the type antlr/debug/MessageListener used in the signature
        at java.lang.Class.getDeclaredMethods0(Native Method)
        at java.lang.Class.privateGetDeclaredMethods(Class.java:2436)
        at java.lang.Class.privateGetPublicMethods(Class.java:2556)
        at java.lang.Class.getMethods(Class.java:1412)
        at com.bea.wcp.sip.engine.server.setup.SipAnnotationData.classAnnotationParsing(SipAnnotationData.java:344)
        at com.bea.wcp.sip.engine.server.setup.SipAnnotationData.jarAnnotationParsing(SipAnnotationData.java:288)
        at com.bea.wcp.sip.engine.server.setup.SipAnnotationData.annotationParsing(SipAnnotationData.java:223)
        at com.bea.wcp.sip.engine.server.setup.SipAnnotationData.<init>(SipAnnotationData.java:144)
        at com.bea.wcp.sip.util.DeploymentUtil.getOrCreateAnnotationData(DeploymentUtil.java:74)
        at com.bea.wcp.sip.util.DeploymentUtil.getAnnotationData(DeploymentUtil.java:89)
        at com.bea.wcp.sip.engine.server.SipServerTailModule$1.visit(SipServerTailModule.java:129)
        at com.bea.wcp.sip.engine.server.SipServerTailModule.visitAllContexts(SipServerTailModule.java:112)
        at com.bea.wcp.sip.engine.server.SipServerTailModule.initialize(SipServerTailModule.java:137)
        at com.bea.wcp.sip.engine.server.SipServerTailModule.prepare(SipServerTailModule.java:69)
        at weblogic.application.internal.flow.DeploymentCallbackFlow$1.next(DeploymentCallbackFlow.java:507)
        at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
        at weblogic.application.internal.flow.DeploymentCallbackFlow.prepare(DeploymentCallbackFlow.java:149)
        at weblogic.application.internal.flow.DeploymentCallbackFlow.prepare(DeploymentCallbackFlow.java:45)
        at weblogic.application.internal.BaseDeployment$1.next(BaseDeployment.java:1221)
        at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
        at weblogic.application.internal.BaseDeployment.prepare(BaseDeployment.java:367)
        at weblogic.application.internal.SingleModuleDeployment.prepare(SingleModuleDeployment.java:43)
        at weblogic.application.internal.DeploymentStateChecker.prepare(DeploymentStateChecker.java:154)
        at weblogic.deploy.internal.targetserver.AppContainerInvoker.prepare(AppContainerInvoker.java:60)
        at weblogic.deploy.internal.targetserver.operations.ActivateOperation.createAndPrepareContainer(ActivateOperation.java:207)
        at weblogic.deploy.internal.targetserver.operations.ActivateOperation.doPrepare(ActivateOperation.java:98)
        at weblogic.deploy.internal.targetserver.operations.AbstractOperation.prepare(AbstractOperation.java:217)
        at weblogic.deploy.internal.targetserver.DeploymentManager.handleDeploymentPrepare(DeploymentManager.java:747)
        at weblogic.deploy.internal.targetserver.DeploymentManager.prepareDeploymentList(DeploymentManager.java:1216)
        at weblogic.deploy.internal.targetserver.DeploymentManager.handlePrepare(DeploymentManager.java:250)
        at weblogic.deploy.internal.targetserver.DeploymentServiceDispatcher.prepare(DeploymentServiceDispatcher.java:159)
        at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.doPrepareCallback(DeploymentReceiverCallbackDeliverer.java:171)
        at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.access$000(DeploymentReceiverCallbackDeliverer.java:13)
        at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer$1.run(DeploymentReceiverCallbackDeliverer.java:46)
        at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
        at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
        at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    >
    ####<Apr 4, 2014 11:09:21 AM CST> <Error> <WLSS.Engine> <E76C3BE51B4188> <AdminServer> <[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1396580961523> <BEA-330004> <Failed to deploy SIP application "b2bua-sip-servlet-1.0.0-SNAPSHOT"
    java.lang.NullPointerException
        at com.bea.wcp.sip.engine.server.setup.SipDeploymentDescriptor.<init>(SipDeploymentDescriptor.java:285)
        at com.bea.wcp.sip.engine.server.setup.SipDeploymentDescriptor.parse(SipDeploymentDescriptor.java:148)
        at com.bea.wcp.sip.engine.server.CanaryContext.initContext(CanaryContext.java:396)
        at com.bea.wcp.sip.engine.server.CanaryContext.<init>(CanaryContext.java:334)
        at com.bea.wcp.sip.engine.server.CanaryServer.installContext(CanaryServer.java:1001)
        at com.bea.wcp.sip.engine.server.SipService.setupSipServletContext(SipService.java:126)
        at com.bea.wcp.sip.engine.server.SipServerTailModule$1.visit(SipServerTailModule.java:130)
        at com.bea.wcp.sip.engine.server.SipServerTailModule.visitAllContexts(SipServerTailModule.java:112)
        at com.bea.wcp.sip.engine.server.SipServerTailModule.initialize(SipServerTailModule.java:137)
        at com.bea.wcp.sip.engine.server.SipServerTailModule.prepare(SipServerTailModule.java:69)
        at weblogic.application.internal.flow.DeploymentCallbackFlow$1.next(DeploymentCallbackFlow.java:507)
        at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
        at weblogic.application.internal.flow.DeploymentCallbackFlow.prepare(DeploymentCallbackFlow.java:149)
        at weblogic.application.internal.flow.DeploymentCallbackFlow.prepare(DeploymentCallbackFlow.java:45)
        at weblogic.application.internal.BaseDeployment$1.next(BaseDeployment.java:1221)
        at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
        at weblogic.application.internal.BaseDeployment.prepare(BaseDeployment.java:367)
        at weblogic.application.internal.SingleModuleDeployment.prepare(SingleModuleDeployment.java:43)
        at weblogic.application.internal.DeploymentStateChecker.prepare(DeploymentStateChecker.java:154)
        at weblogic.deploy.internal.targetserver.AppContainerInvoker.prepare(AppContainerInvoker.java:60)
        at weblogic.deploy.internal.targetserver.operations.ActivateOperation.createAndPrepareContainer(ActivateOperation.java:207)
        at weblogic.deploy.internal.targetserver.operations.ActivateOperation.doPrepare(ActivateOperation.java:98)
        at weblogic.deploy.internal.targetserver.operations.AbstractOperation.prepare(AbstractOperation.java:217)
        at weblogic.deploy.internal.targetserver.DeploymentManager.handleDeploymentPrepare(DeploymentManager.java:747)
        at weblogic.deploy.internal.targetserver.DeploymentManager.prepareDeploymentList(DeploymentManager.java:1216)
        at weblogic.deploy.internal.targetserver.DeploymentManager.handlePrepare(DeploymentManager.java:250)
        at weblogic.deploy.internal.targetserver.DeploymentServiceDispatcher.prepare(DeploymentServiceDispatcher.java:159)
        at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.doPrepareCallback(DeploymentReceiverCallbackDeliverer.java:171)
        at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.access$000(DeploymentReceiverCallbackDeliverer.java:13)
        at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer$1.run(DeploymentReceiverCallbackDeliverer.java:46)
        at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
        at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
        at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    Can anyone give some suggestion?
    Thanks in advance!
    BR//Margin

    Hi,
    I changed my jvm from sun jdk to latest jrockit and the issue was solved :)

  • Remote Update Server setup

    Using the AUSST tool to set up a remote update server on Windows Server 2012R2 which is IIS 8.5.
    Working through this document: http://helpx.adobe.com/creative-cloud/packager/update-server-setup-tool.html#Preparing a web server to use as the update server
    Have reached the point where it says "Add the httpHandles for the zip, xml, crl, dmg, and sig extension in the web.config file as shown here:"
    I have added the lines specified to the web.config file, here is the complete file:
    <configuration>
        <system.web>
            <compilation targetFramework="4.5" />
            <membership>
                <providers>
                    <add name="WebAdminMembershipProvider" type="System.Web.Administration.WebAdminMembershipProvider" />
                </providers>
            </membership>
            <httpModules>
                <add name="WebAdminModule" type="System.Web.Administration.WebAdminModule"/>
            </httpModules>
            <authentication mode="Windows"/>
            <authorization>
                <deny users="?"/>
            </authorization>
            <identity impersonate="true"/>
           <trust level="Full"/>
           <pages validateRequest="true"/>
           <globalization uiCulture="auto:en-US" />
               <httphandlers>
                 <add path="*.zip" verb="*" type="system.web.staticfilehandler" />
                 <add path="*.xml" verb="*" type="system.web.staticfilehandler" />
                 <add path="*.crl" verb="*" type="system.web.staticfilehandler" />
                 <add path="*.dmg" verb="*" type="system.web.staticfilehandler" />
                 <add path="*.sig" verb="*" type="system.web.staticfilehandler" />
               </httphandlers>
        </system.web>
        <system.webServer>
            <modules>
                <add name="WebAdminModule" type="System.Web.Administration.WebAdminModule" preCondition="managedHandler" />
            </modules>
            <validation validateIntegratedModeConfiguration="false" />
        </system.webServer>
    </configuration>
    But when I try to access the web site I get this: " The configuration section 'httphandlers' cannot be read because it is missing a section declaration "
    Clearly I am a newbie in IIS (and indeed on Web Development of any sort).
    Could someone please point out the no-doubt-obvious mistake?
    Thanks.

    I'm on 2012 R2 too.
    ISAPI Module is not available by default. Choose to add ISAPI features (and Server Side Includes) using the Server Manager, Add Roles and Features, Web Server, Web Server, Application Development. I chose both ISAPI options as well as Server Side Includes - not sure which is needed.
    Added Server Side Includes (as well as the ISAPI .xml .crl .zip .dmg .sig ) entries in Add Module Mappings (as per  https://forums.adobe.com/thread/951308?tstart=0)
    My HTTP Handlers section is as follows:
            <httpHandlers>
                <add path="*.xml" verb="*" type="System.Web.StaticFileHandler"/>
                <add path="*.crl" verb="*" type="System.Web.StaticFileHandler"/>
                <add path="*.zip" verb="*" type="System.Web.StaticFileHandler"/>
                <add path="*.dmg" verb="*" type="System.Web.StaticFileHandler"/>
                <add path="*.sig" verb="*" type="System.Web.StaticFileHandler"/>
          <add verb="*" path="*.rules" type="System.Web.HttpForbiddenHandler" validate="true"/>
          <add verb="*" path="*.xoml" type="System.ServiceModel.Activation.HttpHandler, System.ServiceModel, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" validate="false"/>
                <add path="*.svc" verb="*" type="System.ServiceModel.Activation.HttpHandler, System.ServiceModel, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" validate="false"/>
                <add path="trace.axd" verb="*" type="System.Web.Handlers.TraceHandler" validate="True"/>
                <add path="WebResource.axd" verb="GET" type="System.Web.Handlers.AssemblyResourceLoader" validate="True"/>
                <add path="*.axd" verb="*" type="System.Web.HttpNotFoundHandler" validate="True"/>
                <add path="*.aspx" verb="*" type="System.Web.UI.PageHandlerFactory" validate="True"/>
                <add path="*.ashx" verb="*" type="System.Web.UI.SimpleHandlerFactory" validate="True"/>
                <add path="*.asmx" verb="*" type="System.Web.Services.Protocols.WebServiceHandlerFactory, System.Web.Services, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" validate="False"/>
                <add path="*.rem" verb="*" type="System.Runtime.Remoting.Channels.Http.HttpRemotingHandlerFactory, System.Runtime.Remoting, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" validate="False"/>
                <add path="*.soap" verb="*" type="System.Runtime.Remoting.Channels.Http.HttpRemotingHandlerFactory, System.Runtime.Remoting, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" validate="False"/>
                <add path="*.asax" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
                <add path="*.ascx" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
                <add path="*.master" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
                <add path="*.skin" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
                <add path="*.browser" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
                <add path="*.sitemap" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
                <add path="*.dll.config" verb="GET,HEAD" type="System.Web.StaticFileHandler" validate="True"/>
                <add path="*.exe.config" verb="GET,HEAD" type="System.Web.StaticFileHandler" validate="True"/>
                <add path="*.config" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
                <add path="*.cs" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
                <add path="*.csproj" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
                <add path="*.vb" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
                <add path="*.vbproj" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
                <add path="*.webinfo" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
                <add path="*.licx" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
                <add path="*.resx" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
                <add path="*.resources" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
                <add path="*.mdb" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
                <add path="*.vjsproj" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
                <add path="*.java" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
                <add path="*.jsl" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
                <add path="*.ldb" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
                <add path="*.ad" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
                <add path="*.dd" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
                <add path="*.ldd" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
                <add path="*.sd" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
                <add path="*.cd" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
                <add path="*.adprototype" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
                <add path="*.lddprototype" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
                <add path="*.sdm" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
                <add path="*.sdmDocument" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
                <add path="*.mdf" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
                <add path="*.ldf" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
                <add path="*.exclude" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
                <add path="*.refresh" verb="*" type="System.Web.HttpForbiddenHandler" validate="True"/>
                <add path="*" verb="GET,HEAD,POST" type="System.Web.DefaultHttpHandler" validate="True"/>
                <add path="*" verb="*" type="System.Web.HttpMethodNotAllowedHandler" validate="True"/>
            </httpHandlers>
    You should be able to get a web page with "0001" printed on it when you access your server's website from another PC.
    I used the default paths so this was my URL:
    http://server.ucd.ie/Adobe/CS/webfeed/oobe/aam20/win/updaterfeed.xml
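
The error in the question names the element exactly as it was typed, `httphandlers`, while the working configuration in the reply spells it `httpHandlers`; ASP.NET configuration element names are case-sensitive. The following is an added example (not code from either poster or from Adobe's documentation): a small Python check that flags section names and handler types differing only by case from the spellings that appear on this page. The function names and the trimmed sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Spellings taken from the two configurations shown on this page.
SECTION_NAMES = {
    "compilation", "membership", "httpModules", "authentication",
    "authorization", "identity", "trust", "pages", "globalization",
    "httpHandlers",
}
HANDLER_TYPES = {"System.Web.StaticFileHandler", "System.Web.HttpForbiddenHandler"}

# Constructed sample: a trimmed copy of the failing web.config from the question.
FAILING_CONFIG = """\
<configuration>
  <system.web>
    <compilation targetFramework="4.5" />
    <authentication mode="Windows"/>
    <httphandlers>
      <add path="*.zip" verb="*" type="system.web.staticfilehandler" />
      <add path="*.sig" verb="*" type="system.web.staticfilehandler" />
    </httphandlers>
  </system.web>
</configuration>
"""


def _case_variant(value, known):
    """Return the known spelling if value differs from it only by case."""
    if value in known:
        return None
    folded = {name.lower(): name for name in known}
    return folded.get(value.lower())


def lint_web_config(xml_text):
    """Return (kind, found, expected) tuples for case-only mismatches."""
    findings = []
    root = ET.fromstring(xml_text)
    system_web = next((c for c in root if c.tag == "system.web"), None)
    if system_web is None:
        return findings
    for section in system_web:
        expected = _case_variant(section.tag, SECTION_NAMES)
        if expected:
            findings.append(("section", section.tag, expected))
        if section.tag.lower() != "httphandlers":
            continue
        # Compare each handler's type name (without any assembly suffix)
        # against the spelling used in the working configuration.
        for add in section.findall("add"):
            type_name = add.get("type", "").split(",")[0].strip()
            expected_type = _case_variant(type_name, HANDLER_TYPES)
            if expected_type:
                findings.append(("type", type_name, expected_type))
    return findings


if __name__ == "__main__":
    for kind, found, expected in lint_web_config(FAILING_CONFIG):
        print(f"{kind}: '{found}' differs only by case from '{expected}'")
```
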

  • Mobile Access Server setup

    So, I'm setting up a 10.6.1 server in the DMZ to be a Mobile Access Server to reverse proxy mail, calendaring, and web. Couple issues I have:
    1. I want to manage this DMZ server from a different internal 10.6.1 Server inside my network. I have turned on Remote Management on the DMZ server, but cannot connect from Server Admin on the internal server to the DMZ server. I need to be able to manage both servers from one Server Admin console. I also need to be able to screen share the DMZ server for access ONLY from the internal server. How do I accomplish this?
    2. My internal 10.6.1 server is my Open Directory Master already, and working nicely. But to use Mobile Access Server and reverse proxy services back to the internal server, I need the DMZ server to be aware of my existing directory inside. Would I want to make the DMZ server an Open Directory Replica, or should I use the middle option for Open Directory types called "Connect to another directory"? Obviously, I know that it should NOT be another master.
    3. I have purchased and implemented a wildcard cert on my internal 10.6.1 server to use for TLS, HTTPS, etc. I have also told the Open Directory Master to use ssl for the LDAP piece of it (there's a GUI option for that). Figured I might as well secure everything I can a bit more since I purchased the cert. What effect will this have on Question 2 above? Will I need to open a different port for instance on the firewall for LDAP over SSL? Or any issues with creating a Replica or "connect to another OD server" on the OD server in the DMZ to get it to connect to the internal OD Master?
    Thanks for all the help here.

    To your #1: When you use a firewall to place a device in a DMZ, that device is not part of the internal network. It 'technically' sits on the outside of the firewall at nearly the same place as your external connection.
    Some discussions about a firewall use colors to designate the 'data protection' level or 'threat' vector.
    (Below was 'borrowed' from http://riskless.com/firewall_configuration.aspx)
    * RED Network Interface
    This network is the Internet or other untrusted network. IPCop’s primary purpose is to protect the GREEN, BLUE and ORANGE networks and their computers from traffic originating on the RED network. Your current connection method and hardware are used to connect to this network.
    * GREEN Network Interface
    This interface only connects to the computer(s) that IPCop is protecting. It is presumed to be local. Traffic to it is routed through an Ethernet NIC on the IPCop computer firewall.
    * BLUE Network Interface
    This optional network allows you to place wireless devices on a separate network. Computers on this network cannot get to the GREEN network except tightly controlled “pinholes”, or via a VPN. Traffic to this network is routed through an Ethernet NIC.
    * ORANGE Network Interface
    This optional network allows you to place publicly accessible servers on a separate network. Computers on this network cannot get to the GREEN or BLUE networks, except through tightly controlled “DMZ pinholes”. Traffic to this network is routed through an Ethernet NIC.
    * The GREEN and RED networks are required
    * The ORANGE and BLUE networks are optional
    The interface requirements for your RED network will vary depending on your connection to the Internet. The RED network may require an additional Ethernet card and cable.
    You can also read up on all this in a more neutral article here: http://www.ocmodshop.com/ocmodshop.aspx?a=1526
    The point of all this is that, depending on 'where' the data is coming from, it is either denied access or must be 'punched through' to allow access. Here is a diagram of that process (from a Linux firewall called IPCop):
    !http://www.ipcop.org/1.4.0/en/admin/images/traffic.png!
    So access from inside (your network) to your DMZ device should work without any trouble, but from DMZ to inside should require ports to be opened up. On most firewalls, they call this port access 'Pin Holes', as the DMZ is itself protected by only allowing the IP address of that network in through the firewall. Possibly your firewall is not doing any kind of Stateful Packet Inspection, so all conversations must have a pinhole to come 'back' out of the DMZ? Tell us your firewall brand and that might help.
    #2: I would use "Connect to another directory". You want to limit the amount of data that can be compromised in the DMZ. As I mentioned, the DMZ is outside your network, technically naked to the world. I believe that any port that does NOT get routed (forwarded) into your green will automatically be forwarded to your DMZ, so it will be hammered with all manner of hack and virus vectors.
    Peter
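
The zone and pinhole behaviour described in the reply above can be modelled in a few lines. This is an added example, not part of the original post and not IPCop's code: a Python sketch in which the internal server sits in GREEN and the DMZ server in ORANGE, showing why a DMZ-initiated LDAP-over-SSL connection needs a pinhole and how reply traffic differs with and without stateful inspection. The addresses, class names and the default-allow table are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Zone pairs that may open connections without a pinhole. Assumption for this
# model: only GREEN (internal) may initiate freely, as the reply describes.
ALLOWED_BY_DEFAULT = {("GREEN", "ORANGE"), ("GREEN", "BLUE"), ("GREEN", "RED")}


@dataclass(frozen=True)
class Flow:
    """A connection attempt, identified by zones, hosts and service port."""
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class ZoneFirewall:
    def __init__(self, stateful=True):
        self.stateful = stateful
        self.pinholes = set()      # exact flows allowed against the default
        self.return_rules = set()  # stateless only: replies allowed back
        self.established = set()   # stateful only: connections already seen

    def add_pinhole(self, flow):
        self.pinholes.add(flow)

    def add_return_rule(self, flow):
        self.return_rules.add(flow)

    def new_connection(self, flow):
        """Decide whether the first packet of a connection may pass."""
        allowed = ((flow.src_zone, flow.dst_zone) in ALLOWED_BY_DEFAULT
                   or flow in self.pinholes)
        if allowed and self.stateful:
            self.established.add(flow)
        return allowed

    def reply(self, flow):
        """Decide whether the answer to an earlier flow may travel back."""
        if self.stateful:
            return flow in self.established
        # Without state tracking the reply is judged as a fresh packet
        # travelling from the destination zone back to the source zone.
        return ((flow.dst_zone, flow.src_zone) in ALLOWED_BY_DEFAULT
                or flow in self.return_rules)


# Constructed addresses; 5900/tcp (screen sharing, VNC) and 636/tcp (LDAP
# over SSL) are the standard port numbers for those services.
INTERNAL = "10.0.0.10"
DMZ_HOST = "192.168.50.10"
SCREEN_SHARE = Flow("GREEN", INTERNAL, "ORANGE", DMZ_HOST, 5900)
LDAPS = Flow("ORANGE", DMZ_HOST, "GREEN", INTERNAL, 636)


def demo():
    stateful, stateless = ZoneFirewall(True), ZoneFirewall(False)
    results = {
        "ldaps_before_pinhole": stateful.new_connection(LDAPS),
        "screen_share_out": stateful.new_connection(SCREEN_SHARE),
        "screen_share_reply_stateful": stateful.reply(SCREEN_SHARE),
    }
    stateful.add_pinhole(LDAPS)
    results["ldaps_after_pinhole"] = stateful.new_connection(LDAPS)
    stateless.new_connection(SCREEN_SHARE)
    results["screen_share_reply_stateless"] = stateless.reply(SCREEN_SHARE)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

Because a pinhole here matches one exact source host, destination host and port, a second DMZ host or a different port stays blocked, which keeps the exposure of the internal directory server as narrow as the reply recommends.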
