OWSM in the DMZ?

Hi,
We have a Web Service that needs to be accessed from the Internet. If we use a Gateway we need to install the OWSM in the DMZ. We don't really want to install a database in the DMZ and we do not want to have the OWSM in the DMZ access a database on the LAN. So we really don't want the OWSM in the DMZ :-) So what do we do? Set up an Apache proxy?
Regards Pete
Message was edited by: Peter Lorenzen

Hi Peter.
I'm interested in the solution you implemented here. e.g. what was your topology?
I'm also interested in what type of security you implemented. e.g. Gateway, server / client agents, etc.
cheers
James

Similar Messages

  • Server 2012 Clustered Hosts - How can I place a Hyper-V Guest in the DMZ?

    I have 3 Server 2012 Hyper-V clustered hosts. I've been recently asked to create a VM where external parties will have local admin rights. I've been resisting things for a variety of IMO valid security reasons. What I'm trying to understand is if it would be possible to build a guest VM that was not part of our domain and put it in our firewall's DMZ zone. In this way these folks could be local admins but there'd be no connection with the internal network.
    In a single host environment, if I'm understanding things correctly, I'd create an external type virtual switch, connect it to a specific physical network card on my host and then connect that card to my switch's DMZ port. But my environment is clustered... does that mean I'd designate a physical network card on all 3 hosts, connect them all to the same named external virtual switch and plug all 3 in to DMZ ports on my firewall? Could I also, instead of plugging all 3 in to DMZ ports on my firewall, plug all 3 into some little rinky dink 4 port gigabit switch and then plug that in to my firewall's DMZ port?

    Hi,
    When your guest VM is using the external vSwitch, it can be considered as the physical host, therefore it has the physical network features; in the DMZ zone we often create a dedicated subnet for security reasons. Therefore a dedicated NIC is needed; it will be used for the Hyper-V host VLAN settings.
    When considering Hyper-V for server consolidation in a DMZ it is recommended not to run VMs of vastly differing trust levels on the same physical host in production environments
    (i.e. do not consolidate all DMZ boxes on one physical host). 
    Instead, the recommendation is to consolidate all the front-end boxes on one physical server and do the same for the back-end, depending on the workloads.
    More information:
    Hyper-V 2008 R2: Virtual Networking Survival Guide
    http://social.technet.microsoft.com/wiki/contents/articles/151.hyper-v-2008-r2-virtual-networking-survival-guide.aspx
    Hyper-V: What are the uses for different types of virtual networks?
     http://blogs.technet.com/jhoward/archive/2008/06/17/hyper-v-what-are-the-uses-for-different-types-of-virtual-networks.aspx
    Understanding Networking with Hyper-V
     http://www.microsoft.com/downloads/details.aspx?FamilyID=3FAC6D40-D6B5-4658-BC54-62B925ED7EEA&displaylang=en&displaylang=en
    VLAN Settings and Hyper-V
    http://blogs.msdn.com/virtual_pc_guy/archive/2008/03/10/vlan-settings-and-hyper-v.aspx
    Hope this helps.

  • Connection Pooling in the DMZ

    Hi,
    Have a Sun One web server 6.1 in the DMZ. I want to set up connection pooling on this to connect to a DB on our LAN through an inner firewall.
    Is this a good idea, or a security risk?
    Also, when configuring, any way to secure the username/password which has to be entered in to the pool setup in the Sun One Admin Server?
    Cheers,
    Gareth

    Hi,
    Found some info on the web about passing in username and password in code using :
    conn = ds.getConnection("user", "pass");
    instead of
    conn = ds.getConnection(); (where username/password stored in server.xml)
    This would be better as I could get the username/password from ldap on our LAN. Would be more secure.
    Doesn't work for me though, I get this error:
    java.sql.SQLException: invalid arguments in call
    java.sql.SQLException: invalid arguments in call
    at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:114)
    at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:156)
    at oracle.jdbc.dbaccess.DBError.check_error(DBError.java:803)
    at oracle.jdbc.ttc7.TTC7Protocol.logon(TTC7Protocol.java:175)
    at oracle.jdbc.driver.OracleConnection.<init>(OracleConnection.java:198)
    at oracle.jdbc.driver.OracleDriver.getConnectionInstance(OracleDriver.java:251)
    at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:224)
    at java.sql.DriverManager.getConnection(DriverManager.java:512)
    at java.sql.DriverManager.getConnection(DriverManager.java:171)
    at oracle.jdbc.pool.OracleDataSource.getConnection(OracleDataSource.java:102)
    at oracle.jdbc.pool.OracleDataSource.getConnection(OracleDataSource.java:85)
    at com.sun.enterprise.resource.JdbcAllocator.createResource(JdbcAllocator.java:98)
    at com.sun.enterprise.resource.IASNonSharedResourcePool.createSteadyResources(IASNonSharedResourcePool.java:865)
    at com.sun.enterprise.resource.IASNonSharedResourcePool.initPool(IASNonSharedResourcePool.java:360)
    at com.sun.enterprise.resource.IASNonSharedResourcePool.internalGetResource(IASNonSharedResourcePool.java:598)
    at com.sun.enterprise.resource.IASNonSharedResourcePool.getResource(IASNonSharedResourcePool.java:490)
    at com.sun.enterprise.resource.PoolManagerImpl.getResourceFromPool(PoolManagerImpl.java:189)
    at com.sun.enterprise.resource.PoolManagerImpl.getResource(PoolManagerImpl.java:93)
    at com.sun.enterprise.resource.JdbcDataSource.internalGetConnection(JdbcDataSource.java:201)
    at com.sun.enterprise.resource.JdbcDataSource.getConnection(JdbcDataSource.java:163)
    Any ideas?

  • How do I log onto airport, how do I get to the DMZ on the router?

    How do I log onto airport, how do I get to the DMZ on the router?

    Open the airport utility.
    Bobby Pearce wrote:
    How do I log onto airport, how do I get to the DMZ on the router?
    If you mean how to set the DMZ..
    Click on the Airport in airport utility.. click on the edit that shows on the summary..
    Go to the Network tab.. and go to network options on the bottom of that page.
    Enable Default Host.. is DMZ..
    Tick the box and type in the IP of the computer or device you are placing in the DMZ.

  • Can I add VOIP Gateway SPA2100-SU to the DMZ of Router BEFSR41 Ver 4 ?

    I am having multiple problems with dropped calls; need to reboot my LinkSys VOIP Gateway and so on, and my VOIP provider has suggested the following: "Add your Gateway (the physical device I guess) to the DMZ of your router." We are trying to tell the Router to give this VOIP Gateway, which gets its IP address via DHCP from the router, carte blanche to any port or destination it wants. I have NO idea how to do this on the BEFSR41, which is a CA model with Version 4 appended to its model number. Can anyone send me how-to advice? - Mike BRYAN Ottawa Canada PM me for my email.

    First thing is to assign a static IP on the WAN / Internet side of your SPA-2100 so that you can set that IP to the DMZ of the BEFSR41. If you are not sure how to assign a static IP address on the spa2100 or how to open the web interface of the spa2100 and befsr41, then you better refer to the KB articles from www.linksys.com/kb. Just type in something like spa2100 or befsr41.
    By the way, you may also enable NAT mapping and NAT Keep alive in your spa2100 aside from opening / forwarding ports in the befsr41 (check out Answer ID 5242). Lastly, enabling Send Resp To Src Port in the spa2100 is another option to try (this is under Voice > SIP > NAT Support Parameters).
    It really requires much reading for us beginners to fully understand these devices. I am happy that I learned how to use the KBase site of Linksys since it gives me useful info about their products.

  • ISSUE with accessing Printer on the DMZ !!

    Hi,
    We are facing issues while accessing the printer in the DMZ interface from the inside interface. The issue is happening when we are adding a printer to a new desktop. The printer is added via print server. The issue started happening after the server team implemented an authentication PIN for printing. The printer gets added, but while giving print it gives the error "print driver not found". We have checked printing after removing the PIN and it works fine. I am getting the following error logs from the firewall. Can somebody help on this?
    %ASA-6-302014: Teardown TCP connection 3842514 for DMZ:172.19.48.207/80 to ODC-FW:10.132.123.19/1810 duration 0:00:06 bytes 711 TCP Reset-I
    %ASA-6-302014: Teardown TCP connection 3842514 for DMZ:172.19.48.207/80 to ODC-FW:10.132.123.19/1810 duration 0:00:06 bytes 711 TCP Reset-I
    172.19.48.207 - Printer
    10.132.123.19 - Desktop

    Mujeeb,
    Based on the syslog you posted we are getting a Reset from the internal device; the FW is just closing the connection because it got a reset packet. This will be the normal behaviour of the ASA.
    If you want to dig deeper on the issue you can place captures on the ASA and confirm the source mac-address/IP address of the reset packet.
    Luis Silva

  • Wireless guest have no connectivity in the DMZ

    Hi,
    I am deploying a new wireless setup with two 2504 controllers, one for the corporate ssid and one for guest segment.
    The anchor controller used for web-authentication has 1 leg in the inside network (10.x.x.x) and 1 leg in the dmz 192.168.100.x (to ASA 5515 v9.0) on the 192.168.100.0 /24 range.
    The ASA has internal and external context.
    The Mobility tunnel is up.
    The ASA is doing DHCP, and the hosts receive IP addresses and (public) DNS 173.194.67.94.
    Problem is the hosts cannot do DNS lookup and thus no redirection to the web-portal.
    The ASA shows no denies. When I ping the DNS from the Anchor controller, I see the following.
    Jul 11 2013 07:44:17: %ASA-6-302020: Built outbound ICMP connection for faddr 173.194.67.94/0 gaddr 10.101.114.172/815 laddr 10.101.114.172/815
    Jul 11 2013 07:44:19: %ASA-6-302021: Teardown ICMP connection for faddr 173.194.67.94/0 gaddr 10.101.114.172/815 laddr 10.101.114.172/815
    A packet sniffer shows that hosts connected send DNS requests and never get anything back.
    How should I approach this issue from here?

    Hi,
    after some changes, the WLC can now reach the public DNS server.
    However, the hosts cannot do anything. (no nslookup, no ping)
    I removed web-authentication from the WLAN config to simplify troubleshooting, but even so, the result is the same.
    Host receives IP address and DNS server.
    When I do a packet tracer on the outside context, from the guest (wifi) segment to the DNS, I see the packet is dropped.
    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    my config is:
    object network Guest_wireless
    subnet 192.168.100.0 255.255.255.0
    access-list GUEST extended permit ip object Guest_wireless any
    access-list GUEST extended permit icmp object Guest_wireless any
    access-group GUEST in interface Guest_wireless
    interface GigabitEthernet0/3.2
    nameif Guest_wireless
    security-level 40
    ip address 192.168.100.254 255.255.255.0 standby 192.168.100.253
    object network Guest_wireless
    nat (dmz,outside) dynamic "public ip"
    Thanks

  • Can Teredo for Microsoft DirectAccess work in the DMZ of an ASA 5510?

    I'd like to find some way to get Teredo to work with our DirectAccess implementation.  To do that, the external facing NIC on the DirectAccess server needs to be configured with a routable public IP address.
    We have an ASA 5510 (running 8.3 (2)) that has switches on the Internal and DMZ interfaces, but connects directly to our Internet router through the External interface.
    So, I do not have a switch that will allow me to connect our DA server directly to the edge.  Short of buying a new switch and putting it outside of the firewall, I wanted to see if there was a way to configure the ASA so that Teredo would work in the DMZ.
    Our current DMZ has 2 barracuda devices (spam and web filters) using static NAT objects.  The IPs are all 192.168.x.
    Is there some way of getting the DirectAccess external interface to work in the DMZ with a public IP address (and our ISP's gateway) without mucking everything else up?  I've read about transparency mode, but I cannot figure out if that would affect our other devices.
    Thanks in advance!
    -Brad

    Hi. I'm not 100% sure.......... But I think with UAG service pack 1 or 2 you no longer require a publicly routable address for the external interface of the UAG server. You can now add the UAG server to your existing DMZ without affecting the addressing. Then you allow the Teredo tunneling traffic to the server.
    HTH

  • Server in the DMZ

    Hi,
    I want to install a new server in our DMZ that hosts iChat, a mail relay, Mobile Access and push. To get this up and running, I also need to connect the server to our Open Directory (for user authentication). The Open Directory servers are placed in the normal company network.
    On the firewall I opened all ports that are required for OD traffic (LDAP, LDAPS, KERBEROS, etc.) but I don't want to open AFP for some security reasons. I figured out that this makes the server unstable and slow, because it can't connect to the automounts (User, Library and Group shares).
    Is there a way to tell the server not to mount the automounts from the active directory?
    Thanks a lot!
    Andre

    Sputnik,
    Interesting, I am embarking on the exact same thing in fact. I don't have an answer for you as I'm just installing the OS now, but why the heck would AFP be required for simple Open Directory auth between Mobile Access Server and origin server(s) behind it? Makes no sense at all, and I will be wicked ****** if that is indeed the case. What makes you think AFP is the problem?
    Let's compare notes, as I'm a bit new to the Leopard server game, but have read much on Mobile Server and how this is supposed to work. My plan is to place the Mobile Access Server in the DMZ, maybe run push on it, and reverse proxy just web, address book, etc. etc. back through the firewall to the origin server.
    By the way, the iChat server you mention hosting in the DMZ...interesting thought there. Would the idea be that remote external users half way around the world could use the chat server and stay in touch? Sorry for the naive question, but my thought was how would they authenticate if they are not in OD? Or do they have to be for this to work with iChat server?
    Feedback appreciated. Cheers!
    Message was edited by: Some Dude

  • Add roles in the DMZ

    If I want to install an MP/DP/SUP in the DMZ, can I do so on workgroup machines or do they need to be a member of a domain? If I can install on workgroup machines, what settings do I need to set when adding the site? It is going to want an account to install the site...

    All CM roles have to be installed on machines that are domain joined.
    Torsten Meringer | http://www.mssccmfaq.de

  • VMware on the DMZ

    Hello,
    We are planning to have VMware ESXi  in the DMZ.
    Our DMZ sits between an external and internal firewall.
    Is it possible to use a single /24 network and have VMware segment the vSwitch with VLANs for each service, i.e. email, SharePoint, web etc., or do I have to create separate networks for each service?
    I just need some help and guidelines on best practices for having VMware on the DMZ.
    We are also looking at having Checkpoint Blade installed.  If we don't configure Vlans and segment services will the firewall be enough to take care of this ?

    Hi Jay, OK I think I understand the requirement here. Seems like you need a "transparent firewall" in the ESXi environment. (If possible, active/active transparent firewall, or two different transparent firewalls with the same or similar policy, which is overhead.)
    Essentially the transparent mode will bridge the different segments together, possibly different VLANs; on most occasions it is the same VLAN (all keeping the same IP addressing). All that is different is defining Zones per interface.
    From here you can define Zones. Since they are all part of the same bridge domain it doesn't matter about addressing; they can all be the same network. Think of it as still one VLAN, one network.
    Separating these out will allow you to create policies per entry point and per exit point; you have more granularity this way.
    You can either split these out to different vSwitches, or keep it on the same vSwitch with different VLAN assignments. But as I said, this ideally needs to be at the join points (e.g. in place of your Cisco switches; a transparent FW would be perfect for this scenario).
    Hope I understood the requirement.
    Bilal - CCIE 45032

  • SCCM 2012 R2 Secondary site server will support the DMZ Zone?

    We are planning for SCCM 2012 Migration, currently we have separate Primary server in DMZ.
    Kindly suggest what is the best method to deploy in the DMZ (separate primary or secondary or DP) because we have only 500 Client in DMZ.

    Hi,
    There is a blog talking about this error. You could try the method in the blog.
    To summarise, when installing SCCM 2012 SP1 secondary site on a pre-configured SQL 2012 instance, regardless of which SQL edition is being used, the “NT AUTHORITY\SYSTEM” account needs to be given securityadmin and sysadmin rights. If SQL Express is used, there are a few additional steps that need to be carried out to configure the SQL TCP connection, as documented in my previous blog:
    http://blog.tyang.org/2012/04/09/installing-sccm-2012-rtm-secondary-site-using-a-pre-installed-sql-express-2008-r2-instance/
    Installing SCCM 2012 SP1 Secondary Site with a Pre-Configured SQL 2012 Instance
    Best Regards,
    Joyce

  • Interaction and the DMZ

    I would like to configure Interaction in a manner where the Portal component and Image Service are placed within the DMZ and the other Interaction components/services in the intranet (private zone). Does anybody have any idea how the portal/image service will communicate with the backend services when they are on different servers? To put it directly, I would like to configure portal+image on one machine and the backend components on different servers. So how will they communicate, and what type of configuration is required, and where?

    You only need to install the main portal and image server components, not any of the peripheral things (studio/collab/search/etc). Although you will need images from each of those also, in which case you can copy them from an internal image server location, or just install the images components.
    When you go through the portal install it will ask for your portal database and make the connections that way.
    Some other configurations (API, database, properties, logging, analytics) are done via the Configuration Manager website in 10.3 or the portal/settings/config/config files on earlier versions.
    I don't think there are any documents that would walk you through this, although it's possible you'll find some references to it if you search the forum archives here. When you do the install you'll see that it is quite straightforward and things will work like magic.
    MukeshNegi wrote:
    Do I need to install complete interaction on both machine ( where I have portal+image and other components ) or only specific component ? Where or in which file I need to do the configuration on portal side so that portal on machineA will use services ( search, api, dr etc ) on machineB ? Is there any reference link on net ?

  • How do I install RD Web in the DMZ

    I have found a TON of information saying this can be done, however I have not been able to successfully deploy it.
    I have a working RDS Deployment inside my network with RD Web access coming in from the firewall. To comply with security policy, I need to deploy the web gateway to the DMZ. Here are some key notes:
    -There is a separate domain in the DMZ
    -There is a one-way trust between the DMZ and the inside domain. In other words, I can log into the DMZ with an internal domain account
    -I have a server in the DMZ that is joined to the DMZ and has full access to the inside network. Will be tightened down once I get it working.
    -I have enabled PS Remoting on all servers and added all internal servers to the Trusted Hosts list on the DMZ server, and added the DMZ server to the Trusted Hosts list on the internal servers.
    -I am able to connect a remote ps session to any internal server from the server in the DMZ
    WHAT I HAVE TRIED:
    1. Adding all internal servers to the server pool in the DMZ server. Hosts, Gateways, brokers, etc.
    2. Deploying RDS on the server in the DMZ with the RD Gateway and RD Web Gateway roles and then adding the internal domain hosts to the deployment.
    This fails with the following error:
    I have made sure that the internal domain admin group member that I am logging on with is a member of the local admins on the DMZ server.
    I have also made sure that I can ps remote back and forth between the internal and DMZ servers.
    As I have said I have read a LOT but have been unable to find any guides specifically for this deployment setup (which is supposed to be fairly common).
    Thanks in advance for the help.

    Hi,
    Here are some related articles below I suggest you refer to:
    [Forum FAQ] “Unable to connect to the server by using Windows PowerShell Remoting” error while installing RDS roles on Server 2012 R2
    https://social.technet.microsoft.com/Forums/en-US/42ad558c-79fe-4d6c-a352-53117ffc5147/forum-faq-unable-to-connect-to-the-server-by-using-windows-powershell-remoting-error-while?forum=winserverTS
    An Introduction to PowerShell Remoting Part Two: Configuring PowerShell Remoting
    http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/24/an-introduction-to-powershell-remoting-part-two-configuring-powershell-remoting.aspx
    about_Remote_Requirements
    https://technet.microsoft.com/en-us/library/hh847859.aspx
    Enable and Use Remote Commands in Windows PowerShell
    https://technet.microsoft.com/en-us/magazine/ff700227.aspx
    Enable PowerShell Remoting to Enable Running Commands
    http://blogs.technet.com/b/heyscriptingguy/archive/2010/11/16/enable-powershell-remoting-to-enable-running-commands.aspx
    Best Regards,
    Amy

  • Install separate OWSM in DMZ

    Hello!
    We want to install a separate WSM gateway in the DMZ to handle requests from the internet. We have a complete SOA Suite install with WSM on the internal network. I have found a description of how to do this on http://ws-security.blogspot.com/2007/12/how-to-1013-owsm-setup-gateway-with.html. Here, they state that an OC4J 10.1.3.1 is needed to install OWSM on. Regarding this I have two questions:
    1: Where can I download OC4J 10.1.3.1.0? I find only versions 10.1.3.3.0 and 10.1.3.4.0.
    2: In the WSM install guide, it says that Oracle Application Server 10g (10.1.3.1.0) is required, as opposed to "OC4J" in the guide above..
    Does anyone know of an "official" Oracle description of how to do this?
    Many thanks in advance :)

    A) An advanced SOA Suite install is performed, choosing only the J2EE server option.
    B) An advanced Web Services Manager install is performed, into the ora_home from A).
    C) The WSM components ccore, coreman, policymanager and gateway are seen from /em-console.
    We are thus on step 3 of this procedure:
    http://ws-security.blogspot.com/2007/12/how-to-1013-owsm-setup-gateway-with.html
    but when trying to access the Web Services Manager Control console (http://<host>:<port>/ccore) to reconfigure the WSM gateway, the error message is
    404
    Resource /j2ee/ccore not found on this server
    Any idea why the WSM console is not available even though the WSM components are running?
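As an added example, not code from any of the threads above: a small parser for the ASA 302014/302020/302021 syslog lines quoted in the printer and wireless-guest threads, with a helper that attributes a TCP Reset-I/Reset-O teardown to the end host that sent the reset (the reading Luis gives) and flags whether NAT was applied to the ICMP connection. Treating the ODC-FW nameif as the inside interface and the extra Reset-O line are assumptions made for the sample.

```python
import re
from typing import Optional

# Constructed sample: the ASA messages quoted in the printer and wireless-guest
# threads above, plus one made-up Reset-O line so both reset directions are seen.
SAMPLE_LOG = """\
%ASA-6-302014: Teardown TCP connection 3842514 for DMZ:172.19.48.207/80 to ODC-FW:10.132.123.19/1810 duration 0:00:06 bytes 711 TCP Reset-I
Jul 11 2013 07:44:17: %ASA-6-302020: Built outbound ICMP connection for faddr 173.194.67.94/0 gaddr 10.101.114.172/815 laddr 10.101.114.172/815
Jul 11 2013 07:44:19: %ASA-6-302021: Teardown ICMP connection for faddr 173.194.67.94/0 gaddr 10.101.114.172/815 laddr 10.101.114.172/815
%ASA-6-302014: Teardown TCP connection 4000001 for outside:203.0.113.5/443 to ODC-FW:10.132.123.19/50321 duration 0:00:01 bytes 0 TCP Reset-O
"""

# 302014: Teardown TCP connection <id> for <if>:<ip>/<port> to <if>:<ip>/<port>
#         duration <h:mm:ss> bytes <n> <reason>
TCP_TEARDOWN = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>\d+:\d\d:\d\d) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)
# 302020/302021: Built|Teardown [inbound|outbound] ICMP connection for
#         faddr (foreign host) gaddr (translated address) laddr (real local address)
ICMP_CONN = re.compile(
    r"%ASA-\d-(?P<msgid>30202[01]): (?P<action>Built|Teardown) (?:inbound |outbound )?"
    r"ICMP connection for faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) "
    r"gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+) laddr (?P<laddr>[\d.]+)/(?P<lport>\d+)"
)


def duration_seconds(text: str) -> int:
    """Convert the h:mm:ss duration field to seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_line(line: str) -> Optional[dict]:
    """Parse one 302014/302020/302021 message; return None for any other line."""
    m = TCP_TEARDOWN.search(line)
    if m:
        ev = m.groupdict()
        ev.update(msgid="302014", proto="TCP", conn=int(ev["conn"]),
                  src_port=int(ev["src_port"]), dst_port=int(ev["dst_port"]),
                  bytes=int(ev["bytes"]), seconds=duration_seconds(ev["duration"]))
        return ev
    m = ICMP_CONN.search(line)
    if m:
        ev = m.groupdict()
        ev["proto"] = "ICMP"
        # gaddr is the post-NAT address; equal gaddr and laddr means no translation
        # was applied, which is what the wireless-guest thread's ping shows.
        ev["nat_applied"] = ev["gaddr"] != ev["laddr"]
        return ev
    return None


def parse_log(text: str) -> list:
    """Parse every recognised line of a syslog excerpt, skipping the rest."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def reset_origin(ev: dict, inside_ifs: set) -> Optional[tuple]:
    """For a TCP teardown ended by a reset, return (ip, port) of the host that sent it.

    Reset-I means the reset came from the inside (higher-security) side and Reset-O
    from the outside; which nameifs count as inside is supplied by the caller, since
    the log carries no security levels (for the sample we assume ODC-FW is inside).
    """
    if ev.get("proto") != "TCP":
        return None
    ends = [(ev["src_ip"], ev["src_port"], ev["src_if"] in inside_ifs),
            (ev["dst_ip"], ev["dst_port"], ev["dst_if"] in inside_ifs)]
    if ev["reason"] == "TCP Reset-I":
        hits = [e for e in ends if e[2]]
    elif ev["reason"] == "TCP Reset-O":
        hits = [e for e in ends if not e[2]]
    else:
        return None  # FIN, timeout, etc.: no reset to attribute
    return (hits[0][0], hits[0][1]) if len(hits) == 1 else None
```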
