Policy Execution Questions.

Hi,
I have a question regarding policy evaluation.
1. Policy Evaluation at the end of task sequence.
Am I correct in thinking that at the end of an OSD task sequence the SCCM client
will initiate a full policy request (user and machine) as soon as the task sequence
finishes?
2. Policy randomizer.
Also I think there is a policy randomizer so it ensures that policy does not start
executing at the same time. If so can I get some more details on it. If it does
come in is there something that I can look in the logs so I know that the
client and know for example each policy cycle might be at 15 minutes into the hour.
So I am not sure how these two factors come into play - as my assumptions might
be off on this.
So if I could get a bit of clarification/elaboration.
Thanks,
Ward

#1: yes, but only machine policies (retrieving user policies without a user being logged on does not make sense though, but user policies will be retrieved as soon as a user logs in)
#2: that does not exist to my knowledge, but there's "deadline randomization":
http://technet.microsoft.com/en-us/library/gg682067.aspx#BKMK_ComputerAgentDeviceSettings
Torsten Meringer | http://www.mssccmfaq.de

Similar Messages

  • EAP-TLS client security policy enforcement question using ISE

    Hi Experts ,
    I have remote site connected to HQ wireless controller and cisco ISE used as RADIUS server . I am using EAP-TLS authentication method where client will validate the server certificate and server will validate the client certificate.
    I am using EAP-TLS and machine authentication.
    In case of server certificate installation using internal PKI (Root CA) server, I am quite clear that we can create certificate in ISE and can be signed by CA which will be used for EAP-TLS as well. However, I am trying to understand the client certificate installation.
    how does client gets certificate from CA. is there any mechanism used by AD to import the certificate automatically to all the clients ?
    and more important is , which certificate will be installed on client machines. Do we need to create certificate first from CA and save in repository and later can be installed same to client machines .... Sorry it could be microsoft AD related question however i am pretty sure that since we as a wireless techie , need to know even client side configuration.
    This is all about certificate installation . how about entire security policy which is used for EAP-TLS ?
    how will client wireless network adapter properties automatically configured with same SSID which is configured with EAP-TLS along with certificate validation ?
    I am not sure ... will it get pushed through AD ? how will it happen ?
    It would be really helpful if someone could put light on this ..

    Hello Vino,
    Some answers below :
    > how does client gets certificate from CA. is there any mechanism used by AD to import the certificate automatically to all the clients ?
    You have templates in the certificate authority to user or machine certificate and you can apply these certificates to a group of machines or users using GPO in the Windows Server 2008.
    It can be automatically because the machine can get it using GPO from domain and after can authenticates using 802.1X using these certificates received from this policy.
    If you want a user certificate and get it manually you can access the CA too using the URL https://X.X.X.X/certsrv and request manually the user certificate using your domain credentials and install manually to authenticate using EAP-TLS with this user certificate.
    In the Cisco ISE Side it needs to have a local certificate from the same client CA or from another CA and the Cisco ISE needs to trust in the clients CA Issuer to accept the client certificate and allow this one to access the network.
    In the client side the same happens, the client needs to trust in the Issuer CA for the Cisco ISE certificate to validate ISE certificate and get access to the network.
    > and more important is , which certificate will be installed on client machines. Do we need to create certificate first from CA and save in repository and later can be installed same to client machines .... Sorry it could be microsoft AD related question however i am pretty sure that since we as a wireless techie , need to know even client side configuration.
    If you have a Windows Server with GPO and a CA configured you can use some templates to apply automatically a machine certificate or user certificate to a group of machines or user, in the case of machines it can be get from the domain using GPO and in the case of user certificate it can be get manually or using GPO too.
    > This is all about certificate installation . how about entire security policy which is used for EAP-TLS ?
    The EAP-TLS is the most secured method to use to authenticate devices in the network because you have certificates and you have trusted certificate authority that you trust and only devices that have certificates from these CAs will be allowed to access the network.
    Another method very secured is EAP-FAST with machine and user certificate that the ISE will validate both the machine and user certificate before allow this one to get access to the network.
    > how will client wireless network adapter properties automatically configured with same SSID which is configured with EAP-TLS along with certificate validation ?
    You can apply it too using GPO in the Windows Server to a domain machine but when you have a machine that is not a domain machine you can use a user certificate to authenticate this one and need to install manually the user certificate in that machine to authenticate the user to wireless network and create SSID specifying the policy that is EAP-TLS.
    Remember that client machine needs to have the CA issuer for the Cisco ISE certificate to trust in the Cisco ISE and get access to the network and the opposite too (ISE needs to have the CA Issuer to trust in the client)
    I hope it helps.

  • Fundamental ACL & Service Policy related questions

    Hi All,
    apologies in advance for seemingly stupid questions but I was forced to ask them as I have ALWAYS had great difficulty in using debug on Cisco platforms. Nothing ever shows up when I set up debug despite configuring "logging console" and setting the level to 7 etc. I have no clue why that is and if it's because all debugging messages go to the debug log instead of being printed on the console, or what it is...I just don't get it. When I'm saying logging console...please print it on the console! Anyway, that rant aside...
    I have a VERY simple topology like so
                                                A few servers in this VLAN
    ISP <---> 3560G (Physical Routed Port) <--> SVI (VLAN)
                                                ASA5520 <--> Internal VLAN
    With regards to ACLs and their direction, when an ACL is applied to a physical port (or in cases where QoS is enabled and a service-policy) is applied to either a routed physical port on the 3560, saying that the policy is applied in the "in" direction (or 'input' in case of service-policy) does that mean 'inbound' in either direction? As in IF that routed port is my direct connection to the ISP, and I set up "ip access-group myacl in" (or service-policy input myPolicymap) ...will that be applicable if the traffic enters that port from the ISP side OR from the internal network side, or "IN" for it is always JUST the ISP side because it's assuming that all traffic generated from inside the network going out to the Internet is implicitly allowed UNLESS an ACL somewhere in the network restricts that?
    then, in case of an SVI...I believe just like the physical routed port, I can ONLY implement an "Inbound" ACL on this as well. So when I implement either a Hierarchical policy-map or just an access-group "in", then what is "IN" ...traffic entering this VLAN from the internal network and those public servers going out to the Internet AND Traffic entering this VLAN from the ISP/Internet via the physical routed Port OR is it JUST the latter, or is it just the former?
    Now Lastly, when I have the physical ports to which the ASA and each of those physical servers are connected to sitting on the public VLAN, if I apply port-based ACLs or service-policies to them, then again, what direction is the "IN" ACL applied? Both? i.e. traffic coming into it from the public servers and the Internal network through the ASA, and the Internet OR just the traffic coming into it from the Internet, but the traffic going out from the servers to the Internet is not subjected to this ACL or service-policy
    Again, very sorry for a dumb question but I'm seeing bizarre things in my network so was just wondering before I decide on what kind of security I want to plan/design
    Thanks in advance

    The mystical difference between debug output going to the console versus showing up in syslog is "logging debug-trace".  On goes to syslog, "no logging debug-trace" goes to console.  I've been bit by this one myself.
    ACLs on physical ports have directionality like the cable plug: "in" is from the cable entering into the switch or firewall, "out" is leaving the device to run along the cable to somewhere else.  On Catalyst switches port ACLs are inbound (receiving packets) only.  Obviously, on directly connected devices, one device's out is the other device's in.
    ACLs on SVI's depend on whether you are running a base image or services image; services images can do IPv4 and IPv6 in both directions.  However, port ACL's trump routed ACL's; if both exist, the port ACL is the only one applied.  I think if a directly connected port has no port ACL, no ACL is applied at all; routed ACL's on SVI's only apply to transitions between VLANs inside the switch, not to traffic entering physical ports.
    -- Jim Leinweber, WI State Lab of Hygiene

  • ISE policy creation question - best practices

    Ok, I am a rookie ISE user here and am trying to learn as I go. I have a 802.1x policy for our corporate users on both wired and wireless and a wireless guest policy that redirects to the guest portal to enter credentials created in the sponsor portal. The corporate user has access to corporate resources and the guest basically has access to just the internet.
    I need to make what I am calling a Vendor policy that is basically a hybrid of the corporate user and the guest user. These would be vendors that are on-site to assist with programming and need access longer than what the guest account can be created for. This would also have specific ACLs that grant them access to the specific resources they would need. I would like to tie this into AD authentication since they have an AD account created to be able to access those corporate resources in most cases. My first question is do I have a single policy that is tweaked as vendors come and go or do I simply create a specific policy for each vendor? My second question is do I or should I create unique SSIDs for each vendor?
    As I said I am just now getting into getting ISE configured. I am just not sure of what is considered a best practice or what is considered a secure way to make things happen. In regards to the policies I have created, they work but I think I have a couple holes to address.
    Thanks ...
    Brent

    Mostly makes sense. I have the AD part just need to get an AD group created for my test subject.
    I created an Endpoint Identity Group to place the vendors devices into so that we can allow laptop to connect but not phone. Got that.
    I think I can handle the Authorization Profile. It will be something like if VendorAsset and AD1:ExternalGroups Equals VendorADGroup then VendorPermissions. VendorPermissions would be the ACL that limits where they can go. I also need to create a non 802.1x based SSID as well and add this to the Authorization profile but can still be generic enough to be useable by all vendors.
    I think it is my Authentication rules that I need to modify for Vendor as my Corporate based policies use Dot1x and I need a policy that does not use dot1x. Right?

  • Policy updating question

    I've got a ZFD User Policy Package that does a GPO to windows XP
    It points to a \\server\something\directory
    I know that normally unless you go and "edit" that GPO, the workstation/ZEN won't reinstall (probably not the proper term) policy again (we have "caching" enabled)
    The question I have is this:
    Does ZEN look at the eDir object to determine if it's been updated or does it look at the GPO files themselves to determine the update?
    So let's say I have 30 ZEN policy objects and each one points to the same policy files, just that the files are on diff. file servers (we replicated/sync via taskmaster/rsync currently)
    I'm just wondering if I need to trigger the update on one of them (so it'll update the files on the server which then replicates everywhere) or if i have to "touch" each ZEN Policy package edir object.

    > Does ZEN look at the eDir object to determine if it's been updated or
    > does it look at the GPO files themselves to determine the update?
    It only looks for the timestamp on the eDirectory policy object and compares
    that with the timestamps here:
    HKLM\Software\Novell\Workstation Manager\Group Policies\User and
    Workstation.
    > So let's say I have 30 ZEN policy objects and each one points to the
    > same policy files, just that the files are on diff. file servers (we
    > replicated/sync via taskmaster/rsync currently)
    >
    > I'm just wondering if I need to trigger the update on one of them (so
    > it'll update the files on the server which then replicates everywhere)
    > or if i have to "touch" each ZEN Policy package edir object.
    Either touch each policy package or do what I do (I have a similar
    environment but use ZSM7 instead) an Application Object that deletes the
    User or Workstation entry.
    Regards
    Rolf Lidvall
    Swedish Radio (Ltd)

  • Another OAM 10g policy evaluation question

    I have a policy with authz expression= Rule A & Rule B & Rule C:
    Rule A:
    Allow: ldap_attr_1 = X
    Deny: no one is denied
    Allow precedes denial: true
    Authz failure redirection URL: URL1
    Rule B:
    Allow: ldap_attr_2 = Y
    Deny: no one is denied
    Allow precedes denial: true
    Authz failure redirection URL: URL1
    Rule C:
    Allow: anyone is allowed
    Deny: ldap_attr_3 = Z
    Allow precedes denial: false
    Authz failure redirection URL: URL2
    My user profile has ldap_attr_1=X, ldap_attr_2=Y, ldap_attr_3=Z, I expect access to be denied based on Rule C and user redirected to URL2. Instead I see authorization = Inconclusive and Rule=<not found>.
    If user has ldap_attr_1=X, ldap_attr_2=Y and NOT ldap_attr_3=Z I am getting correct evaluation - user is authorized.
    Any ideas how to make this working? Basically I want user to be redirected to the URL that is defined in the rule that caused denial.
    Thanks,
    Alex

    Hi Colin,
    Here's what I have:
    Authz Rule: Rule1
    Access allowed: Any one
    Access denied: ldap rule (attr=value)
    Allow takes precedence: false
    Actions: redirect to URL1 on denied
    You can use any attribute and any value, i am using my custom attribute. Then I protect a resource /myresource with policy Policy1 that only has this rule. Set up attr=value and access tester shows redirection to URL1. Now 2 more rules:
    Authz Rule: Rule2
    Access allowed: ldap rule (o=org)
    Access denied: no one is denied
    Allow takes precedence: true
    Actions: no actions
    Authz Rule: Rule3
    Access allowed: ldap rule (title=title)
    Access denied: no one is denied
    Allow takes precedence: true
    Actions: no actions
    And Policy2 has authz expression Rule2 AND Rule3 AND Rule1. And Policy2 has action: redirect on authorization inconclusive to URL2. My user's profile has o=org, title=title, attr=value. Access tester shows redirection to URL2.
    Thanks,
    Alex

  • Cisco Nexus 5ks EIGRP and Policy routing question.

    We just got installed a METRO LINK between our primary and secondary data center (Site-A <> Site-B) I would like to be able to route data replication between these two sites over that link, instead of going over MPLS.  We run EIGRP internally and BGP to the MPLS (typical scenario)
    At first I thought about doing ‘Policy Based Routing’ with IP SLA to be able to track and route traffic coming from the 10.10.10.0/24 bound to 10.11.11.0/24 and track link state with IP SLA in case the metro link would go down;  data replication would continue to flow over MPLS.
    In researching this, I found out that Cisco NX-5ks and 6Ks don’t support IP SLA and there is no telling if they will support it any time in future releases either.
    I haven’t turned on routing (EIGRP)  between the two 5ks over the metro link yet. 
    Also, I don’t want to statically route replication traffic over the link unless I have to. It would have to  be a manual change in case I need to re-route it over the MPLS.
    See attached drawing
    Any help would be greatly appreciated.
    Marramix01 

    can you calculate the metrics of the two different links for EIGRP? 
    Once you have that you would know which one EIGRP would say is the best path. Then if the MPLS link is not the primary path then you can use Offset-list to force the traffic to and from subnets and still have failover with EIGRP. 
    I hope I understood your problem correctly. 

  • Group policy adm question

    Hey there,
    I am bit stuck on a group policy thingy. :)
    When I edit my group policy in c1, I see all of my policies including all those custom ADM files that I added to both the user and computer policies. Everything looks good.
    However, when I go to a workstation and run the gpedit.msc all I see are the standard policies and none of the custom ADMs. Along with that, it looks as if none of my custom adm settings actually apply.
    We have a small ADM from Energy star that turns off a non-logged in PC after 30 minutes. Worked last year, not this year.
    Any ideas?
    Tom

    Tom,
    try this "Computer Configuration,Administrative Template, then for
    Windows2000 you must click Views, then uncheck "Show Policies Only",
    and for XP, View, Filtering,and then uncheck "Only show policy settings
    that can be fully managed"."
    Shaun Pond

  • IPSec tunnel and policy NAT question

    Hello All!
    I have a router acting as VPN gateway on my end and I need to implement NAT translations on my IPSEC tunnel as follows:
    1. I need to translate incoming IP address of the remote end of IPSec tunnel to some other IP address on our end
    2. I need to translate outgoing IP address of our end of IPSec tunnel to a different IP address
    I have implemented following configuration, but for some reason it is not working, I get packets decrypted on my end, but don't have packets encrypted to send to the other end.
    Here is the configuration
    Remote end crypto interesting ACL:
    ip access-list extended crypto-interesting-remote
     permit ip host 192.168.1.10 host 10.0.0.10
    My end configuration:
    interface GigabitEthernet0/0
     ip address xxx.xxx.xxx.xxb yyy.yyy.yyy.yyy
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
     crypto map VPN
    ip access-list extended crypto-interesting-local
     permit ip host 10.0.0.10 host 192.168.1.10
    interface GigabitEthernet0/3
     ip address 172.16.0.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     speed auto
    ! to translate local IP address to the one on the crypto-interesting list - exposed to the remote peer - it works
    ip nat inside source static 172.16.0.20 10.0.0.10
    ! to translate remote IP address to some other IP address on our end - not working - I get packets decrypted, but no packets encrypted
    ip nat outside source static 192.168.1.10 192.168.168.10
    ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
    ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxa
    All the routes are set, crypto ipsec tunnel is up and working and I am wondering if this is possible to achieve two-way NAT translation ?
    Any response highly appreciated!
    Thanks!

    Figured that out.
    The problem was in route
    ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
    should be next-hop IP address instead of interface gigabitethernet0/0
    Apparently packet arrives on the interface but does not pass it, when having route like this, because there is no one sitting with 192.168.168.10 ip address on the outside

  • XP group policy no applying

    Hi all: This has me scratching my head. We run ZCM 11.2.2 mu2 on all servers and workstations. The primary server is on an OES2 SP3 box while all clients run Windows XP sp3, ZCM 11.2.2 mu2 and the Novell client.
    I have a particular group of users which has two policies assigned to them. The first is a user-associated Windows XP user Group Policy, and the second is a Windows XP Workstation computer policy. ZENworks adaptive agent shows them as successful.
    The policy in question is a Windows XP User Group Policy. When I run rsop.msc, the resulting GP set clearly shows none of the user group policy settings present, but as stated above, the adaptive agent does show them as successful. The only thing I can think of is that the user group policy is being over-written by another policy. In the past there was a setting make sure the user policy was applied last.
    Any suggestions on how to fix this? Thanks, Chris.

    Originally Posted by Chris
    > Hi all: This has me scratching my head. We run ZCM 11.2.2 mu2 on all servers and workstations. The primary server is on an OES2 SP3 box while all clients run Windows XP sp3, ZCM 11.2.2 mu2 and the Novell client.
    > I have a particular group of users which has two policies assigned to them. The first is a user-associated Windows XP user Group Policy, and the second is a Windows XP Workstation computer policy. ZENworks adaptive agent shows them as successful.
    > The policy in question is a Windows XP User Group Policy. When I run rsop.msc, the resulting GP set clearly shows none of the user group policy settings present, but as stated above, the adaptive agent does show them as successful. The only thing I can think of is that the user group policy is being over-written by another policy. In the past there was a setting make sure the user policy was applied last.
    > Any suggestions on how to fix this? Thanks, Chris.
    The setting is still there, when you assign the policy in step 2 it will ask the following:
    Specify how policy conflicts should be resolved.
    User Last - device associated policies applied first followed by user associated policies
    Device Last - user associated policies applied first followed by device associated policies
    Device Only - user associated policies ignored
    User Only - device associated policies ignored
    Thomas

  • Group policy printer settings

    When using Group policy computer configuration control panel settings \printers you can specify both an IP address port and a path to the print server.  Are these connections for local TCP\IP printers or for network print server printers?  I am not sure why I would have to specify path to server if they were local TCP\IP printers or vice versa (specify IP address if they are only network printers).

    The best spot for Group Policy Preferences questions is in the Group Policy forum
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverGP&filter=alltypes&sort=lastpostdesc
    However, since they included this print related setting I do know what you are asking about.
    The share is used to get the print driver installed on the client for adding the local printer.  This will not work if you use type 4 print drivers since the drivers are not downloaded to the clients and the GPP printing scenario falls apart here.
    I totally agree with you that this is confusing, however, as a print server admin, what I would do is create one share for each print driver that you need to install on the clients.  If you have 80 printers that can use the same driver, create one share
    and just update the GPP data with the IP for the specific device.
    I would not use a print server to act as a software distribution point if the number of clients on your network is less than 100.  Setup a Win7 or Win8 machine with the shares. 
    Alan Morris Windows Printing Team

  • Why are Windows 'APP's so much harder to code than a Windows Forms application?

    For example I have been smashing my head against a wall trying to save an image file from a share target, the best help I can find is the below code:
    https://social.msdn.microsoft.com/Forums/en-US/65a61679-0da8-4109-8a69-b918be351dfa/how-to-save-a-bitmap-image-from-a-share-target?forum=winappswithcsharp&prof=required
    But in a 'normal' application I can do what I need to do with:
    using System;
    using System.Drawing;
    namespace Project1
    {
        class Class1
        {
            static void Main()
            {
                // Load the existing image and write it back out under a new name
                Image photo = Image.FromFile("C:\\Temp\\oldphoto.png");
                photo.Save("C:\\Temp\\newphoto.png");
            }
        }
    }
    Why do the APPs take so much more code to do something like save a file to disk?
    Mediocre Access 2010 | (Baby) Beginner C Sharp | OK at Active Directory (2012) | Fragmented understanding of DNS/DHCP | Laughable experience with Group Policy | Expert question asker on MSDN Forums

    It is a good question!
    If you need 100 lines of code to save an image it is like a Java program:
    - complicated
    - not fun to develop with
    I think the main problem is that Microsoft releases 2 new libraries each year. In most cases, if you try to compile it with an old library it works, but the app crashes with unexpected errors. It is always harder to develop for Windows and there are always more libraries to use.
    So it began to be normal, to find a W8-store-app-library and use it in Silverlight, to add missing functionality.
    It is a jungle and it seems that Microsoft too doesn't know anymore what library should be in the msdn-help. Some times, if you search for something, you finish on a library that can't be added to your project.
    This is the reason, because your question will probably never be answered!

  • Printing blank lines in IE 8, 9, 10 and 11 differs

    We have Credit Reports that are put in Iframe (and hidden fields) and when the user checks which ones they want to print, we take the hidden fields and populate one Iframe to print them all from.
    Problem is, IE 8 prints fine, IE 9 removes many of the blank lines that used to be there and IE 10 pretty much removes all blank lines.  IE 11 seems to work ok though.
    While IE 8 is being deprecated, IE 9 & 10 are still our majority users and I am trying to find a solution for them.
    Is there something other than an iframe I should be using?
    Here is the code:
    // Concatenate the hidden report fields for every checked tab
    for (count = 0; count <= intCounter; count++) {
        var tabChecked = $get(printTab[count]);
        if (tabChecked.checked == true) {
            var hdnPrintFieldName = "hdnPrintFieldName" + count;
            var doc = document.getElementById(hdnPrintFieldName);
            appendReports = appendReports + doc.value;
        }
    }
    // Write the combined reports into the print iframe and print it
    var printDoc = appendReports;
    parent.iframeprint.document.open();
    parent.iframeprint.document.write(printDoc);
    parent.iframeprint.document.close();
    parent.iframeprint.focus();
    parent.iframeprint.print();
    The report even looks different in the presented iframe (tabbed) in the various IE versions, though sometimes not exactly the same as the printed version in the same IE.
    Cliff

    Hi,
    IE8 doesn't understand textNodes that are white space. the firstChild property is affected by any white space preceding the Node.
    use
    &nbsp;<br/>
    instead of
    the above is a blank line.. (white space).
    ensure that your external stylesheet links have a media attribute. Normally one would use a print only stylesheet (media='print') to show/hide visual elements when printing.
    eg.
    @media print {
        #divCopyright {
            display:block;visibility:visible;}
    }
    @media screen {
        #divCopyright {
            display:none;visibility:hidden;}
    }
    Post questions about html, css and scripting for website development to the IE Web Development forum.
    http://social.msdn.microsoft.com/Forums/ie/en-US/home?forum=iewebdevelopment
    Include with your questions a link to your website or a mashup that shows the issue.
    Questions regarding Internet Explorer 8, 9 and 10 and Internet Explorer 11 for the IT Pro Audience. Topics covered are: Installation, Deployment, Configuration, Security, Group Policy, Management questions. If you are a consumer looking for answers or to
    raise a question, it's highly recommended you head on over to http://answers.microsoft.com/en-us
    Rob^_^

  • IE not using some CSS or JS files, some of the time..

    I'm working with a client trying to solve a problem that just started on a site I built for her.  The problem started about three weeks ago.
    It's a really simple ASP.NET site: http://nancyjoart.com/  One master page loads a common CSS bundle and JS bundle on all pages, however I used to have then unbundled and only bundled them to try to limit the
    problem.  It didn't work, but I left the bundles as they do speed the site up.
    One machine on her network constantly fails, a surface pro 2, Windows 8.1, IE11, all updates installed.  Short story:  On four pages, two public and two privately accessed, IE doesn't apply a CSS or run the javascript in the bundle.
    Here are the two public pages that fail:
    http://nancyjoart.com/default.aspx and
    http://nancyjoart.com/gallery.aspx
    If the NAV bar at the top has blue links instead of grey/black, the CSS didn't load.  If the page has no art and shows the loading GIF, or no images, the JS didn't load.
    Now the fun and amazing part: the CSS that doesn't work on these four pages, is successfully used and works on every other page.
    The CSS and JS files do actually get requested and downloaded by IE, as evidenced by a Network Monitor trace session and the F12 tools, but don't get applied (CSS) or loaded(JS) on these pages.
    Now it gets weirder:  I can run the site fine on my Surface RT and my Pro2 from anywhere else without fail.  However, if I'm on her wifi - only half the time I can't get the scripts to run or that one CSS to apply.  I press CTRL+R and
    they work fine when the page reloads, but only half the time.  In fact, it took me about a half an hour to experience the failure.  Once it happened, my dev machine would exhibit the problem, then it would work, then it would fail.
    In terms of the JS - When it fails, the debugger indicates a class isn't found.  IE has parsed and downloaded that JS file, and shows the file in the debugger file list dropdown  - but doesn't seem to use it.
    Even more odd, the request and responses all appear to happen quickly, all have 200 OK/Success results and the request and response headers look completely normal.  I've even saved the JS file itself and binary compared it to what I have on the server,
    and it matches, so it isn't somehow getting mangled in-transit.  Even more odd than this little oddity is that once the files are requested and "fail", even if you switch to a cellular connection, the next page loads, and IE doesn't NOT load
    the files correctly either.  CTRL+R eventually will get it to work on this new connection type though.
    Other things I've tried:
    Works on her wifi on: iPhone, Windows Phone 8.1, Windows Phone 8, Windows Phone 7, BlackBerry (Bold and PlayBook) and her Windows 7 desktop. I've put Firefox on her machine, and it works fine every time. Anything in this list never fails, ever, except IE11 on the Surfaces.
    Her Surface is pretty much OOB in terms of apps. Just Modern apps installed.
    My Surface Pro 2 dev machine is OOB too, used daily for development. Again, site works everywhere but her wifi.
    Minifying the CSS or JS doesn't seem to help.
    Chkdsk reports nothing.
    Windows Defender is the only AV installed.
    All Windows updates are installed.
    Bundling the CSS and JS with WebGrease didn't help.
    I've reset the IE advanced settings, security settings, cleared the cache, tried InPrivate, tried making it trusted; nothing worked.
    Even reset the wifi router.
    She reports other websites all work fine. (** caveat: not sure how complicated these sites are, or how frequently she does this...)
    Does anyone have any suggestions that they'd try next if they were in my sad shoes?
    Darin R.

    Hi,
    F12 > Networking tab: click the Start button, then refresh the page to view request/response timings.
    http://nancyjoart.com/api/art/ThumbImage/fb958270-8c20-46e9-9adf-05ef6990ec85/250
    Key Value
    Response HTTP/1.1 200 OK
    Cache-Control public, max-age=36000, s-maxage=36000
    Transfer-Encoding chunked
    Content-Type text/html
    Server Microsoft-IIS/8.0
    X-AspNet-Version 4.0.30319
    X-Powered-By ASP.NET
    Date Wed, 20 Aug 2014 02:34:12 GMT
    You are sending back the wrong mime-type, and it appears that you are not using response.close after streaming back the image in your ASP.NET code behind.
    Open a new window in IE... copy and paste
    http://nancyjoart.com/api/art/ThumbImage/fb958270-8c20-46e9-9adf-05ef6990ec85/250
    in the address bar... the image loads but the document.readyState does not reach loaded. There is no EOF in the response body and it is served as text/html, not image/jpg.
    Ensure Internet Options>Security tab, click "Reset all zones to default"... (IE has security settings for mime types) and also that Tracking Protection is turned off for the site (Tools>Tracking protection).
    Also, the defer attribute on the <script> tag only applies to script tags with a src attribute... validate and correct your markup errors at validator.w3.org.
    Post questions about html, css and scripting to the IE Web Development forum. Include with your question a link to your website or a mashup that shows the issue.
    Questions regarding Internet Explorer 8, 9 and 10 and Internet Explorer 11 for the IT Pro Audience. Topics covered are: Installation, Deployment, Configuration, Security, Group Policy, Management questions. If you are a consumer looking for answers or to
    raise a question, it's highly recommended you head on over to http://answers.microsoft.com
    Rob^_^
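
The mismatch pointed out in the reply above (an image body served as text/html) can be checked mechanically. This is an added example, not code from the thread: the function names and the sample JPEG bytes are constructed for illustration, and the header rows are the ones quoted in the reply.

```python
# Header rows as quoted in the reply above ("Name value" per line).
HEADER_DUMP = """\
Response HTTP/1.1 200 OK
Cache-Control public, max-age=36000, s-maxage=36000
Transfer-Encoding chunked
Content-Type text/html
Server Microsoft-IIS/8.0
"""
# Constructed sample: the first bytes of a JPEG/JFIF file, standing in for the body.
SAMPLE_BODY = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01"

# Leading magic bytes for the image types a thumbnail endpoint commonly serves.
MAGIC = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
]


def parse_header_dump(dump):
    """Turn 'Name value' rows (F12 export style) into a dict with lower-cased names."""
    headers = {}
    for line in dump.splitlines():
        name, _, value = line.strip().partition(" ")
        if name and value:
            headers[name.lower()] = value.strip()
    return headers


def sniff_image_type(body):
    """Return the MIME type implied by the body's magic bytes, or None if unknown."""
    for magic, mime in MAGIC:
        if body.startswith(magic):
            return mime
    return None


def check_response(dump, body):
    """List mismatches between the declared Content-Type and the actual bytes."""
    headers = parse_header_dump(dump)
    # Drop any parameters such as "; charset=utf-8" before comparing.
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    actual = sniff_image_type(body)
    findings = []
    if not declared:
        findings.append("no Content-Type header")
    elif actual and declared != actual:
        findings.append(f"declared {declared} but body is {actual}")
    return findings


if __name__ == "__main__":
    for finding in check_response(HEADER_DUMP, SAMPLE_BODY):
        print("MISMATCH:", finding)
```
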

  • IE 9 - can't sign in to eBay (every other site works fine, as before)

    I can't sign in to eBay from my main computer; I can get to the main eBay website (www.ebay.com) and I can get to the sign-in page, but when I enter my user ID and password, eBay displays an error page and returns immediately to the sign-in page. The error page flashes by so quickly I can't read it, although I have tried probably 30 times or so to catch enough of the words to determine at least the subject of the problem. I've cleaned out the cache, including all cookies; I've added several eBay pages to trusted sites, I've tried it with security levels set on lowest setting, and checked everything I know and still no results. I've also contacted eBay and done everything they suggested (which was actually very little), still with no success. eBay is not listed as a blocked site.
    We have a laptop which accesses from our home Wi-Fi network, and on it I am able to sign in just fine. Also, with Mozilla Firefox I am able to sign in just fine. So there is some small setting on my main computer that is preventing me from signing in. I've searched all of the Tools - Internet Options tabs and settings, and can't find out what may be preventing my access. Pop-up blockers are off, both in IE9, Google, etc.
    Every other website I've visited since this began happening works fine. The problem began when I downloaded the latest updates from Windows Update about 3 or 4 days ago. My IE9 is completely up to date, I use Windows 7 and ESET security software. Nothing has changed in my software or in how I access eBay except for the latest Windows updates. Please advise; thank you.

    Hi,
    Tools>Internet Options>Security tab, click "Reset all zones to default"
    Trusted Sites icon, 'Sites' button... remove eBay from your Trusted Sites list..... websites work just as well in the (default) Internet Zone.
    Create separate Windows accounts for each user that shares your computer, so that nothing is changed on your Windows account without your knowledge.
    For the best security open eBay with InPrivate browsing.
    eBay won't log in properly if you have their site in the Trusted Sites list in IE because there is a security setting to prevent navigation to zones of lower integrity.... eBay use a sub-domain to validate your credentials and have a number of different global websites with different domains.
    For consumer help with IE select the Help>Online Support menu from IE and follow the links for your Windows and IE versions.
    This forum is for questions regarding Internet Explorer 8, 9 (and 10 Release Preview) for the IT Pro Audience. Topics covered are: Installation, Deployment, Configuration, Security, Group Policy, Management questions. If you are a consumer looking for answers or to raise a question, it's highly recommended you head on over to http://answers.microsoft.com/en-us
    Rob^_^
