Policy Implement for Clients through DSFW

HI,
I have to implement some policies at remote site (218 locations) with Domain controller.
Please suggest regarding the Group Policy creation. Policies are mentioned below:
Local Policy
Site Policy
Domain Policy
Organizational Unit(OU) policy

vinishrustagi,
It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.
Has your problem been resolved? If not, you might try one of the following options:
- Visit http://www.novell.com/support and search the knowledgebase and/or check all
the other self support options and support programs available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.novell.com)
Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.novell.com/faq.php
If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.
Good luck!
Your Novell Forums Team
http://forums.novell.com

Similar Messages

  • Policy retreiving for client that is pxe booting

    Wanna ask, to which management point server does a client will retrieve its policy prior to executing the TS? Does it based on the ip address boundary range?
    Which logfile I can see to reoubleshoot client pxe issue? is it smspxe.log?

    Short answer is:  it doesn't.  But we have to break down what's happening.
    Remember when you PXE boot you are actually operating at Layer 2 still, and the WDS services are answering a broadcast.  So no MP enters the picture before a TS runs _at_all_, instead it's the Distribution Point (which controls the WDS/PXE services
    in 2012) that is connecting to the client and providing the TS.
    You can actually see this happening on the SMSPXE.log (I'm going from memory on the log name, sorry if i got it wrong) in the SMS_DP$\sms\logs when the PXE servive gets the mac, matches it against the DB then provides the TS available.
    Again we are basically doing this at layer 2, even though the client will eventually get an IP and use said IP to TFTP download said image... 
    More depth here:
    http://blogs.technet.com/b/pingpawan/archive/2014/01/12/deep-dive-pxe-boot-flow-for-sccm-2007-2012.aspx
    EDIT:  to speculate on your question a bit: so if there are multiple DPs in the same subnet, or there is possibly IPHelper in the picture in some way ... the DP that answers is basically random unless a response delay is set (can be done on the DP in
    in the MMC).

  • Password Policy implementation for SAP users

    Dear Friends,
    We are planning to implement the Password Policy for SAP users in our organization...
    Here my question is,
    Letu2019s say that the Password Policy is implemented today, what will happen to the SAP usersu2019 passwords?
    Will they be locked out until they create a new password that follows the policy?  Will there be a dialog box that will tell them what the criteria is for new passwords and its the time to change the password?
    Thank you,
    Nikee

    Hi
    Letu2019s say that the Password Policy is implemented today, what will happen to the SAP usersu2019 passwords?
    SAP Users password will be intact till it prompts for next password change. Say, 90 Days. (Provided Parameter is not set)
    Will they be locked out until they create a new password that follows the policy? Will there be a dialog box that will tell them what the criteria is for new passwords and its the time to change the password?
    They will not be locked out until they create a new password that follows the policy (provided parameter is not set),  During the time of changing the password they would get a dialog box if they have not met the specified criteria indicating that it should have specific values.
    Once the password change prompt appears, in order to login to SAP they are forced to change password with password criteria set, other wise they can not login.
    Thanks and Regards
    Arun R

  • Internet for clients through squid

    i have proxy-server on linux.Squid.
    my clients on WinXP.
    I want to make internet for the whole localnet,but only several users can has it.i dont know why.
    On the same computer in the same group one user has access to the internet,another doesn't (the same ip)
    what can i do?
    /etc/squid/squid.conf
    acl LOCAL src 10.0.3.0/24
    acl BANNER url_regex -i banner reklama linkexch banpics us\.yimg\.com [\./]ad[s]
    acl BANNERS url_regex "/etc/squid/banners"
    http_access deny BANNERS
    http_access deny BANNER
    http_access allow LOCAL
    http_access deny all

    Now I've got the problem, that the clients got only
    internet access, when the DSL-Port (ppp0) is on first
    place in the hierarchy of ethernet ports in the
    network-prefpane.
    It's a while since I configured 2 NICs but I seem to remember that older servers (maybe 10.3?) defaulted to using the first in that list as the 'internet' connected one. However, in 10.4 this is supposed to be indicated in Server Admin NAT pane (External Network Interface). Maybe once initially configured it has difficulty changing its config files to an alternative?
    This is a problem because when i open the workgroup
    manager, it gets the ISP hostname instead of the
    servers hostname (i.e. "Location:
    hostname.isp.com/LDAPv3/127.0.0.1).
    I do remember that. However, it didn't seem to have any effect on any other services - just an annoyance.
    I wonder if you could 'cheat' and create a false reverse zone & PTR record in server's own DNS for your ext IP? Then, when it looks up the IP address, it finds your own server name...
    -david

  • Minimum implementation for SMTP-ESMTP clients

    Hi,
    if I want to develop a Mail client I can use SMTP/ESMTP. I read already some of the RFC-Specs, but I cannot find an advice for the minimum implementation for a client - just for servers.
    Is the minimum number of commands the same as for the servers (7 commands for SMTP and 9 commands for ESMTP) ?
    Thanks for any help.
    BR

    Simple config...
    rserver host EXCHANGE001
      ip address 10.2.3.101
      probe PING_EXCHANGE
      inservice
    rserver host EXCHANGE002
      ip address 10.2.3.102
      probe PING_EXCHANGE
    rserver host EXCHANGE003
      ip address 10.2.3.103
      probe PING_EXCHANGE
    rserver host EXCHANGE004
      ip address 10.2.3.104
      probe PING_EXCHANGE
    serverfarm host EXCHANGE
      description EXCHANGE SERVERS
      predictor hash address
      probe PR-EXCHANGE-HTTPS
      rserver EXCHANGE001
        inservice
      rserver EXCHANGE002
      rserver EXCHANGE003
      rserver EXCHANGE004
    class-map match-all EXCHANGE-VIP
      10 match virtual-address 10.2.3.100 tcp any
    sticky ip-netmask 255.255.255.255 address both EXCHANGE-STICKY
      timeout 20
      replicate sticky
      serverfarm EXCHANGE
    policy-map type loadbalance first-match EXCHANGE-VIP
      class class-default
        sticky-serverfarm EXCHANGE-STICKY
    policy-map multi-match EXCHANGE_POL
      class EXCHANGE-VIP
        loadbalance vip inservice
        loadbalance policy EXCHANGE-VIP
        loadbalance vip icmp-reply
    NB: Only rsever EXCHANGE001 is active in the serverfarm.

  • Set a standard font for Outlook through group policy

    Dear All,
               We are using exchange 2010 and domain 2008 server in our company. For outlook we are using 2003, 2007, 2010 and 2013. Now we are plans to set a standard font and default font size for sending and replaying through
    outlook. We need to set this one through group policy.
            Your support will be highly appreciated  

    Hi,
    We can deploy default font for same version of Outlook, I haven’t found a way to change the font among different versions. The only way to achieve this is deploy font for each version of Outlook separately:
    Set default font for Outlook 2003, please refer:
    http://thommck.wordpress.com/2009/05/28/standardising-outlook-fonts-using-group-policy-preferences/
    To set default font for other versions of Outlook, please refer to the steps below:
    1. Set the font you want in one computer.
    Outlook 2007: click Tools > Options > Mail Format > Stationary and Fonts.
    Outlook 2010 and Outlook 2013: File > Options > Mail > Stationary and Fonts.
    2. Export the following registry key:
    HKEY_CURRENT_USER\Software\Microsoft\Office\XX.0\Common\MailSettings
    XX.0 is the version of your Office. 12.0 for Outlook 2007, 14.0 for Outlook 2010 and 15.0 for Outlook 2013.
    3. Distribute the .reg file via Group Policy.
    For more information, please refer to the following article and look at the “Changing Default Font for Outlook 2007” section:
    http://blogs.technet.com/b/odsupport/archive/2009/04/24/how-to-deploy-specific-fonts-in-office-2007.aspx
    Hope this helps.
    Regards,
    Steve Fan
    TechNet Community Support

  • Group policy template for Novell Client for Windows 7

    Does anyone know if there is a group policy template for the Novell Client for Windows 7? I find it really hard to believe that Novell has not yet released one, but I cannot find one anywhere. We use ZCM 11.2, and I really need to be able to send out settings for the client via a group policy.
    By the way, I am also posting this on the Novell Client forum, but since this is also a ZCM thing, I am hoping I might get some feedback here.
    Rick P

    Two recent/new resources are available for the Novell Client 2 SP3 for Windows:
    Cool Solutions AppNote: Novell Client 2 SP3 for Windows: Registry Settings
    Novell Client 2 SP3 for Windows: Registry Settings | Novell User Communities
    Cool Solutions Tool: Group Policy Administrative Template for Novell Client 2 SP3 for Windows
    Group Policy Administrative Template for Novell Client 2 SP3 for Windows | Novell User Communities

  • No log for am policy agent for iis6

    Hello!
    Im trying to get Policy Agent for IIS to run on my Win Srv 2003 with IIS6 and Sharepoint Services.
    I am running the OpenSSO version of Access Manager.
    I have installed the agent and done the initial cofiguration.
    When i try to browse the resource i get a login prompt (IIS Basic Auth)and cannot login followed by "Not Authorized 401.3"
    I should get redirected to the AM Login page, shouldn't I?
    I tried to look for answers in the log file but the /debug/<id> directory i empty.
    Anyone know what to do?
    The amAgent.properties file:
    # $Id: AMAgent.properties,v 1.103 2005/09/19 22:08:34 madan Exp $
    # The syntax of this file is that of a standard Java properties file,
    # see the documentation for the java.util.Properties.load method for a
    # complete description. (CAVEAT: The SDK in the parser does not currently
    # support any backslash escapes except for wrapping long lines.)
    # All property names in this file are case-sensitive.
    # NOTE: The value of a property that is specified multiple times is not
    # defined.
    # WARNING: The contents of this file are classified as an UNSTABLE
    # interface by Sun Microsystems, Inc. As such, they are subject to
    # significant, incompatible changes in any future release of the
    # software.
    # The name of the cookie passed between the Access Manager
    # and the SDK.
    # WARNING: Changing this property without making the corresponding change
    # to the Access Manager will disable the SDK.
    com.sun.am.cookie.name = iPlanetDirectoryPro
    # The URL for the Access Manager Naming service.
    com.sun.am.naming.url = http://login.lta.mil.se:8080/opensso/namingservice
    # The URL of the login page on the Access Manager.
    com.sun.am.policy.am.login.url = http://login.lta.mil.se:8080/opensso/UI/Login
    # Name of the file to use for logging messages.
    com.sun.am.policy.agents.config.local.log.file = C:/Sun/Access_Manager/Agents/2.2/debug/Identifier_1414639615/amAgent
    # This property is used for Log Rotation. The value of the property specifies
    # whether the agent deployed on the server supports the feature of not. If set
    # to false all log messages are written to the same file.
    com.sun.am.policy.agents.config.local.log.rotate = true
    # Name of the Access Manager log file to use for logging messages to
    # Access Manager.
    # Just the name of the file is needed. The directory of the file
    # is determined by settings configured on the Access Manager.
    com.sun.am.policy.agents.config.remote.log = amAuthLog.sharepoint.lta.mil.se.80
    # Set the logging level for the specified logging categories.
    # The format of the values is
    # <ModuleName>[:<Level>][,<ModuleName>[:<Level>]]*
    # The currently used module names are: AuthService, NamingService,
    # PolicyService, SessionService, PolicyEngine, ServiceEngine,
    # Notification, PolicyAgent, RemoteLog and all.
    # The all module can be used to set the logging level for all currently
    # none logging modules. This will also establish the default level for
    # all subsequently created modules.
    # The meaning of the 'Level' value is described below:
    # 0 Disable logging from specified module*
    # 1 Log error messages
    # 2 Log warning and error messages
    # 3 Log info, warning, and error messages
    # 4 Log debug, info, warning, and error messages
    # 5 Like level 4, but with even more debugging messages
    # 128 log url access to log file on AM server.
    # 256 log url access to log file on local machine.
    # If level is omitted, then the logging module will be created with
    # the default logging level, which is the logging level associated with
    # the 'all' module.
    # for level of 128 and 256, you must also specify a logAccessType.
    # *Even if the level is set to zero, some messages may be produced for
    # a module if they are logged with the special level value of 'always'.
    com.sun.am.log.level = 5
    # The org, username and password for Agent to login to AM.
    com.sun.am.policy.am.username = UrlAccessAgent
    com.sun.am.policy.am.password = PN4rEZ1uhx1404ivWY6HPQ==
    # Name of the directory containing the certificate databases for SSL.
    com.sun.am.sslcert.dir = C:/Sun/Access_Manager/Agents/2.2/iis6/cert
    # Set this property if the certificate databases in the directory specified
    # by the previous property have a prefix.
    com.sun.am.certdb.prefix =
    # Should agent trust all server certificates when Access Manager
    # is running SSL?
    # Possible values are true or false.
    com.sun.am.trust_server_certs = true
    # Should the policy SDK use the Access Manager notification
    # mechanism to maintain the consistency of its internal cache? If the value
    # is false, then a polling mechanism is used to maintain cache consistency.
    # Possible values are true or false.
    com.sun.am.notification.enable = true
    # URL to which notification messages should be sent if notification is
    # enabled, see previous property.
    com.sun.am.notification.url = http://sharepoint.lta.mil.se:80/amagent/UpdateAgentCacheServlet?shortcircuit=false
    # This property determines whether URL string case sensitivity is
    # obeyed during policy evaluation
    com.sun.am.policy.am.url_comparison.case_ignore = true
    # This property determines the amount of time (in minutes) an entry
    # remains valid after it has been added to the cache. The default
    # value for this property is 3 minutes.
    com.sun.am.policy.am.polling.interval=3
    # This property allows the user to configure the User Id parameter passed
    # by the session information from the access manager. The value of User
    # Id will be used by the agent to set the value of REMOTE_USER server
    # variable. By default this parameter is set to "UserToken"
    com.sun.am.policy.am.userid.param=UserToken
    # Profile attributes fetch mode
    # String attribute mode to specify if additional user profile attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user profile attributes will be introduced.
    # HTTP_HEADER - additional user profile attributes will be introduced into
    # HTTP header.
    # HTTP_COOKIE - additional user profile attributes will be introduced through
    # cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.profile.attribute.fetch.mode=NONE
    # The user profile attributes to be added to the HTTP header. The
    # specification is of the format ldap_attribute_name|http_header_name[,...].
    # ldap_attribute_name is the attribute in data store to be fetched and
    # http_header_name is the name of the header to which the value needs
    # to be assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.profile.attribute.map=cn|common-name,ou|organiz ational-unit,o|organization,mail|email,employeenumber|employee-number,c|country
    # Session attributes mode
    # String attribute mode to specify if additional user session attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user session attributes will be introduced.
    # HTTP_HEADER - additional user session attributes will be introduced into HTTP header.
    # HTTP_COOKIE - additional user session attributes will be introduced through cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
    # The session attributes to be added to the HTTP header. The specification is
    # of the format session_attribute_name|http_header_name[,...].
    # session_attribute_name is the attribute in session to be fetched and
    # http_header_name is the name of the header to which the value needs to be
    # assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.session.attribute.map=
    # Response Attribute Fetch Mode
    # String attribute mode to specify if additional user response attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user response attributes will be introduced.
    # HTTP_HEADER - additional user response attributes will be introduced into
    # HTTP header.
    # HTTP_COOKIE - additional user response attributes will be introduced through
    # cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
    # The response attributes to be added to the HTTP header. The specification is
    # of the format response_attribute_name|http_header_name[,...].
    # response_attribute_name is the attribute in policy response to be fetched and
    # http_header_name is the name of the header to which the value needs to be
    # assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.response.attribute.map=
    # The cookie name used in iAS for sticky load balancing
    com.sun.am.policy.am.lb.cookie.name = GX_jst
    # indicate where a load balancer is used for Access Manager
    # services.
    # true | false
    com.sun.am.load_balancer.enable = false
    ####Agent Configuration####
    # this is for product versioning, please do not modify it
    com.sun.am.policy.agents.config.version=2.2
    # Set the url access logging level. the choices are
    # LOG_NONE - do not log user access to url
    # LOG_DENY - log url access that was denied.
    # LOG_ALLOW - log url access that was allowed.
    # LOG_BOTH - log url access that was allowed or denied.
    com.sun.am.policy.agents.config.audit.accesstype = LOG_BOTH
    # Agent prefix
    com.sun.am.policy.agents.config.agenturi.prefix = http://sharepoint.lta.mil.se:80/amagent
    # Locale setting.
    com.sun.am.policy.agents.config.locale = en_US
    # The unique identifier for this agent instance.
    com.sun.am.policy.agents.config.instance.name = unused
    # Do SSO only
    # Boolean attribute to indicate whether the agent will just enforce user
    # authentication (SSO) without enforcing policies (authorization)
    com.sun.am.policy.agents.config.do_sso_only = true
    # The URL of the access denied page. If no value is specified, then
    # the agent will return an HTTP status of 403 (Forbidden).
    com.sun.am.policy.agents.config.accessdenied.url =
    # This property indicates if FQDN checking is enabled or not.
    com.sun.am.policy.agents.config.fqdn.check.enable = true
    # Default FQDN is the fully qualified hostname that the users should use
    # in order to access resources on this web server instance. This is a
    # required configuration value without which the Web server may not
    # startup correctly.
    # The primary purpose of specifying this property is to ensure that if
    # the users try to access protected resources on this web server
    # instance without specifying the FQDN in the browser URL, the Agent
    # can take corrective action and redirect the user to the URL that
    # contains the correct FQDN.
    # This property is set during the agent installation and need not be
    # modified unless absolutely necessary to accommodate deployment
    # requirements.
    # WARNING: Invalid value for this property can result in the Web Server
    # becoming unusable or the resources becoming inaccessible.
    # See also: com.sun.am.policy.agents.config.fqdn.check.enable,
    # com.sun.am.policy.agents.config.fqdn.map
    com.sun.am.policy.agents.config.fqdn.default = sharepoint.lta.mil.se
    # The FQDN Map is a simple map that enables the Agent to take corrective
    # action in the case where the users may have typed in an incorrect URL
    # such as by specifying partial hostname or using an IP address to
    # access protected resources. It redirects the browser to the URL
    # with fully qualified domain name so that cookies related to the domain
    # are received by the agents.
    # The format for this property is:
    # com.sun.am.policy.agents.config.fqdn.map = [invalid_hostname|valid_hostname][,...]
    # This property can also be used so that the agents use the name specified
    # in this map instead of the web server's actual name. This can be
    # accomplished by doing the following.
    # Say you want your server to be addressed as xyz.hostname.com whereas the
    # actual name of the server is abc.hostname.com. The browsers only knows
    # xyz.hostname.com and you have specified polices using xyz.hostname.com at
    # the Access Manager policy console, in this file set the mapping as
    # com.sun.am.policy.agents.fqdn.map = valid|xyz.hostname.com
    # Another example is if you have multiple virtual servers say rst.hostname.com,
    # uvw.hostname.com and xyz.hostname.com pointing to the same actual server
    # abc.hostname.com and each of the virtual servers have their own policies
    # defined, then the fqdnMap should be defined as follows:
    # com.sun.am.policy.agents.fqdn.map = valid1|rst.hostname.com,valid2|uvw.hostname.com,valid3|xyz.hostname.com
    # WARNING: Invalid value for this property can result in the Web Server
    # becoming unusable or the resources becoming inaccessible.
    com.sun.am.policy.agents.config.fqdn.map =
    # Cookie Reset
    # This property must be set to true, if this agent needs to
    # reset cookies in the response before redirecting to
    # Access Manager for Authentication.
    # By default this is set to false.
    # Example : com.sun.am.policy.agents.config.cookie.reset.enable=true
    com.sun.am.policy.agents.config.cookie.reset.enable=false
    # This property gives the comma separated list of Cookies, that
    # need to be included in the Redirect Response to Access Manager.
    # This property is used only if the Cookie Reset feature is enabled.
    # The Cookie details need to be specified in the following Format
    # name[=value][;Domain=value]
    # If "Domain" is not specified, then the default agent domain is
    # used to set the Cookie.
    # Example : com.sun.am.policy.agents.config.cookie.reset.list=LtpaToken,
    # token=value;Domain=subdomain.domain.com
    com.sun.am.policy.agents.config.cookie.reset.list=
    # This property gives the space separated list of domains in
    # which cookies have to be set in a CDSSO scenario. This property
    # is used only if CDSSO is enabled.
    # If this property is left blank then the fully qualified cookie
    # domain for the agent server will be used for setting the cookie
    # domain. In such case it is a host cookie instead of a domain cookie.
    # Example : com.sun.am.policy.agents.config.cookie.domain.list=.sun.com .iplanet.com
    com.sun.am.policy.agents.config.cookie.domain.list=
    # user id returned if accessing global allow page and not authenticated
    com.sun.am.policy.agents.config.anonymous_user=anonymous
    # Enable/Disable REMOTE_USER processing for anonymous users
    # true | false
    com.sun.am.policy.agents.config.anonymous_user.enable=false
    # Not enforced list is the list of URLs for which no authentication is
    # required. Wildcards can be used to define a pattern of URLs.
    # The URLs specified may not contain any query parameters.
    # Each service have their own not enforced list. The service name is suffixed
    # after "# com.sun.am.policy.agents.notenforcedList." to specify a list
    # for a particular service. SPACE is the separator between the URL.
    com.sun.am.policy.agents.config.notenforced_list = SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/UI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTCONSOLE_DEPLOY_URI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/login_images/* SERVER_PROTO://SERVER_HOST:SERVER_PORT/docs* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/namingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/sessionservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/loggingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/profileservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/policyservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/config* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/js/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/css/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/authservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLAwareServlet SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLSOAPReceiver SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLPOSTProfileServlet
    # Boolean attribute to indicate whether the above list is a not enforced list
    # or an enforced list; When the value is true, the list means enforced list,
    # or in other words, the whole web site is open/accessible without
    # authentication except for those URLs in the list.
    com.sun.am.policy.agents.config.notenforced_list.invert = false
    # Not enforced client IP address list is a list of client IP addresses.
    # No authentication and authorization are required for the requests coming
    # from these client IP addresses. The IP address must be in the form of
    # eg: 192.168.12.2 1.1.1.1
    com.sun.am.policy.agents.config.notenforced_client_ip_list =
    # Enable POST data preservation; By default it is set to false
    com.sun.am.policy.agents.config.postdata.preserve.enable = false
    # POST data preservation : POST cache entry lifetime in minutes,
    # After the specified interval, the entry will be dropped
    com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
    # Cross-Domain Single Sign On URL
    # Is CDSSO enabled.
    com.sun.am.policy.agents.config.cdsso.enable=false
    # This is the URL the user will be redirected to for authentication
    # in a CDSSO Scenario.
    com.sun.am.policy.agents.config.cdcservlet.url =
    # Enable/Disable client IP address validation. This validate
    # will check if the subsequent browser requests come from the
    # same ip address that the SSO token is initially issued against
    com.sun.am.policy.agents.config.client_ip_validation.enable = false
    # Below properties are used to define cookie prefix and cookie max age
    com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
    com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
    # Logout URL - application's Logout URL.
    # This URL is not enforced by policy.
    # if set, agent will intercept this URL and destroy the user's session,
    # if any. The application's logout URL will be allowed whether or not
    # the session destroy is successful.
    com.sun.am.policy.agents.config.logout.url=
    # Any cookies to be reset upon logout in the same format as cookie_reset_list
    com.sun.am.policy.agents.config.logout.cookie.reset.list =
    # By default, when a policy decision for a resource is needed,
    # agent gets and caches the policy decision of the resource and
    # all resource from the root of the resource down, from the Access Manager.
    # For example, if the resource is http://host/a/b/c, the the root of the
    # resource is http://host/. This is because more resources from the
    # same path are likely to be accessed subsequently.
    # However this may take a long time the first time if there
    # are many many policies defined under the root resource.
    # To have agent get and cache the policy decision for the resource only,
    # set the following property to false.
    com.sun.am.policy.am.fetch_from_root_resource = true
    # Whether to get the client's hostname through DNS reverse lookup for use
    # in policy evaluation.
    # It is true by default, if the property does not exist or if it is
    # any value other than false.
    com.sun.am.policy.agents.config.get_client_host_name = true
    # The following property is to enable native encoding of
    # ldap header attributes forwarded by agents. If set to true
    # agent will encode the ldap header value in the default
    # encoding of OS locale. If set to false ldap header values
    # will be encoded in UTF-8
    com.sun.am.policy.agents.config.convert_mbyte.enable = false
    #When the not enforced list or policy has a wildcard '*' character, agent
    #strips the path info from the request URI and uses the resulting request
    #URI to check against the not enforced list or policy instead of the entire
    #request URI, in order to prevent someone from getting access to any URI by
    #simply appending the matching pattern in the policy or not enforced list.
    #For example, if the not enforced list has the value http://host/*.gif,
    #stripping the path info from the request URI will prevent someone from
    #getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
    #However when a web server (for exmample apache) is configured to be a reverse
    #proxy server for a J2EE application server, path info is interpreted in a different
    #manner since it maps to a resource on the proxy instead of the app server.
    #This prevents the not enforced list or policy from being applied to part of
    #the URI below the app serverpath if there is a wildcard character. For example,
    #if the not enforced list has value http://host/webapp/servcontext/* and the
    #request URL is http://host/webapp/servcontext/example.jsp the path info
    #is /servcontext/example.jsp and the resulting request URL with path info stripped
    #is http://host/webapp, which will not match the not enforced list. By setting the
    #following property to true, the path info will not be stripped from the request URL
    #even if there is a wild character in the not enforced list or policy.
    #Be aware though that if this is set to true there should be nothing following the
    #wildcard character '*' in the not enforced list or policy, or the
    #security loophole described above may occur.
    com.sun.am.policy.agents.config.ignore_path_info = false
    # Override the request url given by the web server with
    # the protocol, host or port of the agent's uri specified in
    # the com.sun.am.policy.agents.agenturiprefix property.
    # These may be needed if the agent is sitting behind a ssl off-loader,
    # load balancer, or proxy, and either the protocol (HTTP scheme),
    # hostname, or port of the machine in front of agent which users go through
    # is different from the agent's protocol, host or port.
    com.sun.am.policy.agents.config.override_protocol =
    com.sun.am.policy.agents.config.override_host =
    com.sun.am.policy.agents.config.override_port = true
    # Override the notification url in the same way as other request urls.
    # Set this to true if any one of the override properties above is true,
    # and if the notification url is coming through the proxy or load balancer
    # in the same way as other request url's.
    com.sun.am.policy.agents.config.override_notification.url =
    # The following property defines how long to wait in attempting
    # to connect to an Access Manager AUTH server.
    # The default value is 2 seconds. This value needs to be increased
    # when receiving the error "unable to find active Access Manager Auth server"
    com.sun.am.policy.agents.config.connection_timeout =
    # Time in milliseconds the agent will wait to receive the
    # response from Access Manager. After the timeout, the connection
    # will be drop.
    # A value of 0 means that the agent will wait until receiving the response.
    # WARNING: Invalid value for this property can result in
    # the resources becoming inaccessible.
    com.sun.am.receive_timeout = 0
    # The three following properties are for IIS6 agent only.
    # The two first properties allow to set a username and password that will be
    # used by the authentication filter to pass the Windows challenge when the Basic
    # Authentication option is selected in Microsoft IIS 6.0. The authentication
    # filter is named amiis6auth.dll and is located in
    # Agent_installation_directory/iis6/bin. It must be installed manually on
    # the web site ("ISAPI Filters" tab in the properties of the web site).
    # It must also be uninstalled manually when unintalling the agent.
    # The last property defines the full path for the authentication filter log file.
    com.sun.am.policy.agents.config.iis6.basicAuthentication.username =
    com.sun.am.policy.agents.config.iis6.basicAuthentication.password =
    com.sun.am.policy.agents.config.iis6.basicAuthentication.logFile = C:/Sun/Access_Manager/Agents/2.2/debug/Identifier_1414639615/amAuthFilter

    If the agent doesnot start properly you would always get redirected to com.sun.am.policy.agents.config.accessdenied.url , if thats not specified you will get a 403.
    For the agent itself check that the naming.url is correct. the agent username and passwords are correct, and see that the user has priviledges to write to the agent log files. Apart from these post the windows event logs.

  • Internet access for clients

    GuysNeed some assistance on providing internet access at a branch site for clients. Any thoughts and suggestions welcome and appreciatedWe have a number of branch offices connected over ISP managed MPLS network, any-2-any. I am looking at implementing some kind of internet access at the branch offices, either wired or wireless. We manage all the L1 and L2 connectivity at the sites, and the L3 side at our hub offices, of which we have 2, mainly for internet traffic etc, which isnt provided by our MPLS ISPCurrently all internet traffic for all sites goes to our data centre and is routed out through our firewall. Routing isnt an issue here, its more the best way to set this up securely.My initial thoughts were to set aside a whole bunch of ports on a seperate PVLAN that would connect the clients to the network (I am not conerned about the clients talking to each other, as long as they cant reach the local vlans). But the problem may lie at the firewall end, as I will need to specify specific hosts for port 80, 443 traffic only. Would a seperate DHCP scope, of say a /28, allowing 16 hosts only be an idea? Then I wouldnt have to mess around with firewall changes for different hosts all the timeThanks

    Hi,
    How are things going?
    I agree with Darshana. You could connect to Internet by using a router. Router can be configured to enable all users in a network to share a single connection to the Internet. Routing and Remote Access of windows server provides built-in
    routing services that can be used to connect an organization to the Internet through a routed connection to an ISP.
    You can also configure a windows server as a NAT server in your network. A network address translator is an IP router that can translate IP addresses and TCP or UDP port numbers of packets as they are being forwarded. NAT translates private
    IP addresses to external, public IP addresses. Then the computers of LAN can access Internet.
    Best Regards,
    Tina
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Gallery for client photo review

    Search didn't give me much useful, so I post.
    What recommendations to you have for a easy to navigate LR gallery for clients to add comments and return them to me.
    Or, do people have recommendations for galleries they like for presenting images to clients?
    Thoughts? Suggestions?
    Thanks!
    Reid

    Does the TTG selection gallery remember comments if I close my browser, reopen it and revisit the same site?
    The problem with most stand-alone templates is that they are single session only. If the TTG Gallery or other templates have an effective way of being multi-session, then that is very nice and my next comments are irrelevant.
    By single session I mean that the comments and checkmarks only exist for that visit to the website, and leaving the website and coming back makes you start all over. That is a big problem, because there are few things more frustrating than spending a long time commenting or checkmarking files, only to lose all the work because the browser gets accidentally closed, or the email fails to send, or they didn't know they would lose all their work by 'continuing tomorrow', or some other problem happens. Think about it... if you are a client that spends a couple of hours sorting through photos and then the comments are irretrievably lost, are you going to be a happy client?
    Some comment systems try to make the system 'sticky' by using cookies, but you can effectively only hold a couple thousand characters in a cookie after overhead, and that isn't much.
    I learned the hard way by trying to do some 'little job' sales through the "EOS Template" ( http://www.eostemplate.com/eos ), which is a VERY nice template, but suffers from the ZERO memory between sessions fatal flaw.
    So be very careful when selecting an interactive photo system to use with your clients... if the data isn't collected dynamically and stored on the server somehow, I would avoid it.
    I wish that I could fully recommend Zenfolio.com , since it has such a great interface, and it allows for the client to create their own 'collections' of referenced photos (a great sorting aid), but comments are not implemented yet.

  • Is LDAP or AD as a external identity store recommended in ISE implementation for machine authentication

    Hi Experts,
    I have question about External identity store integration in ISE . I had chance to go through the cisco doc for ISE configuration especially for external identity store .
    there are two ways to configure external identity store.
    1) AD
    2) LDAP
    Which one is actually recommended ? technically which one would be convinient to configure to set-up machine authentication. do we have any limitation in terms of functionality in either of one ?

    Hi Leo,
    its not duplicate post , I have created one more post where you have linked that is for client policy enforcement . I want to understand how certificates will be pushed to client.
    This post is to understand the LDAP & AD intergration with ISE .
    I have requirement where client is asking to intergrate machine database using LDAP.
    I am quite new for LDAP intergration that is the reason I have created this discussion.

  • Does Sun provide an implementation for the PolicyManager interface (OMG)

    I need an interface through which I can set Policies and view the current Policy overrides. Doesn't the Java IDL provide a default implementation for the PolicyManager interface? (on the lines of what is available in VisiBroker and JacORB)
    Also want to know the values that need to be set for protocol_type if I need to use IIOP and SSLIIOP profocols

    It also makes a difference whether RMI/IIOP or Java IDL is used. Considering RMI/IIOP, there is still many work to be done. See, for example, bug 6239444, which came up when testing interoperability between Sun's and IBM's ORBs. I was told by experts that this problem came up due to the ambiguity of the RMI/IIOP specification. Java IDL should work better there.
    However, the discussion seems to become off-topic :-/, I am not sure that the original question was about interoperability.
    Regards,
    Miran

  • When converting over to HTTPS and PKI for clients, not all actions are available in configuration manager cpl

    I'm not exactly sure which forum heading this should go under so if this isn't correct please let me know or move it on my behalf.  
    So I am trying to setup Internet Based Client Management in SCCM 2012 R2 and have come across a few articles on how to do so.   I think I have mostly gotten it to work but I seem to be having a client issue when deploying new machines.  My already
    deployed servers seem to have picked up the PKI setting no problem.  In the past when I would deploy a new windows client everything would be fine.  When i converted over to PKI in my test environment I am now having issues when I go to deploy a
    new windows client. I don't get all of the Actions listed in the Configuration Manager control panel.  All I have are Discovery Data Collection, Machine Policy Retrieval and Eval, User Policy Retrieval and Eval, and Windows Installer Source list Update
    Cycles, before all of them would populate no problem.  I have let this machine sit here for several hours and nothing has changed yet.  It does say PKI for client certificate.  Sometimes when I would deploy new machines it would say NONE for
    Client certificate.  In my production environment it says self-signed.  I have found if i uninstall the client and re-install the client it does populate all of the cycles but I don't understand why it is not working on deployment.
    Ok so maybe not all the time that when i reinstall the client it fixes it.  I just did an uninstall and reinstall on a test client and all it has under actions are machine and user policy cycles.
    Does anyone have any ideas?

    Hi,
    I think SCCM client installed before the GPO applied, so you don't a certificate available when it is required.
    You can export and import the certificate by using MDT integration, try this blog for PKI part:
    How To: Build and Capture in Configuration Manager 2012 using HTTPS
    And in addition, you can upload the log to your onedrive so you can share with us.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • What is package structure for Client ABAP Proxy?

    1.     What is the package structure need to be  followed for creating abap client proxy.
    2.     I read some where in the form, it need to be 4 levels. Why is it?
    Thank you
    Ganges Leaves

    Hi
    U hav to create a 4 level package structure for client ABAP proxy.
    U can create ur on packages
    1st level-structure package.
    2nd level-main package.
    3rd and 4th level-sub packages.
    To the 4th level only u hav to create proxy.
    The classes and code wil be automatically generated at the time of proxy creation.
    I think the 4 level structure bcz while in r/3 everythin in integration builder like software component version and all wil be takin as different levels.
    Also u can go through the weblogs in the above replies u got.
    Regards
    Victoria.

  • Implement HSBC connect through XML MESSAGE

    Hi all,
    We are planning to implement HSBC connect through “HSBC ISO 20022 XML MESSAGE” to send payment file from SAP to HSBC connect for Asia and Middle East region. Can someone please guide me to develop payment file generation program in HSBC ISO 20022 XML MESSAGE format. If any example code is of great help. Sharing your experiences is a great help to me in this regard ..
    Thanks in advance.

    Hi Eman,
    Please go through the design we made for a bank interface.
    - We had generated IDOC XML file, configured partner profiles for the same.
    - These IDOC files were sent to the XI systems where where ISO XML files were generated.
    - These ISO XML's were in sync with the banks ISO XML.
    - They are received from the Banks side and the data is further processed by the banks SAP system.
    I Hope this information will be helpful.
    PS : The bank configurations can be country specific.
    Regards,
    Himanshu.

Maybe you are looking for

  • Power Shell Script for getting the list of members of a particular collection group

    Hi Group I am looking for a powershell script for the below  manual process in sccm2012. please help Obtain the list of "All Users Group1" collection that have been defined as a Primary User of a device, and what that Users ShortName and Device name

  • Apple's bluetooth mouse problem

    hi there, now here is an intresting problem i have with my apple bluetooth mouse. the problem i have is that if i turn off my mouse and then turn it on, it wont connect to my powerbook, so inorder to connect it, i have 2 options, the first one is to

  • Cancel Down payment (noted item)

    Hi, Can I cancel customer down payment request? It is noted item and I need to cancel it. I have try to use VF11 and FB08, but it's not working. VF11 let me cancel it, but it is still on system. I found out, that it is not FI document at the moment,

  • Need of Proxy settings

    Hi,    Please post me the details of why we need proxy settings in detail...    1.why to Create a HTTP connection in the business system    2.why to Configuration Business system as local Integration Engine.    3.why we need a Connection between Busi

  • Develop mode doesn`t work in realtime

    Winsows 8.1 x64 Lightroom 5.4 CC When I move any sliders in develop mode image in main view doesn`t change, but in filmstrip changes. If I switch to another image and back all changes applies. Please help.