Policy NAT 8.6(1)2 Windows Server Cluster
We have 2 email servers in a cluster on the network. I have the cluster IP address configured for Object static NAT. This works great for email coming into our organization. However, when either of these 2 email servers send mail, they send using their configured IP address which is different from the cluster IP address. Thus, the NAT'd address is different than for incoming. It hasn't been an issue to this point, but I would like to be able to send SMTP from either server and have it NAT to the same IP used for the cluster IP. This way, any reverse DNS lookups on the internet would show a consistent IP to name mapping for our mail servers. I've attached a diagram. If there is a way to force the cluster servers to use the cluster address on the Windows server side, that could be an option as well.
Thanks,
Andrew
Hi,
The actual NAT configuration used depends on how your Dynamic PAT rule for all the users of the network is configured at the moment. Mainly is it Auto NAT or Manual NAT.
Though naturally I can give you an example that includes both Dynamic PAT for all users and Dynamic PAT for the Mail servers and the Static NAT for incoming mail.
MAIL SERVER STATIC NAT
object network MAIL-SERVER
host 10.0.0.1
nat (inside,outside) static 10.10.10.140
The above configuration is the basic Static NAT configuration for a host using Auto NAT / Network Object NAT. It could be done with Manual NAT / Twice NAT also but I prefer Auto NAT / Network Object NAT
MAIL SERVER DYNAMIC PAT
object-group network MAIL-PAT-SOURCE
network-object host 10.0.0.1
network-object host 10.0.0.2
network-object host 10.0.0.3
object network MAIL-SERVER-PUBLIC
host 10.10.10.140
nat (inside,outside) after-auto source dynamic MAIL-PAT-SOURCE MAIL-SERVER-PUBLIC
The above is a normal Dynamic PAT configuration (no Policy elements involved).
The key thing to notice here is that we are entering this to the ASA before the next Dynamic PAT that catches all the rest of the source IP addresses. One thing to notice also is that it's a Section 3 NAT rule (the lowest priority) so that it won't override any other NAT rules like the above Static NAT.
If you had your existing Dynamic PAT for all users already with a similar configuration to the last configuration example then you would have to add a line number to the NAT configuration like this
nat (inside,outside) after-auto 1 source dynamic MAIL-PAT-SOURCE MAIL-SERVER-PUBLIC
DEFAULT DYNAMIC PAT FOR USERS
nat (inside,outside) after-auto source dynamic any interface
The above is just a Dynamic PAT configuration that catches all source addresses from behind the "inside" interface and does Dynamic PAT for them when connecting to networks behind "outside". As this is inserted to the configuration after the above command it will be at a lower priority and won't apply for the 3 source hosts we specified above.
I wonder if I made this out to be more complicated than it needs to be
I guess the easiest way to determine the configuration you will need/want would be to see the current NAT configuration on the ASA
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
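To make the rule-ordering point in Jouni's reply concrete, here is an added Python model (not ASA code and not from this thread) that parses the object, object-group and nat lines above and reports which NAT section an inside host hits on the way out. It assumes an outside interface address of 10.10.10.1, which the thread does not give, and ignores ports, so Dynamic PAT is shown only as the mapped address. The second configuration appends the mail-server PAT after an existing catch-all without a line number, the situation the reply warns about.

```python
"""Toy model of Cisco ASA 8.3+ NAT section ordering.

Added illustration, not ASA code: parses the object / object-group / nat
lines from the thread and evaluates which rule an inside host hits, to show
why the mail-server dynamic PAT must sit above the catch-all (line number)
and why the Section 2 static NAT for 10.0.0.1 still wins.
"""

OUTSIDE_IF_IP = "10.10.10.1"  # assumed "outside" interface address (not given in the thread)


class NatTable:
    def __init__(self):
        self.objects = {}       # object / object-group name -> set of host addresses
        self.before_auto = []   # Section 1: manual NAT (none in the thread)
        self.object_nat = []    # Section 2: network object NAT, (object, mapped ip)
        self.after_auto = []    # Section 3: manual NAT after-auto, (source obj, mapped obj)


def parse_config(text):
    """Build a NatTable from ASA-style config lines (only the forms used in the thread)."""
    table, current = NatTable(), None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] in ("object", "object-group") and t[1] == "network":
            current = t[2]
            table.objects.setdefault(current, set())
        elif t[0] == "host":
            table.objects[current].add(t[1])
        elif t[0] == "network-object" and t[1] == "host":
            table.objects[current].add(t[2])
        elif t[0] == "nat" and t[2] == "static":
            table.object_nat.append((current, t[3]))     # belongs to the enclosing object
        elif t[0] == "nat" and "source" in t:
            i = t.index("source")
            rule = (t[i + 2], t[i + 3])                   # 'source dynamic SRC MAPPED'
            section = table.after_auto if "after-auto" in t else table.before_auto
            line_no = next((int(x) for x in t[2:i] if x.isdigit()), None)
            if line_no is None:
                section.append(rule)                      # no line number: goes last
            else:
                section.insert(line_no - 1, rule)         # explicit line number
    return table


def _matches(table, obj, src):
    return obj == "any" or src in table.objects.get(obj, set())


def _mapped(table, obj):
    if obj == "interface":
        return OUTSIDE_IF_IP
    return sorted(table.objects[obj])[0]                  # single-host objects only


def translate(table, src):
    """Return (mapped source address, matching section) for an inside->outside flow."""
    for src_obj, mapped in table.before_auto:
        if _matches(table, src_obj, src):
            return _mapped(table, mapped), "section1-manual"
    for obj, mapped_ip in table.object_nat:
        if src in table.objects[obj]:
            return mapped_ip, "section2-static"
    for src_obj, mapped in table.after_auto:
        if _matches(table, src_obj, src):
            return _mapped(table, mapped), "section3-after-auto"
    return src, "no-nat"


# Catch-all already present, mail PAT inserted at line 1 (as the reply recommends)
CONFIG_LINE_1 = """
object network MAIL-SERVER
 host 10.0.0.1
 nat (inside,outside) static 10.10.10.140
object-group network MAIL-PAT-SOURCE
 network-object host 10.0.0.1
 network-object host 10.0.0.2
 network-object host 10.0.0.3
object network MAIL-SERVER-PUBLIC
 host 10.10.10.140
nat (inside,outside) after-auto source dynamic any interface
nat (inside,outside) after-auto 1 source dynamic MAIL-PAT-SOURCE MAIL-SERVER-PUBLIC
"""

# Same objects, but the mail PAT appended after the catch-all without a line number
CONFIG_APPENDED = CONFIG_LINE_1.replace("after-auto 1 source", "after-auto source")

HOSTS = ("10.0.0.1", "10.0.0.2", "10.0.0.50")   # mail server, cluster peer, ordinary user


def evaluate(config, hosts=HOSTS):
    table = parse_config(config)
    return {h: translate(table, h) for h in hosts}


if __name__ == "__main__":
    for label, cfg in (("mail PAT at line 1", CONFIG_LINE_1), ("mail PAT appended", CONFIG_APPENDED)):
        print(label)
        for host, (mapped, section) in evaluate(cfg).items():
            print(f"  {host:10} -> {mapped:14} via {section}")
```

With the line number, 10.0.0.2 and 10.0.0.3 leave as 10.10.10.140 while 10.0.0.1 is still handled by the Section 2 static NAT; in the appended variant the `any interface` rule matches first and the cluster peers fall back to the interface address, which is exactly the inconsistent reverse-DNS result the question describes.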
Similar Messages
-
FMS 3.5 on Windows Server cluster?
Is FMS 3.5 supported on a Windows 2003 (or better yet Windows 2008) server fail-over cluster?
Thinking it would be nice to have an origin server clustered so no single point of failure can occur. Any thoughts?
yes =) windows and linux
http://www.adobe.com/devnet/flashmediaserver/articles/scaling_securing_fms3.html
http://help.adobe.com/en_US/FlashMediaServer/3.5_AdminGuide/WS5b3ccc516d4fbf351e63e3d119f2 925d1a-7ffc.html
regards
Leonardo França
Adobe Certified Expert Flex 3 with AIR
Adobe Certified Expert Rich Internet Application Specialist v1.0
Adobe Certified Expert Flash CS3 Professional
Certified Professional Adobe Flex 2 Developer
Adobe Certified Professional Flash MX 2004 Developer
http://www.leonardofranca.com
http://twitter/leofederal
Manager AUGDF - Adobe User Group do Distrito Federal
http://www.augdf.com.br
http://twitter/augdf
-
Windows Server 2008 R2 RRAS NAT Security Concerns
Recently we are deploying Windows Server 2008 R2 as the NAT gateway of our private network. During the testing, we found that the RRAS was doing its job as the NAT gateway,
however it seemed that hosts in the private network were allowed to access any listening port opened on the server side (2008 R2). In the normal scenario, the server side will have the process "wininit.exe" running and listening on the TCP port 49152.
We confirmed that all hosts in the private network were be able to connect to TCP port 49152 opened on the server (connecting by using the NAT's public IP), which introduced lots of security concerns and made us nervous. Since the server is acting as a NAT,
IP packets sent by hosts in the private network will be translated and forwarded as if it is generated by the NAT server itself. Thus, the windows firewall will not block the connection at all while dealing with "local" traffic, which actually is
the traffic from the host in the private network.
What we need is a mechanism that can block the hosts in the private network from accessing the TCP/UDP ports opened on the NAT server side. Since the NAT server has its IP on
the public network assigned dynamically (DHCP), static IP filtering on the private NIC does not fit our needs (Or probably we may use some hidden but advanced filter settings?). Which policy or setting should be used in our case?
Hi Daniel,
I am aware of what you are suggesting. Actually I have activated the Windows firewall to protect the server.
Suppose I have a network configuration as follows:
Private Network: 192.168.149.0 / 255.255.255.0 (Private NIC on server side IP:192.168.149.1)
--------------Windows 2008 R2 RRAS NAT--------------------
Public Network: 10.1.0.0 / 255.255.255.0 (Public NIC on server side IP:10.1.0.100 )
The problem is that while the windows firewall is effectively protecting my server by filtering inbound traffic from the public network, the windows firewall will not filter the traffic from
192.168.149.0 /255.255.255.0 to 10.1.0.100 (NAT's public IP)
The reason is that the TCP/UDP connection from the private network (192.168.149.0 / 255.255.255.0) to any other networks will be NATed. Suppose TCP connection from
192.168.149.23:50000 -> 10.1.0.100:1023
It will be translated by NAT and becomes
192.168.149.23:50000 <-NAT-> 10.1.0.100:60100 -> 10.1.0.100:1023
From the windows firewall's point of view, the connection is essentially a 'local' TCP connection and should be allowed regardless of any inbound filtering rules. So vulnerability is introduced. After some research, we are almost sure that the windows firewall
does not filter local traffic. Also, we are not able to guarantee any firewalls on the client side to be installed, since the nature of a NAT server is to provide such network access ability to clients and should not require the client side to change its configuration.
I do think it is a common security concern in lots of enterprise networks where Windows Servers are deployed as NAT servers. Would you mind help us address this issue and give us some advice about best-practices related?
Thank you -
Configuring group policy for user profiles in Windows Server 2012 R2 Domain
Requesting some experts advise on configuring group policy for user profiles.
We will be building new Windows Server 2012 R2 Domain Controllers (Domain of 400 users).
The settings which I am concerned:
1. Folder Redirection: Desktop, Documents, Favorites.
2. Quota for Folder Redirection - 1 GB per user.
3. Map a networked drive - 1 GB per user.
4. Roaming profile - (Will ignore if it does not suit our requirement).
The question is how the Outlook profile will be retained / automatically moved if the users move from one computer to another?
FYI, E-mails hosted on MS Office365 and OST file size of few users more than 25GB. So, in case the user moves from one computer to other, the entire mailbox will be downloaded via internet. This consumes high bandwidth if more than 3-4 users shift per day.
Thanks a lot for your valuable time and efforts.
Hi,
>>The question is how the Outlook profile will be retained / automatically moved if the users move from one computer to another?
This depends on where our outlook data files are stored. If these data files are stored under
drive:\Users\<username>\AppData\Local, then these files can’t be redirected, for folder redirection can’t redirect appdata local or locallow.
However, regarding your question, we can refer to the following thread to find the solution.
Roam outlook profiles without roaming profiles
http://social.technet.microsoft.com/Forums/office/en-US/3908b8e0-8f44-4a34-8eb5-5a024df3463e/roam-outlook-profiles-without-roaming-profiles
In addition, regarding how to configure folder redirection, the following article can be referred to for more information.
Configuring Folder Redirection
http://technet.microsoft.com/library/cc786749.aspx
Hope it helps.
Best regards,
Frank Shen -
Dear All,
We are having an infrastructure setup of around 500 client computers managed through group policy.
Recently the domain controllers have been migrated from Windows Server 2003 to Server 2008 R2.
Since this account requires extremely strict environment, we need to figure the solution for restricting the users from access anything locally.
It would be great if you can assist me with the following query.
How to restrict users logged on Windows 7 clients from accessing Windows Explorer and browsing other systems in the network through Group Policy with a domain controller running on Windows Server 2008 r2 ?
Can we disable Network Tab on the left hand pane ?
explorer.exe is blocked already, but users are able to enter the Windows Explorer by clicking on the name which is visible on the Start Menu.
> * explorer.exe is blocked already, but users are able to enter the
> Windows Explorer by clicking on the name which is visible on the
> Start Menu.
You cannot block explorer.exe when you do not replace the shell - the
desktop you see effectively IS explorer.exe...
Your requirement sounds like you need a custom shell:
http://gpsearch.azurewebsites.net/#2812
Martin
How about reading a GOOD book about GPOs for a change?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :)) -
How to install unlimited strength policy files with 2003 windows server
Hi all,
I am working on encryption AES 256 bit key encryption.
128-bit is the default encryption key size. But to use a 256-bit encryption key you need to add the unlimited strength policy files to the JDK.
That is working fine on windows xp.
Now problem
But when I run it on a client machine with the operating system Windows 2003 Server Standard:
I replaced all files under the folder Java\jdk1.6.0_10\jre\lib\security with the files which I am using on Windows XP.
I restarted the computer after updating the files, but on Windows Server 2003, 256-bit key encryption is not working.
Giving following exception
java.security.InvalidKeyException: Illegal key size or default parameters
javax.crypto.Cipher.a(DashoA13*..)
javax.crypto.Cipher.a(DashoA13*..)
javax.crypto.Cipher.a(DashoA13*..)
javax.crypto.Cipher.init(DashoA13*..)
javax.crypto.Cipher.init(DashoA13*..)
Please suggest me how to run encryption on windows server 2003..
Thanks
Anuanu1106 wrote:
I replaced all files under folder Java\jdk1.6.0_10\jre\lib\security with files which i am using on windows XP.
Why? Why not just install the unlimited strength files in the normal way according to the installation instructions given in the distribution file? -
I have applied an IPsec policy on the local machine (IP address: 10.82.138.76) with Windows Server 2008 Enterprise R2 installed, which only permits the local machine to communicate with itself, one other server (IP address: 10.82.138.77) and the gateway device (IP address: 10.82.138.1). After
I assigned this policy, I can ping the gateway (IP address: 10.82.138.1) and the other server (IP address: 10.82.138.77), but I can't ping the local machine itself (IP address: 10.82.138.76). Could anybody tell me why and how to solve this problem? When I applied the same
policy to Windows Server 2003 Enterprise, I can ping the local machine IP address.
Hi,
Thanks for your post.
First, try to ping the loopback address 127.0.0.1. If the loopback test succeeds but you cannot ping the local IP address, please post the unedited
ipconfig /all and route print of the problematic computer.
For test purpose, you may refer to the following lab step by step guide to deployment Tunnel Mode IPsec. Hope it helps.
Windows Firewall and IPsec Policy Deployment Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc732400(v=ws.10)
Connection Security and IPsec
http://technet.microsoft.com/en-us/library/cc771593(v=ws.10).aspx
Connection Security Rule Wizard: Tunnel Endpoints Page - Client-to-Gateway
http://technet.microsoft.com/en-us/library/dd759083
Best Regards,
Aiden
Aiden Cao
TechNet Community Support -
Windows 8 and IE10 and 11 not accepting Proxy Settings via Group Policy from windows server 2003
Hi
We are still running Windows Server 2003 with a Win7 and Win8 desktop environment. I can control Win7 IE9 settings,
But Win8 systems are running IE10. We have an internal proxy server.
Is there any way to force the proxy settings to the Win8/IE10 or 11 systems .
I have tried the IE 10 .adm template and applied the GPO, but it does not have any proxy settings for IE10 and no changes were applied.
Please can anyone help me regarding this?
I want to apply the GPO from Windows Server 2003 to Windows 8 IE10/11.
Thanks
KNC
Hi,
I agree with Zanderol24, we can install RSAT on a windows8 client, and then we can use Group Policy Management to manage group policy from the client.
For more information about RSAT, we can refer to the following link:
Remote Server Administration Tools (RSAT) for Windows Client and Windows Server (dsforum2wiki)
http://social.technet.microsoft.com/wiki/contents/articles/2202.remote-server-administration-tools-rsat-for-windows-client-and-windows-server-dsforum2wiki.aspx
For more detailed information about how to use GPP to configure the proxy setting for ie10 and ie11, we can refer to the following link:
How to configure Group Policy Preference settings for Internet Explorer 11 in Windows 8.1 or Windows Server 2012 R2
http://support.microsoft.com/kb/2898604
When we use GPPs you need to be aware of the F5-F8 keys:
Red / Green: GP Preferences doesn’t work even though the policy applied and after gpupdate \force
http://blogs.technet.com/b/grouppolicy/archive/2008/10/13/red-green-gp-preferences-doesn-t-work-even-though-the-policy-applied-and-after-gpupdate-force.aspx
Besides, aside from using group policy to manage IE, IEAK can also be used to do this.
For IEAK, the following article can be referred to for more information.
Internet Explorer Administration Kit (IEAK) Information and Downloads
http://technet.microsoft.com/en-in/ie/bb219517.aspx
Best Regards,
Erin -
Hello,
I have a Windows Server 2012 R2.
I have configured the Group Policy on it to block the usage of USB - Storage Devices @ user level on the client machines. It works properly for my Windows 7 client machines but it's not working on one of the machine having Windows Server 2008 R2 installed
on it (this machine is also a domain client in the same domain).
I will really be thankful if anyone can suggest some solution to this issue.
Please feel free to write back in-case I have missed anything obvious to be shared.
Thanks!
-Vinay Pugalia
If a post answers your question, please click "Mark As Answer" on that post or
"Vote as Helpful".
Web : Inkey Solutions
Blog : My Blog
Email : Vinay Pugalia
Hi,
Any update?
Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.
Best Regards,
Andy Qi
TechNet
Subscriber Support
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Andy Qi
TechNet Community Support -
Windows Server 2008 - Group policy for domain client to start/stop services installed on it
Hello Experts
I am a newbie to Windows server administration; though I did a Google search, I ended up with these questions about my requirements.
I have created a new domain and added 2 clients/computers (A & B namely) to the domain. Now A & B have a Tomcat server running on ports 8080 and 9090, which I have installed with the
domain ADMIN account.
Now I want to start/stop/restart the services, enabled for domain users. How do I achieve this?
Basic question: how can I access the A & B Tomcat services on the DOMAIN CONTROLLER server to create a GPO for the services that are on A & B?
What is the easiest way to achieve the same (if not using a GPO)?
Similarly I am looking for many features where I want to control the permissions of users on A & B, for example: if the Tomcat binaries are available on a machine, say A, whether the user can install them (now
it asks for ADMIN credentials).
Thanks
Mike~Ed
Controlling services with Group Policy is done under Computer Configuration\Policies\Windows Settings\Security Settings\System Services.
The limitation is that System Services can only see the services on the computer running the Group Policy management console. To access other services, you will either need to create the services on your computer (install the software that adds the service)
or install the remote server administration toolkit (RSAT) on the computer with the service already on it.
If my answer helped you, check out my blog:
Deploy Happiness -
Group Policy Administrative Templates not applying on Windows XP SP3 - Windows Server 2008 R2
I have a Windows 2008 R2 domain with windows 7, and Windows XP SP3 client workstations.
I have a group policy to deny all access to removable storage in policies/administrative templates/system in user configuration (actually its in the computer configuration as well)
The problem is the policy is having no effect on the Windows XP machines. It works perfectly on Windows 7 machines.
Group policy in general is working on the Windows XP machines, as I can successfully map drives, push out scheduled tasks, and push out printers. (All preferences I know and I have GP Preferences client side extensions installed).
Its almost like the windows XP machines can't "understand" the admin templates from Windows Server 2008 R2.
Do I need to install something on the windows XP machines? What could be the problem?
> Its almost like the windows XP machines can't "understand" the admin
> templates from Windows Server 2008 R2.
Simply read the "supported on" of these settings... Vista and above
required.
Martin
How about reading a GOOD book about GPOs for a change?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :)) -
Dear ALL,
I want to Pin Programs on the Windows 7 Taskbar & Start Menu with Group Policy (Windows Server 2008 R2) as per below description. Can someone please help me how to proceed and achieve this.
Pin the following applications to the Taskbar:
Outlook
Pin the following applications to the Start Menu:
Outlook
Excel
Word
Internet Explorer
Software Center
Regards,
Amit Kumar Rao
https://www.google.de/search?q=windows+7+pin+to+taskbar+vbs
Martin
How about reading a GOOD book about GPOs for a change?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :)) -
How to join to window server with NIP policy
how to join to window server with NIP policy?
Since you refer to MySQL as the default database, I presume that you're talking about using PHP.
Yes, you can link to MS SQL Server - as long as you're willing to code everything by hand. If you're looking for automated code generation, though, the answer is no.
Even the default PHP/MySQL server behaviors are not really worth considering for professional web development. They're fine for quick prototyping, but they use deprecated functions that are not suitable for a production environment. -
Reg retention policy in Windows server Backup
Please let me know how long time the backups will be maintained in Windows server Backup.
Is there any place where I can go and modify the retention policy?
The statements
"If the backup storage location is full, Windows Server Backup automatically deletes the oldest backup"
and
"If you do not delete the corresponding shadow copy, the backup sets will be always reserved."
are contradictory. As explained in the "Overview" section of the source you linked, the first statement is correct. It is not necessary that the server admin take any action to delete shadow copies in order to implement a retention
policy. When the backup destination drive gets full, WSB "automatically deletes the oldest backup version" (http://blogs.technet.com/b/filecab/archive/2009/06/22/backup-version-and-space-management-in-windows-server-backup.aspx)
This all said, this behavior and the source cited are for Windows Server 2008.
The automatic disk space management behavior seems to have changed in Server 2012 (for example see this link: http://technet.microsoft.com/en-us/library/jj614621.aspx). Unfortunately I've not been able to determine
specifically how it is different. -
Unable to login Windows Server 2012 after making local policy changes
Experts, we have modified the local policy setting on the Windows Server 2012 and unfortunately it was a domain controller; now none of the users are able to log in to the server. After entering the user name and password it will launch till the welcome screen, then it errors
out saying user name or password incorrect. Below are the steps which we followed
1. Policy setting is located in Computer Configuration\Security Settings\Local Policies\Security Options \Network security: Configure encryption types allowed for Kerberos values change from Not Configured to DES_CBC_MD5
2. Changed the user attribute msDS-SupportedEncryptionTypes to 2; this is the account we were using for Kerberos authentication.
3. Logged off from the server and then server doesn't allow any user to login.
regards,
Jakk
Have you tried connecting to the server from a 2nd DC? Have you tried installing the RSAT tools on a domain member server and modifying the offending policy?
last choice would be restart the DC into safe mode.
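The lockout above follows from restricting an account to DES only (msDS-SupportedEncryptionTypes = 2) on a domain where DES is disabled by default (Windows 7 / Windows Server 2008 R2 and later). The thread does not give the final resolution; as an added defender-side check, not code from the thread, the Python below decodes that attribute's documented bit flags and flags accounts whose value leaves no non-DES etype, which is the setting that stops ticket issuance. The export it reads is a constructed sample and the account names are made up.

```python
"""Decode msDS-SupportedEncryptionTypes and flag DES-only accounts.

Added defender-side check, not code from the thread above. The bit values
are the documented Active Directory flags for the attribute; the sample
export below is constructed.
"""

# Documented bit flags of msDS-SupportedEncryptionTypes
ENC_FLAGS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}
DES_MASK = 0x01 | 0x02
NON_DES_MASK = 0x04 | 0x08 | 0x10


def decode_etypes(value):
    """Names of the etypes enabled in the bitmask (empty when unset or 0)."""
    if not value:
        return []
    return [name for bit, name in ENC_FLAGS.items() if value & bit]


def assess(value):
    """Classify one account's setting.

    'default'     - attribute unset or 0: the DC applies its default etypes
    'des-only'    - only DES bits set: no ticket can be issued where DES is disabled
    'des-enabled' - DES allowed alongside RC4/AES (weak, but still works)
    'ok'          - RC4/AES only
    """
    if not value:
        return "default"
    if value & DES_MASK and not value & NON_DES_MASK:
        return "des-only"
    if value & DES_MASK:
        return "des-enabled"
    return "ok"


# Constructed sample export: (sAMAccountName, msDS-SupportedEncryptionTypes)
SAMPLE_EXPORT = [
    ("svc-kerb", 2),       # the value set in step 2 of the thread (DES_CBC_MD5 only)
    ("jdoe", None),        # attribute never set
    ("svc-legacy", 7),     # DES + RC4
    ("svc-sql", 24),       # AES128 + AES256
]


def audit(rows):
    """Map each account to (classification, enabled etype names)."""
    return {name: (assess(value), decode_etypes(value)) for name, value in rows}


def des_only_accounts(rows):
    """Accounts that cannot authenticate once DES is disallowed."""
    return [name for name, value in rows if assess(value) == "des-only"]


if __name__ == "__main__":
    for name, (verdict, etypes) in audit(SAMPLE_EXPORT).items():
        print(f"{name:12} {verdict:12} {', '.join(etypes) or '(default)'}")
```

Run against a real export (for example the attribute values pulled with an LDAP query) the same functions tell you, before touching the policy, which accounts would be cut off by disallowing DES and which already allow only RC4/AES.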