Recommendation hosts in a single subnet for agents in IPCC

Similar Messages

• Large Subnet for single SSID

  I am looking for a design guide to help me split up a large subnet for a Cisco Wireless network.  We have a Campus with a centralised Wsim and a single SSID.  We are hoping to be able to keep the single SSID but split the subnet as it is now quite large and we would like to reduce the broadcast domain to a manageable size.  I have found a number which have different SSID but we would like to keep only 1 as it simplifies the user experience. 

  Adding to Scotts post.  If you are doing 802.1x you can use dynamic VLAN assignment to achieve the results as well.
  AAA returns attributes 64/65/81 to the WLC, to change the VLAN the user gets put into.  You do still need to create the dynamic interfaces on the WLC.
  HTH,
  Steve
  Please remember to rate useful posts, and mark questions as answered

• Multiple RAC databases on same GI using different subnets for Public i/face

  Hello. We are configuring a 2 node cluster. That cluster will host several RAC databases. For security reasons our networking team want to create separate subnets for the application traffic to each specific RAC database on the cluster.
  E.g. application 1 has 2 application servers that will connect to RAC database PROD1 via one subnet, application 2 has 3 application servers that will connect to RAC database PROD2 via a different subnet, etc.
  In addition the networking team want to configure a separate management subnet that DBAs etc. will use to administer all RAC databases and infrastructure in the cluster.
  Grid Infrastructure version 11.2.0.2. Database versions will vary from 10.2.0.x to 11.2.0.2. All databases will utilise RAC.
  We want to take advantage of SCAN listener functionality to support connectivity to all databases on the cluster. Forum thread 2199620 [https://cn.forums.oracle.com/forums/thread.jspa?threadID=2199620] suggests that 11gR2 supports multiple subnets, which looks to be exactly the feature we need. Please can you confirm how this works and point us to any documentation (standard docs, white papers, MOS, etc.) that might help us configure this.
  Document referenced in thread 2199620 was not exactly what we were looking for, and didn't translate too well in Google Translate.
  Any guidance much appreciated. Thanks, Rich.
  Similar threads:
  https://cn.forums.oracle.com/forums/thread.jspa?messageID=9846298? (Dual SCAN on multi homed cluster)
  https://cn.forums.oracle.com/forums/thread.jspa?threadID=2199620 (scan listener in OAM VLAN)
  Edited by: 887449 on 26-Sep-2011 01:41

  Thanks Levi. Your advice is very much appreciated.
  Your statement that we can only have one SCAN listener listening on one public network is actually the clarification I was looking for.
  For anyone else reading this thread I believe this gives us 3 options:
  1) Configure a SCAN listener and have all applications, and all management/administration, connecting to the corresponding database on the same cluster via that SCAN listener, all on the same subnet.
  2) Configure a SCAN listener for use by all applications connecting to the corresponding database on the same cluster, and use TNSNAMES/VIP for management/administration traffic, both on separate subnets (by configuring the LISTENER_NETWORKS parameter)
  3) Configure a SCAN listener for use by applications connecting to one of the databases on the cluster via one subnet, use TNSNAMES/VIP for all other applications connecting to other databases, each using their own subnet. Plus, the management/administration could be via another subnet utilising TNSNAMES/VIP.
  From our perspective we will work out the best one for us and implement accordingly.
  Thanks again for your timely and comprehensive response.

• Single-signon for multiple sites or sub sites

  Does anyone know of some good articles/publications or suggestions for
  implementing a single signon for multiple very secure internet sites in
  weblogic type environments.
  For example, bank1 has a internet site and bank 2 has an internet site.
  Bank 2 has some cool features they want to offer bank1's customers. They
  agree but, bank1 wants to present bank2 as a tab or part of bank1 site.
  IN order to do this there are lots of fun things, but the things Im
  interested in are how to authenticate between them and handle timeouts.
  timeouts seem particularly tricky in that if I dont hit a page on bank2
  for a while, it could time out its session for the guy on bank1. Also if
  im in the bank2 section of the site, then bank1 could time me out as
  well.
  any ideas let me know.
  thanks
  Joel

  I've been informed ;-) that a pure Java solution is also available from
  Entegrity. So here are a couple of URLs for you to research
  anagrammatically:
  http://www.netegrity.com
  http://www.entegrity.com
  Cameron Purdy
  Tangosol, Inc.
  http://www.tangosol.com
  Tangosol: How Weblogic applications are customized
  "Cameron Purdy" <[email protected]> wrote in message
  news:[email protected]...
  Netegrity?
  Cameron Purdy
  Tangosol, Inc.
  http://www.tangosol.com
  Tangosol: How Weblogic applications are customized
  "Tim Funk" <[email protected]> wrote in message
  news:[email protected]...
  This is long winded and I tried to have this make sense, if it doesn't
  just mark this as read ...
  I am running into the same issue. Out of need, different applications
  need to be hosted on different boxes/JVM's/web applications. I am
  experimenting with a customer single sign on process which is
  independent of Java but lends itself nicely to it. Here is my thoughts:
  1) All applications need to run under the same domain. For example:
  foo.redrose.net, www.redrose.net, bar.redrose.net, app1.redrose.net
  all reside under redose.net.
  2) You have a database table (secure) that contains the following:
  user id, password, session id, last access time.
  3) This database table contains all of the valid sessions across the
  domain (in this exmaple .redrose.net)
  4) There is a daemon running which runs every ?? seconds that deletes
  any records older than ?? seconds/(or minutes/hours) in the
  database.
  5) There exist a cookie which is set to the domain level that contains
  the session id.
  6) The session id provides a way to obtain the id and password for the
  user to authenticate to the container. For example in WL5.1SP8 there
  exists: weblogic.servlet.security.ServletAuthentication.weak(...) to
  authenticate to your container. By using this you will get the
  capability of setting up your roles and ACLS etc in you web.xml and
  weblogic.xml to handle authorization.
  7) All requests to any applications participating in this philosophy
  must do the following for EVERY request (or appropriate):
  Even if you are logged authenticated to the container and authorized,
  you may have timed out or logged out of another application. So the
  database table must be checked to see if the session id exists. At the
  same time, you must also update the last access time to prevent timeout.
  8) If the user tries to access a different application which he has not
  authenticated to yet - the user will be forwarded to a servlet whichwill:
  a) Look for the cookie at the domain level
  b) If the cookie is found - get the UID and PWD from database
  b2) Present login form if cookie is invalid/not exists
  c) Authenticate to container
  d) Forward back to original page and let the container handle
  authorization since you have already authenticated.
  I use have encapsulated the database activity into 3 stored functions:
  1) isValidSession(session_id) - Returns null or the user id and pwd
  concatentated which will need split apart if needed
  2) makeSession(user_id, password) - Returns a new unique session id and
  creates the appropriate record
  3) cleanUpSessions() - Arguements not yet determined. This will delete
  any records older than a certain time. I would like to have the proc
  know what to delete without being given a parameter but time to the
  second level can be tricky for some DBMS's.
  There is a concern of storing the user id and password in the database
  but this can be eliminated with a good design to restrict access to the
  database table and using encrypted connections.
  Hope this helps. Hopefully - a similar philosphy will be adopted by an
  application container so I may not have to worry about this and I can go
  back programming business functionality.
  -Tim
  Joel Nylund wrote:
  Does anyone know of some good articles/publications or suggestions for
  implementing a single signon for multiple very secure internet sites
  in
  weblogic type environments.
  For example, bank1 has a internet site and bank 2 has an internetsite.
  Bank 2 has some cool features they want to offer bank1's customers.They
  agree but, bank1 wants to present bank2 as a tab or part of bank1site.
  IN order to do this there are lots of fun things, but the things Im
  interested in are how to authenticate between them and handletimeouts.
  >>>
  timeouts seem particularly tricky in that if I dont hit a page onbank2
  for a while, it could time out its session for the guy on bank1. Alsoif
  im in the bank2 section of the site, then bank1 could time me out as
  well.
  any ideas let me know.
  thanks
  Joel

• No ping between host in the same subnet

  Hello,
  I have a question about the ASA and the ARP traffic in IOS 9.1.2 for ASA 5585-X and multicontext. I have discovered a curious behaviour about the traffic ARP in the my CLUSTER of ASA's. When I try to send a ping between host in the  same subnet and these host have as Gateway the interface of the ASA (ASA is his router) don't works, if I mark the check to enable the comunications between host connected to the same interface this cotinues without work. The only way to get my aim (ping between host), I need to implement and Access Rule allowing the traffic IP between my origin network and destination the same network.
  I think that this is some feature of ASA that filter the ARP Request but I don't understand!!! Can I help me, please?
  Thanks.

  Hi,
  Your firewall should not see any traffic between the hosts on the same subnet.
  If it is seeing traffic between the hosts then its likely that Proxy ARP on the ASA is the problem. Proxy ARP is enabled on the ASA by default on all interfaces. This essentially means that when the host connecting to the other host on the same subnet sends an ARP request the ASA might reply to that ARP request instead of the actual destination host. This is why traffic might get forwarded to the ASA instead of the actual host.
  If you want to disable the Proxy ARP on some ASA interface then you can use
  sysopt norpoxyarp
  Where you replace the with the actual name you have given to the interface on the ASA. This disables the Proxy ARP
  - Jouni

• Can anyone recommend a duplicate file finder application for OS10.6 systems?  All the apps I find on the App Store are only for 10.7 and later.  I don't know how to filter a search by operating system (if this is even possible).

  Can anyone recommend a duplicate file finder application for OS10.6 systems?  All the apps I find on the App Store are only for 10.7 and later.  I don't know how to filter a search on the App Store by operating system (if this is even possible).  I currently have a MacBook running OS10.6.8.   If you can recommend an app,  please post the URL.     Would appreciate any helpful suggestions....  
  <Email Edited By Host>

  Launch the Console application in any of the following ways:
  ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
  ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
  ☞ Open LaunchPad. Click Utilities, then Console in the icon grid.
  Make sure the title of the Console window is All Messages. If it isn't, select All Messages from the SYSTEM LOG QUERIES menu on the left. If you don't see that menu, select
  View ▹ Show Log List
  from the menu bar.
  Click the Clear Display icon in the toolbar. Then try the action that you're having trouble with again. Select any messages that appear in the Console window. Copy them to the Clipboard by pressing the key combination command-C. Paste into a reply to this message by pressing command-V.
  When posting a log extract, be selective. In most cases, a few dozen lines are more than enough.
  Please do not indiscriminately dump thousands of lines from the log into this discussion.
  Important: Some private information, such as your name, may appear in the log. Anonymize before posting.

• Install agent fail (Agent host must be registered before an agent can be installed or upgraded.)

  I got the following error with trying to install agent
  # java -jar agent.jar -d /u01/avagent/
  Agent host is not registered.
  Agent host must be registered before an agent can be installed or upgraded. Agent deployment failed.
  database firewall ip address is 10.0.0.10 (for management) and 192.168.0.10 (for traffic source)
  auditvault server ip address is 10.0.0.11 (for management) 
  I have 2 IP address on my DB 10.0.0.9 and 192.168.0.9
  when i register host with ip 192.168.0.9 i will get the error
  but if i register host with ip 10.0.0.9 installation is fine with no error
  i want to monitor audit traffic on 192.168.0.9 interface which is for client to access so i need to register host with ip 192.168.0.9

  hi Stefan,
  this is expected behaviour, or at least it's better to say : in a multi homed system the choice of the network path that is used is determined by the underlying tcp network,
  it doesn matter which path the sqlnet connection from agent to AV server takes as long as it is able to connect. Your statement about 'monitor audit traffic on 192.168.0.9'
  does not make sense, the agent / collection framework is the part that fetches audit records from secured targets and has nothing to do with monitoring network traffic since
  that part of the functionality is done by the firewall component. Anyway if you want to change the nework path you need to use 'route' and force it,
  greetings,
  Harm ten Napel

• Existance of two different domain in a single subnet

  Hi..i have a query...Is it possible to create two domains say A.com and B.com in a single subnet(in the same network)?sujit mohanty

  Yes, there is no problem to perform that.
  You have to give more details about what you want to accomplish exactly so that we can help you more.
  Note that it is recommended to have at least two DC/DNS/GC servers per domain.
  This
  posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
  Microsoft
  Student Partner 2010 / 2011
  Microsoft Certified
  Professional
  Microsoft Certified
  Systems Administrator: Security
  Microsoft Certified
  Systems Engineer: Security
  Microsoft Certified
  Technology Specialist: Windows Server 2008 Active Directory, Configuration
  Microsoft Certified
  Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
  Microsoft Certified
  Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
  Microsoft Certified
  Technology Specialist: Windows 7, Configuring
  Microsoft Certified
  IT Professional: Enterprise Administrator

• Please recommend a 2TB USB external HD for my MacBook Air.

  Please recommend a 2TB USB external HD for my MacBook Air.

  Probably better to put this in the MacBook Air Forums.    Hope you don't mind. but I have asked the hosts to consider doing this.

• Please recommend best quad i7 & intel mb for PP cs5.5

  Please recommend best quad i7 & intel mb for PP cs5.5
  Looking for best bang for the buck. 6 sata drive connectors, usb3 also.
  doing mostly avchd. Utilizing software 2 drive raid0. Win 7 64bit. I usually convert my avchd footage to more editable formats before i edit them.

  Steve,
  I assume that you already have a single non-RAID OS disk in addition to the 2-disk aid0. If that's the case, I'd strongly recommend two additional disks and create a second aid0 array.
  If on the other hand the 2-disk aid0 are the only disks that you have (and used for absolutely everything including the OS and programs), then get at least three more disks: One single non-RAID disk for the OS and programs plus two identical disks and create a second aid0 array with that pair.
  With either of those configurations, if you are going to transcode AVCHD to a format with an intermediate codec, then you can get away with the "Budget" quad-core i5 system (however, I would change the 192-core GTX 550 Ti to a 336-core non-Ti GTX 560 since the prices for those two right now are closer together than the differences in performance between them). But if you're going to edit AVCHD directly in Premiere Pro CS5.5, you will need at least the "Economical" (i7-2600(K)) system in order to edit smoothly.
  Oh, I see that you are actually looking for an i7. In this case, then, unless you are willing to spend at least $1,000 just for the CPU and mobo, the only current choices would be in LGA 1155: the i7-2600, 2600K and 2700K. The non-K CPU is limited-overclockable (meaning that you'll get only 3.9GHz out of that CPU maximum) while the other two can be overclocked further (to 4.4GHz and up with most chips). The i7-3820 isn't on reseller shelves yet, but from what I read it should perform on a par with a slightly overclocked i7-2600K.
  For the motherboard, I'd recommend a Z68 board from Asus, MSI or Gigabyte. (Or, if you choose the i7-3820 when it begins shipping to resellers, your only feasible choices would be an X79 / LGA 2011 mobo from Asus or Intel since the X79 boards from Gigabyte suffer from quality issues with the VRMs used on those boards.) Keep in mind, however, that the lower-priced Z68 boards from the three brands are more difficult than pricier Z68 mobos to achieve a high stable overclock because the budget boards often lack manual CPU core voltage adjustments per se (they have only voltage offsets instead). Pricier Z68 mobos have fixed manual CPU voltage settings in addition to offsets.

• Single URL for internal and external CRM access when using IFD

  Hello,
  At one of our client site I have setup IFD on CRM 2011. This IFD is behind TMG. My client is a big corporation therefore all CRM components including CRM, ADFS and SQL are on separate servers.
  I have configured IFD using single url https://orgname.contoso.com Their IT staff wants to know why can't they use single URL for internal and external access where internal users are nto prompted for authentication
  when logging on to the CRM server. I know you can do URL re-write in ADFS but they want to know the reason "why internal users can't use the same IFD URL and don't get prompted for their credentials". Text below is from their IT staff.

  There are several approaches to your question.  You need to set up both an internal and an external relying party trust. If you use the external URL, it will always direct you to the signin page, if you use the internal URL, it will resolve you single
  sign on.
  I've configured IFD for CRM multiple times, and this is how it works. CRM looks at the URL. If you use the external URL (org.domain.com), it will prompt for credentials. So what you are asking for, a single URL that works single sign on internally and prompts
  externally really isn't possible.
  What I recommend is:
  1. make the external URL available internally
  2. Configure all outlook clients against the external URL, that way you won't have to reconfigure when someone goes internal to external
  3. Have users who are primarily internal use the internal URL for the web client, which will resolve single sign on
  4. Have users who are primarily external use the external URL for the web client
  For #1, since you only need to enter the credentials when you first configure CRM, it is in all effects single sign on.
  One thing I haven't tried that may work is using IIS redirect internally to redirect the external URL to the internal URL. There is also a powershell script in the IFD guide that you can use to make the outlook client switch between the internal and external
  URL's, but nothing that will give you a single URL that works as the internal relying party trust when internal and the external relying party trust when you are external.

• Installing Valid SSL Certificate for Agent Reskilling Tool

  Has anyone done this?  I'm looking for documentation and can't find anything.  There's documentation for UCM/CUIC, but nothing for agent reskilling.  The Cisco Security Best Practices seems to just gloss over this subject and not really provide any good data.
  david

  Hi David, I recently tried to do this and I think I figured out a solution. This is on ICM 8.5(4). Let me know if this works for you.
  Open SSL Encryption Utility. Select All Instances. Click Certificate Administration tab. Click Uninstall. Close SSL Encryption Utility.
  Create Certificate request in IIS Manager.
  Complete Certificate request in IIS Manager.
  Export Certificate in IIS to c:\icm\ssl\[yourfile.pfx]. Remember password you use.
  Open command prompt
  Cd c:\icm\ssl\bin
  Openssl.exe
  pkcs12 -in c:\icm\ssl\[yourfile.pfx] -nocerts -out keyfile-encrypted.key
  pkcs12 -in c:\icm\ssl\[yourfile.pfx] -clcerts -nokeys -out [host.crt]
  Exit
  Copy c:\icm\ssl\bin\host.crt   to   c:\icm\ssl (overwrite if necessary)
  Copy c:\icm\ssl\bin\keyfile-encrypted.key   to   c:\icm\ssl (overwrite if necessary)
  Open SSL Encryption Utility. Select All Instances. Click Certificate Administration tab. Click Install. Click no when it asks to create a new certificate. Close SSL Encryption Utility. I got one error but certificate imported successfully.
  Verify by going to https:///reskill
  Openssl commands taken from http://www.markbrilman.nl/2011/08/howto-convert-a-pfx-to-a-seperate-key-crt-file/

• Single inovice for TAN and TAS ITEMS ?

  HOW TO SETUP SINGLE INVOICE FOR THE SALES ORDER WITH LINE ITEMS TAN AND TAS.? PLZ HELP WITH SEETINGS AND PROCEDURE.
  REGARDS,

  Hi
  Copy Item Category TAS to ZTAS and for ZTAS Item Category,do the following changes delivery relevant billing,Also maintain
  Copy controls.
  Also make sure that in the sales order split invoice should not take place because of the billing split parameters.It is recommended not  to go with the same sales order as it is related to third party sales process
  Regards
  Srinath

• Coldfusion 9 Recommended Hosting Providers

  i am with flinthosts.co.uk and the service is really bad, its been over 2 days and they cant seem to sort out the issue with the server and below is the answer they gave for the issue they have with the server
  "It's not a simple problem - u seem to think that every issue is straight foward and solvable with the flick of a switch. Some things are rarely like that.
  We are investiating and trying to find the cause of the issue and will update you at a later stage"
  so till they can figure it out, the site is having errors and i am stuck in limbo and thats not an answer i can give the client.
  would anyone know alternative coldfusion 9 recommended hosting providers.

  We're running ColdFusion 9 Enterprise on our newest servers, one physical host running five different ColdFusion virtual machines for optimum usage of the Java heap.
  As for a guarantee if your application will not work on our platform due to a technical limitation our end then yes, we'll give you your money back no problem. However you can't just change your mind and get a refund, no.
  In saying that, I think we've had maybe five people in the five years need a refund, and that includes ASP, PHP, and other platforms as well
  If there's anything you need that's out of the ordinary that you think specifically might not work let me know and I'll take a look.

• Create a single delivery for different schedule lines in the scheduling agr

  Hi
  I want to create a single delivery for different line items with different delivery dates in the scheduling agreement,  as Iam aware it is possible to combine different line items into one delivery through sales order.
  Need your inputs
  Aravind

  Hi,
  Try with below solution and see I am not confirm about this
  VL01N >>> Menu outbound delivery >>> Deliver sales order
  Here you put order number and selected date as your ANOTHER SCHEDULE LINE
  Kapil