RemoteApp in DMZ

Scenario is TS Gateway in a dmz.com domain and RemoteApp server in internal.com, both servers joined to their respective domains. TS Gateway is exposed to the internet. How do I configure this scenario so I can get to the RemoteApps internally? There is a one-way domain trust from external to internal, so the external domain trusts the internal domain. However, I cannot get the RemoteApp internal as a source. Setup followed section 3.2 of http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx
See below. Any help would be greatly appreciated. 
3.2. RD Gateway with forest trust model deployment:
In this deployment, there is AD DS in the perimeter network which trusts the internal network forest to authenticate the internal network forest users in the perimeter forest domain. RD Gateway is joined to the perimeter network domain. The trust between the perimeter network forest and the internal network forest is one-way, so configuring RD Gateway to use a central NPS server which is in the internal network is required in this deployment.
The following diagram shows the traffic flow from the Internet to the perimeter network and from the perimeter network to the internal network in this deployment.

Hi,
Thank you for posting in Windows Server Forum.
“We set up the RD Gateway inside the network and protected by the firewall, because RD Gateway contains some credential information and policy settings (RAP and CAP), exposing the server in DMZ environment could cause security risks. Instead, if you use RD Web Access to publish the RemoteApp programs, the Web server can be located in the DMZ because no critical information is stored.” (Quoted from this thread.)
In addition, please check the articles below for more information.
Checklist: Make RemoteApp Programs Available from the Internet
http://technet.microsoft.com/en-us/library/cc772415.aspx
Accessing to RemoteApp Externally via RDWeb
http://social.technet.microsoft.com/Forums/windowsserver/en-US/b2083438-b9e3-4eb5-a3f6-0ae9b555d3f0/accessing-to-remoteapp-externally-via-rdweb?forum=winserverTS
Hope it helps!
Thanks,
Dharmesh

Similar Messages

  • RD Web showing all RemoteApps when logging in with an account of a trusted domain

    We have a DMZ with a separate domain. There is a one-way trust to our local domain.
    In the DMZ domain there is an RD Web and RD Gateway. When logging in to the RD Web with an account from the DMZ domain it's all fine, but when logging in with an account from the trusted domain all RemoteApps are shown.
    All servers are 2012 R2.

    Hi sir,
    Please make sure your account has already been added to your Pay-As-You-Go subscription in the co-administrator role. If the account is not in your subscription, please add it and try to log in from your VS again.
    If this issue still occurs, you can try to download the publish file and import it into your VS; please follow these steps:
    http://azure.microsoft.com/en-us/documentation/articles/mobile-services-windows-how-to-import-publishsettings/
    Regards,
    Will 

  • RemoteApp to Windows 2012 RDGateway to Windows 2008 RD Web

    I am trying to add in windows 7 a connection to the RD web server and am receiving "An error occurred" when pointing to the RD gateway. If I point to the RD Web server it works.
    The setup is a 2012 RD Gateway server in the DMZ that is accessible from the internet and a 2008 RD Web server internally. If I log in via the web to the 2012 gateway server I am able to see the list of published apps. If I point a Windows 7 workstation to the gateway to pull the published apps it fails. If I point the client to the internal server it works.

    Hi,
    Please check if you have installed the latest RDP updates on the Windows 7 clients.
    Description of the Remote Desktop Protocol 8.0 update for Windows 7 SP1 and Windows Server 2008 R2 SP1
    http://support.microsoft.com/kb/2592687
    Update for RemoteApp and Desktop Connections feature is available for Windows
    http://support.microsoft.com/KB/2830477
    Hope this helps.
    Jeremy Wu
    TechNet Community Support

  • RemoteApps not running when accessed from the internet

    Hi TP,
    Hopefully someone can help me here.
    I've installed RDWeb on the RDG server which lives in our DMZ - I can access and log on to RDS from the internet with the RDG FQDN remote.external.com, but I can't launch any RemoteApps. Basically there's no RemoteApp pop-up warning with all the connection information (Publisher, Type, Path, Name, Remote computer, Gateway server), just the RemoteApp connecting window with no info. Seems like it can't grab this information.
    Users can log in to RDS internally with the RDG FQDN remote.external.com and run RemoteApps with no problems.
    Thanks for your help in advance!

    Hi,
    1. On the client PC, remove the thumbprint value entry for this server under the PublisherBypassList key.  This is located under the following path:
    HKCU\Software\Microsoft\Terminal Server Client\PublisherBypassList
    <SHA thumbprint>     REG_DWORD     0x00000xxx
    Additionally, remove the key for the server under the Servers key:
    HKCU\Software\Microsoft\Terminal Server Client\Servers\<FQDN of server>
    2. What is the precise error message you receive when you attempt to launch a RemoteApp from external?
    3. If you manually configure the Remote Desktop Client with the RD Gateway FQDN via Advanced tab--Connect from anywhere, are you able to connect from the Internet? 
    -TP

  • RemoteApp 2012 - Optimize connectivity

    Dear gents,
    Here is the setup:
    Session-based deployment
    RDCB01.domain.local - Connection Broker
    RDGW01.domain.local - RDWEB + RDGW roles located in DMZ.
    DC01.domain.local - TS License server
    FILE01.domain.local - central HOME drive and PROFILE (folder redirection) store.
    Two RemoteApp Collections:
    RDSH01-04.domain.local (RD_FARM_01.domain.local)
    RDSH10-16.domain.local (RD_FARM_02.domain.local)
    I'm using a TLS certificate remote.domain.com from a public PKI for:
    RDCB - Publishing
    RDWEB
    RDGW
    And a self-signed TLS certificate *.domain.local (customer has no internal PKI) for:
    RDCB - SSO
    RDSH - Remote Desktop Connections
    There are client-side GPOs in place, as per the documentation, to allow the credential delegation to the RDCB and RDGW servers and the self-signed certificate enrollment.
    On RDGW I'm allowing only HTTP on the default port, to limit the network firewall requirements.
    Full folder redirection is in place to a network storage on FILE01.domain.local
    Questions:
    #1 An active RemoteApp intermittently disconnects and immediately reconnects (after x minutes of inactivity), causing some discomfort for the users. There are no active session timeouts and I have the GPO setting for Keep-Alive set to 10 minutes.
    #2 The thing that puzzles me is the long (~15 seconds) wait until I can see that the RDSH server initiates the user logon process. I can't find errors in either the RDCB or RDGW event log indicating that something is wrong. All I can see is successful handshakes. The reason I am wondering if this is *ok* is 'cause my colleague has built an analogous setup and it takes around 5 seconds to start loading. In both cases we are talking about decent infrastructure, good connectivity on a national scale, and access via the web interface.
    #3 What do I need in order to allow the UDP support on RDGW network-wise?
    UDP_3391 FROM:INTERNET_ANY TO: remote.domain.com
    UDP_3391 FROM:remote.domain.com TO: RDGW01.domain.local
    UDP_3391 FROM: RDGW01.domain.local TO: ???

    UDP info:
    http://blogs.msdn.com/b/rds/archive/2013/04/09/get-the-best-rdp-8-0-experience-when-connecting-to-windows-7-what-you-need-to-know.aspx
    You need to ensure you set up the GPOs properly to use the added UDP enhancements after you configure your firewalls.
    Also ensure users are using the latest RDP client on their workstations to get the best functionality.
    Regarding keepalive settings, you need to ensure the timeouts on the RDSH go hand in hand with your keepalive settings on your switches/firewalls for RDP traffic, to ensure they're not getting cut off; this is really sensitive.

  • Using a SAN certificate with RemoteApps for connections outside of the firewall

    I have two fairly simple two-server farms on the LAN with gateway servers in the DMZ. (One is 2008 R2 and the other is 2012 R2 in the same configuration.) Users connect via the 2012 RD Web Access portal to run the apps on the two farms, and all that works fine. The trouble is that when connecting they get the certificate mismatch warning from the session host that is assigned the connection. I would like to get rid of that by installing a SAN/UCC certificate that lists both servers and the DNS of the farm A record, so that whichever server gets the connection can present the cert and authenticate without the warning.
    Our internal and Internet domains are the same (pre-dates me). We maintain our internal DNS and the outside world gets its info from a provider. The inside hosts do not exist on the outside DNS, which they don't need to anyway. As I said, this configuration functions just fine except for the cert mismatch business.
    I bought a SAN/UCC cert through DigiCert:
    Ensures the identity of a remote computer
    Proves your identity to a remote computer
    2.16.840.1.114412.1.1
    The subject shows the dns name of the farm host
    The subject Alt Name shows all the hostnames:
    DNS Name=rds-farm.myDomain.com
    DNS Name=server1.myDomain.com
    DNS Name=server2.myDomain.com
    DNS Name=server3.myDomain.com  (There isn't actually a server3 at this point but I figured I might as well add it for possible expansion)
    The cert chains properly back to DigiCert.
    On the 2012 install, when I try to add the cert for Connection Broker - Publishing it comes back with the following message:
    "The specified certificate is not valid. The certificate properties must match the requirements of the role service."
    So what are the requirements that don't match and what do I need to do to rekey this cert correctly?

    Hi,
    Do you have a DNS A record on your internal network?  Does it point to the RD Connection Broker server?
    Please try to change the FQDN name of the server. You can use this cmdlet to change the server name that is used when publishing RemoteApps:
    Change published FQDN for Server 2012 or 2012 R2 RDS Deployment
    http://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80
    Additionally check the following article for information.
    Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services
    http://blogs.technet.com/b/askperf/archive/2014/01/24/certificate-requirements-for-windows-2008-r2-and-windows-2012-remote-desktop-services.aspx
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • How to let SAP user use SSO to access Application in DMZ?

    Hi All,
    Our J2EE application is running on a system in the DMZ which cannot be connected to LDAP. So I am wondering if it's possible to let SAP users use SSO to access our application.
    After talking with my colleague, I think the only way is to import the SSO public key into our WebAS, create the user in UME and then assign the user to the corresponding public key, but does anybody know where to download the SSP verification file, or is it allowed to download it and import it into another system at all?
    Regards,
    Bin

    Hi,
    Take a look at this example; it uses property nodes to select the active plot and then changes the color of that plot.
    If you want to make the number of plots dynamic you could use a for loop and an array of color boxes.
    I hope this helps.
    Regards,
    Juan Carlos
    N.I.
    Attachments: Changing_plot_color.vi (38 KB)

  • How can I permit all traffic from inside-dmz-outside on asa5505

    Scenario :
    Servers are in the DMZ; internal LAN users should access the specified ports (5000 & 2048). Router 2801 is facing the leased line; from there it's connected to the firewall.
    Router LAN IP: 83.111.X.X - 255.255.255.X
    ASA Version 7.2(4)
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password 2KFQnbNIdI.2KYOU encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.X.X 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 83.111.X.X 255.255.255.240
    interface Vlan3
    nameif dmz
    security-level 100
    ip address 192.168.100.1 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    switchport access vlan 3
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    switchport access vlan 3
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 83.111.x.x
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 192.168.1.2-192.168.1.254 inside
    dhcpd enable inside
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:5663409d6ba3ad0bcd163e691f032f76
    : end

    Hi Ben,
    Thank you for the response. I followed the link and tried reading everything you posted on AEs but I'm afraid that I didn't understand it all. It seems that each AE example had a single input and a single output (e.g. a double). Is this the case?
    What I have is a couple of front panel clusters containing (approximately) 18 control doubles, 8 indicator doubles, 5 boolean radio button constructs and 26 boolean control discretes. I clusterized it to make it readable. In addition I'll eventually have a cluster of task references for hardware handles.
    All I want to do is update the front panel values like I would do in C, VB or any other language. I've tried referencing the cluster and using the reference from inside the loops. I've tried using local variables. Neither works. I'm experimenting with globals but it seems that I have to construct the front panel in the global and then I wouldn't know how to reproduce that on the front panel of the main VI. Sometimes it seems that more time is spent getting around LabVIEW constructs than benefitting from them.
    I hope the 'Add Attachment' function actually puts a copy of the VI here and not a link to it.
    Thanks again for the suggestion,
    Frank 
    Attachments: Front Panel Reference.vi (33 KB)

  • WRT310N: Help with DMZ/settings (firmware 1.0.09) for wired connection

    Hello. I have a WRT310N and have been having a somewhat difficult time with my xbox 360's connection. I have forwarded all the necessary ports (53, 80, 88, 3074) for it to run, and tried changing MTU and what-not.
    I don't know if I have DMZ setup incorrectly, or if it's my settings.
    Setup as follows:
    PCX2200 modem connected via ethernet to WRT310N. 
    The WRT310N has into ethernet port 1 a WAP54G, and then upstairs (so that my Mother's computer can get a strong signal) I have another WAP54G that I believe receives its signal from the downstairs 54G. 
    In the back of the WRT310N, I have my computer connected via ethernet port 3, and my Xbox 360 connected via ethernet port 4.
    Now, I first figured I just have so many connections tied to the router and that is the reason for being so slow. However, when I unplug all the other ethernet cords and nothing is connected wirelessly, except for my Xbox connected to ethernet port 4, it is still poor. Also, with everything connected (WAP54G and other devices wirelessly) I get on my PC and run a speedtest. For the sake of advice, the speedtests I am running on my PC average (after 5 tests) 8.5 Mbps download and 1.00 Mbps upload, with a ping of 82 ms.
    Here is an image of the results:
    http://www.speedtest.net/result/721106714.png
    Let me add a little more detail of my (192.168.1.1) settings for WRT310N.
    For starters, my Father's IT guy at his workplace set up this WRT310N and WAP54G's. So some of these settings may be his doing. I just don't know which.
    "Setup" as Auto-configurations DHCP. I've added my Xbox's IP address to the DHCP reservation the IP of 192.168.1.104. This has (from what I've noticed) stayed the same for days.
    MTU: Auto, which stays at 1500 when I check under status.
    Advanced Routing: NAT routing enabled, Dynamic Routing disabled. 
    Security: Disabled SPI firewall, UNchecked these: Filter Anonymous Internet Requests, Multicast, and Internet NAT redirection.
    VPN passthrough: All 3 options are enabled (IPSec, PPTP, L2TP)
    Access Restrictions: None.
    Applications and Gaming: Single port forwarding has no entries. Port Range Forwarding I have the ports 53 UDP/TCP, 88 UDP, 3074 UDP/TCP, and 80 TCP forwarded to IP 192.168.1.104 enabled. (192.168.1.104 is the IP for my xbox connected via ethernet wired that is in DHCP reserved list)
    Port Range Triggering: It does not allow me to change anything in this page.
    DMZ: I have it Enabled. This is where I am a bit confused. It says "Source IP Address" and it has me select either "Any IP address" or to put entries into the XXX.XXX.XXX.XXX to XXX fields. I have selected use any IP address. Then, under the source IP area, it says "Destination:" and I can do either "IP address: 192.168.1.XXX" or "MAC address:". Also, under MAC Address, it says DHCP Client Table and I went there and saw my Xbox under the DHCP client list (it shows up only when the Xbox is on) and selected it.
    Under QoS: WMM Enabled, No acknowledgement disabled.
    Internet Access Priority: Enabled. Upstream Bandwidth I set to Manual and put 6000 Kbps. I had it set on Auto before, but I changed it. I have no idea what to put there so I just put a higher number.
    Then I added for Internet Access Priority a Medium Priority for Ethernet Port 4 (the port my xbox is plugged into).
    Administration: Management: Web utility access: I have checked HTTP, unchecked HTTPS.
    Web utility access via Wireless: Enabled. Remote Access: Disabled.
    UPnP: Enabled.
    Allow Users to Configure: Enabled.
    Allow users to Disable Internet Access: Enabled.
    Under Diagnostics, when I try and Ping test 192.168.1.104 (xbox when on and connected to LIVE), I get:
    PING 192.168.1.104 (192.168.1.104): 24 data bytes
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    --- 192.168.1.104 data statistics ---
    5 Packets transmitted, 0 Packets received, 100% Packet loss
    Also, when I do Traceroute Test for my Xbox's IP, I just keep getting: 
    traceroute to 192.168.1.104 (192.168.1.104), 30 hops max, 40 byte packets
    1 * * * 192.168.1.1 Request timed out.
    2 * * * 192.168.1.1 Request timed out.
     As for the Wireless Settings, it is all on the default settings with Wi-Fi Protected setup Enabled.
    To add, I have tried connecting my modem directly to the Xbox and my connection is much improved. I have no difficulty getting the NAT open, for it seems my settings are working for that. Any help with these settings would be VERY much appreciated. 
    Message Edited by CroftBond on 02-18-2010 01:09 PM

    I own 2 of these routers (one is a spare) with the latest firmware and I have been having trouble with them for over a year.  In my case the connection speed goes to a crawl and the only way to get it back is to disable the SPI firewall.  Rebooting helps for a few minutes, but the problem returns.  All of the other fixes recommended on these forums did not help.  I found out the hard way that disabling the SPI Firewall also closes all open ports ignoring your port forwarding settings.  If you have SPI Firewall disabled, you will never be able to ping your IP from an external address.  Turn your SPI Firewall back on and test your Ping. 
    John

  • Webserver on DMZ cannot send email via php script using SMTP (cisco firewall pix 515e)

    Hello,
    I have two web servers that are sitting in a DMZ behind a Cisco Firewall PIX 515e. The webservers appear to be configured correctly as our website and FTP website are up. On two of our main websites, we have two contact forms that use a simple HTML form to call a php script that uses smtp as its mailing protocol. Since I am not the network administrator, I don't quite understand how to read the current configurations on the firewall, but I suspect that port 25 is blocked, which prevents the script from actually working or sending out emails. What I've done to narrow the problem down is the following: I used a wamp server to test our scripts with our smtp server's settings, and was able to successfully send an email out to both my gmail and work place accounts. Currently, we have backupexec loaded on both of these servers, and when I try to send out an alert I never receive it. I think because port 25 is closed on both of those servers. I will be posting our configuration. If anyone can take a look and perhaps explain to me how I can change our webservers to communicate and successfully deliver mail via that script, I would greatly appreciate it. Our IP range is 172.x.x.x, but it looks like our webservers are using 192.x.x.x with NAT in place. Please someone help.
    Thanks,
    Jeff Mateo
    PIX Version 6.3(4)
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet2 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security50
    enable password GFO9OSBnaXE.n8af encrypted
    passwd GFO9OSBnaXE.n8af encrypted
    hostname morrow-pix-ct
    domain-name morrowco.com
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 12.42.47.27 LI-PIX
    name 172.20.0.0 CT-NET
    name 172.23.0.0 LI-NET
    name 172.22.0.0 TX-NET
    name 172.25.0.0 NY-NET
    name 192.168.10.0 CT-DMZ-NET
    name 1.1.1.1 DHEC_339849.ATI__LEC_HCS722567SN
    name 1.1.1.2 DHEC_339946.ATI__LEC_HCS722632SN
    name 199.191.128.105 web-dns-1
    name 12.127.16.69 web-dns-2
    name 12.3.125.178 NY-PIX
    name 64.208.123.130 TX-PIX
    name 24.38.31.80 CT-PIX
    object-group network morrow-net
    network-object 12.42.47.24 255.255.255.248
    network-object NY-PIX 255.255.255.255
    network-object 64.208.123.128 255.255.255.224
    network-object 24.38.31.64 255.255.255.224
    network-object 24.38.35.192 255.255.255.248
    object-group service morrow-mgmt tcp
    port-object eq 3389
    port-object eq telnet
    port-object eq ssh
    object-group network web-dns
    network-object web-dns-1 255.255.255.255
    network-object web-dns-2 255.255.255.255
    access-list out1 permit icmp any any echo-reply
    access-list out1 permit icmp object-group morrow-net any
    access-list out1 permit tcp any host 12.193.192.132 eq ssh
    access-list out1 permit tcp any host CT-PIX eq ssh
    access-list out1 permit tcp any host 24.38.31.72 eq smtp
    access-list out1 permit tcp any host 24.38.31.72 eq https
    access-list out1 permit tcp any host 24.38.31.72 eq www
    access-list out1 permit tcp any host 24.38.31.70 eq www
    access-list out1 permit tcp any host 24.38.31.93 eq www
    access-list out1 permit tcp any host 24.38.31.93 eq https
    access-list out1 permit tcp any host 24.38.31.93 eq smtp
    access-list out1 permit tcp any host 24.38.31.93 eq ftp
    access-list out1 permit tcp any host 24.38.31.93 eq domain
    access-list out1 permit tcp any host 24.38.31.94 eq www
    access-list out1 permit tcp any host 24.38.31.94 eq https
    access-list out1 permit tcp any host 24.38.31.71 eq www
    access-list out1 permit tcp any host 24.38.31.71 eq 8080
    access-list out1 permit tcp any host 24.38.31.71 eq 8081
    access-list out1 permit tcp any host 24.38.31.71 eq 8090
    access-list out1 permit tcp any host 24.38.31.69 eq ssh
    access-list out1 permit tcp any host 24.38.31.94 eq ftp
    access-list out1 permit tcp any host 24.38.31.92 eq 8080
    access-list out1 permit tcp any host 24.38.31.92 eq www
    access-list out1 permit tcp any host 24.38.31.92 eq 8081
    access-list out1 permit tcp any host 24.38.31.92 eq 8090
    access-list out1 permit tcp any host 24.38.31.93 eq 3389
    access-list out1 permit tcp any host 24.38.31.92 eq https
    access-list out1 permit tcp any host 24.38.31.70 eq https
    access-list out1 permit tcp any host 24.38.31.74 eq www
    access-list out1 permit tcp any host 24.38.31.74 eq https
    access-list out1 permit tcp any host 24.38.31.74 eq smtp
    access-list out1 permit tcp any host 24.38.31.75 eq https
    access-list out1 permit tcp any host 24.38.31.75 eq www
    access-list out1 permit tcp any host 24.38.31.75 eq smtp
    access-list out1 permit tcp any host 24.38.31.70 eq smtp
    access-list out1 permit tcp any host 24.38.31.94 eq smtp
    access-list dmz1 permit icmp any any echo-reply
    access-list dmz1 deny ip any 10.0.0.0 255.0.0.0
    access-list dmz1 deny ip any 172.16.0.0 255.240.0.0
    access-list dmz1 deny ip any 192.168.0.0 255.255.0.0
    access-list dmz1 permit ip any any
    access-list dmz1 deny ip any any
    access-list nat0 permit ip CT-NET 255.255.0.0 192.168.220.0 255.255.255.0
    access-list nat0 permit ip host 172.20.8.2 host 172.23.0.2
    access-list nat0 permit ip CT-NET 255.255.0.0 LI-NET 255.255.0.0
    access-list nat0 permit ip CT-NET 255.255.0.0 NY-NET 255.255.0.0
    access-list nat0 permit ip CT-NET 255.255.0.0 TX-NET 255.255.0.0
    access-list vpn-split-tun permit ip CT-NET 255.255.0.0 192.168.220.0 255.255.255.0
    access-list vpn-split-tun permit ip CT-DMZ-NET 255.255.255.0 192.168.220.0 255.255.255.0
    access-list vpn-dyn-match permit ip any 192.168.220.0 255.255.255.0
    access-list vpn-ct-li-gre permit gre host 172.20.8.2 host 172.23.0.2
    access-list vpn-ct-ny permit ip CT-NET 255.255.0.0 NY-NET 255.255.0.0
    access-list vpn-ct-ny permit ip CT-DMZ-NET 255.255.255.0 NY-NET 255.255.0.0
    access-list vpn-ct-tx permit ip CT-NET 255.255.0.0 TX-NET 255.255.0.0
    access-list vpn-ct-tx permit ip CT-DMZ-NET 255.255.255.0 TX-NET 255.255.0.0
    access-list static-dmz-to-ct-2 permit ip host 192.168.10.141 CT-NET 255.255.248.0
    access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 192.168.220.0 255.255.255.0
    access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 LI-NET 255.255.0.0
    access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 NY-NET 255.255.0.0
    access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 TX-NET 255.255.0.0
    access-list static-dmz-to-ct-1 permit ip host 192.168.10.140 CT-NET 255.255.248.0
    access-list static-dmz-to-li-1 permit ip CT-DMZ-NET 255.255.255.0 CT-NET 255.255.248.0
    access-list vpn-ct-li permit ip CT-NET 255.255.0.0 LI-NET 255.255.0.0
    access-list vpn-ct-li permit ip CT-DMZ-NET 255.255.255.0 LI-NET 255.255.0.0
    access-list vpn-ct-li permit ip host 10.10.2.2 host 10.10.1.1
    access-list in1 permit tcp host 172.20.1.21 any eq smtp
    access-list in1 permit tcp host 172.20.1.20 any eq smtp
    access-list in1 deny tcp any any eq smtp
    access-list in1 permit ip any any
    access-list in1 permit tcp any any eq smtp
    access-list cap4 permit ip host 172.20.1.82 host 192.168.220.201
    access-list cap2 permit ip host 172.20.1.82 192.168.220.0 255.255.255.0
    access-list in2 deny ip host 172.20.1.82 any
    access-list in2 deny ip host 172.20.1.83 any
    access-list in2 permit ip any any
    pager lines 43
    logging on
    logging timestamp
    logging buffered notifications
    logging trap notifications
    logging device-id hostname
    logging host inside 172.20.1.22
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    ip address outside CT-PIX 255.255.255.224
    ip address inside 172.20.8.1 255.255.255.0
    ip address DMZ 192.168.10.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ctpool 192.168.220.100-192.168.220.200
    ip local pool ct-thomson-pool-201 192.168.220.201 mask 255.255.255.255
    pdm history enable
    arp timeout 14400
    global (outside) 1 24.38.31.81
    nat (inside) 0 access-list nat0
    nat (inside) 1 CT-NET 255.255.0.0 2000 10
    nat (DMZ) 0 access-list nat0-dmz
    static (inside,DMZ) CT-NET CT-NET netmask 255.255.0.0 0 0
    static (inside,outside) 24.38.31.69 172.20.8.2 netmask 255.255.255.255 0 0
    static (DMZ,outside) 24.38.31.94 192.168.10.141 netmask 255.255.255.255 0 0
    static (inside,outside) 24.38.31.71 172.20.1.11 dns netmask 255.255.255.255 0 0
    static (DMZ,outside) 24.38.31.93 192.168.10.140 netmask 255.255.255.255 0 0
    static (DMZ,inside) 24.38.31.93 access-list static-dmz-to-ct-1 0 0
    static (DMZ,inside) 24.38.31.94 access-list static-dmz-to-ct-2 0 0
    static (inside,outside) 24.38.31.92 172.20.1.56 netmask 255.255.255.255 0 0
    static (DMZ,outside) 24.38.31.91 192.168.10.138 netmask 255.255.255.255 0 0
    static (DMZ,outside) 24.38.31.90 192.168.10.139 netmask 255.255.255.255 0 0
    static (inside,outside) 24.38.31.72 172.20.1.20 netmask 255.255.255.255 0 0
    static (inside,outside) 24.38.31.73 172.20.1.21 netmask 255.255.255.255 0 0
    static (inside,outside) 24.38.31.70 172.20.1.91 netmask 255.255.255.255 0 0
    static (DMZ,outside) 24.38.31.88 192.168.10.136 netmask 255.255.255.255 0 0
    static (DMZ,outside) 24.38.31.89 192.168.10.137 netmask 255.255.255.255 0 0
    static (inside,outside) 24.38.31.74 172.20.1.18 netmask 255.255.255.255 0 0
    static (inside,outside) 24.38.31.75 172.20.1.92 netmask 255.255.255.255 0 0
    access-group out1 in interface outside
    access-group dmz1 in interface DMZ
    route outside 0.0.0.0 0.0.0.0 24.38.31.65 1
    route inside 10.10.2.2 255.255.255.255 172.20.8.2 1
    route inside CT-NET 255.255.248.0 172.20.8.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa-server ct-rad protocol radius
    aaa-server ct-rad max-failed-attempts 2
    aaa-server ct-rad deadtime 10
    aaa-server ct-rad (inside) host 172.20.1.22 morrow123 timeout 7
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 173.220.252.56 255.255.255.248 outside
    http 65.51.181.80 255.255.255.248 outside
    http 208.65.108.176 255.255.255.240 outside
    http CT-NET 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community m0rroW(0
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
    crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
    crypto dynamic-map dyn_map 20 match address vpn-dyn-match
    crypto dynamic-map dyn_map 20 set transform-set 3des-sha
    crypto map ct-crypto 10 ipsec-isakmp
    crypto map ct-crypto 10 match address vpn-ct-li-gre
    crypto map ct-crypto 10 set peer LI-PIX
    crypto map ct-crypto 10 set transform-set 3des-sha
    crypto map ct-crypto 15 ipsec-isakmp
    crypto map ct-crypto 15 match address vpn-ct-li
    crypto map ct-crypto 15 set peer LI-PIX
    crypto map ct-crypto 15 set transform-set 3des-sha
    crypto map ct-crypto 20 ipsec-isakmp
    crypto map ct-crypto 20 match address vpn-ct-ny
    crypto map ct-crypto 20 set peer NY-PIX
    crypto map ct-crypto 20 set transform-set 3des-sha
    crypto map ct-crypto 30 ipsec-isakmp
    crypto map ct-crypto 30 match address vpn-ct-tx
    crypto map ct-crypto 30 set peer TX-PIX
    crypto map ct-crypto 30 set transform-set 3des-sha
    crypto map ct-crypto 65535 ipsec-isakmp dynamic dyn_map
    crypto map ct-crypto client authentication ct-rad
    crypto map ct-crypto interface outside
    isakmp enable outside
    isakmp key ******** address LI-PIX netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address 216.138.83.138 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address NY-PIX netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address TX-PIX netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    isakmp policy 30 authentication pre-share
    isakmp policy 30 encryption 3des
    isakmp policy 30 hash md5
    isakmp policy 30 group 1
    isakmp policy 30 lifetime 86400
    vpngroup remotectusers address-pool ctpool
    vpngroup remotectusers dns-server 172.20.1.5
    vpngroup remotectusers wins-server 172.20.1.5
    vpngroup remotectusers default-domain morrowny.com
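The config above is reproduced as the poster put it up. Two things in it are worth a practitioner's attention before anyone copies the pattern: the RADIUS shared secret on the `aaa-server ct-rad (inside) host` line and the `snmp-server community` string are in the clear (only the `isakmp key` lines were masked), and the IKE policies negotiate 3DES with MD5 and DH groups 1 and 2. The Python script below is an added example, not part of the original post and not a Cisco tool. It scans a PIX/ASA-style config excerpt for cleartext secrets and deprecated IKE/IPsec parameters and can redact the secrets before a config is shared. The excerpt embedded in it is constructed from lines of the posted config; the severity labels, the set of algorithms it treats as weak, and the two "exposure" checks (`sysopt connection permit-ipsec`, HTTP management on the outside interface) are the example's own choices.

```python
"""Audit a PIX/ASA-style running-config excerpt for cleartext secrets and
weak IKE/IPsec settings, and redact the secrets before the config is shared.
Added example; not from the original post or any vendor tool."""
import re
from dataclasses import dataclass

# Constructed excerpt mirroring lines of the posted config; not the full dump.
SAMPLE_CONFIG = """\
aaa-server ct-rad protocol radius
aaa-server ct-rad (inside) host 172.20.1.22 morrow123 timeout 7
snmp-server community m0rroW(0
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
isakmp key ******** address LI-PIX netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 1
sysopt connection permit-ipsec
http 173.220.252.56 255.255.255.248 outside
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    severity: str  # "high" (secret exposed), "medium" (weak crypto), "low" (exposure)
    message: str


# Each pattern's capture group is a shared secret that the config stores in cleartext.
# The aaa-server key is optional in the syntax, so "timeout" must not be taken as the key.
SECRET_PATTERNS = [
    (re.compile(r"^aaa-server \S+ \(\S+\) host \S+ (?!timeout\b)(\S+)"), "AAA shared secret"),
    (re.compile(r"^snmp-server community (\S+)"), "SNMP community string"),
    (re.compile(r"^isakmp key (\S+) address"), "ISAKMP pre-shared key"),
]

# IKE phase-1 values treated as weak here: DES/3DES, MD5, 768/1024-bit DH groups.
WEAK_IKE = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}
IKE_RE = re.compile(r"^isakmp policy (\d+) (encryption|hash|group) (\S+)")
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}
TRANSFORM_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")


def is_masked(value: str) -> bool:
    """The box prints already-hidden keys as a run of asterisks; skip those."""
    return set(value) == {"*"}


def find_cleartext_secrets(lines):
    findings = []
    for n, line in enumerate(lines, 1):
        for pattern, label in SECRET_PATTERNS:
            m = pattern.match(line)
            if m and not is_masked(m.group(1)):
                findings.append(Finding(n, "high", f"{label} in cleartext"))
    return findings


def find_weak_crypto(lines):
    findings = []
    for n, line in enumerate(lines, 1):
        m = IKE_RE.match(line)
        if m and m.group(3) in WEAK_IKE[m.group(2)]:
            findings.append(Finding(n, "medium", f"isakmp policy {m.group(1)}: weak {m.group(2)} {m.group(3)}"))
            continue
        m = TRANSFORM_RE.match(line)
        if m:
            weak = sorted(WEAK_ESP.intersection(m.group(2).split()))
            if weak:
                findings.append(Finding(n, "medium", f"transform-set {m.group(1)}: weak {' '.join(weak)}"))
    return findings


def find_exposure(lines):
    """Settings that widen reachability rather than weaken crypto."""
    findings = []
    for n, line in enumerate(lines, 1):
        if line.startswith("sysopt connection permit-ipsec"):
            findings.append(Finding(n, "low", "decrypted VPN traffic bypasses interface ACLs"))
        elif re.match(r"^http \S+ \S+ outside$", line):
            findings.append(Finding(n, "low", "HTTP management reachable on the outside interface"))
    return findings


def audit(config_text: str):
    """Return all findings for a config, ordered by line number."""
    lines = [l.strip() for l in config_text.splitlines()]
    found = find_cleartext_secrets(lines) + find_weak_crypto(lines) + find_exposure(lines)
    return sorted(found, key=lambda f: f.line_no)


def redact(config_text: str) -> str:
    """Replace every cleartext secret with ********, leaving everything else intact."""
    out = []
    for line in config_text.splitlines():
        s = line.strip()
        for pattern, _ in SECRET_PATTERNS:
            m = pattern.match(s)
            if m and not is_masked(m.group(1)):
                start, end = m.span(1)
                s = s[:start] + "********" + s[end:]
        out.append(s)
    return "\n".join(out)


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f.line_no:>3} [{f.severity}] {f.message}")
```

Run `audit()` over a saved `show running-config` before pasting it anywhere; `redact()` keeps addresses, interface names and policy numbers so the output is still useful for troubleshooting, while the "high" findings are the lines to change on the device itself (a posted secret is a compromised secret), and the "medium" ones are the policies to retire in favour of AES, SHA-2 and a larger DH group where the peers support them.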

    Amit,
    I applaud your creativity in seeking to solve your problem, however, this sounds like a real mess in the making. There are two things I don't like about your approach. One, cron -> calling Java -> calling PHP -> accessing database, it's just too many layers, in my opinion, where things can go wrong. Two, it seems to me that you are exposing data on your website (with the PHP) that you may not want to expose, and this is an important consideration when you are dealing with emails and privacy and so on.
    I think the path of least resistance would be to get a new user account added to the MySQL database that you can access remotely with your Java program. This account can be locked down to read-only access and locked down to the specific IP or IP range that your Java program will be connecting from.
    Again, I applaud your creativity, but truly this seems like a hack because of the complexity and security concerns you are introducing, and I think it is a path to the land of trouble. Hopefully you will be able to get a remote account set up.

  • What is the difference between Azure RemoteApp Basic vs Standard Plans in terms of compute cores and memory?

    So our customer has asked us to compare Amazon WorkSpaces and Azure RemoteApp offerings for them to choose from. While looking at Amazon WorkSpaces, it clearly defines bundles with specific CPU cores, memory and user storage. However, Azure RemoteApp only specifies user storage and vaguely compares its Basic vs. Standard plans in terms of "task worker" vs. "information worker".
    I tried looking up its documentation but couldn't find the specific CPU cores that are dedicated per user in the Basic vs. Standard plans. I have the following questions:
    Can anyone point me in the right direction or help me understand how many CPU cores and how much memory are dedicated (or shared) per user in each plan?
    Our customer would most likely need a "custom" image for their custom apps. Is it possible for us to choose specific CPU cores and memory for the users to be able to run their apps in Azure RemoteApp?
    In case I am misunderstanding the basic difference between AWS WorkSpaces and Azure RemoteApp, I'd appreciate some help in understanding it as well.
    Thanks!

    Hi,
    With Azure RemoteApp users see just the applications themselves, and the applications appear to be running on their local machine similar to other programs. With Workspaces users connect to a full desktop and launch applications within that.
    1. Azure RemoteApp currently uses size A3 Virtual Machines, which have 4 vCPUs and 7GB RAM. Under Basic each VM can have a maximum of 16 users using it, whereas under Standard each VM is limited to 10 users. The amount of CPU available to a user depends on what the current demands are on the CPU at that moment from other users and system processes that may be on the server.
    For example, say a user is logged on to a VM with 3 other users and the other users are idle (not consuming any CPU). At that moment the user could use all 4 vCPUs if a program they are running needed to. If a few moments later the other 3 users all needed lots of CPU as well, then the first user would only have approximately 1 vCPU for their use. The process is dynamic and seeks to give each user their fair share of available CPU when there are multiple users demanding CPU.
    Under the Standard plan a user will receive approximately a minimum of 0.4 vCPU, assuming that the VM has the maximum number of users logged on and that all users are using as much CPU as possible at a given moment. Under the Basic plan the approximate minimum would be 0.25 vCPU.
    2. You cannot choose the specific number of cores and memory. What you can do is choose the Azure RemoteApp billing plan, which affects the user density of each VM as described above. If you need a lower density than Standard you may contact support.
    -TP

  • How to Read file from Application in DMZ Server (page on DMZ)

    Hi All,
    I am trying to open a file from the application server from an OAF page on the DMZ server.
    I am getting the error 'either not supported file type or file is damaged'.
    I am taking the path of the production server to read the file from the DMZ server.
    Please let me know what the issue is.
    Thanks
    Raju

    Please post the details of the application release, database version and OS.
    "i am trying open a file from application server from OAF page on DMZ server."
    Is the issue with all OAF pages or with specific ones only?
    "i am getting the error 'either not supported file type or file is damaged'."
    Please check the Apache log files for details about the error (error_log* and access_log*).
    "i am taking the path of production server to read the file from DMZ server."
    What type of DMZ configuration do you have?
    Thanks,
    Hussein

  • Internet Access to Portal located in DMZ

    I've seen questions on the forum regarding gaining Internet access to the Oracle Portal located in the DMZ. This answer does not resolve the issue of having multiple DADs to access your portal, like abc.com and xyz.com. For that see note 162044.1 on Metalink: http://metalink.oracle.com.
    If you registered a domain name, e.g. abc.com, and have the portal up and running in the DMZ, your local network should be accessing the portal just fine. Your computer name, for example, is portal. The URL translates into http://portal.abc.com. You opened the ports in the DMZ to allow access and wonder why you get partial portal pages, no login, etc. It's because users can't resolve the DNS entry for portal.abc.com. Call your ISP and get an "A Record" entry. After a few hours and propagation of the A Record, users on the Internet can successfully access your site. This A Record should be free.
    Good luck
    Kellan

    Hi,
      You have to open the ITS to the internet for accessing things from the Portal too. As I told you in the previous post, the request goes directly to the ITS server (http://itsserver.com/scripts..) and not as (http://myportal.com/scripts..). The idea of having it via the Portal would be to mask the URL of ITS, which will not be visible (except for the time you click on an iView, which will display it in the status bar). In any case, you can directly access ITS as you said; however, you give the proxy.
    Regards,
    Siva
    P.S: Award points if you find this useful.

  • RemoteApp 2012 problem on windows XP.

    Hello
    I have a problem with RemoteApp web access on Windows Server 2012 when I connect with Windows XP clients. Internet Explorer always shows the credential prompt and I cannot access the server. I do not have this problem when I connect with Windows 7 clients with Remote Desktop Client 8.1. Remote Desktop Client 8.1 is not available on Windows XP, but I have installed RDC 7.0 and the problem continues.
    What do I have to do to correct this problem?
    Thanks, and sorry for my English.

    When you say "The internet explorer shows the credential prompt always and i can not access to the server", do you mean it simply keeps re-prompting you to log in and doesn't get any further, or are you getting any error messages?
    Since you've already installed RDC 7.0, the other two things to check are that the XP machine is running SP3, and that you've enabled CredSSP on there (as it's not enabled by default on XP). To check this, click Start > All Programs > Accessories > Remote Desktop Connection, then click the little computer icon in the title bar, left of the words "Remote Desktop Connection", then choose "About", or "Help > About". If it says "Network Level Authentication not supported" or has no reference to this at all, you need to enable it. If it's not enabled then have a look at http://support.microsoft.com/kb/951608, which has instructions for enabling it.
    Depending on the options enabled on the 2012 server, it's possible however that you simply can't connect from an XP machine at all. Some of the newer features in 2012 RDP don't support XP, as they rely on functionality that is missing from XP. Annoyingly, I can't find a reference to what those features are right now, but I know with our setup (with those features disabled currently) we're able to support XP clients, but are intending to end support for it so we can enable those features and improve functionality for the newer clients.

  • Windows 8.1 Pro cannot log into RemoteApp running on Windows Server 2012 R2

    I have setup a vm running Windows Server 2012 R2 Standard and have enabled multiple RemoteApps.  Everything is setup correctly and I can use RD Web Access to access the portal and connect to the remoteapps from any computer except my own.  I am
    running Windows 8.1 Pro and when I log into the RD Web Access portal, click on one of the apps,  it looks like it's loading the session, but gets stuck on Preparing Windows.  Everything else up to that point looks like it loads correctly, (i.e. -
    Applying Group Policy Settings, applying desktop, etc...).  When I log into my Windows 7 dev machine, I can access and run everything just fine.  So there must be something between the Windows 8 and 2012 that isn't working quite right.  
    I have tried logging into the portal as myself and test users...same result.  
    any ideas?
    Jon Wooten

    I think there is something in your GPOs or collection settings causing an issue.
    Does this happen with any RemoteApp, built-in stuff like Notepad, or just third-party apps?
    Try not doing any kind of printer/device redirection from that host.
    You can also do winlogon logging to get a better idea of what's going on during the logon operation.
    You can also use the verbose logon messages GPO to get detailed login status info.
    If all else fails, I think you need to isolate it by creating a test collection and test user with the bare minimum options.
