RemoteApp in DMZ
Scenario is TS Gateway in a dmz.com domain and RemoteApp server in internal.com both servers joined to respective domians. TS Gateway is exposed to internet. How to I configure this scenario so I can get to the RemoteApps internally ? There is a one-way
domain trust from external to internal, so the external domain trusts the internal domain. However I cannot get the RemoteApp internal as a source. Setup was followed by section 3.2 http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx
See below. Any help would be greatly appreciated.
3.2. RD Gateway with forest trust model deployment:
In this deployment, there is AD DS in the perimeter network which trusts the internal network forest to authenticate the internal network forest users in the perimeter forest domain. RD Gateway is joined to the perimeter network domain. The trust between the
perimeter network forest and the internal network forest is one-way, so configuring RD Gateway to use a central NPS server which is in the internal network is required in this deployment.
The following diagram shows the traffic flow from the Internet to the perimeter network and from the perimeter network to the internal network in this deployment.
Hi,
Thank you for posting in Windows Server Forum.
“We set up the RD Gateway inside the network and protected by the firewall, because RD Gateway contains some credential information and policy settings (RAP and CAP), exposing the server in DMZ environment could cause security risks. Instead, if you use RD
Web Access to publish the RemoteApp programs, the Web server can be located in the DMZ because no critical information is stored.” (Quoted fromthis
thread.)
In addition, please check the beneath article for more information.
Checklist: Make RemoteApp Programs Available from the Internet
http://technet.microsoft.com/en-us/library/cc772415.aspx
Accessing to RemoteApp Externally via RDWeb
http://social.technet.microsoft.com/Forums/windowsserver/en-US/b2083438-b9e3-4eb5-a3f6-0ae9b555d3f0/accessing-to-remoteapp-externally-via-rdweb?forum=winserverTS
Hope it helps!
Thanks,
Dharmesh
Similar Messages
-
Rd web showing all remoteapps when logging in with an account of a trusted domain
we have a dmz with a separate domain. there is a one way trust to our local domain
In the dmz domain there is a rdweb and rd gateway. When logging in with an account from the dmz domain in the rdweb it's all fine but when logging in with an account from the trusted domain all remoteapp's are shown
all servers are 2012r2Hi sir,
Please make sure your account has already added into your Pay-As-You-Go subscription as co-administrator role . If the account was not in your subscription please add it and try to login on from your VS again.
If you always occurred this issue, you can try to download the publish file and import it into you VS, please follow this steps:
http://azure.microsoft.com/en-us/documentation/articles/mobile-services-windows-how-to-import-publishsettings/
Regards,
Will
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
Click
HERE to participate the survey. -
RemoteApp to Windows 2012 RDGateway to Windows 2008 RD Web
I am trying to add in windows 7 a connection to the RD web server and am receiving "An error occurred" when pointing to the RD gateway. If I point to the RD Web server it works.
The setup is a 2012 RD Gateway server in the DMZ that is accessible from the internet and a 2008 RD Web server internally. If I login in via the web to the 2012 gateway server I am able to see the list of published apps. If I point a windows 7 workstation
to the gateway to pull the published apps it fails. If I point the client to the internal server it works.Hi,
Please check if you install the latest updates of RDP for the Windows 7 clients.
Description of the Remote Desktop Protocol 8.0 update for Windows 7 SP1 and Windows Server 2008 R2 SP1
http://support.microsoft.com/kb/2592687
Update for RemoteApp and Desktop Connections feature is available for Windows
http://support.microsoft.com/KB/2830477
Hope this helps.
Jeremy Wu
TechNet Community Support -
RemoteApp's not running when accessed from the internet
Hi TP,
Hopefully someone can help me here.
I've installed RDWeb on the RDG server which live in our DMZ - I can access and log on to RDS from the internet with the RDG FQDN remote.external.com but I can't launch any RemoteApp's. Basically there's no RemoteApp pop up warning with all the connection
information (Publisher, Type, Path, Name, Remote computer, Gateway server) just the RemoteApp connecting to window with no info. Seems like it can't grab this information.
Users can log in to RDS internally with the RDG FQDN remote.external.com and run RemoteApps with no problems.
Thanks for your help in advanced!Hi,
1. On the client PC, remove the thumbprint value entry for this server under the PublisherBypassList key. This is located under the following path:
HKCU\Software\Microsoft\Terminal Server Client\PublisherBypassList
<SHA thumbprint> REG_DWORD 0x00000xxx
Additonally, remove the key for the server under the Servers key:
HKCU\Software\Microsoft\Terminal Server Client\Servers\<FQDN of server>
2. What is the precise error message you receive when you attempt to launch a RemoteApp from external?
3. If you manually configure the Remote Desktop Client with the RD Gateway FQDN via Advanced tab--Connect from anywhere, are you able to connect from the Internet?
-TP -
RemoteApp 2012 - Optimize connectivity
Dear gents,
Here is the setup:
Session-based deployment
RDCB01.domain.local - Connection Broker
RDGW01.domain.local - RDWEB + RDGW roles located in DMZ.
DC01.domain.local - TS License server
FILE01.domain.local - central HOME drive and PROFILE (folder redirection) store.
Two RemoteApp Collections:
RDSH01-04-.domain.local (RD_FARM_01.domain.local)
RDSH10-16.domain.local (RD_FARM_02.domain.local)
I`m using a TLS certificate remote.domain.com from a public PKI for:
RDCB - Publishing
RDWEB
RDGW
And a self-signed TLS certificate *.domain.local (customer has no internal PKI) for:
RDCB - SSO
RDSH - Remote Desktop Connections
There are client-side GPOs in place, as per the documentation, to allow the credential delegation to the RDCB and RDGW servers and the self-signed certificate enrollment.
On RDGW I`m allowing only HTTP on default port, to limit the network firewall requirements.
Full folder redirection is in place to a network storage on FILE01.domain.local
Questions:
#1 An active RemoteApp intermittently disconnects and immediately reconnects (x minutes of inactivity), causing some discomfort for the users. There are no Active session timeouts and I have the GPO setting for Keep-Alive set to 10 minutes.
#2 The thing that puzzles me is long (~15 seconds) wait till I can see that the RDSH server initiates the user logon process. I can`t find errors on either RDCB or RDGW eventlog, of something being wrong. All I can see is successful handshakes. The reason why
I wondering if this is *ok*, is `cause my colleague has built an analog and it takes around 5 seconds to start to load. In both cases we are talking of decent infrastructure, good connectivity on national scale and access is via Web-interface.
#3 What do I need in order to allow the UDP support on RDGW network-wise?
UDP_3391 FROM:INTERNET_ANY TO: remote.domain.com
UDP_3391 FROM:remote.domain.com TO: RDGW01.domain.local
UDP_3391 FROM: RDGW01.domain.local TO: ???UDP info:
http://blogs.msdn.com/b/rds/archive/2013/04/09/get-the-best-rdp-8-0-experience-when-connecting-to-windows-7-what-you-need-to-know.aspx
you need to ensure you setup the GPOs properly to use the added UDP enhancements after you configure your firewalls.
also ensure users are using the latest RDP Client on their workstations to get the best functionality.
regarding keepalive settings, you need to ensure the timeouts on the RDSH go hand in hand with your keepalive settings on your switches/firewalls for RDP traffic to ensure they're not getting cut off, this is really sensitive. -
Using a SAN certificate with RemoteApps for connections outside of the firewall
I have two fairly simple two-server farms on the LAN with gateway servers in the DMZ. (One is 2008 R2 and the other is 2012 R2 in the same configuration) Users connect via the 2012 RD Web Access portal to run the apps on the two farms
and all that works fine. The trouble is that when connecting they get the certificate mis-match warning from the session host that is assigned the connection. I would like to get rid of that by installing a SAN/UCC certificate that lists
both servers and the DNS of the farm A record so that whichever server gets the connection ca present the cert and authenticate without the warning.
Our internal and Internet domains are the same (pre-dates me) We maintain our internal DNS and the outside world gets its info from a provider. The inside hosts do not exist on the outside DNS, which they don't need to anyway. As I said, this
configuration functions just fine except for the cert mismatch business.
I bought a SAN/UCC cert through DigiCert:
Ensures the identity of a remote computer
Proves your identity to a remote computer
2.16.840.1.114412.1.1
The subject shows the dns name of the farm host
The subject Alt Name shows all the hostnames:
DNS Name=rds-farm.myDomain.com
DNS Name=server1.myDomain.com
DNS Name=server2.myDomain.com
DNS Name=server3.myDomain.com (There isn't actually a server3 at this point but I figured I might as well add it for possible expansion)
The cert chains properly back to DigiCert.
On the 2012 install, when I try to add the cert for Connection Broker - Publishing it comes back with the following message:
"The specified certificate is not valid. The certificate properties must match the requirements of the role service."
So what are the requirements that don't match and what do I need to do to rekey this cert correctly?Hi,
Do you have a DNS A record on your internal network? Does it point to the RD Connection Broker server?
Please try to change the FQDN name of the server. You can use this cmdlet to change the server name that is used when publishing RemoteApps:
Change published FQDN for Server 2012 or 2012 R2 RDS Deployment
http://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80
Additionally check the following article for information.
Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services
http://blogs.technet.com/b/askperf/archive/2014/01/24/certificate-requirements-for-windows-2008-r2-and-windows-2012-remote-desktop-services.aspx
Hope it helps!
Thanks.
Dharmesh Solanki
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
How to let SAP user use SSO to access Application in DMZ?
Hi All,
Our J2EE application is running on a system in DMZ which can not be connected with LDAP. So I am wondering if it's possible to let SAP user use SSO to access our application.
After talking with my colleague I think the only way is to import SSO public key to our WebAS and create user in UME and then assign user to the corresponding public key, but anybody know where to download SSP verification file or is it allowed to download and import into another system at all?
Regards,
BinHi,
Take a look at this example, it uses property nodes to select tha
active plot and then changes the color of that plot.
If you want to make the number of plots dynamic you could use a for
loop and an array of color boxes.
I hope this helps.
Regards,
Juan Carlos
N.I.
Attachments:
Changing_plot_color.vi 38 KB -
How can I permit all traffic from inside-dmz-outside on asa5505
Scenario :
Servers are in DMZ, Internal LAN Users should access ports Specified (5000 & 2048). Router 2801 is facing Leased line; from there it’s connected to firewall.
Router LAN IP: 83.111.X.X - 255.255.255.X
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.X.X 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 83.111.X.X 255.255.255.240
interface Vlan3
nameif dmz
security-level 100
ip address 192.168.100.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
switchport access vlan 3
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 83.111.x.x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd enable inside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:5663409d6ba3ad0bcd163e691f032f76
: endHi Ben,
Thank you for the response. I followed the link and tried reading everything you posted on AEs but I'm afraid that I didn't understand it all. It seems that each AE example had a single input and a single output (e.g. a double). Is this the case?
What I have is a couple of front panel clusters containing (approximately) 18 control doubles, 8 indicator doubles, 5 boolean radio button constructs and 26 boolean control discretes. I clusterized it to make it readable. In addition I'll eventually have a cluster of task references for hardware handles.
All I want to do is update the front panel values like I would do in a C, VB or any other language. I've tried referencing the cluster and using the reference from inside the loops. I've tied using local variables. Neither works. I'm experimenting with globals but it seems that I have to construct the front panel in the gloabal and then I wouldn't know how to repoduce that on the front panel of the main VI. Sometimes it seems that more time is spent getting around Labview constructs than benefitting from them.
I hope the 'Add Attachment' function actuals puts a copy of the VI here and not a link to it.
Thanks again for the suggestion,
Frank
Attachments:
Front Panel Reference.vi 33 KB -
Hello. I have a WRT310N and have been having a somewhat difficult time with my xbox 360's connection. I have forwarded all the necessary ports (53, 80, 88, 3074) for it to run, and tried changing MTU and what-not.
I don't know if I have DMZ setup incorrectly, or if it's my settings.
Setup as follows:
PCX2200 modem connected via ethernet to WRT310N.
The WRT310N has into ethernet port 1 a WAP54G, and then upstairs (so that my Mother's computer can get a strong signal) I have another WAP54G that I believe receives its signal from the downstairs 54G.
In the back of the WRT310N, I have my computer connected via ethernet port 3, and my Xbox 360 connected via ethernet port 4.
Now, I first figured I just have so many connections tied to the router and that is the reason for being so slow. However, when I unplug all the other ethernet cords and nothing is connected wirelessly, except for my Xbox connected to ethernet port 4, it is still poor. Also, with everything connected (WAP54G and other devices wirelessly) I get on my PC and run a speedtest. For the sake of advice, my speedtests I am running on my PC are (after 5 tests) averagely 8.5 Mbps download, and 1.00 Mbps upload, with a ping of 82ms.
Here is an image of the results:
http://www.speedtest.net][IMG]http://www.speedtest.net/result/721106714.png
Let me add a little more detail of my (192.168.1.1) settings for WRT310N.
For starters, my Father's IT guy at his workplace set up this WRT310N and WAP54G's. So some of these settings may be his doing. I just don't know which.
"Setup" as Auto-configurations DHCP. I've added my Xbox's IP address to the DHCP reservation the IP of 192.168.1.104. This has (from what I've noticed) stayed the same for days.
MTU: Auto, which stays at 1500 when I check under status.
Advanced Routing: NAT routing enabled, Dynamic Routing disabled.
Security: Disabled SPI firewall, UNchecked these: Filter Anonymous Internet Requests, Multicast, and Internet NAT redirection.
VPN passthrough: All 3 options are enabled (IPSec, PPTP, L2TP)
Access Restrictions: None.
Applications and Gaming: Single port forwarding has no entries. Port Range Forwarding I have the ports 53 UDP/TCP, 88 UDP, 3074 UDP/TCP, and 80 TCP forwarded to IP 192.168.1.104 enabled. (192.168.1.104 is the IP for my xbox connected via ethernet wired that is in DHCP reserved list)
Port Range Triggering: It does not allow me to change anything in this page.
DMZ: I have it Enabled. This is where I am a bit confused. It says "Source IP Address" and it has me select either "Any IP address" or to put entries to the XXX.XXX.XXX.XXX to XXX fields. I have selected use any IP address. Then the source IP area, it says "Destination:" I can do either "IP address: 192.168.1.XXX" or "MAC address:" Also, under MAC Address, it says DHCP Client Table and I went there and saw my Xbox under the DHCP client list (It shows up only when the Xbox is on) and selected it.
Under QoS: WMM Enabled, No acknowledgement disabled.
Internet Access Priority: Enabled. Upstream Bandwith I set it to Manual and put 6000 Kbps. I had it set on Auto before, but I changed it. I have no idea what to put there so I just put a higher number.
Then I added for Internet Access Priority a Medium Priority for Ethernet Port 4 (the port my xbox is plugged into).
Administration: Management: Web utility access: I have checked HTTP, unchecked HTTPS.
Web utility access via Wireless: Enabled. Remote Access: Disabled.
UPnp: Enabled.
Allow Users to Configure: Enabled.
Allow users to Disable Internet Access: Enabled.
Under Diagnostics, when I try and Ping test 192.168.1.104 (xbox when on and connected to LIVE), I get:
PING 192.168.1.104 (192.168.1.104): 24 data bytes
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
--- 192.168.1.104 data statistics ---
5 Packets transmitted, 0 Packets received, 100% Packet loss
Also, when I do Traceroute Test for my Xbox's IP, I just keep getting:
traceroute to 192.168.1.104 (192.168.1.104), 30 hops max, 40 byte packets
1 * * * 192.168.1.1 Request timed out.
2 * * * 192.168.1.1 Request timed out.
As for the Wireless Settings, it is all on the default settings with Wi-Fi Protected setup Enabled.
To add, I have tried connecting my modem directly to the Xbox and my connection is much improved. I have no difficulty getting the NAT open, for it seems my settings are working for that. Any help with these settings would be VERY much appreciated.
Message Edited by CroftBond on 02-18-2010 01:09 PMI own 2 of these routers (one is a spare) with the latest firmware and I have been having trouble with them for over a year. In my case the connection speed goes to a crawl and the only way to get it back is to disable the SPI firewall. Rebooting helps for a few minutes, but the problem returns. All of the other fixes recommended on these forums did not help. I found out the hard way that disabling the SPI Firewall also closes all open ports ignoring your port forwarding settings. If you have SPI Firewall disabled, you will never be able to ping your IP from an external address. Turn your SPI Firewall back on and test your Ping.
John -
Webserver on DMZ cannot send email via php script using SMTP (cisco firewall pix 515e)
Hello,
I have two web servers that are sitting in a DMZ behind a Cisco Firewall PIX 515e. The webservers appear to be configured correctly as our website and FTP website are up. On two of our main website, we have two contact forms that use a simple html for to call a php script that uses smtp as its mailing protocol. Since, I am not the network administrator, I don't quite understand how to read the current configurations on the firewall, but I suspect that port 25 is blocked, which prevents the script from actually working or sending out emails. What I've done to narrow the problem done is the following: I used a wamp server to test our scripts with our smtp servers settings, was able to successfully send an email out to both my gmail and work place accounts. Currently, we have backupexec loaded on both of these servers, and when I try to send out an alert I never receive it. I think because port 25 is closed on both of those servers. I will be posting our configuration. if anyone can take a look and perhaps explain to me how I can change our webservers to communicate and successfully deliver mail via that script, I would gladly appreciate it. our IP range is 172.x.x.x, but it looks like our webservers are using 192.x.x.x with NAT in place. Please someone help.
Thanks,
Jeff Mateo
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password GFO9OSBnaXE.n8af encrypted
passwd GFO9OSBnaXE.n8af encrypted
hostname morrow-pix-ct
domain-name morrowco.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 12.42.47.27 LI-PIX
name 172.20.0.0 CT-NET
name 172.23.0.0 LI-NET
name 172.22.0.0 TX-NET
name 172.25.0.0 NY-NET
name 192.168.10.0 CT-DMZ-NET
name 1.1.1.1 DHEC_339849.ATI__LEC_HCS722567SN
name 1.1.1.2 DHEC_339946.ATI__LEC_HCS722632SN
name 199.191.128.105 web-dns-1
name 12.127.16.69 web-dns-2
name 12.3.125.178 NY-PIX
name 64.208.123.130 TX-PIX
name 24.38.31.80 CT-PIX
object-group network morrow-net
network-object 12.42.47.24 255.255.255.248
network-object NY-PIX 255.255.255.255
network-object 64.208.123.128 255.255.255.224
network-object 24.38.31.64 255.255.255.224
network-object 24.38.35.192 255.255.255.248
object-group service morrow-mgmt tcp
port-object eq 3389
port-object eq telnet
port-object eq ssh
object-group network web-dns
network-object web-dns-1 255.255.255.255
network-object web-dns-2 255.255.255.255
access-list out1 permit icmp any any echo-reply
access-list out1 permit icmp object-group morrow-net any
access-list out1 permit tcp any host 12.193.192.132 eq ssh
access-list out1 permit tcp any host CT-PIX eq ssh
access-list out1 permit tcp any host 24.38.31.72 eq smtp
access-list out1 permit tcp any host 24.38.31.72 eq https
access-list out1 permit tcp any host 24.38.31.72 eq www
access-list out1 permit tcp any host 24.38.31.70 eq www
access-list out1 permit tcp any host 24.38.31.93 eq www
access-list out1 permit tcp any host 24.38.31.93 eq https
access-list out1 permit tcp any host 24.38.31.93 eq smtp
access-list out1 permit tcp any host 24.38.31.93 eq ftp
access-list out1 permit tcp any host 24.38.31.93 eq domain
access-list out1 permit tcp any host 24.38.31.94 eq www
access-list out1 permit tcp any host 24.38.31.94 eq https
access-list out1 permit tcp any host 24.38.31.71 eq www
access-list out1 permit tcp any host 24.38.31.71 eq 8080
access-list out1 permit tcp any host 24.38.31.71 eq 8081
access-list out1 permit tcp any host 24.38.31.71 eq 8090
access-list out1 permit tcp any host 24.38.31.69 eq ssh
access-list out1 permit tcp any host 24.38.31.94 eq ftp
access-list out1 permit tcp any host 24.38.31.92 eq 8080
access-list out1 permit tcp any host 24.38.31.92 eq www
access-list out1 permit tcp any host 24.38.31.92 eq 8081
access-list out1 permit tcp any host 24.38.31.92 eq 8090
access-list out1 permit tcp any host 24.38.31.93 eq 3389
access-list out1 permit tcp any host 24.38.31.92 eq https
access-list out1 permit tcp any host 24.38.31.70 eq https
access-list out1 permit tcp any host 24.38.31.74 eq www
access-list out1 permit tcp any host 24.38.31.74 eq https
access-list out1 permit tcp any host 24.38.31.74 eq smtp
access-list out1 permit tcp any host 24.38.31.75 eq https
access-list out1 permit tcp any host 24.38.31.75 eq www
access-list out1 permit tcp any host 24.38.31.75 eq smtp
access-list out1 permit tcp any host 24.38.31.70 eq smtp
access-list out1 permit tcp any host 24.38.31.94 eq smtp
access-list dmz1 permit icmp any any echo-reply
access-list dmz1 deny ip any 10.0.0.0 255.0.0.0
access-list dmz1 deny ip any 172.16.0.0 255.240.0.0
access-list dmz1 deny ip any 192.168.0.0 255.255.0.0
access-list dmz1 permit ip any any
access-list dmz1 deny ip any any
access-list nat0 permit ip CT-NET 255.255.0.0 192.168.220.0 255.255.255.0
access-list nat0 permit ip host 172.20.8.2 host 172.23.0.2
access-list nat0 permit ip CT-NET 255.255.0.0 LI-NET 255.255.0.0
access-list nat0 permit ip CT-NET 255.255.0.0 NY-NET 255.255.0.0
access-list nat0 permit ip CT-NET 255.255.0.0 TX-NET 255.255.0.0
access-list vpn-split-tun permit ip CT-NET 255.255.0.0 192.168.220.0 255.255.255
.0
access-list vpn-split-tun permit ip CT-DMZ-NET 255.255.255.0 192.168.220.0 255.2
55.255.0
access-list vpn-dyn-match permit ip any 192.168.220.0 255.255.255.0
access-list vpn-ct-li-gre permit gre host 172.20.8.2 host 172.23.0.2
access-list vpn-ct-ny permit ip CT-NET 255.255.0.0 NY-NET 255.255.0.0
access-list vpn-ct-ny permit ip CT-DMZ-NET 255.255.255.0 NY-NET 255.255.0.0
access-list vpn-ct-tx permit ip CT-NET 255.255.0.0 TX-NET 255.255.0.0
access-list vpn-ct-tx permit ip CT-DMZ-NET 255.255.255.0 TX-NET 255.255.0.0
access-list static-dmz-to-ct-2 permit ip host 192.168.10.141 CT-NET 255.255.248.
0
access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 192.168.220.0 255.255.25
5.0
access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 LI-NET 255.255.0.0
access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 NY-NET 255.255.0.0
access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 TX-NET 255.255.0.0
access-list static-dmz-to-ct-1 permit ip host 192.168.10.140 CT-NET 255.255.248.
0
access-list static-dmz-to-li-1 permit ip CT-DMZ-NET 255.255.255.0 CT-NET 255.255
.248.0
access-list vpn-ct-li permit ip CT-NET 255.255.0.0 LI-NET 255.255.0.0
access-list vpn-ct-li permit ip CT-DMZ-NET 255.255.255.0 LI-NET 255.255.0.0
access-list vpn-ct-li permit ip host 10.10.2.2 host 10.10.1.1
access-list in1 permit tcp host 172.20.1.21 any eq smtp
access-list in1 permit tcp host 172.20.1.20 any eq smtp
access-list in1 deny tcp any any eq smtp
access-list in1 permit ip any any
access-list in1 permit tcp any any eq smtp
access-list cap4 permit ip host 172.20.1.82 host 192.168.220.201
access-list cap2 permit ip host 172.20.1.82 192.168.220.0 255.255.255.0
access-list in2 deny ip host 172.20.1.82 any
access-list in2 deny ip host 172.20.1.83 any
access-list in2 permit ip any any
pager lines 43
logging on
logging timestamp
logging buffered notifications
logging trap notifications
logging device-id hostname
logging host inside 172.20.1.22
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside CT-PIX 255.255.255.224
ip address inside 172.20.8.1 255.255.255.0
ip address DMZ 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ctpool 192.168.220.100-192.168.220.200
ip local pool ct-thomson-pool-201 192.168.220.201 mask 255.255.255.255
pdm history enable
arp timeout 14400
global (outside) 1 24.38.31.81
nat (inside) 0 access-list nat0
nat (inside) 1 CT-NET 255.255.0.0 2000 10
nat (DMZ) 0 access-list nat0-dmz
static (inside,DMZ) CT-NET CT-NET netmask 255.255.0.0 0 0
static (inside,outside) 24.38.31.69 172.20.8.2 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.94 192.168.10.141 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.71 172.20.1.11 dns netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.93 192.168.10.140 netmask 255.255.255.255 0 0
static (DMZ,inside) 24.38.31.93 access-list static-dmz-to-ct-1 0 0
static (DMZ,inside) 24.38.31.94 access-list static-dmz-to-ct-2 0 0
static (inside,outside) 24.38.31.92 172.20.1.56 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.91 192.168.10.138 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.90 192.168.10.139 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.72 172.20.1.20 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.73 172.20.1.21 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.70 172.20.1.91 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.88 192.168.10.136 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.89 192.168.10.137 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.74 172.20.1.18 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.75 172.20.1.92 netmask 255.255.255.255 0 0
access-group out1 in interface outside
access-group dmz1 in interface DMZ
route outside 0.0.0.0 0.0.0.0 24.38.31.65 1
route inside 10.10.2.2 255.255.255.255 172.20.8.2 1
route inside CT-NET 255.255.248.0 172.20.8.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server ct-rad protocol radius
aaa-server ct-rad max-failed-attempts 2
aaa-server ct-rad deadtime 10
aaa-server ct-rad (inside) host 172.20.1.22 morrow123 timeout 7
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 173.220.252.56 255.255.255.248 outside
http 65.51.181.80 255.255.255.248 outside
http 208.65.108.176 255.255.255.240 outside
http CT-NET 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community m0rroW(0
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
crypto dynamic-map dyn_map 20 match address vpn-dyn-match
crypto dynamic-map dyn_map 20 set transform-set 3des-sha
crypto map ct-crypto 10 ipsec-isakmp
crypto map ct-crypto 10 match address vpn-ct-li-gre
crypto map ct-crypto 10 set peer LI-PIX
crypto map ct-crypto 10 set transform-set 3des-sha
crypto map ct-crypto 15 ipsec-isakmp
crypto map ct-crypto 15 match address vpn-ct-li
crypto map ct-crypto 15 set peer LI-PIX
crypto map ct-crypto 15 set transform-set 3des-sha
crypto map ct-crypto 20 ipsec-isakmp
crypto map ct-crypto 20 match address vpn-ct-ny
crypto map ct-crypto 20 set peer NY-PIX
crypto map ct-crypto 20 set transform-set 3des-sha
crypto map ct-crypto 30 ipsec-isakmp
crypto map ct-crypto 30 match address vpn-ct-tx
crypto map ct-crypto 30 set peer TX-PIX
crypto map ct-crypto 30 set transform-set 3des-sha
crypto map ct-crypto 65535 ipsec-isakmp dynamic dyn_map
crypto map ct-crypto client authentication ct-rad
crypto map ct-crypto interface outside
isakmp enable outside
isakmp key ******** address LI-PIX netmask 255.255.255.255 no-xauth no-config-mo
de
isakmp key ******** address 216.138.83.138 netmask 255.255.255.255 no-xauth no-c
onfig-mode
isakmp key ******** address NY-PIX netmask 255.255.255.255 no-xauth no-config-mo
de
isakmp key ******** address TX-PIX netmask 255.255.255.255 no-xauth no-config-mo
de
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 86400
vpngroup remotectusers address-pool ctpool
vpngroup remotectusers dns-server 172.20.1.5
vpngroup remotectusers wins-server 172.20.1.5
vpngroup remotectusers default-domain morrowny.comAmit,
I applaud your creativity in seeking to solve your problem, however, this sounds like a real mess in the making. There are two things I don't like about your approach. One, cron -> calling Java -> calling PHP -> accessing database, it's just too many layers, in my opinion, where things can go wrong. Two it seems to me that you are exposing data one your website (with the PHP) that you may not want expose and this is an important consideration when you are dealing with emails and privacy and so on.
I think the path of least resistance would be to get a new user account added to the MySQL database that you can access remotely with your Java program. This account can be locked down for read only access and be locked down to the specific IP or IP range that your Java program will be connecting from.
Again I applaud your creativity but truly this seems like a hack because of the complexity and security concerns you are introducing and I think is a path to the land of trouble. Hopefully you will be able to get a remote account set up. -
So our customer has asked us to compare compare Amazon Workspace and Azure RemoteApp offerings for them to choose from. While looking at Amazon Workspace, it clealy defines bundles with specific CPU cores, memory and user storage. However, Azure RemoteApp
only specifies user storage and vaguely compares its basic vs. standard plans in terms of "task worker" vs. "information worker"
I tried looking up its documentation but couldn't find specific CPU cores that are dedicated per user in basic vs. standard plans. I have following questions:
Can anyone point me in the right direction or help understand how many CPU cores and memory are dedicated (or shared) per user in each plan?
Our customer would most likely need a "custom" image for their custom apps. Is it possible for us to choose specific CPU cores and memory for the users to be able to run their apps in azure remoteapp?
In case i am misunderstanding the basic difference between AWS workspace and Azure RemoteApp, i'd appreciate some help in understanding it as well.
Thanks!Hi,
With Azure RemoteApp users see just the applications themselves, and the applications appear to be running on their local machine similar to other programs. With Workspaces users connect to a full desktop and launch applications within that.
1. Azure RemoteApp currently uses size A3 Virtual Machines, which have 4 vCPUs and 7GB RAM. Under Basic each VM can have a maximum of 16 users using it whereas under Standard each VM is limited to 10 users. The amount of CPU available
to a user depends on what the current demands are on the CPU at that moment from other users and system processes that may be on the server.
For example, say a user is logged on to a VM with 3 other users and the other users are idle (not consuming any CPU). At that moment the user could use all 4 vCPUs if a program they are running needed to. If a few moments later
the other 3 users all needed lots of CPU as well, then the first user would only have approximately 1 vCPU for their use. The process is dynamic and seeks to give each user their fair share of available CPU when there are multiple users demanding CPU.
Under the Standard plan a user will receive approximately a minimum of .4 vCPU assuming that the VM has the maximum number of users logged on and that all users are using as much CPU as possible at a given moment. Under the Basic plan the approximate
minimum would be .25 vCPU.
2. You cannot choose the specific number of cores and memory. What you can do is choose the Azure RemoteApp billing plan, which affects the user density of each VM as described above. If you need a lower density than Standard you
may contact support.
-TP -
How to Read file from Application in DMZ Server (page on DMZ)
Hi All,
i am trying open a file from application server from OAF page on DMZ server .
i am getting the error 'either not supported file type or file is damaged '.
i am taking the path of production server to read the file from DMZ server .
Please let me know what is the issue .
Thanks
RajuPlease post the details of the application release, database version and OS.
i am trying open a file from application server from OAF page on DMZ server .Is the issue with all OAF pages or with specific ones only?
i am getting the error 'either not supported file type or file is damaged '.Please check Apache log files for details about the error (error_log* and access_log*).
i am taking the path of production server to read the file from DMZ server .What type of DMZ configuration you have?
Thanks,
Hussein -
Internet Access to Portal located in DMZ
I've seen questions on the forum regarding gaing Internet access to the Oracle Portal located in the DMZ. This answer does not resolve the issue of having multple DADs to access your portal like abc.com and xyz.com. For that see note:162044.1 on metalink. http://metalink.oracle.com.
If you registered a domain name e.g. abc.com and have the portal up and running in the DMZ. Your local network should be accessing the portal just fine. Your computer name for example is portal. The URL translates into http://portal.abc.com. You opened the ports in the DMZ to allow access and wonder why you get partial portal pages, no login, etc. It's becase users can't resolve the DNS entry for portal.abc.com. Call your ISP and get an "A Record" entry. After a few hours and propogation of the A Record, users on the Internet can successfuly access your site. This A Record should be free.
Good luck
KellanHi,
You've to open the ITS for internet for accessing things from Portal too. As I've told you in previous post, the request goes directly to ITS server (http://itsserver.com/scripts..) and not as (http://myportal.com/scripts..). The idea of having it via Portal will be to mask the URL of ITS , which will not be visible (except for time you click on iview which will display in status bar). In any case, you can directly acces ITS as what you've told, however you give the proxy.
Regards,
Siva
P.S: Award points if you find this useful. -
RemoteApp 2012 problem on windows XP.
Hello
I have a problem with RemoteApp web access on Windows Server 2012 when i connect with Windows XP clients. The internet explorer shows the credential promt always and i can not access to the server. I have not this problem when i connect with windows 7 clients
with Remote Desktop client 8.1. Remote Desktop client 8.1 is not available on windows XP but i have installed 7.0 RDC but the problem continues.
What i have to do to correct this problem?
Thanks and sorry my english.When you say "The internet explorer shows the credential prompt always and i can not access to the server" do you mean it simply keeps re-prompting you to login and doesn't get any further, or are you getting any error messages?
Since you've already installed RDC 7.0, the other two things to check are that the XP machine is running SP3, and that you've enabled CredSSP on there (as it's not enabled by default on XP). To check this, click Start > All Programs > Accessories >
Remote Desktop Connection, then click the little computer icon in the title bar, left of the words "remote desktop connection", then choose "about", or "help > about". If it says "Network Level Authentication not supported"
or has no reference to this at all, you need to enable it. If it's not enabled then have a look at
http://support.microsoft.com/kb/951608 which has instructions for enabling it.
Depending on the options enabled on the 2012 server, it's possible however that you simply can't connect from an XP machine at all. Some of the newer features on 2012 RDP don't support XP as they rely on functionality that is missing from XP. Annoyingly
I can't find a reference to what those features at right now, but I know with our setup (with those features disabled currently) we're able to support XP clients, but have are intending to end support for it so we can enable those features and improve functionality
for the newer clients. -
Windows 8.1 Pro cannot log into RemoteApp running on Windows Server 2012 R2
I have setup a vm running Windows Server 2012 R2 Standard and have enabled multiple RemoteApps. Everything is setup correctly and I can use RD Web Access to access the portal and connect to the remoteapps from any computer except my own. I am
running Windows 8.1 Pro and when I log into the RD Web Access portal, click on one of the apps, it looks like it's loading the session, but gets stuck on Preparing Windows. Everything else up to that point looks like it loads correctly, (i.e. -
Applying Group Policy Settings, applying desktop, etc...). When I log into my Windows 7 dev machine, I can access and run everything just fine. So there must be something between the Windows 8 and 2012 that isn't working quite right.
I have tried logging into the portal as myself and test users...same result.
any ideas?
Jon Wooteni think there is something in your GPOs or collection settings causing an issue
this happens with any remote app, built-in stuff like notepad or just third party apps?
try not doing any kind of printer/device redirection from that host
you can also do winlogon logging to get a better idea of what's going on during the logon operation
you can also use the verbose logon messages GPO to get detailed login status info
if all else fails I think you need to isolate it by creating a test collection and test user with the bare minimum options
Maybe you are looking for
-
What are the roles need to add for webservice user in SAP ECC 6.0
Dear SDNS, Can you please help me to understand , what are the roles needed to add while creating a webservice user in ABAP STACK. Really appreciate your immediate help and response. Thanks and Regards. Suraj
-
Update: Purchase order text
Hi We would like to use the current long text of a material and update the purchase order text programatically with the same data. How can i create the P.O. text without using BDC updates?
-
Stationary/Background pictures question.
Hello, I just had a quick question. I am a new Mac user, I have always used a PC before, and I just bought a mac which I have had for about a week. Anyways, my question is... is there any way to put stationary/background pictures on the e-mail? I can
-
Is it possible to run 2 programs that need different versions of a library?
Hi, I have the following situation. Tomcat 5.0 Server. Program A is running on server, and needs axis 1.1 as a library. Program B is running on the same server, and needs axis 1.4 as a library. Axis 1.1 and 1.4 are not backwards compatible... if I ju
-
PSE 12 with updated Camera Raw will not recognize NEF from Nikon d610
It used to view all my NEF files from the D610, but not seems its broke