Restricting MDM client access when LDAP is in use

Hi all,
I'm struggling a bit with MDM's security concept and hope you can help.
We're using LDAP integration so we don't need to create all users in MDM. Most users shall use the Portal with MDM iViews to access and maintain data. Very few users shall use rich clients, like Data Manager or Import Manager.
Some MDM WebServices run in the background of the portal process to automate some tasks, but still with the portal user authentication to make sure that the change tracking / user stamp fields are filled correctly.
I know that LDAP is either on or off, so if we use it, we must use it for both portal and rich client. This means, everybody with a Data Manager installation and MDMRoles in LDAP can log in to Data Manager and use it according to their role. This, we want to prevent, as Data Manager generally offers way more functionality than we want our endusers to have but which we cannot restrict in the role definition so as not to corrupt our portal integration (e.g. the Web Services need more functional rights than a Data Manager user shall have).
Of course we will restrict who gets an installation of Data Manager, but this is hardly enough to ensure security policy, if people simply install the client software themselves.
We already considered a firewall between client and server and only opening the port 20005 for select users (by fixed IP addresses), but that same port is used by Data Manager and Java API (meaning our portal / Web Services), so we would also restrict the portal access.
Is there a solution to grant portal access for basically everyone and rich client access for a select few while having LDAP in use?
Thanks a lot in advance!
Cheers
Christiane

Hi Christiane,
I think you can restrict more of Data Manager's functionality for an LDAP user. For this user, assign a role which does not have access to create data etc., as per the role assigned to that LDAP user. I mean the user is able to perform operations in Data Manager according to the groups he is a member of (roles in MDM). In MDM Console you have the Role table, where you can see Tables and Fields and Functions; here you can give access "None" for the functions and for tables and fields.
Please refer for more details Page no 4 onwards [Step-by-Step Process to Configure LDAP Support for MDM|http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/8054d5e1-1000-2c10-a09e-a168973f74b5?quicklink=index&overridelayout=true]
Just check and revert with the result.
Hope it helps..
Regards,
Mandeep Saini
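The thread dismisses a firewall on port 20005 because Data Manager and the Java API share it. The connections do not come from the same place, though: the portal's Java API and the MDM Web Services connect from the portal server, which has a fixed address, while Data Manager and Import Manager connect from user workstations. A source-address allow-list on the MDM server that permits the portal host plus the few named workstations therefore keeps portal access open for everyone and closes the rich clients for everybody else, whatever roles LDAP assigns them. The script below is an added example, not part of the thread or of SAP's documentation; the host addresses are assumptions, and the rules are printed rather than applied.

```sh
#!/bin/sh
# Added example, not from the original thread: a source-address allow-list
# for the MDM server port. Addresses below are assumptions for illustration.
MDM_PORT=20005                              # port named in the thread
PORTAL_HOSTS="10.10.1.20"                   # portal server: Java API / MDM Web Services
RICH_CLIENT_HOSTS="10.10.5.11 10.10.5.12"   # workstations allowed to run Data Manager

# Policy check: print "allow" if $1 may open TCP/$MDM_PORT, otherwise "deny".
mdm_port_allowed() {
    src="$1"
    for h in $PORTAL_HOSTS $RICH_CLIENT_HOSTS; do
        if [ "$src" = "$h" ]; then
            echo allow
            return 0
        fi
    done
    echo deny
    return 0
}

# Emit the iptables rules that enforce the same policy on the MDM host.
# They are printed rather than executed so the script is safe to run anywhere;
# pipe the output into sh on the server once it has been reviewed.
mdm_iptables_rules() {
    for h in $PORTAL_HOSTS $RICH_CLIENT_HOSTS; do
        printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$h" "$MDM_PORT"
    done
    # Everything else that reaches the MDM port is logged, then dropped. The log
    # line is the signal that someone installed a rich client on their own.
    printf 'iptables -A INPUT -p tcp --dport %s -j LOG --log-prefix "mdm-denied: "\n' "$MDM_PORT"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$MDM_PORT"
}

mdm_iptables_rules
```

This is a network control that complements, not replaces, the role restrictions suggested in the reply: a user sitting at an allowed workstation can still run Data Manager with whatever rights his LDAP role grants, so the allow-list only decides where the rich clients can be used, and the LOG rule shows who is trying from elsewhere.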

Similar Messages

  • Configured Nacs- how to restrict AAA client access by specified Password

    Hi all
    I have given the below config in the AAA client and added the client in User, Group; the NAR is configured for all clients,
    but my requirement is to restrict AAA client access by a specified password.
    aaa new-model
    aaa group server tacacs+ NACS_Group1
    server 10.x.x.x
    server 10.y.y.y
    aaa authentication login default group NACS_Group1 local
    aaa authentication enable default group NACS_Group1 enable
    aaa authorization config-commands
    aaa authorization exec default group NACS_Group1 if-authenticated
    aaa authorization exec NACS_Group1 group tacacs+ local
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+

    You use the Network Access Restrictions table in the Advanced Settings area of User Setup to set NARs in three ways:
    Apply existing shared NARs by name.
    Define IP-based access restrictions to permit or deny user access to a specified AAA client or to specified ports on an AAA client when an IP connection has been established.
    Define CLI/DNIS-based access restrictions to permit or deny user access based on the CLI/DNIS that is used.
    Note: You can also use the CLI/DNIS-based access restrictions area to specify other values. See the Network Access Restrictions section for more information.

  • Cascaded routers: no internet access when second router not use NAT

    Cascaded routers: no internet access when second router not use NAT
    Here is my setup:
    [pre]
    WAN 

    | 74.96.170.x (WAN IP)         | 
    | Router1(Verizon FiOS Router) | 
    | Model: MI424WR-GEN2 (Rev F)  | 
    | Firmware: 20.21.0.2          |
    | Def router: 74.96.170.1      |
    | 192.168.1.1 (Local IP)       | 
    |
    |  192.168.1.22 (WAN IP)   | 
    |  Router2(Linksys)        | 
    |  Model: WRT54GL v1.1     |
    |  Firmware: v4.30.16      |
    |  Def Router: 192.168.1.1 |
    |  192.168.2.1 (Local IP)  |
    |
    | Computer 192.168.2.160   | 
    | Def Router: 192.168.2.1  | 
    | NO iptables, basic setup |
    [/pre]
    On computer, I have:
    [pre]
    # route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         192.168.2.1     0.0.0.0         UG    2      0        0 enp2s0
    loopback        localhost       255.0.0.0       UG    0      0        0 lo
    192.168.2.0     *               255.255.255.0   U     0      0        0 enp2s0
    [/pre]
    On Router2, I have:
    [pre]
    Routing Table Entry List
    Destination LAN IP | Subnet Mask   | Gateway   | Hop Count | Interface
    192.168.2.0          255.255.255.0   0.0.0.0     1           LAN & Wireless
    192.168.1.0          255.255.255.0   0.0.0.0     1           WAN (Internet)
    0.0.0.0              0.0.0.0         192.168.1.1 1           WAN (Internet)
    [/pre]
    Router2's Operating Mode is Gateway. On Router1, I have: 
    [pre]
    [Router1] Routing Table
    Name                  Destination Gateway      Netmask       Metric   Status
    Network (Home/Office) 192.168.2.0 192.168.1.22 255.255.255.0 0        Applied 
    Network (Home/Office) 192.168.1.0 192.168.1.1  255.255.255.0 0        Applied 
    Routing Protocol: Internet Group Management Protocol (IGMP)
    Default Gateway: 74.96.170.1
    [/pre]
    On computer, I can run tcptraceroute to yahoo.com OK:
    [pre]
    # tcptraceroute yahoo.com
    Selected device enp2s0, address 192.168.2.160, port 46596 for outgoing packets
    Tracing the path to yahoo.com (206.190.36.45) on TCP port 80 (http), 30 hops max
     1  192.168.2.1  0.610 ms  0.729 ms  0.735 ms
     2  192.168.1.1  1.843 ms  1.378 ms  1.363 ms
     3  l100.washdc-vfttp-107.verizon-gni.net (96.241.146.1)  13.620 ms * *
    ... /* It reached the destination. */
    [/pre]
    I want to change Router2's Operating Mode from "Gateway" to "Router" because I
    want to turn off NAT on Router2 so that I can access all computers attached to
    Router2 by their individual IP instead of using port forwarding at Router2.
    The problem is after the mode change from "Gateway" to "Router", and regardless
    whether I disable RIP or enable RIP, and on what interfaces it is enabled, computer
    192.168.2.160 does not have internet connection. 
    Observations:
    [0] INTRAnet works as I can reach computer 192.168.2.160 from computer behind Router1
    192.168.1.x and vice versa.
    [1] ping and traceroute *work* on Router2 itself using the built-in diagnostic tool.
    [2] nslookup on computer 192.168.2.160 always works on new lookup. It uses
    192.168.2.1 as the resolver.
    [3] tcptraceroute stops after step 2:
    [pre]
    # tcptraceroute yahoo.com
    Selected device enp2s0, address 192.168.2.160, port 45999 for outgoing packets
    Tracing the path to yahoo.com (98.139.183.24) on TCP port 80 (http), 30 hops max
     1  192.168.2.1  2.553 ms  0.534 ms  0.638 ms
     2  192.168.1.1  1.342 ms  0.964 ms  0.867 ms
     3  * * *
    [/pre]
    [4] tcpdump shows that computer 192.168.2.160 tries to reach out and nothing is returned:
    [pre]
    13:34:03.172828 IP 192.168.2.160.45999 > 98.139.183.24.http: Flags [S], seq 1122548929, win 0, length 0
    13:34:06.175786 IP 192.168.2.160.45999 > 98.139.183.24.http: Flags [S], seq 1122548929, win 0, length 0
    13:34:09.178804 IP 192.168.2.160.45999 > 98.139.183.24.http: Flags [S], seq 1122548929, win 0, length 0
    [/pre]
    This is not expected because NAT to internet should still be done by Router1, no? Computer
    behind Router1 with IP 192.168.1.x has internet connection.
    [5] It looks like I cannot change the Routing Table Entry on Router2. I do not think I need to change anything,
    just an observation.
    [6] If I use LAN to LAN connection, then both intranet and internet works. [The internet IP of Router2 can be
    anything not in the same subnet of the Router1, and DHCP on the local side should be disabled to avoid conflict
    with the the DHCP on Router1].

    I have a question. Unfortunately in order to ask my question, I have to have a lengthy description of my setup. Basically, I have a second Linksys router in "router" operating mode with NAT disabled connected to the Verizon router, and I have a computer which is in a different subnet (192.168.2.x) behind the Linksys router. This computer can communicate with computers behind Verizon router in subnet (192.168.1.x), but cannot reach internet. This is a simplified version of my question, full details are in the original post.
    If I set up the Linksys router in "gateway" operating mode, which means with NAT enabled, then both intranet and internet work, but there is no easy way to set up port forwarding for 10 computers in the 192.168.2.x network to communicate with 10 computers in the 192.168.1.x network.
    If I set up the Linksys router in a LAN to LAN configuration with the Verizon router, then all computers are in the same subnet; I want them to be in different subnets for access control and things like that.
    I hope this makes things a little clear.
    Thanks.

  • How do I restrict wireless network access to specific devices/computers, using an Airport Extreme, when the WPA2 password is able to be found by other devices?

    I have set up a wireless network in my office using a couple of Airport Extremes, and, for some reason, our Windows computers are able to view the password of the network. Well, given that we employ teenagers, you can imagine what happens when they all find out the password. We want to restrict network access to only those devices we deem necessary. How do I accomplish this?

    SidMed wrote:
    We need 18-20 devices to access, all wirelessly.
    You can keep using your Apple routers as AP devices.. but get a router running a secure OS as the actual router that controls the network..
    If you have 18-20 teens on the network.. then setting quota and restrictions on bandwidth is far more important than time..
    Gargoyle on a cheap router can do it.. eg WNDR3800 or the newer W1024ND v2.
    Simply turn off the wireless in these devices.. and use the ethernet connection to the airport as WAP.
    Honestly you just will never get the security or control using apple domestic routers.

  • Restrict Material Group Access when creating a PO

    Folks-
    I have a scenario where in different material groups are created for different levels
    Ex:
    Machinery - 1500
    Machinery-Warehouse 150010
    Machinery Warehouse Exteriors 15001010
    If I want to restrict the buyer to use only level 3(15001010) of the material groups when creating a PO, how do I do that. Any help or line of though is appreciated.
    Cheers,
    C

    Hi my friend,
    I hope that my tip help you..
    Try activating the BAdI /ISDFPS/PO_POSTED, and inside the method you can create the roles that you need in order to block a group of users, for example. You can check the user through the authority_check_object and validate the material group using the structure existing inside the method of this BAdI.
    The path for this BADI is Materials Management>Purchasing>Business Add-Ins for Purchasing-->BAdI: Define Follow-On Processing for External Purchasing Documents
    Regards,
    Marcelo Rodrigues

  • How to scroll up and down in IBM client access using windows 7 on mac running bootcamp

    How to scroll up and down in Client Access 5250 (AS/400 emulator) using Windows 7 on a Mac running Boot Camp. The keyboard does not function within the Client Access 5250 session?

    You can also share a printer between the Mac/PC as well as files and mounted Volumes, see the Tiger articles here
    http://www.ifelix.co.uk/tech/
    You may want to use Bonjour for Windows on your PC
    http://www.apple.com/macosx/features/bonjour/
    Then there are VNC clients for Mac/PC that also allow you to actually control the other machine, if they aren't in the same room and you just need to check something quick that can be handy, it's kind of slow though for regular use.
    The main benefit of partitioning is being able to have different versions of bootable OS on them. You can try out Leopard on a new partition, while keeping your Tiger partition intact, you can have a XP/Vista partition for parallels or BootCamp, etc... other than that drives are pretty much fast enough, having smaller partitions probably won't realize any significant speed ups over searching the whole large drive.

  • EMC Crash when i try to - reset client access virtual directory

    Hi All,
    I have one Exchange Server 2010 SP3 Rollup 7 installed on Server 2012 R2 Std.
    When I try to reset the client access virtual directory, the MMC is crashing.
    In the event viewer I can find 3 errors after the crash:
    1.
    The program mmc.exe version 6.3.9600.17415 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
     Process ID: 2360
     Start Time: 01d04e7b531a4a0d
     Termination Time: 4294967295
     Application Path: C:\Windows\system32\mmc.exe
     Report Id: 69db84d3-ba91-11e4-80c3-0050569b5787
     Faulting package full name: 
     Faulting package-relative application ID: 
    2. 
    Application: mmc.exe
    Framework Version: v4.0.30319
    Description: The process was terminated due to an unhandled exception.
    Exception Info: System.Reflection.TargetInvocationException
    Stack:
       at Microsoft.ManagementConsole.Executive.MmcThreadMessageWindow.OnThreadException(Exception e)
       at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
       at System.Windows.Forms.UnsafeNativeMethods.DispatchMessageW(MSG& msg)
       at System.Windows.Forms.Application.ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(IntPtr dwComponentID, Int32 reason, Int32 pvLoopData)
       at System.Windows.Forms.Application.ThreadContext.RunMessageLoopInner(Int32 reason, ApplicationContext context)
       at System.Windows.Forms.Application.ThreadContext.RunMessageLoop(Int32 reason, ApplicationContext context)
       at Microsoft.ManagementConsole.Internal.SnapInMessagePumpProxy.Microsoft.ManagementConsole.Internal.ISnapInMessagePumpProxy.Run()
       at Microsoft.ManagementConsole.Executive.SnapInThread.OnThreadStart()
       at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
       at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
       at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
       at System.Threading.ThreadHelper.ThreadStart()
    3.
    Faulting application name: mmc.exe, version: 6.3.9600.17415, time stamp: 0x54504e26
    Faulting module name: KERNELBASE.dll, version: 6.3.9600.17415, time stamp: 0x54505737
    Exception code: 0xe0434352
    Fault offset: 0x0000000000008b9c
    Faulting process id: 0x2014
    Faulting application start time: 0x01d04e9e432feaef
    Faulting application path: C:\Windows\system32\mmc.exe
    Faulting module path: C:\Windows\system32\KERNELBASE.dll
    Report Id: b8276755-ba91-11e4-80c3-0050569b5787
    Faulting package full name: 
    Faulting package-relative application ID: 
    When I try to perform the task from the EMC installed on my PC (Win 7 SP1 x64), everything works fine.
    Thank you.

    Hi Eliran,
    Thank you for your question.
    Are there any update recently?
    We could refer to the following steps to troubleshoot:
    1)disable A/V
    2) Run: DISM.exe /Online /Cleanup-image /Restorehealth
    http://support.microsoft.com/kb/947821/en-gb
    3) follow http://support.microsoft.com/kb/929833/en-gb to upload %WinDir%\Logs\CBS\CBS.log
    4) disable snap-ins except the DNS snap-in
    5) run SDP
    6) enable A/V
    We could also re-install .Net 4.0 to check if the issue persists, using the following link:
    http://www.microsoft.com/en-us/download/details.aspx?id=17718  
    If the issue persists, we could install Exchange 2010 SP3 CU8 from the following link:
    http://www.microsoft.com/en-us/download/details.aspx?id=45225
    If there are any questions regarding this issue, please be free to let me know.
    Best Regard,
    Jim

  • WRT54G2 and WRT54G locks-up (freezes) when blocking web sites using Access Restrictions

    I am convinced that a few Linksys routers such as WRT54G2 and WRT54G have a major issue when blocking web sites using Access Restrictions (Internet Access Policy). After a few hours of internet access by 15 wired users the Linksys locks-up and blocks all internet web access. The only solution is to restart the power on the router.
    We are currently using a Linksys WRT54G2 v1 (firmware 1.0.04). We upgraded the WRT54G2 v1 firmware to the latest 1.0.04 version, which did not resolve the issue.  NOTE: We were previously using a Linksys WRT54G v1.1 (firmware 4.21.1) until the power supply blew a week after we started blocking web sites using Access Restrictions (Internet Access Policy).
    Basically, we have a T1 internet connection and a hub connected to the Linksys router. We are trying to block several web sites such as facebook, myspace, etc. for 15 wired users. We do not use wireless connections.
    This is the 2nd time it happened with 2 different models.
    Please help ASAP.
    Thank you,
    Lance
    (Mod note: Edited post. Some parts off topic.. Thanks!)

    Also, since you have already upgraded/re-flashed the firmware of your Linksys router, you need to reset and reconfigure your router from scratch. Press and hold the reset button for 30 seconds... Release the reset button... Unplug the power cable from your router, wait for 30 seconds and re-connect the power cable... Now re-configure your router...

  • Error when updating Client Access Front End Service to Exchange 2013 Update 6

    When updating to Exchange 2013 Update 6 we received the following error at the Step 11 of 13: Client Access role: Client Access Front End service step: 
    Error:
    The following error was generated when "$error.Clear();
    $fe = get-ActiveSyncVirtualDirectory -server $RoleFqdnOrName -DomainController $RoleDomainController -ErrorAction SilentlyContinue;
    if ($fe -eq $null)
    new-ActiveSyncVirtualDirectory -DomainController $RoleDomainController -Role ClientAccess;
    else
    update-ActiveSyncVirtualDirectory $fe -DomainController $RoleDomainController -InstallIsapiFilter $true
    " was run: "System.Management.Automation.ParameterBindingException: Cannot convert 'System.Object[]' to the type 'Microsoft.Exchange.Configuration.Tasks.VirtualDirectoryIdParameter' required by parameter 'Identity'. Specified method is not supported. ---> System.NotSupportedException: Specified method is not supported.
    at System.Management.Automation.ParameterBinderBase.CoerceTypeAsNeeded(CommandParameterInternal argument, String parameterName, Type toType, ParameterCollectionTypeInformation collectionTypeInfo, Object currentValue)
    --- End of inner exception stack trace ---
    at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(Object input, Hashtable errorResults, Boolean enumerate)
    at System.Management.Automation.PipelineOps.InvokePipeline(Object input, Boolean ignoreInput, CommandParameterInternal[][] pipeElements, CommandBaseAst[] pipeElementAsts, CommandRedirection[][] commandRedirections, FunctionContext funcContext)
    at System.Management.Automation.Interpreter.ActionCallInstruction`6.Run(InterpretedFrame frame)
    at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)".
    Problem was that if you have more than one ActiveSyncVirtualDirectory, the installer for Update 6 fails because it's not expecting an array of virtual directories to be returned. Solution is to remove the "extra" virtual directory, perform the
    installation, and then re-add the virtual directory. 
    None of the other types of virtual directories are susceptible to this, only ActiveSync. 

    Hi,
    Please try to reset registrar state:
    http://tsoorad.blogspot.in/2013/04/lync-2013-ee-pool-wont-start.html
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make
    sure that you completely understand the risk before retrieving any suggestions from the above link.
    Kent Huang
    TechNet Community Support

  • Restrict read/edit access for a Manager, when Manager Visibility is enabled

    Customer wants to restrict read/edit access for a Manager on his/her subordinates' owned record, if manager Visibility is enabled at the company level.
    For example: If SM1 is a manager of SR1 and SM1 owner profile says that he has Edit Access on his owned records then, he will get Edit Access
    on the records owned by his sales rep.
    The current requirement here is that the Manager should not be able to edit the records of his sales rep but should only be able to view them. And managers also
    need Edit/Read access on the records which they own.
    Is there a possible workaround ?

    I have devised this to our customer:
    First, create a custom text field named "Reports To" on the object, say, Accounts.
    Second, use JoinFieldValue to set a default value for the "Reports To" field, equal to the "Reports To" User field value for the current owner.
    Third, add a new value named "Manager Read-Only" to the 'Account Type' picklist. Make sure that this picklist value is active.
    Fourthly, add a new page layout marking all Account Fields as 'read-only' and name it "Account Read-Only layout".
    Fifthly, create a new Account Dynamic Layout and set "Account Read-Only layout"
    for Field Type = "Manager Read-Only".
    Sixthly, create a new workflow rule condition for Account object ( before modified record saved ). Use the workflow rule condition similar to UserValue('<Alias>') = [<ReportsTo>] and set the workflow action to update 'Account Type' picklist value to
    "Manager Read-Only".
    This is just an example. Customer needs to improvise on this.
    Any more suggestions please ?

  • Restrict SCEP Proxy access using %machineid%/AD?

    Hello,
    we want to use AnyConnect with SCEP Proxy enrollment to provision machine certificates to devices which are not members of a Windows domain. We use HostScan to set the CN of the request to %machineid%. This works so far and the certificate gets downloaded to the device.
    The next step would be to restrict access to the provisioning VPN group, so that only already "known" devices are allowed to load certificates. It would be nice if this could be done by secondary authentication if there were also a way to pre-fill the username with %machineid%, but pre-filling seems only possible based on an already existing certificate.
    Some configuration guides suggest that it should be possible to restrict SCEP access via AD, but so far I haven't found any detailed instructions.
    Has anyone succeeded in such a setup? Any hints are much appreciated.
    Thank you,
         J.

    Hi Bora,
    I guess that you are having a username/password for directory manager on OUD proxy (let's say cn=proxymgr / proxypwd), and another username/password for directory manager your ODSEE servers (let's say cn=odseemgr / odseepwd).
    When you connect to OUD proxy using cn=proxymgr to perform a search on your backend, OUD proxy creates a connection to the ODSEE backend with the same credentials (because the proxy is configured in use-client-identity mode), i.e. cn=proxymgr / proxypwd. If this user does not exist on ODSEE (or has the same name with a different password), you get an error 49.
    To avoid this issue, OUD proxy offers configuration parameters in the proxy-workflow-element: the exclude-list and remote-ldap-server-bind-dn / remote-ldap-server-bind-password. You have to add cn=proxymgr to the exclude-list, and set remote-ldap-server-bind-dn to cn=odseemgr, remote-ldap-server-bind-password to odseepwd.
    This way, when connecting with cn=proxymgr, the proxy will know that it should not use the client credentials, but rather cn=odseemgr when talking to the ODSEE backend.
    This concept is explained in OUD admin guide, Configuring the Bind Mode.
    HTH,
    Flo.

  • AnyConnect error " User not authorized for AnyConnect Client access, contact your administrator"

    Hi everyone,
    it's probably just me but I have tried real hard to get a simple AnyConnect setup working in a lab environment on my ASA 5505 at home, without luck. When I connect with the AnyConnect client I get the error message "User not authorized for AnyConnect Client access, contact your administrator". I have searched for this error and tried some of the few solutions out there, but to no avail. I also updated the ASA from 8.4.4(1) to 9.1(1) and ASDM from 6.4(9) to 7.1(1) but still the same problem. The setup of the ASA is straight forward, directly connected to the Internet with a 10.0.1.0 / 24 subnet on the inside and an address pool of 10.0.2.0 / 24 to assign to the VPN clients. Please note that due to ISP restrictions, I'm using port 44455 instead of 443. I had AnyConnect working with the SSL portal, but IKEv2 IPsec is giving me a headache. I have stripped down certificate authentication which I had running before just to eliminate this as a potential cause of the issue. When running debugging, I do not get any error messages - the handshake completes successfully and the local authentication works fine as well.
    Please find the current config and debugging output below. I appreciate any pointers as to what might be wrong here.
    : Saved
    ASA Version 9.1(1)
    hostname ASA
    domain-name ingo.local
    enable password ... encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd ... encrypted
    names
    name 10.0.1.0 LAN-10-0-1-x
    dns-guard
    ip local pool VPNPool 10.0.2.1-10.0.2.10 mask 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif Internal
    security-level 100
    ip address 10.0.1.254 255.255.255.0
    interface Vlan2
    nameif External
    security-level 0
    ip address dhcp setroute
    regex BlockFacebook "facebook.com"
    banner login This is a monitored system. Unauthorized access is prohibited.
    boot system disk0:/asa911-k8.bin
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns domain-lookup Internal
    dns domain-lookup External
    dns server-group DefaultDNS
    name-server 10.0.1.11
    name-server 75.153.176.1
    name-server 75.153.176.9
    domain-name ingo.local
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network LAN-10-0-1-x
    subnet 10.0.1.0 255.255.255.0
    object network Company-IP1
    host xxx.xxx.xxx.xxx
    object network Company-IP2
    host xxx.xxx.xxx.xxx
    object network HYPER-V-DUAL-IP
    range 10.0.1.1 10.0.1.2
    object network LAN-10-0-1-X
    access-list 100 extended permit tcp any4 object HYPER-V-DUAL-IP eq 3389 inactive
    access-list 100 extended permit tcp object Company-IP1 object HYPER-V-DUAL-IP eq 3389
    access-list 100 extended permit tcp object Company-IP2 object HYPER-V-DUAL-IP eq 3389 
    tcp-map Normalizer
      check-retransmission
      checksum-verification
    no pager
    logging enable
    logging timestamp
    logging list Threats message 106023
    logging list Threats message 106100
    logging list Threats message 106015
    logging list Threats message 106021
    logging list Threats message 401004
    logging buffered errors
    logging trap Threats
    logging asdm debugging
    logging device-id hostname
    logging host Internal 10.0.1.11 format emblem
    logging ftp-bufferwrap
    logging ftp-server 10.0.1.11 / asa *****
    logging permit-hostdown
    mtu Internal 1500
    mtu External 1500
    ip verify reverse-path interface Internal
    ip verify reverse-path interface External
    icmp unreachable rate-limit 1 burst-size 1
    icmp deny any echo External
    asdm image disk0:/asdm-711.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    object network obj_any
    nat (Internal,External) dynamic interface
    object network LAN-10-0-1-x
    nat (Internal,External) dynamic interface
    object network HYPER-V-DUAL-IP
    nat (Internal,External) static interface service tcp 3389 3389
    access-group 100 in interface External
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server radius protocol radius
    aaa-server radius (Internal) host 10.0.1.11
    key *****
    radius-common-pw *****
    user-identity default-domain LOCAL
    aaa authentication ssh console radius LOCAL
    http server enable
    http LAN-10-0-1-x 255.255.255.0 Internal
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map External_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map External_map interface External
    crypto ca trustpoint srv01_trustpoint
    enrollment terminal
    crl configure
    crypto ca trustpoint asa_cert_trustpoint
    keypair asa_cert_trustpoint
    crl configure
    crypto ca trustpoint LOCAL-CA-SERVER
    keypair LOCAL-CA-SERVER
    crl configure
    crypto ca trustpool policy
    crypto ca server
    cdp-url http://.../+CSCOCA+/asa_ca.crl:44435
    issuer-name CN=...
    database path disk0:/LOCAL_CA_SERVER/
    smtp from-address ...
    publish-crl External 44436
    crypto ca certificate chain srv01_trustpoint
    certificate <output omitted>
      quit
    crypto ca certificate chain asa_cert_trustpoint
    certificate <output omitted>
      quit
    crypto ca certificate chain LOCAL-CA-SERVER
    certificate <output omitted>
      quit
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable External client-services port 44455
    crypto ikev2 remote-access trustpoint asa_cert_trustpoint
    telnet timeout 5
    ssh LAN-10-0-1-x 255.255.255.0 Internal
    ssh xxx.xxx.xxx.xxx 255.255.255.255 External
    ssh xxx.xxx.xxx.xxx 255.255.255.255 External
    ssh timeout 5
    ssh version 2
    console timeout 0
    no vpn-addr-assign aaa
    no ipv6-vpn-addr-assign aaa
    no ipv6-vpn-addr-assign local
    dhcpd dns 75.153.176.9 75.153.176.1
    dhcpd domain ingo.local
    dhcpd option 3 ip 10.0.1.254
    dhcpd address 10.0.1.50-10.0.1.81 Internal
    dhcpd enable Internal
    threat-detection basic-threat
    threat-detection scanning-threat shun except ip-address LAN-10-0-1-x 255.255.255.0
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    dynamic-filter use-database
    dynamic-filter enable interface Internal
    dynamic-filter enable interface External
    dynamic-filter drop blacklist interface Internal
    dynamic-filter drop blacklist interface External
    ntp server 128.233.3.101 source External
    ntp server 128.233.3.100 source External prefer
    ntp server 204.152.184.72 source External
    ntp server 192.6.38.127 source External
    ssl encryption aes256-sha1 aes128-sha1 3des-sha1
    ssl trust-point asa_cert_trustpoint External
    webvpn
    port 44433
    enable External
    dtls port 44433
    anyconnect image disk0:/anyconnect-win-3.1.02026-k9.pkg 1
    anyconnect profiles profile1 disk0:/profile1.xml
    anyconnect enable
    smart-tunnel list SmartTunnelList1 mstsc mstsc.exe platform windows
    smart-tunnel list SmartTunnelList1 putty putty.exe platform windows
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
    webvpn
      anyconnect profiles value profile1 type user
    username write.ingo password ... encrypted
    username ingo password ... encrypted privilege 15
    username tom.tucker password ... encrypted
    class-map TCP
    match port tcp range 1 65535
    class-map type regex match-any BlockFacebook
    match regex BlockFacebook
    class-map type inspect http match-all BlockDomains
    match request header host regex class BlockFacebook
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 1500
      id-randomization
    policy-map TCP
    class TCP
      set connection conn-max 1000 embryonic-conn-max 1000 per-client-max 250 per-client-embryonic-max 250
      set connection timeout dcd
      set connection advanced-options Normalizer
      set connection decrement-ttl
    policy-map type inspect http HTTP
    parameters
      protocol-violation action drop-connection log
    class BlockDomains
    policy-map global_policy
    class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect dns preset_dns_map dynamic-filter-snoop
      inspect http HTTP
    service-policy global_policy global
    service-policy TCP interface External
    smtp-server 199.185.220.249
    privilege cmd level 3 mode exec command perfmon
    privilege cmd level 3 mode exec command ping
    privilege cmd level 3 mode exec command who
    privilege cmd level 3 mode exec command logging
    privilege cmd level 3 mode exec command failover
    privilege cmd level 3 mode exec command vpn-sessiondb
    privilege cmd level 3 mode exec command packet-tracer
    privilege show level 5 mode exec command import
    privilege show level 5 mode exec command running-config
    privilege show level 3 mode exec command reload
    privilege show level 3 mode exec command mode
    privilege show level 3 mode exec command firewall
    privilege show level 3 mode exec command asp
    privilege show level 3 mode exec command cpu
    privilege show level 3 mode exec command interface
    privilege show level 3 mode exec command clock
    privilege show level 3 mode exec command dns-hosts
    privilege show level 3 mode exec command access-list
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command vlan
    privilege show level 3 mode exec command ip
    privilege show level 3 mode exec command failover
    privilege show level 3 mode exec command asdm
    privilege show level 3 mode exec command arp
    privilege show level 3 mode exec command ipv6
    privilege show level 3 mode exec command route
    privilege show level 3 mode exec command ospf
    privilege show level 3 mode exec command aaa-server
    privilege show level 3 mode exec command aaa
    privilege show level 3 mode exec command eigrp
    privilege show level 3 mode exec command crypto
    privilege show level 3 mode exec command ssh
    privilege show level 3 mode exec command vpn-sessiondb
    privilege show level 3 mode exec command vpnclient
    privilege show level 3 mode exec command vpn
    privilege show level 3 mode exec command dhcpd
    privilege show level 3 mode exec command blocks
    privilege show level 3 mode exec command wccp
    privilege show level 3 mode exec command dynamic-filter
    privilege show level 3 mode exec command webvpn
    privilege show level 3 mode exec command service-policy
    privilege show level 3 mode exec command module
    privilege show level 3 mode exec command uauth
    privilege show level 3 mode exec command compression
    privilege show level 3 mode configure command interface
    privilege show level 3 mode configure command clock
    privilege show level 3 mode configure command access-list
    privilege show level 3 mode configure command logging
    privilege show level 3 mode configure command ip
    privilege show level 3 mode configure command failover
    privilege show level 5 mode configure command asdm
    privilege show level 3 mode configure command arp
    privilege show level 3 mode configure command route
    privilege show level 3 mode configure command aaa-server
    privilege show level 3 mode configure command aaa
    privilege show level 3 mode configure command crypto
    privilege show level 3 mode configure command ssh
    privilege show level 3 mode configure command dhcpd
    privilege show level 5 mode configure command privilege
    privilege clear level 3 mode exec command dns-hosts
    privilege clear level 3 mode exec command logging
    privilege clear level 3 mode exec command arp
    privilege clear level 3 mode exec command aaa-server
    privilege clear level 3 mode exec command crypto
    privilege clear level 3 mode exec command dynamic-filter
    privilege cmd level 3 mode configure command failover
    privilege clear level 3 mode configure command logging
    privilege clear level 3 mode configure command arp
    privilege clear level 3 mode configure command crypto
    privilege clear level 3 mode configure command aaa-server
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:41a021a28f73c647a2f550ba932bed1a
    : end
    Many thanks,
    Ingo

    Hi Jose,
    here is what I got now:
    ASA(config)# sh run | begin tunnel-group
    tunnel-group DefaultWEBVPNGroup general-attributes
    address-pool VPNPool
    authorization-required
    and DAP debugging still the same:
    ASA(config)# DAP_TRACE: DAP_open: CDC45080
    DAP_TRACE: Username: tom.tucker, aaa.cisco.grouppolicy = DfltGrpPolicy
    DAP_TRACE: Username: tom.tucker, aaa.cisco.username = tom.tucker
    DAP_TRACE: Username: tom.tucker, aaa.cisco.username1 = tom.tucker
    DAP_TRACE: Username: tom.tucker, aaa.cisco.username2 =
    DAP_TRACE: Username: tom.tucker, aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
    DAP_TRACE: Username: tom.tucker, DAP_add_SCEP: scep required = [FALSE]
    DAP_TRACE: Username: tom.tucker, DAP_add_AC:
    endpoint.anyconnect.clientversion="3.1.02026";
    endpoint.anyconnect.platform="win";
    DAP_TRACE: Username: tom.tucker, dap_aggregate_attr: rec_count = 1
    DAP_TRACE: Username: tom.tucker, Selected DAPs: DfltAccessPolicy
    DAP_TRACE: Username: tom.tucker, DAP_close: CDC45080
    Unfortunately, it still doesn't work. Hmmm.. maybe a wipe of the config and starting from scratch can help?
    Thanks,
    Ingo

  • Sun Java System Access Manager LDAP Exception

    Hi All,
    I am new to Sun Access Manager. I have deployed amserver.war in my WebLogic 8.1 SP5. I have edited the weblogic.policy file to add permissions for Access Manager. I'm using Sun Directory Server and it is running on port 389. When I'm trying to create a new role in Access Control > Realm - internetDomain > Subjects > Role > New Role, I am getting the following error:
    "Plug-in com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo encountered a ldap exception. LDAP Error 50: The client is authenticated as a user who does not have the access privileges to perform this operation. "
    I have logged in as amAdmin. Below are my DataStore configurations:
    DataStore Type : Sun Directory Server with Access Manager Schema
    LDAP Server : jophissystem.corp.mycompany.com:389
    LDAP BIND NAME : cn=administrator,ou=administrator,dc=corp,dc=mycompany,dc=com
    LDAPv3 Repository Plug-in Class Name: com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo
    LDAPv3 Plug-in Search Scope: SCOPE_ONE
    Please help me on this .
    Regards,
    Jophis

    Rushi-Reliance wrote:
    Kindly let us know how to proceed further as we are waiting for some reply from your team.

    As I already advised in your previous posting (http://forums.sun.com/thread.jspa?threadID=5359095), you are best off re-installing Solaris from scratch and installing Communication Suite 6 update 1 if you cannot get Access Manager 7.1 configured.
    Regards
    Shane.

  • EWS - Office 365 - "One or more subscriptions in the request reside on another Client Access server. GetStreamingEvents won't proxy in the event of a batch request."

    Hello
    My goal is to subscribe for streaming notifications for multiple users at the same time.
    One way to do that is to create multiple StreamingSubscriptionConnections, each containing one StreamingSubscription per user. The problem with this method is that in Office 365 the maximum number of connections opened is 20.
    Another method to solve this problem is by creating one StreamingSubscriptionConnection and then adding all StreamingSubscriptions for each user to the connection. This method solves the maximum number of connections problem and it works fine with Exchange on-premises. But when trying it with Office 365 it will result in the SubscriptionError:
    "One or more subscriptions in the request reside on another Client Access server. GetStreamingEvents won't proxy in the event of a batch request."
    Can anyone help me here?

    With Office 365 you need to group your subscriptions and set the affinity headers; see
    http://msdn.microsoft.com/en-us/library/office/dn458789(v=exchg.150).aspx and
    http://blogs.msdn.com/b/mstehle/archive/2013/07/17/more-affinity-considerations-for-exchange-online-and-exchange-2013.aspx . Take note of the restrictions on the group and other throttling restrictions if you're using only one service account.
    Cheers
    Glen
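    Glen's answer points at the affinity mechanism without showing it. The following is an added example written for this thread in C# against the EWS Managed API; it is not Glen's code and not one of Microsoft's samples. It opens one StreamingSubscriptionConnection per affinity group, sets the X-AnchorMailbox and X-PreferServerAffinity headers on the group's ExchangeService, and keeps the X-BackEndOverrideCookie that the first Subscribe response returns so every later subscription in that group is pinned to the same back-end server. The class and method names (AffinitySubscriber, OpenGroup, NewGroupService), the mailbox addresses, the service-account name, the 30-minute connection lifetime and the per-group mapping are all constructed for illustration; the 200-subscriptions-per-connection cap is taken from the EWS documentation as I recall it, and the grouping itself would in practice come from the Autodiscover GroupingInformation setting that the linked article describes, so verify both against your tenant before relying on them.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using Microsoft.Exchange.WebServices.Data;

// Added example, not code from this thread or from Microsoft's samples.
// Assumes the EWS Managed API 2.x and a service account that holds the
// ApplicationImpersonation role for every mailbox it subscribes to.
static class AffinitySubscriber
{
    // Per-connection ceiling for streaming subscriptions (from the EWS docs as
    // recalled; verify). The per-tenant connection limit from the original
    // post still applies on top of this.
    const int MaxSubscriptionsPerConnection = 200;

    // One ExchangeService per affinity group. The two headers ask Exchange Online
    // to pin the session to the back end that hosts the anchor mailbox.
    static ExchangeService NewGroupService(string anchorMailbox, string user, string password)
    {
        var service = new ExchangeService(ExchangeVersion.Exchange2013)
        {
            Url = new Uri("https://outlook.office365.com/EWS/Exchange.asmx"),
            Credentials = new WebCredentials(user, password),
            CookieContainer = new CookieContainer()   // retains X-BackEndOverrideCookie
        };
        service.HttpHeaders.Add("X-AnchorMailbox", anchorMailbox);
        service.HttpHeaders.Add("X-PreferServerAffinity", "true");
        return service;
    }

    // Subscribes every mailbox in one affinity group and returns the single
    // open connection that carries all of those subscriptions.
    public static StreamingSubscriptionConnection OpenGroup(
        IList<string> mailboxes, string user, string password)
    {
        if (mailboxes.Count == 0 || mailboxes.Count > MaxSubscriptionsPerConnection)
            throw new ArgumentOutOfRangeException(nameof(mailboxes));

        ExchangeService service = NewGroupService(mailboxes[0], user, password);
        var connection = new StreamingSubscriptionConnection(service, 30); // lifetime in minutes

        foreach (string smtp in mailboxes)
        {
            service.ImpersonatedUserId = new ImpersonatedUserId(ConnectingIdType.SmtpAddress, smtp);
            StreamingSubscription subscription = service.SubscribeToStreamingNotifications(
                new FolderId[] { WellKnownFolderName.Inbox }, EventType.NewMail, EventType.Created);
            connection.AddSubscription(subscription);

            // The first Subscribe response sets X-BackEndOverrideCookie; the shared
            // CookieContainer replays it, so later subscriptions land on the same server.
            Cookie affinity = service.CookieContainer.GetCookies(service.Url)["X-BackEndOverrideCookie"];
            if (affinity == null)
                Console.WriteLine("no affinity cookie returned after subscribing " + smtp);
        }

        connection.OnNotificationEvent += (sender, args) =>
        {
            foreach (NotificationEvent e in args.Events)
                Console.WriteLine("{0}: {1}", args.Subscription.Id, e.EventType);
        };
        connection.OnSubscriptionError += (sender, args) =>
            Console.WriteLine("subscription error: " + args.Exception.Message);
        connection.OnDisconnect += (sender, args) =>
        {
            // Exchange closes the connection when its lifetime expires; reopen on a
            // clean close, and let an error-driven close surface instead.
            if (args.Exception == null) ((StreamingSubscriptionConnection)sender).Open();
        };

        connection.Open();
        return connection;
    }

    static void Main()
    {
        // Constructed grouping: in production the groups come from the Autodiscover
        // GroupingInformation setting referenced in the linked article.
        var groups = new Dictionary<string, string[]>
        {
            ["group-A"] = new[] { "alice@example.com", "bob@example.com" },
            ["group-B"] = new[] { "carol@example.com" }
        };
        var connections = new List<StreamingSubscriptionConnection>();
        foreach (var group in groups)
            connections.Add(OpenGroup(group.Value, "svc-ews@example.com", "<service account password>"));

        Console.WriteLine("press Enter to stop");
        Console.ReadLine();
        foreach (var c in connections) c.Close();
    }
}
```

    The design point is that the ExchangeService object, not the individual subscription, is what carries the affinity state (headers plus cookie container), so all subscriptions that share a connection must be created through the same service object; mixing services across one connection is exactly what produces the "reside on another Client Access server" error quoted in the question. Putting mailboxes from different groups on one connection will still fail even with the headers set, which is why the grouping step matters as much as the headers.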

  • MDM Clients not responding

    Hi All,
    I am not able to access any of my MDM clients.
    In console, when I mount the MDM server, the cursor gets stuck in the busy mode and nothing happens after that.
    Other clients (Import Manager, Data Manager and Syndicator): when I click on them, the clients don't open, but I see the processes running in the task manager.
    MDM server is up and running.
    What might be the problem?
    Please give me your inputs.
    Regards,
    Sravan

    Hi John,
    I am using a system with a 32 bit Windows 7 Professional OS to connect to the clients.
    The MDM version is MDM 7.1 SP 07.
    This is not the first time I am connecting through this system. I was not facing this issue before.
    Just wondering what would have gone wrong now.
    Regards,
    Sravan
