TMG 2010- SSL web access via port 2096

I configured TMG 2010 some time ago with additional SSL ports so that our internal users can access an externally hosted https website on port 2096. It worked fine for almost a year, until today...
Here is the TMG configuration:
C:\Users\marcos\Desktop>cscript "show added ports.vbs"
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.
NNTP: 563-563
SSL: 443-443
SSL 2083: 2083-2083
SSL 2096: 2096-2096
I could try to recreate the added ports but I'm reluctant to do that because it may require a restart (downtime) and probably won't solve the issue.
Many thanks for your help!
Marco S

Hi,
are you sure that the configuration of the SSL extension has been lost? Have you looked into the TMG realtime logging to see the reason why the clients cannot access the website over port 2096?
regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.galileocomputing.de/3276?GPP=MarcGrote

Similar Messages

  • Remote TC access via port forwarding

    I have been trying to setup my network for remote TC access via port forwarding. Here's my setup:
    Verizon FiOS router (main router, dhcp & nat) -> connected to TC set in bridge mode with a static IP
    I can remotely access the TC using Back to my Mac with no problems, and of course locally on the home network via Wifi.
    Since the TC has to connect in bridge mode, port forwarding is done on the FiOS router.
    If I set a port forwarding rule in the FiOS router TCP,UDP (any) to port 548, it works. However I want to use a specific connection port
    so others can't connect unless they know the forwarded port. BTW, I have remote disk sharing set with Use Device Password.
    So here's what works:
    FiOS Router (TCP any -> 548, UDP any ->548)
    What doesn't work:
    FiOS router (TCP 8990 -> 548, UDP 8990 -> 548).
    Is there any additional setting required for specific port forwarding to work?

    You're my hero!
    I also have my TC in Bridge Mode to my Verizon FIOS Router.  I used to be able to access my TC remotely, but since I upgraded my router (MI424WR GigE), I had forgotten some port forwarding rules I must have established in my old router.  Once I re-created these two port forwarding rules (just like yours), I can remote access my TC (with TC password) again.
    In addition, I have a static host name aliased to my dynamic IP address through dyndns.org (I have the free version, which I don't think is available anymore, but there are other free providers out there) for easier remote access.
    Regarding, Secure Share Disks: with TC password vs a disk password. Is one more secure than the other?
    Thanks!

  • WebAS access via Portal: Web Dispatcher required for load balancing ABAP

    Hi Folks -
    We have EP 6.0 SP18 (Java only, WebAS 6.40, Unix/Solaris).  The portal has a CI/SCS and one DI so we have a Web Dispatcher to load balance the portal servers. This works fine (and provides port 80 access).
    This portal will provide access to HTTP services from an ABAP WebAS (6.20 with 6.40 kernel, Unix/Solaris). A landscape configuration entry has been added to the portal for this ABAP system. The ABAP system has a CI and multiple app servers, all capable of handling HTTP requests.  This will also require port 80 access.
    1. Will we need an additional Web Dispatcher to load balance HTTP requests to the 'backend' ABAP WebAS system, or will the portal be smart enough to handle the load balancing itself (perhaps based on the information in the landscape configuration)?
    2. If the portal itself handles the HTTP load balancing can you point me to documentation (so I can make sure I have proper configuration)? 
    3. Are there any changes to this with NW2004s Portal (we plan to upgrade soon)?
    Thanks in advance!  Jeff

    Jeff,
    Regarding:
    Q1. If you create a system object from the "SAP system with load balancing" template in portal and configure the object to point to your CI (msg server), the LB should be handled.
    Q2. Portal load balancing is handled by the message server.  If you point a test URL to the port of your message server, you will notice that you are issued a redirect to the URL of your dialog instance.  The web dispatcher is just a proxy (with some intelligence).  When a request is made to the WD, it makes a connection to the MSG server, the list of active instances is queried, a redirect is made to that instance.  If you use WD, that connection can be proxied behind a standard URL.   If you connect directly to the MSG Server instead, you will notice your URL change, just as it does on the service marketplace.
    WDs are good for providing services, masked (proxied) behind virtual names.  If you do not want the customer to see a physical URL of the server, use the WD.  There are lots of other solutions that can do this too though such as Apache, ISA, Juniper devices, Cisco LDs.  WDs have a very low performance threshold though, especially if you use SSL. WD is a performance bottleneck and should be benchmarked to see if it is right for your application.
    Q3. No changes to this architecture in 04s.
    jwise

  • TFS 2010 Team Web Access Work Items not loading dropdowns and not saving

    Some of our users have lost their ability to add new work items. When they select New -> Bug the WorkItemEdit page opens, but none of the dropdowns load and required fields are no longer highlighted. When they click save it acts like
    it refreshes, but actually nothing is saved and work item numbers are not assigned. No error message is displayed. This also occurs when they try to edit existing work items. We have checked permissions and these have not changed. We have cleared cache
    and rebooted the server and local laptops. Is there anywhere else we can check to see what is going on? Anyone else have this issue before? It seems like we are losing another person's capabilities every day.

    Thank you for your help. We have SP1 scheduled for install Monday morning. However, we have been running a lot of tests. We are testing mainly in Chrome and IE 9 browsers.
    I was able to get 2 users back up and working. Not sure what fixed them, but I had them log into the server and test there. Accessing the web portal on the server worked for them and when they went back to their laptops their full capabilities
    were working there again. I have since removed their rdp access to the server and the capabilities are still working correctly on their laptops.
    However, I have a 3rd user that I had log into the server and updating and creating new work items did not work for him. This is the error he receives when opening a work item. This user did try testing in Mozilla one day this week.
    Webpage error details
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
    Timestamp: Fri, 6 Feb 2015 14:23:43 UTC
    Message: 'undefined' is null or not an object
    Line: 459
    Char: 9
    Code: 0
    URI: http://synqtfs2:8080/tfs/web/ScriptResource.axd?d=FYYkafvHmJyg7KmGDtGowHNi60MyDp_sPy-aHe4FCjNjVsni06fZnOIXJiFxZpzcMt92dwoABVR433z1HUUKi-9aLOEO651UC75HFjmS7hvUIPs_HbO_gMhEIFzDLJCRn3-zV0_qstaTszOYGGcLVSqLpmbOMg9VwaYgOa0o__3xszzq_OYpQwOuLyDFEZY_2zbcjg2&t=ffffffffe8aa60f2
    Message: 'this.m_scrollCell.style' is null or not an object
    Line: 513
    Char: 9
    Code: 0
    URI: http://synqtfs2:8080/tfs/web/ScriptResource.axd?d=FYYkafvHmJyg7KmGDtGowHNi60MyDp_sPy-aHe4FCjNjVsni06fZnOIXJiFxZpzcMt92dwoABVR433z1HUUKi-9aLOEO651UC75HFjmS7hvUIPs_HbO_gMhEIFzDLJCRn3-zV0_qstaTszOYGGcLVSqLpmbOMg9VwaYgOa0o__3xszzq_OYpQwOuLyDFEZY_2zbcjg2&t=ffffffffe8aa60f2

  • Web Access via a proxy server not working

    We are developing an application on weblogic that needs to connect to the internet,
    login and retrieve information back into weblogic. We have a problem where this
    works on a direct connection to the net, but via a proxy server we get:
    <21-Aug-03 10:18:38 BST> <Info> <net> <000900> <Could not open connection
    java.net.ConnectException: Operation timed out: connect
    java.net.ConnectException: Operation timed out: connect
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:350)
    at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:137)
    at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:124)
    at java.net.Socket.<init>(Socket.java:268)
    at java.net.Socket.<init>(Socket.java:122)
    at weblogic.net.http.HttpClient.openServer(HttpClient.java:213)
    at weblogic.net.http.HttpClient.openServer(HttpClient.java:274)
    at weblogic.net.http.HttpClient.<init>(HttpClient.java:126)
    at weblogic.net.http.HttpClient.New(HttpClient.java:168)
    at weblogic.net.http.HttpURLConnection.connect(HttpURLConnection.java:111)
    at weblogic.net.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:158)
    at com.dnb.globalaccess.SSLConnection.<init>(SSLConnection.java:89)
    at com.dnb.globalaccess.XmlHandler.run(XmlHandler.java:157)
    >
    Failed to login to D&B - com.dnb.globalaccess.ServerException
    Does anyone have any ideas on what this is or means? Has anyone come across
    similar issues with proxy servers?

    Thanks Criag.
    For anyone else's reference, my odiparams.bat file now has a line something like:
    set ODI_ADDITIONAL_JAVA_OPTIONS=-Dhttp.proxyHost=myproxyhost.com -Dhttp.proxyPort=proxyPortNumber -Dhttp.proxyUser=someUserName -Dhttp.proxyPassword=somePassword "-Dhttp.nonProxyHosts=127.0.0.1|someInternalHost.com"
    Note the -Dhttp.nonProxyHosts (which is the proxy exceptions list) is in quotes to escape the pipe character (for windows at least).
    Also, check out: [http://java.sun.com/j2se/1.4.2/docs/guide/net/properties.html]
    Matt

  • Disable access via insecure port 7001

    Is there a way in OVM Manager 3.1.1 to disable access via port 7001 and only allow access via the encrypted port 7002 through the web interface? I have a customer that is trying to lock things down security wise and they would like to see that happen. Thanks!

    Did you try this in the weblogic console?
    http://yourserver:7001/console

  • TMG 2010 publishing Exchange 2010 OWA cannot change password if user must change password at first logon is set

    Hi,
    I have an odd issue whereby if I set "user must change password" on an AD account, the end user cannot logon, they're simply taken back to the OWA login page as if their password is incorrect.
    My setup is as follows:
    outer TMG -- uses a listener for email.contoso.com and is configured for no authentication. This uses a publishing rule to publish the inner TMG server. This server is not a domain member.
    inner TMG - uses a listener for email.contoso.com and is configured for NTLM\Kerberos negotiation with forms authentication (Windows Active Directory). This server is a domain member and uses a publishing rule to publish the internal CAS. Allow users to change
    password is selected in the publishing rules.
    Exchange 2010 SP1 - uses integrated windows and basic authentication. Has the appropriate registry key configured to allow users to change their AD password on first logon.
    I've registered an SPN for "http/email.contoso.com mailserver-dc1", all SSL certificates being used are valid and my configuration used to allow users to login and change their password with "user must change password on first login"
    set in AD.
    If I launch a web browser on an internal server and point it to email.contoso.com I'm immediately presented with a generic Windows authentication request (similar to what's seen in ADFS) rather than the standard OWA page. No matter what I do, I cannot login
    and change my password using the correct URL. However if I point my browser at
    http://192.168.4.10/owa I'm prompted to login and I can change my password using the same credentials.
    The only recent changes made are:
    - Disabling SSL 3.0 and enabling TLS  (http://www.isaserver.org/articles-tutorials/configuration-security/improving-ssl-security-forefront-threat-management-gateway-tmg-2010-published-web-sites.html)
    - Replacing the TMG listener certificates so that they now use SHA2 rather than SHA2 (certificates are trusted on each TMG server)
    Looking on the outer TMG and the DC logs I can see schannel errors which I believe are related to the problem. TMG monitoring also shows "Failed connection attempt: 1907 The user's password must be changed before logging on for the first time"
    I've checked that my inner TMG and DC are using the same certificate for server authentication and gone through this guide:
    http://blogs.technet.com/b/keithab/archive/2012/02/29/setting-up-and-troubleshooting-ldaps-authentication-in-forefront-tmg-2010.aspx
    If I try to use ldp.exe on the inner TMG, I get the error in the pic below
    Thanks
    IT Support/Everything

    Hi,
    You could try to analyze the TMG tracing and try the troubleshoot steps in the blog below.
    TMG 2010 – FBA, troubleshooting the change password feature 
    http://blogs.technet.com/b/isablog/archive/2012/05/07/tmg-2010-fba-troubleshooting-the-change-password-feature.aspx
    Best Regards,
    Joyce

  • RD Gateway and RD Web Access - better together or on different servers?

    I am evaluating Remote Desktop Services with 2012 R2 and initially I had all the roles on 1 server for testing.  I began thinking it would be a better setup to split the RD Gateway role and the RD Webaccess role into different servers for security purposes.
     This way I could expose only the RD Gateway to the internet and the Web Access role would not be exposed.  In all my reading and searching it seems that nearly every article I come upon has both RD Gateway and Web Access installed on the same system.
    What is the ideal setup from a security standpoint: to have these two roles separate, or does it not matter?  If it does not matter then I will set up 1 server with Gateway and Web Access and I will then have other servers for licensing, broker, session
    host, and virtualization host once I move this into production.
    If these roles are on the same system how do I know if the gateway role is doing anything?  Is the FQDN\rdweb the correct URL to use even when the gateway is implemented?  
    If they are separate how do I tell the gateway and web access servers to use each other?  

    Hi,
    As far as I know, it’s fine to have RD Gateway and RD Web Access roles installed on the same server.
    “Normally external users would log on to RD Web Access via tcp port 443, click on a RemoteApp and connect to RD Gateway via
    tcp 443/udp 3391, RDG connects them to RDCB on tcp 3389 which redirects them to a RDSH server, finally the RDG connects to the RDSH on tcp 3389/udp 3389.”
    Quoted from TP in this post below:
    RD Gateway and RD web issue
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/5ab40559-23f7-4ebc-b60d-87375cc55674/rd-gateway-and-rd-web-issue?forum=winserverTS
    More links below for you:
    RD Gateway deployment in a perimeter network & Firewall rules
    http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx
    Remote Desktop Gateway/Web Server Placement
    https://social.technet.microsoft.com/forums/windowsserver/en-US/b2970cf5-a5b5-494c-88b7-cd6e01f84bb6/remote-desktop-gatewayweb-server-placement
    Best Regards,
    Amy
    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
    [email protected]

  • Ironport Web Access

    Having this strange problem accessing the web portal of my management interface. The appliance will not respond to the request.... connections get refused. The problem exists only on the management interface.... the data interface continues to process the URL request from clients. Pings from a system outside the management interface's subnet fail.... pings from a system within the same subnet of the management interface are successful, though request for the management portal fail within the same subnet.
    The only way that I can get to the web portal is if I directly connect the management interface to a computer's network card, bypassing any switching or routing device. I have reconfigured the management interface with a different ip address on a different subnet, but that resulted in the same problem behavior.
    Any ideas as what could be the culprit here.....
    Thanks -

    If everything is in default settings, the M1 interface can be accessed via port 8080 and port 8443 using HTTPS.
    When ping is still responsive, the issue could be on the port communication. Have you tried running telnet on the client in the same subnet to IP address of the M1 interface on the communication port set in the WSA (8080 and 8443)?
    If the telnet test failed on both ports, it could indicate something in your network is blocking it.
    -Donny
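    A scripted version of the telnet test suggested above, added here as an example that is not part of the original reply: it classifies each management port as open, refused or timed out, which is the distinction that tells you whether the appliance is answering (nothing listening on that port, or a rejecting filter) or something in the path is silently dropping packets even though ICMP gets through. It assumes Python 3 only; the appliance address, the default ports 8080/8443 and the loopback demo are constructed for illustration.

    ```python
    import socket
    from typing import Dict, Iterable

    # The four outcomes a TCP connect attempt can have; each points at a
    # different layer of the problem.
    OPEN, REFUSED, TIMEOUT, UNREACHABLE = "open", "refused", "timeout", "unreachable"


    def probe_tcp_port(host: str, port: int, timeout: float = 3.0) -> str:
        """Classify a single TCP connect the way a manual telnet test would."""
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                return OPEN
            except ConnectionRefusedError:
                # The host answered with a RST: it is reachable, but nothing is
                # accepting on that port (service down, wrong port, or a
                # firewall configured to reject rather than drop).
                return REFUSED
            except socket.timeout:
                # No answer at all: SYNs are being dropped somewhere in the path.
                return TIMEOUT
            except OSError:
                # e.g. "no route to host" / "network unreachable"
                return UNREACHABLE


    def probe_management_ports(host: str,
                               ports: Iterable[int] = (8080, 8443)) -> Dict[int, str]:
        """Probe the WSA management ports (8080 HTTP, 8443 HTTPS by default)."""
        return {p: probe_tcp_port(host, p) for p in ports}


    def interpret(ping_ok: bool, results: Dict[int, str]) -> str:
        """Turn ping + port results into the next troubleshooting step."""
        outcomes = set(results.values())
        if outcomes == {OPEN}:
            return "management ports reachable; the problem is in the web service itself"
        if ping_ok and outcomes == {REFUSED}:
            return "host is up but nothing accepts on the management ports (service, port config, or a rejecting filter)"
        if ping_ok and TIMEOUT in outcomes:
            return "ICMP passes but TCP is dropped: something in the path is filtering the ports"
        return "host not reachable at IP level; fix routing/VLAN before looking at ports"


    def run_local_demo() -> Dict[str, str]:
        """Constructed offline demo: one listening loopback port and one closed one."""
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
            listener.bind(("127.0.0.1", 0))
            listener.listen(1)
            open_port = listener.getsockname()[1]
            # Bind a second socket only to learn a free port, then release it,
            # so connecting to it yields a clean "refused".
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
                tmp.bind(("127.0.0.1", 0))
                closed_port = tmp.getsockname()[1]
            return {
                "listening": probe_tcp_port("127.0.0.1", open_port, timeout=1.0),
                "closed": probe_tcp_port("127.0.0.1", closed_port, timeout=1.0),
            }


    if __name__ == "__main__":
        print(run_local_demo())
        # Against a real appliance (placeholder address):
        # results = probe_management_ports("192.0.2.10")
        # print(interpret(ping_ok=True, results=results))
    ```
    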

  • MS Exchange 2010 Outlook Web App "Untrusted Connection" error in Firefox. No issue with IE or Chrome

    I installed the Microsoft Root CA Certificate on my computer (for Exchange 2010 Outlook Web Access), but Firefox shows a "This Connection is Untrusted" error (Error code: sec_error_unknown_issuer). IE and Chrome work fine.
    My firefox version is 18.0.1.
    I want to fix this issue without adding an exception. Please help.

    Try to export those certificates in IE and import the certificates in Firefox.
    *Tools > Options > Advanced : Encryption: Certificates - View Certificates
    If this is to be a root certificate then you need to set the applicable trust bits.

  • Lync 2013 clients behind TMG 2010

    Hi
    My scenario is as follows:
    Lync Client 2013 --> TMG 2010 --> ISP Router (without filtered ports)
    I have a problem with this scenario because TMG drops my voice calls and suddenly drops the connection with the server. In TMG I created the following rule:
    From internal to external, and URL Set (*.microsoftonline.com,
    *.microsoftonline-p.com , *.onmicrosoft.com, sharepoint.com, *.outlook.com )
    Protocols: http, https, RTP, SIP, Sip Server, Sips, Sips Server,
    50040-50059 TCP Outbound
    50000-50019 UDP Send Receive
    3478 UDP Send Receive
    59999 UDP Send Receive
    50020-50039 UDP Send Receive
    So what is the problem with this TMG 2010 (with all updates, SPs and rollups)?
    Thanks

    Hi,
    The following blog might help.
    http://www.jaapwesselius.com/2012/12/21/publish-lync-2013-services-in-tmg-2010/
    (Note: Microsoft provides third-party contact information to help you find technical support. This contact
    information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.)
    Best Regards,
    Joyce

  • Can't open ports on TMG 2010

    The main issue is that the external Lync clients can't connect to the Lync server. The reason this happens is blocked ports on TMG.
    There are Non-web server publishing rules set up allowing inbound connections from the public IP to the Lync Edge server's external IP using TCP ports: 443, 444, 445, 5061, 50000-59999 (inbound).
    All the rules used to work fine and the external Lync clients were connecting fine, but now when I test the ports on the public IP using
    web tools (like checkmyports.net) I am getting "Port is Closed" for all of them.
    What is not allowing the ports to be open?
    Nothing has been changed on the TMG server. The other rules (ActiveSync and OWA access) on the TMG work with no problem.
    Any help would be greatly appreciated!

    Hi,
    Thank you for your post here.
    Please double check your configuration via the article below:
    http://ucbeacon.blogspot.com/2013/03/configure-forefront-tmg-2010-as-reverse.html
    Please also check the TMG live logging.
    Best Regards
    Quan Gu

  • Coldfusion 11 - Web Sockets via SSL

    Help!
    I can't seem to figure out how to handle WSS (WebSockets over SSL). I have a cert that has already been sent/received by the verifier. I have a cert and an intermediate cert. I've been looking at documentation and from what I've gathered I need to add the certs to the "keystore". I issued a command like this ->>>  D:\CF11\jre\bin\keytool -import -v -alias myCert-cert -file myCert.cer -keystore D:\CF11\jre\lib\security\cacerts -storepass changeit <-- I see the cert is added, and if I list the keystore I see the number of certs increased by one. I then enable the SSL WS, use the default port (built-in server, not proxied), point it to the keystore D:\CF11\jre\lib\security\cacerts and for the password I simply use the default changeit. I've modified my cfcode to have the secure="true" attribute. So I think everything is set up correctly ... but when I go to the webpage the web socket will try to connect and then simply not connect (Firebug says the connection was refused). The code works fine removing the secure attribute and accessing via http. So I guess I'm not sure exactly what I should be doing. Can I use the same cert that I had created via IIS? The cert looks valid. Furthermore, I see nothing showing up in the log files. I see a log called WebSocket.log but the size is 0, and nothing is being thrown in the exception log either. I'm completely confused.

    Hi Sharma,
    I also sent you a note directly via email (see below). I am having a similar issue to Prem without resolution.
    Our CF11 server configuration:
    Windows 2012 Server R2
    IIS 8
    We have a *.balboadigital.com registered RapidSSL certificate installed on our server which resolves to https://dev.balboadigital.com on this particular development box. I've been unable to locate any online resources which would show me how to utilize this certificate for websockets within CF11. Due to this, I was happy to find your reference to try a self-signed certificate. I followed your instructions. Here is the breakdown:
    1. I generated the keystore per your instructions which created the websocket.crt file.
    2. The CF server XML was uncommented and updated to:
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
                   maxThreads="150" scheme="https" secure="true"
                   clientAuth="false" sslProtocol="TLS"
                    keystoreFile="C:\ColdFusion11\jre\bin\websocket.crt" keystorePass="[my password]"/>
    3. I restarted the  CF11 Application Windows service.
    4. The "Use Built-In WebSocket Server" radio button was selected with PORT: 8575 for non-SLL and PORT: 8543 for SSL as defaults. The KeyStore was set to "C:/ColdFusion11/jre/bin/websocket.crt" and the KeyStore Password to "[MyPassword]" and changes posted.
    5. I restarted the  CF11 Application Windows service.
    6. I then ran a test web page: https://dev.balboadigital.com/admin/websocket/index_withssl.cfm (this is live for you to test)
    Application.cfc
    <CFCOMPONENT>
        <CFSCRIPT>
        this.name = "balboa";
        this.wschannels = [{name="phone"}];
        </CFSCRIPT>
    </CFCOMPONENT> 
    index_withSSL.cfm
    <script type="text/javascript">
        // Handler for messages pushed by the ColdFusion WebSocket object
        function mymessagehandler(atoken) {
            if (atoken.data != null) {
                var message = ColdFusion.JSON.encode(atoken.data);
                var txt = document.getElementById("myDiv");
                txt.innerHTML += message + "<br>";
            }
        }
        // Publish the input box contents to the "phone.4" channel
        function publishmessage() {
            var msg = document.getElementById("message").value;
            mycfwebsocketobject.publish("phone.4", msg);
        }
    </script>
    <cfwebsocket name="mycfwebsocketobject"  onmessage="mymessagehandler" subscribeto="phone" secure="true">
    "Phone" Message: <input id ="message" type="text" > <input type="button" onclick="publishmessage();" value="Publish Message"><br />
    <cfdiv id="myDiv"></cfdiv> 
    The test fails and returns the following from the Google Chrome Console:
    WebSocket connection to 'wss://dev.balboadigital.com:8543/cfusion/cfusion' failed: WebSocket opening handshake was canceled
    7. The script was copied and modified to eliminate SSL as follows: http://dev.balboadigital.com/admin/websocket/index_nossl.cfm (this is live for you to test)
    index_nossl.cfm
    <script type="text/javascript">
        // Handler for messages pushed by the ColdFusion WebSocket object
        function mymessagehandler(atoken) {
            if (atoken.data != null) {
                var message = ColdFusion.JSON.encode(atoken.data);
                var txt = document.getElementById("myDiv");
                txt.innerHTML += message + "<br>";
            }
        }
        // Publish the input box contents to the "phone" channel
        function publishmessage() {
            var msg = document.getElementById("message").value;
            mycfwebsocketobject.publish("phone", msg);
        }
    </script>
    <cfwebsocket name="mycfwebsocketobject"  onmessage="mymessagehandler" subscribeto="phone">
    "Phone" Message: <input id ="message" type="text" > <input type="button" onclick="publishmessage();" value="Publish Message"><br />
    <cfdiv id="myDiv"></cfdiv> 
    This test passes and works as expected, but no SSL.
    Please advise as our application absolutely requires that SSL is working for us.
    Thanks,
    Kevin

  • Consuming a Web Service via SSL with Basic Authentication

    Hello,
    I have a simple web service (returns a parameter value) and want to consume it. Therefore I have generated a proxy for it in Netweaver Studio SP13.
    When I set up the web service to be accessed via HTTP and Basic Authentication (Username/Password), everything is fine. When I set up the web service to communicate via HTTPS, I get the following error message in my client:
    java.rmi.RemoteException: Service call exception; nested exception is:
         java.lang.NullPointerException
         at priv.senw04.wsproxy.multisec_ssl.SSLBindingStub.pingText(SSLBindingStub.java:87)
         at priv.senw04.wsproxy.multisec_ssl.SSLBindingStub.pingText(SSLBindingStub.java:96)
         at priv.se.wsclient.MultiSecSSL.main(MultiSecSSL.java:38)
    Caused by: java.lang.NullPointerException
         at com.sap.engine.services.webservices.jaxm.soap.HTTPSocket.disconnect(HTTPSocket.java:625)
         at com.sap.engine.services.webservices.jaxrpc.wsdl2java.soapbinding.HTTPTransport.closeSession(HTTPTransport.java:396)
         at com.sap.engine.services.webservices.jaxrpc.wsdl2java.soapbinding.MimeHttpBinding.call(MimeHttpBinding.java:1312)
         at priv.senw04.wsproxy.multisec_ssl.SSLBindingStub.pingText(SSLBindingStub.java:80)
         ... 2 more
    Testing the web service with WebServiceNavigator and/or by using a generated WebDynpro Client results in the following error:
    000D604C66BE004E0000001300000AFC00040922E0160632 : An error occurred during processing the timestamp. The error was: com.sap.security.core.ws.wss.NoSecurityHeaderException No wsse:Security header has been defined for role soap:finalActor. Please verify the policy configuration..
    But my main focus is on the client implementation based on a proxy. Here comes the client's code:
    public class MultiSecSSL {
        public static void main(String[] args) {
            try {
                MultiSecuritySSLAuthImpl serviceInterface = new MultiSecuritySSLAuthImpl();
                SSLBindingStub service = (SSLBindingStub)serviceInterface.getLogicalPort(MultiSecuritySSLAuthViDocument.class);
                SecurityProtocol protocol = (SecurityProtocol) service._getGlobalProtocols().getProtocol("SecurityProtocol");
                AuthenticationContext auth = protocol.getAuthenticationContext();
                // NOTE: disables server certificate validation for the test client
                auth.setIgnoreSSLServerCertificate(true);
                auth.setUsername("cfpcompany");
                auth.setPassword("demo");
                String ret = service.pingText("Called service MultiSecurity via SSL");
                System.out.println(ret);
            } catch (Exception e) {
                 e.printStackTrace(System.out);
            }
        }
    }
    Here comes the logical port information of the generated proxy:
    <?xml version="1.0" encoding="UTF-8"?>
    <LogicalPorts Name='MultiSecuritySSLAuth' InterfaceName='priv.senw04.wsproxy.multisec_ssl.MultiSecuritySSLAuth'>
      <LogicalPort Name='SSLPort_Document' Endpoint='https://192.168.129.76:50001/MultiSecuritySSLAuth/SSL?style=document' BindingName='SSLBinding' BindingUri='urn:MultiSecuritySSLAuthWsd/SSL/document' BindingImplementation='SOAP 1.1 HTTP Binding with Attachments' StubName='priv.senw04.wsproxy.multisec_ssl.SSLBindingStub' Default='true' InterfaceName='priv.senw04.wsproxy.multisec_ssl.MultiSecuritySSLAuthViDocument' Original='true' Valid='true'>
        <globalFeatures>
          <Feature Name='http://www.sap.com/webas/630/soap/features/headers/' Provider='SoapHeadersProtocol' Original='false'>
          </Feature>
          <Feature Name='http://www.sap.com/webas/630/soap/features/session/' Provider='SessionProtocol' Original='false'>
            <Property Name='SessionMethod' Value='httpCookies'>
            </Property>
          </Feature>
          <Feature Name='http://www.sap.com/webas/630/soap/features/authentication' Provider='SecurityProtocol' Original='true'>
            <Property Name='AuthenticationLevel' Value='None'>
            </Property>
            <Property Name='AuthenticationMechanism' Value='HTTP'>
            </Property>
            <Property Name='AuthenticationMethod' Value='BasicAuth'>
            </Property>
            <Property Name='SupportsSSO2Authentication' Value='false'>
            </Property>
          </Feature>
          <Feature Name='http://www.sap.com/webas/630/soap/features/transportguarantee' Original='true'>
            <Property Name='Level' Value='No'>
            </Property>
            <Property Name='TLSType' Value='SSL'>
            </Property>
          </Feature>
        </globalFeatures>
        <localFeatures>
          <Operation Name='pingText'>
            <Feature Name='http://www.sap.com/webas/630/soap/features/wss' Original='true'>
              <Property Name='RequestPolicy' Value='Signature'>
              </Property>
              <Property Name='ResponsePolicy' Value='None'>
              </Property>
            </Feature>
            <Feature Name='http://sap.com/webservices/authorization' Original='true'>
            </Feature>
          </Operation>
        </localFeatures>
      </LogicalPort>
    </LogicalPorts>
    To me, this looks consistent. Any idea, what is misconfigured on my machine ?

    Hi Martin,
    that is exactly what I did.
    - Change Web Service Configuration in IDE
    - Build and Deploy the Service to my local Server
    - Check Service in Visual Administrator
    - Deleted and Regenerated the Standalone Proxy
    - Deleted and Recreated the link between Client and Proxy Project in IDE
    - Started Client
    Here comes the section of the ws-deployment-descriptor.xml of the service. For me, it matches what the proxy generated.
      <webservice>
        <guid>ed8363_10876a54b6d__7fe9_192_168_129_76_1135862193037</guid>
        <ejb-name-temp>MultiSecWSBean</ejb-name-temp>
        <webservice-name>
          <namespaceURI>urn:MultiSecuritySSLAuthWsd</namespaceURI>
          <localName>MultiSecuritySSLAuth</localName>
        </webservice-name>
        <webservice-internal-name>MultiSecuritySSLAuth</webservice-internal-name>
        <standard-namespaceURI>urn:MultiSecuritySSLAuthWsd</standard-namespaceURI>
        <ws-configuration>
          <configuration-name>SSL</configuration-name>
          <ejb-name>MultiSecWSBean</ejb-name>
          <service-endpoint-name>
            <namespaceURI>urn:MultiSecuritySSLAuthWsd</namespaceURI>
            <localName>SSLPort</localName>
          </service-endpoint-name>
          <wsdl-porttype-name>
            <namespaceURI>urn:MultiSecuritySSLAuthWsd</namespaceURI>
            <localName>MultiSecuritySSLAuthVi</localName>
          </wsdl-porttype-name>
          <webservice-definition-ref>
            <package>com.technidata.cfp.i3rdparty.cfpxml</package>
            <name>MultiSecuritySSLAuthWsd.wsdef</name>
          </webservice-definition-ref>
          <service-endpoint-vi-ref>
            <package>com.technidata.cfp.i3rdparty.cfpxml</package>
            <name>MultiSecuritySSLAuthVi.videf</name>
          </service-endpoint-vi-ref>
          <transport-binding name="SOAPHTTP_TransportBinding">
            <wsdl-binding-name>
              <namespaceURI>urn:MultiSecuritySSLAuthWsd</namespaceURI>
              <localName>SSLBinding</localName>
            </wsdl-binding-name>
          </transport-binding>
          <transport-address>/MultiSecuritySSLAuth/SSL</transport-address>
          <global-features>
            <feature name="http://www.sap.com/webas/630/soap/features/transportguarantee" protocol="SecurityProtocol">
              <property name="TLSType" value="SSL"/>
            </feature>
            <feature name="http://www.sap.com/webas/630/soap/features/authorization" protocol="SecurityProtocol"/>
            <feature name="http://www.sap.com/webas/630/soap/features/authentication" protocol="SecurityProtocol">
              <property name="AuthenticationMethod" value="BasicAuth"/>
              <property name="AuthenticationMechanism" value="HTTP"/>
              <property name="SupportsSSO2Authentication" value="false"/>
            </feature>
          </global-features>
          <operation-configuration uniqueViName="pingText(java.lang.String)">
            <transport-binding-configuration>
              <input>
                <property name="soapAction" value=""/>
                <property name="encodingStyle" value="http://schemas.xmlsoap.org/soap/encoding/"/>
              </input>
              <output>
                <property name="encodingStyle" value="http://schemas.xmlsoap.org/soap/encoding/"/>
              </output>
            </transport-binding-configuration>
            <feature name="http://www.sap.com/webas/630/soap/features/wss" protocol="SecurityProtocol">
              <property name="RequestPolicy" value="None"/>
              <property name="ResponsePolicy" value="None"/>
            </feature>
            <feature name="http://sap.com/webservices/authorization" protocol="SecurityProtocol">
              <property name="security-roles">
                <property name="role1" value="use_multisec_service"/>
              </property>
            </feature>
          </operation-configuration>
        </ws-configuration>
      </webservice>
    Regards,
    Stefan
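One way to check the two descriptors against each other mechanically, as an added example that is neither part of this thread nor SAP tooling: it parses the per-operation security features from a logical port file and from ws-deployment-descriptor.xml and lists every property whose values differ. The embedded fragments are trimmed copies of the two files quoted above (constructed sample data); on them it reports the wss RequestPolicy, which is Signature on the proxy side and None on the service side.

```python
"""Cross-check per-operation security features of a SAP NetWeaver logical port
(client proxy) against the service's ws-deployment-descriptor.xml. Added example,
not SAP tooling; the fragments are trimmed copies of the thread's descriptors."""
import xml.etree.ElementTree as ET

LOGICAL_PORT_XML = """<LogicalPort><localFeatures><Operation Name='pingText'>
  <Feature Name='http://www.sap.com/webas/630/soap/features/wss' Original='true'>
    <Property Name='RequestPolicy' Value='Signature'></Property>
    <Property Name='ResponsePolicy' Value='None'></Property>
  </Feature></Operation></localFeatures></LogicalPort>"""

DEPLOYMENT_DESCRIPTOR_XML = """<ws-configuration>
  <operation-configuration uniqueViName="pingText(java.lang.String)">
    <feature name="http://www.sap.com/webas/630/soap/features/wss" protocol="SecurityProtocol">
      <property name="RequestPolicy" value="None"/>
      <property name="ResponsePolicy" value="None"/>
    </feature></operation-configuration></ws-configuration>"""

def _collect(root, op_tag, op_name, feat_tag, prop_tag, name_attr, value_attr):
    """{operation: {feature_uri: {property: value}}}; tag names differ per file."""
    result = {}
    for op in root.iter(op_tag):
        feats = result.setdefault(op_name(op), {})
        for feat in op.findall(feat_tag):
            feats[feat.get(name_attr)] = {p.get(name_attr): p.get(value_attr)
                                          for p in feat.findall(prop_tag)}
    return result

def logical_port_features(xml_text):
    return _collect(ET.fromstring(xml_text), "Operation", lambda op: op.get("Name"),
                    "Feature", "Property", "Name", "Value")

def descriptor_features(xml_text):
    # uniqueViName carries the Java signature; keep only the method name.
    return _collect(ET.fromstring(xml_text), "operation-configuration",
                    lambda op: op.get("uniqueViName").split("(")[0],
                    "feature", "property", "name", "value")

def mismatches(client, service):
    """(operation, feature, property, client_value, service_value) per disagreement."""
    out = []
    for op, feats in client.items():
        for uri, props in feats.items():
            svc = service.get(op, {}).get(uri, {})
            out += [(op, uri, prop, val, svc.get(prop))
                    for prop, val in props.items() if svc.get(prop) != val]
    return out
```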

  • How To Force Access Via HTTPS/SSL?

    Forgive me if this question reveals how little I know about SSL, but... ;-)
    What is the standard, best practice way to force a web client (via browser)
    to use HTTPS/SSL? Our configuration is that the clients hit an IIS server
    first, which then uses the WebLogic proxy/forward plug-ins to the WebLogic
    server. The URLs that our clients follow come from an email we send, which
    has https:// on the front. Access seems to stay in https as long as they
    follow our links, but if the client edits the URL and changes https to
    http, the access is now without SSL. How can I restrict access to https
    only, or otherwise make sure they never use non-SSL access?
    Thanks in advance for any explanations or pointers to references, etc.
    -Paul

    Paul,
    You can disable the http port between IIS and WebLogic. Configure only the SSL
    connection. That way if any request comes to WebLogic as http, it will be rejected.
    Udit
    Paul Hodgetts <[email protected]> wrote:
    Thanks for the reply! What if the web server (the front end IIS server)
    also serves static web pages that are allowed to be accessed without
    HTTPS/SSL? It's primarily the requests forwarded through to JSP/servlets
    on the WebLogic server that must use HTTPS/SSL.
    Thanks,
    -Paul
    Robert Patrick <[email protected]> wrote:
    One way would be to close the HTTP port in your firewall so that non-HTTPS
    traffic cannot reach the web server...
    Paul Hodgetts wrote:
    Forgive me if this question reveals how little I know about SSL, but... ;-)
    What is the standard, best practice way to force a web client (via browser)
    to use HTTPS/SSL? Our configuration is that the clients hit an IIS server
    first, which then uses the WebLogic proxy/forward plug-ins to the WebLogic
    server. The URLs that our clients follow come from an email we send, which
    has https:// on the front. Access seems to stay in https as long as they
    follow our links, but if the client edits the URL and changes https to
    http, the access is now without SSL. How can I restrict access to https
    only, or otherwise make sure they never use non-SSL access?
    Thanks in advance for any explanations or pointers to references, etc.
    -Paul
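An application-side way to get the behaviour Paul asks for in his follow-up (static pages over plain HTTP, servlet/JSP traffic only over HTTPS), as an added example that is not from this thread and is plain WSGI rather than IIS or WebLogic configuration; the protected path rules and the proxy address are assumptions. It also covers two points the port-closing answers leave open: X-Forwarded-Proto is believed only when the request comes from the front-end proxy's address, and a POST that already arrived in clear is rejected rather than redirected.

```python
"""Static content may be served over plain HTTP, but requests that reach the
servlet/JSP tier must have arrived over HTTPS. Added example in plain WSGI;
path rules and the proxy address below are assumptions, not site facts."""

PROTECTED_PREFIXES = ("/servlet/", "/app/")   # assumed: forwarded to the app server
PROTECTED_SUFFIXES = (".jsp",)
TRUSTED_PROXIES = {"10.0.0.5"}                 # assumed address of the front-end IIS box


def needs_tls(path):
    return path.startswith(PROTECTED_PREFIXES) or path.endswith(PROTECTED_SUFFIXES)


def decide(method, scheme, host, path, query="", from_proxy=False, forwarded_proto=None):
    """Return ('allow', None), ('redirect', url) or ('reject', reason)."""
    effective = scheme
    # X-Forwarded-Proto is only believable from the proxy hop; any client can send it.
    if from_proxy and forwarded_proto:
        effective = forwarded_proto.lower()
    if not needs_tls(path) or effective == "https":
        return ("allow", None)
    if method in ("GET", "HEAD"):
        return ("redirect", "https://%s%s%s" % (host, path, "?" + query if query else ""))
    # A POST that arrived in clear has already exposed its body; a redirect would
    # quietly accept that, so fail loudly instead.
    return ("reject", "HTTPS required for %s" % path)


def middleware(app):
    """Wrap a WSGI app so non-TLS requests to protected paths never reach it."""
    def wrapped(environ, start_response):
        verdict, detail = decide(
            environ["REQUEST_METHOD"], environ["wsgi.url_scheme"],
            environ.get("HTTP_HOST", environ.get("SERVER_NAME", "")),
            environ.get("PATH_INFO", "/"), environ.get("QUERY_STRING", ""),
            from_proxy=environ.get("REMOTE_ADDR") in TRUSTED_PROXIES,
            forwarded_proto=environ.get("HTTP_X_FORWARDED_PROTO"))
        if verdict == "allow":
            return app(environ, start_response)
        if verdict == "redirect":
            start_response("301 Moved Permanently",
                           [("Location", detail), ("Content-Length", "0")])
            return [b""]
        body = detail.encode()
        start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(body)))])
        return [body]
    return wrapped
```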
