User http access after OWA certificate expired
We are facing a problem with the OWA certificate; we need end users to access OWA using http, not https.
Ahmed
Hi Ahmed,
Please use the following article to simplify the OWA URL:
Simplify the Outlook Web App URL
https://technet.microsoft.com/en-us/library/aa998359(v=exchg.150).aspx
Thanks
Mavis Huang
TechNet Community Support
Similar Messages
-
New User cannot access OWA after migrate from Exchange 2007 to Exchange 2013
Dear all,
I recently migrated the Exchange server from Exchange 2007 on Windows Server 2003 to Exchange 2013 on Windows 2012 R2. I can open the mailboxes moved from Exchange 2007 without any problem. However, when I create a new user in Exchange 2013, the user cannot log in to OWA; the browser shows the following screen. Can anyone help me in this case? Thanks a lot!
Hi Winnie,
Thanks for your reply. Below is the result; please note there are four Exchange servers: HKAD and HKEX are the existing Exchange 2007 servers, HKCAS1 and HKCAS2 are the new Exchange Server 2013 servers. Both Exchange 2013 servers use owa.ksi.com.hk as the external URL.
Identity : HKAD\owa (Default Web Site)
InternalAuthenticationMethods : {Basic, Fba}
BasicAuthentication : True
WindowsAuthentication : False
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMethods : {Fba}
Url : {}
SetPhotoURL :
Exchange2003Url :
FailbackUrl :
InternalUrl : https://hkad.ksi.com.hk/owa
ExternalUrl :
Identity : HKAD\Exchange (Default Web Site)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication : True
WindowsAuthentication : False
DigestAuthentication : False
FormsAuthentication : False
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMethods : {Fba}
Url :
SetPhotoURL :
Exchange2003Url :
FailbackUrl :
InternalUrl :
ExternalUrl :
Identity : HKAD\Public (Default Web Site)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication : True
WindowsAuthentication : False
DigestAuthentication : False
FormsAuthentication : False
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMethods : {Fba}
Url :
SetPhotoURL :
Exchange2003Url :
FailbackUrl :
InternalUrl :
ExternalUrl :
Identity : HKAD\Exchweb (Default Web Site)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication : True
WindowsAuthentication : False
DigestAuthentication : False
FormsAuthentication : False
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMethods : {Fba}
Url :
SetPhotoURL :
Exchange2003Url :
FailbackUrl :
InternalUrl :
ExternalUrl :
Identity : HKAD\Exadmin (Default Web Site)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication : True
WindowsAuthentication : False
DigestAuthentication : False
FormsAuthentication : False
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMethods : {Fba}
Url :
SetPhotoURL :
Exchange2003Url :
FailbackUrl :
InternalUrl :
ExternalUrl :
Identity : HKEX\owa (Default Web Site)
InternalAuthenticationMethods : {Basic, Fba}
BasicAuthentication : True
WindowsAuthentication : False
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMethods : {Fba}
Url : {}
SetPhotoURL :
Exchange2003Url :
FailbackUrl :
InternalUrl : https://hkex.ksi.com.hk/owa
ExternalUrl :
Identity : HKEX\Exchange (Default Web Site)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication : True
WindowsAuthentication : False
DigestAuthentication : False
FormsAuthentication : False
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMethods : {Fba}
Url :
SetPhotoURL :
Exchange2003Url :
FailbackUrl :
InternalUrl :
ExternalUrl :
Identity : HKEX\Exadmin (Default Web Site)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication : True
WindowsAuthentication : False
DigestAuthentication : False
FormsAuthentication : False
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMethods : {Fba}
Url :
SetPhotoURL :
Exchange2003Url :
FailbackUrl :
InternalUrl :
ExternalUrl :
Identity : HKEX\Public (Default Web Site)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication : True
WindowsAuthentication : False
DigestAuthentication : False
FormsAuthentication : False
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMethods : {Fba}
Url :
SetPhotoURL :
Exchange2003Url :
FailbackUrl :
InternalUrl :
ExternalUrl :
Identity : HKEX\Exchweb (Default Web Site)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication : True
WindowsAuthentication : False
DigestAuthentication : False
FormsAuthentication : False
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMethods : {Fba}
Url :
SetPhotoURL :
Exchange2003Url :
FailbackUrl :
InternalUrl :
ExternalUrl :
Identity : HKCAS2\owa (Default Web Site)
InternalAuthenticationMethods : {Basic, Fba}
BasicAuthentication : True
WindowsAuthentication : False
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMethods : {Fba}
Url : {}
SetPhotoURL :
Exchange2003Url :
FailbackUrl :
InternalUrl : https://hkcas2.ksi.com.hk/owa
ExternalUrl : https://owa.ksi.com.hk/owa
Identity : HKCAS1\owa (Default Web Site)
InternalAuthenticationMethods : {Basic, Fba}
BasicAuthentication : True
WindowsAuthentication : False
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMethods : {Fba}
Url : {}
SetPhotoURL :
Exchange2003Url :
FailbackUrl :
InternalUrl : https://hkcas1.ksi.com.hk/owa
ExternalUrl : https://owa.ksi.com.hk/owa
-
Exchange 2013 Sp1 some users cant access owa
After I installed a new Exchange 2013 with SP1 on Windows 2012 R2 servers, one for mailboxes and the second for Client Access, I moved all mailboxes to it, then I uninstalled the old server (Exchange 2013 with CU3).
All my Exchange servers are virtual machines on Hyper-V 2012 R2.
I installed the certificate and configured the virtual directories.
I noticed some users can't open their mailboxes from OWA; they get a blank page after they enter username and password (from internal and external). The same users can open Outlook Anywhere, and at the same time many other users can access OWA.
After many restarts they can access OWA.
After some days some other users can't access OWA.
I removed the ECP and OWA virtual directories, then recreated and configured them.
But the same problem: some users can't access OWA.
I installed a new Client Access server and configured it.
But the same problem.
Hi,
You can check the following things to resolve the problem:
Disable SSL from Default Web Site if you have enabled them
Check if you have set any redirection in the Default Website if so remove redirection and see the results
Ensure that you have a valid certificate for owa VD
Check the authentication type carefully: whether Windows authentication is enabled or forms-based authentication is enabled.
Below is an example for enabling WA (Windows authentication):
Set-OwaVirtualDirectory -Identity "servername\owa (Exchange Back End)" -WindowsAuthentication $true -BasicAuthentication $false -FormsAuthentication $false
Set-EcpVirtualDirectory -Identity "servername\ecp (Exchange Back End)" -WindowsAuthentication $true -FormsAuthentication $false
Remember to mark as helpful if you find my contribution useful, or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.
-
Users cannot access removable devices after you enable and then disable a Group Policy setting on Windows 7 64-bit machines.
On the 32-bit machines I was able to apply this hotfix:
http://support2.microsoft.com/kb/2738898
But it will not install on 64-bit machines.
Is there a hotfix for 64-bit? If not, what is the workaround?
Thanks!
Robert
Select "Show hotfixes for all platforms and languages", then download the x64 hotfix.
Please take a moment to Vote as Helpful and/or Mark as Answer where applicable. Thanks.
-
OWA Users cannot access .snp attachments
One of my users complains that none of the users can access or download .SNP (MS Access Snapshot File) attachments from OWA 2013. When a user clicks on the attachment they get the warning message "Access to this Attachment is blocked. Recipients may not be able to view the attachment, either."
But the same file is easily accessible from Outlook.
I have tried Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AllowedFileTypes ".snp" and restarted the IIS service, but no luck!
Do I need to have Office Web Apps Server to be able to download these .SNP files? Is there any way to allow such files in OWA out of the box?
Hi,
I recommend you also check the OWA virtual directory with the following command:
Get-OwaVirtualDirectory -Identity "ServerName\owa (Default Web Site)" |fl name,server,*FileTypes
If there is no .snp type, you should add it (the Set- cmdlet, not Get-, takes the -AllowedFileTypes parameter):
Set-OwaVirtualDirectory -Identity "ServerName\owa (Default Web Site)" -AllowedFileTypes @{add = ".SNP"}
The following article is for your reference:
http://technet.microsoft.com/en-us/library/bb123515.aspx
AllowedFileTypes
The AllowedFileTypes parameter specifies the extensions of file types that the user can save locally and view from a web browser. If the same extensions are in multiple settings lists, the most secure setting overrides the less secure settings.
To enter multiple values and overwrite any existing entries, use the following syntax: <value1>,<value2>.... If the values contain spaces or otherwise require quotation marks, you need to use the following syntax: "<value1>","<value2>"....
To add or remove one or more values without affecting any existing entries, use the following syntax:
@{Add="<value1>","<value2>"...; Remove="<value1>","<value2
Thanks.
Niko Cheng
TechNet Community Support -
Removing user access after hours
All,
We are running Oracle 10g. What is the best way to remove user access after hours, say from 5:00 pm to 6:00 am? I have searched this site and the only thread that I found was "Can I limit user access to Oracle DB based on time?", which is not helpful to me. My manager wants users to access the database only during the users' work hours, which are M-F 8:00 am - 5:00 pm. Any suggestions would be greatly appreciated.
Seyed
> Creating a logon trigger will need a restart of the database, but I think it is the best approach.
I am not sure why a restart would be required.
Possibly creating a separate listener entry on a different port especially for the users could also be a solution.
Then after 05:00 pm, stop that particular listener only.
HTH
What if I know the port number of another listener?
FJFranken
My Blog: http://managingoracle.blogspot.com
If this answer satisfies your question, mark the question as answered and award the points. It is appreciated!
Regards
Anurag
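For the Oracle thread above, an added example (not written by any of the posters) of the logon-trigger approach: an AFTER LOGON ON DATABASE trigger that refuses new sessions outside Mon-Fri 08:00-17:00. The trigger name and the NO_HOURS_LIMIT role are assumptions; it must be created by SYS or a DBA with a direct SELECT grant on DBA_ROLE_PRIVS.

```sql
-- Added example, not from the thread. Oracle 10g PL/SQL.
-- Refuses logons outside business hours. Takes effect for the next logon;
-- no database restart is needed to create or replace a trigger.
CREATE OR REPLACE TRIGGER restrict_to_business_hours
AFTER LOGON ON DATABASE
DECLARE
    v_user   VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
    -- Day name in English regardless of the session's NLS settings.
    v_day    VARCHAR2(3)   := TO_CHAR(SYSDATE, 'DY', 'NLS_DATE_LANGUAGE = ENGLISH');
    v_hour   NUMBER        := TO_NUMBER(TO_CHAR(SYSDATE, 'HH24'));
    v_exempt NUMBER;
BEGIN
    -- Never lock out the administrative accounts.
    IF v_user IN ('SYS', 'SYSTEM') THEN
        RETURN;
    END IF;

    -- Accounts granted the NO_HOURS_LIMIT role (constructed name, not from
    -- the thread) are exempt, e.g. overnight backup or batch jobs.
    SELECT COUNT(*)
      INTO v_exempt
      FROM dba_role_privs
     WHERE grantee = v_user
       AND granted_role = 'NO_HOURS_LIMIT';
    IF v_exempt > 0 THEN
        RETURN;
    END IF;

    -- Working hours from the thread: Monday to Friday, 08:00 up to 17:00.
    -- SYSDATE is the database server's clock, so the check uses server time.
    IF v_day IN ('SAT', 'SUN') OR v_hour < 8 OR v_hour >= 17 THEN
        RAISE_APPLICATION_ERROR(-20001,
            'Database access is permitted Mon-Fri 08:00-17:00 only. Logon refused.');
    END IF;
END;
/
```

Users holding the ADMINISTER DATABASE TRIGGER privilege (and SYSDBA connections) still log on when a logon trigger raises an error, so the control does not replace account hardening. Sessions already connected at 17:00 are not ended by a logon trigger; a resource profile or a scheduled job is needed for that.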
-
User is not getting access even after being given db_owner in SQL 2000 SP4
Team,
I have one instance of SQL 2000 SP4.
On this, one user wants access to update / drop a user-defined table.
I have given him the db_datawriter & db_ddladmin roles but he is still not able to perform his operation (update or drop):
Server: Msg 229, Level 14, State 5, Line 1
DELETE permission denied on object '<Table>', database '<DB>', owner 'dbo'.<Server_Name>
Also gave him individual update/drop on some tables, but still the error.
Finally, gave him db_owner as well, but no success.
Anybody .. what could be the issue??
Chetan
Can you check if there is any DENY for that user?
If there is a DENY then it will outweigh.
Can you run sp_helprotect and check if the permission is properly given and if there is any DENY?
http://technet.microsoft.com/en-us/library/aa933420(v=sql.80).aspx
Regards, Ashwin Menon
My Blog - http://sqllearnings.com
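An added example for the DENY explanation in the SQL 2000 thread above (not from Ashwin's reply): T-SQL that lists the user's role memberships and every explicit DENY in the database, then removes the DENY. <DB>, <Table> and <User> are the thread's own placeholders, not real names.

```sql
-- Added example, not from the thread. SQL Server 2000 T-SQL; run in the
-- affected database. Replace the <DB>, <Table> and <User> placeholders.
USE [<DB>];
GO

-- 1. Which roles is the user in? Membership in db_denydatawriter or
--    db_denydatareader is an implicit DENY that wins over every GRANT,
--    including the ones that come with db_datawriter and db_ddladmin.
EXEC sp_helpuser '<User>';

-- 2. Every explicit DENY in the database. In SQL 2000 permissions live in
--    sysprotects; protecttype 206 is DENY (205 is GRANT). A DENY on a role
--    the user belongs to is just as effective as one on the user directly.
SELECT  u.name AS grantee,
        o.name AS object_name,
        CASE p.action
            WHEN 193 THEN 'SELECT'
            WHEN 195 THEN 'INSERT'
            WHEN 196 THEN 'DELETE'
            WHEN 197 THEN 'UPDATE'
            WHEN 224 THEN 'EXECUTE'
            WHEN 26  THEN 'REFERENCES'
            ELSE CAST(p.action AS varchar(10))
        END AS permission,
        'DENY' AS state
FROM    sysprotects p
JOIN    sysusers    u ON u.uid = p.uid
JOIN    sysobjects  o ON o.id  = p.id
WHERE   p.protecttype = 206
ORDER BY u.name, o.name;

-- 3. The same information for one table via the documented procedure the
--    reply mentions; the Deny column shows the blocking entries.
EXEC sp_helprotect @name = '<Table>';

-- 4. Remediation: a DENY is removed with REVOKE, not overridden with GRANT.
--    Granting again leaves the DENY in place and the DENY still wins.
REVOKE DELETE, UPDATE ON [<Table>] FROM [<User>];
-- If the DENY was inherited from a role, take the user out of that role:
EXEC sp_droprolemember 'db_denydatawriter', '<User>';

-- 5. Verify as the user: the permission check runs even when no row matches,
--    and the transaction is rolled back so nothing changes.
SETUSER '<User>';
BEGIN TRAN;
    DELETE FROM [<Table>] WHERE 1 = 0;
ROLLBACK TRAN;
SETUSER;   -- back to the original login
```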
-
Have come full circle: k9-4235 server (https) certificate expired
OK, I have been running k9-4235s and IDSM-2s for a couple of years, and when I was mucking around with a signature on one of the k9-4235s I discovered that the server certificate expired this past Saturday. When I tried to create a new sensor in IEV it gave the error "connection handshake failure".
Where/how do I get/make a new server certificate for https sessions on the k9-4235? This is the latest and greatest:
sysinfo
Cisco Systems Intrusion Detection Sensor, Version 4.1(4)S178
MainApp 2004_Dec_17_16.03 (Eng4f) 2004-12-17T15:41:15-0600 Running
AnalysisEngine 2004_Dec_17_16.03 (Eng4f) 2004-12-17T15:41:15-0600 Running
Authentication 2004_Dec_17_16.03 (Eng4f) 2004-12-17T15:41:15-0600 Running
Logger 2004_Dec_17_16.03 (Eng4f) 2004-12-17T15:41:15-0600 Running
NetworkAccess 2004_Dec_17_16.03 (Eng4f) 2004-12-17T15:41:15-0600 Running
TransactionSource 2004_Dec_17_16.03 (Eng4f) 2004-12-17T15:41:15-0600 Running
WebServer 2004_Dec_17_16.03 (Eng4f) 2004-12-17T15:41:15-0600 Running
You can try removing the expired certificate from the sensor by logging into the sensor's CLI and entering the following commands:
sensor# configure terminal
sensor(config)# no tls trusted-host ip-address 10.1.2.3
Next, tell the sensor to trust 10.1.2.3:
sensor(config)# tls trusted-host ip-address 10.1.2.3 -
As titled, what is the way to record video/audio files using Flash Media Server through rtmp, and allow users to access the recorded files through http?
What I am trying to do is to record a user's microphone input and save it to the server. Afterwards, I would like other users to be able to access the recorded files and manipulate the audio data, by computeSpectrum(), to do some visualization of the audio. As I know computeSpectrum() cannot work on streaming files, so I think I need to access the recorded files using http instead of rtmp. Is that true?
How can I redirect the http request to the files I recorded into my applications/appName folder? Or do I need to somehow move the recorded files to the /webroot folder?
Thanks!
I probably have asked a stupid question.
My recorded streams are still saved in the applications/appName/streams folder.
And I redirect www.mydomain.com/streams to point to the applications/appName/streams folder.
And the rtmp-recorded streams are able to be reached through http now. -
User cannot access Crystal reports after user was deleted and recreated
We are using Crystal Enterprise XI R2 with Windows AD authentication. We had an issue with a user where they were deleted in Active Directory. Now they can no longer run Crystal reports. When I go into the CMC and open Users I see this user. When I try to open this user I get the following error:
There was an error while retrieving data from the server: Active Directory Authentication failed to get the Active Directory groups for the account with ID "8B003DF11D45B244AC3B61AB36B6C445:ALLENDG". Please make sure this account is valid and belongs to an accessible domain.
I think Crystal is still trying to access the user's old Active Directory account.
I cannot delete the user either in CMC.
Is there some way I can correct this user?
Thanks
Adam
Arjun - Thank you for your help. I looked in the Central Management Console but I could not find what you indicated.
CMC--> Public Folder --> Administration Tools
In administration tool, there are two objects
1) Update Windows AD Group Graph
2) Update Windows AD Group Graph and Aliases --> Right-click on this report and click on Run Now.
I ended up deleting the records for this user in these SQL tables, and then the user could access InfoView:
CMS_Aliases5 (2 records for this user)
CMS_InfoObjects5 (1 record with both aliases) -
WRT54G ver. 5 HTTPS Access
What must I do to obtain and install a valid SSL Certificate for the Linksys WRT54G version 5 router? Secure access is essential for remote administration.
Using Administration > Web Access, I enabled (only) HTTPS for secure access. At some point, the user interface apparently launched a "wizard" which proceeded to create a "certificate". However, when I subsequently tried to access the router at https://192.168.1.1, Firefox 3.0.4 reported:
192.168.1.1 uses an invalid security certificate.
The certificate is not trusted because it is self signed.
The certificate is only valid for Linksys
(Error code: sec_error_ca_cert_invalid)
What must I do to obtain and install a valid SSL Certificate for the Linksys WRT54G version 5 router? Firefox will not display the log-on dialog, thus it will not allow access to the router. Internet Explorer 7 also displays an error message that is rather vague and cryptic, and it also does not allow access to the router. Neither Firefox nor I.E. has a "security certificate" that pertains to the router, only one to send when a server requests it.
According to Linksys, the most recent revision of the WRT54G firmware is installed.
What must I do to obtain and install a valid SSL Certificate for the Linksys WRT54G version 5 router?
--- Stardance
nil carborundum illegitimi!
For Firefox click on "Or you can add an exception…", press the "Add Exception..." button; in the new popup, press the "Get Certificate" button, make sure to "Permanently store this exception" and press the "Confirm Security Exception" button. That's it. This is what I meant by "accepting the certificate". If that does not work in your Firefox then it must be a Firefox problem on your computer. It works fine on my computer and it seems to work fine with Internet Explorer on your computer.
If you want to examine the certificate you can do so, after you have pressed the Get Certificate button. It is a self-signed certificate with name "Linksys". It is stored in the router.
If you "Confirm Security Exception" in Firefox the certificate is stored in the "Certificate Manager" (Tools - Options - Advanced - View Certificates). There you can remove it again if you don't want it anymore. Internet Explorer works similarly and also has a certificate manager.
So on my computer both Firefox and Internet Explorer behave the same even if they call and label things differently. They both see the self-signed certificate from the router and require you to manually accept the connection before you can continue. On both you will get to the router web interface. On both you have the choice to permanently remember the certificate. I see no substantial difference between Internet Explorer and Firefox in this respect.
Re (1): You wanted to know how to create a valid SSL certificate on the router. First of all, the certificate presented is the certificate which identifies the router. Of course, you see this error message because the router has only a dummy certificate installed, which allows you to use SSL but won't correctly identify the router.
Thus what you write in (1) about the computer is irrelevant. It is not the computer which identifies itself but the router. You connect to the HTTPS server on the router. The HTTPS server on the router has the certificate. This certificate is supposed to identify the HTTPS server. If you click on https://mail.google.com or some other standard https website in the internet which has a valid correct certificate you can right-click into the web site in Firefox and choose "Page Info". Click on Security. It shows you some information on the certificate. For more details press "View Certificate".
There are two essential parts:
A. "Issued To". This section contains the hostname to which you are connected. This is "mail.google.com". If this does not match the hostname in the URL then you will get a certificate error message. If you use one of the IP addresses of mail.google.com, https://66.249.89.18/, instead, you'll see a certificate error message, simply because 66.249.89.18 is not the same as mail.google.com, which is what is in the certificate.
B. "Issued By". This is the issuer of the certificate, i.e. the "Certification Authority" which issued the certificate. You see "Thawte SGC CA" there. If you click on "Details" in the Certificate Viewer you'll see that actually the "Thawte SGC CA" certificate was itself issued by Verisign. The Verisign certificate is a "Builtin Object Token" of Firefox, i.e. by default Firefox trusts everything which is signed by Verisign and anything which is signed by anyone who was signed by Verisign, etc. Windows has the Verisign certificate built-in, too.
The router certificate is self-signed and has no proper "Common Name" set. The common name is "Linksys". This is in both the Issued To and Issued By sections, which means the certificate was signed with its own key.
In order to be a "valid SSL certificate" which is accepted without any user interaction, the certificate must
(i) contain the correct hostname/IP address in the "Common Name", i.e. it must be identical to what you enter in the URL;
(ii) be signed by Verisign or similar;
(iii) not be expired;
(iv) be installed inside the router.
But again, the problem is:
Re (i): the router has 192.168.1.1 in the LAN, but unknown IP addresses and hostnames in the internet. It is impossible to preinstall a correct certificate on the router except for 192.168.1.1 with obviously little effect on the remote management access through the internet which uses the public IP address.
Re (ii): to obtain a Verisign certificate the router would have to submit a certificate request to Verisign, pay the $$$ bill, wait for the certificate to be issued and then install it. Of course, Verisign won't create a certificate for 192.168.1.1 and they will probably verify that the public IP address or the hostname given is really yours.
Re (iii): Verisign server certificates expire after one year. You have to renew the certificate and pay $$$ again.
So the only really feasible way to get a "valid SSL certificate" into the router would be to add some function to the interface which allows you to either upload a certificate&key to the router or to download a certificate request from the router and upload a certificate. With the request you could go to Verisign and get a certificate issued. This is what Google does for Google Mail. They create the certificate request for mail.google.com, pay the hefty bill and get the certificate from Thawte/Verisign.
For Google it is worth it. I doubt it is worth it for your $50 router to buy a one-year certificate signed by Verisign costing probably $500 or more just for the sole purpose that you can open your remote management interface without an error message which requires you to add an exception the first time you access the page.
Re (2). I hope the above makes clear why the router does not come with a Verisign certificate. Of course Linksys could buy one certificate from Verisign for 192.168.1.1 (in case they would do that). But what would be the benefit of that? You still have the same issue with the remote management interface as it ends on a different IP address. And still, all Linksys routers would come with the same certificate, i.e. even if you connect to the router with HTTPS you still won't be able to identify from the certificate presented whether it is really your router or not. So basically, the self-signed dummy certificate "Linksys" or any "better" certificate won't make any real difference: you will still have to add exceptions to Firefox for remote management, and the certificate itself still won't make anything more secure than what you already have due to the HTTPS connection.
Re (3) The router works as server. As web server. You access the web server inside the router to access the web interface of the router. If you open http://192.168.1.1/ your browser connects to the web server in the router presenting you with the current configuration inside the router and options to reconfigure it.
So to answer your questions:
Q: (1) Who is responsible for creating the SSL certificate?
A: Linksys
Q: and (2) why is an invalid SSL certificate created?
A: It is not invalid. It is a valid X509 certificate. It is self-signed. That Firefox calls it "invalid" is unfortunate because it is fully valid. However, it is not signed by a trusted CA and thus Firefox won't trust it automatically, unlike mail.google.com.
Q: Since Cisco/Linksys chose to include secure access in its design of the router, what is Linksys doing to prevent the creation of invalid certificates for its router?
A: They offer you to connect to the router through an HTTPS connection. Within reasonable means this is the only thing they can do. Anything else would cost much. I doubt you would still buy the router if it cost $500 but had a Verisign SSL certificate. -
ISE - What happens when the on-boarded certificate expires?
I'm trying to design a good BYOD deployment model but have a few questions that need direct answers. I have worked out how to on-board a device and get a certificate on it; ISE provides a great flow for this to happen in many ways. My questions come from a design perspective before and after the BYOD deployment is completed.
1. Figuring out a method to validate the device is a Corporate asset or a BYOD asset.
(I don't want to install a certificate on just any device, or perhaps I do, but I need to give permissions to all resources if it's a corporate device, and more restrictions if it's BYOD, so how do I figure this out during the provisioning phase?)
a. Use MDM (May not have one, or if you do we are still waiting on ISE 1.2 for that integration)
b. Build a group for provisioning admins; if the user's PEAP-MSCHAPv2 account is from this group, install a certificate. (The issue here is that the end user loses administration of the device in the My Devices portal, as the device is now registered to the provisioning admin.)
c. Pre-populate MAC into ISE as all Corporate devices should be provisioned by I.T. before they go to the end user (I think this is good but can see push back from customers as they don't want to add more time to the process)
d. Certs on any iOS or Android device, provide access based on user group and do not worry whether the device is a company asset or not (I believe that this is the easiest solution and seems to be what I find in the guides)
e. Other options I have not thought about, would love input from the crowd
2. What happens to the device once the Certificate expires?
(I don't know the answer to this, my thought would be the user or device will fail during the authentication policy and this creates a mess)
a. Tell the user to delete the profile so they can start all over again (creates help desk calls and frustrated users)
b. Use MDM for Cert management (may not have one)
c. Perhaps the client uses SCEP to renew based on the cert template renew policy and there are no issues (this is me wishing)
Would appreciate some feedback and would like to know if anyone has run into these issues.
Neno,
Sorry, but I don't have any other info on using a public CA; Cisco says to use internal CAs for PKI. I think the best practice when 1.2 comes out will be to use one interface for web management and a different interface for RADIUS, profiling, posture, and on-boarding. This way you can use your private CA for EAP and a public CA for web traffic. Have you tried a public CA bound to management and a private CA for EAP yet?
I did do a session on EAP-TEAP; they explained how it will work and also discussed EAP-FASTv2. EAP-FASTv2 is available now but you must use AnyConnect as your supplicant. Microsoft and all other vendors will have EAP-TEAP native once it is fully released and commissioned, as it will be the new gold standard for EAP. It will support TLS, MD5, and CHAPv2. If you are interested I have the PDF of the presentation I attended that shows the flow of how EAP-TEAP will work. This is much better than wasMachineAuthenticated and machine auth caching, which has many downfalls.
I currently do machine and user auth, I just don't require them. If machine auth, then allow the machine on vlan-x with access to AD, DNS, and blah blah. Then a separate rule to say user auth gets more access, although I require EAP-TLS for both, and if you think about it you are accomplishing the same thing if your PKI is set up correctly. Make it so users and machines can only auto-enroll; that way you know the only way they got their cert was from GPO policy. I won't go into any more detail, but there is lots you can do. -
Remote site to site VPN user cannot access LAN resources
Users in the remote site can get ping responses but no http service from the local web server, where the local web server also has a NAT rule allowing access from the WAN. In the config below, users in the remote 10.10.10.160/27 can ping 10.10.10.30 and 10.10.10.95, but http packets are not returned.
What do I need to do to fix this?
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname SFGallery
boot-start-marker
boot-end-marker
no logging buffered
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authentication login ciscocp_vpn_xauth_ml_3 group radius local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
aaa session-id common
clock timezone PCTime -7 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ipv6 cef
ip source-route
ip cef
ip dhcp excluded-address 172.16.0.1 172.16.3.99
ip dhcp excluded-address 172.16.3.200 172.16.3.254
ip dhcp pool SFGallery172
import all
network 172.16.0.0 255.255.252.0
domain-name xxxxxxxxxxxx
dns-server 10.10.10.10
default-router 10.10.10.94
netbios-name-server 10.10.10.10
ip domain name gpgallery.com
ip name-server 10.10.10.10
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 10.10.10.80
multilink bundle-name authenticated
crypto pki token default removal timeout 0
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name [email protected]
revocation-check crl
crypto pki trustpoint SFGallery_Certificate
enrollment selfsigned
serial-number none
ip-address none
revocation-check crl
rsakeypair SFGallery_Certificate_RSAKey 512
crypto pki certificate chain test_trustpoint_config_created_for_sdm
crypto pki certificate chain SFGallery_Certificate
certificate self-signed 01
xxxxxx
quit
license udi pid CISCO2911/K9 sn FTX1542AKJ3
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
hw-module sm 1
object-group network Corp
172.16.4.0 255.255.252.0
10.10.10.128 255.255.255.224
object-group network SFGallery
172.16.0.0 255.255.252.0
10.10.10.0 255.255.255.128
object-group network NY
10.10.10.160 255.255.255.224
172.16.16.0 255.255.252.0
object-group network GPAll
group-object SFGallery
group-object NY
group-object Corp
username xxx
username xxx
username xxx
username xxx
redundancy
no ip ftp passive
ip ssh version 1
class-map type inspect match-all CCP_SSLVPN
match access-group name CCP_IP
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
pass
zone security sslvpn-zone
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key TempVPN1# address xx.xx.xx.xx
crypto isakmp client configuration group SFGallery
key Peters2011
dns 10.10.10.10 10.10.10.80
wins 10.10.10.10 10.10.10.80
domain gpgallery.com
pool SDM_POOL_1
acl 111
save-password
split-dns gpgallery.com
max-users 25
max-logins 3
netmask 255.255.252.0
banner ^CYou are now connected to the Santa Fe Gallery and Corp. ^C
crypto isakmp profile ciscocp-ike-profile-1
match identity group SFGallery
client authentication list ciscocp_vpn_xauth_ml_3
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-template 3
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 43200
set transform-set ESP-3DES-SHA3
set isakmp-profile ciscocp-ike-profile-1
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel toxx.xx.xx.xx
set peer xx.xx.xx.xx
set transform-set ESP-3DES-SHA1
match address 107
reverse-route
interface Loopback1
ip address 192.168.5.1 255.255.255.0
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description T1 Cybermesa$ETH-WAN$
ip address xx.xx.xx.xx 255.255.255.240
ip access-group 105 in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map SDM_CMAP_1
interface GigabitEthernet0/1
description LANOverloadNet$ETH-WAN$
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/2
description LAN$ETH-LAN$
ip address 10.10.10.2 255.255.255.128
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface FastEthernet0/0/0
ip address 192.168.100.1 255.255.255.0
ip access-group ReplicationIN out
duplex auto
speed auto
interface GigabitEthernet1/0
description $ETH-LAN$
ip address 172.16.0.1 255.255.252.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet1/1
description Internal switch interface connected to EtherSwitch Service Module
no ip address
interface Virtual-Template1 type tunnel
ip unnumbered Loopback1
interface Virtual-Template2
ip unnumbered Loopback1
zone-member security sslvpn-zone
interface Virtual-Template3 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
no ip address
ip local pool SDM_POOL_1 172.16.3.200 172.16.3.254
ip forward-protocol nd
ip http server
ip http access-class 1
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 10
sort-by bytes
cache-timeout 60000
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip nat inside source route-map SDM_RMAP_4 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.10.10.95 22 xx.xx.xx.xx extendable
ip nat inside source static udp 10.10.10.95 22 xx.xx.xx.xx extendable
ip nat inside source static tcp 10.10.10.95 25 xx.xx.xx.xx extendable
ip nat inside source static udp 10.10.10.95 25 xx.xx.xx.xx 25 extendable
ip nat inside source static tcp 10.10.10.95 80 xx.xx.xx.xx 80 extendable
ip nat inside source static udp 10.10.10.95 80 xx.xx.xx.xx 80 extendable
ip nat inside source static tcp 10.10.10.95 443 xx.xx.xx.xx 443 extendable
ip nat inside source static udp 10.10.10.95 443 xx.xx.xx.xx 443 extendable
ip nat inside source static tcp 10.10.10.30 80 xx.xx.xx.xx 80 extendable
ip nat inside source static tcp 10.10.10.104 80 xx.xx.xx.xx 80 extendable
ip nat inside source static tcp 10.10.10.37 26 xx.xx.xx.xx 25 extendable
ip nat inside source static udp 10.10.10.37 26 xx.xx.xx.xx 25 extendable
ip nat inside source static tcp 10.10.10.115 80 xx.xx.xx.xx 80 extendable
ip nat inside source static tcp 10.10.10.115 443 xx.xx.xx.xx 443 extendable
ip nat inside source static tcp 10.10.10.80 443 xx.xx.xx.xx 443 extendable
ip nat inside source static tcp 10.10.10.47 26 xx.xx.xx.xx 25 extendable
ip nat inside source static udp 10.10.10.47 26 xx.xx.xx.xx 25 extendable
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx permanent
ip route 10.10.10.0 255.255.255.128 GigabitEthernet0/2 10 permanent
ip route 10.10.10.44 255.255.255.255 10.10.10.1 permanent
ip route 10.10.10.128 255.255.255.224 10.10.10.126 permanent
ip route 10.10.10.172 255.255.255.255 10.10.10.3 permanent
ip route 10.10.10.175 255.255.255.255 10.10.10.3 permanent
ip route 10.10.10.177 255.255.255.255 10.10.10.3 permanent
ip route 172.16.4.0 255.255.252.0 10.10.10.126 permanent
ip route 192.168.100.0 255.255.255.0 FastEthernet0/0/0 permanent
ip route 192.168.101.0 255.255.255.0 10.10.10.126 permanent
ip access-list extended CCP_IP
remark CCP_ACL Category=128
permit ip any any
ip access-list extended ReplicationIN
remark CCP_ACL Category=1
permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
deny ip any any
ip access-list extended ReplicationOUT
remark CCP_ACL Category=1
deny ip any any
no logging trap
logging 10.10.10.107
access-list 1 permit 192.168.1.2
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 72.216.51.56 0.0.0.7
access-list 1 permit 172.16.0.0 0.0.3.255
access-list 1 permit 172.16.4.0 0.0.3.255
access-list 1 permit 10.10.10.128 0.0.0.31
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 permit xx.xx.xx.xx 0.0.0.15
access-list 1 permit 10.10.10.0 0.0.0.127
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark CCP_ACL Category=1
access-list 100 permit tcp object-group GPAll object-group NY eq www
access-list 100 permit udp host 10.10.10.10 eq 1645 host 10.10.10.2
access-list 100 permit udp host 10.10.10.10 eq 1646 host 10.10.10.2
access-list 100 permit ip any host 10.10.10.2
access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq telnet
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq telnet
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq telnet
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq telnet
access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq 22
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq 22
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq 22
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq 22
access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq www
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq www
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq www
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq www
access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq 443
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq 443
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq 443
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq 443
access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq cmd
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq cmd
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq cmd
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq cmd
access-list 100 deny tcp any host 10.10.10.2 eq telnet
access-list 100 deny tcp any host 10.10.10.2 eq 22
access-list 100 deny tcp any host 10.10.10.2 eq www
access-list 100 deny tcp any host 10.10.10.2 eq 443
access-list 100 deny tcp any host 10.10.10.2 eq cmd
access-list 100 deny udp any host 10.10.10.2 eq snmp
access-list 100 permit udp any eq domain host 10.10.10.2
access-list 100 permit udp host 10.10.10.80 eq domain any
access-list 100 permit udp host 10.10.10.10 eq domain any
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 72.216.51.56 0.0.0.7 any
access-list 101 permit ip 172.16.0.0 0.0.3.255 any
access-list 101 permit ip 172.16.4.0 0.0.3.255 any
access-list 101 permit ip 10.10.10.128 0.0.0.31 any
access-list 101 permit ip xx.xx.xx.xx 0.0.0.15 any
access-list 101 permit ip host 192.168.1.2 any
access-list 101 permit ip 10.10.10.0 0.0.0.127 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 72.216.51.56 0.0.0.7 any
access-list 102 permit ip 172.16.0.0 0.0.3.255 any
access-list 102 permit ip 172.16.4.0 0.0.3.255 any
access-list 102 permit ip 10.10.10.128 0.0.0.31 any
access-list 102 permit ip xx.xx.xx.xx 0.0.0.15 any
access-list 102 permit ip host 192.168.1.2 any
access-list 102 permit ip 10.10.10.0 0.0.0.127 any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark CCP_ACL Category=1
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq telnet
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq 22
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq www
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq 443
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq cmd
access-list 103 deny tcp any host 172.16.0.1 eq telnet
access-list 103 deny tcp any host 172.16.0.1 eq 22
access-list 103 deny tcp any host 172.16.0.1 eq www
access-list 103 deny tcp any host 172.16.0.1 eq 443
access-list 103 deny tcp any host 172.16.0.1 eq cmd
access-list 103 deny udp any host 172.16.0.1 eq snmp
access-list 103 permit ip any any
access-list 104 remark CCP_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31
access-list 105 remark Auto generated by SDM Management Access feature
access-list 105 remark CCP_ACL Category=1
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.10.10.160 0.0.0.31 10.10.10.128 0.0.0.31
access-list 105 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.10.10.160 0.0.0.31 172.16.0.0 0.0.255.255
access-list 105 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 105 permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 105 permit ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq telnet
access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq telnet
access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq telnet
access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq 22
access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq 22
access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq 22
access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq www
access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq www
access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq www
access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq 443
access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq 443
access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq 443
access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq cmd
access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq cmd
access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq cmd
access-list 105 deny tcp any host xx.xx.xx.xx eq telnet
access-list 105 deny tcp any host xx.xx.xx.xx eq 22
access-list 105 deny tcp any host xx.xx.xx.xx eq www
access-list 105 deny tcp any host xx.xx.xx.xx eq 443
access-list 105 deny tcp any host xx.xx.xx.xx eq cmd
access-list 105 deny udp any host xx.xx.xx.xx eq snmp
access-list 105 permit tcp any host xx.xx.xx.xx eq 443
access-list 105 permit ip 10.10.10.160 0.0.0.31 10.10.10.0 0.0.0.127
access-list 105 permit udp any eq domain host xx.xx.xx.xx
access-list 105 permit ahp host 209.101.19.226 host xx.xx.xx.xx
access-list 105 permit esp host 209.101.19.226 host xx.xx.xx.xx
access-list 105 permit udp host 209.101.19.226 host xx.xx.xx.xx eq isakmp
access-list 105 permit udp host 209.101.19.226 host xx.xx.xx.xx eq non500-isakmp
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.10.10.0 0.0.0.127 10.10.10.0 0.0.0.127
access-list 105 permit ip any any
access-list 106 remark CCP_ACL Category=2
access-list 106 remark IPSec Rule
access-list 106 deny ip 10.10.10.128 0.0.0.31 10.10.10.160 0.0.0.31
access-list 106 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 106 remark IPSec Rule
access-list 106 deny ip 172.16.0.0 0.0.255.255 10.10.10.160 0.0.0.31
access-list 106 deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 106 deny ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
access-list 106 deny ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 106 deny ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31
access-list 106 remark IPSec Rule
access-list 106 deny ip 10.10.10.0 0.0.0.127 10.10.10.0 0.0.0.127
access-list 106 permit ip 10.10.10.0 0.0.0.255 any
access-list 107 remark CCP_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.10.10.128 0.0.0.31 10.10.10.160 0.0.0.31
access-list 107 remark IPSec Rule
access-list 107 permit ip 172.16.0.0 0.0.255.255 10.10.10.160 0.0.0.31
access-list 107 permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 107 permit ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
access-list 107 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 107 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 107 remark IPSec Rule
access-list 107 deny ip 172.16.0.0 0.0.255.255 host 10.10.10.177
access-list 108 remark CCP_ACL Category=2
access-list 108 remark IPSec Rule
access-list 108 deny ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31
access-list 108 permit ip 70.56.215.0 0.0.0.255 any
access-list 109 remark CCP_ACL Category=2
access-list 109 remark IPSec Rule
access-list 109 deny ip 10.10.10.128 0.0.0.31 10.10.10.160 0.0.0.31
access-list 109 remark IPSec Rule
access-list 109 deny ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31
access-list 109 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 109 remark IPSec Rule
access-list 109 deny ip 172.16.0.0 0.0.255.255 10.10.10.160 0.0.0.31
access-list 109 deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 109 deny ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
access-list 109 deny ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 109 permit ip 172.16.0.0 0.0.255.255 any
access-list 111 remark CCP_ACL Category=4
access-list 111 permit ip 10.10.10.0 0.0.0.127 any
access-list 111 permit ip 10.10.10.128 0.0.0.31 any
access-list 111 permit ip 172.16.0.0 0.0.3.255 any
access-list 111 permit ip 172.16.4.0 0.0.3.255 any
access-list 111 permit ip 10.10.10.160 0.0.0.31 any
route-map SDM_RMAP_4 permit 1
match ip address 109
route-map SDM_RMAP_1 permit 1
match ip address 106
route-map SDM_RMAP_2 permit 1
match ip address 108
snmp-server community public RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps transceiver all
snmp-server enable traps ds1
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps license
snmp-server enable traps envmon
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps flash insertion removal
snmp-server enable traps c3g
snmp-server enable traps ds3
snmp-server enable traps adslline
snmp-server enable traps vdsl2line
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps energywise
snmp-server enable traps vstack
snmp-server enable traps mac-notification
snmp-server enable traps bgp
snmp-server enable traps isis
snmp-server enable traps rf
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps memory bufferpeak
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps nhrp nhs
snmp-server enable traps nhrp nhc
snmp-server enable traps nhrp nhp
snmp-server enable traps nhrp quota-exceeded
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server enable traps ipsla
snmp-server enable traps bfd
snmp-server enable traps firewall serverstatus
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
snmp-server host 10.10.10.107 public
radius-server host 10.10.10.10 key HelloSFGal1#
control-plane
banner login ^CCCWelcome to Santa Fe Gallery Cisco 2911 router 10.10.10.1.^C
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
flowcontrol software
line vty 0 4
access-class 102 in
transport input telnet
line vty 5 15
access-class 101 in
transport input telnet
scheduler allocate 20000 1000
end
Thanks so much, Herbert.
As an alternative to what you suggest, what do you think of this? I got it from Cisco's support document, http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
I would delete these lines:
no ip nat inside source static tcp 10.10.10.95 80 [outside IP] 80 extendable
no ip nat inside source static udp 10.10.10.95 80 [outside IP] 80 extendable
no ip nat inside source static tcp 10.10.10.95 443 [outside IP] 443 extendable
no ip nat inside source static udp 10.10.10.95 443 [outside IP] 443 extendable
no ip nat inside source static tcp 10.10.10.30 80 [outside IP] 80 extendable
and replace with these
ip nat inside source static tcp 10.10.10.95 80 [outside IP] 80 route-map nonat extendable
ip nat inside source static udp 10.10.10.95 80 [outside IP] 80 route-map nonat extendable
ip nat inside source static tcp 10.10.10.95 443 [outside IP] 443 route-map nonat extendable
ip nat inside source static udp 10.10.10.95 443 [outside IP] 443 route-map nonat extendable
ip nat inside source static tcp 10.10.10.30 80 [outside IP] 80 route-map nonat extendable
Then add:
access-list 150 deny ip host 10.10.10.95 10.10.10.160 0.0.0.31
access-list 150 deny ip host 10.10.10.95 172.16.8.0 0.0.3.255
access-list 150 deny ip host 10.10.10.130 10.10.10.160 0.0.0.31
access-list 150 deny ip host 10.10.10.130 172.16.8.0 0.0.3.255
access-list 150 permit ip host 10.10.10.95 any
access-list 150 permit ip host 10.10.10.130 any
route-map nonat permit 10
match ip address 150
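The proposal above makes each static translation conditional: with `route-map nonat` attached, the router translates a flow only when the route-map matches, which here means only when ACL 150 permits it. The deny entries therefore exempt traffic to the VPN subnets from NAT, and anything that falls through to the implicit deny at the end of the ACL is likewise left untranslated. As an added example (not from the thread or from Cisco's document), the following Python script models IOS wildcard-mask matching and first-match/implicit-deny ACL semantics and evaluates constructed flows against ACL 150 exactly as posted. It only models `ip` entries, which is all ACL 150 uses, and the flows are constructed. One thing it makes visible before the change is applied: 10.10.10.30 appears in the proposed NAT statements but has no entry in ACL 150, so its flows hit the implicit deny and that static translation would never be used.

```python
import ipaddress
from dataclasses import dataclass

# ACL 150 exactly as proposed in the reply above (route-map "nonat" matches this ACL).
ACL_150 = """
access-list 150 deny ip host 10.10.10.95 10.10.10.160 0.0.0.31
access-list 150 deny ip host 10.10.10.95 172.16.8.0 0.0.3.255
access-list 150 deny ip host 10.10.10.130 10.10.10.160 0.0.0.31
access-list 150 deny ip host 10.10.10.130 172.16.8.0 0.0.3.255
access-list 150 permit ip host 10.10.10.95 any
access-list 150 permit ip host 10.10.10.130 any
"""


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def parse_operand(tokens, i):
    """Parse one ACL address operand at tokens[i]: 'any', 'host A' or 'A WILDCARD'.
    Returns (value, care_mask, next_index); a packet address X matches when
    X & care_mask == value. In an IOS wildcard mask a 1 bit means 'don't care'."""
    if tokens[i] == "any":
        return 0, 0, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0xFFFFFFFF, i + 2
    care = (~_ip(tokens[i + 1])) & 0xFFFFFFFF
    return _ip(tokens[i]) & care, care, i + 2


@dataclass
class Ace:
    action: str
    src_value: int
    src_care: int
    dst_value: int
    dst_care: int

    def matches(self, src, dst):
        return ((src & self.src_care) == self.src_value
                and (dst & self.dst_care) == self.dst_value)


def parse_acl(text, number):
    """Build the ordered ACE list for a numbered extended ACL. Only 'ip' entries are
    modelled (all ACL 150 needs); remarks and other ACL numbers are skipped."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[:2] != ["access-list", str(number)] or t[2] == "remark":
            continue
        if t[3] != "ip":
            raise ValueError(f"this example models 'ip' entries only: {line}")
        src_value, src_care, i = parse_operand(t, 4)
        dst_value, dst_care, _ = parse_operand(t, i)
        aces.append(Ace(t[2], src_value, src_care, dst_value, dst_care))
    return aces


def acl_result(aces, src, dst):
    """First matching entry wins; IOS appends an implicit 'deny' to every ACL."""
    s, d = _ip(src), _ip(dst)
    for ace in aces:
        if ace.matches(s, d):
            return ace.action
    return "deny"


def static_nat_applies(aces, src, dst):
    """Conditional static NAT ('ip nat inside source static ... route-map nonat'):
    the translation is used only when route-map nonat matches, i.e. when ACL 150
    permits the flow. A deny, explicit or implicit, leaves the packet untranslated."""
    return acl_result(aces, src, dst) == "permit"


# Constructed flows: an Internet destination, a host in 10.10.10.160/27 (object-group NY
# in the posted config) and a 172.16.8.0/22 address, for the inside hosts named in the
# proposed NAT statements and in ACL 150.
FLOWS = [
    ("10.10.10.95", "8.8.8.8"),
    ("10.10.10.95", "10.10.10.170"),
    ("10.10.10.95", "172.16.9.5"),
    ("10.10.10.130", "8.8.8.8"),
    ("10.10.10.30", "8.8.8.8"),
]


def evaluate(acl_text=ACL_150, flows=FLOWS):
    """Return {(src, dst): True if the static translation applies, False if NAT is bypassed}."""
    aces = parse_acl(acl_text, 150)
    return {(s, d): static_nat_applies(aces, s, d) for s, d in flows}


if __name__ == "__main__":
    for (s, d), translated in evaluate().items():
        verdict = "NAT" if translated else "no NAT (route-map nonat does not match)"
        print(f"{s:>13} -> {d:<14} {verdict}")
```

Run it as is to see the verdict for each constructed flow; swap in your own ACL text and flows to check a NAT exemption policy before it goes on the router.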
Ftp and http access over XDB repository is not allowed...
When I try to execute the following command on a reasonably fresh Oracle 11 installation:
insert into "XMLTEST" ( "name", "xmlfof" ) values ( 'small', DBMS_XDB.GETCONTENTXMLTYPE('/public/small.xml') );
-- The schema is correctly registered, the file "small.xml" is in the /public repository folder, the user has every conceivable role and privilege
-- http access works fine from a remote location, tried to execute the command on the server and from remote system...
I get the following error message:
ORA-31020: The operation is not allowed, Reason: For security reasons, ftp and http access over XDB repository is not allowed on server side ORA-06512: at "XDB.DBMS_XDB", line 1915
Searching for an answer on the forum didn't produce any concrete explanation... Does anyone have any idea how to solve this problem?
As it turns out, the XML file contained a reference to a DTD at an external web site, which caused the problem - it was identical to that described here:
Re: ORA-31020 when using XML with external DTD or entities
After removing the reference, everything works perfectly...
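The root cause found above, an XML file that pointed at a DTD on an external web site, is the same class of input a server-side XML parser has to refuse if it is not to be turned into a proxy that fetches arbitrary URLs or local files on the attacker's behalf (external DTD and external entity resolution, the mechanism behind XXE). As an added example, not from the thread or from Oracle's documentation, the following Python script uses the standard library's expat bindings to list every external DTD or entity reference a document declares before it is handed to a parser that would resolve them, and strips the DOCTYPE declaration, which is the fix the poster arrived at. The three sample documents are constructed and the URLs in them are placeholders; expat itself fetches nothing unless an ExternalEntityRefHandler is installed, so the scan runs offline.

```python
import xml.parsers.expat

# Constructed samples, not the poster's small.xml. The first points at a DTD on an external
# web site, which is the situation described in the thread; the second declares an external
# entity in the internal subset; the third is clean.
SAMPLE_EXTERNAL_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE fof SYSTEM "http://www.example.com/dtd/small.dtd">
<fof><name>small</name></fof>
"""

SAMPLE_EXTERNAL_ENTITY = b"""<?xml version="1.0"?>
<!DOCTYPE fof [
  <!ENTITY hostname SYSTEM "file:///etc/hostname">
]>
<fof><name>small</name></fof>
"""

SAMPLE_CLEAN = b"""<?xml version="1.0"?>
<fof><name>small</name></fof>
"""


def external_references(xml_bytes):
    """List every external DTD or entity reference the document declares, as tuples
    (kind, name, public_id, system_id). Expat does not fetch external resources unless an
    ExternalEntityRefHandler is installed, so this scan performs no network or file access."""
    refs = []
    parser = xml.parsers.expat.ParserCreate()

    def start_doctype(name, system_id, public_id, has_internal_subset):
        if system_id or public_id:
            refs.append(("doctype", name, public_id, system_id))

    def entity_decl(name, is_parameter_entity, value, base, system_id, public_id, notation_name):
        if system_id or public_id:
            refs.append(("entity", name, public_id, system_id))

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.Parse(xml_bytes, True)
    return refs


def strip_doctype(xml_bytes):
    """Remove the DOCTYPE declaration, external identifiers and internal subset included,
    which is the fix the thread arrived at. Quoted identifiers and the [...] internal subset
    are tracked so a '>' inside them does not end the declaration early."""
    start = xml_bytes.find(b"<!DOCTYPE")
    if start < 0:
        return xml_bytes
    i, depth, quote = start + len(b"<!DOCTYPE"), 0, None
    while i < len(xml_bytes):
        c = xml_bytes[i:i + 1]
        if quote:
            if c == quote:
                quote = None
        elif c in (b'"', b"'"):
            quote = c
        elif c == b"[":
            depth += 1
        elif c == b"]":
            depth -= 1
        elif c == b">" and depth == 0:
            return xml_bytes[:start] + xml_bytes[i + 1:]
        i += 1
    raise ValueError("unterminated DOCTYPE declaration")


def safe_to_load(xml_bytes):
    """True when the document declares no external DTD or entity, so a server-side parser
    that refuses outbound fetches (as XDB did in the thread) has nothing to refuse."""
    return not external_references(xml_bytes)


if __name__ == "__main__":
    for label, doc in [("external DTD", SAMPLE_EXTERNAL_DTD),
                       ("external entity", SAMPLE_EXTERNAL_ENTITY),
                       ("clean", SAMPLE_CLEAN)]:
        print(f"{label:>16}: {external_references(doc)}")
    print("after strip_doctype:", external_references(strip_doctype(SAMPLE_EXTERNAL_DTD)))
```

Run the check on files before loading them into a repository-backed parser; stripping the DOCTYPE is appropriate only when the document does not depend on entities or defaults the DTD supplies, otherwise the DTD should be hosted where the server is allowed to read it.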
HTTPS connection with client certificate not working in spartan
Spartan does not show certificate for the user to select
when I click the https link.
The certificates (taken from a smartcard) are indeed present in the user CertStore.
It works with IE 11 and Chrome.
Does anybody have any suggestions?
Thanks.
In fact you are using a reverse proxy rather than a proxy, since it is on the server side.
You have to put the whole SSL server side on the reverse proxy itself and not on the final RSS feed. Then the reverse proxy will authenticate your client and get its certificate. After that, either this proxy opens a plain connection (no SSL) towards the RSS feed, or you can open an SSL connection as well, but this means you must create a client certificate for the proxy. It just depends on the security level you need, and I have used this solution many times in professional hosting.
Hope it helps!