Using OHS to redirect traffic based on intranet or internet URL

Similar Messages

• Using OHS to redirect or rewrite using wildcards..

  Ok, so I'm trying to configure my OHS application to append a url on to the end of another.. Let me give an example to explain what I mean by that.
  This url is on my webpage http://servername/applicationname/faces/dDocName:20000 . I want to rewrite the url to go to http://servername/webcenter/content/conn/UCM_Repository/uuid/dDocName:20000 when a user clicks on it. Everything will be constant except for the dDocName. The number on the end will vary. It will always be redirected to the same content ID though (i.e. 300 -> 300, 68393 -> 68393, etc.)
  What I'm looking for is a way to map this using a wildcard or something.. So here's some pseudocode for what I'm thinking:
  If Incoming url = http://servername/applicationname/faces/dDocName:*
       redirect to http://servername/webcenter/content/conn/UCM_Repository/uuid/ + dDocName (where the number carries over from the incoming url)
  I'm sure there's a way to do this, but there are so many different modules I just don't know where to start... Does anyone have an idea how this could be done, or even where some documentation is that describes it?
  Thanks

  Maybe you could try it like this... I saw this question answered not too long ago.
  Submit Portal Form Values to Portal Report

• Redirecting traffic based on source address on CSS11503

  Hi all,
  I need to redirect HTTP traffic originating from a specific range of IPs to a specific farm of HTTP servers. More specifically, I need request comming to CSS's outside VIP address on port 80/tcp to be redirected to the HTTP farm (2 boxes with RFC1918 addresses) on port 30084/tcp.
  The trick is that this rule should only apply for a certain range of source IP addresses. The rest should be content switched normally. I.e. 80/tcp -> 80/tcp, etc.
  Is this possible with ACL or somthing similar?
  I'm running WebNS 7.20 on a CSS11503.
  Thanks,
  haver

  you could create a 2nd VIP like x.x.x.x:81 and
  a service like
  service redirect
  domain x.x.x.x:81
  type redirect
  keepalive type none
  Under the Vip x.x.x.x:81, you configure the 2 services with private ip addresses and port 30084.
  Then you create an ACL
  acl 10
  clause 10 permit tcp destination content prefer redirect
  clause 99 permit any any destination any
  apply circuit-VLAN...
  Don't forget you will need an ACL permit any any on all other interfaces to avoid blocking the rest of the traffic.
  What this will do is tell the browser to close the current connection to vip:80 and reopen a new one to vip:81 and this will be loadbalanced to the private servers.
  Gilles.

• Url link (Intranet and internet) in DIS(CV03n) as original attac.(10 point)

  Hello Friends,
          I am working on DIS(Documnet managemnet system),
         I would like to attach Intranet or internet url links to the
         DIS as a original attachment.How can i do this please help me.
        I will reward with full points(10 points)  if I get help .
       Please Help me...................
  Thanks In Advance
  Preethi

  Try this link
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/e0bba346-cb84-2910-2aa9-ba1f8a1c8617
  Reward if useful
  Ravish Garg

• SCCM design DMZ for intranet and internet clients

  Hello,
  I am looking for some design recommendations for my test environment that I would like to apply to one production environment (I already posted about this topic but I still have some questions).
  I am working with 2 domains (2 forests) with no trust relationships.
  Domain A : internal
  Domain B : DMZ
  From a firewall point of view, only the ports from the internal to the DMZ will be opened.
  From the internet to the DMZ, only HTTPS will be opened.
  Currently, I only manage the clients connected to the internal domain.
  I would like to deploy a new management point in DMZ that will allow me to manage my DMZ clients (servers) and my Internet clients (laptops).
  Should I use 2 management points ? Is it supported ?
  - one for the DMZ clients
  - one dedicated to my internet clients
  If I use only one MP, should I allow Intranet and Internet clients ?
  Should I allow my DMZ clients to communicate with the internal management point (port 80) and only use the MP in DMZ for my Internet clients.
  The only documents I can find on Technet require too many ports to be opened in the firewall (From DMZ to Internal) and can't be applied to my environment.
  Thanks.

  Have a look at the following blog which explains your queries comprehensively.
  http://blogs.technet.com/b/neilp/archive/2012/08/20/cross-forest-support-in-system-center-2012-configuration-manager-part-1.aspx
  -RG

• How to do a PortForward/Port Proxy? Redirecting traffic from port 8080 to 80 on the SAME machine

  We have a CFTV system running on Win2008R2 that listens on 4 sequential port numbers and the last port is the Web Browser Port number for management and viwing cameras
  When we configure the port 8077 on the software, it opens 8077, 8078, 8079 and 8080 and works with no problem
  But...
  When we try to configure ports 77 (and therefore 77, 78, 79 and 80) thw applications hangs and seems like not be possible to configure to use port 80
  I could confirm that,  using NETSTAT and the main CFTV application open all required ports with no problem, but only works on ports with a different number from "80", wich is what i want, to make users more confortable, avoiding to type ":PORT_NUMBER"
  after the URL, it will be more "ellegant" solution to use default port 80 for user´s connections
  The question is: How to do a PortForward/Port Proxy? Redirecting traffic from port 8080 to 80 on the SAME machine?
  May i Use NETSH? (based on Help, it can be used to do this, but on different machines, not the same one)
  There is a RELIABLE application, running as a service, that can do the port forward/redirect?

  Hi,
  I’m sorry to tell you that we can’t redirect traffic from a port to another port on the same server itself. But we can do it with a router which is configured to portfoward.
  By the way, according to your description, another program may use the port 80. Is there an IIS installed on the server? If it is necessary, you can consult your CFTV system vendor.
  Hope this helps.
  Steven Lee
  TechNet Community Support

• Can you refer to the original host name when using a challenge redirect?

  I have an authentication scheme that uses a challenge redirect to cause authentication to happen using https instead of http. However, this seems to break some of our monitoring scripts because now the credential challenge is coming from a different host name. Is it possible to refer to the original host name with some type of variable in the challenge redirect parameter? Below is an example:
  1. User accesses secured URL at http://appstenv2.company.com/testurl
  2. This webserver is hosting several aliases (appstenv2.company.com, appstenv4.company.com, appstenv6.company.com) and has a main name of appsdev.company.com - but is a single apache webserver where there is an application server plugin installed which will route to the desired application server environment based on the original hostname. So if a user accesses it with a name of appstenv2.company.com/testurl they will be routed to the "test 2" environment application server. If they access it as appstenv6.company.com, they would be routed to the "test 6" environment application server.
  3. This webserver listens on both http and https.
  4. The current challenge redirect can only redirect to a specific URL so it is set to "https://appsdev.company.com" which works fine interactively but the recorded monitoring scripts suddenly see a new hostname doing the prompting for credentials even though it is the same webserver - just a different alias.
  5. If possible, I would want to do the redirect in a relative fashion rather than absolute by using the original hostname from the URL being accessed. So, if the user was accessing http://appstenv2.company.com/testurl, I would like to redirect to https://appstenv2.company.com for the basic authentication. but with the same authentication scheme, if the user accesses http://appstenv6.company.com/testurl, I would want the challenge redirect to go to https://appstenv6.company.com. I'm hoping it's possible to use some system variable like SERVER_NAME to do this.
  Challenge Redirect: https://$SERVER_NAME
  Does anyone know if that is available in OAM 10.1.4.3 or some other way to accomplish the same thing with a single authentication scheme?

  No, there are not multiple policies - the host names for all aliases on that single webserver are together in a single host identifier. And I realize I can only have a single challenge redirect, I just want to use a variable to redirect to the host name that was accessed as opposed to a static name.

• Using ohs as a front end to weblogic

  I had a lot of trouble trying to enable ssl in weblogic (10.3.4 windows 64 bits). So I was thinking of just using ohs as a front end. I need the traffice between the forms and reports clients and the web service to be encrypted. Between the webservice and weblogic and database can be in the clear. I already got ohs to do ssl for application express. It was nowhere as hard to deal with as weblogic (10.3.4) . I don't seem to be able to think like weblogic :-(
  However I need some good and correct instructions on how to do this. Anyone got any?
  This is one of those things where the more you look the more confused you get.
  (BTW this seems to be saying you can't use ohs in front of em or console.)
  for example:
  Doc ID 1268723.1
  Following this note will result in the following architecture:
  Browser --> https --> OHS --> https --> WebLogic Server
  There are three steps needed to configure mod_wl_ohs in this setup:
  Step I: Configure OHS for SSL
  Step II: Configure Weblogic for SSL
  Step III: Configure mod_wl_ohs
  Now that is very complex and one has to face both the wallet and the keystore and more.
  whereas another doc
  Doc ID 1240977.1
  advocates only enabling ssl in ohs and not in weblogic. Well which is it? Does ssl have to be in weblogic?
  If it does I could picture not involving ohs and that apparently crash prone module.

  Well I wanted to close this out by saying that I never found out definitively how to put ohs in front of
  weblogic. (10.3.4) I'm not sure it's that great of an idea considering some reports of problems with
  mod_wl_ohs in support but anyway I did get ssl working in weblogic. Basically I followed 1109753.1 This is the very
  simple way that you just configure ssl for wls_forms and wls_reports in weblogic and no involvement of any apache
  modules or rewriting or proxying or anything like that.
  I did convert the oracle wallet (cwallet.sso) that I was using for ohs to .jks using the
  orapki pks12_to_jks command. That had in fact the server cert and two associated trust certs from the cert
  vendor. Some instructions make it sound like you have to "separate identity and trust" but I didn't and it does
  work.
  Configuration of WLS_FORMS or WLS_REPORTS for ssl is like this:
  in weblogic administration http://myserver:7001/console :
  (environment,servers, WLS_FORMS)
  _________keystores tab _________________
  keystores: custom identity and java standard trust
  custom identity keystore: d:\somewhere\mykeystore.jks
  custom identity keystore type JKS
  custom identity keystore passphrase keystorepasswd
  Java Standard Trust Keystore:     
  C:\PROGRA~1\Java\JDK16~1.0_2\jre\lib\security\cacerts
  Java Standard Trust Keystore Type:     jks
  <no passwords entered for java standard trust although the password is known to be changeit>
  ___________SSL tab_____________
  Identity and Trust Locations:     Keystores
  Private Key Location:     from Custom Identity Keystore
  Private Key Alias: <for key. You can list this with a utility if you forgot>
  Private Key Passphrase: <private key password>
  Certificate Location:     from Custom Identity Keystore
  Trusted Certificate Authorities:     from Java Standard Trust Keystore
  plus in Configuration Tab:
  ssl listen port enabled specify port you want
  I am guessing that since the forms and reports ports are different by default
  that the ssl ports should be different also?
  after that I actually think you have to stop and then start the service instead of just restart ssl.
  Anyway then try whatever your forms or reports url was but using the new port and using https:
  eg. https://my.domain.name:7002/forms/frmservlet
  If that doesn't work then look for the log which is something like:
  c:\<middlewarehome>/user_projects/domains/mydomain/servers/WLS_FORMS/logs look for it there.

• Possible to Route Traffic Based on AVC?

  Is it possible to route traffic, based on the Application Visibility Control functions that specific Cisco routers are capable of?  Here's my issue:  I have two ISP's.  One is at about 120% utilization.  The other isn't doing anything.  I can specify ip routes based on IP addresses.  For instance, I can ip route 173.252.110.27 255.255.255.255 10.x.x.x to point to our ISP2 firewall, which is our non-utilized provider, for Facebook traffic.  The problem is that sites like this have massive public subnets, so I won't be able to capture all of the traffic destined to Facebook.  Is there a way to route traffic based on application?  I know that Palo Alto firewalls have a way to do Policy Based Forwarding, based on application.  I was wondering if the same was possible with AVC.  Thanks for any help.

  Hello.
  Yes, it's possible and, actually, you have 2 ways.
  1. use manual load-balanace between links.
  2. use PfR to load-balance traffic automatically.
  PS: you also will need NAT with route-map.

• Prioritise traffic based on IP subnet

  I'm currently using an Avaya IP Office VoIP solution and I want to introduce a Cisco 2600 to replace the WAN units. I've been told that I will need a QOS switch or have two Lan ports on the router to create two subnets (1 for Data & 1 for VoIP).
  If I decide to use 2 lan ports instead of installing a QOS switch can someone tell me if this solution is viable and if it is how would I proritise the traffic based upon the IP subnet.

  If you are going to place the phones on a single subnet and connect them to a dedicated router interface with no other devices (PCs, printers etc) you should get away without any QoS because all the data on that subnet will be voice bearer, voice signaling and network management with voice bearer being by far the majority of the traffic. Your greatest concern for voice quality should be aimed at the WAN link. You will need to ensure that you have QoS between sites and this will be dependent on the type of WAN link employed.

• Redirect traffic destined for an IP on Server 1 to go to Server 2 at DR Site?

  DNS is what I'm using for most of my subnets. The problem is that I have a handful of subnets that have devices that are under the control of an outside agency. Those devices access a server in my DC by pointing to the IP Address.
  If I performed a failover test to Server 2 at a DR Site, how can I redirect traffic from those subnets to Server 2 if they are still pointing at the IP on Server 1? In the DC, a 6509 sits between Server 1 and the subnets in question. To get to Server 2 at the DR site, I have an FWSM in the DC and an ASA5585 at the DR site.

  If your route point is a router or L3 switch then you could configure a route-map with an ACL that is used to change the next hop ip for the servers in the DC to the DRC. This will be a lot of manual configuration and testing but it maybe a viable solution.
  Sent from Cisco Technical Support iPad App

• Redirecting traffic on SunOne 6.1 SP4

  hi all,
  i've got a web server running SunOne 6.1 SP4, and im trying to figure how to redirect traffic from 2 different locations.
  the web server is accessed both thru the LAN and the Internet. how is it possible to re-direct traffic coming from an internal UP to another interanl IP and traffic from an external IP to an external IP.....?
  currently im using the following in my obj.conf file. but this is re-directing all traffic to one location.
  <Client security="false">
  NameTrans fn="redirect" from="/" url-prefix="http://x.x.x.x/"
  </Client>
  how can i configure this to re-direct traffic coming from the LAN (these come from a 10.1.x.x segment) to another internal IP and traffic coming from the web to another external IP...?
  any help on the matter would be highly appreciated.
  thanks and regards,

  To Documentation team,
  Here is what to do :
  update in http://docs.sun.com/app/docs/doc/820-1643/6nda4qg75?l=en&a=view#abvau
  Old Text :
  <Client ip="~192.85.250.*">AddLog fn="flex-log" name="access"</Client>
  New Text :
  <Client ip="\*~192.85.250.\*">
  AddLog fn="flex-log" name="access"
  </Client>
  Note that a * (asterisk) is required before ~ (tilda) and make these 3 separate lines.

• Prioritize traffic based on destination IP?

  Hi all, we're looking to use an ASA5505 or 5510 as our firewall but want to see if one of them can help us prioritize traffic. I know it does QoS but we're wanting to dedicate x amount of our bandwidth to traffic based on destination IP address. Is that possible and does it take a license upgrade?
  Thanks!

  Jerry, i would try something like in the second config example I mentioned. keep in mind, if ISP doesn't support marking packets, it may be hard to QoS inbound. if you assign the VOIP traffic high priority, it should go out interface first during congestion. Don't need to dedicate a certain amount of bandwidth in any way. Make sure in the design to keep the VOIP traffic, VPN traffic and User PAT (outbound NAT) traffic on separate IP's. That will help when defining the access-lists. This QoS stuff is kind of tricky and is bit confusing. I have setup a few configs according to the above examples and they _seem_ to work. I ran a policing queue on the edge router for traffic leaving to ASA, and ran a priority queue on the ASA. When i test big download from a major site, which could consume all bandwidth, it doesn't appear to clobber VOIP traffic. The same results apply, when I test a big upload to internet. The QoS stuff is tricky though, and i _didn't_ see what I expected when i use the show QoS commands to see traffic drops, etc. so YMMV!
  Take a look at this link for ASA 7.X release, which may give you some ideas:
  "QoS based on ACL with VPN Configuration" You can change ACL to include the outside interface IP as long as you have separated the NAT's, VPN, etc. like i mentioend earlier.
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml
  Will

• Regd using OHS to publish data to DSR

  Hi Gurus,
  We are planning to publish data from current BW 3.5 to DSR system(which is relational table based), it is a third party system.
  In order to attain this please advice :
  1) Does we need to pay extra license fee to use OHS services?
  2)Our Data Targets(Info Cubes and ODS ) objects have more fields , would bee around 40-60 on each of them and does the table genearated as /BIC/OHXXX accomodate these many fields?
  3)Is it mandatory that we use Third party tool to publish data from the OHS table to DSR system?
  4) what will be the ideal approach to publish data in the format of DSR ?
  Kindly advice
  Chinna

  Hi,
  1) Does we need to pay extra license fee to use OHS services?
  as long as you are not directly connect to third party system no fee is needed.
  2)Our Data Targets(Info Cubes and ODS ) objects have more fields , would bee around 40-60 on each of them and does the table genearated as /BIC/OHXXX accomodate these many fields?
  I think it should.
  3)Is it mandatory that we use Third party tool to publish data from the OHS table to DSR system?
  not really.. one of the approach could be create flat files out of BW data move these from BW application server to your third party system
  hope it helps
  regards
  Vikash

• Issues with using the output redirection character with newer NXOS versions?

  Has anyone seen any issues with using the output redirection character with newer NXOS versions?
  Am receiving "Error 0x40870004 while copying."
  Simply copying a file from bootflash to tftp is ok.
  This occurs for both 3CDaemon and Tftpd32 softwares.
  Have tried it on multiple switches - same issue.
  Any known bugs?
  thanks!
  The following is an example of bad (NXOS4.1.1b) and good (SANOS3.2.1a)
  MDS2# sho ver | inc system
    system:    version 4.1(1b)
    system image file is:    bootflash:///m9200-s2ek9-mz.4.1.1b.bin
    system compile time:     10/7/2008 13:00:00 [10/11/2008 09:52:55]
  MDS2# sh int br > tftp://10.73.54.194
  Trying to connect to tftp server......
  Connection to server Established. Copying Started.....
  TFTP put operation failed:Access violation
  Error 0x40870004 while copying tftp://10.73.54.194/
  MDS2# copy bootflash:cpu_logfile tftp://10.73.54.194
  Trying to connect to tftp server......
  Connection to server Established. Copying Started.....
  |
  TFTP put operation was successful
  MDS2#
  ck-ci9216-001# sho ver | inc system
    system:    version 3.2(1a)
    system image file is:    bootflash:/m9200-ek9-mz.3.2.1a.bin
    system compile time:     9/25/2007 18:00:00 [10/06/2007 06:46:51]
  ck-ci9216-001# sh int br > tftp://10.73.54.194
  Trying to connect to tftp server......
  |
  TFTP put operation was successful

  Please check with new version of TFTPD 32 server. The error may be due to older version of TFPT server, the new version available solved this error. Files are getting uploaded with no issues.
  1. Download tftpd32b.zip from:
  http://tftpd32.jounin.net/tftpd32_download.html
  2. Copy the tftpd32b.zip file into an empty directory and extract it.
  3. Copy the file you want to transver into the directory containing tftpd32.exe.
  4. Run tftpd32.exe from that directory. The "Base Directory" field should show the path to the directory containing the file you want to transfer.
  At this point, the tftpserver is ready to begin serving files. As devices request files, the main tftpd32 window will log the requests.
  Best Regards...