VLAN trunking to server and security

I have a question concerning interserver security.
I have a cat6513 and the port connected to a w2k3 server (single NIC) is in trunking mode carrying 2 VLANs: a "customer" VLAN and a "backup" VLAN. We serve multiple customers, each on their own specific VLAN, but all customers use the same generic backup service in a generic backup VLAN. Customer VLANs are separated by a FWSM, but with this setup all the servers can connect to other servers on the backup VLAN.
What would be the best way to make sure that on the backup VLAN the servers can only connect to the backup server and not to servers from other customers?
We tried private VLANs (which I think won't work because the port is a trunk) and access lists but can't get it to work.
Any help or directions on how to solve this in well designed manner would be appreciated.
This is the config of a port in which vlan 11 is the backup vlan and vlan 31 the customer VLAN.
interface GigabitEthernet12/17
 description
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 11,31
 switchport mode trunk
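As an added illustration (not from the original thread, and not the poster's configuration), one way to get the isolation the question asks for on a Catalyst 6500 is a VLAN access map (VACL) applied to the backup VLAN. A VACL is attached to the VLAN rather than to a port, so it applies to frames arriving on the dot1q trunks as well as on access ports, and it leaves the customer VLAN and the FWSM separation untouched. The backup server address 10.11.0.10 is a constructed placeholder; VLAN 11 is the backup VLAN from the post.

```text
! Added example, not the original poster's config.
! 10.11.0.10 is a placeholder for the backup server's address on VLAN 11.
!
! The only IP traffic allowed on the backup VLAN is to or from the
! backup server. Any other IP traffic on VLAN 11 (customer server to
! customer server) is dropped.
ip access-list extended BACKUP-VLAN-ALLOWED
 permit ip any host 10.11.0.10
 permit ip host 10.11.0.10 any
!
vlan access-map BACKUP-ISOLATE 10
 match ip address BACKUP-VLAN-ALLOWED
 action forward
vlan access-map BACKUP-ISOLATE 20
 action drop
!
! Attach the map to the backup VLAN only; customer VLAN 31 is not filtered.
vlan filter BACKUP-ISOLATE vlan-list 11
!
! Verify what is applied
show vlan access-map BACKUP-ISOLATE
show vlan filter
```

Two caveats worth checking before relying on this: an IP ACL only covers IP packets, so non-IP frames (ARP, for example) on VLAN 11 need a separate MAC ACL (`match mac address`) in the map if they must be restricted as well; and if the backup server itself is reached through the FWSM or another routed hop, that hop's address, not the server's, is what the VACL sees and must permit.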

Hello,
my first thought would be to use protected ports ('switchport protected' interface command), which would prohibit ports configured with that command from talking to each other. The drawback is that this only works for ports on the same switch...
Regards,
GP

Similar Messages

  • DI-Server and Secured DB Connections

    Hello,
    When I use DI-API or DI-Server, it creates a connection to the database.
    Can that connection be secured using KPI or Kerberos?

    The connection to the DB is between DI Server and the DB, and then usually it
    is local - in the same machine. The client got a session Id and uses this one
    in the subsequent operations ...

  • VLAN trunking newbie SRW208MP to SRW2008MP

    Hello All,
    Just need a simple setup - 2 VLANs, a few ports each, on each unit, trunked together (ultimately on SFP module). Tried what seems to be right but (natch) not working. Just need simple guidelines to see where I am going wrong. Thanks!

    OK, well, using that example, as well as another thread here (Cisco SLM224P
    VLAN TRUNKING), I reset and redid all the VLAN related settings.
    There are 2 subnets in play here -
    10.51.0.0/255.255.252.0 - VLAN 1 - Used as the Management VLAN.
    10.51.4.0/255.255.255.0 - VLAN 5 - A subnet for Wireless LAN POE connection and management.
    And 2 switches -
    198 is a SRW208MP, remote unit. will have single WAP and various devices.
    199 is a SRW2008MP, at head end near subnet(s) source. Will have up to 4 WAPs and the
    connections required to provide for both subnets.
    For purposes of discussion, the planned fiber SFP interconnect is being played by a copper trunk.
    Setups follow (the screenshots of the VLANs, port settings, ports-to-VLAN 1, ports-to-VLAN 5 and VLAN-to-ports pages for unit 198 and for unit 2, 199, are not reproduced here).
    The configuration as posted does not provide the expected results.
    I am convinced I am overlooking something simple. Usually is!
    The net results are that the Management VLAN (1) is present and accounted for on both switches, but that could even be because they are acting as switches do.
    The VLAN 5, however, does not function at either end. The 'Local' switch, 199, shows traffic on the WAP ports but no traffic of any consequence is traversing and the WAPs are nonresponsive.
    Ditto Remote switch. Management VLAN yes, 5 VLAN no.
    Any suggestions greatly appreciated.

  • VLAN trunking from Cisco Catalyst 3750 to Cisco SF300-48P issue and related

    Hello expert,
    I'm having difficulties configuring VLAN trunking between a Cisco Catalyst 3750 switch and a Cisco SF300-48P switch, and my workstation is unable to get any DHCP IP from our DHCP server via the Cisco SF300-48P switch. Below is a snippet of the configuration on both switches:
    [Cisco Catalyst 3750 Switch]
    interface GigabitEthernet1/0/45
     description NCC-CC-1stFlr
     no switchport trunk encapsulation dot1q
     no switchport trunk allowed vlan 101-103
     spanning-tree portfast
    [Cisco SF300-48P Switch]
    interface fastethernet48
     spanning-tree link-type point-to-point
     switchport trunk allowed vlan add 101-103
     macro description switch
     !next command is internal.
     macro auto smartport dynamic_type switch
    interface fastethernet29
     switchport mode general
     switchport general allowed vlan add 103 tagged
     switchport general pvid 103
    Are these correct? Kindly advise!
    Thank you very much!
    Regards,
    Alex

    Hi Alex,
    for the trunk port on the Catalyst, port GE 1/0/45, we need to enable the trunk and turn on encapsulation dot1q, because this Catalyst model is ISL capable also and the SF300 works only with dot1q encapsulation.
    The configuration on the Catalyst should be:
    #config terminal
    #interface Gi 1/0/45
    #switchport trunk encapsulation dot1q
    #switchport mode trunk 
    #switchport trunk allowed vlan 101-103
    #spanning-tree portfast
    For the SF300 the trunk port looks fine, but for the port where the PC should receive an IP address:
    #interface fastethernet29
     #switchport mode access
     #switchport access vlan 103
    Please let me know after this configuration
    Thanks
    Mehdi
    Please rate or mark as answered to help other Cisco Customers

  • Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points

    Hi Guys,
    I would like to go for "Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points 1300". I want the AP to broadcast only 1 SSID. The client finds the SSID -> puts in his user credentials -> RADIUS authentication -> assigns him to a specific VLAN based on his group membership.
    The problem here is that I don't have an AP controller but only configurable Aironet Access Points 1300. I can connect to the RADIUS server, but I am not sure how to configure the AP's port, radio port, VLAN and SSID.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
    I go through some references:
    3.5  RADIUS-Based VLAN Access Control
    As discussed earlier, each SSID is mapped to a default VLAN-ID on the wired side. The IT administrator may wish to impose back end (such as RADIUS)-based VLAN access control using 802.1X or MAC address authentication mechanisms. For example, if the WLAN is set up such that all VLANs use 802.1X and similar encryption mechanisms for WLAN user access, then a user can "hop" from one VLAN to another by simply changing the SSID and successfully authenticating to the access point (using 802.1X). This may not be preferred if the WLAN user is confined to a particular VLAN.
    There are two different ways to implement RADIUS-based VLAN access control features:
    1. RADIUS-based SSID access control: Upon successful 802.1X or MAC address authentication, the RADIUS server passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge.
    2. RADIUS-based VLAN assignment: Upon successful 802.1X or MAC address authentication, the RADIUS server assigns the user to a predetermined VLAN-ID on the wired side. The SSID used for WLAN access doesn't matter because the user is always assigned to this predetermined VLAN-ID.
    extract from: Wireless Virtual LAN Deployment Guide
    http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html
    ==============================================================
    Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
    ==============================================================
    Controller: Wireless Domain Services Configuration
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml
    Any help on this issue is appreciated.
    Thanks.
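    As an added example (not from this thread or from the quoted Cisco guide), the "RADIUS-based VLAN assignment" method described in item 2 is carried in three standard tunnel attributes (RFC 3580) in the RADIUS Access-Accept; the AP reads them and puts the authenticated client on that wired VLAN whatever SSID was used. Shown as a FreeRADIUS users-file entry; the usernames, password and VLAN IDs are constructed placeholders, and a real deployment would normally derive the VLAN from the user's group in the directory rather than per-user entries.

```text
# Added example; usernames, password and VLAN IDs are placeholders.
# The Tunnel-* reply attributes tell the access point which wired
# VLAN the client belongs on, independent of the SSID it joined.

alice   Cleartext-Password := "placeholder-password"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "31"

# A different group lands on a different VLAN.
bob     Cleartext-Password := "placeholder-password"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "41"

# A user with no Tunnel-* attributes stays on the SSID's default VLAN.
carol   Cleartext-Password := "placeholder-password"
```

    The VLAN ID in Tunnel-Private-Group-Id must already exist on the AP and be allowed on its trunk to the switch, otherwise the client authenticates but gets no connectivity; checking the AP's VLAN and trunk configuration is the first step when an override appears to be ignored.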

    I'm not sure if the Autonomous APs have the option for AAA Override.  On the WLC, I can go into the BSSID, Security, Advanced, and there's a checkbox that I would check to allow a Radius server to send back the VLAN.
    I did a little research and it looks like the 1300 may give this option but instead is defined as "VLAN Override".  I've found the release notes for 12.3(7)JA5 (not sure what version you're running) that give mention and a link to configuring EAP on page 4: http://www.ciscosystems.ch/en/US/docs/wireless/access_point/1300/release/notes/o37ja5rn.pdf
    Hope this helps

  • Windows 7 and Server 2003 security errors

    I have a domain with a 2003 DC and 2012 DC. There is one Windows 7 PC on the network that is not domain joined. On the 2003 DC the Security log has a lot of errors about Failed Login and the source IP is the non-domain joined PC. These same errors do not appear on the 2012 DC.
    I've looked at the PC and I'm quite certain there is no infection that is causing this. I ran netstat -ab on the PC and it showed 2 entries in the list that pertain to the server.
    TCP 192.168.1.112:49405 server:epmap  ESTABLISHED [spoolsv.exe]
    TCP 192.168.1.112:49547 server:epmap  ESTABLISHED [spoolsv.exe]
    The 2003 DC does not have any printers installed on it as the 2012 DC is the print server. So I'm trying to figure out why the 2003 DC is getting all these failed logons and what the netstat entries on the PC have to do with it.
    I don't think any harm is being done but there must be a lot of useless network traffic being generated by this as the errors on the DC are very numerous.
    Jonathan

    Hi SmallBizAdmin,
    The details in the Security log might be helpful for us to narrow down where the problem is; the best way is to refer to the timeline in your error log and perform a network monitor on your client, then find out why your Windows 7 computer keeps trying to access your domain controller.
    For the specific Windows client, you could perform a clean boot and check if this issue still persists.
    Since you mentioned that it showed 2 entries in the list that pertain to the server, and it’s for the spoolsv.exe. Check if spoolsv.exe is working properly on your client machine or you can reset it for good measure.
    To reset your spool service:
    In the right pane of the Services.msc locate and right-click on Print Spooler and then select Stop.
    After you have stopped this process, leave the Service window open. Now open My Computer and navigate to the following folder.
    %windows%\system32\spool\PRINTERS
    Delete all the files in the Printers folder. After deleting the files in this folder, go back to Services window, right-click on Print Spooler, and then select start to re-enable the service.
    Regards
    Unfortunately a clean boot isn't possible. The PC is a ways away and this issue isn't critical enough to warrant a trip onsite.
    I did restart the spool service on the PC and checked the PRINTERS folder but I didn't see any files there.
    The failed audit events in the server's security log that are generated by this PC are 529 and 680 and they repeat over and over. There are 16 per minute, 8 529's and 8 680's. So you can see how the Security log contains a lot more failed audit events than normal. Since those events pertain to logon, I'm not certain how it ties to the spooler service on the PC. The PC is mapped directly by IP to two printers near it so it shouldn't need to authenticate with this 2003 DC at all. DHCP is handled by the 2012 DC but it doesn't have any failed audit entries from the PC.
    So I'm not sure if the netstat entries on the PC pertaining to spoolsv.exe have anything to do with the constant 529/680 failed audits on the server or not, but so far that's all I can find on the PC that shows any reference to the 2003 DC.
    Jonathan

  • Server 2012 R2 Remote Desktop Gateway. Most Simple and Secure Design For Small Environment?

    We would like users to be able to connect remotely over the Internet from their personal devices to their primary Windows 7 workstation (a physical box on their desk) by using the Microsoft RDP Client For Windows, Mac, iOS and Android. There is no plan to use RDWeb or Remote Apps, or VDI. Just plain remote access to their desktop PC without VPN plus a third party 2nd factor authentication product that can text them back a code to enter with their AD credentials (AuthAnvil or Duosecurity)
    We do not have TMG or ISA.
    We would like to get these services all running in a single server and be as simple as possible while still being very secure.
    The recommendations I see seem to suggest putting the RDG in a DMZ with either a domain controller on a new domain with a one-way trust to your internal domain or else a read-only domain controller on your domain and then RD Session Host and License server located on different servers on your internal LAN.
    http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx
    That sounds like a lot of separate servers and cost for not a lot of users in our environment.
    Do we even need a separate session host server if there are no RDP sessions being hosted directly on the servers because  the users are only being redirected to connect to their workstations and will never be using terminal sessions on the server?
    Can the RODC or the Domain controller on new domain with the one-way trust be the same server as the Remote Desktop Gateway server and not separate servers?
    What is the most minimalist way to set this up with good security when opening all the ports needed to authenticate with internal DC is not secure enough?

    #2 sounds like we would need 2 Essentials servers and we will not have that.
    We currently have Server 2008 R2 and have 2012 Standard licenses that are not yet used.
    We have much more than 75 users total, but 75 is more than the number of users that will probably take advantage of using RD Gateway any time soon.  It will probably take time to catch on.
    If RD Gateway usage was to get super popular and more than 75 users were depending on access to it, then we could financially justify paying to buy all the CALs needed to run RD Gateway without Essentials. Right now, they are skeptical that it will be worth spending much money on this and don't want to invest a lot of money up front.
    My understanding is that if we have 75 or fewer users using RD Gateway then we need to buy no CALs, just apply a Server Standard Edition License to the server, but if we had 76, we would need to turn off Essentials and buy 76 new CALs.
    Or would we need to add 50 CALs to the 25 that automatically come with Essentials?
    Also does "turning off" Essentials mean we would have to reinstall and redeploy the RDG or is it just a matter of enabling the RD license server and adding purchased CALs?
    No, when you buy Essentials you get the right to create 25 users that access the server; when you create the 26th user you will need to have 26 CALs and RDS CALs.

  • Export/import login server and user grup security

    Hi,
    I followed the instructions to export Login server, user group
    security using the ssoexp.csh, secexp.csh. Then I imported the
    login server, and user group security using the ssoimp.csh,
    secimp.csh .
    I then logged into Portal and checked the users; all the users are
    imported properly. However, I didn't see any groups that are
    supposed to be imported. Am I missing anything?
    The syntax to run the secimp is as follows:
    secimp.csh -s portal30 -p portal30 -o portal30 -m reuse -d sec.dmp -c target_database
    The import finished w/o error. How can I see the groups in the
    new portal instance that I tried to import objects in?
    I noticed that the wwsec_group$ in the source area is over 3000,
    and in the target the count is only 10, which is the number of
    group I have before the import. But during the export, I don't
    see the wwsec_group$ table being exported, is that the problem?
    P.S. versions are: 9iAS 1.0.2, portal version 3.0.9.8 on solaris.
    Thanks;
    Kelly.

    This question is best suited to the Oracle9iAS SSO and Portal Security forum.
    Thanks

  • Fresh EnterPrise One 9.0 (@MSSQL) installation and security server error

    Hello!
    I've managed to complete Standalone installation without any issues (Win XP SP2 EN) but I have encountered a problem with first login. After entering the password I'm receiving the following message: "waiting for security server" and then: "unable to locate security server". The final one says: "failed to communicate with security server: unable to locate security server" and that's it. I can't log in. I've noticed a few things:
    jdenet_n.exe is not being started with the system startup - I'm running it manually
    I can see it's working on correct port (6012 as entered in JDBJ.ini)
    Data Sources seem to be configured fine. I've just switched all words '(local)' and 'localhost' to my PC name in Data Source server name, JDE.ini and JDBJ.ini (at all locations). Someone did advise this step if there are security server issues like mine - it didn't help.
    I was following these steps in order to complete the installation, maybe it will help: http://e1tips.com/2011/11/03/jd-edwards-enterpriseone-9-0-standalone-installation/
    I've run out of ideas and google is not able to help any more. Have you encountered it before? I will be grateful for any advice!
    My best regards
    Rafał
    Edited by: 932762 on 2012-05-08 04:04

    Yes all Oracle9iAS installs will have perl directory.
    When you run emctl, please make sure Oracle_HOme variable is set properly
    You are running the command as the user who installed Oracle9iAS
    The restriction to bring down em during second installs will be addressed in the subsequent releases.
    Regards
    Pavna Jain
    Oracle9iAS Product Management

  • No Protection Tools! I have enabled enhanced security. This is Acrobat XI on Windows 7 64-bit. Did same install on a Win8 server and it's fine.

    I just want the protection tools to show on the Tools dropdown! So I can use them...

    Hi Sara,
    Thanks for putting me in the right place. I'm not much of an online-community person!
    Here's what happened after your email:
    1. I went into Acrobat and clicked the down arrow as you described. I
    previously had been clicking in the View menu. I saw the Protection
    tools and I was so excited.
    2. So then I clicked on "allow multiple panels open" whereupon the
    Protection tools disappeared! They did not reappear when I unclicked the
    "allow multiple panels open".
    3. Remembered that I hadn't reinstalled the updates after reinstalling
    Acrobat in hopes that would fix this problem, so I installed the
    updates. I'm now on 11.0.07.
    Sadly, still no protection tools appearing in either the View-> Toolsets
    or the down-arrow in the upper-right corners of the Tools panel. Bummer.
    This is so strange, since the same installation worked great on our Win8
    server!
    PNG Karen
    On 2014-06-11 15:14, Sara.Forsberg wrote:

  • ID Server and Policy Agent for AS .. is secure?

    Hello there,
    I have a question. Quite a critical question, concerning the iPlanetDirectoryPro cookie. If I've got it right, this cookie contains the SSO Token. And the SSO token can be used with identity server to obtain any SSO assertion. I've experimentally confirmed this.
    Now, can anyone tell me why this cookie is sent to any host in my domain? The default after installation is "bgs.sk". This default value enables any host in my domain to impersonate me. Well, I still can change this, but it is not good to have insecure default values anyway, is it?
    Second, and more critical problem: I have Policy Agent installed on my Application Server. It looks like the agent requires access to the iPlanetDirectoryPro cookie to work correctly. But if my application server has my SSO token, it can impersonate me anywhere. Not a good situation at all. That would mean a security hole as big as hangar doors.
    Are my assumptions correct? Am I overlooking something?
    (All valid for ID server 6.0 and Liberty protocols)
    Thanks for any help.

    Although Sun promotes Identity Server by emphasizing its Liberty/SAML feature, the product itself uses a proprietary protocol for SSO and CDSSO.
    As we all know, this product could be totally useless without Sun's Policy/J2EE Agent deployed. But ironically these agents communicate with Identity Server in their own way, nothing to do with SAML, XACML, or even SOAP.
    The agent approach is usually not a good idea. We saw more and more problems raised from the field related to agent stability and scalability. We never see any performance benchmark data from Sun. Since the communication between agent and Identity Server is proprietary, no ISV can make an agent for this product. You have to wait for Sun for agent support if you have a new system not on the support matrix.
    In addition to the agent, another big issue of Identity Server is its complex DIT structure. In fact, we prefer to have an RDBMS as Identity Server's repository. Sun abuses LDAP just because this company doesn't have any database product but still wants to provide a pure Sun platform (JES) to customers. So they compromise the architecture for business reasons. I'd like to tell you, I don't like the way Identity Server stores data in the DIT, I don't like the console UI (it's for technical geeks), and no one in our company dares to do any configuration change.
    Now Sun puts Identity Server as the core of its JES product stack. If you have time to take a look at how the SJS Portal uses Identity Server and how SSO between Portal channels and Email/Calendar Server is achieved, you'll find that you just buy a "framework" (I mean Identity Server), not a product, because you have to do every integration work by intensive coding.
    I predict that Identity Server will be significantly rearchitected in the near future, otherwise we don't see any benefit this product can bring to me. It is a headache for deployment as well as maintenance. If you just need Single Sign-On, there are lots of alternatives to achieve it; Sun's Identity Server is really overkill. Its authentication feature is ok, but the authorization feature (policy, role) is very limited. If you have lots of Windows/IIS web apps that need to do SSO with Identity Server, god bless you... you'd better have a sharp programmer to wrap up the C API so that your ASP programmer can leverage the Identity Server SDK, and you've got to pray that the IIS agent behaves well. In addition, don't forget to learn more about JATO if you want to do some fancy customization on the default login page.

  • A Flash Video Server and Flash Security

    We are using Flix and Squeeze to create new Flash 8 SWF movies from our AVI files. Short 1 - 2 minute tutorials.
    We would like to be able to save them on our server and allow different websites to add a custom Flash Player to their site and watch these videos from their pages. The player gets an XML playlist of up to 50 videos and we would like to be able to play one or more of the movies on the webpage of our partner.
    However, this seems to cause (2) security violations in the Flash 8 environment. We need to add a crossdomain.xml file on our server to allow other sites to access our swf files, and apparently, we also need to use actionscript System.security.allowDomain() to allow the parent SWF player to control the video in the player (stop, start, pause, etc.).
    Does anyone know more about this situation? How can we add the allowDomain() to an SWF created by Flix or Squeeze, or is there another way to communicate the allowDomain()? Can we pass anything in the XML itself, or does it have to be in the SWF?
    In Flash 8, every SWF must communicate the allowDomain(). In earlier versions of Flash, only one SWF needed to open the sandbox for any other SWFs from that domain.
    Did we misunderstand the requirement? Our Flash developer can't figure out a way to make this happen, but I am sure others have been able to make it work. Otherwise, how can any of the Flash hosting companies allow these movies to be downloaded off of their sites?
    Any advice would be appreciated...

    Hello, thanks for the reply,
    It's a many-to-many chat and everyone can speak and listen. There may be 10-12 users in a room at a time and also the number of rooms can be several.
    So what type of server should I take? Some delay is acceptable.

  • Time Machine, OS X Server, and VLANs

    Hi all,
    I have a Time Machine share set up on my OS X server and am successfully running Time Machine backups from several Macs that are on the same VLAN as the server.
    I want to be able to bring some other Macs into the fold, but they are on a different VLAN. Bonjour does not traverse routing segments, so the machines on the other VLAN do not see the server as a valid backup point.
    Ideas?

    In my experience Time Machine will only work on the same VLAN, unless you have IP helpers on your routers pointing to your TM server. You could always put the sharepoint as an auto mount upon login. Either force it on the local machine, or if you're using Leo server with OD, just do it via group control.

  • VLAN Trunking and GVRP

    Decided we'd give the Cisco 300 series switches a try and see
    what we think about them compared to our Cisco Catalyst 2960 switches.
    I'm already stumped on setting up VLAN trunking between 4 switches. Do I have to manually setup all the VLAN's on each switch? I set them up on the first switch and was expecting GVRP would propagate them to the others like VTP.
    Denny

  • An impersonation error occurred using the security context of the current user. -- Report server is on remote server and file share folder is on local server

    I have deployed a report on the server (e.g. remoteserver\reports) from my local machine. I opened the report in browser in my local machine and created a new subscription with windows file share delivery option.
    But it's giving an error "Failure writing file \\localserver\subscriptions\Report1.xls : An impersonation error occurred using the security context of the current user." Here "subscriptions" is the folder which I have created in my local machine.
    I followed the instructions found in the link "http://msdn.microsoft.com/en-us/library/ms157386.aspx"
    Please help to solve this issue.

    Hi,
    Thank you for your reply.
    I have followed the same process. The credentials which I have given are the same as my PC. But I am getting the same error. Can you please clarify the statement "Service account that is using for file share subscription should have write access to shared folder." given in the above link?
    I am the one who created the folder and subscribing the report, so probably I have the full write permissions to the shared folder. What is the service account in this context?
    I think the problem is, I am deploying the report on the server and creating the shared folder in the local machine. I tried giving shared folder permissions to the user on the server. But my local machine is in the local domain and I can't access the users on the remote server. Do I need to create a shared folder on the server? I am new to SSRS. Please help me.
    PS: I have been assigned all roles viz. Browser, Content Manager, Publisher, Report Builder etc., and my Role name (WEBSERVER\User) is different from my local user name (domain\username) in the domain.
