WAAS mobile with secure access https (not VPN)
Hi all !!! Hope everyone is well !!!
I have a WAAS environment in place and we want to deploy WAAS Mobile for teleworkers. My question is: can WAAS Mobile work for users that use secure access with HTTPS (not a VPN connection)?
Thanks in advance !!!
Hi Tarik,
First of all, let me insist on the fact that a WAAS Mobile client will not interact with a WAAS appliance on the core side and that you'll need to have a WAAS Mobile installed there if you want your teleworkers to get the benefit from WAAS.
That said, let me answer your question: WAAS mobile can indeed accelerate HTTPS traffic.
This is described on page 61 of the following document:
http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas_mobile/v3.5/configuration/administration/guide/CiscoWAASMobileAdminGuide_3_5.pdf
Regards,
Nicolas
Similar Messages
-
SOAP Adapter with Security Levels - HTTP & HTTPS
We have a successfully working interface scenario where SAP XI is hosting a web service and the partner systems calling it using SOAP Adapter URL http://host:port/XISOAPAdapter/MessageServlet?channel=:service:channel with Security Level HTTP on the SOAP Sender Communication channel.
Going forward, for other similar interfaces (SAP XI hosting Web Service and partner systems calling it), we would like to use HTTPS and/or certificates.
If we enable HTTPS on XI J2EE server as per the guide How to configure the [SAP J2EE Engine for using SSL - Notes - PDF|https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/964f67ec-0701-0010-bd88-f995abf4e1fc]....
can partner systems still use the URL http://host:port/XISOAPAdapter/MessageServlet?channel=:service:channel or should they switch to https://host:port/XISOAPAdapter/MessageServlet?channel=:service:channel?
can we continue to have the existing interface working using HTTP Security Level i.e. partners not having to send the certificate with each message?
If we use HTTPS security level, is it mandatory for the partner system to send the certificate? Is it possible to have an HTTPS scenario w/o certificates?
What is the difference between Security Levels 'HTTPS Without Client Authentication' & 'HTTPS with Client Authentication'?
I appreciate your inputs on this.
thx in adv
praveen
PS: We are currently on SAP PI 7.0 SP17
Hi Praveen,
There is no need to change the interface and it is mandatory for the partners to send certificates in order to validate each other. Use the https in url.
HTTPS With Client authentication:
The HTTPS client identifies itself with a certificate that is to be verified by the server. To validate the HTTPS client's certificate, the HTTPS server must have a corresponding CA certificate that validates this certificate. After validation of the client's certificate, the server maps the certificate to an actual system user executing the HTTP request.
and check this link.
http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/frameset.htm
Regards,
Prasanna -
Configuring BO Mobile with external access
Hi Experts,
I am trying to configure Business Objects Mobile in my company server (windows 2008) with an external access to it. I have two servers - master and client (hyper V). I installed BOBJI 4.0 server and BOXI client on master server and planning to have mobile server on hyper V. I have gone through the SAP documents on installation and deployment but confused on installing and configuring mobile server and accessibility both internally (wireless router) and externally (outside company network)
1) Is it a better practice to have mobile server on hyper v?
2) Should I create a proxy server for the process? If so, on which one should it be - master or client?
If anybody has done similar to this, can they share any documentation or best practices followed?
Appreciate your earliest help.
regards,
Arun
Hi Durga,
In intranet we will have HTTP; it is working fine.
In Internet HTTPS, the issue occurs.
Previously we were using a mobile client version lower than the 5.1 release. We never had any issue with HTTP or HTTPS.
Today we have upgraded the mobile client to 5.1.32, and the issue started occurring.
We are not using any VPN to connect. Our web URL is enabled on the Internet to access the reports.
Note: we have verified the web URL on the Internet by connecting to it from another system which is outside our network. There, launchpad/CMS are working fine without any issue with HTTPS.
The only issue is on the mobile device.
Refer the below notes to have some more information.
http://service.sap.com/sap/support/notes/1658001
http://service.sap.com/sap/support/notes/1962026 -
Hi All,
When I turn on the WAAS client on Windows Vista, the network connection is disconnected, but it works with XP like a charm. Any suggestion would be very appreciated.
Alex
Thanks for the reply,
I've upgraded to the newest version of WAAS Mobile and upgraded the client as well, and the problem has been resolved. But I still have another issue: when I run the Cisco VPN client with WAAS Mobile enabled, then try to access the intranet web page, I can ping the web server IP address and I can access the web page, but when I enter username and password, it doesn't let me log in. When I turn off the WAAS client, I am able to log in to the intranet web page.
Any suggestion?
thanks
Alex -
XMLStreamReader exception when using webservice with security access denied
Hi,
I'm using CXF webservices generated from a WSDL with SOAP document style. Under normal conditions, the client and server work fine, and I can read info back from the server (SOAP http messages passed between both).
However, for some servers, I am using Sun's Policy Agent, which checks for an authentication token in the http header cookie before allowing access to the web service. I set up the cxf service port as follows:
Service service = Service.create(serviceName);
service.addPort(portName, SOAPBinding.SOAP11HTTP_BINDING, address);
servicePort = (IMyService)service.getPort(portName, IMyService.class);
I also add the authentication token to the http header cookie in the service's request context.
If the token is correct, everything works fine. However, if the token is incorrect, and access is denied, the policy agent does not return a SOAP http message. In this case, the web service method throws a low-level XMLStreamReader exception i.e. it can't read the SOAP message response - so I can't get the actual response from the policy agent.
Would anyone have an idea on this? Should I configure the CXF port differently, or should I try to get the policy agent to return a SOAP message even if access is denied.
There is already a browser that can access the policy agent - and this needs to be redirected if access is denied. So in effect, we need the redirect functionality for the browser, and the returned SOAP message for the application using the web service.
Any help would be greatly appreciated!
Rob
Thanks for your answer.
I eventually found a workaround for this problem.
Actually you don't need to provide an SSO cookie the first time you connect to the webgate server, you just need to provide basic credentials and the webgate will provide you an SSO cookie that you can use for the next call.
The problem is that this doesn't work out of the box with the .NET/WSDL framework for some reason (with Java + the HTTPClient library I had no problem).
I had to add manually the following headers to the HTTP request to make it work:
Authentication: Basic XXXXXXXX
Cookie: OBBasicAuth=fromDialog
Where XXXXXXXX is a base64 encoded string containing "login:password"
Thanks,
Franck -
Auto-Mapping with Full Access Mailboxes-not working in exchange 2010 clients outlook 2013
Hello, I have Exchange Server 2010, the clients are running Outlook 2013. I set a mailbox for automapping (full access) but when I restart the client it does not appear in the client. I also ran the command in the Exchange shell, no errors. How can I fix this?
no sp info shows with the
Get-ExchangeServer | Format-List Name, Edition, AdminDisplayVersionName
Edition : Enterprise
AdminDisplayVersion : Version 14.0 (Build 639.21)
chart says
Exchange Server 2010    November 9, 2009    14.00.0639.021
Is that the issue, need SP1?
Role/Profile required with full access but not HR/payroll
HI,
We are running SAP ECC 6.0 and HR/payroll is also live. A few members in our functional team need full access. But as per our policies HR and Payroll access should be there only with the HR team.
My query is: Is there any role/profile that I can assign to functional team members through which they will have access for all T codes/programs but NOT related to HR.
Hi ,
BASIS needs to restrict authorizations.
Object Id : P.
...lakhan -
ISE Wired 802.1x with Foundry access switch ,not show "Device Port"
Our customer wanna enable wired 802.1x for user and machine authentication on Foundry Switch.
They want to use ISE as RADIUS server. We tried it, but the ISE report can't show which port the client is connected to on the switch.
We got the tcpdump packets from ISE. It shows that the "nas-port-id" RADIUS attribute is not sent out by the Foundry switch, but it sends "nas-port".
Is it possible to let the Foundry switch send the "nas-port-id" attribute in the RADIUS request packet?
Or is it possible to let ISE show the "nas-port" attribute value on the authentication report?
Thanks. -
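The distinction raised in this thread, as an added example that is not from the original posts: RADIUS carries NAS-Port (attribute 5, a 32-bit integer) and NAS-Port-Id (attribute 87, a text string) as separate attributes, so a captured request can be checked for which of the two the switch actually sends. The packet contents, user name, addresses and function names below are constructed for illustration.

```python
import struct

# RADIUS attribute types relevant to locating the client port
# (RFC 2865 for 1, 4, 5, 31, 61; RFC 2869 for 87).
ATTR_NAMES = {
    1: "User-Name",
    4: "NAS-IP-Address",
    5: "NAS-Port",
    31: "Calling-Station-Id",
    61: "NAS-Port-Type",
    87: "NAS-Port-Id",
}
INT_ATTRS = {5, 61}
IPV4_ATTRS = {4}


def parse_radius(packet: bytes) -> dict:
    """Parse a RADIUS packet into header fields and a {name: value} map."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the data")
    attrs = {}
    pos = 20  # attributes start after code, id, length, authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length for attribute {a_type}")
        value = packet[pos + 2 : pos + a_len]
        name = ATTR_NAMES.get(a_type, f"Attr-{a_type}")
        if a_type in INT_ATTRS and len(value) == 4:
            attrs[name] = struct.unpack("!I", value)[0]
        elif a_type in IPV4_ATTRS and len(value) == 4:
            attrs[name] = ".".join(str(b) for b in value)
        else:
            attrs[name] = value.decode("utf-8", errors="replace")
        pos += a_len
    return {"code": code, "id": ident, "attrs": attrs}


def port_of(attrs: dict) -> str:
    """Prefer the textual NAS-Port-Id; fall back to the numeric NAS-Port."""
    if "NAS-Port-Id" in attrs:
        return attrs["NAS-Port-Id"]
    if "NAS-Port" in attrs:
        return f"NAS-Port {attrs['NAS-Port']}"
    return "unknown"


def build_request(attributes) -> bytes:
    """Build a constructed Access-Request (code 1), zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attributes)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body


# Constructed sample: a switch that sends NAS-Port but no NAS-Port-Id.
SAMPLE = build_request([
    (1, b"host/pc01.example.local"),
    (4, bytes([192, 0, 2, 10])),
    (5, struct.pack("!I", 17)),
    (61, struct.pack("!I", 15)),  # 15 = Ethernet
    (31, b"00-11-22-33-44-55"),
])

if __name__ == "__main__":
    parsed = parse_radius(SAMPLE)
    for name, value in parsed["attrs"].items():
        print(f"{name}: {value}")
    print("port:", port_of(parsed["attrs"]))
```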
Problem with the access key not shown on menu item
Hi
I have created a Menu and used setMnemonic for the menu items.
But I don't see the letter underlined when I set the look and feel as in the following code
try {
UIManager.setLookAndFeel
(UIManager.getSystemLookAndFeelClassName());
} catch (Exception e) {
e.printStackTrace();
}
I see it only when I click on it or I press Alt button on the keyboard.
Is it because of the look and feel for windows XP or what may be the reason? Please help.
Thanks
Is it because of the look and feel for windows XP
Yes. This is configurable in XP and the default is to not show it.
Search the forum if you want to know how to change the default in XP. -
Page from Sample - Mobile Starters - jQuery Mobile with theme not working on mobile
I created a new webpage - New - Page from Sample - Mobile Starters - Jquery Mobile with Theme and did not modify it.
That does not work on an iPhone or Android.
What am I missing? Is there an update to make the jquery mobilesite work?
This is how it looks in dreamweaver
http://ricston.com/push/test/screenshot_dreamweaver.png
This is how it looks on my phone:
http://ricston.com/push/test/screenshot_galaxy.png
The page for the template is here http://ricston.com/push/test/test.html - As you can see, nothing has been changed.
Thank you. I was having the exact same problem. I even uploaded the unmodified starter page, just in case it was something I did. Inserting the viewport line fixed it. (Now I need to go back and insert that line into each of the pages I was working on.)
The question remains, however, as to why the mobile starter pages don't include that line in the first place.
[edit] FYI - On Dreamweaver CC, it's under the "common" group within "insert". (I would have expected it under "JQuery Mobile", but it's not there.) -
WAAS Mobile - Outlook Webmail (OWA)
While running our new instance of WAAS Mobile, we've got one issue we cannot understand. Outlook Web Access does not work under WAAS Mobile. If we disable it, works fine.
We are able to ping the OWA server with the WAAS Mobile client enabled or disabled; however, we cannot connect to it via its web interface.
I've enabled HTTPS for the WAAS Mobile to optimize on the client but this did not help. So far I'm at a loss.
Any ideas?
Is the TCP session to OWA accelerated?
1) Connect to your OWA
2) On the WAAS Mobile Client - Go to http://127.0.0.1:9021/Acceleration_Client.html
3) Navigate to the section Diagnostics --> TCP Sessions, Does the TCP session show up as accelerated ?
You can also collect the sysreport from the client and server and attach it to this forum. -
Remote access VPN with Cisco Router - Can not get the Internal Lan .
Dear Sir ,
I am doing Remote Access VPN through Cisco Router. Before the real deployment, I want to simulate it with GNS3. Need your help to complete the job. Please see the attachment for Scenario, Configuration and Ping status.
I am getting an IP address when I connect through the VPN client, but I cannot ping the internal LAN - 192.168.1.0. Need your help to solve the issue.
Below is the IP address of the device.
Local PC connect with Router -2 (Through MS Loopback) Router -2 Router-1 PC -01
IP Address :10.10.10.2 Mask : 255.255.255.0 F0/01
IP address:10.10.10.1
Mask:255.255.255.0 F0/0
IP Address :20.20.20.1
Mask :255.255.255.0
F0/1
IP address :192.168.1.3
Mask:255.255.255.0
F0/0
IP address :20.20.20.2
Mask :255.255.255.0
F0/1
IP address :192.168.1.1
Mask:255.255.255.0
I can ping from local PC to the network 10.10.10.0 and 20.20.20.0. Please find the attached file for ping status. So connectivity is ok from my local PC to Remote Router 1 and 2.
Through Cisco remote VPN client, I can get connected with the VPN Router R1 (please see the VPN Client pic.) but cannot ping the network 192.168.1.0.
Need your help to fix the problem.
Router R2 Configuration :
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R2
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip tcp synwait-time 5
interface FastEthernet0/0
ip address 20.20.20.2 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
ip address 10.10.10.1 255.255.255.0
duplex auto
speed auto
ip forward-protocol nd
no ip http server
no ip http secure-server
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
end
Router R1 Configuration :
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication login USERAUTH local
aaa authorization network NETAUTHORIZE local
aaa session-id common
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
username vpnuser password 0 strongpassword
ip tcp synwait-time 5
crypto keyring vpnclientskey
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp client configuration group remotevpn
key cisco123
dns 192.168.1.2
wins 192.168.1.2
domain mycompany.com
pool vpnpool
acl VPN-ACL
crypto isakmp profile remoteclients
description remote access vpn clients
keyring vpnclientskey
match identity group remotevpn
client authentication list USERAUTH
isakmp authorization list NETAUTHORIZE
client configuration address respond
crypto ipsec transform-set TRSET esp-3des esp-md5-hmac
crypto dynamic-map DYNMAP 10
set transform-set TRSET
set isakmp-profile remoteclients
crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
interface FastEthernet0/0
ip address 20.20.20.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPNMAP
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip local pool vpnpool 192.168.50.1 192.168.50.10
ip forward-protocol nd
ip route 10.10.10.0 255.255.255.0 FastEthernet0/0
no ip http server
no ip http secure-server
ip nat inside source list NAT-ACL interface FastEthernet0/0 overload
ip access-list extended NAT-ACL
deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended VPN-ACL
permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
end
Dear All,
I am doing Remote Access VPN through Cisco Router. Before the real deployment, I want to simulate it with GNS3. Need your help to complete the job.
Please see the attachment for Scenario, Configuration and Ping status. I am getting an IP address when I connect through the VPN client, but I cannot ping the internal LAN - 192.168.1.0. Need your help to solve the issue.
Waiting for your response.
--Milon -
SSL VPN Failed to validate server certificate (cannot access https)
Hi all,
I have the next problem.
I've configured in an UC520 a SSL VPN.
I can access properly and I can see the labels, but I only can access urls which are http, not https:
I can access the default ip of the uc520 (192.168.1.10) but
When I try to get access to a secure url I get the msg: Failed to validate server certificate
I'm trying to access a Cisco Digital Media Manager, whose url is https://pc.sumkio.local:8080
Does the certificate of both hardware have to be the same?
How can I add a https?
Here is the config of the router:
webvpn gateway SDM_WEBVPN_GATEWAY_1
ip address 192.168.1.254 port 443
ssl trustpoint TP-self-signed-2977472073
inservice
webvpn context SDM_WEBVPN_CONTEXT_1
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
url-list "Intranet"
heading "Corporate Intranet"
url-text "DMM Sumkio" url-value "http://pc.sumkio.local:8080"
url-text "Impresora" url-value "http://192.168.10.100"
url-text "DMM" url-value "https://pc.sumkio.local:8443"
url-text "DMM 1" url-value "http://192.168.10.10:8080"
url-text "UC520" url-value "http://192.168.10.1"
policy group SDM_WEBVPN_POLICY_1
url-list "Intranet"
mask-urls
svc dns-server primary 192.168.10.250
svc dns-server secondary 8.8.8.8
default-group-policy SDM_WEBVPN_POLICY_1
aaa authentication list sdm_vpn_xauth_ml_1
gateway SDM_WEBVPN_GATEWAY_1
max-users 10
inservice
Any help would be appreciated.
Thank you
Hi, thanks for your advice.
I'm trying to copy the certificate via cut and paste, but I'm getting a
% Error in saving certificate: status = FAIL
I don't know if I'm doing this right.
I open the https page from the DMM with Mozilla Firefox, and in options I export the certificate in PEM format.
I get a file which if I open with notepad is like
-----BEGIN CERTIFICATE-----
MIICOzCCAaSgAwIBAgIET7EwyzANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJV
KoZIhvcNAQEFBQADgYEAdk7n+tJi0igrTD2o7RD9ty8MLTyHN4uk8km+7DbpEy0g
mxLY0UZswYvbj15kPdd8QbeGEdDR6SXOYePsfIRJzL0mqMON4oiUhsqAK5y2yC6R
nqy4wWQ2fGVEYAeLpb1jGKdZWpuag/CO90NMHcMiobfBh+4eTqm7kRPTEyma6V0=
-----END CERTIFICATE-----
If I try to authenticate the trustpoint, I get that error.
how can I export the certificate from the DMM?
I think that this file is not the right file.
and then, do I have to make some changes in
webvpn gateway SDM_WEBVPN_GATEWAY_1?
Should I choose the new trustpoint?
I understand that the old trustpoint is for the outside connection, not for the LAN connection.
Don't worry about me, answer when you can but I really need to fix this.
Thank you so much -
Hi Mobile Experts,
We need your valuable inputs to solve one issue on the mobile devices.
We are on SAP BI 4.0 SP6 and we have enabled the Business Objects environment to be accessed through the internet (https) and intranet (http).
Our Mobile BI service product version is productVersion="14.0.6.1036;
Mobile client version 5.1.32 in Android and 5.1.8 in iOS.
We have noticed the below issue when we connect to the BO environment from the internet (https):
MOB06031 when trying to connect to BI 4.0 server from SAP BI Mobile App using HTTPS. Mobile client is requesting for Personal Information Exchange (.pfx) of CA SSL of Web url.
Whereas the same client is connecting to the BO environment in intranet (http) and working fine.
we have gone through few of the notes for the same issue
http://service.sap.com/sap/support/notes/1658001
http://service.sap.com/sap/support/notes/1962026
1)
It was suggested to install the root certificate of the web server on the mobile device.
or
2)
Remove the proxy configuration from Mobile Device OR add https://<servername>:8080/ under browser's exception list.
I will be working with the web hosting team to have the root certificate of the web server as a permanent solution (1st option).
In the meanwhile, can anyone explain how to remove the proxy configuration from the mobile device OR add https://<servername>:8080/ under the browser's exception list on the mobile device (Android and iOS)?
I would request you to share your experience to get rid of my issue.
Below are the screenshots.
Hi Durga,
In intranet we will have HTTP; it is working fine.
In Internet HTTPS, the issue occurs.
Previously we were using a mobile client version lower than the 5.1 release. We never had any issue with HTTP or HTTPS.
Today we have upgraded the mobile client to 5.1.32, and the issue started occurring.
We are not using any VPN to connect. Our web URL is enabled on the Internet to access the reports.
Note: we have verified the web URL on the Internet by connecting to it from another system which is outside our network. There, launchpad/CMS are working fine without any issue with HTTPS.
The only issue is on the mobile device.
Refer the below notes to have some more information.
http://service.sap.com/sap/support/notes/1658001
http://service.sap.com/sap/support/notes/1962026 -
VM with remote access VPN without split tunneling
Hello experts,
I have customers who require to use VM in their laptop. These users also require to VPN to Corporate network to do their job. However, when they do remote VPN to corporate network (ASA VPN concentrator) from their VM host machine, they lose their access to their VM guest machines. This problem was not happening when they used the Cisco VPN client, which has gone end of life and support as of end of July 31, 2012. In Cisco VPN client (IKEV1), if we set the protocol to udp, they had no problem keeping their connectivity to VM machines while connected to corporate with remote access VPN. However, this feature does not work in the new Cisco VPN client, which is called AnyConnect. (NOTE: I am using IPSEC IKEV2. NO SSL at this time).
My Question to Experts:
1. Was the ability to maintain connection to VM guest machines, while connected to VPN without enabling split tunneling a security flaw in the old cisco VPN client?
2. Is there a way to maintain connectivity to VM machines installed in a computer and still connect to remote access VPN concentrator through host machine? (My question is about AnyConnect client only using IPSEC IKEV2 and I do not want to enable split tunneling)
Thanks for your help,
Razi
Did you figure this out?