Web Filtering Proxy Suggestions

I'm looking into web-filtering & monitoring software to run in a small business (5-10 users), either for use on OS X Server or on a separate Mac machine. The only basic requirements are online-updatable web site classifications and time controls. Does anybody currently use anything which I can add to my list, in case I miss something?
Thanks
-david
PS. I'm also looking at hardware based solutions for larger businesses (20-50 users) but this is maybe off-topic for an Apple forum... however...

dfelicia wrote: Surely more than I need, but this is tempting me: http://www.amazon.com/gp/product/B006TO … B006TODPPS
The price seems a bit high to me. I "only" paid around $350 for my Core i3-540 system including a Lian Li PC-Q07B Mini-ITX case, 4GB G.Skill DDR3 ECO RAM and a 500GB 2,5" hard drive.

Similar Messages

  • Web filtering/monitoring

    Dear All,
    We have one customer who needs a web filtering and monitoring product. Please advise me what the best solution would be. They have around 300 users. Can we give them IronPort or ASA?
    Your consideration in this regard will highly be commendable.
    Thanks & Regards,
    Malik

    Can you get away with whitelisting just the IP addresses and/or websites that your users need to visit? If so, you can probably use just your ASA. Otherwise you're going to want a good web filtering/proxy solution. Check out IronPort, Webwasher, Blue Coat, SurfControl, or even Squid (open source.)
    You can also tie the ASA directly into a filtering product like WebSense, check out the ASA documentation.
    When deploying a web filtering product you can either go "inline" or transparent by using WCCP redirection, but I'd suggest against it, since it breaks normal web browser behavior. Better option is to use WPAD (web proxy auto-detect) and have your browsers point-to and/or be explicitly configured to use the proxy.

  • Overly restrictive Web filtering

    During the day, I'm connected to the Internet behind a very restrictive content filtering appliance. I'd like the ability to simply check my .Mac email and my GMail accounts during lunch, but those sites are blocked.
    What I'm envisioning is using a Web browser at my office (MSIE or Firefox) to connect to a server at my home on port 80 or 443. (Obviously, I'd like my home server to require some kind of authentication to prevent abuse, etc.) My home server would fetch content on my behalf from these other services on whatever ports are necessary (probably 80, 443, etc.) and funnel them back to me.
    I think the answer to my question lies in running my own proxy server at home, but I'm not sure of what my options are. Has anybody out there done something similar to this? I'm hoping for some starting points at the very least.... Thanks!


  • ADFS Web Application Proxy - Automatically authenticate another federation

    I am setting up a Web Application Proxy as a reverse proxy to publish some of our internal websites to the internet. I am going to publish https://portal.workplace.example as the "hub" site which will link off to various other websites hosted internally. These sites are hosted on various different servers so I want to use the WAP to take advantage of the SSO facility. This works nicely.
    One of the links will be to Office 365. We are using IAMCloud's Federate 365 service (which is essentially a hosted ADFS service) to authenticate our users. Using this means that users away from the workplace are not dependent on our internet connection being active to access O365 and that they will still be able to authenticate should our internet connection die. However, it also means that when the user clicks on the link on the portal page to Office 365 they are forced to re-authenticate. What I'd like to do is pass on the credentials that the Web Application Proxy collects to the external federation service automatically. I just can't see how you'd do it.
    I have added the external ADFS farm as a relying party trust but I have no idea what I need to use as a claim rule so I've used a passthrough rule with the UPN as the claim being passed. I've also set up a publishing rule with the WAP with the external federation's URL and changed the hosts file on a test computer to make the external federation's address resolve to the WAP's IP address but this just results in a blank page. I fully accept that I'm not doing this right but I'm unsure of where to go from here. Can anyone give me some advice?
    Many thanks,
    Ian

    Hi Ian,
    Thank you for your posting!
    Regarding claims based issue, I suggest you refer to experts from the following forum to get professional support:
    Claims based access platform (CBA), code-named Geneva Forum
    http://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva
    Thank you for your understanding and support.
    Best Regards,
    Amy

  • Web service proxy receiving single element in array

    I've generated a web service proxy over a web service and expect to get multiple elements returned from the web service. However, when I execute the proxy I receive only the first element. Testing the web service with the same parameters on the application server shows that I should be receiving 3 elements in total. Not sure where the disconnect is in generating the response message within the proxy. Any suggestions are appreciated.

    Are you looking for SOAP ENC Array feature? Which version are you using 10134 or 11g?

  • Web Service Proxy not returning Response in 11g

    Hi,
    I am facing a difference in the creation of Web Service Proxy in 11g when compared to 10g. I have exposure of creating a Web Service Proxy in 10g and I do observe that the folder name 'runtime' gets generated automatically along with the proxy at the time of creation.
    But in 11g, the nature & behavior of Web Service Proxy creation has changed a lot according to my observation. I am facing an issue where the response object is not returning the expected results as per the functionality.
    In 10g, we have used a Stub class (automatically created under 'runtime' folder) and we are able to put some logs to see the request and response object in the form of 'xml'. But in 11g, I am facing difficulty in getting the same logged to see the response from OPA.
    Please share your thoughts which would definitely help me in resolving this issue.
    With Regards,
    Thiyagarajan V

    Hi,
    I have also tried using 'Web Service Data Control' as an alternate method to overcome the above mentioned issue. But I have ended up with the error "DCA-29000: Unexpected exception caught: java.lang.NullPointerException,msg=null" and failed to create a data control.
    The JDeveloper version which I am using is 11.1.1.5.0. I also came to know that there is a patch (9790388) which has resolved this bug in JDeveloper. I also applied the same patch in my Oracle Home using the OPatch utility.
    But unfortunately, the version suitable for this patch is 11.1.1.4.0 and I suspected that could be one of the reasons that the problem has not been resolved yet.
    Please suggest the patch or any solution which can also help me in resolving this issue. I really appreciate your time and effort in sharing your thoughts for the problems which I have mentioned over here.
    Thank you !!!
    With Regards,
    Thiyagarajan V

  • Filtering proxy messages in XI

    Hello ,
    I have a proxy outbound scenario which is triggering data from ECC which is converted to flat file in XI.
    The number of messages triggered in a single run of this interface is around 3000. And many times I am required to find message in XI with particular business content.
    I don't know if there is any way of filtering proxy messages in XI as per content in payload.
    Is there any way of doing this?
    Any help is greatly appreciated.
    Thanks
    Anand.

    Hi,
    You can filter this in the Proxy logic itself or you can filter this in PI Mapping.
    I suggest you do it in the Proxy program.
    Regards,
    Raj

  • AD FS & web application proxy: get error 511 and 364

    I set up ADFS with a service account and I get no errors in the event viewer. Then I set up Web Application Proxy and made all the settings (host, delegation, etc.), also with no errors, and everything looked good. After publishing a site I wanted to open it, and then an error page always comes up with the two error events 511 and 364. I tried a lot of the tips given on the internet but nothing helped. Maybe you can give me some advice.
    Here is the error description (some words are in German):
    Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7009: Die Anforderung ist fehlerhaft oder ungültig. Wenden Sie sich für weitere Informationen an Ihren Administrator.
       bei Microsoft.IdentityServer.Web.Protocols.MSISHttp.MSISHttpProtocolHandler.ValidateSignInContext(MSISHttpSignInRequestContext msisContext, WrappedHttpListenerRequest request)
       bei Microsoft.IdentityServer.Web.Protocols.MSISHttp.MSISHttpProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
       bei Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
       bei Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

    Hi,
    In regard to ADFS related issues, I suggest you refer to the following forum to get professional support:
    Claims based access platform (CBA), code-named Geneva Forum
    http://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva
    Thank you for your understanding and support.
    Best Regards,
    Amy Wang

  • Privacy Enhancing Filtering Proxy Chain for OS X

    A privacy enhanced web proxy is a nearly essential tool on the modern web: it blocks ads, malicious scripts, and conceals information used to track you around the web. I've provided a quick setup below in case it's useful to others. This will build a privatizing squid:privoxy proxy chain that works with any browser, and can be used by anyone on your LAN, including and especially secure VPN logins and ssh tunnels. In my experience, this setup is a lot more capable and effective than using a simple adblocking Firefox Add-On. There's a world of difference between reading ad-filled web pages with and without a filtering proxy server. I've also included information for a polipo proxy that can be used with Tor for full anonymity, as well as a script for ssh tunnelling.
    Install Xcode and Macports
    Install squid, privoxy, and polipo:
    $ sudo port selfupdate
    $ sudo port install squid privoxy polipo
    $ sudo port load squid privoxy polipo
    Configure the squid/privoxy/polipo config files shown below, then relaunch the proxies and test to make sure they're up:
    $ sudo launchctl unload -w /Library/LaunchDaemons/org.macports.Squid.plist
    $ sudo launchctl load -w /Library/LaunchDaemons/org.macports.Squid.plist
    $ sudo launchctl unload -w /Library/LaunchDaemons/org.macports.Privoxy.plist
    $ sudo launchctl load -w /Library/LaunchDaemons/org.macports.Privoxy.plist
    $ sudo launchctl unload -w /Library/LaunchDaemons/org.macports.Polipo.plist
    $ sudo launchctl load -w /Library/LaunchDaemons/org.macports.Polipo.plist
    $ nmap -p 3128,8118,8123 localhost
    Starting Nmap 5.51 ( http://nmap.org ) at 2012-02-07 11:47 EST
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.00013s latency).
    PORT     STATE SERVICE
    3128/tcp open  squid-http
    8118/tcp open  privoxy
    8123/tcp open  polipo
    Now web applications can use your filtering web proxy chain. If you use the config files below, websites will not know where you came from (HTTP_REFERER header is forged), and will not know your User Agent (also forged), and read access is blocked to several HTTP header fields. Ads are filtered. Your connection looks like this:
    Application  <--port 3128-->  Squid  <--port 8118--> Privoxy  <----> Internet
    Configure your network to add an option to route your web traffic through this proxy. System Preferences>Network>Wi-Fi/Ethernet/...>Locations:>Edit Locations...> Gear icon, Duplicate Location, Advanced...>Proxies> Check boxes for HTTP and HTTPS web proxies with proxy server localhost:3128.
    While you're at it, configure your OS and browsers to block Adobe flash cookies. Read this WSJ article series to understand how this impacts your privacy.
    System Preferences>Flash Player>Block all sites from storing information, using your camera and microphone, and networking with peers. Also Delete all data and go to this Adobe Flash Player Settings web page and block all sites from storing information, using your camera and microphone, and networking with peers.
    Firefox/Safari>DO NOT ALLOW third party cookies, request not to be tracked
    Firefox Add-Ons: NoScript (blocks/manages JavaScript), Beef TACO (blocks/manages flash cookies), BetterPrivacy (blocks/manages flash cookies), and the EFF's HTTPS Everywhere.
    You can also download the Tor anonymous proxy chain for both OS X and iOS devices. This will run a little polipo proxy natively on mobile devices.
    Here are the config file settings. Search through the config file to see the appropriate location for these settings. Turn off http_access and icp_access (squid), permit-access (privoxy), and allowedClients (polipo) if you do not want everyone on your LAN to be able to use the proxy. Double check that you're not running an open web proxy on the internet.
    $ sudo vi /opt/local/etc/squid/squid.conf
    # See http://www.privoxy.org/user-manual/config.html
    # Define Privoxy as parent proxy (without ICP)
    cache_peer 127.0.0.1 parent 8118 7 no-query
    http_access allow localnet
    icp_access allow localnet
    via off
    # old 'http_anonymizer standard'
    header_access From deny all
    # forge Referer in Privoxy
    # header_access Referer deny all
    header_access Server deny all
    # forge User-Agent in Privoxy
    # header_access User-Agent deny all
    header_access WWW-Authenticate deny all
    header_access Link deny all
    # more privacy
    header_access Cache-Control deny all
    header_access Proxy-Connection deny all
    header_access X-Cache deny all
    header_access X-Cache-Lookup deny all
    header_access Via deny all
    header_access Forwarded-For deny all
    header_access X-Forwarded-For deny all
    header_access Pragma deny all
    header_access Keep-Alive deny all
    shutdown_lifetime 10 seconds
    # See http://www.privoxy.org/user-manual/config.html
    # Define ACL for protocol FTP
    acl ftp proto FTP
    # Do not forward FTP requests to Privoxy
    always_direct allow ftp
    # See http://www.privoxy.org/user-manual/config.html
    # Forward all the rest to Privoxy
    never_direct allow all
    dns_nameservers 10.0.1.2 10.0.1.1
    forwarded_for off
    $ sudo vi /opt/local/etc/privoxy/config
    forward  /      .
    $ sudo vi /opt/local/etc/privoxy/match-all.action
    +change-x-forwarded-for{block} \
    +deanimate-gifs{last} \
    +filter{refresh-tags} \
    +filter{img-reorder} \
    +filter{banners-by-size} \
    +filter{webbugs} \
    +filter{jumping-windows} \
    +filter{ie-exploits} \
    +hide-from-header{block} \
    +hide-referrer{conditional-block} \
    +session-cookies-only \
    +set-image-blocker{pattern} \
    / # Match all URLs
    # See http://www.christianschenk.org/blog/enhancing-your-privacy-using-squid-and-privoxy/
    +hide-referrer{conditional-forge} \
    +hide-user-agent{Mozilla/5.0} \
    / # Match all URLs
    $ sudo vi /opt/local/etc/privoxy/user.action
    # fix bing's travel site, others
    { -block }
    ads1.msn.com/
    .bing.com/travel/jsxc\.vjs\?
    .onecause.com
    .apple.com
    .go.com
    # sourceforge
    { -block -filter -deanimate-gifs}
    .sourceforge.net
    .dell.com
    # expedia
    { -hide-user-agent }
    .expedia.com
    # don't filter downloads
    {-filter -deanimate-gifs}
    /.*\.iso(\?|$)
    /.*\.mp3(\?|$)
    /.*\.mp4(\?|$)
    /.*\.mov(\?|$)
    /.*\.mpg(\?|$)
    /.*\.ogg(\?|$)
    /.*\.aac(\?|$)
    /.*\.zip(\?|$)
    /.*\.pdf(\?|$)
    /.*\.dmg(\?|$)
    /.*\.tar(\?|$)
    /.*\.gz(\?|$)
    /.*\.dat(\?|$)
    $ sudo vi /opt/local/etc/privoxy/config
    proxyAddress = "0.0.0.0"    # IPv4 only
    allowedClients = 127.0.0.1, 10.0.1.0/16
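
An added example, not part of the original post: a small Python audit for the "not running an open web proxy" check, run over the access settings above. The Squid sample is constructed (the `localnet` definition and the closing `deny all` are assumptions, since the post shows neither), the polipo lines are the ones posted, and polipo is assumed to match `allowedClients` on the prefix bits only; only `src` ACLs written as addresses or CIDR are evaluated.

```python
import ipaddress

# Constructed sample: the http_access/icp_access lines from the post, plus an
# assumed localnet ACL and closing deny (the post does not show them).
SQUID_CONF = """
acl localnet src 10.0.0.0/8     # assumed definition
http_access allow localnet
icp_access allow localnet
http_access deny all            # assumed closing rule
"""

# The polipo lines as posted.
POLIPO_CONF = """
proxyAddress = "0.0.0.0"    # IPv4 only
allowedClients = 127.0.0.1, 10.0.1.0/16
"""

PROBE = "203.0.113.7"  # documentation-range address standing in for an Internet client


def _net(token):
    """Parse one address or CIDR; 'all' is Squid's match-everything keyword."""
    return ipaddress.ip_network("0.0.0.0/0" if token == "all" else token, strict=False)


def parse_squid(text):
    """Return ({acl: [networks]} for src ACLs, ordered [(action, [acl tokens])])."""
    acls, rules = {"all": [_net("all")]}, []      # 'all' is predefined in Squid 3
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if len(f) >= 4 and f[0] == "acl" and f[2] == "src":
            acls.setdefault(f[1], []).extend(_net(t) for t in f[3:])
        elif len(f) >= 3 and f[0] == "http_access" and f[1] in ("allow", "deny"):
            rules.append((f[1], f[2:]))
    return acls, rules


def squid_allows(acls, rules, client):
    """Evaluate http_access for a client IP: the first matching line wins."""
    ip = ipaddress.ip_address(client)

    def hit(token, action):
        name = token.lstrip("!")
        if name not in acls:
            # Port/method/dst ACL: undecidable from the IP alone. Take the worst
            # case for exposure: it matches on allow lines, not on deny lines.
            return action == "allow"
        inside = any(ip in net for net in acls[name])
        return inside != token.startswith("!")

    for action, tokens in rules:
        if all(hit(t, action) for t in tokens):   # every ACL on the line must match
            return action == "allow"
    # Nothing matched: Squid applies the opposite of the last line's action.
    return bool(rules) and rules[-1][0] == "deny"


def parse_polipo(text):
    """Return (proxyAddress or None, [(entry as written, effective network)])."""
    listen, clients = None, []
    for raw in text.splitlines():
        key, _, value = raw.split("#", 1)[0].partition("=")
        key, value = key.strip(), value.strip().strip('"')
        if key == "proxyAddress":
            listen = value
        elif key == "allowedClients":
            clients = [(t.strip(), _net(t.strip())) for t in value.split(",") if t.strip()]
    return listen, clients


def audit(squid_text, polipo_text, probe=PROBE):
    """Return a list of exposure findings for the two config fragments."""
    findings = []
    acls, rules = parse_squid(squid_text)
    if squid_allows(acls, rules, probe):
        findings.append(f"squid: http_access admits {probe}")
    listen, clients = parse_polipo(polipo_text)
    ip = ipaddress.ip_address(probe)
    for written, net in clients:
        # Host bits set in the entry: the range is wider than it reads.
        if ipaddress.ip_interface(written).ip != net.network_address:
            findings.append(f"polipo: {written} covers {net} ({net.num_addresses} addresses)")
        if ip in net:
            findings.append(f"polipo: allowedClients entry {written} admits {probe}")
    if listen in ("0.0.0.0", "::"):
        findings.append(f"polipo: proxyAddress {listen} binds every interface; "
                        "access rests on allowedClients")
    return findings


if __name__ == "__main__":
    for line in audit(SQUID_CONF, POLIPO_CONF):
        print(line)
```

The same functions can be pointed at the full files on disk; a Squid rule list whose last line is a `deny` that does not match everything is reported as admitting the probe, because Squid then defaults to allow.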

    This configuration looks great and I tried to apply it on my laptop. Unfortunately I'm not an expert, and I have a problem with the config file settings for squid.config.
    I installed squid (at first version 2.7, but later 3.1, in order to be able to use the SquidMan GUI), Privoxy and polipo successfully with MacPorts. I also used MacPorts to get nmap, and the proxies look to be up:
    Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-23 21:59 PHT
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.00046s latency).
    PORT     STATE SERVICE
    3128/tcp open  squid-http
    8118/tcp open  privoxy
    8123/tcp open  polipo
    Configuring the network was not a problem (just a question about the FTP proxy?).
    Editing, adding lines to and saving match-all.action and user.action
    was fine also. I don't know why the command sudo vi /opt/local/etc/privoxy/config is repeated twice, once to add forward  / and later
    proxyAddress = "0.0.0.0"    # IPv4 only
    allowedClients = 127.0.0.1, 10.0.1.0/16
    I added these 3 lines anyway; the main problem, I guess, is putting the configuration into squid.conf properly.
    Here below is the template given by SquidMan (easier for me to get the main lines!). I have just modified Privoxy as the parent proxy, but I was not able to work out where to add these settings (getting an error about localhost, i.e.).
    Could you kindly paste them into this template? I guess it will fix my configuration! Thank you in advance.
    Sincerely,
    Franck
    # WARNING - do not edit this template unless you know what you are doing
    # the parent cache
    cache_peer 127.0.0.1 parent 8118 7 no-query no-digest no-netdb-exchange default
    # disk and memory cache settings
    cache_dir ufs %CACHEDIR% %CACHESIZE% 16 256
    maximum_object_size %MAXOBJECTSIZE%
    # store coredumps in the first cache dir
    coredump_dir %CACHEDIR%
    # the hostname squid displays in error messages
    visible_hostname %VISIBLEHOSTNAME%
    # log & process ID file details
    cache_access_log %ACCESSLOG%
    cache_log %CACHELOG%
    cache_store_log %STORELOG%
    pid_filename %PIDFILE%
    # Squid listening port
    http_port %PORT%
    # Access Control lists
    acl localhost src 127.0.0.1/32
    acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
    acl manager proto cache_object
    acl SSL_ports port 443
    acl Safe_ports port 80                    # http
    acl Safe_ports port 21                    # ftp
    acl Safe_ports port 443                    # https
    acl Safe_ports port 70                    # gopher
    acl Safe_ports port 210                    # wais
    acl Safe_ports port 1025-65535          # unregistered ports
    acl Safe_ports port 280                    # http-mgmt
    acl Safe_ports port 488                    # gss-http
    acl Safe_ports port 591                    # filemaker
    acl Safe_ports port 777                    # multiling http
    acl CONNECT method CONNECT
    %ALLOWEDHOSTS%
    %DIRECTHOSTS%
    # Only allow cachemgr access from localhost
    http_access allow manager localhost
    http_access deny manager
    # Deny requests to certain unsafe ports
    http_access deny !Safe_ports
    # Deny CONNECT to other than secure SSL ports
    http_access deny CONNECT !SSL_ports
    # protect web apps running on the proxy host from external users
    http_access deny to_localhost
    # rules for client access go here
    http_access allow localhost
    %HTTPACCESSALLOWED%
    # after allowed hosts, deny all other access to this proxy
    # don't list any other access settings below this point
    http_access deny all
    # specify which hosts have direct access (bypassing the parent proxy)
    %ALWAYSDIRECT%
    always_direct deny all
    # hierarchy stop list (squid-recommended)
    hierarchy_stoplist cgi-bin ?
    # refresh patterns (squid-recommended)
    refresh_pattern ^ftp:                    1440          20%          10080
    refresh_pattern ^gopher:          1440          0%          1440
    refresh_pattern -i (/cgi-bin/|\?) 0          0%          0
    refresh_pattern .                    0          20%          4320

  • Latest jdeveloper 11.1.2.1.0 doesn't have Web service Proxy at Business Tie

    I have installed the latest JDeveloper 11.1.2.1.0 and tried to create a wsrp consumer but couldn't find the "Generate Web Service Proxy" under Business Tier -> Web service as suggested in the developer's guide.
    Did I miss anything? Should I install any extension patches? Is there any other way to create a wsrp consumer to test the sample wsdl generated from the wsrp producer for .net?
    Thanks,
    Judy

    All right, It turns out I have to install jdeveloper 11.1.1.6 instead.

  • Building a custom Flex web services proxy server

    Hi All,
    I'm investigating the possibility of writing a custom proxy
    server for our web services, using ASP.NET. LiveCycle Data Services
    looks very cool and would do the proxying we need, but it's not in
    our budget this year, and I would still like to take advantage of
    proxying. I figured I could probably build something simple, and
    perhaps we may be able to move to LCDS at some point in the future.
    I did some searching and didn't find anything to help me get
    started. My next step would be to fire up Wireshark and start
    looking at traffic going back and forth to try and figure out what
    Flex expects from a web services proxy -- but I thought maybe some
    folks here would be able to point me to some documentation or other
    resources on writing a proxy?
    -Josh

    quote:
    Originally posted by:
    pete
    I think you're confusing two things here - the way in which a
    client communicates with a service, and what that service
    ultimately does for you. When you're using LCDS you're calling into
    a common, somewhat sophisticated messaging framework that controls
    access to a range of services... one of which is the proxy service.
    This proxy service does ultimately act like an HTTP proxy on your
    client's behalf, but how it is contacted is complex because the
    messaging format is not designed just to do this one task.
    I apologize for oversimplifying; I realize LCDS does much more
    than proxying, but that's all I'm worried about at the moment, so
    that's why I keep mentioning it in the same breath as "proxy".
    quote:
    Originally posted by:
    pete
    It will be easier to just build your own little naming
    convention on a URL for proxying your requests to your own .NET
    based proxy. I suggested a mechanism for doing so in my previous
    post - just use the URL to point to a "distinguished" service that
    your proxy knows how to translate.
    It might be simpler, but my goal is to abstract away from the
    Flex app the fact that a proxy is even being used. I was under the
    impression that a proxy service would allow me to do this; however
    as I review the documentation I'm not entirely sure this is the
    case. It looks like I have to define explicit endpoints even if I
    am using a proxy?
    What I had envisioned was that by setting up a proxy, all web
    service requests would be sent to the host I had specified as the
    proxy, regardless of what I had put for the web service WSDL and/or
    endpoint.
    So here's my hypothetical situation (I'm making all this up
    -- it's what I'd like to do, not how things actually work):
    {services-config.xml}
    <service id="proxy-service"
    class="flex.messaging.services.HTTPProxyService"
    messageTypes="flex.messaging.messages.HTTPMessage,flex.messaging.messages.SOAPMessage">
    <properties>
    <external-proxy>
    <server>intranetProxy</server>
    <port>80</port>
    </external-proxy>
    </properties>
    </service>
    Then I could define a bunch of web services in MXML:
    <mx:WebService wsdl="http://webservicesHost/myService.asmx?WSDL"/>
    <mx:WebService wsdl="http://webservicesHost/anotherService.asmx?WSDL"/>
    <mx:WebService wsdl="http://webservicesHost/handyService.asmx?WSDL"/>
    Now, when it attempts to load the WSDL, it will relay the
    request through intranetProxy. When I actually call a web method,
    it relays the request through intranetProxy. Nothing further needs to be
    done, and I don't need to touch the WSDL URLs or the WSDL
    documents.
    If I go with the method of using the WSDL URL to contact my
    ASP.NET proxy directly, there are a few drawbacks:
    -The proxy service is no longer abstracted away from the
    MXML/ActionScript code. If I ever need to move the proxy, I need to
    touch the code everywhere I use a web service.
    -I have to rewrite the web service endpoints (defined in the
    WSDL) on the fly.
    Neither of these are showstoppers. In fact, I'm already using
    this method -- but a proxy that is totally transparent to the Flex
    app seems like a better design goal. Is this possible, though? If I
    have to manually define every Web Service WSDL and/or endpoint that
    I want to proxy, then I'm no better off than using the WSDL URL to
    directly contact my ASP.NET proxy, and rewriting the endpoint
    defined in the WSDL as it passes through the proxy.

  • Is Web Application Proxy enough as a secure Reverse Proxy/publishing solution

    Hello,
    What are people's thoughts on using the Web Application Proxy role as a reverse proxy with only a Firewall between it and the internet...?
    We need to replace our ISA 2006 boxes and I have been advocating using WAP with ADFS.
    However, other 'Reverse Proxy' solutions available seem to have more capabilities than just WAP and a Firewall; without we leave ourselves exposed. For instance, FortiNet's product FortiWeb has the following 'additional' capabilities:
    Protection for application layer attacks (SQL Injection, XSS, PHP/OS/LDAP/RFI/LFI injection and more)
    Automatic layer 7 anomaly-based application baselining and threat detection
    Data Leak Prevention (CC, SSN, server/application leakage)
    IP Reputation
    Are these required? Does WAP provide these capabilities but use different terminology?

    Hi,
    https://technet.microsoft.com/en-us/library/dn383650.aspx
    You will see that Web Application Proxy is designed as a perimeter solution (=running in DMZ)
    FortiWeb's product seems to be a web application firewall. This is a security solution. Security solutions are seldom required, but can help keeping your environment secure.
    IIS can also serve as a reverse proxy and can do some security stuff too (IP and domain restrictions, request filtering, ...)
    Whether one or the other is the best solution for you, depends on your requirements.
    MCP/MCSA/MCTS/MCITP

  • Will adding a second ADFS Web Application Proxy cause service disruption

    Today I have attempted to add a second ADFS WAP server to an existing (working) ADFS solution based on 2012 R2.
    I am able to install and configure the required role/services successfully but then I'm presented with the Remote Access Management console. This shows the two WAP servers but not the existing published application from the original WAP server and only seems
    to let me Publish a new application.
    I'm not sure if I should go ahead and run the Publish Application wizard again in case it impacts on the existing application and causes disruption to the service/users.
    Any suggestions would be much appreciated.
    Cheers for now
    Russell 

    The config for the Web Application Proxy is stored in the ADFS v3 configuration database.
    As soon as you add a new WAP to the farm it will get its config from the database.
    WAP can be domain joined or not. The reason for having it be domain joined is if you need to manage the system centrally and you need to leverage Kerberos Constrained Delegation for Windows based apps.
    If you have more than one WAP, you should use some kind of load balancing mechanism such as either Windows NLB or a hardware load balancer.
    Adding a new WAP should not impact, you just need to make sure it is actually used.
    Cheers,
    Jorge de Almeida Pinto
    Principal Consultant | MVP Directory Services | IAM Technologies
    DISCLAIMER: This post is provided "AS IS" with no warranties of any kind, either expressed or implied, and confers no rights! Always evaluate/test yourself before using/implementing this!

  • Web Dynpro Proxy Page vs Default Page Template

    Dear Experts.
    I have the following doubt when I am creating a page in the portal.
    The system displays the following two options:
    [Template Page|http://www.freeimagehosting.net/uploads/d2eb3ec600.jpg]
    I found the following document:
    [Document|http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/0c7b2f25-0c01-0010-f2a2-f8a65a9dcad9?QuickLink=index&overridelayout=true]
    But I want to know when I should use the Web Dynpro Proxy Page option and when I should use the Default Page Template.
    Can anyone help me with suggestions, please?
    Best Regards
    Juan.

    Hi.
    Default Page Template: Creates a page based on the regular portal page template
    Web Dynpro Proxy Page: Creates a page based on Web Dynpro technology
    I created the page with the two options, but I do not find differences between the two options with respect to layouts and others.
    Can anyone help me with suggestions?
    Thank You in advance.
    Regards
    Juan.

  • 2012 R2 Web Application Proxy returns 400 (Bad Request) for Kerberos IIS App

    I've gone through all of the step-by-step examples for publishing applications with the Web App Proxy and I'm getting HTTP 400 when I try to publish an IIS Kerberos application. I'm using ADFS pre-authentication.
    The application is SharePoint but I CAN NOT change the authentication method to claims based auth...it has to be windows integrated. I've double checked all of the SPN's and delegation. I get the 400 returned once the user has been authenticated and is forwarded
    to the app url with the AUTHTOKEN?=blahblahblah query string. I've installed the ADFS certificate on the proxy and set it to be the external SSL certificate for the application.
    PLEASE DONT JUST TELL ME TO POST THIS IN THE GENEVA FORUM FOR ADFS.
    The event log has an exception that looks like this:
    Web Application Proxy received a nonvalid edge token signature.
    Error: Edge Token signature mismatch. edgeTokenHelper.ValidateTokenSignature failed: Verifying token with signature public key failed
    Received token: [token omitted]
    Details:
    Transaction ID: {ee05057e-4e9b-0000-da05-05ee9b4ecf01}
    Session ID: {ee05057e-4e9b-0000-d905-05ee9b4ecf01}
    Published Application Name: FIM Portal
    Published Application ID: 48db8de3-96e7-18b6-06d8-5cb6df999b6c
    Published Application External URL:
    https://portal.sosweetsosoft.com/IdentityManagement/
    Published Backend URL:
    https://portal.sosweetsosoft.com/IdentityManagement/
    User: <Unknown>
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
    Device ID: <Not Applicable>
    Token State: Invalid
    Cookie State: NotFound
    Client Request URL:
    https://portal.sosweetsosoft.com/identitymanagement?authToken=[token omitted]&client-request-id=ee05057e-4e9b-0000-d905-05ee9b4ecf01
    Backend Request URL: <Not Applicable>
    Preauthentication Flow: PreAuthBrowser
    Backend Server Authentication Mode:
    State Machine State: Idle
    Response Code to Client: <Not Applicable>
    Response Message to Client: <Not Applicable>
    Client Certificate Issuer: <Not Found>

    Hi,
    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
    Thanks for your understanding and support.
