WebVPN Tunnel-Group Aliases and URLS

Hi,
 
 I have a requirement to create a new group policy and a new tunnel-group and apply it to a webvpn user account
 
 
 The web vpn is working fine without any issues when I give a new name under Group Aliases and URL
 
 My requirement is to use the existing Group Alias for this new tunnel-group. When I enter the existing alias it says it is already used by other tunnel-group
 
 Please help

If you use the same group-alias for two tunnel-groups, then how will the firewall distinguish between the two? Let say, as per your requirement you want to have the group-alias 'securevpn' for two tunnel-groups, TG1 and TG2. Now how will the firewall map a user landing on this alias to a group? TG1 or TG2? round-robin? :). This is not possible AFAIK.
Please rate if helpful.
Regards
Farrukh Haroon
CCIE # 20184 (Security)

Similar Messages

ASA 5505 VPN Group Policies (RADIUS) and tunnel group

I have a single ASA firewall protecting a small private developing network, and I need it in order to access remotely to two distinct network spaces both of wich are VLAN tagged: 1 is LAN and 3 is management. Each net has its own IP address space and DNS server.
I'd like to set up Anyconnect to land on lan 1, and SSL VPN in order to see the IPMI and management websites sitting on VLAN 3. In order to make things "safer" I have found a free OTP solution, OpenOTP, and I decided to implement it on a virtual machine, setting up a radius bridge to allow user authentication for VPN. I can pass wichever attribute I'd like to using this radius bridge (for example "Class" or "Group-Policy" or whatever is included in the radius dictionaries).
Actually all I need is quite simple. I have to segregate my remote users in 2 groups, one for Anyconnect, and one for SSL based on the radius response from authentication. (I don't need authorization nor accounting) I'm no Cisco Pro, what I've learnt is based on direct "on the field" experience.
I'm using two radius users for testing right now, one is called "kaisaron78" associated to a group policy "RemoteAC" and a second one called "manintra" associated to a group policy called "SSLPolicy". "kaisaron78" after logging in should only see the Anyconnect "deployment portal", while "manintra" should see the webvpn portal populated with the links specified in the URL list "Management_List". However, no matter what I do, I only see the default "clean" webvpn page. This is an example of "sh vpn-sessiondb webvpn" for both users..
Session Type: WebVPN
Username     : kaisaron78             Index        : 1
Public IP    : 172.16.0.3
Protocol     : Clientless
License      : AnyConnect Premium
Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
Bytes Tx     : 518483                 Bytes Rx     : 37549
Group Policy : RemoteAC               Tunnel Group : DefaultWEBVPNGroup
Login Time   : 10:59:33 CEDT Mon Aug 18 2014
Duration     : 0h:00m:23s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : c0a801fa0000100053f1c075
Security Grp : none
Asa5505# sh vpn-sessiondb webvpn
Session Type: WebVPN
Username     : manintra               Index        : 2
Public IP    : 172.16.0.3
Protocol     : Clientless
License      : AnyConnect Premium
Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
Bytes Tx     : 238914                 Bytes Rx     : 10736
Group Policy : SSLPolicy              Tunnel Group : DefaultWEBVPNGroup
Login Time   : 11:01:02 CEDT Mon Aug 18 2014
Duration     : 0h:00m:05s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : c0a801fa0000200053f1c0ce
Security Grp : none
As you can see, it seems like the policies are assigned correctly by radius attribute Group-Policy. However, for example you'll notice no vlan mapping, even if I have declared them explicit in group policies themselves. This is the webvpn section of the CLI script I used to setup remote access.
! ADDRESS POOLS AND NAT
names
ip local pool AnyConnect_Pool 192.168.10.1-192.168.10.20 mask 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_27
subnet 192.168.10.0 255.255.255.224
access-list Split_Tunnel_Anyconnect standard permit 192.168.1.0 255.255.255.0
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.10.0_27 NETWORK_OBJ_192.168.10.0_27 no-proxy-arp route-lookup
! RADIUS SETUP
aaa-server OpenOTP protocol radius
aaa-server OpenOTP (inside) host 192.168.1.8
key ******
authentication-port 1812
accounting-port 1814
radius-common-pw ******
acl-netmask-convert auto-detect
webvpn
port 10443
enable outside
dtls port 10443
anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
anyconnect profiles AnyConnect_Profile_client_profile disk0:/AnyConnect_Profile_client_profile.xml
anyconnect enable
! LOCAL POLICIES
group-policy SSLPolicy internal
group-policy SSLPolicy attributes
vpn-tunnel-protocol ssl-clientless
vlan 3
dns-server value 10.5.1.5
default-domain value management.local
webvpn
url-list value Management_List
group-policy RemoteAC internal
group-policy RemoteAC attributes
vpn-tunnel-protocol ikev2 ssl-client
vlan 1
address-pools value AnyConnect_Pool
dns-server value 192.168.1.4
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_Anyconnect
default-domain value home.local
webvpn
anyconnect profiles value AnyConnect_Profile_client_profile type user
group-policy SSLLockdown internal
group-policy SSLLockdown attributes
vpn-simultaneous-logins 0
! DEFAULT TUNNEL
tunnel-group DefaultRAGroup general-attributes
authentication-server-group OpenOTP
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group OpenOTP
tunnel-group VPN_Tunnel type remote-access
tunnel-group VPN_Tunnel general-attributes
authentication-server-group OpenOTP
default-group-policy SSLLockdown
!END
I had to set up DefaultWEBVPNGroup and RAGroup that way otherwise I couldn't authenticate using radius (login failed every time). Seems like in ASDM the VPN_Tunnel isn't assigned to AnyConnect nor to Clientless VPN client profiles. Do I have to disable both default tunnel groups and set VPN_Tunnel as default on both connections in ASDM ? I know I'm doing something wrong but I can't see where the problem is. I'm struggling since may the 2nd on this, and I really need to finish setting this up ASAP!!!!
Any help will be more than appreciated.
Cesare Giuliani

Ok, it makes sense.
Last question then I'll try and report any success / failure. In this Cisco webpage, http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ref_extserver.html#wp1661512 there's a list of supported radius attributes. Actually I'm using number 25 Group-Policy, in order to get the correct group policy assigned to users. I see, in that list an attribute 146 Tunnel-Group-Name. Will it work out for the purpose you explained in the previous post ? I mean, if I set up two tunnel groups instead of 1, 1 for anyconnect with its own alias and its own url, and 1 for SSL VPN again with its own alias and url, do you think that using that attribute will place my users logging in into the correct tunnel group ?
Thank you again for your precious and kind help, and for your patience as well!
Cesare Giuliani

Anyconnect tunnel-group and group-policy from LDAP

Recently we've changed from LOCAL to LDAP authentication and added additional group-policies for different users to increase security.
To prevent users from selecting an incorrect group-policy, the LDAP server provides a IETF-Radius-Class value which matches the different group-policy names.
It is my understanding that the authentication method is provided by the tunnel-group.
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group LDAP_AD
This all works, but for _one_ of the group policies i'd like to enable (external) two factor authentication. Two enable two factor auth a 'secondary-authentication-server-group' needs to be set in the tunnel-group.
Creating a tunnel-group which maches the name of the group-policy doesn't seem to have any effect. When listing the connected users via "show vpn-sessiondb anyconnect", it always states the correct Group Policy but also always DefaultWEBVPNGroup.
When enabling the listing of tunnel-groups for webvpn, thus allowing users to select their own tunnel-group, the two factor auth does work.
To summarize, is it possible to let LDAP decide which tunnel-group is used or is there another way to have different group policies without users being able to choose ?

Fabian,
Your connection lands on a tunnel group and picks a group policy.
A typical way to overcome the problem you're indicating is by using group-url.
a URL is bound to a specific tunnel-group and allows you to land directly on the one you desire.
vide:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html
M.

Can i use same address pool for different remote access VPN tunnel groups and policy

Hi all,
i want to create a different remote access VPN profile in ASA. ihave one RA vpn already configured for some purpose.
can i use the same ip address pool used for the existing one for the new tunnel-group (to avoid add rotuing on internal devices for new pool) and its a temporary requirement)
thanks in advance
Shnail

Thanks Karsten..
but still i can have filtering right? iam planning to create a new group policy and tunnelgroup and use the existing pool for new RA and i have to do some filetring also. for the new RA i have to restrict access to a particualr server ,my existing RA have full access.
so iam planning to create new local usernames for the new RA and new group policy with vpn-filter value access-list to apply for that user as below, this will achive waht i need right??
access-list 15 extended permit tcp any host 192.168.205.134 eq 80
username test password password test
username test attributes
vpn-group-policy TEST
vpn-filter value 15
group-policy TEST internal
group-policy TEST attributes
dns-server value 192.168.200.16
vpn-filter value 15
vpn-tunnel-protocol IPSec
address-pools value existing-pool
tunnel-group RAVPN type ipsec-ra
tunnel-group RAVPN general-attributes
address-pool existing-pool
default-group-policy TEST
tunnel-group Payroll ipsec-attributes
pre-shared-key xxx

SSL Multiple Tunnel Groups with Multiple group policies

Hello folks.
Have a query and cant seem to find an answer on the web.
I have configured SSL Clientless VPN on a lab ASA5510, using 2 tunnel groups, one for enginneers and one for staff, mapped to 2 different group policies, each with different customisation. I have mapped the AD groups to the tunnel groups using both ACS and now LDAP (currently in use), both working successfully, using group lock and LDAP map of IETF-Radius-Class to Group name ensures engineers get assigned to the engineers tunnel group and staff get mapped to the staff tunnel group only.
The question i have is....is there a way to use a single tunnel group to map the user based on AD group which will then use the correct Group-policy (1 tunnel group to multiple group-polciies). I have seen examples of doing this with different URLs but want to know if they can all use the same URL and avoid using the drop down list using aliases.
It may be a simple "No" but it would be nice to know how to do it without using the URLs or drop down list. Users are easily confused ......

Easy. Disable the drop-down list, and use the authentication-server (LDAP or Radius) in the DefaultWEBVPNGroup. By default when you browse to the ASA, it will be using the DefaultWEBVPNGroup. Let LDAP or Radius take care of the rest.
You will get the functionality you are looking for.
HTH
PS. If this post was helpful, please rate it.

Can you authenticate users from 2 different AAA-servers for one specific tunnel-group?

I need to authenticate users from two separate AD LDAP databases on the same tunnel-group. I would like them to use the same tunnel-group and thereby using the same group-alias. I tried creating a new aaa-server group and putting both LDAP servers into group but apparently the ASA does not roll through the separate servers in the aaa-server group and will stop if the first server states that the authentication failed.
I also tried assigning multiple aaa-server groups into the tunnel-group authentication-server-group but that also did not work. I finally tried to create a separate tunnel-group and assigning it the same group-alias but the ASA will not allow me to assign the same group-alias to different tunnel-group. What is the best way to accomplish this without having to create a new group-alias that will show up and possible confuse the dumb users requiring this access? Please help.

If you don't want ANY drop down I believe you can do it in a kludgy sort of way.
Eliminate all the group aliases (which are used to populate the dropdown) and make a local database of the users for the sole purpose of assigning / restricting them to a non-default tunnel-group which authenticates to the secondary LDAP server.
You can also send out a non-published URL that points to a second tunnel-group not in the dropdown.
Of course, we can accomplish this if the AAA server is ISE. ISE 1.3 can authenticate users to multiple AD domains (with or without trust relationships) or a single domain with multiple join points in the Forest.
The ISE answer makes me wonder - could you establish trust between the domains and authenticate users that way?

ISAKMP Phase 1 dying for Site to Site tunnel between ASA and Fortigate

 I am facing strange issue on my asa and client Fortigate fw.
We have site to site tunnel with 3des and sha and DH-5 on asa
3des sha1 and dh-5 on Fortigate.
Tunnel came up when configured after some time it went down and it is throwing below errors. Please
some one help me here.
Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 8
Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, constructing ISAKMP SA payload
Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, constructing Fragmentation VID + extended capabilities payload
Jul 24 17:25:13 [IKEv1]: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
Jul 24 17:25:13 [IKEv1]: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 244
Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, processing ke payload
Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, processing ISA_KE payload
Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, processing nonce payload
Jul 24 17:25:13 [IKEv1]: IP = X.X.X.X, Unable to compute DH pair while processing SA!<<<<---------Please suggest if DH group 5 does not work with PSK.
Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, IKE MM Responder FSM error history (struct &0xcf9255d8) <state>, <event>: MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GEN_DH_KEY-->MM_WAIT_MSG3, EV_PROCESS_MSG-->MM_WAIT_MSG3, EV_RCV_MSG-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_BLD_MSG2, EV_BLD_MSG2
Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA MM:5f1fdffc terminating: flags 0x01000002, refcnt 0, tuncnt 0
Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, sending delete/delete with reason message
Mum-PRI-ASA#

Hey All,
I experienced same issue with my another tunnel. Lately I came to know it was higher level of DH computation which my ASA was not able to perform and ASA reboot worked here. See the logs for tunnel which came up after reboot.
Eror Before Reload
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing ISAKMP SA payload
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing Fragmentation VID + extended capabilities payload
Aug 06 21:17:33 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 416
Aug 06 21:17:33 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing SA payload
Aug 06 21:17:33 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Aug 06 21:17:33 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Oakley proposal is acceptable
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing VID payload
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Received Fragmentation VID
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
Aug 06 21:17:33 [IKEv1]: IP = xx.xx.xx.xx, Unable to compute DH pair while processing SA!
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE MM Initiator FSM error history (struct &0xd0778588) , : MM_DONE, EV_ERROR-->MM_BLD_MSG3, EV_GEN_DH_KEY-->MM_WAIT_MSG2, EV_PROCESS_MSG-->MM_WAIT_MSG2, EV_RCV_MSG-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_BLD_MSG1, EV_BLD_MSG1
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE SA MM:64cf4b96 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, sending delete/delete with reason message
Isakmp phase completion After reload
Aug 25 10:40:35 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing SA payload
Aug 25 10:40:35 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Aug 25 10:40:35 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Oakley proposal is acceptable
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing VID payload
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Received Fragmentation VID
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing ke payload
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing nonce payload
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing Cisco Unity VID payload
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing xauth V6 VID payload
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Send IOS VID
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing VID payload
Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Aug 25 10:40:35 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 320
SENDING PACKET to xx.xx.xx.xx

Dynamically passing text and url-based images as an input parameter to cf8 report builder

I'm unsuccessfully trying to dynamically pass text and url-based images to a group footer or the detail section via an input parameter or even hardcoded. The field has the attribute 'XHTML Text Formating' set to True. The following are failed samples of a simplified value:
"<img height=’300’ alt=’Document’ width=’300’ src=’http://www.google.com/intl/en_ALL/images/logo.gif’ />"
or
"<img src=’http://www.google.com/intl/en_ALL/images/logo.gif’ />"
This just results in the above text being output. The end result would have various text and images from a database as input by a user, thus the reason I cannot just use the hyperlink information attribute as I could if it were a single known image. I tried rtf and pdf report types. Ideas?

HTH,
Thanks. I'll keep that in mind, although I don't know how many images my user might need or what sizes so that might be tricky.
Since my target output is rtf so that MS Word can be used to edit the result, I added a pagebreak to a MS Word doc and used the resulting html source to replace the rich text editor source code for the page break, but that did not help either. The page break was so a user could add an image later. Something is wrong with the Report Builder related to intepreting XHTML, especially anything that has an attribute, including URL-based image links. I hope they try to provide another update before CF9. I doubt my client will be going to CF9 for some time, since they are just completing the migration to CF8.
BrianO

Automatic tunnel group selection through radius on Cisco ASA

Hi all. I try to let Cisco ASA automatic select a tunnel group for users, after user input username and password. I try to do this without user selection a connection profile on login page. Authentication on ASA<>ACS 5.3<>MS AD. How i can will do this? Radius attribute class=group_policy don't work.
May be someone did expirience this?

You can't select a tunnel-group from RADIUS. But you can assign the right group-policy for your user with the class-attribute. For that you need to have different group-policies configured on your ASA. Alternatively instead of assigning the group-policy you can assign the individual parameters like IP, VPN-filter and so on.
Sent from Cisco Technical Support iPad App

Anyconnect new tunnel group

hi , i have cisco asa 5520 8.2 with any connect clients authentication through ACS connected to AD, i have new requirements to create new tunnel group and new group policy so that i can apply specfic policy on one user. how i can associate the new user (AD) to specfic tunnel group

When using ASDM you can check "Enable Tunnel Group Selection" on the AnyConnect Main Page.
Or via Group Policy you can specify, when your ASA is reachable via vpn.test.com, then you set to group "sales" the link "vpn.test.com/sales". So when you set in AnyConnect the link vpn.test.com/sales the correct group will be chosen.
Michael
Please rate all helpful posts

Execution order - group by and order by

is there any execution order when we use group by and order by together in single query ?

BOL: "Logical Processing Order of the SELECT statement
The following steps show the logical processing order, or binding order, for a SELECT statement. This order determines when the objects defined in one step are made available to the clauses in subsequent steps. For example, if the query processor can bind to
(access) the tables or views defined in the FROM clause, these objects and their columns are made available to all subsequent steps. Conversely, because the SELECT clause is step 8, any column aliases or derived columns defined in that clause cannot be referenced
by preceding clauses. However, they can be referenced by subsequent clauses such as the ORDER BY clause. Note that the actual physical execution of the statement is determined by the query processor and the order may vary from this list.
1. FROM
2. ON
3. JOIN
4. WHERE
5. GROUP BY
6. WITH CUBE or WITH ROLLUP
7. HAVING
8. SELECT
9. DISTINCT
10. ORDER BY
11. TOP"
http://msdn.microsoft.com/en-us/library/ms189499.aspx
Kalman Toth Database & OLAP Architect
IPAD SELECT Query Video Tutorial 3.5 Hours
New Book / Kindle: Exam 70-461 Bootcamp: Querying Microsoft SQL Server 2012

User inherits privilege 15 when inside a tunnel-group - ASA 5510 7.2(2)

Hello
After enabling AAA and assigning a user a privilege level of 3(Read only) for management purposes, I realize that user has in fact a privilege 15 when logged in to ASDM (5.22). If I create a new account outside a tunnel-group, it works fine but if I move that new user inside a tunnel-group then it gets a privilege of 15.
Any thoughts?
Thanks!
Guido

Hello,
I'm sorry but you posted on the wrong forum, this one is for small business devices.
Try posting on this forum:
LAN, Switching and Routing
I hope this hels

I need to show grouped id and only the max order value for each unique id

select distinct
Table1.id,
Table1.id +' - '+ Table1.VisitNumber +' : '+ Table1.Priority as UidVisitKey,
Table1.VisitNumber,
DATEDIFF(d, [dob],[Visite_dte])/365.25 as Age_On_Visit,
Table1.Priority,
Table1.OrderOfVisit,
Table1.OrderOfVisit + ' - ' + Table1.Notes AS VisitNote,
Table1.Visitor_FName,
Table1.Visitor_SName,
Table2.dob,
Table2.sex,
Table1.Visit_dte,
into #Temp1
FROM Table1 INNER JOIN
Table2 ON Table1.id = Table2.id
WHERE Table1.LeaveDate IS NOT NULL
and Table1.LeaveDate between DATEADD(mm,-1,DATEADD(mm,DATEDIFF(mm,0,GETDATE()),0))
and DATEADD(ms,-3,DATEADD(mm,0,DATEADD(mm,DATEDIFF(mm,0,GETDATE()),0)))
select #Temp1.id, max(#Temp1.[OrderOfVisit]), #Temp1.VisitNote
from #Temp1
group by #Temp1.id, #Temp1.OrderOfVisit, #Temp1.[VisitNote]
ORDER BY #Temp1.id
drop table #Temp1
---I need to show grouped id and only the max OrderOfVisit for each unique id, and the VisitNote for each OrderOfVisit
----------------need help-------------

Sounds like this
select distinct
Table1.id,
Table1.id +' - '+ Table1.VisitNumber +' : '+ Table1.Priority as UidVisitKey,
Table1.VisitNumber,
DATEDIFF(d, [dob],[Visite_dte])/365.25 as Age_On_Visit,
Table1.Priority,
Table1.OrderOfVisit,
Table1.OrderOfVisit + ' - ' + Table1.Notes AS VisitNote,
Table1.Visitor_FName,
Table1.Visitor_SName,
Table2.dob,
Table2.sex,
Table1.Visit_dte,
into #Temp1
FROM Table1 INNER JOIN
Table2 ON Table1.id = Table2.id
WHERE Table1.LeaveDate IS NOT NULL
and Table1.LeaveDate between DATEADD(mm,-1,DATEADD(mm,DATEDIFF(mm,0,GETDATE()),0))
and DATEADD(ms,-3,DATEADD(mm,0,DATEADD(mm,DATEDIFF(mm,0,GETDATE()),0)))
select id,OrderOfVisit,VisitNote
from
select #Temp1.id, #Temp1.[OrderOfVisit], #Temp1.VisitNote,ROW_NUMBER() OVER (PARTITION BY #Temp1.id ORDER BY #Temp1.[OrderOfVisit] DESC) AS Seq
from #Temp1
)t
WHERE Seq = 1
ORDER BY id
drop table #Temp1
Please Mark This As Answer if it helps to solve the issue Visakh ---------------------------- http://visakhm.blogspot.com/ https://www.facebook.com/VmBlogs

How to display URL images and URL link (html) from Smartforms?

Hi Gurus,
I'm having difficulty on how to display targeted URL images and URL link from the smartforms, after i sending it out as html mail. The mail i sent just can be preview as a plain text, which can't execute the html code that i put inside the smartforms itself. I follow a few step from this very useful blog.. Hopefully, you guys can give me some solutions or ideas on this.
/people/pavan.bayyapu/blog/2005/08/30/sending-html-email-from-sap-crmerp -thanks to Pavan for his useful blog.
My code is like this..
<--- Start Code.
FORM call_smartforms.
DATA : lv_subject TYPE so_obj_des,
 lc_true(1) VALUE 'X',
 lw_control_parameters TYPE ssfctrlop,
 lw_output_options TYPE ssfcompop,
 lc_graphics(8) VALUE 'GRAPHICS',
 lw_xsfparam_line TYPE ssfxsfp,
 lc_extract(7) VALUE 'EXTRACT',
 lc_graphics_directory(18) VALUE 'GRAPHICS-DIRECTORY',
 lc_mygraphics(11) VALUE 'mygraphics/',
 lc_content_id(10) VALUE 'CONTENT-ID',
 lc_enable(6) VALUE 'ENABLE',
 lw_job_output_info TYPE ssfcrescl,
 lw_html_data TYPE trfresult,
 lw_graphics TYPE ssf_xsf_gr,
 lt_graphics TYPE tsf_xsf_gr,
 lv_html_xstr TYPE xstring,
 lw_html_raw LIKE LINE OF lw_html_data-content,
 lv_incode TYPE tcp00-cpcodepage VALUE '4110',
 lv_html_str TYPE string,
 lv_html_len TYPE i,
 lc_utf8(5) VALUE 'utf-8',
 lc_latin1(6) VALUE 'latin1',
 lv_offset TYPE i,
 lv_length TYPE i,
 lv_diff TYPE i,
 lt_soli TYPE soli_tab,
 lw_soli TYPE soli,
 lc_mime_helper TYPE REF TO cl_gbt_multirelated_service,
 lv_name TYPE mime_text VALUE 'sapwebform.htm',
 lv_xstr TYPE xstring,
 lw_raw TYPE bapiconten,
 lt_solix TYPE solix_tab,
 lw_solix TYPE solix,
 lv_filename TYPE string,
 lv_content_id TYPE string,
 lv_content_type TYPE w3conttype,
 lv_obj_len TYPE so_obj_len,
 lv_bmp TYPE so_fileext VALUE 'BMP',
 lv_description TYPE so_obj_des VALUE 'Graphic in BMP format',
 lc_doc_bcs TYPE REF TO cl_document_bcs,
 lc_bcs TYPE REF TO cl_bcs,
 lc_send_exception TYPE REF TO cx_root,
 lw_adsmtp TYPE lty_adsmtp,
 lv_mail_address TYPE ad_smtpadr,
 lc_recipient TYPE REF TO if_recipient_bcs,
 lc_send_request TYPE REF TO cl_bcs,
 lv_sent_to_all TYPE os_boolean.
DATA : v_language TYPE sflangu VALUE 'E',
 v_e_devtype TYPE rspoptype.
v_form_name = 'ZTEST_EMAIL'.
CALL FUNCTION 'SSF_FUNCTION_MODULE_NAME'
 EXPORTING
 formname = v_form_name
 IMPORTING
 fm_name = v_namef
 EXCEPTIONS
 no_form = 1
 no_function_module = 2
 OTHERS = 3.
IF sy-subrc = 0.
 break mhusin.
ENDIF.
starting here. ***
Set title for the output
lv_subject = 'Smartforms.'.
Set control parameters to "no dialog"
lw_control_parameters-no_dialog = lc_true.
IF lw_service_subject-code = lc_fm1.
*--- To get output device type
CALL FUNCTION 'SSF_GET_DEVICE_TYPE'
 EXPORTING
 i_language = v_language
 i_application = 'SAPDEFAULT'
 IMPORTING
 e_devtype = v_e_devtype.
lw_output_options-tdprinter = v_e_devtype.
lw_control_parameters-getotf = 'X'.
IF sy-subrc = 0.
 break mhusin.
ENDIF.
Set output options
lw_output_options-xsf = lc_true.
lw_output_options-xsfcmode = lc_true.
lw_output_options-xsfoutmode = 'A'.
lw_output_options-xsfoutdev = space.
lw_output_options-xsfformat = lc_true.
lw_xsfparam_line-name = lc_graphics.
lw_xsfparam_line-value = lc_extract.
APPEND lw_xsfparam_line TO lw_output_options-xsfpars.
lw_xsfparam_line-name = lc_graphics_directory.
lw_xsfparam_line-value = lc_mygraphics.
APPEND lw_xsfparam_line TO lw_output_options-xsfpars.
lw_xsfparam_line-name = lc_content_id.
lw_xsfparam_line-value = lc_enable.
APPEND lw_xsfparam_line TO lw_output_options-xsfpars.
Get the smartform content
CALL FUNCTION v_namef
 EXPORTING
 control_parameters = lw_control_parameters
 output_options = lw_output_options
*pass other application specific parameters (eg order number, items ).
IMPORTING
 job_output_info = lw_job_output_info
TABLES
 tt_tabh = tt_tabh
 tt_tabb = tt_tabb
 tt_tabf = tt_tabf
EXCEPTIONS
 formatting_error = 1
 internal_error = 2
 send_error = 3
 user_canceled = 4
 OTHERS = 5.
IF sy-subrc = 0.
 break mhusin.
ENDIF.
lw_html_data = lw_job_output_info-xmloutput-trfresult.
lt_graphics[] = lw_job_output_info-xmloutput-xsfgr[].
CLEAR lv_html_xstr.
LOOP AT lw_html_data-content INTO lw_html_raw.
 CONCATENATE lv_html_xstr lw_html_raw INTO lv_html_xstr IN BYTE MODE.
ENDLOOP.
lv_html_xstr = lv_html_xstr(lw_html_data-length).
CALL FUNCTION 'SCP_TRANSLATE_CHARS'
 EXPORTING
 inbuff = lv_html_xstr
 incode = lv_incode
 csubst = lc_true
 substc_space = lc_true
 IMPORTING
 outbuff = lv_html_str
 outused = lv_html_len
 EXCEPTIONS
 OTHERS = 1.
*HACK THE HTML CODE GENERATED BY SMARTFORM TO MAKE THE
*EXTERNAL IMAGES APPEAR AS <IMG> TAG IN HTML
REPLACE ALL OCCURRENCES OF '<IMG' IN lv_html_str WITH '<IMG' IGNORING CASE.
REPLACE ALL OCCURRENCES OF '/>' IN lv_html_str WITH '/>' IGNORING CASE.
REPLACE ALL OCCURRENCES OF '</A>' IN lv_html_str WITH '' IGNORING CASE.
REPLACE ALL OCCURRENCES OF '<' IN lv_html_str WITH '<' IGNORING CASE.
REPLACE ALL OCCURRENCES OF '>' IN lv_html_str WITH '>' IGNORING CASE.
CALL METHOD html_control - >load_mime_object
 EXPORTING
 object_id = 'ZWN'
 object_url = 'ZWN.GIF'
 EXCEPTIONS
 OTHERS = 1.
REPLACE ALL OCCURRENCES OF lc_utf8 IN lv_html_str WITH lc_latin1.
REPLACE ALL OCCURRENCES OF lc_utf8 IN lv_html_str WITH 'iso-8859-1'.
 break mhusin.
lv_html_len = STRLEN( lv_html_str ).
lv_offset = 0.
lv_length = 255.
WHILE lv_offset < lv_html_len.
 lv_diff = lv_html_len - lv_offset.
 IF lv_diff > lv_length.
 lw_soli-line = lv_html_str+lv_offset(lv_length).
 ELSE.
 lw_soli-line = lv_html_str+lv_offset(lv_diff).
 ENDIF.
 APPEND lw_soli TO lt_soli.
 ADD lv_length TO lv_offset.
ENDWHILE.
CREATE OBJECT lc_mime_helper.
CALL METHOD lc_mime_helper->set_main_html
 EXPORTING
 content = lt_soli
 filename = lv_name
 description = lv_subject.
LOOP AT lt_graphics INTO lw_graphics.
 CLEAR lv_xstr.
 LOOP AT lw_graphics-content INTO lw_raw.
 CONCATENATE lv_xstr lw_raw-line INTO lv_xstr IN BYTE MODE.
 ENDLOOP.
 lv_xstr = lv_xstr(lw_graphics-length).
 lv_offset = 0.
 lv_length = 255.
 CLEAR lt_solix[].
 WHILE lv_offset < lw_graphics-length.
 lv_diff = lw_graphics-length - lv_offset.
 IF lv_diff > lv_length.
 lw_solix-line = lv_xstr+lv_offset(lv_length).
 ELSE.
 lw_solix-line = lv_xstr+lv_offset(lv_diff).
 ENDIF.
 APPEND lw_solix TO lt_solix.
 ADD lv_length TO lv_offset.
 ENDWHILE.
 CONCATENATE lc_mygraphics lw_graphics-graphics text-001 INTO lv_filename.
 CONCATENATE lc_mygraphics lw_graphics-graphics text-001 INTO lv_content_id.
 lv_content_type = lw_graphics-httptype.
 lv_obj_len = lw_graphics-length.
*Add images to the email
 CALL METHOD lc_mime_helper->add_binary_part
 EXPORTING
 content = lt_solix
 filename = lv_filename
 extension = lv_bmp
 description = lv_description
 content_type = lv_content_type
 length = lv_obj_len
 content_id = lv_content_id.
ENDLOOP.
TRY.
 lv_subject = lv_subject.
 lc_doc_bcs = cl_document_bcs=>create_from_multirelated(
 i_subject = lv_subject
 i_multirel_service = lc_mime_helper ).
 CATCH cx_document_bcs INTO lc_send_exception.
 CATCH cx_bcom_mime INTO lc_send_exception.
 CATCH cx_gbt_mime INTO lc_send_exception.
ENDTRY.
Create send request
TRY.
 lc_bcs = cl_bcs=>create_persistent( ).
 CATCH cx_send_req_bcs INTO lc_send_exception.
ENDTRY.
TRY.
 lc_bcs->set_document( i_document = lc_doc_bcs ).
 CATCH cx_send_req_bcs INTO lc_send_exception.
ENDTRY.
Set-up email receiver
lv_mail_address = '[email protected]'.
TRANSLATE lv_mail_address TO UPPER CASE.
TRY.
 lc_recipient = cl_cam_address_bcs=>create_internet_address(
 i_address_string = lv_mail_address ).
 CATCH cx_address_bcs INTO lc_send_exception.
ENDTRY.
TRY.
 lc_bcs->add_recipient( i_recipient = lc_recipient ).
 CATCH cx_send_req_bcs INTO lc_send_exception.
ENDTRY.
Send smartforms as HTML email
TRY.
 lc_bcs->send( ).
 CATCH cx_send_req_bcs INTO lc_send_exception.
ENDTRY.
COMMIT WORK.
WRITE:/ 'Mail sent'.
ENDFORM. "call_smartforms
End Code --->
Thanks and Regards.

1- put your images in a directory under the web app directory. Example: app/images/
2- in your jsp, use: String file = application.getRealPath("/images/"); to get the images directory. See http://java.sun.com/j2ee/sdk_1.3/techdocs/api/javax/servlet/ServletContext.html#getRealPath(java.lang.String)
3- it's not the right forum to post this kind of question. Post them in the JSP/Servlet JSTL forum instead

How can I set up an SMS group so that all group members can dial a group number and have a text sent out to all members of the group

How can I set up an SMS group so that all group members can dial a group number and have a text sent out to all members of the group
This would be an SMS group similar to an email listserv but running on the SMS network
I have seen private individuals offering this service
It seems strange to me that no internet site like Apple, Yahoo or Google offers this as a free service much as the email group services are free services.
Steve

I think the app GroupMe might do what you want. You might also try contacting your carrier. My carrier offered some fancy group texting service for a while but they never really advertised it so, unless you asked, you never would have known. But, GroupMe is available in the app store. There are lots of other apps that also do group texting but it seems to be the one that gets recommended the most.

WebVPN Tunnel-Group Aliases and URLS

Similar Messages

Maybe you are looking for