WLC 5508 & Forefront Threat Management Gateway.

We are trying to implement a Guest wireless network on a new WLC 5508 which connects to the Internet via a Windows 2008R2 server running Forefront Threat Management Gateway, beyond which there's an ASA and then the Internet. The Windows server also provides DHCP and DNS to the WLAN clients.
The problem we're having is that the TMG server will not return packets to a wireless client. We boot the wireless client, it picks up a DHCP address (from the TMG server), we open a browser and try to access the Internet, result: nothing. If we run Wireshark on the client we can see the DHCP request and response, we see the DNS request but no reply comes back. On the TMG server in the TMG live log we can see that it is dropping the packets to the client with the following error message:
A packet was dropped because its destination IP address is unreachable.
We've tried attaching a wired PC to the same VLAN and it can obtain an IP address from the TMG server, get DNS resolution from the TMG server and access the Internet, so we know the problem must lie between the TMG server and the WLC 5508, but we can't determine whether it's something the WLC is doing which "masks" the client from the TMG server or something in the TMG server which is preventing it from communicating with the client.
If we open a browser on the client and enter http://1.1.1.1/login.html we get the login page and can authenticate (we have no DNS Host Name on the Virtual Interface; we've tried it with and without, no difference either way) but after that, nothing. We can see the client making repeated DNS requests and the return packets for each one are dropped by the TMG server with the message above.
Any advice would be much appreciated.
The WLC is running Software Version 7.3.112.0.

Similar Messages

  • Steps to configure Forefront Threat Management Gateway 2010 Standard Version

    Can you please guide the steps to configure Forefront Threat Management Gateway 2010 Standard Version

    Hi,
    Before you install Forefront TMG, please make sure that your system meets the minimum system requirements for installing TMG. For TMG 2010 Standard Edition, it only supports deploying the TMG server as a standalone server. You can refer to the link below:
    About the Forefront TMG Editions
    In addition, it would be better if you can share more detailed information about your environment and requirements, such as the deployment model for the TMG. Besides, the links below would be helpful to you:
    Forefront TMG Deployment
    TMG Firewall Interface Configuration (Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.)
    Best regards,
    Susie

  • Is there any latest version of forefront threat management gateway 2010

    Dear All,
    I just want to know whether Microsoft has released a new version of Forefront Threat Management Gateway 2010?
    Zeeshan Ibrahim Network Administrator

    Hi, there is no new version of Forefront TMG planned:
    http://blogs.technet.com/b/server-cloud/archive/2012/09/12/important-changes-to-forefront-product-roadmaps.aspx
    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.galileocomputing.de/3276?GPP=MarcGrote

  • Microsoft Forefront Threat management Gateway services keeps stopping

    Please assist urgently.
    Microsoft Forefront Threat Management Gateway 2010 services keep stopping. We are on Service Pack 2 Rollup 5.
    The Event Viewer does not display the reason why the services stopped.
    Your assistance will be highly appreciated.
    Regards
    Daniel Nkuna

    Hi,
    Here is a similar thread that TMG keeps stopping and no error displayed in event log. It is fixed by uninstalling Surf cop on the TMG servers. Do you have such application installed on TMG server?
    TMG Firewall service stopping
    Best Regards,
    Joyce
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Forefront Threat management Gate 2010 & Apple Server Addresses.

    We are using Microsoft Forefront Threat Management Gateway 2010 at our college. We would like to set up a policy which will allow a group of machines through to your servers, with malware detection disabled. When this is enabled it causes large downloads from your App Store to fail. What I require is the addresses of the Apple servers which run this part of the App Store. Then I can set up an exclusion policy for the servers.
    We can track the IPs, but it looks like the IPs of the Apple servers change randomly.
    Chris

    Large companies like Apple (and Microsoft) use a worldwide network of co-located servers to provide services. Excluding all possible IP addresses from filtering would be a monumental if not impossible task. You would be better off contacting Microsoft support on how to resolve a problem like this with their software.

  • Expiring Certificate in Threat Management Gateway workgroup configuration

    Can someone point me to documentation on how to renew an expiring certificate in a Threat Management Gateway in a workgroup configuration. The certificate is tied to the ISASTGCTL service.
    Thanks in advance.

    Thanks a lot Anders, but I could not understand "one server cert for each array member issued to the fqdn of the member". Does it mean
    1. a different certificate for each array member (i.e. server01.workgroup.local for server01 and server02.workgroup.local for server02)?
    OR
    2. a single server certificate (server01.workgroup.local) for both the servers, where server01 is the primary member of the array?
    I am asking this because at present I can see that the same server certificate (i.e. server01.workgroup.local) is present on both the servers under the ADAM_ISASTGCTRL\personal certificate store.
    Could you please throw some light on it.
    Thanks and regards,
    Lalit

  • WLC 5508 7.3 management interface access to GUI

    Hi,
    I have faced a strange issue.
    After I upgraded the software to v7.3 and applied AP-SSO, it became impossible to access the controller's GUI via the Service-port. So we tried to access it by the management port, but there is some problem there too. It is not working from other subnets. But the default gateway on the management VLAN is set correctly and I even tried to turn off all ACLs on the switch. The WLC is only accessible from the same network. But at the same time the WLC is replying to ping fine.
    All other protocols cannot connect to the controller.
    Has anybody faced the same issue?

    You're running the WLC in HA, so have you tried to disable HA and enable it to see if that fixes it, or remove it from HA and see if it's HA that's the issue or something else?
    Sent from Cisco Technical Support iPhone App

  • Problem uploading SSL certificat on a WLC 5508

    Hello,
    I'm trying to upload an SSL certificate (RSA:2048) on a WLC 5508 via the "Management->HTTP-HTTPS" tab and get the following problem:
    *TransferTask: Jul 18 16:36:14.487: %UPDATE-3-CERT_INST_FAIL: updcode.c:1276 Failed to install Webauth certificate. rc = 1
    *TransferTask: Jul 18 16:36:14.487: %SSHPM-3-KEYED_PEM_DECODE_FAILED: sshpmcert.c:4028 Cannot PEM decode private key
    I've generated it using the following commands:
    # openssl pkcs12 -export -in my.crt -inkey my.key -certfile my.ca-bundle -out CA.pfx
    # openssl pkcs12 -in CA.pfx -nodes -out CA.pem
    But it doesn't work...
    Does anyone have an idea?
    Best regards,
    Eric

    Hello Eric,
    I'm facing the same problem when trying to upload a chained SSL certificate (2048 bits) to the WLC version 7.0.116.0.
    Did you use an unchained certificate, and what size is your cert?
    According to a Cisco document, for controllers version 5.1.151.0 and later, only unchained certificates are supported for the management certificate.
    I'm just wondering, if this limitation still applies to the newer versions.
    Regards,
    Oliver

  • SSL-Certificates on WLC 5508

    I'm trying to upload an SSL certificate (.PEM) to a WLC 5508 via the "Management->HTTP-HTTPS" tab, but always get the error messages:
    *TransferTask: Mar 30 07:51:20.882: %UPDATE-3-CERT_INST_FAIL: updcode.c:1276 Failed to install Webauth certificate. rc = 1
    *TransferTask: Mar 30 07:51:20.882: %SSHPM-3-KEYED_PEM_DECODE_FAILED: sshpmcert.c:4028 Cannot PEM decode private key
    Any idea how to resolve this problem?

    Yes, the password is entered correctly, double checked that again
    (does the IOS perhaps not like special characters in the password, such as ! or / ?)
    Is there a maximum length for encryption keys? It's 2048 right now.
    Otherwise I did as explained in http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
    (the .pem is not the root certificate, only a server CA)
    edit: ok, the "Management" tab would have been the wrong attempt in the first place, it seems (it is actually meant to be a webauth, not a webadmin, certificate); "Security->web auth->certificate" seems to be the way to go, according to http://www.entrust.net/knowledge-base/technote.cfm?tn=8029 - still the same problem though.
    1 – Your SSL certificate (webserver)
    2 - The Entrust cross certificate (L1C)
    3 – The Entrust Root certificate (Entrust 2048 root)
    are all included in the certificate
    Product Version.................................. 7.0.98.0 - so should be able to use chained certificates according to the first link.
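    The two SSL threads above both end at the same "Cannot PEM decode private key" error after converting a PKCS#12 file with `openssl pkcs12 -nodes`. The script below is an added check, not code from either thread: it inventories the resulting PEM bundle and reports the two properties the replies ask about (whether the private key block is passphrase-protected, which `-nodes` removes, and how many certificates are chained into the file), plus the stray "Bag Attributes" lines openssl writes between blocks. The sample bundle is constructed with dummy base64 filler and is not real key material; the hostname in it is invented.

```python
"""Inventory a PEM bundle before uploading it as a WLC web-auth certificate.

Added example, not code from the threads above. It parses the PEM text that
`openssl pkcs12 -in CA.pfx -nodes -out CA.pem` writes and reports: is the
private key passphrase-protected, how many certificates are chained in, and
is there non-PEM text (openssl "Bag Attributes") or CRLF line endings.
"""
import re

# One PEM block: BEGIN label, body, matching END label. DOTALL spans lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

# Constructed sample in the shape of `openssl pkcs12 -nodes` output.
# Dummy filler only: not a real key, certificate or host.
SAMPLE_NODES_BUNDLE = (
    "Bag Attributes\r\n    localKeyID: 01 02 03\r\nsubject=/CN=guest.example.test\r\n"
    "-----BEGIN CERTIFICATE-----\r\nMIIBCONSTRUCTEDLEAFCERT\r\n-----END CERTIFICATE-----\r\n"
    "-----BEGIN CERTIFICATE-----\r\nMIIBCONSTRUCTEDISSUERCERT\r\n-----END CERTIFICATE-----\r\n"
    "Bag Attributes\r\n    localKeyID: 01 02 03\r\nKey Attributes: <No Attributes>\r\n"
    "-----BEGIN RSA PRIVATE KEY-----\r\nMIIECONSTRUCTEDKEY\r\n-----END RSA PRIVATE KEY-----\r\n"
)


def key_is_encrypted(label, body):
    """PKCS#8 encrypted keys carry their own label; legacy (RSA/EC) keys
    announce encryption with a Proc-Type/DEK-Info header inside the block."""
    return label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body


def inspect_bundle(text):
    """Return a dict of block facts plus human-readable findings."""
    blocks = list(PEM_BLOCK.finditer(text))
    keys = [m for m in blocks if m["label"].endswith("PRIVATE KEY")]
    certs = [m for m in blocks if m["label"] == "CERTIFICATE"]
    # Whatever is left after removing the blocks is openssl metadata or junk.
    stray = [ln for ln in PEM_BLOCK.sub("", text).splitlines() if ln.strip()]
    report = {
        "order": [m["label"] for m in blocks],
        "key_count": len(keys),
        "key_encrypted": any(key_is_encrypted(m["label"], m["body"]) for m in keys),
        "cert_count": len(certs),
        "stray_lines": len(stray),
        "crlf": "\r\n" in text,
        "findings": [],
    }
    f = report["findings"]
    if not keys:
        f.append("no private key block in the bundle")
    elif len(keys) > 1:
        f.append("more than one private key block")
    elif not report["key_encrypted"]:
        f.append("private key is unencrypted (what -nodes produces); "
                 "no certificate password can apply to it")
    if not certs:
        f.append("no certificate block in the bundle")
    elif len(certs) > 1:
        f.append(f"{len(certs)} certificates: this is a chained bundle")
    if stray:
        f.append(f"{len(stray)} non-PEM lines outside the blocks")
    if report["crlf"]:
        f.append("CRLF line endings")
    return report


def clean_bundle(text):
    """Re-emit only the PEM blocks, LF-terminated, dropping openssl's metadata."""
    return "\n".join(m.group(0).replace("\r\n", "\n") for m in PEM_BLOCK.finditer(text)) + "\n"


if __name__ == "__main__":
    for line in inspect_bundle(SAMPLE_NODES_BUNDLE)["findings"]:
        print("-", line)
```

    The check only reports; whether a chained bundle or an unencrypted key is accepted depends on the controller release, which the second thread shows differs between versions.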

  • WLC 5508 AP-Manager interface

    Hi, I own a WLC 5508 and I (probably) do not understand AP-Manager interfaces. I have a lab with 2x 1242AG and 1x 1252AG connected to a c2960. APs are in VLAN 10 (192.168.10.0/24, configured via DHCP), and are connected to "switchport mode access" interfaces. The c2960 is connected via a trunk to a c4506, and the WLC is plugged into gi1/3 and gi1/4 (both through TwinGig). Both ports are configured as "switchport mode trunk". The management interface on the WLC is on WLC port 8 (connected to gi1/4), and AP-Manager is on WLC port 1 (connected to gi1/3). The management interface on the WLC has "Dynamic AP management" set to disabled, and AP-Manager has it set to enabled. Both the Management and AP-Manager interfaces are tagged, VLAN IDs 12 and 13 (subnets 192.168.12.0/24 and 192.168.13.0/24) respectively. APs receive their IP configuration via DHCP (server located in VLAN 20, 192.168.20.0, ip helper-address in use), and try to discover the WLC by DNS resolution (CISCO-CAPWAP-CONTROLLER.some.domain resolves to the AP-Manager IP correctly). But the APs do not join the controller; the WLC says "Ignoring discovery request received on non-management interface", and the AP has "not joined" status in Monitor/Statistics/AP Join.
    But if I set the management interface to "Dynamic AP enabled", and change DNS to resolve CISCO-CAPWAP-... to its IP, everything works fine - the AP joins at once. Please help: how do I join a LAP to the AP-Manager interface? Joining to the WLC management interface is simple, but my design requires at least 2 AP-Manager interfaces.

    Hello,
    I just wanted to mention foremost: a split LAG configuration is not supported on the WLCs. This "can" be achieved if you are splitting your LAG ports amongst a VSS configuration on your two capable devices, but it is not a recommended or supported configuration. I would highly suggest a LAG configuration over your individual ports. As far as the "ap-manager" concern you have of managing more than 48 APs, you are correct in that the AP-manager cannot handle more than 48 APs, however only when in an individual port configuration. The LAG will overcome this limitation.
    George was correct about your DNS entry; this needs to point to the WLC's management interface. This is why the AP joined when you pointed the DNS entry back to the management address, as intended.
    This link is anchored to the mgmt, ap-manager, and dynamic interface creation for the 7.0.116.0 Config Guide: http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_ports_interfaces.html#wp1286790
    "If" you want to keep an individual port configuration, and need more than 60 APs connected, you will need to create more than one "ap-manager" interface. You will just make a new dynamic interface and place it on the same network as the current AP manager (i.e., the management interface) and mark it for dynamic AP management. All APs will still need to see only the management interface for joining; the WLC will assign to the appropriate AP manager as needed. The WLC will fill up the first AP manager before building tunnels through the next AP-manager interface, so in your lab you will not really be able to test this behavior, assuming the 3-4 APs you were using.
    1. You can keep your management interface with "dynamic ap management" enabled so this serves as the first AP manager, if you desire.
    2. You will need to create another dynamic interface mapped to the next port. Enable "dynamic ap management" again here, and place this new "ap-manager" interface on the same VLAN as the mgmt. Keep in mind creating a dynamic interface and designating it as an AP manager prevents mapping that interface to a WLAN, see note below.
    *NOTE (from config guide): When you enable this feature, this dynamic interface is configured as an AP-manager interface (only one AP-manager interface is allowed per physical port). A dynamic interface that is marked as an AP-manager interface cannot be used as a WLAN interface.
    I would highly suggest the LAG configuration so there is no need to worry about the ap manager interfaces, regardless of the number of APs communicating. This also allows for growth if WLC needs to be licensed for more and more APs.

  • ACL blocking traffic towards the management interface on WLC 5508

    Hello All,
    I need to apply an ACL on a WLC 5508 such that it would allow HTTPS traffic to the management interface only from selected clients.
    For the same, I have created an ACL permitting only the intended users while blocking the rest, and have applied it on the management interface.
    However, access from all devices to the management interface is still not blocked. The ACL hit count is not incremented either.
    I am on WLC code 8.0.110.0.
    Has anyone else faced a similar issue while applying an ACL against the management interface?
    Highly appreciate the inputs.
    Thanks and Regards,
    Adnan

    Hi Adnan,
    you have to apply this ACL as a CPU ACL. Then it will work.
    For your reference:
    http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109669-secure-wlc.html#t4
    Hope that helps...
    Kind regards
    Philip
    --> Pls rate useful responses <--

  • WLC 5508 management interface

    Hi, I have a particular wireless design that requires one WLC 5508 to be connected to two separate switches. Port 1 of the WLC is connected as a trunk to Switch A and Port 2 of the WLC is connected to Switch B. Each switch has its own local VLANs. When I connect 1130 LAPs they need to find the management interface initially and then use only the AP management interfaces. Since there is only one management interface, if I assign the management interface to a VLAN that is configured on switch A then APs on switch A join fine, but those on switch B keep asking for the management interface, and from the CAPWAP debug on the WLC it says that the join request was received on the wrong interface ....
    The only workaround to this was to make routing between switch A and switch B for the two VLANs on which the APs reside... but for security purposes the client would like to avoid this.
    Any help much appreciated ..

    Hi thanks for your reply,
    Yes I agree perfectly with your explanation - On both switches I have UDP forward for 5246 and 5247 and everything works fine.
    You understood exactly what's happening: for initial discovery the Guest AP asks for the management interface through WLC port 2, but the management IP is on the admin side, WLC port 1, and then it drops the packet saying that it was received on the wrong port. In fact that is why I put an ACL between the Admin switch and guest switch that allows only 5426 CAPWAP control - just to allow that initial discovery from the guest AP to contact the Management interface, which can only be assigned to one port and in my case is on the admin switch side. And that is why I had to make a route between the two independent switches.
    My question is whether there is any other way, with my given design, to eliminate this initial discovery to the management interface, as my client would like the admin and guest switches to be completely separated, i.e. without the routing. Is there any way that the guest APs can make contact with the AP management interface on their side only, skipping the discovery of the management interface? The guest APs were primed on the admin side so they know the IP. After the initial discovery, if I remove the routing between admin and guest switch, the guest APs keep their connectivity without any problems.

  • WLC 5508 with 6.0.188 -- ap-manager interface..

    6.0.188 code on new 5508 WLC does not show ap-manager interface.
    6.0.188 code on 4404 wlc does have ap-manager interface.
    Both are working fine.
    Why is that?

    The 5500 controllers use the management interface to function as both the management interface and ap-manager.  There will not be an ap-manager in the 5500.

  • 2 AP Management interface WLC 5508 at the same time

    Good afternoon,
    I have a customer who wants a few APs to be managed by, and join through, the management interface, and another group of APs to be managed by, and join through, another interface configured with "Enable Dynamic AP Management".
    It is a WLC 5508. I created an interface by checking the option "Enable Dynamic AP Management" but it does not work; through the management interface they register without problems.
    Is it possible to do this? Is it supported?

    I don't know whether I understand your question properly or not.
    I think you want to join APs to the management and AP manager interfaces at the same time?
    When you want to allow APs to join on two ports, 1 (management) & 2, at the same time, then you have to use this:
    As you must be aware that only one AP manager is allowed per port. So if you leave the Management interface as an AP‐manager and just create one additional AP manager interface, you’ll allow APs to join to either port, but the Management interface will not be able to fail over since that would make two AP managers on the same interface.
    Or 
    Remove the AP management function from the Management interface and then create two new AP manager interfaces (one for each port).
    Regards
    Don't forget to rate helpful posts

  • Wlc 5508 management interface vlan - access point vlan

    Is it required that the access points are in the same vlan as the management interface on a wlc 5508?

    There is a story behind this .. Just yesterday my guy was like "APs won't join" .. I let him hammer away at it .. It was the check box
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."