WLC tcp port 80 access only

Hi,
One of the SSIDs on a WLC 5500 (SV: 7.2.103.0) is configured in web authentication mode. After authentication (local database), users can access
http sites but cannot access, for example, https sites.
TIA

I presume there are no ACLs in place for this WLAN? If there are, please post them here so we can take a look.
What's in between your WLC/clients and your ISP? Firewall, proxy/web filter, IDS, etc.?
If you take a packet capture from the WLC switchport (port-channel if using LAG), do you see a proper TCP handshake take place? I would find out what's going on with the flow of traffic if you don't see any indication from a device like those listed above. As long as you can verify that the client traffic has left the WLC, then you should investigate why it's not coming back.
Scott's suggestion above of testing with a wired client would be your best bet to start with.

Similar Messages

  • Wcs 4.1 tcp port access

    How can I change the TCP port used to access the WCS app on an NT server? I have a server used for other apps in addition to WCS, and they require port 8080. I have completed the install and currently it is being redirected from 80 to 443. How can I stop port 8080 from being used, if possible?

    Windows or Linux?
    If Linux, look under /opt/WCS4.1/webnms/apache/conf/
    edit httpd.conf with the ports you desire, restart WCS
    open the ports in iptables, restart iptables

  • ACL filter tcp port

    Dear Expert,
    I am studying the ACL to filter (stop) TCP ports from the URL below:
    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml
    In the section "Allow Only Internal Networks to Initiate a TCP Session", I would be grateful if someone could enlighten me on the usage of "established":
    interface ethernet0
    ip access-group 102 in
    access-list 102 permit tcp any any gt 1023 established
    What is the difference if the ACL is changed to the following?
    access-list 102 permit tcp any any gt 1023
    Rgds

    Dear Jennifer,
    Very helpful.
    Grateful if you would comment on the following configuration, in which I have tried to apply your advice.
    interface serial 0/0
    description 45M DS3 from HK to US
    ip access-group 105 in
    interface fastethernet 0/0
    description Internal VLAN 100 for xxx department
    ip address 192.168.100.1 255.255.255.0
    ! (.1 assumed here: an interface needs a host address in the subnet, not the network address)
    ip access-group 101 in
    access-list 101 remark -- only allow Web service from internal to outside --
    access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq www
    access-list 105 remark -- allow return traffic if destination tcp port greater than 1023 --
    access-list 105 permit tcp any eq www 192.168.100.0 0.0.0.255 gt 1023 established
    ! it should embed the partial function of "permit tcp any eq www 192.168.100.0 0.0.0.255 gt 1023", but the
    ! traffic should be permitted only if it is initiated from 192.168.100.0/24. If the traffic is initiated from outside,
    ! ACL 105 would deny it.
    access-list 115 remark -- allow in/return traffic for tcp port greater than 1023 --
    access-list 115 permit tcp any eq www 192.168.100.0 0.0.0.255 gt 1023
    ! the traffic is permitted no matter whether it is initiated from internal or external
    access-list 125 remark -- allow return traffic for all tcp ports --
    access-list 125 permit tcp any eq 80 192.168.100.0 0.0.0.255 established
    ! includes the function of ACL 105, and also supports the tcp port range from 1 to 1023
    access-list 135 remark -- allow in/return traffic for all tcp ports --
    access-list 135 permit tcp any eq 80 192.168.100.0 0.0.0.255
    ! includes the function of ACL 115, and also supports the tcp port range from 1 to 1023
    If so, I would like to modify the ACL to support more services; grateful if you would comment on it.
    access-list 101 remark -- only allow Internet services from internal to outside --
    access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq www
    access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq smtp
    access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq pop3
    access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq 143
    access-list 101 permit tcp host 192.168.100.120 eq 143 any established
    access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq telnet
    access-list 145 remark --- return and in traffic ---
    access-list 145 permit tcp any 192.168.100.0 0.0.0.255 gt 1023 established
    access-list 145 permit tcp any host 192.168.100.120 eq 143
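The difference between the two ACL styles in this thread (entries with and without "established") comes down to TCP flag matching. The following is an added example, not part of the thread and not Cisco's code: a small Python model of how an extended ACL entry evaluates TCP segments. The packets, ACL names (ACL_105 and ACL_115, mirroring the poster's two variants) and addresses are constructed for the demonstration. It shows that the keyword only matches segments carrying ACK or RST, so a fresh connection opened from the outside (SYN only) never matches the "established" entry and falls through to the implicit deny, while the same entry without the keyword would permit it.

```python
# Added example (not from the thread): model of IOS extended-ACL matching
# with and without the "established" keyword. "established" matches only
# TCP segments with the ACK or RST bit set, so an outside host's initial
# SYN cannot match it. The ACL is still stateless: it never checks whether
# a matching connection actually exists, only the flag bits on the segment.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]  # subset of {"SYN", "ACK", "RST", "FIN"}

@dataclass(frozen=True)
class AceEntry:
    action: str                        # "permit" or "deny"
    src: str                           # CIDR or "any"
    sport: Optional[Tuple[str, int]]   # ("eq", 80), ("gt", 1023) or None
    dst: str
    dport: Optional[Tuple[str, int]]
    established: bool = False

def _port_match(cond: Optional[Tuple[str, int]], port: int) -> bool:
    if cond is None:
        return True
    op, value = cond
    return {"eq": port == value, "gt": port > value, "lt": port < value}[op]

def _net(spec: str):
    return ip_network("0.0.0.0/0" if spec == "any" else spec)

def ace_matches(ace: AceEntry, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in _net(ace.src)
            and ip_address(pkt.dst) in _net(ace.dst)
            and _port_match(ace.sport, pkt.sport)
            and _port_match(ace.dport, pkt.dport)
            and (not ace.established or bool(pkt.flags & {"ACK", "RST"})))

def acl_decision(acl: List[AceEntry], pkt: Packet) -> str:
    """First matching entry wins; an implicit deny sits at the end."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

# The poster's two inbound ACLs on the Internet-facing interface.
ACL_105 = [AceEntry("permit", "any", ("eq", 80), "192.168.100.0/24", ("gt", 1023), established=True)]
ACL_115 = [AceEntry("permit", "any", ("eq", 80), "192.168.100.0/24", ("gt", 1023))]

# Constructed segments: a reply to a session the inside host opened, and a
# brand-new session from outside that happens to be sourced from port 80.
RETURN_SEGMENT = Packet("203.0.113.5", 80, "192.168.100.10", 40000, frozenset({"ACK"}))
OUTSIDE_SYN = Packet("203.0.113.5", 80, "192.168.100.10", 40000, frozenset({"SYN"}))

def compare(pkt: Packet) -> dict:
    """Decision of each ACL for one segment."""
    return {"acl_105": acl_decision(ACL_105, pkt), "acl_115": acl_decision(ACL_115, pkt)}

if __name__ == "__main__":
    print("return traffic:", compare(RETURN_SEGMENT))
    print("outside-initiated SYN:", compare(OUTSIDE_SYN))
```

The model also makes the limitation visible: any outside segment with ACK set matches ACL_105 whether or not the inside host ever opened that session, which is why stateful inspection (reflexive ACLs, CBAC or a zone-based firewall) is the stronger control when it is available.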

  • Operations Manager 2012 - TCP Port Monitor

    Hi,
    Is it possible to have the TCP port monitor only alert if it fails on subsequent polls, instead of on the single connection failure which is the default? We have 3 GPRS connections which intermittently
    fail, so we only need to be alerted if they don't come back online after a 5-10 minute interval and 2 failed connection attempts in a row. We have Orchestrator, so perhaps a runbook needs to be created?
    Thanks

    Hi,
    Yes. A runbook could do this trick. I think you need to configure the monitors not to generate alerts when the health state changes. Then use a runbook to monitor the health state; if certain conditions are true, an alert will be generated.
    I am not so familiar with Orchestrator; you may ask in the Orchestrator forum to get an answer on how to design the runbook.
    Juke Chou
    TechNet Community Support

  • Airport Extreme Simultaneous Dual-Band port forwarding broken if only TCP ports with firmware 7.6.1

    When configuring my Airport Extreme Simultaneous Dual-Band router, port forwarding is broken if you only specify TCP ports to forward. This is with firmware 7.6.1. What happens is that after you hit the Update button, when the router comes back and you open the port forwarding entry, the IP is still there but the port numbers are missing.
    I tried all different port numbers and ranges and nothing would stick if I only specified TCP ports. If I added UDP ports with the TCP ports then it would save them. And if you add a new entry with only UDP it saves them too.
    Now this is with adding a new port forwarding. I already have existing ports being forwarded that only have TCP. They are still working. I believe I added them with a previous version of the firmware.
    Anyone else see this issue? Any ideas?
    Maybe I should perform a hard reset and reload a saved config.
    Peace,
    Dan

    I haven't seen the issue but you could just downgrade to an earlier firmware:

  • Monitor a TCP port but alert only if timed out X times

    Hello,
    I need to build a monitor that will probe a TCP port but alert only if it has timed out X times.
    I was looking at the Microsoft.SystemCenter.SyntheticTransactions.TCPPortCheckProbe module but it doesn't have this option.
    Thanks,
    Marius

    You can check
    http://www.ghacks.net/2010/05/25/tcp-port-monitor-port-alert/
    for TCP Port Monitor Port Alert
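Both this thread and the Operations Manager 2012 thread above ask for the same behaviour: probe a TCP port on a schedule but raise an alert only after N consecutive failures, and announce recovery once the port answers again. The following is an added example, not code from either thread and not a SCOM or Orchestrator module: a small Python monitor with that hysteresis. The host and port values and the sequence of probe outcomes fed through `run_schedule` are constructed for the demonstration; the `probe` hook exists only so the schedule can be replayed without a network.

```python
# Added example (not from the thread): TCP port monitor that alerts only
# after N consecutive failed probes and reports recovery once.
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass
class PortMonitor:
    host: str
    port: int
    failures_required: int = 2       # consecutive failures before an alert
    timeout: float = 2.0             # seconds per connection attempt
    consecutive_failures: int = 0
    down: bool = False
    probe: Optional[Callable[[], bool]] = None  # injectable for replaying constructed results

    def _tcp_probe(self) -> bool:
        """Real probe: a completed TCP handshake counts as success."""
        try:
            with socket.create_connection((self.host, self.port), timeout=self.timeout):
                return True
        except OSError:
            return False

    def poll(self) -> Optional[str]:
        """Run one probe. Returns 'alert', 'recovered', or None (no event)."""
        ok = (self.probe or self._tcp_probe)()
        if ok:
            self.consecutive_failures = 0
            if self.down:
                self.down = False
                return "recovered"
            return None
        self.consecutive_failures += 1
        if not self.down and self.consecutive_failures >= self.failures_required:
            self.down = True          # alert exactly once per outage
            return "alert"
        return None

def run_schedule(monitor: PortMonitor, results: List[bool]) -> List[Optional[str]]:
    """Replay a constructed sequence of probe outcomes and collect the events."""
    it = iter(results)
    monitor.probe = lambda: next(it)
    return [monitor.poll() for _ in results]

def self_check() -> bool:
    """Probe a throwaway listener on 127.0.0.1 to show the real TCP probe works."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        mon = PortMonitor("127.0.0.1", srv.getsockname()[1])
        return mon.poll() is None and mon.consecutive_failures == 0

if __name__ == "__main__":
    # Constructed outcomes: one blip (ignored), then a real outage, then recovery.
    outcomes = [True, False, True, False, False, False, True]
    print(run_schedule(PortMonitor("192.0.2.10", 443, failures_required=2), outcomes))
    print("real probe ok:", self_check())
```

A single failed poll is swallowed, the alert fires on the second consecutive failure, further failures during the same outage stay silent, and the first success afterwards produces one "recovered" event; the polling interval (5-10 minutes in the question) is left to whatever scheduler runs `poll()`.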

  • LMS 4.2 Why is TCP port 514 used and how to close it?

    An internal security scan showed that TCP port 514 is open on the Cisco Prime LMS 4.2.4 server. The security team is concerned that this port is commonly used for rsh, which is not encrypted and may use plain-text logins or poorly authenticated logins. The port being open is documented in the "Installing and Migrating ..." manual for LMS 4.2, where it says that TCP port 514 is used for Remote Copy Protocol in the direction from the server to the device. The well-known port associated with a service is usually on the target host, not on the host that initiates the connection, so this is a little confusing. I see that there is no rsh service in /etc/inetd.conf, but there is an rsh service in /etc/xinetd.conf. This LMS is not configured to use RCP for anything, as far as I can tell.
    Can I close TCP port 514 on this server without disastrous results, and how do I do that?
    Or, how do I satisfy the security team that having this port open is not a security concern?
    Thanks for any help.
    Dave

    I have a love/hate relationship with security audits like that. Happy to know the profile of a server, but then hating to have to justify everything their "report" "concludes" (95% of which is usually just dressed-up tool output from Nessus or whatever).
    The problem is that with appliance servers running a packaged application like LMS, mucking with the OS settings (rc files etc.) can break things in unexpected ways. I'm more in favor of putting it on a segmented network and applying access-control lists or firewall rules inbound vs. trying to take apart the system and put it back together using only the parts you think are necessary (a bit of hyperbole there, but it's to make a point).
    Call it defense in depth, declare victory, and then move on with using the tool to actually manage the network instead of defending its configuration to the Stasi.

  • Port Access Mapping Table

    PORT_ACCESS
    TCP|*|*|192.168.1.121|* \
    $C$[IMTA_LIB:conn_throttle.so,throttle,$1,1]\
    $N421$ Too$ Many$ Connection$E
    Does anyone have any idea what these lines do? Especially, I would like to know whether $1 refers to the 1st "*" or the 2nd "*"?

    I suggest having a look at the improved documentation for 6.1:
    http://docs.sun.com/source/817-6266/filter.html
    A particular IP address can be limited to how often it connects to the MTA by using the shared library, conn_throttle.so in the Port Access mapping table. Limiting connections by particular IP addresses may be useful for preventing excessive connections used in denial-of-service attacks.
    conn_throttle.so is a shared library used in a PORT_ACCESS mapping table to limit MTA connections made too frequently from particular IP addresses. All configuration options are specified as parameters to the connection throttle shared library as follows:
    $[msg_svr_base/lib/conn_throttle.so,throttle,IP-address,max-rate]
    IP-address is the dotted-decimal address of the remote system. max-rate is the connections per minute that shall be the enforced maximum rate for this IP-address.
    The routine name throttle_p may be used instead of throttle for a penalizing version of the routine. throttle_p will deny connections in the future if they've connected too many times in the past. If the maximum rate is 100, and 250 connections have been attempted in the past minute, not only will the remote site be blocked after the first 100 connections in that minute, but they'll also be blocked during the second minute. In other words, after each minute, max-rate is deducted from the total number of connections attempted and the remote system is blocked as long as the total number of connections is greater than the maximum rate.
    If the IP-address specified has not exceeded the maximum connections per minute rate, the shared library callout will fail.
    If the rate has been exceeded, the callout will succeed, but will return nothing. This is done in a $C/$E combination as in the example:
    PORT_ACCESS
    TCP|*|25|*|* \
    $C$[msg_svr_base/lib/conn_throttle.so,throttle,$1,10] \
    $N421$ Connection$ not$ accepted$ at$ this$ time$E
    Where,
    $C continues the mapping process starting with the next table entry; uses the output string of this entry as the new input string for the mapping process.
    $[msg_svr_base/lib/conn_throttle.so,throttle,$1,10] is the library call with throttle as the library routine, $1 as the server IP Address, and 10 the connections per minute threshold.
    $N421$ Connection$ not$ accepted$ at$ this$ time rejects access and returns the 421 SMTP code (transient negative completion) along with the message "Connection not accepted at this time."
    $E ends the mapping process now. It uses the output string from this entry as the final result of the mapping process.
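The throttle and throttle_p behaviour quoted above can be made concrete by simulating it. The following is an added example, not code from the thread and not Sun's conn_throttle.so: a Python model of the per-IP, per-minute counters the documentation describes, plus a function that mimics the $C/$E outcome of the PORT_ACCESS entry (continue to the next entry when the rate is not exceeded, otherwise the 421 rejection). The IP address, the max-rate of 100 and the minute-by-minute attempt counts are constructed to reproduce the worked example in the text (250 attempts in minute one).

```python
# Added example (not from the thread): model of conn_throttle.so's "throttle"
# (per-minute limit) and "throttle_p" (penalizing: excess carries over,
# minus max-rate each minute) as the documentation quoted above describes them.
from collections import defaultdict
from typing import Dict, List, Optional, Sequence, Tuple

class ConnectionThrottle:
    def __init__(self, max_rate: int, penalize: bool = False):
        self.max_rate = max_rate
        self.penalize = penalize
        self.counts: Dict[str, int] = defaultdict(int)       # attempts charged to each IP
        self.last_minute: Dict[str, int] = defaultdict(int)  # minute of the last attempt per IP

    def _roll_minute(self, ip: str, minute: int) -> None:
        elapsed = minute - self.last_minute[ip]
        if elapsed <= 0:
            return
        if self.penalize:
            # throttle_p: deduct max-rate for every minute that has passed; the
            # remainder keeps the remote system blocked while it exceeds max-rate.
            self.counts[ip] = max(0, self.counts[ip] - self.max_rate * elapsed)
        else:
            # throttle: a fresh minute starts from zero.
            self.counts[ip] = 0
        self.last_minute[ip] = minute

    def attempt(self, ip: str, minute: int) -> bool:
        """Record one connection attempt; True = accepted, False = rate exceeded."""
        self._roll_minute(ip, minute)
        self.counts[ip] += 1
        return self.counts[ip] <= self.max_rate

REJECTION = "421 Connection not accepted at this time"

def evaluate_port_access(throttle: ConnectionThrottle, ip: str, minute: int) -> Optional[str]:
    """Outcome of the PORT_ACCESS entry: None means the $C callout failed (rate not
    exceeded) and mapping continues; otherwise $N...$E returns the 421 rejection."""
    if throttle.attempt(ip, minute):
        return None
    return REJECTION

def simulate(penalize: bool,
             schedule: Sequence[Tuple[int, int]] = ((1, 250), (2, 10), (3, 10)),
             max_rate: int = 100,
             ip: str = "198.51.100.7") -> List[int]:
    """Accepted connections per minute for a constructed attempt schedule."""
    throttle = ConnectionThrottle(max_rate, penalize=penalize)
    accepted = []
    for minute, attempts in schedule:
        accepted.append(sum(evaluate_port_access(throttle, ip, minute) is None
                            for _ in range(attempts)))
    return accepted

if __name__ == "__main__":
    print("throttle   accepted per minute:", simulate(penalize=False))
    print("throttle_p accepted per minute:", simulate(penalize=True))
```

With 250 attempts in minute one, both variants accept the first 100. The plain routine then accepts everything in minute two, while the penalizing one carries 150 over, rejects all of minute two, and only resumes in minute three once the carried total drops below the limit.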

  • 922 TCP ports closed!

    Hi All,
    Nmap gave me some disturbing news last night; I have 922 TCP ports closed on my computer, including stuff like Trinoo, Elite and some other trojans that I would think are Windows threats only. Even though the ports are closed (I've got the firewall enabled), I have no idea how and why they appeared on my computer. I have a wireless router, but don't know if that matters. Thanks for your help.

    Hi,
    As you said, the ports are closed; this means that they are inaccessible, so you don't have to worry. Additionally, when you're sitting behind a wireless router, its own firewall should protect you from outside access. Anyway, it would be helpful if you could provide the whole output of nmap and tell us whether you scanned the IP which belongs to your local network or the IP which was assigned to your wireless router by your ISP.
    Cheers,
    ulrik

  • Bypassing TCP port 25 restriction (i.e. worst ISP EVER; Mail is not allowed

    Hi
    The private company that runs my DOES NOT ALLOW SMTP connections on its "hi speed internet connection".
    Meaning that Mail cannot function and I have to check via webmail.
    I'm serious.
    Their FAQ states:
    Can I use email clients such as Microsoft Outlook or Outlook Express to send and receive emails?
    No, you will only be able to use web browser based email such as Hotmail or Gmail; this is due to limitations (on TCP port 25) which have been implemented to protect you against other computer users sending unsolicited bulk emails (SPAM) via your computer.
    Does anyone know a way to get around this as I NEED the functionality of Mail.....
    Also,
    Are all British ISPs this ridiculous?
    Dying to find a solution to this....... Many Many Many Many Thanks
    PS. I already paid extra ($250USD) to enable 'super' internet which doesn't throttle VOIP, streaming, gaming, P2P etc.
    Luke

    Beginning January 1, 2006 Port 587 has been standardized as the port to use for authenticated SMTP servers although most will still work with Port 25 as well. More and more ISPs are blocking port 25 as various jurisdictions are holding them responsible for spam and/or viruses originating on their network. With unauthenticated SMTP anyone can send using that server whether they have an account or not. So the ISPs block that port with the sole exception of their own SMTP server so they can scan the messages for spam and viruses. With an authenticated SMTP server where a valid account id and password are required to send messages the provider of the server assumes the responsibility for scanning all traffic through their server thus relieving the ISP of the liability.
    Whether you think this is a big brother step or not, with estimates that spam on the internet is running as high as 70% of all email traffic, if it weren't for restrictions like this email would rapidly become an unusable tool. The only annoying thing I have found about this is how few ISP tech support people know about this. Too often their solution is "you can only use another email provider through their webmail interface."

  • Http probe on non-standard tcp port 8021

    I've configured an http probe on standard port 80 with no issue. I'm now trying an http probe on non-standard TCP port 8021; a packet capture confirms that the CSM is indeed probing and that status code 403 is returned, but the reals are showing "probe failed". Am I missing something? Thank you in advance.
    CSM v2.3(3)2
    probe 8021 http
    request method head
    interval 2
    retries 2
    failed 4
    port 8021
    serverfarm TEST
    nat server
    no nat client
    real 10.1.2.101
    inservice
    real 10.1.2.102
    inservice
    probe 8021
    vserver TEST
    virtual 10.1.2.100 tcp 8021
    serverfarm TEST
    replicate csrp connection
    persistent rebalance
    inservice
    VIP and real status:
    vserver type prot virtual vlan state conns
    Q_MAS_8021 SLB TCP 10.1.2.100/32:8021 ALL OUTOFSERVICE 0
    real server farm weight state conns/hits
    10.1.2.101 TEST 8 PROBE_FAILED 0
    10.1.2.102 TEST 8 PROBE_FAILED 0

    You need to specify what HTTP response code you expect.
    The command is:
    gdufour-cat6k-2(config-slb-probe-http)#expect status ?
    <0-999> expected status - minimum value in a range
    The default is to expect only 200.
    This is why your 403 is not accepted.
    Gilles.
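The reply above explains the failure: the probe compares the returned status against an expected range that defaults to 200 only, so a 403 is a failed probe until the range is widened. The following is an added example, not the thread's code and not the CSM's: a Python HEAD probe with the same minimum/maximum status check, run against a constructed local backend that answers 403 the way the poster's reals do. The address is an ephemeral port on 127.0.0.1 and the backend exists only for the demonstration.

```python
# Added example (not from the thread): HTTP HEAD probe whose pass/fail
# decision depends on an expected status range, defaulting to 200 only as
# the CSM does. A constructed local backend answers HEAD with a fixed code.
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple

def start_backend(status: int) -> HTTPServer:
    """Constructed backend on 127.0.0.1:<ephemeral> that answers every HEAD with `status`."""
    class Handler(BaseHTTPRequestHandler):
        def do_HEAD(self):
            self.send_response(status)
            self.end_headers()

        def log_message(self, *args):  # keep the demo output quiet
            pass

    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def http_head_probe(host: str, port: int, expect_min: int = 200, expect_max: int = 200,
                    timeout: float = 2.0) -> Tuple[Optional[int], bool]:
    """Send HEAD / and return (status, passed). A connection error is a failed probe."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        status = conn.getresponse().status
    except OSError:
        return None, False
    finally:
        conn.close()
    return status, expect_min <= status <= expect_max

def demo(status: int = 403):
    """Probe a backend returning `status` with the default range and with a widened one."""
    srv = start_backend(status)
    host, port = srv.server_address
    try:
        with_default = http_head_probe(host, port)
        with_range = http_head_probe(host, port, expect_min=200, expect_max=403)
    finally:
        srv.shutdown()
        srv.server_close()
    return with_default, with_range

if __name__ == "__main__":
    print("default expectation (200 only):", demo(403)[0])
    print("expected range 200-403:        ", demo(403)[1])
```

Widening the accepted range is the fix the reply describes; the trade-off a practitioner should keep in mind is that a backend answering 403 on every path will then count as healthy, so the probe URL should be one where 403 is the genuinely expected answer.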

  • [SQL QUERY] Select TCP Port Monitors and their related Watcher Node

    Hi everybody,
    I'm working on an SSRS report and SQL query. I have no problem finding all my TCP Port Monitors (SCOM 2012 R2) based on the DisplayName, but I can't figure out how to get their related watcher nodes (in my case only 1 computer is a watcher node).
    I can't find which table, which field, contains this information.
    Here is the query I started to write (I select * since I'm still searching for the right column):
    SELECT *
    FROM StateView s
    INNER JOIN BaseManagedEntity me ON me.BaseManagedEntityId = s.BaseManagedEntityId
    INNER JOIN MonitorView mv ON mv.Id = s.MonitorId
    INNER JOIN ManagedTypeView mtv ON mtv.Id = s.TargetManagedEntityType
    --WHERE mv.DisplayName LIKE 'Ping Target Status Check%'
    WHERE mv.DisplayName LIKE '%tcpmon%'
    AND mv.LanguageCode = 'ENU'
    AND me.IsDeleted = 0
    --AND s.HealthState IN (@state)
    ORDER BY s.LastModified DESC
    It would be great if someone can help me !
    Thanks,
    Julien

    Hi,
    After creating a TCP port monitor, we can find a table for this monitor in the OperationsManager database:
    SELECT *
    FROM [OperationsManager].[dbo].[MT_TCPPortCheck_******WatcherComputersGroup]
    There you will find the watcher computer group.
    Regards,
    Yan Li
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Route decisions based on destination TCP port with EIGRP

    I need information on the plausibility of making routing decisions within EIGRP based on different destination TCP ports. I have a third-party partner that we communicate with, and they are adding a second location which we will connect to. They want to use the same destination host IP but make the route decision based on destination TCP port; i.e. if we target TCP 6123 they want us to route down link A to site A, and if we target TCP 7123 we would route down link B to site B. I have never had to make that happen, so I am looking into whether it actually can be done and, if so, what the basic configuration to pursue is. We use static IP routes to/from them today and will in the future at the edge; those are redistributed internally into our EIGRP. Can EIGRP make decisions based on IP and port?

    No routing protocol makes decisions based on port number, as far as I know.
    You need to look into PBR (Policy Based Routing) for this, where you can use ACLs to define the route that traffic takes.
    Depending on your connections you may well need to use tracking as well, but it depends.
    If the only reason to use EIGRP is for these connections you probably don't need it, as with PBR you are overriding the routing table anyway, but you may want to run it for other connectivity.
    If you do a search on PBR you should find quite a few examples, but if you get stuck then by all means come back.

  • Agentry Client 6.1.3 installation with preconfigure SMP server name et TCP Port

    Hi,
    I'm looking for a way to deploy an Agentry Client (version 6.1.3.xxx) on multiple devices without having to manually specify the SMP server name and TCP port.
    When the user gets it, I just want him to enter his credentials to start the first sync/config process.
    Is there any way to do that easily?
    Thanks for your help!
    Eric

    Hi Bill,
    Here's what I did in more detail so you can pinpoint what I do wrong (hopefully :-)).
    First I extracted the branding files of Agentry_6.1.3.10212_ClientWin32.exe:
    Agentry_6.1.3.10212_ClientWin32.exe /Branding=D:\Temp\Agentry
    This is the directory and file structure I got out of it.
    The 2 directories are created as you mentioned.
    If I browse to the AgentryClient_Win32 directory I see those files:
    If I browse the Installer directory I see:
    The Include and Plugins directories are as follows:
    I still can't find the AgentryClient.exe.config file???
    Eric

  • Changing the TCP port on async ports in Cisco router

    Hello,
    My goal is to replace old terminal servers in a factory environment.
    These terminal servers act as an aggregation point for terminal equipment (printers and factory automation).
    Software used in this factory writes to these devices using the IP address of the terminal server and a TCP port starting at 10001, where the last digit is the line number.
    The problem is that on Cisco equipment I cannot find a way to change the TCP port to this 1000x. The only option would be to change the software's TCP port to the Cisco default 200x, but this is not the solution I am looking for, because the switchover has to be done while the machines are running, and the time window is too short to make changes in the factory software.
    Is there a way to change the logical TCP port for Cisco router asynchronous lines (HWIC-16A) to 10001-16?
    Marko Tuhkunen 

    So I figured out that I can use the archive tar /create command.
    To copy the entire flash to TFTP:
    archive tar /create tftp://X.X.X.X/flash.tar flash:
    Now I will have to insert the new flash and probably format it first with the correct file system. Then I will have to use the next archive command:
    archive tar /xtract "Here I am unsure of the syntax; I want to copy and extract the tar I backed up from the old flash"
    After these steps are complete, can I just reboot the router with the new flash card? Won't there be any issues? Since the startup config is in NVRAM it will load the config properly, and I haven't seen any boot parameters, but they shouldn't pose any issues since I'm not changing the flash slot.
    Thanks for your assistance
