Providing internet access to the DMZ

I have a couple of Web servers on the DMZ (30.30.30.0) that must be able to access Web sites. I also have static translations for the Web servers so that outside users can access them. Since I added these static translations for outside users, the Web servers can no longer browse the web. Here are the pertinent lines of my config. Any ideas? (The goal is to keep the static translations but also allow the DMZ machines to browse the web.)

access-list outsidein permit tcp any host 69.x.x.1 eq www
access-list outsidein permit tcp any host 69.x.x.2 eq ftp
access-list fromDMZ permit icmp any any
access-list fromDMZ permit tcp any any eq www
global (outside) 10 interface
nat (inside) 10 10.0.2.0 255.255.255.0 0 0
nat (dmz) 10 30.30.30.0 255.255.255.0 0 0
static (inside,dmz) 10.0.2.0 10.0.2.0 netmask 255.255.255.0 0 0
static (dmz,outside) 69.x.x.1 server1 netmask 255.255.255.255 0 0
static (dmz,outside) 69.x.x.2 server2 netmask 255.255.255.255 0 0
access-group outsidein in interface outside
access-group fromDMZ in interface dmz

HAG,

In addition to opening TCP 53, I think you would also need to add UDP 53 for DNS to work:

access-list fromDMZ permit udp any any eq 53

Chris

Tags: Cisco Security

Similar Questions

  • OAS / providing access to files for the Internet Explorer browser

    Hello

    I would like to provide access to files for the Internet Explorer browser with a URL of the form https://myserver.com:443/photos

    How is this done?

    Thank you
    A.G.

    Here's what you do:

    1. Ensure that your /pictures directory is a subdirectory of the htdocs directory. By default the htdocs directory is $OH/Apache/Apache/htdocs. If you have the default htdocs directory, create your images directory under it and place your files there. Your photos directory will then be $OH/Apache/Apache/htdocs/images

    -Edit $OH/Apache/Apache/conf/httpd.conf to make sure that you have the following directives set:

    AllowOverride All

    AccessFileName .htaccess

    Note that setting AllowOverride to All is a security concern, so you should use it carefully. See below for more details on the AllowOverride directive:
    http://httpd.Apache.org/docs/1.3/mod/core.html#AllowOverride

    -In your /pictures directory, create a file named .htaccess with a single line:

    Options +Indexes

    See below for more details on 'Options':
    http://httpd.Apache.org/docs/1.3/mod/core.HTML#options

    -That's it. Restart your OHS (Oracle HTTP Server) and access the following URL to see the directory listing:
    http://myserver.com:7777/images

    If you want directory listing to happen only via the SSL port (443), you can define the above directives in $OH/Apache/Apache/conf/ssl.conf instead.

    Thank you
    Shail

  • Is access to the DMZ over VPN best practice?

    Hello

    We have a DMZ which hosts guest wireless and also, on the same network, network security cameras. We must be able to access these security cameras remotely (from the office), and one way to do that would be to include the DMZ network in our remote access VPN. I don't know if this is good/best practice, since the same DMZ network also has the guest wireless on it.

    I think that since the security cameras/DVR are something private, they should be moved inside the network instead of being on the DMZ.

    Could you please comment and suggest?

    Thank you.

    Yes! Move the security cameras inside and create another guest LAN; do not use the DMZ for guests!

    The DMZ is for exposing services to the outside.

  • Vpn client access to the DMZ host

    I'm having a problem where my clients who establish a VPN to a PIX 515 cannot access hosts on the DMZ. VPN clients can access hosts on the inside network without any problems. I discovered that when I do a traceroute from a client computer that has established a VPN connection to a host on the DMZ, it tries to go through the computer's default gateway instead of the Cisco client. Any ideas?

    More information:

    When a client connects to the PIX over the VPN, it is given the internal DNS servers, and on the internal DNS server we have a host entry that says "www.whatever.com" 2.2.2.2 (this is the DMZ host). Clients within the network can access this host without problems; it's just the clients who establish a VPN connection. But the VPN clients can access "www.whatever.com" using the public IP address. The problem is that if we remove the host entry from the DNS server so that the name "www.whatever.com" resolves to the public IP address, clients inside will not be able to access the DMZ host. The names and IP numbers are not real, just used as an example.

    Any help would be apperciated. Thank you

    You'll currently have something like this in your config:

    access-list sheep permit ip <inside-network> <mask> <vpn-pool> <mask>

    nat (inside) 0 access-list sheep

    This tells the PIX not to NAT any traffic from the inside interface that is going to a VPN client. You need the same thing but for the DMZ interface, so add the following:

    access-list sheep permit ip <dmz-network> <mask> <vpn-pool> <mask>

    nat (dmz) 0 access-list sheep

    That should get you going.

  • Access to the DMZ from remote sites via S2S VPN

    We have an ASA 5520 and two remote-site ASA 5505s that connect to each other through S2S VPN tunnels. They are doing split tunneling, so only local traffic passes over the tunnel. We have our local LAN (10.0.0.0/16) and our DMZ network (10.3.0.0/24) at the main site. The DMZ hosts our external SharePoint, but we access it internally.

    The problem is that site A (10.1.0.0/24) and site B (10.2.0.0/24) have no knowledge of it, and when they try to go to the site, it fails. They can access it via the external address, but that's the only way. Normally the external address is blocked when you're internal.

    What I'm stuck on is that even when we had all traffic from Site A sent to our main site, it still couldn't find it. Do I need a separate VPN purely to tunnel that traffic to the DMZ?

    Yes. If you do this in ASDM under Edit Site-to-Site Connection Profile, it will look like this.

    Local network: 10.0.0.0/16, 10.3.0.0/24

    Remote network: 10.1.0.0/24

  • To access the servers in the DMZ

    People:

    I have a PIX 515E and I need to access a SQL Server that is inside the network... I don't know if I should enable NAT on the DMZ to be able to 'see' the servers inside...

    I tried a

    > static (dmz,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

    to enable servers on the DMZ to access the inside network without translation... but I can't create a static from a low-security to a high-security interface...

    I wonder if anyone has had the same configuration problem?

    Should I try to enable NAT on the DMZ as well?

    Here is my current setup!

    Thank you very much!

    Luis

    -------------------------------------------

    PIX Version 6.1(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security10
    access-list 100 permit tcp any host 200.200.200.37 eq smtp
    access-list 100 permit tcp any host 200.200.200.37 eq pop3
    access-list 100 permit tcp any host 200.200.200.37 eq domain
    access-list 100 permit udp any host 200.200.200.37 eq domain
    access-list 100 permit tcp any host 200.200.200.35 eq www
    access-list 100 permit tcp any host 200.200.200.35 eq 443
    access-list 100 permit tcp any host 200.200.200.36 eq www
    access-list 100 permit tcp any host 200.200.200.36 eq 443
    access-list 100 permit icmp any any
    access-list 100 permit tcp any host 200.200.200.35 eq ftp
    access-list 100 permit tcp any host 200.200.200.36 eq ftp
    access-list 100 permit tcp any host 200.200.200.36 eq 3389
    access-list 100 permit tcp any host 200.200.200.35 eq 3389
    access-list 100 permit tcp any host 200.200.200.36 eq domain
    access-list 100 permit udp any host 200.200.200.36 eq domain
    access-list 100 permit tcp any host 200.200.200.38 eq www
    access-list 100 permit tcp any host 200.200.200.38 eq 443
    access-list 100 permit tcp any host 200.200.200.38 eq 3389
    access-list 100 permit tcp any host 200.200.200.37 eq www
    access-list 100 permit tcp any host 200.200.200.38 eq 1547
    access-list 100 permit tcp any host 200.200.200.39 eq 3389
    access-list 100 permit tcp any host 200.200.200.39 eq ftp
    access-list 100 permit tcp any host 200.200.200.39 eq 1433
    ip address outside 200.200.200.34 255.255.255.224
    ip address inside 192.168.1.1 255.255.255.0
    ip address dmz 192.168.2.1 255.255.255.0
    global (outside) 1 200.200.200.45-200.200.200.61 netmask 255.255.255.224
    global (outside) 1 200.200.200.62 netmask 255.255.255.224
    nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    alias (inside) 192.168.1.2 200.200.200.38 255.255.255.255
    alias (inside) 200.200.200.36 192.168.2.11 255.255.255.255
    alias (inside) 200.200.200.35 192.168.2.10 255.255.255.255
    alias (inside) 200.200.200.37 192.168.2.12 255.255.255.255
    static (dmz,outside) 200.200.200.36 192.168.2.11 netmask 255.255.255.255 0 0
    static (dmz,outside) 200.200.200.35 192.168.2.10 netmask 255.255.255.255 0 0
    static (inside,outside) 200.200.200.38 192.168.1.2 netmask 255.255.255.255 0 0
    static (inside,outside) 200.200.200.39 192.168.1.186 netmask 255.255.255.255 0 0
    static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
    static (dmz,outside) 200.200.200.37 192.168.2.12 netmask 255.255.255.255 0 0
    access-group 100 in interface outside
    route outside 0.0.0.0 0.0.0.0 200.200.200.33 1

    Did you apply an access list to allow traffic from the DMZ to the inside interface?

    Also, try to be specific about the server you are trying to provide access to:

    static (inside,dmz) xx.xx.xx.xx xx.xx.xx.xx netmask 255.255.255.255 (where both xx.xx.xx.xx are the address of your SQL Server)

    Then add the following access list:

    access-list 101 permit tcp any host xx.xx.xx.xx eq 1433 (again, xx.xx.xx.xx is the SQL Server)

    access-group 101 in interface dmz

    (For testing you can initially make the access list permit all traffic instead of just SQL, then tighten it up once you are sure the static command works.)

    Hope that helps. Allowing traffic from a lower-security interface to a higher-security interface is done with static and ACL (or conduit) commands, so you seem to be on the right track.

    ~ rls
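    The two rules that the first post (DMZ hosts browsing out) and the answer above (DMZ reaching an inside SQL Server) turn on can be checked mechanically. The script below is an added example, not code from the thread or from Cisco: it parses the PIX 6.x command forms used in this thread (nameif, global, nat, static, access-list permit, access-group) and reports what is missing for a given flow. The sample config is constructed after the first post using documentation addresses (203.0.113.x, 198.51.100.x); the inside SQL Server at 10.0.2.5 is hypothetical.

```python
# Added example, not code from the thread or from Cisco: a checker for the two
# PIX 6.x rules these posts turn on. It understands only command forms seen here.
import ipaddress

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53, "ftp": 21}

def _take_addr(toks):  # consume "any" | "host A" | "A MASK", return a network
    head = toks.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(toks.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{toks.pop(0)}", strict=False)

class PixConfig:
    def __init__(self, text):
        self.security, self.nat, self.globals = {}, {}, {}  # keyed by interface
        self.statics = []  # (real_iface, mapped_iface, mapped_network)
        self.acls = {}     # acl name -> [(proto, dst_network, dst_port or None)]
        self.groups = {}   # interface -> acl name applied inbound on it
        for line in text.splitlines():
            toks = line.strip().lower().split()
            if len(toks) > 1:
                self._parse(toks)

    def _parse(self, toks):
        cmd, arg = toks[0], toks[1].strip("()")  # "(inside,dmz)" -> "inside,dmz"
        if cmd == "nameif":          # nameif ethernet2 dmz security50
            self.security[toks[2]] = int(toks[3][len("security"):])
        elif cmd == "global":        # global (outside) 10 interface
            self.globals.setdefault(arg, set()).add(int(toks[2]))
        elif cmd == "nat":           # nat (dmz) 10 30.30.30.0 255.255.255.0 0 0
            self.nat.setdefault(arg, set()).add(int(toks[2]))
        elif cmd == "static":        # static (real,mapped) MAPPED REAL netmask M 0 0
            real, mapped = arg.split(",")
            net = ipaddress.ip_network(f"{toks[2]}/{toks[5]}", strict=False)
            self.statics.append((real, mapped, net))
        elif cmd == "access-list" and toks[2] == "permit":
            rest = toks[3:]
            proto = rest.pop(0)
            _take_addr(rest)         # source address: not needed for these checks
            dst = _take_addr(rest)
            port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
            self.acls.setdefault(arg, []).append((proto, dst, port))
        elif cmd == "access-group":  # access-group fromDMZ in interface dmz
            self.groups[toks[4]] = arg

    def acl_permits(self, iface, proto, dst_ip, port):  # None if no ACL is bound
        name = self.groups.get(iface)
        if name is None:
            return None
        ip = ipaddress.ip_address(dst_ip)
        return any(p in (proto, "ip") and ip in net and dport in (None, port)
                   for p, net, dport in self.acls.get(name, []))

def check_lower_to_higher(cfg, src, dst, dst_ip, proto, port):
    """Needs a static whose mapped net covers dst_ip AND a permit in src's ACL."""
    problems = []
    if cfg.security[src] >= cfg.security[dst]:
        problems.append(f"{src} is not lower security than {dst}")
    ip = ipaddress.ip_address(dst_ip)
    if not any(r == dst and m == src and ip in net for r, m, net in cfg.statics):
        problems.append(f"no static ({dst},{src}) covers {dst_ip}")
    if not cfg.acl_permits(src, proto, dst_ip, port):   # no ACL bound => denied
        problems.append(f"ACL on {src} does not permit {proto}/{port} to {dst_ip}")
    return problems  # empty list means the flow is allowed

def check_outbound(cfg, src, dst, dst_ip, proto, port):
    """Needs a nat/global pair sharing an id; an ACL bound to src must also permit."""
    problems = []
    if cfg.security[src] <= cfg.security[dst]:
        problems.append(f"{src} is not higher security than {dst}")
    if not cfg.nat.get(src, set()) & cfg.globals.get(dst, set()):
        problems.append(f"no nat ({src}) id matches a global ({dst}) id")
    if cfg.acl_permits(src, proto, dst_ip, port) is False:  # no ACL bound => allowed
        problems.append(f"ACL on {src} does not permit {proto}/{port} to {dst_ip}")
    return problems

# Constructed config modelled on the first post; 203.0.113.x and 198.51.100.x are
# documentation addresses and 10.0.2.5 is a hypothetical inside SQL Server.
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list outsidein permit tcp any host 203.0.113.1 eq www
access-list fromDMZ permit icmp any any
access-list fromDMZ permit tcp any any eq www
global (outside) 10 interface
nat (dmz) 10 30.30.30.0 255.255.255.0 0 0
static (inside,dmz) 10.0.2.0 10.0.2.0 netmask 255.255.255.0 0 0
static (dmz,outside) 203.0.113.1 30.30.30.11 netmask 255.255.255.255 0 0
access-group outsidein in interface outside
access-group fromDMZ in interface dmz
"""
FIX_LINES = """
access-list fromDMZ permit udp any any eq domain
access-list fromDMZ permit tcp any host 10.0.2.5 eq 1433
"""
```

    Running `check_outbound(PixConfig(SAMPLE_CONFIG), "dmz", "outside", "198.51.100.10", "udp", 53)` reports the missing UDP/53 permit from the first thread, and `check_lower_to_higher(..., "dmz", "inside", "10.0.2.5", "tcp", 1433)` reports the missing permit even though the static (inside,dmz) already covers the server; parsing `SAMPLE_CONFIG + FIX_LINES` clears both. One caveat the checker makes visible: because the static (inside,dmz) exposes the whole 10.0.2.0/24 to the DMZ, `permit tcp any any eq www` on the DMZ interface also allows DMZ hosts to reach any inside web server, so scoping the destination (or placing a deny for the inside range first) is the tighter form.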

  • Does the Tecra M11 have a hatch for access to the hard drive?

    Can someone tell me if the Tecra M11 is equipped with a hatch to provide access to the hard drive?

    Previous Tecras have such a hatch, but I can't tell from the photos on the website or from the M11 manual whether this still applies. I need to know before ordering.

    Thanks in advance for any help.

    Hello

    I don't know exactly what you mean by a hatch giving access to the hard drive, but on this notebook the HDD is placed at the bottom of the unit.
    You can easily remove the cover that secures the HDD bay to get access to the internal HDD.

    Regards

  • Remote clients are denied access to the portal...

    We're having sporadic problems with remote clients being denied access to our portal; they do not even get a login prompt.  We use an SRA 4600 with SonicOS SSL-VPN 8.0.0.3-23sv but have seen it on 8.0.0.1 as well.

    Log entry:

    WAF threat prevented: SQL Injection attack 1
    More details

    Matched entry: _ga=ga1.2.676072112.1440205737; _dc_gtm_ua-21325736-1=1
    Threat: SQL Injection attack 1
    Threat ID: 9005
    Description: SQL Injection is an attack technique used to exploit websites that construct SQL statements from user-supplied input
    URI: remote.ncmic.com:443/
    Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko

    The 'matched entry' field is not indicative of the input that is triggering the signature. There must be something else we need to investigate. Can you please open a ticket and provide us access to the portal so we can try to reproduce it?

  • Is it possible to put a SQL server on the DMZ

    Hi all

    I would like to ask about a PIX deployment. Is it possible to put a SQL Server on the DMZ (or on one of the 5 interfaces other than the inside interface) and simply define a NAT to allow inside users access to the DMZ, without allowing outside users access to the SQL Server? We intend to put a SQL Server on a DMZ so that unauthorized internal users will not be able to know the actual address of the SQL Server.

    Are there problems which should be considered on this deployment?

    Thanks in advance,

    udimpas

    Hi Udimpas,

    Yes, your scenario is possible. You can put the SQL Server on the DMZ network and allow access to inside users; at the same time, you can also block access from the outside.

    Let's say your SQL Server IP address is 192.168.1.10 and your inside LAN is 10.1.1.0/24. You can do the following:

    nat (inside) 0 access-list sheep

    access-list sheep permit ip 10.1.1.0 255.255.255.0 host 192.168.1.10

    By doing this, you are not NATing any traffic from your inside network to the SQL Server. In case you have defined access lists on your inside interface, you must open port 1433:

    access-list inside permit tcp 10.1.1.0 255.255.255.0 host 192.168.1.10 eq 1433

    You need not add the ACL above if you have no restrictions from the inside at present.

    I hope this helps... all the best...

    REDA

  • quick question on the DMZ and networking

    Need help please, I am a newbie to VMs and need quick help...

    I have a firewall configured and one ESXi 5.5 server, set up for testing at home only...

    My firewall has 2 ports for the internal network and one connected to my ISP

    I have the internal ports

    Port 1 is LAN, local IP scheme with a DHCP server running on the firewall

    Port 2 is DMZ; I have 4 static IPs to use for remote mail and web servers

    On the ESX server I have 2 NICs, 1 plugged into the firewall's DMZ port and 1 into the LAN port

    What is the best way to separate these 2 and make them work?

    For example, internal VMs have no access to the DMZ and will have no LAN NIC added to the virtual machine

    But the web servers and mail server should have both NICs connected, and each NIC gets the appropriate IP address based on which network card and network it uses

    Can I use 1 vSwitch and 1 VM network? Or 1 vSwitch and create 2 networks? How do I configure the NICs and VM networks to communicate properly?

    Since you have two separate networks, an internal one and a DMZ, you will need two vSwitches, each with one network card. The first will be your internal network and management; the other for the DMZ.

    Then you will need to create the appropriate port groups.

  • ADF Mobile: Access to the authentication context

    Hello

    My app uses basic authentication against a remote WLS (the JSESSIONID cookie is used to store the token).

    From a Java bean, I would like to read the name of the authenticated user and store it in the local database. Which methods or classes provide access to the authentication context?

    JDeveloper 11.1.2.4 does not allow me to import something like oracle.idm.mobile. *.

    Thank you very much

    Daniel

    It should be available as: #{securityContext.userName}

    Try to watch this value once the user is connected and see if it is correctly set.

    Rich.

  • I just changed my internet provider and can connect with two of our cell phones, but the third says no identified network/no access to the internet.

    I just changed my internet provider and can connect with two of our cell phones, but the third says no identified network/no access to the internet.  I tried all of the obvious solutions.  Windows 7

    Original title: unidentified network

    Hello

    Thanks for choosing Windows and thank you for giving us an opportunity to help you.

    According to the description, you are having problems with the unidentified network error message.

    Perform the steps from the link below and see if it helps.

    http://answers.Microsoft.com/en-us/Windows/Forum/Windows_7-networking/network-connection-shows-that-it-is-connected-but/52e60042-2666-4EAF-80be-193b26db10be

    Reply to us if you are still having problems with the unidentified network or any other Windows issue, and we would be happy to help you.

    Good day!

    Hope this information helps.

  • Links are wrong when accessing Beehive via the DMZ bcentral instance

    If I access bcentral through the DMZ server, the links for Webmail, TeamCollab, Conferencing and bcentral itself are wrong.
    My DMZ instance is called beedmz.mydomain.com,
    my Beehive instance is called beehive.intra.mydomain.com.

    The links displayed in bcentral are always http://beehive.intra.mydomain.com/..., no matter whether I access Beehive through the DMZ or locally.
    Of course, if I access Beehive through the DMZ I can fix the URL manually (and it will work then), but it's a bit uncomfortable.

    Any ideas what could be the problem?

    Thank you
    Jochen

    Hello

    merlin2 wrote:
    "There is only 1 virtual name in your instance..." Does that mean we can have no more than 1 virtual name for a Beehive App Instance?

    That's true - in fact, there is a single virtualname for all Beehive app and DMZ instances.

    I configured two different names:
    - My internal Beehive App Instance is called beehive.intra.mydomain.com. This name is resolved internally by our internal DNS. This instance is configured without https and internal users work with this instance without problem.
    - My external Beehive DMZ Instance is called beedmz.mydomain.com. This name is an official Internet name and is resolved through the public Internet DNS servers. It is not resolved by our internal DNS (why should it be, it is only for external access).

    Internal users cannot connect to the DMZ Instance through the firewall. External users can connect to the DMZ instance, the relevant ports are open, everything works perfectly (Zimbra, TeamCollab, o, OBEO, ...).
    But I have to change the profile settings for external users for o and OBEO, from http to https and from beehive.intra.mydomain.com to beedmz.mydomain.com.

    Yes, as far as I've heard so far (I could only collect small pieces of information over the last few days; I have not found clear documentation on how to configure the DMZ where this simple real-world scenario is described) I would need a second VIRTUAL SERVER entry in the configuration.
    But, if I understand you right, that is not possible.

    That's true. All users must use the same name for the Beehive servers, regardless of whether they come from the internet or the intranet. Otherwise, links sent in notifications etc. would be impossible to handle (as Beehive does not know where the link will be received).

    What would be the correct way to configure this?
    My guess:
    The Beehive App Instance and the Beehive DMZ Instance must have the same DNS name.
    I need to make an entry in our internal DNS server that, for internal users, resolves beedmz.mydomain.com to the IP address of beehive.intra.mydomain.com.
    I have to configure the VIRTUAL SERVER with the name beedmz.mydomain.com.
    Then internal and external users will access the same name, but with different IP addresses behind it.
    Am I right so far?

    That's exactly right. It is sometimes called "split DNS": you have one DNS server for internet clients (where beehive.yourdomain.com resolves to the DMZ host) and another DNS server for intranet clients (where beehive.yourdomain.com resolves to the hosts on the intranet).
    Alternatively, you could route your intranet clients via a VLAN through the servers in the DMZ, so that not only the virtualhostname is the same but the actual path and servers used by all clients are the same. That's a networking choice for you.

    A few questions:
    How should I set HttpSslEnabled in the VIRTUAL SERVER configuration? true or false?

    That controls whether you want your users to use HTTPS or not for all their work on the web. What it actually does is make all URLs generated by Beehive for clients start with https://.
    Of course, you will need to follow the installation guide and make sure that you have the certificates etc. for your virtualhostname.

    If I set it to true then Beekeeper won't work any more in this instance (I found an entry on Metalink saying this will be fixed in 2.1).

    No, that's not right. The issue you're probably thinking of refers to enabling SSL for ONS, which is an internal protocol used within Beehive between servers (not for the Beehive web browsers).

    And by default every internal client will complain about the self-signed certificate, so I would have to change each o/OBEO and Conferencing client to use HTTP, not https.

    Right - you need a real certificate. The self-signed one that comes out of the box is just to facilitate the actual SSL configuration; you need a real SSL certificate from your favorite SSL cert provider (such as Verisign etc.).

    But if I set it to false then the configuration for external access to o/OBEO and Conferencing defaults to http, not https.
    I could change that of course, but what I can't change are the settings for my Windows Mobile client (another of my questions in this forum). So, it won't work.

    And therefore, if I want to add an additional Beehive DMZ Instance (which must have another official DNS entry), do I need to set up an additional Beehive App Instance for it?

    If you add another Beehive DMZ instance, then you will need a load-balancing router. Your DNS server will point beehive.yourdomain.com to the load balancer IP address, your virtual server hostname is set to this value (NOT to the physical host name of one of the DMZ or intranet instances) and your certificate will, of course, correspond to beehive.yourdomain.com.
    You can choose to terminate SSL at the load balancer or at the DMZ Beehive instances - but that is more detail than I'll go into here right now.

    Kind regards
    Richard

  • How can I allow one of my children to use local applications, while temporarily blocking his access to the Internet and while allowing children to continue to access the Internet?

    I have three children who have separate user accounts on our two computers. Both computers run Windows 7 Home Premium edition. We use Windows Live Family Safety on each computer for our parental controls, to define when and what each child can access. We use the time limits feature to block each child from signing on to the computers except when we allow it. (It would be nice if we could block one computer and allow them to use the other.)

    However, I can't find a way to allow a child to use the computer for local activities (for example, Microsoft Word) while blocking his access to the Internet. I also want to allow his brothers to continue to use the Internet during this time.

    Any help would be appreciated. Thank you.

    Hello

    Windows Parental Controls have no option to directly block internet access for a Windows user account, because the system needs to provide activity reports. To work around this, you can block all internet browsers available to that user account so that the child has no way to access the internet. App restrictions control which installed programs on the computer the child can access.  Here are the detailed steps to block certain apps:

    1. On any computer, log on to the parent account at http://fss.live.com

    2. Click Edit settings under the name of the child whose settings you want to change, and then click App restrictions.

    3. Check the circle next to Turn on app restrictions.

    4. Check all programs related to internet access, or type the application name in the Search apps box.

    5. Check the box next to the application or program once it appears in the list.

    6. Click Save.

    These settings apply only to that specific user account. If you have any other questions, please let us know.

    Thank you!

  • access to the Internet

    I want to be able to lock internet access to prevent its use when I'm not home.

    Hi Lesleyhodges,

    You will not be able to completely block access to the internet other than by unplugging the internet connection.

    You can use the Parental Controls option to limit access. The links below provide detailed information that you can apply.

    http://www.Microsoft.com/Windows/Windows-Vista/features/parental-controls.aspx

    http://Windows.Microsoft.com/en-us/Windows-Vista/kids-online-A-parents-guide-to-monitoring-computer-use

    I hope this helps.

    Bindu S - Microsoft Support
    Visit our Microsoft answers feedback Forum and let us know what you think
