Sunday, May 19, 2013

Windows domain authentication failed!!! (Bluecoat)

  Recently, a client ran into a problem, a really big problem :(
  They have a Bluecoat ProxySG for internet access, and in order to authorize different users they use Windows domain authentication with a Windows Server 2003 domain.
  Everything ran well until... they upgraded Windows Server 2003 to 2008. Then they began to get complaint phone calls from end users, who said they could not browse the internet: when they opened websites they got a message saying "Access Denied".
  There were not that many complaints, only about 100 users, but which users got the problem was random (they have 4,000 end users). Actually, this is a big problem.
  We tried to find the root cause of this problem, and we found the reason in the Bluecoat KB:
  https://kb.bluecoat.com/index?page=content&id=FAQ873&actp=search&viewlocale=en_US&searchid=1368960465967

  Then another problem came up: how to solve it! That is the key point.
  I checked the whole KB site and tried all the methods Bluecoat gives. None of them worked.
  After a lot of testing, and following the Bluecoat SE's advice, I finally found the way that really works.
  These are my commands:

; Requests that arrive after the 2008 DC upgrade without real user credentials:
; the anonymous-logon account (English and French names) and machine accounts
; (names ending in "$"). Deny them with an unauthorized response and log the
; cached login out so the client authenticates again on its next request.
define condition IWA_SILENT_USERS
    user="NT AUTHORITY\anonymous logon"
    user="AUTORITE NT\anonymous logon"
    user.regex='.+\$$'
end condition

<Proxy>
    realm=AD_Authen condition=IWA_SILENT_USERS deny.unauthorized user.login.log_out(yes)

; Non-interactive clients and update/CRL hosts that cannot answer an IWA
; challenge: skip authentication for them instead of letting them fail.
<Proxy>
    condition=userAgentList authenticate(no) allow
    condition=DoNotAuthDomains authenticate(no) allow

define condition userAgentList
    request.header.User-Agent="Microsoft-CryptoAPI"
    request.header.User-Agent="MSUpdate"
    request.header.User-Agent="AVUpdate"
    request.header.User-Agent="iTunes"
    request.header.User-Agent="iphone"
    request.header.User-Agent="ipad"
    request.header.User-Agent="Stocks"
    request.header.User-Agent="CFNetwork"
    request.header.User-Agent="Windows-Media-Player"
    request.header.User-Agent="NSPlayer"
    request.header.User-Agent="flash"
    request.header.User-Agent="Office"
    request.header.User-Agent="webex utiltp"
    request.header.User-Agent="241Extra!"
    request.header.User-Agent="Acrobat Messages Updater"
    request.header.User-Agent="Adobe Log Transport"
    request.header.User-Agent="Adobe Update Manager"
    request.header.User-Agent="Microsoft BITS"
    request.header.User-Agent="Microsoft Data Access Internet Publishing Provider Protocol Discovery"
    request.header.User-Agent="Microsoft-WebDAV"
    request.header.User-Agent="Windows-Update-Agent"
    request.header.User-Agent="ncsi"
    request.header.User-Agent="TMUFE"
end condition

define condition DoNotAuthDomains
    url.domain=msftncsi.com
    url.domain=windowsupdate.com
    url.domain=crl.microsoft.com
    url.domain=mscrl.microsoft.com
    url.domain=verisign.com
    url.domain=watson.microsoft.com
    url.domain=trendmicro.com
    url.domain=update.nai.com
    url.domain=update.symantec.com
    url.domain=acs.pandasoftware.com
    url.domain=secure.pandasoftware.com
end condition

After I added these commands to the local policy file, everything worked...
I think the main commands are the ones in bold; I tried adding the other commands independently, and it didn't work.
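As an added triage example (not code from the original post or from Bluecoat), the following Python re-creates the matching logic of the three conditions above and runs it over a constructed, simplified ProxySG access log in W3C extended format. It shows which requests the policy would deny and log out, which would skip authentication entirely, and which client IPs to expect re-authentication prompts from. Assumptions not stated in the post: the log carries a "#Fields:" header, request.header.User-Agent= is treated as an unanchored, case-sensitive regular-expression match, url.domain= as a suffix match, and user= is compared case-insensitively; the sample log lines and field set are constructed, not a real capture.

```python
"""Triage a ProxySG access log against the IWA_SILENT_USERS / userAgentList /
DoNotAuthDomains conditions. Added example, not from the post or Blue Coat.
Assumptions: W3C log with a #Fields: header; User-Agent patterns are unanchored,
case-sensitive regexes; url.domain is a suffix match; user names compare
case-insensitively."""
import re
from collections import Counter
from urllib.parse import unquote

# IWA_SILENT_USERS: English/French anonymous-logon names plus machine accounts.
SILENT_USERS = {"nt authority\\anonymous logon", "autorite nt\\anonymous logon"}
MACHINE_ACCOUNT = re.compile(r".+\$$")          # same regex as user.regex='.+\$$'

# userAgentList, compiled as regular expressions (assumption about CPL semantics).
UA_PATTERNS = [re.compile(p) for p in (
    "Microsoft-CryptoAPI", "MSUpdate", "AVUpdate", "iTunes", "iphone", "ipad",
    "Stocks", "CFNetwork", "Windows-Media-Player", "NSPlayer", "flash", "Office",
    "webex utiltp", "241Extra!", "Acrobat Messages Updater", "Adobe Log Transport",
    "Adobe Update Manager", "Microsoft BITS",
    "Microsoft Data Access Internet Publishing Provider Protocol Discovery",
    "Microsoft-WebDAV", "Windows-Update-Agent", "ncsi", "TMUFE")]

# DoNotAuthDomains (duplicate entries from the post removed).
DOMAINS = ("msftncsi.com", "windowsupdate.com", "crl.microsoft.com",
           "mscrl.microsoft.com", "verisign.com", "watson.microsoft.com",
           "trendmicro.com", "update.nai.com", "update.symantec.com",
           "acs.pandasoftware.com", "secure.pandasoftware.com")

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')          # quoted field or bare field


def parse_w3c(text):
    """Yield one dict per record, keyed by the names from the #Fields: line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data line before #Fields: header")
            values = [q or bare for q, bare in _TOKEN.findall(line)]
            yield dict(zip(fields, values))


def is_silent_user(username):
    """True for the user names the IWA_SILENT_USERS condition would match."""
    if username in ("", "-"):                  # request was never authenticated
        return False
    name = unquote(username)                   # tolerate percent-encoded spaces
    return name.lower() in SILENT_USERS or MACHINE_ACCOUNT.match(name) is not None


def matches_user_agent(ua):
    return any(p.search(ua) for p in UA_PATTERNS)


def matches_domain(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


def classify(rec):
    """Name the rule of the posted policy that the request would hit."""
    if matches_user_agent(rec.get("cs(User-Agent)", "")) or \
            matches_domain(rec.get("cs-host", "")):
        return "bypass_auth"                   # authenticate(no) allow
    if is_silent_user(rec.get("cs-username", "")):
        return "deny_silent_user"              # deny.unauthorized user.login.log_out(yes)
    return "normal"


def triage(log_text):
    """Count requests per verdict and collect clients that would be logged out."""
    counts, affected = Counter(), set()
    for rec in parse_w3c(log_text):
        verdict = classify(rec)
        counts[verdict] += 1
        if verdict == "deny_silent_user":
            affected.add(rec["c-ip"])
    return counts, sorted(affected)


# Constructed sample, not a real capture; field set trimmed for readability.
SAMPLE_LOG = r"""
#Software: SGOS (constructed sample)
#Fields: date time c-ip cs-username sc-status cs-method cs-host cs-uri-path cs(User-Agent)
2013-05-19 09:00:01 10.1.2.10 "CORP\jsmith" 200 GET www.example.com / "Mozilla/5.0 (Windows NT 6.1; Trident/5.0)"
2013-05-19 09:00:02 10.1.2.11 "NT AUTHORITY\ANONYMOUS LOGON" 403 GET www.example.com / "Mozilla/5.0 (Windows NT 6.1; Trident/5.0)"
2013-05-19 09:00:03 10.1.2.12 "CORP\WKS0042$" 403 GET intranet.example.com /news "Mozilla/5.0 (Windows NT 6.1; Trident/5.0)"
2013-05-19 09:00:04 10.1.2.13 - 200 GET www.msftncsi.com /ncsi.txt "Microsoft NCSI"
2013-05-19 09:00:05 10.1.2.14 - 200 GET crl.microsoft.com /pki/crl/example.crl "Microsoft-CryptoAPI/6.1"
2013-05-19 09:00:06 10.1.2.11 "AUTORITE NT\anonymous logon" 403 GET www.example.org / "Mozilla/5.0 (Windows NT 6.1; Trident/5.0)"
2013-05-19 09:00:07 10.1.2.15 "CORP\mlee" 200 GET download.windowsupdate.com /x.cab "Windows-Update-Agent"
"""

if __name__ == "__main__":
    counts, affected = triage(SAMPLE_LOG)
    print(dict(counts))          # {'normal': 1, 'deny_silent_user': 3, 'bypass_auth': 3}
    print("clients that will be re-prompted:", affected)
```

Run it against a real export of the access log (keeping the #Fields: header) to estimate how many of the "random" Access Denied users are machine accounts or anonymous logons before the policy goes live; the NCSI line in the sample is caught by the domain list even though the lowercase "ncsi" pattern does not match its user agent, which is why the post keeps both conditions.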

Saturday, May 4, 2013

A small problem with LinkProof

  Last night the LinkProof went live with only a very simple forwarding configuration, without any of the more complex settings such as proximity or A-record resolution.
  But a problem appeared: once the LinkProof was live, its internal interface could not communicate with the downstream firewall. It could not be pinged and no communication session could be established, yet the correct MAC address could still be obtained.
  The problem was finally found:
  Because the LinkProof uses a port channel together with VRRP, it was enough to shut down the specified VR and bring it back up; that resolved the problem.
  The cause is not yet known.