Management Articles

Featured Article
AD Group Policy Overview

Active Directory Group Policy allows you to manage your network from on high, governing how your users and computers operate within your AD environment. Policy settings can be created to target the logged-in user or the computer, and a variety of settings can be configured, including software installation.

To apply policy settings to users and computers in your AD environment, you must first configure a Group Policy Object (GPO), which resides in a special folder called “Group Policy Objects” within the AD domain. A GPO is a named collection of configured policy settings.

The policy settings in the GPO aren’t enforced until the GPO is linked to an AD site, domain or organizational unit (OU). Once the GPO is associated with one of these, the policy settings take effect for the users and computers defined within that container. If the GPO is linked at the domain level, the policy settings apply to the workstations and servers within the domain. If it is linked instead to the Marketing OU, for example, the settings apply only to computers inside that OU.

GPOs can be linked in multiple places, such as two different OUs, and a site, domain or OU can have multiple GPOs linked to it.

Group Policy works from the “outside in”, first processing any local policies, then applying the site, domain and subsequent OU GPOs and working its way toward the object’s position in the AD tree. If any policy settings conflict along the way, the last setting applied takes precedence. Policy settings applied at user logon are processed the same way, following the path to the user object’s resting place in the AD tree. AD will override policies set on the individual computer.

Group Policy is a “pull” technology. When a Windows client system starts up and is connected to the network, it pulls the policy and then polls the domain for GPO changes every 90 to 120 minutes by default. There are intervals for computer and user policy, and both have a default offset of up to 30 minutes.

GlobalProtect and GPO

The GlobalProtect client can be installed as either a computer or user policy. Use the Computer Policy to ensure that it is installed on specific systems regardless of the user. Use the User Policy to ensure that specific users receive the client on all systems that they use.

Create and Link the GPO

You can use the Group Policy Management MMC (Microsoft Management Console) to create and link the GPO.

Server 2003:
Path: Active Directory Users and Computers > your domain > Properties > Group Policy

Server 2008:
Path: Administrative Tools > Group Policy Management > Forest > Domain > your domain > Group Policy Objects

The GPO begins with no settings.

Edit the GPO and create a package

Path: Computer Configuration > Policies > Software Settings > Software Installation

Assigning the MSI: Make sure the GlobalProtect client .msi file is in a location reachable on your network by Windows client computers. Clients will download the file from the location selected here. Assigned applications will be installed. Published applications will be available to the user through the Add/Remove Programs interface.

owner: panagent
nrice ‎12-26-2015 10:44 AM
Overview

PBF is generally used when there are 2 ISPs or if there are 2 routes for traffic to get to the next hop. PBF takes precedence over the routing table. If PBF fails, the routing table is used to route traffic.

Issue

Traffic stops working if there is a PBF policy in place and if there is a static route added that points to a redundant route. Traffic also stops working if there is a zone protection profile configured with "spoofed IP address" enabled.

Traffic is dropped due to zone protection.

    (active)> show counter global filter packet-filter yes delta yes
    flow_dos_pf_ipspoof                        2        0 drop      flow      dos       Packets dropped: Zone protection option 'discard-ip-spoof

Cause

IP spoof protection uses the routing table to verify that traffic from a given source IP is arriving on the correct interface. With PBF enabled, traffic will be on a different interface. If the routing table points to a different interface, the device thinks the packet has been spoofed and discards the packet.

Resolution

Disable IP spoof protection (the "spoofed IP address" option in zone protection).

owner: ashaikh
ashaikh ‎09-08-2015 03:04 AM