This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About BobW

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Content translations are temporarily unavailable due to site maintenance. We apologize for any inconvenience. Visit our blog to learn more.

BobW
‎09-22-2015
since ‎03-31-2012
L4 Transporter
User Activity
User Profile
Latest posts by BobW
View All
My Liked Posts
View All
User Badges
Community Statistics
Member Since ‎03-31-2012 09:15 AM
Date Last Visited ‎09-22-2015 09:53 AM
Posts 111
Total Likes Received 27

Re: Best practice for OWA and OMA

by in General Topics
‎02-21-2013 10:15 PM
1 Kudo
‎02-21-2013 10:15 PM
1 Kudo
With ISA you could establish the SSL connection with the firewall and have the firewall attach to the Exchange server for the client.  I don't think an SSL cert on the PA is useful for publishing OWA/activeyns as the clients will be passed on directly to the Exchange server. Bob PS please correct me if I am wrong. ... View more

Re: Captive Portal on connecting to SSID rather than via Browser for Apple devices - is it possible?

by in General Topics
‎02-12-2013 01:12 PM
‎02-12-2013 01:12 PM
A lot of wireless units can have a redirect on connect to SSID which you should be able to point towards the CP on the PA-500.  But, when the timeout happens on the PA-500, the unit will still be on the wireless, which means they will be blocked until the authenticate again by going to a webpage. From the info I have gathered, the "success" page by Apple is mean to do exactly what you want:  Hit a page via http and prompt for captive portal if you can't get out. Does that help? Bob ... View more

Re: DNS Proxy

by in General Topics
‎02-06-2013 08:12 AM
‎02-06-2013 08:12 AM
I second this request. Thanks, Bob ... View more

Re: PA2020 High CPU utilization "useridd" 100% management plane

by in General Topics
‎02-05-2013 07:19 PM
1 Kudo
‎02-05-2013 07:19 PM
1 Kudo
I have a case open on this as well.  PA is aware of it and is actively coding a fix.  The timeline is unknown at this point, "will definitely be in 5.0.3" but and could be "weeks away".  According to the folks I spoke with it is a serious enough issue there may be some sort of hotfix issued, but he could not state that for sure. It has been causing quite a bit of issues on or PA500:  Captive portal timeouts, problems with UserID mappings etc. Given the lack of a timeline I rolled back to 5.0.1 which fixed it immediately. Hope that helps, Bob ... View more

Re: Rule to allow Client based email

by in General Topics
‎01-24-2013 12:43 PM
‎01-24-2013 12:43 PM
Just to add to this... some app-ids have a dependency on allowing SMTP from the clients.  How are people handling this? Thanks Bob ... View more

Re: Allowing some protocols from any user/port?

by in General Topics
‎01-22-2013 04:59 PM
‎01-22-2013 04:59 PM
The facetime problem is a bit tricky as I believe it has something to do with traffic going out pre captive portal. Thank you for your reply.  I have enabled the dependencies.  I have a rule at the bottom of my ruleset which blocks all protocols that get that far.  For STUN in particular I am seeing a lot of traffic to ports other than the default of 3478 which are being blocked by my bottom most rule.  So this goes back to part of the question.  Would it be beneficial (or detrimental) to have a rule that allows STUN to go out on any port or just stick with the default of 3478?  Right now I have a rule that lets STUN out for "application default" only, thus udp 3478. Thanks, Bob ... View more

Allowing some protocols from any user/port?

by in General Topics
‎01-22-2013 09:20 AM
‎01-22-2013 09:20 AM
I am curious what others are doing for some protocols:  Examples:  DNS, ocsp, STUN, meraki, apple push notification, etc.  It seems to me that these sorts of things could be let go for pretty much all users, anytime and be excluded from the captive portal.  Correct? I have a couple fo reasons for this question: 1.  I am having issues with Facetime which I believe is occurring because device is trying to talk to the apple servers before the user has yet to authenticate to the captive portal. 2.  STUN is trying to get out on some ports which are "nonstandard".  It seems that I could let STUN go on any port. Thoughts? Bob ... View more
Labels:

Re: Activeync, iislogs and user-id

by in Automation/API Discussions
‎01-15-2013 03:24 PM
‎01-15-2013 03:24 PM
All are on a single Exchange server.  I did inherit this server and it is a sketchy build (at best).  I will look for some more places that the previous admin may have disabled some logging.  I do know they did all kinds of strange things on this network. Thanks again and any further suggestions would be appreciated. Bob ... View more

Re: Activeync, iislogs and user-id

by in Automation/API Discussions
‎01-15-2013 02:45 PM
‎01-15-2013 02:45 PM
I am not seeing any events 4624 on Exchange.  I have enabled auditing via GPO for a number of items on the server and still nothing.  I am seeing some 4624s on the DCs, but no reference to the Ipad IP addresses. Thanks bob ... View more

Re: Activeync, iislogs and user-id

by in Automation/API Discussions
‎01-15-2013 02:15 PM
‎01-15-2013 02:15 PM
Thank you for your help.  However, I am not seeing any events on my DCs, or exchange server, that contain an the IP address of one of the ipads. Please note that I am currently on Exchange 2007, not sure if that matters. Thanks, Bob ... View more

App-id not working on some Apps

by in General Topics
‎01-15-2013 08:24 AM
‎01-15-2013 08:24 AM
I am seeing a number of applications which have definitions, but are not being identified correctly:  kaokatalk, league of legends, battle.net and guild wars to name a few.  these are showing the correct ports but showing as "unkown-tcp".  Is there some way to update these, reset the definitions, etc.? All of my App-ids are up to date. Thanks Bob ... View more
Labels:

Applications not being identified correctly

by in General Topics
‎01-13-2013 05:13 PM
‎01-13-2013 05:13 PM
I am running into a  number of situations where the applications are not being identified correctly and thus not working.  I can see that the applications is using the correct port, but the PA shows it is "web browsing", unknown, etc.  Examples: KaKaoTalk (ports 80 and 443) which is enabled, does not work Guild Wars (6112, 6600 and 80) 6112 shows up as unknown-tcp, 6600 Battle.net (80 and 1119) port 1119 shows up as uknown-tcp and "web browsing". Any suggestions on why?  How can I got about fixing them?  etc. Thanks Bob ... View more
Labels:

Re: Activesync and User-id

by in General Topics
‎12-30-2012 02:24 PM
‎12-30-2012 02:24 PM
John, Thanks for your help.  Just an FYI that I also have a case open on this problem.  Also not that I am currently on Exchange 2007, it might be that newer versions of exchange act differently. As best I can tell, the only time activesync shows an event in any event log is during the setup process.  Which is fine, but the ip-user info never gets updated and the timer keeps ticking.  However, the activesync keep alive process leaves a constant flow of information in the IIS Logs and it appears that the User-ID agent does not query those logs. I would like to suggest that someone at PA might want to take a look at this, what with the influx of non-domain devices flooding IT depts! My guess is someone at PA could hammer out a script for scraping the IIS logs and passing the info via the API in about 2 minutes! Any help would be appreciated, Bob ... View more

Activeync, iislogs and user-id

by in Automation/API Discussions
‎12-30-2012 02:06 PM
‎12-30-2012 02:06 PM
I have been battling a problem for quite sometime.  I think the end result is I somehow need to dig through the IISLogs for activesync information and pass it to the PA via their API.  Unfortunately I have no clue how to get started on this. Story is as follows: Typical AD environment.  Ipads and other non domain devices are coming inside our network.  Since the PA can monitor the internal exchange server logs and determine User-IDs, I figured this was the perfect solution to be able to use the PA rules by User-ID, regardless of the device.  If all else fails it falls back to the captive portal. It ends up that the only time the authentication of an "activesync" client is logged to the windows event logs is during the setup process....why, I am not sure.  But I can see the activesync activity in the IIS logs but NOT in the windows event logs. End result is the Ipad IP-user mapping expires and falls back to the captive portal.  While the captive portal does work, the timeout for the user is limited to 1440 minutes and is not terribly convenient for my many types of users (young students to teachers and everything between), especially since they are already authenticating for email! Anyway, any thoughts would be appreciated, Bob ... View more

Re: Activesync and User-id

by in General Topics
‎12-28-2012 10:26 AM
‎12-28-2012 10:26 AM
Thank you for your reply.  I do see an initial event log she the activesync account is setup on my iPads, but once the account is active, I see no additional events.  Can you verify that you see additional events  after the initial setup? i did inherit the exchange server in question and it is a mess., so it may be something i inherited. thanks for your time, bob ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎09-22-2015 09:53 AM
Latest Tags
No tags yet
Likes Given To
Likes From
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks