About BobW

I guess I had an epiphany of sorts and wanted some verification. Traffic between zones used to be a big negative.  With app level filtering, it seems it can be pretty darned safe.  Especially considering the applications I am talking about are published to the untrust zone anyway (activsync and OWA).  Currently the private devices are getting NATed and coming back in to do activesync.  Given appid publishing it seems rather silly to go through all of that AND Yes, you nailed it that I am interested in getting around the captive portal.  If they have activesync, and the IP is not NATed, I should be able to run rules  without captive portal. So I guess your post, at least verified with me that it i not a "bad" idea....given Appid publishing rules and all I am letting is activesync. Thanks for listening. bob ... View more

I have had success with using the Exchange log monitor.  Of course that will only work if you have an internal Exchange server.  This is one reason I will not be taking our students to GMail anytime soon. Bob ... View more

So after digging a bit deeper, this IOS thing has become messier. A new Ipad "activates" by hitting the internet with web browsing, OCSP, facetime, itunes etc.  With captive portal turned on, the unit can not activate as the CP never shows up. After the unit is activated (via a non CP network) and the IOS device is attached to the SSID, it immediately calls home as shown here http://erratasec.blogspot.com/2010/09/apples-secret-wispr-request.html .  That then forces the user to authenticate via CP.  Problem is if the unit is on a network with exchange, the preferred method is to map the ip-user via the Exchange logs which can't happen until it is on the wireless. So it looks like: A non CP zone must be propped up just for activation of the units. A rule must be set to allow the unit to "call home" in order to avoid the captive portal. I have attempted to create a rule to just allow web-browsing to the special URL with no luck.  For some reason, the rule allows web traffic to different URLs as well. I hope the above helps, if anyone has an idea as for a rule to allow all users to get to www.apple.com/library/test/success.html via the following I would appreciate it. GET /library/test/success.html HTTP/1.0 Host: www.apple.com User-Agent: CaptiveNetworkSupport/1.0 wispr Connection: close Bob ... View more

Ability to define and fold up groups of security rules.  The tags are very cool but a way to fold up groups of rules to a single line would be nice. Longer captive portal, ability to put in length of captive portal based on user/group and/or timeout and/or native client etc.  Bottom line is BYOD is here. Free copy of Panorama for small rollouts.  Why?  Word of mouth for larger installations, ability to gain experience with Panorama. Real world examples of implementation, rules etc.  It is a different way of thinking and honestly is difficult to get a grip on it for complex situations. Graphical interface for schedules. Bob ... View more

I have had good luck with CP and firefox although I do not recall if I was using 4.1.7. One issue I did have was our wireless system was disallowing access to the necessary IP address for the redirect.  Not sure if that helps, but something to keep in mind. Bob ... View more

One trick I have used in a similar situation is using Outlook Web Access.  Users can change password from there. Bob ... View more

I too would like to see some more of these included. Examples I have are: Activesync, outlok-web require the manual addition of ssl and web-browsing. A more interesting one is that World of Warcraft requires bittorent, which I obviously am not interested in enabling. Note that I work at a boarding school so I am running into all kinds of obscure (and international) rule combinations. Bob ... View more

I Had a similar issue and turning on the ldap proxy option on the client seemed to fix it for me.  that've since upgraded to 5 and have yet to have an issue. Bob ... View more

I did this so that our Ipads could get from their zone into the trust zone for activesync.  Seems to me that using an external DNS might make it more difficult for more than a couple of servers.  You can probably take the below and substitute in some ranges (i.e. the translated address can be a range).  Of source you will need some security rules as well. Hope this helps. Bob Nat rule: Original packet: source zone-ipad zone dest zone-Untrust dest address-a public IP of PA Translated packet: type:  Dynamic IP and port address type:  Interface address interface:  ethernet1/1 (interface of untrust zone) IP address:  A public facing IP different than the one above translated address:  Internal address of exchange server ... View more