Tuesday, July 01, 2008

MVP status

I got the official word this morning and I have been renewed for another year. To be honest, I was very surprised about this since my original MVP category of Windows Server - Networking was eliminated and I was moved to Identity and Access - Enterprise Security. I haven't changed my focus at all even though I have been put in a new category and felt it hurt my chances of becoming an MVP again. Apparently Microsoft felt differently, which I am grateful for. Looking forward to another year of MVP news and happenings. - Ed

Tuesday, June 24, 2008

Cisco Networkers this week

Even though it technically started on June 22, things don't really start until today if you look at the schedule. I've attended Networkers in the past and it is a good conference but I am going to hold out until next year when it is here in the San Francisco Bay Area.
For those that follow conferences it looks like Microsoft's TechEd will be in Los Angeles next year. Both conferences were in Florida this year which is a real long flight from the Northwest or even California. I guess all the west coast folks get to be lazy next year if they want to attend. - Ed

Thursday, May 29, 2008

Cisco ASA and DAP

OK, for those of you who play with the Cisco ASA product you might have heard of DAP (Dynamic Access Policies). DAP is used to build policy rules on the fly to provide a custom user experience for VPN sessions (SSLVPN and Clientless or webportal VPN in particular) and is something that has been needed for a while to compete with the Juniper Neoteris product. DAP has some issues with configuration and setup that can be a challenge, the primary challenge being the Microsoft AD integration.
It turns out that figuring out the Login DN parameters can be difficult, as can the format for the LDAP attributes. I recommend using LDP to help you figure out the LDAP attributes you can match on and also as a useful tool to walk the LDAP structure of AD. The other missing information is that the testing tool does NOT test against the LDAP authentication server to see if the parameters you are providing actually exist. All it does is TRUST what you are providing as if that was supplied back from the LDAP server and uses that to test your DAP policy. So you can happily test away thinking your DAP policy will work when it will fail because you are using the wrong LDAP attribute to match in the first place! Very frustrating.
Key commands to know:
debug dap trace
debug ldap 255

Also, for some reason the ASDM DAP testing tool puts commands in the ASA that are cumulative and you have to remove them via the command line. So if you do use the DAP testing tool remember to go in and remove the old parameters you gave it. Otherwise you will have a list a mile long and all of them will be getting checked even though you might only have one or two in the ASDM GUI window.
Oh, and make sure you are running 8.0.3.12, which fixes an SSH issue on the platform that is pretty important.
- Ed
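
An added example, not from the original post or from Cisco: because the DAP testing tool trusts whatever attributes you type in, this script compares the attribute/value pairs used in a policy test against the attributes the directory actually returned in a saved `debug ldap 255` capture. The capture line format, the sample lines and the tested values are all constructed assumptions; adjust the pattern to match your own output.

```python
import re

# Constructed sample in the style of LDAP debug output. The exact line
# format is an assumption: adjust ATTR_LINE to match your own capture.
SAMPLE_DEBUG = """\
[12] Retrieved User Attributes:
[12]    sAMAccountName: value = jdoe
[12]    memberOf: value = CN=VPN-Users,OU=Groups,DC=example,DC=com
[12]    memberOf: value = CN=Staff,OU=Groups,DC=example,DC=com
[12]    department: value = Engineering
"""

ATTR_LINE = re.compile(r"^\[\d+\]\s+([A-Za-z][\w;-]*): value = (.*)$")


def parse_returned(debug_text):
    """Map each attribute name the server returned to its list of values."""
    returned = {}
    for line in debug_text.splitlines():
        m = ATTR_LINE.match(line)
        if m:
            returned.setdefault(m.group(1), []).append(m.group(2).strip())
    return returned


def check_tested(tested, returned):
    """Classify each (name, value) pair that was typed into a policy test."""
    lower = {name.lower(): name for name in returned}
    report = {}
    for name, value in tested:
        if name in returned:
            status = "ok" if value in returned[name] else "value-not-returned"
        elif name.lower() in lower:
            # Same attribute, different spelling: report the returned form.
            status = "case-differs:" + lower[name.lower()]
        else:
            status = "attribute-not-returned"
        report[(name, value)] = status
    return report


if __name__ == "__main__":
    tested = [  # hypothetical values someone typed into the test tool
        ("memberOf", "CN=VPN-Users,OU=Groups,DC=example,DC=com"),
        ("memberof", "CN=Staff,OU=Groups,DC=example,DC=com"),
        ("memberOf", "VPN-Admins"),
        ("group", "VPN-Users"),
    ]
    for pair, status in check_tested(tested, parse_returned(SAMPLE_DEBUG)).items():
        print(pair, "->", status)
```

Any pair that does not come back as `ok` is one the test tool would have accepted without the directory ever supplying it.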

Tuesday, May 27, 2008

EUROPEAN IPv6 DAY - 30 May 2008

Well, it seems our European counterparts are starting to take IPv6 seriously. They are planning an advancement meeting in Belgium to get things moving along.
The IPv6 task force website has good information if you are getting started in the IPv6 arena.
I am sure everyone saw that 6 of the 13 root level servers are running IPv6 AAAA records now - you don't even need IPv4 to do name services for IPv6 anymore, you can go completely native IPv6 for everything.
It is moving slowly but it is definitely moving along.
- Ed

Sunday, April 27, 2008

IPv6 - folks seem to be paying more attention?

Well, one of my observations for the Microsoft MVP Summit was that the network team at Microsoft is still very interested in hearing about what is happening with IPv6 and if anyone has done anything with IPv6. I am not sure that Microsoft has a good road map of what needs to happen to make IPv6 a reality in North America but they are paying attention.
Microsoft has several reasons for getting IPv6 out to the consumer space as quickly as possible. IPv6 will allow Microsoft devices to do peer to peer easily and allow them to get back to the model of all hosts being available and accessible which is a desirable thing when you build an OS platform for PCs.
In addition to all this, there appear to be some cool applications in the works that will be IPv6 only that will leverage that peer to peer openness that IPv6 allows. I think the next generation of Groove would be a great starting point myself.
With Server 2008 having the same network stack as Vista and both being IPv6/IPv4 I think there is an opportunity for IPv6 services to leapfrog some of the IPv4 technologies and potentially allow IPv6 to grow more quickly than originally anticipated. Only time will tell.
- Ed