Re: CAE with/with out SSL.

["Roger Vicker, CCP" <rvicker@xxxxxxxxxx>]

Mark,

I've put off the SSL till after this weekend as they are going to V5R1M0 then.

I will let you know how it goes when get back to it.

Roger Vicker, CCP

Mark Villa wrote:

> ~~~Hello,
> ~~~
> ~~~I am getting ready to open the SSL ports of a firewall and issue
> ~~~certificates for remote CAE users. What I want to make sure
> ~~~of is that
> ~~~the users inside the firewall can continue without SSL while those
> ~~~outside must use SSL because those are the only ports open on the
> ~~~firewall. Correct?
>
> Roger,
>
> We could not get that to work without timeouts using a particular nat
> configuration. We had a 192.168 and a 10.10 network that was trusted. We
> needed explicit opening of non-SSL ports (at least for telnet). We do not
> think it had anything to do with our lack of port ID knowledge of intended
> use within CAE or the signon server. It was something to do with a Cisco
> setting or the way Cisco handled nat'ting, we think.
>
> We added an iSeries filter using ops Navigator to the iSeries IP card to do
> exactly what you said above. Actually I like this better because it becomes
> integrated with the asset we are protecting in our case. We agreed that
> double protection would have been better.
>
> In the meanwhile we learned a lot about PTF's for this area, depending on
> release.
>
> Fortunately, the iSeries filter works in sequential order, so you are able
> to come up with some flexible rules. Based on this, I could make it work
> anywhere no matter what the case given enough time.
>
> Would be very interested in response here to your final method of choice and
> why.
>
> Mark Villa in Charleston SC
>
> _______________________________________________

--
*** Vicker Programming and Service *** Have bits will byte *** www.vicker.com
***
EXPERT: called in at the last minute to share the blame.