Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
307
Views
0
Helpful
3
Replies

CiscoPCA Question

pjt8537
Level 1
Level 1

‎10-19-2004 07:44 AM - edited ‎03-18-2019 03:42 PM

When some users try to access PCA, they get a IIS 4.04 error. Adding the server to be a trusted site on the users computer seems to solve the issue. Why do the clients need this setting to allow access to PCA. We do not use SSL. Any help you can provide would be greatly appreciated. Our Security Dept. is curious.

Thanks again,

Paul

Labels:
0 Helpful
3 Replies 3

path
Level 1
Level 1

‎10-19-2004 09:20 AM

To my knowledge Cisco PCA does not have such a requirement.

The source of the issue can be any of the following and possibly more:

1- IIS setting enforces NTLM over the /jakarta virtual folder.

2- Some policy is handed down from AD that enforce such a requirement on un-secured (non-SSL) web access.

3- IIS lock down tools where used?

4- Client system policy does not allow connect to un-trusted sites/domains.

5- Client third party security application (key logger, monitors, ...) does more of the same.

6- In house network settings on clients.

And so on ...

If you can give some details on the Unity version and the OS mix (server and client) where the issue is popping up for our labs?

0 Helpful

pjt8537
Level 1
Level 1
In response to path

‎10-19-2004 01:16 PM

OK, it turned out to be just some select Administrators of other systems with wierd settings that this was occuring on. On more question. When PCA validates the login to the Unity server it is sending the credentials in clear text. Isn't this supposed to be encrypted? If not, is there a way to accomplish this other than SSL?

Thanks,

Paul

0 Helpful

path
Level 1
Level 1
In response to pjt8537

‎10-19-2004 04:03 PM

There are 2 links where an intercept can occur.

PC+Browser --- http --- CPCA Server ---- http ---- AvXML.2

The first one should be secured as the credential will be sent from the browser to the server over the network, currently that is done in clear text.

Securing this link can be done either by the provided SSL support or if you have a more complex network with an IPSec properting your traffic (but that's over my head a bit).

The second one is a airpin (localhost) connection from the CPCA server (collocated with the unity server) to the AvXML service via http/soap to the through the IIS server.

That one can be secured by setting up acl for the AvXMl server and setting up SSL for it.

Setting up SSL on the AvXML access is a little tedious as the the CPCA container keystore data need to be updated to recognize the SSL certificate of the server. That is if using the a self-sign certificate or local root CA certificates (not one of the world known ones...).

Other method of securing this link are unknown to me at this time.

Note that on the return path, all credentials are encrypted.

PatH

0 Helpful
Customers Also Viewed These Support Documents