I am trying to connect Azure to our OnPremise-SAP-Installation. Our target: calling an RFC via SAP-Connector within a LogicApp.
What we did so far:
Created a Relay-ServiceBus.
Created a default SAP-Connector available in Azure Marketplace and inserted all required information including the ServiceBus-ConnectionString.
For testing purpose: Created a new Windows Server VM onPrem:
Enabled IIS
Disabled Windows-Firewall
Installed SAP-Libraries required by the HybridConnector.
Than we downloaded and installed the HybridListener on the Windows Server and entered the required ConnectionString.
Basically it was pretty much straight-forward according to this article:
http://azure.microsoft.com/de-de/documentation/articles/app-service-logic-integrate-with-an-on-premise-sap-server/
(Maybe except installing the SAP Libraries which is a bit weak documented..)
After all that installation process we went back into our Azure Portal. Suprisingly the SAP-Connector still told us: "On-Premise Setup Incomplete"
Our biggest problem: there are no other information available. Why is the Setup incomplete? Did we entered some wrong configuration or is there a network issue?
After some time we found out that we also need to open the following outgoing ports:
9350 to 9354
443
Unfortunately this was documented at a different place: https://msdn.microsoft.com/en-us/library/azure/ee706729.aspx
But the connection is still not working, same error as above: "On-Premise Setup Incomplete" And yes, we did reboot the IIS as well as the whole system.
My Question now: is there any possibilty to find the reason for this situation? A couple of weeks ago we had the same issue with an SharePoint-Connector which is still not running.
Is there any kind of HybridConnector-Logfile on the Server or something similar that helps us the figure out the real problem? Or maybe did someone had the same problem in the past and has some advice?
Thanks in advance!
EDIT: Hybrid Connection is now online!
I just had to change writing permissions for the HybridListenerAppPool:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Aspnet_regiis.exe -ga "IIS AppPool\HybridListenerAppPool"
Solution found: http://forums.asp.net/t/1566987.aspx and IIS7 folder permissions for web application.
But it is still not possible to use the SAP Connector within a LogicApp:
After analyzing the Log of the AppService Gateway I found a hint telling me to look at the SwaggerFile of the SAP Connector:
I really do not understand why the HybridConnection is fine but there is still no Listener connected.
After some firewall forensics, we actually figured out that there is some outgoing traffic on ports 5671 and 5672. If someone else faces the same problem, you need to open all the following outgoing TCP ports:
443
5671 - 5672
9350 - 9354
Unfortunatley it looks like this is not documeted at all.
Related
First of all, a rookie, related to VPN/Security issues, so really
forgive me for whatever error I make while describing my problem,
and hope I'm able to make it clear.
Our contractors changed AVIATRIX-OKTA VPN for AWS-VPN with OKTA
Authentication, they send as an .ovpn file, that works ok for
Windows/MAC using AWS-Vpn-Client application software, but a
couple of us using Linux boxes (Ubuntu specifically) run the
described method in AWS which is: openvn config-file.ovpn,
and it does not work.
It simply asks for usr/pwd an then it fails with auth error (we use our OKTA credentials)
, seems nothing is configured to go to OKTA, open a browser or whatever it needs to do.
As an aside note, we can connect without any trouble to our k8s cluster using OKTA
client libraries, no sure is this is useful or not, just in case.
The .ovpn file looks like this
client
dev tun
proto tcp
remote random.cvpn-endpoint-xxxxxx.yyy.clientvpn.us-west-2.amazonaws.com 443
remote-random-hostname
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
verb 5
<ca>
....
....
....
</ca>
auth-user-pass
auth-federate
auth-retry interact
auth-nocache
reneg-sec 0
An interesting thing to notice is that openvpn complains about auth-federate
seems not to recognize it, so I started using gnome network-manager which seems
to accept this configuration, but getting Auth error too.
After this I tried openvpn3 which didn't complain about configuration,
but still getting the same error.
I also tried adding TOPT token to password and the same problem
Any help on how to configure it, or just know if it is possible, will be greatly welcome
, seems there is very little information around this in the net
and we are really stuck on this, we are willing not to change OS or machines as they
are asking to, or using VM just to connect.
Thanks in advance,
We have tried the solution mentioned in the following URL and it worked for us:
https://github.com/samm-git/aws-vpn-client/blob/master/aws-connect.sh
The detailed working of this solution is explained in :https://github.com/samm-git/aws-vpn-client/blob/master/aws-connect.sh.
We have made few changes in the configuration files to make it work.
Removed the following lines in vpn.conf.
auth-user-pass
auth-federate
Made the following change in line 38 in the script aws-connect.sh.
open "$URL"
to
xdg-open "$URL"
Finally I got an answer from AWS people:
If the Client VPN endpoint is configured using SAML-based
authentication (such as Okta), then you have to use the AWS-provided
client to connect:
https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html#saml-requirements
And the promise to update del client documentation with a WARNING about
this.
When connecting to the CloudSQL DB, you must provide the PostgreSQL configuration details (this makes sense).
When getting the necessary address information from Google's configuration page, you are provided with an external IP address (and nothing else as far as external solutions work) to connect to it.
This then produces a warning when using it:
(node:18101) [DEP0123] DeprecationWarning: Setting the TLS ServerName to an
IP address is not permitted by RFC 6066. This will be ignored in a future
version.
I have tried researching about this warning, and am struggling to come up with a proper resolution for this, since Google does not provide any sort of servername (or similar) for this.
I'm thinking one solution could be to externally add a subdomain to my companies servers that points to this IP address, but to be honest that is not very ideal for us (if it's the only solution though, that is fine).
This is a server running Node 12.7.0 on Debian 9.9 (stretch), connecting to CloudSQL PostgreSQL 11 (beta).
Obviously the expected solution is to remove all [deprecation] warnings from a production code-base, so looking to resolve that, and any ideas of how best to attack that since nobody seems to have posted this elsewhere!
Edit:
I was able to resolve this by adding proper hostnames to said IPs. Not sure if there is a better solution (if you find one, please let me know!), but this will work in the interim since keeping the external server around is only a short-term scenario for us anyways.
Related issue created for adding this to the documentation: https://github.com/brianc/node-postgres/issues/1950
I changed from IP name to DNS name and the error is gone.
You can change in ServerName: // your ip and just put "localhost".
I know that this question has been asked in multiple forums and have several versions of the answers.. Unfortunately, none of those answers helped me out to resolve my issue.
I stood up an AWS EC2 instance of Windows Server 2016 and installed IIS, MSMQ, Windows Process Activation Service and few other things.. When I cracked open my IIS Manager, I noticed that the "Default Web Site" is stopped and when I tried to start it I get an error "The process cannot access the file because it is being used by another process (Exception from HRESULT:0x80070020)". Tried to dig a little more and found these two exceptions in my Event Viewer:
Unable to bind to the underlying transport for [::]:80. The IP Listen-Only list may contain a reference to an interface which may not exist on this machine. The data field contains the error number.
The World Wide Web Publishing Service (WWW Service) did not register the URL prefix http://:80/SmsHandler for site 1. The site has been disabled. The data field contains the error number.*
Researching more online I found more than 2 dozen articles on this issue and more than 95% of them saying that the potential application that might be conflicting with IIS and using port 80 and 443 could be Skype.. But I DON'T HAVE SKYPE installed on my server..
I ran the "netstat -aon" command and found this:
C:\Windows\system32>netstat -aon | findstr :80
TCP 169.254.170.2:80 0.0.0.0:0 LISTENING 1164
Going by what's mentioned in other articles online.. I tried to trace down the PID - 1164 in my Task Manager and found that its the "Service Host - Local System" process having 15 System services running into it.. There's no way I can kill that process to make my IIS work..
I then tried to change the Bindings in my IIS to listen on a different port than 80 and was able to get it up and running.. But I don't want IIS to run on any other port than 80 since I don't want the user to specify the port in the URL every time when they hit the website..
I'm now running short of ideas here.. Any suggestions would be greatly appreciated.
Thanks!
I ran into a similar issue, but not with port 80. In my case it was because the ip address [::] wasn't allowed to listen on any port. Adding it to the ListenOnly list in the registry fixed the issue.
From an admin command prompt:
netsh http add iplisten ipaddress=::
From this thread.
Found the culprit.. It apparently wasn't skype for me (as it is in most of the cases), it was this service called IP Helper which was running on port 80 and was conflicting with IIS. The way I found that out was, I checked all the services running under the PID for Service Host - Local System (which in my case as 1164) and started stopping them one at a time and saw if IIS starts working.. Just wanted to close this thread.. Hope this helps if someone else get stuck with the same issue.
I had VMware Workstation installed, the solution is: "VMware -> Edit -> Preferences -> Shared VMs -> "Disable Sharing".
I've a sitecore azure deployment 2.0. Unfortunately, when I try to run this from company network I get the error below:
A connection attempt failed because the connected party did not
properly respond after a period of time, or established connection
failed because connected host has failed to respond 213.199.180.206:80
When I try below on the same machine it works:
http://www.google.com
https://www.google.com
Wondering what exactly is causing the above issue given both 443 and 80 works well via IE.
Thanks.
Definitely sounds like a corporate firewall/gateway problem. Have written a blog post with my experiences of just these types of issues. http://reservoirdevs.wordpress.com/2013/10/18/sitecore-azure-walkthrough-and-gotchas/
My solution was to try from outside the corporate network. It then worked fine.
This sounds like your firewall on your Azure machine is not set to allow incoming http traffic on port 80. Although there could be a lot of other reasons for this timeout.
I am trying to create a web based PHP application which can allow chat to my Gmail friends. Something like meebo.com. I downloaded XMPPHP, and executed on localhost, and it is working fine, but when I uploaded everything to Yahoo Small business web hosting, it is throwing connection timeout error.
Do anyone else faced such problem. I heard many of them did, but no one have any solution yet.
Any suggestion will be very helpful. I am new to XMPP clients.
Just some ideas...
How are you trying to connect to the XMPP server? With XMPPHP you may use two classes which are
XMPPHP
XMPPHP_BOSH
You might try both, since they work on different ports (XMPPHP for example on 5222 and XMPPHP_BOSH on 80). So if this is a port issue, trying XMPPHP_BOSH would be an idea. You will need to find out though if this is supported by the XMPP server you are trying to connect to. And if so, you need to know the url the server exposes the BOSH service on.
Anyways, I would recommend to check out what kind of 'restrictions' there are in Yahoo Small business web hosting and on the side of the XMPP server.
If you intend to check XMPPHP_BOSH out, consider this issue to make it work: Issue 47: Http-bind error. All in all XMPPHP seems very buggy and incomplete...