Route Summarisation with EIGRP

KB ID 0001149

Problem

I’ve already written a post that shows you how to calculate a route summarisation. So now you have a method of advertising your routes more efficiently, what do you do with it? Well, I’m at the EIGRP point in my studies, so here’s how to implement it with EIGRP.

To demonstrate I’ve built the above network in GNS3; there is a loopback interface on each router for each of those networks.

Solution

I’ve already set up EIGRP and, importantly, disabled auto-summarisation*. If we take a look at the routing table on the North router we can see the routes being learned from the South router;

*Note: If this exercise is about summarisation, why have I disabled auto-summarisation? Well, if I hadn’t, the routers would see all the remote subnets as 10.0.0.0/8 and nothing would work!

And you will see the ‘opposite’ in the routing table on the South router;

And just to prove it’s not all smoke and mirrors, here’s the current EIGRP config on both routers;

You apply the route summarisation on the interface that the routes are advertised out of (even though the IP address of that link may not be inside the range you are summarising). It may seem a little odd that this is not done under ‘router eigrp {autonomous system number}’; in EIGRP, manual summarisation is configured per interface, so you can send a summary to one neighbour and the specific routes to another. My routers connect to each other via their GigabitEthernet1/0 interfaces.

Firstly, perform your route summarisation; you should come up with 10.0.0.0/14 for the North router and 10.4.0.0/14 for the South router.

Apply the route summarisation on the GE1/0 interface;

[box]

interface GigabitEthernet1/0
ip summary-address eigrp 90 10.0.0.0 255.252.0.0

[/box]

If you are wondering, /14 is 255.252.0.0. I struggle to remember converting between short and long subnet notation, which is why I’ve got an IP subnet aide-mémoire.

Now configure the South router;

[box]

interface GigabitEthernet1/0
ip summary-address eigrp 90 10.4.0.0 255.252.0.0

[/box]

Now if you look on the routing tables of both routers, you will see the routes have been summarised.

Why is the summarised route listed twice? And why does one route point to Null0?

Two things are going on. First, ‘a more specific route always wins’: on the router that owns the subnets, the /16 loopback networks sit in the routing table alongside the /14 summary, so a packet for 10.1.5.5 arriving at North matches 10.1.0.0/16 before it ever matches 10.0.0.0/14, and the summary never hijacks traffic for a subnet that actually exists. Second, the router that generates a summary installs a copy of it in its own routing table pointing at Null0 (with an administrative distance of 5). That is why each router lists two summaries: its own (via Null0) and its neighbour’s (via the GE1/0 next hop). The Null0 entry is a discard route: it only catches packets whose destination is inside the summary but matches no more specific route. Suppose just 10.2.0.0/16 behind North goes down. South still has 10.0.0.0/14 via North, because EIGRP keeps advertising a summary while at least one component route remains, so South keeps forwarding 10.2.x.x traffic to North; North drops it on Null0 instead of sending it back out through a default route, which would otherwise create a routing loop. If every North subnet went down, the summary and its Null0 entry would be withdrawn together.

Related Articles, References, Credits, or External Links

Network Summarisation – Exam Technique and Examples

Cisco Router IOS – Configuring EIGRP

IP (v4) Networking Crib Sheet

Safari – Open jnlp Files Not Download Them

KB ID 0001148

Problem

Next to the rise of Nazism, war, hunger, and pestilence, Java is the worst thing to happen to humankind! But because people keep using it for management consoles and things, we are stuck with it.

I’m particularly a big fan of the way they (Oracle) upgrade it because it’s got some huge security flaw in it, then all my remote iLO, DRAC and Cisco ASDM sessions don’t work anymore. It’s even better when the device that launches Java is old and not supported, so I can’t upgrade that either, so I have to maintain a VM with an old version of Java just to do my job.

So this week, after I stupidly hit the ‘update’ button, I had to downgrade Java ‘again’. Seriously, just put in a button that says, “You need to click this button for things to work, but tough luck if it all breaks”. I was on the brink of being able to get back to work when Safari decided to download the .jnlp file and not run it (which is not normally the end of the world, but was the straw that broke the camel’s back!)

Solution

Once the .jnlp file has downloaded, go and find it > Right click (or Cmd+click) > Open With > Other.

Navigate to /System/Library/CoreServices > Locate and select Java Web Start > tick ‘Always Open With’ > Open.

Related Articles, References, Credits, or External Links

NA

VMware Fusion – Change IP Addresses

KB ID 0001147 

Problem

I use Fusion a lot, and it does what I want and never gives me any problems. I was working for a client this week and had to VPN onto their network (172.16.0.0/16, but all the servers were on 172.16.48.x). When connected I could not RDP to any of their servers. I asked a colleague to try on his laptop and it worked fine; I asked another colleague who also uses a Mac, and his worked as well.

Solution

I wondered if I had added a strange static route in the past, and maybe that was tripping me up, so I looked at the routing table;

[box]

netstat -nr

[/box]

At this point I noticed that 172.16.48.0 was set to send traffic to vmnet8. A quick Google search told me that this was used by VMware Fusion. I quit Fusion and it started working, which is fine, but I’d rather have Fusion running, so how do I change the IP addresses it uses?

VMware Fusion Changing IP addresses

Open a terminal window, and execute the following command;

[box]

sudo nano /Library/Preferences/VMware\ Fusion/networking

[/box]

Tap in your password, and you can edit the file to change the IP addresses VMware Fusion uses;

In case you are wondering: the client was using 172.16.0.0/16 and Fusion was using 172.16.48.0/24, so why did it break? Well, as I said above, the servers were all on 172.16.48.x, and with routing the most specific route ALWAYS WINS. The /24 that Fusion installed for vmnet8 beat the /16 the VPN client pushed, so traffic for the servers went to the NAT network on my laptop instead of down the tunnel.
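The ‘most specific route wins’ rule behind the Fusion problem above (a /24 for vmnet8 beating the /16 pushed by the VPN) and the Null0 discard route in the EIGRP summarisation article are the same longest-prefix-match behaviour. This added Python example (not from the original page) models both with constructed route tables and a plain longest-match lookup. The North router’s loopbacks 10.0.0.0/16 to 10.3.0.0/16 and its default route towards South are assumptions, since the network diagram is not reproduced here.

```python
"""Longest-prefix-match lookups: why a /24 beats a /16 (the Fusion vmnet8 case)
and why an EIGRP summarising router keeps a Null0 discard route for its own
summary. Added example; the route tables are constructed, not from real devices."""
import ipaddress


def best_route(table, destination):
    """Return the (prefix, next_hop) entry with the longest prefix that contains
    destination, or None if nothing matches. This is the rule every host and
    router applies: the most specific route wins, regardless of table order."""
    dst = ipaddress.ip_address(destination)
    matches = []
    for cidr, hop in table:
        net = ipaddress.ip_network(cidr)
        if dst in net:
            matches.append((net, hop))
    if not matches:
        return None
    net, hop = max(matches, key=lambda entry: entry[0].prefixlen)
    return (str(net), hop)


def without(table, cidr):
    """Copy of table with one prefix withdrawn (a subnet going down)."""
    return [entry for entry in table if entry[0] != cidr]


# Constructed: the Mac's routing table on the client VPN with Fusion running.
MAC_WITH_FUSION = [
    ("0.0.0.0/0", "default via en0"),
    ("172.16.0.0/16", "utun1 (client VPN, pushed by the VPN client)"),
    ("172.16.48.0/24", "vmnet8 (Fusion NAT network)"),
]

# Constructed: the North router from the EIGRP article. Assumption: four /16
# loopbacks summarised as 10.0.0.0/14, the summary's own Null0 discard route,
# South's summary learned over GE1/0, and a default route towards South.
NORTH_WITH_NULL0 = [
    ("0.0.0.0/0", "GigabitEthernet1/0 -> South"),
    ("10.0.0.0/14", "Null0"),
    ("10.0.0.0/16", "Loopback0"),
    ("10.1.0.0/16", "Loopback1"),
    ("10.2.0.0/16", "Loopback2"),
    ("10.3.0.0/16", "Loopback3"),
    ("10.4.0.0/14", "GigabitEthernet1/0 -> South (South's summary)"),
]
NORTH_WITHOUT_NULL0 = without(NORTH_WITH_NULL0, "10.0.0.0/14")


def loops_back_to_neighbour(table, destination):
    """True if a packet that arrived from South would be forwarded straight back
    to South: the routing loop the Null0 discard route exists to prevent."""
    route = best_route(table, destination)
    return route is not None and "South" in route[1]


if __name__ == "__main__":
    # RDP to 172.16.48.10 goes to vmnet8, not down the VPN tunnel.
    print(best_route(MAC_WITH_FUSION, "172.16.48.10"))
    # Healthy North: the /16 wins over the /14 and the packet reaches Loopback2.
    print(best_route(NORTH_WITH_NULL0, "10.2.1.1"))
    # Loopback2 down: South still sends 10.2.x.x traffic (the summary is still
    # advertised); Null0 drops it locally ...
    down = without(NORTH_WITH_NULL0, "10.2.0.0/16")
    print(best_route(down, "10.2.1.1"), loops_back_to_neighbour(down, "10.2.1.1"))
    # ... whereas without the discard route the default route bounces it back.
    down_no_null = without(NORTH_WITHOUT_NULL0, "10.2.0.0/16")
    print(best_route(down_no_null, "10.2.1.1"),
          loops_back_to_neighbour(down_no_null, "10.2.1.1"))
```

The interesting case is Loopback2 going down: North still advertises 10.0.0.0/14 because three component routes remain, South keeps sending 10.2.x.x traffic, and the Null0 entry (longer than the default route) drops it locally. Remove that entry and the same packet matches 0.0.0.0/0 back towards South, which is the loop the discard route exists to prevent.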

Related Articles, References, Credits, or External Links

NA

OCSP Server – Bad Signing Certificate On Array Controller

KB ID 0001145

Problem

I had a client ring in the other day, they have a three tier PKI solution on Windows Certificate Services, that I put in about a year ago, it has been running fine, but now they were seeing some errors.

Bad signing certificate on Array controller.

The following errors were also being logged;

Event ID 23

[box]

Log Name:      Application
Source:        Microsoft-Windows-OnlineResponder
Date:          12/01/2016 08:44:01
Event ID:      23
Task Category: None
Level:         Error
Keywords:      
User:          NETWORK SERVICE
Computer:      PKICRL00v
Description:
The Online Responder Service could not locate a signing certificate for configuration 
inter00.(Cannot find the original signer. 0x8009100e
 (-2146889714 CRYPT_E_SIGNER_NOT_FOUND))

[/box]

Event ID 34

[box]

Log Name:      Application
Source:        Microsoft-Windows-OnlineResponder
Date:          12/01/2016 08:44:01
Event ID:      34
Task Category: None
Level:         Error
Keywords:      
User:          NETWORK SERVICE
Computer:      PKICRL00v
Description:
The Online Responder Service encountered an error while submitting the enrollment request
 for configuration inter00 to certification authority PKIINTER00v\PKIINTER00V. The request
 ID is 0.(The system cannot find the file specified. 0x80070002 
(WIN32: 2 ERROR_FILE_NOT_FOUND))

[/box]

Solution

I quickly ascertained that removing and re-adding the array nodes didn’t fix the problem. The responder needs its own signing certificate for each revocation configuration, issued by the CA that configuration answers for, and the automatic enrolment for it was failing (that is the Event ID 34 above). On the OCSP server, launch an MMC session and add the Certificates snap-in for the local computer. Do a manual enrolment using the OCSP Response Signing template, but in the details set the issuing CA to one of the CAs that is displaying an error. Repeat for each CA.

Now add each node, but choose ‘manually select a signing certificate’.

Then assign the certificate, and choose the correct cert for each node.

Related Articles, References, Credits, or External Links

NA

Certificate Services – Disable CRL Checking

KB ID 0001144 

Problem

Sometimes the services on your CA server will stop and complain about not being able to see your CRL, and sometimes the service will just refuse to start with the following error;

The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE).

Solution

The way to fix this permanently is to fix your CRL: make sure it’s set up properly, that a CRL has been published and is still within its validity period, and that the CA server can reach it.

Windows Certificate Services – Setting up a CRL

That might take a while. In the meantime, the way to get the service up and issuing is to temporarily stop the CA checking revocation on its own certificate chain. Be aware of what this does: the CA will start even if it cannot confirm that its own (or its parent CA’s) certificate has not been revoked, so treat it as a stopgap and remove the flag as soon as the CRL is reachable again. Open an administrative command window and issue the following command;

[box]

Certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

[/box]

You will need to restart the certificate services.

[box]

net stop certsvc

net start certsvc

[/box]

Once your CRL problem is resolved you can re-enable CRL checking with the following command;

[box]

Certutil -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE

[/box]

Related Articles, References, Credits, or External Links

NA

Deploying Windows ‘Web Application Proxy’

KB ID 0001142

Problem

This is part of a larger piece of work I’m putting together on publishing Remote Desktop Services with Microsoft Web Application Proxy.

This article simply guides you through the process of installing the Web Application Proxy role. In a later article I will run through configuring it to work with Active Directory Federation Services and Remote Desktop Services to present secure RemoteApps.

Solution

Before You Start: This is a secure web proxy, so that means certificates. I find it a lot easier to use wildcard certs for this sort of thing. The best solution is to buy one from a vendor, or you can create your own wildcard certificate.

You will need a server to install this on, preferably a non-domain-joined machine that resides in a DMZ (this is a secure deployment; if you want to put it on your LAN, then why not just point external clients directly at your Remote Desktop Services Web Access server and forget WAP?)

You will also need to have deployed ‘Active Directory Federation Services‘ in your LAN, and TCP port 443 (HTTPS) needs to be open from the WAP server to the AD FS server.

Server Manager > Manage > Add Roles and Features > Next > Next > Select the server > Next > Server Roles > Select Remote Access > Next > Next >Next.

Select Web Application Proxy only > Accept all the defaults and install the role.

Launch the Post-Deployment configuration wizard.

Next.

Type in the name of your AD FS federation service > supply credentials that can access that server > Next.

Note: As you can see below, I can resolve the name of the federation service “fs.smoggyninja.com” from my DMZ server. It’s easier to just put an entry in the WAP server’s hosts file than to open DNS to the LAN (or you can register it in public DNS, of course!). Below you can see I’ve been able to ping the federation server; normally you would not be able to from the DMZ, I simply opened ICMP/ping for testing. As stated above, you only need HTTPS open > Next.

Select the certificate you are going to use.

Configure.

Close.

The ‘Remote Access Management Console’ should open, if not launch it from administrative tools.

Select Operational Status and all the services should be ‘Green’.

That’s the role installed; now you just need to set up a publishing rule to publish the service you want to present. In my case that’s Remote Desktop Web Access, which I will cover in the next article.

Related Articles, References, Credits, or External Links

NA

Publishing Remote Desktop Services With Web Application Gateway

KB ID 0001143 

Problem

Getting this article to completion has been a bit of a journey! This is the final post that stitches together all the others I’ve posted over the last couple of weeks, enabling you to publish your RemoteApps with ‘Remote Desktop Web Access’ and have that service presented securely from your DMZ. I’ll be using Active Directory Federation Services (you don’t have to, but it’s more secure than simply using ‘pass-through’ security).

Solution

Prerequisites

Topology: Simply getting your ‘ducks in a row’ will take a lot longer than actually deploying the service. Here is the topology that I’m going to deploy;

Firewall Rules: You will see I’ve labelled all the Certificate/CRL rules as optional; this is because you only need them if your certificates come from your own internal CA rather than a public one. In this example that’s what I am doing, which means all my remote clients need the root certificate installing on them, so for production I suggest you purchase a publicly signed wildcard certificate for simplicity.

DNS Requirements: For your internal domain and the DMZ it’s simple enough, but your external clients will need to be able to resolve your public URL (and the URL of your CRL, if your certificates come from an internal CA).

Certificate Services (Optional): If you want to use wildcard certificates issued by your own CA, you will need a PKI environment and a published CRL that external clients can reach. See the following article;

Windows Certificate Services – Setting up a CRL

Once that is set up you will need to generate a wildcard certificate from your CA. See the following article;

Certificate Services – Create a ‘Wildcard Certificate’

Active Directory Federation Services: You need to have your AD FS farm deployed and ready to add your relying party trust to. See the following article;

Deploy Active Directory Federation Services

Web Application Proxy: The Role needs installing ready to have the publishing rule added for Remote Desktop Web Access. See the following article;

Deploying Windows ‘Web Application Proxy’

MAKE SURE: You have run Windows Update on the WAP server; there are a number of bugs that have been fixed. Ensure you have at least KB2975719 and, in addition, the KB2983037 hotfix installed.

Step 1: Add A Relying Trust To Active Directory Federation Services For Web Application Proxy

On your ADFS Server > Administrative Tools > AD FS Management > AD FS > Trust Relationships > Relying Party Trusts > Add Relying Party Trust.

Next.

Enter data about relying party trust manually > Next.

Give the trust a name > Next.

AD FS Profile  > Next.

Next.

Next.

As an identifier, add the URL used to access Remote Desktop Web Access > Next.

I do not want to configure multi-factor authentication settings for this relying  party trust at this time > Next.

Permit all users to use this relying party > Next.

Next.

Untick “Open Edit Claim Rules dialog  for this relying party trust when the wizard closes’ > Close.

You should see your relying party trust listed; take note of its name.

Step 2: Configure Web Application Proxy To Publish Remote Desktop Web Access

On the WAP Server > Administrative Tools > Remote Access Management > Select the Server > Publish.

Next.

Select ‘Active Directory Federation Services (AD FS) > Next.

Note: As mentioned above, you can choose ‘pass-through’, in which case authentication is done on the internal RD Web Access server (which is less secure, because unauthenticated requests from the internet are forwarded to a server on your LAN).

Select the relying party trust you created above (if it’s not listed, check HTTPS is open and that you can resolve the AD FS service name) > Next.

Give the publishing rule a name, and enter the external URL the service will be published on and the backend server URL (these are usually the same inside and outside but do not have to be) > Select your wildcard certificate > Next.

Publish.

Close

In PowerShell execute the following command;

[box]

# -DisableHttp is an accepted PowerShell abbreviation of this switch
Get-WebApplicationProxyApplication -Name "SmoggyNinja Remote Desktop Web Access" | Set-WebApplicationProxyApplication -DisableHttpOnlyCookieProtection

[/box]

Then the following command;

[box]

Get-WebApplicationProxyApplication -Name "SmoggyNinja Remote Desktop Web Access" | Set-WebApplicationProxyApplication -DisableTranslateUrlInRequestHeaders:$true

[/box]

Note: You only actually need this second command if you’re using different URLs inside and outside, but let’s stick with a script that works.

Step 3: Additional Works.

On the Remote Desktop Session Host Server run the following commands;

[box]

Import-Module RemoteDesktop

# Tell RDP clients to pre-authenticate against the published WAP URL before reaching the gateway
Set-RDSessionCollectionConfiguration -CollectionName SN-RDS-COLLECTION -CustomRdpProperty "pre-authentication server address:s:https://remote.smoggyninja.com`nrequire pre-authentication:i:1"

[/box]

Related Articles, References, Credits, or External Links

NA

Remote Desktop Web Access – Connection Error

KB ID 0001141 

Problem

Eleven days! That’s how long it took to fix this, after seven days, I bit the bullet and logged a call to Microsoft. I spent hours on the phone to the Remote Desktop Team, The Web Application Proxy Team, and the Networking Team. I replicated the error by building a complete new domain, PKI, ADFS, Remote Desktop Deployment and Web Application Proxy Server. Then today I got a call from the ‘Connectivity Team’ who had it fixed in about 45 minutes.

Symptoms:

I had the entire deployment built in VMware, and it was deployed behind a Cisco ASA 5510, (it was a proof of concept for a client). The Web Application Proxy was in a DMZ. All this was sat on my test bench, and I was remote VPN connected. To test, I was using a Windows 10 client that was running on my laptop, (in VMware Fusion). I had all the public DNS names in the remote clients ‘Hosts file’.

Your computer can’t connect to the remote computer because the Remote Desktop Gateway server’s certificate has expired or has been revoked. Contact your network administrator for assistance.

After trying to get rid of this error, Microsoft asked me to put another client in the DMZ and try connecting through the Web Application Proxy from there. Then I got this error;

Your computer can’t connect to the remote computer because an error occurred on the remote computer that you want to connect to. Contact your network administrator for assistance.

Solution

I had the Remote Desktop Web Access and Remote Desktop Gateway roles installed on the same server (which is fine). You will notice, if you look at the examples I posted above, that the URL for web access was https://remote.smoggyninja.com (1) and the Gateway was set to rdg.smoggyninja.com (2); both resolved to the public IP address of the Web Application Proxy. Then on the Web Application Proxy they resolved to the internal IP address (192.168.100.114, set in the server’s hosts file).

This was the problem! Simply changing the advertised name of the Remote Desktop Gateway server from ‘rdg‘ to ‘remote‘ fixed all the problems.

Launch Server Manager > Remote Desktop Services > Collections > {Collection-name} > Tasks > Edit Deployment Properties > RD Gateway > Change > Apply.

Related Articles, References, Credits, or External Links

Special thanks and kudos to Nathanaël Stassart who tested the whole concept for me, and stayed engaged in the Microsoft Forum.

Installing vSphere VI Client on Server 2012 Fails – Error 28173

KB ID 0001139

Problem

If you attempt to install the VI client, (in this case on a 2012 R2 Datacenter Server), you may see this error;

Error 28173. Setup failed to enable Microsoft .NET Framework 3.5 Refer to Microsoft KB article 2734782 and 3002547 which may help you resolve the .NET failure. You will need to enable this feature in Windows Server Manager before installing vSphere Client.

Solution

I’ve had problems with .NET on server 2012 before, so let’s cut out the middle man and install it directly from the install media. Pop in the server 2012 DVD. Then execute the following command in PowerShell, (change drive letter accordingly);

[box]

Install-WindowsFeature -Name NET-Framework-Core -Source D:\sources\sxs

[/box]

Then make sure you reboot the server and try again.

Related Articles, References, Credits, or External Links

NA

Network Summarisation – Exam Technique and Examples

KB ID 0001138 

Problem

Note: Yes I’m spelling Summarisation with an ’S’ I’m English.

Most examples I’ve seen on this give you a bunch of subnets then ask you to come up with a summary route for all of them (that’s kind of the point of route summarisation, I’ll grant you). However in an exam, with a laminated board and the dodgy permanent pen they give you to make notes with, are you seriously expected to convert everything to binary to find the ‘last contiguous bit’?

I was studying this today and kept getting it wrong, so I asked a colleague to look and see where I was going wrong. He scribbled on a piece of paper for two minutes and came up with the correct answer. So I’ve stolen his methodology. You can use it for any range of subnets, and if it comes up in an exam, you also have the added bonus that the right answer will be on the screen so even if your maths is off a little, the answer should jump out at you.

Solution

Step 1: You get a range of subnets to summarise;

[box]

192.168.10.0 /24
192.168.11.0 /24
192.168.12.0 /24
192.168.13.0 /24
192.168.14.0 /24
192.168.15.0 /24

[/box]

Points to note:

A) Everything’s happening in the third octet.

B) Ignore everything except the lowest and the highest subnet.

Step 2: Write down the Highest and Lowest Network (in fact just the third octet).

[box]

10
15

[/box]

Step 3:Convert those into Binary (use a full 8 bits).

[box]

10 = 00001010 (if you’ve just gone eh! That's an 8, and a 2).
15 = 00001111 (if you’ve just gone eh! That's an 8, a 4, a 2, and a 1).

[/box]

Step 4: Find the POSITION of the last contiguous bit (the same in both).

[box]

00001010 
00001111

[/box]

Above, the first 5 bits are the same; that’s where the LAST bit of the summarised subnet mask will be. (If you’re confused: everything to the left will be a one, everything to the right will be a zero, i.e. 11111111.11111111.11111000.00000000.)

So the answer will have a /21 mask, (because there’s 21 x 1s).

Well that’s great, but I still don’t know the subnet address?

Yes you do! In step 3 you worked out the LOWEST subnet; you simply zero all the bits that are NOT contiguous, and the subnet is the bits that are left. (That sounds more complicated than it is.) So;

[box]

00001010 
00001111

[/box]

You ignore the last three, they are not contiguous (010 and 111 are not the same), which leaves you with;

[box]

00001000 = 8

[/box]

So the network to summarise is 192.168.8.0/21 (or 255.255.248.0 if you prefer).

You might think, THAT WAS LONG WINDED! Well, I took pains to explain everything. Once you have the method you can apply it to any list of networks;

A More Complicated Example

[box]

192.168.112.0 /24
192.168.113.0 /24
192.168.114.0 /24
192.168.115.0 /24
192.168.116.0 /24
192.168.117.0 /24
192.168.118.0 /24
192.168.119.0 /24

Lowest and Highest

192.168.112.0
192.168.119.0

Convert the changing Octet to Binary

01110000
01110111

We are the same up to the 5th bit, so it’s a /21
Drop the last three bits 01110000 is 112

Answer is 192.168.112.0/21

[/box]

More Exercises to Try (Answers Below)

[box]

1. 

10.10.1.0/27
10.10.1.32/28
10.10.1.48/28
10.10.1.64/26
10.10.1.128/29
10.10.1.136/29
10.10.1.144/28

2.

10.22.178.0 /23
10.22.180.0 /23
10.22.182.0 /23
10.22.184.0 /23
10.22.186.0 /23
10.22.188.0 /23
10.22.190.0 /23

3. 

172.16.4.0/24
172.16.5.0/24
172.16.6.0/24
172.16.128.0/24

4.

172.16.207.192 /26
172.16.205.64 /26	
172.16.206.128 /25
172.16.204.0 /24

5.

172.16.0.0/24
172.16.1.0/24
172.16.2.0/24
172.16.3.0/24

[/box]

ANSWERS

1. 10.10.1.0 /24

2. 10.22.176.0 /20

3. 172.16.0.0 /16

4. 172.16.204.0 /22

5. 172.16.0.0 /22
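The arithmetic behind both the EIGRP article’s 10.0.0.0/14 and the exercises above, as an added Python example (not part of the original page): summary_route is the general algorithm (smallest single prefix covering everything from the first address of the lowest subnet to the last address of the highest), exam_method reproduces the page’s shortcut step by step so you can see the two agree, eigrp_summary_command turns the result into the interface line from the EIGRP article, and excess_addresses shows how much unowned space a summary of a sparse list drags in. The subnet lists are the ones on this page; the EIGRP loopbacks (10.0.0.0/16 to 10.3.0.0/16 behind North, 10.4.0.0/16 to 10.7.0.0/16 behind South) are an assumption because the diagram is not reproduced, and AS 90 is taken from that article.

```python
"""Route summarisation: the general 'smallest covering prefix' algorithm next to
the page's exam shortcut (compare only the lowest and highest network addresses).
Added example; the EIGRP loopback ranges below are assumed, not from the page."""
import ipaddress


def common_prefix_length(a: int, b: int, width: int = 32) -> int:
    """Count the leading bits two integers share; that is the summary mask length."""
    prefix = width
    while prefix > 0 and (a >> (width - prefix)) != (b >> (width - prefix)):
        prefix -= 1
    return prefix


def summary_route(cidrs):
    """Smallest single prefix containing every address of every subnet given.
    Uses the first address of the lowest subnet and the LAST address of the
    highest, so it also copes with a single subnet or a large trailing block."""
    nets = [ipaddress.ip_network(c) for c in cidrs]  # strict: rejects host bits set
    first = min(int(n.network_address) for n in nets)
    last = max(int(n.broadcast_address) for n in nets)
    prefix = common_prefix_length(first, last)
    return ipaddress.ip_network(f"{ipaddress.ip_address(first)}/{prefix}", strict=False)


def exam_method(cidrs):
    """The page's shortcut, step by step: take the lowest and highest NETWORK
    addresses, find the octet where they differ, write both in 8-bit binary and
    count the leading bits they share. Needs at least two distinct subnets."""
    nets = sorted(ipaddress.ip_network(c) for c in cidrs)
    low, high = nets[0].network_address, nets[-1].network_address
    if low == high:
        raise ValueError("the shortcut needs two different network addresses")
    octet = next(i for i, (lo, hi) in enumerate(zip(low.packed, high.packed)) if lo != hi)
    lo_b, hi_b = low.packed[octet], high.packed[octet]
    common = common_prefix_length(lo_b, hi_b, width=8)
    prefix = 8 * octet + common
    return {
        "octet": octet + 1,  # 1-based, as the page counts them
        "low": f"{lo_b:08b}",
        "high": f"{hi_b:08b}",
        "common_bits": common,
        "summary": str(ipaddress.ip_network(f"{low}/{prefix}", strict=False)),
    }


def eigrp_summary_command(asn: int, cidrs) -> str:
    """The interface-level IOS line from the EIGRP article, with the dotted mask
    IOS expects rather than /prefix notation."""
    s = summary_route(cidrs)
    return f"ip summary-address eigrp {asn} {s.network_address} {s.netmask}"


def excess_addresses(cidrs) -> int:
    """Address space the summary claims beyond the subnets you actually have.
    Non-zero is the price of summarising a sparse list: the advertising router
    attracts (and Null0-discards) traffic for all of that space."""
    s = summary_route(cidrs)
    return s.num_addresses - sum(ipaddress.ip_network(c).num_addresses for c in cidrs)


EXERCISE_3 = ["172.16.4.0/24", "172.16.5.0/24", "172.16.6.0/24", "172.16.128.0/24"]
NORTH_LOOPBACKS = [f"10.{n}.0.0/16" for n in range(4)]      # assumption
SOUTH_LOOPBACKS = [f"10.{n}.0.0/16" for n in range(4, 8)]   # assumption

if __name__ == "__main__":
    worked = [f"192.168.{n}.0/24" for n in range(10, 16)]
    print(exam_method(worked))   # octet 3, 00001010 vs 00001111, 5 bits -> 192.168.8.0/21
    print(summary_route(worked))
    print(eigrp_summary_command(90, NORTH_LOOPBACKS))
    print(eigrp_summary_command(90, SOUTH_LOOPBACKS))
    print(excess_addresses(EXERCISE_3))  # a /16 for four /24s: 64512 spare addresses
```

Exercise 3 is the cautionary one: four /24s summarise to a /16 that is 64,512 addresses bigger than what you actually have, and whichever router advertises it will attract (and then Null0-discard) traffic for all of that space. Exercise 4 comes out as 172.16.204.0/22; a /24 would stop at 172.16.204.255 and leave the three higher subnets uncovered.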

Related Articles, References, Credits, or External Links

NA