ADMT (Active Directory Migration Tool) Domain Migration – Part 1

KB ID 0001305

Problem

I’ve not used ADMT for ages, and I’ve got a domain migration to do soon, so I thought I’d get on the bench and have a reminder. Although ADMT 3.2 was ‘re-jigged’ to support Server 2012 R2, I’m still going to install it on Server 2008 R2. I’ve got a test domain built to migrate from, and a new domain set up ready to migrate into.

  • Old/Source Domain: olddomain.com
  • Old/Source Domain Controller: Source-DC.olddomain.com
  • New/Target Domain: newdomain.com
  • New/Target Domain Controller: Target-DC.newdomain.com

 

Solution

ADMT – DNS Setup

The old domain needs to be able to resolve names in the new domain, and the new domain needs to be able to resolve names in the old domain. To achieve this you need to set up ‘Conditional Forwarding’ in each domain for the other one, pointing at the other domain’s DNS server(s).

Don’t worry if the wizard shows a red cross when you first add the forwarder, as long as the DNS servers can see each other (and there’s no firewall in between blocking TCP and UDP port 53). Just add the DNS server, give it a while, then re-open the conditional forwarder’s properties and it should have ‘gone green’.

You can test it’s working by pinging (or, better, running nslookup against) BOTH the old and new domain names, in BOTH domains: the bare domain name should resolve to the A records of that domain’s domain controllers.

In addition, we want all machines (in both domains) to set their primary DNS suffix to their own domain, and their DNS suffix search list to look for their own domain first, then the other domain. The easiest way to do that is via group policy. On a domain controller > Administrative Tools > Group Policy Management Console.

It’s better practice to link your policy to the actual OU that your computers are in; to keep things simple (and because I’m lazy) I’m going to link my policy to the root of the domain.

 

Edit the policy you have just created.

Navigate to;

[box]Computer Configuration > Policies > Administrative Templates > Network > DNS Client > [/box]

Setting: Primary DNS Suffix: Set to current domain.

Setting: DNS Suffix Search List: Set to the current domain, then the other domain, separated by a comma (in the old domain that is olddomain.com,newdomain.com).

Then wait, or force a Group Policy update with ‘gpupdate /force’; to test, visit a machine and issue an ‘ipconfig /all‘ command. Note that a change to the primary DNS suffix only takes effect after a reboot, so a machine may show the new search list but the old suffix until it has been restarted;

Above: you can see both the policies have taken effect.

Repeat the procedure in the new domain, (but the domain names will be the opposite way round) like so;
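As an added example (this is not code from the original article), here is the same DNS work from PowerShell, plus the checks I would run before moving on. It assumes you run it on a DC in olddomain.com, that Target-DC.newdomain.com is at 10.2.0.10 (an invented address; substitute yours), and that the client check is run on an olddomain.com member after the GPO has applied.

```powershell
# Added example, not from the original article. Run on Source-DC.olddomain.com as a
# domain admin. Assumed values: the other DC's IP address and name below.
$OtherDomain = 'newdomain.com'
$OtherDcIp   = '10.2.0.10'                 # assumption: IP of Target-DC.newdomain.com
$OtherDcName = 'Target-DC.newdomain.com'

# 1. Conditional forwarder for the other domain. Server 2012+ has the DnsServer
#    module; on 2008 R2 fall back to dnscmd (per-server forwarder, so repeat it on
#    every DNS server in the domain).
if (Get-Command Add-DnsServerConditionalForwarderZone -ErrorAction SilentlyContinue) {
    Add-DnsServerConditionalForwarderZone -Name $OtherDomain -MasterServers $OtherDcIp -ReplicationScope Forest
} else {
    dnscmd /ZoneAdd $OtherDomain /Forwarder $OtherDcIp
}

# 2. Prove the forwarder works. TCP and UDP 53 must be open between the DNS servers.
#    nslookup exists everywhere; the bare domain name returns the other domain's DC
#    A records, which is what the trust wizard and ADMT will look up.
nslookup $OtherDcName
nslookup $OtherDomain

# 3. On a client after 'gpupdate /force': confirm the suffix settings came from the
#    GPO. 'Domain' in Tcpip\Parameters is the suffix in effect now, 'NV Domain' the
#    one that applies after a reboot; the search order is the same list that
#    'ipconfig /all' prints.
$tcpip  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$search = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
            ForEach-Object { $_.DNSDomainSuffixSearchOrder })
"Primary DNS suffix (now)         : $($tcpip.Domain)"
"Primary DNS suffix (after reboot): $($tcpip.'NV Domain')"
"Suffix search list               : $($search -join ', ')"
if ($search.Count -eq 0)                 { Write-Warning 'No search list: the GPO has not applied yet' }
elseif ($search[0] -ne $tcpip.'NV Domain') { Write-Warning 'Own domain is not first in the search list' }
```

Run step 3 in both domains; the only difference is which domain name you expect to see first.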

ADMT – Creating Domain Trust

Both domains need to trust each other for the migration to take place. If you have two simple single-domain forests like I do, a two-way ‘external trust’ between the two domains is fine. You would only need a ‘forest trust‘ if, for example, you were migrating from/to a forest with root and child domains, because an external trust covers only the two domains named in it.

As the name implies Trusts are setup from Administrative tools > Active Directory Domains and Trusts. You can setup the whole thing from one domain, below I’m creating it in the old domain.

Welcome Screen  = Next > Provide the name of the ‘other’ domain > Next > External Trust > Next.

Two Way > Next > Both this domain and the specified domain > Next > Provide administrative credentials for the ‘other’ domain > Next.

Domain-wide authentication > Next > Domain-wide authentication > Next > Next. (Domain-wide authentication lets any user in the trusted domain authenticate to any computer in the trusting domain, subject to the normal ACLs. ‘Selective authentication’ is the tighter option, but then you must grant the migration account ‘Allowed to Authenticate’ on every computer it touches; for a short-lived migration trust, domain-wide is the usual choice.)

Next > Yes. Confirm outgoing trust > Next > Yes. Confirm incoming trust > Next.

Finish > READ the warning about SID history. It is telling you that SID filtering is enabled on the new trust by default, which strips the other domain’s SIDs out of a user’s token; we will have to deal with SID history filtering a bit further on > OK.

This step is not really necessary, (it’s just for peace of mind). I do this in BOTH domains and validate each trust, (so you will do this four times).

Select the trust > Properties > Validate > Type in credentials > OK > Type in Credentials > OK > OK.
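As an added example (not from the original article), the same trust can be created, validated and inspected from the command line with netdom and nltest, which are present on every DC. It assumes you run it on Source-DC.olddomain.com, and that the credentials named below (Administrator in each domain) are the ones you would type into the wizard; passwords are prompted for because of the ‘*’.

```powershell
# Added example, not part of the original article. Run on a DC in olddomain.com.
# Assumed account names: NEWDOMAIN\Administrator and OLDDOMAIN\Administrator.

# Create the two-way external trust (what the wizard does with 'External Trust',
# 'Two Way', 'Both this domain and the specified domain').
netdom trust olddomain.com /Domain:newdomain.com /Add /Twoway `
    /UserD:NEWDOMAIN\Administrator /PasswordD:* `
    /UserO:OLDDOMAIN\Administrator /PasswordO:*

# Validate it in both directions (the 'Validate' button in the GUI).
netdom trust olddomain.com /Domain:newdomain.com /Verify /Twoway `
    /UserD:NEWDOMAIN\Administrator /PasswordD:* `
    /UserO:OLDDOMAIN\Administrator /PasswordO:*

# List every trust this DC knows about, with type and attribute flags.
nltest /domain_trusts /v

# Report the SID filtering ('quarantine') state of the trust. Without Yes or No the
# command only displays the current state; on an external trust it is enabled by
# default, which is what the wizard's SID history warning refers to.
netdom trust olddomain.com /Domain:newdomain.com /Quarantine
```

Run the same three commands (with the domain names swapped) on Target-DC.newdomain.com to get the equivalent of validating from both sides.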

ADMT – Users / Admins and Rights Assignment

Create the user that will do all the hard work in the NEW domain, then add that user to the Domain Admins group (again in the NEW domain).

Username: ADMTAdmin (can be anything you want, but I’ll refer to this username throughout).

Over in the OLD domain you won’t be able to add your ADMT user to the Domain Admins group, because Domain Admins is a global group and cannot contain accounts from another domain. Instead, add the ADMTAdmin account from the NEW domain into the Builtin\Administrators group (which is domain local) on the OLD domain.

Be aware of what you have just built: one account that is a Domain Admin in the new domain and an Administrator in the old one, so whoever holds it can take over both. Make it a dedicated account used only for the migration, give it a long unique password, and disable or delete it (and remove it from both groups) when the migration is finished.

Additionally: the ADMTAdmin user needs to have local administrative rights to all the machines in the OLD domain. The easiest way to do that is again with a group policy.

In the OLD domain create a group, (Type: Domain Local)

Group Name: GP-ADMT-Admins, (again you can call it something else if you want).

Add your ADMTAdmin account to this group, (Note: I like to add the domain admin account for the NEW domain as well, though that’s not necessary).

On a domain controller > Administrative Tools > Group Policy Management Console.

Once again: it’s better practice to link your policy to the actual OU that your computers are in; to keep things simple (and because I’m lazy) I’m going to link my policy to the root of the domain. Note that a root-linked policy also applies to the Domain Controllers OU, so GP-ADMT-Admins ends up in the domain’s Builtin\Administrators group as well; link it to your workstation and server OUs instead if you don’t want that.

Edit the policy you have just created;

Navigate to;

[box]Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups[/box]

Add Group > Select GP-ADMT-Admins > OK > Add (the bottom option, ‘This group is a member of’) > Administrators > OK. Use the bottom option: it adds GP-ADMT-Admins to each machine’s local Administrators group alongside the existing members. The top option (‘Members of this group’) would instead enforce an exact membership list on local Administrators and strip everyone else out of it.

Setup correctly it should look like this;

To test: on a client, open an administrative command window and run ‘gpresult /R’ to confirm the policy has been applied.

The best test, though, is to check the local Administrators group on the client (Computer Management > Local Users and Groups > Groups) and make sure that OLDDOMAIN\GP-ADMT-Admins is actually a member.
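As an added example (not from the original article), here is the rights assignment above done from PowerShell on the old DC, followed by the check I run on a client. It assumes the trust already exists (so NEWDOMAIN\ADMTAdmin resolves from the old domain), that you are a Domain Admin of olddomain.com, and the group name from the text.

```powershell
# Added example, not part of the original article. Run on Source-DC.olddomain.com.
Import-Module ActiveDirectory

# Domain Admins is a global group and cannot hold a principal from another domain,
# so the migration account goes into Builtin\Administrators (domain local) instead.
# On a DC 'net localgroup' operates on the domain's Builtin and domain-local groups.
net localgroup Administrators NEWDOMAIN\ADMTAdmin /add

# Domain-local group that the Restricted Groups GPO pushes into every machine's
# local Administrators group.
New-ADGroup -Name 'GP-ADMT-Admins' -GroupScope DomainLocal -GroupCategory Security `
    -Description 'ADMT migration: local admin on all olddomain.com computers'
net localgroup GP-ADMT-Admins NEWDOMAIN\ADMTAdmin /add

# Show what the DC thinks the memberships are now.
net localgroup Administrators
net localgroup GP-ADMT-Admins

# --- On an olddomain.com client, after 'gpupdate /force' (or a reboot) ---
# Enumerate the local Administrators group through ADSI and confirm the GPO
# delivered the group. The ADsPath shows which domain each member came from.
$members = @(([ADSI]'WinNT://./Administrators,group').Invoke('Members') |
    ForEach-Object { $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) })
$members
if (-not ($members -match 'GP-ADMT-Admins$')) {
    Write-Warning 'GP-ADMT-Admins is not in local Administrators yet; check gpresult /R'
}
```

If the warning fires but gpresult /R lists the policy, the usual cause is the Restricted Groups entry having been created with the top (‘Members of this group’) option rather than the bottom one.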

ADMT – Database Requirements

OK, a lot of posts say don’t install ADMT/SQL on a domain controller. That’s not strictly true: you can install ADMT and SQL on a domain controller, in fact that’s what I’m going to do (there are a few commands and extra steps, which I will point out below).

You can use full-blown SQL Server if you like, but it’s just as easy to use SQL Server 2008 Express SP1 > Download and run > Installation > New SQL Server stand-alone installation or add features to an existing installation.

Accept the defaults > In feature installation select ‘Database Engine Services’.

Accept the named instance ‘SQLExpress’.

Keep accepting defaults until you get to the ‘Server Configuration‘ page, and set the account the SQL Server service will run as; I add the ADMTAdmin account here. (Leaving the default service account is the least-privilege option, since ADMTAdmin is an administrator in both domains; the ICACLS step below grants rights to the service’s own SID rather than to the logon account, so it works either way.)

Then, on the ‘Database Engine Configuration’ page, add your ADMTAdmin account again, this time as a SQL Server administrator. (Once again there’s nothing wrong with adding the domain admin account as well.)

ADMT – Additional SQL Steps For Domain Controllers

Open an administrative command window and run the following commands. ‘Target-DC’ is the name of the computer ADMT and SQL are installed on, and the SID you need is the ‘SERVICE SID’ line that SC SHOWSID prints; it is derived from the service name, so for the MSSQL$SQLEXPRESS instance it is the same value on every machine, which is why the example SID below will match yours;

[box]

REM Target-DC = the computer name of the ADMT/SQL host
NET LOCALGROUP SQLServerMSSQLUser$Target-DC$SQLEXPRESS /ADD
SC SHOWSID MSSQL$SQLEXPRESS
REM Copy the SERVICE SID from the output, you will need it in a minute
MD %SystemRoot%\ADMT\Data
ICACLS %SystemRoot%\ADMT\Data /grant *{Paste the SID from above}:F
REM for example
ICACLS %SystemRoot%\ADMT\Data /grant *S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133:F

[/box]

ADMT – Downloading and Installing ADMT

Download the ADMT 3.2 software. Launch the installer and accept all the defaults until you get to database selection, then enter ‘.\SQLEXPRESS’ (the local named instance you created above).

No, we don’t want to import any data from an existing database > Next > Finish.

We can now open the ‘Active Directory Migration Tool’ management console.

 In Part Two we will look at SID filtering, setup a password export server, and do some group policy work.

Related Articles, References, Credits, or External Links

NA

Using the VI Editor (For Windows Types)

KB ID 0001304 

Problem

I don’t have a ginger ponytail, nor do I wear sandals; couple these two things together and you will understand why I find VI so confusing! Many times I’ve had to alter a config file on an appliance, or a Linux box, and sat frowning at VI wondering why I can’t change a one to a zero.

Note: Nano is easier; if possible try nano (unknown) to save hassle. But on hardened appliances, for example, it won’t be there. 🙁

So, this article gives you enough information to open, edit, and save a file. If you want a massive tutorial on VI you are in the wrong place.

Solution

Not really part of VI but you need to know where the file is you want to edit, and the path to it;

[box]

For Example:

vi (unknown)
vi {path}/(unknown)

[/box]

You can ‘move around’ the file being edited with your arrow keys.

Deleting Text: Press the X key to delete the character that’s ‘under’ the cursor (vi starts in this ‘normal’ mode, where keys are commands rather than text).

Selecting Text: Press the V key once to enter ‘visual’ mode, then use the arrow keys to extend the selection over multiple characters (there is no need to hold V down).

Note: With text selected you can CUT (press X or D) or COPY (press Y); either returns you to normal mode. To PASTE put the cursor where you want the text and press P.

Inserting Text: To actually type anything, you need to be in ‘insert‘ mode: press I, then type in your text.

Note: Some flavours of vi give no indication you are in ‘insert‘ mode, (unlike the example below).

Saving and Exiting: you need to be back in ‘command‘ (normal) mode to save and exit; to get there press ESC. As above there may be no visual clue what mode you are in (pressing ESC again does no harm). To SAVE AND EXIT type :wq {Enter}. To EXIT without saving type :q {Enter}; if you have made changes vi will refuse, and :q! {Enter} exits and throws them away. Basically q means quit, w means ‘write’ the changes, and ! means ‘I mean it’.

Job done, now keep your Linux skills quiet or you may get your dinner money stolen, and not get a girlfriend.

Related Articles, References, Credits, or External Links

NA

How To Install Exchange 2016 (Greenfield Site) – Part 3

KB ID 0001303

Problem

In Part-One we covered Exchange Pre-Install Tasks, in Part-Two we installed Exchange 2016, but it still won’t be working properly, so we need to carry out a few Post-Install Tasks.

Solution

Install Exchange 2016 Product Key

Log into Exchange Admin Center > Servers > Servers > Select the Server > Enter Product Key.

Manually enter your product key > Save.

Heed the warning > OK.

Open an administrative PowerShell window, and run the following command;

[box]Restart-Service MSexchangeIS[/box] 

Now if you hit the refresh button it should say the product is licensed,

Exchange 2016 Install Certificate

As you can see (below) Exchange 2016, (like its predecessors) creates and installs a self-signed certificate, which clients will not trust. These days I just recommend that clients use wildcard certificates; they are much less hassle even if they are a bit more expensive.

To create the request > Servers > Certificates > Select the server > Add.

Create a request > Next > Give the request a sensible name > Next. 

Don’t forget the asterisk, i.e. “*.publicly-addressable-domain.com” > Next > Add in the server > Next.

You need a “share” (a UNC path) to save the certificate request in > Finish.

The request is a PKCS#10 CSR stored as Base64 (PEM) text; this is the information you will need to send to your certificate provider to obtain your wildcard certificate. The private key stays in the pending request on the Exchange server, so the request must be completed on the same server that generated it.


Once you have received your certificate back from your certificate vendor, then locate your request and ‘Complete’ it.

Browse to the certificate you have saved > OK.

Exchange 2016 Assigning Services to a Certificate

Now we have the certificate we need to enable it, select the new cert > Edit.

Select SMTP and IIS > Save > Yes (you are asked to confirm because this replaces the self-signed certificate that transport is currently using).

Note: POP and IMAP are not ticked here: those services are disabled by default, and a wildcard certificate cannot be assigned to them from the EAC; if you do use them, set the certificate name with Set-PopSettings / Set-ImapSettings instead.

Now navigate to https://{server-FQDN}/ecp and log back into Exchange Admin Center to check it’s using the correct certificate.

Remember you need to use a FQDN that the wildcard covers, NOT the short server name, or you will get certificate errors!

Exchange 2016 Create a Send Connector

Before you can send mail externally, you need to create a send-connector. Mail flow > Send Connectors > Add.

Give it a sensible name, select ‘Internet’ > Next > Unless you have a mail filtering appliance/server (a smart host) then you will want to use DNS/MX records to route mail > Next.

Add > Simply add an asterisk to the FQDN field (meaning all domains) > Save > Next.

Finish.

Beware: By default this connector has a 35 MB maximum message size; for most people that will be fine, but you may need to change this.
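As an added example (this is not the article’s own code), here are the post-install steps above done from the Exchange Management Shell, with a check at the end that shows which certificate each service is actually bound to. It assumes an invented server name EX01, public domain example.com, a share \\EX01\CertReq and a connector named ‘Internet’; replace them for your site.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell.
# Assumed names: server EX01, public domain example.com, share \\EX01\CertReq.
$Server       = 'EX01'
$PublicDomain = 'example.com'

# 1. Product key. The Information Store must restart before the edition changes.
Set-ExchangeServer -Identity $Server -ProductKey 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'
Restart-Service MSExchangeIS
Get-ExchangeServer $Server | Format-List Name, Edition, IsExchangeTrialEdition

# 2. Wildcard certificate request. The CSR is Base64 text; write it to the share
#    as the EAC does. The private key stays in the pending request on $Server.
$req = New-ExchangeCertificate -Server $Server -GenerateRequest -PrivateKeyExportable $true `
    -FriendlyName "Wildcard $PublicDomain" `
    -SubjectName "CN=*.$PublicDomain, O=Example Ltd, C=GB" `
    -DomainName "*.$PublicDomain", $PublicDomain
[System.IO.File]::WriteAllBytes("\\$Server\CertReq\wildcard.req",
    [System.Text.Encoding]::Unicode.GetBytes($req))

# 3. When the CA returns the certificate: complete the request, then bind services.
#    IIS covers OWA/ECP/EWS/ActiveSync/MAPI-HTTP/Autodiscover, SMTP covers transport TLS.
#    -Force suppresses the 'overwrite the existing default SMTP certificate?' prompt.
$cert = Import-ExchangeCertificate -Server $Server `
    -FileData ([System.IO.File]::ReadAllBytes("\\$Server\CertReq\wildcard.cer"))
Enable-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint -Services SMTP, IIS -Force

# Check: the self-signed certificates remain, but SMTP/IIS should now sit on the
# new thumbprint, and NotAfter tells you when to start the renewal.
Get-ExchangeCertificate -Server $Server |
    Format-Table Thumbprint, Services, NotAfter, IsSelfSigned, Subject -AutoSize

# 4. Internet send connector routed by MX lookup. 35 MB is the default maximum
#    message size; set it explicitly so the limit is a decision, not an accident.
New-SendConnector -Name 'Internet' -Internet -AddressSpaces 'SMTP:*;1' `
    -SourceTransportServers $Server -DNSRoutingEnabled $true -MaxMessageSize 35MB
```

If you route through a filtering appliance instead, swap -DNSRoutingEnabled $true for -SmartHosts with the appliance’s address; everything else stays the same.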

Exchange 2016 Add An Accepted Domain

Freshly installed the Exchange server will only be serving email addresses for your internal domain, most people will need to add in their public domain name. See the following article;

Exchange 2016 / 2013 Adding a New Email Domain

Exchange 2016 Move Mailbox Stores

Freshly installed your Exchange databases will be in the program install directory, I prefer to have the databases on their own volumes. See the following article;

Exchange 2016 (2013) Renaming and Moving Databases

Exchange 2016 Setup Split DNS

Most people have a different domain name publicly to their internal domain name, if yours is the same then skip this section. The easiest way to address this is to use split DNS, see the following article;

Windows – Setting Up Split DNS

 

Finally: Don’t forget to add your new Exchange servers into your backups! And install some AV. (Note: some AV products have very specific settings that might need disabling; I’m looking at you, McAfee.) At the very least exclude the folders holding your databases, transaction logs, and queue databases from AV scanning, as per Microsoft’s Exchange exclusion list, or the scanner can lock or corrupt them.

Related Articles, References, Credits, or External Links

NA

How To Install Exchange 2016 (Greenfield Site) – Part 2

KB ID 0001302

Problem

Back in Part-One, we looked at all the things to consider before you start to install Exchange 2016. Now we will start installing software, and getting to a point where we can configure Exchange 2016 and carry out some post deployment.

Solution

Your forest functional level needs to be at ‘Windows Server 2008’ or higher before you can install Exchange 2016.

The server you intend to deploy Exchange on needs to be a domain member server (installing it on a domain controller is supported but not recommended).

To save you any hassle, make sure your intended server is fully updated.

The server needs the .NET Framework installing; the versions (at time of writing) are;

  • Exchange 2016 CU3 and CU4: .NET 4.5.2 (4.6.1 also supported).
  • Exchange 2016 CU5 to CU7: .NET 4.6.2 required.
  • Later CUs move on to 4.7.1 and then 4.7.2; check the Exchange Server supportability matrix for the exact CU you are installing, because setup blocks on an unsupported .NET version.

Exchange 2016 Roles/Features Windows Server 2016

As with previous versions of Exchange there’s a long list of roles and features that needed to be added, open an administrative PowerShell Window and run the following;

[box]

Install-WindowsFeature NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS, Server-Media-Foundation

[/box]

Exchange 2016 Roles/Features Windows Server 2012 (2012 R2)

As with previous versions of Exchange there’s a long list of roles and features that needed to be added, open an administrative PowerShell Window and run the following;

[box]

Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS

[/box]

You will also need to install the ‘Unified Communications Managed API 4.0 Runtime‘ software. Note: Not required if you are only installing the management tools.

Windows Server 2016 Only: You should already have update KB3206632 as we updated the server above; if you skipped that step you need to pre-install that update, so update now!
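As an added example (not from the original article), here is a pre-flight script that checks the prerequisites listed above before you launch setup. The .NET ‘Release’ numbers are Microsoft’s published values for each 4.x build; the feature list is a subset of the full one above (the ones setup most often complains about); it assumes RSAT-ADDS is already installed so the ActiveDirectory module loads.

```powershell
# Added example, not part of the original article. Run on the intended Exchange server.
Import-Module ActiveDirectory
Import-Module ServerManager

# 1. Forest functional level must be Windows Server 2008 or higher.
"Forest mode   : $((Get-ADForest).ForestMode)"

# 2. Member server, not a DC (DomainRole 3 = member server, 4/5 = domain controller).
$role = (Get-WmiObject Win32_ComputerSystem).DomainRole
$roleText = if ($role -ge 4) { 'domain controller (not recommended)' }
            elseif ($role -eq 3) { 'member server' } else { 'NOT domain joined' }
"Domain role   : $role ($roleText)"

# 3. .NET Framework 4.x build from the registry 'Release' value (Microsoft's table).
$release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
            -ErrorAction SilentlyContinue).Release
if (-not $release) { $release = 0 }
$net = switch ($release) {
    { $_ -ge 461808 } { '4.7.2 or later'; break }
    { $_ -ge 461308 } { '4.7.1'; break }
    { $_ -ge 460798 } { '4.7';   break }
    { $_ -ge 394802 } { '4.6.2'; break }
    { $_ -ge 394254 } { '4.6.1'; break }
    { $_ -ge 379893 } { '4.5.2'; break }
    default           { "below 4.5.2 (Release=$release)" }
}
".NET version  : $net"

# 4. Roles/features (subset of the full list above) that must already be installed.
$needed  = 'NET-Framework-45-Features', 'RPC-over-HTTP-proxy', 'RSAT-ADDS', 'Web-Server',
           'Web-Asp-Net45', 'Windows-Identity-Foundation', 'RSAT-Clustering'
$missing = Get-WindowsFeature $needed | Where-Object { -not $_.Installed } |
           Select-Object -ExpandProperty Name
"Missing feats : $(if ($missing) { $missing -join ', ' } else { 'none' })"

# 5. UCMA 4.0 runtime, located by its display name in the Uninstall registry key.
$ucma = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
        Where-Object { $_.DisplayName -like 'Microsoft Unified Communications Managed API 4.0*' }
"UCMA 4.0      : $(if ($ucma) { 'installed' } else { 'MISSING' })"

# 6. Server 2016 only: KB3206632 has to be on before setup will run.
if ((Get-WmiObject Win32_OperatingSystem).Caption -like '*2016*') {
    $kb = Get-HotFix -Id KB3206632 -ErrorAction SilentlyContinue
    "KB3206632     : $(if ($kb) { 'installed' } else { 'MISSING, install before setup' })"
}
```

Compare the .NET line with the CU table above before you run setup; the readiness check will stop you anyway, but this saves the wait.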

Installing Exchange 2016

If you downloaded the Exchange media as a .iso file mount it and let it autoplay. If you extracted the software run Setup.exe. The first thing it will do is look to see if it has any updates.

Files will get copied over > Next > You will be presented with an introduction > Next.

Accept the EULA > Next > I usually just accept the recommended settings > Next.

Select either Mailbox server, Edge Transport server, or just the management tools > Next > Select the location that you want to install Exchange to > Next.

Note: Although in the example below I’m using the ‘C:’ drive, for production I would always install Exchange onto a separate volume to the OS.

I usually accept the default organisation name of ‘First Organization’; you can change it if you wish, but choose wisely because you can’t change it once installed > Next > Unless you have a specific requirement to disable the built-in malware protection, leave it enabled > Next.

Exchange now does a quick check to make sure it’s happy to progress; you will always get a couple of warnings, if it complains about anything else rectify it and click ‘recheck’, once you are happy click Next.

Setup takes ages! Seriously, go to lunch at this point > Next > Once completed I’ve ticked the box to open the Exchange Admin Center, but nearly every time I’ve done this it fails. Your best bet is to reboot the server, go and have a coffee, then come back, open a browser window and navigate to https://{server-FQDN}/ecp 

In Part 3, we will look at post install tasks.

Related Articles, References, Credits, or External Links

How To Install Exchange 2016 (Greenfield Site) – Part 1

How To Install Exchange 2016 (Greenfield Site) – Part 1

KB ID 0001301 

Problem

As the title implies, this article assumes you do not already have Exchange of any flavour in your organisation. If you do and you simply want to migrate to Exchange 2016, then this is NOT the article you want, instead head to the following link;

Migration From Exchange 2010/2007 to Exchange 2016 (& 2013)

Solution

Now before you sit at the keyboard there are a few things to consider;

Media: At the time of writing the Exchange 2016 CU5 download is over 5GB in size; if the site you are deploying on has a slow internet connection then you might want to consider getting the media and all the prerequisite software copied to disk before you start.

AV Software: Does your current AV solution have a product supported for Exchange 2016? 

Backup: Does your current backup solution fully cover Exchange 2016?

Exchange 2016 Outlook Software Requirements

Only the following are supported for Exchange 2016;

  • Outlook 2010 (fully updated).
  • Outlook 2013 (fully updated).
  • Outlook 2016 (fully updated).

Note: In previous versions it would state the service pack and specific updates that needed to be applied, now the requirement is ‘fully updated’.

Exchange 2016 Hardware Requirements

Obviously a 10,000-mailbox server processing 1,000 emails a day will have very different requirements to a server with 10 mailboxes processing 50 emails a day!

CPU: x64 processor, see this post for the sizing.

RAM: 8 GB (minimum) for Mailbox servers, 4 GB (minimum) for Edge Transport servers.

HDD: 30 GB free on the drive Exchange is installed to, plus 500 MB per UM language pack, an additional 200 MB free on the system drive, and 500 MB free on the drive holding the message queue database.

Exchange 2016 Operating System Requirements

  • Windows Server 2012 Standard or Datacenter, (not Core editions).
  • Windows Server 2012 R2 Standard or Datacenter, (not Core editions).
  • Windows Server 2016 Standard or Datacenter, (not Nano editions). Note: Requires Exchange 2016 CU3 or greater for Mailbox AND Edge roles.*
  • Windows 10 (Management tools only).
  • Windows 8.1 (Management tools only).

*Although on the supported list, Microsoft have recommended that you DO NOT install the edge role on a 2016 Server.

Note: If you have not installed Windows Server before ensure you choose the desktop experience option when you install it.

Exchange 2019/2016/2013 Licensing

As with all Microsoft products you need to be licensed to install them, the server itself comes in two licensing flavours;

  • Standard : 1 to 5 Mailbox databases.
  • Enterprise: 1 to 100 Mailbox databases.

And to access the servers, each client will need a CAL (Client Access Licence). As with previous versions they have given them the same names to confuse everyone! You do not need an Enterprise CAL for Enterprise Exchange, for example. The enterprise CAL just gives you some more features.

  • Standard: The minimum required to access Exchange, (per-database journaling/archiving).
  • Enterprise: Adds per-user journaling/archiving, DLP (Data Loss Prevention), IRM (Information Rights Management) and IPC (Information Protection and Control) features. It is an add-on, so each user still needs a Standard CAL as well.

Related Articles, References, Credits, or External Links

How To Install Exchange 2016 (Greenfield Site) – Part 2

Deploying Exchange 2013 (Greenfield Site)

Exchange 2010 (c/w SP1) Install – Greenfield Site

Chrome Browser – Show Sites SSL / HTTPS Certificate?

KB ID 0001300 

Problem

I used to use Chrome all the time back in the dark ages before I saw the light and bought a mac. Since then I’ve persevered with Safari and never felt the need to go back.

This afternoon someone in the office asked, ‘How do you see site certificates in Chrome?’ Which I thought was a little odd as it’s easy to do in IE, Firefox, and Safari. So I jumped on a remote machine for a look. Sure enough, it’s well hidden.

Solution

With the site loaded  > {Three Dots} or Ellipses  > More Tools > Developer Tools.

Security Tab (might be hidden, use the ‘more’ arrows) > View Certificate.

Related Articles, References, Credits, or External Links

NA

HP Switches – Find ‘Uptime’

KB ID 0001299 

Problem

Nice short and sweet article, you have an HP Switch, and you want to know how long it’s been online.

Solution

Execute the following command;

[box]

show system-information

[/box]

Note: On newer versions of the OS, the command may omit the hyphen i.e. show system information

Related Articles, References, Credits, or External Links

NA

Testing AnyConnect With Packet Tracer

KB ID 0001298

Problem

Packet tracer is a great tool; I wrote about it in the ‘Prove It’s Not the Firewall‘ article a while ago. A couple of months ago I was having a discussion with a colleague about packet tracing a remote VPN client to check connectivity, and he said at the time, “It will behave differently if the IP you use is already connected”. I never really thought about it until today, when I was troubleshooting a client’s AnyConnect that they had ‘hair-pinned‘ to another site.

So after I had finished I tested the theory on the bench, to discover he was correct.

Solution

Results When The IP is NOT IN USE

I prefer to work at the command line, so if I packet-trace the above connection (using normal HTTP port 80 for example) this is what I get;

[box]

Petes-ASA# packet-tracer input outside tcp  192.168.199.2 www 192.168.100.10 www

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.100.0   255.255.255.0   inside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.100.10/80 to 192.168.100.10/80

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inbound in interface outside
access-list inbound extended permit tcp any object Internal_HTTP_Server eq www
Additional Information:

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.199.2/80 to 192.168.199.2/80

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5786108, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Petes-ASA#

[/box]

If you really must use the ASDM here’s what it looks like in there;

Results When The IP is IN USE

So, if I connect my remote client, and it gets an IP, (for simplicities sake the same IP we used above), like so;

Then run the exact same test, here’s the result;

[box]

Petes-ASA# packet-tracer input outside tcp  192.168.199.2 www 192.168.100.10 www

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.100.0   255.255.255.0   inside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.100.10/80 to 192.168.100.10/80

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inbound in interface outside
access-list inbound extended permit tcp any object Internal_HTTP_Server eq www
Additional Information:

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.199.2/80 to 192.168.199.2/80

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Petes-ASA#

[/box]

Again, the same thing in the ASDM;

So the moral of the story is: if you are testing, make sure the IP you are using for the remote client is NOT in use. Once an address has been assigned to a connected AnyConnect session, the ASA expects traffic from it to arrive inside that SSL/DTLS tunnel, so a cleartext packet turning up on the outside interface with that source address is handed to the WEBVPN-SVC module (phase 9 above) and dropped, exactly as a spoofed packet would be. Packet-tracer injects a cleartext packet, which is why the result flips to ‘drop’ even though nothing in the ACL or NAT changed.

How do I know which AnyConnect IPs are in use? Simple: run the ‘show vpn-sessiondb anyconnect‘ command like so;

[box]

Petes-ASA# show vpn-sessiondb anyconnect

Session Type: AnyConnect

Username     : pete.long              Index        : 293
Assigned IP  : 192.168.199.2          Public IP    : 123.123.123.123
Assigned IPv6: 2a03:7f80:d1ab:199::1
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Essentials
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES128  DTLS-Tunnel: (1)AES128
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA1  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 4948010                Bytes Rx     : 555588
Group Policy : PNL-GP-ANYCONNECT-ACCESS
Tunnel Group : PNL-TG-ANYCONNECT-ACCESS
Login Time   : 14:07:00 GMT/BST Wed Apr 5 2017
Duration     : 0h:34m:48s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Petes-ASA#

[/box]
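As an added example (not part of the original article), here is a small PowerShell helper that does the two things this article boils down to: reads ‘show vpn-sessiondb anyconnect’ output to find the addresses in use, and reads packet-tracer output to tell you which phase dropped the packet. The sample text inside it is the article’s own ASA output, trimmed to the relevant lines; in practice paste in the full output from the ASA.

```powershell
# Added example, not from the original article. Parsers for the two ASA outputs
# shown above; the sample text is the article's own output, trimmed.

function Get-AnyConnectAssignedIPs {
    # Returns the IPv4 addresses currently assigned to AnyConnect sessions.
    # 'Assigned IPv6:' lines are deliberately not matched by the regex.
    param([string[]]$SessionDbOutput)
    foreach ($line in $SessionDbOutput) {
        if ($line -match '^\s*Assigned IP\s*:\s*(\d{1,3}(?:\.\d{1,3}){3})') { $Matches[1] }
    }
}

function Get-PacketTracerResult {
    # Splits packet-tracer output into phases and reports the first DROP, the final
    # Action line and the Drop-reason (if any).
    param([string[]]$TraceOutput)
    $phases = @(); $phase = $null; $action = ''; $reason = ''
    foreach ($line in $TraceOutput) {
        if ($line -match '^Phase:\s*(\d+)') {
            $phase = [pscustomobject]@{ Phase = [int]$Matches[1]; Type = ''; Subtype = ''; Result = '' }
            $phases += $phase
        }
        elseif ($line -match '^Action:\s*(\w+)')               { $action = $Matches[1] }
        elseif ($line -match '^Drop-reason:\s*(.+)$')          { $reason = $Matches[1].Trim() }
        elseif ($phase -and $line -match '^Type:\s*(.+)$')     { $phase.Type    = $Matches[1].Trim() }
        elseif ($phase -and $line -match '^Subtype:\s*(.+)$')  { $phase.Subtype = $Matches[1].Trim() }
        elseif ($phase -and $line -match '^Result:\s*(\S+)')   { $phase.Result  = $Matches[1] }
    }
    $drop = $phases | Where-Object { $_.Result -eq 'DROP' } | Select-Object -First 1
    [pscustomobject]@{ Action = $action; PhaseCount = $phases.Count; DropPhase = $drop; DropReason = $reason }
}

# --- Sample input: the article's output, trimmed ---
$sessionDb = @'
Session Type: AnyConnect

Username     : pete.long              Index        : 293
Assigned IP  : 192.168.199.2          Public IP    : 123.123.123.123
Assigned IPv6: 2a03:7f80:d1ab:199::1
'@ -split "`r?`n"

$trace = @'
Phase: 8
Type: CP-PUNT
Subtype:
Result: ALLOW

Phase: 9
Type: WEBVPN-SVC
Subtype: in
Result: DROP

Result:
input-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
'@ -split "`r?`n"

# --- Check before you trace: is the source IP you plan to use already assigned? ---
$testSource = '192.168.199.2'
$inUse = @(Get-AnyConnectAssignedIPs $sessionDb)
if ($inUse -contains $testSource) {
    Write-Warning "$testSource is assigned to a live AnyConnect session; packet-tracer will be punted to WEBVPN-SVC and dropped. Use a free pool address."
}

# --- And after: which phase dropped it, and why? ---
$result = Get-PacketTracerResult $trace
$result | Format-List Action, PhaseCount, DropReason
if ($result.DropPhase) {
    "Dropped at phase $($result.DropPhase.Phase) ($($result.DropPhase.Type)): $($result.DropReason)"
}
```

With the article’s second trace this prints a WEBVPN-SVC drop at phase 9; a drop in an ACCESS-LIST or NAT rpf-check phase instead points you at the ACL or NAT rules, not the VPN.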

Related Articles, References, Credits, or External Links

Packet-Tracer Fails Subtype: rpf-check Result: DROP

Cisco ASA ASDM – Packet Tracer Wont Work

Cisco ASA (acl-drop) Flow is Denied by Configured Rule

Exchange 2016 / 2019 Adding a New Email Domain

KB ID 0001297

Problem

On EE this morning someone asked this question and I realised I’ve never written it up. So If you want to add a new domain to an already working Exchange deployment how do you do it?

Solution

Firstly, you need to have purchased the new domain name, and have the DNS records setup properly  for the new domain name. See the following article;

Setting up the Correct DNS Records for your Web or Mail Server

Add the New Domain Into Exchange 2016 / 2013

Log into Exchange Admin Center > Mail Flow > Accepted Domains > Add.

Add a sensible name > Enter the new domain name > Select Authoritative > Save.

Create a User Mailbox For the New Domain

If you only have a few users to setup you can do them manually within the Exchange Admin Center  > Recipients > Mailboxes > Add.

On the properties of the new recipient you can edit the email addresses associated with it.

Change and add accordingly.

Remember, for individual users, to untick ‘Automatically update email addresses based on the email address policy applied to this recipient’ (otherwise the policy will put the addresses back) > then change the client’s ‘Reply address’ (the primary SMTP address) > OK > Save.

Create an Email Address Policy And Apply It to an OU

The procedure above does not scale well if you have a lot of users to allocate a new domain to, so you can write a new email address policy, and apply it to a particular OU, then create/import your new users into this OU, mail enable them, and they will all get the correct Email addresses.

Mail flow > Email Address polices > Add.

Add a new policy with the email  format you require;

Repeat to add multiple email address formats > Save.

Scroll down to where you want to apply the policy to and select ‘recipient container’, (because calling it ‘OU’ would have been too simple).

Select the OU with your users in > OK.

Note: You don’t have to use OU’s you can use other things like ‘department’ which will get read from the users AD object.

OK

With the policy selected  > Apply.

Now go and have a few cups of coffee, and your users will get the new policy.
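As an added example (this is not the article’s own code), here are both approaches above from the Exchange Management Shell: the one-off mailbox edit, and an email address policy scoped to an OU. It assumes an invented domain newdomain.com, an internal domain corp.local that is already an accepted domain, an OU ‘OU=NewCo Users,DC=corp,DC=local’ and a user ‘jsmith’; substitute your own.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell.
# Assumed: new domain newdomain.com, existing accepted domain corp.local,
# OU 'OU=NewCo Users,DC=corp,DC=local', mailbox 'jsmith'.

# 1. Accepted domain (Mail Flow > Accepted Domains > Add, type Authoritative).
New-AcceptedDomain -Name 'NewDomain' -DomainName 'newdomain.com' -DomainType Authoritative

# 2. A single user by hand. Detach the mailbox from the policy first, or the policy
#    will reset the addresses on its next run; the 'SMTP:' prefix in upper case is
#    what makes an address primary, which -PrimarySmtpAddress sets for you.
Set-Mailbox -Identity 'jsmith' -EmailAddressPolicyEnabled $false `
    -EmailAddresses @{ Add = 'john.smith@newdomain.com' }
Set-Mailbox -Identity 'jsmith' -PrimarySmtpAddress 'john.smith@newdomain.com'

# 3. At scale: an address policy applied to a recipient container (the OU).
#    Templates: %g = given name, %s = surname, %m = alias. Upper-case SMTP: is the
#    primary address, lower-case smtp: entries are secondary addresses kept so old
#    mail still arrives. Priority 1 puts it ahead of the default policy.
New-EmailAddressPolicy -Name 'NewDomain users' -Priority 1 `
    -IncludedRecipients MailboxUsers `
    -RecipientContainer 'OU=NewCo Users,DC=corp,DC=local' `
    -EnabledEmailAddressTemplates 'SMTP:%g.%s@newdomain.com', 'smtp:%m@corp.local'
#    (The article's alternative of keying on department instead of OU would be
#     -ConditionalDepartment 'Sales' in place of -RecipientContainer.)

# 4. Push it out now rather than waiting for the next scheduled run.
Update-EmailAddressPolicy -Identity 'NewDomain users'

# Check: who in the OU got what, and who is still detached from the policy.
Get-Mailbox -OrganizationalUnit 'OU=NewCo Users,DC=corp,DC=local' |
    Format-Table Name, PrimarySmtpAddress, EmailAddressPolicyEnabled -AutoSize
```

Mailboxes you edited by hand in step 2 show EmailAddressPolicyEnabled as False and are left alone by step 4, which is exactly the behaviour the tick-box in the EAC controls.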

Related Articles, References, Credits, or External Links

NA

Barracuda Web Filter – Not Displaying Usernames

KB ID 0001296 

Problem

I installed a Barracuda Web Filter 410 hardware appliance last week for a client on a 30 day trial. It was in ‘inline’ mode in front of their firewall and was happily logging all web activity and sites that were getting blocked. The problem was when you looked in the log this is what you saw;

With other vendors you simply need to put an agent in to fix this, and as it turns out Barracuda is no different.

Solution

I went onto the web and tried to get the agent, but you can download it straight from the appliance. (Users and Groups > Authentication Tab)

To proceed you need to add your domain controllers onto the Barracuda.

Note: You will need a domain account (a simple domain user is fine, it does not need any additional rights; don’t give it any, because its password is stored on the appliance). Here I’m connecting via 389, which sends that account’s password to the DC in clear text on every bind; if you want to connect with LDAPS (636) instead, see the following article.

Windows Server 2012 – Enable LDAPS

Once you have installed the ADAgent.exe, (on each domain controller), run it and enter your domain user account, and test it connects properly.

Then add in your Barracuda device.

Note: There’s nothing else you need to do in the agent, but while you are setting it up I suggest you set the logging level to debugging (and turn it back down afterwards).

Now, before the successful logon events can be uploaded to the Barracuda, the domain controllers need to have auditing enabled for;

  • Audit account logon events (success)
  • Audit logon events (success)

You can set this in the ‘local security policy’ on each of the domain controllers (Administrative Tools > Local Security Policy), but remember that the Default Domain Controllers Policy GPO overrides local policy at the next refresh, so if it defines these settings (or you want this to stick) set them in that GPO instead.

On the Barracuda itself  you now have to register the agent for each one you have deployed, after a few minutes they should ‘go green’ this is done on the same tab you specified the domain controllers.

You now need to wait until your users have logged off and back on again before it starts logging properly so leave it a while to slowly populate.
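As an added example (not part of the original article), here is how I would set and verify the audit settings above on each DC, and check the LDAP side, from PowerShell. It assumes an invented DC name dc01.corp.local and uses the advanced audit subcategories that produce the success events the agent reads (4624 for logons, 4768/4769 for Kerberos ticket requests, which is what ‘account logon’ means on a DC).

```powershell
# Added example, not from the original article. Run elevated on each domain controller.
# Assumed DC name: dc01.corp.local.

# Current state of the two categories the Barracuda needs.
auditpol /get /category:"Logon/Logoff","Account Logon"

# Enable success auditing on the subcategories behind 'Audit logon events' and
# 'Audit account logon events'. Advanced subcategories override the legacy
# category setting on 2008 R2+, and a GPO will overwrite these at the next
# refresh, so put the same settings in the Default Domain Controllers Policy
# for anything permanent.
auditpol /set /subcategory:"Logon" /success:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable

# Confirm the events are actually being written (last hour, counted by ID).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4768, 4769; StartTime = (Get-Date).AddHours(-1) } `
    -ErrorAction SilentlyContinue |
    Group-Object Id | Select-Object Count, Name

# The appliance binds to the DC with the lookup account; on 389 a simple bind sends
# its password in clear text, so check the DC is listening on 636 for LDAPS.
# (Test-NetConnection needs Server 2012 R2 or later.)
Test-NetConnection -ComputerName 'dc01.corp.local' -Port 636 | Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

If the Get-WinEvent line returns nothing after a user has logged on, the agent has nothing to forward and the Barracuda log will keep showing IP addresses instead of names.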

Related Articles, References, Credits, or External Links

Barracuda Email Security Gateway Setup and Deployment