Get Ready for LDAPS Channel Binding

KB ID 0001645

Problem

I have written about Enabling LDAPS a long time ago, but it’s a subject that’s about to become important again, so I’ll revisit the subject. Microsoft are about to ‘enforce’ LDAPS authentication against their domain controllers in the March 2020 round of updates. Now delayed until the second half of 2020.

What does that mean? Well, lookups against LDAP will now need to be secure (i.e. SSL protected and over TCP port 636), whereas before they were in plain text over TCP port 389.

So you need to start worrying about this now!

Solution

Enable LDAPS for your Domain Controllers

As I’ve mentioned above, I’ve covered this before, but as a quick recap: you need to have Microsoft Certificate Services deployed. Please don’t just add the role to a server and click ‘Next’ furiously. Take this opportunity to deploy Certificate Services properly!

Microsoft PKI Planning and Deploying Certificate Services

Then make sure you have a Kerberos Authentication certificate template published;

If you do not: Simply follow the steps shown below.

Then on your domain controller(s): Windows Key +R > mmc.exe > OK > File > Add/Remove Snap-in > Certificates > Add > Computer > Local Computer.

Expand Certificates > Personal > Certificates > Request a Kerberos Authentication certificate.

Ta-Da!

Windows Server Testing LDAPS

The simplest way I’ve found to do this is to use Ldp.exe; simply run Ldp from the command line. Note: Ldp will normally only be found on domain controllers, and on servers/clients that have the ‘AD DS and AD LDS Tools‘ installed.

Connection > Connect > Enter the FQDN of the domain controller to test > Tick SSL > Ensure Port is set to 636 > OK

Connections > Bind > Bind as currently logged on user, (unless you want to test a particular account), any member of domain users should work > OK.

View > Tree > Select the root DN of your domain > OK

If all is well you should be able to browse your Active Directory.

Tech Tip: I do this every time I need to enter a DN, because you can browse to any object and copy its DN from here, (and I’m too lazy to type them out by hand!)

Test LDAPS Port With PowerShell

If you want to check that the port is open, i.e. not blocked by the Windows firewall or by a physical firewall between you and the server, use;

[box]

Test-NetConnection {FQDN-Of-Server} -Port 636

[/box]
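Test-NetConnection only proves that the port answers. As an added example (not from the original article), the following PowerShell function completes the TLS handshake on 636 and reports the certificate the domain controller presented: whether it chains to a trusted root on the machine you run it from, whether its name matches the FQDN you connected to, and whether it carries the Server Authentication EKU. The FQDN dc01.pnl.com is a placeholder, and no LDAP bind is performed.

```powershell
# Added example: validate an LDAPS endpoint beyond "is the port open?".
# Assumes Windows PowerShell 5.1 or later (uses the .NET SslStream class).
function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory)][string]$Server,   # FQDN of the DC, exactly as a client would use it
        [int]$Port = 636
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
    } catch {
        # Closed or filtered port: the same answer Test-NetConnection gives you
        return [PSCustomObject]@{ Server = $Server; Port = $Port; TcpOpen = $false; Error = $_.Exception.Message }
    }

    # Accept any certificate during the handshake so we can inspect it and validate the chain
    # ourselves; an untrusted certificate is then reported as data rather than thrown as an exception.
    $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Build the chain against this machine's trust store, as an LDAPS client on this box would
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ','

        # Server Authentication EKU (1.3.6.1.5.5.7.3.1); the Kerberos Authentication template includes it
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $serverAuth = $false
        if ($eku) { $serverAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }) }

        # Name check: the FQDN we connected to must appear in the SAN, or failing that in the subject CN
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($san) { $san.Format($false) } else { '' }
        $escaped = [regex]::Escape($Server)
        $nameOk = ($sanText -match $escaped) -or ($cert.Subject -match "CN=$escaped")

        [PSCustomObject]@{
            Server        = $Server
            Port          = $Port
            TcpOpen       = $true
            Protocol      = $ssl.SslProtocol
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            Expired       = ($cert.NotAfter -lt (Get-Date))
            NameMatches   = $nameOk
            ServerAuthEku = $serverAuth
            ChainTrusted  = $chainOk
            ChainStatus   = $chainStatus
            Error         = $null
        }
    } catch {
        # Handshake failed (e.g. no certificate available for LDAPS yet, or a protocol mismatch)
        [PSCustomObject]@{ Server = $Server; Port = $Port; TcpOpen = $true; Error = $_.Exception.Message }
    } finally {
        $ssl.Close()
        $client.Close()
    }
}

# Placeholder FQDN: replace with one of your own domain controllers
Test-LdapsEndpoint -Server 'dc01.pnl.com' | Format-List
```

A result with TcpOpen true but ChainTrusted false usually means the client you are testing from does not trust your CA, which is exactly the problem an appliance will report when you switch it to LDAPS.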

Additional LDAP Test Tools

Over on GitHub there’s also a tool called LDAP Explorer Tool, if you want to do some more granular testing;

Find Out What’s Using LDAP and Prepare for LDAPS

If you don’t enforce LDAPS already, then your Directory Service event logs will be full of Event ID 2886 and Event ID 2887.

Event ID 2886

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: xx/xx/xxxx xx:xx:xx
Event ID: 2886
Task Category: LDAP Interface
Level: Warning
Keywords: Classic
User: ANONYMOUS LOGON
Computer: {Server-Name}
Description:
The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.

Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds.

For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.

You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the “LDAP Interface Events” event logging category to level 2 or higher.

Event ID 2887

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: xx/xx/xxxx xx:xx:xx
Event ID: 2887
Task Category: LDAP Interface
Level: Warning
Keywords: Classic
User: ANONYMOUS LOGON
Computer: {Server-Name}
Description:

During the previous 24 hour period, some clients attempted to perform LDAP binds that were either:
(1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or
(2) A LDAP simple bind that was performed on a clear text (non-SSL/TLS-encrypted) connection

This directory server is not currently configured to reject such binds. The security of this directory server can be significantly enhanced by configuring the server to reject such binds. For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.

Summary information on the number of these binds received within the past 24 hours is below.

You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the “LDAP Interface Events” event logging category to level 2 or higher.

Number of simple binds performed without SSL/TLS: 0
Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing: 1

Enable LDAPS Logging / Reporting

So you need to enable logging; then, when insecure (non-LDAPS) connections are made, another Event ID will be logged that will point you towards what needs to be fixed.

Open Regedit and navigate to;

[box]

HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

[/box]

Change the ’16 LDAP Interface Events’ DWORD value to ‘2’ > OK.

Or Execute the following command;

[box]

Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2

[/box]

Or Execute the following Powershell command;

[box]

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' -Name "16 LDAP Interface Events" -Value 2 -PropertyType DWORD -Force

[/box]

Checking for Insecure LDAP (TCP 389) Connections

Now you can locate the insecure connections by looking for Event ID 2889.

Event ID 2889

Above you can see the IP address of the device trying to bind insecurely; you can also see that Anonymous Login was attempted.

Above you can see the IP address of the device trying to bind insecurely; you can also see the domain username that is being used, ‘PNL\asa’.
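Once the diagnostic level is raised, these 2889 events are what you need to mine before you enforce anything. As an added example (not from the original article), this PowerShell pulls them from a domain controller and summarises which client addresses and accounts are still binding insecurely; it assumes the event’s three message properties are, in order, the client address:port, the identity bound as, and the binding type, and the sample rows at the bottom (addresses included) are constructed.

```powershell
# Added example: turn Event ID 2889 into a "who still needs fixing" list.
# Assumes the Directory Service log is readable from where you run this (run it on, or as an admin of, the DC).
function Get-InsecureLdapBind {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # domain controller to query
        [int]$Hours = 24                              # look-back window
    )
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddHours(-$Hours) }
    # Get-WinEvent errors when nothing matches; an empty result simply means nothing to fix
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [PSCustomObject]@{
                TimeCreated = $_.TimeCreated
                # IPv4 clients are logged as address:port; drop the ephemeral port so we can group by host
                ClientIP    = $_.Properties[0].Value -replace '^(\d{1,3}(?:\.\d{1,3}){3}):\d+$', '$1'
                Identity    = $_.Properties[1].Value
                BindType    = [int]$_.Properties[2].Value   # raw binding-type value as logged by the DC
            }
        }
}

function Get-InsecureLdapBindSummary {
    param([Parameter(ValueFromPipeline)]$Bind)
    begin   { $all = @() }
    process { $all += $Bind }
    end {
        $all | Group-Object ClientIP, Identity | ForEach-Object {
            [PSCustomObject]@{
                ClientIP = $_.Group[0].ClientIP
                Identity = $_.Group[0].Identity
                Binds    = $_.Count
                LastSeen = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
            }
        } | Sort-Object Binds -Descending
    }
}

# Constructed sample rows so the summary can be exercised without a DC to hand.
# The 'PNL\asa' identity mirrors the screenshot described above; the addresses are made up.
$sample = @(
    [PSCustomObject]@{ TimeCreated = [datetime]'2020-01-20T09:00:00'; ClientIP = '192.168.100.254'; Identity = 'PNL\asa';         BindType = 0 }
    [PSCustomObject]@{ TimeCreated = [datetime]'2020-01-20T09:05:00'; ClientIP = '192.168.100.254'; Identity = 'PNL\asa';         BindType = 0 }
    [PSCustomObject]@{ TimeCreated = [datetime]'2020-01-20T10:15:00'; ClientIP = '192.168.100.77';  Identity = 'ANONYMOUS LOGON'; BindType = 1 }
)
$sample | Get-InsecureLdapBindSummary | Format-Table -AutoSize

# Against a real domain controller (placeholder name), over the last 7 days:
# Get-InsecureLdapBind -ComputerName 'dc01.pnl.com' -Hours 168 | Get-InsecureLdapBindSummary
```

Run it against every domain controller, not just one: clients bind to whichever DC they locate, so a single DC’s log is only part of the picture.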

Disable LDAPS (Temporarily)

LDAPS channel binding enforcement is enabled and disabled with the following registry key;

[box]

HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LdapEnforceChannelBinding

[/box]

Note: You will need to CREATE this DWORD yourself;

Values: 0 Disabled, and 1 Enabled

WARNING: Take note I said temporarily; just because you have a crappy old insecure appliance or service that can’t use LDAPS does not mean you should simply turn off security. Get it fixed! However, I appreciate you work in the real world, and if systems are down and you are getting shouted at, then fair enough. But you should have read this when I wrote it in January 2020 my friend – bet you wished you followed me on Twitter or Facebook now eh?

Cisco ASA Change from LDAP to LDAPS

Well, I’m the Cisco ASA guy, so what happens if you are securing AAA access using LDAP on your firewall (for AnyConnect, Remote VPN, or device access)? How do you swap to LDAPS? Like so;

You will also need to upload the Root CA certificate from your Certificate Services server to the ASA (so it trusts the server’s Kerberos certificate).


Related Articles, References, Credits, or External Links

Moving Certificate Services To Another Server

Microsoft PKI Planning and Deploying Certificate Services

Upgrade Your Microsoft PKI Environment to SHA2 (SHA256)

Duo: Migrate from LDAP to LDAPS

Veeam: No Backup Proxy is Able to Process this VM

KB ID 0001644

Problem

While setting up some new backups, all the virtual machines failed like so;

Unable to allocate processing resources. Error: No backup proxy is able to process this VM due to proxy processing mode restrictions.

Solution

On the face of it this looks like a simple problem: either your backup proxy does not have the capacity, you have too many jobs running at once, or you need to deploy some more backup proxies.

However, I tested this by creating a new job with one ‘problem’ VM in it and made sure no other jobs were running. It failed with the same error. So it’s got nothing to do with lack of resources!

The Actual Problem: The backup proxy (a physical machine) had direct fibre access to the storage array, and its backup mode was set to ‘Direct Storage Access’. These new VMs were on a different Datastore/LUN that the Veeam server could not see! So you can either tick ‘Failover to network mode if primary mode fails or is unavailable’,

Or, a better option, present the correct storage LUNs to the Veeam Backup server.

Related Articles, References, Credits, or External Links

Veeam Backup and Recovery Download

Veeam Availability Suite Download

Veeam Backup For Office 365 Download

Veeam Backup For Azure Download

Veeam Backup for AWS Download

Azure AD Connector: Disable ADFS Authentication

KB ID 0001643

Problem

Why would you want to disable ADFS authentication? Well, what if ADFS is down, or you want to revert to some other authentication method? I was in a position a few weeks ago where I needed to disable ADFS on a client’s Azure AD Sync. At that time the Microsoft Tech on the phone steered us towards doing what I can only describe as a ‘forced de-federation’. This involved using PowerShell, and it resets the password on all the ‘cloud’ accounts and puts those passwords in a text file.

[box]

Convert-MsolDomainToStandard -DomainName {Federated-Domain-Name} -SkipUserConversion $false -PasswordFile c:\password.txt

[/box]

BUT YOU DON’T NEED TO DO THAT!

I need to migrate the same client to ADFS in the near future, so I wanted to investigate what to do if I had a problem in future: “How do I roll back?” and, more importantly, “How do I limit disruption if there’s a problem?”

So I built it on the test bench, and did it myself.

Solution

To disable ADFS you need to substitute it with something else; the most common (and easiest) options to work with are ‘Password Hash Synchronisation‘ or ‘Pass-Through Authentication’. I’m going to use password hash synchronisation, but I will also link to pass-through authentication if you prefer that option.

First job is to make sure you are on the newest version of Azure AD Connect you can get your hands on. Older versions will not have the options you require. The version you see below was the newest at the time of writing.

Then we need to enable password hash synchronisation > Launch Azure AD Connect > Configure > Customise Synchronisation options > Proceed to ‘Optional Features’ > Tick ‘Password Hash Synchronisation’ > Complete the wizard.

WAIT! Let your AD replicate the password hashes; I usually just force a Delta Azure AD Replication. Then you need to swap from ADFS. Launch Azure AD Connect > Configure > Change user sign-in > Next > Tick ‘Password Hash Synchronisation’ > Accept the warning > Next.

Note: Yes, I saw the warning too, but I had users logged into Outlook etc., and no-one was re-prompted, and no-one was refused authentication. Even so, if you are concerned you might want to do this on a weekend, or after hours.

OK, what about ‘Pass-Through Authentication’? If you want a long term scalable ADFS replacement this might be a better option for you; there are some hoops to jump through, and a bit more planning and forethought. See the following article for an explanation;

Azure Pass-through Authentication

Because we are enabling single sign-on, you will be prompted for a set of local domain admin credentials > Complete the wizard.

Then force a Delta Azure AD Replication.

Related Articles, References, Credits, or External Links

NA

Azure Pass-through Authentication

KB ID 0001642

Problem

I’ve never really taken the time to look at pass-through authentication, I set up Azure AAD sync, then I either use ADFS or I don’t. It was only when looking at removing ADFS, that I even looked at it as an option. 

How does Pass-through Authentication Work?

  1. Remote client attempts to authenticate to Office 365 (Azure Active Directory).
  2. Azure queues the request and sends it to an Azure Authentication Agent (on-prem), of which there may be many. Note: The requests will load balance.
  3. The Azure Authentication Agent checks the authentication request against the local Active Directory.
  4. The Azure Authentication Agent sends its response back to Azure Active Directory.
  5. The client is authenticated (or denied!)

Why is that Good?

Well, you don’t need to deploy ADFS or WAP. The agent only needs HTTPS (outbound) on the firewall. Note: If you have a proxy server, there are some URLs you need to allow. And you don’t need to wait for the default 30 minute AAD replication cycle for changes etc.

Solution

I’m assuming you already have Azure AD Sync set up and running (simply accept ‘Express settings’ and all the defaults). Once you have your local AD replicated to Azure, you can switch over to pass-through authentication.

Open Azure AD Sync > Configure > Change user sign-in > Proceed to ‘User sign-in’ > Pass-through authentication > Finish the wizard.

What happens is the ‘first’ Azure Authentication Agent is installed on the Azure AAD server > Force an AAD Sync > Then look in your Azure Portal > Azure Active Directory > Azure AD Connect > Pass-through authentication > You should see your first agent.

You can select it and check its details. Note: You can download the Azure Authentication Agent software from this page to deploy additional Azure Authentication Agents.

The additional agents are simple to deploy; they will require you to authenticate to Azure though.

They will appear one at a time as deployed.


Related Articles, References, Credits, or External Links

NA

Microsoft Edge (macOS) Migrate Bookmarks from Safari

KB ID 0001641

Problem

So now there’s a version of Microsoft Edge for macOS! Normally I would not bother, but I spend a lot of time in SharePoint and Azure, so I thought, rather than my usual approach of playing ‘Browser Roulette’, I’d try Microsoft Edge and see what it was like.

My usual browser of choice is Safari, but the install wizard defaults to wanting to import bookmarks / favourites* from Chrome. (I do also have Chrome, but I don’t use it often!)

*Note: Wow! Microsoft have spelled Favourites correctly for once!

So how to get my Safari Bookmarks?

Solution

Firstly, Edge needs full disk access to get the bookmarks > Apple Logo > System Preferences > Security & Privacy > Privacy > Full Disk Access > ‘UNLOCK’ > Tick Microsoft Edge.

Launch Edge > {ellipses} > Settings > Import Browser Data > Select ‘Safari’ > Import.

So now they are there, but they look like a ‘bag of spanners’: all my neat folders have been moved into another folder called ‘Imported from Safari’.

From ‘Manage Favourites’, you can drag everything to where you want it.

Related Articles, References, Credits, or External Links

NA

Password Sync: No Recent Syncronization

KB ID 0001640

Problem

I recently migrated the server that was running my Azure AD Connector. It was showing no errors post migration so I thought no more about it. A few days later I logged in to Office 365 and saw this;

AAD Connect Status
Azure AD Connect
Password sync: no recent synchronization

Solution

Apparently this can suddenly happen if you are running an old version of AAD Connect. But I checked and mine was brand new (I’d only just installed it, remember). A quick look in the Event Viewer pointed me in the right direction.

Event ID 611

Log Name: Application
Source: Directory Synchronization
Date: xx/xx/xxxx xx:xx:xx
Event ID: 611
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: {server-name}
Description:
Password hash synchronization failed for domain: pnl.com, domain controller hostname: PNL-MGMT.pnl.com, domain controller IP address: 192.168.100.3. Details:
Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8453 : Replication access was denied. There was an error calling _IDL_DRSGetNCChanges.


I’ve highlighted the important part, RPC Error 8453: Replication access was denied. So we have a permissions/rights problem. As I’d set a new user up for the AAD connector software, I checked their rights and found out I was missing the following;

Ensure that the user you are running AAD sync under has the following permissions on the ‘root’ of your local AD domain.

  • Replicating Directory Changes: Allow
  • Replicating Directory Changes All: Allow

Then I forced an AAD sync and waited a few minutes; the problem then disappeared.
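If you would rather confirm those two rights from PowerShell than click through the ACL editor, the following added example (not from the original article) checks whether a given account holds ‘Replicating Directory Changes’ and ‘Replicating Directory Changes All’ directly on the domain root, using the well-known control access right GUIDs those friendly names map to. The account name svc-aadsync is a placeholder, and the check needs the ActiveDirectory module (RSAT).

```powershell
# Added example: verify the AAD Connect service account's replication rights on the domain root.
# Assumes the ActiveDirectory module (RSAT) is installed; run as a user who can read the domain ACL.
Import-Module ActiveDirectory

function Test-AadSyncReplicationRight {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,          # account AAD Connect syncs under
        [string]$DomainDN = (Get-ADDomain).DistinguishedName    # 'root' of the local AD domain
    )
    # Well-known control access right GUIDs behind the two friendly names in the ACL editor
    $rights = [ordered]@{
        'Replicating Directory Changes'     = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
        'Replicating Directory Changes All' = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
    }
    $sid = (Get-ADUser -Identity $SamAccountName).SID
    $acl = Get-Acl -Path "AD:\$DomainDN"

    foreach ($name in $rights.Keys) {
        # Direct ACEs only: a right the account gets via group membership (e.g. Domain Admins)
        # is not detected here, which is deliberate; the fix in this article grants it directly.
        $ace = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
            $_.ObjectType -eq $rights[$name] -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
        }
        [PSCustomObject]@{ Account = $SamAccountName; Right = $name; Granted = [bool]$ace }
    }
}

# Placeholder account name: replace with the account your AAD Connect password sync runs as
Test-AadSyncReplicationRight -SamAccountName 'svc-aadsync' | Format-Table -AutoSize
```

A row with Granted false for either right is the condition that produces the Event ID 611 / RPC error 8453 above.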

Related Articles, References, Credits, or External Links

NA

Windows Server – Change Your Password in an RDP Session (Send Ctrl+Alt+Del)

KB ID 0001183 

Problem

Colleague: Windows Server, Where’s Windows Security gone?

Me: Eh?

Colleague: Windows Security!

Me: What are you trying to do?

Colleague: I want to change my password and I can’t send a Ctrl+Alt+Delete to the remote server.

Well, I know that pressing Ctrl+Alt+Delete would let you change your password like so;

I wasn’t aware that in Server 2008 and earlier if you were connected via RDP you got a ‘Windows Security’ option that lets you do the same, like so;

This is because if you press Ctrl+Alt+Delete it will execute on YOUR machine, not the remote one. But this option is not included in Windows 2012 any more.

Solution

Well, normally you can just use Ctrl+Alt+END while in an RDP session. But, like me, my colleague was using a Mac, and we don’t have an END key!

Mac OSX Send a Ctrl+Alt+END Sequence

If you are RDP connected from OSX, then use Ctrl+Alt+Fn+Backspace.

If you are RDP connected using a Mac keyboard, or from a VM session on your Mac (i.e. from a VMware Fusion Windows machine), then use Ctrl+Alt+Fn+Right-Arrow.

Other Solution

From within the RDP session, launch the on-screen keyboard, (Start > Run > osk). Then Press Ctrl+Alt on your physical keyboard, and click the delete key on the on-screen keyboard with your mouse cursor like so;


BETTER Solution

Within the RDP session open powershell and run the following command;

[box]

(New-Object -COM Shell.Application).WindowsSecurity()

[/box]


Or use the following VBScript shortcut.

[box]

Set objShell = CreateObject("Shell.Application")
objShell.WindowsSecurity

[/box]

Scalable Solution (Create Password Reset Shortcut)

Create a shortcut for;

[box]

explorer.exe shell:::{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}

[/box]


Note: If you have a bunch of RDP servers you want to roll this out to, you can set it up on your administrative account, capture your start menu to an XML file, and then distribute that start menu to all your users via group policy (not available with Server 2012 or earlier).

Related Articles, References, Credits, or External Links

NA

Cisco Firewall Port Forwarding

KB ID 0000077

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.

Note2: If your firewall is running a version older than 8.3 you will need to scroll down the page.

Port forwarding on Cisco firewalls can be a little difficult to get your head around. To better understand what is going on, remember that in the “World of Cisco” two things apply;

1. NAT Means translate MANY addresses to FEW Addresses

2. PAT Means translate MANY addresses to ONE Address.

Why is that important, you ask? Well, most networking types assume NAT is translating one address to many, BUT on a Cisco device this is PAT, and it uses (as the name implies) port numbers to track everything, e.g. the first outbound connection might be seen on the firewall as 123.123.123.123:1026 and the second outbound connection might be seen as 123.123.123.123:2049, so when the traffic comes back the firewall knows where to send it.

Fair enough but what has that got to do with Port Forwarding? Well you can use the exact same system to lock a port to an IP address – so if only one port can go to one IP address then that’s going to give you port forwarding 🙂

To make matters more confusing (sorry), you configure PAT in the NAT settings; for this very reason it confuses the hell out of a lot of people, and the GUI is not intuitive for configuring port forwarding (the ASDM is better than the old PIX PDM), but most people (me included) prefer to use the command line to do port forwarding.

Below you will find;

Option 1: Use ASDM
Option 2: Use the Command Line Interface
Option 3: Use PDM (PIX v6 Only)

Option 1: Port Forwarding Using ASDM

Note: This option uses ASDM version 7.9(2). If yours is older, see below;

Connect to the ASDM, Configuration > Firewall > NAT Rules > Right Click ‘Network Object Nat Rules’ > Add ‘Network Object’ Nat Rule.

Name = “Give the internal server/host a sensible name” > Type = Host > IP Address = The internal / private IP address > Type = Static > Translated address = Outside > Advanced > Source Interface = Inside > Destination Interface = Outside > Protocol = TCP > Real port = http > Mapped Port = http > Ok > OK > Apply.

Note: This assumes your Outside interface is called outside, Inside interface is called inside and you want to port TCP port 80 (http).

Configuration > Firewall > Access Rules > Right Click ‘Outside Interface’ > Add Access Rule.

Interface = Outside > Action = Permit > Source = Any > Destination {Browse} > Locate the object you created earlier > Add to Destination > OK.

Service {Browse} > Select the Port you require (i.e. http) > OK.

OK > Apply > When you have tested it works, save the changes.


Using Older ASDM (PIX V7 and ASA5500) 1 Port to 1 IP Address

1. As above, you will need to know the port and the IP to forward it to. Launch the ASDM, select Configuration > Security Policy > Then either Rules > Add, or right click the incoming rules and select “Add Access Rule.”

2. Interface = Outside > Direction = Incoming > Action = Permit > Source = Any > Destination, Type = Interface IP, Interface = Outside > Protocol = TCP > Destination Port Source = smtp (for example) > OK > Apply.

3. Back at the main screen select Configuration > NAT > Add, or Right Click an Existing mapping and click “Add Static NAT Rule.”

4. Real Address Interface = Inside > IP Address = 10.254.254.1 > Netmask = 255.255.255.255 > Static Translation Interface = outside > IP Address = (Interface IP) > Tick “Enable Port Translation (PAT)” > Protocol = TCP > Original Port = smtp > Translated Port = smtp (for example) > OK > Apply.

5. File > “Save Running Configuration to Flash.”

Option 2 Use the Command Line to Port Forward (Post Version 8.3)

Note: Port forwarding changed on PIX/ASA devices running OS 8.3 and above. There is no longer a global command; for a full run-down of the changes click here.

If you issue a global command after version 8.3 you will see this error;

ERROR: This syntax of nat command has been deprecated.
Please refer to “help nat” command for more details.

1. First things first, you will need to know what port you want to forward, and where you want to forward it. For this example we will assume I’ve got a server at 10.254.254.5, and it’s a web server, so I want to forward all TCP Port 80 traffic (HTTP) to it. Connect to the Firewall via Console/Telnet or SSH.

[box]

Warning Notice
User Access Verification#
Password:********
Type help or '?' for a list of available commands.
Petes-ASA>

[/box]

2. Enter enable mode, and enter the enable mode password.

[box]

Petes-ASA> enable
Password:********
Petes-ASA#

[/box]

3. Now we need to go to configuration mode.

[box]

Petes-ASA# configure terminal
Petes-ASA(config)#

[/box]

4. Create an object for the web server that the traffic is going to be forwarded to.

[box]

Petes-ASA(config)# object network Internal_Web_Server
Petes-ASA(config-network-object)# host 10.254.254.5

[/box]

5. Then create a NAT translation for the port to be forwarded. Then you can exit the network object prompt.

[box]

Petes-ASA(config-network-object)# nat (inside,outside) static interface service tcp http http
Petes-ASA(config-network-object)# exit

[/box]

6. Now you need to allow the HTTP traffic in. Before you can add an ACL you need to see if you already have one. We are applying an ACL to the outside interface for traffic going in (I call this inbound, for obvious reasons). To see if you already have an ACL applied, issue the following command;

[box]

Petes-ASA# show run access-group
access-group inbound in interface outside
access-group outbound in interface inside

[/box]

Note: In the example above we have an ACL called inbound that we MUST use. (If you added a new one, all the access list entries for the old one get ‘un-applied’.) If yours has a different name (e.g. outside_access_in), then use that instead of the ACL name I’m using here. If you DON’T have an access-group entry for inbound traffic, then we will do that at the end!

[box]

Petes-ASA(config)# access-list inbound permit tcp any object Internal_Web_Server eq http

[/box]

7. Then: Only carry out the following command if you DO NOT HAVE an ACL applied for incoming traffic.

[box]

Petes-ASA(config)# access-group inbound in interface outside
Petes-ASA(config)#

[/box]

8. Don’t forget to save your hard work. (write memory).

[box]

Petes-ASA(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#

[/box]

All the commands to Copy & Paste (Post v 8.3);

[box]

object network Internal_Web_Server
 host 10.254.254.5
nat (inside,outside) static interface service tcp http http
access-list inbound permit tcp any object Internal_Web_Server eq http
access-group inbound in interface outside

[/box]

Use the Command Line to Port Forward (pre version 8.3) 1 Port to 1 IP Address

1. First things first, you will need to know what port you want to forward, and where you want to forward it. For this example we will assume I’ve got a server at 10.254.254.1, and it’s a mail server, so I want to forward all TCP Port 25 traffic to it. Connect to the Firewall via Console/Telnet or SSH.

[box]

Warning Notice

User Access Verification
Password:*******

Type help or '?' for a list of available commands.
Petes-ASA>

[/box]

2. Enter enable mode, and enter the enable mode password.

[box]

Petes-ASA> enable
Password: ********
Petes-ASA#

[/box]

3. Now we need to go to configuration mode.

[box]

Petes-ASA# configure terminal
Petes-ASA(config)#

[/box]

4. Now you need to allow the SMTP traffic in. Before you can add an ACL you need to see if you already have one. We are applying an ACL to the outside interface for traffic going in (I call this inbound, for obvious reasons). To see if you already have an ACL applied, issue the following command;

[box]

Petes-ASA# show run access-group
access-group inbound in interface outside
access-group outbound in interface inside

[/box]

Note: In the example above we have an ACL called inbound that we MUST use. (If you added a new one, all the access list entries for the old one get ‘un-applied’.) If yours has a different name (e.g. outside_access_in), then use that instead of the ACL name I’m using here. If you DON’T have an access-group entry for inbound traffic, then we will do that at the end!

5. Then: Only carry out the following command if you DO NOT HAVE an ACL applied for incoming traffic.

[box]

Petes-ASA(config)# access-group inbound in interface outside
Petes-ASA(config)#

[/box]

6. Lastly, the command that actually does the port forwarding (the static command), and then allow the traffic in.

[box]

Petes-ASA(config)# static (inside,outside) tcp interface smtp 10.254.254.1 smtp netmask 255.255.255.255
Petes-ASA(config)# access-list inbound extended permit tcp any interface outside eq smtp

[/box]

7. Don’t forget to save your hard work. (write memory).

[box]

Petes-ASA(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#

[/box]

Option 3 Use the PIX Device Manager (PIX Version 6 Only) 1 Port to 1 IP Address

1. As above, you will need to know the port and the IP to forward it to. Launch the PIX Device Manager, select Configuration > Access Rules > Then either click “Rules” > Add, or right click an incoming rule and select “Insert Before” or “Insert After”.

2. Under “Action” select “Permit”; under Source Host/Network select “Outside” and all the zeros; under Destination Host/Network select “Inside” and all the zeros; then set the “Destination Port” to smtp > OK > Apply.

3. Now select the “Translation Rules” tab, Rules > Add, or right click a rule and select “Insert Before” or “Insert After”.

4. In this example I’ve set it to forward all TCP Port 25 traffic to 10.254.254.10 (NOTE: I’ve blurred out the public IP Address you will need to add this also) > OK > Apply.

5. Finally save your work > File > “Save Running Configuration to Flash.” > Exit.

Related Articles, References, Credits, or External Links

ASA 5500 – Port Forwarding To A Different Port

Cisco ASA – Port Forward a ‘Range of Ports’

Add a Static (One to One) NAT Translation to a Cisco ASA 5500 Firewall

Page Ooops!

This page exists because it keeps getting indexed and I can’t work out where the link is coming from. For all of you who arrived here, please use the comments section below to let me know which page you came from!

Thanks

PeteLong 20/07/20

Certificate Services 0xc8000202 Error

KB ID 0001639

Problem

You will see this error if you are migrating a Certificate Services server from Server 2008 (NOT Server 2008 R2) to Windows Server 2016 (or newer).

Version of log file is not compatible with the Jet version 0xc8000202 (ESE: 514 Jet_errBadLogVersion)

You will also see the following events logged;

Event ID 17

Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Date: xx/xx/xxxx xx:xx:xx
Event ID: 17
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: 2019-CA.migrate.com
Description:
Active Directory Certificate Services did not start: Unable to initialize the database connection for MIGRATE-CA. Version of log file is not compatible with Jet version 0xc8000202 (ESE: -514 JET_errBadLogVersion).

Event ID 454

Log Name: Application
Source: ESENT
Date: xx/xx/xxxx xx:xx:xx
Event ID: 454
Task Category: Logging/Recovery
Level: Error
Keywords: Classic
User: N/A
Computer: 2019-CA.migrate.com
Description:
certsrv.exe (1268,P,98) Restore0001: Database recovery/restore failed with unexpected error -514.

Event ID 640

Log Name: Application
Source: ESENT
Date: xx/xx/xxxx xx:xx:xx
Event ID: 640
Task Category: General
Level: Warning
Keywords: Classic
User: N/A
Computer: 2019-CA.migrate.com
Description:
certsrv.exe (1268,P,98) Restore0001: Error -1919 validating header page on flush map file “C:\Windows\system32\CertLog\{CA-Name}.jfm”. The flush map file will be invalidated.
Additional information: [SignDbHdrFromDb:Create time:00/00/1900 00:00:00.000 Rand:0 Computer:] [SignFmHdrFromDb:Create time:00/00/1900 00:00:00.000 Rand:0 Computer:] [SignDbHdrFromFm:Create time:01/17/2020 22:30:48.514 Rand:248810345 Computer:] [SignFmHdrFromFm:Create time:01/17/2020 22:30:48.529 Rand:4091580707 Computer:]

Solution

OK, if you followed a good CA migration guide like mine here, then you already have a copy of the Database, CA certs, Private keys, and Registry settings. So you are good, don’t panic.

This has happened because the source Jet database that Certificate Services used on the old 2008 server (Note: not 2008 R2) is simply too old to be upgraded straight to the one on Server 2016 or newer.

You need to spin up a 2012 R2 server, migrate Certificate Services onto that, then migrate to Server 2016 (or 2019) from there.

Related Articles, References, Credits, or External Links

NA