Microsoft – NDES Site Shows ‘HTTP Error 500.0 – Internal Server Error’

KB ID 0001181

Problem

I was doing some testing for a client this week; a while ago I had deployed a three tier PKI solution for them, and as part of the rollout we deployed NDES for their network devices (they were going to use certificates to secure site to site VPNs). The client was concerned, and wanted the auto renewal process tested. This could not be done on the live system, so my colleague and I went to the test bench: I built a model of the three tier PKI and then set up NDES, while my colleague did the comms/switches and routers.

When I was ready to go, he could not get any enrolments working with NDES. Troubleshooting NDES is usually a case of looking in Event Viewer, but the one quick check you can do is to browse to;

http://localhost/certsrv/mscep_admin

And I got this;

HTTP Error 500.0 – Internal Server Error
The page cannot be displayed because an internal server error has occurred.

The normal web enrolment site http://localhost/certsrv was up and working; it was just NDES that was broken.

Solution

This took me a while; there's a ton of posts on this that suggest enabling local profiles, logging in as the NDES service user, etc. etc., and none of them fixed the problem.

This was happening to me because when NDES starts, the first thing it does is check its RA, (Registration Authority) certificate. It’s in the local computer certificate store if you want to look at it, (or you will find it in ‘issued certificates’ on the CA of course). 

Let’s take a look at that cert’s certificate chain;

You can see my three tier PKI solution, from the top, Offline Root > Intermediate CA (Sub CA) > Issuing CA (Sub CA) > My certificate.

But when I took a look in the CRL location (General Tab > Certificate Revocation Information), I found the following;

What my clients see via http

For the uninitiated these are CRL files; the ones with a '+' on the end are delta CRL files (but that's not important here). What is important is that there is no CRL for my offline root CA in there, so the RA certificate's chain cannot be revocation-checked and NDES refuses to start. Luckily I had it on a disk; if you don't, you will have to bring the offline root CA online (turn it on) and then get a copy of the CRL. You can normally find it in C:\Windows\System32\Certsrv. If yours is not there, open 'Certificate Services Management' > Revoked Certificates > Publish. Remember that the root CA's CRL has its own validity period; when it expires the same error will return until a fresh one is published.

Simply copy the CRL file into the CRL location;

Then I rebooted the NDES Server, (I could probably have restarted certsvc and IIS, but let’s be thorough). And the system burst into life.
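One way to confirm this diagnosis before copying anything, as an added example that is not part of the original article: the PowerShell below builds the RA certificate's chain with online revocation checking (the check NDES performs at startup) and then tests every http CRL Distribution Point URL in the chain. It assumes you run it on the NDES server and pass the RA certificate's thumbprint; the $Thumbprint parameter is an assumption, the local computer store location comes from the article.

```powershell
# Added example, not from the original article: chain-check the NDES RA certificate
# the way NDES does at startup (online revocation, whole chain), then test every
# http CRL Distribution Point URL in that chain so a missing root CRL shows up.
# $Thumbprint is an assumed parameter; the RA cert lives in the local computer store.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My" }

# Build the chain with revocation checked online for EVERY certificate in it.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
$chainOk = $chain.Build($cert)

Write-Host ("Chain valid with revocation checking: {0}" -f $chainOk)
foreach ($status in $chain.ChainStatus) {
    # RevocationStatusUnknown / OfflineRevocation is what a missing root CRL looks like.
    Write-Host ("  {0}: {1}" -f $status.Status, "$($status.StatusInformation)".Trim())
}

# Walk the chain leaf-first (RA cert > Issuing CA > Intermediate CA > Offline Root).
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    Write-Host ("`n{0}" -f $c.Subject)
    foreach ($s in $element.ChainElementStatus) {
        Write-Host ("  status: {0}" -f $s.Status)     # pinpoints which cert could not be checked
    }
    # OID 2.5.29.31 is the CRL Distribution Points extension; a root normally has none.
    $cdp = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } | Select-Object -First 1
    if (-not $cdp) { Write-Host '  (no CDP extension)'; continue }
    # Format() renders the extension as text; pick out every http(s) URL it lists.
    $urls = [regex]::Matches($cdp.Format($true), 'https?://[^\s,)]+') | ForEach-Object { $_.Value }
    foreach ($url in $urls) {
        try {
            $resp = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing -TimeoutSec 15
            Write-Host ("  OK   {0} ({1})" -f $url, $resp.StatusCode)
        } catch {
            # A 404 on the Intermediate CA certificate's CDP is the missing offline-root CRL.
            Write-Host ("  FAIL {0} -> {1}" -f $url, $_.Exception.Message)
        }
    }
}
$chain.Dispose()
```

Run it again after copying the root CRL into the CDP folder; the FAIL line should turn into OK and the chain should report as valid.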

Related Articles, References, Credits, or External Links

Windows Server 2012 – Install and Configure NDES

Cisco – Automatic Re-enrollment Fails to MSCEP/NDES

Cisco ASA – Enrolling for Certificates with NDES

Cisco IOS – Enrolling for Certificates with NDES

NDES – Fails to Issue Certificates (Signature Algorithm)

Assign Public IP Address (No NAT) on a Thompson Speedtouch ST510

Bridged Mode – Thompson Speedtouch ST510

KB ID 0000210 

Problem

You have a device, either a PC or (in my case) a Cisco firewall, that you want to have the public IP address assigned by your ISP, rather than the translated private IP address given out by the Speedtouch router/modem.

Solution

1. Once you have your Speedtouch up and running, connect your devices to the back of it (it only has one internal Ethernet port, so you may need to plug in a switch to get your laptop/PC and the item in question on, though you can plug them in one at a time if you're pushed). Select “Home Network” > “Devices” > all being well you should see the device you are after on the list > Select it.

2. Here’s my firewall listed, currently with a private IP address via DHCP (192.168.1.65 in this case). At the bottom select “Assign the public IP address of a connection to a device.”

3. At present nothing is set you need to click “Edit”.

4. Change the drop down section so that your device is listed and > Apply.

5. Now you should see it listed, if you mistakenly assigned it to the wrong device you can click “Unassign”.

6. Note: on the device you will need to reboot or refresh the IP address before it will get the public IP address.

Firewall Notice

If you are deploying a firewall behind this router, you might find that your VPNs work but your port forwarding and remote management does not. You will need to disable the Speedtouch’s internal firewall: Select Firewall > Configure > Select “Disabled” > Apply.

Related Articles, References, Credits, or External Links

NA

ZyXEL – Router Setup (Public IP Range)

KB ID 0000331 

Problem

You have a ZyXEL router (In my case a P-600R-D1) and you want to put a device behind it with a public IP.

Note: I’m assuming you have agreed with your ISP that you will receive a range of public IP addresses. With some ADSL packages the first IP in the range usually gets allocated to the router; confirm this with your ISP.

BT Business Broadband Note: If you are a BT Business customer, your setup will be slightly different, I’ll point that out as we go along.

Solution

1. Connect up to the router and you should get an IP address from it; open your web browser and proceed to http://192.168.1.1 (the default password is “1234”).

2. You will be prompted to change the default password, do so, then select the option to go to ‘Advanced Setup’.

3. Expand Network > WAN > Enter the ADSL details provided by your ISP (i.e. ADSL username and ADSL password). If you are having a static IP on the outside of the router you can also set that here.

Note: If you have only been given TWO IP addresses you may need to set BOTH the WAN and LAN IP address to the SAME IP (and disable NAT).

BT Business Broadband Note: Even if you have been allocated a range of public IP addresses, you LEAVE the router's outside IP address option set to ‘Obtain an IP address automatically’.

4. Disable NAT ONLY IF YOU ARE SETTING THE LAN AND WAN TO THE SAME IP: Select NAT > General > Un-tick “Active Network Address Translation (NAT)” > Apply.

5. Disable DHCP: Select LAN > DHCP Setup > Change DHCP to “None” > Apply.

6. Set the inside IP: Set this to the IP address allocated to your router. (Note: this may be the SAME as the address allocated to the outside IP; don’t panic, it will not conflict because NAT is disabled.)

BT Business Broadband Note: This is typically the highest IP address in the range BT have given you.

7. You can now connect your internal device/firewall. (Note: You may need to reboot the device AND the router, as the MAC address may have changed if you have been testing from your laptop/PC.) Then allocate another public IP address to the device, and make its default route (or default gateway) the IP address you set on the LAN port of the ZyXEL (in our example above, 123.123.123.124).

Factory Reset ZyXEL Router

If things break and you want to reset the router;

1. Power off the router.

2. Depress the reset button on the rear of the router.

3. Power on the device until the Ethernet light flashes amber.

4. Now DHCP will be turned on and the router will use 192.168.1.1 internally and the default password will be reset to 1234.

Related Articles, References, Credits, or External Links

ZyXEL Firmware downloads (Look under DSL Technology)

Original Article Written 28/09/10

Draytek Vigor Router Port Forwarding

KB ID 0000425 

Problem

This procedure was carried out on a Draytek Vigor 2800 Router, for this I needed to forward RDP (That’s on TCP Port 3389).

Warning: If you need to forward any of the following ports: 23 (Telnet), 80 (HTTP), 443 (HTTPS/SSL), 21 (FTP) or 22 (SSH), be aware that the Draytek has these reserved for remote management. You will need to change the management port number first (System Maintenance > Management > Management Port Setup).

Solution

1. Log into the router’s web console (by default a blank username and password, or admin and admin, or admin and a blank password).

2. Expand NAT > Select Port Redirection.

3. Give the service a name (like RDP) > Enter the protocol type, TCP or UDP > Enter the internal IP that you want to forward the port to > Tick Active > Click OK.

Note: Depending on setup you may see this instead (if that’s the case select the correct public IP).

4. That should be all you need to do, unless the firewall is turned on; if that’s the case expand NAT > Open Ports.

5. Again enter a name in the comment box > The local IP of the machine > and the port details > OK.

Related Articles, References, Credits, or External Links

Draytek Router – Firmware Update

DrayTek Vigor – Reset To Factory Settings

Draytek Router – Firmware Update

KB ID 0000568 

Problem

You have a Draytek router (In my case a 2800 ADSL 2/2+), and you want to update the firmware to the latest version.

Solution

1. Make sure you have EXACTLY the correct model number, this one’s a Draytek Vigor2800.

2. Go here and download the latest firmware for your model.

3. The firmware will be in a ZIP file; download it and extract it to your machine.

4. Log into the web console of your Draytek > Navigate to > System Maintenance > Firmware Upgrade. (Note: Newer models will let you upload the firmware from here, ours sadly does not).

5. Download and run the Draytek Firmware Update Utility > Locate the IP address of your router (if you have multiple NICs select the one you will use) > Navigate to the firmware you extracted above > Enter the router’s password > Send > Have a coffee > OK.

Note: Select the firmware that has an .all extension. WARNING: selecting the firmware that has an .rst extension will upgrade the router BUT it also removes all the settings.

6. If you now check your firmware version, it should be correct.

Related Articles, References, Credits, or External Links

DrayTek Vigor Router Port Forwarding

DrayTek Vigor – Reset To Factory Settings

DrayTek Vigor – Reset To Factory Settings

KB ID 0000573

Problem

If you cannot get access to your router, or you have bought, found or been given one and you cannot access it, the simplest thing to do is to reset it to factory settings. Once the router has been reset its settings will be as follows;

DrayTek Default Username and Passwords

Model            Username   Password
Vigor Rev. ALL   admin      admin
Vigor 2600       admin      {blank}
Vigor 2800       {blank}    {blank}
Vigor 2900+      admin      admin
Vigor 3300       draytek    1234

Note: The router will set itself up with a static IP address (http://192.168.1.1) and will act as a DHCP server (make sure your network card is set to get its address automatically).

Solution

Warning: Make sure you have all your router’s settings before you start, especially your ADSL username and password (ring your ISP and confirm), before resetting the router as all these settings will be WIPED!

Factory Reset DrayTek Vigor: Option 1 (If you do not know the password)

Note: Model shown is a DrayTek Vigor 2800

1. With the router powered on in normal operation, the power light should be blinking (slowly).

2. Use a pen, to depress the factory reset button on the rear of the device.

3. The power light will blink rapidly.

4. Release the factory reset button.

Factory Reset DrayTek Vigor: Option 2 (If you know the password)

If you can log in but just want to wipe the settings, and revert to factory defaults.

1. Connect to the web management console and navigate to, System Maintenance > Reboot system > Tick “Using factory default configuration”.

Factory Reset DrayTek Vigor: Option 3 (If you know the password)

If you can log in but just want to wipe the settings, and revert to factory defaults.

1. Familiarise yourself with the DrayTek Vigor firmware upgrade procedure. But use the firmware that ends in .RST NOT the firmware that ends in .ALL. (Note: The .all firmware just updates the firmware but keeps the settings).

Related Articles, References, Credits, or External Links

Draytek Router – Firmware Update

Draytek Vigor Router Port Forwarding

BT Business ADSL – Configure a 2Wire Router to Allocate a Static (Public) IP Address

KB ID 0000760 

Problem

I know BT are now shipping the BT Business Hub to their business ADSL clients, but there’s still a few 2Wire routers out there in the wild. Essentially, if you have a range of public IP addresses, this is how to allocate one of them to one of your devices. In my case it’s a Cisco ASA firewall that I need to have a public IP.

Solution

Firstly, I’m going to assume the router is working and connected to the internet. If there’s a problem and you need to reset it, you will need the following pieces of information;

1. The BT ADSL Username and password.

2. The public IP address range allocated to you by BT (and the IP allocated to the router).

Note: Plug your device into the router before you start, and set it to get its address via DHCP.

1. Connect to the web interface of the 2Wire router (normally http://192.168.1.254) > Settings > Broadband > Link Configuration > Scroll down the page.

2. Locate the ‘Add additional network’ section > Add in the IP address that BT have told you to allocate to the router (the subnet mask will be provided by BT also, but you can work it out with my subnet calculator if you don’t know) > Save > Enter the router password if prompted.

Note: By default the password will be the Serial Number of the router, (on the white sticker). If you have forgotten you can reset it.

3. Select the LAN tab > NAT & Address Allocation > Locate your device > Set the firewall to disabled > Address Assignment = Public (Select WAN IP Mapping) > WAN IP Mapping = Public Fixed {The IP address you want to assign} > Save > Enter the password if prompted.

4. This relies on the router providing DHCP, which it will do by default, though you can check on the Private Network tab.

5. Finally either reboot the device you are assigning the IP address to, (or ‘reload’ if it’s a Cisco ASA).

Related Articles, References, Credits, or External Links

NA

BT Business Hub 3 – And Cisco ASA 5500

KB ID 0000762 

Problem

Warning: If your ASA is running version 8.3(4) or above you are going to have problems assigning public IP addresses from your allocated BT Range (jump to the bottom of the article for a resolution).

You have a pool of public IP addresses and you wish to allocate one of these IP addresses to your Cisco ASA firewall. Note: This applies to customers using BOTH ADSL and BT Infinity.

Solution

For this procedure I was running an ASA5505 (Unlimited) with version 8.4(5). You will need to know the public IP address range allocated to you by BT (and the IP allocated to the router/hub).

Allocating a Public IP address to an Internal Client with the BT Business Hub

1. Log into the router, (the password initially is on the pull out plastic tab on top of the router). Set the IP to the one allocated to the router by BT (from the IP range they have given you). Note: The router actually gets a different IP address externally, this is normal, don’t panic.

2. Apply > Wait for the changes to apply.

3. Under Business Network > Devices > you should see your device listed > Select it.

4. Assign the public IP as shown, you need to select the two radio buttons before the drop-down list of IP addresses will work > Apply.

5. Note: additionally, if you are installing a firewall you might want to disable the Business Hub’s internal firewall: Settings > Port Forwarding > Firewall > “Allow all traffic…” > Apply.

Problem with Cisco ASA (Now Resolved: See below)

My firewall (after a reload) picked up the correct IP address, but was unable to connect to the internet. My laptop (also connected to the BT Business Hub) connected fine to the internet (both with an allocated public address and using the public address of the router). The ASA could not get out at all, nor could it ping the IP address of the Business Hub. The ASA showed as disconnected for a while, then disappeared from the ‘Devices’ tab, even though it continued to get the correct IP address leased to it from the Business Hub; this persisted after a reload of the firewall, so the hub COULD see it. I tried giving the ASA the correct IP address statically, and I also locked the speed and duplex of the Ethernet interface (in case it was simply an auto-negotiation error), but this did not resolve the problem. BT told me they had no record of anyone having the same problem, but that they would take a note in case it came up again. Luckily the client had his old 2Wire router; as soon as I plugged that in everything worked fine.

Update 210414 (and resolution)

Got an email from Nate Morris this week who had been working on this very problem, while debugging the ARP traffic he saw;

[box]

arp-in: request at external from 192.168.1.254 c0ac.54e4.d8d8 for 123.123.123.123 
0000.0000.0000 arp-in: Arp packet received from 192.168.1.254 which is in different subnet 
than the connected interface 123.123.123.123/255.255.255.248 

[/box]

This pointed to a known problem with the Cisco ASA introduced in version 8.3(4), which Cisco tracks as bug CSCty95468 (Cisco CCO login required to view). The ASA was discarding the hub's ARP requests because their source (192.168.1.254) is not in the subnet configured on the outside interface. To resolve this you need to allow the ASA to populate its ARP table from a non-connected subnet, which is what the arp permit-nonconnected command does. Since it relaxes that sanity check on incoming ARP, only enable it where the upstream device actually requires it, as it does here.

[box]

User Access Verification Password: 
Type help or '?' for a list of available commands. 
Petes-ASA> enable 
Password: ******** 
Petes-ASA# configure terminal 
Petes-ASA(config)# arp permit-nonconnected 
Petes-ASA(config)# exit 
Petes-ASA# write mem 
Building configuration... Cryptochecksum: 28790e0e 91da681e 7cf92e8a 85efb7ea 9449 bytes copied in 1.310 secs (9449 bytes/sec) [OK] 
Petes-ASA# 

[/box]

Update 260213

Got an email from Andrew Joubert to say that he had the same problem, and he was using the BT Business Hub via BT Infinity, not ADSL.

Related Articles, References, Credits, or External Links

Original Article Written 26/02/13

Credit to: Nate Morris, for finding the resolution to the original problem.

Special thanks to Steve at BT, who rang me back on my mobile so I didn’t have to wait in a queue, and then followed up afterwards to see what the outcome was; if I knew his surname I would publish it! He did a grand job, and does not get paid enough!

Also thanks to Chris at BT who pitched in and did as much as he could.