Draytek Vigor Router Port Forwarding

KB ID 0000425 

Problem

This procedure was carried out on a Draytek Vigor 2800 router; for this I needed to forward RDP (that's TCP port 3389).

Warning: If you need to forward any of the following ports: 23 (Telnet), 80 (HTTP), 443 (HTTPS/SSL), 21 (FTP) or 22 (SSH), be aware that the Draytek has these reserved for remote management. You will need to change the management port number first (System Maintenance > Management > Management Port Setup).

Solution

1. Log into the router's web console (the default will be a blank username and password, or admin and admin, or admin and a blank password).

2. Expand NAT > Select Port Redirection.

3. Give the service a name (like RDP) > Enter the protocol type, TCP or UDP > Enter the internal IP that you want to forward the port to > Tick Active > Click OK.

Note: Depending on your setup you may see this instead (if that's the case, select the correct public IP).

4. That should be all you need to do, unless the firewall is turned on; if that's the case, expand NAT > Open Ports.

5. Again, enter a name in the comment box > the local IP of the machine > the port details > OK.


Related Articles, References, Credits, or External Links

Draytek Router – Firmware Update

DrayTek Vigor – Reset To Factory Settings

IIS – ‘This Web site cannot be started. Another Web site may be using the same port’.

KB ID 0000660 

Problem

After being unable to access my Exchange Management console, it turns out the default website had stopped. When I attempted to start it I was greeted with this error.

Solution

1. Nothing was using the usual web ports (80 and 443), which I found out by running the following two commands:

[box]netstat -aon | find ":80"
netstat -aon | find ":443"[/box]

Note: If you do have a process using these ports, it will be shown with its PID. To find out what that PID is, right-click your Task bar > Launch Task Manager > Processes tab > View > Select Columns > Turn on the PID column > locate the PID and investigate.

2. My problem was there was a 'Binding' to https that had no information in it. Right-click the website > Edit Bindings > here you can remove any spurious entries. (Warning: if you're unsure, document any binding before you remove it, just in case.)

Related Articles, References, Credits, or External Links

NA

Exchange – Redirect OWA (HTTP to HTTPS)

KB ID 0000697 

Problem

Out of the box, Exchange (quite rightly) secures Outlook Web Access so that you have to access it via https. The problem is some of your users are used to accessing websites via http, (or simply typing a URL in their browser, without typing any prefix, so it defaults to http).

If you try and access OWA via http://server.domain.com/owa..

There are a number of ways to get round this, the simplest is to redirect that error message (above) back to the correct OWA URL.

WARNING: DO NOT do this on a Microsoft SBS Server. (For SBS you need to create the custom error messages on the OWA virtual directory directly.) This procedure assumes you have a stand-alone Exchange CAS server with no other web services or virtual directories being served from its IIS.

Solution

1. Open IIS Manager and drill down to the Default Web Site > Error Pages.

2. Add > Status code = 403.4 > Select “Respond with a 302 Request” > Type in the correct (https) URL for your OWA site > OK.

3. Then restart the website (or reboot the server).

Note: DON'T attempt to test this on the Exchange server itself! That will always show the original error; you need to test it from a client machine.

Related Articles, References, Credits, or External Links

NA

Redirect AnyConnect Browser Connections From HTTP to HTTPS

KB ID 0000707 

Problem

AnyConnect is great for users, but most of them are not used to typing full URLs into their browsers. Modern browsers will prefix your URL with 'http://' for you. That's brilliant most of the time, but AnyConnect and SSL VPN need to go to 'https://'.

Wouldn’t it be good if your users typed vpn.petenetlive.com into their browsers, and instead of the browser ‘helpfully’ changing that to http://vpn.petenetlive.com, and it giving you an error message, the ASA redirected the traffic to https://vpn.petenetlive.com automatically?

Solution

There is just one command to do this for you, and it's 'http redirect outside 80'. Below I've enabled it and then saved the change.

[box]

Sent username "pix"
Type help or '?' for a list of available commands.
PetesASA>
PetesASA> enable
Password: ***********
PetesASA# configure terminal
PetesASA(config)# http redirect outside 80
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: ac21d44c 109662c4 66495572 e5a106c7

49756 bytes copied in 3.540 secs (16585 bytes/sec)
[OK]
PetesASA(config)#

[/box]

Related Articles, References, Credits, or External Links

NA

CentOS – Setup the iptables Firewall

KB ID 0000938

Problem

I was a little perturbed to find out the firewall on my CentOS web server was wide open today. My server setup notes yielded no clues, so it was time to put my ‘Linux Head’ on and fix it.

Solution

1. Connect to the server via console or SSH. As I'm going to change the iptables config file, let's back it up first (always assume you are going to smash something!).

[box]cp /etc/sysconfig/iptables iptables.bak[/box]

2. I have a VPS so I'm usually logged on via SSH, so to avoid locking myself out I'm going to change the default policy to allow (yes, in my current scenario that's a moot point, but it's good practice). Then I can flush the current rules without kicking myself out.

[box]iptables -P INPUT ACCEPT
iptables -F[/box]

3. Then allow packets destined for loopback (127.0.0.1); some processes on the server rely on this and expect it to be open.

[box]iptables -A INPUT -i lo -j ACCEPT[/box]

4. Allow packets that were not initiated by the server, but are already established or related to an established connection.

[box]iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT[/box]

5. Allow in the ports you require (your requirements may differ).

[box]iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 993 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 12345 -j ACCEPT[/box]

6. To allow your server to respond to pings (if required):

[box]iptables -A INPUT -p icmp -j ACCEPT[/box]

7. Drop all other inbound traffic, and set the FORWARD chain to drop all traffic as well. Then allow all outbound traffic from the server.

[box]iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT[/box]

8. TEST EVERYTHING! Then save the changes to make them persistent (this writes the running rules back to /etc/sysconfig/iptables).

[box]/sbin/service iptables save[/box]

Show iptables Settings

[box]iptables -L -v[/box]

Start/Stop and Restart the iptables Service

[box]service iptables stop
service iptables start
service iptables restart[/box]
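As an added example that is not part of the original article, here is the policy from steps 3 to 7 as a shell function that emits an iptables-restore file. Applying that file with iptables-restore swaps the whole rule set in one atomic step, so there is no window between the flush in step 2 and the final DROP policy in step 7 where the server is either wide open or has just dropped your SSH session. The function names, the port-validation helper and the port lists are my own choices.

```shell
#!/bin/sh
# Added example, not from the original article: emit the rule set from steps
# 3 to 7 in iptables-restore format so it can be applied in one atomic step:
#   gen_iptables_rules "22 80 443" "53" > /etc/sysconfig/iptables
#   iptables-restore < /etc/sysconfig/iptables
# Args: "<tcp ports>" "<udp ports>" [yes|no]  (space-separated lists; ICMP on by default)

# Reject anything that is not a port number in 1..65535 (a typo here would
# otherwise make iptables-restore fail halfway through the file).
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

gen_iptables_rules() {
    tcp_ports=$1
    udp_ports=$2
    allow_icmp=${3:-yes}
    for p in $tcp_ports $udp_ports; do
        valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
    done
    printf '%s\n' '*filter'
    # Default policies (step 7): drop inbound and forwarded, allow outbound.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback (step 3) and replies to connections the server started (step 4).
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Per-port rules (step 5). Matching only NEW connections is a small tightening
    # of the article's rules; the state rule above already handles the rest.
    for p in $tcp_ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $udp_ports; do
        printf '%s\n' "-A INPUT -p udp --dport $p -j ACCEPT"
    done
    # Ping (step 6), optional.
    if [ "$allow_icmp" = yes ]; then
        printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    fi
    printf '%s\n' 'COMMIT'
}

# Step 2's worry, checked before anything is applied: returns 0 only if the
# rule set in $1 accepts new TCP connections to the SSH port ($2, default 22).
ssh_allowed() {
    printf '%s\n' "$1" | grep -q -- "^-A INPUT -p tcp --dport ${2:-22} "
}
```

Run ssh_allowed on the generated file before iptables-restore if you manage the box over SSH; step 8 (test, then service iptables save) still applies afterwards.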


Related Articles, References, Credits, or External Links

NA