What is a Container?

Container KB ID 0001793

Problem

Google containers and the net is full of people with whiteboards talking at a very low level about containers. They also appear to be largely developer and dev ops related, (which is understandable), but if you simply want to understand the concept of what a container is, then that’s a lot of YouTube watching to pick out some basic concepts. Particularly if you’re an IT pro, Engineer, or a Solutions architect.

Simple Container

Before we look at containers, let’s look at a concept we have had for about fifteen years now. The Virtual Machine; 

Here we use a Hypervisor (Type 1: e.g vSphere, NSX, or Hyper-V, or Type 2 e.g. Parallels, Fusion, VMware Workstation, or Virtual Box etc). To create a virtual machine, the virtual machine runs its own Operating System, and you can install your applications on that operating system. The whole thing runs on the Hypervisor and, (for the most part), the machine does not even know it’s virtualised.

A Hypervisor allows a “Bunch of files” to behave like a physical machine.

A container is slightly different, where a hypervisors job is to separate the Machine from the Hardware, by supplying it with a set of virtualised hardware, so it (the virtual machine) thinks it’s running on hardware. The container ‘engine’ (in this case Docker), separates the Applications from the Operating Systems, by supplying a set of operating system processes, so that the applications think they’re running on an operating system. 

A containerisation tool allows a portable file to behave like an application.

The above diagram is simply to illustrate the point, what is actually happening is, in the Operating system the Docker Engine, puts all the applications into their own CONTAINERS, and supplies each container, with all the processes and OS elements the application needs to run. Each container runs completely separately from all the others, and can be started and stopped independently, so a better representation of what happening is this;

Thats pretty much it! What you will find though, is a lot of people have their containers running in a virtual machine that’s running on a Hypervisor. Some people will recoil in horror, and say that’s  NOT what you should be doing, (unless they work for VMware of course). That scenario looks a little more like this;

Related Articles, References, Credits, or External Links

NA

Use Azure MFA With Microsoft NPS (RADIUS) Server

 

KB ID 0001759

Problem

I was in a forum last week and someone asked, “Can I enable Azure MFA, on my RADIUS server, to secure access to my switches and routers etc”. It turns out if you want to enable Azure MFA with Microsoft NPS it’s actually quite  simple.

So, I’m using RADIUS auth (above) on my NPS server, and it’s simply checking the authenticating user is a member of a domain security group. Once it has satisfied that requirement, it will authenticate against my Azure AD, which will trigger an MFA event, (in my case send a request to the Microsoft Authenticator Application on my Android Phone).

Azure MFA With Microsoft NPS Pre-Requisites

The remote user needs EITHER an Azure P1 License, or a Microsoft 365 license. 

“But I can use the Authenticator App with my Office 365 subscription?”

Well yes you can, but we are not authenticating to office 365 are we?

Below you can prove the licence is allocated in Office 365

And the same in Azure AD.

Now your user needs to have MFA enabled, (this should be pretty obvious), to use the Microsoft authenticator application the USER chooses that method of authentication, when you enable MFA for them (the first time they login). You can re-force that, from the following screen if you wish.

Azure MFA With Microsoft NPS: Deploying NPS

So I’ve pretty much covered this half a dozen times before, but for completeness I’ll quickly run though setting up NPS / NPAS. The quickest simplest method is to use PowerShell.

[box]

Install-WindowsFeature NPAS -IncludeManagmentTools

[/box]

From administrative tools open > Network Policy Server >Right click (Top Level) > Register Server in Active Directory  > OK > OK

Execute the following PowerShell command to create a registry key

[box]

New-Item 'HKLM:\SOFTWARE\Microsoft\AzureMfa' -Force | New-ItemProperty -Name REQUIRE_USER_MATCH -Value TRUE -Force | Out-Null

[/box]

Enable NPS RADIUS on Windows Firewall

Now for some reason installing NPS does not open the correct ports on the Windows Firewall? So issue the following command;

[box]

Get-NetFirewallRule -DisplayGroup "Network Policy Server" | where DisplayName -like "*RADIUS*" | Set-NetFirewallRule -Service Any

[/box]

Azure MFA With Microsoft NPS: Domain (on Premises and Azure AD)

You will need to know what your Azure Tenant ID is, keep a copy of this handy either in notepad or on the clipboard because you will need it in a minute.

Below you can see I’ve got my domain user, their remote access (Dial In Tab) is set to control access though policy, and I’ve placed them in a security group called SG-Azure-MFA.

Configure NPS for RADIUS Access

Note: You may already have this configured, if so please skip to the next section.

The first task is to define the RADIUS CLIENT, in my case it will be a Cisco firewall, yours could be any device that requires RADIUS authentication. Locate REDIUS Clients  > New > Provide a ‘Friendly Name’ (REMEMBER WHAT IT IS) > Enter its IP address > Then provide and confirm a shared secret (think of it like a password, you will need to add this to the radius clients config) > OK

Policies > Network Policies > New > Give it a sensible name > Next.

Add in a ‘Condition‘ for User Group, then add in the user group you created/used above.

Add in another ‘Condition‘ > Set the friendly name to the one you used when you created your RADIUS client.

Accepts all the defaults until you get to Configure Authentication Methods > Tick ‘Unencrypted Authentication (PAP, SPAP)’> Click yes if you want to read the warning > Next > Accept all the defaults from this point forward.

Enable Azure MFA With Microsoft NPS

Download the ‘NPS Extension For Azure MFA‘ software form Microsoft, and install it on your NPS server.

To actually enable it against your Azure AD, Execute the following PowerShell commands;

[box]

cd "c:\Program Files\Microsoft\AzureMfa\Config"
.\AzureMfaNpsExtnConfigSetup.ps1

[/box]

Eventually you will be asked to authenticate to Azure, do so with an administrative account.

You will be asked to provide your Azure Tennant ID.

When complete REBOOT THE NPS SERVER!

Testing Azure MFA With NPS

Again for Cisco ASA I’ve already blogged about this, but for completeness here’s me making sure it works;

Remember to RAISE the RADIUS timeout, by default its 10 seconds, I raised it to 30 seconds.

And on my phone I get prompted to allow

 

Authentication successful!

Troubleshooting (NPS Azure MFA Not Working)

Event ID 6274: The Request Was Discarded by a third-party extension DLL file. 

This happens when the user you are authenticating does not have the correct license in Azure (or you have just allocated the license and have not waited for a while).

Full Error

[box]

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          15/07/2021 16:42:58
Event ID:      6274
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      PKI-02.pnl.com
Description:
Network Policy Server discarded the request for a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			PNL\tanya.long
	Account Name:			tanya.long
	Account Domain:			PNL
	Fully Qualified Account Name:	pnl.com/PNL/Users/Tanya Long

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	Called Station Identifier:		-
	Calling Station Identifier:		-

NAS:
	NAS IPv4 Address:		192.168.254.254
	NAS IPv6 Address:		-
	NAS Identifier:			-
	NAS Port-Type:			Virtual
	NAS Port:			6

RADIUS Client:
	Client Friendly Name:		Firewall
	Client IP Address:			192.168.254.254

Authentication Details:
	Connection Request Policy Name:	Use Windows authentication for all users
	Network Policy Name:		NP-Azure-MFA
	Authentication Provider:		Windows
	Authentication Server:		PKI-02.pnl.com
	Authentication Type:		PAP
	EAP Type:			-
	Account Session Identifier:		-
	Reason Code:			9
	Reason:				The request was discarded by a third-party extension DLL file.

[/box]

Event ID 6273: An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection

In my case I had re-install the NPS Azure extension.

Full Error

[box]

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          15/07/2021 17:24:39
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      PKI-02.pnl.com
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			NULL SID
	Account Name:			tanya.long
	Account Domain:			PNL
	Fully Qualified Account Name:	PNL\tanya.long

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	Called Station Identifier:		-
	Calling Station Identifier:		-

NAS:
	NAS IPv4 Address:		192.168.254.254
	NAS IPv6 Address:		-
	NAS Identifier:			-
	NAS Port-Type:			Virtual
	NAS Port:			10

RADIUS Client:
	Client Friendly Name:		Firewall
	Client IP Address:			192.168.254.254

Authentication Details:
	Connection Request Policy Name:	Use Windows authentication for all users
	Network Policy Name:		-
	Authentication Provider:		Windows
	Authentication Server:		PKI-02.pnl.com
	Authentication Type:		Extension
	EAP Type:			-
	Account Session Identifier:		-
	Logging Results:			Accounting information was written to the local log file.
	Reason Code:			21
	Reason:				An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.

[/box]

 

Related Articles, References, Credits, or External Links

NA

Test Port Connectivity Through a Firewall

KB ID 0001541

Problem

Test Port Connectivity: I was asked if I had a test Exchange server that someone could test TCP port 587 to this morning. Usually if I need to test a port I simply use Microsoft IIS and then set it to the appropriate port, add a ‘welcome banner’ and telnet to it. This time it didn’t work, so I found a small application that you can use for this very purpose.

How to Test Port Connectivity

Test Port Connectivity with PowerShell

Use the following syntax;

[box]

Test-NetConnection {Target-IP} -Port {Port-Number}

[/box]

Test Port Connectivity with Telnet and Listen.exe

The application is called listen.exe and is from Allscoop.com Simply run it after a port number and a welcome banner message > Listen.

Test it internally first ‘telnet localhost {port-number}‘, on the machine where you are running it, and from another machine on the LAN.

Then assuming your firewalls are setup correctly you can test it from outside the network.

Each time there’s a successful connection you will see it, and the time stamp.

Related Articles, References, Credits, or External Links

Windows – ‘Telnet’ is not recognized as an internal or external command

Mac High Sierra – Telnet and FTP Missing?

Cisco AnyConnect – With Google Authenticator 2 Factor Authentication

KB ID 0001256 

Problem

This was asked as a question on Experts Exchange this week, and it got my interest. A quick search turned up a bunch of posts that said, yes this is possible, and you deploy it with FreeRADIUS and it works great. The problem was, a lot of the information is a little out of date, and some of it is ‘wrong enough’ to make the non-technical types give up. But I persevered, and got it to work.

Disclaimer: This is not an exercise in deploying AnyConnect, I’ve got that covered to death all over the website, use the search function above, or simply go to the following article;

Cisco ASA 5500 AnyConnect Setup From Command Line

So before proceeding I’ll assume you have AnyConnect setup, and you can connect with a local username.

Disclaimer 2: Please don’t email me with questions like, “Can I take this and integrate it with Active Directory, eDirectory” etc. Or “I’m trying to get this to work with ‘insert name of some Linux distro” and I’m getting an error. 

Prerequisite: You will need to have the Google-Authenticator app on a device, (probably an IOS or Android phone), and have that running, and ready to accept a new identity/account.

Solution

Setup FreeRADIUS

I’m not a Linux guru, I just downloaded the latest version of Ubuntu Server (16.04.1 at time of writing). and deployed it as an ESX host.

Non Linux Types Note: A lot of the commands below require you to either be logged on as root, or ‘su‘ to root, (if that’s not an option, you will need to prefix the commands with ‘sudo‘.

Ubuntu Enable Root Account: I quickly learned that these days the root account is disabled, (for sensible reasons). However because of the way FreeRADIUS works, it needs to run under the root account.

[box]

sudo passwd root
ENTER AND CONFIRM PASSWORD
sudo passwd -u root

[/box] 

Ubuntu: Install Prerequisites: We need to get all current updates, then install NTP, (because the authenticator keys are time specific). Then there are some tools that we will need to install the Google Authenticator software. 

[box]

apt-get update
apt-get install autotools-dev
apt-get install autoconf
apt-get install libtool
apt-get install ntp
apt-get install build-essential libpam0g-dev freeradius git libqrencode3 

[/box] 

Install Google Authenticator: This is quite cool, (if like me you don’t do a lot of Linux). We need to connect to a folder on a web server, then move into that ‘Directory’ and install the software. 

[box]

cd ~
git clone https://github.com/google/google-authenticator.git
cd google-authenticator/libpam/
./bootstrap.sh
./configure
make
make install

[/box] 

 Configuring FreeRADIUS and Google-Authenticator 

Ubuntu has nano installed by default thats what I’m going to use, if you’re a sandal wearing ‘vi’ user, then feel free to use that instead.

First we are going to change FreeRADIUS, so it runs under the ‘root’ account.

[box]nano /etc/freeradius/radiusd.conf[/box]

At the bottom of the file, change the user and group from freerad to root, save the file and exit.

Like so:

 

Next we are going to create a group called radius-disabled, then if you need to deny a user access, you can simply make them a member of this group.

[box]addgroup radius-disabled[/box]

Then configure FreeRADIUS to reject members of that group.

[box]nano /etc/freeradius/users[/box]

Locate the lines indicated below;

Change and un-comment them, to add the following text;

[box]

DEFAULT Group == "radius-disabled", Auth-Type := Reject
        Reply-Message = "Your account has been disabled."
DEFAULT Auth-Type := PAM

[/box] 

So it looks like below, then save and exit the file;

Enable Pluggable Authentication Mode (PAM): Edit the following file;

[box]nano /etc/freeradius/sites-enabled/default[/box]

Locate the line with ‘pam’ in it and uncomment it (remove the hash/pound sign), like so

Before;

After;

Exit and save the changes.

Configure FreeRADIUS to use Google Authenticator: Edit the following file;

[box]nano /etc/pam.d/radiusd[/box]

Locate all the lines that start with an ‘@’ symbol and comment them out, (prefix them with a “#”), then paste the following text onto the end of the file;

[box]

auth requisite /usr/local/lib/security/pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass

[/box]

Before;

 

After;

Testing Google-Authenticator and FreeRADIUS

The easiest way to do this is setup a test user, then create a password for them, then assign a Google-Authenticator Code to that user, on your Linux server;

[box]

adduser tommytester
ENTER AND CONFIRM PASSWORD
su tommytester
ENTER THE PASSWORD
google-authenticator

[/box]

Now you can either scan the QR code into the Google Authenticator app on your phone, or type in the ‘secret-key‘. 

Once done, you should be looking at a 6 digit number, that changes every 30 seconds;

 

Test Authentication on the FreeRADIUS Server first! To do that issue the following command;

[box]radtest tommytester password456743 localhost 18120 testing123[/box]

Note: the password for tommytester is ‘password‘ and the 6 digit code is added to the end of it, the testing123 value is set within FreeRadius in the /etc/freeradius/clients.conf file.

Successful Authentication

[box]

tommytester@RADIUS-HOST:/home/petelong$ radtest tommytester password302971 localhost 18120 testing123
Sending Access-Request of id 165 to 127.0.0.1 port 1812
 User-Name = "tommytester"
 User-Password = "password302971"
 NAS-IP-Address = 192.168.110.85
 NAS-Port = 18120
 Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=165, length=20
tommytester@RADIUS-HOST:/home/petelong$

[/box]

Unsuccessful Authentication

[box]

tommytester@RADIUS-HOST:/home/petelong$ radtest tommytester password302973 localhost 18120 testing123
Sending Access-Request of id 36 to 127.0.0.1 port 1812
 User-Name = "tommytester"
 User-Password = "password302973"
 NAS-IP-Address = 192.168.110.85
 NAS-Port = 18120
 Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=36, length=20
tommytester@RADIUS-HOST:/home/petelong$

[/box]

Troubleshooting: If there’s a problem, make sure that the time on the FreeRADIUS server is correct, (is NTP getting blocked at the firewall?) Then what I do is, SSH into the server from another session, and enable debugging, then back at the console test authentication again, then you can see the debugging output on the other screen, which will point you in the right direction.

To enable debugging;

[box]

service freeradius stop
freeradius -XXX

[/box]

Add the Cisco ASA Firewall as a RADIUS Client: You need to add the firewall as a ‘client’ before it can authenticate. Edit the following file;

[box]nano /etc/freeradius/clients.conf[/box]

Add the following test to the end of the file, (cisco123 is the shared secret we will enter on the ASA later);

[box]

client 192.168.110.1 {
 secret = cisco123
 shortname = CiscoASA
 nastype = cisco
}

[/box]

Configure Cisco ASA for FreeRADIUS Authentication

On the ASA you create an AAA group, set its authentication type to RADIUS, then add the FreeRADIUS server as a host, specify the secret key you used above. REMEMBER you need to specify the ports or authentication will fail, (you get a no response error).

[box]

aaa-server PNL-RADIUS protocol radius
aaa-server PNL-RADIUS (inside) host 192.168.110.85
 authentication-port 1812
 accounting-port 1813
 key cisco123
 radius-common-pw cisco123
 exit

[/box]

 The ASA also need to have the correct time for authentication to work, I’ve covered that elsewhere, run through the following article;

Cisco ASA – Configuring for NTP

Change AnyConnect AAA Authentication Method: With nothing set, your AnyConnect is probably using its LOCAL database of usernames and passwords, we now need to change it to use the RADIUS host we just setup. You do that in the AnyConnect’s ‘tunnel-group general-attribures’  section. Issue a show run tun command, to see the tunnel groups listed.

[box]

Petes-ASA# show run tun
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy GroupPolicy_ANYCONNECT-PROFILE
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
 group-alias ANYCONNECT-PROFILE enable

[/box]

Then add your RADIUS GROUP as the authentication server.

[box]

Petes-ASA# tunnel-group ANYCONNECT-PROFILE general-attributes 
Petes-ASA(config-tunnel-general)# authentication-server-group PNL-RADIUS

[/box]

Test RADIUS Authentication on the Cisco ASA First: I’ve covered this in the past see the following article;

Cisco – Testing AAA Authentication (Cisco ASA and IOS)

Remember that the password will be the user password, followed by the 6 digit number displayed on the authenticator.

[box]

Petes-ASA# test aaa-server authentication PNL-RADIUS host 192.168.110.85 username tommytester password password125689
INFO: Attempting Authentication test to IP address <192.168.110.85> (timeout: 12 seconds)
INFO: Authentication Successful
Petes-ASA#

[/box]

Or. if you prefer to use the ASDM;

Finally you can test authentication from your remote AnyConnect client.

 

Related Articles, References, Credits, or External Links

NA

Deploying Applications with VMware ThinApp

KB ID 0000612

Problem

ThinApp is an “Odd” VMware product, insofar as it’s got nothing to do with virtual machines or virtual technology. It’s a product that turns applications into “Stand alone” thin applications, that can be sent to a user and ran without the need for that user to have administrative access, or the need to install anything.

ThinApp was a product called Thinstall that VMware purchased and “re-badged”, you get a free copy with VMware View 5 (Premier Edition). And it ships with a copy of VMware workstation. (Not because it needs a copy, but VMware recommends you use a clean virtual machine to create your ThinApps on).

If you’ve ever used sysdiff in the past or Novell Zenworks for Desktops, you will be familiar with the process, take a ‘scan’ of a clean machine, then install application(s), then carry out another ‘scan’. The software then works out the ‘difference’ and uses that information to build a software package.

In the example below I’m going to create a stand alone version of Google Chrome, that is pre configured, and has Java already installed, and finally deploy that as a single executable file.

Solution

1. It’s recommended that you create your ThinApp on the oldest operating system that it might be deployed on, so here I’m creating a virtual machine in VMware workstation that’s running Windows XP.

2. When built remove any hardware that will not be needed, like the floppy drive, and the USB Controller (Edit > Settings).

3. Installing ThinApp is pretty straightforward, simply run the executable and follow the on screen prompts the only thing to note is; when you enter your licence key, be aware the name you enter will display on the “splash screen” as your ThinApp loads (as shown).

4. Once your reference machine is setup, take a snapshot of it, so you can roll back to this point to create further ThinApps on this clean machine (VM > Snapshot > Take Snapshot).

5. Run the ThinApp Setup Capture > Next > Prescan > This will take a few minutes > When finished simply minimise the window you are finished with it for now. Note: Don’t worry if the application you are installing requires a reboot, ThinApp is clever enough to cope with that.

6. Now install and configure the application you require, in this case Google Chrome. I’m also installing Java, and setting the default homepage to the Google search page.

7. When the application is installed to your liking, maximise (or open the capture if you’ve rebooted) and select ‘Postscan’ > OK.

Note: Before running Postscan make sure you delete any installer files downloaded, any icons from the desktop you do not want deployed in the ThinApp, and empty the recycle bin (you don’t want all that stuff captured, when creating your ThinApp).

8. Make sure only the executable you require is ticked as an entry point > Next > At the Horizon App Manage Page > Next.

9. In a domain environment you can restrict ThinApp access to particular users or groups > Next.

10. Set the isolation mode as required, for most cases it will be ‘Full’ > Next.

11. Select the option to store the sandbox in the user profile > Next > Select whether you want to provide statistics to VMware > Next.

12. You will see this screen ONLY of you are capturing a browser. This is used if you have a particular website that will only run in IE6, or Firefox etc. So that only when URL’s enters listed here are accessed (either directly or from a hyper link) the ThinApp browser will open them, all other URL’s will be opened by the default browser. It’s a cool feature but not one I’m using > Next.

13. Give your ThinApp a name > Next.

14. I’m choosing the option to embed everything into my executable, selecting this may cause a warning about icons, but I ignored and deployed with no problems > Save.

Note: You can use this page to create an MSI file to deploy via group policy if you wish.

15. After ThinApp generates the files it needs > Build.

16. Finish

17. Heres my ThinApp executable file.

18. To test I’ve copied it to a Windows 7 machine.

19. While it’s loading this is what you will see.

20. And here is my ThinApp version of Google Chrome running and pre configured.

Related Articles, References, Credits, or External Links

NA

Creating and Deploying USB Portable Applications with VMware ThinApp

KB ID 0000616 

Problem

The last time I wrote about deploying applications with ThinApp, it was geared towards getting standalone applications onto client PC’s for non admins to run, or putting them in a network share. But if you have a portable application the advantage is you can run it from portable media (Like a USB drive).

Like before I’ll convert Google Chrome to a ThinApp, but the difference is I will set the applications ‘sandbox’ to live in the same location (on the USB). Then I’ll try it out on a different machine.

Solution

1.  It’s recommended that you create your ThinApp on the oldest operating system that it might be deployed on, so here I’m creating a virtual machine in VMware workstation that’s running Windows XP.

2.  When built remove any hardware that will not be needed, like the floppy drive, and the USB Controller (Edit > Settings).

3. Installing ThinApp is pretty straightforward, simply run the executable and follow the on screen prompts the only thing to note is; when you enter your licence key, be aware that the name you enter will display on the “splash screen” as your ThinApp loads.

4. Once your reference machine is setup, take a snapshot of it, so you can roll back to this point to create further ThinApps on this clean machine (VM > Snapshot > Take Snapshot).

5. Run the ThinApp Setup Capture > Next.

6. Prescan > This will take a few minutes > When finished simply minimise the window you are finished with it for now. Note: Don’t worry if the application you are installing requires a reboot, ThinApp is clever enough to cope with that.

7. Now install and configure the application you require, in this case Google Chrome. I’m also installing Java, and setting the default homepage to the Google search page.

8. When the application is installed to your liking, maximise (or open the capture if you’ve rebooted) and select ‘Postscan’ > OK.

Note: Before running Postscan make sure you delete any installer files downloaded, any icons from the desktop you do not want deployed in the ThinApp, and empty the recycle bin (you don’t want all that stuff captured, when creating your ThinApp).

9. Make sure only the executable you require is ticked as an entry point > Next.

10. At the Horizon App Manage Page > Next.

11. In a domain environment you can restrict ThinApp access to particular users or groups > Next.

12. Set the isolation mode as required, for most cases it will be ‘Full’ > Next.

13. As you are storing the App on USB I’d suggest (though you don’t have to) set the application to save its sandbox in the same directory.

14. Select whether you want to provide statistics to VMware > Next.

15. You will see this screen ONLY if you are capturing a browser. This is used if you have a particular website that will only run in IE6, or Firefox etc. So that only when URL’s entered, listed here, are accessed (either directly or from a hyper link) the ThinApp browser will open them, all other URL’s will be opened by the default browser. It’s a cool feature but not one I’m using > Next.

16. Give your ThinApp a name > Next.

17. I’m choosing the option to embed everything into my executable, selecting this may cause a warning about icons, but I ignored and deployed with no problems > Save.

18. After ThinApp generates the files it needs > Build.

19. Finish.

20. Heres my ThinApp executable file.

21. Which I’ve copied to my USB Drive.

22. So when use the drive in another machine.

23. You can simply run the executable.

24. While the app loads it will show a splash screen like this.

25. And should load pre-configured.

 

Related Articles, References, Credits, or External Links

NA

Juniper (JUNOS) SRX – Static ‘One-to-One’ NAT

KB ID 0000995 

Problem

Setting up ‘Static NAT’ is the process of taking one of your ‘spare’ public IP addresses, and permanently mapping that public IP to a private IP address on your network.

In the example above I want to give my web sever which has an internal IP address of 192.168.1.10/24, the public IP address of 1.1.1.5/24. So if someone out on the Internet wants to view my website, they can browse to http://1.1.1.5 (or a URL that I’ve pointed to 1.1.1.5 like http://www.mywebsite.com). Then that traffic will be NATTED, on the firewall for me.

Solution

1. Create a rule-set from the ‘untrust’ zone. Then add a rule to that rule-set, that has a destination of 1.1.1.5/32, and finally set it to NAT that traffic to 192.168.1.10/32.

[box]login: root
Password: *******

— JUNOS 12.1X44-D30.4 built 2014-01-11 03:56:31 UTC

root@FW-02% cli
root@FW-02> configure
Entering configuration mode

[edit]
root@FW-02# set security nat static rule-set UNTRUST-TO-TRUST from zone untrust

[edit]
root@FW-02# set security nat static rule-set UNTRUST-TO-TRUST rule NAT-RULE-1 match destination-address 1.1.1.5/32

[edit]
root@FW-02# set security nat static rule-set UNTRUST-TO-TRUST rule NAT-RULE-1 then static-nat prefix 192.168.1.10/32

[/box]

2. Set the firewall to proxy-arp (advertise your pubic IP address with is MAC address), then add the web server to the global address book.

Note: ge-0/0/0.0 is the physical address you are advertising the new IP address from, on firewalls in a failover cluster you would use the Reth address i.e. reth0.0

[box] [edit]
root@FW-02# set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.5/32

[edit]
root@FW-02# set security address-book global address WEB-SERVER 192.168.1.10/32

[/box]

3. Allow traffic OUT from the web server. Here I’m letting out all ports, if you wanted just web traffic then use the keyword junos-http (TCP Port 80 (http)).

[box]

[edit]
root@FW-02# set security policies from-zone trust to-zone untrust policy WEB-SERVER-OUT match source-address WEB-SERVER

[edit]
root@FW-02# set security policies from-zone trust to-zone untrust policy WEB-SERVER-OUT match destination-address any

[edit]
root@FW-02# set security policies from-zone trust to-zone untrust policy WEB-SERVER-OUT match application any

[edit]
root@FW-02# set security policies from-zone trust to-zone untrust policy WEB-SERVER-OUT then permit

[/box]

4. Then allow traffic IN to the web server, (here I’m locking it down to just http).

[box] [edit]
root@FW-02# set security policies from-zone untrust to-zone trust policy WEB-SERVER-IN match source-address any

[edit]
root@FW-02# set security policies from-zone untrust to-zone trust policy WEB-SERVER-IN match destination-address WEB-SERVER

[edit]
root@FW-02# set security policies from-zone untrust to-zone trust policy WEB-SERVER-IN match application junos-http

[edit]
root@FW-02# set security policies from-zone untrust to-zone trust policy WEB-SERVER-IN then permit

[/box]

5. Save the changes.

[box][edit]
root@FW-02# commit
commit complete[/box]

Juniper Allowing Traffic To Custom Ports And Applications

1. Although Juniper have a lot of built in ‘applications’ you can allow, what if you want to create your own? Below I’ll create a custom application for Remote Desktop Protocol (TCP port 3389).

[box] [edit]
root@FW-A# set applications application APP-RDP protocol tcp

[edit]
root@FW-A# set applications application APP-RDP destination-port 3389

[/box]

2. You could now use this application in your security policies e.g.

[box] [edit]
root@FW-A#set security policies from-zone untrust to-zone trust policy TERMINAL-SERVER-IN match application APP-RDP[/box]

 

Related Articles, References, Credits, or External Links

NA

 

Google Chrome – Can’t Open jnlp (Java) files

KB ID 0000354

Problem

It’s annoying but for some reason Google Chrome simply downloads .jnlp files rather than opening and launching the Java applications. You would think that associating .jnlp files so that they open in Chrome would fix the problem, but it does not.

Solution

1. Go to the link that you are trying to launch the Java application from, and Chrome will download it, as before.

2. By default Chrome will list the download on the bottom of the page, and to the right of the filename is a small drop down arrow, click it.

3. From the menu that pops up select “Always open files of this type”.

 

Related Articles, References, Credits, or External Links

NA