Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.
If you have a spare/available public IP address you can statically map that IP address to one of your network hosts, (i.e. for a mail server, or a web server, that needs public access).
This is commonly referred to as a ‘Static NAT’, or a ‘One to One translation’, where all traffic destined for public address A is sent to private address X.
Note: This solution is for firewalls running versions above version 8.3. If you are unsure what version you are running use the following article.
In the following example I will statically NAT a public IP address of 81.81.81.82 to a private IP address behind the ASA of 172.16.254.1. Finally I will allow traffic to it, (in this example I will allow TCP Port 80 HTTP/WWW traffic as if this is a web server).
Create a Static NAT and allow web traffic via ASDM
3. Give the ‘object’ a name (I usually prefix them with obj-{name}) > It’s a Host > Type in its PRIVATE IP address > Tick the NAT section (press the drop-down if it’s hidden) > Static > Enter its PUBLIC IP address > Advanced > Source = Inside > Destination > Outside > Protocol TCP. Note: You could set this to IP, but I’m going to allow HTTP with an ACL in a minute, so leave it on TCP > OK > OK > Apply.
4. Now navigate to Firewall > Access Rule > Add > Add Access Rule.
5. Interface = outside > Permit > Source = any > Destination = PRIVATE IP of the host > Service > Press the ‘more’ button > Locate TCP/HTTP > OK > OK > Apply.
6. Then save your work with a File > Save Running Configuration to Flash.
Create a Static NAT and allow web traffic via Command Line
2. Log In > Go to enable mode > Go to configure terminal mode.
[box]
User Access Verification
Password:*******
Type help or '?' for a list of available commands.
PetesASA> enable
Password: *******
PetesASA# conf t
PetesASA(config)
[/box]
3. First I’m going to allow the traffic to the host. (Note: from version 8.3 onwards we allow traffic to the private (pre-translated) IP address.) This assumes you don’t have an inbound access list; if you are unsure, execute a “show run access-group”, and if you have one applied substitute that name for the word ‘inbound’.
Warning: before applying the ‘access-group’ command, see the following article;
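As an added example (not code from the original article), here is a small Python checker that parses the post-8.3 object, NAT, access-list and access-group lines for the scenario above and flags the classic migration mistake of writing the ACL against the public (mapped) address. The object name obj-webserver and ACL name inbound are assumed; the addresses are the ones the article uses.

```python
"""Check that a post-8.3 Cisco ASA static NAT and its inbound ACL agree.

Added example, not code from the original article. The object and ACL
names (obj-webserver, inbound) are assumed; the addresses are the ones
the article uses: public 81.81.81.82 mapped to private 172.16.254.1.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the ACL references the REAL (pre-translated) address,
# which is what ASA 8.3 and later require.
GOOD_CONFIG = """\
object network obj-webserver
 host 172.16.254.1
 nat (inside,outside) static 81.81.81.82 service tcp www www
access-list inbound extended permit tcp any host 172.16.254.1 eq www
access-group inbound in interface outside
"""

# Constructed sample of the pre-8.3 habit: the ACL is written against the
# MAPPED (public) address. The ASA accepts it, but it never matches the traffic.
BAD_CONFIG = GOOD_CONFIG.replace("host 172.16.254.1 eq www", "host 81.81.81.82 eq www")

PORT_NAMES = {"www": "80", "http": "80", "https": "443"}

@dataclass
class StaticNat:
    name: str
    real_ip: Optional[str] = None
    mapped_ip: Optional[str] = None
    service: Optional[str] = None   # e.g. "tcp www www"; None means all IP

@dataclass
class AclEntry:
    acl: str
    proto: str
    dst_ip: str
    port: Optional[str]

OBJ_RE = re.compile(r"object network (\S+)$")
HOST_RE = re.compile(r"host (\S+)$")
NAT_RE = re.compile(r"nat \((\S+),(\S+)\) static (\S+)(?: service (.+))?$")
ACL_RE = re.compile(r"access-list (\S+) extended permit (\S+) (?:any|host \S+) host (\S+)(?: eq (\S+))?$")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)$")

def parse_asa(config):
    """Collect static-NAT network objects, ACL permits to a host, and access-group bindings."""
    objects, acls, groups, current = {}, [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := OBJ_RE.match(line):
            current = objects.setdefault(m.group(1), StaticNat(m.group(1)))
            continue
        if current is not None:
            if m := HOST_RE.match(line):
                current.real_ip = m.group(1)
                continue
            if m := NAT_RE.match(line):
                current.mapped_ip, current.service = m.group(3), m.group(4)
                continue
            current = None   # any other command ends the object block
        if m := ACL_RE.match(line):
            acls.append(AclEntry(m.group(1), m.group(2), m.group(3), m.group(4)))
        elif m := GROUP_RE.match(line):
            groups[m.group(1)] = m.group(2)
    return objects, acls, groups

def _port(p):
    return PORT_NAMES.get(p, p)

def check(config):
    """Return findings as strings; an empty list means NAT and ACL agree."""
    objects, acls, groups = parse_asa(config)
    by_mapped = {o.mapped_ip: o for o in objects.values() if o.mapped_ip}
    by_real = {o.real_ip: o for o in objects.values() if o.real_ip}
    findings = []
    for e in acls:
        if e.dst_ip in by_mapped:
            o = by_mapped[e.dst_ip]
            findings.append(f"{e.acl}: {e.dst_ip} is the mapped (public) address of {o.name}; "
                            f"from 8.3 the ACL must reference the real address {o.real_ip}")
        elif e.dst_ip in by_real:
            o = by_real[e.dst_ip]
            # A static NAT limited to one service only translates that protocol/port.
            if o.service and e.port:
                svc_proto, real_port = o.service.split()[:2]
                if e.proto != svc_proto or _port(e.port) != _port(real_port):
                    findings.append(f"{e.acl}: permits {e.proto}/{e.port} but {o.name} "
                                    f"only translates {svc_proto}/{real_port}")
        else:
            findings.append(f"{e.acl}: {e.dst_ip} matches no static NAT object")
    for name in sorted({e.acl for e in acls} - set(groups)):
        findings.append(f"{name}: defined but never applied with access-group")
    for o in objects.values():
        if o.mapped_ip and o.real_ip and not any(e.dst_ip == o.real_ip for e in acls):
            findings.append(f"{o.name}: translated to {o.mapped_ip} but no ACL permits traffic to {o.real_ip}")
    return findings

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check(cfg) or ["OK"])
```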
This procedure was done on Cisco ASA (post) version 8.4, so it uses all the newer NAT commands. I’m also going to use self-signed certificates, so you will see this error when you attempt to connect.
Solution
1. The first job is to go get the AnyConnect client package(s), download them from Cisco, (with a current support agreement). Then copy them into the firewall via TFTP. If you are unsure how to do that see the following article.
2. Create a ‘pool’ of IP addresses that the ASA will allocate to the remote clients, also create a network object that covers that pool of addresses we will use later.
[box]
Petes-ASA(config)# ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
Petes-ASA(config)# object network OBJ-ANYCONNECT-SUBNET
Petes-ASA(config-network-object)# subnet 192.168.100.0 255.255.255.0
[/box]
3. Enable webvpn, set the package to the one you uploaded earlier, then turn on AnyConnect.
[box]
Petes-ASA(config)# webvpn
Petes-ASA(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
Petes-ASA(config-webvpn)# tunnel-group-list enable
Petes-ASA(config-webvpn)# anyconnect image disk0:/anyconnect-win-4.8.02042-webdeploy-k9.pkg 1
Petes-ASA(config-webvpn)# anyconnect enable
[/box]
4. I’m going to create a LOCAL username and password. I suggest you do the same, then once you have proved it’s working OK you can change the authentication method (see links below). I’m also going to create an ACL that we will use for split-tunneling in a minute.
Given the amount of deployments I do, it’s surprising that I don’t use KMS more often. Like most technical types, I find a way that works for me, and that’s the way I do things from then on. However these last few weeks I’ve been putting in a new infrastructure for a local secondary school. Their internet access is through a proxy server, that refuses to let Windows activation work. Unfortunately the “Administrators” of this proxy server were not disposed to give me any help, or let me anywhere near it, to fix it.
So after activating a dozen servers over the phone, I decided enough was enough “I’m putting in a KMS Server!”
I’m deploying KMS on Windows Server 2008 R2, and it is for the licensing and activation of Server 2008 R2 and Windows 7. I will also add in the licensing KMS mechanism for Office 2010 as well.
Note: If you are using Server 2003 it will need SP1 (at least) and this update.
Solution
To be honest it’s more difficult to find out how to deploy a KMS server, than it actually is to do. I’ve gone into a fair bit of detail below but most of you will simply need to follow steps 1-4 (immediately below). In addition, after that I’ve outlined how to deploy KMS from command line. Then how to test it, and finally how to add Microsoft Office 2010 Licenses to the KMS Server.
Install Microsoft Windows 2008 R2 Key Management Service (EASY)
1. The most difficult part is locating your KMS Key! If you have a Microsoft License agreement, log into the Microsoft Volume License Service Center, and retrieve the KMS License Key for “Windows Server 2008 Std/Ent KMS B”.
Note: To License/Activate Server 2008 R2 AND Windows 7 THIS IS THE ONLY KEY YOU NEED. You do NOT need to add additional keys for Windows 7. (You DO for Office 2010, but I’ll cover that below).
2. Armed with your new key, you simply need to change the product key on the server that will be the KMS server, to the new key. Start > Right Click “Computer” > Properties. (Or Control Panel > System). Select “Change Product Key” > Enter the new KMS Key > Next.
3. You will receive a warning that you are using a KMS Key > OK. You may now need to activate your copy of Windows with Microsoft, this is done as normal, if you can’t get it to work over the internet you can choose to do it over the phone.
4. In a corporate environment (behind an edge firewall) you may have the local firewall disabled on the server. If you do NOT, then you need to allow access through the local firewall for the “Key Management Service” (this runs over TCP port 1688). To allow the service, Start > Firewall.cpl {enter} > “Allow program or feature through Windows Firewall” > Tick Key Management Service > OK.
Note: Should you wish to change the port the service uses, you can do so with the following command, i.e. to change it to TCP Port 1024;
[box]
cscript c:\Windows\System32\slmgr.vbs /SPrt 1024
[/box]
That’s It! That is all you should need to do, your KMS Server is up and running.
Install Microsoft Windows 2008 R2 Key Management Service from Command Line
You will notice below that I’m running these commands from command windows running as administrator (Right click “Command Prompt” > Run as administrator).
Note: To License/Activate Server 2008 R2 AND Windows 7 THIS IS THE ONLY KEY YOU NEED. You do NOT need to add additional keys for Windows 7. (You DO for Office 2010, but I’ll cover that below).
2. Providing the command runs without error, we have just changed the product key for this Windows server to be the KMS key.
3. Now we need to activate the Windows Server > Run the following command;
[box]
c:\Windows\System32\slui.exe
[/box]
Select “Activate Windows online now” > Follow the on screen prompts.
4. When complete, it should tell you that it was successfully activated.
5. In a corporate environment (behind an edge firewall) you may have the local firewall disabled on the server. If you do NOT, then you need to allow access through the local firewall for the “Key Management Service” (this runs over TCP port 1688). To allow the service, Start > Firewall.cpl {enter} > “Allow program or feature through Windows Firewall” > Tick Key Management Service > OK.
Note: Should you wish to change the port the service uses, you can do so with the following command, i.e. to change it to TCP Port 1024;
[box]
cscript c:\Windows\System32\slmgr.vbs /SPrt 1024
[/box]
That’s It! That is all you should need to do, your KMS Server is up and running.
Testing the Key Management Server
Before it will start doing what you want it to, you need to meet certain thresholds: with Windows 7 clients it WON’T work till it has had 25 requests from client machines. If you are making the requests from Windows 2008 Servers then the count is 5. (Note: For Office 2010 the count is 5, NOT 25.)
Interestingly: On my test network I activated five Windows 7 machines, then one server, and it started working.
Windows 7 and Windows 2008 R2 have KMS Keys BUILT INTO THEM, if you are deploying/imaging machines you should not need to enter a key into them (unless you have entered a MAK key on these machines then you will need to change it to a client KMS Key). These are publicly available (see here).
1. The service works because it puts an SRV record in your DNS, when clients want to activate, they simply look for this record before they try and activate with Microsoft, if they find the record, they activate from your KMS Server instead. If you look on your domain DNS servers, expand “Forward Lookup Zones” > {your domain name} > _tcp > You will see an entry for _VLMCS that points to your KMS Server.
2. From your client machines you can test that they can see the SRV record, by running the following command;
[box]
nslookup -type=srv _vlmcs._tcp
[/box]
Note: If this fails, can your client see the DNS server? And is it in the domain?
3. There is no GUI console for KMS to see its status, so run the following command on the KMS server;
[box]
cscript c:\Windows\System32\slmgr.vbs /dli
[/box]
4. As I’ve mentioned above, with Windows clients you need 25, and Windows Servers you will need 5 requests before KMS will work, before this you will see;
Windows Activation
A problem occurred when Windows tried to activate. Error Code 0xC004F038
5. For each of these failures, look on the KMS Server and the “Current count” will increment by 1 till it starts to work. In a live environment this won’t be a problem (you probably won’t be looking at KMS with less than 25 clients!). On a test network just clone/deploy a load of machines until you hit the threshold.
Troubleshooting KMS Clients
To make things simple the command to execute on the clients, is the same command that you run on the KMS server to check the status.
[box]
cd c:\windows\system32
slmgr /dli
[/box]
For further troubleshooting, see the following links.
In addition to servers and clients, KMS can activate and handle Office 2010 licenses as well. You simply need to add in Office support, and your Office 2010 KMS key. As mentioned above, unlike Windows clients, you only need five requests to the KMS server before it will start activating Office 2010 normally.
1. First locate your Office 2010 KMS Key! If you have a Microsoft License agreement, log into the Microsoft Volume License Service Center, and retrieve the KMS License Key for “Office 2010 Suites and Apps KMS”.
Note: As with Windows 7, and Server 2008 R2, Office 2010 comes with a KMS key already installed, if you have changed the key to a MAK key you can change it back using the Microsoft public KMS keys (see here).
“I don’t know what it is about Certificates, I just don’t like them, I don’t understand them, and I don’t like working with them”
I hear this a lot. In fact I heard it this week, and as I’m usually the ‘go-to guy’ for certificates and PKI, it winds me up! IT pros take the time to learn concepts like DNS, DHCP, Kerberos etc. But mention Certificate Services and heads disappear below monitors and silence descends.
OR WORSE: Someone adds the role, clicks Next > Next > Next > Job done! Let’s have tea and medals!
So in typical PNL fashion let’s simplify everything and get everyone on the same page. And most importantly, lay out how to do it so I don’t have to do it for you!
Solution
To design PKI well, you need to decide if you want a two or three tier PKI environment.
Why can’t I just have one CA Server? (Hmm, you’re the Next > Next > Next > Job Done person, eh?) Well you can! But if that one server breaks (or gets compromised) then you are in trouble. Plan your deployment properly and save yourself a headache.
Two Tier Or Three Tier PKI? That’s your call. The main advantage of three tier PKI is, if one of your issuing servers is compromised, you don’t need to bring the offline Root CA back online to re-issue its certificate. I have a client who has an issuing server in their DMZ, so this was a good fit for them. For most domains Two Tier is the best option.
So I can only have one issuing Server? No, I just put one on the diagram for simplicity, you can have 1, or 100, or 1000, it’s up to you.
Do I need CRL (Certificate Revocation List) and/or OCSP (Online Certificate Status Protocol) On a Separate Server? Strictly speaking No, but it’s considered good practice, and if you need to advertise a CRL externally, it is more secure.
PKI Terminology Differences
You will notice I’ve mentioned a Root CA, an Intermediate CA, and an Issuing CA. This is to better explain the architecture and define a difference between an Intermediate CA and an Issuing CA. Microsoft does not care: both of those servers are SubCA servers in Microsoft speak.
Deploying an Offline Root CA
Whichever architecture you choose, this will be your first step. The offline Root CA is a non domain joined machine; its sole job is to issue SubCA certificates to your intermediate CAs (three tier PKI), or issuing CAs (two tier PKI). When you have finished you power off the Offline Root CA and keep it off.
Note: In my example I want my Root CA Cert to last 20 years
Before You Install Anything: Create a CAPolicy.inf file (you can edit it with Notepad). You may want to change the validity period, and you certainly will need to change the legal notice URL (more on this later) to your own domain FQDN. (Note: If you need people outside your organisation, either at a partner or just someone on the public internet, to see that, ensure that URL is addressable.)
Save the CAPolicy.inf file to C:\Windows. Make sure it’s not called CAPolicy.inf.txt (or it won’t work).
Launch Server Manager > Manage > Add Roles and Features.
Role Based > Next > Select the local server > Next > Select ‘Active Directory Certificate Services’ > Add Features > Next.
No other features are required > Next > Next > Certification Authority > Next.
Next > Next > Close.
Configure Active Directory Certificate Services.
Accept the default (local administrator) > Next > Certification Authority > Next.
Standalone CA > Next > Root CA > Next.
Create a new private key > Next > Make sure the hash algorithm is SHA 256 (NOT SHA1) > Next.
Give the CA a sensible name > Next > Set the validity period (as mentioned above I’m going for 20 years) > Next.
All the defaults can now be accepted > Next > Next > Close.
Launch the Certification Authority Management console and make sure we have a green tick.
Now we need to ‘Stamp’ Certificates issued by this CA Server with some domain information, but we have no connection to the domain, so we need to do it manually. Open an administrative command window and execute the following commands;
Note: I want my SubCA certificate to be valid for 15 years, if you want longer/shorter then adjust the figures below
Now my Offline Root server is not connected to a network (because that’s best practice), and as it’s a virtual machine the only way to get files off it is to use a virtual floppy drive. I’m going to copy both my Root CA Certificate and CRL file to my floppy drive.
Note: These commands publish the CA Certificate (and its CRL) into Active Directory. You can see where if you open the path shown in the example in ADSIEdit.msc (CN=Public Key Services, CN=Services, CN=Configuration, DC={forest root domain}).
Every time I go to a networking event there’s a sea of MacBooks in the audience. If techs like MacBooks so much, why is there such a lack of decent Mac TFTP software?
Solution
The thing is, I’m looking at the problem with my ‘Windows User’ head on. When I have a task to perform I’m geared towards looking for a program to do that for me. OS X is Linux (There I said it!) Linux in a pretty dress, I’ll grant you, but scratch the surface a little bit and there it is.
Why is that important? Well, you’re already holding a running TFTP server in your hand: your Mac is already running a TFTP server, you just need to learn how to use it.
MAC TFTP Server (OS X Native)
As I said it’s probably running anyway, but to check, open a Terminal window and issue the following command;
[box]netstat -atp UDP | grep tftp[/box]
If it’s not running you can manually start and stop the TFTP server with the following commands;
Note: In macOS Catalina, it’s disabled by default, so if you don’t manually start it, you will see errors like;
[box]
%Error reading tftp://192.168.1.20/cisco-ftd-fp1k.6.6.0-90.SPA (Timed out attempting to connect)
[/box]
It would normally go without saying, but If I don’t say it, the post will fill up with comments! Make sure your Mac is physically connected to the same network as the network device, and has an IP address in the same range.
And make sure the device, and the Mac can ‘ping’ each other.
Use Mac TFTP Daemon To Copy a File To a Network Device
I’ve got a Cisco ASA 5505, but whatever the device is does not really matter. You will have a file that you have downloaded, and you want to ‘send’ that file to a device. This file will probably be in your ‘Downloads’ folder; the TFTP daemon uses the /private/tftpboot folder, so we are going to copy the file there, then set the correct permissions on the file.
[box]
cd ~/Downloads
cp FILENAME /private/tftpboot
cd /private/tftpboot
chmod 766 FILENAME
[/box]
To set permissions on ALL files in this directory.
You can then execute the command on your device to copy the file across;
[box]
ciscoasa# copy tftp flash
Address or name of remote host []? 192.168.1.5
Source filename []? asa825-59-k8.bin
Destination filename [asa825-59-k8.bin]? {Enter}
Accessing tftp://192.168.1.5/asa825-59-k8.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asa825-59-k8.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
15482880 bytes copied in 12.460 secs (1290240 bytes/sec)
ciscoasa#
[/box]
Use Mac TFTP Daemon To Copy a File From a Network Device
There is a gotcha with the TFTP daemon, which is you can’t copy a file to the TFTP daemon if that file does not already exist there. At first glance this sort of defeats the object, but what it really means is you have to have a file there with the same name and the correct permissions on it. In Linux you can create a file with the ‘touch’ command.
[box]
cd /private/tftpboot
touch FILENAME
chmod 766 FILENAME
[/box]
You can then send the file to your Mac from the device;
[box]
ciscoasa# copy flash tftp
Source filename []? asa825-59-k8.bin
Address or name of remote host []? 192.168.1.5
Destination filename [asa825-59-k8.bin]? {Enter}
Writing file tftp://192.168.1.5/asa825-59-k8.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
15482880 bytes copied in 9.940 secs (1720320 bytes/sec)
ciscoasa#
[/box]
I Want Mac OS X TFTP Software!
Well you have a limited choice, if you don’t like using the Mac TFTP Daemon. You can install and use a GUI front end that uses the built in TFTP software.
But if you want a ‘stand-alone’ piece of software then the only other one I’ve found is PumpKIN, you will need to disable the built in TFTP daemon or it will throw an error.
Related Articles, References, Credits, or External Links
Kiosk mode is quite useful if you have some machines that you want to put in a public area for visitors to use, or for machines that are used in displays etc. Or if you have some older PCs that you just want to repurpose as internet terminals or ‘point of sale’ boxes.
Essentially it’s a system that delivers a virtual VMware View desktop to a PC or Thin client without the need to authenticate to the connection server. Kiosk authentication is disabled by default, so you need to run a few commands to get it enabled.
Solution
Before starting you will need a Virtual Machine ready to be used for the Kiosk machine. You might want to create this machine with a “nonpersistent” disk.
Note: Alternatively you can create a user that matches the MAC address of the client machine and auto generate a password like so (this assumes the thin client or PC’s MAC address is 3C:4A:92:D3:12:1C).
4. Then allow this connection server to accept kiosk connections with the following command;
[box]vdmadmin -Q -enable -s PNL-CS[/box]
Note: Where PNL-CS is the name of my VMware Connection Server.
5. You can view the settings configured on this connection server with the following command;
[box]vdmadmin -Q -clientauth -list[/box]
6. While still on your connection server open VMware View Administrator, and create a ‘Pool’ for your Kiosk machine.
7. Manual Pool > Next.
8. Dedicated > Next.
9. vCenter virtual Machines > Next.
10. Next.
11. Give the pool an ID and Display name > Next.
12. Select the machine you are using as the source for the Kiosk machine > Next.
13. When the pool is created > Entitlements.
14. Add in the group that you created in step 1 > OK.
15. Just check on the ‘desktops’ tab and make sure the machine is listed as ‘available’.
Step 3: Connect to the Kiosk Machine
16. Now from your client machine or thin client, you can execute the following command to open the kiosk session.
Note: In a live environment you may want to make the host machine or thin client automatically log on and put this command in the ‘startup’ folder, or call it from a startup/logon script so the machine will boot straight into the kiosk virtual machine.
17. All being well you should be presented with the kiosk VM machine, note you no longer get the normal VMware View tool bar etc, it will behave as if the machine is in front of you.
Related Articles, References, Credits, or External Links
A client who we recently did a WDS (Windows 7) install for, needed to image a couple of Windows XP machines, (They had some software that either would not run, or was not supported on Windows 7).
They asked me for some documentation on how to do this, it’s been such a long time since I imaged any XP machine, so I took the opportunity to document it properly.
Solution
Before you begin, be aware you need to be building your reference machine with a Volume Licensed copy of Windows XP, NOT an OEM or Retail copy (i.e. DON’T build the machine with manufacturers’ rescue disks like Dell or HP). If you don’t do this you will need to activate every Windows machine that you deploy with Microsoft.
Make sure the version of sysprep you are using is at the same service pack level as the reference machine or bad things will happen.
1. Build your reference machine, and configure it as you require.
2. Create a folder on the root of the C: Drive called ‘Sysprep’. Insert the Windows XP CD and locate the Deploy cabinet file. (This is ‘like’ a zip file and it’s in the support\tools folder).
3. Double click the cab file, then copy the sysprep.exe, setupcl.exe and setupmgr.exe files to your c:\sysprep folder.
4. You can now run sysprep.exe and skip to step 13. BUT if you require an answerfile (a script that will answer all the questions Windows will ask while it’s reinstalling post sysprep) then run the setupmgr.exe program, at the welcome screen click next.
5. Create New > Sysprep Setup > Windows XP Professional.
6. Fully Automate > Enter Name and Organisation > Set the Display Properties.
7. Set Time Zone > Enter the Volume Licence unlock code > If you are joining a domain, I suggest generating a random name then changing it later.
8. Set the Local Administrators password > Typical settings will enable DHCP > Supply any domain and domain credentials you need to join your domain.
9. Telephony (I just skip this) > Regional Settings > Languages.
10. Printers > Run Once commands > Additional Commands.
11. Enter a string that will go into the registry, and can be identified later > Finish > Accept the default save path > OK > At this point it looks like it’s crashed, you can manually close the setupmgr.
12. Now you can run sysprep.exe > OK > I select ‘mini-setup’ (If you don’t, it will run the welcome to Windows session and play the annoying music you can’t turn down!) > If you have installed applications and are going to image the machine click Reseal > OK.
Note: Factory will literally set the machine back to a ‘day one’ install of Windows XP.
The machine will then shut down and can be imaged.
Final Note: If you power it back on, it will rebuild itself and delete the c:\sysprep directory. Which is fine unless you are doing some testing and realise you have to do the whole thing from scratch!
Related Articles, References, Credits, or External Links
One of the advantages of launching applications form the ‘Run box’ is, no matter where Microsoft move things to in the graphical interface, they rarely change the commands. So when Windows 8 came out and there was much gnashing of teeth, I just ran the same old commands I used to run, and wondered what all the fuss was about!
Solution
Below is by no means a complete list, but is a collection of stuff I’ve found either from other sites or in my day to day troubleshooting.
Note: If I’m missing one you think should be included, drop me an email (contact details below), and I’ll include it for you.
To Launch / From The Run Command
Accessibility Controls
access.cpl
Accessibility Wizard
accwiz
Action Center
wscui.cpl
Active Directory Users and Computers (if installed)
dsa.msc
Add Hardware Wizard
hdwwiz.cpl
Add/Remove Programs
appwiz.cpl
Administrative Tools
control admintools
Adobe Acrobat (if installed)
acrobat
Adobe Bridge (if installed)
bridge
Adobe Designer (if installed)
formdesigner
Adobe Distiller (if installed)
acrodist
Adobe Dreamweaver (if installed)
dreamweaver
Adobe ImageReady (if installed)
imageready
Adobe Photoshop (if installed)
photoshop
Application Data Folder(opens the logged in users)
%appdata%
Automatic Updates
wuaucpl.cpl
Backup and Restore
sdclt.exe
Bluetooth Devices
bthprops.cpl
Bluetooth Transfer Wizard
fsquirt
Calculator
calc
Certificate Manager
certmgr.msc
Character Map
charmap
Check Disk Utility
chkdsk
Clipboard Viewer (XP only)
clipbrd
Color Calibration
dccw.exe
Color Management
colorcpl.exe
Command Prompt
cmd
Common Program Files Folder (open)
%commonprogramfiles%
Compare Files
comp
Component Services
dcomcnfg
Computer Management
compmgmt.msc
Contacts
wab
Control Panel
control
Date and Time Properties
timedate.cpl
DDE Shares (XP only)
ddeshare
Devices and Printers
control printers
Device Manager
devmgmt.msc or hdwwiz.cpl
Direct X Control Panel (if installed)
directx.cpl
Direct X Troubleshooter
dxdiag
Disk Cleanup Utility
cleanmgr
Disk Defragment (XP only)
dfrg.msc
Disk Management
diskmgmt.msc
Disk Partition Manager
diskpart
Display Properties
control desktop
Display Properties
desk.cpl
Display Properties (XP Appearance Tab Preselected, Windows 8 Personalization > Color and Appearance)
control color
Display (Scaling)
DpiScaling.exe
DNS Management Console (if installed)
dnsmgmt.msc
Dr. Watson System Troubleshooting Utility (Now Windows 8)
drwtsn32
Driver Verifier Utility
verifier
Ease of Access Center
utilman
Event Viewer
eventvwr.msc
Files and Settings Transfer Tool
migwiz
File Signature Verification Tool
sigverif
Findfast (XP Only)
findfast.cpl
Firefox (if installed)
firefox
Folder Sharing Management
fsmgmt.msc
Folders Properties (XP only)
folders
Fonts
control fonts
Fonts Folder
fonts
Font Viewer
fontview
FTP
ftp
Free Cell Card Game (if installed)
freecell
Gateway Services for Netware (if installed)
nwc.cpl
Game Controllers
joy.cpl
Group Policy Editor (LOCAL Policy)
gpedit.msc
Group Policy Management Console (Domain)
gpmc.msc
Hearts Card Game (if installed)
mshearts
Help and Support (XP only)
helpctr
Home Path (display)
%homepath%
Home Folder / Drive (display)
%homedrive%
HyperTerminal (if installed; removed in Windows 7)
hypertrm
Iexpress Wizard
iexpress
Import Windows Contacts
wabmig
Indexing Service (XP only)
ciadv.msc
Infrared Port properties (only if device installed)
Irprops.cpl
Internet Connection Wizard (XP only)
icwconn1
Internet Explorer
iexplore
Internet Information Services
iis.msc
Internet Properties
inetcpl.cpl
Internet Setup Wizard (XP only)
inetwiz
Java Control Panel (if installed)
jpicpl32.cpl
Java Control Panel (if installed)
javaws
Keyboard Properties
control keyboard
Local Group Policy Editor
gpedit.msc
Local Security Policy
secpol.msc
Local Users and Groups
lusrmgr.msc
Log on Server (display)
%logonserver%
Logs You Out Of Windows
logoff
Malicious Software Removal Tool
mrt
Microsoft Access (if installed)
msaccess
Microsoft Chat
winchat
Microsoft Excel (if installed)
excel
Microsoft Frontpage (if installed)
frontpg
Microsoft Mail Post Office (XP only)
wgpocpl.cpl
Microsoft Movie Maker
moviemk
Microsoft Outlook (if installed)
outlook
Microsoft Paint
mspaint
Microsoft Picture Manager (if installed)
ois
Microsoft Powerpoint (if installed)
powerpnt
Microsoft Word (if installed)
winword
Microsoft Synchronization Tool
mobsync
Minesweeper Game (if installed)
winmine
Mouse Properties
control mouse
Mouse Properties
main.cpl
Narrator Settings
narrator
Nero (if installed)
nero
Netmeeting (XP only)
conf
Network Connections
control netconnections
Network Connections
ncpa.cpl
Network Setup Wizard (XP only)
netsetup.cpl
Notepad
notepad
Nview Desktop Manager (if installed)
nvtuicpl.cpl
Object Packager (XP only)
packager
ODBC Data Source Administrator (XP only)
odbccp32.cpl
On Screen Keyboard
osk
Opens AC3 Filter (if installed)
ac3filter.cpl
Outlook Express (XP only)
msimn
Paint
pbrush
Password Properties (XP only)
password.cpl
PCMCIA card properties (if installed)
main.cpl pc card
Pen and Touch
tabletpc.cpl
People Near Me
collab.cpl
Performance Monitor
perfmon.msc
Performance Monitor
perfmon
Phone and Modem Options
telephon.cpl
Phone Dialer
dialer
Pinball Game (if installed)
pinball
Power Configuration
powercfg.cpl
Printers and Faxes
control printers
Printers Folder (XP only)
printers
Private Character Editor
eudcedit
Quicktime (If Installed)
quicktime.cpl
Quicktime Player (if installed)
quicktimeplayer
Real Player (if installed)
realplay
Regional Settings
intl.cpl
Registry Editor
regedit
Registry Editor
regedit32
Remote Access Phonebook
rasphone
Remote Desktop
mstsc
Removable Storage (XP only)
ntmsmgr.msc
Removable Storage Operator Requests (XP only)
ntmsoprq.msc
Resultant Set of Policy
rsop.msc
Set Program Access and Computer Defaults
computerdefaults.exe
Scan
wiaacmgr
Scanners and Cameras (XP only)
sticpl.cpl
Screen Resolution
desk.cpl
Scheduled Tasks
control schedtasks
Security Center
wscui.cpl
Services
services.msc
Shared Folders
fsmgmt.msc
Shuts Down Windows
shutdown
Sounds and Audio
mmsys.cpl
Speech Properties (XP only)
sapi.cpl
Spider Solitaire Card Game (if installed)
spider
SQL Client Configuration
cliconfg
System Configuration Editor (XP only)
sysedit
System Configuration Utility
msconfig
System Information
msinfo32
System Management Properties (XP only)
smscfg.cpl
System Properties
sysdm.cpl
System Properties (advanced tab)
SystemPropertiesAdvanced.exe
System Restore
rstrui.exe
Task Manager
taskmgr
Telnet
telnet
Temporary Folder (open)
%temp%
TCP Tester (XP only)
tcptest
Telnet Client
telnet
Tweak UI (if installed)
tweakui
User Accounts
netplwiz.exe
User Account Management (XP only)
nusrmgr.cpl
User Profiles (opens the All Users profile folder)
%allusersprofile%
Utility Manager (XP only; in later versions opens the Ease of Access Center)
utilman
User Profile (open)
%userprofile%
Volume Mixer
sndvol.exe
Windows Address Book (XP only; in newer versions opens Contacts)
wab
Windows 7 File Recovery
sdclt.exe
Windows Address Book Import Utility
wabmig
Windows Backup Utility (XP/2003 and earlier)
ntbackup
Windows Directory
%windir%
Windows Explorer
explorer
Windows Features (turn on or off)
optionalfeatures.exe
Windows Firewall
firewall.cpl
Windows Magnifier
magnify
Windows Management Instrumentation (WMI Control snap-in)
wmimgmt.msc
Windows Management Instrumentation Command-line (WMIC)
wmic
Windows Media Player
wmplayer
Windows Messenger (if installed)
msmsgs
Windows Messaging (if installed)
mlcfg32.cpl
Windows Picture Import Wizard (XP only; needs a camera connected)
wiaacmgr
Windows Security Center (XP SP2 only)
wscui.cpl
Windows Script Host
wscript
Windows System Security Tool (SAM encryption key; removed in Windows 10 version 1709)
syskey
Windows Update (XP only)
wupdmgr
Windows Version
winver
Windows XP Tour Wizard (XP only)
tourstart
Wordpad
write
Related Articles, References, Credits, or External Links
In the following procedure I'm using Windows Server 2012 and Windows 8 Enterprise. I am NOT configuring for Windows 7 clients, so I don't need to worry about PKI and computer certificates (other than the certificate the DirectAccess server uses to identify itself over HTTPS).
I'm not adding any Application or Infrastructure servers; this is just a basic run-through of setting up DirectAccess to get you up and running.
Solution
Step 1 Create Direct Access Group
You can of course accept the default, which allows access to the Domain Computers group, but I would like to tie things down a little further so that only the machines I choose receive the DirectAccess client policy.
1. Server Manager > Tools > Active Directory Administrative Center > Select the OU (or create one) where you want to create the group.
2. Give the group a sensible name like DirectAccessComputers.
3. Remember that when you try to add members, the object picker does NOT list computers by default; click Object Types and tick Computers before you search, then add them in.
Step 2 Install the Remote Access Role
6. Or from Server Manager > Tools > Add Roles and Features.
7. Simply add the 'Remote Access' role and accept all the defaults.
Step 3 Configure Remote Access
8. Once installed launch Remote Access Management.
9. Run the Getting Started Wizard.
10. Deploy DirectAccess only (I'm not deploying VPNs).
11. Select how the server will be deployed. Mine has a single NIC behind the edge device, and I'm going to port forward TCP port 443 (HTTPS) to it from the firewall. Enter its publicly addressable name (this must match the name on the certificate you pick in step 16) > Next > Finish.
14. In the Remote Clients section, remove Domain Computers and add the group we created above. Untick the 'Enable DirectAccess for mobile computers only' option.
Note: Force Tunnelling means that the remote clients will reach the internet through YOUR corporate network rather than directly. This is only a good idea if you have internet filtering, AV or NAP that you want to take advantage of (it's literally the exact opposite of split tunnelling). Bear in mind that a force-tunnelled client can only connect over IP-HTTPS, and it needs a proxy or route out to the internet from inside your network, otherwise remote users lose internet access altogether.
15. Remote Access Server > Edit.
16. Select an existing Cert or create a new one > Next.
17. Remember I'm just using Windows 8. If you see the Windows 7 box and think "ooh, I'll tick that!", then you need to start using certificates (an internal PKI issuing computer certificates to the clients and the server) > Finish.
18. Finish.
19. Review the settings > Apply.
20. Operation Status.
21. Press Refresh until all the services are green.
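The whole server-side build above (Steps 1 to 3) can also be done from an elevated PowerShell prompt on the Remote Access server. This is an added example, not part of the original article; it drives the same ActiveDirectory and RemoteAccess module cmdlets that the Getting Started Wizard uses. The domain (EXAMPLE / example.com), OU, group name, client names, public name da.example.com and NIC name are assumptions for illustration; check Get-Help Install-RemoteAccess -Full on your build before running it.

```powershell
# Added example: scripted equivalent of Steps 1-3 (run elevated on the Remote Access server).
# All names below are assumptions for illustration: EXAMPLE domain, OU, group, clients, public FQDN, NIC.
$Domain     = 'EXAMPLE'
$GroupName  = 'DirectAccessComputers'
$GroupOU    = 'OU=Groups,DC=example,DC=com'
$Clients    = @('WIN8-LAPTOP01', 'WIN8-LAPTOP02')
$PublicName = 'da.example.com'      # must match the subject/SAN of the HTTPS certificate (step 11/16)
$Nic        = 'Ethernet'            # single NIC: the same adapter is the internal and the internet side

# Step 1: a dedicated security group, so only chosen machines receive the DirectAccess client GPO
Import-Module ActiveDirectory
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU
}
# The GUI object picker hides computers by default; here we just pass the computer objects
Add-ADGroupMember -Identity $GroupName -Members ($Clients | ForEach-Object { Get-ADComputer -Identity $_ })

# Step 2: the Remote Access role (DirectAccess and VPN sub-role) plus its management console
Install-WindowsFeature -Name DirectAccess-VPN -IncludeManagementTools

# Step 3: what the Getting Started Wizard does. Single NIC behind a NAT / port-forward of TCP 443,
# so -DeployNat is set and the same NIC is named for both sides. No Windows 7 clients, so no PKI.
Import-Module RemoteAccess
Install-RemoteAccess -DAInstallType FullInstall `
                     -ConnectToAddress $PublicName `
                     -InternalInterface $Nic -InternetInterface $Nic `
                     -DeployNat

# Step 14 equivalent: scope the client policy to our group instead of Domain Computers,
# not 'mobile computers only', and no force tunnelling (split tunnel, see the note above)
Set-DAClient -SecurityGroupNameList "$Domain\$GroupName" -OnlyRemoteComputers Disabled -ForceTunnel Disabled

# Step 21 equivalent: keep checking until every component reports OK
Get-RemoteAccessHealth | Format-Table Component, HealthState, TimeStamp -AutoSize
```

Because Set-DAClient replaces the whole security group list, running it with only your own group is exactly the "remove Domain Computers" step from the GUI; re-run Get-RemoteAccessHealth until nothing is left in a warning state before testing clients.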
Step 4 Configure Clients
The title is a misnomer; to be honest there is no configuration to be done on the clients themselves, but they have to receive the DirectAccess settings through Group Policy. So add them to the group created in Step 1, then log them onto the domain from the internal network (or run gpupdate /force) so the client GPO applies.
22. A quick simple check is to run the following command (in PowerShell);
[box]Get-DaConnectionStatus[/box]
Note: If you get an error message, make sure you are not using Windows 8 Pro (DirectAccess clients need the Enterprise edition); see here.
23. The client decides whether it is 'inside' the LAN by probing the Network Location Server over HTTPS (with this single-server wizard the NLS is the DirectAccess server itself). When the NLS is reachable, the Name Resolution Policy Table (NRPT) rules are switched off and the client just uses your internal DNS; when it isn't, the NRPT sends queries for your internal namespace across the DirectAccess tunnel. You can see the NRPT rules Group Policy has delivered with the following command;
[box]Get-DNSClientNrptPolicy[/box]
Step 5 Test Clients Externally
Note: Before you proceed, your DirectAccess server needs to be publicly reachable via the name you specified in step 11 (the name on the certificate), and TCP 443 (HTTPS) needs to be open to it.
25. Whilst out on the internet, you can test your remote client by first making sure its IP-HTTPS interface is pointing at the correct place;
[box]netsh interface httpstunnel show interface[/box]
This should give you the URL matching the name on the certificate you specified in step 11, and the interface status should report that it is active. When you ping that name you should expect a reply (unless ICMP has been blocked by your edge device).
26. And to prove that the client knows it's NOT on the corporate LAN, execute the following (it should report 'Outside corporate network');
[box]netsh dnsclient show state[/box]
27. So if I try to ping the internal FQDN of my DirectAccess server it should respond (Note: it replies from its IPv6 address; this is normal, because DirectAccess traffic is IPv6 inside the tunnel).
Note: Here I’ve only setup the one server, you can add more Infrastructure and Application servers in the Remote Access Management Console.
28. Because I can resolve that name, I can access resources on that server, for example via UNC paths.
29. Accessing shared resources on the server over DirectAccess.
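The client-side checks from Steps 22 to 27, gathered into one PowerShell function you can run as an administrator on the Windows 8 Enterprise client from either side of the firewall. This is an added example, not code from the original article. The public name da.example.com and internal name da01.example.local are assumptions; the function shells out to the same two netsh commands shown above because there is no cmdlet equivalent for them, and it parses their 'Label : value' lines.

```powershell
# Added example: one-shot DirectAccess client health check (run elevated on the client).
# da.example.com and da01.example.local are assumed names for illustration.

# Pull the value out of a 'Label : value' line in netsh output; $null if the label is absent
function Get-NetshField {
    param([string[]]$Lines, [string]$Label)
    $m = $Lines | Select-String -Pattern ('^\s*' + [regex]::Escape($Label) + '\s*:') | Select-Object -First 1
    if ($m) { ($m.Line -split ':', 2)[-1].Trim() } else { $null }
}

function Test-DirectAccessClient {
    param(
        [string]$PublicName   = 'da.example.com',     # name on the DA server's HTTPS certificate (step 11)
        [string]$InternalName = 'da01.example.local'  # internal FQDN of the DA server (step 27)
    )
    $r = [ordered]@{}

    # Step 22: overall status as the DirectAccess client sees it (Enterprise edition only).
    # Expect ConnectedLocally on the LAN and ConnectedRemotely from the internet.
    $r.ConnectionStatus = (Get-DAConnectionStatus).Status

    # Step 23: NRPT rules delivered by the client GPO; zero rules means the GPO never applied
    $r.NrptRuleCount = @(Get-DnsClientNrptPolicy).Count

    # Step 26: inside/outside decision made by the Network Location Server probe
    $state = netsh dnsclient show state
    $r.MachineLocation = Get-NetshField -Lines $state -Label 'Machine Location'

    # Step 25: the IP-HTTPS interface must point at the public name and be active
    $tunnel = netsh interface httpstunnel show interface
    $r.IpHttpsUrl    = Get-NetshField -Lines $tunnel -Label 'URL'
    $r.IpHttpsStatus = Get-NetshField -Lines $tunnel -Label 'Interface Status'

    # Is TCP 443 to the public name actually reachable from where we are sitting?
    $r.Port443Open = (Test-NetConnection -ComputerName $PublicName -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded

    # Step 27: from outside, the internal name should resolve to an IPv6 address via the NRPT
    $aaaa = Resolve-DnsName -Name $InternalName -Type AAAA -ErrorAction SilentlyContinue
    $r.InternalNameIPv6 = ($aaaa | Where-Object Type -eq 'AAAA' | Select-Object -First 1).IPAddress

    [pscustomobject]$r
}

Test-DirectAccessClient | Format-List
```

Run it once on the LAN and once from a public network and compare the two results: MachineLocation should flip from inside to outside, ConnectionStatus from ConnectedLocally to ConnectedRemotely, and only the outside run should show an IPv6 address for the internal name.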
Step 6 Monitoring Remote Access Clients
30. Back on the Direct Access server, you can see the remote clients under ‘Remote Client Status’.
31. Right click each one for a more detailed view.
Related Articles, References, Credits, or External Links
When I first started in IT, I went and did my Cisco CCNA. So I learned that to connect Cisco switches and pass VLAN traffic between them, I needed to create a ‘Trunk’ to pass the VLAN traffic. Fast forward a few years, and I now work for an HP reseller. Very early on I came to realise that what HP called a ‘trunk’ was very different from what I had been taught. Below is an article I did a while ago about setting up HP Trunks.
I was in some HP/Wireless training last week and once again I was struggling with their terminology, so today I lined up a bunch of switches on the test bench and worked out the differences.
Scenario 1 Configuring Cisco Catalyst Switches with VLANs.
In 'Ciscoland' all switch ports are either in access mode or trunk mode. An access port belongs to a single VLAN and sends and receives untagged frames for that VLAN; that is what you plug end devices into. A trunk port carries the traffic of many VLANs, each frame tagged with its 802.1Q VLAN ID, to another switch (or router, or hypervisor host). So to replicate the diagram above, this is what you would need to do. Two things worth adding for security: set 'switchport mode access' explicitly on every edge port (the dynamic default will happily negotiate a trunk via DTP with anyone who asks), and consider 'switchport nonegotiate' on the trunks. (Note: For older switches like the 3500XL the VLAN commands are a little different; see the 'vlan database' example at the end of this article.)
[box]
Switch01>
Switch01>enable
Password: xxxxxxxx
Switch01#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch01(config)#vlan 10
Switch01(config-vlan)#name Admin
Switch01(config-vlan)#exit
Switch01(config)#vlan 20
Switch01(config-vlan)#name Data
Switch01(config-vlan)#exit
Switch01(config)#int f0/2
Switch01(config-if)#switchport mode access
Switch01(config-if)#switchport access vlan 10
Switch01(config-if)#exit
Switch01(config)#int f0/16
Switch01(config-if)#switchport mode access
Switch01(config-if)#switchport access vlan 20
Switch01(config-if)#exit
Switch01(config)#int f0/23
Switch01(config-if)#switchport mode trunk
Switch01(config-if)#switchport trunk allowed vlan 1,10,20
Switch01(config-if)#exit
Switch01(config)#exit
Switch01#write mem
Building configuration...
[OK]
Switch01#
Switch02>
Switch02>enable
Password: xxxxxxx
Switch02#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch02(config)#vlan 10
Switch02(config-vlan)#name Admin
Switch02(config-vlan)#exit
Switch02(config)#vlan 20
Switch02(config-vlan)#name Data
Switch02(config-vlan)#exit
Switch02(config)#int f0/2
Switch02(config-if)#switchport mode access
Switch02(config-if)#switchport access vlan 10
Switch02(config-if)#exit
Switch02(config)#int f0/15
Switch02(config-if)#switchport mode access
Switch02(config-if)#switchport access vlan 20
Switch02(config-if)#exit
Switch02(config)#int f0/1
Switch02(config-if)#switchport mode trunk
Switch02(config-if)#switchport trunk allowed vlan 1,10,20
Switch02(config-if)#exit
Switch02(config)#exit
Switch02#write mem
Building configuration...
[OK]
Switch02#[/box]
Scenario 2 Configuring HP Switches with VLANs.
With HP switches the terminology is different: here switch ports are either tagged members or untagged members of a VLAN.
What's the difference between tagged and untagged? If a port is a tagged member of a VLAN, it sends that VLAN's frames with the 802.1Q tag (the VLAN ID inserted into the Ethernet frame header) and expects tagged frames back. If it is an untagged member, it sends that VLAN's frames without a tag, and untagged frames arriving on the port are placed into that VLAN. So you only make a port a tagged member if the device plugged into it is VLAN aware, i.e. another switch, router, hypervisor host or a machine with a VLAN-aware NIC. In Cisco terms, 'untagged in VLAN 10' is an access port in VLAN 10, and 'tagged in VLANs 10 and 20' is a trunk carrying 10 and 20. So to do exactly the same as we did in Scenario 1, but with HP switches, you would do the following:
BE AWARE: Any single port can only be untagged in one VLAN. Out of the box all ports are untagged in VLAN 1 (the default VLAN), so if you untag a port into VLAN 20 (for example) it will automatically remove the 'VLAN 1 untagged' membership for that port. The untagged VLAN on a port that is also tagged in other VLANs is the equivalent of the Cisco native VLAN.
Scenario 3 Setting up HP Switches with Trunked VLANs
Remember, with HP a 'trunk' is bundling several physical links into one logical link (if you're a Cisco head, think of a port-channel / EtherChannel). So here we create a trunk, then use that trunk, rather than the individual member ports, to pass tagged VLAN traffic between the switches.
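The HP (ProCurve / ArubaOS-Switch) configuration for Scenarios 2 and 3, as an added example rather than config from the original article; it mirrors the Cisco Scenario 1 boxes above. The port numbers (6 and 16 for the two access ports, 23 for the single uplink, 21 and 23 for the two-link trunk) are assumptions borrowed from the Scenario 4 box; adjust them to your own cabling. Switch02 gets the same commands with its own untagged ports. Lines beginning with ';' are comments, which is how ProCurve marks comments in its own config files.

```text
; Scenario 2: same VLAN layout as Scenario 1, on HP. Port 23 is the single uplink to the other
; switch, so it is TAGGED in VLANs 10 and 20 (it stays untagged in VLAN 1, the Cisco 'native' VLAN).
Switch01> enable
Password:xxxxx
Switch01# configure terminal
Switch01(config)# vlan 10 name Admin
Switch01(config)# vlan 20 name Data
Switch01(config)# vlan 10
Switch01(vlan-10)# untagged 6
Switch01(vlan-10)# tagged 23
Switch01(vlan-10)# exit
Switch01(config)# vlan 20
Switch01(vlan-20)# untagged 16
Switch01(vlan-20)# tagged 23
Switch01(vlan-20)# exit
Switch01(config)# write memory
; Check: port 23 should show Tagged for 10 and 20, Untagged for DEFAULT_VLAN
Switch01(config)# show vlans ports 23 detail

; Scenario 3: starting from factory defaults, bundle ports 21 and 23 into one logical link first
; (an HP 'trunk', i.e. a Cisco port-channel), then tag the TRUNK, not the member ports, in each VLAN.
; 'lacp' negotiates the bundle with the far end; use 'trunk' instead of 'lacp' for a static bundle.
Switch01(config)# vlan 10 name Admin
Switch01(config)# vlan 20 name Data
Switch01(config)# vlan 10
Switch01(vlan-10)# untagged 6
Switch01(vlan-10)# exit
Switch01(config)# vlan 20
Switch01(vlan-20)# untagged 16
Switch01(vlan-20)# exit
Switch01(config)# trunk 21,23 trk1 lacp
Switch01(config)# vlan 10
Switch01(vlan-10)# tagged trk1
Switch01(vlan-10)# exit
Switch01(config)# vlan 20
Switch01(vlan-20)# tagged trk1
Switch01(vlan-20)# exit
Switch01(config)# write memory
; Checks: both members listed under Trk1, LACP partner seen, VLANs 10 and 20 tagged on Trk1
Switch01(config)# show trunks
Switch01(config)# show lacp
Switch01(config)# show vlans ports trk1 detail
```

The Scenario 3 block is written from defaults on purpose: create the trunk before you tag anything, because once ports 21 and 23 become Trk1 members it is the trunk, not the physical ports, that holds the VLAN membership.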
Scenario 4 Setup VLANs via HP Trunks and Cisco Port Channels
Now we have gone full circle and know what all the differences are, the final part is to get them to talk to each other. So I'll set up a two-cable HP trunk, connect it to a Cisco LACP port-channel, and then finally add in the VLAN traffic. Note: leave 'spanning-tree portfast' off these ports; it is meant for a single end host, and on a switch-to-switch link it can cause a temporary bridging loop (IOS warns you when you try it).
[box]
Switch01> enable
Password:xxxxx
Switch01# configure terminal
Switch01(config)# vlan 10 name Admin
Switch01(config)# vlan 20 name Data
Switch01(config)# vlan 10
Switch01(vlan-10)# untagged 6
Switch01(vlan-10)# exit
Switch01(config)# vlan 20
Switch01(vlan-20)# untagged 16
Switch01(vlan-20)# exit
Switch01(config)# trunk 21,23 Trk1 LACP
Switch01(config)# vlan 10
Switch01(vlan-10)# tagged Trk1
Switch01(vlan-10)# exit
Switch01(config)# vlan 20
Switch01(vlan-20)# tagged Trk1
Switch01(vlan-20)# exit
Switch01(config)# write mem
Switch01(config)#
Switch02>
Switch02>enable
Password: xxxxxxx
Switch02#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch02(config)#vlan 10
Switch02(config-vlan)#name Admin
Switch02(config-vlan)#exit
Switch02(config)#vlan 20
Switch02(config-vlan)#name Data
Switch02(config-vlan)#exit
Switch02(config)#int f0/2
Switch02(config-if)#switchport mode access
Switch02(config-if)#switchport access vlan 10
Switch02(config-if)#exit
Switch02(config)# interface range fa0/23 - 24
Switch02(config-if-range)# channel-protocol lacp
Switch02(config-if-range)# channel-group 1 mode active
Creating a port-channel interface Port-channel 1
Switch02(config-if-range)# interface port-channel 1
Switch02(config-if)# switchport mode trunk
Switch02(config-if)# switchport trunk allowed vlan 1,10,20
Switch02(config-if)#exit
Switch02(config)#exit
Switch02#write mem
Building configuration...
[OK]
Switch02#
[/box]
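After the Scenario 4 config is in, these are the checks I'd run on both sides, plus the hardening I'd add on the Cisco trunk. This is an added example, not config from the original article. 'switchport nonegotiate' stops the port answering DTP, which is what VLAN-hopping tools abuse to turn an access port into a trunk, and moving the native VLAN off VLAN 1 keeps untagged frames out of the default/management VLAN; double-tagging attacks only work when the attacker's access VLAN equals the trunk's native VLAN, so an unused native VLAN closes that off. The native VLAN ID 999 is an assumption; whatever you pick, the HP trunk must be UNTAGGED in the same VLAN, because HP's untagged VLAN on Trk1 is what Cisco calls the native VLAN. VLAN 1 is kept on the trunk but now crosses it tagged.

```text
! Cisco side (Switch02): verify the bundle came up with LACP and the trunk carries 1,10,20
Switch02# show etherchannel summary
Switch02# show interfaces port-channel 1 trunk
Switch02# show interfaces port-channel 1 switchport

! Harden the trunk: no DTP, native VLAN moved to an unused VLAN (999 is an assumption)
Switch02# configure terminal
Switch02(config)# vlan 999
Switch02(config-vlan)# name NativeUnused
Switch02(config-vlan)# exit
Switch02(config)# interface port-channel 1
Switch02(config-if)# switchport nonegotiate
Switch02(config-if)# switchport trunk native vlan 999
Switch02(config-if)# switchport trunk allowed vlan 1,10,20,999
Switch02(config-if)# exit
Switch02(config)# exit
Switch02# write mem

; HP side (Switch01): Trk1's untagged VLAN must match the Cisco native VLAN, otherwise untagged
; frames land in a different VLAN on each side. Untagging Trk1 in 999 drops its 'untagged in 1'
; membership, so VLAN 1 has to be re-added as tagged to keep it flowing.
Switch01(config)# vlan 999 name NativeUnused
Switch01(config)# vlan 999
Switch01(vlan-999)# untagged Trk1
Switch01(vlan-999)# exit
Switch01(config)# vlan 1
Switch01(vlan-1)# tagged Trk1
Switch01(vlan-1)# exit
Switch01(config)# write memory
; Checks: Trk1 should be Untagged in 999 and Tagged in 1, 10 and 20
Switch01(config)# show trunks
Switch01(config)# show vlans ports Trk1 detail
```

Make the change on the HP side first if you are managing the switches over VLAN 1 across this link; the mismatch window between the two edits is where you can lock yourself out.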
Setting up VLANs on older Cisco Switches
Here’s an example using the older vlan database commands.
[box]
Switch01>
Switch01>enable
Password:
Switch01#
Switch01#vlan database
Switch01(vlan)#vlan 10 name Admin
VLAN 10 modified:
Name: Admin
Switch01(vlan)#vlan 20 name Data
VLAN 20 modified:
Name: Data
Switch01(vlan)#exit
APPLY completed.
Exiting....
Switch01#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch01(config)#int f0/2
Switch01(config-if)#switchport mode access
Switch01(config-if)#switchport access vlan 10
Switch01(config-if)#exit
Switch01(config)#int f0/16
Switch01(config-if)#switchport mode access
Switch01(config-if)#switchport access vlan 20
Switch01(config-if)#exit
Switch01(config)#int f0/23
Switch01(config-if)#switchport mode trunk
Switch01(config-if)#switchport trunk encapsulation dot1q
Switch01(config-if)#switchport trunk allowed vlan 1,10,20
Switch01(config-if)#exit
Switch01(config)#exit
Switch01#write mem
Building configuration...
Switch01#[/box]
Related Articles, References, Credits, or External Links