You want to set up FTP on your Windows Server, and more importantly make it work without disabling the firewall. Below is the procedure you will need to carry out.
Note: For older Windows operating systems, see the Server 2012 and Server 2008 R2 articles listed below.
Setup FTP Server (Windows Server)
Setup FTP on Windows Server 2012 (Including firewall setup)
Setup FTP on Windows Server 2008 R2 (Including firewall setup)
Firewall Configuration for FTP on Server 2008 R2 (Included in the Video above).
Related Articles, References, Credits, or External Links
Openfiler is a free, prebuilt NAS/SAN Linux distribution that can provide iSCSI storage to your VMware environment. It's ideal for small setups (this video was made with all the devices running in VMware Workstation 7 on my laptop: two ESXi servers, a vCenter server, and the Openfiler iSCSI target server).
Solution
Related Articles, References, Credits, or External Links
Openfiler
Thanks to VMware for the free copy of VMware Workstation.
Deploying GFI MailArchiver with Exchange 2010, Using the Outlook Connector, Importing and Exporting Data.
KB ID 0000666
Problem
I’ve been involved with Exchange for a long time, either being directly responsible for it or supporting others who are. Like all systems, it would run a lot smoother if you kept users away from it! Unfortunately you can’t, so your system is probably full of users’ “Deleted Items” and “Sent Items”, and a copy of every email that some users have ever received “because I might need them”. For years I’ve been saying “It’s a messaging system, not a file storage system” and lecturing users about tidying up their inboxes. Yes, you can set up retention policies, but most people don’t.
Even if you do have conscientious users, some of them click “Yes” when Outlook asks “Would you like to AutoArchive your old messages now?” Then you have PST files all over the place, getting corrupted and not getting backed up.
In addition, just as techs like me are shouting at users to delete things, businesses are finding that they need to keep ALL their digital messaging for things like Sarbanes-Oxley and Freedom of Information enquiries. Yes, I’m sure you back up your Exchange server, but what if you needed to produce a message thread about a particular project from two years ago, in the middle of a month?
Archiving
Archiving is the process of taking a copy of mail messages as they pass through Exchange and copying them off to an external location, in this case a database. The advantages are that the database can sit on cheaper midline storage, and that it (potentially) keeps the Exchange database sizes down. With Exchange this is done by setting up journaling (the process of sending a copy of all, or specified, mail to a journal user’s mailbox). MailArchiver then takes this mail and puts it into its database.
Advantages
1. Performance: Getting all the ‘old’ data out of the Exchange databases makes them smaller and more efficient.
2. Elimination of PST files: There’s a big list of reasons why I don’t like PST files. If you’ve ever had a user lose email because of them, then as far as they’re concerned it’s YOUR fault. There are tools to import PST files into the database (and to export as well).
3. Disaster Recovery: How nice would it be if, the next time a user’s email message ‘disappears’ (users never delete emails, they just disappear), they could restore it themselves from within Outlook? The Outlook Mail Connector software will do this. Your backup window for Exchange will also be a lot smaller.
4. Compliance: Saving a copy of all messages in a database has the advantage that it’s searchable, and you can export the data you find in a format that can be imported straight back into Exchange or sent to someone.
5. Investigation: MailArchiver provides some powerful search and reporting tools. If your HR department needed to see who said what to whom about project XYZ, using conventional methods would be a nightmare.
Solution
GFI MailArchiver 2012 Installation and Configuration
Enabling Journaling in Exchange 2010
Note: GFI Mail Archive setup can do this for you but I prefer to do things manually.
1. Launch the Exchange System Management Console > Recipient Configuration > Mailbox > New Mailbox.
2. User Mailbox > Give it a name and set the password > Don’t create an archive > New > Finish.
3. Option 1: Standard Journaling can be enabled on a mailbox store > Organisational Configuration > Mailbox > Locate the store> Properties.
4. Maintenance tab > Tick Journal recipient then browse for the user you created > Apply OK.
5. Option 2: (Note: Requires an Exchange Enterprise CAL) This is set up using a Journaling rule > Organizational Configuration > Hub Transport > Journal Rules > New Journal Rule.
6. Give the rule a name > Browse for the user you created earlier > Set the scope (in most cases you will want global) > New > Finish.
7. To test it’s working, send an email, then log on as your ‘Journal’ user and make sure you have a copy in the inbox.
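The same journaling setup (steps 1 to 7) done from the Exchange 2010 Management Shell, as an added example that is not the article’s own code. It assumes a journal mailbox called Journal, the SMTP domain pnl.com and a database called ‘Mailbox Database 0123456789’; change those to match your environment. It also does two things the GUI walkthrough skips: it hides the journal mailbox from the address book and puts a quota on it, because an unbounded journal mailbox is the one that eventually fills the store.

```powershell
# Added example, not code from the original article. Run in the Exchange 2010 Management Shell.
# Assumptions: journal mailbox 'Journal', SMTP domain pnl.com, and the database name below.
$JournalUser = 'Journal'
$Domain      = 'pnl.com'
$Database    = 'Mailbox Database 0123456789'   # assumption: the store you want journaled

# 1. Create the journal mailbox (steps 1-2). Give it a long random password; nobody should
#    log on to it interactively, MailArchiver reads it with its own credentials.
$chars    = (48..57) + (65..90) + (97..122)
$password = -join ($chars | Get-Random -Count 24 | ForEach-Object { [char]$_ })
New-Mailbox -Name $JournalUser -Alias $JournalUser -UserPrincipalName "$JournalUser@$Domain" `
            -OrganizationalUnit 'Users' `
            -Password (ConvertTo-SecureString $password -AsPlainText -Force) | Out-Null

# Hide it from the address book so users cannot mail or browse it, and cap it so that a
# stalled archiver does not quietly fill the database.
Set-Mailbox -Identity $JournalUser -HiddenFromAddressListsEnabled $true `
            -UseDatabaseQuotaDefaults $false -IssueWarningQuota 15GB -ProhibitSendReceiveQuota 20GB

# 2a. Option 1: standard journaling on a mailbox database (steps 3-4).
Set-MailboxDatabase -Identity $Database -JournalRecipient $JournalUser

# 2b. Option 2: premium journaling via a global journal rule (steps 5-6, needs Enterprise CALs).
#     Use one or the other: with both enabled every message from that store is journaled twice.
# New-JournalRule -Name 'Journal all mail' -JournalEmailAddress "$JournalUser@$Domain" `
#                 -Scope Global -Enabled $true

# 3. Test (step 7): push a message through the Hub Transport server, then check that a journal
#    report landed in the journal mailbox without logging on to it.
Send-MailMessage -From "administrator@$Domain" -To "administrator@$Domain" `
                 -Subject 'Journal test' -Body 'Journaling check' -SmtpServer 'localhost'
Start-Sleep -Seconds 30
$inbox = Get-MailboxFolderStatistics -Identity $JournalUser -FolderScope Inbox
"Journal inbox: $($inbox.ItemsInFolder) item(s), $($inbox.FolderSize)"
if ($inbox.ItemsInFolder -lt 1) { Write-Warning 'No journal report arrived; check the journal recipient or rule.' }
```

If the count stays at zero, check that the test message was actually delivered to the administrator mailbox first; journaling only copies mail that transport has processed, so a rejected submission produces no journal report either.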
Installing GFI MailArchiver 2012
8. Before installing, the GFI MailArchiver server needs the Exchange MAPI Client and Collaboration Data Objects 1.2.1 (unless you are installing it on the Exchange server).
9. Also (though not essential) I prefer to disable IE Enhanced Security Configuration, so IE won’t get upset with the management console.
10. You can add the URL to trusted sites if you want, but I’m not a fan of IE ESC anyway so I simply disable it.
11. Now run the GFI MailArchiver installer.
12. Now this I DO LIKE, why can’t Exchange do this? These are the server prerequisites, and rather than just falling over and giving you an error (I’m looking at you, Exchange developers!) it offers to do the hard work for you. It takes a while though, so this is a good point to go for a coffee > Next > Select whether you want to check for a newer version > Accept the EULA > Set the destination folder > Next.
13. Here are the default settings. WARNING: if you already have web services on this server (or even UPS software using port 80), have a common sense check before accepting them.
Note: If you are not sure, the following command will tell you if anything is already listening on port 80 (HTTP). It matches the port followed by a space so that ports such as 8080 or 8000 don’t show up as false positives; the last column is the PID of the process that owns the socket.
[box]netstat -aon | findstr /R /C:":80 .*LISTENING"[/box]
14. Select Install > Finish.
Configuring MailArchiver 2012
15. The GFI MailArchiver management console will launch > Configure.
16. Next.
17. Enter your licence key and select verify licence key > Next.
18. Next.
19. In this example I’m using the Firebird database, in a production environment you should be using SQL server > Next.
20. Change the paths if required > Enter some domain credentials> Next.
21. Next
22. Next
23. Next
24. I’m selecting Auto > Next
25. As I set the user up myself I’m choosing Manual > Next.
26. Exchange Web Services seems to be less problematic > Enter your Journal user account > Next.
27. Next.
28. Finish.
29. We are now up and configured.
GFI MailArchiver – Outlook Connector, Import and Export
GFI MailArchiver – Using the Outlook Connector
30. Firstly you need to enable ‘Mailbox Folder Structure Retrieval’ on the GFI server > Launch the MailArchiver Management console.
31. Mailbox Folder Structure Retrieval.
32. Change Settings.
33. Enter a user account to connect to Exchange Web Services with. Here I’m using my domain admin; whichever account you use needs administrative access on both the Exchange server and the GFI server (in production, use a dedicated service account rather than a domain admin, and grant it only the rights it needs). It also (domain admin included) needs the following PowerShell commands run on the Exchange server before it will work (change the user name to match your own);
36. I’ve already got a client PC setup with Outlook 2010.
37. I’m just connecting to the GFI servers management URL from the client and downloading the Outlook Connector.
Note: The versions are for Outlook 32 bit and Outlook 64 bit, even if your Windows client is 64 bit you may still be running 32 bit Outlook/Office. If you get it wrong it will tell you your version of Office is not supported.
38. Install the client software, accept the defaults, all you need to specify is the URL of the GFI MailArchiver server.
39. Now when your user opens Outlook, they get an additional mailbox called “GFI MailArchiver Mailbox” that carries a copy of ALL the user’s mail (Note: not the mail from before the product was installed; to import that, see the import section below and choose ‘Import for Exchange mailbox’). In addition each user now has a MailArchiver toolbar from which they can search for their mail.
Note: If a user ‘loses’ a mail they can simply drag a copy from their GFI mailbox to their live inbox.
GFI MailArchiver – Importing Data from PST Files
Note: To do this the machine needs to have Outlook installed on it (and NOT Outlook 64 bit!)
40. Launch the GFI MailArchiver Import and Export Tool.
41. Import from .pst files.
42. Add PST file > Browse to your PST file > Open.
43. Select the folder(s) required > Next
44. Select a date range > Select the user that will own the imported data > Next.
Note: I’d rather have an “Import Everything” option!
45. When complete > Finish.
46. Now that user will have the imported mail as well (Note: The default view is “Emails in last 30 days” so don’t panic if you don’t see it all).
GFI MailArchiver – Exporting Data to PST File
47. Launch the GFI MailArchiver Import and Export Tool.
48. Enter the URL of the GFI server > Verify > Ensure it says OK > Next.
49. Select what you want to export (I’m going to search for email containing particular words) > Next.
50. Type in your search text > Find > Next.
51. Here you can restore the mail to a mailbox, export it to .msg or .eml format, or my old nemesis .pst files, I’ll choose the latter > Next.
52. And there’s my .pst file, ready to be sent out to satisfy my freedom of Information enquiry.
Related Articles, References, Credits, or External Links
One great new feature of Windows Server 2012 is built-in network ‘Teaming’. Doing this normally takes third-party software, either from the server vendor (HP Teaming) or from the NIC manufacturer.
It utilises a new Windows feature called LBFO (Load Balancing and Failover), which lets you both aggregate links and keep links available in the event of a failure.
Note: NIC Teaming supports up to 32 network cards per team.
Solution
1. Launch Server Manager > All Servers > Select the server you want to create a team on > Right Click > Configure NIC Teaming.
2. Select the NICs you want to add to the team > Right Click > Add to New Team.
3. Give the Team a name > OK.
Note: By default ‘Switch independent’ will be selected, this is probably what you want (see below) > OK.
Windows Server 2012 NIC Teaming Modes
Static Teaming: Requires configuration on the switch, which must be configured for IEEE 802.3ad (draft v1) static link aggregation; both ends must agree on which ports are in the bundle or the team comes up degraded.
Switch Independent: Generally requires no switch configuration, and the team members can be connected to multiple switches (which also protects you against a switch failure).
LACP: Requires configuration on the switch, which must be configured for IEEE 802.1AX and support LACP. Note: On a Cisco Catalyst this would be a port-channel, on an HP Networking switch this would be called an LACP trunk.
4. Now if you look under ‘Network Connections’ you will see a new one with the name you created.
5. Configure this new Teamed NIC, and simply treat it as a single network card.
Configure Teaming via PowerShell
To do the same as we did above use the following command;
[box]
New-NetLbfoTeam -Name TEAM -TeamMembers NIC1,NIC2,NIC3,NIC4 -TeamingMode SwitchIndependent
[/box]
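The same team built with the checks a practitioner would want around it, as an added example that is not the article’s own command. It keeps the article’s adapter names NIC1 to NIC4 and the team name TEAM; the management VLAN ID 10 and the choice of load balancing algorithm are assumptions for the lab.

```powershell
# Added example, not code from the original article. Run in an elevated PowerShell on
# Server 2012. NIC1..NIC4 and the team name TEAM follow the article; VLAN 10 is an assumption.
Import-Module NetLbfo

# Only team adapters that are actually connected; a disconnected member just sits in Failed.
$members = @(Get-NetAdapter -Name 'NIC1','NIC2','NIC3','NIC4' | Where-Object { $_.Status -eq 'Up' })
if ($members.Count -lt 2) { throw 'Need at least two connected adapters to build a team.' }

# Switch independent needs nothing on the switch. Only use -TeamingMode Lacp (or Static) once
# the switch ports are already in a port-channel / trunk, otherwise the team comes up degraded.
New-NetLbfoTeam -Name 'TEAM' -TeamMembers $members.Name `
                -TeamingMode SwitchIndependent -LoadBalancingAlgorithm TransportPorts `
                -Confirm:$false | Out-Null

# Optional: a second, tagged team interface for a management VLAN, so management traffic is
# kept off the untagged default interface without trunking every VLAN to the OS.
Add-NetLbfoTeamNic -Team 'TEAM' -VlanID 10 -Confirm:$false | Out-Null

# Verify before you trust it: the team is Up and every member is active, not Failed or Standby.
Get-NetLbfoTeam -Name 'TEAM' | Select-Object Name, Status, TeamingMode, LoadBalancingAlgorithm
$bad = @(Get-NetLbfoTeamMember -Team 'TEAM' |
         Where-Object { $_.AdministrativeMode -ne 'Active' -or $_.OperationalStatus -ne 'Active' })
if ($bad.Count -gt 0) {
    Write-Warning ('Team members not active: ' + (($bad | ForEach-Object { $_.Name }) -join ', '))
}
```

After the team exists, configure IP settings on the ‘TEAM’ connection (and on ‘TEAM - VLAN 10’ if you added it), not on the member adapters; anything set on a member is ignored once it is in a team.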
Related Articles, References, Credits, or External Links
SSTP gives you the ability to connect to your corporate network from any location that has an internet connection and is not filtering HTTPS. This port is usually open for normal secure web traffic. Traditional VPN connections (PPTP, L2TP/IPsec) require other ports and protocols to be open for them to work, which makes a solution that runs over TCP port 443 attractive.
Thoughts: While I can see why this is a good idea, Microsoft has basically changed some existing protocols (SSTP carries PPP inside an HTTPS session) so they work on a port that won’t be blocked by most firewalls. This is not a new approach (Microsoft did it before with RPC over HTTP). I can’t help feeling that the more traffic we push over ports 80 and 443, sooner or later security/firewall vendors are going to statefully inspect/block traffic that isn’t supposed to be on that port. (If you think ‘that would never happen!’, try running an Exchange Server through a Cisco firewall with SMTP inspection turned on.) Anyway, it’s there, I’ve been asked to do a walkthrough, so read on.
Solution
I’ve got a Windows 2012 Server already setup, it’s a domain controller, and is running DNS. You don’t have to have the same server running SSTP/RRAS but in this lab environment that’s what I’m doing. In addition my remote VPN clients will get an IP address from my normal corporate LAN.
1. On the server I have two network cards installed. The first (NIC1) is the normal network connection for the server; the second (NIC2) is the one the remote clients get connected to (once they have authenticated to NIC1).
2. Make sure the Internet facing NIC has good comms and works OK.
3. NIC2, as you can see, does not even need a default gateway.
Windows Server 2012 Add Certificate Services
I’m going to use a certificate from my own internal CA (Active Directory Certificate Services), which remote clients won’t trust until they import its root certificate; the article calls this a ‘self signed’ certificate for short. If you have purchased one from a public CA, then skip this section.
4. From Server Manager (ServerManager.exe) > Add Roles and Features > Next > Next > Next > Select > Active Directory Certificate Services.
5. Add Features > Next > Next > Next > Tick ‘Certificate Authority Web Enrolment’.
6. Add Features > Next > Next > Next > Install > Close > From the warning (top right) > Configure Active Directory Certificate Services on this server.
7. Next.
8. Select both Certificate Authority and Certificate Authority Web Enrolment > Next.
9. Next > Next > Next > Next > Next > Next > Next > Configure > Close > Close Server Manager.
10. Open a Microsoft Management Console.
11. File > Add Remove Snap-in > Certificate Authority > Add > Local computer > Finish > OK.
12. Drill down to Certificate Templates > Manage.
13. From the list that appears locate IPsec > Right Click > Duplicate Template.
14. General tab > Change the name to SSTP-VPN.
15. Request Handling tab > Tick ‘Allow private key to be exported’.
16. Subject Name tab > Tick ‘Supply the request’ > Click OK when prompted.
17. Extensions tab > Application Policies > Edit.
18. Add > Locate the ‘Server Authentication’ policy > OK > OK > Apply > OK > Close the Certificate Templates console.
19. From the Certificate templates Folder > New > Certificate Template Issue.
20. Locate the SSTP-VPN entry > OK > Close the MMC.
SSTP Firewall Setup
In this example my server is behind a corporate firewall. If yours is internet facing then you may simply want to add an exception/rule allowing HTTPS (TCP 443). My server will ultimately have a public IP address that resolves to its public name (vpn.pnl.com), so I just need to allow the port in. If your server does not have its own public IP address, then you may need to set up port forwarding instead. You will see later that I’m also going to use TCP 80 (normal HTTP) to access my certificate services remotely, so I’ve got that open as well. In a corporate environment you should access certificate services via HTTPS instead: the CA certificate the client downloads is exactly what it will go on to trust, and over plain HTTP anyone on the path can swap it.
21. On this server I’m simply going to disable the firewall > Start > Run > firewall.cpl {enter} > Turn Windows Firewall on or off > Set as appropriate. That is for the lab only; SSTP needs nothing more than an inbound rule for TCP 443 (plus TCP 80 while clients fetch the CA certificate), so in production leave the firewall on and add those rules instead.
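What step 21 should look like outside a lab, as an added example that is not the article’s own procedure: the two inbound rules the walkthrough actually depends on, with the firewall left on. It assumes the article’s layout (RRAS listening on NIC1, AD CS web enrolment on the same server) and that TCP 80 is only needed while clients collect the CA certificate; the rule names are assumptions.

```powershell
# Added example, not code from the original article. Run elevated on the Server 2012 RRAS box.
# Assumptions: SSTP on TCP 443 via the adapter named NIC1, AD CS web enrolment on TCP 80.
Import-Module NetSecurity

# Inbound SSTP only on the Internet-facing adapter, whatever profile Windows assigns to it.
New-NetFirewallRule -DisplayName 'SSTP VPN (TCP 443 in)' -Direction Inbound -Protocol TCP `
    -LocalPort 443 -InterfaceAlias 'NIC1' -Action Allow -Profile Any | Out-Null

# Plain-HTTP web enrolment, restricted to the Domain/Private profiles so it is never exposed
# on the public side. Disable this rule once the CA certificate has been distributed.
New-NetFirewallRule -DisplayName 'AD CS web enrolment (TCP 80 in)' -Direction Inbound -Protocol TCP `
    -LocalPort 80 -Action Allow -Profile Domain,Private | Out-Null

# Keep every profile on with inbound blocked by default; this is what "turn it off" throws away.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# Check: show only the two rules we rely on, with their ports, so a typo is obvious now
# rather than when the first remote user calls.
Get-NetFirewallRule -DisplayName 'SSTP VPN (TCP 443 in)','AD CS web enrolment (TCP 80 in)' |
    ForEach-Object {
        $port = ($_ | Get-NetFirewallPortFilter).LocalPort
        '{0,-35} enabled={1,-6} port={2}' -f $_.DisplayName, $_.Enabled, $port
    }
```

If the server sits behind a NAT device, this is in addition to (not instead of) the port forward for TCP 443 on that device.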
Grant users SSTP VPN/Dial-in rights.
22. Make sure that any user who wants to access the SSTP VPN has had their Dial-in (Network Access Permission) set to ‘Allow access’.
Windows 2012 Server Install and Configure RRAS for SSTP
23. From Server Manager (ServerManager.exe) > Add Roles and Features > Next > Next > Next > Select > Network Policy and Access Services.
24. Add Features > Next > Next> Next > Next > Install > Close.
25. Back at Server Manager (ServerManager.exe) > Add Roles and Features > Next > Next > Next > Select ‘Remote Access’.
26. Add Features > Next > Next > Next > Tick ‘Routing’ > Next > Install.
27. Close.
Note: At this point you may see a warning that there are additional steps to take (to configure Routing and Remote Access). If so, you can launch and then close this wizard, because we will do it manually.
28. Close Server Manager > Open a new MMC > File > Add/Remove Snap-in > Certificates > Add > Computer account > Finish > OK.
29. Expand Personal > Certificates > All Tasks > Request New Certificate.
30. Locate the SSTP-VPN entry > Click the ‘More information required..’ link.
31. Change the Type to Common name > Enter the public name of the SSTP VPN server > Add > OK.
Note: This will be the common name on the certificate, i.e. vpn.pnl.com, which will need a public A/Host record creating for it in your public DNS (speak to your ISP or DNS hosting company). That way when your remote clients go to https://vpn.pnl.com they won’t get an error (providing you imported the root cert correctly on THAT machine). The name the clients dial must match this name exactly, or SSTP will refuse the connection.
35. Open the Routing and Remote Access console > Right click the server > Configure and Enable Routing and Remote Access.
36. At the wizard > Next > Next > Tick VPN > Next.
37. Select NIC1. In this case I’m unticking the ‘Enable security on the selected interface by setting up static packet filters’ option (otherwise it disables RDP and locks the NIC down to VPN traffic only) > Next.
38. IP Address Assignment: I’m going to hand out addresses from this server, so select the bottom option (From a specified range of addresses) > Next.
39. New > Create a range of IP addresses. (Note: You may need to exclude these from your existing DHCP scope) > OK > Next.
40. Next.
41. Finish > OK > OK > At this point you will see the services restarting.
42. Right click the server > Properties.
43. Security tab > Change the certificate to the one we created > Apply > Yes > OK > Close the console.
Windows Server 2012 – Connect to SSTP from a Remote Client
At this point I have the correct ports open on the firewall, and I’m on a Windows 7 client outside the corporate network.
44. Because we are using a self signed certificate, we need to get the client to trust it. We can give the user the root certificate, or they can connect and download it, here I’m connecting to the Certificate Services web portal. Note: Remember that’s on the same server.
45. Supply your domain credentials > OK > Download a CA Certificate > Download CA Certificate > Save As.
46. Put the certificate somewhere, and call it something sensible.
47. Now launch an MMC on the client machine, and add the certificate snap-in (for ‘computer account’).
48. Drill down to Trusted Root Certification authorities > Certificates > All Tasks > Import > Navigate to, and select the certificate you just downloaded.
Note: If you double click the cert and import it manually, then it gets put into the user account, NOT the computer account, and this will cause you problems (Error 0x800b0109: the certificate chain ends in a root that is not trusted).
Registry Key Required for SSTP Access
The title is not strictly true, but as we are using an internal CA the client cannot reach the CA’s CRL from the Internet to check whether the server certificate has been revoked, and SSTP drops the connection when that check can’t complete. Even with some purchased certificates you may need to do this. Be clear about what it does: with this key set the client will never notice a revoked SSTP server certificate, so the proper fix is to publish the CRL on a URL reachable from the Internet and leave the check on.
49. Open the registry editor and navigate to:
[box]
HKLM\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters
[/box]
50. Create a new 32 bit DWORD called NoCertRevocationCheck and set its value to 1 (one).
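The client-side steps 44 to 50 scripted, as an added example that is not part of the original article. Rather than setting the registry key blindly, it fetches the certificate the VPN server presents, checks the name matches what the client will dial, builds the chain with revocation checking on (which is what SstpSvc does), and only applies NoCertRevocationCheck when the one remaining problem is an unreachable CRL. It assumes the article’s server name vpn.pnl.com and that the CA certificate from step 45 was saved as C:\Temp\RootCA.cer; certutil is used for the import because Import-Certificate does not exist on Windows 7.

```powershell
# Added example, not code from the original article. Run elevated on the Windows 7 client.
# Assumptions: SSTP server vpn.pnl.com from the walkthrough, CA certificate at C:\Temp\RootCA.cer.
$VpnServer = 'vpn.pnl.com'
$RootCert  = 'C:\Temp\RootCA.cer'

# 1. Trust the internal CA in the COMPUTER store (Trusted Root Certification Authorities),
#    which is the store SstpSvc consults; a user-store import gives error 0x800b0109.
certutil -addstore -f Root $RootCert | Out-Null

# 2. Fetch the certificate the VPN server presents on TCP 443, trusting nothing yet.
function Get-SstpServerCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }  # inspected below
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}
$cert = Get-SstpServerCertificate -HostName $VpnServer
"Subject: $($cert.Subject)  Issuer: $($cert.Issuer)  Expires: $($cert.NotAfter)"

# The name on the certificate must match the name dialled in step 55, or SSTP refuses to connect.
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($cn -ne $VpnServer) { Write-Warning "Certificate is issued to '$cn', not '$VpnServer'" }

# 3. Build the chain with online revocation checking, exactly as SstpSvc does by default.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$ok     = $chain.Build($cert)
$status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
"Chain valid: $ok  Problems: $(if ($status.Count -gt 0) { $status -join ', ' } else { 'none' })"

# 4. Apply the article's registry override only when the sole problem is revocation (the CRL
#    is unreachable from the Internet). UntrustedRoot means the CA certificate landed in the
#    wrong store: fix that, do not suppress it.
$other = @($status | Where-Object { $_ -notmatch 'Revocation' })
if ($status.Count -gt 0 -and $other.Count -eq 0) {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
    New-ItemProperty -Path $key -Name NoCertRevocationCheck -PropertyType DWord -Value 1 -Force | Out-Null
    'NoCertRevocationCheck=1 set: revocation is no longer checked for SSTP server certificates.'
}
```

On Windows 8 and later the connection itself can also be created from PowerShell with Add-VpnConnection; on Windows 7 you still create it through the Network and Sharing Center as in the next section.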
Setup a SSTP VPN Connection
51. Open the Network and sharing Center.
52. Setup a new connection or network.
53. Connect to a workplace.
54. Use my Internet Connection.
55. Supply the Internet Address (that matches the common name you used above) > Next.
56. Supply your domain credentials > Connect.
57. Connected successfully.
Note: If it fails at this point, it usually gives you an error code you can Google, or offers to enable logging so you can troubleshoot.
58. Just to prove I’m connected, this client can ping the SSTP servers private address.
Related Articles, References, Credits, or External Links
You would like to connect Microsoft Outlook to your Gmail account.
Solution
1. If Outlook does not have an account already it will prompt you when it launches; if you are adding an account, click Tools > Account Settings > Add.
2. If you are in a domain environment it will try and auto-configure your account, but you want to set things up manually, so select “Manually configure server settings…”.
3. We are setting up an IMAP account, so select Internet E-mail.
4. Note: To configure an IMAP account you need to enable IMAP in your Gmail settings > Log in > Settings > Forwarding and POP/IMAP > Enable IMAP > Save settings.
5. Enter your account details > the incoming server is imap.gmail.com, the outgoing server is smtp.gmail.com > remember to tick “Remember password” > More Settings. (Gmail no longer accepts your normal Google password from mail clients; create an app password in your Google account, which requires 2-Step Verification, and use that here.)
6. On the Advanced tab > set the IMAP port to 993 > set IMAP to use SSL > Set the SMTP port to 587 > Set SMTP to use TLS. (Port 465 with SSL also works; port 25 is for server-to-server mail and is blocked by most ISPs.)
7. Select the Outgoing Server tab > tick the box “My outgoing server (SMTP) requires authentication” > make sure “Use same settings as my incoming mail server” is selected > OK.
8. Next > Finish.
Related Articles, References, Credits, or External Links
A few weeks ago my boss asked me to take a look at Microsoft Lync, because he was interested in the Lync client (formerly Microsoft Communicator) for instant messaging.
Decent info is a bit thin on the net, and I don’t have the patience to read stupidly long PDF files. So to redress the balance I thought I would publish my findings below.
Solution
Note: The following procedure is carried out on Server 2008 R2 with Windows 7 Clients, on my VMware test network.
Walkthrough
I know a lot of people don’t like watching videos, so here are my notes:
Pre-Requisites
1. Download and install, Microsoft Silverlight. (link)
2. IIS (Roles > Add Roles > Web Server IIS) > Next.
Also add:
i. ASP.NET
ii. Logging Tools
iii. Tracing
iv. Client Certificate Mapping Authentication.
v. Windows Authentication
vi. IIS Management Scripts and Tools
Next > Install > Finish.
3. RSAT Tools (Features > Add Features > Remote Server Administrative Tools > ADDS and LDS Tools) > Next > Install > Close > Select Yes to Reboot > Post Reboot Installation will continue > Close.
4. Have a Certification authority set up in your domain. OR a certificate ready for the Lync Server to import.
Install
1. Run Setup > It will ask to Install C++ let it do so.
2. Once it’s finished, It will ask for the install location > change if required > Install.
3. Accept the EULA > OK.
4. When the Deployment Wizard starts > Select “Prepare Active Directory”.
5. Prepare Schema > Run > Next > Finish.
6. Allow domain replication.
7. Prepare Current Forest > Run > Select Local Domain > Next > Finish.
8. Allow domain replication.
9. Prepare Domain > Run > Next > Finish.
10. When all are completed, add your administrators to the newly created AD group CSAdministrators > Then click “Back” to return to the main page of the Deployment Wizard.
11. Prepare First Standard Edition Server > Next > SQL Express will install > Finish.
12. Install Topology Builder > It installs very quickly and gets a green tick when complete.
13. Start > All Programs > Microsoft Lync Server 2010 > Lync Server Topology Builder > When prompted select > New Topology > OK.
14. Save the topology as requested.
15. Under “Primary SIP Domain” > enter your domain name > Next.
16. Enter any additional domains if required > Next.
17. Give the site a name and description > Next.
18. Enter site details > Next > With the option to “Open the new front end wizard…” selected > Finish.
19. At the “Define a new front end pool” wizard > Next > Enter the FQDN of the server and select Standard Edition > Next.
20. Select features (everything except PSTN, because I don’t have a PSTN gateway) > Next.
21. Choose to collocate the Mediation Server > Next.
22. Don’t add any further server roles > Next > Next.
23. Let it create a new share > Next.
(Note: alternatively create the share manually first, and make sure it has appropriate permissions.)
24. Set the external URL if required > Next > we are not adding PSTN > Finish.
25. In the Topology Builder select > Edit Properties > Central Management Server.
26. Add in the admin URL (Note: make sure this resolves in DNS) and the FQDN of the server > OK.
27. Select Publish Topology > Next > Next > Finish.
28. Re-launch or swap back to the Lync Server Deployment Wizard > Select Install or Update Lync Server System.
29. Run step one “Install Local Configuration Store” > Select “Retrieve directly…” > Next > Finish.
30. Run step two “Setup or Remove Lync Server Components” > Next > (If you get “Prerequisite installation failed: Wmf2008R2”, click the link) > Finish.
31. Run step three “Request, Install, or Assign Certificates” > Request > Next > Send request immediately > Next.
32. Select your CA > Next > Next > Next.
33. Choose a friendly name > Next.
34. Fill in your organisation information > Next > Enter country, state and city > Next > Next > Next > Next > Next > Next > Finish > Close.
35. Run step 4 “Start Services” > Next > Finish.
36. Check the service status if you wish.
37. Close the deployment wizard.
Launch “Lync Server control Panel” and Configure
1. Launch the ” Lync Server Control Panel” > Log in with an admin account (created above at step 10).
2. Navigate to Users > Add.
3. Add in your users and assign them to your pool.
Post Install Tasks
1. You need to create a DNS SRV (service location) record so the client can locate the Lync server:
i. Service: _sipinternaltls
ii. Protocol: _tcp
iii. Port number: 5061
iv. Host offering this service: the FQDN of the Lync server.
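The post-install tasks done from the command line, as an added example that is not part of the original article: the SRV record created with dnscmd (present on Server 2008 R2), a check that it resolves the way a client would see it, and the user enabling from the control panel section done in bulk from the Lync Server Management Shell. The names pnl.com, lync.pnl.com, dc1.pnl.com and the AD group ‘Lync Users’ are assumptions.

```powershell
# Added example, not code from the original article. Assumed names: SIP domain pnl.com,
# Lync Standard Edition server lync.pnl.com, AD-integrated DNS server dc1.pnl.com.
$SipDomain = 'pnl.com'
$LyncFqdn  = 'lync.pnl.com'
$DnsServer = 'dc1.pnl.com'

# 1. The SRV record the client uses to find the server: priority 0, weight 0, port 5061 (TLS).
#    Spelling matters; the service label is _sipinternaltls, not _sipintenaltls.
dnscmd $DnsServer /RecordAdd $SipDomain '_sipinternaltls._tcp' SRV 0 0 5061 $LyncFqdn

# 2. Verify from a client's point of view. No answer here means the Lync client cannot
#    auto-discover the server and sign-in fails with "cannot sign in ... server may be unavailable".
$srv = nslookup -type=SRV "_sipinternaltls._tcp.$SipDomain" $DnsServer 2>&1
if ($srv -match $LyncFqdn) { "SRV record resolves to $LyncFqdn" } else { Write-Warning 'SRV record not found' }

# 3. Enable users for Lync in bulk from an AD group, homed on this pool, with SIP addresses
#    of the form sAMAccountName@pnl.com. Users already enabled are skipped.
Import-Module Lync
Get-CsAdUser -LdapFilter '(memberOf=CN=Lync Users,CN=Users,DC=pnl,DC=com)' |
    Where-Object { -not $_.Enabled } |
    Enable-CsUser -RegistrarPool $LyncFqdn -SipAddressType SamAccountName -SipDomain $SipDomain

# 4. Confirm who is enabled and where they are homed.
Get-CsUser | Select-Object DisplayName, SipAddress, RegistrarPool, Enabled
```

The FQDN in the SRV record has to be a name that is on the certificate requested in the deployment wizard, otherwise clients find the server and then reject the TLS handshake.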
Install the ‘Lync Client’ on the client machines.
Related Articles, References, Credits, or External Links
We got some ‘demo stock’ in the office this week, I don’t do a lot of wireless, so I thought I would get it setup and have a look to see how easy/difficult it was.
Hardware used
HP E-MSM720 Premium Mobility Controller (J9694A)
HP E-MSM 430 Wireless N Dual Radio Access Point (J9651A)
HP 2915-8G-PoE Switch (J5692A)
The switch and controller are ‘tiny’, so if you want to put them in a cabinet you will need some ‘big brackets’ (or a shelf). I was disappointed that the controller didn’t have PoE on it (hence the reason we were supplied the switch). I was also disappointed the access point didn’t come with a network cable (seriously, these things are pennies, and if a client buys hundreds of these things, someone will forget they also need an equal number of network cables). In addition they are PoE, so you don’t get a power cable (or power injector), so you can’t even power them on without the network cable. That said, all the gear is typical good quality HP stuff. The documentation consists of a “quick setup sheet” for each piece of hardware, and all the manuals are online. I’m not a fan of manufacturers’ documentation at all, and HP’s is the same as most major vendors’: too long, too complicated and too difficult to find what I’m looking for. I spent half a day reading PDF documents just trying to get the guest network working (a feat I will accomplish below with about three sentences and the same number of pictures!)
1. Connect the controller to your network (Note: Don’t use the two dual personality ports 5 and 6).
2. The controller sets itself up on 192.168.1.1 put yourself on the same network range (see below).
3. Connect to https://192.168.1.1.
4. The MSM720 Default username and password are both admin.
5. Accept the EULA > Skip Registration > Set country > Save > Set the new password > Save.
6. Configure Initial Controller Settings > Start.
7. Set System name > Location > Contact > Login Message > Next > We’ve just set the Password so leave it blank > Next.
8. Enable/disable management interfaces > Next > Configure the network interfaces > Next.
These are allocated as follows, (out of the box!)
And are controlled by these two settings,
9. Set the time and timezone > Next > Apply.
Configure a Corporate WLAN with the E-MSM720 Wireless Controller
1. If not already there, select ‘Automated Workflow’ > Configure a wireless network for employees > Start.
2. Create an SSID > Next > Set the WPA key > Next.
3. Choose which access points to apply these settings to > Next > Apply.
Note: At this point I had not powered on or touched the access points, so I just selected ‘All’.
Configure a ‘Guest’ WLAN with the E-MSM720 Wireless Controller
I had a nightmare getting this running, until I fully understood the VLAN, IP address and interface allocation, but if you set things up as specified above it will just work.
1. Automated Workflows > Create a wireless network for guests > Start.
2. Create and SSID > Next > Configure guest authentication (or leave open) > Set IP Settings for clients > Next.
Setup the HP E-MSM 430 Wireless N Dual Radio Access Point
Well you have already done all the work! Simply connect the AP to a POE capable network outlet.
By default the AP is in ‘Controlled’ mode, so it will start looking for a controller as soon at it powers on, it can take a little while to boot (go get a coffee), you will see it appear in the controllers web interface when its pulled its configuration down.
Updating Firmware on the MSM720 and MSM430
Very slick! update the firmware package on the controller, and it will update all the access points for you.
Final thoughts
This is good quality gear; it has built-in support for IPsec, SSL, RADIUS and a myriad of other features that you would expect to find on an enterprise class wireless solution. HP might be concerned by their lack of wireless sales, but they could make the experience with these things better by making the web interface easier to navigate (ask someone who has never used it before to delete a wireless network! It took me over 90 minutes to locate the VSC bindings section to remove one). I’ve already mentioned the documentation; I appreciate that it needs to be comprehensive, but come on!
Related Articles, References, Credits, or External Links
Private SSID will be on the normal corporate LAN (in this case 172.16.254.0/24).
Public SSID will get its IP addressing from the controller’s DHCP server (10.220.0.0/16).
The wireless traffic will traverse the corporate LAN (after being NATed on the controller) as 10.210.0.0/16.
My LAN DNS servers are 172.16.254.1 and 172.16.254.2.
Solution
HP Switch Configuration.
1. The switch must be performing LAN routing; if the LAN’s default gateway is currently the firewall, that needs rectifying first (here 172.16.254.200 is the firewall).
[box]ip routing
ip route 0.0.0.0 0.0.0.0 172.16.254.200[/box]
2. Give the switch a DNS server to use;
[box]ip dns server-address priority 1 172.16.254.1[/box]
3. Declare a VLAN for the guest traffic (210), name it, and give it an IP address (the mask must match the /16 the controller uses, not a /24) > Add a port (A1) to that VLAN, which will connect to the Internet port of the MSM controller (port 5).
[box]vlan 210
name WIRELESS-TRAFFIC
ip address 10.210.0.1 255.255.0.0
untagged A1[/box]
4. Tag this VLAN on the ‘inter switch’ link(s) from the core switch to the firewall/perimeter device (the tagged command is entered inside the VLAN context).
[box]vlan 210
tagged D24[/box]
5. Save the switch changes with a write mem command.
Configure the Cisco ASA To Allow the Wireless Traffic out.
Actions for different firewall vendors will vary, but you need to achieve the following:
Make sure that a client on the 10.210.0.0/16 network can get access to the Internet.
To do that you will need to:
Make sure that the 10.210.0.0/16 network has HTTP and HTTPS access allowed outbound on the firewall.
Make sure that 10.210.0.0/16 is getting NATed through the firewall to the public IP address.
Make sure the firewall has a route back to 10.210.0.0/16 via the core switch (unless the firewall itself has an interface in VLAN 210), or the return traffic never reaches the controller.
1. Connect to the firewall > Allow the wireless traffic out.
[box]access-list outbound extended permit ip 10.210.0.0 255.255.0.0 any[/box]
Note: this permits ALL IP traffic from the guest range; you might prefer to allow only web browsing (a port match needs tcp rather than ip, and www is the ASA’s name for port 80);
[box]access-list outbound extended permit tcp 10.210.0.0 255.255.0.0 any eq www
access-list outbound extended permit tcp 10.210.0.0 255.255.0.0 any eq https[/box]
Note 2: This also assumes you have an ACL called outbound applied to the inside interface for traffic destined outbound (show run access-group will tell you). Remember that guests also need DNS unless the controller is intercepting and answering it for them (see DNS interception in the controller setup below).
2. Perform NAT on the new wireless outbound traffic.
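One way to complete step 2, as an added example that is not the article’s own configuration. It uses ASA 8.3 or later object NAT syntax and assumes the interface names inside and outside, and a core switch VLAN 1 address of 172.16.254.254 for the return route (the article does not give the switch’s LAN address, so substitute yours). 10.210.0.0/16 and the ACL name outbound are from the article.

```text
! Added example, not from the original article: ASA 8.3+ object NAT for the guest range.
! inside/outside are assumed interface names; 10.210.0.0/16 and 'outbound' come from the article.
object network WIRELESS-GUEST
 subnet 10.210.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
!
! Guests need DNS as well as web, unless the MSM controller is intercepting and answering
! DNS for them (enabled later under the controller's DNS settings).
access-list outbound extended permit udp 10.210.0.0 255.255.0.0 any eq domain
!
! Make sure the ACL is actually applied to the inside interface (show run access-group).
access-group outbound in interface inside
!
! Return route to the guest range via the core switch (172.16.254.254 is an assumed address;
! use the switch's VLAN 1 IP), unless the ASA has an interface of its own in VLAN 210.
route inside 10.210.0.0 255.255.0.0 172.16.254.254
!
! Check before plugging a laptop in: trace a guest web request through ACL, route and NAT.
! 198.51.100.10 is a documentation address standing in for any Internet host.
packet-tracer input inside tcp 10.210.0.50 12345 198.51.100.10 80
```

On ASA versions before 8.3 the NAT is written the old way, as a nat (inside) 1 10.210.0.0 255.255.0.0 statement paired with global (outside) 1 interface; the ACL, access-group and route lines are the same.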
3. At this point plug a PC/laptop into the core switch (port A1) and make sure you can get Internet access (you will need a static IP in the 10.210.0.0/16 range, with 10.210.0.1 as the gateway).
Configure the HP MSM 720 Controller
MSM 720 Initial Setup and IP Addressing.
1. Connect to the MSM720 controller (port 1) on 192.168.1.1 (username admin, password admin).
2. Go through the initial setup > Stop when you get to the Automated Workflows screen (simply press Home).
3. Setup Access Network: Home > Network > Access Network > Set the Addressing and Management IP addresses like so;
Addressing 172.16.254.115/24
Management address 172.16.254.116/24
Save.
Note: There’s two because you can separate the management traffic off to another subnet if you wish.
4. Connect Port 1 on the MSM controller to ANY normal port on the Switch (which will be untagged in VLAN 1) >Then connect to the Controller on its new IP https://172.16.254.115.
5. Setup Internet Network: Home > Network > Internet Network > Static.
6. Configure > IP = 10.210.0.2 > Address Mask 255.255.0.0 > Save (don’t worry if you get a warning about DNS).
7. Connect Port 5 on the MSM to Port A1 on the switch (the one you untagged in VLAN 210).
8. Setup DNS: Home > Network > DNS > Enter the primary and secondary LAN DNS servers (172.16.254.1 and 172.16.254.2).
9. Tick DNS Cache > Tick DNS Switch over > Tick DNS interception > Save.
10. Setup Default Route: Home > Network > IP Routes > Add.
11. Enter 10.210.0.1 with a Metric of 1 > Add.
12. Setup DHCP (Note: you will create the scope later)
Obviously only complete this step if you want the Controller to act as a DHCP server for your ‘Public’ Wireless network.
13. Enter the domain name > Change the lease time to 1500.
Note: At this point it automatically fills in DHCP Settings (these will NOT be used don’t panic!)
14. REMOVE the tick from ‘Listen for DHCP requests’ on ‘Access Network’.
15. MAKE SURE there is a tick in the ‘Client data tunnel’ box > Save.
HP MSM 720 Configure Wireless Access Public and Private
For this procedure we will rename the default VSC which is called HP.
1. Home > Controller (on the left) > VSCs > HP > Change the profile name for HP to “Private” > Untick Authentication > Untick Access control.
2. Change the SSID from HP to ‘Private’ > Tick Broadcast Filtering.
3. Ensure Wireless security filters is unticked.
4. Tick Wireless Protection > Set the mode to WPA2 (AES/CCMP) > Change Key Source to ‘Preshared Key’ > Enter and confirm the WPA Password > Save (at the bottom of the screen).
5. Setup Public/Guest VSC: Home > VSC’s > Add New VSC Profile.
6. Set the profile name to ‘Public’ > MAKE SURE authentication and access control ARE ticked.
7. Change the SSID to Public > Tick broadcast filtering.
8. Change Allow Traffic between wireless clients to NO > Expand Client Data Tunnel > Tick ‘always tunnel client traffic’.
9. Ensure Wireless Protection is unticked (this is an open SSID: guest traffic is unencrypted over the air, and the HTML login, if you enable it, only gates access to the network).
10. If you require HTML based logins, tick that (Note: You will need to create a user later, if you enable this).
11. If using the controller for DHCP > Enable the DHCP Server and specify;