VMware Unified Access Gateway: Horizon Deployment

KB ID 0001605

Problem

With older versions of Horizon View, we simply deployed another Connection Server and called it a Security Server. The drawback of that is that it requires another Windows licence. You can now deploy VMware UAG (Unified Access Gateway) instead; try to think of it as a ‘Netscaler for VMware’, and like other VMware solutions it’s a small appliance built on VMware’s ‘Photon’ Linux.

Below is a typical deployment; it shows the ports you will be required to open on your firewall to make this work;

You can deploy multiple UAGs and have them behind a load balancer, or point individual UAGs to separate Horizon Connection Servers. Here I’m simply deploying one internal Horizon Connection Server, and one VMware UAG in my DMZ.

Step 1: Deploy the UAG Appliance

I’ve covered deploying OVA files before, but essentially download the OVA, and within your vSphere client select deploy OVF template. Navigate to, and select the OVA file you have downloaded from VMware > Next.

Select your Datacenter and optionally folder > Next.

Pick where you want to deploy the appliance (Cluster etc.) > Next.

Review your settings > Next.

I’m deploying into a DMZ so there will be no shortcutting the firewall! > Single NIC > Next.

Select the storage you want to deploy the appliance to > Next.

Confusingly, (as we have picked single NIC?) set them all to the correct port group > Next.

Specify the IP address > Scroll down.

Complete the DNS and IP settings > Give the appliance a name > scroll down.

Untick CEIP > Set the admin, (needed for the web front end), and root (needed for console login) passwords.

Select the edition to deploy (based on your licence) > Next.

Review the settings > Finish.

Step 2: UAG Pre Configuration Tasks

To allow users to access Horizon machines externally, you need to ensure you have granted Remote Access Rights in Horizon Administrator. Note: This is in addition to any Entitlements you have already set up for the machine pools.

Take a copy of the thumbprint from the Horizon Connection Server you will be pointing the UAG at, and keep it handy; you will need it in a minute.

Optionally

If your UAGs are going into a DMZ there’s a chance that they won’t be able to resolve internal domain names, (you can specify internal IP addresses of course). I prefer to enter the names/FQDNs of my connection servers in the appliance’s hosts file, so they can be resolved. Log into the console as root;

[box]

vi /etc/hosts

[/box]

If you’re unsure how to use vi, (i.e. you don’t wear sandals, or have a ginger ponytail.) Press i (insert) > make your changes > Press Esc > Type :wq {Enter}.

Step 3: Configure UAG for Horizon

Connect to the UAG with a web browser (https://{ip-address}:9443) > Login with the admin account > ‘Configure Manually’.

Optional: Add Certificate

If you have a publicly signed certificate, the easiest way to import it is with a PFX file and a password, (use the search box above, I’ve covered creating PFX files many times). You need to go to Advanced Settings > TLS Server Certificate Settings > Select admin and internet interfaces, (as required) > Browse to the PFX file and enter the password you set, (for the pfx file!) > Save.

General Settings > Edge Service Settings > SHOW > Horizon Settings > Enable Horizon > Save.

Enter the URL of the internal Connection Server, and the thumbprint you took note of, (above) > Enable PCoIP.

Set the external PCoIP URL to the external IP of the UAG, (or the load balancer if using one) and add :4172 to the end. Enable Blast > Set the public URL of the UAG, (or load balancer if using one) and add :443 to the end. Enable Tunnel, and set the same URL again with :443 on the end. If you want to, open the ‘more options’ section and take a look at the optional settings, though I’m leaving everything else on the default settings > Save.

Have a cup of coffee, refresh the page a few times > Log off and back on again, and hopefully all the options should ‘go green‘. If not, check the firewall ports, and make sure the UAG can resolve the name of the connection server.
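The thumbprint you copied in Step 2 and the ‘can the UAG resolve and reach the Connection Server’ check above can both be done from a host in the same DMZ as the UAG with the following PowerShell. This is an added example, not code from the article or from VMware; the Connection Server name is a placeholder, and the ‘sha1=’ prefixed, space-separated value it prints is the format I assume the UAG thumbprint field expects (compare it with the admin guide for your UAG version).

```powershell
# Added example (not from the article): confirm a DMZ host can resolve and reach the
# Horizon Connection Server on TCP/443, then read the certificate it presents and print
# the thumbprint in the form the UAG 'Connection Server thumbprint' field expects.
# The server name below is an assumed placeholder.
param(
    [string]$ConnectionServer = 'horizon-cs01.domainname.internal',   # placeholder FQDN
    [int]$Port = 443
)

# 1. Name resolution: a UAG in a DMZ that cannot resolve the name never 'goes green',
#    which is why the article adds the name to /etc/hosts.
try {
    $addresses = [System.Net.Dns]::GetHostAddresses($ConnectionServer)
    Write-Host "Resolved $ConnectionServer -> $($addresses.IPAddressToString -join ', ')"
} catch {
    throw "DNS lookup failed for $ConnectionServer (fix DMZ DNS or the UAG hosts file)"
}

# 2. TCP reachability on the port the UAG uses towards the Connection Server.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($ConnectionServer, $Port)
} catch {
    throw "TCP $Port to $ConnectionServer is blocked (check the DMZ-to-inside firewall rule)"
}

# 3. TLS handshake. The validation callback always returns $true because we want to see
#    whatever certificate is presented, self-signed or not; nothing sensitive is sent.
$accept = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors) $true
}
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
try {
    $ssl.AuthenticateAsClient($ConnectionServer)
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose()
    $tcp.Dispose()
}

# 4. X509Certificate2.Thumbprint is the SHA-1 hash as 40 hex characters with no separators;
#    the UAG field wants 'sha1=' followed by hex pairs separated by spaces.
$spaced = $remote.Thumbprint -replace '(.{2})(?!$)', '$1 '
[pscustomobject]@{
    Subject       = $remote.Subject
    NotAfter      = $remote.NotAfter
    UagThumbprint = "sha1=$spaced"
}
```

If the script fails at step 1 or 2 the UAG will fail the same way, so fix DNS or the firewall rule before touching the Horizon settings page again.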

Over in Horizon Administrator > Select each internal connection server and remove ‘Secure Tunnel‘, PCOIP Secure Gateway, and select ‘Do not use Blast Secure Gateway‘ > OK.

You can register the UAGs in the Gateway section, but you won’t see anything change until they have been used ‘in anger’.

You can now test externally by trying to connect with a Horizon Client.

Related Articles, References, Credits, or External Links

NA

Load Balance IIS with Microsoft ARR

KB ID 0001573

Problem

If you have a lot of IIS servers, and want to load balance between them, then you can either buy a load balancer, or use Microsoft ARR (Application Request Routing). Note: ARR does a lot more than simply load balancing, e.g. it can perform caching, and complex web routing, and even SSL offloading. Here we are just looking at load balancing.

I’m going to deploy TWO ARR servers in my DMZ, here I’ve got two ‘back-end’ IIS web servers, (you may have many more.)

WHY ARR?: Rather than use WAP (Web Application Proxy,) or a connection broker, ARR is application aware, i.e. it WON’T attempt to serve pages from a broken IIS server, e.g. if the host server is online but the site in IIS is broken.

WHY TWO?: Well, we are talking about balancing and availability; I’m deploying two so that in the event one fails, the other one will still be online. You can have these running on different hypervisors, or even in different datacenters, for added resiliency.

Deploy Network Load Balancing (NLB)

Our first task is to deploy NLB; this will create a ‘Virtual IP’ for both of the ARR servers to use.

NLB is a ‘Feature‘; to enable it, launch Server Manager > Manage > Add Roles and Features > Next > Next > Next > Next > Tick ‘Network Load Balancer‘ > Next > Next > Finish.

Launch ‘Network Load Balancing Manager’.

New Cluster.

Add in the first host > Connect > Next.

Check the IP > Next.

Add a ‘Cluster IP’, (this is the IP that you will connect to for services), and is the ‘Shared’ IP > OK > Next.

Next.

Next.

Repeat the procedure to add the additional IP(s).

You will need to make sure the NLB IP is ‘publicly available,’ and open HTTP/HTTPS as required. Also the ARR hosts will need HTTP/HTTPS (as required) open to the internal IIS servers. I usually test all that at this point.

Deploy ARR and ‘URLRewrite’ for Load Balancing

ARR and URL Rewrite are both IIS components, but you don’t need to install IIS yourself. You can if you wish, and then install URL Rewrite THEN ARR (in that order!), but it’s much simpler to download and use the ‘IIS Web Platform Installer‘.

Launch the Web Platform Installer, and do a search for URL > Select URL Rewrite > Add > Repeat the process, searching for ARR, and add Application Request Routing version 3, (Not the 2.5 version at the top!) > Next > Follow the wizard and complete the install.

Launch IIS Manager > Now you will see you have a new option ‘Server Farm‘ > Create Server Farm.

Give your server farm a name > Next > Add in all the ‘Back-end’ IIS servers > Finish.

You will get a pop-up asking if you want to create a URL rewrite rule. In this case we want a simple rewrite rule as we are doing plain old load balancing and we have no special requirements, so Select YES. (Only click No if you have specific rewrite requirements and you want to set them up manually).

Now test externally. WARNING: don’t expect the page to ‘flip over’ every time; remember ARR is caching these web requests, and your browser will also be performing web page caching. Use a couple of browsers and wait a minute or two between refreshes to make sure that all the web servers are being used!
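A scripted version of that test, added here and not part of the article: it requests the page through the NLB virtual IP a number of times with a unique query string and no-cache headers, so neither ARR’s cache nor a browser cache can hide a back-end that is never used, and tallies which server answered. It assumes the URL and the back-end names are placeholders for yours, and that each back-end’s test page contains a ‘Served by <hostname>’ line so a response can be attributed to a server.

```powershell
# Added example (not the article's code): hit the ARR/NLB front end repeatedly with
# caching defeated and count which back-end IIS server answered each request.
# Assumptions: the URL is a placeholder for your NLB cluster IP or public name, the
# back-end names are placeholders, and each back-end's test page contains the text
# 'Served by <its hostname>' so responses can be attributed to a server.
$Url      = 'https://www.domainname.com/'
$Expected = 'WEB01', 'WEB02'
$Requests = 20
$Pattern  = 'Served by (\S+)'

$hits = @{}
for ($i = 1; $i -le $Requests; $i++) {
    # A fresh query string makes each request a cache miss for ARR's disk cache (it keys
    # on the full URL); the headers cover caches that honour Cache-Control/Pragma.
    $resp = Invoke-WebRequest -Uri "${Url}?nocache=$([guid]::NewGuid())" -UseBasicParsing `
                -Headers @{ 'Cache-Control' = 'no-cache'; 'Pragma' = 'no-cache' }
    $server = if ($resp.Content -match $Pattern) { $Matches[1] } else { 'unidentified' }
    $hits[$server] = 1 + [int]$hits[$server]
    Start-Sleep -Milliseconds 250
}

"Responses per back-end over $Requests requests:"
$hits.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize

# A back-end that never answered is either marked unhealthy by ARR or not in the farm.
$missing = $Expected | Where-Object { -not $hits.ContainsKey($_) }
if ($missing) { Write-Warning "No responses seen from: $($missing -join ', ')" }
```

Run it from outside the DMZ so the request path (firewall, NLB, ARR, back-end) is the one your users will take.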

Related Articles, References, Credits, or External Links

NA

Presenting Exchange 2019 With WAP and ADFS

KB ID 0001546

Problem

I’ve used WAP (Web Application Proxy) to present Remote Desktop Services before, but never for Microsoft Exchange. It came up as a possible requirement for a client this week, so I thought I’d work it out on the bench. Here’s the topology;

Exchange: Exchange 2019 Standard

Server OS: Server 2019 Datacenter

Solution – Step 1 Deploy ADFS

If you are going to use ‘self signed’ certificates then, before you deploy ADFS, (Active Directory Federation Services,) you will want to deploy Certificate Services. Here I’m going to use a self signed wildcard certificate. In production however, I would suggest you use a wildcard certificate signed by a public CA. (Click the Certificate link above).

To deploy ADFS simply follow the steps in this article;

Deploy Active Directory Federation Services

Solution – Step 2 Configure ADFS for OWA and ECP

Exchange provides a few ‘web’ services; Outlook Web App and the Exchange Control Panel (Exchange Administration Centre) are ‘tied’ together and need to be presented in the same way, so we will cover them first.

IMPORTANT: You need to change OWA and ECP together, BE AWARE that means your Exchange Administration panel will be secured by ADFS, (and ADFS ONLY!) So you may need to change the way you do Exchange administration, (or leave one Exchange server without ADFS secured ECP for internal management).

So you create the ‘trusts’ for OWA and ECP in ADFS, then the WAP server will use those ‘trusts’. CARRY OUT THE FOLLOWING PROCEDURE TWICE, once for OWA, and once for ECP.

Open the ADFS management console > Relying Party Trusts > Add Relying Party Trust > (With ‘claims aware’ selected) > Next.

Enter data about the relying party manually > Next.

Give the trust a name e.g. ‘Outlook Web App’ > Next.

Next

Enter the URL for OWA (with a trailing slash) e.g. https://mail.domainname.com/owa/

Permit everyone > Next.

Next

Close.

NOW REPEAT THE ABOVE PROCEDURE FOR ECP (https://mail.domain.com/ecp/)

ADFS Create “Claims Issuance Policies”

Why are you doing this? This allows you to connect to the WAP server and enter your username and password ONCE. To enable you to only supply usernames and passwords once, you need two things: 1) Claims Issuance Policies, that can query AD and collect your UPN and check your password, and 2) Exchange set to allow ADFS authentication, (instead of the usual basic and ‘forms based’ authentication it uses for OWA and ECP out of the box).

AGAIN CARRY THIS PROCEDURE OUT TWICE, ONCE FOR OWA AND ONCE FOR ECP

From ADFS Management > Relying Party Trusts > Select your OWA Trust > Edit Claim Issuance Policy > Add Rule.

Select ‘Send claims using a custom rule’ > Next.

Claim Rule Name: AD-User

Custom Rule:

[box]

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param = c.Value);

[/box]

Click ‘Finish’.

Add a second rule > Again choose ‘Send Claims Using a Custom Rule’ > Next.

Claim Rule Name: AD-UPN

Custom Rule:

[box]

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

[/box]

Click ‘Finish’.

You should end up with something like this;

NOW REPEAT THIS PROCEDURE FOR THE ECP
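Both relying party trusts and both claim rules can be created in one go with the ADFS PowerShell module, which guarantees the OWA and ECP trusts end up identical. This is an added example, not the article’s own code; it uses the article’s mail.domainname.com placeholder URLs and the two custom rules exactly as shown above, and expresses the wizard’s ‘Permit everyone’ choice as the authorization rule that choice generates.

```powershell
# Added example (not the article's code): create the OWA and ECP relying party trusts
# and attach both custom claim rules from the article to each, so the 'do it twice'
# steps are done identically. Run as an ADFS administrator on the ADFS server.
# The mail.domainname.com URLs are the article's placeholders.
Import-Module ADFS

# Relying party identifier and WS-Federation endpoint are the OWA/ECP URL with trailing slash.
$trusts = [ordered]@{
    'Outlook Web App'        = 'https://mail.domainname.com/owa/'
    'Exchange Control Panel' = 'https://mail.domainname.com/ecp/'
}

# Issuance transform rules, exactly as in the article (AD-User, then AD-UPN).
$transformRules = @'
@RuleName = "AD-User"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param = c.Value);

@RuleName = "AD-UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# The wizard's 'Permit everyone' choice, as the authorization rule it generates.
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

foreach ($name in $trusts.Keys) {
    $url = $trusts[$name]
    if (Get-AdfsRelyingPartyTrust -Name $name -ErrorAction SilentlyContinue) {
        Write-Host "Trust '$name' already exists; skipping"
        continue
    }
    Add-AdfsRelyingPartyTrust -Name $name `
        -Identifier $url `
        -WSFedEndpoint $url `
        -IssuanceTransformRules $transformRules `
        -IssuanceAuthorizationRules $authorizationRules
    Write-Host "Created relying party trust '$name' for $url"
}

# Review the result; both trusts should show the same two transform rules.
Get-AdfsRelyingPartyTrust |
    Where-Object { $trusts.Contains($_.Name) } |
    Select-Object Name, Identifier, WSFedEndpoint, IssuanceTransformRules |
    Format-List
```

The identifier URLs here are the same values that go into -AdfsAudienceUris on the Exchange side in Step 4, trailing slash included; if they differ, ADFS will issue tokens that Exchange rejects.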

Solution – Step 3 Deploy and Configure WAP

Firewall Requirements

  • The WAP server either needs a static public IP address that is registered in public DNS for the URLs you will be pointing at it, or HTTPS port forwarding from the firewall’s outside IP address to the internal IP of the WAP server, (if you don’t have spare public IP addresses).
  • WAP Server requires TCP Port 443 (HTTPS) open TO it from the outside world.
  • WAP Server requires TCP Port 443 (HTTPS) open FROM it to BOTH the exchange server and the ADFS Server.

Installing Web Application Proxy

To be honest, this is pretty simple; the server itself does not have to be a domain member (which is good for a DMZ server!). For production I’d disable the local administrator account and harden the server somewhat also. Make sure you have a copy of your wildcard certificate on this server also.

Server Manager > Manage > Add Roles and Features > Next > Next > Next > ‘Remote Access’ > Next > Next > Next > “Web Application Proxy” > Next > Install

Or use the following PowerShell;

[box]

Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

[/box]

Launch the post deployment configuration wizard > Next.

Enter the FQDN of your ADFS Server, and administrative credentials > Next > Select Your Wildcard Certificate > Next.

Configure > Close.

All being well the Remote Access management console should open and should show ‘All Green’ on the Operational Status.

Configure Web Application Proxy for OWA and ECP

Navigate to > Configuration > Web Application Proxy > Publish > Next.

Select Active Directory Federation Services > Next > Select ‘Web and MSOFBA’ > Next.

Select the ‘Relying Trust’ object that WAP can see for Outlook Web app > Next > Give the Published Rule a Name > Set the Public URL > Select the wildcard certificate > Set the Backend URL > Next.

Publish > Close.

REPEAT TO PUBLISH ECP

When you have finished it should look something like this;


Solution – Step 4 Configure Exchange for ADFS Authentication

Your Exchange server needs a copy of the ADFS signing certificate. This is a ‘self signed’ certificate created on the ADFS server itself; you can find it here;

By default this certificate only lasts a year, and will need to be manually imported onto Exchange; you can change the certificate duration by using the following PowerShell and changing the Day value, (in this example to three years).

Exporting the ADFS Signing Certificate

With the certificate selected, navigate to the ‘Details‘ tab > Copy to File > Follow the instructions, (accept the defaults).

Importing the ADFS Signing Certificate Into Exchange

Physically copy the exported certificate to the Exchange server, and double click it > Install Certificate > Local Machine > Next > Place Into the Following Store > Trusted Root Certification Authorities > Next > Finish.

Now the certificate has been imported you need to get its thumbprint: open an Exchange Management Shell and issue the following command, locate the ADFS certificate and copy its thumbprint to the clipboard.

[box]

Set-Location Cert:\LocalMachine\Root; Get-ChildItem | Format-List FriendlyName,Subject,Thumbprint

[/box]


Set that certificate as the ADFS certificate for your mail organisation with the following command;

[box]

Set-OrganizationConfig -AdfsIssuer https://{ADFS-FQDN}/adfs/ls/ -AdfsAudienceUris "{OWA-URL}","{ECP-URL}" -AdfsSignCertificateThumbprint "{Thumbprint}"

[/box]

Finally you need to set the OWA and ECP virtual directories to accept ADFS authentication, then restart the IIS services, to make the changes take effect.

[box]

Set-EcpVirtualDirectory -Identity "EX-SERVER\ecp (Default Web Site)" -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false


Set-OwaVirtualDirectory -Identity "EX-SERVER\owa (Default Web Site)" -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false  -WindowsAuthentication $false

net stop was /y

net start w3svc

[/box]
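The whole of Step 4 can be scripted so the thumbprint is never copied by hand. This is an added example, not the article’s code: Export-AdfsTokenSigningCert runs on the ADFS server, the .cer file is copied across, and Set-ExchangeAdfsTrust runs in the Exchange Management Shell. The adfs/mail host names, EX-SERVER and the C:\Temp path are placeholders; the URLs and the virtual directory settings follow the article.

```powershell
# Added example (not the article's code): Step 4 as two functions. Run
# Export-AdfsTokenSigningCert on the ADFS server, copy the .cer file to Exchange, then run
# Set-ExchangeAdfsTrust in the Exchange Management Shell. The ADFS/mail names, EX-SERVER
# and the C:\Temp path are placeholders; the URLs follow the article.

function Export-AdfsTokenSigningCert {
    param([string]$Path = 'C:\Temp\adfs-token-signing.cer')
    Import-Module ADFS
    # Exchange must trust the primary token-signing certificate, the one ADFS currently
    # signs with; a secondary one appears during automatic rollover.
    $signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
    Export-Certificate -Cert $signing.Certificate -FilePath $Path -Type CERT | Out-Null
    # Optional, per the article: make future auto-generated signing certificates last three
    # years instead of one. Takes effect at the next rollover, not for the current certificate.
    # Set-AdfsProperties -CertificateDuration 1095
    [pscustomobject]@{
        Thumbprint = $signing.Certificate.Thumbprint
        NotAfter   = $signing.Certificate.NotAfter
        File       = $Path
    }
}

function Set-ExchangeAdfsTrust {
    param(
        [string]$CerPath  = 'C:\Temp\adfs-token-signing.cer',
        [string]$AdfsFqdn = 'adfs.domainname.com',
        [string]$OwaUrl   = 'https://mail.domainname.com/owa/',
        [string]$EcpUrl   = 'https://mail.domainname.com/ecp/',
        [string]$ExServer = 'EX-SERVER'
    )
    # Same store the article's GUI import uses; Import-Certificate returns the certificate,
    # so the thumbprint never has to be copied by hand.
    $cert = Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Root

    Set-OrganizationConfig -AdfsIssuer "https://$AdfsFqdn/adfs/ls/" `
        -AdfsAudienceUris $OwaUrl, $EcpUrl `
        -AdfsSignCertificateThumbprint $cert.Thumbprint

    # ADFS only on both virtual directories; OWA and ECP have to change together.
    foreach ($vdir in 'owa', 'ecp') {
        $params = @{
            Identity              = "$ExServer\$vdir (Default Web Site)"
            AdfsAuthentication    = $true
            BasicAuthentication   = $false
            DigestAuthentication  = $false
            FormsAuthentication   = $false
            WindowsAuthentication = $false
        }
        if ($vdir -eq 'owa') { Set-OwaVirtualDirectory @params } else { Set-EcpVirtualDirectory @params }
    }

    net stop was /y | Out-Null
    net start w3svc | Out-Null

    # Read back what Exchange now trusts; the thumbprint should match the exported one.
    Get-OrganizationConfig | Select-Object AdfsIssuer, AdfsAudienceUris, AdfsSignCertificateThumbprint
}
```

Compare the Thumbprint returned by the export function with AdfsSignCertificateThumbprint in the final output; a mismatch means Exchange is trusting an old signing certificate and every OWA login will fail after the next ADFS certificate rollover.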


In PART TWO we will publish Outlook Anywhere, Active Sync, EWS, OAB, MAPI and Autodiscover.

Related Articles, References, Credits, or External Links

NA

RSA SecurID Error – ‘106: The Web server is busy. Please try again later’

KB ID 0000975 

Problem

Not the most descriptive of errors! In fact this has got nothing to do with the busyness of the web server at all.

Solution

What’s actually happening is the RSA agent on this machine (in this case a web server) cannot communicate with the RSA Authentication Manager. In my case the web server was in a DMZ, and the RSA Authentication Manager Appliance was in another DMZ. The ports required (TCP 5500, UDP 5500, and TCP 5580) were not open from the agent to the appliance. Once I fixed that, we were up and running.

Related Articles, References, Credits, or External Links

NA

PowerShell Web Access

KB ID 0001036

Problem

One of my goals for this year is to become more proficient with PowerShell. During my studies I came across PowerShell Web access and thought it was so cool, I’d have a play with it.

What is PowerShell Web Access?

It’s a web service that runs on a Server 2012 IIS web server. It lets you connect remotely to that host (via https) and then launch a secure PowerShell connection to any machine in your network. So by deploying a secure bastion host in your DMZ you can manage your infrastructure via PowerShell; you don’t even need to have PowerShell on your remote machine, (as demonstrated below) and that machine does not even have to be Windows. It just needs a browser that can run JavaScript and can accept cookies.

You Expect Me to Open All My Servers To Remote Management?

In a word, yes. In fact if you have Server 2012 or newer they already are, and if you have not already enabled the Windows Remote Management service on your legacy machines, DO SO! If not, all the modern domain management tools will gradually stop working. As far as Microsoft is concerned PowerShell is the tool that all the management tools will be built on.

In fact if you are a security conscious type, you probably already have domain services in your DMZ, think of this as a secure ‘reverse-proxy’, whose traffic is secured by SSL and Kerberos.

Solution

Setting Up PowerShell Remote Access

1. PowerShell Web Access is a ‘Windows feature’; add it with the following command;

[box]

Add-WindowsFeature WindowsPowerShellWebAccess

[/box]

2. Now it’s available you can install it like so;

[box]

Install-PswaWebApplication

Note: My target server is already running IIS and has a certificate binding for https; yours probably does not. If so, generate a self-signed certificate and assign it like so;

Install-PswaWebApplication -UseTestCertificate

Obviously in production replace this certificate with either a publicly signed one, or one from your own PKI environment.

[/box]

3. Now you need to allow access, the following allows all users to all machines to do everything (Note: I would not recommend this for a production environment, see next step).

[box]Add-PswaAuthorizationRule * * *[/box]

4. As I said above, let’s be a little more secure. I’ve created a computer group for my target computers, and a user group for my remote PowerShell admins. As above, I’ve not filtered what the users can do; you could give granular remote access to different levels of administrative groups using this, if that’s a requirement see this article.

[box]

Add-PswaAuthorizationRule -ComputerGroupName petenetlivePSComputers -UserGroupName petenetlivePSAdmins -ConfigurationName *

[/box]

5. So now if you connect to the server over https, (it creates a virtual directory called pswa) so we will need to go to https://{ip address or hostname}/pswa.

PowerShell Web Access – It Doesn’t Work!

If at this point there’s a problem, ensure the server and the client you are trying to connect to have comms, (can they ping each other by name and IP?). Most importantly, the machine you need to connect to needs to have WinRM running and its firewall configured properly.

Configure Windows Remote Management for a Single Host

From an elevated command prompt execute the following command and follow the on-screen prompts;

[box]WinRM QuickConfig [/box]

Configure Windows Remote Management via Group Policy

A better approach would be to configure your hosts via GPO. You can find the correct GPO at;

[box]

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service > Allow remote server management through WinRM
On Server 2008 R2 and older the policy will be called 'Allow automatic configuration of listeners'

[/box]

Enable the policy and select which networks you want to allow remote connections from, above I’ve simply used asterisks to denote ‘all addresses’.

Providing all is well, you should have PowerShell access.
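A scripted check for the things the ‘It Doesn’t Work!’ section names (name resolution, the WinRM port being open, and WinRM actually answering), added here and not part of the article: it walks the members of the petenetlivePSComputers group from step 4, tests each one from the PSWA gateway, and then lists the PSWA rules in force. It assumes the RSAT ActiveDirectory module is on the gateway and that WinRM listens on its default HTTP port, 5985, which is what WinRM QuickConfig and the GPO above set up.

```powershell
# Added example (not the article's code): from the PSWA gateway, check every computer in
# the petenetlivePSComputers group (the article's group name) for the things that make a
# session fail: name resolution, TCP 5985 (WinRM over HTTP, the default listener that
# WinRM QuickConfig and the GPO open), and a WS-Man identify response. Then list the
# PSWA authorization rules in force.
Import-Module ActiveDirectory

function Test-PswaTarget {
    param([Parameter(Mandatory)][string]$ComputerName)
    $result = [ordered]@{ Computer = $ComputerName; Resolves = $false; Port5985 = $false; WinRM = $false }
    try { [void][System.Net.Dns]::GetHostAddresses($ComputerName); $result.Resolves = $true } catch {}
    if ($result.Resolves) {
        $result.Port5985 = (Test-NetConnection -ComputerName $ComputerName -Port 5985 `
                               -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    if ($result.Port5985) {
        # Test-WSMan talks to the listener itself; a firewall-open port with the WinRM
        # service stopped passes the TCP test but fails here.
        try { [void](Test-WSMan -ComputerName $ComputerName -ErrorAction Stop); $result.WinRM = $true } catch {}
    }
    [pscustomobject]$result
}

$targets = Get-ADGroupMember -Identity 'petenetlivePSComputers' -Recursive |
           Where-Object objectClass -eq 'computer' |
           Select-Object -ExpandProperty Name
$targets | ForEach-Object { Test-PswaTarget -ComputerName $_ } | Format-Table -AutoSize

# The rules PSWA evaluates at login; a target not covered by a rule is refused even
# when WinRM is fine, which is the other common cause of 'it doesn't work'.
Get-PswaAuthorizationRule | Format-Table RuleName, User, Destination, ConfigurationName -AutoSize
```

A row showing Resolves and Port5985 as True but WinRM as False points at the service or the GPO rather than the firewall; all three False points at DNS.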


PowerShell from an Apple IOS Device (iPad shown)

PowerShell from an Android Device (Samsung Note shown)

Related Articles, References, Credits, or External Links

NA

Publishing Exchange OWA using ISA

KB ID 0000090 

Problem

Those of you who know me will know that Cisco ASA is my weapon of choice in the firewall department. Now before the ISA brigade start emailing me telling me about “Application Layer Inspection” etc etc, that’s not because I think the ASA is better, cheaper or more effective, but because it’s “What I know”.

To be honest I’ve not installed ISA since version 2000, where what I really needed was MS Proxy 2.0 (now there was a product that did exactly what it said on the “Tin”), and that was a horrible experience which left me averse to ever using ISA again. However I accept that version 2004/2006 is a damn good firewall.

So the other day when I was asked “Can we publish Outlook Web Access, on an ISA Server, that will be in the DMZ of a PIX?” I inwardly groaned, and despite me suggesting every possible other way of doing it, I bit the bullet and disappeared to the test bench with a copy of ISA and a large coffee.

Before you start !

OK, obviously we want to do this securely using SSL (that’s 128bit encryption) which means we need to use Certificates. Before you all glaze over or run away, this is simple, either buy one or install certificate services on your server and make one.

The single most IMPORTANT thing you need to do is make sure the certificate name resolves internally to the Exchange Server and publicly to the Outside Interface of the ISA server (or the public IP of the exchange box – if it uses a public address).

For Example

Certificate is called owa.mydomain.co.uk
Internally owa.mydomain.co.uk should point to the exchange box running OWA (you may need to set up split DNS for this).
Externally  owa.mydomain.co.uk should point to the Outside Interface of the ISA Server (or a static public address for the Exchange Box).

Solution

Step 1 Install ISA

1. OK, I’m assuming you don’t already have an ISA server, if you do then skip this bit and go straight to Step 2 (not box 2 below). Before ISA is installed ensure your server is service packed up and has the correct IP addresses on the correct interfaces – It may be worth naming the interfaces first for simplicity later (INSIDE, OUTSIDE and DMZ, or LAN, WAN and DMZ for example)

2. Let the CD/DVD auto-run, or locate the ISAAutorun.exe file on the CD and run that. From the splash screen select “Install ISA Server 2006”.

3. Set up files will be extracted.

4. At the welcome screen > Next.

5. Accept the EULA, > Next.

6. Enter the details and unlock code as appropriate.

7. Install both ISA Server and Configuration Storage Server > Next.

8. Create a new enterprise, then at the warning screen > Next.

9. You now need to specify networks – you can do this later or add more in at a later date, but let’s do it now > Add.

10. Add adaptor.

11. Add the adaptors for the Inside and Outside (and DMZ etc as applicable) > OK.

12. Review the information > Next.

13. If you have older (9x and NT) clients select allow non encrypted firewall connections > Next.

14. At the services warning screen > Next.

15. Install.

16. Go and have a coffee.

17. There is a distinct lack of spinning cogs on things these days don’t you think?

18. Job done! You can tick the box to launch the configuration wizard if you want, but we are not going to need that to do this job > Finish.

Step 2 Export the Exchange Web Certificate

OK, I’m assuming you already have Exchange Outlook Web Access secured using SSL – you need to export the certificate from the Exchange server to the ISA box.

1. Open IIS Manager (Start > Administrative Tools > Internet Information Services Manager) > Expand > Server-name > Websites > Right Click “Default Web Site” > Properties.

2. Directory security tab > server certificate button.

3. Next.

4. Export the certificate to a .pfx file > Next.

5. Choose a location to save the file (removable media or USB key would be handy).

6. Don’t panic if it says at some point it’s FAT formatted (it will still work) > OK > Next.

7. Enter a password > confirm the password > Next.

8. Next.

9. Finish.

Step 3 Import the Certificate into ISA

1. Take the .pfx file to the ISA Server, log in > Start > Run > mmc {enter}

2. Add/Remove Snap In.

3. Add.

4. Scroll down and select “Certificates” > Add.

5. Select computer account.

6. Select “local computer” > Finish > Close > OK to return to the console so you are looking at the certificate console.

7. Expand Certificates > Personal > Certificates (note you may need to stop at Personal if the Certificates sub folder does not exist – this happens if there are NO certificates on the server already) > Right Click in the right hand window > All Tasks > Import.

8. Next.

9. Browse to the pfx file (Note Change “files of type” to “All Files (*.*)” > Open > Next.

10. Enter the password you gave the certificate > Next.

11. Next.

12. Finish.

Step 4 Publish OWA with ISA

1. Launch the ISA Management Console > Navigate to > Arrays > Server-name > Right Click “Firewall Policy (Server-name)” > New > “Exchange Web Client Access Publishing Rule.”

2. Give the rule a name e.g. Exchange > Next.

3. OWA, OMA and Active Sync > Next.

4. Select “Publish a single web site or load balancer” > Next.

5. Select “Use SSL to connect to the published Web server or server farm using HTTP (Recommended)” > Next.

6. Internal Site name e.g. server1 > Tick Use Computer name or IP address and enter the IP address of the exchange box e.g. 172.254.254.1 > Next.

7. Public Name > enter the public name e.g. owa.yourdomain.co.uk (clients need to be able to resolve this on the internet).

8. At The Web Listener Page > New.

9. Give it a name e.g. ExchSSL.

10. Require SSL secured connections with Clients > Next.

11. Select the External Interface > Click Select IP Addresses.

12. Tick “Specified IP Addresses..” > OK > Next.

13. Select “Use a single cert for web Listener” > Click Select Certificate > Select the Certificate you imported earlier > Select > Next.

14. “HTML Form Authentication” > Select Windows (Active Directory) > Next.

15. Untick Enable SSO > Next.

16. Finish.

17. Next.

18. Next.

19. Next.

20. Finish.

21. Click the “Apply” Button at the top.

22. When it’s done click OK.

Step 5 Test It

1. Fire up an Internet Explorer connection and accept the certificate.

2. Log in.

3. You are up and running.

Related Articles, References, Credits, or External Links

NA

Cisco ASA5505 Setup (Via ASDM)

KB ID 0000067

Problem

Regular visitors to PNL will know I much prefer to do things at command line, but I appreciate most people trying to set up a new firewall will want to use the GUI.

Before you start you will need to know what IP addresses you want to use, what password you want to use etc.

Solution

1. You get two network cables in the box, connect your PC/Laptop to Ethernet port 1 (See the photo, that’s the second one in from the right – By default Ethernet port 0 is used for outside on an ASA, though this can be changed). Power on the ASA.

2. Your PC has to be set to get an IP address dynamically; the ASA will lease it an address, and the ASA will take the IP address of 192.168.1.1 on its inside interface. Here’s the result of an “ipconfig” command to prove it worked.

3. Open an IE (Or Firefox) window and navigate to https://192.168.1.1

4. Standard stuff, click “Continue to this website”.

5. Leave both boxes blank and click OK.

6. Click “Run Startup Wizard Applet”.

7. Click Yes (Isn’t Java annoying!)

8. More annoying Java just click OK.

9. After some time we will at last arrive at the startup wizard. We want to modify it so > Next.

10. Give the firewall a hostname, domain name and set the password (note it uses the names to generate an RSA key; remember this if you ever change them in future) > Next.

11. We don’t want this > Next.

12. OK, we now set the outside IP address; don’t mess with the VLAN information. In this case my outside interface is going to get its IP address automatically via DHCP; if yours is static then select “Use the following IP address” and type in the IP address and subnet mask > Next.

13. Now the inside interface. TRUST ME, leave it on 192.168.1.1. Even if that’s NOT what you want, if you change it here then when you get to the end it will all fail, because you have a DHCP address leased on an IP that’s on a different range. We will change the IP address of this interface at the end! > Next.

14. This page is for setting up a DMZ, which (unless you’ve purchased the Security Plus Licence) you won’t be using anyway. > Next.

15. Leave Interface 0 on the outside and everything else on the inside VLAN (unless you want to allocate ports to your DMZ) > Next.

16. Tick the bottom option > Next.

17. On the route page you have the option to enter internal and external routes. If your outside interface gets its IP details by DHCP then you can leave it all blank; if you’re on a static then you will need to supply the IP of your ISP router as the default route outside (route 0.0.0.0 0.0.0.0). If it makes more sense, think of this as the firewall’s default gateway.

18. Mine’s DHCP so I’ll just click Next.

19. Once again TRUST ME leave this alone we will change this later > Next.

20. There are about 2 chapters of textbook on this subject – we are going to use PAT and use the IP address of the outside interface. (All internal traffic will appear to the outside world to have come from that IP address.) > Next.

21. On administrative access click Add > Now add ASDM access for either a client or the network that the firewall IS GOING TO connect to > OK.

22. You might also want to add Telnet access for the above as well.

23. Notice we have access for the 192.168.1.0 network AND the network we are going to be on when we are finished. > Next.

24. We are not going to be using this > Next.

25. Have a quick review > Tick “Launch ASDM after configuring ASA” > Finish

Remember when you log into the ASA now you have changed the password! (Leave the username blank)


26. Now we will sort the inside interface out > From the ASDM > Configuration > Properties > DHCP Server > Inside > Edit.

27. Untick “Enable DHCP Server”, (or set according to your DHCP requirements) > OK.

28. Apply

29. Configuration > Interfaces > Inside > Edit

30. Set the correct IP address and subnet mask > OK.

31. Apply > At the warning click OK.

32. Settings will be applied. DO NOT TURN OFF THE FIREWALL’S POWER SUPPLY.

33. Fair enough, we can’t talk to it because we changed its IP address :).

34. Change your IP address so you can communicate with the firewall on its new IP address.

35. As before, launch your browser and connect to the internal IP address (remember it’s https).

36. Username = blank > Password you set earlier > OK.

37. File > Save running config to flash.

38. Apply > All Finished.


Do the same thing from command line

[box]

hostname Petes-ASA
domain-name petenetlive.com
! Inside interface (VLAN 1): this is where your final inside address goes (step 30).
interface vlan1
ip address 192.168.1.1 255.255.255.0
! Outside interface (VLAN 2) takes its address and default route from the ISP via DHCP (steps 12 and 17).
interface vlan2
ip address dhcp setroute
! ASDM (https) and Telnet management access from the 10.254.254.0/24 network (steps 21-23).
http 10.254.254.0 255.255.255.0 inside
telnet 10.254.254.0 255.255.255.0 inside
! Optional DMZ interface (VLAN 3), only if your licence allows it (step 14).
interface vlan3
no shutdown
ip address 172.16.254.1 255.255.0.0
nameif DMZ
same-security-traffic permit intra-interface
enable password password123
! Turn off the built-in DHCP server on the inside (step 27).
no dhcpd address 192.168.1.1-192.168.1.254 inside

[/box]

Related Articles, References, Credits, or External Links

NA

ASA 5500 Adding a DMZ Step By Step

KB ID 0000316 

Problem

Assuming you have a working ASA 5500 and you want to add a DMZ to it, this is the process.

Assumptions

1. Networks,

a. Inside network is 10.1.0.0 255.255.0.0
b. Outside network is 123.123.123.120 255.255.255.248
c. DMZ network is 172.16.1.0 255.255.0.0

2. Interfaces,

a. Inside Interface is 10.1.0.254
b. Outside Interface is 172.16.1.254
c. DMZ Interface is 172.16.1.254

3. The Web server in the DMZ will have the following IP addresses,

a. DMZ IP address 172.16.1.1
b. Public IP address 123.123.123.124

4. From the Internet you want to allow web traffic and secure web traffic (http/www and https/ssl) to the DMZ Server.

5. The DMZ Server needs to speak to a database server on the inside LAN, on TCP port 1433.

 

Solution

Step 1: Setup the DMZ Interface

1. Firstly connect to the ASA, log in, and go to enable mode.

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********

[/box]

2. Go to configure terminal mode and set up the DMZ interface (In this case Ethernet0/2).

[box]

PetesASA# configure terminal
PetesASA(config)# interface Ethernet0/2
PetesASA(config-if)# nameif DMZ
PetesASA(config-if)# security-level 50
PetesASA(config-if)# ip address 172.16.1.254 255.255.0.0
PetesASA(config-if)# no shutdown
PetesASA(config-if)# exit

[/box]

Step 2: Setup the DMZ NAT

Before we worry about the NAT, we need to find out what version of code the ASA is running, (configuration of NAT changes in version 8.3).

Find out your Cisco ASA version (Operating system and ASDM)

ASA Version 8.3 and Newer DMZ NAT

1. Allow the IP addresses in the DMZ to be NATed to the outside IP address (we will set up a static translation for the DMZ host in a minute).

[box]

PetesASA(config)# object network DMZ-subnet
PetesASA(config-network-object)# subnet 172.16.1.0 255.255.0.0
PetesASA(config-network-object)# nat (DMZ,outside) dynamic interface
PetesASA(config-network-object)# exit
PetesASA(config)#

[/box]

2. Specify the public IP of the DMZ host.

[box]

PetesASA(config)# object network DMZ-Host-EXT
PetesASA(config-network-object)# host 123.123.123.124
PetesASA(config-network-object)# exit
PetesASA(config)#

[/box]

3. Create a static NAT translation for the public IP of the DMZ host to its private IP.

[box]

PetesASA(config)# object network DMZ-Host-INT
PetesASA(config-network-object)# host 172.16.1.1
PetesASA(config-network-object)# nat (DMZ,outside) static DMZ-Host-EXT
PetesASA(config-network-object)# exit
PetesASA(config)#

[/box]

ASA Version 8.2 and Older DMZ NAT

1. I like to name the DMZ entities’ IP addresses so things look neat.

[box]

PetesASA(config)# name 172.16.1.1 DMZ-Host-Private-IP
PetesASA(config)# name 123.123.123.124 DMZ-Host-Public-IP

[/box]

2. Set a NAT statement to handle traffic flow (assuming you have a matching global statement like “global (outside) 1 xxx” – “show run global” will tell you).

[box]

PetesASA(config)# nat (DMZ) 1 0.0.0.0 0.0.0.0

[/box]

Note: We are only going to have one DMZ host, and it will have a static mapping – if you had many DMZ hosts then also add “global (DMZ) 1 interface”.

3. Now add some static mappings.

[box]

PetesASA(config)# static (DMZ,outside) DMZ-Host-Public-IP DMZ-Host-Private-IP netmask 255.255.255.255
PetesASA(config)# static (inside,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
PetesASA(config)# static (inside,DMZ) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

[/box]

Step 4: Create ACL’s to Allow Traffic

Once again there’s a slight change in the syntax based on the ASA version, after version 8.3 you allow access to the ‘Pre-Natted’ address, but before version 8.3 you allowed access to the ‘Post-Natted’ address.

ASA Version 8.3 and Newer Access Lists

1. To let people in from outside you need to either create an access-list or add some rules to any existing inbound access-list (“show run access-group” will tell you; look for an ACL applied “in” to the outside interface, e.g. “access-group outbound in interface inside”). We will assume I don’t have one, so I’ll need the access-group at the end.

[box]

PetesASA(config)# access-list inbound extended permit tcp any object DMZ-Host-INT eq www
PetesASA(config)# access-list inbound extended permit tcp any object DMZ-Host-INT eq https
PetesASA(config)# access-group inbound in interface outside

[/box]

2. Now to allow the DMZ host to get to the database server I’m going to allow TCP 1433.

[box]

PetesASA(config)# access-list DMZ-outbound extended permit tcp object DMZ-Host-INT host 10.1.0.100 eq 1433
PetesASA(config)# access-group DMZ-outbound in interface DMZ

[/box]

ASA Version 8.2 and Older Access Lists

1. To let people in from the outside you need to either create an access-list or add some rules to any existing inbound access-list (“show run access-group” will tell you; look for an ACL applied “in” to the outside interface, e.g. “access-group outbound in interface inside”). We will assume I don’t have one, so I’ll need the access-group at the end.

[box]

PetesASA(config)# access-list inbound extended permit tcp any host DMZ-Host-Public-IP eq www
PetesASA(config)# access-list inbound extended permit tcp any host DMZ-Host-Public-IP eq https
PetesASA(config)# access-group inbound in interface outside

[/box]

2. Now to allow the DMZ host to get to the database server I’m going to allow TCP 1433.

[box]

PetesASA(config)# access-list DMZ_outbound extended permit tcp host DMZ-Host-Private-IP host 10.1.0.100 eq 1433
PetesASA(config)# access-group DMZ_outbound in interface DMZ

[/box]
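Before you trust the NAT objects and access-lists above, it is worth checking what they actually permit rather than reading them by eye. The following Python script is an added example (not from the original article and not a Cisco tool). It takes a constructed config fragment built from the 8.3+ commands in the NAT and access-list sections, resolves `object` references to their real (pre-NAT) addresses, follows the `access-group` bindings to the interface each ACL is applied on, and reports any permit entry that goes beyond the assumptions stated at the top of the article (web to the DMZ host from anywhere, TCP 1433 from the DMZ host to the database server). The `POLICY` set, the `Flow` class and the helper names are assumptions of this example, as is the database server address 10.1.0.100 taken from the 8.3 access-list step.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed ASA 8.3+ fragment (not a real device dump) using the article's
# object and ACL names.
SAMPLE_CONFIG = """\
object network DMZ-Host-EXT
 host 123.123.123.124
object network DMZ-Host-INT
 host 172.16.1.1
 nat (DMZ,outside) static DMZ-Host-EXT
access-list inbound extended permit tcp any object DMZ-Host-INT eq www
access-list inbound extended permit tcp any object DMZ-Host-INT eq https
access-group inbound in interface outside
access-list DMZ-outbound extended permit tcp object DMZ-Host-INT host 10.1.0.100 eq 1433
access-group DMZ-outbound in interface DMZ
"""

# The article's assumptions as a policy: (interface, src, dst, proto, port).
# On 8.3+ the ACL names the REAL (pre-NAT) DMZ address, so the policy uses 172.16.1.1.
POLICY: Set[Tuple[str, str, str, str, int]] = {
    ("outside", "any", "172.16.1.1", "tcp", 80),
    ("outside", "any", "172.16.1.1", "tcp", 443),
    ("DMZ", "172.16.1.1", "10.1.0.100", "tcp", 1433),
}

PORT_NAMES = {"www": 80, "http": 80, "https": 443}


@dataclass(frozen=True)
class Flow:
    interface: str        # interface the ACL is applied inbound on
    src: str              # resolved source address or "any"
    dst: str              # resolved destination address or "any"
    proto: str
    port: Optional[int]   # None means every port; the audit treats that as a finding


def parse_objects(config: str) -> Dict[str, str]:
    """Map 'object network NAME' to its host address (subnets/ranges are ignored)."""
    objects: Dict[str, str] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+host (\S+)", line)
        if m and current:
            objects[current] = m.group(1)
    return objects


def _endpoint(tokens: List[str], i: int, objects: Dict[str, str]) -> Tuple[str, int]:
    """Consume one ACL address spec (any | host A | object NAME) starting at index i."""
    kind = tokens[i]
    if kind == "any":
        return "any", i + 1
    if kind == "host":
        return tokens[i + 1], i + 2
    if kind == "object":
        return objects[tokens[i + 1]], i + 2   # 8.3+: the object holds the real address
    raise ValueError("unsupported address spec: " + " ".join(tokens[i:]))


def permitted_flows(config: str) -> List[Flow]:
    """Every permit entry, resolved to addresses and bound to the interface it protects."""
    objects = parse_objects(config)
    acls: Dict[str, list] = {}
    bindings: Dict[str, str] = {}   # ACL name -> interface it is applied 'in' on
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-group"] and t[2:4] == ["in", "interface"]:
            bindings[t[1]] = t[4]
        elif t[:1] == ["access-list"]:
            name, i = t[1], 2
            if t[i] == "extended":
                i += 1
            action, proto, i = t[i], t[i + 1], i + 2
            src, i = _endpoint(t, i, objects)
            dst, i = _endpoint(t, i, objects)
            port = None
            if i < len(t) and t[i] == "eq":
                port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            acls.setdefault(name, []).append((action, proto, src, dst, port))
    flows = []
    for name, entries in acls.items():
        iface = bindings.get(name)
        if iface is None:
            continue   # defined but never applied with access-group: permits nothing
        for action, proto, src, dst, port in entries:
            if action == "permit":
                flows.append(Flow(iface, src, dst, proto, port))
    return flows


def audit(config: str, policy: Set[Tuple[str, str, str, str, int]]) -> List[str]:
    """Permit entries that exceed the policy: extra hosts, extra ports, or any-port rules."""
    findings = []
    for f in permitted_flows(config):
        if f.port is None:
            findings.append(f"{f.interface}: {f.proto} {f.src} -> {f.dst} permits ALL ports")
        elif (f.interface, f.src, f.dst, f.proto, f.port) not in policy:
            findings.append(f"{f.interface}: {f.proto} {f.src} -> {f.dst}:{f.port} is not in policy")
    return findings


if __name__ == "__main__":
    for flow in permitted_flows(SAMPLE_CONFIG):
        print(flow)
    print("findings:", audit(SAMPLE_CONFIG, POLICY) or "none")
```

Running it against the fragment gives three flows and no findings; adding a broader line such as `permit ip any object DMZ-Host-INT` to the inbound ACL is reported as an all-ports rule. The same check on an 8.2 box would need the policy written with the public address, because pre-8.3 ACLs match the post-NAT address as the article notes.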

Step 5: Save the changes

1. Finally, save the configuration.

[box]

PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5417d5a1 bee8b082 16c6f19d b3839f13

9379 bytes copied in 1.410 secs (9379 bytes/sec)
[OK]

[/box]

Related Articles, References, Credits, or External Links

Original Article Written 27/08/10

IP Address Conflicts with VMware ESX and Cisco ASA

KB ID 0000635

Problem

My colleague was setting up a DMZ server for one of our clients, it was a virtual server that was presented to the DMZ of a Cisco ASA 5510. Every time he gave it a static IP address it popped up an IP address conflict (no matter what the IP address was).

Windows has detected an IP address conflict
Another computer on this network has the same IP address as this computer. Contact your network administrator for help resolving this issue. More details are available in the Windows event log.

He asked me to set up DHCP for the DMZ to see if that would cure the problem, which I did. However, that refused to work either.

Windows IP Configuration
An error occurred while renewing interface Local Area Connection : The DHCP client has obtained an IP address that is already in use on the network. The local interface will be disabled until the DHCP client can obtain a new address.
An error occurred while releasing interface. Loopback Pseudo-Interface 1 : The system cannot find the file specified.

Solution

Turns out this is a known problem, and is pretty easy to rectify.

Option 1 (On the ASA)

1. Connect to the ASA via command line, log in and then go to enable mode

[box]

Password:******
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********

[/box]

2. Enter configure terminal mode then disable proxy ARP on the interface that’s presented to the problem network, (in this case the interface is called DMZ).

[box]

PetesASA# configure terminal
PetesASA(config)# sysopt noproxyarp DMZ

[/box]

3. Save the changes.

[box]

PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d

7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#

[/box]

Note: You can also disable proxy ARP in the NAT translation, with the no-proxy-arp keyword, like so;

[box]

PetesASA(config)# nat (inside,DMZ) source static Inside-LAN Inside-LAN destination static Inside-LAN Inside-LAN no-proxy-arp

[/box]

Option 2 (On the affected machine)

Note: This is for Windows based clients.

1. Start > Run > regedit {Enter}.

2. Navigate to;

[box]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

[/box]

3. Create a new DWORD value called ‘ArpRetryCount’ and set its value to 0 (Zero).

4. Reboot.

Related Articles, References, Credits, or External Links

NA

ASA 5505 Determine Your License Version

KB ID 0000701

Problem

If you are having problems with internal clients NOT getting through the firewall, the license on your ASA 5505 may be ‘too small’.

ASA 5505 License Differences

Essentially the licenses come in 10 user, 50 user, and unlimited*. You can also have a Security Plus License; this increases IPsec VPNs from 10 to 25, and adds Active/Standby failover, Dual ISP Support, and DMZ Support.

*Note: These figures are the concurrent total users, for internal clients making connections through the firewall, from the internal VLAN to the external VLAN (not between internal VLANs). If you have no default route defined then the limit is placed on ALL hosts on ALL VLANs.

From Cisco 

In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit when they communicate with the outside (Internet VLAN), including when the inside initiates a connection to the outside as well as when the outside initiates a connection to the inside. Note that even when the outside initiates a connection to the inside, outside hosts are not counted towards the limit; only the inside hosts count. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the outside Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the show local-host command to view host limits.

Solution

To locate your license version issue the following command whilst in enable mode: ‘sho ver’ or ‘show version’.


ASA 5505 10 User License

ASA5505 50 User License

ASA 5505 Unlimited License

ASA 5505 Security Plus License
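If you need to check licensing across several boxes, or want the host limit as a number you can compare with the count from ‘show local-host’, the ‘Licensed features’ block of ‘show version’ is easy to parse. The Python below is an added example (not from the original article, and not Cisco code). The ‘show version’ excerpt in it is constructed to resemble a Base-licensed 5505 and is trimmed to the lines the parser reads; the function names, the summary keys and the ‘Security Plus’ wording in the platform line are assumptions of this example.

```python
import re
from typing import Dict, Optional

# Constructed 'show version' excerpt in the shape of a Base-licensed ASA 5505.
# Real output is longer; only the lines this parser cares about are shown.
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz

Licensed features for this platform:
Maximum Physical Interfaces  : 8
VLANs                        : 3, DMZ Restricted
Inside Hosts                 : 10
Failover                     : Disabled
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
VPN Peers                    : 10
WebVPN Peers                 : 2
Dual ISPs                    : Disabled
VLAN Trunk Ports             : 0

This platform has a Base license.
"""


def parse_licensed_features(text: str) -> Dict[str, str]:
    """Return the 'Licensed features' block as a {feature: value} map."""
    features: Dict[str, str] = {}
    in_block = False
    for line in text.splitlines():
        if line.startswith("Licensed features for this platform"):
            in_block = True
            continue
        if not in_block:
            continue
        if not line.strip():          # the first blank line ends the block
            break
        key, sep, value = line.partition(":")
        if sep:
            features[key.strip()] = value.strip()
    return features


def inside_host_limit(features: Dict[str, str]) -> Optional[int]:
    """Concurrent inside-host limit from the block; None means Unlimited."""
    value = features.get("Inside Hosts", "")
    if value.lower().startswith("unlimited"):
        return None
    return int(value)


def summarise_license(text: str) -> dict:
    """Condense show version into the facts that matter for the symptom above."""
    features = parse_licensed_features(text)
    limit = inside_host_limit(features)
    platform = re.search(r"This platform has an? (.+?) license", text)
    return {
        "edition": "Unlimited" if limit is None else f"{limit} User",
        "security_plus": bool(platform and "Security Plus" in platform.group(1)),
        "inside_host_limit": limit,
        "dmz_restricted": "Restricted" in features.get("VLANs", ""),
        "failover": features.get("Failover", "Unknown"),
        "vpn_peers": features.get("VPN Peers", "Unknown"),
    }


def over_host_limit(text: str, active_inside_hosts: int) -> bool:
    """True when the inside hosts currently seen (e.g. counted from 'show local-host')
    exceed the licensed limit, which is when new inside clients stop getting through."""
    limit = inside_host_limit(parse_licensed_features(text))
    return limit is not None and active_inside_hosts > limit


if __name__ == "__main__":
    print(summarise_license(SAMPLE_SHOW_VERSION))
    print("12 active inside hosts over the limit:", over_host_limit(SAMPLE_SHOW_VERSION, 12))
```

On the constructed sample this reports a 10 User edition without Security Plus, with the DMZ VLAN restricted, and flags 12 concurrent inside hosts as over the limit; swap in the real output from your own unit to get the same summary for it.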

Related Articles, References, Credits, or External Links

Find out your Cisco ASA version (Operating system and ASDM)

Cisco ASA 5500 – Adding Licenses