Having your ESX Server running the correct time is quite important, and before you visit this subject, I would suggest you MAKE SURE the time is set in the ESX Servers BIOS, ie the internal clock is set correctly first. I’ve lost count of the amount of times I’ve seen Windows domains fall over because the ESX host has reverted to its BIOS time and replicated that time to its guests, suddenly your domain clocks are two years apart and carnage ensues!
Throughout this procedure I will be setting my VMware environment to sync time with a LOCAL windows domain controller, some may argue if the domain controller is a virtual machine in a virtual environment that this is a BAD IDEA. I understand that argument (but this is my test network). In production I would rather have my devices getting time synchronised from a public reliable public time source.
Solution : ESX NTP
Step 1: vCenter NTP
Assuming you have already set time correctly on you domain controller as per this article. Then the next step is to configure you vCenter server(s) NTP time source. note: If you are using stand-alone ESX Servers please skip this section.
Note: For this to work the hosts need to be able to communicate with the time servers over NTP (UDP Port 123), ensure your firewall has this port open to the NTP source or time sync will fail.
Connect you your vCenter(s) direct admin console https://{ip-or-domain-name}:5400 log in as root. Navigate to Time > Select the correct Time Zone (Note: there is GMT but no BST So if you’re in the UK select Europe/London). Under Time Synchronization > Edit > Mode = NTP > Time Servers = the IP(s) of you time sources > Save.
Have a coffee, eventually it should look like this.
Step 2: ESX NTP (Directly)
Note: If you are managing ESX hosts via vCenter skip to the next section, this procedure is used to set NTP on an ESX host directly. Connect to the management console of your ESX Server. Navigate to Manage > System > Time & Date > Edit NTP Settings.
Select “Start and Stop with Host” > Enter the IP addresses or names of the NTP Source(s) > Save.
Step 2: ESX NTP (via vCenter)
Connect to vCenter and select your first ESX host > Configure > Time configuration > Add Service > Network Time Protocol > Enter the IP addresses(s) or name(s) of you NTP Server(s) > OK.
At this point go and have a coffee > Hit Refresh > ONCE there’s an entry under Last Time Sync > Test Services.
The output should look something like this
ESX NTP For OLDER versions of vSphere
Connect to the host (or vCenter and drill down to the host(s)). Select the host in question > Configuration > Time Configuration > Properties > Tick NTP Client Enabled > Options > Add > Add in your public time server IPs > Tick ‘Restart NTP Service to apply changes’ > OK > OK.
Note: I’m in the UK so I’m using two time servers in this country, you may want to use one closer to home.
Note: If all these details are IN RED, then it has failed to sync, either be patient, try putting the host into and out of maintenance mode, or reboot it, if it continues to fail check it can see the public time servers on UDP port 123.
Related Articles, References, Credits, or External Links
NDES, is the name for what we used to call MSCEP, which was an ‘add-on’ for the Server 2003 family of servers. In Server 2008 it was renamed to NDES. It is a role service that runs on a Certificate Services Server, and is used to create a registration authority (RA) that can issue certificates from your PKI infrastructure to network devices, i.e. Routers, Firewalls and Switches.
Solution
Installing Network Device Enrollment Service
I’m assuming you already have an Active Directory Certificate Services Server setup, if not you can deploy that and add in NDES at the same time.
1. Either: Launch Server Manager > Manage > Add Roles and Features > Below Active Directory Certificate Services select Network Device Enrollment Service.
2. Or: From within PowerShell run the following command;
1. Create a domain user (below I’ve called it SVC_NDES) > Add that user to the IIS_IUSRS group on the CA server.
2. From within Server Manager launch the post deployment configuration wizard.
3. Next.
4. Select Network Device Enrollment Service, (if not already selected).
5. Change the account details, to the service account you created above.
6. Enter the details that will be used to enroll the RA certificate.
7. Accept the defaults > Next.
8. Configure.
9. Close.
10. Launch the Certificate Authority management console > Certificate Templates > Right Click > Manage.
11. Open the properties of the ‘IPSec (Offline request)’ certificate > Security Tab > Make sure the account you created (above) has the ‘Enroll’ permission.
NDES Disable Password Requirement.
I’ve read a few blogs and articles that say;
“There is no way for Cisco devices to supply the required password to enroll with NDES/MSCEP, so you need to disable the requirement for a password.”
This is NOT TRUE, however the whole point of issuing certificates via your PKI infrastructure, is that it can scale dramatically. If you are creating passwords and embedding those passwords in all your enrollments, it can get a little unwieldy. So it may be sensible to remove the password requirement.
Update: 22/10/21: You may also need to recycle the SCEP application pool in IIS (on the Certificate Services Server)
From IIS Manager > CA > Application Pools, SCEP. > From the right hand panel > Advanced Settings. > Set Load User Profile to ‘True‘ > OK.
Again in the right panel > Recycle > From IIS Manager > Sites > Default Web Site. > From the right panel, click Restart.
Below you can see the difference, with the password requirement enforced, and without.
2. Restart the Certificate Services Service;
[box] net stop certsvc net start certsvc [/box]
NDES More Password Options and Renewing Certificates
If you do want the more secure option of using passwords, but don’t want to ad a new password every time you have a new enrollment, you can specify that the password does not expire after the default 60 minutes, in fact it never expires. This is handy if you want to renew certificates without generating new passwords. To do that carry out the following procedure;
[box] HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Cryptography > MSCEP[/box]
Create a new 32 bit DWORD value called ‘DisableRenewalSubjectNameMatch’ Set the value to 1 (one).
3. If (as above), you are running NDES under a service account, ensure that account has full control of the MSCEP key. (Again don’t forget to restart the Certificate Server service.)
IIS Query String Problem
You may find that with the default IIS settings you may encounter some problems. This is because (by default) IIS will only accept a Query String that’s less than 2048 characters long. If that happens you may see the following errors;
Request URL Too Long
HTTP Error 414. The request URL is too long.
HTTP Error 404.15 – Not Found
The request filtering module is configured to deny a request where the query string is too long.
I was in a forum last week and someone asked, “Can I enable Azure MFA, on my RADIUS server, to secure access to my switches and routers etc”. It turns out if you want to enable Azure MFA with Microsoft NPS it’s actually quite simple.
So, I’m using RADIUS auth (above) on my NPS server, and it’s simply checking the authenticating user is a member of a domain security group. Once it has satisfied that requirement, it will authenticate against my Azure AD, which will trigger an MFA event, (in my case send a request to the Microsoft Authenticator Application on my Android Phone).
Azure MFA With Microsoft NPS Pre-Requisites
The remote user needs EITHER an Azure P1 License, or a Microsoft 365 license.
“But I can use the Authenticator App with my Office 365 subscription?”
Well yes you can, but we are not authenticating to office 365 are we?
Below you can prove the licence is allocated in Office 365
And the same in Azure AD.
Now your user needs to have MFA enabled, (this should be pretty obvious), to use the Microsoft authenticator application the USER chooses that method of authentication, when you enable MFA for them (the first time they login). You can re-force that, from the following screen if you wish.
Now for some reason installing NPS does not open the correct ports on the Windows Firewall? So issue the following command;
[box]
Get-NetFirewallRule -DisplayGroup "Network Policy Server" | where DisplayName -like "*RADIUS*" | Set-NetFirewallRule -Service Any
[/box]
Azure MFA With Microsoft NPS: Domain (on Premises and Azure AD)
You will need to know what your Azure Tenant ID is, keep a copy of this handy either in notepad or on the clipboard because you will need it in a minute.
Below you can see I’ve got my domain user, their remote access (Dial In Tab) is set to control access though policy, and I’ve placed them in a security group called SG-Azure-MFA.
Configure NPS for RADIUS Access
Note: You may already have this configured, if so please skip to the next section.
The first task is to define the RADIUS CLIENT, in my case it will be a Cisco firewall, yours could be any device that requires RADIUS authentication. Locate REDIUS Clients > New > Provide a ‘Friendly Name’ (REMEMBER WHAT IT IS) > Enter its IP address > Then provide and confirm a shared secret (think of it like a password, you will need to add this to the radius clients config) > OK
Policies > Network Policies > New > Give it a sensible name > Next.
Add in a ‘Condition‘ for User Group, then add in the user group you created/used above.
Add in another ‘Condition‘ > Set the friendly name to the one you used when you created your RADIUS client.
Accepts all the defaults until you get to Configure Authentication Methods > Tick ‘Unencrypted Authentication (PAP, SPAP)’> Click yes if you want to read the warning > Next > Accept all the defaults from this point forward.
Remember to RAISE the RADIUS timeout, by default its 10 seconds, I raised it to 30 seconds.
And on my phone I get prompted to allow
Authentication successful!
Troubleshooting (NPS Azure MFA Not Working)
Event ID 6274: The Request Was Discarded by a third-party extension DLL file.
This happens when the user you are authenticating does not have the correct license in Azure (or you have just allocated the license and have not waited for a while).
Full Error
[box]
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 15/07/2021 16:42:58
Event ID: 6274
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: PKI-02.pnl.com
Description:
Network Policy Server discarded the request for a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: PNL\tanya.long
Account Name: tanya.long
Account Domain: PNL
Fully Qualified Account Name: pnl.com/PNL/Users/Tanya Long
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: -
Calling Station Identifier: -
NAS:
NAS IPv4 Address: 192.168.254.254
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Virtual
NAS Port: 6
RADIUS Client:
Client Friendly Name: Firewall
Client IP Address: 192.168.254.254
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: NP-Azure-MFA
Authentication Provider: Windows
Authentication Server: PKI-02.pnl.com
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Reason Code: 9
Reason: The request was discarded by a third-party extension DLL file.
[/box]
Event ID 6273: An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection
In my case I had re-install the NPS Azure extension.
Full Error
[box]
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 15/07/2021 17:24:39
Event ID: 6273
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: PKI-02.pnl.com
Description:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: tanya.long
Account Domain: PNL
Fully Qualified Account Name: PNL\tanya.long
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: -
Calling Station Identifier: -
NAS:
NAS IPv4 Address: 192.168.254.254
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Virtual
NAS Port: 10
RADIUS Client:
Client Friendly Name: Firewall
Client IP Address: 192.168.254.254
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: PKI-02.pnl.com
Authentication Type: Extension
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 21
Reason: An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.
[/box]
Related Articles, References, Credits, or External Links
Let’s say you want to RDP to a remote server (imagine such a thing!) But some doofus didn’t enable RDP? Well you can enable Remote Desktop via group policy and wait a while. I used to connect to the registry remotely and change the key that enabled RDP, but now you can do it with a simple PowerShell command. Not only will it enable Remote Desktop, it will also allow RDP on the Windows firewall (if enabled).
Enable Remote Desktop (Powershell)
First install the module, then execute the command;
You want to Setup FTP on your Windows Server, (and more importantly make it work without disabling the firewall.) Below are the procedure you will need to carry out.
Note: For older Windows Operating systems like Server 2012, click here, or for Server 2008, click here.
Setup FTP Server (Windows Server)
Setup FTP on Windows Server 2012 (Including firewall setup)
Setup FTP on Windows Server 2008 R2 (Including firewall setup)
Firewall Configuration for FTP on Server 2008 R2 (Included in the Video above).
>
Related Articles, References, Credits, or External Links
With older versions of Horizon View, we simply deployed another Connection server and called it a Security Server. The drawback of that is, it requires another Windows licence. You can now deploy VMware UAG (Unified Access Gateway), try to think of it as a ‘Netscaler for VMware’, and like other VMware solutions it’s a small appliance built on VMware’s ‘Photon’ Linux.
Below is a typical deployment and shows you the ports you will be required to open on your firewall to make this work;
You can deploy multiple UAGs and have them behind a load balancer, or point individual UAGs to separate Horizon Connection servers. Her I’m simply deploying one internal Horizon Connection Server, and one VMware UAG in my DMZ.
Step 1: Deploy the UAG Appliance
I’ve covered deploying OVA files before, but essentially download the OVA, and within your vSphere client select deploy OVF template. Navigate to, and select the OVA file you have downloaded from VMware > Next.
Select your Datacenter and optionally folder > Next.
Pick where you want to deploy the appliance (Cluster etc.) > Next.
Review your settings > Next.
I’m deploying into a DMZ so there will be no shortcutting the firewall! > Single NIC > Next.
Select the storage you want to deploy the appliance to > Next.
Confusingly, (as we have picked single NIC?) set them all to the correct port group > Next.
Specify the IP address > Scroll down.
Complete the DNS and IP settings > Give the appliance a name > scroll down.
Untick CEIP > Set the admin, (needed for the web front end), and root (needed for console login) passwords.
Select the edition to deploy (based on your licence) > Next.
Review the settings > Finish.
Step 2: UAG Pre Configuration Tasks
To allow users to access Horizon machines externally, you need to ensure you have granted Remote Access Rights in Horizon Administrator, Note: This is in addition to any Entitlements you have already setup for the machine pools.
Take a copy of the Thumbprint, from the Horizon Connection Server you will be pointing the UAG at, keep it handy you will need it in a minute.
Optionally
If your UAGs are going into a DMZ there’s a chance that they wont be able to resolve internal domain names, (you can specify internal IP addresses of course). I prefer to enter the names/FQDNs of my connections servers, in the appliances hosts file, so it can be resolved. Log into the console as root;
[box]
vi /etc/hosts
[/box]
If you’re unsure how to use vi, (i.e you don’t wear sandals, or have a ginger pony tail.) Press I (insert) make your changes > Press Esc > Type :wq {Enter}.
Step 3: Configure UAG for Horizon
Connect to the UAG with a web browser (https{ip-address}:9443) > Login with the admin account > ‘Configure Manually’.
Optional: Add Certificate
If you have a publicly signed certificate, the easiest way to import it is with a PFX file and a password, (use the search box above, I’ve covered creating PFX files many times). You need to go to Advanced Settings > TLS Server Certificate Settings > Select admin and internet interfaces, (as required) > Browse to the PFX file and enter the password you set, (for the pfx file!) > Save.
General Settings > Edge Service Settings > SHOW > Horizon Settings > Enable Horizon > Save.
Enter the URL of the internal connection Server, and the Thumbprint you took note of, (above) > Enable PCOIP.
Set the external PCIOP URL to the external IP of the UAG, (or load balancer if using one) and add :4172 to the end, Enable Blast > Set the public URL of the UAG, (or load balancer if using one) and add :443 to the end. Enable Tunnel, and set the same URL again with :443 on the end. If you want to, open the ‘more options’ section and take a look at the optional settings, though I’m leaving everything else on the default settings > Save.
Have a cup of coffee, refresh the page a few times > Log off and back on again, and hopefully all the options should ‘go green‘. If not, check the firewall ports, and make sure the UAG can resolve the name of the connection server.
Over in Horizon Administrator > Select each internal connection server and remove ‘Secure Tunnel‘, PCOIP Secure Gateway, and select ‘Do not use Blast Secure Gateway‘ > OK.
You can register the UAGs, in the Gateway section, but you wont see anything change until they have been used ‘in anger’.
You can now test externally by trying to connect with a Horizon Client.
Related Articles, References, Credits, or External Links
Given the amount of deployments I do, it’s surprising that I don’t use KMS more often. Like most technical types, I find a way that works for me, and that’s the way I do things from then on. However these last few weeks I’ve been putting in a new infrastructure for a local secondary school. Their internet access is through a proxy server, that refuses to let Windows activation work. Unfortunately the “Administrators” of this proxy server were not disposed to give me any help, or let me anywhere near it, to fix it.
So after activating a dozen servers over the phone, I decided enough was enough “I’m putting in a KMS Server!”
I’m deploying KMS on Windows Server 2008 R2, and it is for the licensing and activation of Serer 2008 R2 and Windows 7. I will also add in the licensing KMS mechanism for Office 2010 as well.
Note: If you are using Server 2003 it will need SP1 (at least) and this update.
Solution
To be honest it’s more difficult to find out how to deploy a KMS server, than it actually is to do. I’ve gone into a fair bit of detail below but most of you will simply need to follow steps 1-4 (immediately below). In addition, after that I’ve outlined how to deploy KMS from command line. Then how to test it, and finally how to add Microsoft Office 2010 Licenses to the KMS Server.
Install Microsoft Windows 2008 R2 Key Management Service (EASY)
1. The most difficult part is locating your KMS Key! If you have a Microsoft License agreement, log into the the Microsoft Volume License Service Center, and retrieve the KMS License Key for “Windows Server 2008 Std/Ent KMS B”
Note: To License/Activate Server 2008 R2 AND Windows 7 THIS IS THE ONLY KEY YOU NEED. You do NOT need to add additional keys for Windows 7. (You DO for Office 2010, but I’ll cover that below).
2. Armed with your new key, you simply need to change the product key on the server that will be the KMS server, to the new key. Start > Right Click “Computer” > Properties. (Or Control Panel > System). Select “Change Product Key” > Enter the new KMS Key > Next.
3. You will receive a warning that you are using a KMS Key > OK. You may now need to activate your copy of Windows with Microsoft, this is done as normal, if you can’t get it to work over the internet you can choose to do it over the phone.
4. In a corporate environment (behind an edge firewall) you may have the local firewall disabled on the server. If you do NOT then you need to allow access through the local firewall for the “Key Management Service”, (this runs over TCP port 1688). To allow the service, Start > Firewall.cpl {enter} > Allow program or feature through Windows Firewall” > Tick Key Management Service > OK.
Note: Should you wish the change the port the service uses, you can do so with the following command, i.e. to change it to TCP Port 1024;
[box]
cscript c:\Windows\System32\slmgr.vbs /SPrt 1024
[/box]
That’s It! That is all you should need to do, your KMS Server is up and running.
Install Microsoft Windows 2008 R2 Key Management Service from Command Line
You will notice below that I’m running these commands from command windows running as administrator (Right click “Command Prompt” > Run as administrator).
Note: To License/Activate Server 2008 R2 AND Windows 7 THIS IS THE ONLY KEY YOU NEED. You do NOT need to add additional keys for Windows 7. (You DO for Office 2010, but I’ll cover that below).
2. Providing the command runs without error, we have just changed the product key for this Windows server to be the KMS key.
3. Now we need to activate the Windows Server > Run the following command;
[box]
c:\Windows\System32\slui.exe
[/box]
Select “Activate Windows online now” > Follow the on screen prompts.
4. When complete, it should tell you that it was successfully activated.
5. In a corporate environment (behind an edge firewall) you may have the local firewall disabled on the server. If you do NOT then you need to allow access through the local firewall for the “Key Management Service”, (this runs over TCP port 1688). To allow the service, Start > Firewall.cpl {enter} > Allow program or feature through Windows Firewall” > Tick Key Management Service > OK.
Note: Should you wish the change the port the service uses, you can do so with the following command, i.e. to change it to TCP Port 1024;
[box]
cscript c:\Windows\System32\slmgr.vbs /SPrt 1024
[/box]
That’s It! That is all you should need to do, your KMS Server is up and running.
Testing the Key Management Server
Before it will start doing what you want it to, you need to meet certain thresholds, with Windows 7 clients it WONT work till it has had 25 requests from client machines. If you are making the requests from Windows 2008 Servers then the count is 5. (Note: For Office 2010 the count is 5 NOT 25)
Interestingly: On my test network I activated five Windows 7 machines, then one server, and it started working.
Windows 7 and Windows 2008 R2 have KMS Keys BUILT INTO THEM, if you are deploying/imaging machines you should not need to enter a key into them (unless you have entered a MAK key on these machines then you will need to change it to a client KMS Key). These are publicly available (see here).
1. The service works because it puts an SRV record in your DNS, when clients want to activate, they simply look for this record before they try and activate with Microsoft, if they find the record, they activate from your KMS Server instead. If you look on your domain DNS servers, expand “Forward Lookup Zones” > {your domain name} > _tcp > You will see an entry for _VLMCS that points to your KMS Server.
2. From your client machines you can test that they can see the SRV record, by running the following command;
[box]
nslookup -type=srv _vlmcs._tcp
[/box]
Note: If this fails, can your client see the DNS server? And is it in the domain?
3. There is no GUI console for KMS to see its status, so run the following command on the KMS server;
[box]
cscript c:\Windows\System32\slmgr.vbs /dli
[/box]
4. As I’ve mentioned above, with Windows clients you need 25, and Windows Servers you will need 5 requests before KMS will work, before this you will see;
Windows Activation
A problem occurred when Windows tried to activate. Error Code 0xC004F038
5. For each of these failures, look-in the KMS Server, and the “Current count” will increment by 1 till it starts to work). In a live environment this wont be a problem, (You probably wont be looking at KMS with less than 25 clients!). On a test network just clone/deploy a load of machines until you hit the threshold.
Troubleshooting KMS Clients
To make things simple the command to execute on the clients, is the same command that you run on the KMS server to check the status.
[box]
cd c:\windows\system32
slmgr /dli
[/box]
For further troubleshooting, see the following links.
In addition to servers and clients, KMS can activate and handle Office 2010 licenses as well. You simply need to add in Office support, and your Office 2010 KMS key. As mentioned above, unlike Windows clients, you only need five requests to the KMS server before it will start activating Office 2010 normally.
1. First locate your Office 2010 KMS Key! If you have a Microsoft License agreement, log into the the Microsoft Volume License Service Center, and retrieve the KMS License Key for “Office 2010 Suites and Apps KMS”
Note: As with Windows 7, and Server 2008 R2, Office 2010 comes with a KMS key already installed, if you have changed the key to a MAK key you can change it back using the Microsoft public KMS keys (see here).
FirePOWER Management Center, will give you a wealth of information on traffic/threats etc. Usually it will tell you what IP the offenders are on, but if you want to know what a USER is doing, then that means you have to look though logs see who had what IP, at what time etc.
So you can install the FirePOWER User Agent on a machine, (this can be a client machine, though I usually put it on a member server). You then tell the the user agent to monitor your active directory server(s) and it keeps a record of which user is where, which it reports back to the FMC for its dashboards and logs.
Note: This is for Version 6.0.0
You will need to create a user in your domain to query AD with, (just a member of domain users is fine). I typically use svc_firepower as the username.
Solution
Your first challenge is to find the software, you would think it would be with the firewalls or the appliance but no!
In the FMC > System > Integration >Identity Sources > User Agent > New Agent > Supply the IP of the server that you are going to install the agent on > OK > Save.
On the DOMAIN CONTROLLER(S) that you will point the agent at, make sure WMI is open on the firewall
On the DOMAIN CONTROLLER(S) that you will point the agent at, run wmimgmt.msc > WMI Control Local > Properties > Security > Root > cimv2 > Security.
Grant your firepower user Remote Enable > Apply > OK.
On the DOMAIN CONTROLLER(S) that you will point the agent at, run comexp.msc > Console root > Computers > My Computer > Properties > COM Security > ‘Launch and Activation Permissions’ Section > Edit Limits.
Grant your FirePOWER account the Remote Launch and Remote Activation permissions > Apply > OK.
On the Default Domain Controllers Group Policy > Computer configuration >Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Manage Auditing and security log >Add in your FirePOWER user.
Note: Allow time for the policy to apply, (or run ‘gpupdate /force‘, or simply force the policy from the GPMC.msc console, (if your domain is 2012)).
On the server/machine that you want to install the agent on, run setup.exe (1), if you run setup.msi (2) then only the agent is installed and it will error if you try and launch it.
Open the agent and add in your domain controllers.
Note: Sometimes, you may have the following problem;
Before on Part One we setup our RANCID and ViewVC server ready to start backing up our devices, now we will look at adding the devices, and automating the backup process.
Solution
To add a Cisco device you need to do TWO things*. Firstly you need to add and entry in the ‘router.db‘ file that lives in the ‘Group’ folder you created back in part one. Secondly you need to add the access details, you do this in the ‘.cloginrc‘ file.
*Note: There’s really three things, but we have already setup the rancid.conf file and created the groups.
I’m going to add my Cisco ASA firewall to the router.db file thats in the Firewalls group.
[box]
nano /usr/local/rancid/var/Firewalls/router.db
[/box]
You enter devices in the following format;
{ip-or-hostname};cisco;up
OR
{ip-or-hostname};cisco;up; LOCATION: {Your test here}
Note: If you have a device that goes down for maintenance, or is retired but you want to retain its config you change the keyword up to down and Rancid wont try and back it up.
REMEMBER: I have Firewalls and a Switches (Groups) created, so I will add in my switch into the Switches router.db file exactly the same as I did above;
For the system to access the remote devices, it needs to know how to gain access, (method}, and a username and password, these are setup in the .cloginrc file. This is the file Rancid uses for Cisco devices if you look in the folder that the file lives in, you will see other login files for other vendors.
[box]
nano /home/rancid/.cloginrc
[/box]
Adding Cisco Device Logins
You will notice (screenshot above, and text below) I’ve used two different methods, the reason I have done this is because the first item (the device on 192.168.100.119) is a Cisco IOS device (it’s actually a CSR1000,) and when I logon as the rancid-user I am ‘automatically’ logged on in enable mode. Cisco ASA Firewalls (like the second entry) only very recently had the ‘auto-enable’ feature added to them (version 9.2(1)) so for older models, you have to login, and then go to enable mode, and then enter a second password. This is why the second entry has two passwords, usually they are the same, but if a specific enable password has been set on the firewall they will NOT be.
[box]
Cisco Router / Switch Example
# You can enter some sensible text here to define the device below
add user {ip-or-hostname} {username}
add password {ip-or-hostname} {password}
add method {ip-or-hostname} {ssh or telnet}
add autoenable {ip-or-hostname} 1
#
Cisco ASA Firewall Example
# You can enter some sensible text here to define the device below
add user {ip-or-hostname} {username}
add password {ip-or-hostname} {password} {enable-password}
add method {ip-or-hostname} {ssh or telnet}
#
[/box]
Now we are pretty much setup, you can test your configuration by running the following command;
[box]
/usr/local/rancid/bin/rancid-run
[/box]
It wont return any output but if you browse to your ViewVC total you ‘should’ now see the configs have been added;
Troubleshooting Rancid
If you do a test run and it appears nothing has happened then you can look at the logs to see what went wrong.
[box]
cd /usr/local/rancid/var/logs/
ls
nano {log-name}
[/box]
Usually it will give you an error that will point you in the right direction, if the file is completely empty, (i.e. a start time and and end time and nothing else). This usually indicates an error in the router.db file.
Scheduling Rancid Backups
This is done with crontab, which means we need to edit it with vi (I don’t like vi either, see the following article for a 2 minute crash course).
And all was well, then a week later I got an email…
One of our teachers is doing a project with MATHS and ICT involving bitcoin. Basically, he has something called BITCOIN CORE WALLET installed and it used to work with the old Firewall.
I’ve installed it on my work laptop and taken it home on my Internet connection & it works fine.
BUT, when I bring it back into school, its failing. When I bypass the Firewall, it also works – so I guess IPS/AMP is blocking something.
The software seems to start and then download/sync “stuff” for bitcoin.
In school it tries and then says “NO block source available“
Google seems to hint towards network issues.
If definitely did work, as the teacher has screen grabs of it working.
Any ideas what could be blocking this ?
Now Bitcoin uses a series of ledgers that update each other around the world, (to make it resilient). So if the FirePOWER was the culprit, then it was either identifying it as a bot, or I had a rule specifically blocking Bitcoin?
Solution
Note: Bitcoin does need TCP port 8883 open, but that didn’t seem to be the problem.
Thankfully on the monitoring tab, as soon as I logged in, the answer was staring me in the face, (I had to change the time frame to last 30 days first).
Not only does it confirm the FirePOWER IDS blocked it, but it also told me which ‘Rule’ it had matched, (PUA-OTHER Bitcoin outbound request attempt). PUA stands for Probably Unwanted Application, in case you were wondering. Edit your IDS policy, and search for ‘Bitcoin’.
I’ll leave the Malware rules alone, but I’ll allow both the PUA-Bitcoin rules, (i.e. set them to ‘Disable’).
Then don’t forget, you need to deploy the new FirePOWER policy and ensure that your access control policy says it’s up to date on all devices, before you test again. If you’re unsure how to do that, see the link I posted above.
Related Articles, References, Credits, or External Links