There used to be a GPO called “Internet Explorer Maintenance” that let you set your Internet Explorer settings, i.e. proxy server settings, home pages etc.
This has now gone, and has been replaced with a group policy preference.
Solution
From the Group Policy Management Console > Locate the OU containing the USERS you want to link the policy to and create a new policy, then give it a sensible name.
Edit the policy.
Navigate to;
[box]User Configuration > Preferences > Control Panel Settings > Internet Settings[/box]
Select > New > “Internet Explorer {version}”.
Note: Internet Explorer 10 settings will also apply to Internet Explorer 11.
This takes a little bit of getting used to: things underlined in GREEN will be enforced with the policy, things underlined in RED will not be enforced. For each change you make you need to press F5 to make it ‘go green’ (or F6 makes all settings on the current TAB go green).
Manage IE Proxy Settings via GPO
Connections > LAN Settings > Enable ‘Use a proxy server…’ > Put in the proxy IP/Name and port number > Tick bypass proxy server for local addresses > If you need to add proxy exemptions you can go to advanced settings.
Ensure all settings are underlined green before you exit.
Manage IE Home Page(s) Settings via GPO
General Tab > Home Page > Add each new page as a new line.
Note: I like to open Tabs and set each new tab to open the first home page as well.
Again ensure all settings are underlined green before you exit.
Apply > OK > You will see there is now a configuration entry > Close and exit the policy editor.
You can then force a policy update on the OU you have deployed the policy to, or run gpupdate /force on a test client.
You can stack Cisco 3750-X Switches in groups of up to 9 switches, and they can then be managed as one switch. Here I’ve got 2 switches.
Solution
Removing 3750-X Switches Stack Configuration
One of my switches had already been in a stack, so I needed to remove its stack configuration. It thought it was switch 4 in the stack so I issued the following commands;
[box]
Switch(config)# no switch 4 provision
Switch(config)# wr mem
[/box]
Cisco 3750-X Configure Stacking
Don’t connect any stacking cables yet. Decide which switch is going to be the ‘master’, log onto that switch, and issue the following commands;
[box]
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#switch 1 priority 15
Changing the Switch Priority of Switch Number 1 to 15
Do you want to continue?[confirm] {Enter}
New Priority has been set successfully
Switch(config)#do write mem
Building configuration...
[OK]
Switch(config)#do reload
Proceed with reload? [confirm] {Enter}
[/box]
When the switch reloads you will see.
[box]
Waiting for Stack Master Election...
SM: Waiting for other switches in stack to boot...
###############################################################
[/box]
At this point you can connect the stack cables and power on the second switch. With multiple switches connect each stack port one, to the switch below’s stack port two. Then on the last switch connect its stack port one back to stack port two on the top switch, (so there is a ‘ring’.)
If you have more than two switches you can set their priority (as you did above). Priority 15 will always win the ‘elections’ and be the master switch; number the rest accordingly. The default is ‘1’, so if you don’t, the order is worked out based on MAC addresses (which is not good!).
When all the switches are booted, check all is well;
[box]
Switch#show switch
Switch/Stack Mac Address : 74a2.e69a.0c00
H/W Current
Switch# Role Mac Address Priority Version State
----------------------------------------------------------
*1 Master 74a2.e69a.0c00 15 3 Ready
2 Member 204c.9e5f.4000 1 3 Ready
Switch#show ip int brief
Interface IP-Address OK? Method Status Protocol
Vlan1 unassigned YES NVRAM administratively down down
FastEthernet0 unassigned YES NVRAM administratively down down
GigabitEthernet1/0/1 unassigned YES unset down down
GigabitEthernet1/0/2 unassigned YES unset down down
GigabitEthernet1/0/3 unassigned YES unset down down
GigabitEthernet1/0/4 unassigned YES unset down down
{----------------Output Removed For the Sake of Brevity---------------------}
GigabitEthernet1/1/1 unassigned YES unset down down
GigabitEthernet1/1/2 unassigned YES unset down down
GigabitEthernet1/1/3 unassigned YES unset down down
GigabitEthernet1/1/4 unassigned YES unset down down
Te1/1/1 unassigned YES unset down down
Te1/1/2 unassigned YES unset down down
GigabitEthernet2/0/1 unassigned YES unset down down
GigabitEthernet2/0/2 unassigned YES unset down down
GigabitEthernet2/0/3 unassigned YES unset down down
{----------------Output Removed For the Sake of Brevity---------------------}
GigabitEthernet2/1/1 unassigned YES unset down down
GigabitEthernet2/1/2 unassigned YES unset down down
GigabitEthernet2/1/3 unassigned YES unset down down
GigabitEthernet2/1/4 unassigned YES unset down down
Te2/1/1 unassigned YES unset down down
Te2/1/2 unassigned YES unset down down
Switch#
[/box]
Make sure your stack cabling is OK;
[box]
Switch# show switch stack-ports summary
Switch#/ Stack Neighbor Cable Link Link Sync # In
Port# Port Length OK Active OK Changes Loopback
Status To LinkOK
-------- ------ -------- -------- ---- ------ ---- --------- --------
1/1 OK 2 50 cm Yes Yes Yes 1 No
1/2 OK 2 50 cm Yes Yes Yes 1 No
2/1 OK 1 50 cm Yes Yes Yes 1 No
2/2 OK 1 50 cm Yes Yes Yes 1 No
Switch# show switch stack-ring speed
Stack Ring Speed : 32G
Stack Ring Configuration: Full
Stack Ring Protocol : StackWisePlus
Switch#
[/box]
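The checks above can be scripted. This is an added example (not part of the original article) that parses ‘show switch’ and ‘show switch stack-ring speed’ output and reports an unready member, tied priorities, or a ring that is not Full. The function names and the sample text are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample in the format of the 'show switch' and
# 'show switch stack-ring speed' output shown above.
SAMPLE = """\
Switch#  Role    Mac Address     Priority Version  State
----------------------------------------------------------
*1       Master  74a2.e69a.0c00     15      3      Ready
 2       Member  204c.9e5f.4000     1       3      Ready
Stack Ring Configuration: Full
"""

# One member row: [*]number, role, MAC, priority, H/W version, state.
ROW = re.compile(
    r"^\s*\*?(\d+)\s+(Master|Member)\s+([0-9a-fA-F]{4}(?:\.[0-9a-fA-F]{4}){2})"
    r"\s+(\d+)\s+(\d+)\s+(.+?)\s*$", re.M)

def parse_stack(text):
    """Return one dict per stack member row (hypothetical helper)."""
    return [{"num": int(n), "role": role, "mac": mac,
             "priority": int(prio), "state": state}
            for n, role, mac, prio, _ver, state in ROW.findall(text)]

def audit_stack(text):
    """Return a list of findings; an empty list means the stack looks healthy."""
    members, findings = parse_stack(text), []
    masters = [m for m in members if m["role"] == "Master"]
    if len(masters) != 1:
        findings.append(f"expected 1 master, found {len(masters)}")
    for m in members:
        if m["state"] != "Ready":
            findings.append(f"switch {m['num']} state is {m['state']!r}")
    # Equal priorities leave the election to MAC addresses, as the text warns.
    for prio, count in Counter(m["priority"] for m in members).items():
        if count > 1:
            findings.append(f"{count} switches share priority {prio}")
    if masters and masters[0]["priority"] < max(m["priority"] for m in members):
        findings.append("master does not hold the highest priority")
    if not re.search(r"Stack Ring Configuration:\s*Full", text):
        findings.append("stack ring is not Full (check stack cabling)")
    return findings

if __name__ == "__main__":
    print(audit_stack(SAMPLE) or "stack OK")
```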
If you are also using XPS redundant power cables remember that’s only supported for up to four switches, (without an extra XPS-2200 rack power unit). I power off the switches before I fit these.
Why do they have green and yellow ends: If you look on the switch you will see the ‘socket’ is marked with a yellow and a green ‘semi-circle’. That means a green end or a yellow end can be plugged into that socket.
That makes no sense, so anything can plug into anything, why colour code them? That’s because there is a different cable that has a ‘red’ end on it for plugging into an XPS-2200 rack power supply.
Then to test your XPS Power Cables.
[box]
Switch>show env power all
SW PID Serial# Status Sys Pwr PoE Pwr Watts
--- ------------------ ---------- --------------- ------- ------- -----
1A C3KX-PWR-350WAC LIT18410MD4 OK Good Good 350/0
1B Not Present
2A C3KX-PWR-350WAC LIT18410JJ3 OK Good Good 350/0
2B Not Present
Switch#show stack-power neighbors
Power Stack Stack Stack Total Rsvd Alloc Unused Num Num
Name Mode Topolgy Pwr(W) Pwr(W) Pwr(W) Pwr(W) SW PS
-------------------- ------ ------- ------ ------ ------ ------ --- ---
Powerstack-2 SP-PSS Ring 700 320 380 0 2 2
Power Stack Port 1 Port 1 Port 2 Port 2
SW Name Status Neighbor SW:MAC Status Neighbor SW:MAC
-- -------------------- ------ ---------------- ------ ----------------
1 Powerstack-2 Conn 2:204c.9e5f.4000 Conn 2:204c.9e5f.4000
2 Powerstack-2 Conn 1:74a2.e69a.0c00 Conn 1:74a2.e69a.0c00
[/box]
Stack Power Profiles (Setting Up)
Stack Power Modes
Default (Power sharing Mode): All the power from all the power supplies, is aggregated together, and no power is reserved – if a power supply failed there is a chance that there might not be enough power.
Redundant Mode: The power supplied by the largest power supply in the stack, is taken away from the total power output in case there is an outage.
Stand Alone Mode: Stops a switch participating in a power stack completely.
Each mode can be configured to run strict, or non-strict, (with the exception of a stand alone mode).
Strict: If actual power drops below budgeted power, things may get powered down.
Non Strict: Actual power can run above budgeted power, if that extra power is available.
You have two ASA firewalls deployed in Active/Standby failover configuration, and need to upgrade either the operating system or the ASDM. As you already have a high availability solution you do not want any downtime.
Before we start, we need to make sure we know the difference between primary, secondary, active and standby.
From the rear (Active=Green, Standby=Amber)
The Primary and Secondary firewalls are physical firewalls, the primary will always be the primary, and the secondary will always be the secondary. (Unless you manually change the configuration to force things otherwise!).
The Active firewall will be the firewall that’s passing traffic and in operation, and the Standby firewall is sat waiting to take over, each physical firewall can be either active or standby.
Solution
To get updates from Cisco you need to have a valid support agreement for your firewalls and a Cisco CCO account to log in with. (download link)
In this example, I’m going to upgrade both the firewalls from 8.4(5) to 9.1(1), and the ASDM from version 7.1(1) to 7.1(1)-52. When we start, the primary firewall is the active firewall.
In the past I’ve upgraded from 8.2(5) to 8.4(5), and (here) 8.4(5) to 9.1(1). I’ve never had a problem HOWEVER, DO NOT ATTEMPT an upgrade until you have a good backup of the config.
1. First you need to upload the software to the flash memory on BOTH firewalls, you can either connect to the ASA via command line and TFTP them there, or connect to the ASDM and upload them from your PC/Laptop. If you have an AnyConnect XML profile take a backup of that also (I’ve seen them disappear).
[box]
UPLOAD THE OPERATING SYSTEM
Petes-ASA> enable
Password:*********
Petes-ASA#copy tftp flash
Address or name of remote host []? 10.0.0.127
Source filename []? asa911-k8.bin
Destination filename [disk0]? asa911-k8.bin
Accessing tftp://10.1.0.127/asa911-k8.bin.. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<<<<Removed lots for the sake of Space>>>>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:asa911-k8.bin... !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!
<<<<Removed lots for the sake of Space>>>>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
27260928 bytes copied in 49.250 secs (556345 bytes/sec)
UPLOAD THE ASDM SOFTWARE
Petes-ASA#copy tftp flash
Address or name of remote host []? 10.0.0.127
Source filename []? asdm-711-52.bin
Destination filename [disk0]? asdm-711-52.bin
Accessing tftp://10.1.0.127/asdm-711-52.bin.. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<<<<Removed lots for the sake of Space>>>>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:asdm-711-52.bin... !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!
<<<<Removed lots for the sake of Space>>>>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
17790720 bytes copied in 32.200 secs (555960 bytes/sec)
[/box]
Upload via ASDM
Connect to the ASDM > Tools > File Management > File Transfer > Between Local PC and Flash > Navigate to the file(s) on your local machine > Upload.
REMEMBER TO DO THIS FOR BOTH FIREWALLS!
Note: You can copy the file to the standby firewall’s flash memory, from the primary firewall, using the following syntax (though I usually just swap the console cable over!).
2. On the Primary Active Firewall, set the new OS as the default. Below I check to see what file the ASA will boot from, then I change it to the new one, and finally I remove the link to the old file. You don’t need to carry out the last step, but I like to leave things tidy.
[box]
Petes-ASA# show running-config boot system
boot system disk0:/asa845-k8.bin
Petes-ASA# configure terminal
Petes-ASA(config)# boot system disk0:/asa911-k8.bin
Petes-ASA(config)# no boot system disk0:/asa845-k8.bin
Petes-ASA# show running-config boot system
boot system disk0:/asa911-k8.bin
[/box]
3. If you are also upgrading the ASDM, you need to set the new one as the default image.
[box]
Petes-ASA(config)# asdm image disk0:/asdm-711-52.bin
Petes-ASA(config)# show run asdm image
asdm image disk0:/asdm-711-52.bin
no asdm history enable
[/box]
4. Save the changes.
[box]
Petes-ASA(config)# write mem
Building configuration...
Cryptochecksum: e150e036 036082e0 6d054a3d 1c7fd9fa
16257 bytes copied in 3.350 secs (5419 bytes/sec) [OK]
[/box]
5. Whilst still on the primary active firewall, you need to reboot the secondary standby firewall with the following command:
[box]
Petes-ASA(config)# failover reload-standby
YOU MAY SEE A WARNING LIKE THE FOLLOWING - THIS IS OK
************WARNING****WARNING****WARNING********************************
Mate version 9.1(1) is not identical with ours 8.4(5)
************WARNING****WARNING****WARNING********************************
Beginning configuration replication: Sending to mate. End Configuration Replication to mate
Petes-ASA(config)#
[/box]
6. This may take a little while. Remember it has to reboot and, depending on the version you are upgrading to, may need to change some of the config, i.e. in this case of upgrading past 8.3 (and newer) all the NAT rules need to be changed. You can check to see if it’s back online by issuing a ‘show failover’ command (whilst still on the primary firewall). You will know when the secondary firewall is up and ready as you will see ‘Secondary – Standby Ready’.
Note: If you can see the status lights on the standby firewall watch for them to be green,green,amber,green,off (ASA5510).
Warning: Due to the limitations of HTML, your output will be formatted a little differently, you will see the output displayed like this, but the text is the same.
[box]
Petes-ASA(config)# show failover
Failover On Failover unit Primary Failover LAN Interface:
failover Management0/0 (up)
Unit Poll frequency 1 seconds,
holdtime 3 seconds
Interface Poll frequency 3 seconds,
holdtime 15 seconds
Interface Policy 1
Monitored Interfaces 3 of 110 maximum
Version: Ours 8.4(5), Mate 9.1(1)
Last Failover at: 13:25:54 GMT/BST Dec 6 2012
This host: Primary - Active Active time: 350 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(5)) status (Up Sys)
Interface outside (123.123.123.123): Normal (Monitored)
Interface inside (10.0.0.254): Normal (Monitored)
Interface backup (234.234.234.235): Normal (Monitored)
slot 1: ASA-SSM-10 hw/sw rev (1.0/CSC SSM 6.2.1599.0) status (Up/Up)
Logging port IP: 10.0.0.252/24 CSC SSM, 6.2.1599.0, Up
Other host: Secondary - Standby Ready <<<<<< Here we go!
Active time: 326 (sec) slot 0: ASA5510 hw/sw rev (2.0/9.1(1)) status (Up Sys)
Interface outside (123.123.123.124): Normal (Monitored)
Interface inside (10.0.0.249): Normal (Monitored)
Interface backup (234.234.234.234): Normal (Monitored)
slot 1: ASA-SSM-10 hw/sw rev (1.0/CSC SSM 6.3.1172.0) status (Up/Up)
Logging port IP: 10.0.0.248/24
CSC SSM, 6.3.1172.0, Up
Stateful Failover Logical Update Statistics
Link : failover Management0/0 (up)
Stateful Obj xmit xerr rcv rerr
General 1709 0 491 49
sys cmd 58 0 58 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 896 0 244 48
UDP conn 280 0 45 1
ARP tbl 474 0 141 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 1 0
VPN IKEv1 P2 1 0 1 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
User-Identity 0 0 1 0
Logical Update Queue Information Cur Max Total Recv Q: 0 24 2101 Xmit Q: 0 1 2311
Petes-ASA(config)#
[/box]
7. Now you need to force a failover to the secondary firewall, (again do this on the primary active firewall).
[box]
Petes-ASA(config)# no failover active
Petes-ASA(config)#
Switching to Standby
[/box]
8. Now reboot the primary firewall and that should boot to its new operating system.
[box]
Petes-ASA(config)# reload
Proceed with reload? [confirm] {Enter}
[/box]
9. Once complete, log back in and you can make the primary firewall active once more.
[box]
Petes-ASA>
Detected an Active mate Beginning configuration replication from mate.
Petes-ASA>
End configuration replication from mate.
Petes-ASA> en
Password:*********
Petes-ASA# configure terminal
**** WARNING **** Configuration Replication is NOT performed from Standby unit to Active unit. Configurations are no longer synchronized.
Petes-ASA(config)# failover active
Switching to Active
[/box]
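The readiness check from step 6 can be turned into a gate that is run before the forced failover in step 7. This is an added example (not part of the original article) that parses ‘show failover’ output and only reports it safe to issue ‘no failover active’ when this unit is Active, the mate is ‘Standby Ready’ and the mate is running the target version. The function names and the trimmed sample text are assumptions.

```python
import re

# Constructed sample, trimmed from the 'show failover' output format shown in step 6.
SAMPLE = """\
Failover On Failover unit Primary Failover LAN Interface:
failover Management0/0 (up)
Version: Ours 8.4(5), Mate 9.1(1)
This host: Primary - Active Active time: 350 (sec)
Other host: Secondary - Standby Ready
"""

def parse_failover(text):
    """Extract unit roles, states and software versions from 'show failover'."""
    info = {"enabled": bool(re.search(r"^Failover On\b", text, re.M))}
    m = re.search(r"Version: Ours (\S+), Mate (\S+)", text)
    info["ours"], info["mate"] = (m.group(1), m.group(2)) if m else (None, None)
    for key, label in (("this", "This host"), ("other", "Other host")):
        m = re.search(rf"{label}:\s+(Primary|Secondary)\s+-\s+(.*)", text)
        role, rest = (m.group(1), m.group(2)) if m else (None, "")
        # Only the two healthy states are recognised; anything else is "Other".
        state = next((s for s in ("Standby Ready", "Active")
                      if rest.startswith(s)), "Other")
        info[key] = (role, state)
    return info

def safe_to_fail_over(text, target_version):
    """Gate for step 7: return (ok, reasons) before 'no failover active'."""
    info, reasons = parse_failover(text), []
    if not info["enabled"]:
        reasons.append("failover is not enabled")
    if info["this"][1] != "Active":
        reasons.append("this unit is not the active unit")
    if info["other"][1] != "Standby Ready":
        reasons.append("mate is not 'Standby Ready'")
    if info["mate"] != target_version:
        reasons.append(f"mate runs {info['mate']}, expected {target_version}")
    return (not reasons, reasons)

if __name__ == "__main__":
    print(safe_to_fail_over(SAMPLE, "9.1(1)"))
```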