FSSO FortiGate Single Sign On

FSSO  KB ID 0001786

If you are applying policies with your FortiGate, e.g. web filtering or IPS, then the ability to track actual users rather than IP addresses is advantageous. It’s all very well blocking access to adult material or gambling sites from the corporate network, but most companies want to know WHO is attempting to connect to what, and when.

To do that the firewall needs to learn which users are where. We could make all users actively authenticate to the firewall as they attempt to get on the web, but that does not make for a great user experience; it’s better to passively learn where your users are and what machines they are using, then use that in a policy (let’s not get too far ahead for the moment).

Q. How do we learn where your users are, and what machines they are on?

A. FSSO

To enable FSSO you need to understand the difference between two pieces of software: the FSSO Collector and the FSSO DC Agent. The DC Agent (as the name implies) runs on each of your DCs; it captures logon events and then does DNS lookups to see what machines people are using. The Collector takes the output from one or more DC Agents and collates it for the firewall; it does not have to run on a domain controller (but it can).

I only have one server! Well, that’s OK, both the collector and the agent can be on the same box.

However most networks will have multiple Domain Controllers, so your FSSO topology may look a little more like this.

Or if you have an even larger network, you may want to build in a backup collector(s)

Deploy FSSO

In my small test environment I’m going to put the collector and agent on a single DC. Your first challenge is actually getting the FSSO software. Log into your FortiCloud portal and proceed as if you want to download some FortiGate firmware.

Then, in the version of FortiGate firmware that matches your firewall, you will find an FSSO directory (unless you’re in the dark ages your domain controllers will be x64), so in my case I want FSSO_Setup5.0.0306_x64.exe. That downloads the collector setup, which also includes the DC Agent software (you can download the agent separately if you wish).

Install Collector

Accept the EULA, change the install directory if you don’t want it on the C: Drive > Enter some administrative credentials > Next.

My FortiGate uses LDAPS lookups, so I’m going for Advanced > Next.

Install > When complete, I’m installing the DC Agent on the same server so MAKE SURE ‘Launch DC Agent Install Wizard’ IS ticked, and click Finish.

Warning: Installing a DC Agent will result in the reboot of this DC, (you might want to do the next step out of hours).

Install DC Agent

Accept the defaults > Next > Select the Domain > Next > Select any user(s) you want to be exempt > Next.

Select DC Agent Mode > Next > It will prompt for a reboot, let it do so.

Post reboot launch FortiGate Single Sign On Agent Configuration > And change the password to something memorable, (you will need to enter this onto the FortiGate in a minute).

Register FSSO on FortiGate

Back on the FortiGate > Security Fabric > External Connectors > FSSO Agent on Windows AD.

Give it a sensible name > Enter the IP address and the password you set above > Apply and Refresh > OK.

You will know it’s working because it will give you a green up arrow (it can take a little while, be patient).

Create FSSO Groups

Now you can add groups based on FSSO-learned groups, like so.

Once you have the FSSO groups defined, you can use them in policies. Below I’ve added Domain Users to my default outbound policy.

WARNING: If you have any devices or assets that need access out, you will need to add a new rule to allow them out explicitly before this rule, or their internet access will suddenly stop.

Monitor FSSO Events

To make sure the system is working you can go to Events > User Events > Make sure your user logon activity is getting logged.

Related Articles, References, Credits, or External Links

FSSO Handbook

ADMT (Active Directory Migration Tool) Domain Migration – Part 1

KB ID 0001305

Problem

I’ve not used ADMT for ages, I’ve got a domain migration to do soon, so I thought I’d get on the bench and have a reminder. Although ADMT 3.2 was ‘re-jigged’ to support Server 2012 R2, I’m still going to install it on Server 2008 R2. I’ve got a test domain built to migrate from, and a new domain setup ready to migrate into.

  • Old/Source Domain: olddomain.com
  • Old/Source Domain Controller: Source-DC.olddomain.com
  • New/Target Domain: newdomain.com
  • New/Target Domain Controller: Target-DC.newdomain.com

Solution

ADMT – DNS Setup

The old domain needs to be able to resolve names in the new domain, and the new domain needs to be able to resolve names in the old domain. To achieve this you need to set up ‘Conditional Forwarding’ in each domain for the other one.

Don’t worry if it looks like there’s a problem, as long as the DNS servers can see each other (and there’s no firewall in between blocking TCP and UDP port 53). Just add in the DNS server, give it a while, then re-open the forwarder settings and it should have ‘gone green’.

You can test it’s working by pinging BOTH the old and new domain names, in BOTH domains.

In addition, we want all machines (in both domains) to set their primary DNS suffix to their own domain, and their DNS suffix search list to look for their own domain first, then the other domain. The easiest way to do that is via Group Policy. On a domain controller > Administrative Tools > Group Policy Management Console.

It’s better practice to ‘link’ your policy to the actual OU that your computers are in; to keep things simple (and because I’m lazy) I’m going to link my policy to the root of the domain.

Edit the policy you have just created.

Navigate to;

[box]Computer Configuration > Policies > Administrative Templates > Network > DNS Client > [/box]

Setting: Primary DNS Suffix: Set to current domain.

Setting: DNS Suffix Search List: Set to current domain ‘comma‘ other domain.

Then wait, or force a Group Policy update; to test, visit a machine and issue an ‘ipconfig /all’ command;

Above: you can see both the policies have taken effect.

Repeat the procedure in the new domain, (but the domain names will be the opposite way round) like so;

ADMT – Creating Domain Trust

Both domains need to trust each other for the migration to take place. If you have two simple domains like I do a “two way domain trust” is fine. You would only need a ‘forest-trust‘ if you were migrating from/to root and sub domains for example.

As the name implies, trusts are set up from Administrative Tools > Active Directory Domains and Trusts. You can set up the whole thing from one domain; below I’m creating it in the old domain.

Welcome Screen > Next > Provide the name of the ‘other’ domain > Next > External Trust > Next.

Two Way > Next > Both this domain and the specified domain > Next > Provide administrative credentials for the ‘other’ domain > Next.

Domain wide authentication > Next > Domain wide authentication > Next > Next.

Next > Yes. Confirm outgoing trust > Next > Yes. Confirm incoming trust > Next.

Finish > READ the warning about SID history, we will have to mess about with SID History filtering a bit further on > OK.

This step is not really necessary, (it’s just for peace of mind). I do this in BOTH domains and validate each trust, (so you will do this four times).

Select the trust > Properties > Validate > Type in credentials > OK > Type in Credentials > OK > OK.

ADMT – Users / Admins and Rights Assignment

Create the user that will do all the hard work in the NEW domain. Then add that user to the Domain Admins group (again in the NEW domain).

Username: ADMTAdmin (Can be anything you want, but I’ll refer to this username throughout).

Over in the OLD domain, you won’t be able to add your ADMT user into the domain admins group, you need to add the ADMTAdmin account from the NEW domain into the Builtin\Administrators group on the OLD domain.

Additionally: the ADMTAdmin user needs to have local administrative rights to all the machines in the OLD domain. The easiest way to do that is again with a group policy.

In the OLD domain create a group, (Type: Domain Local)

Group Name: GP-ADMT-Admins, (again you can call it something else if you want).

Add your ADMTAdmin account to this group, (Note: I like to add the domain admin account for the NEW domain as well, though that’s not necessary).

On a domain controller > Administrative Tools > Group Policy Management Console.

Once again: it’s better practice to ‘link’ your policy to the actual OU that your computers are in; to keep things simple (and because I’m lazy) I’m going to link my policy to the root of the domain.

Edit the policy you have just created;

Navigate to;

[box]Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups[/box]

Add Group > Select GP-ADMT-Admins > OK > Add (bottom option) > Administrators > OK.

Setup correctly it should look like this;

To test: on a client, open an administrative command window and run ‘gpresult /R’.

Or the best test is, make sure that the GP-ADMT-Admins group is actually in the local admins group.

ADMT – Database Requirements

OK, a lot of posts say don’t install ADMT/SQL on a domain controller. That’s not strictly true: you can install ADMT and SQL on a domain controller, and in fact that’s what I’m going to do (there are a few commands and extra steps that I will point out below).

You can use full-blown SQL if you like, but it’s just as easy to use SQL Express 2008 SP1 > Download and run > Installation > New SQL Server stand-alone installation or add features to an existing installation.

Accept the defaults > In feature Installation select ‘Database Engine Services’.

Accept the named instance ‘SQLExpress’.

Keep accepting defaults until you get to ‘Server configuration‘ page, add in the ADMTAdmin account.

Then add in your ADMTAdmin account again. (Once again, there’s nothing wrong with adding the domain admin account as well.)

ADMT – Additional SQL Steps For Domain Controllers

Open an administrative command window > and run the following commands;

[box]

NET LOCALGROUP SQLServerMSSQLUser$Target-DC$SQLEXPRESS /ADD
SC SHOWSID MSSQL$SQLEXPRESS
{Copy the SID to the clipboard you will need it in a minute}
MD %SystemRoot%\ADMT\Data
ICACLS %Systemroot%\ADMT\Data /grant *{Paste the SID from above}:F
e.g.
ICACLS %systemroot%\ADMT\Data /grant *S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133:F

[/box]

ADMT – Downloading and Installing ADMT

Download the ADMT software (if that link ever dies, use this one: Download ADMT 3.2). Launch the installer and accept all the defaults until you get to database selection, and use .\SQLEXPRESS

No, we don’t want to import any data from an existing database > Next > Finish.

We can now open the ‘Active Directory Migration Tool’ management console.

In Part Two we will look at SID filtering, set up a password export server, and do some Group Policy work.

Related Articles, References, Credits, or External Links

NA

Cisco IOS – DHCP Helper (DHCP Relay) – IP-Helper Setup

KB ID 0001168 

Problem

Cisco documentation calls this a ‘DHCP Relay’, and uses the command IP-Helper, and I usually call this DHCP Helper, just to confuse everyone. To be fair the term DHCP Relay is an industry standard, it’s not particular to Cisco (as you will see later when I Wireshark the traffic).

So if you are reading this you have a DHCP server and you want to use it to lease addresses to clients that are on a different network segment (layer 2 or layer 3).

To do that you need an agent on the same network segment as the client, listening for DHCP requests; when it receives one it talks to the DHCP server on the client’s behalf and gets the correct address.

Solution

Example 1 Cisco Router

Here we need to lease two different DHCP scopes to two different network segments, R1 will act as the IP-Helper for both of those networks, R2 and R3 will get their IP addresses from the correct DHCP scope.

This works because each (client facing) interface on R1 has an IP-Helper address defined that points to the DHCP server.

So how does it know which scope to lease from? Because the router supplies the IP address of a RELAY AGENT, which is just the IP address of the physical interface that intercepted the DHCP request. When it asks the DHCP server for an address, the server leases one from the scope that matches that range (again, I’ve tracked all this in Wireshark below).

IP-Helper Router Configuration

[box]

R1 Config

!
interface GigabitEthernet0/0
 description Uplink to DHCP Server
 ip address 10.2.2.254 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2/0
 description Uplink to 192_168_2_0
 ip address 192.168.2.1 255.255.255.0
 ip helper-address 10.2.2.10
 negotiation auto
!
interface GigabitEthernet3/0
 description Uplink to 192_168_3_0
 ip address 192.168.3.1 255.255.255.0
 ip helper-address 10.2.2.10
 negotiation auto
!
ip route 0.0.0.0 0.0.0.0 10.2.2.10
!


R2 Config

!
interface GigabitEthernet2/0
 description Uplink to R1
 ip address dhcp
 negotiation auto
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet2/0
!

R3 Config

!
interface GigabitEthernet3/0
 description Uplink to R1
 ip address dhcp
 negotiation auto
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet3/0
!

[/box]

You can see this works because the DHCP server has matching scopes for both network segments. (Yes, one of my test servers is 2003; you’re going to see some Windows XP in a minute!)

Well that’s fine for routers, but what about machines? They send a DHCP Discover just like any other client. I’ve replaced one of the routers with an actual machine.

With its network card set to DHCP you will again get a lease from the correct scope, because the Router brokered it for us.

Back on the DHCP server you can see the lease to the Windows XP machine entered in the current scope leases. It knows the name of the client because (as you will see below) the relay agent (router) passed that information, along with the MAC address of the client, to the DHCP server.

Example 2 Cisco Switches

OK, I did the routers first because I find it easier to explain things at layer 3. Not that you can’t create sub-interfaces on the router, add those sub-interfaces to VLANs and run DHCP relays from them, but in most cases you will be setting up DHCP helpers on switches. Here the principle is the same, but you define the ip helper-address on the VLAN interface (unless it’s a routed port, in which case treat it the same as a router interface). Let’s modernise things a bit, and use a 2012 R2 DHCP server and some Windows 8 clients.

I need to lease addresses from my second scope to clients in VLAN 200 (the other client and the server are in the same VLAN, so that will just work; remember a VLAN is a broadcast domain, and DHCP uses broadcasts).

Here’s the two scopes setup on the 2012 server;

And my client, (DHCP Client in VLAN 200) gets the correct IP.

IP-Helper Switch Configuration (VLANS)

[box]

SW1 Config

interface FastEthernet1/0/1
 description Uplink to DHCP Server
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet1/0/4
 description Uplink 192_168_200_0
 switchport access vlan 200
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet1/0/5
 description Uplink 192_168_100_0
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
!
interface Vlan200
 ip address 192.168.200.1 255.255.255.0
 ip helper-address 192.168.100.10
!

IF YOU HAVE MULTIPLE/FAILOVER IP-HELPERS OR SPLIT SCOPES YOU CAN ADD A SECOND 
ADDRESS LIKE SO;

!
interface Vlan200
 ip address 192.168.200.1 255.255.255.0
 ip helper-address 192.168.100.10
 ip helper-address 192.168.100.15
!

[/box]

Analysing (Packet-Sniffing) DHCP Relay Sequence with Wireshark

Other packet sniffers are available, but I’ve got a soft spot for Wireshark. To show only DHCP traffic you can use the following display filter (Wireshark 3.0 and later call the protocol dhcp rather than bootp, so there the filter is dhcp.option.type == 53):

[box]bootp.option.type == 53[/box]

DHCP works by using four messages, (which I remember using the acronym DORA: Discover, Offer, Request, Acknowledge). If you sniff the traffic on the DHCP server, you can watch this process being brokered by your DHCP Relay Agent.

Discover

Offer

Request

Acknowledge

And just to prove it’s not all ‘smoke and mirrors’, here’s the client with the leased address, showing a matching MAC address, and hostname.
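The relay behaviour explained above (the router writing its interface address into the relay-agent field, and the server picking the scope from that field) and the Discover/Offer exchange it brokers, as an added Python example; this is not Cisco or Windows code and is not from the original article. It models the Example 1 lab with constructed values: a DHCPDISCOVER from a made-up client (MAC 00:0c:29:aa:bb:cc, hostname XP-CLIENT) on 192.168.3.0/24, relayed by R1’s 192.168.3.1 interface to the server at 10.2.2.10, which has scopes for 192.168.2.0/24 and 192.168.3.0/24 only.

```python
"""Model of the DHCP relay (ip helper-address) sequence from this article.
Constructed lab: R1 relays for 192.168.2.0/24 and 192.168.3.0/24 to server
10.2.2.10, which has a scope per client segment but none for 10.2.2.0/24."""
import struct
import ipaddress

BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_HOSTNAME, OPT_MSG_TYPE, OPT_END = 12, 53, 255
DHCPDISCOVER, DHCPOFFER = 1, 2
SERVER_IP = "10.2.2.10"

# scope network -> first address the server hands out (constructed values)
SCOPES = {
    ipaddress.ip_network("192.168.2.0/24"): ipaddress.ip_address("192.168.2.100"),
    ipaddress.ip_network("192.168.3.0/24"): ipaddress.ip_address("192.168.3.100"),
}


def build_discover(xid: int, mac: str, hostname: str) -> bytes:
    """DHCPDISCOVER as it leaves the client NIC: giaddr 0.0.0.0, hops 0."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    zero = b"\x00" * 4
    header = struct.pack(
        BOOTP_FMT,
        1, 1, 6, 0,                 # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
        xid, 0, 0x8000,             # xid, secs, flags (broadcast bit set)
        zero, zero, zero, zero,     # ciaddr, yiaddr, siaddr, giaddr
        chaddr, b"\x00" * 64, b"\x00" * 128,
    )
    options = (bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
               + bytes([OPT_HOSTNAME, len(hostname)]) + hostname.encode()
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


def relay(packet: bytes, relay_if_ip: str) -> bytes:
    """What 'ip helper-address' does on the interface that heard the broadcast
    (RFC 2131 section 4.1): if giaddr is still zero, write that interface's own
    address into it, bump the hop count, then unicast towards the helper."""
    hops = packet[3] + 1
    giaddr = packet[24:28]
    if giaddr == b"\x00" * 4:
        giaddr = ipaddress.ip_address(relay_if_ip).packed
    return packet[:3] + bytes([hops]) + packet[4:24] + giaddr + packet[28:]


def parse(packet: bytes) -> dict:
    """Decode the header fields and TLV options that Wireshark shows for DHCP."""
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    (op, _htype, hlen, hops, xid, _secs, _flags, _ciaddr, yiaddr, _siaddr,
     giaddr, chaddr, _sname, _file) = struct.unpack(BOOTP_FMT, packet[:236])
    options, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:                      # pad octet
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op, "hops": hops, "xid": xid,
        "giaddr": str(ipaddress.ip_address(giaddr)),
        "yiaddr": str(ipaddress.ip_address(yiaddr)),
        "mac": chaddr[:hlen].hex(":"),
        "msg_type": options.get(OPT_MSG_TYPE, b"\x00")[0],
        "hostname": options.get(OPT_HOSTNAME, b"").decode(errors="replace"),
    }


def select_scope(packet: bytes, server_ip: str = SERVER_IP):
    """Server-side scope choice: the relay agent address (giaddr) if set,
    otherwise the segment the request arrived on. None if no scope matches."""
    giaddr = ipaddress.ip_address(packet[24:28])
    key = giaddr if int(giaddr) else ipaddress.ip_address(server_ip)
    return next((net for net in SCOPES if key in net), None)


def build_offer(discover: bytes):
    """DHCPOFFER: same xid/chaddr/giaddr, yiaddr from the matched scope. The
    server unicasts it to giaddr, and the relay hands it on to the client."""
    net = select_scope(discover)
    if net is None:
        return None                              # server drops the request
    header = (bytes([2]) + discover[1:16] + SCOPES[net].packed
              + ipaddress.ip_address(SERVER_IP).packed + discover[24:236])
    return header + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_END])


if __name__ == "__main__":
    disc = build_discover(0x3903F326, "00:0c:29:aa:bb:cc", "XP-CLIENT")
    print("client -> R1    :", parse(disc))
    relayed = relay(disc, "192.168.3.1")          # heard on Gi3/0
    print("R1 -> server    :", parse(relayed))
    print("scope chosen    :", select_scope(relayed))
    print("server -> R1    :", parse(build_offer(relayed)))
    print("no relay, scope :", select_scope(disc))  # None: nothing for 10.2.2.0/24
```

Running it shows hops and giaddr change only on the relayed copy, and that the same Discover sent without a relay matches no scope, which is exactly why the helper address is needed.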

Related Articles, References, Credits, or External Links

NA

GNS3 – Initial Setup, Adding Routers, Hosts, and ASA Firewalls

KB ID 0000927 

NOTE: THIS ARTICLE IS FOR THE OLD VERSION OF GNS3

GO HERE FOR THE NEW ONE

Problem

I dip into GNS3 every so often, (depending on what I’m working on). And each time I install it, I spend just as long remembering how to set it up, as I do using it! So, if for no other reason than I can use this page as a reference in future, here’s how to get it up and running.

Solution

Note: At time of writing the latest version is 8.6.

1. Download GNS3, I accept all the defaults (I actually tick to install SuperPuTTy, as tabbed console windows can be handy when using GNS3). Launch the program, you will be greeted with the following setup wizard. Select Option 1.

Note: You can do the same in future, by going to Edit > Preferences

2. Check that the path to the ‘projects’ and your ‘images’ folder are where you want them to be. The defaults are fine but if you run GNS3 on several machines you might want to choose something like Dropbox > Apply > OK.

3. Option 2.

4. Click Test Settings > Have patience, it can take a couple of minutes > Apply > OK.

Adding Router Images to GNS 3

5. Option 3

Note: You can visit the same section in future by clicking Edit > IOS Images and Hypervisors.

6. Image file > Browse to the image you want to import. Here on GNS3 8.6 you can select the filename.bin file, with older versions you need to extract that file to a filename.image file.

Note: You need to legally download these images from Cisco. This means you need a Cisco CCO account, and a valid support agreement. DO NOT email me and ask for Cisco IOS images, (I will just ignore you!).

7. As mentioned above, it will convert my filename.bin image to an extracted filename.image file > Yes.

8. Set the Router platform and model > In the IDLE PC section click Auto calculation > This can take a while.

Note: You can do this later from the main workspace, and test a range of settings. If you don’t do this your virtual network devices will eat all your CPU power!

9. When complete click Close > Save > Close.

10. You can now add that model of router to the workspace and use it. Repeat for each model of router you want to add.

Adding a Host to GNS3

Having a host machine for your labs is handy; usually you just need to be able to ping or perform tracerts. So you can download a small Linux image from GNS3. There are a few options, but I prefer linux-microcore.

11. Edit > Preferences.


12. Qemu > Qemu Guest > Give it an identifier name (can be anything) > Browse to, and select, the image you downloaded.

13. Save > OK > Apply.

14. You can now drag a Qemu Guest machine onto the workspace and console into it.

Adding a Cisco ASA to GNS3

Yes you can add Cisco PIX as well, but there’s not many of them left in the wild.

15. Edit > Preferences > Qemu > ASA > Give it an identifier name (can be anything) > Set the RAM to 1024 > Set the Qemu options to;

[box]

-vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32

[/box]

Set the Kernel cmd line option to;

[box]

-append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536

[/box]

16. You need two files to run the ASA: an initrd file and a kernel file. You need to create these from a legally obtained copy of the asa843-k8.bin file.

Should you wish to locate these files from a less reputable source, you are looking for asa842-initrd.gz and asa842-vmlinuz; again, don’t email me for them! If you are too stupid to use a search engine, then technical ninjary is not the correct career choice for you.

17. Finally select the vmlinuz file > Open.

18. Save > OK > Apply.

19. You can now drag an ASA onto the workspace and console into it (it takes a while, be patient). When the ASA starts it has all the licenses disabled, to add them you need to change the ASA’s activation key. An ASA Activation key is usually linked to the serial number of the ASA, in this case we don’t have a serial number, (that’s not strictly true, if you check, it’s something like 12345678). So I will publish a working activation key*

*Disclaimer, this will only work on this virtual ASA, and it’s published elsewhere on the Internet, if I receive a request to remove it I will do so.

Another ‘quirk’ is every time you add a new ASA to the workspace, you need to go through this process, if you enter the commands below you can issue a reload and also save the ASA, without the need to re-enter the activation key.

[box]

activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
{This can take 5-10 minutes}
copy running-config startup-config
{Enter}
copy startup-config disk0
{Enter}

[/box]

20. When it comes back up (again, it will take a few minutes) you can check your ASA’s licensed features.

Related Articles, References, Credits, or External Links

Connecting GNS3 to VMware Workstation

Exchange 2010 Service Pack 2 Fails ‘Readiness Checks’

KB ID 0000720

Problem

When attempting to install Service Pack 2 on an Exchange 2010 server, the ‘Readiness Checks’ fail for the Client Access Role:

Client Access Role Prerequisites
Failed
Error:
The 'IIS 6 WMI Compatibility' component is required. Install the component via Server Manager.
Click here for help... http://go.microsoft.com/fwlink/?linkid=30939&l=en&v=ExBPA.14&id=0a71c4f6-68de-40f7-94cf-74b73cbda37b
Error:
The 'Client Certificate Mapping Authentication' component is required. Install the component via Server Manager.
Click here for help... http://go.microsoft.com/fwlink/?linkid=30939&l=en&v=ExBPA.14&id=41a25c5e-0d39-4e55-a1f0-7be885982236
Error:
The 'Directory Browsing' component is required. Install the component via Server Manager.
Click here for help... http://go.microsoft.com/fwlink/?linkid=30939&l=en&v=ExBPA.14&id=41a25c5e-0d39-4e55-a1f0-7be885982236
Error:
The 'HTTP Errors' component is required. Install the component via Server Manager.
Click here for help... http://go.microsoft.com/fwlink/?linkid=30939&l=en&v=ExBPA.14&id=41a25c5e-0d39-4e55-a1f0-7be885982236
Error:
The 'HTTP Logging' component is required. Install the component via Server Manager.
Click here for help... http://go.microsoft.com/fwlink/?linkid=30939&l=en&v=ExBPA.14&id=41a25c5e-0d39-4e55-a1f0-7be885982236
Error:
The 'HTTP Redirection' component is required. Install the component via Server Manager.
Click here for help... http://go.microsoft.com/fwlink/?linkid=30939&l=en&v=ExBPA.14&id=41a25c5e-0d39-4e55-a1f0-7be885982236
Error:
The 'Tracing' component is required. Install the component via Server Manager.
Click here for help... http://go.microsoft.com/fwlink/?linkid=30939&l=en&v=ExBPA.14&id=41a25c5e-0d39-4e55-a1f0-7be885982236
Error:
The 'Request Monitor' component is required. Install the component via Server Manager.
Click here for help... http://go.microsoft.com/fwlink/?linkid=30939&l=en&v=ExBPA.14&id=41a25c5e-0d39-4e55-a1f0-7be885982236
Error:
The 'Static Content' component is required. Install the component via Server Manager.
Click here for help... http://go.microsoft.com/fwlink/?linkid=30939&l=en&v=ExBPA.14&id=41a25c5e-0d39-4e55-a1f0-7be885982236

Solution

There are simply more Windows server roles/components now required for an Exchange server that holds the Client Access Server role.

You can bypass the error by running the update with the ‘/Mode:Upgrade /InstallWindowsComponents’ switch on the end of it like so;

[box]Setup /Mode:Upgrade /InstallWindowsComponents[/box]

Adding required CAS Roles for Exchange SP2 Manually

I prefer to do things myself, so here’s how to add all the roles from PowerShell.

1. All Programs > Accessories > Windows PowerShell > execute the following command;

[box]Import-Module ServerManager[/box]

2. Then execute the following command;

[box]Add-WindowsFeature Web-WMI,Web-Asp-Net,Web-ISAPI-Filter,Web-Client-Auth,Web-Dir-Browsing,Web-Http-Errors,Web-Http-Logging,Web-Http-Redirect,Web-Http-Tracing,Web-Request-Monitor,Web-Static-Content[/box]

3. Then re-run the SP2 setup.

Related Articles, References, Credits, or External Links

NA

Exchange 2000 Install Step by Step

KB ID 0000255

Problem

It’s been so long since I did this, I thought I’d document it this time round, as it’s probably going to be the last time I ever do it.

Solution

Pre – Requisites

1. A server running Windows Server 2000 (Standard or Advanced). It must be a domain member server (it can be a domain controller but that’s not recommended). It must also be able to see a properly configured DNS server.

2. The Server needs to have at least a 166 Mhz processor, have 128MB of RAM and 4GB free disk space.

3. Before you start make sure you have good backups of this server and your active directory.

4. Inspect your server event logs to make sure everything is running cleanly before you start. Consider running netdiag from the Windows 2000 support tools.

5. You will also need a copy of the Server 2000 CD handy.

6. Make sure your server is fully up to date with windows updates.

Step 1 Prepare The Server.

1. IIS is installed with 2000 server by default, you need to add NNTP and SMTP. Start > Run > appwiz.cpl > Add Remove Windows Components > Internet Information Services > Details.

2. Tick NNTP service and SMTP Service > OK > Next > Point at the Windows Server install CD or a local copy of the i386 directory > OK.

3. MS KB 262068 states that one subnet must exist. Click Start > Programs > Administrative Tools > Active Directory Sites and Services > Right click Subnets > New Subnet > Type in the subnet and subnet mask > Select the site to assign the subnet to (Note: By default it will be Default-First-Site-Name) > OK.

Step 2 Extend the Schema

1. Insert the Exchange 2000 CD, Click Start > Run > cmd {Enter}

2. At the command line: D:\setup\i386\setup /forestprep {Enter}

3. At the welcome page click Next > I Agree > Next.

4. Type in the 25 Character Unlock Code > Next > Next > Create New Exchange Organization > Next.

5. Either enter a name for the Exchange organization or accept the default of “First Organization” > Next.

6. Accept the default of the domain administrator (Unless you specifically want to use a different Schema admin account) > Next.

7. The AD schema will be extended; this takes about 5 minutes > When done, click Finish.

Step 3 Extend the Domain

1. Back at the command line: D:\setup\i386\setup /DomainPrep {Enter}

2. At the welcome Page > Next > I Agree > Next.

3. Type in the 25 Character Unlock Code > Next > If you get a security warning click OK.

4. The domain will be prepared; this takes about 1 minute > When done > Finish.

Step 4 Install Exchange 2000

1. Back at the command line: D:\setup\i386\setup.exe {Enter}

2. At the welcome page > Next > I Agree > Next.

3. Type in the 25 Character Unlock Code > Next > Next > Select “I agree that I have read and agree to be bound by the license agreements for this product” > Next.

4. Click Next > Exchange will install > When done > Finish.

5. Reboot the server.

Step 6 – Update

1. Download and install service pack 3.

2. Download and install the “Update roll up for Exchange 2000”.

Step 7 Configure Exchange

1. Launch the Exchange administration console, Start > Programs > Microsoft Exchange System Manager. I like to see the administrative groups and routing groups so right click the top level > Properties > Tick “Display Routing Groups” > Tick “Display administrative groups” > Apply > OK > OK.

2. To ensure your email addresses will be correct > Expand recipients > Recipients policies > Default Policy > Properties > Email address policy. (Note you can add in new domain names to the global policy here as well).

3. Ensure that your public mail records (MX Records) are either pointing directly to the Exchange server, or your corporate router or firewall is passing SMTP (TCP Port 25) traffic to the server.

4. If you send your mail out via an SMTP smart host, add it as follows: Expand “Administrative Groups” > “First Administrative Group” (Note: yours may be named differently) > Servers > {server name} > Protocols > SMTP > Right click the “Default SMTP Virtual Server” > Properties > Delivery tab > Advanced > Enter your smart host (Note: If you don’t know whether you have a smart host, you probably don’t have one).

Step 8 Mail Enable Your Users.

1. Start > Run > dsa.msc {enter}

2. Locate your user(s). Right click them > Exchange Tasks > Next > Create Mailbox > Next > Next > When done click finish.

Related Articles, References, Credits, or External Links

NA

Setup and Configure HP Wireless E-MSM720 Wireless Controller with HP E-MSM430 Access Points

KB ID 0000692 

Problem

We got some ‘demo stock’ in the office this week, I don’t do a lot of wireless, so I thought I would get it setup and have a look to see how easy/difficult it was.

Hardware used

HP E-MSM720 Premium Mobility Controller (J9694A)
HP E-MSM 430 Wireless N Dual Radio Access Point (J9651A)
HP 2915-8G-PoE Switch (J5692A)

The switch and controller are ‘tiny’, so if you want to put them in a cabinet you will need some ‘big brackets’ (or a shelf). I was disappointed that the controller didn’t have PoE on it (hence the reason we were supplied the switch). I was also disappointed the access point didn’t come with a network cable (seriously, these things are pennies, and if a client buys hundreds of these things, someone will forget they also need an equal number of network cables). In addition they are PoE, so you don’t get a power cable (or power injector), so you can’t even power them on without the network cable. That said, all the gear is typical good-quality HP stuff. The documentation consists of a “quick setup sheet” for each piece of hardware, and all the manuals are online. I’m not a fan of manufacturers’ documentation at all, and HP’s is the same as most major vendors’: too long, too complicated and too difficult to find what I’m looking for. I spent half a day reading PDF documents just trying to get the guest network working (a feat I will accomplish below with about three sentences and the same number of pictures!)

Also See: Manually Configuring HP Wireless (MSM 720 controller) for Public and Private Wireless Networks

Solution

Initial Setup E-MSM720 Wireless Controller

1. Connect the controller to your network (Note: Don’t use the two dual personality ports 5 and 6).

2. The controller sets itself up on 192.168.1.1 put yourself on the same network range (see below).

3. Connect to https://192.168.1.1.

4. The MSM720 Default username and password are both admin.

5. Accept the EULA > Skip Registration > Set country > Save > Set the new password > Save.

6. Configure Initial Controller Settings > Start.

7. Set System name > Location > Contact > Login Message > Next > We’ve just set the Password so leave it blank > Next.

8. Enable/disable management interfaces > Next > Configure the network interfaces > Next.

These are allocated as follows, (out of the box!)

And are controlled by these two settings,

9. Set the time and timezone > Next > Apply.

Configure a Corporate WLAN with the E-MSM720 Wireless Controller

10. If not already there, select ‘Automated Workflow’ > Configure a wireless network for employees > Start.

11. Create an SSID > Next > Set the WPA Key > Next.

12. Choose what access points to apply these settings to > Next > Apply.

Note: At this point I had not powered on or touched the access points, so I just selected ‘All’.

Configure a ‘Guest’ WLAN with the E-MSM720 Wireless Controller

I had a nightmare getting this running, until I fully understood the VLAN, IP address and interface allocation, but if you set things up as specified above it will just work.

1. Automated Workflows > Create a wireless network for guests > Start.

2. Create an SSID > Next > Configure guest authentication (or leave open) > Set IP Settings for clients > Next.

3. Select APs to apply to > Next > Apply.

Setup the HP E-MSM 430 Wireless N Dual Radio Access Point

Well, you have already done all the work! Simply connect the AP to a PoE-capable network outlet.

By default the AP is in ‘Controlled’ mode, so it will start looking for a controller as soon as it powers on. It can take a little while to boot (go get a coffee); you will see it appear in the controller’s web interface once it has pulled its configuration down.

Updating Firmware MSM720 and MSM430

Very slick! Update the firmware package on the controller, and it will update all the access points for you.

Final thoughts

This is good quality gear, it has built-in support for IPSEC, SSL, RADIUS and a myriad of other features that you would expect to find on an enterprise class wireless solution. HP might be concerned by their lack of wireless sales, but they could make the experience with these things better by making the web interface easier to navigate, (ask someone who has never used it before to delete a wireless network! – over 90 minutes it took me to locate the VSC bindings section to remove that!) I’ve already mentioned the documentation, I appreciate that it needs to be comprehensive but come on!

Related Articles, References, Credits, or External Links

HP E Series Wireless – Cannot Access Local LAN

Manually Configuring HP Wireless (MSM 720 controller) for Public and Private Wireless Networks


GNS3 – Initial Setup, Adding Routers, Hosts, and ASA Firewalls

KB ID 0001079 

Problem

I dip into GNS3 every so often (depending on what I’m working on), and each time I install it, I spend just as long remembering how to set it up as I do using it! So, if for no other reason than I can use this page as a reference in future, here’s how to get it up and running.

Solution

Note: At time of writing the latest version is 1.3.6

1. Download GNS3, I usually accept all the defaults.

2. Edit > Preferences > Check that the paths to your ‘projects’ and ‘images’ folders are where you want them to be. The defaults are fine, but if you run GNS3 on several machines you might want to choose something like Dropbox > Apply > OK.

Adding Router Images to GNS 3

3. Dynamips > IOS Routers > New > Add in your router images > Follow the instructions.

Note: DON’T email me and ask for router images, go to Cisco and get them legally, (or use Google).

4. Make sure you take the time to calculate the ‘Idle-PC finder’ value for each router, or in large topologies you might quickly eat all your CPU power!

5. Continue adding routers as required.

6. You can now drag a router onto the workspace and power it on.

Adding a Cisco ASA to GNS3

Yes, you can add a Cisco PIX as well, but there aren’t many of them left in the wild.

7. Edit > Preferences > Qemu > Qemu VMs > Add > Set the type to ASA 8.4(2).

8. You need two files to run the ASA: an initrd file and a kernel file. You need to create these from a legally obtained copy of the asa843-k8.bin file.

Should you wish to locate these files from a less reputable source, you are looking for asa842-initrd.gz and asa842-vmlinuz, again don’t email me for them! If you are too stupid to use a search engine, then technical ninjary is not the correct career choice for you.

9. You can now drag an ASA onto the workspace and console into it (it takes a while, be patient). When the ASA starts it has all the licenses disabled; to add them you need to change the ASA’s activation key. An ASA activation key is usually linked to the serial number of the ASA, and in this case we don’t have a serial number, (that’s not strictly true, if you check, it’s something like 12345678). So I will publish a working activation key*

*Disclaimer, this will only work on this virtual ASA, and it’s published elsewhere on the Internet, if I receive a request to remove it I will do so.

Another ‘quirk’ is that every time you add a new ASA to the workspace, you need to go through this process. If you enter the commands below you can issue a reload and also save the ASA, without the need to re-enter the activation key.

[box]

activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
{This can take 5-10 minutes}
copy running-config startup-config
{Enter}
copy startup-config disk0:
{Enter}

[/box]

10. When it comes back up, (again it will take a few minutes), you can check your ASA’s licensed features.

Adding a Host to GNS3

Having a host machine for your labs is handy; usually you just need to be able to ping, or perform tracerts. So you can download a small Linux image from GNS3. There are a few options but I prefer linux-microcode.

11. Edit > Preferences > Qemu > Qemu VMs > Add > Set the type to default.


12. Give it a sensible name.

13. Navigate to, and select the disk image you downloaded above.

14. You can now drag a Qemu Guest machine onto the workspace, and console into it.

Related Articles, References, Credits, or External Links

Connecting GNS3 to VMware Workstation

Set up a PIX Firewall with the PDM

KB ID 0000217

Problem

The following procedure is a complete run-through on setting up a Cisco PIX Firewall (PIX 501, 506, 506E, 515, 515E, 520, 525, or 535) via the HTTPS GUI front end (PDM). Note: the PDM will only work with firewall operating systems BEFORE version 7.x.(x). Therefore PIX platforms that are 515E, 525 or 535 should be running version 7.x(x) or above and should be web managed via the ASDM, unless you are out of support contract and are stuck with the PDM.

This assumes that the PIX has been set to factory defaults. (i.e. the inside IP address is 192.168.1.1, DHCP is enabled inside and https access has been allowed to 192.168.1.0/24). If in doubt perform a factory reset.

Note: the PDM is an OLD piece of technology; if you can’t connect to it from your PC then the culprit is nearly always Java, your version is TOO NEW, use the one in the download section. Also you CAN’T connect through a proxy server, so bypass/disable that as well.

Solution

Related Articles, References, Credits, or External Links

NA

Cisco ISE NFR Appliance Setup

KB ID 0001066

Problem

The Cisco ISE NFR appliance is for demos and test bench use. I’m currently building a test lab for ISE so I spun a copy up. I looked at the associated ReadMe.pdf for instructions on the basic setup, and found a hyperlink to the instructions, that didn’t work! bah.

Solution

The appliance comes as an OVA file for import into vSphere/ESX; I’m assuming you have already imported the appliance.

VMware vSphere – How to Import and Export OVF and OVA Files

1. Default username and password: username admin, password ISEc0ld

Cisco ISE NFR Setup Basic IP Addressing.

2. By default the appliance has an IP address of 10.1.100.21; you can see that at the CLI.

[box]ise/admin# show interface[/box]

3. Or here you can see the IP address in the vSphere console.

4. To change the IP (Note: The ISE appliance has two virtual NICs; I’m just changing the default one’s IP address).

[box]
ise/admin# configure
ise/admin(config)# interface GigabitEthernet 0
ise/admin(config-GigabitEthernet)# ip address 192.168.200.12 255.255.255.0

Enter ‘Y’ to restart the services.

[/box]

[box]
ise/admin(config-GigabitEthernet)# exit
ise/admin(config)# ip default-gateway 192.168.200.1
[/box]

Cisco ISE NFR Set Hostname and DNS Information

6. To change the appliance’s default domain:

[box]
ise/admin(config)# ip domain-name pnltest1.com

Enter ‘Y’ to restart the services.

[/box]

7. To set the DNS server to use for local lookups:

[box]
ise/admin(config)# ip name-server 192.168.200.10

Enter ‘yes’ to restart the services.

[/box]

8. To set the hostname, simply use the following syntax:

[box]ise/admin(config)# hostname ISE-01[/box]

Cisco ISE NFR Set NTP Information

9. To set the timezone:

[box]ise/admin(config)# clock timezone GB[/box]

10. Setting the NTP servers is a little more convoluted. You can have up to three, and two are already configured; if you try to delete the pre-configured ones first it will error. So you need to add one, then delete the two factory ones, then you can add up to another two.

[box]
To Add an NTP Server
ise/admin(config)# ntp server 123.123.123.123

To Remove an NTP Server
ise/admin(config)# no ntp server 123.123.123.123
[/box]

11. As usual NTP can take a while to synchronise, I’d go and have a coffee at this point. To test:

[box]ise/admin(config)# show ntp[/box]
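As an added illustration (not Cisco’s tooling, and not from the original article), a small planner that emits the ISE CLI commands in the order step 10 requires: fill a free slot first, then remove the factory entries, then add the rest. The factory NTP addresses are constructed placeholders, and the rule that a factory server cannot be removed until a user-added one exists is an assumption made to match the ‘it will error’ behaviour described above.

```python
# Added example: plan the ISE 'ntp server' / 'no ntp server' sequence.
# Assumptions (not from the article): max three NTP servers, and a
# factory-configured server can only be removed once at least one
# user-added server is present. Factory addresses are constructed placeholders.
from collections import deque

MAX_NTP_SERVERS = 3
FACTORY_NTP = ["198.51.100.1", "198.51.100.2"]  # placeholders, not the real defaults


def plan_ntp_commands(current, desired, factory=FACTORY_NTP, max_servers=MAX_NTP_SERVERS):
    """Return the ordered CLI commands that move the appliance from `current`
    to `desired` without tripping the add-before-remove quirk."""
    if len(desired) > max_servers:
        raise ValueError(f"ISE accepts at most {max_servers} NTP servers, got {len(desired)}")

    configured = list(current)
    to_add = deque(s for s in desired if s not in configured)
    to_remove = [s for s in configured if s not in desired]
    cmds = []

    # Step 1: use any free slot to add new servers before touching the factory ones.
    while to_add and len(configured) < max_servers:
        s = to_add.popleft()
        cmds.append(f"ntp server {s}")
        configured.append(s)

    # Step 2: remove unwanted entries; a factory entry needs a user-added one present.
    for s in to_remove:
        if s in factory and not any(c not in factory for c in configured):
            raise RuntimeError(f"cannot remove factory NTP server {s} before adding one of your own")
        cmds.append(f"no ntp server {s}")
        configured.remove(s)

    # Step 3: add whatever is left now that slots have been freed.
    for s in to_add:
        cmds.append(f"ntp server {s}")
        configured.append(s)

    return cmds


if __name__ == "__main__":
    # Constructed lab values: replace the two factory entries with three of our own.
    for line in plan_ntp_commands(FACTORY_NTP, ["192.168.200.10", "192.168.200.11", "192.168.200.12"]):
        print(f"ise/admin(config)# {line}")
```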

12. Save your changes.

13. At this point you should be able to get to the web console.

14. Logged in successfully.


Related Articles, References, Credits, or External Links

NA