Setup FTP Server with Windows Server

KB ID 0000342

Problem

You want to Setup FTP on your Windows Server, (and more importantly make it work without disabling the firewall.) Below are the procedure you will need to carry out.

Note: For older Windows Operating systems like Server 2012, click here, or for Server 2008, click here.

Setup FTP Server (Windows Server)

Setup FTP on Windows Server 2012 (Including firewall setup)

 Setup FTP on Windows Server 2008 R2 (Including firewall setup)

Firewall Configuration for FTP on Server 2008 R2 (Included in the Video above).

>

Related Articles, References, Credits, or External Links

NA

Fortigate to Cisco ASA Site to Site VPN

KB ID 0001717

Problem

Continuing with my ‘Learn some Fortigate‘ theme’. One of the basic requirements of any edge firewall is site to site VPN. As the bulk of my knowledge is Cisco ASA it seems sensible for me to work out how to VPN both those firewalls together, like so;

Well that’s the pretty picture, I’m building this EVE-NG so here’s what my workbench topology looks like;

Disclaimer (Read First! Especially before posting any comments!)

Fortinet prides itself on you not needing to use the CLI, (until you actually need to use the CLI of course!) But both ends are configured using the GUI and ASDM. This is designed for the ‘Let’s just make it work, who cares what’s going on under the hood‘ generation. Which means it enables IKEv1 NOT IKEv2 on the Fortigate, and BOTH IKEv1 and IKEv2 gets enabled on the Cisco ASA. Couple that with all the weak Crypto sets that get enabled, because someone might have a hardware firewall from 1981 or something! So in production I’d consider doing things a little more manually. I will post another article on the same subject, but then I’ll make the tunnel as secure as I can, (watch this space). This is an exercise in getting the tunnel up and making it work.

Tech Note: If you just use both wizards it wont work, thankfully I could debug the tunnel on the Cisco ASA to work out why. Fortinet sets all the DH groups to 5, and Cisco sets them all to 2. And Fortinet enables PFS and Cisco don’t. (They do on older versions of the OS, but not on the newer ones).

Create IKE/IPSec VPN Tunnel On Fortigate

From the web management portal > VPN > IPSec Wizard  > Give the tunnel a name > Change the remote device type to Cisco > Next.

Give it the ‘public’ IP of the Cisco ASA > Set the port to the ‘outside’ port on the Fortigate > Enter a pre-shared key, (text string, you will need to enter this on the Cisco ASA as well, so paste it into Notepad or something for later) > Next.

Local interface will be in the ‘inside’ interface on the Fortigate > Enter the local subnet(s) > Enter the remote (behind the ASA) subnet(s) > Next.

Review the settings > Create.

Select IPSec Tunnels > Select the new tunnel  > Edit.

Convert to Custom Tunnel.

Phase 1 Proposal > Edit.

Add in Diffie Hellman Group 2

Phase 2 Selectors > Edit > Advanced > Untick Enable Perfect Forward Secrecy > OK.

Create IKE/IPSec VPN Tunnel On Cisco ASA (ASDM)

Connect to the ASDM > Wizards  > VPN Wizards > Site-to-Site VPN Wizard > Next.

You should already have an object for your Local Network add that in > Then add in a new Network Object for the remote (behind the Fortigate) subnet. MAKE SURE that the new object is selected as the Remote Network > Next.

Enter the Pre-Shared key you used (above)  > Next > Tick to DISABLE NAT > Next > Finish.

Tech Note: Look at all those Ciphers/Hashing/Additional Protocols that are about to be turned on! 🙁 That’s why I work at command line.

Finally you will need to send some traffic over the tunnel to ‘bring it up’.

If you have a problem, see the debugging/troubleshooting links below.

Related Articles, References, Credits, or External Links

Troubleshooting Phase 1 Cisco Site to Site (L2L) VPN Tunnels

Troubleshooting Phase 2 Cisco Site to Site (L2L) VPN Tunnels

Configuring Cisco HSRP

KB ID 0000946 

Problem

Cisco HSRP: Normally your client machines have one route off the network, (their default gateway). But what if that goes down? HSRP aims to solve this problem by assigning a ‘Virtual IP address’ to your default gateway (or default route). So that IP can be shared amongst two or more possible devices (routers, or layer 3 switches).

Above, we have a client 192.168.1.10 that has two possible routes off the network, (.254 and .253). We will setup a virtual IP of .250 and both routers can use that IP, (if they are the active gateway). Below is a brief overview of how to set it up.

Deploy Cisco HSRP

Setting up Cisco HSRP

1. On the first router (Router0), add the standby IP address (192.168.1.250) the ‘1’ denotes the standby group (a number from 0 to 4096). It comes up as standby, then after it has checked (via multicast address 224.0.0.2 on UDP port 1985). It finds no other live HSRP devices using that IP address so it becomes ‘Active’.

[box]

Router0>enable
Router0#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router0(config)#interface GigabitEthernet0/0
Router0(config-if)#standby 1 ip 192.168.1.250
Router0(config-if)#

%HSRP-6-STATECHANGE: GigabitEthernet0/0 Grp 1 state Speak -> Standby

%HSRP-6-STATECHANGE: GigabitEthernet0/0 Grp 1 state Standby -> Active

Router0(config-if)#

[/box]

2. Repeat this on the second Router, this one discovers the ‘Active’ router and sets itself up as ‘Standby’.

[box]

Router1>
Router1>enable
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface GigabitEthernet0/0
Router1(config-if)#standby 1 ip 192.168.1.250
Router1(config-if)#
%HSRP-6-STATECHANGE: GigabitEthernet0/0 Grp 1 state Speak -> Standby

Router1(config-if)#

[/box]

3. You can prove this by running show standby (or do show standby in configure terminal mode).

[box]

Router0

Router0#show standby
GigabitEthernet0/0 - Group 1 (version 2)
State is Active
8 state changes, last state change 00:02:02
Virtual IP address is 192.168.1.250
Active virtual MAC address is 0000.0C9F.F001
Local virtual MAC address is 0000.0C9F.F001 (v2 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.055 secs
Preemption disabled
Active router is local
Standby router is 192.168.1.253
Priority 100 (default 100)
Group name is hsrp-Gig0/0-1 (default)
Router0#

Router1

Router1#show standby
GigabitEthernet0/0 - Group 1 (version 2)
State is Standby
3 state changes, last state change 00:10:44
Virtual IP address is 192.168.1.250
Active virtual MAC address is unknown
Local virtual MAC address is 0000.0C9F.F001 (v2 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.125 secs
Preemption disabled
Active router is 192.168.1.254
Standby router is local
Priority 100 (default 100)
Group name is hsrp-Gig0/0-1 (default)
Router1#

[/box]

4. That is HSRP configured! However there are a few changes you might want to make, for example, what if one router had a 100MB leased line, and the other was a 2MB ADSL line, you would want the fastest one to be in use, (as long as it was up). To achieve that, give the router with the fastest connection a higher priority (you may notice above, that by default the priority is 100). Be aware, even if a router has the highest priority, it wont ‘seize’ the virtual IP, it just sits and waits until it’s available. For our 100MB and 2MB example that’s not good. We would want Router1 to seize the virtual IP as soon as it can. To do that we need to set it to preempt. (Note: This process is called ‘launching a coup’).

[box]

Router1(config)#interface GigabitEthernet0/0
Router1(config-if)#standby 1 priority 105
Router1(config-if)#standby 1 preempt

[/box]

5. At this point it’s important to say, that in our scenario we would also need to setup a virtual IP for the ‘other side’ of the routers (i.e their GigabitEthernet 0/1 interfaces), or the remote client (172.16.1.10) would not be able to return our ‘pings’ or get any traffic back to us. So lets setup a virtual HSRP address on that side as well. Notice I just use another standby group number.

Note: To work the remote host 172.16.1.10 will need its default gateway changing to the HSRP Virtual IP of 172.16.1.250.

[box]

Router0 

Router0(config)#interface GigabitEthernet0/1
Router0(config-if)#standby 2 ip 172.16.1.250
Router0(config-if)#

Router1

Router1(config)#interface GigabitEthernet0/1
Router1(config-if)#standby 2 ip 172.16.1.250
Router1(config-if)#

[/box]

6. Finally we have set Router0 with the highest priority and set it to seize the virtual IP as soon as it can. But what if another interface on Router1 goes down? e.g. If the GigabitEthernet 0/1 interface were to go down, HSRP would not do anything because it’s tracking both the GigabitEthernet 0/0 interfaces, so communications would fail.

To solve the problem we need to tell it which interfaces to ‘Track’. In our example we need to track GigabitEthernet 0/1, if that goes down we need to give the virtual IP address to the standby ‘router’. This works because once we tell it to ‘track’ the GigabitEthernet 0/1 interface, if that were to fail it will DECREMEMT the routers priority by 10. So for Router0 its priority would drop to 95, this is five less than the default value of 100 (on Router1). But Remember, at the moment that fail-over would still fail, unless you allow Router1 to preempt and launch a coup.

[box]

Router0 

Router0(config)#interface GigabitEthernet0/0
Router0(config-if)#standby 1 track GigabitEthernet0/1
Router0(config-if)#

Router1

Router1(config)#interface GigabitEthernet0/0
Router1(config-if)#standby 1 preempt
Router1(config-if)#

[/box]

7. We can see that by running a ‘show standby’ on Router0.

[box]

Router0#show standby
GigabitEthernet0/0 - Group 1 (version 2)
State is Active
7 state changes, last state change 00:00:31
Virtual IP address is 192.168.1.250
Active virtual MAC address is 0000.0C9F.F001
Local virtual MAC address is 0000.0C9F.F001 (v2 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.81 secs
Preemption enabled
Active router is local
Standby router is 192.168.1.253, priority 115 (expires in 7 sec)
Priority 115 (configured 115)
Track interface GigabitEthernet0/1 state Up decrement 10
Group name is hsrp-Gig0/0-1 (default)
GigabitEthernet0/1 - Group 2 (version 2)
State is Active
6 state changes, last state change 00:00:28
Virtual IP address is 172.16.1.250
Active virtual MAC address is 0000.0C9F.F002
Local virtual MAC address is 0000.0C9F.F002 (v2 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.81 secs
Preemption disabled
Active router is local
Standby router is 172.16.1.253
Priority 100 (default 100)
Group name is hsrp-Gig0/1-2 (default)
Router0#

[/box]

Related Articles, References, Credits, or External Links

NA

Cisco ASA Site to Site VPN ‘Using ASDM’

KB ID 0000072

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.

Do the same from command line

Below is a walk-through for setting up one end of a site to site VPN Tunnel using a Cisco ASA appliance – Via the ASDM console. Though if (like me) you prefer using the Command Line Interface I’ve put the commands at the end.

click image for full subnet information

Solution

VPN Setup Procedure carried out on ASDM 6.4

Note: The video above uses IKE v1 and IKE v2, in reality you would choose one or the other, and for IKE v2 both ASA 5500 firewalls need to be running OS 8.4(1) or above.

VPN Setup Procedure carried out on ASDM 5.2

1. Open up the ADSM console. > Click Wizards > VPN Wizard.

2. Select “Site-to-Site VPN” > Next.

3. Enter the Peer IP address (IP of the other end of the VPN tunnel – I’ve blurred it out to protect the innocent) > Select “Pre Shared Key” and enter the key (this needs to be identical to the key at the other end. > Give the tunnel group a name or accept the default entry of its IP address. > Next.

4. Choose the encryption protocol (DES, 3DES, AES-128, AES-192, or AES256), choose the Authentication Method (SHA or MD5), and choose the Diffie Hellman Group (1, 2, 5 or 7). Note the other end must match, this establishes phase 1 of the tunnel. > Next.

5. Now select the Encryption Protocols (DES, 3DES, AES-128, AES-192, or AES256), choose the Authentication method (SHA, MD5 or None). Note this is for phase 2 and will protect the encrypted traffic “In Flight”. > Next.

6. Now you need to specify what traffic to encrypt, on the left hand side enter the network or host details (of what’s behind the ASA you are working on), and on the right hand side the IP address of the network or host that’s behind the other VPN endpoint.  Note the other end should be a mirror image. > Next.

7. Review the Settings (Note I’ve blurred the IP address out again) > Next.

8. Back at the ASDM console commit the settings to the ASA memory, Click File > “Save Running Configuration to Flash.”

ASA 5500 VPN Setup from command line

[box]

object network Site-A-SN
subnet 192.168.1.0 255.255.255.0
object network Site-B-SN
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source static Site-A-SN Site-A-SN destination static Site-B-SN Site-B-SN
access-list outside_1_cryptomap extended permit ip object Site-A-SN object Site-B-SN
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer {Other Ends IP Address}
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group {Other Ends IP Address} type ipsec-l2l
tunnel-group {Other Ends IP Address} ipsec-attributes
ikev1 pre-shared-key 12345678901234567890asdfg

[/box]

ASA 5500 VPN for Version 8.2 and older firewalls

[box]

access-list outside_20_cryptomap extended permit ip 10.254.254.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.254.254.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer {Other Ends IP Address}
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group {Other Ends IP Address} type ipsec-l2l
tunnel-group {Other Ends IP Address} ipsec-attributes
pre-shared-key 12345678901234567890asdfg

[/box]

 

Related Articles, References, Credits, or External Links

Original article written 09/11/09

Troubleshooting Phase 1 Cisco Site to Site (L2L) VPN Tunnels

Troubleshooting Phase 2 Cisco Site to Site (L2L) VPN Tunnels

Cisco ASA AnyConnect VPN ‘Using CLI’

KB ID 0000943

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco FTD running ASA Code.

Also See Cisco ASA AnyConnect VPN ‘Using ASDM’

This procedure was done on Cisco ASA (post) version 8.4, so it uses all the newer NAT commands. I’m also going to use self signed certificates so you will see this error when you attempt to connect.

Solution

1. The first job is to go get the AnyConnect client package(s), download them from Cisco, (with a current support agreement). Then copy them into the firewall via TFTP. If you are unsure how to do that see the following article.

Install and Use a TFTP Server

[box]

Petes-ASA(config)# copy tftp flash

Address or name of remote host [10.254.254.183]? 192.168.80.1

Source filename []?anyconnect-win-4.7.02036-webdeploy-k9.pkg

Destination filename [anyconnect-win-4.7.02036-webdeploy-k9.pkg]? {Enter}

Accessing tftp://192.168.80.1/anyconnect-win-4.7.02036-webdeploy-k9.pkg
.........!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-4.7.02036-webdeploy-k9.pkg...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

4807912 bytes copied in 549.790 secs (8757 bytes/sec)
Petes-ASA(config)#

[/box]

2. Create a ‘pool’ of IP addresses that the ASA will allocate to the remote clients, also create a network object that covers that pool of addresses we will use later.

[box]

Petes-ASA(config)# ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
Petes-ASA(config)# object network OBJ-ANYCONNECT-SUBNET
Petes-ASA(config-network-object)# subnet 192.168.100.0 255.255.255.0

[/box]

3. Enable webvpn, set the package to the one you uploaded earlier, then turn on AnyConnect.

[box]

Petes-ASA(config)# webvpn
Petes-ASA(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
Petes-ASA(config-webvpn)# tunnel-group-list enable
Petes-ASA(config-webvpn)# anyconnect image disk0:/anyconnect-win-4.8.02042-webdeploy-k9.pkg 1 
Petes-ASA(config-webvpn)# anyconnect enable

[/box]

4. I’m going to create a LOCAL username and password, I suggest you do the same, then once you have proved it’s working OK, you can. change the authentication method, (see links below). I’m also going to create an ACL that we will use for split-tunneling in a minute.

[box]

Petes-ASA(config)# username PeteLong password Password123
Petes-ASA(config)# access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0

[/box]

5. Create a group policy, change the values to match your DNS server(s), and domain name accordingly.

[box]

Petes-ASA(config)# group-policy GroupPolicy_ANYCONNECT-PROFILE internal
Petes-ASA(config)# group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
Petes-ASA(config-group-policy)# vpn-tunnel-protocol ssl-client
Petes-ASA(config-group-policy)# dns-server value 10.0.0.10 10.0.0.11
Petes-ASA(config-group-policy)# split-tunnel-policy tunnelspecified
Petes-ASA(config-group-policy)# split-tunnel-network-list value SPLIT-TUNNEL
Petes-ASA(config-group-policy)# default-domain value petenetlive.com

[/box]

6. Create a matching tunnel-group that ties everything together.

[box]

Petes-ASA(config-group-policy)# tunnel-group ANYCONNECT-PROFILE type remote-access
Petes-ASA(config)# tunnel-group ANYCONNECT-PROFILE general-attributes
Petes-ASA(config-tunnel-general)# default-group-policy GroupPolicy_ANYCONNECT-PROFILE
Petes-ASA(config-tunnel-general)# address-pool ANYCONNECT-POOL
Petes-ASA(config-tunnel-general)# tunnel-group ANYCONNECT-PROFILE webvpn-attributes
Petes-ASA(config-tunnel-webvpn)# group-alias ANYCONNECT-PROFILE enable

[/box]

7. Then stop any traffic that is going to, (or coming from) the remote clients from being NATTED.

[box]

Petes-ASA(config)# nat (inside,outside) 2 source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup

[/box]

8. Save the changes.

[box]

PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425

8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config)#

[/box]

9. Give it a test from a remote client.

AnyConnect Commands to Copy and Paste

Simply change the values shown in red;

[box]

!
ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
!
object network OBJ-ANYCONNECT-SUBNET
 subnet 192.168.100.0 255.255.255.0
!
webvpn
enable outside
tunnel-group-list enable
anyconnect image disk0:/anyconnect-win-4.7.02036-webdeploy-k9.pkg 1
anyconnect enable
!
username PeteLong password Password123
!
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.0.0.0
!
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
vpn-tunnel-protocol ssl-client
dns-server value 10.0.0.10 10.0.0.11
wins-server none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value petenetlive.com
!
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
default-group-policy GroupPolicy_ANYCONNECT-PROFILE
address-pool ANYCONNECT-POOL
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
group-alias ANYCONNECT-PROFILE enable
!
nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
!

[/box]

Related Articles, References, Credits, or External Links

Cisco ASA AnyConnect VPN ‘Using ASDM’

AnyConnect: Allow ‘Local’ LAN Access

Cisco AnyConnect – Essentials / Premium Licences Explained

Cisco AnyConnect – PAT External VPN Pool To An Inside Address

AnyConnect (AAA) Authentication Methods

Kerberos Authentication (Cisco ASA)

LDAP Authenticaiton (Cisco ASA)

RADIUS Authentication(Cisco ASA)

Duo 2FA Authentication (Cisco ASA)

Cisco – Testing AAA Authentication (Cisco ASA and IOS)

Office 365: Migrating To Exchange Online

KB ID 0001418

Problem

This is Part-One of a migration from ‘on-premise’ Microsoft Exchange, to Office 365 (Exchange Online). I’m using my spare ‘test domain’ (.co.uk). And I’m using the 5 user E3 Office 365 subscription that the good folk at Microsoft let me have, as part of my MVP benefits.

Note: I’m using Exchange 2016, with a ‘full-hybrid’ migration into Office 365.

Step 1: Pre-Requisites

DNS: You will need access to the DNS records for your public domain, both to ‘prove’ it is your domain, and to divert mail flow, and client requests to Exchange online, rather than your on premise Exchange.

Licenses/Subscription: You need an office 365 subscription, and available licences for all the users you want to migrate. At time of writing the minimum subscription level that includes Exchange Online is E3. (Note that’s not strictly true, you do get Exchange online with E1, but you dont get any office products, so I’ve never seen an E1 licensed migration). You’ll need to have access to Office 365 with a ‘global administrator‘ account.

Backups: Not really a pre-requisite, but how are you going to backup your cloud mailboxes? As far as Microsoft is concerned, your online email gets deleted after its retention period, (amount of time after a user deletes it, i.e. up to 100 days). If your business continuity plan, requires you to keep mail ‘x‘ years, then you will need to think about Azure Backup, or a third party backup solution.

Existing Exchange: Unless you are going to use a third party migration tool, then your on premise Exchange needs to be at Exchange 2010. So if you’re still at Exchange 2007/2003/2000, then you need to either; 1) Upgrade your on-prem Exchange, 2) Do another on-prem migration before you start, or 3) Purchase a third part migration tool. Note: With Exchange 2007 you can add one Exchange 2010 Exchange server, then migrate.

Certificates: You MUST HAVE a certificate on your Exchange that is publicly singed by a third party certificate vendor. There’s no excuse to use self signed certificates these days, (for Exchange). For this exercise I bought a certificate for a year and it cost me less than ten dollars, thats half the price of a one users monthly licence for Office 365? WARNING even with a correctly setup PKI environment with publicly published CRLs etc, your own certificates wont work, and you wont find out what’s wrong, until you have migrated users, and carnage/downtime will ensue! BUY A CERTIFICATE: I’d recommend a wildcard cert for your public mail domain.

 

User UPN’s: I’ve already covered this before in the past, things will be a lot easier, if you change all your users UPN’s to match their Email addresses.

 

For more information, see the following article;

Changing Domain Users’ ‘User Logon Names’ and UPN’s

Step 2: Onsite Preparation

Fail to prepare – prepare to fail.

What most people fail to do is make sure both their AD domain, and existing Exchange is healthy, (just because everything appears to be working, doesn’t mean everything is healthy). Install the latest cumulative update for your on-premise Exchange server ,and dig into the logs to make sure everything is as it should be!

Mailbox Replication Proxy Service

MRS Proxy is at the same solution we use for ‘cross-forest’ mailbox migrations, and your on-prem Exchange will act as the MRS proxy for your mailbox migration. To enable MRS Proxy: Exchange Admin Center > Servers > Virtual Directories > EWS > Edit.

General > Enable MRS Proxy Endpoint > Save

You can also check the service is running, (Windows Key +R > Services.msc {Enter}).

Exchange 2010 Note: If you’re running Exchange 2010, you can enable MRS Proxy with the following PowerShell command;

[box]Set-WebServicesVirtualDirectory -Identity “EWS (Default Web Site)” -MRSProxyEnabled $true -MRSProxyConnections 50[/box]

Azure Active Directory Connector

You can download the Azure AD connector from Microsoft, it can be installed on any member server. It will replicate your users and groups etc, into Office 365. Download and execute the installer > Tick ‘I agree….’ >  Continue.

Use Express Settings.

Note: You would only NOT use Express settings if you only wanted to replicate certain groups or sub domains, or if you wanted to use ADFS, (for example because you already had Azure secured services).

Provide your office 365 logon details > Next.

Provide logon details for your on-premise domain > Next.

You will probably only see your local domain, and it will be flagged ‘Not Added’ that’s fine, below you can see my public domain because it’s already been added to office 365, (I’ll cover that later) > Next.

Tick ‘Exchange hybrid deployment’ > Install.

Read and act on any warnings > Exit.

Note: If, (as above) it asks you to enable the ‘AD Recycle bin’, see the following post;

Windows Server 2016: Active Directory Recycle Bin

It will take a while, (depending on the size of your AD,) to replicate.

After a while you will start to see all your users appear in your office 365 portal, as they are replicated across.

Enable Exchange Hybrid Deployment

Back in Exchange admin Center > Hybrid > Configure > Sign into Office 365.

Once authenticated, notice the URL changes to Exchange online! > Configure.

Click here > Install.

Run.

Next.

I only have one on-premise Exchange server, so that’s selected,( if you had multiple servers, choose the one you want to use) > Next.

Sign in.

Once authenticated > Next.

Full Hybrid > Next.

Enable.

You need to create a ‘text’ record in your public DNS to proceed.

So I’ve jumped on my public DNS host management portal, and created the text record required.

Tick ‘I have created…..’ > Verify > Next.

I dont have any ‘Edge Transport Servers’ > Next.

Again I only have one, if you have multiple CAS servers, select the one you want > Next.

And again for the ‘Send Connector’ select the CAS server that will connect to Office 365 > Next.

Select your certificate. MAKE SURE it has selected a publicly signed one, NOT a self signed one! > Next.

Enter the correct public FQDN for your on-prem Exchange > Next.

Note: This must match either the CN on your certificate, or if it’s a wildcard certificate, the domain must be the same.

Update

Close

So far so good, in Part Two, I’ll add my public domain to my Office 365 account and start migrating some users.

 

Related Articles, References, Credits, or External Links

NA

Windows Folder Redirection

KB ID 0000467 

Problem

Q: What is Folder Redirection?

A: Essentially you can take folders that hold things like your “My documents” or your “Favorites” folder, and put them out on a network server, which is great if you want to back that sort of information up for disaster recovery.

Q: What’s the difference between this and a roaming / roving profile?

A: Folder redirection keeps information on a server and you access it remotely, Roaming profiles are designed to sync that information (and your WHOLE user profile) backwards and forwards to a network share as your users logon and log off.

Q: What folders can be redirected?

A: From Server 2008 onwards, and with Windows 7 clients and above, the following can be redirected.

  • AppData(Roaming)
  • Desktop
  • Start Menu
  • Documents
  • Pictures
  • Music
  • Videos
  • Favorites
  • Contacts
  • Downloads
  • Links
  • Searches
  • Saved Games

Solution

1. On a server create a folder to hold the redirected data, In this case you will notice I’ve called my share Redir$ (The dollar sign just means it’s a hidden share, and can’t be seen if people are network browsing).

Folder Redirection: Permissions for the Root Folder

2. Set the share permissions to Everyone: Full Control (Don’t worry we will secure it with NTFS permissions).

3. On the security tab of the folder click advanced.

4. For Server 2012 / 2016 you should see something like this;

For Server 2008 and older it should look more like this;

5. For server 2012 / 2016 Disable Inheritance and select ‘Convert’.

For 2008 and older, untick “Include Inheritable permissions from this objects parent” > At the warning click “Add”.

6. Select each User in turn (You will need to add the Everyone group) > Then Edit the permissions so that they are as follows.

  • CREATOR OWNER – Full Control (Apply onto: Subfolders and Files Only).
  • System – Full Control (Apply onto: This Folder, Subfolders and Files).
  • Domain Admins – Full Control (Apply onto: This Folder, Subfolders and Files).
  • Everyone – Traverse Folder/Execute File (Apply onto: This Folder Only).
  • Everyone – List Folder/Read Data (Apply onto: This Folder Only).
  • Everyone – Read Attributes (Apply onto: This Folder Only).
  • Everyone – Create Folder/Append Data (Apply onto: This Folder Only).

2012 / 2016

‘Show Advanced Permissions’

2008 and older.

7. Now REMOVE BOTH the entries for USERS > Apply  > OK.

7. On your domain controller open the Group Policy Management Console, (Under Administrative Tools) and either create a new USER policy of edit one that already linked to the users you want to enforce this policy upon.

8. I prefer to create a new policy and call it something sensible so if there’s a problem it’s easy to find in the future.

9. Navigate to:

[box]User Configuration > Policies > Windows Settings > Folder Redirection[/box]

Locate the folder you want to redirect (In this case its just the documents folder) > Right click > Properties.

10. I’m going to redirect all my users documents to the one folder I created earlier, so I will choose basic.

Note: You can choose “Advanced” and redirect different groups folders to different locations.

Enter the path to the root folder AS A UNC PATH, DONT click the browse button and browse to it.

11. I’m going to accept the defaults on the settings tab, the option I’ve highlighted creates the folders with exclusive rights on the folders for the user in question and SYSTEM, so the domain admin had no access (this is OK, it’s the same way user profiles work, you can still back them up).

12. Now as your users log on their folders will be redirected to the share you setup.

Backing up Redirected Folders

13. Even with exclusive rights you can still back this data up:

Related Articles, References, Credits, or External Links

Original Article written 22/06/11

Ubuntu: Setting Up a WordPress Website with LEMP – Part 2

KB ID 0001319 

Problem

Back in part one we deployed the server and setup our database, now we are going to setup our nginx web server, and get it to work with PHP.

Solution

Install NGINX

To get the nginx package installed;

[box]sudo apt install nginx[/box]

Now ensure nginx is set to start automatically with the server, and manually start the service.

[box]

sudo systemctl enable nginx
sudo systemctl start nginx

[/box]

Make sure it’s up and running;

[box]systemctl status nginx[/box]

Now the test if the web server is up and running, get the IP address (ifconfig), and browse to the IP address and you should see the nginx welcome page.

Note: If you get a 403 error, issue a ‘cp index.nginx-debian.html index.html‘ command and try again.

Install PHP7

Run the following command;

[box]sudo apt install php7.0-fpm php7.0-mbstring php7.0-xml php7.0-mysql php7.0-common php7.0-gd php7.0-json php7.0-cli php7.0-curl[/box]

Start the service and check it’s running;

[box]

sudo systemctl start php7.0-fpm
systemctl status php7.0-fpm

[/box]

Now to enable nginx to pass information to the FastCGI server (allows php scripts to be executed outside the web server). Your nginx install should be taking its settings from a configuration file ‘/etc/nginx/sites-enabled/default’.  To make sure execute an ‘nginx -t’ command. We need to edit that file.

Note: Below you will want to change the values in red to match your server, and the values in blue are optional. You can remove all the contents of the existing file and paste in the following.

To Edit;

[box]sudo nano /etc/nginx/sites-enabled/default[/box]

[box]

# Default server configuration

server {
listen 80 default_server;
listen [::]:80 default_server;

# Set The Root Directory for the Entire Website

    root /var/www/html/;

# Adding index.php to the list if you are using PHP

    index index.html index.htm index.nginx-debian.html;

# Add The Server IP Address or FQDN

    server_name 123.123.123.12;

# Auto Remove and re-write .htm from requests (to maintain old back-links)

    rewrite ^(/.*)\.htm(\?.*)?$ $1$2 permanent;

# The following does the WordPress Rewrites for the permalinks

      location / {
        index index.php index.html index.htm;
        try_files $uri $uri/ /index.php?$args;
      }

# Allow the user to Cache Static files for 1 year

      location ~* .(jpg|jpeg|png|gif|ico|css|js)$ {
        expires 365d;
      }

# pass PHP scripts to FastCGI server

     location ~ \.php$ {
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
    include snippets/fastcgi-php.conf;
  }
}

[/box]

Now save and exit the file, make sure its ok by running;

[box]nginx -t[/box]

Providing it says ‘successful’ restart nginx.

[box]sudo systemctl reload nginx[/box]

Testing PHP7 Works

Make sure we are up and running on version 7.

[box]php –version[/box]

Now just to be sure we are going to create a test page,  put in some PHP and make sure it works.

Create a file;

[box]sudo nano /var/www/html/test.php[/box]

Pete in the following;

[box]<?php phpinfo(); ?>[/box]

Save and exit the file, then browse to http://{ip-address}/test.php it should look something like the image below.

It’s considered bad practice to have that file on the server, so lets delete it with the following command;

[box]sudo rm /var/www/html/test.php[/box]

 

That’s us with a fully functioning nginx web server thats processing PHP, in part three we will install WordPress, connect it to the database we made easier, and then you will be ready to start posting.

Related Articles, References, Credits, or External Links

NA

ADMT (Active Directory Migration Tool) Domain Migration – Part 1

KB ID 0001305

Problem

I’ve not used ADMT for ages, I’ve got a domain migration to do soon, so I thought I’d get on the bench and have a reminder. Although ADMT 3.2 was ‘re-jigged’ to support Server 2012 R2, I’m still going to install it on Server 2008 R2. I’ve got a test domain built to migrate from, and a new domain setup ready to migrate into.

  • Old/Source Domain: olddomain.com
  • Old/Source Domain Controller: Source-DC.olddomain.com
  • New/Target Domain: newdomain.com
  • New/Target Domain Controller: Target-DC.newdomain.com

 

Solution

ADMT – DNS Setup

The old domain needs to be able to resolve names in the new domain, and the new domain needs to be able to resolve names in the old domain. To achieve this you need to setup ‘Conditional Forwarding’ in each domain for the other one.

Don’t worry if it looks like there’s a problem as long as the DNS servers can se each other, (and there’s no firewall in-between blocking TCP and UDP port 53). Just add in the DNS server give it a while then re-open the forwarders settings and it should have ‘gone-green’.

You can test it’s working by pinging BOTH the old and new domain names, in BOTH domains.

In addition, we want all machines (in both domains) to set their primary DNS Suffix, to their own domain, and their DNS suffix search list to look for their own domain first, then the other domain. The easiest way to do that is via group policy.  On a domain controller > Administrative Tools > Group Policy Management Console.

It’s better practice to ‘link’ your policy to the actual OU that your computers are in, to keep things simple, (and because I’m lazy) I’m going to link my policy to the root of the domain.

 

Edit the policy you have just created.

Navigate to;

[box]Computer Configuration > Policies > Administrative Templates > Network > DNS Client > [/box]

Setting: Primary DNS Suffix: Set to current domain.

Setting: DNS Suffix Search List: Set to current domain ‘comma‘ other domain.

Then wait or Force a Group Policy Update, to test visit a machine and issue an ‘ipconfig /all‘ command;

Above: you can see both the policies have taken effect.

Repeat the procedure in the new domain, (but the domain names will be the opposite way round) like so;

ADMT – Creating Domain Trust

Both domains need to trust each other for the migration to take place. If you have two simple domains like I do a “two way domain trust” is fine. You would only need a ‘forest-trust‘ if you were migrating from/to root and sub domains for example.

As the name implies Trusts are setup from Administrative tools > Active Directory Domains and Trusts. You can setup the whole thing from one domain, below I’m creating it in the old domain.

Welcome Screen  = Next > Provide the name to the ‘other’ domain > Next > External Trust > Next.

Two Way > Next > Both this domain and the specified domain > Next > Provide administrative credentials for the ‘other’ domain > Next.

Domain wide authentication > Next > Domain wide authentication > Next > Next.

Next > Yes. Confirm outgoing trust > Next > Yes. Confirm incoming trust > Next.

Finish > READ the warning about SID history, we will have to mess about with SID History filtering a bit further on > OK.

This step is not really necessary, (it’s just for peace of mind). I do this in BOTH domains and validate each trust, (so you will do this four times).

Select the trust > Properties > Validate > Type in credentials > OK > Type in Credentials > OK > OK.

ADMT – Users / Admins and Rights Assignment

 Create the user that will do all the hard work in the NEW domain. Then add that user to the domain admins group (again in the NEW domain).

Username: ADMTAdmin (Can be anything you want, but I’ll refer to this username throughout).

Over in the OLD domain, you won’t be able to add your ADMT user into the domain admins group, you need to add the ADMTAdmin account from the NEW domain into the Builtin\Administrators group on the OLD domain.

Additionally: the ADMTAdmin user needs to have local administrative rights to all the machines in the OLD domain. The easiest way to do that is again with a group policy.

In the OLD domain create a group, (Type: Domain Local)

Group Name: GP-ADMT-Admins, (again you can call it something else if you want).

Add your ADMTAdmin account to this group, (Note: I like to add the domain admin account for the NEW domain as well, though that’s not necessary).

On a domain controller > Administrative Tools > Group Policy Management Console.

Once Again: It’s better practice to ‘link’ your policy to the actual OU that your computers are in, to keep things simple, (and because I’m lazy) I’m going to link my policy to the root of the domain.

Edit the policy you have just created;

Navigate to;

[box]Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups[/box]

Add Group > Select GP-ADMT-Admins > OK > Add (bottom option) > Administrators > OK.

Setup correctly it should look like this;

To Test: On a client Open an administrative command window > and run ‘gpresult-R’.

Or the best test is, make sure that the GP-ADMT-Admins group is actually in the local admins group.

ADMT – Database Requirements

OK, a lot of posts say don’t install ADMT/SQL on a domain controller. That’s not strictly true, you can install ADMT and SQL on a domain controller, in fact that’s what Im going to do (there are a few commands and extra steps that I will point out below).

You can you use full blown SQL if you like, but it’s just as easy to use SQL Express 2008 SP1 > Download and run > Instalation > New SQL Server stand-alone installation or add features to an existing installation.

Accept the defaults > In feature Installation select ‘Database Engine Services’.

Accept the named instance ‘SQLExpress’.

Keep accepting defaults until you get to ‘Server configuration‘ page, add in the ADMTAdmin account.

Then add in your ADMTAdmin account again. (Once again theres nothing wrong with adding the domain admin account as well).

ADMT – Additional SQL Steps For Domain Controllers

Open an administrative command window > and run the following commands;

[box]

NET LOCALGROUP SQLServerMSSQLUser$Target-DC$SQLEXPRESS /ADD
SC SHOWSID MSSQL$SQLEXPRESS
{Copy the SID to the clipboard you will need it in a minute}
MD %SystemRoot%\ADMT\Data
ICACLS %Systemroot%\ADMT\Data /grant *{Paste the SID from above}:F
i.e.
ICACLS %systemroot%\ADMT\Data /grant *S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133:F

[/box]

ADMT – Downloading and Installing ADMT

Download the ADMT software, if that link ever dies use this one. Download ADMT 3.2. Launch the installer and accept all the defaults until you get to database selection, use .SQLEXPRESS

No we don’t want to import and data from an existing database > Next > Finish.

We can now open the ‘Active Directory Migration Tool’ management console.

 In Part Two we will look at SID filtering, setup a password export server, and do some group policy work.

Related Articles, References, Credits, or External Links

NA

How To Install Exchange 2016 (Greenfield Site) – Part 2

KB ID 0001302

Problem

Back in Part-One, we looked at all the things to consider before you start to install Exchange 2016. Now we will start installing software, and getting to a point where we can configure Exchange 2016 and carry out some post deployment.

Solution

Your forest functional level needs to be at ‘Windows Server 2008’ before you can install Exchange 2016.

The server you intend to deploy Exchange on, needs to be a domain member server.

To save you any hassle, make sure your intended server is fully updated.

The server needs .Net installing, the versions, (at time of writing ) are;

  • Exchange 2016 CU3 Req.Net 4.5.2 (or greater).
  • Exchange 2016 CU5 Req.Net 4.6.2 (or greater).
  • Exchange 2016 CU6 Req.Net 4.7.2 (or greater).

Exchange 2016 Roles/Features Windows Server 2016

As with previous versions of Exchange there’s a long list of roles and features that needed to be added, open an administrative PowerShell Window and run the following;

[box]

Install-WindowsFeature NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS, Server-Media-Foundation

[/box]

Exchange 2016 Roles/Features Windows Server 2012 (2012 R2)

As with previous versions of Exchange there’s a long list of roles and features that needed to be added, open an administrative PowerShell Window and run the following;

[box]

Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS

[/box]

You will also need to install the ‘Unified Communications Managed API 4.0 Runtime‘ software. Note: Not required if you are only installing the management tools.

Windows Server 2016 Only: You should already have update KB3206632 as we updated the server above, if you skipped that step you need to pre install that update, so update now!

Installing Exchange 2016

If you downloaded the Exchange media as a .iso file mount it and let it autoplay. If you extracted the software run Setup.exe. The first thing it will do is look to see if it has any updates.

Files will get copied over > Next > You will be presented with an introduction > Next.

Accept the EULA > Next > I usually just accept the recommended settings > Next.

Select either Mailbox server, Edge Transport server, or just the management tools > Next > Select the location that you want to install Exchange to > Next.

Note: Although in the example below, I’m using the ‘C:’ drive, for production I would always install Exchange onto a separate volume to the OS.

I usually accept the default organisation name of ‘First Organisation’ you can change it if you with, but choose wisely because you can’t change it once installed > Next > Unless you have a specific requirement to disable the built in malware protection, leave it enabled > Next.

Exchange now does a quick check to make sure it’s happy to progress, you will always get a couple of warnings, if it complains about anything else rectify it and click ‘recheck’, once you are happy click Next.

Setup progress takes ages! Seriously go to lunch at this point > Next > Once completed Ive ticked the box to open the Exchange Admin Center, but nearly every time I’ve done this it fails. Your best bet is to reboot the server, go and have a coffee then come back and open a browser window and navigate to https://{server-FQDN}/ecp 

In Part 3, we will look at post install tasks.

Related Articles, References, Credits, or External Links

How To Install Exchange 2016 (Greenfield Site) – Part 1