After a colleague deployed Citrix for a customer the other day, they complained that they had a mac user that was getting certificate errors. They had a publicly signed wildcard certificate, but this user was still having problems.
After I heard a few “tell him to stop using a mac” comments, I said, “I’m using a MacBook here, would you like me to test it?” The URL opened fine in Safari, and the certificate looked good (all green), I was prompted to install the Citrix receiver, and was presented with a session to open, when I did so, I got this;
You have chosen not to trust {Certificate-Name} the issuer of the servers security certificate.
Solution
Head over to https://www.sslchecker.com and put your Citrix URL in and check it, I found this. So I downloaded the two certificates it said I was missing.
Note: For someone who works with certificates, this makes no sense, (as I got to the portal without an error). I had to trust the root CA, and its intermediate CA, (what’s being called a Chain Cert below). But I thought I’d play along to see what happened.
‘Double Click’ each downloaded certificate, then choose ‘Add’, (repeat for each certificate in the chain).
Close any open Citrix receiver sessions, restart you browser, and try again.
Related Articles, References, Credits, or External Links
If you have a Meraki Security device and have enabled ‘Content Filtering’, instead of a nice ‘block-page’ informing you why you are being blocked you may see this;
http://wired.meraki.com:8090
This is happening because your Corporate DNS is resolving ‘wired.meraki.com’ to 54.241.7.184, which you can also see if you look at the URL you are trying to connect to it on port 8090. A quick nmap of that IP will tell you port 8090 is not open, (only port 80 and port 443 are).
This is happening because if you were to use your Meraki Device for DNS forward lookups, it would ‘DNS Doctor’ the return DSN packet and insert its own IP address in there instead. That’s fine but most corporate networks don’t want to use their Meraki devices for DNS forward lookups.
The easiest way to resolve the problem, is with your own corporate DNS servers.
Solution
First you need the inside IP of your Meraki device(s). You can get these from the Meraki Dashboard (Security Devices > Addressing and VLANS). If you browse to that IP, you should se something similar to below;
Armed with that information, go to one of your DNS Servers, and create a new forward lookup zone.
Next > Primary zone > Next > To all DNS Servers… > Next.
Zone Name = wired.meraki.com > Next > Allow only Secure… > Next > Finish.
In the newly created zone, create a ‘New Host (A or AAAA) record.
Enter the Inside IP or your MX device (only) > Add Host > Repeat for each Meraki device, if you have more than one.
Now you will receive a slightly more friendly blocked page.
Related Articles, References, Credits, or External Links
A while ago my colleague was struggling to get into a vCenter server. Normal https (TCP 443) wasn’t letting him in, I knew you could manage the appliance directly, (but I couldn’t remember the port number!) He knew there was an alternate port number, but we didn’t know what it was.
Solution
vCenter Appliance (Direct) Management Port
TCP: 5480
i.e. https://{ip-or-host-name}:5480
vCenter / vSphere Management Port
TCP: 443
i.e. https://{ip-or-host-name}
vCenter / vSphere Alternative Management Port
TCP: 9443
i.e. https://{ip-or-host-name}:9443
Note: You can also connect to the PSC, (Platform Services Controller) If you installed this role on the same appliance. The URL for that is https://{ip-or-host-name}/psc
Related Articles, References, Credits, or External Links
Activation occurs over TCP 80 and 443, so usually this will not trip you up. However if you are on a site with a very restrictive firewall config, then you might want to add the following.
Solution
I’ll break with the norm, and just post the config in its entirety, (just remove the comments in red.)
[box]
!The Firewall needs a domain name of its own.
!
domain-name petenetlive.com
!
!Setup DNS Lookups so the firewall can resolve the FQDNs we are going to use.
!
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
!
!Create objects for each of the activation FQDN's.
!
object network Obj-go.microsoft.com
fqdn go.microsoft.com
object network Obj-wpa.one.microsoft.com
fqdn wpa.one.microsoft.com
object network Obj-crl.microsoft.com
fqdn crl.microsoft.com
object network Obj-wwwtk2test1.microsoft.com
fqdn wwwtk2test1.microsoft.com
object network Obj-wwwtk2test2.microsoft.com
fqdn wwwtk2test2.microsoft.com
object network Obj-db3.sls.microsoft.com
fqdn db3.sls.microsoft.com
!
!Create objects for each of the activation subnets.
!
object network Obj-MS-Activation-Subnet-1
subnet 64.4.0.0 255.255.192.0
object network Obj-MS-Activation-Subnet-2
subnet 65.52.0.0 255.252.0.0
!
!Create an object group that holds all the objects.
!
object-group network Obj-GP-MS-Activation
network-object object Obj-go.microsoft.com
network-object object Obj-wpa.one.microsoft.com
network-object object Obj-crl.microsoft.com
network-object object Obj-wwwtk2test1.microsoft.com
network-object object Obj-wwwtk2test2.microsoft.com
network-object object Obj-db3.sls.microsoft.com
network-object object Obj-MS-Activation-Subnet-1
network-object object Obj-MS-Activation-Subnet-2
!
!Create a service object for the activation ports.
!
object-group service Obj-SVC-MS-Activation tcp
port-object eq www
port-object eq https
!
!Allow the traffic Out (SEE THE WARNING BELOW!)
!
access-list outbound extended permit tcp any object-group Obj-GP-Microsoft-Activation object-group Obj-SVC-MS-Activation
[/box]
Warning: Before Executing the access-list command, make sure the ACL name matches your existing ACL. In the example above I’ve used outbound, See the following article for clarification;
I had a load of Cisco Catalyst 3560 switches that needed ‘ipbase’ licenses adding to them today. I’ve messed about with plenty of ASA license upgrades before, but not switches.
Solution
1. First thing you need is a Cisco PAK, this may be in an email or turn up in a cardboard envelope.
2. Go to http://www.cisco.com/go/license and log in (if you don’t already have a Cisco CCO account you can create one for free). Enter your PAK and select ‘fulfil’.
3. Select ‘All Quantities’ > Next.
4. Enter your product ID and serial number (see below).
To locate your Product ID (PID), and serial number (SN), on the switch issue a ‘show license udi’ command.
5. Accept the agreement > ensure your email address is correct > Submit.
6. Select ‘Download’ to get the license straight away (it will get emailed to you shortly).
Note: If it does not turn up in your email, check your junk email folder, I’m sure Microsoft Outlook does this on purpose!
7. You will have a file with a big long name and a .lic extension. If you want you can copy this onto the switch via TFTP, but let’s keep things simple and use a FAT32 formatted USB drive.
8. Before we start let’s check the license on the switch. I’m running my ipbase license on an evaluation, this is what we are going to add a permanent license for.
[box]
Petes-Switch#show license
Index 1 Feature: ipservices
Period left: 8 weeks 4 days
License Type: Evaluation
License State: Active, Not in Use, EULA not accepted
License Priority: None
License Count: Non-Counted
Index 2 Feature: ipbase
Period left: 7 weeks 5 days
License Type: Evaluation
License State: Active, In Use
License Priority: Low
License Count: Non-Counted
Index 3 Feature: lanbase
Period left: Life time
License Type: Permanent
License State: Active, Not in Use
License Priority: Medium
License Count: Non-Counted
Petes-Switch#
10. Then copy the .lic file to the switches flash memory.
[box]
Mar 30 04:13:18.466: %USBFLASH-5-CHANGE: usbflash0 has been inserted!
Petes-Switch#copy usbflash0: flash:
Source filename []? FDO1818X123_201410200338212345.lic
Destination filename [FDO1818X123_201410200338212345.lic]? {Enter}
Copy in progress...C
1152 bytes copied in 0.041 secs (28098 bytes/sec)
Petes-Switch#
[/box]
11. Install the new license.
[box]
Petes-Switch#license install flash:/FDO1818X123_2014102003382212345.lic
Installing licenses from "flash:/FDO1818X123_2014102003382212345.lic"
Installing...Feature:ipbase...Successful:Supported
1/1 licenses were successfully installed
0/1 licenses were existing licenses
0/1 licenses were failed to install
Petes-Switch#
Mar 30 04:19:35.643: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = c3560x
Next reboot level = ipbase and
License = ipbase
Mar 30 04:19:36.146: %LICENSE-6-INSTALL: Feature ipbase 1.0 was installed in this device.
UDI=WS-C3560X-24T-L:FDO1818X123;
StoreIndex=1:Primary License Storage
Petes-Switch#
[/box]
12. The license wont take effect until you reload the switch.
[box]
Petes-Switch#write mem
Building configuration...
[OK]
Petes-Switch#reload
Proceed with reload? [confirm]{Enter}
Mar 30 04:20:43.104: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload command.
[/box]
13.Post reboot, check and the license should now be permanent.
[box]
Petes-Switch#show license
Index 1 Feature: ipservices
Period left: 8 weeks 4 days
License Type: Evaluation
License State: Active, Not in Use, EULA not accepted
License Priority: None
License Count: Non-Counted
Index 2 Feature: ipbase
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Priority: Medium
License Count: Non-Counted
Index 3 Feature: lanbase
Period left: Life time
License Type: Permanent
License State: Active, Not in Use
License Priority: Medium
License Count: Non-Counted
Petes-Switch#
[/box]
Related Articles, References, Credits, or External Links
VMware View is a big product, deploying it can be daunting, and if you’re not sure what you’re doing it’s pretty easy to deploy ‘misconfigured’, or at the very least not configured as well as it should. I’m going to run though most requirements, but it would seem sensible to break this up into a few different articles.
Solution
Configuring Windows Active Directory for VMware View
1. Before you start, on your domain controller open active directory users and computers (dsa.msc). Create an OU for your View Desktops, also to make administration easier create a separate OU for any linked clones you are going to deploy. In the example below I’ve nested one inside the other to keep my AD neat and tidy.
2. Also whilst in AD users and computers, create some groups, one for ViewUsers, and one for ViewAdministrators. Add in your users to the groups as required.
Note: You can call the groups whatever you like, and have as many different groups as you like.
3. Now connect to your Virtual Center Server, and add the domain ViewAdministrators group to the LOCAL Administrators group on that server.
Installing and configuring VMware View 5
4. Run the installer for VMware Connection Server (there is a x32 and an x64 version, make sure you download the correct one as VMware call the x64 bit version VMware-viewconnectionserver-x86_64-5.0.1-640055.exe, which at first glance looks like a x32 bit file). Accept all the defaults until you see the following screen, and select View Standard Server.
View Standard Server: Select if this is the first Connection Server you are deploying. View Replica Server: Select this if you already have a connection server and you want to copy the configuration from that server, once in operation it just becomes a standard replica server. View Security Server: Usually placed on an edge network or in a DMZ to broker connection requests. View Transfer Server: Only required if your clients are going to use ‘Local Mode’ for their View desktops..
5. Accept all the defaults and finish the installation.
6. Connect to the VMware View administrator console, this is a web connection to https://{Connection-server-name/admin Note: Adobe Flash is required for it to work.
7. The first time you connect it will take you straight to View Configuration > Product Licencing and Usage > Select “Edit Licence” and type/paste in your licence key.
8. To point the connection server to your virtual center server, select View Configuration > Servers > vCenter Server section > Add.
9. Give it the vCenter server name, and a username and password for a user who is a member of your ViewAdministrators group.
Note: If your vCenter server has VMware composer installed this is where you would enable it. At this time I do not, but I will return here later after I’ve installed it when I cover VMware Composer and ‘linked clones’.
Related Articles, References, Credits, or External Links
The ability to administer vCenter via a web browser is nothing new, vCenter has had a web console in previous versions.
vCenter vSphere 4 Web Client (Web Access)
The version with vSphere 5 is much more feature rich. Like the VMware vSphere client it talks directly to the vCenter vSphere API, but unlike previous web access, the component needs to be installed and configured before you can use it.
What the Web Client Can Do
1. Connect to a vSphere vCenter server.
2. Can be used on non Windows machines (VI Client is Windows only).
3. Deploy Virtual Machines (Including deployment from Templates).
Prerequisite: The vCenter server needs to have Adobe Flash installing on it to access the management console.
1. From the vCenter Installer media select “VMware vSphere Web Client (Server) > Install > Follow the on screen prompts.
2. Accept all the defaults, note the secure port number we will be using that later (TCP Port 9443).
3. Once installed > On the vCenter server itself open a browser window > navigate to > https://{servername}:9443/admin-app > Select “Register vCenter Server”.
vSphere Web Client Supported Browsers: Internet Explorer (7 or newer) and Firefox (3.5 or newer), I’ve tried Chrome, it works, but some functionality is lost. (anything that requires the plug in i.e. console connections).
4. Enter the details for the vCenter server > Take note of the URL for your client to access (https://{servername}:9443/vsphere-client) > Register.
5. You will probably be using self signed certificates to tick the box and select “Ignore”.
6. That’s the server configured and ready to go.
Step 2 – Access the vCenter from web client
1. Open a browser window and navigate to https://{servername}:9443/vsphere-client> You may receive a warning about the certificate (because it’s self signed) click to continue > Enter your credentials > Login.
2. The first time you connect it launches the welcome splash screen > tick “Do not show..” and close the window. (Note you can launch it again from the help menu).
Note: If you see this error:
Connection Error
Unable to connect to vCenter Inventory Service –
https://{servername}:10443
Check on the vCenter server to make sure this service is running.
3. You should then be connected, and be able to browse your virtual infrastructure.
4. You can “console” onto your VM’s (Note: will need a plug in installing your browser will prompt you to accept/install).
Related Articles, References, Credits, or External Links
ESXi comes with a self signed certificate, and for most people thats fine, but some clients want to have a ‘Trusted’ certificate on theirs, and have their own PKI infrastructure for issuing them.
Below I will generate a new certificate for my ESXi server using the Active Directory Certificate Services role on Windows Server 2012. Then replace the self signed certificate with my new one.
Solution
Generating a Certificate Request From the ESXi Server
1. Before we start there are a couple of hoops to jump through, and a Windows machine (it does not mater which one), install the following tow pieces of software;
Microsoft Visual C++ 2008 Redistributable Package (x86) and Shining Light Productions installer for OpenSSL x86 version 0.98r (or later)
Accept all the defaults and it should install to C:OpenSSL-Win32 go there, and in the bin directory make a backup of the openssl.cfg file.
2. Open the original openssl.cfg file and delete everything out of it, then paste in the following text, replace the values in red with your own, and save the file.
You will notice rui.csr has been created in the bin directory this is the file you need to request your certificate, if you open the file with Notepad you can copy the text.
Submit the Certificate Request and Get an ESX Certificate From a Windows CA
4. Open the web console of your certificate services server (it needs to be running the Certification Authority Web Enrollment role). The URL is usually http://{servers IP or Name}/Certsrv. Select ‘Request a certificate’.
5. Advanced certificate request.
6. Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
7. Paste in the text from your csr file (with no extra spaces!). Set the Certificate Template to ‘Web Server’ (the default lifetime for the Web Server template is 2 years. If you require longer, I suggest you clone the Web Server Template, change the lifetime and republish it in Active Directory Certificate Services).
8. Base 64 encoded> Download certificate.
9. Save the file as rui.cer and put it in the bin directory.
10. ESX needs the certificate to be in x509 format, so open a command window and execute the following commands;
[box]
cd C:OpenSSL-Win32bin
openssl x509 -in rui.cer -out rui.crt
12. Connect to the ESX host via SSH, and make a backup of the current keys (just in case).
[box]
cd /etc/vmware/ssl
mv rui.crt backup.rui.crt
mv rui.key backup.rui.key
[/box]
13. Using WinSCP copy the rui.crt and the rui.key files from the bin directory, to the /etc/vmware/ssl directory on your ESX host. WARNING: Set the copy type to ‘Text’ or ASCII or you may get some strange results.
14. Then either restart the management agents, or from your SSH session execute the following command;
[box]/sbin/services.sh restart[/box]
15. The simplest way to check is browse to the FQDN or your ESX host (the same name you used as the common name in step 2), and take a look at the certificate.
Related Articles, References, Credits, or External Links
Despite my best efforts to keep working with the VMware VI client, my recent move to a MAC has finally forced me to start using the web client. So when I rebuilt my vCenter this week, I went out of my way to use that.
Note: If you have your vCenter and Platform Services Controller (PSC) separated, the use the following article instead;
I’m assuming you have a default install of vCenter and you have also installed the SSO options (this would be the default). You should also have taken note of the administrator@vsphere.local password you entered when you installed vCenter.
1. Log into the vCenter with the vSphere Web Client, as administrator@vsphere.local
Navigate to Administration > Single Sign On > Configuration > Identity Sources > Select your domain and set it as the default domain.
2. Note: If your domain is not listed (you didn’t add it during the install of vCenter for example), then simply add it first.
3. Users and Groups > Groups > Administrators > Add > Change the domain to yours > Locate the user (or group) > Add > OK.
4. Now you need to grant rights, the simplest way is to grant rights at the vCenter level, and then those rights will cascade down to the Datacenter(s), Clusters, Hosts, and Virtual Machines.
Home > vCenter Servers > Select your vCenter > Manage > Permissions > Add.
5. Select the Administrator role > Add > Select your domain > Locate the users and groups you want to ad > Add > OK.
Related Articles, References, Credits, or External Links
It’s been a while since I had to do this, you used to simply take a number from the token pack, import it into the RSA Authentication Manager, job done. Now the tokens are shipped to you encrypted, you need to register them with RSA, decrypt them, then import them.
Solution
1. The tokens come with the licenses encrypted, on an accompanying CD. Go to the URL specified on the CD.
2. Good job I was alone and had no CD drive! Anyway the two numbers you need to enter on the website to register are;
Token Pack ID: On the sleeve, and on the CD
Confirmation Number : On the CD
3. When you have finished registration you will download a .zip file, save it somewhere sensible.
4. Put the CD in a computer > Run the ‘Run the Token Decryption Utility’ > You will need to give it the .zip file you downloaded and a password.
5. When complete, you will be given two files, an XML file that has all your token information.
6. And a password file, that gives you a password to import the XML file with.
7. Armed with these two files log into the ‘Security Console’ > Administration > SecureID Tokens > Import Tokens Job > Add New.
8. Give the job a name accept all the defaults and browse to the XML file, then copy and paste in the password form the text file and run the import job. Check on the completed tab to make sure it was a success.
Related Articles, References, Credits, or External Links