Configuring Cisco HSRP

KB ID 0000946 

Problem

Cisco HSRP: Normally your client machines have one route off the network, their default gateway. But what if that goes down? HSRP (Hot Standby Router Protocol) solves this by assigning a ‘virtual IP address’ to the default gateway (or default route), so that one IP can be shared amongst two or more devices (routers, or layer 3 switches); whichever device is ‘active’ answers for it.

Above, we have a client (192.168.1.10) that has two possible routes off the network (.254 and .253). We will set up a virtual IP of .250 that both routers can answer for (whichever is the active gateway at the time). Below is a brief overview of how to set it up.

Deploy Cisco HSRP

Setting up Cisco HSRP

1. On the first router (Router0), add the standby IP address (192.168.1.250). The ‘1’ denotes the standby group (a number from 0 to 255 for HSRP version 1, or 0 to 4095 for version 2). The router passes through the listen and speak states while it checks for other group members (hellos go to multicast address 224.0.0.2 on UDP port 1985 for version 1, or 224.0.0.102 for version 2). It finds no other live HSRP device using that group and IP address, so it becomes ‘Active’.

[box]

Router0>enable
Router0#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router0(config)#interface GigabitEthernet0/0
Router0(config-if)#standby 1 ip 192.168.1.250
Router0(config-if)#

%HSRP-6-STATECHANGE: GigabitEthernet0/0 Grp 1 state Speak -> Standby

%HSRP-6-STATECHANGE: GigabitEthernet0/0 Grp 1 state Standby -> Active

Router0(config-if)#

[/box]

2. Repeat this on the second router; this one discovers the ‘Active’ router and sets itself up as ‘Standby’.

[box]

Router1>
Router1>enable
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface GigabitEthernet0/0
Router1(config-if)#standby 1 ip 192.168.1.250
Router1(config-if)#
%HSRP-6-STATECHANGE: GigabitEthernet0/0 Grp 1 state Speak -> Standby

Router1(config-if)#

[/box]

3. You can prove this by running ‘show standby’ (or ‘do show standby’ from configure terminal mode).

[box]

Router0

Router0#show standby
GigabitEthernet0/0 - Group 1 (version 2)
State is Active
8 state changes, last state change 00:02:02
Virtual IP address is 192.168.1.250
Active virtual MAC address is 0000.0C9F.F001
Local virtual MAC address is 0000.0C9F.F001 (v2 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.055 secs
Preemption disabled
Active router is local
Standby router is 192.168.1.253
Priority 100 (default 100)
Group name is hsrp-Gig0/0-1 (default)
Router0#

Router1

Router1#show standby
GigabitEthernet0/0 - Group 1 (version 2)
State is Standby
3 state changes, last state change 00:10:44
Virtual IP address is 192.168.1.250
Active virtual MAC address is unknown
Local virtual MAC address is 0000.0C9F.F001 (v2 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.125 secs
Preemption disabled
Active router is 192.168.1.254
Standby router is local
Priority 100 (default 100)
Group name is hsrp-Gig0/0-1 (default)
Router1#

[/box]

4. That is HSRP configured! However, there are a few changes you might want to make. For example, what if one router had a 100Mb leased line and the other a 2Mb ADSL line? You would want the fastest one in use (as long as it was up). To achieve that, give the router with the fastest connection a higher priority (you may notice above that the default priority is 100). Be aware that even if a router has the highest priority it won’t ‘seize’ the virtual IP by default; it just sits and waits until the active router goes away. For our 100Mb and 2Mb example that’s not good: we want Router0 (the one on the leased line) to take the virtual IP as soon as it can, so we also set it to preempt. (Note: the message a preempting router sends is called a ‘coup’.) One security caveat: an HSRP group is not authenticated by default (the authentication string carried in every hello is clear text and defaults to ‘cisco’), so any host on that segment could join the election with a higher priority and preempt; on production kit add ‘standby 1 authentication md5 key-string <your-key>’ to every member of the group.

[box]

Router0(config)#interface GigabitEthernet0/0
Router0(config-if)#standby 1 priority 105
Router0(config-if)#standby 1 preempt

[/box]

5. At this point it’s important to say that in our scenario we would also need to set up a virtual IP on the ‘other side’ of the routers (i.e. their GigabitEthernet 0/1 interfaces), or the remote client (172.16.1.10) would not be able to return our ‘pings’ or get any traffic back to us. So let’s set up a virtual HSRP address on that side as well. Notice I just use another standby group number.

Note: For this to work the remote host 172.16.1.10 will need its default gateway changing to the HSRP virtual IP of 172.16.1.250.

[box]

Router0 

Router0(config)#interface GigabitEthernet0/1
Router0(config-if)#standby 2 ip 172.16.1.250
Router0(config-if)#

Router1

Router1(config)#interface GigabitEthernet0/1
Router1(config-if)#standby 2 ip 172.16.1.250
Router1(config-if)#

[/box]

6. So far we have given Router0 the highest priority and set it to seize the virtual IP as soon as it can. But what if another interface on Router0 goes down? If its GigabitEthernet 0/1 interface failed, HSRP group 1 would not do anything, because a group only watches the interface it is configured on (GigabitEthernet 0/0 on each router); Router0 would stay active with no path to the far side, so communications would fail.

To solve the problem we tell the group which interfaces to ‘track’. In our example we track GigabitEthernet 0/1; if that goes down we want the virtual IP handed to the standby router. This works because, once the group tracks GigabitEthernet 0/1, a failure of that interface DECREMENTS the router’s priority by 10 (the default; you can specify a different value on the track command). So Router0’s priority would drop from 105 to 95, five less than the default of 100 on Router1. But remember, at the moment that fail-over would still not happen: an active router keeps the address however low its priority falls, until the standby is allowed to preempt and ‘launch a coup’. So we also let Router1 preempt.

[box]

Router0 

Router0(config)#interface GigabitEthernet0/0
Router0(config-if)#standby 1 track GigabitEthernet0/1
Router0(config-if)#

Router1

Router1(config)#interface GigabitEthernet0/0
Router1(config-if)#standby 1 preempt
Router1(config-if)#

[/box]
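To make the election rules from steps 4 and 6 concrete, here is an added example (written for this page, not Cisco’s code and not from the original article). It models priority, preempt and interface tracking for Router0/Router1 and also encodes and decodes the HSRPv1 hello packet that carries those values on the wire, so you can see what the ‘cisco’ default authentication string actually looks like. The router names and addresses are the article’s; the sample packet is constructed.

```python
"""Model of the HSRP election rules walked through in steps 4 and 6 (priority, preempt,
interface tracking), plus an encoder/decoder for the HSRPv1 hello that carries those
fields on the wire.  Added example: not Cisco's code and not from the original article."""
import struct
from dataclasses import dataclass

# HSRPv1 packet (RFC 2281): 20 bytes, sent to 224.0.0.2 on UDP port 1985.
# HSRPv2, which the 'show standby' output above reports, uses a TLV layout and 224.0.0.102
# instead; the fields are the same ones, so the v1 layout is used here for brevity.
HSRP_FMT = "!BBBBBBBB8s4s"
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
DEFAULT_AUTH = b"cisco"  # the well-known clear-text default; provides no protection


@dataclass
class HsrpHello:
    version: int
    opcode: int
    state: int
    hellotime: int
    holdtime: int
    priority: int
    group: int
    authdata: bytes
    virtual_ip: str


def decode_hsrp(payload: bytes) -> HsrpHello:
    """Parse the UDP payload of an HSRPv1 packet."""
    size = struct.calcsize(HSRP_FMT)
    if len(payload) < size:
        raise ValueError("truncated HSRP packet")
    ver, op, st, hello, hold, prio, grp, _reserved, auth, vip = struct.unpack(HSRP_FMT, payload[:size])
    return HsrpHello(ver, op, st, hello, hold, prio, grp,
                     auth.rstrip(b"\x00"), ".".join(str(b) for b in vip))


def encode_hsrp(h: HsrpHello) -> bytes:
    """Inverse of decode_hsrp; struct pads the 8-byte auth field with NULs."""
    vip = bytes(int(octet) for octet in h.virtual_ip.split("."))
    return struct.pack(HSRP_FMT, h.version, h.opcode, h.state, h.hellotime,
                       h.holdtime, h.priority, h.group, 0, h.authdata, vip)


def uses_default_auth(h: HsrpHello) -> bool:
    """True if the group still runs the default key, i.e. anything on the segment can join
    the election.  Fix: 'standby <group> authentication md5 key-string <key>' on all members."""
    return h.authdata == DEFAULT_AUTH


@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100        # 'standby 1 priority N'; 100 if not set
    preempt: bool = False      # 'standby 1 preempt'
    tracked_up: bool = True    # state of the interface named in 'standby 1 track ...'
    track_decrement: int = 10  # default decrement applied while that interface is down

    def effective_priority(self) -> int:
        return self.priority - (0 if self.tracked_up else self.track_decrement)


def _rank(r: Router):
    # Higher priority wins; a tie goes to the higher interface IP address.
    return (r.effective_priority(), tuple(int(o) for o in r.ip.split(".")))


def elect_active(active, routers):
    """Return the router that ends up holding the virtual IP.

    With no active router the best-ranked one wins.  An active router keeps the address even
    when a better candidate exists, unless that candidate has preempt set, in which case it
    sends a Coup and takes over.  Tracking only changes the numbers fed into this rule."""
    best = max(routers, key=_rank)
    if active is None or active not in routers:
        return best
    if best is not active and best.preempt and _rank(best) > _rank(active):
        return best
    return active


# Constructed sample: a hello from an Active router in group 1, priority 100, hello 3 s,
# hold 10 s, default authentication, virtual IP 192.168.1.250.
SAMPLE_HELLO = struct.pack(HSRP_FMT, 0, 0, 16, 3, 10, 100, 1, 0, b"cisco", bytes([192, 168, 1, 250]))

if __name__ == "__main__":
    hello = decode_hsrp(SAMPLE_HELLO)
    print(hello, "default auth:", uses_default_auth(hello))
    r0 = Router("Router0", "192.168.1.254", priority=105, preempt=True)
    r1 = Router("Router1", "192.168.1.253")
    active = elect_active(None, [r0, r1])
    r0.tracked_up = False            # Gig0/1 on Router0 goes down: priority 105 -> 95
    print("without preempt on Router1:", elect_active(active, [r0, r1]).name)
    r1.preempt = True
    print("with preempt on Router1:   ", elect_active(active, [r0, r1]).name)
```

Run it as a script to see the two outcomes from step 6: with Router0’s tracked interface down, Router1 only takes over once it has preempt set. Feed `decode_hsrp` the UDP payload from a capture on port 1985 to check whether a live group is still using the default authentication string.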

7. We can see the result by running ‘show standby’ on Router0: for group 1 preemption is now enabled, the tracked interface and its decrement are listed, and group 2 (the 172.16.1.x side) is also active on this router.

[box]

Router0#show standby
GigabitEthernet0/0 - Group 1 (version 2)
State is Active
7 state changes, last state change 00:00:31
Virtual IP address is 192.168.1.250
Active virtual MAC address is 0000.0C9F.F001
Local virtual MAC address is 0000.0C9F.F001 (v2 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.81 secs
Preemption enabled
Active router is local
Standby router is 192.168.1.253, priority 100 (expires in 7 sec)
Priority 105 (configured 105)
Track interface GigabitEthernet0/1 state Up decrement 10
Group name is hsrp-Gig0/0-1 (default)
GigabitEthernet0/1 - Group 2 (version 2)
State is Active
6 state changes, last state change 00:00:28
Virtual IP address is 172.16.1.250
Active virtual MAC address is 0000.0C9F.F002
Local virtual MAC address is 0000.0C9F.F002 (v2 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.81 secs
Preemption disabled
Active router is local
Standby router is 172.16.1.253
Priority 100 (default 100)
Group name is hsrp-Gig0/1-2 (default)
Router0#

[/box]

Related Articles, References, Credits, or External Links

NA

ADMT (Active Directory Migration Tool) Domain Migration – Part 1

KB ID 0001305

Problem

I’ve not used ADMT for ages, I’ve got a domain migration to do soon, so I thought I’d get on the bench and have a reminder. Although ADMT 3.2 was ‘re-jigged’ to support Server 2012 R2, I’m still going to install it on Server 2008 R2. I’ve got a test domain built to migrate from, and a new domain setup ready to migrate into.

  • Old/Source Domain: olddomain.com
  • Old/Source Domain Controller: Source-DC.olddomain.com
  • New/Target Domain: newdomain.com
  • New/Target Domain Controller: Target-DC.newdomain.com

 

Solution

ADMT – DNS Setup

The old domain needs to be able to resolve names in the new domain, and the new domain needs to be able to resolve names in the old domain. To achieve this you need to setup ‘Conditional Forwarding’ in each domain for the other one.

Don’t worry if it looks like there’s a problem; as long as the DNS servers can see each other (and there’s no firewall in between blocking TCP and UDP port 53), just add in the DNS server, give it a while, then re-open the forwarder settings and it should have ‘gone green’.

You can test it’s working by pinging BOTH the old and new domain names, in BOTH domains.

In addition, we want all machines (in both domains) to set their primary DNS suffix to their own domain, and their DNS suffix search list to look for their own domain first, then the other domain. The easiest way to do that is via group policy. On a domain controller > Administrative Tools > Group Policy Management Console.

It’s better practice to ‘link’ your policy to the actual OU that your computers are in, to keep things simple, (and because I’m lazy) I’m going to link my policy to the root of the domain.

 

Edit the policy you have just created.

Navigate to;

[box]Computer Configuration > Policies > Administrative Templates > Network > DNS Client > [/box]

Setting: Primary DNS Suffix: Set to current domain.

Setting: DNS Suffix Search List: Set to current domain ‘comma‘ other domain.

Then wait or Force a Group Policy Update, to test visit a machine and issue an ‘ipconfig /all‘ command;

Above: you can see both the policies have taken effect.

Repeat the procedure in the new domain, (but the domain names will be the opposite way round) like so;

ADMT – Creating Domain Trust

Both domains need to trust each other for the migration to take place. If you have two simple domains like I do a “two way domain trust” is fine. You would only need a ‘forest-trust‘ if you were migrating from/to root and sub domains for example.

As the name implies Trusts are setup from Administrative tools > Active Directory Domains and Trusts. You can setup the whole thing from one domain, below I’m creating it in the old domain.

Welcome Screen  = Next > Provide the name to the ‘other’ domain > Next > External Trust > Next.

Two Way > Next > Both this domain and the specified domain > Next > Provide administrative credentials for the ‘other’ domain > Next.

Domain wide authentication > Next > Domain wide authentication > Next > Next. (Selective authentication is the tighter choice, but it means granting ‘Allowed to authenticate’ on each computer the other domain’s accounts need to reach; for a short-lived migration trust, domain-wide is the usual pick.)

Next > Yes. Confirm outgoing trust > Next > Yes. Confirm incoming trust > Next.

Finish > READ the warning about SID history, we will have to mess about with SID History filtering a bit further on > OK.

This step is not really necessary, (it’s just for peace of mind). I do this in BOTH domains and validate each trust, (so you will do this four times).

Select the trust > Properties > Validate > Type in credentials > OK > Type in Credentials > OK > OK.

ADMT – Users / Admins and Rights Assignment

Create the user that will do all the hard work in the NEW domain. Then add that user to the domain admins group (again in the NEW domain).

Username: ADMTAdmin (Can be anything you want, but I’ll refer to this username throughout).

Over in the OLD domain, you won’t be able to add your ADMT user into the Domain Admins group (it’s a global group, so it can’t contain accounts from another domain); instead, add the ADMTAdmin account from the NEW domain into the Builtin\Administrators group on the OLD domain.

Additionally: the ADMTAdmin user needs to have local administrative rights to all the machines in the OLD domain. The easiest way to do that is again with a group policy.

In the OLD domain create a group, (Type: Domain Local)

Group Name: GP-ADMT-Admins, (again you can call it something else if you want).

Add your ADMTAdmin account to this group, (Note: I like to add the domain admin account for the NEW domain as well, though that’s not necessary).

On a domain controller > Administrative Tools > Group Policy Management Console.

Once Again: It’s better practice to ‘link’ your policy to the actual OU that your computers are in, to keep things simple, (and because I’m lazy) I’m going to link my policy to the root of the domain.

Edit the policy you have just created;

Navigate to;

[box]Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups[/box]

Add Group > Select GP-ADMT-Admins > OK > in the bottom section (‘This group is a member of’) click Add > Administrators > OK. Use the bottom section: it adds GP-ADMT-Admins to the local Administrators group without touching anything else, whereas defining ‘Members of this group’ for the local Administrators group would replace its existing membership outright.

Setup correctly it should look like this;

To Test: On a client open an administrative command window and run ‘gpresult /R’.

Or the best test is to make sure that the GP-ADMT-Admins group is actually in the local Administrators group on a client (‘net localgroup Administrators’).

ADMT – Database Requirements

OK, a lot of posts say don’t install ADMT/SQL on a domain controller. That’s not strictly true; you can install ADMT and SQL on a domain controller, and in fact that’s what I’m going to do (there are a few commands and extra steps that I will point out below).

You can use full blown SQL Server if you like, but it’s just as easy to use SQL Server 2008 Express SP1 > Download and run > Installation > New SQL Server stand-alone installation or add features to an existing installation.

Accept the defaults > On the Feature Selection page select ‘Database Engine Services’.

Accept the named instance ‘SQLExpress’.

Keep accepting defaults until you get to the ‘Server Configuration’ page (service accounts), and set the service account to the ADMTAdmin account.

Then on the ‘Database Engine Configuration’ page, under ‘Specify SQL Server administrators’, add your ADMTAdmin account again. (Once again, there’s nothing wrong with adding the domain admin account as well.)

ADMT – Additional SQL Steps For Domain Controllers

Open an administrative command window > and run the following commands;

[box]

NET LOCALGROUP SQLServerMSSQLUser$Target-DC$SQLEXPRESS /ADD
SC SHOWSID MSSQL$SQLEXPRESS
{Copy the SID to the clipboard you will need it in a minute}
MD %SystemRoot%\ADMT\Data
ICACLS %Systemroot%\ADMT\Data /grant *{Paste the SID from above}:F
i.e.
ICACLS %systemroot%\ADMT\Data /grant *S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133:F

[/box]

ADMT – Downloading and Installing ADMT

Download the ADMT software (if that link ever dies, use this one: Download ADMT 3.2). Launch the installer and accept all the defaults until you get to database selection; use .\SQLEXPRESS

No, we don’t want to import any data from an existing database > Next > Finish.

We can now open the ‘Active Directory Migration Tool’ management console.

In Part Two we will look at SID filtering, setup a password export server, and do some group policy work.

Related Articles, References, Credits, or External Links

NA

Barracuda Email Security Gateway Setup and Deployment

KB ID 0001253 

Problem

This is the process for setting up both physical and virtual Barracuda Email Security Gateway appliances (formerly the Barracuda Spam Firewall).

Note: This walkthrough sets out the basic functions to get your appliance working and inspecting email; it’s not an exhaustive list of all the features of the appliance.

Solution

Before you start, I’m making the assumption that if you have a physical appliance it’s racked and connected to the correct network, or if you are using a virtual appliance it’s been deployed from the OVA and connected to the correct network.

Barracuda Email Gateway Initial Setup

To get access to the appliance (on the console) the default username and password are admin and admin. Change that password as soon as the appliance is on the network; once it has an address, anyone who can route to it can try the default.

Navigate to TCP/IP Configuration > Enter the IP addressing information, then ensure you SAVE the config.

You will also need to enter the licence token, that was supplied to you from your reseller, again make sure you SAVE the configuration.

Exit, and you are prompted to type YES, the system will reboot.

Barracuda Email Gateway Mail Configuration.

Once the appliance has rebooted, you can connect to it through a web browser (via HTTPS). The username and password will still be admin/admin. The first task is to update the appliance to the latest version (Advanced > Firmware Update). You may need to do this a few times, and each update will require a reboot of the appliance.

Basic > Administration > Email Notifications: Setup an email address for system alerts, and a system contact email address. Save the changes.

On the same tab > Change the time zone > (This may require another reboot).

Basic > IP Configuration: Destination Mail Server TCP/IP Configuration > Enter the details of your Exchange server (Note: for Exchange this needs to be a server that already has a receive connector that will accept mail from the Barracuda). Use the ‘Test Email Connection’ button to make sure it’s working. Also set a local hostname and domain name. WARNING: don’t leave the default of ‘barracuda’, as this is displayed to the outside world in the SMTP banner (best not to advertise your email filter vendor).

Domains > Domain Manager: Add in all the domains that you want to filter email for.

Barracuda Manage Domains or Manage Globally

IMPORTANT: You can change settings for each individual domain (handy if you filter email domains for a lot of different customers), or you can change settings globally. To manage an individual domain, navigate to Domains > Domain Manager > select the domain and click Manage Domain. From this point forward you are only changing settings for this managed domain. You return to global configuration by clicking ‘Manage System’.

I’ve mentioned this now, because the next steps are carried out ‘per domain’.

For each Exchange managed domain (i.e. Active Directory domain): Users > LDAP Configuration > change Exchange Accelerator / LDAP Verification to ‘Yes’ > enter the FQDN of one of your domain controllers > LDAP Port (389, or 3268 for the global catalog) > then enter the ‘Distinguished Name’ and password for a domain user. Make sure the test passes before you proceed. Note: ports 389 and 3268 carry the bind credentials in clear text, so use a dedicated low-privilege account for this (it only needs to read user objects; it should not be a domain admin), and use the LDAPS ports (636/3269) if your appliance firmware offers them.

How to Find a Distinguished Name? Run the following dsquery command;

[box]dsquery user -name "User Name"[/box]

Why have you just done this? Because now the Barracuda will reject, during the SMTP conversation, any mail sent to this domain for users that do not exist. Spammers bulk-mail known good domain names with random user names in the hope of getting lucky. Repeat for any other domains you are authoritative for, but ensure the LDAP account you bind with belongs to the domain you are protecting, like so;

Back in global configuration, I’m going to enable quarantine on a per-user basis (rather than globally): Basic > Quarantine > enable per-user, then enter an email address and the FQDN of the Barracuda appliance > Save.

Basic > Spam Checking: The actual levels you want may require some tuning; this is a good place to start. You would normally use either Quarantine or Tagging. I’m setting the appliance to block at level 6 and quarantine at level 3. (Note: These levels are scores that the Barracuda assigns to emails to grade the likelihood of them being spam.)

The Barracuda (like most email platforms) won’t relay email from any IP/host/subnet unless you allow it. So that your email server can send mail through the Barracuda you need to add it: Basic > Outbound > Relay Using Trusted IP/Range > enter the IP addresses of your mail servers. List the individual mail server addresses rather than the subnet they are on; anything in this list can relay outbound mail without authenticating, so a whole subnet turns every host (and any malware) on it into an outbound relay.

Configure Exchange 2013/2016 To Send Mail via Barracuda

I know there are many email platforms, but I’m using Exchange 2016. To send email via this appliance you need to add it as a ‘Smart Host’ on the Exchange organisation’s ‘Send Connector’. Log into the Exchange Admin Center > Mail Flow > Send Connectors > Select the connector > Edit.

Delivery Tab > Enter the FQDN or IP of the Barracuda > Save.

Then restart the Microsoft Exchange Transport Service. 

Exchange Receive Connector: You probably already have a receive connector configured for internet email (i.e. set to anonymous, on port 25). In some Exchange deployments you may need to add a connector for the Barracuda and allow it to relay mail through Exchange; if you do, scope that connector’s remote IP range to the Barracuda’s address only, rather than granting relay to anonymous senders broadly.

Repoint Mail ‘Feed’ To Barracuda

How you do this depends on your network setup, and firewall vendor. If you already have mail coming into your mail server then you are probably doing one of the following;

  • Port Forwarding SMTP (TCP Port 25) from your public IP, to the internal IP of the mail server.
  • Statically NATed a public IP address to the internal/private IP of the mail server, and opened SMTP (TCP port 25) to that IP.

In either case, you need to change the private IP address that mail is pointed at from your mail server to the Barracuda’s IP. If you are using a Cisco firewall or router, I’ve already written some articles that may help; take a look at the following.

Cisco PIX / ASA Port Forwarding

Add a Static (One to One) NAT Translation to a Cisco ASA 5500 Firewall

Juniper (JUNOS) SRX – Static ‘One-to-One’ NAT

Cisco Routers – Port Forwarding

Changing Public IP Address Warning

Be aware if you change the public IP address that you accept mail on, you need to change your DNS MX Records to match, (if you use SPF records those may also need changing). See the following article;

Setting up the Correct DNS Records for your Web or Mail Server
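An added example (not from the original article) for the SPF part of that warning: an offline SPF evaluator you can point at your published record to confirm that the address mail now leaves from (the Barracuda’s public IP) still gets a ‘pass’ before you flip the feed. The record text, hostnames and addresses below are constructed; pull your real record with ‘nslookup -type=txt yourdomain’ and pass it in.

```python
"""Added example, not from the original article: an offline SPF evaluator for checking that
the record you publish still authorises the address mail now leaves from (the Barracuda's
public IP after the change above).  Record text, hostnames and addresses are constructed."""
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(txt):
    """Split a 'v=spf1 ...' record into (qualifier, mechanism, argument) triples, in order."""
    if not txt.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record: %r" % txt)
    terms = []
    for term in txt.split()[1:]:
        if "=" in term.split(":", 1)[0]:      # redirect= / exp= modifiers, not evaluated here
            continue
        qual = "+"
        if term[0] in RESULTS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if ":" not in term and "/" in term:   # 'a/24' or 'mx/24' form
            mech, _, cidr = term.partition("/")
            arg = "/" + cidr
        terms.append((qual, mech.lower(), arg))
    return terms


def spf_verdict(txt, sender_ip, domain, resolved=None):
    """Evaluate the record for sender_ip and return pass / fail / softfail / neutral.

    'resolved' maps hostnames to lists of IP addresses so the check runs offline: 'a'
    mechanisms look their target up there, and an 'mx' mechanism's name must map to the
    IPs of the domain's MX hosts.  'include' and 'exists' are not followed and never match;
    expand them by hand (or extend this function) if your record uses them."""
    ip = ipaddress.ip_address(sender_ip)
    resolved = resolved or {}
    for qual, mech, arg in parse_spf(txt):
        matched = False
        if mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech in ("a", "mx"):
            name, _, cidr = arg.partition("/")
            for addr in resolved.get(name or domain, []):
                net = ipaddress.ip_network(addr + ("/" + cidr if cidr else ""), strict=False)
                if ip in net:
                    matched = True
        elif mech == "all":
            matched = True
        if matched:
            return RESULTS[qual]
    return "neutral"   # nothing matched and the record has no 'all'


# Constructed sample: the record as published before the change, the hosts it names, the
# old mail server's public address and the address the Barracuda will send from.
SAMPLE_SPF = "v=spf1 ip4:203.0.113.10 a:mail.example.com mx -all"
SAMPLE_DNS = {"mail.example.com": ["203.0.113.11"], "example.com": ["203.0.113.12"]}
OLD_MAIL_SERVER_IP = "203.0.113.10"
NEW_BARRACUDA_IP = "198.51.100.5"

if __name__ == "__main__":
    for ip in (OLD_MAIL_SERVER_IP, NEW_BARRACUDA_IP):
        print(ip, spf_verdict(SAMPLE_SPF, ip, "example.com", SAMPLE_DNS))
    fixed = SAMPLE_SPF.replace("-all", "ip4:%s -all" % NEW_BARRACUDA_IP)
    print("after adding the Barracuda:", spf_verdict(fixed, NEW_BARRACUDA_IP, "example.com", SAMPLE_DNS))
```

In the sample the new address fails until an ip4 term for it is added, which is exactly the outcome you want to catch before receiving domains start rejecting or junking your outbound mail.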

All being well, you should now see mail flowing through the Barracuda (Message Log).

Related Articles, References, Credits, or External Links

NA

Using Openfiler and vSphere ESX / ESXi 5

KB ID 0000380

Problem

Openfiler is a free NAS / SAN prebuilt Linux distribution, that can provide iSCSI storage to your VMware environment, it’s ideal for small setups (This video was made with all the devices running in VMware workstation 7, on my laptop. That’s two ESXi servers, a vCenter server, and the Openfiler iSCSI target server).

Solution

Related Articles, References, Credits, or External Links

Openfiler

Thanks to VMware for the free copy of VMware Workstation.

 

Windows Server 2012 – Deploying SSTP VPNs

KB ID 0000819

Problem

SSTP gives you the ability to connect to your corporate network from any location that has an internet connection and is not filtering HTTPS (TCP port 443), which is usually open for normal secure web traffic. Traditional VPN connections require other ports and protocols (for example UDP 500/4500 and ESP for IPsec, or GRE for PPTP) to be open for them to work, which makes a solution that runs over TCP port 443 attractive.

Thoughts: While I can see why this is a good idea, Microsoft has basically changed some existing protocols so they work on a port that won’t be blocked by most firewalls. This is not a new approach, (Microsoft did it before with RPC over HTTP). I can’t help feeling that the more traffic we push over ports 80 and 443, sooner or later security/firewall vendors are going to statefully inspect/block traffic that isn’t supposed to be on that port. (If you think ‘that would never happen!’ Try running an Exchange Server through a Cisco firewall with SMTP inspection turned on). Anyway, it’s there, I’ve been asked to do a walkthrough, so read on,

Solution

I’ve got a Windows 2012 Server already setup, it’s a domain controller, and is running DNS. You don’t have to have the same server running SSTP/RRAS but in this lab environment that’s what I’m doing. In addition my remote VPN clients will get an IP address from my normal corporate LAN.

1. On the server I have two network cards installed, the first (NIC1) is the normal network connection for the server, the second (NIC2) will be the one that the remote clients get connected to (once they have authenticated to NIC1).

2. Make sure the Internet facing NIC has good comms, and works OK.

3. NIC2 as you can see, does not even need a default gateway.

Windows Server 2012 Add Certificate Services

I’m going to use a certificate issued by my own internal Certificate Authority (loosely called ‘self signed’ below); if you have purchased one, then skip this section.

4. From Server Manager (ServerManager.exe) > Add Roles and Features > Next > Next > Next > Select > Active Directory Certificate Services.

5. Add Features > Next > Next > Next > Tick ‘Certificate Authority Web Enrolment’.

6. Add Features > Next > Next > Next > Install > Close > From the warning (top right) > Configure Active Directory Certificate Services on this server.

7. Next.

8. Select both Certificate Authority and Certificate Authority Web Enrolment > Next.

9. Next > Next > Next > Next > Next > Next > Next > Configure > Close > Close Server Manager.

10. Open a Microsoft Management Console.

11. File > Add Remove Snap-in > Certificate Authority > Add > Local computer > Finish > OK.

12. Drill down to Certificate Templates > Manage.

13. From the list that appears locate IPsec > Right Click > Duplicate Template.

14. General tab > Change the name to SSTP-VPN.

15. Request Handling tab > Tick ‘Allow private key to be exported’. (This is only needed if you intend to move the certificate to another server; an exportable key is easier to steal, so leave it unticked if the certificate will only ever live on this box.)

16. Subject Name tab > Tick ‘Supply the request’ > Click OK when prompted.

17. Extensions Tab > Select the Application Policies entry > Edit.

18. Add > Locate the ‘Server Authentication’ policy > OK > OK > Apply > OK > Close the Certificate Template console.

19. From the Certificate templates Folder > New > Certificate Template Issue.

20. Locate the SSTP-VPN entry > OK > Close the MMC.

SSTP Firewall Setup

In this example my server is behind a corporate firewall. If yours is internet facing then you may simply want to add an exception/rule allowing HTTPS (TCP 443). My server will ultimately have a public IP address that resolves to its public name (vpn.pnl.com), so I just need to allow the port in. If your server does not have its own public IP address, then you may need to set up port forwarding instead. You will see later that I’m also going to use TCP 80 (plain HTTP) to reach certificate services remotely, so I’ve got that open as well. Be careful with that outside a lab: the web enrolment pages take a domain logon (step 45), and over plain HTTP those credentials and the downloaded root certificate cross the internet unprotected. In a corporate environment publish certificate services over HTTPS only, or distribute the root certificate to users by another route and leave TCP 80 closed.

21. On this server I’m simply going to disable the firewall > Start > Run > firewall.cpl {enter} > Turn Windows Firewall on or off > Set as appropriate. (That is acceptable for a lab box sitting behind a corporate firewall; on an internet-facing server leave Windows Firewall on and add an inbound rule for TCP 443 only.)

Grant users SSTP VPN/Dial-in rights.

22. Make sure that any user who wants to access the SSTP VPN has had their Dial-in set to ‘allow access’.

Windows 2012 Server Install and Configure RRAS for SSTP

23. From Server Manager (ServerManager.exe) > Add Roles and Features > Next > Next > Next > Select > Network Policy and Access Services.

24. Add Features > Next > Next> Next > Next > Install > Close.

25. Back at Server Manager (ServerManager.exe) > Add Roles and Features > Next > Next > Next > Select ‘Remote Access’.

26. Add Features > Next > Next > Next > Tick ‘Routing’ > Next > Install.

27. Close.

Note: At this point you may see a warning that there are additional steps to take (to configure routing and remote access); if so you can launch and then close this wizard, because we will do it manually.

28. Close Server Manager > Open a new MMC > File > Add/Remove Snap-in > Certificates > Add > Computer account > Finish > OK.

29. Expand Personal > Certificates > All Tasks > Request New Certificate.

30. Locate the SSTP-VPN entry > Click the ‘More information required..’ link.

31. Change the Type to common name > Enter the public name of the SSTP VPN server > Add > OK.

Note: This will be the common name on the certificate, i.e. vpn.pnl.com, which will need a public A/host record creating for it in your public DNS (speak to your ISP or DNS hosting company). That way when your remote clients go to https://vpn.pnl.com they won’t get an error (providing you imported the root cert correctly on THAT machine).

32. Tick the certificate > Enrol.

33. Finish > Close the MMC.

34. Windows Key+R > rrasmgmt.msc > OK.

35. Right click the server > Configure and Enable Routing and Remote Access.

36. At the Wizard > Next > Next > Tick VPN > Next.

37. Select NIC1. In this case I’m unticking the ‘Enable security’ option (or it disables RDP and locks the NIC down) > Next.

38. I’m going to use this server so select the bottom option > Next.

39. New > Create a range of IP addresses. (Note: You may need to exclude these from your existing DHCP scope) > OK > Next.

40. Next.

41. Finish > OK > OK > At this point you will see the services restarting.

42. Right click the server > Properties.

43. Security tab > Change the certificate to the one we created > Apply > Yes > OK > Close the console.

Windows Server 2012 – Connect to SSTP from a Remote Client

At this point I have the correct ports open on the firewall, and I’m on a Windows 7 client outside the corporate network.

44. Because we are using a certificate from our own CA, we need to get the client to trust it. We can give the user the root certificate, or they can connect and download it; here I’m connecting to the Certificate Services web portal. Note: Remember that’s on the same server.

45. Supply your domain credentials > OK > Download a CA Certificate > Download CA Certificate > Save As.

46. Put the certificate somewhere, and call it something sensible.

47. Now launch an MMC on the client machine, and add the certificate snap-in (for ‘computer account’).

48. Drill down to Trusted Root Certification authorities > Certificates > All Tasks > Import > Navigate to, and select the certificate you just downloaded.

Note: If you double click the cert and import it manually, then it gets put into the user account NOT the computer account, and this will cause you problems. (Error 0x800b0109).

Registry Key Required for SSTP Access

The title is not strictly true, but as we are using a certificate from our own CA the client cannot reach that CA’s CRL to check revocation, and SSTP refuses the connection. Even with some purchased certificates you may need to do this. Be aware of what it does: it turns off revocation checking for SSTP on that client, so a revoked (e.g. compromised) server certificate would still be accepted. The correct fix for a production deployment is to publish the CRL at an HTTP address the remote clients can reach (a CRL distribution point in the certificate) rather than setting this value.

49. Open the registry editor and navigate to:

[box]
HKLM\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters
[/box]

50. Create a new 32 bit DWORD called NoCertRevocationCheck and set its value to 1 (one).
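An added example (written for this page, not Microsoft’s code and not from the original article) that checks the two things the client trips over in steps 29–31 and 49–50: whether the name on the server certificate matches the public VPN name, and whether the certificate carries any CRL/OCSP URL that a client outside the domain could actually reach (enterprise CAs add ldap:// pointers by default, which are useless from the internet, and that is why the registry value above is needed). The sample certificate dictionaries are constructed in the shape returned by Python’s ssl.getpeercert(); vpn.pnl.com is the article’s placeholder and the CA name and URLs are made up.

```python
"""Client-side checks for the SSTP server certificate (steps 29-31 and 49-50): name match
and reachable revocation information.  Added example, not from the original article.  The
sample certificates are constructed in the shape ssl.SSLSocket.getpeercert() returns."""
import socket
import ssl
import urllib.request


def cert_names(cert):
    """DNS names the certificate is valid for: SAN dNSName entries, else the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches(pattern, host):
    """Exact match, or one wildcard in the leftmost label only (*.pnl.com matches
    vpn.pnl.com but neither pnl.com nor a.b.pnl.com)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        _, _, parent = host.partition(".")
        return bool(parent) and parent == pattern[2:]
    return False


def revocation_urls(cert):
    """CRL and OCSP URLs a client off the domain could use.  ldap:// pointers (the default
    an enterprise CA writes) are dropped: a remote SSTP client cannot follow them."""
    urls = list(cert.get("crlDistributionPoints", ())) + list(cert.get("OCSP", ()))
    return [u for u in urls if u.lower().startswith(("http://", "https://"))]


def assess(cert, host):
    """Summarise what a Windows SSTP client will trip over.

    name_ok False              -> the address entered in step 55 does not match the certificate
    revocation_checkable False -> no HTTP CDP/OCSP URL, so the client's revocation check fails;
                                  NoCertRevocationCheck papers over this, a reachable CDP fixes it"""
    names = cert_names(cert)
    return {
        "names": names,
        "name_ok": any(name_matches(n, host) for n in names),
        "revocation_checkable": bool(revocation_urls(cert)),
    }


def fetch_cert(host, port=443, cafile=None, timeout=5):
    """Retrieve the server certificate as a dict.  For a private CA pass the root certificate
    downloaded in step 45 as cafile; without it the handshake is (correctly) refused."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def reachable(url, timeout=5):
    """Can this client download the CRL / reach the OCSP responder from where it sits?"""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status < 400
    except (urllib.error.URLError, OSError):
        return False


# Constructed samples.  LAB_CERT resembles what the duplicated template issues (CN only,
# LDAP-only CDP); PUBLIC_CERT resembles a purchased one with a SAN and HTTP CRL/OCSP URLs.
LAB_CERT = {
    "subject": ((("commonName", "vpn.pnl.com"),),),
    "issuer": ((("commonName", "pnl-DC-CA"),),),
    "crlDistributionPoints": ("ldap:///CN=pnl-DC-CA,CN=CDP,DC=pnl,DC=com?certificateRevocationList",),
}
PUBLIC_CERT = {
    "subject": ((("commonName", "vpn.pnl.com"),),),
    "subjectAltName": (("DNS", "vpn.pnl.com"), ("DNS", "*.pnl.com")),
    "crlDistributionPoints": ("http://crl.example.net/ca.crl",),
    "OCSP": ("http://ocsp.example.net",),
}

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "vpn.pnl.com"
    cafile = sys.argv[2] if len(sys.argv) > 2 else None
    cert = fetch_cert(host, cafile=cafile)
    print(assess(cert, host))
    for url in revocation_urls(cert):
        print(url, "reachable" if reachable(url) else "NOT reachable from here")
```

Run it from the remote client as ‘python check.py vpn.pnl.com rootca.cer’ after step 48; if it reports no reachable revocation URL you know in advance that the connection will fail without the registry value, and you can decide whether to publish an HTTP CRL instead.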

Setup a SSTP VPN Connection

51. Open the Network and sharing Center.

52. Setup a new connection or network.

53. Connect to a workplace.

54. Use my Internet Connection.

55. Supply the Internet Address (that matches the common name you used above) > Next.

56. Supply your domain credentials > Connect.

57. Connected successfully.

Note: If it fails at this point, it usually gives you an error code you can Google, or it gives you the option of logging for you to troubleshoot.

58. Just to prove I’m connected, this client can ping the SSTP servers private address.

 

Related Articles, References, Credits, or External Links

NA

Windows Server 2008 R2 Deploying Applications with RemoteApp

KB ID 0000528

Problem

RemoteApp is a solution for delivering applications to your users from a Remote Desktop Services Server.

Why would you want to do this? Imagine only having one copy of Office to update in your entire organisation when a new service pack or security update is released, or Adobe bringing out a new version of Dreamweaver that’s on all your machines; you simply update the master copy on the RDS server, or redeploy new RemoteApps.

In the following example I’ll configure the server, and create a RemoteApp application (Word 2010) and finally, deploy it to my domain clients.

Client requirements: Windows XP (SP2), Windows Vista, Windows 7, Windows Server 2003 SP2, Windows Server 2008, and Windows Server 2008 R2.

Note: For XP and Server 2003 clients you need to have installed Remote Desktop Connection (Terminal Services Client 6.0).

Solution

1. On a 2008 R2 Server (that’s a domain member): Start > Run > CompMgmtLauncher.exe {enter} > Roles > Add Roles > Remote Desktop Services > add the following ‘Role Services’: Remote Desktop Session Host and Remote Desktop Web Access (if you do not already have an RDS Licensing server, add Remote Desktop Licensing as well).

2. Select “Network Level Authentication” >Select your licensing mode > Add in the user(s) and/or group(s) you want to grant access to > Set your client experience options > Set the scope for the licensing server (per forest or per domain) > When complete let the server reboot.

3. If you do not already have a RDS Licensing server then activate the Licensing Server and follow the instructions. (Start > Administrative Tools > Remote Desktop Services > Remote Desktop Licensing Manager).

4. Then Start > Administrative Tools > Remote Desktop Services > Remote Desktop Session Host Configuration > Locate Licensing > And click the “Not Specified” > Then add in the licencing server you just activated.

5. Install and configure the applications you want to deploy. Then Start > Administrative Tools > Remote Desktop Services > RemoteApp Manager > Add RemoteApp Programs > select the application(s) you want to publish.

6. Add the computers that need access to RemoteApp(s) to the LOCAL group on the RDS server called “TS Web Access Computers”.

8. In the RemoteApp Manager select “Create Windows Installer Package” follow the instructions and put the resulting .msi file in a network share that your domain clients can access.

9. Send out the .msi file generated to your clients by group policy.

10. By default your deployed RemoteApps will be listed on the clients’ Start menu under “Remote Programs”.

Related Articles, References, Credits, or External Links

Server 2008 – Terminal Server (Remote Desktop Services) Licensing

Server 2008 R2 Install and Configure Remote Desktop Services (Web Access)

Deploying Exchange 2013

Part Three – Deploying Exchange 2013 On a ‘Greenfield Site’

KB ID 0000730

Problem

In part one and part two we looked at what to consider, and what you need to be doing before you reach for the install DVD. Now we will run through a complete Exchange deployment on a fresh site with no existing mail system.

Items covered below

Install Exchange Server 2013

Exchange 2013 Post Install Configuration Tasks

Enter the Exchange 2013 Server Product Key

Exchange 2013 Create a Default Send Connector

Exchange 2013 Adding a Domain Name as an Accepted Domain

Adding New Email Addresses to the Default Email Address Policy

Exchange 2013 Additional Post Installation Tasks

Moving Exchange 2013 Database(s)

Exchange 2013 Apply for, and Install a Third Party Certificate

Exchange 2013 Setting up ‘Split DNS’ for your Exchange Certificate

Exchange 2013 Test Mail Flow

Solution

Exchange Prerequisites


I’ve already written extensively about the hardware, software and environment requirements for Exchange 2013. Please run through the following article before you start.

Deploying Exchange 2013 Part One – Prerequisites for Windows Server 2012

With a fully updated Windows Server 2012 that is a domain member, your three main pre-deployment tasks are to install the following pieces of software.

1. Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit.

2. Microsoft Office 2010 Filter Pack 64 bit

3. Microsoft Office 2010 Filter Pack SP1 64 bit

Install Exchange Server 2013

1. Insert the install DVD and auto-run the setup.

2. Next > Let it check for updates.

3. Next.

4. It will copy the setup files to the server.

5. Next.

6. Accept the EULA > Next.

8. Next.

9. Select the roles required. I only have one server, so I’m selecting both > Next.

Note: Current Microsoft thinking is to NOT separate out roles like you did with Exchange 2007 and 2010; if you deploy multiple servers, deploy multiple roles on each.

10. Set the install path for the Exchange program files. If you change from the default, and you are deploying multiple Exchange servers, try to keep the path the same for all > Next.

11. Select an Organization name > Next.

12. Select if you want to disable the built in malware protection or not.

Note: Malware protection is now based on Forefront. Only consider disabling this if you plan to deploy some third party malware/AV scanning software.

13. You should get a warning telling you that once complete you will not be able to install Exchange 2010 > Next.

14. Setup will progress (Approx 45 minutes).

15. When done > you can tick the box and launch the ‘Exchange Admin Center’. BUT at this point I would run a full Windows update and reboot the server.

Exchange 2013 Post Install Configuration Tasks

1. To launch the new ‘Exchange Admin Center’, navigate to https://localhost/ecp.

2. Sign in.

Enter the Exchange 2013 Server Product Key

3. Navigate to Server > {Server-Name} > Enter Product Key.

4. Type in your 25 character product key > Save.

5. Read the warning > OK.

6. Windows Key+R > services.msc {Enter} > Locate and restart the ‘Microsoft Exchange Information Store’ service.

Exchange 2013 Create a Default Send Connector

Without configuring a send connector, your outbound/Internet-destined mail will sit on the outbound queue with the following error.

‘A matching connector cannot be found to route the external recipient’

7. Navigate to > Mail flow > Send Connector > Add.

8. Give the connector a name and select ‘Internet’ as its use > Next.

9. By default it will select where to send the email based on the DNS name of the recipient; however some people route all their mail via a smart host (this can be a server or IP address at your ISP or a mail filtering provider). If you use a smart host you will probably already know; in most cases you will want the default option of ‘MX record associated with recipient domain’ > Next.

10. Add.

11. Set the FQDN to an asterisk (*) > Save.

12. Add > Then select the Exchange Server.

13. Finish.

Exchange 2013 Adding a Domain Name as an Accepted Domain

14. Whilst in the Mail Flow section > Accepted Domains > Add.

15. Give the entry a name > Type in your domain name > Save > Repeat for any additional domain names.

Adding New Email Addresses to the Default Email Address Policy

16. Whilst in the Mail Flow section > email address policies > With the default policy selected > Edit (pencil icon).

17. Email address format.

18. Add.

19. Select the domain > Select the name format > If this email address will be the default/reply address then select the bottom tick box > Save > Repeat for each additional email address you want to apply to your users, but only one can be the reply address.

20. When finished > Save.

21. Read the warning > OK.

22. Apply.

23. Yes.

Exchange 2013 Additional Post Installation Tasks

Moving Exchange 2013 Database(s)

1. Create a folder on the destination drive/volume.

2. First see where the database is now. From within the Exchange admin center (https://localhost/ecp) > Servers > Databases > Select the database to be moved > Edit (pencil icon).

3. Take a note of the database path, and the database filename (filename.edb).

4. Launch the Exchange Management Shell.

5. Execute the following PowerShell command;

Answer Y to the questions (or A for all).

6. Now you can check that the database has mounted, and is in its new location.
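The same post-install tasks (product key, send connector, accepted domain, email address policy) and the database move can be done from the Exchange Management Shell instead of clicking through the ECP. This is an added example, not code from the original article; the server name EX01, the domain petenetlive.com, the product key placeholder and the D:\ paths are assumptions, substitute your own.

```powershell
# Added example: Exchange 2013 post-install tasks from the Exchange Management Shell.
# Assumptions (not from the article): server EX01, domain petenetlive.com, paths on D:.
$Server = "EX01"
$Domain = "petenetlive.com"
$Key    = "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"   # placeholder, use your real 25 character key

# 1. Product key, then restart the Information Store so it takes effect
Set-ExchangeServer -Identity $Server -ProductKey $Key
Restart-Service MSExchangeIS

# 2. Default Internet send connector, routing on the recipient domain's MX record
#    (address space "*" is the asterisk FQDN you set in the ECP wizard)
New-SendConnector -Name "Internet" -Usage Internet -AddressSpaces "SMTP:*;1" `
    -SourceTransportServers $Server -DNSRoutingEnabled $true

# 3. Accept inbound mail for the public domain
New-AcceptedDomain -Name $Domain -DomainName $Domain -DomainType Authoritative

# 4. Add the new address template to the default policy; upper-case "SMTP:" marks
#    it as the reply address (only one template may be upper-case)
Set-EmailAddressPolicy -Identity "Default Policy" `
    -EnabledEmailAddressTemplates "SMTP:%g.%s@$Domain"
Update-EmailAddressPolicy -Identity "Default Policy"

# 5. Move the mailbox database; it is dismounted while the files are copied
#    (answer Y to each prompt, or A for all)
$Db = Get-MailboxDatabase -Server $Server | Select-Object -First 1
Move-DatabasePath -Identity $Db.Name `
    -EdbFilePath   "D:\ExchangeDB\$($Db.Name)\$($Db.Name).edb" `
    -LogFolderPath "D:\ExchangeLogs\$($Db.Name)"

# 6. Confirm the database is mounted again, in its new location
Get-MailboxDatabase -Server $Server -Status |
    Format-List Name,Mounted,EdbFilePath,LogFolderPath
```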

Exchange 2013 Apply for, and Install a Third Party Certificate

1. From within the Exchange admin center (https://localhost/ecp) > Certificates > Add.

2. Self-signed certificates are literally more trouble than they are worth; you need to BUY A CERTIFICATE! > Next.

3. Give the request a name > Next.

4. We don’t want a wildcard certificate > Next.

Note: A wildcard certificate is a certificate that has a name like ‘*.domain.com’.

5. Select the Exchange Server > Next.

6. Select the internet Outlook Web App and Edit (pencil icon).

7. Type in the publicly addressable domain name of the Exchange Server > OK.

8. Set the public name of the Autodiscover service > OK > Next.

9. MAKE SURE that the OWA public name is IN BOLD as this will be set as the ‘common name’ on the certificate > Next.

10. Type in your details > Next.

11. Select a share to save the certificate request in > Finish.

Note: This share must already exist, with the correct permissions, if in doubt watch the video above.

12. Now you should have a pending request.

13. Take the certificate request that it has generated (in PEM format), and send that to your certification authority; the link below will take you straight to the correct certificate you need;

Exchange 2013 Server Certificates.

14. Once complete and you have received your new certificate back again > Select the pending request > Complete.

15. Supply the path to the certificate > OK.

16. Now you need to assign Exchange services to the certificate > with it selected > Edit (pencil icon).

17. I’m not using unified messaging or POP, so I’ve just selected SMTP, IMAP and IIS > Save.

18. Yes to overwrite the existing certificate.

19. Now let’s make sure it’s worked: open https://localhost/owa > it will error because the URL is wrong > continue to this website.

20. Open the certificate and check it is correct. (here mine has a common name of mail.petenetlive.com).
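Steps 1 to 20 above can also be run from the Exchange Management Shell, which makes it easier to see exactly which names end up on the certificate. This is an added example, not code from the original article; the server name EX01, the organisation details in the subject, the share \\FS01\CertReq and the file names are assumptions.

```powershell
# Added example: request, import and enable a third party certificate from the EMS.
# Assumptions (not from the article): server EX01, share \\FS01\CertReq, the subject details.
$Server = "EX01"
$Names  = "mail.petenetlive.com","autodiscover.petenetlive.com"

# 1. Generate the request. SubjectName sets the common name, so put the OWA public name
#    there (the ECP shows it in bold for the same reason); DomainName adds the SANs.
#    PrivateKeyExportable lets you export the finished certificate to other servers.
$Req = New-ExchangeCertificate -Server $Server -GenerateRequest `
    -FriendlyName "Exchange 2013 $($Names[0])" `
    -SubjectName "c=GB,o=PeteNetLive,cn=$($Names[0])" `
    -DomainName $Names -PrivateKeyExportable $true
Set-Content -Path "\\FS01\CertReq\exchange.req" -Value $Req
# exchange.req is Base64 (PEM) text: send it to your CA, the request stays pending on the server.

# 2. Complete the pending request with the certificate the CA returned
$Cert = Import-ExchangeCertificate -Server $Server `
    -FileData ([Byte[]](Get-Content -Path "\\FS01\CertReq\exchange.cer" -Encoding Byte -ReadCount 0))

# 3. Assign services (no UM or POP here); -Force answers Yes to overwriting the self signed one
Enable-ExchangeCertificate -Server $Server -Thumbprint $Cert.Thumbprint -Services SMTP,IMAP,IIS -Force

# 4. Check the result: subject, SANs, assigned services, expiry, and that it is not self signed
Get-ExchangeCertificate -Server $Server -Thumbprint $Cert.Thumbprint |
    Format-List Subject,CertificateDomains,Services,IsSelfSigned,NotAfter
```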

Exchange 2013 Setting up ‘Split DNS’ for your Exchange Certificate

Note: You only need to set this up if your private/internal, and public/external domain names are different.

21. To avoid annoying DNS and certificate errors on your internal network, your best bet is to set up ‘Split DNS’. Create a forward lookup zone that matches your PUBLIC domain name. Then inside this zone create an A/Host record for mail that points to the internal IP of your Exchange Server, and another for Autodiscover that points to the same IP address.

WARNING: If you do this, and have a www.yourdomainname.com website hosted externally, you will find that your internal users can no longer get to it! If that happens create an additional A/Host record for a host called www and point its IP address to the public IP address of your website (you may also need an FTP entry if you use that externally as well).

22. Now open a web browser and navigate to the public name of your mail server; this time it SHOULD NOT ERROR.
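The split DNS zone from step 21, including the www record the warning above calls for, built on a Windows Server 2012 DNS server with the DnsServer module. This is an added example, not code from the original article; the domain petenetlive.com, the internal Exchange address 192.168.1.20 and the public web site address 203.0.113.10 (a documentation range) are assumptions.

```powershell
# Added example: 'Split DNS' zone on an internal Windows Server 2012 DNS server.
# Assumptions (not from the article): the zone name and both IP addresses below.
$Zone       = "petenetlive.com"
$ExchangeIP = "192.168.1.20"     # internal address of the Exchange server
$WebsiteIP  = "203.0.113.10"     # PUBLIC address of the externally hosted web site

# 1. Internal zone that shadows the public domain, AD integrated and replicated domain wide
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope Domain
}

# 2. mail and autodiscover resolve to the Exchange server's internal address
foreach ($Name in "mail","autodiscover") {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name $Name -IPv4Address $ExchangeIP
}

# 3. This zone now answers for the whole domain internally, so any public host you do not
#    recreate here (www, ftp, ...) vanishes for internal users: add them back with public IPs.
Add-DnsServerResourceRecordA -ZoneName $Zone -Name "www" -IPv4Address $WebsiteIP

# 4. Check that both kinds of record resolve from inside the network
foreach ($Fqdn in "mail.$Zone","autodiscover.$Zone","www.$Zone") {
    Resolve-DnsName -Name $Fqdn -Type A | Format-Table Name,IPAddress -AutoSize
}
```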

Exchange 2013 Test Mail Flow

1. Log into OWA, and send a test email to an internal email address (on a new deployment you probably only have Administrator as a mailbox, so send yourself an email).

2. Then send a test email out to a public email address.

Note: If this fails, check it has left the Exchange Organization by looking at the Queue Viewer.

Exchange 2013 – Where is the Queue Viewer?


3. Once you know mail is flowing out, test mail in; if this fails make sure you have an MX Record and an A/host record pointing to your Exchange 2013 Server.

Setting up the Correct DNS Records for your Web or Mail Server

Also ensure that TCP port 25 (SMTP) is open to the Exchange Server (or ‘port forwarded’ to it). Also make sure TCP 443 (HTTPS) is open/forwarded, as OWA, Outlook Anywhere and ActiveSync need it to work.

 

Related Articles, References, Credits, or External Links

NA

Exchange 2010 (c/w SP1) Install – Greenfield Site

(Installing on Server 2008 R2)

KB ID 0000416

Problem

Microsoft have not only slipstreamed the service pack into the install media, they have (finally!) got the install routine to put in all the usual pre-requisites, roles, and features that you had to do yourself before. (With the exception of the Office 2010 Filter Pack, but even then you can do that after the install).

The procedure below was done on a single server in a test environment to demonstrate the simplified procedure; it IS NOT good practice to install Exchange (any version) on a domain controller.

Solution

Before Site Visit

1. Have your install media downloaded and ready to go (Make sure you also have the unlock codes for Exchange – or you will have 119 days to licence it, post install).

2. Does your current anti-virus solution support Exchange 2010? Do you need an upgrade?

3. Does your current backup software support Exchange 2010? Do you need to purchase extra remote agents or updates?

Before Deploying Exchange 2010

1. Depending on what documentation you read, some say that the global catalog server(s) in the current site need to be at least Server 2003 SP2. Other documentation says the schema master needs to be at least Server 2003 SP2. Let’s hedge our bets, and make sure that ALL the domain controllers are at least Server 2003 SP2 🙂

2. Your domain and forest functional levels need to be at Windows Server 2003.

3. Don’t forget – your server needs to be x64 (the video below was shot on a Server 2008 R2 server).

4. Make sure both the server you are installing on, and the Windows domain, are happy (get into the event viewers of your servers and have a good spring clean before deploying Exchange 2010).

5. Install the Office 2010 Filter Pack, and the Office 2010 Filter Pack Service Pack 1.

6. Install the roles required with the following PowerShell Commands;

[box]

Import-Module ServerManager

For Client Access, Hub Transport, and the Mailbox roles issue the following command;

Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy,Web-WMI -Restart

For Client Access and Hub Transport server roles issue the following command;

Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy,Web-WMI -Restart

For only the Mailbox role issue the following command;

Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server -Restart

For only the Unified Messaging role issue the following command;

Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Desktop-Experience -Restart

For only the Edge Transport role issue the following command;

Add-WindowsFeature NET-Framework,RSAT-ADDS,ADLDS -Restart

[/box]

7. Set the Net.Tcp Port Sharing Service for Automatic startup by running the following command;

[box]Set-Service NetTcpPortSharing -StartupType Automatic[/box]

Exchange 2010 (c/w SP1) Install – Greenfield Site

The single best thing Microsoft has done with the SP1 install media is to include this tick box (automatically install the required Windows roles and features).

Related Articles, References, Credits, or External Links

How To Install Exchange 2016 (Greenfield Site)

SmoothWall site to site (IPSEC) VPN to Cisco ASA

KB ID 0000436 

Problem

You would like to put in a site to site VPN from a site that has a SmoothWall firewall to another site that has a Cisco ASA.

Note: This procedure was carried out on a SmoothWall UTM 1000 Series appliance, and uses a pre-shared key to authenticate the VPN.

Solution

1. For the Cisco end of the configuration, you can configure it from the command line (see here), or from the ASDM (see here).

2. Connect to the SmoothWall’s web management console. Navigate to VPN > IPSEC subnets.

2. Set as follows,

Name: Can be anything; give it a recognisable name.
Enabled: Tick.
Local IP : Leave blank.
Local Network: The network behind the SmoothWall.
Local ID Type: Local IP
Local ID Value: Leave blank.
Remote IP or Hostname: The outside IP of the Cisco ASA.
Remote Network: The subnet address behind the Cisco ASA.
Remote ID Type: User Specified IP Address.
Remote ID value: The outside IP of the Cisco ASA.
Authenticate by: Preshared Key.
Preshared Key: The same key you entered on the Cisco ASA e.g. This1sak3y
Preshared Key again: Repeat above.
Use Compression: Leave un-ticked.
Initiate the connection: Tick.

Advanced Options

Local Certificate: Default.
Interface: PRIMARY.
Perfect Forward Secrecy: Tick.
Authentication type: ESP
Phase 1 cryptographic algo: 3DES
Phase 1 hash algo: SHA
Phase 2 cryptographic algo: 3DES
Phase 2 hash algo: SHA
Key Life: 60.
IKE Lifetime: 30

3. Finally press “Add”.

Note: To edit an existing tunnel, in the summary at the bottom place a tick in the “Mark” box then click “Edit”.

4. Normally that should be all you need to do; however you may also need to allow zone bridging, so select Networking > Zone Bridging.

5. Set as follows,

Source Interface: IPSec
Destination interface: Port that the hosts inside the SmoothWall are plugged into.
Bi-directional: Tick.
Protocol: ALL
Source IP: 0.0.0.0/0
Destination IP: The subnet behind the SmoothWall.
Service: User Defined
Port: Leave Blank
Comment: Put in a sensible text comment.
Enabled: Tick

6. Finally press “Add”.

Note: To edit an existing zone bridge, in the summary at the bottom place a tick in the “Mark” box then click “Edit”.

 

Related Articles, References, Credits, or External Links

NA

 

iPhone and iPad – Configure the Cisco VPN Client

KB ID 0000360

Problem

You have already configured a Cisco ASA / PIX device to provide Client VPN connectivity, and you now wish to configure the iPhone/iPad Device.

Solution

Note: The screen shots are taken from an iPhone running iOS 4.2.1; the process for iPad is the same.

1. Select Settings.

2. Select General.

3. Select Network.

4. Scroll to the bottom of the page and select VPN.

5. Add VPN Configuration.

6. Select IPSec.

7. Description = a simple name for the connection > Server = Either the IP address or public name of the firewall > Account = Your username.

8. Group Name = Is the VPN group configured on the firewall > Secret = Is the shared secret for this Group Name.

Where do you get this information from? Basically from your IT department; they can find it out by issuing a “more system:running-config” command on the firewall.


9. Flick the VPN switch to “On”.

10. Enter your username and password > OK.

11. It may say “Starting” for a while.

12. “Connected” is what we are looking for.

14. For the duration of the connection you will see the “VPN” icon on the phone’s information bar.

 

Related Articles, References, Credits, or External Links

NA