Fortigate Hairpin NAT

KB ID 0001781

Problem

Imagine the following scenario: you have a PUBLIC web server, and it’s either on the same network as your users, or attached to a DMZ on your FortiGate.

So above, one of our users opens a web browser and attempts to go to www.ubique.com (1). Their PC does a DNS lookup for www.ubique.com and (in this case) a public DNS server returns an IP of 192.168.100.200 (2). The browser then attempts to connect to that IP, which sits on the OUTSIDE of your FortiGate, so the traffic has to HAIRPIN: out through the inside interface and straight back in to the server. Without a matching Virtual IP and policy on the inside interface the FortiGate simply drops it.

FortiGate Hairpin Solution

If you have internal DNS servers you can of course solve this problem with split DNS, (hand internal clients the server’s private IP). On a Cisco firewall you could also solve it with DNS doctoring. In fact, if you’re from a Cisco background then even the name ‘hairpin’ is confusing, because when Cisco talk about hairpinning they are usually talking about VPN traffic coming in one interface and going back out the same one. Anyway, I digress.

So to replicate the scenario above, (i.e. it being broken): from my LAN PC I cannot browse to the site, and you can see my DNS is resolving it to its public IP.

Policy &amp; Objects > Virtual IPs > Create New > Virtual IP > Give it a name > Interface = any > Set the External IP, (the public address) > Set the Internal IP, (the server’s real address) > Note: you don’t have to set port forwarding, but I’m only using TCP 80 so I’ve restricted it to that, which means the public address only ever translates to the server on port 80 > OK.

I already have a Virtual IP: If your existing web server already has a Virtual IP object, MAKE SURE it’s NOT bound to the outside interface, (or you won’t be able to select it in a minute). If you can’t edit it (because it’s in use), then you might need to remove it from the existing policy, edit or recreate it, and then add it back.

Policy &amp; Objects > Firewall Policy > Create New > Give the policy a name > Set BOTH the incoming and the outgoing interface to the internal one > Source = all > Destination = the Virtual IP you just created > Schedule = always > Service = HTTP > Disable NAT > OK.

Note: If the clients and the web server are on the SAME subnet, enable NAT on this policy instead. With NAT disabled the server sees the client’s real address and replies to it directly, bypassing the FortiGate, so the client gets an answer from the server’s private IP when it was talking to the public IP, and drops it. Source NAT makes the server reply to the FortiGate, which then un-translates both directions. If the server is in a DMZ (a different subnet) the return traffic already has to pass through the FortiGate, so NAT can stay disabled.

I can’t see the Virtual IP in the policy: Then it’s either bound to an interface that ISN’T the inside one (or ‘any’), or you have Central NAT enabled. In Central NAT mode VIPs are applied as DNAT rules automatically rather than being selected in the policy, so if you don’t want to change your global NAT mode, create an address object for the server’s internal IP and use that as the destination instead.

Now the website should work

Related Articles, References, Credits, or External Links

NA

Fortigate: One to One (Static NAT)

KB ID 0001716

Problem

If you have a host that you want to be reachable from outside the firewall, e.g. a web server, then this is the process you want to carry out. I didn’t find this process particularly intuitive, and it highlighted why I don’t like GUI management interfaces, (in 6.4 the menu names have changed, rendering a million blog pages inaccurate!)

I’m setting this up in EVE-NG on the work bench and this is what I’m trying to achieve;

So to access my web server from ‘outside’ the firewall I need to give it a NATTED ‘public’ address on 192.168.100.0/24. Here the server is on the LAN; if yours is in a DMZ then substitute the DMZ interface for the inside one I’m using.

Solution

First task is to create a ‘Virtual IP’; this will be the ‘public IP’ that the web server is reached on. From the management interface > Policy &amp; Objects > Virtual IPs > Create New > Virtual IP.

Give it a sensible name, and add a comment if you wish > Set the interface to the public facing port > Type = ‘Static NAT’ > External IP, (although it says ‘range’, just type in the single public IP) > Internal IP = the server’s LAN IP > OK.

Policy &amp; Objects > Firewall Policy > Create New.

Note: If your firewall is older than 6.4 the tab is called ‘IPv4 Policy’.

Give the entry a name > Incoming interface = the public interface > Outgoing interface = the inside/LAN interface > Source = all > Destination = YOUR VIRTUAL IP > Schedule = always > Service = ALL, (in production restrict this to HTTP and/or HTTPS: the VIP gives the server a public address, and the service list is what limits what the internet can reach on it) > DISABLE NAT, (trust me, I know that makes no sense, but the NAT toggle on a policy is SOURCE NAT; the destination translation has already been done by the Virtual IP) > OK.

Just to prove this is not all ‘smoke and mirrors’, here’s my topology running in EVE-NG, and my external host (named Public-Client) browsing to 192.168.100.110, which the FortiGate translates to 192.168.1.123.
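For anyone who prefers the CLI, (or wants to check what the GUI actually created), here is the equivalent configuration for both this article’s 1:1 static NAT and the hairpin policy from the FortiGate Hairpin NAT article above, using one VIP object for both. This is an added example and not configuration from the original articles: the interface names port1 (outside) and port2 (inside), the object and policy names, and the policy IDs 10 and 11 are assumptions; the addresses are the ones from this lab (192.168.100.110 public, 192.168.1.123 internal); and it assumes Central NAT is disabled (the default), so the VIP can be selected as a policy destination.

```text
config firewall vip
    edit "VIP-WEB-SERVER"
        set extintf "any"
        set extip 192.168.100.110
        set mappedip "192.168.1.123"
        set portforward enable
        set protocol tcp
        set extport 80
        set mappedport 80
    next
end

config firewall policy
    edit 10
        set name "Inbound-Web-1to1"
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "VIP-WEB-SERVER"
        set schedule "always"
        set service "HTTP"
        set nat disable
        set logtraffic all
    next
    edit 11
        set name "Hairpin-Web"
        set srcintf "port2"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "VIP-WEB-SERVER"
        set schedule "always"
        set service "HTTP"
        set nat enable
        set logtraffic all
    next
end
```

The FortiOS CLI has no comment syntax, so the notes are here instead. Binding the VIP to ‘any’ rather than to port1 is what lets one object serve both policies. Adding port forwarding with extport/mappedport 80 means the public address only ever translates TCP 80 to the server, whatever the policy’s service field says; without it the VIP maps every port and the service list is your only filter. The NAT setting on a policy is source NAT: it stays off on the inbound policy (the VIP already did the destination translation), but it is ON for the hairpin policy so that, when the client and the server share a subnet, the server replies to the FortiGate rather than straight to the client; the cost is that the server’s logs show the FortiGate’s inside address instead of the real client. With the server in a DMZ (a separate subnet) the hairpin article’s GUI steps with NAT disabled work, because the return traffic already passes through the FortiGate.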

Related Articles, References, Credits, or External Links

FortiGate Port Forwarding

EVE-NG Deploying Fortigate v6 Firewalls

TinyCore Linux: Build a ‘Persistent’ Web Server

TinyCore Linux: Build a ‘Persistent’ Web Server

KB ID 0001697

Problem

Recently I was building a lab for testing load balancing, and needed some web servers, I could have built three Windows servers, but I wanted to run them in EVE-NG, so they had to be as light as I could make them. I chose TinyCore Linux, (I know there are smaller options, but it’s light enough for me to run, and work with).

The problem is that when you reboot a TinyCore host it (by default) reverts to its vanilla state, (well, that’s not strictly true: anything listed in /opt/.filetool.lst and backed up with filetool.sh is restored at boot, and by default that list contains /opt and /home).

So I had to build a server that would let me SFTP some web content into it and allow me to reboot it without losing the web content, settings, and IP address.

Step 1: Configure TinyCore IP & Web Server

This is a two-step procedure; firstly I’m going to give it a static IP.

[box]

sudo ifconfig eth0 192.168.100.110 netmask 255.255.255.0
sudo route add default gw 192.168.100.1

[/box]

I don’t need DNS; if you do, then simply edit the resolv.conf file;

[box]

sudo vi /etc/resolv.conf
Add a value e.g.
nameserver 8.8.8.8

[/box]

If you are scared of  the VI editor see Using the VI Editor (For Windows Types)

To connect via SSH/SFTP you will need OpenSSH installing, and to run the website we will use the BusyBox httpd. To install both, do the following;

[box]

tce-load -wi busybox-httpd.tcz
tce-load -wi openssh

[/box]

You will now need to set a password for the root account, (so you can log on and transfer web files in!) Bear in mind this is a lab box: you are enabling password logins for root over SSH, so use a strong password and don’t expose it beyond the lab, (logging in as the tc user and using sudo, or using SSH keys, would be the better option on anything that matters).

[box]

su
passwd
Type in, and confirm a new password!

[/box]

Start the OpenSSH and TFTP services. Note: you only need tftpd if you intend to push files in with TFTP; it’s completely unauthenticated, so if you’re going to use SFTP (as below) you can leave it out;

[box]

cd /usr/local/etc/init.d/
./openssh start
cd /etc/init.d/services/
./tftpd start

[/box]

Now create a basic web page (index.html), which you can update later. Start the web server, then copy that file to a location that will be persistent, (you will see why later).

[box]

cd /usr/local/httpd/bin
sudo ./busybox httpd -p 80 -h /usr/local/httpd/bin/
sudo vi index.html {ENTER SOME TEXT TO TEST, AND SAVE}
sudo mkdir /mnt/sda1/wwwsite/
sudo cp /usr/local/httpd/bin/index.html /mnt/sda1/wwwsite/index.html

[/box]

At this point, (if you want) you can use your favourite SFTP client, (I recommend FileZilla or WinSCP) and copy some live web content into /mnt/sda1/wwwsite/. Just ensure the home/landing page is still called index.html!

Note: Using -h /usr/local/httpd/bin/ makes the directory containing the busybox binary itself the web root, so that binary is downloadable from the site. That’s fine for a throwaway lab box, but for anything else point -h at a dedicated directory, (/mnt/sda1/wwwsite/ would do, and then nothing needs copying at boot either).

Step 2: Make TinyCore Settings ‘Persistent’

There may be better ways to do this, but this worked for me and made sense. There’s a shell script that TinyCore executes as it boots (/opt/bootlocal.sh), so if you edit that file and add the commands to configure the IP, copy the website files from the persistent mount, start the web server, then start SSH and TFTP, you end up with a server doing what you want every time it boots.

[box]

sudo vi /opt/bootlocal.sh

ADD THE FOLLOWING TO THE BOTTOM OF THE FILE;

# bootlocal.sh already runs as root, so no sudo is needed here
ifconfig eth0 192.168.100.110 netmask 255.255.255.0
route add default gw 192.168.100.1
# restore ALL the web content from the persistent partition
cp -r /mnt/sda1/wwwsite/. /usr/local/httpd/bin/
# start the BusyBox web server on TCP 80
cd /usr/local/httpd/bin/
./busybox httpd -p 80 -h /usr/local/httpd/bin/
# start SSH, (and TFTP, only if you are actually using it)
/usr/local/etc/init.d/openssh start
/etc/init.d/services/tftpd start

[/box]

Save and exit the file, then finally BACK UP THE CHANGES with the following command, (this writes everything listed in /opt/.filetool.lst, which includes /opt by default, into the mydata.tgz backup that TinyCore restores at boot);

[box]

filetool.sh -b

[/box]

Related Articles, References, Credits, or External Links

NA

Certificate Chain Incomplete

KB ID 0001570

Problem

The certificate here at PNL expired over the weekend, I got a new one and installed it. All appeared to be fine until I did an online check to make sure it was OK. 

The server’s certificate chain is incomplete

Solution

I had this problem once before; back then I was using Apache and CentOS 7, and things were a little different, (now I’m using NGINX and Ubuntu 18.04). Essentially you see this error because you have bought a ‘cheap’ SSL certificate. There’s nothing wrong with that per se, but they tend to be issued from an ‘Intermediate CA’. Again there’s nothing wrong with that either, (these days nearly all certificates are), but unless your server SENDS the intermediate along with its own certificate, a client that doesn’t already have that intermediate cached can’t build the chain back to a Root CA it trusts. Browsers will often paper over this by fetching the intermediate themselves; things like curl, Java and mobile apps generally won’t, and just fail. So to fix it (and improve your score) you need to ‘embed’ the intermediate certificate in your SSL certificate file, (or all the intermediates back to the Root CA, if you have multiple intermediate certificates!)

Here I have ONE intermediate, (which is pretty normal.)

There are no special tools required to do this, other than a simple text editor: open your SSL certificate and paste the intermediate certificate at the bottom, (your own certificate FIRST, then the intermediate that issued it, then its issuer if there is one). Make sure each -----END CERTIFICATE----- line is on a line of its own and is followed by a newline, and DO NOT ADD ANY EXTRA SPACES. Like so;

Note: As you can see, you DON’T put the Root CA certificate at the bottom, (clients should already have it, and a client that doesn’t trust that root won’t start trusting it just because you sent it!) I made this mistake then got the following error;

[box]

Jun 23 14:12:29 localhost nginx[1197]: nginx: [emerg] PEM_read_bio_X509("/etc/nginx/ssl/www_petenetlive_com.crt") failed (SSL: error:0906D066:PEM routines:PEM_read_bio:bad end line)
Jun 23 14:12:29 localhost nginx[1197]: nginx: configuration file /etc/nginx/nginx.conf test failed

[/box]

Note: That ‘bad end line’ message is OpenSSL failing to parse the PEM file. It means an -----END CERTIFICATE----- line wasn’t on a line of its own, which usually happens when a certificate you pasted had no trailing newline, so the next -----BEGIN CERTIFICATE----- landed on the same line. Fix the line break, re-run the NGINX configuration test until it passes, reload NGINX, then retry your test.
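To take the hand-editing (and the ‘bad end line’ mistake) out of this, here is a small shell script that builds the chain file and sanity-checks it before NGINX ever sees it. It is an added example, not part of the original article: the file names (www_example_com.crt, intermediate.crt, root.crt) are assumptions, the PEM blocks the demo writes are constructed placeholders and NOT real certificates, and the openssl step at the end needs openssl installed and real certificates to be meaningful.

```shell
#!/bin/sh
# Added example (not from the original article). File names are assumptions.
set -eu

# build_chain OUTPUT LEAF INTERMEDIATE...
# Writes the server certificate first, then each intermediate in order
# (leaf -> its issuer -> that issuer's issuer), which is the order TLS wants.
# CRLF line endings are normalised, and if a source file has no trailing
# newline one is added; otherwise the next "-----BEGIN CERTIFICATE-----"
# lands on the END line of the previous cert and nginx fails with
# "PEM_read_bio:bad end line".
build_chain() {
    out=$1; shift
    : > "$out"
    for pem in "$@"; do
        tr -d '\r' < "$pem" >> "$out"
        [ -z "$(tail -c 1 "$out")" ] || printf '\n' >> "$out"
    done
}

# check_chain FILE
# Text-only sanity check, no OpenSSL needed. Prints the number of certificates
# and returns 0 if every BEGIN/END marker sits alone on its own line and the
# markers are balanced; returns 1 otherwise.
check_chain() {
    file=$1
    # a line containing a marker that is not exactly a marker: the "bad end line" case
    if grep -e '-----BEGIN CERTIFICATE-----' -e '-----END CERTIFICATE-----' "$file" \
        | grep -qv -e '^-----BEGIN CERTIFICATE-----$' -e '^-----END CERTIFICATE-----$'; then
        echo "check_chain: marker not on its own line in $file (missing newline?)" >&2
        return 1
    fi
    begins=$(grep -c -e '^-----BEGIN CERTIFICATE-----$' "$file" || true)
    ends=$(grep -c -e '^-----END CERTIFICATE-----$' "$file" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "check_chain: unbalanced markers in $file ($begins BEGIN / $ends END)" >&2
        return 1
    fi
    echo "$begins"
}

# verify_chain CHAIN ROOT_CA
# Cryptographic check with OpenSSL: verifies the first certificate in CHAIN
# (the leaf) using the remaining certificates in CHAIN as untrusted
# intermediates and ROOT_CA as the trust anchor. The root is used ONLY here;
# it is not appended to the chain file nginx serves.
verify_chain() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 2; }
    openssl verify -CAfile "$2" -untrusted "$1" "$1"
}

# make_sample_certs DIR
# Writes two constructed placeholder PEM blocks (NOT real certificates) so the
# structural checks can be exercised offline. The "leaf" deliberately has no
# trailing newline, reproducing the mistake that causes "bad end line".
make_sample_certs() {
    dir=$1
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'TEFCLUxFQUYtUExBQ0VIT0xERVI=' \
        '-----END CERTIFICATE-----' > "$dir/www_example_com.crt"
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'TEFCLUlOVEVSTUVESUFURQ==' \
        '-----END CERTIFICATE-----' > "$dir/intermediate.crt"
}

# Stand-alone demo:  sh chain.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_sample_certs "$work"
    # what a naive "cat a b > c" produces when a lacks its final newline
    cat "$work/www_example_com.crt" "$work/intermediate.crt" > "$work/naive.crt"
    check_chain "$work/naive.crt" || echo "naive cat: broken, exactly as nginx reports"
    build_chain "$work/chain.crt" "$work/www_example_com.crt" "$work/intermediate.crt"
    echo "built chain with $(check_chain "$work/chain.crt") certificate(s)"
    rm -rf "$work"
fi
```

Run it with `demo` to see the naive concatenation fail and the built chain pass; with real files, `build_chain fullchain.crt www_example_com.crt intermediate.crt`, then `check_chain fullchain.crt`, then `verify_chain fullchain.crt root.crt` before pointing ssl_certificate at it.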

Related Articles, References, Credits, or External Links

NA

Citrix NetScaler – Simple HTTP Site Load Balancing

KB ID 0001188 

Problem

Here is the simplest load balancing scenario I can think of: I’ve got two web servers (on HTTP, TCP port 80) and I’m presenting them through my NetScaler as a single HTTP Virtual Server.

Solution

First we add the ‘back-end’ servers. Connect to the management IP of your NetScaler and login > Configuration > Traffic Management  > Load Balancing > Servers > Add.

Define a name for the first server and enter its IP address > Create.

Repeat to add the second internal web server. 

Now I’m going to group these servers together in a ‘service group’, (you don’t have to; you can present them individually to the virtual server you will create in a minute if you prefer). Configuration > Traffic Management > Load Balancing > Service Groups > Add.

Name the group and set the protocol to HTTP  > OK.

When created, you will see it says ‘No Service Group members’  > Click there.

Select ‘Server Based’ > Click the search arrow.

Tick them all > Select.

Set the port (HTTP is TCP port 80) > Create.

OK.

Now we need to add a monitor; this is what the NetScaler uses to check that your ‘back-end’ servers are actually answering on TCP port 80 (HTTP), so it can stop sending traffic to one that’s down. Click Monitors.

This confused me for a while, selecting things on the right, drops them at the bottom of the main page > Click ‘No service Group Monitor Binding’.

NetScaler has a pre-configured monitor for HTTP, (it sends a HEAD request for / and expects a 200 response, so make sure your servers actually return 200 for that, or they will be marked DOWN), and I’m going to use that > Click the search arrow.

Click ‘http’  > Select.

Bind.

Done.

Now we tie all that together in a ‘Virtual Server’ > Configuration > Traffic Management  > Load Balancing > Virtual Servers > Add.

Give the Virtual Server a name > Protocol = HTTP > Specify the IP address (this is the VIP the NetScaler presents to clients) > Port 80 > OK.

Now we need to add the group we created earlier; click where it says ‘No Load Balancing Virtual Server ServiceGroup Binding’.

Click the search arrow.

Click the group you created earlier > Select.

Bind.

Continue.

Done.

Save your hard work.

You should be green across the board.

To test this I put a different web ‘welcome’ page on each of the servers; that way, as I refresh the page, I can see the NetScaler is doing its job and balancing the requests across both back-end web servers.

Related Articles, References, Credits, or External Links

NA

Mac OSX and Linux – Quick and Dirty Web Server

KB ID 0001157 

Problem

I was clearing out some old emails yesterday, and saw one my colleague Steve had sent me. It was info on how to fire up a quick web server on your mac. It wasn’t until I took a look at it, I realised how handy it was.

After some reading, I found that it was not only possible on a Mac, but on Linux as well, (as long as python is installed).

WHAT USE IS THAT? What if you want to send a large file to a colleague? Yes, you could use USB drives or Dropbox, but executing one command is a lot quicker. Or what if you are on a site where everything is locked down and only a few ports are open, but you need to get a file somewhere? Do a quick nmap scan, find a port that’s allowed through, and serve your files over that port instead.

Solution

First open a terminal window, then navigate to the folder you want to ‘serve’. Then simply execute the following command;

[box]

python -m SimpleHTTPServer 8080

[/box]

Note: TCP port 8080 is just the port I chose; use whatever you need. (SimpleHTTPServer is the Python 2 module name; on Python 3 the same module is called http.server.)
Then simply browse to http://{Your-IP-Address}:8080 (it’s plain HTTP, not HTTPS).

Note: This serves the WHOLE folder (and every subfolder) to anyone who can reach that port, with no authentication and no encryption, so run it from a folder that only holds what you mean to share, and stop it (Ctrl+C) as soon as the transfer is done.

BE AWARE: You shouldn’t see a problem if you use any port ABOVE 1024; if you choose a lower port you may see ‘Permission Denied’ errors.

To get round that, ‘sudo’ the command, (unless you are already logged into Linux as root!), bearing in mind the web server then runs as root.

Related Articles, References, Credits, or External Links

NA

Can I delete _vti_inf.html and the _vti folders?

KB ID 0000742 

Problem

I was doing some site tidying this week. Usually if I don’t know what something is I leave it alone, but I was on a mission! I had a bunch of files/folders in the root of my website that, a) I didn’t know what they were doing, and b) I wanted to delete.

File: _vti_inf
Folders: _private, _vti_bin, _vti_cnf, _vti_log, _vti_pvt, _vti_txt

Solution

As it turns out these folders are needed for FrontPage and the FrontPage Server Extensions. I CAN simply delete them, but since my web host provides me with cPanel access to the website, I can simply uninstall the extensions there, and that removes all the junk for me, (I don’t intend to use FrontPage). Leaving unused FrontPage Extensions lying around is worth avoiding anyway: _vti_pvt in particular can hold the service.pwd password file, and these folders are a favourite target of web scanners.

1. Log into cPanel, locate FrontPage Extensions.

2. Uninstall Extensions.

3. You should see something similar.

4. Now we are a bit less cluttered.

Related Articles, References, Credits, or External Links

NA

RSA SecurID Error – ‘106: The Web server is busy. Please try again later’

KB ID 0000975 

Problem

Not the most descriptive of errors! In fact this has got nothing to do with the busyness of the web server at all.

Solution

What’s actually happening is the RSA agent on this machine (in this case a web server) cannot communicate with the RSA Authentication Manager. In my case the web server was in one DMZ, and the RSA Authentication Manager appliance was in another DMZ. The required ports (TCP 5500, UDP 5500, and TCP 5580) were not open from the agent to the appliance. Once I fixed that, we were up and running.

Related Articles, References, Credits, or External Links

NA

Windows Server – Installing IIS and PHP

KB ID 0000879

Problem

What used to be a complicated task has been simplified greatly by the Microsoft Web Platform Installer. The process of adding PHP is the same for Windows 8, (though to install IIS there you need to enable it as a Windows feature: run appwiz.cpl > Turn Windows features on or off).

Solution

1. From Server Manager (ServerManager.exe) > Manage > Add Roles and Features > Follow the wizard and in the Server Roles section tick ‘Web Server IIS‘.

2. At the Role Services selection expand Application Development > Select CGI > Complete the wizard and let the role install.

3. Once complete, open a web page and navigate to http://localhost and you should be greeted with the following.

4. Download the Microsoft Web Platform Installer.

5. Run the installer > Products > Frameworks > PHP {version} > Add.

6. I Accept > The software will install.

7. To test open notepad and create a file with the following;

[box]
<?php phpinfo(); ?>
[/box]

8. Save the file into {Drive Letter}:\inetpub\wwwroot > Change the file type to ‘All Files’ > call it phpinfo.php > Save.

Note: The drive letter will usually be C: unless you have moved the IIS root folder.

9. To test PHP > open a browser and navigate to http://localhost/phpinfo.php > You should see something like the following.

Note: phpinfo() discloses the PHP version, loaded modules, file paths and environment variables, which is exactly what an attacker wants to see, so delete phpinfo.php once you’ve confirmed PHP is working.

Related Articles, References, Credits, or External Links

NA

IIS – ‘This Web site cannot be started. Another Web site may be using the same port’.

KB ID 0000660 

Problem

After being unable to access my Exchange Management Console, it turned out the Default Web Site had stopped. When I attempted to start it I was greeted with this error.

Solution

1. Nothing was using the usual web ports (80 and 443), which I found out by running the following two commands;

[box]

netstat -aon | find ":80"
netstat -aon | find ":443"

[/box]

Note: If you do have a process using these ports, it will be shown in the LISTENING state with its PID. (find ":80" will also match things like port 8080 or an address ending in .80, so read the Local Address column carefully.) To find out what that PID is, right click your Taskbar > Start Task Manager > Processes tab > View > Select Columns > turn on the PID column > locate the PID and investigate.

2. My problem was a ‘binding’ to https that had no information in it. Right click the website > Edit Bindings > here you can remove any spurious entries. (Warning: if you’re unsure, document every binding before you remove it, just in case; on an Exchange server these Default Web Site bindings are what OWA and the management tools rely on.)

Related Articles, References, Credits, or External Links

NA