Cisco FTD (and ASA) Creating AnyConnect Profiles

KB ID 0001685

Problem

A few days ago I did an article on Deploying Cisco AnyConnect with the Cisco FTD, where I glossed over the AnyConnect profile section. For a long time now we have been able to create and edit the AnyConnect profile from within the firewall (provided it is running ASA code), but for the FTD we need to take a step backwards and go back to using the 'offline' AnyConnect profile editor.

Solution

Firstly you need to download the offline profile editor; you will find it on the Cisco AnyConnect Mobility Client download page;

I won't insult your intelligence, the setup is straightforward;

Launch the editor, and the screen you will see is exactly the same as the profile editor in a Cisco ASA (when launched from within the ASDM).

Note: I'm not going to go through all the settings (this post would become immense!). Typically I set 'Windows VPN Establishment' to allow users who are connected over RDP to bring the tunnel up, and set the public FQDN of the firewall in the server list for my AnyConnect profile. If you don't need the RDP option, leave it at the default (local users only), which is the less permissive setting.

Once you have finished, you can simply save the settings as an XML file.
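For reference, this is roughly what the saved file looks like, as an added example (my own, not a profile from the article), trimmed to the two settings mentioned above plus the handful a practitioner normally checks before pushing a profile out. Element names follow the editor's own XML; the host name, display name and most values are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <!-- Split tunnelling to the local LAN is a policy decision; default it off -->
    <LocalLanAccess UserControllable="true">false</LocalLanAccess>
    <!-- Let the head-end push client updates -->
    <AutoUpdate UserControllable="false">true</AutoUpdate>
    <!-- Drop the VPN if a second user logs on to the machine -->
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <!-- This is the "allow RDP connections" option from the editor: a user who
         reached this machine over RDP may bring the tunnel up. The default,
         LocalUsersOnly, is the safer choice if you do not need it. -->
    <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
    <!-- OnConnect/OnDisconnect scripts run on every client; keep them off unless used -->
    <EnableScripting UserControllable="false">false</EnableScripting>
    <!-- Users can only pick head-ends from the ServerList below -->
    <AllowManualHostInput>false</AllowManualHostInput>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <!-- Display name shown in the client, and the public FQDN of the firewall -->
      <HostName>Company VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

The firewall hands this file to the client when it connects, so anything you change here reaches every user on their next connection; AllowManualHostInput=false is the setting that stops users typing an arbitrary head-end into the client.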

Import an AnyConnect ‘Profile XML File’ into Cisco ASA

As mentioned above, with all 'modern' versions of the ASDM/AnyConnect client you can create and edit an AnyConnect profile directly from within the ASDM. But (for completeness) here's how to import one you created externally (or exported from another firewall).

Configuration >Remote Access VPN > Network (Client) Access > AnyConnect Client Profile > Import.

Import an AnyConnect ‘Profile XML File’ into Cisco FTD

Objects > AnyConnect Client Profiles > Create AnyConnect Client Profile > Give it a name > Upload.

Browse to, and select the previously created XML file > Open.

Then save and deploy the changes (this takes ages!).

You can now select this 'profile file' when setting up AnyConnect, or edit any existing AnyConnect Remote Access VPN configuration and add this profile to it.

Related Articles, References, Credits, or External Links

Cisco Firepower 1010 Configuration

RDS – Custom Start Menu (Remove Administrative Tools)

KB ID 0001207 

Problem 

Why is it so difficult to remove Administrative Tools! The one folder you might not want your users having access to is on everyone's start menu by default. I've seen posts saying to change the permissions so users can't run the snap-ins in that folder, other posts that suggest removing it from the 'all users' profile, and yet more posts that say remove it in preferences with a post-Vista start menu. NONE OF THAT WORKED.

This solution is for Windows Server 2012 R2; if you're running an earlier version then I invite you to post a decent solution at the bottom of the page.

What I did was create a custom Start screen, export that to XML, then configure all my users to use that Start screen.

Solution

Log in as an administrator, and tailor the Start screen to how you would like it for your users.

Then open a PowerShell session and export the settings to an XML file. I've already set up a network share on the RDS server itself to store the XML file in (grant users 'read' rights to the share and nothing more: anyone who can write to this file controls every user's Start screen).

[box]

Export-StartLayout -Path \\{server-name}\{share-name}\{file-name.xml} -As xml

[/box]

Now on the GPO linked to your RDS Server(s) add the following;

[box]

Computer Configuration > Administrative Templates > Start Menu and Taskbar > Start Screen Layout

[/box]

Enable the policy and point it at the file you exported above. Then either force a policy refresh (gpupdate /force) or wait a while for the new policy to take effect.
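The three steps above, as an added example in PowerShell (my script, not the article's): it exports the layout, checks that nobody but administrators can write to the exported file, and then reads back the registry values the 'Start Screen Layout' policy writes so you can confirm it applied on a session host. The share path and the principal names it treats as trusted are assumptions; change them to suit. The -As switch is accepted on Windows 8.1 / Server 2012 R2, the platform this article is for; later versions of Export-StartLayout drop it.

```powershell
# Added example, not from the original article.
$LayoutPath = '\\RDS01\StartLayout\Start.xml'   # assumed share; users need Read only

# 1. Export the Start screen you tailored while logged on as an administrator.
Export-StartLayout -Path $LayoutPath -As xml

# 2. Every user's session reads this file, so a writable file is a way to put
#    arbitrary tiles (and shortcuts) on everyone's Start screen. Warn if any
#    principal other than the ones listed has write rights.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]::Write
$trusted   = 'Administrators|SYSTEM|CREATOR OWNER'     # assumption: adjust to your environment
$offenders = (Get-Acl -Path $LayoutPath).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band $writeBits) -ne 0) -and
    ($_.IdentityReference.Value -notmatch $trusted)
}
foreach ($ace in $offenders) {
    Write-Warning "Write access on the layout file: $($ace.IdentityReference)"
}

# 3. After linking the GPO and running gpupdate on a session host, these are the
#    values the Start Screen Layout policy sets. StartLayoutFile should be the
#    UNC path you entered, LockedStartLayout should be 1.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'
Get-ItemProperty -Path $policyKey -Name LockedStartLayout, StartLayoutFile -ErrorAction SilentlyContinue |
    Format-List LockedStartLayout, StartLayoutFile
```

If step 3 prints nothing, the policy has not applied yet (or is linked to the wrong OU); if step 2 warns, fix the NTFS permissions before you go any further.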

Related Articles, References, Credits, or External Links

NA

RSS Error – Your feed appears to be encoded as “UTF8”, but your server is reporting “US-ASCII”

KB ID 0000889 

Problem

I don't validate and check the site's RSS feed as often as I should, but post server migration I got this error;

This feed is valid, but interoperability with the widest range of feed readers could be improved by implementing the following recommendations.
Your feed appears to be encoded as "UTF8", but your server is reporting "US-ASCII"

Solution

As you can see by the section I've indicated above, I can see where UTF-8 is being set in the feed itself (the encoding declaration in the XML prolog). I just need my server (CentOS with Apache) to report the same charset in its Content-Type header.

1. Edit (or create, in the same directory as the RSS XML file) a .htaccess file and add the following lines to the end. This only works if the main Apache config allows it for that directory (AllowOverride FileInfo, or AllowOverride All); with AllowOverride None the file is never read.

[box]

# Add the UTF-8 Character Set
AddCharset UTF-8 .xml

[/box]

2. A change in .htaccess takes effect on the next request. If you put the directive in the main httpd.conf instead, restart Apache (on CentOS the service is httpd, not https).

[box]

service httpd restart

[/box]
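To confirm the fix you need to compare what the server says in its Content-Type header with what the feed says in its XML prolog, which is exactly the comparison the validator makes. The script below is an added example (mine, not from the article) that does that comparison; the headers and feed embedded in it are constructed samples, one set matching the broken server and one the fixed one. In real use, feed the functions the output of curl -sI (headers) and curl -s (body) for your feed URL.

```sh
#!/bin/sh
# Added example, not from the original article: check that the charset the
# web server announces matches the encoding the feed declares.

# Print the charset from a Content-Type header, lowercased, or "none".
header_charset() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i '^content-type:' \
        | sed -n 's/.*charset=\([^; ]*\).*/\1/p' | tr 'A-Z' 'a-z' \
        | head -n 1 | grep . || echo none
}

# Print the encoding from the <?xml ... ?> declaration, lowercased, or "none".
xml_encoding() {
    printf '%s\n' "$1" | head -n 1 \
        | sed -n "s/.*encoding=[\"']\([^\"']*\)[\"'].*/\1/p" | tr 'A-Z' 'a-z' \
        | grep . || echo none
}

# Exit 0 only when both agree; "utf8" and "utf-8" are treated as the same thing.
charset_consistent() {
    h=$(header_charset "$1" | sed 's/-//g')
    x=$(xml_encoding "$2" | sed 's/-//g')
    [ "$h" = "$x" ]
}

# Constructed samples: what the server returned before and after the fix.
BAD_HEADERS='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/xml; charset=US-ASCII'

GOOD_HEADERS='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/xml; charset=UTF-8'

FEED='<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel><title>Example feed</title></channel></rss>'

for hdrs in "$BAD_HEADERS" "$GOOD_HEADERS"; do
    if charset_consistent "$hdrs" "$FEED"; then
        echo "OK: server charset matches the feed encoding"
    else
        echo "MISMATCH: server says $(header_charset "$hdrs"), feed says $(xml_encoding "$FEED")"
    fi
done
# Real use: charset_consistent "$(curl -sI https://example.com/rss.xml)" "$(curl -s https://example.com/rss.xml)"
```

A header with no charset at all reports as "none", which also fails the check; that is the case where Apache's default (or AddDefaultCharset) decides what readers see.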

Related Articles, References, Credits, or External Links

NA

RSA Authentication Manager – Importing SecurID Tokens

KB ID 0001080 

Problem

It's been a while since I had to do this; you used to simply take a number from the token pack, import it into the RSA Authentication Manager, job done. Now the tokens are shipped to you encrypted: you need to register them with RSA, decrypt them, then import them.

Solution

1. The tokens come with their token records encrypted, on an accompanying CD. Go to the URL specified on the CD.

2. Good job I was alone and had no CD drive! Anyway, the two numbers you need to enter on the website to register are;

  • Token Pack ID: On the sleeve, and on the CD
  • Confirmation Number : On the CD

3. When you have finished registration you will download a .zip file, save it somewhere sensible.

4. Put the CD in a computer > run the 'Token Decryption Utility' > you will need to give it the .zip file you downloaded and a password.

5. When complete, you will be given two files: an XML file that has all your token information (these are the decrypted token seed records, so treat the file as a secret, keep it off shared drives and delete it once the import has succeeded).

6. And a password file, which gives you the password to import the XML file with.

7. Armed with these two files log into the 'Security Console' > Administration > SecurID Tokens > Import Tokens Job > Add New.

8. Give the job a name, accept all the defaults and browse to the XML file, then copy and paste in the password from the text file and run the import job. Check on the Completed tab to make sure it was a success.

Related Articles, References, Credits, or External Links

NA

Windows – Export / Recover WEP and WPA Wireless Keys

KB ID 0001015 

Problem

If you need to connect to your wireless network with a new machine and have forgotten the key, you can view the WEP or WPA key in cleartext using the following procedure on a machine that has connected before. You need local administrator rights on that machine, which is also why a lost or compromised laptop gives up every Wi-Fi key it has ever saved.

Solution

1. First launch PowerShell; ensure you 'Run as administrator'.

2. To show all the wireless profiles stored on this machine, issue the following command;

[box]

netsh wlan show profiles

[/box]

3. From the output above, the wireless profile I want the key for is called SMOGGYNINJA-N. Note: This is the same as the wireless network's SSID. To view the wireless key in clear text use the following command;

[box]netsh wlan show profiles name="SMOGGYNINJA-N" key=clear[/box]

You can also export the profile from one PC and import it on another (so you don't have to type the key on the new PC) with the following two commands. Without key=clear the exported XML holds the key in a protected form that only the original machine can decrypt, so the profile imports but cannot connect; with key=clear the key is in plain text in the file, so delete the folder once the profile has been imported.

To Export a Wireless Profile

[box]md c:\WiFi
netsh wlan export profile name="SMOGGYNINJA-N" folder=c:\WiFi key=clear[/box]

To Import a Wireless Profile

Copy the WiFi folder you created in the step above to the new PC/Laptop, then execute the following command. Note: Change the path to match your XML file (netsh names the file after the interface and the SSID).

[box]netsh wlan add profile filename="c:\WiFi\Wi-Fi-SMOGGYNINJA-N.xml" user=current[/box]
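The procedure above recovers one key at a time. An added example (my script, not the article's) that does the whole machine in one pass, which is how a forensic examiner, or an attacker who has just got local admin on a laptop, would actually use netsh. It runs from an elevated PowerShell prompt; the regular expressions match the English labels in netsh's output ("All User Profile", "Key Content"), so adjust them on a localised Windows.

```powershell
# Added example, not from the original article: list every saved WLAN profile
# with its recovered key. Requires an elevated prompt.
$profileNames = netsh wlan show profiles |
    Select-String -Pattern 'All User Profile\s*:\s*(.+)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }

$results = foreach ($name in $profileNames) {
    # Same command as step 3 above, once per profile
    $detail = netsh wlan show profile name="$name" key=clear

    $auth = $detail | Select-String -Pattern '^\s*Authentication\s*:\s*(.+)$' |
        Select-Object -First 1 | ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }
    $key  = $detail | Select-String -Pattern '^\s*Key Content\s*:\s*(.+)$' |
        Select-Object -First 1 | ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }

    # 802.1X (enterprise) profiles carry no pre-shared key, so "Key Content" is absent
    $keyText = if ($key) { $key } else { '(no PSK stored)' }

    [PSCustomObject]@{
        SSID           = $name
        Authentication = $auth
        Key            = $keyText
    }
}

$results | Format-Table -AutoSize

# To move one profile to another PC with its key, export it in clear (the XML
# then contains the PSK in plain text; delete it once imported):
# netsh wlan export profile name="SMOGGYNINJA-N" folder=C:\WiFi key=clear
```

If a network's key turns up here that you did not expect a given user to know, remember the user only needed a few minutes of local admin on any machine that had ever joined it.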

Related Articles, References, Credits, or External Links

Hacking Wireless WEP Keys with BackTrack and Aircrack-ng

Deploy ODBC Settings via Group Policy

KB ID 0000805 

Problem

I've briefly mentioned this before when I wrote about Group Policy Preferences, so when I had to do this on-site this week I jumped straight into the Group Policy Management Console and found that because my ODBC connection was using SQL authentication (with the SQL sa account), this would NOT WORK (it only works with Windows authentication, and even then it needs a tweak). If you are using SQL authentication jump down to the bottom of the article.

Solution

NOTE: Below I’m dealing with user DSN ODBC connections, so I’m looking at User Policies, if you want to send out Machine DSN ODBC connections then you need to be looking at Computer Policies.

Deploy ODBC Settings via Group Policy Preferences (Windows Authentication)

The GPP is pretty easy to locate you will find it in;

[box]

User Configuration > Preferences > Control Panel Settings > Data Sources

OR

Computer Configuration > Preferences > Control Panel Settings > Data Sources

[/box]

However you will find there is a bug in the system which means it does not deploy.

ODBC Settings fail to Deploy via GPO

1. Locate the ODBC connection that you are trying to deploy > right click > Copy.

2. Right click your desktop and 'paste' > you will get an XML file > open it with Notepad > delete the username and cpassword attributes > save the file. (You should never leave a cpassword in a GPP XML file anyway: Microsoft published the AES key used to encrypt it, so any domain user who can read SYSVOL can recover the password, which is why MS14-025 removed the ability to set one.)

3. Then delete the original ODBC file from your group policy.

4. Drag the XML file into the policy, in its place > Select ‘Yes’ to import it.

WARNING: Do not open its settings/properties from this point forward, or it will break again.
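Step 2 above is the security-relevant one, so here it is automated, as an added example (my code, not the article's). It removes the credential attributes from a GPP XML file the way the Notepad edit does, and the same finder can be pointed at a copy of SYSVOL to report any cpassword left behind in DataSources.xml, Drives.xml, Groups.xml and friends. The DataSources.xml embedded in it is a constructed sample; the attribute names follow the GPP convention and the cpassword value is a placeholder, not a real encrypted blob.

```python
"""Find and strip credential attributes in Group Policy Preferences XML.

Added example for this article, not the article's own code.
"""
import os
import xml.etree.ElementTree as ET
from typing import List, Tuple

# GPP attribute names that carry credentials. Matched case-insensitively
# because the casing differs between preference types (userName vs username).
SENSITIVE_ATTRS = {"cpassword", "username"}

# Constructed sample of a Data Sources item as GPP pastes it to the desktop.
# The cpassword value is a made-up placeholder, not a real encrypted blob.
SAMPLE_DATASOURCES_XML = """<?xml version="1.0" encoding="utf-8"?>
<DataSources>
  <DataSource name="AppDSN" status="AppDSN" image="1" userContext="1">
    <Properties action="U" userDSN="1" dsn="AppDSN" driver="SQL Server"
                description="Application database"
                username="sa" cpassword="EXAMPLE-ONLY-not-a-real-blob=">
      <Attributes>
        <Attribute name="SERVER" value="sql01.example.local"/>
        <Attribute name="DATABASE" value="AppDb"/>
      </Attributes>
    </Properties>
  </DataSource>
</DataSources>
"""


def find_credentials(xml_text: str) -> List[Tuple[str, str, str]]:
    """Return (element tag, attribute name, value) for every non-empty
    credential attribute anywhere in a GPP XML document."""
    root = ET.fromstring(xml_text)
    hits = []
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            if attr.lower() in SENSITIVE_ATTRS and value:
                hits.append((elem.tag, attr, value))
    return hits


def strip_credentials(xml_text: str) -> str:
    """Return the document with every credential attribute removed, i.e. what
    step 2 above does by hand. Everything else (DSN, driver, server) is kept."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        for attr in [a for a in elem.attrib if a.lower() in SENSITIVE_ATTRS]:
            del elem.attrib[attr]
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


def scan_sysvol(sysvol_root: str) -> List[Tuple[str, str, str, str]]:
    """Walk a SYSVOL (or any folder of GPP XML) and report every credential
    attribute as (file path, element tag, attribute, value)."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8-sig") as fh:
                    for tag, attr, value in find_credentials(fh.read()):
                        findings.append((path, tag, attr, value))
            except (ET.ParseError, UnicodeDecodeError):
                continue  # not every .xml under SYSVOL is a GPP file
    return findings


if __name__ == "__main__":
    for tag, attr, value in find_credentials(SAMPLE_DATASOURCES_XML):
        print(f"{tag}: {attr}={value}")
    print(strip_credentials(SAMPLE_DATASOURCES_XML))
    # scan_sysvol(r"\\dc01\SYSVOL\example.local\Policies")  # real use, assumed path
```

Run scan_sysvol against a domain's Policies folder as any ordinary domain user: anything it returns is readable by every other domain user too.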

Getting ODBC Settings from a Clients Registry

1. You may wish to locate and extract the ODBC settings from a working client. You can find the settings in a working client machine's registry and simply export them so you can import them on a target machine, or deploy them via GPP or logon script.

[box]

User DSNs
HKEY_CURRENT_USER\Software\ODBC\ODBC.INI
Machine DSNs
HKEY_LOCAL_MACHINE\Software\ODBC\ODBC.INI
Machine DSNs created with a 32-bit driver on 64-bit Windows
HKEY_LOCAL_MACHINE\Software\Wow6432Node\ODBC\ODBC.INI

[/box]

2. Right click the key that corresponds to the 'name' of the ODBC connector that you wish to export > Export > Save.

Deploy ODBC Settings via Group Policy Preferences (SQL Authentication)

In this example I've merged the ODBC connection details into the registry; you could just as easily set them up manually, as long as they exist either on the machine you are creating the policy on or on another machine you have 'remote registry' rights to.

1. Create or edit a group policy and navigate to;

[box]User Configuration > Preferences > Windows Settings > Registry > Collection
[/box]

Select New > Registry Wizard.

2. Select where you want to collect the registry information from > Next.

3. Navigate to;

[box]

User DSNs
HKEY_CURRENT_USER\Software\ODBC\ODBC.INI
Machine DSNs
HKEY_LOCAL_MACHINE\Software\ODBC\ODBC.INI
Machine DSNs created with a 32-bit driver on 64-bit Windows
HKEY_LOCAL_MACHINE\Software\Wow6432Node\ODBC\ODBC.INI

[/box]

Select the ODBC name that corresponds to the one you want to collect, then select all the settings within that key > Finish.

4. The finished GPP should look like this > close the policy editor.

 

Related Articles, References, Credits, or External Links

NA

WDS – “The Network Path was not found” when adding an Unattend file

KB ID 0000487

Problem

Saw this last week while trying to use an unattend file for the roll-out of some machines with WDS.

Every time you try to enter a value you get "The network path was not found"; no combination of file path or UNC path seems to cure the problem.

Solution

This is a "work around" not a fix: essentially the dialog will not accept any value you put into the path without throwing an error, and if you close and reopen the page the value you entered has not been accepted.

So we are going to populate the entry by editing the registry. If you go back and view the entry afterwards it will STILL ERROR, but the value will stay put and the unattend file will work (providing the path you specify is correct, of course!).

1. On the WDS server >Start > regedit {enter}.

2. Navigate to:

[box]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WdsImgSrv\Unattend[/box]

3. Locate the “Enabled” value and change it from 0 to 1.

4. Below this key you will see there is a sub-key for each processor architecture (x86, x64 and so on). I'm adding a 32-bit (x86) unattend file, so expand that and set the "FilePath" value to your unattend XML file. Note: the path is relative to the WDS RemoteInstall root, so keep it simple and put your unattend file in the WdsClientUnattend folder; in this example mine is called WDSClientUnattend.xml, so the value is WdsClientUnattend\WDSClientUnattend.xml.

5. Finally restart the "Windows Deployment Services Server" service (service name WDSServer).
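Steps 1 to 5 in one go, as an added example in PowerShell (my script, not the article's), with a check that the file actually exists before the policy is switched on, since a bad FilePath only shows up when a client PXE boots. The RemoteInstall path and file name are assumptions; $Arch is x86 to match the article (use the x64 sub-key for 64-bit images).

```powershell
# Added example, not from the original article. Run from an elevated prompt on the WDS server.
$RemoteInstall = 'D:\RemoteInstall'                         # assumed WDS root
$Arch          = 'x86'                                      # sub-key under ...\Unattend
$UnattendFile  = 'WdsClientUnattend\WDSClientUnattend.xml'  # relative to the WDS root

# 0. Sanity check: does the file exist where WDS will look for it?
$fullPath = Join-Path $RemoteInstall $UnattendFile
if (-not (Test-Path -LiteralPath $fullPath)) {
    throw "Unattend file not found at $fullPath; clients would fail at boot time."
}
# This file is handed to every PXE client, so anything in it is effectively
# public. Warn if it carries a WDS logon password.
if (Select-String -LiteralPath $fullPath -Pattern '<Password>' -Quiet) {
    Write-Warning 'The unattend file contains a <Password> element; make sure that account can do nothing but read WDS images.'
}

# 1-4. The values the broken dialog refuses to write.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WdsImgSrv\Unattend'
Set-ItemProperty -Path $key -Name Enabled -Value 1 -Type DWord
Set-ItemProperty -Path (Join-Path $key $Arch) -Name FilePath -Value $UnattendFile -Type String

# 5. Restart the Windows Deployment Services Server service and read the value back.
Restart-Service -Name WDSServer
Get-ItemProperty -Path (Join-Path $key $Arch) -Name FilePath
```

The supported way to write the same two values is wdsutil /Set-Server /WdsUnattend /Policy:Enabled /File:WdsClientUnattend\WDSClientUnattend.xml /Architecture:x86, which is worth trying first; the registry edit is what you fall back to when the console dialog misbehaves.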

 

Related Articles, References, Credits, or External Links

NA

WDS – Unattended file – Removing /Formatting Drive Partitions

KB ID 0000490 

Problem

Over the last couple of years I've done a lot of imaging of school PCs; I don't know why, but they come with a myriad of different drive and partition configurations. Even big vendors like HP and Dell ship their machines with recovery partitions these days.

If you are imaging with WDS this can cause a problem, so what I usually want to do is remove all the partitions, create one big one that takes up the whole drive, and format it as NTFS.

Solution

Before you begin make sure you are clued up on working with WDS unattended files, run through my instructions here.

The following procedure needs to be added to the WDS unattend file, NOT the unattend file for the image (again, run through KB0000180 if you are unsure).

1. While editing your unattend answer file, locate "Microsoft-Windows-Setup_neutral" and add "DiskConfiguration" to the "1 windowsPE" pass.

2. Right click it and add a Disk > set DiskID = 0 > set WillWipeDisk = true (this destroys everything on that disk, recovery partitions included, which is the point; make sure disk 0 is the drive you think it is on machines with more than one).

3. Right click CreatePartitions > add a CreatePartition > set Extend = true > set Order = 1 > set Type = Primary.

4. Right click ModifyPartitions > add a ModifyPartition > set Active = true > set Extend = false > set Format = NTFS > set Label = SYSTEM > set Letter = C > set Order = 1 > set PartitionID = 1.

5. This procedure will add the following to your unattend file.
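The XML the four steps above produce, written out as an added example (mine, assembled from the values in the steps, not a copy of the article's screenshot). The component wrapper is the standard one for the windowsPE pass; processorArchitecture is x86 here because that is the image the author is deploying.

```xml
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup" processorArchitecture="x86"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <DiskConfiguration>
        <!-- Only stop to show a dialog if something fails -->
        <WillShowUI>OnError</WillShowUI>
        <Disk wcm:action="add">
          <!-- Step 2: the first disk WinPE enumerates, wiped completely -->
          <DiskID>0</DiskID>
          <WillWipeDisk>true</WillWipeDisk>
          <CreatePartitions>
            <!-- Step 3: one primary partition that grows to fill the disk -->
            <CreatePartition wcm:action="add">
              <Order>1</Order>
              <Type>Primary</Type>
              <Extend>true</Extend>
            </CreatePartition>
          </CreatePartitions>
          <ModifyPartitions>
            <!-- Step 4: make it active, format NTFS, label SYSTEM, letter C -->
            <ModifyPartition wcm:action="add">
              <Order>1</Order>
              <PartitionID>1</PartitionID>
              <Active>true</Active>
              <Extend>false</Extend>
              <Format>NTFS</Format>
              <Label>SYSTEM</Label>
              <Letter>C</Letter>
            </ModifyPartition>
          </ModifyPartitions>
        </Disk>
      </DiskConfiguration>
    </component>
  </settings>
</unattend>
```

The InstallTo section of the same file (under WindowsDeploymentServices > ImageSelection) must point at DiskID 0 / PartitionID 1 so the image lands on the partition you just created.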

 

Related Articles, References, Credits, or External Links

NA

WDS – Unattended file – Joining a Domain Automatically

KB ID 0000494 

Problem

During a large rollout, the more things you can automate the better; before you continue, though, be aware of one thing...

You can only automatically join a client to a domain if it has an auto generated random machine name!*

*Note: This is not 100% true. If you pre-stage the computer objects in Active Directory with the GUID of the machine (you can see this on screen at PXE boot time, or get it from the BIOS) then you can auto-join the machines and they will come in with the correct name. However, if you have a large number of machines to build, this is more time consuming than simply renaming them after they have been imaged.

Solution

Before you begin make sure you are clued up on working with WDS unattended files, run through my instructions here.

The following procedure needs to be added to the image's unattend file, NOT the WDS unattend file (again, run through KB0000180 if you are unsure).

1. While editing your unattend answer file, locate "Microsoft-Windows-Shell-Setup_neutral", add it to pass 4 (specialize) and set the ComputerName entry to * (an asterisk).

Note: In this section you can also enter the Windows product key, the registered owner and organisation, and your time zone.

2. Then locate "Microsoft-Windows-UnattendedJoin" and add it to pass 4 (specialize). Set the JoinDomain entry to the name of your domain, and set UnsecureJoin to "true". (WDS creates the computer account on the client's behalf and the unsecure join lets the client take it over, so no domain-join username or password has to be stored in the answer file.)

3. This procedure will add the following to your unattend file.
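The specialize-pass XML the two steps above produce, as an added example (mine, built from the values in the steps, not the article's screenshot). The domain name, owner and time zone are placeholders; the product key is left out deliberately rather than invented.

```xml
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <!-- Step 1: * tells Setup to generate a random computer name -->
      <ComputerName>*</ComputerName>
      <RegisteredOwner>IT Department</RegisteredOwner>
      <RegisteredOrganization>Example School</RegisteredOrganization>
      <TimeZone>GMT Standard Time</TimeZone>
    </component>
    <component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="x86"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <Identification>
        <!-- Step 2: join this domain using the account WDS pre-created for the
             client. No Credentials element is needed, so no domain password
             ends up in the answer file. -->
        <JoinDomain>example.local</JoinDomain>
        <UnsecureJoin>true</UnsecureJoin>
      </Identification>
    </component>
  </settings>
</unattend>
```

The alternative to UnsecureJoin is a Credentials block (Domain/Username/Password) inside Identification; that works without WDS pre-creating the account, but it leaves a domain-join password in plain text in an answer file that is copied onto every machine you build, so if you go that way use an account whose only right is to join computers to the domain.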

 

Related Articles, References, Credits, or External Links

Windows Deployment Services (On Server 2008 R2) Deploying Windows 7

Windows Deployment Services (Server 2003) Deploying Windows XP

 

Windows Deployment Services – Asks for Locale and Keyboard

KB ID 0000734 

Problem

Seen when deploying images with WDS: even though you have specified language and keyboard settings in your answer file, the system still asks you to set the language and keyboard options. For a couple of machines you might put up with this, but for a few thousand machines it can get quite annoying!

Solution

There is a reason it's doing this: the next thing it asks you to do is authenticate to the WDS server, like so;

If there was a problem you might not be able to log in (because you are using complex passwords like all good sysadmins), and all those 'special characters' can be on lots of different keys with lots of different languages and keyboard layouts.

So to stop it asking for language settings, set the answer file to authenticate to WDS automatically. You do this by adding the 'Windows Deployment Services' sub-component from the 'Microsoft-Windows-Setup_neutral' component; add it to the '1 windowsPE' pass and fill in the credentials under Login. Bear in mind that this password sits in plain text in a file every PXE client on the network downloads, so use a dedicated account that has no rights beyond reading the WDS images.

Note: This is set in the WDS unattend answer file, NOT the one for the image you are deploying.

Adding via System Image Manager

Adding to the Answerfile (via XML)
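What the windowsPE pass looks like once the Windows Deployment Services section is in, as an added example (mine, not the article's screenshot). The locale component is included to make the point of the article: those settings alone do not stop the prompt, the Login section does. Domain, account name, image group, image name and locale are placeholders, and the password is an obvious dummy; use a dedicated account that can only read the images, because this file is served to every PXE client.

```xml
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <!-- The language/keyboard settings that were already in the file -->
    <component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="x86"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <SetupUILanguage>
        <UILanguage>en-GB</UILanguage>
      </SetupUILanguage>
      <InputLocale>en-GB</InputLocale>
      <SystemLocale>en-GB</SystemLocale>
      <UILanguage>en-GB</UILanguage>
      <UserLocale>en-GB</UserLocale>
    </component>
    <component name="Microsoft-Windows-Setup" processorArchitecture="x86"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <WindowsDeploymentServices>
        <!-- This is the part that removes the locale prompt: WDS no longer needs
             a human to type a password, so it no longer asks about the keyboard -->
        <Login>
          <WillShowUI>OnError</WillShowUI>
          <Credentials>
            <Domain>EXAMPLE</Domain>
            <Username>wds-deploy</Username>
            <Password>ChangeMe-Placeholder</Password>
          </Credentials>
        </Login>
        <ImageSelection>
          <WillShowUI>OnError</WillShowUI>
          <InstallImage>
            <ImageGroup>ImageGroup1</ImageGroup>
            <ImageName>Windows 7 PROFESSIONAL</ImageName>
            <Filename>install.wim</Filename>
          </InstallImage>
          <!-- Must match the partition the DiskConfiguration section creates -->
          <InstallTo>
            <DiskID>0</DiskID>
            <PartitionID>1</PartitionID>
          </InstallTo>
        </ImageSelection>
      </WindowsDeploymentServices>
    </component>
  </settings>
</unattend>
```

Anyone who can PXE boot on that network segment can read this file, so treat the Login password as public: a dedicated account with read access to the image group and nothing else, and rotate it when the rollout is finished.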

Related Articles, References, Credits, or External Links

NA