When attempting to contact a server running the Certification Authority Web Enrolment role, you may see the following error.
In order to complete certificate enrolment, the Web site for the CA must be configured to use HTTPS authentication
Solution
The correct fix is to set the web server (IIS) to serve the certificate website securely over https, though if you are in a hurry you can simply configure Internet Explorer on your client machine to work around the error.
Make Internet Explorer Accept Your Certification Authority
Note: This would need to be done on every machine that you wanted to access the Certificate Services web portal from.
1. From within Internet Explorer > Internet Options > Security > Trusted Sites > Sites.
2. Untick ‘Require server verification (https:) for all sites in this zone’ > Then add in the URL of the CA > Close.
3. With Trusted sites still selected > Custom level > ‘Initialize and script ActiveX controls not marked as safe for scripting’ > Enable > OK > Yes.
4. Restart the browser and try again.
Set IIS to serve Certificate Services Securely (via https).
This assumes you have your CA and the web portal installed correctly.
1. On the Certificate Services Server > Launch IIS Manager > Expand {server-name} > Sites > Default Web Site > Right Click > Edit Bindings > https > Edit > Select the self signed server certificate [NOT the CA ONE] > OK.
Note: If there is no https binding, simply add one.
2. Expand Default Web Site > Certsrv > SSL Settings.
3. Tick ‘Require SSL’ > Apply.
4. That should be all you need; if it does not take effect straight away, drop to the command line and run iisreset /noforce.
If you have a Meraki Security device and have enabled ‘Content Filtering’, instead of a nice ‘block-page’ informing you why you are being blocked you may see this;
http://wired.meraki.com:8090
This is happening because your corporate DNS is resolving ‘wired.meraki.com’ to the public address 54.241.7.184, which you can also see in the URL you are trying to connect to on port 8090. A quick nmap of that IP will tell you port 8090 is not open (only port 80 and port 443 are).
This happens because, if you were using your Meraki device for DNS forward lookups, it would ‘DNS Doctor’ the returned DNS packet and insert its own IP address in there instead. That’s fine, but most corporate networks don’t want to use their Meraki devices for DNS forward lookups.
The easiest way to resolve the problem is with your own corporate DNS servers.
Solution
First you need the inside IP of your Meraki device(s). You can get these from the Meraki Dashboard (Security Devices > Addressing and VLANS). If you browse to that IP, you should see something similar to below;
Armed with that information, go to one of your DNS Servers, and create a new forward lookup zone.
Next > Primary zone > Next > To all DNS Servers… > Next.
Zone Name = wired.meraki.com > Next > Allow only Secure… > Next > Finish.
In the newly created zone, create a ‘New Host (A or AAAA)’ record.
Enter the inside IP of your MX device (only) > Add Host > Repeat for each Meraki device, if you have more than one.
Now you will receive a slightly more friendly blocked page.
The DNS server was unable to create a name in memory for name “<host name>” in zone “<zone name>” in the Active Directory. This directory name is ignored. Use the DNS console to recreate the records associated with this name or check that the Active Directory is functioning properly and reload the zone. The event data contains the error.
DNS can’t be updated with the name of something that’s trying to add itself to DNS.
Solution
This is due to DNS nodes that contain characters Windows does not like (e.g. ! ‘ etc.). You can delete them in the following way:
Start > run > dsa.msc
View > Advanced Features
Domain name > System > Microsoft DNS
Note: any records for reverse DNS zones that no longer exist should also be removed from here at this point.
Then locate the offending entries (they will have a type of ‘dnsnode’) and delete them.
However, if you have machines on the network that are going to “re-register” themselves (e.g. Apple Macs, firewalls and routers) then the problem will reoccur.
If the problem does reoccur, you need to go to the DNS server and ALLOW names it does not allow by default (note: this is not recommended by Microsoft). If you want to do this:
On the DNS server Start > Administrative tools > DNS
Right click the server name > properties > Advanced
Change the Name Checking section to “All Names”
Restart the DNS Server service (or right click the server name > All Tasks > Restart).
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is “”. The event data contains the error.
and
The DNS server was unable to complete directory service enumeration of zone .. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is “”. The event data contains the error.
If the 4004 and 4015 events only appear at start up, you get these events because your zones are stored in AD and you only have one Domain Controller. AD cannot start with DNS, and when DNS starts, because AD has not started, DNS cannot load the zones in AD. The error goes away if you have two or more DCs with DNS installed, or if you use standard primary zones.
Solution
Add a second domain controller, or ignore the error.
Setting up split DNS is something I usually do if I’m setting up a new Microsoft Exchange Server. Primarily this is because of certificates that are used on the Exchange Server like so;
Now, as anyone who has purchased a Universal Comms/SAN (Subject Alternative Name) certificate will know, you can put the internal name of the server on the certificate as well, e.g. ex1.abc.local.
Well, that’s fine, but after 1st November 2015 you can no longer put a domain name on a certificate that you are not the registered owner of. As a lot of these internal names are things like domainname.local, or even worse a domain name that is registered externally to someone else, you CAN’T PURCHASE THEM.
Here’s the official line;
“As of the Effective Date of these Requirements, prior to the issuance of a Certificate with a Subject Alternative Name (SAN) extension or Subject Common Name field containing a Reserved IP Address or Internal Server Name, the CA shall notify the Applicant that the use of such Certificates has been deprecated by the CA / Browser Forum and that the practice will be eliminated by October 2016. Also as of the Effective Date, the CA shall not issue a certificate with an Expiry Date later than 1 November 2015 with a SAN or Subject Common Name field containing a Reserved IP Address or Internal Server Name. As from 1 October 2016, CAs shall revoke all unexpired Certificates.”
Solution
So you can either set up split DNS, or set up your own domain CA and start issuing different certificates for different roles, i.e. have a self signed certificate with the local server name on it for the Exchange Mailbox role.
Split DNS – Option 1 (Handy for a single (or few) URLs)
Note: Thanks to Scott Bauer
1. On the DNS Server > Windows Key +R > dnsmgmt.msc. Here you can see I’ve got an unregistered domain name that I’m using internally (company.local).
2. Right click ‘Forward Lookup Zone’ > New Zone.
3. Next > Primary Zone > Next > To all DNS servers on domain controllers in this domain > Next > Type in the Zone name > Next > Allow only secure… > Next > Finish.
Note: The Zone name should be the FULL NAME that is the common name on your certificate, i.e: On the certificate in the first diagram above the name is mailgate.petenetlive.com, so in that case the zone name would be mailgate.petenetlive.com.
Note: If it’s a website, it would be www.petenetlive.com, or for an ftp site ftp.petenetlive.com.
4. In your new domain zone create a ‘New Host (A or AAAA)’ record > LEAVE THE HOSTNAME BLANK > Enter its private/internal IP address > Add Host.
Note: Here I’ve got ‘Create associated pointer (PTR) record’ ticked; if you do the same and do not have a reverse lookup zone configured, you will get an error, don’t panic.
Split DNS – Option 2 (Handy if you have many URL’s)
1. On the DNS Server > Windows Key +R > dnsmgmt.msc. Here you can see I’ve got an unregistered domain name that I’m using internally (abc.local).
2. Right click ‘Forward Lookup Zone’ > New Zone.
3. Next > Primary Zone > Next > To all DNS servers on domain controllers in this domain > Next > Type in the Zone name > Next > Allow only secure… > Next > Finish.
Note: The Zone name is the public registered domain name that is on your certificate, i.e: On the certificate in the first diagram above the name is mailgate.petenetlive.com, so in that case the zone name would be petenetlive.com.
4. In your new domain zone create a ‘New Host (A or AAAA)’ record > Give it the host name on the certificate (in our example that would be mailgate) > Enter its private/internal IP address > Add Host.
Note: Here I’ve got ‘Create associated pointer (PTR) record’ ticked; if you do the same and do not have a reverse lookup zone configured, you will get an error, don’t panic.
5. Now make sure when you ping the name on the certificate the correct private/internal IP address responds.
Gotchas – There is a Possible Problem With Doing This
Using the example above I’m now running an authoritative DNS server for the domain petenetlive.com, so if my internal clients now want to go to www.petenetlive.com it will fail. Note: this is not a problem if you choose option 1.
So if your public website used the same domain name as your Exchange server you need to do a little more work.
Note: This is not just for www, if you have ftp or any other public registered host records you will need to do this for them as well.
1. First, on a machine that can still access www.domain-name.com, find out the correct public IP address for it using the nslookup command like so;
[box]
nslookup www.domain-name.com
[/box]
So mine returned a public IP address of 123.123.123.123
2. In your new DNS zone, create another A/Host record called www and enter the public IP Address of the website.
Now www.petenetlive.com will be resolved, because there’s a host called www in the zone called petenetlive.com that resolves to the correct IP address, (which is how web pages work anyway!)
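To see why Option 2 needs the extra www record while Option 1 does not, here is an added Python check (my own, not from the article) that simulates how an authoritative internal zone answers queries and audits a split-DNS layout. The zone contents are constructed from the article’s petenetlive.com example, and 123.123.123.123 is the article’s placeholder public address.

```python
import ipaddress

# Constructed zone data modelled on the article's example. A zone maps a host
# label to an IPv4 address; '' is the blank-hostname (zone apex) record.
OPTION_1_ZONES = {"mailgate.petenetlive.com": {"": "192.168.1.10"}}
OPTION_2_ZONES = {"petenetlive.com": {"mailgate": "192.168.1.10"}}


def resolve(zones, fqdn):
    """Simulate how an internal DNS server answers a query for fqdn.

    The longest matching zone suffix wins. If that zone has no record for the
    remaining host label the answer is NXDOMAIN: an authoritative server never
    forwards a name it owns. If no zone matches, the query would be forwarded
    to public DNS, reported here as ('forward', None).
    """
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in zones:
            ip = zones[zone].get(".".join(labels[:i]))
            return ("auth", ip) if ip else ("nxdomain", None)
    return ("forward", None)


def audit(zones, internal_names, public_names):
    """Return a list of problems with a split-DNS setup.

    internal_names: name -> private address it must resolve to internally.
    public_names: names under the same domain that must keep resolving to
    their public address (the 'www' gotcha described in the article).
    """
    problems = []
    for name, expected in internal_names.items():
        status, ip = resolve(zones, name)
        if status != "auth" or ip != expected:
            problems.append(f"{name}: expected {expected}, got {status} {ip}")
        elif not ipaddress.ip_address(ip).is_private:
            problems.append(f"{name}: {ip} is not a private address")
    for name in public_names:
        status, ip = resolve(zones, name)
        if status == "nxdomain":
            problems.append(f"{name}: internal zone is authoritative but has no record")
        elif status == "auth" and ipaddress.ip_address(ip).is_private:
            problems.append(f"{name}: public name points at private address {ip}")
    return problems


if __name__ == "__main__":
    internal = {"mailgate.petenetlive.com": "192.168.1.10"}
    public = ["www.petenetlive.com"]
    print("option 1:", audit(OPTION_1_ZONES, internal, public))  # no problems
    print("option 2:", audit(OPTION_2_ZONES, internal, public))  # www is NXDOMAIN
    fixed = {"petenetlive.com": {"mailgate": "192.168.1.10", "www": "123.123.123.123"}}
    print("option 2 + www record:", audit(fixed, internal, public))  # no problems
```

The same logic applies to any other public host record (ftp, autodiscover and so on) under a domain you have made an internal zone for.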
Setting up ‘Static NAT’ is the process of taking one of your ‘spare’ public IP addresses, and permanently mapping that public IP to a private IP address on your network.
In the example above I want to give my web server, which has an internal IP address of 192.168.1.10/24, the public IP address of 1.1.1.5/24. So if someone out on the Internet wants to view my website, they can browse to http://1.1.1.5 (or a URL that I’ve pointed to 1.1.1.5 like http://www.mywebsite.com), and that traffic will be NATTED on the firewall for me.
Solution
1. Create a rule-set from the ‘untrust’ zone. Then add a rule to that rule-set, that has a destination of 1.1.1.5/32, and finally set it to NAT that traffic to 192.168.1.10/32.
[box]login: root
Password: *******
— JUNOS 12.1X44-D30.4 built 2014-01-11 03:56:31 UTC
[edit]
root@FW-02# set security nat static rule-set UNTRUST-TO-TRUST from zone untrust
[edit]
root@FW-02# set security nat static rule-set UNTRUST-TO-TRUST rule NAT-RULE-1 match destination-address 1.1.1.5/32
[edit]
root@FW-02# set security nat static rule-set UNTRUST-TO-TRUST rule NAT-RULE-1 then static-nat prefix 192.168.1.10/32
[/box]
2. Set the firewall to proxy-arp (advertise your public IP address with its MAC address), then add the web server to the global address book.
Note: ge-0/0/0.0 is the physical interface you are advertising the new IP address from; on firewalls in a failover cluster you would use the Reth interface, i.e. reth0.0.
[box]
[edit]
root@FW-02# set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.5/32
[edit]
root@FW-02# set security address-book global address WEB-SERVER 192.168.1.10/32
[/box]
3. Allow traffic OUT from the web server. Here I’m letting out all ports; if you wanted just web traffic, use the keyword junos-http (TCP port 80 (http)).
[box]
[edit]
root@FW-02# set security policies from-zone trust to-zone untrust policy WEB-SERVER-OUT match source-address WEB-SERVER
[edit]
root@FW-02# set security policies from-zone trust to-zone untrust policy WEB-SERVER-OUT match destination-address any
[edit]
root@FW-02# set security policies from-zone trust to-zone untrust policy WEB-SERVER-OUT match application any
[edit]
root@FW-02# set security policies from-zone trust to-zone untrust policy WEB-SERVER-OUT then permit
[/box]
4. Then allow traffic IN to the web server, (here I’m locking it down to just http).
[box]
[edit]
root@FW-02# set security policies from-zone untrust to-zone trust policy WEB-SERVER-IN match source-address any
[edit]
root@FW-02# set security policies from-zone untrust to-zone trust policy WEB-SERVER-IN match destination-address WEB-SERVER
[edit]
root@FW-02# set security policies from-zone untrust to-zone trust policy WEB-SERVER-IN match application junos-http
[edit]
root@FW-02# set security policies from-zone untrust to-zone trust policy WEB-SERVER-IN then permit
[/box]
Juniper Allowing Traffic To Custom Ports And Applications
1. Although Juniper have a lot of built-in ‘applications’ you can allow, what if you want to create your own? Below I’ll create a custom application for Remote Desktop Protocol (TCP port 3389).
[box]
[edit]
root@FW-A# set applications application APP-RDP protocol tcp
[edit]
root@FW-A# set applications application APP-RDP destination-port 3389
[/box]
2. You could now use this application in your security policies e.g.
IOS 11.2 gave us CBAC, and IOS 12.4(6)T gave us the Zone Based Firewall. You can still use either, providing you are running the correct IOS (or, in the case of version 15 and upwards, have added the correct license, ‘securityK9’). For older IOS versions you usually want the advipservices version of the IOS.
Solution
Run the following command to see if you have the correct license installed.
[box]
Petes-Router#show license features
[/box]
Cisco IOS Setup CBAC (IOS Firewall Classic)
1. Declare the protocols you want to inspect.
[box]
Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#ip inspect name IOS-FW tcp
Petes-Router(config)#ip inspect name IOS-FW udp
Petes-Router(config)#ip inspect name IOS-FW icmp
[/box]
2. Apply that inspection inbound on the inside interface (that’s traffic going out).
[box]
Petes-Router(config)#interface FastEthernet 0/1
Petes-Router(config-if)#ip inspect IOS-FW in
Petes-Router(config-if)#exit
Petes-Router(config)#
[/box]
3. Apply the inspection inbound on the outside interface (for traffic coming in), and then save the changes.
Note: If you have VPN traffic this will NOT break it.
[box]
Petes-Router(config)#interface Dialer0
Petes-Router(config-if)#ip inspect IOS-FW in
Petes-Router(config-if)#exit
Petes-Router(config)#exit
*Mar 1 00:05:29.875: %SYS-5-CONFIG_I: Configured from console by console
Petes-Router#wr mem
Building configuration...
[OK]
Petes-Router#
[/box]
Cisco Zone Based Firewall Setup
The config on ZBF can get quite complicated; I’m simply going to allow traffic out, and block all traffic coming in (apart from traffic that will be coming in over VPN).
Note: CBAC Settings (if used), must be removed before configuring ZBF.
1. The first thing to do is set up the zones; I only have a LAN and WAN to worry about.
[box]
Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#zone security SZ-INSIDE
Petes-Router(config-sec-zone)#description Local Area Network
Petes-Router(config-sec-zone)#zone security SZ-OUTSIDE
Petes-Router(config-sec-zone)#description Wide Area Network (Internet)
Petes-Router(config-sec-zone)#exit
[/box]
2. Create two ACLs to decide which traffic you want to allow in and out. Note: I’ve also added the subnets for my remote VPN network. I will allow out www (TCP 80), https (TCP 443), and DNS (TCP 53). Inbound, everything is blocked apart from my VPN traffic.
Note: I’m not covering setting up the VPN, if you want to know how to do that, see the following article;
Then for each ACL I’m creating a class-map; it’s the class-map that decides what traffic will be inspected (by inspected, in ZBF terms, we mean allowed).
[box]
Petes-Router(config)#ip access-list extended ACL-OUTBOUND
Petes-Router(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Petes-Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any eq www
Petes-Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any eq 443
Petes-Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any eq 53
Petes-Router(config-ext-nacl)#exit
Petes-Router(config)#class-map type inspect match-all CM-OUTBOUND
Petes-Router(config-cmap)#match access-group name ACL-OUTBOUND
Petes-Router(config-cmap)#exit
Petes-Router(config)#ip access-list extended ACL-INBOUND
Petes-Router(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
Petes-Router(config-ext-nacl)#exit
Petes-Router(config)#class-map type inspect match-all CM-INBOUND
Petes-Router(config-cmap)#match access-group name ACL-INBOUND
Petes-Router(config-cmap)#exit
[/box]
3. Define what to do with the (matched) traffic with a policy-map; this can be set to inspect, log, or drop. We set it to inspect our traffic, and drop then log everything else.
[box]
Petes-Router(config)#policy-map type inspect PM-OUTBOUND
Petes-Router(config-pmap)#class type inspect CM-OUTBOUND
Petes-Router(config-pmap-c)#inspect
%No specific protocol configured in class CM-OUTBOUND for inspection. All protocols will be inspected
Note: The Above is not really true - we have defined the port in the ACL
Petes-Router(config-pmap-c)#class class-default
Petes-Router(config-pmap-c)#drop log
Petes-Router(config-pmap-c)#exit
Petes-Router(config-pmap)#exit
Petes-Router(config)#policy-map type inspect PM-INBOUND
Petes-Router(config-pmap)#class type inspect CM-INBOUND
Petes-Router(config-pmap-c)#inspect
%No specific protocol configured in class CM-INBOUND for inspection. All protocols will be inspected
Note: The Above is fine, it drops everything that's not VPN traffic anyway.
Petes-Router(config-pmap-c)#class class-default
Petes-Router(config-pmap-c)#drop log
Petes-Router(config-pmap-c)#exit
Petes-Router(config-pmap)#exit
[/box]
4. The last task is to create zone-pairs for the outbound and inbound traffic, then apply our policy-map to them with a service-policy.
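Step 4 as an added example (my own config, not the original article’s): it binds zone-pairs to the policy-maps defined above and places the interfaces in their zones. The zone-pair names ZP-IN-TO-OUT and ZP-OUT-TO-IN are my own choice, and the interfaces FastEthernet 0/1 (inside) and Dialer0 (outside) are assumed from the CBAC section.

```cisco
! Added example, not from the original article. Zone-pair names are assumed.
! Outbound: inside -> outside is governed by PM-OUTBOUND (www/https/dns/VPN allowed).
Petes-Router(config)#zone-pair security ZP-IN-TO-OUT source SZ-INSIDE destination SZ-OUTSIDE
Petes-Router(config-sec-zone-pair)#service-policy type inspect PM-OUTBOUND
Petes-Router(config-sec-zone-pair)#exit
! Inbound: outside -> inside is governed by PM-INBOUND (only the VPN subnet allowed).
Petes-Router(config)#zone-pair security ZP-OUT-TO-IN source SZ-OUTSIDE destination SZ-INSIDE
Petes-Router(config-sec-zone-pair)#service-policy type inspect PM-INBOUND
Petes-Router(config-sec-zone-pair)#exit
! Nothing is enforced until the interfaces are members of their zones
! (interface names assumed from the CBAC section above).
Petes-Router(config)#interface FastEthernet 0/1
Petes-Router(config-if)#zone-member security SZ-INSIDE
Petes-Router(config-if)#exit
Petes-Router(config)#interface Dialer0
Petes-Router(config-if)#zone-member security SZ-OUTSIDE
Petes-Router(config-if)#exit
Petes-Router(config)#exit
Petes-Router#write memory
! Check which policy is bound to each pair and watch the inspect/drop counters.
Petes-Router#show zone-pair security
Petes-Router#show policy-map type inspect zone-pair sessions
```

Traffic to and from the router itself (the self zone) is not covered by these two zone-pairs and stays permitted by default, which is what keeps the VPN terminating on Dialer0 working.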