PeteNetLive (https://www.petenetlive.com) - Technology that 'Just Works' - feed generated Wed, 03 Mar 2021 22:42:26 +0000

Azure Traffic Manager (DNS Failover)
https://www.petenetlive.com/kb/article/0001740
Wed, 03 Mar 2021 09:23:37 +0000

KB ID 0001740

Problem

Why Azure Traffic Manager? I had to price up a hardware load balancer (ADC) a couple of weeks ago for a client. I won't mention the vendor (though I'm sure you can guess). Over 3 years it was going to cost (for a pair) about £100k, (so about 33k a year). That included the global DNS failover, which was so they (the client) could fail over their services between multiple data centres.

OK, there are other ADC vendors, and there are even some budget vendors; I could use ARR, or even deploy NGINX (though supporting those deployments is another matter!). Whilst discussing this with my colleagues, the consensus was “We would be better deploying Azure Traffic Manager”. So I thought I'd take a look to see just how difficult that was to deploy.

What is Azure Traffic Manager? Essentially a cloud-based ADC that can provide availability and DNS failover between Azure regions and (more importantly in my case) ‘External‘ endpoints (so on premises, multiple data centres, other public clouds, etc.)

What Does Azure Traffic Manager Cost? Therein lies most people's ‘bug-bear‘ with public cloud: it's hard to quantify. Per million DNS lookups it's £0.403p a month (up to a billion DNS queries), THEN £0.28p per million DNS queries (over a billion) per month. I'm not sure how you would begin to calculate that. I can tell you how many people are on this website while you are reading this text, and how many hits we get a month, but DNS queries?

I no longer host my own DNS. I used to, but it was getting hammered by script kiddies 24/7 and my servers were just burning processor cycles doing nothing productive. So I pay someone else to host my records now. I asked them:

DNS Queries

Additionally you pay: £0.403p a month per (basic) monitored external endpoint or £1.41 a month per (rapid) monitored external endpoint.

I'm being a little disingenuous towards Microsoft; in their defence this is a traffic management solution, NOT a web load balancing/HA solution. If you look at it from that perspective then DNS queries are a better measurement than ‘web-hits‘ or ‘page-impressions’. But you will be billed on multiples of something that you have no control over, and you just have to ‘Trust’ that when Microsoft tells you you've had 36 million DNS lookups, that's correct.

Deploy Azure Traffic Manager

From the Azure portal > Create a Resource.

Azure Create Resource

You will need to search for ‘Traffic Manager Profile’ > Create.

Azure Traffic Manager Profile

Give it a sensible name > Set the routing method to Priority > Pick a Resource group (or create a new one) > Select your resource group location > Create.

Azure DNS Load Balance

Locate your traffic manager profile (look under all resources if you can’t find it) > Configuration.

Traffic Manager Configuration

Drop the DNS TTL to 30 seconds > I'm monitoring HTTPS on Port 80 > Leave the probing interval on 30 seconds > Save.

Note: this will take 3 lots of 30 seconds before it will fail over (90 seconds). If you drop the poll interval to 10 seconds then you get billed the additional ‘fast interval charges‘ I mentioned above. You can set it to 0 lots of 10 seconds to make it fail over quicker, but that's more expensive.

Traffic Manager Polling

Endpoints > Add.

Traffic Manager Add Endpoints

Add your primary site with a priority of ‘1’, then repeat for your standby site(s) with a lower priority (a higher priority number).

Traffic Manager External Endpoint

Before testing, make sure all the endpoints are ‘Online‘.

Traffic Manager Endpoint Online

Overview > Copy the DNS name.

Azure Failover DNS

In your own DNS config, simply create a CNAME DNS record to point to the Azure one you copied above.

Azure Failover DNS CNAME

Testing Azure Traffic Manager

First let's test Azure > Ping the domain name you copied from the Azure portal; you will notice it resolves to my primary site IP (that won't respond to pings, but that's not important for testing). Power off the primary endpoint (or disconnect its NIC) and wait 90 seconds. Then ping it again; this time the IP address it resolves to has changed to my secondary endpoint. That proves the Azure Traffic Manager works.

Test Azure DNS Failover

To illustrate, I've got a slightly different web page on my primary and secondary external node, just to prove it's working.

Prove Azure DNS Failover
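To make the priority routing, the 90-second failover and the billing model concrete, here is a small Python model written for this article; it is not code from Azure or from PeteNetLive. The endpoint names and IP addresses are constructed, and the rule that an endpoint is marked degraded after three consecutive failed probes is an assumption chosen to match the 3 x 30 seconds quoted above.

```python
"""Model of a Priority-routed Traffic Manager profile with health probes,
DNS TTL and the per-query / per-endpoint pricing quoted in the article."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Endpoint:
    name: str
    ip: str
    priority: int            # 1 = primary; a higher number means a lower priority
    reachable: bool = True   # what the health probe would see right now
    failed_probes: int = 0   # consecutive failed probes recorded by the monitor


@dataclass
class PriorityProfile:
    endpoints: List[Endpoint]
    probe_interval_s: int = 30     # the article leaves the probing interval at 30 s
    failures_to_degrade: int = 3   # assumption: degraded after 3 failed probes (3 x 30 s = 90 s)
    dns_ttl_s: int = 30            # the article drops the DNS TTL to 30 s
    elapsed_s: int = 0

    def probe_once(self) -> None:
        """One monitoring cycle: every endpoint is probed once."""
        self.elapsed_s += self.probe_interval_s
        for ep in self.endpoints:
            ep.failed_probes = 0 if ep.reachable else ep.failed_probes + 1

    def online(self, ep: Endpoint) -> bool:
        return ep.failed_probes < self.failures_to_degrade

    def resolve(self) -> Optional[Endpoint]:
        """The endpoint the Traffic Manager DNS name currently answers with:
        the online endpoint with the lowest priority number."""
        candidates = [ep for ep in self.endpoints if self.online(ep)]
        return min(candidates, key=lambda ep: ep.priority) if candidates else None

    def fail_over_time(self, endpoint_name: str) -> Dict[str, object]:
        """Take one endpoint down and keep probing until the DNS answer changes.
        Returns the detection time and the worst case a client sees, which also
        has to wait out a cached DNS answer for the full TTL."""
        before = self.resolve()
        for ep in self.endpoints:
            if ep.name == endpoint_name:
                ep.reachable = False
        start = self.elapsed_s
        # Stop after an hour of simulated time if nothing is left to fail over to.
        while self.resolve() is before and self.elapsed_s - start < 3600:
            self.probe_once()
        after = self.resolve()
        detection = self.elapsed_s - start
        return {
            "before": before.ip if before else None,
            "after": after.ip if after else None,
            "detection_s": detection,
            "client_visible_s": detection + self.dns_ttl_s,
        }


def monthly_cost_gbp(dns_queries: int, external_endpoints: int, rapid: bool = False) -> float:
    """Monthly charge from the figures in the article: GBP 0.403 per million
    queries up to a billion, GBP 0.28 per million above that, plus GBP 0.403
    (basic) or GBP 1.41 (rapid) per monitored external endpoint."""
    first_tier = min(dns_queries, 1_000_000_000)
    second_tier = max(dns_queries - 1_000_000_000, 0)
    query_cost = first_tier / 1e6 * 0.403 + second_tier / 1e6 * 0.28
    endpoint_cost = external_endpoints * (1.41 if rapid else 0.403)
    return round(query_cost + endpoint_cost, 2)


def build_demo_profile() -> PriorityProfile:
    """Two external endpoints as in the article; names and IPs are constructed."""
    return PriorityProfile([
        Endpoint("primary", "198.51.100.10", priority=1),
        Endpoint("standby", "203.0.113.20", priority=2),
    ])


if __name__ == "__main__":
    profile = build_demo_profile()
    print(profile.fail_over_time("primary"))
    print("36M queries, 2 basic endpoints: GBP", monthly_cost_gbp(36_000_000, 2))
```

The client-visible figure is the one to plan around: the 30-second TTL is paid on top of the probe-based detection time, and a cached answer can keep a client on the dead primary for that long.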

Related Articles, References, Credits, or External Links

NA

Free Exchange Certificate
https://www.petenetlive.com/kb/article/0001739
Tue, 02 Mar 2021 08:38:23 +0000

KB ID 0001739

Problem

A couple of weeks ago I wrote an article about getting free certificates for IIS with ‘Let's Encrypt’. Last week the renewal for my ‘test’ Exchange server's certificate came through. So I thought “Why don't I try and get a ‘Free Exchange Certificate’?”

Free Exchange Certificate

Before we start, let's take a moment to look at our existing Exchange certificate. As you can see it's a publicly signed and trusted certificate; the only thing wrong with it is that it's going to expire in a couple of weeks. Yours may have already expired, or you may be running a self-signed SSL certificate (horror!)

Exchange Free Certificate

To do all the heavy lifting you need a piece of software; the easiest (I've seen) is win-acme (at time of writing the latest version is 2.1.14.996). You simply download it as a zip file.

Free Certificate Let's Encrypt

Extract the contents of that zip file to a folder on your hard drive.

win-acme free IIS certificate

Apply For & Install the Free Exchange Certificate

Open an administrative command prompt > Navigate to the folder you just created > run wacs.exe

Install Let's Encrypt Certificate in IIS

WARNING: Some other run-throughs I've read have different option numbers (wacs.exe has obviously been updated). So instead of just posting the number to select, I'll post the option, then put the number (or letter) of that option in brackets (in case they change the option numbers again!)

Create a new certificate (full options) {m} > Manual Input {2}.

Free Exchange Certificate

Manual Input {2} > Enter the public fully qualified domain name(s) of your Exchange server (separated by commas) > Press Enter to accept the default friendly name (unless you want to specify your own).

Get a Free Exchange Certificate

[http-01] Serve certification files from memory {2} > RSA Key {2}. 

Note: You will need TCP Port 80 open to the Exchange server for this to work, (in most cases you will only have HTTPS or TCP Port 443 open!)

Acquire a Free Exchange Certificate

Windows certificate store {4} > No (additional) store steps {5}.

How to Get a Free Exchange Certificate

Create or update https binding in IIS {1} > Default Web Site {1} > Start external script or program {3} > Paste in the following;

./Scripts/ImportExchange.ps1

Let's Encrypt Exchange

At the prompt paste in the following;

'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'

No (additional) installation steps {4}.

Free Let's Encrypt Exchange SAN Certificate

No (or it will open the terms and conditions in another window) > Yes (your soul now belongs to Let's Encrypt!) > Type in an email address > Quit {q}

Free Let's Encrypt Exchange Autodiscover Certificate

Now reconnect to either OWA or the Exchange Admin Center > And you should see you have a new certificate.

Replace Exchange Certificate with Free one

It only lasts three months! That's correct, but;

Let’s Encrypt Free Exchange Certificate Auto Renewal

As well as getting your certificate, win-acme also created a scheduled task to check your certificate validity and renew it before it expires. Cool eh?

Lets Encrypt auto renew

Where Does Win-ACME Store its information

Good question; it took me a little while to find that out. Essentially, once run it creates a new folder in %programdata% (that's a hidden folder on the C drive, usually) called win-acme. All your settings are in there, so if you make a mistake, like entering the wrong email address, you can delete this folder and start again.

How To Remove Let’s Encrypt Exchange Free Certificate & Settings

  1. Remove the certificate from Exchange Admin Center.
  2. Remove the win-acme folder from %Programdata%.
  3. Delete the scheduled update task from ‘Task Scheduler‘.

Related Articles, References, Credits, or External Links

NA

Leave Domain: “A general network error occurred”
https://www.petenetlive.com/kb/article/0001738
Thu, 18 Feb 2021 17:35:20 +0000

KB ID 0001738

Problem

After a recent lab on the test bench, I ended up with a 2008 x32 Standard server. It took me a while to get this set up and running, so I wanted to keep it (or turn it into a VMware template should I ever need another). But first I needed to ‘remove it’ from the domain it was in. However, when attempting to do so this happened;

A general network error occurred

Computer Name /Domain Changes

The following error occurred validating the name “Host-Name”
A general network error occurred

That stinks of DNS? But the machine could resolve DNS, ping the domain name, was authenticated to the domain, and could ping itself by NetBIOS name and FQDN.

Leave Domain (via Command Line)

With modern servers and clients we can simply ‘force’ a machine out of the domain with some PowerShell. On an old machine like this (2008 ran PowerShell version 1 natively) those commands are not open to us. So to solve the problem I had to go a little more ‘old school’.

Remember – You will need to either know the local administrator password, or have a local account with administrative access, before you drop it out of the domain (or post reboot you won't be able to log in!)

Open an administrative command window, and execute the following command;

netdom remove %computername% /domain:{your-domain-name} /force

leave domain via command line

This will remove the machine from the domain, and drop it in a workgroup that has the same name as the domain (in this case TESTBENCH).

Related Articles, References, Credits, or External Links

NA

O365 with Duo MFA (Without a P1 License?)
https://www.petenetlive.com/kb/article/0001737
Tue, 16 Feb 2021 08:37:26 +0000

KB ID 0001737

Problem

Working for a cloud service provider (and a Duo partner), I get a lot of queries about Duo MFA for Office 365. Typically (I think) the best solution is to enable Azure Conditional Access and couple that with Trusted Sites, so clients get challenged when out on the road but not in the office. The drawback of this is that Azure Conditional Access requires a P1 licence; at time of writing that's about $6 a month on top of your normal 365 licence. So it can work out expensive.

A couple of weeks ago, I was on a call with a client who wanted to use Duo Access Gateway to provide Duo MFA to their 365 tenancy. I've done the same thing for other clients with ADFS before. Basically you are just federating a DAG into your Azure AD, rather than federating an ADFS server.

This is what it looks like;

Duo MFA: DAG & Office 365 Pre-Requisites

  • Azure AD Sync needs to be set up, and a registered domain set up in your Office 365 tenancy (NOT the onmicrosoft domain!).
  • You need (at least) Duo MFA licensing to deploy. One level above free ($30 for a year).
  • DAG Server: 2 x CPU, 4GB RAM, 60GB HDD (Windows Server 2012 or newer; 2019 supported). Note: You can also deploy DAG on Linux.
  • DAG Server should be in a DMZ (not domain joined).
  • DAG Server needs the IIS role installing.
  • DAG Server needs TCP Port 443 open (outbound) to Duo.
  • DAG Server needs TCP Port 443 open (inbound) to Duo on the public IP address that your public DNS record is pointing to.
  • Download PHP (in Zip file format). Keep the Zip file handy.
  • Install a publicly signed SSL certificate (Common Name or SAN must match the public DNS name).

Note: Duo have great walkthroughs and videos on their site, this article is just to tie the various steps together.

Installing Duo MFA DAG

To set up IIS just use the following PowerShell commands;

Import-Module ServerManager
Add-WindowsFeature Web-Server, Web-Mgmt-Tools, Web-CGI, NET-Framework-Core, Web-Asp-Net45, Web-Scripting-Tools

Install IIS with PowerShell

Install and Bind a Publicly Signed Certificate: Let’s do this for free with Let’s Encrypt! See the following article.

Free Certificate for IIS with Let’s Encrypt

Download the newest version of PHP in zip format and drop it on your desktop, then run the Duo Windows installer. You may be prompted to install the C++ Runtime software (which may require a reboot). Post reboot the installer will launch.

Deploy Duo MFA DAG

Browse to and select the PHP Zip file > Next > Select the correct server hostname (if it's not listed, then you need to enter it in the ‘hostname’ section of the https binding in IIS Manager) > Next > If you want to manage the DAG from any other IP addresses, enter them > Next > Install.

Install Duo DAG

When done, launch the ‘Configure’ page > Create an access password > Submit.

Configure Duo DAG

Configure Duo DAG Active Directory LDAPS Access

In the next step we need a copy of your CA certificate (the CA that issued your domain controller(s)' Kerberos certificates). If you have just glazed over, have a read of the following article;

Get Ready for LDAPS Channel Binding

Configure Duo DAG

From the DAG console > Authentication Source > Configure Sources > Select Active Directory* > Enter the FQDN of a domain controller (the DMZ server needs to be able to resolve this; I suggest putting it in the server's hosts file) > Port will be 636 (LDAPS) > Select LDAPS > Scroll down.

*You can't use Azure as an authentication source for Office 365 MFA (counter-intuitively!)

Configure Duo DAG Active Directory LDAPS

Browse to and select the CA certificate you downloaded above > Set the attributes to “mail,sAMAccountName,userPrincipalName,objectGUID” > Search Base (I'm setting it to the top of my Active Directory, e.g. ‘DC=pnl,DC=com’) > Search Attributes (I've set the same as the attributes above) > Search Username, set to a normal domain user account (I've set up a service account that's just a member of ‘Domain Users’) > Scroll down > Type in the user's password > Save Settings.

Configure Duo DAG Active Directory Connection

What should happen is it should say LDAP Bind Successful; if it does not:

  • Make sure TCP Port 636 is open from the DMZ server to the Domain Controller(s).
  • Make sure you used the domain controller FQDN, NOT its IP address (the IP address is NOT on the Kerberos certificate).
  • Install the Remote Server Admin Tools for ADDS; this will give you access to LDP.exe, which you can test LDAPS connectivity with (I've written about LDP before, use the search box above).

When happy, ensure Active Directory is set as the Active Source.

Configure Duo DAG Active Directory Source

Federate Duo DAG With Azure Active Directory

Within the Duo DAG management console > Applications > Metadata > Download the Certificate > Copy all the URLs to a notepad file.

Duo MFA DAG Metadata

Copy the notepad file, and the certificate, to a domain joined server/PC that has the Azure Active Directory Module for PowerShell installed.

Duo DAG PowerShell

Execute the following commands (change the domain name, the DAG URLs and the certificate path to match your own);

Connect-MsolService
# Log into your tenancy when prompted

Get-MsolDomain -DomainName your-domain-name.com
# Make sure it says 'Managed' and NOT 'Federated'!

$dom = "your-domain-name.com"
$url = "https://portal.petenetlive.co.uk/dag/saml2/idp/SSOService.php"
$uri = "https://portal.petenetlive.co.uk/dag/saml2/idp/metadata.php"
$logoutUrl = "https://portal.petenetlive.co.uk/dag/saml2/idp/SingleLogoutService.php?ReturnTo=https://portal.petenetlive.co.uk/dag/module.php/duosecurity/logout.php"
# The signing certificate downloaded from the DAG metadata page, as base64 DER
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\dag.crt")
$certData = [System.Convert]::ToBase64String($cert.RawData)
Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated -PassiveLogOnUri $url -ActiveLogOnUri $url -IssuerUri $uri -LogOffUri $logoutUrl -PreferredAuthenticationProtocol SAMLP -SigningCertificate $certData

Get-MsolDomain -DomainName your-domain-name.com
# NOW it should say 'Federated'!

Duo DAG Federated to O365

Duo MFA Protect Office 365

Log into your Duo online admin console > Protect an application > Locate Office 365 (2FA with SSO self hosted) > Protect.

Duo Protect O365

Unless ALL your mail clients* support modern authentication, tick “Allow legacy mail clients that only support basic auth to bypass 2FA”.

*Modern Authentication is supported on Outlook 2013 (or newer). Older Android mail clients don't support it, though modern versions of Android that you can install MS Outlook on do. Modern Apple iOS devices support modern authentication.

Click ‘Save Configuration‘.

Duo Protect O365 DAG

Click “Download your Configuration File” this will download a JSON configuration file, put it somewhere your Duo DAG server can get to.

Duo Download config File O365

Add Office 365 MFA to Duo DAG

Back on the DAG server > Applications > Browse > Select the JSON file you downloaded above.

Duo Upload JSON File O365

Open a web page and try to log into Office 365; after you've entered your username, you should be forwarded to your DAG for 2FA.

Duo 2FA Office 365

Related Articles, References, Credits, or External Links

NA

Free Certificate for IIS with Let's Encrypt
https://www.petenetlive.com/kb/article/0001736
Thu, 11 Feb 2021 17:26:37 +0000

KB ID 0001736

Problem

I've been aware of Let's Encrypt for a while; they are a non-profit Certificate Authority who will provide you with a free certificate, and you can use them for most things you want to secure with a digital certificate. The only reason I've never used them in the past is that their certificates have a short (3 month) lifespan, and I see enough things breaking when people forget to renew 12 month certificates! This site went down a couple of years ago because the certificate expired while I was on holiday in Las Vegas, and it was a pain to get fixed!

I’ve got some work coming up that requires me to have a publicly signed certificate, so I thought I’d give it a whirl, it was incredibly easy and painless.

  • Server OS (Server 2019 Standard build 1809)
  • IIS Version 10.0.17763.1

Free Certificate Prerequisites

Obviously you need a Windows server with the IIS role installed, and a website that you want to secure. It does not need to already have a certificate or have https configured; whether or not you have already done that, it will all be reconfigured for you! In addition you need a publicly registered domain name (you're on my website so you know I have one of those), and finally a DNS host record (A record) that you will use to browse to the web server. This will be ‘stamped’ onto the certificate as the certificate common name (CN).

The website will need to be publicly accessible via TCP Port 443 (https) on the IP address you’ve set in public DNS.

To do all the heavy lifting you need a piece of software; the easiest (I've seen) is win-acme (at time of writing the latest version is 2.1.14.996). You simply download it as a zip file.

Free Certificate Let's Encrypt

Extract the contents of that zip file to a folder on your hard drive.

win-acme free IIS certificate

Apply For & Install the Free Certificate

Open an administrative command prompt > Navigate to the folder you just created > run wacs.exe

Install Let's Encrypt Certificate in IIS

Press ‘n‘ for create certificate.

Free IIS Certificate

I’ve only got one website, you may be hosting multiple sites, select the appropriate number.

Free web certificate

I’m replacing every binding (you can have multiple bindings per site, but I’ve never seen that myself) > It then shows the bindings it finds > Select ‘A’ for all.

IIS10 Free Certificate

Yes to continue > No (unless you want the EULA to open in a web window for you to read) > Yes to agree to the terms (without reading them, shame on you!) > Enter a contact email address.

Server 2019 Free Web Certificate

The software will go and get your certificate, install it, and bind it to your website. If it fails at this point it’s usually because the name for the certificate does not match your public DNS name, or the firewall is stopping your traffic.

Lets Encrypt IIS Server 2019

Force IIS to Use Let’s Encrypt Free Certificate

To force clients to use HTTPS and not HTTP, you will need to tick the option below (Require SSL);

IIS force HTTPS connection

If you take a look at your certificate you will see it's got a three month lifespan, BUT, you don't have to worry about renewing it because…

Lets Encrypt 3 months

Let’s Encrypt Free Certificate Auto Renewal

As well as getting your certificate, win-acme also created a scheduled task to check your certificate validity and renew it before it expires. Cool eh?

Lets Encrypt auto renew

Where Does Win-ACME Store its information

Good question; it took me a little while to find that out. Essentially, once run it creates a new folder in %programdata% (that's a hidden folder on the C drive, usually) called win-acme. All your settings are in there, so if you make a mistake, like entering the wrong email address, you can delete this folder and start again.

How To Remove Let’s Encrypt IIS Free Certificate & Settings

  1. Remove the certificate from IIS.
  2. Remove the win-acme folder from %Programdata%.
  3. Delete the scheduled update task from ‘Task Scheduler‘.

Related Articles, References, Credits, or External Links

NA

Outlook URL Shortening?
https://www.petenetlive.com/kb/article/0001735
Mon, 08 Feb 2021 12:28:33 +0000

KB ID 0001735

Problem

Outlook URL: I first noticed this a few weeks ago. When copying and pasting a URL into an email it shortens the URL and gives it the page's title. At first I thought my firm's devs had changed the way our CRM works, but then I noticed it happening with SharePoint URLs as well. This is what I mean;

Outlook URL Shortened

I don't have a problem with it, in fact I much prefer it! However I got an email this morning from someone asking how to turn it off. As it transpires it has nothing to do with Outlook at all. It's a feature of the Microsoft Edge browser.

Outlook URL Shortening is Really Microsoft Edge

Within Microsoft Edge > Preferences > Share, Copy, and Paste > Select your preference, if you want  to disable this feature select ‘Plain Text’

Outlook URL Shortener Edge

And now the actual URL will be posted.

Outlook Paste Full URL

Related Articles, References, Credits, or External Links

NA

FortiGate Securing Remote Administration
https://www.petenetlive.com/kb/article/0001734
Fri, 05 Feb 2021 13:02:47 +0000

KB ID 0001734

Problem

When considering securing FortiGate remote administration: I've written about changing the https management port to something other than TCP 443 before. I suppose that's security by obscurity (though even a script kiddy with one hour's experience will be able to spot an HTML response). Typically with other vendors you limit remote administration access to specific IP addresses (or ranges). So how do you do the same on a FortiGate?

FortiGate Trusted Hosts

With FortiGate the approach is slightly different (to Cisco anyway), in that you allow access from ‘Trusted Hosts‘ and you do that ‘per administrator’, not for the entire remote access service (like HTTPS or SSH). On reflection I like this, because by default you will have a user called ‘admin’ and an attacker will ‘possibly’ know that. With FortiGate you can restrict the admin account so it can only log on from inside, or from management hosts/networks, or from an out-of-band management network.

You can also give an administrative password to one partner and only allow access from that partner's public IP/range, or, if like my firm you need to support a lot of firewalls, you can hard code this into your default deployments and retain remote administration. (Though FortiManager is the direction you want to be headed in for that!)

Configure FortiGate ‘Per Administrator’ Trusted Hosts.

System > Administrators > Create New > Administrator.

FortiGate Secure access

Create a username/password > Select the admin level required > Enable ‘Restrict Login to Trusted Hosts’

FortiGate Trusted Hosts

Here's an example where the admin account can only manage the firewall from the 192.168.1.0/24 network and a management host 192.168.2100.3. For ‘external‘ access I've got a new administrator who can get access from my management host (for belt and braces), a single public network, and a public IP address.

FortiGate harden administration

Related Articles, References, Credits, or External Links

NA

FortiGate LDAPS Authentication Failure
https://www.petenetlive.com/kb/article/0001733
Fri, 29 Jan 2021 13:33:06 +0000

KB ID 0001733

Problem

Here’s a brief one that tripped me up a couple of weeks ago, I was deploying FortiGate LDAPS authentication for some FortiClient SSL VPN connections into a FortiGate firewall like so;

FortiGate LDAPS

Despite my best efforts I was getting authentication failures. If I tested the username and password in the GUI web management portal, that worked fine?

Testing FortiGate LDAPS

First step is to test authentication at command line, like so;

Forti-FW # diag test auth ldap My-DC test.user Password123
authenticate 'test.user' against 'My-DC' failed!

Note: My-DC is the domain controller, test.user is the username, and Password123 is the password for my AD user. (The fact I need to explain that is depressing, but c'est la vie).

So despite what the GUI is telling me, authentication is actually failing. Remember I'm using LDAPS, so the FortiGate needs to have the CA certificate (the one that issued the Kerberos certificates on my domain controller(s)) in its trusted CA list! And TCP port 636 needs to be open between the firewall and the domain controllers.

Debugging FortiGate LDAPS

So now we need to debug what’s going on;

Forti-FW # diagnose debug enable
Forti-FW # diagnose debug application fnbamd 255
Debug messages will be on for 30 minutes.

Then simply attempt to authenticate via FortiClient, or recall the ‘diag test’ command from above.

Forti-FW # diag test auth ldap My-DC test.user Password123
[1932] handle_req-Rcvd auth req 1296531457 for test.user in My-DC opt=0000001b prot=0
[424] __compose_group_list_from_req-Group 'My-DC', type 1
[617] fnbamd_pop3_start-test.user
[970] __fnbamd_cfg_get_ldap_list_by_server-
[976] __fnbamd_cfg_get_ldap_list_by_server-Loaded LDAP server 'My-DC'
[1131] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 1
[1713] fnbamd_ldap_init-search filter is: sAMAccountName=test.user
[1722] fnbamd_ldap_init-search base is: dc=testbench,dc=co,dc=uk
[1146] __fnbamd_ldap_dns_cb-Resolved My-DC:192.168.1.122 to 192.168.1.122, cur stack size:1
[919] __fnbamd_ldap_get_next_addr-
[1152] __fnbamd_ldap_dns_cb-Connection starts My-DC:192.168.1.122, addr 192.168.1.122 over SSL
[874] __fnbamd_ldap_start_conn-Still connecting 192.168.1.122.
[591] create_auth_session-Total 1 server(s) to try
[1097] __ldap_connect-tcps_connect(192.168.1.122) failed: ssl_connect() failed: 337047686 (error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed).
[930] __ldap_error-My-DC:192.168.1.122, addr 192.168.1.122
[725] __ldap_stop-Conn with 192.168.1.122 destroyed.
[919] __fnbamd_ldap_get_next_addr-
[902] __ldap_try_next_server-No more server to try for 'My-DC'.
[785] __ldap_done-svr 'My-DC'
[755] __ldap_destroy-
[2870] fnbamd_ldap_result-Error (3) for req 1296531457
[217] fnbamd_comm_send_result-Sending result 3 (nid 0) for req 1296531457, len=2044
authenticate 'test.user' against 'My-DC' failed!
Forti-FW # [747] destroy_auth_session-delete session 1296531457
[755] __ldap_destroy-
[1764] fnbamd_ldap_auth_ctx_free-Freeing 'My-DC' ctx
[2099] fnbamd_ldap_free-Freeing 'My-DC'

OK so it’s SSL related: the firewall reached the server, but rejected the certificate it was offered, (‘certificate verify failed’). For SSL/TLS to work you need the following;

  1. To trust the CA that issued the certificate, (the whole chain, if an intermediate CA is involved).
  2. To be able to resolve (via DNS) the name you configured for the server, which must match the common name or, preferably, a DNS Subject Alternative Name (SAN) on the certificate.
  3. If you’ve specified the LDAP server by IP address, that IP address needs to be on the certificate as an IP Address Subject Alternative Name (SAN); a DNS name in the SAN does not cover an IP.
  4. Your firewall and the AD/LDAP server need to support a common TLS version and cipher suite.

So I had number 1 covered, and the chance of it being number 4 is slim, (server and firewall are fully updated).

So my problem was actually number 3: I’d specified the LDAPS server via its internal IP, and the domain controller’s certificate does not carry that IP as a SAN. I needed to use its FQDN instead, which of course meant the firewall needed to be able to resolve that name with a DNS lookup, (number 2). Try execute ping server-name.domain-name if you’re unsure!

Forti-FW # execute ping win-server.testbench.co.uk
Unable to resolve hostname.  <---OOPS THAT'S NOT GOOD!

Forti-FW # execute ping 192.168.1.122 <---CONNECTIVITY IS OK!
PING 192.168.1.122 (192.168.1.122): 56 data bytes
64 bytes from 192.168.1.122: icmp_seq=0 ttl=128 time=5.4 ms
64 bytes from 192.168.1.122: icmp_seq=1 ttl=128 time=2.0 ms
64 bytes from 192.168.1.122: icmp_seq=2 ttl=128 time=1.9 ms
^C
--- 192.168.1.122 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 1.9/3.1/5.4 ms

Once DNS was setup correctly;

Forti-FW # execute ping win-server.testbench.co.uk
PING win-server.testbench.co.uk (192.168.1.122): 56 data bytes
64 bytes from 192.168.1.122: icmp_seq=0 ttl=128 time=1.9 ms
64 bytes from 192.168.1.122: icmp_seq=1 ttl=128 time=2.3 ms
64 bytes from 192.168.1.122: icmp_seq=2 ttl=128 time=2.1 ms
^C
--- win-server.testbench.co.uk ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss <---BOOM THAT'S BETTER
round-trip min/avg/max = 1.9/2.1/2.3 ms

Then retest.

Forti-FW # diag test auth ldap My-DC test.user Password123
authenticate 'test.user' against 'My-DC' succeeded!
Group membership(s) - CN=GS-VPN-Users,OU=Securty-Groups,DC=testbench,DC=co,DC=uk
                      CN=Domain Users,CN=Users,DC=testbench,DC=co,DC=uk
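As an added example, (this is my code, not Fortinet’s and not from the original article), here is a Python check you can run from a workstation or jump host that can reach the domain controller. It exercises the four conditions listed above the same way the FortiGate does: it verifies the chain against a CA file (1), resolves the configured name (2), matches the configured name or IP against the certificate’s SAN (3), and reports the negotiated TLS version and cipher (4). The host names, IP addresses and CA file name are assumptions for illustration; `name_matches` works offline on the certificate dictionary layout that `ssl.SSLSocket.getpeercert()` returns.

```python
"""Added example, not from the original article: check an LDAPS endpoint for the
four conditions listed in the text. Host names, IPs and the CA file path are
assumptions for illustration."""
import ipaddress
import socket
import ssl


def san_entries(cert: dict) -> tuple[set[str], set[str]]:
    """Split a certificate dict (the layout ssl.SSLSocket.getpeercert() returns)
    into its DNS and IP Address SAN values."""
    dns, ips = set(), set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.add(value.lower().rstrip("."))
        elif kind == "IP Address":
            ips.add(value)
    return dns, ips


def name_matches(cert: dict, configured_server: str) -> tuple[bool, str]:
    """Conditions 2 and 3: the name or IP configured on the firewall must be on
    the certificate. An IP literal only ever matches an 'IP Address' SAN, which
    is why pointing the FortiGate at 192.168.1.122 fails against a DC certificate
    that carries nothing but DNS names."""
    dns, ips = san_entries(cert)
    try:
        ip = ipaddress.ip_address(configured_server)
    except ValueError:
        ip = None
    if ip is not None:
        if str(ip) in ips:
            return True, f"{ip} is an IP Address SAN"
        return False, f"{ip} is not an IP Address SAN; configure the server by FQDN"
    host = configured_server.lower().rstrip(".")
    for name in dns:
        if name == host:
            return True, f"matches DNS SAN {name}"
        # One-label wildcard: *.testbench.co.uk covers win-server.testbench.co.uk only.
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True, f"matches wildcard SAN {name}"
    if not dns and not ips:
        # Legacy fallback: no SAN at all, so compare the subject CN instead.
        cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"), "")
        if cn.lower().rstrip(".") == host:
            return True, f"matches CN {cn} (certificate has no SAN)"
    return False, f"{host} not in DNS SAN {sorted(dns)} / IP SAN {sorted(ips)}"


def probe_ldaps(server: str, port: int = 636, cafile=None, timeout: float = 5.0) -> dict:
    """Open a TLS session to server:port the way the firewall would, verifying
    the chain against `cafile` (condition 1) and the name (conditions 2/3), and
    report the negotiated protocol and cipher (condition 4)."""
    ctx = ssl.create_default_context(cafile=cafile)   # check_hostname stays on
    try:
        with socket.create_connection((server, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server) as tls:
                cert = tls.getpeercert()
                ok, why = name_matches(cert, server)
                return {"ok": ok, "reason": why, "tls_version": tls.version(),
                        "cipher": tls.cipher()[0], "cert": cert}
    except socket.gaierror as exc:                  # condition 2: name does not resolve
        return {"ok": False, "reason": f"cannot resolve {server}: {exc}"}
    except ssl.SSLCertVerificationError as exc:     # conditions 1 or 3
        return {"ok": False, "reason": f"certificate verify failed: {exc.verify_message}"}
    except ssl.SSLError as exc:                     # condition 4: no common protocol/cipher
        return {"ok": False, "reason": f"TLS handshake failed: {exc.reason}"}
    except OSError as exc:                          # refused or timed out: is TCP 636 open?
        return {"ok": False, "reason": f"cannot connect to {server}:{port}: {exc}"}


if __name__ == "__main__":
    # Assumed values: the DC FQDN from the article and a hypothetical exported CA file.
    print(probe_ldaps("win-server.testbench.co.uk", cafile="testbench-root-ca.pem"))
```

Run it first against the IP address and then against the FQDN to see the difference the article describes. Once you have finished on the firewall, remember to turn the debug off again with `diagnose debug disable`.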

Related Articles, References, Credits, or External Links

NA

The post FortiGate LDAPS Authentication Failure first appeared on PeteNetLive.
Windows File Server Migration (Maintain Share & NTFS Permissions)
https://www.petenetlive.com/kb/article/0001201 (Wed, 27 Jan 2021 18:41:09 +0000)

KB ID 0001201

Problem

When attempting a File Server Migration, why isn’t this better publicised? Did you know Microsoft have a set of migration tools, (the Windows Server Migration Tools), and one of them is for file servers? Now traditionally I’d use RoboCopy or XCopy to migrate files and folders, and for ‘User Profiles’ I would normally back them up and restore them to the new server. This is because the NTFS permissions on ‘correctly deployed’ user profiles mean the account doing the copy can’t open them.

How about a tool that migrates all the files, folders and profiles while maintaining all the NTFS permissions, AND the share permissions!

Windows File Server Migration Tools

Source Server Pre-requisites

  • Server 2003: .NET 2.0 (with SP1), PowerShell 2.0, and 25MB free drive space.
  • Server 2008: PowerShell and 25MB free drive space.
  • Server 2008 R2 and newer: 25MB free drive space.
  • All: UDP port 7000 needs to be open from the source server to the destination server, (the destination listens on it while Receive-SmigServerData is running).

File Server Migration Server 2008 to Server 2019

File Server Migration from Server 2003!

  • Source Server: Windows Server 2003 Standard x64 (x86 supported as well)
  • Destination Server: Windows Server 2012 R2 Datacenter

Source Server: Here you can see my user profiles, I’ll do the migration with them, as usually they are the most ‘challenging’.

User Profiles Cannot Access

You need to create a shared folder on the Source Server. I’ve just granted everyone full control, (this is just for the migration tools). The share only needs to exist while the tools are copied over, so restrict it to the account doing the deployment, or remove it, once they are in place.

Server Migration Tools Share


Destination Server: Open a PowerShell window and install the tools with the following command, (the -ComputerName parameter is optional when you are installing on the local server);

Install-WindowsFeature Migration -ComputerName {computer-name}

Server 2012 File Migration Tools

Open an administrative command window > Now you need to package the migration tools for the source server’s operating system and deploy them to the share you created on the source server, to do that use the following command;

cd C:\Windows\System32\ServerMigrationTools

SmigDeploy.exe /package /architecture amd64 /os WS03 /path \\{Source-Server}\{share-name}

Note: For x86 (32 bit) source servers use x86 instead of amd64. The /os values are WS03 (Windows Server 2003), WS08 (Windows Server 2008), WS08R2 (Windows Server 2008 R2), and WS12 (Windows Server 2012).

Deploy Server 2012 File Migration Tools

Source Server: Open the folder you created earlier and within it you will find another folder that has the tools in. Open an administrative command window and change to this directory > then execute the following command;

.\smigdeploy

Another PowerShell window will open, leave it open, and return to the destination server.

Smig Tools Source Server

Destination Server: Here I’ve created a folder that I’m going to migrate into.

Smig Migration Target Share

Destination Server: Open a PowerShell window and issue the following two commands;

Add-PSSnapin Microsoft.Windows.ServerManager.Migration

Receive-SmigServerData

You will be asked to provide a password, (use what you want, but remember it, you will need it in a minute).

You now have a five minute window to get the migration running, or you will need to re-issue the last command again.

Source Server: Return to your open PowerShell Window, and issue the following command;

Send-SmigServerData -ComputerName {destination-computer-name} -SourcePath {path-to-source-folder} -DestinationPath {path-to-destination-folder} -Include All -Recurse

Supply the password, then go and put your feet up.

Smig Migration Start

Destination Server: You can watch progress here.

Smig Destination Server

Profiles migrated! And permissions intact.

Smig Migrated Profiles

Don’t forget to change the profile path on the user object(s) in Active Directory so it points at the new server.

User Profile Path

If you have a lot you can do them in bulk by multi-selecting the users.

Change User Profile Path En Masse
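‘Permissions intact’ is worth proving rather than eyeballing, so as an added check, (this is not part of the article and not one of Microsoft’s tools), the following Python diffs the NTFS permissions of the source and destination trees. Export both with icacls, for example icacls D:\Profiles /save C:\source-acl.txt /t on the source server and likewise for the migrated folder on the destination, copy the two files somewhere together, and read them with encoding="utf-16" (icacls writes UTF-16). The script keeps only the explicit ACEs of each path, because inherited ACEs are legitimately re-derived from the destination’s parent folder. The export text, folder names and SIDs below are constructed for illustration.

```python
"""Added example (not part of the original article): verify that explicit NTFS
ACEs survived a migration by diffing `icacls /save` output from the source and
destination servers. The export text, folder names and SIDs are constructed."""
import re

ACE_RE = re.compile(r"\(([^)]*)\)")
DACL_RE = re.compile(r"D:([A-Z]*)((?:\([^)]*\))*)")

# Constructed sample of what `icacls <root> /save <file> /t` writes: pairs of
# lines, a path followed by that path's SDDL. Real files are UTF-16.
SOURCE_ACLS = """\
Profiles
D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)
Profiles\\pete
D:AI(A;OICI;FA;;;S-1-5-21-1111111111-2222222222-3333333333-1104)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)
Profiles\\sam
D:AI(A;OICI;FA;;;S-1-5-21-1111111111-2222222222-3333333333-1105)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)
"""

# On the destination sam's explicit ACE has gone missing: the check should catch it.
DEST_ACLS = """\
Migrated
D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)
Migrated\\pete
D:AI(A;OICI;FA;;;S-1-5-21-1111111111-2222222222-3333333333-1104)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)
Migrated\\sam
D:AI(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)
"""


def explicit_aces(sddl: str) -> frozenset:
    """Return the explicit (non-inherited) ACEs of an SDDL DACL as tuples of
    (type, flags, rights, object_guid, inherit_guid, sid). ACEs carrying the
    ID flag are dropped: the destination re-derives those from its own parent."""
    m = DACL_RE.search(sddl)
    if not m:
        return frozenset()
    aces = set()
    for ace in ACE_RE.findall(m.group(2)):
        fields = ace.split(";")
        if len(fields) != 6:
            continue
        ace_type, flags, rights, obj, inh, sid = fields
        tokens = [flags[i:i + 2] for i in range(0, len(flags), 2)]  # two-letter flag tokens
        if "ID" in tokens:
            continue
        aces.add((ace_type, "".join(tokens), rights, obj, inh, sid))
    return frozenset(aces)


def parse_icacls_save(text: str, root: str) -> dict:
    """Map each path, relative to `root` and lower-cased, to its explicit ACEs."""
    lines = [ln.rstrip("\r") for ln in text.splitlines() if ln.strip()]
    acls = {}
    for path, sddl in zip(lines[0::2], lines[1::2]):
        rel = path[len(root):] if path.lower().startswith(root.lower()) else path
        acls[rel.strip("\\").lower()] = explicit_aces(sddl)
    return acls


def compare_acls(src_text: str, dst_text: str, src_root: str, dst_root: str) -> dict:
    """Report paths that never arrived, explicit ACEs lost in transit, and
    explicit ACEs the destination has that the source never had."""
    src = parse_icacls_save(src_text, src_root)
    dst = parse_icacls_save(dst_text, dst_root)
    report = {"missing_paths": sorted(set(src) - set(dst)), "missing_aces": {}, "extra_aces": {}}
    for rel in sorted(set(src) & set(dst)):
        lost, gained = src[rel] - dst[rel], dst[rel] - src[rel]
        if lost:
            report["missing_aces"][rel] = lost
        if gained:
            report["extra_aces"][rel] = gained
    return report


if __name__ == "__main__":
    # With real exports: open(path, encoding="utf-16").read() for each side.
    report = compare_acls(SOURCE_ACLS, DEST_ACLS, "Profiles", "Migrated")
    for rel, aces in report["missing_aces"].items():
        print(f"{rel or '.'}: lost {len(aces)} explicit ACE(s): {sorted(aces)}")
    for rel in report["missing_paths"]:
        print(f"{rel}: not present on the destination")
```

Entries under extra_aces or missing_aces that refer to local (non-domain) accounts are expected when moving between servers, because a local account’s SID is unique to the machine that created it; domain SIDs should match exactly.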


Related Articles, References, Credits, or External Links

XCOPY – Insufficient Memory

Migrating – Folders and Share Permissions

The post Windows File Server Migration (Maintain Share & NTFS Permissions) first appeared on PeteNetLive.
Domain Join SID Error
https://www.petenetlive.com/kb/article/0001732 (Tue, 26 Jan 2021 09:36:31 +0000)

KB ID 0001732

Problem

Thankfully I don’t see a SID error very often these days;

Cannot Join Domain SID Error

The following error occurred when attempting to join the domain ‘{domain-name}’:

The domain join cannot be completed because the SID of the domain you attempted to join was identical to the SID of this machine. This is a symptom of an improperly cloned operating system install. You should run Sysprep on this machine in order to generate a new machine SID.

Resolve SID Errors (Joining Domains)

In my case it was a server I was deploying into EVE-NG and I hadn’t run Sysprep on the image, (typically I only need one Windows server in my EVE-NG labs, but this time I needed another), so when I added a second and tried to add it to a domain, this happened. I should know better really!

If you have ever deployed or imaged Windows you can probably guess what the fix is: ‘Run Sysprep’. The reason the join is refused is that a domain’s SID is the machine SID the first domain controller had when it was promoted, so a second server cloned from the same un-sysprepped image carries the very SID the domain now uses.

Note: I will probably get emails saying ‘Why not just run NewSID?’, well because it’s been retired and is not supported any more, and Sysprep is.

Navigate to C:\Windows\System32\Sysprep and run sysprep.exe > Tick the ‘Generalize’ option > Set the Shutdown option to ‘Reboot’ > OK.

Fix Domain Join SID Error

Go and have a coffee. When the server reboots, run through the OOBE setup, and try to join the domain again.

Related Articles, References, Credits, or External Links

NA

The post Domain Join SID Error first appeared on PeteNetLive.