PeteNetLive (https://www.petenetlive.com): Technology that 'Just Works'

Azure: Point to Site VPN From mac OS?
https://www.petenetlive.com/KB/Article/0001693 | Wed, 12 Aug 2020 16:32:23 +0000 | KB ID 0001693

Problem

We mac users always get overlooked. If I had a pound for every time I’ve heard ‘Yeah, we don’t support macs’ I would be a rich man. But thankfully this usually makes us work things out for ourselves!

So recently I did an article, Azure: Point To Site VPN (Remote Access User VPN), but what if you want to use the same solution for a remote mac user?

Solution

Firstly you will want to download the VPN package (and have a valid client/user certificate, [see the link above]).

Download VPN Client Azure

Obviously the installer is for Windows, but within the ZIP file you download, it has a copy of the XML file with the settings in it, and a copy of the Root CA certificate you used.

So your first job is to ‘import’ the client certificate. It will be in PFX format (if you followed my instructions), so when you double click it to install it you will need to supply the password you specified when creating the PFX file (not the mac password).

macosx import pfx file

The engineer in me isn’t quite sure why the client needs the Root CA certificate on it, (because that’s not how certificates work!) But Microsoft insist it’s necessary, so also double click and install the Root CA Certificate, (it’s inside the VPN Package).

macosx import Root CA Cert

You don’t need to install VPN software onto the mac (it has its own built-in client). Click the Apple Logo > System Preferences > Network > Add > Interface = VPN > VPN Type = IKEv2 > Service Name = Azure-Client-VPN > Create.

macosx Client VPN to Azure

Now open the XML file from within your VPN client software ZIP file, and locate the FQDN of the ‘Gateway’ address in Azure > Copy it to the clipboard.

macosx Client VPN to Azure server name

Paste the server address into BOTH Server Address AND Remote ID > (Leave Local ID blank for now) > Authentication Settings.

WARNING: I’m using mac OS Catalina, so I choose ‘None’ (NOT CERTIFICATE). But for mac OS Mojave (and older) CHOOSE CERTIFICATE. It’s a bug that causes an error (see below) if you don’t.

macosx Client VPN IKEv2 to Azure

Select > Choose the CLIENT certificate you imported earlier (take note of the name in brackets, this is the common name on the certificate; you will need it in a minute!) > Continue > OK.

mac Client VPN to Azure

Put the Common Name from the certificate into the Local ID section > Apply > Connect.

mac Azure Point to Site VPN

All being well it should connect (though it may prompt you to enter your user password). BY DEFAULT the option ‘Show VPN Status in Menu Bar’ should be ticked; if it isn’t, tick it.

mac Azure Point to Site VPN

With that option ticked, you can connect and disconnect the VPN quickly without needing to go back into System Preferences like so;

mac Azure VPN Connect and Disconnect

Error: VPN Connection, ‘An unexpected error occurred’

mac Azure Point to Site VPN error

Remember above when I said choose ‘None‘ for Catalina, NOT certificate? Well this is what happens if you choose certificate!

Related Articles, References, Credits, or External Links

NA

Azure: Point To Site VPN (Remote Access User VPN)
https://www.petenetlive.com/KB/Article/0001692 | Wed, 05 Aug 2020 12:28:27 +0000 | KB ID 0001692

Problem

Given my background I’m usually more comfortable connecting to Azure with a Route Based VPN from a hardware device, like a Cisco ASA. I got an email this afternoon: a client had a server in a private cloud and a server in Azure, and they needed to transfer files from the Azure server to the server in the private cloud. On further investigation this client had a Cisco vASA, so a VPN was (probably) the best option for them.

But what if they didn’t? Or what if they were ‘working from home’ and needed to access their Azure servers that were not otherwise publicly accessible?

Well the Microsoft solution for that is called an ‘Azure Point to Site VPN’, even though in the current Azure UI they’ve called it ‘User VPN Configuration’, because ‘Hey! Screw consistency and documentation that goes out of date every time a developer has a bright idea and updates the UI’. Note: I have a thing about things being changed in GUIs!

Azure Remote Access VPN Point To Site

So regardless whether you are on or off the corporate LAN, you can connect to your Azure Virtual Networks.

Solution

This is not a full Azure tutorial; I’m assuming, as you want to connect to existing Azure resources, that you will already have most of this set up. But, just to quickly run through: you will need a Resource Group, and in that Resource Group you will need a Virtual Network. (Note: I like to delete the ‘default’ subnet and create one with a sensible name.)

Azure vNet

So far so good. Within your virtual network you will need to create (if you don’t already have one) a ‘Gateway Subnet’. To annoy the other network engineers I’ve made it a /24, but to be honest a /29 is usually good enough.

Azure Virtual Network

Now to terminate a VPN, you need a ‘Virtual Network Gateway‘.

Azure Remote VPN

Make sure it’s set for VPN (Route Based) > Connected to your Virtual Network > Either create (or assign) a public IP to it. I told you I’d be quick; however the Gateway will take a few minutes to deploy (time for a coffee).

Azure Virtual Network Gateway

For the purpose of this tutorial I’ll just create some certificates with PowerShell (a root CA cert, and a client cert signed by that root certificate). This won’t scale very well in a production environment; I’d suggest setting up a decent PKI infrastructure, then using auto-enrolment for your users to get client certificates. However for our run through, execute the following TWO commands;

# Root CA certificate: self-signed, exportable, with the CertSign key usage so it can sign the client certificate below
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=Azure-VPN-Root-Cert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

# Client certificate signed by that root; the text extension sets EKU 1.3.6.1.5.5.7.3.2 (Client Authentication)
New-SelfSignedCertificate -Type Custom -DnsName Azure-VPN-Client-Cert -KeySpec Signature -Subject "CN=Azure-VPN-Client-Cert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

Azure Generate VPN Certificates

Now launch ‘certmgr‘ and you will see the two certificates. Firstly, export the client certificate.

Export Azure Generate VPN Certificates

Yes, you want to export the private key > You want to save it as a .PFX file > Create a password for the certificate (MAKE NOTE OF IT!) > Save it somewhere you can get to (you will need it in a minute).

Export Azure Generate VPN Certificates to PFX

Secondly, export the Root CA certificate.

Export Azure Root VPN Certificates

You DON’T export the private key > Save as Base-64 encoded > Again, save it somewhere sensible; you will also need it in a minute.

Export Azure Client VPN Root Certificates

Open the ROOT CA CERT with Notepad, and copy all the text BETWEEN -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. Note: This is unlike most scenarios when working with PEM files, where you select everything (it tripped me up!)

Copy Certificate Information
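If you would rather not hand-pick the text in Notepad, the following added helper (not from the original post) does the same job: it strips the BEGIN/END armour and the line breaks from an exported Base-64 root CA file, returns the body as the single line Azure expects, and sanity-checks that the body decodes to DER. The sample PEM is constructed, not a real certificate.

```python
import base64
import re

# Constructed sample, not a real certificate. The body decodes to the five DER
# bytes 30 03 02 01 05 (a SEQUENCE holding INTEGER 5), which is enough to
# exercise the extraction offline. A real exported root CA file has the same
# BEGIN/END lines (and Windows CR/LF line endings) around a much longer body.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\r\n"
    "MAMC\r\n"
    "AQU=\r\n"
    "-----END CERTIFICATE-----\r\n"
)

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_body(pem_text: str) -> str:
    """Return the base64 body of the first CERTIFICATE block as one line.

    The BEGIN/END armour, CR/LF line breaks and any surrounding whitespace are
    removed; that single line is what the Azure root certificate field wants,
    as opposed to the whole file you would normally paste elsewhere.
    """
    match = _PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no -----BEGIN CERTIFICATE----- block found")
    body = "".join(match.group(1).split())  # drops CR, LF, spaces and tabs
    if not body:
        raise ValueError("certificate block is empty")
    # Catch stray text inside the block (e.g. a second header line pasted in).
    if not re.fullmatch(r"[A-Za-z0-9+/]+=*", body):
        raise ValueError("certificate body contains non-base64 characters")
    return body


def pem_body_to_der(pem_text: str) -> bytes:
    """Decode the extracted body and check it starts with a DER SEQUENCE tag
    (0x30), which every X.509 certificate does."""
    der = base64.b64decode(pem_body(pem_text), validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    return der


if __name__ == "__main__":
    # Prints the single-line body you paste into Azure.
    print(pem_body(SAMPLE_PEM))
```

Point `pem_body` at the text of your exported root certificate file to get the paste-ready line.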

Back in Azure > Select your Virtual Network Gateway > Select ‘User VPN Connection’ (seriously, thanks Microsoft, be consistent eh!) > ‘Configure now’.

Azure Client VPN Configuration

Pick an address pool for your remote clients to use (make sure it does not overlap with any of your assets, and don’t use 192.168.1.0/24 or 192.168.0.0/24. Note: these will work, but most home networks use these ranges, and let’s not build in potential routing problems before we start!)

Choose IKEv2 and SSTP > Authentication Type = Azure Certificate > Enter your Root CA details, and paste in the PEM text you copied above > Save > Time for another coffee!

Azure Point to Site VPN

When it has finished deploying, you can download the VPN client software.

Azure Download VPN Client

Azure Point to Site (User VPN) Client Configuration

So for your client(s) you will need the Client Certificate (the one in PFX format*) and the VPN Client software > Double click the PFX file > Accept ‘Current User’.

*Note: Unless you deployed user certificates already, and your corporate Root Cert was entered into Azure above.

Azure Deploy VPN Client Certificate

Type in the certificate password you created above > Accept all the defaults.

Azure Deploy VPN Client

Yes.

Azure Deploy VPN Client Certificate Warning

Now install the Client VPN software, you may get some security warnings, accept them and install.

Azure Deploy VPN Client Software

Now you will have a configured VPN connection. I’m a keyboard warrior so I usually run ncpa.cpl to get to my network settings, (because it works on all versions of Windows back to NT4, and ‘developers’ haven’t changed the way it launches 1006 times!)

Launch Azure VPN Client

Launch the Connection > Connect > Tick the ‘Do not show…‘ option > Continue > If it works, everything will just disappear and you will be connected.

Connect Azure VPN Client

Related Articles, References, Credits, or External Links

NA

Veeam: Backup to Public Cloud?
https://www.petenetlive.com/KB/Article/0001691 | Tue, 04 Aug 2020 13:19:14 +0000 | KB ID 0001691

Problem

I’ve always been a fan of Veeam, I’ve championed it for years, as a consultant and engineer I want solutions that are easy to deploy, administer, and upgrade, that cause no problems. Like all things that are easy to use, and gain a lot of popularity, Veeam is starting to get DESTROYED BY DEVELOPMENT. What do I mean? Well, things that were simple and easy to find now require you to look at knowledge base articles and pull a ‘frowny face’. Also the quality of support has gone dramatically downhill. We stand at the point where another firm can come in and do what Veeam did, (march in and steal all the backup & replication revenue worldwide, with a product that simply works and is easy to use).

I digress (sorry). So you want to backup to public cloud yes?

Solution

Well then, you log into Veeam, look at your backup infrastructure, and simply add an External Repository and back up to that? NO! That would be common sense (and the way Veeam used to do things). External Repositories are not for that; Veeam points this out when you try and add one;

So how do you back up to public cloud? (I know other vendors are available, but we are talking primarily about Azure and AWS.) Well, to do that you need to be more familiar with Scale Out Backup Repositories (SOBR).

With an SOBR you can add ‘cloud storage’, i.e. Azure Cold Blob storage or AWS S3, as ‘Capacity Tier’ storage. How is the Capacity Storage Tier used? Well, there are two options, ‘Backup to Capacity after x Days’ or ‘Backup to Capacity Tier as soon as backups are created’, like so;

  1. Send your backup to a Scale Out Backup Repository.
  2. The backup gets placed into the Performance Tier.
  3. Option 1: Copy to Cloud after x Days, or Option 2: Copy to cloud immediately.

Note: This is configured on the SOBR configuration NOT on individual backup jobs/sets.

Adding Azure Cold Blob Storage

Well, before you can add cloud storage to a SOBR you need to add it to Veeam. How’s that done? Well, firstly you need to create an Azure Storage account.

Create StorageAccount in Azure

Then generate an ‘Access Key‘.

Veeam Add Azure Storage Account Access Keys

Then create a ‘Container‘ in your storage account.

Veeam Add Azure Storage Account Container

Then within Veeam > Options > Manage cloud credentials > Add > Add Azure Storage Account > Enter the Storage account and Access Key > OK.

Veeam Add Azure Storage Account

Adding ‘Cloud Storage’ as ‘Capacity Tier’ to a Scale Out Backup Repository

Either create a new Scale Out Backup Repository, (Backup Infrastructure > Scale Out Backup Repository,) or edit an existing one. When you get to Capacity Tier > Tick the ‘Extend..’ option > Add > Microsoft Azure Blob Storage.

Veeam Add Azure Blob Storage

Azure Blob Storage > Give the storage a name > Next.

Veeam Add Azure Cold Blob

Select the storage account you created above > Select your Gateway Server (usually the Veeam B&R server but it does not have to be) > Next > Browse.

Veeam Add Azure Cold Blob Folder

Select or create a new folder > Limit the amount of space to use (if required) > Next > Finish.

Veeam Add Azure Cold Blob Storage Limit

What about AWS? Well, Microsoft kindly give me a certain amount of ‘free’ Azure credits every month, so it’s easy to showcase their product (I use this for learning and PNL tutorials), so Microsoft pretty much get the benefit. I know AWS have a free tier and a trial tier, but honestly, after spending 2 hours trying to find out what you actually get, and whether I am going to get stung on my credit card bill if I do ‘xyz’, I lost all interest!

AWS, be like Veeam used to be, make it easy! AWS is like flying with Ryanair:

Oh, so you want a seat? That will be an extra £x a month, and every trip to the toilet will be an extra £x a month. Will you be wanting nuts? Because we charge by the nut, and no one knows how many nuts are in each bag, so it will be different every time, and speaking of time, if you want to look at the clock that will be £x a month also!

People will email me and complain Azure is the same, and to a certain extent I will agree, but nothing will change until public cloud providers start charging fixed prices for things, so IT departments can work out what the Opex is going to be, e.g. like private cloud providers do! Of course, working for a private cloud provider, maybe I’m a little biased?

Related Articles, References, Credits, or External Links

NA

PowerCLI: Get All Snapshot Information
https://www.petenetlive.com/KB/Article/0001690 | Mon, 03 Aug 2020 12:35:27 +0000 | KB ID 0001690

Problem

This was asked on EE today, and it was an interesting one so I wrote it up: how to locate all the Snapshots in your VMware virtual infrastructure, and see how much space they are taking.

Solution

Use the following PowerCLI;

Get-Snapshot * | Select-Object -Property VM, Name, SizeGB, Children | Sort-Object -Property sizeGB -Descending | ft -AutoSize

Related Articles, References, Credits, or External Links

NA

AnyConnect: Allow ‘Local’ LAN Access
https://www.petenetlive.com/KB/Article/0001689 | Wed, 22 Jul 2020 09:06:34 +0000 | KB ID 0001689

Problem

Note: This WON’T WORK if you ‘force-tunnel’ or ‘tunnel-all’ remote VPN traffic. (If you are unsure, Google ‘what’s my ip’ > Take note of it > Connect to AnyConnect and repeat the procedure; if your public IP address has changed to the IP address of the ASA then you force-tunnel/tunnel-all traffic.)

With more people remote working now, I’m getting a lot more questions about RA-VPN and particularly AnyConnect. By default, when connecting to any Cisco remote access VPN, it pretty much stops you connecting to anything outside the VPN tunnel (unless you enable Split Tunnelling). This includes stopping you talking to assets on your remote network as well.

This is basically ‘good practice’: as a corporate entity you have authenticated a remote machine, NOT the entire network it is on! But what happens when your MD wants to print a work document on his/her home printer? Or you have a NAS drive at home with documents on it that you want to access while connected to the VPN?

AnyConnect-Local-LAN-Access

Well, then you can ‘make a judgement call’ to whether or not you want to enable ‘Local LAN Access’ for your remote clients.

Full Disclosure: While this does not let everything on the remote client’s LAN connect to the corporate network, if another client on a remote network was infected and compromised, and it proliferated its infection via the LAN (to your authenticated remote client), then that client could infect the corporate network. This is what’s known as a ‘pivot attack’.

Solution

Assuming you are happy to enable local LAN access, it’s a TWO STEP procedure. Firstly you enable Local LAN Access on the AnyConnect Client Profile, then you enable split tunnelling and allow all networks (because you don’t know what all the remote network addresses may be).

Step 1: Add Local LAN Access to the AnyConnect Client Profile

If you are unfamiliar with ‘AnyConnect Client profiles’, they are simply XML files that are applied to an AnyConnect Connection Profile. I already have one, so I just need to edit it and tick ‘Local LAN Access’.

AnyConnect Allow LAN Access

What if you don’t already have one? Not a problem. In the ASDM > Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile > Add > Give it a name > Set the Group Policy to your AnyConnect Group Policy > OK > Apply > Edit.

What does User Controllable mean? It means your users can enable or disable it (see below). If you untick this then they won’t have that option.

AnyConnect Allow LAN Access User Controllable

Step 2: Add 0.0.0.0/32 to Split Tunnelling

You configure split tunnelling in your AnyConnect Group Policy (ASDM > Configuration > Remote Access VPN > Network (Client) Access > Group Policies). Locate yours and edit it, navigate to Advanced > Split Tunnelling > Policy: untick Inherit, and set to Exclude Network List Below > Network List: untick Inherit and click Manage.

Firstly: Create an ACL and call it ‘ACL-Local-LAN-Access’ > OK.

Secondly: Select the ACL you just created and add an ACE to it > permit 0.0.0.0/32 > OK > OK > OK > Apply > File > Save Running Configuration to Flash.

Your remote workers will need to disconnect and reconnect before it will take effect. In some cases, with older clients, they need to reboot (or have the AnyConnect service stopped and restarted). If you experience problems, make sure your clients have got the new XML file with;

<LocalLanAccess UserControllable="true">true</LocalLanAccess>

inside it, to find out where those files are stored see THIS POST.

Related Articles, References, Credits, or External Links

NA

VMware Converter ‘A file I/O Error Occurred’
https://www.petenetlive.com/KB/Article/0001688 | Mon, 20 Jul 2020 12:59:58 +0000 | KB ID 0001688

Problem

It seems every time I use VMware Converter, there’s some new error that jumps up and makes me stumble!

Yesterday the problem was;

FAILED: A file I/O error occurred while accessing

VMWare Converter Error IO

Solution

Some searching told me this is actually a DNS problem (where the converter could not resolve the DNS name of the machine being converted). BUT I had put the FQDN directly into this machine’s ‘hosts file’, so I doubt that was my problem. I suspect the fact that this machine was presenting a certificate that wasn’t trusted was actually the problem.

But either way, the way to fix it is to re-queue the job again, but this time choose ‘Use proxy mode’.

Fix VMWare Converter IO Error

Then it worked fine.

Related Articles, References, Credits, or External Links

NA

Patch Your DNS Servers! SigRed
https://www.petenetlive.com/KB/Article/001687 | Wed, 15 Jul 2020 11:06:48 +0000 | KB ID 0001687

Problem

WARNING: This is rated 10 on the CVSS scale.

Affected Server OS: Windows 2003, Windows 2008, Windows 2008 R2, Windows 2012, Windows 2012 R2, Windows 2016, Windows 2019

Yesterday Microsoft released a critical notice (KB4569509) to address the vulnerability identified in CVE-2020-1350. Basically it allows a remote attacker to perform remote code execution on your DNS servers (unless you patch them!) The reason it’s so important is that it’s considered ‘wormable’ (it can jump from machine to machine without user interaction).

To see how easy that is to do, watch the video below;

To be attacked from an external source the DNS Server has to be publicly addressable; however, if you have a compromised machine in your network, it won’t be long before a malicious payload can be delivered from that vector also.

Solution

The correct fix is to update your servers from Windows Update as soon as possible! However, if you want to protect yourself in the interim:

You need to make a slight change in the Windows DNS Server registry. I’ve written the PowerShell out to save you poking around in the registry; it will change the key for you, and then restart the DNS Service.

# Set DNS Registry Key (Vulnerability CVE-2020-1350)
$RegKey = "HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters"
# Cap inbound TCP DNS messages at 0xFF00 (65280) bytes
Set-ItemProperty -Path $RegKey -Name TcpReceivePacketSize -Value 0xFF00
# Read the value back to confirm it was written
Get-ItemProperty -Path $RegKey -Name TcpReceivePacketSize
# The DNS service must be restarted for the new value to take effect
Restart-Service DNS
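To make concrete what that registry value (and the 65280-byte firewall limit mentioned below) actually constrains, here is an added example, not from the original post: a checker that walks a DNS-over-TCP byte stream using the RFC 1035 two-byte length prefix and reports any frame whose declared length exceeds 0xFF00, the way the mitigated server would refuse it. The sample stream is constructed; the second frame declares the largest possible length and is deliberately incomplete.

```python
import struct

# The same ceiling the registry change above applies (TcpReceivePacketSize =
# 0xFF00) and that a firewall DNS inspection limit of 65280 bytes enforces.
MAX_TCP_DNS_MESSAGE = 0xFF00


def tcp_dns_frame(message: bytes) -> bytes:
    """Prefix a DNS message with the 2-byte big-endian length used on TCP
    (RFC 1035 section 4.2.2)."""
    return struct.pack("!H", len(message)) + message


def check_tcp_dns_stream(stream: bytes, limit: int = MAX_TCP_DNS_MESSAGE) -> list:
    """Walk every length-prefixed frame in a DNS-over-TCP byte stream.

    For each frame, report its position, the declared length, whether that
    length exceeds `limit`, and whether the stream ended before the declared
    number of bytes arrived (a truncated frame). Results are in stream order.
    """
    findings = []
    offset = 0
    while offset + 2 <= len(stream):
        (declared,) = struct.unpack("!H", stream[offset:offset + 2])
        body = stream[offset + 2:offset + 2 + declared]
        findings.append({
            "index": len(findings),
            "declared_length": declared,
            "oversized": declared > limit,
            "truncated": len(body) < declared,
        })
        offset += 2 + declared
    return findings


def oversized_frame_indexes(stream: bytes, limit: int = MAX_TCP_DNS_MESSAGE) -> list:
    """Indexes of the frames a server capped at `limit` would reject."""
    return [f["index"] for f in check_tcp_dns_stream(stream, limit) if f["oversized"]]


# Constructed sample stream: first a 12-byte header-only DNS message (ID 0x1234,
# recursion-desired flag, empty sections), then a frame that declares the
# maximum length 0xFFFF but only carries 64 bytes, so it is reported as both
# oversized and truncated.
_HEADER_ONLY = struct.pack("!HHHHHH", 0x1234, 0x0100, 0, 0, 0, 0)
SAMPLE_STREAM = tcp_dns_frame(_HEADER_ONLY) + struct.pack("!H", 0xFFFF) + b"\x00" * 64


if __name__ == "__main__":
    for finding in check_tcp_dns_stream(SAMPLE_STREAM):
        print(finding)
```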

If you have a Cisco Firewall you can use the default DNS inspection to mitigate this. RFC 1035 defines that DNS packets should be less than 512 bytes, but Windows uses EDNS, so you may have “message-length maximum client auto” in your config. If you remove that and change the maximum allowed size to 65280 you will mitigate THIS problem, though I don’t like that as a solution (unless you have a lot of DNS servers to update, and want to throw in a quick fix while you patch them all).

Note: This vulnerability has existed for 17 years! But now it’s public knowledge, so the clock is ticking before it gets exploited. ACT NOW!

Related Articles, References, Credits, or External Links

NA

Cisco FTD: AMP/URL Filtering/Threat Detection and AVC
https://www.petenetlive.com/KB/Article/0001686 | Wed, 15 Jul 2020 07:35:05 +0000 | KB ID 0001686

Problem

This brings me to the end of my recent FTD articles. Although this is not a complete run through of all the capabilities, it will point you in the right direction to enable;

Solution

Each of these is a ‘Licensed Feature’, which means it’s going to cost you. Not only that, but you need to have the licences in your Cisco Smart Account before you start.

Connect to the FTD via the FDM web console > Smart Licence > View Configuration > Enable Threat, Malware, and URL License.

Enable FTD Licenses Threat URL and Malware

Make sure it looks like this, before proceeding.

Enable FTD Licenses Threat URL and Malware

Mine’s got a ‘vanilla’ (factory default) policy (allow everything out). But it’s set to TRUST; you need to change that to ALLOW (you can’t do advanced inspection while it’s set to trust) > OK.

FTD Edit Access Rule

FTD: Enable IDS/IPS Intrusion Policy

With a policy access rule selected > Intrusion Policy > Enable > Select the level you want (they are pretty self explanatory, and if you have worked with Cisco IDS before you will be familiar) > OK.

Note: By default the FTD will be in IPS mode (prevention). If you want to change to IDS mode (detection), then select Policies > Security Policies > Intrusion > Inspection Mode > Edit > Choose ‘detection’ > OK.

FTD Enable Intrusion Detection

FTD: Enable AMP Policy

While in the access policy > File Policy > Block Malware All > OK.

FTD Enable AMP Malware Inspection

FTD: Enable URL Filtering Policy

Now we need to create a new access rule and set its action to BLOCK. Create (add) a new access rule > Make sure it is ABOVE your default TRUST or ALLOW rule > Give it a name > Set the action to BLOCK > Then I’m simply adding the inside zone as the source and the outside zone as the destination > URLs.

FTD Enable URL Filtering

Then simply add in either the individual URLs you want to block, or (more sensibly) the URL Categories, i.e. Adult, Social Networking, Gambling etc., that you want to block > OK > OK.

FTD Enable URL Filtering

FTD: Enable Application Inspection (AVC)

Cisco have had AVC for a long time, but not many people use it. It’s the ability to perform up to layer 7 (application layer) inspection and blocking. So let’s say you want to let your employees use LinkedIn but you don’t want them to use the job search; you can block that. Or you want to block BitTorrent traffic; you can also do that with AVC. There are thousands of different options.

Like URL filtering, you need to enable this on an access rule that’s set to BLOCK (here I’m lazily adding it to the same one as my URL blocking; I suggest in production you create one just for AVC).

FTD AVC Application Filtering

DON’T FORGET: No changes will be applied until you save and deploy the changes (WHICH TAKES AGES!)

Related Articles, References, Credits, or External Links

Cisco Firepower 1010 Configuration

Cisco FTD (and ASA) Creating AnyConnect Profiles
https://www.petenetlive.com/KB/Article/0001685 | Tue, 07 Jul 2020 18:05:29 +0000 | KB ID 0001685

Problem

A few days ago I did an article on Deploying Cisco AnyConnect with the Cisco FTD, where I glossed over the AnyConnect profile section. For a long time now we have been able to edit the AnyConnect profile from within the firewall (if we are running ASA code!), but for the FTD we need to take a step backwards and go back to using the ‘offline’ AnyConnect profile editor.

Solution

Firstly you need to download the offline profile editor; you will find it on the Cisco AnyConnect Mobility Client download page;

FTD AnyConnect Profile Editor

I won’t insult your intelligence; the setup is straightforward;

Cisco AnyConnect Profile Editor

Launch the editor, and the screen you will see is exactly the same as you would normally see while using the profile editor in a Cisco ASA, (when launched from within the ASDM).

Cisco AnyConnect Profile Editor Settings

Note: I’m not going to go through all the settings (this post would become immense!) Typically I allow remote (RDP) connections, and set the public FQDN for my AnyConnect profile.

Once you have finished, you can simply save the settings as an XML file.

Cisco AnyConnect Profile Editor Export XML

Import an AnyConnect ‘Profile XML File’ into Cisco ASA

As mentioned above, with all ‘modern’ versions of the ASDM/AnyConnect client you can create and edit an AnyConnect profile directly from within the ASDM. But (for completeness) here’s how to import one you created externally (or exported from another firewall).

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile > Import.

Cisco ASA Import AnyConnect Profile XML

Import an AnyConnect ‘Profile XML File’ into Cisco FTD

Objects > AnyConnect Client Profiles > Create AnyConnect Client Profile > Give it a name > Upload.

Cisco FTD Import AnyConnect Profile XML

Browse to, and select the previously created XML file > Open.

Cisco FTD Upload AnyConnect Profile XML

Then save and deploy the changes (this takes ages!).

Cisco FTD Save and Deploy

You can now select this ‘profile file’ when setting up AnyConnect, or edit any existing AnyConnect Remote Access VPN configuration, and add this profile to it.

Related Articles, References, Credits, or External Links

Cisco Firepower 1010 Configuration

Outlook (for macOS) Notifications Stopped Working
https://www.petenetlive.com/KB/Article/0001684 | Thu, 02 Jul 2020 20:46:01 +0000 | KB ID 0001684

Problem

Like most of us, I spend my working day based around Outlook calendar meetings and entries; I’ve even got birthdays and anniversaries in there. So recently, when the notification pop-ups stopped working, it was a potential problem. Occasionally I could hear the notification ‘sound’, but I had to open Outlook and change to the notification window to see them. When you are as absent-minded as me, that’s a recipe for disaster.

I don’t know if it was a macOS update or a Microsoft Office update that had broken it, (or if I’d done something stupid myself!).

Solution

I tried a few solutions but this is the only one that worked. Click the ‘Apple Icon’ (top left) > System Preferences > Notifications > Scroll down and select Outlook > On your keyboard press the ‘Delete/Backspace’ key to remove Outlook > Close System Preferences.

If Outlook is open, close it > Open Outlook > At the notification prompt > Click ‘Allow’.

The problem ceased.

Related Articles, References, Credits, or External Links

NA
