
Install and Configure Certificate Enrolment Policy Web Service


KB ID 0001250 Dtd 26/10/16

Problem

A client had moved a domain-joined server into their DMZ, and while they had opened the correct ports for domain authentication on their firewall, no one had considered the certificates on the server, which had expired and could not be renewed.

Some research pointed me towards the Certificate Enrolment Web Service. Its job is to let clients enrol for and renew certificates from either non-domain-joined machines, or machines that cannot contact your PKI environment. This was just what I needed; I just had to test the concept. So I built a domain, set up a CA, and a DMZ (with the same firewall as my client, a Cisco ASA). Then I moved a domain client into the DMZ, with domain authentication set up as follows;

Cisco ASA – Allowing Domain Trusts, and Authentication

 

Solution

Before starting I would suggest creating a 'service account' to run the enrolment service. You need to be an admin to install the services, but this account does not need to be. (It does need to be in the LOCAL IIS_IUSRS group on your CES/CEP server(s).) Below you will see I've named my user svc_ca.

You need to already have a PKI/CA set up. You can split the CES 'Web Service' and CEP 'Policy Web Service' across different hosts if you want, but for this example I'm simply putting both roles on the same server.

Adding CEP and CES Roles

Then you need to run the post deployment configuration.

Configure role

Again I'm configuring both roles at the same time.

Configure CA Role

I've only got one, but choose the CA server on which to house the CES role.

Select CA

As I mentioned above, I'm using Windows authentication, if you are deploying certs to a DMZ, yours may be better set to username/password.

CES Authentication Type

Specify the service account you created earlier.

CES Service Account

Again choose your authentication method.

  CEP Authentication Type

Now you need to create a 'Service Principal Name' (SPN) for your service account that's tied to your Certificate Enrolment Web Services server. Open an Administrative Command Window on the CES server and issue the following command (the SPN is the service class http followed by a slash and the server's FQDN);

setspn -s http/{FQDN-OF-Server} {Domain-Name}\{User-Name}

SetSPN for User

Now that your user has an SPN, they will get another 'Tab' on their user object, called 'Delegation'. Add in the CES server for the following service types.

  • HOST
  • rpcss

User Delegation

On your certificate enrolment policy server, open the Internet Information Services (IIS) Management console. Expand {Server-Name} > Sites > Default Web Site > ADPolicyProvider_CEP_Kerberos > Application Settings.

Fix1

Locate the Friendly Name section > Enter a descriptive name for your CEP portal > OK.

Fix2

Open an Administrative Command Window > Issue an IISRESET command.

SetSPN for User

Setup Enrolment Policies

To actually use the CES/CEP service your client needs to know where it is. There are TWO methods of letting them know: you can either use the certificates snap-in, or use a 'Local Group Policy' on the target machines.

Managing Enrolment Policies With Certificates Snap-In

Windows Key+R > MMC {Enter} > File > Add/Remove Snap-In > Certificates > Local Computer > When the console opens > Action > All Tasks > Advanced Operations > Manage Enrolment Policies.

Manage Enrollment Policies

Add > Enter the URI of the CEP Server;

https://{FQDN-Of-CES-Server}/ADPolicyProvider_CEP_Kerberos/service.svc/CEP

Validate Server > Add.

Enrollment Policy Certificate Snap-in

Managing Enrolment Policies With Certificates Local Group Policy

Windows Key+R > gpedit.msc {Enter} > Computer Configuration > Windows Settings > Security Settings > Public-Key Policies > Certificate Services Client - Certificate Enrolment Policy.

Enrollment Policy Local Group Policy

Add > Enter the URI of the CEP Server;

https://{FQDN-Of-CES-Server}/ADPolicyProvider_CEP_Kerberos/service.svc/CEP

Validate Server > Add.

Configure URI for CES with Group Policy

If you already have an Active Directory Enrolment Policy listed, make sure it's NOT selected, and your newly created CES policy is set as default > Apply.

GPO for CES Enrollment

Enrol Or Renew Certificates From CES

Now if you attempt to enrol for a certificate, your machine will use the CES policy.

CES CEP Policy Configured Automatically

 

Related Articles, References, Credits, or External Links

URI Was Validated Successfully But there Was No Friendly Name Returned

Certificate Enrolment – URI This ID conflicts with an Existing ID


Exchange – Event ID 205 and Event ID 16025


KB ID 0001251 Dtd 22/10/16

Problem

At a client this week, they were having a LOT of mail flow problems. Looking at the queue viewer, I could see that all their mail was sitting in queues waiting to go into their mail stores. There was a queue for each mail store, and the error on each was "451 4.4.0 DNS query failed Exchange Server error in message queue". Looking in the Application log, it was full of Event ID 205 and 16025 errors stating;

Event ID 205

Source MSExchange Common

No DNS servers could be retrieved from network adapter {GUID} Check that the computer is connected to a network and that the Get-NetworkConnectionInfo cmdlet returns results.

OR

No DNS servers could be retrieved from network adapter {GUID}. Verify that the computer is connected to a network and that the Get-NetworkConnectionInfo cmdlet returns results.

 

Solution

First you need to get the 'Identity' of your actual network card with a Get-NetworkConnectionInfo command (make sure the correct DNS settings are set for this NIC, i.e. it's not pointing to a PUBLIC DNS server!). Once you have it, change the Transport service to use this new ID with a Set-TransportServer command.

Set-TransportServer {Name-Of-Server} -InternalDNSAdapterGuid {GUID} -ExternalDNSAdapterGuid {GUID}

Set Transport Server GUID

Then Restart the Microsoft Exchange Transport Service and the Microsoft Exchange Mailbox Transport Service.

 

Related Articles, References, Credits, or External Links

NA

Outlook Web App :-( Something Went Wrong


KB ID 0001252 Dtd 28/10/16

Problem

I tried to get access to OWA on my Exchange 2016 server, and was greeted with this;

OWA Something Went Wrong

🙁
Something Went Wrong
We’re having trouble getting to your mailbox right now. Please refresh the page or try again later

 

Solution

I’ve pointed it out on the image above, but it’s easy to miss: look at the time stamp on the error, and compare it to the correct time. The two are not the same.

This is a known problem on both Exchange 2013, and Exchange 2016. It’s fixed in one of the cumulative updates, I was still on the RTM install version, so I updated it.

Exchange 2016 Update

After that it worked fine.

Exchange 2016 OWA Fixed

 

Related Articles, References, Credits, or External Links

Microsoft Exchange Server Build Numbers

Barracuda Email Security Gateway Setup and Deployment


KB ID 0001253 Dtd 29/10/16

Problem

This is the process for setting up both physical and virtual Barracuda Email Security Gateway appliances (formerly Barracuda Spam Firewall).

Note: This walk-through sets out the basic functions to get your appliance working and inspecting email; it's not an exhaustive list of all the features of the appliance.

Solution

Before you start, I'm making the assumption if you have a physical appliance, it's racked and connected to the correct network. Or if you are using a virtual appliance it's been deployed from OVA and connected to the correct network.

Barracuda Email Gateway Initial Setup

To get access to the appliance, the default username and password are admin and admin.

Barracuda Initial Setup

Navigate to TCP/IP Configuration > Enter the IP addressing information, then ensure you SAVE the config.

Barracuda IP Setup

You will also need to enter the licence token, that was supplied to you from your reseller, again make sure you SAVE the configuration.

Barracuda Licencing

Exit, and you are prompted to type YES, the system will reboot.

Barracuda Provisioning

Barracuda Email Gateway Mail Configuration

Once the appliance has rebooted, you can connect to it through a web browser (via https). The username and password will still be admin/admin. The first task is to update the appliance to the latest version (Advanced > Firmware Update). You may need to do this a few times, and each update will require a reboot of the appliance.

Barracuda Firmware Update

Basic > Administration > Email Notifications: Set up an email address for system alerts, and a system contact email address. Save the changes.

Barracuda Email Notifications

On the same tab > Change the time zone > (This may require another reboot).

Barracuda Change Time Zone

Basic > IP Configuration: Destination Mail Server TCP/IP Configuration > Enter the details of your Exchange server (MS Exchange note: one that already has a configured receive connector). Use the 'Test Email Connection' button to make sure it's working. Also set a local hostname and domain name. WARNING: don't use the default one of Barracuda, as this is displayed to the outside world (best not to advertise your email filter vendor).

Barracuda Domain and DNS Settings

Domains > Domain Manager: Add in all the domains that you want to filter email for.

Barracuda Add Domains

Barracuda Manage Domains or Manage Globally

IMPORTANT: You can change settings for each individual domain (handy if you filter email domains for a lot of different customers), or you can change settings globally. To manage an individual domain, navigate to Domains > Domain Manager > Select the domain and click Manage Domain. From this point forward you are only changing settings for this managed domain. You return to global configuration by clicking 'Manage System'.

I've mentioned this now because the next steps are carried out 'per domain'.

Manage Individual Domains

For each Exchange-managed (i.e. Active Directory) domain: Users > LDAP Configuration > Change Exchange Accelerator / LDAP Verification to "Yes" > Enter the FQDN of one of your domain controllers > LDAP Port (use 389 or 3268) > Then enter the 'Distinguished Name' and password for a domain user. Make sure the test passes before you proceed.

How do you find a Distinguished Name? Run the following dsquery command;

dsquery user -name "User Name"

Barracuda Check Domain Email

Why have you just done this? Because now the Barracuda will reject all mail sent to this domain for users that do not exist. Spammers bulk mail known good domain names with random names in the hope of getting lucky. Repeat for any other domains you are authoritative for, but ensure you use a mailbox address of the domain you are protecting, like so;

Barracuda Additional Domain Email

Back in global configuration > I'm going to set Quarantine on a user-by-user basis (rather than globally). Basic > Quarantine > enable per-user, then enter an email address and the FQDN of the Barracuda appliance > Save.

Barracuda Allow Users Unblock

Basic > Spam Checking: The actual levels you want may require some tuning; this is a good place to start. You would normally use either Quarantine or Tagging. I'm setting the appliance to block at level 6 and quarantine at level 3. (Note: These levels are scores that the Barracuda assigns to emails, grading the likelihood of them being spam.)

Barracuda Allow Users Unblock

The Barracuda (like most email platforms) won't accept email from any IP/host/subnet unless you allow it. So that your email server can send mail through the Barracuda you need to add it in. Basic > Outbound > Relay Using Trusted IP/Range > Enter either the IP addresses of your mail servers, or the subnet they are on.

Add Exchange to Barracuda

Configure Exchange 2013/2016 To Send Mail via Barracuda

I know there are many email platforms, but I'm using Exchange 2016. To send email via this appliance you need to add it as a "Smart Host" on the Exchange organisation's 'Send Connector'. Log into Exchange Admin Center > Mail Flow > Send Connectors > Select the connector > Edit.

Exchange Send Connector

Delivery Tab > Enter the FQDN or IP of the Barracuda > Save.

Exchange Send Connector Smart Host

Then restart the Microsoft Exchange Transport Service. 

Exchange Restart Transport Service

Exchange Receive Connector: You probably already have a receive connector configured for internet email (i.e. set to anonymous, for port 25). In some Exchange deployments you may need to add a connector for the Barracuda and allow it to relay mail through Exchange.

Repoint Mail 'Feed' To Barracuda

How you do this depends on your network setup and firewall vendor. If you already have mail coming into your mail server, then you are probably doing one of the following;

  • Port forwarding SMTP (TCP port 25) from your public IP to the internal IP of the mail server.
  • Statically NATing a public IP address to the internal/private IP of the mail server, and opening SMTP (TCP port 25) to that IP.

In either case, you need to change the private IP address that mail is pointed at from your mail server to the Barracuda IP. If you are using a Cisco firewall or router, I've already written some articles that may help; take a look at the following.

Cisco PIX / ASA Port Forwarding

Add a Static (One to One) NAT Translation to a Cisco ASA 5500 Firewall

Juniper (JUNOS) SRX – Static ‘One-to-One’ NAT

Cisco Routers – Port Forwarding

Changing Public IP Address Warning

Be aware that if you change the public IP address that you accept mail on, you need to change your DNS MX records to match (if you use SPF records, those may also need changing). See the following article;

Setting up the Correct DNS Records for your Web or Mail Server

 

All being well, you should now see mail flowing through the Barracuda (Message Log).

Barracuda Working

Related Articles, References, Credits, or External Links

NA

OWA 2016 – Change Login From Domain\Username to Username


KB ID 0001254 Dtd 07/11/16

Problem

Out of the box, if you want to log into Outlook Web App, you need to use the Domain\Username format, like so;

OWA Domain username login format

Seeing as how Microsoft are making a big song and dance about using UPNs to log into Office 365, I thought they might have changed from the NT4 way of doing things, but hey, what do I know?

As we all know, users are stupid; Domain\Username is up there with string theory and quantum mechanics. So how do you change the format to simply Username?

 

Solution

Log into the Exchange Admin Center > Servers > Virtual Directories > Locate OWA > Edit.

OWA Edit Virtual Directory

Authentication Tab > Use Forms Based Authentication > User name only > Browse > Select your domain > OK > OK.

OWA username format copy

Now on the server that's hosting the OWA Website you need to Restart IIS.

iisreset /noforce

IISRESET NOFORCE

Now your users can authenticate with just their username.

OWA username only login

Exchange Admin Center Logon Note

This will also change the login method for the Exchange Admin Center website (ECP), because by default it has this set in its properties;

Exchange Admin Center ECP username only login

Related Articles, References, Credits, or External Links

 

Meraki To Cisco ASA 5500 Site to Site VPN


KB ID 0001255 Dtd 08/11/16

Problem

This was surprisingly easier than I was expecting! Special thanks to Steve for letting me loose on his test network for the Meraki end of the tunnel. Here I'm using an MX64 security appliance and a Cisco ASA 5510.

Meraki to Cisco ASA VPN

Solution

Configuring Meraki MX Device for VPN to a Cisco ASA

From your Meraki dashboard > Security Appliance > Site To Site VPN.

Meraki Site To Site VPN

If you have no VPNs setup then you will need to select 'Hub', then scroll down to 'Non-Meraki VPN Peers' > Add a peer.

Meraki Site To Site Peer

Give the tunnel a name > Public IP is the address of the ASA > Private Subnets is the network(s) behind the ASA > Preshared secret is a shared key you will enter on the ASA (below). Above, select all the networks you have behind the Meraki that you want to participate in the VPN and set their 'Use VPN' status to 'Yes'.

Note: If you click the IPsec policy you will see what it wants to use for phase 1 and phase 2 of the VPN tunnel. BE AWARE: By default PFS (Perfect Forward Secrecy) is disabled. If you set up your ASA VPN from within the ASDM wizard, PFS may be enabled on the ASA, and the two ends will not match. All the more reason to use the command line options I give you below!

Meraki Site To Site Cisco ASA

If you don't know the public IP of your Meraki device, here is where to find it (so you can use it when configuring the ASA).

Meraki MX Public IP

Configuring Cisco ASA5500 for VPN to a Meraki MX Device

To make things simple, change the site-specific values below (the subnets, the Meraki's public IP and the pre-shared key) and then you can paste the commands into your Cisco ASA.

WARNING: Below I use a crypto map called CRYPTO-MAP. If you already have one, then CHANGE the name to match your existing one ('show run crypto map' will show you), e.g. if yours is called outside_map, then change the entries below to outside_map 2.

Note: This config uses newer (post 8.3) NAT commands.

!
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 12800
!
object network OBJ-This-Site
subnet 192.168.100.0 255.255.255.0
object network OBJ-Meraki-Site
subnet 192.168.102.0 255.255.255.0
!
access-list MERAKI-INTERESTING-TRAFFIC extended permit ip object OBJ-This-Site object OBJ-Meraki-Site
nat (inside,outside) source static OBJ-This-Site OBJ-This-Site destination static OBJ-Meraki-Site OBJ-Meraki-Site no-proxy-arp route-lookup
!
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
pre-shared-key 123456
isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev1 transform-set MERAKI-TRANSFORM esp-aes-256 esp-sha-hmac
!
crypto map CRYPTO-MAP 1 match address MERAKI-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set peer 203.0.113.1
crypto map CRYPTO-MAP 1 set ikev1 transform-set MERAKI-TRANSFORM
crypto map CRYPTO-MAP interface outside
!

Related Articles, References, Credits, or External Links

NA

Cisco AnyConnect – With Google Authenticator 2 Factor Authentication


KB ID 0001256 Dtd 09/11/16

Problem

This was asked as a question on Experts Exchange this week, and it got my interest. A quick search turned up a bunch of posts that said yes, this is possible, you deploy it with FreeRADIUS and it works great. The problem was that a lot of the information is a little out of date, and some of it is 'wrong enough' to make the non-technical types give up. But I persevered, and got it to work.

AnyConnect-GoogleAuth-Radius

Disclaimer: This is not an exercise in deploying AnyConnect, I've got that covered to death all over the website, use the search function above, or simply go to the following article;

Cisco ASA 5500 AnyConnect Setup From Command Line

So before proceeding I'll assume you have AnyConnect setup, and you can connect with a local username.

Disclaimer 2: Please don't email me with questions like, "Can I take this and integrate it with Active Directory, eDirectory" etc. Or "I'm trying to get this to work with 'insert name of some Linux distro" and I'm getting an error. 

Prerequisite: You will need to have the Google Authenticator app on a device (probably an iOS or Android phone), and have that running and ready to accept a new identity/account.

Solution

Setup FreeRADIUS

I'm not a Linux guru; I just downloaded the latest version of Ubuntu Server (16.04.1 at time of writing) and deployed it as a VM on an ESX host.

Non-Linux Types Note: A lot of the commands below require you to either be logged on as root, or to 'su' to root (if that's not an option, you will need to prefix the commands with 'sudo').

Ubuntu Enable Root Account: I quickly learned that these days the root account is disabled (for sensible reasons). However, because of the way FreeRADIUS works here, it needs to run under the root account.

sudo passwd root
ENTER AND CONFIRM PASSWORD
sudo passwd -u root
 

Ubuntu: Install Prerequisites: We need to get all current updates, then install NTP (because the authenticator codes are time-specific). Then there are some tools that we will need to build the Google Authenticator software.

apt-get update
apt-get install autotools-dev
apt-get install autoconf
apt-get install libtool
apt-get install ntp
apt-get install build-essential libpam0g-dev freeradius git libqrencode3 
 

Update Ubuntu

Install NTP Ubuntu

Install Google Authenticator: This is quite cool (if, like me, you don't do a lot of Linux). We clone the source from GitHub, then move into the libpam 'Directory' and build and install the PAM module.

cd ~
git clone https://github.com/google/google-authenticator.git
cd google-authenticator/libpam/
./bootstrap.sh
./configure
make
make install
 

Configuring FreeRADIUS and Google-Authenticator

Ubuntu has nano installed by default, so that's what I'm going to use; if you're a sandal-wearing 'vi' user, then feel free to use that instead.

First we are going to change FreeRADIUS so that it runs under the 'root' account.

nano /etc/freeradius/radiusd.conf

At the bottom of the file, change the user and group from freerad to root, save the file and exit.

Like so:

Allow Root FreeRadius

 

Next we are going to create a group called radius-disabled, then if you need to deny a user access, you can simply make them a member of this group.

addgroup radius-disabled

Then configure FreeRADIUS to reject members of that group.

nano /etc/freeradius/users

Locate the lines indicated below;

RADIUS Reject Users

Change and un-comment them, to add the following text;

DEFAULT Group == "radius-disabled", Auth-Type := Reject
        Reply-Message = "Your account has been disabled."
DEFAULT Auth-Type := PAM
 

So it looks like below, then save and exit the file;

RADIUS Reject Users PAM

Enable Pluggable Authentication Modules (PAM): Edit the following file;

nano /etc/freeradius/sites-enabled/default

Locate the line with 'pam' in it and uncomment it (remove the hash/pound sign), like so;

Before;

Free RADIUS Enable PAM

After;

Free RADIUS Enable PAM config

Exit and save the changes.

Configure FreeRADIUS to use Google Authenticator: Edit the following file;

nano /etc/pam.d/radiusd

Locate all the lines that start with an '@' symbol and comment them out (prefix them with a "#"), then paste the following text onto the end of the file. The forward_pass option makes the Google Authenticator module strip the 6-digit code from the end of the supplied password, and pass what is left to pam_unix.so as the account password;

auth requisite /usr/local/lib/security/pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass

Before;

RADIUS config file

 

After;

RADIUS Two Factor

Testing Google-Authenticator and FreeRADIUS

The easiest way to do this is to set up a test user, then create a password for them, then assign a Google Authenticator secret to that user, on your Linux server;

adduser tommytester
ENTER AND CONFIRM PASSWORD
su tommytester
ENTER THE PASSWORD
google-authenticator

Now you can either scan the QR code into the Google Authenticator app on your phone, or type in the 'secret-key'. 

RADIUS Secret Key

Once done, you should be looking at a 6 digit number, that changes every 30 seconds;

 Google Authenticator App

Test Authentication on the FreeRADIUS Server first! To do that issue the following command;

radtest tommytester password456743 localhost 18120 testing123

Note: the password for tommytester is 'password' and the 6-digit code is added to the end of it; the testing123 value is the shared secret for localhost, set within FreeRADIUS in the /etc/freeradius/clients.conf file.

RADIUS Secret Key

Successful Authentication

tommytester@RADIUS-HOST:/home/petelong$ radtest tommytester password302971 localhost 18120 testing123
Sending Access-Request of id 165 to 127.0.0.1 port 1812
 User-Name = "tommytester"
 User-Password = "password302971"
 NAS-IP-Address = 192.168.110.85
 NAS-Port = 18120
 Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=165, length=20
tommytester@RADIUS-HOST:/home/petelong$

Unsuccessful Authentication

tommytester@RADIUS-HOST:/home/petelong$ radtest tommytester password302973 localhost 18120 testing123
Sending Access-Request of id 36 to 127.0.0.1 port 1812
 User-Name = "tommytester"
 User-Password = "password302973"
 NAS-IP-Address = 192.168.110.85
 NAS-Port = 18120
 Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=36, length=20
tommytester@RADIUS-HOST:/home/petelong$
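To make the 'password followed by the 6-digit code' convention above concrete, here is an added Python example (not code from the article, FreeRADIUS or the pam_google_authenticator project) that does what the forward_pass setup does on the server side: it splits the combined string, computes the expected TOTP code (RFC 6238 defaults that Google Authenticator uses: HMAC-SHA1, 30-second step, 6 digits) and accepts the code within a small time window. The secret below is the published RFC 6238 test key, so the expected codes are known; the user, password and timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test-vector key ("12345678901234567890" in base32), not a real secret.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32.upper())
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret_b32, at=None, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time / step."""
    t = time.time() if at is None else at
    return hotp(secret_b32, int(t // step), digits)


def split_forward_pass(combined, digits=DIGITS):
    """Split 'passwordNNNNNN' into (password, code) the way forward_pass does.

    Returns None when the string is too short or does not end in the
    expected number of digits, so the caller can reject it outright.
    """
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None
    return combined[:-digits], combined[-digits:]


def verify_login(combined, expected_password, secret_b32, at=None, window=1):
    """Accept only if the static password matches AND the code is valid
    for the current time step or one step either side (clock skew)."""
    parts = split_forward_pass(combined)
    if parts is None:
        return False
    password, code = parts
    t = time.time() if at is None else at
    counter = int(t // STEP_SECONDS)
    # Constant-time comparisons so the result does not leak which part failed.
    code_ok = any(
        hmac.compare_digest(hotp(secret_b32, counter + delta), code)
        for delta in range(-window, window + 1)
    )
    pw_ok = hmac.compare_digest(password.encode(), expected_password.encode())
    return code_ok and pw_ok


if __name__ == "__main__":
    # Constructed demo: the code at Unix time 59 for this key is 287082.
    now = 59
    print("current code:", totp(SECRET_B32, at=now))
    print("good login  :", verify_login("password287082", "password", SECRET_B32, at=now))
    print("bad code    :", verify_login("password287083", "password", SECRET_B32, at=now))
    print("bad password:", verify_login("wrongpw287082", "password", SECRET_B32, at=now))
```

The radtest transcripts above show exactly this behaviour from the outside: the same static password with a one-digit difference in the code produces Access-Accept in one run and Access-Reject in the other. The window of one step either side is why the clock on the FreeRADIUS server matters; if NTP is blocked, every code falls outside the window and all logins fail.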

Troubleshooting: If there's a problem, make sure that the time on the FreeRADIUS server is correct (is NTP getting blocked at the firewall?). Then what I do is SSH into the server from another session and enable debugging, then back at the console test authentication again; you can then see the debugging output on the other screen, which will point you in the right direction.

To enable debugging;

service freeradius stop
freeradius -XXX

Add the Cisco ASA Firewall as a RADIUS Client: You need to add the firewall as a 'client' before it can authenticate. Edit the following file;

nano /etc/freeradius/clients.conf

Add the following text to the end of the file (cisco123 is the shared secret we will enter on the ASA later);

client 192.168.110.1 {
 secret = cisco123
 shortname = CiscoASA
 nastype = cisco
}

Configure Cisco ASA for FreeRADIUS Authentication

On the ASA you create an AAA server group, set its protocol to RADIUS, then add the FreeRADIUS server as a host and specify the secret key you used above. REMEMBER you need to specify the ports or authentication will fail (you get a 'no response' error).

aaa-server PNL-RADIUS protocol radius
aaa-server PNL-RADIUS (inside) host 192.168.110.85
 authentication-port 1812
 accounting-port 1813
 key cisco123
 radius-common-pw cisco123
 exit

The ASA also needs to have the correct time for authentication to work; I've covered that elsewhere, run through the following article;

Cisco ASA – Configuring for NTP

Change AnyConnect AAA Authentication Method: With nothing set, your AnyConnect is probably using its LOCAL database of usernames and passwords; we now need to change it to use the RADIUS host we just set up. You do that in the AnyConnect tunnel-group's 'general-attributes' section. Issue a show run tun command to see the tunnel groups listed.

Petes-ASA# show run tun
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy GroupPolicy_ANYCONNECT-PROFILE
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
 group-alias ANYCONNECT-PROFILE enable

Then add your RADIUS GROUP as the authentication server.

Petes-ASA# tunnel-group ANYCONNECT-PROFILE general-attributes 
Petes-ASA(config-tunnel-general)# authentication-server-group PNL-RADIUS

Test RADIUS Authentication on the Cisco ASA First: I've covered this in the past see the following article;

Cisco – Testing AAA Authentication (Cisco ASA and IOS)

Remember that the password will be the user password, followed by the 6 digit number displayed on the authenticator.

Petes-ASA# test aaa-server authentication PNL-RADIUS host 192.168.110.85 username tommytester password password125689
INFO: Attempting Authentication test to IP address <192.168.110.85> (timeout: 12 seconds)
INFO: Authentication Successful
Petes-ASA#

Or, if you prefer to use the ASDM;

Test AAA 2 Factor Cisco ASA

Finally you can test authentication from your remote AnyConnect client.

AnyConnect and Google Authenticator

 

Related Articles, References, Credits, or External Links

NA

Windows Server 2016 – Locating, Transferring, and Seizing FSMO Roles


KB ID 0001257 Dtd 10/11/16

Problem

I've written about transferring and seizing FSMO roles (Flexible Single Master Operations) before; see the following article;

Transferring Your FSMO Roles

Now you have a PowerShell cmdlet to help: 'Move-ADDirectoryServerOperationMasterRole'.

Solution

As before you can view your FSMO role holders, by using the following command.

netdom query fsmo

Locate FSMO Roles PowerShell

To transfer them to another server (in this case, to a host called LAN-2016);

Move-ADDirectoryServerOperationMasterRole -Identity LAN-2016 -OperationMasterRole SchemaMaster,  DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster 

If you can't be bothered to type the names, you can also use numbers, i.e.

  • PDCEmulator 0
  • RIDMaster 1
  • InfrastructureMaster 2
  • SchemaMaster 3
  • DomainNamingMaster 4

2016 Move FSMO Roles PowerShell

Obviously this will move them all, omit any you don't want to move!

How to Seize FSMO Roles In Server 2016

Easy! Same command as above, but you put the '-Force' switch on the end of the command, i.e.

Move-ADDirectoryServerOperationMasterRole -Identity LAN-2016 -OperationMasterRole SchemaMaster,  DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster -Force 

 

Related Articles, References, Credits, or External Links

NA


Cisco IOS – How To Find VLAN IPs (SVI’s)


KB ID 0001258 Dtd 16/11/16

Problem

If you have a complicated network, you can spend more time finding out how it's configured, than actually doing any work on it!

6500 Switch

Today I had a client that needed some changes made on their LAN, I knew their name, and their network address, and common sense told me which of the core switches they were connected to.

Solution

A quick search on the client name told me what VRF they were in, and what VLAN they were in (3000). Let's have a look at that;

Petes-Core-SW#show run vlan 3000
Building configuration...

Current configuration:
!
vlan 3000
 name CORP:NET
end

That doesn't yield much more than I already know, so I can either do this and get a LOT of information;

Petes-Core-SW#show interfaces vlan 3000
Vlan3000 is up, line protocol is up
 Hardware is EtherSVI, address is c062.6be3.3000 (bia c062.6be3.9d40)
 Description: CORP:NET
 Internet address is 192.168.1.100/24
 MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
 reliability 255/255, txload 1/255, rxload 1/255
 Encapsulation ARPA, loopback not set
 Keepalive not supported
 ARP type: ARPA, ARP Timeout 04:00:00
 Last input 00:00:00, output never, output hang never
 Last clearing of "show interface" counters never
 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
 Queueing strategy: fifo
 Output queue: 0/40 (size/max)
 5 minute input rate 254000 bits/sec, 115 packets/sec
 5 minute output rate 504000 bits/sec, 119 packets/sec
 L2 Switched: ucast: 22179333 pkt, 1561846492 bytes - mcast: 0 pkt, 0 bytes
 L3 in Switched: ucast: 471521755 pkt, 367932934560 bytes - mcast: 0 pkt, 0 bytes
 L3 out Switched: ucast: 493390206 pkt, 464908773459 bytes - mcast: 0 pkt, 0 bytes
 475554223 packets input, 366284328453 bytes, 0 no buffer
 Received 0 broadcasts (1116 IP multicasts)
 0 runts, 0 giants, 0 throttles
 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
 493591347 packets output, 462947525840 bytes, 0 underruns
 0 output errors, 0 interface resets
 0 output buffer failures, 0 output buffers swapped out

Or, more sensibly;

Petes-Core-SW#show run interface vlan 3000
Building configuration...



Current configuration : 160 bytes
!
interface Vlan3000
 description CORP:NET
 mac-address c062.6be3.3000
 vrf forwarding CORP:NET
 ip address 192.168.1.100 255.255.255.0
end

Find What VLAN An IP Address Is In

If you have the opposite problem, i.e. you know the IP (or a part of the IP), you can get the VLAN number like so;

Petes-Core-SW#show ip int br | incl 192.168.1.100
Vlan3000               192.168.1.100     YES NVRAM  up                    up
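The 'incl' filter above only matches the literal text, so it finds the SVI that owns 192.168.1.100 but not the SVI whose subnet a host such as 192.168.1.37 sits in. As an added example that goes a little beyond the page (not code from the article or from Cisco), here is a small Python parser that reads the 'interface VlanN' blocks from a saved 'show run' and answers "which VLAN and VRF is this IP in?" by subnet membership. The running-config text is constructed for the example, modelled on the SVI block shown above.

```python
import ipaddress
import re

# Constructed sample of 'show run' SVI blocks (not captured from a real switch).
SAMPLE_SHOW_RUN = """\
interface Vlan3000
 description CORP:NET
 mac-address c062.6be3.3000
 vrf forwarding CORP:NET
 ip address 192.168.1.100 255.255.255.0
!
interface Vlan3001
 description CORP:DMZ
 vrf forwarding CORP:NET
 ip address 10.10.20.1 255.255.255.128
!
interface Vlan99
 description MGMT
 ip address 172.16.99.254 255.255.255.0
!
end
"""

INTERFACE_RE = re.compile(r"^interface (Vlan\d+)\s*$")


def parse_svis(show_run):
    """Return one dict per 'interface VlanN' block that carries an IP address.

    Each dict has: name, description, vrf ('global' when no 'vrf forwarding'
    line is present) and network (an ipaddress.IPv4Interface).
    """
    svis = []
    current = None
    for line in show_run.splitlines():
        match = INTERFACE_RE.match(line)
        if match:
            current = {"name": match.group(1), "description": "",
                       "vrf": "global", "network": None}
            svis.append(current)
            continue
        if current is None or not line.startswith(" "):
            current = None  # '!' or 'end' closes the block
            continue
        field = line.strip()
        if field.startswith("description "):
            current["description"] = field[len("description "):]
        elif field.startswith("vrf forwarding "):
            current["vrf"] = field[len("vrf forwarding "):]
        elif field.startswith("ip address "):
            addr, mask = field.split()[2:4]
            current["network"] = ipaddress.ip_interface(f"{addr}/{mask}")
    return [svi for svi in svis if svi["network"] is not None]


def find_vlan_for_ip(show_run, ip):
    """Return (SVI name, VRF) of the most specific SVI subnet containing ip."""
    target = ipaddress.ip_address(ip)
    best = None
    for svi in parse_svis(show_run):
        net = svi["network"].network
        if target in net and (best is None
                              or net.prefixlen > best["network"].network.prefixlen):
            best = svi
    return None if best is None else (best["name"], best["vrf"])


if __name__ == "__main__":
    for host in ("192.168.1.100", "192.168.1.37", "10.10.20.200", "172.16.99.7"):
        print(host, "->", find_vlan_for_ip(SAMPLE_SHOW_RUN, host))
```

Feed it the output of 'show run | section interface Vlan' saved to a file and it will tell you the SVI for any host address on the LAN, not only the SVI's own address. The longest-prefix rule matters when an SVI has secondary or overlapping subnets; the parser only reads the primary 'ip address' line, which is enough for the case on this page.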

 

Related Articles, References, Credits, or External Links

NA

Cisco SFR Session – Cannot Exit To Command Line


KB ID 0001259 Dtd 22/11/16

Problem

This tripped me up once before, and I didn't document it! Normally if you have a session open with your FirePOWER module (that you opened with a 'session sfr' command), then you can just quit and exit back to the firewall by typing 'exit', like so;

ciscoasa# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.

Cisco ASA5512 v6.1.0 (build 330)
firepower login: admin
Password:******
Last login: Tue Nov 22 15:49:51 UTC 2016 on pts/0

> exit
Remote card closed command session. Press any key to continue.
Command session with module sfr terminated.
ciscoasa# 

But if you have a console session open with the module, (that you opened with a 'session sfr console' command), then typing exit simply dumps you back at the login screen!

ciscoasa(config)# session sfr console


asasfr-boot>exit


Cisco FirePOWER Services Boot Image 6.1.0

asasfr login:

 

Solution

Well that's annoying! You need to log back into the SFR module, then exit with the following key sequence;

Press 'Ctrl+Shift+6'

SFR escape sequence

Then release those keys and press 'x'

Cisco SFR Exit Keystrokes

 

Related Articles, References, Credits, or External Links

NA

Cisco ASA – Remote IPSEC VPN With the NCP Entry Client


KB ID 0001260 Dtd 23/11/16

Problem

I've covered Cisco IPSEC Remote VPNs a long time ago, and I've also blogged about the Cisco IPSEC VPN Client Software. Yes you can get the Cisco VPN Client Working on Windows 10, but can you imagine rolling that out to a few hundred users?

The bottom line is that Remote Cisco IPSEC VPN is a dead technology; Cisco, (and me!) want you to use AnyConnect. For a couple of users you can use the workarounds above, but that won't scale well. So if you don't want to ditch IPSEC VPN, then you will have to go with third party software to connect to your device. In this example I will use the NCP Secure Entry Client.

Solution

Configure the ASA. I've done this to death in the past, (read the links above), so here's the config (taken from a firewall running version 9.x) to copy and paste in.

!
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ipsec ikev1 transform-set TS-IPSEC-VPN esp-3des esp-sha-hmac
!
ip local pool PNL-POOL-IPSEC 192.168.198.1-192.168.198.254 mask 255.255.255.0
!
access-list SPLIT-TUNNEL standard permit 192.168.100.0 255.255.255.0
!
group-policy IPSEC-VPN internal
group-policy IPSEC-VPN attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 dns-server value 192.168.100.10
 vpn-simultaneous-logins 3
 default-domain value petenetlive.com
!
tunnel-group IPSEC-VPN type remote-access
tunnel-group IPSEC-VPN general-attributes
 address-pool PNL-POOL-IPSEC
 default-group-policy IPSEC-VPN
 authentication-server-group LOCAL
tunnel-group IPSEC-VPN ipsec-attributes
 ikev1 pre-shared-key Cisco123456
!
crypto dynamic-map DYNAMIC-CRYPTO-MAP 65535 set ikev1 transform-set TS-IPSEC-VPN
!
crypto map CRYPTO-MAP 65535 ipsec-isakmp dynamic DYNAMIC-CRYPTO-MAP
!
crypto map CRYPTO-MAP interface outside
!
crypto ikev1 enable outside
!
object network OBJ-IPSEC-SUBNET
 subnet 192.168.198.0 255.255.255.0
!
nat (inside,outside) source static any any destination static OBJ-IPSEC-SUBNET OBJ-IPSEC-SUBNET no-proxy-arp route-lookup
!

Points to Note:

  • I'm using 3DES and SHA1 for Phase 1 (ISAKMP) and Phase 2 (IPSEC).
  • The network behind my ASA is 192.168.100.0/24.
  • I've allocated 192.168.198.0/24 to my remote VPN clients. (If you have a complicated network, ensure this is routable from the LAN back to the firewall!)
  • I've enabled split tunnelling.
  • My interfaces are called inside and outside, yours might be different!
  • Crypto Map Warning: If you already have a crypto map applied to the outside interface, use the name of the existing one (i.e. NOT CRYPTO-MAP), or your existing VPNs will stop working! Issue a 'show run crypto map' command to check.
  • I have not enabled PFS. (If I had, it would have been in the crypto map).

Configure NCP Entry Client

OK, it's not free, but you do get a 30 day trial to give it a test run and see if you like it. Once installed and rebooted, launch the software. Configuration > Profiles > Add/Import > Link to Corporate Network Using IPSEC > Next

Note: As indicated below if you have a PCF file you can import that. 

  Add NCP VPN Profile

Give the profile a name i.e. 'Connection to Office' > Next > Communication Medium = LAN (over IP) > Next > Gateway = Public name or IP of your Cisco ASA > User ID details is the username and password that you need to enter to connect. (Note: Not the Group name and pre-shared key) > Next.

Usernames should be supplied by your firewall admin (tell them to issue a 'show run | begin username' command).

NCP VPN Profile Settings

Exchange Mode = Aggressive Mode > PFS Group = {blank} > Next > Local Identity IKE Type = 'Free string used to identify groups' > ID = {Your Tunnel Group-Name} > Shared Secret = {Your Group Pre-Shared-Key} > Next.

Tunnel group name, and Pre-Shared Keys also need to be given to you by your firewall admin. Ask them to run  'more system:running-config | begin tunnel-group' if they don't know.

ncp vpn group authentication settings

Change IP Address Assignment to IKE Config Mode > Next > Firewall (leave it off) > Finish.

NCP VPN IKE Config Mode Cisco

OK > Click switch to enable.

NCP VPN Connect to Cisco

It Wont Work?

On the client you can go to Help > Logbook to see what the problem is.

On the firewall, 'debug crypto isakmp 255' will debug Phase 1 and 'debug crypto ipsec sa 255' will debug Phase 2.

Related Articles, References, Credits, or External Links

NA

Cisco ASA EZVPN (Revisited)


KB ID 0001261 Dtd 24/11/16

Problem

EZVPN is a technology that lets you form an ISAKMP/IPSEC VPN tunnel from a site with a dynamically assigned IP (EZVPN Client,) back to a device with a static IP (EZVPN Server).

I've called this EZVPN revisited, because this is a technology I've talked about before. So why am I here again? Well back then I used the ASDM. If you do that now, you need to go in and mess about with things to get it to work properly. Last week a client was asking me about buying a 5505 for his home, and putting a VPN into his place of work. Obviously he did not have a static IP at home, which was why I suggested EZVPN.

So it's time to 'Man Up' and get to grips with the CLI. In the example below my corporate LAN is behind a Cisco ASA 5515-X, and my 'Home Office' is behind a Cisco ASA 5506-X, (you can use a 5508-X as well, or an old 5505).

Cisco EZVPN

 

Solution

So How does EZVPN Work? Well there's no separate/special technology, it's a good old fashioned Client IPSEC VPN. The one we used to use the OLD IPSEC VPN client for, (yes the one that went end of life - in 2011!)

But instead of using a piece of software to supply the username/password and the group/pre-shared-key, you configure a hardware device to supply those details. This enables the hardware device to bring up a software client VPN session. There are two methods of doing this, Client Mode and Network Extension Mode (NEM).

  • Client Mode: Works exactly like the VPN client software, and leases an IP address from a pool of IP addresses supplied by the ASA, (or a DHCP server).
  • Network Extension Mode: This works like a 'proper' site to site VPN, insofar as, all the IP addresses on the client/remote site can be addressed from the main site. 

I'm going to use Network Extension Mode for this example, I'm also going to enable 'Split tunnelling' so that only VPN traffic goes over the VPN.

Remote EZVPN Client WARNING

The client that 'dials in' cannot be running any other VPN solution. In fact it can't even have IKE policies defined, (even if they are not in use).

Configure the EZVPN Server

The bulk of the work is on the main site ASA.

!
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ipsec ikev1 transform-set TS-IPSEC-VPN esp-3des esp-sha-hmac
!
access-list SPLIT-TUNNEL standard permit 192.168.100.0 255.255.255.0
!
group-policy IPSEC-VPN internal
group-policy IPSEC-VPN attributes
 password-storage enable
 nem enable
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 vpn-simultaneous-logins 3
!
tunnel-group IPSEC-VPN type remote-access
tunnel-group IPSEC-VPN general-attributes
 default-group-policy IPSEC-VPN
 authentication-server-group LOCAL
tunnel-group IPSEC-VPN ipsec-attributes
 ikev1 pre-shared-key Cisco123456
!
crypto dynamic-map DYNAMIC-CRYPTO-MAP 65535 set ikev1 transform-set TS-IPSEC-VPN
!
crypto map CRYPTO-MAP 65535 ipsec-isakmp dynamic DYNAMIC-CRYPTO-MAP
!
crypto map CRYPTO-MAP interface outside
!
crypto ikev1 enable outside
!
object network OBJ-EZVPN-SUBNET
 subnet 10.254.254.0 255.255.255.0
!
nat (inside,outside) source static any any destination static OBJ-EZVPN-SUBNET OBJ-EZVPN-SUBNET no-proxy-arp route-lookup
!
username EZVPNSite1 password P@ssword123
!

Points to Note:

  • I'm using 3DES and SHA1 for Phase 1 (ISAKMP) and Phase 2 (IPSEC).
  • The network behind my main site ASA is 192.168.100.0/24.
  • The network behind my remote site ASA is 192.168.100.0/24.
  • I've enabled split tunnelling.
  • My interfaces are called inside and outside, yours might be different!
  • Crypto Map Warning: If you already have a crypto map applied to the outside interface, use the name of the existing one (i.e. NOT CRYPTO-MAP), or your existing VPNs will stop working! Issue a 'show run crypto map' command to check.
  • I have not enabled PFS. (If I had, it would have been in the crypto map).
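Two of the warnings above (in both this article and the NCP one) are easy to check for before pasting config: the 'Crypto Map Warning' about an existing crypto map already bound to the outside interface, and the 'Remote EZVPN Client WARNING' that the dial-in ASA must not have any IKE policies or other VPN config. The following is an added example, not code from the PeteNetLive article or from Cisco: it runs those checks over constructed 'show run' text and, going beyond the page, also reports IKEv1 policies that still use DES/3DES, MD5 or Diffie-Hellman groups below 2048 bits (the article's own policy uses 3DES and group 2). The function names, the sample configs and the map name OUTSIDE-MAP are all my own assumptions.

```python
"""Added example (not from the PeteNetLive articles): pre-flight checks for
the ASA configs in the text, run against constructed 'show run' output."""
import re

# Constructed main-site running config (not from the article): a pre-existing
# site-to-site crypto map named OUTSIDE-MAP is already bound to 'outside',
# alongside the 3DES / group 2 policy the article pastes in.
MAIN_SITE_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
!
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto map OUTSIDE-MAP 10 match address L2L-ACL
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-L2L
crypto map OUTSIDE-MAP interface outside
"""

# Constructed remote-site config that still carries an IKE policy, which the
# EZVPN client warning says must not be there.
REMOTE_SITE_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
interface GigabitEthernet1/1
 nameif outside
"""


def find_bound_crypto_maps(running_config):
    """Map each interface to the crypto map bound to it ('crypto map X interface Y')."""
    bound = {}
    for line in running_config.splitlines():
        m = re.match(r"crypto map (\S+) interface (\S+)\s*$", line)
        if m:
            bound[m.group(2)] = m.group(1)
    return bound


def crypto_map_conflict(running_config, new_map_name, interface="outside"):
    """Return the map already bound to `interface` if pasting `new_map_name`
    would replace it (the 'Crypto Map Warning'), otherwise None."""
    existing = find_bound_crypto_maps(running_config).get(interface)
    return existing if existing not in (None, new_map_name) else None


LEGACY_ENCRYPTION = {"des", "3des"}
LEGACY_HASH = {"md5"}
LEGACY_DH_GROUPS = {"1", "2", "5"}  # 768, 1024 and 1536-bit MODP groups


def legacy_ikev1_policies(running_config):
    """Return {policy_number: [reasons]} for IKEv1 policies with legacy settings."""
    findings, current = {}, None
    for line in running_config.splitlines():
        head = re.match(r"crypto ikev1 policy (\d+)", line)
        if head:
            current = int(head.group(1))
            continue
        if current is None:
            continue
        if not line.startswith(" "):      # left the indented policy block
            current = None
            continue
        key, _, value = line.strip().partition(" ")
        reason = None
        if key == "encryption" and value in LEGACY_ENCRYPTION:
            reason = f"encryption {value} is deprecated"
        elif key == "hash" and value in LEGACY_HASH:
            reason = f"hash {value} is broken"
        elif key == "group" and value in LEGACY_DH_GROUPS:
            reason = f"DH group {value} is below 2048 bits"
        if reason:
            findings.setdefault(current, []).append(reason)
    return findings


EZVPN_BLOCKING_PREFIXES = ("crypto ikev1 policy", "crypto ikev2 policy", "crypto map")


def ezvpn_client_blockers(remote_config):
    """Lines on the prospective EZVPN client that must be removed first:
    any IKE policy or crypto map, per the remote client warning."""
    return [line for line in remote_config.splitlines()
            if line.startswith(EZVPN_BLOCKING_PREFIXES)]


if __name__ == "__main__":
    clash = crypto_map_conflict(MAIN_SITE_CONFIG, "CRYPTO-MAP")
    if clash:
        print(f"Use the existing map name '{clash}' instead of CRYPTO-MAP")
    for number, reasons in legacy_ikev1_policies(MAIN_SITE_CONFIG).items():
        print(f"ikev1 policy {number}: " + "; ".join(reasons))
    for line in ezvpn_client_blockers(REMOTE_SITE_CONFIG):
        print(f"remove before 'vpnclient enable': {line}")
```

Feed it the real 'show run' output and it tells you which existing map name to reuse in the 'crypto map ... interface outside' line, and what has to come off the remote box before 'vpnclient enable'.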

Configure the EZVPN Client

The remote site(s) are easy.

!
vpnclient server 198.100.51.1
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup IPSEC-VPN password Cisco123456
vpnclient username EZVPNSite1 password P@ssword123
vpnclient enable
!

Adding Additional EZVPN Sites

To add another site in Client Mode you would simply add another username and password on the EZVPN server. With Network Extension Mode, you would add an object and NAT exemption on the main site, then set up a new username and password for that site, like so;

New Site EZVPN Server Config

!
object network OBJ-EZVPN-SUBNET-2
 subnet 10.254.254.0 255.255.255.0
!
nat (inside,outside) source static any any destination static OBJ-EZVPN-SUBNET-2 OBJ-EZVPN-SUBNET-2 no-proxy-arp route-lookup
!
username EZVPNSite2 password P@ssword456
!

New Site EZVPN Client Config

You just need the new username and password;

!
vpnclient server 198.100.51.1
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup IPSEC-VPN password Cisco123456
vpnclient username EZVPNSite2 password P@ssword456
vpnclient enable
!

 

Related Articles, References, Credits, or External Links

NA

Adding a Windows Server 2016 Domain Controller


KB ID 0001262 Dtd 24/11/16

Problem

Once upon a time, adding a domain controller that was running a newer version of the Windows Server family involved opening command line and schema prepping, and GP prepping etc. Now all this happens in the background while the wizard is doing the heavy lifting for you.

Solution

Obviously the server needs to be a domain member first!

With a vanilla install Server Manager will open every time you boot, (unless you’ve disabled it!) To open it manually, run ‘servermanager.exe’ > Manage > Add Roles and Features.

2016-server-manager

I usually tick the ‘Skip this page by default’ option > Next.

2016 Server Adding Roles

Role Based… > Next.

Windows Server 2016 Roles

Ensure the local server is selected, (if you are managing another server, you can of course do the role install from here as well, but let’s keep things simple) > Next.

2016 Server Add Local Role

Select Active Directory Domain Services > Next.

2016 Active Directory Role

Next.

2016 Domain Controller Adding

Next.

Active Directory Services 2016

Ensure ‘Restart’ is selected > Next.

008-2016-add-active-directory

Next.

009-role-installed

Promote Windows 2016 Server To Domain Controller

Back in Server Manager > In the ‘Notifications’ section, click the warning triangle > ‘Promote This Server To Domain Controller’.

010-2016-promote-to-domain-controller

Assuming you already have a domain, and this is not a greenfield Install > Add a domain controller to an existing domain > Next.

011-2016-dcpromo

Type and confirm a Directory Services Restore Mode (DSRM) password, make it something you will remember in a crisis, or store it securely somewhere > Next.

012-2016-dsrm-password

This is fine. You see this error because it’s trying to create a delegation for this DNS zone, and there isn’t a Windows server above you in the DNS hierarchy. For example, if your domain name is petenetlive.co.uk, I do not have access to create a delegation in the .co domain space, (so you can safely ignore it) > Next

013-2016-dns-delegation

If you have a backup of AD you can ‘Install From Media’. This used to be handy on remote sites that had awful bandwidth, as it saved you having to replicate a large Active Directory over a ‘pants’ connection. I’ve not had to do that in a long time > Next.

2016 Active Directory Install From Media

Unless you want to change the default AD install locations > Next.

2016 AD install Location

Next.

Review 2016 Domain Install

Read any warnings  > Install

2016 Domain Pre-Requisites

Go have a coffee, we ticked ‘reboot’ earlier so it will complete, then reboot the server, which will come back up as a domain controller.

Reboot Domain Controller

You will notice, (if you’re interested,) that your schema version is now 87 (Server 2016).

2016 Schema Version

Find out your Domain Schema Version

Related Articles, References, Credits, or External Links

NA

Deploy Cisco FirePOWER Management Center (Appliance)


KB ID 0001263 Dtd 30/11/16

Problem

You have been able to manage your firewall’s internal SFR module for a while using the ASDM;

Setup FirePOWER Services (for ASDM)

For most people that’s fine, but if you have a lot of FirePOWER devices to manage that does not scale well. In those cases you should use the FMC (FirePOWER Management Center). Here I’m going to use the VMware virtual appliance, (at time of writing there is no Hyper-V version).

FirePOWER Management Center

This lets you create policies centrally and then deploy them to your devices in bulk.

Solution

Deploy the FirePOWER Management Center Appliance

Obviously before you start you need to have VMware (ESX or vCenter). With 250GB of storage free, (you can deploy it thin provisioned). You will also need to allocate 8GB of RAM and 4 virtual CPUs. Whichever network (or VMware port Group) you connect the appliance to it needs to have IP connectivity to the devices you intend to manage.

Download the FMC Appliance: Be aware it downloads in tar.gz format, so on a Windows machine you will need something like 7Zip to uncompress the files. You WON’T find the file under the firewalls; they are listed under;

Downloads > Products > Security > Firewalls > Firewall Management > Firepower Management Center Virtual Appliance

Make Sure: You download the same version that is installed on the modules you want to manage! (‘show module’ on the ASA will tell you).

Get the files extracted and on a machine that you can access your VMware infrastructure from;

Download Cisco FirePOWER

The appliance comes in OVF format; if you are unsure how to import an OVF file see the following article;

VMware vSphere – How to Import and Export OVF and OVA Files

You will need to accept the EULA, then set the admin password, and some basic IP settings.

Import FMC Appliance

I’ve got IPv6 disabled, if you want to address the appliance with IPv6 enter the details here.

FMC IP Settings

Even after the appliance has been imported and powered on it can take 20-30 minutes before you can log on. At this point I would go and do something else. If you really must, then open a ‘console’ session and wait until the logon prompt is shown. You can then logon to the web portal.

Log into FirePOWER

Go to System > Updates > Download and install any updates > Visit both the ‘Rule Updates’ and the ‘Geolocation Updates’ tabs and set a time to download them.

005-update-firepower

Don’t Install the licences Just Yet! Add your devices to the FMC first, then if there’s a problem and you need to rebuild/redeploy, you don’t have to go cap in hand to Cisco licensing to get the licences re-armed. To add the SFR devices see the following article;

Cisco Add FirePOWER Module to FirePOWER Management Center

Network Discovery: Older versions of the FMC used to only look for RFC 1918 IP ranges. This was changed at some point to 0.0.0.0/0, so you couldn’t misconfigure the system by having a private address space internally, for example. This was a good idea, but I’ve seen some firewalls fall over trying to run discovery on every IP address they see! So let’s manually add in our subnets. Objects > Object Management > Add Network > Add Object > Add one for your internal network(s).

FirePOWER Create Object

Policies > Network Discovery > Remove the 0.0.0.0 Rule.

FMC Default Discovery

Create a new discovery rule using just your subnet(s).

Default Discovery Rule FMC

 

Adding Licences To FirePOWER Management Center

You used to have to licence the appliance itself; after version 6 you don’t need to do that. If you have a licence and you try to apply it, nothing happens and you just see this message;

FireSIGHT Licence

Note: FireSIGHT is the old name for FirePOWER Management Center.

What Licences do I need to Add? Your Next Generation Firewalls now come with a ‘CONTROL LICENSE‘ in the box, it is in a large white card envelope, you don’t need to open it the number you need is on the front of the envelope. You add a control licence for every device you want to manage (they do not expire).

ASA Control License

System > Licences > Classic Licenses > You need to take a note of the ‘Licence Key’, (which is the MAC address of the appliance with a 66 in front of it). This is the serial number you need to enter on the Cisco licensing portal.

FirePOWER Install Licences

When you get the licence back, if you open it in a text editor it will look like this (it’s essentially a digital certificate). Copy everything from ‘— BEGIN‘ to ‘License —‘.

Protect and Control License

Paste in the text > Submit License.

Install FirePOWER Licenses

Repeat for each licence (IDS, AMP, URL Filtering, etc.)

Successfully Installed FirePOWER

You will also need to allocate the licenses to devices. Devices > Device Management > Select the device in question > Edit.

Allocate FirePOWER License

Device > License Section > Edit > Allocate accordingly.

Allocate SFR Control License

Configuring FirePOWER Intrusion Policy

To use an intrusion policy the devices each need a ‘Protection‘ licence. Note: You get a protection licence now automatically when you add a CONTROL licence, but you still need to pay a subscription to legally obtain the updates.

Policies > Intrusion > Create Policy.

IDS IPS Config

Give the policy a recognisable name > Create and Edit policy.

FirePOWER Intrusion Policy

The policy it creates is based on the ‘Balanced Security and Connectivity’ template. You might want to add a few extra rules > Rules > Blacklist > Select All.

Intrusion Blacklist FMC

Rule State > Drop and Generate Events.

IPC Configuration Cisco

Repeat for ‘Malware’. Note: This does NOT require an AMP licence.

FirePOWER Malware IDS

Repeat for PUA (Potentially Unwanted Applications).

PUA Cisco FirePOWER

Repeat for ‘Indicator Compromise‘.

IPS compromise Cisco

Repeat for ‘Exploit Kit‘.

FirePOWER Exploit Kit

Search for ‘1201’ and locate the ‘INDICATOR-COMPROMISE 403 Forbidden’ rule and DISABLE IT.

FirePOWER 304 Forbidden

Policy Information > Commit Changes > OK.

Save FirePOWER IPS Policy

Note: To be used, the Intrusion policy needs to be declared in an Access control policy (or set as a Default Action).

Apply IDS FMC

Also in the Access Policy set the logging to ‘Log at the end of connection‘.

FirePOWER Logging

As mentioned above you can also set it as the ‘Default Action‘.

Default IDS Policy

Configuring FirePOWER AMP and File Policy

You need an AMP (subscription based) licence to enable the ‘Malware Cloud Lookup’ or ‘Block Malware’ actions, but you can have a file policy and block specific file types.

Policies > Access Control > Malware and File > New File Policy.

FirePOWER AMP Policy

Give the policy a name you will remember > Save.

AMP File Policy Cisco

Action = Malware Cloud lookup > Add in the files you want to scan > Below I’ve set it to store unknown files > Save.

AMP Cloud Lookup

Then create another rule below that one, which detects all files.

Detect AMP FirePOWER

As above, the file policy won’t be applied to anything unless you specify it in an access policy.

Apply AMP Policy

In the rule also set the logging to ‘log at the end of connection’.

AMP Logging FirePOWER

 

Configuring FirePOWER URL Filtering Policy

You need to have a URL filtering licence allocated to the devices you want to use this policy on.

Unlike File policies and Intrusion policies, URL filtering is configured directly on your Access Control policy > Add Rule.

FirePOWER URL Filtering Rule

Here’s an example of blocking some categories you don’t want viewable in your organisation.

URL Filtering Policy

In a rule that only has URL filtering, set the logging to ‘Log at the beginning of the connection‘.

URL Logging Cisco FMC

 

When done, don’t forget to ‘Deploy‘ the new policy to your managed devices. Deploy > Select Devices > Deploy.

Related Articles, References, Credits, or External Links

NA

Microsoft Office for Mac – Favorites Missing


KB ID 0001264 Dtd 19/12/16

Problem

Whenever Office needs updating on my Mac I just hit OK and let it do its own thing. I did that this morning, and went and got a coffee. It was a while later that I noticed that when I needed to add an attachment to an email I got this;

00001

Now that might look fine, but in the left hand pane ‘Favourites’ is missing, it should look like this;

00002

If I opened launcher it was fine, it was only from Microsoft Office applications that I had a problem, e.g. If I opened Word and tried to open a document, it was also broken. For me this is a headache, to get to my ‘working’ folder I need to click down though about 10 layers of folders, which is OK once or twice, but VERY ANNOYING to do repeatedly all day!

Solution

On your Mac, look in your home directory for the Library folder, (it’s hidden by default, so either enable viewing of hidden files, or hold the Alt key). Inside that folder there is another folder called Preferences, and in there a file called com.apple.finder.plist. Take a copy of this file, then delete it. At this point I restarted my Mac and everything was fixed.

00003

Related Articles, References, Credits, or External Links

NA


Upgrade vSphere vCenter Appliance to Version 6.5


KB ID 0001265 Dtd 20/12/16

Problem

Here I'm upgrading from version 6.0 to 6.5, the process creates a new vCenter appliance, then migrates all your settings into it, finally it then shuts down the old appliance and brings up the new one.

vCenter 6.5 Upgrade Paths

From Version    To Version 6.5
6.0.0 U2        Yes
6.0.0 U1        Yes
6.0.0           Yes
5.5 U3          Yes
5.5 U2          Yes
5.5 U1          Yes
5.5             Yes
5.1 U3          No
5.1 U2          No
5.1 U1          No
5.1             No
5.0 U3          No
5.0 U2          No
5.0 U1          No
5               No
4.1 U2          No
4.1 U1          No
4.1             No
4.0 U4          No
4.0 U3          No
4.0 U2          No
4.0 U1          No
4               No

ESX (Host) Versions Supported by vCenter 6.5

  • VMware vSphere Hypervisor (ESXi) 6.5.0
  • VMware vSphere Hypervisor (ESXi) 6.0.0 U2
  • VMware vSphere Hypervisor (ESXi) 6.0.0 U1
  • VMware vSphere Hypervisor (ESXi) 6.0.0
  • VMware vSphere Hypervisor (ESXi) 5.5 U3
  • VMware vSphere Hypervisor (ESXi) 5.5 U2
  • VMware vSphere Hypervisor (ESXi) 5.5 U1
  • VMware vSphere Hypervisor (ESXi) 5.5

Note: If you are on vSphere 4 (or earlier), you need to upgrade to version 5.5 first;

Upgrade vSphere 4 Environment to vSphere 5

Solution

Before Starting: Backup or snapshot your existing vCenter appliance.

Download the ISO file for the vCenter Appliance from VMware, and mount it on a machine that has network connectivity to the vCenter Appliance, and the ESX host that it is hosted on. Then navigate to;

{Drive-Letter}:\vcsa-ui-installer\win32

And run the installer.exe file.

Update vCenter to 6.5

Upgrade.

0002-update-vcenter-65

Next.

Deploy vCenter Appliance

Agree > Next.

vCenter EULA

Put in the details for your existing vCenter Appliance, and the ESX host it is mounted on > Next.

vCenter Details

Note: You can get those details from either the VI client, or the web client;

vcenter host details

Accept the certificate warning, (if you have installed trusted certificates, as per the following article, you won't see this message) > Yes.

vSphere 6 vCenter Appliance – Replacing Certificates

vCenter Certificate warning

Enter the details for the NEW ESX Server, this can obviously be the same as the source one, I'm just moving it to the newer of my two hosts > Next.

ESX Target Host

You may then get a certificate warning from the ESX box that vCenter is to be hosted on. (If you have installed trusted certificates, as per the following article, you won't see this message) > Yes.

VMware ESXi6 – Replacing the Default Certificates

ESX Certificate Error

Enter the VM name for the new vCenter appliance. (Note: That's VM name NOT hostname, it will get that, (post migration), from the source vCenter appliance) > Next.

WARNING: This password has to be complex, and WON'T get overwritten by the migration process. My root password was not complex enough, so post migration I had to go back into the appliance and change the password back. So take a note of the password you use.

vCenter Root Password

Select your deployment sizes, (as shown in the examples) > Next.

vCenter Appliance Size

Select a datastore for the appliance to live on > Next.

vCenter Appliance Storage

Supply some IP details for the new appliance to use, (until the settings are migrated from your old one) > Next.

vCenter IP Settings

Read the summary > Finish.

vCenter Confirm Settings

The new appliance will be created and powered on, (this can take a while), when complete > Continue.

vCenter Upgrade Part One

Commence stage 2, (migrate your settings into the new appliance) > Next.

vCenter Upgrade Part Two

The server details will be 'Pre Populated' from stage one > Next  > You may receive a warning about DRS, either disable DRS on the cluster or (as suggested) ensure it's NOT set to fully automated > OK > Configuration  > Next.

vCenter Appliance Migration

I personally always untick the CEIP > Next.

VMware Improvement Program

Tick to confirm you have backed up vCenter > Finish.

Migrate vCenter Appliance to Version 6.5

OK.

vCenter appliance migration

Time for a coffee again, from this point forward everything is automated > when complete > Close.

Complete vCenter Part 2 Migration

You can now manage the new vCenter with the (much improved) HTML5 management portal.

VMware HTML5 Admin

Related Articles, References, Credits, or External Links

VMware Upgrading the vSphere Virtual Center Appliance

Move AD Group Members to an OU


KB ID 0001266 Dtd 23/12/16

Problem

I got asked to do this at work this week, PLEASE BE AWARE, moving users about within AD may drastically change the way your 'User Group Policies' are being applied. So do some Group Policy Modelling beforehand, to avoid any problems.

Move Group Member to an OU

Solution

In the example above, I've got ten users in a security group called 'Source-Group'. For simplicity, they are all in the same source OU as well, (but they don't have to be). I want to move the users within the Source-Group to the OU Called Target-OU.

Open an administrative PowerShell Window.

(Note: I'm on a domain controller, you might want to load the AD module first with 'Import-Module ActiveDirectory')

Then execute the following command;

Get-ADGroupMember Source-Group -Recursive | Move-ADObject -TargetPath "OU=Target-OU,OU=PNL,DC=pnl,DC=com"

Moved Users In AD

Related Articles, References, Credits, or External Links

NA

Windows 10 Create a WMI Filter for Group Policy


KB ID 0001267 Dtd 04/01/17

Problem

I was messing around with some GPOs for a client today to replace ‘Edge’ as the default browser, (with IE11). To make the whole process more efficient, I wanted to use a WMI filter to apply the policy only to Windows 10 machines. This used to be simple enough: you just set the Windows version in a WMI query. But because it searches for a string e.g. 6.1 (for Windows 8.1), that’s great, and Windows 10 is version 10, so that should be simple, yes? Well no, because it’s a string WMI sees the 1 at the beginning, and thinks it’s lower than 6.1 ‘duh’. You can get around this with a small modification to the search string.

Solution

In the Group Policy Management Console > Forest  > Domains > {domain-name} > WMI Objects > New > Call it Windows 10  >  Set the parameters as below;

Windows 10 WMI Filter for GPO

Namespace: root\CIMv2

Query: select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1"

Note: If you don’t set the ProductType, it will apply to Server 2016 as well.
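To see the string-comparison trap described above, and what the LIKE "10.%" / ProductType="1" query actually selects (including why the ProductType clause is needed to keep Server 2016 out), here is an added example that is not part of the original article. It evaluates the WQL pattern over a constructed Win32_OperatingSystem inventory; the row data, the function names and the small LIKE-to-regex translation are my own assumptions, not anything from WMI or the GPMC.

```python
"""Added example (not from the article): why comparing the WMI Version string
mis-sorts Windows 10, and what the LIKE/ProductType filter selects."""
import re

# Constructed Win32_OperatingSystem rows: (Caption, Version, ProductType).
# ProductType 1 = workstation, 2 = domain controller, 3 = server.
SAMPLE_INVENTORY = [
    ("Windows 7 Professional", "6.1.7601", 1),
    ("Windows 8.1 Pro", "6.3.9600", 1),
    ("Windows 10 Enterprise", "10.0.14393", 1),
    ("Windows Server 2012 R2", "6.3.9600", 3),
    ("Windows Server 2016", "10.0.14393", 3),
    ("Windows Server 2016 (DC)", "10.0.14393", 2),
]


def string_version_at_least(version, minimum):
    """The trap the article describes: Version is compared as text, so
    '10.0.14393' sorts before '6.1' because the character '1' < '6'."""
    return version >= minimum


def numeric_version_at_least(version, minimum):
    """What people expect: compare the dotted fields as integers."""
    def as_tuple(v):
        return tuple(int(part) for part in v.split("."))
    return as_tuple(version) >= as_tuple(minimum)


def wql_like(pattern):
    """Compile a WQL LIKE pattern: '%' matches any run, '_' one character."""
    regex = "".join(".*" if ch == "%" else "." if ch == "_" else re.escape(ch)
                    for ch in pattern)
    return re.compile(f"^{regex}$")


def wmi_filter(rows, version_like, product_type=None):
    """Evaluate 'Version LIKE <pattern> [AND ProductType=<n>]' over the rows
    and return the captions that the GPO would apply to."""
    like = wql_like(version_like)
    return [caption for caption, version, ptype in rows
            if like.match(version)
            and (product_type is None or ptype == product_type)]


if __name__ == "__main__":
    print("string  10.0.14393 >= 6.1 :", string_version_at_least("10.0.14393", "6.1"))
    print("numeric 10.0.14393 >= 6.1 :", numeric_version_at_least("10.0.14393", "6.1"))
    print("LIKE 10.% only          :", wmi_filter(SAMPLE_INVENTORY, "10.%"))
    print("LIKE 10.% AND type 1    :", wmi_filter(SAMPLE_INVENTORY, "10.%", 1))
```

Without the ProductType clause the same pattern also matches the Server 2016 rows, which is exactly the note above; with it, only the Windows 10 workstation is returned.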

When you click Save don’t worry if you get an error;

Either the namespace entered is not a valid namespace on the local computer or you do not have access to this namespace on this computer. It is possible this is a valid namespace on the remote computer(s). If you wish to use this namespace, press OK. Press cancel to choose another namespace.

Namespace is not valid

I ignored the error above, and it worked fine.

You can now change the policy that you want only to apply to Windows 10, and apply the WMI filter.

Windows 10 WMI Filter for Group Policy

How to See If it will work: From within the GPMC console, you can run a group policy results session, to make sure the WMI filter applies as expected.

Test Windows 10 WMI Filter

Related Articles, References, Credits, or External Links

NA

macOS – Editing the Hosts File


KB ID 0001268 Dtd 07/01/17

Another guest post from Daniel Newton

Problem

I’ve had Windows for years; I knew the OS inside out. Recently, I switched to Mac. But I wondered how to edit the hosts file for my VPN connections and my servers. After some research, I found out how to do it and thought I would document it on PeteNetLive! 🙂

Solution

Open a terminal session and type in the following command;

sudo nano /etc/hosts

Sudo Nano

Note: I’m using nano for this but you can use vi to edit the document (sudo vi /etc/hosts).

You’ll be prompted to enter your password.

Nano Hosts

Then you will get this screen;

003-edit-hosts-mac-osx

Type in an entry for example (Note: This is not my IP or my company’s IP!);

004-host-file-mac

To Save, Press Control and O and Enter.

005-osx-add-host-to-hosts-file

To Exit, press Control and X.
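nano will happily save a hosts file with a mistyped address or the same name mapped twice (the resolver takes the first matching line and silently ignores the later one). As an added example, not part of the guest post, the following parses a constructed copy of a macOS hosts file and reports those problems before you commit the edit; the sample entries use TEST-NET-1 addresses and made-up names, and the function names are my own.

```python
"""Added example (not from the guest post): validate /etc/hosts entries."""
import ipaddress

# Constructed hosts file in the macOS default layout, plus three added lines.
SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
192.0.2.10      vpn.example.internal   # constructed entry (TEST-NET-1 address)
192.0.2.300     files.example.internal
192.0.2.11      vpn.example.internal
"""


def parse_hosts(text):
    """Return (entries, problems): entries as (lineno, ip, [names]),
    problems as (lineno, message)."""
    entries, problems, seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            problems.append((lineno, "no hostname after the address"))
            continue
        ip, names = fields[0], fields[1:]
        try:
            family = ipaddress.ip_address(ip).version
        except ValueError:
            problems.append((lineno, f"invalid address {ip}"))
            continue
        for name in names:
            key = (name.lower(), family)   # one name may map to both v4 and v6
            if key in seen:
                problems.append((lineno, f"{name} already mapped on line {seen[key]}"))
            else:
                seen[key] = lineno
        entries.append((lineno, ip, names))
    return entries, problems


def lookup(entries, name):
    """Resolve `name` the way the resolver does: the first matching line wins."""
    for _, ip, names in entries:
        if name.lower() in (n.lower() for n in names):
            return ip
    return None


if __name__ == "__main__":
    found, issues = parse_hosts(SAMPLE_HOSTS)
    for lineno, message in issues:
        print(f"line {lineno}: {message}")
    print("vpn.example.internal ->", lookup(found, "vpn.example.internal"))
```

Run it against the real file with `parse_hosts(open("/etc/hosts").read())` after saving in nano; the duplicate check is the one that catches the case where an old VPN entry quietly wins over the one you just added.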

 

Related Articles, References, Credits, or External Links

NA

Managing IE Settings via GPO


KB ID 0001269 Dtd 07/01/17

Problem

There used to be a GPO called "Internet Explorer Maintenance" in which you could set your Internet Explorer settings, i.e. proxy server settings, home pages etc.

This has now gone, and has been replaced with a group policy preference.

 

Solution

From the Group Policy Management Console > Locate the OU containing the USERS  you want to link the policy to and create a new policy, then give it a sensible name.

Create IE Settings GPO

Edit the policy.

Edit IE Settings GPO

Navigate to;

User Configuration > Preferences > Control Panel Settings > Internet Settings

Select > New > "Internet Explorer {version}".

Note: Internet Explorer 10 settings, will also apply to Internet Explorer 11.

Proxy Settings via Group Policy

This takes a little bit of getting used to, things underlined in GREEN will be enforced with the policy, things underlined in RED will not be enforced. For each change you make you need to press F5 to make it 'go green', (or F6 makes all settings on the current TAB go green).

Manage IE Proxy Settings via GPO

Connections > LAN Settings > Enable 'Use a proxy server...'  > Put in the proxy IP/Name and port number > Tick bypass proxy server for local addresses > If you need to add proxy exemptions you can go to advanced settings.

Ensure all settings are underlined green before you exit.

Manage IE settings via GPO

Manage IE Home Page(s) Settings via GPO

General Tab > Home Page > Add each new page as a new line.

Note: I like to open Tabs and set each new tab to open the first home page as well.

Again ensure all settings are underlined green before you exit.

Manage IE Home Pages via Group Policy

Apply > OK > You will see there is now a configuration entry > Close and exit the policy editor.

Manage Browser settings via GPO

You can then force a policy update on the OU you have deployed the policy to. Or run gpupdate /force on a test client.

Force Group Policy From Server

Related Articles, References, Credits, or External Links

Defining / Locking and Managing Proxy Settings
