All posts by admin

Replacing my Cisco Firewall with PFSENSE!

I have been getting a little bothered by Cisco lately. For starters, we have been having all sorts of issues with hardware failure at one of my clients. And even though we have an HA arrangement with the ASA 5545x firewalls, connections are dropped and the fail-over is far from seamless. I have also had quite a bit of trouble with my aging PIX 506E, which serves as a simple firewall with VPN for remote management. Everything works, but I cannot access certain internal hosts over the VPN, and newly added NAT rules do not work.

So this week I replaced the firewall with pfSense on commodity hardware I had decommissioned earlier this year. (http://www.supermicro.com/products/system/1U/5015/SYS-5015M-MF_.cfm)

 

The goal was to deploy the firewall with two interfaces and add an IPsec VPN for remote management. I had some issues, but they were resolved to my satisfaction. I am posting this to help others who decide to move away from Cisco, whatever the reason.

First, download the appropriate ISO to install your firewall software on the computer of your choice.

http://www.pfsense.org/mirror.php?section=downloads

Next, burn the ISO to a DVD (I used ImgBurn: http://www.imgburn.com/).

 

Find a computer with two network interface cards (or buy one of the approved devices here: http://store.netgate.com/Netgate-FW-7541-P1846C83.aspx).

Boot the computer off the DVD and proceed with the installation. (I used the live CD and chose the install-locally option.)

 

During the install, choose which network interface will be your LAN and which will be your WAN. You can also set up VLANs at this time, or do that later.

The install and configuration is similar to many firewalls I have used. I didn't use any guide or walkthrough when installing, and if you have installed a SonicWall, NetScreen/Juniper or ASA firewall you won't need much, if any, help. It is really easy and self-explanatory.

 

I used the following post to configure the VPN settings on the firewall and in the client software (Shrew Soft VPN Client: https://www.shrew.net/download/vpn):

https://doc.pfsense.org/index.php/IPsec_for_road_warriors_in_PfSense_2.0.1_with_PSK_in_stead_of_xauth

 

In the end it connected right away, but I was unable to get to any hosts on the far side. After turning on IPsec debugging on the firewall and running the trace tool from Shrew Soft, I still could not find any way to get traffic to flow across the VPN, until I looked at the firewall logs: by default, the firewall does not allow anything in on the IPsec interface. I fixed that by adding a rule allowing all traffic coming from the IPsec interface to reach the LAN subnet on all protocols. This solved the issue, and it is working well. We have tested multiple connections to this VPN and it works well.

 

Next I will be configuring log aggregation and load balancing. Someday I may even roll this into production environments. I really like the simplicity and the fact that several features can be combined on one appliance: firewall, load balancer, traffic shaper, etc.

DIY flexible cable ties (CHEAP)


I bought some reusable wire ties from Micro Center (GearTie was the brand I bought: http://www.ebay.com/itm/GEARTIE-REUSABLE-rubber-twist-tie-/131065447831?pt=LH_DefaultDomain_0&hash=item1e841c0597) and cleaned up my cabling quite a bit. In retrospect, they were not very cheap, and I was thinking there had to be a better alternative. Today on Lifehacker I ran across a DIY showing how to make your own reusable wire ties, and I thought I would share.

 

http://www.instructables.com/id/DIY-flexible-tie-ties-CHEAP/

 

Here is what I bought from eBay to make my own:

550 7 Strand Type III Mil-Spec Survival Paracord – 10′, 25′, 50′, 100′      200 colors and counting MADE IN USA Free Fast Shipping!

http://www.ebay.com/itm/380453634026

I chose the Acid Purple.

40 Feet of Aluminum Ground Wire NIP Radio Shack #15-035

http://www.ebay.com/itm/40-Feet-of-Aluminum-Ground-Wire-NIP-Radio-Shack-15-035-/131056955876?pt=LH_DefaultDomain_0&hash=item1e839a71e4


Here is what it should look like when completed (mine will be purple, though).

I will post some pictures once I make mine. I went with the Acid Purple paracord, since I thought it was different; you can buy a large number of colors from that vendor. I will keep some of these in my toolbox, and some will get used in my entertainment center.

Feel free to comment on other inexpensive cable management solutions.

Another method of providing HA for microsoft print servers


Good evening. Microsoft used to have a supported method of providing HA for print servers. It utilized MS Cluster Services and provided a way to guard against an outage of the OS that would interrupt printing for your users. This had been around for some time and was completely abandoned with the release of Server 2012. Now they provide HA by using the hypervisor and a silly monitor that starts the server on another node.

I see two problems with this approach. Why is this any better than just using VMware and having a single print server? It also does not scale, which for large Citrix deployments IS a big issue.

I found that you can load balance print servers; if you already have a NetScaler or an F5 BIG-IP, this is fairly easy.

 

Here are the issues you will encounter:

 

1. Persistence is key (make sure to at least use source IP as the persistence method).

2. New security features in Windows will not allow the job to be processed if it was originally sent to another name (the CNAME or A record used to point to the VIP).

3. Drivers and naming conventions used across both servers must be kept in sync.

4. You will need to decide on your desired method of health check on the servers, to take them out of the loop when a spooler is stuck or a server is down.

5. Do not call Microsoft for help. They have stated this is officially not supported, which I do not care about. It works well and is better than the method they have released. I will not call them for support.

 

I will further document all my steps, screenshots and all the ins and outs as time permits.

 

Here is the dump of my settings for now:

Details of the registry settings to be applied at each node in the cluster (each print server)

Disable “strict name checking”

 

Locate and select the following key in the registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters

On the Edit menu, click Add Value, and then add the following registry value:
Value name: DisableStrictNameChecking
Data type: REG_DWORD
Radix: Decimal
Value: 1

Disable Loopback Check

1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. Right-click Lsa, point to New, and then click DWORD Value.
4. Type DisableLoopbackCheck, and then press ENTER.
5. Right-click DisableLoopbackCheck, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Quit Registry Editor, and then restart your computer.

Configure Optional Names (the DNS Name of the Virtual Server)

Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters,
then create the OptionalNames value; you can enter a list of names. (This should be the DNS name set up for the VIP.)
Restart the computer, and the server will then respond to any of the names you listed.

Add the following to the registry to work around DNSONWIRE in windows 2008 R2 SP1 (may 2012, TBD)

reg add HKLM\SYSTEM\CurrentControlSet\Control\Print /v DnsOnWire /t REG_DWORD /d 1

 

Add entries to the hosts file on each print server that map the name of the VIP to that server's own local IP address.

Edit the hosts file located in c:\windows\system32\drivers\etc

If you used an A record for your VIP, then add the NetBIOS name and the FQDN, each preceded by the IP of that server (hosts file entries are IP address first, then name):

10.100.10.59    stsprint

10.100.10.59    stsprint.fpfnet.local
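As an added example (not the post's own code), here is the same set of per-node settings applied with PowerShell instead of regedit. The VIP names and address are the post's sample values; the BackConnectionHostNames alternative is an addition that keeps the loopback check on for every name except the VIP's.

```powershell
# Added example, not from the original post: applies the per-node settings described
# above in one script. Run elevated on each print server, then reboot. The three
# values below are placeholders taken from the post; substitute your own.
param(
    [string]$VipName = 'stsprint',               # NetBIOS name pointing at the VIP
    [string]$VipFqdn = 'stsprint.fpfnet.local',  # FQDN pointing at the VIP
    [string]$LocalIp = '10.100.10.59'            # this node's own address
)

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$print  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print'

# 1. Accept SMB connections addressed to a name other than the machine's own.
Set-ItemProperty -Path $lanman -Name DisableStrictNameChecking -Type DWord -Value 1

# 2. Answer to the VIP's names (OptionalNames is REG_MULTI_SZ; takes effect after a restart).
Set-ItemProperty -Path $lanman -Name OptionalNames -Type MultiString -Value @($VipName, $VipFqdn)

# 3. Loopback check. The post switches it off globally with DisableLoopbackCheck.
#    The narrower setting from Microsoft KB 896861, BackConnectionHostNames, exempts
#    only the listed names; flip the flag below to reproduce the post's global setting.
$DisableLoopbackGlobally = $false
if ($DisableLoopbackGlobally) {
    Set-ItemProperty -Path $lsa -Name DisableLoopbackCheck -Type DWord -Value 1
} else {
    Set-ItemProperty -Path "$lsa\MSV1_0" -Name BackConnectionHostNames -Type MultiString -Value @($VipName, $VipFqdn)
}

# 4. DnsOnWire workaround for Windows 2008 R2 SP1 (the reg add command from the post).
if (-not (Test-Path $print)) { New-Item -Path $print | Out-Null }
Set-ItemProperty -Path $print -Name DnsOnWire -Type DWord -Value 1

# 5. Hosts file: on this node the VIP's names resolve to the node itself rather than
#    to the load balancer. Entries are IP first, then name; skip ones already present.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$existing = Get-Content -Path $hosts
foreach ($name in @($VipName, $VipFqdn)) {
    $pattern = '^\s*\S+\s+' + [regex]::Escape($name) + '(\s|$)'
    if (-not ($existing -match $pattern)) {
        Add-Content -Path $hosts -Value ('{0,-20} {1}' -f $LocalIp, $name)
    }
}

# Show what was written so it can be checked before the reboot.
Get-ItemProperty -Path $lanman | Select-Object DisableStrictNameChecking, OptionalNames
Get-Content -Path $hosts | Select-String -Pattern ([regex]::Escape($VipName))
```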

 

Reference this document for an example using a CNAME: http://support.microsoft.com/kb/2546625

Here are some references I found, with sometimes conflicting info, but they were helpful:

 

https://devcentral.f5.com/questions/load-balancing-print-server

https://devcentral.f5.com/questions/ms-print-servers

https://devcentral.f5.com/questions/irule-to-modify-the-client-ip-to-virtual-server-ip#30522

http://forums.citrix.com/thread.jspa?threadID=295586

http://support.microsoft.com/kb/2546625

http://support.microsoft.com/kb/979602

 

Anyway, I am done for tonight. It is working with a basic health check, and I will continue tomorrow.

If you have any questions, please feel free to ask.

 

Michael

 

Quick update to this post: this is now in production and working well. We used the PrintBRM tool to synchronize the print queues on the servers, which is working quite nicely (http://ss64.com/nt/printbrm.html).

I would still like to use a better health check method on the NetScaler to ensure the spooler is functional; however, what we have in place now works well.

 

How to disable Internet Explorer Compatibility mode for Intranet Zone

IE compatibility mode causes some weird behavior for some websites, and I had a recent request to disable this feature for our Citrix users. We use RES Workspace Manager to control the user experience, so the request was to make this possible without creating a GPO and to have it apply only to a specific group. In the end the change was quite simple; the following HKEY_CURRENT_USER settings control this behavior:

HKCU\Software\Microsoft\Internet Explorer\BrowserEmulation\AllSitesCompatibilityMode (REG_DWORD) = 0
HKCU\Software\Microsoft\Internet Explorer\BrowserEmulation\IntranetCompatibilityMode (REG_DWORD) = 0

 

You can use the AllSitesCompatibilityMode entry to disable compatibility mode for all sites, or the IntranetCompatibilityMode entry to disable compatibility mode only for sites in the Intranet zone.

How to grant permissions for mssqlserver when copying database to SQL server 2012

Ran across this fun issue today: we had to migrate a database to a new server as part of a deployment, and when we tried to attach the database we received a permissions error. After checking permissions on the source, the permission that was missing was MSSQLSERVER – Full Control.

The actual account is called: NT SERVICE\MSSQLSERVER

This is not a standard account. It does indeed have a SID, but you cannot add it in the normal way. The account listed is a service account, and we found the answer here:

 

http://social.msdn.microsoft.com/Forums/sqlserver/en-US/9e6bb2de-8fd0-45de-ab02-d59bbe05f72e/servicedatabase-accounts-nt-servicemssqlserver-nt-servicesqlserveragent-what-are-they-for?forum=sqlsecurity

 

Here is the solution we found helpful:

Described in the very complicated Books Online topic Configure Windows Service Account and Permissions http://technet.microsoft.com/en-us/library/ms143504(v=sql.110).aspx in the section Windows Privileges and Rights. The per service SID should be assigned the access permission on the file location, in your case somewhere on the D drive. To grant that permission, right-click the file system folder, and then click Properties. On the Security tab, click Edit and then Add. Now you are in the Select Users, Computer, Service Account, or Groups dialog box. Click Locations, and then at the very top of the location list, select your computer name, and then click OK. Now in the Enter the object names to select box, provide the name of the per service SID listed on that Books Online topic. For the Database Engine per service SID, use  NT SERVICE\MSSQLSERVER for a default instance, or  NT SERVICE\MSSQL$InstanceName for a named instance. Click Check Names, it will tell you name not found, then click OK, and it will pop up a Multiple Names Found dialog box. (At least it does on my computer.) Now select MSSQLSERVER and click OK a couple of times to back up. Eventually you get back to the spot where you can allow full control to the per service SID. Repeat for the SQL Server Agent account if you need to.

In addition, we set the owner of the files to this service account as well.

I guess we could have just done a backup and restore, or used the Copy Database Wizard, but this should still be an option where the downtime from stopping the services is not an issue.
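As an added example, not from the post or the quoted forum answer, this PowerShell function does the same thing from the command line: it grants the per-service SID full control of a folder and makes it the owner, for either a default or a named instance. The folder D:\SQLData and the instance name are placeholders.

```powershell
# Added example (not the post's own code). Run elevated on the SQL Server host.
function Grant-SqlServiceSidAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$InstanceName = '',   # '' for the default instance
        [switch]$IncludeAgent         # also grant the SQL Server Agent SID
    )
    # Per-service SID names as given in the Books Online topic quoted above.
    if ($InstanceName -eq '') {
        $engine = 'NT SERVICE\MSSQLSERVER'
        $agent  = 'NT SERVICE\SQLSERVERAGENT'
    } else {
        $engine = 'NT SERVICE\MSSQL$' + $InstanceName
        $agent  = 'NT SERVICE\SQLAgent$' + $InstanceName
    }
    $accounts = @($engine)
    if ($IncludeAgent) { $accounts += $agent }

    foreach ($acct in $accounts) {
        # A virtual service account only resolves on the host where that service is
        # installed, which is why the GUI needs the local computer selected under Locations.
        try {
            $null = (New-Object System.Security.Principal.NTAccount($acct)).Translate(
                        [System.Security.Principal.SecurityIdentifier])
        } catch {
            throw "Cannot resolve $acct on this host; is the instance installed here?"
        }
        # Full control, inherited by subfolders (CI) and files (OI).
        & icacls.exe $Path /grant "$($acct):(OI)(CI)F" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed for $acct" }
    }
    # Owner, as the post does; the Database Engine SID becomes the owner.
    & icacls.exe $Path /setowner $engine | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /setowner failed for $engine" }

    # Return the resulting ACEs so the caller can verify them.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference -like 'NT SERVICE\*' } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Default instance; use -InstanceName 'SQL2012' for NT SERVICE\MSSQL$SQL2012.
Grant-SqlServiceSidAccess -Path 'D:\SQLData' -IncludeAgent
```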

Inexpensive temp monitoring for data closets or small server rooms

A colleague introduced me to this product today, the WatchDog 15: a small, self-contained monitoring solution for small server rooms and data closets.

http://www.itwatchdogs.com/DataSheets/WatchDog15%28P%29_Datasheet_%2820120822%29.pdf

 


I have not used these, but I thought I would share. I may pick one up for a customer who has a large number of IDF closets around and no managed APC unit to add a temperature-monitoring dongle to.

Low on disk space on Windows 2008 R2 SP1? cleanup some space with the DISM tool.

I have had this issue from time to time, mostly when running SSD drives on Hyper-V hosts with limited storage (e.g. 146GB or so).

Running this command frees up something like 4GB or more, so it can be a lifesaver when you are running too lean. The real fix is larger OS partitions; we have started using 100GB as the standard instead of smaller drives, and that has helped. However, you still need to keep things clean. This command removes unneeded files from the hard drive and has no side effects: the files removed are for architectures you do not have and service pack files that were superseded by other patches.

Problem statement:

Your server is critically low on space on the C: drive. This happened sometime after installing SP1 on your server. (This also can happen on Windows 7 SP1)

 

Solution:

Run the Cleanup tool from an administrator elevated command prompt

dism /online /cleanup-image /spsuperseded

 

Before running the cleanup tool: (screenshot of free space before)

While running the tool: (screenshot of the command running)

Free space after running the tool: (screenshot of free space after)

More information on this command:

http://blogs.technet.com/b/joscon/archive/2011/02/15/how-to-reclaim-space-after-applying-service-pack-1.aspx

Valve Announces Steam Machine!

Have questions? Here are some answers:

 

Questions!

When can I buy one?!
Beginning in 2014, there will be multiple SteamOS machines to choose from, made by different manufacturers.
I’m pretty happy with my PC Gaming setup, do I have to buy a new piece of hardware now?
No. Everything that we’ve been doing on Steam for the last 10 years will continue to move forward.
If you guys are delivering an OS to hardware manufacturers, why is Valve also making its own box?
We’re conducting a beta of the overall Steam living-room experience, so we needed to build prototype hardware on which to run tests. At Valve we always rely on real-world testing as part of our design process. The specific machine we’re testing is designed for users who want the most control possible over their hardware. Other boxes will optimize for size, price, quietness, or other factors.
How will you choose the 300 beta participants?
A small number of users (30 or less) will be chosen based on their past community contributions and beta participation. The remainder will be chosen at random from the eligible pool.
Should I create lots of Steam accounts to increase my chances of getting selected?
No, that won’t work.
What are the specs of the Valve prototype?
We’ll tell you more about it soon. Remember, there will ultimately be several boxes to choose from, with an array of specifications, price, and performance.
Where’s a picture of it? How big is it?
We promise we’ll tell you more about it soon.
When will the prototypes ship?
This year.
Will beta testers be allowed to share info about their experience and post pictures and opinions online?
Yes, that really is the whole point. The input from testers should come in many forms: bug reports, forum posts, concept art, 3D prints, haikus, and also very publicly stated opinions.
Will I be able to build my own box to run SteamOS?
Yes.
Can I hack this box? Run another OS? Change the hardware? Install my own software? Use it to build a robot?
Sure.
Can I download the OS to try it out?
You will be able to download it (including the source code, if you’re into that) but not yet.
If I’m not in the beta, how can I help and contribute feedback?
The Steam Universe Group is where feedback is being collected. Most areas of the group will remain open for participation by all Steam users. Some may be limited to beta participants only, but there will be plenty of ways to contribute feedback for everyone.
What games will be available during the beta?
The nearly 3,000 games on Steam. Hundreds already running natively on the SteamOS, with more to come. The rest will work seamlessly via in-home streaming.
What is SteamOS? What’s included?
Here’s a link to what we said earlier about SteamOS. We’ll have more details to tell you, soon.
Am I going to be using a mouse and a keyboard in the living-room?
If you want. But Steam and SteamOS work well with gamepads, too. Stay tuned, though – we have some more to say very soon on the topic of input.