Windows Server 2012 R2 server hardening and best practices

July 30th, 2017

You can search for Windows Server hardening until you're blue in the face and find a little bit here and there. The sum of those parts is still less than the whole of this article. I'm going to provide you with my own personal hardening guidelines, as well as the PowerShell code/GPO settings to easily implement them. In addition, I'm going to throw in some best practices. That said, every environment is different… so do your own testing and research, but feel free to use this as your baseline.

Powershell

Set TcpTimedWaitDelay to 30 seconds (the minimum Windows accepts) to avoid running out of ephemeral ports on busy servers. This is a performance tweak rather than a security one.

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -name TcpTimedWaitDelay -propertytype dword -value 30 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -name TcpTimedWaitDelay -value 30 -errorAction SilentlyContinue | Out-Null

Set Priority Separation to background services (24 = 0x18, the "Background services" radio button in System Properties)

Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\PriorityControl' -name Win32PrioritySeparation -value 24 -errorAction SilentlyContinue | Out-Null

Disable NIC power management. PnPCapabilities = 24 (0x18) clears "Allow the computer to turn off this device to save power" and the wake-on-LAN boxes on the adapter's Power Management tab. The original script wrote the value into instance subkeys 0000 through 0020 of the network adapter class GUID, creating any that were missing; the loop below does exactly the same thing. A tidier version would enumerate the instance keys that actually exist (Get-ChildItem on the class key) instead of creating 21 of them blindly, and the value only takes effect after the adapter is restarted.

$nicClass = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'
foreach ($i in 0..20) {
    $key = Join-Path $nicClass ('{0:D4}' -f $i)
    New-Item -Path $key -ErrorAction SilentlyContinue | Out-Null
    New-ItemProperty -Path $key -Name PnPCapabilities -PropertyType DWord -Value 24 -ErrorAction SilentlyContinue | Out-Null
    Set-ItemProperty -Path $key -Name PnPCapabilities -Value 24 -ErrorAction SilentlyContinue | Out-Null
}

Turn UAC off, since it gets in the way on a server that is mostly administered remotely and adds less than Microsoft sold us on. Caveat: EnableLUA = 0 also disables Admin Approval Mode, so every process started by a member of Administrators runs with the full high-integrity token, and both the CIS benchmark and Microsoft's security baseline for 2012 R2 require UAC to stay on. Treat this as a convenience choice, not a hardening step, and leave it out on servers where admins log on interactively.

Set-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -name ConsentPromptBehaviorAdmin -value 0 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -name EnableLUA -value 0 -errorAction SilentlyContinue | Out-Null

Set DEP to Opt-In. Note that OptIn only protects Windows system binaries and programs that explicitly opt in; the server default is OptOut (everything except an exclusion list), so this line actually narrows DEP coverage. Keep OptOut unless a specific application needs this, and use AlwaysOn where you have tested that nothing needs an exception.

bcdedit /set nx OptIn | Out-Null

Configure WinRM. quickconfig starts the service, creates an HTTP listener on TCP 5985 and adds a firewall exception for it; scope that rule to your management network afterwards rather than leaving it open to everything.

winrm quickconfig -quiet | Out-Null

Enable Windows Firewall

netsh advfirewall set allprofiles state on | Out-Null

Disable Server Manager from running at login

schtasks /change /disable /tn "\Microsoft\Windows\Server Manager\ServerManager" | Out-Null

Disable IE (make sure you have Chrome installed… or don’t use web browsing at all on the server and use a central software repo)

dism /online /disable-feature /featurename:Internet-Explorer-Optional-amd64 | Out-Null

Disable SMBv1. If you have any vendors at all still using SMBv1, open up a support ticket every day until they fix it. The first two lines stop the SMB1 client driver (mrxsmb10) and drop it from the workstation service's dependency list, the third turns off the server side. On Server 2012 R2 the feature itself is removed with Remove-WindowsFeature FS-SMB1 (the smb1protocol optional-feature name is the Windows 8.1/10 client spelling), and the removal needs a reboot to take effect.

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force | Out-Null
Remove-WindowsFeature FS-SMB1 | Out-Null

Rename the Administrator account. This is obscurity only: the built-in account keeps RID 500 and can be found by SID enumeration, so it still needs a strong, unique password (LAPS or a vault) and should be disabled where a named admin account can be used instead.

$admin = [adsi]"WinNT://./Administrator,user"
$admin.psbase.rename("therealadmin")

Configure NTP. Note that in PowerShell sc is an alias for Set-Content, so the service controller has to be called as sc.exe, and "> nul" is cmd.exe syntax (the original lines used both). domhier syncs from the domain hierarchy; on a standalone server use /syncfromflags:manual /manualpeerlist:<your NTP server> instead.

sc.exe config w32time start= auto | Out-Null
sc.exe start w32time | Out-Null
Start-Sleep -Seconds 5
w32tm /config /syncfromflags:domhier /update | Out-Null

Configure Windows to write a complete memory dump (DebugInfoType 1). A complete dump needs a page file on the system drive at least the size of physical RAM, so on large servers a kernel memory dump (DebugInfoType 2) is usually the practical choice.

wmic recoveros set DebugInfoType=1 | Out-Null

Group Policy

Disable last username (there are Python scripts out there that scrape usernames from RDP login screens using OCR). Yes, it's that easy for people to find usernames to brute-force on your network. We're also going to disable cached logons: the cached credentials (DCC2 hashes) can be dumped and cracked offline by anyone who gets SYSTEM on the box. Caveat: with 0 cached logons, a domain member cannot log on with domain accounts when no DC is reachable, so keep a local break-glass account with a managed password.

Computer>Policies>Windows Settings>Security Settings>Local Policies/Security Options>Interactive Logon

Interactive logon: Do not display last username: Enabled
Interactive logon: Number of previous logons to cache: 0

Enable SMB signing. Without it, an attacker who can capture or relay an SMB authentication on the wire can replay it against this server (NTLM relay) or tamper with the session; signing is what makes a relayed session fail.


Computer>Policies>Windows Settings>Security Settings>Local Policies/Security Options>Microsoft Network Client

Microsoft Network client: Digitally sign communication (if server agrees): enabled (switch the client to "(always)" as well once every SMB server this host talks to supports signing)

Computer>Policies>Windows Settings>Security Settings>Local Policies/Security Options>Microsoft Network Server

Microsoft Network server: Digitally sign communication (always): enabled
Microsoft Network server: Digitally sign communication (if client agrees): enabled

Full paranoia mode… let's clear that pagefile at shutdown. This only helps against someone reading the disk offline and can add noticeable time to every shutdown on a large page file, so weigh it against full-disk encryption.


Computer>Policies>Windows Settings>Security Settings>Local Policies/Security Options>Shutdown

Shutdown: Clear virtual memory pagefile: enabled

Disable WPAD. With it enabled, the WinHTTP auto-proxy client looks up "wpad" via DNS, LLMNR and NetBIOS and will authenticate to whoever answers, handing an attacker on the segment NetNTLM challenge-responses to crack offline (trivially if NTLMv1 is still permitted by LmCompatibilityLevel) or to relay.


Computer>Policies>Windows Settings>Security Settings>System Services

WinHTTP Web Proxy Auto-Discovery Service (Startup Mode: Disabled)

Turn off LLMNR, because poisoning is bad, mmmkay. NetBIOS name service (NBT-NS) is the other poisoning target; it is a per-adapter setting (or a DHCP option), not covered by this policy, so disable it separately.


Computer>Policies>Administrative Templates>Network/DNS Client

Turn off multicast name resolution: enabled

Turn off WDigest. With UseLogonCredential set to 1, LSASS keeps a reversible copy of every logged-on user's password in memory, which credential-dumping tools read straight out. The default on 2012 R2 is already 0 (after KB2871997), so setting it explicitly pins the value and lets you detect anyone flipping it back.


Computer>Preferences>Windows Settings>Registry

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
UseLogonCredential 0x0 (DWORD)

Enable NLA for Remote Desktop. There's zero reason NOT to do this: it requires CredSSP authentication before a session is created, which removes the pre-authentication attack surface of the RDP stack. It does not make RDP safe to expose to the internet.


Computer>Administrative Templates>Windows Components>Remote Desktop Services>Remote Desktop Session Host/Security

Require user authentication for remote connections by using Network Level Authentication: Enabled

Change the DNS registration TTL to 300 seconds (5 minutes) instead of the default. This applies to the A and PTR records the server registers for itself via dynamic DNS; if something happens and the IP changes, this minimizes the outage for clients.


Computer>Administrative Templates>Network>DNS Client

TTL value for A and PTR records: enabled, 300 seconds
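The settings above are easy to apply and easy to lose to a later GPO change or a vendor installer. The following read-only audit is an added example (not part of the original post) that checks the effective values on a Server 2012 R2 host; the registry locations are the ones the listed GPO settings write to, and the expected values for DEP (OptOut, the server default) and UAC (enabled) follow the CIS and Microsoft baselines rather than the script above. Run it from an elevated PowerShell; it changes nothing.

```powershell
# Added example, not from the original post: read-only audit of the hardening
# settings applied by the script and GPO above on Windows Server 2012 R2.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-HardeningBaseline {
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $checks = @(
        @{ Name = 'Do not display last user name'; Expected = 1
           Actual = Get-RegValue $pol 'DontDisplayLastUserName' },
        @{ Name = 'Cached logons count'; Expected = '0'   # stored as REG_SZ
           Actual = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'CachedLogonsCount' },
        @{ Name = 'SMB server signing required'; Expected = 1
           Actual = Get-RegValue "$svc\LanmanServer\Parameters" 'RequireSecuritySignature' },
        @{ Name = 'SMB client signing enabled'; Expected = 1
           Actual = Get-RegValue "$svc\LanmanWorkstation\Parameters" 'EnableSecuritySignature' },
        @{ Name = 'SMB1 server protocol disabled'; Expected = $false
           Actual = (Get-SmbServerConfiguration).EnableSMB1Protocol },
        @{ Name = 'Clear pagefile at shutdown'; Expected = 1
           Actual = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' 'ClearPageFileAtShutdown' },
        @{ Name = 'WinHTTP auto-proxy (WPAD) service disabled (Start=4)'; Expected = 4
           Actual = Get-RegValue "$svc\WinHttpAutoProxySvc" 'Start' },
        @{ Name = 'LLMNR off (EnableMulticast=0)'; Expected = 0
           Actual = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast' },
        @{ Name = 'WDigest UseLogonCredential'; Expected = 0
           Actual = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential' },
        @{ Name = 'RDP requires NLA'; Expected = 1
           Actual = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' 'UserAuthentication' },
        @{ Name = 'Firewall profiles that are disabled'; Expected = 0
           Actual = @(Get-NetFirewallProfile | Where-Object { -not $_.Enabled }).Count },
        # WMI DEP policy codes: 0=AlwaysOff 1=AlwaysOn 2=OptIn 3=OptOut (server default)
        @{ Name = 'DEP support policy (3 = OptOut)'; Expected = 3
           Actual = (Get-WmiObject Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy },
        # Baselines expect UAC on; the script in this post sets it to 0.
        @{ Name = 'UAC enabled (EnableLUA)'; Expected = 1
           Actual = Get-RegValue $pol 'EnableLUA' }
    )
    foreach ($c in $checks) {
        $actual = $c.Actual
        $shown  = if ($null -eq $actual) { '<missing>' } else { $actual }
        [pscustomobject]@{
            Check    = $c.Name
            Expected = $c.Expected
            Actual   = $shown
            # String comparison so DWORD, REG_SZ and boolean results all compare cleanly.
            Pass     = ($null -ne $actual) -and ("$actual" -eq "$($c.Expected)")
        }
    }
}

Test-HardeningBaseline | Format-Table -AutoSize
```

A missing value shows as <missing> and fails the check, which is the right answer for most of these: a setting that was never written is "not configured", not "secure by default". Pipe the output to Export-Csv to keep an audit trail per host.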

… and that’s all I have. These are lessons learned through various security audits and technical issues I’ve run into over the years. I deploy these to every server that gets spun up, and recently received praise from the guys at Rapid7 during our last security audit. I made it very difficult for them 🙂

Did you find value in this article?
Feel free to donate!
BTC 13QFVycCaP3QV8uRXKSm7picypE1a2gLYx
LTC LPA3M2mHcwJG5WpKi8oyS2RiJoLHt1bXyw
ETH 0x0cd8434f8C47fC2d92197748958824B8e7bFD2f2

The “easy” way to setup a Nutanix Disaster Recovery site

July 30th, 2017

Nutanix is great for many reasons, I won’t go into all of them here, but one of my favorite features is the asynchronous replication. If your environment is configured correctly, setting up a disaster recovery environment can be super simple.

Let’s start with prerequisites:

  • At least 2 sites running Nutanix
  • Network infrastructure capable of configuring VRFs
  • Virtual IPAM solution, or duplicate IPAM hardware for test/dev
  • Asynchronous replication is already configured to the remote site

Now, let’s make some assumptions. Your corporate network is 10.0.0.0/16, and you have multiple subnets for various things. The only subnet we care about for this scenario are the subnet(s) added to networking within Nutanix. Let’s pretend it’s a single subnet, 10.0.1.0/24, on VLAN 101. Your second site can be any site; dedicated to disaster recovery or ROBO. Networking for the DR site is irrelevant for now.

The first thing we're going to do is plan out the DR networking requirements. You have 1 or more PDs being replicated on a single VLAN. The remote site probably has its own networking. There are a whole bunch of things we could probably do (VXLAN for instance), but we're going to make this simple. VRFs allow us to create duplicate networks without having a conflict on interfaces or in routing tables. You'll need a single VRF and 1 VLAN assigned to that VRF. I'm going to use Brocade VDX (NOS) in this example.

First, the VLAN interfaces. Remember how I said we only needed 1? Yea, well… you could probably get away with 1 but I like to use /30 for firewalls, so we’ll add that now as well as the WAN VLAN. I’ll explain later. We’ll be making all of these changes to the switching/routing infrastructure at your disaster recovery site.

int vlan 1099
name DR_WAN
int vlan 1100
name DR_FWP2P
int vlan 1101
name DR_SUBNET10_1

Now I’m going to define the VRF. The VDX in my example is running in a VCS fabric. The default gateway will come into play later. Also, we’re enabling OSPF to make things easy.

rbr 1
vrf dr-vrf
address-family ipv4 unicast
ip route 0.0.0.0/0 10.255.255.1
router ospf vrf dr-vrf
area 0

Next up, we’re going to setup the router interfaces. I’m going to assume you use DHCP and have 2 DHCP servers. I actually prefer to use DHCP and DHCP reservations for servers (cattle not pets; see devops mentality). The IPAM solution I use has great APIs that are leveraged during the automated build process to automatically reserve an IP in a pool of addresses. The WAN VLAN does not require a routed interface, we just need that layer 2 connection.


interface Ve 1100
vrf forwarding dr-vrf
ip ospf area 0
no ip proxy-arp
ip address 10.255.255.2/30
no shutdown
interface Ve 1101
vrf forwarding dr-vrf
ip ospf area 0
ip dhcp relay address 10.0.1.10
ip dhcp relay address 10.0.1.11
no ip proxy-arp
ip address 10.0.1.1/24
no shutdown

At this point, we now have 3 VLANs on a VRF with two routed interfaces. The next step would be to add all 3 VLANs, 1099-1100 and 1101 to all of your Nutanix interfaces, and also into Prism networking. I typically use the VLAN name in the switch as the name in Prism for consistency. Once the VLANs are added, you will go into the Protection Domains at both sites and remap the production network to the DR VRF network.

Now… why the firewall VLAN? To make things REALLY easy, I recommend using a permanent virtual firewall that is always running in your DR environment. Several vendors offer virtual instances now, and many of them will offer discounted rates for non-production environments. This applies to load balancers as well. If you use the same vendor, you can likely back up and restore the config periodically so that the firewall and load balancers are always ready for a DR event. You will need a dedicated internet connection, or at the very least a spare dedicated IP you can assign to the DR firewall (which would end up reusing a pre-existing WAN VLAN or moving WAN connections to a switched VLAN). You will likely not be able to use your ROBO firewall due to IP and routing conflicts (most firewalls are not VRF aware), hence a separate virtual firewall. In this case, I'm using VLAN 1099.

WAN connection -> switch port on VLAN 1099 -> VLAN 1099 added to all Nutanix interfaces -> VLAN 1099 assigned to virtual firewall NIC 1 “WAN”
VLAN 1100 added to all Nutanix interfaces -> VLAN 1100 assigned to virtual firewall NIC 2 “LAN”

Configure your firewall appropriately. I assigned 10.255.255.2 to the switch, so assign 10.255.255.1 to the firewall LAN interface. Assign an appropriate IP to your WAN interface. You have a lot of remote access options here… SSL VPN, IPsec VPN, RemoteApp (if you are a Windows environment), Citrix, etc. Essentially, however your users typically access your production environment is how you want to configure your DR firewall. You can use Amazon's Route53 or DNSMadeEasy for DNS failover, or a specific DR DNS record. For example, if production users go to remote.whateveryourdomainis.com, then DR would be remote-dr.whateveryourdomainis.com. The rest is user education.

So, to recap, we have our PDs mapped to our new VRF network and a virtual firewall that mimics our production firewall, with its own dedicated IP. At this point you can activate the PD on the ROBO site. All of the VMs will get added to Prism… double check the VLAN assignment if you wish. Power everything up. Your self-contained DR is now ready to go. If your team is compartmentalized (network admins, server admins, Nutanix admins, etc.) this may be more difficult to accomplish, as it requires a great deal of teamwork. However, I highly recommend this route as it is extremely easy to set up, test and run. When you're done testing, shut everything down and deactivate the PD.

If you have a DMZ in addition to a production network, you can create a second VRF or add the DMZ network to the same VRF as production. This obviously removes the segmentation between them, but in a DR scenario… what do you want to be troubleshooting? ACLs and multiple VRFs? Or would you rather focus on restoring access to end users? Every environment is unique; some environments will require mirrored security constraints. Others will not, and for those I suggest dumping ALL VLANs into a single DR VRF for simplicity. If you do collapse the DMZ into the production VRF, record it as an accepted risk for the duration of the event and restore the separation when you fail back.


Small Business Server 2011 migration issues

March 7th, 2011

Here are some of the common issues I’ve run into on back to back migrations from Microsoft Small Business Server 2003 to Small Business Server 2011:

Error: Object not found when trying to migrate mailboxes from Exchange 2003
Solution: Add the SBS 2011 computer object to the “Exchange Domain Servers” group manually. Reboot SBS 2011 to complete the process.

Error: Trying to login to Outlook Web Access results in IIS server error 500
Solution: Ensure that the Microsoft Exchange Forms-Based Authentication service is started. One way to ensure this starts in the future is to modify the service to be Automatic (Delayed).

How To: Easiest way to migrate shares from SBS 2003 to SBS 2011
Ycopy (has an easy-to-use GUI)

How To: Migrating Recipient Policies and Address Lists
Get-EmailAddressPolicy | where {$_.RecipientFilterType -eq "Legacy"} | Set-EmailAddressPolicy -IncludedRecipients AllRecipients
Set-AddressList "All Users" -IncludedRecipients MailboxUsers
Set-AddressList "All Groups" -IncludedRecipients Mailgroups
Set-AddressList "All Contacts" -IncludedRecipients MailContacts
Set-AddressList "Public Folders" -RecipientFilter {RecipientType -eq "PublicFolder"}
Set-GlobalAddressList "Default Global Address List" -RecipientFilter {(Alias -ne $null -and (ObjectClass -eq 'user' -or ObjectClass -eq 'contact' -or ObjectClass -eq 'msExchSystemMailbox' -or ObjectClass -eq 'msExchDynamicDistributionList' -or ObjectClass -eq 'group' -or ObjectClass -eq 'publicFolder'))}

Outlook error: Cannot open default mail folders
Option 1. Verify the MS Exchange RPC Client Access service is running
Option 2. Set-RpcClientAccess -Server server_name -EncryptionRequired $False (this drops the requirement for RPC encryption between Outlook and the CAS, which only older Outlook 2003 clients cannot meet; prefer enabling encryption in the Outlook profile and keep the requirement on once those clients are gone)

Running Barracuda Spam and Virus Firewall 300 out of Hyper-V

March 2nd, 2011

First of all, thanks very much to this blog: http://blog.shiraj.com/?p=49 without it, I wouldn’t have been able to get as far as I did. Anyways, now on to virtualizing a Barracuda Spam and Virus Firewall–

Things you will need:
1. Barracuda E-mail Spam Filter
2. Windows 2008 R2 Hyper-V server (VMWare probably works too… only thing I wouldn’t be sure of is how VMware portrays the mount points and what drivers it uses for legacy network adapters)
3. Acronis True Image (or similar bootable “ghosting” media)

The first step is to make an image of a Barracuda. Using the BIOS code from the aforementioned blog, login to the BIOS of the Barracuda and enable Boot from CD as the first boot option. Then connect a USB CD-ROM drive with Acronis True Image. Also connect a USB hard drive with enough space to accommodate at least 32GB worth of data.

Create the TIB image of the entire drive. Remove the USB drive when you are done and connect it to your Windows 2008 R2 Hyper-V server. Create a new virtual machine with 1 CPU, about 1GB RAM (my 300 only came with 512mb… max 2GB according to the motherboard specifications) and a legacy adapter. I also turned on Windows NT CPU support just to play it safe. Remove the SCSI controller and create a fixed 32gb VHD for the OS. Attach an ISO of Acronis True Image and boot the VM to Acronis.

I created a second VHD in the host OS and copied the TIB file into it, then mounted the VHD as a secondary IDE drive. This was the easiest way to get the VM to restore the TIB file… plus at any time I can reboot into Acronis and reimage my system.

Restore the image and reboot. You will want to follow the steps from the previously mentioned blog to gain root access. This is necessary to make the network card work. Once you have root access, modify the /etc/modules.conf file. Change the eth0 alias to use “tulip” instead of “via-rhine.” Type modprobe tulip to verify, then ifconfig to double check eth0 is now available.

This is a great way to avoid having to purchase instant replacement, and in a suitable backup environment… disaster recovery is a breeze if you back up your virtual machines. Creating the image doesn't void the warranty as long as you can avoid opening the case. However, if you ever experience problems… hopefully they don't notice your hardware specs 🙂 I'm not sure how much lspci differs from appliance to virtual machine, I haven't gotten that deep into it yet.

Just an FYI, if you ever need to manually update firmware because the web interface is broken… look for /home/emailswitch/code/firmware/current/bin/update.pl and run update.pl with the argument “firmware”

i.e. ./update.pl firmware

Add -c at the end to perform a check only.

Just about every function of the web site is a perl script… doing some cat/grep operations on the index.cgi should help you out if you are ever in a bind.

Lab in a Box

March 2nd, 2011

If you are on a budget, but you have a Cisco PIX 515, Cisco layer-3 switch (I’m using a 3550) and a HP DL/ML 3-series server, you can create an entire lab with just these three devices. Obviously, it doesn’t have to be Cisco or HP… but as long as the Firewall supports trunking and VLAN subinterfaces, the switch supports VRF routing and the server supports trunking/vlans, then you should be able to modify this to work for any setup accordingly.

Let's start with the core switch. Here is the relevant config from the 3550 I'm using:

ip vrf INET
rd 2600:2
route-target export 2600:2
ip vrf NET1
rd 2600:3
route-target export 2600:3
ip vrf NET2
rd 2600:4
route-target export 2600:4

interface FastEthernet0/1
description Trunk to HP Server
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2-4
switchport mode trunk
no ip address
spanning-tree portfast

interface FastEthernet0/10
description Uplink to PIX Outside
switchport access vlan 2
switchport mode access
no ip address
spanning-tree portfast

interface FastEthernet0/11
description Trunk to PIX Inside
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 3-5
switchport mode trunk
no ip address
spanning-tree portfast

interface Vlan2
description LAB-INET
ip vrf forwarding INET
ip address 1.1.1.1 255.255.255.0

interface Vlan3
description LAB-NET1
ip vrf forwarding NET1
ip address 192.168.10.254 255.255.255.0

interface Vlan4
description LAB-NET2
ip vrf forwarding NET2
ip address 192.168.20.254 255.255.255.0

ip route vrf NET1 0.0.0.0 0.0.0.0 192.168.10.1
ip route vrf NET2 0.0.0.0 0.0.0.0 192.168.20.1

Here is the relevant config on the Cisco PIX:

interface Ethernet0
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.0

interface Ethernet1
no nameif
security-level 100
no ip address

interface Ethernet1.10
vlan 3
nameif inside-net1
security-level 100
ip address 192.168.10.1 255.255.255.0

interface Ethernet1.20
vlan 4
nameif inside-net2
security-level 100
ip address 192.168.20.1 255.255.255.0

access-list OUTSIDE_IN extended permit ip any any

global (outside) 6 1.1.1.4
global (outside) 7 1.1.1.5

nat (inside-net1) 6 192.168.10.0 255.255.255.0
nat (inside-net2) 7 192.168.20.0 255.255.255.0

access-group OUTSIDE_IN in interface outside

route outside 0.0.0.0 0.0.0.0 1.1.1.1 1

On the HP server, configure the trunk interface to have vlan 1, vlan 2, vlan 3 and vlan 4 (name the interfaces appropriately, assign them IP addresses). I used the following IPs:

vlan 1 (n/a)

vlan 2 1.1.1.3

vlan 3 192.168.10.2

vlan 4 192.168.20.2

Then, on the HP server install VMWare Server (free). Configure the VM networks to be bridged to vlan 2, 3 and 4.

Provision a virtual server on each interface and assign a corresponding bridged network.

You now have an “internet” server and two “private” servers behind NAT. On the “internet” server, setup DNS and assign the other servers to use it for DNS.

To test that I had NAT and firewall working properly, I installed IIS on each server and configured a host header and the appropriate DNS A records on the “internet” server.

I set each website to use index.asp (enabled ASP first) and used the following code:

<html>
<head>
<title>Teh Interwebs</title>
</head>
<body>
Welcome to teh interwebs.
Your IP Address = <%=Request.ServerVariables("REMOTE_ADDR")%>
</body>
</html>

You should be able to hit each website and have the correct “WAN” IP address display on each website. If you can successfully hit the “internet” from each server, and each server from the “internet” then you have a working setup. You can now dcpromo, install Exchange… do whatever it is that you want to test. Modify my setup slightly, and you can test DMZ configurations, among other things.

How To: Updating Trixbox to support additional multi purpose lines (Grandstream)

January 24th, 2011

This example is for a Grandstream GXP2010. The basic logic behind it applies to the other Grandstream phones as well (GXP2000, 2020, etc.). You can extend this further to include the ability to program extension modules as well.

Step 1: Update the device edit page
nano /var/www/html/maint/modules/endpointcfg/templates/endpoint_Grandstream_edit.tpl

Add the following code to raise the number of multi purpose keys from 7 to 18 (one block per key; note that keys 17 and 18 each get their own block):

{translation charString = $MULTIPURPOSEKEY8 language = $trixbox_language} {translation charString = $MODE language = $trixbox_language}:{html_options name=key8_mode options=$key_mode_list selected=$phone.key8_mode} {translation charString = $NAME language = $trixbox_language}:
{translation charString = $NUMBER language = $trixbox_language}:
{translation charString = $MULTIPURPOSEKEY9 language = $trixbox_language} {translation charString = $MODE language = $trixbox_language}:{html_options name=key9_mode options=$key_mode_list selected=$phone.key9_mode} {translation charString = $NAME language = $trixbox_language}:
{translation charString = $NUMBER language = $trixbox_language}:
{translation charString = $MULTIPURPOSEKEY10 language = $trixbox_language} {translation charString = $MODE language = $trixbox_language}:{html_options name=key10_mode options=$key_mode_list selected=$phone.key10_mode} {translation charString = $NAME language = $trixbox_language}:
{translation charString = $NUMBER language = $trixbox_language}:
{translation charString = $MULTIPURPOSEKEY11 language = $trixbox_language} {translation charString = $MODE language = $trixbox_language}:{html_options name=key11_mode options=$key_mode_list selected=$phone.key11_mode} {translation charString = $NAME language = $trixbox_language}:
{translation charString = $NUMBER language = $trixbox_language}:
{translation charString = $MULTIPURPOSEKEY12 language = $trixbox_language} {translation charString = $MODE language = $trixbox_language}:{html_options name=key12_mode options=$key_mode_list selected=$phone.key12_mode} {translation charString = $NAME language = $trixbox_language}:
{translation charString = $NUMBER language = $trixbox_language}:
{translation charString = $MULTIPURPOSEKEY13 language = $trixbox_language} {translation charString = $MODE language = $trixbox_language}:{html_options name=key13_mode options=$key_mode_list selected=$phone.key13_mode} {translation charString = $NAME language = $trixbox_language}:
{translation charString = $NUMBER language = $trixbox_language}:
{translation charString = $MULTIPURPOSEKEY14 language = $trixbox_language} {translation charString = $MODE language = $trixbox_language}:{html_options name=key14_mode options=$key_mode_list selected=$phone.key14_mode} {translation charString = $NAME language = $trixbox_language}:
{translation charString = $NUMBER language = $trixbox_language}:
{translation charString = $MULTIPURPOSEKEY15 language = $trixbox_language} {translation charString = $MODE language = $trixbox_language}:{html_options name=key15_mode options=$key_mode_list selected=$phone.key15_mode} {translation charString = $NAME language = $trixbox_language}:
{translation charString = $NUMBER language = $trixbox_language}:
{translation charString = $MULTIPURPOSEKEY16 language = $trixbox_language} {translation charString = $MODE language = $trixbox_language}:{html_options name=key16_mode options=$key_mode_list selected=$phone.key16_mode} {translation charString = $NAME language = $trixbox_language}:
{translation charString = $NUMBER language = $trixbox_language}:
{translation charString = $MULTIPURPOSEKEY17 language = $trixbox_language} {translation charString = $MODE language = $trixbox_language}:{html_options name=key17_mode options=$key_mode_list selected=$phone.key17_mode} {translation charString = $NAME language = $trixbox_language}:
{translation charString = $NUMBER language = $trixbox_language}:
{translation charString = $MULTIPURPOSEKEY18 language = $trixbox_language} {translation charString = $MODE language = $trixbox_language}:{html_options name=key18_mode options=$key_mode_list selected=$phone.key18_mode} {translation charString = $NAME language = $trixbox_language}:
{translation charString = $NUMBER language = $trixbox_language}:

Step 2: Update SQL tables. This works best if you remove all phones first, otherwise it gets a bit complicated.

Use this to dump the table:

mysqldump -c -u root -ppassw0rd endpoints Grandstream > endpoints.Grandstream.sql

Edit the file you just made by adding the following (should be obvious where):

`key8_mode` varchar(255) NOT NULL default '',
`key8_name` varchar(255) NOT NULL default '',
`key8_userid` varchar(255) NOT NULL default '',
`key9_mode` varchar(255) NOT NULL default '',
`key9_name` varchar(255) NOT NULL default '',
`key9_userid` varchar(255) NOT NULL default '',
`key10_mode` varchar(255) NOT NULL default '',
`key10_name` varchar(255) NOT NULL default '',
`key10_userid` varchar(255) NOT NULL default '',
`key11_mode` varchar(255) NOT NULL default '',
`key11_name` varchar(255) NOT NULL default '',
`key11_userid` varchar(255) NOT NULL default '',
`key12_mode` varchar(255) NOT NULL default '',
`key12_name` varchar(255) NOT NULL default '',
`key12_userid` varchar(255) NOT NULL default '',
`key13_mode` varchar(255) NOT NULL default '',
`key13_name` varchar(255) NOT NULL default '',
`key13_userid` varchar(255) NOT NULL default '',
`key14_mode` varchar(255) NOT NULL default '',
`key14_name` varchar(255) NOT NULL default '',
`key14_userid` varchar(255) NOT NULL default '',
`key15_mode` varchar(255) NOT NULL default '',
`key15_name` varchar(255) NOT NULL default '',
`key15_userid` varchar(255) NOT NULL default '',
`key16_mode` varchar(255) NOT NULL default '',
`key16_name` varchar(255) NOT NULL default '',
`key16_userid` varchar(255) NOT NULL default '',
`key17_mode` varchar(255) NOT NULL default '',
`key17_name` varchar(255) NOT NULL default '',
`key17_userid` varchar(255) NOT NULL default '',
`key18_mode` varchar(255) NOT NULL default '',
`key18_name` varchar(255) NOT NULL default '',
`key18_userid` varchar(255) NOT NULL default '',

and this (also rather obvious):

, `key8_mode`, `key8_name`, `key8_userid`, `key9_mode`, `key9_name`, `key9_userid`, `key10_mode`, `key10_name`, `key10_userid`, `key11_mode`, `key11_name`, `key11_userid`, `key12_mode`, `key12_name`, `key12_userid`, `key13_mode`, `key13_name`, `key13_userid`, `key14_mode`, `key14_name`, `key14_userid`, `key15_mode`, `key15_name`, `key15_userid`, `key16_mode`, `key16_name`, `key16_userid`, `key17_mode`, `key17_name`, `key17_userid`, `key18_mode`, `key18_name`, `key18_userid`

Use this to restore the table: mysql -u root -ppassw0rd endpoints < endpoints.Grandstream.sql

Step 3: Update Grandstream defaults:

nano /tftpboot/Grandstream_GXP2010_Default.txt

Add:

# Multi Purpose Key 8
# ------------------------------------------

# Account. 0 - Account 1, 1 - Account 2, 2 - Account 3, 3 - Account 4
P354 = 0

# Multi Purpose Key 9
# ------------------------------------------

# Account. 0 - Account 1, 1 - Account 2, 2 - Account 3, 3 - Account 4
P358 = 0

# Multi Purpose Key 10
# ------------------------------------------

# Account. 0 - Account 1, 1 - Account 2, 2 - Account 3, 3 - Account 4
P362 = 0

# Multi Purpose Key 11
# ------------------------------------------

# Account. 0 - Account 1, 1 - Account 2, 2 - Account 3, 3 - Account 4
P366 = 0

# Multi Purpose Key 12
# ------------------------------------------

# Account. 0 - Account 1, 1 - Account 2, 2 - Account 3, 3 - Account 4
P370 = 0

# Multi Purpose Key 13
# ------------------------------------------

# Account. 0 - Account 1, 1 - Account 2, 2 - Account 3, 3 - Account 4
P374 = 0

# Multi Purpose Key 14
# ------------------------------------------

# Account. 0 - Account 1, 1 - Account 2, 2 - Account 3, 3 - Account 4
P378 = 0

# Multi Purpose Key 15
# ------------------------------------------

# Account. 0 - Account 1, 1 - Account 2, 2 - Account 3, 3 - Account 4
P382 = 0

# Multi Purpose Key 16
# ------------------------------------------

# Account. 0 - Account 1, 1 - Account 2, 2 - Account 3, 3 - Account 4
P386 = 0

# Multi Purpose Key 17
# ------------------------------------------

# Account. 0 - Account 1, 1 - Account 2, 2 - Account 3, 3 - Account 4
P390 = 0

# Multi Purpose Key 18
# ------------------------------------------

# Account. 0 - Account 1, 1 - Account 2, 2 - Account 3, 3 - Account 4
P394 = 0

Step 4: Edit global variables for Grandstream conversion

Edit /var/www/html/maint/modules/endpointcfg/libs/trixbox.php and add the following (use plain single quotes; curly quotes are a PHP syntax error):

$GrandstreamConvert['key8_mode'] = 353 ;
$GrandstreamConvert['key8_name'] = 355 ;
$GrandstreamConvert['key8_userid'] = 356 ;
$GrandstreamConvert['key9_mode'] = 357 ;
$GrandstreamConvert['key9_name'] = 359 ;
$GrandstreamConvert['key9_userid'] = 360 ;
$GrandstreamConvert['key10_mode'] = 361 ;
$GrandstreamConvert['key10_name'] = 363 ;
$GrandstreamConvert['key10_userid'] = 364 ;
$GrandstreamConvert['key11_mode'] = 365 ;
$GrandstreamConvert['key11_name'] = 367 ;
$GrandstreamConvert['key11_userid'] = 368 ;
$GrandstreamConvert['key12_mode'] = 369 ;
$GrandstreamConvert['key12_name'] = 371 ;
$GrandstreamConvert['key12_userid'] = 372 ;
$GrandstreamConvert['key13_mode'] = 373 ;
$GrandstreamConvert['key13_name'] = 375 ;
$GrandstreamConvert['key13_userid'] = 376 ;
$GrandstreamConvert['key14_mode'] = 377 ;
$GrandstreamConvert['key14_name'] = 379 ;
$GrandstreamConvert['key14_userid'] = 380 ;
$GrandstreamConvert['key15_mode'] = 381 ;
$GrandstreamConvert['key15_name'] = 383 ;
$GrandstreamConvert['key15_userid'] = 384 ;
$GrandstreamConvert['key16_mode'] = 385 ;
$GrandstreamConvert['key16_name'] = 387 ;
$GrandstreamConvert['key16_userid'] = 388 ;
$GrandstreamConvert['key17_mode'] = 389 ;
$GrandstreamConvert['key17_name'] = 391 ;
$GrandstreamConvert['key17_userid'] = 392 ;
$GrandstreamConvert['key18_mode'] = 393 ;
$GrandstreamConvert['key18_name'] = 395 ;
$GrandstreamConvert['key18_userid'] = 396 ;

Now add your devices and reboot your phones. The same logic can be used to add functionality for extension modules and newer Grandstream phones (the newest GXP2010 added several multi purpose buttons).
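Steps 2 through 4 are all the same arithmetic written out by hand: multi purpose key N (N at least 8) owns four consecutive Grandstream P-codes starting at 353 + 4*(N-8), in the order mode, account, name, userid (key 8 is P353..P356, key 18 is P393..P396, and the account value is what step 3 sets to 0). Below is a generator I am adding as an example, not part of the original post or of Trixbox, that derives the SQL column definitions, the INSERT column list, the defaults stanza and the $GrandstreamConvert lines from that rule, so a copy-paste slip cannot creep in. The table name `Grandstream` and database `endpoints` are taken from the mysqldump command above; the ALTER TABLE output is an assumed alternative to editing the dump file by hand.

```python
"""Generate the repetitive multi purpose key additions for Trixbox/Grandstream.

Added example; not part of the original post or of Trixbox. Every line of
steps 2-4 is derived from: pcode = 353 + 4 * (key - 8) + field offset,
with offsets mode=0, account=1, name=2, userid=3.
"""
from typing import List

FIRST_NEW_KEY = 8          # keys 1-7 ship with the stock template
FIRST_PCODE = 353          # P-code of key 8's mode field
PCODES_PER_KEY = 4
FIELD_OFFSET = {"mode": 0, "account": 1, "name": 2, "userid": 3}
DB_FIELDS = ("mode", "name", "userid")   # 'account' lives only in the defaults file


def pcode(key: int, field: str) -> int:
    """P-code for one field of multi purpose key `key` (e.g. key 13 account -> 374)."""
    if key < FIRST_NEW_KEY:
        raise ValueError(f"key {key} already exists in the stock Trixbox template")
    return FIRST_PCODE + PCODES_PER_KEY * (key - FIRST_NEW_KEY) + FIELD_OFFSET[field]


def sql_column_defs(first: int, last: int) -> List[str]:
    """Step 2: column definitions to paste into the CREATE TABLE of the dump."""
    return [f"`key{k}_{f}` varchar(255) NOT NULL default '',"
            for k in range(first, last + 1) for f in DB_FIELDS]


def sql_insert_column_list(first: int, last: int) -> str:
    """Step 2: the column list to append to the INSERT statement of the dump."""
    return ", ".join(f"`key{k}_{f}`" for k in range(first, last + 1) for f in DB_FIELDS)


def sql_alter_table(first: int, last: int, table: str = "Grandstream") -> str:
    """Assumed alternative to dump/edit/restore: add the columns in place."""
    adds = ",\n  ".join(f"ADD COLUMN `key{k}_{f}` varchar(255) NOT NULL default ''"
                        for k in range(first, last + 1) for f in DB_FIELDS)
    return f"ALTER TABLE `{table}`\n  {adds};"


def defaults_stanza(first: int, last: int) -> str:
    """Step 3: the per-key account default for Grandstream_GXP2010_Default.txt."""
    out = []
    for k in range(first, last + 1):
        out += [f"# Multi Purpose Key {k}",
                "# ------------------------------------------",
                "",
                "# Account. 0 - Account 1, 1 - Account 2, 2 - Account 3, 3 - Account 4",
                f"P{pcode(k, 'account')} = 0",
                ""]
    return "\n".join(out)


def php_convert_lines(first: int, last: int) -> List[str]:
    """Step 4: the $GrandstreamConvert entries for trixbox.php."""
    return [f"$GrandstreamConvert['key{k}_{f}'] = {pcode(k, f)} ;"
            for k in range(first, last + 1) for f in DB_FIELDS]


if __name__ == "__main__":
    print(sql_alter_table(8, 18))
    print(sql_insert_column_list(8, 18))
    print(defaults_stanza(8, 18))
    print("\n".join(php_convert_lines(8, 18)))
```

Change the `8, 18` range to cover an extension module or a newer model with more buttons and the same script produces every block; the P-code spacing of 4 per key is the only thing to confirm against the phone's own template first.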

Configuring internet failover on Cisco PIX or ASA running 8.0+

November 17th, 2010

Here is how to do redundant ISP links on Cisco ASA 8.x (each sla monitor needs a probe target reachable only through its own interface, and each tracked route needs its gateway; placeholders are in angle brackets):

sla monitor 111
type echo protocol ipIcmpEcho <ISP1 probe target> interface outside
num-packets 4
frequency 10

sla monitor 112
type echo protocol ipIcmpEcho <ISP2 probe target> interface backup
num-packets 4
frequency 10

sla monitor schedule 111 life forever start-time now
sla monitor schedule 112 life forever start-time now

track 1 rtr 111 reachability
track 2 rtr 112 reachability

route outside 0.0.0.0 0.0.0.0 <ISP1 Gateway> 1 track 1
route backup 0.0.0.0 0.0.0.0 <ISP2 Gateway> 10 track 2

Example NAT configuration:

global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

Configuring internet failover on a Cisco 2800 series router

November 17th, 2010

This is, in my opinion, the best way to do a failover configuration for 2 ISP links:

track 100 ip sla 100 reachability
delay down 10 up 20

track 101 ip sla 101 reachability
delay down 10 up 20

ip local policy route-map LocalPolicy

ip nat inside source route-map DYN_NAT interface <WAN1 Interface> overload
ip nat inside source route-map FAILOVER_NAT interface <WAN2 Interface> overload

ip route 0.0.0.0 0.0.0.0 <ISP1 Gateway> track 100
ip route 0.0.0.0 0.0.0.0 <ISP2 Gateway> 10 track 101
ip route 0.0.0.0 0.0.0.0 <ISP1 Gateway> 250
ip route 0.0.0.0 0.0.0.0 <ISP2 Gateway> 251

ip access-list extended PingISP_A
permit icmp host <WAN1 Interface IP> host 8.8.8.8

ip access-list extended PingISP_B
permit icmp host <WAN2 Interface IP> host 8.8.8.8

ip sla 100
icmp-echo 8.8.8.8 source-interface <WAN1 Interface>
ip sla schedule 100 life forever start-time now

ip sla 101
icmp-echo 8.8.8.8 source-interface <WAN2 Interface>
ip sla schedule 101 life forever start-time now

access-list 107 permit ip <LAN subnet> <LAN inverse mask> any
access-list 108 permit ip <LAN subnet> <LAN inverse mask> any

route-map FAILOVER_NAT permit 10
match ip address 107
match interface <WAN2 Interface>

route-map DYN_NAT permit 10
match ip address 108
match interface <WAN1 Interface>

route-map LocalPolicy permit 10
match ip address PingISP_A
set ip next-hop <ISP1 Gateway>
set interface <WAN1 Interface>

route-map LocalPolicy permit 20
match ip address PingISP_B
set ip next-hop <ISP2 Gateway>
set interface <WAN2 Interface>

If you need to do static NAT you would do basically the same thing:

route-map STAT_NAT permit 10
match ip address 109
match interface <WAN1 Interface>

route-map FAILOVER_SNAT permit 10
match ip address 110
match interface <WAN2 Interface>
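To see why the router config has four default routes and why the tracks carry `delay down 10 up 20`, here is a small model I am adding as an example (it is not Cisco code or configuration). It reproduces what IOS does with the config above: each track follows its IP SLA probe and only flips state once the probe has disagreed for the configured delay, and of the candidate default routes only the lowest administrative distance whose track is up is installed; the untracked 250/251 routes remain as a last resort when both probes fail. The ASA config further up uses the same mechanism with metrics 1 and 10. Gateway labels, the outage timeline and the one-second probe cadence are constructed for the demonstration.

```python
"""Model of tracked default routes with delayed track state changes.

Added example, not Cisco code. Mirrors the router config above:
  track 100/101 ... reachability, delay down 10 up 20
  ip route 0.0.0.0 0.0.0.0 <ISP1 Gateway> track 100        (AD 1)
  ip route 0.0.0.0 0.0.0.0 <ISP2 Gateway> 10 track 101     (AD 10)
  ip route 0.0.0.0 0.0.0.0 <ISP1 Gateway> 250              (untracked)
  ip route 0.0.0.0 0.0.0.0 <ISP2 Gateway> 251              (untracked)
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Track:
    """`track N ip sla N reachability` with `delay down X up Y` hysteresis."""
    name: str
    delay_down: int
    delay_up: int
    up: bool = True
    pending_since: Optional[int] = None   # when the probe first disagreed with `up`

    def observe(self, now: int, reachable: bool) -> bool:
        """Feed one probe result; the state flips only after the delay has elapsed."""
        if reachable == self.up:
            self.pending_since = None     # a flap shorter than the delay is ignored
            return self.up
        if self.pending_since is None:
            self.pending_since = now
        needed = self.delay_up if reachable else self.delay_down
        if now - self.pending_since >= needed:
            self.up = reachable
            self.pending_since = None
        return self.up


@dataclass(frozen=True)
class Route:
    """`ip route 0.0.0.0 0.0.0.0 <gateway> [distance] [track N]`."""
    via: str
    distance: int = 1
    track: Optional[str] = None


def installed_route(routes: List[Route], tracks: Dict[str, Track]) -> Route:
    """Lowest administrative distance among routes whose track (if any) is up."""
    usable = [r for r in routes if r.track is None or tracks[r.track].up]
    return min(usable, key=lambda r: r.distance)


def simulate(routes: List[Route], tracks: Dict[str, Track],
             reachability: Callable[[int], Dict[str, bool]],
             seconds: int) -> List[Tuple[int, str, int]]:
    """Run the probes once per second and record every change of installed route."""
    history: List[Tuple[int, str, int]] = []
    current = None
    for t in range(seconds):
        probes = reachability(t)
        for name, track in tracks.items():
            track.observe(t, probes[name])
        chosen = installed_route(routes, tracks)
        if (chosen.via, chosen.distance) != current:
            current = (chosen.via, chosen.distance)
            history.append((t, chosen.via, chosen.distance))
    return history


def lab_routes() -> List[Route]:
    return [Route("ISP1 gateway", 1, "100"), Route("ISP2 gateway", 10, "101"),
            Route("ISP1 gateway", 250), Route("ISP2 gateway", 251)]


def lab_tracks() -> Dict[str, Track]:
    return {"100": Track("100", 10, 20), "101": Track("101", 10, 20)}


def sample_outages(t: int) -> Dict[str, bool]:
    """Constructed timeline: 5 s blip on ISP1, 41 s outage, recovery, then both down."""
    isp1 = not (5 <= t < 10 or 20 <= t <= 60 or t >= 100)
    isp2 = t < 100
    return {"100": isp1, "101": isp2}


if __name__ == "__main__":
    for when, via, ad in simulate(lab_routes(), lab_tracks(), sample_outages, 140):
        print(f"t={when:3d}s  default via {via} (AD {ad})")
```

The run shows the behaviour the delays buy you: the 5 second blip at t=5 never moves traffic, the real outage at t=20 fails over at t=30 (after `delay down 10`), the recovery at t=61 only moves traffic back at t=81 (after `delay up 20`, so a link that is up for a moment does not bounce the default route), and when both probes fail at t=100 the AD 250 route keeps a default route installed instead of leaving the router with none.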

Unable to create VPN sessions

September 3rd, 2010

If you receive any of the following errors in your event log when trying to establish a VPN session or PPP session, then the fix for you is listed below. I noticed this when trying to establish a VPN session through a Netgear VPN box. I checked my event logs and found the event IDs listed below.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Description:
The Remote Access Connection Manager service terminated with the following error:
The specified procedure could not be found.

Event Type: Error
Event Source: Rasman
Event Category: None
Event ID: 20063
Description:
Remote Access Connection Manager failed to start because the Point to Point Protocol failed to initialize. The specified procedure could not be found.

Event Type: Error
Event Source: RemoteAccess
Event Category: None
Event ID: 20070
Description:
Point to Point Protocol engine was unable to load the C:\Program Files\Symantec AntiVirus\SymRasMan.dll module. The specified module could not be found.

Quote from http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008010718082848

“To work around this problem, restore the registry string values with the following variable path to rastls.dll:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13
ConfigUiPath %SystemRoot%\System32\rastls.dll
IdentityPath %SystemRoot%\System32\rastls.dll
InteractiveUIPath %SystemRoot%\System32\rastls.dll
Path %SystemRoot%\System32\rastls.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\25
ConfigUiPath %SystemRoot%\System32\rastls.dll
IdentityPath %SystemRoot%\System32\rastls.dll
InteractiveUIPath %SystemRoot%\System32\rastls.dll
Path %SystemRoot%\System32\rastls.dll”

Microsoft Outlook: “the account you have added is not fully configured” error

August 10th, 2010

I recently discovered a fix for the rare but annoying “the account you have added is not fully configured” error when attempting to add an Exchange mailbox in Outlook 2003. I discovered it by mentioning it to a co-worker who happened to know about this rare issue, which is not documented anywhere that I searched (a brief Google search including the Microsoft KB and Experts Exchange). I probably didn’t give it my best effort, but nonetheless, the fix was incredibly simple.

The fix is to search for mapisvc.inf and delete both instances (windows/system32 and program files/common files), then re-create the Outlook profile, which will be wiped out as a result.