Keith Smith - My Blog - Twitter @_KeithIT


Let's Encrypt redirect with KEMP load balancer

Sunday, November 10, 2019 - Posted by Keith A. Smith, in Network, Automation, Microsoft

PKI management is a huge PITA; in the near future I will post how I've automated PKI renewals and installation of certificates. In this post I wanted to share a method for managing certificate renewals in an environment that has multiple web servers and a KEMP load balancer in front, with a central server for certificate management. The load balancer rules send traffic for /.well-known/acme-challenge/ to the certificate management server, and all other port 80 traffic gets redirected to 443.


You will need to create a virtual service with two subVS's.




Open the virtual service, then add the first SubVS.





The first SubVS should have a weight of 1100, with Not Available Redirection Handling set to error code 302 and the Redirect URL set to https://%h%s.




The second SubVS has a weight of 1000 and has the IIS server I use to create my Let's Encrypt certs set as the real server.





Create a content rule named Lets_Encrypt: Rule Type is Content Matching, Match Type is Regular Expression, Header Field is left blank, Matching String is /^\/.well-known/ and Ignore Case is checked.




Now enable Content Switching on the VS. I then added all my content rules for my domains to the first SubVS so they will be redirected to HTTPS, and added the Lets_Encrypt content rule to the second SubVS.




To download the exported file, visit my github repo https://github.com/KeithIT-Dev/Kemp
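The decision the two SubVSs make can be modelled in a few lines. The following is an added example of my own, not configuration from the post or from KEMP: it takes the Host header and request URI of a plaintext HTTP request and returns either a forward to the ACME server (the Lets_Encrypt rule) or the 302 redirect built from the https://%h%s template. The domain set and the real-server address are constructed placeholders, the ACME rule is checked first because that is the behaviour the post wants, and the stricter rule variant is my own suggestion: the post's pattern leaves the dot unescaped, so it matches any single character before well-known.

```python
import re

# Added example; models the content-switching decision described in the post.

# The post's Lets_Encrypt rule: regular expression, ignore case.
# The '.' is unescaped, so it matches any single character, not only a literal dot.
LETS_ENCRYPT_RULE = re.compile(r"^/.well-known/", re.IGNORECASE)
# Stricter variant (my assumption, not in the post): literal dot, ACME path only.
STRICT_ACME_RULE = re.compile(r"^/\.well-known/acme-challenge/", re.IGNORECASE)

# Constructed: domains that have their own content rules on the redirect SubVS.
REDIRECT_DOMAINS = {"example.com", "www.example.com"}
# Constructed placeholder for the IIS server that answers ACME challenges.
ACME_REAL_SERVER = "192.0.2.10:80"


def route_http_request(host, uri, acme_rule=LETS_ENCRYPT_RULE):
    """Decide what the port-80 VS does with one request.

    host: value of the Host header; uri: request path plus query string.
    Returns a dict whose 'action' is 'forward', 'redirect' or 'no_match'.
    """
    # Drop any :port from Host so the domain rules match the bare name
    # and the redirect never points at https://host:80.
    hostname = host.split(":", 1)[0].strip().lower()

    # Second SubVS: ACME challenge traffic goes to the certificate server.
    if acme_rule.match(uri):
        return {"action": "forward", "status": None, "target": ACME_REAL_SERVER}

    # First SubVS: known domains have no real server, so the Not Available
    # handling answers 302 with https://%h%s (%h = Host header, %s = URI).
    if hostname in REDIRECT_DOMAINS:
        return {"action": "redirect", "status": 302,
                "target": f"https://{hostname}{uri}"}

    # No content rule matched: the request is not for a configured domain.
    return {"action": "no_match", "status": None, "target": None}


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ("example.com", "/.well-known/acme-challenge/tok123"),
        ("WWW.Example.com:80", "/login?next=/home"),
        ("other.example", "/"),
        ("example.com", "/Xwell-known/acme-challenge/tok123"),
    ]
    for host, uri in samples:
        print(host, uri, "->", route_http_request(host, uri))
        print("  strict:", route_http_request(host, uri, STRICT_ACME_RULE)["action"])
```

The last sample shows why the stricter pattern is worth considering: with the post's rule, a path such as /Xwell-known/acme-challenge/ is also sent to the certificate server, while the literal-dot rule only forwards real ACME challenge paths.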






-End



Still a bunch of cool tools from Sysinternals

Friday, September 13, 2019 - Posted by Keith A. Smith, in Network, Microsoft


You can point your favorite browser to http://live.sysinternals.com/ to access any Sysinternals tool. If you would like to do it the "old school way", you can open Windows Explorer (if you are on Windows) and point it to \\live.sysinternals.com\ to browse and launch any Sysinternals app. These tools have been a staple for most of us who have been in the field for a while now; it's good to see them still being developed.


-End



Unitrends to Nakivo

Wednesday, December 12, 2018 - Posted by Keith A. Smith, in Network, VMware, Microsoft

Six years ago I was still using LTO tapes as a primary backup method with Backup Exec to back up several terabytes of data from various servers. Some of the backups would take days to complete; some would complete successfully while others would complete with errors, and on the flip side the recovery of data would take even longer than the backups, with a high chance that one wouldn't be able to recover anything at all. It was well past time to move from tapes to D2D for backups, so I started performing bake-offs between many products at the time. The Unitrends solution beat all the other D2D solutions by a wide margin; one of the many things that I liked about Unitrends was that they didn't charge per client and they had an appliance that they had built and would support. As time progressed the Unitrends solution started to show its age and became very costly at renewal time, something I've experienced multiple times as I've implemented the solution at many organizations. The renewal costs have pushed many customers to go back to the drawing board (as a lot of customers had built their entire DR/BC plans around the Unitrends solution) and evaluate other solutions. The Unitrends solution had been a go-to for me for a long time when it came to designing DR/BC architecture; I now find myself saying goodbye to Unitrends in favor of Nakivo as a D2D solution. The Nakivo backup and recovery solution is entirely web-based and comes as a virtual appliance, as a package on a NAS, or can be installed on a server you provision running *nix or Windows. I've found the transition to be quite pleasant, the support has been very knowledgeable, and the administration has been straightforward to navigate.


-End



Password Recovery in AOS

Wednesday, November 29, 2017 - Posted by Keith A. Smith, in Network

Recovering passwords requires direct physical access to a unit. This procedure cannot be performed remotely over Telnet, SSH, or the Web GUI. First, connect a straight-through serial cable to the console port of the unit. Second, configure a VT100 session (e.g. HyperTerminal or ProComm) using the following settings: 9600 bps, 8 bits, no parity, 1 stop bit and no flow control. Lastly, reboot the unit by removing the power. As the unit boots, you will be given the opportunity to break into bootstrap mode by pressing the ESC key within 5 seconds. While in bootstrap mode, issue the following commands:

Bootstrap# bypass passwords

Bootstrap# boot

Notice that you are issuing the boot command, not the reload command, following the bypass passwords command. Once the unit has finished booting up, you can issue the enable command and you will not be required to enter the privileged (i.e. enable) password. Once you are in privileged mode, you can view the configured passwords with the show run command. A new password can also be set by entering global configuration mode with the config terminal command and issuing the enable password command followed by the new password. Also remember to change any Telnet, SSH or Web GUI passwords if necessary.

Below is a sample output of these steps:

Router (1200990L1)
Executing bootstrap...
ram: 268435456 bytes of RAM detected.
Serial Number: LBADTNXXXXXXXXX
Bootstrap version: 11.04.1.B2, checksum: 0F3C, Wed Nov 29
vfs: NONVOL: 120 tracks, 128 sectors/track, 1024 bytes/sector.
eth0/1: initializing...
eth0/1: MAC address is 00:A0:C8:XX:XX:XX
bootstrap: Checking boot configuration...
bootstrap: Primary image is 'NONVOL:/NV5305A-12-01-07b-E.biz'.
bootstrap: User escaped to command line interface.
cli: starting command line interface...
cli: starting user interface


Press '?' for help.
bootstrap#bypass passwords
bootstrap#boot



In case anyone comes across this in the future: instead of the command "bypass passwords", you can alternately use "bypass startup-config" then "boot". This will boot the system with a blank/default config. Once you get into enable mode you can enter "copy running-config startup-config" to re-apply the default config while leaving you at the enable prompt (effectively skipping the login and enable password prompts), or you can just manually reconfigure the box in case you really messed things up.
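Because this procedure only works from the physical console, the console output is the one place it leaves a trace. The following is an added example of my own, not part of the post or of AOS: assuming console output is captured (for instance through a terminal server that logs sessions), it scans a capture for the bootstrap escape line and the two bypass commands shown above and summarizes what happened. The capture it runs over is a constructed excerpt adapted from the sample output in the post.

```python
import re

# Constructed console capture, adapted from the post's sample output.
SAMPLE_CONSOLE_LOG = """\
Router (1200990L1)
Executing bootstrap...
bootstrap: Checking boot configuration...
bootstrap: Primary image is 'NONVOL:/NV5305A-12-01-07b-E.biz'.
bootstrap: User escaped to command line interface.
cli: starting command line interface...
Press '?' for help.
bootstrap#bypass passwords
bootstrap#boot
"""

# Constructed capture of a normal boot with no operator intervention.
CLEAN_CONSOLE_LOG = """\
Router (1200990L1)
Executing bootstrap...
bootstrap: Checking boot configuration...
bootstrap: Primary image is 'NONVOL:/NV5305A-12-01-07b-E.biz'.
bootstrap: Booting primary image...
"""

# Indicators taken from the console lines in the post. The prompt has no
# space before the command in the sample, so allow optional whitespace.
INDICATORS = [
    ("bootstrap_escape",
     re.compile(r"bootstrap: User escaped to command line interface")),
    ("bypass_passwords",
     re.compile(r"^bootstrap#\s*bypass\s+passwords\b", re.IGNORECASE)),
    ("bypass_startup_config",
     re.compile(r"^bootstrap#\s*bypass\s+startup-config\b", re.IGNORECASE)),
]


def find_bootstrap_events(console_text):
    """Return (line_number, indicator_name) for every matching console line."""
    events = []
    for lineno, line in enumerate(console_text.splitlines(), start=1):
        for name, pattern in INDICATORS:
            if pattern.search(line):
                events.append((lineno, name))
    return events


def summarize(events):
    """Turn the matched indicators into a one-line verdict for an alert."""
    names = {name for _, name in events}
    if "bypass_passwords" in names or "bypass_startup_config" in names:
        return "bypass performed from bootstrap: console access, verify change record"
    if "bootstrap_escape" in names:
        return "bootstrap escape seen without bypass: review console session"
    return "no bootstrap intervention"


if __name__ == "__main__":
    for label, capture in (("sample", SAMPLE_CONSOLE_LOG),
                           ("clean", CLEAN_CONSOLE_LOG)):
        events = find_bootstrap_events(capture)
        print(label, events, "->", summarize(events))
```

The escape line on its own is normal during planned maintenance; it is the combination with a bypass command that should be tied to a change record, which is why the summary distinguishes the two.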

-End



WatchGuard Wireless, AP320 Access Points Review

Thursday, June 15, 2017 - Posted by Keith A. Smith, in Network

I’m a big fan of WatchGuard, and I’ve been using their appliances for some time now. Some other people I know have had concerns about the quality of the firmware or WatchGuard Fireware OS, and I can say that this was an issue in the earlier versions (pre-2014) when the UI was Flash based. Since 2014 the UI has significantly improved. I generally get the kit with five years’ LiveSecurity, knowing that at the end of those five years the kit is probably going to be obsolete and a refresh will be required anyway.

I had never used the WatchGuard APs before this deployment; after doing some research I saw that they integrate very tightly with the firewalls and the Dimension products, so I decided to give them a shot. I personally think the units look great; they’re very discreet and very powerful.




They have 2 radios (5 GHz and 2.4 GHz), 6 antennas, up to 1.3 Gbps for 11ac and up to 450 Mbps for 11n, up to 8 SSIDs per radio, PoE, support for all the wireless standards (802.11 a/b/g/n/ac), Fast Roaming and Band Steering.


The Wi-Fi APs also come boxed with a ceiling mount kit and, even more useful, a T-rail ceiling mounting kit, which is nice for most commercial offices.



In my case, I had to "MacGyver" a mounting solution for our APs using L shelf brackets, chrome head screws and automotive fasteners that I purchased from a local ACE hardware store, shown below, since none of our locations have T-rail ceilings or anything close to it.

 
                       

The Wi-Fi APs also run on PoE, and I’m currently using a few HP 3500 Series PoE switches to provide power to them. Powering the access points over PoE is great because I can also reboot any AP by turning off the PoE for that port should any of the APs have issues down the line.

I have configured a few VLANs, with each AP320 broadcasting wireless networks. I currently have the AP320s set to auto for the channels, so they do a lot of the work in deciding which channel to run on to ease wireless congestion. They were very easy to deploy, and the wireless SSID configuration was deployed very quickly thanks to the firewall acting as the wireless controller. I've also found updates for the APs to be basic; they can be done from the firewall (acting as the wireless controller) in a few clicks.

When you have multiple WatchGuard firewalls and WatchGuard access points it's best to use WatchGuard System Manager for managing all of this. The monitoring is also great: I can see at any point any wireless device, which AP it is connected to, the traffic volume and its signal strength, etc.

One of the issues that I ran into was a few of the APs rebooting during work hours, which as you can imagine was somewhat annoying. Initially, I thought this issue was caused by the HP 3500 PoE switches, but after directly connecting a 12V 1.25A PSU it kept happening. The HP switch firmware did have a defect (PoE CR_0000207335) in the version that was running on the switches at the time of the AP deployment; however, I was able to resolve that by contacting HPE support and applying the supplied software update. After the software updates for the HP PoE switches had been applied, I opened a case with WatchGuard support about the AP320s randomly crashing and restarting. I had all the latest firmware installed for the APs at the time I submitted the fault reports to WatchGuard; after the support person investigated the fault reports they agreed it was a newly discovered bug (bug "AP-17"), which as of right now is still being worked on.

Technical Details
This bug (bug "AP-17") is related to the DFS channels being used and the scan interval. At this time the bug isn't resolved, but the workaround is to set the wireless scan interval to 24 hours in the Gateway Wireless Controller Settings. Here is a link on how to do this: http://www.watchguard.com/help/docs/fireware/11/en-US/Content/en-US/wireless/ap_global_settings_c.html

You can also configure the channels manually to further reduce this issue. Be sure to select non-DFS channels. DFS channels are 50 through 144.
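To check a deployment against the two workarounds above, here is an added example of my own, not a tool from WatchGuard or from the post: it takes a constructed snapshot of the controller scan interval and each AP's radio channels and reports any AP still on a DFS channel (50 through 144, as stated above), any 5 GHz radio left on auto (which may pick a DFS channel), and a scan interval shorter than 24 hours. The snapshot format is my own assumption; you would fill it from whatever export or inventory you keep.

```python
# Added example: audit AP320 radio settings against the AP-17 workarounds.

# DFS channel range as given in the post: 50 through 144 inclusive.
DFS_CHANNELS = range(50, 145)
# Workaround scan interval from the post, in hours.
WORKAROUND_SCAN_INTERVAL_HOURS = 24

# Constructed snapshot of a Gateway Wireless Controller and three APs.
# Channel values are ints or the string "auto"; 2.4 GHz channels are never DFS.
SAMPLE_DEPLOYMENT = {
    "scan_interval_hours": 1,
    "access_points": [
        {"name": "AP320-lobby",  "channels": {"2.4GHz": 6,  "5GHz": 36}},
        {"name": "AP320-floor2", "channels": {"2.4GHz": 11, "5GHz": 100}},
        {"name": "AP320-floor3", "channels": {"2.4GHz": 1,  "5GHz": "auto"}},
    ],
}


def is_dfs_channel(channel):
    """True for a 5 GHz channel number inside the DFS range quoted in the post."""
    return isinstance(channel, int) and channel in DFS_CHANNELS


def audit_access_point(ap):
    """Return a list of findings for one AP's radio channel settings."""
    findings = []
    for radio, channel in ap["channels"].items():
        if radio == "5GHz" and channel == "auto":
            findings.append(f"{ap['name']}: 5GHz on auto, may select a DFS channel")
        elif is_dfs_channel(channel):
            findings.append(f"{ap['name']}: {radio} on DFS channel {channel}")
    return findings


def audit_deployment(deployment):
    """Combine the controller-level scan interval check with per-AP findings."""
    findings = []
    interval = deployment["scan_interval_hours"]
    if interval < WORKAROUND_SCAN_INTERVAL_HOURS:
        findings.append(
            f"controller: scan interval {interval}h, workaround is "
            f"{WORKAROUND_SCAN_INTERVAL_HOURS}h")
    for ap in deployment["access_points"]:
        findings.extend(audit_access_point(ap))
    return findings


if __name__ == "__main__":
    for finding in audit_deployment(SAMPLE_DEPLOYMENT):
        print(finding)
```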


All in all, I’m very happy with the APs, and the support has always been great from WatchGuard, which is one of the many reasons I like the company. Once the bug above is resolved, I will call this a successful deployment. I found the WatchGuard APs to be easily scalable and easy to manage; these devices are built with quality and can fit any long-term wireless solution.



-End



