Rick Mitchell Solutions - RMSBlog

With Rick Mitchell Solutions, you get the experience of over 10 years dealing with these very same problems you face every day. Large businesses that are in the Fortune 500 down to the small business with aspirations to become global can rely on us to understand and design solutions that fit your needs and your budget.

Thursday, February 18, 2010

Cisco ASA and AD integration to block specific users from VPN access

Most administrators recognize the need for a centralized, single point of authentication for the network, since nobody wants separate credentials for every application. Active Directory provides a simple way to leverage the credentials your users already use for a multitude of purposes, such as VPN access. Cisco ASAs provide a simple way to integrate with AD or any other LDAP provider, but unfortunately that integration alone gives you no way to keep out certain users or groups. You probably do not want to grant VPN access to everyone in your company, or to every user for that matter. There is no simple checkbox to turn this feature on; you must visit the CLI. You need to map the Allow or Deny dial-in access setting in Active Directory to something the ASA can understand. Once this is set up, it provides a simple way to block VPN access to your network. Here is some sample config:

!--- The LDAP attribute map. msNPAllowDialin is
!--- mapped to cVPN3000-IETF-Radius-Class
!--- A value of FALSE is mapped to a value of NOACCESS
!--- A value of TRUE is mapped to a value of ALLOWACCESS

ldap attribute-map CISCOMAP
 map-name msNPAllowDialin cVPN3000-IETF-Radius-Class
 map-value msNPAllowDialin FALSE NOACCESS
 map-value msNPAllowDialin TRUE ALLOWACCESS

!--- AAA server configuration

aaa-server LDAPGROUP protocol ldap
aaa-server LDAPGROUP host 172.18.254.49
 ldap-base-dn dc=rtpsecurity, dc=cisco, dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn CN=Administrator,CN=Users,DC=rtpsecurity,DC=cisco,DC=com
 server-type microsoft
 ldap-attribute-map CISCOMAP

!--- The NOACCESS group policy.
!--- vpn-simultaneous-logins is 0 to prevent access

group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol IPSec webvpn
 webvpn
  svc required

!--- The ALLOWACCESS group policy

group-policy ALLOWACCESS internal
group-policy ALLOWACCESS attributes
 banner value This is the ALLOWACCESS Policy
 vpn-tunnel-protocol IPSec webvpn
 webvpn
  svc required

!--- The tunnel group that users connect to

tunnel-group TESTWEBVPN type webvpn
tunnel-group TESTWEBVPN general-attributes
 address-pool CISCOPOOL
 authentication-server-group LDAPGROUP
tunnel-group TESTWEBVPN webvpn-attributes
 group-alias TestWebVPN enable
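To see what the attribute map above actually decides for a given account, here is an added Python example (mine, not code from the post or from Cisco) that mimics the ASA's attribute-map lookup and flags the case the map does not cover: an account whose dial-in setting was never changed from the AD default has no msNPAllowDialin value, matches neither map-value line, and lands in the tunnel group's default policy. The policy names come from the post; the sample accounts and the default-policy login limit are constructed assumptions.

```python
# Added example, not from the original post: resolve which group-policy an AD
# user lands in under the CISCOMAP attribute map, and flag accounts that are
# admitted only because msNPAllowDialin is unset.  Policy names and the map
# come from the post; the sample directory entries below are constructed.

# ldap attribute-map CISCOMAP as a dict: AD attribute -> LDAP value -> policy
CISCOMAP = {
    "msNPAllowDialin": {"FALSE": "NOACCESS", "TRUE": "ALLOWACCESS"},
}

# Only the setting that does the blocking is modelled.  NOACCESS has
# vpn-simultaneous-logins 0 per the post; 3 is the ASA default (assumption:
# ALLOWACCESS and the tunnel group's default policy keep that default).
GROUP_POLICIES = {
    "NOACCESS": {"vpn-simultaneous-logins": 0},
    "ALLOWACCESS": {"vpn-simultaneous-logins": 3},
    "DfltGrpPolicy": {"vpn-simultaneous-logins": 3},
}
DEFAULT_POLICY = "DfltGrpPolicy"  # used when no attribute maps to a policy


def resolve_group_policy(ldap_attrs, attribute_map=CISCOMAP, default=DEFAULT_POLICY):
    """Apply the map the way the ASA does: a mapped AD value becomes the
    IETF-Radius-Class value, which the ASA reads as a group-policy name."""
    for ad_attr, value_map in attribute_map.items():
        raw = ldap_attrs.get(ad_attr)
        if raw is None:
            # "Control access through NPS Network Policy" (the AD default)
            # leaves the attribute unset, so neither map-value line matches.
            continue
        mapped = value_map.get(str(raw).upper())
        if mapped in GROUP_POLICIES:
            return mapped, f"{ad_attr}={raw}"
        # Assumption: a value with no map-value entry falls through to default.
        return default, f"{ad_attr}={raw} has no mapping"
    return default, "no mapped attribute present"


def vpn_login_permitted(ldap_attrs):
    """True if the resolved policy allows at least one simultaneous login."""
    policy, _ = resolve_group_policy(ldap_attrs)
    return GROUP_POLICIES[policy]["vpn-simultaneous-logins"] > 0


def audit_fallthrough(users):
    """sAMAccountNames that get VPN access without an explicit TRUE: the
    default policy admits them because the attribute was never set."""
    return [
        u["sAMAccountName"] for u in users
        if resolve_group_policy(u)[0] != "ALLOWACCESS" and vpn_login_permitted(u)
    ]


# Constructed sample directory entries, one per case.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "msNPAllowDialin": "TRUE"},
    {"sAMAccountName": "bob", "msNPAllowDialin": "FALSE"},
    {"sAMAccountName": "carol"},  # dial-in left at the AD default
]

if __name__ == "__main__":
    for user in SAMPLE_USERS:
        print(user["sAMAccountName"], *resolve_group_policy(user), vpn_login_permitted(user))
    print("admitted by fallthrough:", audit_fallthrough(SAMPLE_USERS))
```

If the default policy still allows logins, accounts like "carol" get in despite never being explicitly allowed; pointing the tunnel group's default-group-policy at NOACCESS closes that gap.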

Advanced Disk Based Option of Symantec BackupExec - a waste

You may have read some marketing material about the Advanced Disk Based Option (ADBO) for BackupExec, which allows you to take a snapshot of a LUN and then transfer the LUN to your backup server so that the backup runs directly on the backup server. This is a great idea and would dramatically reduce backup times for key applications, since snapshots of a LUN are done in a few seconds. Unfortunately, the implementation of this product is not practical.

The major gripe I have is that in order for this to work, every OS you are snapshotting from must be the exact same version as your backup server. If you are running a data center, you know that getting every server to the exact same version is next to impossible. Apparently the reasoning behind this is that it relies on VSS (Volume Shadow Copy) as the engine to perform the actual snapshot of the data, and NOT the SAN provider itself. Since the VSS engine is different in the various OS versions (Windows 2003 vs. 2003 64-bit vs. 2003 R2, etc.), it will not work.

I can't stress how ridiculous this is and how much of a hindrance to implementation this must be for folks. Dell has even promoted this integration in their marketing guides for EqualLogic, along with the partner relationship between Symantec and Dell. Do not let these guides fool you, because this one is a show stopper that is hard to overcome.

This is true not only with version 12.5 of BackupExec but also the latest 2010 version as well.

Monday, February 8, 2010

Move your BackupExec Database files location

http://seer.entsupport.symantec.com/docs/281824.htm

One of the things that BackupExec has managed to make more difficult than it needs to be is changing the physical location of the database files it uses. You would think that changing the location of the database files inside SQL Server would be enough, but you would be mistaken. There is a registry key, described in the article linked above, that tells the BackupExec service where these files are located. I am still not quite sure why you have to do this, but if you fail to do it the files will automatically be put back in their original location.

I ran into this during a SAN migration recently, where I attempted to move my BackupExec database from a local C drive over to the SAN. After moving the database files and starting up the database to confirm the move had taken place, BackupExec happily changed everything I had just done. After some head scratching I found the above article, which mentioned the magical registry key.

Prometric testing - support is a joke

I have used Prometric testing centers several times throughout my career to take IT certification tests and only had a problem one time, when the particular testing center I was using wasn't open the day I was scheduled to take the test. No big deal, and I was able to get it rescheduled without a hassle. Unfortunately, I have run into a problem because of a medical emergency surrounding my mother-in-law, and I was unable to cancel or reschedule the test before the 24-hour window was up. I had to run out of town and be with my family during this time and never even thought about the test until the next morning. I attempted to call Prometric and was told that according to policy I was going to have to forfeit my testing fee of $200 for the Apple certification test I had already paid for. The lady said I had to fax a written request for reimbursement and I would have an answer within 48 hours. Frustrated, I decided to attempt that and faxed a written request stating my hardship in order to try to get the test rescheduled.

48 hours passed and I never heard from Prometric, so I decided to give them a call. Magically, they said they never got the fax and now I would also need a doctor's excuse in order to be excused from the test. Keep in mind that all I wanted to do was simply reschedule a test I had already paid for, not cancel completely or get my money back.

I was finally able to get the doctor's excuse and faxed it today to see if I can get my money back. I went ahead and rescheduled the test and paid for it again because I was tired of waiting for them. Unfortunately they are the only game in town as far as taking tests, but this support has been horrible.

Friday, February 5, 2010

Dell EqualLogic SAN HeadQuarters 2.0

Dell EqualLogic SAN HeadQuarters 2.0: Providing In-Depth Information for Enhanced SAN Management

One of the knocks in my previous article about our new PS6500 SANs centered around performance monitoring. Luckily for me, a user commented on my post about SAN HeadQuarters 2.0, which is something I had not heard of before. I quickly downloaded it and took it for a spin; this was EXACTLY what I was looking for but could not find via the SAN's own web interface. Great performance data and easy access to all of your SANs across your enterprise.

I will be messing with this tool over the next few days, but you can safely strike that complaint from my list. I just wish my sales rep would have told me about this tool to begin with!

Dell EqualLogic PS6500 SANs - impressions

I have had the pleasure of working with two Dell EqualLogic PS6500 SANs over the past month or so, and I thought it would be a good idea to put my thoughts out there.

I am going to start with my complaints about the product, because overall I am very happy with our purchase. However, with any product there is always room for improvement.

My biggest gripe is the performance monitoring aspect of the SAN itself. This is obviously a big deal to data administrators, and probably more so in the iSCSI world where bandwidth is everything. The performance monitoring is watered down to the point of being too simplistic. I would like to see more raw data and fewer Java-induced graphs. I realize that the target market for these SANs is businesses that do not have SAN experience on staff, but there should be some better tools for digging deeper into performance.

I have spoken about the firmware update process in the past, but I still feel this needs attention. I am not sure why the SAN itself cannot go out and grab the new firmware, then alert the administrator that new firmware is available if you want to update. It feels cumbersome to go through the manual steps of getting the firmware updated on the box.

The Auto Snapshot Manager software, which is part of Dell's Host Integration Toolkit, is a nice idea, but the software feels a bit flaky to me. There are two editions that I have used: one for Windows applications and one for VMware. The Windows edition will make "application aware" snapshots of SQL Server/Exchange databases, so you could actually restore from that snapshot without worrying about data corruption. The software works as expected, but after a reboot the manager sometimes will not know how to find the vss-control volume (the volume that the software uses to trigger the Volume Shadow Copy aware snapshot), so you have to go back into the iSCSI initiator and connect to the volume before it will work. The VMware piece is, for some reason, a web-based piece of software that looks like an afterthought in appearance but does actually work. I don't like that the VMware package cannot send email alerts for failed snapshots, but I hope that is something that will be fixed soon.

I have not tried the replication piece yet, as I am waiting for the 100-megabit point-to-point Cogent circuit to be installed to my second data center, but I am anxious to see how it works in the real world.

Overall, I am very happy with the SANs and still recommend them, but there is room for some minor improvement along the way.

VMware KB: USB devices not supported in ESX host virtual machines

I am going through a virtual server migration at one of my data centers. The idea of moving away from older, non-standard hardware and going to a virtual platform is exciting for any IT nerd, but there are some pitfalls along the way that you must take into account. One of these pitfalls is around USB devices that your servers may use today. One of the applications that we use has an old USB key that is used for license verification. Unfortunately, ESX/ESXi does not support adding USB devices to individual virtual machines. Apparently this support is in the works, but for now you have to buy a USB-over-IP device in order to make it work properly. Who knew?

It goes to show that when you plan on doing a large-scale conversion, you need to think about everything that the server does and make sure it is supported on a virtual platform before you dig in. "Support" is probably a bad word, since there are still many vendors out there that will not officially support their software on a virtual machine (Hello Landmark!). Of course their software will run just fine on a VM, but when you call them, do not under any circumstances tell them it is running under a VM or they will stop talking to you immediately.

Monday, January 25, 2010

VMware ESX/ESXi 4.0 not working with Intel Dual/Quad PCIe NICS

VMware ESX/ESXi 4.0 Driver CD for Intel 82575 and 82576 Gigabit Ethernet Controller

Even after installing Update 1 for ESX/ESXi 4.0, the OS still will not see these NICs as available to your system. After talking to VMware support, it turns out there is an updated IGB driver available that you can download, although it is a bit hidden on VMware's website.

You will want to SCP this over to your server and then follow the instructions for an offline installation. The only problem is that you will have to put your ESX server into maintenance mode to do the update. Once it is done and you reboot, you can then see the NICs and use them as part of your VM configuration.

Tuesday, January 19, 2010

Configure port forwarding on Juniper routers and ScreenOS

Juniper Networks - ScreenOS Cookbook Recipe 8.7 - Configure Destination PAT (Port Address Translation) - Knowledge Base

There is no easy way to say this, but if you are used to dealing with Cisco devices over the years and are suddenly thrust in front of a Juniper device, you will think that Juniper is very weird. I am sure there are folks who absolutely love Juniper, but personally I don't like dealing with them. In any event, if a client has a Juniper device and you need to configure it, you dive right in and make the best of it.

One of the things that I find odd is the way that port forwarding works on the device. Once you see it you will think it makes perfect sense, but unfortunately the documentation on the subject is lacking.

For example, let's assume your firewall has an external interface on 1.1.1.1 and you have 4 usable IP addresses. You want to host an internal WWW server on 192.168.1.10 that is connected to the internal LAN. Here is the syntax to make this work:

set arp NAT-DST
set address untrust server-www-public 1.1.1.1/32
set policy from untrust to untrust any server-www-public http nat dst ip 192.168.1.10 port 80 permit

The weird part for me was the "untrust to untrust", which didn't make a whole lot of sense. In any event, that will work.

Now, what if you wanted to host something via NAT that came through the external IP of the firewall interface?

In this case, we need to change the admin port of the firewall to something different if we want to host WWW traffic on that IP, and then do the NATing:

set admin port 8080
set service "HTTP-8080" protocol tcp src-port 1024-65535 dst-port 8080-8080
set interface ethernet0/0 vip untrust-ip 80 "HTTP-8080" 192.168.1.10
set policy id 1 from untrust to trust any vip(ethernet0/0) HTTP permit

A bit odd but gets the job done. Good luck.

Configuring Volume Shadow Copy on Windows Server 2008 - Techotopia

Just a quick heads up for anyone configuring shadow copies on Windows Server 2008: you can no longer right-click on the volume under My Computer to enable shadow copies. You have to go into Disk Management and enable it on each volume there first. I am not sure why they made this change, but if you start scratching your head and wondering where it went, this is how you will find it.

Monday, January 18, 2010

DisableMSI and Windows Server 2008 R2

DisableMSI (Windows)

When I install Server 2008 R2 I have come across a weird problem that prevents me from running any MSI installation program, even though I am an administrator on the box:

The system administrator has set policies to prevent this installation

Of course, I haven't set any policies to prevent this, but I found the following registry key which will override this setting. Apparently by default the policy with R2 is to disable all installs of MSIs, which is fairly draconian, but better than the default I guess:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
    DisableMSI    REG_DWORD    0

Windows Server 2008 R2 - adprep

Adprep

Windows Server 2008 R2 has added some additional Active Directory objects that need to be imported into your domain and forest before it can become a domain controller. The tool that you will need to use to get your forest/domain ready for this new OS is called "adprep", and it can be found on your Windows Server 2008 R2 CD. Unlike previous versions of adprep, R2 includes both a 32-bit (adprep32.exe) and a 64-bit (adprep.exe) copy for you to use. You have to run this tool on an existing domain controller, so know your architecture before you start copying the folder around to your servers. You will need to do the following:

adprep /forestprep

adprep /domainprep

adprep /rodcprep

The first command adds the necessary objects to your forest, the second adds the necessary objects to your domain, and the third preps your domain for the new concept of read-only domain controllers. Once you have run these commands and AD has replicated throughout your network, you can safely run dcpromo.exe from your Windows 2008 R2 server and make it a domain controller.

Tuesday, January 12, 2010

PS6500E installation and configuration

One of the nice things about setting up a Dell EqualLogic SAN is how amazingly simple it is to configure. You would think that an expensive piece of equipment would be harder to configure and get going, but fortunately that is not the case.

After unpacking all 48 hard drives and inserting them into the chassis, which definitely took quite a bit of time, plugging in three power cables and inserting an Ethernet cable, it took right off. I was pretty impressed that none of the drives that shipped with the unit were bad; you would usually expect at least one out of 48 to be bad, but not in this case. I inserted the Dell Configuration Assistant CD into one of my servers and was able to run the remote configuration assistant, where I got to set up the networking information and set the initial passwords and group membership. Since this was my first SAN, I set it up in its own group and assigned it a static IP address. I created a single RAID5 storage pool in order to begin my testing, and then the unit was up and functional.

I was able to log in to the unit's web interface to do some more configuration and take a look at all of the settings. One thing I noticed was that the firmware on the unit was out of date, but you cannot download it directly from the SAN; you must first set up an EqualLogic support account and then download the firmware separately. This was a bit of a pain and hopefully something that can be a bit more automated in the future.

Right now I have two volumes configured with IP address access going to a VMware ESX server and a Windows 2003 Server for testing purposes. The Microsoft iSCSI initiator installation is very straightforward, and setting up my targets was very simple.

I enabled SNMP monitoring through SolarWinds Orion, and so far everything looks good.

Modifying the All Users profile in Vista or Windows Server 2008

The Virtual World of Peter Fitzsimon : Modifying the All Users profile in Vista or Windows Server 2008

Another strange thing about Windows Server 2008 is the new location of the all users profile:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

This is another oddity, and I am not really sure why it was changed, but in any event if you run BGInfo like I do, you will want to place your shortcut here for it to run on every user login.

Installing VMware vCenter on Windows Server 2008 R2

Installing VMware vCenter prerequisites on Windows Server 2008 R2 | Servers and Storage | TechRepublic.com

Windows Server 2008 R2 is now officially supported as a VMware vCenter server, since 4.0 Update 1 has been released. However, you may run into some difficulty getting it installed, as things are a bit different in the Windows 2008 world.

One of the most common mistakes concerns how to add a 32-bit DSN to your system, since Windows 2008 is 64-bit. If you launch the ODBC Administrator from the Start menu, you get the 64-bit drivers, which are not supported by vCenter at this time. You need to launch the DSN configuration from the command line in order to get the 32-bit drivers:

c:\windows\syswow64\odbcad32.exe

This will allow you to create a 32-bit DSN, assuming you have installed the 32-bit SQL Server client drivers on your box.

Once this is set up, the rest is pretty easy and will work without trouble.

VMware Site Recovery Manager Service installation logs

VMware Site Recovery Manager Service Account « Jeremy Waldrop's Blog

Today I ran into a problem installing Site Recovery Manager 4.0 Update 1, where it would attempt to start the service and fail. The error message told me to check the server logs, but I could not find any documentation on where these would be. Luckily I ran across this blog entry, which details the location of the installation logs:

C:\Documents and Settings\All Users\Application Data\VMware\VMware Site Recovery Manager\Logs

I have no idea why VMware would choose to put these logs in this odd location, but once you are there you can quickly determine why the service is not starting. My problem was with SQL Server authentication, which I was quickly able to correct and get the service to start properly.