Rick Mitchell Solutions - RMSBlog

With Rick Mitchell Solutions, you get the experience of over 10 years dealing with these very same problems you face every day. Large businesses that are in the Fortune 500 down to the small business with aspirations to become global can rely on us to understand and design solutions that fit your needs and your budget.

Thursday, February 18, 2010

Cisco ASA and AD integration to block specific users from VPN access

Most administrators recognize the need for a single, centralized point of authentication on the network, since nobody wants separate credentials for every application. Active Directory lets you reuse the credentials your users already have for many purposes, VPN access among them. Cisco ASAs integrate easily with AD or any other LDAP provider, but that integration alone gives you no way to keep certain users or groups out, and you probably do not want every account in the company to have VPN access. There is no checkbox for this; you have to visit the CLI and map the Allow/Deny dial-in setting in Active Directory (the msNPAllowDialin attribute) to something the ASA understands, namely a group policy. Once that is in place, blocking a user's VPN access is a matter of changing the dial-in setting on the account. Here is some sample config:

!--- The LDAP attribute map. msNPAllowDialin is mapped to cVPN3000-IETF-Radius-Class
!--- A value of FALSE is mapped to a value of NOACCESS
!--- A value of TRUE is mapped to a value of ALLOWACCESS

ldap attribute-map CISCOMAP
map-name msNPAllowDialin cVPN3000-IETF-Radius-Class
map-value msNPAllowDialin FALSE NOACCESS
map-value msNPAllowDialin TRUE ALLOWACCESS


!--- AAA server configuration

aaa-server LDAPGROUP protocol ldap
aaa-server LDAPGROUP host 172.18.254.49
ldap-base-dn dc=rtpsecurity, dc=cisco, dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn CN=Administrator,CN=Users,DC=rtpsecurity,DC=cisco,DC=com
server-type microsoft
ldap-attribute-map CISCOMAP



!--- The NOACCESS group policy.
!--- vpn-simultaneous-logins is 0 to prevent access

group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol IPSec webvpn
webvpn
svc required



!--- The ALLOWACCESS group policy

group-policy ALLOWACCESS internal
group-policy ALLOWACCESS attributes
banner value This is the ALLOWACCESS Policy
vpn-tunnel-protocol IPSec webvpn
webvpn
svc required

!--- The tunnel group that users connect to

tunnel-group TESTWEBVPN type webvpn
tunnel-group TESTWEBVPN general-attributes
address-pool CISCOPOOL
authentication-server-group LDAPGROUP
tunnel-group TESTWEBVPN webvpn-attributes
group-alias TestWebVPN enable
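To make the mapping concrete, here is an added Python model (not Cisco code and not part of the original post) of how the ASA evaluates CISCOMAP for a user entry it has read from AD. The sample AD entries are constructed; the default group policy name DfltGrpPolicy and its simultaneous-logins value of 3 are assumptions. It also covers the case the config above leaves open: an account set to "Control access through Remote Access Policy" has no msNPAllowDialin value at all, so the map produces nothing and the user inherits the tunnel group's default policy, which lets them in unless that policy is also set to vpn-simultaneous-logins 0.

```python
"""Model of ASA 'ldap attribute-map' evaluation (added illustration, not Cisco code).

Reproduces the CISCOMAP / NOACCESS / ALLOWACCESS configuration as data and
shows which constructed AD accounts would be allowed to log in.
"""

# ldap attribute-map CISCOMAP, expressed as data:
#   map-name  msNPAllowDialin cVPN3000-IETF-Radius-Class
#   map-value msNPAllowDialin FALSE NOACCESS
#   map-value msNPAllowDialin TRUE  ALLOWACCESS
ATTRIBUTE_MAP = {
    "msNPAllowDialin": {
        "cisco_name": "cVPN3000-IETF-Radius-Class",
        "values": {"FALSE": "NOACCESS", "TRUE": "ALLOWACCESS"},
    },
}

# Group policies. Only vpn-simultaneous-logins 0 actually refuses the login.
# ALLOWACCESS and DfltGrpPolicy leave the limit unset in the config; the
# value 3 (the ASA factory default) is assumed here for both.
GROUP_POLICIES = {
    "NOACCESS": {"vpn-simultaneous-logins": 0},
    "ALLOWACCESS": {"vpn-simultaneous-logins": 3},
    "DfltGrpPolicy": {"vpn-simultaneous-logins": 3},
}

# Constructed AD entries (not real accounts). 'carol' models an account set to
# "Control access through Remote Access Policy", which leaves msNPAllowDialin
# unset, so the ASA has nothing to map for her.
SAMPLE_USERS = {
    "alice": {"sAMAccountName": "alice", "msNPAllowDialin": "TRUE"},
    "bob": {"sAMAccountName": "bob", "msNPAllowDialin": "FALSE"},
    "carol": {"sAMAccountName": "carol"},
}


def translate_attributes(entry, attribute_map=ATTRIBUTE_MAP):
    """Apply map-name / map-value: AD attribute names become Cisco names and
    listed values are rewritten; a value with no map-value line passes through."""
    mapped = {}
    for ad_name, rule in attribute_map.items():
        if ad_name not in entry:
            continue  # unset attribute maps to nothing at all
        raw = str(entry[ad_name]).upper()
        mapped[rule["cisco_name"]] = rule["values"].get(raw, raw)
    return mapped


def resolve_group_policy(entry, policies=GROUP_POLICIES, default_policy="DfltGrpPolicy"):
    """The mapped Class attribute names the group policy. With no mapped Class
    (or one naming a policy that does not exist, assumed to fall through) the
    user inherits the tunnel group's default policy."""
    mapped = translate_attributes(entry)
    policy = mapped.get("cVPN3000-IETF-Radius-Class", default_policy)
    return policy if policy in policies else default_policy


def login_permitted(entry, policies=GROUP_POLICIES, default_policy="DfltGrpPolicy"):
    """A login succeeds only if the selected policy allows at least one session."""
    policy = resolve_group_policy(entry, policies, default_policy)
    return policies[policy]["vpn-simultaneous-logins"] > 0


def users_allowed_without_explicit_grant(users, policies=GROUP_POLICIES,
                                         default_policy="DfltGrpPolicy"):
    """Audit helper: accounts that get in without msNPAllowDialin set to TRUE,
    i.e. those relying on the default policy rather than ALLOWACCESS."""
    return sorted(
        name for name, entry in users.items()
        if str(entry.get("msNPAllowDialin", "")).upper() != "TRUE"
        and login_permitted(entry, policies, default_policy)
    )


if __name__ == "__main__":
    for name, entry in SAMPLE_USERS.items():
        print(f"{name}: policy={resolve_group_policy(entry)} "
              f"permitted={login_permitted(entry)}")
    print("allowed without explicit grant:",
          users_allowed_without_explicit_grant(SAMPLE_USERS))

    # Closing the gap: deny in the default policy as well, so only accounts
    # explicitly mapped to ALLOWACCESS can connect.
    hardened = {**GROUP_POLICIES, "DfltGrpPolicy": {"vpn-simultaneous-logins": 0}}
    print("after hardening DfltGrpPolicy:",
          users_allowed_without_explicit_grant(SAMPLE_USERS, hardened))
```

The practical takeaway from the model: with the config exactly as posted, an account whose dial-in setting is neither explicitly allowed nor denied lands in the tunnel group's default group policy, so if the goal is "nobody in unless explicitly allowed", the default policy (or the tunnel group's own default-group-policy) needs vpn-simultaneous-logins 0 too.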

Advanced Disk Based Option of Symantec BackupExec - a waste

You may have read some marketing material about the Advanced Disk Based Option (ADBO) for BackupExec that allows you to take a snapshot of a LUN and then transfer the LUN to your backup server in order for the backup to take place directly to your backup server. This is a great idea and would dramatically reduce backup times for key applications since snapshots of a LUN are done in a few seconds. Unfortunately, the implementation of this product is not practical.

The major gripe I have is that, for this to work, every OS you snapshot from must be exactly the same version as your backup server. If you run a data center, you know that getting every server to the exact same version is next to impossible. Apparently the reason is that the product relies on VSS (Volume Shadow Copy Service) as the engine that performs the actual snapshot of the data, NOT the SAN provider itself. Because the VSS engine differs from one OS version to the next (Windows 2003 vs. 2003 64-bit vs. 2003 R2, etc.), it will not work across versions.

I can't stress how ridiculous this is and how much of a hindrance to implementation this must be for folks. Dell has even marketed this integration in their marketing guides for Equallogic and how there is a partner relationship between Symantec and Dell. Do not let these guides fool you because this one is a show stopper that is hard to overcome.

This is true not only with version 12.5 of BackupExec but also the latest 2010 version as well.

Monday, February 8, 2010

Move your BackupExec Database files location

http://seer.entsupport.symantec.com/docs/281824.htm

One of the things that BackupExec has managed to make more difficult than it needs to be is changing the physical location of the database files it uses. You would think that changing the location of the database files inside SQL Server would be enough, but you would be mistaken. There is a registry key, described in the article linked above, that tells the BackupExec service where these files are located. I am still not quite sure why you have to do this, but if you fail to do it the files will automatically be put back in their original location.

I ran into this during a SAN migration recently when I attempted to move my BackupExec database from a local C drive over to the SAN. After moving the database files and starting up the database to confirm the move had taken place, BackupExec happily reverted everything I had just done. After some head scratching I found the above article, which mentioned the magical registry key.

Prometric testing - support is a joke

I have used Prometric testing centers several times throughout my career to take IT certification tests and only had a problem one time, when the particular testing center I was using wasn't open the day I was scheduled to take the test. No big deal, and I was able to get it rescheduled without a hassle. Unfortunately, I have run into a problem because of a medical emergency surrounding my mother-in-law, and I was unable to cancel or reschedule the test before the 24-hour window was up. I had to run out of town and be with my family during this time and never even thought about the test until the next morning. I attempted to call Prometric and was told that according to policy I was going to have to forfeit my testing fee of $200 for the Apple certification test I had already paid for. The lady said I had to fax a written request for reimbursement and I would have an answer within 48 hours. Frustrated, I decided to attempt that and faxed a written request stating my hardship in order to try to get the test rescheduled.

48 hours passed and I never heard from Prometric, so I decided to give them a call. Magically they said they never got the fax, and now I would also need a doctor's excuse in order to be excused from the test. Keep in mind that all I wanted to do was simply reschedule a test I had already paid for, not cancel completely or get my money back.

I finally was able to get the doctor's excuse and faxed it today to see if I can get my money back. I went ahead and rescheduled the test and paid for it again because I was tired of waiting for them. Unfortunately they are the only game in town as far as taking tests goes, but this support has been horrible.

Friday, February 5, 2010

Dell EqualLogic SAN HeadQuarters 2.0

Dell EqualLogic SAN HeadQuarters 2.0: Providing In-Depth Information for Enhanced SAN Management

One of the knocks in my previous article about our new PS6500 SANs centered around performance monitoring. Lucky for me, a user commented on my post about SAN HeadQuarters 2.0, which is something I had not heard of before. I quickly downloaded it and took it for a spin: this was EXACTLY what I was looking for but could not find via the web interface to the SAN itself. Great performance data and easy access to all of your SANs across your enterprise.

I will be messing with this tool over the next few days but you can safely strike that complaint from my list. I just wish my sales rep would have told me about this tool to begin with!

Dell EqualLogic PS6500 SANs - impressions

I have had the pleasure of working with two Dell EqualLogic PS6500 SANs over the past month or so, and I thought it would be a good idea to put my ideas out there.

I am going to start with my complaints with the product because overall I am very happy with our purchase. However, with any product there is always room for improvement.

My biggest gripe is the performance monitoring aspect of the SAN itself. This is obviously a big deal to data administrators, and probably more so in the iSCSI world where bandwidth is everything. The performance monitoring is basically watered down to the point of being too simplistic. I would like to see more raw data and fewer Java-induced graphs. I realize that the target market for these SANs is businesses who do not have SAN experience on staff, but there should be some better tools to go deeper into looking at performance.

I have spoken about the firmware update process in the past, but I still feel this needs attention. I am not sure why the SAN itself cannot go out and grab the new firmware, then alert the administrator that new firmware is available if you want to update. It feels cumbersome to go through the manual steps of getting the firmware updated on the box.

The Auto Snapshot Manager software, which is part of Dell's Host Integration Toolkit, is a nice idea, but the software feels a bit flaky to me. There are two editions that I have used: one is for Windows applications and one is for VMware. The Windows edition will make "application aware" snapshots of SQL Server/Exchange databases so you can actually restore from that snapshot without the worry of data corruption. The software works as expected, but after a reboot sometimes the manager will not know how to find the vss-control volume (the volume the software uses to trigger the Volume Shadow Copy aware snapshot), so you have to go back into the iSCSI initiator and connect to the volume before it will work. The VMware piece is, for some reason, a web-based piece of software that looks like an afterthought in appearance but does actually work. I don't like that the VMware package cannot send email alerts for failed snapshots, but I hope that is something that will be fixed soon.

I have not tried the replication piece yet, as I am waiting for the 100 megabit point-to-point Cogent circuit to be installed to my second data center, but I am anxious to see how it works in the real world.

Overall, I am very happy with the SANs and still recommend them, but there is some room for minor improvement along the way.

VMware KB: USB devices not supported in ESX host virtual machines

I am going through a virtual server migration at one of my data centers. The idea of moving away from older, non-standard hardware and going to a virtual platform is exciting for any IT nerd, but there are some pitfalls along the way that you must take into account. One of these pitfalls is around USB devices that your servers may use today. One of the applications we use has an old USB key that is used for license verification. Unfortunately, ESX/ESXi does not support adding USB devices to individual virtual machines. Apparently this support is in the works, but for now you have to buy a USB-over-IP device in order to make it work properly. Who knew?

It goes to show that when you plan on doing a large scale conversion, you need to think about everything that the server does and to make sure it is supported on a virtual platform before you dig in. Support is probably a bad word since there are still many vendors out there that will not officially support their software on a virtual machine (Hello Landmark!). Of course their software will run just fine on a VM but when you call them, do not under any circumstances tell them it is running under a VM or they will stop talking to you immediately.