Can’t ping the domain controller via FQDN while on the internal network? Trouble accessing any of the internal domains that are available via Direct Access while on your internal network?
This is a quick blog post to document an error I encountered that took me a while to figure out, as is typical with errors that are caused by configuration mistakes, yes self-inflicted. In the Microsoft Unified Access Gateway administration documentation for configuring Direct Access (DA), it says 2 things that are extremely important but does not emphasize just how important they are, or the errors that will be encountered if they are not followed.
Your Network Location Server (NLS), which must be able to serve HTTPS requests, is used by your DA clients to determine whether they are on the internal network, this site must not and cannot be accessible through DA or any other means from outside your network, so make sure the HTTPS resource is NOT something you need to access from external networks. If your clients can access the NLS then they will not attempt a DA connection. If they cannot access the server, then they will attempt a DA connection. There are a few key points to this server that also cannot be overlooked.
Continue reading Direct Access Computers Can’t Ping Domain Controller on Internal Network?
I’ve been using internally generated SSL certificates for testing and publishing, as most developers, IT pros, and DIY people have, and though it works, it can be a little frustrating when dealing with CRLs and OCSP Responders if you don’t want to receive warnings from browsers and applications about them being untrusted. For public facing sites, there’s a vendor that is now providing free certificates and an excellent toolbox for managing them.
Read on for more info or take the link: https://www.startssl.com.
Continue reading Free SSL Certificates for Public Domains and Sub-Domains via StartSSL
I recently found a feature that allows you to quickly migrate the management network from a Distributed Virtual Switch (dvSwitch) to a vStandard Switch (vSwitch). It’s really simple actually. Just log on to a host physically or via iLO, not through the vSphere Client, and select “Restore Standard Switch”.
Continue reading vSphere: Migrate Management Network from dvSwitch to vStandard Switch
I recently set out to recreate my vCenter installation since I was still running on Windows Server 2003 R2 64-bit and wanted to the set it up on Windows Server 2008 R2. The problem here was that my Management Network was attached to a dvSwitch (Distributed Virtual Switch). I’ll briefly outline the process of how I removed each host (3 hosts in total) from vCenter, attaching the host to the brand new vCenter installation with only about 10 minutes total virtual machine (VM) downtime. This can actually be done with no downtime if planned properly and aware of the possible hiccups.
The new environment is now up and running, and after refining the process (poking around a lot), it only takes about 10 minutes to move each host. This was done on vSphere 5 (moving from vSphere 5 to Update 1).
Continue reading vSphere: Move Hosts to New vCenter Server
I check my site logs pretty often to find out how people are arriving at this blog and have seen an increase in traffic that points to an exchange I had with a visitor about Vyatta blocking email attachment downloads. I wanted to post this quick entry so that people looking for a quick fix could get to this without running through the complete conversation on the other post: http://d3planet.com/rtfb/2009/11/02/vyatta-firewall-basics-and-configuration/
Here’s the quick and dirty solution:
Problem: Vyatta is blocking download of email attachments. This solution only applies if your implementation is using the web proxy and squidguard URL filtering.
Solution: Use the following command to get Vyatta to allow IP addresses to be called directly.
set service webproxy url-filtering squidguard allow-ipaddr-url
set service webproxy url-filtering squidguard rule XX allow-ipaddr-url
Keep reading for more info on the issue…
Continue reading Vyatta Blocking Email Download of Attachments
Vyatta is a powerful enterprise class software router that has some really incredible features. It has a CLI (command line interface) as well as a web interface. I’ve gotten a few requests about configuring it as a front system but until now have only really worked with Vyatta as a pure routing appliance internal to my network. It has been my traffic cop between my lab subnet, user subnet, and server subnet but now I’ll try to configure it as a front end based on an exchange I had on another thread.
This should be able to give you some examples with getting started using Vyatta as a front firewall.
If you don’t have the software, you can download a free version, called Vyatta Core, from Vyatta’s website. You have to register, but don’t worry, they won’t spam you and they have extensive documentation on the product that you can pull down after registering. It’s an excellent resource to learn and practice your routing skills, especially since you can stand up the product on random hardware or in a virtual machine. Vyatta even has downloads specific to VMware implementations. Check it out and come back if you’re interested in seeing this post through. http://www.vyatta.com.
And now for the good part.
Continue reading Create a Router with Front Firewall using Vyatta on VMware Workstation
Tonight I decided to go on the magical journey of upgrading my ESX 3.5 environment to vSphere using the Host Update Utility. I’m usually a firm believer in ‘If it ain’t broke, don’t fix it!’ but this time I decided to take the plunge and see what happens.
A few months ago, I ran through the Host Update Utility and failed a hardware compatibility check. I was running a few Intel Pro/100 NICs that ESX 3.5 was more than happy to work with but vSphere said, NO WAY. After tracking down a few Broadcom 5701 NICs, installing them without a hiccup, I honestly still considered sticking with ESX 3.5, but after talking to a few friends who have had no trouble with their upgrades, I figured the most that I had to lose was a little time. I ran through the wizard again, of the Host Update Utility, it complained about nothing this time and continued.
After a short while, maybe 10 minutes or so, I was up and running on vSphere 4. No hiccups! I immediately started booting up VMs. I ran into my first problem. 🙂
Continue reading Upgrading ESX 3.5 to vSphere 4 Using Host Update
For a post that is a little more advanced, try this one: Create a Router With Front Firewall Using Vyatta on VMware Workstation.
Otherwise… read on. 🙂
A few weeks ago, I installed Vyatta Open Source as a router internal to my network to see how it handled traffic between multiple subnets. To put it plainly, it worked like a champ! I put the router in place, assigned IP addresses to the NICs (network interface cards), and let the system do its thing. It now connects traffic between my physical network, my production virtual network, and my virtual lab running on ESX 3.5. I can easily manage most firewalls and routers that have a GUI but Vyatta presented a new challenge to me. In the case of this system, for some tasks it’s a lot easier to use the command line interface (CLI).
So without further ado, here’s the basics of Vyatta’s firewall.
Continue reading Vyatta Firewall Basics and Configuration
Windows 7, along with Windows Vista, both have issues interacting with Buffalo Terastation and similar Buffalo products. This is due to updated NTLM security settings in both Windows 7 and Vista. The un-patched behavior is continued prompts to log in / authenticate to the NAS.
Buffalo has released a registry patch that allows Windows 7 and Vista to connect to their Terastation NAS products, by lowering the security level to Windows XP compatible NTLM security. This is a downgrade, but I have thus far had no problem with it. Check out the readme below that’s included in the download:
This registry patch files enables Windows(R) Vista(TM) PCs to
work with Buffalo NAS products. This patch is installed
directly onto Windows Vista PCs.
WARNING: This file is only for use on Vista PCs, it is NOT
required or supported on any other operating system.
This patch is only required when using one of the following
Buffalo NAS products:- LinkStation (HD-HLAN)
– Gigabit LinkStation (HG-HGLAN)
– LinkStation Home Server (HS-DGL)
– TeraStation (HD-DTGL/R5)
– TeraStation Home Server (HS-DTGL/R5)
– TeraStation Pro (TS-TGL/R5)
1) Double click on the Buffalo_NAS_Vista_Support.reg file
2) Press the ‘Yes’ button when prompted.
3) Press the ‘OK’ button to exit the patch file.
4) Restart your Vista computer.
Applying this patch lowers the NTLM authentication
level to be compatible with some of Buffalo’s NAS products.
This NTLM authentication level is equivalent to the level
used in Windows XP.
Continue reading Get Windows 7 Working with your Terastation
I’ve been running multiple subnets in my lab, and been dealing with the pain of having to VPN into each separate subnet when needing to make a change, test something, or deploy something. It’s been a learning experience and I’ve configured both OpenVPN and ISA Server 2006 VPN’s and successfully bounced around the various networks as necessary, but it’s been a real pain to have to VPN into one network, grab files, and then VPN into a different network to test and deploy those files, as an example. So I began a hunt for an open source router that would give me more control than Untangle, which is an excellent open source routing and firewall tool. Simply put, I wanted finer grained control than Untangle is designed to supply. As an example, I wanted to be able to filter network traffic based on mac addresses instead of IP addresses.
In my search, I came across Vyatta, which is an open source networking package that likes to compare itself to Cisco in functionality and control. I decided to check out their site and found that they offer a free ‘Community Edition’. I looked at the features of the community edition, then checked the VMware Appliances site and found that Vyatta has a pre-built VMware appliance. NICE! I filled out a short registration form, downloaded the appliance and all the documentation, which is thick to say the least, and fired up the appliance in VMware Workstation.
Continue reading Vyatta Community Edition, Open Source Router