Archive for the ‘Firewalls’ Category

Cisco/Linksys Bad Gateway

Recently after installing a new Linksys (Cisco) EA6300 router we received a “502 – Bad Gateway” error message when trying to access the web management page.

image

(Note: the IP in the image is correct for this site, but the default of course is 192.168.1.1)

Installation of the router and configuring went as expected, and internet access by client machines was fine, but after completion and reboot the Bad Gateway message appeared when trying to log back into the router. This seems to be a common issue with numerous models not just the EA6300, but also the EA6500, EA4500, EA2700, E4200, E1200, and more.  There are numerous posts about this issue on many blogs and message boards, all of which suggest starting to resolve by pressing the reset button.  If you have a detailed configuration with custom IP configurations, port forwards, DDNS and more, that would be quite a nuisance and time consuming.

We discovered simply disconnecting the WAN / Internet connection to the router and refreshing the web management page allowed access and log in.  Once logged on the WAN connection could be reconnected.  Logging out and back in reproduced the problem.  The solution was to gain access as described and then using the built-in utility update the router’s firmware.  Once updated there were no further problems.

Access local and VPN network Simultaneously

There are constantly questions in various forums; “how do I maintain internet access through my local router while connected to a VPN”, or “ how do I access my local TCP/IP printer while connected to a VPN”.  It is pretty basic but for those that don’t understand I thought I would address this in a blog so that in future I can just provide a pointer.

There is a security feature in almost all VPN configurations that blocks all local network connections while connected to the corporate network, via a VPN.  This is to provide some degree of security by preventing someone with malicious intent from reaching the corporate server using your PC/Laptop as a stepping stone.   It basically isolates your device from the world around you so that Johnny playing video games in the next room cannot route traffic through your PC to the corporate site.  Or, consider an Internet Cafe’ where you are on the same local network as total strangers.   Either through the shared Wi-Fi connection, or even an “Ad Hoc” wireless connection, the person at the next table could conceivably route packets through your wireless device directly to head office.  Granted, there are many security features in place, or at least there should be, such as firewalls and NTFS security permissions to protect your corporate data, similar to the security corridor from the 60’s & 70’s TV show Get Smart, but the more of these doors left open, the easier it is for hackers.  Everything can be hacked.  If you don’t believe me have a look at the following Ted Talks video by Avi Rubin; “All your devices can be hacked”.

In order to simultaneously access the local and remote VPN network you need to enable a feature called split-tunneling.  Due the security reasons outlined above, I do not recommend enabling this, however in some cases it is necessary or perhaps you just wanted to know why.  If you have an Enterprise VPN solution such as Cisco, Watchguard, Sonicwall, or others, as an end user cannot enable split-tunneling.  It is managed by the VPN appliance and will require the administrator to configure and enable if they see a need to do so.   However if you are using a Windows VPN client you can edit the configuration to allow split-tunneling.  To do so open Control Panel, select Network and Sharing Center, and then choose “Change Adapter Settings”.   This will work on XP and earlier clients as well but the path to the adapters is slightly different.  Locate the VPN/PPP adapter, right click on it and choose properties.  In the resulting window select Networking, highlight Internet Protocol Version 4 (TCP/IPv4) and click properties, click Advanced, and in the resulting window un-check “Use Default Gateway on remote network.  When checked, its default state, it forces all traffic through the remote site.  Un-checking allows access to the local network and gateway.

image

Again remember this is a security feature and should not be reconfigured unless necessary and you are aware of the risks.

Configure Siemens SE567 router to allow VPN access

 

I have been asked a few of times how to configure a BellAliant Siemens SE567 router / modem to allow VPN access to a server, using PPTP.

When accessing a PPTP VPN server through a router, three primary conditions must exist.  Numbers 1 and 2 we can configure, 3 is dependent on your ISP.

  1. The router must be configured to  forward PPTP traffic to the VPN (RRAS) server using port 1723
  2. The router must be configured to allow GRE traffic (Generic Routing Encapsulation).   GRE  like, TCP and UDP, is a protocol.  GRE is protocol 47, not port 47 which is often incorrectly documented.  GRE is not really forwarded like services, but rather enabled.
  3. The ISP must allow PPTP/GRE traffic.  A few ISP’s intentionally block PPTP/GRE traffic.

GRE is enabled in different ways on different routers. Some have an option “Enable PPTP pass-through” others you forward the PPTP service which includes port 1723 and enabling GRE, and still others require specific commands.  The Siemens SE567 requires two rules, one for PPTP and one for GRE.  Generally Bell Aliant does not block this traffic.

Log into the Seimens unit and click “Advanced” at the top, then “Applications” on the left, followed by “Port Mapping Setup” in the menu.

image

First select the application “PPTP” and in the “redirect selected protocol/application to IP Address” box put the IP address of the server, in this case 192.168.2.20, and click “Apply.”

image

Next in the protocol box select GRE and again in the “redirect selected protocol/application to IP Address” box put the IP address of the server.

image

Done !

image

Note:  the other ports shown in the example, 443 and SMTP/25, are unrelated to the PPTP VPN and just there to show other service configurations.

Remote PC firewall on or off ?

I was asked; “how can I tell from a command line if the firewall is enabled on a PC on our network, using a command line?”

Netsh is a very powerful tool for querying and setting the status of most anything network related. There are both the ‘netsh firewall’ and ‘netsh advfirewall’ options depending if XP, or Vista and newer.  I will deal with the advanced firewall as it is commonly used with Vista and Win 7 these days. The following command will return the available options:

C:\>netsh advfirewall show

The following commands are available:

Commands in this context:
show allprofiles – Displays properties for all profiles.
show currentprofile – Displays properties for the active profile.
show domainprofile – Displays properties for the domain properties.
show global    – Displays the global properties.
show privateprofile – Displays properties for the private profile.
show publicprofile – Displays properties for the public profile.
show store     – Displays the policy store for the current interactive session.

As you are aware the Advanced firewall can be set differently for domain, home, or public networks.  We are concerned with how it is set now, while on our network so we will use the show currentprofile option.  The result returns numerous details. By piping the results to the find command we can limit the output and simply determine if the Windows firewall is on or off  ( note: /I ignores case of the text in quotes):

C:\>netsh advfirewall show currentprofile |find “State” /I
State                                 OFF

Chances are you will not want to run to the machine to check so you can make use of Sysinternals/Microsoft’s PSexec to run netsh, or any command, on a remote machine.  You will need to run this with admin privileges for the remote machine. Therefore it is generally done from the server using a domain admin account.

C:\PSTools>psexec \\PC1 netsh advfirewall show currentprofile |find “state” /I

PsExec v1.98 – Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals – http://www.sysinternals.com

Starting netsh on PC1…ice on PC1…
State                                 OFF
(the output will often end with the following when run remotely: netsh exited on PC1 with error code 0.)

PSexec can be downloaded for free from: http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

Configuring Hyper-V Core

There are already dozens of articles relating to configuring Microsoft’s Hyper-V Server 2008 R2 (the free core version), however a colleague’s intimidation of command line server management inspired me to post my notes to ease his mind and perhaps those of a few readers as well.  Yes, it is a command line only version of server 2008 R2, with only a 15 line/option GUI to assist with the most basic configurations……..

image

Yet, after some minor configuration and enabling some basic services, you can manage the server in a very similar way you would manage others servers with; Hyper-V Manager, administrative tools, remote access, a file explorer, and even a web browser.

It is worth noting that there are definite advantages to using this version of Hyper-V.  It is free, it supports more than 32GB of RAM (server 2008 R2 standard does not, you need Enterprise or Datacenter editions), smaller footprint, and a somewhat limited attack surface.

Notes:

  • I am assuming Hyper-V core is successfully installed and you are at the point of configuring, if not the following links may help you get to this point Test Hyper-V compatibility, Step-by-Step Guide to Getting Started with Hyper-V
  • The assumption in this configuration is the Domain Controller and DNS server will be a virtual machine on the Hyper-V host. As a result it is recommended the Hyper-V host is not joined to the domain as no domain logon server will be available until after the guest VM has been started.
  • “Management PC” refers to the PC, or server, from which you wish to manage the Hyper-V host
  • All command line entries below, on both server and management PC, must be done from an elevated command prompt. On the server the default is elevated, which is confirmed by the “Administrator” on command window title bar

Server Configurations (Hyper-V host):

Run native Hyper-V GUI configuration tool:

  • The configuration tool (as in image above, should automatically start at logon but if not, from a command line, enter sconfig
  • Item #1: Leave as a workgroup
  • Item #2: Enter the computer name
  • Item #8: Configure the network: Use a static IP.  I recommend at least primary server be an internal DNS server, secondary an ISP. (Keep in mind on a domain joined server/PC you should not combine internal and public DNS servers, but this is not domain joined).  Best practices suggests 2 NIC’s should be enabled, one for management and the other for use by VM’s, though this is not necessary.
  • Item #9: Set date and time
  • Item #5: Set Windows update settings auto or manual.
  • Item #6: Download and install all updates, reboot as necessary
  • Item #3: Add any local admin accounts. I recommend adding new account with a name matching the login account of the remote management PC.  The names must match for some services to work.
  • Item #4: Configure remote management by enabling sub-options 1 to 3
  • Item #7: Enable remote desktop access (note this is still command line only)
  • Item #15 Exit to a command line

DNS:

As stated the Hyper-V machine is not a member of the domain, therefore it is recommended the following additions be made to assist with name resolution

Use the Hosts file to allow the Hyper-V host to resolve the name of the management PC.  From an elevated command prompt , open the Hosts file using Notepad by entering: notepad c:\Windows\System32\drivers\etc\hosts .  Add a record in the Hosts file for your management PC/s using

IP <tab> Pc’s DNS name <tab> # a note (optional) <enter>
eg: 192.168.123.123     PCname.MyDomain.local    # management PC

(Note: it is very important hit return, after every entry including the last line, and then save. For more information about Hosts and Lmhosts files, and their syntax see: https://blog.lan-tech.ca/2012/04/26/hosts-and-lmhosts-files/

Add the domain suffix to the domain search list within the registry to further assist with DNS name resolution.  Start the registry editor using regedit and locate the following registry key:

     HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\SearchList

Then add your domain suffix such as mydomain.local (separate multiple suffixes, if needed, with commas)

Permissions:

To configure additional permissions on the Hyper-V host download Hvremote.wsf from:   http://archive.msdn.microsoft.com/HVRemote  to a USB drive or CD.  Then from a command line copy HVremote to local directory such as Temp folder.  DOS commands are as follows (assume HVremote is on a USB drive labeled D:

cd\
md Temp
copy D:\FolderName\hvremote.wsf  C:\Temp\hvremote.wsf

Run the following commands from the directory where hvremote is located to grant Hyper-V administrators the necessary permissions to do so.  This asdds the admin to the “Distributed COM User’s group”. Again from an elevated command prompt, run the following command using the user you created under Item #3 above in the initial configuration GUI.

     Cscript hvremote.wsf /add:user

If this is the first time hvremote has been used to add a user a reboot may be required

Firewall:

The necessary firewall exceptions should have been enabled by Item #’s 3 & 7 above.  You may also want to be able to ping (IPv4) the server for testing. To do so from a command line enter:

netsh firewall set icmpsetting 8

Or use the new command for “Windows Firewall with advanced Security”

     netsh advfirewall firewall add rule name=”ICMP Allow incoming V4 echo request” protocol=icmpv4:8,any dir=in action=allow

(Note: if cutting and pasting the above command, you will have to substitute the quotation marks using your keyboard.  This site’s/font’s quotation marks are not standard ascii characters)

For additional firewall information relating to pings see:  http://dpotter.net/technical/2010/02/enable-ping-on-windows-server-2008-2/


Management PC Configurations:

DNS:

If the PC is a member of a domain, you can add a Host (A) record to the DNS management console for the Hyper-V host, or you can make an entry in the management PC’s Hosts file similar to the instructions for the server. This will ‘point’ this to the server such as:

IP <tab> Server’s DNS name <tab> # a note (optional) <enter>
eg: 192.168.123.123     HVServerName.MyDomain.local     # Hyper-V host

Permissions:

As on the Hyper-V host, download HVremote from http://archive.msdn.microsoft.com/HVRemote  or copy from your USB Key to a local directory as below:

     cd\
md Temp
copy D:\FolderName\hvremote.wsf C:\Temp\hvremote.wsf

Using an elevated command prompt run the following commands from the directory where HVremote is located.  Where the Hyper-v host is not part of the domain you must enable anonymous DCOM access using:

     Cscript hvremote.wsf /mode:client /anondcom:grant

This one command must be run from an non-elevated command line:

Cmdkey /add:ServerComputerName /user:ServerComputerName\UserName /pass:UserPassword

Firewall:

There are 4 Hyper-V Management Client firewall exceptions that need to be enabled.  Running the following command, from an elevated command prompt, will do so:

     Cscript hvremote.wsf /mode:client /FirewallHyperVClient:Enable

You also need allow rules for MMC exceptions (management consoles) which can be applied with:

    Cscript hvremote.wsf /mode:client /mmc:enable

If you have other 3rd party firewall software installed, you need to manually configure it with the same exceptions.

If you wish to use the Disk Management component of the Computer Management MMC for the remote host, you need to enable the inbound “Remote Volume Management – Virtual Disk Service Loader (RPC)” exception with:

     netsh advfirewall firewall set rule name=”Remote Volume Management – Virtual Disk Service Loader (RPC)” new enable=yes

You also have to set the “Virtual Disk service” on the Hyper-V server to Automatic and start it.

sc config vds start= auto
sc start vds
    (not needed if rebooting – will automatically start)

Reboot:

To apply all changes a reboot of the PC is recommended.

Testing connectivity:

When complete test and review the output using the commands below.  For details and troubleshooting download the documentation for HVRemote from:  http://archive.msdn.microsoft.com/HVRemote

From the server:

     Cscript hvremote /mode:server /show /target:clientcomputername

From the client PC:

Cscript hvremote /mode:client /show /target:ServerComputerName


Remote Management Tools:

RSAT tools:

Download and install RSAT (Remote Server Administration Tools) on the management PC making sure you have the RSAT version compatible with that PC’s operating system. The link for Win7 SP1 is below.  With these tools you can now connect the Hyper-V host and manage it from a PC using  all those familiar tools like Computer Management, Disk Management, Windows Firewall with Advanced security, Task Sheduler, etc., and of course the most important; Hyper-V manager which will allow you to create and manage your VM’s the same as you would if you had the full GUI version of Server 2008 R2 as a host.

http://www.microsoft.com/download/en/details.aspx?id=7887

Remote Console (RDP):

You can access the Hyper-V console (still command line only) using a standard RDP connection. You can also install “Portable Apps” which you can then run from an RDP session.  See further down in this list of Remote management tools.

     Mstsc -v:<Hyper-V host name>

Portable Apps:

You can run standard “portable apps” on the console, or during a remote desktop session such as:

Windows Explorer Equivalent A43:

http://www.alterion.us/a43/index.html

Firefox Web Browser (for security reason web browsing from the host is not recommended):

http://portableapps.com/apps/internet/firefox_portable

Others:

http://www.portablefreeware.com/all.php

Powershell:

To remotely run PowerShell you will need Powershell 2. which is available from Windows updates. To install and enable please see the following article http://geekswithblogs.net/twickers/archive/2009/11/04/136013.aspx  With it from the Host console, or remotely, you can manage many services using scripts/cmdlets from:

http://pshyperv.codeplex.com/

Others:

http://www.portablefreeware.com/all.php

PSExec:

PSExec is a tool developed by Sysinternals, now Microsoft that allows you to run DOS commands on remote machines:

http://technet.microsoft.com/en-us/sysinternals/bb897553

Hyper-V Monitor Gadget:

A great desktop gadget for monitoring the status of your Hyper-V servers, status and perfomance, as well as the ability to start and stop.  Requires permissions and services as outlined earlier.

http://hypervmonitor.codeplex.com/


Additional Resources:

Configure Hyper-V Remote Management in seconds

http://blogs.technet.com/b/jhoward/archive/2008/11/14/configure-hyper-v-remote-management-in-seconds.aspx

Full HVRemote documentation and download:

http://archive.msdn.microsoft.com/HVRemote/Release/ProjectReleases.aspx?ReleaseId=3084

Install and Configure Hyper-V Tools for Remote Administration

http://technet.microsoft.com/en-us/library/cc794756(WS.10).aspx

How to use the “netsh advfirewall firewall” context

http://support.microsoft.com/kb/947709

How to Enable Remote Administration of Server Core via MMC using NETSH

http://blogs.technet.com/b/askds/archive/2008/06/05/how-to-enable-remote-administration-of-server-core-via-mmc-using-netsh.aspx

Rogue DHCP Servers

On occasion you may be consulted about network issues which suggested a rogue or unknown DHCP server present on the network.  This can show up is several ways including the discovery of a PC with incorrect IP addressing, most often the wrong DNS server, or in an SBS environment the SBS DHCP service has shut down due to the presence of another DHCP server.  The dilemma is how to locate it.  There are a few tools that can be helpful with the process.

You may also have a case of an unknown device in the DHCP management console under address leases.  Some of these tools can be useful in isolating those as well.

Determine the DHCP server’s IP:

The first step is to locate the DHCP server’s IP.  You may be fortunate and have discovered the incorrect addressing on a PC.  In this case the DHCP server will be listed in the IPconfig /all results.  Alternatively you can use two different tools.

The first is Microsoft’s DHCPloc.exe (DHCP locator).  It can be downloaded as an individual executable from http://www.petri.co.il/download_free_reskit_tools.htm or as part of the Server Support Tools on the server’s installation CD.

Warning:  DHCPloc should not be run on the DHCP server itself.  Doing so can cause the DHCP server to stop responding to DHCP requests.

At a command line, from the directory where you have saved DHCPloc enter
  DHCPloc.exe <the workstation’s IP>
You may have to hit enter twice. You will be prompted to enter d, q, or h. Enter d for discover, and again you may have to hit enter twice.  It should return the IP of the DHCP server, or servers, and an offered DHCP address.
DHCPloc syntax:
http://technet.microsoft.com/en-us/library/cc778483.aspx

You may want to temporarily disable the network’s default DHCP service while running these tests.

image

The second method is to use Wireshark, from http://www.wireshark.org, a network packet analyzer and a much a more powerful tool.  Install Wireshark on a workstation, start a scan, and run an ipconfig /release and /renew to force a DHCP request.  Once complete you can filter the log by protocol and locate the DHCP related packets.  Do this quickly as Wireshark collects a substantial amount of data very quickly.  There are tutorials available to become familiar with Wireshark.

image

 

Find the MAC Address:

With any luck you now have the IP of the DHCP server.  Next is to find the device’s MAC address.  By now it should have been recorded in the arp table, but if not try pinging the IP.  Then from a command line run  arp –a  or arp –a |find “IP address”  to recover the MAC address of the device.

image

 

Determine the Manufacturer:

The fist 6 characters of the MAC address are assigned to the manufacturer, therefore we may be able to determine the make of the device in question.  In the example above we would use 00-15-5d  in conjunction with a site such as  http://standards.ieee.org/develop/regauth/oui/public.html and determine the registered manufacturer/vendor was Microsoft Corporation.  This may or may not be helpful since in this case it simply indicates it is a Virtual machine.  Often it will provide results such as Cisco-Linksys, D-Link Corp., Apple Inc. which may give you a better indication as to the type of device, perhaps a Linksys router installed by an employee to add wireless to his or her office.

image

 

Locate the device:

Physical location is much harder to establish, especially if it has been intentionally hidden.  It is always best practice to keep a floor plan with all network drops and to disconnect any unused network drops at the patch panel, but it doesn’t do much to protect you.  If you have managed switches you can locate the port to which the IP or MAC address is connected and start tracing from there.  However, if you do not have managed switches you are best to run a continuous ping  (ping  –t 192.168.19.21) and start unplugging cables at the patch panel until you have dropped packets .  A little crude, but effective.

I will publish an article in the near future to more proactively address this issue using DHCP filtering.

Configure Cisco ASA for SBS 2008/2011 Network using CLI

I recently posted an article entitled “Configure Cisco ASA for SBS 2008/2011 Network using ASDM” which uses the GUI, a very lengthy process, but perhaps easier to understand for those not familiar with the Cisco Command Line Interface (CLI) like me.  However, I did promise to also post the handful of necessary commands to achieve the same thing using the command line. Please find the matching commands below using the same options and sample IP’s as in the previous post. You may wish to review the previous article should you require an explanation of why the various command are necessary. Note: this was done using ASA Version 8.2(5).

Basic router configuration; router name, domain, outside/WAN static IP and subnet mask, and management access:

hostname Cisco-ASA5505
domain-name MyDomain.local
Interface vlan2
ip address  123.123.123.123 255.255.255.248
no http 192.168.123.0 255.255.255.0 inside
http 192.168.123.0 255.255.255.0 inside
no telnet 192.168.123.0 255.255.255.0 inside
telnet 192.168.123.0 255.255.255.0 inside
enable password MyPassword

Disable DHCP on the Inside/LAN interface and set inside/LAN IP:

no dhcpd enable inside
Interface vlan1
no ip address
ip address  192.168.123.254 255.255.255.0
same-security-traffic permit inter-interface

Set default gateway on Outside/WAN interface:

route outside 0.0.0.0 0.0.0.0 123.123.123.121 1

Configure port forwarding for port 25 (SMTP/Exchange), port 443 (Https/RWW/RWA/OWA/Sharepoint), and port 987 (Sharepoint):

name 192.168.123.10 SBS-Server
asdm location 192.168.123.10 255.255.255.255 inside

static (inside,outside)  tcp interface 25 192.168.123.10 25 netmask 255.255.255.255 tcp 0 0 udp 0
static (inside,outside)  tcp interface 443 192.168.123.10 443 netmask 255.255.255.255 tcp 0 0 udp 0
static (inside,outside)  tcp interface 987 192.168.123.10 987 netmask 255.255.255.255 tcp 0 0 udp 0

access-list outside_access_in remark Allow SMTP traffic
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in remark Allow SSL-OWA-RWA Traffic
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in remark Allow SharePoint traffic
access-list outside_access_in extended permit tcp any interface outside eq 987
access-group outside_access_in in interface outside

Allow pings from LAN to Internet:

policy-map global_policy
class inspection_default
inspect icmp

Allow Tracert (requires ping policy changes above):

access-list outside_access_in line 3 remark Allow Tracert
access-list outside_access_in line 4 extended permit icmp any any

Save:

write mem

Configure Cisco ASA for SBS 2008/2011 Network using ASDM

Following is an outline as to how to configure a Cisco ASA 5505 for an SBS 2008/2011 network, including basic router configurations, IP addressing, and port forwarding, using the GUI/ASDM. The ASDM version used at the time of writing is 6.4(5), and ASA Version 8.2(5).  For the record this can be accomplished much more easily from the CLI/Command Line Interface, but we SBS folk tend to like to do things from a GUI.  I will however post a follow-up article outlining how to do so from the CLI, using only a handful of commands. [Updte: for CLI instructions see: https://blog.lan-tech.ca/2012/01/25/configure-cisco-asa-for-sbs-20082011-network-using-cli/ ]

It is assumed the ASA is still set to factory defaults. If so, skip to “Basic Router configuration”.

Reset to factory defaults:

Since this article is dedicated to using the ASDM console, to reset from within, simply log on, select “File” from the menu, and then “Reset Device to the Factory Default Configuration”.  If you do not have access to the ASDM console, i.e. you do not know the IP, you can use the blue console cable and access through Telnet. Once connected to the CLI (Command Line Interface) enter the following commands:

  • enable
  • config t
  • config factory-default  (press the space bar a few times when “more” is displayed to get back to the prompt)
  • reload save-config noconfirm  (to write to flash memory)
  • the unit will reboot with factory defaults

Basic Router configuration:

We will run the Start up Wizard to do the basic configuration. During the process do not make changes to the internal interface IP or Internal DHCP settings.

Launch the ASDM using https://192.168.1.1 , choose to ignore the certificate error, and select “run Startup Wizard”. When prompted for a username and password leave both blank. You can also start the wizard from within the ASDM from the menu under Wizards, Startup Wizard.

[ Edit: In case it is confusing; after publishing it was pointed out you can see the 192.168.111.254 current ASA address in the title bar. Please ignore, it is unrelated to the configuration. ]

Starting Point: In the first window accept the default “modify existing configuration” and click next.

image

Basic Configuration:  If you like you can change the ASA Host Name and domain, but I is not necessary. I strongly recommend changing the password, and make it secure. When you log back in later the user name will still be blank.

image

Interface Section: Leave all a defaults.

image

Switch Port Allocation:  Again the defaults are fine for this configuration.

image

Interface IP Address Configuration: Presumably you have been assigned a static public IP by your ISP where you are running a mail server. If so select “Use the following IP address”, enter the appropriate IP and subnet mask under “Outside Address”. (Note: you will need to add a static route for the default gateway later)

If  using DHCP with your ISP, select “Use DHCP” and check “Obtain default route using DHCP” (which will automatically add the default gateway).  When using DHCP you will probably also want to set up a DDNS service.  To do so see the following article: Using DDNS Services with SBS 2008/2011

The wizard will not allow you to continue without entering a DMZ address.  You will not be using the DMZ in this configuration so simply pick a private IP outside of any subnet you plan to use, and select a subnet mask of 255.255.255.0, if presented with a DMZ related error you can ignore.

image

DHCP Server:  We will deal with DHCP later along with the inside interface IP. Leave the current defaults “Enable DHCP” and the IP range for now.

image

Address Translation (NAT/PAT):  You will want to use PAT, so accept the defaults.

image

Administrative Access:  This determines from which IP’s or subnets you can access the ASA 5505 to manage it, and using which protocols. The current default is using the ASDM from the 192.168.1.0 subnet. If you plan to change the IP of the router to a different subnet you need to add it now, before making changes to the inside interface’s IP.  Assuming you later plan to use 192.168.123.0/24 (/24 = subnet mask 255.255.255.0) for your local network, I recommend adding that subnet to the inside interfaces, using two rules, one for HTTPS/ADSM and the other for Telnet, by clicking the “edit” button”.  Leave the “Enable HTTP server for HTTPS/ASDM access to this ASA” checked near the bottom.

image

Startup Wizard Summary: This page displays a summary of your choices. Review and click finish.

image

Disable DHCP:  Assuming you are running SBS 2008/2011 Standard and not SBS 20011 Essentials, you will need to turn off DHCP on the inside interface of the Cisco as the SBS server should most definitely be the DHCP server. If not convinced see: Do I absolutely have to run DHCP on SBS 2008?  If running SBS Essentials the default is to have the router as the DHCP server, though it does not have to be. To disable DHCP, log back into the ASDM if you are no longer connected, and navigate to; Configuration | Device Management | DHCP | DHCP Server | highlight the inside interface and click Edit” | uncheck “Enable DHCP server”. Then click OK and Apply at the bottom.

image

Change Inside interface (LAN) IP:  As mentioned earlier, for the purposes of this article we will use 192.168.123.x (properly represented as 192.168.123.0/24) and choose 192.168.123.254 as the router inside interface IP but for your configuration match the current subnet of your SBS server.

This will be the gateway IP for PC’s and servers on the SBS network. Navigate to: Configuration | Device Setup | Interfaces | Highlight the inside interface and select Edit and change the IP to that of your choosing. Click OK, then check the box “ Enable traffic between two or more hosts connected to the same interface” at the bottom, and Apply.

Note: Should you choose to enable a VPN, using the Cisco or the SBS built-in VPN, the site from which a client connects, must use a different Network ID (Subnet) than that of the SBS LAN. As a result, nobody connecting from a remote site that uses 192.168.1.x locally can connect to resources on this network. Therefore it is always a best practice to avoid common subnets like; 192.168.0.x, 192.168.1.x, 192.168.2.x, 192.168.100.x 10.0.0.x, and 10.10.10.x. However if your SBS is already configured you would need to change the network addressing for the entire network. In the event you were to choose to do so make sure you use the wizard for changing the server IP located under SBS console | networking | Connectivity | Connect to the Internet.  You also have to change any DHCP scopes, reservations, exclusions and device with statically assigned IP’s such as printers.

image

Add a static route for the router’s default gateway:  As mentioned before if you have with a static public IP assigned to the outside interface, you also have to create a static route to assign a default gateway to allow the router Internet access.  To do so select Device Setup | expand routing | Static Routes | and on the right click Add.  Select the outside interface, choose “any” for the Network from the drop down list and insert the gateway address assigned by the ISP, with a metric of 1.  The remaining items should retain the default settings. Click OK and Apply.

image

If you have not already done so, I would recommend saving all changes at this point by selecting from the menu File and then “Save running configuration to flash”, or at ant point simply press Ctrl+S to save.

Configure port forwarding:

SBS requires several ports be forwarded for various services.  Below is an outline as to how to configure port forwarding for SMTP (port 25). You will need to do this for each of the services in the following list that you plan to use:

  • SMTP port 25 Exchange
  • HTTPS / SSL port 443  Outlook web Access, Remote Web Workplace (Remote Web Access), and SharePoint
  • SharePoint custom port 987  (SBS 2003 not required)
  • RWW & Sharepoint 4125  (SBS 2003 only, not required for SBS 2008/2011)
  • PPTP port 1723 SBS VPN. The Cisco VPN is far more secure and moves authentication to the perimeter of the network. Far better to use it than the SBS VPN since it is included with the ASA 55050
  • RDP port 3389 (Definitely not recommended. Much safer to use RWW/RWA)

Add a NAT Rule:  Login into the ASDM, remembering to use the new IP address of the router. Navigate to Firewall | NAT Rules. on the right under addresses there is an option to +Add, select this and then Network Object. Enter the name of the Object, in this case the SBS, enter the IP (in our example 192.168.123.10) and  a subnet mask of 255.255.255.255.  (Adding a network object is not completely necessary but makes reviewing configurations at a later date easier to understand as items are referenced by name rather than IP)

image

Next in the same Window, under “Configuration > Firewall  NAT Rules” in the tile bar, click +Add and select Add Static NAT Rule. In the resulting window set the “Original” Interface to inside and next to source click the drop down list button. Select your new object (SBS-Server in this example).  Set “Translated” Interface to outside, and check the box to “use interface IP address”.  Select Enable Port Address Translation (PAT), TCP, and enter either the port number, or in the case of most services you can enter the service name, if it is known to the Cisco router. A drop down list of known service will appear when you start to type the service name if one exists. If using non-standard services, enter the port number using the format tcp/987. The Original and Translated ports in this case should be the same.

image

Click OK and this will add the rule to the list of static rules.

image

Add an Access Rule:  Next, again in the firewall section, Navigate to Access Rules | Add | Add Access Rule.  Change the Interface to Outside, the Source will be “any”, Destination the outside interface, Service can again be selected from the drop down list, and add a description if you like.  Leave the “More Options” section set to defaults. Click OK and Apply.

image

Repeat the above steps for all services you will be using, probably HTTPS/443 and SharePoint/987, and don’t for get to save ( Ctrl+S) when complete.

This should complete the SBS requirements.

Additional Features you may wish to enable:

  • To enable pinging of internet IP’s from the LAN for testing, navigate to: Configuration | Firewall | Service Policy Rules | highlight the policy under Global Policy and click edit | Rule Actions | check the box for ICMP | click OK and Apply.
  • To allow Tracert to internet IP’s, add the ICMP rule above, then while still under the Firewall configuration switch to the Access Rules item click Add | Add Access Rule | then set the interface outside, action is Permit, and Source/Destination is any. Under Service, enter icmp, it should auto-fill or you can use the drop down list line and click OK.  Click OK again in the Add Access Rule dialog and Apply the results to finish the process.

SBS 2011 Reports Showing Firewall Disabled

Some people are discovering the SBS daily reports are showing the Windows Firewall is not enabled, Windows Firewall is not running, when in fact it is definitely enabled.  In several of the cases I have seen you can resolve by renaming the Repository folder.  To do so:

  • Open the Services management console and stop the “Windows Management Instrumentation” service.  If it keeps restarting, you may have to temporarily set to disabled.
  • Locate the “Repository” folder in C:\Windows\System32\wbem\ and rename to something like OLD_Repository .  Rename rather than delete the folder so you can revert back if for some reason it were necessary.
  • Restart/re-enable the “Windows Management Instrumentation” service
  • Reboot

Sage Simply Accounting (Sage 50) Firewall Rules

When installing Simply accounting (in this case specifically Simply 2011) it requires opening firewall ports on the server to allow clients to use the Connection Manager to access data . Simply provides the following information in its help files:

image

However for most installations you only require 4 rules. You can use the server’s “Windows Firewall with Advanced Security” console to manually create a each rule one by one by generating new rules, browsing to the related service (.exe), and set to “allow”, or you can use a command line and netsh to create the rules. Again a little tedious entering each lengthy command one at a time.

The easiest method is to use a simple batch file with the four commands included in the script below. To make the batch file a little more informative I have added a few lines with description, the ability to opt out, and to be able to verify each command completed successfully. However using just the 4 netsh lines is all you require. The netsh commands included are tailored to only allow access from the local subnet for added security.

Simply copy the lines below to notepad and save as a batch file using a name like AddRules.bat  There are a few related notes:

  • When saving use quotes around the name such as “AddRules.bat” in the Notepad ‘save as’ box, to ensure the .txt suffix will not be added to the name
  • Each netsh commands is one single line. It is wraps in the blog article.
  • When ready to run the batch file right click on it and choose “run as administrator (i.e. elevated privileges)

————————————————————————–

Echo Off
CLS
Echo  Batch file to configure Windows Firewall
Echo    for Sage Simply Accounting 2011 using
Echo      Windows Firewall with Advanced Security
Echo        [Access will be limited to local subnet]
Echo.
Echo click Ctrl+C to escape
Pause
Echo on

netsh advfirewall firewall add rule name=”Simply Connection Manager” dir=in program=”C:\Program Files (x86)\Winsim\ConnectionManager\SimplyConnectionManager.exe” remoteip=localsubnet action=allow

netsh advfirewall firewall add rule name=”Simply Tray Icon” dir=in program=”C:\Program Files (x86)\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe” remoteip=localsubnet action=allow

netsh advfirewall firewall add rule name=”Simply MySQL” dir=in program=”C:\Program Files (x86)\Winsim\ConnectionManager\MySqlBinary\5.0.38\mysql\mysqld-nt.exe” remoteip=localsubnet action=allow

netsh advfirewall firewall add rule name=”Simply MySQL Admin” dir=in program=”C:\Program Files (x86)\Winsim\ConnectionManager\MySqlBinary\5.0.38\mysql\mysqladmin.exe” remoteip=localsubnet action=allow

Echo off
Echo  “ok” should have been displayed after each rule was applied
Echo     Refresh Windows Firewall with Advanced Security to view added rules
Pause
Exit

Update/Note:  I have noticed when cutting and pasting from this article the quotation marks become unrecognized characters on most systems.  Simply paste the abov text in notepad and use Find & Replace to replace all with standard keyboard quotation characters.

Tag Cloud