Thursday, 24 December 2009
Not a major issue, you may think, as all the computers at work are Windows devices.
As you can see in the previous post, we were in the process of replacing our mobile telephones at work, and as part of the rollout I wanted to offer IAG via the mobile phone. I know it works (albeit very slowly) on a BlackBerry and (pretty well over 3G) on iPhones.
Now, if we were issuing mobile devices with internet access to staff, I not only wanted them to be able to access IAG, I also wanted to give them access to our CRM system.
My choices were to look at Windows Mobile devices, where there is a compromise on either cost or functionality, or to find a way to make CRM available in other browsers.
A bit of Googling from Neil Langridge (Marketing Manager for e92plus) turned up the following links:
After following the instructions for installing the 28MB file, we started testing.
I used Firefox, Safari, Opera and Chrome as my test browsers and they all worked perfectly. The view is slightly cut down, but we now have CRM in other browsers.
The next step was publishing this on IAG as a Generic Web Application (as I did for CRM on IE). Remember to use the server name and the correct port number, and to append /m to the URL. I created an access policy that checks the user's browser, so that IE users see two icons (one for full-blown CRM, the other for the "streamlined" version), while users of non-IE browsers only see the "streamlined" version of CRM.
I have been playing with a number of mobile phones recently, and this works perfectly on BlackBerrys, iPhones, Nokias and HTC Windows Mobile devices.
I was given a couple of test phones to trial ActiveSync on a Windows Mobile and a Nokia device.
First off, I had to ensure ActiveSync was enabled on the Exchange server; fortunately a "vanilla" build of Exchange 2007 has it enabled on install.
The next thing was to create a NAT rule on my firewall to allow the ActiveSync traffic from the internet to the Exchange server. This was only a temporary rule while I was testing that ActiveSync worked, before the rule was removed again.
My security/paranoia head would not allow me to leave this rule in place, as I would not recommend to anyone a rule that allows direct connectivity from the internet to any mail server. (BTW, that also includes inbound email, as there are plenty of mail relay options, such as a Barracuda Spam Firewall - blog post for another day!)
Here at e92plus as the saying goes "We eat our own dog food", where we use a Celestix WSA IAG appliance as a remote access solution.
The next step was to create a way for the mobile device to connect to my Exchange server without a direct connection. I configured one of our external IP addresses to NAT into the DMZ of our firewall. I then had to add an additional IP address on the external adapter of the Celestix WSA appliance to match the DMZ IP address of the NAT rule. I also created a new prefix for our domain and mapped that to the external IP address I'm using.
Now on to IAG: I created a new webmail trunk and selected ActiveSync. I defined the domain, selected the DMZ IP address, entered the details of my Exchange server, and then activated the configuration.
I took the trusted root certificate from my Exchange server and imported it on the IAG appliance.
On the mobile devices, I defined the domain, username and password. For the server address, I used the new IAG portal address.
It worked perfectly on the demo Nokia E63 and the HTC Touch; although the interfaces differ, the information required to log in was the same. This allows the devices to sync email, contacts, calendar and tasks.
After much deliberation, I decided that I wanted an iPhone as my mobile device. Although I am still waiting for the SIM to be activated, ActiveSync is syncing my email, contacts and calendar via my wireless network, so once the iPhone can get onto the O2 3G network, it will be working as it should!
For added security/paranoia, on the Exchange server I have also enabled mandatory device passwords, mandatory encryption of device storage and the ability to remote wipe devices, so pretty much the core features of a BlackBerry server, at a much lower cost!
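As an added example (this is not code from the original post), here is how those three controls are enforced from the Exchange 2007 Management Shell, plus the device listing you need before you can wipe anything. The policy name "e92plus-mobile", the mailbox "jbloggs" and the device ID are placeholders; the parameter set is Exchange 2007 SP1's.

```powershell
# Added example, not from the original post. Exchange 2007 SP1 Management Shell.
# Policy name, mailbox and DeviceID below are assumed placeholders.

# 1. A mailbox policy that requires a device PIN, locks after inactivity, wipes
#    after repeated bad PINs and requires storage encryption. Refusing
#    non-provisionable devices matters: a device that cannot enforce the policy
#    is rejected rather than silently allowed to sync without it.
New-ActiveSyncMailboxPolicy -Name "e92plus-mobile" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $false `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock "00:10:00" `
    -MaxDevicePasswordFailedAttempts 8 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# 2. Assign the policy to a mailbox (pipe Get-Mailbox -OrganizationalUnit ... for a whole OU).
Set-CASMailbox -Identity "jbloggs" -ActiveSyncMailboxPolicy "e92plus-mobile"

# 3. List the devices partnered with the mailbox; DeviceID is what identifies a lost phone.
Get-ActiveSyncDeviceStatistics -Mailbox "jbloggs" |
    Format-List DeviceType, DeviceID, LastSuccessSync, DeviceWipeSentTime, DeviceWipeAckTime

# 4. Remote-wipe one device. The wipe command is queued and delivered at the next sync,
#    so check DeviceWipeAckTime afterwards to confirm the device actually received it.
$lost = Get-ActiveSyncDeviceStatistics -Mailbox "jbloggs" |
        Where-Object { $_.DeviceID -eq "ABCDEF0123456789" }   # assumed lost device
Clear-ActiveSyncDevice -Identity $lost.Identity -Confirm:$false
```

Run step 3 again after the wipe: until DeviceWipeAckTime is populated the device has not acknowledged it, so the data is still on the phone.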
Tuesday, 24 November 2009
Just feed the logs into a Syslog server, sounds easy...
- Start up the IAG Configuration application
- Select 'Admin' at the top and select 'Event logging'
- Select the 'Syslog' tab and enter the details of your Syslog server
Sometimes, we just want an easy solution.... and here is one!
I've had a play with a freeware Syslog server called Syslog Watcher, which works very well with this integration, but I would welcome any recommendations for Syslog software.
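Before installing a full Syslog server, it is worth confirming the appliance is actually emitting. The following throwaway UDP listener is an added example (not from the original post or from IAG itself): run it on the host you entered on the Syslog tab, and it decodes the RFC 3164 priority of each message it receives. It assumes UDP on port 514; change $port if you chose a different port in IAG.

```powershell
# Added example, not from the original post. Minimal RFC 3164 syslog receiver
# for checking that IAG's Event logging > Syslog output reaches this host.
# Assumes UDP/514 (adjust $port) and that no other syslog service owns the port.
$port = 514
$udp = New-Object System.Net.Sockets.UdpClient($port)
$remote = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)

$facilities = "kern","user","mail","daemon","auth","syslog","lpr","news","uucp","cron","authpriv","ftp","ntp","audit","alert","clock","local0","local1","local2","local3","local4","local5","local6","local7"
$severities = "emerg","alert","crit","err","warning","notice","info","debug"

Write-Host "Listening on UDP $port (Ctrl+C to stop)"
while ($true) {
    $bytes = $udp.Receive([ref]$remote)
    $msg = [System.Text.Encoding]::ASCII.GetString($bytes)
    # A syslog datagram starts with <PRI>, where PRI = facility * 8 + severity
    if ($msg -match '^<(\d{1,3})>(.*)$') {
        $pri = [int]$matches[1]
        $fac = $facilities[[int][math]::Floor($pri / 8)]
        $sev = $severities[$pri % 8]
        "{0:s} {1} {2}.{3} {4}" -f (Get-Date), $remote.Address, $fac, $sev, $matches[2]
    } else {
        # No PRI header: still show it, so a misconfigured sender is visible rather than dropped
        "{0:s} {1} (no PRI) {2}" -f (Get-Date), $remote.Address, $msg
    }
}
```

If nothing arrives, check the Windows Firewall on the receiving host and the ISA policy on the appliance before suspecting the IAG configuration; the appliance must be allowed to send UDP/514 outbound to the Syslog host.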
Sunday, 15 November 2009
We take it a step further where we monitor/filter users' web traffic; we scan inbound (and sometimes outbound) email; we secure inbound traffic to our networks with a combination of anti-virus software, firewalls, reverse proxying, NACs, SSL-VPNs with access policies and two-factor authentication; we secure our internet-facing services with web application firewalls. But all this protection is mostly aimed at threats from outside the organisation.
We all hope we can trust our work colleagues and employees, but an often overlooked area of security is the harm our internal staff may cause to internal systems, either intentionally or unintentionally.
I have seen a few endpoint protection solutions, and they are either lacking in functionality, or have a wealth of features coupled with a price tag to match.
I was asked to trial a new offering from Cyberoam, who have previously focused on UTM firewalls and SSL-VPN solutions, but, looking to expand their security offering, have now produced an endpoint solution, which they call Cyberoam Endpoint Data Protection (aka Cyberoam EDP).
The Cyberoam EDP solution comes with four components, where you can pick and choose which components you require.
- Device Management
- Application Control
- Asset Management
- Data Protection and Encryption
The Device Management component allows you to define which hardware components can be used on your endpoints, so you can limit access to hardware that is either built in or plugged in, such as DVD writers, USB memory sticks, external hard disk drives, etc.
The Application Control component allows you to permit or block applications, such as peer-to-peer and IM clients from either a legal or IT policy perspective, or software such as Photoshop and Office, where you can ensure the software is only used on certain hardware to keep within your licence terms (i.e. not allowing the software to run on more machines than you are licensed for).
The Asset Management component allows auditing and tracking of the hardware on your network and what software is installed where. There is also version tracking, so you can see hardware and software changes within your network.
The Data Protection and Encryption component allows you to create policies to prevent data from leaving your company. These policies can be applied to email, IM and removable devices, so certain file types or file names cannot leave via those channels. You can also shadow message transfers, so you have records of IM conversations and emails!! The encryption function is for removable media or for when files are transferred.
I tested this on my network and all the functions worked perfectly in my test environment, but the limitation was that Windows 7 and 64-bit operating systems were not supported at the time of testing. (I had a number of Windows 7 machines work perfectly and a couple that did not, as well as partial functionality on a 64-bit Windows 7 laptop.) The Windows 7 element of the software is currently being tested and a fully supported version is due out soon.
I believe this product will give enterprise levels of security to the SME market.
More information, as well as a 30 day free trial, is available here: http://www.cyberoam.com/endpointdataprotection.html
If you try it, I'd be interested in your feedback. :)
Friday, 6 November 2009
The only way to run IAG in a highly available configuration is to put the IAG solution behind a front-end load balancer. A common question I get asked is why I recommend a pair of load balancers... well, why would you specify a solution with multiple application servers, only to place them behind a single load balancer and move your single point of failure from the application server to the load balancing solution?
There are some simple instructions on how to configure the Celestix Load Balancers (CLB), well documented in the manuals, but here are the headline points when configuring the solution for Direct Server Return (DSR). With DSR, inbound traffic passes through the load balancer to the IAG solution, but outbound (as the name suggests) IAG replies directly to the client rather than back through the load balancer.
- Configure the IAG external IP address to be the virtual server IP address
- Ensure DSR is selected in the advanced settings
- Under the Healthcheck option for the target, ensure PING is off, but check that TCPOpen is enabled for 443,2,10
- Ensure all IP addresses are unique, including gateways, servers, engines, etc.
- Create an ISA rule to allow access from the CLB range to the Local Host, for port 443
- Create loopback adapters on the WSA appliance, ensuring that there is no gateway and that, within advanced settings, the Interface Metric is set to 254
- Ensure VRRP is enabled, where both appliances have the same VRID; ensure the Master has a priority of 1 and the backup 254, on a different network
- Ensure the local hosts file on each appliance points the server name at the VIP
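The appliance-side items in that checklist (loopback adapter, unique addresses, hosts file, 443 answering on the VIP) are the ones most often got wrong, and a DSR pool member with a stray gateway or a duplicate VIP fails in confusing ways. The script below is an added example (it is not from the original post or the Celestix manual): run it on each WSA appliance before adding it to the CLB pool. $vip and $serverName are assumed placeholders; it reads adapter details via WMI, which is available on the appliance's Windows Server build.

```powershell
# Added example, not from the original post or Celestix documentation.
# Checks the DSR prerequisites on an IAG/WSA appliance. $vip and $serverName are assumptions.
$vip        = "203.0.113.10"          # the CLB virtual server IP for this portal
$serverName = "portal.example.com"    # the portal host name users connect to
$ok = $true

$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"

# 1. Loopback adapter: must carry the VIP, have no default gateway, and metric 254,
#    otherwise Windows may route replies (or answer ARP) via the wrong interface.
$loop = $nics | Where-Object { $_.Description -like "*Loopback*" }
if (-not $loop) {
    Write-Warning "No enabled Microsoft Loopback Adapter found"; $ok = $false
} else {
    if ($loop.IPAddress -notcontains $vip) { Write-Warning "Loopback adapter does not carry VIP $vip"; $ok = $false }
    if ($loop.DefaultIPGateway)            { Write-Warning "Loopback adapter has a default gateway set"; $ok = $false }
    if ($loop.IPConnectionMetric -ne 254)  { Write-Warning "Loopback metric is $($loop.IPConnectionMetric), expected 254"; $ok = $false }
}

# 2. Uniqueness: the VIP must not also be bound to a real NIC on this box.
$dupes = $nics | Where-Object { $_.Description -notlike "*Loopback*" -and $_.IPAddress -contains $vip }
if ($dupes) {
    $names = ($dupes | ForEach-Object { $_.Description }) -join ", "
    Write-Warning "VIP $vip is also bound to: $names"; $ok = $false
}

# 3. hosts file: the portal name must resolve to the VIP locally.
$hostsPath = Join-Path $env:SystemRoot "System32\drivers\etc\hosts"
$pattern = "^\s*" + [regex]::Escape($vip) + "\s+.*\b" + [regex]::Escape($serverName) + "\b"
$entry = Get-Content $hostsPath | Where-Object { $_ -match $pattern }
if (-not $entry) { Write-Warning "hosts file has no '$vip $serverName' entry"; $ok = $false }

# 4. The trunk must answer on VIP:443, which is also what the CLB TCPOpen health check probes.
$tcp = New-Object System.Net.Sockets.TcpClient
try   { $tcp.Connect($vip, 443); Write-Host "TCP 443 open on $vip" }
catch { Write-Warning "Nothing listening on ${vip}:443"; $ok = $false }
finally { $tcp.Close() }

if ($ok) { "DSR prerequisites look correct on this appliance" }
else     { "Fix the warnings above before adding this appliance to the CLB pool" }
```

Check 4 only proves the trunk listens; it does not prove the ISA rule allowing the CLB range to Local Host on 443 exists, so if the CLB still marks the member down after this passes, look at the ISA policy next.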
I had a pretty unique situation today, where four portals were configured on two IAG appliances, with virtual IPs and load balancers.
We ended up using 14 external IP addresses: a VIP for each portal (4 external IPs), an external IP for each portal on each appliance (8 external IPs), and a unique IP for each load balancer (2 external IPs). It's very rare to have this many real IPs to play with, but the same principle would apply if these IPs were internal ones behind a NATing device, which would only have required 4 external IPs (one for each portal). Ensure you understand the customer's requirements and follow the manual.
Good luck with making your IAG solutions highly available! :)
Tuesday, 6 October 2009
There are fewer than 30 MVPs in the Microsoft Forefront arena worldwide, so you can understand the prestige of this award.
Well done Richard, it's an honour working with you; keep up the good work! :)
I realised the other day that I hadn't posted an update on the issue encountered in this blog post about ActiveSync on IAG.
Well, the issue turned out to be certificate related. The Exchange server was using a self-signed certificate, so the trusted root certificate had to be added to the mobile devices.
There is some well documented information regarding configuring Exchange 2003 ActiveSync using a self-signed SSL certificate.
Export the root certificate
- On the Certificate Authority that issued the certificate to the Exchange server, open the Control Panel and double click Internet Options. NOTE - this guide assumes that you are using a Microsoft CA.
- Click on the Content tab and then on the Certificates button.
- Click on the Trusted Root Certification Authorities tab.
- Locate the trusted root certificate for your domain. It is vital that the certificate is listed under this tab (Trusted Root Certification Authorities) and not under any other. Select the certificate and click the Export button.
- The Export Certificate Wizard will be displayed, click Next.
- Select the option to export the certificate in DER encoded binary X.509 (.CER) format and click Next.
- Enter a name for the certificate and specify where you would like the file saved. Click Next.
- Click Finish and then OK.
Install the root certificate onto the client device
- Now locate the .cer file you created and copy it to your PDA via Microsoft ActiveSync to any folder on the device (for a Windows Mobile device), or using the appropriate synchronisation software for your device. Alternatively, the file could be saved to a memory card or transferred via Bluetooth.
- On the PDA, open File Explorer and browse to the folder where you saved the certificate.
- Tap on the icon for the certificate and tap Yes to install it when prompted.
- On a Windows Mobile device, tap on Start → Settings → System → Certificates → Root and verify that the certificate is listed.
- You are now ready to use Server ActiveSync securely, using your own SSL certificate.
There is also some useful troubleshooting information here: http://blogs.technet.com/edgeaccessblog/archive/2008/07/29/publishing-microsoft-activesync-through-iag-2007-part-2-of-2.aspx
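The most common mistake with the export step is shipping the wrong certificate to the device: an intermediate filed under the Root tab, or a CA root that is not actually the one that signed the Exchange server's certificate. The script below is an added example (not from the original post or the TechNet article): it fetches the certificate the server presents on 443, walks its chain, confirms the top of the chain is self-issued and sits in LocalMachine\Root, and only then writes it out in DER (.cer) form for the device import step. It also handles the truly self-signed case, where the server certificate itself is what the device must trust. $exchangeHost and $outFile are placeholders; it needs PowerShell 2.0 for the script-block callback.

```powershell
# Added example, not from the original post. Export the certificate a mobile device
# must trust for ActiveSync over SSL, after checking it is the right one.
# $exchangeHost and $outFile are assumptions.
$exchangeHost = "mail.example.com"
$outFile      = "C:\Temp\ExchangeRoot.cer"

# 1. Fetch the certificate the server presents on 443. The callback accepts any
#    certificate because we only want to inspect it here, not trust it yet.
$tcp = New-Object System.Net.Sockets.TcpClient($exchangeHost, 443)
$cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
$ssl.AuthenticateAsClient($exchangeHost)
$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close(); $tcp.Close()

if ($serverCert.Subject -eq $serverCert.Issuer) {
    # Genuinely self-signed, no CA involved: the server certificate itself is what
    # the device has to trust, so that is what gets exported.
    $root = $serverCert
} else {
    # Issued by a CA: walk the chain to its top and insist that the top is self-issued
    # and present under Trusted Root Certification Authorities, not Intermediate.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($serverCert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($root.Subject -ne $root.Issuer) {
        throw "Chain for $exchangeHost ends at '$($root.Subject)', which is not a root; the CA root is missing from this machine's store"
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
    $store.Open("ReadOnly")
    $inRoot = $store.Certificates | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
    $store.Close()
    if (-not $inRoot) {
        throw "'$($root.Subject)' is not under Trusted Root Certification Authorities on this machine"
    }
}

# 2. Export as DER-encoded binary X.509 (.cer), the format the device import step expects.
[System.IO.File]::WriteAllBytes($outFile, $root.Export("Cert"))
"Exported '{0}' (thumbprint {1}) to {2}" -f $root.Subject, $root.Thumbprint, $outFile
```

Compare the printed thumbprint with the one shown under Settings → System → Certificates → Root on the device after import; if they differ, the device has a different certificate with the same name and the ActiveSync SSL error will persist.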
Saturday, 3 October 2009
It was great to meet the senior management team of Barracuda, and meet people so driven and inspired by them.
It was also a good opportunity to meet existing e92plus resellers and our Dutch work colleagues from e92plus NL, as well as meet other resellers from around EMEA. It was good to meet Keith, who recognised me from this blog!
The product the caused the most buzz at the conference was the new Barracuda Backup Service.
Using a Barracuda appliance and software agents, you will be able to back up the servers within your organisation. This obviously gives a great alternative to existing tape backups, with easy restoration and accessibility of your data as the appliance is onsite.
Obviously, you will say, what if something were to happen to the building, datacentre, appliance, etc.? Well, the other component of the service is an offsite backup solution. Previously this service was only available in the States, but due to data laws within Europe, the data should not be stored outside certain countries or Europe. The new datacentres for the European-wide launch of this solution will be based in the UK, with new datacentres opening around Europe as and when.
This allows data to be backed up onsite and restored quickly. In a DR situation, the data can be restored from the datacentres. You are able to select which data is sent offsite, so you can stop certain data from leaving your organisation.
More detailed information on the Barracuda website regarding the Barracuda Backup Service
The product is officially being launched on 14th October at Storage Expo 2009, and e92plus are holding sales training on 23rd October.
How much is the service? Well, aside from the appliance and subscription cost, the offsite data storage is purchased in 100GB chunks, at only....... €69 per month per 100GB!!!
Work out the cost of your existing tape solution, and the savings will become obvious.
Thursday, 1 October 2009
I have a number of Virtual PC guests which use the old version of Virtual PC. I have obviously installed Virtual PC RC in order to get XP Mode, which allows me to use IAG within the 64-bit environment.
My older Virtual PC files don't work in Virtual PC RC!!
So, sensing a time for change and to purge the elements I don't use, I recreated the Virtual PC sessions on VPC RC. At this point I think I should try out UAG in a demo environment, but as I have to use Windows 2008 R2 Beta, I discover that Virtual PC doesn't support 64-bit guests, and I seem to get jerky guest sessions unless I allocate a lot of memory and install the integration software. So what are my alternatives?
I have used VMware Server in the past, and although the software supports 64-bit guests, the number of services it uses makes me investigate how to stop these services when I'm not using VMware. I end up switching all the VMware services to Manual, and then creating a batch file to start them.
After much snooping and Googling, I discover Sun VirtualBox.
I find that it is very easy to use, it supports 64-bit guests (which seem to work better) and it is efficient with its resources (unlike VMware).
Sun VirtualBox is now my main client for any virtualised environment!! (and best of all, it's free!!)
Thursday, 24 September 2009
After QA testing from Celestix, IAG SP2 Update 2 is now available from the Celestix website.
The following issues are addressed with this update:
- Fixed erroneous IAG behavior when headers contain blank characters
- For trunks which do not publish an AAM application, the IAG Session cookie will be a site cookie instead of a domain cookie
- Fixed bug for supporting Citrix XenApp5 application
- Fixed parsing of text/html response Content-type (not binary) body using Chunked encoding type
- Fixed a failure occurring when using IAG’s Socket Forwarding client component on a Citrix terminal server
- Fixed a SharePoint Persistent Cookie Name Race Condition
- Fixed an Authorization Key header memory corruption when using an "Authorization Key" header
- Fixed a failure in the endpoint detection policy of AVG on the client computer (mistyped value in the detection policy expression)
- Fixed an Incorrect header removal when header is substring of another header
- Fixed Daylight Saving change leading to deletion of Internalsite and Portal rules
- The communication between Windows Mobile 6.1 and Exchange 2007 SP1 has changed slightly due to the updating of the EAS protocol to EAS v12.1 – added support/fix for it
- Allowed HTTP request header blocks above 2KB by modifying the MaxAllHeadersLen registry key, so that SNT no longer throws an error to the client when a request's header block exceeds 2KB
- Fixed non English locales inconsistent encoding/decoding detection
- Fixed few issues related to FormLogin authentication
- Modified the rule-set that broke Java SSL Wrapper
- Added iPhone and BlackBerry support
- Fixed non-IE detection security issues
Now I hope we are all aware that 64-bit Windows operating systems are not supported by IAG. I know there were rumours of 64-bit support being released with IAG SP2 Update 2, but that is not the case. We will discuss this update in a later blog posting.
Well I was fortunate enough to be provided with a new work laptop, which has a faster processor, bigger hard disk and more importantly 4GB RAM. I did initially install Windows 7 Enterprise 32-bit, but was disappointed to only see that 3GB was recognised by the OS (I would have lived with only 3.25-3.5GB being seen), so I bit the bullet and installed Windows 7 Enterprise 64-bit so that all the RAM is seen and can be used.
I know that Windows 7 64-bit lets you install applications as either 32- or 64-bit, so some things like Java should be installed twice to work with both the 32- and 64-bit IE browsers, while specific 32-bit applications can be installed and used. That said, the workaround detailed for Windows 7 32-bit does not work on Windows 7 64-bit!
Luckily, Microsoft have a Windows XP Mode as a solution: http://www.microsoft.com/windows/virtual-pc/download.aspx
By installing Windows Virtual PC RC and Windows XP Mode RC, you can run a virtualised XP on your Windows 7 desktop. There are no additional licences to consider, but you will need a processor with either Intel® Virtualization Technology or AMD-V™ turned on. I downloaded this application from the Intel website to check that my processor supports the feature: http://www.intel.com/support/processors/tools/piu/
I found these step by step instructions on Windows 7 XP Mode, which I found very useful: http://lifehacker.com/5245396/set-up-and-use-xp-mode-in-windows-7
Once installed and working, I also installed Avira Premium Security Suite to get rid of the Microsoft Security Centre red shield.
I created a shortcut to my IAG website in the All Users folder of the virtualised desktop. This also placed the shortcut in the Start menu of my Windows 7 Enterprise 64-bit. Clicking the link starts an IE browser to my IAG appliance from the XP virtual environment, which gives a pretty seamless experience, and I retain full IAG functionality.... phew!!!
Tuesday, 22 September 2009
People always assume that any hosted (or Software as a Service - SaaS, for the hip and groovy Twitter generation) solution is more expensive, but that is just a common misconception, along with these other common myths:
- Cost - It will be more expensive than an appliance or software
- Control - You will lose control of the solution
- Data Leaks - The solution will not be able to protect from data leakage
- Security/Privacy - Your email will not be secure
- Reliability - The solution will not be reliable
Well these should be addressed:
- Cost - Have all costs been taken into account, including additional hardware, subscriptions, bandwidth, storage, electricity and labour!
- Control - Websense provides 24x7 control, including policy control, user/group policies, LDAP synchronisation, message search facilities, end user quarantine and flexible reporting.
- Data Leaks - Websense includes built-in data leak protection, including dictionaries, deep content inspection and custom dictionaries with support for regular expressions.
- Security/Privacy - Websense is just another hop in the chain for the email. Websense is ISO27001 certified, and TLS can be used to create a secure channel to the Websense datacentres.
- Reliability - Websense provides a 99.999% availability SLA
To summarise the Websense Hosted Email Security:
- Increased protection, coupled with an SLA
- Reduce costs
- Retain control
Why wouldn't you use the hosted solution???!!!
A seemingly straight forward IAG implementation, with straight forward requirements:
The applications required were OWA and Citrix XenApp, with RDP as a nice-to-have. The authentication methods were Windows AD and VASCO, plus basic customisation and guidelines about housekeeping and DR.
We were replacing a SonicWALL SSL-VPN solution, which works in a single-NIC configuration, so a number of services were needed from the appliance back into the LAN. We started by reviewing the firewall rules, removing the existing SonicWALL SSL-VPN rules and creating port 80 and 443 access on the WAN side of the Celestix appliance, as well as double-checking existing NAT rules to ensure the external side was accessible from the internet.
The authentication methods were straightforward, but an oversight on the VASCO side delayed the deployment; after creating the back end to point at the IAG appliance, it was up and running!
OWA worked fine, but oddly RDP didn't work back to the blade servers, though it did to the Celestix appliance. Obviously a configuration on the blade servers needs to be modified, but that's not really my field of expertise. Apparently this blade server setup can be configured with a web interface, so that could be published as a generic web app once it's up and running.
The existing SSL certificate on the SonicWALL was moved to the Celestix appliance, after creating the CSR from within IIS and getting the supplier to reissue the certificate. It was getting late, but the certificate wasn't working: we were unable to access the website with it, but we could with the self-signed certificate. My gut feeling was an issue with either the CSR file or the creation of the CER file. We reverted to the self-signed certificate, but the customer was going to recreate the CSR and get another reissue..... I found out today that this solved the issue!! (Phew!)
The reason for this blog entry was really the issue we encountered with Citrix XenApp! Having deployed a number of Celestix appliances to work with Citrix Presentation Server, I was quite confident there really wouldn't be much difference with XenApp..... (How wrong I was!!)
I published the XenApp server and all seemed to work, but when you started an application we received the following message: Error: Cookies Required
My gut feeling was that, as XenApp worked before, the issue lay with the configuration within IAG. After a bit of searching, we found this Citrix article: http://support.citrix.com/article/CTX117597
Saturday, 19 September 2009
A bit of Googling found these instructions:
- Copy the folder located here from your Celestix WSA appliance: C:\Whale-Com\e-Gap\utils\OfflineClientSetup to a temporary location on your computer
- Find "Setup.exe" and set its compatibility mode to "Windows Vista SP2"
- Find "ComponentsConfig.xml", and edit the Network Connector entry so install="1"
- Run the setup.exe (as administrator)
- Select either normal or custom, depending on what is required
- Ignore the error "Can not register Whale Client Components whlvaw.dll" and finish the program
- Start the Command Prompt as Administrator, then start PowerShell within the command shell
- Switch to the path "C:\Program Files\Whale Communications\Client Components\3.1.0"
- Execute the command: "regsvr32 whlvaw.dll" (Attention: ignore the warning about the driver installation and select YES)
- The Network Connector should work as long as you start Internet Explorer as Administrator, because "whlioc.exe" and "whliocsv.exe" require local administrator rights.
The original post is here: http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/a7ca54cc-60e7-467a-961c-fc4b32151249 - Thanks Joerg! :)
Wednesday, 16 September 2009
Can IAG be used to protect internal systems? Yes, but you have to get your networking principles correct!
Although I have not done this, I understand the principle and I know where this has been deployed.
Imagine you run a datacentre (a proper datacentre, and not a glorified server room!!!) where physical security is as important as network security.
With an IAG server deployed to service a datacentre, you no longer have to give physical access to your datacentre for software installation/configuration/reconfiguration.
So in reception you have a number of PCs which can access the external side of the IAG appliance. Authentication is set up using a one-time password (OTP) solution, so they are only able to access the server this one time. You could also restrict access to the trunk to only the computers in reception.
When they log in, they can either be presented with a portal showing the RDP connections to the servers they look after, or have the RDP session itself as the start-up application, rather than a portal.
Just remember that you still need two network segments for this to work, as IAG cannot run in a single-NIC setup, as explained previously in this blog.
We started by configuring the Celestix Load Balancer (also known as CLB); after configuring the solution we were informed that the internet lines would be a number of weeks away, and we would not know whether the IPs provided would be external internet-facing IP addresses or NAT'd internal addresses. Why would this be an issue?
Well, the customer wanted four IAG portals, and each portal would have to be created on both appliances. With the CLB in front of the IAG appliances, the way the IP addresses are presented affects how the solution is deployed.
If the addresses are external facing, we would need 12 external IP addresses, three for each portal (one on each appliance, and one for the virtual IP). If the addresses are NAT'd, then only one external address per portal is needed, as the virtual IP.
We only configured one IAG appliance, and then backed up and restored the configuration on the second IAG appliance. Obviously the IP addressing needs to be changed, and the certificate information to be modified, but that was pretty much it.
We were deploying OWA, Sharepoint, Citrix, Mapped Drives, File Access, RDP and an IIS based intranet site.
From an authentication perspective, we looked at AD, AD & HOTPin, AD & VASCO Middleware (RADIUS) and just HOTPin. As expected, the authentication methods were straightforward and I got a chance to use HOTPin a bit more. We configured HOTPin on the primary box, and had the secondary box referencing the primary box. You only have to allow port 10000 between the appliances, and using local administration credentials is fine. The only pain was HOTPin not scanning AD subtrees correctly, which means each OU would need to be defined when importing users, but I'll let Celestix know about that.
We also encountered the Java issue, so that was resolved using the fix from one of my previous blog posts.
We can only complete the deployment, once we know how the IPs will be presented.... which will also impact the way we can balance the load (do we use DSR or not, VRRP, Loopback adapter configuration, etc, etc).... Let's see!
Thursday, 10 September 2009
Pretty straightforward today, where we used Windows 2003 and a RADIUS-based authentication solution called SecureIT.
Applications we deployed were OWA, a couple of intranet sites, RDP session and Network Connector.
The appliance was deployed in a workgroup, so we needed to use FQDN for the internal servers.
SecureIT requires the IAG server to be defined within the software, which includes IP address and which ports to use.
There was an issue with the Network Connector, which seemed to lie with the authentication methods being defined and then changed. We needed to define both AD and SecureIT as the authentication methods, and then re-define the Network Connector.
There was an issue with the external IP address, but fortunately we could prove it works with a crossover cable and a laptop defined with an IP address on the external range.
Tuesday, 8 September 2009
Yes, IAG will work with VASCO!
VASCO Middleware and Identikey use the RADIUS protocol, and RADIUS can be configured as one of the authentication methods on IAG.
You will need to define the VASCO server, along with the correct ports and shared secret.
I would configure Windows AD authentication and VASCO, so the user would need to login with AD username, AD password and VASCO one time password.
In the past, I have installed VASCO Middleware on the IAG appliance, but this would be subject to the number of users/tokens required. Unless you are looking at single figures of VASCO tokens, I would recommend that the VASCO server be installed somewhere else.
I knew that this proof of concept was more demanding, as we were looking to use AD, RSA and KCD authentication, and deploy a number of applications.
The trunk was created and it was configured to use RSA (via ACE server) and Windows 2003 (using KCD), but with this configured the login page would not be delivered.
We agreed to disable the KCD in order to carry on with the POC. The next issue was RSA!! The RSA client is installed on the appliance, but required RSA files to be copied on to the appliance to get it to work. I don't deal with RSA, but fortunately the customer resolved this.
After a little confusion about RPC access, let me be clear: the IAG appliance does not support the use of ISA features!! ISA is there for the SSL-VPN, and its features should not be used for anything else!
We deployed OWA, Citrix, Sharepoint, File Access (using a NetApp filer), Network Access, RDP sessions, telnet, as well as discussed policies and customisation.
Outlook access was being left on the MSA appliance, where ISA would manage the RPC connection.
I expected difficulties with the NetApp filer, but as it can be accessed via NetBIOS, all the shares were visible through the File Access application.
The POC went smoothly and it was fortunate that I was working with someone technical! Some of the issues I'd normally have to work around with HOST files or self signed certificates were avoided as the customer knew what to expect! Thanks Matt!
Monday, 7 September 2009
I didn't manage to speak to the end user before this proof of concept, but I was pretty confident that I could deal with most situations.
Luckily we were deploying OWA, Citrix, Sharepoint and RDP sessions.
It all went swimmingly and the only difference was that we were using an external IP address directly on the appliance, instead of using a DMZ. This was fine until....
We tried to deploy an additional trunk for third parties/contractors, and this was where, using two external IP addresses on the NIC (one as an alias), we came unstuck.
The box would only hold one external IP address, and would not release it correctly to allow access for the other trunk.
Previously when I have deployed a similar solution, we were using DMZ addresses, so that seemed like the logical solution.
Once the firewall was configured correctly within the DMZ with the correct NAT rules, it worked perfectly!
Thursday, 3 September 2009
Sunday, 30 August 2009
Friday, 28 August 2009
I created a bootable memory stick so that I could install Windows 7 on my Advent 4211 netbook (MSI Wind clone) and have done the same for a few friends who are not so computer literate.
This website gives very good step-by-step instructions on how to do this: http://www.intowindows.com/how-to-install-windows-7vista-from-usb-drive-detailed-100-working-guide/
Bear in mind you will need a Vista or Windows 7 machine in order to create this.
Thursday, 27 August 2009
As you may have gathered, I do a lot of work with the Celestix WSA appliance, deploying numerous solutions as well as carrying out proofs of concept and web demonstrations.
I've been trialling Celestix HOTPin for a little while on my demo Celestix WSA appliance. What is Celestix HOTPin?
Celestix HOTPin is a two factor authentication solution. Just to reiterate what the different factors of authentication are, we can provide:
- Something you know - Passwords, PINs, etc.
- Something you are given - One time passwords, tokens, etc.
- Something you are - Fingerprint, iris scan, etc.
To have a two factor authentication solution, you should ensure that your users utilise two of these methods for authentication.
Celestix HOTPin is a one time password (OTP) solution, but rather than use the traditional method of hardware tokens, the passwords are generated on soft tokens. A soft token is a piece of code that can run on other hardware, rather than requiring a dedicated piece of hardware such as a token.
Celestix HOTPin will run on Blackberry, iPhone and Smartphone/Windows Mobile devices, as well as 32-bit Windows machines. The software can be protected with a PIN, so even if your mobile telephone or laptop is found, the PIN should prevent an OTP from being generated.
If you have an SMS gateway (a device that can send text messages from your network) then the OTP can be generated by Celestix HOTPin and SMS'd over to the mobile device. A great back up solution, which does not require software to be loaded on a mobile device, but not so great if you are in a reception blackhole unable to get a mobile signal!!
The Celestix HOTPin software currently integrates with the Celestix WSA appliance, which saves the need for additional hardware to run this solution. The software is managed centrally on the Celestix WSA appliance, via a very familiar interface if you are used to the Celestix products.
As mentioned before I have been running this on my trial appliance, where I have deployed both the 32-bit Windows client and the Blackberry client. Both of them do exactly what you expect, they generate an OTP!!
In my demonstration environment, I check for a number of items at the login page, including:
- Windows AD Username
- Windows AD Password
- Celestix HOTPin (PIN & OTP)
I'm so happy with how easy it is to install and manage, I will be deploying this into my live environment that we use at e92plus.
If you want to see a demonstration of the Celestix WSA appliance with the various authentication methods running, please contact www.e92plus.com and we'll organise a web demo.
Tuesday, 25 August 2009
Probably best to start with the basics first, and some more useful information gathered along the way.
The starting point with most applications should be this document regarding applications that IAG is aware of: IAG Application Aware [1.0Mb]
Someone pointed me towards these Microsoft blog entries, which give a little more detail:
Publishing Microsoft Activesync through IAG2007 - Part 1 of 2
Publishing Microsoft Activesync through IAG2007 - Part 2 of 2
Another useful component is this Microsoft Exchange Server Remote Connectivity Analyser, which can test the connections to ensure your configuration works. (Thanks Andrew for showing me this, it will be very useful!)
The analyser will allow you to check the connection including SSL certificates and server name, connection to the trunk, AD authentication, connection to the Exchange server and the OPTIONS commands.
The issues we had today were regarding the OPTIONS commands, as everything else seems to work. More investigation to follow..... and hopefully an answer!
Thursday, 20 August 2009
Strangely in a matter of minutes I had two very similar questions, from two different resellers working with different end users.
They looked at the Barracuda Web Filter as it was a very cost effective URL filtering solution. The issue was that they did not want to deploy it as an in-line/transparent deployment, for a couple of reasons.
First off, what is an in-line/transparent deployment? This is where the solution will sit between the firewall and main switch, and transparently monitor the traffic, and intercept the internet traffic as necessary.
The other deployment is to use the solution as a forward proxy, where all the internal traffic is routed to the proxy server, which, as the name suggests, goes out to the internet on behalf of the computer making the internet request.
The transparent deployment has a number of advantages, such as supporting application blocking, automatic pass-through if there is a system failure (on the 310 or above), the client browsers will not need to be modified and the client's IP address will be passed to the firewall. The downside is that during the initial setup there will be an interruption to the network traffic and some static routes may need to be configured.
With the forward proxy deployment there will be no need to interrupt the network traffic, and static routes will not need to be configured. The flip side is that as the Web Filter will only be able to scan the outbound HTTP traffic, it will not be able to block by the applications listed, IP addresses specified or specified ports. It will not be able to scan non-HTTP traffic for viruses or spyware, and the client browser must be populated with the proxy server IP address.
The first customer I spoke to today had a highly distributed network, with a large number of subnets and VLANs, whereas the second customer had a complicated double-layer router set-up, with crossed and looped patching, so we were unable to find a single cable to intercept.
The two customers had a common comment, which was the Barracuda website did not highlight it was possible to use the Barracuda Web Filter as a forward proxy. As ever, I would recommend the services of a good distributor, before saying no!!!
Wednesday, 19 August 2009
They were having issues connecting their PC to an IAG solution! For some reason, since the AV change from McAfee to Avira, they were unable to access an IAG solution. The IAG solution was not deployed or implemented by e92plus, so it was just fortunate that I work with both products.
My initial reaction to the description of the problem, was that the IAG solution was not up to date, and lacked IAG SP2, which would give WMI recognition which works with all versions of Avira. Prior to SP2, IAG would only recognise Avira V6 or V7. The reseller checked with the IAG supplier and it turns out that SP2 is already installed.
My colleague tried to access the site from an XP machine running Avira 8, and was able to access it. The reseller had installed the latest version of Avira Professional, which is version 9, and the assumption was that that was the problem. I tried to access the site from a Vista machine running Avira 9, and again I was able to access the site!
With a bit more digging, it turns out that the endpoints must meet three criteria before they are able to login.
- Must have an anti-virus application running
- Must have a software firewall running
- Must have the IAG components installed and running
So at e92plus we also use an IAG appliance, which would explain why we were able to access the site. This would mean that our machines meet the above requirements as all these components were installed.
Checking with the reseller, we highlighted that without the IAG components installed, it would not work. These components will require administrative rights to install. Despite their frustration, I was not able to help from an IAG perspective, but pointed them in the right direction, as the offline installation package may be required due to a corrupted installation, or not having administrative rights when the initial installation was run.
They were able to access the site from both Vista and XP machines with Avira version 9, as well as e92plus proving that we were able to access from Vista and XP machines with both Avira version 8 and 9.
The issue that the reseller now has is that on site, it will not work with their client's machines, and the finger was pointed at Avira.
I can categorically say, I don't believe the issue lies with Avira, as we were able to prove from a number of machines that it works. Despite this, it was requested that we escalate this with Avira, and they also see no issue with their product!!
Although I understand our reseller's frustration, the troubleshooting needs to be on the IAG side or the client installation, rather than the AV! The troubleshooting should start with the log files from the IAG server, but as the supplier of the IAG solution seems reluctant to help our reseller, they are stuck between a rock and a hard place!!
We had a number of applications to install, including OWA, Intranet site and RDP which all were very straight forward.
They run a number of Citrix servers, but we had an issue publishing this. Publishing as a browser embedded application, we had issues as we could not apply a root certificate to the browser. The end user will create a web based Citrix environment, which I will remotely configure once this has been deployed.
I got a call from a reseller, where there was an issue with an RDP session, where the application would start up the Windows Remote Desktop Client, but would not populate the server name. The fix is to set the Initial Server as the server you want to RDP to.
There was also a query about how to use local drives within an RDP session. It's something I've struggled with in the past, but as it wasn't essential I didn't get a chance to get a definitive answer. Something to look into...
Tuesday, 18 August 2009
I work with Websense a lot as well, and it's easy to forget that Websense not only provide web filtering, but also email and data security products.
Today, I ran a web demo for a Websense Web Security solution, which runs perfectly in an ISA environment, including the Celestix MSA appliances. The discussion turned to Web 2.0 and user generated content, where a solution such as Websense Web Security Gateway comes into its own.
Websense WSG has to run on a Linux platform and will not run on Windows. This solution can be the proxy and cache server, negating the need for a third party proxy such as Bluecoat or Microsoft ISA server.
WSG runs an anti-virus scanner at the gateway, which is not supplied with Websense Web Security, but could be an add-on for Microsoft ISA server, where something like Avira AntiVir for ISA Server would work.
Another shortcoming of Websense Web Filter or Web Security is that it can not deal with user generated content or SSL encrypted content.
Traditional web filtering solutions cannot filter feeds into pages such as iGoogle. The page is "seen" as being google.com, so it is completely allowed; the problem is that iGoogle can have feeds from Hotmail, GMail, Facebook, etc. which are normally blocked. By using WSG, the individual feeds can be allowed, blocked, quota'd or confirmed.
Traditional web filtering solutions will not be able to filter SSL packets, but the Linux gateway will be able to be the "man in the middle", where it will be able to decrypt, inspect, and either discard the packet or re-encrypt the packet and forward it on.
Content inspection can also be carried out on the fly!!
With all these features of dynamic user content filtering, SSL filtering and on the fly content filtering, why aren't users jumping at this product? The issue is not really price, but rather the Linux server that the software must run on!! It's amazing how many people are still put off by Linux!!
Monday, 17 August 2009
They currently run VASCO, but found it a bit of a hassle having to issue and manage tokens, and it would not allow for a pandemic situation, where there would be a need for more people than usual to have access to a remote solution.
There was mention of some solutions that relied on grids, pictures, icons, keys on screens or security questions.
I had to take a step back and talk about two factor authentication, which should be:
- Something you know - Username, password, passphrase, answers to static questions
- Something you are given - One time password, digital certificates
- Something you are - Biometrics, such as fingerprint, iris scan
If you are using a solution that still relies on something you know, such as your username and password, along with a picture/icon you know, it surely is still just one factor of authentication, albeit a strong one. This may stop brute force attacks or keyloggers, but all the security is based on information you know. As we all know, security is normally compromised by the human element!
Although it can be an administrative overhead running a VASCO solution, you don't have to pre-issue the tokens. Send an unassigned token to the user, and get them to log into a self assignment website. This will obviously remove the need for the administrator to go through the time consuming process of assigning a token and then posting it out to a user. There is also a security concern when the token is already assigned, as the user details are probably on the envelope!!
VASCO can work with an existing RADIUS server, which is normally considered "AAA" or triple A. The "AAA" stands for Authentication, Authorisation and Accounting. The VASCO server will carry out the Authentication component, but a RADIUS server can then deal with the authorisation and the accounting. This way we can be sure of who the user is, what services they can access, and account for what they have used.
There was also a comment about not liking hard tokens, so why not use VASCO tokens that run on mobile phones, soft tokens to run on a computer, or an SMS solution to text the one time password out to mobiles.
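To show how the soft token and SMS OTP options above, and the HOTPin soft token described earlier, differ from a static secret, here is an added example (not Celestix HOTPin's, VASCO's or this blog's code). The page does not describe HOTPin's algorithm, so the generic RFC 4226 HOTP scheme, the 6-digit length, the look-ahead window and the sample seed, user and PIN are all assumptions; the point is the server-side check that combines a PIN with the OTP and rejects replays.

```python
"""Generic HOTP soft token with a PIN-protected server check (RFC 4226).

Added illustration only. HMAC-SHA1 over a counter, 6 digits, a look-ahead
window and the sample seed/user/PIN are assumptions, not HOTPin internals.
"""
import hashlib
import hmac
import struct

# Constructed sample seed (the RFC 4226 test-vector seed, not a real secret).
SECRET = b"12345678901234567890"
DIGITS = 6
PBKDF2_ROUNDS = 10_000  # kept low so the example runs quickly


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def pin_hash(user: str, pin: str) -> bytes:
    """Salted PBKDF2 of the PIN so the server never stores it in clear."""
    salt = hashlib.sha256(("pin-salt:" + user).encode()).digest()
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


class SoftToken:
    """Client side: the code on the phone or laptop. Each press consumes a counter."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def next_otp(self) -> str:
        otp = hotp(self.secret, self.counter)
        self.counter += 1
        return otp


class OtpServer:
    """Server side: per-user seed, next expected counter and PIN hash."""

    def __init__(self, look_ahead: int = 5) -> None:
        self.look_ahead = look_ahead  # how far the token may run ahead of the server
        self.users: dict = {}

    def enrol(self, user: str, secret: bytes, pin: str) -> None:
        self.users[user] = {"secret": secret, "counter": 0, "pin_hash": pin_hash(user, pin)}

    def verify(self, user: str, pin_and_otp: str) -> bool:
        """Accept PIN+OTP only if the OTP's counter is within the window ahead of the
        next expected one; a match moves the counter past it, so replays fail."""
        rec = self.users.get(user)
        if rec is None or len(pin_and_otp) <= DIGITS:
            return False
        pin, otp = pin_and_otp[:-DIGITS], pin_and_otp[-DIGITS:]
        # PIN result is combined at the end, not used as an early exit.
        pin_ok = hmac.compare_digest(rec["pin_hash"], pin_hash(user, pin))
        for c in range(rec["counter"], rec["counter"] + self.look_ahead):
            if hmac.compare_digest(hotp(rec["secret"], c), otp):
                if pin_ok:
                    rec["counter"] = c + 1  # this and every earlier OTP is now dead
                return pin_ok
        return False


def demo() -> list:
    """Enrolment, a good login, a replay, a token that ran ahead, a wrong PIN, out of sync."""
    server, token = OtpServer(look_ahead=5), SoftToken(SECRET)
    server.enrol("alice", SECRET, "1234")
    first = token.next_otp()  # counter 0
    results = [server.verify("alice", "1234" + first)]  # True: fresh OTP, right PIN
    results.append(server.verify("alice", "1234" + first))  # False: replayed
    token.next_otp(); token.next_otp()  # two OTPs generated but never submitted
    results.append(server.verify("alice", "1234" + token.next_otp()))  # True: counter 3
    results.append(server.verify("alice", "9999" + token.next_otp()))  # False: wrong PIN
    for _ in range(6):  # run the token well past the look-ahead window
        token.next_otp()
    results.append(server.verify("alice", "1234" + token.next_otp()))  # False: out of sync
    return results


if __name__ == "__main__":
    print(demo())
```

An out-of-sync token is what a self-service resynchronisation page fixes: the user submits two consecutive OTPs and the server searches a wider window once, rather than the login path doing so every time.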
Friday, 14 August 2009
It was a pleasant surprise to be invited by my boss to attend this event from a technical perspective. I'm hoping this will give me a better insight into the product roadmap, as well as how to effectively structure proofs of concept.
It will also be interesting to look round Prague as I have never been there before.
Anyway.... a couple of IAG bits to cover:
1) An evaluation that needed to be scoped! Some interesting bits as they want to look at: RSA (ACE), Celestix HOTPin, KCD and Windows 2003 AD authentication, with OWA, Sharepoint, File Access and Citrix (Web & client based). I'm confident with all the components, except for the KCD. Anyone who has ever worked with KCD will know it's not always straightforward! Research will happen next week, so we'll see from there.
2) Pre-sales call, where we needed to be able to publish Terminal Server and use Swivel as the authentication method. IAG can either "pop" the RDP client and create a secure tunnel to connect the client to the Terminal Server, or to connect to TSWeb, which will then connect to the terminal server. It's not like AEP Netilla, which will start up a Java RDP client, which will allow any machine with Java to be able to connect to a Terminal Server. As for Swivel, I know a number of IAG/Whale Communication partners that use Swivel as the authentication method, but not something I've used. If it's based on RADIUS, then the only thing that the customer will need to investigate is how to ensure the webpages are displayed correctly.
A few things to look up to learn a bit more, so KCD and Swivel research!!
Tuesday, 11 August 2009
In fact, my eyes are being checked to see if they are suitable for treatment in the morning, and if all goes well they will be lasered in the afternoon. If I am suitable, then there won't be any updates for a little bit.
Wish me luck!!!
We tried the VMWare View configuration first, but it seems that the Security Server element wasn't deployed, so they cracked on and deployed one!!
We spent a little time getting the IP phone working, but it seems that the ports that I Googled didn't let it work!! We ran Wireshark, but nothing showed up that we didn't already allow. The conclusion was to do one of two things; call up the supplier and see if they can shed any light on the port configuration, or utilise the NAT feature on the IP softphone, which would allow the traffic to traverse the firewall and not use the SSL-VPN!
We ran through the customisation element of the IAG appliance. Initially we used the component on the Celestix web UI, which avoids the need for looking at the coding. The next element was to look at how to manually modify the site.
This guide was written by Michael Riva, who attended the same IAG course as me, which helps with the basics:
Also check out the manual (the link of which is below) which was written by someone technical, so you are not treated like an idiot!!
We also installed CAPTCHA on to the appliance, which requires a sub-400Kb file to be installed on the appliance, and some minor changes to the URL sets to make it work. What is CAPTCHA? More information here: http://www.captcha.net/ Contact Celestix for more information as to how you can get this on your Celestix WSA appliance.
We ended the day talking about administrative tasks, backing up configurations and most importantly... changing all the default passwords!!
Another happy customer! It's great to be involved from the beginning, carrying out the webinar and presales component, understanding the customer's requirements, architecting the solution, scoping out the implementation, then carrying out the implementation! :)
Monday, 10 August 2009
This was a slightly different implementation as the firewall is hosted offsite and they don't have a traditional DMZ. After a couple of chats with the ISP, we managed to get a new subnet implemented, creating a virtual DMZ. Bear in mind that IAG cannot be deployed on a single-NIC server; it needs to have an external and an internal zone.
The customer had a number of requirements, including OWA 2007, SharePoint, RDP access, an intranet site, file access and granular endpoint/access policies, which all went swimmingly, as well as ensuring that the appliance was correctly service packed to SP2 Update 1.
The challenges today (and there are always challenges with an IAG installation) included SSH connections to Linux servers, and a Telnet terminal emulation application. These were made to work as bespoke client/server applications, along with automatic startup of the associated applications and the correct switches to start them up on the correct screens. These should have been straightforward, but as everyone uses different clients, the testing of the various switches took a bit of time. There was also an issue with a static route, which had been dictated incorrectly; as ever, check the obvious first, such as..... manually entered IP addresses!!
So a fair chunk done for the day, but two things left me scratching my head. Two outstanding applications need to be dealt with, as I have never seen or used either before. The first was a VMWare View implementation and a Mitel 8602 IP Softphone. As I'm in a hotel tonight, it gave me a chance to do some Googling and see if any of this helps.
VMWare View (deploy as a browser embedded application):
- Frontend: ports 80 & 443
- Backend: ports 3389 (RDP), 4001 (JMS) and 8009 (AJP13)
Mitel 8602 IP Softphone (deploy as a client/server application):
- 5566 - TCP
- 5567 - UDP
- 5004 to 5069 - TCP
- 6004 to 6247 - TCP & UDP
We'll see if those fix the issues tomorrow! Then it only leaves customisation, administration overview and housekeeping, which means a packed day ahead!
Sunday, 9 August 2009
The range currently includes the Celestix MSA (Microsoft ISA appliance), Celestix WSA (Microsoft IAG SSL-VPN appliance), Celestix Load Balancer (Linux based load balancer) and Celestix HOTPin (Celestix's own two factor authentication solution). As a number of the deployments from e92plus are Websense Web Filter/Web Security integrated with ISA server, there will be a requirement to understand that as well.
Previously this role was covered by me, which was fine when we had a lower volume of calls, but as the Technical Manager, I have a number of other tasks to cover as well. The idea is to remove the day-to-day Celestix requirement from me and have a dedicated engineer. Obviously I'll be there as a back up and mentor for whoever takes on this role.
For those interested, here is the job description:
Feel free to contact me on the blog address, if you are interested in this role, or have any questions.
Friday, 7 August 2009
- MCSE:Security 2003
- MCSA:Security 2003
- MCTS:ISA 2006
My current bedtime reading is this: http://www.dummies.com/store/product/CISSP-For-Dummies-2nd-Edition.productCd-0470124261.html
It's only to whet my appetite, until I have the time to read the proper books!
The fix (found here: http://forums.forefrontsecurity.org/?g=posts&m=553):
The default rule set blocks the Java client, so make the following changes to the URL list:
_helperagent_mac_helperagent_lin_helper)\.jar) change Parameters value Reject to: Ignore
Duplicate rule 29: Change URL value of new rule to: /internalsite/com/whale/sslvpnclient/whalesslvpnclient/class.class
It worked for my Firefox users, but didn't impact me using ActiveX clients on IE8.
It's a remote application delivery platform or, as some would call it.... an SSL-VPN.
It's a way of delivering the applications you use internally at work to an external audience via HTTPS.
The IAG can interrogate computers to check what operating system they run, whether specific applications are running (such as anti-virus software, software based firewalls, etc), whether the computer is a member of a domain, etc.
By coupling endpoint checks with user credentials, a granular understanding of applications, reporting and monitoring, we have a secure delivery method: we can ensure the correct users can access the correct applications from approved computers, and we can see who accessed what and when. Sounds pretty comprehensive!!
This product was originally made by Whale Communications and was developed about ten years ago, prior to being bought out by Microsoft. This software platform is available on the Celestix WSA appliance. If you are based in the UK and want to evaluate an appliance, contact e92plus on 020-8274 7000
Some useful resources for those new to IAG are available here:
Celestix WSA Quick Start Guide [3.8Mb]
Microsoft IAG User Guide [3.32Mb]
Microsoft IAG Advanced User Guide [2.77Mb]
Microsoft IAG 2007 Service Pack 2 - Notes
Microsoft ActivePerl (which must be installed prior to SP2) [15.8Mb]
Microsoft IAG 2007 Service Pack 2 [36.5Mb]
Microsoft IAG 2007 Service Pack 2 Update 1 - Notes
Microsoft IAG 2007 Service Pack 2 Update 1 [19.8Mb]
Celestix make hardened Windows appliances that run Microsoft ISA Server, and Microsoft IAG Server.
I have been a Microsoft Certified Professional (MCP) since 1998... (yes, I'm that old and then some!) and have worked with NT3.51 through to Windows 2008.
It seemed like the logical step for me to take the Celestix product range under my wing.
I started playing with Windows ISA 2006 nearly three years ago, but a majority of these deployments have been as a proxy and cache, but have seen the other flavours as well.
Any way the point of this post is to list the useful resources that have helped me along the way:
http://www.isaserver.org/ - A proper ISA guru - Thanks Tom! :)
http://blog.msfirewall.org.uk/ - Jason Jones of Silversands is an MVP based in the UK
http://tmgblog.richardhicks.com/ - Recently I met Richard Hicks of Celestix, and this is his blog
The exam covers all aspects learnt in the last two days and is an open book exam which I know some people love and some people hate. I have to say that in the "real world" you'd be able to look at the product, speak to people, refer to manuals, use Google, etc, so I agree with open book exams.
Fortunately, I passed the exam to gain more VASCO qualifications. That now means I'm a VASCO Certified Engineer (VCE) for Middleware 3.0, aXsGUARD 7.0 and now Identikey 3.1. As I passed with over 80%, it also qualifies me to carry out training in this product as well.
e92plus are now an Authorised Training Centre for VASCO Identikey, as well as an ATC for Websense and Cyberoam.
We'll start to run the certified training course for VASCO Identikey 3.1 from September 2009, so I may see you soon! :)
Thursday, 6 August 2009
RSA?? Nope, although that's probably the answer, if you spoke to someone in the UK or US.
Speak to someone in Europe or from the banking industry, then the answer would be.... VASCO!
VASCO provide tokens to commercial banking worldwide and in fact to all verticals, and as such have more functioning tokens in the real world than any other token provider.
I spent today in technical training, learning more about VASCO Identikey 3.1. Vasco is one of the vendors that we distribute for at e92plus.
Initial reaction is that it's much better structured than the old VASCO Middleware 3.0 course. I'd highly recommend this course for someone new to two factor authentication, as well as someone who has experience of other solutions.
Advantages over Middleware, include a web interface, reporting, much improved AD integration and a SOAP interface. More to come tomorrow, along with an exam!!