May 06 2015

How to Deny / Force VLAN Access to a Mac Address on Cisco

Published under Cisco, Security

Different methods exist to filter out MAC addresses on a switch, such as:
– port security,
– MAC access lists, or even
– 802.1x port-based authentication with RADIUS.

MAC access lists require a higher-end switch, while 802.1x authentication is a fairly heavy setup and requires maintaining a MAC address database on a RADIUS server.
Port security lets you accept some MAC addresses on a port, but what if you don’t have an exhaustive list? Or if you want to deny a MAC address access to a specific VLAN?

All Cisco switches have a basic feature that lets you configure static MAC addresses. Here are 2 simple commands that will help in different scenarios.

Deny a Mac Address on a VLAN

You want to prohibit a machine from being on a specific VLAN because that VLAN has special permissions, such as internet access, while the others don’t.
You can deny a specific MAC address on a particular VLAN with the “drop” option:

Cisco(config)# mac address-table static 0023.64a4.0e8c vlan 49 drop
Cisco(config)# do show mac address
  49    0025.64a4.0e8c    STATIC      Drop


Force a Mac Address on a VLAN

You can also do it the other way around: force a MAC address to work on a particular VLAN and port only, to make sure it is isolated from the rest of the network (if the VLAN is configured that way). Think of that old Windows XP box running an old piece of software you cannot get rid of 🙂

Cisco(config)# mac address-table static 0023.64a4.0e8c vlan 48 int fa0/35
Cisco(config)# do show mac address
  48    0025.64a4.0e8c    STATIC      Fa0/35


This prevents anyone from reaching the wrong VLAN just by moving the network cable to another port, intentionally or accidentally, if they have access to the network cabinet. Keep in mind that the entry matches only on the MAC address, which is not an authenticated identity, so treat it as a guard against mistakes rather than a replacement for port security or 802.1x where you need to keep a determined user out.
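Once the static entries are in place, it is worth verifying on the switch that they are really what you think they are. The script below is an added example and not part of the original post: it parses “show mac address-table” output (here a constructed SAMPLE_TABLE; on a real switch you would paste or pipe in the actual output) and checks that a denied address shows as Drop on its VLAN and a pinned address shows on its port, and it also lists where the switch has learned the same address dynamically. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the post: audit a switch's "show mac address-table"
# output against the static entries you intended to configure.

# mac_entry TABLE MAC VLAN: print the Ports column of the STATIC entry for
# MAC on VLAN ("Drop" for a denied address), or nothing if there is none.
mac_entry() {
  printf '%s\n' "$1" | awk -v mac="$2" -v vlan="$3" '
    $3 == "STATIC" && $1 == vlan && tolower($2) == tolower(mac) { print $4; exit }'
}

# check_mac_policy TABLE MAC VLAN EXPECTED: EXPECTED is "Drop" for a denied
# address or the port (e.g. Fa0/35) it is pinned to. Prints OK, MISSING or
# MISMATCH:<what the switch actually has>.
check_mac_policy() {
  actual=$(mac_entry "$1" "$2" "$3")
  if [ -z "$actual" ]; then
    echo MISSING
  elif [ "$actual" = "$4" ]; then
    echo OK
  else
    echo "MISMATCH:$actual"
  fi
}

# dynamic_sightings TABLE MAC: list "vlan port" pairs where the switch has
# learned MAC dynamically. For an address you pinned or denied, a dynamic
# entry on another VLAN or port is worth a look.
dynamic_sightings() {
  printf '%s\n' "$1" | awk -v mac="$2" '
    $3 == "DYNAMIC" && tolower($2) == tolower(mac) { print $1, $4 }'
}

# Constructed sample in the format of "show mac address-table" (not real data).
SAMPLE_TABLE='          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  49    0023.64a4.0e8c    STATIC      Drop
  48    0023.64a4.0e8c    STATIC      Fa0/35
  48    0011.2233.4455    DYNAMIC     Fa0/36
  50    0023.64a4.0e8c    DYNAMIC     Gi0/1'

check_mac_policy "$SAMPLE_TABLE" 0023.64a4.0e8c 49 Drop     # OK
check_mac_policy "$SAMPLE_TABLE" 0023.64a4.0e8c 48 Fa0/35   # OK
check_mac_policy "$SAMPLE_TABLE" 0023.64a4.0e8c 47 Drop     # MISSING
dynamic_sightings "$SAMPLE_TABLE" 0023.64a4.0e8c            # 50 Gi0/1
```

The last call shows the limit of the static entry: pinning the address to Fa0/35 in VLAN 48 says nothing about VLAN 50, so a dynamic entry there is exactly the kind of thing the audit should surface.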

 


Apr 19 2015

Deploy IBM iSeries Client Access with Windows Group Policies

Published under AS400

Client Access can be deployed by GPO with the MSI file provided in the installation directory. However, you will have to create an MST file containing the custom parameters that are applied on top of the MSI.


Create a Transform file

The transform file contains customized settings you may apply to the software you are going to deploy via group policy. The MSI does not need to be changed.
 
1. Download Instedit to customize the MSI file.
2. Run Instedit, click on File -> Open and browse to image32\cwbinstall.msi. The MST (transform file) will also be applied to the 64-bit package in a later step.
3. In the top menu, click Transform -> New Transform.
4. Create Transform.mst in the same folder.

We will now modify the MST.
1. Click on the Property table, then in the right-hand pane, right click -> Add row.
2. Fill in Property and Value. Ex: CWBPrimaryLang/MRI2928 for French as the default language.
3. Click Save in the File menu. All the changes are saved in the new MST file. The MSI remains as is.


A few things can be customized. A list of public properties is available at
http://pic.dhe.ibm.com/infocenter/iseries/v7r1m0/topic/rzaij/rzaijpblcprop.htm
 
Some useful properties you can change in the Property table:
CWBInstallType: Complete/Custom/PC5250User (only valid on a first time installation)
CWBPrimaryLang: MRI2928
In the Feature table: Set level to 1 on features you want to install
The full list is available at
http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_71/rzaij/rzaijfeattree.htm
 
Note: If iSeries Client Access is already installed on the computer you’re running the GPO on, it will not overwrite the list of installed features. It will just upgrade the software. What a pity!
2 workarounds:
– Uninstall Client Access and run a GPO with the new features listed in the MST file
– Run manually msiexec /i cwbinstall.msi ADDLOCAL=feature (where feature is the requested feature such as dotnet or whatever)
 
Note: Setup will display in the default language, as will the entry in the “All Programs” menu, as explained by IBM. The language selection is only available when running setup.exe. However, the menu bar within the applications will be installed in the language requested in CWBPrimaryLang.


How do I use the MST?

You can run the transform on a test machine from the command line to make sure it does what you want:

msiexec /i cwbinstall.msi TRANSFORMS=Transform.mst


If everything’s alright, you can create a Group Policy Object:
1. Create a new Software Installation Package in the Computer Settings node of the Group Policy Object Editor.
2. Select the cwbinstall MSI file, and then click Advanced (this is the ONLY opportunity you will have to apply a transform to this package).
3. For the 32-bit package, on the Deployment tab, click Advanced and untick “Make this 32-bit X86 application available to Win64 machines”.
4. On the Modifications tab, click Add and select the MST file you created previously.
5. If you have both 32 and 64-bit operating systems on your network, add a second package within the same GPO and select the 64-bit iSeries MSI.
The system will pick the right package when applying the GPO.
 

Service Packs and Prerequisites

For better stability, you should install the latest iSeries Client Access service pack on top of the original software.
Download the Microsoft Visual C++ 2005 Redistributable SP1 Security Update (a service pack requirement): vcredist_x86.EXE and vcredist_x64.EXE from Microsoft.
Download the latest 32 and 64-bit service packs from the IBM SP download page.
Extract vcredist_xXX.exe with 7-Zip or another tool to get the MSI and CAB files.

Pre-install the service pack executable on a computer and choose to unpack the files in a permanent folder. Copy the folder content to your default installation image, overwriting older files.
As for the vcredist, create a new GPO with the 32 and 64-bit MSIs (don’t untick the 32-bit compatibility, as a 64-bit OS needs both the 32 and 64-bit Visual C++).

Sort GPO policies


Change the GPO order so Client Access runs after vcredist: click on the OU; in the right pane, make sure Client Access has position number 1 (it’s in reverse order: the first line executes last!).
Redeploy the Client Access GPO with the built-in service pack.


RSOP

You can check the deployment went ok with the usual Microsoft tools such as rsop.msc or gpresult.

 


Dec 13 2014

Why Compacting Hyper-v vhd Does Not Reduce Disk Size

Published under Virtualization

You have freed up a lot of space on your Hyper-V virtual machine and tried to compact the VHD file, but no luck: it doesn’t shrink as much as it should.
 
Here are a few things I tried to optimize disk space:
– Defragmentation
– Shrink volume from the VM disk manager
– Defrag adding the vhd on another VM as a secondary drive so system files can be defragmented
– Generate a new vhd from the original copy
Nothing seems to be working!

The problem is that NTFS removes deleted files from the directory structure but does not wipe the space they occupied, and that space isn’t released while compacting. This is also why so many tools are able to recover deleted files, as long as other files have not reused the released space.
 
In order to get all the free space back, you can use sdelete from the excellent Microsoft Sysinternals tools. sdelete lets you securely erase any file data that exists in the unallocated portions of a disk, i.e. it fills that space with zeros. That includes files you have already deleted or encrypted.
Download sdelete and run this short command on the virtual machine if you want to clean the C: drive:

sdelete -z C:


sdelete does not say much; you don’t even know how much space you just saved. It all depends on how much cleanup you have done beforehand.

[Image: reduce vhd with sdelete]


You can now compact the VHD file, and its size will match the space actually in use.


 

 


Sep 17 2014

4 Things to Know Before Migrating to Exchange 2013

Published under Exchange

Are you about to migrate mail servers to Exchange 2013? Here are a few issues I came across while migrating to Microsoft Exchange 2013. Please read them first.
 
1/ I had to add all Exchange servers DNS entries in C:\Windows\System32\drivers\etc\hosts, since email got stuck in queues. I was also getting timeouts while sending emails (some sessions would never get a response to the last dot ending the message).
Could this be due to IPv6 name resolution? Maybe. There is no choice anyway, as it is not recommended to disable IPv6 on Exchange 2013. IPv6 is also enabled on my Domain Controller, though.
 
2/ When adding a receive connector, make sure to select “FrontEndTransport”, not “HubTransport”.
If you do, you will end up with the SMTP service crashing every few hours and will not receive mail at all!
Sounds insane, but a lot of administrators have experienced it. Check this Microsoft post.
 
3/ Public folders migration hasn’t worked although I followed Microsoft documentation.
I could not even remove them since they were created on a previous Exchange version.
My last resort was to remove the entry with Microsoft ADSI Edit tool on the domain controller.
 
4/ When installing Cumulative Update 3, EMC (Exchange Management Console) wouldn’t start, but was throwing an Access denied exception, as mentioned here.
 
That is a lot of shit going on for a new release that is supposed to be stable! Please upgrade to SP1 and apply all the following CUs, hoping Microsoft fixed these issues!

 


Aug 27 2014

LVS: a Free Load-Balancer for Microsoft Exchange

Published under Linux

Microsoft Exchange traffic can be load-balanced with Microsoft NLB, but it requires setting up 4 Exchange servers because NLB isn’t compatible with Exchange clustering. Most Microsoft people do not recommend it.
Among NLB’s downsides, Exchange services are monitored with a basic ping, meaning the service is considered active even if the Exchange services have been turned off.
 
Hardware-based Exchange load balancers are recommended in most setups but are pretty expensive. Since I am going to virtualize Exchange servers on Hyper-V, a software-based load balancer naturally makes sense.
This is what brings me to Linux Virtual Server (LVS), at no extra cost and with very little resources.
 
Linux and Microsoft die-hards may not be happy with it, but Red Hat Linux is fully supported on Hyper-V and has been optimized with a few enhancements.
 

Network

Each Exchange virtual machine will be hosted on a different physical server along with a Linux VM for redundancy. The active load balancer (Master LB1) will distribute packets to the “real” servers through a private network. The private network needs to be connected to a physical port so VMs on the 2 machines can see each other.

[Image: Exchange Load Balancer Diagram]

 
Create the 2 networks and 4 VMs in Hyper-V, giving 1 and 2 NICs to the Exchange and LVS servers respectively. Assign IPs according to your network topology.
 

Load Balancer Setup

First edit /etc/sysctl.conf to allow ip forwarding:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Then reboot or run
sysctl -p /etc/sysctl.conf
 
As a general guide, you can follow the Red Hat LVS manual.
Set a password by running piranha-passwd on the Linux server that is going to be the master, and start the pulse and piranha-gui services.

/etc/init.d/pulse start
/etc/init.d/piranha-gui start

You should be able to reach the configuration page on port 3636 with a web browser, i.e. http://IP:3636. Log in with piranha as the username and the password you set above.
 
Once logged on to the Piranha configuration webpage, fill in the “Global Settings” and “Redundancy” pages. It is pretty straightforward: the virtual gateway for the real servers will go on sub-interface eth1:1. I didn’t tick “Monitor link” nor “Use sync daemon” since it wouldn’t work on my setup.

[Image: LVS Load Balancer Primary Server]
[Image: LVS Load Balancer Backup Server]

 
This is where we get to the point. We could create a virtual server for each port to monitor. I decided not to, and to mark all packets instead, so we only need to monitor one service and there is no need to write different monitoring scripts. You can indeed do so if you’d like to.

[Image: LVS Load Balancer Exchange access]

 

I monitor port 80 since Exchange listens on HTTP.
Set a number in the firewall mark field to group all the ports to be redirected: I’ve set 80, but it could be anything else really; it’s only a tag. Just remember to use the same number in iptables below.
I chose to set the IP address on eth0:3; I’ll let you know why later on.
Add the 2 real servers’ IPs and leave the default monitoring script in the last tab.
 

Iptables Rules

We’ll now set up iptables to mark packets with number 80. iptables will filter (1st part below) and mark (2nd part) the packets.
Here’s what I have in /etc/sysconfig/iptables:

# Generated by iptables-save v1.4.7
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [353:70931]
:OUTPUT ACCEPT [908:61941]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3636 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2525 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 717 -j ACCEPT
-A INPUT -d 192.168.1.36/32 -j ACCEPT
-A INPUT -d 192.168.1.37/32 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth0 -o eth1:1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1:1 -o eth0 -j ACCEPT
COMMIT
# Generated by iptables-save v1.4.7
*mangle
:PREROUTING ACCEPT [87155:9160406]
:INPUT ACCEPT [82925:8666308]
:FORWARD ACCEPT [3859:469324]
:OUTPUT ACCEPT [64873:3999893]
:POSTROUTING ACCEPT [68732:4469217]
-A PREROUTING -d 192.168.1.35/32 -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x50/0xffffffff
-A PREROUTING -d 192.168.1.35/32 -p tcp -m tcp --dport 443 -j MARK --set-xmark 0x50/0xffffffff
-A PREROUTING -d 192.168.1.35/32 -p tcp -m tcp --dport 25 -j MARK --set-xmark 0x50/0xffffffff
-A PREROUTING -d 192.168.1.35/32 -p tcp -m tcp --dport 2525 -j MARK --set-xmark 0x50/0xffffffff
-A PREROUTING -d 192.168.1.35/32 -p tcp -m tcp --dport 587 -j MARK --set-xmark 0x50/0xffffffff
-A PREROUTING -d 192.168.1.35/32 -p tcp -m tcp --dport 465 -j MARK --set-xmark 0x50/0xffffffff
-A PREROUTING -d 192.168.1.35/32 -p tcp -m tcp --dport 717 -j MARK --set-xmark 0x50/0xffffffff
COMMIT

Note that iptables converts mark numbers to hexadecimal, i.e. 80 becomes 0x50. Also note that iptables matches -i/-o on the device name, and an IP alias such as eth1:1 is not a device of its own, so the two FORWARD rules above never match; forwarding works here only because the FORWARD chain’s policy is ACCEPT.
The main configuration is over. What remains is the 2nd load balancer for Exchange, remote access to the real servers, and NAT. Let’s check this out.
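Since the filter and mangle parts have to agree (a port that is marked but not accepted in INPUT is rejected before IPVS ever sees it), it is easy to forget one when you add a port later. The script below is an added example, not part of the post: gen_mark_rules writes the mangle rules for the post’s VIP 192.168.1.35 and mark 80 with the hexadecimal mark iptables-save shows, and unaccepted_marked_ports reads an iptables-save dump (SAMPLE_RULES is constructed) and reports marked ports with no ACCEPT in the filter INPUT chain. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the post: generate the mangle MARK rules for a
# firewall-mark based virtual server and cross-check an iptables-save dump
# so that every marked port is also accepted by the filter INPUT chain.

# gen_mark_rules VIP MARK PORT...: one PREROUTING rule per port, with the
# decimal mark written the way iptables-save shows it (80 -> 0x50).
gen_mark_rules() {
  vip=$1; mark=$2; shift 2
  hexmark=$(printf '0x%x' "$mark")
  for port in "$@"; do
    printf '%s -d %s/32 -p tcp -m tcp --dport %s -j MARK --set-xmark %s/0xffffffff\n' \
      '-A PREROUTING' "$vip" "$port" "$hexmark"
  done
}

# unaccepted_marked_ports DUMP: ports that get a MARK in *mangle but have no
# ACCEPT on --dport in the filter INPUT chain. Such traffic is marked and then
# hits the final REJECT, so the virtual server silently never sees it.
unaccepted_marked_ports() {
  printf '%s\n' "$1" | awk '
    /^\*/ { table = substr($0, 2) }
    table == "mangle" && /-j MARK/ {
      for (i = 1; i <= NF; i++) if ($i == "--dport") marked[$(i + 1)] = 1
    }
    table == "filter" && /^-A INPUT/ && /-j ACCEPT/ {
      for (i = 1; i <= NF; i++) if ($i == "--dport") accepted[$(i + 1)] = 1
    }
    END { for (p in marked) if (!(p in accepted)) print p }' | sort -n
}

# Constructed dump (not the post's file): port 25 is marked but was
# forgotten in the filter table.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
'"$(gen_mark_rules 192.168.1.35 80 80 443 25)"'
COMMIT'

gen_mark_rules 192.168.1.35 80 80 443 25 587
unaccepted_marked_ports "$SAMPLE_RULES"   # prints 25
```

Run unaccepted_marked_ports against the output of iptables-save after every change to either table; an empty result means every marked port can actually reach the load balancer.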
 

Exchange Servers Management

Backend servers Exchange1 & 2 can be managed from Hyper-V, but this is far from handy; you want to connect straight to them.
In order to manage the 2 servers, I created 2 extra virtual servers on LVS that always redirect to the same IP, i.e. with only one real server each.

[Image: LVS Load Balancer RDP access]


I mark these packets with numbers 1 & 2, respectively for Exchange1 and Exchange2, and added the following lines to iptables.

-A PREROUTING -d 192.168.15.36/32 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -d 192.168.15.37/32 -j MARK --set-xmark 0x2/0xffffffff

 
Restart the pulse and iptables services and you should get the following interfaces:

[root@lb1 ~]$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:15:5D:0F:29:0E
          inet addr:192.168.1.33  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::215:5dff:fe0f:290e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:481004253 errors:0 dropped:73168 overruns:0 frame:0
          TX packets:305264787 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:380465051896 (354.3 GiB)  TX bytes:204324705710 (190.2 GiB)
          Interrupt:9 Base address:0x6000

eth0:1    Link encap:Ethernet  HWaddr 00:15:5D:0F:29:0E
          inet addr:192.168.1.36  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:9 Base address:0x6000

eth0:2    Link encap:Ethernet  HWaddr 00:15:5D:0F:29:0E
          inet addr:192.168.1.37  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:9 Base address:0x6000

eth0:3    Link encap:Ethernet  HWaddr 00:15:5D:0F:29:0E
          inet addr:192.168.1.35  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:9 Base address:0x6000

eth1      Link encap:Ethernet  HWaddr 00:15:5D:0F:29:0F
          inet addr:10.0.1.33  Bcast:10.0.1.255  Mask:255.255.255.0
          inet6 addr: fe80::215:5dff:fe0f:290f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:320686576 errors:0 dropped:0 overruns:0 frame:0
          TX packets:425280520 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:209496440714 (195.1 GiB)  TX bytes:375879165808 (350.0 GiB)

eth1:1    Link encap:Ethernet  HWaddr 00:15:5D:0F:29:0F
          inet addr:10.0.1.254  Bcast:10.0.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1


[Image: LVS Load Balancer Exchange rules]


You can now reach Exchange1 & 2 on IPs 192.168.1.36 & .37.
 

Let Real Servers Connect to the Outside

A major problem is that the real servers cannot connect to the outside world since they’re on a private network. This can be solved with a NAT rule on the LVS server. Add this to iptables:

# Generated by iptables-save v1.4.7
*nat
:PREROUTING ACCEPT [433:57174]
:POSTROUTING ACCEPT [46:2760]
:OUTPUT ACCEPT [46:2760]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

 
You can find out more about IP masquerading in this HOWTO.
Restart the pulse service once you’re happy with the LVS conf, and copy it over to the backup server along with the iptables conf file.
You can use scp for this purpose:
scp /etc/sysconfig/ha/lvs.cf lb2:/etc/sysconfig/ha/lvs.cf
scp /etc/sysconfig/iptables lb2:/etc/sysconfig/iptables
provided lb2 is registered in your DNS.
Do this every time you make a change to either LVS or iptables.
 

RDP Monitoring

Instead of monitoring port 80 on Exchange1 and Exchange2, it is better to check RDP.
Download check_x224 (written for Nagios) to /usr/local/bin, for instance:

$ cd /usr/local/bin/
$ chmod +x check_x224

 
Edit the script and remove the following block:

    if elapsed > critical_sec:
        print('x224 CRITICAL: RDP connection setup time (%f) was longer than (%d) seconds' % (elapsed, critical_sec))
        sys.exit(2)
    if elapsed > warning_sec:
        print('x224 WARNING: RDP connection setup time (%f) was longer than (%d) seconds' % (elapsed, warning_sec))
        sys.exit(1)

Then replace all

    print('x224 OK. Connection setup time: %f sec.|time=%fs;%d;%d;0' % (elapsed, elapsed, warning_sec, critical_sec))

instances with

    print('OK')
 
and type the following in the “Sending Program” field of the Piranha virtual server’s monitoring script:
/usr/local/bin/check_x224 -H 10.0.1.1
for Exchange1; replace the IP for Exchange2.

[Image: LVS Load Balancer monitoring script]

This will return OK if RDP is up on the Exchange server.
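An alternative to editing check_x224 itself is to leave it untouched and put a small wrapper in front of it. The script below is an added example, not something from the post or from the check_x224 project: rdp_probe_to_lvs runs the probe with the -H option the post uses, prints exactly OK when the probe exits 0 and prints nothing otherwise, so the Nagios thresholds stay intact (a slow RDP handshake now takes the real server out of rotation instead of being ignored). The CHECKER variable, the function name and the host 10.0.1.1 are assumptions; the Piranha “Expect” field should be set to OK.

```shell
#!/bin/sh
# Added example, not from the post: wrapper to use as the nanny
# "Sending Program" instead of editing check_x224 by hand.
# CHECKER can be overridden in the environment (useful for testing).
CHECKER=${CHECKER:-/usr/local/bin/check_x224}

# rdp_probe_to_lvs HOST: run the probe quietly and translate its exit status
# into the one-word answer nanny expects (OK on success, silence otherwise).
# The probe's own exit status is returned so callers can still tell a
# warning (1) from a critical (2) result if they want to log it.
rdp_probe_to_lvs() {
  host=$1
  rc=0
  "$CHECKER" -H "$host" >/dev/null 2>&1 || rc=$?
  [ "$rc" -eq 0 ] && echo OK
  return "$rc"
}

# Only run the probe when executed directly with a host argument, so the
# function can also be sourced elsewhere.
if [ $# -eq 1 ]; then
  rdp_probe_to_lvs "$1"
fi
```

Install it as, for instance, /usr/local/bin/check_rdp_lvs and use “/usr/local/bin/check_rdp_lvs 10.0.1.1” as the sending program; nanny only compares the output with the expect string, so anything other than a bare OK marks the server down.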
 

Persistence and Failover

You have to set a value in the virtual server’s persistence setting (600 here) so LVS keeps redirecting packets from the same client to the same server for that duration. If you don’t, packets from a single client would be load-balanced across multiple servers and connections wouldn’t be established.
If a real server goes down, persistence keeps sessions bound to the crashed server, making the service unavailable.
To avoid this behaviour, add the following lines to /etc/sysctl.conf and run sysctl -p, so that the changes also persist across reboots:

net.ipv4.vs.expire_quiescent_template = 1
net.ipv4.vs.expire_nodest_conn = 1

The first line drops sessions to a real server that has become unavailable.
The second does the same when a real server is removed from the conf.
All useful information is available on http://www.austintek.com.
 
If sysctl -p returns an error at boot on your Red Hat distribution:

error: "net.ipv4.vs.expire_quiescent_template" is an unknown key
error: "net.ipv4.vs.expire_nodest_conn" is an unknown key

you need to load the ip_vs module at boot time. Create the following executable file:

echo "modprobe ip_vs" >/etc/sysconfig/modules/lvs.modules
chmod +x /etc/sysconfig/modules/lvs.modules

 
It is worth checking ipvsadm’s manual as well. It lets you list live sessions, for instance:

$ ipvsadm -Lcn


DNS registration in AD

One last thing: the Exchange servers will register in AD with their private IPs.
Edit the DNS records on your Domain Controller with the external IPs so name resolution returns the correct values.
Make sure to disable DNS auto-registration in the IPv4 settings of the network cards if you don’t want your DNS settings to be overwritten.
It is also best to add your Exchange servers’ internal IPs to their hosts file so they talk straight to each other.
 

Exchange Server Maintenance

If you upgrade an Exchange server, you’re better off disabling it so no one makes a new connection while services go up and down.
Run

$ ipvsadm -l

to check the current status and

$ ipvsadm -e -f 80 -r exchange_server_ip:80 -w 0 -m

to set the weight to 0. Replace 0 with 1 to set it back.
Current connections won’t move to the other server until services go down, but no new client will connect until the weight is back to 1.
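Because existing sessions stay on a server with weight 0, the practical question before rebooting it is “has everyone left yet?”. The script below is an added example, not from the post: set_weight applies the ipvsadm -e command above to each firewall mark a real server belongs to, established_conns counts ESTABLISHED entries to that server in “ipvsadm -Lcn” output (persistence templates, shown with state NONE, are ignored), and drain_real_server combines the two and polls until the count reaches zero or a timeout expires. SAMPLE_CONNS is constructed; the real server 10.0.1.1, the :80 real-server port and the -m option are the post’s, the function names are mine.

```shell
#!/bin/sh
# Added example, not from the post: drain one real server before maintenance.

# established_conns DUMP REAL_IP: count ESTABLISHED entries whose destination
# is REAL_IP in "ipvsadm -Lcn" output (columns: pro expire state source
# virtual destination). Persistence templates (state NONE) are not counted.
established_conns() {
  printf '%s\n' "$1" | awk -v rip="$2" '
    $1 == "TCP" && $3 == "ESTABLISHED" {
      split($6, d, ":"); if (d[1] == rip) n++
    }
    END { print n + 0 }'
}

# set_weight REAL_IP WEIGHT MARK...: edit the real server entry on each
# fwmark service, as in the post's "ipvsadm -e -f 80 -r IP:80 -w 0 -m".
set_weight() {
  rip=$1; weight=$2; shift 2
  for mark in "$@"; do
    ipvsadm -e -f "$mark" -r "$rip:80" -w "$weight" -m
  done
}

# drain_real_server REAL_IP TIMEOUT_SEC MARK...: quiesce, then poll every
# 5 seconds until no ESTABLISHED connection remains or the timeout expires.
drain_real_server() {
  rip=$1; timeout=$2; shift 2
  set_weight "$rip" 0 "$@"
  waited=0; left=unknown
  while [ "$waited" -lt "$timeout" ]; do
    left=$(established_conns "$(ipvsadm -Lcn)" "$rip")
    [ "$left" -eq 0 ] && { echo "drained $rip"; return 0; }
    sleep 5; waited=$((waited + 5))
  done
  echo "timeout: $left connection(s) still established to $rip" >&2
  return 1
}

# Constructed "ipvsadm -Lcn" output (not taken from the post's servers).
SAMPLE_CONNS='IPVS connection entries
pro expire state       source             virtual            destination
TCP 14:58  ESTABLISHED 192.168.1.50:52113 192.168.1.35:443   10.0.1.1:443
TCP 00:20  TIME_WAIT   192.168.1.51:40001 192.168.1.35:443   10.0.1.1:443
TCP 09:58  NONE        192.168.1.50:0     192.168.1.35:0     10.0.1.1:0
TCP 12:03  ESTABLISHED 192.168.1.52:33421 192.168.1.35:25    10.0.1.2:25'

established_conns "$SAMPLE_CONNS" 10.0.1.1   # 1
established_conns "$SAMPLE_CONNS" 10.0.1.2   # 1

# Typical use on the load balancer (needs root):
#   drain_real_server 10.0.1.1 600 80 && reboot the Exchange server
#   set_weight 10.0.1.1 1 80        # put it back afterwards
```

Use drain_real_server with every firewall mark the server is part of (80 for Exchange traffic in the post, plus the management marks if you want RDP sessions counted as well), and set_weight back to 1 once the server is healthy again.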

 
