(602) 445 9816Sales@VelocityTech.org

Posts Taged ssl

How to configure Netgear ReadyNAS to have a Godaddy or 3rd party SSL certificate

 

Use SSH to login to your device:
Username will be root, password will be the same as the admin password.
type in the following commands:
cd /etc/ssl	-changes your directory
openssl genrsa -des3 -out private/ReadyNAS_caCert.pem 2048	-Choose a pass phrase, I did not have to enter in this pass phrase anywhere else.
openssl rsa -in private/ReadyNAS_caCert.pem -out private/ReadyNAS_caCertwithoutPW.pem	-Choose a pass phrase, I did not have to enter in this pass phrase anywhere else.
openssl req -new -key private/ReadyNAS_caCertwithoutPW.pem -out ReadyNASReq.pem	-This will start a process of asking you questions to create your CSR that you will need to provide your SSL certificate provider. Please fill out to the best of your abilities.

Use WinSCP to login to your device:
File protocol - SFTP
Username will be root and the password will be the same as the admin password again.
Once you are logged in navigate to /etc/ssl
Open ReadyNASReq.pem in notepad, copy and paste contents of this file into certificate request for your SSL provider (GoDaddy).
Depending on your provider you should be able to download your certificate as soon as within 5 minutes. Please download the certificate for Apache servers, this will give you a zip file. Extract the files and open the file that does NOT include "bundle" in the name and copy the contents to your clipboard.
Using WinSCP create a file named ReadyNASCert.pem in the Netgear ReadyNAS /etc/ssl directory, open it with notepad and paste the contents we copied in the previous step, save and close the ReadyNASCert.pem file.
In WinSCP navigate to /etc/frontview/apache and open the apache2.pem file in notepad
Navigate to /etc/ssl/private and open the ReadyNAS_caCertwithoutPW file and copy the contents. Paste them into the apache2.pem file.
Navigate to /etc/ssl and open the ReadyNAS.pem file in notepad and copy its contents and paste them into this same apache2.pem file, save and close apache2.pem file.
Here is a sample of what your apache2.pem file should look like when you are finished:
Continue Reading

How to install a Godaddy SSL certificate on a Cisco ASA firewall

The first step in getting an SSL certificate for your Cisco ASA is to generate a CSR request.

1.  Open ASDM > Configuration > Device Management

2.  Certificate Management > Identity Certificates > Add

3.  Add a New Identity Certificate > New

4.  Click the “Enter new key pair name” radio button.  Enter your FQDN of your firewall (VPN.MyDomain.com)

5.  Change the size to 2048

6.  Click generate now.

7.  On the next screen choose the following attributes and fill in the values then click add.

CN = FQDN of your domain (vpn.MyDomain.com)

OU = Department of your business responsible (IT)

O = Legal name of organization

C = Country abbreviation (US)

ST = State abbreviation (AZ)

L = City (Scottsdale)

8.  Click ok once these are all added

9.  Click advanced

10.  In the FQDN type again your FQDN (Vpn.MyDomain.com)

11.  Click Ok and Add Certificate.

12.  You will be prompted to save this certificate to your PC which you should do.

13.  Login to your Godaddy account and copy and paste all the text from the CSR.

14.  Once you submit your CSR you can download the certificate to your PC in .crt format.

15.  Go back to the ASDM Certificate Management > Identity Certificates.  Select your previously generated CSR and click the install button.  Browse to the .crt file you were provided with from Godaddy.

16.  Now that you have installed the certificate you must tell the ASA to use it for SSL.  To do this in the Device Management on the ASA browse to advanced > SSL settings.

17.  Select the interface for your VPN clients and click edit.  Now select your new certificate

 

Congrats you should now be able to brose to your external web interface and see it is a trusted site!

 

 

 

 

 

Continue Reading

How to create a self-signed certificate in Exchange 2010

Very simple

Open Exchange Shell New-ExchangeCertificate

Continue Reading

Redirect port 80 on exchange 2010 to ssl or 443 for OWA or Outlook Web Access

You must use caution when changing the IIS settings for Exchange 2010.  The reason is simple.  Powershell or the Exchange management console EMC uses IIS to manage Exchange.  So if you incorrectly change settings you will render your Exchange EMC and Powershell useless.

VERBOSE: Connecting to cas01.testDomain.com
[cas01.testDomain.com] The WinRM service cannot process the request because the request needs to be sent to a different machine. Use the redirect information to send the request to a new machine.  Redirect location reported: https://owa.testDomain.com/owa/PowerShell. To automatically connect to the redirected URI, verify “MaximumConnectionRedirectionCount” property of session preference variable “PSSessionOption” and use “AllowRedirection” parameter on the cmdlet.
    + CategoryInfo          : OpenError: (System.Manageme….RemoteRunspace:RemoteRunspace) [], PSRemotingTransportRedirectException
    + FullyQualifiedErrorId : PSSessionOpenFailed

First thing you’ll want to do is go to your default website and change the redirect.  Use the settings from this image below.  Use them exactly, you have been warned.

Once that is complete you have to uncheck redirect on all of these sub directories.

  • aspnet_client
  • Autodiscover
  • ecp
  • EWS
  • Microsoft-Server-ActiveSync
  • OAB
  • PowerShell
  • Rpc

Exchange, Exchweb, and Public virtual directories should redirect to /owa.

Now if you try to open Internet Explorer you will receive a HTTP 403.4 error.  That is because SSL is required.  Select the default website just like the image below and remove the SSL requirement.

Once again you will have to go through these virtual sub directories and make sure the SSL box IS checked!

  • Autodiscover
  • ecp
  • EWS
  • Microsoft-Server-ActiveSync
  • OAB
  • owa
  • Rpc

Warning: If you require SSL for the PowerShell virtual directory, you will render Remote PowerShell inoperable!

Continue Reading

Getting Started with Exchange 2010

As most know Exchange 2010 is the latest version of Microsoft’s email server.  I wanted to write a short description of the software and outline its features. 

Like its predecessor Exchange 2010 requires that you run it on an x64 platform.  32-bit processing is surely but slowly becoming a thing of the past.  In 2010 however you must also be running Windows 2008 SP2 or 2008 R2.  One of the major decisions you’ll have to make is whether to select the standard or enterprise edition.  This basically boils down to how many stores you need.  Standard supports 5 stores per server as to where Enterprise you can do 50+.   As far as the client side CAL’s are concerned you must purchase the 2008 enterprise CAL’s if you wish to do unified messaging.  There is not however a limitation in the software.  It is simply a licensing issue.  Which means you’ll still have the ability to access unified messaging but it will not be licensed correctly.   Another feature Microsoft has decided to keep is the JET EDB database.  It has been rumored in the past that Microsoft would start using SQL server to house the Exchange database.  This is not the case. 

If you ever worked with recovery storage groups in Exchange 2003 or 2007 you will no longer find those in 2010.  As well you will not be able to find routing groups.  All of the Exchange 2010’s routing is done through active directory sites and services.  So you must make sure that you have properly configured your sites before moving forward with Exchange.  It is essential to Exchange 2010 functioning properly.  As with Exchange 2007 Microsoft still is trying to deemphasize public folders.  Their goal is to eventually replace these with their Sharepoint product. 

Another major feature of Exchange 2007 and 2010 is their ability to reject email at the gateway.  The Edge transport server allows you to configure ADAM and active directory lightweight services to query AD.  This allows you to get a list of valid email address and push them out to the border of your network.  If the edge server detects that someone is trying to send email to the inside of your organization and the user does not exist it is dropped immediately.  This saves on memory and processing power internally so that you don’t have to deal with spam. 

Additionally with Exchange 2007 and 2010 you get the ability to create UNC direct file access paths.  This way in OWA when a user needs a file on a network share they can grab it without needing a cumbersome VPN client.  Outlook anywhere also remains widely the same in 2007 and 2010.  It basically encapsulates your RPC packets into https packets.  This allows you to traverse your firewall without opening any additional ports.  Therefore giving users access to their email from Outlook wherever they may travel. 

One of the greatest new features of Exchange 2010 in my opinion is database availability groups or DAG.  This is essentially the same thing as CCR in Exchange 2007.  Anyone who has tried to configure CCR, LCR, or SCR in Exchange 2007 knows that it can be quite the process.  Microsoft simplified this with DAG’s in 2010.  It allows you to keep 16 copies of a users mailbox for redundancy and disaster recovery.  It does this through a process called log shipping.  Where 1MB files are created and then played into the database.  This allows you to keep a backup of your server at another physical location for disaster recovery or have two Exchange servers running next to each other.

Another nice feature in 2010 is the fact that the client access server or CAS redirects your client to their database server that houses their mailbox.  You no longer need to specify the location of your server in Outlook.  The CAS parses AD and redirects them automatically.  Therefore there is no hard coding.  This makes the transition for failover a lot easier. 

As most of you know who have used Exchange 2007 the GUI is simply a front end to Microsofts command line utility called EMS or Exchange Mangement Shell.  Anything you do in the GUI is converted to a command and executed against your server.  I would personally say you have about 90% functionality in the GUI as opposed to EMS.  However, EMS definitely makes the process a lot easier if you need to apply a setting to multiple objects at the same time. 

As with Exchange 2007 you still have the same five roles edge transport, hub transport, client access server, mailbox, and unified messaging.  Inside of these five roles only the edge transport server must be installed separately from the rest of the servers.  Everything else can be ran on one box.  Although this is not recommend for performance reasons.  The reason why the edge server is standalone is it was meant to sit in your DMZ or on the border of your network.  Absorbing the hits so your internal servers are not affected.  It has features such as safelist aggregation where Outlook client rules are brough outside to it so that it can apply those rules before the message ever enters your internal network. 

The hub server still is the same as Exchange 2007 it routes your messages internally and holds compliancy rules.  You can also run a command against it to install antispam featureset.  This way if you don’t have an edge transport server you can use it to receive outside mail directly.  Although this is not recommended by Microsoft.

The CAS server or client access server is meant to interface with your internal and external clients.  As stated before it automatically redirects your Outlook clients so that you don’t need to hardcode their mailbox server.  It also accepts connections from smart phones, OWA, etc.  It is basically your clients interface to your Exchange infrastructure.

If you wish to monitor your Exchange 2010 infrastructure Microsoft has made a plugin for their SCOM or system center operations manager.  This is Microsoft’s MOM replacement that allows you to montior your servers.

In Exchange 2010 you will no longer see SCR, LCR, or CCR.  They have been superceded by DAG or database availability groups.  This makes configuring database replication a lot smoother.  DAG’s also allow for your data to reside across multiple servers.  You can also have multiple DAG’s.   This is a great feature because if half of your users are in one DAG group and it goes down the other half are not even affected.  Other benefits are reduced restore time since you’re not restoring all of your users’ data only the ones in that DAG.  You can also have separate exchange policies for different DAG’s.  So if your management is in one and your regular users are in another you can change the rules that apply to them.  This is a great way to mitigate risk by distributing your load. 

As far as the enterprise and standard software go they are both installed from the same media.  It is just different license keys that you input that determine what version you are installing.  It is also upgradable.  You can go from trial to standard to enterprise.  However, you cannot downgrade backwards from enterprise to standard or standard to trial. 

In order to install Exchange 2010 your domain and forest functional level must be at 2003.  Also each site which contains Exchange 2010 must also contain a 2003SP2 domain controller or 2008 domain controller.  We recommend you have your domain running 2008R2 domain controllers however. 

Exchange still uses EAS or exchange active sync for mobile devices.  This way your contacts, calendar, email, etc. are all tightly integrated with your Windows mobile devices.

One common misconception that people have is Exchange enterprise must be installed on server enterprise software.  Or that server enterprise software cannot have Exchange standard installed on it.  Both of these are fallacies. 

When you begin your Exchange installation you should give serious consideration to how you configure your arrays.  Exchange is a very read/write intensive application.  Therefore you should separate your OS, log files, and database all on separate arrays.  If this is not possible it is then recommended that you at least put yoru OS and log files on one array and your database files on another.  The reason for this is simple.  The log files are write intensive and the database files are read intensive.  Separate these two out can speed up your disk I/O.

Memory requirements in Exchange 2010 have pretty much gone unchanged.  Start your server with 2GB of memory and then 5MB for every mailbox user.  I would also personally recommend to have a minimum of 4GB.  Memory is cheap enough these days that the benefit of having more of it outway the cost.

Although the databases in Exchange can grow very large we do not recommend that you go over 100GB.  This can become cumbersome to work with and decrease performance on your server.

If you wish to remotely manage your Exchange server you can install the management tools.  They will install on Vista SP2 and higher or server 2008 SP2 or higher.  This way you do not have to remotely login to your Exchange server to make all of your changes.

As far as your site layout goes you should also plan on having a global catalog server in every location that contains a mailbox server.  This is recommended by Microsoft and will reduce WAN traffic. 

Exchange has also setup a new permissions setup which they refer to as RBAC or role based access control.  From this you get 5 roles to manage your exchange infrastructure.  They are Organization management, view only organization management, recipient management, records management, and GAL synchronization management.

Another thing you should consider before installing Exchange 2010 is to make sure your domain is setup properly.  You can use tools such as NETDIAG and DCDIAG to verify this.  In order to install Exchange 2010 you’re going to need to be a member of domain admins, enterprise admins, and schema admins.  You will also want to add connect.microsoft.com and download.microsoft.com to your trusted sites list in IE.  Other pieces of software that must be installed are .NET 3.5, Windows remote management 2.0, powershell v2, 2007 office converter microsoft filter packs.  If you are installing the mailbox role you must also have AD services remote management tools.

Before starting the install you must prepare your schema by running setup /ps if it fails delete the contents of c:windowstemp, copy the files from your CD to yoru hard drive and rerun setup /ps.  You must then run setup /prepareAD /OrganizationName:MyCompany where “MyCompany” can be replaced by your organization name.

You must then prepare the prerequisites by running the following commands.

  • ServerManagerCMD -install RSAT-ADDS
  • ServerManagerCMD -install Web-Server
  • ServerManagerCMD -install Web-ISAPI-Ext
  • ServerManagerCMD -install Web-Metabase
  • ServerManagerCMD -install Web-Lgcy-Mgmt-Console
  • ServerManagerCMD -install Web-Basic-Auth
  • ServerManagerCMD -install Web-Digest-Auth
  • ServerManagerCMD -install Web-Windows-Auth
  • ServerManagerCMD -install Web-Dyn-Compression
  • ServerManagerCMD -install Net-http-Activation
  • ServerManagerCMD -install RPC-over-http-Proxy
  • Once this is complete reboot your server.  You are now ready to run Setup.com /mode:install /roles:H,C,M the H,C,M install hub cas and mailbox roles.

    Once your install is complete run the Exchange BPA or best practice analyzer.

    In order to install the Edge server you’ll want to make sure you’re running 2008 standard with SP2.  You’ll need .NET 3.5, remote management 2.0, powershell v2, AD LDS (can be installed via servermanagerCMD -i ADLDS).  For the edge server to work in a DMZ you’ll need to open ports 50389-50636.  Then run new-EdgeSubscription -filename “c:tempEdgeSubscriptionInfo.xml”  Copy that generated file to your hub server you can import it in the GUI and run start-edgeSubscription from EMS.  You can test this once it is imported to verify it is working properly by using test-EdgeSubscription from EMS.

    I would personally recommend using a RBL provider to stop spam from entering your organization.  One example of this is SpamHaus.  This queries the connecting server to a black list of IP’s and blocks communcation if it is found on the list.  This one feature can drastically cut down on spam.

    Another item you have to address is purchasing a SAN certificate for your Exchange server.  Exchange has moved to a secure by default mentality.  You will find connecting to OWA or using activesync become very painful if you try to issue your own SSL certificates.

    Another security improvement in Exchange 2007 and 2010 is that all intracommunication is secure and encrypted.  TLS is used for all server to server communication internally.  RPC is used for your Outlook clients to communicate with your servers.  SSL is configured for all external client communication including, OWA, activesync, etc.

    Opportunistic TLS is a new feature where your Exchange server will no long try to send via SMTP by default.  It will first send a STARTTLS command to use TLS to encrypt external SMTP communication with other servers.  If the other server however does not support this it will revert to unsecure communications.

    Still included in Exchange 2010 is the ability to use a journaling mailbox to track all of your emails.  This is required by some organizations.  Keep in mind that this feature can increase your processor and memory usage by 25%.  So you should make sure your server has plenty of resources before turning on this feature. 

    One of the requirements as previously stated is that Exchange 2010 must be running active directory 2003.  Even though 2008 is recommended if you are running Cisco Unified Messaging 4.2(1) or lower it is NOT compatible with active directory 2008. 

    When you upgrade your active directory infrastructure it is recommended that you create a virtual machine using Microsoft Hyper-v or Vmware.  Make the virtual machine an additional domain controller and make it a global catalog.  This way if your upgrade takes  turn for the worst you have data that is intact if you have to downgrade.  Do not forget to unplug it from the network before doing the upgrade.  If you need to revert back you can use NTDSUTIL to seize the roles.

    If for whatever reason you need to create a scratch installation of a domain you can always use the ADMT utility to move users, groups, computers, service accounts, and trusts.

    To migrate from 2003 Exchange to 2010 the overview is as follows.  First you must be running Exchange 2003 with service pack 2.  Your active directory domain and forest functional levels must be 2003 and at least one global catalog has to be 2003 server with SP2.  Instal AD LDIFDE tools on 2008 to upgrade your schema.  Upgrade your Exchange Schema.  Transfer OWA, activesync, and Outlook anywhere to the CAS server.  Install/upgrade hub server.  Transfer the mail flow to the hub transport server.  Install mailbox servers and DAG if required.  Move your public folder replicas using pfmigrat.wsf or PFRecursive.PS1.  Move your mailboxes.  Rehome OAB.  Rehome public folder heirarchy.  Transfer public folder replicas.  Delete 2003 public and private stores.  Delete routing group connectors.  Delete RUS using ADSIEdit.  Uninstall Exchange 2003.

    To migrate from 2007 Exchange to 2010 the process is a little less.  Make sure your Exchange 2007 server is running SP2.  Make sure your domain and forest is at 2003 functional level.  Global catalog server is at 2003 SP2.  Use AD LDIFDE tools to upgrade your schema.  Prepare schema.  CAS server.  Transfer OWA.  Install hub transport.  Transfer mail to hub transport.  Use AddReplicatoPFRecursive.Ps1 to move your public folder replications.  Move your mailboxes.  Rehome OAB.  Transfer public folder replica.  Delete public and private stores.  Uninstall Exchange 2007.

    Continue Reading

    If you are using SSL and forms based authentication Activesync will be broken

    In order to resolve this issue you must perform the following steps on your Exchange box.

    Disable the forms-based authentication for the Exchange virtual directory

    To create a secondary virtual directory for Exchange that is based on steps 1 through 7 of the following procedure, make sure that forms-based authentication is disabled for the Exchange virtual directory before you make the copy. Before you follow these steps, disable forms-based authentication in Exchange System Manager. Then restart Internet Information Services (IIS). To do this, follow these steps:

    1. Open Exchange Manager.
    2. Expand Administrative Groups, expand the first administrative group, and then expandServers.
    3. Expand the server container for the Exchange Server 2003 server that you will be configuring, expand Protocols, and then expand HTTP.
    4. Under the HTTP container, right-click the Exchange Virtual Server container, and then clickProperties.
    5. Click the Settings tab, clear the Enable Forms Based Authentication check box, and then click OK.
    6. Close Exchange Manager.
    7. Click Start, click Run, type IISRESET/NOFORCE, and then press ENTER to restart Internet Information Services (IIS).

    Create a secondary virtual directory for Exchange server

    You must use Internet IIS Manager to create this virtual directory for Exchange ActiveSync and Outlook Mobile Access to work. If you are using Windows Server 2003, follow these steps:

    1. Start Internet Information Services (IIS) Manager.
    2. Locate the Exchange virtual directory. The default location is as follows:
      Web SitesDefault Web SiteExchange
    3. Right-click the Exchange virtual directory, click All Tasks, and then click Save Configuration to a File.
    4. In the File name box, type a name. For example, type ExchangeVDir. Click OK.
    5. Right-click the root of this Web site. Typically, this is Default Web Site. Click New, and then click Virtual Directory (from file).
    6. In the Import Configuration dialog box, click Browse, locate the file that you created in step 4, click Open, and then click Read File.
    7. Under Select a configuration to import , click Exchange, and then click OK.

      A dialog box will appear that states that the “virtual directory already exists.”

    8. Select the Create a new virtual directory option. In the Alias box, type a name for the new virtual directory that you want Exchange ActiveSync and Outlook Mobile Access to use. For example, type exchange-oma. Click OK.
    9. Right-click the new virtual directory. In this example, click exchange-oma. ClickProperties.
    10. Click the Directory Security tab.
    11. Under Authentication and access control, click Edit.
    12. Make sure that only the following authentication methods are enabled, and then click OK:
      • Integrated Windows authentication
      • Basic authentication
    13. On the Directory Security tab, under IP address and domain name restrictions, clickEdit.
    14. Click the option for Denied access, click Add, click Single computer and type the IP address of the server that you are configuring, and then click OK twice.
    15. Under Secure communications, click Edit. Make sure that Require secure channel (SSL) is not enabled, and then click OK.
    16. Click OK, and then close the IIS Manager.
    17. Click Start, click Run, type regedit, and then click OK.
    18. Locate the following registry subkey:
      HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesMasSyncParameters
    19. Right-click Parameters, click to New, and then click String Value.
    20. Type ExchangeVDir, and then press ENTER. Right-click ExchangeVDir, and then clickModify.

      NoteExchangeVDir is case-sensitive. If you do not type ExchangeVDir exactly as it appears in this article, ActiveSync does not find the key when it locates the exchange-omafolder.

    21. In the Value data box, type the name of the new virtual directory that you created in step 8. For example, type /exchange-oma. Click OK.
    22. Quit Registry Editor.
    23. Restart the IIS Admin service. To do this, follow these steps:
      1. Click Start, click Run, type services.msc, and then click OK.
      2. In the list of services, right-click IIS Admin service, and then click Restart.
    24. If you want to reuse Forms-based Authentication on the Exchange server, follow these steps to re-enable Forms-based Authentication on the /Exchange virtual directory in Exchange System Manager.
      1. Open Exchange Manager.
      2. Expand Administrative Groups, expand the first administrative group, and then expand Servers.
      3. Expand the server container for the Exchange Server 2003 server that you will be configuring, expand Protocols, and then expand HTTP.
      4. Under the HTTP container, right-click the Exchange Virtual Server container, and then click Properties.
      5. Click the Settings tab, click to select the Enable Forms Based Authenticationcheck box, and then click OK.
      6. Close Exchange Manager.
      7. Click Start, click Run, type IISRESET/NOFORCE, and then press ENTER to restart Internet Information Services (IIS).

    Note If the server is Microsoft Windows Small Business Server 2003 (SBS), the name of the Exchange OMA virtual directory must be exchange-oma.

    The integrated setup of Microsoft Windows Small Business Server 2003 creates the exchange-omavirtual directory in IIS. Additionally, it points the ExchangeVDir registry key to /exchange-omaduring the initial installation. Other SBS wizards, such as the Configure E-mail and Internet Connection Wizard (CEICW) also expect the virtual directory name in IIS to be exchange-oma.

    Continue Reading