Posts made in February, 2015

Websense Cloud Security – Users stopped appearing in reports

Posted by on 24 Feb, 2015 in Security, Websense | 1 comment

Setup:

  • Websense Cloud Security installed and configured
  • Websense endpoint installed on users' machines
  • Users and groups synced from Active Directory using DirSyncClient (DSC)

Problem:

Users stopped appearing in the Websense reports catalogue, and if you run any reports from the report builder they do not appear in the results.

Solution:

Log into the Triton portal and select Account > End Users. Search for all users ending with nosuchdomain.autoregistration.proxy, delete all users ending with nosuchdomain, and run another DSC sync to make sure no more nosuchdomain users appear. Wait about 10-15 minutes and the users should start appearing in the reports.


Microsoft – Licencing

Posted by on 18 Feb, 2015 in Licencing, Microsoft | 0 comments

We were audited last year by Microsoft as we were on the Software Assurance (SA) program and our 3 year agreement was coming to an end. Speaking to a Microsoft licensing specialist during the audit, I found out some interesting information about licensing Microsoft software. Some of it I already knew, some I did not. This post may be useful if you are being audited or looking to purchase software. Only some of the information below was relevant to the company I work for, but I thought I would add everything I found out as it may help someone in the future.

Physical/Virtual Server Licences

If you purchase a server licence (e.g. a Server 2012 Standard Open/SA licence), most people know that you are licensed to install the operating system on a physical server with up to 2 CPUs. You can also use that licence on a virtual platform such as VMware to create two virtual servers (on the same host).

VDA Licences

If you are on the Software Assurance program and you have purchased the Microsoft Professional Desktop Platform (which includes the OS, Office and the Core CAL suite), this includes licences for you to also run a virtual instance of the Windows desktop OS at no additional charge, as being on the SA program includes a VDI licence. Once the SA finishes and you do not renew your SA subscription, you either have to remove the virtual desktop images or pay for a VDI licence for every physical desktop/user that wants to connect to the virtual instance. So if you have 20 users that may connect to a single virtual Windows 8 VM now and again, you need to buy 20 VDI licences, which are quite expensive (about £90 per user/device per year).

Virtual Servers with Multiple Hosts and Shared Storage

This is one of the most interesting bits of information I found out from the Microsoft licensing specialist. Let's say you have 2 hosts with shared storage and you have 5 Server 2008/2012 VMs running on each host. With SA you are allowed to move the VMs (i.e. vMotion/HA failover) as many times as you like. You also need to licence the VM for each host. For example, if you have 2 hosts and you purchase a Server 2008/2012 licence, the licence allows you 2 VM instances. But you need to licence the VM for each host, as you can move the VM from host to host. So where you could have 2 VMs running on a single host, if you have 2 hosts with shared storage you can only have a single VM with the 2 VM licences (one licence per host).

If you terminate your SA subscription, or you don't have SA and you purchase Open licences, then you can only move a VM from one host to another every 90 days. So if a host fails and HA failover kicks in, you will have 10 VMs running on a single host. When the failed host is repaired you are not allowed to move the VMs back until the 90 days have passed! You could move them back and Microsoft will not know unless they ask for your hypervisor log files. However, if you want to make sure you are covered, the way to go is to purchase Windows Server Datacenter edition for each host. This is because the Datacenter edition allows you to run as many VMs as you like on each host and, according to the specialist I spoke to, is not affected by the 90 day limit.

SharePoint – On premise

Before moving to Office 365 we were trialling SharePoint internally. What I found was that if you are going to host SharePoint yourselves internally, you need to be aware that you will need a SQL CAL for each user that will be using SharePoint, as well as a SharePoint CAL.

Terminal Server CALs

If you have a Terminal Server, Terminal Server CALs are required for every user that will use the terminal server. So if you have 50 employees and a single terminal server which they may log into now and again, but only about 5 users will ever be on the server at the same time, you still need to purchase 50 CALs.

Conclusion

This post only covers a tiny bit of the very large world of Microsoft licences, so it does not cover everything about licensing and all the benefits of an SA subscription. However, if you are taking part in a SAM audit or looking at not renewing your SA subscription, it may help in your decision.

As Microsoft licences are constantly changing, make sure you check with a licensing specialist on what you require before purchasing/renewing any licences, as the information in this post may be incorrect at the time of reading.

Useful Links:

Core CAL Suite

http://www.microsoft.com/licensing/about-licensing/briefs/cal-suites.aspx

VDA

http://searchvirtualdesktop.techtarget.com/feature/Demystifying-Microsoft-virtual-desktop-licensing-SA-vs-VDA-vs-CDL

Software Assurance

http://www.microsoft.com/en-gb/licensing/software-assurance/default.aspx

http://www.microsoft.com/licensing/software-assurance/by-benefits.aspx


Juniper Netscreen – Route traffic through another firewall

Posted by on 18 Feb, 2015 in Firewalls, Juniper, Security | 1 comment

Setup:

Office A – Juniper Netscreen SSG5 (static IP)

Office B – Juniper Netscreen SSG5 (dynamic IP)

Both offices are connected to one another via a VPN tunnel between the SSG5s.

I came across an issue recently where we had remotely hosted servers locked down to a certain IP address (Office A) and we needed Office B to access those servers from their office using the dynamic IP. The way I found around this was to redirect certain traffic over the VPN from Office B to Office A, then present the IP as the static IP of Office A to access the servers.

I won't go through setting up the VPN between the offices, as I am assuming this is already done with the following settings:

  • The VPNs are set up using tunnel interfaces
  • The VPNs are working in both directions
  • The policies used are set to allow ANY service through for this test setup

Office A

  • Log into the Juniper and select Policy > Policies.
  • In the From dropdown select untrust, in the To dropdown select untrust, and then click New.
    • Source Address: Select the Office B LAN.
    • Destination Address: Select Any (or, to make it more secure, create an address list for the hosted servers and select it).
    • Service: Select the required service (e.g. RDP) or select ANY to allow everything through.
    • Logging: Enable this setting.
    • Click Advanced.
      • Source Translation: Tick this option.
      • (DIP on): Select None (Use Egress Interface IP).
      • Enable any other relevant settings you require.
      • Click OK to close the Advanced page.
      • Click OK to save the policy.

Office B

  • Select Network > Routing > Destination.
  • Click New (top right corner).
    • IP Address/Netmask: Enter the external server IP and mask. If it is a single IP, use a mask of 32.
    • Gateway: Enable this option.
    • Interface: Select the tunnel interface for the VPN to Office A.
    • Gateway IP Address: Enter the internal IP of the Juniper Netscreen at Office A.
    • Permanent: Enable this option.
    • Description: I would enter a description here, such as the hosted server name.
    • Click OK.

You should now have access to the hosted server. If you wanted, you could direct all traffic over the VPN by adding the IP Address/Netmask as 0.0.0.0/0.
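The same two steps expressed as ScreenOS CLI, added here as an example and not taken from the original post. It assumes ScreenOS 6.x syntax, that the tunnel interface at Office A sits in the untrust zone (which is why the policy is untrust to untrust, as in the GUI steps), and that tunnel.1, the hosted server 203.0.113.10, Office B's LAN 192.168.2.0/24 and Office A's trust address 192.168.1.1 are constructed placeholders; lines starting with # are annotations, not ScreenOS commands.

```screenos
# Office A (static IP): address objects for the policy. Restricting the
# destination to the hosted server keeps Office B from borrowing Office A's
# public IP for anything else. Placeholder addresses, not from the post.
set address untrust "OfficeB-LAN" 192.168.2.0 255.255.255.0
set address untrust "Hosted-Server" 203.0.113.10 255.255.255.255

# Office A: untrust-to-untrust policy with source NAT. "nat src" without a
# DIP pool is the CLI equivalent of "DIP on: None (Use Egress Interface IP)",
# and "log" matches the Logging checkbox so the translated sessions show up.
set policy id 50 name "OfficeB-via-OfficeA" from untrust to untrust "OfficeB-LAN" "Hosted-Server" "ANY" nat src permit log

# Office B (dynamic IP): host route (/32) for the hosted server out of the
# VPN tunnel interface, next hop Office A's internal address, marked
# permanent as in the GUI. Use 0.0.0.0/0 here to send all traffic via Office A.
set route 203.0.113.10/32 interface tunnel.1 gateway 192.168.1.1 permanent
```

After saving, `get session` on Office A should show Office B sessions to the hosted server with the untrust interface IP as the translated source.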


Juniper Netscreen – DNS entries changing on reboot (fixed)

Posted by on 18 Feb, 2015 in Firewalls, Juniper, Security | 0 comments

If you are using a Juniper Netscreen as a DHCP server, you may find that when rebooting the device the DNS server entries for DHCP change to the entries of the untrust port. This is down to the default DNS override settings, which can be changed using either the GUI or shell commands. I will show both ways below:

GUI:

  • Log into the Juniper and select Network > Interfaces > untrust port > Edit
  • Deselect the setting Automatic Update DHCP Server Parameters


Shell:

Log into the shell (e.g. using PuTTY), then type the following command to disable the setting on the untrust port:

unset interface untrust dhcp client settings update-dhcpserver

Run "save" afterwards so the change survives the next reboot.


Cisco Meraki – allowing client VPN access to other (VPN) sites

Posted by on 18 Feb, 2015 in Cisco Meraki, Firewalls, Security | 0 comments

Setup:

  • Cisco Meraki MX100 (connected with a static external IP)
  • Juniper Netscreen SSG5/NS5GT (connected with a static external IP)

The above two sites are connected to one another using the guide in my other post, which can be found here.

If you use the Cisco Meraki MX firewall to connect to third-party firewalls such as Juniper Netscreens, you will notice that clients connected to the Meraki client VPN won't have access to the VPN sites even if you allow them access on the Meraki's Site-to-Site VPN page. This is because you need to add the client IP ranges to the third-party firewalls.

If you are using a Juniper SSG5 or similar, you need to add the Meraki client VPN's internal IP ranges in the following places on the Juniper firewall:

  • On the Proxy ID for the VPN (VPNs > AutoKey IKE > Proxy ID), add the internal IP ranges of the Meraki client VPN.
  • Create an untrust address for the client VPN IP ranges in Policy > Policy Elements > Address > Lists.
  • Once the addresses above have been created, add them to the existing policies from the Juniper to the Meraki and vice versa.
  • Finally, create a route to the destination using the same tunnel interface as the existing VPN in Network > Routing > Destination.

This will allow the users on the client VPN to access the site connected with a VPN between the Meraki and Juniper Netscreen.
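The four Juniper-side steps above as ScreenOS CLI, added here as an example and not taken from the original post. It assumes ScreenOS 6.x syntax and uses constructed placeholders: the VPN object "VPN-Meraki" bound to tunnel.2, existing policies 10 and 11 between the sites, the Juniper LAN 192.168.1.0/24 and the Meraki client VPN pool 10.10.10.0/24; lines starting with # are annotations, not commands.

```screenos
# Step 1: extra proxy ID so phase 2 also negotiates the client VPN pool.
# Local is the Juniper LAN, remote is the Meraki client pool (placeholders).
set vpn "VPN-Meraki" proxy-id local-ip 192.168.1.0/24 remote-ip 10.10.10.0/24 "ANY"

# Step 2: untrust address object for the client VPN range.
set address untrust "Meraki-ClientVPN" 10.10.10.0 255.255.255.0

# Step 3: add the new address to the existing policies in both directions.
# Entering the policy context with "set policy id N" turns it into a
# multi-cell policy; the existing address cells are left in place.
set policy id 10
set dst-address "Meraki-ClientVPN"
exit
set policy id 11
set src-address "Meraki-ClientVPN"
exit

# Step 4: route the client pool out of the same tunnel interface as the
# existing site-to-site VPN.
set route 10.10.10.0/24 interface tunnel.2
```

Keep the policies scoped to the client VPN pool rather than widening them to Any, and check `get sa` after a client connects to confirm the new proxy ID has its own phase 2 SA.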
