Monday, April 27, 2015

Exchange 2013 -- How to display message tracking log on Exchange 2013

Starting with Exchange 2013, Microsoft removed the Message Tracking Log Explorer that administrators used to trace messages in and out of the mail server.

Delivery Report (EAC)

On Exchange 2013, you can use the EAC to track messages with a delivery report, but it is limited to a single mailbox with a specific sender or recipient.

Get-MessageTrackingLog (Shell)

Or, you can use the shell to trace messages:
Get-MessageTrackingLog
You can add more parameters to narrow the results.
(The most common parameters are listed below; for details, refer to the Microsoft documentation.)
-Start The Start parameter specifies the start date and time of the date range.
-End The End parameter specifies the end date and time of the date range. Message delivery information is returned up to, but not including, the specified date and time.
-EventId The EventId parameter filters the message tracking log entries by the value of the EventId field. The EventId value classifies each message event. Example values include DSN, Defer, Deliver, Send, or Receive.
-Sender The Sender parameter filters the message tracking log entries by the sender's SMTP email address.
-Recipients The Recipients parameter filters the message tracking log entries by the SMTP email address of the message recipients. You can specify multiple recipient email addresses separated by commas.
-ResultSize The ResultSize parameter specifies the maximum number of results to return. If you want to return all requests that match the query, use unlimited for the value of this parameter. The default value is 1000.
Example of using the parameters:
Search for messages sent from peter@example.com to mary@forexample.com between 2015/04/25 and 2015/04/27, with EventId SEND and no result size limit.
Get-MessageTrackingLog -Start "2015/04/25" -End "2015/04/27" -EventId "Send" -Sender "peter@example.com" -Recipients "mary@forexample.com" -ResultSize Unlimited
Piping to "Format-Table" lets you customize the output format.
Get-MessageTrackingLog -Start "2015/04/27" -Sender "zachary@xxxx.xxxx" | ft EventId, Source, Sender, Recipients, MessageSubject


Out-GridView (Shell)

Adding parameters reduces the amount of output, but the result is still not easy to read at the command line.
PowerShell 2.0 introduced Out-GridView, which displays the result in a user interface similar to the original Message Tracking Log Explorer in Exchange 2010 and earlier.
Example:
Get-MessageTrackingLog -ResultSize Unlimited -Start "2015/04/27" | Out-GridView
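The following is an added example, not code from the original post: it wraps the Get-MessageTrackingLog calls above into one function that pulls everything one sender sent in a time window, counts the entries per EventId, lists the distinct recipients, and optionally exports the rows to CSV or opens them in Out-GridView. It assumes it runs in the Exchange Management Shell on an Exchange 2013 server; the function name, its parameters and the sample paths are this example's own.

```powershell
# Added example (not from the original post): summarize one sender's messages over a
# time window from the tracking log, and optionally export the rows to CSV or open
# them in Out-GridView. Assumes it runs in the Exchange Management Shell on Exchange 2013.
function Get-SenderTrackingSummary {
    param(
        [Parameter(Mandatory)][string]$Sender,
        [datetime]$Start = (Get-Date).AddDays(-1),
        [datetime]$End   = (Get-Date),
        [string]$ExportCsv,          # optional path, e.g. C:\temp\tracking.csv
        [switch]$GridView
    )

    # ResultSize defaults to 1000 and silently truncates; always ask for Unlimited here.
    $entries = @(Get-MessageTrackingLog -Sender $Sender -Start $Start -End $End -ResultSize Unlimited)

    # Counts per EventId (RECEIVE, SEND, DELIVER, FAIL, DEFER, ...) show where messages stopped.
    $byEvent = $entries | Group-Object EventId | Sort-Object Count -Descending |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count

    # Recipients is multi-valued; flatten it to get the distinct recipient set.
    $recipients = $entries | ForEach-Object { $_.Recipients } | Sort-Object -Unique

    # One flat row per log entry, with the recipient list joined for CSV/grid display.
    $rows = $entries | Select-Object Timestamp, EventId, Source, ClientIp, ServerHostname, Sender,
        @{ n = 'Recipients'; e = { $_.Recipients -join ';' } }, MessageSubject, MessageId

    if ($ExportCsv) { $rows | Export-Csv -Path $ExportCsv -NoTypeInformation -Encoding UTF8 }
    if ($GridView)  { $rows | Out-GridView -Title "Message tracking: $Sender ($Start to $End)" }

    [pscustomobject]@{
        Sender             = $Sender
        Start              = $Start
        End                = $End
        TotalEntries       = $entries.Count
        EventCounts        = $byEvent
        DistinctRecipients = $recipients
    }
}

# Usage: review what one mailbox sent in the last day, in the grid and as a CSV file.
# Get-SenderTrackingSummary -Sender 'peter@example.com' -GridView -ExportCsv 'C:\temp\peter-tracking.csv'
```

The per-EventId counts are the quick health check: a sender with many RECEIVE and SEND entries but few DELIVER entries points at a delivery problem, and the CSV keeps a record of the query for later review.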

Tuesday, April 21, 2015

Fortigate -- VIP Service Port vs. Policy Service

Important Concept

The service in a firewall policy defines the protocol between the source interface and the destination interface. This is straightforward when you set up a standard protocol between two interfaces, but it gets confusing when you customize a port and then put that port in the firewall policy.

Scenario

We host a web server internally and need to publish it to the Internet on a static WAN IP address. We don't want to use the standard HTTP and HTTPS ports on the Internet side.

Conditions (all values below are fake)

  • Web Server Internal IP: 192.168.1.10
  • Web Server Internal Service Port: HTTP(80), HTTPS(443)
  • Web Service Internet IP: 8.8.8.9
  • Web Service Internet Port: HTTP(9980), HTTPS(9443)

Initial Configuration

  1. Create new Virtual IP (VIP)
    config firewall vip
        edit "Web Service HTTP"
            set extip 8.8.8.9
            set extintf "WAN"
            set portforward enable
            set mappedip 192.168.1.10
            set extport 9980
            set mappedport 80
        next
        edit "Web Service HTTPS"
            set extip 8.8.8.9
            set extintf "WAN"
            set portforward enable
            set mappedip 192.168.1.10
            set extport 9443
            set mappedport 443
        next
    end
  2. Create Custom Service
    config firewall service custom
        edit "TCP_9980"
            set protocol TCP/UDP/SCTP
            set tcp-portrange 9980
        next
        edit "TCP_9443"
            set protocol TCP/UDP/SCTP
            set tcp-portrange 9443
        next
    end
  3. Create Firewall Policy
    config firewall policy
        edit 72
            set srcintf "WAN"
            set dstintf "Internal"
            set srcaddr "all"
            set dstaddr "Web Service HTTP" "Web Service HTTPS"
            set action accept
            set schedule "always"
            set service "TCP_9980" "TCP_9443"
            set logtraffic enable
        next
    end

Issue of Initial Configuration

After the setup, I tried to connect from the Internet to the customized ports, but the connection failed. Why?
Refer to the concept at the beginning: "The service in a firewall policy defines the protocol between the source interface and the destination interface."
Based on my requirement, Internet users must connect to the customized ports 9980 and 9443 to reach the web service, but between the "WAN" and "Internal" interfaces the traffic is on the standard HTTP and HTTPS ports, because the VIP has already translated the destination port before the policy is evaluated. That is why the connection fails with the initial configuration.

Correct Configuration

3. Create Firewall Policy
config firewall policy
    edit 72
        set srcintf "WAN"
        set dstintf "Internal"
        set srcaddr "all"
        set dstaddr "Web Service HTTP" "Web Service HTTPS"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic enable
    next
end

Schematic diagram


Thursday, April 9, 2015

Windows -- How to enable LDAP over SSL on Windows 2012 or later

By default, a Windows domain controller provides the LDAP service without SSL encryption. If you need to enable SSL on the LDAP service (LDAPS), there are two options for deploying it.

Option 1:

You can install an Enterprise root CA on a domain controller; this makes all DCs accept LDAPS requests immediately. (However, installing a CA on a DC is not recommended by Microsoft.)

Option 2:

In most cases, an Enterprise Root CA is already installed on a member server, and you can follow the instructions linked below to set it up.
LDAP over SSL (LDAPS) Certificate
Windows Server 2012 - Enable LDAPS

In my case, I am using a Standalone CA, which has no "Certificate Templates" (they only exist on an Enterprise CA), so I can't issue a new template for the DC to enroll a certificate directly.

Here are my steps to submit a request to the Standalone CA, get the certificate, and import it on the DC for LDAPS.
  1. Open IE and connect to the Standalone CA at https://standalone.ca/certsrv.
  2. Click Request a Certificate.
  3. Click Advanced certificate request.
  4. Click Create and submit a request to this CA.
  5. Provide the identifying information as required.
  6. In the Name box, type the fully qualified domain name of the domain controller.
  7. In the Type of Certificate Needed list, click Server Authentication Certificate.
  8. Under Key Options, set the following options:
    • Create a new key set
    • CSP: Microsoft RSA SChannel Cryptographic Provider
    • Key Usage: Exchange
    • Key Size: 1024 - 16384
    • Automatic key container name
    • Mark keys as exportable
  9. Under Advanced Options, set the request format to CMC.
  10. In the Attributes box, type the desired SAN attributes. SAN attributes take the following form:
    san:dns=dns.name[&dns=dns.name]
    Multiple DNS names are separated by an ampersand (&). For example, if the name of the domain controller is corpdc1.fabrikam.com and the alias is ldap.fabrikam.com, both names must be included in the SAN attributes. The resulting attribute string looks like this:
    san:dns=corpdc1.fabrikam.com&dns=ldap.fabrikam.com
  11. Click Submit.
  12. If the CA is not configured to issue certificates automatically, a Certificate Pending page is displayed asking you to wait for an administrator to issue the requested certificate.

    To retrieve a certificate that an administrator has issued, connect to http://standalone.ca/certsrv, click Check on a Pending Certificate, click the requested certificate, and then click Next.

    If the certificate was issued, the Certificate Issued page is displayed. Click Install this Certificate to install it.
  13. Open an MMC console, add the Certificates snap-in for "My user account", and click OK.
  14. Under Personal -> Certificates, double-click the certificate installed in step 12.
  15. On the Details tab, click "Copy to File..." to open the Certificate Export Wizard.
  16. Select "Yes, export the private key" and click Next.
  17. Type a password and click Next.
  18. Give the exported key a file name and select a location to store the file.
  19. Open MMC, add the Certificates snap-in for "Service account", select "Local computer", select "Active Directory Domain Services", and click OK.
  20. Right-click NTDS\Personal, then "All Tasks", "Import".
  21. Browse to the file you stored in step 18 and type the password you set in the same step.
  22. After the certificate is imported, you can start using LDAPS.
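Once the certificate is in the NTDS\Personal store, the check a practitioner wants is whether the DC really answers LDAPS with that certificate. The following is an added example, not part of the original post: it connects to port 636, reads the certificate the DC presents, confirms the expected DNS names (the DC FQDN and any alias, as entered in the SAN attributes of step 10) are in the SAN, checks the Server Authentication EKU and chain trust, and then performs a real LDAP bind over SSL with the caller's Windows credentials. The function name, its parameters and the sample host names are this example's own; the callback that accepts any certificate exists only so the certificate can be inspected, and trust is checked separately with Verify().

```powershell
# Added example, not from the original post: verify that a domain controller answers
# LDAPS on 636 with a certificate that names the DC (and any alias) in its SAN, carries
# the Server Authentication EKU, chains to a trusted root, and accepts an LDAP bind over SSL.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory)][string]$Server,      # e.g. corpdc1.fabrikam.com
        [string[]]$ExpectedNames = @($Server),      # names that must appear in the SAN
        [int]$Port = 636
    )

    # TLS handshake only to fetch the certificate; the callback accepts everything on
    # purpose so that a bad certificate can still be inspected and reported below.
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $tcp.Close()
    }

    # SAN extension (OID 2.5.29.17) formats as "DNS Name=a, DNS Name=b" on Windows.
    $sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanNames = @()
    if ($sanExt) {
        $sanNames = @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }
    $missing = @($ExpectedNames | Where-Object { $sanNames -notcontains $_ })

    # EKU extension (OID 2.5.29.37) must include Server Authentication (1.3.6.1.5.5.7.3.1).
    $ekuExt     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $serverAuth = [bool]($ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }))

    # A real bind over SSL with the current user's Windows credentials; this is what
    # an LDAPS client does, and it fails if the certificate or the listener is wrong.
    $bindOk = $false; $bindError = $null
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection("$Server`:$Port")
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    try { $conn.Bind(); $bindOk = $true } catch { $bindError = $_.Exception.Message } finally { $conn.Dispose() }

    [pscustomobject]@{
        Server            = $Server
        Subject           = $cert.Subject
        SanDnsNames       = $sanNames
        MissingNames      = $missing
        ServerAuthEku     = $serverAuth
        NotAfter          = $cert.NotAfter
        ChainTrusted      = $cert.Verify()
        BindSucceeded     = $bindOk
        BindError         = $bindError
    }
}

# Usage, with the names from step 10 of the post:
# Test-LdapsEndpoint -Server corpdc1.fabrikam.com -ExpectedNames corpdc1.fabrikam.com, ldap.fabrikam.com
```

An empty MissingNames list, ServerAuthEku and ChainTrusted both true, and BindSucceeded true together mean the imported certificate is the one the DC serves and that LDAPS clients will be able to validate it. If the bind fails while the handshake succeeds, look at the chain (the Standalone CA root must be trusted by the client) before touching the DC again.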

Wednesday, March 25, 2015

Windows -- How to decrypt EFS-encrypted files stored on a domain PC

Description

====================
  We have a PC that was used by an employee who left the company a long time ago. One day we needed some files from this PC and found that all of them were encrypted with Windows EFS. Decrypting them requires the user's account, which we no longer have because it was deleted long ago.

Solution

====================
Fortunately, this is a domain PC, so I can use the domain administrator's certificate to decrypt the files.

1. Log in to the domain controller with domain administrator privileges and export the Administrator certificate with its private key.

2. Log in to the PC with the local administrator account.

3. Change the owner of the files to the local administrator.

4. Grant Full Control on the files (to the local Administrator).

5. Double-click the exported certificate and follow the wizard to import it as a Personal certificate.

6. Right-click each file and decrypt the files you need.
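Steps 3, 4 and 6 are tedious by hand when a whole profile is encrypted. The following is an added example, not code from the original post: it finds the EFS-encrypted files under a path, takes ownership and grants Full Control with takeown and icacls (steps 3 and 4), and decrypts each file with File.Decrypt, which uses the EFS certificates in the current user's store, so it only works after step 5 has placed the recovery certificate and private key there. It is meant to run in an elevated PowerShell as that local administrator; the function names and the sample profile path are this example's own, and -WhatIf lets you review the list before anything changes.

```powershell
# Added example (not from the original post): bulk version of steps 3, 4 and 6.
# Assumes the recovery certificate with its private key is already imported into the
# current user's Personal store (step 5) and the shell is elevated.

function Get-EfsEncryptedFile {
    # List files under $Path whose attributes carry the Encrypted flag.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 }
}

function Unprotect-EfsFile {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)][System.IO.FileInfo]$File)
    process {
        $result = [ordered]@{ File = $File.FullName; Decrypted = $false; Error = $null }
        if ($PSCmdlet.ShouldProcess($File.FullName, 'Take ownership, grant Full Control, decrypt')) {
            try {
                # Step 3: ownership to the Administrators group; step 4: Full Control for it.
                & takeown.exe /F $File.FullName /A | Out-Null
                & icacls.exe $File.FullName /grant 'Administrators:F' | Out-Null
                # Step 6: decrypt using the EFS/recovery key in the current user's store.
                [IO.File]::Decrypt($File.FullName)
                $attrs = [IO.File]::GetAttributes($File.FullName)
                $result.Decrypted = (($attrs -band [IO.FileAttributes]::Encrypted) -eq 0)
            } catch {
                $result.Error = $_.Exception.Message
            }
        }
        [pscustomobject]$result
    }
}

# Usage: preview first, then run for real and keep only the files that still failed.
# Get-EfsEncryptedFile -Path 'C:\Users\olduser\Documents' | Unprotect-EfsFile -WhatIf
# Get-EfsEncryptedFile -Path 'C:\Users\olduser\Documents' | Unprotect-EfsFile | Where-Object { -not $_.Decrypted }
```

A file that stays Encrypted with an access-denied error after this run was not encrypted to the imported certificate (for example because it was encrypted before the recovery policy applied to the PC), so the failures list is the set of files that need a different key.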


Juniper -- How to set up a Dialup VPN on the Juniper SSG 5 (Policy-Based)

In this post, I'll go through the process of setting up a policy-based IPsec VPN on a Juniper SSG5 for dial-up clients that use the NetScreen-Remote client software.

1. Create IP Pool for dialup client.
    Objects => IP Pools => New

2. Create IKE User account.
    Objects => Users => Local => New

3. Create IKE Group and add IKE user as member.
    Objects => Users => Local Groups => New

4. Create Xauth user account for dialup user authentication.
    Objects => Users => Local => New

You can give dial-up users different IP pools by configuring the L2TP/XAuth Remote Settings with different IP Pool profiles, or use the same IP pool for everyone by setting the XAuth Settings under VPNs => AutoKey Advanced => XAuth Settings.

5. Create Xauth Group and add Xauth user account as member.
    Objects => Users => Local Groups => New

6. Create VPN Gateway.
    VPNs => AutoKey Advance => Gateway => New

Select the IKE group as the Dialup User Group and click Advanced for the detailed configuration.

7. Configure the Advanced page for the VPN Phase 1 authentication and encryption method.
    Click OK to finish the configuration.

You can enable NAT-Traversal if there is a NAT device between the server and the client. You can also enable DPD to detect the VPN connection status.

8. Click

Fortigate -- How to allow internal users access to VIP (Public IP address)

Description

====================
Users need to access our external services, which are hosted internally and published to the Internet via a VIP (Virtual IP).

Issue

====================
Users can reach the service by its internal IP address, but cannot reach the external IP address when they are in the office on the internal network.

Cases

====================

Case 1: Users and the service are on the same FortiGate port.


Solution (Case 1):
Firewall VIP
    When configuring the VIP, the external interface must be set to "any".
    config firewall vip
        edit "Server1"
            set extip 67.2.22.22
            set extintf "any"               <<< Specifying "any" is a requirement
            set mappedip 172.18.10.1
        next
    end

Firewall Policy
    1. Allow WAN to Port1 and Port1 to Port1
    config firewall policy
        edit 4
            set srcintf "WAN"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "Server1"
            set action accept
            set schedule "always"
            set service "ANY"
        next
        edit 3
            set srcintf "port1"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "Server1"
            set action accept
            set schedule "always"
            set service "ANY"
        next
    end

Note: In my case, I completed the configuration above but users still could not reach the external service via the VIP.
         After reviewing my network topology: all internal routing is done on the core switch, so the FortiGate does not know which subnets exist internally. I had to add a policy route on the FortiGate so that when a packet comes in on Port1 and is destined for another internal subnet, it is forwarded back out Port1 for routing. After that, everything worked like a charm.


Case 2: Users and the service are on different FortiGate ports


Solution (Case 2):
Firewall VIP
    When configuring the VIPs, the external interface must be set to "any".
    config firewall vip
        edit "Server1"
            set extip 67.2.22.22
            set extintf "any"               <<< Specifying "any" is a requirement
            set mappedip 172.18.10.1
        next
        edit "Server2"
            set extip 67.2.22.23
            set extintf "any"               <<< Specifying "any" is a requirement
            set mappedip 172.18.50.1
        next
    end

Firewall Policy
    1. Allow "WAN to Port1", "WAN to Port3", "Port1 to Port1" and "Port1 to Port3"
    config firewall policy
        edit 4
            set srcintf "WAN"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "Server1"
            set action accept
            set schedule "always"
            set service "ANY"
        next
        edit 3
            set srcintf "port1"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "Server1"
            set action accept
            set schedule "always"
            set service "ANY"
        next
        edit 5
            set srcintf "WAN"
            set dstintf "port3"
            set srcaddr "all"
            set dstaddr "Server2"
            set action accept
            set schedule "always"
            set service "ANY"
        next
        edit 6
            set srcintf "port1"
            set dstintf "port3"
            set srcaddr "all"
            set dstaddr "Server2"
            set action accept
            set schedule "always"
            set service "ANY"
        next
    end
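Both FortiGate posts on this page come down to the same two checks on a VIP and the policies that reference it: the service in the policy must be the VIP's mapped port, not its external port (the "VIP Service Port vs. Policy Service" post), and a VIP that internal users must reach from a non-WAN interface needs extintf "any" (this post). The following is an added example, not code from the original posts or from Fortinet: a small PowerShell lint that parses the "config firewall vip", "config firewall service custom" and "config firewall policy" blocks in the same form as shown above and reports both mistakes. The function names, the assumed ports for the built-in HTTP and HTTPS service objects, and the sample configuration are all this example's own; the sample deliberately contains the failing policy 72 from the first post and a Server1 VIP whose extintf is "WAN".

```powershell
# Added example (not from the posts or from Fortinet): lint VIPs against the policies
# that use them. Assumed: built-in HTTP/HTTPS service ports; constructed sample config.
function Get-FortiValues {
    # Split a raw "set" value into tokens: quoted names or bare words.
    param([string]$Raw)
    [regex]::Matches([string]$Raw, '"([^"]*)"|(\S+)') | ForEach-Object {
        if ($_.Groups[1].Success) { $_.Groups[1].Value } else { $_.Groups[2].Value }
    }
}

function ConvertFrom-FortiConfig {
    # Minimal parser: one hashtable per "edit" entry, keyed by the "set" names.
    param([Parameter(Mandatory)][string]$Text)
    $vips = @{}; $services = @{}; $policies = @(); $section = $null; $cur = $null
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^config firewall (vip|service custom|policy)$') { $section = $Matches[1]; continue }
        if ($line -match '^edit\s+(.+)$') { $cur = @{ Name = $Matches[1].Trim('"') }; continue }
        if ($cur -and $line -match '^set\s+(\S+)\s+(.+)$') { $cur[$Matches[1]] = $Matches[2]; continue }
        if ($line -eq 'next' -and $cur) {
            switch ($section) {
                'vip'            { $vips[$cur.Name] = $cur }
                'service custom' { $services[$cur.Name] = $cur }
                'policy'         { $policies += $cur }
            }
            $cur = $null
        }
    }
    [pscustomobject]@{ Vips = $vips; Services = $services; Policies = $policies }
}

function Test-FortiVipPolicy {
    param([Parameter(Mandatory)][string]$Text)
    $builtin = @{ HTTP = 80; HTTPS = 443 }   # assumed ports of the built-in service objects
    $cfg = ConvertFrom-FortiConfig -Text $Text
    $findings = @()
    foreach ($p in $cfg.Policies) {
        $srcintf = [string](Get-FortiValues $p['srcintf'])
        foreach ($v in (Get-FortiValues $p['dstaddr'])) {
            if (-not $cfg.Vips.ContainsKey($v)) { continue }
            $vip = $cfg.Vips[$v]
            # (2) A VIP only translates traffic arriving on extintf; traffic from any
            #     other interface (internal users) needs extintf "any".
            $ext = [string](Get-FortiValues $vip['extintf'])
            if ($ext -ne 'any' -and $ext -ne $srcintf) {
                $findings += [pscustomobject]@{ Policy = $p.Name; VIP = $v
                    Issue = "policy enters on $srcintf but VIP extintf is $ext; set extintf to any" }
            }
            if ($vip['portforward'] -ne 'enable') { continue }
            # (1) The policy is matched after DNAT, so its service must be the mapped port.
            foreach ($s in (Get-FortiValues $p['service'])) {
                $port = if ($cfg.Services.ContainsKey($s)) { [int](($cfg.Services[$s]['tcp-portrange'] -split '-')[0]) }
                        elseif ($builtin.ContainsKey($s)) { $builtin[$s] } else { $null }
                if ($null -ne $port -and $port -eq [int]$vip['extport'] -and $port -ne [int]$vip['mappedport']) {
                    $findings += [pscustomobject]@{ Policy = $p.Name; VIP = $v
                        Issue = "service $s is external port $port; the policy must allow mapped port $($vip['mappedport'])" }
                }
            }
        }
    }
    $findings
}

# Constructed sample: failing policy 72 from the first post, plus a VIP with extintf "WAN"
# used by a port1-to-port1 policy (the mistake this post corrects with extintf "any").
$sample = @'
config firewall vip
    edit "Web Service HTTP"
        set extintf "WAN"
        set portforward enable
        set mappedip 192.168.1.10
        set extport 9980
        set mappedport 80
    next
    edit "Server1"
        set extintf "WAN"
        set mappedip 172.18.10.1
    next
end
config firewall service custom
    edit "TCP_9980"
        set protocol TCP/UDP/SCTP
        set tcp-portrange 9980
    next
end
config firewall policy
    edit 72
        set srcintf "WAN"
        set dstintf "Internal"
        set dstaddr "Web Service HTTP"
        set service "TCP_9980"
    next
    edit 3
        set srcintf "port1"
        set dstintf "port1"
        set dstaddr "Server1"
        set service "ANY"
    next
end
'@
Test-FortiVipPolicy -Text $sample | Format-Table -AutoSize
```

Run against the sample, the lint reports policy 72 for using the external port 9980 where the mapped port 80 is needed, and policy 3 for reaching Server1 from port1 while its extintf is "WAN". Running it on the corrected configurations from both posts produces no findings. To check a live unit, paste the output of "show firewall vip", "show firewall service custom" and "show firewall policy" into $sample.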


Reference Fortigate KB:
Technical Note : How internal users can access internal resources via an external VIP (public IP address)