Wednesday, March 25, 2015

Windows -- How to decrypt files stored on a domain PC when the account that encrypted them is gone.

Description

====================
  We have a PC that was used by an employee who left the company a long time ago. One day we needed to get some files from this PC and found that all of them were encrypted with Windows EFS. Decrypting them requires the user account that encrypted them, but that account was deleted long ago.

Solution

====================
Fortunately, this is a domain PC, so I can use the domain Administrator's certificate to decrypt the files: in an Active Directory domain the domain Administrator's EFS certificate is the default data recovery agent (DRA), and the DRA's private key can decrypt any file that was encrypted while that recovery policy applied.

1. Log in to the domain controller with domain administrator privileges and export the Administrator certificate together with its private key.

2. Log in to the PC with a local administrator account.

3. Change the owner of the files to the local administrator.

4. Grant the local administrator full access rights on the files.

5. Double-click the exported certificate and follow the wizard to import it into the Personal certificate store.

6. Right-click a file and decrypt the files you need.
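The command-line equivalent of steps 3 to 6, added here as an example (not part of the original post), with a check that the certificate you imported is one that cipher reports as able to decrypt the files; the paths C:\Recover and C:\Temp\dra.pfx are assumptions:

```powershell
# Added example (not from the original post): command-line form of steps 3 to 6,
# plus a check that the imported certificate can really decrypt these files.
# Run in an elevated PowerShell session as the local administrator.
# Assumed paths: encrypted data under C:\Recover, and the certificate exported
# from the domain controller in step 1 saved as C:\Temp\dra.pfx.
$Folder = 'C:\Recover'
$Pfx    = 'C:\Temp\dra.pfx'

# Steps 3 and 4: take ownership, then grant Administrators full control, recursively.
takeown.exe /F $Folder /R /D Y | Out-Null
icacls.exe $Folder /grant 'Administrators:(OI)(CI)F' /T | Out-Null

# cipher /c lists, per file, the users and recovery certificates that can decrypt
# it, each with a "Certificate thumbprint:" line. Collect every thumbprint it reports.
$Needed = cipher.exe /c /s:$Folder |
    Select-String -Pattern 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)' |
    ForEach-Object { ($_.Matches[0].Groups[1].Value -replace '\s', '').ToUpper() } |
    Sort-Object -Unique
if (-not $Needed) { throw "cipher /c reported no EFS metadata under $Folder" }

# Step 5: import the .pfx (certificate plus private key) into the current user's
# Personal store; this is what the certificate import wizard does.
$Password = Read-Host -AsSecureString -Prompt 'Password of the exported .pfx'
Import-PfxCertificate -FilePath $Pfx -CertStoreLocation Cert:\CurrentUser\My `
    -Password $Password | Out-Null

# Check before decrypting: at least one thumbprint cipher listed must now be in the
# Personal store with its private key. If none is, the wrong certificate was exported
# (for example, not the data recovery agent that applied to these files).
$Usable = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($Needed -contains $_.Thumbprint.ToUpper()) }
if (-not $Usable) {
    throw "No usable key in the store. The files require one of: $($Needed -join ', ')"
}
Write-Host "Decrypting with certificate(s): $($Usable.Thumbprint -join ', ')"

# Step 6: decrypt everything under the folder.
cipher.exe /d /s:$Folder
```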

Juniper -- How to set up a Dialup VPN on the Juniper SSG 5 (Policy-Based)

In this post I'll go through the process of setting up a policy-based IPSec VPN on a Juniper SSG5 for dial-up clients that use the NetScreen-Remote client software.

1. Create an IP Pool for dial-up clients.
    Objects => IP Pools => New
   
2. Create an IKE user account.
    Objects => Users => Local => New
   
3. Create an IKE group and add the IKE user as a member.
    Objects => Users => Local Groups => New

4. Create an Xauth user account for dial-up user authentication.
    Objects => Users => Local => New

You can give dial-up users different IP pools by configuring each user's L2TP/Xauth Remote Settings with a different IP pool profile, or give them all the same IP pool through the Xauth settings under VPNs => AutoKey Advanced => Xauth Settings.

5. Create an Xauth group and add the Xauth user account as a member.
    Objects => Users => Local Groups => New

6. Create the VPN gateway.
    VPNs => AutoKey Advanced => Gateway => New

Select Dialup User Group, choose the IKE group created in step 3, and click Advanced for the detailed configuration.

7. On the Advanced page, configure the Phase 1 authentication and encryption methods, then click OK to finish the configuration.

Enable NAT-Traversal if there is a NAT device between the SSG and the clients. You can also enable DPD (Dead Peer Detection) so the SSG notices when a VPN connection has gone away.

8. Click

Fortigate -- How to allow internal users to access a VIP (public IP address)

Description

====================
Users need to access an external service that is hosted internally and published to the Internet through a VIP (Virtual IP).

Issue

====================
Users can reach the service by its internal IP address, but cannot reach its external IP address while they are in the office on the internal network.

Cases

====================

Case 1: Users and the server connect to the FortiGate on the same port.


Solution (Case 1):
Firewall VIP
    When configuring the VIP, the external interface must be set to "any".
    config firewall vip
        edit "Server1"
            set extip 67.2.22.22
            set extintf "any"               <<< Specifying "any" is a requirement
            set mappedip 172.18.10.1
        next
    end

Firewall Policy
    1. Allow WAN to Port1 and Port1 to Port1.
    config firewall policy
        edit 4
            set srcintf "WAN"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "Server1"
            set action accept
            set schedule "always"
            set service "ANY"
        next
        edit 3
            set srcintf "port1"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "Server1"
            set action accept
            set schedule "always"
            set service "ANY"
        next
    end

Note: In my case I completed the configuration above but users still could not reach the external service via the VIP.
         After reviewing my network topology: all internal routing is done on the core switch, so the FortiGate does not know which subnets exist internally. I had to add a policy route on the FortiGate so that a packet arriving on Port1 and destined for another internal subnet is forwarded back out Port1 (to the core switch) for routing. After that, everything worked like a charm.
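The policy route described in the note, as an added example that is not from the original post. The internal range 172.18.0.0/16 and the core-switch address 172.18.0.254 are assumed placeholders, and the exact `set src`/`set dst` syntax differs between FortiOS versions:

```fortios
# Added example, not from the original post. Assumed values:
#   172.18.0.0/16   = the internal subnets routed by the core switch
#   172.18.0.254    = the core switch's address on the port1 segment
# The VIP is applied before routing, so a client packet sent to 67.2.22.22
# already has destination 172.18.10.1 when this policy route is evaluated.
config router policy
    edit 1
        set input-device "port1"
        set src "172.18.0.0/255.255.0.0"
        set dst "172.18.0.0/255.255.0.0"
        set gateway 172.18.0.254
        set output-device "port1"
    next
end
```

Check the result with a sniffer or the session table: the hairpinned session should show port1 as both the inbound and outbound interface. If the server's replies to the client can bypass the FortiGate, also enable NAT on the port1-to-port1 policy so both directions of the session traverse the firewall.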

Case 2: Users and the server are on different FortiGate ports.

Solution (Case 2):
Firewall VIP
    When configuring the VIP, the external interface must be set to "any".
    config firewall vip
        edit "Server1"
            set extip 67.2.22.22
            set extintf "any"               <<< Specifying "any" is a requirement
            set mappedip 172.18.10.1
        next
        edit "Server2"
            set extip 67.2.22.23
            set extintf "any"               <<< Specifying "any" is a requirement
            set mappedip 172.18.50.1
        next
    end

Firewall Policy
    1. Allow "WAN to Port1", "WAN to Port3", "Port1 to Port1" and "Port1 to Port3".
    config firewall policy
        edit 4
            set srcintf "WAN"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "Server1"
            set action accept
            set schedule "always"
            set service "ANY"
        next
        edit 3
            set srcintf "port1"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "Server1"
            set action accept
            set schedule "always"
            set service "ANY"
        next
        edit 5
            set srcintf "WAN"
            set dstintf "port3"
            set srcaddr "all"
            set dstaddr "Server2"
            set action accept
            set schedule "always"
            set service "ANY"
        next
        edit 6
            set srcintf "port1"
            set dstintf "port3"
            set srcaddr "all"
            set dstaddr "Server2"
            set action accept
            set schedule "always"
            set service "ANY"
        next
    end

Reference (Fortigate KB):
Technical Note : How internal users can access internal resources via an external VIP (public IP address)