Thursday, April 9, 2015

Windows -- How to enable LDAP over SSL on Windows 2012 or later

By default, a Windows domain controller serves LDAP without SSL encryption. If you need to enable SSL on the LDAP service (LDAPS), there are two options for deploying it.

Option 1:

You can install an Enterprise root CA on a domain controller; all DCs then accept LDAPS requests immediately. (Installing a CA on a DC is, however, not recommended by Microsoft.)

Option 2:

In most cases an Enterprise Root CA is already installed on a member server, and you can follow the instructions linked below to set it up.
LDAP over SSL (LDAPS) Certificate
Windows Server 2012 - Enable LDAPS

In my case I am using a Standalone CA, which has no "Certificate Templates" (they only exist on an Enterprise CA), so I cannot issue a new template that lets the DC enroll a certificate directly.

Here are my steps to submit a request to the Standalone CA, obtain the certificate and import it on the DC for LDAPS.
  1. Open IE and connect to the Standalone CA at https://standalone.ca/certsrv.
  2. Click Request a Certificate.
  3. Click Advanced certificate request.
  4. Click Create and submit a request to this CA.
  5. Provide the identifying information as required.
  6. In the Name box, type the fully qualified domain name of the domain controller.
  7. In the Type of Certificate Needed list, click Server Authentication Certificate.
  8. Under Key Options, set the following options:
    • Create a new key set
    • CSP: Microsoft RSA SChannel Cryptographic Provider
    • Key Usage: Exchange
    • Key Size: 1024 - 16384
    • Automatic key container name
    • Mark keys as exportable
  9. Under Advanced Options, set the request format to CMC.
  10. In the Attributes box, type the desired SAN attributes. SAN attributes take the following form:
    san:dns=dns.name[&dns=dns.name]
    Multiple DNS names are separated by an ampersand (&). For example, if the name of the domain controller is corpdc1.fabrikam.com and the alias is ldap.fabrikam.com, both names must be included in the SAN attributes. The resulting attribute string is displayed as follows:
    san:dns=corpdc1.fabrikam.com&dns=ldap.fabrikam.com
  11. Click Submit.
  12. If the CA is not configured to issue certificates automatically, a Certificate Pending webpage is displayed asking you to wait for an administrator to issue the requested certificate.

    To retrieve a certificate that an administrator has issued, connect to http://standalone.ca/certsrv, and then click Check on a Pending Certificate. Click the requested certificate, and then click Next.

    If the certificate was issued, the Certificate Issued webpage is displayed. Click Install this Certificate to install the certificate.
  13. Open an MMC console, add the Certificates snap-in for "My user account" and click OK.
  14. Under Personal -> Certificates, double-click the certificate installed in step 12.
  15. On the Details tab, click "Copy to File..." to start the Certificate Export Wizard.
  16. Select "Yes, export the private key" and click Next.
  17. Type in a password and click Next.
  18. Give the exported key a file name and select a location to store the file.
  19. Open MMC again, add the Certificates snap-in for "Service account", select "Local Computer", select "Active Directory Domain Services" and click OK.
  20. Right-click NTDS\Personal, then "All Tasks", "Import".
  21. Browse to the file stored in step 18 and type in the password set in the same step.
  22. After the certificate is imported, you can start using LDAPS.
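As an added example (not part of the original post), a small Python script that builds and parses the step-10 SAN attribute string and, once the certificate is imported, connects to the DC on port 636 to confirm that the served certificate's SAN covers the DC FQDN and its alias. The host names are the post's fabrikam.com examples and must be replaced with your own, and the live check assumes the Standalone CA's root certificate is in the client's trust store.

```python
import socket
import ssl
from urllib.parse import parse_qsl

# Constructed values from the post's step-10 example; replace with your own names.
DC_FQDN = "corpdc1.fabrikam.com"
DC_ALIAS = "ldap.fabrikam.com"
LDAPS_PORT = 636


def build_san_attribute(names):
    """Step-10 certsrv Attributes string (san:dns=a&dns=b); trimmed, lower-cased, de-duplicated."""
    seen = []
    for name in names:
        name = name.strip().lower()
        if name and name not in seen:
            seen.append(name)
    if not seen:
        raise ValueError("at least one DNS name is required")
    return "san:" + "&".join(f"dns={n}" for n in seen)


def parse_san_attribute(attr):
    """Inverse of build_san_attribute: the DNS names in an attribute string."""
    if not attr.startswith("san:"):
        raise ValueError("attribute must start with 'san:'")
    return [v.lower() for k, v in parse_qsl(attr[4:], strict_parsing=True) if k == "dns"]


def san_covers(cert_dns_names, required):
    """True when every required name is in the certificate's SAN dNSName list
    (case-insensitive; a wildcard such as *.fabrikam.com covers exactly one label)."""
    sans = {s.lower() for s in cert_dns_names}
    for name in required:
        name = name.lower()
        parent = name.partition(".")[2]
        if name not in sans and not (parent and f"*.{parent}" in sans):
            return False
    return True


def check_ldaps(host=DC_FQDN, port=LDAPS_PORT, required=(DC_FQDN, DC_ALIAS)):
    """TLS-connect to host:port, validating the chain against the OS trust store, and
    verify the served certificate's SAN covers `required`; returns the SAN names or raises."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not san_covers(sans, required):
        raise ValueError(f"certificate SAN {sans} does not cover {list(required)}")
    return sans
```

Run `check_ldaps()` from an interpreter on a domain-joined client after step 22; an ssl.SSLError means the chain is not trusted or the handshake failed, a ValueError means the SAN list omits a required name.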
Wednesday, March 25, 2015

Windows -- How to decrypt EFS-encrypted files stored on a domain PC

Description

====================
  We have a PC that was used by an employee who left the company a long time ago. One day we needed to get some files from this PC and found that all of them were encrypted with Windows EFS. Decrypting them requires the user's account, which we no longer have because it was deleted long ago.

Solution

====================
Fortunately this is a domain PC, so I can use the domain Administrator's certificate to decrypt the files.

1. Log in to the domain controller with domain administrator privileges and export the Administrator certificate together with its private key.

2. Log in to the PC with the local administrator account.

3. Change the owner of the files to the local administrator.

4. Grant the local Administrator full access to the files.

5. Double-click the exported certificate and follow the wizard to import it as a Personal certificate.

6. Right-click the file and decrypt the files you need.


Juniper -- How to set up a Dialup VPN on the Juniper SSG 5 (Policy Based)

In this post I'll go through the process of setting up a policy-based IPSec VPN on a Juniper SSG5 for dialup clients that use the NetScreen-Remote client software.

1. Create IP Pool for dialup client.
    Objects => IP Pools => New

2. Create IKE User account.
    Objects => Users => Local => New

3. Create IKE Group and add IKE user as member.
    Objects => Users => Local Groups => New

4. Create Xauth user account for dialup user authentication.
    Objects => Users => Local => New

You can configure different IP Pools for dialup users by configuring L2TP/Xauth Remote Settings with a different IP Pool profile per user. Alternatively, all users can share the same IP Pool by setting it under VPNs => AutoKey Advanced => Xauth Settings.

5. Create Xauth Group and add Xauth user account as member.
    Objects => Users => Local Groups => New

6. Create VPN Gateway.
    VPNs => AutoKey Advanced => Gateway => New

Select the IKE group as the Dialup User Group and click Advanced for the detailed configuration.

7. On the Advanced page, configure the Phase 1 authentication and encryption method.
    Click OK to finish the configuration.

Enable NAT-Traversal if there is a NAT device between the server and the client. You can also enable DPD (Dead Peer Detection) to monitor the VPN connection status.

8. Click

Fortigate -- How to allow internal users access to VIP (Public IP address)

Description

====================
Users need to access our external service, which is hosted internally and published to the Internet via a VIP (Virtual IP).

Issue

====================
Users can reach the service by its internal IP address, but cannot reach the external IP address while they are in the office on the internal network.

Cases

====================

Case 1: Users and the service are on the same FortiGate port.


Solution (Case 1):
Firewall VIP
    When configuring the VIP, the external interface must be set to "any".
    config firewall vip
        edit "Server1"
            set extip 67.2.22.22
            set extintf "any"               <<< Specifying "any" is a requirement
            set mappedip 172.18.10.1
        next
    end

Firewall Policy
    1. Allow WAN to Port1 and Port1 to Port1.
    config firewall policy
        edit 4
            set srcintf "WAN"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "Server1"
            set action accept
            set schedule "always"
            set service "ANY"
        next
        edit 3
            set srcintf "port1"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "Server1"
            set action accept
            set schedule "always"
            set service "ANY"
        next
    end

Note: In my case I completed the configuration above, but users still could not reach the external service via the VIP.
         After reviewing my network topology: all internal routing is done on the core switch, so the FortiGate does not know which subnets exist internally. I had to add a policy route on the FortiGate so that a packet arriving on Port1 and destined for another internal subnet is forwarded back out Port1 for routing. After that, everything worked like a charm.


Case 2: Users and the services are on different FortiGate ports.


Solution (Case 2):
Firewall VIP
    When configuring the VIPs, the external interface must be set to "any".
    config firewall vip
        edit "Server1"
            set extip 67.2.22.22
            set extintf "any"               <<< Specifying "any" is a requirement
            set mappedip 172.18.10.1
        next
        edit "Server2"
            set extip 67.2.22.23
            set extintf "any"               <<< Specifying "any" is a requirement
            set mappedip 172.18.50.1
        next
    end

Firewall Policy
    1. Allow "WAN to Port1", "WAN to Port3", "Port1 to Port1" and "Port1 to Port3".
    config firewall policy
        edit 4
            set srcintf "WAN"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "Server1"
            set action accept
            set schedule "always"
            set service "ANY"
        next
        edit 3
            set srcintf "port1"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "Server1"
            set action accept
            set schedule "always"
            set service "ANY"
        next
        edit 5
            set srcintf "WAN"
            set dstintf "port3"
            set srcaddr "all"
            set dstaddr "Server2"
            set action accept
            set schedule "always"
            set service "ANY"
        next
        edit 6
            set srcintf "port1"
            set dstintf "port3"
            set srcaddr "all"
            set dstaddr "Server2"
            set action accept
            set schedule "always"
            set service "ANY"
        next
    end


Reference Fortigate KB:
Technical Note : How internal users can access internal resources via an external VIP (public IP address)

Thursday, November 13, 2014

Outline-Logstash

Introducing Logstash

Input Mechanisms

  • TCP/UDP
  • Files
  • Syslog
  • Microsoft Windows Eventlog
  • STDIN (Standard Input)
  • other

Output Mechanisms

  • TCP/UDP
  • Email
  • Files
  • HTTP
  • Nagios

Design and architecture

  • Message-based architecture
  • A single agent performs different functions

Four components

  • Shipper: Sends events to Logstash.
  • Broker and Indexer: Receives and indexes the events.
  • Search and Storage: Search and store events.
  • Web interface: web-based interface to Logstash called Kibana

The four components can run independently.

Structure

Logstash Resources