Loading ...

Tech Blog

Setup Azure to Unifi USG IPSec VPN

Had another tech firm that needed some Tier 3 assistance as they were having trouble with their VPN connection. I helped them setup Azure to Unifi USG IPSec VPN to connect their headquarters to the hosted RemoteApps server. This tutorial will go into detail about the creation of this tunnel starting with the Microsoft Azure side first using Resource Manager. It will be using the following parameters:

  • VNet Name: TestNetwork
  • Address Space: 10.10.0.0/16
  • Subnets:
    • Primary: 10.10.10.0/24
    • GatewaySubnet: 10.10.0.0/24
  • Resource Group: TestResourceGroup
  • Location: West US
  • DNS Server: Azure Default
  • Gateway Name: TestVPNGateway
  • Public IP: TestVPNGatewayIP
  • VPN Type: Route-based
  • Connection Type: Site-to-site (IPsec)
  • Gateway Type: VPN
  • Local Network Gateway Name: TestSite
  • Local Subnet: 10.20.20.0/24
  • Connection Name: VPNtoTestSite

Configure an Azure VPN gateway

This part takes the longest, so it should be done first:

  • Click on the “+” icon at the top left hand side of the Resource Manager, then search for “Virtual Network Gateway” and click on the “Create” button.
    Azure Virtual Network Gateway
  • Give the Virtual Network Gateway a name
  • Select matching Region to where Azure resources are located
  • Leave Gateway & VPN type the defaults
  • Choose a SKU <- These have changed since the article was created, so my “standard” now is WpnGw1 with Active / Active turned off (this is a good balance of performance and cost)
  • Choose or create a local network (not covered here) that matches internal resources
  • Choose or create a Public IP Address
  • Leave the remaining values as their defaults and then click the “Create” button. (Please note the reminder that this takes 45 minutes to create!)
    Azure Virtual Network Gateway Setup

Configure an Azure Local Network Gateway

This is a reference to your on-premise network so that subnets can pass traffic:

  • Click on the “+” icon at the top left hand side of the Resource Manager, then search for “Local Network Gateway” and click on the “Create” button.
    Azure Local Network Gateway
  • Give the Local Network Gateway a name
  • Select matching Region to where Azure resources are located
  • Specify the external IP address of the local on-premise site
  • Specify the on-premise address space (subnet)
  • Leave the remaining values as their defaults and then click the “Create” button.
    Azure Local Network Gateway Setup

Configure an Azure VPN Connection

This will create the tunnel from Azure to the on-premise site:

  • Click on the “+” icon at the top left hand side of the Resource Manager, then search for “Connection” and click on the “Create” button.
    Azure VPN Connection
  • Choose “Site-to-site (IPSec)” as the connection type
  • Give the Connection a name
  • Select matching Region to where Azure resources are located
  • Leave the remaining values as their defaults and then click the “OK” button. On the summary screen click on the “OK” button to create the connection.
    Azure VPN Connection Setup #1
  • Choose the newly created Virtual Network Gateway
  • Choose the newly created Local Network Gateway
  • Specify a shared key
  • Leave the remaining values as their defaults and click the “Create” button.
    Azure VPN Connection Setup #2

This completes the setup of the Azure side of the VPN tunnel. Now to work on the Ubiquiti USG side.

Configuring an Ubiquiti USG VPN Network

This is a fairly simple process but it has to be precise:

  • Choose the Current Site from the top right hand side of the portal.
  • Click on the Settings gears down on the bottom left side of the portal.
  • Click on Networks then on the “Create New Network” button.
  • Give the connection a name, choose “Site-to-Site VPN” as the Purpose
  • Choose “IPSec VPN” as the VPN Type
  • Choose to Enable this Site-to-Site VPN
  • Add the Azure subnet under Remote Subnets
  • Get the newly created Virtual Network Gateway IP address from Azure for the Peer IP
  • Enter the on-premise external IP address for Local WAN IP
  • Enter the same shared key as used in the Azure VPN Connection for the Pre-Shared Key
  • Choose “Azure Dynamic Routing” as the IPSec Profile
  • Expand Advanced Options
  • Leave Key Exchange Version, Encryption, Hash & DH Group as default and uncheck the PFS & Dynamic Routing boxes.
    Ubiquiti USG VPN Connection Setup

That is all there is to it. If you have any difficulties with connection then delete and re-create the Ubiquiti USG side first (those two check boxes at the bottom of the Advanced Options will check themselves again, but don’t be fooled by this quirk in the software). If your company is currently using either Microsoft Azure or Ubiquiti USG routers and would like a VPN created, then contact us for assistance.

Using External Certificate for RemoteApps in .Local Domain

Recently did some Tier 3 support work for another technology company that was trying to setup a Windows Server 2016 RemoteApps server in Azure that would allow connectivity to remote users for their on-premise software. The process started with creating a VPN tunnel between on-premise and Azure, but that is a discussion for a future set of blog posts. Once this connection  was in place, the company tried to use an external certificate for RemoteApps setup on the server. This would have been fine if the internal domain had not been a “.local”  address scheme. This tutorial assumes that you have already installed Remote Desktop Services on a server and configured it to use the CA provided external certificate.

Change Remote Computer Name

One of the main sticking points that caused issues with security warnings for clients connecting is they would see the warning – “The remote computer could not be authenticated due to problems with its security certificate.” The fix for this has been graciously scripted in PowerShell by someone with the handle “TP” on Technet. The script is called Set-RDPublihedName.ps1 and is used as follows:

Set-RDPublishedName "remote.domain.com"

Proper Active Directory Group

There were then issues with the login process that caused the following error:

Remote Desktop can’t connect to the remote computer “<End Resource Name>” for one of these reasons:

1) Your user account is not authorized to access the RD Gateway “<RD Gateway Server Name>”
2) Your computer is not authorized to access the RD Gateway “<RD Gateway Server Name>”
3) You are using an incompatible authentication method (for example, the RD Gateway might be expecting a smart card but you provided a password)

This was coupled with Security Log messages – “The Network Policy Server was unable to connect to a domain controller in the domain where the account is located. Because of this, authentication and authorization for the RADIUS request could not be performed.” All this turned out to be the RD Gateway was not in the proper Active Directory Group, so added the server to the RAS and IAS Servers group.

Add URL to IIS

There was then an error about not being able to find the computer name, which turned out to be a setting in IIS. Looking under Sites > Default Web Site > RDWeb > Pages click on Application Settings and change the DefaultTSGateway to the URL of the CA external certificate for RemoteApps.

Fixing RS CAP & RAP

Last error that was received was the following:

Remote Desktop can’t connect to the remote computer “computername” for one of these reasons:

1) Your user account is not listed in the RD Gateway’s permission list
2) You might have specified the remote computer in NetBIOS format (for example, computer1), but the RD Gateway is expecting an FQDN or IP address format (for example computer1.fabrikam.com or 157.60.0.1).

This turned out to be related to the RD Client Access Policy (CAP) & Remote Access Policy (RAP) under the RD Gateway Manager tool and DNS. For RD CAP, make sure that Domain Users is listed, and that Client Computer Group membership is blank. FTor RD RAP, make sure that Domain Users is listed, and that it is set to allow connection to Any Network Resource (This allows remote access). For DNS, make sure it contains a Forward Lookup Zone that points to the URL of the CA external certificate for RemoteApps and has an A record for the internal IP address of the RD server.

If your company is currently moving some of your resources to the Azure cloud or wanting to properly setup your RemoteApps server, then contact us for assistance.

Cisco Meraki Ticking Time Bomb

A series of recent security bulletins from Cisco, on February 2nd, detail an issue that has been discovered in several of their devices. Here is a summation:

Cisco ASA Security Appliances

FN-64228 : ASA 5506, ASA 5506W, ASA 5506H, ASA 5508, and ASA 5516 – these models all use the same clock signal part from the same vendor which has been found to degrade over time. After 18 months of continued operation this component will fail and cause the device to stop functioning, no longer boot, and will not be recoverable.

“Customers with affected products that are under warranty or covered by any valid service contract as of November 16, 2016 should go to the Clock Signal Component Issue page and follow the instructions in order to request replacements.” These replacements will be prioritized based on time in operation.

Meraki Router & Wireless APs

Meraki Notification – MX 84 & MS350 Series – these models all use the same clock signal part from the same vendor which has been found to degrade over time. After 18 months of continued operation this component will fail and cause the device to stop functioning, no longer boot, and will not be recoverable.

Meraki will reach out to customers via email and on the dashboard to arrange replacement and the return of affected units.

If your company is currently using one of the affected devices and have not heard from your current IT services provider about the replacement schedule, then contact us for assistance.

Information Security while Traveling

The SANS Institute has been putting out the OUCH! newsletter for some time now in a project called Securing the Human. In the most recent Issue, they discuss some best practices and practical advice for traveling. Here are some highlights:

Minimize Possible Losses

Here are a few tips to protect information from the hazards of traveling and possible theft:

  • Remove any data that is not needed on the device
  • Use full disk encryption & strong passwords
  • Perform a complete backup before leaving
  • Install tracking software on the device
  • Update OSes and Antivirus

Lost/Stolen Devices

Although crime is more of a factor in some third world nations or those in active conflict, the human element of losing the device is 100x more likely. Keep inventory of your devices before, during and after transporting from one location to another. Do not leave your device in the hotel room, have the hotel front desk put it in their safe or locked administrative offices.

Public WiFi

If you have to connect to the internet in public spaces and/or cannot afford mobile data on your trip, then make sure to do the following:

  • Never use public computers for sensitive information, especially banking sites
  • When on public wifi, only surf to sites with HTTPS:// secure connections
  • Consider connecting to a VPN service to further encrypt communications

If your company is requires traveling or you are planning to remotely work while on vacation, then contact us for assistance. We would be happy to walk you through the full disk encryption process, update / secure your devices and configure a company VPN service to connect to on the go.

Oregon Cyber Task Force – Cyber Attack Mitigation

During a recent briefing from the FBI’s Oregon Cyber Task Force in Medford, OR they detailed best practices and industry standards for cyber attack mitigation. FBI special agents started with information and statistics about the most recent threats giving specifics of how the attacks were executed. Security Architect from the State of Oregon then outlined the specifics of how to mitigate these threats properly. Here is a summation:

Current Threat Landscape

Business Email Compromise (CEO Fraud): Involves cyber criminals posing as business executives at companies that regularly perform wire transfers. After compromising the executive’s email, the criminal requests employees to perform wire transfers to the criminal’s bank account. FBI Internet Crime Complaint Center (IC3) has reported over $3 billion of losses worldwide due to this threat.

Ransomware: Ransomware is a form of malware that targets weaknesses in networks to deny the availability of critical data by encrypting it and demanding a ransom for the encryption keys to decrypt the data. Ransomware is frequently delivered through spear phishing emails to end users.

Point of Sale (PoS) Malware: Cyber criminal steals payment card data by remotely infecting PoS systems with malware without the need to physically access the cards or the devices used to process them. This allows criminals to compromise PoS systems on a large scale with larger victim base.

Insider Threat: An insider is a current or former employee who has access to an organization’s network and intentionally misuses that access to negatively affect the company. IC3 has recorded business losses from insider threat to be between $5,000 to $3 million.

Internet Extortion: Victims are threatened by cyber criminal with Distributed Denial of Service (DDoS) attack that will make access to their e-commerce site severely degraded or impossible if they victim does not pay to appease them. These can be real or fake with price tags in the neighborhood of 50 bitcoin or about $30,000.

Cyber Attack Mitigation

Here is a list of items that will need to be addressed to comprise a complete mitigation plan:

  • Create company policy in regards to how wire transfers are handled that require verbal or in-person authorization from multiple company executives
  • Create company policy restricting details that can be shared  about job duties and company hierarchy on social media
  • Review National Institute of Standards and Technology (NIST) Cybersecurity Framework and  adopt risk management processes
  • Create, implement and keep up-to-date an incident response plan
  • Create company policy and implement lawful network monitoring
  • Have proactive relationships with law enforcement agencies – silence is letting cyber criminals win

Practical Security Best Practices

  • Network Segmentation – keep the guest wireless separate from the local network, keep payment processing in its own network and keep web servers in the Demilitarized Zone (DMZ) of the network.
  • Use firewall access rules, Active Directory Group Policy and physical security measures to limit unsecure access to every segment of your network.
  • Restrict usage of administrator level access by creating alternative accounts for these purposes that are not used for local login. Keep these accounts monitored.
  • Implement automated patching and managed virus scanning on all systems. Remove any unsupported / non-updateable software or sytems on the network.
  • Restrict remote access to the network to specific users and use only secure protocols like RDP through VPN
  • Conduct periodic testing of all security measures to identify weakness or failing procedures and adjust systems accordingly

Advanced Mitigation Processes

  • Use multi-factor authentication wherever possible
  • Establish baseline of applications used then implement application whitelisting
  • Standardize encryption for data both at-rest and in-transit
  • Conduct perimeter filtering via Intrusion Detection System (IDS)
  • Regularly backup system logs in a segregated portion of the network to prevent tampering

If your company is going to use full disk encryption or has compliance requirements that you need consulting for, then contact us for assistance.

ADPREP Windows 2008 R2 Server into 2003 Domain

After finishing the migration of a client to their new cloud-based Line of Business SaaS application, it was time to finally get rid of the last Windows 2003 Small Business Server that we manage. The client had a Windows Server 2008 R2 Standard server that used to be the database server for the on-premise application which was being re-purposed as the new Primary Domain Controller (PDC) for the domain. After installing the Active Directory Domain Services (ADDS) role on the new server, I went to run DCPROMO on the new server and found that it asked me to run ADPREP /FORESTPREP on the domain. Took me a little bit of searching to find the Windows 2003 Server media and ran the command successfully, but this did not do the trick – turns out I needed the Windows 2008 R2 Server media and run the ADPREP32 command several times to complete the domain preparation for the new server to be DCPROMO successfully. Extracted the support directory from the media ISO to a folder on the root of the old Windows 2003 Small Business Server and then ran the following commands in order:

ADPREP32 /FORESTPREP

This one took a long time as the server was going from Schema 31 to Schema 47.

ADPREP32 /DOMAINPREP

This one stated that I needed to run the next command, so I did.

ADPREP32 /DOMAINPREP /GPPREP

The command actually stated that the update was already applied. So went back to the Windows 2008 R2 Standard server and ran DCPROMO again which told me that I needed to run one more command.

ADPREP32 /RODCPREP

Ran this one even though I had no plans of having a Read-Only Domain Controller (RODC) in the domain. After all these commands the new server was able to be DCPROMO into the domain controller role. Now all that is left is FSMO roles, DNS, DHCP, printers and file shares.

If your company is going to use full disk encryption or has compliance requirements that you need consulting for, then contact us for assistance.

Full Disk Encryption – Bitlocker vs. TrueCrypt

Recently had a financial planning firm contact me with their new compliance regulations which included full disk encryption on all workstations that accessed client data and on all thumb drives used. This led me on a search to find the best solution for their systems which boiled down to essentially two solutions – Bitlocker or TrueCrypt / VeraCrypt.

Full Disk Encryption w/ Bitlocker

This feature is built into the professional versions of Windows OS from version 7 and beyond. It is simple to use and can be implemented from the Properties on local drives. It works with the modern GUID partition table (GPT) and Unified Extensible Firmware Interface (UEFI) as well as the older MBR / BIOS model. It works best with a Trusted Platform Module chip but can also be setup to use an external USB device as the encryption key repository. There is also a “Bitlocker To Go” setup for thumb drives that will work easily on other Windows based devices.

Full Disk Encryption w/ TrueCrypt

TrueCrypt, and the more recent “fork” of the software VeraCrypt, are based on the same open source code and are compatible with all recent versions of Windows OS. These software packages are not for the faint of heart as they require following detailed instructions on their usage through a multi-stage process to perform the drive encryption. My testing has revealed that they do not work well with modern GPT or UEFI and instead the Master Boot Record (MBR) and Basic Input/Output System (BIOS) systems would have to have been implemented from the initial setup of the workstation to function properly. There is currently no support for TPM, so remember your password or else say goodbye to your data. There is the ability to create a portable drive via these software packages, but the process is not something an end-user could easily do themselves.

Based on the limitations of TrueCrypt and the steep learning curve. It will be my recommendation to use the more simple and up-to-date Bitlocker technology to protect their firm – even if the encryption algorithms available in the other software provide deeper security. If your company is going to use full disk encryption or has compliance requirements that you need consulting for, then contact us for assistance.

Google Apps Migration for Microsoft Outlook

Had a small client recently that wanted to move from standard hosted email service (via WHM / cPanel based server) to Google Apps. In doing the Google Apps migration I found that they had a mix of POP3 and IMAP configured throughout the organization, so using the G Suite Migration for Microsoft® Exchange like I would for larger migrations that are based in IMAP only was out of the question. I found the Google Apps Migration for Microsoft Outlook® which was better suited for doing the job in this small mixed environment.

Google Apps Migration for Microsoft Outlook

If your company is going to use G Suite aka Google Apps migration needs to be performed, then contact us for assistance.

Cable Certification Importance

Reading through a whitepaper from an industry leader in structured cable certification and realized the importance and cost savings that comes from the certification process. Here is a summation of their findings:

Cable Certification Less Expensive Than Downtime

Running the numbers against enterprise sized environments showed that for an average cost of $750 worth of cable certification and repair the business was able to insure themselves against $67,000 of downtime. Consider how much each hour of downtime is worth to your organization then think about how much even 8 hours of downtime per year will cost you – that is the difference between 99.9% and 99.99% uptime.

Product Warranties Don’t Cover Workmanship

Even if you have product warranties from the manufactures of your network equipment and cable there is no guarantee as to the quality of the installation without cable certification.

Certification & Re-certification

The idea here is to future proof your business by making sure that cabling exceeds the current standards. This often can lead to extended return on investment (ROI) when newer technology standards are introduced and the current cabling can go through cable certification again to prove that it meets those standards. For example many Cat6 installations that originally were thought to be running at 1Gbps have been proven to run at 10Gbps over short distances thereby saving the company money and expanding their network bandwidth.

Cable Certification Saves Money

Landlords are mentioned here as a direct beneficiary of the cost savings inherent in cable certification. The costs of certifying a building full of cable prior to new tenants moving in is minimal in comparison with the cost of running all new wires – often only 5-10% of the cost.

Reducing Waste

Instead of demolishing current cable infrastructure to comply with National Electric Code standards of removing abandoned cabling, why not have the cable certification done to mark it for future use? It saves money and the environment

Unscrupulous Installers

No-name copper vendors are putting out so-called Cat5 or Cat6 cables that are manufacture outside the country with inferior goods and facilities. This is then used by unscrupulous installers to lower their overall costs whether or not they pass that savings on to the client. To avoid the use of these inferior cables make sure to only use vendors that supply cable certification for their work.

If your company is unsure about their current structured cable infrastructure or is looking to have new network cabling done, then contact us for assistance.

Missing Western Digital MyCloud Drive

Recently took over an account from another tech and was informed by the client that their Western Digital MyCloud drive was unreachable and they had not been able to access their files shared their with the computers in the office for some time. Since the MyCloud is just a simplified Network Attached Storage (NAS) device for the home / SMB market, I decided to go onsite and find out what was causing the issue.

How to find a missing MyCloud

I first investigated the shortcuts that were sitting on the desktop to figure out what was going wrong with the drive or if there were some bread crumbs as to where it was previously. Found one called Dashboard which pointed to an IP address on their current subnet that went nowhere – this was likely the former IP address of the device. Found a shortcut to the “Public” folder which pointed to an IP address that was on another subnet than theirs – this was likely from a setup before another network change and had not been removed since then. Found another shortcut to the “Public” folder which pointed to the same IP address on their current network  as the Dashboard shortcut, so this confirmed that this was the last known IP address.

Ran a network scan using my personal favorite, SoftPerfect Network Scanner, to discover what was on the current subnet and if the MyCloud was still functional at another IP address. Found that the IP address for the device had changed to another similar address, so figured that it was getting its IP address from DHCP and when the old address lease ran out it just grabbed another one from the router. Checked the router and found that indeed the DHCP table contained the IP address for the device, so added a DHCP reservation to the router for that devices MAC address mapping it to the old IP address to make the broken shortcuts work again. Tested opening the dashboard and “Public” folders successfully which thankfully still had all of their information intact.

The final thing to do was to correctly set permissions within the device for each of the users and corresponding user folders within the device to allow them to connect and “backup” their documents to the device like they were used to. Although I would not recommend using this type of device to any of my clients, it was good to get this company backup up and running successfully. If your company is using Western Digital MyCloud drive for shared file access or are considering adding file shares to your network, then contact us for assistance.

Archives

Categories

Plant a Seed @ 541-761-9549
233 Rogue River Hwy #873 Grants Pass, OR 97527
Mon-Fri: 9:00am-5:00pm
support@farmhousenetworking.com
© 2016-2024- Farmhouse Networking. All rights reserved
Terms and Conditions Privacy Policy

Evaluation Signup

[contact-form-7 id="452" title="Free Network Evaluation"]
And God will generously provide all you need. Then you will always have everything you need and plenty left over to share with others. As the Scriptures say,
“They share freely and give generously to the poor. Their good deeds will be remembered forever.”
For God is the one who provides seed for the farmer and then bread to eat. In the same way, he will provide and increase your resources and then produce a great harvest of generosity in you. - 2 Corinthians 9:8-10