Category Archives: Networking

Networking Stuff!

[How-To] Upgrade the firmware on a Dell PowerConnect N2000/3000 series switch

  1. Download the latest firmware from Dell’s website
    1. Navigate to http://www.dell.com/support/ and enter in your service tag.  You should see downloads for this product, grab the latest firmware that is in a zipped folder.
  2. Extract the .zip folder of the firmware
    N2000 Firmware
  3. Console into the switch via SSH or direct console
  4. Copy the current configuration to startup
    1. console#> copy running-config startup-config
      N2000-3000 - copy running-config startup-config
  5. Transfer the firmware to the switch
    1. TFTP Method
      1. console#> tftp://N3000_2000v6.1.2.4.stk backup
    2. USB Method (Directly attached to switch)
      1. console#> usb://N3000_2000v6.1.2.4.stk backup
        N2000-3000 - usb transfer - backup
  6. Verify the backup version is the new build
    1. console#> show version
      N2000-3000 - backup - version
  7. Activate the new firmware
    1. console#> boot system backup
      N2000-3000 - backup - boot system backup
  8. Reboot the switch
    1. console#> reload
      N2000-3000 - update bootcode - reload
  9. Verify the build is now up-to-date
    1. console#> show version
      N2000-3000 - show version - active - 6_1_2_4
  10. Update the boot code
    1. console#> update bootcode
      N2000-3000 - show version - active - 6_1_2_4 - update bootcode
  11. Reboot the switch
    1. console#> reload
      N2000-3000 - update bootcode - reload

That should do it!

[Tutorial] Upgrading the firmware on a Cisco 5508 Wireless LAN Controller

This guide will show you what steps are needed to get your Cisco 5508 Wireless LAN Controller to the latest and greatest state.

  1. Download and install a TFTP Server program
    1. TFTPD is the recommend program to be used by Cisco.  It is a free and can be obtained from here: http://tftpd32.jounin.net/tftpd32_download.html
  2. Ensure your TFTP server instance is running and pointed to a directory of your choice.
    In this tutorial, I will be using C:\TFTP-Root as my directory for hosting firmware.
    Tftpd32
  3. Ensure you have an inbound firewall created to allow incoming connections to your machine on UDP port 69 if you will be using the TFTP option.
    UDP 69 - TFTP - Windows Firewall with Advanced Security
  4. Copy the firmware you want to transfer to the WLC to the TFTP server’s directory
    TFTP-Server Firmware Directory
  5. Login to your Cisco WLC and select the Commands tab
    Cisco WLC 5508 - Commands Tab
  6. Ensure the following settings are entered and then click the Download button
    1. File Type: Code
      Transfer Mode: TFTP
      IP Address: xxx.xxx.xxx.xxx (IP Address to your machine)
      File Path: / (Use a relative file path; for example, if your firmware was located at c:\tftp-server\cisco5508\AIR-CT5500-K9-7-6-110-0.aes, use /cisco5508/)
      File Name: AIR-CT5500-K9-7-6-110-0.aes (or whatever your firmware is called)
      TFTP File transfer is successful
  7. Click OK when prompted to transfer the firmware
    Please confirm that you want to initiated the Code download process
  8. Once the firmware has finished updating, click on the Click Here link to reboot the WLC.
    TFTP File transfer is successful
  9. On the System Reboot page, hit the Save and Reboot button.
    Cisco WLC 5508 - Commands - Save and Reboot
  10. Click OK on the Configuration will be saved and the controller will be rebooted prompt.
    Configuration will be saved and the controller will be rebooted - Click ok to confirm
  11. Once the wireless LAN controller reboots, you should now be on the firmware version you provided.  You can verify on the Monitor page.
    Latest WLC firmware with outdated FUS
  12. At this point, you can can be done with your upgrade, however, it is highly recommended you also upgrade to the latest (or compatibile), version of the Field Upgrade Software (FUS) in additional to the WLC firmware (provided Cisco has a new version). The same steps to upgrade the FUS are of steps 6-10.
    1. Additional note, the FUS takes a considerable amount of time to upgrade the WLC.  It is normal for the FUS to take 30-50 minutes to upgrade after applying the firmware.  If you are not busy or intersted, you can watch the FUS upgrade various components if you console into the WLC during boot to keep an eye on things.
  13. Once the WLC and FUS firmware versions have been upgraded to their compatbile versions, you should be good to go! 🙂

Pushing firmware through CLI

If you wish to push the firmware manually via TFTP or FTP, you can use the following commands below (order doesn’t matter as long as transfer download start is entered last).  The process is the same for uploading the firmware to the WLC, you only need to swap out the filename for either the FUS firmware or WLC firmware.

(Cisco Controller) > transfer download datatype code
(Cisco Controller) > transfer download mode tftp (can use ftp as well)
(Cisco Controller) > transfer download username user (only needed if using ftp)
(Cisco Controller) > transfer download password password (only needed if using ftp)
(Cisco Controller) > transfer download filename AIR-CT5500-K9-1-9-0-0-FUS.aes
(Cisco Controller) > transfer download path /
(Cisco Controller) > 
transfer download start


As of 4/14/2014, here are the latest firmware versions:

Release 1.9.0.0 for the Field Upgrade Software

Release 7.6.110.0ED for the Wireless LAN Controller


Notes: While upgrading our WLC from stock firmware, I received a strange error stating % Error: Code file transfer failed – Error while writing output file.  Please see my other blog post in regards to upgrading really old firmware on this device to the latest version: http://jackstromberg.com/2014/04/cisco-wlc-firmware-upgrade-error-code-file-transfer-failed-error-while-writing-output-file/

Cisco WLC Firmware Upgrade – % Error: Code file transfer failed – Error while writing output file

Symptom: When trying to upgrade your 5508 Wireless LAN Controller from an older firmware version (6.0.199.4 in my case), you receive the following error:

% Error: Code file transfer failed – Error while writing output fileError Code file transfer failed - Error while writing output file

Solution: When upgrading the firmware on the 5508, greater versions need to be applied incrementally.  Stock 5508 WLCs appear to be shipping with Software Version 6.0.199.4, the following firmware versions should be applied to reach the latest and greatest versions.

I applied the following upgrades to reach higher versions:

6.0.x  to 7.2.x ED

7.2.x ED to 7.x

Upgrading Network Policy Server from Server 2008 R2 to Server 2012 R2

Synopsis: This tutorial will cover a basic “upgrade” path to go from Server 2008 R2 to Server 2012 R2.  This tutorial assumes you have a single Network Policy Server and you are wishing to reuse the same machine name, IP, and settings.  In environments needing high availability, you will need to complete each of the steps below, adding/removing each server being upgraded from your network load balancer.

In a standalone instance, you will experience some downtime as you will have to retire the old machine and setup a new one.

Tutorial

  1. Login to your Server 2008 R2 NPS server
  2. Open up a command prompt with Administrative Privileges
  3. Execute the following command
    1. netsh nps export filename=”c:\users\YOURUSERNAME\Desktop\NPS.xml” exportPSK=YES
      netsh nps export
  4. Copy the NPS.xml file to your local machine
  5. Disjoin the NPS server from the domain
  6. Retire the machine
  7. Recreate a new Server 2012 R2 machine with the same name and IP address
  8. Join the Server 2012 R2 machine to the domain
  9. Open up Server Manager and select Add Roles and Features
    Server 2012 - Manage - Add Roles and Features
  10. Click Next > on the Before You Begin screen
    Add Roles and Features Wizard - Before you begin
  11. Click Next > on the Installation Type screen
    Add Roles and Features Wizard - Select installation type
  12. Click Next > on the Server Selection screen
    Add Roles and Features Wizard - Select destination server
  13. Check Network Policy and Access Services (click Add Features when the screen pops up)
    Add Roles and Features Wizard - Network Policy and Access Services
    Add Roles and Features Wizard - Server Roles - Network Policy and Access Services
  14. Click Next > on the Features screen
    Add Roles and Features Wizard - Default - Network Policy and Access Services
  15. Click Next > on the Network Policy and Access Services screen
    Add Roles and Features Wizard - Network Policy and Access Services Welcome
  16. Check Network Policy Server and click Next >
    Add Roles and Features Wizard - Role Services - Network Policy Server
  17. Click Install
    Add Roles and Features Wizard - Network Policy and Access Services - Confirmation
  18. Click Close once the installation has successfully completed
    Add Roles and Features Wizard - Network Policy and Access Services - Results
  19. Copy over your XML file from the old NPS server to your new Server 2012 R2 NPS server.
  20. Open up an administrative powershell prompt
    Server 2012 - PowerShell - Run as Administrator
  21. Execute the following command
    1. Import-NpsConfiguration -Path c:\users\YOURUSERNAME\Desktop\NPS.xml
      Server 2012 R2 - Powershell - Import-npsconfiguration
  22. Head over to Server Manager and select Tools -> Network Policy Server
    Server Manager - Tools - Network Policy Server
  23. Verify the rules imported (I selected RADIUS Clients and Servers -> RADIUS Clients to see if it imported my WLAN controller)
    Network Policy Server - RADIUS Clients
  24. Connect your machine to your wireless network! 🙂

[Tutorial] Configuring Direct Access on Server 2012 R2

This tutorial will cover deployment of Windows Server 2012 R2’s latest version of DirectAccess.  While there are multiple ways to configure Direct Access, I tried to pull together what I believe are the best/recommended practices and what I believe would be a common deployment between organizations.  If you have any thoughts/feedback on how to improve this deployment, please leave a comment below.

Before beginning, if you are curious what DirectAccess is, here is a brief overview of what it is and what it will allow us to accomplish.

DirectAccess, also known as Unified Remote Access, is a VPN-like technology that provides intranet connectivity to client computers when they are connected to the Internet. Unlike many traditional VPN connections, which must be initiated and terminated by explicit user action, DirectAccess connections are designed to connect automatically as soon as the computer connects to the Internet. DirectAccess was introduced in Windows Server 2008 R2, providing this service to Windows 7 and Windows 8 “Enterprise” edition clients.
http://en.wikipedia.org/wiki/DirectAccess

Prerequisites

  • Domain Admin rights to complete the tutorial below
  • Windows Server 2012 R2 machine
    • Two network cards – One in your internal network, the other in your DMZ
    • Joined to your domain
    • Latest Windows Updates
      (seriously, apply these, there are updates released specifically for DirectAccess)
  • DMZ
  • PKI Setup (Public Key Infrastructure to issue self-signed certificates)
    • Custom template setup for issuing servers with an intended purpose of Server Authentication
    • Certificate auto-enrollment has been configured
  • Active Directory Security Group designated with Computer Objects allowed to use DirectAccess
  1. Login to your Server 2012 R2 server we will be using for installing the Direct Access
  2. Ensure all windows updates have been applied.
    Latest Windows Updates
  3. Open up Server Manager
    Server 2012 R2 - Server Manager
  4. Select Manage -> Add Roles and Features
    Server 2012 - Manage - Add Roles and Features
  5. Click Next > on the Before you Begin step
    Add Roles and Features Wizard - Before you begin
  6. Ensure Role-based or feature-based installation is checked and click Next >
    Add Roles and Features Wizard - Select installation type
  7. Select Next > on the Select destination server step
    Add Roles and Features Wizard - Select destination server
  8. Check Remote Access and click Next >Add Roles and Features Wizard - Server Roles - Remote Access
  9. Click Next > on the Select Features step
    Add Roles and Features Wizard - Server Roles - Features
  10. Click Next > on the Remote Access step
    Add Roles and Features Wizard - Remote Access
  11. Check DirectAccess and VPN (RAS)
    Add Roles and Features Wizard - Remote Access
  12. Click the Add Features button on the dialog box that prompts
    Add Roles and Features Wizard - Remote Access - Add Features
  13. Check DirectAccess and VPN (RAS) and then click Next >
    Add Roles and Features Wizard - Remote Access - Select role services
  14. Click Next > on the Web Server Role (IIS) page
    Add Roles and Features Wizard - Web Server Roll IIS
  15. Click Next > on the Role Services page
    Add Roles and Features Wizard - Web Server Roll IIS - Roll Services
  16. Check the Restart the destination server automatically if required checkbox and click Yes on the dialog box.
    Add Roles and Features Wizard - Confirm installation selections
    Add Roles and Features Wizard - Restart is required dialog
  17. Click Install
    Add Roles and Features Wizard - Confirm installation selections - Restart the destination server automatically if required
  18. Click Close when the install has completed
    Add Roles and Features Wizard - Results
  19. Back in Server Manager, click on Tools -> Remote Access Management (You can ignore the warning icon, the Open the Getting Started Wizard will only do a quick setup of DirectAccess.  We want to do a full deployment).
    Server Manager - Tools - Remote Access Management
    Here is what the quick deployment looks like.  Don’t click on this. Server Manager - Post-Deployment Configuration - DirectAccess
  20. On the Remote Access Management Console, click on DirectAccess and VPN on the top left and then click on the Run the Remote Access Setup Wizard.
    Remote Access Management Console - DirectAccess and VPN
  21. On the Configure Remote Access window, select Deploy DirectAccess only
    Configure Remote Access - Deploy DirectAccess Only
  22. Click on the Configure… button for Step 1: Remote Clients
    Remote Access Management Console - DirectAccess and VPN - Step 1 Remote Clients
  23. Select Deploy full DirectAccess for client access and remote management and click Next >
  24. Remote Access Setup - Deploy full DirectAccess for client access and remote managment
  25. Click on the Add… button
  26. Remote Access Setup - Select one or more security grups containing client computers that will be enabled for DirectAccess
  27. Select the security group inside of Active Directory that will contain computer objects allowed to use DirectAccess and click OK
    Remote-Access-Setup-Select-Groups
  28. Optionally, uncheck or check Enable DirectAccess for mobile computers only as well as Use force tunneling and click Next >
    1. If Enable DirectAccess for mobile computers is checked, WMI will query the machine to determine if it is a laptop/tablet.  If WMI determines the machine is not a “mobile device”, the group policy object will not be applied to those machines in the security group.  In short, if checked, DirectAccess will not be applied to computers that are desktops or VMs placed inside the security group.
    2. If Use force tunneling is checked, computers will always use the direct access server when remote.  For example, if the user surfs the web to a public website like jackstromberg.com, the traffic will go through the DirectAccess tunnel and back to the machine, rather than directly to the ISP.  Generally, this is used for strict compliance environments that want all network traffic to flow through a central gateway.
    3. Remote Access Setup - Select Groups - Next
  29. Double click on the Resource | Type row
    1. What this step is trying to do is find a resource on the internal network that the client can “ping” to ensure the DirectAccess client has successfully connected to the internal network.
      Remote Access Setup - Network Connectivity Assistant - Resource Type
  30. Select whether you want the client to verify it has connected to the internal network via a HTTP response or network ping, optionally click the validate button to test the connection, and then click Add
    1. You may want to add a couple resources for failover testing purposes, however it isn’t recommended to list every resource on your internal network.
      Remote Access Setup - Network Connectivity Assistant - Configure Corporate Resources for NCA
  31. Enter in your Helpdesk email address and DirectAccess connection name (this name will show up as the name of the connection a user would use), and check Allow DirectAccess clients to use local name resolution and click Finish.
    1. Based on what I could find, checking Allow DirectAccess clients to use local name resolution will allow the DirectAccess client to use the DNS server published by DHCP on the physical network they are connected to.  In the event the Network Location server is unavailable, the client would then use the local DNS server for name resolution; allowing the client to at least access some things via DNS.
      Remote Access Setup - Network Connectivity Assistant - Helpdesk email address - DirectAccess connection name
  32. Click on Configure… next to Step 2: Remote Access Server
    Remote Access Management Console - DirectAccess and VPN - Step 2 Remote Access Server
  33. On the Remote Access Server Setup page, select Behind an edge device (with two network adapters) and ensure you specify a public facing DNS record that DirectAccess will use to connect back to your environment, and then click Next >
    1. NOTE: By default, your domain’s FQDN will be used, so if you have a .local domain, you will want to switch this to your actual .com, .net, .org, .whatever.
    2. As an additional side note, hereis some information from the following KB article on what the differences are between each of the topologies.  From what I gather, using the dual NIC configuration is Microsoft’s best practice from a security standpoint.
      • Two adapters—With two network adapters, Remote Access can be configured with one network adapter connected directly to the Internet, and the other is connected to the internal network. Or alternatively the server is installed behind an edge device such as a firewall or a router. In this configuration one network adapter is connected to the perimeter network, the other is connected to the internal network.
      • Single network adapter—In this configuration the Remote Access server is installed behind an edge device such as a firewall or a router. The network adapter is connected to the internal network.

    Remote Access Server Setup - Network Topology

  34. On the Network Adapters step, select your External (DMZ) and Internal (LAN) adapters.Remote Access Server Setup - Network Adapters - External Internal
  35. Leave the Remote Access Setup screen open and right click on Start button and select Run
    Server 2012 - Run
  36.  Type mmc and select OK
    Server 2012 - Run - mmc
  37. Click File -> Add/Remove Snap-in…
    mmc - File - Add-Remove Snap-in
  38. Select Certificates and click Add >
    Add or Remote Snap-ins - Certificates
  39. Select Computer account and click Next >
    Certificates snap-in - Computer Account
  40. Ensure Local Computer is selected and click Finish
    Certificates snap-in - Select Computer
  41. Click OK on the Add or Remove Snap-ins machine
    Add or Remove Snap-ins - Certificates - Local Computer
  42. Expand Certificates (Local Computer) -> Personal -> Certificates, right click on Certificates and select Request New Certificate…
    Certificates - All Tasks - Request new certificate
  43. Click Next on the Before You Begin screen
    Certificate Enrollment - Before You Begin
  44. Click Next on the Select Certificate Enrollment Policy
    Certificate Enrollment - Select Certificate Enrollment Policy
  45. Select your template that will support server authentication and click More information is required to enroll for this certificate.  Click here to configure settings.
    Certificate Enrollment - Request Certificates

    1. Note: The WebServers enrollment policy is not something out of the box configured by Microsoft.  You will need to manually login to your certificate authority, duplicate the Web Servers template with the settings you wish, ensure your usergroup can Enroll for a certificate, and then publish it to AD.
  46. On the Subject tab, enter the following values (substituting in your company’s information):
    Common name: da.mydomain.com
    Country: US
    Locality: Honolulu
    Organization: My Company
    Organization Unit: Information Technology
    State: Hawaii
    Certificate Enrollment - Certificate Properties - Subject Tab
  47. On the Private Key tab, expand Key options and check Make private key exportable.  Click Apply when done.
    Certificate Enrollment - Certificate Properties - Private Key Tab
  48. Click Enroll.
    Certificate Enrollment - Request Certificates - Enroll
  49. Click Finish.
    Certificate Enrollment - Certificate Installation Results
  50. Go back to the Remote Access Setup screen and click Browse…
    Remote Access Server Setup - Network Adapters - External Internal
  51. Select your da.mydomain.com certificate we just created and click OK.
    Remote Access Setup - Select a certificate
  52. Click Next >
    Remote Access Setup - Network Adapters - External Internal Certificate
  53. Check Use computer certificates and check Use an intermediate certificate and then click Browse…
    Remote Access Setup - Authentication - Active Directory Credentials
  54. Select the certificate authority that will be issuing the client certificates and click click OK
    Remote Access Setup - Authentication - Select a certificate
  55. Optionally, you may enable Enable Windows 7 client computers to connect via DirectAccess as well as Enforce corporate compliance for DirectAccess clients with NAP.  Note: Configuring these two options are not covered in the scope of this tutorial.  Click Finish when done.
    Remote Access Setup - Authentication - Finish
  56. Click on Configure… next to Step 3: Infrastructure Servers
    Remote Access Management Console - DirectAccess and VPN - Step 3 Infrastructure Servers
  57. On the Remote Access Setup screen, check The network location server is deployed on a remote web server (recommended), type in the website address to the Network Location Server, and click Next >
    1. So for whatever reason, there aren’t many articles explaining what exactly the network location server is and how to set it up.  From what I gather, the Network Location Server is merely a server with a website running on it that the client can contact to ensure it has reached the internal network.  The webpage can be the default IIS webpage; just ensure the website is NOT accessible externally.
      Remote Access Setup - Network Location Server
  58. Specify any additional DNS servers you wish to use for name resolution, ensure Use local name resolution if the name does not exist in DNS or DNS servers are unreachable when the client computer is on a private network (recommended) is checked and click Next >
    Remote Access Setup - Infrastructure Server Setup - DNS
  59. Check Configure DirectAccess clients with DNS client suffix search list, ensure your local domain’s suffix has been added, and click Next >
    Remote Access Setup - DNS Suffix Search List
  60. Click Finish on the Management page.
    Remote Access Setup - Management
  61. Click the Configure…. button on Step 4: Application Servers
    Remote Access Management Console - Step 4 Application Servers
  62. Check Do not extend authentication to application servers and click Finish
    Remote Access Setup - Do not extend authentication to application servers
  63. Click Finish… on the Remote Access Management Console page
    Remote Access Management Console - Finish
  64. Click Apply on the Remote Access Review page
    Remote Access Review - Summary of Remote Access configuration settings
  65. Click Close once direct access has successfully finished deploying
    Apply Remote Access Setup Wizard Settings - The configuration was applied successfully
  66. Login to one of your Windows 8.X Enterprise machines that is inside of your DirectAccess Compuers security group and run a gpupdate from command line to pull down the latest group policy.
  67. At this point, you should now be able to login to your network via DirectAccess!

NOTES:

Here is a pretty good resource from Microsoft on helping plan your DirectAccess deployment.  Once you click on the link, in the bottom left corner, you will find two steps to some good KB articles: http://technet.microsoft.com/en-us/library/jj134262.aspx

Here is another article from Microsoft with a more indepth explanation about where to place the Network Location Server: http://technet.microsoft.com/en-us/library/ee382275(v=ws.10).aspx

Configuring DHCP Failover for Server 2012 R2

In this tutorial, we will implement one of Server 2012’s newest features, DHCP Failover.  Before Server 2012, DHCP failover was achieved through Windows Failover Cluster. Now, Server 2012 has native tools built into the DHCP role to support failover without the need to setup clustering services.  It is nice to note that DHCP failover is fully supported in all server editions of Windows Server 2012 (Foundation, Standard, Data Center), allowing everyone to provide this role in high availability.

Before beginning, this tutorial assumes the following prerequisites to this tutorial:

  • Two Server 2012 servers have been installed and joined to your domain as member servers
  • Both servers have installed the DHCP role
  • One of the servers has been configured with your desired DHCP scopes
  1. Login to your primary DHCP server that has been configured with the DHCP scopes
  2. Open up the DHCP program
    1. Launch Server Manager
      Server 2012 R2 - Server Manager
    2. Click Tools->DHCP
      Server Manager - Tools - DHCP
    3. Expand your DHCP server and right click on IPv4 and select Configure Failover…
      DHCP - IPv4 - Configure Failover
    4. On the Introduction to DHCP Failover page, click Next to allow failover of all DHCP scopes.
      Optionally, uncheck Select all and select the specific scopes you would like to allow to failover and then click Next.
      Configure Failover - Introduction to DHCP Failover
    5. Click on the Add Server button
      Configure Failover - Specify the partner server to use for failover - Add Server
    6. Check This authorized DHCP server, select the server you would like to use to allow failover, and then click OK
      Configure Failover - Specify the partner server to use for failover - Add Server - Authorized DHCP server
    7. Click Next
      Configure Failover - Specify the partner server to use for failover - Partner Server
    8. Enter in the settings you wish to use and then click Next.  I would recommend entering a Shared Secret and checking the State Switchover Interval to failover in the event a server fails unexpectedly.
      Notes:
      If you are failing over to another DHCP server on the same subnet, it is recommended to setup loadbalancing.  If you are failing over your DHCP server to another network, set the mode to Hot standby.  Additionally, here is a list with more indepth details on what each option does.

      • Relationship Name: Descriptive name to describe this DHCP Failover relationship.  This can be named anything to help you understand the server relationship.
      • Maximum Client Lead Time: Specifies the amount of time for which a DHCP lease may be renewed by either failover peer without contacting the other.  It also specifies the amount of time that either DHCP server will wait in a “partner down” state before assuming control of the entire IP address range within the scope.  ( default = 1 hour ).
      • Mode: Select Load Balance ( default – Active / Active ) or Hot Standby ( Active / Passive )
      • Load Balance Percentage: Specifies the percentage of the IP Address range to reserve for each server in the failover relationship.  Each server will use their assigned range of addresses prior to assuming control over the entire IP Address range of a scope when the other server transitions into a “partner down” state and the Maximum Client Lead Time ( specified above ) passes.
      • Auto State Switchover Interval: When selected, specifies the amount of time that elapses before a DHCP Server is automatically transitioned to a “partner down” state when network communication is interrupted to a DHCP Server.  If this option is unchecked, an administrator must manually transition the status of a DHCP Server into a “partner down” state using the DHCP Management console or PowerShell. ( when checked, the default = 60 minutes )
      • Enable Message Authentication: check this checkbox option to enable authentication of failover replication traffic between servers
      • Shared Secret:  Type a “Shared Secret” ( ie., a Password ) to be used to authenticate the failover connection between servers

      Configure Failover - Create a new failover relationship

    9. Click Finish
      Configure Failover - Summary
    10. Click Close on the results dialog, confirming the failover configuration was properly setup.
      Configure Failover - Progress of failover configuration
    11. Optionally, you can login to your secondary DHCP server to confirm failover has successfully been setup.
      1. On the secondary DHCP server, right click on one of your DHCP scopes and select Properties
        DHCP - IPv4 - Scope - Properties
      2. Select the Failover tab and you should see your failover settings in effect.
        DHCP - Scope Properties

That’s all that’s to it!  Hurray for high availability! 🙂

Notes:

Descriptions of each of the failover options were found on the following technet article: http://blogs.technet.com/b/keithmayer/archive/2012/10/28/step-by-step-scoping-out-the-new-dhcp-failover-in-windows-server-2012-31-days-of-favorite-features-part-28-of-31.aspx

An offial Microsoft KB article on configuring DHCP failover can be found here: http://technet.microsoft.com/en-us/library/hh831385.aspx

Migrate DHCP Role from Server 2008 R2 to Server 2012 R2

After doing a quick google search, it appears you can easily migrate your DHCP server as long as you have both your current DHCP server (running Server 2008 R2) and a new Windows Server 2012 server you are going to designate as a DHCP server.

  1. Login to your new Server 2012 R2 machine with the DHCP role installed
  2. Open up a Powershell shell
    Server 2012 - Powershell
  3. Execute the following command to export the configuration from the Server 2008 R2 DHCP Server
    1. Export-DhcpServer –ComputerName win2k8r2-dhcp.corp.contoso.com -Leases -File c:\users\yourusername\Desktop\dhcpexp.xml -verbose
      Export-DhcpServer Server 2012
  4. Execute the following command to import the configuration into your new Server 2012 R2 DHCP Server; must be an Administrator running this PowerShell command.
    1. Import-DhcpServer –ComputerName win2k12r2.corp.contoso.com -Leases –File C:\users\yourusername\Desktop\dhcpexp.xml -BackupPath C:\users\yourusername\Desktop\backup\ -Verbose

Notes: Credit goes to the following technet article for the powershell commands and a more in-depth explanation: http://blogs.technet.com/b/teamdhcp/archive/2012/09/11/migrating-existing-dhcp-server-deployment-to-windows-server-2012-dhcp-failover.aspx

Dell PowerConnect 5548 – Enable port mirroring/monitoring via command line

To enable port mirror/monitoring on the Dell PowerConnect 5548 series switches, please follow the following steps:

  1. SSH or Telnet to the switch
  2. Login to the switch
  3. Execute the command: enable
  4. Execute the command: config
  5. Execute the command: interface gigabitethernet 1/0/##
    1. In this case, use the port number of the device that will be getting the traffic to analyze.  This is the interface your “wireshark” machine would be connected to, to do a packet capture.
  6. Execute the command: port monitor gigabitethernet 1/0/##
    1. In this case, use the port number of the device you want to see the network traffic/activity on.  For example, if my device that I wanted to monitor was on gigabit port 1/0/5, I would use that, not the machine that is going to receive the traffic (not your “wireshark” machine).

Once you are done with the forward, you can disable port monitoring/mirror by executing the following command after running through steps 1-5 again: no port monitor gigabitethernet 1/0/##

Last, if you want to see the status of your mirrored/monitored port, you can do so by executing the following command after repeating steps 1-3: show ports monitor

Tutorial: 802.1X Authentication via WiFi – Active Directory + Network Policy Server + Cisco WLAN + Group Policy

Here is how to implement 802.1X authentication in a Windows Server 2008 R2 domain environment using Protected-EAP authentication.  I have designed the tutorial to be worked on in the specific order to prevent downtime if deployed during the day.  By creating the Network Policy server first, once we switch the authentication type from whatever to 802.1X via RADIUS, our Network Policy Server will immediately start processing requests and allowing machines on the domain.  By configuring the Cisco Wireless LAN Controller or Group Policy first, clients will try connecting to a RADIUS server that doesn’t exist or present invalid credentials.  If you have any suggestions on how to better the implementation I demonstrate here, please drop a comment below to improve security/stability of these types of deployments. 🙂

Active Directory

First, we need to create a security group in Active Directory to allow a list of specific users and computers to login to the domain.  In this example, we will allow any authenticated user or machine on the domain to authenticate successfully to the RADIUS sever.  In the screenshot below, we can see I have added both Domain Users and Domain Computers to a security group called WirelessAccess. Here is a screenshot with the above settings.

802.1X - AD Security Group

Network Policy Server

  1. Create a new Windows Server 2008 R2 or Windows Server 2012 machine
  2. Add the machine to the domain
  3. Give the machine a static IP: (I’ll use 10.10.10.15 throughout this document as a reference to this server)
  4. Open up Server Manager, click Add Roles, click Next on the Before You Begin screen, check Network Policy and Access Services and click Next, click Next on the Introduction screen, check Network Policy Server (leave the rest unchecked) and click Next, click Install.
  5. Once Network Policy Server is installed, launch the Network Policy Server snap-in (via MMC or Administrative Tools)
  6. Inside of Network Policy Server, on NPC (Local), select RADIUS server for 802.1X Wireless or Wired Connections from the dropdown and click Configure 802.1X
    1. On the Select 802.1X Connections Type page, select Secure Wireless Connections, and enter My Company’s Wireless.  Click Next.
    2. Click on the Add… button.  Enter the following settings:
      1. Friendly name: Cisco WLAN Controller
      2. Address: 10.10.10.10 (Enter your WLAN Controller’s IP address)
      3. Select Generate, click the Genereate button, and then copy down the Shared Secret the wizard generated (we will use this later to get the WLAN Controller to talk to the RADIUS server).  Click OK.
    3. Click Next.
    4. On the Configure an Authentication Method, select Microsoft: Protected EAP (PEAP). Click Next.
    5. Click Next on the Specify User Groups (we will come back to this).
    6. Click Next on the Configure Traffic Controls page.
    7. Click Finish
  7. Click on NPS (Local) -> Policies -> Network Policies. Right click Secure Wireless Connections and click Properties.
  8. Click on the Conditions tab, select NAS Port Type, and click Remove.
  9. Still on the Conditions tab, click Add…, select Windows Groups and click Add…, click Add Groups…, search for WirelessAccess and click OK.  Click OK on the Windows Groups dialog box, click Apply on the Secure Wireless Connections Properties box.  You should now have something like the image below:
    802.1X - Secure Wireless Connections Conditions
  10. Click on the Constraints tab.
    1. Uncheck all options under Less secure authentication methods like the image below:
      802.1X - Secure Wireless Connections Constraints
    2. Click Apply

Cisco WLAN

  1. Login to your Cisco Wireless Lan Controller
  2. Add a RADIUS server to your controller
    1. Click on the Security tab
    2. Select AAA -> Radius -> Authentication on the left side
    3. Click the New… button in the top right
      1. Server IP Address: 10.10.10.15 (The IP address of your NPS server we setup earlier)
      2. Shared Secret Format: ASCII
      3. Shared Secret: The long generated password you wrote down when setting up the Network Policy Server
      4. Confirm Shared Secret: Same password in previous step
      5. Key Wrap: unchecked
      6. Port Number: 1812
      7. Server Status: Enabled
      8. Support for RFC 3576: Enabled
      9. Server Timeout: 2
      10. Network User: Checked
      11. Management: Checked
      12. IP Sec: Unchecked
      13. Here is a screenshot with the above settings
        802.1X - Cisco WLAN - RADIUS
  3. Create or modify a wireless network to use 802.1X
    1. Click on the WLANs tab
    2. Create a new wireless network or select an existing WLAN ID to edit
    3. On the “WLANs > Add/Edit ‘My SSID'” page, use the following settings
      1. Security Tab
        1. Layer 2 Tab
          1. Layer 2 Security: WPA+WPA2
          2. MAC Filtering: Unchecked
          3. WPA+WPA2 Parameters
            1. WPA Policy: Unchecked
            2. WPA2 Policy: Checked
            3. WPA2 Encryption: AES checked, TKIP unchecked
            4. Auth Key Mgmt: 802.1X
          1. Here is a screenshot of the above settings
            802.1X - Cisco WLAN - Security
        2. Layer 3 Tab
          1. Layer 3 Security: none
          2. Web Policy: unchecked
        3. AAA Servers Tab
          1. Authentication Servers: checked Enabled
          2. Server 1: Select your RADIUS server from the dropdown
          3. Local EAP Authentication: Unchecked
          4. Authentication priority order for web-auth user: Move RADIUS over to the right
          5. Here is a screenshot of the above settings802.1X - Cisco WLAN - AAA Servers
        4. Click Apply

Group Policy

  1. Go to your domain controller and open up the Group Policy Management console.
  2. Right click the Organizational Unit you want to apply to policy to and select Create a GPO in this domain, and Link it here…
    1. Note, the policy must be linked to the OU containing a group of machines you want to have WiFi access to or a parent of the OU.
  3. Enter in 802.1X WiFi Policy for the Name and click OK
  4. Right click your new GPO and click Edit
  5. Navigate to Computer Configuration->Policies->Windows Settings->Security Settings->Wireless Network (IEEE 802.11) Policies
  6. Right click and select Create A New Wireless Network Policy for Windows Vista and Later Releases
  7. Ensure the following settings are set for your Windows Vista and Later Releases policy
    1. General Tab
      1. Policy Name: My Wireless Policy for Vista and Later Clients
      2. Description: Vista and later wireless network for my company.
      3. Check Use Windows WLAN AutoConfig service for clients
      4. Here is a screenshot with the above settings802.1X - General
      5. Click the Add… button and select Infrastructure
        1. Connection Tab
          1. Profile Name: My Network
          2. Enter in your SSID (Wireless network name that gets broadcasted) and click the Add… button
          3. Check Connect Automatically when this network is in range
          4. Here is a screenshot of the above settings802.1X - Properties
        2. Security Tab
          1. Authentication: WPA2-Enterprise
          2. Encryption: AES
          3. Select a network authentication method: Microsoft Protected EAP (PEAP)
          4. Authentication Mode: User or Computer authentication
          5. Max Authentication Failures: 1
          6. Check Cache user information for subsequent connections to this network
          7. Here is a screenshot of the above settings with the Advanced tab open as well802.1X - Security Settings
        3. Click OK
    2. Network Permissions Tab
      1. Enter your network into Define permissions for viewing and connection to wireless networks if it hasn’t been added already.
      2. Uncheck Prevent connections to ad-hoc networks
      3. Uncheck Prevent connections to infrastructure networks
      4. Check Allow user to view denied networks
      5. Check Allow everyone to create all user profiles
      6. Uncheck Only use Group Policy profiles for allowed networks
      7. Leave all Windows 7 policy settings unchecked
      8. Here is a screenshot with the above settings (note, you may change the settings above to be in accordance to your policy.  Just ensure you don’t check Prevent connections to infrastructure networks).
        802.1x - Network Permissions
      9. Click OK
  8. Right click and select Create A New Windows XP Policy
  9. Ensure the following settings are set for your Windows XP Policy
    1. General Tab
      1. XP Policy Name: My Wireless Policy for XP Machines
      2. Description: My wireless policy for XP machines.
      3. Networks to access: Any available network (access point preferred)
      4. Check Use Windows WLAN AutoConfig service for clients
      5. Uncheck Automatically connect to non-preferred networks
      6. Here is a screenshot of the above settings.
        802.1X - XP General
    2. Preferred Networks Tab
      1. Click the Add… button and select Infrastructure
        1. Network Properties Tab
          1. Network name (SSID): My SSID
          2. Description: My wireless network
          3. Uncheck Connect even if network is not broadcasting
          4. Authentication: WPA2
          5. Encryption: AES
          6. Check Enable Pairwise Master Key (PMK) Caching
          7. Uncheck This network uses pre-authentication
          8. Here is a picture of the above settings
            802.1X - XP Network Properties
        2. IEEE 802.1X Tab
          1. EAP Type: Microsoft: Protected EAP (PEAP)
          2. Eapol-Start Message: Transmit
          3. Authentication Mode: User or Computer Authentication
          4. Check Authenticate as computer when computer information is available
          5. Uncheck Authente as guest when user or computer information is unavailable
          6. Screenshot of above settings
            802.1X - XP IEEE
        3. Click OK
    3. Click OK

Site to Site VPN via two Sonicwall firewalls – With DHCP over VPN

Introduction: This document shows an example of how to configure a VPN tunnel between 2 SonicWALL firewalls, one running SonicOS Enhanced at the main site (central site) and the other one running SonicOS standard at the remote site. Remote PC’s located behind the SonicWALL appliance on the remote site will obtain IP addresses automatically from a DHCP server located on the LAN zone of the Enhanced unit.

Versions Used: SonicWALL recommends using the latest firmware version on the units. On this document this feature has been tested on SonicOS Enhanced 5.6.0.11-61o and SonicOS Enhanced 4.2.1.0-20e.  SonicWALL’s original document, which can be found here, shows support for this configuration on SonicOS Enhanced 3.0.0.4-21e and SonicOS Standard 3.0.0.1-28s. Please note that SonicOS Enhanced runs on TZ170, PRO2040, PRO3060, PRO 4060, Pro 5060 models, and NSA 3500. SonicOS Standard only runs on the TZ 150, TZ170, PRO2040, and PRO3060 models. Customers with current service/software support contracts can obtain updated versions of SonicWALL firmware from the MySonicWALL customer portal at https://www.mysonicwall.com. Updated firmware is also freely available to customers who have registered the SonicWALL device on MySonicWALL for the first 90 days.

Network Topology: VPN Network Topology

Prerequisites: This guide assumes the following:

  • DHCP Server is up and running on the Central Site
  • The DHCP Server is in the LAN Zone
  • WAN Interfaces have been configured properly for internet access at both the remote and central site

Task List:

  • Configurations at the central site:
    • Set Firewall Unique Identifier
    • Add and configure a VPN policy 
    • Configure DHCP over VPN 
  • Configurations at the remote site: 
    • Set Firewall Unique Identifier
    • Add and configure a VPN policy 
    • Configure DHCP over VPN 
  • Testing
    • Verify that the VPN tunnel comes up
    • Verify that the DHCP client at the remote site obtains an IP address
    • Verify that traffic flows correctly between the sites
    • Verify that the DHCP client has access to its own network

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SonicWALL Central Site Configuration

  1. Login to your SonicWALL at the Central Site
  2. Click on VPN->Settings
  3. In the Unique Firewall Identifier box, enter CentralSite and click Apply
    1. VPN-Settings-CentralSite
  4. On the VPN->Settings page, click the Add… button
    1. Use the configuration below:
      1. General Tab
        1. Policy Type: Site to Site
        2. Authentication Method: IKE using Preshared Secret
        3. Name: RemoteSite
        4. IPsec Primary Gateway Name or Address: yourwanipaddressoftheremotesite
        5. IPsec Secondary Gateway Name or Address: Leave this blank
        6. Shared Secret: Enter a good long password here!
        7. Confirm Shared Secret: Enter the same good long password you used above!
        8. Local IKE ID and Peer IKE ID: Leave these settings their default values
        9. CentralSite-General
      2. Network Tab
        1. Local Networks: Select Choose local network from list and select LAN Subnets
        2. Remote Networks: Select Destination network obtains IP addresses using DHCP through this VPN tunnel
        3. CentralSite-Network
      3. Proposals Tab
        1. IKE (Phase 1) Proposal
          1. Exchange: Main Mode
          2. DH Group: Group 2
          3. Encryption: AES-256
          4. Authentication: SHA1
          5. Life Time (seconds): 28800
        2. IKE (Phase 2) Proposal
          1. Protocol: ESP
          2. Encryption: AES-256
          3. Authentication: SHA1
          4. Enable Perfect Forward Secrecy: unchecked
          5. Life Time (seconds): 28800
        3. CentralSite-Proposals
      4. Advanced Tab
        1. Enable Keep Alive: this should be unchecked and grayed out
        2. Suppress automatic Access Rules creation for VPN Policy: unchecked
        3. Require authentication of VPN clients by XAUTH: unchecked
        4. Enable Windows Networking (NetBIOS) Broadcast: unchecked
        5. Enable Multicast: unchecked
        6. Apply NAT Policies: unchecked
        7. Management via this SA: all options unchecked
        8. User login via this SA: all options unchecked
        9. Defualt LAN Gateway (optional): 0.0.0.0
        10. VPN Policy bound to: Zone WAN
        11. CentralSite-Advanced
  5. Click OK
  6. Click on VPN->DHCP over VPN
    1. Select Central Gateway from the dropdown and click the Configure… button
      1. CentralSite-DHCPoverVPN
    2. Click on the Add… button and then type in the IP address of your DHCP server at the CentralSite.
      1. CentralSite-DHCPConfig
    3. Click OK

SonicWALL Remote Site Configuration

  1. Login to your SonicWALL at the remote site
  2. Click on VPN->Settings
  3. In the Unique Firewall Identifier box, enter RemoteSite and click Apply
    1. RemoteSite
  4. On the VPN->Settings page, click the Add… button
    1. Use the configuration below:
      1. General Tab
        1. Authentication Method: IKE using Preshared Secret
        2. Name: CentralSite
        3. IPsec Primary Gateway Name or Address: yourwanipaddressofthecentralsite
        4. IPsec Secondary Gateway Name or Address: Leave this blank
        5. Shared Secret: Use the same secret as the CentralSite
        6. Confirm Shared Secret: Use the same password as the CentralSite
        7. Local IKE ID and Peer IKE ID: Leave these settings their default values
        8. RemoteSite-General
      2. Network Tab
        1. Local Networks: Select Local network obtains IP addresses using DHCP through this VPN Tunnel
        2. Remote Networks: Select Create new address object
          1. Enter in your CentralSite’s LAN information (this will be the network you pull DHCP IPs from.
            1. CentralSite-LAN Config
        3. On the Choose destination network from list, you can now select CentralSite LAN
          1. RemoteSite-Network
      3. Proposals Tab
        1. IKE (Phase 1) Proposal
          1. Exchange: Main Mode
          2. DH Group: Group 2
          3. Encryption: AES-256
          4. Authentication: SHA1
          5. Life Time (seconds): 28800
        2. IKE (Phase 2) Proposal
          1. Protocol: ESP
          2. Encryption: AES-256
          3. Authentication: SHA1
          4. Enable Perfect Forward Secrecy: unchecked
          5. Life Time (seconds): 28800
        3. RemoteSite-Proposals
      4. Advanced Tab
        1. Enable Keep Alive: check this option if it is not grayed out
        2. Suppress automatic Access Rules creation for VPN Policy: unchecked
        3. Require authentication of VPN clients by XAUTH: unchecked
        4. Enable Windows Networking (NetBIOS) Broadcast: unchecked
        5. Enable Multicast: unchecked
        6. Apply NAT Policies: unchecked
        7. Management via this SA: all options unchecked
        8. User login via this SA: all options unchecked
        9. Defualt LAN Gateway (optional): 0.0.0.0
        10. VPN Policy bound to: Zone WAN
        11. RemoteSite-Advanced
  5. Click OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Testing/Verification

  1. Open up one of the SonicWALL devices (either Central or Remote) and head over to VPN->Settings
    1. You should see a green dot indicating the connection is active.  Additionally, at the bottom of the same page, you can see the “Current Active VPN Tunnels”.  You should see the tunnel has been established their as well.
      1. Active Connection
    2. Active connections from the RemoteSite’s SonicWALL
      1. Active VPN Tunnels
  2. Next, head over to a workstation on the RemoteSite’s network.
    1. Type ipconfig /release on the workstation
    2. Type ipconfig /renew on the workstation
    3. Type ipconfig and verify the IP address is in the correct range from the Central Site.
  3. On the CentralSite’s SonicWALL, go to VPN->DHCP over VPN
    1. Under Current DHCP over VPN Leases, you should see your client
  4. Try to ping a server at the CentralSite, you should receive a successful reply.