| Follow me on:

RSA Authentication Manager 7.1 on VMware

August 15th, 2008 | 2 Comments

I had to install and configure RSA Authentication Manager 7.1. Looking at the Supported Platforms I couldn’t find VMware ESX as supported platform. VMware ESX was supported for RSA AU6.1. So I thought by myself, let’s give it a try. What I noticed first was the size of the installer. The installation file for RSA AM 7.1 is about 2.5Gb, which I think is a lot compared to the 300Mb for RSA AM 6.1.

I installed a server with the following specs:

  • 2 x Intel Xeon 2.0 Ghz processor
  • 2Gb of RAM
  • 60 Gb partition, solely for RSA
  • 2Gb Paging file

The installation of RSA Authentication Manager 7.1 took 1,5 hours to install, so I really started doubting the installation under VMware. After the installation I wasn’t able to open the management console, which runs webbased in this new version. To be sure, I restarted the server after the installation. Now it took 45 minutes to pass the Applying computer settings and Applying personal settings.

I called RSA and the engineer told me that there are no known issues for running RSA Authentication Manager 7.1 under VMware. The only important thing he told me was the usage of 4Gb RAM and a 4GB Paging file, when running under VMware. I upgraded the memory from 2Gb RAM to 4GB RAM and I configured two 4Gb paging files.

You maybe already guess the following lines of text, but the upgrade didn’t work out. The boot process still took approximately 45 minutes. After booting the server, the performance was really bad. The memory usage was steadily running on 4.2 Gb!!!!

I called RSA a second time and the next engineer took my doubts away. The told that RSA Authentication Manager 7.1 is NOT OFFICIALE supported by RSA. The performance problems are probably caused by the new Oracle database and the different Java instances, which are running on the server. Because RSA had to run in a virtual environment, I downloaded RSA AM 6.1. The installation AND configuration of the complete environment took about 2 hours.

So at the time of writing this blog post:

DO NOT INSTALL RSA AUTHENTICATION MANAGER 7.1 UNDER VMWARE!!!!

ADD ON August 15th 2009

RSA 7.1 is now supported under ESX 3.5. Check the updated article on this matter.

Maybe you also want to check this article about configuring On-Demand with RSA 7.1.

RDP and Spooler system service

August 12th, 2008 | 3 Comments

My colleagues and I configure a Windows server from time-to-time. Mostly when we configure a server, it is a server which is placed in the DMZ zone, like an ISA Reverse Proxy or Citrix Secure Gateway. Recently I spoke with a colleague and we started discussing the running services under Windows.

After installing a Windows server with the default settings, I am stunned about all the different services which are running on the newly installed server. So most of the time, I stop a lot of these services and configure them to be started manually after a reboot. I do not only stop services from the Services MMC, but also settings on the network card, like Client for Microsoft Windows, File and Printer Sharing for Microsoft Windows, Registrar connection in DNS, LMHOST lookup and NetBIOS over TCP/IP.

Normally a server in the DMZ doesn’t have any printers connected, so I stop the Print Spooler service, but when connecting to the server with RDP the following Event logging shows up in the Event Viewer –> System log:

EventID: 1114

Source: TermServDevices

Type: Warning

Description: Error communicating with the Spooler system service. Open the Services snap-in and confirm that the Print Spooler service is running.

Looking at the Internet, there are different ways to stop is error from showing up in the Event viewer. All solutions are related to stopping the mapping of printers during the RDP log-in process. My colleague told me that he always uses a registry entry to disable the logging and guess what, this specific registry entry is shown below:

Registry folder: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd

Entry name: fEnablePrintRDR

Type: REG_DWORD

Value: 0×00000000 (0)

After adding this registry key the warning message in the Event Viewer won’t show up again.

Change password through LDAPS on ISA server

August 6th, 2008 | No Comments

Today I received the question about allowing users to changes his/her password through webmail, whereby webmail is published via an ISA server 2006 reverse proxy. This is possible, but it requires the configuration of LDAPS to authenticate users.

I started by configuring a Certificate Authority (CA) on a member server in the domain. During the installation of CA a root certificate is generated. You need to export this root certificate with private key. Next I imported the certificate on the reverse proxy server, but didn’t mark the private key as exportable. So the root certificate cannot be exported from the reverse proxy server with its private key in the future. I checked if binding to the Active Directory is possible by using the tool ldp.exe.

The last part is configuring LDAP Validation in ISA. Go to Configuration –> General –> Specify RADIUS and LDAP Servers. First you need to add a LDAP server set, like shown in the following picture.

Important when configuring the LDAP server set is the usage of the FQDN as LDAP server hostname. This FQDN should be exactly the same compared to the FQDN mentioned in the imported root certificate.

The last step is configuring the LDAP server mapping, which is also shown below.

Because I don’t want to add a domain name during the login procedure on the OWA login page, like DOMAIN\USER, I use the Login Expression wildcard character * and link that to the configured LDAP server set. Now you can login with just username and password, instead of domain\username and password.

Next I configure a OWA Publishing policy like always, but on the Listener I use LDAP as authentication mechanism. On the Listener Forms tab you can enable or disable the options:

  • Allow users to change their passwords;
  • Remind users that their passwords will expire in this number of days;

These options add some extra option to the OWA login page. Another step to configure is the allowed users. In most environments I use the group Domain Users as allowed OWA group, because mostly all users are allowed to use OWA, else you need to configure a separate user group in Active Directory. On the Users tab you remove the All Authenticated Users and click Add. You need to define a new user group, like shown below.

User Group

This means that if you are member of the group Domain Users, you are allowed to use OWA.

The last step is configuring the public path. When logged in to OWA, you have the option to change your password through the options page. To use this feature, you need to added another path to the Path configuration in the reverse proxy server. The path, which should be added, is /iisadmpwd/*, where the External Path is the same as the Internal Path.

Over at isaserver.org, Thomas Shinder wrote a great post about using LDAPS with OWA and multiple domains. The article is called LDAP Pre-Authentication with ISA 2006 Firewalls: Using LDAP to Pre-Authenticate OWA Access.

Cisco RPS 2300

August 4th, 2008 | 2 Comments

Lately I was looking at the Cisco Redundant Power System 2300, because this unit delivers power supply redundancy and resiliency for different power requirements. The RPS 2300 helps to seamlessly failover in the event of power failures.

Depending on the number of internal power supplies, the RPS 2300 can provide redundant power of up to two of six connected switches and/or routers. The RPS 2300 supports 1150W AC or 750W AC power supplies. With two 1150W AC power supply modules, the Cisco RPS 2300 can fully back up two 48-port switches that are delivering 15.4W of PoE on all ports.

The RPS 2300 has enhanced capabilities when used in conjunction with Cisco Catalyst 3750-E and 3560-E, like:

  • The ability to remotely place the RPS or any of the six individual RPS ports in active or standby mode;
  • Setting priorities for each RPS port;
  • Failure and exception history reporting;

Normally when switching back from the RPS to normal AC power, the switch reboots. When backed up by a Cisco RPS 2300, a Cisco Catalyst 3750-E and 3560-E is capable of reverting back to its own power supply without rebooting. I really like this feature, because in normal operation a network administrator could miss a power failure of the primary AC and the backup operation by the RPS. When switching back uncontrolled, the reboot of the switch could cause serious problems in the network.

The Cisco RPS 2300 supports two power supplies as mentioned before. These power supplies are also compatible with Cisco Catalyst 3750-E and 3560-E switches. The supported power supplies are:

  1. The C3K-PWR-1150WAC power supply;
  2. The C3K-PWR-750WAC power supply;

The Cisco RPS 2300 can operate with one or two power supplies. If two power supplies are installed, the must be of the same type.

When choosing to use the Cisco RPS 2300, you should pay attention to spare RPS cables. The Cisco Catalyst 3750-E and 3560-E switches use different RPS cables (CAB-RPS2300-E) compared to other switches (CAB-RPS2300). More information about the Cisco RPS 2300 can be found in the following PDF file.

  • my Tweetz

    • Going to install new PacketShaper licenses in an hour. The installation steps from BlueCoat are very clear... hope the installation is too 2 days ago
    • Just met some former class mates from 15 years ago. It's funny to hear what everbody is doing nowadays 3 days ago
    • Mysteryland is over. We had a great time. We saw great dj's and herad some good sets. And only 2 drops of rain!!! 5 days ago
    • We arrived at Mysteryland. The party can begin http://moby.to/22oq2q 5 days ago
    • Online mysteryland in de zwembroek ciao 6 days ago
    • More updates...

    Powered by Twitter Tools

  • Advertisements