
Microsoft Outlook through Citrix Access Gateway SSL IP VPN

October 31st, 2008 | No Comments

One of our customers wants to use their locally installed Microsoft Outlook through a Citrix Access Gateway (CAG). Sales people from that customer travel around the country and use Outlook offline to read e-mail or to prepare e-mail to send later. They connect their laptops to the Internet over UMTS. The customer wants these sales people to be able to work in Outlook offline and actually send and receive mail whenever they are connected to a network with Internet access.

The customer already uses CAGs to publish multiple services to the Internet, so together with my colleague Edwin Houben from DigiPulse I started looking for a suitable solution. The CAG is located behind a Check Point firewall, and traffic to the internal network has to pass through an ISA Server firewall.

First we looked at the ports Microsoft Outlook uses to connect to the Exchange server. Looking at the Outlook settings on a laptop, the connection is made to the FQDN of the Exchange server. Running netstat -na while Outlook was connected showed two ports in use towards the Exchange server:

PORT       DESCRIPTION
TCP/135    EPMAP (the RPC endpoint mapper)
TCP/1536   dynamically assigned RPC port (IANA lists 1536 as AMPR-INTER, which is unrelated to Exchange)

Because Outlook connects to the Exchange server by FQDN, the laptop needs an IP connection to the Exchange server. So we decided to use the Citrix Secure Access Client to give the user a secure IP (SSL VPN) connection into the network.

Looking at the customer's network, we had to configure access-lists in two places to keep the solution tight. The first is a Network Resource in the CAG, which allows only the above ports to the Exchange server IP address. The second is a rule on the ISA Server that allows the IP address of the CAG to connect to the Exchange server on the same port numbers.

After configuring both access-lists we did some testing and the solution works perfectly. The laptop can now be used on the internal network and externally through the Citrix Secure Access Client without changing anything in the Outlook configuration.

Later, the customer noticed that Microsoft Outlook no longer worked in conjunction with the Citrix Secure Access Client. After digging a bit deeper into the traffic between Outlook and the Exchange server, I noticed that, besides TCP/135, random ports above 1024 are used: Outlook asks the RPC endpoint mapper on TCP/135 which port the Exchange services are listening on, and that port is assigned dynamically when the Exchange services start. So I changed the Network Resource and the ISA Server rule to allow TCP/135 and the range TCP/1024-2000. I haven't opened the complete range of registered port numbers, so I hope Exchange doesn't pick a port above TCP/2000. Be aware that the default dynamic RPC range on Windows Server 2003 runs up to port 5000, so a restart of the Exchange services can land on a port outside 1024-2000. If that happens, the cleaner fix is to pin the Exchange information store and directory (NSPI) RPC ports to fixed values in the registry, as described in Microsoft's documentation on Exchange static port mappings, and to allow only those ports in the CAG and ISA Server.
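As an added example (not code from the original post), here is a small Python check that does the netstat audit described above: it parses netstat -na output from the laptop, picks out the remote ports used towards the Exchange server, and reports any that fall outside the access-list. The netstat lines, the Exchange address 10.0.0.25 and the allowed port set (TCP/135 plus TCP/1024-2000) are constructed for the example and are assumptions.

```python
"""Audit Outlook-to-Exchange RPC connections seen in `netstat -na` output
against a CAG / ISA access-list.

Added example, not part of the original post.  The netstat sample, the
Exchange server address and the allowed port set are constructed/assumed.
"""
import re

# Assumption: internal Exchange server address and the access-list from the
# post, i.e. TCP/135 (RPC endpoint mapper) plus the dynamic range 1024-2000.
EXCHANGE_IP = "10.0.0.25"
ALLOWED_PORTS = {135} | set(range(1024, 2001))

# Constructed `netstat -na` output from a Windows laptop running Outlook.
# The 10.0.0.25:3894 line reproduces the failure mode from the post: the
# endpoint mapper handed Outlook a dynamic port above 2000.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3021      10.0.0.25:135          ESTABLISHED
  TCP    192.168.1.10:3022      10.0.0.25:1536         ESTABLISHED
  TCP    192.168.1.10:3023      10.0.0.25:1245         TIME_WAIT
  TCP    192.168.1.10:3024      10.0.0.25:3894         ESTABLISHED
  TCP    192.168.1.10:3025      10.0.0.80:80           ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# One TCP line: proto, local addr:port, foreign addr:port, state.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def exchange_ports(netstat_text, exchange_ip=EXCHANGE_IP):
    """Return the sorted list of remote TCP ports used towards exchange_ip."""
    ports = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3) == exchange_ip:
            ports.add(int(m.group(4)))
    return sorted(ports)


def ports_outside_acl(ports, allowed=ALLOWED_PORTS):
    """Ports Outlook actually used that the access-list would drop."""
    return [p for p in ports if p not in allowed]


def audit(netstat_text, exchange_ip=EXCHANGE_IP, allowed=ALLOWED_PORTS):
    """Summarise which Exchange ports were seen and which the ACL blocks."""
    seen = exchange_ports(netstat_text, exchange_ip)
    blocked = ports_outside_acl(seen, allowed)
    return {"seen": seen, "blocked": blocked, "needs_wider_acl": bool(blocked)}


if __name__ == "__main__":
    print(audit(NETSTAT_SAMPLE))
```

Run it against real netstat output taken while Outlook is connected on the internal LAN (before the VPN is in the path); an empty blocked list means the CAG Network Resource and ISA rule cover what Outlook actually uses, and any non-empty result is a port you would otherwise only discover when the sales people call in.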

FUNNY ADD-ON

I did some Googling on TCP port 135 and found some “funny” things:

Some well-known rootkits also use this port to transmit data back to home base and download more malware. I also suspect it may be an entry point for some rootkit/malware on unpatched systems or systems that did not patch correctly. (Source)

Currently inbound scans are likely the Nachi or MSBlast worms. (Source)

The problem with TCP port 135 is that it is used by multiple services, listed below, so blocking TCP port 135 could break communication between devices or the use of these services:

Client/Server Communication
DCOM
DHCP Manager
Exchange Administrator
Microsoft Message Queue Server
RPC User Manager
RPC Service Manager
RPC Port Mapper
SCM used by DCOM
SQL Session Mapper
WINS Manager

Cacti Plugin Management and RealTime Plugin

October 27th, 2008 | No Comments

I played a little with Cacti today and installed Plugin Architecture 2.1. In the forums a lot of people talk about the Plugin Management functionality. I looked through my complete Cacti installation and checked every setting that can be configured, but I couldn't find anything about Plugin Management.

After some more searching on the forums I found out how to enable Plugin Management. The Plugin Architecture ZIP file contains a file called pa.sql. This file needs to be imported into the Cacti database with the following command:

mysql -u root -p cacti < pa.sql

After executing the command you can enable Plugin Management per user under User Management. The import only touches the cacti database, so you can also run it as the database user from Cacti's config.php instead of root, provided that user has CREATE and ALTER rights on the database (the usual GRANT ALL on cacti.* covers this).

I haven't played much with Cacti lately, but my colleague told me about a new plugin called Realtime, which I find very useful. As you know, Cacti only polls every few minutes. Sometimes it is useful to get real-time bandwidth utilization statistics; in most cases I use tools like STG or Interface Traffic Indicator (both can be found on the Tools page) for that. The Realtime plugin lets you get real-time bandwidth utilization statistics through Cacti itself. You can download the Realtime plugin here; more information can be found at CactiUsers.org.

Upgrade WordPress

October 24th, 2008 | No Comments

I just upgraded my WordPress installation from 2.6 to 2.6.3. So if you notice any strange behavior, feel free to let me know by mail or comment!!

Company transportation….

October 23rd, 2008 | 1 Comment

Today I am working at a customer who has two locations in a very, very small town. The “headquarters” is in the center of town and the factory is outside the town. At both locations I have to replace all network components, so there is some traveling between the two.

So one of the employees tells me: “Let's take company transportation to get to the other location.” So I think: “Nice, let's be lazy and take a car, like real IT people would do.” But instead of taking a car, I have to take a bicycle!!!! This customer really bought about 10 bicycles for transportation between the two locations.

Man, it has been years since I last used a bicycle, but it was fun and good for my shape. Not only engineers take the bicycle; businessmen who visit this customer also cycle to the other location. It looks cool, all those businessmen in suits on bicycles.

I really like the idea of taking the bicycle. In the Netherlands it is common for people to use a bicycle, so maybe more companies should follow this example…

IEEE 802.3x FlowControl between Cat3750E and Cat2960

October 23rd, 2008 | No Comments

I have a network with two Catalyst 3750E switch stacks, connected to each other with a 2 x 10 Gbps EtherChannel. Each stack terminates a ring of approximately 10 to 15 Catalyst 2960 switches: two of the 2960s in each ring are connected with 1 Gbps links to the switch stack, which closes the ring. So, say, seven 24-port Catalyst 2960 switches share a single 1 Gbps link to the switch stack. With this customer this isn't a problem, because there are no heavy users or applications.

But imagine that a link between a Catalyst 3750E and a Catalyst 2960, or between two Catalyst 2960s, is giving problems and the Catalyst 2960 cannot handle the traffic it receives. You need some way to slow the traffic down. I normally start by thinking about IEEE 802.3x flow control.

Flow control enables connected Ethernet ports to control traffic rates during congestion by allowing congested nodes to pause link operation at the other end. If one port experiences congestion and cannot receive any more traffic, it notifies the other port by sending a pause frame to stop sending until the condition clears. Upon receipt of a pause frame, the sending device stops sending any data packets, which prevents any loss of data packets during the congestion period.

But after reading the documentation, flow control isn't an option here. When the link between the two switches gets congested, the Catalyst 2960 would have to send a pause frame to the Catalyst 3750E, and that's the problem.

Both the Catalyst 3750E and the Catalyst 2960 can only receive, not send, pause frames. So configuring flow control between a Catalyst 3750E and a Catalyst 2960 is useless, because neither switch can tell the other that its side of the link is congested. The same holds for the 2960-to-2960 links inside the ring.
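As an added example (not configuration from the original post), this is how you would verify the above on the switch itself rather than rely on the documentation: enable receive-side flow control on the uplink and let the platform report what it actually supports and counts. The interface name and description are assumptions.

```text
! Added example, not from the original post; interface names are assumptions.
! On the 3750E uplink towards the 2960 ring, honour pause frames from the peer
! (the 2960 will never send one, so this is harmless but also useless here).
interface GigabitEthernet1/0/25
 description uplink to 2960 ring (assumed)
 flowcontrol receive on
!
! Verify on both ends. The output lists the admin/oper state of send and
! receive flow control for the port plus RxPause/TxPause counters; on the
! 3750E and 2960 the send side is reported as unsupported and TxPause stays
! at 0, which is the whole point of the post.
show flowcontrol interface GigabitEthernet1/0/25
```

One caveat worth keeping in mind when you do leave flowcontrol receive on: the switch then stops transmitting on that port whenever the peer sends a pause frame, whatever the peer is, so a faulty NIC or a deliberately misbehaving host on an access port can stall it. Leave it at the default (off) on user-facing ports and enable it only on infrastructure links where you trust the other end.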