Booches.nl

Connecting the world…

Exchange 2007 with ISA 2006

Today I have be working on publishing Microsoft Exchange Outlook WebAccess and Active Sync to the Internet. We had some discussions with some Microsoft Consultants about a secure way to publish Outlook Web Access to the Internet, especially the authentication part of such a solution.

Some people are talking about publishing OWA directly to the Internet. In my opinion, this results in a major security thread, because you directly publish a TCP/80 and TCP/443 connection from the Exchange server to the Internet. An vulnerability or exploit in these services could end up in an hacker who takes over the Exchange server.

A second solution is placing a front-end server in a DMZ segment, but making the server a domain member for authentication. In my opinion still a security leak, because somebody who hacks the DMZ server has maybe the ability to hack or corrupt the Active Directory.

The third solution, and the solution we advise, is using a Microsoft ISA 2006 server as a front-end server in the DMZ. We configure a RADIUS or LDAPS (if you would like the option to change the password) connection to a RADIUS server or a domain member on the internal LAN segment. This ensures a secure way of authenticating users and even if somebody hacks the ISA server, he still hasn’t hacked a domain member server or a vulnerability in TCP/80 or TCP/443 of the Exchange server.

I have had a lot of help of an article on isaserver.org from Thomas Shinder while configuring the solution. I had some problems with publishing Active Sync. Ended up with enabling Basic Authentication on the Active Sync virtual directory (Microsoft-Server-ActiveSync).

HP Blade Switch Development

Maybe old news for some of you, but HP has developed the Cisco switches for the HP Blade servers. The Cisco Catalyst Blade Switch 3120G and 3120X provide stacking functionality. This improves the functionality of the switches by creating a single switch from two physical switches.

Source: The Cisco Catalyst Blade Switch 3120 Series Switches are specifically designed to meet the rigors of the blade server based application infrastructure and provides HP BladeSystem customers with the ability to stack up to nine switches into a single virtual Switch.

The creation of a stack helps improving the availability and load-balancing of connections between the HP Blade environment and the physical network environment. More information about the new switches can be found here.

BGP Multihoming

Today I have been playing with configuring BGP and multihoming. I configured a simple test environment where one customer router (local AS 100) connects to two ISP routers from the same ISP (remote AS 200). I configure some kind of load-sharing amongst the two links to the ISP.

Important when configuring BGP is the concept to not becoming some kind of Transit AS for other BGP connections. It is also very important to secure your own router from accepting the whole routing table of the ISP. In this example I only accept a default route from the ISP.

I configured the following scenario:
BGP Multihoming
The next section show the significant configuration of the different network components in the scenario.

ICTIVITY

interface Loopback0
description INTERNAL NETWORK
ip address 172.16.100.1 255.255.254.0
!
interface FastEthernet0/0
description CONNECTION TO ISP-A
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
description CONNECTION TO ISP-B
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
!
router bgp 100
no synchronization
bgp log-neighbor-changes
bgp dampening
network 172.16.100.0 mask 255.255.254.0
timers bgp 1 5
neighbor 192.168.1.2 remote-as 200
neighbor 192.168.1.2 prefix-list DEFAULT-ONLY in
neighbor 192.168.2.2 remote-as 200
neighbor 192.168.2.2 prefix-list DEFAULT-ONLY in
maximum-paths 2
no auto-summary
!
ip prefix-list DEFAULT-ONLY seq 10 permit 0.0.0.0/0

ISP-A

interface FastEthernet0/0
description CONNECTION TO ICTIVITY
ip address 192.168.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
description CONNECTION TO DEFAULT GATEWAY
ip address 10.11.0.2 255.255.0.0
duplex auto
speed auto
!
router bgp 200
no synchronization
bgp log-neighbor-changes
network 10.11.0.0 mask 255.255.0.0
neighbor 192.168.2.1 remote-as 100
neighbor 192.168.2.1 default-originate
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 10.11.0.1

ISP-B

interface FastEthernet0/0
description CONNECTION TO ICTIVITY
ip address 192.168.2.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
description CONNECTION TO DEFAULT GATEWAY
ip address 10.10.0.2 255.255.0.0
duplex auto
speed auto
!
router bgp 200
no synchronization
bgp log-neighbor-changes
network 10.10.0.0 mask 255.255.0.0
neighbor 192.168.2.1 remote-as 100
neighbor 192.168.2.1 default-originate
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 10.10.0.1

The above configuration is very basic, but yet very powerful. The command ip prefix-list DEFAULT-ONLY seq 10 permit 0.0.0.0/0 assures that only default routes are accepted from the ISP. The routing table of ICTIVITY has the following entries:

Gateway of last resort is 192.168.1.2 to network 0.0.0.0

172.16.0.0/23 is subnetted, 1 subnets
C 172.16.100.0 is directly connected, Loopback0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
C 192.168.2.0/24 is directly connected, FastEthernet0/1
B* 0.0.0.0/0 [20/0] via 192.168.1.2, 00:00:24
[20/0] via 192.168.2.2, 00:00:11

Looking at the routing table our router has two default routes for load-balancing and fail-over purposes.

RADIUS Authentication

I am sure that many of you would like to do the same thing and many of you successfully configured it. I am trying to configure RADIUS Authentication on my Cisco 877W. I have two different RADIUS policies, the first for privilege level 1 and the second for privilege level 15. I am using Microsoft IAS as RADIUS server.

I configured two policies and the second policy has the following Advanced Options set.

RADIUS - Advanced Options

This means that the user should get privilege level 15, when logging in. I configured the following on the Cisco877W router.

aaa authentication login AD group radius local none
aaa authorization exec AD group radius
!
radius-server host 10.10.1.1 auth-port 1812 acct-port 1813 key 7 KEY
radius-server retry method reorder
radius-server transaction max-tries 2
radius-server timeout 4
radius-server deadtime 2
radius-server vsa send authentication
!
line vty 0 4
session-timeout 5
access-class 10 in
exec-timeout 5 0
login authentication AD
transport preferred none
transport input ssh
transport output telnet ssh

The user doesn’t get the privilege level 15, but comes in privilege level 1 and has to enter enable to get into privilege level 15. I turned on RADIUS debugging and I see the shell code coming by, as the debug output below shows.

%SSH-5-SSH2_SESSION: SSH2 Session request from 10.10.1.103 (tty = 1)
using crypto cipher ‘aes256-cbc’, hmac ‘hmac-sha1’ Succeeded
RADIUS/ENCODE(00000716): ask “Password: ”
RADIUS/ENCODE(00000716): send packet; GET_PASSWORD
RADIUS/ENCODE(00000716):Orig. component type = EXEC
RADIUS/ENCODE(00000716): dropping service type,
“radius-server attribute 6 on-for-login-auth” is off
RADIUS(00000716): Config NAS IP: 0.0.0.0
RADIUS/ENCODE(00000716): acct_session_id: 1814
RADIUS(00000716): sending
RADIUS/ENCODE: Best Local IP-Address 10.10.1.1 for Radius-Server 10.10.1.5
RADIUS(00000716): Send Access-Request to 10.10.1.5:1812 id 1645/31, len 81
RADIUS: authenticator 72 D9 B5 F1 76 72 9A D1 – 73 D7 E8 AF 21 F3 B5 0F
RADIUS: User-Name [1] 6 “rene”
RADIUS: User-Password [2] 18 *
RADIUS: NAS-Port [5] 6 3
RADIUS: NAS-Port-Id [87] 6 “tty3”
RADIUS: NAS-Port-Type [61] 6 Virtual [5]
RADIUS: Calling-Station-Id [31] 13 “10.10.1.103”
RADIUS: NAS-IP-Address [4] 6 10.10.1.1
RADIUS: Received from id 1645/31 10.10.1.5:1812, Access-Accept, len 83
RADIUS: authenticator BB BF B5 FD 1D 36 67 9B – FE 5A EE 5A 6C 42 5E B9
RADIUS: Vendor, Cisco [26] 25
RADIUS: Cisco AVpair [1]
19 “shell:priv-lvl=15”
RADIUS: Service-Type [6]
6 Login [1]
RADIUS: Class [25] 32
RADIUS: 3C 09 04 AE 00 00 01 37
00 01 0A 0A 01 05 01 C8 [< ??????7????????]
RADIUS: A6 C0 C2 0D FD 4C 00
00 00 00 00 00 00 13 [?????L????????]
RADIUS(00000716): Received from id 1645/31
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success
[user: rene] [Source: 10.10.1.103] [localport: 22]

I am running out of options. I have tried to use the Cisco-AVpair in IAS, but no success. I tried using only Telnet, but no success. Maybe someone has an option to try…

Network simulator

More often I have to change critical configuration options in live environments, but sometimes I don’t no the effect of these changes on the network. So I would like to build a test network where I can check the impact of the configuration changes. A good network simulator would definitely help in this situation.

Cisco switches use IOS software and software always contains bugs. A new release can contain bug fixes, but also new features. It could be useful to test these new features in a test environment. Unfortunately we and our customers don’t have a lot of routers and switches in spare. So I need a network simulator, which can simulate real Cisco IOS software.

First I used the tool Dynamips / Dynagen. This text Cisco router emulator emulates a couple of Cisco routers. The tool helps by loading different images on your own laptop. The hard part of Dynamips is the configuration of a test environment. All configuration is done in text files, with a lot of different options.

Luckily I found a graphical user interface for Dynamips. It is called GNS3. GNS3I really love this tool, because designing a network environment is dragging and dropping some routers, define the desired modules and connect them together. Next start the emulator and you are ready to go. The new version of GNS3 doesn’t only emulate routers, but also the Cisco PIX firewall with software version 8.x. Of course it is no Cisco ASA, but better something then nothing.

I really recommend this tool to everybody involved with network infrastructures and especially Cisco environments. The tool can help you by testing features like routing protocols and QoS tools. GNS3 is also very useful when studying for a Cisco Exam, even for the CCIE certification.