Connecting the world…

set

FortiMail – Howto enable DLP

FortiMail has the option to use Data Loss Prevention as enhanced security mechanism. This feature is introduced in firmware 5.3, according to the release notes. By default the DLP option is not visible on the GUI.

FortiMail - No DLP

DLP can be enabled via the CLI, but it is a well hidden feature. The option can be enabled from the “system global” configuration. When you do a “get” or “set ?” from the “system global” menu, you don’t see the option, but you are able to type it manually.

mail # config system global

mail (global) # set data-loss-prevention enable

mail (global) # end

This enables DLP and adds a new configuration menu to the GUI.

FortiMail - DLP enabled

HP Virtual Connect Manager

While change the configuration of within a HP Virtual Connect Manager I noticed that I didn’t have any options to delete server profiles, Ethernet Networks or Shared Uplink Sets within the web browser.

I needed to change the configuration dramatically from an active / standby configuration to an active / active configuration. I also needed to change the complete server profile configuration and Ethernet Networks configuration.

I noticed that I can also connect through SSH to the HP VC Flex-10 Enet modules. This presents a CLI with different command options. And of course I had more options within the CLI compared to the web interface.

——————————————————————————-
HP Virtual Connect Management CLI v3.18
Build: 3.18-3 (r46087) Apr  1 2011 17:45:49
(C) Copyright 2006-2011 Hewlett-Packard Development Company, L.P.
All Rights Reserved
——————————————————————————-

GETTING STARTED:

help           : displays a list of available subcommands
exit           : quits the command shell
<subcommand> ? : displays a list of managed elements for a subcommand
<subcommand> <managed element> ? : displays detailed help for a command

->?

Through the CLI I had the option to remove the server profiles, Ethernet Networks and the configured Shared Uplink Set. The help command (?) is very useful to check the command syntax to remove different configuration settings. You have to remove the different items in the correct order. I used the following order:

  1. 1. Server Profile : remove profile <profile_name>
  2. 2. Ethernet Networks : remove network <enet_name>
  3. 3 Shared Uplink Set : remove uplinkset <sus_name>

When you try to delete the items in the wrong order you will receive an error message on the console, like shown below.

->remove uplinkset SUS1
ERROR: Operation not allowed : The requested shared uplink set is currently in use by one or more networks

After deleting the configuration I configured my desired setup. The configuration can be a lit bumpy, which depends on the firmware used with the Virtual Connect Manager. I found a very good article on configuring HP Virtual Connect Manager in conjunction with ESX, Windows Hyper-V.

HP Virtual Connect Ethernet Cookbook: Single and Multiple Enclosure Domain

TIP: when configuring or changing Ethernet network settings on a Server Profile, first unassigned the profile from the bay. Changing settings on an unassigned profile is much faster than on an assigned profile.

Citrix NetScaler: Protocol Driver Error

Today I have been troubleshooting a Citrix NetScaler configuration, where some clients received the Protocol Driver Error message when executing a published application. This error message is mostly related to a wrong configuration of the Security Ticket Authorities (STA’s). I spent a lot of time troubleshooting this issue and focused on the STA configuration. I have been deleting, adding and modifying multiple STA’s to the configuration of the NetScaler without any luck. I checked the configuration of the firewall, but this wasn’t the problem either.

I decided to go back to basic and just added one STA to the Virtual Server and the STA service group used by the Web Interface. I was able to login with that STA server, but after a while I wasn’t able to login and received the Protocol Driver Error again.

While browsing through the NetScaler I noticed one thing. Every time I wasn’t able to login, there were 5 concurrent users already connected with the NetScaler. I did some more research on the internet and found the following article.

Reading the article, tells me that, by default, only 5 concurrent ICA sessions are possible through the NetScaler. I checked the license and the customer has a license for 50 SSL VPN connections, like shown below:

> show license
License status:
Web Logging: YES
Surge Protection: NO
Load Balancing: YES
Content Switching: YES
Cache Redirection: NO
Sure Connect: NO
Compression Control: NO
Delta Compression: NO
Priority Queuing: NO
SSL Offloading: YES
Global Server Load Balancing: NO
GSLB Proximity: NO
Http DoS Protection: NO
Dynamic Routing: YES
Content Filtering: YES
Integrated Caching: NO
SSL VPN: YES  (Maximum users = 50)
AAA: NO
OSPF Routing: NO
RIP Routing: NO
BGP Routing: NO
Rewrite: YES
IPv6 protocol translation: YES
Application Firewall: NO
Responder: YES
HTML Injection: NO
NetScaler Push: NO

I increased the default value to 50 with the following command:

> set aaa parameter -maxAAAUsers 50

From that point on I was able to start another ICA connection, while there were already 5 concurrent users connected. Now I have to wait and see if this actually solved the problem, but I guess it has.

I tried to increase the –maxAAAUsers value to a value higher than 50, but that isn’t possible as you can see.

> set aaa parameter -maxAAAUsers 100
ERROR: MaxAAAUsers value not allowed by license

Change password through LDAPS on ISA server

Today I received the question about allowing users to changes his/her password through webmail, whereby webmail is published via an ISA server 2006 reverse proxy. This is possible, but it requires the configuration of LDAPS to authenticate users.

I started by configuring a Certificate Authority (CA) on a member server in the domain. During the installation of CA a root certificate is generated. You need to export this root certificate with private key. Next I imported the certificate on the reverse proxy server, but didn’t mark the private key as exportable. So the root certificate cannot be exported from the reverse proxy server with its private key in the future. I checked if binding to the Active Directory is possible by using the tool ldp.exe.

The last part is configuring LDAP Validation in ISA. Go to Configuration –> General –> Specify RADIUS and LDAP Servers. First you need to add a LDAP server set, like shown in the following picture.

Important when configuring the LDAP server set is the usage of the FQDN as LDAP server hostname. This FQDN should be exactly the same compared to the FQDN mentioned in the imported root certificate.

The last step is configuring the LDAP server mapping, which is also shown below.

Because I don’t want to add a domain name during the login procedure on the OWA login page, like DOMAIN\USER, I use the Login Expression wildcard character * and link that to the configured LDAP server set. Now you can login with just username and password, instead of domain\username and password.

Next I configure a OWA Publishing policy like always, but on the Listener I use LDAP as authentication mechanism. On the Listener Forms tab you can enable or disable the options:

  • Allow users to change their passwords;
  • Remind users that their passwords will expire in this number of days;

These options add some extra option to the OWA login page. Another step to configure is the allowed users. In most environments I use the group Domain Users as allowed OWA group, because mostly all users are allowed to use OWA, else you need to configure a separate user group in Active Directory. On the Users tab you remove the All Authenticated Users and click Add. You need to define a new user group, like shown below.

User Group

This means that if you are member of the group Domain Users, you are allowed to use OWA.

The last step is configuring the public path. When logged in to OWA, you have the option to change your password through the options page. To use this feature, you need to added another path to the Path configuration in the reverse proxy server. The path, which should be added, is /iisadmpwd/*, where the External Path is the same as the Internal Path.

Over at isaserver.org, Thomas Shinder wrote a great post about using LDAPS with OWA and multiple domains. The article is called LDAP Pre-Authentication with ISA 2006 Firewalls: Using LDAP to Pre-Authenticate OWA Access.