Connecting the world…

ssl

Configure IOS SSL VPN on IOS router

Yesterday I blogged about configuring a VPN client on an IOS router and today I blogged about importing PKCS12 certificates for WebVPN purposes. This follow up blog is about configuring the WebVPN functionality together with the AnyConnect client and port forwarding on an IOS router. I use the same setup as with the VPN client and also configured split-tunneling for the AnyConnect connection.

webvpn The Cisco IOS SSL VPN feature supports multiple options, like:

  • Clientless: usage of a web portal;
  • Thin client: usage of a web portal with port forwarding feature;
  • Full client: usage of the Cisco AnyConnect client;

This example shows you how to configure all options listed above. The fist step involves configuring the authentication method with an AAA method.

aaa new-model
aaa authentication login sslvpn local
username rene privilege 15 secret 5 $1$FkgJ$u3uU0rstyeaBXswW0EIX55

The authentication method is called sslvpn and uses the local database on the router for authenticating users. Next you have to configure the basic IP and port information for connecting to the SSL VPN feature of the router. I use the public IP address of the router and configured the WebVPN on port TCP/4400. I use the SSL trustpoint from my previous blog post.

webvpn gateway gateway_1
ip address 83.137.194.62 port 4400
ssl trustpoint trustpoint_www
inservice

To use the full client feature, you have to upload an AnyConnect client to the routers flash. You can upload multiple AnyConnect clients for different operating systems. I just upload a client for Windows.

webvpn install svc flash:/webvpn/svc.pkg sequence 1

Next you have to configure a “webvpn context”. Within the webvpn context you define multiple VPN parameters. The webvpn context contains configuration parameters to access an URL through the web portal, define the port forwarding features or apply a policy group to the webvpn context. Below you see an example configuration of a webvpn context.

webvpn context home
title “Booches Portal”
ssl authenticate verify all
!
url-list “WebServers”
heading “WebServers”
url-text “Inside webserver” url-value “http://192.168.1.10”
!
login-message “Booches”
!
port-forward “Port Forwarding”
local-port 444 remote-server “192.168.1.150” remote-port 5001 description “NAS TCP/5001 (Management)”
local-port 443 remote-server “192.168.1.150” remote-port 443 description “NAS TCP/443 (Photo,File System)”
local-port 222 remote-server “192.168.1.200” remote-port 22 description “Ubuntu TCP/22 (Management)”
!
policy group policy1
url-list “WebServers”
port-forward “Port Forwarding”
functions file-access
functions file-browse
functions file-entry
functions svc-enabled
hide-url-bar
svc address-pool “sslvpn”
svc keep-client-installed
svc split include 192.168.1.0 255.255.255.0

You can configure multiple webvpn contexts with different authentication methods, url-list or port forwarding parameters. Next you see some screenshots from the WebVPN. To access the WebVPN feature the user has to browse to https://83.137.194.62:4400/home, because I configured gateway gateway_1 domain home (full config at the end). The web portal login page is displayed below.

webportal_login

After logging in you will get to the web portal menu, where you can choose between the multiple client options.

default_portal

The Bookmarks section list the URL list to access internal websites. The Tunnel Connection (SVC) option starts the Cisco AnyConnect client. If the AnyConnect client isn’t yet installed on the remote client, it will be pushed by the router. The Thin Client Application starts the port forwarding feature.

port_forwarding

All the relevant configuration from the example above can be found below.

aaa new-model
aaa authentication login sslvpn local
username rene privilege 15 secret 5 $1$FkgJ$u3uU0rstyeaBXswW0EIX55
!
ip local pool sslvpn 10.10.1.1 10.10.1.254
!
webvpn gateway gateway_1
ip address 83.137.194.62 port 4400
ssl trustpoint trustpoint_www
inservice
!
webvpn install svc flash:/webvpn/svc.pkg sequence 1
!
webvpn context home
title “Booches Portal”
ssl authenticate verify all
!
url-list “WebServers”
heading “WebServers”
url-text “Inside webserver” url-value “http://192.168.1.10”
!
login-message “Booches”
!
port-forward “Port Forwarding”
local-port 444 remote-server “192.168.1.150” remote-port 5001 description “NAS TCP/5001 (Management)”
local-port 443 remote-server “192.168.1.150” remote-port 443 description “NAS TCP/443 (Photo,File System)”
local-port 222 remote-server “192.168.1.200” remote-port 22 description “Ubuntu TCP/22 (Management)”
!
policy group policy1
url-list “WebServers”
port-forward “Port Forwarding”
functions file-access
functions file-browse
functions file-entry
functions svc-enabled
hide-url-bar
svc address-pool “sslvpn”
svc keep-client-installed
svc split include 192.168.1.0 255.255.255.0
default-group-policy policy1
aaa authentication list sslvpn
gateway gateway_1 domain home
max-users 2
inservice

I like for SMB solutions the IOS SSL VPN feature, because it is powerful and works over SSL, but it is also flexible and can almost publish every service.

Microsoft IAG

It has been a while since my last post, but time is short these days.

Today I had to troubleshoot a Microsoft IAG appliance. Microsoft IAG stands for Microsoft Intelligent Application Gateway. And indeed, intelligent it is. NOT. I have seen and configured multiple SSL VPN solutions like Juniper SA, Citrix Access Gateway, Citrix Secure Gateway and Cisco WebVPN. But to be honest, Microsoft IAG is the worst of all.

Microsoft IAG is installed on an appliance and is closely related to Microsoft ISA 2006, which is also installed on the server. Whenever you make some configuration changes to IAG, you have to active the new configuration inside IAG. After activating the configuration, I looked at the new ISA firewall policies and I really couldn’t believe my eyes. IAG configured ISA automatically, when activating the configuration.

A simple portal, where 2 websites and OWA are published and a network connect (SSL IP VPN), results in approximately 10 firewall policy rules in ISA. Okay, I could live with that, but I shivered while taking a closer look at the rules. It is not easy to discover what purpose a specific rule has, without looking to the different tabs while editing the rule.

Besides the crazy management of the appliance, me and a colleague had a lot of problems when testing the appliance. Currently the network connector is not supported on Windows Vista and you receive a lot of (useless) errors when using Internet Explorer 8. The logging functionality is also very basic and hard to find. I had problems with configuring and testing the network connector with the non-split tunneling and disable local area network access option, I couldn’t find any useful logging about the problem. For some reason only specific traffic is routed into the VPN tunnel. I ended up configuring split-tunneling and only route specific network segments into the SSL VPN tunnel.

My opinion till now, Microsoft IAG cannot be compared with other SSL VPN appliances I have seen. I guess Microsoft IAG could test positive when using the appliance in a solely Windows environment, where only Windows services, like OWA and SharePoint, are published to the internet.

Maybe the solution is a lot cheaper compared with the Juniper and Citrix solution, but for know I would rather buy a Cisco ASA 5505 or Cisco ASA 5510. I would definitely not configure the Microsoft IAG as a cooperate firewall terminating the Internet connection.

Microsoft Outlook through Citrix Access Gateway SSL IP VPN

One of our customers wants you use their locally installed Microsoft Outlook through a Citrix Access Gateway (CAG). Sales people from that customer travel through the country and use the Outlook offline to read or prepare e-mail to send later. These people use UMTS technology to connect their laptops to the Internet. The customers wants these sales people to have the ability to use their Outlook offline and actually send/receive mail when connected to a network with Internet access.

The customer is using CAG’s to publish multiple services to the Internet, so together with my colleague Edwin Houben from DigiPulse, we started to look at a suitable solution. The CAG is located behind a CheckPoint firewall and traffic to the internal network needs to go through an ISA server firewall.

First we started to look at the ports Microsoft Outlook uses to connect to the Exchange server. Looking at the settings from a laptop, the connection is made by FQDN of the Exchange server. While performing a netstat -na we noticed that Outlook uses two ports to connect to the Exchange server.

PORT DESCRIPTION
TCP/135 EPMAP
TCP/1536 AMPR-INTER

The Outlook clients connects to the Exchange server on FQDN. So the laptop needs to have an IP connection to the Exchange server. So we decided to use the Citrix Secure Access Client to give the user the ability to establish an secure IP connection to the network.

Looking at the customers network, we had to configure access-lists on two locations to make the solution more secure. The first location is a Network Resource in the CAG. The Network Resource enables only the above ports to the Exchange server IP address. The second location is allowing the IP address of the CAG to connect to the Exchange server on the above port numbers through the ISA server.

After configuring both access-list, we did some testing and the solution works perfectly. You can now use the laptop on the internal network and externally with the Citrix Secure Access Client without making any changes in the Outlook configuration.

Later, the customer noticed that he couldn’t use Microsoft Outlook anymore in conjunction with the Citrix Secure Access Client. After digging a bit deeper in the traffic flow between Microsoft Outlook and the Exchange server, I noticed that, beside TCP/135, random ports above 1024 are used. So I changed the Network Resource  and the ISA servers to allow TCP/135 and the range TCP/1024-2000. I haven’t used the complete range of registered port numbers, so I hope Exchange doesn’t use a port above TCP/2000.

FUNNY ADD-ON

I didn’t some Googleing (or Googling or whatever) on TCP port 135 and I found some “funny” things:

Some well known Root kits also use this port to transmit data back to home base and download more malware. I also suspect may be an entry point for some root kit /malware for un patched systems or systems that did not patch correctly. Source 

Currently inbound scans are likely the Nachi or MSBlast worms. Source

The problem with port TCP 135 is that it is used for multiple services, which are listed below. So blocking port TCP 135 could affect communication between devices or the usage of services.

 

Client/Server Communication DCOM DHCP Manager
Exchange Administrator Microsoft Message Queue Server RPC User Manager
RPC Service Manager RPC Port Mapper SCM used by DCOM
SQL Session Mapper WINS Manager  

Cygwin with OpenSSL for CSR generation

A lot of services, which are published to the Internet, are secured with SSL certificates. A lot of times we use SSL certificates to secure communications when implementing ISA reverse proxy servers, Citrix Secure Gateway servers and/or Cisco WebVPN portals.

When you want to secure a connection with a SSL certificate you have to create a Certificate Signing Request (CSR) and get the CSR signed by a Certificate Authority (CA). This can be done by a “real” CA, like GeoTrust or Verisign, or you can configure your own CA and sign your own CSR.

There are a lot of ways for generating CSR’s. In first I always used what the customers could offer me. This could be the Cisco ASA firewall, a Windows server with IIS or the Juniper SA appliance. Sometimes could take a couple of hours before I could finally generate a CSR. While generating a CSR, a private key is also generated. When using customer equipment for generating the CSR, it could happen that the customer deletes the private key, which makes the CSR useless.

A colleague of mine often has the same problems and he started using Cygwin with OpenSSL under Windows. I have to say, GREAT. I started using it myself. A great advantage is that I can use my own laptop and I don’t have to depend on the customers equipments. Furthermore, and maybe the most important, I know what I am doing during the generation and signing of certificates, so I will never delete the wrong files.

Normally I generate a new private key per certificate and I use the following commands for generating the private key, CSR and the actual certificate.

1. Generate a private key
openssl.exe genrsa -out private-www-booches-nl.key 2048

2. Generate the CSR, fill in the required information (common name is the most important)
openssl.exe req -sha256 -new -key private-www-booches-nl.key -out csr-www-booches-nl.csr

3. The CSR is uploaded to the CA. The CA sends you the SSL certificate, which I save as www-booches-nl.crt

4. Create the actual SSL certificate
openssl.exe pkcs12 -export -out www-booches-nl.pfx -inkey private-www-booches-nl.key -in www-booches-nl.crt

When using an Open Source web server you have to use a certificate with a DER format. The first 3 steps, as shown above, are still the same. You can use the following steps to create a DER file.

4. Put the key file code at the end of the crt file
cat private-www-booches-nl.key >> www-booches-nl.crt

5. Create the DER file
openssl.exe x509 -in www-booches-nl.crt -inform PEM -out www-booches-nl.der -outform DER

It is also possible that you need a PEM certificate instead of a PFX certificate. Below you see the command to create a PEM certificate from a PFX certificate.

6. Create the PEM file
openssl.exe pkcs12 -in www-booches-nl.pfx -out www-booches-nl.pem -nodes

7. Check the CSR content
openssl.exe req -text -noout -in csr-www.booches.nl-csr

Using Cygwin with OpenSSL really makes it easier when working with CSR’s and certificates. A very usefull website with “The Most Common OpenSSL Commands” can be found here (in Dutch).

PDA Active Sync – Invalid Certificate

The usage of Pocket PCs (PDAs) becomes more and more a default feature for business. The last months I have installed quit some Windows ISA 2006 servers for Reverse Proxy purposes. I have installed them normally for webmail only, but lately I have added the Microsoft Active Sync feature.

The Pocket PCs connect to the organization via UMTS, GPRS, USB with laptop or whatever with an internet connection. Today I had the same job on the schedule: Enable Active Sync for Pocket PCs.

I thought by myself: EASY JOB, but NOT. After configuring the ISA reverse proxy I used a Pocket PC emulator to test the Active Sync features. I received the following error message when synchronizing:

pda

I found this a strange message, because clients use the same URL as the Pocket PC for accessing their webmail and they never receive an error message for an untrusted certificate.

The used certificated is issued by Equifax Secure Global eBusiness CA-1. This is a common and one of the better CA’s.

I had to dig deeper into the problem. I tried to install the certificate on the Pocket PC, but no luck. I searched the internet and found a tool called Microsoft Exchange Server Disable Certificate Verification. You can find an executable here, which can be used when using the Pocket PC in conjunction with a PC through USB. I also found a similar tool to install on the pocket PC, this is called AS_Cert_OFF.cab. The tool wasn’t the solution to the problem, so I had to dig deeper.

I was thinking way to complex, the problem was fixed by requesting a new certificate. The used certificate didn’t support Pocket PC. Comparing the different SSL certificates on QuickSSL.com I noticed I had to use a QuickSSL Premium certificate. This certificate supports popular mobile devices and smartphones.

After generating a CSR, requesting the certificate and installing the certificate on the ISA server, the connection and synchronization works like a charm. At least for the most PDA’s. Some PDA’s received the following error 80072f7d. After searching some forums, I found the solution in adding a registry key. I added the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows CE Services]
“AllowLSP”=dword:00000000

After adding the key to the registry, all Pocket PC’s synchronized perfectly.