Posts Tagged ‘firewalls’

Quick Update to a Radiotope Guide for Built-In Mac OS X VPN Connections

Tuesday, March 26th, 2013

Just a note for those folks with well-worn bookmarks to this post on Ed Marczak’s blog, Radiotope.com, for authenticating VPN connections with Mac OS X Server’s Open Directory, which is still valid today. When trying to use the System Preferences VPN client/network adapter with the built-in L2TP server in Sonicwall, though, I was curious why OD auth wasn’t working for me while users local to the Sonicwall were working fine. Since it had been a while since I last set it up, I went spelunking through search engines and found a link that did the trick.

In particular, a comment by Ted Dively brought to my attention that you need to change the order of the authentication types the L2TP service is configured to use (in the VPN sidebar item, L2TP Server, click the Configure button; the setting is under the PPP tab of the pop-up), so that PAP is used instead of the more standard MSCHAPv2.

Where it's done

We hope that is of help to current and future generations.

How to Configure basic High Availability (Hardware Failover) on a SonicWALL

Friday, November 30th, 2012

Configuring High Availability (Hardware Failover) on a SonicWALL requires the following:

1. Two SonicWALLs of the same model (TZ 200 and up).

2. Both SonicWALLs need to be registered at MySonicWALL.com (regular registration, and then one as HF Primary, one as HF Secondary).

3. The same firmware versions need to be on both SonicWALLs.

4. Static IP addresses are required for the WAN Virtual IP interface (you can’t use DHCP).

5. Three LAN IP addresses (one for Virtual IP, one for the management IP, and one for the Backup management IP).

6. Crossover cable (to connect the SonicWALLs to each other) on the last Ethernet interfaces.

7. One hub or switch for the WAN port on each SonicWALL to connect to.

8. One hub or switch for the LAN port on each SonicWALL to connect to.

Caveats

1. High Availability cannot be configured if “built-in wireless is enabled”.

2. On NSA 2400MX units, High Availability cannot be configured if PortShield is enabled.

3. Stateful HA is not supported for connections on which DPI-SSL is applied.

4. On TZ210 units the HA port/Interface must be UNASSIGNED before setting up HA (last available copper ethernet interfaces).


Setup

1. Register both SonicWALLs at MySonicWALL as High Availability Pairs BEFORE connecting them to each other:

• “Associating an Appliance at First Registration”: http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=6233#Associating_an_Appliance_at_First_Registration_

• “Associating Pre-Registered Appliances”: http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=6235#Associating_Pre-Registered_Appliances

• “Associating a New Unit to a Pre-Registered Appliance”: http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=6236#Associating_a_New_Unit_to_a_Pre-Registered_Appliance

2. Log in to the Primary HF and configure the SonicWALL (firewall rules, VPN, etc.).

3. Connect the SonicWALLs to each other on their last Ethernet ports using a crossover cable.

4. Connect the WAN port on both SonicWALLs to a switch or hub using straight-through (standard) Ethernet cables, and then connect the switch to your upstream device (modem, router, ADTRAN, etc.).

5. Ensure the Primary HF can still communicate with the Internet.

6. Connect the LAN port on both SonicWALLs to a switch or hub using straight-through (standard) Ethernet cables, and then connect them to your main LAN switch (if you don’t have one, you should purchase one; this will be the switch that all your LAN nodes connect to).

7. Go to High Availability > Settings.

8. Select the Enable High Availability checkbox.

9. Under SonicWALL Address Settings, type in the serial number for the Secondary HF (Backup SonicWALL). You can find the serial number on the back of the SonicWALL security appliance, or in the System > Status screen of the backup unit. The serial number for the Primary SonicWALL is automatically populated.

10. Click Accept to save these settings.


Configuring Advanced High Availability Settings

1. Click High Availability > Advanced.

2. Put a check mark for Enable Preempt Mode.

3. Put a check mark for Generate / Overwrite Backup Firmware and Settings when Upgrading Firmware.

4. Put a check mark for Enable Virtual MAC.

5. Leave the Heartbeat Interval at default (5000ms).

6. Leave the Probe Interval at default (no less than 5 seconds).

7. Leave Probe Count and Election Delay Time at default.

8. Ensure there’s a checkmark for Include Certificates/Keys.

9. Press Synchronize settings.


Configuring High Availability > Monitoring Setting

(Only do the following on the primary unit; the settings will be synchronized to the secondary unit.)

1. Log in as the administrator on the Primary SonicWALL.

2. Click High Availability > Monitoring.

3. Click the Configure icon for an interface on the LAN (ex. X0).

4. To enable link detection between the designated HA interface on the Primary and Backup units, leave the Enable Physical Interface monitoring checkbox selected.

5. In the Primary IP Address field, enter the unique LAN management IP address.

6. In the Backup IP Address field, enter the unique LAN management IP address of the backup unit.

7. Select the Allow Management on Primary/Backup IP Address checkbox.

8. In the Logical Probe IP Address field, enter the IP address of a downstream device on the LAN network that should be monitored for connectivity (something that has an address that’s always turned on like a server or managed switch).

9. Click OK.

10. To configure monitoring on any of the other interfaces, repeat the above steps.

11. When finished with all High Availability configuration, click Accept. All changes will be synchronized to the idle HA device automatically.


Testing the Configuration

1. Allow some time for the configuration to sync (at least a few minutes). Power off the Primary SonicWALL. The Backup SonicWALL should quickly take over.

2. Test to ensure Internet access is OK.

3. Test to ensure LAN access is OK.

4. Log in to the Backup SonicWALL using the unique LAN address you configured.

5. The management interface should now display “Logged Into: Backup SonicWALL Status: (green ball)”. If all licenses are not already synchronized with the Primary SonicWALL, go to System > Licenses and register this SonicWALL on mysonicwall.com. This allows the SonicWALL licensing server to synchronize the licenses.

6. Power the Primary SonicWALL back on, wait a few minutes, then log back into the management interface. The management interface should again display “Logged Into: Primary SonicWALL Status: (green ball)”.

NOTE: Successful High Availability synchronization is not logged, only failures are logged.
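The failover test above asks you to power off the Primary and confirm that the Backup “quickly” takes over. The following Python script is an added example, not SonicWALL’s code, that puts a number on “quickly”: run it from a LAN host before pulling the plug and it reports every interval during which the LAN Virtual IP stopped answering. VIRTUAL_IP, PORT, the probe interval and LIMIT_S are assumptions to adjust for your network; the analysis lives in outage_windows and long_outages, which work on any list of (time, reachable) samples.

```python
"""Measure the outage LAN clients see while the Primary SonicWALL is powered off.

Added example for the "Testing the Configuration" steps; it is not SonicWALL code.
It opens a TCP connection to the management port of the LAN Virtual IP once a
second and turns the probe results into outage windows, so the failover time can
be read off instead of eyeballed.  VIRTUAL_IP, PORT, INTERVAL_S and LIMIT_S are
assumptions to adjust.
"""
import socket
import time

VIRTUAL_IP = "192.168.168.1"   # assumption: LAN Virtual IP shared by the HA pair
PORT = 443                     # assumption: HTTPS management port on the Virtual IP
INTERVAL_S = 1.0               # one probe per second
LIMIT_S = 30.0                 # assumption: longest outage you accept for a failover


def probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True when a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def outage_windows(samples):
    """Collapse (seconds, reachable) samples into (start, end, duration) windows.

    start is the first failed probe and end the first successful probe after it;
    an outage still open at the last sample is reported with end=None.
    """
    windows = []
    start = None
    for ts, ok in samples:
        if not ok and start is None:
            start = ts
        elif ok and start is not None:
            windows.append((start, ts, ts - start))
            start = None
    if start is not None:
        windows.append((start, None, samples[-1][0] - start))
    return windows


def long_outages(windows, limit_s: float = LIMIT_S):
    """Return the windows longer than limit_s.

    A failover that takes far longer than a few Heartbeat Intervals (5000 ms by
    default) usually means upstream switches still hold the old unit's MAC
    address; the Enable Virtual MAC setting under High Availability > Advanced
    exists to avoid exactly that.
    """
    return [w for w in windows if w[2] > limit_s]


def monitor(duration_s: int = 180):
    """Probe the Virtual IP for duration_s seconds and return the outage windows."""
    samples = []
    t0 = time.monotonic()
    while time.monotonic() - t0 < duration_s:
        samples.append((round(time.monotonic() - t0, 1), probe(VIRTUAL_IP, PORT)))
        time.sleep(INTERVAL_S)
    return outage_windows(samples)


if __name__ == "__main__":
    windows = monitor()
    for start, end, dur in windows:
        print(f"unreachable from t={start}s until t={end}s ({dur:.1f}s)")
    if long_outages(windows):
        print("failover took longer than LIMIT_S; check the HA settings and logs")
```

Because successful synchronization is never logged (see the NOTE above), an external probe like this is the practical evidence that the pair behaves as intended; keep the output of the first test as a baseline to compare against after future firmware upgrades.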

Installing a SonicWALL ViewPoint Virtual Machine

Monday, April 2nd, 2012

When installing a ViewPoint VM you will need to download three items.

First is the SonicWALL_ViewPoint_Virtual_Appliance_GSG.pdf, available from mysonicwall.com.
This will be your step-by-step instruction manual for installing the ViewPoint VM.
Next you will need to identify which version of VXI host you have and then download the same version of the client as your VXI host.
Lastly you will need to log into mysonicwall.com and download the sw_gmsvp_vm_eng_6.0.6022.1243.950GB.ova from mysonicwall.com.

When you have all three of these downloaded, open the SonicWALL_ViewPoint_Virtual_Appliance_GSG and start going through the step-by-step instructions.
You will first install the VM client and may run into the first gotcha: depending on the machine setup, the .exe may be blocked from running.
The download will look like this: VMware-viclient-all-4.1.0-345043.exe.zip; get properties on this file and unblock it if it is blocked.
After installing the VM client, follow the instructions in the PDF until you get to page 18, step 2.

2. When the console window opens, click inside the window, type snwlcli at the login: prompt and then press Enter. Your mouse pointer disappears when you click in the console window. To release it, press Ctrl+Alt.

Here is where you will run into the biggest gotcha.

You will be asked to log in with a name and password. On first login, use the name snwlcli with no password;
then use the default name and password and continue.

Configuring a Cisco ASA 5505 with the basics

Thursday, March 1st, 2012

The Cisco ASA 5505 is great for small to medium businesses. Below are the steps you will have to complete to configure your ASA to communicate with the Internet. There are many more steps, options, and features on these devices (later articles will cover some of them).

Bring your device into configuration mode
318ASA>en
Brings the device into enable (privileged EXEC) mode

318ASA#config t
Changes to configuration terminal mode

318ASA(config)#
The ASA is now ready to be configured when you see the (config)# prompt

Configure the internal interface VLAN (ASAs use VLANs for added security by default)
318ASA(config)# interface Vlan 1
Enters configuration for interface VLAN 1

318ASA(config-if)# nameif inside
Names the interface “inside”

318ASA(config-if)#security-level 100
Sets the security level to 100

318ASA(config-if)#ip address 192.168.5.1 255.255.255.0
Assigns your IP address

318ASA(config-if)#no shut
Makes sure the interface is enabled and active

Configure the external interface VLAN (this is your WAN/Internet connection)
318ASA(config)#interface Vlan 2
Creates the VLAN 2 interface

318ASA(config-if)# nameif outside
Names the interface “outside”

318ASA(config-if)#security-level 0
Assigns the outside interface security level 0, the least trusted level (the lower the number, the less trusted the interface, and the stricter the ASA is with traffic coming from it).

318ASA(config-if)#ip address 76.79.219.82 255.255.255.0
Assigns your public address to the outside interface

318ASA(config-if)#no shut
Enables the outside interface.

Enable and assign the external WAN to Ethernet 0/0 using VLAN 2
318ASA(config)#interface Ethernet0/0
Goes to the Ethernet 0/0 interface settings

318ASA(config-if)#switchport access vlan 2
Assigns the interface to VLAN 2

318ASA(config-if)#no shut
Enables the interface.

Enable and assign the internal LAN interface Ethernet 0/1 (note that ports 0/1 to 0/7 act as a switch, but all interfaces are disabled by default).
318ASA(config)#interface Ethernet0/1
Goes to the Ethernet 0/1 interface settings

318ASA(config-if)#no shut
Enables the interface.
If you need multiple LAN ports you can do the same for Ethernet0/2 through 0/7.

To have traffic route from LAN to WAN you must configure Network Address Translation on the outside interface
318ASA(config)#global (outside) 1 interface
318ASA(config)#nat (inside) 1 0.0.0.0 0.0.0.0

***NOTE for ASA Version 8.3 and later***
Cisco’s ASA software version 8.3 introduced several important configuration changes, especially to the NAT/PAT mechanism. The “global” command is no longer supported; NAT (static and dynamic) and PAT are configured under network objects. The equivalent PAT configuration for ASA 8.3 and later defines a network object covering the inside addresses and attaches the dynamic NAT to it (obj_any is just an example object name):

318ASA(config)#object network obj_any
318ASA(config-network-object)#subnet 0.0.0.0 0.0.0.0
318ASA(config-network-object)#nat (inside,outside) dynamic interface

For more info, see Cisco’s migration guide covering the changes: http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html

Configure the default route (for this example the default gateway is 76.79.219.81; the trailing 1 is the route metric)
318ASA(config)#route outside 0.0.0.0 0.0.0.0 76.79.219.81 1

Last but not least, verify and save your configuration. Once you have verified your settings are working, write the configuration to memory. If you do not write to memory, your configuration will be lost upon the next reboot.

318ASA(config)#wr mem

Basic SonicWALL Router Setups

Tuesday, October 11th, 2011

A work in progress…

1. Register the Sonicwall appliance at www.mysonicwall.com. A new account may be created for this purpose.

2. Download the latest firmware from mysonicwall.com

3. Disable popup blocking on your browser

4. The default IP of a factory Sonicwall device is 192.168.168.168. Connect to the Sonicwall (you need to adjust your Ethernet NIC’s config to match the Sonicwall’s network settings)

5. Follow the setup wizard and define a WAN IP, LAN IP, and DHCP range of IPs

6. Upload the newer firmware downloaded above and boot from it

7. In the https://[Sonicwall IP Address]/diag.html screen, uncheck the box “Enforce Host Tag Search with for CFS”

8. Use the Public Server Wizard to create additional systems on the LAN that need to be publicly accessible. Note that the default WAN IP address provided in the wizard is the SonicWALL’s, but you can enter a different WAN IP; this creates a NAT policy using a new Address Object in the WAN zone

9. If more than one service needs to be visible for a system (i.e., a mail server needing 993, 587, 465, etc.), just select a single service during the wizard setup and then modify the “Service Group” that the wizard creates to include the additional services that you want visible

10. For site-to-site VPN, follow the documentation in the SonicOS Administrators guide. Typically we have found that setting the VPN policy up in Aggressive Mode works more reliably than Main Mode

Provisioning TelePacific iNOC On A SonicWALL

Friday, January 7th, 2011

1. Login to SonicWALL

2. Check to see if SNMP is already in use on WAN IPs by checking under Network > Firewall.

ALERT: Enabling SNMP Management on the SonicWALL will cause issues with the SNMP firewall rules. You can ONLY have SNMP SonicWALL Management OR SNMP firewall port forwarding. Not both. This was confirmed with SonicWALL Tech Support.

3. Go to System > Administration

4. Scroll down and put a check mark for “Enable SNMP”

5. Click on Configure

6. Put in whatever you want for System Name, System Contact, System Location. You can leave Asset Number blank. Ask TPAC for their monitoring WAN IP and put that in the “Host 1” field.

7. Go to Network > Interfaces

8. Click on the Configure icon for the Interface that you want monitored.

9. Put a check mark next to SNMP

10. Click OK

11. You can confirm SNMP is listening by using snmpwalk. On a Mac, the command can be:

snmpwalk -c private -v 2c <WAN IP address of the SonicWALL>

or

snmpwalk -c private -v 1 <WAN IP address of the SonicWALL>

The SonicWALL supports SNMP versions 1 and 2c.

Restricting Outgoing Email To a 3rd Party SMTP Relay Host on SonicWALLs

Friday, November 12th, 2010

Oftentimes it is necessary to lock down outbound traffic to MX Logic. MX Logic provides outbound filtering that helps keep you from getting blacklisted, while also scanning your outgoing e-mail for malware. Allowing only the mail server to communicate with MX Logic also ensures that no rogue mail servers can send out e-mail (often done by infected devices).

This guide assumes you have already used the Wizard to set up port forwarding, firewall rules, and NAT policies for allowing the mail server to be accessed via the SonicWALL.

To Lock Down a SonicWALL to Outbound Email to MX Logic
1. Determine what port you will be sending out on. If you are using a non-standard port, you will first need to make a custom service object on the SonicWALL for the port.
2. Create an Address Group containing the Address Objects for MX Logic:
   1. Go to Network
   2. Go to Address Objects
   3. Add Address Object
      1. Name: MX Logic 1
      2. Zone Assignment: WAN
      3. Type: Network
      4. Network: IP from MX Logic
      5. Netmask: Subnet from MX Logic
      NOTE: You will need to do this for each subnet that MX Logic offers. Name them sequentially. The address info can be found on MX Logic’s portal.
   4. Go to Address Objects
   5. Create Address Object Group
   6. Add all of your MX Logic Address Objects to the Address Object Group, and call it “MX Logic”
   7. Save all your changes.
3. Go to Firewall
4. Go to LAN to WAN
5. Click Add
6. Create a rule that allows the mail server on the LAN to send out to the WAN:
   1. Action: Allow
   2. From Zone: LAN
   3. To Zone: WAN
   4. Service: SMTP (or whatever you named your custom one)
   5. Source: your Address Object representing your mail server
   6. Destination: MX Logic (the Address Object Group you created previously)
   7. Save your changes.
7. Create another rule to block all other outbound e-mail:
   1. Go to Firewall
   2. Go to LAN to WAN
   3. Click Add
   4. Action: Deny
   5. From Zone: LAN
   6. To Zone: WAN
   7. Service: SMTP (or whatever you named your custom one)
   8. Source: Any
   9. Destination: Any
   10. Save your changes
8. Adjust the rule order:
   1. Ensure that the MX Logic outbound rule is above the rule that blocks all other devices from sending SMTP traffic out to the Internet.
   2. Apply the changes.
NOTE: By doing this, any laptop users, or other portable device users, that may try to send email over port 25 through other servers (Gmail, Yahoo, AOL, etc.) will be DENIED by the SonicWALL.
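Step 8 is the one people get wrong, so here is the rule table reduced to a first-match evaluator. This Python script is an added example and not SonicWALL code: it models the two SMTP access rules from the guide (Allow mail server to MX Logic, then Deny any to any) and shows what each ordering does to the mail server, to a laptop, and to non-SMTP traffic. All addresses are constructed sample values; the MX_LOGIC networks are placeholders from the documentation ranges, not MX Logic’s real subnets, and the evaluator assumes the default LAN to WAN rule allows everything, which is why the guide needs the explicit Deny.

```python
"""First-match evaluation of the Allow/Deny SMTP rules from the MX Logic guide.

Added example, not SonicWALL code.  Addresses are constructed sample values and
the MX_LOGIC ranges are placeholders, not MX Logic's real subnets.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Sequence, Union

Nets = Union[str, Sequence[str]]          # "any" or a list of CIDR networks


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "deny"
    service: str         # service object name, e.g. "SMTP"
    source: Nets
    destination: Nets


def _matches(nets: Nets, addr: str) -> bool:
    return nets == "any" or any(ip_address(addr) in ip_network(n) for n in nets)


# Constructed stand-ins for the guide's Address Objects.
MAIL_SERVER = ["192.168.5.10/32"]
MX_LOGIC = ["203.0.113.0/24", "198.51.100.0/24"]   # placeholder ranges

ALLOW_TO_MXLOGIC = Rule("Mail server to MX Logic", "allow", "SMTP", MAIL_SERVER, MX_LOGIC)
DENY_OTHER_SMTP = Rule("Block other outbound SMTP", "deny", "SMTP", "any", "any")

CORRECT_ORDER = [ALLOW_TO_MXLOGIC, DENY_OTHER_SMTP]   # what step 8 asks for
WRONG_ORDER = [DENY_OTHER_SMTP, ALLOW_TO_MXLOGIC]     # Deny on top: mail stops


def evaluate(rules: Sequence[Rule], src: str, dst: str, service: str) -> str:
    """Return the action of the first rule that matches, top to bottom.

    Nothing matching falls through to "allow": the assumption here is the
    permissive default LAN to WAN rule that the guide's explicit Deny overrides.
    """
    for rule in rules:
        if (rule.service == service and _matches(rule.source, src)
                and _matches(rule.destination, dst)):
            return rule.action
    return "allow"


def allow_precedes_deny(rules: Sequence[Rule], service: str = "SMTP") -> bool:
    """Step 8 check: the specific Allow must sit above the catch-all Deny."""
    order = [r.action for r in rules if r.service == service]
    return "allow" in order and "deny" in order and order.index("allow") < order.index("deny")


if __name__ == "__main__":
    cases = [("192.168.5.10", "203.0.113.25"),   # mail server to MX Logic
             ("192.168.5.10", "192.0.2.25"),     # mail server to some other relay
             ("192.168.5.77", "192.0.2.25")]     # laptop to an outside SMTP server
    for label, rules in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(f"{label} order, allow above deny: {allow_precedes_deny(rules)}")
        for src, dst in cases:
            print(f"  {src} -> {dst}:25 {evaluate(rules, src, dst, 'SMTP')}")
```

With the rules in the wrong order the catch-all Deny matches the mail server first and no outbound mail leaves at all, which is the symptom to look for when a lockdown like this “breaks email”; allow_precedes_deny is the check to run before applying changes.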

Setting Up SonicWALL’s SonicPoints

Tuesday, February 23rd, 2010

99% of this is from Page 23 of the SonicWALL Network Security Appliances – SonicPoint-N Dual-Band Getting Started Guide, the other 1% makes it worth reprinting.

Configuring Wireless Access

This section describes how to configure SonicPoints with a
SonicWALL UTM appliance.

SonicWALL SonicPoints are wireless access points specially engineered to work with SonicWALL UTM appliances. Before you can manage SonicPoints in the management interface, perform the following steps:
-Configuring Provision Profiles
-Configuring a Wireless Zone
-Configuring the Network Interface

Configuring Provision Profiles
A SonicPoint Profile defines settings that can be configured on a SonicPoint, such as radio SSIDs and channels of operation.

These profiles make it easy to apply basic settings to a wireless zone, especially when that zone contains multiple SonicPoints. When a SonicPoint is connected to a zone, it is automatically provisioned with the profile assigned to that zone. If a SonicPoint is connected to a zone that does not have a custom profile assigned to it, the default profile “SonicPoint-N” is used.

To add a new profile:
1. Navigate to the SonicPoint > SonicPoints page in the SonicOS interface.
2. Click Add SonicPointN below the list of SonicPoint provisioning profiles.
3. The Add/Edit SonicPoint Profile window displays settings you can enable and/or modify.

Settings Tab:
1. Select Enable SonicPoint
2. Enter a Name Prefix to be used internally as the first part of the name for each SonicPoint provisioned
3. Select the Country Code for the area of operation

802.11n Radio Tab
1. Select Enable Radio
2. Optionally, select a schedule for the radio to be enabled from the drop-down list. The most common work and weekend hour schedules are pre-populated for selection.
3. Select a Radio Mode to dictate the radio frequency band(s). The default setting is 2.4GHz 802.11n/g/b Mixed.
4. Enter an SSID. This is the access point name that will appear in clients’ lists of available wireless connections.
5. Select a Primary Channel and Secondary Channel. You may choose AutoChannel unless you have a reason to use or avoid specific channels.
6. Under WEP/WPA Encryption, select the Authentication Type of your wireless network. SonicWALL recommends using WPA2 as the authentication type.
7. Fill in the fields specific to the authentication type that you selected. The remaining fields change depending on the selected authentication type.
8. Optionally, under ACL Enforcement, select Enable MAC Filter List to enforce Access Control by allowing or denying traffic from specific devices. Select a MAC address object group from the Allow List or Deny List to automatically allow or deny traffic to and from all devices with MAC addresses in the group. The Deny List is enforced before the Allow List.

Advanced Tab:
Configure the advanced radio settings for the 802.11n radio. For most 802.11n advanced options, the default settings give optimum performance. For a full description of the fields on this tab, see the SonicOS Enhanced Administrator’s Guide.

Configuring a Wireless Zone

You can configure a wireless zone on the Network > Zones page. Typically, you will configure the WLAN zone for use with SonicPoints.

To configure a standard WLAN zone:
1. On the Network > Zones page in the WLAN row, click the icon in the Configure column.
2. Click on General tab.
3. Select the Allow Interface Trust setting to automate the creation of Access Rules that allow traffic to flow between the interfaces within the zone, regardless of which interfaces the zone is applied to. For example, if the WLAN Zone has both the X2 and X3 interfaces assigned to it, selecting the Allow Interface Trust checkbox on the WLAN Zone creates the necessary Access Rules to allow hosts on these interfaces to communicate with each other.
4. Select the check boxes for the security services to enable on this zone. Typically, you would enable Gateway Anti-Virus, IPS, and Anti-Spyware (IF YOU HAVE THE LICENSES). If your wireless clients are all running SonicWALL Client Anti-Virus, select Enable Client AV Enforcement Service.
5. Click on the Wireless Tab.
6. Select Only allow traffic generated by a SonicPoint to allow only traffic from SonicWALL SonicPoints to enter the WLAN Zone interface. This provides the maximum security on your WLAN.
7. Optionally, click the Guest Services tab to configure guest Internet access solely, or in tandem with secured access. For information about configuring Guest Services, see the SonicOS Enhanced Administrator’s Guide.
8. When finished, click OK.

Configuring the Network Interface

Each SonicPoint or group of SonicPoints must be connected to a physical network interface that is configured for Wireless. SonicOS by default provides a standard wireless zone (WLAN), which can be applied to any available interface.

To configure a network interface using the standard wireless (WLAN) zone:
1. Navigate to the Network > Interfaces page and click the Configure button for the interface to which your SonicPoints will be connected.
2. Select WLAN for the Zone type.
3. Select Static for the IP Assignment.
4. Enter a static IP Address in the field. Any private IP is appropriate for this field, as long as it does not interfere with the IP address range of any of your other interfaces.
5. Enter a Subnet Mask.
6. Optionally, choose a SonicPoint Limit for this interface. This option helps limit resources on a port-by-port basis when using SonicPoints across multiple ports.
7. Optionally, choose to allow Management and User Login mechanisms if they make sense in your deployment. Remember that allowing login from a wireless zone can pose a security threat, especially if you or your users have not set strong passwords.

Verifying Operation

To verify that the SonicPoint is provisioned and operational, navigate to the SonicPoint > SonicPoints page in the SonicOS management interface. The SonicPoint displays an “operational” status in the SonicPointNs table.

Connect to the Wi-Fi network and ensure that you can browse the Internet.

Installing Zenoss

Wednesday, December 30th, 2009

To monitor a device over the WAN, there needs to be a one-to-one firewall rule allowing SNMP traffic from the WAN to the device on the LAN. For multiple devices, each device will need a dedicated WAN IP with its own firewall rule. SNMP runs on UDP port 161.

Installing the SNMP service from Windows Components will require the I386 source files for the .dll.
Download and install the additional SNMP dll files provided by SNMP Informant, http://www.snmp-informant.com
Once installed, right-click on SNMP, click Properties and go to the Agent tab:
Contact: (e.g. support@318.com)
Location: (e.g. 830 Colorado Ave. Santa Monica, CA)
Check all the services listed below that
Move to the next tab, Traps:
Community Name: (e.g. 318zenoss)
Click Add to list
Then click Add and enter the Zenoss server address
Move to the next tab, Security:
Make sure Send authentication trap is checked
Add the community name 318zenoss with READ ONLY rights
And check Accept SNMP packets from any host
Click Apply and OK

Restart the Service.

Add two firewall rules allowing traffic from the device (LAN) to the WAN address of the Zenoss server.

Next, add the device in Zenoss:
Log in as your user
Click Add Device
Enter the device’s WAN IP address for Device Name
SNMP Community: 318zenoss
Select the Server Class:
/Servers/Windows – Windows Server
/Servers/Darwin – Mac Server
/Servers/Unix – Linux/Unix Server

Add or select Location Path

Add Or Select Client Name as Location

Select Your Team As Group
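Both the TelePacific post above (“confirm SNMP is listening by using snmpwalk”) and the Zenoss setup here come down to the same question: does the agent answer an SNMP v1/v2c request on UDP 161 with the community you configured? The following Python script is an added example, not SonicWALL, TelePacific or Zenoss code; it hand-encodes a single SNMPv2c GET for sysDescr.0 so the wire format is visible, sends it, and decodes the reply. The target address, community string and request id in it are assumptions to replace.

```python
"""Minimal SNMPv2c GET client that confirms an agent answers on UDP 161.

Added example for the snmpwalk check in the TelePacific post and the Zenoss
SNMP setup; it is not SonicWALL, TelePacific or Zenoss code.  The BER packet is
built by hand so the wire format is visible.  Host, community and request id
are assumptions to replace.
"""
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"   # sysDescr.0, answered by every SNMP agent


def _len(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _len(len(value)) + value


def encode_int(n: int) -> bytes:
    """BER INTEGER: two's complement in the fewest octets that hold the value."""
    size = 1
    while not -(1 << (8 * size - 1)) <= n < (1 << (8 * size - 1)):
        size += 1
    return _tlv(0x02, n.to_bytes(size, "big", signed=True))


def encode_oid(dotted: str) -> bytes:
    """BER OBJECT IDENTIFIER: first two arcs packed in one octet, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_get(community: str, oid: str, request_id: int) -> bytes:
    """SNMPv2c message (version field 1 on the wire) with one GetRequest varbind."""
    varbind = _tlv(0x30, encode_oid(oid) + b"\x05\x00")        # OID, NULL value
    pdu = _tlv(0xA0, encode_int(request_id) + encode_int(0)     # error-status
               + encode_int(0) + _tlv(0x30, varbind))           # error-index, list
    return _tlv(0x30, encode_int(1) + _tlv(0x04, community.encode()) + pdu)


def decode_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value_bytes, position after the TLV) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_response(packet: bytes):
    """Return (request_id, error_status, value) from a GetResponse (tag 0xA2)."""
    _, msg, _ = decode_tlv(packet)
    _, _, p = decode_tlv(msg)                 # version
    _, _, p = decode_tlv(msg, p)              # community
    tag, pdu, _ = decode_tlv(msg, p)
    if tag != 0xA2:
        raise ValueError(f"not a GetResponse PDU: tag 0x{tag:02x}")
    _, rid, p = decode_tlv(pdu)
    _, err, p = decode_tlv(pdu, p)
    _, _, p = decode_tlv(pdu, p)              # error-index
    _, varbinds, _ = decode_tlv(pdu, p)
    _, vb, _ = decode_tlv(varbinds)
    _, _, p = decode_tlv(vb)                  # OID echoed back
    vtag, value, _ = decode_tlv(vb, p)
    text = value.decode(errors="replace") if vtag == 0x04 else value
    return (int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True), text)


def snmp_get(host: str, community: str, oid: str = SYS_DESCR, timeout: float = 2.0):
    """Send one GET and return the value, or None if the agent is silent or errors."""
    request_id = 318
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get(community, oid, request_id), (host, 161))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    rid, err, value = parse_response(data)
    return value if rid == request_id and err == 0 else None


if __name__ == "__main__":
    # assumption: the SonicWALL WAN IP and a read-only community configured for it
    print(snmp_get("203.0.113.10", "public"))
```

A None result means either the community is wrong, the WAN-to-LAN rule is missing, or the appliance is not answering on that interface; a decoded sysDescr means the monitoring host will work. Note that v1 and v2c carry the community string in cleartext, which is why the TelePacific steps put only the monitoring host’s WAN IP in the “Host 1” field rather than leaving SNMP open to anyone.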

Setting Up SonicWALL High Availability Pairs

Friday, May 29th, 2009

Prerequisites
1. The two units MUST be the same model
2. Make sure that if you need Stateful High Availability you have the license for it (only the Primary SonicWALL needs to be licensed)
3. Make sure that if the client wants support for both SonicWALLs they purchase support for the Backup SonicWALL as well.
4. Register and associate the Primary and Backup SonicWALLs as a High Availability pair on mysonicwall.com
5. Physically label the SonicWALLs
6. On the back of each SonicWALL, make note of the serial number.
7. Ensure you have two (2) Ethernet cables coming off of the LAN (one for each SonicWALL)
a. If Spanning Tree Protocol is in use on the switch, set those ports to FAST.
8. Ensure that you have a crossover cable for X8 on NSA 240s (this is for the heartbeat between the two units)
9. Ensure that you have a dumb switch for the WAN, and two (2) Ethernet cables (one for the primary, one for the secondary).
10. Ensure that you have two LAN IP addresses that you can give to the SonicWALLs for monitoring
11. DON’T connect the SonicWALLs together yet

Setup
1. Register both SonicWALLs online
2. Register both SonicWALLs as an HA Pair
a. Go to www.mysonicwall.com
b. Go to the Backup SonicWALL
c. At the bottom of the licensing, look for HF or Hardware Failover
d. Enter in the requested information (name, and serial number)
e. On the “Service Management – Associated Products” page, confirm that the registration was successful, then scroll to the bottom to see the Associated Products and click either HA Primary or HA Backup to display the unit that is now associated with your newly registered SonicWALL.
f. (OPTIONAL) Register Stateful HA on the Primary SonicWALL if you have the license.
3. Power on Primary SonicWALL and enter in LAN and WAN information
4. Connect LAN and WAN to SonicWALL (DO NOT CONNECT CROSSOVER CABLE)
5. Activate Primary SonicWALL (login to the Primary SonicWALL and register it when you get it online).
6. Load up new firmware on Primary SonicWALL (this’ll take up to 5 minutes)
7. Disconnect Primary SonicWALL from LAN and WAN once you’ve confirmed that the unit is now registered.
8. Power on Backup SonicWALL and enter in LAN and WAN information same as Primary and connect to LAN and WAN (DO NOT CONNECT CROSSOVER CABLE)
9. Activate Backup SonicWALL (login to the Primary SonicWALL and register it when you get it online).
10. Load up new firmware on Primary SonicWALL. (this’ll take up to 5 minutes)
11. Disconnect Backup SonicWALL from LAN and WAN once you’ve confirmed that the unit is now registered.
12. Power on and connect Primary SonicWALL
13. Create all necessary firewall/security rules on the Main Unit
14. Create a Backup of your settings

Configuring HA
1. Login to Primary SonicWALL
2. Go to “High Availability”
3. Go to “Settings”
4. Select Enable High Availability checkbox
5. Enter in Serial number of Backup SonicWALL
6. Click Accept
7. Go to “High Availability” > “Advanced”
8. Leave all values the same in the fields
9. Select the following:
Enable Preempt Mode
Enable Virtual MAC
10. Save your settings

Connecting the HA units
1. Make sure both devices are turned on
2. Connect a LAN cable to X0 on each SonicWALL device
3. Connect a WAN cable to X1 on each SonicWALL device
4. Connect the crossover cable to the HA reserved port (X8 if it’s an NSA 240)
5. Login to the Primary SonicWALL
6. Go to “High Availability” > “Settings” and keep clicking on refresh until:
a. The status at the top right is Active
b. “Primary Status” is enabled
c. Dedicated HA Link is connected
d. “Found backup” is Yes
e. “Settings Synchronized” is Yes
f. OPTIONAL make sure anything that says “Stateful” is at “yes”
7. Review the logs to ensure that there are NO errors with licensing. If found, errors with licensing will occur in the logs every 10 minutes. If you find errors in the licensing, wipe everything out, and reapply the firmware.

Configuring Monitoring of HA Devices
1. Login to Primary SonicWALL
2. Go to “High Availability” > “Monitoring”
3. Find X0 (the LAN) and click to configure it
4. Enable Physical Monitoring
5. Enter in a LAN IP address for each device that you reserved in the Prerequisite steps (Primary = Primary Unit; Backup = Backup Unit).
6. Attempt to manage both SonicWALLs from their respective HA IP addresses. NOTE: The HA LAN management IP addresses are only used for management and CANNOT be used as a gateway for traffic.

Finish
1. Backup all of the settings from the Primary SonicWALL and Secondary SonicWALL (via HA LAN management IP address)

Configuring IPS to Deny P2P Traffic On a SonicWALL

Thursday, May 28th, 2009

1. Login to SonicWALL
2. Go to Application Firewall
3. Go to Application Objects
4. “Add New Object”
5. In the next window, name the object
a. Under “Application Object Type” select “Signature List”
b. Under “IDP Category” select P2P
c. Under “IDP Signature” select each one, and add it to the list
NOTE: I tried using Signature Category List, assuming that this would be the same thing as choosing Signature List and then selecting all of the IDP Signatures. I did not get good results, YMMV.
d. Click OK
6. Go to Policies
a. “Add New Policy”
b. Name the Policy
c. For “Policy Type”, choose “Dynamic Content”
d. For “Application Object” choose the name of the Application Object that you created initially.
e. For Action, choose “Reset/Drop”
f. Select “Enable Logging”
g. Ensure “Log Redundancy Filter” is selected.
h. Click OK
7. Ensure that the Policy is enabled.
8. Check the little bar graph next to the policy, called the Policy Statistics. This will tell you how many times it was used to block traffic.
9. Check the logs to see the blocking in effect, it will most likely be highlighted in yellow.

Safari Browsing and Sonicwall Enhanced

Friday, May 15th, 2009

Thanks to one Ed Marczak, and as hinted at earlier here, we had a fix for a SonicWALL issue that had been bugging us for a while. With SonicOS Enhanced and Content Filtering Service, Safari experiences errors trying to load pages that require a login, such as store.apple.com and www.amazon.com. This occurs even when CFS is not enabled on your Sonicwall.

To fix this, you need to uncheck the “Enforce Host Tag Search with for CFS” feature on the SonicWALL. To do so, you have to log in to the SonicWALL console and then go to the diag page, which is accessible by logging into the SonicWALL and replacing the page name in the URL with diag.html.

For example, if you log into http://192.168.1.1/main.html you have to replace main with diag; that is: http://192.168.1.1/diag.html

This page will bring the internal settings page of the SonicWALL, and from here you can uncheck “Enforce Host Tag Search with for CFS”.

ESX Patch Management

Tuesday, April 14th, 2009

VMware’s ESX Server, like any system, needs to be updated regularly. To see what patches have been installed on your ESX server use the following command:

esxupdate query

Once you know what updates have already been applied to your system, it’s time to find the updates that still need to be applied. You can download the updates that have not yet been run at http://support.vmware.com/selfsupport/download/. Here you will see a bevy of information about each patch and can determine whether you consider it an important patch to run. At a minimum, all security patches should be run as often as your change control environment allows. Once downloaded, make sure you have enough free space to install the software you’ve just downloaded, and then copy the patches to the server (using ssh, scp or whatever tool you prefer for copying files to your ESX host). Now extract the patches prior to running them. To do so, use the tar command as follows:

tar xvzf <patch-file>.tgz

Once extracted, cd into the patch directory and then use the esxupdate command with the update flag and then the test flag, as follows:

esxupdate --test update

Provided that the update tests clean, run the update itself with the following command (still with a working directory inside the extracted tarball from a couple of steps ago):

esxupdate update

There are a couple of flags that can be used with esxupdate. Chief among them are --noreboot (which skips the reboot after a given update) and -d, -b and -l (which are used for working with depots and bundles).

If esxupdate fails with an error code these can be cross referenced using the ESX Patch Management Guide.

You can also run patches without copying the updates to the server manually, although this will require you to know the URL of the patch. To do so, first locate the patch number that you would like to run. Then, open outgoing ports on the server as follows:

esxcfg-firewall --allowOutgoing

Next, issue the esxupdate command with the patch URL embedded:

esxupdate --noreboot -r http://<patch URL> update

Once you’ve looped through all the updates you are looking to run, lock down your ESX firewall again using the following command:

esxcfg-firewall --blockOutgoing

Setting Up A DMZ With Transparency Mode on a SonicWALL

Wednesday, January 7th, 2009

This article will outline how to set up a SonicWALL with One-to-One NAT using Transparency Mode on a DMZ on a specific port.

What you need:
1. SonicWALL with OS Enhanced
2. All WAN IP addresses leased to company
3. An unused, unassigned port on the SonicWALL (not port 1; it is reserved for internal use on all SonicWALLs).

Steps:
1. Login to SonicWALL
2. Add a PortShield interface to the network interfaces on the SonicWALL (Network).
3. Here’s the trick. Create a new address object, name it anything. Make sure it has the following:
a) Zone is DMZ
b) Type is Range
c) Make it a range within the WAN range, consisting of the unused IP addresses in that range.
d) Enable DHCP on this interface
e) Click Save
4. Go to Firewall
5. In the matrix click WAN > DMZ
6. If applicable (not recommended, for obvious security reasons), change the setting from “deny all” to “allow all” (whichever host will be behind that DMZ should be running its own firewall).
7. Go to DHCP and ensure the scope for the subnet is correct. Then get the MAC address of the firewall to be chained to it, and add it there with the appropriate WAN IP (for a static setup).
8. Change the DNS settings for the DHCP scope to ensure it is not using the LAN’s DNS servers.
9. Test with your laptop.

Traversing SonicWALLs with NetBIOS

Friday, August 15th, 2008

This article assumes that you already have a functioning Site to Site VPN connection setup.

1. On the SonicWALL with OS Standard, go to the ‘VPN > Advanced’ page and uncheck the box next to ‘Disable all VPN Windows Networking (NetBIOS) Broadcasts’. This is a global setting, and unless it is unchecked, no VPN SA will be able to pass NetBIOS broadcasts. When done, click on the ‘Apply’ button in the upper-right-hand corner to save and activate the change.

2. Then, go to the ‘VPN > Settings’ page and click on the ‘Configure’ icon next to the VPN policy you previously created to connect to the central site. On the pop-up that appears, go to the ‘Advanced’ tab and check the box next to ‘Enable Windows Networking (NetBIOS) Broadcast’. This is a per-VPN-SA setting and applies to this VPN tunnel only. When done, click on the ‘OK’ button to save and activate the change.

3. On the central site SonicWALL with OS Enhanced, go to the ‘VPN > Settings’ page and click on the ‘Configure’ icon next to the VPN policy you previously created to connect to the remote site. On the pop-up that appears, go to the ‘Advanced’ tab and check the box next to ‘Enable Windows Networking (NetBIOS) Broadcast’. When done, click on the ‘OK’ button to save and activate the change.

4. Then, go to the ‘Network > IP Helper’ page. Check the box next to ‘Enable IP Helper’, make sure the box next to ‘Enable DHCP Support’ is unchecked (unless you are using that feature; if DHCP is enabled you may not be able to uncheck this setting), and check the box next to ‘Enable NetBIOS Support’. You will notice an auto-created IP Helper policy listed as a result of the previous step’s configuration. When done, click on the ‘Apply’ button in the upper-right-hand corner to save and activate the change.

5. On XP workstations you will need to reboot (or wait about 30 minutes) for the broadcasting to work and NetBIOS results to populate “Network Neighborhood”.
NOTE: On Vista workstations you can hit refresh a couple of times (this may take up to 5 minutes, but no reboot is required), and it should start populating pretty quickly.

Mac OS X Server 10.5: NATd

Tuesday, August 12th, 2008

There are certain aspects of Mac OS X Server that it just isn’t that great at. One of them is acting as a router. It’s just a fact that an appliance by SonicWALL, Cisco, Watchguard and sometimes LinkSys will run circles around the speed and feature set of Mac OS X Server. So with that in mind, let’s look at how you would go about configuring a basic port forward on OS X Server if you decided not to listen to us on this point…

You can use /etc/nat/natd.plist. The key you’ll want to edit is redirect_port, with one dict per port or one for a whole range. Assuming you were trying to forward AFP traffic to 192.168.0.2 from a WAN IP of 4.2.2.2, the array would look something like this:

<key>redirect_port</key>
<array>
    <dict>
        <key>proto</key>
        <string>TCP</string>
        <key>targetIP</key>
        <string>192.168.0.2</string>
        <key>TargetPortRange</key>
        <string>548</string>
        <key>aliasIP</key>
        <string>4.2.2.2</string>
        <key>aliasPortRange</key>
        <string>548</string>
    </dict>
</array>
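An added example, not from the original post: it reads such a natd.plist with plistlib, validates each redirect_port entry and renders the equivalent natd(8) -redirect_port argument, so a forward can be reviewed before natd is restarted. The sample plist is constructed here and mirrors the AFP example above; the case-insensitive key lookup is an assumption made to cope with the TargetPortRange spelling.

```python
import ipaddress
import plistlib

# Constructed /etc/nat/natd.plist fragment reproducing the article's example:
# AFP (TCP 548) arriving on WAN address 4.2.2.2 is forwarded to LAN host 192.168.0.2.
SAMPLE_NATD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>redirect_port</key>
  <array>
    <dict>
      <key>proto</key><string>TCP</string>
      <key>targetIP</key><string>192.168.0.2</string>
      <key>TargetPortRange</key><string>548</string>
      <key>aliasIP</key><string>4.2.2.2</string>
      <key>aliasPortRange</key><string>548</string>
    </dict>
  </array>
</dict>
</plist>
"""


def parse_port_range(text):
    """'548' -> (548, 548); '10000-10010' -> (10000, 10010). Rejects malformed ranges."""
    parts = str(text).strip().split("-")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed port range: {text!r}")
    low, high = int(parts[0]), int(parts[-1])
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"port range out of bounds or reversed: {text!r}")
    return low, high


def get_key(entry, name):
    """Case-insensitive lookup (assumption): the article writes TargetPortRange with a capital T."""
    for key, value in entry.items():
        if key.lower() == name.lower():
            return value
    raise KeyError(f"redirect_port entry is missing {name!r}")


def rule_from_entry(entry):
    """Render one redirect_port dict as the natd(8) argument it stands for:
    -redirect_port proto targetIP:targetPort[-port] aliasIP:aliasPort[-port]."""
    proto = str(get_key(entry, "proto")).lower()
    if proto not in ("tcp", "udp"):
        raise ValueError(f"proto must be tcp or udp, not {proto!r}")
    target_ip = ipaddress.ip_address(get_key(entry, "targetIP"))
    alias_ip = ipaddress.ip_address(get_key(entry, "aliasIP"))
    t_lo, t_hi = parse_port_range(get_key(entry, "targetPortRange"))
    a_lo, a_hi = parse_port_range(get_key(entry, "aliasPortRange"))
    # natd maps the ranges one-to-one, so they must be the same size.
    if t_hi - t_lo != a_hi - a_lo:
        raise ValueError("target and alias port ranges must be the same size")

    def span(lo, hi):
        return str(lo) if lo == hi else f"{lo}-{hi}"

    return f"-redirect_port {proto} {target_ip}:{span(t_lo, t_hi)} {alias_ip}:{span(a_lo, a_hi)}"


def natd_redirect_args(plist_bytes):
    """All redirect_port entries of a natd.plist as natd command-line arguments."""
    data = plistlib.loads(plist_bytes)
    return [rule_from_entry(entry) for entry in data.get("redirect_port", [])]


if __name__ == "__main__":
    # Review what the WAN side will be able to reach before restarting natd.
    for rule in natd_redirect_args(SAMPLE_NATD_PLIST):
        print(rule)
```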

You could also use the route command or ipfw depending on exactly what you’re trying to do with this thing. Route is going to be useful if you’re trying to respond to network traffic over a different interface than the default interface.

Configuring a SonicWALL for Fonality/Trixbox

Thursday, August 7th, 2008

The Fonality/Trixbox server and phones should be on the same subnet, separated from the data network.

On the SonicWall:

Under Network/Interfaces, create a new Interface for the Phone System. Under the Zone option, create a new Zone for the Phone System. Name the zone Phone System. Under the “Switch Ports” tab, assign it a port on the SonicWall. Label this port for the phone system (in the SonicWall OS and physically).

Blacklisting IP addresses on SonicWALLs

Friday, April 4th, 2008

Blacklisting an IP from the WAN on a SonicWALL

1. Log in to the SonicWALL
2. Go to Firewall Rules
3. Go to Matrix
4. Go to WAN -> LAN
5. Create Rule
6. For Source, choose Create Network.
7. Change Zone to WAN
8. Name it whatever you want (i.e. Blacklisted IP1)
9. Enter the IP
10. Save it
11. On the firewall rule, make sure to click on the check box for Deny
12. Source is Blacklisted IP
13. Destination is ANY
14. Service ANY (if you want to block all traffic).
15. Save it.
16. Move it up in the chain to be the first rule.
17. Test it.

Setting Up VPN Clients in OS X, Vista and Windows XP

Thursday, November 29th, 2007

The steps for setting up VPN connections are straightforward for both Macs and PCs. Here are the steps to follow for setting up a new VPN connection from a client desktop or laptop to its server:

Mac OS X (Tiger):
* First, open the ‘Applications’ folder by going to the Finder and choosing “New Finder Window” from the “File” menu. Click on the “Applications” icon, then scroll down until you see the “Internet Connect” icon.
* Click on the “Internet Connect” icon.
* Next, go to the ‘File’ menu and select “New VPN Connection Window.”
* On the window that pops up prompting you to choose which type of VPN, click ‘PPTP,’ then click ‘Continue.’
* In the new window, for the configuration, click on ‘Other’ and select ‘Edit Configurations…’
* A new window will come up. Type a description of the VPN connection in the Description text field.
* Type in the DNS name of the server you want to connect to as the ‘Server Address.’
* Type in the username you will use to access the server. This username should have already been created on the server.
* In the next text box, enter your VPN password. The password should also have been previously set.
* Un-check ‘Enable VPN on demand’, and ‘Encryption’ should be set to ‘Automatic’.
* Click the ‘OK’ button. Your configuration is saved, and you are ready to connect.

Mac OS X (Leopard):
* Go to the Apple menu in the upper left-hand corner of the top menu.
* Click on System Preferences from the drop-down menu.
* Click on the ‘Network’ icon.
* In the right-hand menu, click on the drop-down menu next to ‘Configuration’, which currently says ‘Default’, and select ‘Add Configuration’.
* Type in a name for the configuration: CITES VPN or the alternate name you chose in step # 8.

Mac OS X (Lion):
* Go to the Apple menu in the upper left-hand corner of the top menu.
* Click on System Preferences from the drop-down menu.
* Click on the ‘Network’ icon.
* Click on the ‘plus’ button at the bottom of the left column and choose VPN from the Interface dropdown menu.
* Choose the type of connection from the ‘VPN Type’ menu (typically PPTP).
* Label the connection with a name of your choosing in the ‘Service Name’ field.
* Enter the proper information in the ‘Server Address’ and ‘Account Name’ fields.
* If you are not using a shared computer you can click on the ‘Authentication Settings’ button and enter your password to store it for future sessions.
* Check the box labeled ‘Show VPN status in menu bar’.
* From the menu choose Connect [your chosen VPN label]; the status of the connection will update and start counting seconds when you are connected.

12. In the right-hand menu, enter the following information:

Configuration: DAS VPN (or a name of your choosing)
Server Address: the.vpn3.domain.com
Account Name: Your guest ID
Encryption: Maximum (128 bit only) from the drop-down menu

13. Check the box next to Show VPN status in menu bar.

Windows Vista:
1. From the Start Menu, right-click on Network and select Properties. This will open the Network and Sharing Center.
2. On the left side, click on Set up a connection or network.
3. Select Connect to a workplace.
4. Click on the Next button.
5. Select Use my Internet connection (VPN).
6. Replace the Example with the actual WAN IP address of the VPN server you will be connecting to. You can also change the name from VPN Connection to something more meaningful.
7. Click on the Next button.
8. Enter the User Name and Password of your VPN account.
10. Now, from the Network and Sharing Center, you can go to Manage Network Connections to see the new VPN connection. This is also where you disconnect. To reconnect later, go to the Network and Sharing Center and click Connect to a network.

Using Outlook Remotely with RPC over HTTPS

Friday, July 6th, 2007

Setting up RPC over HTTPS is different from setting up Entourage over HTTP/S. First, an overview of what HTTPS is. HTTPS is the secure form of HTTP; it stands for HyperText Transfer Protocol Secure. This means that you will need an SSL certificate for the connection between Outlook and Exchange. RPC is what Outlook uses to synchronize information from Exchange. RPC stands for Remote Procedure Call, and is the programming routine that allows the application (Outlook) to connect with Exchange via OWA.

Now that we’ve established what RPC over HTTPS is, an outline will follow of how to connect Outlook to Exchange using RPC over HTTPS on Windows 2003 Small Business Server.

Introduction:

Small Business Server comes with many things already installed and ready for a company to use right out of the box. Two of these are Exchange and Remote Web Workplace. Remote Web Workplace is Microsoft’s way of letting an administrator remote into the server via HTTP/S and, from there, use the many tools in Remote Web Workplace to administer the entire network infrastructure via the Small Business Server.

Check List:
1. Are you using Small Business Server 2003?
2. Is Exchange functioning and setup correctly?
3. Do you have an SSL certificate?
4. Are ports 80 and 443 open (and 3389 if you’re doing this remotely)?
5. Do you know the NetBIOS name of the server (right-click My Computer and check the computer name)?
6. Do you have Outlook (preferably 2003)?
7. Are the client workstations that need remote access updated with SP2 for XP?

If you have this, then you’re ready to rock.

Getting it All to Work Together

1. Make Them a Member of Remote Web Workplace

Log in as Administrator to the Small Business Server and open up Active Directory Users and Computers. Locate the users you want to have access (or create a security group) and add the group or user to the group called “Remote Web Workplace”.

NOTE: You may not see this group as a security group in Active Directory, but if you type in the name and press the “Check” button, it should underline itself. You have now confirmed that this is a valid Security Group.

2. Get The Facts

With the new user you created, log in to https://mail.domainname.com/remote. This is the Remote Web Workplace. You should be greeted with a login; use the credentials of the user (or pick a user from the security group) that is now a member of “Remote Web Workplace”. You should be able to log in. If you cannot, try logging in to Remote Web Workplace as Administrator. If the Administrator account can log in, check the settings you applied to the security group or user, and ensure that they are indeed members of “Remote Web Workplace”.

Once you have logged in, to the right, there should be a link called “Configure your computer to use Outlook via the Internet”, click on it, and it will outline steps that are pretty darn close to what you should setup in Outlook. It’s basically a help file, but it will give you almost exactly what you will need to use RPC over HTTPS. Just in case, I will also outline the steps here that the link will post.

NOTE: It is important that the users who need RPC over HTTPS can log in to Remote Web Workplace. If they cannot log in here, they will NOT be able to use RPC over HTTPS.

3. Configure or Reconfigure the SSL Certificate

When you log in to Remote Web Workplace via HTTPS, you should be greeted with a pop-up that asks if you want to accept the SSL cert. Check the SSL certificate and MAKE SURE THAT THE WEBSITE NAME OF THE CERT MATCHES THE WEBSITE.

If it does, then log in from each computer that needs RPC over HTTPS and install the certificate from Remote Web Workplace by clicking on View Certificate, and then Install Certificate. You can double-check that the certificate is installed by opening up MMC, go to Certificates, pull up the one for User Certificates, and look for one named with the server or domain name as a Trusted Root. Again, make sure that the cert’s name (not the CA issuer) is called by the MX record name (or predetermined Exchange website name) and NOT THE SERVER NAME. After you install the certificate, close Internet Explorer, and reopen it, and log in to Remote Web Workplace. If you are prompted to accept the certificate again, something is wrong with the certificate, and you will need to create a new one.

If the certificate doesn’t match the Exchange website name or the certificate saved keeps prompting you to accept it, you will need to create a new certificate. You can do this by the following:
1. Download IIS 6.0 Resource Kit Tools, available from:

http://www.microsoft.com/downloads/details.aspx?FamilyID=56FC92EE-A71A-4C73-B628-ADE629C89499&displaylang=en

2. Run the application, and install SelfSSL
3. Click on Start -> All Programs -> IIS 6.0 Resource Kit -> SelfSSL
4. In the Command Prompt type the following:

selfssl /T /N:CN=<exchange website name>

NOTE: <exchange website name> should be your Exchange website name, i.e., mail.domainname.com (without the less-than and greater-than signs).

5. Type “y” to replace the SSL settings for site 1.
6. Log in to Remote Web Workplace again, and display the certificate. Ensure it is now called what it is supposed to be (HINT: before you view the certificate there should be a green check mark for “Certificate matches website name”). Install the cert, close IE, and retest. You should no longer be prompted to accept the certificate.

NOTE: This is important because if the certificate does not match the Exchange website name the connection will FAIL. You will either get a “server not available error” or other unusual errors.

4. Configure Outlook (a.k.a, It’s all Downhill from Here)

NOTE: This is available in Remote Web Workplace under the link: “Configure your computer to use Outlook via the Internet”

1. Go to Control Panel -> Mail -> Profiles and create a new Profile
2. With the new profile create an e-mail account, make sure to choose Exchange.
a. For the server name put the NetBIOS name, NOT THE WEB NAME.
b. For the user name, put in the username of the user.

NOTE: Do not click “Check Name”; it will not work over this connection.

c. Click on the “More Settings” button.
d. Click the Connection Tab.
i. Checkmark the box that says “Connect to my Exchange mailbox using HTTP”
ii. Press the Exchange Proxy Settings Button
1. For https:// put in the website name that we’ve been getting the certificate ready for.
2. Put a check mark for “Connect using SSL only”
3. Put a check mark for “Mutually authenticate the session when connecting with SSL”.
4. For “Principal name for proxy server:” put the following: msstd:mail.domainname.com
5. Put a check mark for “On fast networks…” and “On slow networks…”
6. For “Proxy authentication settings” change it to “Basic Authentication”
3. Press OK a bunch of times, Next, and then Finish.
4. Make sure that this profile is set to “Always use this Profile”
5. Save your settings
6. Test your settings, and if you’ve done everything right, you should be prompted for your credentials. After you have been authenticated, you should now start receiving e-mail, and be able to view the calendar and do all of the other Exchange type stuff that the users are used to.
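The name check in step 3 (certificate subject must be the Exchange website name, not the server name, and the issuer is irrelevant) and the msstd: principal in step 4 can be modelled in code. This is an added example, not part of the original article: it applies subject/SAN matching to constructed certificate dicts in the shape Python’s ssl module returns (SBSSERVER is a placeholder NetBIOS name, mail.domainname.com is the page’s example), and check_live_cert needs network access.

```python
import socket
import ssl

# Constructed certificate dicts in the shape ssl.SSLSocket.getpeercert() returns.
# GOOD_CERT is issued for the Exchange website name; NETBIOS_CERT is what a
# self-signed certificate issued for the server's own (NetBIOS) name looks like.
GOOD_CERT = {
    "subject": ((("commonName", "mail.domainname.com"),),),
    "issuer": ((("commonName", "SBSSERVER"),),),   # issuer does not take part in the check
    "subjectAltName": (("DNS", "mail.domainname.com"),),
}
NETBIOS_CERT = {
    "subject": ((("commonName", "SBSSERVER"),),),  # placeholder server name
    "issuer": ((("commonName", "SBSSERVER"),),),
}


def dns_names(cert):
    """Names the certificate is valid for: SAN DNS entries, else the subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def name_matches(pattern, hostname):
    """Case-insensitive match; a wildcard may only replace the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3 or p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_site(cert, site_name):
    """True when the certificate is issued for site_name (the Exchange website name)."""
    return any(name_matches(n, site_name) for n in dns_names(cert))


def principal_host(principal):
    """Host part of Outlook's 'msstd:mail.domainname.com' principal string."""
    if not principal.lower().startswith("msstd:"):
        raise ValueError("Outlook principal names for RPC over HTTPS use the msstd: prefix")
    return principal[len("msstd:"):]


def outlook_would_accept(cert, proxy_site, principal):
    """Model the mutual-auth check from step 4: the certificate must match both the
    https:// proxy name and the msstd: principal. A certificate named for the
    NetBIOS server name fails here, which is the 'server not available' case."""
    return cert_matches_site(cert, proxy_site) and cert_matches_site(cert, principal_host(principal))


def check_live_cert(host, port=443, timeout=5):
    """Connect with a verifying context and return (ok, detail). A self-signed or
    mis-named certificate fails here, the same way the browser prompt does."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, dns_names(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return False, str(exc)


if __name__ == "__main__":
    site, principal = "mail.domainname.com", "msstd:mail.domainname.com"
    for label, cert in (("website cert", GOOD_CERT), ("NetBIOS-name cert", NETBIOS_CERT)):
        print(f"{label}: names={dns_names(cert)} accepted={outlook_would_accept(cert, site, principal)}")
```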

Installing SonicWALL ViewPoint

Wednesday, May 23rd, 2007

Here are the steps to follow for installing Sonic ViewPoint. Note that a Windows system running 2000, XP, or 2003 is required.

1. Go to www.mysonicwall.com and add the ViewPoint license key to the registered appliance.

2. Download the ViewPoint installation software. It is a free download from www.mysonicwall.com (the client should have a login/password from when the SonicWALL was installed)

3. Extract and run the installer. Follow the prompts to add an SMTP server and admin accounts. Make sure that the Windows firewall is off or has an exception for ports 80, 443, and 514. Reboot the system.

4. Log into the SonicWALL appliance and enter the upgrade key from the mysonicwall.com site into the System > Licenses section on the navbar.

5. In the Logs > ViewPoint section on the navbar, Add the IP address of the computer running the ViewPoint software.

6. Open a web browser to the IP address of the ViewPoint system. In the far left pane, right-click on MyReportsView and select Add Unit. Enter the information for the SonicWALL appliance in the window that appears and click OK.

Installing and Configuring Asterisk

Thursday, April 26th, 2007

The following article covers installing and configuring Asterisk. There are now different flavors of Asterisk; the two I will touch upon here are Asterisk itself (the command line version) and Trixbox (f.k.a. Asterisk@Home).

BACKGROUND
Asterisk is a PBX (Phone Box Exchange) system used to connect multiple phones to multiple lines (or a combination thereof), giving you many of the features a traditional PBX would, but Open Source (in this case free). You can use PSTN lines, IAX or SIP trunks, as well as hard phones (traditional telephones or VoIP handsets) or soft phones. It is used for VoIP (Voice over Internet Protocol).

INSTALLATION
We will first cover installation with the traditional Asterisk software:

First have a box with Linux loaded on it.

System Requirements:

First download Asterisk from CVS:

# cd /usr/src
# export CVSROOT=:pserver:anoncvs@cvs.digium.com:/usr/cvsroot
# cvs login
(password is same as username)
# cvs checkout zaptel libpri asterisk
# cd zaptel
# make clean ; make install
# cd ../libpri
# make clean ; make install
# cd ../asterisk
# make clean ; make install
# make samples

If all of this worked without any errors, you have successfully installed Asterisk.

You can now run

# asterisk -vvvvvvvc

If that doesn’t work, try

# /usr/sbin/asterisk -vvvvvvc

This runs the Asterisk console in super-verbose mode; if there are any errors, you will see them scroll across the screen.

You can type “stop now” to kill Asterisk.

Installing Cards:

Open up your computer and install the card into a PCI slot. These cards require a certain voltage, so make sure your computer can power the card appropriately. When in doubt, look up the model number of your card and the model number of your computer. Sometimes you will need an extra plug from the power supply to power some of the larger TDM cards.

After you have your card installed, you must configure the card. The following is how to configure a card (this checks for any type of card):

# modprobe zaptel
# modprobe wcfxo
# modprobe wcfxs

NOTE: The first one to be probed, will become channel 1, etc.

Next, you have to edit the zaptel.conf file to let it know where the cards are at. Here is an example of a basic zaptel.conf configuration:

fxsks=1
fxoks=2
fxoks=3
loadzone=us
defaultzone=us

Without getting too deep as to why, fxsks is actually for the FXO card and fxoks is for the FXS cards. The zones just need to match your country code. The number after fx??? needs to match the channel number you got when you modprobed earlier.

Now save your changes and prepare to edit another file, zapata.conf.

In zapata.conf, you would change it (in this scenario) as follows:

[channels]
busydetect=1                ; busy detect on or off
busycount=7                 ; how many rings it takes to decide the line is busy
relaxdtmf=yes               ; if DTMF detection should not be strict
callwaiting=yes
callwaitingcallerid=yes
threewaycalling=yes
transfer=yes
cancallforward=yes
usecallerid=yes
echocancel=yes              ; tries to cancel the echo that is prevalent with VoIP
echocancelwhenbridged=yes
rxgain=0.0                  ; receive volume
txgain=0.0                  ; transmit volume
group=1                     ; group for trunking
pickupgroup=1-4             ; groups whose ringing calls this phone can pick up
immediate=no                ; yes would dial a specified number as soon as the phone is picked up [think Red Bat Phone from the original Batman program]
context=bell                ; bell is a "group of settings" (context) in your extensions.conf file
signalling=fxs_ks           ; signalling method; just have it match your zaptel.conf
callerid=asreceived         ; pass caller ID on to Asterisk's extension logic
channel => 1                ; assign the settings above to this channel

context=home                ; home is a "group of settings" (context) in your extensions.conf file
group=2
signalling=fxo_ks           ; signalling method; just have it match your zaptel.conf
mailbox=2468                ; mailbox number
callerid="Phone 1" <2468>   ; caller ID of the phone on this channel
channel => 2                ; assign the settings above to this channel

signalling=fxo_ks           ; signalling method; just have it match your zaptel.conf
mailbox=3579                ; mailbox number
callerid="Phone 2" <3579>   ; caller ID of the phone on this channel
channel => 3                ; assign the settings above to this channel

Run the following (after stopping Asterisk) to finish configuring the Zaptel cards:
# ztcfg -vv

Now edit the extensions.conf file to configure numbers for the cards:

[default]
; the default plan for what happens when someone dials extension 103 or 1000
; exten => extensionNumber,priority,command
exten => 103,1,Background(tt-monkeys)
; definitions for extension 1000
exten => 1000,1,Dial(SIP/dg,20,t,r)
exten => 1000,2,Voicemail(s1000)

[telewest_pstn]
; a sample dial plan called "telewest_pstn" that determines what happens when a call
; arrives on your PSTN line and should make a SIP phone ring
exten => s,1,Dial(SIP/dg,25,t,r)
exten => s,2,Voicemail(s1000)
exten => s,3,Hangup

[default]
; another part of the default dial plan, for dialing out (Asterisk merges it with the [default] above)
; if the number starts with a 9, strip it and send the rest via the PSTN landline
exten => _9.,1,Dial(Zap/1/${EXTEN:1})
; or if it is a 6 digit number (i.e. a local call)
exten => _XXXXXX,1,Dial(Zap/1/${EXTEN})

Make sure to save your changes.

Sip.conf

From http://www.voip-info.org, the resource for Asterisk and VoIP related items:
the sip.conf file is the “configuration file for Asterisk SIP channels, for both inbound and outbound calls.”

Here is an example from www.voip-info.org:

[general]
context=own_context        ; the context in extensions.conf that receives incoming calls
realm=real.com             ; if you'd like to separate by realms
bindport=5060              ; the port to bind to
srvlookup=yes              ; look up SRV records for the peer
disallow=all               ; secure it by not allowing every codec
allow=ulaw                 ; codec
allow=gsm                  ; codec; check with provider
language=en

trustrpid=yes
sendrpid=yes

register => fromuser@fromdomain:secret@host   ; register with your other Asterisk box or VoIP provider
register => XXXX@YYYY.com:AAAA@IP             ; same thing with the placeholders used below

[my_provider]
type=peer                  ; type of SIP entry
fromuser=XXXX              ; user name
fromdomain=YYYY.com        ; domain name
canreinvite=no             ; usually set to no
secret=AAAAA               ; password
insecure=very              ; usually set to this
host=IP                    ; IP address this peer is matched and authenticated against
disallow=all               ; secure it by not allowing every codec
allow=gsm                  ; codec; check with provider
allow=ulaw                 ; codec; check with provider
allow=alaw                 ; codec; check with provider
qualify=yes                ; usually set to yes
nat=no                     ; if you're behind a SOHO firewall, set this to yes

Outbound calls in extensions.conf:

exten => _X.,1,Dial(SIP/${EXTEN}@my_provider)

This is how outbound calls are handled by Asterisk: when a number is dialed, the first (and only) step sends the dialed digits (${EXTEN}, the variable extension being called) out through the SIP peer my_provider declared above.

When creating or making changes to this file, reload Asterisk by logging into the console and typing the following:

reload

This will tell Asterisk to re-scan the *.conf files and absorb the changes accordingly.

Trixbox:

Trixbox is a good program that contains all of the essentials of Asterisk, but is much easier to set up. You just pop in the install CD, and it will install Asterisk and a lot of other add-ons for you (along with wiping out your hard drive).

Instead of reinventing the wheel: Sureteq has a good guide for how to install and configure Trixbox. It’s for version 1.2, but it will work for version 2.0 just as well.

http://www.sureteq.com/asterisk/trixboxv1.2.htm

Firewalls:

Ideally, when setting up VoIP you will want to do the following with your VoIP PBX system.
1. Separate it from your regular network, whether through VLANs, subnetting or air-gapping; make sure it’s separate so that it doesn’t interfere with your data traffic.
2. Change the default passwords on your PBX for EVERYTHING!!!
3. Run the updates to update everything on the server BEFORE configuring it
4. Confirm that your firewall/router has QoS (preferably VoIP-aware).
5. Open up the following ports if applicable:
a. 22 TCP for SSH (Quick Remote Administration)
b. 5060 TCP for SIP Registration
c. 10000-20000 UDP for RTP (for audio, video and data)
d. 4569 UDP for IAX2 -> If you’re using IAX, this is probably the one you want.
e. 5036 UDP for IAX
6. Add your modules (especially the backup/restore module)
7. Set a backup schedule for the PBX
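An added example, not from the original article and not Asterisk’s own code: a small parser for the sip.conf / extensions.conf syntax shown above, with checks for the things the sip.conf sample and the list above raise (short or default-looking secrets, insecure=very, allow= without disallow=all, and a peer landing in a context whose _X. pattern dials straight out through the provider). SIP_CONF and EXTENSIONS_CONF are constructed inputs; 203.0.113.10 is a documentation address.

```python
import re

# Constructed sip.conf / extensions.conf in the style of the examples above.
# Names, secrets and the 203.0.113.10 address are made up for the demonstration.
SIP_CONF = """
[general]
context=default            ; calls from peers without their own context land here
bindport=5060
disallow=all
allow=ulaw

[my_provider]
type=peer
fromuser=XXXX
secret=AAAAA
insecure=very              ; authentication skipped on incoming INVITE
host=203.0.113.10
allow=gsm                  ; allow= without a preceding disallow=all in this section
qualify=yes

[2468]
type=friend
context=home
secret=2468                ; secret is the extension number itself
host=dynamic
disallow=all
allow=ulaw
"""

EXTENSIONS_CONF = """
[default]
exten => 1000,1,Dial(SIP/dg,20,t,r)
exten => _X.,1,Dial(SIP/${EXTEN}@my_provider)   ; catch-all: any digits go out the trunk

[home]
exten => _9.,1,Dial(Zap/1/${EXTEN:1})
"""


def parse_conf(text):
    """Parse Asterisk-style config into {section: {key: [values]}}.
    Strips ';' comments and accepts both 'key=value' and 'key => value'.
    Repeated keys (allow=, exten =>) are kept in order as a list."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = re.split(r"=>|=", line, maxsplit=1)
        current.setdefault(key.strip(), []).append(value.strip())
    return sections


def first(keys, name):
    """First value of a key, or '' when absent."""
    return keys.get(name, [""])[0]


def catch_all_outbound_contexts(extensions):
    """Contexts whose dialplan has a _X. or _. pattern that Dials: anyone who
    reaches such a context can place arbitrary (toll) calls."""
    found = set()
    for ctx, keys in extensions.items():
        for value in keys.get("exten", []):
            pattern, _, rest = value.partition(",")
            if pattern.strip() in ("_X.", "_.") and "dial(" in rest.lower():
                found.add(ctx)
    return found


def audit_sip(sip_text, extensions_text):
    """Return a list of findings for the SIP peers defined in sip_text."""
    sip = parse_conf(sip_text)
    open_contexts = catch_all_outbound_contexts(parse_conf(extensions_text))
    general = sip.get("general", {})
    findings = []
    for name, keys in sip.items():
        if name == "general" or first(keys, "type").lower() not in ("peer", "friend", "user"):
            continue
        secret = first(keys, "secret")
        if not secret:
            findings.append(f"[{name}] has no secret: anyone reaching port 5060 can use it")
        elif len(secret) < 8 or secret in (name, first(keys, "fromuser"), first(keys, "username")):
            findings.append(f"[{name}] secret is short or equals its own name")
        insecure = first(keys, "insecure").lower()
        if "very" in insecure or "invite" in insecure:
            findings.append(f"[{name}] insecure={insecure}: incoming INVITEs are not authenticated")
        if keys.get("allow") and first(keys, "disallow").lower() != "all":
            findings.append(f"[{name}] sets allow= without disallow=all")
        # A peer without its own context inherits the one from [general].
        context = (keys.get("context") or general.get("context") or ["default"])[0]
        if context in open_contexts:
            findings.append(f"[{name}] lands in [{context}], which Dials any number (toll-fraud exposure)")
    return findings


if __name__ == "__main__":
    for finding in audit_sip(SIP_CONF, EXTENSIONS_CONF):
        print(finding)
```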

An earlier version of Trixbox was Asterisk@Home, and it was just as easy to manage. Something to keep in mind: within Trixbox versions 2.0 and later, it is not too hard to restore your configuration. Upgrades between versions, and between Trixbox and plain Asterisk, will require you to have a hard copy of all of your information, which will have to be entered manually once the upgrade is complete.

SonicOS Enhanced: CFS Causes errors on sites with logins

Thursday, March 1st, 2007

This article applies also to any SonicWALL running SonicOS Enhanced that is having performance issues.

Safari and other web browsers on a Mac will experience errors trying to load pages that require a login over https, such as store.apple.com and www.amazon.com. To fix this, you need to uncheck the “Enforce Host Tag Search with for CFS” feature on the SonicWALL. This applies even if the SonicWALL is not utilizing the Content Filtering Service features.

That option is not in the normal menus: to uncheck “Enforce Host Tag Search with for CFS”, log in to the SonicWALL web console and go to the diag page, which you reach by replacing the page name in the URL with diag.html.

For example, if you log into http://192.168.1.1/main.html, replace main with diag; that is: http://192.168.1.1/diag.html

This brings up the internal settings page of the SonicWALL, and from there you can uncheck “Enforce Host Tag Search with for CFS”.

Data Loss

Sunday, November 19th, 2006

We’ve attended plenty of events that preach the importance of backup, but rarely is it approached from what is essentially at the heart of data protection: data recovery. For example, did you know that DLT tapes (still the media of choice across the board) are designed to be overwritten only 5 times? According to our valued partners at SonicWALL, Inc., administrators report that they use DLT tapes an average of 12 times. Also, something like 73% of the backed-up data surveyed was unrecoverable!!! Point being, a backup is only as secure as its recovery plan.

The recommendation here is to run periodic recovery drills to test the viability of the data protection scheme. Taking SonicWall’s lead, we here at 318, Inc. would like to begin a vigorous push with all our clients towards increasing the awareness of the importance of data recovery. Another tidbit: 93% of companies that had suffered a major loss of data, were out of business within one year. Far too many systems administrators’ careers have ended abruptly due to recovery-plan negligence and we’ve all seen it happen… nuff said.

A few more interesting points on the subject of data loss (if data loss can be considered interesting…):

The speed of recovery is as important as anything else. The example was given of when, during the early days of eBay, their servers were brought down under attack and, though their data was safely backed up, it took 2.5 days to recover it. Million$ lost in revenue! Administrators should design a plan that includes rapid recovery of the most recent and most critical data, allowing the affected party(s) to resume their daily tasks while recovery of the older, less important files continue to restore.
People are, by far, the biggest challenge to security, e.g. passwords taped to monitor screens, using “password” as their password, etc. Only strict company security policies and education can combat this leak. Even the most secure server in the world can be easily compromised by an employee walking through an airport with log-on credentials for that server written with a Sharpie on the outside of their laptop case (it was an agent from the U.S. Homeland Security Department, true story; as the laptop came out of security’s X-ray scanner, it was mistakenly handed to the wrong person!).
Small to medium businesses are hit hardest by data loss. They usually have fewer resources to invest in protecting their data and are usually the ones least likely to appreciate the importance of a strong backup/recovery scheme.
Data protection is more important than ever now, considering that cyber-criminals are making approximately 6 times more money with far fewer expenditures than organized crime ever did, even in its heyday.
On the subject of data security, no discussion is complete without extensive planning for protecting the network that the data resides on. “Controlling the flow of data can be as difficult as herding cats.” For network security, 318, Inc. recommends the SonicWall TZ 170 firewall/router for most networks. We feel it’s important to understand some of the differences between using SonicWall’s firewall appliances and the limitations of other, “consumer level” products such as Linksys or D-link routers. From SonicWall.com:

SonicOS Standard, which ships on every SonicWALL TZ 170, includes:

Real-Time Gateway Anti-Virus, Anti-Spyware and Intrusion Prevention. The TZ 170 extends security from the network core to the perimeter by integrating support for SonicWALL’s Gateway Anti-Virus, Anti-Spyware and Intrusion Prevention Service, delivering real-time protection against the latest blended threats, including viruses, spyware, worms, Trojans, software vulnerabilities and other malicious code.
Powerful Content Filtering. The TZ 170 supports SonicWALL’s Content Filtering Service, providing an enterprise-class, scalable content filtering service that enhances productivity and security without requiring additional server or deployment costs.
Deep Packet Inspection Firewall. The TZ 170 features a configurable, high performance deep packet inspection firewall for extended protection to key Internet services such as Web, e-mail, file transfer, Windows services, and DNS.
WorkPort. The SonicWALL TZ 170 includes an optional port that can be configured as a WorkPort, creating an independent, isolated zone of trusted network security that protects corporate networks from malicious attacks that can occur when telecommuters share broadband Internet access with networked home computers.
Comprehensive Central Management Support. Every SonicWALL Internet security appliance can be managed using SonicWALL’s award-winning Global Management System, which provides network administrators with the tools for simplified configuration, enforcement and management of global security policies, VPN, and services, all from a central location.
More information about SonicWall’s products can be found at their website: http://www.sonicwall.com.

318, Inc. is a proud partner of SonicWall, and would appreciate the opportunity to perform a vulnerability assessment on your network in order to offer you some solid recommendations for protecting it.

Dual WANs for Your Office

Tuesday, September 5th, 2006

Often, a single internet connection is all that is needed to allow a group of computers to access the internet for websites, email and chatting. DSL, Cable Modem or a single T1 can often provide enough bandwidth for a small group of users.

As your company grows, there can come a point where the speed of the internet connection becomes a bottleneck, increasing the time for web pages to load and for emails to be sent and received. After you hit the limits of what a single connection is able to provide, one very cost effective way to address the issue is to add a second connection.

Adding a second internet connection to your network is also highly recommended if your business relies heavily on the internet. In the event of a downed internet connection, the outage could cost companies thousands of dollars in lost productivity and client interaction. By utilizing a second internet connection from an alternate provider, businesses can ensure a higher level of availability and uptime.

The equipment can be set up in one of two ways. When set up in a failover configuration, the second internet connection is used only when the primary fails. In typical configurations, a fast data connection such as a T1 is supplemented by a slower connection, such as DSL, which bears the burden of connectivity in the event of an outage.

When set up with load balancing, both internet connections are used simultaneously, with the traffic load being split and routed to the more ‘available’ connection. In this configuration, both data circuits should be sufficiently fast to allow the load to be effectively shared between them, typically T1s.

318 is an expert in setting up and integrating Dual-WAN networks. It can be as simple as using a DSL line and a cable modem, or as robust as using two T1s from two different providers, or even a mix of a T1 and a WiMax link. If you think this is a situation that would suit your business, give 318 a call to discuss your options.

Setting Up Firewalls in Windows Server 2003

Tuesday, May 9th, 2006

Configuring any type of routing on Windows Server has always been a little tricky. To enable the Windows Server 2003 Firewall:
1. Click on Start -> Administrative Tools -> Routing and Remote Access.
2. Under ComputerName (Local) select IP Routing.
3. Right-click on NAT/Basic Firewall and click on New Interface.
4. Select the NIC to perform firewalling on and click OK.
5. Click on the radio button for Basic Firewall only.
6. Click on Inbound Filters.
7. Click on Drop all packets except those that meet the criteria below.
8. Click on New.
9. If you are allowing traffic from anywhere for a given protocol, leave Source Network unchecked; if you are filtering so that only certain IP addresses can reach the port, use Source Network to restrict them.
10. Select the type of protocol that will be allowed into the server (for the example of web traffic, select TCP here).
11. Enter the Source and Destination Port in the next two boxes.
12. Click on Services and Ports and check the boxes for the ports that users of your local subnet should have access to (e.g. www, ftp, etc.).
13. Click on Apply.
14. Click on OK.

Blocking Outbound AIM/iChat Clients

Tuesday, April 11th, 2006

NOTE: The principles outlined here can be applied for other chat services such as MSN and Yahoo.

Requirements
* SonicOS Enhanced (can also be done with SonicOS Standard, but this article only speaks to the Enhanced configurations).
* Internal DNS server

Blocking iChat
First, determine the range of IP addresses that login.oscar.aol.com resolves to,
and add them as Address Objects in the SonicWALL. You can combine them into an Address Object Group called “AIM Servers”. Here are the known IP addresses as of this article’s writing:

64.12.161.153
64.12.161.185
64.12.200.89
205.188.153.121
205.188.179.233

For good measure, you can block the entire address block that these IPs belong to, just to be sure.

Add a Deny firewall rule to the SonicWALL, preventing traffic from the
LAN Subnet to the AIM Servers Address Object Group.

If your LAN clients use a local server for DNS, you can create an entry on the DNS server for login.oscar.aol.com, forcing logins to go through a specific IP address that is in the AIM Servers group.

Exceptions
Inevitably, there will be executives and other users who need to use the AIM service. It is possible to configure the router and other systems to accommodate these privileged users; be sure to see the Caveats section below, however.

Add a static DHCP address for each AIM-allowed user’s computer, keyed on its MAC addresses (AirPort and Ethernet), and group those addresses into an address object group called AIM-Allowed IPs.

Add an Allow firewall rule to the SonicWALL, allowing traffic from the
group of AIM-Allowed IPs to the AIM Servers group, making sure that this rule has a higher priority than the Deny rule.

Caveats
As you might imagine, this is far from unbreakable, though most workarounds would
require more technical knowledge than the users possess. Some possible
problems with this approach:

1. Connect via a remote proxy server. This is probably the most obvious choice since these settings are configurable in iChat and other AIM clients.
2. If AOL changes the server IP for processing logins, permitted AIM users may no longer be able to connect, or users may be able to type an IP address that is not restricted and gain a connection.
3. If permitted AIM users change computers, you will need to change the MAC address in the static DHCP rule for those users.
4. If somebody spoofs a permitted AIM user’s MAC address, they will be able to gain AIM access.
5. If e-mail is hosted in-house, you will need to take care to manage the MX records accurately for the aol.com domain, and change them when necessary.
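The rule ordering that both the Windows Server 2003 inbound-filter steps above (drop everything except the listed criteria) and this SonicWALL scheme (a Deny rule with a higher-priority Allow rule in front of it) depend on is first match wins, falling back to the zone’s implicit policy. The short model below is an added example, not code from SonicWALL, Microsoft or 318: the LAN subnet 192.168.1.0/24, the two AIM-allowed addresses 192.168.1.10 and 192.168.1.11, and the “fresh resolution” fed to the drift check are constructed values; the AIM server addresses are the 2006 ones listed above. It shows what happens when the Allow rule is placed below the Deny rule, why caveat 2 lets a newly added login server slip past per-host address objects, and how blocking the covering /24s closes that gap.

```python
"""First-match firewall rule modelling for the AIM-blocking scheme.

Added illustration, not SonicWALL, Microsoft or 318 code. The LAN subnet,
the AIM-allowed addresses and the 'fresh resolution' below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Login server addresses listed in the post (2006 values, illustrative only).
AIM_SERVER_IPS = [
    "64.12.161.153", "64.12.161.185", "64.12.200.89",
    "205.188.153.121", "205.188.179.233",
]


def nets(items):
    """Turn address/CIDR strings into ip_network objects (hosts become /32)."""
    return [ipaddress.ip_network(i, strict=False) for i in items]


def supernets(addresses, prefixlen=24):
    """'Block the entire block': the covering prefixes for a set of hosts."""
    covering = {ipaddress.ip_network(a).supernet(new_prefix=prefixlen)
                for a in addresses}
    return sorted(covering)


LAN_SUBNET = nets(["192.168.1.0/24"])                     # constructed sample LAN
AIM_ALLOWED_IPS = nets(["192.168.1.10", "192.168.1.11"])  # constructed static DHCP leases
AIM_SERVERS = nets(AIM_SERVER_IPS)


@dataclass
class Rule:
    action: str                           # "allow" or "deny"
    src: List[ipaddress.IPv4Network]      # source address object group
    dst: List[ipaddress.IPv4Network]      # destination address object group
    name: str = ""

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        return any(s in n for n in self.src) and any(d in n for n in self.dst)


def evaluate(rules, src_ip, dst_ip, default="allow"):
    """First matching rule wins. `default` is the implicit zone policy:
    SonicOS LAN->WAN defaults to allow; the RRAS 'drop all packets except'
    inbound filter defaults to deny."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.action
    return default


def build_rules(block_whole_prefix=False, allow_first=True):
    """The Deny (LAN Subnet -> AIM Servers) and Allow (AIM-Allowed IPs ->
    AIM Servers) rules from the post, in the chosen priority order."""
    servers = supernets(AIM_SERVER_IPS) if block_whole_prefix else AIM_SERVERS
    allow = Rule("allow", AIM_ALLOWED_IPS, servers, "AIM-Allowed IPs -> AIM Servers")
    deny = Rule("deny", LAN_SUBNET, servers, "LAN Subnet -> AIM Servers")
    return [allow, deny] if allow_first else [deny, allow]


def resolution_drift(configured, resolved):
    """Caveat 2: compare a fresh resolution of login.oscar.aol.com with the
    configured objects. Returns (addresses to add, addresses now stale)."""
    conf, res = set(configured), set(resolved)
    key = ipaddress.ip_address
    return sorted(res - conf, key=key), sorted(conf - res, key=key)


if __name__ == "__main__":
    for order in (True, False):
        rules = build_rules(allow_first=order)
        print("allow rule first" if order else "deny rule first",
              "-> exec 192.168.1.10:", evaluate(rules, "192.168.1.10", "64.12.161.153"))
    # A login server address that was not on the 2006 list (constructed).
    print("new server, host objects:",
          evaluate(build_rules(), "192.168.1.50", "64.12.161.200"))
    print("new server, /24 objects: ",
          evaluate(build_rules(block_whole_prefix=True), "192.168.1.50", "64.12.161.200"))
    print("drift:", resolution_drift(AIM_SERVER_IPS, ["64.12.161.153", "64.12.161.200"]))
```

Run the drift check from a scheduled job that resolves the name itself (the function takes the resolved list as input so the model stays offline here); when it reports new addresses, add them to the AIM Servers group, and when it reports stale ones, verify before removing them so permitted users are not cut off.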

Choosing the Right Web Host

Monday, April 10th, 2006

Managing Your Hosting Environment

When you start a new hosting environment, you will probably handle many of the tasks that you will likely want your clients to handle later down the road. There are many products that help to ease the administrative burden of a shared hosting environment. These products empower users of your services to create their own accounts and perform other administrative tasks using easy to navigate web portals.

• cPanel and Plesk are server management software solutions designed to allow administrators to create Reseller accounts, Domain accounts and email features. Administrators have the ability to assign users rights to various aspects of their hosting environment. This saves time for the hosting provider and allows clients to receive a wider variety of features without the hosting provider having to set these up for each individual client. These include web support, adding features to web sites, domain control, DNS control, email account control, spam filtering, virus filtering and other features. While cPanel and Plesk are not the only products that allow for these types of functions, they have risen to be what most sites now use.
• Webmin is an open source solution that allows for managing web sites, DNS, email, spam filtering and virus filtering from a web portal. Webmin is not meant specifically to be used in a web hosting environment, but it can be used to obtain some of the features that are available in the commercial packages, cPanel and Plesk.

One of the main reasons that many web-hosting ventures don’t work out is support. When we think of supporting clients in a web-hosting environment we typically think of the phone calls where we help the clients troubleshoot FTP, mail and web issues. But the overall level of support that you provide for your clients also includes setting up email accounts, web features and other settings that they could set up themselves. The first time they need to do this they may call, but if you have a support department that is dedicated to helping them use the tools you provide, you can drastically cut down the support calls you receive.

Rather than just offering tools that help users on a technical level, the makers of Plesk also offer tools to help run your entire web hosting company. HSPcomplete integrates billing, provisioning and marketing using control panels that integrate with their Plesk control panel. If you are planning on moving from simple web hosting into colocation for clients, you can use PEM to manage an entire data center.

Network Bandwidth Monitoring enables network administrators to identify how their network is being used. This allows for the optimization or blocking of certain network services that are creating bottlenecks. By monitoring bandwidth, web hosts are also able to plan for the future development of their network services.

Securing Your Hosting Environment
Many hosting environments are started using a single server that is plugged directly into a network port provided by a colocation company. Over time, new servers are added, but the need for a firewall to protect these servers is often overlooked. Many administrators will choose to use the firewall that is built into their servers rather than a physical firewall. Once you have a multi-server environment, it becomes important to start considering your network architecture and the security of this network. This includes patch management, firewalling, intrusion detection and security audits.

A Network Intrusion Detection System (NIDS) is a network security system designed to identify intrusive or malicious behavior by monitoring network activity; it identifies suspicious patterns that may indicate an attempt to attack, break into, or otherwise compromise a system. Many networks have a hard exterior that is tough to penetrate, because many companies have invested time and manpower to make the perimeter of their network as secure as possible using firewalls. In this scenario, if a single system is compromised, it is often easy for attackers to exploit other systems on the network. Host based Intrusion Detection Systems (IDS) help to mitigate this by scanning network traffic for known attacks.

If you are processing credit card transactions then at some point you are likely to go through an automated security audit using an application like Nessus, so the bank can limit its exposure to the legal ramifications of data theft. Whether required or not, security audits can help organizations ensure that they are meeting security best practice minimums.

Contingency planning is a critical aspect of security. Implementing industry standard tiered storage and backup procedures helps ensure that your data is fully redundant. Disaster recovery goes beyond backup and requires you to ask many questions about what you would do in certain situations. Many organizations have redundant hardware, the software required to restore in case of a failure, and redundant locations that ensure their clients the 99.999% uptime that many organizations now require in their Service Level Agreements.

Whether you are just getting started, adding new servers to your hosting environment, switching to a new colocation facility or bringing your servers in house, Three18 can help you. You are not alone. We have been there many times over and can work with you to define the systems and procedures that will get your hosting environment profitable, secure and stable.

Enable the Firewall in Mac OS X Server

Thursday, February 9th, 2006

To enable the Firewall on Mac OS X Server:
* Open Server Admin from /Utilities/Server.
* Click on the Firewall listing under the Computers and Services pane.
* Click on the Settings tab.
* Click on the Services tab (see Figure 13.x).
* Enable any services that should be allowed on the server by checking their box. If the service isn’t listed in the table, add it using the + box.
* Once all of your services have been added click on the Start Service button.

Once you have started the Firewall, you can use the Active Rules button to view what is running on your server. If you use Perl or shell scripts to update your active rules while Server Admin is open, you will need to click the Refresh button in Server Admin before the updated rules appear. You can also use the Logging tab to view what is being allowed and/or denied on the server.

Figure 13.x Enabling the Firewall on Mac OS X Server