Channel: Fix my IT system

BIG-IP audit log guide for Windows admins


One thing that I am always keen to keep track of is configuration changes made to a system and who made them.  For an administrator such as myself, who has always worked in a Windows environment, it is a bit of a daunting task to start managing log files on an F5 BIG-IP device, which is of course based on Linux.


Configuration Audit Logging
There are a few places to view and configure the log files.  Since it is advisable to make all the configuration changes in the administrative GUI we will cover this first.

  • Log into the BIG-IP administration GUI
  • Select System
  • Select Logs
  • Click Configuration
  • Scroll to the Audit Logging section
  • Change MCP to Enable
  • Change tmsh to Enable
  • Click the update button

This will now log any configuration changes made to the BIG-IP.  This kind of information is always handy when it comes to troubleshooting an issue.  More often than not it is also required by some corporate or compliance policy.

View the Audit Log


  • Log into the BIG-IP administration GUI
  • Select System
  • Select Logs
  • Select Audit
  • Select List


This will give you a screen with a few log entries in it.  The search feature is basic but allows you to find the changes you are probably looking for.

By specifying DB_VARIABLE in the search box it will return configuration change entries.

Filtering the Audit Log
This screen allows you to filter your results by Username, Date Range and an Event term such as DB_VARIABLE.


  • Log into the BIG-IP administration GUI
  • Select System
  • Select Logs
  • Select Audit
  • Select Search from the drop down Menu



Using the Command Line Tools

TMSH

  • Use your SSH client and connect to the BIG-IP
  • Log in as root
  • tmsh
  • show sys log


This will list the available logs that you can view.

  • show sys log audit

This will open the log file for viewing.  The most recent events are right at the bottom.  You can scroll through the log and exit from the log file by pressing q.


Viewing the log through this method can be useful to track the most recent changes, but it does not allow you to specify a filter as you could in the GUI.

Filter the log from the CLI


  • Use your SSH client and connect to the BIG-IP
  • Log in as root
  • cd /var/log
  • ls

This will show you the list of files; most of these are log files.  You will be able to correlate the logs to the files by looking at the show sys log output from earlier.



To simply view the audit log you can use

  • cat audit | more

This will again open the log, and you will be able to scroll through it line by line: press Enter to scroll and q to exit.

To filter the events you can use

  • grep -e DB_VARIABLE audit | more

Exporting the file to Excel
If you want to really interrogate the log file there is no better way than to import it into Excel.

Get the file onto your PC
To do this you need to copy the file off the BIG-IP.  I found that the easiest way is to use an app called WinSCP: http://winscp.net/eng/download.php


  • Start WinSCP
  • Select SCP as the protocol
  • Specify the hostname
  • Specify root as the username and its password
  • Click login


This will now bring up a familiar side by side file system view.

  • On the left browse to your folder where you want to copy the files to
  • On the right hand side browse to /var/log
  • You will now see all the log files
  • Select and drag the audit file from the BIG-IP onto the local drive


Import the file

  • Open Excel
  • Select File, then Open
  • Select the audit file
  • Select delimited
  • Specify the delimiter as Space
  • Check Treat consecutive delimiters as one

You will now have the entire log file imported and you can filter and manipulate to your heart's content.



NOTE:  If there are multiple audit.n.gz files these need to be imported too to get more historic log data.  You can use 7-Zip to decompress the files so you can import them to Excel.
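For admins who would rather stay in PowerShell than hand the file to Excel, here is an added example (not code from the original post or from F5) that parses a copied audit file, including the rotated audit.n.gz files, into objects and applies the same three filters the GUI offers: Username, Date Range and an Event term. It assumes the syslog-style line layout "Mon DD HH:MM:SS host level proc[pid]: message" with the user appearing as "user=<name>" or "user <name>"; the sample lines are constructed for the demo and may differ from what your version writes, and since syslog lines carry no year one is passed in.

```powershell
# Added example: parse a BIG-IP /var/log/audit file (plain or .gz) in PowerShell.
# Function names, the line layout and the sample lines are my own assumptions.

function ConvertFrom-BigIpAuditLine {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)][AllowEmptyString()][string]$Line,
        [int]$Year = (Get-Date).Year    # syslog lines carry no year
    )
    process {
        $pattern = '^(?<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?<host>\S+) (?<level>\S+) (?<proc>[^\[:\s]+)(?:\[(?<pid>\d+)\])?: (?<msg>.*)$'
        if ($Line -notmatch $pattern) { return }     # blank or unrecognised line: skip it
        $m = $Matches                                 # keep a copy; the next -match overwrites $Matches
        $stamp = [datetime]::ParseExact("$Year $($m.ts -replace '\s+', ' ')", 'yyyy MMM d HH:mm:ss',
                                        [cultureinfo]::InvariantCulture)
        $user = $null
        if ($m.msg -match '(?:user=|user )([^\s,]+)') { $user = $Matches[1] }
        $procId = $null
        if ($m.pid) { $procId = [int]$m.pid }
        [pscustomobject]@{
            Timestamp = $stamp
            Host      = $m.host
            Level     = $m.level
            Process   = $m.proc
            ProcessId = $procId
            User      = $user
            Message   = $m.msg
        }
    }
}

function Import-BigIpAuditLog {
    # Reads audit, audit.1.gz, ... and emits parsed entries; gzip is decompressed in memory,
    # so the rotated files do not need to be unpacked with 7-Zip first.
    param([Parameter(Mandatory)][string[]]$Path, [int]$Year = (Get-Date).Year)
    foreach ($p in $Path) {
        if ($p -like '*.gz') {
            $file   = [System.IO.File]::OpenRead($p)
            $gz     = New-Object System.IO.Compression.GZipStream($file, [System.IO.Compression.CompressionMode]::Decompress)
            $reader = New-Object System.IO.StreamReader($gz)
            try {
                while ($null -ne ($line = $reader.ReadLine())) { $line | ConvertFrom-BigIpAuditLine -Year $Year }
            } finally { $reader.Dispose() }          # also closes the gzip and file streams
        } else {
            Get-Content -Path $p | ConvertFrom-BigIpAuditLine -Year $Year
        }
    }
}

# Constructed sample lines (illustrative layout, not captured from a real unit)
$sample = @'
Nov 12 09:15:02 bigip1 notice tmsh[8412]: AUDIT - pid=8412 user=admin folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify sys db ui.advisory.enabled value true
Nov 12 09:16:40 bigip1 notice mcpd[6101]: AUDIT - client tmsh, user admin - transaction #1234-2 - object 0 - modify { DB_VARIABLE { DB_VARIABLE_name "ui.advisory.text" } } [Status=Commit]
Nov 12 09:20:11 bigip1 notice tmsh[8500]: AUDIT - pid=8500 user=operator folder=/Common module=(tmos)# status=[Command OK] cmd_data=list ltm virtual
'@ -split "`r?`n"

$entries = $sample | ConvertFrom-BigIpAuditLine -Year 2013

# The same three filters the GUI's Audit > Search screen offers
$from = [datetime]'2013-11-12 00:00'
$to   = [datetime]'2013-11-13 00:00'
$entries |
    Where-Object { $_.User -eq 'admin' -and $_.Timestamp -ge $from -and $_.Timestamp -lt $to -and $_.Message -match 'DB_VARIABLE' } |
    Format-Table Timestamp, User, Process, Message -AutoSize

# Who changed what, at a glance
$entries | Group-Object User | Select-Object Name, Count

# For real files copied with WinSCP:
# Import-BigIpAuditLog -Path C:\logs\audit, C:\logs\audit.1.gz -Year 2013 | Export-Csv C:\logs\audit.csv -NoTypeInformation
```

The unparsed remainder of each line is kept in Message, so anything the regex does not understand about a particular daemon's wording is still searchable, and the Export-Csv at the end gives Excel a properly delimited file if you still want it there.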


Handy simple F5 redirect iRules

iRules are great and extremely powerful. If however you just want to dip your toes in to do a few basic redirects it can be a bit confusing.

Here are a few very basic iRules that can be used to do "the basics"

Add your domain suffix to a naked domain name

Converts: http://hostname to http://hostname.mydomain.com


when HTTP_REQUEST {
    if { not ([HTTP::host] contains ".mydomain.com") } {
        HTTP::redirect "http://[HTTP::host].mydomain.com[HTTP::uri]"
    }
}

Add domain suffix and change HTTP to HTTPS

Converts: http://hostname to https://hostname.mydomain.com


when HTTP_REQUEST {
    if { not ([HTTP::host] contains ".mydomain.com") } {
        # redirect to https, not http, so the scheme changes along with the suffix
        HTTP::redirect "https://[HTTP::host].mydomain.com[HTTP::uri]"
    }
}

Change HTTP to HTTPS

Converts: http://any/any to https://any/any


when HTTP_REQUEST {
    # getfield strips any :port from the Host header before rebuilding the URL
    HTTP::redirect "https://[getfield [HTTP::host] ":" 1][HTTP::uri]"
}

Specify a default landing page


Converts: http://mysite/ to http://mysite/default/defaultpage.aspx

when HTTP_REQUEST {
    HTTP::redirect "http://[getfield [HTTP::host] ":" 1]/default/defaultpage.aspx"
}



Custom 404 response

Converts: https://mysite.mydomain.com/broken-link to https://mysite.mydomain/sorrypage.aspx


when HTTP_RESPONSE {
    if { [HTTP::status] == 404 } {
        # the sorry page itself must not return a 404, or this redirect loops
        HTTP::redirect "https://mysite.mydomain/sorrypage.aspx"
    }
}


Those are just the very basics that you would probably be looking for, to be able to do in the management GUI.


Some more info:
https://devcentral.f5.com/wiki/iRules.HomePage.ashx
http://fir3net.com/Big-IP-F5-LTM/irule-examples.html




F5 BIG-IP configuring HTTP and HTTPS monitors 101

HTTP monitors verify that a site is not only up but that it is actually functional.  Monitors can be very basic or they can get rather involved.  Because they do more than a basic check they are classified as Extended Content Verification (ECV) monitors.  The steps below will show you the basics of how to configure your own HTTP monitors that are tailored to your specific site.

Before you begin configuring a monitor you need to know some things about the site's behaviour.  You will need an HTTP sniffer tool for this, such as HttpWatch, Firebug or the developer tools in IE and Chrome.  It will allow you to see the various strings you will use in the monitor.

The two fields that are most commonly used and changed are the Send String and the Receive String.  To really simplify, it is a GET and RESPONSE pair.  If the response from the server matches the response we configure in the monitor the site is marked as up.

For this example we will use the BIG-IP management GUI site.

Send String
The "Send String" sends a GET request to the web server.  To see an example of the GET request, start up your browser and HTTP sniffer, start recording and browse to the site's landing page.

If we have a look at the request following the redirect we will see the following:



The Request or Sent header contains the following request line

GET /tmui/login.jsp HTTP/1.1

We will change this string slightly to be used in the monitor

First we trim down the request to GET /tmui/login.jsp, then we add \r\n (\r is the Carriage Return and \n the Line Feed), so the final send string is:

GET /tmui/login.jsp \r\n

Receive String
If no Receive String is specified, any response is deemed successful.

If we look at the response body or content we can see the reply content.  We can use some of this to populate our receive string.  Try to use a unique string from the response, keeping in mind that a failed response sent from the server may contain some of the same strings.



We will use the following as the receive string

// Display error modal if necessary

If you apply the monitor to a pool you will now see that the pool and its member are indicated as UP.  Another, more generic, way of configuring monitors is to use the result code as your receive string, such as


HTTP/1.0 200 OK
HTTP/1.0 302 Found

Or to indicate a failure

HTTP/1.0 404 Not Found


Marking a node as offline or down
There is additional functionality we can use in the monitor.  Both of these will indicate that the node or pool is not functioning.

Setting the Reverse option to Yes will mark the node as offline if the receive string matches.  As an example you would use the 404 header with Reverse.

Marking a node as disabled
Another nice feature to have available is the Receive Disable string.  When this string is received from the node, the node itself is set to a disabled state.  When a node is set to disabled it will have to be manually enabled again.



Interval and Time out
F5 recommends setting your interval and time-out ratio to 3n+1.  This means that three requests will have to be dropped before it is marked as down.  Depending on your site and the send and receive content you specify you may want to change the values, but keep the ratio in mind when doing so.

Putting it all together
So when we put it all together it will look as follows:


Once you understand the basics of how these work you can start building your own, more specific, monitors that really check the availability of a web application as opposed to just the state of the web server.
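To try a Send String / Receive String pair from a Windows admin box before committing it to a monitor, here is an added example (not code from the original post or from F5). It sends the string over a plain TCP connection, derives the timeout from the interval with the 3n+1 rule, and evaluates the response the way the post describes the monitor doing it: Receive String match means UP, Reverse flips that, Receive Disable match means DISABLED, and no Receive String means any response is UP. Function names are my own, HTTPS monitors are not covered (the probe speaks plain HTTP only), and when a response matches both the Receive and the Receive Disable string this example lets the Receive String win, which is my assumption rather than something the post states.

```powershell
# Added example: evaluate an ECV-style Send/Receive pair from PowerShell.
# Names, the verdict ordering and the sample responses are my own assumptions.

function Get-EcvVerdict {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Response,
        [string]$Receive = '',
        [string]$ReceiveDisable = '',
        [switch]$Reverse
    )
    if ($Response -eq '') { return 'DOWN' }              # nothing came back before the timeout
    $disable = ($ReceiveDisable -ne '') -and $Response.Contains($ReceiveDisable)
    if ($Receive -eq '') {                               # no Receive String: any response is success
        if ($disable) { return 'DISABLED' } else { return 'UP' }
    }
    $matched = $Response.Contains($Receive)
    if ($Reverse) { $matched = -not $matched }           # Reverse = Yes: a match marks the node offline
    if ($matched) { return 'UP' }                        # Receive String wins over Receive Disable (assumption)
    if ($disable) { return 'DISABLED' }
    return 'DOWN'
}

function Invoke-EcvProbe {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 80,
        [Parameter(Mandatory)][string]$Send,             # e.g. the post's "GET /tmui/login.jsp `r`n"
        [string]$Receive = '',
        [string]$ReceiveDisable = '',
        [switch]$Reverse,
        [int]$Interval = 5                               # seconds; timeout follows the 3n+1 rule
    )
    $timeoutSeconds = 3 * $Interval + 1
    $timeoutMs = $timeoutSeconds * 1000
    $client = New-Object System.Net.Sockets.TcpClient
    $response = ''
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($timeoutMs)) {  # connect within the timeout, else $response stays empty
            $client.EndConnect($async)
            $stream = $client.GetStream()
            $stream.ReadTimeout = $timeoutMs
            $bytes = [System.Text.Encoding]::ASCII.GetBytes($Send)
            $stream.Write($bytes, 0, $bytes.Length)
            $reader = New-Object System.IO.StreamReader($stream)
            try { $response = $reader.ReadToEnd() } catch [System.IO.IOException] { $response = '' }  # read timeout
        }
    } finally { $client.Close() }
    [pscustomobject]@{
        Server         = $Server
        Status         = Get-EcvVerdict -Response $response -Receive $Receive -ReceiveDisable $ReceiveDisable -Reverse:$Reverse
        TimeoutSeconds = $timeoutSeconds
        Response       = $response
    }
}

# Constructed responses standing in for what the sniffer showed (no network needed)
$loginPage = "HTTP/1.0 200 OK`r`nContent-Type: text/html`r`n`r`n<script>// Display error modal if necessary</script>"
$notFound  = "HTTP/1.0 404 Not Found`r`n`r`n<html>Not Found</html>"
$maint     = "HTTP/1.0 200 OK`r`n`r`n<html>MAINTENANCE</html>"

Get-EcvVerdict -Response $loginPage -Receive '// Display error modal if necessary'                 # unique string from the login page
Get-EcvVerdict -Response $notFound  -Receive 'HTTP/1.0 404 Not Found' -Reverse                      # the 404 header used with Reverse
Get-EcvVerdict -Response $maint     -Receive '// Display error modal' -ReceiveDisable 'MAINTENANCE' # only the disable string matches
Get-EcvVerdict -Response ''         -Receive 'HTTP/1.0 200 OK'                                      # empty response: timed out

# Against a real server, with the post's send string (BIGIP01 is a placeholder name):
# Invoke-EcvProbe -Server 'BIGIP01' -Port 80 -Send "GET /tmui/login.jsp `r`n" -Receive '// Display error modal if necessary'
```

Running the four constructed cases shows each verdict the post describes without touching a live server; point Invoke-EcvProbe at a test pool member to confirm the strings you picked from the sniffer actually appear in what the server sends back.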


Attack surface comparison for Server 2012 editions

With Windows Server 2012 Microsoft has done a great job of simplifying the features and capabilities of the server platform.  Essentially there are no longer any functional differences between Standard Edition and Datacenter Edition.

There are however still a few options to consider.  The table below covers the different deployment options and the default attack / patching surface of a default installation.

The different options we will compare are:

  • Full install with all the GUI components
  • Full install with GUI components removed with PowerShell (Full - GUI)
  • Core install
  • Windows Hyper-V Server 2012

The table below shows the various role and feature options with respect to installation.  The states are as follows:

  • Installed : Role is installed and active
  • Available: Role is available and ready for installation
  • Removed:  Role is available for installation from external installation media
  • N/A : Role or feature is not available for the platform




Role / Feature | Full | Full - GUI | Core | Hyper-V
(N/A: no entry for that platform in the original table)
Active Directory Certificate Services | Available | Available | Available | N/A
---> Certification Authority | Available | Available | Available | N/A
---> Certificate Enrollment Policy Web Service | Available | Available | Available | N/A
---> Certificate Enrollment Web Service | Available | Available | Available | N/A
---> Certification Authority Web Enrollment | Available | Available | Available | N/A
---> Network Device Enrollment Service | Available | Available | Available | N/A
---> Online Responder | Available | Available | Available | N/A
Active Directory Domain Services | Available | Available | Available | N/A
Active Directory Federation Services | Available | Available | Removed | N/A
---> Federation Service | Available | Available | Removed | N/A
---> AD FS 1.1 Web Agents | Available | Available | Removed | N/A
---> AD FS 1.1 Claims-aware Agent | Available | Available | Removed | N/A
---> AD FS 1.1 Windows Token-based Agent | Available | Available | Removed | N/A
---> Federation Service Proxy | Available | Available | Removed | N/A
Active Directory Lightweight Directory Services | Available | Available | Available | N/A
Active Directory Rights Management Services | Available | Available | Available | N/A
---> Active Directory Rights Management Server | Available | Available | Available | N/A
---> Identity Federation Support | Available | Available | Removed | N/A
Application Server | Available | Available | Removed | N/A
---> .NET Framework 4.5 | Available | Available | Removed | N/A
---> COM+ Network Access | Available | Available | Removed | N/A
---> Distributed Transactions | Available | Available | Removed | N/A
---> WS-Atomic Transactions | Available | Available | Removed | N/A
---> Incoming Network Transactions | Available | Available | Removed | N/A
---> Outgoing Network Transactions | Available | Available | Removed | N/A
---> TCP Port Sharing | Available | Available | Removed | N/A
---> Web Server (IIS) Support | Available | Available | Removed | N/A
---> Windows Process Activation Service Support | Available | Available | Removed | N/A
---> HTTP Activation | Available | Available | Removed | N/A
---> Message Queuing Activation | Available | Available | Removed | N/A
---> Named Pipes Activation | Available | Available | Removed | N/A
---> TCP Activation | Available | Available | Removed | N/A
DHCP Server | Available | Available | Available | N/A
DNS Server | Available | Available | Available | N/A
Fax Server | Available | Removed | Removed | N/A
File And Storage Services | Installed | Installed | Installed | Installed
---> File and iSCSI Services | Available | Available | Available | Available
---> File Server | Available | Available | Available | Available
---> BranchCache for Network Files | Available | Available | Available | N/A
---> Data Deduplication | Available | Available | Available | N/A
---> DFS Namespaces | Available | Available | Available | N/A
---> DFS Replication | Available | Available | Available | N/A
---> File Server Resource Manager | Available | Available | Available | N/A
---> File Server VSS Agent Service | Available | Available | Available | N/A
---> iSCSI Target Server | Available | Available | Available | N/A
---> iSCSI Target Storage Provider (VDS and V... | Available | Available | Available | N/A
---> Server for NFS | Available | Available | Available | N/A
Storage Services | Installed | Installed | Installed | Installed
Hyper-V | Available | Available | Available | Installed
Network Policy and Access Services | Available | Available | Removed | N/A
---> Network Policy Server | Available | Available | Removed | N/A
---> Health Registration Authority | Available | Available | Removed | N/A
---> Host Credential Authorization Protocol | Available | Available | Removed | N/A
Print and Document Services | Available | Available | Available | N/A
---> Print Server | Available | Available | Available | N/A
---> Distributed Scan Server | Available | Available | Removed | N/A
---> Internet Printing | Available | Available | Removed | N/A
---> LPD Service | Available | Available | Available | N/A
Remote Access | Available | Available | Available | N/A
---> DirectAccess and VPN (RAS) | Available | Available | Available | N/A
---> Routing | Available | Available | Available | N/A
Remote Desktop Services | Available | Available | Available | Available
---> Remote Desktop Connection Broker | Available | Available | Available | N/A
---> Remote Desktop Gateway | Available | Available | Removed | N/A
---> Remote Desktop Licensing | Available | Available | Available | N/A
---> Remote Desktop Session Host | Available | Available | Removed | N/A
---> Remote Desktop Virtualization Host | Available | Available | Available | Available
---> Remote Desktop Web Access | Available | Available | Removed | N/A
Volume Activation Services | Available | Available | Available | N/A
Web Server (IIS) | Available | Available | Available | N/A
---> Web Server | Available | Available | Available | N/A
---> Common HTTP Features | Available | Available | Available | N/A
---> Default Document | Available | Available | Available | N/A
---> Directory Browsing | Available | Available | Available | N/A
---> HTTP Errors | Available | Available | Available | N/A
---> Static Content | Available | Available | Available | N/A
---> HTTP Redirection | Available | Available | Available | N/A
---> WebDAV Publishing | Available | Available | Available | N/A
---> Health and Diagnostics | Available | Available | Available | N/A
---> HTTP Logging | Available | Available | Available | N/A
---> Custom Logging | Available | Available | Available | N/A
---> Logging Tools | Available | Available | Available | N/A
---> ODBC Logging | Available | Available | Available | N/A
---> Request Monitor | Available | Available | Available | N/A
---> Tracing | Available | Available | Available | N/A
---> Performance | Available | Available | Available | N/A
---> Static Content Compression | Available | Available | Available | N/A
---> Dynamic Content Compression | Available | Available | Available | N/A
---> Security | Available | Available | Available | N/A
---> Request Filtering | Available | Available | Available | N/A
---> Basic Authentication | Available | Available | Available | N/A
---> Centralized SSL Certificate Support | Available | Available | Available | N/A
---> Client Certificate Mapping Authentic... | Available | Available | Available | N/A
---> Digest Authentication | Available | Available | Available | N/A
---> IIS Client Certificate Mapping Authe... | Available | Available | Available | N/A
---> IP and Domain Restrictions | Available | Available | Available | N/A
---> URL Authorization | Available | Available | Available | N/A
---> Windows Authentication | Available | Available | Available | N/A
---> Application Development | Available | Available | Available | N/A
---> .NET Extensibility 3.5 | Available | Available | Available | N/A
---> .NET Extensibility 4.5 | Available | Available | Available | N/A
---> Application Initialization | Available | Available | Available | N/A
---> ASP | Available | Available | Available | N/A
---> ASP.NET 3.5 | Available | Available | Available | N/A
---> ASP.NET 4.5 | Available | Available | Available | N/A
---> CGI | Available | Available | Available | N/A
---> ISAPI Extensions | Available | Available | Available | N/A
---> ISAPI Filters | Available | Available | Available | N/A
---> Server Side Includes | Available | Available | Available | N/A
---> WebSocket Protocol | Available | Available | Available | N/A
---> FTP Server | Available | Available | Available | N/A
---> FTP Service | Available | Available | Available | N/A
---> FTP Extensibility | Available | Available | Available | N/A
---> IIS Hostable Web Core | Available | Available | Available | N/A
---> Management Tools | Available | Available | Available | N/A
---> IIS Management Console | Available | Available | Removed | N/A
---> IIS 6 Management Compatibility | Available | Available | Available | N/A
---> IIS 6 Metabase Compatibility | Available | Available | Available | N/A
---> IIS 6 Management Console | Available | Available | Removed | N/A
---> IIS 6 Scripting Tools | Available | Available | Available | N/A
---> IIS 6 WMI Compatibility | Available | Available | Available | N/A
---> IIS Management Scripts and Tools | Available | Available | Available | N/A
---> Management Service | Available | Available | Available | N/A
Windows Deployment Services | Available | Available | Removed | N/A
---> Deployment Server | Available | Available | Removed | N/A
---> Transport Server | Available | Available | Removed | N/A
Windows Server Update Services | Available | Available | Available | N/A
---> WID Database | Available | Available | Available | N/A
---> WSUS Services | Available | Available | Available | N/A
---> Database | Available | Available | Available | N/A
.NET Framework 3.5 Features | Available | Available | Available | Available
---> .NET Framework 3.5 (includes .NET 2.0 and 3.0) | Removed | Removed | Removed | Removed
---> HTTP Activation | Available | Available | Available | N/A
---> Non-HTTP Activation | Available | Available | Available | N/A
.NET Framework 4.5 Features | Installed | Installed | Installed | Installed
---> .NET Framework 4.5 | Installed | Installed | Installed | Installed
---> ASP.NET 4.5 | Available | Available | Available | Available
---> WCF Services | Installed | Installed | Installed | N/A
---> HTTP Activation | Available | Available | Available | N/A
---> Message Queuing (MSMQ) Activation | Available | Available | Available | N/A
---> Named Pipe Activation | Available | Available | Available | N/A
---> TCP Activation | Available | Available | Available | N/A
---> TCP Port Sharing | Installed | Installed | Installed | N/A
Background Intelligent Transfer Service (BITS) | Available | Available | Available | Available
---> IIS Server Extension | Available | Available | Removed | N/A
---> Compact Server | Available | Available | Available | Available
BitLocker Drive Encryption | Available | Available | Available | Available
BitLocker Network Unlock | Available | Available | Removed | N/A
BranchCache | Available | Available | Available | N/A
Client for NFS | Available | Available | Available | N/A
Data Center Bridging | Available | Available | Available | Available
Enhanced Storage | Available | Available | Available | Available
Failover Clustering | Available | Available | Available | Available
Group Policy Management | Available | Available | Available | N/A
Ink and Handwriting Services | Available | Available | Removed | N/A
Internet Printing Client | Available | Available | Removed | N/A
IP Address Management (IPAM) Server | Available | Available | Removed | N/A
iSNS Server service | Available | Available | Available | N/A
LPR Port Monitor | Available | Available | Removed | N/A
Management OData IIS Extension | Available | Available | Available | N/A
Media Foundation | Available | Available | Available | Available
Message Queuing | Available | Available | Available | N/A
---> Message Queuing Services | Available | Available | Available | N/A
---> Message Queuing Server | Available | Available | Available | N/A
---> Directory Service Integration | Available | Available | Available | N/A
---> HTTP Support | Available | Available | Available | N/A
---> Message Queuing Triggers | Available | Available | Available | N/A
---> Multicasting Support | Available | Available | Available | N/A
---> Routing Service | Available | Available | Available | N/A
---> Message Queuing DCOM Proxy | Available | Available | Available | N/A
Multipath I/O | Available | Available | Available | Available
Network Load Balancing | Available | Available | Available | N/A
Peer Name Resolution Protocol | Available | Available | Available | N/A
Quality Windows Audio Video Experience | Available | Available | Available | N/A
RAS Connection Manager Administration Kit (CMAK) | Available | Available | Removed | N/A
Remote Assistance | Available | Available | Removed | N/A
Remote Differential Compression | Available | Available | Available | N/A
Remote Server Administration Tools | Available | Available | Available | Available
---> Feature Administration Tools | Available | Available | Available | Available
---> SMTP Server Tools | Available | Available | Removed | N/A
---> BitLocker Drive Encryption Administratio... | Available | Available | Available | Available
---> BitLocker Drive Encryption Tools | Available | Available | Removed | N/A
---> BitLocker Recovery Password Viewer | Available | Available | Removed | N/A
---> BITS Server Extensions Tools | Available | Available | Removed | N/A
---> Failover Clustering Tools | Available | Available | Available | Available
---> Failover Cluster Management Tools | Available | Available | Removed | N/A
---> Failover Cluster Module for Windows ... | Available | Available | Available | Available
---> Failover Cluster Automation Server | Available | Available | Available | Available
---> Failover Cluster Command Interface | Available | Available | Available | Available
---> IP Address Management (IPAM) Client | Available | Available | Removed | N/A
---> Network Load Balancing Tools | Available | Available | Removed | N/A
---> SNMP Tools | Available | Available | Removed | N/A
---> Windows System Resource Manager RSAT [De... | Available | Available | Removed | N/A
---> WINS Server Tools | Available | Available | Removed | N/A
---> Role Administration Tools | Available | Available | Available | Available
---> AD DS and AD LDS Tools | Available | Available | Available | N/A
---> Active Directory module for Windows ... | Available | Available | Available | N/A
---> AD DS Tools | Available | Available | Available | N/A
---> Active Directory Administrative ... | Available | Available | Available | N/A
---> AD DS Snap-Ins and Command-Line ... | Available | Available | Available | N/A
---> Server for NIS Tools [DEPRECATED] | Available | Available | Removed | N/A
---> AD LDS Snap-Ins and Command-Line Tools | Available | Available | Available | N/A
---> Hyper-V Management Tools | Available | Available | Available | Available
---> Hyper-V GUI Management Tools | Available | Available | Removed | N/A
---> Hyper-V Module for Windows PowerShell | Available | Available | Available | Available
---> Remote Desktop Services Tools | Available | Available | Removed | N/A
---> Remote Desktop Gateway Tools | Available | Available | Removed | N/A
---> Remote Desktop Licensing Diagnoser T... | Available | Available | Removed | N/A
---> Remote Desktop Licensing Tools | Available | Available | Removed | N/A
---> Windows Server Update Services Tools | Available | Available | Available | N/A
---> API and PowerShell cmdlets | Available | Available | Available | N/A
---> User Interface Management Console | Available | Available | Removed | N/A
---> Active Directory Certificate Services Tools | Available | Available | Removed | N/A
---> Certification Authority Management T... | Available | Available | Removed | N/A
---> Online Responder Tools | Available | Available | Removed | N/A
---> Active Directory Rights Management Servi... | Available | Available | Removed | N/A
---> DHCP Server Tools | Available | Available | Removed | N/A
---> DNS Server Tools | Available | Available | Available | N/A
---> Fax Server Tools | Available | Removed | Removed | N/A
---> File Services Tools | Available | Available | Removed | N/A
---> DFS Management Tools | Available | Available | Removed | N/A
---> File Server Resource Manager Tools | Available | Available | Removed | N/A
---> Services for Network File System Man... | Available | Available | Removed | N/A
---> Share and Storage Management Tool | Available | Available | Removed | N/A
---> Network Policy and Access Services Tools | Available | Available | Removed | N/A
---> Print and Document Services Tools | Available | Available | Removed | N/A
---> Remote Access Management Tools | Available | Available | Available | N/A
---> Remote Access GUI and Command-Line T... | Available | Removed | Removed | N/A
---> Remote Access module for Windows Pow... | Available | Available | Available | N/A
---> Volume Activation Tools | Available | Available | Removed | N/A
---> Windows Deployment Services Tools | Available | Available | Removed | N/A
RPC over HTTP Proxy | Available | Available | Available | N/A
Simple TCP/IP Services | Available | Available | Removed | N/A
SMTP Server | Available | Available | Removed | N/A
SNMP Service | Available | Available | Available | Available
---> SNMP WMI Provider | Available | Available | Available | Available
Subsystem for UNIX-based Applications [Deprecated] | Available | Available | Available | N/A
Telnet Client | Available | Available | Available | Available
Telnet Server | Available | Available | Removed | N/A
TFTP Client | Available | Available | Removed | N/A
User Interfaces and Infrastructure | Installed | Available | Installed | N/A
---> Graphical Management Tools and Infrastructure | Installed | Available | Removed | N/A
---> Desktop Experience | Available | Removed | Removed | N/A
---> Server Graphical Shell | Installed | Removed | Removed | N/A
Windows Biometric Framework | Available | Available | Removed | N/A
Windows Feedback Forwarder | Available | Available | Available | Available
Windows Identity Foundation 3.5 | Available | Available | Removed | N/A
Windows Internal Database | Available | Available | Available | N/A
Windows PowerShell | Installed | Installed | Installed | Installed
---> Windows PowerShell 3.0 | Installed | Installed | Installed | Installed
---> Windows PowerShell 2.0 Engine | Removed | Removed | Removed | Available
---> Windows PowerShell ISE | Installed | Available | Removed | N/A
---> Windows PowerShell Web Access | Available | Available | Available | N/A
Windows Process Activation Service | Available | Available | Available | N/A
---> Process Model | Available | Available | Available | N/A
---> .NET Environment 3.5 | Available | Available | Available | N/A
---> Configuration APIs | Available | Available | Available | N/A
Windows Search Service | Available | Removed | Removed | N/A
Windows Server Backup | Available | Available | Available | Available
Windows Server Migration Tools | Available | Available | Available | N/A
Windows Standards-Based Storage Management | Available | Available | Available | Available
Windows System Resource Manager [Deprecated] | Available | Available | Removed | N/A
Windows TIFF IFilter | Available | Available | Removed | N/A
WinRM IIS Extension | Available | Available | Available | N/A
WINS Server | Available | Available | Available | N/A
Wireless LAN Service | Available | Available | Removed | N/A
WoW64 Support | Installed | Installed | Installed | Available
XPS Viewer | Available | Available | Removed | N/A


Even though the remote management of the different deployments is very similar, the actual footprint of the server can be very different.  With all the enhancements in management that came with Server 2012 you need a really good reason to use Core as opposed to a full install.  Keep in mind that a "removed" role or feature can still be installed.  This is probably why Core is the default installation choice.

Hyper-V Server also shows off just how thin it really is, but it still packs a load of functionality into a very tidy (and free) package.


Windows Server 2012 Core Management step by step

One of the barriers to entry for Windows Server 2008 R2 Core was the fact that managing it was technically difficult.  With Server 2012 things are much simpler.  I will take you through installing and adding management functionality, right up to the point where you are actually running the full GUI version.

Lab Setup
My management machine is Windows Server Standard (full GUI) with the Hyper-V role enabled.
The test machine is a virtual machine on this host.
For the sake of keeping script and install paths simple I have left the install ISO attached to the virtual machine as its D: drive.

Getting Up and Running
During the initial installation phase you will notice that the "Server Core Installation" is now the default.  Once the installation finishes and you set the password and log in, you are presented with a single command shell.


Step 1 the "sconfig" utility
The easiest way to get your machine added to the network and the domain is to use sconfig from the command prompt.  Below is a screenshot of the sconfig utility.  It presents a simple text-based interface to perform the essential configuration, such as joining the domain, changing the computer name and configuring the network interface.



By default you will notice that "Configure Remote Management" is enabled.  This is important as we will use this later.  Once the server is joined to the domain it can be managed remotely  without further need to interact with the machine directly.

Step 2 Server Manager
From the management server with the full GUI, or from a Windows 8 machine with the Remote Server Administration Tools (RSAT) installed, you can perform most administrative tasks.  (RSAT Download)
 
The following steps are all performed on the management server

  • Open the server Manager
  • From the Dashboard select option 3 "Add other servers to manage"
  • Specify the server's name and click Find Now
  • Select the server and click the > button to add it to the servers list
  • Once added you can select All Servers from Server Manager

You will now see the core machine listed
The status by default will be "Online - Performance counters not started"

  • Right Click the server and select computer management

This will fail and present you with the following error


To resolve this we will use some PowerShell commands to remotely set the firewall rules.

  • Right Click the server and select Windows PowerShell




The shell that opens is a remote shell on the Windows Server Core machine.

Execute the following commands


  • Enable-NetFirewallRule -DisplayGroup "Remote Service Management"
  • Enable-NetFirewallRule -DisplayGroup "Remote Event Log Management"
  • Enable-NetFirewallRule -DisplayGroup "COM+ Remote Administration"
  • Enable-NetFirewallRule -DisplayGroup "COM+ Network Access"
* Note * At this point the COM+ rules may not be present, but as you will see they might come in handy later.


Or you can string them all together
  • Enable-NetFirewallRule -DisplayGroup "Remote Service Management","Remote Event Log Management","COM+ Remote Administration","COM+ Network Access"

If you attempt to use computer management now it will succeed.
  • At this point you can also Right click the server and select "Start Performance Counters"
This will now change the server status to Online
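The four Enable-NetFirewallRule commands above are all you need, but Enable-NetFirewallRule errors out on a display group that does not exist yet (the note above says the COM+ groups may be absent). As an added example, not code from the original post, here is a function that runs the same enablement from the management server over the remote shell, skips groups that are not present, and reports how many rules in each group ended up enabled so you can verify the result. The server name is a placeholder and the function name is my own.

```powershell
# Added example: enable the post's remote-management rule groups on a Core server
# from the management server, tolerating missing groups and verifying the result.
# Names are my own; 'CORE01' is a placeholder for your Core server.

function Enable-RemoteManagementRules {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string[]]$DisplayGroup = @(
            'Remote Service Management',
            'Remote Event Log Management',
            'COM+ Remote Administration',
            'COM+ Network Access'
        )
    )
    # (,$DisplayGroup) passes the whole array as one argument to the remote script block
    Invoke-Command -ComputerName $ComputerName -ArgumentList (,$DisplayGroup) -ScriptBlock {
        param([string[]]$Groups)
        foreach ($g in $Groups) {
            $rules = Get-NetFirewallRule -DisplayGroup $g -ErrorAction SilentlyContinue
            if (-not $rules) {
                # group not present on this server (e.g. COM+ before those features are installed)
                [pscustomobject]@{ Group = $g; Rules = 0; Enabled = 0; Note = 'group not present' }
                continue
            }
            $rules | Enable-NetFirewallRule
            $after = @(Get-NetFirewallRule -DisplayGroup $g)
            [pscustomobject]@{
                Group   = $g
                Rules   = $after.Count
                Enabled = @($after | Where-Object { "$($_.Enabled)" -eq 'True' }).Count
                Note    = ''
            }
        }
    }
}

Enable-RemoteManagementRules -ComputerName 'CORE01' |
    Format-Table Group, Rules, Enabled, Note -AutoSize

# Check what the rules now allow in, rather than trusting the group names
Get-NetFirewallRule -CimSession 'CORE01' -DisplayGroup 'COM+ Network Access' |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
```

The COM+ Network Access group is the one that opens DCOM (TCP 135 plus the RPC dynamic range) to whatever the rules' profile allows; if your policy wants that limited to the management network, Set-NetFirewallRule -RemoteAddress on those rules is the tightening to apply after enabling them.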


Step 3 Adding and Removing Roles and Features
Since we will be adding and removing features it is a good idea to have a look at the Windows features in PowerShell from time to time.

 Get-WindowsFeature

This will give you the list of all the installed and available Roles and Features.



If you look at the Web Server role you will see that it is marked as Available.  This means that we can simply add the roles and features through the Server Manager GUI on our "Management Server".

If however you select a Role or feature that is indicated as Removed you will have to specify installation media to use.

For a list of what is available in the different versions check out http://fixmyitsystem.com/2012/11/attack-surface-comparison-for-server.html
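The comparison table in the attack-surface post linked above can be produced from Get-WindowsFeature rather than by hand. As an added example, not code from either post, the functions below query each server remotely, count what is Installed, Available and Removed (the same three states the table uses), line the servers up side by side, and list what is actually installed on the Core box, which is the part that carries the patching surface. Server names are placeholders and function names are my own.

```powershell
# Added example: build an Installed / Available / Removed comparison across servers
# with Get-WindowsFeature. 'FULL01' and 'CORE01' are placeholder server names.

function Get-FeatureStateSummary {
    # One row per server with counts of each InstallState
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($s in $ComputerName) {
        $all = @(Get-WindowsFeature -ComputerName $s)
        [pscustomobject]@{
            Server    = $s
            Installed = @($all | Where-Object { "$($_.InstallState)" -eq 'Installed' }).Count
            Available = @($all | Where-Object { "$($_.InstallState)" -eq 'Available' }).Count
            Removed   = @($all | Where-Object { "$($_.InstallState)" -eq 'Removed' }).Count
        }
    }
}

function Get-FeatureStateMatrix {
    # One row per feature, one column per server (like the table in the attack-surface post)
    param([Parameter(Mandatory)][string[]]$ComputerName)
    $states  = @{}   # feature name -> @{ server -> state }
    $display = @{}
    foreach ($s in $ComputerName) {
        foreach ($f in Get-WindowsFeature -ComputerName $s) {
            if (-not $states.ContainsKey($f.Name)) {
                $states[$f.Name]  = @{}
                $display[$f.Name] = $f.DisplayName
            }
            $states[$f.Name][$s] = "$($f.InstallState)"
        }
    }
    foreach ($name in ($states.Keys | Sort-Object)) {
        $row = [ordered]@{ Feature = $display[$name]; Name = $name }
        foreach ($s in $ComputerName) {
            # a feature the cmdlet never reported on a server is N/A there
            if ($states[$name].ContainsKey($s)) { $row[$s] = $states[$name][$s] } else { $row[$s] = 'N/A' }
        }
        [pscustomobject]$row
    }
}

$servers = 'FULL01', 'CORE01'

Get-FeatureStateSummary -ComputerName $servers | Format-Table -AutoSize

# Only the features whose state differs between the two deployments
Get-FeatureStateMatrix -ComputerName $servers |
    Where-Object { $_.FULL01 -ne $_.CORE01 } |
    Format-Table -AutoSize

# What is really installed on the Core server, i.e. what you will be patching
Get-WindowsFeature -ComputerName 'CORE01' |
    Where-Object Installed |
    Select-Object Name, DisplayName
```

Running the summary after each role change gives you a simple number to track over time: the Installed count is your footprint, and an unexpected jump in it is worth a look.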


Step 4 Converting Core to full GUI
Ideally all your servers should be core, but sometimes you will need roles and features or simply functionality that is only available in the GUI.  As an example you may have a software installer that cannot be installed or configured from the command-line.

To convert from Core to the full GUI you need to add two features.  You can do this from your management server's Add Roles and Features wizard.


  • Select Role-Based or feature based installation
  • Select the server form the list
  • Select Features
  • Select User Interfaces and Infrastructure
  • --> Graphical Management Tool and Infrastructure
  • --> Server Graphical Shell

The next screen will warn you that you need to specify an alternate source path.  Click on the "Specify an alternate source path" link.


At this point things get "a little tricky": you don't simply specify the ISO location, you have to specify the installation image location.  The installation image is a WIM file and the various installation flavours (see the first image) are indexes in the image.

To get the info about this you can use PowerShell:   Get-WindowsImage -ImagePath d:\sources\install.wim

The result is as follows

  • Index 1 =  Windows Server 2012 SERVERSTANDARDCORE
  • Index 2 =  Windows Server 2012 SERVERSTANDARD
  • Index 3 = Windows Server 2012 SERVERDATACENTERCORE
  • Index 4 = Windows Server 2012 SERVERDATACENTER


Roles and Features can only be installed from an image that contains them, so in this case you cannot choose the Core version.  Therefore the path you need to specify is:

WIM:D:\sources\install.wim:2

Once the installation and reboot is complete you will now have the GUI tools available to you.   Adding these components above has also converted your Core install to Full GUI install.

Step 5 Convert Full GUI back to Core
If you check the available features with the Get-WindowsFeature PowerShell cmdlet you will see that the list now matches a server with a GUI.

You may need to have the full GUI to perform initial tasks such as installing applications and configuring them.  But ultimately you want to keep your attack and patching surface as small as possible.  It is possible to reverse the steps we performed above to take a Full GUI server back down to a Core server.

This process happens completely in PowerShell:

  • Uninstall-WindowsFeature Server-Gui-Shell -Remove
  • Uninstall-WindowsFeature Server-Gui-Mgmt-Infra -Restart


There are a few options here though.  If you know that you will occasionally need the GUI, you can uninstall the GUI but leave the install files available.  To do this you uninstall the GUI features without the -Remove switch, so the payload stays on disk:


  • Uninstall-WindowsFeature Server-Gui-Shell
  • Uninstall-WindowsFeature Server-Gui-Mgmt-Infra -Restart

Step 6 The in-between-er (Min GUI)


Another permutation here is a step between Core and Full.  It is called Min GUI or Minimal Server Interface.  In this configuration you have Server Manager but you do not have the following:
  • Internet Explorer
  • Windows Explorer
  • Desktop
  • Start Screen
To get from Full GUI to Min Gui you execute the following
  • Uninstall-WindowsFeature Server-Gui-Shell -Remove
To get from CORE to Min Gui you execute the following
  • Install-WindowsFeature Server-Gui-Mgmt-Infra,Server-Gui-Shell -Restart -Source c:\mountdir\windows\winsxs
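Two helpers tie Steps 4 to 6 together, as an added example that is not code from the original post: one reports which level a server is currently at (and whether the GUI payload has been -Removed, so media would be needed), the other reads the WIM indexes and builds the WIM: source path automatically instead of reading it off the Get-WindowsImage output by hand.  It assumes the installation media is mounted as D:\; change -WimPath if it is elsewhere.

```powershell
# Added example, not from the original post: report the current GUI level of a Server 2012
# box and build the WIM: source path needed to re-add the GUI from installation media.
# Assumption: the media is mounted as D:\ (override -WimPath if it is elsewhere).

function Get-ServerGuiLevel {
    # Server-Gui-Shell = Full GUI, Server-Gui-Mgmt-Infra alone = Minimal Server Interface,
    # neither = Server Core. InstallState 'Removed' means media is needed to add it back.
    $shell = Get-WindowsFeature -Name Server-Gui-Shell
    $infra = Get-WindowsFeature -Name Server-Gui-Mgmt-Infra
    $level = if ($shell.Installed)     { 'Full GUI' }
             elseif ($infra.Installed) { 'Minimal Server Interface' }
             else                      { 'Server Core' }
    [pscustomobject]@{
        Level              = $level
        ShellState         = $shell.InstallState
        MgmtInfraState     = $infra.InstallState
        MediaNeededToAddUi = ($shell.InstallState -eq 'Removed' -or $infra.InstallState -eq 'Removed')
    }
}

function Get-GuiSourcePath {
    param([string]$WimPath = 'D:\sources\install.wim')
    # Only a non-Core image carries the GUI binaries, so skip indexes whose name ends in CORE
    $image = Get-WindowsImage -ImagePath $WimPath |
             Where-Object { $_.ImageName -notmatch 'CORE$' } |
             Select-Object -First 1
    if (-not $image) { throw "No non-Core image found in $WimPath" }
    "WIM:${WimPath}:$($image.ImageIndex)"    # e.g. WIM:D:\sources\install.wim:2
}

Get-ServerGuiLevel
# From Core back to the Full GUI when the payload has been removed:
# Install-WindowsFeature Server-Gui-Mgmt-Infra,Server-Gui-Shell -Source (Get-GuiSourcePath) -Restart
```

Run Get-ServerGuiLevel before and after each conversion; the MediaNeededToAddUi flag tells you up front whether a later Install-WindowsFeature will need the -Source path, which is exactly the case the "Removed" warning in Step 3 describes.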
Conclusion
It is easy to move between the different levels of GUI available to the operating system.  It is of course always best to have as little as possible, but sometimes that is not practical.  This article shows how you can start in one place and end in another.  All it takes are a few commands...



Quick key performance counter view with PowerShell

Windows Server 2012 makes managing a group of servers remotely much simpler.  PowerShell gives easy access to the performance counters.  Here are a few handy commands to help you check out the basics.
Get-Counter
This gives you a list of the local counters for the following:

  • Network bytes per second
  • % CPU Time
  • % RAM Used
  • Cache Fault per second
  • % Disk Time
  • Current Disk Queue Length

You will notice that each counter path is prefixed with the server's name.  You can use these paths to narrow the command down.



You can narrow this down to just % CPU and % RAM used with the following:
Get-Counter -Counter "\processor(_total)\% processor time", "\memory\% committed bytes in use"
You can get this continuously per second with the following:
Get-Counter -Counter "\processor(_total)\% processor time", "\memory\% committed bytes in use" -Continuous 
You can do the same but with updates every 5 seconds:
Get-Counter -Counter "\processor(_total)\% processor time", "\memory\% committed bytes in use" -Continuous -SampleInterval 5
Alternatively you can set how many samples you want to take:
Get-Counter -Counter "\processor(_total)\% processor time", "\memory\% committed bytes in use" -SampleInterval 2 -MaxSamples 4
This forms a nice basis for expanding this to monitoring servers remotely:
Get-Counter -Counter "\processor(_total)\% processor time", "\memory\% committed bytes in use" -SampleInterval 2 -MaxSamples 4 -ComputerName "et-lab-hv01"
You can also use variables to clean things up a bit.  First define and set the variables:
$counters = "\processor(_total)\% processor time", "\memory\% committed bytes in use"
$servers = "et-lab-hv01","et-lab-hv02"
Then execute the command using the variables:
Get-Counter -Counter $counters -ComputerName $servers -Continuous

For more information about this check out: http://technet.microsoft.com/library/hh849685.aspx
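The commands above print raw samples; what you usually want is a per-server summary you can compare against a baseline.  The following is an added example, not code from the original post: it samples the same two counters across several hosts, averages them per host and counter, and flags anything over a threshold.  The server names are the post's lab names and the threshold defaults are my own.

```powershell
# Added example, not from the original post: sample the two counters the post uses across
# several hosts, average per host, and flag values over a threshold.

function Get-LoadSnapshot {
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [int]$SampleInterval = 2,
        [int]$MaxSamples = 5,
        [double]$CpuWarnPercent = 80,    # assumed defaults, tune to your baseline
        [double]$MemWarnPercent = 90
    )
    $counters = '\processor(_total)\% processor time', '\memory\% committed bytes in use'
    $samples  = Get-Counter -Counter $counters -ComputerName $ComputerName `
                            -SampleInterval $SampleInterval -MaxSamples $MaxSamples
    # Each sample set holds one reading per host and counter; flatten them and group on the
    # full path, which is prefixed with the host name: \\host\processor(_total)\% processor time
    $samples.CounterSamples |
        Group-Object -Property Path |
        ForEach-Object {
            $parts   = $_.Name -split '\\'              # '', '', host, object(instance), counter
            $server  = $parts[2]
            $counter = $parts[3..($parts.Count - 1)] -join '\'
            $stats   = $_.Group | Measure-Object -Property CookedValue -Average -Maximum
            $limit   = if ($counter -like 'processor*') { $CpuWarnPercent } else { $MemWarnPercent }
            [pscustomobject]@{
                Computer      = $server
                Counter       = $counter
                Average       = [math]::Round($stats.Average, 1)
                Peak          = [math]::Round($stats.Maximum, 1)
                OverThreshold = ($stats.Average -gt $limit)
            }
        }
}

Get-LoadSnapshot -ComputerName 'et-lab-hv01', 'et-lab-hv02' | Format-Table -AutoSize
```

Because the output is objects rather than text, you can pipe it to Where-Object OverThreshold for an alert list, or to Export-Csv to build the baseline you compare future snapshots against.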

Use PowerShell to query multiple AD servers for account lockout events

Here is a quick tip on how to query a named list of domain controllers to find the lockout event for a particular user.  This is always a problem, since users often have no idea where the failed authentication attempts that result in the lockout are coming from.

Invoke-Command -computername ADSERVER1,ADSERVER2 -command {Get-EventLog Security | where { $_.eventid -eq 4740 -and $_.message -like "*Username*"}} | format-list

This will return a result that looks like this; from here you can see the caller computer from which the account lockout originated.


Simply add additional servers as a comma-separated list to the -computername parameter to query more servers.

The Username can also contain wildcard characters, so you can specify "Joe*" or "*Bloggs".

The servers need to have PSRemoting enabled to run the query remotely.  On the AD servers run PowerShell as administrator:

Enable-PSRemoting 

Answer Yes (or Yes to All) to confirm the changes.
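Piping the whole Security log through Where-Object gets slow on a busy domain controller, and the interesting field (the caller computer) is buried in the message text.  The following is an added example, not code from the original post: it wraps the same Invoke-Command approach in a function, filters event 4740 on the server side with Get-WinEvent -FilterHashtable, and parses the caller computer out of the message so the result is one row per lockout.  The domain controller names and the time window are placeholders.

```powershell
# Added example, not from the original post: find account lockouts (event 4740) on a list of
# domain controllers and return one row per lockout with the caller computer extracted.

function Find-AccountLockout {
    param(
        [Parameter(Mandatory)][string[]]$DomainController,
        [Parameter(Mandatory)][string]$UserName,      # wildcards allowed, e.g. "Joe*"
        [int]$Hours = 24                               # how far back to look
    )
    $since = (Get-Date).AddHours(-$Hours)
    Invoke-Command -ComputerName $DomainController -ArgumentList $UserName, $since -ScriptBlock {
        param($user, $since)
        # 4740 = "A user account was locked out". FilterHashtable is evaluated by the event
        # log service, so only matching records are read; SilentlyContinue covers "no events".
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } `
                     -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Properties[0] is the locked account; the caller computer is in the message body
                $caller = if ($_.Message -match 'Caller Computer Name:\s+(\S+)') { $Matches[1] } else { '' }
                [pscustomobject]@{
                    Time             = $_.TimeCreated
                    Account          = $_.Properties[0].Value
                    CallerComputer   = $caller
                    DomainController = $env:COMPUTERNAME
                }
            } |
            Where-Object { $_.Account -like $user }
    } |
    Sort-Object Time -Descending |
    Select-Object Time, Account, CallerComputer, DomainController
}

# Usage: placeholder DC names, last 48 hours, any account starting with "Joe"
Find-AccountLockout -DomainController 'ADSERVER1', 'ADSERVER2' -UserName 'Joe*' -Hours 48 |
    Format-Table -AutoSize
```

The caller computer is the machine holding the stale credential (a mapped drive, a scheduled task, a saved RDP session); repeated lockouts from the same caller within minutes are the pattern to look for before assuming anything more sinister.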

Managing the Windows Firewall with PowerShell

Using PowerShell to manage Windows Firewall with Advanced Security is extremely handy when dealing with a Server Core installation, and even more so when you are managing Hyper-V Server 2012.

In this article I will cover the following:
  • Checking the current firewall configuration
  • Changing the firewall configuration
  • Managing the firewall remotely
These are the basic things admins would perform on machines whose firewalls are not configured by group policy.

Checking the Current Firewall Configuration
Before you make any changes to the firewall you should have a look at the current configuration.  There are a few ways of doing this, each with its own benefits.  There are two functions that can be used to get this information:
  • Get-NetFirewallRule
  • Show-NetFirewallRule
Since we will only be looking at a subset of the properties, either of these will work fine.  The various commands have different display options; hopefully this helps to show how everything fits together.

The properties we will be looking for are:
  • DisplayName
  • DisplayGroup
  • Enabled
  • Action

To see just this set of properties run the following command:


Get-NetFirewallRule | select-object DisplayName, DisplayGroup,Enabled,Action

To see all of the properties available run the following:

Get-NetFirewallRule | select-object *

To filter the output so you only see the rules that are enabled run the following:

Get-NetFirewallRule | select-object DisplayName, Enabled, Action | where {$_.enabled -eq "True"} | format-table -AutoSize

This now gives a nice concise list of the rules that are enabled and what they do.


Changing the firewall configuration

There are two functions that you would normally use for this:
  • Enable-NetFirewallRule
  • Disable-NetFirewallRule
To toggle a rule from Enabled to Disabled just switch the verb.  Since a lot of the system rules work in groups, it is very convenient to enable all the rules in a group in one go.  The group property we will use is DisplayGroup.  This is a "simple name" and much easier to work with.

To see the list of rules and display groups that are currently disabled run the following:

Get-NetFirewallRule | select-object displayName, DisplayGroup,Enabled | where {$_.enabled -eq "False"} | format-table -AutoSize

We will use the output of this command to create the enabling command.  Here you can see that the "Virtual Machine Monitoring" group contains 5 individual rules.


To turn all of these on run the following command:

Enable-NetFirewallRule -Displaygroup "Virtual Machine Monitoring"

The command does not output a result code, so it is best to check again with the previous command.  To disable the rules in the group again, just switch the verb as follows:

Disable-NetFirewallRule -Displaygroup "Virtual Machine Monitoring"

To Enable or Disable individual rules you can use the following commands:

Enable-NetFirewallRule -DisplayName "Virtual Machine Monitoring (RPC)"
Disable-NetFirewallRule -DisplayName "Virtual Machine Monitoring (RPC)"

Managing the Firewall Remotely
There are obvious advantages to running all of these commands from a remote computer as opposed to being logged on at the actual console.  The two ways this can be done are:

  • PSSession - similar to Telnet / SSH
  • Invoking a command to a remote computer
To work remotely the target machine needs to have PSRemoting enabled.  To do this simply execute:

Enable-PSRemoting

From your management machine you can now connect remotely to a session on the server by using:

Enter-PSSession <server-name>

From here you can run all the commands shown above.  I would however suggest using the second remote method, as it gives you more flexibility and power.

From the management machine you will be invoking the command on the target machine.  For the examples below the target machine is named et-lab-fv01.

In its simplest form it looks as follows:

Invoke-Command -computer et-lab-fv01 {Get-NetFirewallRule | select-object DisplayName, DisplayGroup, Enabled, Action}

As you can see, the actual command in between the {} is the same as in the first example.  That is what is being run on the remote computer.

One nice feature of doing this is that you can make use of the GridView output option to make things easier to keep track of and filter:

Invoke-Command -computer et-lab-fv01 {Get-NetFirewallRule | select-object DisplayName, DisplayGroup, Enabled, Action} | Out-GridView

You can see just how useful the GridView is.

There is a limit to the number of columns you can send to the grid view.  For instance, if you would like to retrieve all the properties you would use the following.  If you have a look you will see a lot more columns, but the DisplayGroup column is not listed anywhere.

Invoke-Command -computer et-lab-fv01 {Get-NetFirewallRule | select-object *} | Out-GridView

To really get everything, and even more functionality, output the result to a CSV file and import it into Excel.  The command to output to a file is as follows:

Invoke-Command -computer et-lab-fv01 {Get-NetFirewallRule | select-object *} | Export-Csv c:\firewall.csv

The import into Excel now gives you the complete picture.


One other advantage of invoking commands is that they can be performed on multiple machines at the same time, so you can enable or disable a firewall rule group on multiple machines with a single command.  In this case the two machines are called et-lab-hv01 and et-lab-hv02:

Invoke-Command -computer et-lab-hv01,et-lab-hv02 {Enable-NetFirewallRule -Displaygroup "Virtual Machine Monitoring"}
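Listing DisplayName, Enabled and Action tells you which rules are on, but not what they actually expose: the ports and the remote addresses live in separate filter objects, and a profile that is switched off or defaults to Allow inbound makes the rule list moot.  The following is an added example, not code from the original post: it reports the enabled inbound Allow rules with their port and address scope, plus the profile state, either locally or over a CIM session to the remote hosts.  The host names are the post's lab names; the function takes any.

```powershell
# Added example, not from the original post: audit the live inbound allow surface of one or
# more hosts (profile state, enabled inbound Allow rules, their ports and remote-address scope).

function Get-InboundAllowReport {
    param([string[]]$ComputerName)          # omit for the local machine
    $cim = @{}
    if ($ComputerName) { $cim.CimSession = New-CimSession -ComputerName $ComputerName }
    try {
        # A disabled profile, or one whose default inbound action is Allow, matters more
        # than any single rule
        $profiles = Get-NetFirewallProfile @cim |
                    Select-Object PSComputerName, Name, Enabled, DefaultInboundAction
        # Only rules that are on, inbound and allowing count as exposed surface
        $rules = Get-NetFirewallRule @cim -Enabled True -Direction Inbound -Action Allow
        $report = foreach ($rule in $rules) {
            # Port and address scope are held in filter objects associated with the rule
            $port = $rule | Get-NetFirewallPortFilter
            $addr = $rule | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Computer      = $rule.PSComputerName
                DisplayName   = $rule.DisplayName
                DisplayGroup  = $rule.DisplayGroup
                Profile       = $rule.Profile
                Protocol      = $port.Protocol
                LocalPort     = ($port.LocalPort -join ',')
                RemoteAddress = ($addr.RemoteAddress -join ',')
                OpenToAnyHost = ($addr.RemoteAddress -contains 'Any')
            }
        }
        [pscustomobject]@{ Profiles = $profiles; Rules = $report }
    }
    finally {
        if ($cim.CimSession) { Remove-CimSession -CimSession $cim.CimSession }
    }
}

# Usage: profile state, then the rules reachable from any address, on the two lab hosts
$audit = Get-InboundAllowReport -ComputerName 'et-lab-hv01', 'et-lab-hv02'
$audit.Profiles | Format-Table -AutoSize
$audit.Rules | Where-Object OpenToAnyHost | Sort-Object Computer, LocalPort | Format-Table -AutoSize
```

The same Export-Csv trick from above applies to $audit.Rules; diffing two exports taken a week apart is a cheap way to spot a rule group that was enabled "temporarily" and never turned off again.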




Windows 8 Offline Installation of .Net 3.5

Windows 8 includes .Net 3.5 on the installation media.  It is however not installed by default.  To further complicate things, it attempts an online installation if you enable it through Windows Features.

To install directly from the installation media use the following command.  Just specify the source drive letter; in this case it was D:

Dism /online /enable-feature /featurename:NetFx3 /All /Source:D:\sources\sxs /LimitAccess

The installation should complete without requiring a reboot.

Checking the Windows Features you should now see that it is listed as installed.

Convert VMDK and physical drives to VHD and VHDX

If you have ever wanted to move a virtual machine or virtual disk from VMware, or to create a virtual copy of a physical drive, this is a great little free tool to do it.  I was in a bit of a bind with not being able to import a machine into VMM and this one helped me out.

2Tware Convert VHD

Simply specify the VMDK file and a destination VHD file and click convert.  Easy.



The process to convert a physical disk is just as straightforward.

Once you have your VHD you can use it in your Hyper-V environment.  If you want to further convert it to the new Hyper-V 3 VHDX format you can do so in the Hyper-V console:


  • Open the Hyper-V management console
  • Select Edit Disk from the Action pane
  • Locate the VHD file
  • Choose to Convert
  • Select VHDX
  • Either Fixed or Dynamic depending on your need
  • Specify a new file name
  • Finish the wizard



Windows 8 Hyper-V limitations

One of the coolest things about Windows 8 is that you now have Hyper-V available to you.  No longer do you need to run Windows Server on your desktop just to get Hyper-V.  Having said that, there are a few differences or limitations in the Windows 8 Hyper-V (client) compared to the Windows Server Hyper-V (server).

First up, let's highlight one thing.  Hyper-V on the Windows 8 desktop operating system is not intended as an alternative to Windows Server.  It is intended as, and does a great job of being, a personal full-featured virtual platform.

System Requirements:
Windows 8 Pro or Enterprise x64
RAM: 4 GB
CPU: Needs to Support SLAT (Intel i3, i5, i7  or  AMD Opteron 3rd Gen) enabled in BIOS
Storage : 20GB for OS and Additional space per VM

Adding Hyper-V features
To install or enable Hyper-V you can use Add or Remove Windows Features:

Check Hyper-V Management Tools to install all the tools, including the PowerShell cmdlets.
Check Hyper-V Platform to install the actual hypervisor.

Or you can run the following PowerShell command

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All

Compare Windows 8 to Windows 2012 features

When you add your local machine to the Hyper-V management console and compare it to a server-based host, you will notice that Windows 8 lacks the following features:

Physical GPU
Live Migrations
Replication Configuration

There are also a few differences on the following:

NUMA Spanning
Enabled by default on server, not on client.

Storage Migration
Limited to moving virtual drives on the local machine only.  You cannot move or run a virtual machine from an SMB 3 file share.

Virtual Switch Extensions
Client does not support the Microsoft VMM DHCPv4 Server switch extension.

Virtual hardware
Client does not offer RemoteFX 3D Video Adapter

Management:
Both the client and the server version can be managed through the Hyper-V management console.  Both are also fully supported in PowerShell.  Here is one big limitation:

Client cannot be managed with System Centre Virtual Machine Manager (VMM)

Conclusion
Hyper-V in Windows 8 is a great local virtual platform and supports almost all of the virtual features.  It is not geared for moving virtual machines across hosts or for being managed with VMM.

Side Note: If you want full Hyper-V functionality without having to pay for a Windows Server license, check out Windows Hyper-V Server 2012: it is free and supports EVERYTHING!

PowerShell to "Allow management operating system to share this network adapter"

When you are configuring Hyper-V switches, you should always keep in mind that the host needs a communication network too.  I was busy configuring network teams and virtual switches when I successfully managed to configure the following: three virtual switches, consuming all of the 5 network adapters, not one of them set to "Allow management operating system to share this network adapter."

The net result of this configuration is that all the virtual machines are on the network and working perfectly, but the host itself is not!  This effectively also cuts off all remote administration and any ability to fix this remotely.  One more thing: I am using Hyper-V Server, so there are no GUI tools to help out.

There was nothing left to do but physically log onto the host and fix it with PowerShell.

First up, check that all the NICs are up and running:

Get-NetAdapter



Next up you need to get a list of the virtual switches and pick one to share with the host:

Get-VMSwitch


Now you need to check the configuration of the switch.  In my case it is "Corporate Team":

Get-VMSwitch -name "corporate team" |select *

You will probably notice that the AllowManagementOS value is False.  To change this and fix the problem you need to turn it on with the following command:

Set-VMSwitch -Name "corporate team" -AllowManagementOS $true



Once this has had a minute or so to readjust things, you should be able to remotely manage and connect to the host again.
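The cheapest fix is never to lose the host's network path in the first place.  The following is an added example, not code from the original post: before you bind the last adapter to a switch (or reboot), it checks whether the parent partition still holds a usable IPv4 address and lists every external switch with its AllowManagementOS state, and only if there is no path does it share a named switch with the management OS.  "Corporate Team" is the switch name from the post; any external switch name works.

```powershell
# Added example, not from the original post: confirm the Hyper-V host still has a network path
# before changing switches, and share a switch with the management OS only when it does not.

function Test-HostManagementPath {
    $switches = Get-VMSwitch -SwitchType External
    # Sharing a switch creates a vNIC in the management OS; that is where the host's IP lives
    $hostVnics = @(Get-VMNetworkAdapter -ManagementOS)
    # The real test: does the parent partition hold any DHCP or static IPv4 address?
    # Loopback and APIPA addresses report PrefixOrigin WellKnown, so they are excluded.
    $hostIps = @(Get-NetIPAddress -AddressFamily IPv4 |
                 Where-Object { $_.PrefixOrigin -in 'Manual', 'Dhcp' })
    [pscustomobject]@{
        ExternalSwitches = $switches | Select-Object Name, NetAdapterInterfaceDescription, AllowManagementOS
        HostVirtualNics  = $hostVnics.Name
        HostIPv4         = $hostIps.IPAddress
        HostHasPath      = ($hostIps.Count -gt 0)
    }
}

function Enable-HostSharing {
    param([Parameter(Mandatory)][string]$SwitchName)
    Set-VMSwitch -Name $SwitchName -AllowManagementOS $true
    # Read the setting back rather than trusting the call; Set-VMSwitch prints nothing
    (Get-VMSwitch -Name $SwitchName).AllowManagementOS
}

$state = Test-HostManagementPath
$state.ExternalSwitches | Format-Table -AutoSize
if (-not $state.HostHasPath) {
    Write-Warning 'Host has no IPv4 path; sharing "Corporate Team" with the management OS'
    Enable-HostSharing -SwitchName 'Corporate Team'
}
```

Run Test-HostManagementPath as the last step of any switch change made over a remote session: if HostHasPath is about to become False, the session you are typing into is the one that will drop.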

Using Powershell to Backup Hyper-V VMs - Step by Step

Server 2012 has loads of improvements for backup.  The ability to back up a running virtual machine without any interruption or downtime is really powerful.  Automating the backup task creation for virtual machines on a Hyper-V host will save you loads of time once you have tuned your script.

The 40-something Windows Server Backup cmdlets are very well documented at http://technet.microsoft.com/en-us/library/jj902459.aspx but they lack a full example of how to put everything together.  NOTE: Additional cmdlets were added after 2008 R2 and I am using them here, so this is for Server 2012 only.

The process below is how I set up a script to back up selected virtual machines to a secondary volume of a single-disk server.  I will step through how to change these options, so don't worry if this does not exactly fit your requirement.

First up, a few basics.  A backup job is called a backup policy.  You can only have one backup policy.  You can only back up to certain locations; as an example, these exclude external USB drives.

The policy contains the various settings or parameters, such as the schedule and what to back up.  The various cmdlets let you configure these.

What you need

  • A new policy (WBPolicy)
  • A backup destination (WBBackupTarget)
  • A list of Virtual Machines to back up (WBVirtualMachine)
  • A Backup schedule / times (WBSchedule)


Step 1 Create a new policy
There can only be one policy, so if there is an existing one you need to remove it:

   Remove-WBPolicy -all -force

Now you can create your new policy, to which we will add the various options:

   $BackupJob = New-WBPolicy

Step 2 Specify a backup destination
This allows you to specify a separate "drive" that is visible to the OS.  This can be on a separate physical disk or an additional partition on the OS physical disk.

   $BackupTarget = New-WBBackupTarget -VolumePath B:
   Add-WBBackupTarget -Policy $BackupJob -Target $BackupTarget


Step 3 Add the virtual machines
You can specify which machines to add, or add all of them.  I have opted to only back up VMs that contain "ET-LAB" in the name:

   $VMs = Get-WBVirtualMachine | where vmname -like "et-lab*"
   Add-WBVirtualMachine -Policy $BackupJob -VirtualMachine $VMs

To add all VMs you can just specify:

   Add-WBVirtualMachine -Policy $BackupJob -all

Step 4 Specify a schedule
The backups run daily; you just need to specify at what times.  I have specified 10AM and 10PM daily:


   $BackupTime = [datetime] "10:00", [datetime] "22:00"
   Set-WBSchedule -Policy $BackupJob -Schedule $BackupTime



Step 5 Activate the policy
By now the policy contains everything it needs to be able to run.  You now need to activate it:

   Set-WBPolicy -Policy $BackupJob -AllowDeleteOldBackups


Step 6 Manually start a trial job
Once your job has been configured you can use the Windows Server Backup GUI to start it, or you can start it from PowerShell:

   Start-WBBackup (Get-WBPolicy)

The job should now start and you should see the following:


Looking at the Hyper-V console you will see that an active backup is indicated in the status column.




You can put all these commands together in a PowerShell script that you can run on multiple computers.  Just remember to set the execution policy before you try to run the script:

  Set-ExecutionPolicy -ExecutionPolicy Unrestricted


My complete script looks as follows:


# Remove existing backup jobs (there can only be one policy).
# Remove-WBPolicy does not throw a terminating error on its own, so -ErrorAction Stop
# is needed for the catch block to run when there is nothing to remove.
try { Remove-WBPolicy -All -Force -ErrorAction Stop }
catch { Write-Host "No existing jobs to remove" }

# Create new empty policy
$BackupJob = New-WBPolicy

# Create the backup target using a volume
$BackupTarget = New-WBBackupTarget -VolumePath B:

# Add the backup target to the policy
Add-WBBackupTarget -Policy $BackupJob -Target $BackupTarget

# Add the list of virtual machines (name filter; use -All instead to back up every VM)
$VMs = Get-WBVirtualMachine | where vmname -like "et-lab*"
Add-WBVirtualMachine -Policy $BackupJob -VirtualMachine $VMs

# Set up the scheduled backup times
$BackupTime = [datetime] "10:00", [datetime] "22:00"
Set-WBSchedule -Policy $BackupJob -Schedule $BackupTime

# Activate the policy
Set-WBPolicy -Policy $BackupJob -AllowDeleteOldBackups
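A policy that is activated is not the same as a backup that ran.  The following is an added example, not code from the original post: a check you can schedule alongside the policy that reads the last result and success time from Windows Server Backup, confirms the expected VMs are still in the policy, and flags a stale or failed run.  The cmdlets are the Server 2012 ones linked above; the VM name and the age threshold are placeholders.

```powershell
# Added example, not from the original post: verify that the backup policy above actually ran
# and still covers the VMs you expect. Thresholds and VM names are placeholders.

function Test-LastBackup {
    param(
        [int]$MaxAgeHours = 14,          # two runs a day are scheduled, so older means a missed run
        [string[]]$ExpectedVm = @()      # VM names that must be in the policy
    )
    $summary  = Get-WBSummary
    $last     = Get-WBJob -Previous 1
    $policy   = Get-WBPolicy
    $inPolicy = @(Get-WBVirtualMachine -Policy $policy | Select-Object -ExpandProperty VMName)
    # No successful backup ever recorded counts as infinitely old
    $age = if ($summary.LastSuccessfulBackupTime) {
               ((Get-Date) - $summary.LastSuccessfulBackupTime).TotalHours
           } else { [double]::PositiveInfinity }
    [pscustomobject]@{
        LastSuccess  = $summary.LastSuccessfulBackupTime
        HoursSince   = [math]::Round($age, 1)
        Stale        = ($age -gt $MaxAgeHours)
        NextBackup   = $summary.NextBackupTime
        LastResultHR = $summary.LastBackupResultHR      # 0 means the last run succeeded
        LastJobState = $last.JobState
        LastJobError = $last.ErrorDescription
        VmsInPolicy  = $inPolicy
        MissingVms   = @($ExpectedVm | Where-Object { $_ -notin $inPolicy })
    }
}

# Usage: 'et-lab-vm01' is a constructed placeholder for a VM that must be covered
$check = Test-LastBackup -ExpectedVm 'et-lab-vm01'
$check | Format-List
if ($check.Stale -or $check.LastResultHR -ne 0 -or $check.MissingVms.Count -gt 0) {
    Write-Warning "Backup needs attention on $env:COMPUTERNAME"
}
```

MissingVms catches the quiet failure mode of the name filter in the script above: a VM renamed or created without the "et-lab" prefix simply stops being backed up, and nothing in the backup log will tell you.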


Interactive Login Legal Notice Removal

Most corporates are at some point required to show a legal notice prior to logging on to a computer.  This is normally configured by group policy.


The settings are under - Computer Configuration - Policies - Security - Local Policies - Security Options:

  • Interactive logon: Message text for users attempting to log on
  • Interactive logon: Message title for users attempting to log on




By default these values are blank, and as such the screen is not displayed at logon time.  When these fields have a value, it writes it to the registry and thus causes the notice to be displayed.

The problem comes in if you want to remove the legal notice from a machine.
If the policy does not define a value, or defines a value of "", nothing is written to the registry.

So a registry setting written by one policy cannot be erased by another policy.  To fix this you have to manually clean up the registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"=""
"LegalNoticeText"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"legalnoticecaption"=""
"legalnoticetext"=""

Remember: to make this a permanent fix you need to ensure that no GPO is re-enforcing the legal notice.
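The .reg file above has to be imported on each machine by hand.  The following is an added example, not code from the original post: it blanks the same four values from PowerShell and reads both keys back, so you can see whether a notice is still active (either value non-empty) before and after the change.  Run it only after you have confirmed no GPO still sets the notice, or the next gpupdate will put it back.

```powershell
# Added example, not from the original post: clear and verify the two registry locations the
# .reg file above touches. Blanking (not deleting) the values matches what the .reg file does.

$LegalNoticeKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)
$LegalNoticeValues = 'LegalNoticeCaption', 'LegalNoticeText'

function Get-LegalNotice {
    foreach ($key in $LegalNoticeKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key     = $key
            Caption = $props.LegalNoticeCaption
            Text    = $props.LegalNoticeText
            # The dialog is shown when either value is non-empty
            Active  = (-not [string]::IsNullOrEmpty($props.LegalNoticeCaption)) -or
                      (-not [string]::IsNullOrEmpty($props.LegalNoticeText))
        }
    }
}

function Clear-LegalNotice {
    foreach ($key in $LegalNoticeKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($name in $LegalNoticeValues) {
            # Value names are case-insensitive, so this also updates the lowercase
            # legalnoticecaption/legalnoticetext names written under Policies\System
            Set-ItemProperty -Path $key -Name $name -Value '' -Type String
        }
    }
    Get-LegalNotice
}

Get-LegalNotice | Format-Table -AutoSize     # before
Clear-LegalNotice | Format-Table -AutoSize   # after; Active should now be False for both keys
```

To apply it to several machines, wrap the two functions in a script and run it with Invoke-Command -FilePath against the list of computer names, as in the firewall article above.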

F5 BIG-IP how to configure email SMTP alerts step by step


The default alerting method is SNMP traps; there is however a relatively simple, although lengthy, process to get the same alerts by email.  I am writing this with the Windows admin in mind, but it is relevant for everyone.

Tools you will need

  • Putty or other SSH terminal
  • WinSCP
  • NotePad ++

There are two separate things that need to be changed:

  • Configure the BIG-IP to send emails by editing the ssmtp.conf file
  • Select  the alerts to send via email by editing the alert.conf file


Step 1 Configure mail settings
You need to configure the BIG-IP with the details of your anonymous SMTP server.  The place to do this is in the ssmtp.conf file.

  • Open putty and SSH to the BIG-IP
  • Log in as root
  • Copy the original file before editing with the following:
  • cp /etc/ssmtp/ssmtp.conf /etc/ssmtp/ssmtp.conf.orig


  • Open WinSCP
  • Start a SCP session to the BIG-IP
  • Browse to the  /etc/ssmtp/ folder
  • Copy the ssmtp.conf file to your PC


  • Edit the file with Notepad ++
  • Find and edit the line with your details
  • mailhub=smtp-mail.domain.com
  • Save the changes


  • SCP the file back onto the BIG-IP


  • In putty run the following to test the SMTP configuration
  • echo "ssmtp test mail" | mail -vs "Test email " myemail@mydomain.com

If this email is successfully sent and received you can proceed to step 2.

Step 2 Configure the alerts to mail
The BIG-IP is configured to send all alerts as SNMP traps.  You can select an alert and add an email notification alongside the SNMP trap action, so you get both.

  • Open putty and SSH to the BIG-IP
  • Log in as root
  • Copy the original file before editing with the following:
  • cp /etc/alertd/alert.conf /etc/alertd/alert.conf.orig
  • Add write permission to the file:
  • chmod 644 /etc/alertd/alert.conf


  • Open WinSCP
  • Start a SCP session to the BIG-IP
  • Browse to the  /etc/alertd/ folder
  • Copy the alert.conf file to your PC
  • Edit the file with Notepad ++

Here you need to look at how the various alerts are set up.  Each alert has an OID.  At the end of the alerts you want to email add the following:
;
email toaddress="myalertemail@domain.com"
fromaddress="BIGIP02@domain.com"
body="";
Between the OID and any other action you should have your email configuration, separated by ;, so you should end up with an alert that looks like this:
alert BIGIP_SYSTEM_CHECK_E_CPU_TEMP_HIGH {
snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.4";
email toaddress="myalertemail@domain.com"
fromaddress="BIGIP02@domain.com"
body="";
lcdwarn description="CPU Temp too high." priority="3"
}

There are loads of these, so you might just want to pick a few pertinent ones at first.

  • When done making the edits
  • Save the changes
  • SCP the file back onto the BIG-IP


  • In your putty SSH session reset the file permissions:
  • chmod 444 /etc/alertd/alert.conf
  • Restart the alertd process:
  • bigstart restart alertd

Once all of those things are done you should have backup copies of the original files and email alerts configured.
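Editing dozens of alert stanzas by hand in Notepad++ is where mistakes creep in (a missing ; or an email line landing outside the braces).  The following is an added example, not code from the original post: it applies the same email action to a list of named alerts in the local copy of alert.conf you pulled down with WinSCP, inserting it directly after each alert's snmptrap line as the post's stanza shows, skipping alerts that already mail, and writing the file back with Unix line endings so the BIG-IP sees only the intended change.  The path, addresses and alert name are placeholders (the alert name is the one shown in the post).

```powershell
# Added example, not from the original post: add the email action to selected alerts in a
# local copy of /etc/alertd/alert.conf before copying it back to the BIG-IP.

function Add-AlertEmailAction {
    param(
        [Parameter(Mandatory)][string]$Path,          # local copy of alert.conf
        [Parameter(Mandatory)][string]$ToAddress,
        [Parameter(Mandatory)][string]$FromAddress,
        [Parameter(Mandatory)][string[]]$AlertName
    )
    $text  = Get-Content -Path $Path -Raw
    $email = "email toaddress=`"$ToAddress`" fromaddress=`"$FromAddress`" body=`"`";"
    foreach ($name in $AlertName) {
        # Locate this alert's "alert NAME { ... }" block; (?s) lets .*? span lines
        $pattern = "(?s)alert $([regex]::Escape($name)) \{.*?\n\}"
        $block = [regex]::Match($text, $pattern)
        if (-not $block.Success) { Write-Warning "alert $name not found"; continue }
        if ($block.Value -match 'email toaddress=') { Write-Warning "alert $name already mails"; continue }
        # Insert the email action on the line after the snmptrap action, as in the post's example
        $edited = $block.Value -replace '(?m)^([ \t]*snmptrap OID="[^"]*";)[ \t]*\r?$', "`$1`n$email"
        if ($edited -eq $block.Value) { Write-Warning "alert $name has no snmptrap line; skipped"; continue }
        $text = $text.Substring(0, $block.Index) + $edited + $text.Substring($block.Index + $block.Length)
    }
    # Unix line endings and no BOM, so the only difference from the original is the edit itself
    $utf8NoBom = New-Object System.Text.UTF8Encoding($false)
    [System.IO.File]::WriteAllText($Path, $text.Replace("`r`n", "`n"), $utf8NoBom)
}

# Usage (placeholders); afterwards SCP the file back, chmod 444 and bigstart restart alertd
Add-AlertEmailAction -Path 'C:\temp\alert.conf' `
    -ToAddress 'myalertemail@domain.com' -FromAddress 'BIGIP02@domain.com' `
    -AlertName 'BIGIP_SYSTEM_CHECK_E_CPU_TEMP_HIGH'
```

Diff the edited copy against alert.conf.orig before uploading; the only changes should be the added email lines inside the alerts you named.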

Step 3 Test the alerts
Your BIG-IP should now be able to send you alerts by mail should something go wrong.  I recommend testing this before just trusting it.  The easiest way I found to test this was to reverse a pool monitor.  This would flag it as being down and generate the alert.

The emails look similar to this

From: root [mailto:BIGIP02@domain.com]
Sent: 05 March 2013 03:43 PM
To: Etienne Liebetrau
Subject: 01070638:5: Pool /ATG/pool_www-uat_HTTP member /ATG/node_www-uat1:80 monitor status down. [ was up for 23hrs:32mins:19sec ]




Automatically feed your blog posts to Twitter and FaceBook

Having a blog is great, but you have to be present on all of the social media platforms.  The easiest way of doing this is with TwitterFeed; check them out:


Advanced IIS compression configuration

Enhancing the standard static and dynamic content compression can improve your site's performance.  The standard "out of the box" configuration works great for most situations but every site is slightly different and as such there is always room for fine tuning.

The Basics

Install the compression components
To enable compression on your IIS site you need to have the IIS performance features installed.  To add these, open Server Manager, then:

  • Add roles and Features 
  • Select Role Based 
  • Server Roles 
  • Web Server IIS 
  • Web Server
  • Performance 
  • Static content Compression and Dynamic Content Compression


Configure the default settings
There are a few global settings you can change quite easily.

  • Open the IIS management Console
  • Select The Server level
  • Open Compression


Here you have a few options that pertain to whether to enable static and/or dynamic content compression.

You can also specify a minimum file size to compress, the compressed cache location and a size limit for the amount of content to keep.

Compressing tiny files often does not yield any benefit, so just ignoring those is recommended.
The amount of compressed content to keep is 100MB by default.  If your application generates loads of data you would probably want to increase this.

Advanced Configuration
If you are going to be making changes to these setting you need to know what is happening.  I strongly recommend using HTTP Watch to monitor your progress as I found it the best tool when tweaking these settings.

If you want to change additional settings you will have to open the IIS management console.  Select the server level and open Configuration Editor.  From the Section drop-down select system.webServer/httpCompression.


There are 17 settings here that can be changed.  Most of them typically would not need to be changed at all.  The fields I am normally interested in are:


  • dynamicTypes
  • staticTypes


dynamicTypes and staticTypes refer to the MIME types that will and won't be compressed.  Something to keep in mind is that IIS will only serve MIME types that are approved.

Adding an additional MIME type for compression
As an example we will add bmp files as a content type to compress:


  • Open the staticTypes field
  • Click Add
  • enabled True
  • Mime type image/bmp
  • Close the windows
  • Open the dynamicTypes field
  • Click Add
  • enabled True
  • Mime type image/bmp
  • From the Actions Pane click Apply
  • Restart IIS with iisreset


If we look at a .bmp download now we can see that the content is being compressed.

In this example you can see that we saved 93.8 % of the required bandwidth.

Choosing the MIME types is not always straightforward.  Some files are already compressed; an example of this is .jpg images.  Here you can see how compressing the .jpg actually makes it bigger!

If you would like to compress all other images and exclude .jpg, add the following to the dynamicTypes and staticTypes fields:


  • Enabled = False | MIME Type = image/jpeg
  • Enabled = True | MIME Type = image/*



CPU concerns
All this compressing is great for saving bandwidth, but it adds to CPU load.  In my experience the additional load is negligible given the massively powerful CPUs available nowadays.  You can however set thresholds to guard against CPU congestion due to compression overhead:


  • dynamicCompressionDisableCpuUsage
  • dynamicCompressionEnableCpuUsage


  • staticCompressionDisableCpuUsage
  • staticCompressionEnableCpuUsage


These set the upper threshold at which compression is disabled and the threshold at which it resumes.  The other side of the story is the client device: the client incurs a similar decompression overhead.  Since the client is only concerned with its one conversation this is not normally an issue, but it is a good thing to keep in mind.
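The Configuration Editor steps for the MIME types and the CPU thresholds are click-heavy and hard to repeat across a web farm.  The following is an added example, not code from the original post: it makes the same changes with the WebAdministration module (exclude image/jpeg, include image/*, set the four CPU thresholds), lists what is configured, and checks a URL to confirm the response really comes back with a Content-Encoding header, which is the check you would otherwise do in HttpWatch.  The URL and the threshold numbers are placeholders to adjust for your site.

```powershell
# Added example, not from the original post: script the httpCompression changes described
# above with the WebAdministration module and verify a response is actually compressed.

Import-Module WebAdministration
$PsPath      = 'MACHINE/WEBROOT/APPHOST'
$Compression = 'system.webServer/httpCompression'

function Set-ImageCompressionTypes {
    foreach ($section in 'staticTypes', 'dynamicTypes') {
        $filter = "$Compression/$section"
        # Insert at index 0 in reverse order so the specific image/jpeg exclusion ends up ahead
        # of the image/* wildcard, and both sit in front of the default entries
        foreach ($entry in @(@{ mimeType = 'image/*'; enabled = 'True' }, @{ mimeType = 'image/jpeg'; enabled = 'False' })) {
            # Drop any existing entry for this MIME type first so the add cannot collide
            Remove-WebConfigurationProperty -PSPath $PsPath -Filter $filter -Name '.' `
                -AtElement @{ mimeType = $entry.mimeType } -ErrorAction SilentlyContinue
            Add-WebConfigurationProperty -PSPath $PsPath -Filter $filter -Name '.' -AtIndex 0 -Value $entry
        }
    }
}

function Set-CompressionCpuThresholds {
    param([int]$DisableAbove = 90, [int]$EnableBelow = 50)   # placeholder percentages
    foreach ($kind in 'dynamic', 'static') {
        Set-WebConfigurationProperty -PSPath $PsPath -Filter $Compression -Name "${kind}CompressionDisableCpuUsage" -Value $DisableAbove
        Set-WebConfigurationProperty -PSPath $PsPath -Filter $Compression -Name "${kind}CompressionEnableCpuUsage"  -Value $EnableBelow
    }
}

function Get-CompressionTypes {
    foreach ($section in 'staticTypes', 'dynamicTypes') {
        Get-WebConfiguration -PSPath $PsPath -Filter "$Compression/$section/add" |
            Select-Object @{ n = 'Section'; e = { $section } }, mimeType, enabled
    }
}

function Test-ResponseCompressed {
    param([Parameter(Mandatory)][string]$Url)
    # Offer gzip/deflate and inspect Content-Encoding; no header means IIS sent it uncompressed
    $r = Invoke-WebRequest -Uri $Url -Headers @{ 'Accept-Encoding' = 'gzip, deflate' } -UseBasicParsing
    [pscustomobject]@{
        Url             = $Url
        ContentEncoding = $r.Headers['Content-Encoding']
        Compressed      = [bool]$r.Headers['Content-Encoding']
        Bytes           = $r.RawContentLength
    }
}

Set-ImageCompressionTypes
Set-CompressionCpuThresholds -DisableAbove 90 -EnableBelow 50
Get-CompressionTypes | Format-Table -AutoSize
Test-ResponseCompressed -Url 'http://localhost/images/sample.bmp'   # placeholder URL
```

Request the same .bmp and a .jpg through Test-ResponseCompressed: the first should report a Content-Encoding, the second should not, which is the behaviour the two MIME entries are meant to produce.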

Conclusion
Compressing HTTP content can be a huge bandwidth saver, if you get to know your web application properly you can tweak out some additional performance gains.  Be cautious though, because being over optimistic can actually take you backwards.

If you would like to know more about the other settings available in the configuration editor, check out http://www.iis.net/configreference/system.webserver/httpcompression

F5 Diaries - Episode 1 Building the lab

Join me on my journey of trying to make F5 kit work without going on all the official (read - expensive) training.  I am using a test lab environment specifically set up for doing all this kind of testing.

What is in the LAB

  • F5 BIG-IP Ve Lab edition on TMOS 11.3
  • The virtual edition is running on Windows Server 2012 Hyper-V
  • Windows 8 test VM


Hyper-V VM Configuration :

  • RAM 4GB Static
  • CPU 4 x Virtual
  • HDD 1 x 40GB
  • NIC  7 Virtual assigned  5 x Physical


Network Environment:

  • Internal network is on the 10.0.0.0/8 address range
  • Internet ADSL link 1 from Telkom is on 192.168.0.0/24
    (GW 192.168.0.1)
  • Internet ADSL link 2 from Internet Solutions is on 169.212.74.65/29
    (publicly routable)
    (GW 169.212.74.65)


Internal network segmented into VLANs:

  • 10.0.2.0/23 Corporate Management
  • 10.0.4.0/23 Corporate External
  • 10.0.6.0/23 Corporate Internal


Hyper-V virtual switches
I have configured individual virtual switches for each VLAN. I then managed to map those to BIG-IP interfaces.  This took a long time but it is really important to get this 100% correct.


  • NIC 0  - Corporate Management - Management
  • NIC 1 - Corporate Internal - 1.1
  • NIC 2 - Corporate External - 1.2
  • NIC 3 - Telkom ADSL -1.3
  • NIC 4 - Internet Solutions ADSL 1.4 
  • NIC 5 - Not Connected
  • NIC 6 - Not Connected


F5 BIG-IP Self IPs and VLANs
  • Management IP 10.0.2.9
  • Corporate Internal - 10.0.7.9
  • Corporate External - 10.0.4.9
  • Telkom - 192.168.0.254
  • Internet solutions 169.212.74.66
Windows 8 Test VM
Since there will be many different scenarios in which you would like to test different connectivity options, I have also included a virtual test PC on the same Hyper-V server.  Depending on the test or lab configuration, this machine's single NIC can be connected to any of the Hyper-V virtual switches.  By default it is connected to one of the corporate VLANs.

Current Diagram
This is what the lab looks like at this point



Saving the basic configuration
At this point you should be able to connect to the management IP and you should be able to ping the various gateway IPs from an SSH session.

This will be the BASE configuration from which all the different lab builds will happen. Take a backup or snapshot and keep this as the starting point for all future lab testing.  Make sure you are very comfortable with snapshots.  As an example, I very quickly got the lab back to this state.





F5 Diaries - Episode 2 ISP Redundancy

Having more than one ISP for your corporate network is essential. If one ISP fails for whatever reason, the show must go on.  Similarly, if one of the ISPs becomes congested and starts to run slowly, traffic needs to be routed automatically to the other, faster ISP.

This is called outbound load balancing since the connection is initiated from the internal network and is requesting an external public resource.  For this functionality you only need F5 LTM; you do not need GTM or Link Controller.

This lab is going to build on the standard lab from Episode 1 http://fixmyitsystem.com/2013/04/f5-diaries-episode-1-building-lab.html

As a guide I am going to use this F5 doc http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-3-0/2.html#unique_2145903433

How it works
To be able to test this you will need a machine that uses an F5 external virtual server as its default gateway.  All requests are received by the F5 and then load balanced to the external ISPs.  The response is then received by the F5 and routed back to the original client source.



Configure the F5
Summary of what needs to be done

  • Create ISP nodes
  • Create an ISP pool
  • Create a virtual server to act as default gateway
  • Enable SNAT automap


Create ISP nodes
You need to create a node for each ISP's ROUTER address.

  • Local Traffic
  • Nodes
  • Create
  • ISP1 (Name:  Telkom; Address: 192.168.0.1)
  • ISP2 (Name:  IS; Address: 169.212.74.65)



Create ISP Pool
Use the nodes to create a pool for the virtual server

  • Local traffic
  • Pools
  • Create and name it default_gateway_pool
  • Add the gateway_icmp as the health monitor
  • Load balancing method Round Robin
  • Add the two ISP nodes for * All services
  • Finish


Create Virtual Server
You need to create a wildcard virtual server to act as the default gateway for all connections outbound to the Internet.

  • Local traffic
  • Virtual Servers
  • Create with the following
  • Name: vs_default_gateway
  • Type: Performance (Layer 4)
  • Source: 0.0.0.0/0
  • Destination: Network
  • Address 0.0.0.0
  • Mask 0.0.0.0
  • Service * All Ports
  • VLAN and Tunnel Traffic : Enabled on Internal VLAN
  • Source Address Translation: Auto Map
  • Default Pool: default_gateway_pool


Enable SNAT Auto Map
This allows traffic to route correctly between the VLANs.

  • Local traffic
  • Address translation
  • SNAT list
  • Create and call it SNAT
  • Translation Automap
  • VLAN Enabled on External & Internal

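The same four steps typed at the tmsh prompt instead of the GUI, as an added example (not from the original post or from F5's documentation). It assumes the internal and external VLANs are named internal and external; the option names are from memory of TMOS 11.x, so check them against the tmsh reference for your version.

```tmsh
# Added example: Episode 2's GUI steps as tmsh commands. Assumes VLANs named
# "internal" and "external"; verify option names against your TMOS version.

# 1. One node per ISP router (addresses from the Episode 1 lab)
create ltm node ISP1 address 192.168.0.1
create ltm node ISP2 address 169.212.74.65

# 2. Gateway pool: gateway_icmp monitor, round robin, port 0 = "* All services"
create ltm pool default_gateway_pool \
    monitor gateway_icmp \
    load-balancing-mode round-robin \
    members add { ISP1:0 { address 192.168.0.1 } ISP2:0 { address 169.212.74.65 } }

# 3. Wildcard Performance (Layer 4) virtual server used as the default gateway.
#    "vlans-enabled" with only the internal VLAN is the important part: the
#    0.0.0.0/0 listener must not be reachable from the ISP-facing VLANs, or the
#    BIG-IP would forward any traffic that arrives from the Internet side.
create ltm virtual vs_default_gateway \
    destination 0.0.0.0:any mask any \
    ip-protocol any \
    profiles add { fastL4 } \
    vlans add { internal } vlans-enabled \
    source-address-translation { type automap } \
    pool default_gateway_pool

# 4. SNAT automap so replies route back correctly across the VLANs
create ltm snat SNAT automap origins add { 0.0.0.0/0 } \
    vlans add { external internal } vlans-enabled

# Write the running configuration to disk
save sys config
```

After this, `list ltm virtual vs_default_gateway` should show the VLAN restriction and the automap setting; if it does not, the GUI steps above and these commands have diverged.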


Configure the Test PC
The test PC now needs to use the F5 as its default gateway to the Internet.

  • Connect the Test PC's NIC to the Internal virtual switch
  • Configure the network with the following static IP details:
  • IP  10.0.7.252
  • MASK 255.255.254.0
  • Gateway 10.0.7.9 (This is the self IP of the F5's Internal VLAN)
  • DNS 8.8.8.8 (Google Public)


Testing
At this point everything should be working.  On the test PC open a browser and connect to http://www.whatismyip.com.  This should give you a public IP.

To check that you have failover, disconnect one of the physical DSL routers.  You should now see the pool member being flagged as down, but your internet browsing should still be working.  I did notice a little delay as things were cutting over.  Now do the reverse with the other DSL router. You should observe that the public IP has changed.

Troubleshooting
If your browser is not returning any pages, check the following.

Problem: F5 Returns traffic but no DNS, sites work on IP but not name

  • Open a command prompt and run nslookup www.google.com
  • You should get a list of IPs; if you don't, get the list of IPs from another machine.
  • Use the IP in the browser instead of www.google.com
  • If the page loads you know that DNS lookup is broken
  • This happens because the SNAT automap for the Internal and External VLANs has not been defined.
  • Configure the SNAT as described above





F5 Diaries - Episode 3 ISP Load Balancing

Having redundancy or fail-over is one thing, having active load balancing is another.  F5 LTM allows you to configure both.

In Episode 1 and 2 I covered building the lab and setting up a very basic ISP redundancy.  In this episode I will place that configuration in a real world deployment, send some traffic through it, and monitor and tweak settings until we have load balancing.

Real world deployment
Combining your ISP links is most effective if it is done as close to the perimeter as possible.  This means it normally sits outside the corporate firewall.  Clients would then access the load balanced gateway through a NAT or proxy.


Expected conversations
From the proxy perspective the traffic source will be the individual internal IP addresses of the client computers.

From an F5 perspective all the TCP/IP traffic will have the same source IP: that of the firewall or proxy.  The destination will be the Internet site.  The F5 will select the external interface to use to send the traffic to that site.

From the internet site's perspective the source IP would be the public IP associated with the link that was used.  If the route was via ISP1 the source would be different from when the route was via ISP2.

Configuring persistence
Once a TCP conversation is started on one route you would like to maintain that route for the duration of that conversation.  This is persistence.  Normally persistence is based on the client address or session cookie.  However in this case the source IP will always be the same. This is great for persistence but would not allow for effective load balancing.  We can use the destination address since this will be very different from conversation to conversation.


  • Local Traffic
  • Virtual Servers
  • Default_gateway (your wildcard VS)
  • Resources
  • Set Default Persistence Profile to dest_addr


Deciding how to split the load
The ideal is to be able to connect many different ISPs with potentially different performance capabilities.  As an example the lab has 1 x 4MB ADSL and 1 x 512KB ADSL.  Because these links will have varying performance and load on them, you want to set the load balancing method to a dynamic one that evaluates the connection count as well as the performance.

The Observed (node) method uses a combination of the logic evaluating fastest response time and least connections.


  • Local Traffic
  • Pools
  • default_gateway_pool
  • Members
  • Set the Load Balancing Method to Observed (node)

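The persistence and load balancing changes above as tmsh commands, with a quick check of the resulting split, as an added example (not from the original post or from F5's documentation). It assumes the object names from Episode 2; the syntax is from memory of TMOS 11.x, so verify it against the tmsh reference for your version.

```tmsh
# Added example: Episode 3's tuning steps as tmsh commands, run against the
# objects created in Episode 2 (object names assumed; verify syntax on your
# TMOS version).

# Persist on destination address: the source IP is always the firewall or
# proxy, so the destination is the only field that varies per conversation.
modify ltm virtual vs_default_gateway persist replace-all-with { dest_addr }

# Observed (node) weighs each ISP router by response time and connection
# count, which suits links of unequal size (4MB vs 512KB in the lab).
modify ltm pool default_gateway_pool load-balancing-mode observed-node

save sys config

# Check the split: per-member connection counters, the tmsh equivalent of
# Statistics > Module Statistics > Local Traffic > Pools.
show ltm pool default_gateway_pool members

# Persistence records show which ISP each destination has been pinned to.
show ltm persistence persist-records
```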

Test your deployment
This setup works nicely for the lab, but your environment will probably differ in some regard.  It is important to check and see that your load is being distributed as you would like it to be.

You will need:
A number of client computers attempting to access the Internet through your gateway or proxy.  The wider the scope of sites being requested the better.

One of the easiest places to check that load is going to the various ISPs is to monitor the pool.


  • Statistics
  • Module Statistics
  • Local traffic
  • Statistics Type Pools
  • Enable Auto Refresh


After letting traffic run for a bit this is what I could see.  It is as expected, since the Telkom line theoretically has 8 x the bandwidth of the IS line.



Monitor traffic using tcpdump
Seeing traffic being split across the nodes is useful.  It gives you a high level overview to see that things are going as expected.  If however you want to get a closer look at what is actually going where, you will need to check out TCP flows with tcpdump in an SSH session.

Note that in tcpdump filters "and" binds more tightly than "or", so the host terms and the port terms each need to be bracketed; otherwise a filter like "src host A or B and dst port 80 or 443" matches every packet to port 443 regardless of host.  Quote the whole filter so the shell does not interpret the brackets.

To see outbound traffic from both of the internet facing self IPs you will need to specify the following

tcpdump -i any '(src host internetIP1 or src host internetIP2)'


To narrow down to HTTP and HTTPS traffic only

tcpdump -i any '(src host internetIP1 or src host internetIP2) and (dst port 80 or dst port 443)'


To see traffic outbound and inbound for HTTP and HTTPS (the replies come from port 80 or 443, so use "port" rather than "dst port")

tcpdump -i any '(host internetIP1 or host internetIP2) and (port 80 or port 443)'


For a bit more info on tcpdump check

http://support.f5.com/kb/en-us/solutions/public/0000/400/sol411.html

