Blog Archives

Howto: Sonicwall SSL-VPN (NetExtender) on Windows 8.1

Those familiar with the SonicWall SSL-VPN 2000 appliance and Windows are used to connecting to the SSL-VPN with the NetExtender client, and older firmware still offers this client when you connect through the browser. Various forums provide instructions for installing this old software on Windows 8.1. Most of them include disabling the WHQL (Windows driver signing) check, which leaves your system open to any unsigned kernel driver. Once the software is installed you will probably run into further issues: RRAS is not addressed properly, the client fails to connect even though authentication succeeds, and no routes are added after a connection is established.

Not many people seem to know that a SonicWall Mobile Connect VPN provider is built into Windows 8.1. It is, obviously, also the preferred way to connect, because all Windows security mechanisms (driver signing included) stay in place when you use the readily available provider. The steps below walk through configuring a VPN profile for the SSL-VPN appliance and offer an alternative to the old NetExtender software. Consider, too, the maintenance options you gain by rolling these profiles out through domain policies 😉

  1. Type: Windows key + S;
  2. In the search field type: VPN;
  3. Select the ‘manage virtual private networks’ option;
  4. Select ‘Add a VPN Connection’;
  5. In the ‘VPN provider’ select the ‘Sonicwall Mobile Connect’ option;
  6. Type a descriptive name in the ‘Connection name’ field;
    (this name will be visible throughout windows)
  7. In the ‘Server name or Address’ field type the web address without the protocol portion, for example:
    NetExtender: https://vpn.company.com
    Address field: vpn.company.com
  8. Select save;
  9. Close all the windows;
  10. Type: Windows key + S;
  11. In the search field type: VPN;
  12. Now select ‘Connect to a network’;
  13. Select your created profile;
  14. In the username field use the following:
    domain\username (remember the domain portion is case sensitive!)
  15. Type your password;
  16. Connect.

If all is correct the connection should come up without any problems. If not, review the advanced settings. These are available under ‘manage virtual private networks’ by selecting the ‘edit’ option on the created profile (steps 1 to 3).

You can review the routes pushed by the appliance as follows:

  1. Type: Windows key + R;
  2. In the run field type: powershell;
  3. Run the command: route print | Out-GridView;

Hope this helps.

P.S.
If you already disabled driver signing in an earlier attempt, re-enable it. From an elevated command prompt, bcdedit /enum {current} shows whether testsigning or nointegritychecks is set to Yes; bcdedit /set testsigning off and bcdedit /set nointegritychecks off clear them again (a reboot is required).
Driver rootkits are fairly common and a real risk once unsigned kernel drivers are allowed to load!


Fix the inline images bug in the GLPI knowledge base (htmLawed.php)

GLPI 0.84.8 FIX

GLPI uses the htmLawed filter to clean inserted HTML. Documentation on this library can be found here: http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/

The problem with htmLawed as shipped in GLPI is that it does not match image tags properly when they carry inline base64 data.

Here is a simple fix to overcome this. The file is located at %glpi_root%/lib/htmlawed/htmLawed.php. Open it in your favourite editor and go to line 47; somewhere around there you should find the following.

(screenshot: the schemes line in htmLawed.php)

Add ‘data’ at the end of the marked line, so that it reads:

$x = (isset($C['schemes'][2]) && strpos($C['schemes'], ':')) ? strtolower($C['schemes']) : 'href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; *:file, http, https, data';

The above stops htmLawed from prefixing the data: scheme in src="" with denied:. Note that the *: entry is the list applied to every attribute without an entry of its own, so adding data there also permits data: URLs in href and any other attribute. If inline images are all you need, leave the *: list alone and give src its own entry instead, for example src: data, file, http, https, in the same attribute: scheme-list format the href: entry already uses.

The next step is a bit trickier.

Now we need to change the hl_tag function itself. In the same file locate the hl_tag($t) function, somewhere around line 407. In this code block we are looking for the regular expression marked in the image below:

(screenshot: the regular expression at the top of hl_tag())

This is the expression that fails to match the valid <img> tags inside htmLawed. We do not want to open a hole here, so all we do is introduce an exception for our images. Replace the block with the following code:

if(!preg_match('`^<(/?)([a-zA-Z][a-zA-Z1-6]*)([^>]*?)\s?>$`m', $t, $m)){
    // The token is not a tag htmLawed can parse.
    if(strstr($t, 'data:image')){
        // Exception for inline images: the token is returned as-is, without
        // the < > escaping below. Any unparsable token containing the text
        // "data:image" takes this path, so keep your content to real <img> tags.
        return $t;
    }else{
        return str_replace(array('<', '>'), array('&lt;', '&gt;'), $t);
    }
}elseif(!isset($C['elements'][($e = strtolower($m[2]))])){
    // Known syntax, unknown element: escape or drop it, depending on keep_bad.
    return (($C['keep_bad']%2) ? str_replace(array('<', '>'), array('&lt;', '&gt;'), $t) : '');
}

After this, the images should show up just fine.

(screenshot: the knowledge base entry rendering its inline image)

I hope this was helpful 🙂
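A narrower form of that exception, as an added example that is not part of GLPI or htmLawed: the strstr() test above returns any unparsable token untouched as soon as it contains the text data:image, whereas this version only passes a single <img> tag whose src is a base64 data:image URI and whose other attributes come from a short allow-list, and entity-escapes everything else exactly as the original branch does. The function name, the allow-list and the sample inputs are mine; like the patch, it assumes the token reaching this branch is one whole <img ...> tag.

```php
<?php
// Added example, not GLPI or htmLawed code. Drop-in for the
// "if (strstr($t, 'data:image')) return $t;" branch in hl_tag():
// only a well-formed <img> with a base64 data:image src and allow-listed
// attributes is returned as-is; any other unparsable token is escaped.

function hl_tag_data_image_fallback($t)
{
    // Attribute allow-list for the pass-through <img>: name => value pattern.
    // svg+xml is deliberately absent: an SVG data URI can carry script.
    static $allowed = array(
        'src'    => '`^data:image/(?:png|gif|jpe?g);base64,[A-Za-z0-9+/=\s]+$`',
        'alt'    => '`^[^<>"]*$`',
        'title'  => '`^[^<>"]*$`',
        'width'  => '`^[0-9]{1,4}$`',
        'height' => '`^[0-9]{1,4}$`',
    );

    // What the original branch does with anything it does not trust.
    $escaped = str_replace(array('<', '>'), array('&lt;', '&gt;'), $t);

    // Exactly one <img ...> token: double-quoted attributes, nothing else.
    if (!preg_match('`^<img((?:\s+[a-z]+="[^"<>]*")+)\s*/?>$`is', $t, $m)) {
        return $escaped;
    }
    preg_match_all('`\s+([a-z]+)="([^"<>]*)"`is', $m[1], $attrs, PREG_SET_ORDER);

    $hasSrc = false;
    foreach ($attrs as $a) {
        $name = strtolower($a[1]);
        // Unknown attribute (onerror, style, ...) or a value outside its pattern.
        if (!isset($allowed[$name]) || !preg_match($allowed[$name], $a[2])) {
            return $escaped;
        }
        if ($name === 'src') {
            $hasSrc = true;
        }
    }
    return $hasSrc ? $t : $escaped;
}

// Constructed inputs: only the first one should survive unescaped.
$samples = array(
    '<img src="data:image/png;base64,iVBORw0KGgo=" alt="logo" width="16">',
    '<img src="data:image/png;base64,iVBORw0KGgo=" onerror="alert(1)">',
    '<img src="data:image/svg+xml;base64,PHN2Zz48L3N2Zz4=">',
    '<img src="data:image/png;base64,iVBORw0KGgo=" alt="x" >bogus<',
);
foreach ($samples as $s) {
    echo hl_tag_data_image_fallback($s), "\n";
}
```

Tokens that do pass still go nowhere near htmLawed's normal attribute filtering, which is why the allow-list is deliberately short: widen it only with attributes you would accept unfiltered.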

RHEL5 init script for tomcat catalina

I have written an init script for Tomcat (Catalina) on RHEL 5, tested on Oracle Enterprise Linux 5.5 (Carthage). The script follows the init conventions for Red Hat Enterprise Linux by using the functions library in /etc/init.d/functions.

The script also supports chkconfig, though you may want to change the start/stop priorities used (56 10). Note that, as written, it starts the JVM as root; on a production box pass --user <service account> to daemon so Tomcat runs under an unprivileged account.

#!/bin/sh
#
# "$Id: catalina ,v 1.0 2010/08/10 Chris_g Exp $"
#
#   Startup/shutdown script for the tomcat (Catalina) application server.
#
#   Linux chkconfig stuff:
#
#   chkconfig: 2345 56 10
#   description: Startup/shutdown script for the tomcat application server.
######

# Source function library.
######
. /etc/init.d/functions

# Define where the catalina.sh script is located.
# The redirect is part of the string on purpose: daemon() hands its
# arguments to "bash -c", so it silences catalina.sh's banner without
# hiding the [ OK ] / [FAILED] status printed by daemon itself.
######
CATALINA_BIN='/u01/tomcat/bin/catalina.sh 1> /dev/null'

# Find the catalina process using ps / awk.
# awk's match() returns 0 when the field does not contain "java".
# With ps -efc, field $9 is the first word of the command line, i.e. the
# path of the Java executable used by catalina. If several JVMs run from
# that binary they are all matched.
######
PROC=`ps -efc | grep apache.catalina | awk '{ if (match($9, "java") != 0) print $9; }'`

# Replace a potential empty string with a fake process so the RH daemon
# functions are able to parse it properly.
######
if [ -z "$PROC" ]; then
    PROC='Tomcat_JVM'
fi

# Define the application name that is listed in the daemonize step.
PROG='Tomcat JVM'

# LOCKFILE
LOCK='/var/lock/subsys/tomcat'

RETVAL=0

start () {
        echo -n $"Starting $PROG: "

        # start daemon
        daemon $CATALINA_BIN start
        RETVAL=$?
        echo
        [ $RETVAL = 0 ] && touch "$LOCK"
        return $RETVAL
}

stop () {
        # stop daemon
        # NOTE: $PROC is the path of the java binary, so killproc signals every
        # process started from that binary, not only this Tomcat instance.
        echo -n $"Stopping $PROG: "
        killproc "$PROC"
        RETVAL=$?
        echo
        [ $RETVAL = 0 ] && rm -f "$LOCK"
        return $RETVAL
}

restart() {
        stop
        start
}

case "$1" in
        start)
                start
        ;;
        stop)
                stop
        ;;
        restart)
                restart
        ;;
        status)
                status "$PROC"
                RETVAL=$?
        ;;
        *)
                echo $"Usage: $0 {start|stop|restart|status}"
                exit 3
esac

exit $RETVAL

# INSTALL
1. Create a new tomcat file in your init directory and make it executable:
   touch /etc/init.d/tomcat
   chmod 755 /etc/init.d/tomcat
2. Paste the code above into this file using vi:
   vi /etc/init.d/tomcat
   (PuTTY users)
   Press Insert (this puts vi in insert mode).
   Alter the catalina.sh path, copy the altered code to your clipboard and paste it into PuTTY with a right mouse click.
   Press Esc (this leaves insert mode).
   Then press Shift+:, w, Enter (this saves the file).
3. If catalina.sh was able to start Tomcat (all variables and Java configured), the tomcat script should now be able to handle the startup.
4. If Catalina was already running, try:

     service tomcat status
     This should already give a result like:
     java (pid 14389) is running...

5. Register the script with chkconfig and enable it for automatic startup:
     chkconfig --add tomcat
     chkconfig --level 2345 tomcat on

Hope this helps 😉
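A more targeted way to find and stop the JVM, as an added example that is not part of the init script above: killproc with the path of the java binary signals every process started from that binary, so on a host that also runs a Jenkins or a second Tomcat, "service tomcat stop" takes those down as well. The functions below match on the org.apache.catalina.startup.Bootstrap class together with the -Dcatalina.base value instead. The /u01/tomcat path is carried over from the script; the ps output at the bottom is constructed so that the matching can be exercised without a running Tomcat.

```shell
#!/bin/sh
# Added example, not part of the init script above: identify the Tomcat JVM by
# its Bootstrap class plus CATALINA_BASE, so stop/status act on that one
# process instead of every "java" on the box (which is what killproc with the
# java path does). The functions read `ps -eo pid,args` output from stdin so
# they can be exercised on the constructed sample below without a Tomcat.

CATALINA_BASE='/u01/tomcat'     # assumption: same tree as the init script

# catalina_pid <catalina_base>
# Reads ps lines from stdin, prints the pid of the JVM whose argument list
# carries both org.apache.catalina.startup.Bootstrap and this CATALINA_BASE.
catalina_pid() {
    awk -v base="$1" '
        /org\.apache\.catalina\.startup\.Bootstrap/ {
            for (i = 2; i <= NF; i++)
                if ($i == ("-Dcatalina.base=" base)) { print $1; exit }
        }'
}

# status_catalina <catalina_base>: 0 if running, 3 (LSB "not running") otherwise
status_catalina() {
    pid=$(ps -eo pid,args | catalina_pid "$1")
    if [ -n "$pid" ]; then
        echo "Tomcat ($1) is running, pid $pid"
        return 0
    fi
    echo "Tomcat ($1) is stopped"
    return 3
}

# stop_catalina <catalina_base>: TERM only that JVM, wait up to 30 s, then KILL
stop_catalina() {
    pid=$(ps -eo pid,args | catalina_pid "$1")
    [ -n "$pid" ] || return 0
    kill "$pid" 2>/dev/null || return 1
    n=0
    while kill -0 "$pid" 2>/dev/null && [ "$n" -lt 30 ]; do
        sleep 1
        n=$((n + 1))
    done
    kill -0 "$pid" 2>/dev/null && kill -KILL "$pid"
    return 0
}

# Constructed `ps -eo pid,args` sample: a Jenkins JVM and two Tomcat instances.
SAMPLE_PS='  PID COMMAND
 1234 /usr/bin/java -jar /opt/jenkins/jenkins.war
14389 /usr/java/bin/java -Dcatalina.base=/u01/tomcat -Dcatalina.home=/u01/tomcat org.apache.catalina.startup.Bootstrap start
14400 /usr/java/bin/java -Dcatalina.base=/opt/tomcat2 -Dcatalina.home=/opt/tomcat2 org.apache.catalina.startup.Bootstrap start'

# sample_pid <catalina_base>: run catalina_pid over the constructed sample
sample_pid() {
    printf '%s\n' "$SAMPLE_PS" | catalina_pid "$1"
}

# Run stand-alone: show which pid each base resolves to (empty for no match).
for b in "$CATALINA_BASE" /opt/tomcat2 /opt/jenkins; do
    echo "$b -> '$(sample_pid "$b")'"
done
```

Dropping status_catalina and stop_catalina into the script's status) and stop) branches keeps the rest of the RH plumbing (daemon, the lock file) as it is; only the process selection changes.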

Phase one: check IOStat for Nagios.

Full working version can be found here

/* CHECK OUT THE LINK AT THE TOP OF THIS POST 😉 */
/* OR CHECK THE SOURCE DIRECTLY HERE:
     http://technology.amis.nl/download/iostat/

    THIS SCRIPT REQUIRES THE SYSSTAT PACKAGE (IOSTAT)
*/

Thanks, regards,

Windows update error?!?

Hi guys,

Until recently we have been getting messages in our client system logs like:
The Automatic Updates service terminated with the following error: The class is configured to run as a security id different from the caller.

To be honest, we tried different approaches and researched the issue from different angles. We found articles about BITS and other security settings, but none really helped. The following is true in our environment.

1. We don't use WSUS.
2. We have a native Windows Server 2003 domain.
3. We use Windows XP Service Pack 2.
4. We do use group policies, but for some elusive business requirements we don't enforce updates (developers...).

Here are some things that were true about the issue.
1. We couldn't start or stop the Windows Update service (wuauserv.dll / wuaueng.dll) and got an access denied message.
2. We couldn't register the various DLLs in Windows.
3. We couldn't rewrite the BITS entries, also getting an access denied message.
4. We couldn't enable "interactive" mode in the Log On tab of the service, getting... yes, an access denied message.

Update on this issue

The problem was somewhat elusive, but we found it! 🙂

The behaviour described above is caused by a group policy that enforces the configuration of the service itself (the Windows Update service).

In the machine portion of a GPO you can browse to Computer Configuration > Windows Settings > Security Settings > System Services. Here you can configure various aspects of Windows services, for example force the Messenger service to be disabled. In our case the Windows Update service was forced to Automatic, and with it (check the permissions button) the security descriptor on the service itself was being overwritten, which is where the access denied messages came from.

Just remove the policy entry for the Windows Update service and control the update behaviour with the appropriate policies under Computer Configuration > Administrative Templates > Windows Components > Windows Update instead.

This should fix the "security id different from the caller" issue 😉

Use gpupdate /force on the clients that really need some updates, or wait until the next logon or the next background refresh (90 minutes by default, plus a random offset of up to 30 minutes)...

Gl & Rgrds, Chris

Memo : Find duplicate files in network shares.

Do you have a share floating around on your network that is basically a collection of files in need of sorting, where sorting out the chaos would mean rebuilding the whole tree? Then you might want to try this 😉

1. Download the Swiss File Knife (sfk) from SourceForge.
2. Copy the executable to your desktop.
3. Copy it to C:\windows (or any other directory on your PATH; writing to C:\windows needs an administrator account) by typing the command below in Run:

cmd.exe /c copy "c:\documents and settings\%username%\desktop\sfk152.exe" c:\windows\sfk.exe     (XP)
cmd.exe /c copy "c:\users\%username%\desktop\sfk152.exe" c:\windows\sfk.exe     (Vista)

4. Open a command prompt by typing "cmd.exe" in Run.
5. Open or map the network location using one of the following commands.

If you need to authenticate as a different user, map a drive letter with net use and then switch to it:
net use X: \\the.server.ip.addr\ShareName /user:domain\username
X:
(UPN user names are also allowed: /user:username@domain.ext)
Otherwise pushd maps the share to a temporary drive letter and changes into it in one go:
pushd \\the.server.ip.addr\ShareName

6. Verify that the network location is your current directory ("C:\" or "H:\" is not correct ;)).
7. Run the Swiss File Knife command and redirect its output to a file:

sfk dupfind . > "C:\documents and settings\%username%\desktop\sfkoutput.txt"

Thought this was also a nice one to remember and share 😀

Some documentation about sfk can be found here...