Booting F5 BIG-IP LTM 3900 from USB

November 8th, 2015

As a side note: should you own a BIG-IP LTM 3900 appliance and wonder how to boot it from a USB stick (to reinstall the OS or run the End User Diagnostics software), make sure to use a USB stick which is precisely 1GB in size. Any other USB sticks (2/4/8/16GB) simply won’t work.

Why it can’t be documented somewhere on the F5 website remains a mystery to me.

[20151205] : I stand corrected. It looks like it has nothing to do with the size but with the chipset. I received a Rescue Kit the other day from F5 and they included two USB 32GB sticks — it’s SanDisk Cruzer Glide.

Adding and troubleshooting KMS keys

October 29th, 2015

On the KMS host:

Use Volume Activation Tools to add a new host key or:

  cscript.exe c:\windows\system32\slmgr.vbs -ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

To see what keys have been deployed and what the status is:

  cscript.exe c:\windows\system32\slmgr.vbs /dlv all

To activate (requires http/s access from the KMS host):

  cscript.exe c:\windows\system32\slmgr.vbs /ato activation.ID

where activation.ID is the Activation ID string reported by ‘cscript slmgr.vbs /dlv all’.

On the KMS client:

To manually force the activation of Windows OS (requires 1688/tcp access to the KMS host):

  cscript.exe c:\windows\system32\slmgr.vbs /ato

To manually force the activation of Microsoft Office (requires 1688/tcp access to the KMS host):

  cscript.exe c:\"program files (x86)"\"microsoft office"\office14\ospp.vbs /act

Deploying wildcard SSL certificate for VMware Horizon 6

February 6th, 2015

Quick notes on how to deploy a wildcard SSL certificate with VMware Horizon 6 setup. In my case there is one Connection server and one Security server, both running Windows 2012 R2 Server OS. We also own a wildcard certificate covering our public domain, say domain.org.


Managing multiple FreeBSD servers

November 17th, 2014

If you run multiple installations of FreeBSD, sooner or later you will face the issue of how to update them all in the most efficient and centralized way. Building kernel/world on a FreeBSD server with one CPU and a couple of GB of RAM takes hours to complete. Fortunately, there is a way to optimize it.


http to https redirect under F5

October 13th, 2014

Say you have a virtual web server, serving domain1.org, configured on F5 with the following iRule redirecting plain http to https:

  when HTTP_REQUEST {

    if { [HTTP::host] equals "domain1.org" } {
      HTTP::redirect "https://[HTTP::host][HTTP::uri]"
    }
  }

You decided to buy another domain (domain2.org) and want to point it to the same IP where domain1.org is hosted, with the redirect going to https://domain1.org. Here is how the modified iRule looks:

  when HTTP_REQUEST {
    # compare against a lower-cased copy; the Host header's case is client-controlled
    set host [string tolower [HTTP::host]]

    if { $host equals "domain2.org" or $host ends_with ".domain2.org" } {
      # domain2.org itself and any subdomain of it go to the canonical site
      HTTP::redirect "https://domain1.org[HTTP::uri]"
    } elseif { $host equals "domain1.org" } {
      HTTP::redirect "https://[HTTP::host][HTTP::uri]"
    }
  }

Here is an alternative way to implement the redirection using an HTTP Class profile.

Under Local Traffic › Profiles › Protocol › HTTP Class create a new profile:

  Name: HTTP2HTTPS
  Parent Profile: httpclass

  Hosts: Match all
  URI Paths: Match all
  Headers: Match all
  Cookies: Match all

  Send To: Redirect to…
  Redirect to Location: https://[getfield [HTTP::host] ":" 1][HTTP::uri]

For domain2.org redirection, modify it and change Redirect to Location to (note that [HTTP::uri] already starts with a slash, so no slash is placed after the host name):

  Send To: Redirect to…
  Redirect to Location: https://domain1.org[HTTP::uri]
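As an added example that is not part of the original post or of F5's code, the following Python models the redirect decision of the iRule above as a pure function, covering the cases the iRule has to get right: a Host header with a :port suffix (which the HTTP Class strips with getfield), mixed case, the bare domain2.org versus its subdomains, and a look-alike host such as notdomain2.org, which must not match.

```python
import re

CANONICAL = "domain1.org"   # the site that should serve everything over https
ALIASES = {"domain2.org"}   # extra domains parked on the same virtual server

# Host header may carry an explicit port, e.g. "domain1.org:8080"
_HOST_PORT_RE = re.compile(r"^(?P<name>[^:]+)(?::(?P<port>\d+))?$")


def normalise_host(host_header):
    """Lower-case the Host header and drop a :port suffix, as the HTTP Class does
    with getfield [HTTP::host] ":" 1; returns None for a malformed header."""
    m = _HOST_PORT_RE.match(host_header.strip())
    return m["name"].lower() if m else None


def redirect_for(host_header, uri):
    """Return the Location the iRule would send, or None if the request is left alone."""
    host = normalise_host(host_header)
    if host is None or not uri.startswith("/"):
        return None
    for alias in ALIASES:
        # the bare alias and any label below it, but not a look-alike host
        if host == alias or host.endswith("." + alias):
            # HTTP::uri already carries the leading "/", so no slash after the host
            return "https://" + CANONICAL + uri
    if host == CANONICAL:
        # only an exact match echoes the client-supplied host back in the Location
        return "https://" + host + uri
    return None
```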

User based access control for Skype with Dante and FreeBSD 10

October 4th, 2014

[20170512/ Another update. It actually turned out that the latest Skype (confirmed with 7.36.0.101) does support socks, however there is an issue with the password length used to authenticate to the socks instance. Anything greater than 5 (five) characters fails. I don’t know whether it’s done deliberately, or there is some bug that’s never going to be fixed, but anyway, the workaround is either to use some generic account with a five-or-fewer-character password, or to disable socks authentication altogether./20170512]

[20170312/ Somewhere around the first week of March 2017 (or the end of February), Skype started dropping connections from versions 7.1.32.xx and below. When you try to log in, you’ll be presented with a message about an outdated version. I’m not aware of any versions after 7.1.32 that support Socks. Despite numerous bugs opened, Socks functionality was never fixed, therefore the content of this article is no longer valid, and you won’t be able to use Skype with Socks. The configuration option is still there, but no connection attempts to the Socks server are made. Perhaps this is how they promote the usage of Skype Business Server./20170312]

Today we’re going to configure Dante running on FreeBSD 10.0-STABLE to allow Skype connectivity based on username/password stored in Active Directory. The version of Dante being used is 1.4.1 installed from ports and Active Directory is handled by Windows Server 2008 R2.

Note: as of the time of writing, the version of Dante available in the FreeBSD ports collection is 1.4.0 and it’s marked as BROKEN because of bug 192295. Use this patch to install 1.4.1.

Install required software:

  % cd /usr/ports/security/pam_ldap && make install clean
  % cd /usr/ports/net/dante && make install clean

Create /usr/local/etc/pam.d/sockd file:

  auth       required /usr/local/lib/pam_ldap.so
  account    required /usr/local/lib/pam_ldap.so
  password   required /usr/local/lib/pam_ldap.so

Create /usr/local/etc/ldap.conf file and fix permissions:

  host 10.9.128.1
  base OU=Users,DC=int,DC=domain,DC=org
  ldap_version 3
  binddn CN=socksd,OU=Users,DC=int,DC=domain,DC=org
  bindpw xxxxxxx
  pam_filter objectclass=user
  pam_login_attribute samaccountname

The file contains the bind password, so restrict it to root:

  % chmod 600 /usr/local/etc/ldap.conf

Adjust host, base, binddn and bindpw to reflect your environment.

Modify /usr/local/etc/sockd.conf file:

  logoutput: stdout /var/log/dante.log
  internal: 10.9.36.10 port = 1080
  external: 10.9.36.10

  # methods offered globally; "none" is only usable where a rule does not
  # insist on pam.username (the socks pass rule below does)
  socksmethod: pam.username none

  user.privileged: root
  user.unprivileged: nobody
  user.libwrap: nobody

  # which clients may talk to the proxy at all
  client pass {
          from: 10.9.128.0/24 port 1024-65535 to: 0.0.0.0/0
          log: error connect disconnect
  }

  # outbound requests must authenticate with an LDAP username/password via PAM
  socks pass {
          from: 10.9.128.0/24 to: 0.0.0.0/0
          command: connect udpassociate
          socksmethod: pam.username
          log: error connect disconnect iooperation
  }

  # UDP replies coming back to clients that set up a udpassociate
  socks pass {
          from: 0.0.0.0/0 to: 10.9.128.0/24
          command: udpreply
          log: connect error
  }

Modify /etc/rc.conf to start Dante at boot:

  # enable dante
  sockd_enable="YES"

Configure Skype to use Socks with proxy authentication and check the logs of Dante:

  Oct  4 16:45:44 (1412433944.407661) sockd[482]: info: pass(1): tcp/accept [: 10.9.128.47.59574 10.9.36.10.1080
  Oct  4 16:45:44 (1412433944.525454) sockd[483]: info: pass(1): udp/udpassociate [: pam.username%usera@0.0.0.0.64526 10.9.36.10.60780
  Oct  4 16:45:49 (1412433949.196857) sockd[630]: info: pass(1): tcp/accept [: 10.9.128.47.59578 10.9.36.10.1080
  Oct  4 16:45:49 (1412433949.378804) sockd[499]: info: pass(1): tcp/connect [: pam.username%usera@10.9.128.47.59578 10.9.36.10.1080 -> 10.9.36.10.59578 64.4.23.143.33033
  Oct  4 16:45:49 (1412433949.380925) sockd[499]: info: pass(1): tcp/connect -: pam.username%usera@10.9.128.47.59578 10.9.36.10.1080 -> 10.9.36.10.59578 64.4.23.143.33033 (35)
  Oct  4 16:45:49 (1412433949.544730) sockd[499]: info: pass(1): tcp/connect -: 64.4.23.143.33033 10.9.36.10.59578 -> 10.9.36.10.1080 pam.username%usera@10.9.128.47.59578 (63)
  Oct  4 16:45:49 (1412433949.548340) sockd[499]: info: pass(1): tcp/connect -: pam.username%usera@10.9.128.47.59578 10.9.36.10.1080 -> 10.9.36.10.59578 64.4.23.143.33033 (40)
  Oct  4 16:45:49 (1412433949.706747) sockd[499]: info: pass(1): tcp/connect -: 64.4.23.143.33033 10.9.36.10.59578 -> 10.9.36.10.1080 pam.username%usera@10.9.128.47.59578 (3)
  Oct  4 16:45:49 (1412433949.962844) sockd[499]: info: pass(1): tcp/connect -: 64.4.23.143.33033 10.9.36.10.59578 -> 10.9.36.10.1080 pam.username%usera@10.9.128.47.59578 (144)
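As an added example (not part of the original post or of Dante itself), here is a small Python parser for the sockd log format shown above. It attributes each proxied TCP session to the PAM-authenticated user, collects the destinations reached and sums the bytes sent in each direction; the sample input is the set of lines quoted above, embedded as constructed data. Accept and udpassociate lines are deliberately skipped.

```python
import re
from collections import defaultdict

# Constructed sample input: the sockd log lines quoted in this post.
SAMPLE_LOG = """\
Oct  4 16:45:44 (1412433944.407661) sockd[482]: info: pass(1): tcp/accept [: 10.9.128.47.59574 10.9.36.10.1080
Oct  4 16:45:44 (1412433944.525454) sockd[483]: info: pass(1): udp/udpassociate [: pam.username%usera@0.0.0.0.64526 10.9.36.10.60780
Oct  4 16:45:49 (1412433949.378804) sockd[499]: info: pass(1): tcp/connect [: pam.username%usera@10.9.128.47.59578 10.9.36.10.1080 -> 10.9.36.10.59578 64.4.23.143.33033
Oct  4 16:45:49 (1412433949.380925) sockd[499]: info: pass(1): tcp/connect -: pam.username%usera@10.9.128.47.59578 10.9.36.10.1080 -> 10.9.36.10.59578 64.4.23.143.33033 (35)
Oct  4 16:45:49 (1412433949.544730) sockd[499]: info: pass(1): tcp/connect -: 64.4.23.143.33033 10.9.36.10.59578 -> 10.9.36.10.1080 pam.username%usera@10.9.128.47.59578 (63)
Oct  4 16:45:49 (1412433949.548340) sockd[499]: info: pass(1): tcp/connect -: pam.username%usera@10.9.128.47.59578 10.9.36.10.1080 -> 10.9.36.10.59578 64.4.23.143.33033 (40)
Oct  4 16:45:49 (1412433949.706747) sockd[499]: info: pass(1): tcp/connect -: 64.4.23.143.33033 10.9.36.10.59578 -> 10.9.36.10.1080 pam.username%usera@10.9.128.47.59578 (3)
Oct  4 16:45:49 (1412433949.962844) sockd[499]: info: pass(1): tcp/connect -: 64.4.23.143.33033 10.9.36.10.59578 -> 10.9.36.10.1080 pam.username%usera@10.9.128.47.59578 (144)
"""

# "[:" marks session setup, "-:" a data transfer whose byte count is in parentheses.
CONNECT_RE = re.compile(
    r"sockd\[\d+\]: info: pass\(\d+\): tcp/connect (?P<event>\[:|-:) "
    r"(?P<src>\S+) \S+ -> \S+ (?P<dst>\S+)(?: \((?P<nbytes>\d+)\))?$"
)
# A PAM-authenticated endpoint is printed as pam.username%<user>@<ip>.<port>
USER_RE = re.compile(r"^pam\.username%(?P<user>[^@]+)@(?P<ip>(?:\d+\.){3}\d+)\.(?P<port>\d+)$")
ADDR_RE = re.compile(r"^(?P<ip>(?:\d+\.){3}\d+)\.(?P<port>\d+)$")


def summarize(log_text):
    """Per-user view of proxied TCP sessions: session count, destinations, bytes each way."""
    users = defaultdict(lambda: {"connections": 0, "destinations": set(), "bytes_out": 0, "bytes_in": 0})
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue  # accept/udpassociate lines and anything unexpected are ignored
        src, dst = USER_RE.match(m["src"]), ADDR_RE.match(m["dst"])
        if src and dst:  # client -> remote direction
            user, remote, field = src["user"], (dst["ip"], int(dst["port"])), "bytes_out"
        else:            # remote -> client direction: the user sits on the right-hand side
            src, dst = ADDR_RE.match(m["src"]), USER_RE.match(m["dst"])
            if not (src and dst):
                continue
            user, remote, field = dst["user"], (src["ip"], int(src["port"])), "bytes_in"
        entry = users[user]
        if m["event"] == "[:":
            entry["connections"] += 1
            entry["destinations"].add(remote)
        elif m["nbytes"] is not None:
            entry[field] += int(m["nbytes"])
    return dict(users)
```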

Since Dante is quite talkative make sure to rotate logs by editing /etc/newsyslog.conf file:

  /var/log/dante.log                      640  3     100  *     JB    /var/run/sockd.pid

Running Splunk with add-on for Check Point OPSEC LEA on FreeBSD 10

September 30th, 2014

Here is my set of notes for running the latest Splunk with the add-on for Check Point OPSEC LEA on FreeBSD 10.0-STABLE.

Splunk: 6.1.3 build 220630
Add-on for Check Point OPSEC LEA: 2.1.0
Check Point: R71.30


make buildworld & IBM x3650 m3

September 28th, 2014

Upgrade from 10.0-RELEASE to 10.1-PRERELEASE

Brand: IBM x3650 m3

In order to successfully boot the server make sure to enable legacy support as per this thread.

Processor: 2 x Intel Xeon X5650 2.67Ghz (6 cores each)
Memory: 144GB
HDD: 2 x 72GB (15k RPM, 6Gbps SAS 2.5-inch) in RAID1

Softupdates: ON
SMP: ON

  CPU: Intel(R) Xeon(R) CPU X5650  @ 2.67GHz (2666.82-MHz K8-class CPU)
  real memory = 154618822656 (147456 MB)
  avail memory = 150235295744 (143275 MB)
  mfi0: <LSI MegaSAS Gen2> port 0x1000-0x10ff mem 0x97940000-0x97943fff,0x97900000-0x9793ffff irq 16 at device 0.0 on pci1
  mfid0: 68664MB (140623872 sectors) RAID volume (no label) is optimal

make -j4 buildworld: 31 min 20 s
make -j4 buildkernel: 3 min 31 s
make installkernel: 9 s
make installworld: 58 s

NSD and OpenDNSSEC under FreeBSD 10 [Part 4: Firewall]

August 31st, 2014

This is the fourth part in the series of articles explaining how to run NSD and OpenDNSSEC under FreeBSD 10.

It’s just a reference for firewall freaks like me showing which ports need to be opened on each respective server.

I’m using PF on all four servers with the ‘deny all’ default rule.

NS-FEED needs to be able to send 53/udp to the signer and both slaves (to NOTIFY about zone changes). It has to accept incoming 53/tcp from the signer and both slaves (to allow zone transfers) and also it has to accept 53/udp from the signer (the signer will periodically poll the hidden master for zone changes):

  pass out quick on xl0 inet proto udp from xl0 to 192.168.128.1 port = domain keep state
  pass out quick on xl0 inet proto udp from xl0 to 192.168.128.2 port = domain keep state
  pass out quick on xl0 inet proto udp from xl0 to 10.9.128.2 port = domain keep state

  pass in quick on xl0 inet proto tcp from 192.168.128.1 to xl0 port = domain flags S/SA keep state
  pass in quick on xl0 inet proto tcp from 192.168.128.2 to xl0 port = domain flags S/SA keep state
  pass in quick on xl0 inet proto tcp from 10.9.128.2 to xl0 port = domain flags S/SA keep state

  pass in quick on xl0 inet proto udp from 10.9.128.2 to xl0 port = domain keep state

NS-SIGN has to be able to send 53/udp and 53/tcp to the hidden master (to request and perform zone transfer from the hidden master). It has to be able to send 53/udp to both slaves (to notify slaves about zone changes). It has to accept incoming 53/tcp from both slaves (to allow zone transfers) and also it has to accept 53/udp from the hidden master:

  pass out quick on xl0 inet proto tcp from xl0 to 10.9.128.1 port = domain flags S/SA modulate state
  pass out quick on xl0 inet proto udp from xl0 to 10.9.128.1 port = domain keep state
  pass out quick on xl0 inet proto udp from xl0 to 192.168.128.1 port = domain keep state
  pass out quick on xl0 inet proto udp from xl0 to 192.168.128.2 port = domain keep state

  pass in quick on xl0 inet proto tcp from 192.168.128.1 to xl0 port = domain flags S/SA keep state
  pass in quick on xl0 inet proto tcp from 192.168.128.2 to xl0 port = domain flags S/SA keep state
  pass in quick on xl0 inet proto tcp from 10.9.128.1 to xl0 port = domain flags S/SA keep state

NS-3 and NS-4 have to be able to send 53/tcp to the hidden master and the signer (to request zone transfers). They also have to accept incoming 53/udp and 53/tcp from anywhere to serve recursive DNS requests:

  pass out quick on xl0 inet proto tcp from xl0 to 10.9.128.1 port = domain flags S/SA modulate state
  pass out quick on xl0 inet proto tcp from xl0 to 10.9.128.2 port = domain flags S/SA modulate state

  pass in quick on xl0 inet proto udp from any to 192.168.128.1 port = domain keep state
  pass in quick on xl0 inet proto tcp from any to 192.168.128.1 port = domain flags S/SA modulate state

and on the second slave:

  pass out quick on xl0 inet proto tcp from xl0 to 10.9.128.1 port = domain flags S/SA modulate state
  pass out quick on xl0 inet proto tcp from xl0 to 10.9.128.2 port = domain flags S/SA modulate state

  pass in quick on xl0 inet proto udp from any to 192.168.128.2 port = domain keep state
  pass in quick on xl0 inet proto tcp from any to 192.168.128.2 port = domain flags S/SA modulate state

NSD and OpenDNSSEC under FreeBSD 10 [Part 3: OpenDNSSEC]

August 31st, 2014

This is the third part in the series of articles explaining how to run NSD and OpenDNSSEC under FreeBSD 10.

In this exercise we’re going to configure our signing server NS-SIGN which will be running OpenDNSSEC with DNSSEC keys stored in SoftHSM.

For the sake of simplicity, let’s assume we’re going to host a zone called signed.org.
