Netscaler Upgrade

Research

Using a Citrix Account , download the latest firmware
 
https://www.citrix.com/downloads/netscaler-adc/
 
Save the Config for your Netscaler and also do a snapshot
 

Webased Upgrade

 
  • go to System – System Upgrade and select the firmware file and click Upgrade
 

CLI

 
Download Putty and Connect to Netscaler
 
Type : ns show version : to get the current version
 
Connect to Netscaler and type Shell to get to the prompt
 
HouseKeeping – go to /flash/ , delete any items that are not the current version ( rm %name of file% , if folder rm -rf %name of folder% )
 
If you Webased Upload has failed you might be lucky and the installer has been placed in /var/nsinstall/ , if not use WINSCP to copy the tgz file , then run tar xzvf nameofupgrade.tgz
 
Again housekeeping , clear up any installers not the current or old
 
Open the folder of the new install and go to type ./installns
 
 
After upgrade check SSL Labs
 
Use this to fix SSL : https://www.citrix.com/blogs/2018/05/16/scoring-an-a-at-ssllabs-com-with-citrix-netscaler-q2-2018-update/
 

 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Powershell to Install Desktop Experience on Server OS in Powershell

Random 

<#
.SYNOPSIS
Install Desktop Experience for servers for disk cleanup.
#>


# V2 admin check
If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
{
    Write-Warning "Please run this script as an Administrator!"
    Exit 1
}

[version]$OSVersion = [Environment]::OSVersion.Version

#check OS version
If ($OSVersion -gt "6.2") {
#server 2012 and above
   Install-WindowsFeature -Name Desktop-Experience
} ElseIf ($OSVersion -gt "6.1") {
#server 2008r2 and above
    Add-WindowsFeature -Name Desktop-Experience
} ElseIf ($OSVersion -gt "6.0") {
#server 2008 and above
    servermanagercmd.exe -install Desktop-Experience
} Else {
    write-host 'What OS Is this?'
}
InstallDesktopExperience.ps1 view raw
VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

How to List Folder Permissions for User Shares and Reset the NTFS permissions

Code

List the permissions on all the folders

$OutFile = "C:\temp\Permissions.csv"
Remove-Item $OutFile -ErrorAction SilentlyContinue
$Header = "Folder Path,Exception,IdentityReference,AccessControlType,IsInherited,InheritanceFlags,PropagationFlags"
Add-Content -Value $Header -Path $OutFile 

$RootPath = "D:\Shares\Users$"

try
{
#to add subfolders add - Recurse after $RootPath
    $Folders = dir $RootPath 2>&1 | where {$_.psiscontainer -eq $true} 
}
catch [System.Exception]
{
    $_.Exception.Message
}

foreach ($Folder in $Folders){
    
    try
    { 
        $ACLs = get-acl $Folder.fullname | ForEach-Object { $_.Access  }
        $Exception = $false 
      }
    catch [System.Exception]
    {
        $Exception = $true
        $SystemMessage = $_.Exception.Message 
    }
    Finally
    {
        Foreach ($ACL in $ACLs)
        {
             if ($Exception -eq $false) {
            $OutInfo = $Folder.Fullname + "," + $Exception  + "," + $ACL.IdentityReference  + "," + $ACL.AccessControlType + "," + $ACL.IsInherited + "," + $ACL.InheritanceFlags + "," + $ACL.PropagationFlags
             }
           else {
            $OutInfo = $Folder.Fullname + "," + $Exception  + "," + $SystemMessage
           }
           Add-Content -Value $OutInfo -Path $OutFile
       }
    }
}
ListFolderPermission.ps1 view raw

Change the permissions

#######################################################
# 
# I put this script together to fix the permissions on users' home folders
# that had gotten messed up when they were moved to a new fileserver
# cluster.  After many attempts that 'almost' worked, I incorporated scripts
# from fellow SpiceHeads, most notably Martin Pugh (Martin9700).  An 
# edit or two from others, (Simon Matthews helped with the Set-ACL syntax 
# and Martin Boyle contributed the Set-Strictmode line for debugging), and
# I fixed up the logging output.
# 
# There's a couple of comments in the script that I left in but really only apply
# to the limited type of environment I was dealing with (2003 functional domain 
# with no access to the ActiveDirectory module).  (I figure I can't be the only 
# with overlords stuck in the past.)
# 
# Mike Schulman (s31064) 11/19/2015
# 
#######################################################

#Set-Strictmode -Version Latest -Verbose	##### Uncomment for configuring to your situation, then comment out again when you've got it right.

$Path = "D:\Shares\Users$"

##### Permissions adds the users/groups and the permissions they should have.  The actual User should not be added here.  
##### What's on the line below is an example only.  The format is domain\user-group:Permission.  
##### Separate additional users/groups with a comma and enclose the list in "".

$Permissions = "%yourdomainname%\Domain Admins:FullControl"

# Setup Access Rules
# $Domain = (Get-ADDomain).NetBIOSName	##### Need to set statically on next line because of 2003 limitations.
$Domain = 'ENCOM'
$AccessRules = @()
ForEach ($Perm in $Permissions.Split(","))
{	$Group = $Perm.Split(":")[0]
	$Level = $Perm.Split(":")[1]
	$AccessRules += New-Object System.Security.AccessControl.FileSystemAccessRule($Group,$Level, "ContainerInherit, ObjectInherit", 

"None", "Allow")
}

##### Setup Logging
##### Pasting this script as text into a PS command line causes the line below to throw an error and place the log file in the C:\ folder.  The script still works.

$Log = "$(Split-Path $MyInvocation.MyCommand.Path)\Set-UserACL-$(Get-Date -format 'MMddyy-hhmm').log"
Add-Content -Value "$(Get-Date): Script begins" -Path $Log
Add-Content -Value "$(Get-Date): Processing folder: $Path" -Path $Log

##### This is where it all starts to happen.
##### You can also modify the -Path in the Get-ChildItem line to limit the number of folders affected during testing.

$Dirs = Get-ChildItem -Path "$Path\*" | Where { $_.PSisContainer }
$UserError = @()
ForEach ($Dir in $Dirs)
{	$User = Split-Path $Dir.Fullname -Leaf
	Try
	{	Add-Content -Value "-----------------------------------------------" -Path $Log
	 	Add-Content -Value "$(Get-Date): Testing $($User): $($Dir.Fullname)" -Path $Log

##### The next line should be        $Test = Get-ADUser $User -ErrorAction Stop
##### It will test for the existence of the user before looping through the script.  I had to take it out because of the limitations of my environment.

	 	$ACL = Get-Acl $Dir -ErrorAction Stop
        
        ##### Set inheritance to no
		#$ACL.SetAccessRuleProtection($true, $false)
        #Add-Content -Value "$(Get-Date): Inheritance for $User set successfully" -Path $Log
        
        ##### Set owner to user
		#$ACL.SetOwner([System.Security.Principal.NTAccount]$User)
        #Add-Content -Value "$(Get-Date): Owner $User set successfully" -Path $Log
        
        ##### Remove old permissions
		$ACL.Access | ForEach { [Void]$ACL.RemoveAccessRule($_) }
        Add-Content -Value "$(Get-Date): Old permissions for $User removed successfully" -Path $Log
        
        ##### Set new permissions
		ForEach ($Rule in $AccessRules)
		{	$ACL.AddAccessRule($Rule)
		}
		$UserRule = New-Object System.Security.AccessControl.FileSystemAccessRule("$Domain\$User","Modify", "ContainerInherit, 

ObjectInherit", "None", "Allow")
		$ACL.AddAccessRule($UserRule)
		Set-Acl -Path $Dir -AclObject $ACL -ErrorAction Stop
        Add-Content -Value "$(Get-Date): New permissions for $User set successfully" -Path $Log
	}
	Catch

##### This is where the errors get logged.  The first line logs them to the console, and the next two lines add them to the log file.

	{	Write-Host "Unable to process $($Dir.Fullname) because $($Error[0])" -ForegroundColor Red
		Add-Content -Value "-----------------------------------------------" -Path $Log
        		Add-Content -Value "$(Get-Date): Unable to process $($Dir.Fullname) because $($Error[0])" -Path $Log
	}
}

##### This just closes the log file.

Add-Content -Value "-----------------------------------------------" -Path $Log
Add-Content -Value "$(Get-Date): Script completed" -Path $Log
FixUserFolderNTFSPermissions.ps1 view raw
VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Mimecast – Bounce – Message content not accepted

Random

Recently had a customer stop being able to send items to Mimecast with the following 

554 Email rejected due to security policies - https://community.mimecast.com/docs/DOC-1369#554

This was happening to Multiple emails and Mimecast Logs showed : Bounce – Message content not accepted

So something generic in the content was causing this

Generic would be email signatures and Links in email signatures are usually the cause, removing one of the domains in the email signature fixed this , we lodged a Support case with Mimecast who removed this domain from their blocklist

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

How to Update\Add\Renew Citrix Netscaler SSL Cert

Random

Open Netscaler and generate RSA Key

Create a new RSA key 

Create a new CSR

 

 

Request File Name is name.csr

Key FileName is the RSA key you just generated

Digest Method : SHA 256

Use PEM and Enter Company Details

Once CSR Created , download and open this key and enter it into your Cert Provider.

Download the New Key as a .PEM format 

Upload the New Key to the Certificates

Install the Certificate

Certificate File Name is the one you have uploaded from your provider ( .pem ) 

The Key File Name is the RSA Key you generated at the start

Install CA/Intermediate certs

If the certificate requires any Intermediate certs, Upload these to Certificates, then install

Link the CA Certificates with the new SSL Certificate

Right Click on your certificate you have installed under following directory and click Link , choose the CA cert that matches its chain

 

Change the SSL Cert on the Netscaler Virtual Server and Load Balancer

Navigate to your Virtual Server

 

Choose Server Certificate 

Add Binding

Select your new certificate . Select and Bind

Repeat step on Load Balancer

 

Make sure you SAVE THE CONFIG!

Test the chain using : https://whatsmychaincert.com/

 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Previous full backup chain transformation failed Error: Agent: Failed to process method {Transform.Patch}: An unexpected network error occurred.

Random

Recently multiple Transform jobs for Veeam on a Synology NAS was maxing out the I/O’s of the NAS , with the errors

Previous full backup chain transformation failed Error: Agent: Failed to process method {Transform.Patch}: An unexpected network error occurred.

applying the below registry keys and spacing out the transform fixed the issue 

 

SessTimeout - Reboot Required

Key: HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\
DWORD: SessTimeout
This is a value in seconds. Try a value of 600 decimal (10 minutes).
This increases the amount of time the Windows SMB client will wait for a response from an SMB server before it aborts the connection. The default timeout is one minute.

TcpMaxDataRetransmissions - Reboot Required

Key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DWORD: TcpMaxDataRetransmissions
Try a value of 10.
This increases the number of times the Windows TCP implementation will retransmit a data segment before it aborts the connection. The default number of retries is five.
VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

May Windows Update breaks RDP

Random

https://support.microsoft.com/en-au/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018

 

I had one user with this issue and on Windows Home Edition – so the machine don’t have GPO or Gpedit.

It didn’t had the Registry key, way to fix was creating the Registry key manually with value=2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]

"AllowEncryptionOracle"=dword:00000002

Group Policy path: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation Setting name: Encryption Oracle Remediation

from Vulnerable to Mitigated on Client computers (Win 10, Win 7)

If the CredSSP patch has not been applied to the server, you will get an error and will not be able to connect. If applying the patch to the server (released March) is not possible the setting can be changed via GPO or local GPEDIT on client machines.

 

Obviously patching the server is the better option!

 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

DNS Authentication – DMARC Fail

Random

Recently had a customer have a bounce back for an email someone tried to send him with the error

 

DNS Authentication – DMARC Fail

 

DMARC Utilises DKIM and SPF records to monitor senders and act accordingly. I checked the domain of the sender’s email using https://otalliance.org/resources/spf-dmarc-tools-record-validator and the domain had no DKIM or SPF but did have a DMARC Record!

You need to have SPF and DKIM records before DMARC

 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

How to find Serial Number from Vmware Vsphere Esxi Host

Random

Enable SSH on the ESXi Machine and run the following

esxcfg-info | grep "Serial N"

If this doesnt work then you can use something like this in powershell however it needs Vcenter and Vsphere CLI

Get-VMHost | Select Name,
    @{N='Serial';E={(Get-EsxCli -VMHost $_).hardware.platform.get().SerialNumber}} |
Export-Csv serial.csv -NoTypeInformation -UseCulture
VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)