Posts Tagged ‘SSL’

If you host your Azure MFA User Portal outside of your MFA Server, e.g. in a DMZ, the User Portal server has to talk to the MFA Server over SSL using the SDK, and it authenticates with a certificate. Make sure the SSL certificate of your MFA Server is valid. It might be self-signed internally on that server (it cannot come from the domain, as the DMZ server can't talk to your domain), so you need to create a new one, transfer it securely to the User Portal server and install it in the Trusted Root Certification Authorities store. Otherwise the User Portal reports:

System.Security.Authentication

This certificate cannot be verified up to a trusted certification


Use this DigiCert page to generate an OpenSSL CSR command, e.g. the one below:

https://www.digicert.com/easy-csr/openssl.htm

openssl req -new -newkey rsa:2048 -nodes -out test_test_com.csr -keyout test_test_com.key -subj "/C=US/ST=Test/L=/O=Test/CN=test.test.com" 

Now add -config "C:\Program Files\Autonomy\WorkSite\Apache\conf\openssl.cnf" to the end of the command.

In a Command Prompt, navigate to the folder containing openssl.exe (C:\Program Files\Autonomy\WorkSite\Apache\bin).

Run the full command:

openssl req -new -newkey rsa:2048 -nodes -out test_test_com.csr -keyout test_test_com.key -subj "/C=US/ST=Test/L=/O=Test/CN=test.test.com" -config "C:\Program Files\Autonomy\WorkSite\Apache\conf\openssl.cnf"

It will generate a .csr and a .key file; copy these to C:\SSL.

Use the CSR with your certificate authority to generate a .crt file and also a chain file.

Download these to C:\SSL.

Open the file C:\Program Files\Autonomy\WorkSite\Apache\conf\worksite.conf

Add or change the lines to the below:

SSLCertificateFile "C:\SSL\certs_test_test_com.crt"
SSLCertificateKeyFile "C:\SSL\test_test_com.key"
SSLCertificateChainFile "C:\SSL\certs_DigiCertCA.crt"

Restart the iManage Work Server service.

Next

Copy "C:\SSL\test_test_com.key" to "C:\SSL\test_test_comkey.pem"

Open certs_test_test_com.crt with Notepad and copy its contents into a new file.

Open certs_DigiCertCA.crt with Notepad and paste its contents below the first certificate in the new file (directly under the other certificate, on a new line).

Save this as C:\SSL\test_test_comfullchain.pem

In the WorkSite Service Properties, configure Hosted DM.

Change the .PEM files to your new files.

Restart the iManageMicroServiceHub service.


Find the current certificate location:

sudo vi /etc/nginx/nginx.conf

Look for the line:

ssl_certificate /etc/pki/nginx/cert.pem;


Go to DigiCert and download a .pem containing all the certificates.

Use WinSCP to copy this to /etc/pki/nginx/ and change the config to point at the new PEM file:

sudo vi /etc/nginx/nginx.conf

Restart nginx:

sudo service nginx restart

Log in to N-central with the username productadmin@n-able.com

This process will take the N-able server down, so it will need to be in a scheduled outage.

Choose

Enter the details of the company and click Generate. This will create a self-signed cert on the server and restart the web interface; if you have any issues logging in, use Firefox, as it copes better with self-signed certs.

Copy the CSR that it has created.

Go to DigiCert, click the Re-Download button and enter your CSR.

Download a bundle of all the CERs together.

Upload this via SSL Certificate (this will reboot the web interface).

If you have any issue with the upload you might need to rechain the file yourself; if so choose

Then use this guide to order and create a CRT to upload:

https://support.solarwindsmsp.com/kb/solarwinds_n-central/SSL-for-SolarWinds-N-central-Chaining-your-certificate/


Open the Netscaler and generate an RSA key.

Create a new RSA key.

Create a new CSR.


Request File Name is name.csr

Key File Name is the RSA key you just generated

Digest Method: SHA256

Use PEM and enter the company details.

Once the CSR is created, download and open it and submit it to your certificate provider.

Download the new certificate in .PEM format.

Upload the new certificate under Certificates.

Install the certificate:

Certificate File Name is the one you have uploaded from your provider (.pem)

The Key File Name is the RSA key you generated at the start

Install CA/intermediate certs:

If the certificate requires any intermediate certs, upload these under Certificates, then install them.

Link the CA certificates with the new SSL certificate:

Right click the certificate you have installed under the following directory and click Link, then choose the CA cert that matches its chain.


Change the SSL cert on the Netscaler virtual server and load balancer:

Navigate to your virtual server.


Choose Server Certificate.

Add Binding.

Select your new certificate, then Select and Bind.

Repeat the step on the load balancer.


Make sure you SAVE THE CONFIG!

Test the chain using: https://whatsmychaincert.com/

When trying to create an IMAP mailbox sync via Office 365, I was getting the following failed error next to the sync status:

TLS negotiation failed with status AlgorithmMismatch

The IMAP server I was syncing from was using SSL on port 993; however the SSL cert was self-signed rather than from a proper certificate authority.

In the end I had to enable syncing through port 143 unencrypted, or you can purchase a signed SSL cert for the migration.


Recently I went through this to update a cert on a Gateway: http://fixmyitsystem.com/2012/07/configure-citrix-xenapp-web-site-to-use.html

However the SSL certificate was still not updated.

If you route traffic over a different port you need to run through this as well:

Start, All Programs, Citrix, Administration Tools, Secure Gateway Configuration Wizard

Choose Next and Standard

Pick your new cert.

Leave the rest of the options as default.

A VPN for a new site had been working fine, but then it disconnected and would not stay active.

Enabling debug:

diagnose debug application ike -1
diagnose debug enable

Disabling debug:

diagnose debug reset
diagnose debug disable

This produced the below sort of errors:

ike 0:VPN TTN:16877: ignoring unencrypted PAYLOAD-MALFORMED message from 41.224.14.131:500.
ike 0:VPN TTN:VPN TTN P2: IPsec SA connect 50 41.224.244.77->41.224.14.131:0
ike 0:VPN TTN:VPN TTN P2: using existing connection
ike 0:VPN TTN:VPN TTN P2: config found
ike 0:VPN TTN:VPN TTN P2: IPsec SA connect 50 41.224.244.77->41.224.14.131:500 negotiating
ike 0:VPN TTN:16877:VPN TTN P2:17015: ISAKMP SA still negotiating, queuing quick-mode request
ike 0:VPN TTN:16877: out 474981673AAFACE9D0216ED361A1081D05100201000000000000006C338C4B9F667E7DC90860B2541F716F185CF7E6B42813D02B34C11EFD6B7530644B6D91E5685CA6D1609DFDE30FEE4108D130782677BC3B12A27E544C7E11D2EA89BB51401C1919352C6A93D5CBEB590B
ike 0:VPN TTN:16877: sent IKE msg (P1_RETRANSMIT): 41.224.244.77:500->41.224.14.131:500, len=108, id=474981673aaface9/d0216ed361a1081d
ike 0: comes 41.224.14.131:500->41.224.244.77:500,ifindex=50....
ike 0: IKEv1 exchange=Identity Protection id=474981673aaface9/d0216ed361a1081d len=256
ike 0: in …
ike 0:VPN TTN:16877: retransmission, re-send last message
EBDC7AF274255283369206E877CA0EBB0A62257AF229F0600D85C90BF266C8852B2336E9CAFE8F0E7EF63E57CD1E28647A049BF6D1DFCD45C6C23B3F92A95B1EC29A0F9992FC4D78EB018DC54C903339121BCD535F9C9246BD2E62A787466485D980D000018C30B61834BB43EBC5839BC3F53695599BF7DCA4C0D00001412F5F28C457168A9702D9FE274CC01000D00000C09002689DFD6B7120D00001425E6C9CE61A0081DB8BA401A26766C19000000141F07F70EAA6514D3B0FA96542A500100
ike 0:VPN TTN:16877: retransmission, re-send last message


It turned out the remote site did not have a static IP address from its ISP; we need to get a static one assigned by the ISP, and until then change the IPs each time it changes.
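The pattern in that debug output (a P1_RETRANSMIT, the ISAKMP SA "still negotiating" while quick mode is queued behind it, and the peer replying with an unencrypted PAYLOAD-MALFORMED notify) is the signature of a phase 1 that never completes, and a peer whose public address has silently changed looks exactly like this. The following is an added example, not from the post or from Fortinet: a small triage pass that groups those indicators per tunnel so the conclusion is visible without reading the raw hex. The sample lines are constructed after the ones above, with documentation-range addresses and a made-up cookie pair in place of the real values.

```python
"""Triage of FortiGate `diagnose debug application ike -1` output. Added example; the
log lines are constructed after the post's and use documentation-range addresses."""
import re
from collections import defaultdict

SAMPLE_IKE_DEBUG = """\
ike 0:VPN TTN:16877: ignoring unencrypted PAYLOAD-MALFORMED message from 203.0.113.45:500.
ike 0:VPN TTN:VPN TTN P2: IPsec SA connect 50 198.51.100.7->203.0.113.45:0
ike 0:VPN TTN:VPN TTN P2: using existing connection
ike 0:VPN TTN:VPN TTN P2: config found
ike 0:VPN TTN:VPN TTN P2: IPsec SA connect 50 198.51.100.7->203.0.113.45:500 negotiating
ike 0:VPN TTN:16877:VPN TTN P2:17015: ISAKMP SA still negotiating, queuing quick-mode request
ike 0:VPN TTN:16877: sent IKE msg (P1_RETRANSMIT): 198.51.100.7:500->203.0.113.45:500, len=108, id=0011223344556677/8899aabbccddeeff
ike 0: comes 203.0.113.45:500->198.51.100.7:500,ifindex=50....
ike 0: IKEv1 exchange=Identity Protection id=0011223344556677/8899aabbccddeeff len=256
ike 0:VPN TTN:16877: retransmission, re-send last message
ike 0:VPN TTN:16877: retransmission, re-send last message
"""

# Each indicator keyed on the tunnel name FortiOS prints right after "ike 0:".
PATTERNS = {
    "malformed_from_peer": re.compile(
        r"^ike \d+:(?P<gw>[^:]+):\d+: ignoring unencrypted PAYLOAD-MALFORMED message from (?P<peer>[\d.]+):\d+"),
    "p1_retransmits": re.compile(
        r"^ike \d+:(?P<gw>[^:]+):\d+: sent IKE msg \(P1_RETRANSMIT\): [\d.]+:\d+->(?P<peer>[\d.]+):\d+"),
    "resends": re.compile(r"^ike \d+:(?P<gw>[^:]+):\d+: retransmission, re-send last message"),
    "quick_mode_queued": re.compile(
        r"^ike \d+:(?P<gw>[^:]+):\d+:[^:]+:\d+: ISAKMP SA still negotiating"),
}


def summarize(log_text):
    """Count the phase-1 trouble indicators per tunnel and remember which peers were involved."""
    summary = defaultdict(lambda: {"peers": set(), "malformed_from_peer": 0,
                                   "p1_retransmits": 0, "resends": 0, "quick_mode_queued": 0})
    for line in log_text.splitlines():
        for event, pattern in PATTERNS.items():
            match = pattern.match(line.strip())
            if match:
                entry = summary[match.group("gw")]
                entry[event] += 1
                if "peer" in match.groupdict():
                    entry["peers"].add(match.group("peer"))
                break
    return dict(summary)


def diagnose(summary):
    """Turn the counts into the findings a network engineer would act on."""
    findings = []
    for gw, e in summary.items():
        peers = ", ".join(sorted(e["peers"])) or "unknown peer"
        if e["p1_retransmits"] + e["resends"] >= 2 and e["quick_mode_queued"]:
            findings.append(f"{gw}: phase 1 with {peers} never completes (quick mode is queued behind it); "
                            "confirm the peer's current public IP still matches remote-gw")
        if e["malformed_from_peer"]:
            findings.append(f"{gw}: {peers} answered with an unencrypted PAYLOAD-MALFORMED notify, so it "
                            "could not process our phase-1 message; recheck the pre-shared key and phase-1 proposal")
    return findings


if __name__ == "__main__":
    for finding in diagnose(summarize(SAMPLE_IKE_DEBUG)):
        print(finding)
```

Paste the captured debug into summarize() instead of the sample; a tunnel whose remote-gw no longer matches the peer shows the first finding on every retry.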

Users who previously could connect were no longer connecting to our FortiGate.

If using VDOMs, first enter global configuration:

#conf global

#diagnose sys top

Check the free memory (usage should not be over 80%).

Enable debug for the SSL VPN:

#dia debug en
#dia debug reset
#dia debug application sslvpn -1

Then connect the VPN and check the logs for that user.

Found:

"no more addresses" fortigate

#diagnose debug disable

#exec vpn sslvpn list

If using VDOMs, use this before:

#conf vdom

#edit <VDOM name>

Users were getting 4 addresses in the SSL VPN sessions instead of one, which was filling up the DHCP list.

#fnsysctl ps

Find the PID of sslvpnd, then kill it:

#diag sys kill 11 <pid>

The VPN service will restart automatically.


Compatibility of 3G/4G USB modems can be found here:

Configuring Modems on the FortiGate

There is always a time when an ISP doesn't deliver internet to a premises, so the office is without internet. Thanks to 4G connections you can pipe internet out through that; however most VPNs need static IPs, which you don't get with 4G/3G cards. Fortinet provides a DDNS service for this problem, see http://video.fortinet.com/video/99/site-to-site-ipsec-vpn-setup-with-dynamic-interface; however some providers assign IPs on their private network (Telstra), so you need to put the VPN in aggressive mode and authenticate with a passkey.

Here is the config to get the VPN working on a Fortinet firewall.

See here how to get the Modem working : http://pariswells.com/blog/fixes/fortinet-60d-model-with-telstra-sierra-wireless-320u

Remote Office VPN Config

config vpn ipsec phase1
    edit "VPN"
        set interface "modem"
        set dhgrp 2
        set proposal aes128-sha1
        set remote-gw **IP-Address of remote-gw**
        set psksecret ENC ***PASSKEY***
    next
end
config vpn ipsec phase2
    edit "192.168.10.0-192.168.11.0"
        set phase1name "VPN"
        set proposal aes128-sha1
        set keepalive enable
        set dhgrp 2
        set keylifeseconds 3600
        set src-subnet 192.168.16.0 255.255.255.0
        set dst-subnet 192.168.18.0 255.255.255.0
    next
end


Remote Office Firewall Config

config firewall policy
    edit 8
        set srcintf "wan1"
        set dstintf "modem"
        set srcaddr "192.168.16.0/24"
        set dstaddr "192.168.18.0/24"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set inbound enable
        set outbound enable
        set vpntunnel "VPN"
    next
    edit 4
        set srcintf "wan1"
        set dstintf "modem"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
    edit 5
        set srcintf "switch"
        set dstintf "modem"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
    edit 6
        set srcintf "switch"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 7
        set srcintf "wan1"
        set dstintf "switch"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end


Main Office

    edit "VPN"
        set vdom "root"
        set type tunnel
        set snmp-index 25
        set interface "*INTERNET**"
    next

    edit "VPN"
        set type dynamic
        set interface "*INTERNET**"
        set keylife 28800
        set proposal aes128-sha1
        set comments "VPN"
        set dhgrp 2
        set psksecret ENC **passphrase**
    next

    edit "192.168.16.0-192.168.18.0"
        set phase1name "VPN"
        set proposal aes128-sha1
        set dhgrp 14 2
        set keepalive enable
        set keylifeseconds 3600
        set src-subnet 192.168.18.0 255.255.255.0
        set dst-subnet 192.168.16.0 255.255.255.0
    next
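The two sides above only come up if their phase 1 and phase 2 settings overlap: at least one common proposal and DH group in each phase, mirrored selectors (each side's src-subnet is the other's dst-subnet), and, because the main office is "type dynamic" and cannot dial out, a remote-gw on the remote office side. A mismatch in any of these shows up only as an opaque phase 1 or phase 2 failure in the IKE debug. The following added example (not code from the post or from Fortinet) parses FortiOS config/edit/set/next/end text and runs those checks. The sample configs are constructed after the ones in this post: a placeholder pre-shared key, a documentation-range gateway address, "wan1" assumed for the main office internet interface, and the main-office fragment wrapped in "config vpn ipsec phase1" / "phase2" headers so the parser has a table to key on.

```python
"""Compatibility check between the two ends of a FortiGate IPsec tunnel.
Added example; the configs are constructed after the post's with placeholder values."""
import shlex

REMOTE_OFFICE = """\
config vpn ipsec phase1
    edit "VPN"
        set interface "modem"
        set dhgrp 2
        set proposal aes128-sha1
        set remote-gw 203.0.113.10
        set psksecret ENC PLACEHOLDER-PSK
    next
end
config vpn ipsec phase2
    edit "192.168.16.0-192.168.18.0"
        set phase1name "VPN"
        set proposal aes128-sha1
        set dhgrp 2
        set src-subnet 192.168.16.0 255.255.255.0
        set dst-subnet 192.168.18.0 255.255.255.0
    next
end
"""

MAIN_OFFICE = """\
config vpn ipsec phase1
    edit "VPN"
        set type dynamic
        set interface "wan1"
        set proposal aes128-sha1
        set dhgrp 2
        set psksecret ENC PLACEHOLDER-PSK
    next
end
config vpn ipsec phase2
    edit "192.168.16.0-192.168.18.0"
        set phase1name "VPN"
        set proposal aes128-sha1
        set dhgrp 14 2
        set src-subnet 192.168.18.0 255.255.255.0
        set dst-subnet 192.168.16.0 255.255.255.0
    next
end
"""


def parse_fortios(text):
    """Turn `config X / edit Y / set K V... / next / end` into {table: {entry: {key: [values]}}}.
    shlex handles the quoted values; multi-value settings (dhgrp 14 2) become lists."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        words = shlex.split(raw.strip())
        if not words:
            continue
        if words[0] == "config":
            table = " ".join(words[1:])
            tables.setdefault(table, {})
        elif words[0] == "edit":
            entry = words[1]
            tables[table].setdefault(entry, {})
        elif words[0] == "set":
            tables[table][entry][words[1]] = words[2:]
        elif words[0] == "next":
            entry = None
        elif words[0] == "end":
            table = None
    return tables


def first_entry(tables, table):
    """The single tunnel entry of a table (the configs above define one each)."""
    return next(iter(tables[table].values()))


def check_compat(remote, main):
    """Return human-readable mismatches; an empty list means the two ends can negotiate."""
    findings = []
    for table in ("vpn ipsec phase1", "vpn ipsec phase2"):
        r, m = first_entry(remote, table), first_entry(main, table)
        for key in ("proposal", "dhgrp"):
            if not set(r.get(key, [])) & set(m.get(key, [])):
                findings.append(f"{table}: no common {key} (remote={r.get(key)}, main={m.get(key)})")
    r1, m1 = first_entry(remote, "vpn ipsec phase1"), first_entry(main, "vpn ipsec phase1")
    if m1.get("type") == ["dynamic"] and "remote-gw" not in r1:
        findings.append("vpn ipsec phase1: main side is dynamic, so the remote side must set remote-gw and initiate")
    r2, m2 = first_entry(remote, "vpn ipsec phase2"), first_entry(main, "vpn ipsec phase2")
    if r2.get("src-subnet") != m2.get("dst-subnet") or r2.get("dst-subnet") != m2.get("src-subnet"):
        findings.append("vpn ipsec phase2: selectors are not mirrored between the two sides")
    return findings


if __name__ == "__main__":
    problems = check_compat(parse_fortios(REMOTE_OFFICE), parse_fortios(MAIN_OFFICE))
    print(problems or "phase1/phase2 settings are compatible")
```

Paste the output of "show vpn ipsec phase1" and "show vpn ipsec phase2" from each firewall in place of the two sample strings; the DH group check is what catches the main office's "dhgrp 14 2" against a remote that only offers group 2 (they still overlap on 2 here).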