25. November 2012 · Enabling Network Level Authentication on Windows XP Service Pack 3 · Categories: Microsoft

The remote computer requires Network Level Authentication, which your computer does not support.

To enable NLA on XP machines, first install XP SP3, then edit the registry settings on the XP client machine to allow NLA:

• Configure Network Level Authentication

1. Click Start, click Run, type regedit, and then press ENTER.

2. In the navigation pane, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

3. In the details pane, right-click Security Packages, and then click Modify.

4. In the Value data box, type tspkg. Leave any data that is specific to other SSPs, and then click OK.

5. In the navigation pane, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders

6. In the details pane, right-click SecurityProviders, and then click Modify.

7. In the Value data box, type credssp.dll. Leave any data that is specific to other SSPs, and then click OK.

8. Exit Registry Editor.

9. Restart the computer.
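
Steps 2 to 7 as a script that appends the two entries while leaving the data of other SSPs in place. This is an added example, not part of the original post; it assumes PowerShell 2.0 is installed on the XP SP3 client and the session runs as an administrator, and `Add-Entry` is a hypothetical helper name.

```powershell
# Added example (not from the original post): steps 2-7 as an idempotent script.
# Assumes PowerShell 2.0 on the XP SP3 client and an administrator session.
$lsaKey = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
$spKey  = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders'
$reg    = [Microsoft.Win32.Registry]
$kind   = [Microsoft.Win32.RegistryValueKind]

# Hypothetical helper: keep every existing entry, append $New only if absent.
function Add-Entry([string[]]$Existing, [string]$New) {
    $kept = @($Existing | ForEach-Object { "$_".Trim() } | Where-Object { $_ })
    if ($kept -notcontains $New) { $kept += $New }   # comparison ignores case
    return ,$kept
}

# "Security Packages" is REG_MULTI_SZ: one SSP name per line.
$packages = $reg::GetValue($lsaKey, 'Security Packages', $null)
if ($null -eq $packages) { throw "Security Packages not found under $lsaKey" }
$newPackages = [string[]](Add-Entry $packages 'tspkg')

# "SecurityProviders" is REG_SZ: a comma-separated list of provider DLLs.
$providers = $reg::GetValue($spKey, 'SecurityProviders', $null)
if ($null -eq $providers) { throw "SecurityProviders not found under $spKey" }
$newProviders = [string]::Join(', ',
    [string[]](Add-Entry $providers.Split(',') 'credssp.dll'))

# Print the old data first so it can be restored by hand if needed.
"Security Packages (old): " + [string]::Join(' | ', [string[]]$packages)
"Security Packages (new): " + [string]::Join(' | ', $newPackages)
"SecurityProviders (old): $providers"
"SecurityProviders (new): $newProviders"

# Write both values back with their original registry types.
$reg::SetValue($lsaKey, 'Security Packages', $newPackages, $kind::MultiString)
$reg::SetValue($spKey,  'SecurityProviders', $newProviders, $kind::String)

"Done. Restart the computer for the change to take effect."
```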

24. November 2012 · How to Upgrade the ASA5500 using CLI · Categories: Cisco

Version 9.0 of the Cisco ASA software has now been released. Here are some of the major features in the new release.

Filter ICMP by ICMP code
Clustering of multiple ASAs
OSPFv3 and EIGRP support
IPv6 support on outside interface for VPNs
NAT for IPv6 and NAT64
DHCPv6 relay
Unified ACLs for v4 and v6
Clientless SSL VPN – Support for new browsers and HTML5
Site to Site VPN in multiple context mode
Dynamic routing in multiple context mode
Mixed firewall support in multiple context mode

So today I decided to upgrade my ASA5505 to Version 9.0(1). Below are the steps to upgrade your ASA.

23. November 2012 · Cisco ASA Port Forwarding in 8.3 from the CLI the easy way · Categories: Cisco

In this example, we want to be able to access a Media Server behind the firewall. We’ll assume you are using port 32400 and that the Media Server’s internal IP address is 10.11.12.13/24. I’ll give you the steps, then I’ll explain.

Step 1: Create a new object group for your web server.

asa5505(config)# object network MediaServer

Step 2: Add the IP of the web server to the network group.

asa5505(config-network-object)# host 10.11.12.13

Step 3: Forward the port via the NAT command.

asa5505(config-network-object)# nat (inside,outside) static interface service tcp 32400 32400

Step 4: Exit back to the root and add the access list.

asa5505(config)# access-list outside_access_in permit tcp any object MediaServer eq 32400

That’s it! Now, let’s explain what’s going on here. Cisco has started moving more and more towards the use of object groups in their configs. It makes things easier, especially when you have a situation where you have 20 web servers behind the firewall and you want to add 1 more. Rather than having to rewrite a whole bunch of ACLs, you just add the IP of the new web server into the object group and everything is done for you. So here our Media Server is 10.11.12.13. If you want to send port 80 to more than 1 IP on your internal network, just add more IPs to that object group.

This works for ANY port forward. If you want to RDP into a machine, simply replace port 32400 with 3389. There is one caveat: you can only do one port forward per object group. So let’s say that our Media Server is also an FTP server and you want port 21 to forward as well as port 32400. You’re going to have to create a whole new object group (object network FTPServer), put the same IP in the group (host 10.11.12.13), do the nat command again (nat (inside,outside) static interface service tcp ftp ftp), exit back to the root of config, and add the access list (access-list outside_access_in permit tcp any object FTPServer eq ftp).

This should get you up and running in no time.

17. November 2012 · Cisco ASA 5500 Dual ISP Connection [Failback] · Categories: Cisco

Starting from version 7.2(1) and upwards, the Cisco ASA 5500 series firewall now supports the Dual-ISP capability. You can connect two interfaces of the firewall to two different ISPs and use the new “SLA Monitor” feature (SLA=Service Level Monitoring) to monitor the link to the primary ISP; if that link fails, the traffic is routed to the Backup ISP.

Assume that the Primary ISP (ISP-1) has assigned to us the public IP address 100.100.100.1 with gateway 100.100.100.2. Also, the Backup ISP (ISP-2) has assigned us the public IP 200.200.200.1 with gateway 200.200.200.2. Normally all traffic should flow through ISP-1, but if the physical link (or route) to that ISP fails, then traffic should be redirected to the Backup ISP. We can configure an SLA monitor service which will be checking every 30 seconds (using a ping echo request) the availability of the primary Gateway IP address (100.100.100.2). If there is no response in 20000 milliseconds (20 sec), then the default route will be redirected to the Backup ISP. The configuration is shown below:

asa5500(config)# sla monitor 100
asa5500(config-sla-monitor)# type echo protocol ipIcmpEcho 100.100.100.2 interface outside
asa5500(config-sla-monitor-echo)# timeout 20000
asa5500(config-sla-monitor-echo)# frequency 30
asa5500(config)# sla monitor schedule 100 life forever start-time now
asa5500(config)# track 1 rtr 100 reachability
asa5500(config)# route outside 0.0.0.0 0.0.0.0 100.100.100.2 1 track 1
asa5500(config)# route backup-isp 0.0.0.0 0.0.0.0 200.200.200.2 254

Of course the configuration above assumes that you have already configured two interfaces connected to the ISPs, the first one with name ‘outside’ (security level 0) and the second one with name ‘backup-isp’ (security level 1).

17. November 2012 · How to create local accounts via Group Policy · Categories: Microsoft

This step-by-step document shows how to create a local admin account across all domain-joined PCs for use in situations like LogMeIn remote support and notebooks that are not always connected to the domain.

1. Open Group Policy Management

2. Create a new Group Policy Object called “Local Users Login Account” and link it to the appropriate OU.

3. Open up the newly created GPO called “Local Users Login Account”.

4. Under the User Configuration node, select Preferences, Control Panel Settings, Local Users and Groups. Then right-click and select New, Local User.

5. In Action, Select Update. User name will be “RemoteAdmin”. Under Full name, type in a descriptive name. Select a password in Password and Confirm Password, and Uncheck User must change password at next logon, and check Password never expires. Leave Account never expires checked. Click on OK.
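
The password entered in step 5 is saved with the GPO: Group Policy Preferences writes it to Groups.xml under SYSVOL as a `cpassword` attribute that any domain user can read, and Microsoft's MS14-025 update later removed the password fields for that reason. The following audit script is an added example, not part of the original post, that lists the preference files still carrying such a value so they can be cleaned up; it assumes a domain-joined workstation and the default SYSVOL path.

```powershell
# Added example (not from the original post): list Group Policy Preference
# XML files in SYSVOL that still carry a stored password (cpassword).
# Assumes a domain-joined workstation; read access to SYSVOL is sufficient.
$domain   = $env:USERDNSDOMAIN
$policies = "\\$domain\SYSVOL\$domain\Policies"

Get-ChildItem -Path $policies -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Skip files that are not well-formed XML.
        try { $doc = [xml](Get-Content -LiteralPath $file.FullName) }
        catch { return }

        # Any element with a non-empty cpassword attribute holds a GPP password.
        $hits = $doc.SelectNodes('//*[@cpassword and string-length(@cpassword) > 0]')
        foreach ($node in $hits) {
            New-Object PSObject -Property @{
                File    = $file.FullName                      # GPO GUID is part of the path
                Setting = $node.ParentNode.LocalName          # e.g. User, Drive, Task
                Name    = $node.ParentNode.GetAttribute('name')
                Account = $node.GetAttribute('userName')
                Changed = $node.ParentNode.GetAttribute('changed')
            }
        }
    } |
    Select-Object File, Setting, Name, Account, Changed
```

An empty result means no preference item under that path stores a password; each row otherwise identifies the GPO (by the GUID in the path) and the item to edit or delete.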


05. November 2012 · Stop|Start|Restart Exchange 2010 services · Categories: Microsoft

Restarting the Exchange services:

@Echo Off
Echo 'Stopping Microsoft Exchange Services'
net stop MSExchangeAB
net stop MSExchangeADTopology
net stop MSExchangeAntispamUpdate
net stop MSExchangeEdgeSync
net stop MSExchangeFBA
net stop MSExchangeFDS
net stop MSExchangeIS
net stop MSExchangeMailboxAssistants
net stop MSExchangeMailboxReplication
net stop MSExchangeMailSubmission
net stop MSExchangeProtectedServiceHost
net stop MSExchangeRepl
net stop MSExchangeRPC
net stop MSExchangeSA
net stop MSExchangeSearch
net stop MSExchangeServiceHost
net stop MSExchangeThrottling
net stop MSExchangeTransport
net stop MSExchangeTransportLogSearch
Echo 'Starting Microsoft Exchange Services'
net start MSExchangeAB
net start MSExchangeADTopology
net start MSExchangeAntispamUpdate
net start MSExchangeEdgeSync
net start MSExchangeFBA
net start MSExchangeFDS
net start MSExchangeIS
net start MSExchangeMailboxAssistants
net start MSExchangeMailboxReplication
net start MSExchangeMailSubmission
net start MSExchangeProtectedServiceHost
net start MSExchangeRepl
net start MSExchangeRPC
net start MSExchangeSA
net start MSExchangeSearch
net start MSExchangeServiceHost
net start MSExchangeThrottling
net start MSExchangeTransport
net start MSExchangeTransportLogSearch
Exit /B


03. November 2012 · Group Policy Preference Client Side Extensions – Windows XP (KB943729) · Categories: Microsoft

 

Group Policy Preference Client Side Extensions is an update for XP/2003 machines that allows any “Preferences” set by using 2008 policies to be applied. For example I used preferences to map drives for users and while it worked fine for win7 machines I had to apply that update on my XP/2003 machines for them to get the drive maps.

 

Source: Group Policy Preference CSE for XP (KB943729)