Archive for the ‘isa’ Category

Generate wildcard certificates for ISA 2005 R2 with OpenSSL

Monday, April 9th, 2007

Generate the key pair

  openssl genrsa -out wildcard.domain.com.privkey.pem 1024

Generate the certificate request

  openssl req -new -key wildcard.domain.com.privkey.pem -out wildcard.domain.com.cert.csr

Make sure you enter *.domain.com when asked for the common name.

From \OpenSSL\bin\PEM execute

  ../openssl ca -cert <path>/CA.crt -in <path>/wildcard.domain.com.cert.csr -keyfile <path>/CA.key -days 3650 -out <path>/wildcard.domain.com.cert.cer

Export the certificate

  openssl x509 -in wildcard.domain.com.cert.cer -out wildcard.domain.com.cert.x509.cer

Export the private key

  openssl.exe pkcs12 -export -inkey wildcard.domain.com.privkey.pem -in wildcard.domain.com.cert.cer -out wildcard.domain.com.privkey.pfx

I suggest you use a password for this one :)

Follow this on how to import the certificate and the private key.

This entry is based on this how-to and this IIS how-to.
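The same workflow run end to end against a throwaway CA, as an added example that is not part of the original post. It assumes a POSIX shell with the openssl binary on the PATH; the domain example.test, the CA name "Demo CA" and the export password demo-password are constructed for the demo. The post signs the request with "openssl ca", which needs a configured CA directory (index, serial, openssl.cnf); this example signs with "openssl x509 -req" and the CA key directly, and adds the checks worth running before the .pfx is imported anywhere.

```shell
#!/bin/sh
# Added example, not the original post's commands. Builds a throwaway CA, issues a
# wildcard certificate to it, exports a PKCS#12 bundle and verifies the result.
# Constructed values: example.test, "Demo CA", demo-password.
set -eu

WORK=${WORK:-$(mktemp -d)}
DOMAIN=example.test

# 1. Self-signed CA certificate and key (stands in for CA.crt / CA.key in the post).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Demo CA" -keyout "$WORK/CA.key" -out "$WORK/CA.crt" 2>/dev/null
}

# 2. Key pair, CSR with the wildcard common name, and the CA-signed certificate.
#    A subjectAltName is added as well, because clients today match the SAN, not the CN.
issue_wildcard() {
  openssl genrsa -out "$WORK/wildcard.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/wildcard.key" -subj "/CN=*.$DOMAIN" \
    -out "$WORK/wildcard.csr"
  printf 'subjectAltName=DNS:*.%s\nextendedKeyUsage=serverAuth\n' "$DOMAIN" \
    > "$WORK/wildcard.ext"
  openssl x509 -req -in "$WORK/wildcard.csr" -CA "$WORK/CA.crt" -CAkey "$WORK/CA.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/wildcard.ext" \
    -out "$WORK/wildcard.crt" 2>/dev/null
}

# 3. PKCS#12 bundle carrying key, certificate and CA; the password protects the key.
export_pfx() {
  openssl pkcs12 -export -inkey "$WORK/wildcard.key" -in "$WORK/wildcard.crt" \
    -certfile "$WORK/CA.crt" -passout pass:demo-password -out "$WORK/wildcard.pfx"
}

# Pre-import checks: the chain validates against the CA, the subject really is the
# wildcard, the private key matches the certificate, and the .pfx opens with the password.
verify_wildcard() {
  openssl verify -CAfile "$WORK/CA.crt" "$WORK/wildcard.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/wildcard.crt" -noout -subject \
    | grep -q "CN *= *\*\.$DOMAIN" || return 1
  [ "$(openssl x509 -in "$WORK/wildcard.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/wildcard.key" -pubout 2>/dev/null)" ] || return 1
  openssl pkcs12 -in "$WORK/wildcard.pfx" -passin pass:demo-password -info -noout \
    >/dev/null 2>&1 || return 1
}

make_ca && issue_wildcard && export_pfx && verify_wildcard \
  && echo "wildcard certificate for *.$DOMAIN is ready in $WORK"
```

The key-size (2048) and lifetime (365 days) are the example's own choices, not the post's; the key/certificate match check compares the public key extracted from each, which catches the classic mistake of bundling a certificate with the key from an earlier request.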

Redirect a path to different web server than the complete site using ISA 2005

Monday, April 9th, 2007

I'm forwarding http requests for a domain www.abc.com to server A. I'd like to forward www.abc.com/def to server B.

I configured 2 web publishing rules for the same domain. The first one only includes the path def/, the second one includes *.

ISA behaved very strangely. No error message. Sometimes the path def/ worked, sometimes www.abc.com worked.

Virtual Machine running Gentoo on Virtual Server 2005 R2

Monday, April 9th, 2007

Environment Windows Server 2003 R2, ISA Server 2005, Virtual Server 2005 R2, Network access through Loopback Adapters

Problem Creation/Installation of a virtual machine running Gentoo

Steps

  1. Create the virtual machine and configure its disks.
  2. Under General Properties
    • Select "Run virtual machine under the following user account" and provide the username and password.
    • Make sure it has access to the .vhd and .vnc files (e.g. C:\Documents and Settings\All Users\Documents\Shared Virtual Networks) (details).

      If not, I got the following error message in the EventLog (Virtual Server): The virtual machine "foo" cannot connect virtual network adapter 1 because either the virtual network is invalid or access was denied. This virtual network adapter will be left disconnected.

      The reason was missing privileges of the user on the .vnc files.

  3. Mount the Gentoo ISO image.
  4. Start the VM and follow the Gentoo installation.
  5. Edit make.conf. For my Core2 Duo E6600 I use
       CFLAGS="-O3 -march=nocona -pipe -fomit-frame-pointer"
  6. ln -s /usr/portage/profiles/default-linux/x86/2006.1 make.profile
  7. If you have an existing VM
    • copy /etc/kernels/kernel-config-*
    • genkernel --kernel-config=/etc/kernels/kernel-config-* all
  8. Kernel options to avoid clock skew (details)
       clock=pit
  9. emerge -u logwatch chkrootkit apache netpbm ffmpeg imagemagick ntp gallery virtual/mysql awstats logrotate
  10. Configure the rsync mirror server.

Site-2-Site IPsec with ISA 2006/Windows 2003 and OpenSwan/OpenWrt/Linux

Friday, March 30th, 2007

Task Establish Site-to-Site IPsec between ISA 2006 and OpenWrt 0.9 on a Linksys WRT54GL using OpenSwan (2.4.6-1 or 2.4.4-1)

Solution Use the following settings in ipsec.conf

conn isa2openwrt
    authby=secret
    esp=3des-sha1
    ike=3des-sha1
    leftid=<public-ip isa>
    left=<public-ip isa>
    leftsubnet=<private subnet behind isa>
    leftnexthop=%defaultroute
    rightid=<public-ip openwrt>
    right=<public-ip openwrt>
    rightsubnet=<private subnet behind openwrt>
    rightnexthop=%defaultroute
    pfs=yes
    ikelifetime=1h
    keylife=1h
    rekey=no
    keyingtries=5
    auto=start

Note leftid and rightid MUST correspond to the public IPs, because ISA 2006 expects this.

authby=secret relates to pre-shared key (I didn't wanna mess with certificates).

ISA 2006 configuration is straightforward. Just provide the public IPs and the subnets you want to expose. IMPORTANT In IPSec Configuration/Phase I set "Authenticate and generate new key every" to 3600 (instead of the 28800) - see solution.

If you have multiple subnets (or just want to be able to connect to the public IP of the opposite site), OpenSwan requires you to have a separate conn section for each subnet.
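A small checker for the constraints described above (ids equal to the public IPs, distinct subnets on the two ends, and both lifetimes equal to the 3600 seconds configured on the ISA side), as an added example that is not part of the original post. It only needs a POSIX shell with awk and sed; the conn name isa2openwrt is taken from the post, while the addresses, subnets and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: lint one conn section of ipsec.conf
# against the ISA 2006 peer constraints. check_conn returns 0 when the section is
# clean and 1 when at least one problem was found (each problem is printed).
# All addresses, subnets and file names below are constructed for the demo.

# get_opt FILE CONN KEY: print the value of KEY inside "conn CONN" (empty if absent).
get_opt() {
  awk -v conn="$2" -v key="$3" '
    /^[ \t]*#/   { next }                            # comment line
    /^conn[ \t]/ { in_conn = ($2 == conn); next }    # section header
    /^[^ \t]/    { in_conn = 0 }                     # any other unindented line ends it
    in_conn {
      sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, "=")
      n = index($0, "=")
      if (n && substr($0, 1, n - 1) == key) { print substr($0, n + 1); exit }
    }' "$1"
}

# to_seconds VALUE: convert a lifetime such as 1h, 30m, 3600s or 3600 to seconds (0 if unset).
to_seconds() {
  [ -n "${1:-}" ] || { echo 0; return; }
  case $1 in
    *h) echo $(( ${1%h} * 3600 )) ;;
    *m) echo $(( ${1%m} * 60 )) ;;
    *s) echo $(( ${1%s} )) ;;
    *)  echo $(( $1 )) ;;
  esac
}

# check_conn FILE CONN
check_conn() {
  cfg=$1; conn=$2; rc=0
  left=$(get_opt "$cfg" "$conn" left);         leftid=$(get_opt "$cfg" "$conn" leftid)
  right=$(get_opt "$cfg" "$conn" right);       rightid=$(get_opt "$cfg" "$conn" rightid)
  lsub=$(get_opt "$cfg" "$conn" leftsubnet);   rsub=$(get_opt "$cfg" "$conn" rightsubnet)
  ikelt=$(get_opt "$cfg" "$conn" ikelifetime); keylt=$(get_opt "$cfg" "$conn" keylife)

  # ISA 2006 identifies each end by its public IP, so the ids must equal the addresses.
  [ "$leftid" = "$left" ]   || { echo "leftid '$leftid' does not equal left '$left'"; rc=1; }
  [ "$rightid" = "$right" ] || { echo "rightid '$rightid' does not equal right '$right'"; rc=1; }
  # The two private subnets must differ, or nothing can be routed through the tunnel.
  [ -n "$lsub" ] && [ "$lsub" != "$rsub" ] || { echo "leftsubnet and rightsubnet must differ (both '$lsub')"; rc=1; }
  # ISA's Phase I lifetime is set to 3600 s; both OpenSwan lifetimes have to match it.
  [ "$(to_seconds "$ikelt")" -eq 3600 ] || { echo "ikelifetime '$ikelt' is not 3600 s"; rc=1; }
  [ "$(to_seconds "$keylt")" -eq 3600 ] || { echo "keylife '$keylt' is not 3600 s"; rc=1; }
  return $rc
}

# Constructed sample: the layout from the post with documentation addresses filled in.
write_good() {
  cat > "$1" <<'EOF'
config setup
    plutodebug="none"

conn isa2openwrt
    authby=secret
    esp=3des-sha1
    ike=3des-sha1
    leftid=198.51.100.10
    left=198.51.100.10
    leftsubnet=10.1.1.0/24
    leftnexthop=%defaultroute
    rightid=203.0.113.20
    right=203.0.113.20
    rightsubnet=10.2.2.0/24
    rightnexthop=%defaultroute
    pfs=yes
    ikelifetime=1h
    keylife=3600s
    rekey=no
    keyingtries=5
    auto=start
EOF
}

# write_bad OUT GOOD: constructed sample with three mistakes: a hostname as rightid,
# the left subnet copied into rightsubnet, and ISA's default 28800 s lifetime (8h).
write_bad() {
  sed -e 's/^    rightid=.*/    rightid=@openwrt.example.test/' \
      -e 's/^    rightsubnet=.*/    rightsubnet=10.1.1.0\/24/' \
      -e 's/^    ikelifetime=.*/    ikelifetime=8h/' "$2" > "$1"
}

d=$(mktemp -d)
write_good "$d/good.conf"; write_bad "$d/bad.conf" "$d/good.conf"
for f in good bad; do
  if check_conn "$d/$f.conf" isa2openwrt; then echo "$f.conf: ok"; else echo "$f.conf: problems found"; fi
done
```

Run it against a real ipsec.conf with `check_conn /etc/ipsec.conf isa2openwrt`; since each subnet needs its own conn section, run it once per section name.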

Solved Issues Right now the tunnel stops working after some idle time (e.g. no traffic). Interestingly the tunnel can be re-established by restarting the OpenWrt end (/etc/init.d/S60ipsec restart).

An upgrade of OpenSwan 2.4.4-1 to 2.4.6-1 didn't help. Up to now I'm too busy/lazy to enable the Oakley log on the ISA 2006 server.

Paul Wouters suggested to use Dead Peer Detection, but that didn't help.

Solution I found this posting that I'm currently testing.

Firewall Don't forget to enable IKE/ISAKMP and ESP traffic on the OpenWrt with iptables


iptables -A input_rule -p esp -s <public ip of ISA server> -j ACCEPT
iptables -A input_rule -p udp -s <public ip of ISA server> --dport 500 -j ACCEPT

and you probably want to make sure that traffic to the private subnet on the opposite tunnel site isn't getting NAT'ed by


iptables -t nat -A postrouting_rule -d 10.1.1.0/24 -j ACCEPT

Debugging On ISA 2006 the Log Viewer is pretty helpful and don't forget to check the alerts.

On OpenWrt enable syslog with


nvram set log_ipaddr=
nvram commit

and Windows Syslog Daemon works well. ipsec.conf needs

config setup
   plutodebug="all"
   ...

or something similar.

Some barely related commands

  • ipkg list_installed
  • ipkg install openswan
  • ipconfig /flushdns

Links

ISA 2006 vs. MediaWiki and Umlauts

Monday, March 26th, 2007

Story

Just in case: ISA 2006 filters umlauts in URLs by default. As I use umlauts in my page titles in MediaWiki, I just got an HTTP 500 Internal Server Error message. The important hint that led to my solution was the mention of HTTPFilter in the error message.

Environment ISA 2006, Web Site Publishing, MediaWiki

Symptom Wiki pages with umlauts don't work.

Reason ISA 2006 filters umlauts in URLs.

Solution In the properties of the Web Publishing Rule, go to Traffic, Filtering, and uncheck "Verify normalization" and "Block high bit characters". Both options belong to ISA's HTTP filter, so unchecking them relaxes URL screening for that rule only.

ISA 2006, Virtual Server 2005, “Publish Web Site” NOT working?

Sunday, March 25th, 2007

Environment ISA 2006 (or 2004), Virtual Server 2005, same machine

Symptom "Publish Web Site" Wizard succeeds, but the Web site is not accessible.

If you want to publish a web site using the Web Listener on port 80, it simply does not work. I couldn't find an error message - at least there wasn't any in the Event Log. I'm not sure about the Dashboard. But since I used ISA 2006 for the first time...

Reason Virtual Server 2005 requires IIS to be installed, and IIS installs a Default Web Site that listens on port 80 *surprise*.

Solution Stop the Default Web Site in IIS and you're good to go.