I was playing around with the check_route plugin and noticed a few issues with it not running. In order to get it to work on my Opsview boxes I had to install a new package, change some settings on the traceroute program and then make a patch in the script itself.
First thing you need to do is download the traceroute package if it's not already installed:
sudo apt-get install traceroute
Once installed you will find that the plugin will fail and show the following error:
The specified type of tracerouting is allowed for superuser only
Can't use an undefined value as an ARRAY reference at ./check_route line 129.
Googling the first line I found that you have to setuid root for the traceroute binary
chmod u+s /usr/sbin/traceroute
Trying the plugin again you get the following error
Use of uninitialized value $time_units in string eq at ./check_route line 114.
ROUTE UNKNOWN - Cannot cope with line 'traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets'
To get around this you need the plugin to ignore the first line of the output from the traceroute which can be done with the following patch
http://snipt.net/mattywhi/opsview-check_route-diff/
Now the script runs as expected and you get the following output
ROUTE OK - Time taken is 145.895 ms | total_time=145.895ms;5000;100000 hops=14;; route_change=0;;
monitoring · opsview · route · traceroute · tracert
Configuring Juniper SSG Firewalls to failover between Internet connections
No comments · Posted by wibble in IT, Uncategorized
I have been working with the Netscreen, and then Juniper firewall products for the past five years and am still learning new and interesting features they offer. One thing that I have been configuring more and more recently are secondary Internet connections and fail-over between them for clients. This post runs through the steps required to configure an SSG firewall to use track-IP to monitor IP addresses on the Internet and then automatically fail-over and fail-back an Internet connection.
The first thing we need to do is move the interfaces that will contain the Internet connections so that each is in its own virtual router. This will allow us to have an active default route for each connection, and they can behave independently of each other.
set interface ethernet0/0 zone null
set interface ethernet0/1 zone null
set zone untrust vrouter untrust-vr
set vrouter name adsl-vr
set zone name BackupUntrust
set zone BackupUntrust vrouter adsl-vr
For this example I am using the 192.0.2.0/24 address range for my WAN connections – this was defined by the IETF as a subnet to be used for testing and documentation in RFC 5735. As these interfaces are both public facing I am also going to restrict the management to secure protocols only
set interface ethernet0/0 ip 192.0.2.2/29
set interface ethernet0/0 route
set interface ethernet0/0 manage-ip 192.0.2.3
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage ssh
set interface ethernet0/0 manage ssl
set interface ethernet0/1 ip 192.0.2.10/29
set interface ethernet0/1 route
set interface ethernet0/1 manage-ip 192.0.2.11
set interface ethernet0/1 manage ping
set interface ethernet0/1 manage ssh
set interface ethernet0/1 manage ssl
Now we need to setup the default routes out of each virtual router so that each connection can communicate with the rest of the Internet
set vrouter untrust-vr
set route 0.0.0.0/0 interface ethernet0/0 gateway 192.0.2.1
exit
set vrouter adsl-vr
set route 0.0.0.0/0 interface ethernet0/1 gateway 192.0.2.9
exit
We need to ensure that our internal users are able to route to both the untrust-vr and adsl-vr. This can be done by exporting the default static route from the untrust-vr and adsl-vr
set vrouter "untrust-vr"
set access-list 1
set access-list 1 permit ip 0.0.0.0/0 1
set route-map name "untrust-vr_export" permit 1
set match ip 1
set preserve preference
exit
set export-to vrouter "trust-vr" route-map "untrust-vr_export" protocol static
set vrouter "adsl-vr"
set access-list 1
set access-list 1 permit ip 0.0.0.0/0 1
set route-map name "adsl-vr_export" permit 1
set match ip 1
exit
set export-to vrouter "trust-vr" route-map "adsl-vr_export" protocol static
This will import both default routes into the trust-vr, maintaining the preference of the export from the untrust-vr at 20 whilst setting the metric of the adsl-vr export to 140.
Now that our users can connect to the Internet we need to make sure that, should there be an issue with the primary Internet circuit, the backup circuit can be used for Internet access. This is achieved by using track-ip to monitor a number of hosts on the Internet and, should they become unreachable, shut the interface down.
In this example we are using the IP address of some of the root DNS servers as the addresses the firewall will use to check for a valid Internet connection but they could be any IP addresses that you expect to remain online and will respond to PING requests
set interface ethernet0/0 monitor track-ip ip
set interface ethernet0/0 monitor track-ip threshold 75
set interface ethernet0/0 monitor track-ip weight 75
set interface ethernet0/0 monitor track-ip ip 192.58.128.30 threshold 25
set interface ethernet0/0 monitor track-ip ip 192.58.128.30 weight 25
set interface ethernet0/0 monitor track-ip ip 192.36.148.17 threshold 25
set interface ethernet0/0 monitor track-ip ip 192.36.148.17 weight 25
set interface ethernet0/0 monitor track-ip ip 193.0.14.129 threshold 25
set interface ethernet0/0 monitor track-ip ip 193.0.14.129 weight 25
This will PING the three addresses every second and will consider the address to have failed when the test has failed 25 times consecutively. Summing these three failures together will hit the weight and threshold limits of 75 needed to shut down the interface.
If you want to test the status of the track-ip monitoring you can issue the following commands
get interface ethernet0/0 monitor
get interface ethernet0/0 monitor track-ip
and you will be able to see the failure statistics as well as whether the interface is failed or not.
When the interface is shut down the default route is no longer valid in the untrust-vr and will be deleted from the trust-vr, leaving the export from the adsl-vr active, and Internet traffic will continue to function as normal. In the background, the management address on the primary connection will continue to poll the IP addresses configured and when they become available again the weight and threshold will drop below the failure values, the interface comes back up and the untrust-vr route export re-appears in the trust-vr.
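The weight and threshold arithmetic of the two paragraphs above, as an added Python model (not code from the post and not Juniper's implementation). It uses the values from the post's ethernet0/0 configuration: each tracked address counts as failed after 25 consecutive lost pings, each failed address contributes its weight of 25, and the interface is taken down once the failed weight reaches the interface threshold of 75. The recovery rule is an assumption, since the post only says the route re-appears "when they become available": here a single successful reply resets an address's failure count.

```python
"""Simplified model of the track-ip failover logic described in the post.

Added example, not the post's own code and not ScreenOS code. The per-second
ping, the consecutive-failure threshold per address and the weight sum against
the interface threshold follow the post's description; the recovery rule (one
successful reply clears an address's failure count) is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class TrackedIp:
    address: str
    threshold: int            # consecutive lost pings before this address counts as failed
    weight: int               # contribution to the interface's failed-weight sum
    consecutive_fails: int = 0

    @property
    def failed(self) -> bool:
        return self.consecutive_fails >= self.threshold

    def record_ping(self, reachable: bool) -> None:
        # Assumption: a single successful reply resets the failure counter.
        self.consecutive_fails = 0 if reachable else self.consecutive_fails + 1


@dataclass
class InterfaceMonitor:
    name: str
    threshold: int            # interface-level threshold (75 in the post)
    targets: List[TrackedIp] = field(default_factory=list)

    def failed_weight(self) -> int:
        return sum(t.weight for t in self.targets if t.failed)

    @property
    def interface_down(self) -> bool:
        return self.failed_weight() >= self.threshold

    def tick(self, reachability: Dict[str, bool]) -> bool:
        """Feed one second of ping results; return True if the interface is now down."""
        for t in self.targets:
            t.record_ping(reachability.get(t.address, True))
        return self.interface_down


def config_from_post() -> InterfaceMonitor:
    """The ethernet0/0 track-ip settings shown in the post."""
    return InterfaceMonitor(
        name="ethernet0/0",
        threshold=75,
        targets=[
            TrackedIp("192.58.128.30", threshold=25, weight=25),
            TrackedIp("192.36.148.17", threshold=25, weight=25),
            TrackedIp("193.0.14.129", threshold=25, weight=25),
        ],
    )


def simulate(monitor: InterfaceMonitor, seconds_of_outage: int,
             unreachable: Tuple[str, ...]) -> List[int]:
    """Return [down_at, up_at]: the 1-based second at which the interface went
    down and the second it came back (0 if the event never happened).

    Every address in `unreachable` drops all pings for `seconds_of_outage`
    seconds; afterwards everything answers for a further five seconds.
    """
    down_at = up_at = 0
    addresses = [t.address for t in monitor.targets]
    for sec in range(1, seconds_of_outage + 6):
        outage = sec <= seconds_of_outage
        results = {ip: not (outage and ip in unreachable) for ip in addresses}
        was_down = monitor.interface_down
        now_down = monitor.tick(results)
        if now_down and not was_down:
            down_at = sec
        if was_down and not now_down:
            up_at = sec
    return [down_at, up_at]


if __name__ == "__main__":
    all_three = ("192.58.128.30", "192.36.148.17", "193.0.14.129")
    print("all three unreachable for 30 s:", simulate(config_from_post(), 30, all_three))
    print("only two unreachable for 30 s: ", simulate(config_from_post(), 30, all_three[:2]))
```

The second run is the point worth checking before deploying this kind of configuration: with the post's numbers, losing two of the three addresses only accumulates a failed weight of 50, so the interface stays up and the primary circuit keeps the default route even though a third of the probes are dead. Whether that is the intended behaviour decides the per-address weights you choose.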
The only other thing to consider here is inbound services on the backup line such as MX records to permit mail delivery to a MIP or VIP on the secondary circuit
If this is all configured correctly the only thing the user should notice is that any websites/services that log in and use session data (e.g. online banking) will need to be logged into again after fail-over or fail-back, as the existing session will no longer be valid.
I had an unexpected, but much welcomed, tweet today from the team at Opsview who would like to make use of some of my writing about Opsview on their own Labs blog. I can honestly say that I wasn’t expecting the blog to be read and picked up in this way but I am pleased that I can hopefully reach a few more people with the data appearing on the Opsview Labs blog as well.
Monitoring HP ESXi Hosts using Insight Remote Support
No comments · Posted by wibble in IT, monitoring
This is just a direct link to the HP Blog article itself but worth a read if you are looking at monitoring any HP server running ESX or ESXi. The main thing I have always found is that you need to have the HP extensions for ESXi installed, as this greatly improves what you can see from remote tools such as Insight Remote Support, Nagios/Opsview or from the vSphere client itself.
The link to the article can be found here – http://h30507.www3.hp.com/t5/Technical-Support-Services-Blog/6-Simple-Steps-to-Monitoring-ESXi-with-Insight-Remote-Support/ba-p/100789
As part of my drive to back up all my switch/firewall configs I have been trying to get RANCID to back up the remaining devices on my network. The latest devices we added to the network were a pair of Juniper EX switches that are part of an iSCSI network and until now I have not had a backup of the configs. Looking at the documentation there is a set of commands to back up other JunOS devices so I thought I would give it a go.
RANCID is running on an Ubuntu 10.04 server, is running version 2.3.3 and has the jlogin scripts in place. After adding the device information to the .cloginrc file I tested jlogin to check that it could connect as root to the device – it did. When I performed rancid_run however the device did not back up as expected and RANCID hung until it timed out. Upon closer inspection the issue came down to the fact that the root account will ssh to the BSD shell on the switch and not directly to the JunOS command line. To get around this I needed to set up a new user on the switches with the correct permissions and then get this to perform the backup of the switches. The command to add the user is as follows:
set system login user adminusername class super-user authentication plain-text-password
You will be prompted to choose a password and then confirm it before writing it to configuration
commit and-quit
Now you can specify the details in RANCID:
add user ip_address {username}
add password ip_address {password}
add method ip_address {ssh}
The last thing that I did was to take a copy of jlogin and jrancid from an installation of RANCID 2.3.6 and everything seems to be working as expected.
I have had RANCID set up to back up switch and firewall config for a while now but I had always had issues with backups of my Cisco access points, which I had thought was an issue with the version of RANCID or the slight differences in IOS run on the WAPs versus the switches. Turns out after revisiting it yesterday it was more a PEBKAC or ID-10-T error on my part!
What I had in my .cloginrc file was:
add user ip_address {username}
add password ip_address {password}
add method ip_address {ssh}
add noenable ip_address 1
When I ran bin/clogin ip_address the device would log in and get me to the enable prompt as expected, but when run as part of rancid_run nothing was coming back for the config. After a bit of reading and searching the solution was simple enough and it wasn't a problem with RANCID or the Aironets...
add autoenable ip_address 1
should have been used instead of the noenable line.
I also managed to get RANCID to backup the config on my Juniper EX switches but that is a story for another post
I have been playing around with the check_equallogic Nagios plugin written by Claudio Kuenzler (http://www.claudiokuenzler.com) to monitor some performance and utilisation values for a client and I came across a bug with the code in the latest release which I thought I would share.
The latest release allows you to monitor the size of a single volume as well as a single check to monitor all volumes. I set up the check in Opsview as normal and then proceeded to configure the Host Attributes for the SAN host for each volume on the SAN (there were 75 volumes to monitor). Having added all the checks and reloaded Opsview I started to see a large number of OK checks for the volumes but also a number of UNKNOWN outputs from the plugin. Closer inspection showed that when you have two volumes that have similar names (e.g. BES01-D and DR-BES01-D) the more generic name, BES01-D in this example, will match for both volumes and the script will return an unknown value. The DR-BES01-D volume returned the correct stats as the volume name only matched one entry.
Looking through the code in the plugin the line that is causing the issue is:
volarray=$(snmpwalk -v 2c -c ${community} ${host} 1.3.6.1.4.1.12740.5.1.7.1.1.4 | grep -n ${volume} | cut -d : -f1)
When it greps the list of volumes from the SNMP walk it returns two values and the script cannot cope so exits. After some playing around (and remembering the basics of writing bash scripts) I managed to work around the problem and changed the line to the following:
volarray=$(eval snmpwalk -v 2c -c ${community} ${host} 1.3.6.1.4.1.12740.5.1.7.1.1.4 | grep -n "\"${volume}\"" | cut -d : -f1)
The change adds the quotation marks that are surrounding the string value that is returned from the SNMPwalk so GREP should only return the exact matches. Having updated the script and re-run the checks the UNKNOWN status was gone and the checks all returned the correct data.
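The same lookup in Python, as an added example that is not part of the plugin or the post: it parses constructed snmpwalk rows of the kind the plugin walks (the OID instance numbers and volume names below are made up) and shows the substring match that produced two hits against the exact match on the whole quoted value, then adds the check the plugin lacked, refusing to continue unless exactly one volume matched.

```python
"""Exact-match lookup of an EqualLogic volume name in snmpwalk output.

Added example, not the check_equallogic code. SAMPLE_WALK is constructed to
look like rows from the volume-name table the plugin walks
(1.3.6.1.4.1.12740.5.1.7.1.1.4, string values); instance numbers and names
are invented.
"""
import re

SAMPLE_WALK = """\
SNMPv2-SMI::enterprises.12740.5.1.7.1.1.4.1.101 = STRING: "BES01-D"
SNMPv2-SMI::enterprises.12740.5.1.7.1.1.4.1.102 = STRING: "DR-BES01-D"
SNMPv2-SMI::enterprises.12740.5.1.7.1.1.4.1.103 = STRING: "EXCH01-L"
"""

# One snmpwalk row: <oid> = STRING: "<value>"
ROW_RE = re.compile(r'^(?P<oid>\S+) = STRING: "(?P<name>.*)"$')


def parse_walk(text):
    """Return (line_number, oid, volume_name) tuples; line numbers are 1-based like grep -n."""
    rows = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = ROW_RE.match(line)
        if m:
            rows.append((n, m.group("oid"), m.group("name")))
    return rows


def substring_match(text, volume):
    """What the original `grep -n ${volume}` did: every row whose value contains the name."""
    return [n for n, _oid, name in parse_walk(text) if volume in name]


def exact_match(text, volume):
    """What the quoted `grep -n "\\"${volume}\\""` achieves: the whole value must match."""
    return [n for n, _oid, name in parse_walk(text) if name == volume]


def volume_index(text, volume):
    """OID instance suffix of the one volume with this exact name, or None.

    Returning None for zero or several matches is the guard the plugin was
    missing: an ambiguous lookup should stop the check rather than feed a
    two-line result into later snmpget calls.
    """
    hits = [oid for _n, oid, name in parse_walk(text) if name == volume]
    if len(hits) != 1:
        return None
    return hits[0].rsplit(".", 1)[1]


if __name__ == "__main__":
    print("substring BES01-D ->", substring_match(SAMPLE_WALK, "BES01-D"))   # two rows
    print("exact     BES01-D ->", exact_match(SAMPLE_WALK, "BES01-D"))       # one row
    print("index of DR-BES01-D ->", volume_index(SAMPLE_WALK, "DR-BES01-D"))
```

One caveat on the shell fix itself: grep still treats the volume name as a regular expression, so a name containing characters such as `.` or `[` can match more than intended; `grep -F` (fixed strings) removes that class of surprise without changing the quoting approach.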
Following on from my article on the SQL files bug in RSA Authentication Manager 7.1 we were looking to carry out the upgrade to the client’s server in a maintenance window last weekend however the engineer carrying out the work was unable to login to the Operations Manager console to carry out certain parts of the upgrade task.
It turns out that since RSA was installed the Security Console Super Admin account had its password changed and in the updated documentation we lost the details of the password for the Operations Console as the two passwords are not linked. In order for us to get back into the Operations Console we had to run through the following:
- Create a new Super Admin from the Security Console in the Internal Database
- Run the RSA command line utility (C:\Program Files\RSA Security\RSA Authentication Manager\utils\RSAutil) to create a new Operations Console user account
Unfortunately it wasn't that easy to complete!
Initially when we ran RSAutil as one of the admin accounts we received an error stating that only one account could run it, the account that originally installed RSA! Luckily the account was still listed and we just needed to enable this and perform a swift “runas” to bring up a command prompt as that user.
Next we spent a good bit of time running through various commands to work out how we create a new Operations Console admin account. The final command that we needed to run was as follows:
rsautil manage-oc-administrators -a create -u UserCreatedEarlier -p PasswordForUserCreatedEarlier -g OperationsConsole-Administrators NewOperationsConsoleUsername NewOperationsConsolePassword
We were now able to login to the Operations Console using the account we created. Now to find another maintenance window to patch the RSA server
Exam Success: 70-647 – Pro: Windows Server 2008, Enterprise Administrator
No comments · Posted by wibble in IT
I’ve passed
Following a long break from completing my MCSA: Messaging in Server 2003 I have finally got round to updating this for the modern era and upgraded this first to MCTS in Windows Server 2008 and finally this afternoon completed my 70-647 exam to attain the qualification of Microsoft Certified IT Professional: Enterprise Administrator.
For those of you with an MCSA in Windows Server 2003 the upgrade is done with the following exams:
- 70-648 – TS: Upgrading from Windows Server 2003 MCSA to, Windows Server 2008, Technology Specializations. This is equivalent to completing the following two exams 70-640 and 70-642
- 70-680 – TS: Windows 7, Configuring. This is the client exam required as part of the qualification
- 70-643 – TS: Windows Server 2008 Applications Infrastructure, Configuring
- 70-647 – Pro: Windows Server 2008, Enterprise Administrator
Once Microsoft confirm it on the MCP site I will update the qualifications links on the left with the new logo.
exams · MCITP · Microsoft · qualification
Opsview: “ODW_STATUS WARNING – No update since” Workaround
No comments · Posted by wibble in monitoring
For a while I have been seeing a daily ODW_STATUS_WARNING about no updates since 03:59:59 on my master opsview server. I was 90% sure this was due to the load that I put on the server (load average sits around 6 and goes up to 13 at certain times of the day) but still got bored of running cleanup_import and then import_runtime -i 1.
I started off by manually clearing out all but 1 week of data from the runtime database (this is run as part of opsview_master_housekeep for various tables) and this didn't resolve the issue. In the end I modified my cron table so that the rc.opsview cron_daily task runs 30 minutes later (at 41 minutes past the hour instead of 11 minutes past). Since changing that I seem to have had no further re-occurrences of the No update prompt.
I am aware that each time I update Opsview I am going to have to make this change until I manage to move the databases to their own host and rebuild the master server onto new hardware, but it's a workaround for now!
For reference the crontab now looks like:
# OPSVIEW-START
# Do not remove comment above. Everything between OPSVIEW-START and OPSVIEW-END
# will be automatically installed as part of an Opsview install/upgrade
0,5,10,15,20,25,30,35,40,45,50,55 * * * * /usr/local/nagios/bin/mrtg_genstats.sh > /dev/null 2>&1
41 3 * * * /usr/local/nagios/bin/rc.opsview cron_daily > /dev/null 2>&1
22 2,6,10,14,18,22 * * * . /usr/local/nagios/bin/profile && /usr/local/nagios/bin/opsview_cronjobs 4hourly > /dev/null 2>&1
0,5,10,15,20,25,30,35,40,45,50,55 * * * * /usr/local/nagios/bin/call_nmis nmis.pl type=collect mthread=true > /dev/null 2>&1
34 0,4,8,12,16,20 * * * /usr/local/nagios/bin/call_nmis nmis.pl type=update mthread=true > /dev/null 2>&1
4 * * * * . /usr/local/nagios/bin/profile && /usr/local/nagios/bin/import_runtime -q
# NMIS reports
0 0 * * * /usr/local/nagios/bin/call_nmis run-reports.sh day health
0 0 * * * /usr/local/nagios/bin/call_nmis run-reports.sh day top10
0 0 * * * /usr/local/nagios/bin/call_nmis run-reports.sh day outage
0 0 * * * /usr/local/nagios/bin/call_nmis run-reports.sh day response
0 0 * * * /usr/local/nagios/bin/call_nmis run-reports.sh day avail
0 0 * * * /usr/local/nagios/bin/call_nmis run-reports.sh day port
0 0 * * 0 /usr/local/nagios/bin/call_nmis run-reports.sh week health
0 0 * * 0 /usr/local/nagios/bin/call_nmis run-reports.sh week top10
0 0 * * 0 /usr/local/nagios/bin/call_nmis run-reports.sh week outage
0 0 * * 0 /usr/local/nagios/bin/call_nmis run-reports.sh week response
0 0 * * 0 /usr/local/nagios/bin/call_nmis run-reports.sh week avail
0 0 * * 0 /usr/local/nagios/bin/call_nmis run-reports.sh week port
0 0 1 * * /usr/local/nagios/bin/call_nmis run-reports.sh month health
0 0 1 * * /usr/local/nagios/bin/call_nmis run-reports.sh month top10
0 0 1 * * /usr/local/nagios/bin/call_nmis run-reports.sh month outage
0 0 1 * * /usr/local/nagios/bin/call_nmis run-reports.sh month response
0 0 1 * * /usr/local/nagios/bin/call_nmis run-reports.sh month avail
0 0 1 * * /usr/local/nagios/bin/call_nmis run-reports.sh month port
# OPSVIEW-END
Following on from my post last night about the Windows Updates check on MonitoringExchange, a colleague reminded me that we actually modified the script from there as we weren't looking for the names of updates to be listed but simply to get the total number of updates that are outstanding. The modified version of the script is listed below for reference and the source for this is at the following URL: https://www.monitoringexchange.org/inventory/Check-Plugins/Operating-Systems/Windows-NRPE/Check-Windows-Updates
<job>
<script language="VBScript">
' Parse command line switches for pending updates
If Wscript.Arguments.Named.Exists("h") Then
    Wscript.Echo "Usage: check_win_updates.wsf /w:1 /c:2"
    Wscript.Echo "/w: - number of updates before warning status "
    Wscript.Echo "/c: - number of updates before critical status "
    Wscript.Quit(3) ' usage requested: stop here instead of running the check
End If
If Wscript.Arguments.Named.Exists("w") Then
    intWarning = Cint(Wscript.Arguments.Named("w"))
Else
    intWarning = 0
End If
If Wscript.Arguments.Named.Exists("c") Then
    intCritical = Cint(Wscript.Arguments.Named("c"))
Else
    intCritical = 0
End If
Set objShell = CreateObject("WScript.Shell")
Dim sysroot
sysroot = objShell.ExpandEnvironmentStrings("%systemroot%")
' Check if the server is pending a reboot and quit with warning
Set objSysInfo = CreateObject("Microsoft.Update.SystemInfo")
If objSysInfo.RebootRequired Then
    Wscript.Echo "Warning: Reboot required | updates=-1"
    Wscript.Quit(1)
End If
' Dump the Software Distribution event log to a variable for parsing
Set objExec = objShell.Exec("cmd.exe /c type " & sysroot & "\SoftwareDistribution\ReportingEvents.log")
results = LCase(objExec.StdOut.ReadAll)
res_split = Split(results, vbCrLf)
Dim regEx
Set regEx = New RegExp
' $1 = first character of the line, $2 = event id, $3 = tab-separated message text
regEx.Pattern = "(.)\S*\s*\S*\s*\S*\s*\d\s*(\d*)\s*\S*\s*\S*[0-9\s]*\S*\s*\S*\s*.*\t(.*)"
regEx.IgnoreCase = True
count = 1
ReDim arrDyn(1)
' Collect the message text of every event with id 147 (detection result)
For Each zeile In res_split
    firstsign = regEx.Replace(zeile, "$1")
    If (firstsign = "{") Then
        number = regEx.Replace(zeile, "$2")
        finish = regEx.Replace(zeile, "$3")
        If (number = 147) Then
            count = count + 1
            ReDim Preserve arrDyn(count + 1)
            arrDyn(count + 1) = finish
        End If
    End If
Next
' The most recent detection event is the last array entry; the update count is
' the second-to-last word of its message text
mount_updates = -1
For x = 0 To UBound(arrDyn)
    If x = UBound(arrDyn) Then
        end_array = Split(arrDyn(x), " ")
        mount_updates = end_array(UBound(end_array) - 1)
    End If
Next
' Quit the script with the appropriate status and performance data
mount_updates = Cint(mount_updates)
If mount_updates = 0 Then
    Wscript.Echo "OK: There are no pending updates | updates=0"
    Wscript.Quit(0)
ElseIf mount_updates >= intCritical Then
    Wscript.Echo "Critical: There are " & mount_updates & " updates pending | updates=" & mount_updates
    Wscript.Quit(2)
ElseIf mount_updates >= intWarning Then
    Wscript.Echo "Warning: There are " & mount_updates & " updates pending | updates=" & mount_updates
    Wscript.Quit(1)
ElseIf mount_updates < intWarning Then
    Wscript.Echo "OK: There are " & mount_updates & " updates pending | updates=" & mount_updates
    Wscript.Quit(0)
Else
    Wscript.Echo "Unknown: There has been an error"
    Wscript.Quit(3)
End If
Wscript.Echo "Unknown: There has been an error"
Wscript.Quit(3)
</script>
</job>
Microsoft · monitoring · nagios · NSClient · opsview · Windows Update
NSClient 0.3.9 was released earlier this month and from the looks of the change log should be a good replacement for 0.3.8. (http://www.nsclient.org/nscp/blog/Blog-2011-07-05). As with previous releases there are both 32-bit and 64-bit variants and the option for an MSI package or for a ZIP download.
Some things I have noticed in the new release (these may have been in 0.3.8 but I never noticed them) are two new external scripts to check Printer status and check Windows Updates. I have been using my own Windows Update script (https://www.monitoringexchange.org/inventory/Check-Plugins/Operating-Systems/Windows-NRPE/Check-Windows-Updates) as I found the ones that query WMI take longer than the default 10 seconds for the script to run without timing out. Giving the bundled script a go it did a good job of outputting some useful information about the Windows Updates however it still took too long to run so I doubt that I will be using this in its current form. The output when running it on my workstation is as follows:
OK: Number of critical updates not installed: 1 <br />Number of software updates not installed: 6 <br /> Critical updates name: Service Pack 1 for Microsoft Office 2010 (KB2510690) 32-bit Edition+
The Printer check also ran through my list of installed printers and came out with an "Unknown" status, and the details listed didn't match what Windows was saying, so again I probably won't be using this in its current format and will more likely monitor the printers individually with SNMP based checks directly to the printers.
There are some good additions to the list of modules. CheckTaskSched looks to be a good addition to make sure that those scheduled tasks you have left to run on your server are running as expected and not left stuck in a running state (or didn’t exit with error code 0). CheckFile and CheckFile2 have been amalgamated into the CheckFiles module which will allow you to check a single file but also multiple files for certain criteria. The link above gives examples on checking file versions, line counts, file sizes etc.
For a full list of changes the change log can be found here: http://www.nsclient.org/nscp/blog/Blog-2011-07-05
monitoring · nagios · NSClient · opsview
As part of a planned reboot of our client's infrastructure last month we had an issue with the RSA server taking a *LONG* time to come back up (we're talking hours, not minutes). After logging a call with RSA they pointed out that Authentication Manager 7.1 has an issue with cleaning up the .sql files it creates as part of its standard operation and this has been resolved in SP4.
The .sql files that are generated are all saved in C:\Windows\Temp and are in the format DbMgmtSqlScript*.sql, with one or two generated per minute on the server. The content of the files is as follows:
select to_char(count(*)) from dba_tablespaces; QUIT;
Whilst waiting for approval to install SP4 on the server I was looking for a fix as the RSA server has generated over 64,000 files this month and I stumbled across the following article (http://microsoftplatform.blogspot.com/2011/04/rsa-authentication-manager-71-bug.html) which describes a nice batch file that can be used to clear out the .sql files on a daily basis:
del c:/windows/temp/dbmgmt*.sql
That should carry out a workaround for the short term. Long term I would recommend that you install SP4 and Patch 4 which can be downloaded from the RSA website.
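An age-based variant of that cleanup, as an added Python example (not the batch file from the linked article and not RSA's code). It uses the location and file name pattern given above and differs from the one-line `del` in one respect: files modified within the last few minutes are left alone, on the assumption that the newest ones may still be open by the server process. The `demo()` function exercises the logic in a throw-away directory with constructed files.

```python
"""Age-based cleanup of the DbMgmtSqlScript*.sql files described in the post.

Added example, not the linked article's batch file. Location and pattern come
from the post; the keep-the-newest rule is an assumption about which files the
server may still have open.
"""
import os
import tempfile
import time
from pathlib import Path

PATTERN = "DbMgmtSqlScript*.sql"
DEFAULT_DIR = r"C:\Windows\Temp"   # location given in the post


def cleanup(directory, keep_minutes=10, dry_run=False, now=None):
    """Delete files matching PATTERN older than keep_minutes.

    Returns the names that were (or, with dry_run=True, would be) removed.
    `now` may be supplied to make the age check deterministic.
    """
    now = time.time() if now is None else now
    cutoff = now - keep_minutes * 60
    removed = []
    for path in sorted(Path(directory).glob(PATTERN)):
        if not path.is_file():
            continue
        if path.stat().st_mtime < cutoff:
            if not dry_run:
                path.unlink()
            removed.append(path.name)
    return removed


def demo():
    """Run cleanup() against constructed files; returns (removed, remaining)."""
    with tempfile.TemporaryDirectory() as tmp:
        now = time.time()
        # Constructed sample files: name and age in minutes
        for name, age_min in (("DbMgmtSqlScript1.sql", 120),
                              ("DbMgmtSqlScript2.sql", 30),
                              ("DbMgmtSqlScript3.sql", 1),
                              ("unrelated.sql", 120)):
            p = Path(tmp, name)
            p.write_text("select to_char(count(*)) from dba_tablespaces;\nQUIT;\n")
            os.utime(p, (now - age_min * 60, now - age_min * 60))
        removed = cleanup(tmp, keep_minutes=10, now=now)
        remaining = sorted(q.name for q in Path(tmp).iterdir())
    return removed, remaining


if __name__ == "__main__":
    # Dry run against the real location so nothing is deleted by accident
    print("would remove:", cleanup(DEFAULT_DIR, dry_run=True))
    print("demo:", demo())
```

Run it once with `dry_run=True` to see the candidate list before scheduling it; the unrelated file in the demo shows that only the documented pattern is touched.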
Authentication Manager · RSA · SecurID · SQL
I realise this is has been around for a while now but until a few weeks ago I never really appreciated the Group Policy Preferences and the simplicity they offer.
Back in the days of Windows NT, Server 2000 and Server 2003, server administrators would create login scripts to perform a number of commands such as mapping network drives, installing printers, creating shortcuts and folders... I could go on but you get the idea. In Server 2008 Microsoft introduced Group Policy Preferences to allow you to use Group Policy to natively configure a whole host of settings that would otherwise be a number of lines of batch/kix/vb script.
As you can see from the image to the left there are a vast number of options that can be configured for a user when they log in. For most of the items there are four options: Create, Delete, Update and Replace, which will let you make changes to the Drive Mappings, Folders etc. The difference between Update and Replace can vary from item to item but my general understanding is that Update will attempt to modify the existing item to match what is in the Preference whereas Replace will remove what is there and recreate the new object (similar to a net use P: /DELETE /Y followed by net use P: \\Server\Users\%USERNAME%).
Another benefit is that in a single GPO you can define a number of different Preferences and then filter these around Group Membership.
This should all work out of the box with Windows Vista and above; for any legacy clients and servers (Windows XP, Server 2003) you will need to download the appropriate updates from Microsoft: http://support.microsoft.com/kb/943729.
All in all this should save time and administrative overhead when they are fully adopted. The only problem is getting the legacy scripts switched over to the new Preferences.
GPO · Group Policy · Login Script · Microsoft
I have spent the past week looking at a peculiar issue with CheckPoint Full Disk Encryption for a client. As a bit of a background all laptops are encrypted with Full Disk Encryption and to provide two factor authentication we are using the RSA SecurID800 which acts as a Smart Card as well as a one time authenticator.
Whilst provisioning a laptop for a new starter we re-used an existing token, issued the Smart Card certificate from our internal Certification Authority and it was added to the token successfully. After updating Full Disk Encryption from the MI Console we rebooted and tested login. Everything worked fine.
The issues came when we removed the old certificates from the token and suddenly Full Disk Encryption was showing “Invalid Logon – No certificates were found on this token” yet when in Windows the RSA software shows the certificate is there and the fingerprint matches what was picked up from Active Directory by the MI Console. Rebooted the laptop and still the same no certificates error.
Speaking with CheckPoint on the issue didn’t turn up much so I decided to issue a new certificate and try again. Went through the same process and upon reboot it worked fine and I put the original error down to a glitch so went and removed the old token from the SID800. Rebooted and it was broken again with the same error message.
To fix the issue I removed *all* certificates from the token, revoked all the issued ones in the CA and then issued one more for the user. All works fine and the user can now work on the laptop without issue.
Moral of the story... Remove all certificates first and then only add the one that you need. It's easier in the long run.
Certificates · Check Point · Full Disk Encryption · RSA · SecurID · SID800
I had an issue with one of my clients this week with slow workstation start-up times. Among the items that were running for all users at login was Roxio Drag2Disk, as someone had not taken it out of the standard software image. The client didn't use or need the software so I looked at a way to uninstall the various components without having to visit each machine individually (yes, we will be removing it from the image).
I thought it would be useful to get the script out there in case others need to accomplish the same task. If you want to use it just dump it somewhere central on your network (eg NETLOGON) and then run it as a startup script in a Group Policy Object
Script is below
' Script: uninstall_roxio.vbs
' Author: Matt White
' Version: 1.0
' Date: 15-06-2011
' Details: Uninstall all Roxio components from a workstation
' Usage: Run as a startup script GPO linked to the relevant Computers OU
'On Error Resume Next
' Define any variables
Dim arrRoxioGUIDs, arrRoxioNames
Set objShell = Wscript.CreateObject("Wscript.Shell")
Set objFSO = Wscript.CreateObject("Scripting.FileSystemObject")
Const ForReading = 1, ForWriting = 2, ForAppending = 8
' Define application GUIDs (the MSI product codes passed to msiexec /x)
arrRoxioGUIDs = Array("{30465B6C-B53F-49A1-9EBA-A3F187AD502E}", _
    "{0D397393-9B50-4c52-84D5-77E344289F87}", _
    "{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}", _
    "{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}", _
    "{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}", _
    "{83FFCFC7-88C6-41c6-8752-958A45325C82}", _
    "{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}", _
    "{0394CDC8-FABD-4ed8-B104-03393876DFDF}")
' Friendly names, in the same order as the GUIDs above
arrRoxioNames = Array("RoxioUpdateManager", _
    "RoxioCreatorData", _
    "RoxioDragToDisk", _
    "RoxioCreatorCopy", _
    "RoxioExpressLabeler", _
    "RoxioCreatorAudio", _
    "RoxioCreatorDE", _
    "RoxioCreatorTools")
' Check if the log file exists; if not, create it
If objFSO.FileExists("C:\roxiouninstall.log") Then
    Wscript.Echo "File Exists"
    Set objLogFile = objFSO.OpenTextFile("C:\roxiouninstall.log", ForAppending)
Else
    Wscript.Echo "Creating file"
    Set objNewLogFile = objFSO.CreateTextFile("C:\roxiouninstall.log")
    objNewLogFile.Close
    Set objLogFile = objFSO.OpenTextFile("C:\roxiouninstall.log", ForAppending)
End If
objLogFile.WriteLine "Uninstall of all Roxio components started " & Now
' Wscript.Quit   (debugging stop; kept commented out so the uninstall loop below runs)
' Uninstall each component
For i = 0 To UBound(arrRoxioNames)
    ' Check if the component is installed
    If RegKeyExists("HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\" & arrRoxioGUIDs(i), "UninstallString") = "True" Then
        objLogFile.WriteLine "Uninstalling " & arrRoxioNames(i)
        objShell.Run "cmd /c msiexec.exe /x " & arrRoxioGUIDs(i) & " /quiet", 0, True
        ' Re-check the registry to confirm the uninstall removed the entry
        If RegKeyExists("HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\" & arrRoxioGUIDs(i), "UninstallString") = "True" Then
            objLogFile.WriteLine "Error uninstalling: " & arrRoxioNames(i)
        Else
            objLogFile.WriteLine "Success uninstalling: " & arrRoxioNames(i)
        End If
    Else
        objLogFile.WriteLine "Error Uninstalling: " & arrRoxioNames(i) & " could not detect installed version."
    End If
Next
' Close log file
objLogFile.Close
' Function to check if a registry value exists; returns the string "True" or "False"
Function RegKeyExists(nHive, strPath, strValueName)
    Select Case Left(nHive, 20)
        Case "HKCR", "HKEY_CLASSES_ROOT"
            nHive = &H80000000
        Case "HKCU", "HKEY_CURRENT_USER"
            nHive = &H80000001
        Case "HKLM", "HKEY_LOCAL_MACHINE"
            nHive = &H80000002
        Case "HKU", "HKEY_USERS"
            nHive = &H80000003
        Case "HKCC", "HKEY_CURRENT_CONFIG"
            nHive = &H80000005
        Case Else
            WScript.Echo "Hive Not Supported."
            WScript.Quit
    End Select
    Dim objRegistry
    Dim strComputer, strValue
    strComputer = "."
    Set objRegistry = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")
    objRegistry.GetStringValue nHive, strPath, strValueName, strValue
    RegKeyExists = Not IsNull(strValue)
    RegKeyExists = CStr(RegKeyExists)
End Function
… and playing with IPv6 at home and I now have a partial setup of IPv6 on my home network and my parents will be going fully IPv6 from the weekend
The issues I had to overcome were firstly part of my own stupidity and then part of a need to understand how IPv6 works. First of all my ISP (BeThere) doesn’t currently support Native IPv6 on their DSL connections so I needed to get an IPv6 tunnel and Hurricane Electric’s Tunnel Broker service (http://www.tunnelbroker.net) came in very handy here as it allowed me to have a public /64 and private /48 address range which seems like a whole load of addresses that I can play with.
To get the firewall configured they actually give you a predefined sample config based on your IPv6 allocation which needed a bit of modifying to work with the setup on my firewall. The trouble was adding the /48 range to the Trust/Internal side of my network. I had configured Router Advertisement and also set the interface to be in Router mode instead of Host mode but my PC wasn’t getting anything other than the link local fe80:: address.
Following some hair pulling and discussion with a colleague I realised the issue was that the link from my PC to the firewall had a device in between that wasn't IPv6 enabled. I should point out here that the PC and firewall are in different rooms and because it's a rented property I am unable to run a nice CAT6 cable between the two. So I improvised and took an old laptop which I wasn't using and plugged this into the PC, connected the wireless on the laptop to my network and bridged the two connections. This works great (for the most part) with IPv4 but it was unable to bridge any of the IPv6 traffic on the network.
I added the IPv6 stack to the Windows XP machine and this broke the IPv4 bridge, so I lost my Internet connection and the ability to communicate with the world. A swift disabling of IPv6 brought this back and I am going to have to resort to buying a wireless PCI card for my PC.
Undeterred by this minor setback I looked at what other devices were on my network that I could set up IPv6 on that don't have the same issue. I am running a number of test VMs in an ESXi lab and there is an Ubuntu server and a number of Windows Server 2003 boxes running on here. Starting with the Win2K3 box I added the IPv6 stack to the network card and the server got an IP from the /48 I had been allocated. All I had to do was manually set the DNS servers using the OpenDNS IPv6 DNS Sandbox and I was online.
After the success of Server 2003 working I logged into my Ubuntu 10.04 LTS server and ifconfig showed that it had automatically picked up an address from my router. All that was left for me to do was to add the OpenDNS entries to my /etc/resolv.conf and I was good to go.
IPv6 works and is clearly the way forward. What I now need to do is to fully understand the address assignment and subnetting so that I can allocate networks more clearly and understand what is happening.
If you want to learn more about IP addressing then take a look at the following page from RIPE (http://www.ripe.net/internet-coordination/press-centre/understanding-ip-addressing) or alternatively the Wikipedia page on IPv6 (http://en.wikipedia.org/wiki/IPv6).
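An added example (not part of the post) of the address assignment described above: carving per-LAN /64s out of the routed /48, forming the host address that a router advertisement produces on a stack that derives its interface identifier with EUI-64 (assumed here for the Server 2003 and Ubuntu 10.04 hosts), and telling a link-local fe80:: address, which is all the bridged PC ever got, from one inside the allocation. The prefix and MAC are constructed documentation values, not the author's.

```python
import ipaddress
from itertools import islice

# Constructed values: the documentation prefix 2001:db8:1::/48 stands in for the routed
# /48 from the tunnel broker, and the MAC is a made-up address for the LAN host.
ROUTED_48 = "2001:db8:1::/48"
HOST_MAC = "00:1a:2b:3c:4d:5e"

def eui64_interface_id(mac):
    """Modified EUI-64: split the 48-bit MAC, insert ff:fe, flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")

def lan_prefixes(routed_48, count):
    """First `count` /64s carved from the routed /48; each LAN segment gets one of these."""
    net = ipaddress.IPv6Network(routed_48)
    return [str(p) for p in islice(net.subnets(new_prefix=64), count)]

def slaac_address(prefix_64, mac):
    """Address a host forms from a router advertisement for prefix_64 (EUI-64 identifier)."""
    net = ipaddress.IPv6Network(prefix_64)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 on-link prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))

def classify(addr, routed_48):
    """Tell a link-local fe80:: address (what the bridged PC got) from one in the routed /48."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:
        return "link-local"
    if a in ipaddress.IPv6Network(routed_48):
        return "global"
    return "other"

if __name__ == "__main__":
    first = lan_prefixes(ROUTED_48, 1)[0]
    host = slaac_address(first, HOST_MAC)
    print(first, host)
    print(classify("fe80::21a:2bff:fe3c:4d5e", ROUTED_48), classify(host, ROUTED_48))
```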
ipv4 · ipv6 · juniper · opendns · routing · SSG · world ipv6 day
I ran into an issue recently with a client where we were seeing a high level of packet loss to their newly installed SSG140 cluster. There were three clients sharing the same 100Mbit Internet circuit and they all connected directly into a pair of Juniper SRX210 routers.
All three clients had a firewall cluster which was either made up of a pair of Juniper SSG 140s or Juniper SSG 5s and we were seeing the packet loss on the two SSG 140 clusters.
After some investigation and troubleshooting the following KB article from the Juniper website seemed to demonstrate what the problem was: http://kb.juniper.net/InfoCenter/index?page=content&id=KB7435
The virtual MAC addresses of both firewall clusters' public-facing interfaces were the same.
Resolution? Rebuild one of the clusters to use a different cluster ID, so that the virtual MAC address generated for its firewalls is different.
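A way to spot the symptom above from the shared segment, as an added example that is not from the post: parse an ARP table taken on the upstream router and flag any MAC address that answers for addresses in more than one customer's block. The ARP lines and customer blocks are constructed, and the 00:10:db:ff prefix check is an assumed heuristic, not taken from the Juniper KB.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of an ARP table from the shared upstream router
# (documentation addresses only); 00:10:db:ff:20:00 answers for two customers' VIPs.
SAMPLE_ARP = """\
192.0.2.254  00:1b:c0:aa:bb:cc   ge-0/0/1.0
192.0.2.10   00:10:db:ff:20:00   ge-0/0/1.0
192.0.2.11   00:10:db:ff:20:00   ge-0/0/1.0
192.0.2.20   00:10:db:ff:20:00   ge-0/0/1.0
192.0.2.36   00:10:db:ff:21:00   ge-0/0/1.0
"""

# Constructed mapping of each customer's public block (an assumption, not from the post)
CUSTOMER_BLOCKS = {
    "customer-a": ipaddress.ip_network("192.0.2.0/28"),
    "customer-b": ipaddress.ip_network("192.0.2.16/28"),
    "customer-c": ipaddress.ip_network("192.0.2.32/28"),
}

ARP_LINE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s", re.I)

def parse_arp(text):
    """Map each MAC to the set of IPs resolving to it; lines that do not parse are skipped."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            seen[m.group(2).lower()].add(ipaddress.ip_address(m.group(1)))
    return seen

def owner(ip):
    """Which customer block an IP belongs to, or 'unknown' (e.g. the router itself)."""
    return next((n for n, b in CUSTOMER_BLOCKS.items() if ip in b), "unknown")

def shared_virtual_macs(arp_map):
    """MACs seen answering for IPs in more than one customer's block. One cluster answering
    for several of its own VIPs is normal; one MAC across two customers is the clash."""
    return {mac: sorted({owner(ip) for ip in ips})
            for mac, ips in arp_map.items()
            if len({owner(ip) for ip in ips}) > 1}

def is_juniper_virtual_mac(mac):
    """Heuristic (assumed layout): NSRP virtual MACs start with Juniper's OUI 00:10:db then ff."""
    return mac.lower().startswith("00:10:db:ff:")
```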
Just managed to complete my next MCP TS: Windows 7, Configuring which keeps me on my way to my MCITP: Enterprise Administrator qualification which I am hoping to get for the end of the summer.
I started to deploy Adobe Reader X to one of my clients the other day and found that users were unable to open files on shared drives mapped to our DFS. Searching through the web I found the following KB article from Adobe (http://kb2.adobe.com/cps/860/cpsid_86063.html)
"Cannot open PDF files whose source is DFS or NFS: PDF files in shared locations on a distributed or networked file system (DFS/NFS) cannot be opened. Attempting to open such a file results in an error opening this document. Access denied."
Initially I thought I would have to remove Adobe from all the workstations however a quick look in the registry found the place where this has been set – HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Privileged. To get around the problem I added the following to my login script to force the “bProtectedMode” value to 0
reg add "HKCU\Software\Adobe\Acrobat Reader\10.0\Privileged" /v bProtectedMode /t REG_DWORD /d 0 /f
This is definitely one to watch out for if rolling out Adobe Reader via GPO: setting bProtectedMode to 0 turns off Reader's Protected Mode for every user the login script touches, so it is a trade-off against the DFS access problem rather than a free fix.
Adobe · GPO · Group Policy · Protected Mode · Reader · registry