tag:blogger.com,1999:blog-66969771090546873522024-03-18T04:48:03.000-05:00Steven M. JordanInformation and Communication Technology PortfolioSteven M. Jordanhttp://www.blogger.com/profile/08808713004280066782noreply@blogger.comBlogger187125tag:blogger.com,1999:blog-6696977109054687352.post-27134676081108210622023-06-05T12:49:00.000-05:002023-06-05T12:49:16.557-05:00NPS Extension Certificate Error<h4 style="text-align: left;"><span style="color: #38761d;">Problem: </span></h4>The NPS Azure AD Extension creates a self-signed certificate that is valid for two years. This certificate must be renewed!<br /><br />The renewal process is simple enough:<br />
<pre><code>PS C:\Program Files\Microsoft\AzureMfa\Config> .\AzureMfaNpsExtnConfigSetup.ps1</code></pre>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgD4l-ouZIiMne4auvr8nHa56A4C0UPIDOY3378XbeYbOrLq-WoUNUuCufJiIoHqqcNnqqfo--r4HMByKsK4RdloQaLEupOpxYFyQyW-ndVqllXBgfT0oiXzijnOksHaDxP67cmCzM6hOzBznkL7Ei78xcqaX0nvqJMbiPBHDqlUw8s0Uoq4y-JytGIbg/s572/ITSec.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="572" data-original-width="375" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgD4l-ouZIiMne4auvr8nHa56A4C0UPIDOY3378XbeYbOrLq-WoUNUuCufJiIoHqqcNnqqfo--r4HMByKsK4RdloQaLEupOpxYFyQyW-ndVqllXBgfT0oiXzijnOksHaDxP67cmCzM6hOzBznkL7Ei78xcqaX0nvqJMbiPBHDqlUw8s0Uoq4y-JytGIbg/w131-h200/ITSec.JPG" width="131" /></a></div>
<h4 style="text-align: left;"><span style="color: #38761d;">PowerShell Error:</span></h4>
<script src="https://gist.github.com/stevenuwm/aa620aada36d91460d100338927a7911.js"></script>
<p>This error implies the package source 'https://www.powershellgallery.com/api/v2' is not reachable or cannot be resolved.</p>
<h4 style="text-align: left;"><span style="color: #38761d;">Fix:</span></h4>Windows 2016, 2019, and up natively support TLS 1.2. However, you might still need to update the .NET Framework and its cryptography settings, because PowerShell's web calls go through .NET rather than the OS default.
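As an added example (not code from the post), the script below bundles the fix into a repeatable check: it sets TLS 1.2 for the current session, confirms that the PowerShell Gallery endpoint answers before the extension setup script is re-run, and lists machine certificates that expire within a warning window so the two-year NPS extension certificate does not lapse unnoticed. The $SubjectFilter value, the 30-day window and the optional -PersistDotNetTls registry writes (the .NET Framework SchUseStrongCrypto and SystemDefaultTlsVersions values) are my assumptions and additions, not part of the post.

```powershell
# Added example, not part of the original post.
# Enables TLS 1.2 for this session, confirms the PowerShell Gallery is reachable,
# and reports soon-to-expire machine certificates (e.g., the NPS extension cert).

param(
    [string]$GalleryUri    = 'https://www.powershellgallery.com/api/v2',
    [string]$SubjectFilter = '*',   # ASSUMPTION: narrow this to the NPS extension cert subject in your tenant
    [int]$WarnDays         = 30,    # ASSUMPTION: renewal warning window in days
    [switch]$PersistDotNetTls       # also write the .NET strong-crypto registry values (needs elevation)
)

# 1. Session-level fix from the post: force TLS 1.2 for .NET web calls in this process.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# 2. Optional persistent fix: make .NET Framework 4.x follow the OS default TLS versions
#    and use strong crypto. These are the standard SchUseStrongCrypto / SystemDefaultTlsVersions
#    values (my addition, not from the post); both the 64-bit and 32-bit hives are set.
if ($PersistDotNetTls) {
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        if (Test-Path $key) {
            New-ItemProperty -Path $key -Name SchUseStrongCrypto       -PropertyType DWord -Value 1 -Force | Out-Null
            New-ItemProperty -Path $key -Name SystemDefaultTlsVersions -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

# 3. Reachability check: the error shown in the post means this request fails.
function Test-GalleryReachable {
    param([string]$Uri)
    try {
        $resp = Invoke-WebRequest -Uri $Uri -UseBasicParsing -TimeoutSec 15
        Write-Host "Gallery reachable: HTTP $($resp.StatusCode)"
        return $true
    } catch {
        Write-Warning "Gallery not reachable: $($_.Exception.Message)"
        Write-Warning "Check proxy/DNS and TLS 1.2 before re-running AzureMfaNpsExtnConfigSetup.ps1."
        return $false
    }
}

# 4. Certificate expiry report for the machine store, sorted by soonest expiry.
function Get-ExpiringMachineCerts {
    param([string]$Filter, [int]$Days)
    $cutoff = (Get-Date).AddDays($Days)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like $Filter -and $_.NotAfter -le $cutoff } |
        Sort-Object NotAfter |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter,
            @{ n = 'DaysLeft'; e = { [int]($_.NotAfter - (Get-Date)).TotalDays } }
}

Test-GalleryReachable -Uri $GalleryUri | Out-Null
Get-ExpiringMachineCerts -Filter $SubjectFilter -Days $WarnDays | Format-Table -AutoSize
```

Run it elevated on the NPS server. The ServicePointManager assignment only lasts for the current PowerShell session, which is why the registry option is there for servers where the setup script must be re-run later.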
At a minimum, manually enable TLS 1.2:<br /><br /><code>[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12</code><br /><br />That's it!<br /><p></p>Steven M. Jordanhttp://www.blogger.com/profile/08808713004280066782noreply@blogger.com0tag:blogger.com,1999:blog-6696977109054687352.post-11458490387711557162019-11-19T18:13:00.001-06:002019-11-19T18:13:13.101-06:00GPO Slow Link Detection<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtZWSHnY_DFenHDe7-VF9nCB5ZujH6cL4Cjj4VSbYo6BfoMPQDWRQ7GU00OQ7kPd0OGEfdRWgsGTruLXWkzuBnEN-WTyqcFgLG1WgaDIUwEPyGU18on6GkMQVpFXHx7ATfRii4F70M5y9g/s1600/ren_wtf.gif" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="400" data-original-width="500" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtZWSHnY_DFenHDe7-VF9nCB5ZujH6cL4Cjj4VSbYo6BfoMPQDWRQ7GU00OQ7kPd0OGEfdRWgsGTruLXWkzuBnEN-WTyqcFgLG1WgaDIUwEPyGU18on6GkMQVpFXHx7ATfRii4F70M5y9g/s200/ren_wtf.gif" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i>GPOs don't work on the VPN?</i></td></tr>
</tbody></table>
<h4>
<span style="color: #38761d;">Problem: </span></h4>
Branch office or managed laptops are missing group policies.<br />
<h4>
<span style="color: #38761d;">Definition: Group Policy Slow Link Detection</span></h4>
Slow-link detection identifies slow connections: low transfer rates or high latency. This process can trigger applications to scale back features and functions. For example, slow-link detection may interfere with <a href="https://www.stevenjordan.net/2013/03/dfs-namespace-problems-at-branch-offices.html">distributed file systems (DFS)</a>. In other situations, slow-link detection can prevent remote workstations from receiving GPO updates.<br />
<h4>
<span style="color: #38761d;">Background: </span></h4>
Widespread high-speed Internet connections (e.g., 100 Mbps) were uncommon before c. 2009. Older network protocols were less efficient (<a href="https://www.stevenjordan.net/2012/12/university-wisconsin-stout-wan-file.html">e.g., SMB2 vs SMB3</a>). Slow-link detection was designed to compensate for poor connections. This legacy process continues to affect modern network services (e.g., Windows 2019).<br />
<h4>
<span style="color: #38761d;">Group Policy Slow Link Detection:</span></h4>
Connection rates are measured between the domain controllers and the client. Group policy changes are not distributed when this transfer rate is less than 500 kbps. <br />
<br />
500 kbps may seem reasonable, but it's not.<br />
<h4>
<span style="color: #38761d;">Solution:</span></h4>
Disable slow link detection:<br />
<br />
GPO: Policies\Administrative Templates\System\Group Policy\Slow Link Detection<br />
<br />
Options: Enable this policy.<br />
<br />
<ul>
<li>Enter 0 to disable slow-link detection.</li>
<li>Alternately, set a high connection speed threshold (e.g., 10000 Kbps is ~10 Mbps).</li>
</ul>
<br />
That's it!<br />
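As an added example (not the post's own code), here is a PowerShell audit for the setting above: it reads the registry value that the "Slow Link Detection" policy writes, pulls the client's recent link-detection decisions from the Group Policy operational log, and can apply the "0 = disabled" setting locally for a lab test. The registry value name (GroupPolicyMinTransferRate) and the event IDs (5314 for the slow/fast link decision, 5327 for the bandwidth estimate) come from my own knowledge of the GroupPolicy ADMX and the operational log, not from the post; treat them as assumptions to verify against your build.

```powershell
# Added example, not part of the original post.
# Audits how Group Policy slow-link detection is configured on this machine and
# what the client actually measured, then optionally disables detection locally.

param(
    [switch]$DisableLocally   # write the policy's registry value; domain GPO will override it later
)

# Machine-side location and value behind "Configure Group Policy slow link detection".
# ASSUMPTION based on the GroupPolicy ADMX; the post only names the GPO path.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$ValueName   = 'GroupPolicyMinTransferRate'   # Kbps; 0 = slow-link detection disabled
$DefaultKbps = 500                            # threshold the post cites when nothing is configured

function Get-SlowLinkSetting {
    $v = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($null -eq $v) {
        [pscustomobject]@{ Configured = $false; ThresholdKbps = $DefaultKbps; Detection = 'Enabled (default)' }
    } elseif ($v -eq 0) {
        [pscustomobject]@{ Configured = $true;  ThresholdKbps = 0;  Detection = 'Disabled' }
    } else {
        [pscustomobject]@{ Configured = $true;  ThresholdKbps = $v; Detection = 'Enabled' }
    }
}

function Get-LinkDetectionEvents {
    # Group Policy operational log: 5314 = slow/fast link decision, 5327 = bandwidth estimate.
    # Event IDs are from my knowledge of the log, not from the post.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Id = 5314, 5327 } `
                 -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

'Current slow-link setting:'
Get-SlowLinkSetting | Format-List
'Recent link-detection decisions (newest first):'
Get-LinkDetectionEvents | Format-Table -Wrap

if ($DisableLocally) {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
    gpupdate /target:computer /force | Out-Null
    'Slow-link detection disabled locally; confirm with the event log after the next refresh.'
}
```

Run it on an affected branch laptop before and after the GPO change: the 5314 events show whether the client still classifies the VPN as a slow link, which is the actual cause of the missing policies.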
<h4>
<span style="color: #38761d;">References:</span></h4>
<a href="https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc978717(v=technet.10)"><span style="font-size: x-small;">https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc978717(v=technet.10)</span></a><br />
Steven M. Jordanhttp://www.blogger.com/profile/08808713004280066782noreply@blogger.com0tag:blogger.com,1999:blog-6696977109054687352.post-6971729555935254662019-07-31T17:09:00.002-05:002019-07-31T17:14:33.749-05:00Set the Network Location<h4>
<span style="color: #0b5394;">How to Assign Active Network Location with PowerShell.</span></h4>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibD05SYPg8qo2yG5SqO56ywFNupeCHMknAdDiITCnB0L4QD7HfxmLtRgDplpFpguiiJfsGV4WLwIbT-ScT9xu_gNq3voffB5PLP5vWcWllLUrI2Nb0DcDqBjtd-VN0z8nHqxbVV_giyaUI/s1600/Windows_Network_Location.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="50" data-original-width="134" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibD05SYPg8qo2yG5SqO56ywFNupeCHMknAdDiITCnB0L4QD7HfxmLtRgDplpFpguiiJfsGV4WLwIbT-ScT9xu_gNq3voffB5PLP5vWcWllLUrI2Nb0DcDqBjtd-VN0z8nHqxbVV_giyaUI/s1600/Windows_Network_Location.JPG" /></a></div>
<h4>
<span style="color: #0b5394;">Step 1: Identify networks and associated NICs.</span></h4>
<pre><code>Get-NetConnectionProfile

Name             : domain.com
InterfaceAlias   : Ethernet (Domain)
InterfaceIndex   : 1
NetworkCategory  : DomainAuthenticated
IPv4Connectivity : Internet
IPv6Connectivity : NoTraffic

Name             : Unidentified network
InterfaceAlias   : RDMA
InterfaceIndex   : 2
NetworkCategory  : Public
IPv4Connectivity : NoTraffic
IPv6Connectivity : NoTraffic
</code></pre>
The example above shows two NICs that belong to two different networks.<br />
<br />
<h4>
<span style="color: #0b5394;">Step 2. Change the NetworkCategory:</span></h4>
<div style="box-sizing: inherit; overflow: auto;">
<code class="language-powershell" style="box-sizing: inherit;">Set-NetConnectionProfile -InterfaceIndex 2 -NetworkCategory Private</code></div>
<br />
This example changes the network category of the NIC named RDMA (InterfaceIndex 2 in the listing above) from Public to Private. Confirm the change with Get-NetConnectionProfile.<br />
<br />
That's it!<br />
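As an added example (not the post's own code), the function below wraps the two cmdlets above with the checks an administrator wants before flipping a category: the network category selects which Windows Firewall profile applies to that NIC, so moving an interface from Public to Private relaxes inbound filtering on it. The function refuses to touch a domain-authenticated interface (that category is assigned by the DC locator and cannot be set by hand), skips a no-op change, and re-reads the profile to confirm the change applied. The alias 'RDMA' is taken from the post's listing.

```powershell
# Added example, not part of the original post.
# Switch a NIC's network category with sanity checks and verification.

function Set-NicNetworkCategory {
    param(
        [Parameter(Mandatory)] [string]$InterfaceAlias,                 # e.g. 'RDMA'
        [ValidateSet('Public', 'Private')] [string]$Category = 'Private'
    )
    $nic = Get-NetConnectionProfile -InterfaceAlias $InterfaceAlias -ErrorAction SilentlyContinue
    if (-not $nic) { throw "No connection profile found for interface '$InterfaceAlias'." }

    if ($nic.NetworkCategory -eq 'DomainAuthenticated') {
        # The Domain category is decided by domain-controller discovery, not by this cmdlet.
        throw "$InterfaceAlias is domain-authenticated; Set-NetConnectionProfile cannot change that."
    }
    if ($nic.NetworkCategory -eq $Category) {
        Write-Host "$InterfaceAlias is already $Category; nothing to do."
        return $nic
    }

    Write-Host "Changing $InterfaceAlias from $($nic.NetworkCategory) to $Category (firewall profile follows)."
    Set-NetConnectionProfile -InterfaceIndex $nic.InterfaceIndex -NetworkCategory $Category

    # Verify by re-reading, as the post recommends.
    $after = Get-NetConnectionProfile -InterfaceIndex $nic.InterfaceIndex
    if ($after.NetworkCategory -ne $Category) {
        throw "Change did not apply to $InterfaceAlias; category is still $($after.NetworkCategory)."
    }
    return $after
}

# Before: which category (and therefore which firewall profile) each NIC is in.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, InterfaceIndex, NetworkCategory | Format-Table

# Change the RDMA interface from the post's example, then show the firewall profiles in force.
Set-NicNetworkCategory -InterfaceAlias 'RDMA' -Category Private | Out-Null
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table
```

Re-run Get-NetConnectionProfile after a reboot to confirm the category stuck; for an "Unidentified network" it is worth checking rather than assuming.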
<h4>
<span style="color: #0b5394;">References:</span></h4>
<a href="https://docs.microsoft.com/en-us/powershell/module/netconnection/get-netconnectionprofile?view=win10-ps"><span style="font-size: x-small;">https://docs.microsoft.com/en-us/powershell/module/netconnection/get-netconnectionprofile?view=win10-ps</span></a>Steven M. Jordanhttp://www.blogger.com/profile/08808713004280066782noreply@blogger.com0tag:blogger.com,1999:blog-6696977109054687352.post-1802353251887806042019-05-09T14:23:00.000-05:002019-05-30T17:25:07.578-05:00Transfer FSMO Roles with PowerShell<br />
<h4>
Problem: </h4>
How to use PowerShell commands to transfer FSMO roles?<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-JV-oG-dCjKs/XNR8j3tUzAI/AAAAAAAAFIo/bVztzB6uvAsnBwNEiLc4JLXd5IbD5UvWgCLcBGAs/s1600/Win2016-.PNG" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt="" border="0" data-original-height="421" data-original-width="292" height="200" src="https://4.bp.blogspot.com/-JV-oG-dCjKs/XNR8j3tUzAI/AAAAAAAAFIo/bVztzB6uvAsnBwNEiLc4JLXd5IbD5UvWgCLcBGAs/s200/Win2016-.PNG" title="PowerShell FSMO Management" width="137" /></a></div>
<h4>
Solution: </h4>
Active Directory PowerShell module.<br />
<br />
<h4>
Assumptions: </h4>
FSMO PowerShell management requires the Active Directory PowerShell module.<br />
<br />
<span style="white-space: pre;"> </span> Import-Module ActiveDirectory<br />
<br />
<h4>
Example 1. Show forest FSMO roles (forest):</h4>
<span style="white-space: pre;"> </span>PS> Get-ADForest contoso.com| ft DomainNamingMaster, SchemaMaster<br />
<br />
<h4>
Example 2. Show domain FSMO roles (domain): </h4>
<span style="white-space: pre;"> </span>PS> Get-ADDomain contoso.com | ft InfrastructureMaster, PDCEmulator, RIDMaster<br />
<br />
<h4>
Example 3. Transfer single role to a domain controller. </h4>
<span style="white-space: pre;"> </span>PS> Move-ADDirectoryServerOperationMasterRole -Identity "DCX" PDCEmulator<br />
<br />
N.B., PowerShell FSMO role names and their numeric equivalents:<br />
<ul>
<li>0 = PDCEmulator</li>
<li>1 = RIDMaster</li>
<li>2 = InfrastructureMaster</li>
<li>3 = SchemaMaster</li>
<li>4 = DomainNamingMaster</li>
</ul>
<br />
<h4>
Example 4. Transfer multiple roles.</h4>
<code>Move-ADDirectoryServerOperationMasterRole -Identity "DCX" -OperationMasterRole DomainNamingMaster,PDCEmulator,RIDMaster,SchemaMaster,InfrastructureMaster</code>
<br />
<h4>
Example 5: Transfer all roles with numbers: </h4>
<span style="white-space: pre;"> </span>Move-ADDirectoryServerOperationMasterRole "DCX" -OperationMasterRole 0,1,2,3,4<br />
<br />
<h4>
Example 6. Transfer FSMO roles between domain controllers:</h4>
<br />
<span style="white-space: pre;"> </span>Move-ADDirectoryServerOperationMasterRole<br />
<br />
That's It!<br />
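As an added example (not the post's own code), the script below turns Examples 1 through 5 into a guarded procedure: it records the current role holders, checks that the target DC exists and responds, skips roles the target already owns, runs Move-ADDirectoryServerOperationMasterRole with -WhatIf unless -Commit is given, and verifies the holders afterwards. It deliberately performs a transfer, not a seizure (no -Force), so the current holder must be online. The target name 'DCX' and the role list are taken from the post; the parameter and function names are mine.

```powershell
# Added example, not part of the original post.
# Transfer FSMO roles to a target DC with pre-checks, dry run, and verification.
# Requires the ActiveDirectory module; Schema/DomainNaming moves need Enterprise Admin rights.

param(
    [Parameter(Mandatory)] [string]$TargetDC,   # e.g. 'DCX'
    [string[]]$Roles = @('PDCEmulator', 'RIDMaster', 'InfrastructureMaster', 'SchemaMaster', 'DomainNamingMaster'),
    [switch]$Commit                             # without -Commit only a -WhatIf dry run is performed
)

Import-Module ActiveDirectory -ErrorAction Stop

function Get-FsmoHolders {
    # Same data as Examples 1 and 2, flattened into one object keyed by role name.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

'Before:'
$before = Get-FsmoHolders
$before | Format-List

# Pre-checks: the target must be a known DC and must answer before we hand it roles.
$dc = Get-ADDomainController -Identity $TargetDC -ErrorAction Stop
if (-not (Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet)) {
    throw "$($dc.HostName) is not responding; aborting transfer."
}

# Only move roles the target does not already hold (holders are reported as FQDNs).
$pending = $Roles | Where-Object { $before.$_ -ne $dc.HostName }
if (-not $pending) { 'Target already holds all requested roles.'; return }
"Roles to transfer to $($dc.HostName): $($pending -join ', ')"

if (-not $Commit) {
    Move-ADDirectoryServerOperationMasterRole -Identity $dc -OperationMasterRole $pending -WhatIf
    'Dry run only; re-run with -Commit to transfer.'
    return
}

# Transfer (graceful, current holder online). -Force would seize instead; not used here.
Move-ADDirectoryServerOperationMasterRole -Identity $dc -OperationMasterRole $pending -Confirm:$false

'After:'
$after = Get-FsmoHolders
$after | Format-List
$failed = $pending | Where-Object { $after.$_ -ne $dc.HostName }
if ($failed) { throw "Roles not transferred: $($failed -join ', ')" }
'All requested roles now held by ' + $dc.HostName
```

Save it as a .ps1 and run it twice: once without -Commit to read the -WhatIf output, then with -Commit once the plan looks right.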
<br />
<h4>
References:</h4>
<span style="font-size: xx-small;"><a href="https://docs.microsoft.com/en-us/powershell/module/addsadministration/move-addirectoryserveroperationmasterrole?view=win10-ps">https://docs.microsoft.com/en-us/powershell/module/addsadministration/move-addirectoryserveroperationmasterrole?view=win10-ps</a></span><br />
<a href="https://blogs.technet.microsoft.com/canitpro/2017/05/24/step-by-step-migrating-active-directory-fsmo-roles-from-windows-server-2012-r2-to-2016/"><span style="font-size: xx-small;">https://blogs.technet.microsoft.com/canitpro/2017/05/24/step-by-step-migrating-active-directory-fsmo-roles-from-windows-server-2012-r2-to-2016/</span></a><br />
Steven M. Jordanhttp://www.blogger.com/profile/08808713004280066782noreply@blogger.com0tag:blogger.com,1999:blog-6696977109054687352.post-10366352093394272422018-07-16T17:45:00.001-05:002019-05-30T17:51:29.235-05:00Domain Controller Preference Order
<h4>
<span style="color: #134f5c;">Outline:</span></h4>
<div>
How to configure locator preferences for domain controllers (DCs). How to set priority and weight on domain controllers. Force clients to consistently connect to the same domain controller.</div>
<h4>
<span style="color: #134f5c;">Problem:</span></h4>
<div class="MsoNormal">
Clients connect to different DCs within the same site. Changing the IPv4 DNS server search order has no effect on this seemingly random behavior.<br />
<br /></div>
<h4>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiG4_flJ3QaT1eq5rdI8VXPLaj0KthTtniCJHQpcRSpYR2eFk0sFXunxmLZ9glxzVdBmiVIvkc0Q0OzB-w4hKuay1j3urDyVAu9q14s44cW7SLacobVKfeJeScAshu5385jgj0eHZOHbte6/s1600/AD.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt="" border="0" data-original-height="656" data-original-width="500" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiG4_flJ3QaT1eq5rdI8VXPLaj0KthTtniCJHQpcRSpYR2eFk0sFXunxmLZ9glxzVdBmiVIvkc0Q0OzB-w4hKuay1j3urDyVAu9q14s44cW7SLacobVKfeJeScAshu5385jgj0eHZOHbte6/s200/AD.jpg" title="DC Client Connection Preferences" width="151" /></a><span style="color: #134f5c;">Solution:</span></h4>
<div class="MsoNormal">
(a) Assign priority and weights to DNS SRV records via GPO (i.e., registry changes); or</div>
<div class="MsoNormal">
(b) change the subnet topology for simple DC Subnet Prioritization.</div>
<h4>
<span style="color: #134f5c;">Assumptions:</span></h4>
<div>
All DCs are located within the same Active Directory (AD) site.<br />
<br /></div>
<h4>
<span style="color: #134f5c;">Domain Controller Priority within a Site</span></h4>
<div class="MsoNormal">
Domain DNS SRV records assign priority and weight values that determine DC preference. Clients connect to the domain controller (DC) with the lowest priority value. By default, priority for all DCs is set to zero. For example, assume a site has two DCs:</div>
<ul>
<li>DC-X with a priority of 0 (i.e., preferred).</li>
<li>DC-Y with a priority of 2.</li>
</ul>
<div class="MsoNormal">
In this example, Windows clients connect to DC-X because it has the lowest priority value. Clients only connect to DC-Y when DC-X is unavailable (e.g., maintenance).</div>
<h4>
<span style="color: #134f5c;">Domain Controller Weights</span></h4>
<div class="MsoNormal">
What happens when all the DCs share the same priority? In this situation, DC preference is determined by SRV-record weight values. Unlike priority, clients prefer higher weight values over lower values.<br />
<br /></div>
<div class="MsoNormal">
What happens if all DCs have the same weight values? By default, each DC's weight value is set to 100. Clients connect round-robin when all DCs use the same priority and weight values.<br />
<br /></div>
<div class="MsoNormal">
What happens when same-site DCs have the same priority but different weight values? Weight is not absolute; it is proportionate. In other words, clients may still connect to any available DC, just not in equal proportion.<br />
<br />
Clients are more likely to connect to DCs with higher weights and less likely to connect to DCs with lower weights. Weight preference uses a simple formula: the weight of a single DC divided by the sum of all DC weights:</div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeuP9HnRMbUidpEoMVkTAw4C9lSyj0UKeYKRy4nCUYP8Xn_Ej9X0akJRrZLFuAxvpwzzjTsImswRmXC754VLoFmOiI7fVMDdpaz-pJJp7ggmJmjUyTKAliH5evlYlQhwpYypys_gl7kl0x/s1600/DC-Client-Locator.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="66" data-original-width="290" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeuP9HnRMbUidpEoMVkTAw4C9lSyj0UKeYKRy4nCUYP8Xn_Ej9X0akJRrZLFuAxvpwzzjTsImswRmXC754VLoFmOiI7fVMDdpaz-pJJp7ggmJmjUyTKAliH5evlYlQhwpYypys_gl7kl0x/s1600/DC-Client-Locator.PNG" /></a></div>
<div class="MsoNormal">
For example, assume three DCs within a single AD site (Table 1):<br />
<br /></div>
<b><span style="color: #134f5c;">Table 1</span></b><br />
<b><span style="color: #134f5c;">Determine domain controller preference based on weights.</span></b><br />
<table border="1" cellpadding="0" cellspacing="0" class="MsoTableGrid" style="border-collapse: collapse; border: none; mso-border-alt: solid windowtext .5pt; mso-padding-alt: 0in 5.4pt 0in 5.4pt; mso-yfti-tbllook: 1184; width: 0px;">
<tbody>
<tr>
<td style="border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 57.25pt;" valign="top" width="76"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
Domain <br />
Controller<o:p></o:p></div>
</td>
<td style="border-left: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 55.0pt;" valign="top" width="73"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
Priority<br />
(Default)<o:p></o:p></div>
</td>
<td style="border-left: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 82.7pt;" valign="top" width="110"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
Weight<o:p></o:p></div>
</td>
<td style="border-left: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 96.25pt;" valign="top" width="128"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
Formula<o:p></o:p></div>
</td>
<td style="border-left: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 93.05pt;" valign="top" width="124"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
Connection Odds<o:p></o:p></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 57.25pt;" valign="top" width="76"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
DC10<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 55.0pt;" valign="top" width="73"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
0<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 82.7pt;" valign="top" width="110"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
10<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 96.25pt;" valign="top" width="128"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
10/(10+20+30)<br />
= 10/60 <br />
= 1/6<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 93.05pt;" valign="top" width="124"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
17%<o:p></o:p></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 57.25pt;" valign="top" width="76"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
DC20<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 55.0pt;" valign="top" width="73"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
0<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 82.7pt;" valign="top" width="110"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
20<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 96.25pt;" valign="top" width="128"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
20/(10+20+30)<br />
= 20/60 <br />
= 2/6<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 93.05pt;" valign="top" width="124"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
33%<o:p></o:p></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 57.25pt;" valign="top" width="76"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
DC30<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 55.0pt;" valign="top" width="73"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
0<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 82.7pt;" valign="top" width="110"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
30<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 96.25pt;" valign="top" width="128"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
30/(10+20+30)<br />
= 30/60 <br />
= 1/2<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 93.05pt;" valign="top" width="124"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
50%<o:p></o:p></div>
</td>
</tr>
</tbody></table>
<div class="MsoNormal">
<span style="font-size: x-small;">Note: This assumes
client and domain controllers reside in the same site and use the same priority values.</span></div>
<h4>
<span style="color: #134f5c;">DC Preference Configuration</span></h4>
<ol>
<li>Set priority and weight via the registry:<br /><span style="color: #45818e;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters</span></li>
<li>Create new 32-bit DWORDs:<br /><span style="color: #45818e;">LdapSrvWeight<br />
LdapSrvPriority</span></li>
<li>Assign DC priority and weight values.</li>
<li>Restart the NETLOGON service to publish the new values to the SRV records.</li>
</ol>
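As an added example (not the post's own code), the following PowerShell puts the weight formula and the four configuration steps together. Get-DcConnectionOdds applies the Table 1 formula (weight divided by the sum of weights) to a set of SRV records, but only among the DCs that share the lowest priority value, since higher-priority values are fallbacks; this goes slightly beyond Table 1, which assumes equal priorities. Get-SiteDcSrvRecords pulls the live site-specific SRV records so the values actually published in DNS can be audited, and Set-LocalDcPreference writes the two Netlogon registry values named above and restarts Netlogon. The sample records, the domain name contoso.com and the site name are constructed placeholders.

```powershell
# Added example, not part of the original post.
# Audit published DC SRV records, compute each DC's connection odds, and
# optionally set this DC's LdapSrvPriority / LdapSrvWeight.

function Get-DcConnectionOdds {
    # $Records: objects with NameTarget, Priority, Weight (shape of Resolve-DnsName -Type SRV output).
    # Only the lowest-priority group is eligible; everything else gets 0% until that group is down.
    param([Parameter(Mandatory)] [object[]]$Records)
    $minPriority = ($Records | Measure-Object -Property Priority -Minimum).Minimum
    $eligible    = $Records | Where-Object { $_.Priority -eq $minPriority }
    $total       = ($eligible | Measure-Object -Property Weight -Sum).Sum
    foreach ($r in $Records) {
        $share = if ($r.Priority -eq $minPriority -and $total -gt 0) { $r.Weight / $total } else { 0 }
        [pscustomobject]@{
            DC          = $r.NameTarget
            Priority    = $r.Priority
            Weight      = $r.Weight
            OddsPercent = [math]::Round($share * 100)   # Table 1: 10/60 -> 17, 20/60 -> 33, 30/60 -> 50
        }
    }
}

function Get-SiteDcSrvRecords {
    # The site-specific LDAP SRV set that the DC locator consults for clients in that site.
    param([Parameter(Mandatory)] [string]$Domain, [Parameter(Mandatory)] [string]$Site)
    Resolve-DnsName -Name "_ldap._tcp.$Site._sites.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
}

function Set-LocalDcPreference {
    # Steps 1-4 from the post: write the two Netlogon values, then restart Netlogon
    # so this DC re-registers its SRV records with the new priority and weight. Run on the DC, elevated.
    param(
        [ValidateRange(0, 65535)] [int]$Priority,   # lower wins; default 0
        [ValidateRange(0, 65535)] [int]$Weight      # higher wins among equal priority; default 100
    )
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    New-ItemProperty -Path $key -Name LdapSrvPriority -PropertyType DWord -Value $Priority -Force | Out-Null
    New-ItemProperty -Path $key -Name LdapSrvWeight   -PropertyType DWord -Value $Weight   -Force | Out-Null
    Restart-Service Netlogon
}

# Constructed sample reproducing Table 1 (not live DNS data).
$sample = @(
    [pscustomobject]@{ NameTarget = 'dc10.contoso.com'; Priority = 0; Weight = 10 },
    [pscustomobject]@{ NameTarget = 'dc20.contoso.com'; Priority = 0; Weight = 20 },
    [pscustomobject]@{ NameTarget = 'dc30.contoso.com'; Priority = 0; Weight = 30 }
)
Get-DcConnectionOdds -Records $sample | Format-Table

# Live audit against a real site (placeholder names; run from any domain-joined host):
# Get-DcConnectionOdds -Records (Get-SiteDcSrvRecords -Domain 'contoso.com' -Site 'Default-First-Site-Name') | Format-Table

# Apply on one DC, e.g. to make it the preferred DC of its site:
# Set-LocalDcPreference -Priority 0 -Weight 200
```

Run the live audit before and after changing a DC's registry values: it shows what DNS actually publishes, which is what clients act on, rather than what the registry says.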
<h4>
<span style="color: #134f5c;">Subnet Prioritization</span></h4>
Clients prefer to connect to DCs on the same IP subnet. For example, let’s say we have a single AD site. This site consists of one Windows 10 client and two DCs (Table 2):<br />
<br />
<b><span style="color: #134f5c;">Table2<br />Subnet Prioritization</span></b><br />
<table border="1" cellpadding="0" cellspacing="0" class="MsoTableGrid" style="border-collapse: collapse; border: none; mso-border-alt: solid windowtext .5pt; mso-padding-alt: 0in 5.4pt 0in 5.4pt; mso-yfti-tbllook: 1184;">
<tbody>
<tr>
<td style="border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 71.8pt;" valign="top" width="96"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
Host<o:p></o:p></div>
</td>
<td style="border-left: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 49.15pt;" valign="top" width="66"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
Priority<o:p></o:p></div>
</td>
<td style="border-left: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 48.75pt;" valign="top" width="65"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
Weight<o:p></o:p></div>
</td>
<td style="border-left: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 116.9pt;" valign="top" width="156"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
IP address<o:p></o:p></div>
</td>
<td style="border-left: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 116.9pt;" valign="top" width="156"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
Preferred DC<o:p></o:p></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 71.8pt;" valign="top" width="96"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
WIN-10<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 49.15pt;" valign="top" width="66"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 48.75pt;" valign="top" width="65"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 116.9pt;" valign="top" width="156"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
192.168.1.1/24<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 116.9pt;" valign="top" width="156"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 71.8pt;" valign="top" width="96"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
DC-X<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 49.15pt;" valign="top" width="66"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
0<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 48.75pt;" valign="top" width="65"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
100<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 116.9pt;" valign="top" width="156"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
192.168.1.100/24<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 116.9pt;" valign="top" width="156"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
Yes<o:p></o:p></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 71.8pt;" valign="top" width="96"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
DC-Y<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 49.15pt;" valign="top" width="66"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
0<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 48.75pt;" valign="top" width="65"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
100<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 116.9pt;" valign="top" width="156"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
192.168.2.100/24<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 116.9pt;" valign="top" width="156"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
No<o:p></o:p></div>
</td>
</tr>
</tbody></table>
<div class="MsoNormal">
<span style="font-size: x-small;"> Note: All hosts reside in the same AD site. DC01 and DC02 use default weight and priority values.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
In this situation, all hosts belong to the same AD site. Both DCs have the same preference values (i.e., the defaults). WIN-10 and DC-X belong to the same IP subnet, while DC-Y resides on a separate IP subnet. DC-X is the preferred DC. Clients only connect to DC-Y when DC-X is unavailable (e.g., during maintenance).</div>
<h4>
<span style="color: #134f5c;">Additional Thoughts:</span></h4>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
I recommend minimal registry changes, especially to DCs. Implement priority and weight changes with caution. Also consider that registry changes can be difficult to troubleshoot. Therefore, it's prudent to push these changes out via GPO.<br />
<br />
</div>
<div class="MsoNormal">
Subnet prioritization seems to be the simplest approach, provided you're comfortable with internetworking: create a new gateway, add routes, and assign the subnet to the second DC. Done.</div>
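The selection rule behind the Priority and Weight columns, as an added example that is not part of the original post: it ranks DCs the way the DC locator does (lowest priority wins, ties broken by a weighted draw), reads the Netlogon registry overrides on a DC, and replays the table above with and without a priority change. The domain name is a placeholder and the sample records are constructed.

```powershell
# Added example (not from the original post). Assumes the DnsClient module
# (Resolve-DnsName) and, for the registry audit, that it runs on a DC.

function Get-DcSrvRecords {
    param([Parameter(Mandatory)][string]$Domain)
    # Resolve-DnsName returns Priority/Weight/NameTarget for each SRV record
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object {
            [pscustomobject]@{ Host = $_.NameTarget; Priority = $_.Priority; Weight = $_.Weight }
        }
}

function Select-PreferredDc {
    param([Parameter(Mandatory)][object[]]$Records, [int]$Draws = 1000)
    # Only the lowest priority group is eligible; higher numbers are fallbacks
    $best     = ($Records | Measure-Object -Property Priority -Minimum).Minimum
    $eligible = @($Records | Where-Object { $_.Priority -eq $best })
    $total    = ($eligible | Measure-Object -Property Weight -Sum).Sum
    $counts   = @{}
    $rng      = New-Object System.Random 1   # fixed seed so runs are reproducible
    for ($i = 0; $i -lt $Draws; $i++) {
        if ($total -le 0) {
            # All weights 0: every eligible DC is equally likely
            $pick = $eligible[$rng.Next($eligible.Count)]
        } else {
            $r = $rng.Next($total)           # 0 .. total-1, weighted by Weight
            foreach ($rec in $eligible) {
                $r -= $rec.Weight
                if ($r -lt 0) { $pick = $rec; break }
            }
        }
        $counts[$pick.Host] = 1 + [int]$counts[$pick.Host]
    }
    $counts.GetEnumerator() | Sort-Object Value -Descending | ForEach-Object {
        [pscustomobject]@{ Host = $_.Key; Share = [math]::Round($_.Value / $Draws, 2) }
    }
}

function Get-NetlogonSrvOverride {
    # The per-DC registry values behind the Priority/Weight columns; absent means default
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $prio = 'default (0)';   if ($null -ne $p.LdapSrvPriority) { $prio = $p.LdapSrvPriority }
    $wght = 'default (100)'; if ($null -ne $p.LdapSrvWeight)   { $wght = $p.LdapSrvWeight }
    [pscustomobject]@{ LdapSrvPriority = $prio; LdapSrvWeight = $wght }
}

# Constructed records mirroring the table: both DCs at the defaults
$table = @(
    [pscustomobject]@{ Host = 'DC-X'; Priority = 0; Weight = 100 },
    [pscustomobject]@{ Host = 'DC-Y'; Priority = 0; Weight = 100 }
)
'Defaults: equal priority and weight leave a 50/50 draw, so the post relies on subnet prioritization'
Select-PreferredDc -Records $table | Format-Table -AutoSize

# Same DCs after raising LdapSrvPriority on DC-Y: DC-X is chosen until it is unavailable
$table[1].Priority = 10
'DC-Y at priority 10:'
Select-PreferredDc -Records $table | Format-Table -AutoSize

# Live data instead of the constructed table (placeholder domain):
# Select-PreferredDc -Records (Get-DcSrvRecords -Domain 'corp.example.com')
```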
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
That’s It!<o:p></o:p><br />
<br /></div>
<h4>
<span style="color: #134f5c;">References:</span></h4>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<span style="font-size: x-small;"><a href="https://blogs.msmvps.com/acefekay/2010/01/03/the-dc-locator-process-the-logon-process-controlling-which-dc-responds-in-an-ad-site-and-srv-records/">https://blogs.msmvps.com/acefekay/2010/01/03/the-dc-locator-process-the-logon-process-controlling-which-dc-responds-in-an-ad-site-and-srv-records/</a><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-size: x-small;"><a href="https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc733142(v=ws.10)">https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc733142(v=ws.10)</a><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-size: x-small;"><a href="http://techgenix.com/domain-controllers-weight-priority/">http://techgenix.com/domain-controllers-weight-priority/</a><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-size: x-small;"><a href="https://www.blackmanticore.com/1a64083f14eccc1d32a755a850c2ea3d">https://www.blackmanticore.com/1a64083f14eccc1d32a755a850c2ea3d</a><o:p></o:p></span></div>
<div class="MsoNormal">
</div>
<div class="MsoNormal">
<a href="https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc772592%28v%3dws.10%29"><span style="font-size: x-small;">https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc772592%28v%3dws.10%29</span></a><o:p></o:p></div>
<br />Steven M. Jordanhttp://www.blogger.com/profile/08808713004280066782noreply@blogger.com0tag:blogger.com,1999:blog-6696977109054687352.post-80009128133081772242018-07-10T20:38:00.002-05:002019-05-30T17:54:57.959-05:00Fix Shutdown Event Tracker in RDP
<br />
<span style="color: #7f6000;">Problem:</span></h4>
<span style="background-color: white; color: #2a2a2a; font-family: "segoe ui" , "lucida grande" , "verdana" , "arial" , "helvetica" , sans-serif; font-size: 14px;">How to disable the unexpected shutdown prompt for remote desktop users. The remote desktop server (RDS) displays the Shutdown Event Tracker warning after installing updates. This prompt causes confusion and unnecessary help desk calls.</span><br />
<span style="background-color: white; color: #2a2a2a; font-family: "segoe ui" , "lucida grande" , "verdana" , "arial" , "helvetica" , sans-serif; font-size: 14px;"><br /></span>
<br />
<h4>
<span style="color: #7f6000;">Solution:</span></h4>
<span style="background-color: white; color: #2a2a2a; font-family: "segoe ui" , "lucida grande" , "verdana" , "arial" , "helvetica" , sans-serif; font-size: 14px;">Remove local\Users group permissions from shutdown.exe: c:\windows\system32\shutdown.exe</span><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQ9Atvt04wJwPhxCWUCjHsH5p5GOg_g3Q1MPXJjSN6enqfEHKgXGLOdl4fD-GbKE-3TmWScRomjKcfKDaGypiK2nrPkOFpYcPj2Vl_vhR2G6I0fHyt2pmOxlDYphdV3L7AeZsujXp8Dgc_/s1600/shutdown.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="Hide RDP shutdown warnings from domain users." border="0" data-original-height="78" data-original-width="333" height="74" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQ9Atvt04wJwPhxCWUCjHsH5p5GOg_g3Q1MPXJjSN6enqfEHKgXGLOdl4fD-GbKE-3TmWScRomjKcfKDaGypiK2nrPkOFpYcPj2Vl_vhR2G6I0fHyt2pmOxlDYphdV3L7AeZsujXp8Dgc_/s320/shutdown.PNG" title="c:\windows\system32\shutdown.exe" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<span style="background-color: white;"><span style="color: #2a2a2a; font-family: "segoe ui" , "lucida grande" , "verdana" , "arial" , "helvetica" , sans-serif;"><span style="font-size: 14px;">Both local administrators and local users have read and execute permissions on this system file. Remove the local Users group in order to hide the unwanted shutdown messages. Also note that this change may require taking ownership from TrustedInstaller and assigning it to the local Administrators group.</span></span></span><br />
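The permission change above, scripted with a backup and a verification step, as an added example that is not part of the original post. It assumes an elevated PowerShell session; the backup path is a constructed placeholder.

```powershell
# Added example (not from the original post): remove the BUILTIN\Users ACE from
# shutdown.exe so standard RDP users no longer trigger the Shutdown Event
# Tracker prompt. Run elevated.

$exe    = Join-Path $env:SystemRoot 'System32\shutdown.exe'
$backup = Join-Path $env:ProgramData 'shutdown.exe.dacl.sddl'   # constructed path

function Backup-FileDacl {
    param([string]$Path, [string]$To)
    # Save only the DACL (not the owner) so it can be put back with Set-Acl
    (Get-Acl -Path $Path).GetSecurityDescriptorSddlForm('Access') |
        Set-Content -Path $To -Encoding ASCII
}

function Restore-FileDacl {
    param([string]$Path, [string]$From)
    $acl = Get-Acl -Path $Path
    $acl.SetSecurityDescriptorSddlForm((Get-Content -Path $From -Raw).Trim(), 'Access')
    Set-Acl -Path $Path -AclObject $acl
}

function Remove-UsersAccess {
    param([string]$Path)
    # System32 binaries are owned by TrustedInstaller; as the post notes,
    # ownership has to move to Administrators first (/A = Administrators group)
    & takeown.exe /F $Path /A | Out-Null
    # Make any inherited ACEs explicit, then drop every ACE held by Users
    & icacls.exe $Path /inheritance:d | Out-Null
    & icacls.exe $Path /remove 'Users' | Out-Null
}

function Test-UsersHasAccess {
    param([string]$Path)
    # True while BUILTIN\Users still holds any access on the file
    $acl = Get-Acl -Path $Path
    [bool]($acl.Access | Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' })
}

Backup-FileDacl -Path $exe -To $backup
Remove-UsersAccess -Path $exe
if (Test-UsersHasAccess -Path $exe) {
    Write-Warning "Users still has access to $exe; inspect it with: icacls `"$exe`""
} else {
    "Users ACE removed. Revert with: Restore-FileDacl -Path '$exe' -From '$backup'"
}
# A cumulative update that replaces shutdown.exe may bring the default DACL
# back, so re-run Test-UsersHasAccess after patching.
```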
<span style="background-color: white;"><span style="color: #2a2a2a; font-family: "segoe ui" , "lucida grande" , "verdana" , "arial" , "helvetica" , sans-serif;"><span style="font-size: 14px;"><br /></span></span></span>
<span style="background-color: white;"><span style="color: #2a2a2a; font-family: "segoe ui" , "lucida grande" , "verdana" , "arial" , "helvetica" , sans-serif;"><span style="font-size: 14px;"><br /></span></span></span>
That's It!<br />
Steven M. Jordanhttp://www.blogger.com/profile/08808713004280066782noreply@blogger.com0tag:blogger.com,1999:blog-6696977109054687352.post-80547659901427734482018-06-23T22:31:00.001-05:002019-05-30T17:59:41.682-05:00SRX: How to Copy & Paste in JUNOS
<br />
<h4>
<span style="color: #7f6000;">Problem: </span></h4>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4eoByV0KL5JwyNoXQfHUorkmi9GT-M4IcMDAhiJEAa2PqreffUaWpkeCZ_54BxZrdU6_C8rjFxkTkBQT9WpIwVHX0Tqb0HcLWfkkQdUe80OZBXLKRyTxFFLARedZOnouGCTGlBpJifcwv/s1600/juniper_srx_series.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt="" border="0" data-original-height="262" data-original-width="200" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4eoByV0KL5JwyNoXQfHUorkmi9GT-M4IcMDAhiJEAa2PqreffUaWpkeCZ_54BxZrdU6_C8rjFxkTkBQT9WpIwVHX0Tqb0HcLWfkkQdUe80OZBXLKRyTxFFLARedZOnouGCTGlBpJifcwv/s200/juniper_srx_series.jpg" title="Paste config text in JUNOS." width="152" /></a><span style="color: #7f6000;"><br /></span></div>
How to copy and paste configuration text into a Juniper SRX.<br />
<h4>
<span style="color: #7f6000;">Solution: </span></h4>
<div>
<span style="color: #7f6000;"><br /></span></div>
<div>
<div>
Paste text into the config with the "load replace terminal" command. </div>
<div>
Return to the router prompt with either CTRL-D or ^D. </div>
<h4>
<span style="color: #7f6000;">Example: </span></h4>
<pre><code>root@SRX# load replace terminal
[Type ^D at a new line to end input]
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.1.2/24;
            }
        }
    }
}
load complete
[edit]
root@SRX# commit
</code></pre>
</div>
<div>
<br />
That's It!</div>
Steven M. Jordanhttp://www.blogger.com/profile/08808713004280066782noreply@blogger.com0tag:blogger.com,1999:blog-6696977109054687352.post-18714952092404241722018-06-23T21:53:00.001-05:002018-06-23T21:53:16.990-05:00SSH Between SRX Nodes<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4eoByV0KL5JwyNoXQfHUorkmi9GT-M4IcMDAhiJEAa2PqreffUaWpkeCZ_54BxZrdU6_C8rjFxkTkBQT9WpIwVHX0Tqb0HcLWfkkQdUe80OZBXLKRyTxFFLARedZOnouGCTGlBpJifcwv/s1600/juniper_srx_series.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="" border="0" data-original-height="262" data-original-width="200" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4eoByV0KL5JwyNoXQfHUorkmi9GT-M4IcMDAhiJEAa2PqreffUaWpkeCZ_54BxZrdU6_C8rjFxkTkBQT9WpIwVHX0Tqb0HcLWfkkQdUe80OZBXLKRyTxFFLARedZOnouGCTGlBpJifcwv/s200/juniper_srx_series.jpg" title="SSH between SRX cluster nodes." width="152" /></a></div>
<h4>
<span style="color: #7f6000;">Problem: </span></h4>
How to SSH from Node0 to Node 1 within a Juniper SRX cluster.<br />
How to connect from the primary node to the secondary node.<br />
<br />
<h4>
<span style="color: #7f6000;">Solution: </span></h4>
<ol>
<li>SRX 300 Series:<br /><br /><span style="font-family: Courier New, Courier, monospace;">{primary:node0}<br /> smj@SRX> request routing-engine login node 1</span><br /><br /></li>
<li>SRX 1500 Series:<br /><br /><span style="font-family: Courier New, Courier, monospace;">smj@SRX% rlogin -T node1</span></li>
</ol>
<div>
<br /></div>
<div>
That's It!</div>
Steven M. Jordanhttp://www.blogger.com/profile/08808713004280066782noreply@blogger.com0tag:blogger.com,1999:blog-6696977109054687352.post-52375048802411135412018-06-22T17:29:00.000-05:002018-06-22T17:35:28.833-05:00How to Setup a Virtual Smart Card<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjL541jCfn_sfZm6633i2Yh8SmdUA5TXMRDI8P5P7ut6PuL8A9NynSYyV7vcA5mTFjvp3NhcFaEFu-USP8lwLV2K9rSkF_Hefjk21NCyiXz7RRGjcL5ew_tEfmLfHw3GrkQKDHptsm9qp_P/s1600/WIN2016.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="421" data-original-width="292" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjL541jCfn_sfZm6633i2Yh8SmdUA5TXMRDI8P5P7ut6PuL8A9NynSYyV7vcA5mTFjvp3NhcFaEFu-USP8lwLV2K9rSkF_Hefjk21NCyiXz7RRGjcL5ew_tEfmLfHw3GrkQKDHptsm9qp_P/s200/WIN2016.PNG" width="138" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Fun with Virtual Smart Cards!</td></tr>
</tbody></table>
<h4>
<span style="color: #0b5394;">Outline:</span></h4>
Steps on how to enable a virtual smart card.<br />
<h4>
<span style="color: #0b5394;">Assumptions:</span></h4>
Virtual smart cards require a computer with an initialized TPM. N.B., Windows 10 initializes the TPM by default.<br />
<h4>
<span style="color: #0b5394;">Virtual Smart Card Configuration:</span></h4>
<pre><code>tpmvscmgr.exe create /name VSC /pin prompt /puk prompt /adminkey random /generate</code></pre>
<h4>
<span style="color: #0b5394;">Reset the Virtual Smart Card</span>:</h4>
<pre><code>tpmvscmgr.exe destroy /instance root\smartcardreader\0000</code></pre>
<h4>
<span style="color: #0b5394;">PINs, PUKs, and Keys</span>:</h4>
<ol>
<li><span style="font-family: inherit;">Smart Card Personal Identification Number (PIN). The PIN is essentially a password. The PIN can be changed by the end user from any domain computer:<br /><br /> CTRL-ALT-Delete → Change Password → Change PIN.<br /></span></li>
<li><span style="font-family: inherit;">Smart Card Personal Unlock Key (PUK). Windows locks the PIN after three unsuccessful attempts. End users can use their PUK to unblock their PIN:<br /><br /> CTRL-ALT-Delete → Change Password → Unblock Smart Card.<br /><br />The PUK is optional but I recommend it. It's simply too easy to lock the PIN! <br /><br />Unblocking with the PUK resets the PIN, so keep the PUK safe and only use it when it's absolutely necessary.<br /><br />In addition, Windows does not include native tools to change the PUK. In order to choose a new PUK, the virtual smart card must first be deleted (i.e., destroyed) and then recreated. Of course, this process deletes all certificates on the smart card.<br /></span></li>
<li><span style="font-family: inherit;">Admin Key. The key benefit of the admin key is that it allows administrators to generate certificate keys when enrolling on behalf of others. Organizations that do not use enrollment stations should simply generate a random admin key. </span></li>
</ol>
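The create and destroy steps above wrapped with the TPM check the Assumptions section calls for, as an added example that is not part of the original post. It assumes an elevated session on Windows 10 with the TrustedPlatformModule module (Get-Tpm); the card name is the post's own, and the instance lookup is the value the destroy command needs.

```powershell
# Added example (not from the original post). Run elevated.

function Test-TpmReady {
    # Get-Tpm reports whether a TPM is present and already initialized
    $tpm = Get-Tpm -ErrorAction Stop
    [pscustomobject]@{ Present = $tpm.TpmPresent; Ready = $tpm.TpmReady }
}

function New-VirtualSmartCard {
    param([string]$Name = 'VSC')
    # Same options as the post: prompted PIN and PUK, random admin key,
    # and /generate so the card is usable immediately
    & tpmvscmgr.exe create /name $Name /pin prompt /puk prompt /adminkey random /generate
    if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr create failed with exit code $LASTEXITCODE" }
}

function Get-VirtualSmartCardInstance {
    # Virtual readers enumerate under ROOT\SMARTCARDREADER; the InstanceId is
    # the value to hand to 'tpmvscmgr.exe destroy /instance'
    Get-PnpDevice -Class SmartCardReader -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'ROOT\SMARTCARDREADER\*' } |
        Select-Object -ExpandProperty InstanceId
}

function Remove-VirtualSmartCard {
    param([Parameter(Mandatory)][string]$InstanceId)
    # Destroying the card deletes every certificate on it (see the PUK note above)
    & tpmvscmgr.exe destroy /instance $InstanceId
    if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr destroy failed with exit code $LASTEXITCODE" }
}

$tpm = Test-TpmReady
if (-not ($tpm.Present -and $tpm.Ready)) {
    throw "TPM not ready (Present=$($tpm.Present) Ready=$($tpm.Ready)); initialize it first"
}
New-VirtualSmartCard -Name 'VSC'
"Created. Instance(s) for a later destroy: $(Get-VirtualSmartCardInstance -join ', ')"
```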
<h4>
<span style="color: #0b5394; font-family: inherit;">References:</span></h4>
<span style="font-family: inherit;">https://docs.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started</span><br />
<span style="font-family: inherit;"><br /></span>
Steven M. Jordanhttp://www.blogger.com/profile/08808713004280066782noreply@blogger.com0tag:blogger.com,1999:blog-6696977109054687352.post-48642405563660069522018-05-08T07:01:00.000-05:002018-05-08T07:01:07.493-05:00Quickly Uninstall Single KB Update<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjL541jCfn_sfZm6633i2Yh8SmdUA5TXMRDI8P5P7ut6PuL8A9NynSYyV7vcA5mTFjvp3NhcFaEFu-USP8lwLV2K9rSkF_Hefjk21NCyiXz7RRGjcL5ew_tEfmLfHw3GrkQKDHptsm9qp_P/s1600/WIN2016.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="" border="0" data-original-height="421" data-original-width="292" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjL541jCfn_sfZm6633i2Yh8SmdUA5TXMRDI8P5P7ut6PuL8A9NynSYyV7vcA5mTFjvp3NhcFaEFu-USP8lwLV2K9rSkF_Hefjk21NCyiXz7RRGjcL5ew_tEfmLfHw3GrkQKDHptsm9qp_P/s200/WIN2016.PNG" title="How to uninstall updates via command line." width="138" /></a></div>
<br />
<h4>
<span style="color: #134f5c;">Problem: </span></h4>
Uninstalling Windows Updates is a pain in the neck!<br />
<ul>
<li>The Windows Update GUI provides a long list of KB updates. </li>
<li>Updates are organized by date and not by KB numbers. </li>
<li>It lacks a built-in search function! </li>
</ul>
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggx7CDpb9yqjuJBBl6qTXQXDRuF0UKvI9R6wDkVhjQfWLD5ka4g1W1IaosYNrS2qyWtxX_I2R6_zTqO12nAgAPf2LdUhk-7dDgSH4svogghTJv48aVxkVJgjRSON8qwAODzdZFWeJngNo8/s1600/Update-History.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img alt="" border="0" data-original-height="868" data-original-width="794" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggx7CDpb9yqjuJBBl6qTXQXDRuF0UKvI9R6wDkVhjQfWLD5ka4g1W1IaosYNrS2qyWtxX_I2R6_zTqO12nAgAPf2LdUhk-7dDgSH4svogghTJv48aVxkVJgjRSON8qwAODzdZFWeJngNo8/s320/Update-History.PNG" title="Search for specific Windows updates." width="291" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1. Windows Update History:<br />
No search for you (CTRL+F)! :(</td></tr>
</tbody></table>
<h4>
<span style="color: #134f5c;">Solution:</span></h4>
Use the command line to search and uninstall specific updates.<br />
<br />
List installed patches:<br />
<pre><span style="font-family: Courier New, Courier, monospace;">wmic qfe list</span></pre>
<br />
Uninstall specific patch:<br />
<pre><span style="font-family: Courier New, Courier, monospace;">wusa /uninstall /kb:xxxxx</span></pre>
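The same search-then-uninstall done from PowerShell, as an added example that is not part of the original post: Get-HotFix replaces the (now deprecated) wmic qfe list, the KB is removed only if it is actually installed, and the wusa exit code tells you whether a reboot is pending. The KB number is a placeholder.

```powershell
# Added example (not from the original post). Run elevated.

function Get-InstalledKb {
    param([Parameter(Mandatory)][string]$Kb)
    # Accept '1234567' or 'KB1234567'
    $id = 'KB' + ($Kb -replace '^KB', '')
    Get-HotFix -Id $id -ErrorAction SilentlyContinue
}

function Uninstall-Kb {
    param([Parameter(Mandatory)][string]$Kb, [switch]$Reboot)
    $hotfix = Get-InstalledKb -Kb $Kb
    if (-not $hotfix) { return "$Kb is not installed on $env:COMPUTERNAME" }
    $number = $hotfix.HotFixID -replace '^KB', ''
    # /quiet suppresses the GUI; /norestart lets you schedule the reboot yourself
    $wusaArgs = @('/uninstall', "/kb:$number", '/quiet')
    if (-not $Reboot) { $wusaArgs += '/norestart' }
    $p = Start-Process -FilePath wusa.exe -ArgumentList $wusaArgs -Wait -PassThru
    # 0 = removed; 3010 = removed, reboot required
    switch ($p.ExitCode) {
        0       { "Removed $($hotfix.HotFixID)" }
        3010    { "Removed $($hotfix.HotFixID); reboot required" }
        default { "wusa exited with $($p.ExitCode) for $($hotfix.HotFixID)" }
    }
}

Uninstall-Kb -Kb 'KB0000000'   # placeholder KB number
```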
<br />
That's It!Steven M. Jordanhttp://www.blogger.com/profile/08808713004280066782noreply@blogger.com0tag:blogger.com,1999:blog-6696977109054687352.post-70674893035593664742018-05-07T20:33:00.000-05:002018-05-07T20:33:02.528-05:00Container Does Not Exist on the Smart Card<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgniQMFskg9l0bpC9uv0pLzwSXpFDgQwee1Wh30Oqh2k6FCgaUjySdjaCApVtyC3LkAeTwW-LyEc3yCQOG8pimxAgOhoaatO8GauL75qNiVrTn1WbhaRw_AcRea5KZLeQcvYpRXIh2-uWbQ/s1600/PKI-series.JPG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="586" data-original-width="450" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgniQMFskg9l0bpC9uv0pLzwSXpFDgQwee1Wh30Oqh2k6FCgaUjySdjaCApVtyC3LkAeTwW-LyEc3yCQOG8pimxAgOhoaatO8GauL75qNiVrTn1WbhaRw_AcRea5KZLeQcvYpRXIh2-uWbQ/s200/PKI-series.JPG" width="153" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">T-Shoot Yubikey Minidriver</td></tr>
</tbody></table>
<h4>
<span style="color: #134f5c;">Problem: </span></h4>
RDP fails to authenticate Yubikey smart card.<br />
<h4>
<span style="color: #134f5c;">Error: </span></h4>
The requested key container does not exist on the smart card (Figure 1).<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh18saxdbVwLcWad2lWTlBsVl6AXJMdx_MtwYd1H4FTOdhFREjycPc08KlKtoY-AHuc_rx-UZ5NPbxeZLtQRfXRcv97eIxiFCvKLL68kZqjB5DX7507Rg7Ptc7SwyGPYCIzsWoFmlCq4qcM/s1600/key-container-does-not-exist.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="387" data-original-width="487" height="158" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh18saxdbVwLcWad2lWTlBsVl6AXJMdx_MtwYd1H4FTOdhFREjycPc08KlKtoY-AHuc_rx-UZ5NPbxeZLtQRfXRcv97eIxiFCvKLL68kZqjB5DX7507Rg7Ptc7SwyGPYCIzsWoFmlCq4qcM/s200/key-container-does-not-exist.PNG" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1. Smart card container error.</td></tr>
</tbody></table>
<h4>
<span style="color: #134f5c;">Assumptions:</span></h4>
<ul>
<li>Yubikey runs as PIV smart card.</li>
<li>Smart card has multiple authentication certificates.</li>
<li>Certificates reside on slots 81-95.</li>
</ul>
<h4>
<span style="color: #134f5c;">Solution:</span></h4>
<div>
By default, Windows uses the NIST
SP 800-73 PIV smart card driver. Multiple certificates require the Yubikey smart card Minidriver. Install this driver on both the client and the server.</div>
<div>
<br /></div>
<h4>
<span style="color: #134f5c;">Important:</span></h4>
<div>
The Yubikey smart card MSI package does not install the Minidriver on remote servers or virtual machines. Nor does it provide an error. <br />
<br />
The MSI installer only works when a smart card is directly connected (e.g., workstation). <br />
<br />
To reiterate, the MSI package only updates the NIST driver when a smart card is attached to the local USB port. </div>
<div>
<br /></div>
<div>
Instead, use the Yubikey limited INF installer on VMs or via RDP. </div>
<div>
<br /></div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAWMrikdR5wMJWPEOKwvoNRaiQYFAWfw3EU-W9GacdzFUkBhR0HB0-F1utEJF5fTpJ6Y_5iLhYv8Ol7RFJhbyCx1k5i954JKs643J47anjTRx5gFeeMaLNcVat5SHdK-mdJllk5isJf9KZ/s1600/ykmd-inf-install.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img alt="" border="0" data-original-height="158" data-original-width="357" height="88" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAWMrikdR5wMJWPEOKwvoNRaiQYFAWfw3EU-W9GacdzFUkBhR0HB0-F1utEJF5fTpJ6Y_5iLhYv8Ol7RFJhbyCx1k5i954JKs643J47anjTRx5gFeeMaLNcVat5SHdK-mdJllk5isJf9KZ/s200/ykmd-inf-install.PNG" title="Install the Yubikey Minidriver on a server." width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 2. How to Install the Yubikey Minidriver.</td></tr>
</tbody></table>
<div>
Right-click on ykmd.inf. Left-click on install. That's It!</div>
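The INF install scripted for servers and VMs, as an added example that is not part of the original post: pnputil stages and installs the package without a card being attached (the MSI's limitation described above), and the driver store is queried afterwards to confirm the package is present. The INF path is a placeholder.

```powershell
# Added example (not from the original post). Run elevated on the RDS host or VM.

function Install-YkMinidriver {
    param([Parameter(Mandatory)][string]$InfPath)
    if (-not (Test-Path -Path $InfPath)) { throw "INF not found: $InfPath" }
    # /add-driver stages the package; /install also binds it to matching devices
    & pnputil.exe /add-driver $InfPath /install
    # 3010 means installed, reboot required
    if ($LASTEXITCODE -notin @(0, 3010)) { throw "pnputil failed with exit code $LASTEXITCODE" }
}

function Get-YkMinidriverPackage {
    # Third-party packages in the driver store keep their original INF name
    Get-WindowsDriver -Online |
        Where-Object { [IO.Path]::GetFileName($_.OriginalFileName) -eq 'ykmd.inf' } |
        Select-Object Driver, ClassName, Version, ProviderName
}

Install-YkMinidriver -InfPath 'C:\Drivers\YubiKey-Minidriver\ykmd.inf'   # placeholder path
$pkg = Get-YkMinidriverPackage
if ($pkg) { $pkg | Format-Table -AutoSize } else { Write-Warning 'ykmd.inf is not in the driver store' }
```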
<div>
<br /></div>
<div>
<br /></div>
Steven M. Jordanhttp://www.blogger.com/profile/08808713004280066782noreply@blogger.com0tag:blogger.com,1999:blog-6696977109054687352.post-49187463113992683532018-02-23T18:17:00.000-06:002018-02-23T18:39:16.591-06:00Fix Chrome Extensions in RDP<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0YEDDSluYnja8bbkmz9-hALMxFUSZP8Yoxx3Eu0ZaOafM1ljECOTTq8lIYkpf6n40uNIq2EEgaWEmD5Mzswzl0NUD5umnmdWvenlhsvlOhZ_buWhnLLYZlMv5XDhNKinw2Yp5DC0V_4qD/s1600/RDPSeries.JPG" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="580" data-original-width="491" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0YEDDSluYnja8bbkmz9-hALMxFUSZP8Yoxx3Eu0ZaOafM1ljECOTTq8lIYkpf6n40uNIq2EEgaWEmD5Mzswzl0NUD5umnmdWvenlhsvlOhZ_buWhnLLYZlMv5XDhNKinw2Yp5DC0V_4qD/s200/RDPSeries.JPG" width="168" /></a><br />
<br />
<h4>
<span style="color: #0b5394;">Problem: </span></h4>
RDP users cannot install Chrome extensions from the Chrome Web Store.<br />
<h4>
<span style="color: #0b5394;">Errors:</span></h4>
<ul>
<li>Could not install package</li>
<li>COULD_NOT_GET_TEMP_DIRECTORY</li>
</ul>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuCNC2GDM2RY10FP-bwsJm4_v0AdOCODHTS78E_TKtORMDiTdJERPvEe8RbQGDXmMrEFqHf4TsOIXXXBaPl8XpzpiJ8P9KK5VflmiHuz_2iKaQRo6eWjs86nb444slNMtIde53p5ngIA9_/s1600/Chrome_TEMP1.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="151" data-original-width="321" height="93" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuCNC2GDM2RY10FP-bwsJm4_v0AdOCODHTS78E_TKtORMDiTdJERPvEe8RbQGDXmMrEFqHf4TsOIXXXBaPl8XpzpiJ8P9KK5VflmiHuz_2iKaQRo6eWjs86nb444slNMtIde53p5ngIA9_/s200/Chrome_TEMP1.PNG" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1: Chrome Temp Directory Error</td></tr>
</tbody></table>
<h4>
<span style="color: #0b5394;">Solution:</span></h4>
<ol>
<li>User logs onto RDP. User does not open Chrome.</li>
<li>Admin creates a new directory on the system drive. This new directory holds the user's Chrome AppData. For example:<br />
<code>c:\&gt;mkdir c:\Temp\RDP\</code></li>
<li>Move the user's Chrome AppData to the new directory. For example:<br />
<code>c:\&gt;move "c:\users\stevenjordan\AppData\Local\Google\Chrome" "c:\temp\RDP\stevenjordan\"</code></li>
<li>Delete the original folder if necessary.</li>
<li>Create a new symbolic junction where the old data was located. This junction links to the new location:</li>
</ol>
<pre><code>c:\&gt;mklink /j c:\users\stevenjordan\AppData\Local\Google\Chrome\ "c:\temp\RDP\stevenjordan\Chrome\"
Junction created for c:\users\smjordan\AppData\Local\Google\Chrome\ &lt;&lt;===&gt;&gt; c:\temp\RDP\stevenjordan\Chrome\</code></pre>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-VZcJOBGQmgJLORPvvDZK0MPARUJSiG_jq2S_oBcUzdLWNJc1oeHbdPqfUfJsBiXjrWYY-sQqodVnjIFfp4_-_ngpm5g8XYXVnjZJV2_YvekCsGgOuQ6zsyjsrepcXQnb9PKO0dSD4WSt/s1600/junction_link.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="126" data-original-width="462" height="108" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-VZcJOBGQmgJLORPvvDZK0MPARUJSiG_jq2S_oBcUzdLWNJc1oeHbdPqfUfJsBiXjrWYY-sQqodVnjIFfp4_-_ngpm5g8XYXVnjZJV2_YvekCsGgOuQ6zsyjsrepcXQnb9PKO0dSD4WSt/s400/junction_link.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 2: New Symbolic Junction for Chrome extension.</td></tr>
</tbody></table>
<div style="clear: both;"></div>
<br />
<h4>
<span style="color: #0b5394;">Analysis:</span></h4>
Chrome extensions reference DOS device paths. Let's consider how dynamic profile disks use symbolic junctions that point to different disks:<br />
<pre><code>c:\Users&gt;dir
02/23/2018 11:29 AM &lt;JUNCTION&gt; bgates [\??\Volume{a5ae22c7-18b8-11e8-968e-00145de79140}]
</code></pre>
The junction link causes the problem. Ironically, a second junction link fixes this issue:<br />
<pre><code>c:\Users\bgates\AppData\Local\Google&gt;dir
 Directory of c:\Users\bgates\AppData\Local\Google

02/20/2018 10:58 AM &lt;DIR&gt;      .
02/20/2018 10:58 AM &lt;DIR&gt;      ..
02/20/2018 10:58 AM &lt;JUNCTION&gt; Chrome [c:\temp\RDP\bgates\Chrome]
09/16/2015 07:46 AM &lt;DIR&gt;      Chrome Cleanup Tool
05/14/2014 06:09 AM &lt;DIR&gt;      CrashReports
03/11/2014 04:26 PM &lt;DIR&gt;      Google Talk
12/04/2017 02:27 AM &lt;DIR&gt;      Software Reporter Tool
               0 File(s)              0 bytes
               7 Dir(s)  36,942,458,880 bytes free
</code></pre>
Note how the new junction link points to the system drive: a drive-letter path that Chrome can resolve, rather than the <code>\??\Volume{...}</code> device path behind the profile disk.<br />
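The per-user procedure from the Solution section, together with the check the Analysis section implies (the profile root resolves to a <code>\??\Volume{...}</code> device path, while the new Chrome junction must resolve to a drive-letter path), as an added PowerShell example that is not part of the original post. It assumes an elevated shell on the RDP host, the same <code>C:\Temp\RDP</code> root, and that the user name passed in resolves for <code>icacls</code> (prefix with <code>DOMAIN\</code> if needed); <code>Get-LinkInfo</code> is a helper written for this example.

```powershell
# Added example, not from the original post. Moves one user's Chrome AppData off the
# dynamic profile disk and leaves a junction behind, as described in the post.
# Assumes: elevated PowerShell on the RDP host; the user is logged on but Chrome is closed.
param(
    [Parameter(Mandatory)][string]$UserName,
    [string]$Root = 'C:\Temp\RDP'            # same root the post uses
)
$ErrorActionPreference = 'Stop'

$profileRoot = Join-Path $env:SystemDrive "Users\$UserName"
$chromeSrc   = Join-Path $profileRoot 'AppData\Local\Google\Chrome'
$userDir     = Join-Path $Root $UserName
$chromeDst   = Join-Path $userDir 'Chrome'

# Helper (this example's own): report whether a path is a junction and where it points.
# A dynamic profile disk shows up as a junction whose target starts with \??\Volume{GUID};
# that device path is what breaks the extension install. The Chrome junction we create
# must instead point at a drive-letter path on the system drive.
function Get-LinkInfo([string]$Path) {
    $item   = Get-Item -LiteralPath $Path
    $target = if ($item.LinkType) { [string]($item.Target | Select-Object -First 1) } else { $null }
    [pscustomobject]@{
        Path         = $Path
        LinkType     = $item.LinkType
        Target       = $target
        IsDevicePath = [bool]($target -and $target -match '^\\\?\?\\Volume\{')
    }
}

# Refuse to run while that user's Chrome is open: moving a live profile corrupts it.
# -IncludeUserName requires an elevated shell.
$running = Get-Process chrome -IncludeUserName -ErrorAction SilentlyContinue |
           Where-Object { $_.UserName -like "*\$UserName" }
if ($running) { throw "Chrome is running for $UserName; close it first." }

# Idempotent: if the Chrome folder is already a junction there is nothing to do.
if ((Test-Path -LiteralPath $chromeSrc) -and (Get-Item -LiteralPath $chromeSrc).LinkType -eq 'Junction') {
    Write-Host "Chrome AppData for $UserName is already a junction."
    Get-LinkInfo $chromeSrc
    return
}

# Step 2: per-user directory on the system drive (mkdir in the post). Because this tree
# lives outside the profile, restrict it to the user, SYSTEM and Administrators so RDP
# users cannot read each other's Chrome data.
New-Item -ItemType Directory -Path $userDir -Force | Out-Null
icacls $userDir /inheritance:r /grant:r "${UserName}:(OI)(CI)F" "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" | Out-Null

# Steps 3 and 4: move the existing data and remove the original folder. Copy + Remove is
# used instead of Move-Item because source and destination are on different volumes, and
# the copied files inherit the ACL set above.
if (Test-Path -LiteralPath $chromeSrc) {
    Copy-Item -LiteralPath $chromeSrc -Destination $chromeDst -Recurse -Force
    Remove-Item -LiteralPath $chromeSrc -Recurse -Force
} else {
    New-Item -ItemType Directory -Path $chromeDst -Force | Out-Null
}

# Step 5: junction where the data used to be (mklink /j in the post).
New-Item -ItemType Junction -Path $chromeSrc -Target $chromeDst | Out-Null

# Show both links: the profile root (device path, if it is on a profile disk) and the
# new Chrome junction, whose target must be a drive-letter path (IsDevicePath = False).
Get-LinkInfo $profileRoot
Get-LinkInfo $chromeSrc
```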
<h4>
<span style="color: #0b5394;">Additional Thoughts:</span></h4>
This solution is implemented on a per-user basis. It does not universally "fix" Chrome extensions for all RDP users. Nonetheless, it may be a good fit because it narrows the scope of untrusted applications.<br />
<br />
Alternatively, use Group Policy to change user environmental variables:<br />
<br />
Group Policy<br />
→ Computer Configuration<br />
→ Administrative Templates<br />
→ System<br />
→ Group Policy<br />
→ Configure user Group Policy loopback processing mode:<br />
Enabled: On<br />
Mode: Merge<br />
<br />
→ User Configuration<br />
→ Windows Settings<br />
→ Preferences<br />
→ Environment (right-click) → New<br />
→ New Environment Properties:<br />
Action: Update<br />
User Variable=Check<br />
Name=Temp<br />
Value=c:\Temp\RDP\%USERNAME%<br />
→ Environment (right-click) → New<br />
Action: Update<br />
User Variable=Check<br />
Name=TMP<br />
Value=c:\Temp\RDP\%USERNAME%<br />
<br />
This change has a wider-scoping impact. It affects all related AppData programs, not just Chrome, and it impacts all RDP users (without GP filtering). Avoid the system drive if possible and use a secondary disk instead. In addition, loopback processing applies user configurations to computer objects (i.e., RDP servers).<br />
<br />
That's It!<br />
<br />
References:<br />
<a href="https://blogs.technet.microsoft.com/grouppolicy/2009/05/13/environment-variables-in-gp-preferences/"><span style="font-size: x-small;">https://blogs.technet.microsoft.com/grouppolicy/2009/05/13/environment-variables-in-gp-preferences/ </span></a><br />
<span style="font-size: x-small;"><a href="https://devtidbits.com/2009/09/07/windows-file-junctions-symbolic-links-and-hard-links">https://devtidbits.com/2009/09/07/windows-file-junctions-symbolic-links-and-hard-links/</a></span><br />
<a href="https://blogs.msdn.microsoft.com/jeremykuhne/2016/04/21/path-format-overview/"><span style="font-size: x-small;">https://blogs.msdn.microsoft.com/jeremykuhne/2016/04/21/path-format-overview/</span></a><br />
<a href="https://blog.brankovucinec.com/2017/01/09/users-cant-install-google-chrome-extensions-on-rds-farm/"><span style="font-size: x-small;">https://blog.brankovucinec.com/2017/01/09/users-cant-install-google-chrome-extensions-on-rds-farm/</span></a><br />
<br />
<b>Fix Broken Checkpoints</b><br />
<span style="font-size: x-small;">Posted 2018-02-13T15:28:00.002-06:00 by Steven M. Jordan; updated 2018-02-13T15:47:07.788-06:00.</span><div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJz1vJTEsECJRjAlmq8XB8tu22mmYmP58_NMdJTmJ6gSeAutjevgOmcugKkFVt3Zba7qKMT7qtrrqDPKGbyO_9iRz51qFcljjKGP82Ko3wt700uhuvEVAeFJdUFxCVxmhK6UrAh_W9CYbM/s1600/WIN2016.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="" border="0" data-original-height="421" data-original-width="292" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJz1vJTEsECJRjAlmq8XB8tu22mmYmP58_NMdJTmJ6gSeAutjevgOmcugKkFVt3Zba7qKMT7qtrrqDPKGbyO_9iRz51qFcljjKGP82Ko3wt700uhuvEVAeFJdUFxCVxmhK6UrAh_W9CYbM/s200/WIN2016.PNG" title="VM is missing an option to delete its checkpoint." width="138" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<h4 style="clear: both; text-align: left;">
<span style="color: #134f5c;">Summary:</span></h4>
<div class="separator" style="clear: both; text-align: left;">
How to delete Hyper-V checkpoints that cannot be deleted from Hyper-V Manager.</div>
<h4>
<span style="color: #134f5c;">Problem: </span></h4>
Checkpoint cannot be removed from the Hyper-V Manager.<br />
<h4>
<span style="color: #0c343d;">Symptoms:</span></h4>
<ul>
<li>Hyper-V Manager shows a checkpoint but offers no option to delete it.</li>
<li>The VM disk directory contains both VHDX and AVHD(X) differencing-disk files:</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgF0c28Yb77IliPfmd70bulmZ9vyk7oTk46MVnlgvl4P92zUjkID72Ic9Y1ktp5mMCMe22_vLCksldA0iwrBOdSgkfSQGsaMNg0cjK6uSQdoICYFnlCyW-DVOzM6I0K7_aDoTM9I14dGOg/s1600/avhdx.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="" border="0" data-original-height="44" data-original-width="581" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgF0c28Yb77IliPfmd70bulmZ9vyk7oTk46MVnlgvl4P92zUjkID72Ic9Y1ktp5mMCMe22_vLCksldA0iwrBOdSgkfSQGsaMNg0cjK6uSQdoICYFnlCyW-DVOzM6I0K7_aDoTM9I14dGOg/s1600/avhdx.png" title="AVHD files indicate VM Checkpoints" /></a></div>
<br />
<br /><br />
<h4>
<span style="color: #134f5c;">Solution:</span></h4>
1. Use PowerShell to view the existing snapshot:
<br />
<pre><code>PS C:\Users&gt; Get-VMSnapshot -VMName tfs.stevenjordan.net
VMName Name SnapshotType CreationTime
------ ---- ------------ ------------
tfs tfs (2/13/2018 - 2:52:36 PM) Standard
</code></pre>
2. Remove the VM snapshot:
<br />
<pre><code>PS C:\Users&gt; Get-VMSnapshot -VMName tfs | Remove-VMSnapshot
</code></pre>
3. Confirm the snapshot has been removed:
<br />
<pre><code>PS C:\Users&gt; Get-VMSnapshot -VMName tfs
PS C:\Users&gt;
</code></pre>
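The three steps above as one added PowerShell script that is not part of the original post. It also waits for the merge to finish, because <code>Remove-VMSnapshot</code> returns before the differencing disks are merged back into the parent VHDX, and it lists any AVHD(X) files left in the VM's disk directory (the symptom noted above). It assumes the Hyper-V module is available and the VM name is passed in; <code>Get-PendingAvhd</code> is a helper written for this example.

```powershell
# Added example, not from the original post. Removes every checkpoint of one VM and
# confirms the differencing disks (.avhdx / .avhd) have been merged away.
param(
    [Parameter(Mandatory)][string]$VMName,
    [int]$TimeoutMinutes = 30
)
$ErrorActionPreference = 'Stop'

# Helper (this example's own): paths of hard disks attached to the VM that are still
# differencing disks, i.e. a merge has not completed yet.
function Get-PendingAvhd([string]$Name) {
    Get-VMHardDiskDrive -VMName $Name |
        Where-Object { $_.Path -match '\.avhdx?$' } |
        Select-Object -ExpandProperty Path
}

# 1. View existing checkpoints (Get-VMSnapshot returns nothing when there are none).
$snaps = Get-VMSnapshot -VMName $VMName
if (-not $snaps) {
    Write-Host "No checkpoints on $VMName."
} else {
    $snaps | Format-Table VMName, Name, SnapshotType, CreationTime -AutoSize
    # 2. Remove them. Hyper-V then merges the .avhdx chain into the parent VHDX
    #    in the background, so the files do not disappear immediately.
    $snaps | Remove-VMSnapshot -Confirm:$false
}

# 3. Confirm: wait until no attached disk is a differencing disk, then check that
#    no checkpoint is listed any more.
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
while ((Get-PendingAvhd $VMName) -and (Get-Date) -lt $deadline) {
    Write-Host ("Merging... VM status: {0}" -f (Get-VM -Name $VMName).Status)
    Start-Sleep -Seconds 10
}

$left = Get-PendingAvhd $VMName
if ($left) { throw "Merge did not finish within $TimeoutMinutes min: $($left -join ', ')" }
if (Get-VMSnapshot -VMName $VMName) { throw "Checkpoints still present on $VMName." }
Write-Host "Done: $VMName has no checkpoints and only parent disks attached."

# Orphaned .avhd(x) files can remain in the disk directory even though nothing
# references them; list them so they can be reviewed before deleting by hand.
$firstDisk = Get-VMHardDiskDrive -VMName $VMName | Select-Object -First 1
if ($firstDisk) {
    $diskDir = Split-Path -Parent $firstDisk.Path
    Get-ChildItem -Path $diskDir -Filter '*.avhd*' -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}
```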
That's It!<br />
<br />
<b>How to Setup BranchCache</b><br />
<span style="font-size: x-small;">Posted 2018-02-02T18:34:00.000-06:00 by Steven M. Jordan; updated 2018-02-06T18:31:10.809-06:00.</span><head>
<style type="text/css">
.auto-style1 {
text-align: center;
}
.auto-style2 {
font-family: "Courier New", Courier, monospace;
font-size: x-small;
}
.auto-style3 {
font-family: "Courier New", Courier, monospace;
font-size: x-small;
text-align: center;
}
.auto-style5 {
color: #808080;
}
.auto-style6 {
font-family: "Courier New", Courier, monospace;
font-size: x-small;
text-align: center;
color: #808080;
}
.auto-style7 {
font-family: "Courier New", Courier, monospace;
font-size: x-small;
color: #808080;
}
.auto-style8 {
font-family: "Courier New", Courier, monospace;
font-size: x-small;
text-align: left;
color: #808080;
}
</style>
</head>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWjm6mt45MkABiPxe2sh4PkuTb0xroeHwDnpC9qdiO0LHOWVaWIvK348e_Vf0DNZop_OeLLjvxdtHYjMbZ6LvlYxPpi5kTpcduf4PMTKUvLVZXy0n179joZorelwwgEQ5-4oc2_xq9LiNz/s1600/BC2016-B.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="417" data-original-width="294" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWjm6mt45MkABiPxe2sh4PkuTb0xroeHwDnpC9qdiO0LHOWVaWIvK348e_Vf0DNZop_OeLLjvxdtHYjMbZ6LvlYxPpi5kTpcduf4PMTKUvLVZXy0n179joZorelwwgEQ5-4oc2_xq9LiNz/s200/BC2016-B.PNG" width="140" /></a></div>
<h4 style="clear: both; text-align: left;">
<span style="color: #134f5c;">Guide</span><span style="color: #0b5394;">: </span></h4>
<div class="" style="clear: both; text-align: left;">
</div>
Quick and Easy BranchCache Setup.<br />
<h4>
<span style="color: #0b5394;">Overview: </span> </h4>
This article provides instructions on how to implement BranchCache.<br />
<h4>
<span style="color: #0b5394;">Topology: </span></h4>
<ul>
<li>Three office locations: </li>
<ul>
<li>Primary office in Atlanta (ATL). </li>
<li>Branch offices in Chicago (CHI) and Washington D.C (DCA).</li>
</ul>
<li>CHI and ATL host local file servers (i.e., hosted cache mode).</li>
<li>DCA is the only office without a dedicated file server (i.e., distributed cache mode).</li>
<li>All clients use Windows Enterprise.<br /> </li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="margin-left: 1em; margin-right: 1em; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxHTNtbWTiR7fEnH7uuH9fkTySzTTVHy3xaI4uJ9F8pHgQ3azf37GPeAbnDxooWBfapdmyWbo_ozWzQnUUNRkoUPb9dG2r4Sye25ZkBf7Uc_6WUcBVciSL6YyNbCAq1l7-vrUe18C5fe1q/s1600/BranchCache+Network.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxHTNtbWTiR7fEnH7uuH9fkTySzTTVHy3xaI4uJ9F8pHgQ3azf37GPeAbnDxooWBfapdmyWbo_ozWzQnUUNRkoUPb9dG2r4Sye25ZkBf7Uc_6WUcBVciSL6YyNbCAq1l7-vrUe18C5fe1q/s1600/BranchCache+Network.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="756" data-original-width="1004" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxHTNtbWTiR7fEnH7uuH9fkTySzTTVHy3xaI4uJ9F8pHgQ3azf37GPeAbnDxooWBfapdmyWbo_ozWzQnUUNRkoUPb9dG2r4Sye25ZkBf7Uc_6WUcBVciSL6YyNbCAq1l7-vrUe18C5fe1q/s320/BranchCache+Network.PNG" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<h4 style="clear: both; text-align: left;">
<span style="color: #0b5394;">Implement BranchCache:</span></h4>
<ul>
<li>Install the BranchCache Role and Feature.</li>
<li>BranchCache SSL certificates.</li>
<li>BranchCache Group policy.</li>
</ul>
<h4>
<span style="color: #0b5394;">Step 1. Add Roles and Features.</span></h4>
Run the <i>Add Roles and Features Wizard</i> on each file server. Install (a) the BranchCache for Network Files role service and (b) the BranchCache feature.<br />
<div class="separator" style="clear: both; text-align: left;">
<span style="color: #3d85c6;">PowerShell</span><span style="color: #3d85c6;">:</span></div>
<pre><code>Install-WindowsFeature BranchCache -IncludeManagementTools
Enable-BCHostedServer -RegisterSCP</code></pre>
<h4 style="clear: both; text-align: left;">
<span style="color: #0b5394;">Step 2. Adjust Caching.</span></h4>
<div class="" style="clear: both; text-align: left;">
BranchCache stores files in two directories: (a) HashCache and (b) DataCache.</div>
<div class="" style="clear: both; text-align: left;">
File servers store file hashes in the HashCache directory. Remote hosted cache servers, as well as distributed cache clients, use the file hashes for content tracking and updates.<br />
<br /></div>
<div class="" style="clear: both; text-align: left;">
The DataCache directory stores content derived from the hash. This directory contains cached remote content (i.e., files) that is served to local clients. By default both directories are stored on the system drive, which is not good!</div>
<h4 style="clear: both; text-align: left;">
<span style="color: #0b5394; font-weight: normal;">Adjust the Cache Location:</span></h4>
<pre><code>netsh branchcache set publicationcache directory=D:\BranchCache\
netsh branchcache set localcache directory=D:\LocalCache\</code></pre>
<div class="" style="clear: both; text-align: left;">
<b><span style="color: #0b5394;">
</span></b>
<br />
<div class="" style="clear: both;">
<span style="font-family: inherit;">The default HashCache size is a measly 1% of the system disk. The DataCache is slightly better at 5% of the total disk. Now consider that most system drives hold less than 100GB: 5GB does not provide enough storage to make BranchCache worthwhile. Let's make BranchCache useful:</span></div>
<div class="" style="clear: both; font-family: "Times New Roman"; white-space: normal;">
</div>
<h4>
<span style="color: #0b5394; font-weight: normal;">Adjust the Cache Size:</span></h4>
</div>
<pre><code>Netsh branchcache set publicationcachesize size=5 percent=TRUE
Netsh branchcache set localcachesize size=5 percent=TRUE</code></pre>
<div class="" style="clear: both; text-align: left;">
Additional caching attributes will be configured via Group Policy (Step 4).<br />
<h4>
<span style="color: #0b5394; font-weight: normal;">Step 3. BranchCache SSL</span></h4>
</div>
<div class="" style="clear: both; text-align: left;">
BranchCache SSL certificates support Windows 7 clients. They are not necessary for organizations with only Windows 8 or Windows 10 clients. Of course, the file server will probably require certificates for other services, just not for BranchCache.</div>
<div class="separator" style="clear: both; text-align: left;">
Any trusted SSL certificate will work with BranchCache. We simply need to associate the server certificate with BranchCache: </div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<ol>
<li>Add a server certificate to the Personal certificate store of each BranchCache hosted cache server (e.g., ATL and CHI).</li>
<li>Bind the SSL certificate hash (i.e., thumbprint) to the hosted cache server with the following command:<br />
<code>NETSH HTTP ADD SSLCERT IPPORT=0.0.0.0:443 CERTHASH=xxxxxxxxxxx APPID={d673f5ee-a714-454d-8de2-492e4c1bd8f8}</code>
</li>
</ol>
N.B., CERTHASH is the certificate's thumbprint. <a href="http://www.stevenjordan.net/search/label/PKI">Further certificate information found here</a>.<br />
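Steps 1 to 3 above for one hosted cache server (ATL or CHI in the topology), as an added PowerShell script that is not part of the original post. <code>D:</code> as the cache drive, 5 percent for both caches and the thumbprint placeholder are assumptions taken from the values shown above; <code>FS-BranchCache</code> is the role-service name of BranchCache for Network Files, and the <code>APPID</code> is the one from the netsh line in Step 3.

```powershell
# Added example, not from the original post: hosted cache server build-out (Steps 1-3).
# Assumes an elevated PowerShell on a domain-joined file server and that a server
# certificate trusted by the Windows 7 clients is already in Cert:\LocalMachine\My.
param(
    [string]$CacheDrive     = 'D:',                     # post moves both caches off the system drive
    [int]   $CachePercent   = 5,                        # post sets both caches to 5 percent
    [string]$CertThumbprint = 'PLACEHOLDER-THUMBPRINT'  # placeholder, like CERTHASH=xxxxxxxxxxx above
)
$ErrorActionPreference = 'Stop'
$AppId = '{d673f5ee-a714-454d-8de2-492e4c1bd8f8}'      # APPID from the netsh line in Step 3

# Step 1. Role service (BranchCache for Network Files) plus the BranchCache feature,
# then register the hosted cache Service Connection Point in AD so clients can find it.
Install-WindowsFeature -Name FS-BranchCache, BranchCache -IncludeManagementTools
Enable-BCHostedServer -RegisterSCP

# Step 2. Move both caches off the system drive and raise their size (netsh, as in the post).
$pubDir   = "$CacheDrive\BranchCache\"
$localDir = "$CacheDrive\LocalCache\"
New-Item -ItemType Directory -Path $pubDir, $localDir -Force | Out-Null
netsh branchcache set publicationcache directory=$pubDir
netsh branchcache set localcache directory=$localDir
netsh branchcache set publicationcachesize size=$CachePercent percent=TRUE
netsh branchcache set localcachesize size=$CachePercent percent=TRUE

# Step 3. Bind the server certificate to 0.0.0.0:443 for Windows 7 hosted cache clients.
# Check that the thumbprint resolves in the machine store (and is not about to expire)
# before handing it to netsh, which would otherwise fail with an unhelpful error.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $CertThumbprint.ToUpper() }
if (-not $cert) { throw "No certificate with thumbprint $CertThumbprint in Cert:\LocalMachine\My" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires $($cert.NotAfter)" }
# Remove any existing binding on the port first so a stale hash does not remain in place.
netsh http delete sslcert ipport=0.0.0.0:443 2>$null
netsh http add sslcert ipport=0.0.0.0:443 certhash=$CertThumbprint appid=$AppId

# Verification: service state, the two cache locations/sizes, and the HTTPS binding.
Get-BCStatus | Select-Object BranchCacheIsEnabled, BranchCacheServiceStatus, HostedCacheServerConfiguration
Get-BCHashCache | Format-List
Get-BCDataCache | Format-List
netsh http show sslcert ipport=0.0.0.0:443
```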
<h4>
<span style="color: #0b5394;">Step 4. Group Policy</span></h4>
<div class="" style="clear: both; text-align: left;">
Use Group Policies to adjust caching attributes and client settings.</div>
<h4>
<span style="color: #0b5394;"><b>Policies for the File Servers:</b> </span></h4>
<div style="clear: both; text-align: left;">
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: "courier new"; font-size: 10pt;">Table 1. BranchCache Policy for File Servers.<o:p></o:p></span></div>
<br />
<table border="0" cellpadding="0" class="MsoNormalTable" style="mso-cellspacing: 1.5pt; mso-yfti-tbllook: 1184; width: 0px;">
<tbody>
<tr>
<td style="padding: .75pt .75pt .75pt .75pt; width: 100.05pt;" width="136"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: "courier new"; font-size: 10.0pt;">Policy<span style="color: #2e75b6; mso-style-textfill-fill-alpha: 100.0%; mso-style-textfill-fill-color: #2E75B6; mso-style-textfill-fill-colortransforms: lumm=75000; mso-style-textfill-fill-themecolor: accent1; mso-themecolor: accent1; mso-themeshade: 191;"><o:p></o:p></span></span></div>
</td>
<td style="padding: .75pt .75pt .75pt .75pt; width: 142.55pt;" width="192"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: "courier new"; font-size: 10.0pt;">Path<o:p></o:p></span></div>
</td>
<td style="padding: .75pt .75pt .75pt .75pt; width: 62.65pt;" width="86"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: "courier new"; font-size: 10.0pt;">Setting<o:p></o:p></span></div>
</td>
<td style="padding: .75pt .75pt .75pt .75pt; width: 122.6pt;" width="166"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: "courier new"; font-size: 10.0pt;">Function<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 76.35pt; mso-yfti-irow: 1;">
<td style="height: 76.35pt; padding: .75pt .75pt .75pt .75pt; width: 100.05pt;" valign="top" width="136"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="color: #2e75b6; font-family: "courier new"; font-size: 10.0pt;">Turn on BranchCache<o:p></o:p></span></div>
</td>
<td style="height: 76.35pt; padding: .75pt .75pt .75pt .75pt; width: 142.55pt;" valign="top" width="192"><div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in; text-align: center;">
<span style="font-family: "courier new"; font-size: 10.0pt;">ComputerConfiguration/<br />
Administrative Templates/<br />
Network/<br />
BranchCache<o:p></o:p></span></div>
</td>
<td style="height: 76.35pt; padding: .75pt .75pt .75pt .75pt; width: 62.65pt;" valign="top" width="86"><div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in; text-align: center;">
<span style="font-family: "courier new"; font-size: 10.0pt;">Enabled<o:p></o:p></span></div>
</td>
<td style="height: 76.35pt; padding: .75pt .75pt .75pt .75pt; width: 122.6pt;" valign="top" width="166"></td>
</tr>
<tr style="height: 61.5pt; mso-yfti-irow: 2;">
<td style="height: 61.5pt; padding: .75pt .75pt .75pt .75pt; width: 100.05pt;" valign="top" width="136"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="color: #2e75b6; font-family: "courier new"; font-size: 10.0pt;">Hash Publication for BranchCache<o:p></o:p></span></div>
</td>
<td style="height: 61.5pt; padding: .75pt .75pt .75pt .75pt; width: 142.55pt;" valign="top" width="192"><div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in; text-align: center;">
<span style="font-family: "courier new"; font-size: 10.0pt;">ComputerConfiguration/<o:p></o:p></span></div>
<div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in; text-align: center;">
<span style="font-family: "courier new"; font-size: 10.0pt;">Administrative
Templates/ Network/<o:p></o:p></span></div>
<div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in; text-align: center;">
<span style="font-family: "courier new"; font-size: 10.0pt;">LanmanServer<o:p></o:p></span></div>
</td>
<td style="height: 61.5pt; padding: .75pt .75pt .75pt .75pt; width: 62.65pt;" valign="top" width="86"><div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in; text-align: center;">
<span style="font-family: "courier new"; font-size: 10.0pt;">Enabled:<br />
Value 2<o:p></o:p></span></div>
</td>
<td style="height: 61.5pt; padding: .75pt .75pt .75pt .75pt; width: 122.6pt;" valign="top" width="166"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: "courier new"; font-size: 10.0pt;">(Hash publication for all shared folders).<o:p></o:p></span></div>
</td>
</tr>
<tr>
<td style="padding: .75pt .75pt .75pt .75pt; width: 100.05pt;" valign="top" width="136"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="color: #2e75b6; font-family: "courier new"; font-size: 10.0pt;">MinContentLength Registry Key<o:p></o:p></span></div>
</td>
<td style="padding: .75pt .75pt .75pt .75pt; width: 142.55pt;" valign="top" width="192"><div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in; text-align: center;">
<span style="font-family: "courier new"; font-size: 10.0pt;">ComputerConfiguration/<o:p></o:p></span></div>
<div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in; text-align: center;">
<span style="font-family: "courier new"; font-size: 10.0pt;">Preferences/<o:p></o:p></span></div>
<div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in; text-align: center;">
<span style="font-family: "courier new"; font-size: 10.0pt;">Windows
Settings/<o:p></o:p></span></div>
<div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in; text-align: center;">
<span style="font-family: "courier new"; font-size: 10.0pt;">Registry/<o:p></o:p></span></div>
<div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in; text-align: center;">
<span style="font-family: "courier new"; font-size: 10.0pt;">MinContentLength<o:p></o:p></span></div>
</td>
<td style="padding: .75pt .75pt .75pt .75pt; width: 62.65pt;" valign="top" width="86"><div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in; text-align: center;">
<span style="font-family: "courier new"; font-size: 10.0pt;">REG_DWORD:<br />
32768<br />
(Decimal)<o:p></o:p></span></div>
</td>
<td style="padding: .75pt .75pt .75pt .75pt; width: 122.6pt;" valign="top" width="166"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: "courier new"; font-size: 10.0pt;">Default minimum content length 64KB.<br />
New value 32KB.<br />
Can be set as low as 4KB.<br />
<br />
N.B., low values may impact performance.<o:p></o:p></span></div>
</td>
</tr>
</tbody></table>
<span style="color: #0b5394;"><br />Policies for Windows clients:</span><br />
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: "times new roman" , serif; font-size: 13.5pt;">Table 2. BranchCache policies for Win 8 and Win 10:<o:p></o:p></span></div>
<table border="0" cellpadding="0" class="MsoNormalTable" style="mso-cellspacing: 1.5pt; mso-yfti-tbllook: 1184; width: 0px;">
<tbody>
<tr>
<td style="padding: .75pt .75pt .75pt .75pt; width: 159.75pt;" width="216"><div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in; text-align: center;">
<span style="font-family: "courier new"; font-size: 10.0pt;">Policy<o:p></o:p></span></div>
</td>
<td style="padding: .75pt .75pt .75pt .75pt; width: 165.0pt;" width="222"><div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in; text-align: center;">
<span style="font-family: "courier new"; font-size: 10.0pt;">Path<o:p></o:p></span></div>
</td>
<td style="padding: .75pt .75pt .75pt .75pt; width: 78.75pt;" width="108"><div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in; text-align: center;">
<span style="font-family: "courier new"; font-size: 10.0pt;">Setting<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 42.75pt; mso-yfti-irow: 1;">
<td style="height: 42.75pt; padding: .75pt .75pt .75pt .75pt; width: 159.75pt;" valign="top" width="216"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="color: #2e75b6; font-family: "courier new"; font-size: 10.0pt;">Turn on BranchCache<o:p></o:p></span></div>
</td>
<td style="height: 42.75pt; padding: .75pt .75pt .75pt .75pt; width: 165.0pt;" valign="top" width="222"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: "courier new"; font-size: 10.0pt;">ComputerConfiguration/<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: "courier new"; font-size: 10.0pt;"> Administrative
Templates/<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: "courier new"; font-size: 10.0pt;"> Network/BranchCache<o:p></o:p></span></div>
</td>
<td style="height: 42.75pt; padding: .75pt .75pt .75pt .75pt; width: 78.75pt;" valign="top" width="108"><div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in; text-align: center;">
<span style="font-family: "courier new"; font-size: 10.0pt;">Enabled<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 51.15pt; mso-yfti-irow: 2;">
<td style="height: 51.15pt; padding: .75pt .75pt .75pt .75pt; width: 159.75pt;" valign="top" width="216"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="color: #2e75b6; font-family: "courier new"; font-size: 10.0pt;">Configure BranchCache for network files<o:p></o:p></span></div>
</td>
<td style="height: 51.15pt; padding: .75pt .75pt .75pt .75pt; width: 165.0pt;" valign="top" width="222"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: "courier new"; font-size: 10.0pt;">Computer Configuration/<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: "courier new"; font-size: 10.0pt;"> Administrative
Templates/<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: "courier new"; font-size: 10.0pt;"> Network/<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: "courier new"; font-size: 10.0pt;"> BranchCache<o:p></o:p></span></div>
</td>
<td style="height: 51.15pt; padding: .75pt .75pt .75pt .75pt; width: 78.75pt;" valign="top" width="108"><div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in; text-align: center;">
<span style="font-family: "courier new"; font-size: 10.0pt;">Enabled<br />
Value:10<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 51.15pt; mso-yfti-irow: 3;">
<td style="height: 51.15pt; padding: .75pt .75pt .75pt .75pt; width: 159.75pt;" valign="top" width="216"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="color: #2e75b6; font-family: "courier new"; font-size: 10.0pt;">Enable Automatic Hosted Cache Discovery by Service Connection
Point<o:p></o:p></span></div>
</td>
<td style="height: 51.15pt; padding: .75pt .75pt .75pt .75pt; width: 165.0pt;" valign="top" width="222"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: "courier new"; font-size: 10.0pt;">Computer Configuration/<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: "courier new"; font-size: 10.0pt;"> Administrative
Templates/<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: "courier new"; font-size: 10.0pt;"> Network/<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: "courier new"; font-size: 10.0pt;"> BranchCache<o:p></o:p></span></div>
</td>
<td style="height: 51.15pt; padding: .75pt .75pt .75pt .75pt; width: 78.75pt;" valign="top" width="108"><div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in; text-align: center;">
<span style="font-family: "courier new"; font-size: 10.0pt;">Enabled<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 46.65pt; mso-yfti-irow: 4; mso-yfti-lastrow: yes;">
<td style="height: 46.65pt; padding: .75pt .75pt .75pt .75pt; width: 159.75pt;" valign="top" width="216"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="color: #2e75b6; font-family: "courier new"; font-size: 10.0pt;">Set BranchCache Distributed Cache mode<o:p></o:p></span></div>
</td>
<td style="height: 46.65pt; padding: .75pt .75pt .75pt .75pt; width: 165.0pt;" valign="top" width="222"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: "courier new"; font-size: 10.0pt;">Computer Configuration/<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: "courier new"; font-size: 10.0pt;"> Administrative
Templates/<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: "courier new"; font-size: 10.0pt;"> Network/<br />
BranchCache<o:p></o:p></span></div>
</td>
<td style="height: 46.65pt; padding: .75pt .75pt .75pt .75pt; width: 78.75pt;" valign="top" width="108"><div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in; text-align: center;">
<span style="font-family: "courier new"; font-size: 10.0pt;">Enabled<o:p></o:p></span></div>
</td>
</tr>
</tbody></table>
Note: BranchCache for network files is triggered by round-trip latency; the value 10 means 10 ms. Hosted Cache mode is for locations with dedicated file servers; Distributed Cache mode is for locations without them.</div>
</div>
<h4>
</h4>
<h4>
<span style="color: #0b5394;">BranchCache Firewall Policies:</span></h4>
<div>
BranchCache requires inbound and outbound client firewall rules.</div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgP52jdFYr1FJt5WObJGVlf_u-xXNDaQXfB99Huo2OnWZZcBqAqVqGOD4hXnxNDTL0No6yHwa2WAv08YY12kSNXO5Yyibr0dQwNpXv4OfNiXFVDd6viziMFwrpQ6dQYmOV-hw_C29GKdmb1/s1600/BranchCache-Out.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="94" data-original-width="1175" height="49" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgP52jdFYr1FJt5WObJGVlf_u-xXNDaQXfB99Huo2OnWZZcBqAqVqGOD4hXnxNDTL0No6yHwa2WAv08YY12kSNXO5Yyibr0dQwNpXv4OfNiXFVDd6viziMFwrpQ6dQYmOV-hw_C29GKdmb1/s640/BranchCache-Out.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQYQlKdA0LbKnDmWweg7UgNSlmZs-MZW2-O8LiMBNwtEA3YMrqbFCqI7KNICm9QJiZn_mZN7itpUMrf2DssmOcC-pzJKUXxuTl7SkWus_DpXMrZ04Tokoj8En7DuVXS2okZxMXQt_iUXgT/s1600/BranchCache-In.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="71" data-original-width="1201" height="36" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQYQlKdA0LbKnDmWweg7UgNSlmZs-MZW2-O8LiMBNwtEA3YMrqbFCqI7KNICm9QJiZn_mZN7itpUMrf2DssmOcC-pzJKUXxuTl7SkWus_DpXMrZ04Tokoj8En7DuVXS2okZxMXQt_iUXgT/s640/BranchCache-In.png" width="640" /></a></div>
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: "times new roman" , serif; font-size: 13.5pt;">Table 3.
BranchCache Inbound Firewall Group Policies<o:p></o:p></span></div>
<table border="0" cellpadding="0" class="MsoNormalTable">
<tbody>
<tr>
<td style="padding: .75pt .75pt .75pt .75pt; width: 134.35pt;" width="182"><div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in; text-align: center;">
<span style="font-family: "courier new"; font-size: 10.0pt;">Policy<o:p></o:p></span></div>
</td>
<td style="padding: .75pt .75pt .75pt .75pt; width: 169.55pt;" width="228"><div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in; text-align: center;">
<span style="font-family: "courier new"; font-size: 10.0pt;">Path<o:p></o:p></span></div>
</td>
<td style="padding: .75pt .75pt .75pt .75pt; width: 116.15pt;" width="158"><div align="center" class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in; text-align: center;">
<span style="font-family: "courier new"; font-size: 10.0pt;">Action<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 42.75pt; mso-yfti-irow: 1;">
<td style="height: 42.75pt; padding: .75pt .75pt .75pt .75pt; width: 134.35pt;" valign="top" width="182"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="color: #2e75b6; font-family: "courier new"; font-size: 10.0pt;">BranchCache Content Retrieval (HTTP-In)</span><span style="color: #2e75b6; font-family: "courier new"; font-size: 10.0pt;"><o:p></o:p></span></div>
</td>
<td rowspan="3" style="height: 42.75pt; padding: .75pt .75pt .75pt .75pt; width: 169.55pt;" width="228"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: "courier new"; font-size: 10.0pt;">Computer Configuration/<br />
Policies/ <br />
Windows Settings/<br />
Security Settings/<br />
Windows Firewall with<br />
Advanced Security/<br />
Inbound Rules<o:p></o:p></span></div>
</td>
<td rowspan="3" style="height: 42.75pt; padding: .75pt .75pt .75pt .75pt; width: 116.15pt;" width="158"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: "courier new"; font-size: 10.0pt;">a. Right-click Inbound Rules. <br />
<br />
b. Left-click New Rule. <br />
<br />
c. Add predefined BranchCache rules.<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 38.25pt; mso-yfti-irow: 2;">
<td style="height: 38.25pt; padding: .75pt .75pt .75pt .75pt; width: 134.35pt;" valign="top" width="182"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="color: #2e75b6; font-family: "courier new"; font-size: 10.0pt;">BranchCache Hosted Cache Server
(HTTP-In)</span><span style="color: #2e75b6; font-family: "courier new"; font-size: 10.0pt;"><o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 45.75pt; mso-yfti-irow: 3;">
<td style="height: 45.75pt; padding: .75pt .75pt .75pt .75pt; width: 134.35pt;" valign="top" width="182"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="color: #2e75b6; font-family: "courier new"; font-size: 10.0pt;">BranchCache Peer Discovery (WSD-In)</span><span style="color: #2e75b6; font-family: "courier new"; font-size: 10.0pt;"><o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 35.25pt; mso-yfti-irow: 4;">
<td style="height: 35.25pt; padding: .75pt .75pt .75pt .75pt; width: 134.35pt;" valign="top" width="182"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="color: #2e75b6; font-family: "courier new"; font-size: 10.0pt;">BranchCache Content Retrieval
(HTTP-Out)</span><span style="color: #2e75b6; font-family: "courier new"; font-size: 10.0pt;"><o:p></o:p></span></div>
</td>
<td rowspan="4" style="height: 35.25pt; padding: .75pt .75pt .75pt .75pt; width: 169.55pt;" width="228"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: "courier new"; font-size: 10.0pt;">Computer Configuration/<br />
Policies/<br />
Windows Settings/<br />
Security Settings/<br />
Windows Firewall with<br />
Advanced Security/<br />
Outbound Rules<o:p></o:p></span></div>
</td>
<td rowspan="4" style="height: 35.25pt; padding: .75pt .75pt .75pt .75pt; width: 116.15pt;" width="158"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: "courier new"; font-size: 10.0pt;">a. Right-click Outbound Rules.<br />
<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: "courier new"; font-size: 10.0pt;">b. Left-click New Rule.<br />
<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: "courier new"; font-size: 10.0pt;">c. Add predefined BranchCache rules.<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 39.75pt; mso-yfti-irow: 5;">
<td style="height: 39.75pt; padding: .75pt .75pt .75pt .75pt; width: 134.35pt;" valign="top" width="182"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="color: #2e75b6; font-family: "courier new"; font-size: 10.0pt;">BranchCache Hosted Cache Client
(HTTP-Out)</span><span style="color: #2e75b6; font-family: "courier new"; font-size: 10.0pt;"><o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 34.5pt; mso-yfti-irow: 6;">
<td style="height: 34.5pt; padding: .75pt .75pt .75pt .75pt; width: 134.35pt;" valign="top" width="182"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="color: #2e75b6; font-family: "courier new"; font-size: 10.0pt;">BranchCache Hosted Cache Server
(HTTP-Out)</span><span style="color: #2e75b6; font-family: "courier new"; font-size: 10.0pt;"><o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 27.0pt; mso-yfti-irow: 7; mso-yfti-lastrow: yes;">
<td style="height: 27.0pt; padding: .75pt .75pt .75pt .75pt; width: 134.35pt;" valign="top" width="182"><div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="color: #2e75b6; font-family: "courier new"; font-size: 10.0pt;">BranchCache Peer Discovery (WSD-Out)</span><span style="color: #2e75b6; font-family: "courier new"; font-size: 10.0pt;"><o:p></o:p></span></div>
</td>
</tr>
</tbody></table>
<h4>
<span style="background-color: white; font-weight: normal;"><span style="color: #0b5394;">Optional: BranchCache for WSUS and IIS Servers</span></span></h4>
<div class="" style="background-color: white; border: none; clear: both; color: #333333; font-family: helvetica, arial, georgia, serif; font-size: 14px; font-style: normal; letter-spacing: normal; list-style: none; margin: 0px; outline: none; padding: 0px; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
BranchCache also accelerates content for web servers and BITS application
servers. Simply install the BranchCache feature and ensure the service is
running. No other configuration steps are necessary. </div>
<h4 style="background-color: white; border: none; clear: both; font-family: helvetica; font-size: 18px; font-style: normal; font-weight: normal; letter-spacing: normal; line-height: 1em; list-style: none; margin: 25px 0px 10px; outline: none; padding: 0px; position: relative; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<span style="border: none; color: #0b5394; font-weight: normal; list-style: none; margin: 0px; outline: none; padding: 0px; text-decoration: none;">
Evaluate</span></h4>
<div class="" style="background-color: rgb(255 , 255 , 255); border: none; clear: both; color: rgb(51 , 51 , 51); font-family: "helvetica" , "arial" , "georgia" , serif; font-size: 14px; font-style: normal; font-weight: 400; letter-spacing: normal; list-style: none; margin: 0px; outline: none; padding: 0px; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
Use PowerShell and Performance Monitor to confirm that BranchCache is working:</div>
<div class="" style="background-color: rgb(255 , 255 , 255); border: none; clear: both; color: rgb(51 , 51 , 51); font-family: "helvetica" , "arial" , "georgia" , serif; font-size: 14px; font-style: normal; font-weight: 400; letter-spacing: normal; list-style: none; margin: 0px; outline: none; padding: 0px; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<a href="http://www.stevenjordan.net/2013/03/2012-branchcache-troubleshooting.html" style="border: none; color: rgb(68 , 68 , 68); font-weight: normal; list-style: none; margin: 0px; outline: 0px; padding: 0px; text-decoration: none; transition: all 0.2s ease-in-out;">
http://www.stevenjordan.net/2013/03/2012-branchcache-troubleshooting.html</a></div>
That's It!<br />
<span style="background-color: white; color: #0b5394; font-family: "helvetica"; font-size: 18px;"><br /></span>
<br />
<h4>
<span style="background-color: white; color: #0b5394; font-family: "helvetica"; font-size: 18px; font-weight: normal;">References:</span></h4>
<div lang="x-none" style="background-color: white; border: none; color: #333333; font-family: helvetica, arial, georgia, serif; font-size: 14px; font-style: normal; letter-spacing: normal; list-style: none; margin: 0px; outline: none; padding: 0px; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<a href="http://social.technet.microsoft.com/wiki/contents/articles/14309.branchcache-frequently-asked-questions.aspx" style="border: none; color: rgb(68 , 68 , 68); font-weight: normal; list-style: none; margin: 0px; outline: 0px; padding: 0px; text-decoration: none; transition: all 0.2s ease-in-out;">
http://social.technet.microsoft.com/wiki/contents/articles/14309.branchcache-frequently-asked-questions.aspx</a></div>
<div lang="x-none" style="background-color: rgb(255 , 255 , 255); border: none; color: rgb(51 , 51 , 51); font-family: "helvetica" , "arial" , "georgia" , serif; font-size: 14px; font-style: normal; font-weight: 400; letter-spacing: normal; list-style: none; margin: 0px; outline: none; padding: 0px; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<a href="http://technet.microsoft.com/en-us/library/hh848420.aspx" style="border: none; color: rgb(68 , 68 , 68); font-weight: normal; list-style: none; margin: 0px; outline: 0px; padding: 0px; text-decoration: none; transition: all 0.2s ease-in-out;">
http://technet.microsoft.com/en-us/library/hh848420.aspx</a></div>
<div lang="x-none" style="background-color: rgb(255 , 255 , 255); border: none; color: rgb(51 , 51 , 51); font-family: "helvetica" , "arial" , "georgia" , serif; font-size: 14px; font-style: normal; font-weight: 400; letter-spacing: normal; list-style: none; margin: 0px; outline: none; padding: 0px; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<a href="http://technet.microsoft.com/en-us/library/jj572970.aspx" style="border: none; color: rgb(68 , 68 , 68); font-weight: normal; list-style: none; margin: 0px; outline: 0px; padding: 0px; text-decoration: none; transition: all 0.2s ease-in-out;">
http://technet.microsoft.com/en-us/library/jj572970.aspx</a></div>
<div lang="x-none" style="background-color: rgb(255 , 255 , 255); border: none; color: rgb(51 , 51 , 51); font-family: "helvetica" , "arial" , "georgia" , serif; font-size: 14px; font-style: normal; font-weight: 400; letter-spacing: normal; list-style: none; margin: 0px; outline: none; padding: 0px; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<a href="http://technet.microsoft.com/en-us/library/dd637785(v=ws.10).aspx" style="border: none; color: rgb(68 , 68 , 68); font-weight: normal; list-style: none; margin: 0px; outline: 0px; padding: 0px; text-decoration: none; transition: all 0.2s ease-in-out;">
http://technet.microsoft.com/en-us/library/dd637785(v=ws.10).aspx</a></div>
<div lang="x-none" style="background-color: rgb(255 , 255 , 255); border: none; color: rgb(51 , 51 , 51); font-family: "helvetica" , "arial" , "georgia" , serif; font-size: 14px; font-style: normal; font-weight: 400; letter-spacing: normal; list-style: none; margin: 0px; outline: none; padding: 0px; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<a href="http://technet.microsoft.com/en-us/library/ff710438(v=ws.10).aspx" style="border: none; color: rgb(68 , 68 , 68); font-weight: normal; list-style: none; margin: 0px; outline: 0px; padding: 0px; text-decoration: none; transition: all 0.2s ease-in-out;">
http://technet.microsoft.com/en-us/library/ff710438(v=ws.10).aspx</a></div>
<div lang="x-none" style="background-color: rgb(255 , 255 , 255); border: none; color: rgb(51 , 51 , 51); font-family: "helvetica" , "arial" , "georgia" , serif; font-size: 14px; font-style: normal; font-weight: 400; letter-spacing: normal; list-style: none; margin: 0px; outline: none; padding: 0px; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<a href="https://ammarhasayen.com/2013/10/11/branchcache-course-109-where-files-are-stored/" style="border: none; color: rgb(0 , 0 , 0); font-weight: normal; list-style: none; margin: 0px; outline: 0px; padding: 0px; text-decoration: none; transition: all 0.2s ease-in-out;">
https://ammarhasayen.com/2013/10/11/branchcache-course-109-where-files-are-stored/</a></div>
<div lang="x-none" style="background-color: rgb(255 , 255 , 255); border: none; color: rgb(51 , 51 , 51); font-family: "helvetica" , "arial" , "georgia" , serif; font-size: 14px; font-style: normal; font-weight: 400; letter-spacing: normal; list-style: none; margin: 0px; outline: none; padding: 0px; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<a href="https://2pintsoftware.com/branchcache-teeny-weeny-files/" style="border: none; color: rgb(68 , 68 , 68); font-weight: normal; list-style: none; margin: 0px; outline: 0px; padding: 0px; text-decoration: none; transition: all 0.2s ease-in-out;">
https://2pintsoftware.com/branchcache-teeny-weeny-files/</a></div>
<h4>Force AD DC Replication CMD (2018-02-01)</h4>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSEpar-T-Ll8bbwHFPE4bMQbrOxyVc3VF3CqT4s_6Kwti96sQGBMRjDdMU4gl43TwtKJLSSGVJxPJfWTNcRB1CBtfgORvbrwnJGsC1WxwYfEDZz4CXz7ZdDjOECkOv4gmo_t8hn3fEanz3/s1600/AD.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="" border="0" data-original-height="656" data-original-width="500" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSEpar-T-Ll8bbwHFPE4bMQbrOxyVc3VF3CqT4s_6Kwti96sQGBMRjDdMU4gl43TwtKJLSSGVJxPJfWTNcRB1CBtfgORvbrwnJGsC1WxwYfEDZz4CXz7ZdDjOECkOv4gmo_t8hn3fEanz3/s200/AD.jpg" title="Easy way to Force Replication to all Domain Controllers." width="151" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<h4>
<span style="color: #134f5c;">Goal: </span></h4>
Synchronize Active Directory in a flash.<br />
<br />
<h4>
<span style="color: #0b5394;">Problem: </span></h4>
How to quickly force domain controller replication throughout the domain.<br />
<br />
<h4>
<span style="color: #134f5c;">Solution:</span></h4>
<span style="font-family: "courier new" , "courier" , monospace;">repadmin /syncall /AdeP</span><br />
<br />
<br />
That's It!
<h4>Check DFSR for Backlogs (2018-01-31)</h4>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRzHbyTY0gS8672kTmgECp6IWesHRo6umeOBz1uMsXIEDTqYUsnRrK8fCkNx1LSlE52lvx7W5p9BrAsU-8bEyxCImCOenqCmWg7-7OoTtkYTiUm1DGLYJQArMilz-WIl4dirh8-bzUJIXm/s1600/DFSFox.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="" border="0" data-original-height="511" data-original-width="500" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRzHbyTY0gS8672kTmgECp6IWesHRo6umeOBz1uMsXIEDTqYUsnRrK8fCkNx1LSlE52lvx7W5p9BrAsU-8bEyxCImCOenqCmWg7-7OoTtkYTiUm1DGLYJQArMilz-WIl4dirh8-bzUJIXm/s200/DFSFox.png" title="DFSR Backlogs " width="195" /></a></div>
<h4>
<span style="color: #134f5c;">Goal: </span></h4>
Determine if file share replication is up-to-date between shares.<br />
<br />
<h4>
<span style="color: #0c343d;">Problem: </span> </h4>
DFS replication propagation reports show unusually high replication times (e.g., 11 days instead of 11 seconds). Users complain about missing data.<br />
<br />
<h4>
<span style="color: #0c343d;">Solution: </span></h4>
Use DFS diagnostic commands to check for backlogs. Large backlogs indicate replication problems (e.g., insufficient staging size, failed pre-seeding, etc.).<br />
<br />
<h4>
<span style="color: #0c343d;">Example</span>:</h4>
<span style="font-family: "courier new" , "courier" , monospace; font-size: normal;"></span><br />
<pre><code>C:\&gt;dfsrdiag backlog /rgname:"contoso\data\content" /rfname:Namespace-Folder /sendingmember:server1-hostname /receivingmember:server2-hostname
No Backlog - member &lt;server1-host-name&gt; is in sync with partner &lt;server1-host-name&gt;</code></pre>
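The backlog check above is easy to automate. The following Python example is added here and is not part of the original post: it parses dfsrdiag backlog output into a health verdict so the check can run from a scheduled job. The "No Backlog" line follows the form shown in the post; the "Backlog File Count: N" line and the thresholds WARN_AT and CRITICAL_AT are assumptions, and both sample outputs are constructed.

```python
"""Turn dfsrdiag backlog output into a replication health verdict.

Added example, not code from the original post. The sample outputs are
constructed: the "No Backlog" line follows the form shown in the post; the
"Backlog File Count: N" line is the assumed form dfsrdiag prints when a
backlog exists (the file names that follow it are ignored).
"""
import re

# Printed when the receiving member has nothing outstanding from its partner.
IN_SYNC_RE = re.compile(r"No Backlog - member <([^>]+)> is in sync with partner <([^>]+)>")
# Printed when files are waiting to replicate (assumed format).
COUNT_RE = re.compile(r"Backlog File Count:\s*(\d+)")

# Assumed thresholds: tune them to the replicated folder's normal churn.
WARN_AT = 100
CRITICAL_AT = 10_000

SAMPLE_IN_SYNC = """\
No Backlog - member <server2-hostname> is in sync with partner <server1-hostname>
"""

SAMPLE_BACKLOG = """\
Member <server2-hostname> Backlog File Count: 1532
Backlog File Names (first 100 files)
     1. File name: Projects\\2018\\budget.xlsx
     2. File name: Projects\\2018\\plan.docx
"""


def parse_backlog(output: str):
    """Return (count, receiving_member, sending_member); count 0 means in sync.

    Member names are only available on the in-sync line, so they are None
    when a backlog count is reported.
    """
    for line in output.splitlines():
        m = IN_SYNC_RE.search(line)
        if m:
            return 0, m.group(1), m.group(2)
        m = COUNT_RE.search(line)
        if m:
            return int(m.group(1)), None, None
    # Neither line present: dfsrdiag itself failed (wrong group/folder name,
    # RPC error, service stopped). Do not report that as "in sync".
    raise ValueError("no backlog information in dfsrdiag output")


def verdict(count: int) -> str:
    """Map a backlog count to a monitoring state."""
    if count >= CRITICAL_AT:
        return "CRITICAL"
    if count >= WARN_AT:
        return "WARN"
    return "OK"


def check(output: str) -> str:
    """Full check: unparsable output is UNKNOWN, never OK."""
    try:
        count, _receiving, _sending = parse_backlog(output)
    except ValueError:
        return "UNKNOWN"
    return verdict(count)


if __name__ == "__main__":
    for name, sample in (("in-sync", SAMPLE_IN_SYNC), ("backlog", SAMPLE_BACKLOG)):
        print(f"{name}: {check(sample)}")
```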
<h4>
<span style="color: #0c343d;"> References:</span></h4>
<a href="https://blogs.technet.microsoft.com/filecab/2009/05/28/dfsrdiag-exe-replicationstate-whats-dfsr-up-to/"><span style="font-size: x-small;">https://blogs.technet.microsoft.com/filecab/2009/05/28/dfsrdiag-exe-replicationstate-whats-dfsr-up-to/</span></a><br />
<a href="https://blogs.technet.microsoft.com/askds/2010/09/07/replacing-dfsr-member-hardware-or-os-part-2-pre-seeding/"><span style="font-size: x-small;">https://blogs.technet.microsoft.com/askds/2010/09/07/replacing-dfsr-member-hardware-or-os-part-2-pre-seeding/</span></a><br />
<br />
<br />
<br />
<h4>Fix Win NAT-T for L2TP and IKEv2 (2017-05-10)</h4>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOa5K8Wso3pWZ0exP6D4EOWLW5QCf3oR6FRQPT7nCv6JMF2YiBUheXsZ_N1EpA2i7ZmWwyf5ckXyH9Y3xFoZarv3ABO4CaI1rH_bX5BSCoIonREjLa48dsKL9ptkO6TsCl5NlEYP3dRGVT/s1600/SysAdmin.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOa5K8Wso3pWZ0exP6D4EOWLW5QCf3oR6FRQPT7nCv6JMF2YiBUheXsZ_N1EpA2i7ZmWwyf5ckXyH9Y3xFoZarv3ABO4CaI1rH_bX5BSCoIonREjLa48dsKL9ptkO6TsCl5NlEYP3dRGVT/s1600/SysAdmin.gif" title="Pesky IKEv2-NAT problems" /></a></div>
<h4 style="font-family: "calibri"; font-size: 11.0pt; margin: 0in;">
<span style="color: #134f5c;"><span style="font-weight: bold;">Problem:</span> </span></h4>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
Windows 2012 RRAS IPsec VPN does not support NAT-T out-of-the-box. By default, RRAS only works with public IP
addresses, not NAT. <span style="font-size: 11pt;">Windows 10 clients cannot connect with L2TP from outside the office. Windows 2016 does not support L2TP for any client from behind routers running NAT.</span></div>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<h4 style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<span style="color: #134f5c;"><span style="font-weight: bold;">Solution:</span> </span></h4>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
Enable NAT-T on both Windows servers and the clients. NAT-T allows the
VPN server to serve clients (e.g., Windows 10, Android, Apple iOS) from behind the NAT device. Modify MTU.
</div>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<h4 style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<span style="color: #134f5c;"><span style="font-weight: bold;">Background</span>: </span></h4>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
Why NAT-T? </div>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
IPsec uses <span style="font-size: 14.6667px;">Encapsulating Security Payload (ESP) </span><span style="font-size: 11pt;">to encrypt packet headers
and payloads. </span><span style="font-size: 11pt;">By default, ESP is not
compatible with </span><span style="font-size: 14.6667px;">Port Address Translation (PAT)</span><span style="font-size: 11pt;">. This is because TCP uses ports and ESP does not. </span></div>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<div style="margin: 0in;">
<div style="font-family: calibri; font-size: 11pt;">
TCP and ESP are different Internet protocols. TCP uses protocol number 6. N.B., TCP protocol number 6 is not the same thing as TCP port 6. <span style="font-size: 11pt;">TCP ports are communication endpoints. For
example, TCP uses port 80 for web traffic. </span></div>
<div style="font-family: calibri; font-size: 11pt;">
<span style="font-size: 11pt;"><br /></span></div>
<span style="font-family: calibri;"><span style="font-size: 11pt;">ESP uses protocol (i.e., not port) number 50</span><span style="font-size: 14.6667px;">. </span><span style="font-size: 11pt;">ESP
is a protocol without ports. Network Address Translation (NAT) uses
port address translation (PAT) to bind traffic flows to internal hosts. Therefore, ESP does not work with NAT.</span></span></div>
<div style="font-family: Calibri; font-size: 11.0pt; margin-left: .375in; margin: 0in;">
<br /></div>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
NAT-T allows ESP to
work from behind NAT. It encapsulates
ESP (protocol 50) inside User Datagram Protocol (UDP) port 4500. N.B., NAT-T is not the same as IPsec over UDP. </div>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
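To make the encapsulation concrete, here is an added Python example (not code from the post): it builds an ESP packet, wraps it in UDP/4500 the way NAT-T does, lets a simulated NAT rewrite the outer source port, and then demultiplexes the three payload kinds a NAT-T receiver (or a firewall) sees on UDP/4500. The SPI, sequence number, ciphertext bytes and the rewritten port are constructed values; the UDP checksum is left at zero.

```python
"""How NAT-T carries ESP (IP protocol 50) inside UDP/4500.

Added example, not code from the original post. Packet bytes are built
inline; nothing is sent on the network.
"""
import struct

ESP_PROTO = 50                          # ESP has no port fields
TCP_PROTO, UDP_PROTO = 6, 17            # protocols PAT can translate
NATT_PORT = 4500                        # UDP port for NAT-T (IKE and ESP)
NON_ESP_MARKER = b"\x00\x00\x00\x00"    # prefixes IKE messages on UDP/4500
KEEPALIVE = b"\xff"                     # one-byte NAT keepalive


def nat_can_translate(ip_proto: int) -> bool:
    """PAT needs a port field to key its mappings; bare ESP offers none."""
    return ip_proto in (TCP_PROTO, UDP_PROTO)


def build_esp(spi: int, seq: int, encrypted_body: bytes) -> bytes:
    """ESP header: SPI (4 bytes) + sequence number (4 bytes) + opaque body.
    Real ESP also carries IV, padding and an ICV; they are part of the body here."""
    if spi == 0:
        # SPI 0 is reserved: it would be mistaken for the non-ESP marker.
        raise ValueError("SPI 0 is reserved")
    return struct.pack("!II", spi, seq) + encrypted_body


def udp_encapsulate(esp_packet: bytes, sport: int = NATT_PORT, dport: int = NATT_PORT) -> bytes:
    """Wrap ESP in a UDP header (checksum 0). The NAT device can now rewrite
    the outer ports without touching the encrypted ESP inside."""
    length = 8 + len(esp_packet)
    return struct.pack("!HHHH", sport, dport, length, 0) + esp_packet


def nat_rewrite_source_port(udp_packet: bytes, new_sport: int) -> bytes:
    """Simulate PAT: only the outer UDP source port changes."""
    _sport, dport, length, csum = struct.unpack("!HHHH", udp_packet[:8])
    return struct.pack("!HHHH", new_sport, dport, length, csum) + udp_packet[8:]


def parse_udp(udp_packet: bytes):
    """Split a UDP datagram into (sport, dport, payload)."""
    sport, dport, length, _csum = struct.unpack("!HHHH", udp_packet[:8])
    if length != len(udp_packet):
        raise ValueError("UDP length field does not match datagram size")
    return sport, dport, udp_packet[8:length]


def classify_udp4500_payload(payload: bytes) -> dict:
    """Demultiplex a UDP/4500 payload the way a NAT-T receiver does.
    Only SPI and sequence number are visible on ESP; the rest is ciphertext."""
    if payload == KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) >= 4 and payload[:4] == NON_ESP_MARKER:
        return {"kind": "ike", "ike": payload[4:]}
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "esp", "spi": spi, "seq": seq, "body": payload[8:]}
    raise ValueError("too short for an ESP header")


def round_trip(spi: int, seq: int, body: bytes, nat_sport: int):
    """Client ESP -> UDP/4500 -> NAT rewrites port -> server demultiplexes."""
    wire = nat_rewrite_source_port(udp_encapsulate(build_esp(spi, seq, body)), nat_sport)
    sport, dport, payload = parse_udp(wire)
    return sport, dport, classify_udp4500_payload(payload)


if __name__ == "__main__":
    print("PAT can translate bare ESP:", nat_can_translate(ESP_PROTO))
    print(round_trip(0x1234ABCD, 7, b"ciphertext", 61234))
```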
<h4 style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<span style="color: #134f5c; font-weight: bold;">Enable NAT-T </span></h4>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
NAT-T is enabled on most operating systems (e.g., Android); Windows is the exception. Fortunately, we can enable NAT-T on Windows 10 and Windows 2012 with a few simple changes. <br />
<strike><br /></strike>
<strike>Windows IPsec clients are supposed to work from any location. Therefore, only enable NAT-T on the 2012 RRAS
server.</strike> </div>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
Create a new
registry key to enable NAT-T.</div>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<ol style="direction: ltr; font-family: Calibri; font-size: 11pt; margin-bottom: 0in; margin-left: 0.375in; margin-top: 0in; unicode-bidi: embed;" type="1">
<li style="margin-bottom: 0; margin-top: 0; vertical-align: middle;" value="1"><span style="font-size: 11pt;"> Edit Registry or create GPO:</span></li>
</ol>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<div style="font-family: Calibri; font-size: 11.0pt; margin-left: .375in; margin: 0in;">
HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent\Parameters\</div>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<ol style="direction: ltr; font-family: Calibri; font-size: 11pt; margin-bottom: 0in; margin-left: 0.375in; margin-top: 0in; unicode-bidi: embed;" type="1">
<li style="margin-bottom: 0; margin-top: 0; vertical-align: middle;" value="2"><span style="font-size: 11pt;"> Create new DWORD value:</span> AssumeUDPEncapsulationContextOnSendRule</li>
</ol>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<ol style="direction: ltr; font-family: Calibri; font-size: 11pt; margin-bottom: 0in; margin-left: 0.375in; margin-top: 0in; unicode-bidi: embed;" type="1">
<li style="margin-bottom: 0; margin-top: 0; vertical-align: middle;" value="3"><span style="font-size: 11pt;"> Modify DWORD value: 2</span></li>
</ol>
<div>
<span style="font-family: "calibri"; font-size: 14.6667px;"><br /></span>
<span style="font-family: "calibri"; font-size: 14.6667px;">These changes will fix those pesky L2TP-NAT problems. </span><br />
<h4>
<span style="color: #134f5c; font-family: "calibri"; font-size: 14.6667px;">Troubleshooting Issues</span></h4>
<span style="font-family: calibri; font-size: 14.6667px;">Make sure clients use the latest edition of Windows 10. Early versions had quirks where clients simply would not connect via NAT-T. </span><br />
<span style="font-family: calibri; font-size: 14.6667px;"><br /></span>
<span style="font-family: calibri; font-size: 14.6667px;"> NAT-T does not work with the following Windows 10 versions:</span><br />
<br />
<ul>
<li><span style="font-family: calibri;"><span style="font-size: 14.6667px;">version 10240</span></span></li>
<li><span style="font-family: calibri;"><span style="font-size: 14.6667px;">version 1511 (i.e. November Update)</span></span></li>
</ul>
<span style="font-family: calibri; font-size: 14.6667px;"> Unconfirmed (may or may not work): </span><br />
<ul>
<li><span style="font-family: calibri;"><span style="font-size: 14.6667px;">version 1607 (i.e., Anniversary Update)</span></span></li>
</ul>
<span style="font-family: "calibri"; font-size: 14.6667px;"> Confirmed:</span><br />
<span style="font-family: "calibri"; font-size: 14.6667px;"></span><br />
<ul>
<li><span style="font-family: calibri;"><span style="font-size: 14.6667px;">version 1703 (i.e., Creators Update)</span></span></li>
</ul>
<span style="font-family: "calibri"; font-size: 14.6667px;"> NAT-T works great with the registry fix and Creators Update.</span><br />
<span style="font-family: "calibri"; font-size: 14.6667px;"><br /></span>
<span style="font-family: calibri;"><span style="font-size: 14.6667px;"> Workarounds: </span></span><br />
<br />
<span style="font-family: calibri;"><span style="font-size: 14.6667px;">Some folks had to toggle the NAT-T registry value in order to connect (<a href="http://bit.ly/2r2CKnF">http://bit.ly/2r2CKnF</a>).</span></span><span style="font-family: calibri; font-size: 14.6667px;"> I assume this fix was for the November</span><span style="font-family: calibri; font-size: 14.6667px;"> or Anniversary Update. </span><br />
<h4>
<span style="font-family: calibri; font-size: 14.6667px;"><span style="color: #134f5c;">MTU</span></span></h4>
<span style="font-family: calibri; font-size: 14.6667px;">Don't forget to adjust the Max Segment Size (MSS): </span><br />
<span style="font-family: calibri;"><span style="font-size: 14.6667px;"><a href="http://www.stevenjordan.net/2016/11/windows-ikev2-mtu.html">http://www.stevenjordan.net/2016/11/windows-ikev2-mtu.html</a></span></span><span style="font-family: calibri; font-size: 14.6667px;">. </span><br />
<span style="font-family: calibri; font-size: 14.6667px;"><br /></span>
<span style="font-family: calibri; font-size: 14.6667px;">That's It!</span></div>
<h4>Fix IKEv2 Mobile Scripts on IOS10 (2017-04-28)</h4>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXFJPF11wDh_6W53OWPBcIjZzPgQ37wvujjyk5WQto9iEyK6jCOM_gLr8XLL8FlGx5W2VvQrxNLObqSmxe7dNqCw_nubdRSu8PSW9XYirtuf1hKRVR9-jWZWrjp1oRYmEWUVG1MY0hIhon/s1600/VPN.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXFJPF11wDh_6W53OWPBcIjZzPgQ37wvujjyk5WQto9iEyK6jCOM_gLr8XLL8FlGx5W2VvQrxNLObqSmxe7dNqCw_nubdRSu8PSW9XYirtuf1hKRVR9-jWZWrjp1oRYmEWUVG1MY0hIhon/s1600/VPN.gif" title="iPhone 7 fails to connect to IKEv2." /></a></div>
<h4>
<span style="color: #0b5394;">Problem: </span></h4>
Pre-existing IKEv2 VPN mobile configuration scripts do not work with new iPhones. The script installs the VPN but connection attempts fail. <br />
<br />
iPhone 7 does not connect to the IKEv2 VPN. However, older iPhones running iOS 8 and iOS 9 continue to connect.<br />
<h4>
<span style="color: #0b5394;">Solution:</span></h4>
Update the Mac OS and Apple Configurator 2 software. Create a new mobile config after software updates are complete.<br />
<h4>
<span style="color: #0b5394;">Explanation: </span></h4>
iOS 10 cannot connect to IKEv2 VPNs using mobile configuration scripts designed for iOS 8 and 9. <br />
<h4>
<span style="color: #0b5394;">Additional Information:</span></h4>
<span style="background-color: #edf4ff; color: #888888; font-family: Arial, Helvetica, sans-serif;"><span style="font-size: xx-small;">http://www.stevenjordan.net/2016/11/mobile-config-gui.html</span></span><br />
<span style="background-color: #edf4ff; color: #888888; font-family: Arial, Helvetica, sans-serif;"><span style="font-size: xx-small;"><br /></span></span>
<span style="font-size: xx-small;">http://www.stevenjordan.net/2016/11/mdm-cert-enrollment.html</span><br />
<span style="font-size: xx-small;"><br /></span>
<span style="font-size: xx-small;">http://www.stevenjordan.net/2016/09/harden-rras-ikev2.html</span><br />
<br />
<br />
<h4>Sidesync connection has been lost (2017-03-07)</h4>
<h4>
<span style="color: #134f5c;">Problem: </span></h4>
Samsung SideSync crashes and displays error messages: <br />
<br />
<ol>
<li>Sidesync connection has been lost.</li>
<li>USB connection to Samsung Phone has been lost.</li>
</ol>
<div>
This problem generally happens from mouse interaction with the virtual phone screen.</div>
<br />
<h4>
<span style="color: #134f5c;">Cause:</span></h4>
SideSync crashes from keyboard and mouse interaction with the remote session (i.e., the virtual phone). This happens when Keyboard & Mouse Sharing is disabled. N.B., Keyboard & Mouse Sharing is disabled by default. <br />
<h4>
<span style="color: #134f5c;">Solution:</span></h4>
Enable Keyboard and mouse sharing:<br />
<br />
<ol>
<li> Open SideSync from the notification bar.<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgewLDq03jAknBGwnmLQbz7QDFriCQrxVTc5b-KRK3Zh9_4jRXo9Ii_TpUyFniWRdHCWaXoLRNYgbN1Lo-Yr52Gb-phwC5NVlrnK8o2gwC3iidEexoFG7o1c_WI3vaVSe21kEAepuRnlLvG/s1600/Samsung2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="102" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgewLDq03jAknBGwnmLQbz7QDFriCQrxVTc5b-KRK3Zh9_4jRXo9Ii_TpUyFniWRdHCWaXoLRNYgbN1Lo-Yr52Gb-phwC5NVlrnK8o2gwC3iidEexoFG7o1c_WI3vaVSe21kEAepuRnlLvG/s200/Samsung2.PNG" width="200" /></a><br /></li>
<li>Click on the "More" button.<br /></li>
<li>Click on the "Enable Keyboard and mouse sharing" menu item.<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLvngHKtPlASGuPtGG3LdP64yybLbG3ZOcqpZ14pOzYAOkV4j8TzqwvoqpVlBFp6E7X9AUl0lH_cKYjJBa5sVqzJ50LSJQwivyyc7Teg9O7olD38qemLfDfpy_pSRyQlBmo8d1rJwwUFDI/s1600/Samsung1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="101" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLvngHKtPlASGuPtGG3LdP64yybLbG3ZOcqpZ14pOzYAOkV4j8TzqwvoqpVlBFp6E7X9AUl0lH_cKYjJBa5sVqzJ50LSJQwivyyc7Teg9O7olD38qemLfDfpy_pSRyQlBmo8d1rJwwUFDI/s200/Samsung1.PNG" width="200" /></a><br /></li>
<li>Click on the Phone screen button to initiate screen mirror.</li>
</ol>
<div class="separator" style="clear: both; text-align: left;">
<img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg135k4SQcV-zcU8IAxKceu8KA2iPwFIuGhVrupkmpz2dop-kyMDPlASvN40yEtgA7SQnB0_6oOwt0PAOELUmDIqOMBsy8MarrdaEp5QXp8Wtxt1TJHbufPGMEFTC-Drw8a11Ju_VGa2jMm/s200/samsung5.PNG" width="102" /></div>
<div>
<br /></div>
<br />
<br />
That's It!Steven M. Jordanhttp://www.blogger.com/profile/08808713004280066782noreply@blogger.com2tag:blogger.com,1999:blog-6696977109054687352.post-66086017338784061242017-02-02T06:43:00.000-06:002017-02-02T06:43:03.932-06:00TSA Searches Phones and Laptops<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4K5rmLEIN-rZpb2LXpt6AG6OusZ5WYoDqgsW1QuwAu0mXj8DW5IWNA0T2eD_8_nm-c-s1j2muDW45PsnLcdfW-g-2V9YFORti2Gkkg5JKjGuLJ-0Eq5_3ON40BjCSD3Tz0sZNIs-AtxaS/s1600/ITSec.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="" border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4K5rmLEIN-rZpb2LXpt6AG6OusZ5WYoDqgsW1QuwAu0mXj8DW5IWNA0T2eD_8_nm-c-s1j2muDW45PsnLcdfW-g-2V9YFORti2Gkkg5JKjGuLJ-0Eq5_3ON40BjCSD3Tz0sZNIs-AtxaS/s200/ITSec.JPG" title="Laptop Searches and Inspections at Airports" width="130" /></a></div>
<br />
<br />
Headlines: <b style="background-color: white; font-family: monospace;"><a href="http://www.vocativ.com/397897/travelers-affected-by-trump-ban-forced-to-unlock-phones-computers/">DIGITAL INTERROGATION? TRAVELERS' PHONES, SOCIALS SCANNED AT AIRPORTS...</a> </b><br />
<h4>
Takeaway: </h4>
<br />
Personal electronic devices are subject to searches by TSA and CBP agents; travelers beware. U.S. agents may request full access to smart phones, tablets, and laptops. Special emphasis is placed on search history, text history, and social media (e.g., Facebook). TSA/CBP may temporarily confiscate the device, for up to thirty days, or copy the contents of the entire disk for further investigation. <br />
<br />
News about digital frisking is in vogue because of recent political events. However, this specific policy has been in effect since before 2011, during both the Bush and Obama administrations (<span style="font-family: inherit;"><a class="tone-colour" data-link-name="auto tag link" href="https://www.theguardian.com/profile/bruceschneier" itemprop="sameAs" rel="author" style="background: rgb(255, 255, 255); color: #005689; cursor: pointer; font-weight: bold; touch-action: manipulation;"><span itemprop="name">Schneier</span></a>,</span> 2008). The less told story, however, is that data is at greatest risk when traveling to other countries. <br />
<h4>
Problem:</h4>
<span style="background-color: white;">It may come as a surprise to learn that most Western governments do not respect individual privacy rights, digital or otherwise. For example, authorities at Paris Charles de Gaulle Airport are known to scan laptops (<a href="http://news.bbc.co.uk/2/hi/science/nature/150465.stm">BBC</a>, 1998). Devices are also subject to search when traveling through Canada, Australia, or the U.K.; no warrants needed (<a href="http://www.makeuseof.com/tag/smartphone-laptop-searches-know-rights/">Hughes</a>, 2014). </span><br />
<span style="background-color: white;"><span style="font-family: inherit;"><br /></span></span>
<span style="background-color: white;">Encryption to the rescue? Encryption may protect your data, but it is not foolproof. For starters, there are different types of encryption. <a href="http://www.stevenjordan.net/2016/09/ipsec-security-levels.html">Some types of encryption are considered strong</a> and nearly impossible to break. However, encryption relies on cryptographic algorithms that can become obsolete within months or years. <a href="http://www.stevenjordan.net/2016/09/secure-ikev2-win-10.html">Implementing secure encryption can be a complicated process</a>. </span><br />
<span style="background-color: white;"><span style="font-family: inherit;"><br /></span></span>
<span style="background-color: white;"><span style="font-family: inherit;">What's more, encryption may protect your data, but it will not stop a frustrated border patrol agent from taking your device or arresting you. (Hughes, 2014).</span></span><br />
<h4>
Why the Fuss?</h4>
There are two sides to every coin. Governments have legitimate national security issues to contend with. Digital search and seizure policies are a simple means to identify terrorists, child pornographers, and other criminals. <br />
<br />
On the other hand, the majority of international travelers are not criminals. At least in the U.S., and with exceptions, the right to privacy is a constitutional civil right. There are legitimate reasons to keep trade secrets, health records, or financial information secret. <br />
<h4>
Data at Risk</h4>
Not all inspections are invasive. Some agents may simply ask you to turn the device on. Others may casually browse its contents. However, there are situations that compromise data integrity:<br />
<br />
<ul>
<li>If you provide a key code or password.</li>
<li>If the device is removed from your line of sight.</li>
<li>If the device is physically connected to another machine (e.g., scanned).</li>
<li>If the device connects to an agent's network (Ethernet or WiFi).</li>
</ul>
<div>
If a device is compromised it can no longer be trusted:</div>
<br />
<ul>
<li>Your data is no longer confidential (e.g., pictures, credit cards, etc.)</li>
<li>Your data may have been altered or deleted.</li>
<li>The device may contain viruses or malware.</li>
<li>All of your passwords may be compromised.</li>
<li>Your network accounts may be vulnerable (e.g., Exchange, VPN, RDP)</li>
</ul>
<br />
<h4>
Conclusion:</h4>
In most situations, digital searches by the TSA/CBP are probably harmless. However, it's prudent to <a href="http://www.stevenjordan.net/2014/08/network-security-international-and.html">take extra precautions when traveling outside the United States</a>.<br />
<h4>
Links:</h4>
<a href="http://www.vocativ.com/397897/travelers-affected-by-trump-ban-forced-to-unlock-phones-computers/">http://www.vocativ.com/397897/travelers-affected-by-trump-ban-forced-to-unlock-phones-computers/</a><br />
<a href="https://www.eff.org/wp/defending-privacy-us-border-guide-travelers-carrying-digital-devices">https://www.eff.org/wp/defending-privacy-us-border-guide-travelers-carrying-digital-devices</a><br />
<a href="http://www.stevenjordan.net/2014/08/network-security-international-and.html">http://www.stevenjordan.net/2014/08/network-security-international-and.html</a><br />
<a href="http://www.stevenjordan.net/2016/09/ipsec-security-levels.html">http://www.stevenjordan.net/2016/09/ipsec-security-levels.html</a><br />
<a href="http://www.stevenjordan.net/2016/09/secure-ikev2-win-10.html">http://www.stevenjordan.net/2016/09/secure-ikev2-win-10.html</a><br />
<a href="https://www.theguardian.com/profile/bruceschneier">https://www.theguardian.com/profile/bruceschneier</a><br />
<a href="http://news.bbc.co.uk/2/hi/science/nature/150465.stm">http://news.bbc.co.uk/2/hi/science/nature/150465.stm</a><br />
<br />
<br />
<blockquote class="twitter-tweet" data-lang="en">
<div dir="ltr" lang="en">
FYI, data snooping occurs at most other international airports (e.g., British, Russian, & Chinese). <a href="https://t.co/lfOjvbCS6W">https://t.co/lfOjvbCS6W</a></div>
— Steven Jordan (@stevenuwm) <a href="https://twitter.com/stevenuwm/status/826530871310155776">January 31, 2017</a></blockquote>
https://www.theguardian.com/technology/2008/may/15/computing.securitySteven M. Jordanhttp://www.blogger.com/profile/08808713004280066782noreply@blogger.com0tag:blogger.com,1999:blog-6696977109054687352.post-62949367565204617372016-12-14T15:00:00.000-06:002016-12-14T15:30:08.198-06:00S4B Clients on Split-Tunnel VPNs.<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvzjwRie8NZ8Utg3OhXXo2_pCLaeqs-fu-L8hSSJYh5M9Ucr7p6N_EUVk7yf6i0uDv7heYBYY-H9kcK8xgZ_6JulfLtsLuhZxcwA6s07VV3PK95ySQwiYMxmRD-XaEIDZ1Ax6Z4yaWN7BC/s1600/S4B3.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="" border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvzjwRie8NZ8Utg3OhXXo2_pCLaeqs-fu-L8hSSJYh5M9Ucr7p6N_EUVk7yf6i0uDv7heYBYY-H9kcK8xgZ_6JulfLtsLuhZxcwA6s07VV3PK95ySQwiYMxmRD-XaEIDZ1Ax6Z4yaWN7BC/s200/S4B3.PNG" title="Skype for Business and Lync Client Multimedia Problems on Split-Tunnel VPNs." width="180" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">S4B: Bypass Split-Tunnel VPNs.<br />
<div>
<br /></div>
</td></tr>
</tbody></table>
<h4>
<span style="color: #134f5c;"><span style="color: #0b5394;"><b>Take Away:</b></span><i> </i></span></h4>
Skype for Business (S4B) and Lync clients may experience problems when traversing a split-tunnel VPN. Use Name Resolution Policy Table (NRPT) and Windows firewall group policies (GPOs) to bypass split-tunnel VPNs. This solution is easy to administer and provides remote offices the best multimedia experience.<br />
<h4>
<span style="color: #134f5c;"><b>Problem: </b></span></h4>
The DCA office experiences <i>weird</i> S4B/Lync issues: <br />
<br />
<ul>
<li>Local S4B/Lync clients cannot host conference calls for external clients.</li>
<li>All clients (external and DCA) can connect to conference calls hosted at the company headquarters (JFK). </li>
<li>Local S4B/Lync clients cannot share multimedia content (e.g., screen-sharing, video, etc.) with external clients. </li>
<li>All clients can share multimedia content when connected to conference calls hosted at JFK HQ.</li>
<li>Audio and video quality is poor (e.g., choppy or static) between DCA and JFK locations.</li>
</ul>
<br />
<h4>
<span style="color: #134f5c;"><b>Topology:</b> </span></h4>
This business consists of two locations: JFK is the primary HQ office. DCA is the branch office.<br />
<ul>
<li>A site-to-site IPsec VPN tunnel connects the DCA and JFK offices. </li>
<li>DCA uses split-tunneling to forward all corporate data.</li>
<li>DCA uses its default gateway to forward all other traffic to the Internet. </li>
<li>JFK hosts all Lync servers: Front End, Access Edge, and Reverse Proxy servers.</li>
<li>Both DCA and JFK use Active Directory (AD) integrated DNS servers.</li>
<li>External clients allow staff to work from home.</li>
</ul>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcpEeKJZjwaq8X-Z_WpGq8UELIXuu2u-FHwXnW_VsJN-Ucw03PxZ9Do8j37p-7ankPMSJz_g2E8irORvLHUxOLgT0jcGcOi46QbyF0n6Psjb17RcIB0eYOJ_ZiOoAhospucq7Cir_H4cgp/s1600/LYNC_Topology1.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="" border="0" height="201" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcpEeKJZjwaq8X-Z_WpGq8UELIXuu2u-FHwXnW_VsJN-Ucw03PxZ9Do8j37p-7ankPMSJz_g2E8irORvLHUxOLgT0jcGcOi46QbyF0n6Psjb17RcIB0eYOJ_ZiOoAhospucq7Cir_H4cgp/s1600/LYNC_Topology1.JPG" title="Topology for organization that uses Lync and Split-Tunnel VPN." width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1. Example of Lync and organization topology.</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<h4>
<span style="color: #0b5394;"><b>ICE Framework:</b></span> </h4>
S4B-Lync uses network topology to select the best connection path. It uses a peer-to-peer connection framework called <a href="http://www.stevenjordan.net/2013/09/lync-client-and-vpn-connection-problems.html">Interactive Connectivity Establishment (ICE)</a>. This framework includes the Session Traversal Utilities for NAT (STUN) and Traversal Using Relays around NAT (TURN) protocols. <br />
<br />
STUN identifies the client's Network Address Translation (NAT) (i.e., private IP). This process also identifies the default gateway (i.e., public IP). Multimedia travels directly between end-points when STUN is used. S4B/Lync clients prefer to communicate directly (i.e., peer-to-peer) with clients that reside on the same LAN. N.B., LAN here does not refer to a broadcast domain. LAN, in this situation, includes all internal networks (i.e., subnets) with routes to the Front-End subnet. Internal clients never use the Access Edge server for internal communication. <br />
<br />
Similarly, external clients prefer STUN for communicating multimedia content to other external peers. The Access Edge server will only bridge external-to-external clients (i.e., TURN) if peer-to-peer communication is not possible.<br />
<br />
Lync clients use the TURN framework when end-points do not share a common LAN. The TURN process creates dynamic ports on the Access Edge server and, in turn (pun intended), proxies external multimedia. TURN is similar to Port Address Translation (PAT), just as the Access Edge server is similar to an Internet gateway.<br />
<br />
To recap, S4B/ Lync clients prefer direct peer-to-peer multimedia communication. Internal clients will never use the Access Edge server for internal multimedia communication. External clients use the Access Edge server to bridge communication whenever peer-to-peer communication is unavailable; including external-to-external, and external-to-internal. <br />
<h4>
<span style="color: #0b5394;"><b>Split-Tunnel Problems:</b></span> </h4>
The ICE framework generally provides the best multimedia experience. However, it does not work well over split-tunnel VPNs. Split-tunnel VPNs create STUN and TURN mismatches. For example, the DCA branch office firewall forwards all domain traffic to the JFK primary office; all other traffic forwards out the local gateway (i.e., Internet). DCA and external Lync clients interpret this topology differently (Table 1).<br />
<br />
<table class="ms-simple1-main" style="height: 287px; width: 75.45%;">
<!-- fpstyle: 1,011111100 -->
<tbody>
<tr>
<td class="ms-simple1-tl" colspan="4">Table 1. <br />
<u>Default Multimedia Network Traffic Between Lync Clients </u></td>
</tr>
<tr>
<td class="ms-simple1-left" style="width: 114px;"> Source</td>
<td class="ms-simple1-even" colspan="3"> Destination</td>
</tr>
<tr>
<td class="ms-simple1-left" style="width: 114px;"></td>
<td class="ms-simple1-even" style="width: 104px;">JFK</td>
<td class="ms-simple1-even" style="width: 94px;">DCA</td>
<td class="ms-simple1-even" style="width: 123px;">External Client</td>
</tr>
<tr>
<td class="ms-simple1-left" style="width: 114px;">JFK</td>
<td class="ms-simple1-even" style="width: 104px;">STUN</td>
<td class="ms-simple1-even" style="width: 94px;"><span style="color: blue;">STUN</span></td>
<td class="ms-simple1-even" style="width: 123px;">TURN</td>
</tr>
<tr>
<td class="ms-simple1-left" style="width: 114px;">DCA</td>
<td class="ms-simple1-even" style="width: 104px;"><span style="color: blue;">STUN</span></td>
<td class="ms-simple1-even" style="width: 94px;">STUN</td>
<td class="ms-simple1-even" style="width: 123px;"><span style="color: #cc0000;">TURN</span></td>
</tr>
<tr>
<td class="ms-simple1-left" style="width: 114px;">External Client</td>
<td class="ms-simple1-even" style="width: 104px;">TURN</td>
<td class="ms-simple1-even" style="width: 94px;"><span style="color: #cc0000;">STUN</span></td>
<td class="ms-simple1-even" style="width: 123px;">STUN</td>
</tr>
<tr>
<td class="ms-simple1-left" colspan="4"><div style="text-align: center;">
<div style="text-align: left;">
<em>Notes: DCA uses a split-tunnel VPN to connect to JFK. STUN represents
Lync client-to-client. TURN represents a multimedia proxy (i.e.,
Lync Access Edge) requirement. Blue represents split-tunnel topology. Red represents client topology mismatch. </em></div>
</div>
</td>
</tr>
</tbody></table>
<br />
The primary problem with split-tunnel VPNs is how the S4B/Lync client interprets the topology. Recall, internal clients always use the Access Edge server for external communication. Likewise, internal clients never use the Access Edge for internal conversations. The VPN firewall forwards all domain traffic to the JFK network. Therefore, DCA clients consider themselves <em>internal</em>, and external clients as <em>external</em>. DCA clients will only use the Access Edge server when communicating with external clients. <br />
<br />
External clients have an entirely different interpretation of the topology. External clients are aware of the DCA Internet gateway, but they remain unaware of its split-tunneling. External clients will therefore interpret DCA clients as external peers; multimedia traffic is sent directly to the DCA clients (i.e., STUN).<br />
<br />
To recap, external clients are unaware of the DCA split-tunnel. These external clients attempt to send audio and video (AV), and expect to receive AV, directly from the DCA clients. Whereas DCA clients send AV, and expect to receive AV, proxied from the Access Edge server.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9zOhUeMuGuWJGwWr-yF5ltXRBLbxculjvoyHhCZaLhXBGR5WcAs66yM8j5kr-fmDVAY6EOjQ2Xbri3yxK_DOPFn90bWrY07d8awWpTqNNBIuskfSYa899Ea0useGTjB-g5su_XObuvO-T/s1600/Lync_Split_Tunnel.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="" border="0" height="182" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9zOhUeMuGuWJGwWr-yF5ltXRBLbxculjvoyHhCZaLhXBGR5WcAs66yM8j5kr-fmDVAY6EOjQ2Xbri3yxK_DOPFn90bWrY07d8awWpTqNNBIuskfSYa899Ea0useGTjB-g5su_XObuvO-T/s1600/Lync_Split_Tunnel.JPG" title="Example of Lync communication problems over the VPN." width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 2. Lync directional mismatch.</td></tr>
</tbody></table>
<br />
The split-tunnel VPN causes a secondary problem between JFK and DCA. These clients use STUN to establish peer-to-peer connections across the VPN. Users complain about overall client AV quality between these locations. <br />
<br />
Multiple layers of encryption decrease overall AV quality. Lync encrypts multimedia packets with the TLS and SRTP protocols. The VPN adds additional packet overhead as it encrypts and encapsulates each packet. Staff at both locations can expect better AV if DCA S4B-Lync clients bypass split-tunneling (i.e., TURN). <br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqEzMolrEaoWXC53iKqjvKTEGGW8JNBV9rcyAhykw6oZrmt-QDXMBomnNOqb6jheieyQIz5ttNDBcR4vlE594sstjQvIhZfAJFPruZvOa5bfxVYhS441Wz57D62-YU_UwHwkmP1swCaIGx/s1600/Lync_TURN.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="" border="0" height="185" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqEzMolrEaoWXC53iKqjvKTEGGW8JNBV9rcyAhykw6oZrmt-QDXMBomnNOqb6jheieyQIz5ttNDBcR4vlE594sstjQvIhZfAJFPruZvOa5bfxVYhS441Wz57D62-YU_UwHwkmP1swCaIGx/s1600/Lync_TURN.JPG" title="NRTP and Windows Firewall allow Lync clients to bypass VPN." width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 3. Bypass the split-tunnel VPN.</td></tr>
</tbody></table>
<h4 style="clear: both; text-align: left;">
<span style="color: #0b5394;"><b><br />Resolution:</b></span><b> </b> </h4>
<div class="separator" style="clear: both; text-align: left;">
S4B-Lync clients can bypass split-tunneling entirely with (a) changes to DNS topology and (b) changes to client firewalls. Recall, both offices belong to a single AD domain, and each office uses recursive AD-integrated DNS servers. AD replication ensures internal name resolution is the same at each location. Lync clients use DNS to locate S4B-Lync servers via S4B-Lync Discovery (Table 2). </div>
<table class="ms-simple1-main" style="height: 266px; width: 80.66%;">
<!-- fpstyle: 1,011111100 -->
<tbody>
<tr>
<td class="ms-simple1-tl" colspan="3">Table 2. <br />
S4B-Lync Client Discovery Preference Order</td>
</tr>
<tr>
<td class="auto-style2" style="width: 100px;">DNS Prefix</td>
<td class="auto-style1" style="width: 170px;">lyncdiscoverinternal</td>
<td class="auto-style2">lyncdiscover</td>
</tr>
<tr>
<td class="ms-simple1-left" style="height: 21px; width: 150px;">Discovery Order</td>
<td class="ms-simple1-left" style="height: 21px; width: 100px;">1st
preference</td>
<td class="auto-style2" style="height: 21px;">2nd preference</td>
</tr>
<tr>
<td class="ms-simple1-left" style="width: 100px;">Client</td>
<td class="ms-simple1-left" style="width: 100px;">Internal clients</td>
<td class="ms-simple1-left">External clients</td>
</tr>
<tr>
<td class="ms-simple1-left" style="width: 100px;">Server</td>
<td class="ms-simple1-left" style="width: 170px;">Front-End</td>
<td class="ms-simple1-left">Access-Edge</td>
</tr>
<tr>
<td class="ms-simple1-left" colspan="3"><em>Notes: Discovery
preference assumes organization uses a split-brain DNS topology.
Topology consists of independent internal and external DNS servers.</em>
</td>
</tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: left;">
All internal clients, including those on the VPN, use internal DNS for Lync Discovery resolution. External clients use external DNS for their Lync Discovery process. Therefore, VPN clients can bypass split-tunneling using a process that distinguishes Lync traffic and resolves it using external name records. N.B., internal DNS continues to resolve all other (i.e., non-Lync) requests. Otherwise, what's the point of having a VPN? </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: #0b5394;"><b>Name Resolution Policy Table:<br /> </b></span></div>
<div class="separator" style="clear: both; text-align: left;">
Split-brain DNS requires a confusing array of zone records. Most Internet documentation suggests <a href="http://blogs.technet.com/b/nexthop/archive/2011/11/15/enabling-lync-media-to-bypass-a-vpn-tunnel.aspx">pin-point DNS zones</a> to influence Lync traffic. Instead, consider using NRPT, which simplifies the entire domain resolution process.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Lync clients can bypass the VPN with NRPT group policy. NRPT is configured with two simple rules:</div>
<ol>
<li><div class="separator" style="clear: both; text-align: left;">
Forward all domain name requests for Lync services to external DNS servers.</div>
</li>
<li><div class="separator" style="clear: both; text-align: left;">
Use client DNS settings (i.e. internal) for all other DNS resolution.</div>
</li>
</ol>
<div class="separator" style="clear: both; text-align: left;">
Create the NRPT Group Policy to allow S4B-Lync clients to bypass the VPN:</div>
<ol>
<li><div class="separator" style="clear: both; text-align: left;">
Create new GPO: Computer Configuration → Policies → Windows Settings → Name Resolution Policy.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhBNOrYKgH0o5ly_5YtvO6ECnqphbfewg6Yd8cKC2SJOlxhQ0jS2CkGPnsEP-46ADy4TrZyTawmPqKPbMGXXDgkX1OKYYejRqSYl96OV6y1l1SN6zbGXmGl1KvHtZqSiZinZ0ops81wbGS/s1600/LyncNRTP1.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhBNOrYKgH0o5ly_5YtvO6ECnqphbfewg6Yd8cKC2SJOlxhQ0jS2CkGPnsEP-46ADy4TrZyTawmPqKPbMGXXDgkX1OKYYejRqSYl96OV6y1l1SN6zbGXmGl1KvHtZqSiZinZ0ops81wbGS/s1600/LyncNRTP1.JPG" /></a></div>
<br />
</li>
<li><div class="separator" style="clear: both; text-align: left;">
Configure the Advanced Global Policy Settings: </div>
<div class="" style="clear: both; text-align: left;">
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwwNhg84E4YJVH-DPX2hjXEduxO8d5RrARKZxO3nbTfj2fkOaiJC4-6fswzTYr-JRDdmOOOLbbQ2m3x071wav6Rp4YdyZxDBLs27VXc15IeOUy6bczFvH1TkFUkcp8GnFEnwUmdcNRp7yx/s1600/LyncNRPT2.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto; text-align: center;"><img alt="" border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwwNhg84E4YJVH-DPX2hjXEduxO8d5RrARKZxO3nbTfj2fkOaiJC4-6fswzTYr-JRDdmOOOLbbQ2m3x071wav6Rp4YdyZxDBLs27VXc15IeOUy6bczFvH1TkFUkcp8GnFEnwUmdcNRp7yx/s1600/LyncNRPT2.JPG" title="NTRP GPO to bypass split-tunneling." width="270" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 4. NRPT GPO to bypass split-tunneling.</td></tr>
</tbody></table>
<br /></div>
</li>
<li><div class="separator" style="clear: both; text-align: left;">
Change the <i>Query Resolution</i> settings. Enable "Configure query resolution options". Enable <i>Resolve both IPv4 and IPv6 addresses for names</i>.</div>
<div class="" style="clear: both; text-align: left;">
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhD_sJa_RdToH_RIoVT2ztfKrlQgKS5FqKzKVGV-HqGiT1xGlJnCffKBB91NuvY5FSepOXtBZ07ra4MTiqjtFggrHvvCzrf5eZMIkD0Q1LemqD7CFYJcMg3lCp4B-GSEh5Yofx-WZhL0xn6/s1600/LyncNRTP3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhD_sJa_RdToH_RIoVT2ztfKrlQgKS5FqKzKVGV-HqGiT1xGlJnCffKBB91NuvY5FSepOXtBZ07ra4MTiqjtFggrHvvCzrf5eZMIkD0Q1LemqD7CFYJcMg3lCp4B-GSEh5Yofx-WZhL0xn6/s1600/LyncNRTP3.JPG" width="251" /></a></div>
</li>
<li>Create rules that forward Lync FQDNs to external DNS servers. <br /><br />a. <i>To which part of the namespace does this rule apply?</i> Choose <i>FQDN</i>.<br />b. Click on the <i>Generic DNS Server</i> tab.<br />c. Toggle the <i>Enable DNS settings</i> check box.<br />d. Click the <i>Add</i> button.<br />e. <i>DNS server:</i> Enter an external recursive DNS server, or the authoritative public (i.e., Internet-facing) DNS server for your organization's SIP domain.<br />f. Click <i>Apply</i>.<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaMsY0e8OU356TV4pNvGN4DqnAOJdQUIpIDi8hVk5HKFemS2vxNsW5CSrJDt1MKi0cW98Ga5DrksnLFRy0AyVp-7xE8iTVwcsm-jertO4AS4PZ6etQTDuU8ecH6x9s3T-Ud7mvLnCKfbiW/s1600/LyncNRTP4.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaMsY0e8OU356TV4pNvGN4DqnAOJdQUIpIDi8hVk5HKFemS2vxNsW5CSrJDt1MKi0cW98Ga5DrksnLFRy0AyVp-7xE8iTVwcsm-jertO4AS4PZ6etQTDuU8ecH6x9s3T-Ud7mvLnCKfbiW/s1600/LyncNRTP4.JPG" width="267" /></a></li>
</ol>
GPOs are applied to AD domains, sites, or Organizational Units (OUs). In most situations, it makes sense to apply the NRPT GPO to the AD site that correlates with the branch office. <br />
<div>
<br /></div>
<div>
From Group Policy Management: Right click on <i>Sites</i> → Left click on <i>Show Sites </i>→ Right click on the branch office site → Link an Existing GPO. </div>
<div>
<br /></div>
<div>
Alternately, create separate computer OUs per location. Link the NRPT GPO to the OU that nests all branch office computers. </div>
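<div class="separator" style="clear: both; text-align: left;">
The same two NRPT rules, built with the DnsClient PowerShell module instead of the Group Policy editor, as an added example that is not part of the original post. The SIP domain, the external DNS server address, the GPO name and the internal test host are placeholders, and the two verification functions are assumed helpers meant to run on a branch-office client once the GPO has applied.</div>

```powershell
# Added example (not the original post's code): NRPT rules for the Lync
# bypass, written with the DnsClient module instead of the GPMC editor.
# Placeholders (assumptions, not values from the post):
#   $SipDomain   - the organization's SIP domain
#   $ExternalDns - an external recursive resolver, or the public authoritative
#                  server for the SIP domain (a documentation address is used)
#   $GpoName     - an existing GPO that will hold the NRPT rules; the account
#                  running this needs rights to edit it (RSAT/GroupPolicy)
#   $LyncNames   - host labels that must resolve to the external (Access Edge /
#                  reverse proxy) addresses. lyncdiscover and sip are the
#                  standard client discovery names; add your own edge and
#                  external web-service names to this list.
$SipDomain   = 'contoso.example'
$ExternalDns = '203.0.113.53'
$GpoName     = 'S4B Bypass Split-Tunnel VPN'
$LyncNames   = @('lyncdiscover', 'sip')

# Rule 1 from the post: send Lync FQDNs to the external DNS server.
# One NRPT entry per FQDN. A namespace without a leading dot matches that
# exact name only, so other names in the SIP domain are unaffected.
foreach ($label in $LyncNames) {
    $fqdn = "$label.$SipDomain"
    Add-DnsClientNrptRule -GpoName $GpoName `
                          -Namespace $fqdn `
                          -NameServers $ExternalDns `
                          -DisplayName "S4B external: $fqdn" `
                          -Comment 'Lync discovery bypasses the split-tunnel VPN'
}

# Rule 2 from the post needs no NRPT entry: any name that matches no rule
# falls through to the adapter's (internal, AD-integrated) DNS servers.

# Review what the GPO now contains.
Get-DnsClientNrptRule -GpoName $GpoName | Select-Object Namespace, NameServers, DisplayName

# --- Client-side verification (assumed helpers; run on a branch client after
# --- gpupdate /force). nslookup queries a server directly and ignores NRPT;
# --- Resolve-DnsName goes through the DNS client and therefore honours it.
function Test-IsPrivateIPv4 {
    param([string]$Address)
    $b = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Test-LyncNrptBypass {
    param([string]$LyncFqdn, [string]$InternalFqdn)
    # The effective policy must contain the Lync rule; otherwise the GPO
    # has not applied (wrong site/OU link, or gpupdate not yet run).
    $rule = Get-DnsClientNrptPolicy | Where-Object { $_.Namespace -eq $LyncFqdn }
    if (-not $rule) {
        Write-Warning "No effective NRPT rule for $LyncFqdn on this client."
        return $false
    }
    $lyncIps = @(Resolve-DnsName -Name $LyncFqdn -Type A -ErrorAction Stop |
                 Where-Object QueryType -eq 'A' | ForEach-Object IPAddress)
    $intIps  = @(Resolve-DnsName -Name $InternalFqdn -Type A -ErrorAction Stop |
                 Where-Object QueryType -eq 'A' | ForEach-Object IPAddress)
    # Expected split: the Lync name yields a public (edge) address, while an
    # ordinary internal name still yields a private address over the VPN.
    $lyncExternal = @($lyncIps | Where-Object { -not (Test-IsPrivateIPv4 $_) }).Count -gt 0
    $intInternal  = @($intIps  | Where-Object { Test-IsPrivateIPv4 $_ }).Count -gt 0
    Write-Host ("{0} -> {1} (external: {2})" -f $LyncFqdn, ($lyncIps -join ', '), $lyncExternal)
    Write-Host ("{0} -> {1} (internal: {2})" -f $InternalFqdn, ($intIps -join ', '), $intInternal)
    return ($lyncExternal -and $intInternal)
}

# Example call; dc01.corp.<SIP domain> is a placeholder for any internal host.
Test-LyncNrptBypass -LyncFqdn "lyncdiscover.$SipDomain" -InternalFqdn "dc01.corp.$SipDomain"
```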
<div>
<h4 style="clear: both; text-align: left;">
<b><span style="color: #0b5394;">Windows Firewall:</span></b></h4>
<div class="separator" style="clear: both; text-align: left;">
NRPT influences clients to logically bypass the VPN. However, there may be circumstances when Lync clients discover alternate (i.e., split-tunnel) paths to internal resources. Lync clients, therefore, require both logical and physical divisions. Windows Firewall complements the NRPT GPO with two simple rules:</div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<ul>
<li>Restrict traffic based on application (i.e., S4B).</li>
<li>Restrict traffic based on source (i.e., DCA) and destination (i.e., JFK).</li>
</ul>
<div class="separator" style="clear: both;">
Create the Windows Firewall GPO:</div>
<ol>
<li><div class="separator" style="clear: both;">
Create new GPO: Computer Configuration → Policies → Windows Settings → Security Settings → Windows Firewall with Advanced Security → Inbound Rules.</div>
</li>
<li><div class="separator" style="clear: both;">
Right click on <i>Inbound Rules</i> → New Inbound Rule → Program → Path: %ProgramFiles%\Microsoft Office\Office15\lync.exe → Block the Connection → Apply rule to <i>Domain</i>. N.B., use the applicable application paths. For example, Lync Basic and Lync Professional may use different paths.</div>
</li>
<li>
<div class="separator" style="clear: both;">
Edit the new Inbound Rule: Right click on the new rule → Click on the <i>Scope </i>tab → Add all internal IP subnets (i.e., primary office) to the <i>Remote IP address </i>field → Click Add → Click OK.</div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjt0nT6CpRUbigadnfDoS1wGNz45IAGbnTJqj1u-DUKfvDFoa9DTTUdyr4bqlVPr6jmhOqQaT0K81gLjs6E3HJi1IzOyemuKDOv-XS_HZxB2spJEc4znPHI2lmZ2mR-Leu5iXC9UbVVF46G/s1600/Lync_Firewall.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto; text-align: center;"><img alt="" border="0" height="302" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjt0nT6CpRUbigadnfDoS1wGNz45IAGbnTJqj1u-DUKfvDFoa9DTTUdyr4bqlVPr6jmhOqQaT0K81gLjs6E3HJi1IzOyemuKDOv-XS_HZxB2spJEc4znPHI2lmZ2mR-Leu5iXC9UbVVF46G/s1600/Lync_Firewall.JPG" title="Windows Firewall with Advanced Security to Bypass VPN." width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 5. Windows Firewall GPO to bypass VPN.</td></tr>
</tbody></table>
<br />
</li>
<li><div class="separator" style="clear: both;">
Link the newly created Firewall GPO to the AD site that correlates with the branch office. Alternately, apply this GPO to the OU that nests branch office computers.</div>
</li>
</ol>
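<div class="separator" style="clear: both; text-align: left;">
The same rules as an added PowerShell example (not from the original post): it writes the lync.exe block rule into the GPO with the NetSecurity cmdlets and then reads the GPO back to confirm program and scope. The domain, GPO name, HQ subnets and the 32-bit Lync path are assumed placeholders, and the GPO must already exist. It goes one step beyond the GUI walkthrough by creating the rule in both directions so the application cannot reach the primary office subnets either way.</div>

```powershell
# Added example (not from the original post). Assumed values: domain, GPO name,
# HQ subnets and the 32-bit Lync path; the GPO must already exist in the domain.
$Domain    = 'corp.example'
$GpoName   = 'Lync-SplitTunnel-Bypass'
$HqSubnets = @('10.10.0.0/16', '10.20.0.0/16')   # assumed primary-office (JFK) address space
$LyncPaths = @(
    '%ProgramFiles%\Microsoft Office\Office15\lync.exe',       # path used in the post
    '%ProgramFiles(x86)%\Microsoft Office\Office15\lync.exe'   # assumed Lync Basic / 32-bit path
)

# Open the GPO once, batch every rule into the session, then commit with Save-NetGPO.
$session = Open-NetGPO -PolicyStore "$Domain\$GpoName"

for ($i = 0; $i -lt $LyncPaths.Count; $i++) {
    foreach ($direction in 'Inbound', 'Outbound') {
        New-NetFirewallRule -GPOSession $session `
            -DisplayName "Lync $direction block to HQ subnets ($i)" `
            -Description 'Force S4B/Lync media through the Access Edge instead of the split-tunnel VPN' `
            -Direction $direction -Action Block -Profile Domain -Enabled True `
            -Program $LyncPaths[$i] -RemoteAddress $HqSubnets | Out-Null
    }
}
Save-NetGPO -GPOSession $session

# Read the rules back from the GPO itself (not the local machine) to confirm program and scope.
Get-NetFirewallRule -PolicyStore "$Domain\$GpoName" -DisplayName 'Lync*' | ForEach-Object {
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Dir     = $_.Direction
        Action  = $_.Action
        Program = ($_ | Get-NetFirewallApplicationFilter).Program
        Remote  = (($_ | Get-NetFirewallAddressFilter).RemoteAddress) -join ', '
    }
} | Format-Table -AutoSize
```

<div class="separator" style="clear: both; text-align: left;">
On a branch office client, run <code>gpupdate /force</code> and then <code>Get-NetFirewallRule -PolicyStore ActiveStore -DisplayName 'Lync*'</code> to confirm the rule actually landed on the machine; an empty result usually means the GPO is linked to the wrong site or OU.</div>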
<h4 style="clear: both; text-align: left;">
<span style="color: #134f5c; font-weight: bold;">Conclusion: </span></h4>
<div class="separator" style="clear: both; text-align: left;">
NRPT and firewall GPOs force S4B-Lync clients to bypass split-tunnel VPNs. These combined GPOs have two primary effects: (a) DCA-to-external clients prefer STUN (i.e., client-to-client); and (b) DCA-to-JFK clients use TURN (i.e., client-to-Access Edge) for external AV communication (Table 3). </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
</div>
<table class="ms-simple1-main" style="height: 287px; width: 75.45%;">
<tbody>
<tr>
<td class="ms-simple1-tl" colspan="4">Table 3. <br />
<u>Effects of Split-Tunnel GPOs on </u><u>Multimedia Traffic </u></td>
</tr>
<tr>
<td class="ms-simple1-left" style="width: 114px;"> Source</td>
<td class="ms-simple1-even" colspan="3"> Destination</td>
</tr>
<tr>
<td class="ms-simple1-left" style="width: 114px;"></td>
<td class="ms-simple1-even" style="width: 104px;">JFK</td>
<td class="ms-simple1-even" style="width: 94px;">DCA</td>
<td class="ms-simple1-even" style="width: 123px;">External Client</td>
</tr>
<tr>
<td class="ms-simple1-left" style="width: 114px;">JFK</td>
<td class="ms-simple1-even" style="width: 104px;">STUN</td>
<td class="ms-simple1-even" style="width: 94px;"><span style="color: blue;">TURN</span></td>
<td class="ms-simple1-even" style="width: 123px;">TURN</td>
</tr>
<tr>
<td class="ms-simple1-left" style="width: 114px;">DCA</td>
<td class="ms-simple1-even" style="width: 104px;"><span style="color: blue;">TURN</span></td>
<td class="ms-simple1-even" style="width: 94px;">STUN</td>
<td class="ms-simple1-even" style="width: 123px;"><span style="color: blue;">STUN</span></td>
</tr>
<tr>
<td class="ms-simple1-left" style="width: 114px;">External Client</td>
<td class="ms-simple1-even" style="width: 104px;">TURN</td>
<td class="ms-simple1-even" style="width: 94px;"><span style="color: blue;">STUN</span></td>
<td class="ms-simple1-even" style="width: 123px;">STUN</td>
</tr>
<tr>
<td class="ms-simple1-left" colspan="4"><div style="text-align: center;">
<div style="text-align: left;">
<em>Notes: </em><em>DCA uses split-tunnel VPN to connect to JFK. </em><em>STUN represents
Lync client-to-client. TURN represents multimedia proxy (i.e.,
Lync Access-Edge) requirement. Blue emphasizes branch office traffic. </em><br />
<em><br /></em>
That's It!</div>
</div>
</td>
</tr>
</tbody></table>
Steven M. Jordan<br />
<br />
<b>Android IKEv2 Client Setup</b> (posted 2016-11-19)<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXFJPF11wDh_6W53OWPBcIjZzPgQ37wvujjyk5WQto9iEyK6jCOM_gLr8XLL8FlGx5W2VvQrxNLObqSmxe7dNqCw_nubdRSu8PSW9XYirtuf1hKRVR9-jWZWrjp1oRYmEWUVG1MY0hIhon/s1600/VPN.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXFJPF11wDh_6W53OWPBcIjZzPgQ37wvujjyk5WQto9iEyK6jCOM_gLr8XLL8FlGx5W2VvQrxNLObqSmxe7dNqCw_nubdRSu8PSW9XYirtuf1hKRVR9-jWZWrjp1oRYmEWUVG1MY0hIhon/s1600/VPN.gif" title="Android Client Setup Instructions." /></a></div>
<h4>
Task: </h4>
<div class="MsoPlainText">
Send end-user instructions on how to configure Android IKEv2 VPN clients. </div>
<h4>
Solution:</h4>
<div class="MsoPlainText">
Installation is a two-step process:</div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
Step 1: Install all three certificates. The Administrator has sent a separate website link where you can download the necessary certificates: (a) user_device.PFX; (b) vpn_server.CER; and (c) root.CER. Open
each file to start the installation. <span style="background-color: white;">Enter the PFX password when prompted.</span></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
Step 2: Configure the Android VPN client: Android
Settings → Connections → More Connection Settings → VPN → Add VPN.</div>
<div class="MsoPlainText">
<br /></div>
<br />
<div class="MsoPlainText" style="margin-left: .5in;">
VPN Settings (Figure 1):<br />
N.B., change the value for “IPSec user certificate” to “user_android”.</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRT-2CTV2L3tcsvFsc7emsjcdW9n2hZnnRFv2IaUfOO-4qE1cYkkzhT6QIENW1qFPP2DTuPLMJVxuS_h2qGlGN1aL0NEe0veh74VjEYbOQnPOo2vyTJF-GnfiG2b8oot6-EFN7NphlCtS7/s1600/Android_Cert.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRT-2CTV2L3tcsvFsc7emsjcdW9n2hZnnRFv2IaUfOO-4qE1cYkkzhT6QIENW1qFPP2DTuPLMJVxuS_h2qGlGN1aL0NEe0veh74VjEYbOQnPOo2vyTJF-GnfiG2b8oot6-EFN7NphlCtS7/s320/Android_Cert.PNG" width="182" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><div class="MsoCaption" style="margin-left: .5in;">
Figure 1. Android IKEv2 VPN
Settings.</div>
</td></tr>
</tbody></table>
<div class="MsoPlainText">
Hint: VPN shortcut apps are available in the Google
Play Store. This provides a quick and easy method to connect.<br />
For example: <a href="https://play.google.com/store/apps/details?id=com.rosaneng.vpnsettings&hl=en">https://play.google.com/store/apps/details?id=com.rosaneng.vpnsettings&hl=en</a></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
Also note, your device certificate contains a private key for your
client certificate. Anyone that gets a hold of this key can impersonate
your account. Please protect your device with a passcode and
encryption. This script is not intended for <i>rooted</i> devices.
I encourage you to delete this email from your mailbox after you’ve configured
your devices. </div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
That's It!</div>
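<div class="MsoPlainText">
For the administrator side of Step 1, here is an added PowerShell example (not from the original post) that produces the three files named above with the PKI module on the Windows host that holds the certificates. The thumbprints, output folder and store locations are assumed placeholders. Only the user certificate leaves with a private key, and it leaves inside a password-protected PFX; the script checks that the two .CER files carry no key before the link is published.</div>

```powershell
# Added example (not from the original post). Assumed: the user certificate with its
# private key is in LocalMachine\My on the enrollment host, the VPN server certificate is
# in LocalMachine\My and the issuing root is in LocalMachine\Root. Thumbprints are placeholders.
$OutDir        = 'C:\VPN-Enrollment\user_android'   # assumed; publish over HTTPS, not by e-mail
$UserThumb     = 'PLACEHOLDER_USER_CERT_THUMBPRINT'
$ServerThumb   = 'PLACEHOLDER_VPN_SERVER_CERT_THUMBPRINT'
$RootThumb     = 'PLACEHOLDER_ROOT_CA_THUMBPRINT'
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'                 # id-kp-clientAuth, required for IKEv2 clients

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$pfxPassword = Read-Host -Prompt 'PFX password (hand it to the user out of band)' -AsSecureString

$user = Get-Item "Cert:\LocalMachine\My\$UserThumb"
if (-not $user.HasPrivateKey) { throw 'User certificate has no private key; the PFX would be useless.' }
if ($user.EnhancedKeyUsageList.ObjectId -notcontains $ClientAuthEku) {
    throw 'User certificate lacks the Client Authentication EKU.'
}

# (a) user_device.PFX: the only file that carries a private key, so it is password-protected.
Export-PfxCertificate -Cert $user -FilePath "$OutDir\user_device.pfx" `
    -Password $pfxPassword -ChainOption EndEntityCertOnly | Out-Null

# (b) vpn_server.CER and (c) root.CER: public certificates only, DER encoded.
Export-Certificate -Cert (Get-Item "Cert:\LocalMachine\My\$ServerThumb") `
    -FilePath "$OutDir\vpn_server.cer" -Type CERT | Out-Null
Export-Certificate -Cert (Get-Item "Cert:\LocalMachine\Root\$RootThumb") `
    -FilePath "$OutDir\root.cer" -Type CERT | Out-Null

# Sanity checks before publishing: the PFX opens with the password, the .cer files hold no key.
$pfx = Get-PfxData -FilePath "$OutDir\user_device.pfx" -Password $pfxPassword
$cerHasKey = Get-ChildItem "$OutDir\*.cer" | ForEach-Object {
    (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_.FullName).HasPrivateKey
}
[pscustomobject]@{
    PfxSubject      = $pfx.EndEntityCertificates[0].Subject
    PfxHasKey       = $pfx.EndEntityCertificates[0].HasPrivateKey
    CerFilesWithKey = @($cerHasKey | Where-Object { $_ }).Count   # expected 0
    Files           = (Get-ChildItem $OutDir).Name -join ', '
}
```

<div class="MsoPlainText">
Deliver the PFX password separately from the download link (phone, in person, or a password manager share); the link and the password together are the user's VPN identity.</div>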
Steven M. Jordan<br />
<br />
<b>Windows IKEv2 MTU</b> (posted 2016-11-18, updated 2018-08-16)<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXFJPF11wDh_6W53OWPBcIjZzPgQ37wvujjyk5WQto9iEyK6jCOM_gLr8XLL8FlGx5W2VvQrxNLObqSmxe7dNqCw_nubdRSu8PSW9XYirtuf1hKRVR9-jWZWrjp1oRYmEWUVG1MY0hIhon/s1600/VPN.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXFJPF11wDh_6W53OWPBcIjZzPgQ37wvujjyk5WQto9iEyK6jCOM_gLr8XLL8FlGx5W2VvQrxNLObqSmxe7dNqCw_nubdRSu8PSW9XYirtuf1hKRVR9-jWZWrjp1oRYmEWUVG1MY0hIhon/s1600/VPN.gif" title="Fix VPN MTU on Windows Server" /></a></div>
<h4 style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<span style="color: #0b5394;"><br />Problem:</span></h4>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
How to set the MTU on Windows Servers. Windows Server 2012 VPN fragments packets after it applies encryption! This issue adds latency and causes the VPN to disconnect clients. No good!</div>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<h4 style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<span style="color: #134f5c;">Background:</span></h4>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<span style="font-size: 11pt;">The default MTU is 1500 bytes. IPsec encryption adds a number of bytes to the original packet, which leads to post-fragmentation conditions. In other words, packets are fragmented after encryption. This condition degrades or disrupts VPN performance. </span></div>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<h4 style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<span style="color: #134f5c;">Solution:</span></h4>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
Adjust the maximum segment size (MSS) on the outside interface so the packet size stays below the default 1500 MTU. </div>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
Packet fragmentation occurs when a packet is larger than the interface MTU. With a smaller MTU, TCP segments the original data before encryption so that the encrypted packet does not have to be fragmented afterwards. According to Cisco, ESP overhead adds a maximum of 73 bytes to each packet. Therefore, we can adjust the MSS to a conservative 1400. </div>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<h4 style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<span style="color: #134f5c;">PowerShell:</span></h4>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
Step 1: Identify external interface.</div>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<div style="margin: 0in;">
<pre><code>PS C:\Users\thedude> netsh int ipv4 sh int

Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  1          50  4294967295  connected     Loopback Pseudo-Interface 1
 29          30     Default  connected     RAS (Dial In) Interface
 12           5        1500  connected     Inside
 14           5        1500  connected     Outside</code></pre></div>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
Step 2. Modify the external interface MTU (and with it the MSS).</div>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<div style="margin: 0in;">
<pre><code>PS C:\Users\thedude> netsh int ipv4 set subint "Outside" mtu=1350 store=persistent</code></pre></div>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
Step 3. Confirm the MTU:</div>
<div style="margin: 0in;">
<pre><code>PS C:\Users\thedude> netsh int ipv4 sh int

Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  1          50  4294967295  connected     Loopback Pseudo-Interface 1
 29          30     Default  connected     RAS (Dial In) Interface
 12           5        1500  connected     Inside
 14           5        1400  connected     Outside</code></pre></div>
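<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
The three netsh steps as an added PowerShell example (not from the original post) using the NetTCPIP cmdlets, plus a Don't-Fragment ping that confirms the chosen MTU actually fits the path. The interface alias comes from the listing above; the target MTU and the probe address are assumed values.</div>

```powershell
# Added example (not from the original post). Assumed: the external interface alias is
# "Outside" (as in the netsh listing), the target MTU is 1400 and the probe host is a
# reachable peer that answers ICMP echo (203.0.113.10 is a documentation address).
$Outside   = 'Outside'
$TargetMtu = 1400            # 1500 minus the ~73-byte ESP overhead cited above, rounded down
$Probe     = '203.0.113.10'

function Set-OutsideMtu {
    param([string]$Alias, [int]$Mtu)
    # NlMtuBytes is the interface MTU; TCP derives its MSS from it (MTU - 40 for IPv4).
    Set-NetIPInterface -InterfaceAlias $Alias -AddressFamily IPv4 -NlMtuBytes $Mtu
    Get-NetIPInterface -InterfaceAlias $Alias -AddressFamily IPv4 |
        Select-Object InterfaceAlias, NlMtu, ConnectionState
}

function Test-PathMtu {
    param([string]$Target, [int]$Mtu)
    # ICMP payload = MTU - 20 (IPv4 header) - 8 (ICMP header); -f sets Don't Fragment.
    $payload = $Mtu - 28
    $out = ping.exe -n 2 -f -l $payload $Target 2>&1 | Out-String
    if ($out -match 'needs to be fragmented') {
        "MTU $Mtu is too large for the path to $Target; lower it further."
    } elseif ($out -match 'Reply from') {
        "MTU $Mtu fits the path to $Target without fragmentation."
    } else {
        "No reply from $Target; check reachability or ICMP filtering before trusting the result."
    }
}

Set-OutsideMtu -Alias $Outside -Mtu $TargetMtu
Test-PathMtu -Target $Probe -Mtu $TargetMtu
```

<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
Run the probe before and after the change: if the 1400-byte Don't-Fragment ping succeeds but a 1500-byte one reports "needs to be fragmented", the interface MTU is the only thing that changed and the post-fragmentation symptom should be gone.</div>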
<br />
That's It!
<br />
<br />
<h4>
<span style="color: #134f5c;">References</span>:</h4>
<div>
<div style="font-family: Calibri; font-size: 9.0pt; margin: 0in;">
<a href="https://supportforums.cisco.com/document/64281/how-does-nat-t-work-ipsec">https://supportforums.cisco.com/document/64281/how-does-nat-t-work-ipsec</a></div>
<div style="font-family: Calibri; font-size: 9.0pt; margin: 0in;">
<a href="http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/vspa/configuration/guide/ivmsw_book/ivmvpnb.html#wp2047965">http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/vspa/configuration/guide/ivmsw_book/ivmvpnb.html#wp2047965</a></div>
<div style="color: #595959; font-family: Calibri; font-size: 9.0pt; margin: 0in;">
<a href="http://www.concurrency.com/blog/w/site-to-azure-vpn-using-windows-server-2012-rras">http://www.concurrency.com/blog/w/site-to-azure-vpn-using-windows-server-2012-rras</a></div>
</div>
<br />
<br />Steven M. Jordan<br />
<br />
<b>Install Mobile-Config Script</b> (posted 2016-11-15)<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbWIRzh_9vse4BqHjl2BkYwcsKnTj4IrVHvdUsf63wFP4fA087NWXdJCkdEl52z_KTRlZ9F-yqE90SB45E458hTsJC9lzsf13mdS6_YQZKQocCRMzRr7rlU8gNQ81NryV02T4Hhd2NV56P/s1600/iphone.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbWIRzh_9vse4BqHjl2BkYwcsKnTj4IrVHvdUsf63wFP4fA087NWXdJCkdEl52z_KTRlZ9F-yqE90SB45E458hTsJC9lzsf13mdS6_YQZKQocCRMzRr7rlU8gNQ81NryV02T4Hhd2NV56P/s1600/iphone.jpg" title="Install Mobile-Config Script on the iPhone" /></a></div>
<h4>
<span style="color: #741b47;">Task: </span></h4>
Setup instructions for manual distribution of mobile-config scripts for iPhones and iPads.<br />
<h4>
<span style="color: #741b47;">Assumptions:</span></h4>
These instructions assume the mobile-config script has already been generated. They cover situations where mobile device management (MDM) is not available and assume email distribution from a private server. Use caution whenever distributing certificates and private keys! <br />
<h4>
<span style="color: #741b47;">Background:</span></h4>
Mobile-config scripts run on any iPhone or iPad. Simply open the email attachment to start the process. The script installs the certificates and configures the IKEv2 VPN. One script can configure multiple devices.<br />
<h4>
<span style="color: #741b47;">Security Considerations</span></h4>
Also note, the script includes the private key for the client certificate. This key provides identity validation, authentication, and authorization. Anyone that gets a hold of it can impersonate the account. It’s critical to use a passcode and enforce encryption. Do not install these files on jailbroken devices. Delete the script from your mailbox after all devices are configured.<br />
<h4>
<span style="color: #741b47;">Brief instructions:</span></h4>
Step 1: Open mobile-config file to start the profile installation.<br />
<br />
· N.B., this script is not signed. That’s OK.<br />
· Click Next.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgd9qlCf9dTwRSy4yJJuNI2pLBOjEr_k1JcWoR9ULR5k2gpWe0kIDqEGFz4WHQAai0twQ9RcyYrBSZhyphenhyphennPn0SYhVSyzIrAuLDXA6JWgevx0q8CPCPRx5owhuhBndEDSPoVram5H72ijX_nP/s1600/MC1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgd9qlCf9dTwRSy4yJJuNI2pLBOjEr_k1JcWoR9ULR5k2gpWe0kIDqEGFz4WHQAai0twQ9RcyYrBSZhyphenhyphennPn0SYhVSyzIrAuLDXA6JWgevx0q8CPCPRx5owhuhBndEDSPoVram5H72ijX_nP/s1600/MC1.PNG" /></a></div>
<br />
<br />
Step 2: Enter device passcode.<br />
<br />
Step 3: Consent.<br />
<br />
· Brief description for mobile-config. <br />
· Installation requires consent.<br />
· Click Next.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRAFtyxcMcaXVo2CwaqAuee-rNtB3cJfOOFJ1tzm-VXNA1b5I900J33bA88hGxLBDDs_7fMhE8GNdyD2eEsBdF78z8C2Cjowv1ekSCkJ5rZJRPpsfrZZ56dMGunQeOAP3wCWEZ6gScIlAA/s1600/MC2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRAFtyxcMcaXVo2CwaqAuee-rNtB3cJfOOFJ1tzm-VXNA1b5I900J33bA88hGxLBDDs_7fMhE8GNdyD2eEsBdF78z8C2Cjowv1ekSCkJ5rZJRPpsfrZZ56dMGunQeOAP3wCWEZ6gScIlAA/s1600/MC2.PNG" /></a></div>
<br />
<br />
Step 4: Confirm Install.<br />
<br />
· General VPN disclosure.<br />
· Click Install. Click Done.<br />
<br />
Step 5. Connect to the VPN.<br />
<br />
· Open Settings.<br />
· Toggle the VPN button.<br />
· The VPN symbol appears in upper left-hand corner to confirm active VPN sessions.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG0W78isVED8CgxPRdzwqDmBIRGrJvVKc2B9tNabiIK-9knUSmCQrYkOUCFdsJFKSfHPPBMcLpgj9wp7pdoLMxCf1ESHUk1Tr1IyfMoBxOZwDGMoT2MaXBfFmSVRl8b9Yb5duizVMI2rDK/s1600/MC3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG0W78isVED8CgxPRdzwqDmBIRGrJvVKc2B9tNabiIK-9knUSmCQrYkOUCFdsJFKSfHPPBMcLpgj9wp7pdoLMxCf1ESHUk1Tr1IyfMoBxOZwDGMoT2MaXBfFmSVRl8b9Yb5duizVMI2rDK/s1600/MC3.PNG" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The VPN is ready for action. That's It!</div>
<br />Steven M. Jordan<br />
<br />
<b>Dynamic S2S VPNs</b> (posted 2016-11-14, updated 2016-11-28)<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXFJPF11wDh_6W53OWPBcIjZzPgQ37wvujjyk5WQto9iEyK6jCOM_gLr8XLL8FlGx5W2VvQrxNLObqSmxe7dNqCw_nubdRSu8PSW9XYirtuf1hKRVR9-jWZWrjp1oRYmEWUVG1MY0hIhon/s1600/VPN.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXFJPF11wDh_6W53OWPBcIjZzPgQ37wvujjyk5WQto9iEyK6jCOM_gLr8XLL8FlGx5W2VvQrxNLObqSmxe7dNqCw_nubdRSu8PSW9XYirtuf1hKRVR9-jWZWrjp1oRYmEWUVG1MY0hIhon/s1600/VPN.gif" /></a></div>
<br />
<h4>
<span style="color: #134f5c;">Task:</span></h4>
Create site-to-site (S2S) interfaces for dynamic IKEv2 VPN clients (e.g., iPhones). Assign different cryptographic algorithms to each S2S interface. <br />
<h4>
<span style="color: #134f5c;">What are dynamic S2S VPNs?</span></h4>
S2S VPNs usually support static VPN endpoints. For example, a dedicated (i.e., always-on) VPN that connects a branch office to its HQ office. However, S2S VPNs can also connect mobile clients for dynamic connections. This hybrid approach is for special circumstances.<br />
<h4>
<span style="color: #134f5c;">Why use dynamic S2S VPNs? </span></h4>
Most folks should stick with the default RRAS dial-up VPN server. It provides better management and reporting tools. However, dynamic S2S VPNs support configuration features that are unavailable with the standard RRAS client VPNs. <br />
<br />
For example, dial-up IKEv2 VPNs may authenticate any certificate issued from one of their trusted root certificates. S2S VPNs can limit authentication to specific client certificates. The best part, IMHO, is the ability to apply unique cipher suites per S2S interface. For example, we can create separate S2S interfaces for each client, each with its own cipher suite standards.<br />
<h4>
<span style="color: #134f5c;">How do we implement dynamic S2S VPNs?</span></h4>
PowerShell offers a straightforward method to implement S2S VPNs. However, consider using a GUI-PowerShell hybrid approach that supports additional client management features.<br />
<h4>
<span style="color: #134f5c;">Dynamic S2S via PowerShell:</span></h4>
The following example creates a new S2S interface with strong security targets:<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>• Certificate authentication<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>• IKEv2 Protocol<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>• Main Mode: AES128-SHA256-DHGroup14 <br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>• Quick Mode: AES256-SHA256<br />
<pre><code>Add-VpnS2SInterface -Name smj@stevenjordan.net -CustomPolicy -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -Destination 0.0.0.0 -Protocol IKEv2 -AuthenticationMethod MachineCertificates -ResponderAuthenticationMethod MachineCertificates -EncryptionType RequireEncryption</code></pre>
<br />
The interface name always matches the authentication certificate's subject name. Some clients (e.g., iPhone) require a matching subject common name and matching subject alternative name (SAN) DNS name. This attribute associates the authentication certificate with the S2S interface. The destination flag is set to accept connection requests from any IP (i.e., it's dynamic).<br />
<br />
Don't forget to lock down the VPN server. Enforcing subject names does not secure the server. Recall, the Windows VPN server leaves its front door wide open by default. Windows VPN security requires manual changes: <a href="http://www.stevenjordan.net/2016/10/door-wide-open-on-win-ikev2.html">http://www.stevenjordan.net/2016/10/door-wide-open-on-win-ikev2.html</a><br />
<h4>
<span style="color: #134f5c;">Managing S2S connections via PowerShell:</span></h4>
Managing client connections is cumbersome compared to traditional RRAS client VPN tools. For example, RRAS and Remote Access Management provide simple GUI tools to manage dial-up connections (Figure 1). However, Remote Access Clients does not display S2S connections. Additionally, RRAS Network Interfaces does display S2S interfaces by default.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidFbFCo8ZfElsTtzeRWH_ejnSPe28TreWUMiOMPsFDJoQjp2WqjC5gkot7h3AS49xMPDTSojgQ57waESKNmQRgXlq2Z1GbNjKAu9d1kXmQ3x5DRZ9gssBSHKX7R4hT-IlE9J0VuVPy48a9/s1600/RRAS_Client.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="90" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidFbFCo8ZfElsTtzeRWH_ejnSPe28TreWUMiOMPsFDJoQjp2WqjC5gkot7h3AS49xMPDTSojgQ57waESKNmQRgXlq2Z1GbNjKAu9d1kXmQ3x5DRZ9gssBSHKX7R4hT-IlE9J0VuVPy48a9/s400/RRAS_Client.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1. RRAS Client Connections.</td></tr>
</tbody></table>
The RRAS management GUI does not play well with dynamic S2S connections. The Remote Access Clients tab does not display active connections. However, the GUI will display active IKEv2 WAN Miniports:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh87B-mkN7xeswruhg7sfVurIx4aN4eLZTPOwk7QI3mXW0yCxRVsD0K97gzWNTp1bvQqjJ6FEVwrb1MY5FfJN1yhcz0OSeYoclL3yOUHkbpqbXrhjts1vthgaRS0sHxnelAeAUYNzZ5uzgl/s1600/RRAS_Status2.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="111" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh87B-mkN7xeswruhg7sfVurIx4aN4eLZTPOwk7QI3mXW0yCxRVsD0K97gzWNTp1bvQqjJ6FEVwrb1MY5FfJN1yhcz0OSeYoclL3yOUHkbpqbXrhjts1vthgaRS0sHxnelAeAUYNzZ5uzgl/s400/RRAS_Status2.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 2. Active WAN Miniports. Good enough.</td></tr>
</tbody></table>
PowerShell provides a better method to view active S2S connections:<br />
<pre><code>PS C:\Users\SMJ> Get-VpnS2SInterface

RoutingDomain  Name             Destination  AdminStatus  ConnectionState
-------------  ----             -----------  -----------  ---------------
               XXXXXX-XXXX-SMJ  {0.0.0.0}    True         Connected</code></pre>
<h4>
<span style="color: #0b5394;">Dynamic S2S GUI-PowerShell Hybrid</span></h4>
Alternately, create dynamic S2S interfaces with the RRAS GUI. This approach offers some S2S client management benefits. Keep in mind, these S2S interfaces use default cryptographic algorithms. We'll need to modify S2S security targets with PowerShell:<br />
<br />
Step 1. RRAS → VPN server → Right-click Network Interfaces → New Demand-Dial Interface:<br />
<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>• Interface Name: Certificate's subject common name. <br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>• Connection Type: VPN → Next<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>• VPN Type: IKEv2 → Next<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>• Hostname: None (leave blank) → Next<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>• Protocols & Security: Route IP packets on this interface → Next<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>• Static Routes: None (or add based on your organization's needs).<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>• Dial-Out Credentials: None → Next → Finish.<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span><br />
Step 2: Edit S2S interface properties → Options tab.<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>• Connection type: Persistent connection → OK.<br />
<br />
Step 3: Edit security targets for S2S interface in PowerShell.<br />
<pre><code>PS C:\Users\SMJ> Set-VpnS2SInterface -name xxxx-xxxx-SMJ -CustomPolicy -CipherTransformConstants AES256 -DHGroup Group14 -EncryptionMethod aes256 -IntegrityCheckMethod SHA256 -EncryptionType RequireEncryption
<span style="background-color: white;">WARNING: VPN site-to-site adapter xxxx-xxxx-SMJ will be modified and the parameters
other than IPv4Subnet/IPv6Subnet will be applicable next time the connection is dialed.</span></code></pre>
<h4>
<span style="color: #134f5c;">Check Hybrid S2S Connection from GUI:</span></h4>
RRAS → VPN server → Network Interfaces: Connection Status<br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhM8e6FU6HJL5Er8Zi1IwUB20q0oKuFCFFEpdEgI01iNa3vapzMlhpgg8CMAp7T8wlK82Z3TOlijr6f88Cfrw_dMe7q6pBDix1lzeUx5ZWbnwkTqfIuXvZDINNGEy-OD7-6oMBtigOl0JPF/s1600/RRAS_Status_GUI.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="98" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhM8e6FU6HJL5Er8Zi1IwUB20q0oKuFCFFEpdEgI01iNa3vapzMlhpgg8CMAp7T8wlK82Z3TOlijr6f88Cfrw_dMe7q6pBDix1lzeUx5ZWbnwkTqfIuXvZDINNGEy-OD7-6oMBtigOl0JPF/s400/RRAS_Status_GUI.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 3. S2S connection status via RRAS GUI.</td></tr>
</tbody></table>
<br />
The RRAS Network Interface GUI now includes a list of S2S interfaces and connection status. It also provides a simple method to disconnect or disable client connections.<br />
<h4>
<span style="color: #134f5c;">Troubleshoot:</span></h4>
Use PowerShell to check server IPsec crypto-sets:<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>• Get-NetIPsecMainModeCryptoSet<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>• Get-NetIPsecQuickModeCryptoSet<br />
<br />
<br />
Confirm server-client security targets work as intended:<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>• Get-VPNS2SInterface<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>• Get-NetIPsecMainModeSA<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>• Get-NetIPsecQuickModeSA<br />
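<br />
The troubleshooting cmdlets above, the security targets from the PowerShell section, and Step 3 of the hybrid approach combined into one added PowerShell example (not from the original post): it audits every S2S interface on the RRAS server against the targets, can re-apply them with Set-VpnS2SInterface where an interface has drifted, and then lists what the live main-mode SAs actually negotiated. It assumes the RemoteAccess module on the VPN server; the property names used for the SA listing are the ones the NetSecurity cmdlets expose and should be confirmed on your build.<br />

```powershell
# Added example (not from the original post). Run on the RRAS server; requires the
# RemoteAccess module. Accepted values are the post's targets or stronger.
$Required = @{
    AuthenticationMethod     = @('MachineCertificates')
    EncryptionType           = @('RequireEncryption')
    DHGroup                  = @('Group14', 'ECP256', 'ECP384')           # Group14 or stronger
    IntegrityCheckMethod     = @('SHA256', 'SHA384')
    EncryptionMethod         = @('AES128', 'AES192', 'AES256')
    CipherTransformConstants = @('AES128', 'AES192', 'AES256', 'GCMAES128', 'GCMAES256')
}

function Test-S2SSecurityTargets {
    # One row per interface listing every setting that falls outside $Required.
    param([Parameter(ValueFromPipeline = $true)] $Interface)
    process {
        $drift = foreach ($setting in $Required.Keys) {
            $actual = [string]$Interface.$setting
            if ($actual -notin $Required[$setting]) { "$setting=$actual" }
        }
        [pscustomobject]@{
            Name  = $Interface.Name
            State = $Interface.ConnectionState
            Drift = if ($drift) { $drift -join '; ' } else { 'OK' }
        }
    }
}

function Repair-S2SSecurityTargets {
    # Re-applies the post's Step 3 target set; it takes effect the next time the client dials in.
    param([string]$Name)
    Set-VpnS2SInterface -Name $Name -CustomPolicy `
        -CipherTransformConstants AES256 -DHGroup Group14 -EncryptionMethod AES256 `
        -IntegrityCheckMethod SHA256 -EncryptionType RequireEncryption
}

$report = Get-VpnS2SInterface | Test-S2SSecurityTargets
$report | Format-Table -AutoSize

# Uncomment to bring drifted interfaces back in line.
# $report | Where-Object Drift -ne 'OK' | ForEach-Object { Repair-S2SSecurityTargets -Name $_.Name }

# What was negotiated on live connections, to compare against what was configured
# (assumed property names as shown by Get-NetIPsecMainModeSA; verify on your build).
Get-NetIPsecMainModeSA |
    Select-Object LocalEndpoint, RemoteEndpoint, CipherAlgorithm, HashAlgorithm, GroupId, KeyModule |
    Format-Table -AutoSize
```

<br />
A configured interface that shows OK but a main-mode SA negotiated with a weaker group or hash usually means the client, not the server, proposed the weaker set and the server-wide crypto set (Get-NetIPsecMainModeCryptoSet) still allows it.<br />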
<div>
<br />
I also recommend using the Best Practice Analyzer (BPA) to check for any obvious S2S security warnings.<br />
<a href="https://technet.microsoft.com/en-us/library/ee922676(v=ws.10).aspx">https://technet.microsoft.com/en-us/library/ee922676(v=ws.10).aspx</a><br />
<br /></div>
<br />
That's It!<br />
<br />
Steven M. Jordan