I have written previously on how to quickly create a free, secure and fast VPN solution on Windows Server 2003. Having just migrated my own VPN to Windows Server 2008, I thought I should do a new article for the more recent operating system. This version of the install requires only one network interface and therefore does not require configuration as a router, which simplifies the solution and makes it far easier to implement in today's subnetted networks.
This solution provides for proper two-factor authentication, which makes it plenty secure enough for its intended use - a quick and secure way to provide remote access to your network while the comms team sets up their enterprise class VPN solution. The solution is not perfect, primarily in its requirement to manage the pre-shared key by hand - unworkable for more than a *very* small number of users.
I built this solution using a VM and total configuration and testing time is comfortably under an hour.
First, deploy yourself a fresh Windows Server 2008 VM, not forgetting to sysprep it (thus making sure you have a nice fresh SID!) if necessary, and then join it to the domain so it can authenticate users on the domain.
After logging on as an administrator for the first time, the server manager should open up and allow you to install additional roles. The roles wizard is excellent, but a little mickey mouse for those of us that know what we're about.
If you are using a VM and have the capability, you might want to take a snapshot of the machine at this point in case you want to start again.
Install the Role
Open the Server Manager (right-click on My Computer and select Manage).
Start the roles wizard by expanding out the left hand menu, selecting roles and clicking the add roles button.
Select the Network Policy and Access Services check box and click next through to the role services dialog.
Select only the Remote access service and click through to install.
Configure RRAS
Once complete, close the role wizard and from the administrative tools menu, open routing and remote access.
Verify the machine name in the snap-in is correct and right-click on it, selecting Configure and Enable Routing and Remote Access to start the wizard. It's worth noting here that if you want to fry the config and start again, you can right-click on the server name and select Disable Routing and Remote Access to completely clear the RRAS config.
Unless specified, from now on leave all the default settings and only change what is described below:
Select Custom Configuration
Check VPN Access Only
Finish and start the service
Right-click on the server and select properties:
Server Properties
General Tab: Enable this computer as a: (IPv4) Remote Access Server, uncheck everything else
Security Tab: Authentication Provider: Windows Authentication
Allow custom IPSec policy for L2TP connection (enter a long passphrase to act as the shared key; save this for entry into the client setup)
IPv4 Tab: Enable IP forwarding
This server can assign addresses by using DHCP
Enable broadcast name resolution
PPP Tab: Check all
Logging Tab: Log all events
Ports Properties
Uncheck all connections boxes for everything other than L2TP and where required, set maximum ports to 1 or 0
L2TP: Remote access connections (inbound only)
Uncheck everything else
Maximum ports: 10 (or whatever you think you'll need)
IPv4 Properties
Routing: Only General and Static Routes, remove everything else
General Properties
Logging Tab: Log errors and warnings
Remote Access Logging and Policies
New Network Policy
Policy Name: "Permit Windows VPN Access"
Policy Condition: Tunnel-Type matches "Layer Two Tunneling Protocol (L2TP)"
Policy Condition: Tunnel-Type matches "Point to Point Tunneling Protocol (PPTP)" (only if you require it)
Access is determined by user dial-in properties (i.e. set on the Dial-In tab of the user account)
Configure Authentication Methods
Check: Microsoft Encrypted Authentication v2 (MS-CHAP v2) (and user can change password feature)
Check: Microsoft Encrypted Authentication (MSCHAP) (and user can change password feature)
Uncheck everything else on authentication methods
Default remaining settings
Don't forget to remove any snapshots you created as they are no longer required.
Once the setup is complete you will need to open the firewall and configure a public facing IP and preferably a public DNS entry too. If this is your home connection and you have no fixed public IP or public DNS then you can set your firewall to accept the connections and statically map the ports straight through to your new VPN server.
Firewall Configuration Settings
L2TP Inbound Requirements: IP protocol 50 (ESP), IPSec NAT-T UDP 4500, IKE UDP 500
PPTP Inbound Requirements: IP protocol 47 (GRE), PPTP TCP 1723
Configure the firewall to allow any source to reach the firewall on the above ports and protocols, and add the rule to forward that traffic to the internal IP of the VPN server.
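The same rule set, written out as an added PowerShell example that is not from the original post. It uses netsh advfirewall, which is present on Windows Server 2008, and assumes you want the rules expressed explicitly on the VPN server's own Windows Firewall (the perimeter firewall in the text is a separate product with its own syntax). The PPTP rules are only generated when -IncludePptp is passed, matching the "only if you require it" above. Test-VpnListeners parses netstat -an output to confirm that RRAS is actually bound to UDP 500 and 4500 once the service is started; the $SampleNetstat text is constructed for illustration, not captured from a real host.

```powershell
# Added example (not from the original post): inbound Windows Firewall rules
# for the L2TP/IPsec (and optional PPTP) requirements, plus a listener check.
# Assumes an elevated prompt on the RRAS server and netsh advfirewall.

function Get-VpnFirewallRules {
    param([switch]$IncludePptp)
    # One inbound allow rule per entry; Port is $null for raw IP protocols,
    # which netsh addresses by protocol number rather than by port.
    $rules = @(
        @{ Name = 'RRAS L2TP IKE (UDP 500)';     Protocol = 'UDP'; Port = 500   },
        @{ Name = 'RRAS L2TP NAT-T (UDP 4500)';  Protocol = 'UDP'; Port = 4500  },
        @{ Name = 'RRAS L2TP ESP (IP proto 50)'; Protocol = '50';  Port = $null }
    )
    if ($IncludePptp) {
        $rules += @{ Name = 'RRAS PPTP (TCP 1723)';        Protocol = 'TCP'; Port = 1723  }
        $rules += @{ Name = 'RRAS PPTP GRE (IP proto 47)'; Protocol = '47';  Port = $null }
    }
    return $rules
}

function Get-NetshArguments {
    param([hashtable]$Rule)
    # Argument list for: netsh advfirewall firewall add rule ...
    $netshArgs = @('advfirewall', 'firewall', 'add', 'rule',
                   "name=$($Rule.Name)", 'dir=in', 'action=allow',
                   "protocol=$($Rule.Protocol)")
    if ($Rule.Port) { $netshArgs += "localport=$($Rule.Port)" }
    return $netshArgs
}

function Add-VpnFirewallRules {
    param([switch]$IncludePptp, [switch]$DryRun)
    foreach ($rule in Get-VpnFirewallRules -IncludePptp:$IncludePptp) {
        $netshArgs = Get-NetshArguments -Rule $rule
        if ($DryRun) { Write-Host ('netsh ' + ($netshArgs -join ' ')) }
        else         { & netsh $netshArgs }
    }
}

function Test-VpnListeners {
    param([string[]]$NetstatLines, [int[]]$ExpectedUdp = @(500, 4500))
    # Collect every UDP port bound according to 'netstat -an' output.
    $bound = @()
    foreach ($line in $NetstatLines) {
        if ($line -match '^\s*UDP\s+(\S+):(\d+)\s') { $bound += [int]$matches[2] }
    }
    $missing = @($ExpectedUdp | Where-Object { $bound -notcontains $_ })
    return @{ Bound = $bound; Missing = $missing; Ok = ($missing.Count -eq 0) }
}

# Show what would be run, without touching the firewall.
Add-VpnFirewallRules -DryRun

# Constructed sample of 'netstat -an' output on a server where RRAS has
# started (IKE and NAT-T bound). Not captured from a real host.
$SampleNetstat = @'
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:4500           *:*
'@
$result = Test-VpnListeners -NetstatLines ($SampleNetstat -split "`r?`n")
if ($result.Ok) { 'IKE and NAT-T listeners present' }
else            { "Missing UDP listeners: $($result.Missing -join ', ')" }

# Against the live server: Test-VpnListeners -NetstatLines (netstat -an)
```

Run Add-VpnFirewallRules without -DryRun (and with -IncludePptp if you enabled PPTP) to create the rules. If the listener check reports 500 or 4500 missing after the service is started, the problem is on the RRAS side, not the firewall, which is worth knowing before you fry the config and start again.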
To configure the Windows VPN Client
New Connection Wizard
Connect to the network at my workplace
Virtual Private Network Connection
Set the connection Name "My VPN"
Decide if a dial-up connection is required first
Enter the IP address/DNS Name of the VPN Server
Connection Properties
Options Tab: Check all Dialling Options
Security Tab: IPSec Settings
Use pre-shared key for authentication
(enter text to act as shared key, same as that entered above)
Security Tab: Everything else, leave as default
Networking Tab: Type of VPN L2TP IPSec VPN or PPTP if you configured it above
Networking Tab: Everything else, leave as default
There, all done. I've used this in a few places and because the setup is so quick and easy, on the very rare occasions when it goes wrong, it's actually quicker to fry the config and start again than to try and diagnose what went wrong.
Friday, 9 May 2008
Sunday, 4 May 2008
Having migrated this blog to Windows Server 2008 I was checking the logs and noticed that the mail.asp page was being abused to try and send me spam email.
This has been going on for a while, but my mailserver knows the difference between legit comment and muppets posting porn site links and I never received the duff email. However, I felt that I should be doing something to stop this behaviour.
To this end I've modded the email response page to break the typical attempts and stop it from working. If you also run BlogX and want to know how this was done, please drop me a line.
Of course, there are a variety of methods of doing this, so I will have to see how successful my first try was. It's likely I'll have to brush off more of my rusty ASP to solve it permanently.
Update: My first try was not that successful and about 80% of the bot-based spammers were able to get through. However, my second attempt makes use of the server itself to detect the source of the request and block anyone not using the page for legit comment.
I have emailed the author of the blog software who will be implementing a verification methodology where users are required to confirm over email - thus neatly removing any false/spoofed addresses and their messages. This will be available once Matthew1471 has finished his finals!
Saturday, 3 May 2008
The fact that you're able to read this at all can be considered something of a success as I've just finished migrating my various web applications to new webservers running Windows Server 2008. IIS 7 is a whole new ball game, and I don't just mean the incomprehensible admin interface!
The first problem was working out what needed to be installed; in fact, I installed and uninstalled IIS so many times (OK, only 3) that eventually the web service refused to serve even HTML pages and I had to rebuild the server from scratch. Twice. Thank the Lord for unattended installations and VMware ESX 3.5 or I would have gone a little more insane.
So, one working webserver later, I migrated the first of the apps, a basic HTML only site with authentication. So far so good on a few more apps - until I got to my main website www.leafgrove.com, where I "discovered" that CDONTS no longer works and the email contact page was broken as a result. Actually, I discovered this years ago when I moved this app to Windows 2003 Server, but back then all you had to do was find a copy of CDONTS.DLL on Windows 2000 Server SP4+, copy it over and register it. The new solution is CDOSYS and I felt better using that rather than the now very old code from W2K.
A couple of hours (I know, but my ASP is rusty) with my favourite scripting tool (Sapien PrimalScript 2007) and I had written a spanking new email processor and even improved the old processor's functionality. Some testing followed, and we were finally up and away on that site too.
A couple of other sites making use of HTTP redirects had to be tweaked and I was left with the blog.
The blog was fine until you tried to edit or create entries, whereupon you got one of those useless HTTP 500 errors. HTTP 500 is a generic message that the server returns when it's sure something's broken but it's not prepared to tell you what. To get any sense out of it you have to switch off friendly messages in the browser and switch on client side errors on the server (not forgetting to switch them off again afterwards!). The problem turned out to be parent paths - which was exactly the same problem as it was a couple of years ago when I migrated this blog to Windows 2003 Server. The disabling of parent paths was done by Microsoft as a security measure and the correct thing to do is fix the code to remove the ".." where proper paths should be. However, the original issue no longer exists and as this isn't my code and I don't fancy editing 30-odd ASP files looking for duff includes, I chose to take the lazy route.
No worries there then, a click or two later to enable parent paths and all was operational.
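For anyone taking the route the post calls the correct one (fixing the includes rather than re-enabling parent paths), the following is an added PowerShell example; it is not part of the original post or of the BlogX code. It scans a site root ($SiteRoot is a hypothetical path) for server-side includes whose target walks upwards with "..", works out where each one resolves, flags any that land outside the site root, and suggests the equivalent #include virtual form rooted at the site, which works with parent paths left disabled. The $SampleLines at the end are constructed to show the three cases without needing a real site on disk.

```powershell
# Added example (not from the original post or BlogX): find ASP includes that
# rely on parent paths ("..") so they can be rewritten instead of re-enabling
# the Enable Parent Paths setting. $SiteRoot is a hypothetical location.
$SiteRoot = 'C:\inetpub\wwwroot\blog'

# Matches <!--#include file="..."--> and <!--#include virtual="..."-->
$IncludePattern = '<!--\s*#include\s+(file|virtual)\s*=\s*"([^"]+)"\s*-->'

function Resolve-IncludeTarget {
    param([string]$Root, [string]$IncludingFile, [string]$Kind, [string]$Target)
    # A 'virtual' path starting with / is rooted at the site; anything else is
    # relative to the directory of the file containing the include.
    if ($Kind -eq 'virtual' -and $Target -match '^[\\/]') {
        $base = $Root
        $Target = $Target.Substring(1)
    } else {
        $base = Split-Path -Parent $IncludingFile
    }
    # GetFullPath collapses the ".." segments without touching the disk.
    return [System.IO.Path]::GetFullPath((Join-Path $base $Target))
}

function Get-ParentPathIncludes {
    param([string]$Root, [string]$FilePath, [string[]]$Lines)
    $rootFull = [System.IO.Path]::GetFullPath($Root).TrimEnd('\')
    $findings = @()
    $lineNo = 0
    foreach ($line in $Lines) {
        $lineNo++
        foreach ($m in [regex]::Matches($line, $IncludePattern, 'IgnoreCase')) {
            $kind   = $m.Groups[1].Value.ToLower()
            $target = $m.Groups[2].Value
            # Only includes whose path walks upwards need parent paths at all.
            if ($target -notmatch '(^|[\\/])\.\.([\\/]|$)') { continue }
            $resolved = Resolve-IncludeTarget $rootFull $FilePath $kind $target
            $inside = $resolved.StartsWith($rootFull + '\',
                          [System.StringComparison]::OrdinalIgnoreCase)
            $suggest = if ($inside) {
                # Same file, addressed from the site root: no ".." needed.
                '<!--#include virtual="' +
                    ($resolved.Substring($rootFull.Length) -replace '\\', '/') + '"-->'
            } else {
                'ESCAPES SITE ROOT - move the file under the site or drop the include'
            }
            $findings += New-Object PSObject -Property @{
                File = $FilePath; Line = $lineNo; Include = $m.Value
                ResolvesTo = $resolved; InsideSite = $inside; Suggest = $suggest
            }
        }
    }
    return $findings
}

function Find-ParentPathIncludes {
    param([string]$Root)
    # Walk the site and run the check over every ASP source file.
    Get-ChildItem -Path $Root -Recurse |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(asp|inc|asa)$' } |
        ForEach-Object {
            Get-ParentPathIncludes -Root $Root -FilePath $_.FullName -Lines (Get-Content -Path $_.FullName)
        }
}

# Constructed sample lines, as found in an old ASP app under blog\admin\edit.asp:
# one include that stays inside the site, one that needs no parent path, and
# one that climbs out of the site root altogether.
$SampleLines = @(
    '<!--#include file="../inc/header.asp"-->',
    '<!--#include file="inc/local.asp"-->',
    '<!--#include file="..\..\..\secrets\config.asp"-->'
)
Get-ParentPathIncludes -Root $SiteRoot -FilePath 'C:\inetpub\wwwroot\blog\admin\edit.asp' -Lines $SampleLines |
    Format-Table Line, InsideSite, ResolvesTo, Suggest -AutoSize

# On a real site: Find-ParentPathIncludes -Root $SiteRoot | Format-Table File, Line, Suggest -AutoSize
```

The third sample line is the case the parent paths setting exists to prevent: with parent paths enabled, an include can pull in a file from anywhere above the site, so a scan like this is a quick way to see whether any of the 30-odd files actually need it before flipping the switch.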
Being as this is all new, I would appreciate feedback from those that notice any difference. If your feedback is particularly helpful, I might even come up with a prize or something for your efforts! Just click the email button below or drop me a line at the usual place.
Tuesday, 29 Apr 2008
Recently, my Lacie Ethernet Disk (perhaps the cheapest server based storage money can buy) has been shutting down spontaneously. There was no fixed time or set of circumstances and nothing in the logs other than the usual "shutdown at blah was unexpected" messages in the event logs. Sometimes it would stay up for a week, sometimes not even 20 minutes.
The problem turned out to be the weather and was solved by moving it from the top of the rack to the middle.
Confused? Here goes...
The Lacie is not a particularly robust bit of kit internally, and the large disks generate a fair bit of heat. This is probably why the casing is metal as aluminium is an excellent conductor of heat, where plastic isn't. Overly high internal temperatures in the Lacie cause it to power off. My Lacie was sat in the top of my rack, the rest of the space being taken up by servers and the like.
My server room used to get very hot in summer, but last year I put in AirCon and things have much improved - but the unit is only 7 kW capable and the heat is not entirely dissipated from the rear of the rack due to lousy air circulation. The big servers are full of fans and cope fine, but the Lacie is a little more sensitive.
So, it turns out that when we have a bit of sun, as recently, the rack gets just hot enough internally to cause the Lacie to shut down. I moved the Lacie to the middle of the rack where there is less heat and also where the ambient room temperature is lower and voila, it's been up for a while now with no issues.
Sunday, 20 Apr 2008
Bulimia is not funny, but it was nevertheless entertaining watching BBC news this morning where John Prescott's bulimia was reported. Not even the usually straight-faced early morning presenters were able to keep the smile out of their faces and voices at the thought of the ex-deputy prime minister barfing his Chinese dinner into Westminster's porcelain chariots.
Monday, 7 Apr 2008
Desktop Virtualisation is the replacement of the traditional desktop hardware with a thin or zero client device that presents only an interface to a Virtual Machine - running on VMWare ESX/VI3/Virtual Server, Microsoft Virtual Server or some other virtualisation platform (seriously, there are others). You can do this with a PC and a software application, but although useful in a number of situations, that's not what's got me interested.
My experience is currently limited to the Pano Logic Pano Device and Pano Desktop Manager Software v1.1 and later, but I'm voraciously reading whatever I can find about their competitors. Pano is not the only way to skin this particular cat and the industry hasn't yet sorted out the winners and losers in the marketplace.
The Pano device itself is basically an X-Windows terminal that connects to the X Server running on the Pano Desktop Manager (DM). The DM is running CentOS and some clever software that allows the Pano devices to be attributed to a pool of Virtual Machines hosted on (in this case) a VMWare Virtual Infrastructure running ESX v3.5. The Pano device is able to find the DM via one of a number of methods, but my favourite is by configuring a special option on the DHCP servers. Once found, the DM registers the device and allows you to 'manage' it from a web application.
When a user powers on the Pano device, they are presented (almost instantly) with a customisable X-Windows logon, which accepts their Active Directory domain credentials. The DM then proxies these credentials to a "vacant" Desktop Virtual Machine (DVM) and logs them in to the terminal services connection provided with Windows 2000 Server, XP, 2003, Vista and 2008. All the standard applications are available that were installed when the VM was built/cloned, and the user notices nothing different from then on. There is some necessary configuration to do with the Active Directory in terms of GPOs, redirected folders and the like to ensure a smooth and integrated user experience, but essentially that's your lot.
So simple, it's a wonder we weren't doing it years ago.
Back in December 2007 I saw a photo of a tiny desktop device designed to provide a connection to a VMware Virtual Machine. This device was manufactured by Pano Logic in the USA and the photo appeared in Windows IT Pro in a write-up of the VMWorld show that year.
The idea of Desktop Virtualisation is the replacement of desktop machines with a virtual desktop infrastructure - VDI. This means that all purchase, power and support costs associated with new desktop computers are reduced down to deployment of a smart-phone sized unit on the desktop and re-use of the original screen keyboard and mouse. The operating system and software licensing costs remain, albeit centralised, but there is no further cost uplift associated with terminal services or citrix.
I was so impressed with the unit, both in its concept and its design, that I immediately contacted the manufacturers and after some negotiation I managed to secure a sample of the software and hardware. I used my sample to build a test system in my home and from there I personally financed a pilot of the technology into one of my clients. It is very rare that a new technology is impressive enough out of the box for me to attempt to introduce it into a client - I am not paid to take clients onto the bleeding edge. However, the potential for VDI is so great that I felt it would be remiss of me to allow the client in question to miss such a good opportunity.
The first unit cost me around £200 to bring into the UK and even at this price, it compares very favourably with a new desktop computer in many scenarios. Applying the Moore's law-derived rule of technology cost, it is probable that the cost of the desktop units will halve every 2 years, thus making the TCO equation even more one-sided than it is today.
Saturday, 8 Mar 2008
Sadly, everything about the Jersey Child Abuse Scandal is typical of the Channel Islands.
It's typical that the abuse went on. Child abuse in the islands is far more common than even the self-righteous middle class howler, the Daily Mail would have us believe. Indeed, I know more than one victim and an old friend and I took pleasure in reporting an abuser ourselves in Guernsey in 1992. After an investigation, he was convicted on three counts of indecent behaviour with a minor (amazingly, not rape) and got three counts of four months - running concurrently. He was out in 12 weeks and we still had to lobby hard to get his PSV license revoked so he couldn't drive a taxi! Of course, it's disgusting that he got away with such a laughingly light sentence, but that's pretty typical - even supposing there had been enough convictions from which to glean meaningful statistics.
I'm prepared to bet big money that the Channel Islands have the lowest conviction rates and jail sentences for child abuse anywhere in the civilised world. In fact, a third conviction for drink-driving or half an ounce of cannabis is likely to get you a much harsher sentence and certainly a far bigger fine than rape of a child.
It's also typical that the Island's politicians tried to cover it up. The Channel Islands are a largely closed society where the major business and political landscape is controlled by a small minority of families. Anything that reflects badly on the islands will be covered up and the people involved will be protected, moved to other posts or at worst pensioned off with a comfy life in the sticks. The chap we went after had many friends and we had to hand the police a raft of evidence before they would even investigate. Even after he came out of prison, he didn't lose his job immediately, but was simply transferred to a desk.
Finally, it's very typical that even such a distasteful subject as child abuse will still attract the local politicians like flies on shit. Once the scandal breaks, there will be ones in power who will scream loudly in solicitous soundbites that a full enquiry must be held and that the people responsible will be brought to justice (while simultaneously quietly working to protect them!). There will be the ones out of power who will crow with equal screaming vigour that this was the fault of him and her in power and wouldn't have happened if THEY'D been elected.
The whole political shitstorm will be veiled in a cloak of semi-secrecy, that hides not the Machiavellian machinations of the ruthlessly efficient, but the blundering incompetence of the terminally inbred.
This scandal will not be covered up and the sole reason is that when the Jersey Police were pressured into a coverup, the Chief Officer did what he should have done and called the UK police in, to guarantee impartiality. It's likely that his actions will eventually cost him his career, but he had no other choice.
Wednesday, 27 Feb 2008
Wish me luck, I'm migrating a SAN this weekend and resetting all the user and shared data permissions to the way it should be done. The job has taken us about 4 weeks of solid work to design and write the scripts and on the night, we will be re-permissioning over 11,000,000 files and folders and migrating 1300 users in one hit.
Another all-nighter methinks!
Update: Done and dusted, and home by 10 - and a total success with the number of calls to the helpdesk the following day being under 20. Thanks are due to Aron, Jeff and Graham for their hard work and testing.
Monday, 25 Feb 2008
I have a Hungarian chap working on the house for me at the moment. Roland recently took a trip home and told me a story about his return trip:
"While in the UK, I bought a steering rack and piston liners for an old Aston Martin my friend is fixing up. The parts were in separate suitcases as we came through UK customs.
The first case contained the steering rack and as it went through the x-ray scanner, the security man looking at the monitor went white and looked very shocked. After discussing it with his boss (who also looked stunned), they asked me what they were seeing, and I told them it was a steering rack for an Aston Martin.
They turned the screen around and it looked just like a machine gun.
Then the case with the piston liners went through and he went white all over again. I told him they were piston liners and he showed me the screen.
They looked just like a grenade launcher."
Even in broken English, that is the funniest thing I've heard this year.