Sunday, February 16, 2014

Recommended Network Card Configuration for ISA 2004/2006 Firewall Servers

A common question people ask on the forums about ISA Server configuration is:
How should I configure the network interfaces on my ISA Server?
A high-level overview of NIC configuration best practice is provided below:
  • The network card name used within the operating system should be changed to closely match the associated ISA Server network name. This clarifies assignment and improves supportability.
  • Only one network interface should be configured with a default gateway.
  • Only one network interface should be defined with DNS servers.
  • Unused or unnecessary bindings should be removed from all interfaces, where possible, to improve security. This is often termed ‘interface hardening’.
  • The default bind order should be amended to define a specific customised order.
Based upon these best practices, the configuration shown below is the standard approach that I normally use as part of my usual ISA Server build process.

Multiple NIC Deployment - ISA Server Standard Edition

Rename NICs:
Rename all NICs to descriptive names that ideally match the ISA Server network names.

Internal Network
Anonymous Access Perimeter Network
Authenticated Access Perimeter Network
External Network
Etc.

By matching the names, this makes mapping networks between ISA Server and Windows much easier when troubleshooting…

Configure NICs: 
Internal Network
1. Default Gateway should not be defined
2. DNS Servers should be defined
3. Register this connection’s address in DNS – Enabled
4. File and Print Sharing for Microsoft Networks – Disabled 
5. Client for Microsoft Networks – Enabled
6. NetBIOS over TCP/IP – Enabled
7. Show icon in notification area when connected – Enabled


Perimeter Network(s) 
1. Default Gateway should not be defined
2. DNS Servers should not be defined
3. Register this connection’s address in DNS – Disabled
4. File and Print Sharing for Microsoft Networks – Disabled 
5. Client for Microsoft Networks – Disabled
6. NetBIOS over TCP/IP – Disabled
7. Show icon in notification area when connected – Enabled


External Network 
1. Default Gateway should be defined
2. DNS Servers should not be defined
3. Register this connection’s address in DNS – Disabled
4. File and Print Sharing for Microsoft Networks – Disabled 
5. Client for Microsoft Networks – Disabled
6. NetBIOS over TCP/IP – Disabled
7. Show icon in notification area when connected – Enabled



Please Note: Disabling the 'File and Print Sharing for Microsoft Networks' binding on the ISA Server internal interface will prevent you from connecting to shares on the ISA Server computer, irrespective of ISA Server system policy or other custom rules that may allow it. This approach is recommended for better security, as your firewall should not be accessible as a file server!

Amend Bind Order: 
Edit the bind order as follows:
Internal Network (Highest)
Perimeter Network(s)
…Others…
External Network (Lowest)

Multiple NIC Deployment - ISA Server Enterprise Edition
With ISA Server Enterprise Edition, it is recommended to add a dedicated Intra-Array NIC. Therefore, we need to consider this additional interface in our configuration.

Rename NICs:
Rename all NICs to descriptive names that ideally match the ISA Server network names.

Internal Network
Intra-Array Network
Anonymous Access Perimeter Network
Authenticated Access Perimeter Network
External Network
Etc.

Configure NICs:
Internal Network
1. Default Gateway should not be defined
2. DNS Servers should be defined
3. Register this connection’s address in DNS – Enabled
4. File and Print Sharing for Microsoft Networks – Disabled 
5. Client for Microsoft Networks – Enabled
6. NetBIOS over TCP/IP – Enabled
7. Show icon in notification area when connected – Enabled


Intra-Array Network 
1. Default Gateway should not be defined
2. DNS Servers should not be defined
3. Register this connection’s address in DNS – Disabled
4. File and Print Sharing for Microsoft Networks – Enabled
5. Client for Microsoft Networks – Enabled
6. NetBIOS over TCP/IP – Enabled
7. Show icon in notification area when connected – Enabled


Perimeter Network(s) 
1. Default Gateway should not be defined
2. DNS Servers should not be defined
3. Register this connection’s address in DNS – Disabled
4. File and Print Sharing for Microsoft Networks – Disabled 
5. Client for Microsoft Networks – Disabled
6. NetBIOS over TCP/IP – Disabled
7. Show icon in notification area when connected – Enabled



External Network 
1. Default Gateway should be defined
2. DNS Servers should not be defined
3. Register this connection’s address in DNS – Disabled
4. File and Print Sharing for Microsoft Networks – Disabled 
5. Client for Microsoft Networks – Disabled
6. NetBIOS over TCP/IP – Disabled
7. Show icon in notification area when connected – Enabled


Amend Bind Order: 
Edit the network bind order as follows:
Internal Network (Highest)
Intra-Array Network
Perimeter Network(s)
…Others…
External Network (Lowest)

Single NIC Deployment – ISA Server Standard Edition
For a single NIC deployment, the following actions are recommended.

Rename NICs:
Rename all NICs to descriptive names that ideally match the ISA Server network names.

Internal Network 
By matching the names, this makes mapping networks between ISA Server and Windows much easier when troubleshooting…

Configure NICs: 
Internal Network
1. Default Gateway should be defined
2. DNS Servers should be defined
3. Register this connection’s address in DNS – Enabled
4. File and Print Sharing for Microsoft Networks – Disabled 
5. Client for Microsoft Networks – Enabled
6. NetBIOS over TCP/IP – Enabled
7. Show icon in notification area when connected – Enabled


Please Note: Disabling the 'File and Print Sharing for Microsoft Networks' binding on the ISA Server internal interface will prevent you from connecting to shares on the ISA Server computer, irrespective of ISA Server system policy or other custom rules that may allow it. This approach is recommended for better security, as your firewall should not be accessible as a file server!

Single NIC Deployment – ISA Server Enterprise Edition
For a single NIC deployment, the following actions are recommended.

Rename NICs:
Rename all NICs to descriptive names that ideally match the ISA Server network names.

Internal Network
Intra-Array Network
By matching the names, this makes mapping networks between ISA Server and Windows much easier when troubleshooting…

Configure NICs: 
Internal Network
1. Default Gateway should be defined
2. DNS Servers should be defined
3. Register this connection’s address in DNS – Enabled
4. File and Print Sharing for Microsoft Networks – Disabled 
5. Client for Microsoft Networks – Enabled
6. NetBIOS over TCP/IP – Enabled
7. Show icon in notification area when connected – Enabled


Intra-Array Network 
1. Default Gateway should not be defined
2. DNS Servers should not be defined
3. Register this connection’s address in DNS – Disabled
4. File and Print Sharing for Microsoft Networks – Enabled
5. Client for Microsoft Networks – Enabled
6. NetBIOS over TCP/IP – Enabled
7. Show icon in notification area when connected – Enabled



Please Note: Disabling the 'File and Print Sharing for Microsoft Networks' binding on the ISA Server internal interface will prevent you from connecting to shares on the ISA Server computer, irrespective of ISA Server system policy or other custom rules that may allow it. This approach is recommended for better security, as your firewall should not be accessible as a file server!

Amend Bind Order: 
Edit the network bind order as follows:
Internal Network (Highest)
Intra-Array Network
I hope this helps!
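The settings above are easy to drift from after a driver update or a hasty change, so an audit script is a useful companion to the build process. The script below is an added example, not part of the original post or of ISA Server: it compares each interface against the multi-NIC Standard Edition profile listed above. It assumes Windows Server 2012 / PowerShell 4 or later with the NetAdapter, NetTCPIP and DnsClient modules (the Windows Server 2003 hosts of the ISA era do not ship these cmdlets) and that the adapters have already been renamed to the names used below, which are assumed.

```powershell
# Expected per-interface profile, transcribed from the multi-NIC Standard Edition
# tables in the post (interface names are assumed to match your renamed adapters).
$Expected = @{
    'Internal Network'  = @{ Gateway=$false; Dns=$true;  Register=$true;  Sharing=$false; Client=$true;  NetBios=$true  }
    'Perimeter Network' = @{ Gateway=$false; Dns=$false; Register=$false; Sharing=$false; Client=$false; NetBios=$false }
    'External Network'  = @{ Gateway=$true;  Dns=$false; Register=$false; Sharing=$false; Client=$false; NetBios=$false }
}

function Get-NicProfile {
    # Reads the live settings of one adapter into the same shape as $Expected.
    param([string]$Name)
    $nic = Get-NetAdapter -Name $Name -ErrorAction Stop
    $cfg = Get-CimInstance Win32_NetworkAdapterConfiguration |
           Where-Object { $_.InterfaceIndex -eq $nic.ifIndex }
    @{
        # A default route (0.0.0.0/0) bound to this interface means a default gateway is defined.
        Gateway  = [bool](Get-NetRoute -InterfaceIndex $nic.ifIndex -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue)
        Dns      = [bool](Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses
        Register = [bool]$cfg.FullDNSRegistrationEnabled
        # ms_server   = File and Printer Sharing for Microsoft Networks
        # ms_msclient = Client for Microsoft Networks (the two bindings the post hardens)
        Sharing  = [bool](Get-NetAdapterBinding -Name $Name -ComponentID ms_server).Enabled
        Client   = [bool](Get-NetAdapterBinding -Name $Name -ComponentID ms_msclient).Enabled
        # TcpipNetbiosOptions: 0 = setting from DHCP (default), 1 = enabled, 2 = disabled
        NetBios  = $cfg.TcpipNetbiosOptions -ne 2
    }
}

# Print one OK/FAIL line per interface and setting so drift is visible at a glance.
foreach ($name in $Expected.Keys) {
    $actual = Get-NicProfile -Name $name
    foreach ($setting in $Expected[$name].Keys) {
        $want  = $Expected[$name][$setting]
        $have  = $actual[$setting]
        $state = if ($want -eq $have) { 'OK  ' } else { 'FAIL' }
        '{0} {1,-18} {2,-8} expected={3,-5} actual={4}' -f $state, $name, $setting, $want, $have
    }
}
```

For the Enterprise Edition layout, add an 'Intra-Array Network' entry to $Expected with Sharing, Client and NetBios set to $true, as the post's intra-array table specifies.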

Friday, August 9, 2013

Microsoft ISA Server 2006: Configure the HTTP filter for blocking applications

If you know the attributes of each kind of HTTP traffic, you can block MSN/Yahoo Messenger, BitTorrent, web mail, posting on web boards, etc., by allowing or blocking that HTTP traffic with the HTTP filter.
HTTP Traffic
HTTP traffic on ISA Server is data that passes through ISA Server using the HTTP protocol (port 80 by default), which is the protocol used by most applications. Each HTTP connection carries header information sent from client to server or from server to client, such as the request method (GET, POST, etc.), HTTP version (1.0, 1.1, 1.2), User-Agent (Mozilla/4.0, Firefox, etc.) and Content-Type (application/xml, image/jpeg, text/xml, etc.). I will not go into deep detail about the HTTP protocol; if you want more information, see Wikipedia – HTTP. With this header information, ISA Server can filter HTTP traffic to allow or block a specific application or kind of traffic.
To see samples of HTTP traffic, you can use a sniffer program to capture each packet passing in or out of a computer. A popular one is Ethereal. I have installed Ethereal on a computer running a web server. Let's see examples of the different HTTP header information below.
Configurations
To configure the HTTP filter, you need to know which attribute and value to configure. In this post, I will show only the following:
1. Block a specific browser: Firefox.
2. Block MSN Messenger and Windows Live Messenger.
3. Block downloading of .torrent files.
4. Block AOL Messenger.
5. Block Yahoo Messenger.
6. Block Kazaa.
7. Block free web mail (e.g. hotmail.com, mail.yahoo.com, etc.).
8. Block posting on web boards.
Step-by-step
1. Open the Microsoft ISA Server Management Console.
2. Right-click the rule on which the HTTP filter is being configured -> select Configure HTTP.
3. Click on the Signatures tab and click Add.
4. Block downloading of .torrent files.
To block the download of any .torrent file, configure a signature with “application/x-bittorrent” as the value, “Content-Type” as the HTTP header and Request headers under Search in.
5. Block AOL Messenger.
To block users from using AOL Messenger, configure a signature with “Gecko” as the value, “User-Agent” as the HTTP header and Request headers under Search in.
6. Block Yahoo Messenger.
To block users from using Yahoo Messenger, configure a signature with “msg.yahoo.com” as the value, “Host” as the HTTP header and Request headers under Search in.
7. Block Kazaa.
To block users from using Kazaa, configure a signature with “KazaaClient” as the value, “User-Agent” as the HTTP header and Request headers under Search in.
8. Block free web mail (e.g. hotmail.com, mail.yahoo.com, etc.).
To block users from accessing free web mail, block any URL that contains the string “mail” by configuring a signature with the value mail.
9. Block a specific browser: Firefox.
To block users from using the Firefox browser, configure a signature with “Firefox” as the value, “User-Agent” as the HTTP header and Request headers under Search in.
10. Block MSN Messenger and Windows Live Messenger.
To block users from using MSN Messenger and Windows Live Messenger:
o To block MSN Messenger, configure a signature with “msnmsgr.exe” as the value, “User-Agent” as the HTTP header and Request headers under Search in.
o To block Windows Live Messenger, configure a signature with “login.live.com” as the value, “Host” as the HTTP header and Request headers under Search in.
Summary
This is the end of this series. After completing the series, starting from installing ISA Server, configuring the network topology, configuring basic rules, configuring client types and configuring the HTTP filter, you now have the basic knowledge and understanding to operate ISA Server on your own. There are some configurations I don't cover, for instance how to configure caching on ISA Server, how to implement VPN, etc. If you need more information, try visiting ISA Server.org.
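The signatures in the steps above are plain substring matches against a header or the URL, so it is worth checking what else they catch before enabling the rule. The PowerShell below is an added example, not ISA Server code or code from the post: it parses a captured request and reports which of the post's signatures match. The page does not state ISA's exact matching rules, so the model assumes a case-insensitive substring search; the two sample requests are constructed.

```powershell
# Signature table transcribed from the steps above. Header 'URL' means the request URL
# (the free web mail step); every other entry searches the named request header.
$Signatures = @(
    @{ Blocks='torrent download';       Header='Content-Type'; Pattern='application/x-bittorrent' }
    @{ Blocks='AOL Messenger';          Header='User-Agent';   Pattern='Gecko' }
    @{ Blocks='Yahoo Messenger';        Header='Host';         Pattern='msg.yahoo.com' }
    @{ Blocks='Kazaa';                  Header='User-Agent';   Pattern='KazaaClient' }
    @{ Blocks='free web mail';          Header='URL';          Pattern='mail' }
    @{ Blocks='Firefox';                Header='User-Agent';   Pattern='Firefox' }
    @{ Blocks='MSN Messenger';          Header='User-Agent';   Pattern='msnmsgr.exe' }
    @{ Blocks='Windows Live Messenger'; Header='Host';         Pattern='login.live.com' }
)

function Get-MatchingSignatures {
    # $Request is a raw HTTP request (request line plus headers) as a sniffer would show it.
    # Returns the Blocks label of every signature that matches.
    param([string]$Request)
    $lines = $Request -split "`r?`n"
    $url = ($lines[0] -split ' ')[1]
    $headers = @{}
    foreach ($line in ($lines | Select-Object -Skip 1)) {
        if ($line -eq '') { break }                 # blank line ends the header block
        if ($line -notmatch ':') { continue }
        $name, $value = $line -split ':', 2
        $headers[$name.Trim().ToLower()] = $value.Trim()
    }
    foreach ($sig in $Signatures) {
        $haystack = if ($sig.Header -eq 'URL') { $url } else { $headers[$sig.Header.ToLower()] }
        # -like with leading/trailing wildcards is a case-insensitive substring test.
        if ($haystack -and $haystack -like "*$($sig.Pattern)*") { $sig.Blocks }
    }
}

# Constructed sample 1: an ordinary Firefox page request.
$firefox = "GET http://www.example.com/ HTTP/1.1`r`nHost: www.example.com`r`n" +
           "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0`r`n`r`n"
# Constructed sample 2: Internet Explorer fetching a contact page whose URL contains 'mail'.
$contact = "GET http://www.example.com/contact/email-us HTTP/1.1`r`nHost: www.example.com`r`n" +
           "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0)`r`n`r`n"

Get-MatchingSignatures $firefox
Get-MatchingSignatures $contact
```

Running it shows two overlaps to review in the ISA logs before enabling the rule: the “Gecko” signature meant for AOL Messenger also matches a Firefox browser request, and the “mail” URL signature blocks any URL containing that string, including the contact page.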

Friday, June 28, 2013

How to Unlock Huawei Modem E173u-1

As we already know, the Huawei modem model E173u-1 cannot be unlocked permanently yet, so this post shows a fast way to unlock the modem every time you plug it into your computer.

Tools needed:
1. Huawei USB Modem Model E173u-1
2. Huawei Temp Unlocking Application Ver 1.0, download here

Let's get started.

1. Plug your modem into your computer and install the driver; you don't need to install the driver again if you already installed it last time.

2. Run the Huawei Temp Unlocking Application, downloaded from the link above.

3. The program will attempt to unlock your modem.

4. After waiting a few seconds your modem will be unlocked and you can close the program.

5. Now your modem is ready to use with any SIM card.

Note: Keep in mind that model E173u-1 cannot be unlocked permanently yet, so every time you disconnect your modem from the computer you must repeat steps 2 to 4 again.

This tool can also unlock other models, such as the E1750, permanently.

Good luck.

Wednesday, June 12, 2013

How to get your Dell Service Tag from the command line in Windows and Linux

There are plenty of times you need the serial number (aka Service Tag) of a Dell machine but cannot physically look at the label: it's a server in a data center, it's your laptop and it's on a dock, etc. Fortunately, there are easy commands to get the serial number right from the command line in both Windows and Linux.

Windows:

From a command prompt, type:
wmic bios get serialnumber

Linux (Ubuntu and others):

From a terminal, type:
sudo dmidecode -s system-serial-number

Wednesday, June 5, 2013

How to configure PPTP VPN Server in MikroTik Router

MikroTik is a quite popular router powered by a Linux-based OS. For a technician configuring the router for the first time it feels really complicated; for me, I can say yes, because we are not familiar with its interface yet.

Anyway, after spending time playing around with it we start to understand MikroTik step by step. Today I'm going to show how to configure a PPTP VPN Server on a MikroTik router and the VPN client configuration on Windows 7.

Let's get started.

1. Download the winbox.exe file directly from the MikroTik router via web access; you can then connect to your MikroTik router via Winbox instead.

2. From the left-hand menu, click on PPP, then PPTP Server.

3. Once you click on the PPTP Server tab another dialog box comes up; just tick Enabled, then OK.

4. On the Interface tab, click on the + sign to add a PPTP Server; another dialog box comes up, and for the name you can put any name you like.

5. After you click OK, you are done with your PPTP Server.

6. Now it's time to create a username and password for the VPN client to access. Click on the Secrets tab, then click on the + sign. Fill in the Name field, Password field, Service field, Profile field, Local Address and Remote Address, then click OK.

Note: Local Address is an address from your local network range. Remote Address is your VPN client's address; it can be any address.

7. On the Profiles tab, edit the default-encryption profile and enter your local DNS server IP, then click OK to finish.

8. Your PPTP VPN Server on the MikroTik router is complete; next you need to configure VPN access from the client PC.

Let's get started.

8.1. Open your network settings, or go to Control Panel -> Network and Sharing Center, then click on Set up a new connection or network.

8.2. Click on Connect to a workplace, then click Next.

8.3. Click on No, create a new connection, then click Next.

8.4. Click on Use my Internet connection (VPN).

8.5. Fill in the username and password that you created on the MikroTik VPN Server for the client, then click Connect.

9. Now your client is connected to the MikroTik VPN Server. To view the client connection, click on Active Connections on your MikroTik router.

Here is the video link.

Good luck!

How to find your host name & IP quickly

Many ordinary users find it hard to locate their own computer's host name or IP address when an IT administrator needs it to verify something or to allow them through the firewall for internet access.

In this article you will find one simple program that helps you identify the host name and IP address of your own PC: just download the small program from the link below and run it on your PC.

Thanks to Mr. Kiv Chanrotha for his program; he promises to add another feature for checking whether a PC is on a domain or a workgroup.

Download here.