Sonicwall NetExtender SSLVPN and Windows 8

***UPDATE
After an email exchange with James Hiscott and some hard work on his part, James has an update: Sonicwall have released an updated version of NetExtender, available at mysonicwall.com. Read James’ post here http://www.jameshiscott.com/wordpress/?p=10
_______________________

Like most people we’re keenly testing the pre-RTM releases of Windows 8 and evaluating new hardware from HP to work out what we’d like to use for staff and students next year. Currently I have Windows 8 CP on an HP Folio13 and really like how it’s working for me. The only problem has been getting the Sonicwall SSLVPN client to work on Windows 8, which for the last week has stopped me from ditching my 2740p tablet and making the Folio13 my sole mobile device.

After a few attempts, the NetExtender install completed successfully once I had installed *all* the drivers for the Folio13 from the HP site.

That got me excited and I thought I was all set: I tested the SSLVPN client, it authenticated and connected, and it looked like it was working. It wasn’t until later that evening, when I went to use the VPN, that I realised it wasn’t working at all; even though the connection looked fine, no network traffic was being received by the VPN client.

image

A little digging this morning through the log and debug log files indicated an issue with the routes being added when connecting the VPN.

image
Log File

image
Debug Log File

Running route print showed that the Sonicwall NetExtender adapter was interface 38.
image

Open the Properties window for the NetExtender

image

Add the required routes to the bottom of NxConnect.bat. The interface index (38 here) must match what route print shows on your own machine, and it can change if the adapter is reinstalled, so re-check it after a driver update:

route ADD 172.16.0.0 MASK 255.255.0.0 172.16.72.1 METRIC 5 IF 38
route ADD 172.16.1.3 MASK 255.255.255.255 172.16.72.1 METRIC 5 IF 38
route ADD 172.16.1.2 MASK 255.255.255.255 172.16.72.1 METRIC 5 IF 38

Funnily enough, you don’t seem to need the route delete commands in NxDisconnect.bat, presumably because Windows drops the routes bound to the NetExtender adapter when it goes away on disconnect. Adding them anyway is harmless:

route DELETE 172.16.0.0
route DELETE 172.16.1.3
route DELETE 172.16.1.2

And finally you need to change the privileges for the NetExtender shortcut so it runs with administrator privileges, because route ADD needs an elevated process. Since NetExtender will now run NxConnect.bat elevated, make sure that batch file (and anything it calls) is writable only by administrators; a script that runs elevated is only as trustworthy as the people who can edit it. If you have NetExtender as a startup program, go to

C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu

Right-click on the shortcut and tick the box for "Run this program as an administrator". Expect a UAC prompt each time it launches; Windows won’t silently start an elevated program at logon.

image
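The same routes as a script that works out the interface index at connect time instead of hard-coding IF 38. This is an added example, not part of the original post or of Sonicwall’s NetExtender scripts; it assumes the adapter’s name contains "NetExtender" and uses the tunnel gateway shown in the post (172.16.72.1), so change both to suit your appliance.

```powershell
# Added example (not from the original post): add/remove the NetExtender routes
# from NxConnect.bat / NxDisconnect.bat without hard-coding the interface index.
# Assumptions: the adapter name contains "NetExtender"; gateway 172.16.72.1 is
# the tunnel address from the post; the script path in the comment below is made up.

function Get-NetExtenderIfIndex {
    param([string] $NamePattern = '*NetExtender*')   # assumed adapter name
    # Win32_NetworkAdapter.InterfaceIndex is the same number "route print" shows in
    # its IF column, so this replaces the "IF 38" that breaks after a driver reinstall.
    $nic = Get-WmiObject -Class Win32_NetworkAdapter |
        Where-Object { $_.Name -like $NamePattern -and $_.NetConnectionStatus -eq 2 } |   # 2 = Connected
        Select-Object -First 1
    if (-not $nic) { throw "No connected adapter matching '$NamePattern' was found" }
    return [int] $nic.InterfaceIndex
}

function Add-NetExtenderRoute {
    param(
        [Parameter(Mandatory = $true)] [hashtable[]] $Route,   # @{ Net = ...; Mask = ... }
        [string] $Gateway = '172.16.72.1',                     # tunnel gateway from the post
        [int]    $Metric  = 5,
        [int]    $IfIndex = (Get-NetExtenderIfIndex)           # resolved at call time
    )
    foreach ($r in $Route) {
        & route.exe ADD $r.Net MASK $r.Mask $Gateway METRIC $Metric IF $IfIndex | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "route ADD $($r.Net) failed (exit code $LASTEXITCODE)" }
    }
}

function Remove-NetExtenderRoute {
    param([Parameter(Mandatory = $true)] [hashtable[]] $Route)
    foreach ($r in $Route) {
        # Harmless if Windows already dropped the route with the adapter.
        & route.exe DELETE $r.Net MASK $r.Mask | Out-Null
    }
}

# The three routes from the post, kept in one place so connect and disconnect agree.
$VpnRoutes = @(
    @{ Net = '172.16.0.0'; Mask = '255.255.0.0' },
    @{ Net = '172.16.1.3'; Mask = '255.255.255.255' },
    @{ Net = '172.16.1.2'; Mask = '255.255.255.255' }
)

# Call from the batch files (path is an assumption), e.g. in NxConnect.bat:
#   powershell.exe -NoProfile -ExecutionPolicy Bypass -File "%ProgramFiles%\SonicWALL\NetExtenderRoutes.ps1" add
switch ($args[0]) {
    'add'    { Add-NetExtenderRoute    -Route $VpnRoutes }
    'delete' { Remove-NetExtenderRoute -Route $VpnRoutes }
    default  { Write-Host 'usage: NetExtenderRoutes.ps1 add|delete' }
}
```

Because NetExtender runs this elevated, put the .ps1 somewhere only administrators can write (Program Files, not the user profile) and keep the batch file there too; otherwise anyone who can edit the file gets an elevated process on the next connect.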

After all of that my NetExtender setup seemed reliable and worked the same as on my Windows 7 devices.

Radius – Server 2008 R2 NPS

We’ve been using NPS on Server 2008 for a while now and it’s been perfect for handling 802.1X authentication (EAP-TLS) and RADIUS auth from the HP WESM in the 5400zl. The RADIUS setup for the HP Wireless Edge Services was pretty easy; it only needs RADIUS clients for the primary WESM and any redundant WESMs.

Now that we’re adding another 50-70 E-MSM422 APs for the MSM765 controller we need to add RADIUS clients for each AP. After a conversation with Adam (@DJADSA) we worked out that we were going to hit the 50 RADIUS client limit in Server 2008 Standard. Adam showed me a couple of neat tricks with their NPS configuration that would save us a tonne of time and are new additions to R2!

The first trick was adding a subnet range for RADIUS clients instead of adding a RADIUS client for each AP individually. Adding the IP/CIDR and shared secret lets every device in the range talk to the NPS server. Bear in mind that it also means any host in that range can send RADIUS requests with that secret, so keep the range to the AP management VLAN, use a long random secret, and don’t reuse it for other client groups.

radiusclient

The next tip from Adam was with the Accounting in NPS. We’d tried to get SQL logging to behave in Server 2008 a few times and failed miserably. The NPS application in 2008 would connect to a SQL database but wouldn’t create the structure etc. There was a SQL script on the web that would create it for you but we didn’t have any luck getting it all to work properly. 2008 R2 has a new wizard for setting up NPS accounting, and the final stage of the wizard gives you the option of creating the SQL structure of the database. Very tidy.

accountingwiz

With SQL logging enabled we have the option of writing a web part or two for SharePoint to let staff know which users are connected where, and it lets us easily run scripts to find client/authentication problems.

MSM765 SNTP Time Sync

msm765

This week we’ve been reconfiguring our MSM765 wireless controller and adding some new features for students and guests to the school. With our old ZL WESM we were able to have a VLAN on the wireless network with an HTML-based login, which allowed the students to use their own machines on the wireless network with their AD credentials. We wanted to replicate this setup on the MSM by using HTML-based user logins and still use their AD logins. We hit a problem when we tried to configure the Active Directory authentication on the controller because the time on the controller wasn’t in sync with the 5400 chassis or the domain. AD authentication is Kerberos-based, and Kerberos rejects requests when the clocks differ by more than the domain’s tolerance (five minutes by default).

When we checked Controller –> Management –> System Time, we could see that the time was incorrect, but there was no option to change it or specify an NTP server. The command line reference for the controller (MSM7xx-CLI-RG-May09-5992-5933.pdf) gave a few clues on how to set the SNTP server and get the controller synced to our Windows time server.

Connecting the terminal to the 5400 with the controller (the MSM is in Bay I):

BGSCore(config)# services  I 2
BGSCore(msm765-application-I)> enable
BGSCore(msm765-application-I)# conf
BGSCore(msm765-application-I)(config)#
BGSCore(msm765-application-I)(config)# ntp protocol sntp
BGSCore(msm765-application-I)(config)# ntp server 1 192.168.1.19
BGSCore(msm765-application-I)(config)# ntp server
BGSCore(msm765-application-I)(config)#

The time synced straight away and the connection to AD went through without a hitch. SNTP is unauthenticated, so point the controller at the same internal time source the domain controllers use (as above) rather than at anything out on the internet; that keeps the controller and the DCs inside Kerberos’ tolerance of each other.

image

Sonicwall’s Application Firewall and blocking BitTorrent

BitTorrent
We’ve just updated the firmware on our NSA 4500 to 5.5.2.0-3o and have started playing with the Application Firewall and DPI-SSL (deep packet inspection of SSL traffic). The 4500 is a Layer 7 firewall and the application firewall feature lets you do some pretty tricky filtering. We’ve noticed that some of the student machines coming in for repair have BitTorrent clients installed. At the moment that sort of traffic is blocked by our ISA firewall/proxy, which is the gateway for the Student Netbook VLAN, but we want to remove that over the next few months because it causes a bottleneck for heavy traffic, like heavy ClickView use. When we remove ISA we can use either the Sonicwall or ACL rules on the ProCurve 5400 (or both) to filter the traffic between the netbooks and the rest of the world. After the firmware update with the addition of DPI-SSL it seemed like a good chance to see how good the filtering was on the NSA 4500.

Before creating the new application firewall policy, I had to create an object for the BitTorrent traffic. The Sonicwall has an IDP category for all P2P traffic which has signatures for many P2P applications. You can block traffic for particular applications, e.g. block only Azureus and allow other BitTorrent clients.

 applicationobject

With the application object defined, we can create the policy. In this case we wanted to stop all BitTorrent traffic; however, it’s possible to exclude addresses and/or users, which would be handy with SSO. The rule will look for any traffic deemed to be P2P going through the Sonicwall and will drop the packets. Nice and easy.

policysettingse

Any requests that match the rule are blocked and can be checked in the log view, which can be filtered by application firewall.

LogFilter

Setting up uTorrent on a test machine and queuing up some files showed that the rule was working properly and not allowing any traffic through. The Sonicwall not only blocked the file transfer but also the attempts to look for other peers etc.
Capture4

The combination of the application firewall and DPI-SSL should also catch this traffic when it’s tunnelled over SSL/TLS, with one caveat: DPI-SSL only sees inside sessions it can decrypt, so client machines need to trust the firewall’s re-signing CA, and it does nothing for BitTorrent’s own protocol encryption, which isn’t TLS. Whether obfuscated peer traffic is caught therefore depends on the P2P signatures, not on DPI-SSL.

Application firewall rules can also be configured to shape traffic to/from any site on the web. At the moment we’ve configured a rule to shape traffic to Megaupload and other download sites that work over port 80, and depending on Facebook traffic that could be a contender too. Another type of rule that was described in some Sonicwall promotional guff was a rule to catch IE6 traffic and redirect it to a warning page to upgrade your version of IE. That rule sounds like a good idea; I think that might be my next one.

BSOD Shenanigans and Minidump files

Since we imaged our 2740p tablets with our Windows 7 SOE two weeks ago, we’ve had a few problems with machines blue-screening on shutdown and hadn’t been able to work out which application or driver was causing it. When a machine BSODs it creates a minidump file with debugging information about why Windows crashed. Usually we can work out what caused the BSOD and fix it without having to check the minidump, but this one had us stumped.

Downloading the Windows Debugging Tools and the Windows SDK sounded like a massive effort for checking the contents of a file, but in the end it turned out to be nice and easy. PCHell has a nice step-by-step guide to viewing minidump files and, after downloading and installing the debugging tools, all we had to do was run WinDbg and open the last minidump file to see that NIPALK.SYS was the offender.

WinDbg

WinDbg doesn’t make you trawl through useless info to get to the offending driver: the info you need is at the bottom of the crash analysis it prints for the dump, labelled Probably caused by! Set the symbol path to the Microsoft symbol server first, otherwise the analysis can’t resolve Windows’ own modules and may blame the wrong one.
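When a whole batch of tablets comes back, opening each dump in WinDbg by hand gets old. The script below is an added example, not part of the original post or of the Debugging Tools: it drives cdb.exe (the console version of WinDbg) over every minidump on the machine with the same !analyze -v that WinDbg runs, and pulls out the "Probably caused by" module. It assumes the Debugging Tools are installed at the path shown (match the 32/64-bit version to the OS) and that the machine can reach the Microsoft symbol server.

```powershell
# Added example (not from the original post): unattended minidump triage with cdb.exe.
# Assumptions: cdb.exe lives at $Cdb below (adjust for x64 or a different install
# folder); the symbol server is reachable; run elevated, since C:\Windows\Minidump
# is not readable by standard users.

function Get-MinidumpCulprit {
    param(
        [string] $DumpFolder = "$env:SystemRoot\Minidump",
        [string] $Cdb        = 'C:\Program Files\Debugging Tools for Windows (x86)\cdb.exe',   # assumed path
        [string] $SymbolPath = "srv*$env:SystemDrive\symbols*http://msdl.microsoft.com/download/symbols"
    )
    if (-not (Test-Path $Cdb)) { throw "cdb.exe not found at $Cdb" }

    Get-ChildItem -Path $DumpFolder -Filter '*.dmp' | Sort-Object LastWriteTime | ForEach-Object {
        # -z opens the crash dump, -y sets the symbol path, -c runs the commands then quits.
        $out = & $Cdb -y $SymbolPath -z $_.FullName -c '!analyze -v; q' 2>&1 | Out-String

        # The same three lines you would read off the bottom of the WinDbg output.
        $culprit  = if ($out -match 'Probably caused by\s*:\s*(\S+)') { $Matches[1] } else { 'unknown' }
        $bugcheck = if ($out -match 'BUGCHECK_STR:\s*(\S+)')          { $Matches[1] } else { 'unknown' }
        $proc     = if ($out -match 'PROCESS_NAME:\s*(\S+)')          { $Matches[1] } else { 'unknown' }

        New-Object PSObject -Property @{
            Dump     = $_.Name
            Crashed  = $_.LastWriteTime
            Bugcheck = $bugcheck
            Culprit  = $culprit      # e.g. nipalk.sys in the case above
            Process  = $proc         # process that was running when the bugcheck hit
        }
    }
}

# Which module shows up most often across all the dumps on this machine?
function Get-CulpritSummary {
    param([string] $DumpFolder = "$env:SystemRoot\Minidump")
    Get-MinidumpCulprit -DumpFolder $DumpFolder |
        Group-Object Culprit |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-CulpritSummary | Format-Table -AutoSize
```

Run it once per returned machine (or against a share you copy the .dmp files to) and a driver that is consistently at the top of the summary is the one to chase, as NIPALK.SYS was here.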

A search of the computer found NIPALK.SYS in the C:\Windows\System32\drivers folder and a Google search found lots of results for LabVIEW and Robolab. Since Robolab is in our SOE, we quickly removed it from the system and that seems to have fixed the BSOD issues on shutdown. Looks like we might need to update to the latest version of Robolab for our next SOE 🙁

RemoteApp: Synergetic access from Home

Finding a decent solution for remote access to Synergetic has always been a problem. The Synergetic loader starts the application from a shared network drive, which is fine when staff are at school, but when they’re offsite it’s tedious loading Synergetic over a 1Mb upload on the school’s internet link.

RemoteApp was a new feature in Server 2008 and has been refined further in 2008 R2 and Windows 7 with RemoteApp and Desktop Connections. RemoteApp works similarly to the traditional Windows Terminal Server login used with previous versions of Windows Server, but with more functionality. When you configure a program for RemoteApp, the end user gets the same icon on their desktop or start menu that they would if the application were installed locally. The icon is a shortcut for Remote Desktop (RDP) that loads a full Terminal Services login but hides the session and only shows the application, which is running in the TS session. The user’s printers and mapped drives etc. can all be used in the RemoteApp, the same as in an RDP session, but this is set per program.

Accessing Synergetic via RemoteApp offsite is as seamless as connecting at school and doesn’t require a VPN connection. Setting up RemoteApp with signed certificates and opening ports on the firewall is the way to go; if it’s going to face the internet, put a Remote Desktop Gateway in front of it (RDP tunnelled over HTTPS on 443) rather than exposing 3389 directly. Users still have to pass AD authentication and, depending on your Synergetic setup, another username and password to log in to Synergetic.

 

Video -  loading Synergetic with RemoteApp

After a brief trial of Synergetic with RemoteApp it looks like we’ll be purchasing the necessary RDS User CALs (check here for changes to TS licensing) and using RemoteApp for staff access to Synergetic from home, and getting them to use this setup for their academic report writing to avoid the confusion between Synergetic Network/Stand-Alone and importing/exporting reports.

To set up the trial of Server 2008 R2 and RemoteApp, follow something like the TS RemoteApp Step-by-Step Guide, which is pretty straightforward. If you have Windows 7 clients, make sure you check out RemoteApp and Desktop Connections, where you can set the Win7 machines to check a URL for a list of available RemoteApps; it will update regularly and automatically put shortcuts on the start menu for users.

After you’ve configured the TS services, install Synergetic on the TS box and add it as a RemoteApp through the wizard.

wiz1

If you’re a large Synergetic customer, you probably have multiple databases for different users and need to specify different configuration files with command line arguments.

wiz2

Here’s our test RemoteApps for Synergetic

remoteAppPrograms

Pushing the links for RemoteApps out as *.MSI or .RDP files via a script or download makes things nice and easy too. Sign the .RDP files with the server’s certificate (RemoteApp Manager has a digital signature setting for this) so clients can tell a genuine file from a tampered one.

I hadn’t paid much attention to RemoteApp and Microsoft’s VDI offerings, which seems like a mistake on my part. With the price of EDU licensing for MS apps, this is a nice and tidy solution to a problem we’ve had since purchasing Synergetic 10-12 years ago. It might be a good solution for getting applications onto our student netbooks too… we’ll see how we go.

Windows GPO: Disable Adobe Updater for CS3 and CS4

We’ve known for a while that Adobe updates are too frequent, too large and annoying when you have a couple of hundred machines on the network with the Master Collection installed. Recently we installed ViewPoint to give us reporting from our Sonicwall firewall, and we saw the impact that Adobe updates had on our internet connection; it was staggering. Adobe updates and Apple iTunes updates were the bulk of our traffic, which is no mean feat when we have 900 students in the Senior School on Facebook.

Viewpoint_AdobeUsage 
Web Usage Report from Viewpoint

Luckily, Adobe have a registry value that can be used to enable/disable the Adobe Updater, and pushing the entry out to clients via Group Policy seems like the sensible option:
http://kb2.adobe.com/cps/408/kb408711.html

On Windows XP or Windows Vista

  1. Using Regedit.exe, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe
  2. Create a new key in this folder named "Updater"
  3. Create a new DWORD value within this key named "Enterprise" with a value of "1"

To try it out, I created the registry entries on my local machine and imported them into a new GPO with the Registry Wizard (right-click on Registry under Computer Configuration and select New –> Registry Wizard).

AdobeGPO1 
Registry Keys imported into GPO

 
AdobeGPO2 
Registry Entries, Action set to Update
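For testing the value on one machine before building the GPO, and for checking afterwards that the GPO actually landed on a client, here is the same registry change as a script. It is an added example, not from the original post or from Adobe; the key and value names are the ones the KB article above gives, and "1" is the disabled setting.

```powershell
# Added example (not from the original post): set, remove and verify the
# Adobe Updater policy value from kb408711 on the local machine.
# Run elevated; HKLM\SOFTWARE\Policies is not writable by standard users.

$AdobeUpdaterKey = 'HKLM:\SOFTWARE\Policies\Adobe\Updater'

function Set-AdobeUpdaterPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch] $Restore)   # -Restore removes the value again (updater back to default)

    if ($Restore) {
        if ($PSCmdlet.ShouldProcess($AdobeUpdaterKey, 'Remove Enterprise value')) {
            Remove-ItemProperty -Path $AdobeUpdaterKey -Name 'Enterprise' -ErrorAction SilentlyContinue
        }
        return
    }
    if ($PSCmdlet.ShouldProcess($AdobeUpdaterKey, 'Set Enterprise = 1 (updater disabled)')) {
        # New-Item creates the missing "Adobe" and "Updater" keys in one go thanks to -Force.
        if (-not (Test-Path $AdobeUpdaterKey)) { New-Item -Path $AdobeUpdaterKey -Force | Out-Null }
        New-ItemProperty -Path $AdobeUpdaterKey -Name 'Enterprise' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-AdobeUpdaterPolicy {
    # $true only when the value exists AND is 1; a missing key or a 0 means the updater is live.
    $prop = Get-ItemProperty -Path $AdobeUpdaterKey -Name 'Enterprise' -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.Enterprise -eq 1)
}

Set-AdobeUpdaterPolicy -WhatIf        # preview; drop -WhatIf to apply
Test-AdobeUpdaterPolicy               # $true once the GPO (or the line above) has applied
```

Test-AdobeUpdaterPolicy is the useful half once the GPO is out: run it on a client after a gpupdate and you know whether the preference item applied without opening regedit, and a scheduled report of machines where it returns $false shows where the GPO isn’t reaching.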

It’s important to remember to still update the Adobe applications, especially Acrobat and Flash; disabling the updater moves the job of patching onto you, it doesn’t remove it. The Sophos Security Threat Report 2010 highlights the need to keep these two applications up to date. Malicious code can be executed from Flash files embedded in PDF documents; Sebastian Porst has a superb write-up on dissecting the Adobe/Flash exploit here. If you’ve got 10 minutes, grab a coffee and read up.

You can download the Acrobat updates manually from Adobe and push them out to clients with msiexec.exe. Check AppDeploy for specifics for your version of Acrobat, but something like this would do the trick (apply the incremental patches in version order, as below):

msiexec /p "%installdir%\AcroProStdUpd910_T1T2_incr.msp" /qn /norestart REINSTALL=ALL REINSTALLMODE=omus

msiexec /p "%installdir%\AcrobatUpd912_all_incr.msp" /qn /norestart REINSTALL=ALL REINSTALLMODE=omus

These are from the Adobe forums; push them out with a script or via GPO.

Outlook 2003: Can’t Create File

Just as we’re about to replace the last of our Acer notebooks with the XP/Office 2003 SOE, we came across this odd error in Outlook 2003 when opening an attachment.

image002

This is a file that’s emailed to staff almost daily, without problems until this cropped up, seemingly for no reason.

After a little bit of homework, we found that it could be a problem with temporary files and had to check the path Outlook uses for them in the registry (the OutlookSecureTempFolder value under HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Security for Outlook 2003).

reg

When we checked the path Outlook was using for temp files, we were horrified to see this:

image003

The Can’t Create File: STUABSD.rtf error hit us because Outlook (or probably Windows Explorer) couldn’t create a temp file called STUABSD (100).rtf. When an attachment with the same name is opened again and again, Outlook leaves the earlier copies in place and numbers each new one, and it gives up once it reaches the hundredth copy.

Deleting the temp files cleared up the error straight away. That folder also holds copies of attachments that were left open when the message was closed, so it’s worth clearing for privacy reasons as well as to stop this error.
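To find the folder without regedit and spot attachments that are about to hit the limit before the error appears, here is the check as a script. It is an added example, not from the original post or from Microsoft; it assumes Outlook 2003 (registry version 11.0) and should be run as the affected user with Outlook closed.

```powershell
# Added example (not from the original post): read Outlook's secure temp folder
# from the registry, report attachment names near Outlook's copy limit, and
# clear the folder. Assumptions: Office registry version 11.0 (Outlook 2003);
# change it for other versions. Run as the user whose profile is affected.

function Get-OutlookSecureTempFolder {
    param([string] $OfficeVersion = '11.0')   # 11.0 = Outlook 2003, 12.0 = Outlook 2007
    $key  = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Security"
    $prop = Get-ItemProperty -Path $key -Name 'OutlookSecureTempFolder' -ErrorAction Stop
    return $prop.OutlookSecureTempFolder
}

function Get-OutlookTempCollision {
    # Groups "name.ext", "name (1).ext" ... "name (N).ext" by attachment name and
    # reports the highest copy number seen; anything near 99 is about to fail.
    param(
        [string] $Folder = (Get-OutlookSecureTempFolder),
        [int]    $WarnAt = 90
    )
    Get-ChildItem -Path $Folder | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $copy = 0
        if ($_.BaseName -match '^(.*) \((\d+)\)$') { $base = $Matches[1]; $copy = [int] $Matches[2] }
        else                                        { $base = $_.BaseName }
        New-Object PSObject -Property @{ Base = "$base$($_.Extension)"; Copy = $copy }
    } | Group-Object Base | ForEach-Object {
        $max = ($_.Group | Measure-Object -Property Copy -Maximum).Maximum
        New-Object PSObject -Property @{
            Attachment = $_.Name
            Copies     = $_.Count
            HighestNo  = $max
            NearLimit  = ($max -ge $WarnAt)
        }
    } | Sort-Object HighestNo -Descending
}

function Clear-OutlookSecureTempFolder {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string] $Folder = (Get-OutlookSecureTempFolder))
    if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
        throw 'Close Outlook first; it keeps open attachments in this folder.'
    }
    Get-ChildItem -Path $Folder | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.FullName, 'Delete')) { Remove-Item -Path $_.FullName -Force }
    }
}

Get-OutlookTempCollision | Format-Table -AutoSize
# Clear-OutlookSecureTempFolder -WhatIf    # preview, then run without -WhatIf
```

On the machine above, Get-OutlookTempCollision would have shown STUABSD.rtf with a HighestNo of 99 and NearLimit set to $true before anyone saw the error, which makes it an easy thing to run from a logon script against machines that get the same daily attachment.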

Random AD User Account Lockout

The last few weeks we’ve had a problem with one of our IT staff user accounts where it would regularly get locked out during the day. We suspected some of the students were trying to guess the password for the account, probably hoping to get around our web content filter…

This made me realise we’ve never really looked for account lockouts and where/why/how they might be happening on the network. I wasn’t excited about scouring the security event logs on our domain controllers to find the info I needed. A quick search brought up the Account Lockout and Management Tools from Microsoft, which have been around since 2003 but were new to me. I probably should have been a bit sharper on that one.

One of the applications in the download is LockoutStatus. This app takes the AD username and returns the lockout status and bad password count on each DC for that user.

lockoutstatus

After finding the lockout status of the user you then use the EventCombMT app to search the event logs of the domain controllers. EventCombMT can search the event logs for any event ID, but to find events with logon issues I limited the search to the Security logs on the DCs with event IDs 529, 644, 675, 676 and 681. Those are the Windows 2000/2003 IDs; on Windows Server 2008 domain controllers the equivalents are 4096 higher (644 becomes 4740, 529 becomes 4625, and so on). More info on usage here.

EventComb

EventCombMT produces a text file for each server with the results of the search:

644,AUDIT SUCCESS,Security,Wed Apr 14 10:21:08 2010,NT AUTHORITY\SYSTEM,User Account Locked Out:     Target Account Name: zdjb     Caller Machine Name: STNB4200ZKLC     Caller User Name: IDM$     Caller Domain: TEACH     Caller Logon ID: (0x0,0x3E7)   

644,AUDIT SUCCESS,Security,Wed Apr 14 10:08:14 2010,NT AUTHORITY\SYSTEM,User Account Locked Out:     Target Account Name: zdjb      Caller Machine Name: STTB2710ZJLW     Caller User Name: IDM$     Caller Domain: TEACH     Caller Logon ID: (0x0,0x3E7)  

Straight away I could see the two machines that were causing the account lockout, and after calling them back into the Service Desk we were able to work out that it was the Sophos AutoUpdate causing the problem: these machines had been using the credentials of this account, with an old password, for receiving updates instead of the update account we normally use.
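With dozens of result files from EventCombMT the culprit machines aren’t always this obvious, so here is the parsing as a script that turns the per-DC text files into a table of which machine (and which local account on it) is locking out which user, and how often. It is an added example, not part of the original post or of the Microsoft tools, and it assumes the output format shown above (Windows 2003-style event 644 lines); the sample input is the two lines from the post plus one unrelated constructed event.

```powershell
# Added example (not from the original post): summarise EventCombMT result files
# into "who is locking out whom". Assumes the 2003-style 644 lines shown above.

function ConvertFrom-EventCombLine {
    param([Parameter(Mandatory = $true)] [string[]] $Line)
    # EventCombMT rows look like: ID,Type,Log,Date,User,Message
    $shape = '^(?<Id>\d+),(?<Type>[^,]+),(?<Log>[^,]+),(?<Time>[^,]+),(?<Subject>[^,]+),(?<Msg>.*)$'
    foreach ($l in $Line) {
        if (-not ($l -match $shape)) { continue }          # blanks, headers, malformed rows
        if ($Matches.Id -ne '644')   { continue }          # only "User Account Locked Out"
        $time = $Matches.Time; $msg = $Matches.Msg

        if (-not ($msg -match 'Target Account Name:\s*(\S+)')) { continue }
        $account = $Matches[1]
        $machine = if ($msg -match 'Caller Machine Name:\s*(\S+)') { $Matches[1] } else { 'unknown' }
        $caller  = if ($msg -match 'Caller User Name:\s*(\S+)')    { $Matches[1] } else { 'unknown' }

        # "Wed Apr 14 10:21:08 2010"; leave $null if a DC writes the date differently.
        $when = $null
        try {
            $when = [datetime]::ParseExact(($time -replace '\s+', ' '), 'ddd MMM d HH:mm:ss yyyy',
                                           [System.Globalization.CultureInfo]::InvariantCulture)
        } catch { }

        New-Object PSObject -Property @{
            Account = $account; CallerMachine = $machine; CallerUser = $caller; When = $when
        }
    }
}

function Group-LockoutEvent {
    # One row per (account, machine) pair, busiest pair first.
    param([Parameter(Mandatory = $true)] [object[]] $Event)
    $Event | Group-Object Account, CallerMachine | ForEach-Object {
        $first = $_.Group[0]
        $last  = ($_.Group | Where-Object { $_.When } | Sort-Object When | Select-Object -Last 1).When
        New-Object PSObject -Property @{
            Account       = $first.Account
            CallerMachine = $first.CallerMachine
            CallerUser    = $first.CallerUser     # the local account doing the failing logons (IDM$ here)
            Lockouts      = $_.Count
            LastSeen      = $last
        }
    } | Sort-Object Lockouts -Descending
}

function Get-LockoutSummary {
    param([Parameter(Mandatory = $true)] [string[]] $Path)   # one EventCombMT output file per DC
    $events = foreach ($p in $Path) { ConvertFrom-EventCombLine -Line (Get-Content -Path $p) }
    Group-LockoutEvent -Event $events
}

# Constructed sample: the two lines quoted in the post plus an unrelated 529 event.
$sample = @(
    '644,AUDIT SUCCESS,Security,Wed Apr 14 10:21:08 2010,NT AUTHORITY\SYSTEM,User Account Locked Out:     Target Account Name: zdjb     Caller Machine Name: STNB4200ZKLC     Caller User Name: IDM$     Caller Domain: TEACH     Caller Logon ID: (0x0,0x3E7)',
    '644,AUDIT SUCCESS,Security,Wed Apr 14 10:08:14 2010,NT AUTHORITY\SYSTEM,User Account Locked Out:     Target Account Name: zdjb      Caller Machine Name: STTB2710ZJLW     Caller User Name: IDM$     Caller Domain: TEACH     Caller Logon ID: (0x0,0x3E7)',
    '529,AUDIT FAILURE,Security,Wed Apr 14 10:07:59 2010,NT AUTHORITY\SYSTEM,Logon Failure:     Reason: Unknown user name or bad password'
)
Group-LockoutEvent -Event (ConvertFrom-EventCombLine -Line $sample) | Format-Table -AutoSize
# Real use:  Get-LockoutSummary -Path (Get-ChildItem 'C:\Temp\EventComb\*.txt' | Select-Object -ExpandProperty FullName)
```

The sample gives two rows, one for each tablet, both with IDM$ as the calling user: that detail is what points at a service running as SYSTEM (here Sophos AutoUpdate) rather than a student typing passwords. Scheduling this against the DCs weekly, with the 4740 equivalent on 2008 DCs, is the cheap version of the monitoring mentioned below.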

Solving the account lockout has prompted some new strategies for monitoring the network that we hadn’t considered before. Now that we have the tools, we can regularly search the event logs for bad passwords on administrator accounts and follow up the results. Also, we may have started the ball rolling on a project to create more user accounts in AD for different network services. It was lucky that we found Sophos was the culprit, but next time it could be difficult to find old credentials being used in an Altiris job, for example. Creating separate user accounts for services like Sophos, Altiris jobs, SQL, Exchange and intranet applications will narrow down the search next time we have a password problem, make it easier to change these passwords on a regular basis, and limit what any one leaked password can reach.

Vista Black Screen of Death and Altiris SVS

When we rolled out the HP 2730p tablets to Staff last year, we decided to try out the Altiris software virtualisation (SVS).

Since it came bundled with our Altiris purchase it seemed like the easiest choice for getting into software virtualisation. We had tried the demo of VMware’s ThinApp but were discouraged by the pricing, and had been impressed with demos of Microsoft App-V. Software virtualisation would let us have a much smaller SOE with just Vista, Office 2007 and the Adobe CS4 Master Collection, and have every other application installed as an SVS layer. This way we could reduce the time needed for imaging and control the application deployment through Altiris. We could also enable the web portal, which would let staff select which SVS layers they’d like deployed to their machine!

Since the 2730p machines were imaged, we’ve had a few come back because Vista seems to hang on a black screen after the green progress bar on boot-up.

Vista Green Bars

The problem seems to be with a driver for SVS (fslx.sys), and after browsing the web for reasons why we’ve had this issue, we found that it may be a problem with one of the SVS packages we’ve deployed.

A thread on the Symantec forums details some of the SVS KSOD issues that people have had and found that troublesome SVS layers are the culprit. This thread confirmed our suspicions that we were having trouble with SVS packages that we’d made for applications like Skype and iTunes that have regular/frequent updates. The files in the SVS layer can’t be updated when there’s an update or patch for an application. With software virtualisation on the rise it would be handy if the application knew it was virtualised and would warn the user that new versions can’t be installed until the virtualised application is removed.

Anyway, here’s the fix:

· Boot the machine into Safe Mode

· Login as Admin

· Rename C:\Windows\system32\drivers\fslx.sys to C:\Windows\system32\drivers\fslx_old.sys

· Restart the machine

This will disable SVS and all the SVS layers (the filter driver simply fails to load because its file is gone), so it gets the machine booting again rather than fixing the layer. We’ve had some success updating the SVS software to a slightly newer version, though in most cases we’ve still had trouble after updating the SVS client. The best bet is to work out which SVS layer is causing the problem and disable it. Easier said than done.

We’re yet to decide whether we’ll consider SVS for the 2010 staff image. If we do, we’ll have to exclude applications like iTunes and Skype and try to avoid the black screen issues. We also need to decide whether we’re going to move to Windows 7 for this image and whether it will be 32- or 64-bit. Symantec have released the beta version of Symantec Workspace Virtualization, the new version of SVS, which is compatible with 64-bit Windows, but it’s unlikely that the final version will be released in time for our internal testing.