Home
Microsoft 365
Linux
Windows
Powershell
Cloud Computing
    Citrix Xendesktop
    Citrix XenApp
Useful links
About
  • Home
  • Microsoft 365
  • Linux
  • Windows
  • Powershell
  • Cloud Computing
    • Citrix Xendesktop
    • Citrix XenApp
  • Useful links
  • About
ajni.IT -
Security

Sophos SG/XG Firewall Site To Site SSL VPN apc to ovpn

November 17, 2022 by AJNI No Comments

Sophos SG/XG Firewalls use OpenVPN to create Site To Site SSL VPN tunnels, but the configuration file is specific to Sophos firewalls. This can be converted to a normal ovpn file though.

Here is how you can manually convert the APC configuration file into an OVPN file.

Take now of these things in your apc file:

Block 1 is the client certificate:

—–BEGIN CERTIFICATE—–

—–BEGIN CERTIFICATE—–

Block 2 is the CA certificate:

—–BEGIN CERTIFICATE—–

—–BEGIN CERTIFICATE—–

Block 3 is the private key:

—–BEGIN PRIVATE KEY—–

—–END PRIVATE KEY—–

Block 4: there is also a username and password:

Just above the private key is the user:

Just below the private key is the password:

So now here is the ovpn file:

client
dev tun
proto tcp
remote insert hostname or IP of the firewall here 443
route remote_host 255.255.255.255 net_gateway
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
cipher AES-128-CBC
auth SHA256
comp-lzo
route-delay 4
verb 3
reneg-sec 0
<cert>

Insert certificate here from Block 1

</cert>

<ca>

Insert certificate here from Block 2

</ca>

<key>

Insert private key from Block 3

</key>

Here is a short test with OpenVPN client on Windows. The password has to be inserted manually, but normally the tunnel gets initiated from a firewall/network appliance, in that case you should be able to insert username and password in the command line.

Reading time: 1 min
Security•Windows Client OS•Windows Server

Windows Print Nightmare fix error 0x0000011b on Windows 7 and later clients

December 16, 2021 by AJNI No Comments

If you get the error 0x0000011b on Windows 7 and later clients after updating your print server, here is a registry key that might help you:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print
DWORD RpcAuthnLevelPrivacyEnabled 0

The key needs to be set on your print server. Remember that by setting this key, you will effectively re-open the print nightmare security flaw by downgrading your security level on the server. If you want a persistent fix, you should use type 4 printer drivers, which do not need admin rights on the client side. Admin rights are needed if you have type 3 printer drivers.

References:

https://docs.microsoft.com/en-us/answers/questions/563223/windows-cannot-connect-to-the-printer-error-0x0000.html

Reading time: 1 min
Azure•Cloud Computing•Microsoft 365•Security•Windows Server

Publish your internal website through Azure AD App Proxy

December 11, 2021 by AJNI No Comments

Azure AD App Proxy allows you to publish an internal website to the internet. It is easy to set up and does not require inbound firewall rules. Traditionally, you would publish a website with the help of a reverse proxy, for example with Citrix Netscaler/ADC, KEMP Loadbalancer or F5.

In the Azure AD Portal (aad.portal.azure.com) open Application Proxy and firstly install the software on a server in the corporate network. Domain join is not a requirement, but is needed if you use Kerberos authentication.

You will need to log in with your tenant admin (or a M365 user that has the appropriate role).

After the installation, you should see the server in Azure AD App Proxy:

To then publish your site, select + Configure an app

Provide the internal URL along with the protocol (HTTPS or HTTP). You could select Azure AD in Pre Authentication and work with conditional access policies and require MFA for example. This example is using Passthrough Authentication.

Also some basic settings can be changed. To publish the site, hit + Add

After a few minutes, your site should be available:

You can also configure custom domains by verifying your domain(s) in Microsoft 365 by uploading your public certificate with the private key (pfx) and configuring the appropriate DNS record. For detailed information, check out the Microsoft docs below.

References:

https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy

Reading time: 1 min
Azure•Microsoft 365•Security•Windows Client OS•Windows Server

Configure Seamless Sign-On for Microsoft 365 Login with Azure AD Connect

May 28, 2021 by AJNI No Comments

When syncing local AD users to Azure AD, you can configure Seamless Sign-On to automatically login to Microsoft 365 Apps like Sharepoint Online, OneDrive, or Exchange Online. This is very easy to do and will make logins for users less painful.

Assuming Azure AD Connect is already set up with Pass-through authentication (see https://www.ajni.it/2021/05/configuring-azure-ad-connect-for-user-synchronization/), just open Azure AD Connect and then hit “change user sign-in” and log in with an Azure AD Global admin. After that, select “Enable single sign-on”.

Enter Domain Admin credentials.

When the pre-checks is complete, hit configure and exit.

A Computer Account named AZUREADSSOACC will be created in Active Directory which allows the authentication validation between Azure AD and local Active Directory. The Kerberos decryption key is saved in the cloud and should be changed regularly. You can see that on the Computer account, service principal names are configured

Lastly, you can roll out the feature with Group Policy. The URL https://autologon.microsoftazuread-sso.com must be added to the intranet zone list, which allows the browser to send Kerberos tickets to that site.

The GPO can be found under User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List.

Status bar updates via script must be also enabled. This GPO is located under User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone > Allow updates to status bar via script.

You can test the feature by opening portal.office.com. After entering the username, login should be done automatically without needing to insert a password.

References:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start

Reading time: 1 min
Cloud Computing•Linux•Security

Linux Apache2 Virtual Hosts with different users

September 15, 2020 by AJNI No Comments

Apache Virtual Hosts are great because they let you host multiple websites on the same server. The public IP address can also be re-used – Apache knows, based on the HTTP host header, which website to show.

But have you considered this scenario? website1.com gets compromised and some malicious person has access to the server. What can they do? Most certainly they have access to every other website on the server because, by default, every Virtual Host runs under the same user www-data. Fortunately, there is a module that allows us to use different users for every Apache2 Virtual Host called apache2-mpm-itk.

It is very easy to install:

apt-get install libapache2-mpm-itk

a2enmod mpm_itk

If you face any issues, disable mpm-prefork and try enabling mpm_itk again.

a2dismod mpm_prefork

Now, in the Virtual Host config file, insert these lines (user www-site1 and group www-site1):

<IfModule mpm_itk_module>
AssignUserId www-site1 www-site1
</IfModule>

The user could be added with useradd:

useradd www-site1

Lastly, give owner rights to the new user and no one else.

chown www-site1:www-site1 -R /var/www/site1

Or even better, give the www-site user write rights on the upload folder. Everything else is readable only.

find /var/www/site1/ -type d -exec chmod 0755 {} \; #Change directory permissions rwxr-xr-x

find /var/www/site1/ -type f -exec chmod 0644 {} \; #Change file permissions rwxr-xr-x

chown ajni:ajni -R /var/www/site1/ # Let your useraccount be owner

chown www-site1:www-site1 -R /var/www/site1/uploads/ #Let apache be owner of upload folder

Oh yeah. Don’t forget to restart apache:

service apache2 restart

References:

https://cloudkul.com/blog/apache-virtual-hosting-with-different-users/

Reading time: 1 min
Page 1 of 212»

Tip Of the Day

  • Citrix Virtual Apps and Desktops 2203+ grey screen/ConnectionFailure in Eventviewer

    3 days ago

Keep in touch

Oh hi there!
It’s nice to meet you.

Sign up to receive awesome content in your inbox, every month.

Check your inbox or spam folder to confirm your subscription.

Categories

  • AI & Deep Learning (1)
  • Azure (14)
  • Citrix XenApp (15)
  • Citrix Xendesktop (8)
  • Cloud Computing (32)
  • Coding (1)
  • Hyper-V (9)
  • Linux (8)
  • Microsoft 365 (15)
  • Powershell (14)
  • Security (6)
  • VDI (10)
  • Virtualization (18)
  • VMware (9)
  • Windows (21)
  • Windows Client OS (24)
  • Windows Server (61)

Archives

  • March 2023
  • January 2023
  • December 2022
  • November 2022
  • October 2022
  • September 2022
  • August 2022
  • July 2022
  • June 2022
  • May 2022
  • February 2022
  • January 2022
  • December 2021
  • November 2021
  • October 2021
  • September 2021
  • August 2021
  • June 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • December 2020
  • November 2020
  • September 2020
  • August 2020
  • July 2020
  • June 2020
  • May 2020
  • April 2020
  • March 2020
  • February 2020
  • November 2019
  • October 2019
  • September 2019
  • August 2019
  • July 2019
  • June 2019
  • May 2019
  • April 2019
  • March 2019

ajni IT © 2019