Crumpled Thoughts

October 30th, 2008

Windows PowerShell script for adding IP routes across a VPN

Posted by Chris in Technology, Windows

At my office we use a Microsoft ISA server as our firewall/VPN server. We have three discrete IP subnets within our private network: 192.168.5.0/24, 192.168.6.0/24, and 192.168.7.0/24. When I establish a VPN connection from the external network I get an IP address on the 192.168.6.0/24 network.

I have my VPN connection set up not to use the default gateway on the remote network. This prevents all of my internet traffic from being routed over the VPN while I am connected to it… the problem is that if I need to access a resource on the 192.168.5.0/24 or 192.168.7.0/24 networks, I have to manually add routes to them across the VPN.

The process was:

  • Find out what IP I was assigned on the VPN
  • Add an IP route to 192.168.5.0/24
  • Add an IP route to 192.168.7.0/24

If I was always assigned the same IP address on the VPN, I could have just put the commands in a batch file, but the IP address is dynamically assigned from a DHCP server and is different every time. So this is what I used to do:

Old Way

That is a lot of typing! I’d been meaning to play around with Windows PowerShell anyhow, and decided to write a script to automate this task in PowerShell. This is what I came up with:

# vpn.ps1
#
# Add IP routes across a VPN via a DHCP assigned IP address
#
# Get the IP address of the VPN connection
$vpnip = ipconfig | findstr "192.168.6."
# If we don't have an IP address on the VPN, error and quit
if (!$vpnip) {
"You do not have an IP address on the VPN"
exit
}
# Trim any leading/trailing whitespace
$vpnip = $vpnip.Trim()
# Split the contents of $vpnip in to an array
$vpnip = $vpnip.Split(" ")
# Find out the depth of our IP address in the array
$bit = $vpnip.Length - 1
# Get out just our IP address on the VPN
$vpnip = $vpnip[$bit]
# Add whatever routes we need
route add 192.168.5.0 MASK 255.255.255.0 $vpnip
route add 192.168.7.0 MASK 255.255.255.0 $vpnip

I save the script as vpn.ps1 and put it in the “scripts” directory under my profile directory. Then I just put a shortcut on my desktop to powershell.exe C:\Users\chillman\scripts\vpn.ps1. Now I just connect to the VPN, launch my shortcut and I’m ready to go. Hopefully this will be useful to someone.
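The script above takes whatever is the last space-separated token on the first line ipconfig prints that contains "192.168.6.", so it works as long as that happens to be the adapter's address line. The version below is an added example (not the post's vpn.ps1) that anchors the match to the IP Address line itself, validates what it captured before passing it to route.exe, and checks each route add for failure. It assumes the same addressing as the post: a VPN address in 192.168.6.0/24 and remote subnets 192.168.5.0/24 and 192.168.7.0/24; the three variables at the top are the only site-specific values.

```powershell
# vpn-routes.ps1 -- added example, not the vpn.ps1 from the post.
# Assumptions (taken from the post): the VPN adapter gets an address in
# 192.168.6.0/24 and the subnets reached through the tunnel are
# 192.168.5.0/24 and 192.168.7.0/24. Change these three values for another site.
$VpnPrefix  = '192.168.6.'
$RemoteNets = @('192.168.5.0', '192.168.7.0')
$Mask       = '255.255.255.0'

# Match only the address line of the VPN adapter. ipconfig labels it
# "IP Address" on XP and "IPv4 Address" on Vista and later, followed by a run
# of dots and a colon; the named group captures just the address.
$pattern = "IP(v4)? Address[ .]*:\s*(?<ip>$([regex]::Escape($VpnPrefix))\d{1,3})\s*$"
$line = ipconfig | Select-String -Pattern $pattern | Select-Object -First 1

if (-not $line) {
    Write-Error "No IPv4 address starting with $VpnPrefix found. Is the VPN connected?"
    exit 1
}
$vpnip = $line.Matches[0].Groups['ip'].Value

# Sanity-check the captured text before handing it to route.exe.
if (-not [System.Net.IPAddress]::TryParse($vpnip, [ref]$null)) {
    Write-Error "Captured '$vpnip' is not a valid IPv4 address."
    exit 1
}

foreach ($net in $RemoteNets) {
    # route.exe exits non-zero when the add fails; on Vista and later the usual
    # cause is running without elevation.
    route add $net MASK $Mask $vpnip | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "route add $net via $vpnip failed (exit code $LASTEXITCODE). Run from an elevated PowerShell prompt."
    } else {
        Write-Host "Added $net/24 via $vpnip"
    }
}

# Confirm what the routing table now holds for those destinations.
$check = ($RemoteNets | ForEach-Object { [regex]::Escape($_) }) -join '|'
route print | Select-String -Pattern $check
```

It is launched the same way as the post's shortcut; the only practical difference on Vista is that the shortcut has to run PowerShell elevated, otherwise route add fails and the script now says so instead of silently leaving the table unchanged.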

July 24th, 2007

Speed up Vista’s Start Menu

Posted by Chris in Technology, Windows

Normally I’m an early adopter of new Windows operating systems, but with Vista I’ve been slow to take the plunge. After running various beta releases and release candidates I was hesitant to use it on my ‘production’ computers. Well, I finally took the plunge last weekend and my work laptop is now running Vista business edition.

I’ve been getting really annoyed at how slow the Vista start menu is, navigating “All Programs”. I discovered a way to speed it up drastically. Customize the start menu and un-check “Highlight newly installed programs”.

The navigation will get much faster. Now if I can just figure out how to get the program folders to expand outside of the start menu, like Windows XP did by default.

Speed up Vista Start Menu

June 13th, 2006

Treo Exchange ActiveSync Hell

Posted by Chris in Technology, Linux, Windows, Sysadmin, Rant
Treo + Apache + Exchange 2003 = HELL

Today I had to set up a Treo 650 to access a user’s Exchange mailbox over the web. I did not imagine it would be as difficult as it turned out to be.

At this site we run a Linux router/firewall that handles all traffic coming into and leaving the network. We use Apache’s mod_proxy to proxy web connections from the internet to IIS servers on the private network. Having had more than a couple of 36+ hour days cleaning up viruses due to exploited IIS servers, I feel much more comfortable having Apache handle the web requests.

One of the gotchas of using mod_proxy is that you have to disable “Integrated Windows Authentication” on any sites you proxy with Apache, since Apache doesn’t understand the headers involved. No big deal, because these requests are typically coming from the internet over SSL.

I started the setup at about 12:00 noon today. The first thing I did was add the following bits of code to the Apache configuration file to Proxy the ActiveSync connections:

#ActiveSync
ProxyPass /Microsoft-Server-ActiveSync https://webmail.example.com/Microsoft-Server-ActiveSync
ProxyPassReverse /Microsoft-Server-ActiveSync https://webmail.example.com/Microsoft-Server-ActiveSync

I then put the appropriate settings into the Treo, and tested connectivity. This is where things started to piss me off.

The software on the Treo has terrible, non-intuitive error codes. The documentation is even worse. This is what I discovered (over about 4 hours of trying to get it to work):

  • For the ProxyPass directives to work, you cannot use Integrated Windows Authentication on the IIS site.
  • For the Treo VersaMail app to use Exchange ActiveSync it must use Kerberos authentication, which requires enabling Integrated Windows Authentication.
  • Palm’s software engineers don’t really give a shit whether the error message you get is in any way helpful, just as long as you understand it’s not working.

So the thing that sucks about this is that we run “stuff” on the gateway which requires us to use Apache on Linux. It provides remote access for employees through a web interface, and dynamically modifies iptables firewall rules when folks need access.

This was my fix, which I think is as good a fix as is possible.

  • Exported the IIS web site that handled OWA, OMA, and ActiveSync to a file.
  • Created a new web site from the exported file.
  • Changed the TCP ports for HTTP and HTTPS to obscure, high ports.
  • Modified the document root on the IIS site, as all the magic happens in Virtual Directories.
  • Requested/Installed a new SSL certificate from an internal enterprise CA with a common name matching the internet FQDN.
  • Enabled “Integrated Windows Authentication” on the “Exchange” virtual directory in this new web site.
  • Forwarded the obscure, high SSL port from the firewall into the Exchange server.

Now the Treo works… just had to set the obscure high port in the advanced settings on the Treo. I didn’t want to go down the forwarded port road, because it seems like a compromise in security. All too often I see people bypass security measures in order to get things to work, and I hate it. This seems like a small compromise I’ll have to settle for.

Got a better solution? Let me know.

-Chris

January 28th, 2006

Installing Symantec AntiVirus 10.x using a Group Policy Object (GPO) installation

Posted by Chris in Windows, Sysadmin

Ever need to install or upgrade Symantec AntiVirus on a large number of machines rapidly? Check this out. Much easier than using a login script, or messing with transform files for the installer.

Installing Symantec AntiVirus 10.x using a Group Policy Object (GPO) installation

January 27th, 2006

Mass Change Local Admin Password on Windows Domain Computers

Posted by Chris in Windows, Sysadmin

Yesterday I was at a client’s site and was tasked with changing the password for the local administrator account on approximately 200 MS Windows domain computers. Typically if I have to change the local admin password on a few domain computers I’ll just use the Computer Management MMC snap-in, connect to a remote computer, change the password, lather – rinse – repeat. That would take forever on 200 computers, though.

I came across a Visual Basic Script file which allowed me to complete the task in about 15 minutes. I just had to create a text file with the NetBIOS computer names of each machine I wanted to change the password on, then run one command. This little script is going to come in handy. I found it published here, at VisualBasicScript.com.
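The VBScript itself is only linked from the post, not shown. As an added example (not the VisualBasicScript.com script), here is the same workflow in PowerShell: a text file with one NetBIOS name per line, one command, and the local Administrator password reset on each machine through the ADSI WinNT provider, which is how the VBScript-era tools did it as well. It assumes the account running it is a local administrator on every target (a domain admin account, in the post's situation), that the file format is one name per line, and it writes a CSV of which hosts succeeded so the ones that were off or unreachable can be revisited rather than silently left on the old password.

```powershell
# Reset-LocalAdminPassword.ps1 -- added example, not the script the post links to.
# Assumptions: $ComputerList is a text file with one NetBIOS name per line;
# the caller is a local administrator on each target; the account to reset is
# the local Administrator unless -AccountName says otherwise.
param(
    [Parameter(Mandatory)][string]$ComputerList,
    [string]$AccountName = 'Administrator',
    [string]$ReportPath  = '.\password-change-results.csv'
)

# Prompt rather than take the password on the command line, so it does not
# end up in shell history or the process command line of the running script.
$secure = Read-Host -Prompt "New password for local $AccountName" -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

$results = foreach ($raw in Get-Content -Path $ComputerList) {
    $name = $raw.Trim()
    if (-not $name) { continue }          # skip blank lines in the list
    try {
        # Fail fast on hosts that are off or unreachable instead of waiting on ADSI.
        if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
            throw 'host unreachable'
        }
        # WinNT provider path to the local account on the remote machine.
        $user = [ADSI]"WinNT://$name/$AccountName,user"
        $user.SetPassword($plain)
        $user.SetInfo()
        [pscustomobject]@{ Computer = $name; Status = 'Changed'; Time = Get-Date }
    } catch {
        [pscustomobject]@{ Computer = $name; Status = "Failed: $($_.Exception.Message)"; Time = Get-Date }
    }
}

# Keep a record of what was and was not changed; the failures are the to-do list.
$results | Export-Csv -NoTypeInformation -Path $ReportPath
$results | Format-Table -AutoSize
Write-Host ("Changed: {0}  Failed: {1}" -f
    @($results | Where-Object Status -eq 'Changed').Count,
    @($results | Where-Object Status -ne 'Changed').Count)
```

Run it as `.\Reset-LocalAdminPassword.ps1 -ComputerList .\computers.txt` from a workstation joined to the domain. Machines that fail the ping check are reported rather than retried, so the CSV is the list to work through once those hosts are back on the network.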