Site To Site VPN Between AWS and SonicWALL

VPN (Virtual Private Network) technology creates an encrypted connection between LAN networks over the Internet. With a site-to-site VPN, local resources, whether on AWS or behind the SonicWALL, can be accessed securely from the other side.

In this post we show how to create a site-to-site VPN between AWS and a SonicWALL UTM.

Create and configure the VPN:

1. Log in to your AWS account.

2. Open Services and select VPC.

3. Create a new VPC; this will act as the master network. Click Your VPCs, then Create VPC.

4. Enter a relevant Name tag and the IPv4 CIDR block, leave IPv6 off, set Tenancy to Default and click Yes, Create.

5. Now go to Subnets and click Create Subnet.

6. Enter a relevant Name tag, select the VPC created earlier and an Availability Zone, enter the required IPv4 CIDR block and click Yes, Create.

Hint: the subnet's IPv4 CIDR block can be any subset of the VPC CIDR block, or the same as the VPC CIDR block.

7. Go to Customer Gateways and click Create Customer Gateway.

8. Enter a relevant Name, select Routing as Static, enter the public IP address of the SonicWALL as IP Address and click Create Customer Gateway.

9. Go to Virtual Private Gateways and click Create Virtual Private Gateway.

10. Enter a relevant Name, select Amazon default ASN and click Create Virtual Private Gateway.

11. Go to VPN Connections and click Create VPN Connection.

12. Enter a relevant Name tag and select the Virtual Private Gateway created in step 10.

13. Select Customer Gateway as Existing and select the Customer Gateway ID created in step 8.

14. Select Routing Options as Static.

15. Enter the internal network (LAN) behind the SonicWALL as Static IP Prefixes. This creates the routes to the network behind the SonicWALL.

16. Leave the Tunnel Options blank and click Create VPN Connection; AWS will generate the tunnel options (inside tunnel CIDRs and pre-shared keys) for you.

17. Now go to Route Tables, select the required Route Table and, under the Route Propagation tab, click Edit.

18. Enable route propagation for the Virtual Private Gateway by ticking the check box and click Save.

19. Go to VPN Connections, select the required VPN and click Download Configuration.

20. In the Download Configuration window, select Vendor as Generic, Platform as Generic and Software as Vendor Agnostic, then click Download.

NOTE: Save the file and open it in a text editor (Notepad++ recommended). The file contains the pre-shared keys for both tunnels in clear text, so store it like any other credential and delete it once the SonicWALL policy is configured.

21. Now log in to the SonicWALL web console and create an address object for the AWS subnet (the AWS VPC CIDR).

22. Navigate to VPN > Settings and click Add.

23. Under the General tab, set Policy Type to Site to Site, Authentication Method to PSK (IKE using Preshared Secret) and enter a relevant Name.

24. Go back to the AWS VPN file, navigate to the section "IPSec Tunnel #1", search for "Virtual Private Gateway" and copy its outside IP address into IPsec Primary Gateway.

25. In the same "IPSec Tunnel #1" section, search for "Pre-Shared Key" and copy the key into Shared Secret.

26. Go to the Network tab.

27. Select Any address for Local Networks and select the AWS subnet address object (created in step 21) as the destination network.

Note: it is compulsory to select Any address for the local networks, otherwise traffic will not pass. Verified on SonicOS Enhanced 6.2.7.1-23n.

28. Go to the Proposals tab and select Main Mode for Exchange.

29. Go back to the AWS VPN file; under section "IPSec Tunnel #1", search for "Diffie-Hellman" and set the same DH Group on the SonicWALL.

30. In the IKE (Phase 1) part of that section, search for "Encryption Algorithm", "Authentication Algorithm" and "Lifetime" and set the same values on the SonicWALL.

31. For the IPsec (Phase 2) Proposal, go back to the AWS VPN file; under section "#2: IPSec Configuration", search for "Protocol", "Encryption Algorithm" and "Authentication Algorithm" and set the same values on the SonicWALL.

32. On the SonicWALL, enable Perfect Forward Secrecy, search for "Perfect Forward Secrecy" in the AWS file and set the same DH Group on the SonicWALL.

33. Search for "Lifetime" in the "#2: IPSec Configuration" section of the AWS file and set the same Phase 2 life time on the SonicWALL.

34. Click OK to create the tunnel.

35. To verify, go to VPN > Settings and check for the green status indicator, then test traffic between the sites.
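The values that steps 24 to 33 have you search for by hand can be pulled out of the downloaded file programmatically. The Python script below is an added example, not code from the original post or from AWS or SonicWALL; it assumes the layout of the AWS "Generic / Vendor Agnostic" file (an "IPSec Tunnel #N" header per tunnel, "#k:" sub-sections and "- Key : Value" lines) and uses a constructed sample with placeholder addresses and keys. The function names parse_aws_generic_config and sonicwall_settings are the example's own. It scopes every value by tunnel and section, which is exactly what a plain text search does not do: "Lifetime" appears in both the Phase 1 and the Phase 2 section, and the first hit for "Virtual Private Gateway" is the gateway ID in the file header rather than the outside IP address the policy needs.

```python
"""Extract the SonicWALL policy values from an AWS 'Generic / Vendor Agnostic'
Site-to-Site VPN configuration download.

Added example, not code from the original post. It assumes the layout of the
AWS generic file ('IPSec Tunnel #N' headers, '#k: ...' sub-sections and
'- Key : Value' lines). SAMPLE_CONFIG is constructed with placeholder values.
"""
import re
from collections import defaultdict

# Constructed sample (placeholders only), trimmed to the lines the steps use.
SAMPLE_CONFIG = """\
Your Virtual Private Gateway ID   : vgw-0123456789abcdef0

IPSec Tunnel #1
================================================================================
#1: Internet Key Exchange Configuration
Configure the IKE SA as follows
  - Pre-Shared Key           : EXAMPLE_PSK_TUNNEL1_PLACEHOLDER
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Diffie-Hellman           : Group 2

#2: IPSec Configuration
  - Protocol                 : esp
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 3600 seconds
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

#3: Tunnel Interface Configuration
Outside IP Addresses:
  - Virtual Private Gateway  : 192.0.2.1
Inside IP Addresses
  - Virtual Private Gateway  : 169.254.10.1/30

IPSec Tunnel #2
================================================================================
#1: Internet Key Exchange Configuration
  - Pre-Shared Key           : EXAMPLE_PSK_TUNNEL2_PLACEHOLDER
#3: Tunnel Interface Configuration
Outside IP Addresses:
  - Virtual Private Gateway  : 192.0.2.2
"""

TUNNEL_RE = re.compile(r"^IPSec Tunnel #(\d+)\s*$")
SECTION_RE = re.compile(r"^#\d+:\s*(.+?)\s*$")
SCOPE_RE = re.compile(r"^\s*(Outside|Inside) IP Addresses:?\s*$")
KV_RE = re.compile(r"^\s*-\s*(.+?)\s*:\s*(.+?)\s*$")


def parse_aws_generic_config(text):
    """Return {tunnel_no: {section_title: {key: value}}}.

    Values are scoped by tunnel and '#k:' section; address lines get an
    'Outside/' or 'Inside/' prefix. Lines before the first tunnel header
    (such as the gateway ID in the file header) are deliberately ignored.
    """
    tunnels = defaultdict(lambda: defaultdict(dict))
    tunnel = section = scope = None
    for line in text.splitlines():
        if m := TUNNEL_RE.match(line):
            tunnel, section, scope = int(m.group(1)), None, None
        elif (m := SECTION_RE.match(line)) and tunnel is not None:
            section, scope = m.group(1), None
        elif m := SCOPE_RE.match(line):
            scope = m.group(1)
        elif (m := KV_RE.match(line)) and tunnel is not None and section:
            key = f"{scope}/{m.group(1)}" if scope else m.group(1)
            tunnels[tunnel][section][key] = m.group(2)
    return {t: dict(s) for t, s in tunnels.items()}


def sonicwall_settings(tunnels, tunnel_no=1):
    """Map one tunnel onto the SonicWALL fields of steps 24-33 (KeyError if a value is absent)."""
    t = tunnels[tunnel_no]
    ike = t["Internet Key Exchange Configuration"]
    ipsec = t["IPSec Configuration"]
    iface = t["Tunnel Interface Configuration"]
    main_mode = ike.get("Phase 1 Negotiation Mode", "main").lower() == "main"
    return {
        "IPsec Primary Gateway": iface["Outside/Virtual Private Gateway"],
        "Shared Secret": ike["Pre-Shared Key"],
        "Exchange": "Main Mode" if main_mode else "Aggressive Mode",
        "Phase 1 DH Group": ike["Diffie-Hellman"],
        "Phase 1 Encryption": ike["Encryption Algorithm"],
        "Phase 1 Authentication": ike["Authentication Algorithm"],
        # '28800 seconds' -> 28800; the SonicWALL life time field takes a number
        "Phase 1 Life Time (seconds)": int(ike["Lifetime"].split()[0]),
        "Phase 2 Protocol": ipsec["Protocol"].upper(),
        "Phase 2 Encryption": ipsec["Encryption Algorithm"],
        "Phase 2 Authentication": ipsec["Authentication Algorithm"],
        "Perfect Forward Secrecy": ipsec["Perfect Forward Secrecy"],
        "Phase 2 Life Time (seconds)": int(ipsec["Lifetime"].split()[0]),
    }


if __name__ == "__main__":
    # Checklist for tunnel #1; the PSK is masked so the output can be shared.
    for field, value in sonicwall_settings(parse_aws_generic_config(SAMPLE_CONFIG)).items():
        print(f"{field:28} {'********' if field == 'Shared Secret' else value}")
```

Running it prints the checklist for tunnel #1 with the shared secret masked; pass tunnel_no=2 to sonicwall_settings if you also configure the second tunnel as a backup policy. Replace SAMPLE_CONFIG with the contents of your own download to use it on a real file.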


Recover Failed/Dead Exchange Server 2013

 

Recover an Exchange Server

You can recover a lost server by using the Setup /m:RecoverServer switch in Microsoft Exchange Server 2013. Most of the settings for a computer running Exchange 2013 are stored in Active Directory. The /m:RecoverServer switch rebuilds an Exchange server with the same name by using the settings and other information stored in Active Directory.

Recovering a lost Exchange server is often accomplished by using new hardware. However, you can also use an existing server.

1. Install the Windows OS and give the server the same IP address as the previous (failed) Exchange server.

2. Reset the failed server's computer account in Active Directory Users and Computers (right-click the computer object and choose Reset Account).

3. Join the domain with the same computer name as before.

4. Drive letters must be the same as in the previous installation. You can view the previous installation path with adsiedit.msc.

5. Create the drive letters and folder paths for the database (.edb) and logs accordingly; you can get these from adsiedit.msc. Then restore the .EDB file from backup into that folder.

6. Install the Exchange 2013 prerequisites.

7. Install Exchange 2013 with the /m:RecoverServer switch:

Setup /m:RecoverServer /IAcceptExchangeServerLicenseTerms

8. Now check the Exchange Server services.

Move Database and Log Folder Path in Exchange 2013

To view the current list of databases, run the Get-MailboxDatabase cmdlet in the EMS (Exchange Management Shell).

By default the Exchange database location is C:\Program Files\Microsoft\Exchange Server\V15\Mailbox\, which is definitely not a recommended place to store the mailbox database.

It is always recommended to store the Exchange database and logs on a drive other than the C: drive.

Here, I will move both the database and the logs to the F: drive.

Before you proceed, please be aware that:

  • the command must be run while logged on to the mailbox server hosting the database
  • this process requires that the database be dismounted while the move takes place, making it unavailable to mailbox users
  • this process should not be followed for databases that are replicated within a Database Availability Group
  • this process cannot be run at the same time as a backup is in progress

Move-DatabasePath "Mailbox Database 0587117746" -EdbFilePath "F:\ExchangeDB\Mailbox Database 0587117746.edb" -LogFolderPath "F:\ExchangeLog"

Now let's verify that the database has changed location. Run Get-MailboxDatabase again, this time listing the path properties:

Get-MailboxDatabase | FL Name,*Path*

Delete Unisphere Logs

I was getting the event below in my VNX 5300 System Alerts. It was saying the logs were getting full, so I had to delete them.

Severity : Critical
System : VNXFILE-CS0
Domain : Local
Created : Mar 18, 2015 2:03:01 AM
Message : dskMon[17374]: FS /dev/mapper/emc_vg_lun_5-emc_lv_nas_var_emcsupport mounted on /nbsnas/var/emcsupport filling up (at 91%, max = 90%).
Full Description : The specified feature detected a potential space capacity issue for the specified device name and mount point. This issue may need the attention of the system administrator.
Recommended Action : Verify that the mount point’s condition has reached cautionary levels. Identify whether there is any free space available, and if it can be returned to the mount point. For example, remove unnecessary files or move areas of this mount point onto other, less full mount points on the system. If you cannot reduce the space consumption on this mount point, you might want to expand the mount point to gain additional space. Contact your Authorized Service Provider if you need assistance.
Event Code : 0x1260180018

To fix this:

1. SSH/telnet into the primary control station as nasadmin or root. We will be creating a file for the user nasadmin.

2. Change directory to /nas/log/webui. This directory rsyncs with another log directory under /nbsnas.

[nasadmin@CS0 /]# cd /nas/log/webui

3. Delete all alert_log files. I would suggest using tar to back them up first.

[nasadmin@CS0 /]# rm alert_log*

4. Recreate the alert_log file and apply the appropriate ownership/permissions.

[nasadmin@CS0 /]# touch alert_log

[nasadmin@CS0 /]# chmod 664 alert_log

[nasadmin@CS0 /]# chown nasadmin:nasadmin alert_log

DAG Requires the Same Drive Letter for Database & Logs: Change the drive letter that holds the Exchange 2010 databases or logs

1. Dismount the databases which reside on the drive you want to change.

2. Open Computer Management and change the drive letter to whatever you want.

3. Open the Exchange Management Shell and use the Move-DatabasePath cmdlet with the -ConfigurationOnly switch.

4. The command would be:

Move-DatabasePath -Identity "Database Name" -EdbFilePath "X:\Exchange Databases\DB1.edb" -LogFolderPath "Y:\Exchange Logs\DB1" -ConfigurationOnly

5. You should now be able to mount the databases again, because Exchange will have updated its configuration and will look for the files under the new drive letters.

6. You may need to restart the Microsoft Exchange Search Indexer service for the index files to start appearing on the new drives instead of the old ones, or leave it to catch up.

Windows 2008 Server R2 adprep\adprep32

Are you having trouble running ADPREP on your current 32-bit Domain Controller? Have you run ADPREP multiple times on your domain but still get an error stating you have not prepared your domain yet?

Here is a change that catches even the most seasoned admins. In Windows Server 2008 R2 there is a new ADPREP that needs to be run when the Domain Controller holding the Schema Master FSMO role runs a 32-bit version of Windows Server.

The domain prep tool is called ADPREP32 and is located in the \support\adprep folder of the installation media.

The switches for ADPREP32 are the same as for adprep. The main switches used are /FORESTPREP, /DOMAINPREP and /RODCPREP.

adprep is still used when the Domain Controller holding the Schema Master FSMO role is running a 64-bit version of Windows Server. The 64-bit version of ADPREP is the one that runs by default, which is why you must know to run ADPREP32 on your 32-bit Domain Controller.

Some background information on adprep:

ADPREP is a command line tool that comes with each version of Windows Server. ADPREP is used to extend the Active Directory schema to support the new features of Active Directory Domain Services in the new Windows version.

There are a number of switches that need to be used with the ADPREP command, depending on the version of Windows and the current domain/forest structure.

ADPREP updates the Active Directory schema, updates security descriptors, modifies ACLs on Active Directory objects and SYSVOL, and sometimes creates new objects and containers.

Here are the Active Directory schema versions:

13 = Windows 2000
30 = Windows 2003
31 = Windows 2003 R2
44 = Windows 2008
47 = Windows 2008 R2

In-place upgrade of an ESXi 5.0 host to ESXi 5.1

  1. Boot your server from the CD or USB drive containing the ESXi 5.1 installer.
  2. Press Enter to start the interactive installer.
  3. When the files are loaded, press Enter to continue.
  4. Press F11 to accept the EULA.
  5. Select the disk containing the previous installation of ESXi and press Enter.
  6. When the scan is complete you will be presented with the installation options. Select the Upgrade option and press Enter to continue.
  7. Press F11 to confirm the upgrade of your ESXi host.
  8. When the installer finishes the upgrade, remove the installation media from the host and press Enter to reboot.
  9. When the host reboots, you should see the familiar screen with the software version, host name and IP address.

That's it! You are done. This process takes literally minutes to complete.

Exchange 2010 ActiveSync doesn't work for domain admin group members

By default, members of an AD protected group such as Domain Admins or Enterprise Admins cannot use Microsoft ActiveSync with an Exchange 2010 server. They get an error like this: "Result: ActiveSync encountered a problem on the server. Support code: 0x85010014".

Solution 1: Remove the protected group memberships for this account; more information about protected groups can be found here.

Solution 2: Go to Active Directory Users and Computers and turn on Advanced Features on the View menu. Open the user account, go to the Security tab and click the Advanced button. Then enable "Include inheritable permissions from this object's parent". Now ActiveSync will work. Note that the AdminSDHolder process periodically re-applies the protected ACL and clears inheritance again (roughly every hour by default), so this fix is only temporary unless the account leaves the protected groups as in Solution 1.