Site To Site VPN Between AWS and SonicWALL

A site-to-site VPN (Virtual Private Network) builds an encrypted IPsec tunnel between two LANs over the Internet, so resources in AWS and resources behind the SonicWALL can reach each other without being exposed to the public network.

In this blog, we show how to create a site-to-site VPN between an AWS VPC and a SonicWALL UTM appliance, using static routing and a pre-shared key.

Create and configure the VPN:

1. Log in to the AWS account.
2. Open Services and select VPC.

3. Create a new VPC; it is the container for the subnets you will reach over the tunnel. Click Your VPCs, then Create VPC.

4. Enter a Name tag, enter the IPv4 CIDR block (a private range that does not overlap the LAN behind the SonicWALL, otherwise routing between the two sites will not work), leave IPv6 off, keep Tenancy as Default and click Yes, Create.

5. Go to Subnets and click Create Subnet.

6. Enter a Name tag, select the VPC created earlier, choose an Availability Zone, enter the required IPv4 CIDR block and click Yes, Create.

Hint: the subnet's IPv4 CIDR block must lie inside the VPC's CIDR block; it can be a smaller range or the whole VPC range.

7. Go to Customer Gateways and click Create Customer Gateway.

8. Enter a Name, select Routing as Static, enter the SonicWALL's public (WAN) IP address, the address AWS will see as its IPsec peer, as the IP Address, and click Create Customer Gateway.

9. Go to Virtual Private Gateways and click Create Virtual Private Gateway.

10. Enter a Name, keep Amazon default ASN and click Create Virtual Private Gateway. Then attach the new gateway to the VPC created in step 3 (Actions > Attach to VPC); route propagation in step 18 only works for an attached gateway.

11. Go to VPN Connections and click Create VPN Connection.

12. Enter a Name tag and select the Virtual Private Gateway created in step 10.

13. Select Customer Gateway as Existing and select the Customer Gateway ID created in step 8.

14. Select Routing Options as Static.

15. Enter the internal network (LAN) behind the SonicWALL, in CIDR notation, as the Static IP Prefixes. These prefixes become the routes AWS sends towards the SonicWALL side of the tunnel.

16. Leave the Tunnel Options blank and click Create VPN Connection; AWS generates the tunnel inside addresses and pre-shared keys for you. If you want stronger proposals than the defaults listed in the generated configuration (for example AES-256 and SHA-2), the tunnel options are the place to set them, provided your SonicOS build supports them.

17. Go to Route Tables, select the route table associated with the subnet from step 6, open the Route Propagation tab and click Edit.

18. Tick the Virtual Private Gateway to enable route propagation and click Save. The SonicWALL LAN prefixes from step 15 now appear in the route table automatically.

19. Go to VPN Connections, select the VPN and click Download Configuration.

20. In the Download Configuration window select Vendor as Generic, Platform as Generic and Software as Vendor Agnostic, then click Download.

NOTE: Open the downloaded file in a text editor (Notepad++ works well). The file contains the pre-shared keys for both tunnels in clear text, so handle it like any other credential and delete it once the SonicWALL policy is configured.

21. Log in to the SonicWALL web console and create an address object for the AWS VPC CIDR from step 4 (Network > Address Objects).

22. Navigate to VPN > Settings and click Add.

23. On the General tab set Policy Type to Site to Site, Authentication Method to IKE using Preshared Secret (PSK), and give the policy a name.

24. In the AWS configuration file, go to the section "IPSec Tunnel #1", find "Virtual Private Gateway" under "Outside IP Addresses" and enter that IP as the IPsec Primary Gateway.

25. In the same "IPSec Tunnel #1" section, find "Pre-Shared Key" and enter it as the Shared Secret.

26. Go to the Network tab.

27. Select Any address for Local Networks and select the AWS address object created in step 21 as the Destination Networks.

Note: The local network must be Any address, otherwise traffic will not pass. AWS expects a 0.0.0.0/0 traffic selector from policy-based devices, so a narrower local network on the SonicWALL will not match what AWS proposes. Verified on SonicOS Enhanced 6.2.7.1-23n.

28. Go to the Proposals tab and select Main Mode for Exchange.

29. Back in the AWS file, under "IPSec Tunnel #1" in the "#1: Internet Key Exchange Configuration" part, find "Diffie-Hellman" and set the same DH Group for the IKE (Phase 1) Proposal on the SonicWALL.

30. In the same part, find "Encryption Algorithm", "Authentication Algorithm" and "Lifetime" and set the same values for the IKE (Phase 1) Proposal on the SonicWALL.

 

31. For the IPsec (Phase 2) Proposal, go back to the AWS file, under "#2: IPSec Configuration", find "Protocol", "Encryption Algorithm" and "Authentication Algorithm" and set the same values on the SonicWALL.

32. Enable Perfect Forward Secrecy on the SonicWALL, find "Perfect Forward Secrecy" in the "#2: IPSec Configuration" part of the AWS file and set the matching DH Group.

33. Find "Lifetime" in the same part and set the same Phase 2 lifetime on the SonicWALL.

34. Click OK to create the tunnel.

35. To verify, go to VPN > Settings and check that the policy shows a green status indicator, then test traffic between the sites (for example, ping an instance in the AWS subnet from the SonicWALL LAN; the instance's security group must allow that traffic from the LAN prefix).

The steps above configure only the first of the two tunnel endpoints AWS provides for every VPN connection. The parameters for the second one are in the "IPSec Tunnel #2" section of the same file; configure it as well if you want the VPN to survive maintenance on one AWS endpoint.
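As an added example that is not part of the original post and not an AWS or SonicWALL tool, the following Python script parses the Vendor Agnostic configuration file downloaded in step 20, pulls out the values that steps 24 to 33 copy into the SonicWALL policy for every "IPSec Tunnel #n" block it finds, and flags the proposal values that are legacy choices today (SHA-1 and 1024-bit DH group 2, which older AWS defaults used). The embedded CONFIG text is a constructed sample that mimics the layout of the generic download, with documentation IP addresses and placeholder keys; if a field is missing from the output for a real download, check the spacing of that line against FIELD_RE.

```python
"""Pull the SonicWALL policy values out of an AWS 'Vendor Agnostic' VPN file.

Added example for this post, not AWS or SonicWALL code. CONFIG is a constructed
sample mimicking the generic download (one block per tunnel with the
'#1: Internet Key Exchange Configuration', '#2: IPSec Configuration' and
'Outside IP Addresses' parts) using documentation IPs and placeholder keys.
"""
import re

CONFIG = """\
IPSec Tunnel #1
#1: Internet Key Exchange Configuration
  - Pre-Shared Key           : EXAMPLEKEY1notarealsecret
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2
#2: IPSec Configuration
  - Protocol                 : esp
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 3600 seconds
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2
#3: Tunnel Interface Configuration
Outside IP Addresses:
  - Customer Gateway         : 203.0.113.10
  - Virtual Private Gateway  : 192.0.2.5
Inside IP Addresses:
  - Customer Gateway         : 169.254.10.2/30
  - Virtual Private Gateway  : 169.254.10.1/30
"""

# Values worth upgrading before accepting them: SHA-1 and 1024-bit DH group 2.
LEGACY = {"sha1", "hmac-sha1-96", "Diffie-Hellman Group 2"}
FIELD_RE = re.compile(r"\s*-\s*(.+?)\s*:\s*(.+?)\s*$")   # "  - Name : value"

def parse_tunnels(text):
    """Return {tunnel_number: {"ike": {...}, "ipsec": {...}, "outside": {...}}}."""
    tunnels, current, section = {}, None, None
    for line in text.splitlines():
        head = re.match(r"IPSec Tunnel #(\d+)", line)
        if head:
            current = int(head.group(1))
            tunnels[current] = {"ike": {}, "ipsec": {}, "outside": {}}
            continue
        if line.startswith("#1:"):
            section = "ike"
        elif line.startswith("#2:"):
            section = "ipsec"
        elif line.startswith("Outside IP Addresses"):
            section = "outside"
        elif line.startswith(("#3:", "Inside IP Addresses")):
            section = None   # the inside /30 addresses must not overwrite the outside ones
        field = FIELD_RE.match(line)
        if field and current is not None and section:
            tunnels[current][section][field.group(1)] = field.group(2)
    return tunnels

def sonicwall_fields(tunnel):
    """Map parsed AWS values onto the SonicWALL policy fields used in steps 24 to 33."""
    ike, ipsec, out = tunnel["ike"], tunnel["ipsec"], tunnel["outside"]
    return {
        "IPsec Primary Gateway": out["Virtual Private Gateway"],
        "Shared Secret": ike["Pre-Shared Key"],
        "Exchange": ike["Phase 1 Negotiation Mode"],
        "IKE DH Group": ike["Perfect Forward Secrecy"],
        "IKE Encryption": ike["Encryption Algorithm"],
        "IKE Authentication": ike["Authentication Algorithm"],
        "IKE Life Time": ike["Lifetime"],
        "IPsec Protocol": ipsec["Protocol"],
        "IPsec Encryption": ipsec["Encryption Algorithm"],
        "IPsec Authentication": ipsec["Authentication Algorithm"],
        "PFS DH Group": ipsec["Perfect Forward Secrecy"],
        "IPsec Life Time": ipsec["Lifetime"],
    }

def summarize(text=CONFIG):
    """Return {tunnel_number: (fields, sorted names of fields holding a LEGACY value)}."""
    result = {}
    for number, tunnel in parse_tunnels(text).items():
        fields = sonicwall_fields(tunnel)
        result[number] = (fields, sorted(k for k, v in fields.items() if v in LEGACY))
    return result

if __name__ == "__main__":
    for number, (fields, legacy) in summarize().items():
        print(f"IPSec Tunnel #{number}")
        for name, value in fields.items():
            shown = "<redacted>" if name == "Shared Secret" else value   # keep the PSK off the terminal
            print(f"  {name:22s}: {shown}{'  (legacy, consider upgrading)' if name in legacy else ''}")
```

Run it against the real download with summarize(open("vpn-config.txt").read()); a real file contains two tunnel blocks and the output lists both, so the second policy can be typed in from the same checklist.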


DAG Requires the Same Drive Letter for Database and Logs: Change the drive letter that holds the Exchange 2010 databases or logs

1. Dismount the databases that reside on the drive you want to change.

2. Open Computer Management (Disk Management) and change the drive letter to the one you want.

3. Open the Exchange Management Shell and run the Move-DatabasePath cmdlet with the -ConfigurationOnly switch. This updates the database and log paths in the configuration without copying any files, so the paths you give must already contain the files after the letter change.

4. The command would be

Move-DatabasePath -Identity "Database Name" -EdbFilePath "X:\Exchange Databases\DB1.edb" -LogFolderPath "Y:\Exchange Logs\DB1" -ConfigurationOnly

5. You should now be able to mount the databases again, because Exchange has updated its configuration and looks for the new drive letters.

6. You may need to restart the Microsoft Exchange Search Indexer service for the index files to start appearing on the new drive instead of the old one, or leave it to catch up on its own.

NLB (WLBS) on Windows Server 2008

In this article I will load balance two servers and take you through the process step by step. Network Load Balancing takes two or more servers and lets them share one IP address so that all of them can serve client requests. By the end of this article you should be able to configure NLB.

Gathering Information

Log on to both servers and run IPCONFIG /ALL from the command prompt. We need the name, domain and IP address of each server that will be in the NLB cluster. We also need to choose an additional name for the cluster; in this example the virtual cluster name will be PL2008-V.

The two servers we will be load balancing are PL2008-01 and PL2008-02. The virtual cluster name will be PL2008-V, so if this were a web server users would go to http://PL2008-V and, depending on how we configure NLB, either PL2008-01, PL2008-02 or both servers would service the request.

SERVER NAME              | IP ADDRESS    | TYPE
PL2008-01.pintolake.net  | 192.168.1.180 | Server 1
PL2008-02.pintolake.net  | 192.168.1.181 | Server 2
PL2008-V.pintolake.net   | 192.168.1.182 | Virtual cluster name and IP address shared by Servers 1 and 2

In this example both servers have only one network card. If you have multiple network cards you will still be able to load balance the two servers: configure one NIC per server for NLB, and both NICs should be on the same VLAN and able to reach each other.

Installation of NLB feature on all NLB nodes

This should be done on ALL NODES in the NLB Cluster. In this case we are performing this installation on PL2008-01 and PL2008-02.

Open Server Manager. There are several ways to open it in Windows Server 2008: probably the quickest is to right-click “Computer” and choose “Manage”; another is to open “Control Panel”, go to “Programs and Features” and select “Turn Windows features on or off”; a third is the “Server Manager” option under Administrative Tools.

  • Select “Features” from the Server Manager menu on the left
  • Press “Add Features”

  • Select the checkbox next to “Network Load Balancing”
  • Press “Next”

  • Press “Install”

Installation will proceed to install the necessary components

Installation has succeeded. It is highly recommended that you repeat this process on all nodes in the NLB cluster at this point before continuing with configuration.

  • Press “Close”

NOTE: Network Load Balancing may also be installed from a command prompt with elevated privileges (right-click the command prompt in the Start menu and select Run as administrator) by running the servermanagercmd -install nlb command.

For example:

C:\Windows\system32>servermanagercmd -install nlb

......

Start Installation...

[Installation] Succeeded: [Network Load Balancing].

<100/100>

Success: Installation succeeded.

Configuring NLB on NODE 1 (PL2008-01)

Network Load Balanced clusters are built using the Network Load Balancing Manager which you can start from Start -> All Programs -> Administrative Tools menu or from a command prompt by executing nlbmgr.

  • Under the Cluster Menu option select “New”

  • Enter the first node in the cluster which is PL2008-01
  • Press “Connect”

 

You will have the option to choose which network adapter to use; the NIC should be on the same subnet as the other servers in the NLB cluster.

  • Press “Next”

  • Enter the Priority ID as, 1 (each node in the NLB cluster should have a UNIQUE ID)
  • Make sure the correct adapter was selected under “Dedicated IP Address”
  • Select “Started” for the “Initial host state” (this tells NLB whether you want this node to participate in the cluster at startup)
  • Press “Next”

  • Press “Add”
  • Enter the Cluster IP and Subnet mask
  • Press “OK”

You can add multiple IP addresses for the cluster; enter as many as you need.

  • Make sure the “Cluster IP addresses” are correct
  • Press “Next”

  • Select the IP address for this cluster
  • Enter “PL2008-V.pintolake.net” as the Full Internet name
  • Select “Unicast” as the “Cluster operation mode”
  • Press “Next”

Unicast vs Multicast

Unicast/Multicast is the way the MAC address for the virtual IP is presented to the switches and routers. In my experience I have almost always used Multicast; if you use it, you should enter a persistent ARP entry on all upstream switches or you will not be able to ping the servers remotely.

In the unicast method:

  • The cluster adapters for all cluster hosts are assigned the same unicast MAC address.
  • The source MAC address of each outgoing packet is modified, based on the cluster host’s priority setting, to prevent upstream switches from learning that all cluster hosts share the same MAC address. Because the switch never learns the cluster MAC on any one port, it floods frames for the cluster address to every port in the VLAN, and hosts in a single-NIC unicast cluster cannot talk to each other’s dedicated IP addresses.

In the multicast method:

  • The cluster adapter for each cluster host retains its original hardware unicast MAC address (as assigned by the network adapter’s manufacturer).
  • The cluster adapters for all cluster hosts are additionally assigned a multicast MAC address.
  • The multicast MAC is derived from the cluster’s IP address.
  • Communication between cluster hosts is not affected, because each cluster host retains a unique MAC address.

Selecting the Unicast or Multicast Method of Distributing Incoming Requests: http://technet.microsoft.com/en-us/library/cc782694.aspx
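As an added example (not from the original article and not Microsoft code), the following Python derives the cluster MAC addresses NLB builds from the cluster IP in each operation mode, following the convention Microsoft documents for NLB: 02-BF-w-x-y-z in unicast mode, 03-BF-w-x-y-z in multicast mode, 01-00-5E-7F-y-z in IGMP multicast mode, and, in unicast mode, a per-host source MAC of 02-<host priority>-w-x-y-z substituted into outgoing frames. The cluster IP 192.168.1.182 and the host priorities 1 and 2 are the ones used in this article. The multicast value is the MAC that goes into the persistent ARP entry for the cluster IP on the upstream switches and routers.

```python
"""Derive the MAC addresses NLB builds from a cluster IP address.

Added example for this article, not Microsoft code. It follows the NLB
convention Microsoft documents: unicast mode uses 02-BF-w-x-y-z, multicast
mode 03-BF-w-x-y-z and IGMP multicast 01-00-5E-7F-y-z, where w.x.y.z is the
cluster IP, and in unicast mode each host rewrites the source MAC of its
outgoing frames to 02-<host priority>-w-x-y-z so that switches never learn
the shared cluster MAC on a single port.
"""
import ipaddress

CLUSTER_IP = "192.168.1.182"   # PL2008-V from the article

def _fmt(octets):
    """Render six integer octets in the dash-separated form NLB Manager shows."""
    return "-".join(f"{o:02X}" for o in octets)

def cluster_mac(cluster_ip, mode="unicast"):
    """MAC address that answers for the cluster IP in the given NLB operation mode."""
    w, x, y, z = ipaddress.IPv4Address(cluster_ip).packed
    if mode == "unicast":
        return _fmt((0x02, 0xBF, w, x, y, z))
    if mode == "multicast":
        return _fmt((0x03, 0xBF, w, x, y, z))
    if mode == "igmp":
        return _fmt((0x01, 0x00, 0x5E, 0x7F, y, z))
    raise ValueError(f"unknown NLB cluster operation mode: {mode}")

def masked_source_mac(cluster_ip, host_priority):
    """Source MAC a unicast-mode host substitutes in the frames it sends (priority 1..32)."""
    if not 1 <= host_priority <= 32:
        raise ValueError("NLB host priority must be between 1 and 32")
    w, x, y, z = ipaddress.IPv4Address(cluster_ip).packed
    return _fmt((0x02, host_priority, w, x, y, z))

def arp_binding(cluster_ip):
    """(IP, MAC) pair an upstream router or L3 switch needs as a static ARP entry in multicast mode."""
    return cluster_ip, cluster_mac(cluster_ip, "multicast")

if __name__ == "__main__":
    for mode in ("unicast", "multicast", "igmp"):
        print(f"{mode:10s} cluster MAC for {CLUSTER_IP}: {cluster_mac(CLUSTER_IP, mode)}")
    for prio, host in ((1, "PL2008-01"), (2, "PL2008-02")):
        print(f"{host} unicast source MAC (priority {prio}): {masked_source_mac(CLUSTER_IP, prio)}")
    print("static ARP entry for multicast mode:", arp_binding(CLUSTER_IP))
```

The masked source MAC is also what you will see in a packet capture on the switch when trying to work out which physical node actually answered a request in unicast mode.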

 

 

 

I am leaving all the defaults for the port rules; by default it is set to all ports with Single affinity, which is sticky. For more information on port rules, see my note below.

  • Press “Finish”

NOTE: Add/Edit Port Rule Settings

For most scenarios I would keep the default settings. The most important setting is probably the affinity (filtering mode). “Single” works well for most web applications: it keeps a user’s session on one server, so if a user’s requests go to PL2008-01, PL2008-01 will continue to serve that user for the duration of the session.

None

  • You want to ensure even load balancing among cluster hosts
  • Client traffic is stateless (for example, HTTP traffic).

Single

  • You want to ensure that requests from a specific client (IP address) are sent to the same cluster host.
  • Client state is maintained across TCP connections (for example, HTTPS traffic).

Class C

  • Client requests from a Class C IP address range (instead of a single IP address) are sent to the same cluster host.
  • Clients use multiple proxy servers to access the cluster, and they appear to have multiple IP addresses within the same Class C IP address range.
  • Client state is maintained across TCP connections (for example, HTTPS traffic).

For more information on this please see this TechNet article:

Specifying the Affinity and Load-Balancing Behavior of the Custom Port Rule http://technet.microsoft.com/en-us/library/cc759039.aspx

 

You should see a couple of things in the NLB Manager that tell us this node successfully converged on our new PL2008-V.pintolake.net NLB cluster:

  • Make sure the node’s status changes to “Converged”
  • Make sure you see a “succeeded” message in the log window

Configuring NLB for NODE 2 (PL2008-02)

We will configure PL2008-02 from PL2008-01. If we wanted to do this from PL2008-02 instead, we would first need to connect to the PL2008-V cluster and then add the host to it.

  • Right click the cluster name “PL2008-V.pintolake.net” and select “Add Host to Cluster”

  • Enter PL2008-02 and press “Connect”

A list of network adapters will appear.

  • Select the network adapter you want to use for Load Balancing
  • Press “Next”

This step is very important: each node in the NLB cluster must have a unique identifier (the host priority), which is used to identify the node within the cluster.

  • Enter the Priority ID as, 2 (each node in the NLB cluster should have a UNIQUE ID)
  • Make sure the correct adapter was selected under “Dedicated IP Address”
  • Select “Started” for the “Initial host state” (this tells NLB whether you want this node to participate in the cluster at startup)
  • Press “Next”

  • Press “Finish”

You should see a couple of things in the NLB Manager that tell us both nodes successfully converged on our new PL2008-V.pintolake.net NLB cluster:

  • Make sure that both nodes’ status changes to “Converged”
  • Make sure each node has a unique “host priority” ID
  • Make sure each node is “started” under “initial host state”
  • Make sure you see a “succeeded” message in the log window for the second node

Memory Limits for Windows Releases

 

Physical Memory Limits: Windows 8

The following table specifies the limits on physical memory for Windows 8.

Version                | Limit on X86 | Limit on X64
Windows 8 Enterprise   | 4 GB         | 512 GB
Windows 8 Professional | 4 GB         | 512 GB
Windows 8              | 4 GB         | 128 GB

 

Physical Memory Limits: Windows Server 2012

The following table specifies the limits on physical memory for Windows Server 2012. Windows Server 2012 is available only in X64 editions.

Version                               | Limit on X64
Windows Server 2012 Datacenter        | 4 TB
Windows Server 2012 Standard          | 4 TB
Windows Server 2012 Essentials        | 64 GB
Windows Server 2012 Foundation        | 32 GB
Windows Storage Server 2012 Workgroup | 32 GB
Windows Storage Server 2012 Standard  | 4 TB
Hyper-V Server 2012                   | 4 TB

 

Physical Memory Limits: Windows 7

The following table specifies the limits on physical memory for Windows 7.

Version                | Limit on X86 | Limit on X64
Windows 7 Ultimate     | 4 GB         | 192 GB
Windows 7 Enterprise   | 4 GB         | 192 GB
Windows 7 Professional | 4 GB         | 192 GB
Windows 7 Home Premium | 4 GB         | 16 GB
Windows 7 Home Basic   | 4 GB         | 8 GB
Windows 7 Starter      | 2 GB         | N/A

 

Physical Memory Limits: Windows Server 2008 R2

The following table specifies the limits on physical memory for Windows Server 2008 R2. Windows Server 2008 R2 is available only in 64-bit editions.

Version                                          | Limit on X64 | Limit on IA64
Windows Server 2008 R2 Datacenter                | 2 TB         | N/A
Windows Server 2008 R2 Enterprise                | 2 TB         | N/A
Windows Server 2008 R2 for Itanium-Based Systems | N/A          | 2 TB
Windows Server 2008 R2 Foundation                | 8 GB         | N/A
Windows Server 2008 R2 Standard                  | 32 GB        | N/A
Windows HPC Server 2008 R2                       | 128 GB       | N/A
Windows Web Server 2008 R2                       | 32 GB        | N/A

 

Physical Memory Limits: Windows Server 2008

The following table specifies the limits on physical memory for Windows Server 2008. Limits greater than 4 GB for 32-bit Windows assume that PAE is enabled.

Version                                       | Limit on X86 | Limit on X64 | Limit on IA64
Windows Server 2008 Datacenter                | 64 GB        | 1 TB         | N/A
Windows Server 2008 Enterprise                | 64 GB        | 1 TB         | N/A
Windows Server 2008 HPC Edition               | N/A          | 128 GB       | N/A
Windows Server 2008 Standard                  | 4 GB         | 32 GB        | N/A
Windows Server 2008 for Itanium-Based Systems | N/A          | N/A          | 2 TB
Windows Small Business Server 2008            | 4 GB         | 32 GB        | N/A
Windows Web Server 2008                       | 4 GB         | 32 GB        | N/A

 

Physical Memory Limits: Windows Vista

The following table specifies the limits on physical memory for Windows Vista.

Version                    | Limit on X86 | Limit on X64
Windows Vista Ultimate     | 4 GB         | 128 GB
Windows Vista Enterprise   | 4 GB         | 128 GB
Windows Vista Business     | 4 GB         | 128 GB
Windows Vista Home Premium | 4 GB         | 16 GB
Windows Vista Home Basic   | 4 GB         | 8 GB
Windows Vista Starter      | 1 GB         | N/A

 

Physical Memory Limits: Windows Home Server

Windows Home Server is available only in a 32-bit edition. The physical memory limit is 4 GB.

Physical Memory Limits: Windows Server 2003 R2

The following table specifies the limits on physical memory for Windows Server 2003 R2. Limits over 4 GB for 32-bit Windows assume that PAE is enabled.

Version                                   | Limit on X86           | Limit on X64
Windows Server 2003 R2 Datacenter Edition | 64 GB (16 GB with 4GT) | 1 TB
Windows Server 2003 R2 Enterprise Edition | 64 GB (16 GB with 4GT) | 1 TB
Windows Server 2003 R2 Standard Edition   | 4 GB                   | 32 GB

 

Physical Memory Limits: Windows Server 2003 with Service Pack 2 (SP2)

The following table specifies the limits on physical memory for Windows Server 2003 with Service Pack 2 (SP2). Limits over 4 GB for 32-bit Windows assume that PAE is enabled.

Version                                                      | Limit on X86           | Limit on X64 | Limit on IA64
Windows Server 2003 with Service Pack 2 (SP2), Datacenter Edition | 64 GB (16 GB with 4GT) | 1 TB    | 2 TB
Windows Server 2003 with Service Pack 2 (SP2), Enterprise Edition | 64 GB (16 GB with 4GT) | 1 TB    | 2 TB
Windows Server 2003 with Service Pack 2 (SP2), Standard Edition   | 4 GB                   | 32 GB   | N/A

 

Physical Memory Limits: Windows Server 2003 with Service Pack 1 (SP1)

The following table specifies the limits on physical memory for Windows Server 2003 with Service Pack 1 (SP1). Limits over 4 GB for 32-bit Windows assume that PAE is enabled.

Version                                                      | Limit on X86           | Limit on X64 | Limit on IA64
Windows Server 2003 with Service Pack 1 (SP1), Datacenter Edition | 64 GB (16 GB with 4GT) | 1 TB    | 1 TB
Windows Server 2003 with Service Pack 1 (SP1), Enterprise Edition | 64 GB (16 GB with 4GT) | 1 TB    | 1 TB
Windows Server 2003 with Service Pack 1 (SP1), Standard Edition   | 4 GB                   | 32 GB   | N/A

 

Physical Memory Limits: Windows Server 2003

The following table specifies the limits on physical memory for Windows Server 2003. Limits over 4 GB for 32-bit Windows assume that PAE is enabled.

Version                                         | Limit on X86           | Limit on IA64
Windows Server 2003, Datacenter Edition         | 64 GB (16 GB with 4GT) | 512 GB
Windows Server 2003, Enterprise Edition         | 64 GB (16 GB with 4GT) | 512 GB
Windows Server 2003, Standard Edition           | 4 GB                   | N/A
Windows Server 2003, Web Edition                | 2 GB                   | N/A
Windows Small Business Server 2003              | 4 GB                   | N/A
Windows Compute Cluster Server 2003             | 32 GB                  | N/A
Windows Storage Server 2003, Enterprise Edition | 8 GB                   | N/A
Windows Storage Server 2003                     | 4 GB                   | N/A

 

Physical Memory Limits: Windows XP

The following table specifies the limits on physical memory for Windows XP.

Version                    | Limit on X86 | Limit on X64 | Limit on IA64
Windows XP                 | 4 GB         | 128 GB       | 128 GB (not supported)
Windows XP Starter Edition | 512 MB       | N/A          | N/A

 

Physical Memory Limits: Windows Embedded

The following table specifies the limits on physical memory for Windows Embedded.

Version                         | Limit on X86 | Limit on X64
Windows XP Embedded             | 4 GB         | N/A
Windows Embedded Standard 2009  | 4 GB         | N/A
Windows Embedded Standard 7     | 4 GB         | 192 GB

The User Profile Service service failed the logon

The User Profile Service service failed the logon. User Profile cannot be loaded.

I got this problem when I tried to log in with a new user account on a Windows 7 PC that is joined to the domain.

I think the problem was caused by some security permission changes to the Default user account in the path C:\Users.

The solution: unhide the Default user folder (Computer -> Tools -> Folder options -> ),

then right-click the Default user folder -> Properties -> Security and change the permissions as below, which fixes the issue. Basically you are replacing all child object permissions for the Default user folder.

Now you should be able to log in.