Tim D'Annecy

Networking

#Windows #Powershell #Networking

A company I'm working with is looking to move from an OpenVPN connection to a Meraki VPN on newly installed MX hardware.

To accomplish this, I wrote a short script that can be deployed in GPO that adds the new VPN connection and uninstalls the existing OpenVPN application.

Here's the script:

# Migrate-VPN.ps1
# Adds a new Meraki VPN config and removes the existing OpenVPN GUI application.
# Tim D'Annecy 2022-08-04

Start-Transcript -Path 'C:\temp\Migrate-VPN.log'
function Add-VPN {
  $ConnectionName = 'New VPN'
  $ServerAddress = 'XXXyourhostnameXXX'
  $PresharedKey = 'XXXyourpskXXX'

  $check = Get-VpnConnection -Name $ConnectionName -AllUserConnection -ErrorAction SilentlyContinue

  if ($check) {
    Write-Host 'VPN connection named' $ConnectionName 'already exists. Exiting.'
  }
  else {
    Write-Host 'Adding VPN connection' $ConnectionName
    Add-VpnConnection `
      -Name $ConnectionName `
      -ServerAddress $ServerAddress `
      -TunnelType L2tp `
      -EncryptionLevel Optional `
      -L2tpPsk $PresharedKey `
      -AuthenticationMethod Pap `
      -RememberCredential $true `
      -AllUserConnection  $true `
      -Force `
      -WarningAction SilentlyContinue
  }
}
Add-VPN

function Remove-OpenVPN {
  if (Test-Path -Path 'C:\Program Files\OpenVPN') {
    Write-Host 'OpenVPN installed. Removing...'
    (Get-WmiObject -Class Win32_Product -filter "Name LIKE 'OpenVPN%'").Uninstall() | Out-Null
  }
  else {
    Write-Host 'OpenVPN not installed. Exiting.'
  }
}
Remove-OpenVPN

Stop-Transcript

Copy and paste this script into your \\domain.com\SYSVOL\scripts folder and save it as Migrate-VPN.ps1.

Once you've done this, go into Group Policy Management and create a new GPO Object that does 3 things:

  • Create a folder at C:\temp

  • Copy the file from \\domain.com\SYSVOL\scripts\Migrate-VPN.ps1 to C:\temp\Migrate-VPN.ps1

  • Run a Scheduled Task that calls Powershell to run the script every hour on the hour

With these things in place, you should see the changes trickle out to your environment as the machines check in.

Discuss...

#Powershell #Windows #Networking

I have a client that is transitioning their network equipment from Fortigate to Meraki. Part of this transition is testing the Meraki Client VPN instead of the FortiClient application.

We found that that on first run, the FortiClient VPN app disables some services that are needed for the Meraki VPN connection to successfully authenticate. If users don't have Local Admin permissions, they are unable to make any changes to the services to fix the issue.

To work around this, I created a small PowerShell script that can be deployed through GPO or Intune. It stops all of the FortiClient services and processes and re-enables the services that Meraki's VPN uses. It also creates a transcript and stores the log to C:\Fix-MerakiVPN.log that you can use for troubleshooting.

Here's the script:

#Requires -Version 1
<#
.SYNOPSIS
  Closes and disables FortiClient VPN services and apps. Checks and configures Windows services to allow Meraki VPN connection.
.DESCRIPTION
  Closes and disables FortiClient VPN services and apps. Checks and configures Windows services to allow Meraki VPN connection.
.INPUTS
  None
.OUTPUTS
  Log file stored in C:\Fix-MerakiVPN.log
.NOTES
  Version:        1.0
  Author:         Tim D'Annecy
  Creation Date:  2022-06-07
  Purpose/Change: Initial script development
.EXAMPLE
  Fix-MerakiVPN.ps1 
#>

$ServicesToStop = 'FA_Scheduler'#, 'FMAPOService'
$ServicesToStart = 'PolicyAgent', 'IKEEXT'
$AppsToStop = 'FortiClient', 'FortiSettings', 'FortiSSLVPNdaemon', 'FortiTray'

function Fix-MerakiVPN {
  foreach ($App in $AppsToStop) {
    if (Get-Process -Name $App -ErrorAction SilentlyContinue) {
      Write-Host 'Application running. Stopping:' $App
      Stop-Process -Name $App -Force 
    }
    else {
      Write-Host 'OK: Application not running or not installed:' $App
    }
  }
  foreach ($service in $ServicesToStop) {
    if ((Get-Service $service -ErrorAction SilentlyContinue).status -eq 'Running') {
      Write-Host 'Service running. Stopping:' $service
      $ServicePID = (get-wmiobject win32_service | Where-Object { $_.name -eq $service }).processID
      Stop-Process $ServicePID -Force
      Set-Service $service -StartupType Disabled
    }
    else {
      Write-Host 'OK: Service not running or not installed:' $service
    }
  }
  foreach ($service in $ServicesToStart) {
    if ((Get-Service $service -ErrorAction SilentlyContinue).status -eq 'Running') {
      Write-Host 'OK: Service running:' $service
    }
    else {
      Write-Host 'Service not running. Starting:' $service
      Set-Service $service -StartupType Automatic -Status Running 
      Start-Service $service 
    }
  }
}

Start-Transcript -Path 'C:\Fix-MerakiVPN.log' -Append
Fix-MerakiVPN
Stop-Transcript

Discuss...

#Powershell #Windows #networking

I found a great tool [A] that runs netstat to get the currently listening and active ports on the local machine while matching the process IDs with the process names.

This comes in handy when trying to troubleshoot potential firewall or other access issues on a machine.

Here's the code:

$netstat = netstat -aon | Select-String -pattern "(TCP|UDP)"
$processList = Get-Process

foreach ($result in $netstat) {
   $splitArray = $result -split " "
   $procID = $splitArray[$splitArray.length - 1]
   $processName = $processList | Where-Object {$_.id -eq $procID} |    select processname
   $splitArray[$splitArray.length - 1] = $procID + " " +      $processName.processname
   $splitArray -join " "
}

Discuss...

#networking #Windows #grouppolicy

Recently, I had been fighting with Group Policy to apply a change in the local audit policies on a Domain Controller running Windows Server 2012 R2.

I was changing the Default Domain Controller policy object of “Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy”.

Specifically, I was changing the following two items to have our Meraki MX appliances filter content based on AD Security Groups: – Audit account logon events – Success – Audit logon events – Success

From the Cisco documentation page [A], I just needed to allow these two policies to begin filtering.

When I changed this and forced a gpupdate on the DC, it did not apply the policies correctly. They kept saying that the audit policies for both of these items were disabled. To make it worse, the option was greyed out when I tried to change it using secpol.msc or the local Group Policy editory,

I tried disabling the policy at “Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options” for “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings”, but this did not solve the issue after rebooting.

What I found was that I needed to rename the file at C:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv to something like audit.csv.backup.

The contents of the file were essentially just a CSV header:

Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value

Once this file was renamed, the Group Policies were applied correctly on the Domain Controller. It seems that this file was “blocking” the correct application of the GPO for the changes to the audit policy.

I don't know if this was a corrupt file or changed permissions, but I wanted to write this down in case I have to troubleshoot this again in the future.

Discuss...

#AzureAD #networking

I recently created a print server in Azure. The server is running PapercutMF and is syncing its user list from Azure AD using an App Registration.

We have a site-to-site VPN connection from the on-prem network to Azure with all subnets exported.

Issue

When a new user is onboarded, we want them to be able to take their new Mifare card and associate it with their account. This process we want is the following:

  1. Get new RFID badge from box and give to onboarding user
  2. User touches badge to Xerox RFID reader
  3. Xerox prompts user to type Azure AD email address and password
  4. Papercut MF associates this card number with the user's email address

Step 4 was failing, however, and the MFPs were showing an error message “Login Denied: Failed to associate card to account”:

Login Denied: Failed to associate card to account

Root cause

As explained by Papercut's support KB [A], the main issue with this workflow is that the Azure AD tenant that I created this workflow in uses Conditional Access to require MFA approval before authenticating user logins.

Papercut MF currently does not support MFA prompts and won't be able to process the login from the MFPs.

Remediation

To workaround the Conditional Access policy enforcing MFA, you need to add the print server's IP to the MFA exceptions at this link: https://account.activedirectory.windowsazure.com/usermanagement/mfasettings.aspx

You will need to add the IPv4 address of your VM or load balancer (if using VMSS) with a /32. You could also use the entire subnet:

After making that change, you can verify that this association is working by touching the badge to the reader, then logging in with Azure AD credentials. The logs on the Papercut MF dashboard at Logs > Application Logs will show a successful authentication:

Essentially, this is telling Azure AD to not require an MFA prompt when users authenticate through Papercut MF. The red herring was changing any settings related to the Papercut MF App Registration for user sync, as this does not appear to be related to user login authentication.


References: https://www.papercut.com/support/resources/manuals/ng-mf/common/topics/sys-user-group-sync-azure.html

Discuss...

#networking

A company I'm working with is using a Neat Bar [A] and Neat Pad [A] for Zoom calling. They also use Meraki network devices for wireless (MR 42) and switching (MS 250).

As explained in the Neat documentation [A], the Neat Pad and Bar cannot continue through the setup screen when using Meraki devices with default options for DHCP.

In our environment, we have a wireless SSID that is set to bridge clients to a Wireless VLAN subnet. This SID is using a Pre-Shared Key (PSK), it's not hidden, and is using both 2.4ghz and 5ghz bands with band steering. The DHCP server is running on the Switch Virtual Interface (SVI) configured on the Wireless VLAN subnet.

When trying to connect the Neat Pad and Bar to this SSID, the setup screen allows them to connect, but it say that it's not connected to the internet. The workaround for this is to configure the DHCP options in the SVI to include an NTP time server IP.

The steps are as follows:

  1. Open the Meraki dashboard in a browser.

  2. Navigate to Switch > Routing & DHCP:

  3. Click on the row to open up the Switch Interface config:

  4. In the section “DHCP options”, click the “Add a DHCP option” button. Select “NTP Server (42)”. Copy/paste in one of the direct IPs from the NIST Internet Time Servers page: https://tf.nist.gov/tf-cgi/servers.cgi

After that, you might need to reboot the Neat devices, but the Neat Pad screen should say that the wireless connection has internet access and allow you to continue the setup.

#networking

I just upgraded to Google Fiber 2Gig and there doesn't seem to be much documentation about what each of the ports mean on the two devices that they provided:

I was able to find some FCC documents about each:

I contacted Google Support and got as much info as I could.

Google Multi-Gig Router ports

Google Multi-Gig Router ports

I have the model number GFRG300. There are 1 RJ-11 port, 5 RJ-45 ports, 1 USB port, and one SFP+ port. Starting from the top:

  • Green RJ-11 port with phone handset icon: Line for VOIP phone

  • 3 yellow RJ-45 ports with arrow icons: 1 gbps LAN ports. (Ports intended for devices connected to LAN, e.g. PCs, NASes)

  • Red RJ-45 port with globe icon: Secondary copper WAN connection. Unknown speed. Google Support stated that Router does not support dual WAN uplinks. (Port intended for setups where direct ONT fiber connection is not available and requires a modem and copper RJ-45 for uplink. Not intended for LAN connections. )

  • Bronze/copper RJ-45 port with the text “10” and arrow icons: 10gbps LAN port. (Port intended for a multi-gig switch or the Wifi Mesh Tri-Band Extender.)

  • Blue USB port: Intended for tech-support/troubleshooting service. Google Support stated there is no network connectivity supported over USB.

  • Silver SFP+ port with globe icon: 10gbps SFP port for WAN uplink. Google Support could not provide if this was an SFP or SFP+ port, but it's probably SFP+. (Port intended as uplink using fiber SFP module for connection to ONT.)

Google Wifi Tri-Band Mesh Extender with Wifi 6

Google Wifi Tri-Band Mesh Extender with Wifi 6 ports

I have the model number GFEX310. There are two RJ-45 ports and one USB port on the back of this device.

Going from left to right:

  • Black USB port: Intended for tech-support/troubleshooting service. Google Support stated there is no network connectivity supported over USB.

  • Yellow RJ-45 port with arrow icons: 1gbps LAN port (intended for LAN pass thru for wired devices)

  • Blue RJ-45 port with arrow icons and globe icon: 1gbps LAN port (intended for wired connection to upstream router or switch)

Discuss...

#networking

I just upgraded to Google Fiber and received a Google wifi device [A] as a router/wifi radio device.

Once I connected to the fiber jack with an ethernet cable, the wifi device comes online and is manageable on my phone with the Google Home app.

I connected my NAS device to the single ethernet port on the wifi device. Google wifi ethernet ports

After a few seconds, the Google Home app displays the NAS and gives it a DHCP address.

Inside Google Home under the Wifi menu, I tapped on the Settings icon and selected “Advanced networking > Port Management”.

From there, I was able to add a manual forward for TCP traffic on port 32400. Google Home wifi port forwarding

I saved the setting and my Plex server was immediately able to connect with Remote Access.