Hyper-V & OVH – Workgroup

On Hyper-V Server

  • Enable Remote Management
  • Enable Remote Desktop
  • Set Computername
  • Enable WSMan and PS-Remoting:
Enable-PSRemoting  
Enable-WSManCredSSP -Role server  

On Managing Client

  • Configure hosts or DNS entry for Hyper-V Server
  • Ensure network profile is “Private”:
Set-NetConnectionProfile -InterfaceAlias Ethernet -NetworkCategory Private  
  • Temporarily start WinRM and add Hyper-V Server as Trusted Host:
Start-Service -Name winrm  
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "hyperv-server.home.local"  
Stop-Service -Name winrm  
  • Enable Hyper-V Management Tools in Windows Features
  • Add Hyper-V Administrator credential with cmdkey:
cmdkey /add:HYPERV-SERVER /user:Administrator /pass:  
  • Launch Hyper-V Manager and connect to server (don’t specify user)
    • or, launch Hyper-V Manager with runas:
runas /user:HYPERV-SERVER\Administrator /netonly "mmc virtmgmt.msc"  
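The client-side steps above as one script with checks, added here as an example and not part of the original post; the host name, NetBIOS name and Administrator account are the assumed values used in the steps above:

```powershell
# Added example, not the post's own commands: the managing-client steps with
# checks, so a failed step is caught before Hyper-V Manager is opened.
# Host name, NetBIOS name and account are assumptions taken from the post.
$HyperVHost  = 'hyperv-server.home.local'
$NetBiosName = 'HYPERV-SERVER'

# 1. The name must resolve via the hosts file or DNS. In a workgroup WinRM
#    authenticates with NTLM, so the name you connect with must be the one
#    listed in TrustedHosts. GetHostAddresses throws if it does not resolve.
[System.Net.Dns]::GetHostAddresses($HyperVHost) | Out-Null

# 2. Trust exactly this host. -Concatenate appends to existing entries rather
#    than overwriting them; "*" would trust every host for NTLM authentication.
Start-Service -Name winrm
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if ((($trusted -split ',').Trim()) -notcontains $HyperVHost) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $HyperVHost -Concatenate -Force
}

# 3. Confirm the remote listener answers, then run a Hyper-V cmdlet over
#    PowerShell remoting with an explicit credential (prompted, not embedded).
Test-WSMan -ComputerName $HyperVHost -ErrorAction Stop | Out-Null
$cred = Get-Credential -UserName "$NetBiosName\Administrator" -Message 'Hyper-V host administrator'
Invoke-Command -ComputerName $HyperVHost -Credential $cred -ScriptBlock {
    Get-VMHost | Select-Object Name, LogicalProcessorCount, MemoryCapacity
}

# The local WinRM service was only needed to edit TrustedHosts; stop it again
# as the post does.
Stop-Service -Name winrm
```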

Summary

After lots of mucking around, this is the bare-minimum working configuration I’ve found to remotely manage a Hyper-V server in a non-domain environment.

I’m still not 100% certain why Hyper-V Manager does not work with supplied credentials and the cmdkey or runas workaround is necessary.

Stolen from: https://blog.ropnop.com/remotely-managing-hyper-v-in-a-workgroup-environment

Hyper-V & OVH – Network

Network (PowerShell script)

Create an External Switch from the command line

This is the hard part that really had me banging my head against the wall. If you create an external switch you lose connectivity.

You need to determine the adapter name to use. To do this, from a PowerShell prompt run:

Get-NetAdapter

This will list the names of your adapters. Figure out which one you want to use for your switch. In my case it was Ethernet 2.

Save the PowerShell script below to a .ps1 file (say c:\MakeSwitch.ps1). You can run:

Notepad c:\makeswitch.ps1

to do this. Update it with the correct adapter name determined above.

<#
Make Switch for So You Start Dedicated Server
Usage:
execute the command Get-NetAdapter
This lists the ethernet adapters.
Replace "ethernet 2" below with the name of your connected physical adapter
Adapted from:
http://blogs.technet.com/b/heyscriptingguy/archive/2013/10/09/use-powershell-to-create-virtual-switches.aspx
#>

Import-Module Hyper-V
# The physical adapter that will carry the external switch
$ethernet = Get-NetAdapter -Name "ethernet 2"
# External: shared by the parent OS and the VMs; -AllowManagementOS keeps the host on the network
New-VMSwitch -Name externalSwitch -NetAdapterName $ethernet.Name -AllowManagementOS $true -Notes 'Parent OS, VMs, LAN'
# Private: VM-to-VM traffic only, no host access
New-VMSwitch -Name privateSwitch -SwitchType Private -Notes 'Internal VMs only'
# Internal: VMs and the parent OS, no physical network
New-VMSwitch -Name internalSwitch -SwitchType Internal -Notes 'Parent OS, and internal VMs'

This actually creates three switches, one of each type (external, internal and private).
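As an added example that is not part of the original script: the external switch created with the same parameters, but with the physical adapter's static IPv4 settings recorded first and re-applied to the new vEthernet adapter if they do not carry over, which is the connectivity loss described above. The adapter and switch names are assumptions taken from the script.

```powershell
# Added example, not the post's own script. Assumes a static IPv4 address on
# the physical adapter, as a dedicated server with a fixed OVH IP has.
Import-Module Hyper-V
$AdapterName = 'Ethernet 2'        # assumed: the name found with Get-NetAdapter
$SwitchName  = 'externalSwitch'    # assumed: same name as the script above

$nic = Get-NetAdapter -Name $AdapterName -ErrorAction Stop
if ($nic.Status -ne 'Up') { throw "$AdapterName is not up; refusing to continue." }

# Record the static IPv4 address, prefix, default gateway and DNS servers
# before the physical adapter is bound to the switch.
$ip  = Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
       Where-Object { $_.PrefixOrigin -eq 'Manual' } | Select-Object -First 1
$gw  = Get-NetRoute -InterfaceIndex $nic.ifIndex -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
       Select-Object -First 1
$dns = (Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses

New-VMSwitch -Name $SwitchName -NetAdapterName $nic.Name -AllowManagementOS $true -Notes 'Parent OS, VMs, LAN' | Out-Null
Start-Sleep -Seconds 5   # give the new management adapter time to appear

# The management OS now reaches the network through "vEthernet (<switch name>)".
$vnic = Get-NetAdapter -Name "vEthernet ($SwitchName)" -ErrorAction Stop
$carried = Get-NetIPAddress -InterfaceIndex $vnic.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
           Where-Object { $_.IPAddress -eq $ip.IPAddress }

# Re-apply the recorded configuration only when it did not move across.
if ($ip -and -not $carried) {
    $params = @{ InterfaceIndex = $vnic.ifIndex; IPAddress = $ip.IPAddress; PrefixLength = $ip.PrefixLength }
    if ($gw) { $params['DefaultGateway'] = $gw.NextHop }
    New-NetIPAddress @params | Out-Null
    if ($dns) { Set-DnsClientServerAddress -InterfaceIndex $vnic.ifIndex -ServerAddresses $dns }
}
Get-NetIPConfiguration -InterfaceIndex $vnic.ifIndex
```

Run it from the server console (or an out-of-band console), not over the very connection the switch creation can drop.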

OVH and pfSense

To create a route up to 192.168.23.254 (your main OVH IP) on an interface having no IP in this range, I use the commands:

route add -net 192.168.23.254/32 -iface em0
route add default 192.168.23.254

The first line tells the firewall that IP address 192.168.23.254 is on the side of the em0 interface (em0 is my WAN interface); the second one uses this address as the default gateway. Install shellcmd into pfSense and add the two commands above; this will make them survive a reboot.

Adding more IPs

Go to Firewall -> Virtual IPs. Add an IP Alias, adding the IPs one at a time with a /32. Your IPs are now ready to use!

LAN Internet

Go to Firewall -> NAT -> Outbound and select Manual Outbound NAT rule generation. If a rule isn't created automatically, add a rule with an Interface of WAN and a source of your internal IP range (192.168.1.x/24); leave everything else as default and save.

Nagios MySQL

To monitor MySQL servers we need to pass a username and password for MySQL when checking the service availability. First we create a MySQL user: log in to the database server and create a new user for Nagios to use. I normally use the local check_mysql plugin, so there is no need to let the user log in from other servers.

CREATE USER 'nagios'@'localhost' IDENTIFIED BY 'password';

Next, check by running the check_mysql plugin:

sudo -s -u nagios /usr/lib/nagios/plugins/check_mysql -H localhost -u nagios -p password

Add this to your NRPE definition file and restart nagios-nrpe-server. Add it to your Nagios server and away you go!

Auto OpenVPN Script

Build a new VPS and then follow the instructions here: https://github.com/Angristan/OpenVPN-install. I had an issue with my install to do with routing; the trouble was in the iptables NAT rule. Check whether IPv4 forwarding is enabled:
# grep net.ipv4.ip_forward /etc/sysctl.conf
net.ipv4.ip_forward=1
# cat /proc/sys/net/ipv4/ip_forward
1
# sysctl -a | grep "net.ipv4.ip_forward "
net.ipv4.ip_forward = 1
If that is OK, check your iptables rules:
iptables -t nat -L -vn --line
iptables -L FORWARD -vn --line
I had no NAT rule in my nat table, sad times! I added the following and all is well. $IP is your public server IP:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP

Cert for ESXi

To generate a certificate request for an ESXi 6.0 host:

  1. Open a command prompt and navigate to the OpenSSL directory as previously configured in the Configuring OpenSSL article. By default this is C:\OpenSSL-Win32\bin.
  2. Run the command:

    openssl req -new -nodes -out rui.csr -keyout rui-orig.key

    This creates the certificate request rui.csr.

  3. Convert the key to RSA format by running this command:

    openssl rsa -in rui-orig.key -out rui.key

Installing and configuring the certificate on the ESXi host

After the certificate is created, complete the installation and configuration of the certificate on the ESXi 6.0 host:
  1. Navigate to the console of the server to enable SSH on the ESXi 6.0 host.
  2. Log in to the host and then navigate to /etc/vmware/ssl.
  3. Copy the files to a backup location, such as a VMFS volume.
  4. Log in to the host with WinSCP or log in locally (my preferred method) and navigate to the /etc/vmware/ssl directory.
  5. Delete the existing rui.crt and rui.key from the directory.
  6. Copy the newly created rui.crt and rui.key to the directory, or create them using vi (again my preferred method; I also add the intermediate cert to the .crt file). Use Text Mode or ASCII mode when copying to avoid special characters (^M) appearing in the certificate file.
  7. Type vi rui.crt to validate that there are no extra characters.

    Note: There should not be any erroneous ^M characters at the end of each line.

  8. Restart the management agents

    /etc/init.d/hostd restart

    /etc/init.d/vpxa restart

Z-Push with MXRoute

I decided to set myself a little challenge: get ActiveSync working for free for a project I am working on. Most ActiveSync clients on the market are licensed directly from Microsoft.

I have an email service from the excellent MXRoute (http://www.mxroute.com) and I am not using the service much. They don't currently offer a mobile solution, so I thought I would see if it is possible to use a small virtual private server (VPS) to connect to IMAP and pass it to my mobile; turns out you can! I am using MXRoute's London servers; you will need to change the config if you are using any other location.

Using Z-PUSH (2.3.5) to connect to MX Route

Known Issues:

Z-push syncs the shared address book, I haven’t worked out how to stop this, it’s a minor issue, but you do need to be aware of it.

Z-push fails to get the name of the calendar, so on an activesync device the calendar name shows up as unknown, but it works.

Z-push pulls the tasks through as a calendar, I have turned off syncing tasks.

Z-push itself isn’t the most reliable platform. This isn’t an issue per se, but it is something you need to be aware of.

Pre-Reqs

  • A VPS or server (I am running Ubuntu 16.04 LTS)
  • An MXRoute account
  • Apache installed with an SSL cert (I'm using letsencrypt)
  • PHP7 with php-cli and php-soap

Instructions

Add the z-push repo by creating /etc/apt/sources.list.d/z-push.list with the content

deb http://repo.z-hub.io/z-push:/final/Ubuntu_16.04/ /

Download and add the repo key to the keychain

wget -qO - http://repo.z-hub.io/z-push:/final/Debian_8.0/Release.key | sudo apt-key add -

Run apt-get update

We then need to install the z-push packages that we need

apt-get install z-push-common z-push-config-apache z-push-backend-caldav z-push-backend-carddav z-push-backend-combined z-push-backend-imap z-push-ipc-sharedmemory

This will install and configure z-push ready to go, we now need to edit the config files to tell it where to get the contacts, calendar and email from.

Start by editing /usr/share/z-push/config.php

Change the section "Default Settings" to match your timezone and ensure that define('USE_FULLEMAIL_FOR_LOGIN', true); is set to true.

Under the logging settings there is a specialLogUsers value. It is really useful to put a user in here when you need to troubleshoot: this generates debug logs for the named user, which can be found in the /var/log/z-push directory. Remember to remove the user when you have finished testing, as these logs can grow very large.

The only other setting we need to change is the Backend settings.

Change the backend provider setting to:

define('BACKEND_PROVIDER', 'BackendCombined');

Save and exit the file

Next edit the /usr/share/z-push/backend/combined/config.php

Update it to match the following values

'backends' => array(
    'i' => array(
        'name' => 'BackendIMAP',
    ),
    'd' => array(
        'name' => 'BackendCardDAV',
    ),
    'c' => array(
        'name' => 'BackendCalDAV',
    ),
),
'delimiter' => '/',
// force one type of folder to one backend
// it must match one of the above defined backends
'folderbackend' => array(
    SYNC_FOLDER_TYPE_INBOX => 'i',
    SYNC_FOLDER_TYPE_DRAFTS => 'i',
    SYNC_FOLDER_TYPE_WASTEBASKET => 'i',
    SYNC_FOLDER_TYPE_SENTMAIL => 'i',
    SYNC_FOLDER_TYPE_OUTBOX => 'i',
    // SYNC_FOLDER_TYPE_TASK => 'c',
    SYNC_FOLDER_TYPE_APPOINTMENT => 'c',
    SYNC_FOLDER_TYPE_CONTACT => 'd',
    SYNC_FOLDER_TYPE_NOTE => 'c',
    SYNC_FOLDER_TYPE_JOURNAL => 'c',
    SYNC_FOLDER_TYPE_OTHER => 'i',
    SYNC_FOLDER_TYPE_USER_MAIL => 'i',
    SYNC_FOLDER_TYPE_USER_APPOINTMENT => 'c',
    SYNC_FOLDER_TYPE_USER_CONTACT => 'd',
    SYNC_FOLDER_TYPE_USER_TASK => 'c',
    SYNC_FOLDER_TYPE_USER_JOURNAL => 'c',
    SYNC_FOLDER_TYPE_USER_NOTE => 'c',
    SYNC_FOLDER_TYPE_UNKNOWN => 'i',
),
// creating a new folder in the root folder should create a folder in one backend
'rootcreatefolderbackend' => 'i',
);
}
}

This tells z-push which backend is responsible for which function.

Next we need to edit the individual service files we will start with email.

Edit the file /usr/share/z-push/backend/imap/config.php

Update the following values, this is assuming you are using MXRoute’s London servers.

// Defines the server to which we want to connect
define('IMAP_SERVER', 'london.mxroute.com');

// connecting on the IMAPS port (993) rather than the default 143
define('IMAP_PORT', 993);

// best cross-platform compatibility (see http://php.net/imap_open for options)
define('IMAP_OPTIONS', '/ssl/norsh');

// Mark messages as read when moving to Trash.
// BE AWARE that you will lose the unread flag, but some mail clients do this so the Trash folder doesn't get boldened
define('IMAP_AUTOSEEN_ON_DELETE', false);

// Since I know you won't configure this, I will raise an error unless you do.
// When configured set this to true to remove the error
define('IMAP_FOLDER_CONFIGURED', true);

// Folder prefix is the common part in your names (3, 4)
define('IMAP_FOLDER_PREFIX', '');

// Inbox will have the prefix prepended (3 & 4 to true)
define('IMAP_FOLDER_PREFIX_IN_INBOX', false);

// Inbox folder name (case doesn't matter) - (empty in 4)
define('IMAP_FOLDER_INBOX', 'INBOX');

// Sent folder name (case doesn't matter)
define('IMAP_FOLDER_SENT', 'inbox.SENT');

// Draft folder name (case doesn't matter)
define('IMAP_FOLDER_DRAFT', 'inbox.DRAFTS');

// Trash folder name (case doesn't matter)
define('IMAP_FOLDER_TRASH', 'inbox.TRASH');

// Spam folder name (case doesn't matter). Only shown as special by iOS devices
define('IMAP_FOLDER_SPAM', 'inbox.junk');

// Archive folder name (case doesn't matter). Only shown as special by iOS devices
define('IMAP_FOLDER_ARCHIVE', 'ARCHIVE');

You also want to update the method used for sending emails (I am using an SSL connection to MXRoute)

define('IMAP_SMTP_METHOD', 'smtp');

global $imap_smtp_params;
// submission over implicit TLS on port 465; 'imap_username' and 'imap_password' are placeholders, see below
$imap_smtp_params = array('host' => 'ssl://london.mxroute.com', 'port' => 465, 'auth' => true, 'username' => 'imap_username', 'password' => 'imap_password');

The above 'imap_username' and 'imap_password' are placeholders that z-push replaces with the logged-in user's credentials at run time, so they do not need changing to the actual username and password.

Save and close the file.

Next we will setup syncing contacts

Edit /usr/share/z-push/backend/carddav/config.php update the following

// Server protocol: http or https
define('CARDDAV_PROTOCOL', 'https');

// Server name
define('CARDDAV_SERVER', 'london.mxroute.com');

// Server port
define('CARDDAV_PORT', '2080');

// Address book path
define('CARDDAV_PATH', '/rpc/addressbooks/%u/');

// Server path to the default address book
define('CARDDAV_DEFAULT_PATH', 'contacts/');

// Support sync-collection
define('CARDDAV_SUPPORTS_SYNC', false);

Save and close the file

Finally the calendar sync

Edit /usr/share/z-push/backend/caldav/config.php

// Server protocol: http or https
define('CALDAV_PROTOCOL', 'https');

// Server name
define('CALDAV_SERVER', 'london.mxroute.com');

// Server port
define('CALDAV_PORT', '2080');

// Path
define('CALDAV_PATH', '/rpc/calendars/%u/');

// Default CalDAV folder (calendar folder/principal). This will be marked as the default calendar on the mobile
define('CALDAV_PERSONAL', 'calendar');

// If the CalDAV server supports the sync-collection operation
// DAViCal, SOGo and SabreDav support it
// SabreDav version must be at least 1.9.0, otherwise set this to false
// Setting this to false will work with most servers, but it will be slower
define('CALDAV_SUPPORTS_SYNC', false);

// Maximum period to sync.
// Some servers don't support more than 10 years so you will need to change this
define('CALDAV_MAX_SYNC_PERIOD', 2147483647);

Save and close the file

Although not strictly necessary, I restart Apache at this point.

service apache2 restart

On your client device (iOS / Android / Outlook 2013+)

As there is no autodiscovery function you will need to enter the settings manually.

Username: Full email address

Password: Users MXRoute Password

Server: Your VPS address (i.e. z-push.yourdomain.com)

Basic Troubleshooting

Check the apache and z-push logs, both of which can be found in /usr/var/log/

Turn on debugging for a single user (see above for details)

Check you can access ActiveSync on your server at https://z-push.yourdomain.com/Microsoft-Server-ActiveSync. You should be prompted for a username and password; use the email address and the user's MXRoute password. You should then see a page that gives you the ActiveSync information and tells you that "GET is not supported".

You should now be good to go!

Configure Windows Remote Desktop to use TLS with StartSSL

**Firstly it is important to note that StartSSL don’t currently have a trusted root CA.**

Firstly you will need to create your CSR. I do this from a Linux box as openssl is much easier from the command line. You can also generate the CSR online or using various Windows tools.

Go to your Linux terminal and type the following:

openssl req -out rdp.csr -new -newkey rsa:4096 -nodes -keyout rdp.key

Open the CSR (nano rdp.csr) and copy the contents into the StartSSL certificate wizard.

You will now need to wait for StartSSL to generate your certificate; in my experience this is currently taking up to 24 hours, whereas it used to be nearly instant.

Open the .crt file and save it on your Linux box as rdp.crt. You will also need to grab the StartSSL Intermediate cert from their site.

You now need to combine the two files. I tend to do this in nano or notepad++ depending on which environment I am working in.

Paste the contents of rdp.crt, then add a line break and paste the intermediate cert underneath it. Save this file; I normally save mine as rdp.pem.

Next we need to take this new file and turn it into a pfx file that Windows will understand. Simply go back to your Linux terminal with the new file and type the following:

openssl pkcs12 -export -out rdp.pfx -inkey rdp.key -in rdp.pem

Now go to the Windows machine you wish to use the certificate on, making sure you have a copy of the rdp.pfx file!

You now need to open the certificate snap-in; the easiest way to do this is:

Start-> Run -> mmc add snapin certificates (Local Computer), select personal certificates and right click, choose All Tasks -> Import. Select the pfx file.

Copy the new cert (probably called myserver.mydomain.com) and place a copy in Remote Desktops -> Certificates.

Double click the certificate and copy the Thumbprint (this is found at the bottom of the details list). You need to paste this Thumbprint into a new file and remove the spaces so you are left with a 40 character hex string.

Open a command prompt as an administrator and type / paste the following:

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash=”

That’s it you have successfully installed a StartSSL Cert onto your Windows RDP server!
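An added example, not from the original post, that does the thumbprint lookup and the listener binding from PowerShell, so the thumbprint is read from the certificate store rather than copied by hand and the result is read back. The subject name is an assumption; use the name you requested from StartSSL.

```powershell
# Added example, not the post's own commands. Assumes the pfx has already been
# imported into the Local Computer Personal store as described above.
$SubjectName = 'myserver.mydomain.com'   # assumed: the name on your certificate

# Find the newest certificate for that name that still carries its private key
# (a cert without the key cannot be used by the RDP listener).
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$SubjectName*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $SubjectName" }

# The store already gives the thumbprint as a 40-character hex string, no spaces.
$thumb = $cert.Thumbprint
if ($thumb.Length -ne 40) { throw "Unexpected thumbprint length: $($thumb.Length)" }

# Same WMI class the wmic command above targets, filtered to the RDP-Tcp listener.
$ns = 'root\cimv2\TerminalServices'
$ts = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
Set-WmiInstance -Path $ts.__PATH -Arguments @{ SSLCertificateSHA1Hash = $thumb } | Out-Null

# Read the setting back to confirm the listener now presents the new certificate.
$check = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
if ($check.SSLCertificateSHA1Hash -ne $thumb) { throw 'RDP-Tcp thumbprint was not updated' }
"RDP-Tcp now uses certificate $thumb (expires $($cert.NotAfter))"
```

Run it from an elevated PowerShell prompt; the change applies to new RDP connections without a restart.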

OVH Gateway for Failover IPs

OVH have a very odd way of assigning failover IPs for dedicated and VPS servers.

I run a pfSense firewall on my virtual platform and all the internet traffic runs through that.

Firstly you need to generate a virtual MAC in the OVH control panel, which you need to assign to the WAN interface of your pfSense box.

Next you need to add the IPs to the alias list on your pfSense machine.

Now this is where things get interesting! You need to add a couple of routes to allow pfSense to get out to the internet at all. You will need the gateway of your primary dedicated / VPS IP address; this will probably be on a different subnet to your new failover IPs. In this example I will use 111.111.111.111 as my primary IP, and the gateway for this IP will be 111.111.111.254.

From the shell of your pfSense box type:

route add -net 111.111.111.254/32 -iface em0

route add default 111.111.111.254

Your pfSense box should now be able to see the internet.

You will also need to add a rule to allow your pfSense LAN out to the internet. Within the pfSense webConfig go to

Firewall -> NAT

Click on outbound. Set it to manual outbound and add a mapping:

Interface: WAN

Source: (this should be your LAN i.e. 192.168.1.0/24)

Leave the rest as defaults and save. This should now allow your LAN traffic out on to the WAN.

The routes we typed earlier will not survive a reboot, in order to fix this go to the plugins and download shellcmd. Once this is installed simply add the two routes we typed above into shellcmd plugin (Services -> shellcmd)