Mike Poulson's Thoughts on lots of stuff : ISP

DSL testing on campus Part 2 of 2 (the NEW way)

mpoulson — Tue, 09 May 2006 19:10:00 GMT

This is part 2 of a 2 part post. Post two: The NEW way of doing DSL on campus About 2 years ago me and a co-worker were approached by 2 teams on campus that had a large number of DSL lines and did not want to pay the fee that Verizon charged. So I came...(read more)

DSL testing on campus Part 1 of 2 (the old way)

mpoulson — Tue, 09 May 2006 18:17:00 GMT

This is part 1 of a 2 part post. Post one: The OLD way of doing DSL on campus. So for the past few years I have been part of a team that provides DSL access to various test teams on campus. For a company like MSFT testing the "home scenario" is very important....(read more)

IPv6 6over4 tunnels with Windows and Cisco

mpoulson — Tue, 18 Jan 2005 18:27:00 GMT

A few years ago I began working with Art Shelest here at Microsoft to get Native IPv6 running in my lab. After a few weeks we had it up and running.

We had to work with MSIT (was known as ITG at the time) to get a 6over4 tunnel setup so that we could connect to the 6bone even though my upstream routers did not support IPv6 (still don't at this time). Once the tunnel was setup on the ITG Router we ran a command on my Windows IPv6 Router in my lab and it was up and running.

We run our entire lab IPv6 network on Windows Routers. We use Windows Server 2003 but you could use Windows XP Pro if you wanted. Unlike RRAS the IPv6 routing stack is included in Windows XP. And after Windows XP SP1 this stack was fully supported by Microsoft support. So if you follow the steps at http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_ip_v6_imp_lab_node.mspx you can get your internal test network setup.

Now to create a 6over4 tunnel to another router you simply run the below commands from a cmd prompt on your main IPv6 router

netsh
int ipv6
add v6v4tunnel interface="V6v4 Tunnel" localaddress=<local ipv4 address> remoteaddress=<remote ipv4 address>
set interface "v6v4 Tunnel for=en
add address int="v6v4 tunnel" address=<IPv6 address from provider>
add route ::/0 "v6v4 tunnel" <remote IPv6 address> publish=yes

Key things to note with the above

The Local IPv4 address is the IP address that the tunnel is going to use to talk to the Upstream V6 Router (With my example below it would be 1.1.1.1).
The Remote IPv4 Address is the IP address of the upstream V6 router (with my example below it would be 2.2.2.1).
The IPv6 address from provider would be a IPv6 address that you get from your v6 provider (with my example below it would be 3ffe:ffee:100:2::2)
The Remote IPv6 address is the IPv6 address of the upstream IPv6 router (with my example below it would be 3FFE:FFEE:100:2::1)

The Cisco side of the config looks like this

interface Tunnel1
description v6in4 tunnel to lab 1.1.1.1/3FFE:FFEE:100:2::2
no ip address
ipv6 address 3FFE:FFEE:100:2::1/64
tunnel source 2.2.2.1
tunnel destination 1.1.1.1
tunnel mode ipv6ip

Once the machines are all setup important things to know are "how do you back up your ipv6 configuration?" Well with netsh it could not be easier.

Simply run 'netsh int ipv6 dump > c:\ipv6backup.txt' this will dump all the ipv6 config out to the txt file. Now if the router was to ever go down you can run the command 'netsh exec c:\ipv6backup.txt'. With these 2 commands it will backup and restore your ipv6 configuration.. You can also modify the backup command to be 'netsh dump > c:\netshbackup.txt' and it will back up 99% of all the settings for your network configuration.

If you would like to know more about how I have my IPv6 network setup please let me know. Also I recommend the Microsoft Press Book Understanding IPv6 (http://www.microsoft.com/MSPress/books/4883.asp) ISBN: 0-7356-1245-5

Securing a TS connection with Smart Cards

mpoulson — Sun, 12 Dec 2004 00:23:00 GMT

Well today is going to be a busy day here at the Microsoft Enterprise Engineering Center. At about 11:30 I am going to have lunch some of the RedvsBlue people (http://www.redvsblue.com). Then I have the job of setting up and testing a remote access solution for a customer. Note that the steps below are technical and you should know a little something about Active Directory and PKI before you start.

The problem: How do you provide a customer secure remote access into a scenario?

Solution: Smart cards and Terminal Services on Windows Server 2003! Smart cards keep the Private PKI key stored on the card, and cannot be removed from the card. It requires two-factor authentication. Something you have (the smart card) and something you know (the PIN).

How: First we set up a DC (or 2). Then install cert services on box (domain member). Then install Terminal Services on to another box (aka the Jump box).

We are using the Microsoft Base CSP (http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/w2k3tr_certs_how.asp) on some Amtel Smart cards.

I create user accounts in the Domain for each person that will need remote access. Each Account has a Very LONG and Very RANDOM password. This is because the user will never use a password. They will not be able to use their smart card. Once the users are created make sure that you go in the properties of each user and under the Account tab select the following options: User Cannot change password, Password never expires and Smart Card is required for interactive logon.

Now create a separate Admin account. This will be the account that I use to manage the TS (terminal Services) jump box and issue the smart cards. Make sure it has a secure password.

To issue a smart card the issuing user account must have an Enrollment Agent Cert. To get this cert you must first enable it on the CA. (Open the CA MMC snapin -> select Certificate Templates -> Right-click on Certificate Templates -> Select New -> Select Certificate Template to issue. In the list select Enrollment Agent.

Repeat the steps above to also add the Smart Card Logon Cert. This is the cert that we will put on each Smart Card.

After you have enabled that cert (Enrollment Agent) you must now request it with the user account that will be issuing the Smart Cards. So for my solution that is the separate admin account. I will use runas.exe /u:<domainName>\<adminUser> "mmc certmgr.msc". This will allow me to open the MMC without logging in as that user.

To request the new cert select personal -> right-click on personal -> select all tasks -> select Request new Cert... Once the Wizard opens select Next to start it -> Select Enrollment Agent -> Select Next -> Enter a Name (like SC enrollment Cert) -> Select Next -> then Select Finish to issue the cert.

Now we will need to make sure we have our smart card reader installed on the machine that has our enrollment Cert and http access to the CA. With all of the above done you can now open a web browser to http://<CA Machine Name>/certsrv/certsces.asp (note: that you might have to add this site to your trusted sites to get the Active X control to load).

From this browser window we can select the type of Cert we want to put on the Smart Card. We are going to use Smart Card Logon Cert. You will need to select the Microsoft Base Smart Card Crypto Provider as your CSP. The Administrator Signing Certificate is the Enrollment Cert that we requested earlier. At this point you can select any user in the domain to issue a smart card for.

One thing to note is that when you have a smart card for user account it does not matter if the user changes their password. The smart card will allow the user to be authenticated without a password. So make sure that you keep accounts that have the Enrollment Agent Cert secure.

In the future I will also write about how to use the AD to further secure the Solution.

Thanks for reading my first Full Blog Entry J

Mike Poulson