Technical (blog by sashkashurik)<br />
<h4>GPO - WinRM - remote PowerShell</h4>
Posted 2015-07-02<br />
I have spent almost two hours today debugging a non-issue. I decided to configure Group Policy Objects (GPO) and enable Windows Remote Management (WinRM). One of the first steps consists in enabling the service:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoceEA0NK4G_hUr1vlcUFHVaNUh-Ah6Tv4Lnf5bAqkxDUvMCm0m1ecKvxWlsquvbjWop01arax9Vo0ntr6wdfc672tXuzao1ZsADLFXOfQfSbay2KI_8mdoVTM_uanxPNRHvLJ_GykfiQ/s1600/8750.HSG-8-17-11-3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="498" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoceEA0NK4G_hUr1vlcUFHVaNUh-Ah6Tv4Lnf5bAqkxDUvMCm0m1ecKvxWlsquvbjWop01arax9Vo0ntr6wdfc672tXuzao1ZsADLFXOfQfSbay2KI_8mdoVTM_uanxPNRHvLJ_GykfiQ/s640/8750.HSG-8-17-11-3.jpg" width="640" /></a></div>
<br />
I was configuring it on the server in French and the translation has made my life even harder.<br />
<br />
Anyhow, just remember that <span style="font-family: Courier New, Courier, monospace;">IPv4/IPv6 Filter</span> in "<span style="font-family: Courier New, Courier, monospace;">Windows Remote Management Service>>WinRM Service>>Allow automatic configuration of listeners</span>" means that you are specifying the IPs that will be listening (accepting commands), NOT the sources (the IPs that send commands). Again, you will <u>not</u> be limiting the IPs that can remotely manage clients: you will be selecting the IPs that will be listening for commands.<br />
<h4>[3 of many] Migrating to Fortinet 5.2 - ECMP Load Balancing - Answers</h4>
Posted 2014-12-23<br />
In the last post <a href="http://sashkastechnical.blogspot.ca/2014/10/2-of-many-migrating-to-fortinet-52-ecmp.html" target="_blank">here</a>, I discussed the problems we had with ECMP. In short, the traffic was not balancing properly and switching from one connection to the other after we migrated to 5.2.<br />
<br />
First, the answers from technical support:<br />
A very busy but knowledgeable and fast person has taken our case. After initial testing based on our suggestions, it took an hour or so to rapidly check everything on our system and answer one or two of my questions.<br />
It looks like everything has been working since the beginning. In fact, the documentation from Fortinet
<br />
<ul>
<li>5.2 - <a href="http://docs.fortinet.com/d/fortigate-fortios-handbook-the-complete-guide-to-fortios-5.2/download" target="_blank">http://docs.fortinet.com/d/fortigate-fortios-handbook-the-complete-guide-to-fortios-5.2/download</a>, pages 299-301<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6unyNXlFQRZpU9sebSqui1ITVYx37cJqxjc_LtFGB3yTdL6Q_TabBPl62fGRI_lqGeiLwkIsLswx8iOogWDXr5PbyfGUxEVH2wgtIxmdHwIQ2IemzNxZ4sMR4hJARSnUDJblL8k_Ke3c/s1600/Capture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6unyNXlFQRZpU9sebSqui1ITVYx37cJqxjc_LtFGB3yTdL6Q_TabBPl62fGRI_lqGeiLwkIsLswx8iOogWDXr5PbyfGUxEVH2wgtIxmdHwIQ2IemzNxZ4sMR4hJARSnUDJblL8k_Ke3c/s1600/Capture.PNG" height="237" width="640" /></a></div>
</li>
<li>4.3 - <a href="http://docs.fortinet.com/uploaded/files/1622/fortios-handbook-40-mr3.pdf" target="_blank">http://docs.fortinet.com/uploaded/files/1622/fortios-handbook-40-mr3.pdf</a>, pages 1685-1692<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiccq4IPbBsg4uJLVclTZxhzrkcmM9tfra7d7klV5r3hzFND925h3KvAt9tjLFVvO-ZlvZRQD2HGqYd-ZjRlWcvgvZpW-KlCn3jr9JWhySci5P8QB_Qpe9yKNur8PJ3phRnRPuQod3okbk/s1600/Capture2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiccq4IPbBsg4uJLVclTZxhzrkcmM9tfra7d7klV5r3hzFND925h3KvAt9tjLFVvO-ZlvZRQD2HGqYd-ZjRlWcvgvZpW-KlCn3jr9JWhySci5P8QB_Qpe9yKNur8PJ3phRnRPuQod3okbk/s1600/Capture2.PNG" height="183" width="640" /></a></div>
</li>
</ul>
<div>
states that ECMP load balancing uses upload (yes, you heard it right: upload) traffic to determine when load balancing occurs. That is, under lab conditions a few YouTube videos saturating a 5Mbit connection generate around 600kbits of upload traffic. At the same time, a single Skype conversation will result in around 1Mbit of upload bandwidth used. Given that our own traffic is mostly YouTube (90% to 95%), we have set the spillover threshold to 600k. I will post here any adjustments we make.</div>
<div>
<br /></div>
<div>
A few important notes:</div>
<div>
<ul>
<li>ECMP uses the first available route as the default if all routes have the same distance. That is, for ECMP to work in a proper and predictable manner (according to Fortinet support) all routes <b>must</b> have the same distance. </li>
<li>However, ECMP accepts routes with different distances and is supposed to select the first available route with the shortest distance as the default and the other one as the spillover. This method was perfectly functional just before 5.2 and should also be working after 5.2. It is not an official statement and should be tested.</li>
</ul>
<div>
In short, I was wrong and Fortinet has helped me to find the answers. Unfortunately, the support person answered only the questions we had on the support ticket. In fact, he very politely suggested opening a new ticket for debugging the new load balancing method (WAN Link Load Balancing) because he is busy and another client is waiting for him. I cannot say that he was unhelpful or impolite, but I do expect to get more than an hour of support on the rare occasions when I need help and finally get it from someone who knows what he/she is doing.</div>
</div>
<h4>[2 of many] Migrating to Fortinet 5.2 - ECMP Load Balancing</h4>
Posted 2014-10-30, updated 2015-01-14<br />
While I have not done hundreds of hours of testing, I'm fairly certain that the ECMP Load Balancing method that worked before 5.2 is now partially buggy and does not perform as expected.<br />
<br />
We are using the following config:<br />
<ul>
<li>300C unit</li>
<li>2 WAN connections</li>
<li>Spillover load balancing</li>
</ul>
<div>
Fortinet suggests <a href="http://docs-legacy.fortinet.com/fos50hlp/52/FortiOS%205.2%20Help/adv_static_routing.028.48.html" target="_blank">here</a> to do the following:</div>
<div>
<ul>
<li>Configure static routes</li>
<li>Configure spillover thresholds</li>
<li>Configure interface status detection</li>
</ul>
</div>
<div>
<b>Static routes</b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBfBJSZzPrvrlkCn6aUI_PJio2KQXjbW3xc2QuEFzy_aXqSvwcshEuGLlShyLSH7k-kQzBKlrHXzJIR08vXMT4P1BIGoJUmySRi2uKRiKjaZd9RgYXIVHMumxDU2andnUjK9ZlH06GZ-A/s1600/Static+routes.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBfBJSZzPrvrlkCn6aUI_PJio2KQXjbW3xc2QuEFzy_aXqSvwcshEuGLlShyLSH7k-kQzBKlrHXzJIR08vXMT4P1BIGoJUmySRi2uKRiKjaZd9RgYXIVHMumxDU2andnUjK9ZlH06GZ-A/s1600/Static+routes.PNG" height="145" width="640" /></a></div>
<div>
<ol>
<li>Notice that the distance is set to the same value: in this config, the unit is supposed to select the shortest distance automatically and use it until the threshold is reached. Well, it does not work, as we will see in the images below.</li>
<li>In the initial setup under FortiOS 5.0, we had ISP0 distance set to 11 so that, according to the latest documentation, all connections go to port9 until threshold is reached. It did work before we have migrated to 5.2 but is clearly not working now.</li>
</ol>
<b> Spillover thresholds and interface status detection</b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmUYXvNqJYIGCcTYU7fTZGxf9orxS_9HVOjfkWHuR389Y7J7rgP174KY5G07Hv_giyEYUWQ7YLqW28CG0iM0u9zBilcRvSOD2J0dVj_1_5vvHVOzYXAdmr3J14mV8lu1_Vb0ogI2NNEHw/s1600/ECMPLoadBalancing.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmUYXvNqJYIGCcTYU7fTZGxf9orxS_9HVOjfkWHuR389Y7J7rgP174KY5G07Hv_giyEYUWQ7YLqW28CG0iM0u9zBilcRvSOD2J0dVj_1_5vvHVOzYXAdmr3J14mV8lu1_Vb0ogI2NNEHw/s1600/ECMPLoadBalancing.PNG" height="276" width="640" /></a></div>
<div>
<br /></div>
<div>
<b>The behavior in FortiOS 5.2</b></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgpqKENjHOPA9vd1xZ-qg7jNaSEE3BAQ9keo8cUGxWZS8JHHgxhMeOqgFC-7XSLoj2DTL2wSsfk64lIptco09cqg1yz1PmTGbEbMturx6Ny0dWwpzDsNpTxgxCxgLMMITkmWLsSz6kxcE/s1600/Spillover1.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgpqKENjHOPA9vd1xZ-qg7jNaSEE3BAQ9keo8cUGxWZS8JHHgxhMeOqgFC-7XSLoj2DTL2wSsfk64lIptco09cqg1yz1PmTGbEbMturx6Ny0dWwpzDsNpTxgxCxgLMMITkmWLsSz6kxcE/s1600/Spillover1.PNG" height="385" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Normal behavior with 30+ users for the past hour</td></tr>
</tbody></table>
<div>
Notice how the second WAN connection is not getting used at all? Considering that there are multiple users and the link gets saturated well above the threshold of 4500kbits set in the ECMP balancing (it gets up to 5.2Mbit=5320kbits), it is a weird behavior that should not occur in a normal usage scenario.</div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8ocG0oV4leXa89NKflGFaGKRevciD9Wf3KW3vrKHVbUSEr6BQ-kcjElXRzollBRuxZ5G0CbWpyNdcoe9hwZSkVHKWVTZ-Z6QAV07yHtBOxfRvy781TVdQAlu-hXkka0184zqOngapKRI/s1600/Spillover2_link+down.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8ocG0oV4leXa89NKflGFaGKRevciD9Wf3KW3vrKHVbUSEr6BQ-kcjElXRzollBRuxZ5G0CbWpyNdcoe9hwZSkVHKWVTZ-Z6QAV07yHtBOxfRvy781TVdQAlu-hXkka0184zqOngapKRI/s1600/Spillover2_link+down.PNG" height="400" width="215" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Simulating WAN connection down</td></tr>
</tbody></table>
<div>
However, it looks like fail-over is working???</div>
<div>
Will it then load balance after we bring back the main connection?</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhS08kIdjJYqEM4VgBerDGTFf1eMn-gWagit9HwmTHobAYfkxhLApIBkcKVCG41wlsqcC3cNKLyavMyGfokncKxUV0GMMOw0BWcptIejsJ8o4Cc1sB6br_R4Q2P7ywMJjmkW1xyRLwqXOk/s1600/Spillover2_link+down-up.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhS08kIdjJYqEM4VgBerDGTFf1eMn-gWagit9HwmTHobAYfkxhLApIBkcKVCG41wlsqcC3cNKLyavMyGfokncKxUV0GMMOw0BWcptIejsJ8o4Cc1sB6br_R4Q2P7ywMJjmkW1xyRLwqXOk/s1600/Spillover2_link+down-up.PNG" height="378" width="640" /></a></div>
<div>
<br /></div>
<div>
Well, it does go back to the main connection and completely drops the second one. Despite the fact that during the downtime of WAN1 the cached routes were using WAN2, the system almost immediately comes back to the same old behavior we noticed earlier: all connections are reset to WAN 1.</div>
<div>
<br /></div>
<div>
<b>Conclusion:</b> spillover does not work. We can at best hope for fail-over.</div>
<div>
<br /></div>
<div>
We can even go farther and diagnose connection behavior:</div>
<div>
Let us change the spill-over threshold to 1 for port9. In the CLI, we will go to a VLAN that has the above setup (if any) and type the following command:</div>
<div style="text-align: center;">
<span style="font-family: 'Courier New'; font-size: 16px;">diagnose netlink dstmac list</span></div>
<div>
The output is the following:</div>
<div style="text-align: center;">
<span style="font-family: 'Courier New';">dev=port9 mac=00:00:00:00:00:00 rx_tcp_mss=0 tx_tcp_mss=0 overspill-threshold=128 bytes=308 over_bps=1 sampler_rate=0</span></div>
<div>
By comparing <span style="font-family: Courier New, Courier, monospace;">overspill-threshold</span> (in bytes) and <span style="font-family: Courier New, Courier, monospace;">bytes</span> (actual usage in bytes) we can see that the connection has gone over its new threshold. Moreover, <span style="font-family: Courier New, Courier, monospace;">over_bps=1</span> indicates that the unit has detected the limit and is supposed to forward new connections to the second port. By going to <span style="font-family: Courier New, Courier, monospace;">VDOM-->Log and Report-->Traffic Log --> Forward traffic</span> we can examine the behavior, and we notice that the spill-over actually works! Yes it does! But what happened previously?</div>
<div>
Well, if we put the values back as they were and we generate lots of various traffic from various sources (plus there are some unsuspecting users using the network right now), we get the following:</div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<div style="text-align: center;">
<span style="font-family: Courier New, Courier, monospace;">dev=port9 mac=00:00:00:00:00:00 rx_tcp_mss=0 tx_tcp_mss=0 overspill-threshold=576000 bytes=132 over_bps=0 sampler_rate=0</span></div>
<div style="text-align: center;">
<span style="font-family: Courier New, Courier, monospace;">dev=port9 mac=00:00:00:00:00:00 rx_tcp_mss=0 tx_tcp_mss=0 overspill-threshold=576000 bytes=54 over_bps=0 sampler_rate=0</span></div>
<div style="text-align: center;">
<span style="font-family: Courier New, Courier, monospace;">dev=port9 mac=00:00:00:00:00:00 rx_tcp_mss=0 tx_tcp_mss=0 overspill-threshold=576000 bytes=162 over_bps=0 sampler_rate=0</span></div>
<div style="text-align: center;">
<span style="font-family: Courier New, Courier, monospace;">dev=port9 mac=00:00:00:00:00:00 rx_tcp_mss=0 tx_tcp_mss=0 overspill-threshold=576000 bytes=66 over_bps=0 sampler_rate=0</span></div>
<div>
<br /></div>
<div>
While the connection looks like this:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEit5jRsHUlDULPTH8RH1-zPi3hcLPnk6YzP7hsPKIMFFM9a9ZE6M9UO8KNMbD8IAbXZq8hsrYO-tskQRNGGa_Of6w74csKh83e3Itbbgg8bAPxI8hY9O-3cF19g7cB7INZFOAEZl-UlM08/s1600/Spillover3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEit5jRsHUlDULPTH8RH1-zPi3hcLPnk6YzP7hsPKIMFFM9a9ZE6M9UO8KNMbD8IAbXZq8hsrYO-tskQRNGGa_Of6w74csKh83e3Itbbgg8bAPxI8hY9O-3cF19g7cB7INZFOAEZl-UlM08/s1600/Spillover3.PNG" height="640" width="254" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
Despite the fact that the WAN1-port9 interface is saturated well above the spill-over limit, a short inspection of the logs shows that no spill-over occurs and all connections that had previously been forced to the second WAN are now back on WAN1. All this is due to the fact that something is wrong with the setup and/or the detection of the traffic: it simply cannot vary between 54 and 162 bytes when we see 5.2Mbit (more than 681 000 bytes) of traffic. Clearly the 15 minutes above are not enough to see any effect of load balancing, especially under lab conditions, but the unit should still indicate that the spill-over limit has been reached (<span style="font-family: 'Courier New', Courier, monospace;">over_bps=1</span> should be set for port9). </div>
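The comparison the post makes between <span style="font-family: Courier New, Courier, monospace;">overspill-threshold</span>, <span style="font-family: Courier New, Courier, monospace;">bytes</span> and <span style="font-family: Courier New, Courier, monospace;">over_bps</span> can be scripted. The following Python is an added example (not the author's or Fortinet's code): it parses the diagnose output quoted above and assumes, from the post's own figures (4500 kbit gives 576000 bytes, 1 gives 128, 5.2 Mbit gives roughly 681 000 bytes), that the threshold is stored as kbit times 128 bytes per second.

```python
# Added example, not the post's or Fortinet's code: parse the
# "diagnose netlink dstmac list" lines quoted in the post and check whether
# the unit's spillover flag agrees with its own counter and with the traffic
# actually seen on the link.
# Assumption: the threshold is stored as kbit * 128 bytes/s (1024 bits / 8),
# inferred from the post's figures (4500 kbit gives 576000, 1 gives 128,
# 5320 kbit gives ~681 000 bytes). Fortinet does not document this here.
import re
from dataclasses import dataclass

BYTES_PER_KBIT = 128  # inferred from the post's figures (assumption)

# Copied from the post: first line is the threshold=1 test, the rest are the
# run with the threshold back at 4500 kbit while the graph showed ~5.2 Mbit.
SAMPLE_OUTPUT = """\
dev=port9 mac=00:00:00:00:00:00 rx_tcp_mss=0 tx_tcp_mss=0 overspill-threshold=128 bytes=308 over_bps=1 sampler_rate=0
dev=port9 mac=00:00:00:00:00:00 rx_tcp_mss=0 tx_tcp_mss=0 overspill-threshold=576000 bytes=132 over_bps=0 sampler_rate=0
dev=port9 mac=00:00:00:00:00:00 rx_tcp_mss=0 tx_tcp_mss=0 overspill-threshold=576000 bytes=54 over_bps=0 sampler_rate=0
dev=port9 mac=00:00:00:00:00:00 rx_tcp_mss=0 tx_tcp_mss=0 overspill-threshold=576000 bytes=162 over_bps=0 sampler_rate=0
dev=port9 mac=00:00:00:00:00:00 rx_tcp_mss=0 tx_tcp_mss=0 overspill-threshold=576000 bytes=66 over_bps=0 sampler_rate=0
"""

_KV = re.compile(r"(\S+?)=(\S+)")  # key=value tokens separated by spaces


@dataclass
class DstmacEntry:
    dev: str
    threshold_bytes: int  # overspill-threshold, in bytes/s
    bytes_used: int       # the unit's own usage sample, in bytes/s
    over_bps: int         # 1 = unit believes the threshold is exceeded

    @property
    def threshold_kbit(self) -> float:
        """The threshold as it was typed into the GUI/CLI (kbit/s)."""
        return self.threshold_bytes / BYTES_PER_KBIT

    @property
    def flag_consistent(self) -> bool:
        """over_bps must be 1 exactly when bytes exceeds the threshold."""
        return bool(self.over_bps) == (self.bytes_used > self.threshold_bytes)


def parse_dstmac(output: str) -> list[DstmacEntry]:
    """Turn 'diagnose netlink dstmac list' text into entries; skip other lines."""
    entries = []
    for line in output.splitlines():
        fields = dict(_KV.findall(line))
        if "dev" not in fields or "overspill-threshold" not in fields:
            continue
        entries.append(DstmacEntry(
            dev=fields["dev"],
            threshold_bytes=int(fields["overspill-threshold"]),
            bytes_used=int(fields["bytes"]),
            over_bps=int(fields["over_bps"]),
        ))
    return entries


def kbit_to_bytes(kbit: float) -> int:
    """Scale a GUI threshold or a graphed link rate to the unit's byte counter."""
    return int(kbit * BYTES_PER_KBIT)


def audit(entries: list[DstmacEntry], observed_kbit: float) -> list[str]:
    """One status per entry, judged against the link rate read off the graph.

    'flag-mismatch':    over_bps contradicts the unit's own counter
    'counter-mismatch': graph is over the threshold but the unit's sample is
                        not and over_bps=0 (the symptom in the post)
    'ok':               the unit's view matches the observation
    """
    observed_bytes = kbit_to_bytes(observed_kbit)
    statuses = []
    for e in entries:
        if not e.flag_consistent:
            statuses.append("flag-mismatch")
        elif observed_bytes > e.threshold_bytes and not e.over_bps:
            statuses.append("counter-mismatch")
        else:
            statuses.append("ok")
    return statuses


if __name__ == "__main__":
    entries = parse_dstmac(SAMPLE_OUTPUT)
    for e, status in zip(entries, audit(entries, observed_kbit=5320)):
        print(f"{e.dev} threshold={e.threshold_kbit:.0f} kbit sample={e.bytes_used} B "
              f"over_bps={e.over_bps} -> {status}")
```

With the graph reading 5320 kbit, the threshold=1 line comes out "ok" and the four 4500 kbit lines come out "counter-mismatch", which is exactly the inconsistency the paragraph above describes.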
<div>
<br /></div>
<div>
Unfortunately, I do not have the time or energy to investigate this further. Tomorrow, my companion and I will redo the entire setup and use the new load balancing method. The idea comes from the official <a href="http://youtu.be/HRajFKAdflU" target="_blank">Fortinet YouTube channel</a>. Note however that the settings are actually elsewhere in our v5.2.1,build618 (GA) FortiOS: </div>
<div style="text-align: center;">
<span style="font-family: Courier New, Courier, monospace;">VDOM_NAME-->Network--> WAN Link Load Balancing Interface</span><span style="font-family: inherit;"> </span></div>
<div style="text-align: center;">
<span style="font-family: inherit;">or if you do not have VDOMs</span></div>
<div style="text-align: center;">
<span style="font-family: Courier New, Courier, monospace;">System-->Network--> WAN Link Load Balancing Interface</span> </div>
<div>
<br /></div>
<div>
I do not want to bother fixing the above, not because I like re-configuring everything so much, but because the new setup promises to simplify the IPv4 tables and halve the number of policies we currently have: WAN1 and WAN2 have the same policies. <i>Hopefully it will work as expected</i>. <br />
<span style="font-family: inherit;"><br /></span>
<b>UPDATE 21/10/2014:</b> So we tried for almost 7 hours to make it work and we failed. We had to revert to the method described above because the system was unstable: pings and connections were dropping for no reason known to us. I have created a ticket with Fortinet and will keep you posted. <br />
<span style="font-family: inherit;"><br /></span>
<b>UPDATE 23/12/2014:</b> The answer was easy... but the issue of <i>proper</i> load balancing was not solved. See my post: <a href="http://sashkastechnical.blogspot.com/2014/12/3-of-many-migrating-to-fortinet-52-ecmp.html" target="_blank">[3 of many] Migrating to Fortinet 5.2 - ECMP Load Balancing - Answers</a><br />
<span style="font-family: inherit;"><br /></span></div>
<h4>[1 of many] Migrating to Fortinet 5.2 - Overview</h4>
Posted 2014-10-27, updated 2014-10-30<br />
This is the first of possibly many small remarks on the migration process from Fortinet 5.0 to 5.2.<br />
<br />
The migration process went smoothly. In fact, the entire prep and upgrade took barely 15 minutes! Fortinet has multiple advisories warning of all the things that will go wrong, basically implying that the entire setup may go crazy. In our case, we have seen some duplication of rules and weird behavior, but the unit is fully functional and stable enough for a radical change like this one.<br />
<br />
For instance, we have seen most web filtering and SSH rules duplicated, one rule per user group/type.<br />
<div style="text-align: center;">
<br /></div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWBLc4hOzMySLsmMKWnxNULicaFV6BRP0CirIC7z1zlPQSU6F0xU5vSHE0-L9nxjirx6Yc9PvLo87kUS0O0tMp7prJngu_xERkGfF77zEkinLjnrBV3u5xAa4VrhMcW7Yi1Jj4B0ZU-aU/s1600/Capture.PNG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWBLc4hOzMySLsmMKWnxNULicaFV6BRP0CirIC7z1zlPQSU6F0xU5vSHE0-L9nxjirx6Yc9PvLo87kUS0O0tMp7prJngu_xERkGfF77zEkinLjnrBV3u5xAa4VrhMcW7Yi1Jj4B0ZU-aU/s1600/Capture.PNG" height="256" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>BEFORE</b></td></tr>
</tbody></table>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdTE58bhy76Cc8sXWYptxTHS8bxkidsPREJcWZS5YkA6hCEb-a03FwZXK-ze3maHYfZxvRxwk662HPwnuO1YWK8fWlOKWuQVUK_fXKIe8hbRYYMt8vGUuuIlqz0tNQ4HfjAn-KG85kWJw/s1600/Capture2.PNG" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdTE58bhy76Cc8sXWYptxTHS8bxkidsPREJcWZS5YkA6hCEb-a03FwZXK-ze3maHYfZxvRxwk662HPwnuO1YWK8fWlOKWuQVUK_fXKIe8hbRYYMt8vGUuuIlqz0tNQ4HfjAn-KG85kWJw/s1600/Capture2.PNG" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>AFTER</b></td></tr>
</tbody></table>
Similarly, some SSL rules have been duplicated but nothing that cannot be cleaned up in an hour or so.<br />
<br />
Unfortunately, some quirks are annoying.<br />
<br />
<ol>
<li>It looks like the old method we have used for load balancing two WAN connections does not work as expected anymore. The spillover does not perform as expected: the unit functions as a fail-over from WAN1 to WAN2. <b>See my <a href="http://sashkastechnical.blogspot.com/2014/10/2-of-many-migrating-to-fortinet-52-ecmp.html" target="_blank">next post</a> for more details.</b></li>
<li>The unit routinely goes from less than 10% load to 100% load. This is unusual for a machine that normally does not even break a sweat and was specifically purchased to exceed possible maximum workloads ensuring multiple years of continuous service.</li>
<li>It is possible that both issues are related. Since the rules are managed and processed in a different manner, there could be a visible advantage (for the CPU) in reducing the number of IP rules by leveraging the new method for WAN load balancing and aggregation.</li>
</ol>
<div>
<br /></div>
<div>
Reminder of the setup:</div>
<div>
<ul>
<li>Fortinet 300C</li>
<li>Two WAN connections set up in spillover format </li>
<li>Multiple VLANs on the network (guests, administration, employees, students etc.) </li>
<ul>
<li>some completely isolated with DHCP managed by Fortigate such as guests</li>
<li>some are allowed limited communication between them</li>
</ul>
<li>Fortigate is set up with two VDOMs with limited and controlled connectivity between them</li>
<li>Overall, we are talking about something like 100 IPv4 rules with specific web filtering, application control, IPS, SSL inspection and traffic shaping rules.</li>
</ul>
</div>
<h4>Debugging 0x8004005 error in SCCM 2012 R2 OSD deployment</h4>
Posted 2014-08-01, updated 2014-10-27<br />
I just hit the most common 0x8004005 error code with my TS (SCCM 2012 R2) on a Lenovo M92z; the TS otherwise runs fine on iMac, MacMini and many other systems, including Lenovo laptops.<br />
<br />
<i>Note 1: I have designed a relatively simple adapting task sequence that deploys on all makes and models in my institution.</i><br />
<br />
<i>Note 2: Unless you have a good reason to avoid it, I strongly suggest activating command prompt support. At least in my case, it is perfect for debugging and solving all sorts of issues.</i><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5zEeUvAY98peMTbYIsxpWnvYRdtDmddSpUvf-uM5GGMiJmLqx5HGrCAQA-KczWFrUr951cLSHYrEb4SPYpfw8oa8L1Ia441HJQ0VlifU_owgaqnXkp5MQjiWFs-WDMwT4v1p8Ohyphenhyphen1nik/s1600/Capture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5zEeUvAY98peMTbYIsxpWnvYRdtDmddSpUvf-uM5GGMiJmLqx5HGrCAQA-KczWFrUr951cLSHYrEb4SPYpfw8oa8L1Ia441HJQ0VlifU_owgaqnXkp5MQjiWFs-WDMwT4v1p8Ohyphenhyphen1nik/s1600/Capture.PNG" height="400" width="390" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
In my case, the error appeared right before Setup Windows. But this does not mean anything. In fact the error itself just means "An error occurred."</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
In order to resolve the issue, I have used F8 to go to command prompt as soon as the error appears on the deployed computer. </div>
<div class="separator" style="clear: both; text-align: left;">
In <span style="font-family: Courier New, Courier, monospace;">C:\_SMSTaskSequence\Logs\smsts.log</span>, you will probably find nothing useful, but you still need to check it. Open it using the following command (assuming you are in the right directory): <span style="font-family: Courier New, Courier, monospace;">notepad smsts.log</span>.</div>
<div class="separator" style="clear: both; text-align: left;">
As a second step, in <span style="font-family: Courier New, Courier, monospace;">X:\Windows\panther\setupact.log</span> we will find what we are looking for... or maybe not??? Depending on the failure, the log file may be located in the following places (check them all, even if you found a log file somewhere else!!!):</div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<ul>
<li><span style="font-family: 'Courier New', Courier, monospace;">C:\_SMSTaskSequence\Logs\smsts.log</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">X:\Windows\panther\setupact.log</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">X:\Windows\Temp\SMSTSLog\smsts.log</span></li>
</ul>
<i>Note 3: If 15 minutes have passed and the SCCM client has completely erased <span style="font-family: 'Courier New', Courier, monospace;">C:\_SMSTaskSequence</span>, look in <span style="font-family: Courier New, Courier, monospace;">C:\</span> and its sub-folders for <span style="font-family: Courier New, Courier, monospace;">setupact.log</span>.</i><br />
<div class="separator" style="clear: both; text-align: left;">
<i><br /></i></div>
<div class="separator" style="clear: both; text-align: left;">
<i>Note 4: If Windows installs but some settings do not get applied use the above mentioned <span style="font-family: Courier New, Courier, monospace;">setupact.log</span> with <span style="font-family: Courier New, Courier, monospace;">setuperr.log</span>, both in <span style="font-family: Courier New, Courier, monospace;">C:\Windows\panther\</span>, to check for errors.</i></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<h4 style="clear: both; text-align: left;">
<b>CASE 1</b></h4>
<div class="separator" style="clear: both; text-align: left;">
The error reads: <span style="font-family: Courier New, Courier, monospace;">Windows Setup could not install one or more boot-critical drivers. To install Windows, make sure that the drivers are valid, and restart the installation.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIeXBVunJbBxQP-nFoJIgjcXCATM3XR3l4hiNkKqzT2IBlecCHzym_jm5VDtOXG_plretgUvdXaMdBtcROnh2KMkh88Pk5B8Y5hyaoW5E83PsJpoI9soekmNyStWd-xfpeDLi_fkE0YEY/s1600/WP_20140801_14_25_57_Pro.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIeXBVunJbBxQP-nFoJIgjcXCATM3XR3l4hiNkKqzT2IBlecCHzym_jm5VDtOXG_plretgUvdXaMdBtcROnh2KMkh88Pk5B8Y5hyaoW5E83PsJpoI9soekmNyStWd-xfpeDLi_fkE0YEY/s1600/WP_20140801_14_25_57_Pro.jpg" height="324" width="640" /></a></div>
<div class="" style="clear: both; text-align: left;">
In this case, the error indicates that Windows failed to import a boot-critical driver. On the previous line, the log identifies the driver that was last imported: <span style="font-family: Courier New, Courier, monospace;">btmleihd.inf</span>. But what is it and how do we find it?</div>
<div class="" style="clear: both; text-align: left;">
In SCCM --> Drivers, search for a driver with criteria <span style="font-family: Courier New, Courier, monospace;">INF file</span>:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxMpnhtKHC8KctHBkyCstU67WzWyhWe9LIQaGHX8nymGLcBipIH4F5OAutfuh73GSVFeShsC-MAV_X6quyXqc2UVHZyymv0vuS7fIYYCntQOfzQ_5k7XsTTVHi1Xewpb7qFQwzX6U1DiA/s1600/Capture2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxMpnhtKHC8KctHBkyCstU67WzWyhWe9LIQaGHX8nymGLcBipIH4F5OAutfuh73GSVFeShsC-MAV_X6quyXqc2UVHZyymv0vuS7fIYYCntQOfzQ_5k7XsTTVHi1Xewpb7qFQwzX6U1DiA/s1600/Capture2.PNG" height="81" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
It is an Intel Bluetooth driver that Windows, for some reason, has considered critical and applicable to this specific system. This driver needs to be disabled or deleted or... anything you want, as long as it does not get installed on the given machine.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<h4 style="clear: both; text-align: left;">
CASE 2</h4>
<div class="separator" style="clear: both; text-align: left;">
If the error occurs <i>before</i> the task sequence starts, check the time on the computer and make sure that there is at least one TS available for that machine. It is possible that the time of the computer is set to, let's say, 2005 (faulty battery or BIOS/UEFI reset) and all TSs are available from 2014. Similarly, the computer may be classified in the wrong category and have no TS associated with it. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<h4 style="clear: both;">
CASE 3</h4>
<div class="separator" style="clear: both; text-align: left;">
It is possible that the deployment failed for another reason. For example:</div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<ul>
<li>could not set boot record</li>
<li>could not find boot partition</li>
<li>etc.</li>
</ul>
Default User Start Screen (posted 2014-07-25)<br />
I have basically followed the tutorial here (using PowerShell of course):<br />
<br />
http://www.scconfigmgr.com/2013/10/23/modify-the-windows-8-1-start-screen-during-osd-in-configmgr-2012/<br />
<br />
Steps:<br />
<br />
<ol>
<li>Deploy OS</li>
<li>Configure the Start Screen as you want on the default admin account</li>
<li>Export the configuration to a bin file from an elevated PowerShell prompt (make sure that the <span style="font-family: Courier New, Courier, monospace;">Temp</span> folder exists): <span style="font-family: Courier New, Courier, monospace;">Export-StartLayout -As Bin -Path C:\Temp\appsFolderLayout.bin</span></li>
<li>Using a package or any other deployment method of your choice, copy this bin file to the default user profile during OSD. Command line example: </li>
</ol>
<span style="font-family: Courier New, Courier, monospace;">xcopy appsFolderLayout.bin "%SystemDrive%\Users\Default\AppData\Local\Microsoft\Windows" /Q /Y</span><br />
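As an added example (not code from the original post), the same copy written as a PowerShell task sequence step with the checks a deployment engineer wants: the source file is present and not empty, the destination folder in the Default profile exists, and the copied file matches the source. The package location and file name are assumptions.

```powershell
# Added example, not from the original post. Stage an exported Start screen
# layout into the Default user profile during OSD so every new profile gets it.
# Assumes the layout was exported beforehand on the reference account with
#   Export-StartLayout -As Bin -Path C:\Temp\appsFolderLayout.bin
# and that the .bin sits next to this script in the package (an assumption).
[CmdletBinding()]
param(
    [string]$LayoutFile = (Join-Path $PSScriptRoot 'appsFolderLayout.bin')
)

$ErrorActionPreference = 'Stop'

# Same destination as the xcopy line above, with %SystemDrive% resolved at run time.
$destDir  = Join-Path $env:SystemDrive 'Users\Default\AppData\Local\Microsoft\Windows'
$destFile = Join-Path $destDir (Split-Path -Leaf $LayoutFile)

function Copy-DefaultStartLayout {
    param([string]$Source, [string]$TargetDir, [string]$Target)

    # Refuse to ship a missing or empty layout: the Start screen would silently fall back.
    if (-not (Test-Path -LiteralPath $Source) -or (Get-Item -LiteralPath $Source).Length -eq 0) {
        throw "Layout file missing or empty: $Source"
    }
    if (-not (Test-Path -LiteralPath $TargetDir)) {
        New-Item -ItemType Directory -Path $TargetDir | Out-Null
    }

    Copy-Item -LiteralPath $Source -Destination $Target -Force

    # Verify the copy rather than trusting the exit code. Get-FileHash needs
    # PowerShell 4.0+, which Windows 8.1 ships; on Windows 8 compare Length instead.
    $srcHash = (Get-FileHash -LiteralPath $Source -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $Target -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) { throw "Copy verification failed for $Target" }
    Write-Verbose "Start layout staged at $Target ($srcHash)"
    return $Target
}

Copy-DefaultStartLayout -Source $LayoutFile -TargetDir $destDir -Target $destFile
```

Run it as a "Run PowerShell Script" step after the OS is applied and before the first user logs on; a non-zero exit from the throw fails the step instead of leaving a half-configured image.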
<br />Input Localisation for different systems (posted 2014-07-19, updated 2014-07-24)<br />
As usual, Apple is different from every other brand of computer: its keyboard for French Canadian localisation differs from everyone else's. All other standard Canadian French keyboards have a layout called exactly that: Canadian French. The Apple French keyboard is Canadian Multilingual Standard. What follows is the combined documentation resulting from almost a week of reading and testing on systems to finally figure it all out.<br />
<br />
Ideally, in a French Canadian setup, or in any other setup with multiple default keyboard options, we are looking for the following:<br />
<ul>
<li>Apple:</li>
<ul>
<li>FRA-CMS (French Canadian Multilingual Standard) keyboard</li>
<li>ENG-CMS (English Canadian Multilingual Standard) keyboard</li>
</ul>
<li>any other make:</li>
<ul>
<li>FRA-CAFR (French Canadian French) keyboard</li>
<li>ENG-CMS (English Canadian Multilingual Standard) or ENG-US (English US) keyboard</li>
</ul>
</ul>
On a running system this is easily accomplished by changing the settings and deleting the extras we do not need from the following list. These administrator settings can then be copied to <i>New user profiles</i> and to the <i>System/login screen</i> settings.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLqzALDYbLaQbopyCrdML89B5upSzHOvCe-fPAk0cVVIReHP-jEinB_QzsQwkZNH6K_mnqZqxPYM_YKaOm9EEvEbeZBEEwYnRkvfprNIosnpqdVjs1YG8JbToeuYaYcyJCe5TPhosHwDI/s1600/Capture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLqzALDYbLaQbopyCrdML89B5upSzHOvCe-fPAk0cVVIReHP-jEinB_QzsQwkZNH6K_mnqZqxPYM_YKaOm9EEvEbeZBEEwYnRkvfprNIosnpqdVjs1YG8JbToeuYaYcyJCe5TPhosHwDI/s1600/Capture.PNG" height="320" width="292" /></a></div>
<br />
However, this task is harder to do during deployment, and for the moment I have not found a clean way to do it.<br />
In general, we could, as usual, use our <i>make</i> collection variable to select the input locale, but how do we apply it?<br />
<ol>
<li>Using unattend.xml</li>
<li>Using custom script</li>
<li>Direct registry edit</li>
</ol>
<h4>
Codes</h4>
Before we start, we have to figure out the code for each input locale.<br />
From Microsoft (TechNet and MSDN), we get the following two sets of information:<br />
<ul>
<li>http://technet.microsoft.com/en-us/library/hh825682.aspx</li>
<ul>
<li>English - Canada</li>
<ul>
<li>Primary --> en-CA: United States - English (1009:00000409)</li>
<li>Secondary ---> en-CA: Canadian Multilingual Standard (1009:00011009)</li>
</ul>
<li>French - Canada</li>
<ul>
<li>Primary --> fr-CA: Canadian Multilingual Standard (0c0c:00011009)</li>
<li>Secondary ---> en-CA: Canadian Multilingual Standard (1009:00011009)</li>
</ul>
</ul>
<li>http://msdn.microsoft.com/en-ca/goglobal/bb895996.aspx</li>
<ul>
<li>English_Canadian</li>
<ul>
<li>1009:00000409,</li>
<li>1009:00011009,</li>
<li>1009:00001009</li>
</ul>
<li>French_Canadian</li>
<ul>
<li>0c0c:00011009,</li>
<li>0409:00000409</li>
</ul>
</ul>
</ul>
Have you noticed something? Actually, a few things do not look right.<br />
<div>
<ol>
<li>In the French - Canada codes from TechNet there is no Canadian French keyboard. Moreover, the secondary keyboard specified is actually an English one?!</li>
<li>The MSDN article specifies two keyboards for French Canadian and three for English Canadian?</li>
</ol>
To clear up all these oddities, we have to look at how the codes are defined. A code has two components, language and keyboard layout, separated by a colon. Moreover, the combination has to be compatible: we cannot set "anything:anything" and just assume that it will work.</div>
<div>
Languages:</div>
<div>
<ul>
<li>0c0c - French (fr)</li>
<li>0409 - English (en) US</li>
<li>1009 - English (en) Canadian</li>
</ul>
<div>
Keyboard layout:<br />
<ul>
<li>00000409 - US layout</li>
<li>00011009 - Canadian Multilingual Standard layout</li>
<li>00001009 - Who knows? According to an <a href="http://www.pcreview.co.uk/forums/french-canadian-keyboard-t1602642.html">old post from 2003</a>, it looks like it is the Canadian French layout. We will confirm it in section 3.</li>
</ul>
</div>
<h4>
1. Using unattend.xml</h4>
<div>
This method has two variants: use custom collection variables directly in <span style="font-family: Courier New, Courier, monospace;">unattend.xml</span>, or use a custom script to modify the <span style="font-family: Courier New, Courier, monospace;">unattend.xml</span> settings during the TS. The first variant is covered here; the second is discussed in the next section.<br />
<br />
Unfortunately, I was not able to make custom collection variables work. Defining custom collection variables in the TS or in the appropriate collection and using them in <span style="font-family: Courier New, Courier, monospace;">unattend.xml</span> gave no results: the variables were not replaced by their respective values. As some have suggested, I removed the line in the XML referencing the WIM file: no difference. If someone wants to test this method, look at <span style="font-family: Courier New, Courier, monospace;">C:\Windows\Panther\UnattendGC\setuperr.txt</span>. If this file has no errors recorded (empty) and you still want to check what was set and how, look at <span style="font-family: Courier New, Courier, monospace;">setupact.txt</span> in the same location. Somewhere towards the middle of <span style="font-family: 'Courier New', Courier, monospace;">setupact.txt</span> you will find the following strings:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5oBVnc5Dk8k1tDtKtXmKpU25bH6rWIX3pJcSvfYx3F2FVfpS3m7SORvoiIDc429UB_IUGh_eW6-pgwhGCZQDgTRmz_hUzXu9sNafWSW_9Uy7kZXJRB5-oHL6VRK2QJWGfOQlIoa0Tb6U/s1600/Capture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5oBVnc5Dk8k1tDtKtXmKpU25bH6rWIX3pJcSvfYx3F2FVfpS3m7SORvoiIDc429UB_IUGh_eW6-pgwhGCZQDgTRmz_hUzXu9sNafWSW_9Uy7kZXJRB5-oHL6VRK2QJWGfOQlIoa0Tb6U/s1600/Capture.PNG" height="333" width="864" /></a></div>
<br /></div>
In this specific example you may notice that unattend.xml specifies two input locales, "0c0c:00001009;0409:00000409", or, according to our codes, "French - Canadian French" and "English - US". However, Setup adds four (4) input locales! It adds the same ones, in the same order, as we see in the first image of this post. That is, we get:<br />
<ul>
<li>en-CA with CMS</li>
<li>fr-CA with CAFR</li>
<li>fr-CA with CMS</li>
<li>en-US</li>
</ul>
<div>
In this specific example, it looks like the code 0c0c:00001009 triggered the installation of all three keyboards. The default keyboard was fr-CA with CAFR because this specific deployment was on a Lenovo laptop; the same deployment on an iMac with its original keyboard gives fr-CA with CMS as the default. While the keyboards seem to be selected sensibly during deployment, it is still not good enough: users will get mixed up with two different French keyboards.<br />
<br />
So let's attempt to deploy the system with no input locale specified. In the case of our Lenovo test system, we get en-CA with CMS and fr-CA with CMS. In the Apple install, we get<br />
<br /></div>
<div>
<h4>
2. Using custom script</h4>
</div>
<div>
There are two ways to use a custom script: we can use PowerShell to set the input locale, or we can use a script to write the locale into <span style="font-family: Courier New, Courier, monospace;">unattend.xml</span>. The second method is obviously out of the question (see the experiments with <span style="font-family: Courier New, Courier, monospace;">unattend.xml</span>). </div>
<div>
The script itself is simple:</div>
<div>
<span style="font-family: Courier New, Courier, monospace;">Set-WinUserLanguageList -LanguageList fr-CA,en-CA -force</span></div>
<div>
It works on Windows 8 and 8.1 but not earlier. It can be used as part of a GPO deployment or in the TS. This is how it looks in the TS:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGixzAZTXzO7u2lPNze8Uh5sZpsDwzAFHxEj0Yl0MK01Lm8l3PBqP4glaPRLD2cccR1ICr1Yd2n3GbCI6qNm5B1CKeEu6RpDeGf2T8w6FmfeN6FQoN5VayQSIHBcZrcy1HWCOZcwvORtM/s1600/Capture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGixzAZTXzO7u2lPNze8Uh5sZpsDwzAFHxEj0Yl0MK01Lm8l3PBqP4glaPRLD2cccR1ICr1Yd2n3GbCI6qNm5B1CKeEu6RpDeGf2T8w6FmfeN6FQoN5VayQSIHBcZrcy1HWCOZcwvORtM/s1600/Capture.PNG" height="291" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhszKIDykdaPyC26Kibs5cLeU2TxP6z_El-CUWwXGCxpb8vCKC4vMNfBKlsUn5l7GtCxr7n8ObwUYMh2SruZKsUCZhabMQVv9LtZAQZzxfhm6slCDuDpt2GJmjgdMZDHEhpEbnGRg3pQ9w/s1600/Capture2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhszKIDykdaPyC26Kibs5cLeU2TxP6z_El-CUWwXGCxpb8vCKC4vMNfBKlsUn5l7GtCxr7n8ObwUYMh2SruZKsUCZhabMQVv9LtZAQZzxfhm6slCDuDpt2GJmjgdMZDHEhpEbnGRg3pQ9w/s1600/Capture2.PNG" height="162" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Unfortunately, this method is not perfect either:</div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<ol>
<li><span style="font-family: Courier New, Courier, monospace;">Set-WinUserLanguageList</span> takes language tags (fr-CA, en-CA), not input-locale codes, so the layout choice is left to Windows unless the list is built with explicit input method tips.</li>
<li>It works only for the account it runs under.</li>
</ol>
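As an added example (not the post's own script), the same International module can be driven with explicit "language:layout" input method tips, so the layout is chosen by us rather than guessed by Windows. It is still per-user, which is the second problem above and is why the post moves on to the registry. The layout set at the bottom is an assumption for illustration.

```powershell
# Added example, not from the original post. Set the current user's language
# list with explicit "language:layout" input method tips, using the
# International module that ships with Windows 8/8.1. Like Set-WinUserLanguageList
# itself, this only affects the account it runs under.
Import-Module International

function Set-UserKeyboardLayouts {
    param(
        # Ordered map of BCP-47 tag to input-locale codes. The first entry becomes the default language.
        [Parameter(Mandatory)][System.Collections.Specialized.OrderedDictionary]$Layouts
    )

    # New-WinUserLanguageList fills InputMethodTips with what Windows would guess;
    # we replace that with exactly the layouts we want.
    $list = New-WinUserLanguageList -Language ([string[]]$Layouts.Keys)
    foreach ($language in $list) {
        $language.InputMethodTips.Clear()
        foreach ($tip in $Layouts[$language.LanguageTag]) {
            if ($tip -notmatch '^[0-9a-fA-F]{4}:[0-9a-fA-F]{8}$') { throw "Bad input method tip: $tip" }
            $language.InputMethodTips.Add($tip)
        }
    }
    Set-WinUserLanguageList -LanguageList $list -Force

    # Read back what Windows actually kept, so a rejected layout does not go unnoticed.
    Get-WinUserLanguageList | Select-Object LanguageTag, @{ n = 'Tips'; e = { $_.InputMethodTips -join ';' } }
}

# Assumed example for a non-Apple (Lenovo style) machine:
# fr-CA with the Canadian French layout only, then en-US.
Set-UserKeyboardLayouts -Layouts ([ordered]@{
    'fr-CA' = @('0c0c:00001009')
    'en-US' = @('0409:00000409')
})
```

Run from the TS it only touches the account the step runs as (usually the local administrator), so new user profiles and the login screen still get whatever Windows picked.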
Thus, we are back to square one: too many keyboards for no reason and no control over what gets set where. Our only option is a registry edit. Of course, the change will probably be made by a script, but it will still be a direct registry change with all the problems that can lead to.<br />
<br />
<h4>
3. Direct registry edit</h4>
<div>
Probably the best and the worst way to do it, but it looks like the only option left. It is the worst because we can break the system; the best because it looks like the only way to control exactly which keyboard is applied where.<br />
According to the blog post at <a href="http://www.powershellmagazine.com/2014/03/24/set-keyboard-layouts-available-on-logon-screen-in-windows-8-1/">http://www.powershellmagazine.com/2014/03/24/set-keyboard-layouts-available-on-logon-screen-in-windows-8-1/</a>, we can simply copy the appropriate codes to the appropriate places.<br />
Current user input locale values are located under <span style="font-family: Courier New, Courier, monospace;">HKEY_CURRENT_USER\Keyboard Layout\Preload</span><br />
Default input locale values are located under <span style="font-family: Courier New, Courier, monospace;">HKEY_USERS\.DEFAULT\Keyboard Layout\Preload</span></div>
<div>
In the registry, the input locale is supposed to be stored in hex format (the LCIDHex code, to be precise). The codes can be found in the already familiar list: <a href="http://msdn.microsoft.com/en-ca/goglobal/bb895996.aspx">http://msdn.microsoft.com/en-ca/goglobal/bb895996.aspx</a>. For example, LCIDHex code 0409 is in fact en-US, or the 0409:00000409 input locale. However, the example below will demonstrate that this is not the whole story.<br />
<br />
In the case of the Lenovo install mentioned above, we can see the following values under <span style="font-family: 'Courier New', Courier, monospace;">HKEY_CURRENT_USER\Keyboard Layout\Preload</span>:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFDeRJi9W3UKx5hh9WZySyU66I_yXdUZdyc-4RufIyMovGkCTWwuGaZZiF0oN1S6yVpMy5qU5EoZ8q2PJJN7lyPqXdc4DsJp8Ov6gKaAPsQZlOx1juHc4qARZDceIE01Hcyt3S5x_qSDM/s1600/Capture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFDeRJi9W3UKx5hh9WZySyU66I_yXdUZdyc-4RufIyMovGkCTWwuGaZZiF0oN1S6yVpMy5qU5EoZ8q2PJJN7lyPqXdc4DsJp8Ov6gKaAPsQZlOx1juHc4qARZDceIE01Hcyt3S5x_qSDM/s1600/Capture.PNG" height="145" width="400" /></a></div>
In the <span style="font-family: 'Courier New', Courier, monospace;">HKEY_CURRENT_USER\Keyboard Layout\Substitutes </span><span style="font-family: inherit;">we can also find:</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGKcTZ8y8syocUBK8tUycFFMaVei26y_MyKeU5ntBv2MiYZSTjQmb47sHegsAS9t6K0goCc0G7b8KMY1I94ATHd4lEwK-0It_OOx701aZfMu5aMCy5FgcSZory3H5qfwyoCwUYo1IwMHc/s1600/Capture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGKcTZ8y8syocUBK8tUycFFMaVei26y_MyKeU5ntBv2MiYZSTjQmb47sHegsAS9t6K0goCc0G7b8KMY1I94ATHd4lEwK-0It_OOx701aZfMu5aMCy5FgcSZory3H5qfwyoCwUYo1IwMHc/s1600/Capture.PNG" height="115" width="400" /></a></div>
<span style="font-family: inherit;">For this Lenovo, we do not need the </span>fr-CA with CMS input locale. Removing it (using the interface) leaves the following values and keyboards:<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: 'Courier New', Courier, monospace;">HKEY_CURRENT_USER\Keyboard Layout\Preload</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigGpOTF4qqkBU8v99Isb833PDQutzE3170YbY9wcLlpR7HNgTOa-RyAt1c_RP66NVRHkAou5kwwuUnCXkQuM5-jmgM3g9Qv4ea9kOggUgL5OMTSTIIJZA6IhMw_qJQMdMkTOykTXdr_Z0/s1600/Capture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigGpOTF4qqkBU8v99Isb833PDQutzE3170YbY9wcLlpR7HNgTOa-RyAt1c_RP66NVRHkAou5kwwuUnCXkQuM5-jmgM3g9Qv4ea9kOggUgL5OMTSTIIJZA6IhMw_qJQMdMkTOykTXdr_Z0/s1600/Capture.PNG" height="120" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: 'Courier New', Courier, monospace; text-align: start;">HKEY_CURRENT_USER\Keyboard Layout\Substitutes</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixObR2XbqK7JV1M9Gqj26oVuOnoVbHvtH8DZC8kVtlMFER0htcJv43Hgh3xH5KsBBVzY48VjI3_lzvXzZkjHT74zO61h3-COjR1xk6SFM9_SyBvMwzUWULyOyMDOJhVAVgnKv9DQ9dU7g/s1600/Capture2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixObR2XbqK7JV1M9Gqj26oVuOnoVbHvtH8DZC8kVtlMFER0htcJv43Hgh3xH5KsBBVzY48VjI3_lzvXzZkjHT74zO61h3-COjR1xk6SFM9_SyBvMwzUWULyOyMDOJhVAVgnKv9DQ9dU7g/s1600/Capture2.PNG" height="92" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-EReyK4st467HXAVbhgXf5kTLGqES4lJD7g0Bwgmwk-2bFP_sEhjsV7nGfSdCyJiwVEyxNwVOR6zaDtxkw_4nPIppqtyhovSFmPzBw9m2bCnEWdbGSICHpgdH3wG0YH0lMz0iddpMXrE/s1600/Capture4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-EReyK4st467HXAVbhgXf5kTLGqES4lJD7g0Bwgmwk-2bFP_sEhjsV7nGfSdCyJiwVEyxNwVOR6zaDtxkw_4nPIppqtyhovSFmPzBw9m2bCnEWdbGSICHpgdH3wG0YH0lMz0iddpMXrE/s1600/Capture4.PNG" /></a></div>
<br />
So let's continue and keep only the two keyboards we need. Let's say they are en-US and fr-CA with the CAFR keyboard:<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: 'Courier New', Courier, monospace;">HKEY_CURRENT_USER\Keyboard Layout\Preload</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj192V07bM3UN9cDGhnRkUCRxFUXAZOhkDJHp9E7sz4hFx2GJ0aq_Y9MAHRM3dFdkO0rAhadGOKa7aR6dUHeA-b60iV-RoczhmqbDPS0fPtSJfTmebPeiPDRcGZCynUJOrjvRqcKvV2mkE/s1600/Capture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj192V07bM3UN9cDGhnRkUCRxFUXAZOhkDJHp9E7sz4hFx2GJ0aq_Y9MAHRM3dFdkO0rAhadGOKa7aR6dUHeA-b60iV-RoczhmqbDPS0fPtSJfTmebPeiPDRcGZCynUJOrjvRqcKvV2mkE/s1600/Capture.PNG" height="95" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: 'Courier New', Courier, monospace;">HKEY_CURRENT_USER\Keyboard Layout\Substitutes</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3rdH2tQVull6o7ftILkQM11h046DNJmcbinPP8nk_UMUBLjVJSHXvFkc0GTqYaKjB5GOzm1LSpMyExnytveSBaZ9IHtfgMi42ShXbluMSIZTzwAS5LnMpqTq6-0MorbDF_6auXSUteB8/s1600/Capture2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3rdH2tQVull6o7ftILkQM11h046DNJmcbinPP8nk_UMUBLjVJSHXvFkc0GTqYaKjB5GOzm1LSpMyExnytveSBaZ9IHtfgMi42ShXbluMSIZTzwAS5LnMpqTq6-0MorbDF_6auXSUteB8/s1600/Capture2.PNG" height="82" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdFXMvbYn66HzuuKttFEVfmFJzezcOSWFZVhQ5GV1SHfsvBnxeynSb4nllaker1OhrJausnR0BfFh4IW_JjwN44W5_E8LCZQ0q04YpX7iV-Da4byFVLUUnm2lOIT_-GrmGTaY_3a3fTI8/s1600/Capture4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdFXMvbYn66HzuuKttFEVfmFJzezcOSWFZVhQ5GV1SHfsvBnxeynSb4nllaker1OhrJausnR0BfFh4IW_JjwN44W5_E8LCZQ0q04YpX7iV-Da4byFVLUUnm2lOIT_-GrmGTaY_3a3fTI8/s1600/Capture4.PNG" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
From the above tests, we can see that the combination of Preload and Substitutes produces the keyboards we use for all systems except the Apple make. Notice that:</div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<ul>
<li>the registry uses the same old codes (not IDs) that we have always dealt with</li>
<li>the order in Preload defines the default keyboard (first in the list)</li>
<li>a language whose chosen layout is not its default is detailed in Substitutes. For example, en-US (code 0409) uses only the US layout; hence, no entry in Substitutes. fr-CA (code 0c0c) has several layouts; therefore, Substitutes specifies the exact language-to-layout mapping: 00000c0c (French Canadian) maps to 00001009 (the Canadian French keyboard).</li>
</ul>
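As an added example (not the post's own script), the three rules above written out in PowerShell, together with the "language:layout" code format from the Codes section: input-locale codes in, Preload and Substitutes values out, written under any hive root and read back. It handles both keyboard sets from this post (the non-Apple and the Apple one) and the NTUSER.DAT of the Default profile, which has to be loaded first. The temporary hive name, the manufacturer test standing in for the <i>make</i> collection variable, and the one-layout-per-language restriction are assumptions. Run it elevated, and with -WhatIf the first time.

```powershell
# Added example, not code from the original post. It derives the Preload and
# Substitutes values described above from input-locale codes of the form
# "language:layout" and writes them under a chosen hive root.
# Assumptions: elevated PowerShell 3.0+ on Windows 8/8.1; one layout per
# language (all this post needs); the manufacturer test stands in for the
# author's "make" collection variable; HKU\DefaultProfile is a temporary name.

function ConvertTo-KeyboardLayoutKeys {
    # Order matters: the first code becomes Preload "1", i.e. the default keyboard.
    param([Parameter(Mandatory)][string[]]$InputLocale)

    $preload     = [ordered]@{}
    $substitutes = [ordered]@{}
    $slot = 1
    foreach ($code in $InputLocale) {
        if ($code -match '^(?<lang>[0-9a-fA-F]{4}):(?<layout>[0-9a-fA-F]{8})$') {
            $lang   = '0000' + $Matches.lang.ToLower()   # Preload stores the 8-digit language id
            $layout = $Matches.layout.ToLower()
        } else {
            throw "Not an input-locale code: '$code'"
        }
        if ($preload.Values -contains $lang) {
            throw "Language $lang listed twice; this script supports one layout per language"
        }
        $preload["$slot"] = $lang
        # A layout other than the language's own default needs a Substitutes entry:
        # en-US 0409:00000409 gets none, fr-CA 0c0c:00001009 gets 00000c0c maps to 00001009.
        if ($layout -ne $lang) { $substitutes[$lang] = $layout }
        $slot++
    }
    [pscustomobject]@{ Preload = $preload; Substitutes = $substitutes }
}

function Set-KeyboardLayoutKeys {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$HiveRoot,   # e.g. 'Registry::HKEY_USERS\.DEFAULT'
        [Parameter(Mandatory)]$Keys                # output of ConvertTo-KeyboardLayoutKeys
    )
    foreach ($sub in 'Preload', 'Substitutes') {
        $path = "$HiveRoot\Keyboard Layout\$sub"
        if (-not $PSCmdlet.ShouldProcess($path, 'replace all values')) { continue }
        if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }
        # Remove leftovers first: a stale "3" would quietly re-add an unwanted keyboard.
        foreach ($name in (Get-Item -LiteralPath $path).GetValueNames() | Where-Object { $_ -ne '' }) {
            Remove-ItemProperty -LiteralPath $path -Name $name
        }
        foreach ($entry in $Keys.$sub.GetEnumerator()) {
            New-ItemProperty -LiteralPath $path -Name $entry.Key -Value $entry.Value -PropertyType String | Out-Null
        }
        # Read back and compare, so a silent failure does not end up in the image.
        $written = Get-Item -LiteralPath $path
        foreach ($entry in $Keys.$sub.GetEnumerator()) {
            if ($written.GetValue($entry.Key) -ne $entry.Value) { throw "Verification failed at $path\$($entry.Key)" }
        }
    }
}

function Set-DefaultProfileKeyboardLayout {
    # The Default user profile lives in NTUSER.DAT, not under HKU, so load it first.
    param([Parameter(Mandatory)]$Keys)
    $hive = 'HKU\DefaultProfile'
    reg.exe load $hive "$env:SystemDrive\Users\Default\NTUSER.DAT" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg load failed; is another process holding NTUSER.DAT?' }
    try {
        Set-KeyboardLayoutKeys -HiveRoot 'Registry::HKEY_USERS\DefaultProfile' -Keys $Keys
    }
    finally {
        [gc]::Collect()                           # drop PowerShell's handles to the hive
        reg.exe unload $hive | Out-Null
    }
}

# Usage: choose the keyboard set by make, then apply it to .DEFAULT, the three
# service SIDs used by the login screen and the Default profile. Add -WhatIf to preview.
$sets = @{
    Other = '0c0c:00001009', '0409:00000409'   # fr-CA CAFR (default), en-US
    Apple = '0c0c:00011009', '1009:00011009'   # fr-CA CMS (default), en-CA CMS
}
$make = if ((Get-CimInstance Win32_ComputerSystem).Manufacturer -like 'Apple*') { 'Apple' } else { 'Other' }
$keys = ConvertTo-KeyboardLayoutKeys -InputLocale $sets[$make]
foreach ($sid in '.DEFAULT', 'S-1-5-18', 'S-1-5-19', 'S-1-5-20') {
    Set-KeyboardLayoutKeys -HiveRoot "Registry::HKEY_USERS\$sid" -Keys $keys
}
Set-DefaultProfileKeyboardLayout -Keys $keys
```

Preload takes the 8-digit form of the language id (00000c0c, not 0c0c), which is why the LCIDHex lookup alone was not enough; the empty Toggle key that the registry files in this section list is left alone because those files give it no values. Clearing the existing values before writing is what keeps a machine from ending up with three French keyboards again.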
<br />
<div class="separator" style="clear: both; text-align: left;">
So now we can set this under <span style="font-family: 'Courier New', Courier, monospace;">HKEY_USERS\.DEFAULT\Keyboard Layout</span><span style="font-family: inherit;"> with the following registry file (or any other script that suits you): </span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">Windows Registry Editor Version 5.00</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">[HKEY_USERS\.DEFAULT\Keyboard Layout]</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: 'Courier New', Courier, monospace;">[HKEY_USERS\.DEFAULT\Keyboard Layout\Preload]</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">"1"="00000c0c"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">"2"="00000409"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: 'Courier New', Courier, monospace;">[HKEY_USERS\.DEFAULT\Keyboard Layout\Substitutes]</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">"00000c0c"="00001009"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: 'Courier New', Courier, monospace;">[HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle]</span></div>
<div class="separator" style="clear: both;">
</div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: inherit;">Now, how can we set it on the login screen? According to the Microsoft KB article (</span><a href="http://support.microsoft.com/kb/243330">http://support.microsoft.com/kb/243330</a>), there are a few well-known security identifiers (SIDs) we can identify. We can also use a full registry search to find all related settings. In the end, we get the following additional registry keys to set:</div>
<div class="separator" style="clear: both;">
<span style="font-family: 'Courier New', Courier, monospace;">[HKEY_USERS\S-1-5-18\Keyboard Layout]</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">[HKEY_USERS\S-1-5-18\Keyboard Layout\Preload]</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">"1"="00000c0c"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">"2"="00000409"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">[HKEY_USERS\S-1-5-18\Keyboard Layout\Substitutes]</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">"00000c0c"="00001009"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">[HKEY_USERS\S-1-5-18\Keyboard Layout\Toggle]</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">[HKEY_USERS\S-1-5-19\Keyboard Layout]</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">[HKEY_USERS\S-1-5-19\Keyboard Layout\Preload]</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">"1"="00000c0c"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">"2"="00000409"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">[HKEY_USERS\S-1-5-19\Keyboard Layout\Substitutes]</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">"00000c0c"="00001009"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">[HKEY_USERS\S-1-5-19\Keyboard Layout\Toggle]</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">[HKEY_USERS\S-1-5-20\Keyboard Layout]</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">[HKEY_USERS\S-1-5-20\Keyboard Layout\Preload]</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">"1"="00000c0c"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">"2"="00000409"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">[HKEY_USERS\S-1-5-20\Keyboard Layout\Substitutes]</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">"00000c0c"="00001009"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">[HKEY_USERS\S-1-5-20\Keyboard Layout\Toggle]</span></div>
<br />
Note that S-1-5-18 is the Local System account used by the OS, S-1-5-19 is NT AUTHORITY\Local Service and S-1-5-20 is NT AUTHORITY\Network Service. Following the same strategy, we get the registry keys for Apple computers:</div>
<span style="font-family: Courier New, Courier, monospace;">Windows Registry Editor Version 5.00</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">[HKEY_USERS\.DEFAULT\Keyboard Layout]</span><br />
<span style="font-family: Courier New, Courier, monospace;">[HKEY_USERS\.DEFAULT\Keyboard Layout\Preload]</span><br />
<span style="font-family: Courier New, Courier, monospace;">"2"="00001009"</span><br />
<span style="font-family: Courier New, Courier, monospace;">"1"="00000c0c"</span><br />
<span style="font-family: Courier New, Courier, monospace;">[HKEY_USERS\.DEFAULT\Keyboard Layout\Substitutes]</span><br />
<span style="font-family: Courier New, Courier, monospace;">"00001009"="00011009"</span><br />
<span style="font-family: Courier New, Courier, monospace;">"00000c0c"="00011009"</span><br />
<span style="font-family: Courier New, Courier, monospace;">[HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle]</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">[HKEY_USERS\S-1-5-18\Keyboard Layout]</span><br />
<span style="font-family: Courier New, Courier, monospace;">[HKEY_USERS\S-1-5-18\Keyboard Layout\Preload]</span><br />
<span style="font-family: Courier New, Courier, monospace;">"2"="00001009"</span><br />
<span style="font-family: Courier New, Courier, monospace;">"1"="00000c0c"</span><br />
<span style="font-family: Courier New, Courier, monospace;">[HKEY_USERS\S-1-5-18\Keyboard Layout\Substitutes]</span><br />
<span style="font-family: Courier New, Courier, monospace;">"00001009"="00011009"</span><br />
<span style="font-family: Courier New, Courier, monospace;">"00000c0c"="00011009"</span><br />
<span style="font-family: Courier New, Courier, monospace;">[HKEY_USERS\S-1-5-18\Keyboard Layout\Toggle]</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">[HKEY_USERS\S-1-5-19\Keyboard Layout]</span><br />
<span style="font-family: Courier New, Courier, monospace;">[HKEY_USERS\S-1-5-19\Keyboard Layout\Preload]</span><br />
<span style="font-family: Courier New, Courier, monospace;">"2"="00001009"</span><br />
<span style="font-family: Courier New, Courier, monospace;">"1"="00000c0c"</span><br />
<span style="font-family: Courier New, Courier, monospace;">[HKEY_USERS\S-1-5-19\Keyboard Layout\Substitutes]</span><br />
<span style="font-family: Courier New, Courier, monospace;">"00001009"="00011009"</span><br />
<span style="font-family: Courier New, Courier, monospace;">"00000c0c"="00011009"</span><br />
<span style="font-family: Courier New, Courier, monospace;">[HKEY_USERS\S-1-5-19\Keyboard Layout\Toggle]</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">[HKEY_USERS\S-1-5-20\Keyboard Layout]</span><br />
<span style="font-family: Courier New, Courier, monospace;">[HKEY_USERS\S-1-5-20\Keyboard Layout\Preload]</span><br />
<span style="font-family: Courier New, Courier, monospace;">"2"="00001009"</span><br />
<span style="font-family: Courier New, Courier, monospace;">"1"="00000c0c"</span><br />
<span style="font-family: Courier New, Courier, monospace;">[HKEY_USERS\S-1-5-20\Keyboard Layout\Substitutes]</span><br />
<span style="font-family: Courier New, Courier, monospace;">"00001009"="00011009"</span><br />
<span style="font-family: Courier New, Courier, monospace;">"00000c0c"="00011009"</span><br />
<span style="font-family: Courier New, Courier, monospace;">[HKEY_USERS\S-1-5-20\Keyboard Layout\Toggle]</span><br />
<div>
<br /></div>
However, all this work cannot help us if we do not find a way to edit the default user profile saved in ntuser.dat. As a result, we will have to use a script. In my case, I chose to convert all of the above keys into a cmd script that edits the default user profile. At the same time, the script can make other changes (in the default profile or any other profile, for that matter): see <a href="http://stealthpuppy.com/customize-the-windows-default-profile/">http://stealthpuppy.com/customize-the-windows-default-profile/</a> and <a href="http://technet.microsoft.com/en-us/library/cc742162.aspx">http://technet.microsoft.com/en-us/library/cc742162.aspx</a>.<br />
For those who prefer a VBScript approach, look here: <a href="http://micksmix.wordpress.com/2012/01/13/update-a-registry-key-for-all-users-on-a-system/">http://micksmix.wordpress.com/2012/01/13/update-a-registry-key-for-all-users-on-a-system/</a>.<br />
For a PowerShell approach, look here: <a href="http://www.powershellmagazine.com/2014/03/24/set-keyboard-layouts-available-on-logon-screen-in-windows-8-1/">http://www.powershellmagazine.com/2014/03/24/set-keyboard-layouts-available-on-logon-screen-in-windows-8-1/</a>.<br />
<br />
It finally looks like this:<br />
<br />
<table>
<tbody>
<tr><td><div style="text-align: center;">
<b>Other</b></div>
</td> <td><div style="text-align: center;">
<b>Apple</b></div>
</td> </tr>
<tr><td><span style="font-size: x-small;">@ECHO OFF</span><br />
<span style="font-size: x-small;">REM Load the default profile hive</span><br />
<span style="font-size: x-small;">SET HKEY=HKU\Default</span><br />
<span style="font-size: x-small;">REG LOAD %HKEY% %SystemDrive%\Users\Default\NTUSER.DAT</span><br />
<span style="font-size: x-small;"><br /></span>
<span style="font-size: x-small;">REM Set keyboard locale for Default User</span><br />
<span style="font-size: x-small;">REG ADD "%HKEY%\Keyboard Layout" /f</span><br />
<span style="font-size: x-small;">REG ADD "%HKEY%\Keyboard Layout\Preload" /f</span><br />
<span style="font-size: x-small;">REG ADD "%HKEY%\Keyboard Layout\Preload" /v "1" /t REG_SZ /d "00000c0c" /f</span><br />
<span style="font-size: x-small;">REG ADD "%HKEY%\Keyboard Layout\Preload" /v "2" /t REG_SZ /d "00000409" /f</span><br />
<span style="font-size: x-small;">REG ADD "%HKEY%\Keyboard Layout\Substitutes" /f</span><br />
<span style="font-size: x-small;">REG ADD "%HKEY%\Keyboard Layout\Substitutes" /v "00000c0c" /t REG_SZ /d "00001009" /f</span><br />
<span style="font-size: x-small;"><br /></span>
<span style="font-size: x-small;">REM Set keyboard locale for .default</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\.DEFAULT\Keyboard Layout" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\.DEFAULT\Keyboard Layout\Preload" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\.DEFAULT\Keyboard Layout\Preload" /v "1" /t REG_SZ /d "00000c0c" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\.DEFAULT\Keyboard Layout\Preload" /v "2" /t REG_SZ /d "00000409" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\.DEFAULT\Keyboard Layout\Substitutes" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\.DEFAULT\Keyboard Layout\Substitutes" /v "00000c0c" /t REG_SZ /d "00001009" /f</span><br />
<span style="font-size: x-small;"><br /></span>
<span style="font-size: x-small;">REM Set keyboard locale for S-1-5-18</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-18\Keyboard Layout" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-18\Keyboard Layout\Preload" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-18\Keyboard Layout\Preload" /v "1" /t REG_SZ /d "00000c0c" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-18\Keyboard Layout\Preload" /v "2" /t REG_SZ /d "00000409" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-18\Keyboard Layout\Substitutes" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-18\Keyboard Layout\Substitutes" /v "00000c0c" /t REG_SZ /d "00001009" /f</span><br />
<span style="font-size: x-small;"><br /></span>
<span style="font-size: x-small;">REM Set keyboard locale for S-1-5-19</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-19\Keyboard Layout" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-19\Keyboard Layout\Preload" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-19\Keyboard Layout\Preload" /v "1" /t REG_SZ /d "00000c0c" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-19\Keyboard Layout\Preload" /v "2" /t REG_SZ /d "00000409" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-19\Keyboard Layout\Substitutes" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-19\Keyboard Layout\Substitutes" /v "00000c0c" /t REG_SZ /d "00001009" /f</span><br />
<span style="font-size: x-small;"><br /></span>
<span style="font-size: x-small;">REM Set keyboard locale for S-1-5-20</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-20\Keyboard Layout" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-20\Keyboard Layout\Preload" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-20\Keyboard Layout\Preload" /v "1" /t REG_SZ /d "00000c0c" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-20\Keyboard Layout\Preload" /v "2" /t REG_SZ /d "00000409" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-20\Keyboard Layout\Substitutes" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-20\Keyboard Layout\Substitutes" /v "00000c0c" /t REG_SZ /d "00001009" /f</span><br />
<span style="font-size: x-small;"><br /></span>
<span style="font-size: x-small;">REM Set keyboard locale for Current User</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_CURRENT_USER\Keyboard Layout" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_CURRENT_USER\Keyboard Layout\Preload" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_CURRENT_USER\Keyboard Layout\Preload" /v "1" /t REG_SZ /d "00000c0c" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_CURRENT_USER\Keyboard Layout\Preload" /v "2" /t REG_SZ /d "00000409" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_CURRENT_USER\Keyboard Layout\Substitutes" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_CURRENT_USER\Keyboard Layout\Substitutes" /v "00000c0c" /t REG_SZ /d "00001009" /f</span><br />
<span style="font-size: x-small;"><br /></span>
<span style="font-size: x-small;">REM Unload the default profile hive</span><br />
<span style="font-size: x-small;">REG UNLOAD %HKEY%</span></td> <td><span style="font-size: x-small;">@ECHO OFF</span><br />
<span style="font-size: x-small;">REM Load the default profile hive</span><br />
<span style="font-size: x-small;">SET HKEY=HKU\Default</span><br />
<span style="font-size: x-small;">REG LOAD %HKEY% %SystemDrive%\Users\Default\NTUSER.DAT</span><br />
<span style="font-size: x-small;"><br /></span>
<span style="font-size: x-small;">REM Set keyboard locale for Default User</span><br />
<span style="font-size: x-small;">REG ADD "%HKEY%\Keyboard Layout" /f</span><br />
<span style="font-size: x-small;">REG ADD "%HKEY%\Keyboard Layout\Preload" /f</span><br />
<span style="font-size: x-small;">REG ADD "%HKEY%\Keyboard Layout\Preload" /v "1" /t REG_SZ /d "00000c0c" /f</span><br />
<span style="font-size: x-small;">REG ADD "%HKEY%\Keyboard Layout\Preload" /v "2" /t REG_SZ /d "00001009" /f</span><br />
<span style="font-size: x-small;">REG ADD "%HKEY%\Keyboard Layout\Substitutes" /f</span><br />
<span style="font-size: x-small;">REG ADD "%HKEY%\Keyboard Layout\Substitutes" /v "00000c0c" /t REG_SZ /d "00011009" /f</span><br />
<span style="font-size: x-small;">REG ADD "%HKEY%\Keyboard Layout\Substitutes" /v "00001009" /t REG_SZ /d "00011009" /f</span><br />
<span style="font-size: x-small;"><br /></span>
<span style="font-size: x-small;">REM Set keyboard locale for .default</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\.DEFAULT\Keyboard Layout" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\.DEFAULT\Keyboard Layout\Preload" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\.DEFAULT\Keyboard Layout\Preload" /v "1" /t REG_SZ /d "00000c0c" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\.DEFAULT\Keyboard Layout\Preload" /v "2" /t REG_SZ /d "00001009" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\.DEFAULT\Keyboard Layout\Substitutes" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\.DEFAULT\Keyboard Layout\Substitutes" /v "00000c0c" /t REG_SZ /d "00011009" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\.DEFAULT\Keyboard Layout\Substitutes" /v "00001009" /t REG_SZ /d "00011009" /f</span><br />
<span style="font-size: x-small;"><br /></span>
<span style="font-size: x-small;">REM Set keyboard locale for S-1-5-18</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-18\Keyboard Layout" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-18\Keyboard Layout\Preload" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-18\Keyboard Layout\Preload" /v "1" /t REG_SZ /d "00000c0c" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-18\Keyboard Layout\Preload" /v "2" /t REG_SZ /d "00001009" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-18\Keyboard Layout\Substitutes" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-18\Keyboard Layout\Substitutes" /v "00000c0c" /t REG_SZ /d "00011009" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-18\Keyboard Layout\Substitutes" /v "00001009" /t REG_SZ /d "00011009" /f</span><br />
<span style="font-size: x-small;"><br /></span>
<span style="font-size: x-small;">REM Set keyboard locale for S-1-5-19</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-19\Keyboard Layout" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-19\Keyboard Layout\Preload" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-19\Keyboard Layout\Preload" /v "1" /t REG_SZ /d "00000c0c" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-19\Keyboard Layout\Preload" /v "2" /t REG_SZ /d "00001009" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-19\Keyboard Layout\Substitutes" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-19\Keyboard Layout\Substitutes" /v "00000c0c" /t REG_SZ /d "00011009" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-19\Keyboard Layout\Substitutes" /v "00001009" /t REG_SZ /d "00011009" /f</span><br />
<span style="font-size: x-small;"><br /></span>
<span style="font-size: x-small;">REM Set keyboard locale for S-1-5-20</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-20\Keyboard Layout" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-20\Keyboard Layout\Preload" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-20\Keyboard Layout\Preload" /v "1" /t REG_SZ /d "00000c0c" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-20\Keyboard Layout\Preload" /v "2" /t REG_SZ /d "00001009" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-20\Keyboard Layout\Substitutes" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-20\Keyboard Layout\Substitutes" /v "00000c0c" /t REG_SZ /d "00011009" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_USERS\S-1-5-20\Keyboard Layout\Substitutes" /v "00001009" /t REG_SZ /d "00011009" /f</span><br />
<span style="font-size: x-small;"><br /></span>
<span style="font-size: x-small;">REM Set keyboard locale for Current User</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_CURRENT_USER\Keyboard Layout" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_CURRENT_USER\Keyboard Layout\Preload" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_CURRENT_USER\Keyboard Layout\Preload" /v "1" /t REG_SZ /d "00000c0c" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_CURRENT_USER\Keyboard Layout\Preload" /v "2" /t REG_SZ /d "00001009" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_CURRENT_USER\Keyboard Layout\Substitutes" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_CURRENT_USER\Keyboard Layout\Substitutes" /v "00000c0c" /t REG_SZ /d "00011009" /f</span><br />
<span style="font-size: x-small;">REG ADD "HKEY_CURRENT_USER\Keyboard Layout\Substitutes" /v "00001009" /t REG_SZ /d "00011009" /f</span><br />
<span style="font-size: x-small;"><br /></span>
<span style="font-size: x-small;">REM Unload the default profile hive</span><br />
<span style="font-size: x-small;">REG UNLOAD %HKEY%</span></td> </tr>
</tbody></table>
Each script is part of a package and is configured as an application in SCCM. This gives me the ability to deploy the script to any machine at any time. Note, however, that if you deploy the script as an application, the registry changes may not be immediately visible to the active user: a log-off/log-in or a restart is usually a good idea.<br />
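The conversion step described above (exported keys turned into a CMD script that edits the loaded default-profile hive), as an added example that is not part of the original post: a small Python converter that parses a .reg fragment and emits the REG ADD lines for each target hive. The .reg fragment is constructed from the S-1-5-20 keys listed above; the HKU\Default alias and the NTUSER.DAT path are taken from the scripts on the page, while the default list of target hives is an assumption.

```python
r"""
Turn a Registry Editor (.reg) export of the Keyboard Layout keys into the REG ADD
lines of a CMD script, retargeted at a loaded hive. Added example for this page, not
the author's script. The .reg fragment is constructed from the S-1-5-20 keys listed
above; HKU\Default and the NTUSER.DAT path come from the page's scripts, and the
default target list is an assumption.
"""
import re

# Constructed sample export (the page's S-1-5-20 keys), as regedit would write it.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-20\Keyboard Layout\Preload]
"2"="00001009"
"1"="00000c0c"

[HKEY_USERS\S-1-5-20\Keyboard Layout\Substitutes]
"00001009"="00011009"
"00000c0c"="00011009"

[HKEY_USERS\S-1-5-20\Keyboard Layout\Toggle]
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"$')


def parse_reg(text):
    """Return [(key_path, [(name, data), ...]), ...] in file order. Only string
    values ("name"="data") are supported, which is all the Keyboard Layout keys use;
    anything else is rejected rather than silently dropped."""
    keys = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = (m.group('key'), [])
            keys.append(current)
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError('unsupported .reg line: %r' % raw)
        current[1].append((m.group('name'), m.group('data')))
    return keys


def retarget(key_path, src_root, dst_root):
    r"""Replace the exported root (e.g. HKEY_USERS\S-1-5-20) with the hive the
    script should write to (e.g. %HKEY%, the alias that REG LOAD mounted)."""
    if not key_path.upper().startswith(src_root.upper()):
        raise ValueError('key %s is not under %s' % (key_path, src_root))
    return dst_root + key_path[len(src_root):]


def to_reg_add(text, src_root, dst_root='%HKEY%'):
    """Emit one REG ADD per key (creating it, as the page's scripts do) followed by
    one per value; values are sorted by name so the output is deterministic."""
    lines = []
    for key_path, values in parse_reg(text):
        target = retarget(key_path, src_root, dst_root)
        lines.append('REG ADD "%s" /f' % target)
        for name, data in sorted(values):
            lines.append('REG ADD "%s" /v "%s" /t REG_SZ /d "%s" /f' % (target, name, data))
    return lines


def build_script(text, src_root,
                 targets=('%HKEY%', r'HKEY_USERS\.DEFAULT', 'HKEY_CURRENT_USER')):
    """Wrap the REG ADD lines in the REG LOAD / REG UNLOAD pair from the page.
    %HKEY% is the mounted default-profile hive; the other targets (assumed list)
    are hives that are already loaded while the script runs."""
    lines = ['@ECHO OFF', 'SET HKEY=HKU\\Default',
             'REG LOAD %HKEY% %SystemDrive%\\Users\\Default\\NTUSER.DAT']
    for dst in targets:
        lines.append('REM Keys retargeted to ' + dst)
        lines.extend(to_reg_add(text, src_root, dst))
    lines.append('REG UNLOAD %HKEY%')
    return lines


if __name__ == '__main__':
    print('\n'.join(build_script(SAMPLE_REG, r'HKEY_USERS\S-1-5-20')))
```

Because the generated script contains only what the reviewed .reg export contains, the export stays the single source of truth for what gets written into every profile. Keep the REG UNLOAD at the end: the hive stays mounted, and the Default profile unusable, if anything still holds a handle to it when the script exits.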
<br />
<div style="text-align: center;">
<b><span style="font-size: large;">TO BE CONTINUED</span></b></div>
</div>
<br />
<b>Dynamically apply drivers in SCCM 2012 R2</b> (sashkashurik, 2014-07-19)<br />
As I have mentioned before, we have Apple, Lenovo, HP and Dell brands in the domain. We will use a custom collection variable <i>make</i> to differentiate between brands and apply the appropriate drivers.<br />
<br />
In general, we have imported drivers with appropriate labels and categories to ensure that we can control deployment and future cleanup in a granular manner. However, during deployment, unless there is a compatibility issue, I prefer to use broader categories such as Apple or Lenovo instead of going into detail (e.g. Lenovo 10AF, Lenovo 10AD, Apple iMac 9.1). In any case, SCCM installs only the best-matched drivers from the categories selected in this step.<br />
<br />
In a TS it looks like this:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiC1ythbKV7sfE0V4Yi141Kl3Dm5ihvKwNoFqPgemeNq9vTegLAbbZdGvCYYNlGkX3K28DXK0VqBSQzpHV_DYcybWXVD-L03tmLw2j-dArWreYFi-KCEfcRZ33tLABK5_PKDq-V8R924SM/s1600/Capture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiC1ythbKV7sfE0V4Yi141Kl3Dm5ihvKwNoFqPgemeNq9vTegLAbbZdGvCYYNlGkX3K28DXK0VqBSQzpHV_DYcybWXVD-L03tmLw2j-dArWreYFi-KCEfcRZ33tLABK5_PKDq-V8R924SM/s1600/Capture.PNG" height="320" width="222" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The config for Apple Device drivers is the following:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2GyVcJJHmsm7y3AfPl9QQwYPtgK1Tmwv3PvwSnK1M8jEeJFZ-QD5d15DEcEHNXVSsrinJHThlYKSfLmgXwdgIVLZiu3gAFu1WXAlIOKMQOtT3nygkvgjOc-6JTUAiazhAmucHLOJJJBQ/s1600/Capture2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2GyVcJJHmsm7y3AfPl9QQwYPtgK1Tmwv3PvwSnK1M8jEeJFZ-QD5d15DEcEHNXVSsrinJHThlYKSfLmgXwdgIVLZiu3gAFu1WXAlIOKMQOtT3nygkvgjOc-6JTUAiazhAmucHLOJJJBQ/s1600/Capture2.PNG" height="400" width="331" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfy_a2SSm3MrVy3HwVESRhEt__HYfTzK5qc7tLJa2wSC9r2cNDJrQaFAxt0tvqySJlqDzRy-7Qg7HmQ6ivwRWdHNEGbQRIHzOWqFXTgWCj3lg1hVNPvuCOz3f2FUTDmxbAX6BnUewls2Q/s1600/Capture3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfy_a2SSm3MrVy3HwVESRhEt__HYfTzK5qc7tLJa2wSC9r2cNDJrQaFAxt0tvqySJlqDzRy-7Qg7HmQ6ivwRWdHNEGbQRIHzOWqFXTgWCj3lg1hVNPvuCOz3f2FUTDmxbAX6BnUewls2Q/s1600/Capture3.PNG" height="172" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
For Lenovo, HP and others, we have to choose the appropriate category and the appropriate value for the <i>make</i> variable. For Unknown System it looks like this:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyjuIzGWFlAlBqH3nvkt4KlnZ41lMA2XZ8rkkWXLSZPyzffOfc1pew179OLz5fjFGL2tzIlGtBfMkTL7zIhR0tZ9dumtKtphZ127RqH-5b_SIAMsY28zrImrC8WkqbZ1TMjyQ3KxWE5L0/s1600/Capture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyjuIzGWFlAlBqH3nvkt4KlnZ41lMA2XZ8rkkWXLSZPyzffOfc1pew179OLz5fjFGL2tzIlGtBfMkTL7zIhR0tZ9dumtKtphZ127RqH-5b_SIAMsY28zrImrC8WkqbZ1TMjyQ3KxWE5L0/s1600/Capture.PNG" height="400" width="327" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3V71swT4LYBdjAyUzJao9vDWKEliAZs3aiHhhVBDMy5fmmfDFcD6gEZQjmqqL_8Kd12GJci5a_Cc9ZH72D8D4ZutV4GWOTHOVpg-5tVLavHR1VcDdbPQB87E31_CIz46XplFX6cBmhbE/s1600/Capture2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3V71swT4LYBdjAyUzJao9vDWKEliAZs3aiHhhVBDMy5fmmfDFcD6gEZQjmqqL_8Kd12GJci5a_Cc9ZH72D8D4ZutV4GWOTHOVpg-5tVLavHR1VcDdbPQB87E31_CIz46XplFX6cBmhbE/s1600/Capture2.PNG" height="163" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
Note that in the case of an unknown system, the computer is not part of any predefined dynamic collection, so the custom variable does not exist. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<b>Dynamic partitioning of HDD in SCCM 2012 R2</b> (sashkashurik, 2014-07-19)<br />
In general, the default partitioning in an SCCM 2012 R2 TS suits most deployments, but not Apple!<br />
In fact, if we want to keep the Mac partition and dual boot with rEFIt or any other configuration, we have to find a way to format just the Windows partition and leave everything else intact.<br />
<br />
To do this, we use Apple Deploy Studio to create and format the partitions and deploy OS X. Then we format the Windows partition in the TS.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicNo2vyTNDDC-LDpsHssp6lABCjwpz96NlfmyueTPD0zSNc8RzRixUK0X5GVxS4X6GgnYWODHm1Z68irNretcG9LXNm7hykNhZjfpw5uddDMeYX1R5cSqq_Gmvz2Jwx1BaK3zNzW2COv4/s1600/Capture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicNo2vyTNDDC-LDpsHssp6lABCjwpz96NlfmyueTPD0zSNc8RzRixUK0X5GVxS4X6GgnYWODHm1Z68irNretcG9LXNm7hykNhZjfpw5uddDMeYX1R5cSqq_Gmvz2Jwx1BaK3zNzW2COv4/s1600/Capture.PNG" height="361" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5QeEgeGiq75MqXBk58tnvbEGdrvwPk2m0oHSsTSLTQ-gsOV4853AmeYWHJYHxNltYtCudnt4lnW-5IWP58gtpYeqM20FjGAvEo1CVWM-Wf4qf5P3TtVn2R7pNJe_-KFFlvm2UvLsT-p0/s1600/Capture2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5QeEgeGiq75MqXBk58tnvbEGdrvwPk2m0oHSsTSLTQ-gsOV4853AmeYWHJYHxNltYtCudnt4lnW-5IWP58gtpYeqM20FjGAvEo1CVWM-Wf4qf5P3TtVn2R7pNJe_-KFFlvm2UvLsT-p0/s1600/Capture2.PNG" height="185" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Notice that the condition has a task sequence variable <i>make equals "Apple"</i>. This variable comes from the dynamic collection Apple that I defined in a <a href="http://sashkastechnical.blogspot.com/2014/07/dynamic-oem-computer-model.html">previous post on OEM branding</a>.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The script <i>DiskPartMac.txt</i> contains:</div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">SELECT disk 0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">SELECT partition 3</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">FORMAT FS=NTFS LABEL="Win8" QUICK NOERR OVERRIDE</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">ASSIGN LETTER=C NOERR</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">ACTIVE</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">EXIT</span></div>
<div class="separator" style="clear: both; text-align: left;">
The script can be adjusted for any number of partitions. For now, it assumes one Mac OS X and one Windows partition; remember that there is always an EFI partition, so the layout is EFI + Mac + Windows, which is why the Windows volume is partition 3. Note, however, that the partitions themselves are easier to create with Deploy Studio: we were never able to make it work in the opposite direction.</div>
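The adjustment mentioned above (the same DiskPart script for a layout with a different number of partitions), as an added example that is not part of the original post: a Python generator that derives the partition number from a described layout and refuses to format the EFI or Mac partition. The layout list is constructed; disk 0, the label "Win8" and drive letter C are the values from the page's <i>DiskPartMac.txt</i>.

```python
"""
Build the DiskPart script from a described partition layout instead of hard-coding
"partition 3". Added example for this page, not the author's DiskPartMac.txt; the
layout list is constructed, and disk 0, the label "Win8" and the drive letter C are
the values from the page's script.
"""

# Constructed layout for the page's case: Deploy Studio leaves EFI + Mac OS X +
# Windows on disk 0, so the Windows volume is partition 3 (DiskPart counts from 1).
MAC_LAYOUT = ['EFI', 'MacOSX', 'Windows']

# Partitions the task sequence must never format.
PROTECTED = {'EFI', 'MacOSX'}


def format_target(layout, name='Windows'):
    """Return the 1-based DiskPart index of the partition to format, refusing layouts
    that are ambiguous (duplicate names), lack the EFI system partition in slot 1,
    or would touch a protected partition."""
    if len(set(layout)) != len(layout):
        raise ValueError('partition names must be unique: %r' % layout)
    if not layout or layout[0] != 'EFI':
        raise ValueError('expected the EFI system partition first: %r' % layout)
    if name in PROTECTED or name not in layout:
        raise ValueError('no formattable partition named %r' % name)
    return layout.index(name) + 1


def safe_to_format(layout, name='Windows'):
    """True when format_target() accepts the layout, False otherwise."""
    try:
        format_target(layout, name)
        return True
    except ValueError:
        return False


def diskpart_script(layout, disk=0, label='Win8', letter='C'):
    """Select the disk and target partition, quick-format it as NTFS, assign the
    letter and mark it active: the same sequence the page's script performs."""
    part = format_target(layout)
    return [
        'SELECT disk %d' % disk,
        'SELECT partition %d' % part,
        'FORMAT FS=NTFS LABEL="%s" QUICK NOERR OVERRIDE' % label,
        'ASSIGN LETTER=%s NOERR' % letter,
        'ACTIVE',
        'EXIT',
    ]


if __name__ == '__main__':
    print('\n'.join(diskpart_script(MAC_LAYOUT)))
```

Generating the script from the layout keeps the partition number in one reviewed place; a layout that Deploy Studio did not produce (no EFI first, a missing Windows slot) fails before anything is written to disk rather than formatting the wrong volume.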
<div class="separator" style="clear: both; text-align: left;">
Of course, we also add conditions to the default HD partitioning steps in the TS. For both the BIOS and the UEFI partitioning step, we add the condition <span style="font-family: Courier New, Courier, monospace;">make not equals "Apple"</span><span style="font-family: inherit;">. For example, the conditions for formatting in BIOS boot look like this:</span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDqvoj9FxfLvCwZpeemypypzPevqcYClNouBidYOl-kH9kPpy8lhWdEbd0PAq7ryVHQRwbytyMjOkHFKMI76TyHGfGIPwcDNAOUlvBS3RUbf9IYkMeaGUKpcKBEk9DrjvZc4E2qfDtDCo/s1600/Capture3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDqvoj9FxfLvCwZpeemypypzPevqcYClNouBidYOl-kH9kPpy8lhWdEbd0PAq7ryVHQRwbytyMjOkHFKMI76TyHGfGIPwcDNAOUlvBS3RUbf9IYkMeaGUKpcKBEk9DrjvZc4E2qfDtDCo/s1600/Capture3.PNG" height="228" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<br />
<b>Eject CD script</b> (sashkashurik, 2014-07-19)<br />
As part of our setup, we have to deploy some iMacs and Mac Minis, none of which have PXE. Moreover, we prefer a manually controlled deployment method and do not want to use a <i>required</i> deployment.<br />
<br />
My colleague has designed a CD that loads WinPE. However, the CD needs to be ejected as soon as possible. Here is the small command that does it from CMD:<br />
<span style="font-family: Courier New, Courier, monospace;">"Eject CD\eject.exe"</span><br />
<br />
It uses an <i>eject.exe</i> that is part of a small package of scripts we have created for all our TS needs. If I remember correctly, this exe can be copied from the Scripts folder of an MDT deployment share.<br />
<br />
In the TS, it looks like this:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2r_xrN7oHwXB2HhvGjyaGS5o7W6Q80R1qENNvOfS4tpUXum35fEZBaYxXJohAUgUAF1bc35utq9EP5jR9cBAQt2iF7RMXGUec3oBIwVSTyFVgHlVOCw4-haLEZU9zvIikqyzlzi-On_U/s1600/Capture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2r_xrN7oHwXB2HhvGjyaGS5o7W6Q80R1qENNvOfS4tpUXum35fEZBaYxXJohAUgUAF1bc35utq9EP5jR9cBAQt2iF7RMXGUec3oBIwVSTyFVgHlVOCw4-haLEZU9zvIikqyzlzi-On_U/s1600/Capture.PNG" height="360" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjM9SoWgvAewZImjrbvzqM8VT7ImRFW9qvICfqcmV58MZLWLvsclHp7dOKPovgwKN-nhiZK92mOuglqASs2tKjgoDrRjliceP-0nARhSBoOjpjLvx-42HfxaQlgMqmMSXdyOfROKLaf4VE/s1600/Capture2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjM9SoWgvAewZImjrbvzqM8VT7ImRFW9qvICfqcmV58MZLWLvsclHp7dOKPovgwKN-nhiZK92mOuglqASs2tKjgoDrRjliceP-0nARhSBoOjpjLvx-42HfxaQlgMqmMSXdyOfROKLaf4VE/s1600/Capture2.PNG" height="212" width="400" /></a></div>
<br />
<b>Dynamic OEM Computer Model</b> (sashkashurik, 2014-07-19)<br />
One of the nice touches of a proper, detailed TS configuration is the appropriate use of OEM information. It is sometimes useful to have the OEM model set according to the hardware specs.<br />
<br />
The script is really simple:<br />
<span style="font-family: Courier New, Courier, monospace;">REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation /V Model /T REG_SZ /D "%make% %model%" /F</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZyJIt-4O3-UlSltXGfkWHc4gmGCzaPIdcAob2SLbFQrJLQdM2PRYoWUQpWw_oGDVRdFvUYtVIZJ4MP_8E5uwkdI2SycTwmWvcZ7ojJQhc3XnEIOnvSJeCJdO0DuBhHBsvX2NPgtzwNiA/s1600/Capture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZyJIt-4O3-UlSltXGfkWHc4gmGCzaPIdcAob2SLbFQrJLQdM2PRYoWUQpWw_oGDVRdFvUYtVIZJ4MP_8E5uwkdI2SycTwmWvcZ7ojJQhc3XnEIOnvSJeCJdO0DuBhHBsvX2NPgtzwNiA/s1600/Capture.PNG" height="361" width="400" /></a></div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: inherit;">It leverages two custom variables, %make% and %model%, defined on the appropriate collections. For example, the Apple collection is created with the query</span><br />
<span style="font-family: Courier New, Courier, monospace;">select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_COMPUTER_SYSTEM.Manufacturer = "Apple Inc."</span><br />
<span style="font-family: inherit;">and has a variable make=Apple</span><br />
<br />
while the collection MacMini 5.1 uses the query<br />
<span style="font-family: Courier New, Courier, monospace;">select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_COMPUTER_SYSTEM.Model = "Macmini5,1"</span><br />
and has a variable model=MacMini 5,1 (Mid 2011)<br />
<br />
The combination of both variables (during deployment to a machine of the above-mentioned make and model) gives the final script for this model:<br />
<span style="font-family: 'Courier New', Courier, monospace;">REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation /V Model /T REG_SZ /D "</span><span style="font-family: Courier New, Courier, monospace;"><b>Apple</b> <b>MacMini 5,1 (Mid 2011)</b></span><span style="font-family: 'Courier New', Courier, monospace;">" /F</span><br />
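The way the two collection variables combine into that final line, and what happens for a machine that is in no collection (the Unknown System case noted in the drivers post above), as an added example that is not part of the original post. It is not an SCCM API: plain Python predicates stand in for the WQL collection queries, the inventory records are constructed, and the variable names and values are the page's own.

```python
"""
Simulate how the make/model collection variables combine for a machine and render
the page's OEM REG ADD line. Added example for this page, not an SCCM API: the
predicates below stand in for the WQL queries, the inventory records are constructed,
and variable names and values are the page's own.
"""

# Constructed inventory records shaped like SMS_G_System_COMPUTER_SYSTEM rows.
INVENTORY = {
    'MAC01': {'Manufacturer': 'Apple Inc.', 'Model': 'Macmini5,1'},
    'MAC02': {'Manufacturer': 'Apple Inc.', 'Model': 'iMac9,1'},
    'PC01': {'Manufacturer': 'Some OEM', 'Model': 'Unknown'},
}

# Collections as (name, membership predicate, variables), mirroring the page's
# Apple collection (make=Apple) and MacMini 5,1 collection (model=...).
COLLECTIONS = [
    ('Apple', lambda r: r['Manufacturer'] == 'Apple Inc.', {'make': 'Apple'}),
    ('MacMini 5,1', lambda r: r['Model'] == 'Macmini5,1',
     {'model': 'MacMini 5,1 (Mid 2011)'}),
]


def collection_variables(record, collections=COLLECTIONS):
    """Merge the variables of every collection the record belongs to. A variable set
    to different values by two collections is reported as a conflict instead of
    being silently overwritten, since the TS would act on whichever value wins."""
    merged, conflicts = {}, []
    for name, is_member, variables in collections:
        if not is_member(record):
            continue
        for key, value in variables.items():
            if key in merged and merged[key] != value:
                conflicts.append((key, merged[key], value, name))
            merged[key] = value
    return merged, conflicts


def oem_model_command(variables):
    """Render the page's REG ADD line, or None when make or model is missing (a
    machine in no collection, or a make without a matching model collection)."""
    if 'make' not in variables or 'model' not in variables:
        return None
    return ('REG ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OEMInformation '
            '/V Model /T REG_SZ /D "%s %s" /F' % (variables['make'], variables['model']))


if __name__ == '__main__':
    for host, record in INVENTORY.items():
        variables, conflicts = collection_variables(record)
        print(host, variables, conflicts, oem_model_command(variables))
```

Run against the constructed inventory, only MAC01 yields the full line; MAC02 belongs to the Apple collection but to no model collection, and PC01 to none, so neither gets a usable model string. Checking for that gap before the REG ADD step is cheaper than discovering a half-filled OEM string on the deployed machine.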
<br />
Of course, all this work just for OEM branding would not make sense on its own. We use make and model extensively throughout the TS: in HDD formatting, driver injection and many other places.<br />
<br />
<b>Unstable Aerohive behavior</b> (sashkashurik, 2014-07-19)<br />
Recently I had some issues with the entire hive: the APs were restarting randomly and users were unable to register. The immediate hot fix was to restart the units, but that held only for a few days or a week at most.
<br />
First, the diagnostics: the issue we had is completely silent and hidden. No error messages or other problems show up in the logs, either on the APs or in the manager. The only warning sign is frequent random restarts of APs: roughly every 3-4 days a few units restart. Eventually, users who try to authenticate are refused a connection, while those who are already authenticated remain connected.<br />
<br />
While working with Aerohive, we found out that it could be due to WIPS (wireless intrusion prevention system). It is possible that WIPS forces some sort of kernel panic, effectively inducing a unit restart. By disabling WIPS, we lengthened the interval between restarts and between authentication problems. However, the issue was not fixed completely: once a week or a bit more we had to restart everything again.<br />
<br />
The solution? We haven't found one. Luckily, a new version came out (6.1r6a). At the moment, it looks like a full upgrade has fixed the issues: no restarts or connection issues for the past week.<br />
<br />
<b>FSSO with Device based policies</b> (sashkashurik, 2013-10-17)<br />
While surfing the web, I stumbled upon a series of posts discussing FSSO implementation strategies (agent, polling mode etc.) and the ways they affect computers used by IT personnel. The most common complaint describes a situation where a particular station changes authentication groups (in FSSO) because IT admins have used it to remotely access another AD-bound device under different credentials. Simply put, working from a single station sitting behind a Fortigate unit with multiple RDP sessions active is a real pain for IT personnel. <br />
<br />
Surely, multiple solutions exist. However, I would like to share a combined approach that makes it possible to distinguish IT-personnel-only stations from user-accessible devices. At the same time, the proposed approach ensures that devices not bound to the domain but using the same corporate network can still be allowed and classified by device type.<br />
<br />
We will need:<br />
<h4>
<b>Custom defined devices</b></h4>
1) In User&Device --> Device Definition, click on Create New (at the top of the list)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRaAMMdCFFx4KSPTNbJHsP2I1iqTwFPyvaCidXyoBnePWiXTqVzGZBJSoI02pIpqzG73mIOK05OFjHsnnDHYmi8t27oCfT0yApEBLTNX1jcJ6GU9tWHYf1174SYMXgzwMNP6eT-NGvfPE/s1600/NewDevice.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRaAMMdCFFx4KSPTNbJHsP2I1iqTwFPyvaCidXyoBnePWiXTqVzGZBJSoI02pIpqzG73mIOK05OFjHsnnDHYmi8t27oCfT0yApEBLTNX1jcJ6GU9tWHYf1174SYMXgzwMNP6eT-NGvfPE/s1600/NewDevice.PNG" height="206" width="640" /></a></div>
<br />
Notice that you may add multiple MAC addresses per device, a useful feature for virtual machines that share the same type of network access.<br />
<div style="text-align: center;">
<b><span style="font-size: large;">OR</span></b>
</div>
2) Search for devices in the list of detected devices.<br />
<div class="" style="clear: both; text-align: left;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgKKT6-ij_oQvlZs7Uq2NSTb5QVup3gPatgXLqT4t7r7zUvucQAW_4m4a2w77i6OtNmd-pKIzlJuGynh9iCH4Ayp21-37i6ZcpFgAmNbH4b_nWtiFxW5r4jgqNwVXaGTAF6y6xmi06B1M/s1600/ExistingDevice.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgKKT6-ij_oQvlZs7Uq2NSTb5QVup3gPatgXLqT4t7r7zUvucQAW_4m4a2w77i6OtNmd-pKIzlJuGynh9iCH4Ayp21-37i6ZcpFgAmNbH4b_nWtiFxW5r4jgqNwVXaGTAF6y6xmi06B1M/s1600/ExistingDevice.PNG" height="326" width="640" /></a></div>
Note that device detection and classification must be enabled on the relevant interface: go to Network --> Interfaces, select the interface and enable the "Device Management" option.<br />
<h4>
Device Groups</h4>
We need to group our devices into one or more groups according to their permissions and other related information.<br />
In User --> Device --> Device Groups, click on Create New (top left corner of the list). Name the group and add the devices it should include.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNYEsu-x_l4G02rRYxDhv9bbnG4xT_ornjveY472JMSdASYzfjWL75qdJToCO76ez0XEToNyVpNLAENFLf9VR_6kxBY8tAZb98c7LLjDZo0VbSImT7t2KDkqXJ5vLXfgCxZSrjSIHB0I0/s1600/NewGroup.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNYEsu-x_l4G02rRYxDhv9bbnG4xT_ornjveY472JMSdASYzfjWL75qdJToCO76ez0XEToNyVpNLAENFLf9VR_6kxBY8tAZb98c7LLjDZo0VbSImT7t2KDkqXJ5vLXfgCxZSrjSIHB0I0/s1600/NewGroup.PNG" height="128" width="640" /></a></div>
<br />
<br />
Now, we are ready to modify the firewall policies. <i>Our goal is to make sure that the devices in the group we have created are matched before the FSSO policy, on their MAC address rather than on their FSSO-associated credentials.</i></div>
<h4>
Firewall rules</h4>
<h3>
Custom device group policy</h3>
Assume we have a set of servers (WSUS, AD domain controllers and many other network services) that must never be blocked or rate-capped. We need a new policy with the following settings:<br />
<br />
<ul>
<li><u>Policy type</u>: Firewall</li>
<li><u>Policy subtype</u>: Device Identity</li>
<li><u>Incoming Interface</u>: port on Fortigate unit used by our servers</li>
<li><u>Source address</u>: the servers' addresses, all, or whatever you usually use</li>
<li><u>Device:</u> Server, the device group we created in the previous step</li>
<li>etc.: all other settings as usual for Internet access</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMBFizD4KtglQlFW_wftPkZLyyXjjh2gdQ05lkREg0e6t8Iqaaxf_sAB9ORuIv7On_QjcInWToojRfYbUV3NmYvDGOMdy78YgrahBMoBZzSn0b9-9Fa7ST9a6yRgba8odYahwNeAl_h_w/s1600/NewPolicy.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMBFizD4KtglQlFW_wftPkZLyyXjjh2gdQ05lkREg0e6t8Iqaaxf_sAB9ORuIv7On_QjcInWToojRfYbUV3NmYvDGOMdy78YgrahBMoBZzSn0b9-9Fa7ST9a6yRgba8odYahwNeAl_h_w/s1600/NewPolicy.PNG" height="318" width="640" /></a></div>
<div>
<br /></div>
<div>
Once the configuration is complete, make sure that the policy we have created is placed in the list <i>before </i>other policies with the same combination of incoming/outgoing interfaces.</div>
<div>
<br /></div>
<div>
For example, we need to make sure that all users (and system accounts) logged on directly to our <i>servers</i> do not pass through FSSO when communicating from port 7 to port 9.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6AKq8x8I9vg5ufxJLFaLfgNieoktvtY_kw90HLcnk6cBD4ubxCCrTQrpBrQNTU7_lMctyFzPdfhDecCfV5E1rFlwNvNgpE4mDaKv5B10TtO1W6Wi4BzDd-RtVCV2UE9gS5LNrfsElxrU/s1600/PoliciesOrder.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6AKq8x8I9vg5ufxJLFaLfgNieoktvtY_kw90HLcnk6cBD4ubxCCrTQrpBrQNTU7_lMctyFzPdfhDecCfV5E1rFlwNvNgpE4mDaKv5B10TtO1W6Wi4BzDd-RtVCV2UE9gS5LNrfsElxrU/s1600/PoliciesOrder.PNG" /></a></div>
<div>
In this example, our servers policy is first, the FSSO policy is second, and the third is a generic per-device-type policy created to capture all devices that are not AD-bound or otherwise authenticated.</div>
<div>
<br /></div>
<h3>
Generic device policy</h3>
<div>
As stated earlier, this third policy is the one we actively use to create custom traffic-shaping and filtering rules for guest devices. The idea is simple: we do not want </div>
<div>
<ul>
<li>iThings to use our network to get updates,</li>
<li>any full-blown OS to use torrents (not an issue on tablets, etc.) or get updates,</li>
<li>and we will monitor botnet behaviour and restrict certain websites for some device types only,</li>
<li>etc.</li>
</ul>
<div>
In short, we want per-device rules. To make sure that all non-FSSO users fall through to the third policy, we need to enable the "Skip this policy for unauthenticated user" option in the second (FSSO) policy:</div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaK1-NUcNJDQTg8zrjKem5jNwouPucJl1ruaMVadu1rJ8evwvUlM-LJR0AD3nNxh3WJ7j1ELwYy32nW408ru6HbpazPBQ9eYmqva7OQzCEoFj5-SelAfQboKoPR6P3gDFSERr5q9byrLI/s1600/skip.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaK1-NUcNJDQTg8zrjKem5jNwouPucJl1ruaMVadu1rJ8evwvUlM-LJR0AD3nNxh3WJ7j1ELwYy32nW408ru6HbpazPBQ9eYmqva7OQzCEoFj5-SelAfQboKoPR6P3gDFSERr5q9byrLI/s1600/skip.PNG" height="360" width="400" /></a></div>
<div>
<br /></div>
<div>
Now we can add a generic device policy:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiYZtNz5UUM5jS98iVufgCzjL5foxbVuElLevo39qm4b4tW_JVvWugqFUhkGOK5504h_D8KCanR7upw7Afr85mYJcb7YYgxBYXm1-IrHgUXtS4xofLWFngw4n4q5J9jSenfkooYA4RxbM/s1600/AllDevices.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiYZtNz5UUM5jS98iVufgCzjL5foxbVuElLevo39qm4b4tW_JVvWugqFUhkGOK5504h_D8KCanR7upw7Afr85mYJcb7YYgxBYXm1-IrHgUXtS4xofLWFngw4n4q5J9jSenfkooYA4RxbM/s1600/AllDevices.PNG" height="317" width="400" /></a></div>
<h4>
Conclusion</h4>
<div>
We now have three policies:</div>
<div>
<ol>
<li>Used for our internal admin devices</li>
<li>Used for FSSO AD authenticated users</li>
<li>Used for any other device that was not captured by the first two policies</li>
</ol>
</div>
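The ordering argument above can be checked with a small first-match model of the three policies. This is an added example (not the post's or Fortinet's code), with constructed MAC addresses, IPs and AD group names; treating an unauthenticated source at an FSSO policy without the skip option as dropped is a simplifying assumption of the model.

```python
from dataclasses import dataclass

# Constructed sample data, not taken from the post: the "Server" device group
# created under User&Device --> Device Group holds the MAC addresses of one VM
# with two NICs (the multi-MAC case the post mentions).
DEVICE_GROUPS = {
    "Server": {"00:50:56:aa:bb:01", "00:50:56:aa:bb:02"},
}

# Constructed: what FSSO currently knows (source IP -> AD groups of the logged-on
# user). 192.168.20.5 is the server itself; an admin has RDP'd into it, so FSSO
# now ties that IP to IT-Admins, which is exactly the problem the post describes.
FSSO_LOGONS = {
    "192.168.10.20": {"Staff"},
    "192.168.20.5": {"IT-Admins"},
}


@dataclass(frozen=True)
class Flow:
    src_intf: str
    dst_intf: str
    src_ip: str
    src_mac: str
    device_type: str  # result of device detection on the ingress interface


@dataclass
class Policy:
    name: str
    src_intf: str
    dst_intf: str
    device_groups: frozenset = frozenset()  # Device Identity subtype, custom groups
    device_types: frozenset = frozenset()   # Device Identity subtype, detected types
    fsso_groups: frozenset = frozenset()    # User Identity subtype (FSSO)
    skip_unauthenticated: bool = False      # "Skip this policy for unauthenticated user"


def match(policy: Policy, flow: Flow) -> str:
    """Return 'match', 'skip' (try the next policy) or 'stop' (dropped here).

    Simplified model of top-down evaluation: the first policy whose interface
    pair and identity condition match is applied. An FSSO policy that sees an
    unauthenticated source stops evaluation unless the skip option is enabled.
    """
    if (policy.src_intf, policy.dst_intf) != (flow.src_intf, flow.dst_intf):
        return "skip"
    if policy.device_groups:
        members = set().union(*(DEVICE_GROUPS.get(g, set()) for g in policy.device_groups))
        return "match" if flow.src_mac.lower() in members else "skip"
    if policy.fsso_groups:
        if FSSO_LOGONS.get(flow.src_ip, set()) & policy.fsso_groups:
            return "match"
        return "skip" if policy.skip_unauthenticated else "stop"
    if policy.device_types:
        return "match" if flow.device_type in policy.device_types else "skip"
    return "match"


def evaluate(policies, flow: Flow) -> str:
    """Name of the policy that handles the flow, or 'blocked'."""
    for policy in policies:
        result = match(policy, flow)
        if result == "match":
            return policy.name
        if result == "stop":
            return "blocked"
    return "blocked"  # implicit deny at the end of the list


def post_policies(skip_unauthenticated: bool = True):
    """The three policies of the post (port7 -> port9), in the order it recommends."""
    servers = Policy("Servers", "port7", "port9", device_groups=frozenset({"Server"}))
    fsso = Policy("FSSO users", "port7", "port9",
                  fsso_groups=frozenset({"Staff", "IT-Admins"}),
                  skip_unauthenticated=skip_unauthenticated)
    generic = Policy("Generic devices", "port7", "port9",
                     device_types=frozenset({"Windows PC", "iPad", "iPhone", "Android"}))
    return [servers, fsso, generic]


# Constructed flows: the server (with the admin's RDP logon), a staff PC, a guest iPad.
SERVER = Flow("port7", "port9", "192.168.20.5", "00:50:56:AA:BB:02", "Windows PC")
STAFF_PC = Flow("port7", "port9", "192.168.10.20", "3c:07:54:11:22:33", "Windows PC")
GUEST_IPAD = Flow("port7", "port9", "192.168.10.77", "a4:d1:d2:44:55:66", "iPad")

if __name__ == "__main__":
    ordered = post_policies()
    for flow in (SERVER, STAFF_PC, GUEST_IPAD):
        print(f"{flow.src_ip:15} -> {evaluate(ordered, flow)}")
    # FSSO policy placed first: the server inherits the RDP'd admin's rights instead
    swapped = [ordered[1], ordered[0], ordered[2]]
    print("swapped order, server ->", evaluate(swapped, SERVER))
    # skip option off: unauthenticated guests never reach the generic policy
    print("no skip, iPad ->", evaluate(post_policies(False), GUEST_IPAD))
```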
<br />
<h4>
Disadvantages</h4>
This method relies on MAC address association: a malicious device that spoofs a server's MAC address is treated as that server and receives the same rights. I hope that other safeguards on your network prevent impersonation.<br />
<br />
<i>Finally, if you have more ideas or have implemented it differently, please share!</i><br />
<br />
sashkashurikhttp://www.blogger.com/profile/04594731381634427632noreply@blogger.com0tag:blogger.com,1999:blog-5485513671985093591.post-37556431901377743892013-10-13T16:37:00.000-04:002013-10-13T16:40:12.935-04:00<br />
<b>Adding OS definitions to Aerohive</b><br />
In the default config, Aerohive ships with many OS objects, but you will find that many are missing. In my install, all Blackberry devices were identified as Linux/unknown.<br />
<br />
<h3>
Fingerprints</h3>
First, we need to get the list of DHCP fingerprints:<br />
<br />
<ul>
<li><a href="http://www.fingerbank.org/">http://www.fingerbank.org/</a></li>
<li><a href="https://github.com/inverse-inc/fingerbank">https://github.com/inverse-inc/fingerbank</a> or directly from <a href="https://raw.github.com/inverse-inc/fingerbank/master/dhcp_fingerprints.conf">https://raw.github.com/inverse-inc/fingerbank/master/dhcp_fingerprints.conf</a></li>
</ul>
<div>
This file contains the fingerprint blocks we need to add to our OS object list.</div>
<div>
<br /></div>
<h3>
OS objects</h3>
<div>
OS objects can be found in <span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Configuration --> Advanced configuration --> Common objects --> OS objects</span>. The full configuration can be exported as a text file; I strongly suggest looking at how it is formatted before adding or modifying anything. Once you are familiar with the format and ready to add a new definition, use the Import function.</div>
<div>
<br /></div>
<div>
In our case, we would like to add Blackberry to the list. In the online <i>dhcp_fingerprints.conf</i>, we find the following:</div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[os 1101]</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">description=RIM BlackBerry</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">fingerprints=&lt;&lt;EOT</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">56,6,1,3,15</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">1,3,6,15</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">EOT</span></div>
</div>
<div>
<br /></div>
<div>
We rewrite it in the format Aerohive uses:</div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">OS=Blackberry</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">1,3,6,15</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">56,6,1,3,15</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">END</span></div>
</div>
<div>
<br /></div>
<div>
Now we can simply create a text file and import it into our config. Note, however, that there may be conflicts in object definitions! When searching for the Blackberry keyword in <i>dhcp_fingerprints.conf</i> you will also find the following:</div>
<div>
<span style="font-family: 'Courier New', Courier, monospace; font-size: x-small;"># 1,3,6,15 : 3 CONFLICTS with BlackBerry</span></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[os 404]</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">description=OEMed Wireless Router</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">fingerprints=&lt;&lt;EOT</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">EOT</span></div>
</div>
<div>
<br /></div>
<div>
Of course, this conflict only matters if such a device is both on the network and in our OS objects list. This could explain why Aerohive includes only the most common objects in the default config.</div>
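The conversion above, and the conflict check the post warns about, can be automated. This is an added Python example, not part of the post or of fingerbank/Aerohive; the input excerpt is constructed in the layout of dhcp_fingerprints.conf and the output follows the Aerohive block format shown above.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of fingerbank's dhcp_fingerprints.conf (not the
# real file): the two BlackBerry fingerprints, a second OS that claims "1,3,6,15"
# as well (the conflict the post runs into), and an OS with no fingerprints.
SAMPLE_CONF = """\
[os 1101]
description=RIM BlackBerry
fingerprints=<<EOT
56,6,1,3,15
1,3,6,15
EOT

[os 404]
description=OEMed Wireless Router
fingerprints=<<EOT
# 1,3,6,15 : 3 CONFLICTS with BlackBerry
1,3,6,15
EOT

[os 7]
description=Some Printer
fingerprints=<<EOT
EOT
"""

HEADER_RE = re.compile(r"^\[os\s+\d+\]$")


def normalize(fingerprint: str) -> str:
    """Validate a fingerprint (DHCP option 55 request list) and keep its option order."""
    codes = [c.strip() for c in fingerprint.split(",")]
    if not all(c.isdigit() for c in codes):
        raise ValueError(f"bad fingerprint: {fingerprint!r}")
    return ",".join(codes)


def parse_fingerbank(text: str) -> dict:
    """Return {description: [fingerprint, ...]} from dhcp_fingerprints.conf text.

    Fingerprints sit between 'fingerprints=<<EOT' and 'EOT'; '#' lines inside
    the block are comments (fingerbank uses them to mark known conflicts).
    """
    oses, current, in_block = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if HEADER_RE.match(line):
            current, in_block = None, False
        elif line.startswith("description="):
            current = line.split("=", 1)[1].strip()
            oses.setdefault(current, [])
        elif line.startswith("fingerprints=<<"):
            in_block = True
        elif in_block and line == "EOT":
            in_block = False
        elif in_block and line and not line.startswith("#") and current is not None:
            oses[current].append(normalize(line))
    return oses


def find_conflicts(oses: dict) -> dict:
    """Map each fingerprint claimed by more than one OS to the sorted OS names."""
    owners = defaultdict(set)
    for name, fingerprints in oses.items():
        for fp in fingerprints:
            owners[fp].add(name)
    return {fp: sorted(names) for fp, names in owners.items() if len(names) > 1}


def to_aerohive(name: str, fingerprints: list) -> str:
    """Render one OS object in the block format the post shows (OS=..., lines, END)."""
    return "\n".join([f"OS={name}", *fingerprints, "END"])


def export(oses: dict, wanted: dict) -> str:
    """Aerohive import text for the selected OSes.

    `wanted` maps fingerbank descriptions to the Aerohive OS names to use.
    OSes without fingerprints are skipped; a fingerprint shared by two selected
    OSes would make detection ambiguous, so the export refuses it.
    """
    selection = {d: oses[d] for d in wanted if oses.get(d)}
    conflicts = find_conflicts(selection)
    if conflicts:
        raise ValueError(f"conflicting fingerprints in selection: {conflicts}")
    return "\n".join(to_aerohive(wanted[d], fps) for d, fps in selection.items()) + "\n"


if __name__ == "__main__":
    parsed = parse_fingerbank(SAMPLE_CONF)
    print("conflicts in the whole file:", find_conflicts(parsed))
    print(export(parsed, {"RIM BlackBerry": "Blackberry", "Some Printer": "Printer"}))
```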
sashkashurikhttp://www.blogger.com/profile/04594731381634427632noreply@blogger.com0tag:blogger.com,1999:blog-5485513671985093591.post-21089736939212218632013-08-03T22:31:00.000-04:002013-08-28T21:40:41.268-04:00<br />
<b>Fortigate - widget malfunction - multiple bugs</b><br />
If you have tried to reconfigure, modify, add or move a widget and noticed that the action did not complete, with the error: <br />
<span style="font-family: Courier New, Courier, monospace;">CFG_CLI_INTERNAL_ERR</span><br />
<br />
Fortigate has confirmed that it is a bug in the UI and in the CLI. There are multiple bug reports associated with this case and it should be fixed in the next release.<br />
<br />
<u>Versions affected by these bugs:</u> v5.0 patch release 2 and carried over to 3.<br />
<u>Fix expected:</u> v5.0 patch release 4 which is still pending official release at this time<br />
<br />
<u>UPDATE from 19-08-2013:</u> For me, it is confirmed that the bug was not fixed in v5.0 patch release 4. Moreover, I see a clear slowdown in Fortigate authentication after applying the patch: the first call seems slower than before. While this patch fixes many bugs, more testing is needed.<br />
<br />
<u>UPDATE from 27-08-2013:</u> Support insists that there are two widget types, "old" and "new", the old being available only through the CLI. My experience differs: I have been able to reset all widgets to default and recreate the ones I need through the GUI. I was able to successfully create and modify both the "traffic history" and "interface history" types.<br />
I have requested additional research on the topic, but for now it looks like the support is a big disappointment. Is it just me, or does everyone feel that Fortinet support is not as good as it used to be? Often, they do not have the latest information, are not trained and have no idea how to help you...<br />
<br />
<u>UPDATE from 28-08-2013:</u> Support has totally ignored the fact that the GUI worked as expected after a reset. However, they did confirm that the widget named "traffic history" is the one that may be removed in future patches, as it is considered CPU intensive and was made available only because many customers requested it.<br />
<br />
sashkashurikhttp://www.blogger.com/profile/04594731381634427632noreply@blogger.com0tag:blogger.com,1999:blog-5485513671985093591.post-81505437484223454432013-05-28T14:08:00.001-04:002013-08-28T21:42:15.094-04:00<br />
<b>Fortigate user monitor - Fixed bug #0193766</b><br />
<b>BUG:</b> 0193766 (FSSO Auth users are not showing up in GUI).<br />
<br />
According to Fortinet support, the issue with authenticated users not showing in the User Monitor will be fixed in version 5.0.3.<br />
<br />
<b>UPDATE</b> 03-08-2013: It was kind of fixed...<br />
<ul>
<li>now we have to tick an option to see the list;</li>
<li>you can no longer deauthenticate a user, or all users (if all users are of FSSO type);</li>
<li>you cannot see the policy(ies) used by an FSSO user, but you can filter based on these policies ???</li>
</ul>
sashkashurikhttp://www.blogger.com/profile/04594731381634427632noreply@blogger.com1tag:blogger.com,1999:blog-5485513671985093591.post-91569348491727281472013-03-13T13:31:00.002-04:002013-03-14T00:07:27.104-04:00<br />
<b>Fortinet - Device Identity and Custom groups</b><br />
According to Fortinet's documents, FortiOS 5 supports policies based on device groups.<br />
The following support documents may be useful:<br />
<a href="http://docs.fortinet.com/fos50hlp/50/index.html#page/FortiOS%25205.0%2520Handbook/Devices.067.02.html#ww1835612">http://docs.fortinet.com/fos50hlp/50/index.html#page/FortiOS%25205.0%2520Handbook/Devices.067.02.html#ww1835612</a><br />
<a href="http://docs.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Handbook/policies.031.11.html">http://docs.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Handbook/policies.031.11.html</a><br />
<br />
I have already blogged about my partial solution, which makes some use of the support for device-based firewall rules. However, I have recently found that in Fortigate we can define our own permanent groups. That is, we can create a group called Servers that gathers different types of machines and is not purged or cleaned automatically.<br />
<u>Note</u>: At the moment, I do not know how long it takes, but I'm sure that the device list is automatically purged by the Fortigate unit on a regular basis.<br />
Custom device group functionality may be particularly useful in scenarios where a mix of clients and servers connect on the same port through the Fortigate unit to the Internet or to some other internal service. In this scenario, we want to make sure that our servers, VMs, etc. are properly classified and granted the access they are supposed to get, based not on the device type but on the services they provide. <br />
<br />
For example, one of my machines is a VM hosting all sorts of servers with different responsibilities (proprietary update services, print services, Windows updates, RDP, etc.). For this MAC address, I want all outgoing traffic to be allowed. Moreover, there are 4 MACs associated with this machine: I want them all grouped under the same name. All this and more can be achieved by using device groups.<br />
<br />
To set up a custom device group and gather our special devices in it, we do the following:<br />
<br />
<ul>
<li><i>User&Device --> Device --> Device Group</i>: create a new group, let us call it Server. This group will be used to create a special rule for our servers.</li>
</ul>
<br />
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjS5pHL5xG5RG9IzYwvih_Qau7WAy3xkQNxj4MnmJDQ-sLJ6UB6Fb27y6CnHwh0IsNzYljZe-9SQKc7QzkiOa8V8HHE2rQJx9oKuxCoPknkojzhiwzRy23qnLEr_9YQwc6EvQwMqwFoyLI/s1600/DeviceGroup2.JPG" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="242" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjS5pHL5xG5RG9IzYwvih_Qau7WAy3xkQNxj4MnmJDQ-sLJ6UB6Fb27y6CnHwh0IsNzYljZe-9SQKc7QzkiOa8V8HHE2rQJx9oKuxCoPknkojzhiwzRy23qnLEr_9YQwc6EvQwMqwFoyLI/s400/DeviceGroup2.JPG" width="400" /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhXoUkoEHEFT5-BUEQJ-IO6s6L1kXG451Wxb-CETM1dcdqx2aKElzJrgMcepk9w76XMlBeMC0r7hRx2ce7Xr35_86pt_4NY7Zvnt-rzBNa_DufkC8o0z_TW-lfXthVu0iOUvn5BmoPkNA/s1600/DeviceGroup1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhXoUkoEHEFT5-BUEQJ-IO6s6L1kXG451Wxb-CETM1dcdqx2aKElzJrgMcepk9w76XMlBeMC0r7hRx2ce7Xr35_86pt_4NY7Zvnt-rzBNa_DufkC8o0z_TW-lfXthVu0iOUvn5BmoPkNA/s400/DeviceGroup1.JPG" width="173" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9xYL9GotEEUvBdpUtN454FXWElKRznSdZe985DUQvIMaNaRi8RqxcVhVFSjWNSEl0Dp3Cyq7aHYCtIp8pBreCj_YhnTFYu9LqdAJIQnfOGWO0KO-U6d8VEV2_RpaZZ4AXelympxPp23U/s1600/DeviceGroup3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="163" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9xYL9GotEEUvBdpUtN454FXWElKRznSdZe985DUQvIMaNaRi8RqxcVhVFSjWNSEl0Dp3Cyq7aHYCtIp8pBreCj_YhnTFYu9LqdAJIQnfOGWO0KO-U6d8VEV2_RpaZZ4AXelympxPp23U/s640/DeviceGroup3.JPG" width="640" /></a></div>
<div>
<br /></div>
<br />
<ul>
<li><i>User&Device --> Device --> Device Definition</i>: assuming that your server has already tried to access the Internet (for updates or otherwise), it will be in the list. Find it and modify the entry by assigning it to the custom group. You can also use the same interface to associate multiple MACs belonging to the same machine.</li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: center;">
<i><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiax04P8YqsnGhJei3C4dYzG2mVGfFYsidY8e5sgIHVitZKZK6P4IAbzidUlPG9pXImW2WEg1Xj1L1H3poNtFNL55s2Q4uDfTZvEuM5fS05_Bad3aqerWCCFI_3QNintw0lq4mhUcHrT_o/s1600/DeviceDefinition1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiax04P8YqsnGhJei3C4dYzG2mVGfFYsidY8e5sgIHVitZKZK6P4IAbzidUlPG9pXImW2WEg1Xj1L1H3poNtFNL55s2Q4uDfTZvEuM5fS05_Bad3aqerWCCFI_3QNintw0lq4mhUcHrT_o/s320/DeviceDefinition1.JPG" width="145" /></a></i></div>
<div class="separator" style="clear: both; text-align: center;">
<i><br /></i></div>
<i>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTULZZJpq1eVJIDWAEMvOwwF8iM9ARS2rsL5yJL8MQ44Uf8rqdZMl3_USxo2AZgS2sgp-uiqaw5q1onFH5krEMIbTw-udXmmfkyP6usp7vPz4qV4L1ZzFxHsqVRX-O6_090m-x_LXNT6Q/s1600/DeviceDefinition2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="145" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTULZZJpq1eVJIDWAEMvOwwF8iM9ARS2rsL5yJL8MQ44Uf8rqdZMl3_USxo2AZgS2sgp-uiqaw5q1onFH5krEMIbTw-udXmmfkyP6usp7vPz4qV4L1ZzFxHsqVRX-O6_090m-x_LXNT6Q/s640/DeviceDefinition2.JPG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7sGDcMke67U6qKGrSYVdewYbQ27r1B-Uac7ou0HAE2uTxDRxPq2P6qflBua-edW49NLE6bbq2XcsvoZ1KgZfEYg5bsApvw1-broRKhlLn4j71V2TVU__WSsTddlS0qk9UqSUyir8vesM/s1600/DeviceDefinition3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="312" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7sGDcMke67U6qKGrSYVdewYbQ27r1B-Uac7ou0HAE2uTxDRxPq2P6qflBua-edW49NLE6bbq2XcsvoZ1KgZfEYg5bsApvw1-broRKhlLn4j71V2TVU__WSsTddlS0qk9UqSUyir8vesM/s640/DeviceDefinition3.JPG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div>
<br /></div>
<ul>
<li>In the firewall rules you can now use this group and assign special rules to it.</li>
</ul>
</i><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDfc1RKYeQKSg43Q7akhJTiNc60bg1O6aoHodTocSHMyJJ5UBKBiQtr1HXzTq0L4hjTvo6LYt6vs4a27C8Ii6BF-nERUP5xwb85acfx8DG8dlOFHF5QSR_3noPUiZIZ78Uq4M5Z5zAR64/s1600/Firewall.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDfc1RKYeQKSg43Q7akhJTiNc60bg1O6aoHodTocSHMyJJ5UBKBiQtr1HXzTq0L4hjTvo6LYt6vs4a27C8Ii6BF-nERUP5xwb85acfx8DG8dlOFHF5QSR_3noPUiZIZ78Uq4M5Z5zAR64/s640/Firewall.JPG" width="640" /></a></div>
<br />
sashkashurikhttp://www.blogger.com/profile/04594731381634427632noreply@blogger.com0tag:blogger.com,1999:blog-5485513671985093591.post-33163584563091462482013-03-04T14:38:00.000-05:002013-03-13T13:39:48.389-04:00<br />
<b>Fortinet - client-less FSSO for AD</b><br />
Following a relatively detailed reply from the Fortinet support team, it looks like client-less FSSO needs the following:<br />
<br />
<ul>
<li>AD credentials - to configure LDAP, a username/password pair with the ability to read from LDAP is needed (a normal user should do). With Windows Server 2003 there may be some anomalies with limited user accounts.</li>
<li>LDAP - should be configured for each DC; the same credentials will be used to do the polling.</li>
<li>Polling - by default polling occurs every 10 seconds, but the interval can be configured from 1 to 30 seconds. Also, ports 8000 and 445 need to be open.</li>
</ul>
<div>
According to support, the behaviour is a bit different from the classic config. Assume the interval is 10 s and a user logs in just after a poll has occurred: if the system or the user tries to access the Internet in the next 9 seconds, the IP will be classified as guest. Once the next poll has run, the IP will be reclassified according to the logon events on the DC.</div>
<div>
<br /></div>
<div>
Fortinet considers the client-less method better for 1-3 DCs, but still thinks that a collector agent is the best choice for a config with more than 3 DCs.</div>
sashkashurikhttp://www.blogger.com/profile/04594731381634427632noreply@blogger.com2tag:blogger.com,1999:blog-5485513671985093591.post-53905783791598770422013-03-02T22:52:00.001-05:002013-03-04T14:18:08.293-05:00<br />
<b>Firewall Guru: Enhanced Single Sign-On to Windows AD in FortiOS 5...</b><br />
Sebastian reports that:<br />
<a href="http://firewallguru.blogspot.com/2013/02/enhanced-single-sign-on-to-windows-ad.html?spref=bl">Firewall Guru: Enhanced Single Sign-On to Windows AD in FortiOS 5...</a>: FortiOS 5.0 brings with it an enhancement to how single sign-on can be performed in a Microsoft Active Directory environment. In prior ver...<br />
<br />
While I have seen the same info in the official guide, I'm not sure that this works properly. I will check with the Fortinet support team how this differs from the collector agent.<br />
<br />
<b>UPDATE:</b> I got a reply from Fortigate; see my next post in the blog.<br />
<br />
sashkashurikhttp://www.blogger.com/profile/04594731381634427632noreply@blogger.com0tag:blogger.com,1999:blog-5485513671985093591.post-51726755628664606702013-03-02T19:45:00.000-05:002013-03-02T20:21:52.478-05:00<br />
<b>3. Partial solution</b><br />
Given the setup and limitations discussed previously, we decided to use a neat feature available in Aerohive and separate the traffic at the entry point.<br />
<br />
<h4>
Aerohive setup</h4>
<br />
In Aerohive, we configured one VLAN per user profile that we want to reroute. To do this, set a VLAN on each user profile connecting to our wireless under Configuration --> Policy Configuration --> User Profiles.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPAbyshnQ836PZic_XRd7GRbCD0SoovC4vRpI-d79poyiyIIUPQXbSF849aAvqUYT-cutdPWvl6fgAc455NJzPwPWxNrw_roNvzw0JnVRbmjWzFUvrerOVpX6RjqSQd0Gdglov3G3gwU8/s1600/ahVlan.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPAbyshnQ836PZic_XRd7GRbCD0SoovC4vRpI-d79poyiyIIUPQXbSF849aAvqUYT-cutdPWvl6fgAc455NJzPwPWxNrw_roNvzw0JnVRbmjWzFUvrerOVpX6RjqSQd0Gdglov3G3gwU8/s1600/ahVlan.JPG" /></a></div>
<br />
Once the VLAN is assigned in Aerohive, it needs to be properly forwarded through all the switches, all the way up to the Fortigate unit. All traffic from this VLAN arrives on the Fortigate on a port separate from internal traffic, effectively isolating these users from the rest of the network.<br />
<br />
This means that the Fortigate should be responsible for DHCP and DNS. But before we get there, we need to make sure that the Aerohive firewall allows this connection.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRJwtmyp9a4wM6LobDCloTecM23zP2rdcAMPoTOkLxlYJDT1dxjYpC4Vleog78-qvVOj_tQ87FSt86cod9IJN88jB27iwxCBBpxGMWdjG0gqMIg8fIfqaPprTx1ZpmXcDunmYXH7hAJZI/s1600/ahUserFwal.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRJwtmyp9a4wM6LobDCloTecM23zP2rdcAMPoTOkLxlYJDT1dxjYpC4Vleog78-qvVOj_tQ87FSt86cod9IJN88jB27iwxCBBpxGMWdjG0gqMIg8fIfqaPprTx1ZpmXcDunmYXH7hAJZI/s1600/ahUserFwal.JPG" /></a></div>
<br />
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFMv8bAwxCT1HS2BD2c4fdz24D1Z7jUB3kq0Te_GNQNr7rXZKGvkcsoEtHPOCCBjOk4I8OCV4oGHQTWXAHYJKxfBszcUjgwvzL0yID0hbOUsBpTCmZrceHGFAWX536hEbkyFrtlbHk1HA/s1600/ahFwalDet.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFMv8bAwxCT1HS2BD2c4fdz24D1Z7jUB3kq0Te_GNQNr7rXZKGvkcsoEtHPOCCBjOk4I8OCV4oGHQTWXAHYJKxfBszcUjgwvzL0yID0hbOUsBpTCmZrceHGFAWX536hEbkyFrtlbHk1HA/s640/ahFwalDet.JPG" width="640" /></a></div>
In Aerohive we need to allow access to our DNS/DHCP - <i>GatewayGuest</i> (the same as the Fortigate IP on this VLAN; see the settings below). We may also need to allow access to some of our internal websites - <i>DMZ</i>. We need to make sure that guest devices cannot communicate with each other (hack each other, etc.), so we block all other internal IP access - <i>192.168.0.0/255.255.0.0 - Block</i>. Finally, we allow all other communication (last line in the picture above). Since the rules are processed from top to bottom, this scenario works as intended.<br />
<br />
<h4>
Fortigate setup</h4>
</div>
<div>
<br /></div>
<div>
As mentioned earlier, the traffic from this special VLAN arrives directly at the Fortigate unit and is completely isolated from the rest of the network. We will therefore use built-in Fortigate features to give these users access to DHCP/DNS and maybe to our DMZ.</div>
<div>
<br /></div>
<h3>
Port set-up</h3>
<div>
First, let's look at the port setup. Go to Network --> Interface --> PortXX (where XX is the number of the port that will receive all the traffic).</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6M_74M0DWCp6yFd9_hVcNr9UZCix_p2GLrBb99UBwl7vfDMFPrJmGx5oEQE-aEHxRs9aesCk3Jwr9V11onb5Bn6hXR6TGELfc_3BqZMKm7WK72P1M2J9tW_c84baQg3PI5eXYDFiW51o/s1600/fgPort.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="590" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6M_74M0DWCp6yFd9_hVcNr9UZCix_p2GLrBb99UBwl7vfDMFPrJmGx5oEQE-aEHxRs9aesCk3Jwr9V11onb5Bn6hXR6TGELfc_3BqZMKm7WK72P1M2J9tW_c84baQg3PI5eXYDFiW51o/s640/fgPort.JPG" width="640" /></a></div>
<div>
</div>
<div>
As we can see in the picture above, we need to set up: </div>
<div>
<ul>
<li>the name of the port - <i>PORT_NAME</i>,</li>
<li>a <i>virtual domain</i> that this port will belong to, if any,</li>
<li><i>addressing mode</i> should be manual (default): because our unit will be serving DHCP, it cannot get an IP from someone else,
<ul>
<li>IP/Mask should be in the same subnet as the DHCP range and is the same as the <i>GatewayGuest</i> set in Aerohive,</li>
</ul>
</li>
<li>the only <i>Admin Access</i> we allow is ping, but for hardened security even this can be deactivated,</li>
<li>DHCP server - enable:
<ul>
<li>set the range and the mask for the IPs that can be assigned to clients,</li>
<li>Default Gateway - same as the interface, unless you have a specific reason to set it to something else,</li>
<li>DNS Server - specify the same address as the IP set in <i>Addressing mode</i>; this forwards all DNS requests through the Fortigate and lets us redirect internal traffic directly to the DMZ,</li>
</ul>
</li>
<li>enable device detection in Device Management - this will help us set policies per device type.</li>
</ul>
<div>
Now we need to configure the appropriate firewall rules and DNS.</div>
</div>
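The Aerohive rule order and the port/DHCP/DNS checklist above can be verified together with a small script. This is an added example (not the post's or either vendor's code); the guest subnet, DMZ range and GatewayGuest address are constructed values standing in for the post's screenshots.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed addressing (the post's screenshots are not reproduced here): the guest
# VLAN is 192.168.50.0/24 with the FortiGate port as GatewayGuest, the DMZ is
# 192.168.60.0/24, and the rest of the site lives somewhere in 192.168.0.0/16.
GATEWAY_GUEST = "192.168.50.1"
DMZ = "192.168.60.0/24"

# The Aerohive user-profile firewall from the post, top to bottom: (destination, action).
AEROHIVE_GUEST_RULES = [
    (GATEWAY_GUEST, "permit"),             # DHCP/DNS served by the FortiGate port
    (DMZ, "permit"),                        # internal web sites guests may use
    ("192.168.0.0/255.255.0.0", "deny"),    # all other internal addresses, other guests included
    ("any", "permit"),                      # everything else (the internet)
]


def first_match(rules, dst: str) -> str:
    """Action of the first rule whose destination covers dst; deny if none matches."""
    addr = ip_address(dst)
    for dest, action in rules:
        if dest == "any" or addr in ip_network(dest, strict=False):
            return action
    return "deny"


def guest_isolation_holds(rules) -> bool:
    """Check the properties the post wants from the guest rule set."""
    return (first_match(rules, GATEWAY_GUEST) == "permit"        # DHCP/DNS reachable
            and first_match(rules, "192.168.60.10") == "permit"  # DMZ reachable
            and first_match(rules, "192.168.50.23") == "deny"    # another guest: blocked
            and first_match(rules, "192.168.1.10") == "deny"     # internal LAN: blocked
            and first_match(rules, "203.0.113.5") == "permit")   # internet reachable


def check_guest_port(port_ip_mask, dhcp_range, dhcp_gateway, dhcp_dns, aerohive_gateway):
    """Problems with the FortiGate port/DHCP settings against the post's checklist.

    An empty list means every item matches: the DHCP range sits inside the port's
    subnet and excludes the port IP, the DHCP gateway and DNS server are the port
    IP (so DNS is answered by the FortiGate), and Aerohive's GatewayGuest is that IP.
    """
    port = ip_interface(port_ip_mask)
    low, high = (ip_address(a) for a in dhcp_range)
    problems = []
    if low not in port.network or high not in port.network:
        problems.append("DHCP range is outside the port's subnet")
    elif low <= port.ip <= high:
        problems.append("DHCP range includes the port's own IP")
    if ip_address(dhcp_gateway) != port.ip:
        problems.append("DHCP default gateway is not the port IP")
    if ip_address(dhcp_dns) != port.ip:
        problems.append("DHCP DNS server is not the port IP")
    if ip_address(aerohive_gateway) != port.ip:
        problems.append("Aerohive GatewayGuest does not match the port IP")
    return problems


if __name__ == "__main__":
    print("post's order isolates guests:", guest_isolation_holds(AEROHIVE_GUEST_RULES))
    # Same rules with the /16 block moved to the top: DHCP/DNS to the gateway is lost.
    block_first = [AEROHIVE_GUEST_RULES[2]] + AEROHIVE_GUEST_RULES[:2] + AEROHIVE_GUEST_RULES[3:]
    print("block rule first, gateway ->", first_match(block_first, GATEWAY_GUEST))
    print("port checklist problems:", check_guest_port(
        "192.168.50.1/24", ("192.168.50.10", "192.168.50.200"),
        "192.168.50.1", "192.168.50.1", GATEWAY_GUEST))
```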
<div>
<br /></div>
<h3>
DNS</h3>
<div>
If the port configured above was assigned to a VDOM, then inside that VDOM look for System --> Network --> DNS Server.<br />
First configure a DNS Database:<br />
<br />
Back on the DNS configuration page (System --> Network --> DNS Server), under <i>DNS Service on Interface</i> create a new DNS service of type <i>Recursive</i>. The Recursive option may not be available if you have not set up a <i>DNS Database</i>; in that case the only available option is <i>Forward to System DNS</i>.<br />
<br />
<h3>
Firewall</h3>
<br />
Now we need to configure our firewall rules. We will need to create at least two rules:<br />
<br />
<ol>
<li>A rule forwarding traffic from the port we set up above to the port connected to the WLAN.</li>
<li>If required, a rule forwarding traffic to the DMZ.</li>
</ol>
<div>
The first rule, from our port to the WLAN, should be set up according to your internal config, but the following image may help.</div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgY4Fy8ka0gNktasZrnS0t02GDEiFOIX9WLCiHvIapR9akJ1kyWS6_xebHSnliGXclf1X9w3JsF4e0yeDbXupNPD-TkjP72e6xAOR-hODoOxpGxzuTSCalV00EMhqy-R89KVdCq0Z9k_y4/s1600/fgFWallRules.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="364" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgY4Fy8ka0gNktasZrnS0t02GDEiFOIX9WLCiHvIapR9akJ1kyWS6_xebHSnliGXclf1X9w3JsF4e0yeDbXupNPD-TkjP72e6xAOR-hODoOxpGxzuTSCalV00EMhqy-R89KVdCq0Z9k_y4/s640/fgFWallRules.JPG" width="640" /></a></div>
<div>
Since at this moment we know for sure that traffic coming through this rule is not identifiable, and may never be, we can at least work with device types and provide some granular security. At the moment Fortinet offers the following categories:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV7cOvXVzBhgpGg0anW3QCB2rvY5lGIKkJ6NpQSOcSWpJPBFO18K64NRp3wLimL4rusaPohTCjQt_7jXt5Q6g21I21nRlta0T3Hh2SXSRPrdCrh26F-yX7CJHa8qYqTJumw5Fiz-DC-nQ/s1600/fgDevices.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV7cOvXVzBhgpGg0anW3QCB2rvY5lGIKkJ6NpQSOcSWpJPBFO18K64NRp3wLimL4rusaPohTCjQt_7jXt5Q6g21I21nRlta0T3Hh2SXSRPrdCrh26F-yX7CJHa8qYqTJumw5Fiz-DC-nQ/s1600/fgDevices.jpg" /></a></div>
<div>
</div>
<div>
Similarly, if we decide to set up WebQuota categories for some or all devices, it will work per device IP address. While it is not the same as having a per-user-name quota, it is better than having none at all.<br />
<br />
<i>Final thoughts:</i> I may be adding more details to the DNS setup but, for now, I hope that everyone struggling like me will have enough information to get the config described above set up on their devices.</div>
sashkashurikhttp://www.blogger.com/profile/04594731381634427632noreply@blogger.com0<br />
tag:blogger.com,1999:blog-5485513671985093591.post-17948538504603824772013-01-17T15:23:00.001-05:002013-05-28T14:05:16.355-04:00<br />
<b>2.2 Networking series - Fortigate RSSO</b><br />
Fortigate RSSO currently looks like a half-baked system that was tailored for a specific use case. It does not look like a new feature that was designed from the ground up with users in mind.<br />
<br />
To configure RSSO agent look here: <a href="http://docs.forticare.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/RADIUS-SSO.063.05.html">http://docs.forticare.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/RADIUS-SSO.063.05.html</a><br />
<br />
To configure RSSO groups look here: <a href="http://docs.forticare.com/fos50hlp/50/index.html#page/FortiOS%25205.0%2520Help/RADIUS-SSO.063.08.html#ww1368148">http://docs.forticare.com/fos50hlp/50/index.html#page/FortiOS%25205.0%2520Help/RADIUS-SSO.063.08.html#ww1368148</a><br />
<br />
An example of use: <a href="http://docs.forticare.com/fos50hlp/50/index.html#page/FortiOS%25205.0%2520Help/RADIUS-SSO.063.10.html#ww1369337">http://docs.forticare.com/fos50hlp/50/index.html#page/FortiOS%25205.0%2520Help/RADIUS-SSO.063.10.html#ww1369337</a><br />
<br />
Currently, RSSO allows for following attributes:<br />
<br />
<ul>
<li><span style="font-family: Courier New, Courier, monospace;">rsso</span> - enable/disable RADIUS based single sign on feature</li>
<li><span style="font-family: Courier New, Courier, monospace;">rsso-radius-server-port</span> - UDP port to listen on for RADIUS accounting packets</li>
<li><span style="font-family: Courier New, Courier, monospace;">rsso-radius-response</span> - enable/disable sending radius response packets</li>
<li><span style="font-family: Courier New, Courier, monospace;">rsso-validate-request-secret</span> - enable/disable validating RADIUS request shared secret</li>
<li><span style="font-family: Courier New, Courier, monospace;">rsso-secret</span> - RADIUS shared secret for responses / validating requests</li>
<li><span style="font-family: Courier New, Courier, monospace;">rsso-endpoint-attribute</span> - RADIUS Attribute used to hold End Point name</li>
<li><span style="font-family: Courier New, Courier, monospace;">rsso-endpoint-block-attribute</span> - RADIUS Attribute used to hold endpoint to block</li>
<li><span style="font-family: Courier New, Courier, monospace;">sso-attribute</span> - RADIUS Attribute used to match the single sign on group value</li>
<li><span style="font-family: Courier New, Courier, monospace;">sso-attribute-key</span> - key prefix for the single sign on group value in the 'sso-attribute'</li>
<li><span style="font-family: Courier New, Courier, monospace;">rsso-context-timeout</span> - timeout value for RADIUS server database entries (0 = infinite)</li>
<li><span style="font-family: Courier New, Courier, monospace;">rsso-log-period</span> - minimum time period to use for event logs</li>
<li><span style="font-family: Courier New, Courier, monospace;">rsso-log-flags</span> - events to log</li>
<li><span style="font-family: Courier New, Courier, monospace;">rsso-flush-ip-session</span> - enable/disable flush user IP sessions on RADIUS accounting stop</li>
</ul>
<br />
The following config should be used for our setup:<br />
In the interface port settings (Global > Network > Interface) enable the option to listen for RADIUS accounting messages. Then configure, through the CLI or a combination of the web interface and the CLI, the following:<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">config user radius<br />
&nbsp;&nbsp;&nbsp;&nbsp;edit "RSSO_Agent"<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;set rsso enable<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;set rsso-radius-server-port 1813<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;set rsso-radius-response enable<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;set rsso-validate-request-secret enable<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span style="background-color: #fff2cc;">set rsso-secret ENC *****</span><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span style="background-color: #cfe2f3;">set rsso-endpoint-attribute User-Name</span><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;set rsso-endpoint-block-attribute Called-Station-Id<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span style="background-color: #f4cccc;">set sso-attribute Vendor-Specific</span><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span style="background-color: #f4cccc;">set sso-attribute-key '6'</span><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;set rsso-context-timeout 28800<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;set rsso-log-period 0<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;set rsso-log-flags protocol-error profile-missing context-missing accounting-stop-missed accounting-event endpoint-block radiusd-other<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;set rsso-flush-ip-session disable<br />
&nbsp;&nbsp;&nbsp;&nbsp;next<br />
end</span><br />
<br />
<span style="background-color: #fff2cc;">---</span> Set the shared secret between the Radius server and the Fortigate unit.<br />
<br />
<span style="background-color: #cfe2f3;">---</span> We need to classify the users based on their user names. Since we know that all our authentications come from a single AD service, a user that has two, three or four devices/sessions should have the same quota for all devices.<br />
<br />
<span style="background-color: #f4cccc;">---</span> Remember that our Aerohive units send Radius accounting packets to the Fortigate. These packets contain vendor-specific attributes that contain group numbers.<br />
<br />
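<div>The <span style="font-family: Courier New, Courier, monospace;">rsso-validate-request-secret</span> and <span style="font-family: Courier New, Courier, monospace;">rsso-radius-response</span> settings above decide whether the unit checks the shared secret on every incoming accounting packet and whether it answers it. The Python example below is added here to show what that check consists of; it is not code from this post, from Fortinet or from Aerohive. It builds an Accounting-Request the way a NAS does, validates the Request Authenticator with the shared secret as RFC 2866 describes, and answers with an Accounting-Response tied to that request. The secret, user name and packet identifier are constructed for the example. Without this validation, any host that can send UDP to the listening port could hand the unit an accounting record that maps an IP to a group.</div>

```python
import hashlib
import hmac
import struct

# RADIUS packet codes for accounting (RFC 2866)
ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5

# Attribute types used in the constructed sample (RFC 2865 / RFC 2866)
USER_NAME = 1
ACCT_STATUS_TYPE = 40
ACCT_STATUS_START = 1


def radius_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as type (1 byte), length (1 byte, includes header), value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(identifier: int, attributes: bytes, secret: bytes) -> bytes:
    """What the NAS (here: an Aerohive AP) sends. The Request Authenticator is
    MD5(Code + Identifier + Length + sixteen zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attributes))
    authenticator = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + authenticator + attributes


def validate_accounting_request(packet: bytes, secret: bytes) -> bool:
    """What a listener with secret validation on does: recompute the Request
    Authenticator with its own copy of the shared secret and compare in constant time.
    Returns False for a malformed packet, a modified packet or a wrong secret."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or length > len(packet):
        return False
    packet = packet[:length]  # octets beyond Length are padding and must be ignored
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def build_accounting_response(request: bytes, secret: bytes) -> bytes:
    """Reply to a validated request. The Response Authenticator is
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret);
    this response carries no attributes."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    authenticator = hashlib.md5(header + request[4:20] + secret).digest()
    return header + authenticator


def validate_accounting_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """What the NAS does with the reply: tie it to the request it answers."""
    if len(response) < 20 or response[0] != ACCOUNTING_RESPONSE or response[1] != request[1]:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    if length < 20 or length > len(response):
        return False
    response = response[:length]
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


# Constructed sample: secret, user name and identifier are made up for this example.
SHARED_SECRET = b"example-shared-secret"
SAMPLE_ATTRIBUTES = (
    radius_attr(USER_NAME, b"jdoe")
    + radius_attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START))
)
SAMPLE_REQUEST = build_accounting_request(0x2A, SAMPLE_ATTRIBUTES, SHARED_SECRET)


def demo() -> dict:
    """The outcomes a validating listener distinguishes, for the sample packet."""
    # Same length, different User-Name: the Request Authenticator no longer matches.
    tampered = SAMPLE_REQUEST[:20] + radius_attr(USER_NAME, b"root") + SAMPLE_REQUEST[26:]
    response = build_accounting_response(SAMPLE_REQUEST, SHARED_SECRET)
    return {
        "genuine": validate_accounting_request(SAMPLE_REQUEST, SHARED_SECRET),
        "wrong_secret": validate_accounting_request(SAMPLE_REQUEST, b"not-the-secret"),
        "tampered": validate_accounting_request(tampered, SHARED_SECRET),
        "truncated": validate_accounting_request(SAMPLE_REQUEST[:19], SHARED_SECRET),
        "response_accepted": validate_accounting_response(response, SAMPLE_REQUEST, SHARED_SECRET),
    }


if __name__ == "__main__":
    for outcome, accepted in demo().items():
        print("%-18s %s" % (outcome, "accepted" if accepted else "rejected"))
```

<div>Both validators take the packet length from the Length field rather than from the datagram size: padding after the attributes is legal and is not covered by the authenticator, so a listener that hashed the whole datagram would reject valid packets.</div>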
However, we have been told by Fortigate support that two of them are there by mistake! That means that sso-attribute-key and sso-attribute with the value Vendor-Specific should not be available as options. This also means that Fortinet's implementation of the Radius accounting parser is not feature complete and takes into account only basic attributes.<br />
<br />
Moreover, the support states that:<br />
<ol>
<li>"<i>RSSO uses only built-in parameter set, and cannot be used in the same policy with FSSO users. You can use it with two different rules with FSSO if you don't use FSSOguest users</i>" - this means that FSSO-Guest and RSSO are not compatible, and FSSO and RSSO need to be separated into different policies. </li>
<li>"<i>Web filter works for all users, but Quota works only for "authenticated" users. That means it will not work for RSSO users, until we will allow for RSSO users to be "authenticated" users in next releases, and will not work for BYOD non-authenticated users.</i>" - this means that users authenticated with RSSO are not authenticated at all! In fact, in the current release (FortiOS 5.0 Build 0128) RSSO seems to be a totally useless functionality. What can it do? </li>
</ol>
<b>UPDATE</b> from 18 January 2013, taken from a Fortinet support engineer's message (as is); italics - original message, everything else - my comments:<br />
"<i>1. RSSO is not really "authenticated" users, like FSSO or LDAP for now. This option allows you to assign specific IPs to corresponding groups. The only limitation between LDAP user and FSSO user is using quota.<br />Since it is not "authenticated", you cannot use it with FSSO users in the same policy. This is a new feature, and will be extended in next releases.</i>" - Now everything is clear! After three months of suffering we got it. It was never made to work as an authentication method similar to FSSO, LDAP etc. It is simply a way for large providers to assign IPs based on Radius records. Why does the documentation say nothing? Why do your own engineers know nothing about it?<br />
"<i>2. The Vendor-Specific was added by mistake, and cannot work by design. For "Vendor-Specific" you need three parameters: </i><br />
<i>a. Attribute - It's Vendor-Specific in our case. </i><br />
<i>b. VS Attribute - This does not exist in our firmware. </i><br />
<i>c. attribute key - Used for parsing Attribute parameter, if Radius sends not "&lt;group&gt;", but "Group=&lt;group&gt;". In this case key will be "Group=". </i> This means that sso-attribute-key is simply a setting that strips the specified prefix string from the attribute value received by the unit. As the support says, if the value is "Group=mobile" and the sso-attribute-key is "Group=", the Fortigate will only store and register "mobile" as the value.<br /><i>Since we cannot configure "VS Attribute", "Vendor-Specific" will never work. This option will be removed from our firmware.</i>" It took us three months and close to 100 hours of testing with five L2 support engineers to get where we are now. Great customer support!<br />
<br />
<b>Update</b> from 09 May 2013: the VendorSpecific sso-attribute is still in the latest build (v5.0,build0179 (GA Patch 2)) but it does not work.<br />
<b>Update</b> from 28 May 2013: Confirmed with Fortinet support - the VendorSpecific attribute will be removed and will not work (the only question is when).<br />
<br />
sashkashurikhttp://www.blogger.com/profile/04594731381634427632noreply@blogger.com10<br />
tag:blogger.com,1999:blog-5485513671985093591.post-16466373918492464832013-01-17T14:40:00.001-05:002013-01-17T15:23:44.723-05:00<br />
<b>2. Networking series - Fortigate</b><br />
Last time we looked at the Aerohive Radius accounting message. This time we will be considering how the Fortigate works.<br />
<br />
We have the latest patch of version 5 FortiOS (FortiOS 5.0 Build 0128). This means that we have features such as:<br />
<ul>
<li>FSSO - Fortinet Single Sign On, is a feature that requires an agent/collector setup to be installed on every AD and DC in the network in order to collect and forward user logins to the Fortigate unit. It is not perfect and may sometimes miss a logout. However, we never encountered a problem with a missed login.</li>
<li><a href="http://sashkastechnical.blogspot.com/2013/01/22-networking-series-fortigate-rsso.html">RSSO</a> - Radius Single Sign On, is a feature that requires all accounting packets to be sent to the Fortigate unit. This setup allows the unit to use an external Radius authentication server in order to classify users.</li>
<li>FortiBar - A tool bar that appears on some user-accessed web pages with additional information and actions. </li>
</ul>
All of the above may be useful for our project.<br />
<br />
sashkashurikhttp://www.blogger.com/profile/04594731381634427632noreply@blogger.com0<br />
tag:blogger.com,1999:blog-5485513671985093591.post-43821410465919330402013-01-17T13:32:00.000-05:002013-01-17T15:55:20.386-05:00<br />
<b>1.2 Networking series - Aerohive</b><br />
As I stated earlier, Aerohive uses thick APs that in our setup act as Radius servers.<br />
<br />
This means that they exchange auth/acc messages between the APs, and these messages must contain information on user classification. Given that info, we could, normally, redirect the accounting messages to another server and use them for user identification.<br />
<br />
In fact, Aerohive sends a standard accounting packet that has two vendor-specific parameters. In Wireshark these parameters look like:<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">AVP: l=12 t=Vendor-Specific(26) v=Aerohive Networks, Inc.(26928)<br />
VSA: l=6 t=Unknown-Attribute(1): 00000001<br />
Unknown-Attribute: 00000001</span><br />
<br />
and<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">AVP: l=12 t=Vendor-Specific(26) v=Aerohive Networks, Inc.(26928)<br />
VSA: l=6 t=Unknown-Attribute(6): 00000ffc<br />
Unknown-Attribute: 00000ffc</span><br />
<br />
One of these parameters, the second one, is of particular interest to us.<br />
In hex it looks like this: <span style="font-family: Courier New, Courier, monospace;">1a 0c 00006930 06 06 00000ffc</span><br />
Where:<br />
<ul>
<li>1a 0c => Vendor-Specific attribute (type 26), total length 12</li>
<li>00006930 => vendor ID 26928, i.e. Aerohive</li>
<li>06 06 => sub-type 6, Aerohive-User-Profile-Attribute, with length 6</li>
<li>00000ffc => UPID value</li>
</ul>
This UPID value is the value we are looking for: it is the group to which a user belongs!<br />
<br />
<br />
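<div>A parser for the attribute layout just described, written in Python and added here; it is not code from this post, from Aerohive or from Fortinet. It walks the top-level RADIUS attributes, descends into every Vendor-Specific (type 26) value, keeps only the ones carrying Aerohive's vendor ID 26928, and maps sub-type 6 to the UPID. It goes slightly beyond the single hex line above in that it handles any number of attributes and vendor sub-attributes and rejects inconsistent lengths, which is what a listener exposed to the network needs. The sample bytes are the two VSAs from the capture above, preceded by a constructed User-Name attribute; only the two sub-type names seen in the capture are listed.</div>

```python
import struct

VENDOR_SPECIFIC = 26          # RFC 2865 attribute type
AEROHIVE_VENDOR_ID = 26928    # 0x6930, as seen in the capture above

# Sub-type names for the two Aerohive VSAs that appear in the capture.
AEROHIVE_VSA_NAMES = {
    1: "Aerohive-User-Vlan",
    6: "Aerohive-User-Profile-Attribute",
}


def iter_attributes(data: bytes):
    """Walk a run of RADIUS attributes (type, length, value) and yield (type, value).
    Vendor sub-attributes use the same TLV layout, so this also walks the inside of a VSA."""
    offset = 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise ValueError("truncated attribute header at offset %d" % offset)
        attr_type, length = data[offset], data[offset + 1]
        if length < 2 or offset + length > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (length, offset))
        yield attr_type, data[offset + 2:offset + length]
        offset += length


def parse_vendor_specific(value: bytes):
    """Split a Vendor-Specific value into (vendor_id, [(vendor_type, vendor_value), ...])."""
    if len(value) < 4:
        raise ValueError("Vendor-Specific value shorter than the 4-byte Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    return vendor_id, list(iter_attributes(value[4:]))


def aerohive_vsas(data: bytes) -> dict:
    """Return {attribute_name: value} for every Aerohive VSA in an attribute blob.
    Other vendors' VSAs are skipped; unknown Aerohive sub-types get a generic name."""
    result = {}
    for attr_type, value in iter_attributes(data):
        if attr_type != VENDOR_SPECIFIC:
            continue
        vendor_id, subs = parse_vendor_specific(value)
        if vendor_id != AEROHIVE_VENDOR_ID:
            continue
        for sub_type, sub_value in subs:
            name = AEROHIVE_VSA_NAMES.get(sub_type, "Aerohive-Unknown-%d" % sub_type)
            # Both attributes in the capture are 4-byte integers; keep raw bytes otherwise.
            result[name] = struct.unpack("!I", sub_value)[0] if len(sub_value) == 4 else sub_value
    return result


def aerohive_upid(data: bytes):
    """The UPID (user profile id) the post is after, or None if the packet carries none."""
    return aerohive_vsas(data).get("Aerohive-User-Profile-Attribute")


def is_well_formed(data: bytes) -> bool:
    """True when every attribute and vendor sub-attribute has a consistent length."""
    try:
        aerohive_vsas(data)
        return True
    except ValueError:
        return False


# Constructed sample: the two VSAs exactly as in the capture (hex from the post),
# preceded by a made-up User-Name attribute so the walker has something to skip.
SAMPLE_ATTRIBUTES = (
    bytes([1, 6]) + b"jdoe"                                      # User-Name = "jdoe"
    + bytes.fromhex("1a0c" "00006930" "0106" "00000001")          # Aerohive-User-Vlan = 1
    + bytes.fromhex("1a0c" "00006930" "0606" "00000ffc")          # Aerohive-User-Profile-Attribute = 0xffc
)


if __name__ == "__main__":
    print(aerohive_vsas(SAMPLE_ATTRIBUTES))
    print("UPID:", aerohive_upid(SAMPLE_ATTRIBUTES))
```

<div>Because the walker checks each declared length against the bytes actually present before reading a value, a clipped or malformed packet raises instead of silently yielding a wrong group number.</div>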
A detailed Aerohive dictionary file that can be used in Wireshark looks like this:<br />
<span style="font-size: x-small;"><span style="font-family: Courier New, Courier, monospace;"># -*- text -*-<br />#<br /># The Aerohive Vendor-Specific dictionary.<br />#<br />#<br />VENDOR Aerohive 26928<br />BEGIN-VENDOR Aerohive<br /><br />ATTRIBUTE Aerohive-User-Vlan 1 integer<br />ATTRIBUTE Aerohive-Libsip-Patron-Info 3 octets encrypt=2<br />ATTRIBUTE Aerohive-Libsip-Action 4 integer<br />ATTRIBUTE Aerohive-Libsip-Additional-Message 5 octets<br />ATTRIBUTE Aerohive-User-Profile-Attribute 6 integer<br />ATTRIBUTE Aerohive-PPSK-Request 201 octets<br />ATTRIBUTE Aerohive-PPSK-PMK 202 octets<br />ATTRIBUTE Aerohive-IDM-Message 203 integer<br />ATTRIBUTE Aerohive-NT-Identity 204 integer<br /><br />#<br /># Integer Translations<br />#<br /><br /># Aerohive-Libsip-Action Values<br /><br />VALUE Aerohive-Libsip-Action Permit 0<br />VALUE Aerohive-Libsip-Action Restricted 1<br />VALUE Aerohive-Libsip-Action Deny 2<br /><br /><br />END-VENDOR Aerohive</span></span><br />
<br />
sashkashurikhttp://www.blogger.com/profile/04594731381634427632noreply@blogger.com0<br />
tag:blogger.com,1999:blog-5485513671985093591.post-74208515668414570062013-01-17T13:08:00.002-05:002013-01-17T13:08:42.818-05:00<br />
<b>1.1 Networking series - Setup</b><br />
Some interesting and useful details on our config:<br />
<br />
Our Fortigate unit uses the FSSO plugin/software installed on our DC to get user IDs. It is also used to do traffic shaping and web filtering for all connections. The unit is installed at the edge and manages all traffic between the various LANs and the two WLAN connections we have.<br />
<br />
In the institution, we have Wi-Fi available everywhere. We are using Aerohive APs. These are thick clients that can work without a controller and may also execute some additional roles. In our setup, the controller is used only for statistics and pushing new configs. Three access points are configured as redundant Radius servers and one acts as an Active Directory authenticator. <br />
This means that the wireless network is very resilient and places little load on the AD: it caches user login/group. At the same time, user profiles are modified in real time according to their behavior and the device they are using. For example, an admin using a wireless device will be placed in a special group that has less access than his/her normal profile. <br />
<br />
<br />
All this functions normally, until the moment we would like to use the Fortigate unit to do some accounting/web quota on the users coming from wireless. The machines that belong to our institution are registered in AD. The machines that belong to users are not. As a result, web quota does not work.<br />
Can we do it somehow? Can we optimize our network traffic and identify, at the Fortigate, all users (even if it is their own device)?<br />
<br />
sashkashurikhttp://www.blogger.com/profile/04594731381634427632noreply@blogger.com0<br />
tag:blogger.com,1999:blog-5485513671985093591.post-39204671953648558482013-01-17T09:54:00.000-05:002013-01-17T09:55:11.126-05:00<br />
<b>1. Networking series - Purpose</b><br />
I decided to post a few rants about some of the problems/solutions we have encountered on our network.<br />
<br />
Our set-up:<br />
The wired network is all gigabit managed Cisco switches, with some security ensured by PacketFence. <br />
The wireless network is composed of a series of Aerohive APs with a controller in a VM.<br />
Edge security and many other things are managed by a Fortigate unit.<br />
<br />
Now, all this works really nicely until the moment you attempt to do something less common. For example, set web quotas for all users. <br />
<br />
We have found that it is not as easy as it seemed and will probably never work as we hoped. The following posts will detail our findings.<br />
sashkashurikhttp://www.blogger.com/profile/04594731381634427632noreply@blogger.com0