Fortigate and LDAP 4.0 MR3 Patch1

Hi Guys,

I have been setting up a lot of FortiGates recently and on my first few I had issues with the LDAP settings. I found it tricky to remember the correct settings, and typing out the long LDAP strings by hand is error-prone and causes typos.

  1. Log on to the FortiGate and go to Users -> Remote -> LDAP (Create New)
  2. Fill in a Name for the connector
  3. Fill in the IP address of the server that has LDAP installed
  4. Change the Common Name Identifier to: sAMAccountName
  5. Enter the Distinguished Name: if your domain is domain.local, the distinguished name would be: DC=domain,DC=local
  6. Set your Bind Type to Regular
  7. In the User DN box you must type the full path to the user, e.g. if your user is domain.local/users/service accounts/fortigate you would need the following: CN=fortigate,OU=Service Accounts,OU=Users,OU=MyBusiness,DC=domain,DC=local
  8. Type the password for your service account
This should be all that you require. One thing to keep an eye on is typos in the User DN: a typo there will stop you from being able to log on with the SSL-VPN, or anything else for that matter!
If you get an error in the SSL-VPN logs saying no_matching_policy then you have a typo somewhere.
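The quickest way to catch a User DN typo is to try the same bind and lookup the FortiGate will do, from a Windows box, before saving the connector. This is an added example and not part of the original post; the DC address 192.0.2.10, the test user jsmith, and the assumption that the service account's sAMAccountName is also "fortigate" are placeholders.

```powershell
# Added example, not from the original post: dry-run the FortiGate LDAP settings from a
# domain-joined Windows box so a typo in the User DN is caught before it breaks SSL-VPN logons.
# Placeholders: 192.0.2.10 (DC address) and jsmith (a test sAMAccountName).
$Server   = "192.0.2.10"
$BaseDN   = "DC=domain,DC=local"                      # Distinguished Name field
$BindDN   = "CN=fortigate,OU=Service Accounts,OU=Users,OU=MyBusiness,DC=domain,DC=local"  # User DN field
$TestUser = "jsmith"                                   # a sAMAccountName the VPN should accept
$BindPw   = Read-Host "Service account password" -AsSecureString
$plainPw  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
                [Runtime.InteropServices.Marshal]::SecureStringToBSTR($BindPw))

# Step 1: Regular bind with the service account's full DN. AuthenticationTypes::None is a
# plain simple bind on port 389, which is what the FortiGate does unless "Secure Connection"
# (LDAPS) is enabled, so the password crosses the wire in clear text in both cases.
$root = New-Object System.DirectoryServices.DirectoryEntry(
            "LDAP://$Server/$BaseDN", $BindDN, $plainPw,
            [System.DirectoryServices.AuthenticationTypes]::None)
try {
    $null = $root.NativeObject                         # forces the bind; throws on a bad DN or password
} catch {
    throw "Bind as '$BindDN' failed: $($_.Exception.Message). Re-check the User DN for typos."
}

# Step 2: Search by the Common Name Identifier (sAMAccountName) under the base DN,
# which is how the FortiGate resolves the VPN user after the bind succeeds.
$search = New-Object System.DirectoryServices.DirectorySearcher($root)
$search.Filter = "(&(objectCategory=person)(sAMAccountName=$TestUser))"
$hit = $search.FindOne()
if ($hit) { "OK: $TestUser resolves to $($hit.Properties['distinguishedname'])" }
else      { "FAIL: $TestUser not found under $BaseDN" }

# Step 3: Print the service account's DN straight from AD so it can be pasted into the
# User DN box rather than typed. Assumes the account's sAMAccountName is 'fortigate'.
$search.Filter = "(sAMAccountName=fortigate)"
$svc = $search.FindOne()
if ($svc) { "Paste this as User DN: $($svc.Properties['distinguishedname'])" }
```

If step 1 fails with an invalid-credentials error while the password is known to be right, the DN is wrong; if step 2 fails, the base DN or Common Name Identifier is.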

Server 2003 Reinstall Terminal Services Licensing.

I came across an issue today where I needed to reinstall Terminal Services Licensing, but when you do this the licensing is lost and needs to be re-applied.

I managed to resolve this issue by copying the licensing DB to a different folder, re-installing Terminal Services Licensing, and then copying it back.


  1. Stop the Terminal Services Licensing service
  2. Copy c:\windows\system32\LServer\TLSLic.edb
  3. Paste the DB to a different location
  4. Uninstall Terminal Services Licensing from Add/Remove Windows Components
  5. Re-install Terminal Services Licensing
  6. Stop the Terminal Services Licensing service
  7. Copy TLSLic.edb back to c:\windows\system32\LServer\, overwriting the new DB that is in there
  8. Start the Terminal Services Licensing service

Now you will notice that TS Licensing is working and all of your licences still work.


NOTE: You CANNOT move this DB to another server; it is registered to that licensing server!!!

Block iGoogle with Fortigate

Ok so I had a customer that wanted to block iGoogle but allow Google, which turns out to be tricky as the only way to tell the difference is by the gadgets and the title bar.
I did some research about iGoogle: every iGoogle page that I tested has the same title in the HTML source code, exactly: <title>iGoogle</title>

So you can use a DLP sensor to detect this title in the HTTP traffic and block these sites. I have tested this on a FortiGate-60B with firmware version 4.2.3.

I tried to solve this problem with application control, the web content filter and the FortiGuard web filter, but I didn't find a solution there.

Warning: Cannot modify header information – headers already sent by…

Ok so today I was doing some PHP coding and got the dreaded header error, which caused me a bit of a headache as I needed to redirect some pages. After a bit of searching I managed to find an alternatives to using:

So to get rid of the error that this produces simply change it to any of the below:

OR

OR

I used the last option as I found it worked best with my program compared to the others; however, they may all work well for your application.

Mapping a network drive in NT4 with logon credentials

Ok so today I had a customer come to me saying that when they map a network drive in NT4, the user details don't get remembered when the PC is rebooted.

Here is a simple solution to the issue we have been having:

Run this at startup or as a logon script and the issue will be no more.

Send on Behalf and Send As

Send on Behalf and Send As are similar in fashion. Send on Behalf allows a user to send as another user while showing the recipient that it was sent from a specific user on behalf of another user. What this means is that the recipient is aware of who actually initiated the message, regardless of who it was sent on behalf of. This may not be what you are looking to accomplish. In many cases, you may want to send as another person and you do not want the recipient to know who initiated the message. Of course, a possible downside to this is that if the recipient replies, the reply may go to a user who did not initiate the message, which might be confusing depending on the circumstances. Send As can be useful in a scenario where you are sending as a mail-enabled distribution group. If someone replies, it will go to that distribution group, which ultimately gets sent to every user who is a member of that distribution group. This article explains how to use both methods.

Send on Behalf

There are three ways to configure Send on Behalf. The first method is using Outlook Delegates, which allows a user to grant another user the right to Send on Behalf of their mailbox. The second method is having an Exchange Administrator go into the Exchange Management Shell (EMS) and grant a specific user the right to Send on Behalf of another user. The third and final method is using the Exchange Management Console (EMC).

Outlook Delegates

There are two major steps in order to use Outlook Delegates. The first is to select the user and add him as a delegate. You then must share your mailbox with that user.

  1. Go to Tools and choose Options
  2. Go to the Delegates Tab and click Add
  3. Select the user you wish to grant access to, click Add and then OK

Note: There are more options you can choose from once you select OK after adding that user. Nothing in the next window is necessary to grant send on behalf.

  1. When back at the main Outlook window, in the Folder List, choose your mailbox at the root level. This will appear as Mailbox – Full Name
  2. Right-click and choose Change Sharing Permissions
  3. Click the Add button
  4. Select the user you wish to grant access to, click Add and then OK
  5. In the permissions section, you must grant the user at minimum the Non-editing Author role.

Exchange Management Shell (EMS)

This is a fairly simple process to complete. It consists of running only the following command and you are finished. The command is as follows:

Set-Mailbox UserMailbox -GrantSendOnBehalfTo UserWhoSends

Exchange Management Console (EMC)

  1. Go to Recipient Management and choose Mailbox
  2. Choose the mailbox and choose Properties in Action Pane
  3. Go to the Mail Flow Settings Tab and choose Delivery Options
  4. Click the Add button
  5. Select the user you wish to grant access to, click Add and then OK

Send As

As of Exchange 2007 SP1, there are two ways to configure Send As. The first method is having an Exchange Administrator go into the Exchange Management Shell (EMS) and grant a specific user Send As on another user's mailbox. The second and final method (added in SP1) is using the Exchange Management Console (EMC).

Exchange Management Shell (EMS)

The first method is to grant a specific user the ability to Send As another user. It consists of running only the following command and you are finished. The command is as follows:

Add-ADPermission UserMailbox -ExtendedRights Send-As -user UserWhoSends

Exchange Management Console (EMC)

  1. Go to Recipient Management and choose Mailbox
  2. Choose the mailbox and choose Manage Send As Permissions in Action Pane
  3. Select the user you wish to grant access to, click Add and then OK

Miscellaneous Information

No “From:” Button

In order for a user to Send on Behalf or Send As another user, their Outlook profile must be configured to show a From: button. By default, Outlook does not show the From: button. In order to configure a user’s Outlook profile to show the From: button:

Replies

If you are sending as another user, the recipient user might reply. By default, Outlook is configured to set the reply address to whoever is configured as the sending address. So if I am user A sending on behalf of user B, the reply address will be set to user B. If you are the user initiating the sending message, you can configure your Outlook profile to manually configure the reply address.

Conflicting Methods

If you are configuring Send on Behalf permissions on the Exchange Server, ensure that the user is not trying to use Outlook Delegates at the same time. Recently, at a client, I was given the task of configuring Send As as well as Send on Behalf. As I was configuring Send As on the server, I found out that the client was attempting to use Outlook Delegates at the same time. Send As would not work. Once the user removed the other user from Outlook Delegates and removed that user's permissions at the root level of their mailbox (the level that appears as Mailbox – Full Name), Send As began to work. So keep in mind, if you are configuring Send As or Send on Behalf, use only one method for a specific user.

SendAs Disappearing

If the mailbox user is in a Protected Group, something in Active Directory called SDProp will come by every hour and remove Send As permissions on users in these protected groups. The security rights on these protected accounts are determined by the security rights assigned on the adminSDHolder object, which exists in each domain. The important part for you to remember is that every hour, inheritance on these protected accounts will be removed and Send As will be wiped away.

A good blog article explaining what adminSDHolder and SDProp are and what Protected Groups are is located here.
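The EMS commands above grant the two rights, and the two sections just above describe the ways they silently stop working. The following script, an added example that is not from the original article, audits one mailbox for both rights and flags both failure modes; it assumes an Exchange 2007 SP1 or later Management Shell, and UserMailbox is a placeholder.

```powershell
# Added example, not from the original article: audit a mailbox for Send As and Send on Behalf
# and flag the two failure modes described above (mixed methods, and SDProp stripping Send As).
# Run in the Exchange Management Shell (2007 SP1 or later). UserMailbox is a placeholder.
param([string]$Mailbox = "UserMailbox")

$mbx = Get-Mailbox -Identity $Mailbox

# Send on Behalf lives on the mailbox object (publicDelegates); Outlook Delegates and
# Set-Mailbox -GrantSendOnBehalfTo both write the same attribute.
$onBehalf = @($mbx.GrantSendOnBehalfTo | ForEach-Object { (Get-Recipient $_).SamAccountName })

# Send As is an explicit, non-inherited Allow ACE on the AD user object (what Add-ADPermission writes).
$sendAs = @(Get-ADPermission -Identity $mbx.DistinguishedName |
    Where-Object { ($_.ExtendedRights -like "*Send-As*") -and -not $_.IsInherited -and
                   -not $_.Deny -and ($_.User -notlike "NT AUTHORITY\SELF") } |
    ForEach-Object { $_.User.ToString().Split('\')[-1] })

"Send on Behalf of $($mbx.DisplayName): $($onBehalf -join ', ')"
"Send As $($mbx.DisplayName): $($sendAs -join ', ')"

# Conflict check: a trustee holding both rights is usually an Outlook Delegate left in place
# while Send As was granted on the server, the situation in which Send As did not work.
foreach ($u in $sendAs) {
    if ($onBehalf -contains $u) {
        "WARNING: $u has both Send As and Send on Behalf - use one method only."
    }
}

# SDProp check: adminCount=1 marks a (current or former) member of a Protected Group; every
# hour the ACL is reset from adminSDHolder and the explicit Send-As ACE disappears.
$ad = [ADSI]"LDAP://$($mbx.DistinguishedName)"
if ($ad.Properties['adminCount'].Value -eq 1) {
    "WARNING: $($mbx.SamAccountName) has adminCount=1 (Protected Group); Send As granted here will be removed by SDProp."
}
```

Run it again an hour after granting Send As on a flagged account and the Send As line will be empty, which is the SDProp behaviour the article describes.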



The Missing Manual Part 1: Veeam B & R Direct SAN Backups

One thing that I had problems with the first time I installed Veeam was the ability to back up Virtual Machines directly from the SAN. Meaning that instead of proxying the data through an ESXi host, the data would flow from the SAN to the backup server directly. The benefits of this process are very clear… reduced CPU and network load on the ever so valuable ESXi resources.

How to determine which service pack of sql server is installed

To find out which service pack is installed on a SQL Server instance you can obtain the current version of SQL Server and then look up which service pack it corresponds to, or you may run a query against the SQL Server instance (from SQL Server 2005 onwards).

KILLING A WINDOWS SERVICE THAT SEEMS TO HANG ON “STOPPING”

It sometimes happens (and it’s not a good sign most of the time): you’d like to stop a Windows Service, and when you issue the stop command through the SCM (Service Control Manager) or by using the ServiceProcess classes in the .NET Framework or by other means (net stop, Win32 API), the service remains in the state of “stopping” and never reaches the stopped phase. It’s pretty simple to simulate this behavior by creating a Windows Service in C# (or any .NET language whatsoever) and adding an infinite loop in the Stop method. The only way to stop the service is by killing the process then. However, sometimes it’s not clear what the process name or ID is (e.g. when you’re running a service hosting application that can cope with multiple instances such as SQL Server Notification Services). The way to do it is as follows:

How to Make the Shutdown Button Unavailable by Using Group Policy

You can use the Group Policy Editor to make the Shutdown button unavailable in the Log On to Windows dialog box that appears when you press CTRL+ALT+DELETE on the Welcome to Windows screen.