Modify Teleport VPN Subnet on Ubiquiti UniFi Gateway

Current lines of the UniFi Gateway devices, such as the UXG-Fiber that I am using, include a built-in VPN server called Teleport. It is designed as a simple, zero-configuration VPN: when enabled, UniFi configures it automatically, picking an unused subnet from the 192.168.X.0/24 range.

While initial deployment was as simple as advertised, I quickly ran into a problem where UniFi assigned a subnet that overlapped with a subnet on an upstream router. Because Teleport is a zero-configuration service, there is no supported way to set which subnet it uses. Add some curiosity, and a solution follows.

Requirements

  • Administrative access to the UniFi OS Control Plane (Cloud Key or equivalent).
  • SSH access to the UniFi OS Control Plane (Cloud Key or equivalent), required to reach the MongoDB instance that holds the network configuration.

Summary Steps

  • Gain SSH Access to the UniFi OS Control Plane
  • Determine the Site_ID Value for the Teleport Configuration
  • Modify the Teleport Subnet

Continue reading

MS SQL AlwaysOn Availability Groups with Managed Service Accounts

This is a practical guide for configuring Microsoft SQL Server with AlwaysOn Availability Groups using Managed Service Accounts.

This is not a guide for installing Microsoft SQL Server, as there are plenty of existing resources for that. This guide assumes that you have a pair of fresh SQL Servers, or that you have the knowledge to build and install a SQL Server that follows best practices.

Requirements

  • Two or more ready SQL Servers.
  • Domain Administrator, or delegated privileges to create Computer Accounts, Managed Service Accounts, and Security Enabled Groups.
  • Domain Administrator, or delegated privileges to set Service Principal Names.
  • Local administrative privileges on the SQL Server operating system.
  • SA privileges on the SQL Server instances.

Summary Steps

  • Pre-Create Active Directory Resources.
    • Computer Account Objects
    • Managed Service Account Object
    • Service Principal Names
  • Configure the SQL Server operating system.
    • Local Firewall
    • Local Security Policy
    • Network Adapters
  • Create the Windows Server Failover Cluster instance.
  • Configure a File Share as a cluster witness.
  • Enable AlwaysOn functionality for MS SQL.
  • Configure the Managed Service Account for MS SQL.
  • Create the Availability Group.
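The Active Directory pre-creation and local firewall steps above, as an added PowerShell example (not code from the original guide). It assumes delegated rights on a hypothetical OU `OU=SQL,DC=corp,DC=example`, two nodes named SQL01 and SQL02, a cluster name SQLCL01, a listener name SQLAG01L and a gMSA named gmsa-sql; every name is hypothetical. The duplicate-SPN check matters: a duplicate MSSQLSvc SPN silently breaks Kerberos for the instance and clients fall back to NTLM.

```powershell
# Added example, not from the original guide. Pre-stages the AD objects for a
# two-node SQL AlwaysOn cluster running under a gMSA. All names are hypothetical.
Import-Module ActiveDirectory

$Domain      = 'corp.example'
$OU          = 'OU=SQL,DC=corp,DC=example'
$Nodes       = 'SQL01', 'SQL02'
$ClusterCNO  = 'SQLCL01'      # Windows Server Failover Cluster name object
$ListenerVCO = 'SQLAG01L'     # Availability Group listener object
$Gmsa        = 'gmsa-sql'
$HostGroup   = 'SQL-Servers'  # only members may retrieve the gMSA password

# 1. Security-enabled group of the SQL nodes. Membership is the access control
#    for the service account password, so keep it to the cluster nodes only.
New-ADGroup -Name $HostGroup -GroupScope Global -GroupCategory Security -Path $OU
Add-ADGroupMember -Identity $HostGroup -Members ($Nodes | ForEach-Object { Get-ADComputer $_ })

# 2. Cluster name object and listener object, pre-created *disabled* so the
#    cluster wizard claims these objects instead of creating its own.
foreach ($c in $ClusterCNO, $ListenerVCO) {
    New-ADComputer -Name $c -Path $OU -Enabled $false
}

# 3. The gMSA for the SQL service, limited to AES Kerberos encryption types.
New-ADServiceAccount -Name $Gmsa -DNSHostName "${Gmsa}.${Domain}" -Path $OU `
    -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
    -KerberosEncryptionType AES128, AES256

# 4. Service Principal Names: one pair per node plus one pair for the listener.
$spns = foreach ($h in $Nodes + $ListenerVCO) {
    "MSSQLSvc/${h}.${Domain}:1433"
    "MSSQLSvc/${h}.${Domain}"
}
# Refuse to register an SPN that already exists anywhere in the domain.
foreach ($s in $spns) {
    if (Get-ADObject -LDAPFilter "(servicePrincipalName=$s)") {
        throw "SPN $s is already registered; fix the duplicate before continuing."
    }
}
Set-ADServiceAccount -Identity $Gmsa -ServicePrincipalNames @{ Add = $spns }

# 5. Local firewall on each node: instance port, AG endpoint port, and the
#    cluster service port, domain profile only.
Invoke-Command -ComputerName $Nodes -ScriptBlock {
    New-NetFirewallRule -DisplayName 'SQL Server (TCP 1433)'   -Direction Inbound -Protocol TCP -LocalPort 1433 -Action Allow -Profile Domain
    New-NetFirewallRule -DisplayName 'SQL AG Endpoint (TCP 5022)' -Direction Inbound -Protocol TCP -LocalPort 5022 -Action Allow -Profile Domain
    New-NetFirewallRule -DisplayName 'Failover Cluster (UDP 3343)' -Direction Inbound -Protocol UDP -LocalPort 3343 -Action Allow -Profile Domain
}
```

The nodes must be rebooted (or at least re-obtain their Kerberos ticket) after being added to the host group before they can retrieve the gMSA password; the cluster creation, witness, AlwaysOn enablement and Availability Group steps are then performed with the cluster and SQL tooling and are not shown here.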

Continue reading

ADCS Enrollment Policy Web Service

This guide covers the deployment of the Active Directory Certificate Services (AD CS) Certificate Enrollment Policy Web Service (CEP) role on Server Core. The Certificate Enrollment Policy Web Service allows clients to retrieve certificate enrollment policies from an Enterprise Certificate Authority when access to a Domain Controller is not possible, such as external or DMZ-housed computers, or clients without permissions. Users and computers retrieve enrollment policies from a CEP server over HTTPS (TCP 443).

The Certificate Enrollment Policy Web Service binds to Active Directory Domain Controllers over standard LDAP ports. A single CEP server can provide policy services for multiple Enterprise Certificate Authorities. A CEP server is required for clients to utilize a Certificate Enrollment Web Services server.

Requirements

  • Administrator privileges on the CEP server.
  • A deployed and functional Enterprise PKI.

Summary Steps

  • Enroll a Computer Certificate for the CEP server IIS binding.
  • Install the Active Directory Certificate Services role with the Certificate Enrollment Policy Web Service role service.
  • Determine the URI for client access to the CEP service.
  • Configure Group Policy to direct clients to the new CEP server.

Continue reading

ADDS Group Managed Service Accounts

This guide covers the creation and management of Active Directory Domain Services (ADDS) Group Managed Service Accounts (gMSA). Group Managed Service Accounts are system-managed service accounts that behave much like computer accounts, in that the system automatically manages and rotates the account password. A gMSA solves many of the security problems that arise from conventional service accounts, where passwords may be rotated infrequently (or never) and where multiple users may know the account's credential.

Steps in this guide can be performed on any computer joined to the domain. Access to a domain controller is not necessary.

Requirements

  • Domain Administrator, or delegated privileges to create Managed Service Accounts and Security Enabled Groups.

Summary Steps

  • Create a Security Enabled Group
  • Create a Managed Service Account

Continue reading