Category Archives: Security

How to display external bandwidth reports in WatchGuard Dimension


Here’s a quick WatchGuard tip. I had to do some analysis on bandwidth usage recently, but although I could see live usage in WatchGuard System Manager there was no report for external interface bandwidth utilisation in WatchGuard Dimension.

To be able to report on bandwidth utilisation in WatchGuard Dimension you first need to enable Performance Statistics logging on the WatchGuard Firebox, so that the Firebox sends the interface throughput counters to Dimension. Here’s how to do it.


WatchGuard Fireware v11.12 released


WatchGuard Fireware v11.12 and WatchGuard System Manager v11.12 were released on 17th November 2016. This replaces the previous version, 11.11.4 Update 2.

Full release notes can be found here. Please read them before upgrading! Your Firebox must be running Fireware XTM v11.7.5, v11.8.4, or v11.9 or higher before you can upgrade to v11.12.

The software can be downloaded from here.

New features and functions include:

  • ConnectWise Integration
  • Threat Detection and Response
  • Geolocation Service
  • Dynamic VPN Tunnels to Azure
  • IPv6 Support in Services and Proxies
  • Services and Proxies Enabled by Default
  • Gateway Wireless Controller
  • FireCluster with DHCP on External Interface
  • X-forwarded Information from Header in Logs and Dimension

For more detailed information see the presentation “What’s New in Fireware v11.12”.


WatchGuard: How to resolve “Response denied by WatchGuard HTTP Proxy – Reason: header-line too large”


I’ve seen a couple of instances recently, at two different customers, where the WatchGuard HTTP Proxy has blocked access to websites with the following message in the browser:

Response denied by WatchGuard HTTP Proxy
Reason: header-line too large=’Set-Cookie:
Please contact your administrator for assistance.

Windows Server 2012 R2: How to create a UPN Suffix


In this post we’ll look at how to create a new User Principal Name (UPN) suffix. These instructions also apply to Windows Server 2008.

The current best practice for naming a new Active Directory domain is a little hazy; see my earlier post Active Directory Domain Naming Best Practices.

For my scenario I decided to use a sub domain of our registered company domain. This can be confusing for users, because their logon name (user@ad.example.com) will look slightly different from their email address (user@example.com).

So to remedy this we can create a new UPN suffix.

In this example I’ve used an ‘ad’ sub domain of my oxfordsbsguy.com domain, so on initial account creation the only UPN suffix I can choose is @ad.oxfordsbsguy.com.

Screenshot: ADUC - Create New User

To add a new UPN suffix, open Active Directory Domains and Trusts, right click the top level node on the left hand side, Active Directory Domains and Trusts [DC1.ad.oxfordsbsguy.com], and select Properties. Note that UPN suffixes are a forest-wide setting (they are stored in the configuration partition), so you need to be a member of Enterprise Admins, not just Domain Admins, to change them.

Screenshot: Active Directory Domains and Trusts - Properties

Type in the alternative UPN suffixes required (in my case I just want my email domain as an additional UPN suffix), click Add, and then click OK.

Screenshot: Active Directory Domains and Trusts - UPN Suffixes

Now back in ADUC, select the user, open the Account tab, and pick the new UPN suffix from the drop-down list next to the user logon name.

Screenshot: ADUC - User Logon with UPN Suffix

The end user will now have a user logon name that is the same as their email address, which they can use to log in. Their pre-Windows 2000 logon name (DOMAIN\username) is unchanged, so that form continues to work too.
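The same change can be scripted with the ActiveDirectory PowerShell module, which is useful when more than a handful of accounts need the new suffix. The script below is an added example and is not part of the original post; the domain name ad.oxfordsbsguy.com and email domain oxfordsbsguy.com are taken from the post’s scenario, while the user account jsmith is a hypothetical name. Run it from an elevated PowerShell session on a machine with RSAT installed, as a member of Enterprise Admins (step 1 writes to the forest configuration partition).

```powershell
# Added example (not from the original post): add an alternative UPN suffix to the
# forest and assign it to a user, with the checks a practitioner would want first.
# Assumptions: AD domain ad.oxfordsbsguy.com, e-mail domain oxfordsbsguy.com,
# and a hypothetical user account 'jsmith'.
Import-Module ActiveDirectory

$NewSuffix = 'oxfordsbsguy.com'
$SamAccount = 'jsmith'   # hypothetical user

# 1. UPN suffixes are forest-wide (stored in the configuration partition), so this
#    step needs Enterprise Admin rights. Only add the suffix if it is not already there.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $NewSuffix }
}
# Show the suffix list; it should now include oxfordsbsguy.com alongside the domain name.
(Get-ADForest).UPNSuffixes

# 2. Build the new UPN and make sure nobody else already has it. A duplicate UPN makes
#    UPN logons ambiguous and breaks directory synchronisation, so fail early rather
#    than relying on the domain controller to reject the write.
$NewUpn = "$SamAccount@$NewSuffix"
$clash = Get-ADUser -Filter "UserPrincipalName -eq '$NewUpn'"
if ($clash -and $clash.SamAccountName -ne $SamAccount) {
    throw "UPN $NewUpn is already assigned to $($clash.SamAccountName)"
}

# 3. Assign the UPN. sAMAccountName (the DOMAIN\user logon form) is not touched,
#    so both logon forms keep working.
Set-ADUser -Identity $SamAccount -UserPrincipalName $NewUpn

# 4. Verify the result.
Get-ADUser -Identity $SamAccount -Properties UserPrincipalName, mail |
    Select-Object SamAccountName, UserPrincipalName, mail

# 5. Optional bulk change: give every user whose mail address uses the new suffix a
#    matching UPN. -WhatIf only reports what would change; remove it once the output
#    looks right. Users are skipped when the UPN already matches the mail address.
Get-ADUser -Filter "mail -like '*@$NewSuffix'" -Properties mail |
    Where-Object { $_.UserPrincipalName -ne $_.mail } |
    ForEach-Object {
        Set-ADUser -Identity $_ -UserPrincipalName $_.mail -WhatIf
    }
```

Step 2 is the one most often skipped when this is done by hand in ADUC: the GUI lets you pick the suffix without telling you whether the resulting UPN already exists elsewhere in the forest.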

Active Directory Domain Naming Best Practices


It’s quite uncommon to get to set up a new company Active Directory infrastructure from scratch. Usually a customer has some kind of infrastructure in place already, which I then help manage, maintain and enhance.

However recently I’ve been tasked with setting up a brand new company’s infrastructure and one of my first tasks was to name the Active Directory domain.

There are a number of possible scenarios:

  • You could use a .local or other non-routable domain
  • You could use your external domain (split-brain DNS, where the same name resolves differently inside and outside)
  • You could use a domain similar to your public FQDN, e.g. .net instead of .com
  • You could use a sub domain of your public FQDN, e.g. ad.example.com

But which is best?

I guess that depends on your specific scenario.

Certainly if SSL certificates from a public certificate authority are going to be involved at all (think Exchange) then non-routable domains are out: under the CA/Browser Forum Baseline Requirements, public CAs no longer issue certificates containing internal names such as .local hosts or reserved IP addresses, so an Exchange server named after a .local domain cannot get a trusted certificate for that name.

http://www.networking4all.com/en/ssl+certificates/faq/change+san+issue/

https://www.digicert.com/internal-names.htm

After doing some research on the Internet I found there is no definitive answer; however, I did find lots of articles on best practices for naming an Active Directory domain. Rather than duplicate the work of others, I have provided links below to some of the most useful pages I found:

http://blogs.msmvps.com/acefekay/2009/09/07/what-s-in-an-active-directory-dns-name-choosing-a-domain-name/

http://www.mdmarra.com/2012/11/why-you-shouldnt-use-local-in-your.html

https://technet.microsoft.com/en-us/library/bb727085.aspx

http://blog.varonis.com/active-directory-domain-naming-best-practices/

http://exchangeserverpro.com/ssl-requirements-for-exchange-when-certificate-authorities-wont-issue-certificate/

https://acbrownit.wordpress.com/2013/04/15/active-directory-domain-naming-in-the-modern-age/

(Incidentally, I went for a sub domain of the public FQDN.)
