DHCP Guest Range on a Single Subnet

At my new job, we needed to deny unregistered devices access to the internet by default. Normally this should be done via NAC, but all I had available was a Windows DHCP Server, a single subnet (and VLAN), and a perimeter firewall. Upgrading to NAC wasn’t an option at the time.

I wanted to configure the DHCP server so that whitelisted clients would get a DHCP IP Address lease in a different range than guest clients. This way, I can block all traffic to/from the guest client IP range at the firewall. This isn’t at all a robust security solution, but it was good enough for the specific application.

Here’s how you can configure Windows DHCP Server to put whitelisted machines in a specific IP range, and guest machines in a separate IP range.

  1. Create a ‘DHCP Scope’ in DHCP that constitutes the entire IP address range you’d like to use for DHCP. The scope should include both whitelisted PC’s and guests.
  2. Create an ‘exclusion range’ in the main scope created in the previous step. The exclusion range will be the ‘guest’ range.
  3. Create a ‘DHCP Policy’ in the main scope.
    Policy Name: “Guest Devices Get Blocked Pool”
  4. Edit the new policy.
  5. On the ‘Conditions’ tab, add a new condition.
    Criteria: MAC Address
    Operator: Not Equals
  6. Populate the policy’s new condition “Values” with your MAC address whitelist.
  7. Back on the Policy Properties window (conditions tab), make sure that the ‘AND’ radio button is selected.

An important note is that each condition can only hold about 20 MAC addresses. When you want to whitelist more devices past the limit, just create another ‘condition’ in the same policy. As long as ‘AND’ is the operator on the ‘Conditions’ tab, it’ll work great.

Another important note is that when running a DHCP fail-over partner, create the policy on a source member, and then replicate it to the partner. Every time you whitelist a new machine, you need to initiate a replication.

Here’s some PowerShell to help.

#Get the client IDs (MAC addresses) of all current leases in the scope:
Get-DhcpServerv4Lease -ScopeId 192.168.1.0 | Select-Object ClientId

#Get all whitelisted MAC addresses from the policy's conditions:
(Get-DhcpServerv4Policy -ScopeId 192.168.1.0 -Name "Guest Devices Get Blocked Pool").MacAddress
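An added audit script (not from the original post) that joins the two queries above: it lists every lease in the scope, flags whether the address fell in the guest range, and whether the MAC is in the policy's whitelist, so a whitelisted device that still landed in the guest range (typically a policy that was not replicated to the failover partner) stands out. The scope, guest range and policy name are assumptions; policy MAC values are handled in the "EQ,..."/"NE,..." form the DHCP cmdlets document.

```powershell
# Added example, not part of the original post. Assumed values below.
$ScopeId    = '192.168.1.0'
$PolicyName = 'Guest Devices Get Blocked Pool'
$GuestStart = '192.168.1.200'      # assumed: the exclusion range created in step 2
$GuestEnd   = '192.168.1.254'

function ConvertTo-IpNumber ([string]$Ip) {
    # Dotted quad -> unsigned integer so the guest range can be compared numerically
    $b = ([ipaddress]$Ip).GetAddressBytes(); [array]::Reverse($b); [BitConverter]::ToUInt32($b, 0)
}
function ConvertTo-MacPattern ([string]$Mac) {
    # Policy values look like "NE,00-11-22-33-44-55" or "EQ,00155D*"; leases use "00-11-22-33-44-55".
    # Drop the EQ/NE prefix and separators, keep '*' so wildcard conditions still match with -like.
    (($Mac -replace '^(EQ|NE),', '') -replace '[^0-9A-Fa-f*]', '').ToUpper()
}

$whitelist = @((Get-DhcpServerv4Policy -ScopeId $ScopeId -Name $PolicyName).MacAddress |
               ForEach-Object { ConvertTo-MacPattern $_ } | Where-Object { $_ })
$lo = ConvertTo-IpNumber $GuestStart
$hi = ConvertTo-IpNumber $GuestEnd

$report = Get-DhcpServerv4Lease -ScopeId $ScopeId | ForEach-Object {
    $n       = ConvertTo-IpNumber $_.IPAddress.ToString()
    $inGuest = ($n -ge $lo) -and ($n -le $hi)
    $mac     = ConvertTo-MacPattern $_.ClientId
    $listed  = [bool]($whitelist | Where-Object { $mac -like $_ })
    [pscustomobject]@{
        IPAddress    = $_.IPAddress
        ClientId     = $_.ClientId
        HostName     = $_.HostName
        InGuestRange = $inGuest
        Whitelisted  = $listed
        # Whitelisted-but-guest usually means the policy was not replicated to the failover partner;
        # unlisted-but-not-guest means a device got a production address the firewall will not block.
        Mismatch     = ($inGuest -eq $listed)
    }
}
$report | Sort-Object Mismatch -Descending | Format-Table -AutoSize
```

Run it on the DHCP server (or anywhere the DhcpServer module can reach it) after each whitelist change and replication.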

Thanks for reading :).


SCVMM 2012 R2 – Using Mac Address Pools

I had the weirdest thing happen the other day. I created a VM and migrated it to a second host. I created a new VM, and had trouble accessing the first VM. What gives! Well, I ran into a MAC address duplication issue.

To avoid this, first configure your Hosts and VM’s to use Logical Switches. Once configured, set all of your VM’s to the static MAC address of ‘00:00:00:00:00:00’ using the SCVMM console. Once you hit ‘Apply’ and ‘OK’ to close the properties window, SCVMM will give the VM a new MAC address from the MAC address pool. No more duplicates!

For the Logical Switch configuration, see my post ‘SCVMM 2012 R2 – Logical Switches‘.
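An added check (not from the original post) for the duplication problem described above: it pulls every VM network adapter from a list of Hyper-V hosts and reports any MAC address that appears more than once, so a stale copy left on the original host shows up before it causes trouble. The host names are assumptions; it uses the Hyper-V PowerShell module rather than SCVMM.

```powershell
# Added example, not part of the original post. Hosts are assumed names.
$Hosts = 'hv-host-01', 'hv-host-02'

function Find-DuplicateVmMac {
    param([string[]]$ComputerName)

    # Collect every adapter on every host, remembering where it lives
    $adapters = foreach ($h in $ComputerName) {
        Get-VMNetworkAdapter -ComputerName $h -VMName * | ForEach-Object {
            [pscustomobject]@{
                Host       = $h
                VMName     = $_.VMName
                Adapter    = $_.Name
                MacAddress = $_.MacAddress                 # Hyper-V reports it without separators
                Dynamic    = $_.DynamicMacAddressEnabled
            }
        }
    }

    # All-zero means "not yet assigned" (the value the post sets to force a new pool address), so ignore it
    $adapters |
        Where-Object { $_.MacAddress -and $_.MacAddress -ne '000000000000' } |
        Group-Object MacAddress |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                MacAddress = $_.Name
                Count      = $_.Count
                Owners     = ($_.Group | ForEach-Object { "$($_.Host)\$($_.VMName) ($($_.Adapter))" }) -join ', '
            }
        }
}

Find-DuplicateVmMac -ComputerName $Hosts | Format-Table -AutoSize
```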

SCVMM 2012 R2 – Logical Switches

OK, logical switches are pretty sweet. Like a lot of things, it took me a little while to wrap my head around the concepts and terminology. The SCVMM concept of a logical switch is very similar to VMWare’s Distributed Virtual Switch. It’s all about finding novel ways to map your networking hardware to virtual abstractions, to hopefully make things easier to manage.

This post will cover one of the most basic configurations. Creating a simple logical network which will connect to both your hosts and VM’s.

Step One – Logical Network

This is where you tell SCVMM how you want to present the physical network to the virtual machine hosts.

  1. Open SCVMM Console -> Fabric -> Networking -> Logical Networks.
  2. Create a ‘Logical Network’.
  3. You’ll see three options. Choose ‘One Connected Network’ and check both boxes, then click ‘Next’.
  4. On the ‘Network Sites’ page, click ‘Add’.
  5. Check the box next to ‘All Hosts’.
  6. Under the section ‘Associated VLANs and IP subnets’, click ‘Insert Row’.
  7. Change the new row’s VLAN to “0” and make the IP Subnet blank, then click ‘Next’.
  8. On the summary page, click ‘Finish’.

By choosing ‘One Connected Network’, we instruct SCVMM that the sites specified in the ‘Network Sites’ page are all part of the same routable network. This is the simplest way to start.

By adding the new associated VLAN “0” with no subnet, we instruct this logical switch to transmit to and from any IP subnet on the default untagged VLAN.

Step Two – Uplink Profile

When we create a logical switch, we need to define physical ports on the VM hosts that will be designated as ‘uplinks’ to this logical switch. To do this, we need to create a ‘Port Profile’ that describes the uplinks.

  1. Open SCVMM Console -> Fabric -> Networking -> Port Profiles
  2. Create a Hyper-V Port Profile.
  3. On the ‘General’ tab, choose ‘Uplink Port Profile’ and click ‘Next’.
  4. On the ‘Network Configuration’ tab, click the checkbox next to your logical network, then click ‘Next’.
  5. On the ‘Summary’ tab, click ‘Finish’.

Notice that you can change the load balancing algorithm on the ‘General’ tab. Lots of fun stuff available there.

Step Three – Logical Switch

Now, we can create the logical switch!

  1. Open SCVMM Console -> Fabric -> Networking -> Logical Switches
  2. Create a logical switch.
  3. On the ‘Uplink’ page, add your uplink profile.
  4. On the ‘Virtual Ports’ page, add the ‘Host Management’ and ‘High Bandwidth’ profiles.

It’s worth looking into the virtual port profiles. You can do some cool stuff like manage the security settings and QoS.

Step Four – Assign the Logical Switch to Hosts

This can get tricky, and you can end up disconnecting your host from the network. I recommend that you shut down all VM’s on the host, and try this on a host where you have physical access in case things don’t work out quite right.

  1. Open SCVMM Console -> VMs and Services -> All Hosts.
  2. Right-click your host and choose ‘Properties’.
  3. Click the ‘Virtual Switches’ page.
  4. Delete the current standard switch, but don’t click ‘Apply’ yet or the host will become unreachable.
  5. Add your new logical switch, but don’t click ‘Apply’ yet or the host will become unreachable.
  6. Click the new logical switch, and then click ‘New virtual network adapter’ with the following settings, then click ‘Apply’.
    name: mgmt
    port classification: Host Management
  7. Wait a few minutes, then right-click the host and choose ‘Refresh’.

Step Five – Assign the Logical Switch to your VM’s

Alright! Now we can finally use the new-fangled virtual switch.

  1. Right-click a VM on the host and choose ‘Properties’ -> ‘Hardware Configuration’ -> ‘Network Adapter’.
  2. Connect your VM’s Network Adapter to the ‘VM Network’ that matches the ‘Logical Network’ name created in Step 1.
  3. Connect your VM to the ‘Logical Switch’ and assign it a port classification (probably ‘High Bandwidth’).

And congrats! You’ve made it through configuring a SCVMM Logical Switch.

SCVMM 2012 R2 – Initial Overview and Install

I recently got started with SCVMM.

Overview

  1. Spin up a VM. Give it 4GB RAM.
  2. Install SQL 2012 /w SP1.
  3. Create an account: service-scvmm. Grant this account local admin access.
  4. Install Windows ADK and PE.
  5. Configure AD container for distributed key management.
  6. Run setup.
  7. Create the library share via the setup wizard.
  8. Discover the hosts.

Advanced topics for later posts:

  • VM Templates
  • Logical Switches
  • MAC Address Pools
  • Virtual Machine Migration via Kerberos.

What you get ‘Out of the Box’

I wasn’t impressed with SCVMM right away. It seems like just Hyper-V Manager, but with less capability. For example, I can’t seem to change the BIOS boot order inside SCVMM.

Eventually, I found some benefits:

  • Host performance statistics. Easy to access daily and monthly averages.
  • Integration with other System Center products like Orchestrator and Service Manager. You can do some really advanced and nifty stuff.
  • Virtual machine library and templates make it easy to deploy new machines.
  • Logical switches make it easy to change networking options across many hosts.
  • MAC Address pools ensure that if you migrate a machine, the original host won’t re-use the migrated machine’s mac address. Otherwise, this can cause some serious network weirdness.

Things You’ll Need

Notes on the install process:

Configuring the AD container for distributed key management isn’t tricky, just unexpected. Here’s a good link:

Process:

  1. Open ADSIEdit.
  2. Right-click the domain root -> new -> container. Name it “VMMDKM”.
  3. Grant the account installing SCVMM full control on the new container. Must also propagate to sub-containers.
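The same three ADSIEdit steps in PowerShell, as an added example that is not from the original post: it creates the VMMDKM container at the domain root and grants the installing account Full Control on that container only, inherited by sub-containers, so the account never needs rights anywhere else in the directory. The account name is assumed to be the service-scvmm account from the overview.

```powershell
# Added example, not part of the original post. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$ContainerName  = 'VMMDKM'
$InstallAccount = 'service-scvmm'     # assumed: the account that will run SCVMM setup

$domainDn    = (Get-ADDomain).DistinguishedName
$containerDn = "CN=$ContainerName,$domainDn"

# Step 2: create the container at the domain root (skip if a previous run already made it)
$existing = Get-ADObject -LDAPFilter "(&(objectClass=container)(cn=$ContainerName))" `
                         -SearchBase $domainDn -SearchScope OneLevel
if (-not $existing) {
    New-ADObject -Name $ContainerName -Type 'container' -Path $domainDn
}

# Step 3: Full Control (GenericAll) for the installer, applied to this object and all descendants
$sid         = (Get-ADUser -Identity $InstallAccount).SID
$rights      = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$inheritance = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $rights, $allow, $inheritance

$acl = Get-Acl -Path "AD:\$containerDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$containerDn" -AclObject $acl

# Read the ACL back so the grant (and its inheritance) can be verified before running setup
(Get-Acl -Path "AD:\$containerDn").Access |
    Where-Object { $_.IdentityReference -like "*\$InstallAccount" } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, AccessControlType
```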

Intel vPro – Configuration – Part 10 – SCCM Integration

vPro Series of Posts


Now that we have a standalone vPro reference installation, let’s integrate it into SCCM!

Here, I’m going to turn things over to Brian Muller. His blog post on SCCM 2012 integration is excellent.

Integrating SCCM 2012 with SCS 8.1

Here is the general overview. Consider it a preview of what you’re in for (stolen from his post).

  1. Adding the Out of Band Role Management Role to your SCCM server
  2. Extending the Hardware Inventory for SCCM 2012
  3. Modifying the SCS profile for SCCM 2012
  4. Creating the collections required for the discovery and configuration of your clients
  5. Creating the Discovery and Configurations packages
  6. Creating the Task Sequences required for the discovery and configuration of your clients
  7. Creating the Deployments (SCCM 2007 – Advertisements)
  8. Creating the Status Filter rules to automatically update the Intel collections
  9. Queries to help you troubleshoot

Next up, some custom PowerShell scripting to make things a bit easier.

Intel vPro – Configuration – Part 9 – Adding TLS

TLS: The Final Frontier. Here’s how it goes!

Overview

  1. Configuring a SCS Profile for TLS
  2. Reconfigure the AMT Device
  3. Try it out!
  4. Troubleshooting Options

Configuring a SCS Profile for TLS

  1. Open SCS Console and choose the ‘Profiles’ button on the top-left of the screen, then click ‘New Profile’.
  2. On the ‘Getting Started’ screen, enter ‘rconfig-dhcp-kerb-tls’ for the name, and then click ‘Next’.
  3. On the ‘Optional Settings’ screen, select the following check boxes, and click ‘Next’.
    • Active Directory Integration
    • Access Control List (ACL)
    • Transport Layer Security (TLS)
  4. On the ‘AD Integration’ screen, click ‘…’ and select the OU where AMT objects will be stored. The SCS server must have full permissions on this OU. When finished, click ‘Next’.
  5. On the ‘Access Control List’ screen, click ‘Add’, and add an Active Directory user or group account.
  6. On the ‘User/Group Details’ screen, switch the ‘Access Type’ to ‘Both’, and check all checkboxes except ‘Access Monitor’. Then, click OK to save.
  7. On the ‘Transport Layer Security’ screen, choose your vPro SHA1 CA from the CA drop-down box, then choose the certificate template named “AMTTLSCertificates”, then click ‘Next’.
  8. On the ‘System Settings’ screen, enter the MEBx password that you want to use for the target AMT system. It needs to match whatever you manually set the MEBx password to on the target system. We will go over manually setting the MEBx password in later posts. For now, choose a password.
  9. Still on the ‘System Settings’ screen, enter the same password in the box labeled ‘Use the following password for all systems:’.
  10. Click the ‘set’ button next to the label ‘Edit IP and settings’.
  11. On the ‘Network Settings’ screen, choose ‘Use the following as the FQDN’ and select ‘Primary DNS FQDN’ from the drop-down box.
  12. Under the IP frame, choose ‘Get the IP from the DHCP server’.
  13. Under the ‘DNS’ frame, choose ‘Update the DNS directly’.
  14. On the ‘Finish’ screen, click ‘Finish’.

Reconfigure the AMT Device

The process for this is the same as the process in the previous blog post.

  1. Login to the target AMT system.
  2. Open a command prompt and navigate to C:\Temp\vPro.
  3. Run the following command:
    acuconfig.exe /output console ConfigViaRCSOnly <SCS-Server-FQDN> <ProfileName>

You should see no errors.

Try it out!

First, try the WebUI in IE at https://amt-system.yourdomain.com:16993. Note that the protocol is ‘https’ and the port number is 16993. Next, try VNC+. Choose ‘TLS’ from the drop-down box labeled ‘Encryption’. Lastly, try Manageability Commander.
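Before trusting the browser's padlock, it is worth confirming what the AMT device actually serves on 16993. The following added script (not from the original post) opens a TLS session to the device, reports the negotiated protocol and cipher, and checks that the certificate's DNS name matches the device, that its issuer is the vPro CA chosen in the profile, and that the chain validates on this workstation. The host name and CA subject are assumptions.

```powershell
# Added example, not part of the original post. Host and issuer are assumed values.
$AmtHost        = 'amt-system.yourdomain.com'
$ExpectedIssuer = 'CN=vPro-CA'       # assumed: subject of the vPro CA selected on the TLS screen
$Port           = 16993

function Test-AmtTlsEndpoint {
    param([string]$HostName, [int]$Port, [string]$ExpectedIssuer)

    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($HostName, $Port)
    try {
        # The callback accepts whatever is presented so the certificate can be inspected;
        # the real pass/fail decision is made explicitly below, never by this callback.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { param($s, $c, $ch, $e) $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Validate the chain against this workstation's trust store (the vPro CA root must be installed)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk = $chain.Build($cert)

        # DnsName pulls the SAN entry if present, otherwise the subject CN
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

        [pscustomobject]@{
            Host               = $HostName
            Protocol           = $ssl.SslProtocol
            Cipher             = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Subject            = $cert.Subject
            Issuer             = $cert.Issuer
            NotAfter           = $cert.NotAfter
            SubjectMatchesHost = ($dnsName -ieq $HostName)
            IssuerMatches      = ($cert.Issuer -eq $ExpectedIssuer)
            ChainValid         = $chainOk
            ChainStatus        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

Test-AmtTlsEndpoint -HostName $AmtHost -Port $Port -ExpectedIssuer $ExpectedIssuer | Format-List
```

If ChainValid is false, ChainStatus names the reason (for example UntrustedRoot), which is the same condition that will make IE, VNC+ or Manageability Commander refuse the connection.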

Troubleshooting Options

  1. If provisioning fails, you can try adding the /verbose switch to acuconfig. This might give you more information.
  2. For Manageability Commander, you can choose ‘help’ -> ‘show debug info’. This can be very useful.
  3. For any applications using the Intel DLLs, you can enable debug mode like in the last blog post’s troubleshooting section.

And there you have it! vPro with Kerberos and TLS. The next blog post will focus on polishing everything a bit and adding some automation.

Intel vPro – Configuration – Part 8 – Adding Kerberos

Now that you have provisioning down with Digest users, let’s add that unique Kerberos twist. Before you begin, I highly recommend watching the following video. It’s difficult. It’s technical. It’s also incredibly helpful to understand the underpinnings of Kerberos.

Brian Desmond: Kerberos Uncovered

Overview

  1. Configure SCS Profile for Kerberos
  2. Configure Admin Workstation IE and Network Settings
    1. IE Options
        1. Windows Integrated Authentication
        2. AMT Device to Local Intranet
        3. Automatic Logon security settings enabled
        4. Protected mode disabled for Local Intranet
        5. TLS 1.1 enabled
    2. OS Options
      1. Kerberos CNAME registry key imported
      2. Kerberos Port Number registry key imported
  3. Pre-flight checklist
    1. AMT Device AD Object Exists
    2. AMT Device SPN’s registered and correct
    3. No duplicate SPN’s
  4. Re-Configuring the AMT Device
  5. Try it out!
  6. Troubleshooting

Configure SCS Profile for Kerberos

  1. Open SCS Console and choose the ‘Profiles’ button on the top-left of the screen, then click ‘New Profile’.
  2. On the ‘Getting Started’ screen, enter ‘rconfig-dhcp-kerb’ for the name, and then click ‘Next’.
  3. On the ‘Optional Settings’ screen, select the following check boxes, and click ‘Next’.
    • Active Directory Integration
    • Access Control List (ACL)
  4. On the ‘AD Integration’ screen, click ‘…’ and select the OU where AMT objects will be stored. The SCS server must have full permissions on this OU. When finished, click ‘Next’.
  5. On the ‘Access Control List’ screen, click ‘Add’, and add an Active Directory user or group account.
  6. On the ‘User/Group Details’ screen, switch the ‘Access Type’ to ‘Both’, and check all checkboxes except ‘Access Monitor’. Then, click OK to save.
  7. On the ‘System Settings’ screen, enter the MEBx password that you want to use for the target AMT system. It needs to match whatever you manually set the MEBx password to on the target system. We will go over manually setting the MEBx password in later posts. For now, choose a password.
  8. Still on the ‘System Settings’ screen, enter the same password in the box labeled ‘Use the following password for all systems:’.
  9. Click the ‘set’ button next to the label ‘Edit IP and settings’.
  10. On the ‘Network Settings’ screen, choose ‘Use the following as the FQDN’ and select ‘Primary DNS FQDN’ from the drop-down box.
  11. Under the IP frame, choose ‘Get the IP from the DHCP server’.
  12. Under the ‘DNS’ frame, choose ‘Update the DNS directly’.
  13. On the ‘Finish’ screen, click ‘Finish’.

Configure Admin Workstation IE and Network Settings

Out of the box, Windows and IE don’t like to play well with some particular aspects of the Intel AMT Kerberos implementation. The following will make everything work. All of this must be done on the administrator’s workstation — the computer which will be used to connect to the AMT device. None of these steps need to be completed on the target AMT system itself.

Internet Explorer Options

We will perform the following steps below:

  • Enable Windows Integrated Authentication
  • Add AMT Device to the Local Intranet zone
  • Enable Automatic Logon security settings
  • Disable protected mode for the Local Intranet zone
  • Enable TLS 1.1

Procedure for Updating Internet Explorer Options

  1. Login to your workstation as the user that you would like to use to connect to the AMT system.
  2. Open Internet Explorer.
  3. Click the gear icon in the top-right, then choose ‘Internet Options’
  4. Select the ‘Advanced’ tab.
  5. Scroll down to the ‘Security’ section.
  6. Make sure that the following boxes are checked:
    1. Windows Integrated Authentication
    2. TLS 1.0
    3. TLS 1.1
    4. TLS 1.2
  7. Select the ‘Security’ tab.
  8. Click the ‘Local Intranet’ zone.
  9. Click Sites -> Advanced
  10. Add the FQDN of the target device, prefixed with http://. Example: “http://user-pc-01.mydomain.com”. Then, click ‘Add’.
  11. Click ‘OK’ until you are back to the ‘Internet Options’ screen.
  12. Click the ‘Custom Level…’ button.
  13. Scroll down to the section ‘User Authentication’.
  14. Ensure that the radio button named ‘Automatic logon with current user name and password’ is selected, then click ‘OK’.
  15. Back at the ‘Internet Options’ screen, make sure that the check box named ‘Enabled Protected Mode’ is not checked.

Operating System Options

The Windows operating system needs to be tweaked to allow Kerberos tickets for HTTP or HTTPS on a non-standard port. It also needs to be tweaked to allow Kerberos tickets for CNAMEs. Even though the references below are targeted at XP and Windows Server 2003, they still apply to all current Windows and IE versions (including Windows 8 and Windows Server 2012).

References:

Procedure

Add the following registry entries:

Entry #1
Type: DWORD
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149\iexplore.exe
Value: 1

Entry #2
Type: DWORD
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149\iexplore.exe
Value: 1

Entry #3
Type: DWORD
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209\iexplore.exe
Value: 1

Entry #4
Type: DWORD
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209\iexplore.exe
Value: 1

Pre-flight Checklist

Next, let’s make sure that we don’t have any outstanding AD or SPN issues that will prevent Kerberos from working.

Confirm that AMT Device AD Object Exists

Open active directory and navigate to the OU that you specified for AMT devices in the SCS profile. Is your computer object there? If so, you’re set. If not, then it wasn’t created in our previous provisioning. This might be ok, but it’s probably better to go back a few blog posts and try everything again.

Confirm that the AMT Device SPN’s Registered and Correct

  1. Open Active Directory.
  2. Select ‘View’ from the top menu, then choose to enable ‘Advanced Features’.
  3. Browse to the OU which contains the AMT objects, as specified in your SCS profile.
  4. Right-click the AMT device which will be tested and choose ‘Properties’.
  5. Click the ‘Attribute Editor’ tab.
  6. Scroll down to the field named ‘ServicePrincipalNames’, and double-click it.
  7. Verify that the following SPN’s are registered:
    1. HTTP://fqdn:16992
    2. HTTP://fqdn:16993
    3. HTTP://fqdn:16994
    4. HTTP://fqdn:16995
    5. HTTP://fqdn:623
    6. HTTP://fqdn:664

If you do not see the SPN’s registered, I suggest deleting the AMT object and re-provisioning it.

No duplicate SPN’s

Open a command prompt as administrator and type the following command. It should return zero duplicate SPN’s.

setspn -x

If it shows duplicate SPN’s, it will be necessary to remove the duplicates with this command:

setspn -D <SPN> <Account>

I highly recommend that you google around and read up on the concept of SPN’s and duplicate SPN’s before doing this.
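An added pre-flight script (not from the original post) that covers both the registry entries from the Operating System Options section and the SPN checks above: it writes the four IE FeatureControl values on the admin workstation and reads them back, then confirms the AMT computer object carries an SPN for each of the six ports and that no other AD object holds the same SPN. The AMT object name and FQDN are assumptions. Note that the value name under each FEATURE_* key is the process name, iexplore.exe, and that SPNs are written in the serviceclass/host:port form that setspn and AD use.

```powershell
# Added example, not part of the original post. AMT names below are assumed.
$AmtComputer = 'user-pc-01'                  # sAMAccountName of the AMT object (without the trailing $)
$AmtFqdn     = 'user-pc-01.mydomain.com'
$AmtPorts    = 16992, 16993, 16994, 16995, 623, 664

# --- 1. IE FeatureControl entries on this workstation (both 64-bit and WOW6432Node views) ---
$features = 'FEATURE_USE_CNAME_FOR_SPN_KB911149', 'FEATURE_INCLUDE_PORT_IN_SPN_KB908209'
$roots    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl'

foreach ($root in $roots) {
    foreach ($f in $features) {
        $key = Join-Path $root $f
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Value name is the executable that gets the behaviour change; DWORD 1 turns it on
        New-ItemProperty -Path $key -Name 'iexplore.exe' -PropertyType DWord -Value 1 -Force | Out-Null
        $v = (Get-ItemProperty -Path $key -Name 'iexplore.exe').'iexplore.exe'
        '{0,-4} {1}\{2} iexplore.exe = {3}' -f $(if ($v -eq 1) { 'OK' } else { 'FAIL' }), $root, $f, $v
    }
}

# --- 2. SPNs on the AMT object and duplicate detection across the directory ---
Import-Module ActiveDirectory
$expected   = $AmtPorts | ForEach-Object { "HTTP/${AmtFqdn}:$_" }
$obj        = Get-ADComputer -Identity $AmtComputer -Properties servicePrincipalName
$registered = @($obj.servicePrincipalName)

foreach ($spn in $expected) {
    # Any second object holding the same SPN makes the KDC's choice of account unpredictable,
    # which shows up as the digest-password prompt the post describes
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    $others = @($owners | Where-Object { $_.DistinguishedName -ne $obj.DistinguishedName })
    [pscustomobject]@{
        SPN        = $spn
        Registered = ($registered -contains $spn)
        Duplicate  = ($others.Count -gt 0)
        OtherOwner = ($others | ForEach-Object { $_.DistinguishedName }) -join '; '
    }
}
```

Run the registry part elevated on the admin workstation and the AD part from anywhere the RSAT module is installed; a row with Registered false or Duplicate true is the thing to fix before re-running acuconfig.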

Re-Configuring the AMT Device

Woohoo! Again, the actual meat of the process.

  1. Login to the target AMT system.
  2. Open a command prompt and navigate to C:\Temp\vPro.
  3. Run the following command:
    acuconfig.exe /output console ConfigViaRCSOnly <SCS-Server-FQDN> <ProfileName>

You should see no errors.

Try it out!

First, try to open the WebUI at http://fqdn:16992. Use Internet Explorer, and make sure that you are logged in as a user which was given access in the SCS profile, and also has the Internet Explorer options configured properly (outlined above). Also, make sure that the target FQDN is in the ‘Intranet Zone’ in the IE options.

The WebUI should log in correctly. If you get a pop-up window asking for a username and password, then Kerberos has failed and the web page is attempting to use digest authentication.

You can also now use RealVNC+. Make sure to go into the options -> connections tab and check the box labeled ‘Use Single Sign-on’.

Also, you can use Manageability Commander. One issue with Manageability Commander is that it doesn’t support Kerberos SOL connections out of the box. To make Kerberos SOL connections work, it’s necessary to run the program with the following command-line switch: “-alttsp:0”.

Troubleshooting

Troubleshooting is actually pretty difficult, but there are three main things to try.

First, go back over all of the blog posts and double-check everything. This is a pain, and it seems like it won’t solve the problem, but it often does. I once misspelled the registry entry for the Kerberos port number workaround, and spent hours checking every other aspect of the configuration.

Second, if your problem is with Manageability Commander or Intel Platform Solutions Manager, you can configure Intel’s DLL files to dump a log. To do this, navigate to the application folder in Windows Explorer. Look for a file named ‘imrsdk.dll’ or ‘imrsdk_x64.dll’. Add a new file named ‘imrsdk.ini’ with the following code.

[COMMON]
Debug_Level=2

Make sure to restart your application. The Intel DLL will then drop a new file named log.txt into its folder, and may offer some good information.

Third, you can try the Wireshark approach. Install Wireshark on a computer with two network cards, and place it between your AMT device and its network connection. Then, bridge the connections on the Wireshark computer. You can use this computer to collect all TCP packets between the AMT device, the domain controllers, and the SCS service. This might tell you if you have network-level problems. It may also be necessary to insert the Wireshark computer between your workstation and your workstation’s wired connection in order to see if the requested SPN is correct.

The next post will cover adding TLS to the mix!