Inside access to external NAT IP services

The corporate office has an environment where there is a separate “guest” network for vendors, visitors, etc. that can use their own devices, to use internet services through Wi-Fi.
Due to the fact some internal services are needed such as joining internal Audio/Video conferences, and access to collaborative services, we had a requirement that access to those services be available through this semi-public network that is “external”, i.e. uses external DNS resolution, but is still “inside” the firewall boundary as shown below.

Access from GuestNet-Diag

To spell it out, we had the following infrastructure:

  • Internal services only accessible from inside the corporate network and internal devices.
  • External services accessible from outside the corporate network.
  • Guest network with external/public DNS resolution.

The requirements are as follows:

  • Internal services accessible externally if secured with boundary extending services, primarily Microsoft Direct Access, or if explicitly approved, Cisco VPN software.
  • Skype for Business availability for Guest Wi-Fi to join conferences and collaboration.
  • SharePoint services (specifically Office Online Server) for collaboration access from Guest Wi-Fi.

Cisco has a good article here: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html to make this process work, the D-NAT methodology was used, but the article can a bit confusing, so I just wanted to explain a couple things to clarify it, and show how the final NAT rules end up looking.

The following are the relevant NAT rules:

Access from GuestNet

  • For the Match Criteria:
    • Source is the Guest network.
    • Destination for the Skype for Business services is the “inside” DMZ interface, as in this case, the DMZ is sandwiched, has an internally facing network, and an externally facing network, or wherever the service resides, as some services are on the “services” network.
    • IP source is the Guest network object.
    • IP destination is the External IP of the service.
  • For the Action:
    • Source is wherever the service resides.
    • Destination is the Internal IP of the service.

I hope this helps clarify the Cisco article.

 

Broken ADFS! Service Unavailable – Error 503

Came in this morning to a lovely issue, ADFS authenticated services were completely unavailable! Office 365 archive mailboxes, hosted CRM, etc.

Upon testing the URL: /adfs/services/trust/mex a lovely “Error 503” was displayed!

Key prob 1

I changed the internal ADFS certs to use the new EKU requirements (Server and Client Authentication), verified NT SERVICE\drs and NT SERVICE\adfssrv had the correct permissions on the private keys, but still no dice for external usage.

After using my trusty bing.com, I came across this lovely Microsoft article about the KeySpec property for the Web Application Proxy server: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/ad-fs-and-keyspec-property

Checking the server’s keys using the Powershell command dir cert:/LocalMachine/My reveals the following problem:

KeySpec = 0

Ext Cert wrong

Ok, so the fix is easy right? Just export the cert to a pfx file, import it with

certutil -csp "Microsoft RSA SChannel Cryptographic Provider" -importpfx

or as the article says:

certutil –importpfx extcert.pfx AT_KEYEXCHANGE

In this case, I got a lovely -importPFX command FAILED: 0x80090029 The requested operation is not supported. error message as shown:

Key prob 3

After looking around for a while, I remembered the article I wrote back in September 2017: LS Audio/Video Authentication Server Error 19008 – Private Key not found, went through that process, and what do you know, it worked!!

Ext Cert right

The URL: /adfs/services/trust/mex now works perfectly, and all services that depend on ADFS are up!

Exchange database contains one or more mailboxes…

What do you do when you have what appears to be an empty mailbox base, but you get the dreaded: “This mailbox database contains one or more mailboxes, mailbox plans….” message?

remove-db error

The following are some commands to run:

Get-MailboxStatistics -Database DatabaseToRemove | ForEach { Update-StoreMailboxState -Database $_.Database -Identity $_.MailboxGuid -Confirm:$false }

Get-MailboxStatistics -Database DatabaseToRemove | where {$_.DisconnectReason -eq "SoftDeleted"} | foreach {Remove-StoreMailbox -Database $_.database -Identity $_.mailboxguid -MailboxState SoftDeleted}
Get-Mailbox -Database DatabaseToRemove -Archive
Get-Mailbox -Database DatabaseToRemove -PublicFolder
Get-Mailbox -Database DatabaseToRemove -Arbitration
Get-Mailbox -Database DatabaseToRemove -AuditLog

If after all those back empty you still have the issue, try to remove the database with the -Verbose parameter, as that parameter will show you what mailboxes (if any) still reside on the database.

Remove-MailboxDatabase DatabaseToRemove -Verbose

If the removal process still fails, a possibility is that the database in question is an Archive Database for a mailbox residing on a different mailbox database.

The following command helps you list mailboxes using a specific database as Archive Database:

Get-Mailbox | where {$_.ArchiveDatabase -eq DatabaseToRemove}

You can migrate just the archive mailbox to another database like so:

New-MoveRequest username -ArchiveOnly

The database can now be removed after the move is completed!

Net Neutrality, my thoughts

My take on Net Neutrality:

The old adage of free market vs government boundaries! – Let’s take a look at some different mediums, the telephone, heavily regulated, how much innovation have we seen there in the past 20 years? What about broadcast spectrum? Sure, we have HDTV now, but innovation? I worked on Microsoft Mediaroom a while back (it’s called ATT Uverse here in the States), do you know 10 years ago they had the capability of choosing what car you wanted to be in while a car race was going on, the angle of the  football field or team you wanted to see from during a game? All from your remote control! Why haven’t we seen it yet? Government regulations! – Let’s look at another medium not regulated in the slightest, the Internet! – When I got involved in it the rage was BBS technologies, a bank of modems where files/bulletin boards, etc were exchanged, then E-Mail took over and went nutso. Groupwise, Lotus Notes and Microsoft slugged it out. During that HTML went nutso, we know that story, then we have PKI, VoIP, IoT, and the plethora of other technologies, what’s the latest? Blockchain, who knows what else? Do you see a contrast?

What’s the big difference here? Free market vs heavily regulated mediums!

I’m no expert, but that’s how I see it.