Friday, June 10, 2016

pfSense on XenServer 6.5



pfSense has a few issues with XenServer. First, the NIC offloading on FreeBSD is not compatible with the virtual NICs on XenServer, which causes very slow throughput on the virtual NICs. Second, pfSense doesn't see the xn NICs as supporting VLANs even though they do. And last, XenServer Tools needs to be installed.



So first, disable the offloading on the NICs.

1. First find the UUIDs of the virtual interfaces (VIFs) for the VM running pfSense; type the following in the XenServer console:

xe vm-vif-list uuid=VMUUID

2. Then, for each of those VIF UUIDs, run:

xe vif-param-set uuid=VIFUUID other-config:ethtool-tx="off"
xe vif-param-set uuid=VIFUUID other-config:ethtool-rx="off"
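The two steps above can be scripted so that every VIF of the VM is handled and each setting is read back afterwards. This is an added example, not from the original post; it assumes it runs as root on the XenServer host, that the VM UUID is passed as the argument, and (a caveat worth knowing) that the new ethtool settings only take effect the next time each VIF is plugged, e.g. on a VM reboot.

```shell
#!/bin/sh
# Added example (not part of the original post): disable TX/RX checksum
# offload on every VIF of the pfSense VM, then read each setting back.
# Run on the XenServer host: ./fix_vif_offload.sh <VM-UUID>
set -eu

# Print the UUIDs of all VIFs attached to the given VM, one per line
# (--minimal returns them comma-separated on a single line).
list_vifs() {
    xe vif-list vm-uuid="$1" params=uuid --minimal | tr ',' '\n'
}

# Set the two ethtool flags from the post on one VIF.
disable_offload() {
    xe vif-param-set uuid="$1" other-config:ethtool-tx="off"
    xe vif-param-set uuid="$1" other-config:ethtool-rx="off"
}

# Succeed only if both flags read back as "off" on the VIF.
offload_disabled() {
    tx=$(xe vif-param-get uuid="$1" param-name=other-config param-key=ethtool-tx)
    rx=$(xe vif-param-get uuid="$1" param-name=other-config param-key=ethtool-rx)
    [ "$tx" = "off" ] && [ "$rx" = "off" ]
}

# Apply the change to every VIF of the VM and print how many were updated.
# The settings are applied when each VIF is next plugged (VM reboot).
fix_vm_vifs() {
    n=0
    for vif in $(list_vifs "$1"); do
        disable_offload "$vif"
        offload_disabled "$vif" || {
            echo "offload still enabled on VIF $vif" >&2
            return 1
        }
        n=$((n + 1))
    done
    echo "$n"
}

if [ "${1:-}" != "" ]; then
    fix_vm_vifs "$1"
fi
```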



Next you must trick pfSense into allowing VLANs on the xn NICs (source: http://think-brick.blogspot.com/2016/02/pfsense-on-xenserver-enable-vlan.html).
This needs to be done in the pfSense web interface.

1. Go to Diagnostics -> Edit File

2. Load file /etc/inc/interfaces.inc

3. Add the "// hack for XenServer" block to the file after the "// hack for some lagg modes" block and before the "return false;":

    // hack for some lagg modes missing vlanmtu, but work fine w/VLANs
    if (substr($iface, 0, 4) == "lagg")
        return true;

    // hack for XenServer xn interfaces
    if (substr($iface, 0, 2) == "xn")
        return true;

    return false;




Last, install XenServer Tools from the pfSense shell:

1. 
pkg install xe-guest-utilities

2.
echo "xenguest_enable=\"YES\"" >> /etc/rc.conf.local
ln -s /usr/local/etc/rc.d/xenguest /usr/local/etc/rc.d/xenguest.sh

3.
service xenguest start



That's it!  You're done...  BUT WARNING!!! If you upgrade to a newer version that overwrites interfaces.inc, pfSense may not boot.  At this point I plan on backing up my config and taking a snapshot each time I test an upgrade.  If the upgrade breaks things then I'll install from scratch, run the above fixes, then restore my config.  Not fun, no... But until they start better supporting XenServer we don't have much of an option.


References:

Disable nic offloading
https://forum.pfsense.org/index.php?topic=85797.0

Enable vlans
http://think-brick.blogspot.com/2016/02/pfsense-on-xenserver-enable-vlan.html

Install XenServer tools
https://blog.feld.me/posts/2014/07/pfsense-on-citrix-xenserver/



Monday, March 21, 2016

Install issues with XenServer 6.5 on a HP DL380 G5 or Cisco MCS7800

After having to install XenServer 6.5 on a Cisco MCS7800, which is just a re-branded HP DL380 G5, I wanted to list the post-install steps that must be taken.

1.  For some reason a local storage area is never created during install, so step one is to create it:
xe sr-create content-type=user type=ext device-config:device=/dev/cciss/c0d0p3 shared=false name-label="Local storage"

2.  Make it the default by right-clicking on "Local storage" and choosing default in the XenServer manager GUI.

3.  And finally, because the local storage was never created, an import template was never generated either:
cd /opt/xensource/packages/files/transfer-vm
./install-transfer-vm.sh
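The three steps can be run from the host CLI, with the default-storage step done through xe instead of the GUI and a guard so the SR is not created twice. This is an added example, not from the original post; it assumes the same device path and SR name as above, a single-host pool, and that it runs as root on the XenServer host.

```shell
#!/bin/sh
# Added example (not part of the original post): create the missing local SR
# once, make it the pool default from the CLI, then install the transfer VM.
# Assumes it runs as root on the XenServer 6.5 host: ./fix_local_sr.sh run
set -eu

SR_NAME="Local storage"
SR_DEVICE="/dev/cciss/c0d0p3"          # third partition on the cciss RAID volume
TRANSFER_VM_DIR="/opt/xensource/packages/files/transfer-vm"

# Print the UUID of the SR named $SR_NAME, creating it only if it is missing
# (sr-create with type=ext formats the device, so never run it twice).
ensure_local_sr() {
    sr=$(xe sr-list name-label="$SR_NAME" params=uuid --minimal)
    if [ -z "$sr" ]; then
        sr=$(xe sr-create content-type=user type=ext shared=false \
                name-label="$SR_NAME" device-config:device="$SR_DEVICE")
    fi
    printf '%s\n' "$sr"
}

# CLI equivalent of the GUI "make default" step: point the pool's
# default-SR at the given SR UUID and print the value read back.
set_default_sr() {
    pool=$(xe pool-list params=uuid --minimal)
    xe pool-param-set uuid="$pool" default-SR="$1"
    xe pool-param-get uuid="$pool" param-name=default-SR
}

# Regenerate the import template (transfer VM) now that local storage exists.
install_transfer_vm() {
    cd "$TRANSFER_VM_DIR" && ./install-transfer-vm.sh
}

if [ "${1:-}" = "run" ]; then
    sr=$(ensure_local_sr)
    [ "$(set_default_sr "$sr")" = "$sr" ] || { echo "default-SR not set" >&2; exit 1; }
    install_transfer_vm
fi
```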

That should fix the issues of not having local storage, not having default storage, and not having an import template.  If I come across other tweaks that are needed with this system I'll add them to the list.

http://discussions.citrix.com/topic/362083-populating-local-storage-on-xenserver-65/page-3

Tuesday, April 7, 2015

Soti MobiControl Dynamic Template

Well, I just created my first ever GitHub project.  It's a template for use with Soti's MobiControl.  If you have ever used MobiControl then you know that the lock screen design/templates are VERY limited.  You basically have to hand-write HTML and use their tags (ex. ) in the HTML to insert each and every entry in the lockdown policy.  This is very cumbersome for anyone, let alone those who are not really good with HTML.

Once you have finally created a good working template, you had better hope that you never need to add or delete an item from the lockdown policy.  If you do, you're going to have to go into the HTML and manually add/remove the references to the correct lockdown tag, and you had better hope that it doesn't screw up your layout.  Or worse, you decide to use a different device with a different screen size!  You may as well start over....

With that in mind I created a template that uses CSS and JavaScript to automatically adjust for the screen size, number of lockdown entries, and the header and footer text/image.  It also automatically uses the exe icon if you don't manually set an image for your entry (yeah you had to specify that in the HTML manually).  This new template will make it really easy to add and delete entries in the lockdown policy without ever having to touch the HTML.  Oh and did I mention it handles device rotation!?  Yep... That too.

If you're using MobiControl and want to check it out, or are just interested in device orientation through CSS or any of the other tweaks I used, check it out at https://github.com/mobilebob/Soti_Dynamic_Template

Description:
A Soti MobiControl template that's dynamic. A mobile phone style template that changes automatically depending on how many entries you have in your lock screen. It keeps you from having to change the HTML every time you want to change the lock screen entries. It's also dynamic for screen size and changes based on device orientation. Uses CSS and JavaScript.

Wednesday, September 3, 2014

Ghetto-fi your VMware backups (VMware backups for free)

If you are using VMware on the cheap (free), then you are probably missing some great functionality.  For one, backups!  Sure you can back up your data inside the VM (and you should!), but how about bare-metal full VM backups?  If you like the idea but hate the cost, check out ghettoVCB.  It's a great script that has some limited community support.  Basically it runs several shell commands to snapshot your VM, which unlocks your main VMDK file.  Then it makes an FTP connection out and copies the entire VM (minus the snapshot, of course) to a destination of your choosing.  Then, if you ever need the backup, you can simply import the VM and you're back up and running.  Lots of great uses for this, and it's FREE!

https://communities.vmware.com/docs/DOC-8760

https://github.com/lamw/ghettoVCB

Friday, July 18, 2014

Offline Files not coming back online when reconnecting to the network

So here's the problem we had. A user has offline files on his H: drive (home drive) so that he can access them while traveling.  If the user boots up his laptop and logs in, and THEN connects via VPN or work wireless, he can't access his H: drive at all.  He can still see his offline files, but they stay offline and all other files are not accessible.  Also, if he disconnects his laptop, goes to a meeting, then comes back and docks, he is unable to get access to his H: drive until he reboots.  The only way to get the files back online and have access to the rest of his H: drive is to log in WHILE having a live network connection to the office.  After a bit of research I found the answer via mcseRob (see link below).

The short version is that the user needs read access to the folder that the share is pointed to, not just a sub-folder that his H: drive is pointing to.  Windows checks to see if the files are back online by checking the share itself!  So when it checks and doesn't have read access to the share it thinks the files are still offline.  So a quick fix is to give all users read access to the share itself.

For our situation we ONLY give read access to the share itself and not to all the sub-folders below it.  This does allow everyone to see the sub-folder names, which may reveal user names, but follow the link below for some possible fixes to that problem.

Source: http://social.technet.microsoft.com/Forums/windows/en-US/dccf79c0-af86-43e9-99c6-20a21c22c38c/offline-files-the-work-offlinework-online-button-disappears-from-windows-explorer-after-the?forum=w7itpronetworking

Tuesday, December 6, 2011

Enable Windows 7 admin shares for local accounts (c$, etc)

If you are frustrated by the lack of access to admin shares in Vista or Windows 7, here is a reg hack to re-enable those shares. This will allow local accounts (on the host machine) to access admin shares. By changing this registry setting you are DISABLING UAC remote restrictions!

Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\Windows\CurrentVersion\Policies\System
Name: LocalAccountTokenFilterPolicy
Data Type: REG_DWORD
Value: 1

Please be aware that this is a security hole if your systems are not patched (not to mention zero-day attacks). Use with discretion and without blame (me, that is).

From Microsoft:
How UAC remote restrictions work 
To better protect those users who are members of the local Administrators group, we implement UAC restrictions on the network. This mechanism helps prevent against "loopback" attacks. This mechanism also helps prevent local malicious software from running remotely with administrative rights.

Source: http://support.microsoft.com/kb/951016/
Other Source: http://en.wikipedia.org/wiki/Administrative_share

Thursday, October 13, 2011

Check to see if a VBS script has Admin rights


Came across a problem today where we were running a VBS script that was obviously designed expecting UAC to be turned off.  In looking for a way to elevate the script to Admin before running, I found some code to force the script to run as administrator without having to reghack each PC.  It took a combination of sites to get the code, but here it is.

' Admin check: only an elevated (administrator) token can read the
' HKEY_USERS\S-1-5-19 hive, so a failed read means we are not elevated.
On Error Resume Next
key = CreateObject("WScript.Shell").RegRead("HKEY_USERS\S-1-5-19\")
If Err.Number <> 0 Then
    ' Not elevated: relaunch this script with the "runas" verb (UAC prompt)
    ' and exit the current, unelevated instance. Script arguments are not
    ' forwarded by this call.
    Set objShell = CreateObject("Shell.Application")
    objShell.ShellExecute "wscript.exe", Chr(34) & _
        WScript.ScriptFullName & Chr(34), "", "runas", 1
    WScript.Quit()
End If
' Restore normal error handling so the rest of the script is not silently
' masked by Resume Next.
On Error GoTo 0


If you insert that code at the beginning of your script, it will first check to see if the script has administrative rights (either through UAC, or an XP admin account) and, if it doesn't, it will relaunch the script using runas administrator.

Warning: I haven't tested this in Windows XP.  I know that the Check part will work, but don't know about the relaunch.


Reghack to get Run As Administrator in the context menu for .VBS files:
http://www.sevenforums.com/tutorials/152967-run-administrator-add-vbs-file-context-menu.html

UAC elevation code:
http://www.winhelponline.com/articles/185/1/VBScripts-and-UAC-elevation.html

Check for Admin rights code:
http://csi-windows.com/toolkit/csi-isadmin

Edited: 9-4-15 Thanks Hh Lohmann