Wednesday 29 March 2023

install ssl cert on manage engine ad audit plus

Purchased wildcard cert

Created internal DNS name adap.domain.com pointing to server 192.168.0.50

Convert the cert + private key + bundle to a single .pfx file with password

Most of the apps the cert was able to be installed from

admin -> general settings -> import SSL

Service Desk Plus - I had to click the 9 dots in the top left to find the "import ssl option"


For AD audit plus I needed to edit a file:

C:\Program Files\ManageEngine\ADAudit Plus\conf

Drop your .pfx file into this folder

Edit server.xml

Search for your SSL port in my case 8083

You will see a line

keystoreFile="./conf/server.keystore" keystorePass="password"

You will need to edit this 

keystoreFile="./conf/MYPFXFILE.pfx" keystorePass="MYPFXPASSWORD"

I needed to change it on two lines at the bottom of the file

Then in services on the windows server restart 

ManageEngine ADAudit Plus service





Posted by at No comments:
Labels: , ,

Tuesday 28 March 2023

openssl - how to convert a cert file + private key + bundle/chain file into one pfx file

openssl pkcs12 -export -in wildcard-cert.crt -inkey private.key -certfile sf_bundle-g2-g1.crt -out cert-chain-pkey-bundle.pfx

Posted by at No comments:
Labels:

Thursday 16 March 2023

Blocking top level domains

Blocking top level domains can be tricky

Geographic considerations: If your organization does not do business with certain countries or regions, it may make sense to block TLDs associated with those locations. For example, if you have no business interests in China or Russia, blocking .cn and .ru TLDs could help reduce the risk of cyberattacks from those regions. Malware comes from every country so best to conduct an exercise on what regions you do business with. There are some exceptions

.ms (used by microsoft)

.co (columbia but can block .co.uk and .com if your rule is not specific)  used by companies that can't get a .com iptel.co, adobe.co

.in (india but used by companies like logme.in, linked.in)

 .lt .jp .gr .es .pl (used by tech companies)

Business considerations: If your organization relies heavily on certain TLDs for business operations or communication with clients, it would be prudent to allow those TLDs. For example, if you frequently communicate with clients using email addresses that end in .com, it would be counterproductive to block that TLD.


Security considerations: Some TLDs are associated with higher levels of risk than others. For example, TLDs such as .cc .xyz, .top, and .loan have been associated with high levels of spam and malicious activity, so it may be wise to block those TLDs.


Brand considerations: Some TLDs are associated with well-known brands, and blocking those TLDs could inadvertently block legitimate traffic. For example, blocking .co could also block legitimate traffic to sites such as adobe.co, bbc.co, and others.


Ultimately, the decision to block or allow specific TLDs should be based on a risk assessment specific to your organization, taking into account factors such as geographic location, business needs, security risks, and brand considerations.


Do an assessment, block TLDs, review what is blocked and allow specific / needed domains.

Posted by at No comments:

Monday 13 March 2023

install cert on IIS web server

 For IIS I needed the .pfx file which is a bundle of certs and private key in one file with a password attached.


I used the digit cert tool.

Downloaded cert files from CA vendor

Imported files into digi cert tool

Ran test key 

Exported as .pfx including the private key

Moved .pfx file to the IIS server

Double click to import

enter password

Mark as exportable in case we need to export in the future


Open IIS

Expand sites

Default Web site

On the right -> Edit site -> Bindings

Add

https 

Fill in hostname: sub.domain.com

In bottom section select the cert, we should see the cert that has been imported.

You may need to restart IIS

Posted by at No comments:
Labels:

Friday 10 March 2023

meraki routing

Meraki when you add an address to the HQ VPN encryption domain it forces all remote sites to route that traffic to HQ

if you only wanted to do it, for one site you can use static routing on the remote side

I was using the uplink IP address in HQ as the next hop but that is incorrect


routing
1 HQ route
manual 
mx ip = 192.168.128.1/24
upilink any
group non
vpn mode enabled
Posted by at No comments:
Labels:

Friday 3 March 2023

install wildcard cert on palo alto firewall

Global protect portal and gateway should be setup

Get customer to get DNS record created eg globalprotect.domain.com

Point the record at the global portect portal IP (Network -> Global Protect -> Portals)

Download the wildcard cert and root/chain cert from the cert vendor (.crt format). The windows .p7b format is no good. The chain bundle cert usually publicly available. The wildcard will need to be downloaded via a login may need to get it from the customer.


Install wildcard cert on palo alto firewall

Global protect portal and gateway should be setup
Get customer to get DNS record created eg globalprotect.domain.com
Point the record at the global portect portal IP (Network -> Global Protect -> Portals)
Download the wildcard cert and root/chain cert from the cert vendor (.crt format). The windows .p7b format is no good. The chain bundle cert usually publicly available. The wildcard will need to be downloaded via a login may need to get it from the customer. Example vendor chain location:
https://certs.godaddy.com/repository


Import vendor root/chain cert bundle

Device -> certificate management -> certificates 

Click import 

Give name eg "vendor-ca-root-chain-bundle"

Select the bundle file "bundle-g2.crt"

Leave everything else and click ok



Import wildcard cert

This can be imported in a few methods (.crt) (.pfx) if its PFX you will need to include the password

Certs should look like this
 


Create SSL/TLS profile

Device -> Certificate Management -> SSL/TLS Service Profile

Name "SSL-TLS-PROFILE"

Min version: TLSv1.2

Max version: Max



Attach SSL/TLS profile to global protect portal and GW

Network -> GlobalProtect -> Portals 

Click the GP_Portal

Authentication tab 

Under server authenticaiton / SSL/TLS service profile

Select your "SSL-TLS-PROFILE" from the drop down

Configure the URL used for portal/gateway in the portal
Network -> GlobalProtect -> Portals
Click the GP_Portal
Agent 
Add the CA root and chain cert (optional to tick install in root cert store)

 
Now click on GP_Agent_Config -> External

You will need a DNS -> pub IP record setup with the external DNS vendor
Fill in the DNS name for the Gateway
 


Add the SSL-TLS profile to the gateway as well

Network -> GlobalProtect -> Gateways

Click the GP_Gateway

Authentication tab

Under server authenticaiton / SSL/TLS service profile

Select your "SSL-TLS-PROFILE" from the drop down

Change IP to URL
Go Portal - GP settings - Agent - Agent config - External
Change external gateway IP to URL


Testing
Do not forget to commit your changes
You may need to restart the GP client
Test web browse to https://globalprotect.domain.com
Test connecting the GP client to globalprotect.domain.com




Posted by at No comments:
Labels: , , , , , , , , , ,
Subscribe to: Posts (Atom)