Showing posts with label HowTo.

Sunday, July 8, 2012

How to secure an inbound policy with a secondary user authentication

You may want to allow access to an inbound service that requires authentication at the firewall before the connection ever reaches the service it is destined for. Say you have a web server inside your firewall holding semi-private data that you can't easily secure within the web application itself. Or you simply want the service behind a pre-authentication step, so that brute-force attempts against the web application never reach it. Keep in mind that this moves the brute-force target to the FortiGate's own login page, so the local account you create below needs a strong password.

Here's how:

  • Create your VIP, if you don't have one.

    config firewall vip
        edit External_HTTPS_T11443_w1      # name the VIP; the _w1 suffix lets you keep one per WAN link
            set extintf wan                # external (WAN) interface
            set mappedip 10.11.3.254       # internal IP of the server you are protecting
            set portforward enable         # enable port address translation (PAT)
            set extport 11443              # external port clients connect to (avoid reusing 443)
            set mappedport 443             # port the service listens on internally (443 is the default)
        next
    end

  • Create a local user account. LDAP users would work too, but are not covered in this tutorial.

    config user local
        edit allow                         # creates a local user named "allow"
            set passwd SecurePassword      # replace with a strong password
        next
    end

  • Create a group to use in the policy.

    config user group
        edit ServiceAuth                   # name the group
            set member "allow"             # the local account created above
        next
    end

  • Create the firewall policy, if you don't have one.

    config firewall policy
        edit 0                                     # "edit 0" creates a new entry with the next free ID
            set srcintf wan                        # source interface (wan here; probably wan1/wan2 or a port for you)
            set dstintf InternalSwitch             # destination interface (probably "internal" or a port for you)
            set srcaddr "all"                      # any source may try; the user login does the gating
            set dstaddr "External_HTTPS_T11443_w1" # the VIP created above
            set action accept
            set identity-based enable              # no traffic passes until the user has authenticated
            config identity-based-policy
                edit 1                             # one sub-policy per authorized group
                    set schedule always
                    set groups "ServiceAuth"       # the group created above
                    set service "HTTPS"            # the protected service (HTTPS here)
                    set logtraffic enable
                next
            end
        next
    end

    This is FortiOS 4.x syntax. FortiOS 5.2 and later dropped the identity-based sub-policy; there you set the group directly on the policy (set groups "ServiceAuth") and the service at the policy level.

How to use this new policy

  • Whatever the protected service is (port-forwarded or otherwise), you must first authenticate to the firewall before the policy passes your traffic.
    • Authenticate over HTTPS, never HTTP, or your credentials cross the Internet in the clear. You can enforce this on the FortiGate with "set auth-type https" under "config user setting", so the login page is only ever served over HTTPS.
    • Example: if you are protecting RDP, first browse to https://ExternalIP:3389 and log in with a local account that belongs to the group allowed in the policy.
    • Once authenticated, RDP directly to ExternalIP.
  • Authentication starts a timer, and you may want to extend it:

    config user setting
        set auth-timeout 240               # minutes; 240 is four hours, 480 is the maximum
    end

Friday, July 6, 2012

Securing down your FortiGate UTM appliance

Securing it for a Static IP

If you have a static IP, or a group of static IPs, that you use to connect remotely to your Fortinet device, there is an easy way to map the external services, lock them down to a set of subnets, and allow only a few IPs to manage the firewall from the Internet. There are other ways; this is my favorite, with the most control and logging available for the remote connections. Let's get started.

Scenario (My Setup)

  • WAN IP = Dynamic (wan)
  • LAN IP = 10.11.3.254 (InternalSwitch)
  • Internal Management Port (HTTPS) = 443
  • Internal Management Port (SSH) = 22
  • Trusted External Subnets =
    • 12.166.20.0/23
    • utm.doesntexist.com (DynDNS)

 

Let's get started with a Dynamic or Static IP

  • Log into the firewall.
  • Create a new VIP for HTTPS access.

    config firewall vip
        edit External_HTTPS_T11443_w1      # name the first VIP; the _w1 suffix lets you keep one per WAN link
            set extintf wan                # external (WAN) interface
            set mappedip 10.11.3.254       # the FortiGate's internal (LAN) IP
            set portforward enable         # enable port address translation (PAT)
            set extport 11443              # external port for the GUI (avoid reusing 443)
            set mappedport 443             # internal management port (443 is the default)
        next                               # "next" to go on to the SSH entry, "end" if you do not want SSH

  • Create a new VIP for SSH access (still inside "config firewall vip").

        edit External_SSH_T11022_w1        # name this VIP, again with _w1 for the WAN link
            set extintf wan                # external (WAN) interface
            set mappedip 10.11.3.254       # the FortiGate's internal (LAN) IP
            set portforward enable         # enable PAT
            set extport 11022              # external port for SSH (avoid reusing 22)
            set mappedport 22              # internal SSH port (22 is the default)
        next
    end

  • Create a VIP group.

    config firewall vipgrp
        edit ExternalManagement_w1         # one group for external management on WAN1
            set interface wan              # the group's interface
            set member "External_HTTPS_T11443_w1" "External_SSH_T11022_w1"   # the two VIPs above
        next
    end

  • Create an address object for the trusted IP range.

    config firewall address
        edit "TrustedSubnet_1"             # name it what you like
            set subnet 12.166.20.0/23      # the trusted subnet
        next                               # "next" to create more, then "end" to save
    end

  • Create an address object for the trusted FQDN.

    config firewall address
        edit "Trusted_FQDN_1"              # a trusted FQDN example
            set type fqdn                  # FQDN address object
            set fqdn "utm.doesntexist.com" # your DynDNS name
        next
    end

    An FQDN object is only as trustworthy as the DNS answer behind it. The FortiGate resolves the name periodically, so anyone who can control the DynDNS record or the firewall's DNS resolution can put themselves on the trusted list, and after your home IP changes there is a window, until the record is updated and re-resolved, in which the old address is still trusted and the new one is not.

  • Create an address group object.

    config firewall addrgrp
        edit "Trusted_Remote_w1"           # group of trusted addresses for w1
            set member "TrustedSubnet_1" "Trusted_FQDN_1"   # the two address objects above
        next
    end

  • Create a new ExternalAdmin account.

    config system admin
        edit ExternalAdmin                 # the account used from the Internet
            set accprofile super_admin     # full rights; a restricted profile is the better choice for external access
            set password SecurePassword    # replace with a strong password
        next
    end

    Note that "trusthost" on an admin account takes only an IP and netmask, not an FQDN, which is why the DynDNS source is handled by the firewall policy below rather than on the account.

  • Lock the default "admin" account down to the local subnet only.

    config system admin
        edit admin
            set trusthost1 10.11.3.0 255.255.255.0   # LAN only; assumes the 10.11.3.254 interface is a /24, adjust to your mask
        next
    end

    Once a trusthost is set, logins for that account from any other address are simply refused, so confirm that ExternalAdmin works through the VIP before you restrict admin, or you will be fixing it from the console.

 

  • Create the firewall policy.

    config firewall policy
        edit 0                                     # "edit 0" creates a new entry with the next free ID
            set srcintf wan                        # source interface (wan here; probably wan1/wan2 or a port for you)
            set dstintf InternalSwitch             # destination interface (probably "internal" or a port for you)
            set srcaddr "Trusted_Remote_w1"        # the trusted address group created above
            set dstaddr "ExternalManagement_w1"    # the VIP group created above
            set action accept
            set service "HTTPS" "SSH"              # see the note below on which port the service matches
            set logtraffic enable                  # log it, for your sanity
        next
    end

    The service objects here are the "internal" ones (443 and 22), not the external 11443/11022; if your management ports are not the standard ones you will need a service object for them. Be aware that which side of the port forward the policy's service is matched against has differed between FortiOS releases. If the policy passes nothing, create a service object for the external port instead and confirm in the traffic log which one matches.
 

This will in effect do the following:

  1. Allow the default "admin" account to log in only from inside the network
  2. Create a new ExternalAdmin user for the firewall
  3. Create two VIPs that map alternative external ports to the internal management ports
  4. Allow you to ping the firewall from anywhere (assuming ping is in the WAN interface's allowaccess list; nothing above changes that)
  5. Trust just a few IPs/FQDNs for remote management
  6. Log traffic hitting the VIPs
  7. Allow inbound UTM inspection if you want it (not covered in this tutorial)

One check before you rely on this: make sure the WAN interface's own administrative access ("set allowaccess" under "config system interface") no longer includes https or ssh. Otherwise the standard ports stay reachable from anywhere and the VIPs on 11443/11022 protect nothing.

To use this you will want to:

  1. Connect to the IP of the external interface:
    1. https://externalIP:11443 for web management (a Dynamic DNS name makes the firewall easier to find)
    2. PuTTY, or any SSH client, to externalIP:11022 for the CLI
  2. Log in as ExternalAdmin with its password
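Verifying the result from the outside is the part the post leaves to you. The following PowerShell script is an added example, not part of the original post, that probes the WAN side from a workstation and compares what answers with what the configuration above intends: the VIP ports should answer only from a source in Trusted_Remote_w1, and the native 443/22 should never answer on the WAN interface. The target address 203.0.113.1, the -FromTrustedHost switch and the function names are assumptions made for the example.

```powershell
# Added example, not from the original post. Probes the FortiGate's WAN side from a
# workstation and compares what answers with what the configuration above intends.
# Assumptions: $Target is your FortiGate's external IP or DynDNS name (203.0.113.1 is a
# placeholder); 11443/11022 are the VIP external ports from the post; 443 and 22 should
# be closed on the WAN interface because its allowaccess list should not contain
# https or ssh. Run it once from a Trusted_Remote_w1 address (-FromTrustedHost) and
# once from anywhere else.
param(
    [string]$Target = '203.0.113.1',
    [switch]$FromTrustedHost,
    [int]$TimeoutMs = 2000
)

# TCP connect with a timeout. A policy deny on the FortiGate drops the SYN silently,
# so a denied port shows up as a timeout rather than a refusal; both count as closed.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)      # throws on RST, i.e. an actively refused port
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Intended exposure: VIP ports answer only for trusted sources, native ports never.
$expected = @{
    11443 = [bool]$FromTrustedHost   # External_HTTPS_T11443_w1 -> 443 on the FortiGate
    11022 = [bool]$FromTrustedHost   # External_SSH_T11022_w1   -> 22 on the FortiGate
    443   = $false                   # open only if wan allowaccess still has https
    22    = $false                   # open only if wan allowaccess still has ssh
}

$mismatches = 0
foreach ($port in ($expected.Keys | Sort-Object)) {
    $open  = Test-TcpPort -ComputerName $Target -Port $port -TimeoutMs $TimeoutMs
    $state = if ($open -eq $expected[$port]) { 'OK' } else { $mismatches++; 'MISMATCH' }
    '{0}:{1,-6} open={2,-5} expected={3,-5} {4}' -f $Target, $port, $open, $expected[$port], $state
}
if ($mismatches -gt 0) {
    Write-Warning "$mismatches port(s) differ from the intended exposure; check wan allowaccess and the policy's srcaddr"
}
```

Any MISMATCH on 443 or 22 means the WAN interface still has that protocol in its allowaccess list; a MISMATCH on 11443 or 11022 from an untrusted host means the policy's source restriction is not doing its job. The same probe is a useful companion to the identity-based policy in the July 8 post: a protected non-web port such as the RDP example should stay closed until you have logged in at the FortiGate's HTTPS login page and open afterwards (web ports are intercepted to present the login page, so they answer either way).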

Hope this helps you create a secure access method to your firewall. 

 

Enjoy!

Thursday, September 8, 2011

Exchange 2007 to Exchange 2010 Public Folder Migration

This Episode

This episode of UTM comes from a recent experience migrating a customer's huge public folder database during an Exchange 2007 to 2010 migration. Doing it manually wasn't an option, and how I pulled it off was way too easy.

The Dilemma

This customer had way too many public folders to go in and manually tie the replication together, folder by folder. So I thought back to a great PS1 script that had so much promise. I went in and ran the script, and it ran without issue. I waited several hours; no such luck. So I sat down this morning, told myself there had to be a way to do this, and put my mind to working it out.

The Stage

You must have a working Exchange 2010 server with a public folder database created on it.
EXCHMB01 = Exchange 2007 Mailbox Server (old)
EX-MB-01 = Exchange 2010 Mailbox Server (new)
We are moving from Exchange 2007 to Exchange 2010, if you didn't read the above!

The Solution

My PowerShell skills are a 7 out of 10, so there may be a few steps that are easier than I make them, but this is how I did it and it worked, so here we go.

Setting the stage

To make life easier, and to make sure I named things correctly, I used a bit of manual configuration for the first step.
  1. Open the EMC (Exchange Management Console).
  2. Open the Toolbox, then open the "Public Folder Management Console".
  3. We are going to add a replica to one public folder by hand, so that the database names and paths can be copied and pasted exactly.
  4. Right-click a folder in the right pane and click Properties.
  5. Click "Add" to add all of your replicas. In this instance I have an old server EXCHMB01 (Exchange 2007) and a new mailbox server EX-MB-01 (Exchange 2010).
  6. Now for the fun part. Like I said, these steps might be easier from the CLI, but this way I know for sure, in case not all my mailbox servers are public folder replicas.

Setting up the Replicas

  1. Open the EMS (Exchange Management Shell).
  2. Run the following:
    1. Get-PublicFolder -Recurse | Format-List Name, Replicas
  3. You will get a full list of all your public folders; find the one you edited in "Setting the stage".
  4. Copy the Replicas value to your clipboard; we will use it in the next two steps.

Making all folders a replica on both the new and old server (for migration)

During a migration you temporarily want all data on both public folder databases, so that users in both environments work, with replication carrying the changes across. So I always set up the replicas first, so replication can run while we complete the mailbox and other migration tasks.
  1. Open the EMS.
  2. Run the following:
    1. Get-PublicFolder -Recurse | Set-PublicFolder -Replicas "EX10_PublicDB1","EXCHMB01\Public\Public Folder Database"
  3. Two things to notice here. The value you copied from Format-List is wrapped in {} and separated by commas; -Replicas instead needs each database in quotes, separated by commas, so edit the pasted text accordingly. Also, -Replicas sets the complete list: every folder ends up with exactly these two databases, and any folder that deliberately had a different set of replicas loses them.
  4. Wait; this will take a while to run, depending on many things.
  5. You will get an error about the root folder "\", whose replica list can't be set. That's fine.
  6. Run the next step to replicate the system folders:
    1. Get-PublicFolder "\NON_IPM_SUBTREE" -Recurse | Set-PublicFolder -Replicas "EX10_PublicDB1","EXCHMB01\Public\Public Folder Database"
  7. The same editing of the pasted replica list (quotes and commas instead of {}) applies here.

Checking your work

  1. Simply run the following:
    1. Get-PublicFolder -Recurse | Format-Table Name, Replicas -AutoSize -Wrap
    2. Get-PublicFolder "\NON_IPM_SUBTREE" -Recurse | Format-Table Name, Replicas -AutoSize -Wrap

Removing the Replicas

Once you are done with the old server and ready to decommission it, you need to remove it from the replica list. To do this, use the same syntax you used to add the replicas, minus the old server. Confirm with the checks below that every folder lists the new database before you take the old server away.
  1. Open the EMS.
  2. Run the following:
    1. Get-PublicFolder -Recurse | Set-PublicFolder -Replicas "EX10_PublicDB1"
  3. Notice the missing old server!
  4. As before, if you paste the replica list from Format-List, replace the {} with quoted, comma-separated database names.
  5. Wait; this will take a while to run, depending on many things.
  6. You will get an error about the root folder "\", whose replica list can't be set. That's fine.
  7. Run the next step for the system folders:
    1. Get-PublicFolder "\NON_IPM_SUBTREE" -Recurse | Set-PublicFolder -Replicas "EX10_PublicDB1"
  8. Notice the missing old server!

Checking your work

  1. Simply run the following:
    1. Get-PublicFolder -Recurse | Format-Table Name, Replicas -AutoSize -Wrap
    2. Get-PublicFolder "\NON_IPM_SUBTREE" -Recurse | Format-Table Name, Replicas -AutoSize -Wrap
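The one-liners above write the same fixed replica list to every folder, which is exactly right for a flat migration but throws away any folder that deliberately had a different set of replicas. The script below is an added example, not the post's own code, covering both the add and the remove phases above: it adds the new database to (or removes the old database from) each folder's existing replica list, skips the root "\" that the post notes cannot be set, and finishes with the same kind of check. It assumes the Exchange 2010 Management Shell and the post's database names; the function and parameter names are mine.

```powershell
# Added example, not from the original post. Adds one database to (or removes one
# from) every public folder's replica list while preserving the other replicas each
# folder already has, then reports folders that still lack the new database.
# Assumptions: run in the Exchange 2010 Management Shell with public folder admin
# rights; database identities follow the post ("EX10_PublicDB1" is the new 2010
# database, "EXCHMB01\Public\Public Folder Database" the old 2007 one).
param(
    [string]$NewDb = 'EX10_PublicDB1',
    [string]$OldDb = 'EXCHMB01\Public\Public Folder Database',
    [switch]$RemoveOld      # second phase: drop the 2007 replica before decommissioning
)

# Replica identities as plain strings so they can be compared and edited.
function Get-ReplicaNames {
    param($Folder)
    @($Folder.Replicas | ForEach-Object { $_.ToString() })
}

function Set-ReplicaEverywhere {
    param([string]$Root, [string]$Add, [string]$Remove)
    # The tree root "\" has no settable replica list (the error the post mentions), so skip it.
    Get-PublicFolder $Root -Recurse -ResultSize Unlimited |
        Where-Object { $_.Identity.ToString() -ne '\' } |
        ForEach-Object {
            $folder   = $_
            $before   = Get-ReplicaNames $folder
            $replicas = $before
            if ($Add -and ($replicas -notcontains $Add)) { $replicas += $Add }
            if ($Remove) { $replicas = @($replicas | Where-Object { $_ -ne $Remove }) }
            if ($replicas.Count -eq 0) {
                Write-Warning "Skipping $($folder.Identity): removing $Remove would leave it with no replicas"
                return
            }
            if (($before -join '|') -eq ($replicas -join '|')) { return }   # nothing to change; safe to re-run
            try {
                Set-PublicFolder -Identity $folder.Identity -Replicas $replicas -ErrorAction Stop
            } catch {
                Write-Warning "Failed on $($folder.Identity): $($_.Exception.Message)"
            }
        }
}

# Folders whose replica list does not include $Db; empty output means the work is complete.
function Get-FoldersMissingReplica {
    param([string]$Root, [string]$Db)
    Get-PublicFolder $Root -Recurse -ResultSize Unlimited |
        Where-Object { $_.Identity.ToString() -ne '\' -and ((Get-ReplicaNames $_) -notcontains $Db) } |
        Select-Object Identity, Replicas
}

$roots = '\', '\NON_IPM_SUBTREE'      # user folders first, then the system folders
foreach ($root in $roots) {
    if ($RemoveOld) { Set-ReplicaEverywhere -Root $root -Remove $OldDb }
    else            { Set-ReplicaEverywhere -Root $root -Add    $NewDb }
}

# Check the work: anything listed here still does not replicate to the new database.
foreach ($root in $roots) {
    Get-FoldersMissingReplica -Root $root -Db $NewDb | Format-Table Identity, Replicas -AutoSize -Wrap
}
```

Run it once with no switches while the migration is in progress, and again with -RemoveOld when the 2007 server is ready to be decommissioned. Because it only appends or filters the list a folder already has, re-running it is harmless, and a folder that would be left with no replica at all is reported instead of being emptied.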

Conclusion

I’m not really sure why this was so hard to find, but the solution is pretty simple.  There are other ways to inject the server names, but for a novice to use this guide and with them possibly not knowing where their Public Folders were located, I wanted to show the GUI part and then the commands using copy and paste on how to build the Replicas.

I hope this helps someone and somebody out there thinks… UTM.