Sep 30, 2021
 
ISRG and Let's Encrypt

Today, the DST Root CA X3 certificate expired, leaving many devices on the internet unable to connect to services whose certificates chain to this Root CA, including those using Let’s Encrypt certificates.

Some of these problematic devices include Samsung Galaxy phones, iPhones, VDI zero and thin clients, and even Sophos UTM firewalls.

In my environment, I noticed a number of issues when browsing to websites that use the free Let’s Encrypt certificates, as the Web Protection Web Filtering service on my Sophos UTM firewall would report that the certificate had expired and would not allow me access to the websites using it.

The Problem

Let’s Encrypt originally used the “DST Root CA X3” certificate to issue Let’s Encrypt certificates. However, as time has passed and the service has been used more, they now use “ISRG Root X1” and “ISRG Root X2” as Root CAs and “Let’s Encrypt R3” as an intermediate certificate.

Older devices may be using the older Root CA which expired today (September 30th, 2021). Please see https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ for more information.

The Fix

To fix this issue, you need to add the 2 new Root CAs to your computer or device.

Root CA Certificates (PEM format):

Intermediate Certificate (PEM format):

You can download them by clicking the links above or go to https://letsencrypt.org/certificates/ for more information and to download if you don’t trust the above links.

After downloading and adding these Root CAs and the Intermediate CA to your computer or device, you should have the full certificate chain to validate the Let’s Encrypt certificates. You only need to add the two root certificates. The Let’s Encrypt certificates that are used on websites that you visit and that you might have deployed on your servers should now work without any issues.

If you’re still having issues, you can try deleting the “DST Root CA X3” certificate from your existing Root CAs. Also, you may need to close and reopen any software and/or browsers for it to work with the new certificate.
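A quick way to check whether a machine’s trust store is in the state this fix calls for, as an added example that is not part of the original post. It audits a list of CA certificates in the dict shape Python’s `ssl.SSLContext.get_ca_certs()` returns, flags ISRG Root X1/X2 as missing or the DST Root CA X3 as expired, and includes a constructed sample store (names and dates are sample values, not pulled from a live system).

```python
import ssl
import time

# Roots the post says a client needs, plus the root that expired on September 30th, 2021.
REQUIRED_ROOTS = ("ISRG Root X1", "ISRG Root X2")
EXPIRED_ROOT = "DST Root CA X3"


def common_name(subject):
    """Pull the CN out of the nested-tuple subject that get_ca_certs() returns."""
    for rdn in subject:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def audit_roots(ca_certs, now=None):
    """Classify each root of interest as 'ok', 'expired' or 'missing'.

    ca_certs is a list of dicts shaped like ssl.SSLContext.get_ca_certs() output
    (keys 'subject' and 'notAfter'); now is a Unix timestamp, default current time.
    """
    now = time.time() if now is None else now
    status = {name: "missing" for name in REQUIRED_ROOTS + (EXPIRED_ROOT,)}
    for cert in ca_certs:
        name = common_name(cert.get("subject", ()))
        if name not in status:
            continue
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
        status[name] = "expired" if not_after < now else "ok"
    return status


def findings(status):
    """Turn the audit into the actions the post describes: add any missing ISRG root,
    remove the expired DST root if it is still present."""
    out = []
    for name in REQUIRED_ROOTS:
        if status[name] != "ok":
            out.append(f"add {name} ({status[name]})")
    if status[EXPIRED_ROOT] == "expired":
        out.append(f"remove {EXPIRED_ROOT} (expired)")
    return out


# Constructed sample store: the expired DST root, ISRG Root X1 present, ISRG Root X2 absent.
SAMPLE_STORE = [
    {"subject": ((("organizationName", "Digital Signature Trust Co."),),
                 (("commonName", "DST Root CA X3"),)),
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
    {"subject": ((("organizationName", "Internet Security Research Group"),),
                 (("commonName", "ISRG Root X1"),)),
     "notAfter": "Jun  4 11:04:38 2035 GMT"},
]

if __name__ == "__main__":
    # Audit the real default store. get_ca_certs() only lists roots already loaded into
    # the context; a hashed capath directory loads lazily and may show nothing here.
    live = audit_roots(ssl.create_default_context().get_ca_certs())
    print("live store:", live)
    for line in findings(live) or ["nothing to do"]:
        print(" -", line)
    # Sample store evaluated as of 2021-10-01 00:00 UTC, the day after the expiry.
    print("sample store:", findings(audit_roots(SAMPLE_STORE, now=1633046400)))
```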

HTTPS Scanning/Filtering Firewall Fix (Sophos UTM as example)

If you have a firewall that scans HTTPS traffic, you’ll need to add the two root certificates above to the HTTPS Certification Authority list.

As an example, to fix this on the Sophos UTM firewall, follow the instructions below:

  1. Download the 3 certificates above.
  2. Log on to your Sophos UTM.
  3. Navigate to “Web Protection”, “Filtering Options”, and “HTTPS CAs” tab.
  4. Disable the old “Digital Signature Trust Co. DST Root CA X3” Certificate in the list.
  5. Using the “Upload local CA”, browse to and select 1 of the 3 certificates, then click upload.
  6. Repeat step 5 for each of the 3 certificates listed above.
  7. The issue has been fixed! You should now see all 3 certificates in the “Local verification CAs” list.

The steps should be similar for other firewalls that provide HTTPS Scanning and Filtering.

Sep 25, 2021
 
Windows Server 2022 Logo

Today, I will be showing you how to install, configure, and deploy Windows Server Update Services (WSUS) on Windows Server 2022. I’ll also show you how to use the WSUS MMC interface, approve/manage updates, and more!

This video will demonstrate the process of the WSUS role installation, post-installation tasks, first-time WSUS configuration wizard, and the WSUS MMC.

Check it out and feel free to leave a comment! Scroll down below for more information and details on the guide.

Who’s this guide for

This guide is perfect for a seasoned IT professional or a beginner who is looking at getting experience with Windows Server 2022.

What’s included in the video

In this guide I will walk you through the following:

  • Server Manager
    • Windows Server Update Services Role Installation
  • WSUS Considerations and Requirements
    • WID (Windows Internal Database)
    • SQL Express
    • GPO Group Policy Objects
    • WSUS Maintenance
    • Upstream and Downstream WSUS Servers
    • Bandwidth Optimization
  • WSUS Usage and Platform
    • WSUS Infrastructure Design
    • WSUS Synchronization Schedule
    • WSUS Language, Products, and Classifications selections
    • WSUS MMC Overview
    • “gpupdate /force” command usage
    • WSUS Update Approval
    • WSUS Reporting

Additional Information

Please see below for a WSUS GPO Configuration Example.

WSUS GPO Configuration Example (GPO Settings for WSUS Configuration)

Please Note: This example contains configuration to automatically install updates. This example should only be used for workstations and not servers. Please use this example as a guide for your own study.

What’s required

To get started you’ll need:

  • 1 x Server (Virtual Machine or Physical Server)
  • Microsoft Windows Server 2022 Licensing
  • A running Windows Server 2022 Instance (OSE)
  • A network router and/or firewall

Hardware/Software used in this demonstration

  • VMware vSphere
  • HPE DL360p Gen8 Server
  • Microsoft Windows Server 2022
  • pfSense Firewall

Blog Posts mentioned in this video

Sep 23, 2021
 

Synology C2 Cloud, C2 Backup and C2 Storage are new ways to back up smart! Using Synology’s C2 Cloud, you can not only back up your Synology DiskStation NAS and all of its contents to the cloud, but you can now also back up your endpoints directly to the cloud, including Workstations and Servers, providing “Centralized protection for Microsoft workloads”.

I want to give a brief overview of what you can do with it, and yes, I’ve tried it and so far love it! It works great!

With DSM 7, came a big expansion of Synology’s C2 Cloud Offering

I first heard about Synology C2 Cloud during a VMUG User Group presentation that was sponsored by Synology a few months ago.

I was very impressed with the presentation on the new Synology DSM 7 operating system, its capabilities, and the integration with the new Synology C2 Cloud. It really piqued my interest!

With the release of DSM 7.0 (on June 29th 2021), Synology also launched a number of Cloud initiatives delivered by their C2 Cloud platform. This included C2 Transfer, C2 Identity, and C2 Storage. As of today, they have released C2 Backup!

With the fresh release, I want to go over Synology’s C2 Backup, and C2 Storage.

What can we do with C2 Backup and C2 Storage?

The possibilities are almost endless, but let’s list some of the main uses that come to mind:

  • Back up a Synology DiskStation NAS to Synology C2 Cloud
    • Back up your Synology DiskStation File Shares
    • Back up your Synology Photo Collection and Videos
    • Back up your Synology Apps
    • Back up your backups to the cloud (disk to disk to cloud)
  • Active Backup for Business
    • Back up Workstations and Servers to NAS, then replicate to Cloud
    • Back up Microsoft 365 to NAS, then replicate to Cloud
    • Back up Virtual Machines to NAS, then replicate and/or archive to Cloud
  • Endpoint Backup direct to Synology C2 Backup
    • Back up a Windows Desktop or Laptop directly to Synology C2 Cloud

One of the biggest threats we have today is ransomware. Ransomware has been ravaging businesses and corporations, destroying and deleting their backups and holding the companies hostage. It has even affected the home user, holding the private and valuable files on their computers and NAS devices hostage.

Another common threat is general disasters, including hardware failure, fires, and other events causing complete loss of data.

Using both the Synology DiskStation and the Synology C2 Cloud we can mitigate these risks by backing up your data.

And with any backup, we should always abide by the 3-2-1 rule: 3 copies, on 2 different platforms/media types, and 1 off-site. By backing up to your Synology NAS and then replicating it up to Synology C2 Cloud, you can achieve this level of protection.

Synology C2 Cloud also provides C2 Identity and C2 Transfer for business services, which I won’t cover in this post.

Use Case Examples

Below I’ll list a few of the most common use cases I would expect.

Home or Small Business File Share backup

For home or small business users, file and data storage is typically handled via Windows Shares, and the Synology DiskStation NAS is perfect for providing this type of storage.

Using the Synology DiskStation, you can back these shares up to Synology’s C2 Storage Service, further protecting your data and also keeping it off-site. You can still also back up to other destinations such as removable hard drives.

Complete NAS backup

You can now fully back up your entire NAS to the Synology C2 Storage service. This provides an easy way to restore it should you ever have a disaster, including ransomware, a catastrophic failure, or fire, and have lost your unit and need to replace it fully.

Active Backup for Business Replication

If you’re using Active Backup for Business, you probably already know you can back up the following to your NAS:

  • Microsoft Windows Servers
  • Microsoft Windows Workstation
  • Microsoft 365 (Office 365) data
  • VMware Virtual Machines
  • And more!

Now we have the ability to replicate these backups to Synology’s C2 Storage service, to further protect our backups and also archive data.

Endpoint Backup (new with Synology C2 Backup)

Now you can back up Microsoft Windows endpoints (workstations, laptops, and tablets) directly to the Synology C2 Backup service!

You can back up an unlimited number of Microsoft endpoints, with the only limitation being how much storage you’re paying for.

Endpoint backups include full-system backups (using incremental updates to save bandwidth) and provide bare metal restore capabilities, as well as file-level recovery for when you only need to grab a few files from a backup without restoring the entire system.

You also have the ability to deploy the C2 Backup agent via Active Directory GPOs for ease of deployment.

And don’t forget, this is a perfect way to backup mobile users with laptops!

Is it Encrypted?

One question you might be asking is if the data is safe and encrypted. It sure is (if you enable it)!

The Synology C2 Cloud provides client-side encryption using AES 256-bit encryption with private keys.

In my testing when enabled, the data is encrypted on my Synology DiskStation NAS and then uploaded to Synology’s C2 Cloud. Encryption is handled via a password and a PEM key (AES 256) that you must save and keep safe (preferably not on any of your computers, but on a USB key somewhere safe)! Hold on to this, because you’ll need it in the event of a disaster.

In the case of C2 Storage, while the data is encrypted and then stored on Synology’s servers, there are some actions you can take via a web interface to view/download your data to your computer instead of restoring to your NAS. Keep in mind that if you do this, you’ll need to enter your password into Synology’s servers; however, they state the password will not be saved and will be destroyed after the task completes.

In the case of C2 Backup, you’ll have a powerful web interface where you can manage backups, restore backups, restore files, and more.

How much does it cost?

For the C2 Storage Service, the pricing table below (US Dollars):

For the C2 Backup Service, the pricing table is below (US Dollars):

You’ll notice that right now the C2 Backup Service is limited to only a 300GB plan and 2TB plan.

Features to come

While you can today deploy any of the features listed in this post, there are some future capabilities that are coming soon…

Soon, using Synology C2 Backup, you’ll be able to automatically backup your Microsoft 365 data (including Exchange Online and OneDrive for Business) direct to Synology’s C2 Backup.

While you can already back this data up to your NAS (and then replicate to C2 Storage), soon you’ll be able to cut out the NAS and have it go direct.

In conclusion

I’d highly recommend checking out the Synology C2 Cloud portfolio of services as I’ve already deployed and am currently using the Synology C2 Storage service in my homelab with my Synology DiskStation NAS.

Synology also has another datacenter available to choose from, in Germany.

More information can be found at the following links:

C2 FAQ

Synology C2 Backup (for business)

Synology C2 Transfer (for business)

Synology C2 Identity (for business)

Synology C2 Storage (for business)

Pricing information can be found at the following links:

Synology C2 Backup Pricing (for business)

Synology C2 Storage Pricing (for business)

I’ll be posting some tutorials and reviews so stay tuned! In the meantime, leave a comment if you’ve used any of these products in your environment!

Sep 20, 2021
 

Welcome to Episode 03.1 of The Tech Journal Vlog (Special Episode on VMware Horizon 8 Version 2106)

In this episode – VMware Horizon 8 Version 2106

This is a special episode dedicated to the release of VMware Horizon View 8, version 2106.

What’s new

In the video, I cover what’s new in the 2106 release.

My Favorite Changes & Enhancements:

  • Audio recording support for 48 kHz audio via RTAV, defaults to 16 kHz
    • Persistence on Audio quality recording settings across sessions
    • Sample Rate can be configured via GPO
  • VMware Horizon Linux Client supports Microsoft Teams Optimization
    • Linux Based Zero Clients should add functionality shortly (10ZiG already has!)
  • Raspberry Pi 4 Support!!!!
    • Also supports RTAV

Other interesting changes and enhancements:

  • UI Change on VMware Horizon Client
  • Instant Clones now support SysPrep: Instant Clones with Parent
    • No duplicate SIDs when using SysPrep
  • Ability to use 6 x 4K Displays
  • No Longer have to re-install VMware Horizon Agent after VMware Tools Upgrade
  • Forgot to mention: Support added for USB Redirection with Xbox Gaming Controllers

Additional Items:

  • VMware OSOT Optimization tool Versioning now matches Horizon
    • Removal of Custom Templates
  • VMware VDI Base Image Creation Guide has been updated
    • New guide on automating the VMware VDI Base Image Creation added

Links Mentioned in this post:

Don’t forget to like and subscribe!

Leave a comment, feedback, or suggestions!

Sep 19, 2021
 
Windows Server 2022 Logo

Today we’re deploying a Windows Server 2022 member server and joining it to the domain we created in previous videos. I’ll also be explaining the difference between Domain Credentials and Local Credentials on member servers.

This video will demonstrate and explain the process of deploying a Windows Server 2022 member server, network configuration, DHCP vs Static IPs, and domain credentials vs local credentials.

Check it out and feel free to leave a comment! Scroll down below for more information and details on the guide.

Who’s this guide for

This guide is perfect for a seasoned IT professional or a beginner who is looking at getting experience with Windows Server 2022.

What’s included in the video

In this guide I will walk you through the following:

  • Document a new Server deployment
  • Configure Networking
  • Join Windows Server 2022 Server to domain as member server
  • Discussion on time importance with Active Directory and Domains
  • Discussion on Domain Credentials vs Local Credentials

What’s required

To get started you’ll need:

  • 1 x Server (Virtual Machine or Physical Server)
  • Microsoft Windows Server 2022 Licensing
  • A running Windows Server 2022 Instance (OSE)
  • A network router and/or firewall

Hardware/Software used in this demonstration

  • VMware vSphere
  • HPE DL360p Gen8 Server
  • Microsoft Windows Server 2022
  • pfSense Firewall

Sep 19, 2021
 
Windows Server 2022 Logo

Today, I will show you how to create an Active Directory Domain on Windows Server 2022.

This video will demonstrate and explain the process of configuring, and deploying a Windows Server 2022 instance as a Domain Controller, DNS Server, and DHCP Server and then setting up a standard user.

Check it out and feel free to leave a comment! Scroll down below for more information and details on the guide.

Who’s this guide for

This guide is perfect for a seasoned IT professional or a beginner who is looking at getting experience with installing Windows Server 2022.

What’s included in the video

In this guide I will walk you through the following:

  • Document a new Server Installation and domain
  • Promote a Windows Server 2022 Server to a Domain Controller with Active Directory
    • Installation and configuration of Microsoft Active Directory
    • Promote a server as a new domain controller
      • Overview of Forest Functional Level
      • Overview of Domain Functional Level
      • Overview of DSRM (Domain Services Restore Mode) and Password
    • Installation and configuration of DNS Role
    • Installation and configuration of DHCP Role
  • Setup and configuration of a new user account on domain
  • Creation of DHCP Scope for Network

What’s required

To get started you’ll need:

  • 1 x Server (Virtual Machine or Physical Server)
  • Microsoft Windows Server 2022 Licensing
  • A running Windows Server 2022 Instance (OSE)
  • A network router and/or firewall

Hardware/Software used in this demonstration

  • VMware vSphere
  • HPE DL360p Gen8 Server
  • Microsoft Windows Server 2022
  • pfSense Firewall

Sep 18, 2021
 
Windows Server 2022 Logo

With the recent release of Microsoft Windows Server 2022, I felt I needed to give it a shot. Join me as I install Windows Server 2022.

These instructions are also valid for previous versions of Microsoft Windows Server.

This video will demonstrate and explain the process of installing, configuring, and deploying a Windows Server 2022 instance.

Check it out and feel free to leave a comment! Scroll down below for more information and details on the guide.

Who’s this guide for

This guide is perfect for a seasoned IT professional or a beginner who is looking at getting experience with installing Windows Server 2022.

What’s included in the video

In this guide I will walk you through the following:

  • Installing Windows Server 2022 (with Desktop Experience)
  • Document a new Server Installation
  • VMware Tools Installation
  • Configuring Network Settings
  • Computer Name Change
  • Windows Server 2022 Server Manager Overview
  • Windows Updates

What’s required

To get started you’ll need:

  • 1 x Server (Virtual Machine or Physical Server)
  • Microsoft Windows Server 2022 Licensing
  • A network router and/or firewall

Hardware/Software used in this demonstration

  • VMware vSphere
  • HPE DL360p Gen8 Server
  • Microsoft Windows Server 2022
  • pfSense Firewall

Sep 18, 2021
 

Welcome to Episode 03 of The Tech Journal Vlog at StephenWagner.com

In this episode

Fun Stuff

  • Homelab Video Demo (https://youtu.be/oaZv2hpQKac)
  • Telus Fiber 1G Internet (for Business)
    • Sophos UTM Dual WAN Balancing
  • Synology
    • Synology Diskstation DS1621+
    • DSM 7.0
    • Synology C2 Cloud Backup

Work Update

  • VDI Consulting
    • VDI Golden Images for Non-Persistent VDI
  • DUO MFA/2FA
    • Implementations of DUO with Horizon
  • Exchange Projects
  • IT Director as a Service 🙂

Life Update

  • Back at the Gym
  • Travel is Back (Regina, Vancouver)

New Blog Posts

Current Projects

  • Synology DS1621+
  • AMD S7150 x2 MxGPU
  • NVME Storage Server Project
  • 10ZiG Thin Clients

Don’t forget to like and subscribe!
Leave a comment, feedback, or suggestions!

Sep 13, 2021
 
Synology C2 Cloud Logo

So if you’re like me, you’ve just deployed your Synology DiskStation DSM NAS to back up to the Synology C2 Cloud (C2 Backup) or to access Synology Hybrid Shares (C2 Storage).

But wait, you’re having issues with disconnections or slow speeds? It could be your firewall!

If you have an advanced firewall or an enterprise grade firewall, you’ll need to make some exceptions to avoid HTTPS scanning and interception, IPS, and other mechanisms that could be blocking traffic destined for the Synology’s C2 Cloud.

The Problem

While I wouldn’t necessarily call it a problem, your Synology NAS uses HTTPS (Port 443) to connect to Synology’s C2 Cloud. This actually makes things very easy and in most cases works off the bat with most firewalls.

When it comes to more complicated firewalls or enterprise firewalls, you may have the following technologies deployed which could be causing connection issues to the Synology C2 Cloud:

  • HTTPS Scanning
  • IPS (Intrusion Prevention System)
  • Traffic tagging and identification
  • QoS

The above technologies may either be slowing down or causing issues with communication.

The Fix

Here’s how we’ll configure the Synology C2 Firewall Exceptions!

To fix this, we need to make a few exceptions on the firewall. In my case I’m using a Sophos UTM, however using the information below you should be able to create rules for your own firewall even if the vendor is different.

First, let’s start with Synology’s C2 Cloud DNS hostnames, domains, and IP ranges. I identified these through my own troubleshooting and packet analysis:

Synology C2 Cloud DNS

  • synology.com
  • c2.synology.com
  • us.c2.synology.com

Synology C2 IP Range (CIDR Block)

  • 66.150.175.0/24

Please note that the above are for the Synology C2 Cloud datacenter in the US region.

We’ll need to create exception rules for the above hosts, and IP range to avoid any type of traffic interception or scanning.

HTTPS Scanning Exclusion

On the Sophos UTM, I created an exception on the HTTPS Scanner to exclude any type of scanning for web (HTTP and HTTPS) traffic destined for these hosts. The entries in the exception are below:

^https?://([A-Za-z0-9.-]*\.)?synology\.com/
^https?://([A-Za-z0-9.-]*\.)?c2\.synology\.com/
^https?://([A-Za-z0-9.-]*\.)?us\.c2\.synology\.com/

I also created a Network Definition Group (called it Synology C2 Group) for the IP CIDR range, along with the DNS hostnames, and added it to the transport mode skiplist under “Skip Transparent Destination Hosts/Nets”.
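Before trusting a scanner exception, it is worth checking exactly which URLs it exempts. The following is an added example, not part of the original post or of Sophos’ software: it runs the three patterns above as standard regular expressions (assuming the UTM applies them to the full request URL) against a constructed set of URLs that should bypass scanning and look-alike or bare-IP URLs that must not.

```python
import re

# The three HTTPS-scanner exception patterns from the post, verbatim.
SKIP_PATTERNS = [
    r"^https?://([A-Za-z0-9.-]*\.)?synology\.com/",
    r"^https?://([A-Za-z0-9.-]*\.)?c2\.synology\.com/",
    r"^https?://([A-Za-z0-9.-]*\.)?us\.c2\.synology\.com/",
]
COMPILED = [re.compile(p) for p in SKIP_PATTERNS]


def matching_patterns(url):
    """Return the indexes of the patterns that would exempt this URL from scanning."""
    return [i for i, rx in enumerate(COMPILED) if rx.match(url)]


def is_excluded(url):
    """True if at least one exception pattern matches, i.e. the scanner is bypassed."""
    return bool(matching_patterns(url))


# Constructed test URLs (not captured traffic): what should bypass the scanner...
SHOULD_SKIP = [
    "https://us.c2.synology.com/api/v1/backup",
    "https://c2.synology.com/",
    "http://synology.com/",
    "https://account.synology.com/login",
]
# ...and what must still be scanned.
MUST_SCAN = [
    "https://synology.com.example.net/",  # look-alike host: the trailing '/' anchor stops it
    "https://notsynology.com/",           # the optional prefix must end with a dot
    "https://synology.com:443/",          # an explicit port also defeats the '/' anchor
    "https://66.150.175.10/",             # a bare IP in the CIDR block: the Network Definition
                                          # covers this, the regex does not
]


def check_all():
    """Return (URLs wrongly scanned, URLs wrongly exempted) over the constructed samples."""
    wrongly_scanned = [u for u in SHOULD_SKIP if not is_excluded(u)]
    wrongly_exempted = [u for u in MUST_SCAN if is_excluded(u)]
    return wrongly_scanned, wrongly_exempted


if __name__ == "__main__":
    for url in SHOULD_SKIP + MUST_SCAN:
        print(f"{url:45} -> patterns {matching_patterns(url)}")
    print("errors (scanned, exempted):", check_all())
```

Note that the first pattern already matches every URL the second and third do, so those two only restate it; the skiplist stays narrowest if you keep just the hosts you actually saw in the packet capture.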

IPS (Intrusion Prevention)

IPS systems can slow down traffic significantly as they scan inbound and outbound data. This shouldn’t disrupt the connection to the Synology C2 Cloud, but will slow it down.

Using the network definition created above (Synology C2 Group), we’ll go to the IPS settings and create an exception. We’ll disable all IPS features on traffic “Going to these destinations” and apply it to the “Synology C2 Group” network group definition.

QoS and other Systems

You’ll also want to make sure that if you’re using QoS, you configure the applicable rules to put the priority you want on the Synology C2 Cloud traffic.

After that, you should be good to go and can now enjoy the Synology C2 Cloud!