Dec 142011

Recently I had the task of setting up a Site-to-Site IPSec tunnel between my office and one of my employees home office. At my main business HQ we have a Sophos UTM running inside of a vSphere 4 cluster. However I had to find the cheapest way to get the employee hooked up.

The main tasks of the VPN endpoint at the employee’s site was:

1) Filter web, pop3, and provide security for the devices behind the UTM at the home office (1-3 computers, and other random devices)

2) Provider a Site to Site VPN connection and to allow the user access to internal resources, along with providing access to our VoIP PBX (VoIP phone at employee site)

3) Provide access to other resources such as exchange, CRM, etc… And reverse management of devices at home office from HQ

First I needed to find an affordable computer to install the Sophos UTM software appliance on to. My company is an HP Partner, and we love their products, so I decided to purchase a new computer that would be powerful enough to host the UTM software appliance, and also be protected under HP’s business warranty. I wanted the system to have enough performance that in the future, if the home office was decommissioned, we would be able to use it still as a UTM device but for something else (let’s say a real remote office).

After taking a look at our distributor to find out what was immediately available (as this was a priority), we deiced to pick up a HP Compaq 4000 Pro Small Form Factor PC. Below are the specs:

HP Compaq 4000 Pro Small Form Factor PC

Part Number: LA072UT (Or LA072UT#ABA for the English version in Canada)

System features
Processor Intel® Core™2 Duo Processor E7500 (2.93 GHz, 3 MB L2 cache, 1066 MHz FSB)
Operating system installed Genuine Windows® 7 Professional 32-bit
Chipset Intel® B43 Express
Form factor Small Form Factor
PC Management Available for free download from HP Client Automation Starter; HP SoftPaq Download Manager; HP Client Catalog for Microsoft SMS; HP Systems Software Manager
Standard memory 2 GB 1333 MHz DDR3 SDRAM
Memory slots 2 DIMM
Internal drive bays One 3.5″
External drive bays One 3.5″
One 5.25″
Internal drive 500 GB 7200 rpm SATA 3.0 Gb/s NCQ, Smart IV
Optical drive SATA SuperMulti LightScribe DVD writer
Graphic card Integrated Intel Graphics Media Accelerator 4500
Expansion features
I/O ports 8 USB 2.0
1 serial (optional 2nd)
1 parallel (optional)
1 PS/2 keyboard
1 PS/2 mouse
1 microphone/headphone jack
1 audio in
1 audio line out
1 RJ-45
Slots 2 low-profile PCI
1 low-profile PCIe x16
1 low-profile PCIe x1
Media devices
Audio Integrated High Definition audio with Realtek 2 channel ALC261 codec
Communication features
Network interface 10/100/1000
Power and operating requirements
Power Requirements 240W power supply – active PFC
Operating Temperature Range 10 to 35°C
Dimensions and Weight
Product weight Starting at 7.6 kg
Dimensions (W x D x H) 33.8 x 37.85 x 10 cm
Security management
Security management Stringent Security (via BIOS)
SATA Port Disablement (via BIOS)
Drive Lock
Serial, Parallel, USB enable/disable (via BIOS)
Optional USB Port Disable at factory (user configurable via BIOS)
Removable Media Write/Boot Control
Power-On Password (via BIOS)
Setup Password (via BIOS)
HP Chassis Security Kit
Support for chassis padlocks and cable lock devices
What’s included
Software included Microsoft Windows Virtual PC
HP Power Assistant
Warranty features Protected by HP Services, including a 3 years parts, 3 years labour, and 3 years onsite service (3/3/3) standard warranty. Terms and conditions vary by country. Certain restrictions and exclusions apply.

This system was spec’d very nicely for the requirements we had. Another huge bonus is that it was covered under a factory 3 year warranty from HP. Which means that if anything failed, we would have next business day replacement (I love this, and so do my clients who all purchase HP). The one downside is that the system shipped with a Windows 7 license which we wouldn’t be using, but for the price of the system, it didn’t really matter.

The system only came standard with one Gigabit NIC (Network card), however we need two since this device is acting as a firewall/router. It’s a Small Form Factor system, so we had to find a second network adapter which was compatible with the computers case form factor. The card which we purchased was:

HP – Intel Gigabit CT Desktop NIC

Part Number: FH969AA

Although the computer above is not in the compatibility list for the network card, the network card still worked perfect. Once received, we simply replace the case bracket on the card with one that shipped with it for small form factor computers.

We then burned the .ISO image of the UTM software appliance, and proceeded to install it on the system. It installed (along with the 64-bit kernel) perfectly on the computer. After the install was completed, we configured it to connect to our main central Sophos SUM (Software Update Manager) and shipped the device out to the employee’s home office.

Once installed, we logged on to the Sophos SUM user interface, and created a Site to Site IPsec using the wizard. Within 2-5 seconds the connection was established and everything was working 100%.

After using this for a few days, I checked to make sure the computer was powerful enough to be providing the services required, and it was without any problems.

Just wanted to share my experience in case anyone else is doing something similar to what I did above. If you were to reproduce this, all the hardware should be under $700.00 CAD.

Nov 282011

Just thought I’d do up a quick little post about an issue I’ve been having for some time, and just got it all fixed.

I’ve been running Astaro Security Gateway inside of a VMware environment for a few years. When version 8.x came out, I went ahead and simply attached the ISO to the VM and re-installed over the old v7 and restored the config. This worked great, and for the longest time I had no real issues.

I noticed from time to time that with packet sniffs, there was quite a few retransmissions and TCP segments lost. This didn’t really pose any issues, and didn’t cause any problems, however it was odd.

Recently, I had to configure a Site to Site IPsec VPN between my office, and one of my employees to provide exchange, VoIP, etc… With astaro this is fairly easy, few clicks and it should work simple, however I started noticing huge issues with file transfers, whether being transferred over SMB (Windows File Sharing), or SCP/SSH. Transfers would either completely halt when started, transfer a few couple hundred kilobytes, or transfer half of the file until it would simply halt and become unresponsive.

After 3-4 days of troubleshooting, I went ahead and did a packet sniff, noticed there were numerous TCP segments lost, fragmentation, etc… Initially I beleive that maybe MTU configuration may have had something to do with it, however TCP/IP and the Astaro device should have taken care of properly setting the MTU on the IPsec automatically.

After trying fresh installs of ASG, etc… and no behaviour change, I finally decided to take a few days away and give it a shot later. I’ve troubleshot this from every avenue and for some reason the issue is still existing. I finally figured that the only thing I haven’t checked was with my VMware vSphere environment. Checked the settings, all was good, however I did notice that the NICs for the ASG vm (which were created by the v7 appliance) were set as flexible, and inside of the VM were detected as some type of AMD network adapter. I found this odd.

After shutting down the ASG VM, removing the NICs and configuring new ones using E1000, all of a sudden the issue was fixed, the IPsec Site to Site VPN functioned properly, and all the network issues seen in network captures were resolved.

I hope this helps some other people who may be frustrated dealing with the same issue.

Nov 022011

Well it’s been a few months and love it!

Here’s a little snippet:

Download: 93.89Mb/s

Upload: 4.83Mb/s

Ping: 12ms

Keep in mind I need the connection mostly for upload. I’ve actualy gone over 5Mbps plenty of times. Can’t wait for their 250 plus offering, or even better yet FTTP.

Jun 142011

Well, I decided to upgrade to Shaw’s new “Business Internet 100 Plus” today. I decided to choose the option to pick up the Cable modem, instead of having scheduled a technition since I wanted to play with it today!

Got it done rather quickly over the phone. The plan also includes a phone line, which actually does have to be scheduled since it uses a different device that has to be installed by a Shaw tech.

Anyways, plugged in the new SMC Cable Modem. Noticed that it was an integrated all-in-one Cable/Router/Wifi. This concerned me as I thought I may have received the wrong unit. Plugged it in, noticed Wifi turn on (which concerned me even more). Shortly however, the WiFi turned off, and the “Bridge Mode” was enabled after it was automaticly provisioned by Shaw. (I confirmed this is what actually was happening later on when I spoke to tech support).

Had a few problems getting online. For some reason my account was limited for only 2 devices to have concurrent internet. This was odd and frusterating considering I have 6 Static IPs and should have over 10 Dynamic IPs. After a phone call to Shaw, they resolved this. I also got them to test the line, and all was good.

One interesting thing is that most of the speed test sites out there, actually don’t provide accurate testing since they can’t actually handle your bandwidth. The Shaw Speed test actually reporting a download speed of 98Mbps, and an upload spead of 4.97Mbps.

So far it ROCKS!

Update – July 21st, 2011

It’s been over a month now, and I’m still very satisfied. We had a few minor problems in the past on our old connection with the limitations of upload speed, both for pushing updates out to clients, along with our VoIP system that runs over our internet connection. With the new service, all issues no longer exist. I can actually utilize the internet connection, get the speeds I expect, at the same time use multiple lines on our VoIP system with absolutely NO issues at all.

The speed is still rock solid, the stability of the connection is also still rock solid. Absolutely no complaints whatsoever…

Jul 032010

I’ve had my main web server directly on the net for some time now. The box runs CentOS and I always have it fully up to date, with a minimal install just to act as a web server.

It’s always concerned me a little bit, the fact is I keep the box up to date as much as possible, but it’s still always in the back of my mind.

This weekend I had some time to mess around with some stuff. I wanted to get it setup behind my Sophos UTM, however I did NOT want it to use the public IP address that it’s setup for as I have numerous static IPs all for different services.

I spent a good 3-4 hours doing lots of searching on Google, and I saw a few people that wanted to do the same thing as me, but didn’t really find an explanation for anything.

Ultimately I wanted to setup another external IP address on the Sophos UTM software appliance box, and have that external IP dedicated to JUST the web server. Everything else would continue to run as configured before I started modifying anything.

I finally got it going, and I thought I would do a little write up on this since I saw a lot of people were curious, however no one was having luck with it. So far I’ve just done it for my main web server, however in the future I’ll be doing this with a few more external IPs and servers of mine. So let’s log into the Astaro web interface and get started!

PLEASE NOTE: I performed this configuration on Astaro Security Gateway Version 8, this will also work on a Sophos UTM

  1. Configure the additional IP  –              “Interfaces & Routing”, then choose “Interfaces”. Select the “Additional Addresses” tab on the top of the screen. Hit the “New additional address…” button and configure the additional IP. Please note this worked for me as all my static IPs use the same gateway for the most part, if you have multiple statics that use different gateways this may not work for you. In my case I called this address “DA-Web”. Make sure you enable this afterwards by hitting the green light!
  2. Configure the NAT Rules      –              On the left select “Network Security”, then choose the sub item “NAT”. We do not want to touch anything under “Masquerading” so lets go ahead and select the “DNAT/SNAT” tab. In this section we need to create two rules, one for DNAT, and one for SNAT. Keep in mind that “Full NAT” is available, but due to the setup of the traffic initiation I don’t think we want to touch this at all.
    1. Create the DNAT Rule            –              Hit the “New NAT rule” button. Set “Position” to Top”. “Traffic Source” and “Traffic Service” to “Any”. “Traffic Destination” set to the additional address you created (keep in mind this has the same name as the main external, only with the name of the connection inside of it). Set “NAT mode” to “DNAT”. And finally set Destination to the server you want this going to, or create a new definition for the server. Make sure “Automatic packet filter rule” is NOT checked. See image below for my setup.
    2. Create the SNAT Rule            –              Hit the “New NAT rule” button. Set the “Position” to top. “Traffic Source” should be set to the definition you created for the server you are doing this for. “Traffic Service” should be “Any”. “Traffic Destination” should be “Internet”. Keep in mind this is very important, we want to make sure that if you use multiple subnets inside your network that SNAT is ONLY performed when needed when data gets shipped out to the Internet, and NOT when your internal boxes are accessing it. Set “NAT mode” to SNAT. And finally “Source” being the additional IP you created (again this looks like your normal External IP, but hold the mouse over when selecting the definition to make sure it’s the “additional” IP you created). Make sure “Automatic packet filter rule” is NOT checked. See image below for my setup.
    3. Create Packet Filter Rules    –              Now it’s time to open some ports up so that your server can offer services to the internet. This is fairly standard so I’m sure that you can do it on your own. In my example I created a few rules that allowed HTTP, DNS, and FTP from “any” using the service, to the destination “DA-Webserver” to allow the traffic I needed.

This should be it, it should be working now. If you don’t want to create the packet filter rules and want ALL traffic allowed, you can simply forget section c above, and when creating the DNAT and SNAT rules check the “Create automatic packet filter rules” box on both rules. Keep in mind this will be opening your box up to the internet!

If you find this useful, have any questions, or want to comment or tell me how to do it better, please leave me a comment!


Jul 012010

Here’s a few oldies I found while going through the millions of pictures I’ve taken over the years…