Showing posts with label VPN. Show all posts

Saturday, March 22, 2014

CrashPlan and JunOS Pulse conflict

I spent an hour or so today trying to get CrashPlan working on my Linux machine.  The software installed just fine, and the backup engine appeared to start fine as well:

$ sudo service crashplan start    
Starting CrashPlan Engine ... Using standard startup
OK

However, the desktop portion of the CrashPlan software kept saying that it was "Unable to connect to the backup engine, retry?".  Weird.  So I checked to see if the server was actually listening on the port it's supposed to be listening on:

$ netstat -ln | grep 4243
$

Nope.  So it must not be starting up as "OK" as it claims.  Digging through some of the logs (specifically /usr/local/crashplan/log/service.log.0) I found this gem that shows up just before the service automatically shuts down:

[03.22.14 22:05:04.511 WARN    main                 com.backup42.service.CPService          ] >>>>> CPService is already listening on 0.0.0.0:4242 <<<<<

Wait, wat?  Something (it thinks it's itself, but that's not the case) is already bound to port 4242.  Netstat shows who actually is bound to that port:

$ sudo netstat -anp | grep 4242 
tcp  0 0 127.0.0.1:4242  0.0.0.0:*        LISTEN      11466/ncsvc
tcp  0 0 127.0.0.1:45982 127.0.0.1:4242   ESTABLISHED 11466/ncsvc
tcp  0 0 127.0.0.1:4242  127.0.0.1:45982  ESTABLISHED 11466/ncsvc

ncsvc!  That's the Juniper VPN software (aka JunOS Pulse).  Well that's no good, I'm almost always connected to the VPN.  Luckily, CrashPlan lets you configure the port that the server uses to something other than 4242!

The fix that made it work happily ever after was simply modifying a line in /usr/local/crashplan/conf/my.service.xml:

Change:
 <location>0.0.0.0:4242</location>
To a port that isn't already in use:
 <location>0.0.0.0:4244</location>

Now the CrashPlanEngine portion of the software runs smoothly even when I'm on the VPN!
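A small Python script, added here as an illustration and not part of the original post or of the CrashPlan software, that performs the same diagnosis programmatically: it reads the <location> element from a constructed stand-in for my.service.xml, attempts the bind the engine would attempt to learn whether something else already holds the port (a loopback-only listener such as ncsvc on 127.0.0.1:4242 still blocks a 0.0.0.0:4242 bind, which is exactly why the engine's "already listening" warning was misleading), and rewrites the element to the next free port. The sample XML, the demo_conflict() helper and all function names are my own assumptions, not CrashPlan's.

```python
import errno
import socket
import xml.etree.ElementTree as ET

# Constructed stand-in for the relevant part of /usr/local/crashplan/conf/my.service.xml;
# the real file carries many more elements, only <location> matters here.
SAMPLE_CONFIG = """<serviceConfig>
  <location>0.0.0.0:4242</location>
</serviceConfig>
"""


def parse_location(xml_text):
    """Return (host, port) from the <location> element."""
    root = ET.fromstring(xml_text)
    text = root.findtext("location")
    if text is None or ":" not in text:
        raise ValueError("no <location>host:port</location> element found")
    host, port = text.rsplit(":", 1)
    return host, int(port)


def port_is_free(host, port):
    """Attempt a bind exactly as the engine would.  EADDRINUSE means another
    process holds the port (including a loopback-only listener when we ask
    for 0.0.0.0); EACCES means a privileged port we cannot take either."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((host, port))
        except OSError as exc:
            if exc.errno in (errno.EADDRINUSE, errno.EACCES):
                return False
            raise
    return True


def find_free_port(host, start, limit=50):
    """First port in [start, start+limit) that we can bind."""
    for port in range(start, start + limit):
        if port_is_free(host, port):
            return port
    raise RuntimeError(f"no free port in {start}-{start + limit - 1}")


def update_location(xml_text, new_port):
    """Rewrite the <location> element to the same host with a new port."""
    root = ET.fromstring(xml_text)
    element = root.find("location")
    host, _ = element.text.rsplit(":", 1)
    element.text = f"{host}:{new_port}"
    return ET.tostring(root, encoding="unicode")


def demo_conflict():
    """Reproduce the post's situation on an ephemeral port: a loopback-only
    listener (standing in for ncsvc) blocks the wildcard bind, and a free
    port is chosen instead.  Returns (busy, suggested, free_after, port)."""
    blocker = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    blocker.bind(("127.0.0.1", 0))   # kernel picks an unused port for us
    blocker.listen(1)
    port = blocker.getsockname()[1]
    try:
        busy = not port_is_free("0.0.0.0", port)
        suggested = find_free_port("0.0.0.0", port)
    finally:
        blocker.close()
    free_after = port_is_free("0.0.0.0", port)
    return busy, suggested, free_after, port


if __name__ == "__main__":
    host, port = parse_location(SAMPLE_CONFIG)
    if port_is_free(host, port):
        print(f"{host}:{port} is free, no change needed")
    else:
        new_port = find_free_port(host, port + 1)
        print(f"{host}:{port} is taken; moving the engine to {new_port}")
        print(update_location(SAMPLE_CONFIG, new_port))
```

The bind test is deliberately done without SO_REUSEADDR so that the result matches what a freshly started service would see; a port that is only in TIME_WAIT will also show as busy, which is the safer answer when picking a port for a long-running daemon.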


Wednesday, November 23, 2011

Cisco ASA 5500 Active Directory Integration

Today I needed to enable an extra layer of security for a Cisco ASA VPN (ASA 5500 series appliance - should work on 5505, 5510, 5520, 5540, 5550, etc...).  I needed to require the user to enter their Active Directory domain credentials to connect to a Cisco IPsec VPN, for better security.

I worked this out from inside the ASA's ASDM software.


  1. Add an AAA server group for Active Directory authentication (under Configuration --> Remote Access VPN --> AAA/Local Users --> AAA Server Groups).
  2. Choose a name, and pick protocol: LDAP. Everything else here is fine.
  3. Now that you have your server group, highlight it in ASDM, and in the bottom half of the screen, add a server to the group.  This is where things get tricky!
    • Choose what interface the server is off of, put in the server's IP, and fill out the rest of the details as shown below.  This server must be a domain controller!
    • For Base DN, you should enter your AD domain name, in the format DC=DOMAIN,DC=COM (or local, or whatever)
    • Scope should be set to All levels beneath the Base DN, if you want it to be able to find all of your user accounts.
    • Naming attribute should be sAMAccountName
    • For Login DN, enter the path to an account with the correct privileges to read the required information.  I don't have specific details on this - I just used a domain admin account (I know, I know).  The format should be CN=UserAccount,CN=ThisUsersOU,DC=YourDomain,DC=COM (if the user account is several OUs deep, you'll need to add a CN= entry for each OU, in the correct order - starting with the one that the user is in).
    • Test the server using the Test button, after you click OK!
  4. Now that the group is set up, we need to configure some profiles to use this group!  Inside ASDM, navigate to Configuration --> Remote Access VPN --> Network (Client) Access --> IPsec Connection Profiles.
  5. Edit the profile you want to change to require AD authentication.
    • On the first page (Basic), change the Server Group (under the User Authentication section on the right side) to the group you just created.
    • On the Advanced --> General page, make sure nothing is checked here - everything should be unchecked and set to --None--
    • Under Advanced --> IPsec --> IKE Authentication, set the Default Mode to XAUTH (Extended user authentication).  This is what forces a login prompt when users connect.  The checkbox here doesn't need to be checked.
    • Nothing else should need to be changed (from defaults) in any other pages.  Click OK, then test it using a VPN client!!!
  6. That's it.  Let me know if you run into any issues or have any suggestions!
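The two DN strings in steps 3 and 5 are where this procedure most often goes wrong, so here is an added Python helper (my own code, not the post's and not Cisco's) that builds them and then prints the CLI lines I believe correspond to the ASDM clicks above. It derives the Base DN from the domain name, builds the Login DN from the account name and its container chain in the leaf-first order the post describes, and applies RFC 4514 escaping so a name containing a comma or a leading space does not silently produce a DN that fails to bind. Two caveats a practitioner will want: in Active Directory an organizational unit's RDN is OU=Name, while CN=Name is used for containers such as the default Users container, so the helper takes the type explicitly; and because the ASA only needs to search and read user attributes, a dedicated read-only service account is enough for the Login DN and is a much smaller blast radius than a domain admin if the ASA or its configuration backup is ever compromised. The group, tunnel-group, interface and address values are placeholders, and the ASA CLI mapping (ldap-scope subtree for "All levels beneath the Base DN", isakmp ikev1-user-authentication xauth for the XAUTH default mode) is my assumption from the ASA command set of that era; newer releases spell the XAUTH line differently.

```python
# RFC 4514: these characters must be backslash-escaped inside an RDN value;
# a leading '#' and a leading or trailing space must be escaped as well.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value):
    """Escape one attribute value for use in a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def base_dn_from_domain(domain):
    """'corp.example.com' -> 'DC=corp,DC=example,DC=com' (the post's Base DN)."""
    labels = [label for label in domain.strip().split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={escape_rdn_value(label)}" for label in labels)


def login_dn(account_cn, containers, domain):
    """Build the Login DN.  containers is listed leaf-first: the container
    holding the account comes first, the order the post describes.  Each
    entry is ('OU', name) for an organizational unit or ('CN', name) for a
    container such as the default Users container."""
    parts = [f"CN={escape_rdn_value(account_cn)}"]
    for kind, name in containers:
        if kind not in ("OU", "CN"):
            raise ValueError(f"unsupported RDN type {kind!r}")
        parts.append(f"{kind}={escape_rdn_value(name)}")
    parts.append(base_dn_from_domain(domain))
    return ",".join(parts)


def asa_ldap_config(group, interface, server_ip, domain, bind_dn, tunnel_group):
    """Emit the assumed CLI equivalent of the ASDM steps.  The bind password
    is left as a placeholder: set it on the appliance, never in a script
    that gets checked in."""
    return "\n".join([
        f"aaa-server {group} protocol ldap",
        f"aaa-server {group} ({interface}) host {server_ip}",
        f" ldap-base-dn {base_dn_from_domain(domain)}",
        " ldap-scope subtree",                   # 'All levels beneath the Base DN'
        " ldap-naming-attribute sAMAccountName",
        f" ldap-login-dn {bind_dn}",
        " ldap-login-password <PLACEHOLDER-set-on-the-appliance>",
        " server-type microsoft",
        f"tunnel-group {tunnel_group} general-attributes",
        f" authentication-server-group {group}",
        f"tunnel-group {tunnel_group} ipsec-attributes",
        " isakmp ikev1-user-authentication xauth",  # 'Default Mode: XAUTH' (pre-8.4 syntax)
    ])


if __name__ == "__main__":
    # Placeholder values; a read-only service account in its own OU.
    bind = login_dn("svc-vpn-ldap", [("OU", "Service Accounts"), ("OU", "IT")], "example.com")
    print(asa_ldap_config("AD-LDAP", "inside", "192.0.2.10", "example.com", bind, "RemoteAccess"))
```

Run it once with your own values and compare the ldap-login-dn line against what ADSI Edit shows for the account's distinguishedName; if the two differ in anything but escaping, the Test button in step 3 will fail for the same reason.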