iDRAC6 Virtual Console Java – (Connection Failed)

Here is a quick fix for connecting to an iDRAC console session using Java when you get the “Connection Failed” error. You simply need to re-enable SSLv3 support in Java temporarily.

  1. Browse to the Java security folder (C:\Program Files (x86)\Java\jre1.x.x\lib\security)
  2. Edit the java.security file in that folder. (You may need to open Notepad as Administrator first.)
  3. Comment out the line “jdk.tls.disabledAlgorithms=SSLv3” by putting a # in front of it.

That should allow you to connect without any errors. For security purposes, uncomment that line again when you are finished so that SSLv3 is disabled once more.
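A scripted version of the same change, added here as an example (it is not from the original post). It goes a step further than the post: rather than commenting out the whole jdk.tls.disabledAlgorithms line, which would also re-enable every other algorithm listed on it, it removes only the SSLv3 entry, keeps a backup, and restores the original file when you are done. It assumes a POSIX shell (on Windows, for example Git Bash or WSL pointed at the path from step 1; the JAVA_SECURITY path in the script is a placeholder) and uses a constructed java.security fragment for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Narrows the change to the SSLv3
# entry only, backs up java.security first, and restores it afterwards.
# JAVA_SECURITY is a placeholder; on Windows the post's file is
# C:\Program Files (x86)\Java\jre1.x.x\lib\security\java.security.
JAVA_SECURITY="${JAVA_SECURITY:-/path/to/jre/lib/security/java.security}"

# Write a constructed java.security fragment (sample data for the demo only).
make_sample() {
cat > "$1" <<'EOF'
# constructed java.security fragment
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer
EOF
}

# Return 0 if an active (uncommented) jdk.tls.disabledAlgorithms line still lists SSLv3.
sslv3_disabled() {
  grep -q '^jdk\.tls\.disabledAlgorithms=.*SSLv3' "$1"
}

# Back up FILE to FILE.bak and strip only the SSLv3 entry from the
# jdk.tls.disabledAlgorithms list, leaving the other disabled algorithms in force.
enable_sslv3() {
  f="$1"
  cp "$f" "$f.bak" || return 1
  sed -e '/^jdk\.tls\.disabledAlgorithms=/ s/SSLv3, *//' \
      -e '/^jdk\.tls\.disabledAlgorithms=/ s/, *SSLv3//' "$f" > "$f.new" \
    && mv "$f.new" "$f"
}

# Put the original file back once the iDRAC session is finished.
restore_sslv3() {
  f="$1"
  [ -f "$f.bak" ] || { echo "no backup found for $f" >&2; return 1; }
  mv "$f.bak" "$f"
}

# Usage against a real file (uncomment to run):
#   enable_sslv3 "$JAVA_SECURITY"     # before launching the iDRAC6 console
#   restore_sslv3 "$JAVA_SECURITY"    # after closing it
```

The check function lets you confirm the state of the file before and after, which is handy when more than one JRE is installed and you are not sure which java.security the console applet actually reads.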

Update Plex – FreeNAS 11.3

The path to the iocage jails has changed in FreeNAS 11.3. This post shows the new path, but the instructions are the exact same as they were on FreeNAS 11.2.

  1. Download the newest Plex Update via Plex Dashboard Link
  2. Extract the file twice so folders can be accessed
  3. Rename folder plexmediaserver
    For Plex Pass Subscribers, rename plexmediaserver-plexpass

4. Stop the current Plex Jail
5. Open WinSCP and login to FreeNAS and browse to: /mnt/FreeNAS/iocage/jails/plexpass/root/usr/local/share
6. Rename existing plexmediaserver folder and add _old at the end
7. Copy the plexmediaserver folder you downloaded into the WinSCP window


8. Right-Click on the copied folder and set permissions recursively to 0775
9. Open the plexmediaserver folder and select the file Plex Media Server
10. Click New Link

11. Name the link Plex_Media_Server and click OK
12. Click the Link you created and select the Console Button
13. Enter the command: chmod -h 775 Plex_Media_Server


Upgrade Complete!

Update Plex – FreeNAS iocage

Manual Plex Upgrade

  1. Download the newest Plex Update via Plex Dashboard Link
  2. Extract the file twice so folders can be accessed
  3. Rename folder plexmediaserver
    For Plex Pass Subscribers, rename plexmediaserver-plexpass

4. Stop the current Plex Jail
5. Open WinSCP and login to FreeNAS and browse to /mnt/iocage/jails/root/usr/local/share/
6. Rename existing plexmediaserver folder and add _old at the end
7. Copy the plexmediaserver folder you downloaded into the WinSCP window

8. Right-Click on the copied folder and set permissions recursively to 0775
9. Open the plexmediaserver folder and select the file Plex Media Server
10. Click New Link

11. Name the link Plex_Media_Server and click OK
12. Click the Link you created and select the Console Button
13. Enter the command: chmod -h 775 Plex_Media_Server

Upgrade Complete!
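The same replacement done from an SSH session instead of WinSCP, added here as an example that serves both this post and the FreeNAS 11.3 one above (it is not from either post). It covers steps 4-13: the old install is kept as plexmediaserver_old, the new folder is copied in, permissions are set to 0775 recursively, and the Plex_Media_Server link is created. The share directory and the uploaded folder are passed as arguments, so the path difference between the two posts does not matter; the jail name plexpass and the upload path in the usage comment are taken from the 11.3 post and a placeholder respectively.

```shell
#!/bin/sh
# Added example, not from the original posts: the WinSCP steps 4-13 done from
# an SSH session on FreeNAS. SHARE is the usr/local/share directory inside the
# jail root (the 11.3 post uses /mnt/FreeNAS/iocage/jails/plexpass/root/usr/local/share)
# and NEW is the extracted, renamed plexmediaserver folder you uploaded.

# replace_plex SHARE NEW: keep the old install as plexmediaserver_old, copy the
# new folder in, set 0775 recursively, and create the Plex_Media_Server link.
replace_plex() {
  share="$1"; new="$2"
  target="$share/plexmediaserver"

  # Sanity checks before touching anything in the jail.
  [ -d "$new" ] || { echo "new folder $new not found" >&2; return 1; }
  [ -f "$new/Plex Media Server" ] || { echo "$new has no Plex Media Server binary" >&2; return 1; }
  if [ -e "${target}_old" ]; then
    echo "refusing to overwrite existing backup ${target}_old" >&2; return 1
  fi

  if [ -d "$target" ]; then
    mv "$target" "${target}_old"                         # step 6
  fi
  cp -R "$new" "$target" || return 1                     # step 7
  chmod -R 0775 "$target"                                # step 8
  ln -s "Plex Media Server" "$target/Plex_Media_Server"  # steps 9-11
  # Step 13: -h changes the link itself (FreeBSD chmod). GNU chmod has no -h,
  # so the call is allowed to fail when this runs outside FreeBSD.
  chmod -h 775 "$target/Plex_Media_Server" 2>/dev/null || true
}

# Usage from an SSH session on the FreeNAS host (jail name from the 11.3 post,
# upload path is a placeholder):
#   iocage stop plexpass
#   replace_plex /mnt/FreeNAS/iocage/jails/plexpass/root/usr/local/share /mnt/FreeNAS/uploads/plexmediaserver
#   iocage start plexpass
```

The refusal to overwrite an existing plexmediaserver_old is deliberate: if a previous upgrade left one behind, a second run would silently destroy the only copy of the last known-good install.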

Factory Reset Aruba IAP Access Point

Reset APs via Console Cable (preferred method)

  • Connect the serial console breakout adapter cable to the AP Ethernet port and a laptop.
  • Power on the AP and get into apboot mode.
  • From the apboot prompt, configure:
    apboot> purge
    apboot> save
    apboot> reset

Reset APs via GUI

  • Click on “Maintenance” and go to the “Convert” tab.
  • In the dropdown for “Convert one or more APs to”, choose “Standalone AP”.
  • Pick the one you want.
  • This will gracefully exit the IAP from the VC cluster.

Disable “Send Read Receipts” via OWA

Believe it or not, disabling Read Receipts in Outlook does not disable this feature from your mobile device. In fact, Send Read Receipts is enabled out of the box, and it has to be disabled via OWA. Big thanks to Gostev from Veeam for pointing this out!

Disabling it is easy, and I can’t think of many scenarios in which someone would NOT want to disable this. It can be disabled by logging into OWA from a computer (or a mobile browser that will disable the mobile view) and go to the following:
Settings -> General -> Mobile Devices -> and make sure to check the “Don’t send read receipts for messages read on devices that use Exchange Active Sync” checkbox.

Update Plex – FreeNAS 11.2 iocage via SSH Console

Basic Plex Upgrade

  1. SSH into FreeNAS
  2. Type jls to list installed jails

3. Type jexec {n} csh where {n} is the installed jail ID
4. Type pkg upgrade

5. Type service plexmediaserver stop
6. Type service plexmediaserver start

Plex-Pass Upgrade

Change the commands in steps 5-6 to the following:

5. Type service plexmediaserver_plexpass stop
6. Type service plexmediaserver_plexpass start

Finding Raw Device Mappings (RDMs) used in your VMware vSphere Environment

Cleaning up legacy storage and vSphere environments is always fun, especially when you think you have everything moved off an old array, only to find that your production database goes offline when that array is unplugged (totally made up scenario, did not happen to me 🙂).

The slow way to approach this would be to go through every VM, one by one, and check the disks associated with the VM, and then reference LUN numbers on the SAN, etc. OR, you could use PowerCLI and find that info in a snap.

For instructions on how to install PowerCLI, see my previous post here

  1. Connect to your vCenter Server through PowerCLI by using the following command and entering the appropriate vSphere credentials

Connect-VIServer YOUR IP ADDRESS

If you get a certificate error at this point, you will need to set PowerCLI to disregard self-signed certs

Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false

  2. Run the following command to produce a list of VMs with RDMs

Get-VM | Get-HardDisk -DiskType "RawPhysical","RawVirtual" | Select Parent,Name,DiskType,ScsiCanonicalName,DeviceName | fl

The output will look similar to this (sorry, I didn't have any additional RDMs when making this tutorial for a real screenshot)

  3. Finally, if you would like to save the output to a file, use the following command

Get-VM | Get-HardDisk -DiskType "RawPhysical","RawVirtual" | Select Parent,Name,DiskType,ScsiCanonicalName,DeviceName | fl | Out-File -FilePath RDM-list.txt


Install VMware’s PowerCLI in Windows

VMware PowerCLI is a very powerful tool to assist in automating tasks, advanced configurations and troubleshooting, etc. The following procedure can be used to install PowerCLI.
Downloading and installing PowerCLI is all done within Windows PowerShell itself.

  1. Open Windows PowerShell (Run as Admin)
  2. Run the following PowerShell command to download the PowerCLI modules (Path = wherever you save your PS modules). This process may take a few minutes.
    Save-Module -Name VMware.PowerCLI -Path <path>

  3. Run the following PowerShell Command to Install the PowerCLI Modules

    Install-Module -Name VMware.PowerCLI

  4. Finally, you can test to make sure the modules installed properly by running the following:
    Get-Module -ListAvailable -Name VMware*

Sophos XG Virtual Appliance Firewall Deployment – Step by Step Guide

  1. Download the XG Appliance OVF/OVA files from Sophos
  2. In vSphere, Right-Click on the Cluster or Host where you want to deploy the virtual appliance and select Deploy OVF Template

  3. Click Local File, then Browse. Select the .ovf file and the .vmdk disk files and click Open

  4. Give the VM a name and select the Datacenter in which to deploy the Virtual Appliance

  5. Select the Host or Cluster in which to deploy the appliance

  6. Review Storage Details

  7. Select the Virtual Network you want assigned to the LAN interface. (You will configure WAN later)

  8. Review Settings and click Finish

  9. Log in to the LAN interface using https://172.16.16.16:4444 (make sure the computer or device you are logging in from has an IP on the 172.16.16.0 network). Provide a new Admin password

  10. If your ISP does not provide an IP via DHCP, manually enter the IP parameters.

  11. Review finalized settings and Continue

  12. The firewall will apply configs and reboot a few times (takes 5 mins). Log in to the firewall at the same https://172.16.16.16:4444 with the new password you set.

  13. Finally, you can configure the firewall and change LAN IP, etc once logged in.

Sophos XG Firewall Review

Sophos has been climbing the Security leaderboard of the Magic Quadrant for some time now, and we have utilized their amazing Endpoint protection within our company and with our customers. I was excited to get my hands on their XG Firewalls and take notes of my experience with the initial deployment, configuration, and ongoing feedback.
Note: this review is based on a week or so of usage, and does not incorporate feedback over time, which is where most issues with any product usually creep up.

Aesthetics – Initial impressions of the nuts/bolts

The XG135w is a desktop form factor unit that has the ability to be rack-mounted (mounting kit not included). It has a nice clean shell and three large omni-directional antennas, with the ability to add two additional antennas with an add-on module. It has 8 x 1GbE ports plus an additional 1GbE SFP port, which, when in use, takes the place of Port 5. It has an HDMI port which I haven’t had time to try out, two USB ports and one Micro USB for console access. It feels like they have taken a really nice gaming motherboard and converted it to an awesome firewall. It’s rare that you see SFP, HDMI, and Micro USB ports on a firewall, but it’s what makes the XG so unique. The expansion bay allows you to add any one of the following: SFP DSL Module, 3G/4G module, additional Wifi Radio, or additional SFP ports.
The DC power plug threw me off a little bit though, as it is a 12v banana plug that goes into the firewall itself, while the other end requires an adapter to convert it to a US or European power socket. Not a bad thing, but not what you would expect. (There are two DC ports for dual power supplies.)

White Gloss Shell

Banana Plug DC Power


Deployment

Deployment was very easy, with a Setup Wizard that takes you through everything from power-on to management login. It ships with a default IP of 172.16.16.16, so you will need to give your laptop an IP on that subnet and then hit that IP through a web browser. You can probably take most of the defaults throughout the 5 page wizard; the only real decisions you will need to make during setup are a new Admin password and whether you want to use the firewall in Route Mode or Bridge Mode. A 5 min deployment couldn’t be easier.


GUI and Management

Sophos has always been very good at “simplicity of management”, and the Sophos Firewall OS keeps to that style. There are basically four areas of management with the XG:
Monitor and Analyze: Overview, Alerts, Reports
Protect: Policies, Rules, Security Features
Configure: Network Routing, VPN, etc.
System: Device related management

Control Center – Overview


Do not mistake the simplistic design as a lack of features and security granularity. The XG has a LOT of pre-built policy and rule templates, as well as the ability to create your own.

Built-in Web Policies

Application Profiles


Little Gotchas and Things to Improve

There are a few things that were confusing and more complex than they should be, which I will briefly describe.

Using LAN Ports as Switch Access Ports:
I spent an hour or so at least trying to figure out how to use Ports 3-8 on the same subnet as my LAN traffic. After much trial/error, and even reaching out to Sophos Support, it was finally resolved by a local Sophos SE (thanks, Joe!) who has run into this before. Not only do you have to bridge the interfaces together, you also need to create a LAN to LAN firewall rule allowing the traffic. I guess in hindsight you could say this is just an extra step to maintain security more than it is a software issue, but if so, they should at least document this or train their support staff on how to properly set this up.

Bridge the LAN interfaces then apply the following firewall rule

LAN to LAN Firewall Rule

Default Security Policies:
This could also be considered an extra layer of security, but many multimedia websites/services were semi-broken with the default policies of the XG. For example, Netflix and Amazon Video would allow you to browse content, but would error out when you attempted to play the content. This also caused some issues in company website hosting services. The solution here was to use the “Allow All” web policy for all Outgoing Traffic. I am sure there is a more granular policy to use here, but with the limited testing I have had with this, that was the quick and dirty fix.


Final Thoughts

I have been VERY happy with what I have seen so far and am excited to continue digging into more. I wish I had another XG to test HA failover, and I would love to test out some of their wireless access points. I didn’t do much Wireless testing with the XG itself, since it usually doesn’t make sense to have the wireless enabled in the data center or server room, but I am very interested to see if their Access Points can replace some of the broader brands. In general, the XG is worthy of replacing most legacy vendors in the data center. The hardware is great, the security features are even better!