Monthly archives: October 2016

Manually configuring Unified Gateway

I’m writing this post in English to make it easier for our non-Swedish readers.

I’m going to try and explain how to configure Unified Gateway, without the wizard! I’ll try to let the commands speak for themselves, but feel free to comment if you need me to add some additional information about what I’m doing or why. I’ll be configuring Unified Gateway enabling ICA Proxy, RDP Proxy and AAA protected applications – we would also be able to add SSL VPN using a specific group, but we’ll leave that for another time.

I’ve tried to remove parameters that don’t "matter", but if there’s something that doesn’t work, it’s most likely because of that – just comment and I’ll update.

The first step in configuring Unified Gateway is also the easiest: creating a redirect to HTTPS (in my own special way) for traffic coming in on HTTP.

Now we’re able to redirect everything hitting HTTP to HTTPS with a 301 (Moved Permanently), while still keeping the Host header, URL and query string. I’ve also added the HSTS header, just to be sure.


The next step is configuring some basic AAA settings. I always try to limit what is allowed by default and then use groups from AD to grant access to specific resources.

The authentication profile above uses ugw.example.com, which is the URL of my Unified Gateway; the gateway itself will be added later.


Now, let’s create an AAA protected web application with form fill, and require users to be members of a specific group. In my case, I’ll use ADFS for the form fill application:

You will find some more information about what needs to be configured on ADFS 3.0 to get this working in another blog post I’ve written (in Swedish, but you’ll find the commands).


Now let’s create another web application (one that uses either 401/WIA authentication or perhaps ADFS/SAML).


Now we need to create the NetScaler Gateway and some groups.


As the last step, let’s add all these vServers behind one content switch:


Now we’ve got one content switch with NetScaler Gateway (ICA Proxy & RDP Proxy) as well as AAA protected applications, and single sign-on between everything. Configured manually!

When it comes to publishing the same URL internally (if you don’t want to use NetScaler Gateway internally as well), you can move the creation of the bookmark from NetScaler Gateway to XenApp/XenDesktop (described here by Jason Samuel, possible with version 7.11) and use StoreFront on the content switch instead of NetScaler Gateway.

Good luck and feel free to leave a comment!



Create an ISO with PowerShell

When you can only reach a server through, for example, a console or iLO session that has no network connection, transferring files or tools to that server can easily become cumbersome.

On Microsoft Script Center, Chris Wu has published a PowerShell script for creating ISO files. The ISO file can in turn be used in the virtual DVD drive in the console.


Save the script under any name you like. In the example below I have chosen the name "MakeIso.ps1". Run the script in PowerShell as shown in the image below so that the new function becomes available:

MakeISO

This makes it possible to create ISO files directly from PowerShell. Below are a few examples:

1. The PowerShell script will now create an ISO file in a Temp folder.

2. Conveniently creates an ISO file from the clipboard.


You now have an ISO with the files and/or tools you need, which you can easily mount in the DVD drive.





AppLocker event log audit report

AppLocker is a great resource for keeping malicious code and unwanted applications out, but it is not always easy to inventory the applications in your environment.
To solve this, AppLocker can be configured in audit-only mode for a period of time, and clients can forward their logs to a collector server, where PowerShell turns them into a report that is easy to filter.

First, a GPO must be configured with either enforce or audit-only rules.

Then an event subscription manager (the collector) needs to be configured (details at the end of the post).
Once the server is configured, the subscriptions need to be set up; create one subscription per AppLocker policy type.


The logs should now be collected by the server and presented in the Forwarded Events log.

However, the details are only available in the XML view, and sorting through hundreds of events manually is rarely a viable approach. This is where PowerShell comes to the rescue.

The script below can be run on the collector server or remotely, and outputs the valuable fields to a GridView report. The GridView can in turn be copied into an Excel sheet for further processing.
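An added example of such a script, written for the setup described in this post rather than taken from it: it reads the forwarded AppLocker events, pulls the file details out of each event's XML and shows one row per distinct file in a GridView. The event IDs are AppLocker's standard ones; that the subscriptions land in the ForwardedEvents log and that the collector is reachable via -ComputerName are assumptions.

```powershell
# Added example (not the post's own script): summarise forwarded AppLocker events.
# Assumes the subscriptions deliver into the ForwardedEvents log; run it on the
# collector, or pass -ComputerName to query the collector remotely.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 7
)
# AppLocker event IDs worth inventorying: 8003/8006 = "would have been blocked"
# (audit only), 8004/8007 = blocked (enforce). EXE/DLL use 8003/8004, MSI/script 8006/8007.
$auditIds = 8003, 8006
$filter = @{
    LogName      = 'ForwardedEvents'
    ProviderName = 'Microsoft-Windows-AppLocker'
    Id           = 8003, 8004, 8006, 8007
    StartTime    = (Get-Date).AddDays(-$Days)
}
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The file details live under <UserData><RuleAndFileData> in the event XML,
    # which is why the normal event view only shows them on the XML tab.
    $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Computer   = $e.MachineName
        Action     = $(if ($e.Id -in $auditIds) { 'AuditWouldBlock' } else { 'Blocked' })
        PolicyType = $d.PolicyName      # EXE, DLL, MSI, SCRIPT, ...
        User       = $(try { ([Security.Principal.SecurityIdentifier]$d.TargetUser).Translate([Security.Principal.NTAccount]).Value } catch { $d.TargetUser })
        FilePath   = $d.FilePath
        Publisher  = $d.Fqbn            # empty for unsigned files
        FileHash   = $d.FileHash
    }
}

# One row per distinct file and policy type, with hit and machine counts: this is the
# list you work through to decide which publisher/path rules to add before enforcing.
$rows | Group-Object FilePath, PolicyType | ForEach-Object {
    $first = $_.Group[0]
    [pscustomobject]@{
        PolicyType = $first.PolicyType
        FilePath   = $first.FilePath
        Publisher  = $first.Publisher
        Hits       = $_.Count
        Computers  = ($_.Group.Computer | Sort-Object -Unique) -join ', '
        Users      = ($_.Group.User     | Sort-Object -Unique) -join ', '
        LastSeen   = ($_.Group.Time | Sort-Object -Descending)[0]
    }
} | Sort-Object Hits -Descending |
    Out-GridView -Title "AppLocker audit report ($ComputerName, last $Days days)"
```

Files that show up with an empty Publisher column are unsigned and will need a path or hash rule, which is the main thing to look for before switching the policy from audit to enforce.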


Configure a source-initiated subscription:
https://msdn.microsoft.com/en-us/library/bb870973(v=vs.85).aspx