Archive for October, 2008

IIS: Switching to a new certificate

October 30th, 2008

If you run a website with a secure portal, then you most likely have a certificate (or are self-signed, which this article does not cover).  At some point in time that certificate will expire and you will need a new one.  But how do you do that?  You cannot generate a new CSR while the current certificate is loaded.  If you unload the certificate, your users will not be able to access your site.  What to do, what to do.

Setup a separate {fake} website
The first step is to go into IIS and create a new website.  It really doesn’t matter what you call it or what ports or whatever.  We really don’t care.  I call mine, ‘Temp-cert site’ and put it on some unused port that I don’t care about.  I also just make a directory, but don’t give any rights to it (just in case).  So what you should have is:

Create the CSR
The next step is to create the CSR based on this new site.  So you go through the normal motions:
Right click the Temp-cert site
Click properties
Click Directory Security tab
Click Server Certificate

The ‘Welcome to the Web Server Certificate Wizard’ will start – Go through this just like you did for the actual website you wanted to get the cert for.  Notice we haven’t actually touched the ‘real’ site yet.
Once you are done, copy and paste the New Request to your Certificate Provider and get your certificate back.

Install the new certificate
Now that you have your new certificate, you will need to install it somewhere (not to the actual site yet).  So back to the temp site we go.  Right click and get into properties, and the Directory Security tab.  Click again on Server Certificate.  This time the wizard will go through the installing of the cert.  YES this will install the cert on our ‘temp’ site, but don’t worry we’ll fix that in a minute.  Make sure the cert installed without an error.

Remove the certificate on ‘Temp’ site
Now that you have a brand new shiny certificate on this site, we are going to remove it.  Removing the certificate takes it off that particular site, but does not remove it from the certificate store.  So go back into properties of the ‘temp’ site, and back into the familiar Directory Security and Server Certificate wizard.  Here we want to remove the certificate.  That wizard completes pretty fast and painlessly.  Now on to installing on the right site.

Install the certificate on the ‘real’ site
Okay, NOW is the time we are actually going to do something to the real site.  Right click on the proper site, and get into properties.  Then into the Directory Security and click on the Server Certificate wizard.  So you should see something like this:

So now you select ‘Replace the current certificate’ and click next.  From there you should see a list of all the certs that have been installed on the server, including your brand new shiny certificate with the proper issue and expiry dates.  Just simply select it, and close out of the wizard.

That’s IT!!!!

Now you have your new cert, and your actual live website was never down or without a cert at all.  This way you have no downtime, which matters because certificates can take a few days to arrive after you submit your CSR.

Sean Tips and Tricks

Use Cisco SDM without killing your Firefox tabs.

October 22nd, 2008

This one has plagued me for quite a while.  I use Firefox and I always have tons of tabs.  And if you use Cisco SDM to configure routers, which I tend to (to at least get the bigger chunks of configuration done), then you’ve experienced that wonderful feeling you get when you close SDM and all of your Firefox windows (probably 3 or 4 at this point) go away, along with your tabs.  And when you re-open Firefox, you notice that you have to recover from a crashed session, and you can only recover the last 3 sessions or whatever.  ARRRRRRGGGGHHHH!!!  I’ve said many times.

So what is the solution?  You can set your default browser to IE, and then SDM will happily work through IE, and when you close it, you won’t lose any of your Firefox sessions.  But if you do that, then every time you click on a link from any source, it opens in IE and not Firefox.  Bummer.  So after much digging, I have figured out a way to have it work the way I want.

My solution is based on the IE View add-on available for Firefox from here.  What this add-on allows you to do is open up any page that you have in FF in a separate IE window.  And just like IE Tab, you can specify sites that should always open in IE.  Great news!!  Now how to make it work?

So after some poking around, running things manually, I figured out that the SDMlauncher.exe program merely calls up (using your default browser setting) c:\program files\Cisco Systems\common\common\launcher.html and passes it some arguments.  That will then load (with the arguments) in a browser window, which then opens other browser windows, etc.  So in IE View, if you simply add ‘file:///C:/Program%20Files/Cisco%20Systems/Cisco%20SDM/common/common/launcher.html’ to the always-open-in-IE list, then you’re set.  That’s literally all there is to it.

So when you open up SDM Launcher, put in the IP address, and click launch, you will see a tab get created in FF and within a millisecond (or so) IE will open and reload the page.  That will in turn perform all the actions that you’re used to when running SDM, but in IE.  The tab that you have in FF just has a placeholder message about the page being loaded in IE.  Once you’re done in SDM, you simply close the program; all of your IE windows (that are part of the SDM chain) will go away, and the tab in FF will even go away.  Very cool indeed!

Good luck with it and I hope this helps you out!

Sean Uncategorized

Cisco EasyVPN authenticate with Windows IAS (RADIUS)

October 22nd, 2008

Over the past 24 hours, I’ve been involved with installing a couple of routers at locations where the VPN was an integral part of the overall implementation.  At both locations I wanted to use Active Directory for authentication.  In the past, with PoPToP installations or other routers, the RADIUS setup was very straightforward.  For Cisco it is for the most part, but there are some gotchas that I’ve run into, and I am going to post them here.  Basically I was never really able to get the group authentication up and running through RADIUS, and I’m not even sure that it’s worth getting working.  It’s so easy to set up the group in the Cisco SDM and input all of your pertinent settings there, and then use RADIUS for the actual user authentication.

So your steps are really pretty simple and straightforward.  You will want to:

Install and configure IAS
Setup a RADIUS client in IAS with vendor set as Cisco (remember your shared secret)
Delete the existing Policies, and create a new policy and connect it to your windows group that will have VPN access
Set the policy to Grant Remote Access and go into Edit Profile
On the Authentication tab, make sure that ONLY the top option (MS-CHAP v2) is checked
On the Advanced tab, I set only a single service type of RADIUS Standard and set to Login

On the router, start the EasyVPN setup, choosing ‘local’ for the group authentication.  For the User Authentication, choose RADIUS, input the IP address of your IAS server and put in the shared secret.  Then set up your group policy normally (which is what you’ll give to your VPN clients).

That’s basically it.  When the remote user sets up their connection they will put in the group info that you specify from the EasyVPN setup, and as soon as they try to connect, they will get a login box with the familiar user name, password, and domain sections.  Works like a charm and only takes a few minutes.
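For reference, this is what the split described above (group defined locally on the router, user logins handed to IAS over RADIUS) looks like in the router’s running config.  This is an added example, not taken from the post or from SDM’s generated output; the IAS address, pool, interface, names and secrets are placeholders you would replace with your own.

```cisco
! Added example, not from the original post: local EasyVPN group,
! RADIUS (IAS) for Xauth user logins. All names/addresses are placeholders.
aaa new-model
! User logins (Xauth) go to IAS; group authorization stays on the router
aaa authentication login ezvpn-users group radius
aaa authorization network ezvpn-groups local
! Must match the RADIUS client entry created in IAS (vendor: Cisco)
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS_SECRET_PLACEHOLDER
!
ip local pool EZVPN-POOL 10.10.10.1 10.10.10.50
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
! The group name and key handed to the VPN clients, defined locally
crypto isakmp client configuration group ezvpn-group
 key GROUP_PSK_PLACEHOLDER
 pool EZVPN-POOL
 dns 10.0.0.5
 domain corp.example
!
crypto isakmp profile ezvpn-profile
 match identity group ezvpn-group
 client authentication list ezvpn-users
 isakmp authorization list ezvpn-groups
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set EZVPN-TS esp-aes 256 esp-sha-hmac
crypto ipsec profile ezvpn-ipsec
 set transform-set EZVPN-TS
 set isakmp-profile ezvpn-profile
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ezvpn-ipsec
```

The two aaa lines are the whole point: `group radius` on the login list sends each user’s credentials to IAS, while `local` on the network authorization list means the router never asks RADIUS about the group at all.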

Very cool!  Now to see if I can get the same IAS server to work with the wireless AP to do EAS!  That’ll be another post.

Sean Uncategorized

Microsoft Office Sharepoint Services (MOSS)

October 20th, 2008

This past week, I attended the Sharepoint Bootcamp at New Horizons in Sacramento.  It was taught by Sharee English, who is a Sharepoint consultant and trainer.  You can check out her blog here.  I have to say that I was very impressed by what Sharepoint can do.  Not only is Sharepoint a way to house and store documents, but you can actually run your business off of a properly designed Sharepoint installation.  From Sharee’s blog, you can find all kinds of references to sites etc. that are run from Sharepoint, or you can see a demo site (with great links of all kinds) here.  I hope to get our Sharepoint server up and running in the next few weeks, although that will be dependent on us getting our virtual architecture up and running and the servers converted to virtual servers.  But that is another story entirely.

For those of you running Small Business Server as the backend server, you already have a Sharepoint server running.  If you go to http://companyweb from inside the network, you will be taken to your internal Sharepoint site.  Now that site is based off WSS (Windows Sharepoint Services), which is the free version of the product, unlike the pay-for product that is called Microsoft Office Sharepoint Services, or MOSS, but you get the idea.

Basically with a MOSS or WSS install, you can replace that old network drive as the document storage location and get a more robust, more accessible file storage repository that does versioning, etc.  I’ll be covering more of what you can do in a future blog.   If you have Exchange 2007 and Outlook 2007, you can get rid of public folders and use a Sharepoint backend to house that data.  That way your data will be available to everyone you specify, whether they have Outlook or not.  And it’s all searchable.  Very cool indeed.

Stay tuned for updates to our setup as I get it going.

Sean Tips and Tricks