Binary Nature where the analog and digital bits of nature connect


Saturday, 22 December 2012

Cisco ASA SSL VPN with Active Directory

Posted on 22:55 by Unknown
There is little doubt the bring-your-own-device (BYOD) strategy is becoming a popular method to access company resources. As technical professionals, it is our responsibility to allow the flexibility of BYOD without compromising too much on security. This post will provide a sample solution of how to configure the Cisco ASA device to utilize Active Directory authentication and authorization for SSL VPN remote access.

The following components are used for this configuration:
  • Cisco 5500 Series ASA that runs ASA 8.4(2)
  • Apple iPhone 4S with iOS 6.0.1
  • Cisco AnyConnect Secure Mobility Client v3.0.09097
  • Active Directory Domain Controller (Microsoft Windows Server 2012)

Device   Interface        IP Address          Name
ASA      G0/0 (outside)   203.0.113.251/24    vpn.example.com
-        G0/1 (inside)    192.168.206.1/24    ciscoasa.corp.example.com
ISP      -                203.0.113.1/24      -
DC01     Ethernet         192.168.206.11/24   dc01.corp.example.com

Active Directory and DNS
This post may seem verbose, but the objective is to outline a sample lab for anyone to reconstruct in their own testing environment. That being stated, our scenario will start with a clean build of Windows Server 2012 in Server Core mode.

Tip: You can open a separate console window (for PowerShell) from the default cmd.exe shell by running the command start powershell.

The following table displays the properties and the values we will set for the initial configuration of the server:

Name                         Value
Computer Name                dc01
IP Address and Subnet Mask   192.168.206.11/24
Default Gateway              192.168.206.1
DNS Servers                  208.67.222.222, 208.67.220.220

# Time Zone
Use the tzutil command to display/list/set the time zone. First, display the current setting. Run the following command from an elevated PowerShell prompt:
PS> tzutil /g

To list (with pager) all valid time zone IDs and display names, run the following pipeline of commands from an elevated PowerShell prompt:
PS> tzutil /l | Out-Host -Paging

Set the time zone. For example, if your computer is currently located in the 'Eastern Standard Time' time zone you would run the following command from an elevated PowerShell prompt:
PS> tzutil /s 'Eastern Standard Time'

# Network Configuration and Hostname
Assign a static IPv4 address, netmask, and gateway to the network interface. Run the following command from an elevated PowerShell prompt:
PS> New-NetIPAddress -IPAddress 192.168.206.11 -PrefixLength 24 -DefaultGateway 192.168.206.1 -InterfaceIndex (Get-NetAdapter).ifindex

We will initially be using the external OpenDNS name servers for name resolution in our scenario. After we install the DNS Server role in the upcoming steps, these servers will then be set automatically as forwarders for our internal DNS. Run the following command from an elevated PowerShell prompt:
PS> Set-DNSClientServerAddress -InterfaceIndex (Get-NetAdapter).ifindex -ServerAddresses ("208.67.222.222","208.67.220.220")

Rename the server. This operation will also reboot the computer for the change to take effect. Run the following command from an elevated PowerShell prompt:
PS> Rename-Computer -NewName dc01 -Restart 

# Active Directory Domain Services Role
After our base configuration is complete, the next step is to install the AD Domain Services role. Run the following command from an elevated PowerShell prompt:
PS> Install-WindowsFeature AD-Domain-Services -IncludeManagementTools 

# AD Forest
Install a new AD Forest at the Windows 2012 Domain and Forest Functional Level. This operation will also install and configure the AD-integrated DNS Server role by default. Run the following command from an elevated PowerShell prompt:
PS> Install-ADDSForest -DomainName "corp.example.com" -DomainNetbiosName "example" -ForestMode 5 -DomainMode 5

You will be prompted to create a Directory Services Restore Mode (DSRM) password, and the server will be rebooted after the operation is complete.

# DNS
This step is not required, but it is a best practice to create a DNS reverse lookup zone (or zones) for your AD domain. Run the following command from an elevated PowerShell prompt:
PS> Add-DnsServerPrimaryZone -ReplicationScope "Forest" -NetworkId "192.168.206.0/24" -DynamicUpdate "Secure"

Add DNS resource records for the Cisco ASA device. The following pipeline of commands will add a single DNS A (and associated PTR) resource record type to both the primary forward and reverse lookup zones. Run the following from an elevated PowerShell prompt:
PS> Get-DnsServerZone corp.example.com | Add-DnsServerResourceRecordA -Name 'ciscoasa' -IPv4Address 192.168.206.1 -CreatePtr

As stated earlier, we can verify the external OpenDNS servers are now set as forwarders for the DNS server. Run the following command from an elevated PowerShell prompt:
PS> Get-DnsServerForwarder

UseRootHint : True
Timeout(s) : 3
EnableReordering : True
IPAddress : {208.67.222.222, 208.67.220.220}
ReorderedIPAddress : {208.67.222.222, 208.67.220.220}

# Login Distinguished Name (DN) User
The Login DN represents a user record in the LDAP server (Active Directory) that the administrator uses for binding from the ASA device. When binding, the ASA authenticates to the server using the Login DN and the Login Password.

The following command will create the asa-ldapq AD user in the default AD Users container. Since we're creating this user account in a test environment, we will simply set some “weak” password options. Run the following command from an elevated PowerShell prompt:
PS> New-ADUser -Name 'asa-ldapq' -SamAccountName 'asa-ldapq' -DisplayName 'ASA LDAP Query' -CannotChangePassword $true -PasswordNeverExpires $true -AccountPassword (ConvertTo-SecureString 'Pa$$worD1' -AsPlainText -Force) -Enabled $true

# VPN Security Group
We need to create a global security group that will “filter” the users who have remote access via VPN. Our upcoming ASA configuration will reference the memberOf attribute for this specific security group. Run the following command from an elevated PowerShell prompt:
PS> New-ADGroup -Name 'VPN' -GroupScope Global -GroupCategory Security -DisplayName 'VPN' -samAccountName 'VPN'

# Test User Accounts
Let's create three normal domain user account objects. We can compose a simple CSV file for our user objects and their "core" properties. Run the following commands from an elevated PowerShell prompt:
PS> 'SamAccountName,GivenName,Surname,DisplayName' > $HOME\Documents\users.csv
PS> "jsmith,Joe,Smith,'Joe Smith'" >> $HOME\Documents\users.csv
PS> "sjackson,Sally,Jackson,'Sally Jackson'" >> $HOME\Documents\users.csv
PS> "fbeans,Frank,Beans,'Frank Beans'" >> $HOME\Documents\users.csv

Now let's verify the CSV file is syntactically correct. Run the following command from an elevated PowerShell prompt:

PS> cat $HOME\Documents\users.csv
SamAccountName,GivenName,Surname,DisplayName
jsmith,Joe,Smith,'Joe Smith'
sjackson,Sally,Jackson,'Sally Jackson'
fbeans,Frank,Beans,'Frank Beans'

With the CSV file successfully created, we will move on to creating the accounts in AD. Run the following command from an elevated PowerShell prompt:

PS> $userpw = 'Pa$$worD1'
PS> Import-CSV "$HOME\Documents\users.csv" | % { New-ADUser -Name $_.SamAccountName -GivenName $_.GivenName -SurName $_.SurName -DisplayName $_.DisplayName -AccountPassword (ConvertTo-SecureString $userpw -AsPlainText -Force) -Enabled $true }

Add the first two users as members of the VPN security group. We will leave Frank Beans out to test the requirement that a normal domain user who is not a member of the VPN security group cannot successfully establish a remote access VPN connection. Run the following command from an elevated PowerShell prompt:
PS> Add-ADGroupMember 'VPN' -Members 'jsmith','sjackson'

Verify the users were added to the VPN security group. Run the following command from an elevated PowerShell prompt:
PS> Get-ADGroupMember -Id vpn | select Name

Name
----
jsmith
sjackson

Cisco ASA
We are now ready to configure our Cisco ASA device. This tutorial assumes you've already done the basic configuration for the ASA (users, enable password, remote administration access, etc.).

# Names
Let's start by setting our domain name followed by an alias for the domain controller. Note: The domain name may already be set if you already configured SSH on the device. Run the following commands:

ciscoasa# conf t
ciscoasa(config)# domain-name corp.example.com
ciscoasa(config)# name 192.168.206.11 dc01

# Interfaces
If you haven't already done so, configure the interfaces with a logical address and place in the proper security zone. Run the following commands (and subcommands):
ciscoasa(config)# int g0/0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# ip address 203.0.113.251 255.255.255.0
ciscoasa(config-if)# no shut
ciscoasa(config-if)# int g0/1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address 192.168.206.1 255.255.255.0
ciscoasa(config-if)# no shut
ciscoasa(config-if)# exit

# Network Address Translation (NAT)
We will use the "network object NAT" method for our implementation, with Dynamic Port Address Translation (PAT), i.e. "many-to-one" translation, for the internal LAN.

Create the address translation for our internal LAN network. Run the following command (and subcommands):
ciscoasa(config)# object network OBJ-LAN
ciscoasa(config-network-object)# subnet 192.168.206.0 255.255.255.0
ciscoasa(config-network-object)# description INTERNAL_LAN
ciscoasa(config-network-object)# nat (inside,outside) dynamic interface
ciscoasa(config-network-object)# exit

Create a NAT exemption for traffic between the internal LAN network behind the ASA (192.168.206.0/24) and the VPN user's IP address pool. This is required because the encrypted traffic should not go through a NAT operation. Run the following commands (and subcommands):
ciscoasa(config)# object network OBJ-VPN
ciscoasa(config-network-object)# subnet 192.168.200.0 255.255.255.0
ciscoasa(config-network-object)# description VPNADDR
ciscoasa(config-network-object)# exit
ciscoasa(config)# nat (inside,outside) source static any any destination static OBJ-VPN OBJ-VPN

# Routing
The most preferred routing method on a perimeter appliance is to have a default route pointing to the router connected to the outside interface. This would be the ISP router for our scenario. Create the default route. Run the following command:
ciscoasa(config)# route outside 0 0 203.0.113.1

# VPN Pool
Our AnyConnect clients will need to be assigned IP addresses when they connect, so we need to define a local pool of addresses on the ASA. Run the following command:
ciscoasa(config)# ip local pool VPNPOOL 192.168.200.1-192.168.200.254 mask 255.255.255.0

# LDAP Attribute Map
The LDAP attribute map will be used to link the members of our VPN AD security group (from the memberOf attribute) to the AAA server host defined in the next step. If we didn’t configure this, all users in AD would be able to have VPN remote access by default. Run the following command (and subcommands):
ciscoasa(config)# ldap attribute-map LAM-VPN
ciscoasa(config-ldap-attribute-map)# map-name memberOf Group-Policy
ciscoasa(config-ldap-attribute-map)# map-value memberOf CN=VPN,CN=Users,DC=corp,DC=example,DC=com GP-AllowVPN
ciscoasa(config-ldap-attribute-map)# exit

# AAA Server Group and Host
We will use LDAP for authentication and authorization with our AD domain controller when our AnyConnect clients establish a connection. Notice the asa-ldapq user we created earlier will be the specific account that connects and queries the LDAP server (AD). Remember to use the same password you set earlier when creating the asa-ldapq account. Run the following commands (and subcommands):
ciscoasa(config)# aaa-server ASG-LDAP protocol ldap 
ciscoasa(config-aaa-server-group)# exit
ciscoasa(config)# aaa-server ASG-LDAP host 192.168.206.11
ciscoasa(config-aaa-server-host)# server-type microsoft
ciscoasa(config-aaa-server-host)# ldap-base-dn DC=corp,DC=example,DC=com
ciscoasa(config-aaa-server-host)# ldap-scope subtree
ciscoasa(config-aaa-server-host)# ldap-naming-attribute sAMAccountName
ciscoasa(config-aaa-server-host)# server-port 389
ciscoasa(config-aaa-server-host)# ldap-login-dn CN=asa-ldapq,CN=Users,DC=corp,DC=example,DC=com
ciscoasa(config-aaa-server-host)# ldap-login-password Pa$$worD1
ciscoasa(config-aaa-server-host)# ldap-attribute-map LAM-VPN
ciscoasa(config-aaa-server-host)# exit

Tip: You can get the ldap-login-dn attribute value for our asa-ldapq user by running the following PowerShell command (requires ActiveDirectory PowerShell module):

PS> Get-ADUser -Id asa-ldapq | fl dist*

DistinguishedName : CN=asa-ldapq,CN=Users,DC=corp,DC=example,DC=com

# Group Policies
We will be creating two group policies. The first (GP-AllowVPN) will be for members of the VPN AD global security group. The second will be the default "deny" policy for members who don't have remote access VPN privileges (i.e. not members of the VPN group). Both policies will be linked to the Tunnel Group that will be created in the next step. Run the following commands (and subcommands):
ciscoasa(config)# group-policy GP-AllowVPN internal
ciscoasa(config)# group-policy GP-AllowVPN attributes
ciscoasa(config-group-policy)# dns-server value 192.168.206.11
ciscoasa(config-group-policy)# vpn-simultaneous-logins 2
ciscoasa(config-group-policy)# vpn-tunnel-protocol ssl-client
ciscoasa(config-group-policy)# default-domain value corp.example.com
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# anyconnect keep-installer installed
ciscoasa(config-group-webvpn)# anyconnect ask none default anyconnect timeout 30
ciscoasa(config-group-webvpn)# exit
ciscoasa(config-group-policy)# exit
ciscoasa(config)# group-policy GP-DenyVPN internal
ciscoasa(config)# group-policy GP-DenyVPN attributes
ciscoasa(config-group-policy)# vpn-simultaneous-logins 0
ciscoasa(config-group-policy)# exit

# Connection Profile (Tunnel Group)
Tunnel groups are used to more easily assign policies and attributes to a common group of users. Run the following commands (and subcommands):
ciscoasa(config)# tunnel-group TG-Corp type remote-access
ciscoasa(config)# tunnel-group TG-Corp general-attributes
ciscoasa(config-tunnel-general)# address-pool VPNPOOL
ciscoasa(config-tunnel-general)# authentication-server-group ASG-LDAP LOCAL
ciscoasa(config-tunnel-general)# authorization-server-group ASG-LDAP
ciscoasa(config-tunnel-general)# default-group-policy GP-DenyVPN
ciscoasa(config-tunnel-general)# exit
ciscoasa(config)# tunnel-group TG-Corp webvpn-attributes
ciscoasa(config-tunnel-webvpn)# group-alias SSL-VPN enable
ciscoasa(config-tunnel-webvpn)# end

# Test the Configuration
At this stage, I would recommend we test our AAA configuration. We will attempt to authenticate with our jsmith user. Run the following command and verify the output:
ciscoasa# test aaa-server auth ASG-LDAP host dc01 user jsmith pass Pa$$worD1
INFO: Attempting Authentication test to IP address (timeout: 12 seconds)
INFO: Authentication Successful
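As a complementary check from the AD side (added here; this is not code from the original post), the following PowerShell reads the actual distinguished names of the VPN group and the asa-ldapq account, prints the ASA lines that must match them character for character, and predicts which group policy each test user will receive before anyone touches a phone. It assumes the ActiveDirectory module and the object and policy names used above.

```powershell
# Added pre-flight check, not part of the original post. Assumes the
# ActiveDirectory module and the names used in this post: group 'VPN',
# bind account 'asa-ldapq', test users jsmith/sjackson/fbeans, and the
# group policies GP-AllowVPN (mapped) and GP-DenyVPN (tunnel-group default).
Import-Module ActiveDirectory

$GroupName   = 'VPN'
$LoginDnUser = 'asa-ldapq'
$TestUsers   = 'jsmith', 'sjackson', 'fbeans'

# 1. The map-value string on the ASA must equal the group's DN exactly.
#    Reading it from AD avoids a typo, and catches the case where the group
#    was created in an OU instead of the default CN=Users container.
$groupDn = (Get-ADGroup -Identity $GroupName).DistinguishedName
'ldap attribute-map LAM-VPN'
' map-name  memberOf Group-Policy'
" map-value memberOf $groupDn GP-AllowVPN"

# 2. The ldap-login-dn account must be enabled for the ASA's bind to work,
#    and the post sets PasswordNeverExpires so the bind does not break later.
$bind = Get-ADUser -Identity $LoginDnUser -Properties PasswordNeverExpires
"ldap-login-dn $($bind.DistinguishedName)"
if (-not $bind.Enabled) {
    Write-Warning "$LoginDnUser is disabled; the ASA will not be able to bind"
}
if (-not $bind.PasswordNeverExpires) {
    Write-Warning "$LoginDnUser password expires; the LDAP bind will fail when it does"
}

# 3. Predict the outcome of the ASA's authorization step. The attribute map
#    matches against the memberOf attribute, which lists direct memberships
#    only; a user who belongs to VPN only through a nested group would not
#    match and would fall back to default-group-policy GP-DenyVPN.
foreach ($sam in $TestUsers) {
    $u = Get-ADUser -Identity $sam -Properties memberOf
    if ($u.memberOf -contains $groupDn) {
        $policy = 'GP-AllowVPN (mapped from memberOf)'
    } else {
        $policy = 'GP-DenyVPN (tunnel-group default, vpn-simultaneous-logins 0)'
    }
    '{0,-10} {1}' -f $sam, $policy
}
```

Expected for this lab: jsmith and sjackson resolve to GP-AllowVPN and fbeans to GP-DenyVPN, matching the results of the AnyConnect tests later in the post.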

# AnyConnect
Transfer the Windows AnyConnect client package from your local computer to the ASA device. I will use the scp (Secure Copy) method in my example.

We first need to enable the 'secure copy' functionality on the ASA before we can copy packages over via scp. Run the following commands:
ciscoasa# conf t
ciscoasa(config)# ssh scopy enable

For the 'secure copy' transfer, the command/utility will vary depending on what client OS you're using. I recommend WinSCP or PSCP if using a Windows client. From a Linux or Mac OS X client, we can use the cli scp command in a terminal. For my configuration, I would like to note I already have a user named marc created on the ASA with a privilege level of 15. The following command will copy the Windows AnyConnect client package to the ASA's flash from a Linux or Mac OS X client:
$ scp anyconnect-win-3.1.00495-k9.pkg marc@192.168.206.1:

After the file has been transferred to flash, it must be unpackaged. Run the following command (and subcommand):
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg

Next, enable WebVPN on the outside interface and globally enable the WebVPN tunnel mode. We also want to enable the group drop-down list for Tunnel Group selection. Run the following subcommands:
ciscoasa(config-webvpn)# enable outside
ciscoasa(config-webvpn)# tunnel-group-list enable
ciscoasa(config-webvpn)# anyconnect enable
ciscoasa(config-webvpn)# end

We can verify the AnyConnect package has been correctly set by running the following command:
ciscoasa# sh webvpn anyconnect
1. disk0:/anyconnect-win-3.1.00495-k9.pkg 1 dyn-regex=/Windows NT/
CISCO STC win2k+
3,1,00495
Hostscan Version 3.1.00495
Fri 08/03/2012 14:06:41.27

1 AnyConnect Client(s) installed

Now would be a great point to save our configuration. Run the following command:
ciscoasa# copy run start

# (optional) AnyConnect for iPhone
We will perform testing and verification with the Cisco AnyConnect Secure Mobility Client on the iPhone 4S. Let's first check to make sure we have the required license for our ASA. Run the following command:
ciscoasa# sh ver | grep Mobile
AnyConnect for Mobile : Enabled perpetual

The Cisco AnyConnect Secure Mobility Client for iOS is available from Apple's App Store. Cisco doesn't charge money for the client itself; instead, the number of SSL tunnels is controlled by the license installed on the ASA.

After the AnyConnect client has been downloaded and installed on the iPhone device, we need to configure the attributes for the VPN connection.
  1. Open the AnyConnect app.
  2. Select Add VPN Connection.
  3. Enter a description that labels the connection.
  4. Enter the server address. The value should be the FQDN of the outside interface. I will be using vpn.example.com.
  5. Push the Save button to save the connection.
Our first test is to verify a member of our VPN security group can successfully log in to the VPN. I will be using the jsmith user for the test.
  1. From the Home tab of the AnyConnect app, push the slider to transition the state from Off to On to initiate the Authentication screen.
  2. The Group field should already be populated with the Tunnel Group alias that we configured earlier.
  3. Enter the user jsmith in the Username field.
  4. Enter the password Pa$$worD1 in the Password field.
  5. Push the Done button to close the virtual keyboard.
  6. Then push the Connect button to initiate the connection.
We just verified our jsmith user could successfully log in to the VPN. Our next task is to verify the fbeans user has his login fail because he is not a member of the VPN security group. Repeat the previous steps, substituting the fbeans user for jsmith in step 3.

Posted in AD, Cisco, PowerShell, Security, Windows

Saturday, 17 November 2012

Zenoss Core 4 Installation

Posted on 18:32 by Unknown
Zenoss Core 4 was recently released, so I thought I would document a sample installation process for it. My single server installation closely aligns with the official Zenoss Core Installation Guide, but it also differs in some areas and has a little more "glue".

Hardware Requirements
You should meet these minimum hardware requirements for a single-server installation of Zenoss 4 Core (up to 1000 devices):

Deployment Size       Memory   CPU       Storage
1 to 250 devices      4GB      2 cores   1 x 300GB (10K RPM or SSD)
250 to 500 devices    8GB      4 cores   1 x 300GB (10K RPM or SSD)
500 to 1000 devices   16GB     8 cores   1 x 300GB (15K RPM or SSD)

CentOS 6
My solution will be using the CentOS-6.3-x86_64-minimal.iso image. The aim of this image is to install a very basic CentOS 6.3 system, with the minimum number of packages needed to have a functional system. This post won't document the install process for CentOS 6 considering each environment (and associated requirements) is different. The stages of the OS installation consist of language, storage, hostname, network, timezone, and the root password. Note: All commands are run within the context of the root account unless otherwise specified.

Make sure to update the system after the initial boot post install:
# yum update

I also install the following packages that are not included by default:
# yum install file ntp vim-enhanced man man-pages wget traceroute yum-utils

# hosts file
It is recommended to add the hostname (FQDN and short) and IP address to your local hosts file. My Zenoss server's FQDN is zenoss.test.internal and the IP address is 192.168.36.20. Modify the file with your text editor.
# vim /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.36.20 zenoss.test.internal zenoss

# SELinux
Zenoss documentation states the requirement that SELinux be disabled. We can accomplish this by changing the SELINUX value to disabled in the /etc/sysconfig/selinux file. Modify the file with your text editor.
# vim /etc/sysconfig/selinux

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

Reboot the computer for the change to take effect.

After logging in after the reboot, verify SELinux is disabled. Run the following command:
# sestatus
SELinux status: disabled

# Network Time Protocol (NTP)
Time synchronization is an often overlooked but essential configuration step for new server deployments. In my configuration, the Zenoss server will sync with an Active Directory domain controller (the one holding the PDC emulator FSMO role) on my private network. We will need to modify the ntp.conf file with a text editor, start the NTP daemon, and set it to start automatically at boot. Notice that I "comment out" the default public pool.ntp.org virtual cluster servers. You may want to leave these enabled if you don't have a particular time source to sync with.
# vim /etc/ntp.conf

...
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict -6 ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.centos.pool.ntp.org
#server 1.centos.pool.ntp.org
#server 2.centos.pool.ntp.org


# Use internal NTP Server (AD/DC01)
server 192.168.36.11 iburst


#broadcast 192.168.1.255 autokey # broadcast server
#broadcastclient # broadcast client
#broadcast 224.0.1.1 autokey # multicast server
#multicastclient 224.0.1.1 # multicast client
#manycastserver 239.255.254.254 # manycast server
#manycastclient 239.255.254.254 autokey # manycast client
...

Start the NTP daemon.
# service ntpd start
Starting ntpd: [ OK ]

Set NTP daemon for autostart at boot time and verify.
# chkconfig ntpd on; chkconfig --list ntpd
ntpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off

We can verify the NTP status by running the following commands:
# ntpq -pn
remote refid st t when poll reach delay offset jitter
==============================================================================
*192.168.36.11 50.23.135.154 3 u 50 64 37 0.892 11.750 3.961

# ntpstat
synchronised to NTP server (192.168.36.11) at stratum 4
time correct to within 125 ms
polling server every 512 s

# Firewall
Zenoss requires the following ports to be open on the host firewall:

Port    Protocol   Direction   Description
11211   TCP/UDP    inbound     memcached
8080    TCP        inbound     Web interface
514     UDP        inbound     syslog
162     UDP        inbound     SNMP Traps
25      TCP        inbound     zenmail

Add the rules. It is recommended to add each rule with the iptables command, but I prefer to modify the /etc/sysconfig/iptables file directly with a text editor.
# vim /etc/sysconfig/iptables

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 11211 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 11211 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 162 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

For tighter security, you can confine the allowed traffic to a specific source network. The following configuration limits the allowed traffic on the Zenoss ports to sources in the 192.168.36.0/24 network (SSH is left unrestricted, as in the previous ruleset).
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.36.0/24 -m state --state NEW -m tcp -p tcp --dport 11211 -j ACCEPT
-A INPUT -s 192.168.36.0/24 -m state --state NEW -m udp -p udp --dport 11211 -j ACCEPT
-A INPUT -s 192.168.36.0/24 -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT -s 192.168.36.0/24 -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
-A INPUT -s 192.168.36.0/24 -m state --state NEW -m udp -p udp --dport 162 -j ACCEPT
-A INPUT -s 192.168.36.0/24 -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Restart the firewall service for the changes to take effect.
# service iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]

# Oracle Java 6
From a client computer, browse to Oracle's Java Downloads and grab the latest Java Version 6 Linux x64 RPM file.

Transfer the file to the Zenoss server. The command/utility will vary depending on what client OS you're using. I recommend WinSCP, PSCP, PSFTP, or Filezilla if using a Windows client. From a Linux or Mac OS X client, we can use the scp command. The following command will copy the file to the root's home directory on the destination Zenoss server:
$ scp jre-6u38-linux-x64-rpm.bin root@192.168.36.20:

Back on the Zenoss server, we now need to make the binary file executable.
# cd ~
# chmod u+x ./jre-6u38-linux-x64-rpm.bin

Install the Oracle Java Runtime Environment (JRE).
# ./jre-6u38-linux-x64-rpm.bin
Unpacking...
Checksumming...
Extracting...
UnZipSFX 5.50 of 17 February 2002, by Info-ZIP (Zip-Bugs@lists.wku.edu).
inflating: jre-6u38-linux-amd64.rpm
Preparing... ########################################### [100%]
1:jre ########################################### [100%]
Unpacking JAR files...
rt.jar...
jsse.jar...
charsets.jar...
localedata.jar...
plugin.jar...
javaws.jar...
deploy.jar...

Done.

Add the JAVA_HOME variable statement to the end of the system BASH profile file.
# echo 'export JAVA_HOME=/usr/java/default' >> /etc/profile

"Dot" source the system BASH profile file to add the JAVA_HOME variable to the current shell environment.
# . /etc/profile

Verify the variable is set and that Java is installed correctly.
# echo $JAVA_HOME
/usr/java/default
# java -version
java version "1.6.0_38"
Java(TM) SE Runtime Environment (build 1.6.0_38-b05)
Java HotSpot(TM) 64-Bit Server VM (build 20.13-b02, mixed mode)

# RRDtool
We need to enable access to the RepoForge YUM repository for the RRDtool package.

From a client computer, browse to the RepoForge site and grab the latest rpmforge-release package for the EL 6 distribution (x86_64).

Transfer the package to the Zenoss server. The command/utility will vary depending on what client OS you're using. I recommend WinSCP, PSCP, PSFTP, or Filezilla if using a Windows client. From a Linux or Mac OS X client, we can use the scp command. The following command will copy the file to the root's home directory on the destination Zenoss server:
$ scp rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm root@192.168.36.20:

Back on the Zenoss server, we now need to install the rpmforge-release RPM package.
# cd ~
# yum --nogpgcheck localinstall rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

Disable automatic access to the RepoForge YUM repository.
# yum-config-manager --disable rpmforge

List all available versions of the rrdtool package. Zenoss requires version 1.4.7 or later.
# yum --showduplicates --enablerepo=rpmforge-extras list rrdtool
Loaded plugins: fastestmirror, presto
Loading mirror speeds from cached hostfile
* base: mirrors.cat.pdx.edu
* extras: mirror.spro.net
* rpmforge-extras: mirror.hmc.edu
* updates: centos.sonn.com
rpmforge-extras | 1.9 kB 00:00
rpmforge-extras/primary_db | 433 kB 00:00
Available Packages
rrdtool.i686 1.3.8-6.el6 base
rrdtool.x86_64 1.3.8-6.el6 base
rrdtool.x86_64 1.4.5-1.el6.rfx rpmforge-extras
rrdtool.x86_64 1.4.7-1.el6.rfx rpmforge-extras

Download and install the rrdtool package (and dependency packages).
# yum --enablerepo=rpmforge-extras install rrdtool-1.4.7-1.el6.rfx

# MySQL
My solution diverges from the official Zenoss documentation. I prefer to deploy the Percona Server with XtraDB instead of the standard MySQL server. Percona Server is an enhanced drop-in replacement for MySQL. Visit the Percona website for more information.

We first need to enable access to the Percona YUM repository for the Percona packages.

From a client computer, browse to the Percona Software Repositories for MySQL site and read the documentation wiki to see how to enable access to their YUM repo. At the time of this post, the following will perform an automatic installation. This operation will install the RPM and also the Percona GPG key.
# rpm -Uvh http://www.percona.com/redir/downloads/percona-release/percona-release-0.0-1.x86_64.rpm
Retrieving http://www.percona.com/redir/downloads/percona-release/percona-release-0.0-1.x86_64.rpm
Preparing... ########################################### [100%]
1:percona-release ########################################### [100%]

Verify the Percona repository has been added.
# yum repolist
Loaded plugins: fastestmirror, presto
Loading mirror speeds from cached hostfile
* base: mirror.pac-12.org
* extras: ftp.osuosl.org
* updates: mirror.cisp.com
repo id repo name status
base CentOS-6 - Base 6,346
extras CentOS-6 - Extras 17
percona CentOS 6 - Percona 39
updates CentOS-6 - Updates 1,017
repolist: 7,419

Let's now install the required packages.
# yum install Percona-Server-client-55 Percona-Server-server-55

After MySQL has been installed, we need to modify the MySQL my.cnf configuration file with some recommended settings from Zenoss.

# vim /etc/my.cnf


[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
max_allowed_packet=16M
innodb_buffer_pool_size=256M
innodb_additional_mem_pool_size=20M


[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid

Start the MySQL daemon.
# service mysql start

Verify MySQL is set for autostart at boot.
# chkconfig --list mysql
mysql 0:off 1:off 2:on 3:on 4:on 5:on 6:off

# EPEL
We need to enable access to the EPEL repository for dependency packages of RabbitMQ and Zenoss Core.

Change to root's home directory and download the RPM from the EPEL site.
# cd ~
# wget -r -l1 --no-parent -A 'epel*.rpm' http://dl.fedoraproject.org/pub/epel/6/x86_64/

Install the EPEL RPM.
# yum --nogpgcheck localinstall dl.fedoraproject.org/pub/epel/6/x86_64/epel-*.rpm

Disable automatic access to the EPEL YUM repository.
# yum-config-manager --disable epel

# RabbitMQ
From a client computer, browse to the Download section of the RabbitMQ site and grab the latest 2.x Fedora/RHEL RPM package (version 3.x is not supported by Zenoss at the date of this post).

Transfer the package to the Zenoss server. The command/utility will vary depending on what client OS you're using. I recommend WinSCP, PSCP, PSFTP, or FileZilla if using a Windows client. From a Linux or Mac OS X client, we can use the scp command. The following command will copy the file to root's home directory on the destination Zenoss server:
$ scp rabbitmq-server-2.8.7-1.noarch.rpm root@192.168.36.20:

Back on the Zenoss server, we now need to install the RabbitMQ package (and dependency packages from the EPEL repo).
# cd ~
# yum --nogpgcheck --enablerepo=epel localinstall rabbitmq-server-2.8.7-1.noarch.rpm

Start the RabbitMQ daemon.
# service rabbitmq-server start
Starting rabbitmq-server: SUCCESS
rabbitmq-server.

Set RabbitMQ for autostart at boot.
# chkconfig rabbitmq-server on

# Zenoss Core
From a client computer, browse to the Zenoss Core site and grab the latest Zenoss Core 4 RPM package for RHEL/CentOS 6 64-bit (v4.2.3 at the date of this post).

Transfer the file to the Zenoss server. The command/utility will vary depending on what client OS you're using. I recommend WinSCP, PSCP, PSFTP, or FileZilla if using a Windows client. From a Linux or Mac OS X client, we can use the scp command. The following command will copy the file to root's home directory on the destination Zenoss server:
$ scp zenoss_core-4.2.3.el6.x86_64.rpm root@192.168.36.20:
root@192.168.36.20's password:
zenoss_core-4.2.3.el6.x86_64.rpm 100% 116MB 29.0MB/s 00:04

Back on our Zenoss server, we now need to install the Zenoss Core 4 package (and dependency packages from the EPEL repo).
# cd ~
# yum --nogpgcheck --enablerepo=epel localinstall zenoss_core-4.2.3.el6.x86_64.rpm

# memcached and snmpd
Start the memcached daemon and configure it to start automatically at boot.
# service memcached start
# chkconfig memcached on

Start the snmpd daemon and configure it to start automatically at boot.
# service snmpd start
# chkconfig snmpd on

# Start Zenoss
Run the following command to start Zenoss:
# service zenoss start

At this stage, Zenoss should be ready from a functional perspective. We now need to focus on securing the Zenoss server.

Post-Install
The auto-deploy script offered by Zenoss runs a separate script that secures your Zenoss installation. Since we chose to do a normal install, we will need to grab and run that script now.

We first need to switch to a login shell for the zenoss user.
# su -l zenoss

Verify the zenoss user shell. As a side note, that's an "interesting" UID number for the zenoss user.
$ id
uid=1337(zenoss) gid=500(zenoss) groups=500(zenoss)

Download the secure_zenoss.sh file from GitHub.
$ wget --no-check-certificate https://raw.github.com/osu-sig/zenoss-autodeploy-4.2.3/master/secure_zenoss.sh

Before we run the script, let's get the default passwords for the zenoss user in the global.conf file.
$ egrep 'user|password' $ZENHOME/etc/global.conf | grep -v admin
zodb-user zenoss
zodb-password zenoss
amqpuser zenoss
amqppassword zenoss
zep-user zenoss
zep-password zenoss

Give the secure_zenoss.sh script the execute permission.
$ chmod u+x secure_zenoss.sh

Run the secure_zenoss.sh script. I opted not to change the MySQL root password at this time. We will be performing that task in the next section.
$ ./secure_zenoss.sh
Restricting permissions on /opt/zenoss/etc/*.conf*
Assigning secure password for global.conf:zodb-password
Assigning secure password for global.conf:amqppassword
Assigning secure password for global.conf:zep-password
Assigning secure password for global.conf:hubpassword
Assigning secure password for hubpassword:admin
MySQL is configured with a blank root password.
Configure a secure MySQL root password? [Yn]: n
Forcing zeneventserver to only listen on 127.0.0.1:8084

Let's now verify the passwords have been modified for the zenoss user in the global.conf file.
$ egrep 'user|password' $ZENHOME/etc/global.conf | grep -v admin
zodb-user zenoss
zodb-password 18zmcTgYsA+AjczljwQd
amqpuser zenoss
amqppassword 18zmcTgYsA+AjczljwQd
zep-user zenoss
zep-password 18zmcTgYsA+AjczljwQd
hubpassword 18zmcTgYsA+AjczljwQd

We will also need to modify the password in the zodb_db_main.conf and zodb_db_session.conf files to match the value set for the zodb-password property in the global.conf file.

Let's first get the current configuration of these two files.
$ tail -n +1 $ZENHOME/etc/zodb_db_{main,session}.conf
==> /opt/zenoss/etc/zodb_db_main.conf <==
<mysql>
host localhost
port 3306
user zenoss
passwd zenoss
db zodb
</mysql>

==> /opt/zenoss/etc/zodb_db_session.conf <==
<mysql>
host localhost
port 3306
user zenoss
passwd zenoss
db zodb_session
</mysql>

Run the following commands to perform a substitution of the passwd property for each of the files:
$ zodbpw=$(grep zodb-password $ZENHOME/etc/global.conf | awk '{print $2}')
$ sed -i.orig "5s/zenoss/$zodbpw/" $ZENHOME/etc/zodb_db_{main,session}.conf
$ unset -v zodbpw

Verify the modification was successful.
$ tail -n +1 $ZENHOME/etc/zodb_db_{main,session}.conf
==> /opt/zenoss/etc/zodb_db_main.conf <==
<mysql>
host localhost
port 3306
user zenoss
passwd 18zmcTgYsA+AjczljwQd
db zodb
</mysql>

==> /opt/zenoss/etc/zodb_db_session.conf <==
<mysql>
host localhost
port 3306
user zenoss
passwd 18zmcTgYsA+AjczljwQd
db zodb_session
</mysql>
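The line-number sed substitution above works for the stock files, but it breaks if the generated password happens to contain "/" or "&". As an added example (not from the original post), the following script performs the same update keyed on the passwd property, refuses to run while global.conf still holds the shipped default, and verifies both files afterwards. ZENHOME defaulting to /opt/zenoss, and the make_lab_zenhome helper with its constructed sample files, are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Keys the update on the
# "passwd" property instead of line 5 and uses awk rather than sed, so a
# generated password containing "/" or "&" cannot break the substitution.
# ZENHOME defaults to /opt/zenoss as on the page (assumption: override it
# to point at a lab copy such as the one make_lab_zenhome builds).
: "${ZENHOME:=/opt/zenoss}"

# Print the value of a "key value" property from global.conf.
global_conf_value() {
    awk -v k="$1" '$1 == k { print $2; exit }' "$ZENHOME/etc/global.conf"
}

# Print the passwd value from one <mysql> config file.
db_conf_passwd() {
    awk '$1 == "passwd" { print $2; exit }' "$1"
}

# Rewrite the passwd line of one zodb_db_*.conf file; keep FILE.orig like
# the page's "sed -i.orig" does. awk's print emits the value literally
# (-v still interprets backslashes; the base64-style password shown on
# the page contains none).
set_db_conf_passwd() {
    file="$1"; newpw="$2"
    cp -p "$file" "$file.orig"
    awk -v pw="$newpw" '$1 == "passwd" { print "passwd", pw; next } { print }' \
        "$file.orig" > "$file"
    chmod 600 "$file" "$file.orig"   # both copies hold a credential
}

# Sync both zodb_db_*.conf files from global.conf's zodb-password and
# verify. Returns 1 if the password is missing, is still the shipped
# default "zenoss", or did not land in a file.
sync_zodb_passwords() {
    zodbpw=$(global_conf_value zodb-password)
    [ -n "$zodbpw" ] || { echo "zodb-password missing from global.conf" >&2; return 1; }
    [ "$zodbpw" != "zenoss" ] || { echo "global.conf still has the default; run secure_zenoss.sh first" >&2; return 1; }
    for f in "$ZENHOME/etc/zodb_db_main.conf" "$ZENHOME/etc/zodb_db_session.conf"; do
        set_db_conf_passwd "$f" "$zodbpw"
        [ "$(db_conf_passwd "$f")" = "$zodbpw" ] || { echo "update failed: $f" >&2; return 1; }
    done
}

# Constructed sample data: a throwaway copy of the page's file layout with
# a deliberately awkward password, so the script can be exercised offline.
write_db_conf() {   # $1 = file, $2 = db name
    printf '<mysql>\nhost localhost\nport 3306\nuser zenoss\npasswd zenoss\ndb %s\n</mysql>\n' "$2" > "$1"
}
make_lab_zenhome() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc"
    printf 'zodb-user zenoss\nzodb-password ab/c&d+ef\namqpuser zenoss\n' > "$dir/etc/global.conf"
    write_db_conf "$dir/etc/zodb_db_main.conf" zodb
    write_db_conf "$dir/etc/zodb_db_session.conf" zodb_session
    echo "$dir"
}

# Stand-alone run against the lab copy: ./sync_zodb_passwd.sh --lab
if [ "${1:-}" = "--lab" ]; then
    ZENHOME=$(make_lab_zenhome)
    sync_zodb_passwords && tail -n +1 "$ZENHOME"/etc/zodb_db_*.conf
fi
```

Run it as the zenoss user with ZENHOME set, or with --lab to see it operate on the constructed copy.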

Exit out of the shell for the zenoss user to return to the root user shell.
$ exit

# MySQL (Percona Server)
The interactive mysql_secure_installation command improves the security of your MySQL installation. It will allow you to set your MySQL root password as well as perform other security-related operations.

# mysql_secure_installation

The password for the MySQL database zenoss user will also need to be set to "sync up" with the previous password modifications. We will use the value set for the passwd property in the zodb_db_* config files.
# mysql -u root -p
Enter password: <your_mysql_root_password>
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 472
Server version: 5.5.31-30.3 Percona Server (GPL), Release rel30.3, Revision 520

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> SET PASSWORD FOR 'zenoss'@'localhost' = PASSWORD('18zmcTgYsA+AjczljwQd');
Query OK, 0 rows affected (0.00 sec)

mysql> \q
Bye

Restart the MySQL daemon.

# service mysql restart

# RabbitMQ
The following script will ensure the proper Zenoss credentials/permissions are set for the AMQP entities.

Create the set-rabbitmq-perms.sh script:

# vim set-rabbitmq-perms.sh

Enter the following text into your script then save it.

#!/usr/bin/env bash
set -e

# Vhost(s) and user Zenoss expects on the broker; the password is read
# from global.conf as the zenoss user so it matches what secure_zenoss.sh set.
VHOSTS="/zenoss"
USER="zenoss"
PASS="grep amqppassword \$ZENHOME/etc/global.conf | awk '{print \$2}'"

if [ $(id -u) -eq 0 ]
then
  RABBITMQCTL=$(which rabbitmqctl)
  # reset wipes existing users/vhosts so the broker is rebuilt from scratch
  $RABBITMQCTL stop_app
  $RABBITMQCTL reset
  $RABBITMQCTL start_app
  $RABBITMQCTL add_user "$USER" "$(su -l zenoss -c "$PASS")"
  for vhost in $VHOSTS; do
    $RABBITMQCTL add_vhost "$vhost"
    # configure / write / read permissions on everything in the vhost
    $RABBITMQCTL set_permissions -p "$vhost" "$USER" '.*' '.*' '.*'
  done
  exit 0
else
  echo "Error: Run this script as the root user." >&2
  exit 1
fi

Give the script file the execute permission.
# chmod u+x set-rabbitmq-perms.sh

Run the script.
# ./set-rabbitmq-perms.sh
Stopping node rabbit@zenoss ...
...done.
Resetting node rabbit@zenoss ...
...done.
Starting node rabbit@zenoss ...
...done.
Creating user "zenoss" ...
...done.
Creating vhost "/zenoss" ...
...done.
Setting permissions for user "zenoss" in vhost "/zenoss" ...
...done.

Restart the rabbitmq-server daemon.

# service rabbitmq-server restart

Restart Zenoss.
# service zenoss restart

# Verification
Verify all Zenoss daemons are running.

# su -l zenoss -c 'zenoss status'
Daemon: zeneventserver program running; pid=10258
Daemon: zopectl program running; pid=10350
Daemon: zenhub program running; pid=10408
Daemon: zenjobs program running; pid=10449
Daemon: zeneventd program running; pid=10495
Daemon: zenping program running; pid=10540
Daemon: zensyslog program running; pid=10827
Daemon: zenstatus program running; pid=10625
Daemon: zenactiond program running; pid=10661
Daemon: zentrap program running; pid=10829
Daemon: zenmodeler program running; pid=10788
Daemon: zenperfsnmp program running; pid=10845
Daemon: zencommand program running; pid=10877
Daemon: zenprocess program running; pid=10903
Daemon: zenrrdcached program running; pid=10902
Daemon: zenjmx program running; pid=10948
Daemon: zenwinperf program running; pid=11023
Daemon: zeneventlog program running; pid=11061
Daemon: zenwin program running; pid=11093

If the proper permissions have been set for the RabbitMQ zenoss vhost(s), then the following queues should be listed:

# rabbitmqctl -p /zenoss list_queues
Listing queues ...
celery 0
zenoss.queues.zep.migrated.summary 0
zenoss.queues.zep.migrated.archive 0
zenoss.queues.zep.rawevents 0
zenoss.queues.zep.heartbeats 0
zenoss.queues.zep.zenevents 0
zenoss.test.internal.celeryd.pidbox 0
zenoss.queues.zep.signal 0
zenoss.queues.zep.modelchange 0
...done.

# Web Interface Setup Wizard
After the preceding steps have been completed, it is time to start the Setup Wizard for the initial configuration of customizing Zenoss for your environment. On your client computer, open a web browser and type http://192.168.32.20:8080 in the address field.


Saturday, 14 April 2012

Configure an Active Directory authoritative time source

Posted on 19:32 by Unknown
One of the most fundamental tasks in a network is to keep the clocks on all computers (and network devices) synchronized with world time. This is essential for domain controllers, member servers, and client computers of an Active Directory (AD) domain, so one of the first tasks after deploying a forest root domain should be to configure an external authoritative time source. By default, all domain-joined computers (including domain controllers) must be accurate to within five minutes of one another. This is a requirement of Kerberos authentication.

The domain controller holding the primary domain controller (PDC) emulator role (in the forest root domain) is considered the default authoritative time source for the whole forest. Only this specific domain controller should have an external time source set.

Configure
The following examples were tested on Windows Server 2008 R2 (domain/forest functional level). They should work on previous (and later) versions, but it is highly recommended to test thoroughly before changes are made in production.

# PDC emulator operations master role
Identify the domain controller in the forest root domain that holds the PDC emulator operations master role. Run the following commands from a PowerShell prompt:

PS> $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
PS> $forest.RootDomain.PdcRoleOwner.Name
dc01.example.com

# Link the domain controller to an external time source
After the specific domain controller has been identified, it is time (pun intended) to configure the Windows Time service on that computer. In this example, the following command will set the external time source to the US pool.ntp.org virtual cluster. Run the following commands from an elevated PowerShell prompt:
PS> w32tm.exe /config /manualpeerlist:"0.us.pool.ntp.org 1.us.pool.ntp.org 2.us.pool.ntp.org 3.us.pool.ntp.org" /syncfromflags:manual /reliable:YES /update
PS> w32tm.exe /config /update

Restart the Windows Time service for the changes to take effect. Run the following command from an elevated PowerShell prompt:
PS> Restart-Service w32time

# Switch roles (optional)
You may encounter a requirement to revert the time server computer back as a normal member in the time synchronization domain hierarchy. For example, this may be required if you migrate the PDC emulator operations master role to another domain controller. Once you configure another authoritative time server and confirm this designation, you can remove the designation from the local computer. Run the following commands from an elevated PowerShell prompt:
PS> w32tm.exe /config /syncfromflags:Domhier /reliable:NO /update
PS> w32tm.exe /config /update

Restart the Windows Time service for the changes to take effect. Run the following command from an elevated PowerShell prompt:
PS> Restart-Service w32time

# VMware Guests
It is recommended to disable the VMware Tools periodic time synchronization feature for AD domain-joined virtual machine computers. This can be accomplished with at least two different methods:

1. Set tools.syncTime = "FALSE" (or "0" for some VMware versions) in the configuration file (.vmx file) of the virtual machine. Or...
2. Deselect Time synchronization between the virtual machine and the host operating system in the VMware Tools toolbox GUI of the guest operating system.

Verify and Troubleshoot
The w32tm command-line tool is your primary resource to verify and troubleshoot the time synchronization software configuration.

# Determine the time difference between the local computer and a remote time server
Run this command from a PowerShell prompt:
PS> w32tm /stripchart /computer:dc01 /dataonly /samples:5
Tracking dc01 [10.10.1.60:123].
Collecting 5 samples.
The current time is 4/14/2012 10:49:28 AM.
10:49:28, +00.3586386s
10:49:30, +00.3586515s
10:49:32, +00.3586644s
10:49:34, +00.3586773s
10:49:36, +00.3586902s

# Determine whether the computer is configured to synchronize time from the domain or manual list of time servers
This command should be run from a member computer to verify it's getting its time source from the domain hierarchy. The Type attribute should be NT5DS if it is using the domain hierarchy for time synchronization. Run this command from an elevated PowerShell prompt:

PS> w32tm /query /configuration | Select-String 'type'

Type: NT5DS (Local)


# Display a list of peers and their status
This first example displays output from a member computer. Run this command from a PowerShell prompt:

PS> w32tm /query /peers
#Peers: 1

Peer: dc01.example.com
State: Active
Time Remaining: 28765.7593447s
Mode: 3 (Client)
Stratum: 3 (secondary reference - syncd by (S)NTP)
PeerPoll Interval: 15 (32768s)
HostPoll Interval: 15 (32768s)

This specific example displays output from the domain controller holding the PDC emulator operations master role (if configured to sync with the US pool.ntp.org virtual cluster). Run this command from a PowerShell prompt:

PS> w32tm /query /peers
#Peers: 4

Peer: 0.us.pool.ntp.org
State: Active
Time Remaining: 904.5625720s
Mode: 1 (Symmetric Active)
Stratum: 2 (secondary reference - syncd by (S)NTP)
PeerPoll Interval: 10 (1024s)
HostPoll Interval: 10 (1024s)

Peer: 1.us.pool.ntp.org
State: Active
Time Remaining: 487.6398725s
Mode: 1 (Symmetric Active)
Stratum: 3 (secondary reference - syncd by (S)NTP)
PeerPoll Interval: 10 (1024s)
HostPoll Interval: 10 (1024s)

Peer: 2.us.pool.ntp.org
State: Active
Time Remaining: 36.4734125s
Mode: 1 (Symmetric Active)
Stratum: 2 (secondary reference - syncd by (S)NTP)
PeerPoll Interval: 10 (1024s)
HostPoll Interval: 10 (1024s)

Peer: 3.us.pool.ntp.org
State: Active
Time Remaining: 547.1089785s
Mode: 1 (Symmetric Active)
Stratum: 2 (secondary reference - syncd by (S)NTP)
PeerPoll Interval: 10 (1024s)
HostPoll Interval: 10 (1024s)

# Display the specific time source of the local computer
This first example displays output from a member computer. Run this command from an elevated PowerShell prompt:

PS> w32tm /query /source
dc01.example.com

This example displays output from the domain controller holding the PDC emulator operations master role (if configured to sync with the US pool.ntp.org virtual cluster). You will notice from this output the DC is currently syncing with the 0.us.pool.ntp.org node in the cluster. Run this command from an elevated PowerShell prompt:

PS> w32tm /query /source
0.us.pool.ntp.org

# Perform a manual resync
Sometimes you may need to manually resynchronize the local clock with its time source. Run this command from an elevated PowerShell prompt:

PS> w32tm /resync /rediscover
Sending resync command to local computer
The command completed successfully.
