In the previous article we created an IPsec VPN (with a pre-shared key); now we'll create an SSL VPN.

SSL VPN stands for Secure Sockets Layer virtual private network; it is also called a web-based VPN or WebVPN. An SSL VPN provides remote-access connectivity from almost any Internet-connected location using only a web browser that natively supports SSL/TLS encryption.

Below is a comparison between IPsec and SSL VPN.

Create the local network definition: Addresses - Create New - Address

There is a predefined SSL VPN address range; I decided to use it.

Configuring the portal

Under VPN, click SSL-VPN Settings and change the default listening port 443 (I chose 444).

Click SSL-VPN Portals under VPN; under Tunnel Mode, optionally select the ‘VPN Pool’ address range.

Create a policy for access from the outside

This policy allows members of the VPN users group to access the local network.

The VPN_Users group was created in the previous post.

Testing access

Setting up FortiClient

Select SSL-VPN, enter the FortiGate public IP, check Customize port and type the port used for portal access (444 in this example).

In the last post we integrated Active Directory with FortiGate; now we'll map the Active Directory security group for VPN users to a FortiGate user group.

User & Device - User Groups - Create New

Type: Firewall, then click Add.

Click on the OU containing the VPN group, right-click the group and choose Add Selected.

Now, from the VPN menu, click VPN Creation Wizard.

Select the FortiGate “WAN” interface (outside in my case), define the pre-shared key and select the VPN group we created in the previous step.

Define the local interface, the local addresses, the VPN client address range and, optionally, a DNS server.

Now create an IPv4 policy

Go to Policy & Objects > IPv4 Policy

The incoming interface was created by the wizard; select the source and destination.

Download and install FortiClient

Once installed, click Configure VPN.

Select IPsec VPN, specify the FortiGate WAN interface address and the pre-shared key defined in the previous steps.

I created two Organizational Units:

  • one for the service account fortigate_LDAP, used for searching Active Directory (the “service” OU)
  • one for the AD group that will contain all users who need to log in to FortiGate (the “fortigate” OU)

User & Device - LDAP Servers - Create New

Type the domain controller IP, the domain's Distinguished Name and the service account username/password, and set Bind Type to Regular.

Now map the AD group to a FortiGate group:

User Groups - Create New

Click Add

Click on the OU containing our group, select it, right-click and choose Add Selected.

Now associate this FortiGate group with an administrator profile:

System - Administrators - Create New - Administrator

Select Match all users in remote server group, select a profile and, from the drop-down, select the FortiGate user group we created earlier.

In the Admin Profiles section we can create new profiles.

Now you should be able to log in with Active Directory user credentials.

Fortinet FortiGate is a firewall appliance, available as a virtual machine in Azure and Amazon AWS. In this example we'll deploy FortiGate to Amazon.

In Launch Instance, click AWS Marketplace and choose the product

and the instance type.

Select the VPC. If you try adding two interfaces you'll get “We can no longer assign a public IP to your instance”, so assign only one network interface at launch.

I have a VPC with two subnets: 192.168.10.0/24 and 192.168.20.0/24. I assigned the interface to 192.168.10.0/24, which will be “external”.

I created a secondary interface and assigned it to the 192.168.20.0/24 subnet. This one will be internal.

Creating the second interface

In the EC2 menu click Network Interfaces - Create Network Interface

Select the subnet and the security group.

Attaching the interface

Click on your FortiGate instance - Actions - Networking - Attach Network Interface

After the instance has started we can connect to it. Use the internal address, not the public one; otherwise, when changing the interface role, you'll lose the connection to FortiGate.

The default username is admin and the password is the instance ID.

Click Network - Interfaces, right-click the interface and choose Edit.

Set the alias and change the role.

If you need to get the members of a particular Azure AD role, use the script below (AzureAD PowerShell module):

Connect-AzureAD
# List all directory roles, to find the exact display name of the role you need
Get-AzureADDirectoryRole | Select-Object DisplayName

# Pick the role by display name ('Company Administrator' is the Global Administrator role)
$role = Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq 'Company Administrator'}

# Resolve the role members to user objects and export display name and UPN to CSV
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Get-AzureADUser | Select-Object DisplayName,UserPrincipalName | Export-Csv "C:\Users\lap-top\Downloads\1.csv" -NoTypeInformation

Requirements:

  • If a file is deleted in the source, remove it from the destination as well.
  • If a file is deleted from the destination, do not remove it from the source.
  • If a file is already in both source and destination, do nothing.
  • If a file is in the source but not in the destination, copy it to the destination.

robocopy "\\source" "destination" /R:60 /W:5 /PURGE /MIR /MT:64

/R:60 – retry failed copies 60 times

/W:5 – wait 5 seconds between retries

/PURGE – delete destination files and directories that no longer exist in the source

/MIR – mirror a directory tree (equivalent to /E plus /PURGE). Because /MIR and /PURGE delete from the destination, run once with the /L switch (list only, no copying or deleting) to check what the job would remove before the first real run.

/Z – copy files in restartable mode

If we use /Z (restartable mode) the transfer bandwidth is about 4 to 6 Mbps.

If we take off the /Z switch it goes between 80 and 120 Mbps, and we need to add /MT:64.

/MT[:n] – do multi-threaded copies with n threads (default 8).

This way the “file in use” error should be eliminated, since Robocopy will have enough time between scheduled runs to copy even the largest files (~6 GB).

Bamboo is a continuous integration (CI) server that can be used to automate release management for a software application, creating a continuous delivery pipeline.

In this post we'll enable users to authenticate to Bamboo using their Active Directory credentials.

Creating the service account

We need an account for searching AD (a domain user account).

Create two AD groups: one for admin access, a second for user access.

Edit the configuration file (Bamboo home\xml-data\configuration\atlassian-user-custom.xml):

<atlassian-user>
  <repositories>
    <!-- LDAP repository -->
    <ldap key="ldapRepository" name="Active Directory LDAP Repository" cache="true">
      <!--
      [HOSTNAME], the hostname or IP of your LDAP server (e.g. 192.168.10.71)
      [DISPLAY-NAME], e.g. Sample User. A
      [PASSWORD], password to authenticate "Sample User. A"
      -->
      <host>1.1.1.1</host>
      <port>389</port>
      <!--
      in <securityPrincipal> / <securityCredential> we bind to Active Directory as a service user;
      in this example we use "Service Account BAMBOO LDAP" as that user
      -->
      <securityPrincipal>CN=Service Account BAMBOO LDAP,OU=service,OU=accounts,DC=company,DC=com</securityPrincipal>
      <securityCredential>pass</securityCredential>
      <securityProtocol>plain</securityProtocol>
      <securityAuthentication>simple</securityAuthentication>
      <baseContext>DC=company,DC=com</baseContext>
      <!--
      in <baseUserNamespace> we specify where our users are located in Active Directory
      -->
      <baseUserNamespace>OU=user,OU=accounts,DC=company,DC=com</baseUserNamespace>
      <!--
      in <baseGroupNamespace> we specify where our groups are located in Active Directory
      -->
      <baseGroupNamespace>OU=security,OU=groups,DC=company,DC=com</baseGroupNamespace>
      <userSearchAllDepths>true</userSearchAllDepths>
      <groupSearchAllDepths>true</groupSearchAllDepths>
      <usernameAttribute>sAMAccountName</usernameAttribute>
      <!--
      in <userSearchFilter> we get all users that are members of the "Bamboo.App.Admin" or "Bamboo.App.Users" groups
      -->
      <userSearchFilter>(&amp;(objectClass=person)(|(memberOf=CN=Bamboo.App.Admin,OU=security,OU=groups,DC=company,DC=com)(memberOf=CN=Bamboo.App.Users,OU=security,OU=groups,DC=company,DC=com)))</userSearchFilter>
      <firstnameAttribute>givenName</firstnameAttribute>
      <surnameAttribute>sn</surnameAttribute>
      <emailAttribute>mail</emailAttribute>
      <groupnameAttribute>cn</groupnameAttribute>
      <!--
      in <groupSearchFilter> we get all the groups under <baseGroupNamespace>
      -->
      <groupSearchFilter>(&amp;(objectClass=group))</groupSearchFilter>
      <membershipAttribute>member</membershipAttribute>
    </ldap>
    <!-- Default Bamboo user repository -->
    <hibernate name="Hibernate Repository" key="hibernateRepository" description="Hibernate Repository" cache="true"/>
  </repositories>
</atlassian-user>
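The FortiGate LDAP server definition earlier on this page (a service account that binds with Bind Type Regular and then searches the directory) and the Bamboo atlassian-user-custom.xml above have the same shape: a bind DN, a stored credential, a base context and search filters. What follows is an added example, not part of the original post and not code from Bamboo or Fortinet: a small Python audit of such an <ldap> repository definition. It parses a constructed copy of the config (placeholder host and DNs, as in the post) and reports the points a reviewer would raise: securityProtocol=plain on port 389 means the bind password and every user search cross the network unencrypted, the service-account password sits in cleartext in the file, and the userSearchFilter should really restrict logins to groups under baseGroupNamespace. All function and variable names are mine.

```python
"""Audit an atlassian-user style <ldap> repository definition (added example).

Not part of Bamboo or the original post: a defender's config check that
reads the XML, extracts the bind and search settings and returns findings.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the structure of the post's config.
# Host, credential and DNs are placeholders, not a real environment.
SAMPLE_XML = """<atlassian-user>
<repositories>
<ldap key="ldapRepository" name="Active Directory LDAP Repository" cache="true">
<host>1.1.1.1</host>
<port>389</port>
<securityPrincipal>CN=Service Account BAMBOO LDAP,OU=service,OU=accounts,DC=company,DC=com</securityPrincipal>
<securityCredential>pass</securityCredential>
<securityProtocol>plain</securityProtocol>
<securityAuthentication>simple</securityAuthentication>
<baseContext>DC=company,DC=com</baseContext>
<baseUserNamespace>OU=user,OU=accounts,DC=company,DC=com</baseUserNamespace>
<baseGroupNamespace>OU=security,OU=groups,DC=company,DC=com</baseGroupNamespace>
<userSearchFilter>(&amp;(objectClass=person)(|(memberOf=CN=Bamboo.App.Admin,OU=security,OU=groups,DC=company,DC=com)(memberOf=CN=Bamboo.App.Users,OU=security,OU=groups,DC=company,DC=com)))</userSearchFilter>
<groupSearchFilter>(&amp;(objectClass=group))</groupSearchFilter>
</ldap>
</repositories>
</atlassian-user>
"""


def _text(ldap, tag, default=""):
    """Return the stripped text of a child element, or default if absent."""
    el = ldap.find(tag)
    return (el.text or "").strip() if el is not None else default


def member_of_groups(search_filter):
    """Return the group DNs named in (memberOf=...) clauses of an LDAP filter."""
    return re.findall(r"\(memberOf=([^()]+)\)", search_filter)


def dn_is_under(dn, base):
    """True if dn equals base or sits below it (case-insensitive suffix match)."""
    dn_l, base_l = dn.lower(), base.lower()
    return dn_l == base_l or dn_l.endswith("," + base_l)


def audit_ldap_config(xml_text, expected_groups=()):
    """Parse the config and return a list of human-readable findings."""
    root = ET.fromstring(xml_text)
    ldap = root.find("./repositories/ldap")
    if ldap is None:
        return ["no <ldap> repository defined"]
    findings = []

    # Transport: plain LDAP on 389 exposes the bind password and all queries.
    proto = _text(ldap, "securityProtocol").lower()
    port = _text(ldap, "port")
    if proto == "plain" or port == "389":
        findings.append(
            "bind and searches use unencrypted LDAP (securityProtocol=%s, port %s); "
            "use LDAPS (636) or StartTLS" % (proto, port))

    # Credential handling: the bind password lives in the file itself.
    if _text(ldap, "securityCredential"):
        findings.append("service-account password is stored in cleartext in the config "
                        "file; restrict file permissions to the Bamboo service account")

    # The bind DN should live inside the directory we are searching.
    base = _text(ldap, "baseContext")
    principal = _text(ldap, "securityPrincipal")
    if principal and not dn_is_under(principal, base):
        findings.append("securityPrincipal is outside baseContext")

    # Least privilege on login: the user filter must name the allowed groups,
    # and those groups must sit under baseGroupNamespace.
    user_filter = _text(ldap, "userSearchFilter")
    if user_filter.count("(") != user_filter.count(")"):
        findings.append("userSearchFilter has unbalanced parentheses")
    groups = member_of_groups(user_filter)
    group_ns = _text(ldap, "baseGroupNamespace")
    if not groups:
        findings.append("userSearchFilter does not restrict logins by group membership")
    for g in groups:
        if not dn_is_under(g, group_ns):
            findings.append("group %s is outside baseGroupNamespace" % g)
    for g in expected_groups:
        if g not in groups:
            findings.append("expected group %s is not in userSearchFilter" % g)
    return findings


if __name__ == "__main__":
    for finding in audit_ldap_config(SAMPLE_XML):
        print("-", finding)
```

Run against the constructed sample it reports the two transport and credential findings and nothing else, because the bind DN and both groups are where the base contexts say they should be; pass the DNs of the groups you expect in `expected_groups` to catch a filter that silently drops one of them.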

Restart the Bamboo service.

Point Bamboo to the LDAP repository:

Administration - User Management

Security - User Repositories - Custom user repository - Save. If the config file has any error it will be shown when you click Save; correct it and click Save again.

You should now be able to log in with AD credentials.

Setting permissions

Security - Global permissions; under Group access, add the group and choose its permissions.
