Assignment title: Information


ITB7345 Advanced Networking Technologies
LAB practical exercises

Technical report assessment (40% of the course)
• Completion of each practical lab (signed off by the tutor): 2% (12% in total)
• The research lab report for each lab is a further 4% (24% in total)
  o Each report should be around 800-1500 words. Do not include the lab steps given in this document. Students should research the topic and include the following in the report:
    ▪ Purpose of the technology (1 mark)
    ▪ Description/Architecture of the technology (4 marks)
    ▪ Uses/applications of the technology (5 marks)
    ▪ Advantages and disadvantages (5 marks)
    ▪ Description of an alternative technology (5 marks)
    ▪ Comparison to other alternative technologies (10 marks)
    ▪ Professionalism: Grammar, spelling, APA referencing, appropriate headings, logical order, appropriate diagrams, simple/clear explanations (10 marks)
• Extension exercises are to be done after completing all 6 labs (4% in total)
  o Extension to project 1: 2% for creating an Ubuntu virtual machine using VMware Server
  o Extension to project 6: enable SSL filtering on pfSense to blacklist Facebook and other specified HTTPS sites

Wintec Centre for Business IT and Enterprise
ITB7345: Advanced Networking Lab book

PROJECT 1
Network Virtualisation and Network Address Translation

AIM
The student will be able to install and configure a virtual server on a removable drive with Windows 10 as the host operating system

EQUIPMENT
PC, Removable Drive with Windows 10 Operating System, Windows Server 2012 ISO file, Ubuntu Linux ISO file

TASKS
• Download installation files
• Install VirtualBox onto the removable drive
• Create a virtual machine
• Change virtual machine's physical settings
• Set the IP address of the virtual machine
• Join the virtual machine to the Rexnet active directory domain
• Set the VM to be a domain controller
• Configure another VM with the Ubuntu OS

1.
DOWNLOAD INSTALLATION FILES
• The first step is to install the Windows 10 Operating System on your removable drive. This will be your host operating system
• Install Windows 10 image on a removable drive using imager
  o Power off PC
  o Insert removable drive
  o Power on PC
  o Make sure the orange light on your removable drive is flickering to indicate the OS is being loaded onto your removable drive and not the local PC's hard drive
  o When option displayed press F12
  o Choose the Windows 10 option (check with tutor)
  o Delete all the Disk 0 partitions (NOT Disk 1) and create a new partition on Disk 0 – this is where you will install the operating system
• Copy the VirtualBox installation file from the ITSW1 server to your desktop. The filename and location will be given by your tutor
  o OR download for free from: https://www.virtualbox.org/wiki/Downloads
• Go to \\itsw1\OperatingSystems\Windows server 2012 and download the following files to your desktop:
  o The operating system file for Windows Server 2012 (with update) (.iso). The filename is:
    ▪ en_windows_server_2012_r2_with_update_x64_dvd_6052708.iso
  o The operating system file for Ubuntu (.iso). The file name is:
    ▪ Ubuntu_12.04-desktop-i386

2. Install VirtualBox
• Double click on the VirtualBox installation file and follow the wizard to install the software on your removable drive. Just accept the default settings during the setup

3. CREATE A VIRTUAL MACHINE (VM) FOR WINDOWS SERVER
• Start -> VirtualBox
• Click the 'New' icon at the top of the screen to create a new virtual machine
• Give your VM a name (something sensible and recognisable e.g. DileepWindowsServer12VM)
  o Move the arrow so that you have around 4000 MB of Memory size
  o Ensure the create a new virtual hard disk icon is selected
  o Click next
• Hard disk file type: Select the Virtual Hard Disk (VHD).
This is compatible with other virtualisation software such as VMware (note: the VDI type can only be used on VirtualBox)
• On the main screen right click on your VM and select properties
  o Click on storage option in the left hand panel
  o Select the 'Empty' option in the storage tree section
  o Next to optical drive click on the CD icon
  o Choose Virtual optical disk file
  o Browse to your desktop and select your iso file and click ok
• On the main screen click the start icon
  o Install server 2012 by following the wizard
  o Product key: DBGW-NPF86-BJVTX-K3WKJ-MTB6V
  o Choose Custom install: windows only (advanced)
  o Select your virtual hard disk (in the partition section)
  o Enter the full user name to be: student and password: router
• Click on the radio button for the following option: 'installer disk image file (iso)' -> browse to your desktop and select the operating system file for Windows Server that you downloaded earlier
• Do not enter a product key (accept the pop up message about manual activation later)
• Wait for it to install

4. Change VM Physical settings
• On the main screen click on the Network section:
  o For adapter 1 make sure the adapter is enabled and attached to: bridged adapter
  o The name of this adapter should be the Intel network card e.g. INTEL (R) 825780C
  o If you have another adapter on your PC, go to virtual adapter 2 and attach it to the second card (e.g. Dlink or Realtek)
Note: bridged means the virtual adapter of the VM is linked to the physical adapter of the host
Note: the amount of memory and processing power you can use will be limited by the number of VMs you want and the hardware specifications of the physical host machine

5. JOIN VM SERVER TO THE REXNET DOMAIN
• Right click start -> system -> computer name tab
• Change your VM server's full computer name to something you can recognise (e.g.
DILEEPVMSERVER)
• Click on 'Domain' radio button and enter: REXNET.local or REXNET
• The details for authentication are: username: admin ; password: router
• Restart the VM (not the physical host)
• Log on to the VM with the local administrator logon: (Username: DILEEPVMSERVER\administrator ; password: no password). It may prompt you to change the password, in which case use: Router1

6. PING THIS VIRTUAL SERVER
• On your server: Go to the command prompt and type 'ipconfig'. What are the current IP address settings? ____________________
• On your physical host: Go to the command prompt and type 'ipconfig'. What are the current IP address settings? ____________________
  Are they different or the same? Why? ____________________
• Make sure the Windows firewall is turned off on both the VM and the host PC
• Go to another Windows client PC on your network and do the following:
  o Start Command prompt
  o Ping server's IP address
  o Ping VM's host PC IP address (note: some terminals have Windows firewall enabled)
  o Go to: Start -> network and look at the computer name. Can you see the VM server and the host PC as if they are separate terminals? Y/N

7. NETWORK ADDRESS TRANSLATION
• Change your network adapter from 'bridged' to 'NAT'
• Wait for a minute then go to the command prompt of the server VM and type ipconfig
• What are the IP address settings? ____________________
• Try to ping a Windows client on the 10.150.10.x network from this server. Can you ping it? Y/N
• What can you tell me about the new IP address and how can it ping a terminal on another network? ____________________

8.
SET THE IP ADDRESS OF YOUR VM SERVER
• Change your Network adapter settings for your VM back to "bridged"
• Set the server to have the following static IP address:
  o IP address: 10.150.2.x ; subnet mask: 255.255.240.0 ; gateway 10.150.1.1 ; DNS server: 10.150.1.10
  o Ping the new IP address of the server from a Windows client

9. SET SERVER UP AS A DOMAIN CONTROLLER
Active Directory is the directory service for Microsoft Windows Server 2008. A directory service is a database that stores information about users, groups, domains and other resources (known as objects) on a network and provides a way to centrally access and administer that information.
• Close server manager and start it again (this is so the new IP addressing settings are registered)
• Server manager -> dashboard -> Add roles and features -> click skip this page by default and click next -> role-based or feature-based installation type -> select a server from the server pool (your server should be the only one, but check the IP address is the one you set)
• Server roles: active directory domain services (DNS is also installed with this) and DNS server -> leave the default features e.g. group policy management and click next -> read and click next until you tick the option to automatically restart the server, then install
The installation process will take some time. When you are returned to server manager, refresh by pressing F5 and you will see 'AD DS' in the left hand pane. Click on the 'More' link on the 'configuration required for active directory domain services' message. Then click on promote to Domain controller.
• Add a new forest
• Enter your root domain name e.g.
dileep.local: ____________________
• Domain controller options: tick DNS server and set the password to be: Router1
• DNS option: leave blank
• Use default NetBIOS name
• Use default paths for Database, Log files, SYSVOL
• Review your selections and click next
• Read the pre-requisite checks and click install
• Restart the PC if prompted (it may do this automatically when prompted)
Note: you will only be allowed to complete the above steps if you are logged in as administrator and have set the password as requested in section 6 of this lab
Check that your server is now a domain controller by going to server manager -> local server and seeing that it is in your newly created domain

10. CONFIGURE A CLIENT WORKSTATION
• In order to test your newly created user you need to set up a client workstation to become part of your domain. Go to another Windows client PC on your network and set the following:
  o IP address: 10.150.2.x (the IP address on your computer case)
  o Subnet mask: 255.255.240.0
  o Default Gateway: server IP address
  o DNS server: server's IP address
• Right click start button -> System -> click the 'Computer Name' tab, then the change button, and change the domain to yourdomain.local
• At the prompt enter a username and password of a user who has privileges to join the domain and restart the computer when prompted
• At the login screen choose to login to your domain as your newly created user

11. INSTALL ANOTHER VM FOR UBUNTU LINUX
• Use the steps you have learned to create another VM and install the Ubuntu operating system on it using the other iso file you created.
Give your administrator user the following properties:
  ▪ Full Name: your name
  ▪ user name: student
  ▪ password: Router1

Tutor sign-off:________________________________________

PROJECT 2
Virtual Private Networks (VPN) Lab

AIM
Students will be able to:
- Set up and establish a VPN connection between two Windows Server 2012 terminals
- Clients connected to the LAN of each server will be able to ping each other through the VPN
Students work in groups of 4 for this project

EQUIPMENT
2 PCs with 2 network adapter driver and Windows Server 2012
2 PCs with 1 network adapter driver and Windows 10
1 Cross over cable

Network Set up:
This project will connect between two groups. Each one will have a removable drive with Windows Server
1. Make sure each removable drive is in a PC with two network cards. Use the Windows Server 2012 VM you created in project 1
2. Physically connect your network as shown in the diagram above.
  ▪ Ensure that your VPN servers have two network cards
    i. The INTEL card will be your internal network card and the other card (in the PCI slot e.g. DLink or Realtek) will be your external card
    ii. Ensure that adapter 1 is linked to the INTEL card and adapter 2 is linked to the other card as shown in project 1
    iii. Note: if the second card is not detected you may need to install the network driver files by going through the device manager (ask the tutor for the driver)
  ▪ Note: you can use cross over cables on the green patch panel between the external cards

Configuration of VPN Servers:
3. Rename the computer name of each server as shown in the diagram (ROUTER1 and ROUTER2 respectively). Then restart. This is important.
4. Set up the IP addressing schemes on both servers and their workstations (making sure they are on separate subnets.
Each group will be given two numbers x and y for the addresses below):
  ▪ LAN 1: 172.168.4.0 /24
    • ROUTER1 internal interface settings:
      IP: 172.16.4.x; SNM: 255.255.255.0; Gateway: none
    • LAN1_Client:
      IP: 172.16.4.y; SNM: 255.255.255.0; Gateway: 172.16.4.x
  ▪ ROUTER1 external interface settings:
      IP: 10.1.0.1; SNM: 255.255.255.0; Gateway: none
  ▪ LAN 2: 172.16.56.0 /24
    • ROUTER2 internal interface settings:
      IP: 172.16.56.x; SNM: 255.255.255.0; Gateway: none
    • LAN2_Client:
      IP: 172.16.56.y; SNM: 255.255.255.0; Gateway: 172.16.56.x
  ▪ ROUTER2 external interface settings:
      IP: 10.1.0.2; SNM: 255.255.255.0; Gateway: none
Before going on make sure your server can ping your own LAN host and the external interface of the other router (you will not be able to ping the remote client yet)
Please check that the firewalls on all routers and clients are OFF

5. Install server role
  o Start -> Server manager -> dashboard -> manage menu -> add roles and features
  o Click on Next until you reach the Roles tab
  o In the server roles menu: select remote access and click next
  o You don't need to add anything in the features tab, just click next
  o Next
  o In the role services: select the Direct access and VPN (RAS) option only
  o Add all the default features
  o Install and close

6. Deploy VPN
  ▪ On the Server manager dashboard -> click on the remote access option in the right hand menu
  ▪ Right click on your server and select Remote access management
  ▪ Click on Direct Access and VPN and click on the 'Run the getting started wizard'
  ▪ Choose deploy VPN only

7. Routing and remote access
  ▪ Start -> Routing and remote access -> Right click on your server and select: Configure and enable routing and remote access.
  ▪ Select the 'Remote Access (Dial-up or VPN)' checkbox (requires at least 2 NICs for this to work)
  ▪ Select the VPN checkbox
  ▪ When asked to select the interface that connects the server to the internet (external interface)
    • Select the network interface card (REXT) and unselect the Enable security checkbox (make sure that you choose the external NIC)
  ▪ When asked to specify the internal address choose (RINT) (make sure that you choose the internal NIC)
  ▪ On the Router 1:
    • Select From a specified range of addresses (make sure the range is not conflicting with the test host) and click new:
    • Set to be: 203.168.100.1 – 203.168.100.10
    • This is the address used in the outer header for tunnelling
  ▪ On the Router 2:
    • Select From a specified range of addresses (make sure the range is not conflicting with the test host) and click new:
    • Set to be: 203.168.200.1 – 203.168.200.10
    • This is the address used in the outer header for tunnelling
  ▪ For both servers select No (when finally asked whether you want Routing and Remote access to authenticate connection requests)
  ▪ Click Finish (regarding the pop up message about DHCP servers, click OK)

8.
On the ROUTER1 server in the Routing and Remote Access, expand the tree on the left-hand window, right click on Network Interfaces and select new Demand Dial Interface and complete the wizard as follows:
  ▪ Set the name to "VPNUSER1"
  ▪ Select Connect using virtual private networking
  ▪ Select Point to Point tunneling protocol
  ▪ Enter the public address of the ROUTER2 (10.1.0.2)
  ▪ Select both tick boxes: Route IP packets on this interface and Add a user account so a remote router can dial in
  ▪ Set a static route for the ROUTER2 LAN (LAN 2)
    • (destination: 172.16.56.0; snm: 255.255.255.0; Metric: 2)
  ▪ Set the Dial In credentials to be:
    • Username: VPNUSER1 (entered by default)
    • Password: Router07
  ▪ Set the Dial Out Credentials to be:
    • Username: VPNUSER2
    • Domain: ROUTER2 (computer name of the other server)
    • Password: Router07

9. On the ROUTER2 in the Routing and Remote Access, expand the tree on the left-hand window, right click on Network Interfaces and select new Demand Dial Interface and complete the wizard as follows:
  ▪ Set the name to "VPNUSER2"
  ▪ Select Connect using virtual private networking
  ▪ Select Point to Point tunneling protocol
  ▪ Enter the public address of the ROUTER1 (10.1.0.1)
  ▪ Select both Route IP packets on this interface and Add a user account so a remote router can dial in
  ▪ Add a static route for the Remote Site LAN
    • (destination: 172.16.4.0; snm: 255.255.255.0; Metric: 2)
  ▪ Set the Dial In credentials to be:
    • Username: VPNUSER2
    • Password: Router07
  ▪ Set the Dial Out Credentials to be:
    • Username: VPNUSER1
    • Domain: ROUTER1
    • Password: Router07

10. Once both servers are configured above, right-click on the newly created demand dial interface (on any server) in the 'network interfaces' and select Connect. Wait for a while and refresh the other server (F5). Confirm that the session has been established.
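Steps 8 and 9 mirror each other: on each router the demand-dial interface name is also the dial-in account, the dial-out account is the other router's dial-in account, and the static route points at the other site's LAN. The check below is an added example (not part of the lab book) that cross-validates the two configurations before Connect is pressed; `RouterConfig`, `check_pair` and `lab_configs` are names invented here, x = 1 is a constructed host number, and the LAN 1 prefix is taken from the interface addresses in step 4.

```python
"""Cross-check of the two mirrored site-to-site configurations (added example)."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass
class RouterConfig:
    name: str            # computer name; the peer enters it as the dial-out "Domain"
    lan: str             # local LAN prefix
    internal_ip: str
    external_ip: str
    pool: tuple          # (first, last) address of the static VPN address range
    interface: str       # demand-dial interface name
    peer_address: str    # address of the other router entered in the wizard
    route: str           # static route "destination/mask" bound to the interface
    dial_in: tuple       # (username, password) the remote router logs in with
    dial_out: tuple      # (username, domain, password) used to call the peer


def check_pair(a, b):
    """Return a list of inconsistencies between the two router configurations."""
    problems = []
    lans = {r.name: ipaddress.ip_network(r.lan) for r in (a, b)}
    for local, remote in ((a, b), (b, a)):
        lan, remote_lan = lans[local.name], lans[remote.name]
        if ipaddress.ip_address(local.internal_ip) not in lan:
            problems.append(f"{local.name}: internal IP {local.internal_ip} not in LAN {lan}")
        if local.peer_address != remote.external_ip:
            problems.append(f"{local.name}: dials {local.peer_address}, "
                            f"but {remote.name} external is {remote.external_ip}")
        route = ipaddress.ip_network(local.route)
        if route != remote_lan:
            problems.append(f"{local.name}: static route {route} is not remote LAN {remote_lan}")
        if local.dial_in[0] != local.interface:
            problems.append(f"{local.name}: dial-in user {local.dial_in[0]} "
                            f"differs from interface {local.interface}")
        user, domain, password = local.dial_out
        if (user, password) != remote.dial_in:
            problems.append(f"{local.name}: dial-out credentials do not match "
                            f"the dial-in account on {remote.name}")
        if domain != remote.name:
            problems.append(f"{local.name}: dial-out domain {domain} is not {remote.name}")
        first, last = (ipaddress.ip_address(p) for p in local.pool)
        for block in ipaddress.summarize_address_range(first, last):
            for owner, net in lans.items():
                if block.overlaps(net):
                    problems.append(f"{local.name}: VPN pool {block} overlaps {owner} LAN {net}")
    if lans[a.name].overlaps(lans[b.name]):
        problems.append("the two LANs overlap, so traffic would never use the static routes")
    return problems


def lab_configs(x=1):
    """Values from steps 4 and 7-9 of the lab sheet; x is the per-group host number."""
    r1 = RouterConfig("ROUTER1", "172.16.4.0/24", f"172.16.4.{x}", "10.1.0.1",
                      ("203.168.100.1", "203.168.100.10"), "VPNUSER1", "10.1.0.2",
                      "172.16.56.0/255.255.255.0", ("VPNUSER1", "Router07"),
                      ("VPNUSER2", "ROUTER2", "Router07"))
    r2 = RouterConfig("ROUTER2", "172.16.56.0/24", f"172.16.56.{x}", "10.1.0.2",
                      ("203.168.200.1", "203.168.200.10"), "VPNUSER2", "10.1.0.1",
                      "172.16.4.0/255.255.255.0", ("VPNUSER2", "Router07"),
                      ("VPNUSER1", "ROUTER1", "Router07"))
    return r1, r2


if __name__ == "__main__":
    r1, r2 = lab_configs()
    print(check_pair(r1, r2))                                  # consistent pair
    # A one-digit slip in a prefix is reported from both sides of the tunnel.
    for line in check_pair(replace(r1, lan="172.168.4.0/24"), r2):
        print(line)
```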
Note: You only need to issue the connect command on one of the servers and it should automatically update the other one

11. Test connectivity
  ▪ Hosts from different sites should be able to ping each other (note: the router cannot ping the host on the other site's LAN but the clients can ping each other)

12. Type the following on router 1: route print
This displays the routing table for the server. There should be a route to the remote LAN (LAN2). What is the:
Gateway address: ______________
Output interface address: _______________

13. From the Client PC on LAN 1, do a tracert to the client PC on LAN 2. List the addresses at each hop, e.g.:
Hop 1: 172.16.4.1 (R1 INT)
Hop 2: 203.100.1 (translated address)
Hop 3: 172.16.56.3 (client LAN2)
Why does Hop 2 have a completely different subnet address to any of the physical interfaces? ____________________
What is the VPN server/router actually doing to the packets at hop 2? ____________________

14. Go to: server manager -> Network Policy and Access -> Routing and Remote access -> Network Interfaces
What is the status and type of the VPNLAN1 or VPNLAN2 interface?
Status: __________________
Type: ___________________
What does this interface type mean? ___________________________
Note: after some time you will notice that the VPNUSER interface is still enabled but is disconnected. This happens because it is a demand dial interface and when there is no traffic it disconnects. Once the clients ping each other again the state will become connected

15.
Go to: server manager -> Network Policy and Access -> Routing and Remote access -> IPv4 -> general
What is the IP address of the VPNUSER1 or VPNUSER2 interface? ___________________________

16. Check the VPN users have permissions by going to computer management -> local users and groups -> users -> right click on the VPNUSER1 or VPNUSER2 user -> Dial in tab -> network permissions should be set to 'allow access' Y/N
For initial configuration steps go to: http://thesolving.com/server-room/how-to-install-a-vpn-on-windows-server-2012-r2/

17. Tidy up: Ensure the lab is as it was before you started the lab

PROJECT 3
Network Virtualisation Hyper-V Core Setup and Management

AIM
Students will be able to:
- Install and configure a Hyper-V server 2012 R2 core Operating System
- Set configuration settings on the Hyper-V server core
- Install Hyper-V tools on a Windows 10 client
- Create a virtual machine from the client on the server core
Students work in pairs for this project

EQUIPMENT
- 2 PCs with Windows 10 Operating System and NICs
- 1 Removable Drive
- 1x Hyper-v server 2008 R2 Core CD (or network image)
- 1 Ubuntu Linux iso file
- 1x USB drive

TASKS
1. Install Hyper V server 2012 R2 core server
2. Install driver for the Intel network interface card
3. Set a static address on the server
4. Add the core server to the Rexnet domain
5. Add local administrator to the core server
6. Enable Remote Desktop on the core server
7. Install Hyper-V server 2012 R2 core server
8. Disable the windows firewall on the core server
9. Install Hyper-V tools on your windows client
10. Create Virtual switch on the core server from the windows client
11. Create VM on the core server from the windows client
12. Install VM on the core server from the windows client
13. View core server Device manager from the client using the Microsoft Management Console (MMC)

LAB
1.
Turn off PC -> insert in the server cd and removable drive and start PC
• While booting, press F12 when prompted to go to the Windows images
• Choose the Windows server 2012 R2 x64 Hypercore image
• Delete all the Disk 0 partitions (NOT Disk 1) and create a new partition on Disk 0 – this is where you will install your server
• Follow the installation wizard

2. Configure the Intel Network adapter
• On your server's blue screen: press '8' for Network adapter settings and make sure the network adapter has been successfully detected. What is the IP address of your server at this stage? ____________________

3. Set a static address on the server
• It is good practice to give your server a static IP address.
• From the main menu of the blue screen on your server, press '8' for Network adapter settings -> enter the instance number of your adapter -> press '1' -> enter 's' for static -> for setting up the static IP address
• Use the following settings: IP: 10.150.3.x, SNM: 255.255.240.0, GW: 10.150.1.1
• Press 2 to enter the DNS server and use: 10.150.1.100 (alternate DNS server 10.150.1.11)
• Is the static IP address for your server set correctly? Y/N

4. Add the core server to the Rexnet domain
• From the server's main menu (blue screen), press '1' for the Domain/Workgroup
• -> press 'd' for domain
• -> enter domain name: 'rexnet' -> enter username: 'rexnet\admin'
• -> password: router
• -> 'y' to change the name of your server -> enter a unique servername e.g. DILEEPHYPERVCORE
• -> restart
• Is the server part of the Rexnet domain? Y/N

5. Add a local administrator to your server
• From the main menu of the blue screen on your server, press '3' to add a local administrator
• User: rexnet\admin

6.
Enable remote desktop
• From the server's main menu (blue screen) on your server, press '7'
• -> type 'e' for enable
• -> type '2' for any client for remote desktop
• Go to the Windows client and start -> remote desktop
  o use the IP address of your server
  o username: rexnet\admin
  o password: router
• Can you remote desktop from your client PC to your server PC? Y/N

7. Disable Firewall on the server
• From the other Windows client try and ping the IP address of your server. You may find it cannot ping
• On the command prompt of your server use the following command to disable the firewall: netsh firewall set opmode disable (Alternative: netsh advfirewall set allprofiles state off)
• You should now be able to ping the server from your client Y/N

8. Install Hyper-V tools on your Windows client
• Log into your Windows client on the rexnet domain as the user: admin (pw: router). You may need to switch user if it is already logged in as another user
• Double click on the file and follow the wizard to install it onto your PC
• Control panel -> programs and features -> turn windows features on/off
• -> Expand 'HyperV'
• -> Check the boxes and sub-options for Hyper-V management tools and Hyper-V platform
• Click 'ok' to enable the new Hyper-V tools features
• Once it is enabled -> start -> administration tools -> Hyper-V manager
• Connect to server (right hand panel)
• -> click on 'another computer' and enter the hostname of your core server (you could try the IP address of the server instead of the hostname but it may result in an RPC service error)
• -> press 'ok' to connect
• Server connected?
Y/N
• Notes
  o If it is displaying a message saying that access is denied, then make sure your client is logged in as admin user and right click on the core server icon in Hyper-V manager and refresh
  o If it has an RPC service error message, make sure the firewall has been disabled on both the client and server and that you are connecting to your server using Hyper-V Manager with the hostname (not the IP address)

9. Create a virtual switch on the core server from the Windows client
• On your client: start Hyper-V Manager -> right click your core server name -> select 'Virtual Switch Manager'
• New virtual network -> External -> add
• Name your virtual switch e.g. DileepVirtualSwitch and select the Intel network adapter on your core server e.g. Intel 82578DC Gigabit Ethernet adapter (make sure the check box that says 'allow management operating system…' is checked)
• -> 'ok'
• -> 'yes'

10. Create VM on the core server from the Windows client
• Copy the Ubuntu iso file (ITSW1\public\itb7345\ virtualisation folder) on to your USB drive and plug the USB drive into your core server
• On your client: -> Hyper-V manager -> right click on your server name -> new -> virtual machine -> next
• Make this a Generation 1 virtual machine (same virtual hardware as previous versions of Hyper-V)
• Give your virtual machine a unique name e.g. DileepUbuntuVM
• -> Keep the memory to default (512 MB) -> next
• -> For the connection select your virtual switch (e.g. DileepVirtualSwitch) from the drop down menu and change the size of your VM to be smaller e.g. 40GB (keep the name and location to be the default values) -> Next
• Check the radio button that says: 'Install the operating system from a boot CD/DVD ROM' and check the radio button that says: Image file (.iso) -> browse for the iso on the USB on your server -> 'Next' -> 'Finish' (note: if you cannot see your USB drive you can navigate to your USB drive letter e.g.
G:\ and then typing 'dir' to make sure you can see the contents of your USB drive. Then copy it from the G: drive to the C: drive of your server by using the following DOS command: Copy C:\

11. Install VM on the core server from the Windows client
• On your client: -> Hyper-V manager -> double click on your virtual machine name (e.g. DileepUbuntuVM) in the center panel
• -> 'Action' menu -> Start
• This will start the installation wizard for Ubuntu as if it was a live installation from a CD Y/N
Note: you can install as many virtual switches and virtual machines on your core server as required. The only limitation is the memory and processing power of your core server's hardware

12. View the Core server Device Manager from the client using MMC (This part does not work so you don't need to do this part)
• On your Windows client -> start -> type: MMC
• File -> Add/remove snap in..
• Select device manager -> add
• -> Select the 'Another computer' radio button -> Enter the IP address/hostname of your server
• -> 'Finish'
• Double click on the Device Manager
• Can you view the Device Manager for your server? Y/N

13. Tutor sign off ______________________________________

14. Tidy up

For more information on clustering two Hyper-V server 2008 R2 cores, have a look at the following YouTube video: https://www.youtube.com/watch?v=bqK2NU1gf0I
You can manage virtual machines through the command line in Hyper-V core if you are interested. Have a look at the following websites for more information:
http://www.mediazone.nl/post/How-to-manage-a-Hyper-V-core-with-powershell-on-the-Hyper-V-machine.aspx
http://www.tomsitpro.com/articles/hyper-v-powershell-cmdlets,2-779.html

Simple Network Management Protocol (SNMP)
SNMP is a protocol used to enable the control of and interaction with intelligent devices installed on a network. It allows a network manager with an SNMP console to interrogate intelligent SNMP enabled devices.
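When a console interrogates a device, the request travels as an ASN.1 message in BER encoding, with the community name sent as plain bytes. The following added example (not part of the lab book) builds an SNMPv2c Get-request by hand, decodes it again, and reports what anyone capturing the packet can read; the function names are invented here, the three OIDs are the standard MIB-II system group objects, and the packet is constructed rather than captured.

```python
"""SNMP v1/v2c on the wire: a minimal BER encoder/decoder (added example)."""

PDU_NAMES = {0xA0: "get-request", 0xA1: "get-next-request", 0xA2: "response",
             0xA3: "set-request", 0xA5: "get-bulk-request",
             0xA6: "inform-request", 0xA7: "snmpV2-trap"}
DEFAULT_COMMUNITIES = {"public", "private"}
# MIB-II system group: contact person, hostname, location.
SYS_CONTACT, SYS_NAME, SYS_LOCATION = ("1.3.6.1.2.1.1.4.0", "1.3.6.1.2.1.1.5.0",
                                       "1.3.6.1.2.1.1.6.0")


def ber_length(n):
    """Definite length: one byte below 128, otherwise 0x80|count plus the count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_length(len(content)) + content


def enc_int(value):
    """INTEGER, non-negative only; the extra bit keeps the sign bit clear."""
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])        # first two arcs share one byte
    for arc in arcs[2:]:
        groups = [arc & 0x7F]                        # base-128 digits, lowest first
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))       # continuation bit on leading digits
            arc >>= 7
        out += bytes(reversed(groups))
    return tlv(0x06, bytes(out))


def build_get_request(community, oids, request_id=1, version=1):
    """version 0 = SNMPv1, 1 = SNMPv2c; each variable binding is (OID, NULL)."""
    varbinds = b"".join(tlv(0x30, enc_oid(o) + tlv(0x05, b"")) for o in oids)
    pdu = tlv(0xA0, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(0x30, varbinds))
    return tlv(0x30, enc_int(version) + tlv(0x04, community.encode("ascii")) + pdu)


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the element that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def dec_oid(content):
    arcs = [content[0] // 40, content[0] % 40]       # valid for the 0.x and 1.x roots
    value = 0
    for byte in content[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_message(packet):
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing")
    _, raw_version, pos = read_tlv(msg, 0)
    version = int.from_bytes(raw_version, "big")
    if version not in (0, 1):
        raise ValueError("only community-based SNMP (v1/v2c) is handled here")
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    _, request_id, pos = read_tlv(pdu, 0)
    _, _, pos = read_tlv(pdu, pos)                   # error-status / non-repeaters
    _, _, pos = read_tlv(pdu, pos)                   # error-index / max-repetitions
    _, varbind_list, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbind_list):
        _, varbind, pos = read_tlv(varbind_list, pos)
        oids.append(dec_oid(read_tlv(varbind, 0)[1]))
    return {"version": "v1" if version == 0 else "v2c",
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(request_id, "big"), "oids": oids}


def audit(packet):
    """What a defender reviewing a capture would note about one message."""
    m = parse_message(packet)
    notes = [f"{m['version']} community sent in cleartext: {m['community']!r}"]
    if m["community"] in DEFAULT_COMMUNITIES:
        notes.append("default community name in use")
    return notes


if __name__ == "__main__":
    pkt = build_get_request("public", [SYS_CONTACT, SYS_NAME, SYS_LOCATION], 0x1234)
    print(pkt.hex(), parse_message(pkt), audit(pkt), sep="\n")
```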
SNMP enables devices such as bridges, routers, printers, file servers etc. to be able to communicate status information onto a network. All SNMP enabled devices must have an SNMP "management agent" installed. The management agent enables certain information about the device, notably the current state of it and the history of its operation, to be held. This data is held in a MIB (Management Information Base).

As many SNMP devices have different hardware and software platforms, SNMP uses a layer 6 protocol, ASN.1 (Abstract Syntax Notation 1), to communicate between all devices. This ensures a common language of communication.

SNMP management is done via special management stations, which run special management software capable of communicating with the agents over the network, issuing commands and getting responses. In this design all of the intelligence is placed on the management stations, so that the SNMP overhead on the devices is kept to a minimum.

SNMP communication operates in the following way:
- The normal mode of operation is for a management station to send a request to an agent asking it for information or commanding it to update its state in a certain way. Then the agent replies with the requested information or with a confirmation that it has updated its state as requested.

SNMP data is stored as a standard SNMP variable. There are about 175 standard variables and a number of others that are vendor specific; all of these are stored in the MIB. The data is sent via ASN.1.

SNMP defines 7 types of messages that can be sent between management stations and agents. These are:

Message              Description
Get-request          Requests the value of a variable or variables.
Get-next-request     Requests the variable following
Get-bulk-request     Fetches values within a large table
Set-request          Updates a variable or variables
Inform-request       Manager to manager message describing local MIB i.e.
                     if it is managing a variable at a particular point in time
SnmpV2-trap          Agent to manager trap report (error message)

Practical Exercises
Download an application (the latest stable version) called "The Dude" from http://www.mikrotik.com/thedude and install it on your PC
When you first start the application, it prompts you to scan the network.
Change the 'Scan network' address to: 10.150.1.0 /24
Make sure the 'Discovery mode' setting is: reliable scan (not fast scan)
Uncheck the checkbox: 'Layout Map after discover complete'
Click on the 'Discover' button

1. How do you find out if a device is SNMP enabled?
____________________________________________
2. What are some of the devices that are SNMP enabled?
____________________________________________
3. What are the IP addresses for the N201-Printer and the ITSW1 server? Are they SNMP enabled?
____________________________________________
4. Looking at the logs, what events/actions have taken place today?
____________________________________________

To view information about a particular SNMP device
The MIB Browser (Start -> all programs -> MG-SOFT MIB Browser -> Mib Browser) allows us to get the different MIB variables we may require in the object identifier tree (look at the "Query" tab).

5. Firstly contact the N201-Printer. What procedure did you use?
____________________________________________
What information does this return?
____________________________________________
6. I wish to find the following information about the printer. For each value please write down the entire response binding, including the MIB variable that you used, its data type and the actual value
• What hardware information can you discover?
____________________________________________
• How many interfaces does this printer have?
____________________________________________
• What type of interfaces does this printer have?
____________________________________________
Aside: What is meant by the term instances?
____________________________________________
• What is the speed of the interfaces in Mbps?
____________________________________________
• The printer's system up time:
____________________________________________
• MAC (AKA: physical/hardware) address on interface number 1:
____________________________________________
7. Now have a look at the MIB of the ITSW1 server on the network that is SNMP enabled. Use the same process of querying MIB variables to find out the following information:
• Server's hostname:
____________________________________________
• What is the name of the person I would contact if there are any problems with this server:
____________________________________________
• Physical address of interface 22 (interfaces 17-22 have addresses):
____________________________________________
• Operating system type and version
____________________________________________
For the next two questions: Create a connection with your file server by finding Bourne in your network connections ('Network' in the control panel), then go into one of the folders on Bourne.
• TCP port # that you are using on your computer to communicate with the File server
____________________________________________
• TCP port # that the File server is using to communicate with you
____________________________________________
8. What does it mean if you Walk the tree? What information is returned?
____________________________________________
____________________________________________
9. Turn on SNMP service on your computer:
a. Control panel->programs & features->turn on/off windows features->tick SNMP and its subcategory: WMI SNMP provider and click the 'OK' button
b.
Right click 'Computer' -> manage->services and applications->services
  i. Make sure SNMP service and SNMP trap have started
  ii. Right click SNMP service->properties->security tab->check the radio button 'Accept SNMP packets from any host'
  iii. In the security tab->add a community name called: public and give it Read only rights
  iv. Agent tab-> add contact name and location
  v. Apply changes
c. From another computer's MIB browser, contact your computer's IP address and see if you can get the Contact person, location, hostname and other MIB variables Y/N?

PROJECT 5 Using Windows Powershell for managing Active Directory users

AIM
The student will be able to set up new users and associated folders using the appropriate utilities.

EQUIPMENT
A PC configured as a Windows7 workstation and connected to a Windows server environment.

TASKS
14. Connect the PC to the network
15. Apply a fixed IP address
16. Set PC as an Active Directory Client
17. Explore the ITD student domain
18. Install Windows server 2003 admin tools
19. Create a new user using AD GUI
20. Create a new Organisation unit using AD GUI
21. Create One new user using Powershell
22. Delete user using AD Powershell
23. Create Multiple users using Powershell and CSV File
24. Use command line tools
25. Tidy the workplace
26. Produce a report

1. LOG INTO DOMAIN FROM THE WINDOWS CLIENT AS THE ADMINISTRATOR
a. Press Ctrl+Alt+Delete to be presented with the Windows Logon screen. Choose to Logon to the Rexnet domain using the details:
   User: admin
   Password: router
   Login successful? __________

2. INSTALL WINDOWS ADMINISTRATIVE TOOLS
Next we need to install the tools required to administer the server. The setup file required to install the pack is located on the public drive of Makinen Server.
a. Make sure you are logged in as the admin user (parts b and c may already be done for you)
b. Install program from the itsw1 server (location given by Tutor) \\itsw1\Public\nm619\..
c.
Once Installed: Click Start – Control Panel – Programs – Turn Windows features on or off
d. Expand "Remote Server Administration Tools" and expand "Features administration tools"
e. Check "Group Policy Management Tools"
f. Expand "Role Administration Tools", then expand "AD DS and AD LDS Tools"
g. Check "Active Directory Module for Windows Powershell".
h. Expand "AD DS Tools"
i. Check "Active Directory Administrative Center" and "AD DS Snap-ins and Command-line Tools"
j. Click Ok

3. USE ACTIVE DIRECTORY USERS AND COMPUTERS TO CREATE A USER
Active Directory Users and Computers is one of the most frequently used tools throughout these exercises. This tool is used for creating and configuring the users, computers and groups of users on the Domain.
a. Login as admin
b. Run the "Active Directory Users and Computers Administrative Tool"
   Note: Create a shortcut on the desktop.
c. Expand the rexnet domain and select ITD by highlighting it and then go into the ITB6244 folder by highlighting it
d. Only when you have highlighted the ITB6244 folder: create a user from the Action menu -> New -> User. Enter a login name, first and last name of your choice.
   Login Name: ________________________________
   First and Last Name: ________________________________
e. Click Next
f. Set the password to be: Router1
   a. Also Check "password never expires" option
g. Click Next
h. Click Finish
i. Have you created your user? Y/N

4. CREATE AN ORGANISATIONAL UNIT
a. Expand the rexnet domain and select ITD by highlighting it and then go into the ITB6244 folder by highlighting it
b. Only when you have highlighted the ITB6244 folder: create an organisational unit from the Action menu -> New -> Organisational Unit
b. Give your organisational unit a unique name e.g. MyOU

5. USING ACTIVE DIRECTORY MODULE FOR POWERSHELL
a. Start-> ControlPanel-> Administrative tools ->Active Directory Module for Powershell
b. Also have Active Directory GUI open so that you can see what is happening with the Powershell commands
c.
At the command prompt type:
   Import-Module ActiveDirectory
   (This will only work if the following file exists on the PC: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\ActiveDirectory.psd1)
d. To find a particular user, use the Get-ADUser command to find the details of the user you just created, e.g.
   Get-ADUser username
e. Now delete your user using the following command:
   Remove-ADUser username
   (type 'Y' to confirm when prompted)
f. To get details for all users in the ITB6244 Organisational Unit use the following command:
   Get-ADUser -Filter * -SearchBase "OU=ITB6244, OU=ITD,dc=rexnet,dc=local"
f. If we wanted to add one new user we could use the following to create a user called Dileep in the MyOU organisational unit.
   Notes
   - You will need to create a new user, different from the one you created previously, with a different username and details
   - You will need to change the following in the script below: name, SamAccountName, GivenName, DisplayName, UserPrincipalName and Path (MyOU) to create your own unique user in your organisation unit
   - Type this script into a text file with large font size and then paste it into Powershell. This will save a lot of time if there are errors

   # Create one enabled user in the MyOU organisational unit
   New-ADUser -Name "Dileep Rajendran" -SamAccountName "draj1" `
     -GivenName "Dileep" -Surname "Rajendran" -DisplayName "Dileep Rajendran" `
     -UserPrincipalName "[email protected]" -Enabled $true `
     -Path "OU=MyOU,OU=ITB6244,OU=ITD,DC=rexnet,DC=local" -Department "Sales" `
     -AccountPassword (ConvertTo-SecureString "Router1" `
     -AsPlainText -Force)

   (note: make sure there are no spaces at the end of the line after the special character `)
g. Use the following command to see if your user has been added:
   Get-ADUser username
   Can you see your new user in Powershell? Y/N
h. Look at your active directory GUI and refresh the page. Can you see your new user? Y/N
   Look at your active directory GUI and refresh the page. Has your user been deleted? Y/N

6. CREATE MULTIPLE USERS FROM A CSV FILE
a.
Start a new excel file and create a list of users as in the diagram below.
   Note: The column headings will need to be the same but your users must be different
b. Save the file as "users" with the CSV (comma delimited) file type onto your desktop
c. Now in Powershell, type the following commands (changing 'MyOU' to your organisational unit name). (Type this script into a text file with large font size and then paste it into Powershell. This will save a lot of time if there are errors.)

   # Create one enabled user in MyOU for each row of users.csv
   Import-Csv -Path C:\users\admin\desktop\users.csv |
     foreach {New-ADUser -Name $_.name -Enabled $true `
     -AccountPassword (ConvertTo-SecureString $_.password `
     -AsPlainText -Force) `
     -samAccountName $_.samAccountName -City $_.city `
     -Department $_.Department -EmployeeID $_.EmployeeID `
     -Path "OU=MyOU,OU=ITB6244,OU=ITD,DC=rexnet,DC=local"}

d. Look at your Active Directory Users and groups GUI and refresh the page. Can you see all the new users? Y/N
e. Can you see your users in Powershell:
   Get-ADUser -Filter * -SearchBase "OU=MyOU,OU=ITB6244, OU=ITD,dc=rexnet,dc=local"
   Y/N

7. OTHER COMMAND LINE TOOLS
a. Open the command prompt
b. Type ping itsw1.rexnet.local
   What IP address did the DNS name translate to?
   ___________________________________________________________
c. Type net user at the prompt
   Result? ____________________
d. Type net view at the prompt
   Result? ____________________
e. Type net use and note allocated drive mappings
f. Type net use Y: \\ITSW1\public at the prompt
   Note: Use another drive letter if Y: is already mapped.
   Result? __________________________________________
g. Type net use to view mapped drives. Drive Y: mapped? ______ Y/N

PROJECT 6 PFSENSE (Firewalls, NAT and Proxy server)

AIM
The student will be able to install the pfSense operating system, and configure the firewall, NAT and proxy settings

EQUIPMENT
• A PC with 2 NICs
• A PC configured as a Windows7 workstation and connected to a Windows domain
• pfSense installation CD
• Removable Drive

TASKS
27.
Install the pfSense OS onto a removable drive
28. Configure interface IP address settings
29. Client web-browser access
30. Configure NAT
31. Install and setup Squid proxy server
32. Block websites using a Blacklist
33. Create and test Firewall rules
34. Edit firewall rule for specific IP addresses

Extra Student Resources:
pfSense operating system free download: https://www.pfsense.org/
pfSense installation and setup tutorial: https://www.youtube.com/watch?v=txqoJiowDGI

Physical setup
The pfSense server has two NICs.

The NIC in the PCI slot (D-link or Realtek manufactured) will use the green cable and be the WAN interface of your server, which is connected to the IT Internet switch. This NIC will have the following settings, which you will set during installation:
• IP address of 202.14.63.X
• SNM: 255.255.240.0
• G/W: 202.14.63.2
• DNS: None
(The value X will be provided to your specific group by your tutor)

The on-board NIC (Intel manufactured) will use the white cable and be the LAN interface of your server, which is connected to the Rexnet switch as it should be by default. This NIC will have the following settings, which you will set during installation:
• IP address of 10.150.4.X
• SNM: 255.255.240.0
• G/W: None
• DNS: None

The windows client will have the following settings, which you can set now:
• IP address of 10.150.3.X
• SNM: 255.255.240.0
• G/W: 10.150.4.X (your pfSense IP address)
• DNS: 8.8.8.8 (Google DNS server)
• Alternate DNS: 8.8.4.4 (Google DNS server)

8. Install the pfSense OS onto a removable drive
The installation is done using the command line interface.
• On the 'welcome to pfSense' screen, select option 1 – Boot Multiuser
• Type 'i' to launch the installer when prompted (it takes about 5 mins to reach this point and you need to be watchful and quick here, otherwise it will run from a live cd)
• On the 'Configure Console' screen select 'Accept these changes'
• On the 'Select task' screen select 'Quick/Easy install'
• On the 'Are you SURE' screen select 'ok'
• On the 'Install Kernel' screen select 'Standard Kernel'
• On the 'Reboot' screen select 'Reboot'
  Note: Pull out the cd while it is rebooting (this is important, otherwise you will have to repeat the above steps)
• When prompted with "Do you want to set up VLANS now" type 'n'
• Check the interface id for each interface e.g. the Intel NIC may have an interface id of em0
  Intel NIC interface id:_____________ (this will be your LAN interface)
  Other NIC interface id:____________ (this will be your WAN interface)
• When prompted with "Enter WAN interface name" type the interface id for the NIC that is not your Intel NIC e.g. rl0 or vr0
• When prompted with "Enter LAN interface name" type the interface id for the one that is the Intel NIC e.g. em0
• Press enter with nothing
• Make sure it is correct and when prompted with "Do you want to proceed" type 'y' (if for some reason you typed the wrong interface id and you cannot see the screen with the actual interface id values, then leave it blank and type 'n')

9. Configure the interface IP addresses settings
• When prompted with "Enter an option" type '2' for setting the IP address of an interface.
• When prompted with "Enter the number of the interface you wish to configure" type '1' for the WAN interface
• When prompted with "Configure IPv4 address WAN interface via DHCP" type 'n'
• When prompted with "Enter the new WAN IPv4 interface address" type '202.14.63.X' (where X is given by the tutor)
• When prompted with "Enter the new WAN IPv4 subnet bit count" type '20' for a subnet mask of 255.255.240.0
• When prompted with "For a WAN enter the new WAN IPv4 upstream gateway address" type '202.14.63.2'
• When prompted with "Configure IPv6 address WAN interface via DHCP" type 'n'
• When prompted with "Enter the new WAN IPv6 address" – just leave it blank and press enter for nothing
• When prompted with "Do you want to revert to HTTP as the webConfigurator protocol" type 'n'
• Repeat all of the above steps for another interface (the LAN interface)
  o Note the following settings:
    Interface number: 2
    IP address: 10.150.4.X
    SNM: /20
    Gateway: none
    DNS: none
  o When it prompts: "Do you want to enable a DHCP on the LAN?" type 'n'
  o All the rest of the settings will be the same as the WAN interface you just set up

10. Client web browser access
• Go to any other windows client
• Set the static IP address settings as follows:
    IP address: 10.150.3.X
    SNM: /20
    Gateway: 10.150.4.X (your pfSense server LAN interface)
    DNS: 8.8.8.8 (Google's DNS server)
    Alternate DNS: 8.8.4.4 (Google's DNS server)
• Now use a web-browser on the client and type in the pfSense server IP address: 10.150.4.X and log in using the following credentials:
    Default username: admin
    Default password: pfsense (do not change this)
  (Note: if you cannot access the server you need to check that the server and client have the correct IP addresses for all interfaces and that the cables are properly connected)
• Click 'here' to continue
• Go to: System tab -> General settings
  o Enter two DNS servers 8.8.8.8 and 8.8.4.4
  o user-gateway of: 202.14.63.2 will be in the drop down list

11.
Configure the NAT settings
• From the client web browser GUI, go to Firewall menu -> NAT-> port forwarding tab
• Add a rule by clicking the 'Plus' button
• Keep all the default settings except change the following:
  o Destination port range: HTTP to HTTP
  o Redirect target IP: 10.150.4.X (pfSense server LAN IP)
  o Redirect target port: 8080
• Save changes
• Try to google something from your client - Can your client access the internet websites? Y/N
  (note: if you cannot access the internet, try pinging the pfSense server and google DNS servers to troubleshoot)

12. Install Squid proxy server package
• Restart your server (or you will not see the packages menu option below)
• System menu -> packages -> available packages tab (if this is not available then type the following into the url: https://10.150.4.x/pkg_mgr.php . Then go to 'available packages' tab)
• Scroll down and install the 'Squid3' package
  o The button is on the right hand side of the screen
• Once installed:
  o Services menu-> proxy server -> general tab
  o Keep the default settings except: check the 'transparent proxy' and 'allow users on interface' check boxes
  Note: You may need to configure the local cache in the local cache tab

The LightSquid package, which we are not installing in this particular lab, allows the pfSense server to produce reports on which IP addresses tried to access unwanted websites etc. It takes about a day to update. Status menu ->proxy report ->light squid report tab

13. Block websites using a Blacklist
• Open a new window on the web-browser of the client and access the following: trademe.co.nz and facebook.com
• Can you access these websites? Y/N (note: if you cannot please troubleshoot to ensure access)
• On pfSense server, go to: Services menu-> proxy server -> access control tab -> black list section
• Enter the websites into the blacklist section and save changes.
• Now can you access these websites? Y/N
What message was displayed on your screen when you try to access trademe.co.nz?
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
Why can you not block Facebook.com using this?
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________

14. Create and test Firewall rules
• In a new window of your client's web browser enter the following: ftp://cs.purdue.edu
• Can you access this FTP site Y/N
• (note: if you cannot please troubleshoot to ensure access)
• Close this window of your web-browser with the FTP site
• On the pfSense server window, go to: Firewall menu -> rules -> LAN tab
• Add a rule by clicking the 'Plus' button at the top of the list (why do you add a rule to the top of the list rather than the bottom of the list?)
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
• Make sure the rule has the following settings to block the FTP protocol:
  o Action: block
  o Interface: LAN
  o TCP/IP version: IPv4
  o Protocol: TCP
  o Source: LAN net (this means the whole LAN network)
  o Destination: any
  o Destination port range: from: FTP (21) (select from drop down list)
  o Destination port range: to: FTP (21) (select from drop down list)
  o Description: block FTP to remote sites
  Make sure you Save changes and then there is another button to Apply changes
• If you need to edit or delete the rule at any point use the e or x buttons respectively below:
• Can you access this FTP site now?
Y/N (if you can access – check your firewall settings to block access)
What message does your web-browser display?
___________________________________________________________________
___________________________________________________________________
• Close the web-browser and re-connect to your pfSense server.

15. Edit firewall rule for specific IP addresses
Edit this firewall rule so that only particular client IP addresses are blocked but others are allowed
• Click on the edit button
• Change the Source to: Network 10.150.8.0 /24
• Check that you are able to access the FTP site
• Can you access this FTP site Y/N (note: if you cannot please troubleshoot to ensure access)
• Close the web-browser window with the FTP site
• Change the IP address of your client to 10.150.8.X (leave the subnet mask, gateway and DNS server as you had previously set them)
• Can you access this FTP site now Y/N (if you can access – check your firewall settings to block access)
• By changing your client IP address you are able to test that the allowed IP address and the blocked IP address are working as required
• Disable the FTP firewall rule you created by clicking on the red x on the left hand side of the rule
• Can you access this FTP site Y/N (note: if you cannot please troubleshoot to ensure access)

Extension: Enable SSL filtering using pfsense so that facebook.com can be blocked. Use the following website as a guide: https://turbofuture.com/internet/Intercepting-HTTPS-Traffic-Using-the-Squid-Proxy-in-pfSense

16. Tutor sign off
______________________________________

17. Tidy up
• Make sure the client IP address is back to automatic detection
• Unplug the green network cable from the server but leave the white cable
• Turn the Server off before removing the removable drive
• Return the removable drive back to the tutor
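
The source matching tested in steps 14 and 15, as an added example that is not part of the original lab book: a Python model of the LAN tab with the FTP block rule sitting above pfSense's default allow rule, evaluated top to bottom with the first match deciding. The group value X = 7 and all helper names are constructed for illustration; the addresses, mask and rule fields are the ones given in the lab steps.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

X = 7  # constructed: the lab's per-group "X" value is assigned by the tutor
PFSENSE_LAN = ipaddress.ip_interface(f"10.150.4.{X}/20")
LAN_NET = PFSENSE_LAN.network  # 10.150.0.0/20, i.e. SNM 255.255.240.0


@dataclass
class Rule:
    action: str                    # "block" or "pass"
    proto: str                     # "tcp" or "any"
    source: ipaddress.IPv4Network
    dport: Optional[int]           # None means any destination port
    descr: str
    enabled: bool = True

    def matches(self, proto, src, dport):
        return (self.enabled
                and self.proto in ("any", proto)
                and src in self.source
                and self.dport in (None, dport))


def lan_rules(ftp_source, ftp_enabled=True):
    """LAN tab as the lab leaves it: FTP block rule above the default allow rule."""
    return [
        Rule("block", "tcp", ftp_source, 21, "block FTP to remote sites", ftp_enabled),
        Rule("pass", "any", LAN_NET, None, "Default allow LAN to any rule"),
    ]


def evaluate(rules, src, proto="tcp", dport=21):
    """Return the action of the first enabled rule that matches, top to bottom."""
    addr = ipaddress.ip_address(src)
    for rule in rules:
        if rule.matches(proto, addr, dport):
            return rule.action
    return "block"  # nothing matched: implicit default deny


def on_lan_segment(src):
    """True if a client that keeps the /20 mask shares the pfSense LAN network."""
    return ipaddress.ip_address(src) in LAN_NET


def lab_matrix():
    """Expected Y/N outcomes for the two client addresses used in steps 14 and 15."""
    first, moved = f"10.150.3.{X}", f"10.150.8.{X}"
    subnet = ipaddress.ip_network("10.150.8.0/24")
    step14 = lan_rules(LAN_NET)                    # Source: LAN net
    step15 = lan_rules(subnet)                     # Source: Network 10.150.8.0 /24
    disabled = lan_rules(subnet, ftp_enabled=False)
    return {
        "step14_ftp": evaluate(step14, first),
        "step14_http": evaluate(step14, first, dport=80),
        "step15_ftp_first_ip": evaluate(step15, first),
        "step15_ftp_moved_ip": evaluate(step15, moved),
        "step15_http_moved_ip": evaluate(step15, moved, dport=80),
        "rule_disabled_ftp_moved_ip": evaluate(disabled, moved),
        "moved_ip_still_on_lan": on_lan_segment(moved),
    }


if __name__ == "__main__":
    for check, result in lab_matrix().items():
        print(f"{check:28} {result}")
```

Because the client keeps the /20 mask, 10.150.8.X is still inside 10.150.0.0/20 and can reach the 10.150.4.X gateway, so a failed FTP connection in step 15 reflects the rule and not lost connectivity.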