Wednesday, 23 October 2013

Accessing a Linux shell on a Symantec Messaging Gateway

Sometimes you need a full Linux shell to run commands and troubleshoot. On Symantec Brightmail Gateway this is possible.

Before explaining how it is done, note that this must be done with great care, since any action can affect the platform.

To reach the Linux console, carry out the following steps:

1.- Log in to the Symantec BrightMail Gateway over ssh as the admin user.
2.- Run the set-support command. It prompts for a password for the support user; that password is valid for two days.
3.- Close the ssh session and reconnect as the support user.

From this point on you are connected to a Linux terminal.

Thursday, 3 October 2013

Changing the certificates on the Proxy SG for SSL authentication with AD

The BlueCoat Proxy SG appliances are configured so that user authentication against the BCAAA is encrypted with SSL. To encrypt this communication the appliances use a certificate that is generated during the BCAAA installation on the Domain Controller itself. These certificates are generated with a validity of 1 year.

To make the change without affecting communications, it is recommended to disable SSL communication in the IWA configuration. To do so, go to Management Console -> Authentication -> IWA, clear the Enable SSL checkbox and click APPLY.

Install/Reinstall the BCAAA

Go to
Section B: BCAAA Installation
1) Install BCAAA and set the parameter to 'Allow only SSL connections.'
2) Configure the CN as the hostname (for example ford.kllab.bluecoat.com; do not use the IP address, and make sure DNS is able to resolve that hostname).
3) Set "Save the automatically generated certificate in the certificate store" to YES.
4) Set "Require the ProxySG to provide a valid certificate in order to connect" to NO.
5) Click 'Install' to run the installation process.
6) Once the BCAAA installation is complete, verify bcaaa.ini and make sure the configuration is as below. If it is different, modify bcaaa.ini and restart the BCAAA service.
UseSSL=1
CertificateSubject=ford.testlab.bluecoat.com
SaveGeneratedCertificate=1
VerifySG=0
7) On the BCAAA console, click START, RUN, type MMC and click OK. When the console opens, click File, ADD/Remove Snap-in (or press CTRL + M), click ADD, select CERTIFICATES, click ADD, select SERVICE ACCOUNT, click NEXT twice, select BCAAA, click FINISH, then click CLOSE and OK.
8) Make sure the certificate appears under BCAAA\Personal, Certificates. If there is no certificate for the hostname chosen in step 2, you may need to perform the additional steps documented in Appendix A.
9) Double-click that certificate; you should see that it is currently not trusted.
10) To make the certificate trusted, press CTRL + M (or click File, ADD/Remove Snap-in), click ADD, select CERTIFICATES, click ADD, select Computer Account, click NEXT and click FINISH. Click CLOSE and OK.
11) Then, under Certificates - Service (BCAAA) on Local Computer, BCAAA\Personal, Certificates, select the ford.testlab.bluecoat.com certificate, right-click and COPY. Go to Certificates (LOCAL COMPUTER), Trusted Root Certification Authorities, Certificates, right-click and PASTE it. The certificate will be placed at the bottom of the list. Then double-click the certificate (ford.testlab.bluecoat.com) and you will find that the certificate is not currently trusted.
12) On the same certificate screen, click DETAILS, select COPY TO FILE; the wizard pops up. Click NEXT, then NEXT again (leaving "No, do not export the private key" selected), select Base-64 encoded X.509 (.CER), click NEXT, save the file to a path (for example c:\bcaaa) and click FINISH.
13) Close the MMC console and open the bcaaa.cer you just created in Notepad, then copy the entire string from BEGIN CERTIFICATE to END CERTIFICATE. Then connect to the ProxySG Management Console via https.
14) Restart the BCAAA service.
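The bcaaa.cer exported in steps 12 and 13 is what gets pasted into the ProxySG, and because BCAAA generates it with a one-year validity the same procedure comes round every year. The script below is an added example, not part of the original post and not Blue Coat or Symantec code: it checks the exported file before the import (CN equals the BCAAA hostname, renewal not due, clean BEGIN/END block) and can be rerun from cron so the reinstall is scheduled before IWA over SSL stops working. It assumes the openssl command-line tool; the real bcaaa.cer only exists on the Domain Controller, so the demo stands in for it with a constructed self-signed certificate (CN=ford.testlab.bluecoat.com, 365 days) of the same shape as the BCAAA-generated one. The function names and the 30-day warning window are the example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post or from Blue Coat/Symantec.
# Pre-flight checks on the Base-64 .CER exported from the BCAAA service
# certificate store (Section B, steps 12-13) before it is pasted into the
# ProxySG CA certificate list. Assumes the openssl command-line tool.
set -eu

# Print the subject CN of a PEM certificate (handles the "CN = x" output of
# OpenSSL 1.1/3 and the "/CN=x" output of OpenSSL 1.0).
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's|.*CN *= *||; s|[,/].*||'
}

# Return 0 when the certificate expires within $2 days, 1 otherwise.
# openssl -checkend exits 0 while the certificate is still good, so invert it.
cert_expires_within_days() {
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Print only the BEGIN ... END block, i.e. the part step 13 says to copy.
# Notepad on the BCAAA host writes CRLF line endings, so strip the CRs first.
extract_pem_block() {
  tr -d '\r' < "$1" |
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# Check that the CN is the BCAAA hostname (it must match CertificateSubject in
# bcaaa.ini and the CA Cert name used on the ProxySG) and that renewal is not
# due yet. The 30-day warning window is this example's choice.
# usage: check_bcaaa_cert file expected_hostname  (exit 0 ok, 1 CN, 2 expiry)
check_bcaaa_cert() {
  cn=$(cert_cn "$1")
  if [ "$cn" != "$2" ]; then
    echo "CN '$cn' does not match BCAAA hostname '$2'"
    return 1
  fi
  if cert_expires_within_days "$1" 30; then
    echo "certificate for $cn expires within 30 days: reinstall BCAAA and re-import"
    return 2
  fi
  echo "certificate for $cn is OK"
}

# Constructed sample: a self-signed certificate of the same shape as the one
# BCAAA generates (CN = hostname, one-year validity), standing in for the real
# bcaaa.cer. usage: make_sample_cert out_file cn days
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
    -subj "/CN=$2" -days "$3" -out "$1" 2>/dev/null
}

# Demo run: a fresh one-year certificate and one that is about to expire.
tmp=$(mktemp -d)
make_sample_cert "$tmp/bcaaa.cer" ford.testlab.bluecoat.com 365
make_sample_cert "$tmp/old.cer"   ford.testlab.bluecoat.com 10
check_bcaaa_cert "$tmp/bcaaa.cer" ford.testlab.bluecoat.com
check_bcaaa_cert "$tmp/old.cer"   ford.testlab.bluecoat.com || true
extract_pem_block "$tmp/bcaaa.cer" | head -n 1
rm -rf "$tmp"
```

Run it as "sh check_bcaaa_cert.sh" on a copy of the exported file, or replace the demo lines with a call such as "check_bcaaa_cert /path/to/bcaaa.cer ford.testlab.bluecoat.com" and let the exit code (2 means renewal is due) drive an alert. The CR stripping matters because a certificate pasted with stray carriage returns is a common reason an otherwise correct CA import is rejected or fails to verify.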
Section C: ProxySG Configuration and Settings
1) In Management Console -> SSL -> CA Certificates, click IMPORT, enter the hostname as the CA Cert name (e.g. ford.testlab.bluecoat.com), and paste the string copied from bcaaa.cer into the CA Cert section.
2) Click OK and the certificate will be placed at the bottom of the CA certificates list. Click APPLY. Then go to Management Console -> Policy -> Visual Policy Manager and click LAUNCH.
3) Make sure the device profile includes your BCAAA server's certificate: go to Configuration -> SSL -> Device Profiles, highlight the profile name above and click 'Edit'. Change 'CCL' to '<All CA Certificates>' and click 'Apply'. BCAAA over SSL should now work. Note that this makes the profile trust every CA certificate on the appliance; if you do not want that, create a new profile together with a new CA Certificate list containing only the BCAAA certificate.
4) In Visual Policy Manager, click Policy, select Add Web Authentication Layer, provide a name and click OK. In the Action column, right-click and select SET, click NEW, select Authenticate, choose the REALM you created and click OK twice. Click Install Policy and close the Visual Policy Manager.
5) Go back to the BCAAA console, open Event Viewer, select the Application log and watch for errors during testing. Then test authentication from your PC: point the browser explicitly at the ProxySG and connect to a website.
Appendix A
============
To generate the certificate for the BCAAA server (when no certificate appears after installation), configure the ProxySG to send an NTLM request to BCAAA. Once the request reaches BCAAA, the certificate is generated automatically.
The simplest way to trigger an NTLM request from the ProxySG to BCAAA is to configure a client browser to use the ProxySG explicitly. The ProxySG then forwards the authentication request to BCAAA.