Super-Networking Blog

Systems

Configure Network Adapter from Command Prompt

by admin on Feb.11, 2008, under Networking, Systems

If you really want to configure your IP address from the command prompt instead of the Windows GUI, you can do so with the Netsh.exe command.

To see your current network config, go to a command prompt and type in the following command:
netsh interface ip show config

If you want to set your IP to 10.10.0.2 with a subnet mask of 255.255.255.0 and a gateway of 10.10.0.1 on your Local Area Connection adapter, use the following command:
netsh interface ip set address name="Local Area Connection" static 10.10.0.2 255.255.255.0 10.10.0.1 1

To set up DNS settings:
netsh interface ip set dns "Local Area Connection" static 10.10.0.200

These commands should work on Windows Server 2003 and Windows XP, might work on other versions too but haven’t tested.


Microsoft DFS Replication Rights

by admin on Feb.11, 2008, under Software, Systems

If you set up a folder to replicate using DFS and you want to lock down the folder rights on it, you might have issues. You have to be sure to give the System account on each server write and modify rights for the replication to work.

If you add the system account to the folder you should be able to lock the rights down as far as you want and the replication will still work.


Google Checkout Cart Integration Problem

by admin on Feb.07, 2008, under Systems

I was getting the following error from Google in their Google Checkout Integration Console:

We encountered an error trying to access your server at

https://www.website.com/ (URL Path Changed)

the error we got  is: javax.net.ssl.SSLHandshakeException:

sun.security.validator.ValidatorException: PKIX path building failed:

sun.security.provider.certpath.SunCertPathBuilderException:

unable to find valid certification path to requested target

Google’s Info on Cart Integration issues is here

About this error it says:

Use a valid SSL certificate so you can receive callbacks. (If you’re only testing in the sandbox, you won’t need an SSL certificate. Feel free to use an HTTP callback URL for testing purposes.)

So you check out your certificate and it is valid, you go to your site over https and everything looks great. I read that sometimes your certificate chain can be broken so I found these instructions:

To view the current certificate chain being returned by your server:

In Firefox:
1. Navigate to your callback URL in your browser.
2. Click the lock icon in the address bar of your browser.
3. Click ‘View’ under the ‘Security’ tab.
4. Click ‘Details.’
5. Locate the current certificate chain under ‘Certificate Hierarchy.’

In Internet Explorer:
1. Navigate to your callback URL in your browser.
2. Double click the lock icon in the lower right hand corner of the status Bar in your browser.
3. Click the ‘Certification Path’ tab in the window that appears.

Additionally, you can view the current certificate chain being returned by your server by using the OpenSSL and the following command:
openssl s_client -connect {website domain}:443 -showcerts

In both Firefox and IE the chain looked fine. But both browsers have a tendency to fix a missing chain so I downloaded and installed openssl and ran that command above. Found the chain was messed up.

I went into the certificate stores on the webservers, went into Intermediate Certification Authorities only to find the CA for our SSL certificate had expired.

We had a VeriSign SSL Cert and here are the instructions on how to fix it:

https://www.verisign.com/support/ssl-certificates-support/page_dev028341.html

After doing an iisreset on all of the servers with the new CA cert everything started working. I hope this keeps some people from running into the same headaches I ran into.
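The check described above, where the chain the server actually sends is inspected instead of trusting what a browser displays, can be scripted. The following is an added example, not code from the original post: it parses the "Certificate chain" section of `openssl s_client -showcerts` output and reports expired or missing links. It assumes the OpenSSL 3.x output layout (which includes a `v:` validity line per certificate; older builds omit it and the expiry check is then skipped), and the sample text, names and dates are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample of the "Certificate chain" section printed by
# `openssl s_client -connect host:443 -showcerts` (OpenSSL 3.x layout,
# PEM bodies omitted). All names and dates are made up.
SAMPLE = """\
Certificate chain
 0 s:C = US, O = Example Shop, CN = www.example.test
   i:C = US, O = Example Trust, CN = Example Issuing CA
   v:NotBefore: Jun  1 00:00:00 2007 GMT; NotAfter: Jun  1 00:00:00 2008 GMT
 1 s:C = US, O = Example Trust, CN = Example Issuing CA
   i:C = US, O = Example Trust, CN = Example Root CA
   v:NotBefore: Jan  1 00:00:00 1998 GMT; NotAfter: Jan  1 00:00:00 2008 GMT
---
"""

def parse_chain(text):
    """Return the certificates in the order the server sent them."""
    chain = []
    for line in text.splitlines():
        if line.strip() == "---" and chain:
            break  # end of the chain section
        m = re.match(r"\s*\d+ s:(.*)", line)
        if m:
            chain.append({"subject": m.group(1).strip(), "issuer": None, "not_after": None})
        elif chain and (m := re.match(r"\s+i:(.*)", line)):
            chain[-1]["issuer"] = m.group(1).strip()
        elif chain and (m := re.search(r"NotAfter: (.+ GMT)", line)):
            chain[-1]["not_after"] = datetime.strptime(
                m.group(1), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
    return chain

def chain_problems(chain, now):
    """List defects a strict client (no cached intermediates) would trip on."""
    problems = []
    for n, cert in enumerate(chain):
        if cert["not_after"] and cert["not_after"] < now:
            problems.append(f"cert {n} expired: {cert['subject']}")
        if n + 1 < len(chain) and cert["issuer"] != chain[n + 1]["subject"]:
            problems.append(f"cert {n} was not issued by cert {n + 1}")
    if len(chain) == 1 and chain[0]["issuer"] != chain[0]["subject"]:
        problems.append("only the leaf was sent: intermediate CA missing")
    return problems

if __name__ == "__main__":
    now = datetime(2008, 2, 7, tzinfo=timezone.utc)
    print(chain_problems(parse_chain(SAMPLE), now))
```

To use it against a live server, save the s_client output to a file and pass its contents to `parse_chain` with the current UTC time.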


Two Default Gateways

by admin on Feb.06, 2008, under Networking, Systems

So I thought I would discuss the topic of multiple default gateways on Windows Servers today since my buddy blogged about it.

IT and Development Best Practice

First off, you should never have two default gateways on your servers. It doesn’t matter which OS you are running; Windows 98/NT is worse at handling the condition, but all of them will have problems. Every Windows server has a little routing table in memory. If you have one network card, it will know to send anything on its own subnet out that adapter even if you don’t have a gateway. It doesn’t know how to get to anything outside of its own subnet without a default gateway. Now if you have two adapters without default gateways, the server will know which adapter to use for each subnet, depending on which subnet is tied to which network card.

When you add a default gateway to a network card, the server will then send anything outside of its local subnet(s) to the gateway you specify. The gateway, being a router or firewall, then passes the traffic on to the correct location. The problem comes in if you have default gateways on more than one network card. The server then gets confused about where to send its traffic when the destination is off its local subnets.

The way it is supposed to work is that the adapter that is bound first to the OS should be the one used, but that isn’t what happens. Instead the OS randomly guesses at which gateway to use, and some packets may get through while some will not. This happens not only across different sessions but in mid-session as well.

So what do you do when you have a dual-homed server and you want multiple subnets to go out one adapter and everything else to go out the other? Add the default gateway on the adapter that should carry the traffic whose subnets you might not know in advance, such as Internet traffic. Then add a route statement for the subnets you do know and want to go out the other adapter.

Example:

Adapter #1 - 10.1.1.20 Mask 255.255.255.0 Default Gateway 10.1.1.1

Adapter #2 - 192.168.2.20 Mask 255.255.255.0

Go to a command prompt and add the command below:

route add 192.168.0.0 mask 255.255.0.0 192.168.2.1

This would tell the server that all traffic heading for anything on the 192.168.0.0 subnets should be directed to the IP 192.168.2.1. That adapter would not have a default gateway. The other adapter has the default gateway, and all other traffic would go out that adapter and to the IP specified. Note that the route added above will go away on restart unless you specify -p, in which case it will stay until you do a route delete.

If you want to see all the routes your server is currently using run the command “route print”
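To make the routing behaviour above concrete, here is an added example (not from the original post) that parses the "Active Routes" table from `route print`, lists every default gateway so a second one stands out, and shows which next hop a destination gets. It assumes the Windows XP / Server 2003 column layout; the sample table is constructed from the two-adapter example, and the lowest-metric tie-break in `next_hop` is a simplification for illustration.

```python
import ipaddress
import re

# Constructed "Active Routes" table in the layout `route print` uses on
# Windows XP / Server 2003, matching the two-adapter example in this post
# after the static route has been added.
SAMPLE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.1.1.1       10.1.1.20     20
         10.1.1.0    255.255.255.0        10.1.1.20       10.1.1.20     20
      192.168.0.0      255.255.0.0      192.168.2.1    192.168.2.20      1
      192.168.2.0    255.255.255.0     192.168.2.20    192.168.2.20     20
"""

IP = r"((?:\d{1,3}\.){3}\d{1,3})"
ROW = re.compile(rf"^\s*{IP}\s+{IP}\s+{IP}\s+{IP}\s+(\d+)\s*$")

def parse_routes(text):
    """Turn the IPv4 rows of `route print` into route records."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            dest, mask, gateway, iface, metric = m.groups()
            routes.append({"net": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
                           "gateway": gateway, "interface": iface,
                           "metric": int(metric)})
    return routes

def default_gateways(routes):
    """More than one entry here is the two-default-gateway condition."""
    return sorted({r["gateway"] for r in routes if r["net"].prefixlen == 0})

def next_hop(routes, dest):
    """Most specific matching route wins; lowest metric breaks ties."""
    ip = ipaddress.ip_address(dest)
    hits = [r for r in routes if ip in r["net"]]
    if not hits:
        return None
    return max(hits, key=lambda r: (r["net"].prefixlen, -r["metric"]))["gateway"]

if __name__ == "__main__":
    table = parse_routes(SAMPLE)
    print(default_gateways(table))
    for dest in ("192.168.5.7", "203.0.113.9", "10.1.1.50"):
        print(dest, "->", next_hop(table, dest))
```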

One thing to ask yourself before going through this, do I really need a dual-homed server? What security holes am I opening up? Am I bypassing a firewall?


Solarwinds Orion 8.5 Problems

by admin on Feb.01, 2008, under Software, Systems

So I am running Solarwinds Orion 8.5 on a Windows 2003 R2 server. I installed Microsoft .NET Framework 2.0 Service Pack 1 (KB110806) on the server and it broke Orion’s website. The website would come up then when I tried to login I would get the following error:

Orion Website Error
An error has occurred with the Orion website.
Additional Information
System.Net.WebException: The remote server returned an error: (400) Bad Request.
at System.Net.HttpWebRequest.GetResponse()
at ClassicSiteProxy.Login(HttpContext context, String
username, String password)
at Login.InitiateLogin()
at Login.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean
includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

To fix it I did a repair on Orion, then I installed SP3 for Orion 8.5

It is now working again.


Symantec Endpoint Protection 11 - Part II

by admin on Jan.31, 2008, under Software, Systems

I am still running Endpoint Protection on my laptop, only one issue so far. Endpoint Protection 11 breaks WPA and WPA2 authentication for your wireless network. From reading in some Symantec forums it is a known issue with this software. The easiest way around it is to disable Network Threat Protection while you are authenticating, then enable it once the connection is established.

I looked for more of a permanent solution but even when I disabled the HIPS rules and allowed all traffic to pass on my wireless card it still failed. I guess this is the case when the client is unmanaged, if you have a managed client which I don’t you can work around it by allowing EAPOL. I can’t test this because I don’t have the server and so it isn’t managed. Hopefully they come out with a workaround.


Microsoft Virtual Server 2005

by admin on Jan.30, 2008, under Software, Systems

If you are running Virtual Server 2005 on a server with multiple processors you should be aware that the virtual machines you run on the server can only use one processor. So if you have a four processor server and are running two Virtual Machines you will only be able to utilize two out of the four processors. To make things worse if you have hyper-threading enabled on your processors the Virtual Machines can only use one logical processor or half of the physical processor. This will slow down your Virtual Machines a lot.

It is always recommended that you disable hyper-threading to get the best performance out of your Virtual Machines. Dual core processors are fine because it is actually two full speed processors in one instead of cutting the processing power in half like hyper-threading does. That said Virtual Machines in Virtual Server 2005 can still only use one core on a dual core processor but it is the same as running one physical processor.

Also I am hearing that the new Microsoft Server 2008 Hyper-V server will be able to utilize multi-core processors in Virtual Machines. This will break the single processor restriction in the current 2005 server.


Find the Files that are Eating Your Drive Space

by admin on Jan.29, 2008, under Software, Systems

How often do you find that one of your servers has a drive that is full or has doubled in space usage overnight? If you are like me, you don’t want to spend the time to look through Explorer to find out the size of each folder manually.

An easy free tool to tell you exactly what all the folder sizes are on any Windows drive is called TreeSize Free. You don’t even have to install it, just move over a folder with two files that are under a meg and you are up and running. It will make a quick scan of the drive of your choice and list the folders in order by size, you can then drill down in the folder structure to find what you need right away.


Windows XP SP2 Blocking a File

by admin on Jan.28, 2008, under Systems

So I ran into a new one today on my Windows XP Pro machine. I was trying to extract a program out of a zip file using XP’s built in compressed file program. The Zip file was 12MB in size, when I did an extract all it was only 100K worth of files in the directory. No errors no alerts, nothing in the event logs. I went into the folder and saw the .EXE was missing. I disabled my Antivirus and tried again, same result. I checked windows defender and it was disabled.

Windows itself was blocking it, I had never had Windows stop me from extracting a file before. I tried to run the file from within the Zip file and that is when I got the error that Windows has blocked the file.

Here is what Windows says about it:

How blocking some attachments helps protect your computer

Sending and reading e-mail is one of the most popular activities on the Internet. The widespread use of this technology, however, makes it a primary way for computer viruses to spread. Because viruses and other security threats are often contained in e-mail attachments, Microsoft Windows XP Service Pack 2 (SP2) helps protect your computer by blocking e-mail attachments that might be harmful.

In most cases, Windows XP SP2 will block files that have the potential to harm your computer if they come to you through e-mail or other communication programs. Windows will block these files if your program is running in a strong security mode. Most files that contain script or code that could run without your permission will be blocked. Some common examples of this file type are those with file names that end in .exe, .bat, and .js.

Blocking these files is very important to do, since directly opening files of this type poses a risk to your computer and personal data.

Is there any way I can open files that have been blocked?

If you are certain that you trust this file and want to open it, follow the instructions below.

  1. Save the file onto your computer.
  2. Click Start, click My Computer, and navigate to the file that you saved.
  3. Right-click the file that you saved, and then click Properties.
  4. Click Unblock near the bottom of the dialog box.

Sure enough once I “Unblocked” the Zip file it extracted and the EXE ran.


Symantec Endpoint Protection 11

by admin on Jan.25, 2008, under Software, Systems

I installed a trial of Symantec’s Endpoint Protection, which is the new version of Symantec’s Enterprise Antivirus. I have used Symantec in business all the way back to version 7 and have always liked it. Version 10 switched its server-to-client communication from UDP to TCP, which improved network stability. They also changed new virus definitions to be deltas instead of full definitions.

Well Symantec has taken it to the next level now with Endpoint Protection. Now the firewall package is built into all of their clients instead of just their SCS clients. They have also added a HIPS or Host Intrusion Protection Software into this client. This is the next step that a lot of companies have been trying to pull off but haven’t done well yet. IPS watches for known and unknown attacks by watching for activity that could be trying to do malicious things.

Firewalls are great because they block connections that aren’t specifically allowed, but they still allow all traffic on open ports; the IPS piece will analyze that traffic and watch for malicious activity. So far I have been very impressed with how well it is designed; I have not had to make any changes to allow things to work on my machine. I am on a domain, and typically you have to allow a ton of stuff just for your machine to function, and I did not. The only change I made was to turn off the alerts when the firewall blocked something.

One more note: a lot of standards, including PCI, require you to run HIDS/HIPS on your machines.

