Required Aerohive ports for successful communication and configuration

Source: https://community.aerohive.com/aerohive/topics/ap121_behind_watchguard_firewall_with_hivemanager_online

Brian Ambler, Sr. Technical Support Engineer

Hello Jan,

It would be expected that if only UDP 12222 were allowed outbound through the firewall, the AP would be able to form a CAPWAP client but would be unable to reach the HiveManager to successfully push configuration updates. By default, a HiveAP will use UDP 12222 to establish CAPWAP and TCP 22 to form a secure connection to the HiveManager to push complete configuration updates. The HiveAP can fail over to use TCP 80 for CAPWAP and TCP 443 for configuration updates, but if a successful CAPWAP connection is formed over UDP 12222 the AP will continue to look to open an SCP connection over TCP 22. I have excerpted the following from our Help documentation for more detail; should you need more information on this subject I would recommend calling our ATAC team at (866) 365-9918 and someone on our Support team will be able to assist you further.

Services and Firewall Policies (from Help System):

It is likely that the policy set on most firewalls already permits outbound traffic on TCP port 80 for HTTP, but it is less likely that they permit outbound traffic on UDP port 12222 for CAPWAP. To avoid having to reconfigure the firewall, you can configure devices behind the firewall to communicate with HiveManager Online using HTTP on TCP port 80 instead of CAPWAP UDP port 12222. Furthermore, if outbound traffic must pass through an HTTP proxy server, you can configure devices to send CAPWAP over HTTP to the proxy server. Note that HiveManager Online uses HTTP only for monitoring devices and pushing delta config updates. When downloading files such as HiveOS image files, full configurations, captive web portal pages, and certificates from HiveManager Online to devices, devices use HTTPS. (With a physical HiveManager appliance, the devices use SSH for these file downloads.) In addition, for uploading packet captures to either HiveManager or HiveManager Online, devices use HTTPS. Therefore, if there is a firewall in front of the devices, it must allow the following types of outbound services:

    • To HiveManager: CAPWAP (UDP port 12222), SSH (TCP 22), and HTTPS (TCP 443)
    • To HiveManager Online: CAPWAP (UDP 12222), SSH (TCP 22), and HTTPS (TCP 443); or HTTP (TCP 80) and HTTPS (TCP 443)

My Aerohive APs are connected by CAPWAP, but why is their connection status shown as disconnected?

This can happen if there is a firewall policy blocking outbound traffic on UDP port 12222 for CAPWAP. To avoid having to reconfigure the firewall, you can configure HiveAPs behind the firewall to communicate with HiveManager Online using HTTP on TCP port 80 instead of CAPWAP UDP port 12222.

These are the two necessary CLI commands:

    • capwap client transport http
    • capwap client server port 80

If outbound traffic must pass through an HTTP proxy server, you can configure HiveAPs to send CAPWAP over HTTP to the proxy server.
To accomplish that, enter these 2 CLI commands:

    • capwap client http proxy name <proxy-hostname> port <proxy-port>
    • capwap client http proxy user <username> password <password>
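The failover logic described in the answer, worked through as an added Python example that is not part of the original post and not an Aerohive tool: given the outbound rules a firewall allows, it predicts which CAPWAP transport the HiveAP will come up on and whether complete configuration pushes can follow, reproducing the case in the question (only UDP 12222 open: CAPWAP connects, configuration updates fail). The rule constants, the `predict` function and the `Outcome` fields are this example's own assumptions, built only from the ports and behaviour quoted above; nothing here talks to a real AP or HiveManager.

```python
"""Predict what a HiveAP behind a firewall can do, given the outbound rules the
firewall allows, following the CAPWAP/SCP failover behaviour quoted above.
Added example; the rule model and function names are assumptions, not Aerohive code."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

Rule = Tuple[str, int]              # (protocol, destination port)

CAPWAP_UDP: Rule = ("udp", 12222)   # default CAPWAP transport
CAPWAP_HTTP: Rule = ("tcp", 80)     # CAPWAP over HTTP, HiveManager Online only
SSH: Rule = ("tcp", 22)             # SCP push of complete configurations
HTTPS: Rule = ("tcp", 443)          # image/full-config/portal/cert downloads, pcap uploads


@dataclass
class Outcome:
    capwap: Optional[str]           # "udp", "http", or None when no CAPWAP path is open
    full_config: bool               # complete configuration updates can be pushed
    missing: List[Rule] = field(default_factory=list)


def predict(allowed: Set[Rule], target: str = "online", force_http: bool = False) -> Outcome:
    """target: "online" (HiveManager Online) or "appliance" (physical HiveManager).
    force_http: the AP carries 'capwap client transport http' and
    'capwap client server port 80', so it skips UDP 12222 entirely."""
    if target not in ("online", "appliance"):
        raise ValueError(f"unknown target {target!r}")

    # Step 1: which CAPWAP transport comes up. UDP 12222 is tried first unless
    # the CLI forces HTTP; the HTTP fallback only exists towards HiveManager Online.
    if not force_http and CAPWAP_UDP in allowed:
        capwap = "udp"
    elif target == "online" and CAPWAP_HTTP in allowed:
        capwap = "http"
    else:
        return Outcome(None, False, [CAPWAP_HTTP if force_http else CAPWAP_UDP])

    # Step 2: the channel for complete configurations follows the transport.
    # After a UDP CAPWAP connection the AP keeps trying SCP on TCP 22 even if
    # TCP 80/443 are open (the point of the answer); over HTTP it uses HTTPS.
    if capwap == "udp":
        needed = [SSH, HTTPS]       # the Help text's list for UDP CAPWAP
        config_rule = SSH
    else:
        needed = [HTTPS]
        config_rule = HTTPS
    missing = [r for r in needed if r not in allowed]
    return Outcome(capwap, config_rule in allowed, missing)


def explain(o: Outcome) -> str:
    """One-line reading of an Outcome for a firewall review."""
    if o.capwap is None:
        return f"AP cannot connect; open {o.missing[0][0].upper()} {o.missing[0][1]}"
    state = "config pushes work" if o.full_config else "config pushes will fail"
    gaps = ", ".join(f"{p.upper()} {n}" for p, n in o.missing) or "none"
    return f"CAPWAP over {o.capwap}; {state}; missing outbound rules: {gaps}"


if __name__ == "__main__":
    # The question's situation: only UDP 12222 allowed outbound.
    print(explain(predict({CAPWAP_UDP})))
    # HTTP-only firewall with the AP reconfigured for CAPWAP over HTTP.
    print(explain(predict({CAPWAP_HTTP, HTTPS}, force_http=True)))
    # Everything but SSH open, AP left on defaults: UDP wins and SCP still fails.
    print(explain(predict({CAPWAP_UDP, CAPWAP_HTTP, HTTPS})))
```

The third scenario in the `__main__` block is the subtle one from the answer: opening TCP 80 and 443 alone does not help an AP that can still reach UDP 12222, because it never falls over to HTTP; either TCP 22 must be opened or the AP must be told to use HTTP with the two CLI commands above.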

Finding open ports and applications with netstat (also on Linux)

Source: http://www.nwlab.net/tutorials/netstat/offene-ports-netstat.html

Finding open ports and applications with netstat

Basics

Ports play an important role in communication on IP networks. At layer 4, a service is identified by the protocol (UDP, TCP) and the port number.

An application that offers a service on the network opens a port for that purpose. The port first goes into the "Listen" state and waits for connection attempts.

A list of the officially assigned port numbers can be found at IANA.

An open port in the Listen state is a potential entry point for script kiddies and hackers.

Trojans, or more precisely Trojan horses, like to install backdoors and open a corresponding port in the process.

It is therefore highly recommended to look at the open ports of your systems from time to time. When looking up unknown port numbers, Google is a great help.

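As an added example (not from the nwlab article), a small Python parser for `netstat -tulpn` style output on Linux: it picks out the listening sockets, separates those bound to every interface (0.0.0.0 or ::) from those bound to loopback, and reports exposed listeners that are not on an expected-port list, which is the periodic review the article recommends. The sample output is constructed for the example and the function names are its own.

```python
"""Parse `netstat -tulpn` (Linux) output and review the listening sockets.
Added example; the sample output below is constructed, not taken from the article."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1102/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      1345/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -
"""


@dataclass
class Listener:
    proto: str
    addr: str
    port: int
    pid: Optional[int]
    program: Optional[str]

    @property
    def exposed(self) -> bool:
        """Bound to all interfaces, so reachable from the network, not just localhost."""
        return self.addr in ("0.0.0.0", "::")


def parse_netstat(text: str) -> List[Listener]:
    listeners: List[Listener] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith(("tcp", "udp")):
            continue                                    # banner and header lines
        proto, local = fields[0], fields[3]
        if proto.startswith("tcp") and "LISTEN" not in fields:
            continue                                    # only listening TCP sockets
        # UDP rows have no State column, so the PID/Program field is taken from
        # the end of the row; it is "-" without root and absent without -p.
        pid = program = None
        if "/" in fields[-1]:
            pid_str, _, program = fields[-1].partition("/")
            pid = int(pid_str) if pid_str.isdigit() else None
        addr, _, port = local.rpartition(":")          # handles ":::80" too
        listeners.append(Listener(proto, addr, int(port), pid, program))
    return listeners


def review(text: str, expected_ports: Set[int]) -> List[Tuple[str, int, Optional[str]]]:
    """Exposed listeners whose port is not on the expected list: the ones to
    investigate (which program, why, and whether it needs that interface)."""
    return [(s.proto, s.port, s.program)
            for s in parse_netstat(text) if s.exposed and s.port not in expected_ports]


if __name__ == "__main__":
    for s in parse_netstat(SAMPLE):
        flag = "EXPOSED" if s.exposed else "local  "
        print(f"{flag} {s.proto:5} {s.addr}:{s.port} {s.program or '?'}")
    print("unexpected:", review(SAMPLE, {22, 80}))
```

Run it against real output with `netstat -tulpn | python3 review.py` style piping once `SAMPLE` is replaced by `sys.stdin.read()`; without root the PID/Program column shows "-", which the parser tolerates but which leaves the owning process unknown.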

Deploying vCenter 5.5 U1 – Error vpxd must be stopped

The usual headaches with new vCenter installations, and their solution. This helpful article came from vninja.net, thanks!

VMWARE VCENTER SERVER APPLIANCE ERROR: VPXD MUST BE STOPPED TO PERFORM THIS OPERATION

While deploying a fresh vCenter Server 5.5 Appliance, I ran into an issue getting it configured.

When the appliance is deployed, the first time you log in you get presented with the configuration wizard. The wizard clearly states that if you want to set a static ip, or hostname, you should cancel the wizard, do the network configuration and then re-run the wizard after the fact.

Well, that's what I did, and it resulted in the following error when trying to create the embedded database:

VC_CFG_RESULT=410(Error: VPXD must be stopped to perform this operation.)

I even tried redeploying the appliance from scratch, but sadly that had the same outcome.

In the end, I was able to complete the configuration by opening an SSH session to the vCenter appliance, and running the following command to stop the vmware-vpxd service mentioned in the error message:

~ # service vmware-vpxd stop

After that I could successfully complete the Setup Wizard. Hopefully this will help someone finding themselves in the same conundrum in the future.

Update:

Since my setup is a single host, and at the moment of deploying the vCenter Server Appliance there was no existing vCenter in place, I deployed the appliance directly to an ESXi host. When you do this, you do not get the OVF deployment wizard that asks for your IP addresses, netmasks etc. I suspect that this is the root cause of this issue, and that this is something you can/will run into if you deploy it in this manner.

Virtual machine on a USB stick? Sure!

USB sticks are now available in suitable sizes and with pleasant performance.

So why not take a whole VM along on the stick, to be ready for use anywhere and quickly? This article, including a video from VMware, shows us how it works.

To create and deploy ACE packages:
  1. Launch VMware workstation.
  2. Click VM > ACE and click New Package.
  3. In the New Package Wizard, click Next.
  4. Name the package being created, specify where to save the package and click Next.
  5. Select the type of the package and click Next.
    • Full – installs a new ACE instance
    • Policy update – updates policies of existing ACE instances
    • Custom – allows a selection of package components
  6. Select a package distribution format and click Next.
    • Network image – a single folder containing all created files
    • Multiple folders for creating DVDs or CDs – allows you to fit each folder on DVD or CD and label the disc as well
  7. Review the package summary and click Next.
  8. After the package is created, click Finish.

To create and deploy Pocket ACE packages:

  1. Launch VMware Workstation.
  2. Click VM > ACE and click New Pocket ACE package.
  3. In the Pocket ACE package wizard, click Next.
  4. Name the package being created, specify where to save the package and click Next.
  5. Select the player to be included in the Pocket ACE package and click Next.
  6. When the Pocket ACE is deployed to a portable device, set a password for the package and click Next.
  7. Review the package summary and click Next.
  8. After the package is created, deploy the portable device and click Finish.
  9. In the VMware Pocket ACE Deploy wizard, select the portable device or select a custom folder.

SharePoint update after Windows Update via psconfig.exe

Source: http://www.silent-blog.com/psconfig-nach-update-von-sharepoint-server/

After a Microsoft update of a SharePoint server, PSConfig must be run manually.

To do this, open a command prompt with administrator rights on the server and change to the directory:

C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\BIN

Now enter the following command:

PSCONFIG.EXE -cmd upgrade -inplace b2b -force -cmd applicationcontent install -cmd installfeatures

AD Explorer for Veeam Backup

Veeam Explorer for Active Directory Beta released

March 17, 2014 by Marcel van den Berg

Veeam just released a beta version of Veeam Explorer for Active Directory. This nice piece of software allows a simple restore of Active Directory objects without having to restore a complete Active Directory server. Just do a file level recovery of a domain controller. The guest filesystem will be mounted locally on the backup server to C:\veeamflr folder. After that, browse into that folder with Explorer for Active Directory and open ntds.dit . Use the Explorer for Active Directory to restore objects directly into the operational AD. It is also possible to export to a LDIF file.

Supported are Windows Server 2003, 2008 and 2012. When restoring objects of a Windows Server 2012 domain controller make sure Veeam Explorer for Active Directory is installed on the same version OS (2012) or on Windows 8.

The info below was taken from the Veeam forum:

VEAD supports search and restore of all AD objects types, including users, groups, computer accounts and contacts. It can restore individual object’s attributes, the entire objects, and even the whole organizational units (along with the hierarchy). Of course, the deleted objects do not have to be present in the Recycle Bin, as we will obtain all the data from backup where the objects are still present in AD. More importantly, unlike many other Active Directory recovery solutions, we do not require that the tombstone of the deleted object is still present in AD. VEAD is also fully Microsoft Exchange aware, so when restoring the user account, we will restore all Exchange-related attributes and reconnect the mailbox. As you will see, this is a very comprehensive solution.

But, there is one more thing. VEAD also has the unique ability to recover passwords! Imagine accidentally deleting the entire OU with all your users. Without this feature, each user will be prompted to set the new password upon first logon, which is very disruptive and insecure. But this feature will come even more handy if you lose an OU with computer accounts! If you simply restore those back, computers will not be able to logon to the domain because of computer account password mismatch. Now, just imagine the nightmare of going to each computer, switching it into workgroup, and then joining it back into the domain… hundreds of times! This is when you will really appreciate this feature.

The beta can be downloaded here. (requires B&R 7.0)

Andrea Mauro of vinfrastructure.it wrote a great post about Veeam Explorer for Active Directory

Resetting a Windows Server admin password

Resetting the admin password the easy way
Published on 18 January 2011 by rwigand

There are surely many ways to reset a forgotten password, but I believe this one is the easiest, and it also works on domain controllers with the domain administrator account. I was a little startled myself, but at least it should now be clear to everyone that physical access to a server is absolutely not a good idea…

Take an original Windows Server DVD (tested with Server 2008 and 2008 R2) and boot from it.
Select the language and continue.
"Repair your Computer"
Select the current instance and continue.
Choose "Command Prompt" as the recovery option.
At the command prompt, change to c:\Windows\system32

Now comes the magic:

Rename the file utilman.exe (that is the accessibility tool)
(move Utilman.exe Utilman.exe.bak)
Create a copy of cmd.exe named utilman.exe
(copy cmd.exe Utilman.exe)

That is all there is to it. Almost unbelievable, isn't it? Now just take the DVD out and reboot. After the normal start, at the login prompt a "Windows-u" is enough, and instead of the accessibility tool a CMD window opens. What comes next should be obvious:

net user administrator N_eues!PW123

And you can log on as Administrator with the password just set. Don't forget to copy the old utilman.exe back later; we don't want anyone to hack the machine, do we?

And anyone who now grumbles about how one can leave such a hole open should be reminded of the opening sentence: physical access to the server is the root of all evil!

Source: http://mymathom.wordpress.com/2011/01/18/admin-kennwort-am-dc-ganz-einfach-zurcksetzen/
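From the defender's side, an added Python check (not from the post above) for the traces the described swap leaves on a system: Utilman.exe becoming byte-identical to cmd.exe, and the renamed original remaining behind as Utilman.exe.bak. The System32 path, the `.bak` suffix (taken from the post's own commands) and the temporary-directory fixture are assumptions of the example; on a production server the check should additionally compare Utilman.exe against a known-good hash or its Authenticode signature, which this example does not do.

```python
"""Defender-side check for the Utilman.exe swap described in the post: after the
swap, Utilman.exe is byte-identical to cmd.exe and the renamed original is left
behind as Utilman.exe.bak. Added example; paths and names are assumptions."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import List

# Assumed location of the accessibility binary on a Windows server.
SYSTEM32 = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"


def sha256(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_utilman(system32: Path = SYSTEM32) -> List[str]:
    """Return findings about Utilman.exe; an empty list means nothing suspicious."""
    findings: List[str] = []
    utilman = system32 / "Utilman.exe"
    cmd = system32 / "cmd.exe"
    if not utilman.is_file():
        return ["Utilman.exe is missing"]
    # A copy of cmd.exe hashes exactly like cmd.exe; a genuine Utilman.exe never does.
    if cmd.is_file() and sha256(utilman) == sha256(cmd):
        findings.append("Utilman.exe is a copy of cmd.exe")
    # The post renames the original aside; a stray Utilman.exe.bak is the tell-tale.
    for leftover in sorted(system32.glob("Utilman.exe.*")):
        findings.append(f"leftover {leftover.name}")
    return findings


def demo(swapped: bool) -> List[str]:
    """Run the check against a constructed System32 look-alike in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cmd.exe").write_bytes(b"constructed stand-in for cmd.exe")
        if swapped:
            (root / "Utilman.exe.bak").write_bytes(b"constructed stand-in for Utilman.exe")
            (root / "Utilman.exe").write_bytes(b"constructed stand-in for cmd.exe")
        else:
            (root / "Utilman.exe").write_bytes(b"constructed stand-in for Utilman.exe")
        return check_utilman(root)


if __name__ == "__main__":
    print("clean fixture  :", demo(False))
    print("swapped fixture:", demo(True))
    if SYSTEM32.is_dir():                       # only meaningful on a Windows host
        print("this host      :", check_utilman() or "no findings")
```

The hash comparison catches exactly the swap the post performs; the mitigation the post itself names, restricting physical access to the server, is what actually closes the hole, together with BitLocker on the system volume so an offline boot cannot rewrite System32 at all.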

Quick restore of deleted folders in MS Exchange

Deleted public folders can still be restored in Outlook for a few days after deletion with a program provided by Microsoft to recover the deleted objects in public folders. This program is located below the Exchange program directory at bin\ExFolders.exe. With it, one (e.g. Mr Höffle) can connect to the Exchange server and, on the affected path there, select the option "Show deleted Subfolders" via right-click.

Aerohive AP Status Colors

Aerohive wireless status LED color codes

A handy reference from the Aerohive team to the Aerohive wireless status LED color codes that indicate what the Aerohive unit is up to:

[Image: Aerohive wireless status LED color codes]
http://www.base64.co.nz/wp-content/uploads/2012/05/base64-aerohive-colour-codes1.jpg

Blue – HiveAP is booting

Green – IP obtained via ethernet and may be securely connected to HiveManager

Yellow – IP obtained via Wireless Mesh and may be securely connected to HiveManager

White – HiveAP is managed by HiveManager and the configuration or OS Update has been applied.

Purple – HiveAP HiveOS software image is being updated.

Under normal operating conditions you would expect the status LED of the unit to be white, indicating a successful connection to the HiveManager.