Sole's Blog

Having spent some time trying to install an SSL certificate from a trusted certification authority on this product, I felt I should share my findings as they might save someone else the headaches and time I had to spend on this.

For reference I used a ZyXEL ZyWall USG 300 with Firmware version: 2.20(AOE.6) / 1.11 / 2011-10-05 11:51:34

I assume this information is the same for pretty much all versions of ZyWall products, but I can not confirm this from own testing as I only had access to one edition.

About Intermediate SSL certificates

All certificates today that want to enjoy the WebTrust approval must use intermediate issuing certificate authorities, this means that a root certificate is no longer allowed to directly issue server certificates for customers. This makes good sense security wise, as it is much harder for a hacker to gain access over the root certificate when it is not online and in case of a compromise, it should be sufficient to close the intermediate, without having to “remove/uninstall” the root from every client in the world.

So most professional products around that uses SSL certificates must be able to install both a server certificate and the intermediate issuing certificate, because the client only knows the root certificate, it needs the server to give it both.

Installing SSL certificates on ZyXEL ZyWall USG 300 (the good part)

Go into Configuration -> Object -> Certificate

Some things to have in mind when installing Read the rest of this entry »

Quite some time ago I encountered this error the first time, to be honest i can not even remember when it was. But I do know it was Windows 7 and Internet Explorer fully updated, together with the current Java runtime environment that gave me the problem, but I am getting ahead of myself.

Problem description:

• Using Internet Explorer, Windows 7 and Java Runtime Environment – all updated to latest editions on completely clean installations
• On all webpages loading Java the following error message appears twice (x2, two times, 2 times).
  Title: “Microsoft JScript compilation er…”.
  Error message: “Syntax error”.

Extra bonus information:

• I have experienced this problem on Windows 7 with and without service packs, Internet Explorer 8 and 9
• Usually the problem appears from “birth” with default settings
• Settings in Internet Explorer for showing errors, debugging scripts, etc. are all set to default i.e. not to anoy the user
• The error always comes two times and has absolutely no usefull information
• The Java application works fine without any errors, the only error is the actual message about the error and yes it is realy anoying

So to continue… Read the rest of this entry »

I always wanted the ability to compare different SSL certificates with the clients that do or do not support them.

But at best you can download the roots that a mobile client, browser or operating system uses and compare them with the certificates issued by thoose roots. A cumbersome and extremely tedious task, that still only gives you information about 1 single client. Why has no one made a database containing all popular SSL certificates and clients/browsers/mobile phones and their compatibility.

Well I guess the reason is that it is extremely hard to get a consistent and easy to use data from the clients. The issuers only have information about what clients support them, but the information is usually not quite true, i.e. SSL provider X gets approved by Nokia, so they write now they are supported by Nokia, but that is only true for new nokia phones made after the approval or updates and even in some cases Nokia might forget the SSL provider in a new phone model…

So I tried the next best thing, i created a web page that will test SSL certificates and if they work on any client. Basicly it looks for a small image on a webserver with the SSL certificate, and records if the client was able to load the picture via javascript. The result is then shown on the webpage and stored for a future comparison chart when I have enough clients/SSL certs.

I need your help

But I could realy use some help, I need people to run the test with their different clients, operating systems, mobile phones, etc. so we get as much data as possible.

You can start the test from this page www.ssltest.net/compare/

I also need more SSL certificates to add to the test. If you have or know of a publically available server using a SSL certificate not in the test allready, please e-mail me the URL for a small image of at least 2×2 pixels plus the name of the SSL certificate in use to sole@sole.dk

I hope the results will give enough data to make a public and FREE database of what SSL certificates that work on different browsers, operating systems and mobile phones.

Update 1 jan. 2011.

First results of the client SSL compatibility comparison charts are now public live on www.ssltest.net/compare/sar.php the page is not finished and only shows correctly in IE7+ (not doing layout, etc. before functionality is complete). But there is allready data about different OS, browsers and mobile phones that work or do not work with different SSL certificates. I must admit that the information is surprising for some of the results and I am sure that with more data it will get even more interesting. I have not found another place on the internet that has this information.

Since TeamViewer can be rolled out in an organization with the MSI package and sample vbs scripts from TeamViewer, I was asked if it would be hard to do a small VBScript to fetch the TeamViewer ID from theese machines and save it somewhere for the support staff to look up in.

This script is a very simple example of how to fetch the ID on a machine from registry and save that together with current logged in user and machine name in text files. To change this to save into another system, database, etc. would be quite simple.

But by creating a share with write permissions from everyone and pointing this script to it and placing it during login for all users in a domain, it would be easy to find a given machine or users TeamViewer ID. Since the TeamViewer ID does not change for a machine, it could be just run on machines when the TeamViewer client is installed, but that is entirely up to you. Read the rest of this entry »

Introduction
If you are just looking for a free shadow group script, either click here for a nice simple one or go to the bottom of this post for the full AD administrated script.

I was looking into Shadow Groups, inspired by a customer migrating from Novell to Active Directory. Apparently in Novell you can use Organizational Units as security groups, and by just moving a user to another OU when they change departments, they will automatically update their security permissions given by their department OU placement.

So what is so great about shadow groups you might ask. Simply put if you have OU’s for departments, where you place users depending on department membership, shadow groups, will shadow the members of the OU in the security group, I assume that is where the name shadow group comes from. This allows you to setup security permissions for a group that is linked to an organizational unit. So when you move user A from department sales, into department accounting, the user A will automatically be removed from the sales security group and added to the accounting security group, effectively updating user A’s permissions automatically. Saves time for large organizations, now a user moving OU does not need to have his groups manually updated.

The first hit on google was a blog post by John Policelli (MVP) explaining shadow groups is not a new type of group in Active Directory, it is rather a concept, when you automatically update the members of a security group from the objects placed in an Organizational Unit. Also he points out that this automatic synchronization is not an existing feature in Windows Server, we need to add it our self. The example he uses with dsquery, dsget and dsmod, works if you manually set it in a script for each OU/Group, I was looking for something easier to manage, that preferably did not require editing of the script that needed to run. I strongly believe scripts that can be maintained from Active Directory will always have a longer life time, since less updates and potential errors happen in the script.

After some more searching I found an article by Jakob H. Heidelberg (MVP and fellow Dane) this one also had a good explanation about what Shadow Groups are and also a download link to a simple VBScript to populate a group with the users in an Organizational Unit. If You are looking for a script to feed the OU and Group and then update the group from the users of the OU, that script will do you just fine and I would recommend you take a look at the article and script he wrote, as it is simpler and less prone to errors by being simple.

My idea of a Shadow Group Script Read the rest of this entry »

So You went ahead and used virtualized Domain Controllers for Your Active Directory domain, congratulations! I am sure You will be happy with the decission, as long as You have a decent virtualizing environment, this will give You both peace of mind, faster recovery and cheaper redundancy.

There is however some special considerations You must do, when You are using virtual Domain Controllers, not to mention, please with sugar on top, do NOT P2V/Convert Your physical Domain Controllers to virtual, without at least reading this article!

What areas do we need to consider on a virtual DC?

• Time synchronization
• Disk cache
• Suspend/pausing virtual machine
• Snapshots and System State backups
• Performance

Personally I much prefer virtual Domain Controllers, from having a lot of physical ones, but there are some considerations to be made, about perhaps leaving some physical and what features to use on the virtual and what settings to use as well. This article attempts to uncover some of the points to consider, specifically for virtal DC’s. The list is in no way meant to be the only considerations, but is mostly the things that I personally have noticed forgotten in environments I have encountered. Add Your own preferences and research to this and You should be well on Your way to live happily forever with Your virtual DC’s.

Read the rest of this entry »