Monthly Archives: April 2013

First impressions – Veeam and SharePoint Explorer

Since the countdown to Veeam Backup and Replication V7 began, Veeam has released some of the new features that are going to be included in the upcoming version (read more about it here: http://go.veeam.com/v7.html).
One of them is the SharePoint Explorer, which provides granular restoration of objects within a SharePoint content database.
I have tried the beta and this is how it looks.

System Requirements

  • Veeam Backup & Replication 6.5
  • Microsoft Windows 2008 SP2 or later (64-bit version)
  • Microsoft SQL 2008 or later (Express Edition supports SharePoint databases under 10GB in size)
  • Microsoft SharePoint 2010 (full support)
  • Microsoft SharePoint 2013 (browse and search only)

After installation, launch the tool and browse to the SharePoint database file (MDF) you want to explore. You can open any SharePoint 2010 and SharePoint 2013 database file, including those backed up by third-party solutions. A sample SharePoint database is available in the download area.
To use this beta with Veeam backups, you should initiate guest file-level recovery on the backup of the SQL Server VM hosting the SharePoint database, and then browse to the SharePoint database file (MDF) under the C:\VeeamFLR mount point.

So how does this work?

In this case, I have created a blank site where I store my important work documents (in this case VIKTIG.TXT). I'm also going to add a number of calendar entries.
After I've added all my entries, I take a Veeam backup of the database.

Then I go back to the SharePoint site and delete all my documents and attributes.

Then I open the SharePoint Explorer and point it to the backup file I created.

From here I can explore the SharePoint database and choose those files that got deleted.

Depending on what type of file or attribute I've posted on the SharePoint site, I have the option to store the file locally, send it to a user via e-mail, or restore it directly to SharePoint.

And the document is now back on the SharePoint site.

ARP guard in Hyper-V 2012

So I decided to try the ARP guard functionality in Hyper-V 2012 and see how it works, and at the same time check whether it is possible to change the MAC address.

I took a look at what documentation Microsoft had around the subject
http://blogs.technet.com/b/wincat/archive/2012/11/18/arp-spoofing-prevention-in-windows-server-2012-hyper-v.aspx
http://technet.microsoft.com/en-us/library/hh831823.aspx

And what they say here is:

 I am sure you already browsed the new Hyper-V Manager UI and found a couple of new settings like DHCP Guard, Router Guard but nothing specific for ARP Spoofing.
Well, the feature you are looking for is called Port Access Control Lists and is implemented in the new Hyper-V switch and must be configured via PowerShell.

ARP spoofing is a technique that enables a man-in-the-middle attack.

I can, for instance, place my computer between another user and the gateway, intercept all the traffic going between them, and run a sniffer on my computer to inspect all the traffic going in and out, without the user even knowing it. This can happen because of how the ARP protocol is built. It exists so that computers can find other computers on the same subnet; it is built on trust and was never designed as a secure protocol.

So in order to test this out I had to set up a small lab built with a couple of VMs running on a Hyper-V 2012 virtual switch:

  • 1 with Windows Server 2008 R2
  • 1 domain controller
  • 1 Linux BackTrack (which I will use arp spoof and mac changer on)

So when I start my newly installed WS2008 server, it has a clean ARP table (which consists only of the broadcast address).

And as you can see, this computer has the IP address 10.0.0.56.
So what happens when I ping this server from the BackTrack computer? First comes the ARP request (who owns this IP?).

You can see the ARP request first, then the ICMP traffic starts. Then the ARP table is updated with a dynamic entry.

Then I ping the domain controller, which has IP 10.0.0.1, and it has been added to the list as well. Look at the difference between the MAC addresses of 1 and 77.
Next I start the ARP spoofing attack from my BackTrack computer.

And I can see in Wireshark that I am flooding the network with ARP traffic.

And notice here that I am claiming that IP 10.0.0.1 is at another MAC address.
If you check the ARP table on the other computer now, you can see that it has been updated (poisoned).

And after I activate IP forwarding on the BackTrack server I can "act" as a man in the middle.
As you can see, when I now try to ping 10.0.0.1 I get a response,

but from my BackTrack server instead of my domain controller. And according to my server, 10.0.0.1 responds fine.
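
From the defender's side, the poisoning shows up in the victim's ARP table as the gateway's IP and another host's IP resolving to the same MAC address. The following PowerShell is an added example, not part of the original post, that flags this pattern in arp -a output; the sample output and its MAC addresses are constructed, and the function names are hypothetical.

```powershell
# Constructed sample of "arp -a" output from the 10.0.0.56 server after poisoning.
# The MAC addresses are made up for illustration.
$sampleArp = @'

Interface: 10.0.0.56 --- 0xb
  Internet Address      Physical Address      Type
  10.0.0.1              00-15-5d-00-01-4d     dynamic
  10.0.0.77             00-15-5d-00-01-4d     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
'@

# Parse the IPv4 / MAC / type rows out of arp -a text (English-language output assumed).
# Written to run on PowerShell 2.0, the version shipped with Windows Server 2008 R2.
function Get-ArpEntry {
    param([string]$Text)
    $row = '^\s*(?<ip>\d{1,3}(\.\d{1,3}){3})\s+(?<mac>([0-9a-f]{2}-){5}[0-9a-f]{2})\s+(?<type>\w+)'
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match $row) {
            New-Object PSObject -Property @{
                IP = $Matches['ip']; MAC = $Matches['mac'].ToLower(); Type = $Matches['type']
            }
        }
    }
}

# Report every MAC address that more than one dynamically learned IP resolves to.
function Find-SharedMac {
    param([string]$Text)
    Get-ArpEntry -Text $Text |
        Where-Object { $_.Type -eq 'dynamic' } |
        Group-Object -Property MAC |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            $ips = ($_.Group | ForEach-Object { $_.IP }) -join ', '
            "MAC $($_.Name) is claimed by: $ips"
        }
}

Find-SharedMac -Text $sampleArp
# Live check on a host: Find-SharedMac -Text (arp -a | Out-String)
```

A shared MAC is not always an attack (a host with several IP addresses produces the same pattern), so a hit that involves the default gateway is the one to investigate first.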

So how does the ARP guard in Windows Server fit in here, and where can I configure it?
The answer is Port Access Control Lists via PowerShell.

This is configured on the Hyper-V host; I find it best to do it via the PowerShell ISE.
So what can I do? First, I have to create a port ACL that defines that the virtual machine can ONLY communicate out with the IP address 10.0.0.77 and not with any other.

So when I apply this port ACL and try to ping 10.0.0.1, the server will not receive a response, and since it does not get a response it sends an ARP request again, which my BackTrack computer is unable to respond to because of the port ACL.

And the ARP table is restored to its default.
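
One way to express the port ACL described above with the Hyper-V cmdlets, as an added example that is not the author's original script. The VM name Backtrack is a hypothetical placeholder, and the example assumes 10.0.0.77 is the address assigned to the VM the ACL is applied to.

```powershell
# Added example. Run in an elevated PowerShell session on the Hyper-V 2012 host.
# $vmName is a hypothetical VM name; $allowedIp is the only address this VM
# is permitted to use on the virtual switch (assumption: the VM's own IP).
$vmName    = 'Backtrack'
$allowedIp = '10.0.0.77'

# Keep MAC address spoofing off for the VM's adapter, so the guest cannot
# send frames with a source MAC other than the one Hyper-V assigned to it.
Set-VMNetworkAdapter -VMName $vmName -MacAddressSpoofing Off

# Catch-all rule: deny traffic for any local address, in both directions.
Add-VMNetworkAdapterAcl -VMName $vmName -LocalIPAddress ANY `
    -Direction Both -Action Deny

# More specific rule: allow traffic that uses the VM's own address.
# The more specific address match takes precedence over the ANY rule.
Add-VMNetworkAdapterAcl -VMName $vmName -LocalIPAddress $allowedIp `
    -Direction Both -Action Allow

# Review the ACLs and the spoofing setting that are now in effect.
Get-VMNetworkAdapterAcl -VMName $vmName
Get-VMNetworkAdapter -VMName $vmName | Select-Object VMName, MacAddressSpoofing
```

To undo a rule, call Remove-VMNetworkAdapterAcl with the same parameters that were used to add it.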

 

 

Monitoring Netscaler with Operations Manager 2012

This guide has been written with Netscaler build 73 and Operations Manager 2012 SP1 (on WS2012) with the management pack from Citrix.

Operations Manager 2012 supports monitoring network devices either through SNMP (v1, 2 and 3) or through just basic ICMP.
Citrix has made a management pack solution, which you can use to enhance the monitoring capabilities in SCOM.
The pack also includes a VMM PRO management pack (which is not covered in this guide; only the basic management pack is).

The management pack can be downloaded from mycitrix (Requires login)
https://www.citrix.com/downloads/netscaler-adc/components/netscaler-management-pack-for-operations-manager-2012.html

(Just a side note: Comtrade is a Citrix Partner who is currently making a new management pack for Netscaler so stay tuned for the new release )

So when we have a functional Operations Manager server up and running we have to install the SNMP service on one of the servers.
This can be done via Server Manager.

After that is installed, go into services.msc and choose "Accept SNMP packets from any host", or just enter the IP of the Netscaler server.
Make sure that the firewall on the OpsMgr server allows inbound SNMP traffic.

After that is done you can install and open the management pack folder.

You will see that it includes a Guide and MP folder (which contains the Management Packs)
Now open Operations Manager console and go to administration and choose Management Packs, right-click and choose import.

And from there browse to the directory and choose the regular NS MP (Not the PRO)

And choose Install.

After that is installed, go back to monitoring and you will see that a new folder has appeared under Citrix Netscaler

By default, most of the performance monitoring rules are disabled, so we have to enable them to actually get some data.
So go into Authoring -> Rules and scope it to Citrix Netscaler.

First off, we can enable "Virtual Servers current up".

So we create an override rule for Netscaler Devices

and choose Enabled and save it into a management pack where we save our overrides.
After that is done we alter the SNMP settings on the Netscaler devices. I'm doing it in the CLI:

add snmp manager IP
add snmp community enternamehere ALL

(The last argument defines which rights this community string has.)

Add the IP of the SCOM MS and add a community string (in my case I used "com").

After that is done we have to add the network device into Operations Manager.
Open Administration -> Network Management, right-click and choose Discovery Wizard, and in the wizard choose Network Devices ->

From there specify a name and which MS and resource pool to manage the device

Click next -> choose Explicit

Click Next -> Here we add the community string which we will use to authenticate with the NS
We have to add a new run as account which includes the Community String

Next we add the device IP and choose what type of service it will use to communicate with the device

After the Device Discovery Wizard is done, go into Discovery Rule and choose Run.
After a while the Device will appear under Network Devices pane.

You can check the Application Log on the Operations Manager server for info, and you can check the SNMP stats option in Netscaler.
So after this is complete we can see the device health properties.

We also have some Performance counters for CPU and Memory we can see.

After you have enabled other performance monitors, they will appear here as well. This allows you to create a baseline for what connections should look like on your box.
It also allows Operations Manager to generate alarms in case of DDoS attacks.