Thursday, March 09, 2017

How to setup Google Authenticator 2FA with a Watchguard SSL VPN Client for FREE!

My goal for the last year has been to figure out how to turn on 2FA (two-factor authentication) for our WatchGuard SSL VPN clients.  I found that Wright SMS2 worked best, so that is what I will document here.  Most of what I talk about here may also apply to other firewalls that hand VPN authentication to a RADIUS server.

The WatchGuard firewall supports 2FA with the Mobile VPN with SSL client, but your RADIUS server has to do the work.  You can find details about the WatchGuard support here.

So what are the options for getting Google Authenticator to work with WatchGuard for free?

OpenVPN - This was complicated to set up and would have to replace the WatchGuard VPN.  I had too many problems getting this to work, and setup was complicated for the users, who would have to remove the WatchGuard VPN and install the OpenVPN client.

FreeRADIUS - This sounded promising, but the Google Authenticator plugin was not well documented and I gave up on getting it to support both Active Directory and Google Authenticator at the same time.  It seems that if you just wanted to keep the VPN logins on the Ubuntu server it worked fine, but once I added Active Directory, I couldn't find good documentation about getting the two to work together.

Wright SMS2 - This is the solution I ended up going with.  It is free and easy to set up, and with this guide you can have it working in a day.  The program is really written to add 2FA to Citrix NetScaler, but I was able to use it after a few adjustments.

Start by downloading the SMS2 software and installing it on a server that already has the Windows NPS (Network Policy Server) role.  I was able to install it on Server 2016 with no issues.  I made a dedicated virtual server for this rather than putting it on a domain controller.  The software requires a SQL Server instance; rather than use SQL Express, I put the database on an existing SQL Server.
The documentation on the SMS2 site is out of date and references an older version, which made it a little tricky to install.  I will explain the settings I used in the interface and give you a sample config file along with a PowerShell script that was shared on the SMS2 forum.  That script creates the QR codes and emails them to your users.

This article is still a work in progress.  I will finish it up over the next 2 weeks.
Dumping a few easy screenshots below for now.
-Ed 3.9.2017

Here are the settings I used with SMS2

To start with, look at the configuration.xml file that I uploaded to Pastebin here:
I would start with your own file and then compare it against the changes I made in mine.  I have removed personal data and replaced it with ## comments ## so you know where to enter your own information.

Now that you have SMS2 installed, you can open the console and try your hand at setting up a user.  Just select a user and then click on Authentication Options.

On the Engine Options you want AD.  This tells SMS2 that the password box holds the user's Active Directory password, not a pre-set PIN.

On the Auth Options I have renamed OATHCalc to Google Authenticator.  Changing the <FriendlyName> of these items can be done in the Configuration file stored here on your server:  
"C:\Program Files\WrightCCS2\Settings\Configuration.xml"

Next, set the Token generation type to TOTP and pick Google Authenticator from the drop-down list.  (This always defaults to Feitian Serial for some reason, so don't worry if you see that the next time you open the window.)
Press Generate Shared Secret and then Save Configuration.  Copy the QR code to the clipboard and email it to the user.  Keep in mind that the QR code encodes the TOTP shared secret itself: anyone who can read that email can generate the user's codes, so send it to a mailbox only the user can reach and have them scan it promptly.  At the end of this I will cover a PowerShell script that does this better, so you don't need to use this interface at all after you set up the first person (I did one person in the interface just to make sure some defaults were set, like AD for Pincode).

The PowerShell script written by David Ott that you want for mass deployment of QR codes to users is described here:
My updated version is on Pastebin here:

I made a few changes to the PowerShell script:
  • Added more details and graphics to the email
  • Added a better description inside the QR code so that your company and the user's email address show up in Google Authenticator (line 237)
  • When the PowerShell writes back to the database on line 232 I added Feitian Serial and the 30-second timeout to that line.  (Feitian Serial seems to be required rather than Google Authenticator for some reason.  Looking inside the database helped me find that.)
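What the QR code actually carries, as an added PowerShell example (this is not SMS2's code and not David Ott's script): it builds the otpauth:// URI that Google Authenticator scans, with the issuer and account label the last bullet above is about, and computes the TOTP code (RFC 6238, HMAC-SHA1, 6 digits, 30-second step) for a stored secret so you can confirm what the database holds against what the app shows.  The company name and user address at the bottom are placeholders (assumptions), and the secret is generated locally.

```powershell
# Added example, not SMS2's code or David Ott's script: base32, the otpauth URI
# behind the QR code, and the TOTP computation the RADIUS side has to perform.
# Company name and user address are placeholders (assumptions).

$Base32Alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'

function ConvertTo-Base32 {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $bits = -join ($Bytes | ForEach-Object { [Convert]::ToString($_, 2).PadLeft(8, '0') })
    $out = New-Object System.Text.StringBuilder
    for ($i = 0; $i -lt $bits.Length; $i += 5) {
        # the last group may be shorter than 5 bits; pad it with zero bits (RFC 4648)
        $chunk = $bits.Substring($i, [Math]::Min(5, $bits.Length - $i)).PadRight(5, '0')
        $idx = [Convert]::ToInt32($chunk, 2)
        [void]$out.Append($Base32Alphabet[$idx])
    }
    return $out.ToString()
}

function ConvertFrom-Base32 {
    param([Parameter(Mandatory)][string]$Text)
    $clean = $Text.ToUpperInvariant().TrimEnd('=')
    $bits = -join ($clean.ToCharArray() | ForEach-Object {
        $v = $Base32Alphabet.IndexOf($_)
        if ($v -lt 0) { throw "Invalid base32 character '$_'" }
        [Convert]::ToString($v, 2).PadLeft(5, '0')
    })
    $bytes = New-Object System.Collections.Generic.List[byte]
    for ($i = 0; $i + 8 -le $bits.Length; $i += 8) {
        $bytes.Add([Convert]::ToByte($bits.Substring($i, 8), 2))
    }
    return ,$bytes.ToArray()
}

function Get-TotpCode {
    param(
        [Parameter(Mandatory)][string]$Base32Secret,
        [long]$UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds(),
        [int]$Period = 30,
        [int]$Digits = 6
    )
    # RFC 6238: counter = floor(time / period) as an 8-byte big-endian value,
    # HMAC-SHA1 over it, then RFC 4226 dynamic truncation
    $counter = [long][Math]::Floor($UnixTime / $Period)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }
    $hmac = New-Object System.Security.Cryptography.HMACSHA1
    $hmac.Key = ConvertFrom-Base32 $Base32Secret
    $hash = $hmac.ComputeHash($msg)
    $offset = $hash[19] -band 0x0F
    $code = (([int]$hash[$offset] -band 0x7F) -shl 24) -bor
            ([int]$hash[$offset + 1] -shl 16) -bor
            ([int]$hash[$offset + 2] -shl 8) -bor
            [int]$hash[$offset + 3]
    return ($code % [int][Math]::Pow(10, $Digits)).ToString().PadLeft($Digits, '0')
}

function New-OtpAuthUri {
    param(
        [Parameter(Mandatory)][string]$Issuer,    # shown as the entry's prefix in the app
        [Parameter(Mandatory)][string]$Account,   # e.g. the user's e-mail address
        [Parameter(Mandatory)][string]$Base32Secret,
        [int]$Period = 30
    )
    # Label is "Issuer:account"; the issuer parameter repeats it so the app groups entries
    $label = "$([Uri]::EscapeDataString($Issuer)):$([Uri]::EscapeDataString($Account))"
    return "otpauth://totp/${label}?secret=$Base32Secret&issuer=$([Uri]::EscapeDataString($Issuer))&algorithm=SHA1&digits=6&period=$Period"
}

# 1. Self-check against the RFC 6238 test vector (ASCII secret '12345678901234567890', T=59)
$rfcSecret = ConvertTo-Base32 ([Text.Encoding]::ASCII.GetBytes('12345678901234567890'))
if ((Get-TotpCode -Base32Secret $rfcSecret -UnixTime 59) -ne '287082') {
    throw 'TOTP implementation does not match RFC 6238'
}

# 2. Enrol a user: 20 random bytes (160 bits) matches the HMAC-SHA1 key size
$secretBytes = New-Object byte[] 20
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($secretBytes)
$secret = ConvertTo-Base32 $secretBytes
$uri = New-OtpAuthUri -Issuer 'Example Corp' -Account 'jdoe@example.com' -Base32Secret $secret
$uri                                  # this string is what the QR code encodes
Get-TotpCode -Base32Secret $secret    # must match the app once the user has scanned the code
```

The otpauth URI is the secret: whoever holds the QR image or the e-mail body holds the user's second factor until the secret is rotated, and the same secret sits in the SMS2 SQL database, so the database and its backups need the same protection as a password store.  The RFC self-check at the top is worth keeping in any script that writes secrets to the database, because a base32 or endianness slip produces codes that never match the app.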

Wednesday, November 23, 2016

Setup a 2016 Nano Server for Hyper-V on a Dell Internal Dual SD Module (IDSDM)

Here are my notes that I used to get Nano server running on a Dell R730 with SD Cards.
The part number for the Internal Dual SD Module (IDSDM) is PMR79 or 330-BBCN
It has dual 16GB SD Cards Dell DP/N: 037D9D

Preparing your management PC/server (or install the latest RSAT tools for build 1607 or newer on Windows 10):
Install-WindowsFeature -Name RSAT-Hyper-V-Tools, Hyper-V-Tools, Hyper-V-PowerShell, RSAT-Clustering, RSAT-Clustering-MGMT, RSAT-AD-PowerShell -Verbose

You will need the ADK and Nano Server Image Builder.  
There is an intro to the Image builder and links to that and the ADK here:

Create your Nano Server USB stick so you can install Nano on bare metal.
You can make an ISO for use with a virtual console like iDRAC too.
The first part of the instructions from Dell, which were written for TP4, didn't work for me.
Instead I used a combination of the Microsoft Nano Server Image Builder app and the instructions for setting up boot from SD in the Dell white paper.

The Dell Blog and PDF on booting Nano from Internal Dual SD Module (IDSDM) is here:
It's called "Installing Nano Server on Dell PowerEdge Server Internal Dual SD Module"
I skipped the first part and just used the Image Builder instead and then started on page 6 with "Change System Boot Order into IDSDM".

Set VMM as a trusted host (put the VMM host name inside the quotes; TrustedHosts disables WinRM server authentication for non-Kerberos connections to the listed names, so list specific hosts rather than "*")
Set-Item WSMan:\localhost\Client\TrustedHosts ""

Set your management PC/server as a trusted host (host name inside the quotes again; Set-Item replaces the whole list unless you add -Concatenate)
Set-Item WSMan:\localhost\Client\TrustedHosts ""

Allow ping
Import-Module NetSecurity
New-NetFirewallRule -DisplayName "Allow Ping" -Direction Inbound -Action Allow -Protocol icmpv4 -Enabled True

At this point you can use iDrac to setup your RAID for storing the VM files.

Create a new partition for Hyper-V storage on your Nano server
Get-Disk | Where partitionstyle -eq 'raw' | Initialize-Disk -PartitionStyle GPT -PassThru | New-Partition -AssignDriveLetter -UseMaximumSize

I had two RAID 10 virtual disks to set up, so I had to break it out by drive letter.
Find out which drive letter landed on which disk before you run the next commands, because Format-Volume does not ask twice!
Get-Partition | where DriveLetter -eq "G" | Format-Volume -FileSystem NTFS -NewFileSystemLabel "data" -Confirm:$false
Get-Partition | where DriveLetter -eq "F" | Format-Volume -FileSystem NTFS -NewFileSystemLabel "backup" -Confirm:$false

**ReFS is currently not supported on Nano, so we are using NTFS**
Traditional NIC teaming is not supported with Nano.  Server 2016 introduced SET instead.

Get a list of network adapters (you need the real adapter names for the next command)
Get-NetAdapter

Create a Teamed vmSwitch with SET for Nano
New-VMSwitch -Name vNICset -NetAdapterName NIC1, NIC2 -EnableEmbeddedTeaming $true 

You should see the Virtual Teamed NIC in Hyper-V now.
Turn on VMQ for the NICs in the driver settings - ONLY on 10 GbE NICs
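The host-preparation steps above, as an added PowerShell example that is not part of the original post: the same TrustedHosts, firewall, disk and SET-switch commands, wrapped in functions that can be re-run and that refuse the two mistakes that hurt most here (a wildcard TrustedHosts entry, and initializing a disk that already has a partition table).  Host names, disk numbers, drive letters and NIC names are placeholders (assumptions); the ping rule is narrowed to ICMP echo requests, which is tighter than the page's all-ICMPv4 rule.

```powershell
# Added example, not from the original post: re-runnable versions of the
# Nano host preparation steps with safety checks. Host names, disk numbers,
# drive letters and NIC names are placeholders (assumptions).

function Add-TrustedHost {
    param([Parameter(Mandatory)][string]$HostName)
    # TrustedHosts tells WinRM not to authenticate the remote end for non-Kerberos
    # (NTLM) connections to these names, so list specific hosts and never "*".
    if ($HostName -match '\*') { throw "Refusing wildcard TrustedHosts entry '$HostName'" }
    $current = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
    if (($current -split ',') -contains $HostName) { return $current }
    # -Concatenate appends to the existing list instead of replacing it
    Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value $HostName -Concatenate -Force
    return (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
}

function Enable-PingRule {
    Import-Module NetSecurity
    # Echo request (ICMP type 8) only, rather than every ICMPv4 message type
    $rule = Get-NetFirewallRule -DisplayName 'Allow Ping' -ErrorAction SilentlyContinue
    if (-not $rule) {
        $rule = New-NetFirewallRule -DisplayName 'Allow Ping' -Direction Inbound -Action Allow `
            -Protocol ICMPv4 -IcmpType 8 -Enabled True
    }
    return $rule
}

function Initialize-DataVolume {
    param(
        [Parameter(Mandatory)][int]$DiskNumber,
        [Parameter(Mandatory)][char]$DriveLetter,
        [Parameter(Mandatory)][string]$Label
    )
    $disk = Get-Disk -Number $DiskNumber
    # Only ever touch a RAW disk; Initialize-Disk on the wrong number is unrecoverable
    if ($disk.PartitionStyle -ne 'RAW') {
        throw "Disk $DiskNumber is already $($disk.PartitionStyle) ($($disk.FriendlyName)); not formatting it"
    }
    # ReFS is not available on Nano, so NTFS
    $disk | Initialize-Disk -PartitionStyle GPT -PassThru |
        New-Partition -DriveLetter $DriveLetter -UseMaximumSize |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false
}

function New-SetSwitch {
    param([string]$Name = 'vNICset', [string[]]$AdapterNames = @('NIC1', 'NIC2'))
    $existing = Get-VMSwitch -Name $Name -ErrorAction SilentlyContinue
    if ($existing) { return $existing }
    foreach ($nic in $AdapterNames) {
        $a = Get-NetAdapter -Name $nic -ErrorAction SilentlyContinue
        if (-not $a) { throw "Adapter '$nic' not found; run Get-NetAdapter to see the real names" }
        if ($a.Status -ne 'Up') { Write-Warning "Adapter '$nic' is $($a.Status)" }
    }
    # Switch Embedded Teaming replaces LBFO teaming, which Nano does not support
    New-VMSwitch -Name $Name -NetAdapterName $AdapterNames -EnableEmbeddedTeaming $true
}

# Example run (placeholder values); execute in a PowerShell session on the Nano host
Add-TrustedHost -HostName 'vmm01.corp.example'
Add-TrustedHost -HostName 'mgmt01.corp.example'
Enable-PingRule
Get-Disk | Select-Object Number, FriendlyName, PartitionStyle, Size   # confirm the numbers first
Initialize-DataVolume -DiskNumber 1 -DriveLetter 'G' -Label 'data'
Initialize-DataVolume -DiskNumber 2 -DriveLetter 'F' -Label 'backup'
New-SetSwitch -Name 'vNICset' -AdapterNames 'NIC1', 'NIC2'
```

Initialize-DataVolume takes a disk number rather than relying on whichever letter Windows assigned, which is the point the page makes about checking before you format; the RAW check means running the script a second time is harmless.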

Thursday, October 06, 2016

Fix Boeing Portal setting for Internet Explorer IE11

The Boeing Supplier Portal stopped working for us after Boeing made a change on 10/5/2016.
The Boeing Portal support team was able to help a little, but they have no documentation on how your IE11 should be setup to access their Exostar and Boeing Portal sites.
Some of the errors we were seeing were a blank page after clicking the Boeing Portal link on the Exostar MAG page, and some people would get into the portal but then get a login screen any time they clicked on a link, such as the REDARS/EID drawing search window.

There also seems to be a new requirement to set up security questions.  For people with problems, this page may come up over and over.

For the record, we are running x64 Windows 10 Enterprise with Prizm Plugin 10.3

Here are the things we had to do in order to get full Portal access to work again.

Close all your IE browser windows
Open one new IE browser window
Open Tools > Internet Options and, on the General tab, click Delete under Browsing history

Check ALL boxes except Passwords and the top checkbox "Preserve Favorites website data", then click Delete

Click on the Advanced tab and press both the Reset and Restore advanced settings buttons

Click on the Security tab
Click on Trusted Sites
Click on the Sites button
Add https://*
Note that this wildcard puts every HTTPS site into the Trusted zone, which drops Protected Mode and the other Internet-zone restrictions for all of them.  If the portal support team can give you the Boeing and Exostar host names, add those instead of the wildcard.
I have my security level set to Low, but it will work fine set to Medium


This will not work until you REBOOT!
Some users reported that after this they needed to attempt the login 3 times before it worked.
If your login fails, close all the windows and try again two more times.

If all else fails, Firefox works fine.  We use v42 and v44 on Windows 10 x64 with Prizm 10.3.

Update - 10/19/2016
If Firefox still doesn't work, we found that for a few people uninstalling Firefox and then reinstalling it fixes any issues.  (Don't forget to reinstall Prizm after you do that!)

If you really get desperate, you can also try backing up and then re-creating the user's windows profile.
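A narrower alternative to the https://* entry, as an added PowerShell example that is not part of the original post: it writes the same per-user ZoneMap registry keys the Internet Options dialog writes, but for named hosts only, and lists what is currently in the Trusted zone so you can audit it.  The host names at the bottom are placeholders (assumptions), not the real Boeing or Exostar hosts.

```powershell
# Added example, not from the original post: put specific hosts in the IE
# Trusted Sites zone (zone 2) instead of every HTTPS site, and list the zone.
# Host names at the bottom are placeholders (assumptions).

$ZoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Add-TrustedSite {
    param(
        [Parameter(Mandatory)][string]$HostName,   # 'portal.example.com' or '*.example.com'
        [ValidateSet('http', 'https')][string]$Scheme = 'https'
    )
    $ZoneTrusted = 2   # 0 Local Machine, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted
    $labels = $HostName.Split('.')
    if ($HostName -eq '*' -or $labels.Length -lt 2 -or ($labels[0] -eq '*' -and $labels.Length -lt 3)) {
        throw "Refusing '$HostName': that entry trusts far more than one site"
    }
    $domain = $labels[1..($labels.Length - 1)] -join '.'
    if ($labels[0] -eq '*') {
        # *.example.com -> value stored on the Domains\example.com key itself
        $key = Join-Path $ZoneMapDomains $domain
    } else {
        # host.example.com -> Domains\example.com\host
        $key = Join-Path (Join-Path $ZoneMapDomains $domain) $labels[0]
    }
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name $Scheme -PropertyType DWord -Value $ZoneTrusted -Force | Out-Null
    return $key
}

function Get-TrustedSites {
    # Audit view: every host or domain currently mapped to zone 2 for this user
    Get-ChildItem -Path $ZoneMapDomains -Recurse | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $rel = $_.PSPath -replace '.*\\ZoneMap\\Domains\\', ''
        foreach ($scheme in 'http', 'https') {
            if ($props.$scheme -eq 2) { "$scheme : $rel" }
        }
    }
}

# Placeholder hosts; replace them with the names the portal support team gives you
Add-TrustedSite -HostName 'portal.example.com'
Add-TrustedSite -HostName '*.exostar-example.com'
Get-TrustedSites
```

These are per-user entries; if the "Site to Zone Assignment List" group policy is applied, IE uses the policy list and ignores them (the dialog is greyed out in that case), so on a managed fleet the same host names belong in that policy instead.  Protected Mode is off for the Trusted zone by default, which is why the list should stay short.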

Thursday, September 29, 2016

Silent upgrade batch file for CATIA V5-6R2016

Here is my silent upgrade batch file for CATIA V5-6R2016
This blog is going to wrap some lines and sometimes screw up the quotes, so double check all that.

@echo off
echo Install CATIA 2016 silently - (64-bit Windows)
echo Based on the supported "Distributing the Software in Compressed Form" method.
REM Install CATIA and all Service Packs on a clean PC and then zip them up.
REM - Ed Hammond 9.28.2016 Skills Inc.
REM - Copy this file to the local PC and run as Administrator
REM Set the variable for the UNC location on the server where the CATIA installers are stored
REM (the path below is a placeholder - replace it with your own share)
set "CATIAINSTALLERS=\\SERVER\SHARE\CATIA"
REM ---------------------------
REM -- Install CATIA Base (done once on the reference PC; left commented out here)
REM start "" /wait "%CATIAINSTALLERS%\CATIA R2016\V5-6R2016.CATIA_P3.win_b64.1-1\CATIA_P3.win_b64\1\WIN64\startb.exe" -newdir -noreboot -all
REM ---------------------------
REM -- Install VBA
REM msiexec /q /i "%CATIAINSTALLERS%\CATIA R2016\V5-6R2016.CATIA_P3.win_b64.1-1\CATIA_P3.win_b64\1\VBA\Vba71_x64.msi"
REM ---------------------------
REM -- Install Service Pack
REM start "" /wait "%CATIAINSTALLERS%\CATIA R2016\V5-6R2016.SP3.SPK.win_b64.1-1\SPK.win_b64\1\WIN64\startspkb.exe" -bC -killprocess
REM ****************** Now zip them up and put the zip file on your server: %CATIAINSTALLERS%\ ********************
echo ---------------------------
REM Zip up everything under %ProgramFiles%\Dassault Systemes\, name the ZIP file and store the zip on the server.
echo Backing up CATSettings folder
echo ---------------------------
REM Backup CATSettings folder prior to upgrade. WARNING: Reusing these settings is against best practices. They should be re-created for each version.
start "" /wait robocopy "%APPDATA%\DassaultSystemes\CATSettings" "%APPDATA%\DassaultSystemes\CATSettings2015" /R:1
echo Exporting CATSettings to XML file
echo ---------------------------
REM Run the export tool directly (not through robocopy) with the settings folder and output file as its arguments
start "" /wait "%ProgramFiles%\Dassault Systemes\B25\win_b64\code\bin\CATBatGenXMLSet.exe" "%APPDATA%\DassaultSystemes\CATSettings" CATSettings-Export.xml
REM Optional: Use this environment file line to change where the settings are stored: CATUserSettingPath=CSIDL_APPDATA\DassaultSystemes\CATSettings2015
echo Uninstall the old version
echo ---------------------------
REM Nothing to uninstall if the previous release (B25) is not on this PC
if not exist "%ProgramFiles%\Dassault Systemes\B25\win_b64" goto CLEAN
if exist "%temp%\Uninstall.bat" del "%temp%\Uninstall.bat"
start "" /wait robocopy "%ProgramFiles%\Dassault Systemes\B25\win_b64" "%temp%" Uninstall.bat /R:1
REM Append EXIT so the vendor's uninstall script closes its window when it finishes
echo EXIT >> "%temp%\Uninstall.bat"
start "" /wait "%temp%\Uninstall.bat"
:CLEAN
echo Create the ENV Folders
echo ---------------------------
if not exist "%ProgramData%\DassaultSystemes\CATEnv" mkdir "%ProgramData%\DassaultSystemes\CATEnv"
if not exist "%APPDATA%\DassaultSystemes\CATEnv" mkdir "%APPDATA%\DassaultSystemes\CATEnv"
REM Extract Zip file to local PC
echo Use PowerShell to unzip the files to "%ProgramFiles%\Dassault Systemes\B26"
echo This can take 5 minutes, don't close this window!
echo ---------------------------
REM Put the name of your zip file after the trailing backslash
powershell.exe -nologo -noprofile -command "& { Add-Type -A 'System.IO.Compression.FileSystem'; [IO.Compression.ZipFile]::ExtractToDirectory('%CATIAINSTALLERS%\', '%ProgramFiles%'); }"
echo Now run all the CATIA tools that create the shortcuts and Prerequisites.
start "" /wait msiexec /i "%CATIAINSTALLERS%\V5-6R2016.CATIA_P3.win_b64.1-1\CATIA_P3.win_b64\1\WIN64\InstallDSSoftwarePrerequisites_x86_x64.msi" /q
start "" /wait msiexec /i "%CATIAINSTALLERS%\V5-6R2016.CATIA_P3.win_b64.1-1\CATIA_P3.win_b64\1\WIN64\InstallDSSoftwareVC11Prerequisites_x86_x64.msi" /q
cd /d "%ProgramFiles%\Dassault Systemes\B26\win_b64\code\bin"
echo Running setcatenv
echo ---------------------------
REM For setcatenv help try setcatenv -h
REM For V5Regserver help try V5Regserver -h
REM Environment (-e) = CATIA_P3.V5-6R2016.B26
REM ProductLine (-cs) = CATIA_P3
setcatenv -p "%ProgramFiles%\Dassault Systemes\B26" -e CATIA_P3.V5-6R2016.B26 -d "%ProgramData%\DassaultSystemes\CATEnv" -a global -icon yes -menu yes -cs CATIA_P3
echo Running V5Regserver
echo ---------------------------
V5Regserver -set CATIA -env CATIA_P3.V5-6R2016.B26 -direnv "%ProgramData%\DassaultSystemes\CATEnv"
echo Running setcatenv for Tools
echo ---------------------------
setcatenv -tools -e CATIA_P3.V5-6R2016.B26 -cs CATIA_P3
echo Running VBA installer
echo ---------------------------
start "" /wait "%CATIAINSTALLERS%\V5-6R2016.CATIA_P3.win_b64.1-1\CATIA_P3.win_b64\1\VBA\DSVBA71Installer.exe" /install /norestart /q /log "%temp%\DSVBA71.log"
REM Create a license file (DSLicSrv.txt) that can be copied to the license folder and store it on the server
if not exist "%ProgramData%\DassaultSystemes\Licenses" mkdir "%ProgramData%\DassaultSystemes\Licenses"
copy "%CATIAINSTALLERS%\DSLicSrv.txt" "%ProgramData%\DassaultSystemes\Licenses\" /y
echo Done! Don't forget to update your DSLS License Server!
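The batch file above pulls a zip and several MSIs from a file share and runs them as Administrator on every PC, so anyone who can write to that share can run code as admin on all of them.  An added check for that, in PowerShell and not part of the original batch file: a manifest of SHA-256 hashes created when the package is staged, and a client-side verification to run before the unzip step.  The share path, file names and temp-folder demo files are placeholders and constructed samples (assumptions).

```powershell
# Added example, not part of the original batch file: verify the staged
# package before the unzip step runs it as Administrator. Paths and file
# names are placeholders; the demo files at the bottom are constructed.

function New-PackageManifest {
    # Run once, on the server, right after staging the zip and MSIs.
    param(
        [Parameter(Mandatory)][string]$PackageRoot,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $root = (Resolve-Path -LiteralPath $PackageRoot).ProviderPath.TrimEnd('\')
    Get-ChildItem -LiteralPath $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Path   = $_.FullName.Substring($root.Length + 1)   # relative to the package root
            SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
    return $ManifestPath
}

function Test-PackageManifest {
    # Run on the client before extracting. Returns $true or throws with every problem found.
    # Keep the manifest where only admins can write, not on the same share as the package.
    param(
        [Parameter(Mandatory)][string]$PackageRoot,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $problems = @()
    $entries = @(Import-Csv -LiteralPath $ManifestPath)
    if ($entries.Count -eq 0) { throw "Manifest $ManifestPath is empty" }
    foreach ($entry in $entries) {
        $file = Join-Path $PackageRoot $entry.Path
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
            $problems += "$($entry.Path): missing"
            continue
        }
        $actual = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        if ($actual -ne $entry.SHA256) { $problems += "$($entry.Path): hash mismatch" }
    }
    if ($problems.Count -gt 0) {
        throw ("Package verification failed:`n" + ($problems -join "`n"))
    }
    return $true
}

# Offline demonstration with constructed files in a temp folder
$demoRoot = Join-Path $env:TEMP 'catia-package-demo'
New-Item -ItemType Directory -Force -Path $demoRoot | Out-Null
Set-Content -LiteralPath (Join-Path $demoRoot 'CATIA_B26.zip') -Value 'constructed stand-in for the zip'
Set-Content -LiteralPath (Join-Path $demoRoot 'DSLicSrv.txt') -Value 'constructed stand-in for the license pointer'
$manifest = Join-Path $env:TEMP 'catia-package-demo.sha256.csv'   # kept outside the package folder
New-PackageManifest -PackageRoot $demoRoot -ManifestPath $manifest | Out-Null
Test-PackageManifest -PackageRoot $demoRoot -ManifestPath $manifest
# Simulate tampering with the staged zip; the client-side check now refuses to continue
Add-Content -LiteralPath (Join-Path $demoRoot 'CATIA_B26.zip') -Value 'injected'
try { Test-PackageManifest -PackageRoot $demoRoot -ManifestPath $manifest } catch { Write-Warning $_ }
```

To wire it into the batch file, save the two functions plus a call to Test-PackageManifest as a script and run it just before the unzip line with `powershell.exe -NoProfile -ExecutionPolicy Bypass -File Verify-Package.ps1 || exit /b 1`; an uncaught throw under -File exits with code 1, so the batch stops before anything from the share is extracted or executed.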