Wednesday, December 24, 2014

Azure Ipsec router ( Static gateway multi site)

The problem:
Multi site VPN on Azure using IKEv1 (CISCO ASA 8.3)
The situation to solve:

We need a connection between our three on premises sites and the production and staging in a vnet on Azure via VPN. Unfortunately we have an old CISCO ASA hardware running IOS 8.3 and it only supports IKEv1.

Sunday, November 30, 2014

Playing with Kubernetes

Last hacknight at Peertransfer we were playing with Kubernetes and Docker. Kubernetes is a Docker cluster orchestrator. In this article there is a very detailed description and explanation of what Kubernetes can do.
Here, I am going to transcribe my notes about how we deployed and tested Kubernetes basics in less than an hour.
First of all you need a DigitalOcean account and you have to deploy the Docker APP VM.  I like DigitalOcean because it is fast, cheap and clean, but you can use Docker installation wherever you want, for example in Kubernetes doc they use OS X.
In this test you need a GCE (Google Computing engine) account too, because we are going to deploy VMs (minions) on this platform.

Tuesday, November 25, 2014

Cisco ASA AnyConnect VPN group lock

I'm going to paste a recipe from Cisco Forum, this recipe explains how to set a tunnel lock into AnyConnect. It is very important because if you don't apply this policy any user with authorised credentials in the radius will be able to login in any VPN tunnel.

Starting with Docker

Definition from Wikipedia

Docker is an open-source project that automates the deployment of applications inside software containers, by providing an additional layer of abstraction and automation of operating system–level virtualization onLinux.[2] Docker uses resource isolation features of the Linux kernel such as cgroups and kernel namespaces to allow independent "containers" to run within a single Linux instance, avoiding the overhead of starting virtual machines.[3]

What about Docker?

Docker reminds me old isolation container technology, such as Solaris Zones, *BSD Jails or even Linux OpenVZ. In fact, it is the same technology. Docker uses LXC linux kernel module that derivates from OpenVZ.
Docker is newer, better and simpler than the old alternatives. It provides you with an API, a Container repository and an easy CLI management interface. These points make Docker really powerful and modern.

Tuesday, November 11, 2014

Deployment tips for Active Directory Certificates Services NDES role

For those who have to setup and environment compliant with SCEP protocol into Microsoft platform, Active Directory Certificate Service has a role called NDES (Network Device Enrollment Service) that simply is the MS implementation for this standard.

I´m not going write a how to, because there are some over internet and the best one, as usual, is the Techect wiki entry that can be found here. My scenario runs on Windows Server 2012 R2.

This guide is quite good, but the product is still, in my humble opinion, in an early stage because the config is based on registry keys (HKLM\Software\Microsoft\Cryptography\MSCEP) and documentation of those keys is limited.

Sunday, November 9, 2014

Why do I hate Nagios?

You either love or hate Nagios, there are no intermediate opinions when you use this application. I am definitely uncomfortable with Nagios. While I'm not a radical SCOM guy, because I like other free (as in freedom) monitoring systems: Zabbix, Sensu even PandoraFMS, I really hate Nagios.
And if you want there are a lot of very good SaaS alternatives too, such as New Relic, Datadog, Monits, etc.

Nagios reminds me of the good old times, when we only had a few machines in our data centers and three or four services and they were easy to manage and monitor.  Do you remember big brother monitoring software? It was quite popular 15 years ago and it was very simple because our projects were very simple comparing with our projects nowadays.

Friday, November 7, 2014

Hyper-v capacity report (Powershell). Part 1

I am going to write about capacity. Some days ago one of our managers asked me about the ISO 20.000 and the capacity plan. He was looking for a simple dashboard to display our hypervisors capacity every month. So, I thought that using Powershell and SSRS could be a good idea to display and access this information.
So in this post I am going write about the draft version of the system that will generate this capacity dashboard.

ELK ( Elastic Search, Logstash, Kibana) for Windows and Linux logs for easy data mining

Recently I have been testing ELK (Elasticsearch, Logstash, Kibana) for the visualisation and data mining with Syslog, Windows Event Viewer, Apache, SQUID and IIS logs.

Tuesday, August 19, 2014

Anyconnect ASA 8.3 profile

Hello,  today I´m going to give an example of AnyConnect Profile XML file.
It is important know how the profiles works in Anyconnect VPN, for example this tags:


These are interesting, because they allow you to connect via terminal server or remote desktop (rdp), by default, users musnt´t connect using this type of share computing for security reasons.

Wednesday, July 30, 2014

Puppet in Windows Azure

Few month ago Microsoft announced the availability of Azure VM images with Puppet agent installed.
Puppet is a piece of software useful to manage hundreds o thousands of machines from a single point of management.
Today, I have tested this feature and here are the notes, I hope they will be useful to you.

Testing Vagrant Azure provider

Last weekend I tried Vagrant-Azure, it is still a little bit unstable.
First of all, I did some tests with Vagrant and Virtualbox on Windows, following this URL, in this first test everything went fine, no problems.

Later, I wanted to use a Azure as provider and I had to install Vagrant-Azure Plugin

Wednesday, July 23, 2014

VPN from CISCO ASA 5530 8.3(2) to Azure resets every 1 minute

We are working in a hybrid cloud solution, the first step is setting up the communications between our on premise servers and Azure.

We have at least one dozen of different network ranges in on premise network behind the ASA. 
We started the communication between on premise and Azure with one full /24 network and it worked fine, no problems at this point. So we added an extra HOST of different network and the problems began, we saw these messages in the ASA device log:

Wednesday, July 16, 2014

Lessons learned with a migration to Office 365

Today we are going to write about Office 365 and the recent migration of one of our clients.


  • The client want to migrate their mailboxes from on premise Exchange servers to Office 365
  • The client requieres password synchronisation (just an active directory sync, not federation or SSO)
  • The client has Exchange 2003 and Office 2007
  • The Exchange 2003 in our client's implementation is not standard
  • The client wants a gradual migration to have time window to deploy Office 2013 on their computers in multiple stages.

Limit bandwidth between on premise and Azure with Cisco ASA

Here is a new recipe. We are working into a new hybrid cloud with Microsoft Azure and our offices. One of the requirements was the limitation of the bandwidth, between on premise servers and services in Azure servers, because we only have a  link of 20Mbps and this link has to provide access to clients and to our infrastructures in Azure. So we decided to limit the bandwidth to 8Mbps, between both sites. Here is the configuration example.

Wednesday, July 2, 2014

SCOM 2012 SP1 UR5 Failed

Today we have to update our management server from SCOM 2012 SP1 UR4 to SCOM 2012 SP1 UR5.

We have installed the KB 2904680 in the management server and after rebooting it, the Microsoft System Center Data Access Service started and died ten seconds later, generating the following errors in the event viewer under de Operations Manager log:

Friday, June 20, 2014

Powershell DSC (Desired State Configuration) Summary

Before writing about DSC, I want to recommend a video. Few days ago I saw this video about Visio Powershell, it is really cool how this guy uses Powershell to manage their Visio diagrams, it is a must watch.

Last month was the month of the DSC (Desired State Configuration), there are a lot of posts and discussions about this topic, especially after the Technet America 2014 and I am going to make a little selection of these posts and videos.

Friday, May 16, 2014

Monitoring memory and CPU based on process command line match

The title of this posts looks fairly uncommon, but sometimes it is necessary to monitor some system parameters based on the command's line, for example, it is useful to monitor IIS application pools.

Our client needed this type of monitoring to do reports based on this data, so we did these SCOM RULES based on scripts.

One little notice before we start with the scripts: some people ask us what "Call oAPI.LogScriptEvent" does. The answer is that this call writes an event with number 2000 in the agent machine and it is useful for debugging.

If you don´t know or you don´t remember how to associate a script to SCOM RULE here is an old post talking about this topic.

Here are the scripts, I hope they will be as useful to you as they were to us.

Friday, April 4, 2014

Windows 2012 R2 disk deduplication

Today we are going to talk about the file deduplication, a service which can achieve space savings of 60% into VDI infrastructures. 
There are some software requisites to setup before deduplication. To start the setup you have to add the following roles in to the server:

Tuesday, March 18, 2014

SCOM 2012 SP1 client-side event 34215

This is a short tip to solve the error event 34215, this event appears when client-side is trying to write an extra configuration into a IIS shared configuration and you don´t have enough permissions.

First thing, is understand how client-side monitoring is deployed. By default, client-side monitoring, tries to create the CSMCollector virtual directory and the OperationsManagerCsmCollector v.4.0 application pool when you execute the client-side wizard in the SCOM console.
The solution is easy, just give the computer permissions (web server) over the shared directory of IIS config.

After that you will get an event 34243 that means "The new client-side monitoring configuration has been successfully applied. No conflicts were detected."

Tuesday, March 11, 2014

SCOM 2012 check root login into CentOS system

Continuing the previous post, here is a recipe to rise an alert when root or privileged account has login into CentOS box via SSHD.
Obviously, for this recipe you need the Unix/Linux Management Packs applied and properly configured, here is an old post concerning this topic. 

There are at least two ways, via ACS or via Unix/Linux Log file monitoring to rise this type of alerts. 
The quickest and easiest way is with Log file monitoring, but it is less accurate than ACS, for example ACS has a set of reports to get detailed login statistics, but in some scenarios, it could be noisy and complex to manage.

Sunday, March 9, 2014

SCOM 2012 - Create alert / monitor based on Windows event ( Administrator login alert )

Today, our customer asks us how we can know when the Administrator has logon via terminal server on Windows Server on their Domain.
The answer is with SCOM, using the event alert feature.
When you do a login in Windows 2008 or higher and the audit is running an event with id 4624  is created in the security log of the machine.
So first step to create the alert / monitor is to enable the audit.
You have to add new group policy with the audit enabled in the OU of the computers that you want to monitor, in this image you can see highlighted what you need.

Wednesday, February 5, 2014

Vmware Notes (I)

Recently, I have been reading a little bit about Vmware, usually, I am Hyper-V guy, but probably in a short time I am going to work with Vmware.
I have been doing a little bit of research about Vmware and here are some notes that I have taken/pasted about this topic.
This article, doesn't cover all topics regarding Vmware, probably I will write a second article where I will extend it.
I hope these notes will be useful to you.