Changing WSUS application pool settings via Powershell

If you need to change the recycle settings of the WSUS application pool on a server running Server Core, it can be done via PowerShell:

Import-Module WebAdministration
# Recycle the worker process once its private memory exceeds 4 GB (the value is in KB)
Set-ItemProperty -Path IIS:\AppPools\WsusPool -Name recycling.periodicrestart.privateMemory -Value 4194304
# Give the worker process five minutes to shut down gracefully
Set-ItemProperty -Path IIS:\AppPools\WsusPool -Name ProcessModel.shutdownTimeLimit -Value 00:05:00
# Never shut the pool down for being idle (00:00:00 disables the idle timeout)
Set-ItemProperty -Path IIS:\AppPools\WsusPool -Name ProcessModel.idleTimeout -Value 00:00:00

Run multiple SSL enabled services behind single IP on Edgerouter

Until recently I had a routed /29 on my home connection, but got "downgraded" to 2 public IPs.
Since I run multiple SSL enabled services (RDS gateway, SSTP VPN and a couple of websites, including this one), I had to figure out a way.
I stumbled across the reverse proxy HAProxy, which seemed perfect for the job. I COULD run it on a VM, but I'd rather run it on the Edgerouter itself.
Since the Edgerouter is based on Debian 7 (Wheezy), it's possible to install Debian packages on it.
There isn't a "native" Wheezy package, but the Debian "backports" system makes it possible.
Basic Linux skills, such as editing and copying files, are required for this.

Let's get started!
First we need to add the Wheezy and Wheezy Backports repositories to the system. This is the supported way; don't just edit /etc/apt/sources.list.

SSH into the Edgerouter
configure

set system package repository wheezy components "main contrib non-free"
set system package repository wheezy distribution wheezy
set system package repository wheezy url http://http.us.debian.org/debian
set system package repository wheezy-backports components main
set system package repository wheezy-backports distribution wheezy-backports
set system package repository wheezy-backports url http://http.us.debian.org/debian

commit
save

Now we need to install HAProxy.
Switch to root:

sudo su -
apt-get update
apt-get -t wheezy-backports install haproxy

HAProxy reads its configuration from /etc/haproxy/haproxy.cfg; make a backup of that file first.

We're going to use most of the configuration found here on reddit, with two exceptions.
In this line:
frontend ssl_relay 0.0.0.0:443
change 0.0.0.0 to the public IP address you plan to use for the incoming requests.

Also, in the "backend ssl_rd" section, we need to add a timeout value, since it defaults to a very short timeout, causing the RD sessions to drop every few minutes.
I tend to be logged in for pretty long, so I set it to 12 hours, so the start of the "backend ssl_rd" section looks like this:

backend ssl_rd
timeout server 12h

Of course you'll need to edit the SNI names and backend IP addresses etc.; look around HAProxy how-tos if that's unclear. I managed to get the reddit one to work in less than half an hour of playing around.

Create the new haproxy.cfg with vi.
For some reason my Edgerouter has a "funny" autoindent setting in vi, so I had to turn that off to be able to paste in the configuration:

:set noai

Paste the edited configuration, save the file.

service haproxy restart

That should be pretty much it. Make sure the firewall rule you use to "protect router" from the Internet allows traffic to port 443, or whatever ports you plan to use with HAProxy.
The file /var/log/haproxy.log contains entries from HAProxy; put this line in haproxy.cfg to get more info:
log /dev/log    local6
Also, make a backup of haproxy.cfg; I'm pretty sure it will get overwritten by Ubiquiti firmware updates.

Just to clarify: after updating to firmware 1.9.1, haproxy is no longer installed, so you will have to run these steps again:
apt-get update
apt-get -t wheezy-backports install haproxy

After that, restore the haproxy.cfg and do

service haproxy restart
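The SNI relay configuration the post leaves to the reddit thread, as an added example that is not the post's own file nor the linked config. It emits a haproxy.cfg that relays TLS connections by SNI name without terminating TLS, carrying the 12h server timeout and the local6 log line from the post, and validates it with haproxy -c when the binary is present. The public IP, hostnames and backend addresses are constructed placeholders (RFC 5737 documentation ranges), overridable through the environment.

```shell
#!/bin/sh
# Added example, not the post's own configuration. Generates a haproxy.cfg that
# routes incoming TLS connections by SNI (the TLS stream is passed through, not
# terminated). The IP, SNI names and backend addresses below are placeholders.
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"
RD_SNI="${RD_SNI:-rds.example.com}"
VPN_SNI="${VPN_SNI:-vpn.example.com}"

gen_haproxy_cfg() {
  cat <<EOF
global
    log /dev/log local6

defaults
    mode tcp
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend ssl_relay
    bind ${PUBLIC_IP}:443
    # wait for the ClientHello so the SNI name can be inspected
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend ssl_rd  if { req.ssl_sni -i ${RD_SNI} }
    use_backend ssl_vpn if { req.ssl_sni -i ${VPN_SNI} }
    default_backend ssl_web

backend ssl_rd
    timeout server 12h
    server rdgw 192.0.2.10:443

backend ssl_vpn
    server sstp 192.0.2.11:443

backend ssl_web
    server web1 192.0.2.12:443
EOF
}

# Write the file and, when the haproxy binary is present, let it validate the
# syntax before the service is restarted. Returns non-zero on a bad config.
install_haproxy_cfg() {
  gen_haproxy_cfg > "${1:-/etc/haproxy/haproxy.cfg}"
  if command -v haproxy >/dev/null 2>&1; then
    haproxy -c -f "${1:-/etc/haproxy/haproxy.cfg}"
  fi
}
```

Run install_haproxy_cfg with no argument on the router to write /etc/haproxy/haproxy.cfg, then restart the service as described above.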


Convert Windows Server 2016 from Eval to Standard or Datacenter

It’s finally possible to convert an evaluation version of Windows Server 2016 to a full Datacenter or Standard Edition.
Apparently it only works for the full GUI version of Windows 2016 🙁
Use the generally available GVLK keys from here: https://technet.microsoft.com/en-us/library/jj612867(v=ws.11).aspx

Datacenter: DISM /online /Set-Edition:ServerDatacenter /ProductKey:CB7KF-BWN84-R7R2Y-793K2-8XDDG /AcceptEula
Standard: DISM /online /Set-Edition:ServerStandard /ProductKey:WC2BQ-8NRM3-FDDYY-2BFGV-KHKQY /AcceptEula

Change Hostnames to UPPER case in SCVMM

Sometimes, when adding new hosts to SCVMM, for unknown reasons, their names end up as a mix of upper and lower case.
There are a couple of descriptions around about how to fix it with SQL scripts. They seem to only change the names in the tbl_ADHC_Host table, not those in tbl_ADHC_AgentServer.
This code changes it for both. If you want it to change them all to lower case, replace "UPPER" with "LOWER" 😉
Make sure you take a backup of VirtualManagerDB first.
Restart SCVMMService afterwards (a refresh in the console should be enough).


-- Preview: current name next to the name it will become.
-- The expression upper-cases the host part and keeps the domain suffix as-is;
-- it assumes fully qualified names (a '.' in the name), as SCVMM stores them.
SELECT [ComputerName], UPPER(LEFT([ComputerName], CHARINDEX('.', [ComputerName], 1) - 1)) +
       RIGHT([ComputerName], LEN([ComputerName]) - CHARINDEX('.', [ComputerName], 1) + 1)
FROM [VirtualManagerDB].[dbo].[tbl_ADHC_Host]

SELECT [ComputerName], UPPER(LEFT([ComputerName], CHARINDEX('.', [ComputerName], 1) - 1)) +
       RIGHT([ComputerName], LEN([ComputerName]) - CHARINDEX('.', [ComputerName], 1) + 1)
FROM [VirtualManagerDB].[dbo].[tbl_ADHC_AgentServer]

-- Apply the change to both tables
UPDATE [VirtualManagerDB].[dbo].[tbl_ADHC_Host]
SET [ComputerName] = UPPER(LEFT([ComputerName], CHARINDEX('.', [ComputerName], 1) - 1)) +
                     RIGHT([ComputerName], LEN([ComputerName]) - CHARINDEX('.', [ComputerName], 1) + 1)

UPDATE [VirtualManagerDB].[dbo].[tbl_ADHC_AgentServer]
SET [ComputerName] = UPPER(LEFT([ComputerName], CHARINDEX('.', [ComputerName], 1) - 1)) +
                     RIGHT([ComputerName], LEN([ComputerName]) - CHARINDEX('.', [ComputerName], 1) + 1)

Result:

(screenshot: vmmuppercase)

Ubiquiti Edgerouter Azure Site-to-Site VPN configuration (Route Based)

Here is a working configuration for the newer route based Azure S2S VPN, tested on an Edgerouter Lite with firmware 1.8.5 against an Azure Resource Manager (ARM) gateway.


set vpn ipsec esp-group esp-azure pfs disable
set vpn ipsec esp-group esp-azure mode tunnel
set vpn ipsec esp-group esp-azure proposal 1
set vpn ipsec esp-group esp-azure proposal 1 encryption aes256
set vpn ipsec esp-group esp-azure proposal 1 hash sha1
set vpn ipsec esp-group esp-azure compression disable
set vpn ipsec ike-group ike-azure
set vpn ipsec ike-group ike-azure lifetime 10800
set vpn ipsec ike-group ike-azure proposal 1
set vpn ipsec ike-group ike-azure proposal 1 dh-group 2
set vpn ipsec ike-group ike-azure proposal 1 encryption aes256
set vpn ipsec ike-group ike-azure proposal 1 hash sha1
set vpn ipsec ike-group ike-azure key-exchange ikev2
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec logging log-modes all
set vpn ipsec nat-traversal enable
set vpn ipsec site-to-site peer <AzurePublicIP>
set vpn ipsec site-to-site peer <AzurePublicIP> local-address any
set vpn ipsec site-to-site peer <AzurePublicIP> authentication mode pre-shared-secret
set vpn ipsec site-to-site peer <AzurePublicIP> authentication pre-shared-secret <YourPSK>
set vpn ipsec site-to-site peer <AzurePublicIP> connection-type initiate
set vpn ipsec site-to-site peer <AzurePublicIP> default-esp-group esp-azure
set vpn ipsec site-to-site peer <AzurePublicIP> ike-group ike-azure
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 esp-group esp-azure
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 local prefix <YourLocalPrefix>
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 remote prefix <YourRemotePrefix>
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 allow-public-networks disable
set vpn ipsec auto-firewall-nat-exclude enable

Ubiquiti Edgerouter Azure Site-to-Site VPN configuration (Policy Based)

I've been using Jesper Jensen's example configuration with some minor changes for firmware 1.8.0.
It's been tested with Azure Resource Manager (ARM); it doesn't seem to work with classic deployments.
This setup is for the "old" policy based S2S.


set vpn ipsec esp-group esp-azure pfs disable
set vpn ipsec esp-group esp-azure mode tunnel
set vpn ipsec esp-group esp-azure proposal 1
set vpn ipsec esp-group esp-azure proposal 1 encryption aes256
set vpn ipsec esp-group esp-azure proposal 1 hash sha1
set vpn ipsec esp-group esp-azure compression disable
set vpn ipsec esp-group esp-azure lifetime 3600
set vpn ipsec ike-group ike-azure
set vpn ipsec ike-group ike-azure lifetime 28800
set vpn ipsec ike-group ike-azure proposal 1
set vpn ipsec ike-group ike-azure proposal 1 dh-group 2
set vpn ipsec ike-group ike-azure proposal 1 encryption aes256
set vpn ipsec ike-group ike-azure proposal 1 hash sha1
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec logging log-modes ike
set vpn ipsec nat-traversal enable
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec site-to-site peer <AzurePublicIP>
set vpn ipsec site-to-site peer <AzurePublicIP> local-address any
set vpn ipsec site-to-site peer <AzurePublicIP> authentication mode pre-shared-secret
set vpn ipsec site-to-site peer <AzurePublicIP> authentication pre-shared-secret <YourPSK>
set vpn ipsec site-to-site peer <AzurePublicIP> connection-type initiate
set vpn ipsec site-to-site peer <AzurePublicIP> default-esp-group esp-azure
set vpn ipsec site-to-site peer <AzurePublicIP> ike-group ike-azure
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 esp-group esp-azure
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 local prefix <YourLocalPrefix>
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 remote prefix <YourRemotePrefix>
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer <AzurePublicIP> tunnel 1 allow-public-networks disable

The set vpn ipsec auto-firewall-nat-exclude enable line seems to help with traffic not being passed through from on-prem to Azure; it is the equivalent of setting the
"Automatically open firewall and exclude from NAT" option in the GUI.

Ensure data drives are brought online in sysprep’ed VHDX deployments

When deploying multi-disk templates in VMM, secondary disks aren't brought online.
Before running Sysprep from the MDT task sequence, insert a "Run Command Line" step with the command: cmd /c echo san policy=OnlineAll | Diskpart

(screenshot: SAN-Policy)

Or from a CMD.exe prompt:
(screenshot: SAN-Policy-cmd)

If using a PowerShell prompt, make sure the "echo" part is enclosed in quotes:

(screenshot: SAN-Policy-PS)