So I need to renew my VMCA shortly as it will expire at the end of the month. It is an intermediate Sub CA of my Windows AD Enterprise CA. I noticed because I was unable to renew a few esxi servers that were also expiring at the end of the month.

So I started up the certificate-manager hoping to find a "renew VMCA" option, but this is what I was presented with:

# /usr/lib/vmware-vmca/bin/certificate-manager
                 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
                |                                                                     |
                |      *** Welcome to the vSphere 6.0 Certificate Manager  ***        |
                |                                                                     |
                |                   -- Select Operation --                            |
                |                                                                     |
                |      1. Replace Machine SSL certificate with Custom Certificate     |
                |                                                                     |
                |      2. Replace VMCA Root certificate with Custom Signing           |
                |         Certificate and replace all Certificates                    |
                |                                                                     |
                |      3. Replace Machine SSL certificate with VMCA Certificate       |
                |                                                                     |
                |      4. Regenerate a new VMCA Root Certificate and                  |
                |         replace all certificates                                    |
                |                                                                     |
                |      5. Replace Solution user certificates with                     |
                |         Custom Certificate                                          |
                |                                                                     |
                |      6. Replace Solution user certificates with VMCA certificates   |
                |                                                                     |
                |      7. Revert last performed operation by re-publishing old        |
                |         certificates                                                |
                |                                                                     |
                |      8. Reset all Certificates                                      |
                |                                                                     |
                |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.

So I started by taking 2 snapshots of the vcsa. One with the vcsa powered on and the other with the vcsa powered off, just for good measure.

Looking at the above options #4 seems the most logical?

Anyone have some advice before I do anything (stupid)?

1 point · 16 days ago

It shouldn’t trigger a failover. Replacing the ESXi certs should be nondisruptive for what it’s worth.

Glad you got it sorted, though.

Original Poster · 1 point · 16 days ago

I think the process caused the hypervisors to miss a heartbeat. Not sure why. So I was doing the renewals consecutively pretty quickly, to members of the same cluster.

1 point · 16 days ago

I used to script it and never had that problem. /shrug

Original Poster · 1 point · 15 days ago

/shrug don't know why then. It happened.


I am trying to create a module that uses an Office 365 PSSession. However, I have issues sharing my PSSession with the module. I think I would have to set up a connection to the Office 365 PSSession through the module itself. Is there another way? Is there a better way?

I guess I could possibly not use a module. Either add these functions to my profile alternatively. But I like the idea of a module and was hoping to get this to work.

Appreciate any help

2 points · 22 days ago · edited 22 days ago

What are you trying to run from your module?

Where is your code example of what is failing for you?

Have you Dot-Sourced your module / imported your module to your local logon session for use in your normal session?

O365 will only run the Exchange cmdlets in E2K16 as that is what gets proxied to you when you do this connection.

If you are trying to do AAD stuff, then you need to also connect to AAD and have that module locally installed.

Start an O365 session; you are using your currently logged-on user identity on the host you are on and then logging into an O365/AAD session using a specific O365/AAD session which is remote and not a login profile on your localhost.

Your personally installed modules and their functions / commands are / should be directly available to you in your local host logged-on session, but anything you throw at O365/AAD must be using the O365/AAD cmdlets specifically. Not something that O365/AAD has no idea what it is.

Original Poster · 2 points · 21 days ago · edited 21 days ago

OK I think you misunderstood me. To be fair maybe I did not word clearly or It's hard to understand. Maybe not. Maybe there is a simple answer I am not seeing.

Imagine I have a module saved as AuditO365.PSM1 that uses the Office 365 command Search-UnifiedAuditLog:

function Search-UserAuditLog
(
[Parameter(Mandatory=$true)][string]$UserIds,
[Parameter(Mandatory=$true)][System.DateTime]$StartDate,
[Parameter(Mandatory=$true)][System.DateTime]$EndDate
)
{
    # Get-Command returns a CommandInfo object, or $null when the cmdlet is not loaded.
    # Piping that through Out-Null would discard the object, so the condition would
    # always be false and the Write-Error branch would run even with a session imported.
    if (Get-Command Search-UnifiedAuditLog -ErrorAction SilentlyContinue){
        # Known-good client IPs, shipped next to the module file
        $IPList=Import-Csv "$($MyInvocation.MyCommand.Module.ModuleBase)\IPLIST.csv"
        # Use the caller's date range instead of a hard-coded 90-day window
        $UnifiedAuditLog=Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -UserIds $UserIds -ResultSize 5000 #-Operations PasswordLogonInitialAuthUsingPassword
        # AuditData is a JSON string on every record; expand it into objects
        $AUDIT=$UnifiedAuditLog | %{$_.AuditData|ConvertFrom-Json}

        $Inspect=@()
        foreach ($rec in $AUDIT){
            # -match treats the CSV value as a regex, so a list entry of 10.1.1.1
            # also matches a client at 10.1.1.10; use -eq if exact matches are wanted
            $found=$IPList|? {$rec.ClientIP -match $_.IPAddress}
            if (!$found){
                # Get-GeoIP is a helper defined elsewhere in the module (not shown here)
                $geoip=Get-GeoIP $rec.ClientIP
                $location="$($geoip.City) $($geoip.region_name) $($geoip.country_code)"

                # Copy the record before decorating it so the original stays untouched
                $out=$rec.psobject.copy()

                $out| Add-Member -MemberType NoteProperty -Name Location -Value $location
                $out| Add-Member -MemberType NoteProperty -Name City -Value $geoip.city
                $out| Add-Member -MemberType NoteProperty -Name Region_Name -Value $geoip.region_name
                $out| Add-Member -MemberType NoteProperty -Name Country_Code -Value $geoip.country_code
                # RecordType lives on the raw result that carries the same Id
                $recordtype=($UnifiedAuditLog| ? {$_.Identity -eq $rec.Id}).RecordType
                $out| Add-Member -MemberType NoteProperty -Name RecordTypeName -Value $recordtype

                $Inspect+=$out
            }
        }
        return $Inspect
    }else{ Write-Error "Please connect to Office 365 PSSession!"}
}

Export-ModuleMember Search-UserAuditLog

Now let's say that I load this module. Then I connect to office365 like so:

$o365cred=Get-Credential
Import-Module AuditO365
$o365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $o365cred -Authentication Basic -AllowRedirection    
Import-PSSession $o365Session -AllowClobber -DisableNameChecking

ModuleType Version    Name                                ExportedCommands                                                                                                                                                      
---------- -------    ----                                ----------------                                                                                                                                                      
Script     1.0        tmp_bleepboop123.wut                {Add-AvailabilityAddressSpace, Add-DistributionGroupMember, Add-MailboxFolderPermission, Add-MailboxLocation...}   

I now have the ability to run Search-UnifiedAuditLog, Get-Mailbox or anything that is provided to me by the temporary module that gets installed when I create a PSSession to Office 365.

Here is my problem. My module AuditO365, which has been successfully loaded, is unable to access, use or run any of the commands provided by the pssession module: tmp_bleepboop123.wut. So instead it returns the Write-Error statement.

My question is how can I share my PSSession and all of its commands with my module so that my module can run the command Search-UnifiedAuditLog in this particular case.

I know I could establish a PSSession inside my module. I don't like that though. It's ugly. I know I could just save the code to my profile or a .ps1 file but I want to make a module so I can give/deploy it to other admins.

Thanks!

This is somewhat of a guess but I'd imagine you need to import the temporary module into your custom module. Without doing that your module has no knowledge of the commands from the temp module created by the session.

Alternatively, it looks like you could use the -Global parameter of Import-Module, passing the Import-PSSession command to Import-Module to import the commands into the global session:

Import-Module (Import-PSSession $o365Session) -Global
Original Poster · 1 point · 21 days ago

Thanks u/obsidianclock; the Import-Module (Import-PSSession $o365Session) -Global worked. I think coupled with the issue u/purplemonkeymad pointed to, that seems to have solved my issue!


2 points · 21 days ago

Well there is this

If you want to make your own this might be a helpful example.

2 points · 27 days ago · edited 27 days ago

Separate your AccountSkuId values with semicolons (;)

eg:

DisplayName,Firstname,LastName,UserPrincipalName,UsageLocation,AccountSKuid
Bertram Gilfoyle,Bertram,Gilfoyle,BGilfoyle@PiedPiper.com,US,piedpiper:ENTERPRISEPACK;piedpiper:ATP_ENTERPRISE

Then run something like this:

$success=@();$failed=@()
Import-Csv -Path "C:\My Documents\NewAccounts.csv" | ForEach-Object {
    New-MsolUser -DisplayName $_.DisplayName -FirstName $_.FirstName -LastName $_.LastName `
        -UserPrincipalName $_.UserPrincipalName -UsageLocation $_.UsageLocation `
        -LicenseAssignment ($_.AccountSkuId).Split(";") -ErrorAction SilentlyContinue
    if (!$?){$failed+=$_}else{$success+=$_}
}

Couple things to note about what you posted. You need to use ForEach-Object or %.

foreach is used like this:

$users=import-csv c:\myfol\myfile.csv
foreach ($user in $users){
   $user
}

You did $.Attribute in your foreach loop and it should be $_.Attribute.

I don't know if exporting your results to CSV would actually do anything because I am not sure if New-MsolUser actually returns an object. So instead I added if (!$?){} so that if it fails we add the user record to the $failed variable and if it succeeds we add it to the $success variable. You can Export-Csv those if you like.

Maybe start by pasting it in Powershell ISE script page. Step through your code.

Have not,

But I think separating both untrust interfaces into their own routing-instances is a good start.

Then maybe look at filter based forwarding all public ip traffic from your trust/private ip sided out your 1000/1000.

You can still use single quotes; you just have to wrap your variable in $().

ex:

New-ComplianceSearch -Name $searchname -ExchangeLocation all -ContentMatchQuery 'subject:$($subject)'
4 points · 3 months ago · edited 3 months ago

I think this won't work, as $($subject) will only work between "".

Generally you use $($var) because you can't get an object property in a string with double quotes. I will just show you in an example; it is easier:

$process=Get-Process notepad
 $str1="1 - the process: $($process.Name) has ID: $($process.id)"
write-host $str1
$str2= '2 - the process: ' + $process.Name + ' has ID: ' + $process.id
write-host $str2

Try the following

$subject="test"
$ContentMatchQuery1='subject:' + $subject
$ContentMatchQuery2="subject:$subject"
#verify strings look good
write-host $ContentMatchQuery1
write-host $ContentMatchQuery2
#3 different ways to skin this cat - I THINK - not confirmed
New-ComplianceSearch -Name $searchname -ExchangeLocation all -ContentMatchQuery $ContentMatchQuery1
New-ComplianceSearch -Name $searchname -ExchangeLocation all -ContentMatchQuery $ContentMatchQuery2
New-ComplianceSearch -Name $searchname -ExchangeLocation all -ContentMatchQuery "subject:$subject"

So the following way I believe would not work. This is because of the + operator:

New-ComplianceSearch -Name $searchname -ExchangeLocation all -ContentMatchQuery 'subject:' + $subject

But this might:

 New-ComplianceSearch -Name $searchname -ExchangeLocation all -ContentMatchQuery $('subject:' + $subject)

This is probably confusing. PowerShell has many ways to manipulate strings and variables. But when you start mixing those different string and variable methods then things can break.

Anytime you replace a device and reuse the old device's IP address(es) you can run into ARP issues, since the adjacent devices will often continue to use their old, stale ARP entries for the new device, which won't work because the new device has a different MAC address. This is much more likely to be a problem "soon" after the device swap, since most devices will age out ARP entries after a while, but that often doesn't happen quickly enough to prevent connectivity problems during testing. For example, many Cisco devices have a 4 hour ARP timeout, which is quite a while, especially during a maintenance window. Clearing the ARP entries in the adjacent devices is usually sufficient, but sometimes it's easier to just reboot them.

1 point · 3 months ago · edited 3 months ago

Also push your MAC address out the connected ethernet switches with gratuitous arp:

set interfaces ge-0/0/x gratuitous-arp-reply

This will make the SRX spew out its own MAC address by asking for its own IP address. The switches will see the traffic and learn. It's helped me on switches that I have no control over (usually ISP).

Original Poster · 1 point · 3 months ago

Very sorry for the confusion. I'm just looking for some help that's all.

I'm replacing my cisco ASA firewall with a Juniper SRX Firewall. Our ASA firewall is end of support in September. We were able to get a new firewall through e-rate. I had assistance from the company I purchased from on setting up the initial config on the SRX. When we cut over to the new firewall we weren't able to get out to the internet. The person that was helping me said there was something wrong with my network. And that's where my confusion lies. Nothing has changed as far as the network is concerned, so to me that makes me feel I'm missing something on my firewall config.

https://drive.google.com/file/d/1tapegf5ZIGXcQ6J5BEnOPmpayZYCFemR/view?usp=sharing


Be very careful not to have an asymmetric network. Your network diagram really is not that fleshed out.

SRX do not like asymmetric networks and will drop the traffic (TCP) if it receives packets in which it detects asymmetry. UDP traffic generally works.

Learn how traffic is routed on your network. If there is asymmetry, clean it up/redesign, because it is easier to do that than to work around the problem with NAT. Also more secure and elegant than turning off sequence checks and SYN checks for TCP.

Send traffic from your client to the internet, something you can narrow down (e.g. ping 8.8.8.8 -t), then do:

> show security flow session source-prefix 172.16.4.2/32 destination-prefix 8.8.8.8/32

Take note of the ingress interface displayed in the output, or whether it even sees the flow.

Then do:

show route 172.16.4.2

Take note of the route and interface used.

If they are different then you have an asymmetric network.

But you still have not provided enough info:

  • traceroute or pathping
  • ipconfig of host showing subnet and default gw
  • the subnets that lie in between your client and the srx. Their subnets and masks.
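The flow-versus-route comparison described in this post, as an added example (not code from the post or from Juniper): it parses pasted output of the two commands, compares the session's ingress interface with the interface the route back to the client uses, and also reports the "SRX never sees the flow" case. The SRX output embedded below is constructed to look like real output, not captured from a device.

```python
import re
from typing import Dict, List, Optional

# Constructed sample output, shaped like the two SRX commands from the post
# (not captured from a real device). The flow entered on ge-0/0/1.0, but the
# route back to the client leaves via ge-0/0/2.0: request and reply differ.
FLOW_SESSION_OUTPUT = """\
Session ID: 20095, Policy name: trust-to-untrust/5, Timeout: 2, Valid
  In: 172.16.4.2/1 --> 8.8.8.8/1;icmp, If: ge-0/0/1.0, Pkts: 4, Bytes: 336
  Out: 8.8.8.8/1 --> 203.0.113.10/1;icmp, If: ge-0/0/0.0, Pkts: 4, Bytes: 336
Total sessions: 1
"""

ROUTE_OUTPUT = """\
inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.16.4.0/24      *[Static/5] 02:11:43
                    > to 10.1.1.2 via ge-0/0/2.0
"""

# What the first command prints when the SRX never sees the client's traffic
NO_SESSION_OUTPUT = "Total sessions: 0\n"


def ingress_interface(flow_output: str) -> Optional[str]:
    """Interface on the 'In:' wing of the first session, or None if the SRX
    shows no session for the flow at all (the traffic never reaches it)."""
    m = re.search(r"^\s*In:.*?\bIf:\s*(\S+?),", flow_output, re.MULTILINE)
    return m.group(1) if m else None


def route_interfaces(route_output: str) -> List[str]:
    """Every 'via <ifl>' of the selected (>) next hops toward the client, so
    an ECMP route with several next hops is reported in full."""
    return re.findall(r"^\s*>\s*to\s+\S+\s+via\s+(\S+)", route_output, re.MULTILINE)


def check_symmetry(flow_output: str, route_output: str) -> Dict[str, object]:
    """Compare where the client's packets arrive with where the route back
    points. 'symmetric' means the return route uses the interface the request
    came in on; otherwise request and reply take different paths and, as the
    post notes, the SRX drops TCP that fails its per-session state checks."""
    ingress = ingress_interface(flow_output)
    via = route_interfaces(route_output)
    if ingress is None:
        status = "no-session"
    elif ingress in via:
        status = "symmetric"
    else:
        status = "asymmetric"
    return {"status": status, "ingress": ingress, "route_via": via}


if __name__ == "__main__":
    for name, flow in (("flow seen", FLOW_SESSION_OUTPUT), ("no flow", NO_SESSION_OUTPUT)):
        print(name, check_symmetry(flow, ROUTE_OUTPUT))
```

Paste the real output of the two commands into the two strings to run the same check against your own SRX.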

Original Poster · 1 point · 3 months ago

Apparently it works now.... Not sure why! I did have to connect to Ge-0/0/1 in GNS3 for it to be Ge-0/0/0 in the vSRX. I'll adjust the settings appropriately.


Not sure why! I did have to connect to Ge-0/0/1 in GNS3 for it to be Ge-0/0/0 in the vSRX

Yeah I have heard of this. This is vSRX 17.x right? The interfaces do not get labelled correctly in GNS3.

David Bombal talks about that in his youtube video


I never got the GNS VM to work in my VM Workstation like my other VMs that I run. The GNS VM always stated I need a VT-supported chipset, which I do, or how else would I be running all my other VMs... Perhaps a BIOS update, but screw all that.

My laptop still has the old-school GNS3 that can run everything I need to test layer 3 stuff out, plus when I want to lab up layer 2 or layer 3 switches with trunks I use Packet Tracer.


Don't know what you have tried, but you may need to enable it in your BIOS.

VT technology is enabled; it's the reason I bought this mobo and CPU, so that I can run virtualization. I have about 10 VMs that I currently run with VM Workstation. Oh, I also went the simple route with just using VM Player, like the GNS documentation states, but at this point I don't want to attempt a BIOS update for the Intel CPU and have the whole rig go south for one VM.

1 point · 3 months ago · edited 3 months ago

The only thing I can think of, but you may have done already, is to enable the VT-X check box on the GNS3 VM's properties: https://imgur.com/a/qglnc

Anyway maybe you have tried this. Otherwise take a look.


Yeah, that's nonsense.

Look, TA has an impact on price if at least for the very reason that a portion of investors use TA to make their decisions.

And I'm not even a TA guy. I'm 95% FA, 5% TA. But goddamn are people quick to shoot down what they don't understand.


I am just picking this up... Not a FIN guy...

TA= Technical Analysis

So I figured FA = Feelings analysis??? but no FA = Fundamental Analysis.

I guess Feelings Analysis should really be Qualitative Analysis and when describing the crypto the word "holistic" should be used vigorously... Else it's QA would be really really bad...

eg Ripple is a holistic solution for cross border payments, running on Google-juice, that empowers financial institutions to do stuff.

There better not be a Quantitative Analysis. I already claimed QA. They will have to just take QAA or something...

TIL: I guess I am a FA guy.

I'll just be leaving now...

Original Poster · 1 point · 4 months ago

This looks more like a router than a switch, is that correct?


SRX S=Security R=Routing X=Switching

JE gets you registered so you can download app-id etc. Without it you won't be able to do a

> request services application-identification download 

You should have received an email from your vendor with a code/serial and instructions on how to register if you have JE. Once that is done you can download APP-ID. As well, you can pay for IDP/AV/UTM features. This is an added cost but, as I understand it, requires the JE feature/hardware.

Try something like this?

gr-0/0/0 {
    unit 0 {
        tunnel {
            source 10.10.10.10;
            destination 10.20.20.20;
            path-mtu-discovery;
            routing-instance {
                destination r1;
            }
        }
        family inet {
            mtu 1400;
            address 10.11.11.1/30;
        }
    }
}

I do this on my srx.. Not sure about EX

Does it work fine on the console? Is it still switching after 20 seconds?

You are just having management cli issues?

If you can find the old Juniper JNCIS-SEC study guides, they are a good starting point.

I have resorted to using the vsrx-12.1X47-D20.7. If your purpose is simple enough I would recommend this. The differences are not that great.

I believe the vSRX for 15.x requires lots of RAM and CPU (4 GB, 2 vCPU, but check it out, I could be wrong). Make sure you give it enough when it's in a nested config. Even after that it was very unbearable to run (for me).

If you get it working though I'd love to hear about it!

Just had a co-worker say something so stupid he'll have to put it on his tombstone...."Test it live"


considering that we were stuck at .18 to .40 cents for the past year... well this is not bad. Until XRP starts moving trillions of dollars a day... Then maybe we can have something to talk about...

For now Ripple will keep doing what they are doing. In the mean time hodl...

I've not looked at the Junos Genius prep for JNCIA since the app was refreshed a few months ago, but when I used it last year to prep it was only beneficial for 20-25% of the test tops. Knowing how to subnet, basics of routing and hands on experience configuring EX series were of greater benefit.


I would add that policy-statements are another thing you should brush up on. There were a lot of questions with sample policies where you had to determine which routes would be accepted into the routing table: understanding the logic, match criteria, route filters etc.

Chapter five of the O'Reilly Junos Enterprise Routing book was good. Look at page 152: CTRL-F Longest match wins, but may not….

If you understand that example and don't get tripped up then you should be good going into the exam. At least for that topic.

Original Poster · 1 point · 6 months ago

Thank you. That worked. Interesting note: that's keeping me from accessing my wan IP web server inside my own network. It's not a problem, just an interesting observation.


Try adding as well:

set security nat destination rule-set nat1 from zone trust

You now are dnat'ing from untrust and trust. Should work.

So for example here. Would I buy from quadriga, send it to shapeshit.io, then get another wallet? This seems pretty tedious. Is there another place


Yeah but generate a paper wallet. send the shapeshift to your XRP Wallet Pub Key.

Yeah, it can be tedious. You could open an account on Bitstamp or GateHub. But you may find that tedious as well.

I started with Bitstamp. There is a verification process you will need to go through. In the end I found ShapeShift faster.

Just saw that i can use Shapeshift + Jaxx. Very easy like this. Thanks


Not familiar with jaxx. Just make sure you have some sort of wallet backup up. But essentially same same, but different but still same....


We migrated an O365 tenant to our O365 tenant last night. To do a Remove-MsolDomain, we must first remove all the SMTP/SIP/UPNs with that domain. So we did. But we missed a couple of unified groups created by the Planner O365 app. Tried the following but no joy:

$fixthesegroups=Get-MsolGroup -All | ? {$_.ProxyAddresses -match "^.*\@(This\.com|That\.com|TheOther\.de|AndDontforgetThis\.com)"}
foreach ($dl in $fixthesegroups){
    # Reset per group: declared once outside the loop, the array kept growing and
    # every later group was asked to remove the addresses of all earlier groups too
    $REMOVEME=@()
    foreach ($proxy in $dl.ProxyAddresses){
        if ($proxy -match "^.*\@(This\.com|That\.com|TheOther\.de|AndDontforgetThis\.com)"){
            $REMOVEME+=$proxy
        }
    }
    # Move the primary address onto the onmicrosoft.com domain first, so the old
    # primary becomes a secondary address that the remove below can take away
    $newEmail=$dl.PrimarySMTPAddress -replace "\@(This\.com|That\.com|TheOther\.de|AndDontforgetThis\.com)","@thisold.onmicrosoft.com"
    Set-UnifiedGroup $dl.EmailAddress -PrimarySmtpAddress $newEmail
    Set-UnifiedGroup $newEmail -EmailAddresses @{remove=$REMOVEME}
}

I tried the GUI (you can't remove email addresses), I tried removing the prefixed "(smtp:|SMTP:)" in the REMOVEME array, and I tried removing the proxy addresses one by one.

How the heck do you update these groups. Does it just take a really long time? In the end I deleted them, but we needed to backup the Sharepoint sites for some of these sites first. As I understand if you delete them it deletes the planner and the sharepoint data completely.

I think I hate unified groups...

3 points · 8 months ago · edited 8 months ago

I did the VCA by accident thinking it was part of the VCP. Studied the VCP material and tried to do the VCA. Passed but I was ill prepared. Worst exam experience ever. After barely passing, jaw drops and just thinking wtf just happened??? my 2 cents VCA is not worth it. Don't waste your money. Try and do the VCP. Put your efforts there.

The VMware Install and Configure (VCP Pre Req) training can be done through Webex live classroom. That's how I did it and it was great. I had a great instructor and learned some new things.

VCA is one badge on my linkedin that I am kind of embarrassed about. To me it proves no real knowledge of running/working in a VMware shop. Maybe for Sales people, IDK...

You need to go here for details on VCP 6 or 6.5:

  1. attend the required training course (VICM 6/6.5 or another specified at the above link)
  2. pass the 2V0-620 or 2V0-622 (VCP exam)
  3. pass the 2V0-600 or 2V0-602 (foundations exam)

You can do these in any order you like, but I did it in the order above. Do the foundations exam first. Don't do it like I did...

Original Poster · 1 point · 8 months ago

Less than 10 VLANs

And they all do support RSTP and that is what was configured on them. But that storm was created and took down the whole LAN so my best guess is because they don't have everything identical (path method, priority, timers, etc.) and no root set.


Also make sure you set up all edge ports with bpduguard where you can. It might also be wise to have a mac limit of 1, on your edge ports, if you can or 2-4 if you need to be a bit lenient.

Often it can be a user that plugs in a dumb l2 switch that does not do or care about stp.

u/aricade