Latest posts

Palo Alto User-ID and Terminal Server Agent Certificates

On November 18th, 2024, the certificates that the Palo Alto User-ID agent and the Palo Alto Terminal Server agent use to communicate with a Palo Alto firewall will expire, causing all communication to fail.

Palo Alto Networks has made new versions of the User-ID and TS agents with updated certificates that will expire on January 1st, 2032.

Before upgrading the User-ID or TS agent, you must upgrade your Palo Alto firewall to a version that supports the updated User-ID and TS agent certificate. Check the Palo Alto advisory here to determine which PAN-OS version you need.

If you want to know how to upgrade a Palo Alto firewall using the CLI, my blog post, Upgrade Palo Alto HA Pair (Active/Passive) with CLI, covers the entire process. If you want to upgrade your Palo Alto firewall using the GUI, my blog post, Upgrade Palo Alto Firewall HA Pair (Active/Passive), covers the entire process.

Once you’ve upgraded your Palo Alto firewall, you can upgrade the User-ID and TS agents to the new version.

My blog post, Palo Alto User-ID Agent Upgrade, details the entire upgrade process for the User-ID agent. My blog post, Palo Alto Terminal Server Agent Upgrade, details the upgrade process for the Terminal Server agent.

After I upgraded my User-ID and TS agents, I wanted to validate that everything was using the new certificates before the expiry deadline. I couldn’t find a straightforward way to check. However, I figured out a way.

In this post, I will detail step-by-step how to check the certificates that the Palo Alto User-ID agent and the Palo Alto Terminal Server agent use to communicate with PAN-OS.

The Process

  • Connect to the system that has the Palo Alto User-ID or TS agent installed and browse to the installation directory.

User-ID is typically installed to C:\Program Files (x86)\Palo Alto Networks\User-ID Agent

TS Agent is typically installed to C:\Program Files\Palo Alto Networks\Terminal Server Agent

Active Directory Recycle Bin

If you accidentally delete something in Active Directory, it can be difficult to undo. Fortunately, you can enable a recycle bin for Active Directory, making life much easier if you need to restore something.

The Active Directory Recycle Bin (sometimes called ADRB) was first introduced in Windows Server 2008 R2. You need to enable it to take advantage of it. You can never turn it off once you enable the Active Directory Recycle Bin.

Once the Active Directory Recycle Bin is enabled, deleting an object out of Active Directory does not remove it instantly. The object is placed in the Active Directory Recycle Bin and is only permanently deleted after the retention period has passed. The default retention for the recycle bin is 180 days.

In this post, I will show you step-by-step how to check the Active Directory Recycle Bin status using the GUI or PowerShell, how to enable the Active Directory Recycle Bin with the GUI or PowerShell, and how to check the Active Directory Recycle Bin retention using the GUI or PowerShell.

Prerequisites

  • Active Directory Forest Functional Level at Windows 2008 R2 or higher
  • Active Directory Domain Functional Level at Windows 2008 R2 or higher
  • Domain Admin account

Checking Active Directory Recycle Bin Status

Before enabling the Active Directory Recycle Bin, it’s a good idea to check if it’s already enabled.

GUI Way

  • Open the Active Directory Administrative Center (aka dsac)
  • In the top right, click on Manage > Add Navigation Nodes…
  • Select your domain, click on the arrows to add it, then click OK.
  • Click on the domain.

Palo Alto Terminal Server Agent Upgrade

Palo Alto Networks makes a program named Terminal Server Agent, aka the TS Agent. It is similar to the User-ID agent. However, the TS Agent is built to identify users on a multi-user system.

In this post, I will show you step-by-step how to upgrade the Palo Alto Networks Terminal Server agent.

Prerequisites

  • Verify that the new Terminal Server agent version is compatible with your PAN-OS.

The TS Agent is typically compatible with the same release number along with earlier still-supported PAN-OS versions. For example, TS agent 11.0 works with PAN-OS 11.0 and earlier. You can confirm this by reading the OS Compatibility section in the release notes.

The Process

  • Log in to the Palo Alto Networks Customer Support Portal.
  • Click on Updates.
  • Click on Software Updates.
  • Select the Terminal Services Agent.
  • Click on the version you need to start the download.
  • Connect to the system that is running the Palo Alto TS Agent.
  • Open Services.
  • Stop the PAN Terminal Server Agent service.

Microsoft 365 Passkey Setup

Microsoft 365 supports hardware security keys with passkeys. Passkeys are sometimes called FIDO2. Passkeys are one of many ways you can secure your accounts.

In this post, I will show you step-by-step how to set up a passkey in Microsoft 365, including configuring a passkey with a break glass emergency access account.

Prerequisites

  • Hardware security key that is FIDO2 compliant. (A common one is YubiKey 5)
  • Microsoft Entra ID Authentication Method for Passkey (FIDO2) and Temporary Access Pass enabled.

The Process

  • Log in to Microsoft 365.
  • Click on your account in the top right and click on View account.
  • Click on Security info.
  • Click on Add sign-in method.
  • Select Security key and click Add.
  • Select the type of security key you have.

In this example, I will use a USB device.

  • Plug your security key into your computer and click Next.
  • On the new window, select the Security key option to save the passkey to the security key, and click Next.

Outlook Email Mover

The way I manage my email might seem a bit strange. Due to working in IT, I get lots of emails. Some emails need action, some are regular emails, and some are notifications I want to know about as soon as they happen. I feel like a normal person would make an Outlook rule to move emails into folders and just check those folders when needed.

The problem I have with dumping emails into folders automatically is when I only have my phone on me, I won’t know if a new email comes in when it’s auto-moved to a folder, so I’d have to keep checking the folders, and that doesn’t work with my workflow.

An example is I get notifications when backups run. If a backup is successful, I have an activated Outlook rule that moves the email into a folder. However, if a backup has an issue or something like that, I want it in my inbox so I see it immediately, no matter what device I’m using.

After I’ve addressed the email, I could move it into a folder. But that is a manual step; I’d rather have an automated way. Also, it doesn’t scale well if you get a lot of emails, and due to the nature of IT and alerts, I get lots of emails for all sorts of things that I want to see, but after I’ve read the email, I want it filed away correctly.

I used to select blocks of emails and move them into folders. However, I’ve accidentally moved an email I needed to reply to into a folder and didn’t notice. If I don’t have a way to move the emails around, an email I need to action could also get lost in the noise of other emails.

A normal person might say to use a different system for alerts. While that’s valid, the issue I have is that’s another system that I’d need to keep checking when I’m not in front of a computer, and I don’t want to do that because I am stubborn and my current system does work, which is why I prefer email notifications.

I expressed the issue of my email clutter to a friend, and they told me about a system they’ve been using to help with it. They use Outlook rules that aren’t enabled to move emails around to different folders. They trigger the rules by using a macro in Outlook.

I tried the Outlook rules macro option, and it worked wonderfully, with one catch: you need to enable macros in Outlook. I am worried that having macros enabled in Outlook will increase the attack surface for my account.

Rather than using macros, I found a way to do the same thing with PowerShell and COM objects. This works great, but you have to have Outlook open for it to work, and it doesn’t work with New Outlook. Currently, there doesn’t seem to be any support for COM objects in New Outlook.

I went down the rabbit hole of figuring out how I could upgrade the script to support moving emails without using COM objects. The rabbit hole led me to Microsoft Graph. With Microsoft Graph, there is a way to retrieve a user’s Outlook rules, but there doesn’t appear to be a way to execute the rules on demand like the macro and COM object methods did.

However, Microsoft Graph does support moving emails around. Most of the Outlook rules I use to move emails around are basic rules that can be easily rebuilt using Microsoft Graph. I now have a script that I’m calling Outlook Email Mover that moves emails around based on some provided parameters, which is exactly what an Outlook rule does.

The Script

Outlook Email Mover uses Microsoft Graph to connect to the user’s mailbox and move emails around.

You can find the script on my GitHub https://github.com/thedxt/Outlook-Email-Mover

Prerequisites

How It Works

Outlook Email Mover uses Microsoft Graph to connect to a user’s mailbox. The required scope is "Mail.ReadWrite".

Inside the Outlook Email Mover script is a function called Outlook-email-mover-connector.

The Outlook email mover connector is a function you can use to connect to Microsoft Graph. You can also connect to Microsoft Graph yourself and not use the function as it is optional.

Reset VMware vCenter Root Password

You should always know the root password for your VMware vCenter. Fortunately, if you don’t remember your VMware vCenter root password, there’s a way to reset it.

In this post, I will show you step-by-step how to reset the root password for VMware vCenter.

The Process

  • To be extra safe, take a snapshot of your current vCenter VM.
  • Determine which ESXi host is running your vCenter VM by looking at the related objects and the host listed.
  • Connect to the ESXi host that is housing the vCenter VM.
  • Restart the vCenter VM.
  • When you see the Photon boot screen, press the letter e.

VMware vCenter Disable Root Password Expiry

The root password for VMware vCenter expires every 90 days by default. Depending on your vCenter setup, you may want to disable the root password expiry.

In this post, I will show you step-by-step how to disable the root password expiry for VMware vCenter using the GUI and the CLI.

GUI Way

  • Log in to the vCenter Server Management interface as root (it used to be called the vCenter Server Appliance Management Interface (VAMI)).
  • Click on Administration.

I Went to VMware Explore 2024

This year, I had the exciting opportunity to attend VMware Explore 2024 in Las Vegas from August 26th to August 29th.

I set a few goals for myself for VMware Explore. Those goals were to learn as much as possible about AVI load balancer, VMware Cloud Foundation (VCF), NSX, Kubernetes, and network with other VMware nerds like me. I am happy to report that I achieved those goals. I even met people that I had only ever spoken with online. My brain is so overloaded with information right now, and I love it.

This post will recap my VMware Explore 2024 experience in Las Vegas.

Day 0

The first day of my trip was Sunday, August 25th, and I’m calling this Day 0 as this was essentially a travel day. I flew from the Calgary airport and landed in Las Vegas around 5:45 pm local time.

It was my first time in Las Vegas, so everything was a new experience. The first shock I had was that the airport had gambling machines throughout, even ones in isolated boxes for people to smoke in. I did not expect to see that, but it makes sense, as Las Vegas is known for gambling.

Gambling machines in the Las Vegas airport.

Escaping the airport to the rest of the Las Vegas civilization was an adventure. I needed to take a tram to another part of the airport to get to the doors that would let me out. I thought that was strange as I figured they would just be like exit here, which would be very straightforward.

I then took a cab to the hotel where I stayed, The Palazzo. On the way to the hotel, the cab passed by the Las Vegas Sphere, and holy smokes, is it huge!

The Las Vegas Sphere

The Palazzo is one of two hotels that make up the Venetian Resort. The second hotel is the Venetian. VMware Explore occurred in the Venetian Convention Center, also known as the Venetian Expo.

Outside view of the Venetian Expo

I got checked into the Palazzo and proceeded to find my room. You must cross the entire casino floor to get to the rooms (also called guest suites). I found my way across the casino floor to the guest suite elevators, where you needed to tap your access card before getting to the elevators. I found the bank of elevators that took me to the 35th floor, the floor my room was on.

I dropped off my bags and proceeded to find my way to the VMware Explore registration as it was around 6:15 pm, and registration closed for the day at 7 pm. I wanted to get registered immediately, as I was worried that if I waited until the following day, I might miss out on some sessions. I also wanted to have one less thing to worry about.

The only thing I knew about the location of the VMware Explore registration was that it was at the Venetian Expo and in a ballroom on level 2. I had no idea where any of that was.

Onyx (MLNX-OS) Text Config Export

By default, with Onyx (MLNX-OS), when you export the switch configuration, it is exported as a bin file rather than the regular text-based config files we are all used to. Fortunately, there’s a way to export the configuration as a text file.

In this post, I will show you step-by-step how to generate and export a text-based configuration file from a switch running Onyx (MLNX-OS).

The Process

  • SSH into the switch
  • Run the command enable to elevate yourself
  • Enter configuration mode with the command configure terminal

Before we can run the next command, we need to build it out. First, we tell the Onyx switch to generate a text-based version of the configuration. We will do that with the command configuration text generate

The following option tells the Onyx switch what to use to generate the text config file. We can use an already saved configuration file, or we can use the active configuration. I will use the active configuration. To do this, I will use the active parameter.

Now, we need to specify if we want to use the running config that could be unsaved or the saved version of the running config. If the running config isn’t saved, it’s not real, and I don’t care about it, so I will use the saved option.

Next, we decide if we want the configuration’s expanded version. The expanded version will list everything individually and not use ranges. I like ranges, so I won’t be using the expanded parameter.

Ranged config compared to expanded config

We also need to tell the Onyx switch we want to copy the generated text configuration file off of the switch. We will do that with the parameter upload.

Company Portal Theme

The default theme for Company Portal is fine, but it always looks better when you customize it to match your organization’s theme.

In this post, I will show you step-by-step how to set a theme for Company Portal.

The Process

  • Log in to Microsoft Intune admin center
  • Click on Tenant administration
  • Under the End user experiences section, click on Customization.
  • Click on Edit beside settings.
  • Enter your Organization name.
  • Select a Theme color.

The default color for Company Portal is blue.

The default Company Portal Header and color.

  • Select what you would like to see in the header.

I will be selecting Organization logo only as my logo has the organization name in it already.

  • Select a logo for the color-themed background and the white background.

I will be using the same logo for each of them.

Company Portal themed with a logo-only header.