Latest posts

Setting Up Cloudflare Access

Cloudflare Access

I’ve been a fan of Cloudflare for a while now. I love how fast they can propagate DNS changes and I typically like to use them as a DNS resolver. An issue that I’ve ran into many times, is how to protect something with MFA (Multi-Factor Authentication) that doesn’t have any support for MFA.

This problem is common with legacy web applications and very common with SCADA (Supervisory Control And Data Acquisition) web applications. The issue I was trying to solve was how to put MFA in front of a SCADA web application.

I decided to use Cloudflare Access. Cloudflare Access goes by a few names some of them are Cloudflare Zero Trust Network Access (ZTNA), Cloudflare Access, and Cloudflare Zero Trust Access. For simplicity I’m going to refer to it as Cloudflare Access.

Cloudflare Access is really nice because you can put it in front of any web application and it will require the user to authenticate before they can even reach the website.

If you have a lot of applications like this you can even set it up so the users can login to a portal to see all of the applications that are available to them. You can do all of this without the user having to install anything. What’s even better is that it’s free for 50 users.

Here’s how I setup a SCADA web app with Cloudflare Access.

Windows Recovery Partition

When you install Windows it always creates a Recovery Partition, which runs a very lite version of Windows with a few tools. There’s been a few times where I’ve used those tools to fix a system.

I wanted to know what would happen if I deleted the Recovery Partition. This is what I found down that rabbit hole.

Your Windows partitioning will look something like this.

Disk Partitioning with Recovery Partition

geoSCOUT published remote access

I needed to get geoSCOUT working in VMware Horizon but geoLOGIC doesn’t officially support publishing geoSCOUT to systems like Citrix, RD Web, and Horizon. Due to the way that geoSCOUT works you can’t just launch the geoSCOUT exe and have it work.

On the first launch a user would normally run the geoSCOUT Desktop_Build_NonAdmin_v8.exe installer which will create the App Data and the document files for the user. The creation of the App Data part is important because that is when it creates the reference to the geoSCOUT license file. If you try to just run the geoSCOUT Desktop_Build_NonAdmin_v8.exe install file outside of the path of your geoSCOUT license file it won’t install correctly.

Now a way to get around the issue is to have the user RDP into your session host that is publishing the application and have them run the non admin installer but that isn’t very seamless and is very time consuming.

My solution was to write a PowerShell script that launches before the user launches geoSCOUT.

FortiGate Hair-pinning

I have been playing around with Policy mode on the FortiGate and an issue that I’ve ran into a few times is if you have something hosted internally that also needs to be accessed externally it doesn’t work internally when you use the external address, for example a reverse proxy.

In my setup I use a reverse proxy in front of my WordPress Docker containers. Due to this they are running on random ports. When I need to access them I need to use the external address not the LAN address. A half workaround that I was doing, was using CloudFlare proxied mode which did work but I wanted to fix it without needing to do that.

FortiGate Deny Logs

Something that’s annoyed me with FortiGates is that viewing the deny logs isn’t super straight forward. Part of the issue is the fact that Fortinet disables the deny log by default and if you don’t know where to look for it you might not figure it out by clicking around.

Fortinet says that they have the deny logs off by default to optimize the usage of logging space. I however want to see as much info as possible when possible, especially when troubleshooting.

Thankfully turning it on is easy, here’s how to do it and view it.