Friday, September 21, 2018

Updating Let's Encrypt Certificate for SirsiDynix Horizon Web Services

How to update a Let's Encrypt certificate on Apache Tomcat for SirsiDynix Horizon Web Services.  If you went through my post on Adding Let's Encrypt TLS Certificate to SirsiDynix Horizon Web Services Tomcat Server you will like this post.  It takes about 10 to 20 minutes and is pretty quick for a manual update.


There are a couple of things that you will want to have handy to make this process go smoothly.
  • Logged in to the Windows Apache Tomcat server with a view of the desktop
  • Access to the Let's Encrypt account key and CSR
  • Logged in to your DNS provider
  • Passwords required for your Tomcat keystore

Environmental Variable Verification:



Keystore Details

Alias: KeystoreAlias
File name: $KeystoreFileName
Password: $KeystorePassword!


From your Windows server running Apache Tomcat, go to zerossl.com.



Enter the email address you used to set up your Tomcat server account; you will also need your account key and domain CSR.




Select DNS Verification, accept the TOS, accept the SA and hit Next.

This will take you to the DNS ACME-Challenge page. Copy the challenge value and update the TXT record for _acme-challenge.$yourdomain in our ZoneEdit account with it.




Once verified, it will allow you to download your new domain and intermediate certificates.

Save the downloaded file to the Documents folder. Then open it in Sublime Text and split the certificates apart. The top certificate is the domain certificate, which is the one we need; the other is the intermediate certificate. Copy and paste them into files named in the following format:

Domain-cert-renewal-$TodaysDate.crt
Intermediate-cert-renewal-$TodaysDate.crt

Copy the files into the Apache Tomcat directory, C:\Program Files\tomcatserver.

Run CMD as Administrator and cd to “C:\Program Files\tomcatserver”; this will make things easier.

Type in “$JAVA_VAR”\keytool -import -alias $yourkeystorealias -trustcacerts -file domain-cert-renewal-20180919.crt -keystore $yourkeystorefilename

It will then prompt you for a password:

Enter the password for the keystore.

Then it will ask you for a new password. You can continue to use the one you have; if you change it, update the documentation!

You will get a warning about PKCS12 which you can ignore, and that is it, you're done. Your SSL certificate is updated. Restart your Apache Tomcat server for the certificate update to take effect.
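The split, save and import steps above can be done in one PowerShell session, with a couple of checks that the manual Sublime split does not give you. The script below is an added example, not from the original post or from SirsiDynix; the bundle file name, JAVA_HOME, the keystore file name and the alias are assumptions and must be changed to match your server.

```powershell
# Added example (not from the original post): split the downloaded bundle into
# domain and intermediate certificate files, sanity-check them, then import the
# domain certificate into the existing Tomcat keystore alias with keytool.
# Paths, alias and keystore names below are assumptions; adjust to your server.
$Bundle        = "$env:USERPROFILE\Documents\domain-cert-bundle.txt"  # assumed name of the ZeroSSL download
$TomcatDir     = "C:\Program Files\tomcatserver"
$Keytool       = Join-Path $env:JAVA_HOME "bin\keytool.exe"           # assumes JAVA_HOME is set
$KeystoreFile  = Join-Path $TomcatDir "tomcat.keystore"              # assumed keystore file name
$KeystoreAlias = "tomcat"                                             # assumed key alias
$Today         = Get-Date -Format "yyyyMMdd"

# Pull every PEM block out of the bundle in file order (domain cert first, then intermediate).
$pem    = Get-Content -Path $Bundle -Raw
$blocks = @([regex]::Matches($pem, '-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----') |
            ForEach-Object { $_.Value })
if ($blocks.Count -lt 2) {
    throw "Expected a domain cert followed by an intermediate, found $($blocks.Count) block(s)."
}

$DomainFile       = Join-Path $TomcatDir "Domain-cert-renewal-$Today.crt"
$IntermediateFile = Join-Path $TomcatDir "Intermediate-cert-renewal-$Today.crt"
Set-Content -Path $DomainFile       -Value $blocks[0] -Encoding Ascii
Set-Content -Path $IntermediateFile -Value $blocks[1] -Encoding Ascii

# Parse both files and catch the two common mistakes: files swapped, or the old cert downloaded.
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($DomainFile)
$int  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($IntermediateFile)
if ($leaf.Issuer -ne $int.Subject) {
    Write-Warning "Domain cert issuer '$($leaf.Issuer)' does not match intermediate subject '$($int.Subject)'; check the file order."
}
if ($leaf.NotAfter -lt (Get-Date).AddDays(7)) {
    throw "Downloaded cert expires $($leaf.NotAfter); this looks like the old certificate."
}
"Domain cert: $($leaf.Subject) valid $($leaf.NotBefore) to $($leaf.NotAfter)"

# Import into the existing key alias. keytool treats this as a certificate reply
# for that private key and refuses a certificate that does not match the key.
# It prompts for the keystore password; do not put it on the command line.
& $Keytool -importcert -alias $KeystoreAlias -trustcacerts -file $DomainFile -keystore $KeystoreFile
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }

# Confirm the keystore now carries the renewed certificate before restarting Tomcat.
& $Keytool -list -v -keystore $KeystoreFile -alias $KeystoreAlias | Select-String 'Owner', 'Valid from'
```

If keytool answers "Failed to establish chain from reply", the intermediate that signed the new domain certificate is not in the keystore or in the Java cacerts file; import the Intermediate-cert-renewal file first under its own alias (without -trustcacerts it is a plain certificate entry) and re-run the domain import. The final keytool -list output should show the new "Valid from" dates before you restart Tomcat.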




If you want to verify the certificate, there is a Java program installed called Portecle:
http://portecle.sourceforge.net/




Once the program is open you can open the keystore file by going to File -> Open Keystore File -> “C:\Program Files\$pathtotomcatdirectory” or by opening the file from the drop-down as shown below.





You will then be prompted for the keystore password: $KeystorePassword!
Once that is done you can see the certificates in the keystore as shown below.



Thursday, September 20, 2018

Setting Windows Server network binding/priority order

In Windows Server you can have multiple networks ("VLANs") connected to your computer.  Windows will randomly set up the priority of your virtual networks, which can cause a problem for you, especially in a clustered Hyper-V environment.  You can set the network priority of your virtual networks in two ways in Server 2012 R2, but it is a little bit different in 2016.

In Server 2012 R2 go to Network and Sharing Center.

Press the "ALT" Key and the advanced menu will be displayed.



Under advanced select "Advanced Settings"


You can then set the order in which networks get priority, with the topmost being the highest priority.



In Server 2016 this has changed a bit: you set the metric for the binding priority.

If you're using Hyper-V you need to select the vEthernet interface -> right click and get Properties -> select Advanced TCP/IP Settings, deselect "Automatic metric" and put in a metric; the interface with the lower value gets the binding.
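The same metric change can be made and verified from PowerShell, which is handier on a cluster where you want every node set identically. This is an added example, not from the original post; the interface names "vEthernet (Management)" and "vEthernet (Cluster)" are assumptions, so run the first command and use the aliases it shows.

```powershell
# Added example (not from the original post): show the current IPv4 interface
# order and pin the Hyper-V management vEthernet interface to the lowest metric.
# Interface aliases are assumptions; check the Get-NetIPInterface output first.

# Lowest InterfaceMetric wins, so sorting ascending shows the effective binding order.
Get-NetIPInterface -AddressFamily IPv4 |
    Sort-Object InterfaceMetric |
    Format-Table InterfaceAlias, InterfaceMetric, AutomaticMetric, ConnectionState -AutoSize

# Turn off automatic metric and set an explicit value on the management interface
# (the PowerShell equivalent of clearing "Automatic metric" in Advanced TCP/IP Settings).
$mgmt = "vEthernet (Management)"   # assumed alias of the vSwitch-backed management adapter
Set-NetIPInterface -InterfaceAlias $mgmt -AddressFamily IPv4 -AutomaticMetric Disabled -InterfaceMetric 10

# Give the cluster/live-migration network a higher (less preferred) metric.
$cluster = "vEthernet (Cluster)"   # assumed alias
Set-NetIPInterface -InterfaceAlias $cluster -AddressFamily IPv4 -AutomaticMetric Disabled -InterfaceMetric 20

# Verify: the management interface should now be listed first.
$first = (Get-NetIPInterface -AddressFamily IPv4 | Sort-Object InterfaceMetric | Select-Object -First 1).InterfaceAlias
if ($first -ne $mgmt) { Write-Warning "Expected $mgmt to have the lowest metric, but $first does." }
```

Set-NetIPInterface changes the metric per address family, so repeat with -AddressFamily IPv6 if the interfaces carry IPv6 as well; otherwise the IPv6 order stays automatic.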


References:

https://docs.microsoft.com/en-us/powershell/module/netadapter/set-netadapter?view=win10-ps
https://www.mssqltips.com/sqlservertip/4928/configure-network-binding-order-for-a-windows-server-2016-failover-cluster/
https://labs.supinfochina.com/en/change-network-card-priority-in-windows-server-2012-r2/
https://social.technet.microsoft.com/Forums/windowsserver/en-US/da2cebda-4ead-401e-a821-3330eb5d4988/change-network-binding-order?forum=windowsserver2008r2networking
https://social.technet.microsoft.com/Forums/windows/en-US/cb8dac7f-5f04-42b1-8065-a95c946f6ec2/change-network-adapter-priority-order?forum=ws2016

Thursday, September 06, 2018

Setting up Mitel VOIP phones using PFSense and Active Directory


At my office we were using a Mitel phone controller that used Streamline adapters for connecting our phones to the VoIP system.  At the best of times the system required a weekly reboot; otherwise phones would randomly drop off the system and need to be rebooted.


Mitel Streamline Dongle

So we had a bit of a panic on a Friday before the long weekend, near closing time: the Mitel Streamline system decided to die.


About the Organization:


So we have 2 locations about 500 meters apart; let's call one SAP and the other LMC.  They are connected by a high-speed fiber link.  What was done is we were asked to pass two different VLANs through the network: VLAN 11 for LMC and 210 for SAP.  Our LMC network was already getting the VoIP system through the DHCP on our Active Directory controller.


Here is some of the info for the single DHCP server: 192.168.1.0/24 on VLAN 100, and we are using option 43 to pass VLAN 11 to the phones.


To add or modify the Mitel string you need to go to DHCP Server -> Server Name -> IPv4 -> Scope -> Scope Options.


Find 043, give it a good name and description, then add the following string:


id:ipphone.mitel.com;sw_tftp="$YOURSRVIP";call_srv="$YOURSRVIP";vlan=11;dscp=46  


example:

id:ipphone.mitel.com;sw_tftp=10.12.0.10;call_srv=10.12.0.10;vlan=11;dscp=46  
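Because the same string has to be entered at both sites with only the VLAN changed, it is easy to typo a field. The function below, an added example that is not from the original post or from Mitel, builds the string from validated parameters and also prints the hex form that DHCP servers storing option 43 as raw bytes expect. The server address 10.12.0.10 and the VLAN numbers are the post's; the site names are labels only.

```powershell
# Added example (not from the original post): build the Mitel option 43 string
# from validated parameters for each site, and show the ASCII-as-hex form for
# DHCP servers that store option 43 as a binary value.
function New-MitelOption43 {
    param(
        [Parameter(Mandatory)][ipaddress]$ServerIp,              # sw_tftp and call_srv (same host in the post)
        [Parameter(Mandatory)][ValidateRange(1, 4094)][int]$Vlan, # voice VLAN the phone should tag
        [ValidateRange(0, 63)][int]$Dscp = 46                     # 46 = EF, the usual voice marking
    )
    "id:ipphone.mitel.com;sw_tftp=$ServerIp;call_srv=$ServerIp;vlan=$Vlan;dscp=$Dscp"
}

function ConvertTo-HexOption {
    param([Parameter(Mandatory)][string]$Text)
    # ASCII bytes as two-digit lower-case hex, one run, for a binary option editor
    -join ([System.Text.Encoding]::ASCII.GetBytes($Text) | ForEach-Object { $_.ToString("x2") })
}

# Constructed site list using the VLANs from the post.
$sites = @(
    @{ Name = "LMC (AD DHCP, data VLAN 100)";      Vlan = 11  }
    @{ Name = "SAP (pfSense DHCP, data VLAN 200)"; Vlan = 210 }
)
foreach ($s in $sites) {
    $opt = New-MitelOption43 -ServerIp "10.12.0.10" -Vlan $s.Vlan
    [pscustomobject]@{ Site = $s.Name; Option43 = $opt; Hex = ConvertTo-HexOption $opt }
}
```

The validation attributes reject a VLAN outside 1-4094 or a DSCP outside 0-63 before anything is copied into a DHCP console, and the Hex column is only needed where the server's option 43 type cannot be set to text.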


Active Directory Mitel Scope Option
With our two locations we know LMC is set up on a 192.168.1.0/24 network and we have Mitel phones working, being passed through on option 43 on our DHCP server.

We need to add the phones at SAP to the network, and to do that we need to set up another virtual network with a DHCP server so it can pass the Mitel info but still connect to the Active Directory controller.


Since we use pfSense and Cisco switches, adding another virtual network was pretty easy, and we are going to use pfSense.  So we added 2 new VLANs to the switches, VLAN 210 and 200, and we also added them to the pfSense firewall.


So we are going to set up the following on the SAP network:


VLAN 200 - 192.168.200.0/24 - 210 in the Mitel DHCP options




Adding VLAN 200 to the pfSense firewall allows users to connect to the domain and keep using their Mitel phones.  Please note this is a redundant firewall so everything goes through CARP.


Go to Interfaces -> Assignments.  Press the Add button and add the new network VLAN (you might want to make sure you've added the VLAN to all relevant switches).

VLANs
Be sure to add the new network in your interface assignments for CARP.

Then go to Firewall -> Virtual IPs



Press the Add button.  Below is a sample of the settings that might be used in the new network.

Virtual IP settings
Enable the network interface and set the IP for the pfSense firewall on the network.
SAP network interface settings

Now that we have the gateway and the interface set up, we can enable the DHCP server under Services -> DHCP Server.  Select the network you want to enable the DHCP server on and fill out the settings you want for your DHCP server.



DHCP Range


***IMPORTANT***

Here is where we add option 43.  The type is Text and the value for our Mitel phones is the same as what we have for our AD DHCP option, with the exception of the VLAN (unless you are obviously using a different server).

Press the Add button, fill in 43 in the number field (it should be a Text type), and copy/paste or type the value listed below for your Mitel phone option.

id:ipphone.mitel.com;sw_tftp=10.12.0.10;call_srv=10.12.0.10;vlan=210;dscp=46  


With that done we can now configure our firewall rules for the SAP network so it can talk to our AD controller on the LMC network, so our users can log in and use the network resources with the appearance that nothing has changed.  We have 3 different rule sets to set up, starting with the LMC interface (which was already done):


LMC interface:


  • We have an open rule for an SMTP mail forwarder on port 587
  • Access for "CatMan", which is allowed to go through to anywhere
  • A block for anything from getting to the SuperSecret_Network
  • A pass for anything on the LMC_Network to be allowed anywhere

SAP interface:

  • A block for anything from getting to the SuperSecret_Network
  • A pass for anything on the SAP_Network to be allowed anywhere


Floating Rule:


This makes the whole thing work properly.  On our selected network interfaces we want to make sure we allow all traffic to the network our domain controller is on.  This lets our clients get DNS from our domain server while they get a different DHCP address from our pfSense firewall and the proper Mitel information for the phones.

Floating Rule that allows the pass from one network to another

List of the floating rules

Now there is obviously more happening with this firewall than meets the eye, but this is essentially what you need in a nutshell.  On our LMC network we have our computer clients on VLAN 100 with a subnet of 192.168.1.0/24; the Mitel phones work using VLAN 11.  Our SAP network clients on VLAN 200 are on a subnet of 192.168.200.0/24, using VLAN 210 for the Mitel phones.


All clients can access network shares and log in to the domain with no issue.  Below is a ping test from a machine on the SAP network to another machine on the LMC network; it also works from LMC to SAP.

Verification that the network passes through.
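A ping only proves ICMP crosses the floating rule. What a domain logon actually needs is DNS, Kerberos, LDAP and SMB to the controller on the LMC side, plus an address from the pfSense scope rather than the AD scope. The script below, an added example that is not from the original post, runs those checks from a Windows client on the SAP network. The 192.168.200.0/24 subnet, VLAN layout and call server 10.12.0.10 are the post's; the domain controller address and the LMC test host are assumptions.

```powershell
# Added example (not from the original post): run on a Windows client on the SAP
# network to confirm the pieces this setup depends on. Addresses marked assumed
# must be changed to match your environment.
$Dc       = "192.168.1.10"     # assumed address of the AD/DNS/DHCP server on VLAN 100
$LmcHost  = "192.168.1.50"     # assumed workstation on the LMC network
$CallSrv  = "10.12.0.10"       # Mitel call server from the option 43 string
$SapScope = "192.168.200."     # SAP client subnet handed out by pfSense

function Test-SapClient {
    $results = @()

    # 1. Did the client get its address from the pfSense scope rather than the AD scope?
    $ip = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -like "$SapScope*" }).IPAddress
    $results += [pscustomobject]@{ Check = "Address in SAP scope"; Ok = [bool]$ip; Detail = ($ip -join ",") }

    # 2. Is the DC, on the far side of the floating rule, reachable on the ports a domain logon needs?
    foreach ($port in 53, 88, 389, 445) {
        $t = Test-NetConnection -ComputerName $Dc -Port $port -WarningAction SilentlyContinue
        $results += [pscustomobject]@{ Check = "DC tcp/$port"; Ok = $t.TcpTestSucceeded; Detail = $Dc }
    }

    # 3. Does name resolution point at the DC (DNS from AD, DHCP from pfSense)?
    $dns = Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses -contains $Dc }
    $results += [pscustomobject]@{ Check = "DNS points at DC"; Ok = [bool]$dns; Detail = (($dns.ServerAddresses | Select-Object -Unique) -join ",") }

    # 4. The post's ping test, SAP -> LMC, and reachability of the phones' call server.
    foreach ($h in $LmcHost, $CallSrv) {
        $ok = Test-Connection -ComputerName $h -Count 2 -Quiet
        $results += [pscustomobject]@{ Check = "ICMP to $h"; Ok = $ok; Detail = $h }
    }
    $results
}

$report = Test-SapClient
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Ok }) {
    Write-Warning "One or more checks failed; review the SAP interface rules and the floating rule."
}
```

Run it once after the floating rule is in place and again after any rule reorder: on both interfaces the SuperSecret_Network block sits above the pass-anywhere rule, and pfSense takes the first match, so a rule moved below the pass silently stops blocking while every check here still passes.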

Reference Documents Mitel VOIP Phones:
http://edocs.mitel.com/UG/Apps-Solutions/MiCollab%207.2/MiCollab/MiCW%20Help/forms/dhcp_options.html

http://www.mitelforums.com/articles/option-128-missing.php

How to fix a CURL call importing an RSS feed on a site blocking CURL calls

There is a 3rd party service provider that my organization uses called bibliocommons.  They have these nice book carousels.  However the car...