Preparing, Migrating users and Handling contacts between two forests in Microsoft Exchange Cross Forest migration

This article presumes that you have setup all the initial steps for the Cross Forest migration to work:

– Configure DNS resolution and trust between two AD forests.

– Create and configure Send connector between Source.com and Target.com

– Create and configure Availability service between Source.com and Target.com

– Configure Source.com as accepted domain in blue.com

– Install and configure ADMT server at the target domain Target.com

– Install and configure Password Encryption Server (PES) on the source domain Source.com

– Configure MRSProxy on Source and Target CAS Servers (Enabling MRSProxy, Increase limits..etc.).

– Configured Public Certificates between both CAS Servers or installed self signed CA certs.

image

In order for two Cross forest Exchange users to send an E-mail to one another before or during Cross forest migration; Each forest have to have the other forest’s users as external contacts on their Exchange environment to ease the finding of any particular user in that other organization and avoid X500 errors after the migration.

During the migration this process is critical and very important to be up to date in order to not mess users included in distribution groups before, during and after user migration from source to target forests.

For Cross forest user migration, User has to be prepared via Microsoft’s own prepare-moverequest Powershell which is included in the $Exscript directory that prepares the target user’s attributes (Before or after ADMT copy) for the migration using the Powershell script new-moverequest.

However, before that user is migrated and before doing the prepare move request the user must have their user object mail user enabled in order to get all the proper attributes for the move request to work which means the Contact has to either be deleted or lose the SMTP which is goin to be enabled on the mail enabled user.

For this process and in a big environment a tool, 3rd party or a script must be used to hasten the migration of users otherwise it would take ages and would be a very problematic process.

User Creation:

Using ADMT then Prepare-Moverequest script

Starting with the creation of target user using ADMT or by Prepare-MoveRequest Script, If ADMT is used prior to PrepareMoveRequest. The target user will have exchange attributes migrated and mail-user enabled by default but due to some incomplete or incorrect attributes the user will most probably have a corrupted mail user object that needs to be disabled and re-enabled with the proper mail address.

Using Prepare-MoveRequest before ADMT

In the case of using Prepare-Moverequest the user will be created in the target forest properly without any issue but will not have their SIDHistory copied so after creation of the user account ADMT must be used to copy user’s SIDHistory with Exchange attributes excluded.

Note:

– This method has an advantage over using ADMT first, User don’t have to create a new outlook profile in order to use their target mailbox after migration.

– You don’t have to mailenable user.

Mail Enabling User:

The first step for the migration to work is to Mail enable user in the target forest. Assuming you have a user called Tim@source.com the user gets his AD Object copied to the target forest with ADMT and user gets his UPN changed from tim@source.com to tim@target.localautomatically, still user will get his SIDhistory and the Groups he’s in if groups are migrated prior to that however, in some rare cases that I have seen while doing this kind of project the SIDHistory might not get copied and you might not notice that unless you take a very close look at the log that ADMT is generating for you, In the script I am attaching below and prior to preparing the user for migration I added a script to bulk check user list for SIDHistory. The script below will disable mailuser that’s migrated with ADMT and show you their SIDHistory attribute in order to double check before you migrate their mailbox.

$Users = import-csv -path “C:\List\List1.csv”

foreach ($User in $Users)

{

$Identity = $User.Alias

$UIdentity = $User.Sam

$Mail = $User.Proxy

$NProxy = $User.NewProxy

#Before Migration, Show if user has SIDHistory or Not, If not don’t migrate User

$UserSID = dsquery * -filter “&(objectcategory=user)(samaccountname=$Identity)” -attr objectsid sIDHistory

Write-host User $User.Alias has $UserSID -ForegroundColor Green -BackgroundColor Black

The CSV file format for this powershell should be as following, I will explain why in detail below

Alias,Proxy,NewProxy,NewIdentity

Alias,MailAddress@domain.com,MailAddress@domain.local,NewIdentity

image

In order for the Prepare-Moverequest to work we will have to MailUser enable this user by using the following script

Enable-Mailuser –Identity SamAccountName –ExternalAddress PrimarySMTPAddress

Enable-Mailuser –Identity Tim –ExternalAddresstim@domain.com

In this case user will be ready for the prepare moverequest script to work and get his source Exchange attributes to be copied to the target one.

Prepare-MoveRequest for Single mailbox:

The Prepare-Moverequest powershell is pretty easy to use for a single user and all you need is to enter target and Remote credentials in a variable to use it with the command.

Once you use the script it’ll copy the source user and their Exchange attributes including Proxy Addresses, it’ll convert the LegacyExchangeDN into X500 address in the target user’s mailbox object so users in the source forest wont get any cache issue reaching to the migrated user and will set other attributes like Displayname, MailNickName..etc like in the screenshot below.

Script is as the following

$TargetCredentials = Get-Credential

$RemoteCredentials = Get-Credential

.\Prepare-MoveRequest.Ps1 -Identity UPN@targetdomain.com -RemoteForestDomainController “SourceDCHostname.SourceDC.local” -RemoteForestCredential $RemoteCredentials -LocalForestDomainController “TargetDCHostname.TargetDC.local” -LocalForestCredential $TargetCredentials -TargetMailUserOU “OU=DestinationOU,DC=TargetDC,DC=local” -UseLocalObject -OverwriteLocalObject –Verbose

image

Prepare-MoveRequest for Bulk mailboxes:

For bulk users the script is simpler but for it to work you’ll need to prepare a CSV file that meets the requirements of the powershell script.

Bulk Users Script:

cd $exscripts

Write-Host “Starting to Prepare-MoveRequest for users in your CSV List….” -ForegroundColor Green -BackgroundColor Black

Import-Csv C:\Identity\Identity_1.csv | .\Prepare-MoveRequest.ps1 -RemoteForestDomainController “SourceDCHost.SourceDC.local” -RemoteForestCredential $RemoteCredentials -UseLocalObject -OverwriteLocalObject –Verbose

CSV Example:

Alias,Proxy,NewProxy,NewIdentity

Alias,MailAddress@domain.com,MailAddress@domain.local,NewIdentity

image

–Moving Users

Moving Single Mailbox:

After preparing the Move request, The only thing left to do is to move users. This process is pretty easy and only one script line is used.

[PS] C:\Exchange 2010\scripts>New-MoveRequest -Identity “outlook.test@SourceSMTPDomain.com” -RemoteHostName “webmail.SourceOwaUrl.com” -Remote -RemoteCredential $RemoteCredentials -TargetDatabase DestinationDB1 –TargetDeliveryDomain SourceSMTPAcceptedDomain.com

image

Moving Multiple Mailboxes:

Import-Csv C:\Identity\Identity_15.csv | New-MoveRequest -RemoteHostName “webmail.calikenerji.com” -Remote -RemoteCredential $RemoteCredentials -TargetDatabase CEDB12 -TargetDeliveryDomain calikenerji.com

CSV Example:

Identity

Outlook.user@SourceSMTPDomain.com

Outlook.user2@SourceSMTPDomain.com

Outlook.user3@SourceSMTPDomain.com

image

Once the list is ready and you run the powershell script the target CAS server would connect to the source CAS and start migration as in the following screenshot.

image

Once users migration is finished, On the source forest user will be converted to MailUser so non-migrated users in the source forest will still be able to send emails to this user however, The Groups on target forest must be manually maintained and updated with users that are being migrated.

image

– Contacts Issue

In the target forest those two migrated users were already contacts there prior to migrating them and thus Target forest users who have sent those two users email have the LegacyExchangeDN Address of those contacts cached in their Outlook in X500 format which will create an issue if those contacts are deleted without exporting their LegacyExchangeDN and add it to the migrated users’s ProxyAddress Attributes.

Prior to deleting those contacts, From the Target forest I have exported their info to CSV with the following attributes.

Name, Alias, PrimarySMTPAddress and LegacyExchangeDN Attribute using the following powershell script

Get-MailContact -result unlimited | where {$_.PrimarySmtpAddress -like*@TargetSMTPDomain.com} | select Name,Alias,Primarysmtpaddress,legacyExchangeDN | Export-Csv c:\TargetContacts.csv -notypeinfo -encoding utf8

The PowerShell will export contacts in the following format and in order to import them you’ll need to bulk edit the file using Notepad or Notepad++

image

In notepad replace “/o= with X500:/o=

image

and Replace all “ with nothing

image

After you save the file in the target forest, Only in the condition of migrating Source users to the target forest use the following script to Import those users’ LegacyExchangeDN as X500 to their migrated Mailbox objects.

Import-CSV “C:\TargetContacts.csv” | foreach{Set-Mailbox -identity $_.Name -EmailAddresses @{add=$_.LegacyExchangeDN}}

Hope this helps and if you have any questions in mind please don’t hesitate to contact me at info@moh10ly.com or call me 320-200-9663.

Mohammed JH

Get all mailbox Exchange Servers IP address remotely

Sometimes while we do Exchange projects in big environments where there more than 10 or 15 servers we need to quickly get a particular server’s hostname or IP.

I created a simple PowerShell script that does the work for you

#Get all mailbox Exchange Servers IP address remotely

#Import Exchange Management Shell if ran from PowerShell

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn

# Find Mailbox Server Roles

$Servers = Get-ExchangeServer | Where-Object {$_.Serverrole -eq “mailbox”}

# Print Servername and IP

foreach ($Server in $Servers) {Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter IPEnabled=TRUE -ComputerName $Server | Select-Object -Property IPAddress,PsComputerName,Name}

image

Exchange 2010 CrossForest group Migration

In an Exchange Crossforest migration the distribution groups can be a very painful operation that would cause loss of time, lots of issues and continues headache if not solved within a timely manner.

The migration can be a long boring process that needs to be as accurate as possible to avoid any issue related to members in the group or/and Group’s Primary SMTP details.

While doing a Crossforest migration I came through through this headache and tried to seek a script that would satisfy my migration’s requirements but only thing I found is the exportPowershell made by Satheshwaran Manoharan.

Export Process:

The script exports all groups and their members from the source forest, but to import there’s no option and I had to write my own script.

To make use of this script first make sure you that you have migrated the Groups with ADMT in the recommended order otherwise the migration would be problematic.

  • First: Universal Groups
  • Second: Global Groups
  • Third: Domain Local Groups

Once groups are migrated to the target forest you can check how they look like through Exchange management shell and whether they have members added or SMTP address set.

image

After I checked it apparently shows that group is empty and has no Primary SMTP address associated with it.

Import Process:

In order to add members during the migration since this is a Hybrid/Coexistence migration not cutover, It took time to migrate users and therefore I have to add non-migrated users in target forest as External Contacts to the Distribution Groups and add migrated users as Mailbox users.

Then after adding the users I have to setup Primary SMTP address for the groups according to the exported CSV file from the Source Forest.

image

To Import users, I had to setup a CSV file with the following format:

In this format, the Display name, Alias, RecipientType and PrimarySMTPAddress belong to the User object that’s included in the group meanwhile, The Dgroup is the Distribution group’s Alias and DGSMTP is the Group’s Primary SMTP address.

image

The following script imports groups members to their relative groups

#########################################################################################

# If user type is Usermailbox then it’ll be in Target forest as a Contact #

#########################################################################################

$Users = Import-Csv “C:\Groups\dgs.csv”

Foreach ($User in $Users){

$GroupAlias = $User.Dgroup

$GroupSMTP = $User.DGSMTP

Write-Host “$User.Alias” has been Added to the Group $User.Dgroup -ForegroundColor Green -BackgroundColor Black

if ($User.RecipientType -Match “UserMailbox”){

Add-DistributionGroupMember -Identity $GroupAlias -Member $User.PrimarySMTP -BypassSecurityGroupManagerCheck}}

Fixing Distribution Groups Primary SMTP Address:

Since distribution groups are mostly imported without Primary SMTP address through ADMT then we’ll have to also make sure that we fix this for our groups, but what if the destination forest has similar groups or the SMTP is used already ? In order to avoid any mistake when associating the Primary SMTP address I have created a script that would check distribution groups with null value in their primary SMTP Address and copy the SMTP address to these groups avoiding any overwrite or change of the destination Distribution groups.

#########################################################################################

# Setup groups with Primary SMTP Address

#########################################################################################

$Groups = Import-Csv “C:\Groups\Group_test.csv”

Foreach ($Group in $Groups){

$GroupAlias = $Group.dgroup

$GroupSMTP = $Group.DGSMTP

if ((Get-DistributionGroup $GroupAlias | %{$_.PrimarySmtpAddress}) -match “$GroupSMTP”) {

Write-Host Group $GroupAlias already has $GroupSMTP Setup as primary SMTP address -ForegroundColor Yellow -BackgroundColor Red}else{

Set-DistributionGroup -Identity $GroupAlias -PrimarySmtpAddress $GroupSMTP -EmailAddressPolicyEnabled $False

Write-Host Group $GroupAlias has $GroupSMTP Setup as primary SMTP -ForegroundColor Green -BackgroundColor Black }}

The script will check if the groups has primary SMTP matches the one in the CSV file, if it doesn’t it’ll setup the primary SMTP address for that group with green color like in the below screenshot

image

You can use this script with the same CSV file that you will use for adding members to the groups too , If groups SMTP exists already you’ll get the following error

image

Note:

Attached below, You can find the new version of the powershell and the CSV along with it.

Setup Squid Guard (Proxy Server) on Pfsense

Setup Squid Guard (Proxy Server) on Pfsense

In order to setup Squid Guard you should have two packages installed on your Pfsense for it to work properly.

First package should be Squid 3 (In case you’re publishing Exchange web services with it) or Squid if not.

Second Package would be Squid Guard-Squid3 for Squid 3 or in case you don’t have Squid 3 you can use the normal “Stable” Squid-Guard version for Squid. 

Squid Package

In my case I am using Squid 3 because I use its reverse proxy to publish Exchange web services so I will install SquidGaurd-Squid 3 to configure its proxy server.

I already downloaded and installed it but If you didn’t do so then you will have to navigate to >System > Packages >Available Packages and there you can find it and install it.

From the Services Menu drop down you will find those 3 below (Proxy Filter, Proxy Server and Reverse Proxy) 

First I will go to Proxy Server tick which Interfaces I want to enable the proxy on (LAN, DMZ) and Enable “Transparent Http Proxy” and “Allow users on interface” in the General tab page

If you scroll down you will find “Logging Settings” and other options that you don’t need to enable. Logging is required mostly for troubleshooting times.

Next I will go to “Local Cache” tab and change the Squid Hard Disk cache Settings in order to take more than 100 mb. I will make it 5000mb which is 5 GB to make internet browser faster for users who visit the same websites often.

After that you don’t need to do anything except saving changes in the end of the page below

Go to “ACLs” page and enable the Local networks that I have, I will write them in the “Allowed subnets” section and save the page. 

I am finished with the Proxy Server settings, I will go to Proxy Filter and I will scroll down to the end of the page to Enable Blacklist option and paste the link below then click Save to save the changes

http://www.shallalist.de/Downloads/shallalist.tar.gz

Go to Blacklist tab to download the black list from there then I will copy the link below and press on Download

http://www.shallalist.de/Downloads/shallalist.tar.gz

When I finish downloading I will go to “Common ACL” tab page and configure the Rules there which we have downloaded. As you can see below I have everything already configured but in order for you to configure it you will have to press on the > Green Start button first of all

After you press on the Green button It will show you the rules that you want to configure. I have already configured (Alcohol, Deny, Gambling, Hacking, Social net)…

Then next I will configure the Redirect mode and type my own customized message that will appear to the clients behind Pfsense and use safeSearch.

When done I will save this page and go to the General tab page and will click on Apply all changes and save the page.

Note:

you should see that SafeGuard service state “Started” in order for it to work. If for any reason the service is not started try to navigate to >Status > System logs  and check your logs here if there’s anything related to SafeGaurd or Squid.

Now I will go to the Client and check if my client with “Pfsense as their default gateway” will respond to the Safe Guard rules or not.

I tried opening Facebook or Twitter but both are not working and they gave me the same message which I have customized in Pfsense.  

Over all this had been easy setup and everything works perfectly

Hope this would be useful to you all.

Publishing Exchange on Pfsense

How to Publish Exchange on Pfsense (Old Version)

This page will guide you through the steps of publishing Microsoft Exchange web services on Pfsense’s last version 2.1.5. 
If you don’t have it already installed, you can check out my guide on how to install Pfsense and prepare it on your environment. 

Note:

Before starting you must know that if you’re going to use the same Public IP (WAN) for Pfsense for Exchange Web service then you must set Pfsense to use a non-standard HTTP/HTTPS port.

First thing, we will have to install Squid3 plugin to Pfsense

Installing Package

I will click on the Plus sign + next to the Squid3 package to install it.

Now I will go to the Reverse proxy after I check if it’s installed on the Services Menu

Will have to export the Certificate from our Exchange and import it to the Certificate store in Pfsense.

I’ll click on the + on the CAs to import the Certification Authority root certificate

 I opened the CA certificate in Notepad++ and copied it all then give it a name and clicked on Save

After clicking on Save here is what I got.

Add the Exchange’s personal certificate and Key and use Digicert’s tool to export the key as in the following screenshot

Now I’ll go back to Pfsense’s portal to the Certificate section to add the Exchange’s certificate, I will go to Certificates tab and click on the + sign to add the cert.

I will paste the certificate data and the key as well and save.

I added the Cert’s code data and the cert’s Key as well, and after I clicked on Save here’s what it looks like.

Now I will go on the reverse proxy tab and configure it for Exchange. First thing I should do is Enable HTTP and HTTPS ports and choose the certificate for Exchange.

NOTE: placing the standard ports e.g. (80, 443) for http and  https might work in earlier versions of Pfsense like 1.5 and 2.0 but not 2.1 and 2.2, in order for the reverse proxy to work on the new versions you’ll have to use the port field empty if you decide to use the standard ports. 

Here I have enabled all the ports and choose the right certificate, I will also import the Intermediate certificate in case it was needed.

I will go back to the Exchange Server where I have all the certificates and export the Intermediate Certificate

In order to know the intermediate Certificate, I will go to the MMC and click on the personal certificate and check it’s path. 

I will double click on the certificate and check its certification path

Opening the Intermediate certificate store.

 I will use MMC Wizard to export the Certificate with Base 64 Encoded option.

 After I exported

Now I will enable OWA and fill the information related to it as following.

Next I will go to the firewall (NAT) part to configure the required ports and IPS. Click on Firewall tab and NAT

I will only need to configure the port 25 and 443 since I have a certificate already and want to use HTTPS instead of http.

Here ıs what my firewall looks like right now.

Note: On Exchange server the default gateway should be the LAN IP of the Pfsense or at least there should be a persistent route to the local IP of Pfsense. 

I will save this rule and check if I can browse to OWA from my browser, note that I am connecting remotely and I have Exchange server hosted on hyper V from a different place.

WHOA, It works without any issues but still I’ll sign in and make sure I can still login without any problem.

Now I will check if I can send e-mail back and forth to Gmail and Exchange. starting by sending an e-mail from Exchange. I can get an e-mail to Gmail.

Now I am replying the e-mail from Gmail to Exchange.

Everything seems to be working as expected… 

Now it’s time to make sure that ActiveSync is working properly as well. I will first of all test active sync with Remote Connectivity Analyzer www.testexchangeconnectivity.com or https://testconnectivity.microsoft.com

I will have to go to Exchange Server tab and select “Exchange ActiveSync” option for testing and click continue down right the window 

Then here I will enter my credentials as you can see below

Test will take about 15-30 seconds to finish

Then here it will show the expected result.

detailed result of the test

Note: 

I have also tested it on my iPhone and it worked without any issue as well.

Pfsense and Active Directory Integration

In this tutorial. I will integrate my Active directory with Pfsense in order to authenticate Users from Active directory instead of using Pfsense’s User manager.

The process will give you more options and will make managing users much easier. so in order to do that follow the following steps.

First open your Pfsense Web UI and click on System – > user manager

Next go to Servers Tab

Click + in the right corner

After you click on the + icon you will get the following page.

Fill these details accordingly, for help on how to fill these in check the below snapshot

Note: Make sure that your password is simple and contains only letters, no numbers or special characters e.g. Pfsense

When done click on Select and the result will be that you will be able to view the following OU/CN.

Now create a group on AD e.g. “PF” and create the same identical group name on Pfsense. On AD add any user to this group.

Then go back to pfsense – > system – > user manager -> goto Settings Tab – > from Authentication server select your AD and save

Now click on Diagnostic -> Authentication -> select your AD server

Type in your username and password for the user which you have added to the group pf in the AD and click test then you will see the result on top. “User: Pfsense authenticated successfully. this user is a member of these groups: pf

Hope this will help you find your way through Pfsense. 🙂

SquidGaurd Package installation issue

SQUIDGAURD PACKAGE INSTALLATION ISSUE

Symptoms:

After upgrading Pfsense from 2.1.5 to 2.2 I have got no SquidGaurd installed and when I tried to install it I get the following error on Pfsense

ERROR: No digital signature! If you are *SURE* you trust this PBI, re-install with –no-checksig option.

of squidguard-squid3-1.4_4-amd64 failed!

Installation of squidGuard-squid3 FAILED!

Beginning package installation for squidGuard-squid3 .

Downloading package configuration file… done.

Saving updated package information… done.

Downloading squidGuard-squid3 and its dependencies…

Checking for package installation…

 Downloading https://files.pfsense.org/packages/10/All/squidguard-squid3-1.4_4-amd64.pbi …  (extracting)

 ERROR: No digital signature! If you are *SURE* you trust this PBI, re-install with –no-checksig option.

of squidguard-squid3-1.4_4-amd64 failed!

Installation aborted.Removing package…

Starting package deletion for squidguard-squid3-1.4_4-amd64…done.

Removing squidGuard-squid3 components…

Tabs items… done.

Menu items… done.

Services… done.

Loading package instructions…

Include file squidguard.inc could not be found for inclusion.

Deinstall commands…

Not executing custom deinstall hook because an include is missing.

Removing package instructions…done.

Auxiliary files… done.

Package XML… done.

Configuration… done.

done.

Failed to install package.

Installation halted.

Reasons: as it indicates in the error above the reason why the package is not installed is due to not being digitally signed which might be something related to the new version.

Resolution:

In order to resolve this issue and successfully install SquidGaurd you will have to connect to your Pfsense from SSH (SSH Must be enabled and firewall rule must be configured) and do the following in order to install it by ignoring the Digital signature check.

Enter an option: 8

fetch https://files.pfsense.org/packages/10/All/squidguard-squid3-1.4_4-amd64.pbi

rm -rf /var/db/pbi/installed/squidguard-squid3-1.4_4-amd64.pbi

pbi_add -f –no-checksig squidguard-squid3-1.4_4-amd64.pbi

Now I will go to System > Packages and (re)install the package that failed.

And the result as below

Reference

https://doc.pfsense.org/index.php/Pbi_add:_Invalid_file_for_usercheck

Filter DNS traffic after blocking websites with Squid

Let’s assume that you have installed and configured Squid Proxy to block several categories of websites that you don’t want your users or clients to visit ..

In some places maybe interference on client machines or applying group policy on AD is not strict thing and might give the option to users to pass through proxy rules .. so I have considered the same thought and said after I have configured squid proxy to block certain websites (Porn, chat, social…etc) using the Wpad autodiscover method.. I said in case I change the DNS the user will pass through the proxy and find away to connect to those blocked websites.

Then I thought what if I can block external DNS queries and let all the DNS queries pass through the Pfsense or my internal DNS..

To do so I have configured my PFsense’s WAN DNS IP to Google (System>General Setup>

I have added my Local DNS to the DNS resolver (Pfsense Version 2.2)

Next I will go to the Rules and go to my LAN (DMZ in my case) and create 3 rules in total as following:

The rules in the figure below will allow any DNS query request from any source through only (Local Address of the Pfsense) and the second rule will allow DNS requests from the local DNS Server to any DNS server.

Third rule will blcok any DNS request from anywhere else.

Which in result will allow all clients to forcefully use the local DNS to resolve names and resolve IPs, but still even if the user changed his Local LAN/Wifi DNS IP to Google still he’ll be able to connect to the allowed websites from SQUID but he/she won’t be able to resolve FQDNs through (Nslookup command) for example.

I’m attaching screenshots to demonstrate how this is working flawlessly.

As you can see below I have opened google, Flickr, Facebook, gmail, searched for local time and it all worked according to the Squid rules and while still using (8.8.8.8)

Now I will change the DNS back to the local DNS IP and see if i can resolve internet addresses without an issue and connect as well, which worked fine too.

This is a simple article but I’m sure it could be very useful for those companies who want to block wide range of categories and force it on to their employees. or for families who want to avoid their kids from doing naughty stuff or watch violent websites.

Create your own Nameserver using TinyDns on Pfsense

If you ever thought of hosting your own Public DNS for your own domain then this article is going to be of help for you as I will go through the process of hosting my own Public DNS for my freely acquired domain www.moh10ly.cf

These free domain providers have poor Public DNS capabilities and usually lack of many DNS records e.g. (SRV, TXT, PTR) and that what made me personally want to go on and host my own public DNS for this domain.

I’m going to use Pfsense 2.1.5 for this demonstration but I guess 2.2 also works as well but haven’t tried TinyDns on it yet.

Ok so to configure your own nameserver, first you must have a public domain (domain.com) ..

In this example I will register a free domain from this registrar: www.freenom.com

The process for registration is pretty simple, you will have to follow the wizard and validate your email then sign in to

your portal to edit or configure your free domain.

I have already added a new domain for myself which is called ( moh10ly.cf )

To configure name servers, You must fulfill the following prerequisites:

  1. Public static IP.
  2. DNS Package on Pfsense
  3. Firewall that supports static NAT.

Next step: I will click on Manage domain to change the DNS configuration to point it to my own name server

When you get the following window, click on Management tools and choose “Register glue records”

Very important note:

Next add your Name servers (They don’t need to exist as we will create them later) but you will have to create 2 at least

and you can point them to the same Public IP address.

Scroll down and you will find an option to add the second dns, you can call it dns2 and point it to the same IP address.

Next save changes, then click on Management tools –> Name Servers and there if you couldn’t find the new name servers

you have configured then enter them here.

Save changes again

Now let’s go on Pfsense and setup our Public DNS (Name Server), You will have to go to “System>Packages>Available

Packages” and there download “dns-server” or “TinyDns”

When you have finished installing TinyDns you will find it under “Services” menu. Click on it

Once you are there, click on “Settings tab” and on the binding IP address place your Public IP which you’ll use for the name

servers. And make sure you use the WAN NIC to listen on.

Save and click on the “New domain wizard” to setup your domain

Click Next

On the next window configure your domain as in the following, make sure that it matches your configuration on registrar’s

domain.

Click Next and Finish

Once finished, go to the Add/ Edit record tab and there you will find 4 created records

Next create the root DNS record which is . And point it to the same public IP and any other records that you might have an

installed role for like Exchange, IIS ..etc

Now it’s time to configure the firewall to allow inbound queries on port 53. here’s the rule that I have created under

(Firewall\Rules) because I have only one Public IP address on WAN I won’t use a static NAT rule.

I will go back to TinyDns on Pfsense to see the incoming requests for name resolving from public clients.

Under the logs tab I could see the requests I was making from my PC using google as my DNS.. So everything works fine.

That’s it, the configuration of your own Name server is done.

Configuring Snort on Pfsense

Configuring Snort on Pfsense (will be Updated with the latest version soon)

If you would like to protect your system from any public attacks e.g. (Exploits, Transitive trust, Data driven, Infrastructure, DOS, Magic… Etc.) then you should consider deploying IDS or IPS system to detect and protect your network from any attacks.

Deploying Snort

In Pfsense the famous open source firewall, you have the capability to deploy Snort which is one of the most famous and old ID/PS systems around.

In order to do so you will have to go to Packages from System/Packages and install it

After clicking on the packages button, you will get a list of packages and among them snort will be listed there

Click on the + on the far right to start the installation process.

I’ll Click on Confirm to continue

After it’s been installed now you’ll be able to see it on the Services menu tab.

Click on Snort and let’s go configure it.

Before you start configuring Snort, you must know that in order to successfully get it to work you must be registered in at least one of the snort communities which publishes important rules that tells snort what to check.. Similar to the firewall’s rules.

Register on Snort’s Website

The websites are as following and you can find their settings under the Global settings tab in snort window

https://www.snort.org/users/sign_up

https://portal.emergingthreats.net/register

I will sign up to Snort free account and configure all of the snort supported rules in order to get the most of it. After signing up I’ll need to activate my account.

I have receieved the confirmation now and I’ll confirm my account now, Once confirmed Snort will provide you with a code called VRT Oinkmaster confirmation code.

When your account is activated, you will need to go to your profile by clicking on your activated e-mail top right and you will find it on the left side. Copy the code and paste it to your snort on pfsense. 

Just like this

So after I added the code this is how my Global Settings tab looks like  (I enabled all the other free rules as well)

Now I will go to Updates tab and start updating rules tab, After clicking update this is how it will look like: 

When finished this is how it’ll look like

Back to the updates tab you’ll notice that all the enabled rules have been updated .

If you are connecting to Pfsense from any location where you are planning to enable Snort Interface for then before you enable snort you must consider going to Pass Lists and add your IP (Either private if you’re planning to enable the LAN Interface or Public IP if you’re planning to include WAN Interface).

In order to create a Pass list, you will have to create an Alias and add the Ips you would like to include in the pass note that these IPS are never going to be checked or filtered by Snort.

In order to create an Alias List, click on Firewall Tab and scroll to Alias

Once in IP list page click on the + button far right to add the Ips that you would like to pass.

From type select the type of hosts that you’d like to include there, for me I’d like to include only a couple of Ips

Click Save and Apply then Close then go back to Snort’s Pass Lists and click on + to add new Pass list.

Select all the Networks, WAN IP, GATEWAY, DNS and finally the Alias that you have created and save. 

Once saved, this is how the pass lists is going to look like

Now we can go back to Snort Interfaces and enable the WAN Interface for snort. I’ll click on Snort Interfaces tab and click + to add the new interface

Below I will select block offenders in order to protect myself from DDoS attacks and other attempts to crack internet exposed servers e.g. (FTP, Http..etc) .

Here from Pass List I will select the list which I’ve created in the Pass List tab

As you can see below when the icon is red it means that the Snort is not running and you will have to press on the red icon to turn it on.

After enabling the WAN interface you will have to go define some rules and enable them.

Let’s define some rules for this interface e.g. FTP in order to do so I will click on the E next to the WAN description far right on the top snapshot.

We should go to WAN Categories and select different category in order to apply rules.

Note:

Enabling all rules might affect your VM or PM’s processor performance.

Now I will select all the rules from the rules list below and that will enable all the rules also that are included in the Snort GPLv2 Community. 

Once added, you will have to apply changes and then click on Apply …. And for any reason if the service did not start as in the below snapshot then you should navigate to Status tab and check the “System Logs”

In System logs I noticed the following error:

snort[13270]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_6026_de0/rules/snort.rules(427) Unknown rule option: ‘sd_pattern’.

After doing some digging on this error it seems that it’s caused by the rule “Sensitive Data” and after disabling all the rule set in this rule I was able to start Snort on WAN again.

To disable the rules simply click on the “Disable all rules in the current Category” 

When this is done, I will test snort if it’s working by simply try to hack into pfsense’s portal by using wrong passwords for let’s say 10/20 times and see if my IP will get blocked (I’ll use a different Public IP which is not in the pass lists)..

After trying about 7 attempts with wrong username and password I tried refreshing the page

Here is what I got

I will go check Snort blocked list and see if the IP that I tried connecting from is there note that the Public IP which I was trying to connect from was

As you can see below the IP has been blocked and the alert description says it as it is (http_inspection)

So that means that our snort works as it’s supposedly expected to.