Flashing Sophos AP55 with OpenWrt

Flashing the AP55 and AP55C to give them a new life with OpenWrt

Requirements

Getting started

Open up your access point and locate the four TTL pins marked with the red square; you need a multimeter to identify which pin is which. On this board, the AP55C, the order from left to right is 3.3V, ground, TX, RX, so you should only connect the last three pins. Leave the 3.3V pin alone (the board has its own power supply) and make sure your USB TTL adapter is set to 3.3V logic levels, not 5V.

As an example I have connected the blue, green and yellow wires to the board: blue to ground, green to TX on the board (so RX on your USB adapter) and yellow to RX on the board (so TX on your USB adapter).

Flashing the board

Once you are connected, install the right driver for the USB TTL adapter (just have a look around the internet). Start your PuTTY client, check which COM port Windows has assigned to the adapter and set the speed to 115200. After opening the session, start the access point by plugging in the power cord and keep pressing a key to interrupt the U-Boot boot sequence.

On the OpenWrt forum there is a link to images for the AP55 and AP100 series; download the squashfs-sysupgrade image for your device via this URL. Start your TFTPD64 program, connect an Ethernet cable from your computer to the access point and give your NIC 192.168.99.8/24 as IP address. Set the TFTPD64 DHCP server with a pool starting at 192.168.99.9 so the AP gets 192.168.99.9.

Create a directory for your TFTP server and put the OpenWrt image in it, renamed to “uImage_AP55” (the filename U-Boot requests). Then, following this guide, enter the following commands:

ath> tftpboot
Speed is 1000T
dup 1 speed 1000
Using eth0 device
TFTP from server 192.168.99.8; our IP address is 192.168.99.9
Filename 'uImage_AP55'.
Load address: 0x81000000
Loading: #################################################################
         #################################################################
         #################################################################
         ############################
done
Bytes transferred = 7132091 (6cd3bb hex)

Once the image has been uploaded, the flash memory has to be erased and overwritten for the image to be bootable. The Load address: 0x81000000 shown above is the RAM address where tftpboot placed the image; it is not flash. Run the following to see the flash layout:

ath> bdinfo
boot_params = 0x87F7BFB0
memstart    = 0x80000000
memsize     = 0x08000000
flashstart  = 0x9F000000
flashsize   = 0x01000000
flashoffset = 0x00029CD4
ethaddr     = 00:00:AA:BB:CC:DD
ip_addr     = 192.168.99.9
baudrate    = 115200 bps

Now you can erase the region the image boots from, which in my case is reported as Booting image at 9f070000, i.e. 0x9f070000. The end address is the last byte of the chip: flashstart + flashsize - 1 = 0x9F000000 + 0x01000000 - 1 = 0x9FFFFFFF. Adding flashsize to the boot address instead (0x9f070000 + 0x01000000 = 0xA0070000) points 0x70000 bytes past the end of the chip; U-Boot clips such an end address to the last sector (the “last 0xff” in the output below), which is why the command as typed still erased exactly the right 249 sectors (0x07 through 0xff). Before erasing, check that nothing you still need lies in that range; everything below 0x9f070000, including the bootloader at the start of the chip, is not touched.

Calculated hex value

So you can erase the flash memory like this:

ath> era 0x9f070000 0xA0070000
Erasing flash...
First 0x7 last 0xff sector size 0x10000                                      255
Erased 249 sectors

Now we have to copy the OpenWrt image from RAM into the flash region U-Boot boots from. The source is the TFTP load address, 0x81000000; the destination is 0x9f070000 (not flashstart 0x9F000000, which is the start of the chip where the bootloader itself sits); the length is the transferred size, Bytes transferred = 7132091 (6cd3bb hex).

So you can execute the following command with the above information:

ath> cp.b 0x81000000 0x9f070000 0x6cd3bb
Copy to Flash...
 Copy 7132091 [0x6cd3bb] byte to Flash... write addr: 9f070000
Done

That is it: your OpenWrt image has been flashed onto the Sophos AP. You can now boot the device with a simple boot command (or power-cycle it). Have fun!
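To take the hex arithmetic out of the procedure above, here is an added example (my own helper, not code from the original post or from OpenWrt) that parses the bdinfo and tftpboot output shown on this page, embedded below as constructed sample strings, and derives the era and cp.b commands. It computes the erase end as flashstart + flashsize - 1 and refuses to continue if the boot address is outside the chip, not sector aligned, or if the image would not fit. The boot address 0x9f070000 and sector size 0x10000 are taken from the transcripts above.

```python
"""Derive U-Boot erase/copy commands for writing an OpenWrt image to raw flash.

Added example, not from the original post or from OpenWrt. The sample
output strings below are constructed from the transcripts on the page.
"""
import re

# Constructed sample: the bdinfo output of the AP55C from the post.
BDINFO_OUTPUT = """\
boot_params = 0x87F7BFB0
memstart    = 0x80000000
memsize     = 0x08000000
flashstart  = 0x9F000000
flashsize   = 0x01000000
flashoffset = 0x00029CD4
ethaddr     = 00:00:AA:BB:CC:DD
ip_addr     = 192.168.99.9
baudrate    = 115200 bps
"""

# Constructed sample: the relevant lines of the tftpboot output from the post.
TFTPBOOT_OUTPUT = """\
Load address: 0x81000000
Loading: #####
done
Bytes transferred = 7132091 (6cd3bb hex)
"""

SECTOR_SIZE = 0x10000    # "sector size 0x10000" in the era output
BOOT_ADDR = 0x9F070000   # "Booting image at 9f070000" on this AP55C


def parse_bdinfo(text):
    """Return the bdinfo key/value pairs whose values are hex numbers, as ints."""
    info = {}
    for m in re.finditer(r"^(\w+)\s*=\s*(0x[0-9A-Fa-f]+)\s*$", text, re.M):
        info[m.group(1)] = int(m.group(2), 16)
    return info


def parse_tftpboot(text):
    """Return (load_address, byte_count) from tftpboot output."""
    load = re.search(r"Load address:\s*(0x[0-9A-Fa-f]+)", text)
    size = re.search(r"Bytes transferred = (\d+)", text)
    if not load or not size:
        raise ValueError("could not find load address or byte count")
    return int(load.group(1), 16), int(size.group(1))


def plan_flash(bdinfo, load_addr, image_size, boot_addr=BOOT_ADDR,
               sector_size=SECTOR_SIZE):
    """Compute the erase range and the cp.b command, rejecting unsafe input.

    The last byte of the chip is flashstart + flashsize - 1. Adding flashsize
    to the boot address instead gives an address past the end of the chip.
    """
    flash_start = bdinfo["flashstart"]
    flash_end = flash_start + bdinfo["flashsize"] - 1      # inclusive
    if not flash_start <= boot_addr <= flash_end:
        raise ValueError("boot address lies outside the flash chip")
    if (boot_addr - flash_start) % sector_size:
        raise ValueError("boot address is not sector aligned")
    if boot_addr + image_size - 1 > flash_end:
        raise ValueError("image does not fit between boot address and end of flash")
    first_sector = (boot_addr - flash_start) // sector_size
    last_sector = (flash_end - flash_start) // sector_size
    return {
        "erase_cmd": f"era 0x{boot_addr:x} 0x{flash_end:x}",
        "sectors": last_sector - first_sector + 1,
        "copy_cmd": f"cp.b 0x{load_addr:x} 0x{boot_addr:x} 0x{image_size:x}",
        "bytes_free_after_image": flash_end - (boot_addr + image_size) + 1,
    }


if __name__ == "__main__":
    info = parse_bdinfo(BDINFO_OUTPUT)
    load, size = parse_tftpboot(TFTPBOOT_OUTPUT)
    for key, value in plan_flash(info, load, size).items():
        print(f"{key}: {value}")
```

For the values on this page it yields era 0x9f070000 0x9fffffff (249 sectors, the same count U-Boot reported after clipping) and cp.b 0x81000000 0x9f070000 0x6cd3bb. U-Boot's erase command also accepts a +length form to erase only what the image covers, but erasing up to the end of the chip as the post does also clears the space after the image where OpenWrt creates its writable overlay.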

Windows Admin Center (WAC) ACME certificates with PFsense

In this guide I will show you how to set up automatic certificate renewal for Windows Admin Center (WAC) with the pfSense ACME package. The starting requirement for this guide is that you have already set up the ACME package in pfSense; if not, you can use this guide.

Creating a certificate user

Assigned privileges for the certificate user
  • First, navigate to this GitHub script I created and download it to your Windows Admin Center instance.
  • Second, create a dedicated pfSense user with restricted access: go to System -> User Manager -> Add, create the user and name it accordingly.
  • After creating the user, create a pfSense group to assign this new user to, and edit the group to assign the correct privileges. Under assigned privileges add “WebCfg – System: Certificate Manager” and “WebCfg – Dashboard (all)”. Keep in mind that the Certificate Manager page lets a user export any certificate together with its private key, so this account can read every key pfSense holds: give it a long random password, and since the script stores the credentials in plain text, restrict the file permissions on the script to the account that runs it. Set the $PFSENSE_USERNAME and $PFSENSE_PASSWORD variables in the script to the certificate user we have just created and change the $SITE variable to the pfSense FQDN or IP address.

Setting the certificate variables

The certificate ID for *.ictguru.nl as example.
  • Head to System -> Certificate Manager -> Certificates. Hover over the export certificate button of the certificate you want to use for your WAC instance. We are looking for the certificate ID, the red string in the screenshot. Set this as the value of the $CERTID variable.
  • In addition, set the following variables: $CERTNAME is the name of your certificate once downloaded, $CERTDIR is the location where the certificate and key are downloaded and merged into a .pfx file, $PFXPASSWORD is the password that will be set on that .pfx file, and $WACPORT is the port your Windows Admin Center instance runs on.

Creating the scheduled task for automatic renewal

After that, create a scheduled task on the WAC server, preferably running as a service account with administrative privileges, since the script has to install the new certificate for WAC. Create the scheduled task according to the screenshots below; for running the script I recommend setting the program to powershell.exe and the arguments to -NoProfile -NoLogo -NonInteractive -ExecutionPolicy Bypass -File c:\PfsenseACME-WacSSL.ps1.

Test the scheduled task you created above and check the result by opening your WAC server in your browser. You should be greeted with a small green lock in the address bar, like so.

sqlite3.IntegrityError | Upgrading FreeNAS 11.3-U7 to TrueNAS Core 12.4-U4

During my upgrade of FreeNAS I encountered a sqlite3.IntegrityError that stopped an active database upgrade. I will show you how to fix it and upgrade to TrueNAS.

I had tried upgrading FreeNAS a number of times but it always failed; all errors had something to do with the FreeNAS middleware. Today I wanted to see if I could get past it by upgrading to TrueNAS, but an in-place upgrade gave me the same result. I then tried a clean install of FreeNAS, which did boot, but when I tried to import my configuration it failed once again. This time I had a file as a reference, /data/update.failed, where I could see the following lines. As you can see: sqlite3.IntegrityError: UNIQUE constraint failed: directoryservice_idmap_rid.idmap_rid_domain_id

Operations to perform:
Apply all migrations: account, auth, contenttypes, directoryservice, jails, network, plugins, services, sessions, sharing, storage, system, tasks, vm
Running migrations:
Applying account.0010_auto_20190221_0824... OK
Applying account.0011_remove_netdata_user... OK
Applying directoryservice.0006_certificate_model... OK
Applying directoryservice.0007_migrate_to_nslcd... OK
Applying directoryservice.0008__alter_kerberos_principal... OK
Applying directoryservice.0009__add_createcomputer_to_ad... OK
Applying directoryservice.0010_encrypt_keytabs... OK
Applying directoryservice.0011_add_new_idmap_model...Traceback (most recent call last):
File "/usr/local/lib/python3.7/site-packages/django/db/backends/utils.py", line 64, in execute
return self.cursor.execute(sql, params)
File "/usr/local/www/freenasUI/freeadmin/sqlite3_ha/base.py", line 381, in execute
execute = super().execute(query, params)
sqlite3.IntegrityError: UNIQUE constraint failed: directoryservice_idmap_rid.idmap_rid_domain_id

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
File "/usr/local/www/freenasUI/manage.py", line 42, in <module>
execute_from_command_line(sys.argv)

This thread came to my rescue as one of the only sources online; it stated that deleting two rows in the freenas-v1.db from your configuration download could fix this issue. Keep an untouched copy of the downloaded configuration archive before you start. Download SQLite browser (DB Browser for SQLite), unpack your FreeNAS/TrueNAS configuration archive and open the freenas-v1.db file with it. Here you can see a lot of tables for the FreeNAS configuration; we need directoryservice_idmap_rid.

Sqlite explorer for freenas.db

List the rows and remove rows 2 and 3 by right-clicking on the row number and clicking remove record. The failing migration requires idmap_rid_domain_id to be unique, so what you are removing are the extra rows that repeat a domain ID that another row already has; keep exactly one row per domain. Also edit /usr/local/etc/smb4.conf, remove all idmap config parameters and restart the Samba service. Source: Samba wiki

Sqlite explorer for directoryservice_idmap_rid

Save the modified database, repack it in a tar archive and upload it as your configuration to your NAS. Install a clean copy of the newest version; after booting, import the new archive to restore your configuration. Additionally I had to back up my encryption keys and reset my ZFS pool.
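The same fix in SQL, as an added example (my own code, not from the original post or from FreeNAS/TrueNAS): instead of deleting fixed row numbers in a GUI, it finds every domain that occurs more than once in directoryservice_idmap_rid and deletes all but the lowest-id row for it, which is what the UNIQUE constraint added by migration directoryservice.0011_add_new_idmap_model needs. The table definition below is a constructed stand-in with only the columns this fix touches; the real freenas-v1.db has more columns and tables. Run it with the path of the unpacked freenas-v1.db as the argument to fix a real file (a .bak copy is written first), or without arguments to run against the constructed sample.

```python
"""Remove duplicate idmap_rid rows that break the FreeNAS -> TrueNAS migration.

Added example, not code from the original post or from FreeNAS/TrueNAS.
The sample table and rows are constructed; only the columns the fix touches
are modelled.
"""
import shutil
import sqlite3
import sys

TABLE = "directoryservice_idmap_rid"
COLUMN = "idmap_rid_domain_id"


def open_db(path=":memory:"):
    """Open the SQLite database (a fresh in-memory one by default)."""
    return sqlite3.connect(path)


def seed_sample(con):
    """Constructed sample data: domain 1 appears three times, domain 2 once."""
    con.executescript(f"""
        CREATE TABLE {TABLE} (
            id INTEGER PRIMARY KEY,
            idmap_rid_range_low INTEGER,
            idmap_rid_range_high INTEGER,
            {COLUMN} INTEGER
        );
        INSERT INTO {TABLE} VALUES
            (1, 20000, 90000000, 1),
            (2, 20000, 90000000, 1),
            (3, 20000, 90000000, 1),
            (4, 10000, 19999, 2);
    """)
    con.commit()


def find_duplicate_domains(con):
    """Return [(domain_id, row_count), ...] for every domain present more than once."""
    return con.execute(f"""
        SELECT {COLUMN}, COUNT(*) FROM {TABLE}
        GROUP BY {COLUMN} HAVING COUNT(*) > 1
        ORDER BY {COLUMN}
    """).fetchall()


def dedupe_idmap_rid(con):
    """Delete every row whose domain already has a row with a lower id; return the count."""
    cur = con.execute(f"""
        DELETE FROM {TABLE}
        WHERE id NOT IN (SELECT MIN(id) FROM {TABLE} GROUP BY {COLUMN})
    """)
    con.commit()
    return cur.rowcount


def is_unique(con):
    """True when the column would satisfy the UNIQUE constraint the migration adds."""
    total, distinct = con.execute(
        f"SELECT COUNT(*), COUNT(DISTINCT {COLUMN}) FROM {TABLE}"
    ).fetchone()
    return total == distinct


def remaining_rows(con):
    """Return [(id, domain_id), ...] in id order, for inspection before repacking."""
    return con.execute(f"SELECT id, {COLUMN} FROM {TABLE} ORDER BY id").fetchall()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real database from the unpacked configuration archive: keep a copy first.
        shutil.copyfile(sys.argv[1], sys.argv[1] + ".bak")
        con = open_db(sys.argv[1])
    else:
        con = open_db()
        seed_sample(con)
    print("duplicate domains:", find_duplicate_domains(con))
    print("rows deleted:", dedupe_idmap_rid(con))
    print("unique now:", is_unique(con), remaining_rows(con))
```

Which row to keep is a judgement call: the script keeps the lowest id, so look at the output of find_duplicate_domains and the RID ranges of the duplicates before you commit to it, and check is_unique afterwards before repacking the archive.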

Exchange 2016 with 4GB RAM

I was doing some exercises for school with Exchange Server 2016 when I had a fun idea: I was wondering what would happen with 4 GB of RAM. The bare minimum is 8 GB of RAM to get past the prerequisites. On 8 GB it ran quite well, so I wondered: what would happen? What could happen?

Testing Exchange 2016 with 4GB RAM

Hyper-V status for ‘Mail1’, It is asking for 10GB of RAM while 4GB of RAM has been assigned.

Now on to the experiment. I decided to boot the server, just for fun, with 4 GB of RAM. It booted just fine, that is, until I tried to log into the server. I could not access it via RDP, only through the Hyper-V native console. After that I decided to check the server memory: the server was asking for about 6 GB of non-existent RAM.

Trying to access the OWA portal surprised me: a login screen presented itself. When my login finally processed I was disappointed to see that the server had ‘officially’ run out of memory.

Okay, back to the drawing board. What if i created a 15 to 20 GB pagefile?

Setting up Exchange 2016 with a pagefile

So I created a 20 GB pagefile, rebooted the server, waited a long time for it to initialize, and bingo! After the reboot I tried logging into OWA again, and to my surprise I was greeted with the inside of my mailbox. Now let's try to use the actual mailbox: I sent a mail to my own mailbox and waited for the magic to happen. Only for it never to arrive; it completely disappeared. So I sent another email and decided to investigate using the ECP.


Conclusion

To conclude, it is not possible to run Exchange 2016 with 4 GB of RAM, and I don't think 6 GB would change much; 8 GB is the bare minimum for a reason. It was a fun experiment. Here are some of the event logs:

Event ID 7000: The Microsoft Exchange Diagnostics service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

Event ID 7009: A timeout was reached (30000 milliseconds) while waiting for the Microsoft Exchange Diagnostics service to connect.

Event ID 2004: Windows successfully diagnosed a low virtual memory condition. The following programs consumed the most virtual memory: w3wp.exe (8528) consumed 455249920 bytes, noderunner.exe (6748) consumed 442880000 bytes, and w3wp.exe (2320) consumed 403537920 bytes.

Event ID 1000: Faulting application name: dwm.exe, version: 10.0.14393.0, time stamp: 0x578999ab
Faulting module name: dwmcore.dll, version: 10.0.14393.1715, time stamp: 0x59b0d15f
Exception code: 0xc00001ad
Fault offset: 0x00000000000f5956
Faulting process id: 0xf10
Faulting application start time: 0x01d619b841150774
Faulting application path: C:\Windows\system32\dwm.exe
Faulting module path: C:\Windows\system32\dwmcore.dll
Report Id: e2e48ab6-8839-4c86-9bd7-c2e956165c3c
Faulting package full name:
Faulting package-relative application ID:

Event ID 3154: Active Manager failed to mount database EXC-DB01 on server Mail.school.test. Error: An Active Manager operation failed with a transient error. Please retry the operation. Error: Database action failed with transient error. Error: A transient error occurred during a database operation. Error: MapiExceptionNetworkError: Unable to mount database. (hr=0x80040115, ec=-2147221227)

Sysprepped server not automatically AzureAD joined

Around the start of the corona crisis a client of ours needed a big upgrade of his RDS farm. The current farm consisted of 5 RD servers and 1 gateway. We would sysprep 5 servers for a total of 10 RD servers.

I should mention that those RD servers are hybrid joined, both to the local domain and to AzureAD. We configured the 5 servers and went about our day, until users started complaining about conditional access policies on the RD servers. Five of them were not AzureAD joined and that caused problems.

DsrDeviceAutoJoinFederated failed with -2146893802
wmain: failed with error code 0x80090016.

Manually running the workplace join task (Task Scheduler > Microsoft > Windows > Workplace Join > Automatic Device Join) did not help; it just produced these errors. The -2146893802 is the signed form of 0x80090016, NTE_BAD_KEYSET: CNG cannot find a key it expects in the machine key store. After a long internet search I found the solution: move the existing CNG machine key store aside so a fresh one is created, then run the Automatic Device Join task again (dsregcmd /status shows whether the server is now AzureAdJoined). Note that C:\ProgramData\Microsoft\Crypto\Keys holds every CNG machine key, so any certificate whose private key lives there stops working after the rename; keep the KeysOLD folder so individual keys can be moved back if needed.

# Move the existing CNG machine key store aside; it is kept as KeysOLD in case a key has to be put back.
Rename-Item -Path "C:\ProgramData\Microsoft\Crypto\Keys" -NewName "KeysOLD"
# Create an empty store so the device join can generate a new key.
New-Item -Path "C:\ProgramData\Microsoft\Crypto\Keys" -ItemType Directory
# Copy the original ACL onto the new folder, otherwise services cannot write keys to it.
Get-Acl -Path "C:\ProgramData\Microsoft\Crypto\KeysOLD" | Set-Acl -Path "C:\ProgramData\Microsoft\Crypto\Keys"