Woods Networks – Bringing Technology To Business (http://w3.woodsnetworks.com)

Adallom/Microsoft Cloud Security – Log Export
http://w3.woodsnetworks.com/index.php/2016/04/adallommicrosoft-cloud-security-log-export/
Tue, 05 Apr 2016 17:11:36 +0000

Forward logs to your SIEM (Preview Feature)

 Taken from: https://technet.microsoft.com/en-us/library/mt657569.aspx

Integrating with a SIEM service allows you to better protect your cloud applications while maintaining your usual security workflow, automating security procedures and correlating cloud-based and on-premises events. The Cloud App Security SIEM agent pulls the logs using the Cloud App Security API and streams them in CEF format to the SIEM logger, so your Cloud App Security logs can be included in your SIEM. To integrate Cloud App Security with your SIEM, perform the following steps; they pull the logs from Cloud App Security and send them to your SIEM service using Syslog over TCP.

 Cloud App Security uses TCP to assure reliability of the SIEM integration. This is plain syslog over TCP, not TLS, so the CEF stream is readable by anyone on the network path; keep the agent host and the SIEM listener on a trusted network segment or tunnel the connection between them.
  1. Prerequisites:
    • A standard Linux or Windows server (can be a virtual machine).
    • The server should run Java 8.
  2. In the Cloud App Security console, click your name in the console menu bar, select User settings and then click the API Token tab. Name your SIEM integration token and click Generate new token. In the Created API token window, copy the token value. Treat this token as a credential: it grants API access to your tenant's activity and alert logs, so store it only in the agent's configuration file and restrict who can read that file.
  3. Create the following folders on your server:
    • Linux: /etc/mcas/siemagent and /etc/mcas/siemagent/cfg
    • Windows: C:\MCAS\siemagent and C:\MCAS\siemagent\cfg
  4. Download SIEMAgent.jar and save it to your server in:
    • Linux: /etc/mcas/siemagent/
    • Windows: C:\MCAS\siemagent
    It is recommended to keep the version number as part of the filename, for easier identification of the installed version.
    • Cloud App Security supports multiple concurrent SIEM agents for different variations of logs and filters. You can create several configuration files and repeat these steps.
    • The Cloud App Security SIEM agent uses the system clock for the initial event synchronization. Make sure it is accurate (NTP-synchronized) before running the agent. Events are downloaded from the initial run onward. If you want to download all earlier events, contact support.
  5. Configure your SIEM agent as follows:
    1. Choose a name for your configuration and create a new file in the cfg folder named [CFGNAME].xml, where CFGNAME is the name of your configuration (do not include the brackets [ ] in the file name). Start with a letter, and do not use spaces or special symbols (numbers, dashes and underscores are allowed). Paste the following into the file you created, and edit the parameters within (instructions in the next step).
      For Linux:
      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
         [RUN INTERVAL]
         https://[PORTAL SUB-DOMAIN].portal.cloudappsecurity.com/api/
         [LOG TYPE]
         [SIEM HOST]
         [SIEM PORT]

      For Windows:

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
         [RUN INTERVAL]
         https://[PORTAL SUB-DOMAIN].portal.cloudappsecurity.com/api/
         [LOG TYPE]
         [SIEM HOST]
         [SIEM PORT]

      Parameters table (omit any optional parameter that you are not using):

      CFGNAME: A unique name that describes this instance of the SIEM agent. Use the same name you chose for the file name. Example: audits
      RUN INTERVAL: The interval for synchronization in milliseconds. Recommended value is 20 seconds, i.e. 20000.
      PORTAL SUB-DOMAIN: The sub-domain you have when you log in to the portal. Example: cloudappsecurity
      LOG TYPE: Type of logs to retrieve. Supported values:
        • audits – Activity log entries
        • alerts – Alert entries
      FILTER (optional): List of filters. Only entries that match all the filters are returned (AND). See usage below.
      SIEM HOST: The IP address of the SIEM server.
      SIEM PORT: The port number of the TCP Syslog listener. Example: 1111
      PROXY HOST (optional): The IP address of your HTTP proxy.
      PROXY PORT (optional): The TCP port of your HTTP proxy.
      LOGGING ENABLE (optional): Set to true in order to activate the logs.
      Optional: Set to true in order to send internal logs of the SIEM agent to the Syslog server.
      FORMAT SET (optional): ADALLOM_CEF_V1 (default) – the default SIEM agent output format. ARCSIGHT_CEF_V1 – output format compatible with an ArcSight system.

      Activity Filters (parameter name, type, description):

      action – Multi-value strings, supports negation, comma-separated list. List of actions.
      service – Multi-value strings, supports negation, comma-separated list. List of apps, each written as follows:
        • Take the application name as listed in the portal.
        • Convert all characters to lower case.
        • Replace spaces with a hyphen (-).
        • Remove all characters that are not letters, digits or hyphens.
        • Replace multiple hyphens with a single hyphen.
        • Remove any hyphens from the start and end.
        • For example: Google Apps: google-apps; Office 365: office-365; Microsoft SharePoint Online: microsoft-sharepoint-online; Salesforce: salesforce
      user – Multi-value strings, supports negation, comma-separated list. List of users.

      Alert Filters (parameter name, type, description):

      users – Multi-value strings, supports negation, comma-separated list. List of users.
  6. Run the SIEM agent in one of the following modes. Use the exact file name you saved in step 4 (SIEMAgent.jar, possibly with a version number); file names are case-sensitive on Linux.
    • Manual run:
      • Linux: java -jar /etc/mcas/siemagent/siemagent.jar /etc/mcas/siemagent/cfg/[CFGNAME].xml
      • Windows: java -jar C:\MCAS\siemagent\siemagent.jar C:\MCAS\siemagent\cfg\[CFGNAME].xml
    • Automated run: Create a startup script (for example a systemd unit, a Windows service or a scheduled task) that runs the same command at system startup, under a dedicated low-privilege account that can read the cfg folder.
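Two parts of the procedure above are easy to get wrong and cheap to check before pointing the agent at a production SIEM: the service-name rules in the activity filter table, and the CEF framing the SIEM has to parse. The following Python script is an added example written for this page, not code from the Cloud App Security agent or from Microsoft. It implements the six service-name rules, parses a CEF line (honouring the header escapes `\|` and `\\` and the extension escapes `\=`, `\\`, `\n` and `\r` that the CEF specification defines), and can run as a throw-away TCP syslog listener on the SIEM PORT example (1111) so you can see exactly what the agent sends. The sample line, its vendor/product values and its extension keys are constructed for the example and are assumptions about the agent's output.

```python
import re
import socketserver

# --- Service names for the 'service' activity filter ------------------------

def service_filter_name(app_name: str) -> str:
    """Turn an app name as listed in the portal into the form the SIEM agent's
    'service' filter expects, applying the six rules from the filter table."""
    s = app_name.lower()                 # convert all characters to lower case
    s = s.replace(" ", "-")              # replace spaces with a hyphen
    s = re.sub(r"[^a-z0-9-]", "", s)     # drop anything that is not a letter, digit or hyphen
    s = re.sub(r"-{2,}", "-", s)         # replace multiple hyphens with a single one
    return s.strip("-")                  # remove hyphens from the start and end


# --- Parsing the CEF messages the agent streams over syslog TCP -------------

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")
_KEY_RE = re.compile(r"(\w+)=")          # start of a key=value pair in the extension


def _split_header(text: str):
    """Split the seven pipe-delimited header fields, honouring the CEF header
    escapes '\\|' and '\\\\'. Returns (fields, remaining extension text)."""
    fields, current, i = [], [], 0
    while i < len(text) and len(fields) < len(HEADER_FIELDS):
        c = text[i]
        if c == "\\" and i + 1 < len(text):   # escaped character: keep it literally
            current.append(text[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(current))
            current = []
        else:
            current.append(c)
        i += 1
    return fields, text[i:]


def _unescape_extension(value: str) -> str:
    """Undo the extension escapes '\\=', '\\\\', '\\n' and '\\r'."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line: str) -> dict:
    """Parse one syslog line carrying a CEF message. Whatever precedes 'CEF:'
    (syslog PRI, timestamp, hostname) is ignored. Raises ValueError on junk."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    fields, extension = _split_header(line[start:])
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("malformed CEF header")
    event = dict(zip(HEADER_FIELDS, fields))
    event["cef_version"] = event["cef_version"][len("CEF:"):]
    # Extension values may contain spaces, so each value runs up to the next key=.
    keys = list(_KEY_RE.finditer(extension))
    ext = {}
    for j, m in enumerate(keys):
        end = keys[j + 1].start() if j + 1 < len(keys) else len(extension)
        ext[m.group(1)] = _unescape_extension(extension[m.end():end].strip())
    event["extension"] = ext
    return event


# Constructed sample line (not real agent output): the vendor/product values and
# the extension keys are assumptions about what the agent emits.
SAMPLE_LINE = (
    "<13>Apr 05 2016 17:11:36 mcas-siem-agent "
    "CEF:0|MCAS|SIEM_Agent|0.1|EVENT_CATEGORY_LOGIN|Log on \\| interactive|0|"
    "suser=alice@contoso.example src=203.0.113.10 msg=Sign-in note\\=pipe\\|ok"
)


class CefHandler(socketserver.StreamRequestHandler):
    """Accepts the agent's TCP syslog stream, one CEF message per line."""

    def handle(self):
        for raw in self.rfile:
            try:
                event = parse_cef(raw.decode("utf-8", "replace").rstrip("\r\n"))
            except ValueError as exc:
                print("skipped:", exc)
                continue
            print(event["signature_id"], event["name"], event["extension"])


if __name__ == "__main__":
    socketserver.TCPServer.allow_reuse_address = True
    # 1111 is the SIEM PORT example from the parameters table.
    with socketserver.TCPServer(("0.0.0.0", 1111), CefHandler) as server:
        server.serve_forever()
```

Run it with python3 on the host you intend to use as SIEM HOST, point SIEM PORT at 1111, and start the agent: every line it delivers is parsed and printed, and lines without a CEF payload are reported and skipped rather than silently dropped. The listener is only for validation; it does no authentication and writes nothing to disk.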

Cisco ACS / TACACS Active Directory Join/Bind Issues
http://w3.woodsnetworks.com/index.php/2014/12/cisco-acs-tacacs-active-directory-joinbind-issues/
Mon, 29 Dec 2014 19:54:59 +0000

After battling a number of issues while joining the ACS appliance to the domain, I wanted to post a list of troubleshooting steps to help anyone else that might run into them:

– Password for the AD account – If you are getting errors like account disabled, “invalid credentials to join this machine to active directory domain”, account locked, etc. after a Test Connection that returns successful, try changing the password: remove any special characters and potentially shorten it. I had an extremely long, complex password that caused my issues. I am unsure of the maximum length, but this was the root cause of most of my problems.

You might see something like this in your logs which is an indication of above:

Dec 29 14:06:40 yyyyyyyy adleave[9970]: INFO cli.adleave Leaving domain yyy.com successful
Dec 29 14:06:40 yyyyyyyy adleave[9970]: INFO lrpc.session process authentication request failed: ipc socket connect: No such file or directory
Dec 29 14:06:41 yyyyyyyy adjoin[10021]: INFO cli.adjoin Version: CentrifyDC 4.3.0-192
Dec 29 14:06:41 yyyyyyyy adjoin[10021]: WARN base.kerberos.keytab getUserSalt failed: get creds: Preauthentication failed
Dec 29 14:06:41 yyyyyyyy adjoin[10021]: INFO cli.adjoin Join to domain ‘yyy.com’, zone ‘null’ failed.
Dec 29 14:06:41 yyyyyyyy adjoin[10028]: INFO cli.adjoin Version: CentrifyDC 4.3.0-192
Dec 29 14:06:41 yyyyyyyy adjoin[10028]: INFO samba.interop Attempting interoperability with untested Samba version .
Dec 29 14:06:41 yyyyyyyy adjoin[10028]: INFO cli.adjoin Wrote /etc/centrifydc//openldap/slapd.conf
Dec 29 14:06:41 yyyyyyyy adjoin[10028]: INFO util.configfiles Wrote /etc/centrifydc//openldap/ldap.conf
Dec 29 14:06:41 yyyyyyyy adinfo[10034]: INFO lrpc.session process authentication request failed: ipc socket connect: No such file or directory
Dec 29 14:06:41 yyyyyyyy adinfo[10034]: INFO lrpc.session process authentication request failed: ipc socket connect: No such file or directory

– You then might get the following error: “The item you trying to delete is referenced by other items. You must remove all references to this item before it can be deleted.” This is apparently a known bug. Some posts say that you basically have to remove everything that refers to Active Directory in ACS. DO NOT do that. Just go to the CLI and issue the following two commands:

acs stop

acs start

Then go back in and set the password. There was a note on one of the posts that you should skip the Test Connection as it could cause the above.

– I read another post that said to right-click the computer object in Active Directory and choose Reset Account before doing the join. I do not believe that fixed it in my case, but it is good for the “bag of tricks” for troubleshooting this. In effect it should clean the object to prepare it for a domain join.


Export Contact information from Office 365 (or Exchange 2010+)
http://w3.woodsnetworks.com/index.php/2013/09/export-contact-information-from-office-365-or-exchange-2010/
Fri, 13 Sep 2013 15:17:26 +0000

The following exports all contacts and selected information. This is an Exchange/Office 365 cmdlet, so you will need to be connected to Exchange Online (or the Exchange Management Shell) first:

get-contact -resultsize unlimited | Select-Object name,FirstName,LastName,displayname,Company,WindowsEmailAddress | Export-Csv c:\script\user_audit.csv -Delimiter "|"


Office 2013 “Call us Overprotective” and Lync 2013 “Cannot sign in because the server is temporarily unavailable” using Office 365
http://w3.woodsnetworks.com/index.php/2013/09/office-2013-call-us-overprotective-and-lync-2013-cannot-sign-in-because-the-server-is-temporarily-unavailable-using-office-365/
Tue, 10 Sep 2013 17:16:01 +0000

As we have been testing Office 2013 with our Office 365 implementation, we ran into two issues.

#1 – Lync 2013 could not sign in and we would receive an error message stating “Cannot sign in because the server is temporarily unavailable”. After digging through a lot of different forums and support threads, the one workaround that worked reliably was to launch Lync as a different user that was local to the computer and not on the domain. While this works for IT folks, it is not a permanent solution for the entire company.

#2 – When trying to access SharePoint documents or otherwise interact with Office 365 through Office 2013, we would get authentication prompts stating “Call us overprotective, but we need to verify your account again before opening this document.” For these we could not find a reliable workaround. Many times a document from SharePoint simply could not be opened or edited because the prompt kept reappearing.

We ended up opening a ticket with Microsoft for each of these issues. While troubleshooting we were taking packet captures, and when analyzing them we noticed a number of TCP retransmissions that looked similar to an issue we were having with downloading larger files from SharePoint Online. (Side note: if you are battling SharePoint download issues as well, this will help identify the issue.) The fix/workaround we had found for that problem was to disable TCP receive window auto-tuning in Windows 7.

We tested disabling auto-tuning and, like magic, both of these issues went away: we could sign into Lync 2013 and we could successfully authenticate when the Overprotective prompt came up.

To disable AutoTuning, from an elevated command prompt (right click on cmd.exe or command prompt and choose run as administrator) execute the following command:

netsh int tcp set global autotuninglevel=disabled

For best results reboot your computer. Note that this is a workaround, not a root-cause fix: with auto-tuning disabled the TCP receive window stays at its default size (64 KB), which limits throughput on high-latency connections, so plan to re-enable it (autotuninglevel=normal) once the underlying network issue is found.

We are still working with Microsoft to determine what in our network layer would be causing this. For reference we are a Cisco shop, if this fixes your problem would love to hear what your core network vendor is.

Note: Our configuration provides WS-Fed through a Cloud Identity Management Solution. We utilize our Active Directory Domain for authentication to Office 365 through this service.


Export AD Password and Account Information using Get-QADUser
http://w3.woodsnetworks.com/index.php/2013/08/export-ad-password-and-account-information-using-get-qaduser/
Tue, 20 Aug 2013 13:39:57 +0000

You will need the free Quest ActiveRoles Management Shell for Active Directory to run this:

Get-QADUser -Name * -SizeLimit 0 | select givenName,sn,name,samaccountname,company,description,PasswordExpires,PasswordNeverExpires,PasswordLastSet,lastLogonTimestamp,AccountIsDisabled,AccountExpires | Export-Csv c:\script\user_audit.csv -Delimiter "|"
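Once you have user_audit.csv, the point of the export is to find the accounts that need attention. The following Python script is an added example for this post, not the Quest cmdlet's code: it reads the pipe-delimited file, skips the #TYPE line that Export-Csv writes unless -NoTypeInformation is used, and flags enabled accounts whose password never expires, that have never logged on or not in 90 days, or whose password is older than a year. The sample rows, the #TYPE value, the 90-day and 365-day thresholds and the en-US date format are constructed assumptions; adjust them to your environment.

```python
import csv
from datetime import datetime, timedelta

STALE_DAYS = 90          # no logon in this long -> flag (ASSUMPTION: policy threshold)
PASSWORD_AGE_DAYS = 365  # password older than this -> flag (ASSUMPTION: policy threshold)

# ASSUMPTION: en-US DateTime.ToString() format that Export-Csv writes for date properties.
DATE_FMT = "%m/%d/%Y %I:%M:%S %p"

# Constructed sample shaped like user_audit.csv from the command above: Export-Csv
# writes a '#TYPE ...' first line (unless -NoTypeInformation is given) and quotes
# every field. The type name and the accounts here are made up.
SAMPLE_CSV = """#TYPE Selected.System.Management.Automation.PSCustomObject
"givenName"|"sn"|"name"|"samaccountname"|"company"|"description"|"PasswordExpires"|"PasswordNeverExpires"|"PasswordLastSet"|"lastLogonTimestamp"|"AccountIsDisabled"|"AccountExpires"
"Alice"|"Adams"|"Alice Adams"|"aadams"|"Contoso"|""|"11/1/2013 9:00:00 AM"|"False"|"8/1/2013 9:00:00 AM"|"8/19/2013 7:30:00 AM"|"False"|""
"Svc"|"Backup"|"svc-backup"|"svc-backup"|"Contoso"|"backup job"|""|"True"|"1/15/2010 10:00:00 AM"|"8/18/2013 1:00:00 AM"|"False"|""
"Bob"|"Brown"|"Bob Brown"|"bbrown"|"Contoso"|"left company"|"9/1/2013 9:00:00 AM"|"False"|"6/1/2013 9:00:00 AM"|"2/1/2013 9:00:00 AM"|"False"|""
"Carol"|"Clark"|"Carol Clark"|"cclark"|"Contoso"|""|""|"False"|"7/1/2013 9:00:00 AM"|"7/20/2013 9:00:00 AM"|"True"|""
"""


def parse_export(text: str) -> list:
    """Read the pipe-delimited export, skipping the Export-Csv type line."""
    lines = [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("#TYPE")]
    return list(csv.DictReader(lines, delimiter="|"))


def _date(value: str):
    """Empty string means the attribute is not set (e.g. never logged on)."""
    return datetime.strptime(value, DATE_FMT) if value else None


def audit(rows: list, now: datetime, stale_days: int = STALE_DAYS) -> dict:
    """Return {samaccountname: [findings]} for enabled accounts that deserve a look.
    lastLogonTimestamp is only replicated when the stored value is more than
    roughly 9-14 days old, so treat it as accurate to about two weeks."""
    findings = {}
    for r in rows:
        if r["AccountIsDisabled"] == "True":
            continue                        # disabled accounts are out of scope here
        notes = []
        if r["PasswordNeverExpires"] == "True":
            notes.append("password never expires")
        last = _date(r["lastLogonTimestamp"])
        if last is None:
            notes.append("never logged on")
        elif last < now - timedelta(days=stale_days):
            notes.append(f"no logon since {last:%Y-%m-%d}")
        pw = _date(r["PasswordLastSet"])
        if pw is not None and pw < now - timedelta(days=PASSWORD_AGE_DAYS):
            notes.append(f"password last set {pw:%Y-%m-%d}")
        if notes:
            findings[r["samaccountname"]] = notes
    return findings


def audit_sample() -> dict:
    """Run the audit over the constructed sample as of 2013-08-20."""
    return audit(parse_export(SAMPLE_CSV), datetime(2013, 8, 20))


if __name__ == "__main__":
    # Replace SAMPLE_CSV with open(r"c:\script\user_audit.csv").read() for a real export.
    for account, notes in audit_sample().items():
        print(account, "->", "; ".join(notes))
```

On the sample this reports svc-backup (password never expires and last set in 2010) and bbrown (no logon since February), and says nothing about the disabled account. Service accounts with non-expiring passwords are the usual finding worth a ticket; a long-unused enabled account belongs to someone who has left.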

To see a good list of fields to query:



White Icons on Windows 8 for Shortcuts with Icons located on the Network
http://w3.woodsnetworks.com/index.php/2013/08/white-icons-on-windows-8-for-shortcuts-with-icons-located-on-the-network/
Fri, 16 Aug 2013 15:22:06 +0000

In my case, I push shortcuts via Group Policy to computers. When choosing a network path for the icon, in Windows 8 the icon shows as a white box instead of the icon pointed to on the network. Some digging turned up the following two possible solutions:

Through Group Policy if your domain has been upgraded or locally to the machine through gpedit.msc:

Computer configuration/Administrative Templates/Windows Components/File Explorer/Allow the use of remote paths in file shortcut icons.

Alternately if you like hacking the registry:


Create DWORD (32-bit) Value: EnableShellShortcutIconRemotePath
Value: 1 (Decimal)

Note: You  might have to create the Explorer key. (It was missing on both of the computers I tested this on)


Adding users to SharePoint across a trust (One-Way or Two-Way)
http://w3.woodsnetworks.com/index.php/2013/07/adding-users-to-sharepoint-across-a-trust-one-way-or-two-way/
Wed, 31 Jul 2013 12:36:14 +0000

To have users from a trusted domain show up in the people picker, you have to let SharePoint know about the trust. To do so, run the following command for the scenario you are in:

Two-Way Trust
STSADM.exe -o setproperty -pn peoplepicker-searchadforests -pv forest:goldentemple.corp;domain:postholdings.com -url http://sharepoint/

One-Way Trust
STSADM.exe -o setproperty -pn peoplepicker-searchadforests -pv forest:yourprimarydomain.com;domain:trusteddomain.com,username,password -url http://yoursharepointsite/
For a one-way trust SharePoint cannot query the trusted domain with the farm's own identity, so this command stores the username and password of an account in the trusted domain; use an account that has no rights beyond reading the directory. Before running it you also need to run the following on every front-end server in your farm, with the same key (which you make up) on each server, because this key is what encrypts the stored credentials:
STSADM.exe -o setapppassword -password key



Change SMTP Server for All Alerts in Solarwinds
http://w3.woodsnetworks.com/index.php/2013/07/change-smtp-server-for-all-alerts-in-solarwinds/
Tue, 16 Jul 2013 19:37:01 +0000

If you recently changed mail servers/services or need to update the SMTP server for all of your alerts, this is an easy way to do so if you are comfortable with SQL. (Back up your database before making any mass change like this.)

declare @oldServerName As Varchar(255)
declare @newServerName As Varchar(255)

set @oldServerName = 'localhost2'
set @newServerName = 'localhost'

update [dbo].[ActionDefinitions] set [Target] = REPLACE(CAST( [Target] AS VARCHAR(MAX)),'SMTPSERVER:'+@oldServerName,'SMTPSERVER:'+@newServerName) WHERE Target like '%SMTPSERVER:%'
select * from [ActionDefinitions]


RDS Powershell new-rdremoteapp syntax to publish app on Server 2012
http://w3.woodsnetworks.com/index.php/2013/06/rds-powershell-new-rdremoteapp-syntax-to-publish-app-on-server-2012/
Thu, 13 Jun 2013 13:59:04 +0000

PowerShell command to fully publish an app. The -VirtualFilePath parameter is not well documented, and if it is not set you will not be able to configure the app through the GUI.

new-rdremoteapp -Alias "{appname no spaces}" -DisplayName "{friendly display name}" -FilePath "{full file path example: D:\Program Files (x86)\JDEdwards\B7\system\Bin32\oexplore.exe}" -VirtualFilePath "{full file path example: D:\Program Files (x86)\JDEdwards\B7\system\Bin32\oexplore.exe}" -ShowInWebAccess 1 -collectionname {your collection name} -ConnectionBroker {servername.domainname.com}


Powershell Export Specific Fields to CSV
http://w3.woodsnetworks.com/index.php/2013/06/powershell-export-specific-fields-to-csv/
Thu, 13 Jun 2013 13:26:09 +0000

If you only want specific fields/columns from a command to appear in the export file, use the following syntax. In my example I was getting all of the members of an AD group and only wanted certain logon name information.

Get-QADGroupMember CTX-ProductVision-Prod | select-object LogonName,UserPrincipalName,NTAccountName,SAMAccountName,DN | Export-Csv c:\scripts\pv.csv -Delimiter "|"
