All posts by administrator

Setting up a Raspberry Pi Zero W for Pi-hole

I’ll start by saying there are lots of guides to do this already but none of them worked for me from beginning to end and I pulled parts from different ones to get things working. So after some trial and error I wrote my own guide. Some other sites I used as reference: A good quick start guide from Reddit, Info on changing the locale and keyboard layout for US, and Setting up a headless Pi Zero. I’m also assuming if you are reading this article that you already know what Pi-hole is and want to implement it on your network.

First things first. You will need a Pi Zero W (if you have a local MicroCenter they have them in store for $5 pretty often), a 8Gb micro SD card, a micro usb cable to power the zero, and a way to write to the SD card, either a SD card adapter or your computer if it has a slot for it. You may also want a case to put yours in if you plan on mounting it and don’t want to short anything out (my personal favorite that runs about $6). If you want to actually see whats going on you will also need a mini HDMI to HDMI cable although hopefully you don’t need to do that. And if you want to get really fancy you can get a Pi Zero W with header pins (or solder some on yourself) and a display such as the Adafruit one to show the IP address and some status info.

Lets grab the software you’ll need:

Then put it together:

  • Format the SD card using the SD Card Formatter utility.
  • Using balenaEtcher burn the Raspbian image to the SD card. By default it will “eject” the SD card once its done. You also might get Windows warnings about a problem with the disk, ignore these and close/cancel the warnings.
  • Pop out the SD card and put it back in. You might get the same warnings, again ignore them.
  • Using Notepad (or Notepad++) create a file named “ssh” with no extension and a single space in it. Save that to the root of the SD card along with the other files.
  • Again using a notepad program create a file called “wpa_supplicant.conf” with the following text (using your country code, SSID, and password) and save that to the root of the SD card. If your SSID is being broadcast you do not need the scan_ssid line as it will slow down the connecting slightly although it doesn’t hurt to have it in there (see here for more info on this file):
country=US
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

network={
  ssid="YourSSID"
  scan_ssid=1
  psk="YourPassword"
}
  • You should have everything on the SD card needed to boot up and connect to your WiFi. Properly eject the SD card from your computer, pop it into the Pi, and boot it up.
  • Give it 90 – 120 seconds to boot. Since this guide is for getting Pi-Hole setup you will want to have a static IP address for your Pi. Go into your router and find out what the current IP address is and also set a reservation or lock the current IP address to your device.
  • Until it reboots it will be at whatever IP it was assigned. Start up PuTTY and put in the current IP address and connect. You will get a security warning, click Yes to accept the keys.

Your Pi is now on your network so the hard part is done. Next is to configure some basic settings and install Pi-hole

  • Login using the default user “pi” and password “raspberry”
  • Now by default the Pi is setup for the EN_GB locale which means your @ symbol and some others aren’t where they normally are which caused me some issues. So lets tell the Pi to add the EN_US locale and change our keyboard layout.
  • Type in sudo raspi-config and enter
    • Select option 4 for Localization then the first option for Locale
    • In the list scroll down and select en_US.UTF-8 UTF-8 by hitting the space bar to select it then enter
    • It will ask you to select a default language for the system. Select en_US.UTF-8 and enter. Give it a minute while it makes the change.
    • At this point for me I tried to change the keyboard layout but it didn’t work. It seems the Pi needs to be rebooted for these changes to take effect so first get out of the config menu by hitting the right arrow twice and selecting Finish
  • Back at the prompt type in sudo reboot. You will be disconnected, give the Pi a minute or so to reboot. Remember if you set a DHCP reservation the IP address may change when it comes back up.
  • Connect with PuTTY and login again. Easiest way is to click the PuTTY icon in the top left corner of the program and select “Restart Session” then log back in or just close and reopen the software.
  • Go back into the config with sudo raspi-config and enter
    • Select option 4 then 2 for change timezone. Select your country and city for your timezone (US -> Eastern for example).
    • Select option 4 again then 3 for the keyboard. In the list you should have a Generic 104-key PC option. Select that then English (US) or whatever keyboard layout you’d prefer. If you don’t see English (US) click Other first then it should be in the list. Hit enter to select then select the actual keyboard layout. You will be asked a couple more questions, select the appropriate answer (usually the defaults).
    • You can also go into the same menu to select US as your wireless country.
  • Now would also be a good time to change your password to something other then the default raspberry. Select the first option and enter a new password.
  • Select Finish to exit the config menu.

So the next recommended thing to do is update the Pi to the latest software:

  • At the terminal prompt type sudo apt-get update -y and enter. It might take a minute or two.
  • Next type sudo apt-get upgrade -y and enter. Chances are this will take 10 – 20 minutes as updates are downloaded and installed.

Once the updates are done reboot again with sudo reboot, log back in using PuTTY, and install Pi-hole:

  • At the terminal prompt type in curl -sSL https://install.pi-hole.net | bash and enter

Go through the prompts and answer as you want it setup. Note the admin webpage password at the end as you will use that to login at http://YourPiAddress/admin. Lastly set your router DHCP to hand out the Pi-hole IP address for DNS instead of itself and you should be all set.

Resetting Windows Update on Domain Computers

Windows Update & WSUS have been a thorn in my side for many many years. When it works its great but when it doesn’t it can be very frustrating to figure out what went wrong. Over the years I’ve had to rebuilt WSUS twice, once when it just stopped pushing updates and another time where it imploded itself and corrupted the database. Recently we had a number of computers, around 10%, stop reporting back to WSUS for status. They also reported no updates available when checking for updates using WSUS. We tried all the troubleshooters, DISM cleanups, etc, but nothing seemed to work. I thought maybe it was WSUS again but that wouldn’t make sense with so many successfully getting updated. Even tried the Microsoft recommendations on resetting Windows Update but in our case BITS didn’t want to stop. And related to this we were getting Task Host errors on shutdown for those machines with the reason being “AutomaticUpdateHost” which would make sense if BITS was stuck.

After some testing we found that the Microsoft recommendations did work when in safe mode. Problem was doing this as easily with the least amount of downtime and hands on touching. To that end I created a series of three batch files. The first one, run as a administrator, will set the boot options to safeboot with networking and reboot:

bcdedit /set {default} safeboot network
shutdown -r -t 5

The second is most of the Microsoft recommendations along with others I’ve found on the internet:

@echo off
echo Stopping Windows Update and BTIS services…
net stop bits /y
net stop wuauserv /y
net stop appidsvc /y
net stop cryptsvc /y
echo Killing any windows updates in process
taskkill /im wuauclt.exe /f
echo Deleting some files…
del /s /q /f "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr.dat" del /s /q /f "%ALLUSERSPROFILE%\Microsoft\Network\Downloader\qmgr.dat"
del /s /q /f "%SYSTEMROOT%\WindowsUpdate.log"
rd /s /q "C:\WINDOWS\SoftwareDistribution"
rd /s /q "%SYSTEMROOT%\system32\Catroot2"
del %USERPROFILE%\AppData\Local\Temp* /s /q
for /d %%x in (%USERPROFILE%\AppData\Local\Temp*) do @rd /s /q "%%x"
del %systemroot%\Temp* /s /q
for /d %%y in (%systemroot%\Temp*) do @rd /s /q "%%y"
echo Reset the BITS service and the Windows Update service to the default security descriptor.
sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
echo Deleting registry keys….
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIDValidation /f
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v LastWaitTimeout /f
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v DetectionstartTime /f
Reg Delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v NextDetectionTime /f
echo Re-registering Windows Update components…
regsvr32.exe /s c:\windows\system32\atl.dll
regsvr32.exe /s c:\windows\system32\urlmon.dll
regsvr32.exe /s c:\windows\system32\mshtml.dll
regsvr32.exe /s c:\windows\system32\shdocvw.dll
regsvr32.exe /s c:\windows\system32\browseui.dll
regsvr32.exe /s c:\windows\system32\jscript.dll
regsvr32.exe /s c:\windows\system32\vbscript.dll
regsvr32.exe /s c:\windows\system32\scrrun.dll
regsvr32.exe /s c:\windows\system32\msxml.dll
regsvr32.exe /s c:\windows\system32\msxml3.dll
regsvr32.exe /s c:\windows\system32\msxml6.dll
regsvr32.exe /s c:\windows\system32\actxprxy.dll
regsvr32.exe /s c:\windows\system32\softpub.dll
regsvr32.exe /s c:\windows\system32\wintrust.dll
regsvr32.exe /s c:\windows\system32\dssenh.dll
regsvr32.exe /s c:\windows\system32\rsaenh.dll
regsvr32.exe /s c:\windows\system32\gpkcsp.dll
regsvr32.exe /s c:\windows\system32\sccbase.dll
regsvr32.exe /s c:\windows\system32\slbcsp.dll
regsvr32.exe /s c:\windows\system32\cryptdlg.dll
regsvr32.exe /s c:\windows\system32\oleaut32.dll
regsvr32.exe /s c:\windows\system32\ole32.dll
regsvr32.exe /s c:\windows\system32\shell32.dll
regsvr32.exe /s c:\windows\system32\initpki.dll
regsvr32.exe /s c:\windows\system32\wuapi.dll
regsvr32.exe /s c:\windows\system32\wuaueng.dll
regsvr32.exe /s c:\windows\system32\wuaueng1.dll
regsvr32.exe /s c:\windows\system32\wucltui.dll
regsvr32.exe /s c:\windows\system32\wups.dll
regsvr32.exe /s c:\windows\system32\wups2.dll
regsvr32.exe /s c:\windows\system32\wuweb.dll
regsvr32.exe /s c:\windows\system32\qmgr.dll
regsvr32.exe /s c:\windows\system32\qmgrprxy.dll
regsvr32.exe /s c:\windows\system32\wucltux.dll
regsvr32.exe /s c:\windows\system32\muweb.dll
regsvr32.exe /s c:\windows\system32\wuwebv.dll
echo Resetting Winsock…
netsh winsock reset
echo Resetting WinHTTP proxy…
netsh winhttp reset proxy
echo Resetting the services as automatic…
sc.exe config wuauserv start= auto
sc.exe config bits start= delayed-auto
sc.exe config cryptsvc start= auto
sc.exe config TrustedInstaller start= demand
sc.exe config DcomLaunch start= auto
echo Restarting services…
net start bits
net start wuauserv
net start appidsvc
net start cryptsvc
net start DcomLaunch
echo Telling Windows to detect updates…
wuauclt.exe /resetauthorization
wuauclt.exe /detectnow
wuauclt.exe /reportnow
PowerShell.exe (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()

Then finally once that runs through is the third batch file to set the computer back to a normal boot:

bcdedit /deletevalue {default} safeboot
shutdown -r -t 5

I put all three into a folder and placed it on the desktops of the troubled computers then ran each in sequence. First the computer rebooted in safe mode, then Windows Update gets reset along with deleting all temp files, then the computer reboots normally.

So far every computer this was run on has reported in. Not sure what causes this in the first place but at least we have a quick solution now.

Note: The script was written to be run in regular mode so its stopping services that are normally already stopped in safe mode but was just reused for this purpose on the machines where BITS kept getting stuck.

Update to Batch Converting Visio Files

After some trail and error from my previous post we went through batch converting 300+ Visio vsd files over to vsdx. Overall the files size was reduced by 70%, dropping from over 6 Gb to around 2Gb, and allowing the files to open/save to the network a lot quicker. The only caveat I found was Visio 64-bit is the best way to do this and is most stable, especially with files over 25Mb. Above about 33 – 35Mb and the 32-bit version would randomly crash. With that said I added in some basic error detection to skip corrupt Visio files, some user variables to keep personal info or remove along with deleting the original file or not, and the ability to do sub directories. Here is the modified code:

Public FilesAttempted As Integer
Public FilesConverted As Integer
Public FilesDeleted As Integer
Public FilesSkipped As String

Sub ConvertToVsdx()
FilesAttempted = 0
FilesConverted = 0
FilesDeleted = 0
FilesSkipped = ""
Dim FileSystem As Object
Set FileSystem = CreateObject("Scripting.FileSystemObject")
Dim HostFolder As String
Dim DeleteOriginal As Boolean
Dim RemovePersonal As Boolean

''' HostFolder is directory to start it. Change to your base directory.
HostFolder = "T:\"
''' DeleteOriginal will delete the original file as long as the VSDX was created. Either True or False
DeleteOriginal = True
''' RemovePersonal will remove personal information from the file. Reduces the size a little but you might want to keep the original info
RemovePersonal = False

DoFolder FileSystem.GetFolder(HostFolder), DeleteOriginal
MsgBox "Conversion complete! " & vbCrLf & vbCrLf & "Files attempted: " & FilesAttempted & vbCrLf & "Files converted: " & FilesConverted & vbCrLf & "Files deleted: " & _
FilesDeleted & vbCrLf & "Files with issues: " & vbCrLf & FilesSkipped, vbOKOnly + vbInformation, "Conversion Complete"
End Sub

Sub DoFolder(Folder, DeleteOriginal)
On Error GoTo ErrHandler:
Dim SubFolder
For Each SubFolder In Folder.SubFolders
DoFolder SubFolder, DeleteOriginal
Next
Dim File
For Each File In Folder.Files
' For each file name sure its a vsd and not a temp file
If ((Right(File, 3) = "vsd") And (Right(File, 4) <> "~vsd")) Then
FilesAttempted = FilesAttempted + 1
' Open the file
Application.Documents.Open File
' Remote personal info if set
If RemovePersonal = True Then
Application.ActiveDocument.RemovePersonalInformation = True
End If
  ' Loop through each master then check across pages to see if it is used
  Index = Application.ActiveDocument.Masters.Count
  While Index > 0
  bMasterUsed = False
  Set oMaster = Application.ActiveDocument.Masters.Item(Index)
  For Each oPage In Application.ActiveDocument.Pages
  For Each oShape In oPage.Shapes
  If oMaster.Name = oShape.Name Then
  bMasterUsed = True
  End If
  Next
  Next
  ' if Not used delete it from the document stencil
  If bMasterUsed = False Then
  oMaster.Delete
  End If
  Index = Index - 1
  Wend

  ' Save as a vsdx and increase our counter
  Application.ActiveDocument.SaveAs File & "x"
  Application.ActiveDocument.Close
  FilesConverted = FilesConverted + 1

  ' Delete the original if set and the new vsdx exists
  If ((DeleteOriginal = "True") And (FileExists(File & "x"))) Then
  SetAttr File, vbNormal
  Kill File
  FilesDeleted = FilesDeleted + 1
  End If
NextFile:
End If
Next
Done:
Exit Sub

ErrHandler:
Debug.Print "Error encountered. Error number: " & Err.Number & " - Error description: " & Err.Description
If File <> "" Then
FilesSkipped = FilesSkipped & File & vbCrLf
GoTo NextFile:
End If
End Sub

Function FileExists(ByVal FileToTest As String) As Boolean
FileExists = (Dir(FileToTest) <> "")
End Function

If you use this please let me know how it goes or any tweaks that need to be made.

Check Uptime of Domain Computers

Recently we pushed some updates through GPO which ran at a users login to the domain. Weeks went by and I kept getting calls about people with old software that didn’t update. After some quick investigating these users were simply not rebooting or shutting down their computers and some were going on two months. On one hand that’s pretty good for Windows 10 machines but on the other they were missing important updates. After looking around I found that PsInfo.exe, part of the PSTools suite, would let me poll a computer for uptime but I wanted to poll all the computers and see how widespread this problem was.

First I started with a list of all computers taken from Active Directory using this PowerShell command to export them to a text file. Technically this command exports to a csv but I’m only taking one column so I skipped a step:

Get-ADComputer -Filter * -Properties Name | Select-Object Name | Export-CSV "C:\temp\ComputerNames.txt" -NoTypeInformation

Opening the file you should have a header of Name with all your workstations. I deleted the header and did a global find and replace to remove the quotes so I had a file with just the workstation names. Next I made a batch file with this single line:

For /f "tokens=*" %%i in (ComputerNames.txt) do psinfo uptime -nobanner \\%%i >> uptime.txt

I placed the batch file (CheckUptime.bat for me) in the same directory as PsInfo.exe and my ComputerNames.txt file. Run the batch file and it will step through each computer name in the file and check the uptime giving you something like this:

System information for \WSComputer2:
Uptime: 0 days 5 hours 24 minutes 57 seconds
System information for \WSComputer6:
Uptime: 2 days 17 hours 45 minutes 18 seconds
System information for \WSComputer23:
Uptime: 0 days 0 hours 42 minutes 41 seconds

I’m sure there is also a way to scrap the file and clean this up but it works for my needs.

Adding a SSL Certificate to a WorkPlace N4 Web Supervisor

So as a follow up to my post Adding a SSL Certificate to a Vykon AX Web Supervisor the way WorkPlace N4 web supervisors imports a certificate is slightly different. Mainly the key needs to be in a unencrypted RSA format which was tripping me up. So if you need to do this first read that prior post and then the only real change is for exporting out your key use this command:

openssl pkcs12 -in CertExport.pfx -nocerts -nodes -passin pass:YourPassword | openssl rsa -out key.pem

You will find the key will be exported and have a “RSA” tag in the headers now. Follow the same instructions from the other post to make your pem file (key, cert, intermediate, root) and it should import into a N4 supervisor just fine.

Batch Converting Visio VSD files to VSDX

I use Visio for my network and building layout drawings for simplicity. We have recently upgraded to Visio 2016 from 2007 and along with that there is a new file format, a .vsdx instead of a .vsd. Now I’m not sure of all the behind the scene changes but I do know that when you check a files properties you can reduce the file size by removing unused shapes, remove personal info, and save your old files as the new format. Between these three options the file size will drop 40 – 70% per file. Now when you have hundreds or even thousands of these you can gain a significant amount of file space back along with quicker overall loading and saving times. The problem is this looked to be a manual process.

So I did some searching and of course others have already tried to script this. I found two main articles, one on batch converting the vsd to vsdx and a second on removing the unused objects. I combined the two into a single script and added in the remove personal information option. So now you can do all three with a single script.

This is in VBA so to use this start out by opening a new blank Visio drawing. Hit ALT+F11 to get into Microsoft Visual Basic for Applications. Right click your drawing on the top left (by default Drawing1) and insert a module. Then copy and paste this in:

Sub ConvertToVsdx()
Dim strPath As String
Dim strFile As String
strPath = "C:\Temp2\"
strFile = Dir(strPath & "*.vsd")
Do While strFile <> ""
If Right(strFile, 3) = "vsd" Then
Application.Documents.Open strPath & strFile
Application.ActiveDocument.RemovePersonalInformation = True
' Loop through each master then check across pages to see if it is used
Index = Application.ActiveDocument.Masters.Count
While Index > 0
bMasterUsed = False
Set oMaster = Application.ActiveDocument.Masters.Item(Index)
For Each oPage In Application.ActiveDocument.Pages
For Each oShape In oPage.Shapes
If oMaster.Name = oShape.Name Then
bMasterUsed = True
End If
Next
Next
' if Not used delete it from the document stencil
If bMasterUsed = False Then
oMaster.Delete
End If
Index = Index - 1
Wend
Application.ActiveDocument.SaveAs strPath & strFile & "x"
Application.ActiveDocument.Close
End If
strFile = Dir
Loop
End Sub

Change the strPath to the directory you want to run this on and hit F5 to run. It will open each drawing with a vsd extension in that directory, set the remove personal information tag, remove the unused objects/stencils, then save it as a vsxd.

I haven’t adapted it to do subfolders yet as this is all I really needed but I’m sure there is a way to iterate through directories.

Compiling NodeMCU ESP32 Firmware

Recently I’ve been doing some experimenting with the NodeMCU ESP8266 and ESP32-S chips to use in home automation, sending data back to my Samsung SmartThings system. The ESP32 is considered a development board and as such not everything works as expected. One of the issues I was having was the ADC isn’t very linear resulting in some of my analog inputs being pretty far off (over 4%). With that said the firmware is being updated pretty regularly so I wanted to compile a new version. I attempted to follow the instructions available (https://nodemcu.readthedocs.io/en/dev-esp32/en/build/) but was having trouble. Finally I created a Ubuntu 16.04.3 LTS virtual machine using VirtualBox but then ran into a bunch of other issues since it didn’t have any of the dependencies installed. Well after some experimenting I got it working and here are the steps:

  1. Install Ubuntu 16 (should work with 17 also)
  2. Update it (search for update and launch the software updater)
  3. Drop to a terminal (CTRL+ALT+T), typing each item, and press enter:
    • sudo apt-get update
    • sudo apt-get upgrade
    • sudo apt-get install libncurses5-dev libncursesw5-dev flex bison gperf python-serial
    • sudo apt-get install git
  4. In the same terminal window grab the firmware code: “git clone --branch dev-esp32 --recurse-submodules https://github.com/nodemcu/nodemcu-firmware.git nodemcu-firmware-esp32
  5. Move to the source directory with “cd nodemcu-firmware-esp32”
  6. Start up the menu using “make menuconfig”

You should now be able to select your config options and save a sdkconfig file that you can use to make the firmware. Now I couldn’t save the sdkconfig in the same directory and ended up saving it to my home directory then making a copy of the modemcu-firmware-esp32 directory, pasting the config in there, and running make from there to compile. I’m assuming this is because I used git to pull down the repo and its read only (compiling from the copy with my sdkconfig worked so I didn’t try to figure it out).

If you want to get fancy you can also share out your USB through VirtualBox and flash the chip from the virtual machine using make flash but I didn’t like that idea so I transferred out the NodeMCU.bin from the build directory to my host machine (Windows 10) and used NodeMCU-PyFlasher-2.0 to flash to firmware. Afterward I found that my ADC’s, while not 100% accurate, were a lot closer. Hopefully they keep making progress on this chip as it seems like a very capable replacement to the ESP8266.

Installing Pydio 8 on IIS 8.5 and IIS 10

Pydio 8.0.0 was released earlier today and has a major UI change along with some minor back-end changes. I’ve gone through and did another re-write of the instructions for this new version. Among other things it now supports PHP 7.1.*. I’ve also streamlined the instructions slightly, upgrading all other pre-reqs to the latest versions, and use the modified version of PHP Manager that Ronald Carter has upgraded to no longer require Dot Net 2.0 so less stuff to install on the server. So it should now work without issues on both IIS 8.5 and IIS 10. Here are the new instructions:

Installing Pydio 8 on Windows Server 2012 R2

Installing Pydio 7 on IIS 8.5 – Pure 64 bit

With the recent release of Pydio 7.0 my old instructions are now outdated, especially when it comes to public file shares. There were a lot of changes in the new Pydio so I have re-written my instructions for it. The biggest change is there is no longer any reason to create your own web.config files, the stock one now works correctly on IIS. I’ve also added instructions on scripting things form the command line like indexing workspaces on a schedule which has helped me immensely since I keep some workspaces updated with DFS and have gotten away from using Samba. Here are the new instructions, let me know if you have trouble with them:

Installing Pydio 7 on Windows Server 2012 R2 – Pure 64 bit

Sophos XG Firewall PCI Compliance Woes

Recently I deployed a Sophos XG firewall to replace my very much aging Microsoft Forefront TMG 2010 firewalls. For the most part, after lots of back and forth with Sophos tech support, I got it working correctly for things like Outlook Anywhere, Web and Mobile Access, protecting internal websites, and general web filtering. Everything seemed fine until our monthly PCI compliance scans came along and we failed miserably. TLS 1.0 was enable, HTTP Track/Trace was enabled, and 64 bit cyphers were enabled for each external IP that we were hosting a site on. I contacted Sophos and long story short there is currently no way to fix these through the UI (v16)….all required manually editing the appache httpd file on the box. So here is how to do it.

First telnet into your XG, log in, then go to 5 Device Management then 3 Advance Shell. Type in the following:

# mount -no remount,rw /
# vi /usr/apache/conf/httpd.conf

You should now be able to edit the file. Press “I” once to enter insert mode. Find the SSLCipherSuite line and remove any sections (between the colons) that have 3DES in them. For example the original cypher line:

ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS

Modified cypher line:

ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

Now find the SSLProtocol list, usually right below the cyphers and remove support for whichever protocol by adding it with a minus. Here is the original line:

SSLProtocol all -SSLv2 -SSLv3

Modified protocols line:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

Lastly for the tracking add a new line under these:

TraceEnable off

Hit ESC then :w and enter to write the file then :q and enter to quit. Then restart the services and mark things what I’m assuming is read only:

# service apache:restart -ds nosync
# service WAF:restart -ds nosync
# mount -no remount,ro /

Keep in mind any Outlook 2010 clients you have in the field might try to connect using TLS 1.0 and will fail with a cryptic proxy server error. You can follow this site to hopefully fix that: https://blogs.technet.microsoft.com/schrimsher/2016/07/08/enabling-tls-1-1-and-1-2-in-outlook-on-windows-7/