Category Archives: Homelab

Ubiquiti UniFi Security Gateway Disable NAT

Posted on by

This is a guide for disabling the Network Address Translation (NAT) function on the Ubiquiti Networks UniFi Security Gateway (USG). The NAT functionality can be disabled by a custom config.gateway.json file on the UniFi Controller. There is no User Interface option currently to disable NAT.

Note: These instructions apply to the Unifi Security Gateway (USG) line of products, which are end of life. The config.gateway.json method does not exist on the UDM and UXG line of products.

If you’re here looking to disable NAT on a UDM or UXG product line, know that there is now an option in the web interface. Ubiquiti added controls directly in the web interface starting with UniFi Network 8.3.32 to control or disable NAT.

Requirements

  • Unifi Security Gateway (USG)
  • SSH access to the UniFi Controller

Summary Steps

  • Create or update a custom config.gateway.json configuration file
  • Perform a manual device provision of the USG

Continue reading

IIS WMSvc Automated Certificate Management

Posted on by

I’ve added a new script to my GitHub PowerShell repository for managing the IIS WMSvc Certificate. The script WMSvc_InstallCertificate.ps1 is intended to be ran either by scheduled task or by command line and will attempt to detect when the Web Management Service (WMSvc) certificate needs to be replaced. Replacement certificates are sourced from an Enterprise Certificate Authority automatically. The IIS machine account must have privileges to enroll.

In my lab, this script is tied to a scheduled task that is automatically created by group policy on servers attached to the IIS role security group. This same security group is also granted enroll privileges on the certificate template. In effect, new servers created will automatically receive a trusted certificate for their management port and that certificate is rotated automatically before expiration.

Since my lab IIS installations run on Server Core, it is quite convenient to have the remote management service configured automatically.

Local and Domain NTP Overridden by Secure Time Service

Posted on by

Starting with Windows 10 1511, Microsoft introduced a new feature called Secure Time Seeding, part of the Secure Time Service (STS), as an upgrade to the W32TIME service. The STS uses information from SSL connections to validate NTP data. Information from this feature supersedes all other time sources, including locally configured NTP, domain controllers, and Hyper-V time synchronization.

I first noticed the feature when several of my Hyper-V virtual machines began shifting their system clocks backwards and forwards several times a minute. At first the time changes spanned a few hours, but as the machine uptime climbed, so did the time jumps. Eventually, the time was bouncing backwards and forwards by weeks, several times a minute. The Hyper-V time synchronization service was fighting with the new Secure Time Service and this wrecked havoc on authentication and any other services running on the systems.

Continue reading

Unifi VPN Radius Challenge Fails with Invalid Password

Posted on by

An issue exists between the Ubiquiti Networks Unifi software controller v5.10.19 and a Microsoft Radius or Network Policy Server (NPS) when NTLMv2 responses are forced on all Domain Controllers. When this condition exists, radius calls from the Unifi controller fail with error event that indicates the password is invalid. The security logs on the radius server report the following failure:

Failure Information:
     Failure Reason:     Unknown user name or bad password.
     Status:             0xC000006D
     Sub Status:         0xC000006A     (Account logon with misspelled or bad password)

The issue is limited only to VPN connections. WiFi connections using the same Radius connection profile and user account succeed.

Applying the registry key in Microsoft KB 2811487 to the Radius server resolves the issue.

Set DWORD:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy\Enable NTLMv2 Compatibility = 1

vCenter Server Fails Upgrade to 6.5.0-U1 with VCSServiceManager Error

Posted on by
Reply

I spent a portion of the last two weekends attempting to upgrade my homelab vCenter Server running on Server 2016 from 6.5.0 to 6.5.0-U1 with little success. My implementation is only a month old and non-complex, aside from the external Platform Service Controller servicing the single vCenter Server (so far).

Both the PSC and the VCS returned the same error during installation: “Installation of component VCSServiceManager failed with error code ‘1603’. Check the logs for more details.”

Installation of component VCSServiceManager failed with error code 1603.

Continue reading