Tuesday, January 20, 2015

F5 load Balancer and IIS certificate issue

Good day All,

Today I will share an F5 and IIS certificate issue I was pulled into some time ago. When the issue came to me, I was told that all the configuration on the F5 had been set properly and the certificate had been installed on the IIS web server, but the page was still unavailable when they tried to access the server using https from an external network.
A couple of questions I asked:

1. Is the certificate working properly internally? The answer was yes.
2. What kind of offloading have we configured on the F5, Client-side SSL or Server-side SSL? The answer was Server-side SSL.
3. If Server-side SSL, are we using 2 certificates, 1 for the F5 and 1 for the IIS web server, or are we installing 1 certificate on the F5, then exporting and importing the same certificate with its private key on the web server? The answer was only 1 certificate.

For starters, if you are wondering what Client-side and Server-side SSL are, please check this F5 manual; it goes in depth on the same.

So I said please hold on and let me check something, because I kind of knew what the issue was. Any guess from anyone? Well, here you go, see the answer below. Can you tell me what is missing?



If anyone guessed "I don't see the private key", then the answer is yes. There is no private key for this certificate, so all the traffic from the F5 to the IIS web server was encrypted but IIS doesn't have the private key to decrypt it. Why don't we see the private key? The possible reasons:
The certificate request was generated on the F5, so when it receives the certificate it has the certificate and the private key separately, and the F5 team passed the certificate without the private key to be applied on IIS, not knowing the server would need the private key.

So how do we fix the issue? Well, there is a neat little tool called OpenSSL. Simply download and install it; it basically merges the certificate and private key into a PFX file to be imported into IIS.


C:\OpenSSL-Win32\bin>openssl.exe pkcs12 -export -out name.pfx -inkey w.key -in w.crt -name test
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Loading 'screen' into random state - done
Enter Export Password:
Verifying - Enter Export Password:


The above command creates a PFX, so we re-imported the certificate into the certificate store and reapplied the certificate to IIS.
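Two checks around that merge, as an added example that is not part of the original post: confirm the key file really belongs to the certificate before building the PFX, and after the import list any server certificate in the machine store that still has no private key. The file names w.crt and w.key and the OpenSSL path are taken from the command above; the function names are hypothetical and the key is assumed to be RSA.

```powershell
# Added example, not from the original post. File names and paths are assumptions.
$openssl = 'C:\OpenSSL-Win32\bin\openssl.exe'   # install path as shown in the post

function Test-KeyMatchesCertificate {
    param([string]$CertPath, [string]$KeyPath)
    # Assumes an RSA key pair: certificate and private key share one modulus.
    $certModulus = & $openssl x509 -noout -modulus -in $CertPath
    $keyModulus  = & $openssl rsa  -noout -modulus -in $KeyPath
    return [bool]($certModulus -and ($certModulus -eq $keyModulus))
}

function Get-ServerCertWithoutKey {
    param([string]$Store = 'Cert:\LocalMachine\My')
    $serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU OID
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    Get-ChildItem -Path $Store | Where-Object {
        $eku = $_.Extensions | Where-Object { $_ -is $ekuType }
        # No EKU extension means the certificate is not restricted to a purpose.
        $forServer = (-not $eku) -or
            ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuth })
        $forServer -and (-not $_.HasPrivateKey)
    } | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
}

# Before building the PFX: confirm w.key really belongs to w.crt.
if ((Test-Path .\w.crt) -and (Test-Path .\w.key)) {
    Test-KeyMatchesCertificate -CertPath .\w.crt -KeyPath .\w.key
}
# After the import: any row returned here is a certificate IIS cannot use for TLS.
Get-ServerCertWithoutKey
```

The resulting PFX holds the private key, so protect it with a strong export password and remove the PFX and the loose .key file from working folders once the import is done.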



Hope this helps someone!!!!!!!!!!

Monday, January 12, 2015

The backup operation that started at ... has failed with following error code '2155347997' - SYSTEM STATE BACKUP- WINDOWS 2008

Good day All,

We started updating firmware on a lot of physical servers, and as part of the prerequisites we started taking system state backups. On a lot of 2008 servers the system state backup was failing.
In case you are wondering what we will do with a system state backup, and whether we can restore the server in case of disaster: check this article I have posted; 2 servers were successfully restored with the process in this link.
After some searching, a couple of these blogs really helped. So what really is the issue?
Let me see if I can put it simply; there are a lot of blogs which go in depth if you google enumeration errors. What basically happens is that, while taking the system state backup, the backup process makes sure that all the image paths for the services are correct, and if it sees any invalid path it stops the backup process with the error code...

http://blogs.technet.com/b/askcore/archive/2010/06/18/ps-script-for-blog-enumeration-of-the-files-failed.aspx
http://h10025.www1.hp.com/ewfrf/wc/document?docname=c03921757&cc=ca&dlc=en&lc=es

So for starters, download the PowerShell script, enable script execution in PS and run the script. You will see output something like this:

     Service Name    :
     Service Caption :
     Registry key    :
     Value           :
     Reason          : The service path contains spaces, the whole path needs to be enclosed using double quotes

The good part about the script is that it tells you what needs to be done. Be cautious when changing anything in the registry. Below are a few of the things I have seen as errors:

1. The service path contains spaces, the whole path needs to be enclosed using double quotes
2. The service path contains a forward slash. Only paths containing an inverted slash are supported
3. The service path does not have a proper path format. Only paths beginning with [<Drive>]:\ format are supported.
4. The service path contains invalid characters. Characters < > : " | ? cannot be used in a file path
5. Non-Existed Volume
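A simplified check of reasons 1 to 4 from the list above, as an added example; it is not the Microsoft script linked earlier and may not match its results exactly. The function name Get-ImagePathProblem and the sample service names are hypothetical, and the rule that an unquoted path ends at the first ".exe" is a heuristic.

```powershell
# Added example, not the Microsoft script; a simplified check of reasons 1-4 above.
function Get-ImagePathProblem {
    param([string]$PathName)
    $p = [Environment]::ExpandEnvironmentVariables($PathName).Trim()
    $quoted = $p.StartsWith('"')
    if ($quoted) {
        $end = $p.IndexOf('"', 1)
        if ($end -lt 0) { return @('opening double quote is never closed') }
        $exe = $p.Substring(1, $end - 1)
    } elseif ($p -match '^(.*?\.exe)') {
        $exe = $Matches[1]      # heuristic: the path ends at the first ".exe"
    } else {
        $exe = $p
    }
    $problems = @()
    if (-not $quoted -and $exe -match '\s') {
        $problems += 'path contains spaces and is not enclosed in double quotes'
    }
    if ($exe -match '/')               { $problems += 'path contains a forward slash' }
    if ($exe -notmatch '^[A-Za-z]:\\') { $problems += 'path does not begin with <Drive>:\' }
    if (($exe -replace '^[A-Za-z]:', '') -match '[<>:"|?]') {
        $problems += 'path contains invalid characters'
    }
    return $problems
}

# Constructed sample values (not real services on any host).
$samples = @{
    'GoodSvc'     = '"C:\Program Files\Vendor\agent.exe" -service'
    'UnquotedSvc' = 'C:\Program Files\Vendor\agent.exe -service'
    'SlashSvc'    = 'C:/Tools/agent.exe'
}
foreach ($name in $samples.Keys) {
    $issues = @(Get-ImagePathProblem $samples[$name])
    if ($issues) { '{0}: {1}' -f $name, ($issues -join '; ') }
}

# Live check: report every Win32 service whose path trips one of the rules.
Get-WmiObject Win32_Service | Where-Object { $_.PathName } | ForEach-Object {
    $issues = @(Get-ImagePathProblem $_.PathName)
    if ($issues) {
        New-Object PSObject -Property @{
            Service = $_.Name; Path = $_.PathName; Reason = ($issues -join '; ')
        }
    }
}
```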

A couple of things I have noticed:
1. On cluster servers, where the server is active on one node and the respective service is active on that node, you will see a failure warning for that service in the PS script you run. In that case we could never fix it; before the activity we failed over the node, took the system state backup and then proceeded with the firmware update.
2. Warnings in the script can be ignored.
3. "The service path contains a reparse point. Paths containing a reparse point are not supported" can be ignored too.

As I progress, if I encounter more backup failure errors I will update this post.
Hope this helps someone!!!!



Thursday, January 8, 2015

WHICH PROCESS ID IS LISTENING ON WHICH PORT?

Good day All,

Welcome back and a very Happy New Year. This is my first post this year and hopefully I will share a lot more than last year.

The other day someone asked me: I have a process running and need to find out which port it is listening on. Well, that was easy; I know sometimes little things are hard to remember, so I said you can get it from netstat.
I don't want to go over the different options available in netstat, I will let you explore, but to achieve this you should use something like this:
netstat -nao
This lists all TCP/UDP connections and listening ports, along with the process ID that owns each one.



You will realize that it's a big list, so if you know which port number you are searching for, you can do something like this:
ex: netstat -nao | find "161"

What I am trying to do is find out which process ID/process is listening on port 161. If anyone is wondering how to correlate the PID with the process: open Task Manager and add the PID column, and there you have it.
So in the below example I clearly see that PID 1960 is used by SNMP on the default port 161.
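An exact-match version of that lookup, as an added example that is not part of the original post: find "161" matches any line containing those digits (port 1610, an ephemeral port such as 49161, or a PID), so this parses the netstat -nao columns, compares the local port exactly and resolves the PID to a process name. The function name Get-PortOwner is hypothetical, the sample lines are constructed (only PID 1960 on UDP 161 comes from the post), and English netstat output is assumed.

```powershell
# Added example, not from the original post. Assumes English netstat output.
function Get-PortOwner {
    param([string[]]$NetstatLines, [int]$Port)
    foreach ($line in $NetstatLines) {
        $f = $line.Trim() -split '\s+'
        if ($f[0] -ne 'TCP' -and $f[0] -ne 'UDP') { continue }   # skip headers
        $local = $f[1]
        # Port is the text after the last colon; this also handles [::]:161.
        if ([int]$local.Substring($local.LastIndexOf(':') + 1) -ne $Port) { continue }
        # TCP rows have a State column; keep only listeners. UDP rows have none.
        if ($f[0] -eq 'TCP' -and $f[3] -ne 'LISTENING') { continue }
        $owner = [int]$f[-1]                                     # PID is the last column
        $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Proto   = $f[0]
            Local   = $local
            OwnerId = $owner
            Process = $(if ($proc) { $proc.ProcessName } else { '(not running here)' })
        }
    }
}

# Constructed sample lines in netstat -nao layout; find "161" would match all three.
$sample = @(
    '  UDP    0.0.0.0:161            *:*                                    1960',
    '  TCP    0.0.0.0:1610           0.0.0.0:0              LISTENING       4321',
    '  TCP    10.0.0.5:49161         10.0.0.9:443           ESTABLISHED     2210'
)
Get-PortOwner -NetstatLines $sample -Port 161

# Live lookup on the local machine.
Get-PortOwner -NetstatLines (netstat -nao) -Port 161
```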

Hope this helps someone!!!