Passed EC-Council CHFI (Computer Hacking Forensics Investigator)

Posted by Ahmed Nabil | 1 comments»
Last week I passed the EC-Council CHFI exam (312-49). This is my second certification with EC-Council after taking the CEH exam. From my point of view The CEH exam was harder than the CHFI as it covers broad range of technical areas. The CHFI lays a good foundation for the Forensics domain, however if you are taking the Forensics as a job then I would recommend going to CHFI plus GIAC Forensics Certification or Guidance Software (EnCase).

Teredo with UAG SP1 Direct Access not working

Posted by Ahmed Nabil In , | 0 comments»
This problem was reported on a standard DirectAccess implementation scenario where all clients aren’t able to connect using Teredo and they all fall back to IPHTTPS which is the last resort for any DirectAccess connection.

Symptoms:
1.       When checking the Teredo Interface state, the following was displayed.
Netsh int teredo show state
Client Type             : teredo host-specific relay
The Client type should have been Teredo Client for a successful Teredo connection.
2.       I disabled the IPHTTPS interface to ensure it won’t fall back to the IPHTTPS option, opened wf.msc (windows Firewall with advanced security mmc) and navigate to monitoring – Security associations – Main Mode and Quick Mode. Both displayed nothing as shown in the figure below. This indicated IPSEC connection failure
Windows Firewall with advanced Security

3.       After capturing both server and client logs and with the help of a Microsoft senior engineer we noticed the following error
 Windows error 13887(ERROR_IPSEC_IKE_CERT_CHAIN_POLICY_MISMATCH)


Resolution:
1.       A recent KB was released from Microsoft to address this specific Certificate problem with a recommended fix. This fix needs to be applied on both the DirectAccess Server and Client.

2.       It turned out that the DirectAccess server has an Antivirus solution which seems to load several modules like NAC and others although it was configured to run normal AV file protection.

 After applying the Fix and removing the AV from the UAG server the clients were able to connect normally using Teredo.