As any seasoned webmaster may have known, Cloudflare’s free SSL certificate while convenient for most use cases, are very restrictive in edge cases. For example when you want to have.a.vanity.url.com for your website, Cloudflare won’t work (only vanity.url.com part is permitted).
What can you do? Other than paying cloudflare $10 / month and get a custom-made edge certificate?
http://www.example.com/blog/+ [extra directory before the +] http://www.example.com+ [no trailing slash]
Once you have created the pattern that matches what you want, click the Forwarding toggle. That exposes a field where you can enter the address I want requests forwarded to.
If I enter that in the forwarding box and click the Add Rule button within a few seconds any requests that match the pattern I entered will automatically be forwarded with a 302 Redirect to the new URL.
Advanced forwarding options:
If you use a basic redirect, such as forwarding the root domain to www.yourdomain.com, then you lose anything else in the URL. For example, you could setup the pattern:
And have it forward to:
But then if someone entered:
Then they’d be redirected to:
Not where you’d want them to go:
The solution is to use variables. Each wildcard corresponds to a variable when can be referenced in the forwarding address. The variables are represented by a $ followed by a number. To refer to the first wildcard you’d use $1, to refer to the second wildcard you’d use $2, and so on. To fix the forwarding from the root to www in the above example, you could use the same pattern:
You’d then setup the following URL for traffic to forward to:
In this case, if someone went to:
They’d be redirected to:
Using this and set up a rule like
and forward it to
You can redirect it somewhere else or create a website for it
Due to strict requirements of security for finance businesses, a finance company’s network should be isolated from outside environment. This has the effect of shielding making the entire software infrastructure less prone to software invulnerabilities and thus external attacks. However, this does not eliminate the need for software updates since the network’s operation can still be disrupted by internal sabotage or worm infection from careless users.
Since large financial institutions often have management workflows, updates are subject to prior approval by the management and not all updates maybe approved. The process of maintaining software updates manually, which includes downloading, tracking, approving and installing’s cost could escalate as vulnerabilities are discovered over time and software enhancements are made.
As a major software manufacturer, Microsoft is aware of this issue and have developed Windows Software Update Service (WSUS) as a solution for the update management problem. WSUS allows for approval, mass install, provides a central configuration point and thus reduces the maintenance cost.
This document tried to summarize the knowledge needed for installing and applying WSUS’s update model to an isolated network. This includes:
1. The requirements and how to install WSUS under the isolated model.
2. Configuring WSUS and the approval workflow with WSUS.
3. Synchronize update databases between computers.
4. Configure clients to receive intranet software updates.
Figure 1 A typical corporate intranet
The picture above describes a typical “closed-circuit” corporate network, which connects computers within a branch and branches together. This network is isolated from outside environment (e.g. the internet or other non-corporate affiliated networks).
Two servers, disconnected model
Because the update server must be connected to the internet somehow (to receive updates from the root update server – Microsoft’s), the safest model for this application is to utilize two server – one to receive updates from outside and one to propagate updates inside the intranet. Data would be manually synchronized between the two machines by various means like tapes, external HDDs or an ad-hoc network. Tape and HDD synchronization theoretically is the most secure option, since no connection is required between two machines and thus, makes data leaks and network penetrations almost impossible (data can only go in and can’t go out). Also, update package’s integrity is always verified with digital signatures from Microsoft so they can’t be compromised.
Figure 2 Two servers model
Package approvals can be made on the internal server. Subsequent package updates from the external server will not affect existing approvals.
Although being the most secure option, this model is costly to deploy:
It requires an additional server to receive updates from the internet.
It requires additional data containing medium (tapes, HDDs) to synchronize the servers securely.
It takes time to synchronize (updates are usually large – to the extent of terabytes and external storage media is usually slow)
This technical note is focused primarily on how to configure and make servers perform this role.
One server, switching connection model
Figure 3 Switching connection model – update phase
Figure 4 Switching connection model – distributing phase
To avoid the cost of an additional server and updating time, this one-server model can be used. The update server could switch between two connections: one to the internet (to download updates) and one to the internal network (to distribute updates). The switch could be made at anytime because WSUS itself could handle partial downloads.
With this model, penetrations and leaks may occur if a malicious party could install a drone in the update server to execute predetermined commands or probe for data from the internal network. Therefore t is advised that the update server be carefully firewalled and allow only the update service to access the network interface.
Also, the update server must be dedicated to the role can can’t perform other server roles since it could be disconnected from the internal network at any time.
One server, always on model
Figure 5 One server, always on model
This model is similar to the one server, switching model except that both the connection to the internal network and the internet is always on to the update server. This way, the update server can continuously update its repository and distribute the update to internal computers. The update server acts similar to a router that allow the computers in the internal network to access the internet, except that the only kind of data that can get through is updates and this data also subjects to approval in WSUS.
This model requires an additional interface for the update server. However, the server can also perform other roles for the internal network, since it is always connected.
This model is the least secure of all three. It poses a serious security threat to the internal network in case the update server is compromised by a malicious party. Therefore, making sure the update server itself is up-to-date with the latest security patches and strict firewall configuration is a must.
Comparison between models
One server, switch
One server, always on
Medium (Two servers and transfer media setup)
Low (One server and firewall setup)
High (Update approval on internal server and decide when to sync.)
Medium (Need to decide when to switch)
Low (Update approval only)
High (Manual sync.)
Medium (Manual/Automatic switch required)
Low (Usual security and maintenance checks only)
Configuring WSUS servers
WSUS setup process is straightforward. A configuration wizard is started after WSUS installation is completed to help users configure WSUS. This wizard can be accessed later through the option item in WSUS configuration snap-in (Control panel à Administrative tools à Microsoft Windows Server Update Services)
WSUS can be configured to pull data from another WSUS server instead of the default Microsoft server (useful when deploying the two server model, connected with an ad-hoc network). Other configuration options are visible on Figure 6 and to the left of Figure 7. It should be noted that this wizard should not be followed on the internal server in the two server model since it requires a direct connection to the upstream update server to continue past step 4. Actually no configuration is needed in this case.
Computers in the internal network could be configured into groups to manage which update should or should not be installed on them. WSUS can only manage clients which have reported to it. Refer to section “Configuring clients” for details on how to configure clients.
Figure 8 Client management screen, listing all active clients
Figure 9 Update approval / rejection
Figure 10 Detailed status report for a client, with report viewer installed
After being properly configured, clients will automatically pull updates from the WSUS server and install them if those update packages are approved and have not been installed already.
Synchronizing update repositories
Deploying the two servers model with tapes and external HDDs require manual export and import of update data. “Update data” includes:
Package executables themselves, which are saved as files in WSUS’ update repository (the default folder is C:WSUSWsusContent and can be changed during WSUS’ setup). This is synchronized simply by copying the content of the entire folder.
Information about the packages such as checksum and verification data, termed “metadata”. See “Exporting metadata” and “Importing metadata” for details.
WSUS requires both kind of data to be synchronized to work.
Usually, the list of available updates and their metadata is downloaded before the update packages themselves. WSUS will not distribute such incomplete packages.
Figure 11 Warning when package’s files have not been downloaded
Syntax: wsusutil export <datafile> <logfile>. This will produce a metadata container file (.cab) and a log file (.log). Both are needed for metadata import. The exporting process could take a while.
Figure 12 Exporting metadata
Syntax: wsusutil import <datafile> <logfile>.
Figure 13 Metadata import
To make client update through the new WSUS server instead of the default (Microsoft’s server), the policy for the domain should be modified as in Figure 14 to point to the new WSUS server: http://<servername>.
Figure 14 Client configuration (illustrated with local policy editor)
To edit corporate policy, you con either use the Group Policy Management Console, right click the OU you want to apply WSUS policy and select create policy, you should now see he Group policy object editor similap to tho above screenshot.
Alternatively, you can open Active Directory users and computers, open the properties windows for the OU you want, select the policy tab and click Add (or edit an existing policy).
After policy modification, it may be necessary to:
Forces refresh the active policy with gpupdate /force (which will be automatically refreshed in 15 minutes anyways).
Clear Internet Explorer’s cache on the client to force reload of update configuration files downloaded from the previous update server.
Reauthorize Automatic updates on the client so it is registered on the update server with wuauclt.exe /resetauthorization /detectnow.
Make sure that Automatic Update for the client is enabled.
Figure 15 Windows XP Automatic updates configuration screen (My computer à Properties)
Upon successful configuration, the client will appear on WSUS configuration snap-in as in Figure 8.
For those you don’t know the difference between .ac and .edu: .dot edu is an abbreviation for “education”, which means any entity with educational purpose could use this domain, including elementary schools, high schools, vocational colleges and I haven’t seen this but it’s a possibility: kindergartens. Dot ac, on the other hand, stands for “academic”, which means higher education institutes and research is their main function.
So… my university is in the same domain with naughty kids and hysterical teenagers :”( while entities that I never heard about has the “noble” .ac ~_~. It’s like .ac has a really high standard that even a university couldn’t meet!
Side note: in the United Kingdom and Japan it seems like nobody uses .edu, only .ac; perhaps they want to tell everyone in the world that they don’t allow idiots to enter any educational facilites! For the U.S, it’s always .edu and no .ac (they got the 1st level domains already :P)
No, It’s not!
Source: The Google search above, now they are hiring poets for an IT research instute? 😛
I couldn’t get what VNNIC was thinking allowing the allocation of that. Higher learning institutes got a 3rd level domain while a SMS service bastard get the 2nd level national domain!? What kind of planning is that? Or in Vietnam cell phones are used (more relevant to people) than brains? Sadly nothing could be done, ’cause if you ask them, they I’ll be like “Canadians did that too”.
Doubting that this “www” would be allocated like that somewhere else too, I tred www.edu.vn, name.vn, gov.vn, info.vn, biz.vn etc. Luckily, they are all pointed at dot.vn; so looks like the .ac is an “isolated case” and no one would be held responsible when those reporters find out 😛
Who’s the most advanced
Yesterday I was searching for Russia’s prime minister’s duty and terms, I came across this article and wondered if Vietnam’s prime minister has a page. Sure, I added it to the article. Now some would say Vietnam is no less technology advanced than Thailand or Singapore ;), the parliament (or “national assembly” as it is translated) has a site too.