Tuesday, July 8, 2025

Checking Network Connections on Windows Servers

When you're managing Windows servers, being able to quickly check network connections is essential. This helps in troubleshooting issues like applications not connecting, or services not communicating. We'll look at some straightforward commands to help you diagnose these problems.


TESTING SPECIFIC CONNECTIONS (PowerShell)

The Test-NetConnection command is a powerful tool in PowerShell for checking connectivity to a specific IP address and port.

  • How to use it:

    test-netconnection IPAddress -port XXXXX

  • Replace IPAddress with the actual IP address of the server you're trying to reach.

  • Replace XXXXX with the specific port number that the service (like a license server) is listening on.

This command will tell you if a connection can be established, making it great for verifying if a service is reachable on a particular port.


USING TELNET FOR BASIC CONNECTIVITY

Telnet is a simple command-line tool that can test connectivity to a port. It's often used to see if a port is open and listening.

  • ENABLING TELNET CLIENT

    By default, the Telnet Client might not be installed on Windows Server. You need to enable it first.

    dism /online /Enable-Feature /FeatureName:TelnetClient

    This command uses DISM (Deployment Image Servicing and Management) to add the Telnet Client feature.

  • TESTING WITH TELNET

    Once enabled, you can use Telnet to test a connection.

    telnet -a IPAddress XXXXX

    Again, replace IPAddress with the target server's IP and XXXXX with the port. If you see a blank screen or a connection successful message, it usually means the port is open. If it fails quickly, the port might be blocked or the service isn't running.


VIEWING ACTIVE NETWORK CONNECTIONS (NETSTAT)

netstat is a command-line utility that displays active network connections, routing tables, and a number of network interface statistics. It's great for seeing what your server is connected to, and what ports it's listening on.

  • SHOW ALL CONNECTIONS AND LISTENING PORTS

    netstat -a

    This command will list all active TCP connections and the TCP and UDP ports on which the computer is listening.

  • SHOW NUMERICAL ADDRESSES AND PORT NUMBERS

    netstat -n

    This variation shows addresses and port numbers in their numerical form, which can be quicker and avoid DNS lookups.


MANAGING WINDOWS FIREWALL (NETSH ADVFIREWALL)

The Windows Firewall can often be the reason why connections aren't working. The netsh advfirewall command allows you to view and manage firewall settings.

  • SHOW ALL FIREWALL PROFILES

    netsh advfirewall show allprofiles

    This command displays the settings for all firewall profiles (Domain, Private, and Public).

  • CHECK SPECIFIC FIREWALL PROFILES

    You can check the status of individual profiles:

    netsh advfirewall show domainprofile

    netsh advfirewall show privateprofile

    netsh advfirewall show publicprofile

    These commands show the specific settings for the domain, private, or public network profiles respectively.

  • CHANGE FIREWALL PROFILE STATE

    You can enable or disable firewall profiles if needed, though this should be done with caution.

    netsh advfirewall set allprofiles state [on/off]

    Replace [on/off] with on to enable or off to disable all profiles.

Configuring Windows Server 2022 for Windows Authentication to SQL Managed Instance

This comprehensive guide walks through the essential steps to enable Windows Authentication from Windows Server 2022 to Azure SQL Managed Instance using Microsoft Entra ID and the modern interactive authentication flow.

Prerequisites and System Requirements

For Windows Server 2022 to successfully connect to Azure SQL Managed Instance using Windows Authentication, several prerequisites must be met:

  • Operating System: Windows Server 2022 or higher is required for the modern interactive authentication flow
  • Microsoft Entra ID Integration: On-premises Active Directory must be synchronized with Microsoft Entra ID using Microsoft Entra Connect
  • Device Join Status: The server must be Microsoft Entra hybrid joined or Microsoft Entra joined
  • Interactive Authentication: Applications must connect via interactive sessions (supports SSMS and web applications, but not service applications)

Ensuring Microsoft Entra Hybrid Join Status

Verification Commands


To verify that your Windows Server 2022 is properly Microsoft Entra hybrid joined, use the following diagnostic command:

dsregcmd.exe /status



A properly configured hybrid-joined device should show:

AzureAdJoined: YES
DomainJoined: YES
DeviceId: A valid GUID value

Addressing Pending State Issues

If devices appear in a "pending" state in the Microsoft Entra admin center, this indicates that the hybrid join process hasn't completed successfully. Common scenarios include:

  • New Domain-Joined Devices: Devices that can't complete the registration process due to connectivity or configuration issues
  • Previously Registered Devices: Devices that were moved between organizational units or had their registration disrupted

Resolving Pending State with Scheduled Tasks


For machines in a pending state, the Automatic-Device-Join scheduled task is crucial for completing the hybrid join process. This task is located under:

Task Scheduler Library > Microsoft > Windows > Workplace Join > Automatic-Device-Join

Enabling the Scheduled Task

If the task is disabled (which can happen on some systems), enable it using PowerShell:

Enable-ScheduledTask -TaskPath "\Microsoft\Windows\Workplace Join\" -TaskName "Automatic-Device-Join"

Manual Task Execution


To trigger the device registration process immediately, run the task manually:

schtasks.exe /run /tn "Microsoft\Windows\Workplace Join\Automatic-Device-Join"

Important Notes:

  • This command requires local administrator privileges.
  • The user must be signed in for the task to complete successfully.
  • The task may need to run twice: once to generate the userCertificate attribute, and again after Azure AD Connect synchronization to complete registration.

Understanding the Device Registration Process


The hybrid join process involves multiple components working together:

  • Automatic-Device-Join Task: Runs at user logon and generates device certificates
  • Azure AD Connect: Synchronizes device information from on-premises AD to Microsoft Entra ID
  • userCertificate Attribute: Generated by the device and stored in Active Directory for Azure AD Connect to sync

The task triggers on:
  • User logon events
  • Event ID 4096 in the Microsoft > Windows > User Device Registration log
  • Hourly intervals


Configuring Group Policy for Kerberos Authentication

Essential Group Policy Setting


To enable the modern interactive authentication flow for Windows Authentication to SQL Managed Instance, configure the following group policy setting:

Path: Administrative Templates\System\Kerberos\Allow retrieving the cloud Kerberos ticket during the logon

Configuration Steps

  1. Open Group Policy Editor on your domain controller or management system
  2. Navigate to the policy path:
    • Computer Configuration
    • Administrative Templates
    • System
    • Kerberos
  3. Configure the setting:
    • Select "Allow retrieving the cloud kerberos ticket during the logon"
    • Set the policy to Enabled
    • Click OK to save the configuration

Registry Implementation

This policy setting configures the following registry value:
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters
Value Name: CloudKerberosTicketRetrievalEnabled
Value Type: REG_DWORD
Enabled Value: 1

After enabling the group policy, users with existing logon sessions may need to refresh their Microsoft Entra Primary Refresh Token (PRT):
dsregcmd.exe /RefreshPrt

This command should be run from an elevated command prompt to ensure the PRT is properly refreshed.

Verification and Testing


To verify that Kerberos tickets are being retrieved correctly, use the following command after user logon:

klist

You should see Kerberos tickets from kerberos.microsoftonline.com indicating that cloud Kerberos authentication is functioning.

Authentication Flow Overview


The modern interactive authentication flow enables the following process:

  1. Client Authentication: Windows Server 2022 authenticates to Microsoft Entra ID using hybrid join credentials
  2. Kerberos Ticket Request: The system requests a cloud Kerberos ticket during logon
  3. SQL Authentication: Applications use the cloud Kerberos ticket to authenticate to Azure SQL Managed Instance
  4. Seamless Access: Users experience single sign-on without requiring line-of-sight to domain controllers

This configuration eliminates the need for traditional trust relationships and enables secure authentication to cloud resources while maintaining familiar Windows Authentication experiences for applications and users.

Troubleshooting Common Issues

Device Registration Problems


Monitor the following event logs for troubleshooting device registration issues:

Event Viewer Path: Microsoft > Windows > User Device Registration > Admin
Key Events: Look for events 204, 304, and 4096

Group Policy Application

Ensure group policy is properly applied by:
  • Running gpupdate /force on target servers
  • Verifying the registry value is set correctly
  • Checking that the policy applies to the correct organizational units

Network Connectivity

Verify that Windows Server 2022 can reach the required Microsoft endpoints for device registration and Kerberos authentication:
  • https://enterpriseregistration.windows.net
  • https://login.microsoftonline.com
  • https://device.login.microsoftonline.com

By following these comprehensive steps, Windows Server 2022 systems will be properly configured to use Windows Authentication with Azure SQL Managed Instance through the modern interactive authentication flow, providing seamless and secure access to cloud database resources.

Thursday, June 26, 2025

Configure NGinx to serve static files and Apache for dynamic

In CentOS 6.x
Follow these steps for installation.

rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

Now that the repo is installed, we need to install NGinx:

yum install nginx

Configuring NGinx

Now that NGinx is installed we need to create a VirtualHost (actually NGinx calls them Server Blocks) for each site we are hosting.

nano /etc/nginx/conf.d/virtual.conf

# Insert one of these for each of the virtualhosts you have configured in Apache
server {
    listen 80;
    root /path/to/site/root;
    index index.php index.html index.htm;
    server_name www.yourdomain.com yourdomain.com;

    location / {
        try_files $uri $uri/ /index.php;
    }

    location ~ \.php$ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;
    }

    location ~ /\.ht {
        deny all;
    }
}

This configuration tells NGinx to try and serve the requested file, but to pass the request onto Apache if it's unable to do so. Requests for PHP files should be forwarded automatically. Apache will be told who requested the file in the 'X-Forwarded-For' header.

The final section tells NGinx to refuse requests for .htaccess files, as no one wants anyone to see the contents of these.


Configuring Apache

We want users to hit our NGinx installation (otherwise this effort is wasted) but Apache is currently sitting on port 80. So we're going to move it to 8080 (given that's the port we specified in the NGinx configuration we created).

nano /etc/httpd/conf/httpd.conf
# Find the following
Listen (someIP) 80
# Change the port to
Listen 127.0.0.1 8080

# Now at the bottom of the file, you'll find your virtualhost directives,
# Change all port definitions of 80 to 8080
# Don't forget the Default virtualhost definition
# <virtualhost *:80> becomes <virtualhost *:8080>

We change the Listen address as we don't want external hosts to access Apache directly, everything should go through NGinx. Ideally, we also want to forbid outside access to port 8080 at the firewall to ensure that the point of entry to our system is restricted to the authorised route - through NGinx.

Start the Services
We've now configured Apache to listen on a different port, so all we need to do now is restart Apache (so that it moves to port 8080) and start NGinx so that it can start handling requests.

  • service httpd restart
  • service nginx start

Now if you browse to your site, nothing should have changed visibly. However, if you check the HTTP headers you should see NGinx instead of Apache; checking a phpinfo file should still show Apache as having called the PHP parser, though.
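As an added check that is not part of the original post, the script below confirms the end state described above from `ss -ltn` output: Apache bound only to 127.0.0.1:8080 and NGinx on port 80. SAMPLE_SS is a constructed listing of that state; check_live runs the same test on the real system.

```shell
# Added example (not from the original post): classify who can reach a
# listening port from `ss -ltn` output. SAMPLE_SS is constructed to show
# the end state the post aims for (Apache loopback-only on 8080, NGinx
# exposed on 80).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*
LISTEN 0      128    [::]:80             [::]:*
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

# port_exposure PORT  (reads ss -ltn output on stdin)
# Prints "loopback" if every listener on PORT is bound to a loopback
# address, "exposed" if any listener on PORT is bound elsewhere, and
# "absent" if nothing listens on PORT at all.
port_exposure() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            la = $4                       # e.g. 127.0.0.1:8080 or [::]:80
            n = split(la, parts, ":")
            if (parts[n] != port) next    # port is the last colon field
            found = 1
            addr = la
            sub(/:[0-9]+$/, "", addr)     # strip ":PORT" to get the address
            if (addr !~ /^127\./ && addr != "[::1]") exposed = 1
        }
        END {
            if (!found) print "absent"
            else if (exposed) print "exposed"
            else print "loopback"
        }'
}

# Wrappers: check the constructed sample, or the live system.
check_sample() { printf '%s\n' "$SAMPLE_SS" | port_exposure "$1"; }
check_live()   { ss -ltn | port_exposure "$1"; }

# Expected verdicts for the sample: 8080 loopback-only, 80 exposed
# (that is the public entry point), nothing on 9000.
main() {
    echo "apache 8080: $(check_sample 8080)"
    echo "nginx  80:   $(check_sample 80)"
    echo "port   9000: $(check_sample 9000)"
}
main
```

If check_live 8080 prints "exposed" after the restart, Apache is still reachable around NGinx and the Listen line or the firewall rule needs another look.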

 

Installing FFmpeg on Linux RHEL/CentOS 6.X

FFmpeg :

FFmpeg is, put simply, a tool that implements a decoder and an encoder. It is a complete, cross-platform solution to record, convert, and stream audio and video, which lets users convert files from one format to another.

Features :

  • FFmpeg is free software licensed under the LGPL or GPL, depending on the configuration options you choose.

  • FFmpeg hosting can convert any video format to the web-optimized .flv format so that it can be streamed on the website.

  • FFmpeg provides a command-line tool to convert multimedia files between formats.


Steps to install FFmpeg on Linux RHEL/CentOS 6.X

  

Step 1 : Create the FFmpeg repository file

Open the repository directory:

[root@bsrtech ~]# cd /etc/yum.repos.d/

Create a repository file named ffmpeg.repo (any name will do) and open it with vi:

[root@bsrtech yum.repos.d]# vim ffmpeg.repo

Step 2 : Write the following into that file

[ffmpeg]
name=FFmpeg RPM Repository for Red Hat Enterprise Linux
# 64-bit OS
baseurl=http://apt.sw.be/redhat/el6/en/x86_64/dag/
# 32-bit OS: use this baseurl instead
#baseurl=http://apt.sw.be/redhat/el6/en/i386/dag/
gpgcheck=1
enabled=1

Save and quit the file (:wq)

Step 3 : Copy the conf file into the lib directory

Copy the /etc/ld.so.conf file into the /usr/local/lib/ directory:

[root@bsrtech ~]# cp -r /etc/ld.so.conf /usr/local/lib/

Then run this command:

[root@bsrtech ~]# ldconfig -v

Step 4 : Install the rpmforge repository

For 32-bit OS:

[root@bsrtech ~]# rpm -Uvh http://apt.sw.be/redhat/el6/en/i386/rpmforge/RPMS/rpmforge-release-0.5.3-1.el6.rf.i686.rpm

For 64-bit OS:

[root@bsrtech ~]# rpm -Uvh http://apt.sw.be/redhat/el6/en/x86_64/rpmforge/RPMS/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm

Once it is installed, update the installed packages with the yum update command:

[root@bsrtech ~]# yum update

Step 5 : Now install ffmpeg and ffmpeg-devel

[root@bsrtech ~]# yum -y install ffmpeg ffmpeg-devel

( or )

[root@bsrtech ~]# yum -y install ffmpeg*

After completion, use the ffmpeg command to see the full details of FFmpeg:

[root@bsrtech ~]# ffmpeg

Simplest rules to Redirect using .htaccess

How to write rewrite rule (URL rewriting, mod_rewrite)
(1) Redirect site from http to https :
Add the below in .htaccess file in public_html
===================================================
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
===================================================

(2) Redirecting a domain to another domain via .htaccess
Example :- redirect shaz.com to google.com
===================================================
RewriteEngine on
RewriteCond %{HTTP_HOST} ^shaz\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.shaz\.com$
RewriteRule ^/?$ http://www.google.com/ [R=301,L]
===================================================
(3) Redirect users to access the site with WWW
example :- redirect shaz.com to www.shaz.com
Add the below in .htaccess file
===================================================
RewriteEngine on
RewriteCond %{HTTP_HOST} ^shaz\.com$ [NC]
RewriteRule ^(.*)$ http://www.shaz.com/$1 [L,R=301]
===================================================

(4) Redirect page to another page within public_html
example :- to redirect home.html to index.php
===================================================
RewriteEngine on
RewriteRule ^home\.html$ index.php
===================================================

example2 :- rewrite site shaz.com/kb/index.php to shaz.com/blog/index.html
go to kb directory and create a .htaccess file
+++++++++++++++++++++++++++++++++++++++++++++++++++
#cd public_html/kb
#touch .htaccess
#vi .htaccess
+++++++++++++++++++++++++++++++++++++++++++++++++++
===================================================
RewriteEngine on
RewriteRule ^index\.php$ /blog/index.html
===================================================

Step-by-Step: Installing Home Assistant OS on VMware vSphere

This guide uses the official Home Assistant OS 12.3 VMDK image from GitHub and adapts it for vSphere environments.

Prerequisites

  • VMware vSphere 7.0+ access
  • Download haos_ova-12.3.vmdk.xz from GitHub Release 12.3
  • 7-Zip or similar extraction tool

Installation Steps

  1. Prepare the VMDK:
    • Extract the downloaded .xz file to get haos_ova-12.3.vmdk
    • Rename to home-assistant.vmdk
  2. Create Virtual Machine:
    • Guest OS Family: Linux
    • Version: Other Linux 5.x kernel 64-bit
    • Hardware:
      • 2 vCPU minimum
      • 2 GB RAM minimum
      • Remove all default storage devices
  3. Upload VMDK to Datastore:
    • Use Datastore Browser to upload home-assistant.vmdk
  4. Convert Disk Format: (Required for vSphere compatibility)
    vmkfstools -i /vmfs/volumes/[DATASTORE]/home-assistant.vmdk /home-assistant-converted.vmdk
  5. Configure Virtual Hardware:
    • Add SCSI Controller: LSI Logic SAS
    • Attach converted VMDK as existing hard disk
    • Network: Bridged adapter
  6. Enable UEFI Boot:
    • Edit VM Settings > VM Options > Boot Options
    • Firmware: EFI
    • Disable Secure Boot

First Boot Configuration

  • Power on the VM
  • Access via web browser:
    • http://homeassistant.local:8123
    • or use assigned IP address

Troubleshooting Tips

Issue                           Solution
"Unsupported disk type" error   Re-run the vmkfstools conversion
Boot failure                    Verify EFI settings in VM options
Network unreachable             Check bridged network configuration

After successful installation, you can expand storage or add USB controllers for Zigbee/Z-Wave devices through vSphere's hardware settings.

Friday, April 25, 2025

How to Configure Static IP Address Using nmcli in Linux

Configuring a static IP address is a common task for Linux administrators, especially when setting up servers or virtual machines that require consistent network settings. The nmcli command-line tool, part of NetworkManager, provides a powerful and scriptable way to manage network connections without a GUI. In this guide, we’ll walk through the essential nmcli commands to set a static IPv4 address, gateway, DNS, and disable IPv6 for a network interface.

Step-by-Step: Setting a Static IP Address with nmcli

Let’s assume your network interface is named ens33. Here’s how to configure it:

  1. Assign a Static IPv4 Address
    nmcli con mod ens33 ipv4.addresses "172.16.3.150/16"
    This sets the IP address to 172.16.3.150 with a subnet mask of 255.255.0.0 (CIDR /16).
  2. Set the Default Gateway
    nmcli con mod ens33 ipv4.gateway "172.16.0.1"
    This command configures the default gateway for outgoing traffic.
  3. Configure DNS Server
    nmcli con mod ens33 ipv4.dns "8.8.8.8"
    This sets Google’s DNS server for name resolution. You can add multiple DNS servers by separating them with a comma, e.g., "8.8.8.8,8.8.4.4".
  4. Disable IPv6 (Optional)
    nmcli con mod ens33 ipv6.method "disabled"
    If your environment does not use IPv6, disabling it can simplify network troubleshooting and improve security.
  5. Set IPv4 Method to Manual
    nmcli con mod ens33 ipv4.method manual
    This ensures that the interface uses manual (static) configuration instead of DHCP.

Applying the Changes

After making these changes, you need to bring the connection down and back up for the settings to take effect:

  • nmcli con down ens33
  • nmcli con up ens33

Example: Complete Static IP Setup Script

  • nmcli con mod ens33 ipv4.addresses "172.16.3.150/16"
  • nmcli con mod ens33 ipv4.gateway "172.16.0.1"
  • nmcli con mod ens33 ipv4.dns "8.8.8.8"
  • nmcli con mod ens33 ipv6.method "disabled"
  • nmcli con mod ens33 ipv4.method manual
  • nmcli con down ens33
  • nmcli con up ens33
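Before running that sequence on a remote server it is worth checking that the gateway actually lies inside the subnet the new address puts the interface on; otherwise "nmcli con down" is the last command you get to run. The script below is an added example, not part of the original guide: it validates the guide's values (172.16.3.150/16 and 172.16.0.1) and only then prints the nmcli commands, with the connection name ens33 assumed as in the guide.

```shell
# Added example (not the guide's own script): sanity-check the static
# settings, then print the nmcli sequence from the guide as a dry run.

# ip4_to_int DOTTED -> prints the IPv4 address as a 32-bit integer
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 2
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# gateway_in_subnet ADDR/PREFIX GATEWAY -> true only if GATEWAY is a
# different host inside the subnet defined by ADDR/PREFIX
gateway_in_subnet() {
    case $1 in */*) ;; *) return 2 ;; esac
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" -ge 0 ] && [ "$prefix" -le 32 ] || return 2
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    a=$(ip4_to_int "$addr") || return 2
    g=$(ip4_to_int "$2") || return 2
    [ "$a" != "$g" ] && [ $(( a & mask )) -eq $(( g & mask )) ]
}

# static_ip_commands CON ADDR/PREFIX GATEWAY DNS -> prints the guide's
# nmcli commands, or refuses with a message if the gateway check fails
static_ip_commands() {
    con=$1; addr=$2; gw=$3; dns=$4
    if ! gateway_in_subnet "$addr" "$gw"; then
        echo "refusing: gateway $gw is not inside $addr" >&2
        return 1
    fi
    printf '%s\n' \
        "nmcli con mod $con ipv4.addresses \"$addr\"" \
        "nmcli con mod $con ipv4.gateway \"$gw\"" \
        "nmcli con mod $con ipv4.dns \"$dns\"" \
        "nmcli con mod $con ipv6.method \"disabled\"" \
        "nmcli con mod $con ipv4.method manual" \
        "nmcli con down $con && nmcli con up $con"
}

# Dry run with the guide's values; pipe the output into sh to apply it.
static_ip_commands ens33 172.16.3.150/16 172.16.0.1 8.8.8.8
```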

Additional Tips

  • Check Connection Name: Use nmcli con show to list all available connections and confirm your interface name (e.g., ens33).
  • Disable IPv6 for Other Connections: Replace ens33 with your actual interface name as needed.
  • Verify Configuration: After applying changes, use ip addr and nmcli dev show ens33 to verify your settings.

Summary Table: Key nmcli Commands

Command                                         Description
nmcli con mod ens33 ipv4.addresses "IP/CIDR"    Set static IP address and subnet
nmcli con mod ens33 ipv4.gateway "GATEWAY"      Set default gateway
nmcli con mod ens33 ipv4.dns "DNS"              Set DNS server(s)
nmcli con mod ens33 ipv6.method "disabled"      Disable IPv6
nmcli con mod ens33 ipv4.method manual          Set IPv4 configuration to manual
nmcli con down ens33                            Deactivate the connection
nmcli con up ens33                              Activate the connection

With these nmcli commands, you can quickly and reliably configure static IP settings on your Linux systems, making network management more efficient and consistent.

Installing PHP 8.3 on RHEL-based Systems: A Step-by-Step Guide


PHP stands as a cornerstone of web development, a versatile scripting language and interpreter renowned for its open availability and prevalent use on Linux-based web servers. Keeping your PHP installation up-to-date is crucial for performance, security, and access to the latest features. This guide walks you through the process of installing PHP 8.3 on your Red Hat Enterprise Linux (RHEL) based system, leveraging the EPEL and REMI repositories for a streamlined experience.

Adding the EPEL and REMI Repositories

To gain access to a wider range of software packages, including the latest PHP versions, we'll add the Extra Packages for Enterprise Linux (EPEL) and the Remi Community Repository (REMI) to your system's package manager. Execute the following commands in your terminal:

Bash
sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
sudo dnf -y install https://rpms.remirepo.net/enterprise/remi-release-9.2.rpm

Note: The dnf command is the package manager used in modern RHEL-based systems like CentOS, Fedora, and AlmaLinux. Both release packages must match the major version of your host (the commands above are for EL9; on EL8 use epel-release-latest-8 and remi-release-8). The -y flag automatically confirms the installation, so proceed with caution.

Installing Yum Utilities

The yum-utils package provides a collection of helpful utilities for managing your DNF repositories and packages. Install it using the following command:

Bash
sudo dnf -y install yum-utils

Although the package name mentions yum, on newer systems yum is usually just a symbolic link to dnf, so this command works seamlessly.

Enabling the PHP 8.3 Remi Repository

The REMI repository offers more recent PHP versions than the default RHEL repositories. To enable the PHP 8.3 stream from REMI, you'll first need to reset any active PHP modules and then enable the specific PHP 8.3 module:

Bash
sudo dnf module reset php
sudo dnf module install php:remi-8.3

The dnf module reset php command ensures a clean slate by disabling any previously enabled PHP modules. Following this, dnf module install php:remi-8.3 activates the PHP 8.3 module provided by the REMI repository.

With these steps completed, your system is now configured to install PHP 8.3 and its associated packages from the REMI repository. You can now proceed to install PHP 8.3 and any extensions you require using the dnf install php php-<extension-name> command.

Fixing “Permission Denied” Errors in Nginx Reverse Proxy Setups with SELinux

Running Nginx as a reverse proxy on a system with SELinux enabled can sometimes lead to frustrating errors like:

[crit] connect() to 172.16.5.32:32400 failed (13: Permission denied) while connecting to upstream, client: 172.16.0.1, server: rplex.adminz.in, request: "GET /web/index.html HTTP/2.0", upstream: "http://172.16.5.32:32400/web/index.html", host: "rplex.adminz.in:8443"

If you’re seeing this, SELinux is likely blocking Nginx from making outbound network connections to your upstream servers. Here’s how you can diagnose and fix the issue.

Understanding the Problem

When SELinux is in enforcing mode, it restricts what processes can do—even if you’re running as root. By default, Nginx (and other web servers running under the httpd_t SELinux context) cannot make arbitrary outbound network connections. This is a security feature, but it can block legitimate reverse proxy setups.

Typical log entries look like this:

[crit] connect() to <backend-ip>:<port> failed (13: Permission denied) while connecting to upstream, ...

Diagnosing SELinux Denials

To confirm SELinux is the culprit:

Check your Nginx error logs for “(13: Permission denied)” messages.

Inspect the SELinux audit logs:

sudo grep nginx /var/log/audit/audit.log | grep denied

If you see denials related to name_connect on a TCP socket, SELinux is blocking the connection.

The Solution: Allow Nginx Network Connections

SELinux controls network permissions for web servers using Boolean flags. The most relevant for Nginx reverse proxies is httpd_can_network_connect.

What does httpd_can_network_connect do?

Enabling this Boolean allows Nginx (and other httpd processes) to make outgoing network connections to any port.

This is required for Nginx to proxy requests to other backend servers, especially if they’re not on standard HTTP/HTTPS ports.

How to Enable It

Make the change persistent with:

setsebool -P httpd_can_network_connect true

The -P flag makes the change survive reboots.

After running this command, restart Nginx:

systemctl restart nginx

This should resolve the “permission denied” errors when connecting to upstream servers.
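httpd_can_network_connect opens every port, so before setting it, it is worth seeing which port type SELinux actually labelled the upstream with. The script below is an added example, not part of the original post: it pulls the name_connect denials against httpd_t out of audit.log lines and suggests the narrowest fix for each, using httpd_can_network_relay where the target is already a web/proxy port type. AUDIT_SAMPLE is constructed to mirror the post's scenario (nginx proxying to port 32400).

```shell
# Added example (not from the original post). AUDIT_SAMPLE is constructed:
# two name_connect denials from httpd_t (one to an unlabelled port, one to
# an http_port_t port) plus an unrelated file denial that must be ignored.
AUDIT_SAMPLE='type=AVC msg=audit(1720000000.123:4567): avc:  denied  { name_connect } for  pid=1234 comm="nginx" dest=32400 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1720000001.456:4568): avc:  denied  { name_connect } for  pid=1234 comm="nginx" dest=8443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1720000002.789:4569): avc:  denied  { read } for  pid=1234 comm="nginx" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# name_connect_denials  (audit.log lines on stdin) -> "PORT PORT_TYPE",
# one line per distinct pair: the post's grep, narrowed to name_connect
# denials whose source domain is httpd_t
name_connect_denials() {
    grep 'avc:  *denied  *{ name_connect }' \
    | grep 'scontext=[^ ]*:httpd_t:' \
    | sed -n 's/.*dest=\([0-9][0-9]*\).*tcontext=[^ ]*:object_r:\([a-z_]*\):.*/\1 \2/p' \
    | sort -u
}

# suggest_fix PORT PORT_TYPE -> least permissive setting that allows it.
# httpd_can_network_relay only permits connections to ports typed as
# web/proxy ports; any other port must be labelled first, or opened with
# the broad httpd_can_network_connect the post uses.
suggest_fix() {
    case $2 in
        http_port_t|http_cache_port_t)
            echo "setsebool -P httpd_can_network_relay on" ;;
        *)
            echo "semanage port -a -t http_port_t -p tcp $1 && setsebool -P httpd_can_network_relay on  # or broader: setsebool -P httpd_can_network_connect on" ;;
    esac
}

# report  (audit.log lines on stdin) -> one line per denied port with fix
report() {
    name_connect_denials | while read -r port ptype; do
        echo "port $port ($ptype): $(suggest_fix "$port" "$ptype")"
    done
}

# Run against the constructed sample; on a live system use:
#   sudo ausearch -m avc -c nginx --raw | report
printf '%s\n' "$AUDIT_SAMPLE" | report
```

Whichever Boolean you choose, re-check the audit log after restarting Nginx: a remaining denial with a different permission (such as the file read in the sample) is a separate problem that neither Boolean fixes.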