ccie.security lab - other vms, part II - Cisco WSA, MS Win Server

Let's continue with the deployment of the other VMs within the ccie.sec lab. Again, the WSA deployment is pretty easy, as there is an OVA/OVF package in the Cisco download section, so maybe a few of the basic settings may be inspirational. The second part of this article might be more useful - the MS Server (2008 in my case) deployment with the basic settings, incl. Active Directory installation and certificate authority web-server settings. These functions are needed to practise the interaction of ISE/ACS with AD and the ISE/cert functionality, and/or Cisco IOS/ASA VPN with cert support.

Cisco WSA

I went to the official Cisco page and downloaded the latest WSA, coeus-9-2-0-083-S000V, and I'm going to use the eval license for 45 days ...

1. Create the VM

Let's click on File and deploy the OVA/OVF image, select the appropriate OVA/OVF archive and click on NEXT in almost all steps. Because it's a testing/lab environment, I changed the thick provisioning to thin to save some space, didn't touch the net adapters and left them connected to the default VMW network. It can be adjusted as per individual labs.


2. Run WSA/VM

Start the VM when it's deployed and wait for the console output.


Give the first start some time, as it's building the databases and all the internal stuff, so it can take five to ten minutes depending on your HW. Check the boot progress and log in to the WSA with the default credentials (admin/ironport) to get the IP address it was assigned.


You can get the IP from your DHCP client list or just check the IP with the showconfig command. Then go to the browser (Firefox in my case, of course) and open http://IP:8080, which is the default HTTP port, or https://IP:8443, which is the default HTTPS port. You should get the login screen, where you can log in with the same credentials.


3. Check/Install the license

Within the web GUI go to System Administration - System Setup Wizard to check whether it's a WSA without any license installed.


So it's necessary to get the license and install it through the CLI with the loadlicense command. The second option is to do it via FTP/SCP, but I like the CLI, so let's do it via the CLI ... Go to the Cisco License portal (cisco license) and download the WSA-45D XML license file.


The best way to do it via the CLI is to SSH to the WSA VM, because copy/paste doesn't work well within the VMW console. So log in via SSH and type the loadlicense command. Then select option 1 (paste via CLI) and paste the content of the whole downloaded XML file. After it's processed, just accept the agreement and check the final output to verify the license you've applied.




4. Customize the default settings

I think it's time to configure the management things - let's start with the new static interface. Go to Network - Interfaces and change the IP address field to the IP address you want to assign. Additionally, you can check the other options - SSH/HTTP/HTTPS port and the hostname of the box.


After you are absolutely satisfied with your solution, don't forget to click on the "submit changes" button.



You can check and configure many other things such as DNS servers, routing (static routes), NTP or whatever:



Don't forget you just changed that IP address, so just change the IP in the address bar of the browser.

MS Windows Server 2008 (+AD, CertSRV)

Firstly, I have to admit I'm not a Microsoft guru, but I think I can manage a simple MS server as long as it's needed by the ccie.sec lab. It means this server is intended to run the Active Directory service, including user management for testing it with ISE or ACS. I wasn't aware of the theory of Domains, Trees and Forests, so this is the first positive consequence of the ccie.sec preparation (excluding all the Cisco stuff) - I have learnt a lot of MS stuff during these deployment tries. Let's start.

1. Create the VM

I was thinking about whether to use a newer version of MS Server (e.g. MS Server 2012) or some older platform, as the core function - running AD and certificate services - should be served by 2008 in the same fashion as by all the newer systems. So I made the final decision, and Win Server 2008 R2 Eval was finally deployed and tested.


I have created an empty VM with the properties as depicted above, and I suppose I'll need one network connection only - to my shared network segment. I won't be testing the VPN stuff; it will be tested by the Windows 7/8 "client" machine. I'm using 4G of RAM, which is a really oversized value, so you can just lower the mem size.

2. Run the VM and install the MS Win

Now the thing we already know - it's just about starting the VM and using the ISO (which was moved to the local datastore for faster deployment - also for future use) as DVD media to be able to boot the installer. So after a few seconds we should see the MS logo.


using English environment

and selecting the first option - MS Server Standard - Full installation. It means there is a "usable" user interface - explorer.exe in the case of MS. I tried to install the Server Core installation, but it's just a set of services without the user interface, so there is no desktop, no tray, no start menu, no explorer.exe etc. Of course it's without the services, but it's a piece of cake to install and set these up after the OS installation is done.


Then allocate the whole disk (unless you want to adjust the partition table) and check the progress of the win installation.



It's mandatory to change/set your password during the first login.


After it's completed and you are logged in, you should see the server overview (no role installed/activated yet). The second important part is to check the system properties - mainly the activation state. If it's the evaluation version, it should be non-activated and only one task is needed: click on Activate, leave the activation code field empty and click on Next. It should activate your Win Server with the evaluation license for 180 days.



My recommendation is to use static IP addressing for each VM, so as with all the other Win products - tray, open network, change adapter settings (Ethernet), IPv4 address - assign the IP address, mask, default gateway and DNS servers. I have disabled IPv6 for the shared VM segment, as I think the Win server doesn't need to serve IPv6 services.


3. Install additional features/roles

The first role of this server is Active Directory server, also known as domain controller. It means we will create a brand new forest with a new domain. I'm using my own domain (sedlec.lab), so just go to the Server Manager and check the roles - there wasn't any installed in my case of a fresh Win machine. Click on Add Roles and select "Active Directory Domain Services".



Follow the installation guide and click approx. a million times on the Next button before it's finally deployed. Then, be aware that the service/role is not running at all. Just go to the Server Manager and click on run the role, or just execute dcpromo.exe.


Again, just follow the instructions and click on Next, Next until the domain controller is running.



When it's running fine and within your own domain, I suggest you rename the machine, as the default hostname (machine name) is not so user-friendly. Just go to the Control Panel and check the local computer. Then you can change the hostname and use the domain you created earlier.


Before we move to the last step, just check the overall computer properties - activation state (should be activated), networking (should be the static IP) and computer name with the domain (should be statically configured), winserver.sedlec.lab in my case.


Installing and setting up the certification authority server is also easy - go to Server Manager and click on Add Role. Mark "Active Directory Certificate Services". Again, follow the instructions and click approx. a million times on the Next button (I'm wondering if it's really needed to have this click opportunity; maybe it could be done automatically in the future).



And that's it. We have deployed Win Server 2008 with the Active Directory services and certificate features, which means this device may serve as a Certification Authority. Let's verify the reachability, the basic function and the CA web-server tools.
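A scripted version of the checks described above (computer name/domain, static IP, activation state, installed roles and the CA web pages), added here as an example and not part of the original article. It assumes an elevated PowerShell 2.0 session on the server itself, the winserver.sedlec.lab name used above, and that the Certification Authority Web Enrollment role service was selected so the default /certsrv site answers over plain HTTP:

```powershell
# Added example (not from the original article): post-install checks for the lab DC/CA.
# Assumptions: run locally and elevated on Server 2008 R2 (PowerShell 2.0), host name as
# used in the article, web enrollment installed and served at the default /certsrv path.
$ExpectedFqdn = 'winserver.sedlec.lab'
$results = @()
function Add-Check($Name, $Ok, $Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Name; OK = [bool]$Ok; Detail = "$Detail" }
}

# Computer name + domain, and whether the box really is a domain controller
$cs   = Get-WmiObject Win32_ComputerSystem
$fqdn = ('{0}.{1}' -f $cs.DNSHostName, $cs.Domain).ToLower()
Add-Check 'Computer name / domain' ($fqdn -eq $ExpectedFqdn) $fqdn
Add-Check 'Domain controller' ($cs.DomainRole -ge 4) "DomainRole=$($cs.DomainRole)"  # 4/5 = DC

# Static addressing: no IP-enabled adapter may still be using DHCP
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
$dhcp = @($nics | Where-Object { $_.DHCPEnabled })
Add-Check 'Static IP' ($nics.Count -gt 0 -and $dhcp.Count -eq 0) (($nics | ForEach-Object { $_.IPAddress }) -join ', ')

# Activation state: LicenseStatus 1 means licensed
$lic = @(Get-WmiObject SoftwareLicensingProduct -Filter 'PartialProductKey IS NOT NULL')
$licensed = @($lic | Where-Object { $_.LicenseStatus -eq 1 })
Add-Check 'Activation' ($licensed.Count -gt 0) (($lic | ForEach-Object { "$($_.Name): $($_.LicenseStatus)" }) -join '; ')

# Roles added through Server Manager, and the services behind them
Import-Module ServerManager
foreach ($f in Get-WindowsFeature AD-Domain-Services, ADCS-Cert-Authority, ADCS-Web-Enrollment) {
    Add-Check "Role $($f.Name)" $f.Installed $f.DisplayName
}
foreach ($n in 'NTDS', 'CertSvc') {
    $s = Get-Service $n -ErrorAction SilentlyContinue
    Add-Check "Service $n" ($s -and $s.Status -eq 'Running') $s.Status
}

# CA web pages: 200 (signed in) or 401 (asks for credentials) both prove the site is up
$code = 0
try {
    $req = [System.Net.WebRequest]::Create("http://$ExpectedFqdn/certsrv/")
    $req.UseDefaultCredentials = $true
    $req.Timeout = 5000
    $resp = $req.GetResponse(); $code = [int]$resp.StatusCode; $resp.Close()
} catch {
    $ex = $_.Exception
    while ($ex -and -not ($ex -is [System.Net.WebException])) { $ex = $ex.InnerException }
    if ($ex -and $ex.Response) { $code = [int]$ex.Response.StatusCode }
}
Add-Check 'CertSrv web pages' ($code -eq 200 -or $code -eq 401) "HTTP $code"

$results | Format-Table Check, OK, Detail -AutoSize
```

Any row with OK = False points at the step above that needs another look.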



That's it. How easy. Good luck and enjoy.




Copyright © TR2016