Ubiquiti makes some interesting gear and is well known for disrupting the status quo by offering top-notch network and Wi-Fi devices. Their gear ranges from prosumer to enterprise-grade. Depending on how far down the rabbit hole you go, it can become a bit of an expensive ecosystem that you are buying into. On the plus side, if you ever decide to leave Ubiquiti, it shouldn’t be hard to resell the gear as they have a large community of followers.
I was leaving one job and starting another and decided that it was time to upgrade my home network to allow for some more diverse home-lab options. I decided to jump on the Ubiquiti bandwagon and set-up on their Unifi product line. Being new to Ubiquiti and Unifi I have a lot to learn!
I’m starting off my Unifi environment with a Ubiquiti Dream Machine (UDM), a Unifi 8-port POE switch (US-8-60W), and a Unifi AP (UAP-AC-Lite). I’m starting small. But who knows how large it’ll grow!
Here are some things I’ve set up in my Unifi environment…
While telnet and SSH are both allowed types of connections to Cisco gear, there is honestly no reason why you should be using telnet in today’s world. You should be using SSH for accessing all of your network devices. In very simplistic terms [and while the technologies are different], you can almost think of it as telnet being the equivalent to HTTP and SSH being the equivalent to HTTPS.
Telnet transfers all data in clear plain text, so your passwords and other credentials are visible to anyone watching the traffic. Using SSH means that all of your data is encrypted between the device and your computer, so no one else can see your sensitive bits like passwords. Anything used in production should be secured, and thus SSH is the obvious preference. So let’s look at how to enable SSH on our device. Once SSH is enabled we can then disable telnet.
Open a console or telnet session on your device to get started.
The first thing we need to do is make sure that the device is configured with a hostname and a domain name.
CiscoDevice# conf t
CiscoDevice(config)# hostname PWWF
PWWF(config)# ip domain-name it.playswellwithflavors.com
The next step is to allow users that are configured on the switch to log in with SSH or Telnet connections.
PWWF(config)# aaa new-model
Next we generate the cryptographic keys that the device will use.
PWWF(config)# crypto key generate rsa
We then want to enable SSH version 2 on the device.
PWWF(config)# ip ssh version 2
We will next set the desired SSH authentication timeout (in seconds). This is the amount of time you have to enter the correct user credentials after connecting. The default value is 120 seconds.
PWWF(config)# ip ssh time-out 60
Then we can change the number of SSH authentication retries that are allowed.
PWWF(config)# ip ssh authentication-retries 3
Next up is to configure all of the vty (virtual terminal) lines. We will configure the following:
set the input transport to SSH only
set the login type to local logins.
set the passwords to use strong encryption
set a timeout for inactive sessions (in minutes)
PWWF(config)# line vty 0 15
PWWF(config-line)# transport input SSH
PWWF(config-line)# login local
PWWF(config-line)# password 5
PWWF(config-line)# exec-timeout 10
PWWF(config-line)# exit
PWWF(config)# exit
PWWF#
The final step is to save our configuration changes with the following command.
PWWF# write
Now you can close your terminal session and connect to your device over SSH.
You can verify that SSH access is enabled on your device with the following command.
PWWF# sh ip ssh
SSH Enabled - version 1.99
Authentication timeout: 60 secs; Authentication retries: 3
If you have not yet created any user credentials, or if you wish to add a new user, here is the command.
In this example, the user name is “bob” and the password is “Aloha1234”
PWWF# conf t
PWWF(config)# username bob secret Aloha1234
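An offline check of the settings configured above, as an added example (not code from the original post): it reads the text of a saved "show running-config" and reports vty lines that still accept Telnet, a missing "ip ssh version 2", a disabled idle timeout, and local users stored with "password" instead of "secret". The sample config, the user "alice" and both hash strings are constructed placeholders.

```python
import re

# Constructed running-config excerpt (sample data, not from a real device).
# "alice" and both hash strings are placeholders invented for this example.
SAMPLE_CONFIG = """\
hostname PWWF
ip domain-name it.playswellwithflavors.com
aaa new-model
username bob secret 5 $1$SAMPLE$placeholderhashplaceholder0
username alice password 7 00PLACEHOLDER
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh version 2
line con 0
line vty 0 4
 exec-timeout 10 0
 transport input ssh
line vty 5 15
 exec-timeout 0 0
 transport input telnet ssh
"""


def vty_blocks(config):
    """Map each 'line vty ...' header to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = None  # any other top-level line ends the block
    return blocks


def audit(config):
    """Return a list of (scope, finding) tuples; an empty list means all checks pass."""
    findings = []
    top = [l.strip() for l in config.splitlines() if l and not l.startswith(" ")]

    # Hostname and domain name are the prerequisites for the RSA key step.
    if not any(l.startswith("hostname ") for l in top):
        findings.append(("global", "no hostname set"))
    if not any(re.match(r"ip domain[- ]name \S+", l) for l in top):
        findings.append(("global", "no ip domain-name set"))
    if "ip ssh version 2" not in top:
        findings.append(("global", "'ip ssh version 2' missing, SSHv1 may be accepted"))

    # 'username X password ...' is stored as cleartext or reversible type 7.
    for l in top:
        m = re.match(r"username (\S+) (?:privilege \d+ )?password\b", l)
        if m:
            findings.append((f"user {m.group(1)}", "uses 'password', not 'secret'"))

    blocks = vty_blocks(config)
    if not blocks:
        findings.append(("vty", "no 'line vty' blocks found"))
    for header, cmds in blocks.items():
        transports = None
        for c in cmds:
            if c.startswith("transport input"):
                transports = set(c.lower().split()[2:])
            elif c.startswith("exec-timeout"):
                # 'exec-timeout 0 0' (or 'exec-timeout 0') disables the idle timeout.
                if sum(int(n) for n in c.split()[1:]) == 0:
                    findings.append((header, "exec-timeout 0 disables the idle timeout"))
        if transports is None:
            findings.append((header, "no 'transport input' line, Telnet is not ruled out"))
        elif transports != {"ssh"}:
            findings.append((header, "transport input allows: " + " ".join(sorted(transports))))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```

Every "line vty" range is checked separately because a device can carry more than one (here 0 4 and 5 15), and hardening only the first leaves Telnet reachable on the rest.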
So I’ve had the unlucky experience of having to deal with the PRI connected to a T1 controller card on a Cisco 4321 Integrated Router that fails to come back up “online”, EVERY time the router gets power cycled.
Let me tell you… It is annoying! I don’t even want to try to tell you how many hours have been spent listening to hold music while getting in touch with the provider just to have them “run tests” from their side and say that the layer 1 connection is active, so it’s our problem, not theirs.
Basically, what has been happening is that after the router gets rebooted, the D-channel of the PRI gets locked up and doesn’t want to get in sync with the provider to allow inbound or outbound calls. Whenever we ran “show isdn status”, the layer 2 status would come back as “TEI_ASSIGNED” instead of the desired “MULTIPLE_FRAME_ESTABLISHED”. This PRI is connected to a MGCP gateway and in the end we basically either have to clear counters to reset the interface or rebind and rebuild the MGCP connection before it all comes back up.
Luckily, since we have been able to replicate the issue on every power cycle (whether or not it was an intentional power cycle), and I kept notes which I’m about to share, we have also been able to repeat the same steps to bring it back “online”.
My disclaimer: This worked for me, in the particular environment I referenced above. I have not tested this in any other environment. YMMV. You copy me at your own risk, and I am not responsible for any changes/damages you cause to your environment. These are purely just my notes for the previously mentioned environment.
From the console run the following command.
4321#show isdn status
Reading the output from the above command, summarized, the desired states are:
Layer 1 status: Active
Layer 2 status: MULTIPLE_FRAME_ESTABLISHED
If layer 1 is “Active” then it means that the circuit with your provider should be good. If it is not showing as “Active”, then first check that the physical cable is connected and isn’t damaged. If it looks okay, then get on your cell phone and call your provider.
If layer 2 status is “MULTIPLE_FRAME_ESTABLISHED” then you shouldn’t be having problems. Try another test call to verify that everything is working now, then go home. LOL.
However, if you’re in a situation similar to me, then you can’t make any calls and your layer 2 status is showing as “TEI_ASSIGNED”. The first, and easiest, thing to try is to clear the counters. This resets the interface. You can then recheck to see if the layer 2 status has changed. You can use the following command to clear the counters and recheck the ISDN status.
4321#clear counters
4321#show isdn status
If that did not work and your layer 2 status is still “TEI_ASSIGNED” then the next step is to try to restart the T1 controller. Then recheck the ISDN status. Use the following commands to do so.
4321#clear controller t1
4321#conf t
4321(config)#controller t1 0/1/0
4321(config-if)#shutdown
4321(config-if)#no shutdown
4321(config-if)#exit
4321(config)#exit
4321#show isdn status
Did that work for you? Hopefully it did. But if it did not work, then there is one more thing to try. Rebind the layer 3 to call manager and then teardown and rebuild the MGCP connection, and recheck the ISDN. Use the following commands to do so.
4321#conf t
4321(config)#interface serial 0/1/0:23
4321(config-if)#isdn bind-l3 ccm
4321(config-if)#no mgcp
WARNING: no mgcp: Teardown MGCP application may take a while to clean up resources
4321(config-if)#mgcp
4321(config-if)#exit
4321(config)#exit
4321#show isdn status
Okay, now the layer 2 status should be coming back as “MULTIPLE_FRAME_ESTABLISHED” after checking the ISDN status. If it does not, then you really should be beginning to open a TAC case with Cisco to figure out WTF is going on.
If you’re like me, you probably use one machine heavily. You have all of the hosts and devices which you connect to regularly saved in Putty. But what if you want to conveniently share all of those saved settings with a coworker, or back them up so you can restore them in the future to a new PC?
Putty saves all of those ‘saved’ sessions in the Windows registry. While you’re not able to export them directly from Putty, you can use the command line to export either just the sessions, or all settings, from putty.
Note: These instructions only work with the ‘regular’ installed version of Putty on Windows. They will not work with the portable version.
Export
Open a Command Prompt (or PowerShell) as an Administrator.
This will create a “reg” file on the desktop of the current user. It will not export SSH keys. Do not replace “SimonTatham” with your username; Simon Tatham is the author of Putty, and that is the name of the folder inside the registry where the settings are saved.
Import
Copy the reg file to the machine which you want to import the putty settings on.
Double-click on the .reg file and accept the import.
If you are like me, the computers around my house are predominately Windows based. Which is fine until you try to remotely connect to the desktop of your RPi. The Raspbian OS just doesn’t work with MS’s Remote Desktop Protocol out of the box.
It can though, and all it takes is a few steps to enable RDP on Raspbian. And in my opinion, since I’m mostly on Windows, it is well worth it just for the convenience. I’ll be using Raspbian Buster in my examples below. If you’re not already on Buster, check out my article on upgrading Stretch to Buster.
Installing Xrdp on Rpi
Let’s begin by updating your RPi with the following commands.
sudo apt update && sudo apt upgrade
Let’s install Pixel on our RPi. Pixel is the default desktop environment on Raspbian desktop images. It’s stable, lightweight, and fast. Which is perfect for running remotely on our RPi. To install Pixel, use the command below.
Next we install the Xrdp package. It is available in the default Raspbian repositories. Use the command below to install Xrdp.
sudo apt install xrdp
The service will automatically start once it has installed, but we can check its status with the following command. It should display the status of “running” on the screen.
systemctl show -p SubState --value xrdp
Lastly we need to add the user that is running the service to the “ssl-cert” group. Xrdp uses the key file “/etc/ssl/private/ssl-cert-snakeoil.key”, which is only readable by members of the “ssl-cert” group. Use the following command to add the user to the group.
sudo adduser xrdp ssl-cert
Your RPi now supports RDP! You can easily connect to it using the MS Remote Desktop Connection on your Windows machines.
Connecting to your RPi from Windows
From your Windows machine, click on the ‘Start menu’ or Windows Search field and type “remote”.
Once the Remote Desktop Connection App launches, enter the IP address of your RPi. Then click the “Connect” button.
Enter the login credentials for your RPi. Then click ‘Ok’.
BAM! Just like that you have successfully connected to and just RDP-ed into your RPi. Well done!
Using a simple RPi we can turn an otherwise normal USB printer into a network printer. Making it easier to print from anywhere in your house, and using any computer in your house. Literally breathing a bit more life into your “old” printer that you were just considering tossing away.
We’ll take advantage of the CUPS software to make this happen. CUPS stands for Common Unix Printing System and is what runs most Linux printing software. It’s going to be the bit that does the communication to your printer to properly print your files. Let’s get started…
Make sure your RPi is up-to-date with the following commands:
sudo apt-get update
sudo apt-get upgrade
Install CUPS with the following command
sudo apt-get install cups
Add the user ‘pi’ to the ‘lpadmin’ group. This will allow your user ‘pi’ to access all of the administrative functions of CUPS without having to be a superuser. Use the following command.
sudo usermod -a -G lpadmin pi
We need to make CUPS accessible to your whole network. Currently it is only accessible on the RPi itself. To allow it to accept all traffic, use the following commands.
You can now access the RPi print server from any computer on your network. Use the following command if you are unsure of your IP address.
hostname -I
Now with that IP address open a web browser and enter the following url, replacing <ip-address> with the IP address of your RPi
http://<ip-address>:631
To allow our CUPS print server to talk to Windows and to let our Windows computers print to it, we need to set up SAMBA on the RPi. Use the following command to install SAMBA.
sudo apt-get install samba
After installing SAMBA, we will need to make a few edits to its configuration file. Use the following command to open its config file in the nano editor.
sudo nano /etc/samba/smb.conf
Scroll down to the end of the file. Edit it to make it match the following:
# CUPS print server
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = yes
read only = yes
create mask = 0700
# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = no
guest ok = no
Save and exit the editor by pressing ‘Ctrl-X’, then ‘Y’, then ‘Enter’
Restart SAMBA with the following command to load our configuration changes.
sudo systemctl restart smbd
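What the two share sections above expose, as an added example (not code from the original post): a small parser for smb.conf share sections that reports any share an unauthenticated (guest) client can print to or write to. It assumes share-level parameters only; defaults inherited from a [global] section are not modelled, and the sample text is the page's two sections reproduced as input.

```python
# Constructed input: the [printers] and [print$] sections from the post,
# as they would sit at the end of /etc/samba/smb.conf.
SAMPLE_SMB_CONF = """\
# CUPS print server
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = yes
read only = yes
create mask = 0700
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = no
guest ok = no
"""

TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}


def parse_shares(text):
    """Return {share name: {parameter: value}} for every [section]."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names.
            current["".join(key.lower().split())] = value.strip()
    return shares


def flag(params, names, default):
    """Read a boolean parameter under any of its names, else the default."""
    for name in names:
        value = params.get(name, "").lower()
        if value in TRUE:
            return True
        if value in FALSE:
            return False
    return default


def audit_shares(text):
    """Return (share, finding) tuples for guest-reachable shares."""
    findings = []
    for name, p in parse_shares(text).items():
        if name == "global":
            continue
        guest = flag(p, ("guestok", "public"), False)
        if "readonly" in p:
            writable = not flag(p, ("readonly",), True)
        else:  # inverted synonyms of 'read only'
            writable = flag(p, ("writeable", "writable", "writeok"), False)
        printable = flag(p, ("printable", "printok"), False)
        if guest and printable:
            findings.append((name, "accepts print jobs from unauthenticated clients"))
        if guest and writable:
            findings.append((name, "writable by unauthenticated clients"))
    return findings


if __name__ == "__main__":
    for share, finding in audit_shares(SAMPLE_SMB_CONF):
        print(f"[{share}] {finding}")
```

With the configuration as posted, only [printers] is reported: any host that can reach the RPi can submit print jobs without credentials, while the driver share [print$] stays closed to guests.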
Adding a printer to CUPS
Now with the software portion installed, we need to add the printer to CUPS. Make sure that you have turned the printer ‘On’ and that you have it connected to your RPi.
Open a web browser and enter the following url, replacing <ip-address> with the IP address of your RPi
http://<ip-address>:631
Click on the ‘Administrative’ tab at the top of the page. Then click the “Add Printer” button.
On the ‘Add Printer’ screen select the name of the printer you want to set up, and click “Continue”. In this example, we are setting up a HP LaserJet P2055d printer.
Note: If your printer does not appear on the screen, make sure that it is indeed ‘On’ and connected to your RPi. After verifying that it is, if it is still not appearing, you may need to try restarting your RPi while leaving the printer ‘On’ and connected.
This screen is where you give your printer a name, set a description for it, and a location. The most important thing to do on this screen is to click the tick box for “Sharing: Share This Printer”
On this screen you will select the model of your printer. CUPS tries to auto-detect the model of printer and will select a driver based off what you select. Your selection will differ from mine. Once you are happy with your selection, click the “Add Printer” button at the bottom.
The final screen will let you set the default printer options; paper size, tray, resolution, double-sided, etc….
While not required, I like to give the RPi one more reboot after adding the printer.
To check the status of the printer and its print queue, use the following command on the RPi.
lpq HP_LaserJet_P2055d
It will display the printer name and if it’s “ready” and if any print jobs are pending.
Adding RPi printer to Windows 10
One thing I noticed when trying to add the printer to my Windows 10 machines is that I initially had problems auto-detecting and adding it. It just simply would not work. After a bit of searching the internet, I found a solution that did work for me.
Click on the ‘Start Menu’ and start typing “Printers”, then click on ‘Printers & scanner’.
Click on ‘Add a printer or scanner’
Windows will begin searching for printers… After a moment a link appears that says “The printer that I want isn’t listed”. Click on that link.
This will open a ‘Add Printer’ window. Click on the option “Select a shared printer by name”
Enter the “name” of your shared printer in the following format, then click ‘Next’.
This is a bit of a long post, so I apologize in advance… Sorry, but not sorry. There are a lot of things that you can customize in a RDS / RD Web Access deployment.
I’m doing these edits, or customizations on a Windows Server 2019 deployment, they should [in theory] work though on RDS deployments as far back as Windows Server 2012/R2, though your mileage may vary – see disclaimer below.
Standard disclaimer… Make sure to backup folders and files before you start making changes. I’m not responsible for anything you break, you’ve been warned.
Eliminate “/RDWeb” from the RDS URL
When adding the RD Web Access role on your remote desktop gateway or broker, it will auto-magically create the RDWeb website in IIS for you.
RDS sets up the url for your site in the following format: “rds.playswellwithflavors.com/RDWeb” or “example.com/RDWeb”. However, you likely are not using this IIS host to serve up any other webpages other than RDS Web Access… So you probably want to eliminate the need for users to enter that “/RDWeb” at the end of the url, and make it appear as just “rds.playswellwithflavors.com” or “example.com”.
Microsoft makes this very easy to accomplish with a simple redirect in IIS.
Open IIS.
Click on the ‘Default Web Site’ in the left-side pane.
Click on ‘HTTP Redirect’ in right-side pane.
Check the box for ‘Redirect requests to this destination’. Enter in the field under it: /RDWeb
Click ‘Apply’.
Restart IIS
Test your website to confirm that you can reach it with the base url, without the “/RDWeb” appended at the end.
Password Reset Link
This customization will edit the Web Access Login Page to add a password reset link where users can change their AD passwords from the main login page.
Open IIS
In the left-hand pane, drill down into “Server”->”Sites”->”Default Site”->”RDWeb”->”Pages”
Double-click on “Application Settings” in the right-hand pane.
Find the value “PasswordChangeEnabled” and double-click on it. Edit it to ‘True’.
Click ‘Ok’.
Now that we edited that value to ‘true’, if the user’s password expires they will be prompted to change their password. That’s handy, right!? Well, if you liked that, then let me tell you that it is possible to go one step further and make a link on the main page for them to reset their password, anytime.
Open the following folder: %windir%\Web\RDWeb\
Since we are going to be editing stuff here, make a backup copy of the “Pages” folder.
Now open the folder: %windir%\Web\RDWeb\Pages\en-US\
Right-click on the file “login.aspx” and select ‘Edit’.
With the file open, press “Ctrl+F” and then search for “userpass”.
Scroll down under the table that “userpass” is in. This is where we want to add our password reset link. Copy the code below and paste it into your file, then save and close it.
<tr>
<td align="right">
Click <a href="password.aspx" target="_blank">here</a> to reset your password.
</td>
</tr>
Reload the page in your browser to view the password reset link.
Change “Domain\user name” to “Email”
At the Web Access login page, I like to change the prompt for “Domain\user name” to “Email Address”. Call me cynical, but I find that users can remember their email address, but will almost always call and ask what to put as the domain. I like to just change this to what the user will understand and prevent them from needing to call me.
Now open the folder: %windir%\Web\RDWeb\Pages\en-US\
Make sure that you have already made a backup copy of the “Pages” folder.
Right-click on the file “login.aspx” and select ‘Edit’.
Look for “L_DomainUserNameLabel_Text” on line 21.
Change the value “Domain\\user name:” to “Email Address:”.
Look for “L_DomainNameMissingLabel_Text” on line 30.
Change the value “You must enter a valid domain name.” to “You must enter a valid email address.”
Save and close the file.
Reload the page in your browser to view the change.
Change the “Work Resources” text on the Login page
This will let you customize the text displayed with your logo in the upper left corner of the RDWeb login page.
Open an administrator PowerShell window on the RD Connection Broker.
Enter the following command: Set-RDWorkspace -Name "<YourBrandingHere>"
Reload the page in your browser to view the change.
Changing the RD Logos
You can brand your RD Web Access page with your company logo. There are two logos you can change. One is in the upper left corner, and the other one is smaller and in the upper right corner.
Take your logo image and resize it into two .png files with the names and dimensions specified below;
logo_01.png – 16pixels x 16pixels
logo_02.png – 48pixels x 48pixels
Now open the folder: %windir%\Web\RDWeb\Pages\images\
Make sure that you have already made a backup copy of the “Pages” folder.
Copy and paste your logo image files into this folder.
Open IIS and restart the service.
Reload the page in your browser to view the change.
The “logo_01.png” file will replace the icon in the upper right corner.
The “logo_02.png” file will replace the icon in the upper left corner.
Change the “To protect against” message
This is the message on the login page that is beneath the “Sign In” button. You can customize it to your own message.
Now open the folder: %windir%\Web\RDWeb\Pages\en-US\
Make sure that you have already made a backup copy of the “Pages” folder.
Right-click on the file “login.aspx” and select ‘Edit’.
Look for “L_TSWATimeoutLabel_Text” on line 43.
Modify that value there to include your custom message.
Save and close the file.
Reload the page in your browser to view the change.
Change the RD Workspace name and other text
You can customize other text displayed on your RDWeb login page. Things like the page title and other small branding type changes…
Now open the folder: %windir%\Web\RDWeb\Pages\en-US\
Make sure that you have already made a backup copy of the “Pages” folder.
Right-click on the file “RDWAStrings.xml” and select ‘Edit’.
Make changes as desired to reflect what you want displayed;
PageTitle, line 3
HeadingRDWA, line 10
HeadingApplicationName, line 11
Help, line 12
Reload the page in your browser to view the change.
Note: Chrome based browsers like to cache these… Use a private browsing tab, or flush your browser cache if the changes are not appearing after reloading the page.
Remove ‘Help’ Link
This will remove the ‘Help’ link on the RDWeb login page that links to this MS documentation.
Now open the folder: %windir%\Web\RDWeb\Pages\
Make sure that you have already made a backup copy of the “Pages” folder.
Right-click on the file “site.xsl” and select ‘Edit’.
Press ‘Ctrl+G’ and enter 150, to go to line 150
Select and then delete lines 150-158.
Open IIS and restart the service.
Reload the page in your browser to view the change.
Change the Server Logo on Login Page
You can remove the “Server 2012” or “Server 2016” or “Server 2019” logo that is on the login page. I like to replace it with a 1px-by-1px transparent image. It won’t do much overall… But perhaps it’ll make a malicious person have to work a tad bit harder to determine what OS you are on.
Replace the following image: %windir%\web\rdweb\pages\images\WS_h_c.png
Change the Microsoft Logo on Login Page
You can remove the “Microsoft” logo that is on the login page. I like to replace it with a 1px-by-1px transparent image. It doesn’t hurt anything being there, but if you’re cleaning up and editing the branding of your site, why would you leave this logo on it?
Replace the following image: %windir%\web\rdweb\pages\images\mslogo_black.png
If I come across other customization tips I’ll add them here…
As with all major version changes, it is my recommendation to download a new clean image and start fresh with a clean system. (Raspbian Download page) I don’t know what changes people have made to their system, and so have no idea what may break when you move to Buster. The instructions below will likely work on your system. However, that does not guarantee that it will work on your system.
I cannot provide support (or be held responsible) for any problems that arise if you try it. You have been warned! Make a backup before even considering to attempt this…
Open a terminal or SSH window to your RPi. In the files /etc/apt/sources.list and /etc/apt/sources.list.d/raspi.list, change every use of the word “stretch” to “buster”.
Wait for the upgrade to complete, answering “yes” to any prompt. There may also be a point at which the install pauses while a page of information is shown on the screen; hold the “space” key to scroll through all of this and then hit “q” to continue.
The update will take anywhere from half an hour to several hours, depending on your network speed. When it completes, reboot your Raspberry Pi.
When the Pi has rebooted, launch “Appearance Settings” from the main menu, go to the “Defaults” tab, and press whichever “Set Defaults” button is appropriate for your screen size in order to load the new UI theme.
Buster will have installed several new applications which we do not support. To remove these, open a terminal window and run the following command.
As I’ve said before, the data running on your RPi is only as good as its last backup. You have already backed up your RPi, right?
This article is going to cover how to restore the backup image of your RPi with Windows. While you can also restore it using Linux or MacOS, I’m not going to cover those as I primarily use the Windows Operating System. If you desire more info on the RPi backup/restore process, please consult the official documentation here.
Restore on Windows
In Windows, we’ll use a utility called “Win32 Disk Imager”. If you followed my previous article on backing up your RPi you should already have it installed. If you haven’t, please go download and install Win32 Disk Imager onto your computer. It is this software that will allow us to restore the full image copy we made back to the micro-SD card of your RPi.
On your Windows computer, open the Win32 Disk Imager program.
In the upper right, under ‘Device’, select the drive letter of the card reader. Mine is “D:\”, yours will likely be different.
In the ‘Image File’ box, click on the folder button to browse to, and select, the location of your backup image file, which you’d like to restore.
Click the ‘Write’ button at the bottom to begin restoring your backup image. There will be a popup message that warns about writing to the device; click ‘Yes’ and it will begin your restore.
Once the restore completes, there will be a popup message stating that the write is complete that you need to click ‘OK’ to.
Your restore is now complete!
Go ahead and eject the card from your card reader and return it to your RPi. You can then reconnect the power and turn it back on. Everything should be there, exactly as it was at the time you made the backup.
Like any other computer system, the data running on your RPi is only as good as its last backup. Heck, have you ever even backed-up your RPi since you got it up and running? Well let me show you how to get backed-up so that you can get back up in the event that you ever have a RPi catastrophe.
This article is going to focus on backing up your RPi with Windows. While you can also back it up using Linux or MacOS, I’m not going to cover those as I primarily use the Windows Operating System. If you desire more info on backing up your RPi, please consult the official documentation here.
Backup on Windows
In Windows, we’ll use a utility called “Win32 Disk Imager”. Go ahead and download and install Win32 Disk Imager onto your computer. It will allow us to make a full image copy of the micro-SD card that is used in our RPi. That way we can restore a 1:1 image of that micro-SD card as it is at the time of backup, back onto the card or onto a new card if we ever need to. We can keep that image copy on a desktop or NAS or cloud storage.
Start by shutting down the RPi with the following command.
sudo shutdown now
Once the RPi has shut down, disconnect the power. You can now pull the micro-SD card out of it. Place it into the card reader on your Windows computer. This might be a USB adapter that you are using, or there might be a SD slot on your laptop that will take a “micro-SD to SD card” adapter.
On your Windows computer, open the Win32 Disk Imager program.
In the upper right, under ‘Device’, select the drive letter of the card reader. Mine is “D:\”, yours will likely be different.
In the ‘Image File’ box, click on the folder button to browse to, and select, the location of where you would like to save the image file to.
Click the ‘Read’ button at the bottom to begin creating your backup image.
Once the backup completes, there will be a popup message you need to click ‘OK’ to.
Your backup is complete!
Go ahead and eject the card from your card reader and return it to your RPi. You can then reconnect the power and turn it back on.
You can now restore your RPi to this point-in-time image when anything ever goes wrong in the future.