Server, Network & System Security
Management Seminar for WebSAMS
Sep 2017 Server, Network & System Security Management Seminar for WebSAMS A - 2
Contents:
WebSAMS Architecture
Network and Server Configuration
Security and Maintenance
Backup of Data
Logs Checking
Trouble-shoot Case Studies
WebSAMS Architecture
WebSAMS Requirements (cont’d)
WebSAMS Network is a private and separated network, isolated from ITED Network
Outside the WebSAMS Network, all users must go via the HTTP Server to access WebSAMS
HTTP Server can be located within the Demilitarized Zone (DMZ), or inside the ITED Network, as shown in the following slides
WebSAMS Requirements
HTTP Server and WebSAMS Server are connected in different subnets
Required software is installed in WebSAMS server
Apache
Jboss & JRE (Java)
Sybase SQL Anywhere 16
Crystal Server 2013
Anti-Virus Software & Backup Software
All WebSAMS network cards must be connected to WebSAMS network only
Network Designs in WebSAMS
Network Designs in WebSAMS (cont’d)
Internet Gateway
Separate Internet and ITED
2 interfaces - one for real IP and another for internal IP
Support NAT (Network Address Translation), i.e. access from Internet to ITED
What is NAT?
Network Address Translation ( NAT )
Translate the IP address from one network to another network
Typically one is inside and one is outside
Port mapping function
HTTP Server
HTTP server is simply a relay server which forwards all the requests to the WebSAMS server
The HTTP server itself does not store any data
WebSAMS Router
WebSAMS Router (cont’d)
WebSAMS Router (between WebSAMS and ITED)
* Block all unnecessary network traffic
* Only allow specific network services and TCP ports
HTTP Server connects to WebSAMS server
Using TCP 8009 for production, TCP 7009 for training, TCP 8109 for 1 server 2 WebSAMS
WebSAMS server can access Internet without passing through proxy
TCP 80 (HTTP), TCP 443 (HTTPS), TCP/UDP 53 (DNS)
TCP 25 (SMTP), TCP 110 (POP3)
Network and Server Configuration
WebSAMS LAN segment accesses Internet
Access Internet directly not through the Proxy server
Involved equipment
WebSAMS router
Internet Gateway
ISP
Network Settings on WebSAMS server
Under WebSAMS server
DHCP server setup
DNS server setup
DHCP server setup
Start > Administrative Tools > DHCP
Internal DNS setup
Start > Administrative Tools > DNS
Router Config
Modified default route
Example:
ip route 0.0.0.0 0.0.0.0 10.128.15.253
ACL modification
Example:
access-list 101 permit tcp any 10.128.30.0 0.0.0.255 gt 1023 established
access-list 101 permit udp any 10.128.30.0 0.0.0.255 gt 1023
access-list 101 permit icmp any 10.128.30.0 0.0.0.255 echo-reply
access-list 101 permit icmp any host 10.128.30.150 packet-too-big
access-list 101 permit tcp host 172.16.0.150 host 10.128.30.150 eq 8009
access-list 101 permit tcp host 172.16.0.150 host 10.128.30.150 eq 7009
access-list 101 deny ip any any log
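To see what the example ACL above permits and denies, the following added Python sketch (not part of the original slides or of WebSAMS) evaluates it first-match against constructed packets. It handles only the keywords that appear in the example; the roles 172.16.0.150 = HTTP server and 10.128.30.150 = WebSAMS server are assumptions read from the ACL lines.

```python
import ipaddress

# The example ACL exactly as it appears on the slide above.
ACL_TEXT = """\
access-list 101 permit tcp any 10.128.30.0 0.0.0.255 gt 1023 established
access-list 101 permit udp any 10.128.30.0 0.0.0.255 gt 1023
access-list 101 permit icmp any 10.128.30.0 0.0.0.255 echo-reply
access-list 101 permit icmp any host 10.128.30.150 packet-too-big
access-list 101 permit tcp host 172.16.0.150 host 10.128.30.150 eq 8009
access-list 101 permit tcp host 172.16.0.150 host 10.128.30.150 eq 7009
access-list 101 deny ip any any log
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(first), _ip(tokens.pop(0))

def parse_ace(line):
    """Parse one entry of the subset of extended-ACL syntax used on the slide."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    ace = {"action": tokens[2], "proto": tokens[3], "dport": None,
           "established": False, "icmp_type": None, "log": False}
    rest = tokens[4:]
    ace["src"] = _take_addr(rest)
    ace["dst"] = _take_addr(rest)
    while rest:
        word = rest.pop(0)
        if word in ("eq", "gt"):
            ace["dport"] = (word, int(rest.pop(0)))
        elif word == "established":
            ace["established"] = True
        elif word == "log":
            ace["log"] = True
        elif ace["proto"] == "icmp":
            ace["icmp_type"] = word
        else:
            raise ValueError("unsupported keyword: " + word)
    return ace

def _addr_match(addr, spec):
    base, wildcard = spec
    # Wildcard bits set to 1 are "don't care"; all other bits must equal the base.
    return ((_ip(addr) ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def _ace_match(ace, pkt):
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    if not (_addr_match(pkt["src"], ace["src"]) and _addr_match(pkt["dst"], ace["dst"])):
        return False
    if ace["dport"]:
        op, port = ace["dport"]
        dport = pkt.get("dport")
        if dport is None or not (dport == port if op == "eq" else dport > port):
            return False
    # 'established' is a stateless test: the TCP segment must carry ACK or RST.
    if ace["established"] and not ({"ACK", "RST"} & set(pkt.get("flags", ()))):
        return False
    if ace["icmp_type"] and pkt.get("icmp_type") != ace["icmp_type"]:
        return False
    return True

def evaluate(acl, pkt):
    """Return (action, entry number) of the first match; 0 means implicit deny."""
    for number, ace in enumerate(acl, start=1):
        if _ace_match(ace, pkt):
            return ace["action"], number
    return "deny", 0

ACL = [parse_ace(line) for line in ACL_TEXT.splitlines() if line.strip()]

# Constructed sample packets (not captured traffic). Assumed roles:
# HTTP = the HTTP relay server, SAMS = the WebSAMS server.
HTTP, SAMS = "172.16.0.150", "10.128.30.150"
SAMPLES = {
    "http_to_sams_8009": dict(proto="tcp", src=HTTP, dst=SAMS, dport=8009, flags=["SYN"]),
    "http_to_sams_7009": dict(proto="tcp", src=HTTP, dst=SAMS, dport=7009, flags=["SYN"]),
    "http_to_sams_8109": dict(proto="tcp", src=HTTP, dst=SAMS, dport=8109, flags=["SYN"]),
    "other_host_8009": dict(proto="tcp", src="172.16.0.77", dst=SAMS, dport=8009, flags=["SYN"]),
    "web_reply": dict(proto="tcp", src="203.0.113.10", dst=SAMS, dport=50123, flags=["ACK"]),
    "dns_reply": dict(proto="udp", src="203.0.113.53", dst=SAMS, dport=53000),
    "ping_reply": dict(proto="icmp", src="203.0.113.10", dst="10.128.30.20", icmp_type="echo-reply"),
    "ping_request": dict(proto="icmp", src="203.0.113.10", dst=SAMS, icmp_type="echo"),
    "pmtu_to_server": dict(proto="icmp", src="203.0.113.10", dst=SAMS, icmp_type="packet-too-big"),
    "pmtu_to_client": dict(proto="icmp", src="203.0.113.10", dst="10.128.30.20", icmp_type="packet-too-big"),
}

def run_samples():
    return {name: evaluate(ACL, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, (action, entry) in run_samples().items():
        print(f"{name:20s} {action:6s} (entry {entry})")
```

With the example as given, TCP 8109 (listed earlier for 1 server 2 WebSAMS) falls through to the final deny, and packet-too-big is accepted only for 10.128.30.150.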
Security and Maintenance
Best practices
Best practices on protection and export of data from WebSAMS:
Proper Access Control
Data Encryption
Password Handling
Disable remote desktop service in WebSAMS server at “Control Panel > System > Advanced System Settings > Remote tab”
Patch update
Update security patches of Windows Server 2012R2
Install major Windows patches for Windows Servers only after testing by EDB as announced via WebSAMS Release Notes / CDR message from time to time
Enable real time protection & update virus pattern on Anti-virus program (including all servers and workstations)
Update IOS (Cisco) or firmware on WebSAMS Router (Consult hardware vendor)
Command “starthsp” can be completed successfully in HTTP server
Data Security
Disconnect any shared folder on WebSAMS Server
Data Security (cont'd)
NAS should be connected to WebSAMS Server with a cross-over ethernet cable. Do not connect NAS device to the WebSAMS network switch.
Exposure of any sensitive export data to any public machine, such as student & guardian personal info, staff personal info, financial report, etc. is not recommended.
Keep an offline and offsite backup
Data Security (cont'd)
Keep original basic network setting in WebSAMS unchanged. For example:
Do not connect WebSAMS Server to the ITED network switch or firewall directly.
Do not connect WebSAMS HTTP Server to the WebSAMS network switch.
Do not connect NAS device to WebSAMS network switch.
Do not connect Internet cable from ISP to WebSAMS Server.
Data Security (cont'd)
To protect against leakage of sensitive data, schools are advised to:
ensure that users can only import and export system data when they are authorized to do so and appropriate measures have been taken.
maintain accuracy, integrity and consistency of system data when importing data to WebSAMS.
take all feasible measures so as to ensure the personal data collected by data users are protected against unauthorized or accidental access, processing, erasure or use.
Resources on IT Security of WebSAMS
IT Security in Schools – Recommended Practice (ITSS):
Path: EDB Webpage > Education System and Policy > Primary and Secondary School Education > Applicable to Primary and Secondary School > IT in Education > On-going Support
Security Guides & Checklist for WebSAMS:
Path: http://cdr.websams.edb.gov.hk > 主頁 (Home) > 參考資料 (Reference Materials) > 保安及處理敏感數據指引 (Guidelines on Security and Handling of Sensitive Data)
WebSAMS Version Upgrade release note:
Path: http://www.websams.edb.gov.hk > Version Upgrade for 3.0 > Major Upgrade
Resources on IT Security of WebSAMS (cont’d)
Security reminders in security alert from EDB from time to time
Path: EDB Website > Education System and Policy > Primary and Secondary School Education > Applicable to Primary and Secondary School > IT in Education
Regularly visit the Information Security website of HKSAR for updated information on IT security
http://www.infosec.gov.hk
Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT)
https://www.hkcert.org
Internet Security
Only open WebSAMS to Internet access for a specific period when necessary:
1. Restrict the time for accessing WebSAMS from clients outside SAMS LAN segment at “Security > Configuration > System Configuration”
Internet Security (cont'd)
2. Set up specific “Internet Access Time Profile” to further control the access time for particular user clients outside SAMS LAN segment at “Security > Access Control > Internet Access Time Profile”
New function in WebSAMS: Security Check
New function in WebSAMS version 3.0.0.29082017
The Security Check function scans basic settings in:
HTTP server
WebSAMS server
WebSAMS router
Type command [starthsp] in HTTP server to update it before the first check
New function in WebSAMS: Security Check (cont'd)
1. The Security Check function can be enabled or disabled.
2. Set the scanning time for scheduled daily security check.
New function in WebSAMS: Security Check (cont'd)
3. Provide supplementary information of Windows Server 2012 Settings in WebSAMS Server.
4. Click “Save” to save the setting or “Save & Perform Scanning” for an ad-hoc scan.
New function in WebSAMS: Security Check (cont'd)
5. Click “Report Repository” to go to the page to view all reports generated.
6. Summary of the latest check will be listed.
New function in WebSAMS: Security Check (cont'd)
7. If the checkbox is checked, a notification will be displayed after you log into WebSAMS when an exception report is generated.
New function in WebSAMS: Security Check (cont'd)
Exception Report Summary
Details
Note
New function in WebSAMS: Security Check (cont'd)
The Security Check function helps schools check the basic system security settings of WebSAMS
Tips on using the new function:
New function in WebSAMS: Security Check (cont'd)
Schools should also conduct manual checking using the System Security Setting Checklist for WebSAMS on a regular basis as well as on a need basis
Schools should properly keep the completed checklist for record purposes
New feature in WebSAMS: Encrypt Export Files
New feature of encrypting export files is provided in WebSAMS version 3.0.0.25042017
To avoid repeated warning messages when decrypting the exported files, trust the school WebSAMS URL in IE:
In IE11 of Windows 7:
ALT+T > Internet Options > Security tab > Local Intranet > [Sites] > Input {School WebSAMS URL} > [Add]
In IE11 of Windows 10:
ALT+T > Internet Options > Security tab > Trusted sites > [Sites] > Input {School WebSAMS URL} > [Add]
WebSAMS Server Security
OS Hardening Setting and Security Best Practices:
1. Local Security Policy
Start -> Control Panel -> Administrative Tools -> Local Security Policy
In Account Policies -> Account Lockout Policy, set Account lockout threshold to “3” invalid logon attempts
Set Account lockout duration and also Reset account lockout counter after to “30 minutes”.
WebSAMS Server Security (cont'd)
In Local Policies -> Audit Policy
Set Audit object access security setting to “Failure” and also set Audit system events security setting to “Success”
More policy settings in Appendix 8 of Installation Guidelines for WebSAMS 3.0
WebSAMS Server Security (cont'd)
2. User account management
Disable / delete all unused Login Accounts of Windows Server and WebSAMS Application
Start -> Control Panel -> Administrative Tools -> Computer Management -> System Tools -> Local Users and Groups -> Users -> Administrator
On the General tab of ALL user accounts properties, uncheck the Password never expires checkbox.
WebSAMS Server Security (cont'd)
3. Enable Screen Saver Timeout
WebSAMS Server
Similar settings also apply to WebSAMS workstation/ITED workstation if accessing WebSAMS
Start -> Control Panel -> Display > Change screen saver
WebSAMS Server Security (cont'd)
4. Enable Windows Firewall
Start -> Control Panel -> Windows Firewall > Advanced settings
Inbound Rules > New Rule…
Rule Type > Port
Protocol and Ports > TCP > Specific local ports:
80, 443, 8009, 7009, 3268, 7010, 7268 (Add 8109 & 9268 for 1 Server 2 WebSAMS only)
Action > Allow the connection
Profile > Domain, Private & Public
Name > WebSAMS > Finish
5. Apply Latest Security patch of WebSAMS
Backup of Data
Backup
** Reminder: Importance of Off-Line Backup
WebSAMS Backup Schedule: Pre-backup, Backup, Post-backup
From about 00:00 am to 06:00 am
Flow of Scheduled Backup:
Stop WebSAMS engine
Backup
Housekeep WebSAMS application log files
Start WebSAMS engine
Encryption of backup images
Backup Job Workflow
Pre-backup
D:\WebSAMS3.0\batch\pre_backup.bat
Running 15 mins
Stop JBoss, database, Apache
Make copy of WebSAMS data to E:\data\<SUID>\database\sched
Backup Rotation Configuration
Backup Rotation Configuration (cont’d)
After the time of scheduled job – Pre_backup.bat
Post-backup
D:\WebSAMS3.0\batch\post_backup.bat
Housekeep Apache log files D:\WebSAMS3.0\Apache\logs\
Housekeep WebSAMS server log files ( older than 30 days ) D:\WebSAMS3.0\JBoss-as-7.1.1.Final\standalone\log
Housekeep CDS log ( More than 30 days ) E:\data\CDS\<dest_id>\system\log\
Housekeep Report temp log files E:\data\<SUID>\rpt\temp
Start database, JBoss, Apache
Backup on HTTP Server
Back up WebSAMS HTTP server (SUSE Linux Enterprise 11) setting to a USB drive or a floppy drive
Use command “httpconfig”
Or use command “fdisk -l” to check USB device name e.g.: sda1, sda2 or sdb1…,etc.
Use command “grepconfig” / “grepconfig /dev/{USB device name}”. (For 1 Server 2 WebSAMS environment, use “grepconfig_1s2s”)
Run the command when HTTP server is running in good condition
Those files can be copied to any Windows storage for backup purpose
Backup on HTTP Server (cont'd)
Step 1 : Log in HTTP server as root
Step 2 : Type command “httpconfig”
Or “grepconfig /dev/sda1”.
Step 3 : Press “Y” in the following screen
Backup on HTTP Server (cont'd)
Step 4: Press “0” if all information is correct
Step 5: Press “Y” to confirm in the following screen
Logs Checking
Logs checking
Windows Event Viewer log
Control Panel > Administrative Tools > Event Viewer
Apache log
D:\WebSAMS3.0\Apache\logs\
access.log-<dd-MM-yyyy> ( http request log )
errors.log-<dd-MM-yyyy> ( error log )
Virus scanning log
Backup software log
Logs checking (cont'd)
Local backup log
To check whether the pre-backup tasks have been run successfully (E:\data\<SUID>\Log\DB\backup.log)
Logs checking (cont'd)
JBoss Server Log
D:\WebSAMS3.0\JBoss-as-7.1.1.Final\standalone\log\server.log
Time Stamp
Severity
Message
Logs checking (cont'd)
WebSAMS Upgrade Logs
E:\temp\wsup1\<yyyyMMdd.HHmm>\*
E:\temp\wsup2\<yyyyMMdd.HHmm>\*
(For 2nd instance of 1 Server 2 WebSAMS)
E:\temp\training\<yyyyMMdd.HHmm>\*
Files and directories are saved under <yyyyMMdd.HHmm> folder, and the latest folder should be kept for tracking purpose.
Logs checking (cont'd)
WebSAMS HTTP Linux Server
Apache log
(/var/log/apache2/access_log_80, 443, 7010)
Error log
(/var/log/apache2/error_log_80, 443, 7010)
System log
(/var/log/messages)
Virus scan log (/var/log/TrendMicro/SProtectLinux/Virus.yyyyMMdd.#### )
Logs checking (cont'd)
Linux System Log
/var/log/messages
/var/log/
Logs checking (cont'd)
All logs in anti-virus: https://websams.school.edu.hk:14943
Virus Logs, Spyware Logs, Scan Logs & System Logs
/var/log/TrendMicro/SProtectLinux/
Logs checking (cont'd)
Hardware Firewall Log Screen
Change password
Change passwords on a regular basis:
OS System administrator
WebSAMS login accounts including “sysadmin” and “asysadmin”
HTTP root account
Trouble-shoot Case Studies
General trouble-shoot ( Helpdesk issues )
10 general issues frequently received by WebSAMS Helpdesk:
1. ITED / Internet cannot access WebSAMS
2. Unable to connect CDS
3. Unable to back up
4. ITED-access becomes Internet-access
5. WebSAMS-access becomes ITED-access
6. How to setup WebSAMS client PC?
7. How to install WebSAMS root certificate on ITED or Internet client PC?
8. Generate report problem
9. Fonts problem
10. Version upgrade problem
1. ITED / Internet cannot access WebSAMS
Double check whether WebSAMS has been started ?
Test if WebSAMS segment works or not
Check whether ITED client PC has resolved the IP problem ? DNS problem / DHCP problem
Proxy client
Check using “Internet Explorer” on the ITED client PC
Check whether the ITED client PC uses proxy in IE ?
Confirm whether HTTP server has been started up & the ‘Pass Phrase’ has been entered? Idle 25 seconds > rcapache2 restart
In HTTP server, do the test by typing: telnet <WebSAMS_server_IP> 8009
1. ITED / Internet cannot access WebSAMS ( cont’d )
Success Sample
Failure Sample
1. ITED / Internet cannot access WebSAMS ( cont’d )
If it succeeds, it must be an ITED segment problem
If it fails, it could be:
HTTP server crash
HTTP server wrong setting
WebSAMS’s router wrong setting ( or reset )
School firewall setting if HTTP server in DMZ
If it can load SSL prompt, that means HTTP running smoothly.
Otherwise, it may be HTTP setting or router setting problem
1. ITED / Internet cannot access WebSAMS ( cont’d )
ITED can access WebSAMS successfully but Internet cannot. The problem is due to:
Hosting registration of WebSAMS domain name in Internet
Internet Gateway problem ( port mapping )
HTTP server’s Default Gateway setting is wrong
It should be set to the Internet Gateway which performs port mapping
Type “route” in Linux command line to show default gateway setting
2. Unable to connect CDS
It may be caused by:
Network connection of WebSAMS server was broken for a short period
Wrong URL of the Primary and Secondary CDS Extensions in WebSAMS at “CDS > Transmission > Schedule Transmission”
Wrong Internet Gateway setting
Wrong WebSAMS router setting
In WebSAMS server, try to connect to the Internet without passing through proxy
Go to (www.hsbc.com.hk) then click “logon” to test whether https URL works or not;
Try to ping: cdsx1.websams.edb.gov.hk and cdsx2.websams.edb.gov.hk / websams.cds.edb.gov.hk (Auto-update CDS message: URLs of CDS extension and CDS certificate)
If fail, it may be DNS problem
2. Unable to connect CDS ( cont’d )
Nearly 95% of network problems with the message “Unable to connect CDS” could not pass the following testing.
e.g. Internet Gateway did not allow WebSAMS server to access the Internet
e.g. WebSAMS router setting had a wrong ACL or wrong default route
A very special case may happen in which CDS can send but cannot receive messages. According to our investigation, it may be caused by the ISP and network setting
Solution :
Implement “packet-too-big” into router setting
3. Unable to back up
Hardware failure or no free space of hard disk in NAS
Besides, over 95% of cases are due to the following 3 reasons :
Backup task is configured wrongly
Backup task takes so long that post_backup starts earlier than estimated
The administrator password in the system is not synchronized with the one in the backup batch jobs
For case 3 above, we need to :
Change the password in pre_backup , post_backup
Change the password in Backup software
All password settings must be same as system administrator password
4. ITED-access becomes Internet-access
Internal DNS setting
Proxy client ?
Client PC using proxy in IE ?
Trouble-shoot:
Ping URL in command prompt, check what IP is resolved
It should be HTTP internal IP
In one very extreme case:
The school places HTTP in DMZ
The school Internet gateway changes the source IP
i.e. SNAT in Linux
5. WebSAMS-access becomes ITED-access
Make sure the WebSAMS version is 3.0.0.28082015 or above
Internal DNS setting
Proxy client ?
Client PC / WebSAMS server using proxy in IE ?
Trouble-shoot:
Ping URL in Command Prompt, check what IP is resolved
It should be WebSAMS server IP
2 ethernet ports in WebSAMS server:
In Command Prompt, enter ‘ipconfig /all’. The first IP address should be the private IP of WebSAMS server. If the first IP address is to connect the NAS, swap the ethernet cables and setting of Internet Protocol (TCP/IP) in between the WebSAMS interface and NAS interface.
4 ethernet ports in WebSAMS server:
Make sure the primary ethernet port connects to the WebSAMS segment and does not connect to NAS
Make sure the primary ethernet port matches the one in the BIOS setup (Motherboard setup)
6. How to setup WebSAMS client PC?
OS requires Windows 7 or above
Adobe Reader 10.0 or above supports Windows 7/8/10
Enable Hong Kong Supplementary Character Set (HKSCS) in Windows 7/8/10, refer to the 9th question
WebSAMS supports IE:
Windows 7 SP1 + IE11
Windows 8.1 Update + IE11
Windows 10 + IE11 (Microsoft Edge is not compatible with WebSAMS)
6. How to setup WebSAMS client PC?
How to find IE11 on Windows 10?
Start menu > Windows Accessories > Internet Explorer
Search “IE” > Internet Explorer
6. How to setup WebSAMS client PC? ( cont’d )
SAP Crystal Reports 2013 ( full installation )
SAP Sybase SQL Anywhere 16 ODBC Driver (32-bit)
How to get ODBC Driver ?
Available in the installation CD of SAP Sybase SQL Anywhere 16
Driver Installation: Databases > SQL Anywhere (32-bit) > SQL Anywhere client
6. How to setup WebSAMS client PC? ( cont’d )
Configure ODBC Setting:
For 32-bit Windows: Control Panel > Administrative Tools > Data Sources (ODBC)
Configure ODBC Accounts:
For 64-bit Windows: Type “ODBC” in the search field of Windows Start menu > ODBC Data Sources Administrator (32-bit)
7. How to install WebSAMS root certificate on ITED or Internet client PC?
Install WebSAMS Root Certificate on Windows 7/8/10
Verification of root certificate in Internet Explorer
Tools (Alt+T) > Internet Options > Content tab
8. Generate report problem
Checking Crystal Reports Server
SAP BusinessObjects Central Configuration Manager
Apache Tomcat for BI 4
Server Intelligence Agent
SAP BusinessObjects Central Management Console (CMC)
http://localhost:8080/BOE/CMC/ Or
http://127.0.0.1:8080/BOE/CMC/
Add parameters “ -ipport 1566 -reportdirectory E:\Data”
Other cases:
Check WebSAMS server computer name
Is it equal to the sub-domain name in the URL?
If the sub-domain name is websams-am.schabc.edu.hk, then the WebSAMS server computer name should be “websams-am”
The report is generated from customized template
Restart JBoss
Try to generate built-in template first
If succeed, customized template problem
If fail, download “Points to Note for Upgrading of WebSAMS 3.0 (Sybase and Crystal Reports)” from http://cdr.websams.edb.gov.hk > 主頁 (Home) > 2014 提升「網上學校行政及管理系統」參考資料 (2014 WebSAMS upgrade reference materials)
Contact help desk for further investigation
Update any user-customized report in WebSAMS 3.0
Open Data Sources (ODBC)
For 32-bit Windows: Control Panel > Administrative Tools
For 64-bit Windows: Type “ODBC” in the search field of Windows Start menu > ODBC Data Sources Administrator (32-bit)
Input an ODBC login account on the WebSAMS workstation for connecting to WebSAMS database, such as “genuser”, “fmpuser” or “stfuser”
Verify database in Crystal Reports on WebSAMS workstation
Remove the User ID and leave it blank
Click “OK” several times
Unable to open customized report template by Crystal Reports 2013.
Open it by Crystal Reports 9
Delete any duplicate parameter field(s) in Field Explorer
Verify the SQL syntax of the user-customized report templates
For details, please refer to http://cdr.websams.edb.gov.hk > 主頁 (Home) > 2014年提升「網上學校行政及管理系統」參考資料 (2014 WebSAMS upgrade reference materials) > 10. Points to Note for Upgrading of WebSAMS 3.0 (Sybase and Crystal Reports)
9. Fonts problem
The font in WebSAMS Server is corrupted
Cannot display HKSCS fonts in WebSAMS report (.PDF)
If the size of the “MingLiU.TTC” font file is NOT 26M:
1. Reboot the WebSAMS Server and press F8 key during startup to enter Windows Safe Mode;
2. Right-click the bottom left Windows Start button and select “Command Prompt (Admin)”;
3. Type the command "takeown /f C:\Windows\Fonts\mingliu.ttc" and press ENTER key;
4. Type the command "icacls C:\Windows\Fonts\mingliu.ttc /grant administrators:F" and press ENTER key;
5. Type the command "ren C:\Windows\Fonts\mingliu.ttc mingliu.bak" and press ENTER key;
6. Type the command "exit" and press ENTER key to close the Command Prompt window;
7. Copy the font file from D:\WebSAMS3.0\batch\utilities to C:\Windows\Fonts;
8. Reboot the WebSAMS Server to Windows Normal Mode and start WebSAMS services.
Don’t install any Government HKSCS on WebSAMS Server.
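A read-only pre-check for the procedure above, as an added PowerShell example that is not part of the seminar material: it compares the installed font with the copy in D:\WebSAMS3.0\batch\utilities by size and SHA-256, then lists the owner and write-capable ACL entries of the installed file. The reference file name mingliu.ttc and the function name Get-FontFileInfo are assumptions.

```powershell
# Added example, not from the seminar slides. Read-only: it changes nothing.
# Assumption: the reference copy in the utilities folder is named mingliu.ttc.
$installed = 'C:\Windows\Fonts\mingliu.ttc'
$reference = 'D:\WebSAMS3.0\batch\utilities\mingliu.ttc'

# Hypothetical helper: size, SHA-256 and owner of one file (nulls if absent).
function Get-FontFileInfo {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false
                                  SizeMB = $null; SHA256 = $null; Owner = $null }
    }
    $item = Get-Item -LiteralPath $Path -Force
    [pscustomobject]@{
        Path   = $Path
        Exists = $true
        SizeMB = [math]::Round($item.Length / 1MB, 1)
        SHA256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Owner  = (Get-Acl -LiteralPath $Path).Owner
    }
}

$inst = Get-FontFileInfo -Path $installed
$ref  = Get-FontFileInfo -Path $reference
$inst, $ref | Format-List

if (-not $ref.Exists) {
    Write-Warning 'Reference copy not found; compare SizeMB with the 26M stated on the slide.'
} elseif (-not $inst.Exists) {
    Write-Warning 'Installed font is missing from C:\Windows\Fonts.'
} elseif ($inst.SHA256 -eq $ref.SHA256) {
    Write-Output 'Installed font matches the reference copy; replacement is not needed.'
} else {
    Write-Output 'Installed font differs from the reference copy; follow the replacement steps.'
}

# Steps 3-4 change the owner and grant Administrators full control on the
# original file, so list which identities can write to the installed font.
if ($inst.Exists) {
    (Get-Acl -LiteralPath $installed).Access |
        Where-Object { $_.FileSystemRights -match 'FullControl|Modify|Write' } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
}
```

Running it again after step 8 confirms that the replaced file matches the reference copy and shows the permissions it ended up with.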
Enable HKSCS (Hong Kong Supplementary Character Set) on Workstation
Cannot display HKSCS fonts in WebSAMS report (.XLS / .DOC)
Windows 7, 8 & 10 have built-in support for HKSCS-2004 with ISO 10646/Unicode code allocation scheme.
10. Version Upgrade Problem
WebSAMS version <> DB version
Caused by unsuccessful WebSAMS upgrade
Solution
WebSAMS Java version cannot be upgraded
Recover files from E:\temp\wsup1\<the latest folder>\backup\
Contact Helpdesk to get the instruction
If database is running, execute the < 2. Start Database > again…
The following error will be prompted:
WebSAMS Helpdesk Scope
WebSAMS Application enquiry
Modules maintenance
General usage enquiries
WebSAMS Technical enquiry
Focus on WebSAMS Application
Resources
WebSAMS Central Document Repository: http://cdr.websams.edb.gov.hk
WebSAMS System Manual:
(AOM) http://www.websams.edb.gov.hk/chi/newschool/newschool_c.html > 其他相關資料 (Other related information)
(COPM) http://www.websams.edb.gov.hk/chi/newschool/newschool_c.html > 其他相關資料 (Other related information)
(UM) http://cdr.websams.edb.gov.hk > 主頁 (Home) > 系統文件 (System documents) > 用戶手冊 (User manual)
WebSAMS Forum: WebSAMS Central Document Repository > 主頁 (Home) > 相關網頁連結 (Related links) > 香港教育城校管系統討論區 (HKEdCity school administration system forum), or http://forum.hkedcity.net/forumdisplay.php?fid=71
WebSAMS Helpdesk:
Hotline: 3125-8510
Fax: 3125-8999
E-mail: [email protected]
Leave your School ID, contact person and contact number
CDR Website
WebSAMS Forum (cont’d)
Q & A Session
The End