Exchange Hybrid – Free/Busy information not working

When upgrading an SSL cert last week I had to run the Exchange Hybrid Configuration Wizard again. Of course, when you update something like this or AD Connect, something is broken…

Before that, Free/Busy was working from Microsoft 365 Exchange Online to the On-Prem environment.

After checking the relationship I saw that the sharing code was empty again.

Get-OrganizationRelationship | select TargetSharingEpr

Resulted in an empty response. To fix the Free/Busy time this needs to be filled in, in there are subdomains. If you have let’s it’s fine, but if you have it goes wrong. Because it tries to reach instead of Even if you have some CNAME records, it takes too long.

Instead of letting Autodiscover find out what the URL is, simply put the Hybrid servers in the TargetSharingEpr directly (as mentioned at the beginning, I had this issue in the past). So:

Set-OrganizationRelationship -TargetSharingEpr -Identity yourmicrosoftidentity

After this, the Free/Busy will work again.

Converting SSL certificates

Often when you buy / get a new certificate you need to have it in another certificate format, depending on your needs.

PEM Format

The PEM format is the most common format that CAs issue certificates in. PEM certificates usually have extensions such as .pem, .crt, .cer, and .key. They are Base64 encoded ASCII files and contain “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” statements. Server certificates, intermediate certificates, and private keys can all be put into the PEM format.

Apache and other similar servers like Citrix NetScaler use PEM format certificates. Several PEM certificates, and even the private key, can be included in one file, one below the other, but most platforms, such as Apache, expect the certificates and private key to be in separate files.

DER Format

The DER format is simply a binary form of a certificate instead of the ASCII PEM format. It sometimes has a file extension of .der, but it often has a file extension of .cer, so the only way to tell the difference between a DER .cer file and a PEM .cer file is to open it in a text editor and look for the BEGIN/END statements. All types of certificates and private keys can be encoded in DER format. DER is typically used with Java-related platforms.

PKCS#7/P7B Format

The PKCS#7 or P7B format is usually stored in Base64 ASCII format and has a file extension of .p7b or .p7c. P7B certificates contain “-----BEGIN PKCS7-----” and “-----END PKCS7-----” statements. A P7B file only contains certificates and chain certificates, not the private key. Several platforms support P7B files, including Microsoft Windows and Java Tomcat.

PKCS#12/PFX Format

The PKCS#12 or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key in one encryptable file. PFX files usually have extensions such as .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys.

When converting a PFX file to PEM format, OpenSSL will put all the certificates and the private key into a single file. You will need to open the file in a text editor and copy each certificate and private key (including the BEGIN/END statements) to its own individual text file and save them as certificate.cer, CACert.cer, and privateKey.key respectively.

OpenSSL Commands to Convert SSL Certificates

There are several online converters for SSL certificates, but I urge you to convert the certificate locally with OpenSSL. You don’t want to store your PRIVATE key on someone else’s machine. If you do it locally, the private key stays on your machine. A good point here is that you should have some form of disk encryption on your laptop, so that the keys remain safe in the event that your PC/laptop is stolen. Use the following OpenSSL commands to convert SSL certificates to different formats:

OpenSSL Convert PEM

Convert PEM to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert PEM to P7B

openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer

Convert PEM to PFX

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

OpenSSL Convert DER

Convert DER to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

OpenSSL Convert P7B

Convert P7B to PEM

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

Convert P7B to PFX

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer

openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx

OpenSSL Convert PFX

Convert PFX to PEM

openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
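
Instead of copying the blocks out by hand in a text editor, the split can be scripted. This is an added example, not part of the original post: the function names and the sample bundle are made up for illustration, and it assumes the first certificate in the file is the server certificate.

```sh
# Added example: split the combined file written by
#   openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
# into privateKey.key, certificate.cer and CACert.cer.
# Assumption: the first CERTIFICATE block is the server certificate and
# every later one is a CA certificate. Check this on your own bundle.
split_pem_bundle() {
    bundle=$1
    outdir=$2
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    (
        # -nodes leaves the private key unencrypted, so create the
        # output files readable by the owner only.
        umask 077
        mkdir -p "$outdir" || exit 1
        rm -f "$outdir/privateKey.key" "$outdir/certificate.cer" "$outdir/CACert.cer"
        awk -v dir="$outdir" '
            /^-----BEGIN .*PRIVATE KEY-----/ { keys++; out = dir "/privateKey.key" }
            /^-----BEGIN CERTIFICATE-----/ {
                certs++
                out = dir (certs == 1 ? "/certificate.cer" : "/CACert.cer")
            }
            # Text outside BEGIN/END (the "Bag Attributes" lines) is dropped.
            out != "" { print >> out }
            /^-----END / { close(out); out = "" }
            # Fail unless there is exactly one key and at least one certificate.
            END { if (keys != 1 || certs < 1) exit 2 }
        ' "$bundle"
    )
}

# Constructed sample (not real key material) in the layout pkcs12 prints.
sample_bundle() {
    cat <<'EOF'
Bag Attributes
    friendlyName: constructed-sample
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQta2V5
-----END PRIVATE KEY-----
Bag Attributes
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtbGVhZg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtY2E=
-----END CERTIFICATE-----
EOF
}

if [ "$#" -eq 2 ]; then split_pem_bundle "$1" "$2"; fi
```

Write the output to a directory on the encrypted disk and delete the combined file afterwards, since it still holds the unencrypted key.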


Policy Based Routing HPE Aruba 3800 series

Today I was busy with some Policy Based Routing (PBR) on an HPE Aruba 3800 series switch.



The default gateway is set to which is ISP A, a line dedicated for business traffic.

So in the config of the switch:

ip route
ip routing

Let’s assume that we have another ISP, named B, which needs to be used for Office 365, in particular Exchange Online. Of course the best option would be to change the default gateway, because Microsoft has a lot of IP addresses which change on a regular basis. So my advice would be to set the default gateway to ISP B and make a PBR for the things that should go to ISP A. Users of VLAN 5 need to have this in place.

We start by creating a class which contains the IP version 4 addresses for Exchange Online listed on this Microsoft page. The class name is case sensitive. Also please note that we can’t use normal subnet masks (the switch accepts them, but it doesn’t work); we have to use wildcard masks here.

class ipv4 "Office365-Subnets"
5 match ip
10 match ip
15 match ip
20 match ip
25 match ip
30 match ip
35 match ip
40 match ip
45 match ip
50 match ip
55 match ip
60 match ip
65 match ip
70 match ip
75 match ip
80 match ip
85 match ip
90 match ip
95 match ip
100 match ip
105 match ip
110 match ip
115 match ip
120 match ip
125 match ip
130 match ip
135 match ip
140 match ip
145 match ip
150 match ip
155 match ip
160 match ip
165 match ip
170 match ip
175 match ip
180 match ip
185 match ip
190 match ip
195 match ip
200 match ip
205 match ip
210 match ip
215 match ip
220 match ip
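
Since the class only works with wildcard masks, prefixes published in CIDR notation have to be converted first. The following is an added example (not from the original post) that does the conversion and numbers the lines in steps of 5 like the class above; the function names, the documentation prefixes used as input and the `any` source in the generated lines are assumptions.

```sh
# Added example: turn a CIDR prefix into a "network wildcard" pair.
# The wildcard mask is the inverse of the netmask: host bits are 1.
cidr_to_wildcard() {
    case $1 in
        */*) addr=${1%/*}; len=${1#*/} ;;
        *) echo "not CIDR notation: $1" >&2; return 1 ;;
    esac
    # Digits only, no leading zeros (the shell would read them as octal).
    case $len in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    case $addr in *[!0-9.]*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    wild=$(( (1 << (32 - len)) - 1 ))
    net=$(( ip & ~wild ))          # clear host bits, e.g. .77/26 -> .64
    printf '%d.%d.%d.%d %d.%d.%d.%d\n' \
        $(( net >> 24 & 255 )) $(( net >> 16 & 255 )) \
        $(( net >> 8 & 255 )) $(( net & 255 )) \
        $(( wild >> 24 & 255 )) $(( wild >> 16 & 255 )) \
        $(( wild >> 8 & 255 )) $(( wild & 255 ))
}

# Emit numbered class lines in steps of 5 for CIDRs read from stdin.
# Assumption: "match ip any <dest> <wildcard>" is the wanted line layout
# (any source in the VLAN, the listed range as destination).
class_entries() {
    seq=5
    while read -r cidr; do
        [ -n "$cidr" ] || continue
        pair=$(cidr_to_wildcard "$cidr") || return 1
        echo "$seq match ip any $pair"
        seq=$((seq + 5))
    done
}

# Constructed sample input (documentation prefixes, not Microsoft ranges).
printf '%s\n' 192.0.2.0/24 198.51.100.77/26 203.0.113.9/32 | class_entries
```

A prefix with host bits set, such as the /26 in the sample, is normalised to its network address so the entry matches the whole range.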

Now that we have a class, we can bind it in a policy and set the next-hop to

policy pbr "POL-Office365-Subnets"
     5 class ipv4 "Office365-Subnets"
      action ip next-hop

HPE’s implementation requires the policy to be mapped to a VLAN. So far we have only created the policy and not bound it anywhere, so we have to do the following:

vlan 5
   name "test"
   untagged 1
   ip address
   service-policy "POL-Office365-Subnets" in

Keep in mind that you can bind only one PBR to a VLAN. If you enter the command service-policy "POL-test" in again and press Enter, you won’t get a warning; you simply override the PBR. Also, you can only apply the PBR to incoming packets on a VLAN.

Some show commands:

show policy POL-Office365-Subnets

Statements for policy "POL-Office365-Subnets"
policy pbr "POL-Office365-Subnets"
     5 class ipv4 "Office365-Subnets"
      action ip next-hop

 show statistics policy POL-Office365-Subnets vlan 5 in

 Hit Counts for Policy POL-Office365-Subnets


 5 class ipv4 Office365-Subnets action ignore
(       0 )      5 match ip
(       0 )      10 match ip
(       0 )      15 match ip
(       0 )      20 match ip
(       0 )      25 match ip
(       0 )      30 match ip
(       0 )      35 match ip
(       0 )      40 match ip
(       0 )      45 match ip
(       0 )      50 match ip
(       0 )      55 match ip
(       0 )      60 match ip
(       0 )      65 match ip
(       0 )      70 match ip
(       0 )      75 match ip
(       0 )      80 match ip
(       0 )      85 match ip
(       0 )      90 match ip
(       0 )      95 match ip
(       0 )      100 match ip
(       0 )      105 match ip
(       0 )      110 match ip
(       0 )      115 match ip
(       0 )      120 match ip
(       0 )      125 match ip
(       0 )      130 match ip
(       0 )      135 match ip
(       0 )      140 match ip
(       0 )      145 match ip
(       0 )      150 match ip
(       0 )      155 match ip
(       0 )      160 match ip
(       0 )      165 match ip
(       0 )      170 match ip
(       0 )      175 match ip
(       0 )      180 match ip
(       0 )      185 match ip
(       0 )      190 match ip
(       0 )      195 match ip
(       0 )      200 match ip
(       0 )      205 match ip
(       0 )      210 match ip
(       0 )      215 match ip
(       0 )      220 match ip


IPv4 Translation Table

Netmask  Inverse  /CIDR  Usable         Size
                  /32    1              1 Host
                  /31    0              2 Hosts
                  /30    2              4 Hosts
                  /29    6              8 Hosts
                  /28    14             16 Hosts
                  /27    30             32 Hosts
                  /26    62             64 Hosts
                  /25    126            128 Hosts
                  /24    254            1 Class ‘C’
                  /23    510            2 Class ‘C’s
                  /22    1,022          4 Class ‘C’s
                  /21    2,046          8 Class ‘C’s
                  /20    4,094          16 Class ‘C’s
                  /19    8,190          32 Class ‘C’s
                  /18    16,382         64 Class ‘C’s
                  /17    32,766         128 Class ‘C’s
                  /16    65,534         1 Class ‘B’
                  /15    131,070        2 Class ‘B’s
                  /14    262,142        4 Class ‘B’s
                  /13    524,286        8 Class ‘B’s
                  /12    1,048,574      16 Class ‘B’s
                  /11    2,097,150      32 Class ‘B’s
                  /10    4,194,302      64 Class ‘B’s
                  /9     8,388,606      128 Class ‘B’s
                  /8     16,777,214     1 Class ‘A’
                  /7     33,554,430     2 Class ‘A’s
                  /6     67,108,862     4 Class ‘A’s
                  /5     134,217,726    8 Class ‘A’s
                  /4     268,435,454    16 Class ‘A’s
                  /3     536,870,910    32 Class ‘A’s
                  /2     1,073,741,822  64 Class ‘A’s
                  /1     2,147,483,646  128 Class ‘A’s
                  /0     4,294,967,294  Any

Cisco FirePower Management Center 6.0.0 Password

In previous versions of Cisco FirePower Management Center (< 5.x) the default credentials were:

Username: admin
Password: Sourcefire

With version 6 and later the default password has changed and is not listed (yet) in the Cisco documentation.

Username: admin
Password: Admin123