Windows Imaging in FileWave 15.5+: Secure NFS Tunneling and Fallback Options

What

In FileWave version 15.5.0, significant changes have been made to the Windows Imaging process using the Imaging Virtual Server (IVS). Previously, when imaging or capturing a Windows system, the device would mount NFS (Network File System) volumes directly over TCP/UDP port 2049. Starting with FileWave 15.5, the imaging process has been enhanced for security and reliability by ~~establishing~~allowing the creation of a VPN tunnel over TCP/UDP port 20490. Over this secure VPN tunnel, the system accesses the NFS mounts, providing a more secure and efficient imaging environment.

~~However,~~This ifsecure ~~issues~~functionality ~~arise~~was ~~with~~initially ~~the~~enabled ~~new~~by ~~VPN~~default, ~~tunneling~~but ~~method,~~from ~~there~~16.2.0 onward it is adisabled ~~fallback~~by ~~mechanism~~default ~~that allows you to revert to the previous method of direct NFS mounting over port 2049. This ensures that imaging tasks~~and can ~~continue~~be ~~without~~enabled ~~interruption,~~or ~~even~~disabled ifvia ~~the~~a ~~VPN tunnel encounters problems in certain network environments.~~command.

When/Why

When to Use

Secure

~~Default~~imaging ~~Behavior~~:is Bysomething ~~default,~~you ~~FileWave~~want ~~15.5~~to ~~uses~~consider aif ~~VPN~~you ~~tunnel~~frequently capture images of devices that have user data on ~~port~~them. ~~20490 for all Windows~~Secure imaging ~~tasks.~~will ~~Fallback~~prevent ~~Scenario~~:someone from grabbing an image from the IVS server. If you ~~experience~~don't ~~issues~~typically ~~with~~do ~~imaging~~this, orand ~~capturing~~typically use the IVS to simply capture base images ~~due~~and todeploy ~~VPN~~them ~~tunneling~~then ~~problems,~~there is better performance if Secure Imaging is disabled. If you setup your IVS on version 16.2.0 then it will be disabled by default. If you were running an older IVS you may ~~need~~see toit ~~revert~~enabled ~~to the direct NFS mounting method.~~

Why This Change Matters

~~Enhanced Security~~~~: Using a VPN tunnel adds an extra layer of security by encapsulating NFS traffic within a secure tunnel, protecting data during the imaging process.~~ ~~Improved Compatibility~~~~: The VPN tunnel~~but can ~~help~~easily ~~navigate~~toggle ~~network~~it ~~restrictions~~off or ~~firewall rules that might block direct NFS traffic over port 2049.~~ ~~Operational Flexibility~~~~: Providing a fallback option ensures that imaging can continue smoothly, even if the new method encounters issues~~on in ~~certain network configurations.~~ 16.2.0.

How

SwitchingEnabling toSecure the Fallback Mechanism: Direct NFS Mounting over Port 2049Imaging

IfYou ~~you~~can ~~encounter~~enable ~~issues~~it with ~~the~~this ~~default VPN tunneling method during Windows imaging, you can switch back to the previous method of direct NFS mounting. Follow these steps~~command on ~~the~~FileWave ~~Debian~~16.2.0 ~~IVS~~or ~~server~~:

Create the Fallback Flag File

~~Open a terminal on the IVS server and create a flag file to signal that secure tunneling should be disabled:~~beyond:

sudo touchimaging-control /etc/fw_insecure_nfs_mountenable secure-mount
sudo reboot

~~This~~

Disabling fileSecure tells the system to use direct NFS mounting instead of the VPN tunnel.

Update UFW Firewall RulesImaging

~~Allow~~You ~~traffic~~can enable it with this command on ~~port~~FileWave ~~2049~~,16.2.0 ~~which~~or ~~is used by NFS:~~beyond:

sudo ufwimaging-control allowdisable 2049/tcpsecure-mount
sudo ufw allow 2049/udp

~~This updates the firewall to permit NFS communication over port 2049.~~

Restart Network Services

~~To apply the changes, restart all network-related services. The simplest method is to reboot the IVS server:~~

sudo reboot

~~Note:~~ ~~Rebooting ensures all services are restarted properly and the new settings take effect.~~

Reverting Back to Secure VPN Tunneling

~~Once any issues with VPN tunneling are resolved, you can switch back to the default secure method:~~

Remove the Fallback Flag File

~~Delete the flag file to re-enable secure tunneling:~~

sudo rm /etc/fw_insecure_nfs_mount

Remove UFW Firewall Rules for Port 2049

~~Close the ports that were opened for direct NFS access:~~

sudo ufw delete allow 2049/tcp
sudo ufw delete allow 2049/udp

~~This ensures that NFS traffic cannot bypass the VPN tunnel, maintaining a secure configuration.~~

Restart the IVS Server

~~Reboot the IVS server to apply the changes:~~

sudo reboot

~~This will restore the VPN tunneling over port 20490 for imaging tasks.~~

Important Considerations

~~Security Implications~~~~: Reverting to direct NFS mounting over port 2049 is less secure than using the VPN tunnel. Use this fallback option only when necessary and ensure that your network is secure.~~

Firewall Configuration: Make sure that your network’s firewalls allow traffic over the necessary ports:

Port 20490 for ~~VPN~~Secure ~~tunneling (default method).~~Imaging.
Port 2049 for ~~NFS~~Standard ~~if using the fallback method.~~

~~Testing~~~~: After making changes, perform a test imaging task to confirm that everything is functioning as expected.~~ ~~Documentation~~~~: Keep a record of any changes made to the IVS server configuration for future reference and troubleshooting.~~Imaging.

Digging Deeper

Secure Imaging Flag File

On FileWave less than 16.2.0 you can delete the flag file to enable Secure Imaging:

sudo rm /etc/fw_insecure_nfs_mount
sudo reboot

On FileWave less than 16.2.0 you can create the flag file to disable Secure Imaging:

sudo touch /etc/fw_insecure_nfs_mount
sudo reboot