Server and Domain Isolation Using IPsec

  • Thread starter: Miha

Miha

Hi



In our company we want to achieve that users that are connecting with their
home laptops (if they bring their home laptops to work) into our local
network don't get any access to other computers, servers, internet etc.

We're thinking of implementing 'Server and Domain Isolation Using IPsec', so
that only computers that are part of our domain and are controlled through
GPO settings for IPsec have access, other computers that are not part of our
local domain have access only if we manually set them IPSec parameters into
their local GPO.



I'm wondering if it is possible that users that don't have these settings
set, and if they connect their laptops into our network (some of them are
so clever that they are able to set an IP address on their home computers, so
they could get a connection to the internet ☺), don't have any access based on
this GPO (to other computers and servers) and also DON'T HAVE ACCESS TO THE
INTERNET, that they are completely isolated?

Any ideas or suggestions will be appreciated.

Thank you in advance

Regards

Miha
 
I see a couple problems. First in a domain you probably want to use Kerberos
for computer authentication for ipsec. If that is the case for you then you
can not configure the local ipsec policy on a non domain computer to be able
to access a domain computer. Otherwise to provide access you would need to
use pre shared key or certificate authentication. I do not recommend pre
shared key because PSK is not securely stored on domain computers and a user
could find your PSK and compromise your ipsec security. Certificates could
work but are more difficult to deploy and require the use of a Certificate
Authority. You could also have different ipsec policies within the domain
some that use Kerberos and some that use certificates. Also keep in mind
that domain controllers can not use ipsec to protect traffic between domain
computers [non DCs] and domain controllers that is used for authentication
which is a lot of ports/protocols that need to be allowed and in general it
is best to just not use ipsec on domain controllers for traffic between
domain controllers and domain members.

The other problem is denying users access to the internet. Usually all that
is required to access the internet is a default gateway and unless that
default gateway is something like ISA 2004 no user or computer
authentication is required. If you do use ISA 2000/2004 then you can
configure it to require user authentication to access the internet and I
believe that you could have an ipsec require policy on the ISA server [not
if a DC] that would not allow user authentication to work because the non
domain computer could not use ipsec to communicate with the ISA server in
order to authenticate the user.

Beyond all that if you use managed switches on your network that can filter
port access by mac address you may want to implement such in order to try to
keep unauthorized computers from accessing your network. Of course mac
addresses can be spoofed but you should have a computer use policy in force
that prohibits such and take harsh disciplinary action for violators. Such
policy should also ban non authorized computers from being connected to your
network. When blaster worm came out many an admin found how serious it was
to allow an unauthorized computer to connect to the network. I heard stories
where networks with thousands of computers were shut down in a matter of
minutes. Unauthorized computers are also a hacker's favorite back door.
--- Steve
 
Hi Steve. Thank you for the reply and information!

You said that if computers are non domain computers there would be problem
accessing servers that require IPSec authentication, because of the
Kerberos.

Are there any other ways to give access to these computers? We have
computers in the call center that are not domain computers, and they need to
access resources on some servers that we're planning to secure with
IPsec. Could we make extra rules on these servers, so that they disallow access
to all non-domain computers except these ones, besides the existing rule to
allow only IPsec authentications?

Regarding firewall, we don't have ISA, we use Netscreen, so as far as I see
for now, there is no way to block access to the internet for non-ipsec
computers? Or are there any other possibilities?

You also mentioned that we could use extra policy to ban non-authorized
computers from being connected to our network. Can this be done based on
IPSec policy with GPO?

Thanks again for all the help.

Regards

Miha



 
Hi Miha.

There may be a way but you need to test it out thoroughly first. The least
secure way is to create a rule with a permit filter action for the IP
addresses of the non domain authorized computers but that poses the risk
that if someone with a non authorized computer configured their computer
with an authorized IP address they could be allowed access. Also such
traffic would not be encrypted.

The other way is to try and configure two computer authentication methods in
your ipsec policy on the server with the top of the list being Kerberos and
then the second in the list being certificates. Your non domain computer and
the server would need ipsec certificates and to trust the issuing CA. It is
possible to issue non domain computer ipsec certificates by enabling the
offline ipsec certificate template and having them use web enrollment to
request and install the ipsec offline certificate. I believe this may work
but am not 100 percent sure. You can use pre shared keys in place of
certificates as the second authentication method but I recommend that you do
that for testing purposes only to see if two computer authentication methods
will work well or not.

I can't think of a way other than using something like ISA to accomplish
your goal of restricting internet access to non domain computers unless you
would consider mac filtering at the switch ports. The extra policy was a non
technical solution that the user would need to read and sign and keep a copy
for their records similar to policies that state you can not "borrow"
company equipment or sleep on the job. --- Steve
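
The server-side policy described in the reply above, sketched with `netsh ipsec static` as an added example that is not part of the original posts. The policy, filter list and rule names, the 192.0.2.x addresses and the CA distinguished name are constructed placeholders, and the policy is left unassigned so it can be tested first, as the reply advises.

```bat
@echo off
rem Added example for this thread: IPsec policy on an isolated server with two
rem computer authentication methods (Kerberos first, certificate second).
rem Every name, address and the CA distinguished name below is a placeholder.

set POLICY=Server Isolation (example)
set CA_DN=CN=Example Issuing CA, DC=example, DC=local
set DC_IP=192.0.2.10

rem Create the policy unassigned so it can be tested before it takes effect.
netsh ipsec static add policy name="%POLICY%" activatedefaultrule=no assign=no

rem --- Exemption: traffic between this server and the domain controller ---
rem The thread notes that IPsec should not be used for member-to-DC traffic,
rem so that traffic is permitted in the clear by a more specific filter.
netsh ipsec static add filterlist name="Me to DC"
netsh ipsec static add filter filterlist="Me to DC" srcaddr=me dstaddr=%DC_IP% protocol=any mirrored=yes
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add rule name="Exempt DC" policy="%POLICY%" filterlist="Me to DC" filteraction="Permit"

rem --- Main rule: everything else must negotiate IPsec ---
netsh ipsec static add filterlist name="Any to Me"
netsh ipsec static add filter filterlist="Any to Me" srcaddr=any dstaddr=me protocol=any mirrored=yes

rem inpass=no : do not accept unsecured inbound traffic
rem soft=no   : do not fall back to clear text when the peer cannot negotiate
netsh ipsec static add filteraction name="Require ESP" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"

rem Authentication methods are preferred in the order they appear on the
rem command line: Kerberos for domain members, then a certificate chaining to
rem the named CA for the authorized non-domain computers.
rem certmap:no because those computers have no domain account to map to.
netsh ipsec static add rule name="Kerberos then cert" policy="%POLICY%" filterlist="Any to Me" filteraction="Require ESP" kerberos=yes rootca="%CA_DN% certmap:no excludecaname:no"

rem --- The "least secure way" from the reply, shown for comparison only ---
rem A permit filter keyed on the source IP performs no authentication and no
rem encryption, so any machine configured with 192.0.2.50 would be let in.
rem netsh ipsec static add filterlist name="Call center by IP"
rem netsh ipsec static add filter filterlist="Call center by IP" srcaddr=192.0.2.50 dstaddr=me protocol=any mirrored=yes
rem netsh ipsec static add rule name="Permit by IP" policy="%POLICY%" filterlist="Call center by IP" filteraction="Permit"

rem Review the result, then assign once testing is complete.
netsh ipsec static show policy name="%POLICY%" level=verbose
rem netsh ipsec static set policy name="%POLICY%" assign=yes
```

The non-domain clients need a matching rule that offers certificate authentication against the same CA, and both sides must trust that CA.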

 
Thanks again for the information.
We'll try, as you have said, to set up two computer authentication methods to
see how it will work.
Regards
Miha

 
Sounds good Miha. If it works as you want and you implement certificate
authentication be sure to tightly control which users, via read/enroll
permissions, can request ipsec offline security certificate which you can do
in the properties of the security template and when installing it to train
the user to not select the option to be able to export the private key for
it if that option is available. --- Steve



 
Yes you're right. Thanks again for help.
Regards
Miha

 