Wednesday, August 31, 2011

Unable to connect to Exchange Server via remote PS Unable to load assembly "Microsoft.Exchange.Configuration

 

If you are trying to connect to your Exchange server and failing with the following error, follow these simple steps to fix the issue.

VERBOSE: Connecting to NPWINCAS03.SMTp25.gov

[npwincas03.SMTp25.gov] Processing data from remote server failed with the following error message: Unable to load assembly "Microsoft.Exchange.Configuration.ObjectModel.dll" specified in "InitializationParameters" section. For more information, see the about_Remote_Troubleshooting Help topic.

+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException

+ FullyQualifiedErrorId : PSSessionOpenFailed

Open PowerShell.

Enter the following PS command:

$UserCredential = Get-Credential

Enter this one (replace npwincas03.smtp25.gov with your own CAS server name):

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://npwincas03.smtp25.gov/PowerShell/ -Authentication Kerberos -Credential $UserCredential

Import-PSSession $Session
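The three commands above wrapped into one function, as an added example that is not part of the original post: it checks that WinRM answers before touching the Exchange endpoint and turns the remoting failure into a readable message. The CAS host name is a placeholder; the Test-WSMan pre-check and the -DisableNameChecking switch are my additions, not something the post prescribes.

```powershell
# Added example (not from the original post): connect to Exchange 2010 remote PowerShell
# with Kerberos, import the session, and hand it back for clean-up. Host name is a placeholder.
function Connect-ExchangeRemote {
    param(
        [Parameter(Mandatory = $true)][string]$CasServer,   # e.g. npwincas03.smtp25.gov (placeholder)
        [System.Management.Automation.PSCredential]$Credential = (Get-Credential)
    )

    $uri = "http://$CasServer/PowerShell/"

    # WinRM must be reachable before the Exchange endpoint can be; fail early with a clear message.
    try {
        Test-WSMan -ComputerName $CasServer -ErrorAction Stop | Out-Null
    } catch {
        throw "WinRM on $CasServer is not reachable: $($_.Exception.Message)"
    }

    try {
        $session = New-PSSession -ConfigurationName Microsoft.Exchange `
                                 -ConnectionUri $uri `
                                 -Authentication Kerberos `
                                 -Credential $Credential `
                                 -ErrorAction Stop
    } catch {
        # "Unable to load assembly ... specified in InitializationParameters" is produced by the
        # server-side endpoint configuration on the CAS, not by anything on the client.
        if ($_.Exception.Message -like '*InitializationParameters*') {
            throw "The Microsoft.Exchange endpoint on $CasServer failed to initialise (server-side configuration). Detail: $($_.Exception.Message)"
        }
        throw
    }

    # -DisableNameChecking suppresses warnings about non-standard verbs in Exchange cmdlet names.
    Import-PSSession $session -DisableNameChecking | Out-Null
    return $session
}

# Usage (placeholder host); remove the session when done so the CAS does not keep it open.
# $s = Connect-ExchangeRemote -CasServer 'npwincas03.smtp25.gov'
# Get-ExchangeServer | Select-Object Name, AdminDisplayVersion
# Remove-PSSession $s
```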


Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

Tuesday, August 30, 2011

TMG CAS 2007 ACTIVE SYNC Error, Status: 12309 The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator.

If you are having the following problem with your TMG ActiveSync publishing, have a look at your firewall rule settings to remedy the issue.

Denied Connection NPWINTMG1 8/29/2011 11:56:54 PM
Log type: Web Proxy (Reverse)
Status: 12309 The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. 
Rule: E210 CAS - Active Sync webmail.SMTp25.org

Source: 208.54.35.224:53699
Destination: 172.26.7.5:443

Request: OPTIONS http://webmail.SMTp25.org/Microsoft-Server-ActiveSync?Cmd=OPTIONS&User=dedealoc&DeviceId=androidc1734872834&DeviceType=Android
Filter information: Req ID: 0b5d481c; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous
Additional information
Client agent: Android/0.3
Object source: (No source information is available.)
Cache info: 0x8 (Request includes the AUTHORIZATION header.)
Processing time: 1 MIME type:

 


Open TMG, drill down to Firewall Policy, locate the ActiveSync rule you have and double-click on it.

  • On the Authentication Delegation tab, select: No delegation, but client may authenticate directly

  • On the Users tab, set "This rule applies to requests from the following user sets" to: All Users

With these two settings TMG no longer pre-authenticates the request; the client authenticates directly against the CAS server, so the anonymous OPTIONS request shown in the log above is passed through to the CAS instead of being denied at TMG with status 12309.

Go to Monitoring and make sure the TMG servers (if they are in an array) have synced, then test the rule.

Tips:

In Logs & Reports, create a filter to capture the authentication attempts.

Hopefully you will see everything green in the live logging and the issue will be resolved (-:

Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

Saturday, August 27, 2011

New-TestCasConnectivityUser.ps1 Error

When you run the CAS connectivity test cmdlets, you need to have a mail-enabled test user account for them to run properly; new-TestCasConnectivityUser.ps1 creates it.

Drill down to the Scripts directory on your Exchange server and run “new-TestCasConnectivityUser.ps1”:

  • Program Files\Microsoft\Exchange Server\V14\Scripts

Make sure the password you use the first time meets the password requirements and, if you need to, specify the OU where the account will be created (replace STP25.gov with your own domain name space).

Get-MailboxServer mccnpwinmbx1 | .\new-TestCasConnectivityUser.ps1 -OU STP25.gov/users

If you open ADUC you will be able to see this user in the default Users container.

get-user extest_e7a1882f51284

Now running Test-OutlookWebServices -ClientAccessServer EXCCAS1 should work.

Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

Tuesday, August 23, 2011

Status: A packet was dropped because Forefront TMG determined that the source IP address is spoofed.

 

TMG logging is showing the following errors:

  • Denied Connection MCCNPWINTMG1 8/15/2011 11:09:37 PM
  • Log type: Firewall service
  • Status: A packet was dropped because Forefront TMG determined that the source IP address is spoofed.
  • Rule: None - see Result Code
  • Source: Internal (172.26.4.22:55507)
  • Destination: Local Host (172.26.7.104:3389)
  • Protocol: RDP (Terminal Services)
  • Additional information
  • Number of bytes sent: 0 Number of bytes received: 0
  • Processing time: 0ms Original Client IP: 172.26.4.22

The network reaching the TMG internal interface is not recognized by the TMG server, so TMG thinks the source IP address is spoofed and drops the connection.

You need to tell TMG that the network (or the IP address itself) belongs to the Internal network, so:

Add a static route to the destination, for example:

If we want to add a static route for IP address 172.26.5.10 and tell TMG which default gateway (DGW) to use to reach this IP, we would use the following command from an elevated command window (CMD run as administrator):

route add 172.26.5.10 mask 255.255.255.255 172.26.7.97 -p

Open the TMG console, click Networking, and under Networks open Internal, then Internal Properties; click Add Range and add the IP address range.

Once you have completed this, click Monitoring, then Configuration, and confirm the TMG servers have synced.

*** Before making any changes, as good practice take a backup of your TMG configuration; the backup takes a couple of minutes and you can go back if there are any unexpected issues. Otherwise, like me, you will sit in the middle of the night and have to rebuild everything (-: , an unnecessary headache IMO ***

**** Also as another good practice, make the changes on the ARRAY MANAGER if you are running a TMG array ***

Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

TMG 2010 SETUP NIC CARD CONFIGURATION

If you are setting up TMG and you would like to align your deployment with the Microsoft recommended and supported way, each TMG NIC needs to belong to a different network (this pertains to the two-NIC scenario).

According to Microsoft, if both NICs sit on the same network you will cause routing issues; this and many other useful tips are discussed in the KB below.

http://technet.microsoft.com/en-us/library/cc302678.aspx#NetworkAndRoutingIssues

TIP: Build the server with a single NIC and join the TMG server to the domain using that NIC. Once the server is in the domain, rename this NIC "Internal" and make sure you do not specify a DGW (default gateway) on it.

The layout for each NIC is shown below. Remember the following short list before install.

  • Each TMG server has two NICs (disable one and join the server to the domain using the other; use domain integration, otherwise a DMZ type of domain is lots of headache IMO).
  • After successfully joining the domain, rename the same NIC "Internal" and take out the gateway.
  • Enable the second NIC, name it "External", and configure IP, subnet mask and DGW on the External NIC.
  • The Internal NIC depends on the static route table for network routing, so you will need to use the route add command, as shown below, to include these static routes.
  • Since the Internal NIC has no DGW defined, the only way to get out beyond its own subnet is to tell TMG how to get there with a persistent static route:

route add 172.26.5.10 mask 255.255.255.255 172.26.7.97 -p

Mask 255.255.255.255 means: if traffic is destined for this single IP=172.26.5.10, use this DGW=172.26.7.97

  • As you can see, this defines a route to one IP, not the entire network. If you would like to route the entire network you have to use a classless (CIDR) subnet mask, for instance (the destination must then be the network address 172.26.5.0 rather than a host address, or route add rejects the entry):

route add 172.26.5.0 mask 255.255.255.0 172.26.7.97 -p

Mask 255.255.255.0 means: TCP/IP traffic destined for this network=172.26.5.0 uses this DGW=172.26.7.97

  • Now we have a route to the entire network=172.26.5.0, so for any valid IP that falls within this network TMG will know which DGW to use, 172.26.7.97 in this case.


Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

Monday, August 22, 2011

100 Access Denied RSA ACE/server rejected the passcode that you have supplied. Try again with a valid passcode.

TMG 2010 RSA integration, the following error and its solution. You are receiving this error because the SecurID node secret file is not present in one of these directories:

  • C:\Windows\System32
  • E:\Program Files\Microsoft Forefront Threat Management Gateway\sdconfig

SecurID file: what does it do?

The SecurID file contains the node secret encryption key. If the SecurID file is missing on your server, there are problems creating the node secret on the TMG servers. The RSA server passes this file back to the TMG server after the first successful authentication, and the TMG server is supposed to put the file into the SDCONFIG folder under the directory where you installed TMG. The bottom line is that you have to have this file in both directories above to make RSA work. You can ask your RSA admin to create the file manually and give it to you to put on the TMG server.

Sometimes the file gets created in the SYSTEM32 directory yet is not present in SDConfig; if this is the case you have to copy it manually from system32 into the SDCONFIG directory.

Solution:
Manually create the SecurID file on the RSA server if it is not present and give it to the TMG administrator to place the file in the two locations on the TMG server. If it is present in SYSTEM32, copy it manually to the SDCONFIG directory.

  • C:\Windows\System32
  • E:\Program Files\Microsoft Forefront Threat Management Gateway\sdconfig

The SDTEST Authentication Utility is used to verify that a computer running TMG can authenticate to a computer running RSA Authentication Manager. Note the following: SDTEST.EXE requires SDCONF.REC to be located in the …system32 folder to run and test authentication successfully.

Install SDTEST into the same directory as the TMG installation; in my case this is the E drive:

E:\Program Files\Microsoft Forefront Threat Management Gateway

Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

TMG 2010 Redirect HTTP Request to HTTPS /OWA

Recently I worked on how to redirect HTTP requests to HTTPS on the TMG servers. As I see this is a very common scenario, I am posting it here.
Remember this rule has to come before your publishing rule; the details are posted on SkyDrive. I will be posting a video as well, soon……………………………
Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

Friday, August 19, 2011

TMG 2010 RSA things you have to remember.

 

If your setup requires you to set up TMG and RSA communication to meet a two-factor (government) authentication requirement and you have never done this, keep reading; hopefully the checklist here will get you through.

Assumption: you have configured your TMG server and you have an RSA server in your network.

Summary

1. Add a static route to the RSA servers from the TMG servers

2. Modify the registry key on the TMG server that specifies which IP will be used by the ACE client

3. Go to the Network Connections panel and make sure the Internal NIC is selected as the first NIC in the NIC binding order

4. Make sure that under Networking in TMG, Networks, the RSA server IP addresses or subnet are identified as part of the Internal network

5. Obtain the SDconfig file from the RSA administrator (generate sdconf.rec on the RSA server and save the file on the TMG server in two places)

6. Locations for SDConfig on the TMG servers

  • C:\Windows\System32
  • E:\Program Files\Microsoft Forefront Threat Management Gateway\sdconfig

7. Download the SDTEST tool from here ****Install this tool into the same directory as the TMG binaries***

8. Your TMG publishing rule for CAS 2010 won't work unless you get the test working

1. On the TMG servers you have to make sure a persistent static route is added so that TMG knows how to talk to the RSA servers (network routing).

Open CMD with administrator privileges on the TMG server and run the one-line command below (swap in the IP address and the proper DGW to suit your scenario).

RSA Server IP = 172.26.4.202

TMG Internal NIC = 172.26.7.105 / 27    ( /27 = 255.255.255.224)

TMG External NIC = 172.26.7.12 / 27

My default gateway for the TMG server is 10.0.0.1

route add 172.26.4.202 mask 255.255.255.255 172.16.7.97 -p

Let me explain a little what 255.255.255.255 means here: any traffic destined for IP=172.26.4.202 will be routed to the Internal NIC default gateway=172.16.7.97 on the TMG server.

If you want a route to the entire network, you would use a classless subnet mask; in this case it would look like this (the destination becomes the network address 172.26.4.0, since route add rejects a host address combined with a network mask).

This opens the entire network, not one host!!!!!!!!!!!!

route add 172.26.4.0 mask 255.255.255.0 172.16.7.97 -p

Delete a route (if you make a mistake and want to delete the persistent route):

route delete 172.26.4.202

If you would like to see the static route table:

route print
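To make the difference between the /32 host route and the /24 network route concrete (the two route add forms in this post, and the same two forms in the TMG NIC configuration post above), here is an added example that is not part of the original posts. It evaluates a small constructed route table the way the Windows routing table does, by longest prefix match, so you can see which gateway a given destination would actually use. The addresses and gateways are the post's sample values; the function names are mine.

```powershell
# Added example (not from the original post): show which persistent route a destination would
# match, to illustrate a /32 host route versus a /24 network route versus the default route.
# Route table below is constructed from the post's sample addresses. Works on PowerShell 2.0.

function ConvertTo-UInt32 {
    # Turn a dotted-quad string into an unsigned 32-bit integer so masks can be applied with -band.
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)   # GetAddressBytes() is big-endian; BitConverter expects little-endian
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-RouteMatch {
    # True when $Destination falls inside the network described by $Network/$Mask.
    param([string]$Destination, [string]$Network, [string]$Mask)
    $d = ConvertTo-UInt32 $Destination
    $n = ConvertTo-UInt32 $Network
    $m = ConvertTo-UInt32 $Mask
    return (($d -band $m) -eq ($n -band $m))
}

function Get-MatchingRoute {
    # Longest-prefix match, as the Windows routing table does it: among all routes that match,
    # the one with the most mask bits set wins, so a /32 host route beats a /24 for that host.
    param([string]$Destination, [object[]]$Routes)
    $Routes |
        Where-Object { Test-RouteMatch $Destination $_.Network $_.Mask } |
        Sort-Object { ConvertTo-UInt32 $_.Mask } -Descending |
        Select-Object -First 1
}

# Constructed route table mirroring the "route add" lines in the post plus the default gateway.
$routes = @(
    (New-Object PSObject -Property @{ Network = '172.26.4.202'; Mask = '255.255.255.255'; Gateway = '172.16.7.97' })  # host route
    (New-Object PSObject -Property @{ Network = '172.26.4.0';   Mask = '255.255.255.0';   Gateway = '172.16.7.97' })  # network route
    (New-Object PSObject -Property @{ Network = '0.0.0.0';      Mask = '0.0.0.0';         Gateway = '10.0.0.1' })     # default route
)

foreach ($dst in '172.26.4.202', '172.26.4.50', '172.26.9.1') {
    $r = Get-MatchingRoute -Destination $dst -Routes $routes
    "{0,-14} -> {1}/{2} via {3}" -f $dst, $r.Network, $r.Mask, $r.Gateway
}
```

Running it shows the RSA server address (172.26.4.202) selecting the host route, another address in 172.26.4.0/24 selecting the network route, and an address outside both falling through to the default gateway, which is exactly the behaviour the "this opens the entire network, not one host" remark warns about.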


*****If there is no static route defined, the TMG server will route the traffic out of the external NIC=172.26.7.12, which is on a different subnet; the internal and external interfaces are separated from each other not only by the TMG firewall but most likely also by another (Cisco etc.) firewall, so they won't be allowed to talk.****

Now on each TMG server you have to edit the registry and tell TMG which IP address will be used to talk to the RSA server.

  • HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\AceClient

"PrimaryInterfaceIP"="172.26.7.105"
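The checklist above turned into a verification script, as an added example that is not part of the original post or of any Microsoft or RSA tooling: it checks the persistent route, the AceClient registry value, that the internal address really sits on a NIC, and the sdconf.rec copies in both directories (which also covers the SecurID file post above). The IPs, the install path and the node secret file name "securid" are assumptions taken from the post's sample values; adjust them for your environment.

```powershell
# Added example (not from the original post): verify the RSA/ACE client prerequisites described in
# the checklist on a TMG server. Uses WMI classes and registry paths available on Server 2008 R2.
function Test-RsaPrerequisites {
    param(
        [string]$RsaServerIp   = '172.26.4.202',                                                    # placeholder
        [string]$InternalNicIp = '172.26.7.105',                                                    # placeholder
        [string]$TmgInstallDir = 'E:\Program Files\Microsoft Forefront Threat Management Gateway'   # placeholder
    )

    function New-Check($Name, $Passed, $Detail) {
        New-Object PSObject -Property @{ Check = $Name; Passed = [bool]$Passed; Detail = $Detail }
    }
    $checks = @()

    # 1. Persistent host route to the RSA server (what "route add ... -p" creates).
    $route = Get-WmiObject Win32_IP4PersistedRouteTable |
             Where-Object { $_.Destination -eq $RsaServerIp -and $_.Mask -eq '255.255.255.255' } |
             Select-Object -First 1
    $checks += New-Check 'Persistent route to RSA server' ($null -ne $route) $(if ($route) { "via $($route.NextHop)" } else { 'missing' })

    # 2. Registry: ACE client bound to the internal NIC address.
    $primary = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\SDTI\AceClient' -ErrorAction SilentlyContinue).PrimaryInterfaceIP
    $checks += New-Check 'AceClient PrimaryInterfaceIP' ($primary -eq $InternalNicIp) "value = '$primary'"

    # 3. The internal address must actually be configured on one of this server's NICs.
    $localIps = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
                ForEach-Object { $_.IPAddress }
    $checks += New-Check 'Internal IP present on a NIC' ($localIps -contains $InternalNicIp) ($localIps -join ', ')

    # 4. sdconf.rec in both locations the post lists.
    foreach ($dir in "$env:SystemRoot\System32", (Join-Path $TmgInstallDir 'sdconfig')) {
        $f = Join-Path $dir 'sdconf.rec'
        $checks += New-Check "sdconf.rec in $dir" (Test-Path $f) $(if (Test-Path $f) { "$((Get-Item $f).Length) bytes" } else { 'missing' })
    }

    # 5. Node secret file (assumed name "securid", the usual ACE agent name); it only appears after
    #    the first successful authentication, or when the RSA admin hands it over manually.
    $secret = Join-Path $TmgInstallDir 'sdconfig\securid'
    $checks += New-Check 'Node secret (securid) in sdconfig' (Test-Path $secret) $(if (Test-Path $secret) { 'present' } else { 'not yet created' })

    return $checks
}

# Usage: run on each TMG array member; anything with Passed = False is what SDTEST will trip over.
Test-RsaPrerequisites | Format-Table Check, Passed, Detail -AutoSize
```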

Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

Tuesday, August 16, 2011

Cannot rename this connection. A connection with the name you specified already exist. Specify a different name.

If you are trying to rename an existing NIC and receive the above warning on a VMware guest, follow these easy steps to fix the problem; a hidden NIC in Device Manager is causing the issue.

1. Click Start, click Run, type cmd.exe, and then press ENTER.
2. Type set devmgr_show_nonpresent_devices=1, and then press ENTER.
3. Type start devmgmt.msc, and then press ENTER.
4. Click View, and then click Show Hidden Devices.
5. Expand the Network Adapters tree.
6. Right-click the dimmed network adapter, and then click Uninstall.
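Before uninstalling anything, it helps to know which adapter is actually holding the name. The Network class key in the registry keeps a Connection\Name value for every adapter that was ever installed, present or not, so it can be listed from PowerShell. This is an added example, not part of the original post; the function name is mine and the "Internal" filter value is the post's sample name.

```powershell
# Added example (not from the original post): list every registered network connection name,
# including adapters that are no longer present, and flag which ones Device Manager would only
# show under "Show hidden devices". Works on PowerShell 2.0 / Server 2008 R2.
function Get-RegisteredConnection {
    param([string]$Name)   # optional exact-name filter, e.g. 'Internal'

    # Network adapter class key; each subkey is an adapter GUID with a Connection subkey under it.
    $classKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}'

    # GUIDs of adapters currently present according to WMI (ghost adapters are not in this list).
    $present = Get-WmiObject Win32_NetworkAdapter | ForEach-Object { $_.GUID } | Where-Object { $_ }

    Get-ChildItem $classKey -ErrorAction SilentlyContinue | ForEach-Object {
        $conn = Get-ItemProperty -Path (Join-Path $_.PSPath 'Connection') -ErrorAction SilentlyContinue
        if ($conn -and $conn.Name) {
            New-Object PSObject -Property @{
                Guid          = $_.PSChildName
                Name          = $conn.Name
                PnpInstanceID = $conn.PnpInstanceID
                Present       = ($present -contains $_.PSChildName)
            }
        }
    } | Where-Object { -not $Name -or $_.Name -eq $Name } |
        Select-Object Name, Present, Guid, PnpInstanceID
}

# Usage: a row with Present = False is the ghost adapter still holding the name; uninstalling it in
# Device Manager (steps above) frees the name so the live adapter can be renamed.
Get-RegisteredConnection -Name 'Internal' | Format-Table -AutoSize
```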

 


http://support.microsoft.com/kb/269155

Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

Tuesday, August 9, 2011

How to Disable SSLv2 on a Windows Server 2008 and Windows Server 2008 R2

If you followed the wiki post "How to Disable SSLv2 on a Windows Server 2008 and Windows Server 2008 R2", rebooted the problem server after doing the work, and your security scan is still alarming about "SSLv2" being enabled on that server, create the following key instead.

  1. Open the registry and create a key named Server under the following entry:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0
  2. Under the registry key Server, create a DWORD value named “DisabledByDefault” and set the value data to “00000001”
  3. Reboot the server
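The same change scripted so it can be applied and verified consistently across servers, as an added example that is not part of the original post. Besides the DisabledByDefault=1 value the post describes, it also sets Enabled=0 under the same Server key, the additional value Microsoft documents in KB 187498 for switching a SCHANNEL protocol off; that second value is my addition, as is the verification function.

```powershell
# Added example (not from the original post): create the SCHANNEL SSL 2.0\Server key with the
# values that disable server-side SSL 2.0, then verify them. Needs an elevated PowerShell.
function Disable-Ssl2Server {
    $protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

    # Create "SSL 2.0" and then "Server" beneath it; each may be missing on a fresh server.
    $key = $protocols
    foreach ($sub in 'SSL 2.0', 'Server') {
        $key = Join-Path $key $sub
        if (-not (Test-Path $key)) { New-Item -Path $key | Out-Null }
    }

    # REG_DWORD values. SCHANNEL reads them at boot, hence the reboot step in the post.
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value 1 -Force | Out-Null   # from the post
    New-ItemProperty -Path $key -Name 'Enabled'           -PropertyType DWord -Value 0 -Force | Out-Null   # KB 187498 (my addition)
}

function Test-Ssl2ServerDisabled {
    # Returns $true only when both values exist with the expected data.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.DisabledByDefault -eq 1 -and $p.Enabled -eq 0)
}

Disable-Ssl2Server
if (Test-Ssl2ServerDisabled) { 'SSL 2.0 server-side disabled in the registry; reboot to apply.' }
else { 'Registry values are not set as expected.' }
```

Re-run the scanner only after the reboot; the registry change alone does not affect the running SCHANNEL provider.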

 


Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

Monday, August 1, 2011

Move Public Folders All replica to Exchange 2010 Server PS Script

If you are in the middle of a migration and it is time to move all public folder replicas from Exchange 2007 to the Exchange 2010 server, PS is your friend.

Let's say your existing Exchange 2007 server name is EXC07 and you want to move all PF replicas to a newly built Exchange 2010 server called EXC210; you can use the following PS commands.

Connect to your Exchange server and open the EMS.

Navigate to the following directory from the PS command line:

[PS] E:\Program Files\Microsoft\Exchange Server\V14\Scripts>

  • AddReplicaToPFRecursive.ps1
  • RemoveReplicaFromPFRecursive.ps1
  • ReplaceReplicaOnPFRecursive.ps1
  • MoveAllReplicas.ps1

Now we are ready to execute the existing scripts in this directory. All PF replicas are on the server called “EXC07” and I would like to add the Exchange 2010 server called “EXC210” to the PF replica lists as a second server.

 

.\AddReplicaToPFRecursive.ps1 -Server EXC07 -TopPublicFolder \ -ServerToAdd EXC210

Remove replica (pay attention: an Exchange server must have all of its public folder replicas removed before it can be decommissioned):

.\RemoveReplicaFromPFRecursive.ps1 -Server EXC210 -TopPublicFolder \ -ServerToRemove EXC07

  • Now the system folders:

.\AddReplicaToPFRecursive.ps1 -Server EXC07 -TopPublicFolder "\NON_IPM_Subtree" -ServerToAdd EXC210

  • To view a list of the replicas in the public folder hierarchy:

Get-PublicFolder -Recurse | fl Name, Replicas

  • Move all replicas from EXC07 to EXC210:

.\MoveAllReplicas.ps1 -Server EXC07 -NewServer EXC210

  • For system folders:

Get-PublicFolder "\NON_IPM_SUBTREE" -Recurse | fl Name, Replicas

  • To compare content replicated between the source and destination servers:

Get-PublicFolderStatistics | fl

  • Also, per server:

Get-PublicFolderStatistics -Server ServerA

  • Compare the output with ServerB:

Get-PublicFolderStatistics -Server ServerB
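Comparing two Get-PublicFolderStatistics listings by eye does not scale past a handful of folders, so here is the comparison done folder by folder, as an added example that is not part of the original post. It indexes both servers' statistics by folder path and reports item-count differences and folders missing on either side. The server names are the post's placeholders, and it assumes the FolderPath property renders as a "\Parent\Child" string, which it does on Exchange 2010.

```powershell
# Added example (not from the original post): compare public folder item counts between the source
# and destination servers after MoveAllReplicas, so unfinished replication stands out. Run in the EMS.
function Compare-PublicFolderContent {
    param(
        [string]$SourceServer = 'EXC07',    # placeholder from the post
        [string]$TargetServer = 'EXC210'    # placeholder from the post
    )

    # Index each server's statistics by folder path (assumed: FolderPath renders as "\Path\Sub").
    $byPath = @{}
    foreach ($server in $SourceServer, $TargetServer) {
        $byPath[$server] = @{}
        Get-PublicFolderStatistics -Server $server -ResultSize Unlimited | ForEach-Object {
            $byPath[$server]["$($_.FolderPath)"] = $_
        }
    }

    # Union of paths seen on either side, so a folder that exists on only one server is reported too.
    $paths = @($byPath[$SourceServer].Keys) + @($byPath[$TargetServer].Keys) | Sort-Object -Unique

    foreach ($path in $paths) {
        $src = $byPath[$SourceServer][$path]
        $dst = $byPath[$TargetServer][$path]
        $srcCount = if ($src) { $src.ItemCount } else { $null }
        $dstCount = if ($dst) { $dst.ItemCount } else { $null }
        New-Object PSObject -Property @{
            FolderPath  = $path
            SourceItems = $srcCount
            TargetItems = $dstCount
            InSync      = ($null -ne $srcCount -and $srcCount -eq $dstCount)
        }
    }
}

# Usage: list only the folders that still differ; an empty result means content matches everywhere.
Compare-PublicFolderContent -SourceServer 'EXC07' -TargetServer 'EXC210' |
    Where-Object { -not $_.InSync } |
    Format-Table FolderPath, SourceItems, TargetItems -AutoSize
```

Item counts matching is a necessary but not sufficient sign that replication has completed; run it again after the replication interval and only remove the source replica once the listing is empty.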

 


Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)