Friday, November 28, 2014

Site-to-Site IPSEC VPN using Mikrotik Routerboards

A good video on how to setup the VPN is here:
http://gregsowell.com/?p=1290
Example: Site A has a static IP address and Site B has a dynamic IP address. On the Site B Mikrotik router, you will need to add the following script so the VPN policy's source address follows the WAN IP. To do this using Winbox, go to System -> Scripts, click the + sign, give the script a name, then paste the following code into the box below:
# ether5 is the WAN interface on the Site B router; adjust it to match yours
:local WANip [/ip address get [find interface="ether5"] address]
:log info "Interface IP is $WANip"
# strip the prefix length (everything from the "/" onward) so only the address remains;
# locating the "/" instead of cutting a fixed three characters also works for /8 or /100-style prefixes
:set WANip [:pick $WANip 0 [:find $WANip "/"]]
:log info "IP sans the slash notation is $WANip"
# policy 0 is the site-to-site policy created when the tunnel was set up
/ip ipsec policy set 0 sa-src-address=$WANip
Click Okay to save the script. 

To schedule the script to run every 5 minutes (in case the WAN IP address changes), in Winbox go to System -> Scheduler. Give the task a name. Start date can be ignored. Set Start time to 1 second (00:00:01). Set Interval to 5 minutes (00:05:00). Where it says On Event, type in the name of the script you entered above. Click okay.

Note: Here are the firewall input rules (IP protocols and the UDP port) that need to be allowed on both Mikrotik routers in order for the VPN traffic to pass successfully:
Chain: Input, Protocol: 50 (ipsec-esp), Action: Accept
Chain: Input, Protocol: 51 (ipsec-ah), Action: Accept
Chain: Input, Protocol: 17 (udp), Any Port: 500, Action: Accept
Note: With Mikrotik RouterOS version 6.39.1, you may experience the following error with IPSEC tunnels:
Expecting IP address type in main mode when using preshared key for authorization (see RFC 2409 section 5.4).
If you see this error, open Winbox, go to IP -> IPSEC. Then go to Peers tab. Double click on the Peer IP address. Then where it says My ID Type, change it to auto. Click Okay. Repeat the same procedure for the other router. This should re-establish the IPSEC tunnel.

Friday, October 3, 2014

How to Add Exchange Autodiscover SRV Record at Godaddy

Here are the instructions on how to add an Exchange Autodiscover record over at Godaddy.
  1. Log into your Godaddy account.
  2. Click on Domains, then click on the Launch button next to domain you wish to edit.
  3. Click on DNS Zone File tab.
  4. Towards bottom of page, find SRV Records heading and click Add Record.
  5. Where it says Name, type in @.
    Where it says Target, type in the FQDN of your Exchange server, e.g. servername.business.tld
    Where it says Protocol, type in _tcp
    Where it says Service, type in _autodiscover
    Where it says Priority, type in 10
    Where it says Weight, type in 10
    Where it says Port, type in 443 (unless you've changed the port that Exchange Web Services listens on)
    Where it says TTL, leave it at the default of 1 Hour or change it to 1/2 Hour.
  6. Click Finish.
  7. Be sure to click Save Changes to ensure the zone file changes are applied.

Wednesday, September 24, 2014

Lock down Exchange to receive only from GFIMaxMail servers

After adding a client to the GFIMAXMail email filtering service, you should lock down Exchange to only receive e-mail from GFIMAXMail servers to prevent spammers from bypassing the filtering.

  1. Open Microsoft Exchange Management Console.
  2. Open Server Configuration then Hub Transport.
  3. If using Microsoft Windows SBS2008 or SBS2011, find the default connector named Windows SBS Internet Receive SERVERHOSTNAME where SERVERHOSTNAME is the name of the server you are working on. Double left click on it to bring up the Properties window.
  4. Click on the Network tab.
  5. Under Receive mail from remote servers that have these IP addresses, remove all of the entries.
  6. Add the IP netblock for your LAN (ex. server IP address 192.168.16.3, so add 192.168.16.0/24).
  7. Add the following IP netblocks that correspond to GFIMAXMail's server clusters:
    • 174.36.154.0/24
    • 192.69.16.0/24
    • 192.69.17.0/24
    • 192.69.18.0/24
    • 192.69.19.0/24
    • 208.43.37.0/24
    • 208.70.88.0/24
    • 208.70.89.0/24
    • 208.70.90.0/24
    • 208.70.91.0/24
    • 5.10.67.0/24
    • 92.51.176.0/24
    • 94.186.192.0/24
  8. When finished adding IP address ranges to the Network tab, click Okay.
A better option would be to add an ACL on your firewall that permits incoming port 25 traffic only from the IP address ranges above, but not all firewalls support that type of granular control.
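An added example (not from the original post) of the check this lockdown enforces: it evaluates constructed, simplified SMTP connection log lines against the LAN netblock and the GFIMAXMail ranges above and reports any session that reached the connector directly, bypassing the filter. The CSV layout of the sample lines is an assumption, not Exchange's real receive-connector log format.

```python
"""Spot inbound SMTP sessions that did not arrive through the filtering service.

The allow-list is the LAN netblock plus the GFIMAXMail ranges from the post.
The log lines are a constructed, simplified CSV (timestamp, connector, remote
endpoint, event code), not Exchange's real receive-connector log format.
"""
import ipaddress
from typing import List, Tuple

LAN_NETBLOCK = "192.168.16.0/24"   # example from the post: server is 192.168.16.3
FILTER_NETBLOCKS = [
    "174.36.154.0/24", "192.69.16.0/24", "192.69.17.0/24", "192.69.18.0/24",
    "192.69.19.0/24", "208.43.37.0/24", "208.70.88.0/24", "208.70.89.0/24",
    "208.70.90.0/24", "208.70.91.0/24", "5.10.67.0/24", "92.51.176.0/24",
    "94.186.192.0/24",
]
ALLOWED = [ipaddress.ip_network(n) for n in [LAN_NETBLOCK] + FILTER_NETBLOCKS]

def is_allowed(remote_ip: str) -> bool:
    """True when the sending host is on the LAN or inside a filtering-service netblock."""
    addr = ipaddress.ip_address(remote_ip)
    return any(addr in net for net in ALLOWED)

def bypass_sessions(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (timestamp, remote_ip) for sessions opened from outside every
    allowed netblock. Only '+' (connect) events are examined, so each session
    is reported once even though later lines share the same endpoint."""
    hits = []
    for line in log_lines:
        fields = line.split(",")
        if len(fields) < 4 or fields[3] != "+":
            continue
        remote_ip = fields[2].rsplit(":", 1)[0]   # drop the source port
        if not is_allowed(remote_ip):
            hits.append((fields[0], remote_ip))
    return hits

# Constructed sample log: two sessions via the filtering service, one from the
# LAN, and one host connecting straight to port 25 (documentation range 203.0.113.0/24).
SAMPLE_LOG = [
    "2014-09-24T10:00:01Z,Windows SBS Internet Receive SRV1,208.70.88.25:41234,+",
    "2014-09-24T10:00:02Z,Windows SBS Internet Receive SRV1,208.70.88.25:41234,<",
    "2014-09-24T10:03:17Z,Windows SBS Internet Receive SRV1,192.168.16.50:50011,+",
    "2014-09-24T10:05:44Z,Windows SBS Internet Receive SRV1,203.0.113.77:3300,+",
    "2014-09-24T10:07:09Z,Windows SBS Internet Receive SRV1,5.10.67.9:55555,+",
]

if __name__ == "__main__":
    for when, ip in bypass_sessions(SAMPLE_LOG):
        print(f"{when} direct connection bypassing the filter from {ip}")
```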

Wednesday, June 25, 2014

Updating Microsoft Windows Small Business Server 2011 (SBS2011)

There are several important updates that need to be manually installed on Microsoft Windows Small Business Server 2011. Download the files below. Before installing them, perform a full server backup. Then install the updates in this order:

  1. Microsoft Windows Server 2008 R2 Service Pack 1
    (download the X64 file only, as SBS2011 never came in an x86/32-bit version).
  2. Microsoft Windows Small Business Server 2011, Update Rollup 4
    (optional but highly recommended)
  3. Microsoft Exchange Server 2010 Service Pack 3
  4. Microsoft Exchange Server 2010 Service Pack 3, Update Rollup 6
    (optional but highly recommended)
  5. Microsoft Sharepoint Foundation 2010 Service Pack 2
Recommended: reboot between each step and take a backup between each step.

You'll need a couple of hours for the average server to install all of the updates. 

Thursday, June 19, 2014

SBS2011 error messages after installing Sharepoint 2010 updates

You may get various error messages after installing Sharepoint 2010 updates (such as SP1). The cause is that the Sharepoint database must be upgraded after the updates are installed, and until that is done the errors persist.

To check this issue, open an elevated Sharepoint 2010 Management Shell and run the following:
(get-spserver $env:computername).NeedsUpgrade
If the output says True, then you need to upgrade the Sharepoint database. To do that, open an elevated Command Prompt and run the following:
cd "\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN"
PSConfig.exe -cmd upgrade -inplace b2b -force -cmd applicationcontent -install -cmd installfeatures
It should take about 5-10 minutes depending on hardware and the size of the database. It should say successfully upgraded database. I recommend rebooting the server afterwards just to be sure.

For more info: http://blogs.technet.com/b/sbs/archive/2011/07/06/potential-issues-after-installing-sharepoint-foundation-2010-sp1.aspx

Wednesday, March 19, 2014

How to add Exchange Autodiscovery SRV record using WHM

In order to allow smartphones and e-mail clients (Outlook 2007, 2010, and 2013 in particular) to automatically configure the necessary Exchange server address and settings, an Autodiscovery SRV record needs to be created. If you use cPanel to host your domain name & DNS settings, then you can follow these directions to add an Autodiscovery SRV record into the DNS management in WHM.

1. Log into WHM.
2. Click on DNS Functions then find the domain you want to edit and click Edit.
3. Where it says Add New Entries, enter the following into the first text box:
_autodiscover._tcp
4. You can modify the TTL on the record if you want, or leave it at the default 14400 seconds.
5. Where it says Select, choose SRV.
6. Where it says Priority enter:
10
7. Where it says Weight enter:
10
8. Where it says Port enter:
443
9. Where it says hostname, enter the external FQDN of your Exchange server:
remote.somedomain.com.
(don't forget the period at the end of the hostname)
10. Click Save button at bottom.

11. Use Microsoft's Exchange Autodiscovery tool to check your work:
https://testconnectivity.microsoft.com/
For more info:  https://www.thirdtier.net/2009/02/setting-up-an-external-autodiscover-record-for-sbs-2008/
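An added example (not part of this post or the Godaddy post above) that checks the SRV record both walkthroughs describe: it parses a zone-file style SRV line offline and verifies the owner name is _autodiscover._tcp.<domain>, the port is 443 (or your custom EWS port), and the target is an absolute hostname with the trailing dot. The sample records and the domain example.com are constructed.

```python
"""Validate an Exchange Autodiscover SRV record in zone-file form (offline)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# owner [ttl] [IN] SRV priority weight port target
SRV_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?SRV\s+"
    r"(?P<priority>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)

@dataclass
class SrvRecord:
    owner: str
    ttl: Optional[int]
    priority: int
    weight: int
    port: int
    target: str

def parse_srv(line: str) -> SrvRecord:
    """Parse one zone-file SRV line, e.g.
    '_autodiscover._tcp.example.com. 14400 IN SRV 10 10 443 remote.example.com.'"""
    m = SRV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SRV record: {line!r}")
    ttl = int(m["ttl"]) if m["ttl"] else None
    return SrvRecord(m["owner"].lower(), ttl, int(m["priority"]),
                     int(m["weight"]), int(m["port"]), m["target"])

def autodiscover_issues(rec: SrvRecord, domain: str, ews_port: int = 443) -> List[str]:
    """Return the problems found; an empty list means the record matches the walkthroughs."""
    zone = domain.rstrip(".").lower()
    # WHM takes a zone-relative name (_autodiscover._tcp); qualify it before comparing
    owner = rec.owner if rec.owner.endswith(".") else f"{rec.owner}.{zone}."
    issues = []
    if owner != f"_autodiscover._tcp.{zone}.":
        issues.append(f"owner is {owner}, expected _autodiscover._tcp.{zone}.")
    if rec.port != ews_port:
        issues.append(f"port is {rec.port}, expected {ews_port}")
    if not rec.target.endswith("."):
        issues.append("target hostname lacks the trailing dot, so it would be read as relative to the zone")
    if "." not in rec.target.rstrip("."):
        issues.append("target must be the fully qualified external name of the Exchange server")
    return issues
```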

Sunday, February 16, 2014

Network adapter tweaks for Windows Server 2003, 2008, SBS 2008, and SBS 2011

The NIC offload and scaling technologies (TCP Chimney Offload, Receive Side Scaling, and TCP auto-tuning) are great if your environment supports them end to end, but if not you may see some of the following issues.

Symptoms include:
  • Sporadic network issues.
  • Services failing (because of network login issues).
  • Delays in service start (because of network login issues).
  • Unexplained issues that seem to be network related after other areas have already been investigated.

Resolution: to keep it as simple and reliable as possible:
  1. Update to the latest drivers.
  2. Disable everything that says offload or scaling in the NIC properties.
  3. Disable it for the OS as well, using the commands below.

Windows Server 2008 / Server 2012 / SBS 2008 / SBS 2011
  • netsh interface tcp set global rss=disabled
  • netsh interface tcp set global chimney=disabled
  • netsh interface tcp set global autotuninglevel=disabled
Windows Server 2003 / SBS 2003
  • netsh int ip set chimney disabled

Copied from: http://exchangemaster.wordpress.com/2010/05/12/disable-toe-and-rss/
and: http://www.symantec.com/business/support/index?page=content&id=TECH197934

Monday, January 20, 2014

Windows Server 2012 R2 Core Notes

To enable PING on Server 2012 R2:
netsh firewall set icmpsetting 8
To enable File & Printer Sharing through the firewall:
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes
To get a list of features on Server 2012 R2:
dism.exe /online /Get-Features
To enable Remote Desktop Connections to the server over a network:
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
To enable remote management of Server 2012 R2 via mmc over a network:
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes
netsh advfirewall firewall set rule group="remote event log management" new enable=yes
netsh advfirewall firewall set rule group="Windows Remote Management" new enable=yes
netsh advfirewall firewall set rule group="remote volume management" new enable=yes
sc config VDS start= auto
Create a Scheduled task to run daily at 10pm:
schtasks.exe /Create /SC DAILY /ST 22:00 /TN BACKUP /TR c:\pathto.cmd
Free GUI tool to manage Server 2012 R2 Core:
http://corefig.codeplex.com/
note: to transfer the extracted contents from the ZIP file to the server, enable the File and Printer Sharing firewall rule above, then connect to the server via SMB: \\servername\c$
Another free GUI tool that combines Corefig with Hyper-V management capabilities:
http://pshvm.codeplex.com/
A commercially available free tool to remotely manage Hyper-V on Server 2012 R2 Core:
http://5nine.com/5nine-manager-for-hyper-v-free.aspx
A free tool to diagnose issues with Remote Management:
http://blogs.technet.com/b/jhoward/archive/2008/11/14/configure-hyper-v-remote-management-in-seconds.aspx
note: when the server and client machines are on Workgroups, add the server administrator to the Credential Manager control panel applet on the client machine, and allow anonymous dcom on the client. This fixes errors such as E_ACCESSDENIED 0x80070005 when using 5Nine Manager for Hyper-V.
How to download files on the console without any additional tools:
powershell.exe "Import-Module BitsTransfer; Start-BitsTransfer -Source http://domain.tld/somefilename.exe -Destination c:\PathToAFolder" 

To download files from an FTP server using ftp.exe, enter these two Windows Firewall rules to allow ftp.exe to connect:
netsh advfirewall firewall add rule name="File Transfer Program" dir=in action=allow program=%SystemRoot%\System32\ftp.exe enable=yes protocol=tcp 
netsh advfirewall firewall add rule name="File Transfer Program" dir=in action=allow program=%SystemRoot%\System32\ftp.exe enable=yes protocol=udp