You are currently browsing the archives for the Windows sbs 2008 category.

How to Configure Exchange to only accept mail from the hosted anti-spam service

How to Configure Exchange to only accept mail from the hosted anti-spam service
Configure Exchange to only accept mail from the hosted anti-spam service: Under Server Configuration, select Hub Transport, move to the Receive Connectors tab. Double click on Windows SBS Internet Receive YourServerName. Move to the Network tab. In the receive mail from servers with these IP addresses, add the IP address ranges of the hosted anti-spam solution servers.

Categories: Windows sbs 2008Bookmark

How to Configure Exchange Smarthost for Outbound Filtering by hosted anti-spam on SBS 2008

How to Configure Exchange Smarthost for Outbound Filtering by hosted anti-spam on SBS 2008
Configure Smarthost for Outbound Filtering by hosted anti-spam: Under Organization Configuration, select Hub Transport, move to the Send Connectors tab. Double click the connector and move to the Network tab. Select the Route mail through the following smarthosts and enter the friendly name of the service. ex: outbound.exchangedefender.com

Categories: Windows sbs 2008Bookmark

How to Disable Exchange 2007 Anti-Spam

How to Disable Exchange 2007 Anti-Spam
Disable Exchange Anti-Spam: Launch the Exchange Management Console. Expand Organization Configuration. Choose Hub Transport. Move to the Anti-Spam tab. Highlight each item except recipient filtering and choose Disable. Recipient filter is left enable to prevent reverse NDR attacks.

Categories: Windows sbs 2008Bookmark

How to configure Active Directory FTP User Isolation Mode (IIS 6.0) on SBS 2008

How to configure Active Directory FTP User Isolation Mode (IIS 6.0) on SBS 2008

FTP is an older protocol which has been replaced with better methods of hosting files. FTP is also unsecure and your username/passwords are sent in clear text which poses a major security risk. For a list of better methods in lieu of FTP please consider using a secure SharePoint site, a secured website, or Secure FTP to host and share files. However, if you have no choice but to use FTP and need to isolate Users continue reading.

IIS 6.0 introduced a new feature for companies hosting an FTP site on their server to isolate users so they are “locked” in to their home directory and cannot browse the root of the FTP server. There are two ways of accomplishing this goal with user isolation, one method is to isolate users by creating a folder structure which has their username and another method is using Active Directory attributes to isolate the user(s). Here are the steps for configuring AD Isolation mode.

1. Install the FTP Service from add/remove windows components.

2. Open IISManager

3. Delete the Default FTP Site as it does not get created in isolation mode by default

4. Create a New FTP Site by right clicking FTP Sites and going to new FTP Site

clip_image001[1]

5. This will launch the FTP Site Creation Wizard, Click Next

6. Enter a Description for Your FTP Site

clip_image002[1]

7. Set the IP address and Port to use for your FTP Site

*note if you have ISA 2000/2004 installed on this server do not select All Unassigned, select the internal IP address only.

clip_image003[1]

8. Next screen will be the FTP User Isolation options, Select Isolate users using Active Directory

clip_image004[1]

9. Next you will need to select a User that has Access to Active Directory, any domain admin account will suffice. Click Next and re-enter password to Confirm

clip_image005[1]

10. Select the required Permissions and click Next and then Click Finish

clip_image006

11. The IIS portion is now finished and now on to AD.

12. There are 2 schema attributes in AD that reside in the User Class that will allow us to define the users home directory for FTP. They are msIIS-FTPRoot which defines the root of the FTP server and msIIS-FTPDir which defines the users Home Directory. The problem here is that there is no GUI interface to define these attributes so for the purpose of this demonstration I will use ADSIEDIT from Support tools to modify these attributes, however you can also run the below script to do it as well.

Iisftp.vbs /SetADProp UserName FTPRoot ServerShare

Iisftp.vbs /SetADProp UserName FTPDir Directory

13. Load Up Adsiedit and drill down to the user account you want to isolate and go to the properties of that account and modify the 2 attributes mentioned above

clip_image007

14. Now whenever that user connects to your FTP server the user will be isolated to the Home Directory that was defined in Active Directory.

Categories: Windows sbs 2008Bookmark

Common Remote Web Workplace (RWW) Connect to a Computer Issues in SBS 2008

Common Remote Web Workplace (RWW) Connect to a Computer Issues in SBS 2008
The connect to a computer feature in SBS 2008 is one of the most popular features of RWW. The connect to a computer feature in SBS 2008 utilizes TS-Gateway behind the scenes, however, when there is a misconfiguration or a problem, RWW may only provide partial information to help isolate the root issue. This post will discuss most of the known issues, how to identify them and steps to resolve them.

What we will cover:

  1. Receiving Certificate Errors When Connecting to Clients/Servers with TS Gateway or Remote Web Workplace on SBS 2008
  2. VBScript Error: 50331676
  3. Connection Authorization Policies and Resource Authorization Policies.
  4. Authentication Failures
  5. Client Machine Requirements
  6. Internal DNS Considerations
  7. External DNS Considerations
  8. TS Gateway Service Known Issues

1.  Receiving Certificate Errors When Connecting to Clients/Servers with TS Gateway or Remote Web Workplace on SBS 2008

For certificate related errors, please review the issues discussed in this article: http://blogs.technet.com/sbs/archive/2008/10/03/receiving-certificate-errors-when-connecting-to-clients-servers-with-ts-gateway-or-remote-web-workplace-on-sbs-2008.aspx

2.  VBScript Error: 50331676

When you try to connect to a server or machine you get the following error:

clip_image002

You must have a certificate installed in TS Gateway Manager. This is handled by the “Set up your Internet Address Wizard” or the “Add a Trusted Certificate Wizard” in the SBS 2008 Console. To verify you have a certificate installed for TS Gateway do the following:

  1. Open TS Gateway Manager from Administrative Tools — Terminal Services
  2. Select Properties on the Server Object, and choose the SSL Certificate tab from within properties. You should see a screen similar to the one below stating which certificate TS Gateway is using.

    clip_image003

As stated beofre, you should not see this problem If you have completed the Internet Address Management Wizard, if for any reason no certificate is selected, make sure you click on Browse Certificates and select the proper certificate, for example “remote.contoso.com”.

3.  Connection Authorization Policies and Resource Authorization Policies.

You must pass the connection authorization policy to make a connection, and the resource authorization policy for the machine you are trying to connect to. This error may also display the VBSCRIPT error 50331676.

We have seen a few cases where the connection authorization policy was modified manually to only allow domain computers to make connections. This means that any machine outside the domain (e.g. their home machine) would not be able to connect. This is shown below. To access this policy:

  1. Open TS Gateway Manager from Administrative Tools – Terminal Services
  2. Expand your computer object
  3. Expand Policies
  4. Select Connection Authorization Policies
  5. Right-Click on the General Connection Authorization policy on the right hand side and choose properties
  6. Make sure the Client computer group membership is blank if you want non-domain joined machines to be able to use the RWW Connect To Computer feature.

clip_image004

4.  Authentication Failures

You must have Windows Authentication enabled on the IIS /RPC virtual directory under the SBS Web Applications web site. If it is missing, you will see a looping prompt for authentication when you try to connect.

Since both Outlook Anywhere and TS Gateway share this Virtual Directory modifying authentication settings in Exchange for Outlook-Anywhere within the Exchange Management Console can disable Windows Auth. To make sure Windows-Auth is enabled in Exchange Management Shell (Run as admin) perform the following command:

Get-OutlookAnywhere

(Ignore the warning)

Check the value for the IISAuthenticationMethods Parameter.

clip_image006

You can also check in IIS Manager under the RPC virtual directory, authentication.

clip_image008

Changing the authentication here may only help for a few minutes as Exchange will reset the settings again. You need to complete the proper Exchange configuration steps to resolve this.

If the output of the Exchange Management Shell shows that you are missing NTLM, you need to reset the Exchange setting for outlook anywhere from the Exchange Management Shell (run as admin) perform the following command (ignore the warning):

Get-OutlookAnywhere | Set-OutlookAnywhere –IISAuthenticationMethods: Basic, ntlm

After you make this change, the settings in IIS will not immediately change, it might take up to 15 minutes for this change to happen. You can safely make the change in IIS, under the authentication for RPC to enable Windows Authentication and Basic Authentication and they should remain set as expected.

If you still cannot authenticate to the TS gateway prompt, the following resources discuss some known issues:

5.  Client Machine Requirements

The client machine you are trying to connect to must have RDP enabled and listening on the default port of 3389. You must also verify that any firewalls present on the workstation are allowing the traffic inbound on TCP/3389.  Additionally, the client machine you are making the connection from must allow the ActiveX Control to run.  The easiest way to ensure that ActiveX will be enabled is by adding your remote web workplace site to your list of trusted sites in Internet Explorer.

6.  Internal DNS Considerations

You might connect to an unexpected machine when trying to connect to the remote machine.  If this happens you should verify that the DNS records for the clients on the SBS 2008 server hosting RWW are correct.  To do this open the DNS Management console from Start, Administrative Tools, DNS.  Expand the forward lookup zones, and your local active directory zone.  Verify that the host (A) records for the clients are correct.

7.  External DNS Considerations

The hostname section of the PTR record for the remote client machine’s public IP address cannot match the NetBIOS hostname of the SBS 2008 server. If these names match the RWW will not use TS proxy and the connection will fail or connect to an unexpected target.

The only fix is the change the PTR record for the client pc’s external IP address.

Example: Suppose you are using a Windows Vista machine on the Internet. The public IP for this client is 65.53.x.x. The PTR record for this IP is server01.contoso.com. If the SBS 2008 server this machine is trying to connect to has a NetBIOS hostname of Server01, the connection will fail. Ideally your PTR record should match your MX record and your MX record should not be the NetBIOS hostname of your server.

Note: This is a very RARE issue.

8.  TS Gateway Service known issues

TS Gateway Service Not Started After Restart in IIS Manager.

This issue is discussed on this post: http://blogs.technet.com/sbs/archive/2009/04/20/ts-gateway-service-not-started-after-restart-in-iis-manager.aspx

The Terminal Services Gateway service is not running, Contact your network administrator to resolve this issue.This error can happen due to a number of different issues other than the TS Gateway service not running or the role service not being installed.

  • If IPv6 has been unproperly unbound from the network interface you might get an error that states that the TS Gateway service is not installed.  Check the following link for issues related to improperly disabling IPv6: http://blogs.technet.com/sbs/archive/2008/10/24/issues-after-disabling-ipv6-on-your-nic-on-sbs-2008.aspx
  • If Client certificates has been set to Accept or Require under the SSL setttings on the Rpc virtual directory. This must be set to Ignore.
  • In general, this error will happen when we cannot properly access the /RPC virtual directory or its settings have been changed from default.
Categories: Windows sbs 2008Bookmark