Friday, November 30, 2007

Finally got rid of those annoying SSL security prompts for Outlook 2007/Exchange 2007

So the new Exchange 2007 FE and BE systems have been up and running fine for a few months now and I finally decided to fix that damn security prompt for the certificates. Essentially I needed a certificate that could handle the Back End server's FQDN and NetBIOS name, the Front End's FQDN and NetBIOS name, the Autodiscover DNS name, the SMTP DNS name, and the whole email domain name. Found a few articles at the usual places (Tom Shinder's pages/forums, petri.co.il, etc.) and started building out the syntax needed. There seem to be different priorities on what's included, but my final one was (and the one that worked, mind you, since Entrust barfed the first try back out at me):

New-ExchangeCertificate -GenerateRequest -SubjectName "c=US, O=MyCompanyNameHere, CN=FESERVER.YOURDOMAIN.com" -DomainName FESERVER.YOURDOMAIN.com, exchange.YOURDOMAIN.com, autodiscover.YOURDOMAIN.com, FESERVER.ADsubdomain.YOURDOMAIN.com, FESERVER, BEServer.ADsubdomain.YOURDOMAIN.com, BEServer -PrivateKeyExportable $true -keysize 1024 -path c:\certrequest_FESERVER.cer

(the subdomain was for the internal DNS names since Active Directory is a sub-DNS domain)

Also make sure the CN matches the first name in the DomainName list if you want ISA to work with this.

Now take your .cer file and head over to Entrust and get a "Unified Communications Certificate": http://www.entrust.net/ssl-certificates/unified-communications.htm
Follow the instructions and keep in mind they require separate Technical and Authoritative contacts for security.
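Once the Entrust cert is imported on the front end, this is a check I'd run in the Exchange Management Shell before binding it to anything: it confirms the SAN list actually carries every name from the request and that the CN is the first DomainName (the ISA point above), then enables it for IIS and SMTP. This is an added example, not part of the original post; the names mirror the placeholders in the request above and the thumbprint is a placeholder you get from Get-ExchangeCertificate.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell
# on the server where the request was generated, so the private key pairs up.
$thumbprint = "PLACEHOLDER_THUMBPRINT"   # placeholder: copy from Get-ExchangeCertificate
$requiredNames = @(                      # the DomainName list from the request above
    "FESERVER.YOURDOMAIN.com",
    "exchange.YOURDOMAIN.com",
    "autodiscover.YOURDOMAIN.com",
    "FESERVER.ADsubdomain.YOURDOMAIN.com",
    "FESERVER",
    "BEServer.ADsubdomain.YOURDOMAIN.com",
    "BEServer"
)

$cert = Get-ExchangeCertificate -Thumbprint $thumbprint
if ($cert -eq $null) { throw "No certificate with thumbprint $thumbprint" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; import it where the request was made" }

# Names present in the certificate's SAN list, lower-cased for comparison
$certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
$missing = @($requiredNames | Where-Object { $certNames -notcontains $_.ToLower() })

# ISA wants the CN to equal the first DomainName entry
$cn = ""
if ($cert.Subject -match "CN=([^,]+)") { $cn = $matches[1].Trim() }
$cnMatches = ($cn.ToLower() -eq $requiredNames[0].ToLower())

if ($missing.Count -gt 0) {
    Write-Warning ("Certificate is missing SAN entries: " + [string]::Join(", ", $missing))
}
if (-not $cnMatches) {
    Write-Warning "Subject CN '$cn' is not the first DomainName '$($requiredNames[0])'"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires $($cert.NotAfter)"
}

# Only bind the cert to the services that were prompting once every name checks out
if ($missing.Count -eq 0 -and $cnMatches) {
    Enable-ExchangeCertificate -Thumbprint $thumbprint -Services "IIS,SMTP"
    Get-ExchangeCertificate -Thumbprint $thumbprint |
        Format-List Subject, CertificateDomains, Services, NotAfter
}
```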

Sunday, November 25, 2007

Endpoint kills Remote Access Connection Manager (Error 5: Access is denied)

To add to the fun, the uninstaller for Endpoint doesn't always get rid of all the problems that came with it. In one case, all the remote access services crapped out so VPNs were unavailable. If you try to create a new VPN, the window options all gray out. I saw a solution on the Symantec boards which recommends doing a full manual uninstall.
https://forums.symantec.com/syment/board/message?board.id=endpointcust&thread.id=1844
Uninstall instructions:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007073018014248?Open&src=ent_gold_nam
One user did comment on this blog that reinstalling Endpoint resolved issues that another admin he knew was experiencing. You may want to try that or a combination of a full uninstall/reinstall, etc.

Wednesday, November 21, 2007

Multiple VLANs behind an ISA 2006 firewall fun

Scenario: Introduce a couple of VLANs into the internal network.
Objective: Full communication between segments, internet access for all VLANs.

The first part was easy, I got a Layer 3 switch in to handle all the routing between VLANs. If your company is cheap like mine they probably won't let you buy VLAN-capable switches all at the same time, so to start out you can just do a port-based setup so the old dumb switches don't know they're on a VLAN (e.g. port 48 on VLAN 20, port 47 on VLAN 30, etc., and cascade the dumb switches off those ports).

Then came the problem of getting ISA to allow them to go out onto the Internet. ISA didn't want to add the other subnets to the network definition for "INTERNAL" because it didn't think those subnets were attached to it, since ISA doesn't do VLANs very well and I couldn't just add another NIC for every VLAN. The solution: add a permanent (persistent) static route from the command line on the ISA server pointing each VLAN subnet at the layer 3 switch's IP. Once there's a static route set up, ISA will allow you to add those subnets to the network definition for "INTERNAL". Now you can set up your firewall rules to allow internet access, etc. Since all IPs show up as coming from their original subnet you can set granular policies on traffic per subnet if you set up address ranges.
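The persistent route step above, as an added example (not from the original post): it adds a persistent route per VLAN subnet toward the layer 3 switch only if one isn't already saved, replaces a saved route with the wrong next hop, and prints the table you then compare against ISA's INTERNAL address ranges. The switch IP and VLAN subnets are placeholders.

```powershell
# Added example (not from the original post). Run from an elevated prompt on the ISA server.
$l3SwitchIp = "192.168.10.2"    # placeholder: layer 3 switch address on ISA's internal segment
$vlanSubnets = @(               # placeholder VLAN subnets the switch routes between
    @{ Network = "192.168.20.0"; Mask = "255.255.255.0" },   # VLAN 20
    @{ Network = "192.168.30.0"; Mask = "255.255.255.0" }    # VLAN 30
)

# Routes saved in the registry (the ones that survive a reboot), as exposed by WMI
$persisted = @(Get-WmiObject -Class Win32_IP4PersistedRouteTable)

foreach ($subnet in $vlanSubnets) {
    $existing = @($persisted | Where-Object {
        $_.Destination -eq $subnet.Network -and $_.Mask -eq $subnet.Mask
    })
    if ($existing.Count -gt 0 -and $existing[0].NextHop -eq $l3SwitchIp) {
        Write-Host "Route $($subnet.Network)/$($subnet.Mask) via $l3SwitchIp already persisted"
        continue
    }
    if ($existing.Count -gt 0) {
        # A saved route points somewhere else; drop it so the switch becomes the next hop
        route delete $subnet.Network
    }
    # -p writes the route to the registry so it survives reboots
    route -p add $subnet.Network mask $subnet.Mask $l3SwitchIp
}

# Active routing table: each VLAN subnet should now list the switch as its gateway
route print
```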

Friday, November 16, 2007

Installing XP on an OptiPlex 755

Similar problem to what I ran into on the D630s. XP just doesn't like the new AHCI mode for SATA controllers. Go to BIOS -> Drives -> SATA Operation and change it to RAID Autodetect/ATA mode instead. Of course, this only affects you if you bought the desktop with the "Vista" operating system preloaded. For now it just makes better financial sense to buy it with Vista and make liberal use of downgrade rights until we're ready for a full rollout.

x64 SQL 2005 native client error during installation

Apparently the SQL 2005 x64 Standard DVD installs some screwed up version of the Native Client which causes the whole installation to barf. After searching a lot of forums, the solution that worked for me was to rip out the whole thing, download the x64 Native Client from http://www.microsoft.com/downloads/details.aspx?familyid=DF0BA5AA-B4BD-4705-AA0A-B477BA72A9CB&displaylang=en, reboot, and run the installer again; after that it worked fine.

Tuesday, November 13, 2007

Why I'm beginning to hate Symantec

Normally my blog is about recounting the rituals and animal sacrifices necessary to resurrect dead systems from the great bit bucket in the sky. Today however we'll take a small departure and go over why I'm beginning to hate Symantec. Now don't get me wrong, I've used products from other companies like McAfee and Avert and NOD and some of those ones named after small Asian furry creatures, and I've yet to meet any that could catch all viruses all the time. And now that malware, spyware, and adware have joined the fray they're all starting to seem pretty sucky. You begin to miss all that extra computing power that you lose when you have to run 2 or 3 different programs on your home box just to feel remotely safe.

So anyway I got an email blast from Symantec today notifying me that I'm automatically getting an upgrade to the latest and greatest successor to the Enterprise Edition of their A/V solution. Now I've found that the old 10.2 was pretty decent, didn't cause many problems, and caught just enough junk that it wasn't worth the time to evaluate other vendors. So I went and downloaded "Symantec Endpoint Protection" and loaded it onto some test machines. Machine 1: loaded fine, rebooted okay. It killed Skype and Windows Search, generating nice pretty crash errors in each program. Machine 2: loaded fine, rebooted okay, and caused the VPN connection that never ends. Literally, had to reboot the machine to get it to let go. Resolved by ripping out the driver for "teefer2" on each NIC. Machine 3: loaded and left for the day.

The new management console for administration has a nice GUI and gives you access to some nice data like who's logged into each client PC, MAC info, RAM, etc. More bells, whistles, creates custom deployment packages, makes espresso, slower than a dead snail. I'll give it a few more days before I have to give up and wait until the next release to try again.

Other reasons why I'm beginning to hate Symantec:
1. What they did to Backup Exec.
2. What they did to Backup Exec technical support.
3. Their licensing site. (how hard is it to just show me all my licenses without having to enter in my friggin serial # each login?)
4. Symantec Endpoint
5. The online knowledgebase for product support.
6. What they did to Backup Exec.

UPDATED: I went ahead and used the Endpoint Protection Manager to create a separate deployment package for my developers and technical sales guys. This package only has the A/V and Antispyware but leaves out the Network Threat Protection. This is working out much better for now.

Tuesday, November 6, 2007

RIP - Hyperterm

So I'm finally playing around with Vista on the old laptop. I got a new switch in and hooked up the COM ports and went to fire up HyperTerm. To my dismay, it was gone. Good old sweet, gentle but stupid and rickety HyperTerm. I'll admit, it was never the most powerful terminal solution out there but you could always depend on it being installed on every Windows box. My only theories are that either that extra 29KB would've pushed the Vista ISO past a single DVD, or that it was deemed a security hazard, or that they couldn't figure out how to let it open a COM port securely.

Alas, I had to fall back to PuTTY http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
which is a very reliable SSH/Telnet/Serial client. No installation required, just copy/paste and play.