Thursday, January 22, 2009

The Syntax for set-outlookanywhere decrypted

Exchange 2007, SP1 (not rtm)

Okay, I know I can be a bit slow on the uptake for some of these PowerShell commands, but this one took way too long to get right. All the nice friendly examples from MSDN leave out the Identity parameter, and PowerShell will be more than happy to barf an error back at you if you leave it out.
http://technet.microsoft.com/en-us/library/bb124149.aspx

Just what is this identity thing anyway? It's the Outlook Anywhere virtual directory on your Client Access Server, written as CAS_Servername\rpc (Default Web Site).



So next you're asking why I am bothering, since we've got a nice GUI for setting up Outlook Anywhere and the permissions on the IIS /rpc folder. Well, after a careful string of failures at getting NTLM to work transparently through my ISA server (whilst still requiring RPC validation at the ISA server itself), I determined that Basic authentication was good enough for me. But I still use NTLM for the web publishing rule from the ISA server to the Exchange CAS server.

With the advent of SP1 for Exchange 2007, you can easily set your server up to use different combinations of Basic and NTLM for the Outlook Anywhere clients and the /rpc folder respectively. When your server generates Autodiscover.xml it tells the client to use the authentication method specified in -ClientAuthenticationMethod. But if you want your ISA server to talk to the Exchange CAS with NTLM, then you also have to set the -IISAuthenticationMethods parameter, which controls what the /rpc virtual directory in IIS will accept (yeah, headaches abound). To see what your CAS server is currently using, run Get-OutlookAnywhere from PowerShell:

ClientAuthenticationMethod : Basic
IISAuthenticationMethods : {Ntlm}


In summary:
1. My remote users have Outlook 2007 SP1 and get autoconfigured to use Basic auth.
2. My ISA server publishing rule uses NTLM for authentication delegation.
3. My rpc folder in IIS just has Integrated Windows Authentication checked.
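The whole exchange in one Exchange Management Shell session, as an added example that is not from the original post. CAS01 is a hypothetical Client Access Server name; the -Identity format and the two authentication parameters are the SP1 ones discussed above.

```powershell
# Added example, not from the post. CAS01 is a hypothetical Client Access
# Server; the Identity is always "<CAS server>\rpc (Default Web Site)".
$Identity = "CAS01\rpc (Default Web Site)"

# Before: what Autodiscover will tell Outlook to use (ClientAuthenticationMethod)
# versus what the /rpc virtual directory in IIS actually accepts
# (IISAuthenticationMethods, new in SP1).
Get-OutlookAnywhere -Identity $Identity |
    Format-List Identity, ExternalHostname, ClientAuthenticationMethod, IISAuthenticationMethods

# The split from the post: clients are told Basic (they only ever talk to the
# ISA listener, over SSL), while IIS on the CAS only accepts NTLM, which is what
# the ISA web publishing rule delegates with. Leaving -Identity off is the
# error the post complains about; piping from "Get-OutlookAnywhere -Server CAS01"
# is the other way to supply it.
Set-OutlookAnywhere -Identity $Identity `
    -ClientAuthenticationMethod Basic `
    -IISAuthenticationMethods Ntlm

# Read it back rather than trusting the cmdlet's silence. The check deliberately
# fails if /rpc still lists Basic as well, because the design here is that only
# the ISA server, using NTLM, should be able to authenticate to that directory.
$oa = Get-OutlookAnywhere -Identity $Identity
$iisMethods = "$($oa.IISAuthenticationMethods)"   # multi-valued property flattened, e.g. "Ntlm" or "Basic Ntlm"
if ($oa.ClientAuthenticationMethod -ne "Basic" -or $iisMethods -ne "Ntlm") {
    throw "Unexpected Outlook Anywhere state on $Identity (client=$($oa.ClientAuthenticationMethod), iis=$iisMethods)"
}
"Outlook Anywhere on $Identity is set to client=Basic, iis=Ntlm"
```

The read-back at the end is the part worth keeping: the GUI and the cmdlet both accept the change silently, and a stray Basic left on /rpc is exactly the kind of thing that only shows up when someone later points a client straight at the CAS.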

For more information including how to setup an Exch 2007/ISA 2007/Outlook Anywhere/etc check out the following links:

Great tutorial by Thomas Shinder - covers everything from the setup of the exchange server, through the publishing in ISA all the way to the outlook client config:
http://www.isaserver.org/tutorials/Publishing-Exchange-2007-OWA-Exchange-ActiveSync-RPCHTTP-using-2006-ISA-Firewall-Part1.html

The ever reliable petri database:
http://www.petri.co.il/outlook_anywhere_2007_w_isa_server.htm

More info on the set-outlookanywhere syntax:
http://www.exchange-genie.com/2008/02/configuring-outlook-anywhere-for-exchange-2007-sp1/

Paper on setting up transparent authentication/NTLM with isa 2006 and exchange 2007. I did eventually get it to work in a test environment.
http://blog.msfirewall.org.uk/2008/07/publishing-exchange-2007-services-with.html

Tuesday, January 20, 2009

ISA 2006 Remote Desktop problem

So up until recently I was able to remote desktop into my ISA 2006 server from my management desktop, and then it just stopped. I verified that my management computers were still defined properly and I confirmed that the packets were being received on port 3389 at the firewall side. I decided to remove the recently applied KB956570 (MS08-037), and voila, my remote desktop started working again! The patch was supposed to randomize NAT connections, etc., but apparently it likes to kill RDP. Upon further research, I've also seen references to it causing havoc for PPTP/VPN setups as well. As I have not found a real fix for it, I'd recommend you just uninstall it from Add/Remove Programs (make sure the checkbox is marked for Show Updates). Bear in mind that you are backing out a security update when you do this, so keep the RDP rule limited to your management computers and check for a revised update before leaving it off for good.

Tuesday, January 13, 2009

Dell Latitude E6400 sound problem fixed - and dvd burning one as well.

*Updated - 4/17/09* New drivers from Intel as provided by Anonymous
http://downloadcenter.intel.com/Product_Filter.aspx?ProductID=2101

*Update* I tried out the DPC latency tool recommended by Martin. Here's a screen cap of how much the latency drops if you just physically remove the CD/DVD drive.
(the additional spike afterward was just me opening SnagIt). It's obscene.



Update 2: Please see Martin's post in the comments section below for additional remediation steps.

Update 3: The Dell tech recommended switching the SATA mode in BIOS from IRRT to AHCI. Of course, if you do that you've got to completely reload your operating system. I tried it on a spare drive with a fresh install of Vista 32-bit and I haven't had the audio skip yet, though I'm still loading more apps on it to test with. The latency was still high but didn't appear to affect audio playback, which seemed odd.

Update 4: I Disabled the eSATA port under BIOS and the latency issue with the DVD drive plugged in went away. (For a whole reboot) This just keeps getting better.


Original post:
So I noticed that the E6400 was having weird audio glitches with Vista while under light loads. It behaved as if the hard drive was under heavy load and interrupting the data transfer, but all the resource monitors showed only minimal load. I ran into this problem with all mp3 files, and I tried just about everything on the help forums, including fresh loads of XP and Vista on a different hard drive. I tried turning off sound effects, changing power saving, turning off wireless, etc.

The solution: the latest Intel Matrix Storage Manager driver! While trying to fix a problem with DVD burning, I ran into a suggestion on the forums related to the SATA controller. After installing the latest driver I went ahead and tested the audio again, and the darn thing works perfectly now. My guess is that the previous SATA driver wasn't stable enough and was causing the audio problem as a side effect.

http://support.dell.com/support/downloads/download.aspx?c=us&l=en&s=gen&releaseid=R207267&SystemID=LAT_E6400&servicetag=&os=WLH&osl=en&deviceid=11530&devlib=0&typecnt=0&vercnt=2&catid=-1&impid=-1&formatcnt=1&libid=41&fileid=290228

Intel Matrix Storage Manager (Dell download R207267)
Release Date: 1/8/2009
Version: 8.7.0.1007
Download Type: Application
File Format: Hard-Drive
File Size: 21 MB

Granted, if I push it hard enough I can still make it skip once in a while but it takes a lot of effort. Whereas previously I could do it with freecell.

Tuesday, January 6, 2009

Windows 2008 TS gateway rocks

I set up a test win2k8 box and enabled Terminal Services Gateway on it. It enables you to use remote desktop to access machines inside the firewall from outside. And I haven't used my VPN connection since then!

The setup isn't too bad.
1. Enable the TS Gateway role (and the TS web access if you want)
2. Obtain an SSL certificate for the outside DNS name of the server and install it on the TS Gateway server. If you are using an ISA firewall for SSL tunnel inspection (SSL bridging), you'll need to install the cert on the listener as well.
3. Make sure your DNS records resolve properly to the external IP address that matches the SSL certificate's DNS name.
4. Create a CAP (connection authorization policy) to specify who is allowed to even connect to the server. You can restrict connection access to specific users or active directory groups as needed.



5. Create a RAP (resource authorization policy) to specify which servers can be accessed. You can also choose to allow all of them, but IMHO that's less secure. It would also appear that you can further limit which users can access which RAP groups for more granular access. For your initial testing, try not to make this too complicated.



6. If you are just setting up a passthrough on your firewall, then just open up tcp 443 on the right external IP address that corresponds to your SSL cert and have it route the packets to your TS Gateway server.

7. If you are using ISA server you'll need to setup a new publishing rule.
For the listener properties, I left the Client Authentication Method on "No Authentication", No Forms, No SSO.

(Apologies if this isn't well structured, it's been a few weeks since I set this up.)

Now to access the server, you have to use the Remote Desktop Connection client 6.0 or higher (basically Vista SP1 or XP SP3). Go to the Advanced tab and enter your gateway server information.



Then OK out of that, go to the General tab, and enter the internal machine name that you want to connect to through the terminal server gateway. (NOTE: make sure the machine is listed in the RAP if you are not allowing all connections. The name must match the RAP exactly: if you used the FQDN in the RAP, then you have to use the FQDN in the client, and the same goes for the NetBIOS name and the IP address. I just put all three in the RAP.)



At this point I normally do a Save As to create a shortcut so these settings don't interfere with my other connections.

When you go to connect you may be prompted for a security confirmation. The confirmation window shows you both the gateway server name and the end target name/IP; check that they are the ones you expect before accepting and moving on.
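The client-side part of the procedure above (the Advanced and General tab settings, the Save As shortcut, and the certificate-trust requirement from the notes below) scripted from the management workstation, as an added example that is not from the original post. tsgw.example.com and fileserver01.corp.local are hypothetical names; substitute the external name on your gateway's SSL certificate and a host that appears in your RAP.

```powershell
# Added example, not from the original post. tsgw.example.com and
# fileserver01.corp.local are hypothetical; substitute the external name on
# your gateway's SSL certificate and a host that appears in your RAP.
$Gateway = "tsgw.example.com"
$Target  = "fileserver01.corp.local"

# Note (a) in the post: the client must trust the gateway certificate, and if
# ISA is bridging SSL the cert the client sees is the one on the ISA listener.
# Do the TLS handshake to 443 ourselves, accept whatever is presented so we can
# inspect it, then run it through the same chain/trust check mstsc will do.
function Test-GatewayCertificate {
    param([string]$HostName)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    } finally {
        $ssl.Close(); $tcp.Close()
    }
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    New-Object PSObject -Property @{
        Subject   = $cert.Subject
        Issuer    = $cert.Issuer
        NotAfter  = $cert.NotAfter
        NameMatch = ($dnsName -eq $HostName)   # the name you type must match the cert (wildcards aside)
        Trusted   = $cert.Verify()             # chain builds to a root this client trusts and is in date
    }
}

# The .rdp file the GUI writes for you when you Save As. Keys are the
# documented Remote Desktop Connection settings:
#   gatewayusagemethod 1        = always go through the gateway
#   gatewaycredentialssource 0  = prompt for password (NTLM) at the gateway
#   gatewayprofileusagemethod 1 = use these explicit settings, not the default
#   authentication level 2      = refuse to connect if server authentication fails
# "full address" must be spelled the way the RAP lists the host (FQDN, NetBIOS
# or IP), which is the mismatch called out in the post.
function New-GatewayRdpFile {
    param([string]$Path, [string]$GatewayHost, [string]$TargetHost)
    $lines = @(
        "full address:s:$TargetHost"
        "gatewayhostname:s:$GatewayHost"
        "gatewayusagemethod:i:1"
        "gatewaycredentialssource:i:0"
        "gatewayprofileusagemethod:i:1"
        "authentication level:i:2"
        "prompt for credentials:i:1"
    )
    Set-Content -Path $Path -Value $lines
    $Path
}

# Check the certificate first; a NameMatch or Trusted of False explains a
# failed connection before you start second-guessing the RAP or the ISA rule.
Test-GatewayCertificate -HostName $Gateway | Format-List Subject, Issuer, NotAfter, NameMatch, Trusted

$name = "$Target-via-$Gateway"
$rdpFile = New-GatewayRdpFile -Path (Join-Path $env:USERPROFILE "Desktop\${name}.rdp") -GatewayHost $Gateway -TargetHost $Target
mstsc $rdpFile
```

Keeping the gateway settings in their own .rdp file is the same thing the post's Save As step achieves: mstsc remembers the last gateway you used in Default.rdp, so a dedicated file stops the gateway from quietly attaching itself to your other, direct connections.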



Additional notes:
a) Your client MUST trust the SSL certificate. I can't guarantee this'll work otherwise.