Tuesday, January 6, 2009

Windows 2008 TS gateway rocks

I set up a test win2k8 box and enabled Terminal Services Gateway on it. It enables you to use remote desktop to access machines inside the firewall from outside. And I haven't used my VPN connection since then!

The setup isn't too bad.
1. Enable the TS Gateway role (and TS Web Access if you want it).
2. Obtain an SSL certificate issued to the external DNS name of the server. This needs to be installed on the TS Gateway server. If you are using an ISA firewall for SSL tunnel inspection, you'll need to install the cert on the listener as well.
3. Make sure your DNS records resolve to the external IP address that matches the SSL certificate's DNS name.
4. Create a CAP (connection authorization policy) to specify who is allowed to connect to the gateway at all. You can restrict connection access to specific users or Active Directory groups as needed.
5. Create a RAP (resource authorization policy) to specify which servers can be accessed. You can also choose to allow all of them, but IMHO that's less secure. It also appears that you can further limit which users can access which RAP groups for more granular access. For your initial testing, try not to make this too complicated.
6. If you are just setting up a passthrough on your firewall, open up TCP 443 on the external IP address that corresponds to your SSL cert and have it forward the packets to your TS Gateway server.
7. If you are using ISA Server you'll need to set up a new publishing rule. For the listener properties, I left the Client Authentication Method on "No Authentication", no Forms, no SSO.
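Steps 2, 3 and 6 are the ones that fail silently from the client's point of view (a name that resolves to the wrong IP, a closed port, or a certificate the client doesn't trust all just look like "can't connect"). The following PowerShell function is an added example, not part of the original post: it checks DNS resolution against the published external IP, that TCP 443 is reachable, and that the gateway's certificate passes the same default validation the RDP client applies. The gateway name and external IP are assumed placeholders.

```powershell
# Added example, not from the original post: pre-flight checks for steps 2, 3 and 6.
# The gateway name and external IP below are assumed placeholders; substitute your own.
function Test-TsGatewayPublishing {
    param(
        [string]$GatewayFqdn        = 'tsgw.example.com',  # assumed: the name on the SSL cert
        [string]$ExpectedExternalIp = '203.0.113.10',      # assumed: the IP the firewall/ISA publishes
        [int]$Port                  = 443
    )
    $result = New-Object PSObject -Property @{
        DnsMatches = $false; PortOpen = $false; CertTrusted = $false
        Subject = ''; Issuer = ''; NotAfter = $null; Error = ''
    }

    # Step 3: the external name must resolve to the published external IP.
    $addresses = [System.Net.Dns]::GetHostAddresses($GatewayFqdn) |
        Where-Object { $_.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork } |
        ForEach-Object { $_.IPAddressToString }
    $result.DnsMatches = ($addresses -contains $ExpectedExternalIp)
    if (-not $result.DnsMatches) {
        Write-Warning "$GatewayFqdn resolves to [$($addresses -join ', ')], expected $ExpectedExternalIp"
    }

    # Step 6: TCP 443 must be reachable from where the client sits.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($GatewayFqdn, $Port)
        $result.PortOpen = $true
    } catch {
        $result.Error = "Cannot reach ${GatewayFqdn}:$Port - check the firewall passthrough or ISA publishing rule"
        Write-Warning $result.Error
        return $result
    }

    # Step 2 / note (a): with no custom validation callback, SslStream applies the
    # default policy, so the handshake only succeeds if the certificate chains to a
    # root the client trusts AND its name matches $GatewayFqdn. That is what the
    # Remote Desktop client insists on as well.
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($GatewayFqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.CertTrusted = $true
        $result.Subject  = $cert.Subject
        $result.Issuer   = $cert.Issuer
        $result.NotAfter = $cert.NotAfter
    } catch {
        $result.Error = "TLS handshake failed: $($_.Exception.Message)"
        Write-Warning $result.Error
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
    return $result
}

Test-TsGatewayPublishing | Format-List DnsMatches, PortOpen, CertTrusted, Subject, Issuer, NotAfter, Error
```

Run it from the outside (a laptop on a home connection, for instance), because that is where the name resolution, the port and the trust decision actually happen; a green result from inside the LAN tells you nothing about the published listener.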

(Apologies if this isn't well structured, it's been a few weeks since I set this up.)

Now to access the server, you have to use Remote Desktop Client 6.0 or higher (basically Vista SP1 or XP SP3). Go to the Advanced tab and enter your gateway server information.

Then OK out of that and go to the General tab and enter the internal machine name that you want to connect to through the terminal server gateway. (NOTE: Make sure the machine is listed in the RAP if you are not allowing all connections. If you used the FQDN in the RAP, then you have to use the FQDN in the client. The same goes for the NetBIOS name and IP address. I just put all 3 in the RAP.)

At this point I normally do a Save As to create a shortcut so these settings don't interfere with my other connections.

When you go to connect you may be prompted for a security confirmation. Just accept it and move on. You'll notice in the confirmation window that it shows you both the gateway server name and the end target name/IP.



Additional notes:
a) Your client MUST trust the SSL certificate. I can't guarantee this'll work otherwise.

Tuesday, December 2, 2008

Backup Exec, ISA, and V-79-57344-65072 - The connection to target system has been lost

So out of the blue my backups started barfing when trying to back up one of my ISA servers. Which really sucks because it was working fine.

V-79-57344-65072 - The connection to target system has been lost. Backup set canceled

The only changes that were made recently were just the application of the latest security patches, etc. from MS. (Of course, Symantec's support of ISA with Backup Exec has never been stellar, so I can't rule out the possibility that it just stopped working randomly.) I went ahead and checked the usual forums, KBs, etc. and found a lot of references to the error. I did the usual logging on the ISA server to check the traffic flow, etc. and did notice that the agent kept trying to use the external network adapter even though the initial connections were being handled from the internal adapter. For testing I even tried creating a bidirectional full access rule between the ISA server and the Backup Exec server and it didn't fix it. The only thing that worked was to create a User Defined Selection and use that for the backup job definition instead of the server name, as mentioned in this forum post here:

https://forums.symantec.com/syment/board/message?board.id=be11dOther&message.id=2121&query.id=62200#M2121


I created a new User Defined Selection and used the Internal IP address of that ISA server and the damn thing started working.

Tuesday, November 11, 2008

nortel i2050 and vista

So I had given up on getting the i2050 to work since I still have an ancient BCM 3.7 system. But then I found out some of my users had gotten hold of the V2 version of the software (build 255) and had been using it successfully for a couple of months. Of course, I've yet to find anything from Nortel that says it's supported on the 3.7 but heck it seems to work so we'll use it for now.



I've seen some references online that the V2 version of the i2050 CD can still be purchased but I haven't found it in stock anywhere yet. They're heavily pushing the new V3 but I'm pretty sure that won't work on my old 3.7 system.

Tuesday, October 28, 2008

Backup Exec 12.5

I was slightly hesitant when I got the upgrade emails from Symantec but I went ahead and downloaded it. The upgrade installation went through without a hitch, all my settings were retained, and the jobs are running properly. I'm not being sarcastic when I say that this is probably the best Backup Exec upgrade I've had in the past 4 years.

One of the reasons I wanted to roll this out is that I'm looking at rolling out a 2008 Hyper-V box next year and they've added a new agent specifically for Microsoft Virtual Servers. Now I'm not a licensing expert, but it looks like they're going to focus more on licensing the host virtual server and not worry as much about how many virtual machines are on it. An Agent for VMware ESX is now available as well.

On top of that, they've released a new version of their System Recovery product (8.5) which like the previous version allows you to convert your backups into virtual machines. The new 8.5 version adds support for Hyper-V and scheduled conversions.
http://www.symantec.com/business/backup-exec-system-recovery-server-edition

So far so good with the new version. I'll keep my fingers crossed that it lasts...

Thursday, October 16, 2008

vmware 2 install - system administrator has set policies to prevent this installation error

Whilst trying to upgrade my VMware Server 1.0 to the new 2.0 version, I ran into a fun error.

So I tried a few resolutions I had found on the web, which led me to this patch:
http://support.microsoft.com/kb/925336

Now granted, the title of that KB seems misleading, but apparently it applies here too. Since VMware's installer is one big huge file (500+ MB), you have to install this patch and reboot. Afterwards, the installer worked fine for me.

Friday, October 10, 2008

VMWare Server 2.0 problem with disconnected network cable

I ran into an interesting problem with VMware Server 2.0 this week on a laptop. When the network cable is not plugged in and you're not on a wireless network, you can't open a browser to connect to the console of currently running virtual machines. (I really miss the old Console app.)

The workaround I use is to create a Loopback Adapter on the host machine:
2003 instructions:
http://articles.techrepublic.com.com/5100-10878_11-5647584.html
XP instructions:
http://support.microsoft.com/kb/839013

Once created, assign a static IP like 172.16.180.1 or something similar. The loopback adapter is always on and always appears connected. Reboot and then use the loopback adapter's address to get into the VMware admin web console: https://172.16.180.1:8333 or whatever address you chose to assign your loopback adapter. (Keep in mind you want to choose an address that isn't likely to conflict with other networks when you travel.) Using the loopback adapter is perfectly safe and won't affect how your virtual machines operate. This workaround just pertains to how the web console is bound to IIS.

Thursday, September 25, 2008

copy user - parameter is incorrect error

So recently I've been trying to fix an issue that was preventing me from copying existing user accounts. You'd get to the final step and click finish and be rewarded with an error box stating: Windows cannot create the object such and such because: The parameter is incorrect.



As it turns out, this error is caused by bad data in one of the user's attributes. The good news is that it can be fixed; the bad news is that it may require some perseverance to find it. The following steps and screenshots were done on a Win2k8 domain controller, so some things might look different. The Users and Computers MMC is in 'advanced' mode (View -> Advanced Features).

Open up a known good user that you can copy and, in another window or on another DC, open up the problem user. Go to the Attributes tab and set the Filter in the bottom right to "Show only attributes that have values" and repeat in the other window. (That is, unless you like spending LOTS more time doing this.) This will narrow the search down considerably.

Now do a side-by-side comparison and look for values that either exist in only one user or that look odd.

In my case, when I went to edit the msRADIUSCallbackNumber attribute, I found that it had garbage in it. Just hit the Clear button and OK out.

After I torched the msRADIUS values on mine, I was able to copy the user without any problems. And due to a shortage of time, I didn't get around to writing a PowerShell script to dump it out to Excel, but maybe if I get bored one day...
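The side-by-side comparison above can be scripted. The following PowerShell function is an added example and not the author's script (the post says one was never written): it binds to both accounts through ADSI, which works on a 2008 DC without any extra module, lists only attributes that have values, and emits one row per attribute that differs, flagging the msRADIUS* attributes, values present only on the problem user, and values containing control characters as the first things to look at. Both distinguished names are assumed placeholders.

```powershell
# Added example, not from the original post: script the side-by-side attribute comparison
# done by hand in the MMC above. ADSI ([adsi]) is used so it runs on a 2008 DC without the
# later Active Directory module. Both distinguished names are assumed placeholders.
function Compare-AdUserAttributes {
    param(
        [string]$GoodUserDn    = 'CN=Good User,OU=Staff,DC=example,DC=local',    # assumed
        [string]$ProblemUserDn = 'CN=Problem User,OU=Staff,DC=example,DC=local'  # assumed
    )
    $good    = [adsi]"LDAP://$GoodUserDn"
    $problem = [adsi]"LDAP://$ProblemUserDn"

    # Render any attribute value as text; binary values are shown as hex so that
    # garbage bytes are visible instead of being swallowed by the console.
    function Format-AttrValue($v) {
        if ($null -eq $v) { return '' }
        if ($v -is [byte[]]) { return ($v | ForEach-Object { '{0:X2}' -f $_ }) -join ' ' }
        return (@($v) | ForEach-Object { [string]$_ }) -join '; '
    }

    # PropertyNames only lists attributes that have values: the same filter as
    # "Show only attributes that have values" in the MMC.
    $names = @($good.Properties.PropertyNames) + @($problem.Properties.PropertyNames) |
        Sort-Object -Unique

    foreach ($name in $names) {
        $g = Format-AttrValue $good.Properties[$name].Value
        $p = Format-AttrValue $problem.Properties[$name].Value
        if ($g -eq $p) { continue }   # identical on both accounts: not interesting

        # Heuristic flags: the msRADIUS* attributes that bit the author, values that
        # exist on the problem user only, and values containing control characters.
        $onlyOnProblem   = ($g -eq '' -and $p -ne '')
        $hasControlChars = ($p -match '[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]')
        New-Object PSObject -Property @{
            Attribute     = $name
            GoodValue     = $g
            ProblemValue  = $p
            OnlyOnProblem = $onlyOnProblem
            Suspicious    = ($name -like 'msRADIUS*' -or $onlyOnProblem -or $hasControlChars)
        }
    }
}

# Review the differences, most suspicious first. Piping to Export-Csv instead of
# Format-Table gives the Excel dump the author had in mind.
Compare-AdUserAttributes | Sort-Object Suspicious -Descending |
    Format-Table Attribute, Suspicious, GoodValue, ProblemValue -AutoSize

# To clear one bad attribute, which is what the Clear button in the MMC does
# (ADS_PROPERTY_CLEAR = 1), bind to the account and write the change back:
# $u = [adsi]"LDAP://CN=Problem User,OU=Staff,DC=example,DC=local"
# $u.PutEx(1, 'msRADIUSCallbackNumber', $null)
# $u.SetInfo()
```

Attributes such as objectGUID, sAMAccountName and the timestamps will always differ between two accounts, so expect a handful of unflagged rows; the Suspicious column is only a heuristic to put the likely culprit at the top of the list, not a verdict.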

Saturday, September 13, 2008

Dell Latitude E6400 first impressions

Where to begin? It has a completely redesigned exterior and IMHO looks a bit more like the stinkpad laptops. That aside, the slick black top does look nice. The battery has been relocated to the rear of the unit and they added FireWire, USB PowerShare (which allows you to charge devices off of it while it's off), HDMI output, an SD card slot, an eSATA port, and an optional built-in webcam for the lid. It also feels lighter, but I haven't decided yet if it feels as sturdy as the D630 series that it replaced. The only downside so far is that it only has 3 USB ports, but honestly it's a fair trade. The power cord has a glowing blue light near the plug, which is probably just for bling, but to me it's a power system troubleshooting tool (confirming power is getting there).

The new BIOS interface looks like it was designed by the guys who did the UI for the diagnostics CD. It has built-in mouse support and a few menu tweaks. It didn't prompt with an option to go into the BIOS from the boot logo, so I used the F12 boot menu option to get into it. One step backward is that it wouldn't let me use special characters in the admin password (i.e. $%^@). These types of things are common for major version changes and will probably be ironed out in a few patches.

The new docking station selection is pretty snazzy and comes with multiple elevation options. The one I got has dual DVI and HDMI ports as well as the base VGA port.

Overall the performance has been good so far.

Updated: 10/12/08 - Upon closer inspection, it's actually a DisplayPort in the back and not an HDMI, but you can buy an adapter from Dell. It appears they're still trying to push the DisplayPort technology even though the rest of the world is going HDMI.