Tuesday, January 17, 2012

Galaxy Tab WiFi stops working every few days

Having finally gotten fed up with rebooting my Galaxy Tab every few days to get it to work with my home Netgear router, I started trolling through forums for a solution. Suffice it to say, Android has a long way to go as far as DHCP and WiFi if even half of what's posted on these forums is accurate. Fortunately I managed to stumble on a fix that worked for me. My WiFi network was set up to accept both WPA and WPA2. I removed WPA support and left only WPA2 support on, and I haven't had to reboot in the past few weeks. (There's some kind of rekeying issue with WPA version 1 every few days.) I'd also had intermittent issues with my Cisco WAPs, so I applied the same change to them and am waiting to see if it helps.
 

Thursday, January 5, 2012

Android Exchange 2010 ActiveSync issue with Smart Forwarding

Ran into a real doozy of a bug this week with one of my users' DROID phones. Apparently there's a bug in the Smart Forwarding feature that causes an infinite loop for an outgoing message. After doing some digging I found a LOT of references to this rare bug on the forums. I'll post the links below, but the short version is that smart forwarding is supposed to just insert a marker when you forward an email with an attachment. That marker tells the server to insert the attachment so the client doesn't have to download the whole email to the phone first. In some cases this marker gets hosed royally and causes a loop between the client and server, and it just repeatedly sends out the same email. The only way to break that loop is to kill the mail profile on the device or hard reset it.

So for now I've told my users that if they've got this feature, turn it off:

Settings -> Battery and data manager -> Data delivery -> Email and corporate sync -> Smart forwarding

Email Settings -> Smart Forwarding


http://social.technet.microsoft.com/Forums/en-AU/exchangesvrmobility/thread/0e332aff-dc44-47d2-a294-36c68b56b04e

http://www.sharepointpanda.com/2011/08/motorola-atrix-with-gingerbread-update-triggers-infinite-loop-on-forwarded-emails/

http://www.atrixforums.com/forum/rescue-squad/5153-forwarded-emails-exchange-2010-get-sent-infinite-loop-after-gb-update.html


Friday, October 14, 2011

I like the Cisco AP541N WAPs

So I've been resisting giving wireless access to my internal network for a long while. But over time the security options on wireless equipment have gotten better, and frankly the cable clutter in the conference rooms has started resembling a brier patch. So I went looking for a wireless router that could not only handle multiple VLANs but would also provide strong security and integrate with my users' Active Directory accounts. Enter the Cisco AP541N, which can emulate up to 15 virtual APs, each of which can be configured with unique authentication options and VLAN tagging, and supports redirection to a URL. It also had good clustering support to boot, which was a nice plus, along with PoE support to simplify deployment, and it comes in just under $400.
http://www.cisco.com/cisco/web/solutions/small_business/products/wireless/ap_500/index.html

For my secure network I set the VAP to use RADIUS auth against my Win2k8 R2 domain controllers, which were set up using NPS. Good setup article here: http://aaronwalrath.wordpress.com/2010/06/22/install-windows-2008-r2-nps-for-radius-authentication-for-cisco-router-logins/

Accessing the VAP is a breeze, as the user just has to click connect on their domain-joined laptop and their credentials are automatically passed through without any end-user configuration. Nice video at: http://www.youtube.com/watch?v=g-0MM_tK-Tk

Now the only thing that I didn't like when I configured it was that the admin password was limited to only 8 alphanumeric characters. Fortunately, if that's an issue you can just configure the whole WAP to use 802.1X to authenticate the admin account. I also ran into an issue where the auto-configured settings that the cluster feature set up had an authentication problem, but all I had to do to fix that was re-enter the RADIUS password and it went away.


Monday, September 26, 2011

TMG 2010 and enabling TLS 1.2


With the impending demise of TLS 1.0 on the web, I figured it was a good time to make sure all my servers had TLS 1.2 enabled on them. The normal IIS 7.x servers wouldn't be a problem, since I'd found a PowerShell script for turning that on a while ago, but I wasn't sure about the TMG 2010 servers. Since they also function as SSL termination endpoints, they also needed to support TLS 1.2. After a bit of searching I found only a few mentions of TLS 1.2 and TMG 2010, and they seemed to imply that it would track with whatever the OS had enabled on it. So I went ahead and ran the script to enable it, rebooted, and then tested my servers with the SSL Labs tester (https://www.ssllabs.com/ssldb/index.html), which reported back to me that my servers were now supporting TLS 1.2.

But it also reported back that my server still supported insecure renegotiation. So I dug around a bit more and found some registry keys that need to be set in order to turn off insecure renegotiation at http://support.microsoft.com/kb/980436 . So I set these 3 DWORD values to zero:

AllowInsecureRenegoClients
AllowInsecureRenegoServers
UseScsvForTls

Updated: I started getting "The supplied SSPI channel bindings were incorrect" errors on servers that were published behind the TMG server, so I deleted those keys and that went away.
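An added example (not the script the post refers to) of what the TLS 1.2 enablement looks like on the TMG host, assuming the standard Schannel registry layout on Windows Server 2008 R2; in light of the update above, it only reports the three KB 980436 renegotiation values instead of forcing them.

```powershell
# Added example, not the post's script. Assumes the standard Schannel registry
# layout on Windows Server 2008 R2 (the TMG 2010 host OS). Run elevated.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Enable-Tls12 {
    # Server side covers TMG's SSL termination; Client side covers the
    # connections TMG makes onward to the published servers.
    foreach ($side in 'Server', 'Client') {
        $key = "$schannel\Protocols\TLS 1.2\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=1 turns the protocol on; DisabledByDefault=0 lets Schannel
        # offer it without the application asking for it explicitly.
        New-ItemProperty -Path $key -Name 'Enabled' -Value 1 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
    }
}

function Get-RenegoSettings {
    # Report only: the post's update shows that forcing these to 0 broke
    # channel binding for servers published behind TMG.
    foreach ($name in 'AllowInsecureRenegoClients', 'AllowInsecureRenegoServers', 'UseScsvForTls') {
        $item = Get-ItemProperty -Path $schannel -Name $name -ErrorAction SilentlyContinue
        $value = '(not set, OS default applies)'
        if ($item -ne $null) { $value = $item.$name }
        New-Object PSObject -Property @{ Name = $name; Value = $value }
    }
}

Enable-Tls12
Get-RenegoSettings | Format-Table Name, Value -AutoSize
Write-Host 'Reboot for the Schannel change to take effect, then re-test with the SSL Labs scanner.'
```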


The PowerShell script that I used to enable TLS 1.2 can be found here:




Monday, July 25, 2011

Custom Calendar permissions missing in Outlook on recovered calendar


After painfully recovering a Calendar last week for a user, they were no longer able to set 'Custom' permissions for their Calendar. All the Free/Busy options had disappeared from the panel completely. The solution turned out to be running outlook.exe /ResetFolders; only that fixed all the odd permission issues on the Calendar.

Wednesday, July 20, 2011

Silent installs and MDT 2010

The initial rollout of MDT was well received by the rest of my IT department, but as with all things, the new toy eventually led to new requests for changes. At the top of the list was to make the application installs silent or hands-free. It didn't take long to discover that there was no silver bullet to fix that problem. There are multiple installer programs, differences between .msi implementations, secret flags, and in some cases a matter of hunting down hidden alternate downloads of application installers. In this post I'm going to describe how I streamlined my testing, and at the bottom I'll list all the install flags that I'm currently using.

First, you'll need a good testing platform. I recommend either a Hyper-V or VMware VM so you can just take snapshots and then restore the state after each test.

Next, you'll want to create a custom task in MDT 2010 that just runs 1 application. You'll be able to manually run this task from your virtual machine while inside Windows. Otherwise you'd have to wait for the whole OS install, etc. each time you want to test a new command line syntax. To get to the task, go to the Scripts folder of your deployment share and run LiteTouch.vbs:
"\\yourservername\deployment$\Scripts\LiteTouch.vbs"


Third, go to www.appdeploy.com and search their knowledgebase for your application. Their package knowledgebase has a good user contribution database made from the blood, sweat, and tears of your colleagues in the field. Take for instance Adobe Reader X. The package KB article is linked here: http://www.appdeploy.com/packages/detail.asp?id=1976
Once there, click the Command Line section and you'll see what options you have for non-interactive or silent installs. There are multiple entries for most of them, as the method sometimes changes with newer versions of the software, or some users just like different options to be selected instead. If you make good use of virtual machine snapshots you'll save yourself tons of time testing these out.

WHENEVER possible, use the no-reboot or suppress-reboot option. MDT hates it when apps reboot by themselves. Just set the reboot flag under the application properties in MDT instead.



For some applications you'll have to download special versions of the installer, and for others you may have to do an .msi extraction first. Below you'll find the list of applications that I use and what flags work for me.

7-zip 64 bit
msiexec /i 7z465-x64.msi /quiet

windirstat
windirstat1_1_2_setup.exe /S

CutePDF (made a batch file)
ECHO Installing converter
converter.exe /auto
ECHO Installing cutepdf
cutewriter.exe /silent

Malware Bytes
mbam-setup.exe /SP- /SILENT /NOCANCEL

Symantec Endpoint protection 11.0.6
Just create a self-installing image using the Centralized admin console

Microsoft Windows Live Messenger
WLSetup-web.exe /q /NOToolbarCEIP /NOhomepage /Nolaunch /nosearch /AppSelect:Photo,Mail,Messenger

Microsoft .net 4.0 framework
dotNetFx40_Full_x86_x64.exe /passive /norestart

Microsoft Office 2007/2010

Adobe Acrobat X Reader
AdbeRdr1000_en_US.exe /sAll /msi /norestart ALLUSERS=1 EULA_ACCEPT=YES

VMWare Player 3.0
msiexec /i "vmware player.msi" REBOOT=ReallySuppress DESKTOP_SHORTCUT=0 QUICKLAUNCH_SHORTCUT=0 /qn

Microsoft Visual Studio 2010 (recommend doing an application bundle with SP1)
setup\setup.exe /q /norestart

Microsoft Visual Studio 2010 SP1 (recommend doing an application bundle with SP1)
setup /q /norestart

Roxio Creator 10.3
setup.exe /qn Reboot=ReallySuppress

SQL Server 2008 R2
Let the GUI build out an unattended file for you.
Then use this syntax:
setup /CONFIGURATIONFILE=CompanyInstallSettingsR2.ini /INDICATEPROGRESS /SAPWD="password"

Microsoft TMG 2010 Firewall Client
msiexec /i ms_fwc.msi SERVER_NAME_OR_IP=yourTMGServer ENABLE_AUTO_DETECT=1 REFRESH_WEB_PROXY=1 /qn /L*v c:\fwc_inst.log

SnagIT 9.x
Build out a batch file
snagit.exe USERNAME="INSERT USER NAME HERE" TSC_SOFTWARE_KEY="INSERT KEY HERE" TSC_LICENSEMODE="Full" /quiet
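An added example, not part of the post, for the testing step described above: a small harness that runs one silent command line inside the snapshot VM and classifies the exit code, so an installer that still reboots on its own (the thing MDT hates) is caught before the command line goes into an MDT application. The log path is an assumption.

```powershell
# Added example, not from the post. Runs one silent install and interprets the
# exit code the way MDT will; log file location is an assumption.
function Invoke-SilentInstall {
    param(
        [Parameter(Mandatory = $true)][string]$FilePath,
        [string]$ArgumentList,
        [string]$LogFile = "$env:TEMP\silent-install-test.log"
    )
    $params = @{ FilePath = $FilePath; Wait = $true; PassThru = $true }
    if ($ArgumentList) { $params['ArgumentList'] = $ArgumentList }
    $proc = Start-Process @params
    $code = $proc.ExitCode

    # Exit codes that matter for MDT: 0 is clean; 3010 succeeded but needs a
    # reboot (set the reboot flag in the MDT application properties); 1641 means
    # the installer is rebooting on its own, so a suppress-reboot flag is still
    # missing from the command line.
    switch ($code) {
        0       { $status = 'OK' }
        3010    { $status = 'OK, reboot required: set the reboot flag in MDT' }
        1641    { $status = 'Installer is rebooting by itself: add a suppress-reboot flag' }
        default { $status = "FAILED with exit code $code" }
    }
    $line = '{0} | {1} {2} | {3}' -f (Get-Date -Format s), $FilePath, $ArgumentList, $status
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
    return $code
}

# Try it with one of the command lines from the list above.
Invoke-SilentInstall -FilePath 'msiexec.exe' -ArgumentList '/i 7z465-x64.msi /quiet'
```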

That's all folks! Good luck.


Tuesday, June 21, 2011

Lync 2010 SIPPROXY_E_CONNECTION_EXTERNAL_INTERNET_ACCESS_DISABLED


So after following 3 guides and one book, I can now connect to my Lync 2010 server remotely through TMG 2010. The nifty error in the title there was rather fun to get rid of. You'd think that just toggling a setting that says "enable remote user access" would be the end of it. The final hitch that got me was that all the guides I found for setting up an Edge server have you export/import the configuration BEFORE you assign a global access policy and the Access Edge Configuration. I just assumed that once they'd partnered up, all updates would magically sync by themselves. I found out through trial and error that if you make changes after you've deployed your Edge server, then you need to go back in and re-import the configuration. Here's how to sync them up again:

1. Export out the current configuration from your internal Lync 2010 server.
Export-CsConfiguration -filename c:\temp\yourfilename.zip
2. Import the current configuration onto your Edge server using that file.
Import-CsConfiguration -filename c:\temp\yourfilename.zip -LocalStore


Thursday, June 9, 2011

TMG 2010, android 3.0, and the google market


Now this one was driving me up the wall. One of our users has a new Iconia tablet and wasn't able to use the Android Market at all while behind my firewall, but it worked fine everywhere else. I did a trace with TMG and there were no errors; all outgoing connections looked fine. So I went ahead and put Network Monitor on the firewall so I could see where it was going. I noticed that 74.125.227.4 kept popping up, which resolves to android.clients.google.com. I added that to the Web Browser tab for the proxy, let the settings kick in, and it fixed the problem. So I'm guessing that there's some issue with the TMG proxy and the Google Market.



Addendum - 6/15/11
Well, that didn't fully knock it out of the park. Apparently it also tries an outbound connection on TCP 5228, which I also had to add to the protocol list for my users.