Tuesday, December 16, 2014

How to remove and recreate all virtual directories in Exchange 2007

Occasionally, IIS gets messed up.  It's fairly simple to just recreate all of your virtual directories from scratch instead of banging your head against the wall trying to chase down the issue.  In this example, our external and internal URL is mail.company.com.  Our Internal server name is "MailServer".  Our NetBios domain name is "NetBiosDomainName", so change all of these to fit your environment.

Here's how it's done-

Run the following commands in Exchange Management Shell-

Get-AutodiscoverVirtualDirectory
Get-OABVirtualDirectory
Get-OWAVirtualDirectory
Get-WebServicesVirtualDirectory
Get-ActiveSyncVirtualDirectory
Get-UMVirtualDirectory


Now remove the existing virtual directories.  Use the website name shown in the output of the commands above; in my environment it is "Default Web Site"-

Remove-OWAVirtualDirectory -Identity "Owa (Default Web Site)" -Confirm:$false
Remove-OWAVirtualDirectory -Identity "Exadmin (Default Web Site)" -Confirm:$false
Remove-OWAVirtualDirectory -Identity "Exchange (Default Web Site)" -Confirm:$false
Remove-OWAVirtualDirectory -Identity "Exchweb (Default Web Site)" -Confirm:$false
Remove-OWAVirtualDirectory -Identity "Public (Default Web Site)" -Confirm:$false
Remove-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" -Confirm:$false
Remove-ActiveSyncVirtualDirectory -Identity "Microsoft-Server-ActiveSync (Default Web Site)" -Confirm:$false
Remove-OabVirtualDirectory -Identity "OAB (Default Web Site)" -Force:$true -Confirm:$false
Remove-UMVirtualDirectory -Identity "UnifiedMessaging (Default Web Site)" -Confirm:$false
Remove-AutodiscoverVirtualDirectory -Identity "Autodiscover (Default Web Site)" -Confirm:$false

Verify the directories have been removed-
Get-AutodiscoverVirtualDirectory
Get-OABVirtualDirectory
Get-OWAVirtualDirectory
Get-WebServicesVirtualDirectory
Get-ActiveSyncVirtualDirectory
Get-UMVirtualDirectory


Now create the new virtual directories.  In this example, our external and internal URL is mail.company.com.  Our internal server name is "MailServer".  Our NetBios domain name is "NetBiosDomainName", and our website is "Default Web Site".  Change all of these to fit your environment.

New-OWAVirtualDirectory -WebsiteName "Default Web Site" -OwaVersion "Exchange2007" -ExternalAuthenticationMethods Fba

Set-OWAVirtualDirectory -InternalUrl "https://mail.company.com/owa/" -ClientAuthCleanupLevel "Low" -LogonFormat "UserName" -DefaultDomain "NetBiosDomainName" -Identity "Owa (Default Web Site)"

New-OWAVirtualDirectory -WebsiteName "Default Web Site" -OwaVersion "Exchange2003or2000" -VirtualDirectoryType "Exadmin" -ExternalAuthenticationMethods Fba

New-OWAVirtualDirectory -WebsiteName "Default Web Site" -OwaVersion "Exchange2003or2000" -VirtualDirectoryType "Mailboxes" -ExternalAuthenticationMethods Fba

New-OWAVirtualDirectory -WebsiteName "Default Web Site" -OwaVersion "Exchange2003or2000" -VirtualDirectoryType "Exchweb" -ExternalAuthenticationMethods Fba

New-OWAVirtualDirectory -WebsiteName "Default Web Site" -OwaVersion "Exchange2003or2000" -VirtualDirectoryType "PublicFolders" -ExternalAuthenticationMethods Fba

New-WebServicesVirtualDirectory -WebsiteName "Default Web Site" -InternalUrl "https://mail.company.com/EWS/Exchange.asmx" -BasicAuthentication $true -WindowsAuthentication $true

New-ActiveSyncVirtualDirectory -WebsiteName "Default Web Site" -InternalUrl "https://mail.company.com/Microsoft-Server-ActiveSync" -ExternalAuthenticationMethods Basic -InternalAuthenticationMethods Basic

New-OabVirtualDirectory -WebsiteName "Default Web Site" -InternalUrl "https://mail.company.com/OAB"

Set-OabVirtualDirectory -PollInterval 30 -Identity "OAB (Default Web Site)"

New-UMVirtualDirectory -WebsiteName "Default Web Site" -InternalUrl "https://mail.company.com/UnifiedMessaging/Service.asmx"

New-AutodiscoverVirtualDirectory -WebsiteName "Default Web Site" -InternalUrl "https://mail.company.com/Autodiscover/Autodiscover.xml" -BasicAuthentication $true -WindowsAuthentication $true

Set-ClientAccessServer -Identity "MailServer" -AutoDiscoverServiceInternalUri "https://mail.company.com/Autodiscover/Autodiscover.xml"

Set-OfflineAddressBook "Default Offline Address Book" -VirtualDirectories "MailServer\OAB (Default Web Site)" -Versions Version2,Version3,Version4

Verify the directories have been created-
Get-AutodiscoverVirtualDirectory
Get-OABVirtualDirectory
Get-OWAVirtualDirectory
Get-WebServicesVirtualDirectory
Get-ActiveSyncVirtualDirectory
Get-UMVirtualDirectory



Open a Command Prompt with elevated permissions and run iisreset.

How to recreate all IIS directories on a new IIS 7 website (Including RPC and RPC with Cert) in Exchange 2007

I recently had an issue where my IIS website was corrupt and not operable.  My solution was to create a new IIS website; let's call it "New Web Site" and call the old one "Default Web Site".  In this example, our external and internal URL is mail.company.com.  Our internal server name is "MailServer".  Our NetBios domain name is "NetBiosDomainName", so change all of these to fit your environment.

Here's how it's done-

New-OWAVirtualDirectory -WebsiteName "New Web Site" -OwaVersion "Exchange2007" -ExternalAuthenticationMethods Fba

Set-OWAVirtualDirectory -InternalUrl "https://mail.company.com/owa/" -ClientAuthCleanupLevel "Low" -LogonFormat "UserName" -DefaultDomain "NetBiosDomainName" -Identity "Owa (New Web Site)"

New-OWAVirtualDirectory -WebsiteName "New Web Site" -OwaVersion "Exchange2003or2000" -VirtualDirectoryType "Exadmin" -ExternalAuthenticationMethods Fba

New-OWAVirtualDirectory -WebsiteName "New Web Site" -OwaVersion "Exchange2003or2000" -VirtualDirectoryType "Mailboxes" -ExternalAuthenticationMethods Fba

New-OWAVirtualDirectory -WebsiteName "New Web Site" -OwaVersion "Exchange2003or2000" -VirtualDirectoryType "Exchweb" -ExternalAuthenticationMethods Fba

New-OWAVirtualDirectory -WebsiteName "New Web Site" -OwaVersion "Exchange2003or2000" -VirtualDirectoryType "PublicFolders" -ExternalAuthenticationMethods Fba

New-WebServicesVirtualDirectory -WebsiteName "New Web Site" -InternalUrl "https://mail.company.com/EWS/Exchange.asmx" -BasicAuthentication $true -WindowsAuthentication $true

New-ActiveSyncVirtualDirectory -WebsiteName "New Web Site" -InternalUrl "https://mail.company.com/Microsoft-Server-ActiveSync" -ExternalAuthenticationMethods Basic -InternalAuthenticationMethods Basic

New-OabVirtualDirectory -WebsiteName "New Web Site" -InternalUrl "https://mail.company.com/OAB"

Set-OabVirtualDirectory -PollInterval 30 -Identity "OAB (New Web Site)"

New-UMVirtualDirectory -WebsiteName "New Web Site" -InternalUrl "https://mail.company.com/UnifiedMessaging/Service.asmx"

New-AutodiscoverVirtualDirectory -WebsiteName "New Web Site" -InternalUrl "https://mail.company.com/Autodiscover/Autodiscover.xml" -BasicAuthentication $true -WindowsAuthentication $true

Set-ClientAccessServer -Identity "MailServer" -AutoDiscoverServiceInternalUri "https://mail.company.com/Autodiscover/Autodiscover.xml"

Set-OfflineAddressBook "Default Offline Address Book" -VirtualDirectories "MailServer\OAB (New Web Site)" -Versions Version2,Version3,Version4
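Both rebuilds above (the same-site one in the previous post and this new-website one) delete the virtual directories before recreating them, and the only check offered is eyeballing six Get-* listings afterwards.  The script below is an added example, not part of the original post: it snapshots the identity, URLs and authentication methods of every client-access virtual directory before the Remove-* step, then after the New-*/Set-* step reports anything missing, anything whose InternalUrl is not HTTPS on the expected host, and any authentication method that changed.  It assumes the Exchange 2007 Management Shell, the mail.company.com host name used in the post, and a snapshot path of C:\temp\vdir-before.xml (both values are this example's own).

```powershell
# Added example, not from the original post. Assumes the Exchange 2007
# Management Shell; $SnapshotPath and $ExpectedHost are this example's values.
$SnapshotPath = "C:\temp\vdir-before.xml"
$ExpectedHost = "mail.company.com"

# The six Get-*VirtualDirectory cmdlets from the post, gathered in one pass.
function Get-AllClientAccessVDirs {
    @(Get-AutodiscoverVirtualDirectory) +
    @(Get-OabVirtualDirectory) +
    @(Get-OwaVirtualDirectory) +
    @(Get-WebServicesVirtualDirectory) +
    @(Get-ActiveSyncVirtualDirectory) +
    @(Get-UMVirtualDirectory)
}

# Step 1, run BEFORE any Remove-*: keep identity, URLs and authentication
# methods as plain strings so the snapshot is independent of the live objects.
function Save-VDirSnapshot {
    Get-AllClientAccessVDirs | Select-Object `
        @{n="Identity";     e={ $_.Identity.ToString() }},
        @{n="InternalUrl";  e={ [string]$_.InternalUrl }},
        @{n="ExternalUrl";  e={ [string]$_.ExternalUrl }},
        @{n="InternalAuth"; e={ [string]$_.InternalAuthenticationMethods }},
        @{n="ExternalAuth"; e={ [string]$_.ExternalAuthenticationMethods }} |
    Export-Clixml -Path $SnapshotPath
}

# Step 2, run AFTER the New-*/Set-* commands: every snapshotted directory must
# exist again, every InternalUrl must be HTTPS on the expected host, and any
# change in authentication methods (for example Basic ending up where Windows
# auth used to be on EWS) is flagged for review.
function Test-VDirRebuild {
    $before   = Import-Clixml -Path $SnapshotPath
    $after    = Get-AllClientAccessVDirs
    $afterIds = $after | ForEach-Object { $_.Identity.ToString() }

    foreach ($old in $before) {
        if ($afterIds -notcontains $old.Identity) {
            Write-Warning "Missing after rebuild: $($old.Identity)"
        }
    }

    foreach ($vdir in $after) {
        # Legacy OWA types (Exadmin, Exchange, Exchweb, Public) have no URL; skip them.
        $url = $vdir.InternalUrl
        if ($url -and ($url.Scheme -ne "https" -or $url.Host -ne $ExpectedHost)) {
            Write-Warning "$($vdir.Identity): InternalUrl is $url, expected https://$ExpectedHost/..."
        }
    }

    foreach ($old in $before) {
        $new = $after | Where-Object { $_.Identity.ToString() -eq $old.Identity } | Select-Object -First 1
        if ($new -and ([string]$new.InternalAuthenticationMethods -ne $old.InternalAuth -or
                       [string]$new.ExternalAuthenticationMethods -ne $old.ExternalAuth)) {
            Write-Warning ("{0}: authentication changed from [{1} / {2}] to [{3} / {4}]" -f
                $old.Identity, $old.InternalAuth, $old.ExternalAuth,
                $new.InternalAuthenticationMethods, $new.ExternalAuthenticationMethods)
        }
    }
}

# Usage: Save-VDirSnapshot before the Remove-* commands, Test-VDirRebuild after
# the New-*/Set-* commands. No warnings means the rebuild matches the snapshot.
```

When the website name changes, as in this post, the identities in the snapshot will still carry the old "(Default Web Site)" suffix, so expect one "Missing after rebuild" warning per directory and read them as a checklist of what must now exist under "(New Web Site)"; the URL and authentication checks apply unchanged.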


Next, the Rpc and RpcWithCert applications.  You could probably just reinstall RPC instead, but if you'd prefer not to, here is how I recreated them-

Make a backup of the ApplicationHost.config in C:\Windows\System32\inetsrv\config.

Edit the file in Notepad and copy the two <application> entries below from the old site's <site> section into the new site's <site> section.  Don't paste this text literally; copy the corresponding lines from your old site "Default Web Site" (the applicationPool and physicalPath values come from your own file) and paste them inside the <site> section for your new site.

<site name="<Default Web Site>" id=...>
    ...
    <application path="/Rpc" applicationPool="SomeAppPool">
        <virtualDirectory path="/" physicalPath="C:\Windows\System32\RpcProxy" />
    </application>
    <application path="/RpcWithCert" applicationPool="SomeAppPool">
        <virtualDirectory path="/" physicalPath="C:\Windows\System32\RpcProxy" />
    </application>
    ...
</site>

Next, copy the two <location> sections for /Rpc and /RpcWithCert.  Again, don't paste this text literally; copy the sections from your old site "Default Web Site", change the path attribute to your new site, and paste the copies below the originals in the same part of the file.

Replace the old site with the new one like this-
<location path="<Default Web Site>/RpcWithCert"> --> <location path="<New Web Site>/RpcWithCert">

<location path="<Default Web Site>/Rpc">  --> <location path="<New Web Site>/Rpc">

<location path="<Default Web Site>/Rpc">
        <system.webServer>
            <directoryBrowse enabled="false" showFlags="Date, Time, Size, Extension" />
            <handlers accessPolicy="Execute">
                <add name="RPCPROXY" path="*" verb="*" modules="IsapiModule" scriptProcessor="C:\Windows\system32\RpcProxy\RpcProxy.dll" requireAccess="Execute" />
            </handlers>
            <serverRuntime uploadReadAheadSize="0" />
            <defaultDocument enabled="true" />
            <modules>
                <add name="PasswordExpiryModule" />
            </modules>
            <security>
                <requestFiltering>
                    <requestLimits maxAllowedContentLength="2147483648" />
                </requestFiltering>
                <authentication>
                    <anonymousAuthentication enabled="false" />
                    <basicAuthentication enabled="false" />
                    <windowsAuthentication enabled="true" useKernelMode="false" />
                </authentication>
                <access sslFlags="Ssl, Ssl128" />
            </security>
            <httpErrors>
                <remove statusCode="401" />
                <error statusCode="401" path="C:\Windows\system32\RpcProxy\Error401.txt" responseMode="File" />
            </httpErrors>
        </system.webServer>
</location>


<location path="<Default Web Site>/RpcWithCert">
        <system.webServer>
            <directoryBrowse enabled="false" showFlags="Date, Time, Size, Extension" />
            <handlers accessPolicy="Execute">
                <add name="RPCPROXY" path="*" verb="*" modules="IsapiModule" scriptProcessor="C:\Windows\system32\RpcProxy\RpcProxy.dll" requireAccess="Execute" />
            </handlers>
            <defaultDocument enabled="true" />
            <security>
                <authentication>
                    <anonymousAuthentication enabled="false" />
                    <basicAuthentication enabled="false" />
                    <clientCertificateMappingAuthentication enabled="true" />
                    <digestAuthentication enabled="false" />
                    <windowsAuthentication enabled="false" useKernelMode="false" />
                    <iisClientCertificateMappingAuthentication enabled="true" />
                </authentication>
                <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert, Ssl128" />
                <requestFiltering>
                    <requestLimits maxAllowedContentLength="2147483648" />
                </requestFiltering>
            </security>
            <serverRuntime uploadReadAheadSize="0" />
            <modules>
                <add name="PasswordExpiryModule" />
            </modules>
            <httpErrors>
                <remove statusCode="401" />
                <error statusCode="401" path="C:\Windows\system32\RpcProxy\Error401.txt" responseMode="File" />
            </httpErrors>
        </system.webServer>
</location>


Open a Command Prompt with elevated permissions and run iisreset.
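Hand-editing applicationHost.config is where the security settings of these two locations are most easily lost: drop an attribute while pasting and /Rpc can end up without Windows authentication, or /RpcWithCert without the client-certificate requirement.  The script below is an added check, not part of the original post.  It parses the config as XML and confirms that the copied <location> blocks for the new site still carry the settings shown above (anonymous off, the right authentication module on, and the expected sslFlags).  It assumes the default config path and the site name "New Web Site" from the post; run it after editing and before the iisreset.

```powershell
# Added example, not from the original post. Assumes the default
# applicationHost.config path and the site name "New Web Site" used above.
$ConfigPath = "C:\Windows\System32\inetsrv\config\applicationHost.config"
$SiteName   = "New Web Site"

$config = [xml](Get-Content -Path $ConfigPath)

# Settings each RPC location must keep, taken from the two <location> blocks
# in the post. sslFlags is checked flag by flag so ordering does not matter.
$expected = @{
    "/Rpc" = @{
        anonymous = "false"
        windows   = "true"
        sslFlags  = @("Ssl", "Ssl128")
    }
    "/RpcWithCert" = @{
        anonymous = "false"
        windows   = "false"
        sslFlags  = @("Ssl", "SslNegotiateCert", "SslRequireCert", "Ssl128")
    }
}

function Test-RpcLocation {
    param([string]$Path)
    # <location path="New Web Site/Rpc"> lives directly under <configuration>.
    $node = $config.SelectSingleNode("/configuration/location[@path='$SiteName$Path']")
    if (-not $node) { return "$SiteName$Path: <location> block is missing" }

    $problems = @()
    $want = $expected[$Path]
    $auth = $node.SelectSingleNode("system.webServer/security/authentication")

    if ($auth.anonymousAuthentication.enabled -ne $want.anonymous) {
        $problems += "$Path: anonymousAuthentication should be $($want.anonymous)"
    }
    if ($auth.windowsAuthentication.enabled -ne $want.windows) {
        $problems += "$Path: windowsAuthentication should be $($want.windows)"
    }
    if ($Path -eq "/RpcWithCert" -and
        $auth.clientCertificateMappingAuthentication.enabled -ne "true") {
        $problems += "$Path: clientCertificateMappingAuthentication should be true"
    }

    $access = $node.SelectSingleNode("system.webServer/security/access")
    $flags  = [string]$access.sslFlags -split ",\s*"
    foreach ($f in $want.sslFlags) {
        if ($flags -notcontains $f) { $problems += "$Path: sslFlags is missing $f" }
    }
    return $problems
}

$report = @("/Rpc", "/RpcWithCert") | ForEach-Object { Test-RpcLocation $_ }
if ($report) {
    $report | ForEach-Object { Write-Warning $_ }
} else {
    "Rpc and RpcWithCert locations for '$SiteName' match the expected settings."
}
```

The check reads the file only, so it is safe to rerun after each edit; a warning about a missing <location> block usually means the path attribute was not changed from the old site name.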


Monday, December 8, 2014

How to set up a Ubiquiti Unifi controller on Linux (Unifi 3.x, Ubuntu 12.04)

This is a summary of how to set up a Ubiquiti Unifi controller on a Ubuntu Linux box.

1) Install Ubuntu Server 12.04.  During the install select "OpenSSH Server" so you can remote into the server with PuTTY.

2) Once the operating system is up and running, set up a static IP on the box.

          sudo nano /etc/network/interfaces

          Change this-
                    auto eth0
                    iface eth0 inet dhcp

          To your static ip-
                    auto eth0
                    iface eth0 inet static
                              address 192.168.0.3
                              netmask 255.255.255.0
                              network 192.168.0.0
                              broadcast 192.168.0.255
                              gateway 192.168.0.1
                              dns-search example.com
                              dns-nameservers 8.8.8.8 4.2.2.2

          (You can omit the dns-search line if you don't need a domain suffix.)

          Simply restart your server, or you can restart the networking with this command-
                    sudo ifdown eth0 && sudo ifup eth0

3) Update the OS.
          sudo apt-get update

4) Update the sources.list to include the Unifi repository.
          Open the file-
                    sudo nano /etc/apt/sources.list

          Add the following line at the bottom of the file (this is the updated repository line)-
                    deb http://www.ubnt.com/downloads/unifi/debian stable ubiquiti

          (The old line, no longer used, was-
                    deb http://www.ubnt.com/downloads/unifi/distros/deb/ubuntu ubuntu ubiquiti)

          Hit <Control> <X> to exit and <Y> to save.

          Add the GPG Key
                     sudo apt-key adv --keyserver keyserver.ubuntu.com --recv C0A52C50

          Update the OS again.
                    sudo apt-get update

5) Install Unifi using apt-get.
                    sudo apt-get install unifi

          If you want the latest version do-
                    sudo apt-get install unifi-rapid

6) If Unifi doesn't start and says "Cannot locate Java Home", do the following-
          Open the init script.
                    sudo nano /etc/init.d/unifi
          Look for the variable "JAVA_HOME" and change the path to include the -amd64.
                    Change- JAVA_HOME=/usr/lib/jvm/java-6-openjdk
                    To- JAVA_HOME=/usr/lib/jvm/java-6-openjdk-amd64
          
          Hit <Control> <X> to exit and <Y> to save.

          Attempt to start Unifi again.
                    sudo service unifi restart

7) Open the Unifi controller by browsing to the IP of the box on port 8443 over https-
          https://192.168.0.3:8443/


----

To upgrade to 5.0-
Comment out (#) the old entry in /etc/apt/sources.list and add-
deb http://www.ubnt.com/downloads/unifi/debian unifi5 ubiquiti
Then-
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv C0A52C50
sudo apt-get update
sudo apt-get install --only-upgrade unifi

Friday, December 5, 2014

How to add a list of domains to a Send Connector in Exchange 2007 (Forced TLS) (CSV File)

I had a client with a scoped send connector to enforce outbound TLS to their partner company.  I needed to add a huge list of domains to the send connector.  I only tested this with Exchange 2007 but I'm sure it's similar for 2010/2013.

Create a file with Notepad and name the file with the extension .csv.  For my example, we'll use test.csv and we'll save it in C:\temp.  The format of the file should be-

Name
test1.com
test2.com
test3.com
test4.com

Use the following commands in PowerShell (the Exchange Management Shell) to import the domains to your Send Connector.  For my example, our send connector will be called "TestSend".

$al = (Get-SendConnector -Identity TestSend).AddressSpaces
$al += (Import-Csv c:\temp\test.csv) | ForEach-Object { $_.Name }
Set-SendConnector -Identity TestSend -AddressSpaces $al
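A forced-TLS connector is only as accurate as its address-space list, and the three-line import above will happily push a blank row, a stray space or a mistyped entry straight onto the connector.  The script below is an added example, not part of the original post: it validates each CSV row as a plain DNS name, skips domains already present on the connector, prints what would be added, and runs Set-SendConnector with -WhatIf so nothing changes until the list has been read.  It assumes the post's C:\temp\test.csv with a single "Name" column, the connector "TestSend", and that each entry in the connector's AddressSpaces collection exposes its domain through an Address property.

```powershell
# Added example, not from the original post. Assumes C:\temp\test.csv (one
# "Name" column) and the send connector "TestSend" from the post.
$CsvPath   = "C:\temp\test.csv"
$Connector = "TestSend"

# Plain DNS domain names only: 1-63 character labels, a letters-only TLD, 253
# characters overall. Wildcard spaces such as *.example.com are deliberately
# rejected so a typo cannot silently widen the forced-TLS scope.
$DomainPattern = '^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'

function Get-ValidatedDomains {
    param([string]$Path)
    $valid = @()
    $bad   = @()
    foreach ($row in Import-Csv -Path $Path) {
        $name = [string]$row.Name
        $d = $name.Trim().ToLower()
        if ($d -match $DomainPattern) { $valid += $d } else { $bad += $name }
    }
    if ($bad) {
        Write-Warning ("Skipping {0} malformed entries: {1}" -f $bad.Count, ($bad -join ", "))
    }
    return ($valid | Sort-Object -Unique)
}

# Domains already on the connector, as lower-case strings. Each AddressSpace
# entry renders as "SMTP:domain;cost"; its Address property is the domain.
$current  = Get-SendConnector -Identity $Connector
$existing = @($current.AddressSpaces | ForEach-Object { $_.Address.ToString().ToLower() })

$new = @(Get-ValidatedDomains -Path $CsvPath | Where-Object { $existing -notcontains $_ })

if ($new.Count -eq 0) {
    "Nothing to add; every valid domain in $CsvPath is already on $Connector."
} else {
    "Adding $($new.Count) domain(s) to $Connector:"
    $new
    # Existing address spaces are passed through unchanged so their costs and
    # any wildcard entries are kept. Remove -WhatIf to apply the change.
    Set-SendConnector -Identity $Connector -AddressSpaces (@($current.AddressSpaces) + $new) -WhatIf
}
```

Running it twice is harmless: the second pass finds every domain already present and reports nothing to add, which is also a quick way to confirm the import took.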


Wednesday, December 3, 2014

Changing Ubuntu Server IP address from DHCP to Static (including DNS)

I know this is a silly one but some seem to struggle with this and there are some conflicting instructions out there.

sudo nano /etc/network/interfaces


Change this-
auto eth0
iface eth0 inet dhcp

To your static ip-
auto eth0
iface eth0 inet static
        address 192.168.0.3
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1
        dns-search example.com
        dns-nameservers 8.8.8.8 4.2.2.2


(You can omit the dns-search line if you don't need a domain suffix.)

Simply restart your server.  If you'd prefer not to, you can restart the networking with this command-
sudo ifdown eth0 && sudo ifup eth0


Cisco ASA Restrict VPN traffic to 1 IP on Site to Site (L2L) Tunnel

I was recently asked to restrict access on a VPN tunnel to one IP address, 192.168.240.13.  Here is how I did it-



access-list restrict extended permit ip host 192.168.240.13 any

group-policy Tunnel internal
group-policy Tunnel attributes
 vpn-filter value restrict

tunnel-group 2.2.2.2 general-attributes
 default-group-policy Tunnel

Setting up a Site to Site (L2L) VPN Tunnel on a Cisco ASA 5505 when the remote end has an overlapping (conflicting) IP Range

A scenario I commonly run into is a client who wants to set up a Site to Site IPSec VPN tunnel to a vendor but cannot use their current IP scheme because it overlaps with another one of their business partners.  This is a fairly simple setup.

Public IP- 1.1.1.1
Private LAN- 192.168.0.0/24
Remote VPN LAN- 192.168.250.0/24
Remote Host IP- 2.2.2.2
Pre-Shared-Key- Key

So we're going to make up a "Natted" LAN for use on this tunnel.  We will use- 192.168.100.0/24.
Natted LAN- 192.168.100.0

First thing, create some object groups.

ASA(config)# object network LocalSubnet
ASA(config-network-object)# subnet 192.168.0.0 255.255.255.0
ASA(config)# object network LocalSubnetNAT
ASA(config-network-object)# subnet 192.168.100.0 255.255.255.0
ASA(config)# object network RemoteSubnet
ASA(config-network-object)# subnet 192.168.250.0 255.255.255.0



Next we create a twice NAT rule that translates the local subnet to the "Natted" subnet only when the destination is the remote VPN subnet (and untranslates it on the way back).

ASA(config)# nat (inside,outside) source static LocalSubnet LocalSubnetNAT destination static RemoteSubnet RemoteSubnet



Now we create an ACL for the VPN tunnel.  Since VPN tunnels are processed after NAT, it will be from the Natted subnet to the remote subnet.

ASA(config)# access-list Tunnel extended permit ip object LocalSubnetNAT object RemoteSubnet



Now we build the tunnel like we normally would.  This example uses 3DES, SHA-1 and DH group 2 to match the remote end; prefer AES and a stronger DH group whenever the peer supports them-
ASA(config)# crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
ASA(config)# crypto map outside_map 10 match address Tunnel
ASA(config)# crypto map outside_map 10 set peer 2.2.2.2
ASA(config)# crypto map outside_map 10 set ikev1 transform-set ESP-3DES-SHA
ASA(config)# crypto map outside_map interface outside
ASA(config)# crypto ikev1 enable outside
ASA(config)# crypto ikev1 policy 10
ASA(config-ikev1-policy)# authentication pre-share
ASA(config-ikev1-policy)# encryption 3des
ASA(config-ikev1-policy)# hash sha
ASA(config-ikev1-policy)# group 2
ASA(config-ikev1-policy)# lifetime 86400
ASA(config)# tunnel-group 2.2.2.2 type ipsec-l2l
ASA(config)# tunnel-group 2.2.2.2 ipsec-attributes
ASA(config-tunnel-ipsec)# ikev1 pre-shared-key Key


That's it!