Skip navigation

Category Archives: Windows

Pushing Sophos AV from Enterprise Manager on SBS 2008/2011

With the security on Windows devices improving natively, things are a little more difficult now to push applications out to the desktop – this is something that should be welcomed, but at the same time makes installation of products like Sophos Antivirus a little more difficult to deploy via the Enterprise Manager.

There are some pre-requisite steps that now need to be taken prior to deployment:

1) Allow traffic to the SBS Server from the LAN.

netsh firewall add portopening TCP 8192 “Sophos”
netsh firewall add portopening TCP 8193 “Sophos”
netsh firewall add portopening TCP 8194 “Sophos”
netsh firewall add portopening TCP 8081 “Sophos quarantine digest”

2) Open up Group Policy and edit the Domain Group Policy ->Computer Config->Windows Settings ->Security Settings->System Services.  Ensure that:

Remote Registry: Automatic
Computer browser: Automatic

3) Allow traffic on the workstations…. Computer Config > Administrative Templates > network > Network Connections > Windows Firewall > Domain Profile

8192:TCP:<SERVERIP>:ENABLED:Sophos8192
8193:TCP:<SERVERIP>:ENABLED:Sophos8193
8194:TCP:<SERVERIP>:ENABLED:Sophos8294

You should then be able to assign the machines to groups within the Enterprise Console

Free Brick Level backups on Exchange 2003/SBS 2003

I’ve seen so many people attempt to restore Exchange and fail using Microsofts built in tools, or come unstuck because they want to restore a single mailbox, that I thought I’d document the free method of backing up Exchange that we use, so that it will hopefully help others.

One of the tools available from Microsoft free is Exmerge.  It allows individual mailboxes to be individually exported to PST files, which can then either be re-imported back into Exchange or simply opened in Outlook.  Exmerge is available from http://www.microsoft.com/downloads/details.aspx?familyid=429163ec-dcdf-47dc-96da-1c12d67327d5&displaylang=en

Extract and save to the Exchsrv/bin directory, and when the appropriate mailboxes have been selected, destinations set save the configuration.  This will create an exmerge.ini file.

This can then be scripted in a batch file and run as a scheduled task.  I create a folder on the local disk of the Exchange server (although this can be done to a mapped drive) for each day I want the backup to run.

My exmon.bat file reads:

D:\exchsrvrbinexmerge.exe -F C:\scriptsexmonexmerge.ini -B

Which runs the exmerge.exe, with the options specified in scriptsexmonexmerge.ini and runs the script as a batch job using the -B switch.

To clean the folder prior to running, I have a separate batch file that runs earlier on the same day that runs

del /F /Q /S z:\Exchangeexmon*.*

Subsequently to back up the PST files to a separate server I use the excellent BackupPC running on a Debian server.  Installation instructions for Debian are here: http://www.debianhelp.co.uk/backuppc.htm

The BackupPC box is confugured to access the SMB share that the PST’s are stored in, as well as additional file shares on the server.  BackupPC supports incremental backups and backups via a variety of methods (including SSH and rsync, as well as SMB).

It’s also possible to archive off historic backups for off-site using the archive functions within BackupPC.  As a free solution for backing up mailboxes and beiong able to recover easily (with version control) this is very effective…

Exchange 2003 Pop3 Service Hangs when starting

Following a reboot of our Exchange 2003 server, the Pop3 service stated it was started, but on trying to connect to port 110 using telnet it just popped up “connection to the host lost”.  When we attempted to restart the service it hung when starting – there were no events in the event viewer following the stopping of the service.

The solution was to kill the process in Task Manager (inetinfo.exe).  We found it immediately re-spawned and worked…

Migrating a batch of Printers to a new Print Server

I’ve just had to migrate a batch of printers to a new AD print server. Fortunately this process was made somewhat painless by the Microsoft Print Migration tool available here:

http://www.microsoft.com/DOWNLOADS/details.aspx?FamilyID=9b9f2925-cbc9-44da-b2c9-ffdbc46b0b17&displaylang=en

How to add a HTML email signature (including embedded image) to Outlook Web Access

Outlook web access does not allow the inclusion of images by default. However it is possible to embed the image within the signature.

First upload the image you wish to include to a web server and make a note of the full path. ie, http://www.yourdomain.com/images/companylogo.jpg.

Then create a new signature in Outlook and ensure the path of the image on the signature points to your webserver. You can find the raw signature files in “C:documents and settingsusername.domainapplication datamicrosoftsignatures” on Office 2007/XP.

You can then edit the raw signature in Notepad.This is an ideal opportunity to tidy up the messy html created by Outlook when designing the signature in the first place. Find the image src and edit to point to the full path of the hosted image

Send an email with the signature embedded to the users email address and open the email within OWA (in IE). Copy the signature then go into Options -> Email Signatures and paste in the signature.

Installing a PPTP Client in Fedora 10

The Network-Manager pptp client in F10 just wasn’t working for me.  Nothing in the logs, not output….just nothing at all. The pptpconfig client is  a far better solution – it’s available from : http://pptpclient.sourceforge.net.  Unfortunately there are no installation documents available for F10 – it is easy to install though:

#rpm -Uvh http://pptpclient.sourceforge.net/yum/stable/fc10/pptp-release-current.noarch.rpm

# yum –enablerepo=pptp-stable install pptpconfig

# pptpconfig

….enter the details of your PPTP account and connect.  Add additional routes if required

Connecting to a host using an alternative gateway with OpenVPN

I’ve just finished installing a pfSense firewall as a second gateway for a network that required a dedicated internet connection for some services. Some of the hosts on the network use the main office internet connection as their default gateway. As a result of this I was unable to connect to these hosts from remotely via the VPN, as the return path for the packets attempts to go via the primary internet connection, rather than via the VPN.

I had a quick glance at the pfSense/OpenVPN docs to see whether there was anything I could specify in pfSense and they stated that the machines needed to use the pfSense as the default gateway – this was unacceptable for our purposes here (one of the devices in question is the Asterisk VoIP server on the network which needs to use the other Internet connection for it’s external traffic). There is an easy solution to this however by simply adding a static route back to the IP range issued to DHCP clients via the pfSense’s internal IP.

This looks something like this:

openvpn

Effectively any internal machines that need to be visible over the VPN need to have an appropriate return path configured. The DHCP scope I have used for VPN clients is 10.0.200.0/24.
For linux machines on the network, the route can be added on a temporary basis (ie. until reboot) by entering the following command on the host:

route add -net 10.0.200.0/24 gw 10.204.6.1

or permanently by adding an entry into the /etc/sysconfig/static-routes (on Centos as per http://www.centos.org/docs/5/html/5.1/Deployment_Guide/s1-networkscripts-static-routes.html)

On Windows hosts this can be achieved by adding a persistent route:

route add -p 10.0.200.0 mask 255.255.255.0 10.204.6.1
:)

Using Recipient Policy to Create Email Addresses

By default, Microsoft exchange uses the username when creating email addresses for users using Recipient Policy.

eg.

username@domainname.com

However, in many cases the standardised email address format is slightly different – for example:

firstname.lastname@domainname.com

This is actually really easy to edit in the Exchange System Manager using a few variables:

%g  = Given Name (First name).
%3g = means first 3 letters of Given Name
%s  = Surname (Last name).
%3s = means first 3 letters of sn.
%d  = displayname.
%m  = Exchange alias.

Once this has been edited, just right click on the Policy and click Update this Policy now.

How to determine the MAC address of a remote machine

Sometimes it’s necessary to discover the MAC address of a remote system on a network quickly (for example when setting up DHCP scope reservations). It’s fortunately a really easy process to determine this information.

First of all, ping the remote host, then run an

arp -a

at the command line.  This will give you the MAC details.  The catch is that this only works on the same subnet – when trying to do this on a remote subnet (on the other side of a router, etc) you won’t get a response…there is a solution for this though, as long as the remote host you want to determine the MAC for is a Windows host.

NBTscan is a tool that can do this (and is available from the repositories on most linux distros (or at least on Debian, Ubuntu and Fedora, and is  also downloadable for Windows ;) )

First DNS Hijacks reported

It looks like following Dan Kaminsky’s exploit being made public the first attacks have been reported on DNS servers:

http://www.techcentral.ie/article.aspx?id=12375

I can’t believe that there are many people out there who haven’t yet patched their DNS servers……but it’s worth checking on the Doxpara site (http://www.doxpara.com/)

…that is, of course unless you’re DNS has been hijacked and you are being sent to a spoofed doxpara site ;)

Still bad news for those running Mac DNS servers as Apple still haven’t released a patch, although apparently the Bind team have stated that the BSD version of the patch can be ported….

Further info here:

http://xforce.iss.net/xforce/xfdb/35575