<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

<channel>
	<title>RetroHack</title>
	
	<link>http://retrohack.com</link>
	<description>lest the tubes become overfull</description>
	<lastBuildDate>Wed, 28 Jul 2010 15:26:17 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/Retrohack" /><feedburner:info uri="retrohack" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:emailServiceId>Retrohack</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><item>
		<title>howto://connect clients to exchange-part two</title>
		<link>http://feedproxy.google.com/~r/Retrohack/~3/_1lMEOWI-X8/</link>
		<comments>http://retrohack.com/enable-activesync-outlook-anywhere-exchange-2010/#comments</comments>
		<pubDate>Wed, 28 Jul 2010 12:30:00 +0000</pubDate>
		<dc:creator>Ed Fisher</dc:creator>
				<category><![CDATA[Infrastructure]]></category>
		<category><![CDATA[exchange]]></category>
		<category><![CDATA[howto]]></category>
		<category><![CDATA[isa & tmg]]></category>

		<guid isPermaLink="false">http://retrohack.com/exchange-2010-support-for-activesync-and-outlook-anywhere/</guid>
		<description><![CDATA[In this post we set up Exchange 2010 to support ActiveSync and Outlook Anywhere, we publish this to the Internet through our TMG, and we even see how to configure iPod/iPhone/iPad devices for ActiveSync.


You might also enjoy:<ol><li><a href='http://retrohack.com/enable-pop3-imap-exchange-2010/' rel='bookmark' title='Permanent Link: howto://connect clients to exchange-part one'>howto://connect clients to exchange-part one</a></li>
<li><a href='http://retrohack.com/how-to-install-exchange-2010-on-a-single-box-part-two/' rel='bookmark' title='Permanent Link: howto://install Exchange 2010 on a single box-part two'>howto://install Exchange 2010 on a single box-part two</a></li>
<li><a href='http://retrohack.com/how-to-use-tmg-2010-as-the-exchange-edge-transport-server/' rel='bookmark' title='Permanent Link: howto://use TMG 2010 as the Exchange edge transport server'>howto://use TMG 2010 as the Exchange edge transport server</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[<p></p>
<p><a href="http://retrohack.com/tag/exchange/" rel="tag" target="_blank"><img style="border-right-width: 0px; margin: 0px 10px 0px 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" border="0" alt="exchange" align="left" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/05/exchange.jpg" /></a>Welcome back. In the first half of this series, <a href="http://retrohack.com/enable-pop3-imap-exchange-2010/" target="_blank">howto://connect clients to exchange-part one</a>, we covered how to securely enable POP3 and IMAP for clients, and how to make those services accessible over the Internet using our TMG server. In this post, we are going to cover ActiveSync and Outlook Anywhere, and then of course, how to publish them through our TMG.</p>
<p>Exchange ActiveSync is Microsoft&#8217;s solution for connecting Windows Mobile devices to Exchange. It also happens to work for iPhones/iPod Touch/iPads, and Droid devices (though Verizon will charge you extra for that privilege. Bzzz!). ActiveSync uses a secure connection over HTTPS, and can be published easily through our TMG, making it the most attractive option for those devices that can use it. For Outlook clients who work remotely, and for whatever reason don&#8217;t want to first connect by VPN, Outlook Anywhere lets you make MAPI connections by tunneling RPC over HTTPS, supporting the full Outlook experience. Again, we&#8217;ll use our TMG to publish this. We&#8217;ll find out everything there is to know about remote connections to Exchange: their dreams, their desires, their most intimates of intimates, and from what I&#8217;m looking at, &quot;intimate&quot; is the stud muffin&#8217;s middle name. If you would like to set this up on your Exchange server, read on.</p>
<p><span id="more-2346"></span></p>
<p>Exchange ActiveSync is installed by default on servers when you install the Client Access Server role, so there is not much else to do with that. If you have a CAS, you have ActiveSync. All users will have ActiveSync enabled by default, and you should be good to go. Of course, if it was really that easy, I wouldn&#8217;t be blogging about it, would I?</p>
<h3>It&#8217;s called SEKURITAH</h3>
<p>I&#8217;m confused. In NT4 days, we all just logged on as Administrator and got the job done. Then in Windows 2000, we started paying attention to security and best practices, and had two accounts&#8230;a regular user account, and a privileged user account. We quickly learned what a pain in the arse that was, so in 2003, we started to really use RUNAS.</p>
<p>But then, folks realised that the above was all crap, and we just always made our AD account a member of domain admins. Yeah, we call it human nature. So the good folks at Microsoft introduced User Account Control, and the lovely ConsentUI. That sounded pretty good to me, and I am an advocate of UAC, however&#8230;what they did NOT get rid of is a little gem called <a href="http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx" target="_blank">sdAdminHolder</a>. Why is this a problem? Because it is evil, absolutely evil. This little gem flags all accounts that are made members of privileged groups, to try to better secure them. In addition to restricting who can make changes to these accounts, it also blocks inheritance on their DACLs. This will bork ActiveSync for you the first time you try to set up your account, so listen up.</p>
<p>When you go to set up your device, it will error that a connection failed. Before you spend too much time looking at firewall ports or funky DNS issues, check the system logs on the Exchange server for Event ID 1053 from MSExchange ActiveSync. If this is your problem, it will look like this.</p>
<p><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image29.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="What was that honey? It was BAD! It had no fire, no energy, no nothing!" border="0" alt="What was that honey? It was BAD! It had no fire, no energy, no nothing!" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb27.png" width="644" height="448" /></a> </p>
<p><code>Exchange ActiveSync doesn't have sufficient permissions to create the &quot;CN=Ed Fisher,CN=Users,DC=olympus,DC=home&quot; container under Active Directory user &quot;Active Directory operation failed on zeus.olympus.home. This error is not retriable. Additional information: Access is denied.      <br />Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0       <br />&quot;.       <br />Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type &quot;msExchangeActiveSyncDevices&quot; and doesn't have any deny permissions that block such operations. </code></p>
<p>You see, in order to actually <em>use </em>ActiveSync, configuration information has to be written to Active Directory in your user account object, and if you are a privileged user, sdAdminHolder will spank you with this error. We can fix it, but realise that a process called SDPROP checks for things that mess with accounts flagged with <a href="http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx" target="_blank">sdAdminHolder</a> every hour, and will just set things back, so move <em>quickly.</em></p>
<p>If you want to see whether or not an account is flagged, check the attributes. All privileged accounts will have adminCount set to 1, like so.    <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image30.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="Sir, are you classified as human? Negative, I am a meat popsicle." border="0" alt="Sir, are you classified as human? Negative, I am a meat popsicle." src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb28.png" width="406" height="484" /></a> </p>
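<p>The same check, and the inheritance fix described in the next section, from PowerShell. This is an added example and not part of the original post: it assumes the ActiveDirectory module (RSAT) on a domain-joined machine, an account that can read and write the user object, and the sAMAccountName <code>placeholder.user</code> is a placeholder.</p>

```powershell
# Added example (not from the post): list accounts stamped by the AdminSDHolder
# process (adminCount = 1) and inspect/repair DACL inheritance on one of them.
# Assumes the ActiveDirectory module; 'placeholder.user' is a placeholder name.
Import-Module ActiveDirectory

# Every account SDPROP has flagged. These are the ones that will raise the
# MSExchange ActiveSync Event ID 1053 "Access is denied" error when a device is set up.
Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount |
    Select-Object SamAccountName, DistinguishedName

# For a single account, check whether inheritance is blocked on its DACL.
# $true means the ACEs inherited from the domain (including the ones granted to
# the Exchange Servers group) are not applied, so ActiveSync cannot create the
# msExchangeActiveSyncDevices container under the user object.
$user = Get-ADUser -Identity 'placeholder.user'
$path = 'AD:\' + $user.DistinguishedName
$acl  = Get-Acl -Path $path
'{0}: inheritance blocked = {1}' -f $user.SamAccountName, $acl.AreAccessRulesProtected

# Re-enable inheritance (the equivalent of the ADUC checkbox in the steps below).
# The second argument only matters when protecting, so it is ignored here.
# SDPROP will block inheritance again within the hour, so set up the device right away.
$acl.SetAccessRuleProtection($false, $false)
Set-Acl -Path $path -AclObject $acl
(Get-Acl -Path $path).AreAccessRulesProtected   # expect False until SDPROP runs again
```

<p>The first query is worth keeping around as a recurring audit: an account that appears there but is no longer in any privileged group has been left with adminCount set and inheritance blocked, which is exactly the state that produces the error above.</p>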
<h3>How to get around sdAdminHolder issues</h3>
<p>If you want to get around this, have the client device in hand and ready to set up. Don&#8217;t start this process until you have the device ready to configure, as that SDPROP is going to undo what we are about to do. Quiver ladies, quiver.</p>
<ol>
<li>On your CAS server, launch the Exchange Management Console. </li>
<li>Browse down to Server Configuration and then double-click your CAS server from the server list. </li>
<li>Go to the System Settings tab, and determine which domain controller is being used.      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image31.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb29.png" width="463" height="484" /></a>       </li>
<li>Launch ADUC on that domain controller and find the account. </li>
<li>Right-click the account, and select Properties. </li>
<li>Then go the security tab, and click Advanced.      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image32.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb30.png" width="442" height="523" /></a>       </li>
<li>Check the box to include inheritable permissions blah blah blah&#8230;      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image33.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb31.png" width="643" height="491" /></a>       </li>
<li>Hit OK, then hit OK, and then try to connect with ActiveSync again. </li>
</ol>
<p>If all goes well, you should slip in under the wire before SDPROP can put things back. SDPROP won&#8217;t remove the ActiveSync data, so you will be fine unless you need to make changes or add another device. If that happens, you can just do this again. Since Windows Mobile phones are pretty straight forward to configure (read that as I don&#8217;t have one to play with) you are on your own for setting these up. For those of you who belong to the cult of Apple, see <a href="http://retrohack.com/use-activesync-on-iphone/" target="_blank">this post</a> (coming soon.)</p>
<h3>Securing ActiveSync</h3>
<p>You may want (or the Security team may tell you) to tighten up the settings on ActiveSync. Here is what we can do with that. I prefer to leave things more open so I can support more devices, and let policy and user training mitigate any risks of exposing confidential information. Again, YMMV. Most of these settings will only work on Windows Mobile devices.</p>
<ol>
<li>Log on to the Exchange Management Console, browse down to Organization Configuration, Client Access, and then click the Exchange ActiveSync Mailbox Policies </li>
<li>Double-click the Default Policy to bring up the Properties. Notice the default is to allow non-provisionable devices. This is a good thing for iPod/iPhone/iPad devices.      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image34.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb32.png" width="505" height="484" /></a>       </li>
<li>You can require a password on mobile devices, and choose whether or not to encrypt data stored on the device. Just remember how much fun it is to type complex passwords on those little keyboards!      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image35.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb33.png" width="453" height="505" /></a>       </li>
<li>You can set limits on synching and file sizes.      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image36.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb34.png" width="452" height="505" /></a> </li>
<li>You can restrict what functions the device can use.      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image37.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb35.png" width="453" height="503" /></a> </li>
<li>And you can also configure permitted or denied applications on the last two tabs. </li>
<li>To deal with a lost or stolen device, first browse down to Recipient Configuration, Mailbox.      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image38.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb36.png" width="227" height="319" /></a>       </li>
<li>Highlight the user, then on the Actions Pane, click Manage Mobile Phone.      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image39.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb37.png" width="289" height="331" /></a>       </li>
<li>From this screen, you can either remove a device from a mailbox (leaves the data that is already on the device intact) or lay the smackdown upon it with a remote wipe.      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image40.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb38.png" width="552" height="484" /></a>       <br />Just remember, no device is guaranteed to be completely clean, and unrecoverable, after any kind of data wipe. Don&#8217;t send state secrets, launch codes, or Swiss bank account numbers through email. <em>&lt;♫&gt; The more you know &lt;/♫&gt;</em> </li>
</ol>
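<p>The same policy settings and the lost-device handling from the Exchange Management Shell on Exchange 2010. This is an added example, not code from the original post; the mailbox name <code>placeholder.user</code> is a placeholder, and the policy values are illustrative rather than a recommendation.</p>

```powershell
# Added example (not from the post): the Default ActiveSync mailbox policy
# settings shown in the screenshots above, plus device removal / remote wipe.
# 'placeholder.user' is a placeholder mailbox; the policy values are illustrative.

# Tighten the Default policy: require a device password and on-device encryption.
# AllowNonProvisionableDevices stays $true so devices that cannot enforce every
# policy setting (the iPod/iPhone/iPad case mentioned above) can still sync.
Set-ActiveSyncMailboxPolicy -Identity 'Default' `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $false `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock '00:15:00' `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $true

# Confirm what was applied
Get-ActiveSyncMailboxPolicy -Identity 'Default' |
    Format-List DevicePasswordEnabled, MinDevicePasswordLength, RequireDeviceEncryption, AllowNonProvisionableDevices

# Lost or stolen device: list the partnerships on the mailbox first
$mailbox = 'placeholder.user'
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Format-Table DeviceType, DeviceID, LastSuccessSync, Identity -AutoSize

# Remote wipe. The wipe is queued on the server and runs the next time the device
# syncs, so a device that never reconnects is never wiped; hence the caveat above
# about not trusting a wipe to make lost hardware clean.
$device = (Get-ActiveSyncDeviceStatistics -Mailbox $mailbox | Select-Object -First 1).Identity
Clear-ActiveSyncDevice -Identity $device -Confirm:$false

# Alternatively, drop the partnership and leave data already on the device untouched:
# Remove-ActiveSyncDevice -Identity $device -Confirm:$false
```

<p>Pulling the device list before issuing the wipe matters: <code>Clear-ActiveSyncDevice</code> acts on one partnership identity, and a user who has synced two devices will have two entries.</p>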
<h3>Configuring Outlook Anywhere</h3>
<p>Next up is Outlook Anywhere. The idea with this is, we want to permit our clients with laptops and the full Outlook client to connect to Exchange without first requiring a VPN. Kind of like using a multipass. Since the connection is securely encrypted within an HTTPS connection and authenticated against AD, this does not present a problem to me. For others, the idea of letting ANYTHING on the inside be accessible without a VPN is anathema, so your mileage may vary on getting this approved. But seriously, what is the real difference between an encrypted VPN tunnel and an encrypted HTTPS connection, other than licensing costs? Not much. And this one is really quite easy to do.</p>
<ol>
<li>Launch the Exchange Management Console. </li>
<li>Browse down to Server Configuration and double-click your CAS server. </li>
<li>Click on the Outlook Anywhere tab. </li>
<li>Configure your external DNS name, and what level of authentication you want. Trust me, you want NTLM. If you have SSL accelerator hardware you can allow offloading.      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image41.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb39.png" width="465" height="484" /></a> </li>
</ol>
<p>That is it&#8230;Outlook Anywhere is now supported on the CAS. Next up, our TMG configuration so we can actually use this across teh tubes!</p>
<h3>Publishing ActiveSync and Outlook Anywhere with TMG 2010</h3>
<p>To publish these services through TMG requires two rules. We are going to use our generic https listener that we set up on TMG during <a href="http://retrohack.com/how-to-publish-owa-through-tmg/" target="_blank">this post on publishing Outlook Web Access</a>. If you have multiple public IP addresses and want to set up a dedicated listener, please do so.</p>
<ol>
<li>Log onto your TMG server and launch the TMG Management Console. </li>
<li>Browse down to Firewall Policy. Right-click, New, Exchange Web Client Access Publishing Rule&#8230;      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image42.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb40.png" width="528" height="334" /></a>       </li>
<li>We&#8217;re going to set up ActiveSync first, so give this rule an appropriate name, and then click Next. </li>
<li>Click the drop down list to select Exchange Server 2010, then check the box for Exchange ActiveSync. Don&#8217;t ask me why these are check boxes and not radio buttons&#8230;I don&#8217;t know.      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image43.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="Last time I looked, checkboxes were for when you could select more than one at a time. Dude, WTH?" border="0" alt="Last time I looked, checkboxes were for when you could select more than one at a time. Dude, WTH?" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb41.png" width="511" height="482" /></a>       </li>
<li>Leave the default for a single Web site and click Next. </li>
<li>Leave the default to connect using SSL, and click Next. </li>
<li>Enter only the internal FQDN of your CAS server, and then click Next. </li>
<li>Enter the external FQDN for your ActiveSync clients, and then click Next. </li>
<li>Select your generic https listener, and click Next. </li>
<li>Make sure you select that client may authenticate directly, then click Next.      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image44.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb42.png" width="506" height="478" /></a>       </li>
<li>Leave the User Set for All Users, and click Next. </li>
<li>Click Test Rule. You will see that ActiveSync uses the special URL https://fqdn:443/Microsoft-Server-ActiveSync/. If the test shows green, you are good to go. Green? Super green!      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/RubyRod.jpg"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="Unbelievable!!!" border="0" alt="Unbelievable!!!" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/RubyRod_thumb.jpg" width="244" height="111" /></a>       </li>
<li>Now go back and do it all again, this time naming the rule and choosing the option for Outlook Anywhere.      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image45.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb43.png" width="506" height="477" /></a>&#160; </li>
</ol>
<p>That&#8217;s it. Get on an external network, and test things out. You should now be able to ActiveSync or Outlook Anywhere across teh tubes. Yay! Now dance all night long. <em>All night long&#8230;all night.</em> That, or book a weekend at Fhlostan Paradise. You&#8217;ve earned it. Just in case you missed some of the references I scattered through this post, they&#8217;re from <a href="http://www.imdb.com/title/tt0119116/" target="_blank">The Fifth Element</a>. Here&#8217;s a sampling of the best character from that flick&#8230;DJ Ruby Rhod!</p>
<p>Direct link for RSS and email subscribers&#8230;<a href="http://www.youtube.com/watch?v=m60GdwvUjQw">http://www.youtube.com/watch?v=m60GdwvUjQw</a>&#160;</p>
<p><em>If you found this post useful, please consider </em><a href="http://twitter.com/retrohack"><em>following us on twitter</em></a><em>. You’ll be the first to learn about new posts, and, rarely, we’ll share a comedic or witty tweet. Of course, you can also leave a comment below (anonymous allowed) to let us know we hooked you up.</em></p>



<p>You might also enjoy:</p><ol><li><a href='http://retrohack.com/enable-pop3-imap-exchange-2010/' rel='bookmark' title='Permanent Link: howto://connect clients to exchange-part one'>howto://connect clients to exchange-part one</a></li>
<li><a href='http://retrohack.com/how-to-install-exchange-2010-on-a-single-box-part-two/' rel='bookmark' title='Permanent Link: howto://install Exchange 2010 on a single box-part two'>howto://install Exchange 2010 on a single box-part two</a></li>
<li><a href='http://retrohack.com/how-to-use-tmg-2010-as-the-exchange-edge-transport-server/' rel='bookmark' title='Permanent Link: howto://use TMG 2010 as the Exchange edge transport server'>howto://use TMG 2010 as the Exchange edge transport server</a></li>
</ol>]]></content:encoded>
			<wfw:commentRss>http://retrohack.com/enable-activesync-outlook-anywhere-exchange-2010/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://retrohack.com/enable-activesync-outlook-anywhere-exchange-2010/</feedburner:origLink></item>
		<item>
		<title>howto://connect clients to exchange-part one</title>
		<link>http://feedproxy.google.com/~r/Retrohack/~3/8jOerOfbC-M/</link>
		<comments>http://retrohack.com/enable-pop3-imap-exchange-2010/#comments</comments>
		<pubDate>Mon, 26 Jul 2010 12:30:00 +0000</pubDate>
		<dc:creator>Ed Fisher</dc:creator>
				<category><![CDATA[Infrastructure]]></category>
		<category><![CDATA[exchange]]></category>
		<category><![CDATA[howto]]></category>
		<category><![CDATA[isa & tmg]]></category>

		<guid isPermaLink="false">http://retrohack.com/exchange-2010-support-for-pop3-and-imap/</guid>
		<description><![CDATA[In this post we set up Exchange 2010 to support POP3 and IMAP


You might also enjoy:<ol><li><a href='http://retrohack.com/enable-activesync-outlook-anywhere-exchange-2010/' rel='bookmark' title='Permanent Link: howto://connect clients to exchange-part two'>howto://connect clients to exchange-part two</a></li>
<li><a href='http://retrohack.com/howtoinstall-exchange-2010-on-a-single-box-part-one/' rel='bookmark' title='Permanent Link: howto://install Exchange 2010 on a single box-part one'>howto://install Exchange 2010 on a single box-part one</a></li>
<li><a href='http://retrohack.com/how-to-install-exchange-2010-on-a-single-box-part-two/' rel='bookmark' title='Permanent Link: howto://install Exchange 2010 on a single box-part two'>howto://install Exchange 2010 on a single box-part two</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[<p></p>
<p><a href="http://retrohack.com/tag/exchange/" rel="tag" target="_blank"><img style="border-right-width: 0px; margin: 0px 10px 0px 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" border="0" alt="exchange" align="left" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/05/exchange.jpg" /></a>Before you go there, I am not talking about connecting Outlook to Exchange on the LAN. I&#8217;m talking about those <em>other </em>situations, like the graphics guy using Mac Mail, or the security guy using Thunderbird on Linux,&#160; or someone with a Windows Mobile device, or even you with your iPhone.</p>
<p>In this two part series, we are going to first cover how to securely enable POP3 and IMAP for those clients that can&#8217;t (or won&#8217;t) use Outlook, and in the second half of this series, <a href="http://retrohack.com/enable-activesync-outlook-anywhere-exchange-2010/" target="_blank">howto://connect clients to exchange-part two</a>, we will cover how to use ActiveSync for Windows Mobile, Droid, and iPod Touch/iPhone/iPads, and also how to support remote Outlook connections without a VPN using Outlook Anywhere. If you need to support POP3 and/or IMAP, read on for how to get it done.</p>
<p><span id="more-2274"></span></p>
<p>Exchange 2010 does support POP3 and IMAP out of the box. It also supports the secure versions using TLS and either a self-signed certificate or one that you get from your trusted CA. However, none of this is<em> turned on</em> by default. If you try to connect a client at this point, you will get nothing but fails and RST/ACKs. To enable these services, do this.</p>
<h3>Enabling IMAP and POP3 services</h3>
<ol>
<li>Open a cmd prompt, and run <code>netstat -an | more [enter] </code>If you check listening ports on your CAS server, you will see that it is not listening on POP3, POPS, IMAP, or IMAPS. Of course it is listening on SMTP and SMTPS, which you will need for these clients to send mail.       <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image121.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="netstat -an | more...no 110, 143, 993, or 995." border="0" alt="netstat -an | more...no 110, 143, 993, or 995." src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image12_thumb.png" width="644" height="322" /></a>       </li>
<li>To enable these services, launch services.msc. Find the Microsoft Exchange IMAP4 and Microsoft Exchange POP3 services. There are only the two&#8230;IMAP4 handles cleartext and secure IMAP, and POP3 handles cleartext and secure POP3.      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image24.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb23.png" width="644" height="386" /></a>       </li>
<li>Configure the IMAP4 service to start automatically.      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image61.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image6_thumb.png" width="430" height="484" /></a>       </li>
<li>Then, start it.      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image91.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image9_thumb.png" width="432" height="484" /></a>       </li>
<li>Repeat the same process for the POP3 service. </li>
<li>Now check again with netstat and you will see that you have listeners for 110-POP3, 143-IMAP, 993-IMAPS, and 995-POPS.      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image151.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image15_thumb.png" width="644" height="322" /></a>       </li>
<li>Do your happy dance.      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/theSnoopyDance.gif"><img style="display: inline" title="An actual video of me doing my happy dance." alt="An actual video (low-res) of me doing my happy dance." src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/theSnoopyDance_thumb.gif" width="100" height="120" /></a>       </li>
</ol>
<h3>Restricting access to IMAP and POP3 services</h3>
<p>Strictly speaking, you are done on the server side. Any clients on the internal network should be able to connect. All users will be permitted to connect using POP3 or IMAP4 (and their secure counterparts) by default. If you want to restrict this, you can edit the individual mailboxes and disable specific protocols, like this.    <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image181.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image18_thumb.png" width="530" height="484" /></a></p>
<blockquote><p>Note that disabling IMAP in this way hits both IMAP4 and Secure IMAP. You don&#8217;t do this to disable cleartext&#8230;you handle that as shown below.</p>
</blockquote>
<h3>Securing IMAP and POP3 services with TLS</h3>
<p>As you should be aware, IMAP and POP3 are both cleartext protocols. All data, including authentication, is transmitted in the clear. It would be a shame to implement a strong password policy, aggressive lockout settings, and auditing in AD only to have the first guy with <a href="http://wireshark.org">Wireshark</a> start grabbing everyone&#8217;s domain credentials as they connect to Exchange using cleartext protocols. To prevent that, you want to set both to require TLS.</p>
<ol>
<li>Launch the Exchange Management Console. </li>
<li>Browse down to Server Configuration, Client Access. </li>
<li>Click on the POP3 and IMAP4 tab.      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image211.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image21_thumb.png" width="644" height="434" /></a>       </li>
<li>Right-click on IMAP4, choose properties, and then go to the Authentication tab.      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image241.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image24_thumb.png" width="430" height="484" /></a>       </li>
<li>Select Secure logon, and if necessary, enter the friendly name of the appropriate certificate. </li>
<li>Do the same for the POP3 service.      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image27.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image27_thumb.png" width="432" height="484" /></a>       </li>
<li>Restart both services using services.msc. You must do this for the settings to take effect. </li>
</ol>
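<p>Added example, not code from the original post: the same per-protocol restriction and Secure logon settings made from the Exchange Management Shell instead of the console, followed by the restart and the listener check. The server name CAS01, the certificate name mail.example.com and the mailbox jdoe are placeholders.</p>

```powershell
# Added example (not from the post). Run in the Exchange Management Shell on,
# or with access to, the Client Access server. All names below are placeholders.
$cas      = 'CAS01'             # placeholder: your Client Access server
$certName = 'mail.example.com'  # placeholder: name on the certificate to bind

# Require TLS before any credentials are sent (the "Secure logon" option in the GUI).
# PlainTextLogin would let domain credentials cross the wire unencrypted.
Set-ImapSettings -Server $cas -LoginType SecureLogin -X509CertificateName $certName
Set-PopSettings  -Server $cas -LoginType SecureLogin -X509CertificateName $certName

# The change only takes effect once both services restart.
Restart-Service MSExchangeIMAP4, MSExchangePOP3

# Verify: LoginType should read SecureLogin on both protocols.
Get-ImapSettings -Server $cas | Select-Object Server, LoginType, X509CertificateName
Get-PopSettings  -Server $cas | Select-Object Server, LoginType, X509CertificateName

# Verify the listeners the post checks with netstat:
# 110/143 negotiate TLS with STARTTLS, 993/995 are TLS from the first byte.
netstat -an | Select-String ':110 |:143 |:993 |:995 ' | Select-String 'LISTENING'

# Optional per-mailbox restriction (the mailbox properties dialog in the post).
# As the post notes, ImapEnabled $false turns off both IMAP4 and IMAP over TLS
# for that user; it is not a way to block cleartext, SecureLogin above does that.
Set-CASMailbox -Identity 'jdoe' -ImapEnabled $false -PopEnabled $false   # placeholder user

# Audit which mailboxes still have POP3 or IMAP4 enabled.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
    Select-Object Name, ImapEnabled, PopEnabled
```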
<p>With that, you are done. Internal clients are now able to connect securely to the POP3 and IMAP services, using their domain credentials. MAPI connections from Outlook are still the way to go whenever you have the option, but this should let you support a wider range of clients without compromising security. Of course, this requires that these clients be on the LAN, or connected by VPN. What if you want to permit connections from outside of your network without requiring VPN?</p>
<h3>Connecting from the Internet using TMG</h3>
<p>You might consider requiring a VPN connection before allowing access to POP3 and IMAP. This would reduce the number of open ports on the Internet, at the cost of requiring additional effort on the client side. Since ActiveSync clients will use only https to connect, the number of folks this will impact may not be significant.</p>
<p>Please also keep in mind that if you do publish these through the TMG, you are basically doing port forwarding. TMG cannot do SSL proxying for IMAP/POP3/SMTP, so your external clients (and the bad guys) will all be passing traffic directly to your CAS server. If that is acceptable, here is how to do it.</p>
<ol>
<li>Log on to your TMG server and launch the TMG Management Console. </li>
<li>Browse down to Firewall Policy, right-click it, and click New, Mail Server Publishing Rule&#8230;      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image25.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="Invoke the New Mail Server Publishing Rule wizard." border="0" alt="Invoke the New Mail Server Publishing Rule wizard." src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb24.png" width="540" height="333" /></a>       </li>
<li>Give it a name, and click next. </li>
<li>Since this is for our clients, leave the option for Client access: and click Next.      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image26.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb25.png" width="507" height="409" /></a>       </li>
<li>Since we only want to support the secure services that use SSL/TLS, we&#8217;re only going to select those options here. You may need to enable others for your situation. Then click Next.      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image28.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb26.png" width="515" height="415" /></a>       </li>
<li>Enter the internal IP address of your CAS server, then click Next. </li>
<li>Select the external IP address you wish to use, and click Next. </li>
<li>Click Finish, click Apply, and then enter your documentation. </li>
</ol>
<p>That&#8217;s it. Now you just get the fun of setting up your clients. I don&#8217;t plan to cover any of that here except for getting iPhone/iPod Touch/iPad devices working with ActiveSync. That will be covered in an upcoming post, <a href="http://retrohack.com/use-activesync-on-iphone/" target="_blank">howto://connect your iphone to exchange with activesync</a>. And don&#8217;t forget to check back for part two of this post, <a href="http://retrohack.com/use-activesync-on-iphone/" target="_blank">howto://connect your iphone to exchange with activesync</a>, where we will cover ActiveSync and Outlook Anywhere. Until then, I can hardly throw an animated gif of Snoopy dancing into this post without taking it one step further. This should bring back some childhood memories.</p>
<div style="padding-bottom: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; float: none; padding-top: 0px" id="scid:5737277B-5D6D-4f48-ABFC-DD9C333F4C5D:c395e27f-7265-434e-a428-af89f277ca56" class="wlWriterEditableSmartContent">
<div><object width="425" height="355"><param name="movie" value="http://www.youtube.com/v/rNremK0cBEg&amp;hl=en_US&amp;fs=1?color1=0x3a3a3a&amp;color2=0x999999&amp;border=1&amp;hl=en"></param><embed src="http://www.youtube.com/v/rNremK0cBEg&amp;hl=en_US&amp;fs=1?color1=0x3a3a3a&amp;color2=0x999999&amp;border=1&amp;hl=en" type="application/x-shockwave-flash" width="425" height="355"></embed></object></div>
</div>
<p>Direct link for RSS and email subscribers&#8230;<a href="http://www.youtube.com/watch?v=rNremK0cBEg">http://www.youtube.com/watch?v=rNremK0cBEg</a></p>
<p><em>If you found this post useful, please consider <a href="http://twitter.com/retrohack">following us on twitter</a>. You’ll be the first to learn about new posts, and, rarely, you’ll get to share a comedic or witty tweet. Of course, you can also leave a comment below (anonymous allowed) to let us know we hooked you up.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://retrohack.com/enable-pop3-imap-exchange-2010/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://retrohack.com/enable-pop3-imap-exchange-2010/</feedburner:origLink></item>
		<item>
		<title>howto://upload large files to sharepoint 2010</title>
		<link>http://feedproxy.google.com/~r/Retrohack/~3/l1bLY80Le2Q/</link>
		<comments>http://retrohack.com/sharepoint-2010-upload-large-files/#comments</comments>
		<pubDate>Fri, 23 Jul 2010 12:30:00 +0000</pubDate>
		<dc:creator>Ed Fisher</dc:creator>
				<category><![CDATA[Infrastructure]]></category>
		<category><![CDATA[howto]]></category>
		<category><![CDATA[sharepoint]]></category>

		<guid isPermaLink="false">http://retrohack.com/how-to-upload-large-files-to-sharepoint-2010/</guid>
		<description><![CDATA[You've installed SharePoint, added the BLOB service, and think everything is shiny...only to get spanked with a 404 when you try to upload larger files...here is what you are missing.


You might also enjoy:<ol><li><a href='http://retrohack.com/how-to-install-sharepoint-2010/' rel='bookmark' title='Permanent Link: howto://install SharePoint 2010'>howto://install SharePoint 2010</a></li>
<li><a href='http://retrohack.com/how-to-install-exchange-2010-on-a-single-box-part-two/' rel='bookmark' title='Permanent Link: howto://install Exchange 2010 on a single box-part two'>howto://install Exchange 2010 on a single box-part two</a></li>
<li><a href='http://retrohack.com/howtopublish-dns-using-tmg-2010-or-isa-2006/' rel='bookmark' title='Permanent Link: howto://publish DNS using TMG 2010 or ISA 2006'>howto://publish DNS using TMG 2010 or ISA 2006</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[<p></p>
<p><a href="http://retrohack.com/tag/sharepoint/" rel="tag"><img style="border-bottom: 0px; border-left: 0px; margin: 0px 10px 0px 0px; display: inline; border-top: 0px; border-right: 0px" title="sharepoint" border="0" alt="sharepoint" align="left" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/sharepoint1.jpg" width="80" height="91" /></a> </p>
<p>In today’s post we’re going to help you get past the generic 404 errors that SharePoint 2010 throws your way when you go to upload large files. If you are in the right place for this post, you&#8217;ve installed SharePoint, added the BLOB service, and everything should be shiny. You can upload small files without issue, and they do go into the BLOB store. But when you try to upload, say, a 100MB video, you get spanked with a 404 that tells you practically nothing of actual value.</p>
<p>If you are not ‘there yet’ and are just reading ahead, check out this post on <a href="http://retrohack.com/how-to-install-sharepoint-2010/" target="_blank">installing SharePoint 2010</a>. Then, since BLOB storage is a much more efficient way to store Binary Large OBjects, check out Rob Garrett’s blog on <a href="http://blog.robgarrett.com/2010/01/17/configuring-rbs-for-sp2010/" target="_blank">Installing the Remote Blob Storage for SharePoint 2010 and SQL 2008 R2</a>. You’re halfway there now…</p>
<p> <span id="more-2246"></span>
</p>
<p>What doesn’t seem obvious (a little pop up or dialog in the RBS wizard would have been nice!) is that there is more yet to do. The BLOB store (okay, it should be referred to as the RBS service, but I lurve saying BLOB in a technical context almost as much as I like to talk about thunking) is ready to receive and store large files, but there are two more places you have to configure things or you will run into that generic 404 error.</p>
<p>If you check your IIS logs, you will see that the generic 404 is actually a 404.13 (side note to IE9 team&#8230;add an option to display full response codes in the browser puh-leez!) which should be reported as a 413 Request Entity Too Large. In other words, you are trying to upload a file larger than the maximum that can be accepted. To actually permit larger uploads, we have to set a value in IIS and a value in SharePoint.</p>
<h3>IIS7</h3>
<ol>
<li>Browse to c:\inetpub\wwwroot\wss\virtualdirectories\yoursite (or wherever you store your content) and open the web.config in your favourite text editor. </li>
<li>Scroll down to the very bottom, put your cursor in front of &lt;/configuration&gt; and hit enter to create a new line. </li>
<li>Up arrow once to get onto that blank line, and paste this in right above the &lt;/configuration&gt;      <br /><code>&lt;system.webServer&gt;        <br />&#160;&#160;&#160;&#160;&#160; &lt;security&gt;         <br />&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; &lt;requestFiltering&gt;         <br />&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; &lt;requestLimits maxAllowedContentLength=&quot;2146435072&quot;/&gt;         <br />&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; &lt;/requestFiltering&gt;         <br />&#160;&#160;&#160;&#160;&#160; &lt;/security&gt;         <br />&lt;/system.webServer&gt;</code> </li>
<li>Save the file. </li>
<li>Open an administrative command prompt, and execute      <br /><code>iisreset [enter]</code> </li>
</ol>
<blockquote><p>The value we set for maxAllowedContentLength, 2,146,435,072, is the number of bytes in 2047MB…the maximum value we can set in SharePoint. If you wish to set a smaller limit, of course you should. Just make sure that whatever you set, you match in the SharePoint configuration…which is next.</p>
</blockquote>
<h3>SharePoint 2010</h3>
<ol>
<li>Open SharePoint 2010 Central Administration. </li>
<li>Click Manage web applications under Application Management.      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image21.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="SharePoint CA Manage web applications" border="0" alt="SharePoint CA Manage web applications" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb20.png" width="397" height="155" /></a> </li>
<li>Select your site, and click general settings.      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image22.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="General Settings" border="0" alt="General Settings" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb21.png" width="397" height="240" /></a> </li>
<li>Scroll down to the bottom of the Web Application General Settings, and enter 2047* in the Maximum Upload Size.      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image23.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="Not 2048, 2047...ponder the reason and go mad." border="0" alt="Not 2048, 2047...ponder the reason and go mad." src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb22.png" width="394" height="132" /></a> </li>
<li>Click OK, and for good measure, do another iisreset. That may not be necessary but I found it to be a good habit that has stuck with me. </li>
</ol>
<blockquote><p>*Again, you can always choose a smaller maximum size…just match what you have here (in MB) to what you put into web.config (in B.)</p>
</blockquote>
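<p>Added example, not code from the original post: both limits set from PowerShell instead of by hand, with a check that the IIS value in bytes and the SharePoint value in MB actually describe the same size, since a mismatch between the two is what leaves you with the 404.13. The web application URL, the IIS site name and the use of the SharePoint 2010 Management Shell on Server 2008 R2 are assumptions.</p>

```powershell
# Added example (not from the post). Run as administrator in the SharePoint 2010
# Management Shell, which loads the SharePoint cmdlets; WebAdministration supplies
# the IIS ones. URL and site name are placeholders for your farm.
Import-Module WebAdministration

$webAppUrl = 'http://sharepoint.example.com'   # placeholder: web application URL
$siteName  = 'SharePoint - 80'                 # placeholder: IIS site name
$limitMB   = 2047                              # the maximum SharePoint accepts (MB)

# One size, two units: SharePoint takes MB, IIS takes bytes.
$limitBytes = $limitMB * 1MB                   # 2047 * 1048576 = 2146435072

$filter = 'system.webServer/security/requestFiltering/requestLimits'

# IIS: the requestLimits element the post pastes into web.config, written by the cmdlet.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" -Filter $filter `
    -Name 'maxAllowedContentLength' -Value $limitBytes

# SharePoint: the Maximum Upload Size field under Web Application General Settings.
$webApp = Get-SPWebApplication $webAppUrl
$webApp.MaximumFileSize = $limitMB
$webApp.Update()

# Same restart the post does after each change.
iisreset

# Consistency check: read both values back and compare them in bytes.
$iisBytes = (Get-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
    -Filter $filter -Name 'maxAllowedContentLength').Value
$spMB = (Get-SPWebApplication $webAppUrl).MaximumFileSize

if ($iisBytes -ne ($spMB * 1MB)) {
    Write-Warning "IIS allows $iisBytes bytes but SharePoint allows $spMB MB; uploads between the two limits will fail with 404.13."
} else {
    Write-Host "IIS and SharePoint agree: $spMB MB ($iisBytes bytes)."
}
```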
<p>After that you should be double rainbows all the way. What are double rainbows you ask? If Joss Whedon is your master, if you are a Browncoat, or a fan of <a href="http://abc.go.com/shows/castle?cid=showsitelinks_search" target="_blank">ABC’s Castle</a>, then you probably want to follow <a href="http://twitter.com/nathanfillion" target="_blank">@nathanfillion</a> on Twitter. He is the only ‘celebrity’ I follow, mostly because he is just as funny in real life as he is on television. Tell him <a href="http://twitter.com/retrohack" target="_blank">@retrohack</a> sent you.</p>
<div style="padding-bottom: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; float: none; padding-top: 0px" id="scid:5737277B-5D6D-4f48-ABFC-DD9C333F4C5D:24185b4f-64b5-4085-accc-8f243019d3a3" class="wlWriterSmartContent">
<div><embed height="355" type="application/x-shockwave-flash" width="425" src="http://www.youtube.com/v/sEpxa6EXrOw&amp;hl=en_US&amp;fs=1?color1=0x3a3a3a&amp;color2=0x999999&amp;hl=en" /> </div>
</div>
<p>Direct link for RSS and email subscribers…<a href="http://www.youtube.com/watch?v=sEpxa6EXrOw">http://www.youtube.com/watch?v=sEpxa6EXrOw</a></p>
<p><em>And speaking of teh twitterz…if you found this post useful, please consider <a href="http://twitter.com/retrohack" target="_blank">following us on twitter too</a>. You’ll be the first to learn about new posts, and, rarely we’ll share a comedic or witty tweet. Of course, you can also leave a comment below (anonymous allowed) to let us know we hooked you up.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://retrohack.com/sharepoint-2010-upload-large-files/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://retrohack.com/sharepoint-2010-upload-large-files/</feedburner:origLink></item>
		<item>
		<title>Analysing TMG2010 for fun and profit</title>
		<link>http://feedproxy.google.com/~r/Retrohack/~3/BcntYFvrMMM/</link>
		<comments>http://retrohack.com/tmg-2010-best-practices-analyzer/#comments</comments>
		<pubDate>Wed, 21 Jul 2010 12:30:00 +0000</pubDate>
		<dc:creator>Ed Fisher</dc:creator>
				<category><![CDATA[Infrastructure]]></category>
		<category><![CDATA[isa & tmg]]></category>
		<category><![CDATA[windows]]></category>

		<guid isPermaLink="false">http://retrohack.com/tmg2010-best-practices-analyzer/</guid>
		<description><![CDATA[Microsoft releases some pretty cool tools from time to time...the challenge is finding them. This post will go over the Microsoft Forefront Threat Management Gateway 2010 Best Practices Analyzer, or TMGBPA for short.


You might also enjoy:<ol><li><a href='http://retrohack.com/howtoinstalling-microsoft-forefront-tmg-2010-part-one/' rel='bookmark' title='Permanent Link: howto://Installing Microsoft Forefront TMG 2010, part one'>howto://Installing Microsoft Forefront TMG 2010, part one</a></li>
<li><a href='http://retrohack.com/how-to-document-active-directory-infrastructure/' rel='bookmark' title='Permanent Link: howto://document Active Directory-infrastructure'>howto://document Active Directory-infrastructure</a></li>
<li><a href='http://retrohack.com/initial-isa-configuration/' rel='bookmark' title='Permanent Link: Initial ISA Configuration'>Initial ISA Configuration</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[<p></p>
<p><img style="margin: 0px 10px 0px 0px; display: inline" alt="isa-tmg" align="left" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/05/isatmg.png" /></p>
<p>It was late in the Spring of 2010. I was working my way across the tubes as the chief technologist on an archaeological dig whose goal was simple; exploration and exploitation of binary resources. We were to venture deep into the heart of the world wide web, seeking fame, fortune, treasure, and the odd little application. Way down in the uncharted wilds of microsoft.com, where few have ever dared to venture, while wearing a 1920&#8242;s era vintage safari jacket in olive green 500 thread count Egyptian cotton I discovered in a British supply depot in Burma (available in S,M,L, and XL for $425,) and a faithful reproduction pith helmet in silk-wrapped Kevlar made specifically for me by a group of Benedictine monks on an island monastery in the Mediterranean sea (unisex, one size fits all for $175,) I discovered what has proven to be one of the most useful applications ever for Microsoft Forefront TMG 2010 admins and consultants.</p>
<p>The Microsoft Forefront Threat Management Gateway 2010 Best Practices Analyzer, or TMGBPA to its friends, is a tool that can perform health checks, diagnostics, and even create Visio diagrams from your TMG 2010 servers. It looks at installation, licensing, alerts, logs, rules, and the overall health of the underlying operating system, and is something no TMG consultant should be without.</p>
<p> <span id="more-2076"></span></p>
<p>You will want to install the TMGBPA on each of your TMG servers, as well as your workstation with Visio installed (unless of course you don&#8217;t want the diagrams, or you&#8217;re willing to install Visio on your server.)</p>
<blockquote><p>&lt;rant&gt; That you cannot remotely assess a TMG server from a workstation that is part of the Remote Management Computers group seems a little lame&#8230;but then again, this is a free app. Maybe that will be a feature in the pay version.&lt;/rant&gt;</p>
</blockquote>
<h3>The install</h3>
<p>So once you know what machine you want to evaluate first, you&#8217;re ready to proceed.</p>
<ol>
<li>Download the <a href="http://www.microsoft.com/downloads/details.aspx?displaylang=en&amp;FamilyID=8aa01cb0-da96-46d9-a50a-b245e47e6b8b" target="_blank">Microsoft Forefront Threat Management Gateway Best Practices Analyzer Tool</a> and then launch the install.       </li>
<li>Like most things Microsoft, this one installs with a wizard. Click Next.      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb.png" width="424" height="333" /></a>       </li>
<li>Then accept the license and click next.      </li>
<li>I recommend that you have the TMGBPA check for updates each time you launch it. Choose, and then click Next.      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image1.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb1.png" width="424" height="334" /></a>       </li>
<li>Decide whether or not to reveal all that you do to Microsoft, then click Next, and then click Install.      </li>
<li>When the product finishes, the option to launch it is already selected. Click Finish.      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image2.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb2.png" width="424" height="331" /></a> </li>
</ol>
<h3>Running a report</h3>
<ol>
<li>When the TMGBPA first launches (assuming you took my advice) it will check for updates.      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image3.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb3.png" width="574" height="242" /></a>       <br />If it cannot, check your rules to make sure your TMG server itself can surf the web&#8230;you may have forgotten that part.      </li>
<li>We then get to choose whether we want to perform a new scan, or review an existing one. Since this is probably our first time running this, click Select options&#8230;<a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image4.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb4.png" width="574" height="149" /></a>       </li>
<li>Give the scan a title, select a domain controller (preferably in the same site as the TMG server,) and choose either a health check, or to run all tasks. We&#8217;re going to do all tasks for this post.<a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image5.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb5.png" width="574" height="177" /></a>       </li>
<li>This may take a while&#8230;go get some coffee. <a href="http://retrohack.com/mmmm-coffee/" target="_blank"><em>Mmmm&#8230;coffee</em></a><em>&#160; </em>      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image6.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb6.png" width="574" height="296" /></a>&#160; </li>
<li>Once done, you have a shiny reporting interface you can use to browse the reports. </li>
</ol>
<h3>Reviewing the report</h3>
<p>Here&#8217;s a look at a report run against a server with some issues&#8230;specifically set up to show them to you. The first view is the List Reports, and we can see a list of our critical issues and our warnings.    <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image7.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb7.png" width="644" height="458" /></a> </p>
<p>Yikes! It looks like we have two critical issues, and a handful of alerts. Each can be expanded to show the details of the issue, and a link to the CHM file that provides more information about the problem.</p>
<p>Here is a close up on another server&#8217;s warning item.    <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image8.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="Forefront Client Security is installed on Forefront, and that is bad. Wait...whut?" border="0" alt="Forefront Client Security is installed on Forefront, and that is bad. Wait...whut?" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb8.png" width="644" height="186" /></a> </p>
<blockquote><p>&lt;rant&gt; One thing that really ticks me off in this report is the warning that Forefront Client Security is installed on the server&#8230;.whut? That feels like I went to the Ford dealership to buy a new air filter, put it in my Focus, and then later the Ford mechanic told me I shouldn&#8217;t have put a Ford filter into my Ford. Since TMG&#8217;s anti-malware only protects by scanning files downloaded through the TMG, I don&#8217;t know any enterprise that is going to let you run a server without antivirus software. Hmmm, Forefront Client Security on a Forefront server&#8230;seems kinda natural sounding to me. What do the TMG folks know that the FCS folks aren&#8217;t telling? &lt;/rant&gt;</p>
</blockquote>
<p>If you select the radio button for Tree Reports, you get the following view, and you can expand or contract topics as necessary. Red Xs show where critical items are, yellow !s show where warnings are.</p>
<p><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image9.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb9.png" width="644" height="487" /></a>&#160; <br />The &quot;Other Reports&quot; button just shows the log generated as the report was run. If you hit errors running the reports, presumably you can debug those there. So far, the TMGBPA has run for me without any errors each time I have used it, or a client has used it to provide me with data. And speaking of&#8230;</p>
<h3>How to export to xml</h3>
<p>The Export report function lets you dump the report to an XML file. Copy that file to another machine (like your workstation with TMGBPA and Visio installed) and you can Select a Best Practices scan to view, browse to the XML file you copied over, and go to town. All you have to do is click Export report, choose where to save it, and if you wish, give it a name.</p>
<h3>Creating Visio diagrams</h3>
<p>To use the BPA2Visio tool, you have to have both Visio and the TMGBPA installed on the computer. This usually means installing the TMGBPA on your workstation, exporting a report from the TMG server as we just showed above, copying the XML file over to your workstation, and then choosing to load an existing report to build the diagram. Here is the rundown in four easy steps.</p>
<ol>
<li>Click Start BPA2Visio Tool.      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image10.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb10.png" width="424" height="256" /></a>       </li>
<li>Click Load an existing report and browse to the XML file you exported from the TMG server.      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image11.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb11.png" width="424" height="321" /></a>       </li>
<li>Watch Visio launch and then act as if it is possessed.      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image12.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb12.png" width="424" height="314" /></a>       </li>
<li>Profit&#8230;<em>or at least bill by the hour</em> </li>
</ol>
<p>The Visio is created with two tabs, the network diagram (shown above) and another tab summarising the errors and warnings from the BPA analysis. You can manipulate this Visio just like any other to suit your needs, or those of your clients. Save them as documentation, embed the image into a report&#8230;you get the point. Have at it.<em>&#160;</em></p>
<p>Some of you may have no idea what I was doing in the intro to this post&#8230;others who share my particular brand of insanity might have recognised an homage to John O&#8217;Hurley and the best character to ever come out of Seinfeld. Based on the <a href="http://www.jpeterman.com/" target="_blank">actual clothier</a>, J. Peterman is the one Seinfeld character I wish would come back in some format on practically any show. Best J. Peterman quote ever? <em>My mind is as barren as the surface of the moon. </em>It&#8217;s much funnier in his voice.</p>
<div style="padding-bottom: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; float: none; padding-top: 0px" id="scid:5737277B-5D6D-4f48-ABFC-DD9C333F4C5D:231439e4-bc0f-42b0-9b38-b82b41d11991" class="wlWriterEditableSmartContent">
<div><object width="425" height="355"><param name="movie" value="http://www.youtube.com/v/2R9kYeJ-DaI&amp;hl=en_US&amp;fs=1&amp;&amp;hl=en"></param><embed src="http://www.youtube.com/v/2R9kYeJ-DaI&amp;hl=en_US&amp;fs=1&amp;&amp;hl=en" type="application/x-shockwave-flash" width="425" height="355"></embed></object></div>
</div>
<p>Direct link for RSS and email subscribers&#8230;<a href="http://www.youtube.com/watch?v=2R9kYeJ-DaI">http://www.youtube.com/watch?v=2R9kYeJ-DaI</a></p>
<p>Oh, and John O&#8217;Hurley was totally robbed on Dancing with the Stars! I only started watching that show because of him, and stopped right after that obviously fixed competition.</p>



<p>You might also enjoy:<ol><li><a href='http://retrohack.com/howtoinstalling-microsoft-forefront-tmg-2010-part-one/' rel='bookmark' title='Permanent Link: howto://Installing Microsoft Forefront TMG 2010, part one'>howto://Installing Microsoft Forefront TMG 2010, part one</a></li>
<li><a href='http://retrohack.com/how-to-document-active-directory-infrastructure/' rel='bookmark' title='Permanent Link: howto://document Active Directory-infrastructure'>howto://document Active Directory-infrastructure</a></li>
<li><a href='http://retrohack.com/initial-isa-configuration/' rel='bookmark' title='Permanent Link: Initial ISA Configuration'>Initial ISA Configuration</a></li>
</ol></p><img src="http://feeds.feedburner.com/~r/Retrohack/~4/BcntYFvrMMM" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://retrohack.com/tmg-2010-best-practices-analyzer/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://retrohack.com/tmg-2010-best-practices-analyzer/</feedburner:origLink></item>
		<item>
		<title>Every time you don’t bcc, Domo kills a kitten</title>
		<link>http://feedproxy.google.com/~r/Retrohack/~3/_qcxmZK6l5A/</link>
		<comments>http://retrohack.com/email-etiquette-101/#comments</comments>
		<pubDate>Mon, 19 Jul 2010 12:30:00 +0000</pubDate>
		<dc:creator>Ed Fisher</dc:creator>
				<category><![CDATA[Whatever]]></category>
		<category><![CDATA[rants]]></category>

		<guid isPermaLink="false">http://retrohack.com/every-time-you-cc-instead-of-bcc-domo-kills-a-kitten/</guid>
		<description><![CDATA[It's called BCC...use it bizzitch.


No related posts.]]></description>
			<content:encoded><![CDATA[<p></p>
<p><a href="http://retrohack.com/tag/rants/" rel="tag"><img style="border-bottom: 0px; border-left: 0px; margin: 0px 10px 0px 0px; display: inline; border-top: 0px; border-right: 0px" border="0" alt="rants" align="left" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/05/rants.jpg" /></a></p>
<p>Dear friend/relative/former or current cow-orker/complete stranger who has my email addr,</p>
<p>I&#8217;d like to thank you for taking the time to send/forward me the recent email regarding the joke/big scare/email tracking giveaway/financial insight/rant on the political party you oppose/health advice/rumour. I&#8217;d like to thank you, but instead I find myself compelled to beat you with a scsi cable. However, since I oppose Internet violence (I&#8217;ll be forwarding you an email about this movement shortly) let me instead try, once again, to explain to you the error of your ways.</p>
<p><span id="more-1996"></span></p>
<p>It&#8217;s not that I object to the content you sent (though, truth be told, it wasn&#8217;t funny/it&#8217;s not real/Walt Disney had no son and Bill Gates couldn&#8217;t care less about my email/that company is already bankrupt, and I have no money to invest anyway/I actually support the other side of the argument/I&#8217;m the wrong gender for that and-or am perfectly content with my dimensions/did you consider checking that on <a href="http://snopes.com" target="_blank">Snopes</a> first?) but did you really have to CC me along with another 2^6 other folks with whom I share <strong>nothing in common other than the misfortune to be in your address book????</strong></p>
<p>Seriously, dude, it&#8217;s called BCC, for <strong>BLIND CARBON COPY.</strong> Use it, bizzitch. You see, every time you CC me on some piece of what would otherwise be innocuous drivel, along with dozens of folks I have never and will never meet, I see a sharp uptick in the amount of SPAM, crap, and other shit hitting my inbox. It&#8217;s about as direct a correlation as finding the pavement wet after a rainstorm. It&#8217;s not that I don&#8217;t want to receive this crap (I don&#8217;t, but I feel bad telling you this, so I keep silent while writing this completely passive-aggressive blog post), but could you <strong>puh-leeez</strong> use the BCC option from now on? This way, you can continue to clog the tubes with the binary equivalent of the Home Shopping Channel, TMZ, and Spike TV, without spewing your (at risk of becoming ex-) friends&#8217; email addresses all over the planet. Haven&#8217;t you noticed that for half the crap you forward to me you have to scroll down for five minutes through all the other addresses already embedded before you get to the actual message?</p>
<p>Dude, that&#8217;s just wrong. Stop it. Stop it now. Because if you don&#8217;t, you need to know something. The lives of hundreds of innocent feline Americans rest in your hands. You see, Domo is responsible for screening my mail now, and man is he pissed. Seems you are on a mission to spread the gospel at every opportunity. So he has promised that starting today, every time you don&#8217;t use bcc, he&#8217;s going to off a kitten. No mercy, no remorse.</p>
<p><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/DomoKillsaKitten.jpg"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="My gods man, think of teh kittehs" border="0" alt="My gods man, think of teh kittehs" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/DomoKillsaKitten_thumb.jpg" width="663" height="509" /></a></p>
<h4>My gods man, think of teh kittehs </h4>
<p>&#160;</p>
<p>Do you really want that resting on your conscience? I don&#8217;t think so. So now perhaps you will think twice before hitting send&#8230;bah, who the hell am I kidding? In the time it took to write this post, you&#8217;ve already forwarded three emails about Sarah Palin, one about a vacation giveaway, and two more off-colour jokes. Grrrr&#8230;.</p>
<p>Oh, and speaking of <a href="http://snopes.com" target="_blank">Snopes</a>, check their site before you forward the next email. Stop spreading those rumours around, Stop spreading those lies. I really love how cheesy 80&#8242;s music videos are.</p>
<div style="padding-bottom: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; float: none; padding-top: 0px" id="scid:5737277B-5D6D-4f48-ABFC-DD9C333F4C5D:9c7a3380-109d-420e-88d4-7f8ba6cfaabc" class="wlWriterEditableSmartContent">
<div><object width="425" height="355"><param name="movie" value="http://www.youtube.com/v/u_eB36YTkBk&amp;hl=en_US&amp;fs=1&amp;border=1&amp;hl=en"></param><embed src="http://www.youtube.com/v/u_eB36YTkBk&amp;hl=en_US&amp;fs=1&amp;border=1&amp;hl=en" type="application/x-shockwave-flash" width="425" height="355"></embed></object></div>
</div>
<p>Direct link for RSS and email subscribers&#8230;.<a href="http://www.youtube.com/watch?v=u_eB36YTkBk&amp;feature=related">http://www.youtube.com/watch?v=u_eB36YTkBk&amp;feature=related</a></p>



<p>No related posts.</p><img src="http://feeds.feedburner.com/~r/Retrohack/~4/_qcxmZK6l5A" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://retrohack.com/email-etiquette-101/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://retrohack.com/email-etiquette-101/</feedburner:origLink></item>
		<item>
		<title>howto://troubleshoot networks with tcping</title>
		<link>http://feedproxy.google.com/~r/Retrohack/~3/gHp3Ja8Go_s/</link>
		<comments>http://retrohack.com/how-to-troubleshoot-networks-with-tcping/#comments</comments>
		<pubDate>Fri, 16 Jul 2010 12:30:00 +0000</pubDate>
		<dc:creator>Ed Fisher</dc:creator>
				<category><![CDATA[Infrastructure]]></category>
		<category><![CDATA[cli]]></category>
		<category><![CDATA[howto]]></category>
		<category><![CDATA[networking]]></category>

		<guid isPermaLink="false">http://retrohack.com/how-to-troubleshoot-tcp-network-issues-with-tcping/</guid>
		<description><![CDATA[A great tool for troubleshooting TCP based connectivity is TCPING.EXE, by Eli Fulkerson. This post goes over how TCP works, and how to use this tool to troubleshoot networks.


You might also enjoy:<ol><li><a href='http://retrohack.com/how-to-troubleshoot-networks-with-ping/' rel='bookmark' title='Permanent Link: howto://troubleshoot networks with ping'>howto://troubleshoot networks with ping</a></li>
<li><a href='http://retrohack.com/how-to-macgyver-netstat-into-a-sniffer-part-two/' rel='bookmark' title='Permanent Link: howto://macgyver netstat into a sniffer-part two'>howto://macgyver netstat into a sniffer-part two</a></li>
<li><a href='http://retrohack.com/howto-troubleshoot-microsoft-vpn-connections-part-two/' rel='bookmark' title='Permanent Link: howto://troubleshoot microsoft vpn connections part two-client side issues'>howto://troubleshoot microsoft vpn connections part two-client side issues</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[<p></p>
<p><a href="http://retrohack.com/tag/cli/" rel="tag" target="_blank"><img style="margin: 0px 10px 0px 0px; display: inline" alt="cli" align="left" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/05/cli.png" /></a>Welcome to the second in our series on network troubleshooting. In part one we covered <a href="http://retrohack.com/how-to-troubleshoot-networks-with-ping/">how to use ICMP PING to perform basic network troubleshooting</a>. In this part, we&#8217;re going to see how to troubleshoot at layer four with a tool called <a href="http://www.elifulkerson.com/projects/tcping.php" target="_blank">tcping</a>. This program, written by <a href="http://www.elifulkerson.com" target="_blank">Eli Fulkerson</a>, does at layer four with TCP what ping does at layer three with ICMP.</p>
<p>If you would like to use it, <a href="http://www.elifulkerson.com/projects/tcping.php" target="_blank">download tcping from here</a>. You can save the exe to your system32 directory, or your homedir if you have one, which will make it available to you no matter what system you are logged onto. It is a self-contained binary so you don&#8217;t need anything else, and it will work on 2000/2003/2008/XP/7 equally well. Read on to see how to use this little gem.</p>
<p><span id="more-2093"></span></p>
<h3>Level 100-A review of TCP</h3>
<p><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/tcp3wayhandshake.jpg"><img style="border-right-width: 0px; margin: 0px 10px 0px 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="" border="0" alt="" align="left" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/tcp3wayhandshake_thumb.jpg" width="273" height="185" /></a>To really understand how tcping can help you troubleshoot, you need to know something of how TCP works. The Transmission Control Protocol is a transport layer (layer four) protocol that provides reliable service. It establishes and maintains sessions, ensures delivery of data using acknowledgements, and can retransmit data if necessary. Almost all of the data transported on IP networks uses TCP. Before data can start moving, TCP needs to establish a session, using something called a three-way handshake between client and server. The handshake creates the session between client port and server port, establishes the parameters for sequence numbers, and sets the amount of data that can be transferred before an acknowledgment is required. It looks like the diagram to the left, but this video might help make the concept a little clearer.</p>
<div style="padding-bottom: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; float: none; padding-top: 0px" id="scid:5737277B-5D6D-4f48-ABFC-DD9C333F4C5D:74a876d4-85c0-4c1b-a2cf-7d65d97f2f69" class="wlWriterEditableSmartContent">
<div><object width="425" height="355"><param name="movie" value="http://www.youtube.com/v/z40w3G8szK0&amp;hl=en_US&amp;fs=1?color1=0x3a3a3a&amp;color2=0x999999&amp;hl=en"></param><embed src="http://www.youtube.com/v/z40w3G8szK0&amp;hl=en_US&amp;fs=1?color1=0x3a3a3a&amp;color2=0x999999&amp;hl=en" type="application/x-shockwave-flash" width="425" height="355"></embed></object></div>
</div>
<p>Direct link for RSS and email subscribers&#8230;<a href="http://www.youtube.com/watch?v=z40w3G8szK0">http://www.youtube.com/watch?v=z40w3G8szK0</a></p>
<p>At the end of a session, the client and server both close out with a FIN-ACK/ACK exchange. This is not shown above, but the FIN-ACK lets both client and server release any resources allocated to the session (like buffer space in memory) and allows them to reuse ports for other conversations. Eventually, timers would expire and release those resources anyway, but the FIN-ACK is the polite way to gracefully end the session.</p>
<h3>Level 200-TCPING basics </h3>
<p>Many of you have probably used telnet to connect to the ip.addr and port for a service to see if you can make the connection. While this does much the same thing as tcping does, it takes longer, leaves you needing to either wait for a timeout or CTRL-BREAK the connection, and does not gracefully end the session on the server side. It also cannot test ports continuously like tcping can. If you have already downloaded the binary and placed it in your path, open a cmd-prompt and enter</p>
<p><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image15.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb15.png" width="644" height="375" /></a></p>
<p>So this tells us that the syntax for tcping is full of optional switches, and that by default, we target port 80. So the command</p>
<p><code>tcping 192.168.100.2 [enter]</code></p>
<p>will probe 192.168.100.2 on tcp port 80. That looks like this</p>
<p><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image16.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb16.png" width="538" height="204" /></a></p>
<p>The replies tell us that the server at 192.168.100.2 is up, a service is listening on port 80, and it responds to us on average in 17.472ms. Look at this snip of a <a href="http://www.wireshark.org/">Wireshark</a> trace.</p>
<p><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image13.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb13.png" width="644" height="62" /></a></p>
<p>See what happens? We complete our three-way handshake, and then we politely tell the server that we&#8217;re done by sending a FIN-ACK. Since we didn&#8217;t request any actual data over the session, the server responds with a RST-ACK instead of its own FIN-ACK, but that actually saves us both another ACK. This is much better than telnetting to the port because it checks repeatedly, gives us response time, and gracefully ends the connection each time.</p>
<p>So what does it look like if we try to connect to a port that is <strong>not</strong> listening? Here we will specify port 81, which is not normally used by any Windows service.</p>
<p><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image17.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb17.png" width="622" height="191" /></a></p>
<p>We get a connection refused response. On the wire, the server is receiving our SYN packet, and replying that, while it is up and running and received our request, it is not running any service on TCP port 81 and would kindly appreciate it if we would sod off. In networking, that is called a RST-ACK. Here&#8217;s what it looks like in a Wireshark snip.</p>
<p><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image14.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb14.png" width="644" height="31" /></a></p>
<p>To see if RDP is running on a server, do this&#8230;    <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/clip_image002.gif"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="clip_image002" border="0" alt="clip_image002" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/clip_image002_thumb.gif" width="644" height="250" /></a>&#160; <br />You can try any other server/port combination you want, and you can use the name or the ip.addr.</p>
<p>If you try to connect to a service on a system that is down, or firewalled and configured to drop (not block), it looks like this. <a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/clip_image005.gif"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="clip_image005" border="0" alt="clip_image005" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/clip_image005_thumb.gif" width="644" height="217" /></a></p>
<p>Tcping waits 20 seconds before giving up on each SYN sent.</p>
<h3>Level 300-Advanced TCPINGing</h3>
<p>But wait, there&#8217;s more. Let&#8217;s look at a couple of the other switches supported with tcping. Much like the <a href="http://retrohack.com/how-to-troubleshoot-networks-with-ping/" target="_blank">ping command</a>, tcping tries four connections by default, but we can specify another number of attempts or run a continuous tcping with the same switches. Currently though, we can&#8217;t get total statistics from either a ctrl-c or a ctrl-break.</p>
<p><strong>tcping -n 30</strong> will connect 30 times. This will give you summary stats.</p>
<p><strong>tcping -t</strong> will connect continuously until interrupted by ctrl-c. No summary stats.</p>
<p>By default, tcping starts its next connection one second after the previous attempt or as soon as it receives a response, whichever is later, with a maximum of 20 seconds between attempts. We can specify another interval with the <strong>-i</strong> switch.</p>
<p><strong>tcping -i 60</strong> will try one connection every sixty seconds.</p>
<p>We can also write the current date/time to each line using <strong>-d</strong>. This is useful if we are outputting to a file and want to see when each connection attempt was made. Try this.</p>
<p><code>tcping -i 60 -d -n 5 192.168.100.2 &gt; results.txt [enter]</code></p>
<p>and then open the results.txt file to see what it contains.</p>
<p><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image18.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image_thumb18.png" width="644" height="313" /></a></p>
<p>Instant logfile&#8230;<em>niiice!</em>&#160;</p>
<blockquote><p>Did you know that <a href="http://retrohack.com/tag/splunk/" rel="tag" target="_blank">splunk&gt;</a> can tail a log file like this? &lt;♫&gt;<em>The more you know</em>&lt;/♫&gt;</p>
</blockquote>
<h3>Level 400-Audible TCPINGing</h3>
<p>Have you ever had to bounce a box, and run a continuous ping against it to see when it came back up? Tcping has an audible feature that you can use to annoy the hell out of your neighbors, but also to let you know what is going on without you having to keep a cmd window visible. The <strong>-b</strong> switch enables audible beeps, with four options.</p>
<ul>
<li>1 will beep twice when a service does not respond </li>
<li>2 will beep once when a service does respond </li>
<li>3 will beep when the service changes from one state to the other. One beep if it goes from down to up, two beeps if it goes from up to down. </li>
<li>4 will beep every time it sends a SYN&#8230;one beep for up, two for down. </li>
</ul>
<p>Say you are bouncing a server, or even just a service (iisreset, net stop &amp;&amp; net start, /etc/init.d/<em>servicename</em> restart, etc.) and you just want to know when the service finally starts to respond again.</p>
<p><code>tcping -b 2 -t a.b.c.d port# [enter]</code></p>
<p>will try to connect, and as soon as it starts to get a response you will hear it start to beep. You might as well use those speakers for something besides mp3s and YouTube vids.</p>
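<p>The open, refused and dropped cases shown in the snips above, plus the -n/-i/-d switches and the -b 3 state-change idea from the last three sections, as one added example written for this post (it is not Eli Fulkerson's tcping and not its source): a small tcping-style probe in Python that completes the handshake, closes gracefully, classifies the reply and keeps the summary stats. The loopback listener in local_demo() is a constructed stand-in for the 192.168.100.2 server, so it runs offline.</p>

```python
"""tcping-style TCP probe in Python (added example, not Eli Fulkerson's tcping).
It does what the post's Wireshark snips show: a full three-way handshake to the
target port followed by an immediate graceful close, and classifies the reply as
"open" (SYN-ACK), "refused" (RST-ACK) or "timeout" (SYN silently dropped)."""
import socket
import time
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, List, Optional


@dataclass
class ProbeResult:
    state: str               # "open", "refused", "timeout" or "unreachable"
    rtt_ms: Optional[float]  # handshake round-trip time; None unless open
    when: datetime


def probe(host: str, port: int, timeout: float = 20.0) -> ProbeResult:
    """One attempt. connect() returns once the handshake completes; close()
    sends our FIN. tcping waits 20 s per SYN, hence the default timeout."""
    start = time.perf_counter()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:           # no SYN-ACK and no RST: SYN was dropped
        return ProbeResult("timeout", None, datetime.now())
    except ConnectionRefusedError:   # host is up but answered with RST-ACK
        return ProbeResult("refused", None, datetime.now())
    except OSError:                  # no route, name lookup failure, etc.
        return ProbeResult("unreachable", None, datetime.now())
    rtt = (time.perf_counter() - start) * 1000.0
    sock.close()
    return ProbeResult("open", rtt, datetime.now())


def format_line(r: ProbeResult, host: str, port: int, stamp: bool = False) -> str:
    """One output line; stamp=True prefixes the date/time like tcping -d."""
    prefix = r.when.strftime("%Y-%m-%d %H:%M:%S ") if stamp else ""
    if r.state == "open":
        return f"{prefix}Probing {host}:{port}/tcp - Port is open - time={r.rtt_ms:.3f}ms"
    if r.state == "refused":
        return f"{prefix}Probing {host}:{port}/tcp - Connection refused"
    return f"{prefix}Probing {host}:{port}/tcp - No response ({r.state})"


def summary(results: List[ProbeResult]) -> dict:
    """The summary stats tcping -n prints after its last attempt."""
    rtts = [r.rtt_ms for r in results if r.state == "open"]
    return {
        "attempts": len(results),
        "successful": len(rtts),
        "failed": len(results) - len(rtts),
        "min_ms": min(rtts) if rtts else None,
        "max_ms": max(rtts) if rtts else None,
        "avg_ms": sum(rtts) / len(rtts) if rtts else None,
    }


def state_changes(results: List[ProbeResult]) -> List[int]:
    """Indices where the port flipped up<->down: what tcping -b 3 beeps on."""
    up = [r.state == "open" for r in results]
    return [i for i in range(1, len(up)) if up[i] != up[i - 1]]


def tcping(host: str, port: int, count: int = 4, interval: float = 1.0,
           timeout: float = 20.0, stamp: bool = False,
           emit: Callable[[str], None] = print) -> List[ProbeResult]:
    """Loop equivalent to `tcping -n count -i interval [-d] host port`.
    Simplification: always sleeps `interval` seconds between attempts."""
    results = []
    for i in range(count):
        r = probe(host, port, timeout)
        results.append(r)
        emit(format_line(r, host, port, stamp))
        if i + 1 < count:
            time.sleep(interval)
    return results


def local_demo() -> dict:
    """Constructed, offline input: a listener on 127.0.0.1 plays the server;
    closing it turns the same port into the 'connection refused' case."""
    lines: List[str] = []
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))       # port 0: the OS picks a free port
    srv.listen(5)
    port = srv.getsockname()[1]
    up = tcping("127.0.0.1", port, count=2, interval=0, timeout=2, emit=lines.append)
    srv.close()                      # nothing listens there any more
    down = tcping("127.0.0.1", port, count=2, interval=0, timeout=2,
                  stamp=True, emit=lines.append)
    both = up + down
    return {"up": [r.state for r in up], "down": [r.state for r in down],
            "lines": lines, "summary": summary(both),
            "changes": state_changes(both)}


if __name__ == "__main__":
    print("\n".join(local_demo()["lines"]))
```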
<p>And speaking of YouTube vids, here is one I love to show to my non-technical friends and family when they ask me about the tubes. While completely over the top in parts, and taking poetic license in others, it still helps a luddite visualise what is going on, and the voiceover is pretty funny in parts too. Enjoy.</p>
<div style="padding-bottom: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; float: none; padding-top: 0px" id="scid:5737277B-5D6D-4f48-ABFC-DD9C333F4C5D:603dc42d-4247-4f46-b6d8-0d9abf7545cf" class="wlWriterEditableSmartContent">
<div><object width="425" height="355"><param name="movie" value="http://www.youtube.com/v/Ve7_4ot-Dzs&amp;hl=en_US&amp;fs=1?color1=0x3a3a3a&amp;color2=0x999999&amp;hl=en"></param><embed src="http://www.youtube.com/v/Ve7_4ot-Dzs&amp;hl=en_US&amp;fs=1?color1=0x3a3a3a&amp;color2=0x999999&amp;hl=en" type="application/x-shockwave-flash" width="425" height="355"></embed></object></div>
</div>
<p>Direct link for RSS and email subscribers&#8230;<a href="http://www.youtube.com/watch?v=Ve7_4ot-Dzs">http://www.youtube.com/watch?v=Ve7_4ot-Dzs</a></p>
<p><em>If you found this post useful, please consider </em><a href="http://twitter.com/retrohack"><em>following us on twitter</em></a><em>. You’ll be the first to learn about new posts, and, rarely, we’ll share a comedic or witty tweet. Of course, you can also leave a comment below (anonymous allowed) to let us know we hooked you up.</em></p>



<p>You might also enjoy:<ol><li><a href='http://retrohack.com/how-to-troubleshoot-networks-with-ping/' rel='bookmark' title='Permanent Link: howto://troubleshoot networks with ping'>howto://troubleshoot networks with ping</a></li>
<li><a href='http://retrohack.com/how-to-macgyver-netstat-into-a-sniffer-part-two/' rel='bookmark' title='Permanent Link: howto://macgyver netstat into a sniffer-part two'>howto://macgyver netstat into a sniffer-part two</a></li>
<li><a href='http://retrohack.com/howto-troubleshoot-microsoft-vpn-connections-part-two/' rel='bookmark' title='Permanent Link: howto://troubleshoot microsoft vpn connections part two-client side issues'>howto://troubleshoot microsoft vpn connections part two-client side issues</a></li>
</ol></p><img src="http://feeds.feedburner.com/~r/Retrohack/~4/gHp3Ja8Go_s" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://retrohack.com/how-to-troubleshoot-networks-with-tcping/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://retrohack.com/how-to-troubleshoot-networks-with-tcping/</feedburner:origLink></item>
		<item>
		<title>How to Prevent Directory Harvest Attacks</title>
		<link>http://feedproxy.google.com/~r/Retrohack/~3/FuQT_m4np_I/</link>
		<comments>http://retrohack.com/how-to-prevent-directory-harvest-attacks/#comments</comments>
		<pubDate>Wed, 14 Jul 2010 12:30:00 +0000</pubDate>
		<dc:creator>Guest Post</dc:creator>
				<category><![CDATA[Architecture]]></category>
		<category><![CDATA[guest post]]></category>

		<guid isPermaLink="false">http://retrohack.com/how-to-prevent-directory-harvest-attacks/</guid>
		<description><![CDATA[You&#8217;re diligent about protecting your online identity. You may use disposable email addresses,limit forum posting or mask your email address with special characters or spaces when you do. Yet, somehow, despite your considerable efforts, spam finds its way into your inbox. This common scenario is plaguing both casual and enterprise users. Latest estimates claim spam [...]


You might also enjoy:<ol><li><a href='http://retrohack.com/how-to-find-the-best-web-filtering-solution-for-your-business/' rel='bookmark' title='Permanent Link: How to Find the Best Web Filtering Solution for Your Business'>How to Find the Best Web Filtering Solution for Your Business</a></li>
<li><a href='http://retrohack.com/how-to-document-active-directory-group-memberships/' rel='bookmark' title='Permanent Link: howto://document Active Directory-group memberships'>howto://document Active Directory-group memberships</a></li>
<li><a href='http://retrohack.com/fixing-530-home-directory-not-accessible/' rel='bookmark' title='Permanent Link: Fixing 530 Home directory not accessible'>Fixing 530 Home directory not accessible</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[<p></p>
<p><a href="http://retrohack.com/category/architecture/" rel="tag" target="_blank"><img style="border-bottom: 0px; border-left: 0px; margin: 0px 10px 0px 0px; display: inline; border-top: 0px; border-right: 0px" border="0" alt="architecture" align="left" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/05/architecture1.jpg" /></a></p>
<p>You&#8217;re diligent about protecting your online identity. You may use disposable email addresses, limit forum posting, or mask your email address with special characters or spaces when you do. Yet, somehow, despite your considerable efforts, spam finds its way into your inbox.</p>
<p>This common scenario is plaguing both casual and enterprise users. Latest estimates claim spam represents over 90% of all email. Like millions of others, you&#8217;re probably wondering how this happens. Sometimes, a well-meaning friend or co-worker is the culprit. Ever received one of those email chain letters?</p>
<p><span id="more-2021"></span></p>
<p>Typically they contain your address, and a host of others, and by the third round of forwards, chances are it will land in the hands of a spammer. But a more sophisticated method may also be used. In a Directory Harvest Attack (DHA), or dictionary attack, spammers employ an automated program, called a botnet. This script targets known domains (think gmail.com or yahoo.com) and, using common names, attempts to guess email addresses. The botnet sends an email to each address and, in a simple process of elimination, those that come back undeliverable are discarded, while those that don&#8217;t become new additions to their spam databases. While an annoyance to end users, this tactic can also hobble corporate email servers overwhelmed by the sheer number of requests.</p>
<p>As we consider potential solutions, there are a few initial steps that come to mind. As a first line of defense, do take care with online postings. Next, avoid using common names in your address. Opt for tougher to guess combinations – something including numbers and letters. In the end though, these remedies may prove ineffective for larger organizations.</p>
<p>In that case, a software solution is the answer. With the rise in these types of attacks, security software vendors have responded with tools that can help foil DHA attempts. These services can monitor statistics like the frequency of misaddressed e-mails sent from a given IP address; if the number crosses a predefined threshold, messages or senders are rejected. In the end, a mix of end-user education, policy, and software will likely be required to keep your company email addresses shielded from spam databases.</p>
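<p>The threshold rule described above, as an added example that is not GFI's product or any vendor's code: a sliding-window count of unknown-recipient rejections per source IP, run over constructed mail-server log lines. The log format, the 10-minute window and the threshold of five are assumptions to adapt to your own MTA.</p>

```python
"""Directory-harvest detection over mail-server logs (added example, not GFI's
product). It implements the rule the post describes: count unknown-recipient
rejections per sending IP inside a sliding time window and flag the sender
once that count crosses a threshold, so later mail from it can be rejected."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Constructed sample log in a generic "timestamp ip rcpt status" shape. Real
# MTAs log differently, so LINE_RE is the one thing to adapt to your server.
# 203.0.113.7 guesses six names in six seconds (a harvester); 198.51.100.2
# mistypes one address; 192.0.2.9 probes slowly, one guess every half hour.
SAMPLE_LOG = """\
2010-07-14T09:00:01 203.0.113.7 rcpt=<john@example.com> status=550 user unknown
2010-07-14T09:00:02 198.51.100.2 rcpt=<sales@example.com> status=250 ok
2010-07-14T09:00:02 203.0.113.7 rcpt=<mary@example.com> status=550 user unknown
2010-07-14T09:00:03 203.0.113.7 rcpt=<steve@example.com> status=550 user unknown
2010-07-14T09:00:04 203.0.113.7 rcpt=<susan@example.com> status=550 user unknown
2010-07-14T09:00:05 203.0.113.7 rcpt=<david@example.com> status=550 user unknown
2010-07-14T09:00:06 203.0.113.7 rcpt=<linda@example.com> status=550 user unknown
2010-07-14T09:00:10 198.51.100.2 rcpt=<salse@example.com> status=550 user unknown
2010-07-14T09:00:11 198.51.100.2 rcpt=<sales@example.com> status=250 ok
2010-07-14T08:00:00 192.0.2.9 rcpt=<bob@example.com> status=550 user unknown
2010-07-14T08:30:00 192.0.2.9 rcpt=<alice@example.com> status=550 user unknown
2010-07-14T09:00:00 192.0.2.9 rcpt=<carol@example.com> status=550 user unknown
2010-07-14T09:30:00 192.0.2.9 rcpt=<dave@example.com> status=550 user unknown
2010-07-14T10:00:00 192.0.2.9 rcpt=<erin@example.com> status=550 user unknown
"""
LINE_RE = re.compile(r"^(\S+) (\S+) rcpt=<([^>]+)> status=(\d{3})")

Event = Tuple[datetime, str, str, str]   # (time, source ip, recipient, code)


def parse(lines: Iterable[str]) -> List[Event]:
    """Parse log lines into events, oldest first; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts, ip, rcpt, code = m.groups()
            events.append((datetime.fromisoformat(ts), ip, rcpt, code))
    events.sort(key=lambda e: e[0])
    return events


def detect(lines: Iterable[str], threshold: int = 5,
           window_minutes: int = 10) -> Dict[str, datetime]:
    """Return {ip: time it crossed the threshold} for every source IP with at
    least `threshold` 550 (user unknown) rejections inside any window of
    `window_minutes`. Only rejections count, so a busy legitimate relay that
    occasionally mistypes an address is not flagged."""
    window = timedelta(minutes=window_minutes)
    recent: Dict[str, deque] = defaultdict(deque)
    flagged: Dict[str, datetime] = {}
    for ts, ip, _rcpt, code in parse(lines):
        if code != "550":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # forget rejections outside the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def rejection_ratio(lines: Iterable[str]) -> Dict[str, Tuple[int, int]]:
    """Per-IP (rejected, accepted) recipient counts: a second signal, since a
    harvester's rejected count dwarfs its accepted count."""
    counts: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for _ts, ip, _rcpt, code in parse(lines):
        counts[ip][0 if code == "550" else 1] += 1
    return {ip: (c[0], c[1]) for ip, c in counts.items()}


if __name__ == "__main__":
    for ip, when in detect(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} flagged as directory harvester at {when}")
    print(rejection_ratio(SAMPLE_LOG.splitlines()))
```

The slow prober 192.0.2.9 stays below the default window on purpose; lengthening the window (or lowering the threshold) is how you trade false negatives against false positives.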
<p><em>This guest post was provided by Veronica Henry on behalf of GFI Software, a leading software developer that produces network and messaging security solutions for SMBs. More information about GFI anti-spam solution can be found at </em><a href="http://www.gfi.com/mes"><em>http://www.gfi.com/mes</em></a><em>. All product and company names herein may be trademarks of their respective owners.</em></p>
<p><em><a href="http://retrohack.com">RetroHack</a> is happy to consider guest posts. If you’re interested in submitting a post to this blog, please <a href="http://retrohack.com/contact/">contact us</a> rather than leaving a comment to this particular post. No compensation was offered, requested, expected, or received for posting this article…it’s just good content, however I do create guest posts hosted on other blogs on behalf of GFI Software for pay.</em></p>



<p>You might also enjoy:<ol><li><a href='http://retrohack.com/how-to-find-the-best-web-filtering-solution-for-your-business/' rel='bookmark' title='Permanent Link: How to Find the Best Web Filtering Solution for Your Business'>How to Find the Best Web Filtering Solution for Your Business</a></li>
<li><a href='http://retrohack.com/how-to-document-active-directory-group-memberships/' rel='bookmark' title='Permanent Link: howto://document Active Directory-group memberships'>howto://document Active Directory-group memberships</a></li>
<li><a href='http://retrohack.com/fixing-530-home-directory-not-accessible/' rel='bookmark' title='Permanent Link: Fixing 530 Home directory not accessible'>Fixing 530 Home directory not accessible</a></li>
</ol></p><img src="http://feeds.feedburner.com/~r/Retrohack/~4/FuQT_m4np_I" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://retrohack.com/how-to-prevent-directory-harvest-attacks/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		<feedburner:origLink>http://retrohack.com/how-to-prevent-directory-harvest-attacks/</feedburner:origLink></item>
		<item>
		<title>I’m talkin’ imminent rueage</title>
		<link>http://feedproxy.google.com/~r/Retrohack/~3/O1k3h1KrXM4/</link>
		<comments>http://retrohack.com/im-talkin-imminent-rueage/#comments</comments>
		<pubDate>Tue, 13 Jul 2010 00:49:54 +0000</pubDate>
		<dc:creator>Ed Fisher</dc:creator>
				<category><![CDATA[Whatever]]></category>
		<category><![CDATA[personal]]></category>

		<guid isPermaLink="false">http://retrohack.com/im-talkin-imminent-rueage/</guid>
		<description><![CDATA[Yes, we just had our first experience with a tornado. While unconfirmed, our neighbor saw a funnel, and our poor little 50&#8242; shady tree out front got handed its arse. No one was hurt, and the tree only took out another tree, so except for some fence damage in the back yard, we got off [...]


You might also enjoy:<ol><li><a href='http://retrohack.com/merry-christmas-everyone/' rel='bookmark' title='Permanent Link: Merry Christmas Everyone!'>Merry Christmas Everyone!</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[<p></p>
<p>Yes, we just had our first experience with a tornado. While unconfirmed, our neighbor saw a funnel, and our poor little 50&#8242; shady tree out front got handed its arse. No one was hurt, and the tree only took out another tree, so except for some fence damage in the back yard, we got off relatively unscathed. Several other trees are down in the area, and those brand new 96-gallon trash cans apparently made impressive flying projectiles, but at least for us, we&#8217;re all good.</p>
<p>Two doors up&#8230;not so lucky. A postal carrier had just stepped out of his truck to deliver a package, when <strong>blammo</strong>. He is going to be okay, but we had some fun getting the tree off of him and making sure he was okay before we moved him. It was raining so hard I couldn&#8217;t make out the faces of the college kids (in the video below) who got to him first. The guy in Browns shirt was johnny on the spot with his first aid (an actual Eagle Scout no less) and was really awesome. I managed to stay off camera for most of it, but all four networks were &#8216;on the scene&#8217; for <em>hours</em> and you can catch a glimmer of me if you watch carefully.</p>
<p>Five hours of chainsaw action later, we have a huge pile of tree in front of our house, and so does our neighbor. Everyone in the four house section kicked in, and what could have been a miserable two day project was done before dusk. It&#8217;s great to have such wonderful neighbors.</p>
<div style="padding-bottom: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; float: none; padding-top: 0px" id="scid:5737277B-5D6D-4f48-ABFC-DD9C333F4C5D:d378ba0c-08d2-4457-a599-c52f082795d2" class="wlWriterEditableSmartContent">
<div><object height="288" width="470"><param name="movie" type="application/x-shockwave-flash" value="http://www.wcnc.com/v/?i=98270694" /><param name="allowScriptAccess" value="always" /><param name="wmode" value="transparent" /><param name="AllowFullScreen" value="true" /><embed type="application/x-shockwave-flash" src="http://www.wcnc.com/v/?i=98270694" AllowFullScreen="true" allowScriptAccess="always" height="288" wmode="transparent" width="470"></embed></object></div>
</div>
<p>Direct link for RSS and email subscribers&#8230;<a href="http://www.wcnc.com/news/Mailman-struck-by-tree-98270694.html">http://www.wcnc.com/news/Mailman-struck-by-tree-98270694.html</a></p>
<p>So now I am going to take four more motrin, and spin up <a href="http://www.imdb.com/title/tt0117998/" target="_blank">Twister</a>. It just seems appropriate. Good night.</p>



<p>You might also enjoy:<ol><li><a href='http://retrohack.com/merry-christmas-everyone/' rel='bookmark' title='Permanent Link: Merry Christmas Everyone!'>Merry Christmas Everyone!</a></li>
</ol></p><img src="http://feeds.feedburner.com/~r/Retrohack/~4/O1k3h1KrXM4" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://retrohack.com/im-talkin-imminent-rueage/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://retrohack.com/im-talkin-imminent-rueage/</feedburner:origLink></item>
		<item>
		<title>Dearly beloved, we are gathered here today</title>
		<link>http://feedproxy.google.com/~r/Retrohack/~3/uK1aEMCcc-I/</link>
		<comments>http://retrohack.com/dearly-beloved-we-are-gathered-here-today/#comments</comments>
		<pubDate>Mon, 12 Jul 2010 12:30:00 +0000</pubDate>
		<dc:creator>Ed Fisher</dc:creator>
				<category><![CDATA[Infrastructure]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[windows]]></category>

		<guid isPermaLink="false">http://retrohack.com/dearly-beloved-we-are-gathered-here-today%e2%99%ab/</guid>
		<description><![CDATA[The end of an era...Windows 2000 extended support is over with the release of July's security patches, tomorrow 2010-07-13. Part homage, part rant, part really bad idea, this post is my way of saying good bye to an operating system I lurved right up until 2003 was released. I've loathed 2000 ever since. Buh-bye!


You might also enjoy:<ol><li><a href='http://retrohack.com/splunk-4-1-2-addresses-several-security-issues/' rel='bookmark' title='Permanent Link: splunk&gt; 4.1.2 addresses several security issues'>splunk&gt; 4.1.2 addresses several security issues</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[<p></p>
<p><a href="http://retrohack.com/tag/windows/"><img style="border-right-width: 0px; margin: 0px 10px 0px 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" border="0" alt="windows" align="left" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/05/windows.jpg" /></a></p>
<p><em>&lt;♫&gt;cue the pipe organ&#8230;to the music of Let&#8217;s Go Crazy-Prince and the Revolution<em>&lt;/♫&gt;</em></em>     <br />to bid farewell to this thing called Win2K.     <br />Awesome operating system     <br />We thought would last forever and that&#8217;s a mighty long time     <br />But I&#8217;m here to tell you     <br />There&#8217;s something else     <br />Windows 2008.</p>
<p><span id="more-1991"></span></p>
<p>An o/s of never ending happiness    <br />You can always see the gui, local or remote.</p>
<p>So when you go to check on updates from MSFT    <br />You know the one, Dr Patch everything thing up right     <br />Instead of asking him how much of your time is left     <br />Ask him how much of your CALs, baby</p>
<p>Cause in this Windows    <br />Things are much harder than in 2008     <br />In this Windows     <br />You&#8217;re on your own</p>
<p>And if the CIO tries to bring you down    <br />Go crazy – UPGRADE!!!</p>
<p>If you don&#8217;t like the o/s you&#8217;re living in    <br />Take a look around you     <br />At least you got options</p>
<p>You see I called my own VAR    <br />For a friendly word     <br />She picked up the phone     <br />Dropped it on the floor     <br />(HA, HA) is all I heard</p>
<p>Are we gonna let legacy servers bring us down    <br />Oh, no Let&#8217;s Go</p>
<p>Let&#8217;s go upgrade    <br />Let&#8217;s get patched     <br />Let&#8217;s drop the old systems     <br />With no support, let&#8217;s go!</p>
<p>We&#8217;re all excited    <br />And I bet I know why     <br />Maybe it&#8217;s cause     <br />Support ends today     <br />And when we do (When we do)     <br />Upgrade to 2K8 (What&#8217;s it all for)     <br />You can sleep better now     <br />No mad users will come knocking on your door</p>
<p>Are we gonna let legacy servers bring us down    <br />Oh, no Let&#8217;s Go</p>
<p>Let&#8217;s go upgrade    <br />Let&#8217;s get patched     <br />Let&#8217;s drop the old systems     <br />With no support, let&#8217;s go!</p>
<p>Okay folks, I will not subject you to any more of this, and Prince, I sincerely apologise for what was a funny idea in my mind when I started down this path. Just in case you somehow missed it, tomorrow, July 13, 2010, is officially the end of support for Windows 2000. If you are one of the millions, AND MILLIONS, of folks out there still running this platform, tomorrow marks the last patches you will ever receive. And just for those who wonder what a big deal that might be, please note that several vulnerabilities have been discovered <strong>this year</strong> that impact 2000. More certainly will be discovered, but you won&#8217;t have patches for them. Does it make sense to stay on a legacy platform and be</p>
<ol>
<li>at risk, or even worse </li>
<li>disable functionality to mitigate vulnerabilities? </li>
</ol>
<p>Since that functionality is probably the reason you are still stuck on 2000, I don&#8217;t think so. Budgets are tight to be sure, but with the creative licensing (and even software license leasing) that is going on, you really have to stretch pretty far to convince me of a valid reason to stay on Windows 2000. It&#8217;s time to say goodbye. If you simply can&#8217;t, start thinking about ways to segment those old systems off on their own, so that when they do get pwned, the damage can be contained. Considering the abuse I just delivered to one of the best songs from my youth, it is only right that I close this post with this video. If you can&#8217;t upgrade, at least you can jam your arse off. Close the door, crank the volume up to eleven, and enjoy.</p>
<div style="padding-bottom: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; float: none; padding-top: 0px" id="scid:5737277B-5D6D-4f48-ABFC-DD9C333F4C5D:63791acb-d785-4f5f-a23a-14510a7e137f" class="wlWriterEditableSmartContent">
<div><object width="480" height="272"><param name="movie" value="http://www.dailymotion.com/swf/video/xdjavz"></param><param name="allowFullScreen" value="true"></param><param name="allowScriptAccess" value="always"></param><embed type="application/x-shockwave-flash" src="http://www.dailymotion.com/swf/video/xdjavz" width="480" height="272" allowfullscreen="true" allowscriptaccess="always"></embed></object></div>
</div>
<p>Direct link for RSS and email subscribers&#8230;<a href="http://www.dailymotion.com/video/xdjavz_prince-let-s-go-crazy_music">http://www.dailymotion.com/video/xdjavz_prince-let-s-go-crazy_music</a></p>
<p>And in a great example of inter-tubes cooperation, seemingly bizarre coincidences, and my own obsession with great web comics, the music of Prince, and Doctor Who, let me share with you the <a href="http://hijinksensue.com/" target="_blank">Hijinks Ensue</a> comic that came out on the same day as this post. Comic courtesy of Joel Watson.</p>
<p><a href="http://hijinksensue.com/2010/07/09/how-i-learned-to-stop-worrying-and-love-the-internet/" target="_blank"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="Hijinks Ensue, one of my favourite web comics!" border="0" alt="Hijinks Ensue, one of my favourite web comics!" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/20100709howilearnedtostopworryingandlovetheinternet.jpg" width="644" height="364" /></a> </p>
<p><em>How about you? Are you still trying to support legacy operating systems? Why???</em></p>



<p>You might also enjoy:<ol><li><a href='http://retrohack.com/splunk-4-1-2-addresses-several-security-issues/' rel='bookmark' title='Permanent Link: splunk&gt; 4.1.2 addresses several security issues'>splunk&gt; 4.1.2 addresses several security issues</a></li>
</ol></p><img src="http://feeds.feedburner.com/~r/Retrohack/~4/uK1aEMCcc-I" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://retrohack.com/dearly-beloved-we-are-gathered-here-today/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://retrohack.com/dearly-beloved-we-are-gathered-here-today/</feedburner:origLink></item>
		<item>
		<title>howto://troubleshoot networks with ping</title>
		<link>http://feedproxy.google.com/~r/Retrohack/~3/J7PzQTYZQ8Q/</link>
		<comments>http://retrohack.com/how-to-troubleshoot-networks-with-ping/#comments</comments>
		<pubDate>Fri, 09 Jul 2010 12:30:00 +0000</pubDate>
		<dc:creator>Ed Fisher</dc:creator>
				<category><![CDATA[Infrastructure]]></category>
		<category><![CDATA[cli]]></category>
		<category><![CDATA[howto]]></category>
		<category><![CDATA[networking]]></category>

		<guid isPermaLink="false">http://retrohack.com/how-to-troubleshoot-networks-with-ping/</guid>
		<description><![CDATA[Call this network troubleshooting 101, where we'll go over how to use the venerable PING command to do some basic network troubleshooting. This is probably something most of you will point n00bs to...it's intended to help bring those n00bs up a notch in their troubleshooting skillz, which ultimately will help you too.


You might also enjoy:<ol><li><a href='http://retrohack.com/how-to-troubleshoot-networks-with-tcping/' rel='bookmark' title='Permanent Link: howto://troubleshoot networks with tcping'>howto://troubleshoot networks with tcping</a></li>
<li><a href='http://retrohack.com/how-to-macgyver-netstat-into-a-sniffer-part-one/' rel='bookmark' title='Permanent Link: howto://macgyver netstat into a sniffer-part one'>howto://macgyver netstat into a sniffer-part one</a></li>
<li><a href='http://retrohack.com/howto-troubleshoot-microsoft-vpn-connections-part-three/' rel='bookmark' title='Permanent Link: howto://troubleshoot microsoft vpn connections part three-tales from the trenches'>howto://troubleshoot microsoft vpn connections part three-tales from the trenches</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[<p></p>
<p><a href="http://retrohack.com/tag/howto/" rel="tag" target="_blank"><img style="border-right-width: 0px; margin: 0px 10px 0px 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="another RetroHack howto" border="0" alt="another RetroHack howto" align="left" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/03/chalkboard.png" width="63" height="75" /></a></p>
<p>Welcome to the first in a series of posts on basic network troubleshooting. These posts are designed to help someone with some basic networking knowledge expand their repertoire of troubleshooting skills and tricks. This series will cover the following Windows commands:    <br /><strong>ping</strong>, <strong>tracert</strong>, <strong>pathping</strong>, <strong>arp</strong>, <strong>nbtstat</strong>, and <strong>telnet</strong>. We&#8217;ll also cover third-party command-line tools including <a href="http://www.elifulkerson.com/projects/tcping.php" target="_blank">tcping</a> and <a href="http://tracetcp.sourceforge.net/" target="_blank">tracetcp</a>, and the name resolution tools dig, host, and whois.&#160; This first post is all about <strong>ping</strong>. The rest will be released as I get to them, but I hope to have them all done by the end of the summer. Stay tuned for more.</p>
<p>The first five are in all current versions of Windows. Telnet used to be, but in the interests of <em>sekuritah</em>, Microsoft decided to make you opt in to using it by making it an optional feature in Vista and later, which is an example of <em>right idea, wrong execution.</em> You might get pushback trying to make a third-party tool part of a default build, but trust me on this: make sure the Telnet Client feature is added to EVERYTHING. With the exception of <strong>pathping</strong>, you should also be able to use these same commands, with almost the same syntax, on Linux, Unix, and Mac systems, too. With these tools, we&#8217;re set to diagnose many of the networking problems that might pop up, with just a little bit of cmd-line voodoo. If you&#8217;d like to learn how to use <strong>ping</strong>, you know what to do next. So without any further ado, I give you&#8230;</p>
<p><span id="more-2035"></span></p>
<h3>Level 100-The origin of PING</h3>
<p>Ping is a command, a particular type of Internet Control Message Protocol (ICMP) message, a funny sound made by sonar, and a maker of fine golf putters. We&#8217;re only really interested in the first two though, starting with the ICMP message. <a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/TCPIP_OSI.jpg"><img style="border-right-width: 0px; margin: 0px 25px 0px 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="TCPIP_OSI" border="0" alt="TCPIP_OSI" align="left" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/TCPIP_OSI_thumb.jpg" width="258" height="352" /></a>If you remember your <a href="http://en.wikipedia.org/wiki/OSI_model" target="_blank">OSI model</a> &lt;warning, majorly boring stuff approaching&gt; and how the TCP/IP stack maps to it, then you&#8217;ll remember that ICMP operates at the network layer&#8230;right alongside IP. ICMP can be used to deliver messages about the state of the network, such as whether a host or a network is unreachable. UDP uses ICMP <em>Port Unreachable</em> messages in the same way TCP uses <em>RST ACK</em> when a host receives traffic to a port on which no service is listening. Firewalls can use ICMP <em>Administratively Prohibited</em> messages, when configured to block rather than drop, to respond that traffic is not permitted. </p>
<p>There are <a href="http://retrohack.com/icmp-response-code/" target="_blank">a number of other ICMP messages available</a>, but we are interested in using just two, <em>echo request</em> and <em>echo reply.</em> When we ping from HostA to HostB, the idea is that HostA wants to check the network path between itself and HostB. HostA sends some data to HostB, and HostB echoes that data back exactly as received. HostA compares what came back with what it sent, and can determine the following:</p>
<ul>
<li>that HostB is alive and well </li>
<li>that data sent from HostA to HostB can get there, and back, </li>
<li>the average time it will take </li>
<li>any packet loss </li>
<li>and data corruption </li>
</ul>
<p><a href="http://ftp.arl.mil/~mike/ping.html" target="_blank">Mike Muuss</a> wrote the original program to take advantage of this functionality back in 1983, and named it <em>ping</em> after the sound sonar makes when trying to detect ships. Since that time, essentially every operating system that uses TCP/IP has a ping command, though each major operating system tends to insert its own data pattern into the <em>echo requests, </em>along with different default starting TTL values.</p>
<h3>Level 200-PING basics </h3>
<p>So what can we do with ping? At its simplest, ping just tells us if a host is alive. Try this.</p>
<ol>
<li>Open a cmd prompt      </li>
<li>Do an ipconfig to get your default gateway      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/image44.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/image_thumb44.png" width="644" height="375" /></a>       </li>
<li>Ping your default gateway      <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/image45.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/image_thumb45.png" width="644" height="374" /></a>       <br />&#160; </li>
<li>Consider the results.      <br />By default, Windows sends four ICMP echo requests with 32 bytes of data. What we got back, with an average of 1ms, was four good responses. The TTL we see is set by the responding host, and since our gateway is on our same network, we can infer from that TTL that it is a Windows host. It is&#8230;our TMG. Had it been a Cisco or *nix host, the TTL would have been 64, like this.       <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/image46.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/image_thumb46.png" width="644" height="234" /></a> </li>
</ol>
<p>As a general rule, current Windows hosts start pings and replies with a TTL of 128; modern Linux and Unix hosts use 64, and older systems use 255. If you have a rough idea of how many hops away a host is, you can infer the operating system by looking at the TTL in the reply.</p>
<p>Since we are on the same subnet, there was no router to decrement the TTL of the replies. Four packets doesn&#8217;t really give us a great deal of data loss testing, but we see 0% loss since we sent four, and we got four back. Bottom line&#8230;.our target is alive and well and we can reach it.</p>
<blockquote><p>So why does the first ping take longer to respond in each case than the subsequent ones? ARP. In both cases my host did not have the MAC address of the target in cache, so it had to ARP for the address. The target would likely also have to do an ARP before replying. Ping starts its clock when the packet hits the stack at layer three&#8230;layer two just needs to catch up.</p>
</blockquote>
<h4>Request timed out versus destination unreachable</h4>
<p>Sometimes a host won&#8217;t answer, either because it is down, or firewalled. The response you see in your ping command depends on what operating system you have, and whether or not you are on the same subnet as your target, and sometimes even what kind of network devices are between you and your target.</p>
<p>Before a host can ping another, it has to either ARP the target (on the same subnet) or ARP the router (different subnet.) If no response to that ARP request is received, older Windows systems would say request timed out&#8230;the same as if you were pinging a host that was down, or where ICMP was blocked. Windows 7 and 2008 are smart enough to tell you &quot;Destination host unreachable.&quot; Check the source ip.addr of the &quot;Destination host unreachable&quot; message. If it is yours, then either you cannot ARP the host, or your gateway. If it is a remote router/firewall, then it could be telling you the host is down, or that ICMP is not permitted by the target. If you are on a Windows 7 host, and trying to ping another host on the same subnet, and you get a request timed out instead of a destination unreachable, it means your target is dropping ICMP. It <strong>has</strong> to respond to the ARP request, but then it is dropping your echo requests. <strong><em>Bad host, no!</em></strong> (see below for more on that.)</p>
<p>Like any good command line tool, ping also supports several switches. They are all optional (a couple are even like the appendix&#8230;still around but no longer useful) but with the right combination, you can learn a lot more about a host or the network between.</p>
<p>Ping without switches really only tells us two things about a host&#8230;it is alive and we can reach it. As mentioned above, we can infer from the TTL what type of operating system it is running, but that is about it. Here is where switches come in. </p>
<h4>the –n switch, for the number of pings</h4>
<p>Windows hosts will send four pings by default. If you wish to set a specific number, use the –<strong>n</strong> switch. To ping a host ten times you would do this.</p>
<p><code>ping -n 10 a.b.c.d [enter] </code></p>
<h4>the –t switch, for continuous ping</h4>
<p>Switch back to your cmd prompt, and enter this command, substituting your default gateway ip.addr.</p>
<p><code>ping -t a.b.c.d [enter] </code></p>
<p>The <strong>-t</strong> switch initiates a continuous ping, which allows us to check for packet lost, as well as to see any general trends in response times either going up or down. It is also dead useful for monitoring a server that you rebooted to see when it starts to come back up. You can also put it after the target.</p>
<p><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/image47.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/image_thumb47.png" width="644" height="466" /></a> </p>
<p>The ping will just run continuously until you stop it by hitting ctrl-c, or ctrl-break. Both of those will give you summaries of all pings sent and received, but ctrl-c stops the pings completely, while ctrl-break gives you the summary up to that point, and keeps on going. In this screen shot, the first table is from a ctrl-break, and you can see four more pings before I hit control-c.</p>
<p><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/image48.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/image_thumb48.png" width="644" height="469" /></a> </p>
<p>Notice what the ping statistics tell you. The number sent, the number received, the number lost (0% is good&#8230;the longer you ping the more likely you will drop one or more, but if the percent remains 0 you are doing just fine) the minimum, maximum, and average response times. On a 100Mbit LAN and the same subnet, you definitely should see very low times and 0% loss. The one spike to 140ms when I entered the ctrl-break was more likely a processing problem on my pc than a network issue. Most pings are sent at the rate of one per second, so if you let this run for twelve hours, you should have statistics for around 43,200 pings.</p>
<h4>ping –a for name resolution</h4>
<p>Sometimes you have an ip.addr and you want to resolve it to a name. While you should do a host or an nslookup to get that information, if you want to combine pinging an ip.addr to see if it is up with a lookup to find its name, use the –a switch, like this.</p>
<p><code>ping -a 65.55.21.250 [enter] </code></p>
<p>From that you should see that 65.55.21.250 belongs to microsoft.com, and you can infer that either they fell down and went boom, or that they are blocking ICMP <em>echo requests </em>at their border, and therefore do not comply with <a href="http://tools.ietf.org/rfc/rfc1122.txt" target="_blank">RFC 1122</a>. Considering the <a href="http://en.wikipedia.org/wiki/Ping_of_death" target="_blank">ping of death</a> was an attack against Windows hosts, I&#8217;m guessing they will never be compliant.</p>
<h3>Level 300-Advanced PINGing</h3>
<p>There are a couple of switches that you will use for special troubleshooting.</p>
<h4>ping –l to set the size for larger packets</h4>
<p>The –l switch is used to specify the data payload size for your ping. Windows boxes default to using a very small 32 bytes of data. Use –l # to test larger payloads.</p>
<h4>ping –f to set the don&#8217;t fragment flag</h4>
<p>By default, routers can take packets that are larger than the maximum transmission unit (MTU) for the media and break them into smaller fragments before forwarding them. The –f switch sets the &quot;Don&#8217;t Fragment (DF)&quot; flag on your packets, which tells routers to reject any packet larger than the MTU instead of fragmenting it. If a router rejects a packet because it is too large and the DF bit is set, it will respond to the sending host that &quot;fragmentation is required but the DF bit is set.&quot;</p>
<h4>combine –l and –f to test for mtu issues </h4>
<p>Frame, cable and DSL all support the same MTU as Ethernet (1472 bytes of ping payload once you get past the layer three header). Wi-Fi can handle an even larger MTU, but since it usually connects to an Ethernet network and acts as a bridge, you won&#8217;t want to go above 1472. To test your MTU, open a cmd prompt and enter this command.</p>
<p><code>ping -f -l 1000 www.yahoo.com [enter]</code> </p>
<p>That says to ping yahoo.com (they always allow ICMP <em>echo requests</em>) with 1000 bytes of payload and the DF bit set. You can increase that number right on up to 1472. If you have cable or DSL, you will get responses until you use 1473, and then you will get an error. When your MTU is actually smaller than the value you set with –l, and you also set –f to tell routers not to fragment, you will get an error stating that fragmentation is required but the DF bit is set.</p>
<p>This becomes useful when troubleshooting throughput (smaller MTU means more packets for the same amount of data, and therefore less throughput) and Windows authentication errors. Some VPN technologies have a lot of overhead in the layer three header <em>&lt;cough&gt;Cisco&lt;/cough&gt; </em>which can break Kerberos authentication. If you have an MTU much below 1200, you will want to use the &quot;set mtu&quot; applet in the Cisco client to set a lower value, and <a href="http://support.microsoft.com/kb/244474" target="_blank">force Kerberos to use TCP</a> on your XP clients. Of course, modern Windows clients default to TCP for Kerberos on their own.</p>
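<p>Added example, not code from the original post: a small Python helper that applies two of the rules above. It uses the Level 200 initial-TTL table (128 Windows, 64 Linux/Unix/Cisco, 255 older systems) to guess a responder's platform and hop count from parsed Windows ping replies, and it turns the manual <code>ping -f -l</code> payload walk from 1000 up to 1473 into a binary search. The ping output is constructed, and <code>probe</code> is a hypothetical callback you would implement by running ping against a real target.</p>

```python
"""Interpreting Windows ping output and finding the path MTU.

Added example, not code from the original RetroHack post. It applies the
post's initial-TTL table (128 Windows, 64 Linux/Unix/Cisco, 255 older
systems) to parsed "Reply from" lines, and turns the manual "ping -f -l"
payload walk into a binary search. SAMPLE_OUTPUT is constructed.
"""
import re
from typing import Callable, Dict, List, NamedTuple, Tuple

# Initial TTL by platform, as stated in the post's Level 200 section.
INITIAL_TTLS: Dict[int, str] = {64: "Linux/Unix/Cisco", 128: "Windows", 255: "older systems"}

# Ethernet MTU 1500 minus the 20-byte IP header and 8-byte ICMP header
# leaves the 1472 bytes of payload the post gives as the ceiling for -l.
IP_ICMP_OVERHEAD = 28

# Windows reply line, e.g. "Reply from 192.168.1.1: bytes=32 time=1ms TTL=128".
# Sub-millisecond replies print "time<1ms".
REPLY_RE = re.compile(
    r"Reply from (?P<ip>[\d.]+): bytes=(?P<bytes>\d+) "
    r"time(?P<op>[=<])(?P<time>\d+)ms TTL=(?P<ttl>\d+)"
)

# Constructed sample: four requests, three replies, one timeout.
SAMPLE_OUTPUT = """\
Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time=3ms TTL=128
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128
Request timed out.
Reply from 192.168.1.1: bytes=32 time=1ms TTL=128
"""

Reply = NamedTuple("Reply", [("ip", str), ("size", int), ("rtt_ms", int), ("ttl", int)])


def parse_replies(output: str) -> List[Reply]:
    """Return the successful echo replies found in Windows ping output."""
    replies = []
    for line in output.splitlines():
        m = REPLY_RE.search(line)
        if m:
            # "time<1ms" means under a millisecond; record it as 0.
            rtt = 0 if m["op"] == "<" else int(m["time"])
            replies.append(Reply(m["ip"], int(m["bytes"]), rtt, int(m["ttl"])))
    return replies


def infer_origin(ttl: int) -> Tuple[str, int]:
    """Guess the responder's platform and hop count from the TTL it sent back.

    Each router decrements the TTL by one, so the smallest standard initial
    value still >= the observed TTL is the likely start, and the difference
    is the number of hops back to us.
    """
    for initial in sorted(INITIAL_TTLS):
        if ttl <= initial:
            return INITIAL_TTLS[initial], initial - ttl
    return "unknown", -1  # a TTL above 255 cannot occur in a valid IPv4 header


def summarize(output: str, sent: int) -> dict:
    """Rebuild the statistics ping prints after ctrl-c, plus the TTL guess."""
    replies = parse_replies(output)
    rtts = [r.rtt_ms for r in replies]
    received = len(replies)
    platform, hops = infer_origin(replies[0].ttl) if replies else ("unknown", -1)
    return {
        "sent": sent,
        "received": received,
        "loss_pct": round(100 * (sent - received) / sent) if sent else 0,
        "min_ms": min(rtts) if rtts else None,
        "max_ms": max(rtts) if rtts else None,
        "avg_ms": round(sum(rtts) / received) if rtts else None,
        "platform": platform,
        "hops": hops,
    }


def find_max_df_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1500) -> int:
    """Largest -l payload that still gets a reply with -f (DF) set.

    probe(size) is a hypothetical callback: run "ping -f -l <size> <target>"
    and return True on a reply, False when ping reports the packet needs to
    be fragmented. Binary search assumes a fixed path, so success is
    monotone in size. Add IP_ICMP_OVERHEAD to get the path MTU.
    """
    if probe(hi):
        return hi
    if not probe(lo):
        raise ValueError("even the smallest probe failed; check reachability first")
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo
```

On a 1500-byte Ethernet path, `find_max_df_payload(lambda size: size <= 1472)` finds 1472 in eleven probes instead of hundreds, and `summarize(SAMPLE_OUTPUT, sent=4)` reports 25% loss from the one timeout.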
<h4>ping –w timeout for <em>slooooow</em> (high latency) links</h4>
<p>If you want to tell ping to wait a specific number of milliseconds before giving up on a ping, use the –<strong>w</strong> switch. By default, Windows&#8217; ping will wait 4000 ms for a response.</p>
<h4>ping –i TTL to change your TTL</h4>
<p>If you want to alter the TTL of your packets to see what routers are not responding to ping, but perhaps will tell you when &quot;TTL Expired In Transit&quot; you can specify a smaller TTL with the –<strong>i</strong> switch. Remember though that Windows will always start with a TTL far larger than needed to get to the destination, and tracert will do a better job of using ICMP and incrementing TTLs to find the path. In other words, you will probably never use this switch.</p>
<h3>Level 400-Arcane PING</h3>
<p>There are some other switches available, though you will likely never use them. Some that are still around no longer actually work. They used to be useful for learning some of the hops our packets travel on the WAN, or testing TOS, but alas, no more. Traceroute will tell us the outgoing path, and to learn the return you can trace from the other side.</p>
<h4>ping –r count</h4>
<p>This would record the route for up to nine hops, putting the routers into the header. We use tracert to see that information now.</p>
<h4>ping –s count</h4>
<p>This would record the timestamp for up to nine hops. Again, we use tracert for this now.</p>
<h4>ping –k host-list</h4>
<p>The <strong>–k </strong>switch lets you specify using a strict source route along a host-list, assuming you have multiple paths of equal cost.</p>
<h4>ping –S srcaddr</h4>
<p>On a multihomed host, if you want to specify the source ip.addr, use –<strong>S.</strong></p>
<h4>ping –4</h4>
<p>If your host runs IPv4 and IPv6, and the target name resolves to both an A and an AAAA record, use the <strong>–4</strong> switch to specify that you want to use IPv4.</p>
<h4>ping –6</h4>
<p>If your host runs IPv4 and IPv6, and the target name resolves to both an A and an AAAA record, use the <strong>–6</strong> switch to specify that you want to use IPv6.</p>
<h4>ping –R</h4>
<p>For IPv6 only, use the <strong>–R</strong> switch to use the routing header to test the reverse route as well.</p>
<h3>Sometimes it&#8217;s not that easy&#8230;</h3>
<p>Our biggest challenge with using PING is that a lot of organisations are making the choice to block or drop ICMP to reduce their exposure. Ping sweeps, oversized or invalid pings, and DDoS attacks using ping floods are all risks, and despite the fact that <a href="http://tools.ietf.org/rfc/rfc1122.txt" target="_blank">RFC 1122</a> states that hosts are required to accept and respond to ICMP echo requests, many don&#8217;t. Sometimes your side will allow ping, and your target will allow ping, but something in between doesn&#8217;t. As a result, don&#8217;t assume that an unanswered ping means a host is down unless you know for certain that you have pinged it before and gotten a reply. Ping new hosts with a degree of skepticism until you are sure of the intervening networks. My recommendation is to follow the RFCs, but if you feel you must restrict ICMP traffic, then permit it as follows:</p>
<ul>
<li>allow ICMP ECHO requests to your web server,</li>
<li>allow ICMP ECHO requests to your VPN concentrator,</li>
<li>allow ICMP ECHO requests to your Internet router,</li>
<li>allow ICMP ECHO requests throughout your internal network to all hosts,</li>
<li>allow the corresponding ICMP ECHO REPLIES to all of the above.</li>
</ul>
<p>You can read more about that in my earlier post, <a href="http://retrohack.com/and-then-theres-complete-paranoia/" target="_blank">&#8230;and then there&#8217;s complete paranoia.</a> You can also see <a href="http://www.networksorcery.com/enp/rfc/rfc792.txt" target="_blank">RFC 792</a> and <a href="http://www.networksorcery.com/enp/rfc/rfc1812.txt" target="_blank">RFC 1812</a> for more on hosts and why blocking pings is bad.</p>
<p>You might also be interested in our two-part series on MacGyvering Netstat into a protocol analyser. Here&#8217;s <a href="http://retrohack.com/how-to-macgyver-netstat-into-a-sniffer-part-one/" target="_blank">part one</a> and <a href="http://retrohack.com/how-to-macgyver-netstat-into-a-sniffer-part-two/" target="_blank">part two</a> of that series. Okay, enough brain exertion for one post. Let&#8217;s reset our gray matter by trying to figure out how they did this without the Wachowski <strike>Brothers</strike> /// er, siblings&#8217; incredible use of bullet-time cameras.</p>
<p>Direct link for RSS and email subscribers&#8230;<a href="http://www.youtube.com/watch?v=-dcmDscwEcI">http://www.youtube.com/watch?v=-dcmDscwEcI</a></p>
<p><em>What tricks do you have for troubleshooting with ping?</em></p>
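<p>As an added example (not code from this post), here is a Python parser that applies the rule above to pasted Windows ping output: it counts real echo replies from the target separately from timeouts and from ICMP error replies such as Destination host unreachable, which Windows tallies under Received, and it only calls a silent host down when you tell it the host has answered before. It understands both the IPv4 reply line (bytes=, TTL=) and the shorter IPv6 reply line you get with -6; the sample outputs are constructed.</p>

```python
"""Classify Windows ping output the way the post recommends: silence is only
'down' for a host that has answered before; otherwise ICMP may be filtered."""
import re

# Constructed sample outputs (not captured from real hosts); the addresses are
# documentation ranges (RFC 5737 / RFC 3849).
SAMPLE_FILTERED = """\
Pinging www.example.com [192.0.2.10] with 32 bytes of data:
Request timed out.
Request timed out.

Ping statistics for 192.0.2.10:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
"""

# Windows counts an ICMP error message as a received packet, so this run
# reports 0% loss even though the target never answered.
SAMPLE_UNREACHABLE = """\
Pinging 192.0.2.20 with 32 bytes of data:
Reply from 203.0.113.1: Destination host unreachable.
Reply from 203.0.113.1: Destination host unreachable.

Ping statistics for 192.0.2.20:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
"""

# IPv6 replies (ping -6) show only the time, no bytes= or TTL= fields.
SAMPLE_IPV6_OK = """\
Pinging 2001:db8::1 with 32 bytes of data:
Reply from 2001:db8::1: time<1ms
Request timed out.
Reply from 2001:db8::1: time=2ms

Ping statistics for 2001:db8::1:
    Packets: Sent = 3, Received = 2, Lost = 1 (33% loss),
"""

TARGET_RE = re.compile(r"^Pinging (?:\S+ \[(?P<ip>[^\]]+)\]|(?P<bare>\S+)) with ")
ECHO_RE = re.compile(r"^Reply from (?P<src>.+?): (?:bytes=\d+ )?time[=<](?P<rtt>\d+)ms")
ERROR_RE = re.compile(r"^(?:Reply from (?P<src>.+?): )?"
                      r"(?P<msg>Destination (?:host|net|port) unreachable|TTL expired in transit)\.")
TIMEOUT_RE = re.compile(r"^Request timed out\.")
STATS_RE = re.compile(r"Packets: Sent = (?P<sent>\d+), Received = (?P<recv>\d+), Lost = (?P<lost>\d+)")


def parse_ping(output):
    """Tally what each line actually says, independently of the summary line."""
    parsed = {"target": None, "echo_replies": 0, "timeouts": 0,
              "errors": [], "reported_received": None}
    for raw in output.splitlines():
        line = raw.strip()
        m = TARGET_RE.match(line)
        if m:
            parsed["target"] = m.group("ip") or m.group("bare")
            continue
        m = ECHO_RE.match(line)
        if m:
            # Only an echo reply from the target itself proves the target is up.
            if parsed["target"] in (None, m.group("src")):
                parsed["echo_replies"] += 1
            continue
        if TIMEOUT_RE.match(line):
            parsed["timeouts"] += 1
            continue
        m = ERROR_RE.match(line)
        if m:
            # An ICMP error comes from a router or the local stack, not from
            # the target, yet Windows still counts it under "Received".
            parsed["errors"].append((m.group("src"), m.group("msg")))
            continue
        m = STATS_RE.search(line)
        if m:
            parsed["reported_received"] = int(m.group("recv"))
    return parsed


def verdict(parsed, previously_reachable=False):
    """'up' needs a real echo reply; silence is 'down' only for a host that
    has replied before, else 'inconclusive' (something may be dropping ICMP)."""
    if parsed["echo_replies"] > 0:
        return "up"
    if parsed["errors"]:
        return "unreachable-reported"
    if parsed["timeouts"] > 0:
        return "down" if previously_reachable else "inconclusive"
    return "no-data"


if __name__ == "__main__":
    for name, text in (("filtered", SAMPLE_FILTERED),
                       ("unreachable", SAMPLE_UNREACHABLE),
                       ("ipv6", SAMPLE_IPV6_OK)):
        p = parse_ping(text)
        print(f"{name}: echo_replies={p['echo_replies']} "
              f"reported_received={p['reported_received']} -> {verdict(p)}")
```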



]]></content:encoded>
			<wfw:commentRss>http://retrohack.com/how-to-troubleshoot-networks-with-ping/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://retrohack.com/how-to-troubleshoot-networks-with-ping/</feedburner:origLink></item>
		<item>
		<title>I won’t be quitting my day job anytime soon…</title>
		<link>http://feedproxy.google.com/~r/Retrohack/~3/2uxJr8RL1sc/</link>
		<comments>http://retrohack.com/i-wont-be-quitting-my-day-job-anytime-soon/#comments</comments>
		<pubDate>Wed, 07 Jul 2010 12:30:00 +0000</pubDate>
		<dc:creator>Ed Fisher</dc:creator>
				<category><![CDATA[Whatever]]></category>
		<category><![CDATA[geek]]></category>
		<category><![CDATA[guest post]]></category>
		<category><![CDATA[personal]]></category>

		<guid isPermaLink="false">http://retrohack.com/i-wont-be-quitting-my-day-job-anytime-soon/</guid>
		<description><![CDATA[however, I am now, officially, a paid and published blogger. My first blog post for something other than my own blog was just published on LoveMyTool.com. I lurve the graphic they chose for the post, and am really quite grateful that they requested the bio. Then they went a step further, linking it to my [...]
]]></description>
			<content:encoded><![CDATA[
<p>however, I am now, officially, a paid <strong>and published</strong> blogger. My first blog post for something other than my own blog was just published on <a href="http://www.lovemytool.com" target="_blank">LoveMyTool.com</a>. I lurve the graphic they chose for the post, and am really quite grateful that they requested the bio. Then they went a step further, linking it to <a href="http://www.linkedin.com/in/edfisher" target="_blank">my profile on LinkedIn</a>. That&#8217;s class for you. If you&#8217;d like to read it, click the pretty picture below.</p>
<p><a href="http://www.lovemytool.com/blog/2010/06/a-patch-management-strategy-for-your-network-by-ed-fisher-.html"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="My first paid post!" border="0" alt="My first paid post!" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/image20.png" width="644" height="548" /></a></p>



]]></content:encoded>
			<wfw:commentRss>http://retrohack.com/i-wont-be-quitting-my-day-job-anytime-soon/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		<feedburner:origLink>http://retrohack.com/i-wont-be-quitting-my-day-job-anytime-soon/</feedburner:origLink></item>
		<item>
		<title>Use all your well-learned politesse</title>
		<link>http://feedproxy.google.com/~r/Retrohack/~3/_HzR1DjYKwQ/</link>
		<comments>http://retrohack.com/use-all-your-well-learned-politesse/#comments</comments>
		<pubDate>Mon, 05 Jul 2010 12:30:00 +0000</pubDate>
		<dc:creator>Ed Fisher</dc:creator>
				<category><![CDATA[Whatever]]></category>
		<category><![CDATA[personal]]></category>
		<category><![CDATA[rants]]></category>

		<guid isPermaLink="false">http://retrohack.com/use-all-your-well-learned-politesse/</guid>
		<description><![CDATA[While most IT recruiters are great people who sincerely try to take care of their clients and their candidates, there are a few out there who exhibit some behaviours that are just dead wrong. This rant is intended to call them out on this, and release some of the built-up rage I'm harbouring. It's also a veiled thank you to five who go above and beyond...if all were half as good as these five, IT would put recruiting on a pedestal.
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://retrohack.com/tag/rants/" target="_blank"><img style="border-right-width: 0px; margin: 0px 10px 0px 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" border="0" alt="rants" align="left" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/05/rants.jpg" /></a>Or I&#8217;ll lay your soul to waste. Okay, so perhaps I was starting this post out with a chip on my shoulder, but I had good cause. Instead, I think I will make a small mental adjustment, &lt;applies blunt object to back of own skull&#8230;<em>there, that&#8217;s better&gt; </em>and instead, I will point out some things that a few folks are doing <strong>well</strong> instead of what others are doing wrong. I&#8217;m leaving this tagged as a rant, because there are some things still bubbling below the surface. Read on if you are so inclined; otherwise, skip this post and we&#8217;ll get back to tech next time, I promise. </p>
<p>I started to title this post &quot;What the hell is wrong with recruiters these days?&quot; but I realised that was not fair, and would needlessly offend the vast majority, so if you are reading this far, I&#8217;ve gotten your attention sufficiently to make it clear that I believe my beef to be with only a very few individuals. It is unfortunate that the actions of these few colour the impressions of so many others. I can only imagine (though I also expect) that recruiters have similar issues with candidates, and if any recruiter out there reads this, I beg you to leave a comment with your side of the story. I&#8217;ve not done your job, so I can&#8217;t speak to it fairly. <em>Disclaimer: I am not actively looking for a new position, though in this economy only a fool would not be open to learning about an opportunity if it existed. Many of my family and friends are, however, and this post was as much inspired by what is happening to them now as what has happened to me in the past.</em></p>
<p><span id="more-1989"></span></p>
<p>If you caught the quote, you may be asking if I am comparing recruiters to the Devil. Hardly. I&#8217;m sure that most are wonderful and hardworking people who care about their clients and the candidates they represent. It&#8217;s the small minority that I am ranting about in this post, and a sad statement on affairs that folks have stories to share only when things go wrong. Let me take a moment to try to balance the scales.</p>
<p>I have dealt with some great recruiters in the past, including <a href="http://www.linkedin.com/profile?viewProfile=&amp;key=33871450&amp;authToken=c12B&amp;authType=name&amp;goback=%2Econ" target="_blank">Joe Silvestrini</a> at Signature Consultants, <a href="http://www.linkedin.com/profile?viewProfile=&amp;key=16080922&amp;authToken=Qq3U&amp;authType=name&amp;goback=%2Econ" target="_blank">Janelle Martin</a> when she was at Synigent, <a href="http://www.linkedin.com/profile?viewProfile=&amp;key=17095489&amp;authToken=W8QJ&amp;authType=name&amp;goback=%2Econ" target="_blank">Cyrus Panthaki</a> at Collabera, <a href="http://www.linkedin.com/profile?viewProfile=&amp;key=17138250&amp;authToken=Md18&amp;authType=name&amp;goback=%2Econ" target="_blank">Trey Scott</a> when he was at Comsys, and <a href="http://www.linkedin.com/profile?viewProfile=&amp;key=6396108&amp;authToken=Hylr&amp;authType=name&amp;goback=%2Econ" target="_blank">Kevin Nangle</a> at Ettain Group. Before you jump to conclusions, only two of those five actually were involved in something that resulted in my getting a job. But all five exhibited some traits that others seem to be painfully and blatantly missing. Why do I call out the five fine folks above for doing a great job? Here&#8217;s the rundown.</p>
<ul>
<li><strong>They keep their word        <br /></strong>All five of the above stand out in my mind because they <em>never</em> failed to follow through with something they said. Whether it was getting me information, updating me on the status of an opportunity, arranging an interview, or simply checking in with me to see how things are going, they never said they would do something and then didn&#8217;t. They always got back to me in the time frame they promised&#8230;even if it was only to inform me about a delay completely beyond their control. </li>
<li><strong>They don&#8217;t bullshit </strong>      <br />Simple, straight-forward communication: they never built something up to be what it wasn&#8217;t; they never tried to sugar coat something. </li>
<li><strong>They read and understand the job request and the candidate&#8217;s resume        <br /></strong>The five above never pitched me an opportunity that wasn&#8217;t a good fit. They know what I can do, and what I cannot, and if they were not certain because it was something <em>really </em>obscure, they opened with &quot;I&#8217;m not sure if this is for you, but I wanted to run it by you because it sounds like it might be.&quot; </li>
<li><strong>They understood my salary requirements. </strong>      <br />I love Mercedes Benz, but I am on a Ford budget. I&#8217;m not going to go test drive a Mercedes, and then offer the dealer $30K for it. The folks above always respected my salary requirements, and only proffered opportunities that could afford me. </li>
</ul>
<p><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/flipacoin.jpg"><img style="border-right-width: 0px; margin: 0px 10px 0px 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="flipacoin" border="0" alt="flipacoin" align="left" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/flipacoin_thumb.jpg" width="86" height="127" /></a> So on the flip side, (yes, the rant is coming out of the box, I just could not keep it in) for other recruiters, what&#8217;s puzzling me is the nature of their game. Let&#8217;s talk about some things that just really seem to be on the rise, and that piss me right off. I&#8217;ll tell you what&#8230;if you are a recruiter reading this (thank you for bearing with me this far, and I know that recruiters hit my blog&#8230;I can find a referral or source ip.addr from a recruiter&#8217;s office that correlates to an email or phone call more than half the time these days) I&#8217;ll make you a deal. If you see any of the following that feel awkwardly familiar, don&#8217;t call me, and in return, I promise not to cause your computer to bluescreen ever again, <strong>and</strong> I&#8217;ll cancel any logic bomb I attached to your credit report. The following seem to be common amongst my peeps&#8230;it&#8217;s not just me this happens to, I&#8217;m just the guy with the blog. Since I experienced ALL of these, multiple times last year, I am writing this using the first person perspective.</p>
<ul>
<li><strong>Dropping off the planet        <br /></strong>You call, you&#8217;ve got the perfect position, the hiring manager needs to fill it as soon as possible, you need me to send you my resume just as soon as I possibly can&#8230;and then I never hear from you again. You don&#8217;t respond to my emails, you don&#8217;t return my calls, you just disappear. If that is how you intend to play things&#8230;frak you. The job req got closed? They found another candidate? They think my resume sucks? Fine, a simple one line email is sufficient&#8230;ignoring my emails and dodging my calls by having the receptionist tell me you are on another call and will get back to me as soon as you can (which implies at the very least, by tomorrow sometime) and then not, is the social equivalent of my &#8216;frak you&#8217; above. By saying it straight out, I&#8217;m just a little more respectful of your time. Have the courtesy to tell me that straight. </li>
<li><strong>Pitching me the perfect position, without it being a real position.        <br /></strong>Okay, so perhaps the hiring manager/client is at fault for this, and not you, but then again, it&#8217;s simple enough to ask the client if the request is funded already or not. If it&#8217;s a spec position, or a pipedream, or something they really want but don&#8217;t have approved yet, set the proper expectations with me up front. </li>
<li><strong>Asking me about a job three hours away, and then wondering why I am not interested.        <br /></strong>Dude, seriously? North Carolina is a big-ass state. There may be a metric assload of jobs in the RTP area, but I am in Charlotte. If you&#8217;re not from North Carolina, the East Coast, or even the United States, I should probably excuse your lack of geographic awareness, but if you are calling from the 919 area code, you should know better. Is the job market really so bad that folks are taking jobs hours away, getting a cheap dump to sleep in, and only coming home on weekends? And they are willing to do this for $40 an hour? I call bullshit.</li>
<li><strong>Promising to send me information, and then not.        <br /></strong>I mean, really, what the hell is up with that? Half the time, all you are really needing to do is forward me an email. Is that really so hard to do?</li>
<li><strong>Requiring my social security number before making me a job offer.       <br /></strong>How about no, with a side of nein, nichts, nichevo, nacho, and nyet. Should we get to the point where there is an offer to tender, and I want to accept, then of course I will provide it. But requiring it just for the privilege of applying for a position (Government jobs not included) is wrong.       <br />Need it to do a background check? Then make me an offer contingent on the background check. Want it just to have the hiring manager do the first telephone call&#8230;go piss up a rope. </li>
<li><strong>Stringing me along.</strong>      <br />We&#8217;ve gone through the phone calls, the in person interviews, and everything went swimmingly well. The client loved me, I&#8217;m perfect for the job. We just need to close the deal. Four weeks later you are still telling me that everything looks good, but the hiring manager took vacation, or her boss is out of the country and has to sign off, or the HR rep is still working on the position, or something like that. The best I ever heard was that the hiring manager is just too busy to start a new person right now. Okay, is that really the bullshit it sounds like, or is he so stupid that he doesn&#8217;t realise hiring the new guy would help with being so damn busy? Me, I think it&#8217;s the bullshit, but I don&#8217;t want to work for someone if they are really that stupid. </li>
<li><strong>Hitting me with something that is not even remotely close to what I do or where I do it.        <br /></strong>Though I am not actively looking, I get pinged by phone or email four days out of five, for jobs that are either NOWHERE near me (I checked&#8230;my profiles on the job boards do have the right zip code for me, and the commuting range is &lt;25 miles, and no, relocation to anywhere is not set as an option.) Yes, I do have some rather boutique skills that some recruiters need badly enough to call a candidate just in case they would be interested, but <strong>where in the blue hell does it say on my resume that I code Java, or COBOL, or know RACF???!!! Oracle? Nowhere on my resume.</strong> I don&#8217;t expect a technical recruiter to understand that Cisco ACS is the bastard lovechild of TACACS+. I don&#8217;t expect them to know that AD LDS and ADAM are essentially the same thing. I do expect them to know that a Windows guy doesn&#8217;t work on mainframes, and a network engineer doesn&#8217;t normally write C# code. Java, COBOL, and RACF are all sufficiently distinct technologies that they merit specific mention on someone&#8217;s resume if they actually have experience with them. Key word searches, yours are broken. </li>
<li><strong>Insisting on a face to face meeting, and then bailing.        <br /></strong>This happened to Connie just the other day. Before she could be presented to the client, she had to come meet with the recruiter&#8230;something about how they have to meet all candidates in person before presenting them to the client. Okay, the recruiter&#8217;s office is 35 minutes away. She gets dressed up, drives all the way over there, arrives early, is left sitting in the lobby for 25 minutes PAST the appointment time, only to have the recruiter&#8217;s secretary finally come out, shake hands, present the recruiter&#8217;s card, make small talk for a couple of minutes, then wish her well. Whut? He couldn&#8217;t even be bothered to say hi, let alone keep the appointment? Dude, piss off. That was just about as lame as anything I have ever encountered. Oh, yeah, same jackass has since fallen off the planet. </li>
</ul>
<p>Oh I could go on, but I just looked down and saw the word count already over 1900, so let me end with this. In a way, I do have sympathy for the devil, since for the greatest part of what I know, recruiters are kind of like commissioned salespeople. If they can&#8217;t fill the gig, they don&#8217;t get their piece of the pie. I just don&#8217;t understand why some of them can&#8217;t have some courtesy, some sympathy, some taste.   </p>
<p>Direct link for RSS and email subscribers&#8230;<a href="http://www.youtube.com/watch?v=iLddJ1WceHQ">http://www.youtube.com/watch?v=iLddJ1WceHQ</a></p>
<p><em>If you have a recruiter gripe, please sound off below. If you are a recruiter with a candidate gripe, please do likewise. If you think I am full of it&#8230;.let me know.</em></p>



]]></content:encoded>
			<wfw:commentRss>http://retrohack.com/use-all-your-well-learned-politesse/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://retrohack.com/use-all-your-well-learned-politesse/</feedburner:origLink></item>
		<item>
		<title>Happy Independence Day</title>
		<link>http://feedproxy.google.com/~r/Retrohack/~3/hK-BOdlESKw/</link>
		<comments>http://retrohack.com/happy-independence-day/#comments</comments>
		<pubDate>Sun, 04 Jul 2010 12:30:00 +0000</pubDate>
		<dc:creator>Ed Fisher</dc:creator>
				<category><![CDATA[Whatever]]></category>
		<category><![CDATA[personal]]></category>

		<guid isPermaLink="false">http://retrohack.com/happy-independence-day/</guid>
		<description><![CDATA[RetroHack would like to wish everyone a very happy Fourth of July holiday, which in the United States is Independence Day and for the rest of the galactic quadrant is the birthday of the Crab Nebula. I&#8217;ve always gotten a chuckle that here in the US we celebrate the date we declared our Independence from [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/americanflag1.jpg"><img style="border-bottom: 0px; border-left: 0px; margin: 0px 10px 0px 0px; display: inline; border-top: 0px; border-right: 0px" title="americanflag" border="0" alt="americanflag" align="left" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/07/americanflag_thumb1.jpg" width="72" height="81" /></a>RetroHack would like to wish everyone a very happy Fourth of July holiday, which in the United States is <a href="http://en.wikipedia.org/wiki/Independence_Day_(United_States)" target="_blank">Independence Day</a> and for the rest of the galactic quadrant is the birthday of the <a href="http://en.wikipedia.org/wiki/Crab_Nebula">Crab Nebula</a>. I&#8217;ve always gotten a chuckle that here in the US we celebrate the date we declared our Independence from what today is our most stalwart and loyal ally, but hey, it works, I love to cook out, and it is one of the family&#8217;s <a href="http://www.imdb.com/title/tt0116629/" target="_blank">favourite movies</a>. Happy Birthday America!</p>
<p>In honour of the day our forefathers declared those things that would become the foundation of our country, our way of life, and the example we try to set for the rest of the world, I invite you to actually read the <a href="http://www.ushistory.org/declaration/document/index.htm" target="_blank">Declaration of Independence</a>. Then read Thomas Jefferson&#8217;s <a href="http://www.ushistory.org/declaration/account/index.htm" target="_blank">autobiographical account</a> of the events leading up to the Declaration. If that&#8217;s too much for a day devoted to cook-outs, fun with friends and family, and fireworks, try these quotations instead. While they are not specifically about Independence Day, I think they capture the spirit of the occasion.</p>
<blockquote><p>Those who expect to reap the blessings of freedom, must, like men, undergo the fatigue of supporting it.&#160; <br />~Thomas Paine</p>
<p>It is easy to take liberty for granted, when you have never had it taken from you.&#160; <br />~Author unknown, sometimes attributed to M. Grundler</p>
<p>We on this continent should never forget that men first crossed the Atlantic not to find soil for their ploughs but to secure liberty for their souls.&#160; <br />~Robert J. McCracken</p>
<p>Those who deny freedom to others deserve it not for themselves.&#160; <br />~Abraham Lincoln</p>
<p>Freedom is never free.&#160; <br />~Author Unknown</p>
<p>There is nothing wrong with America that cannot be cured by what is right with America.&#160; <br />~William J. Clinton</p>
<p>My God! How little do my countrymen know what precious blessings they are in possession of, and which no other people on earth enjoy!      <br />~Thomas Jefferson</p>
</blockquote>
<p>I hope you all have a very enjoyable and safe holiday! Kiss your family, hug your friends, party safely, and thank a veteran. &lt;♫&gt;<em>When Smokey sings, I hear violins&#8230;</em>&lt;/♫&gt;</p>
<p>Direct link for RSS and email subscribers&#8230;<a href="http://www.youtube.com/watch?v=qZUoV_iw0II">http://www.youtube.com/watch?v=qZUoV_iw0II</a></p>
<p><em>We&#8217;ll be cooking out, taking it easy, and watching Independence Day as a family, and then maybe catching some fireworks. If you are in the United States, what will you be doing to celebrate?</em></p>



]]></content:encoded>
			<wfw:commentRss>http://retrohack.com/happy-independence-day/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		<feedburner:origLink>http://retrohack.com/happy-independence-day/</feedburner:origLink></item>
		<item>
		<title>howto://configure pptp vpn support on tmg 2010</title>
		<link>http://feedproxy.google.com/~r/Retrohack/~3/i-51lS01g3U/</link>
		<comments>http://retrohack.com/how-to-configure-pptp-vpn-support-on-tmg-2010/#comments</comments>
		<pubDate>Fri, 02 Jul 2010 12:30:00 +0000</pubDate>
		<dc:creator>Ed Fisher</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[firewalls & vpn]]></category>
		<category><![CDATA[howto]]></category>
		<category><![CDATA[isa & tmg]]></category>

		<guid isPermaLink="false">http://retrohack.com/howtoconfigure-pptp-vpn-support-on-tmg-2010/</guid>
		<description><![CDATA[In this post, we&#8217;re going to go through setting up our TMG 2010 server to support client PPTP VPN. We&#8217;ll go over why PPTP is a good choice for many businesses, the basic network setup involved, and then finally, how to actually configure our TMG server to support PPTP clients. Much of what we will [...]
]]></description>
			<content:encoded><![CDATA[
<p><img style="border-right-width: 0px; margin: 5px 10px 5px 5px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" border="0" alt="isa-tmg" align="left" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/05/isatmg.png" /></p>
<p>In this post, we&#8217;re going to go through setting up our TMG 2010 server to support client PPTP VPN. We&#8217;ll go over why PPTP is a good choice for many businesses, the basic network setup involved, and then finally, how to actually configure our TMG server to support PPTP clients.</p>
<p>Much of what we will cover here is the same for other VPN protocols. You can either use this post and skip ahead to configuring the other protocols, or stay tuned&#8230;we&#8217;ll be covering L2TP/IPSEC,&#160; SSTP, and IKEv2 in upcoming posts. If this sounds like the post for you, please read on.</p>
<p><span id="more-1980"></span></p>
<h3>Finding the right balance between security and usability</h3>
<p><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/scales.png"><img style="border-right-width: 0px; margin: 5px 10px 5px 5px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="it&#39;s about finding the right balance for you" border="0" alt="it&#39;s about finding the right balance for you" align="left" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/scales_thumb.png" width="100" height="100" /></a> </p>
<p>I am sure that some of you are reading this and thinking I am off my nut for recommending PPTP over SSTP, L2TP/IPSec, or IKEv2. I may be off my nut, but not about this. Here is why. PPTP is the one VPN protocol that is the common denominator or universal dialect amongst all our diverse platforms. Whether you have <em>any</em> version of Windows, Mac OS X, Linux, iPod Touch, iPhone, or Droid, you have PPTP support, and you have it built-in (or, in the case of some Linux distros, a simple package add away). TMG offers other protocols, but they are Windows-focused. PPTP support means you can supply a secure connection to any device you have. Using MPPE with 128-bit encryption and authenticating against AD using MS-CHAPv2, and with a strong password policy and account lockout, should cover your bases in all but the most stringent requirements. Yes, you do NOT get mutual authentication with PPTP (unless you implement some EAP methods that will reduce the ubiquity of this solution), but this post is more about supporting diverse clients securely, and less about just how thick the tinfoil hat is. If your situation requires 3DES or AES, and mutual authentication, skip this post and come back in a few&#8230;I should have something on that soon. If your situation includes trying to support the VP of Marketing&#8217;s Mac, and your Linux box, and your boss&#8217;s iPhone&#8230;well this post is for you. Been there, done that, wrote the post.</p>
<h3>Prerequisites</h3>
<p>In this post, our TMG 2010 server is directly connected to the Internet on its external NIC (live ip.addr, no other firewall in front of it) and we have another NIC directly connected to the internal network. We&#8217;re using the DHCP service provided by another server on the internal network, which assigns VPN clients ip.addrs directly on the internal segment. In other words, a fairly vanilla setup. Also, we&#8217;re <strong>not</strong> split-tunneling. All traffic comes home once the VPN client is connected, and anything destined for the Internet routes back out through the TMG. Why, you ask? There are times when I have to use an open wireless network. I&#8217;d much rather tunnel ALL of my traffic over the VPN than only protect what I am sending home. See <a href="http://www.giac.org/certified_professionals/practicals/GSEC/04267.php" target="_blank">this paper</a> if you&#8217;d like to know more about the dangers of open wireless hotspots. I think you&#8217;ll agree that it is worth the extra bandwidth to provide more protection to our users.</p>
<h3>Setting it up</h3>
<p>The TMG Management Console divides this up into six sections, which makes for a pretty straightforward setup until you find that many of the steps take you to different tabs on the same dialog. We&#8217;re going to hit them the first time they pop up instead of running this strictly by the numbers. Browse down to Remote Access Policy (VPN), click it and then click on Configure Address Assignment Method to begin.</p>
<h4>Step One-Configure Address Assignment Method</h4>
<p>Click on the Configure Address Assignment Method, which brings up a new dialog that we begin on the second tab, which is kind of strange, but we can work with it. Here, since we are using a DHCP server on the internal network, we select the radio button for DHCP, and choose the Internal network from the drop down list for name resolution services.&#160;&#160; <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/image36.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/image_thumb36.png" width="414" height="458" /></a>&#160;</p>
<blockquote><p>If you want to set a static range instead, click that radio button, select your server from the dropdown, enter your starting and ending address, and then click OK. Then click the Advanced button at the bottom of this tab to enter DNS and WINS server information, since clients on a static range will not get those from DHCP.</p>
</blockquote>
<h4>Step Two-Access Networks</h4>
<p>Click the Access Networks tab and make sure that both External and Internal networks are checked. That allows our connected VPN clients to route to our internal network and still hit the Internet.   <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/image37.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/image_thumb37.png" width="409" height="452" /></a> </p>
<h4>Step Three-Authentication</h4>
<p>Now click on the Authentication tab. Check only MS-CHAPv2. It is the strongest password-based method on this list: the password itself is never sent (it is a challenge/response exchange), and it is the exchange MPPE derives its 128-bit session key from, so leaving the weaker methods unchecked also stops a client from negotiating down to one that cannot key the encryption at all.   <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/image38.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/image_thumb38.png" width="408" height="453" /></a>     <br />Since we are not going to use RADIUS in this post, click OK.</p>
<h4>Step Four-Specify Windows Users</h4>
<p>Click on Specify Windows Users and, once again, land on the second tab of the dialog box. Here, you can add the AD group(s) that you want to permit to connect to your VPN. If that is everybody, select Domain Users (a dedicated VPN group is easier to audit, and to pull someone out of, than Domain Users, but that is your call).   <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/image39.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/image_thumb39.png" width="411" height="456" /></a>&#160;</p>
<p>Then click on the General tab, make sure the check box is set to Enable VPN client access, and enter the maximum number of concurrent connections you want to allow. </p>
<p>Then click the Protocols tab. Since today we are only doing PPTP, that is all you need to check.   <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/image40.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/image_thumb40.png" width="410" height="455" /></a> </p>
<p>User Mapping is for RADIUS and EAP, and we&#8217;re not using either this time. Quarantine is something to play with <strong>AFTER you get connections working</strong> so for now, resist the urge to click anything else except OK. Since a lot of what quarantine can do is limited to domain computers, we&#8217;re going to leave that for another post on another day.</p>
<h4>Step Five-Configure your firewall policy</h4>
<p>Click on View Firewall Policy for the VPN Clients Network to go back to your Firewall Policy. You can restrict access to the Internet for VPN clients, and if you put them on a different network segment than the internal one, you can even limit their connections to the internal network. Since I am setting this up for trusted clients that already have full access to the internal network, and open access to the Internet, I just need to make sure that the TMG-defined network &quot;VPN Clients&quot; is in the AllowAllOutbound rule that I created <a href="http://retrohack.com/let-me-out-configuring-outbound-access-rules-in-tmg-2010/" target="_blank">back here</a>.    <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/image41.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/image_thumb41.png" width="644" height="114" /></a>     <br />Make any desired changes to this for your level of comfort, and then click back on Remote Access Policy (VPN) to continue.</p>
<h4>Step Six-View Network Rules</h4>
<p>If you are connecting your VPN clients directly to the Internal network, they will be sharing the internal interface of your TMG. If you want to create a virtual subnet for VPN clients, you can either decide to route that traffic bi-directionally through your TMG, or you can NAT the VPN clients to the inside network. Here is where you define that. Since we are connecting VPN clients directly, we choose the Route option, which should be selected by default.   <br /><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/image42.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/image_thumb42.png" width="644" height="341" /></a> </p>
<h4>Step Seven-Test it out</h4>
<p>Get a client on another network, and set up a PPTP connection from it to your TMG. If there is another edge device between your TMG and the Internet, you want to make sure that inbound TCP 1723 and bidirectional IP protocol 47 (GRE) are both open. TCP 1723 is only the control channel that sets the call up; the PPP session, which is where the MS-CHAPv2 authentication exchange and all of the MPPE-encrypted traffic live, is carried inside GRE. MS-CHAPv2 is a challenge/response, so the password itself never crosses the wire, only the response computed from it. If all goes well, you will be prompted for your username and password. Enter your creds (assuming you have valid credentials for a user who is a member of a permitted group) and, if GRE is also open, you should be connected. Yay! If TCP 1723 is open but GRE is blocked, the client typically gets as far as &quot;Verifying user name and password&quot; and then fails, because the PPP frames carrying the authentication never make it through. If you&#8217;re not connected, here&#8217;s some troubleshooting tips.</p>
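<p>As an added example (my code, not part of the original post), here is a small Python script that checks the first half of that: that whatever answers on TCP 1723 is really a PPTP server and not merely an open port. It sends the RFC 2637 Start-Control-Connection-Request and decodes the Start-Control-Connection-Reply, so you get the server&#8217;s result code, host name and vendor string back. The server name <code>tmg01</code> and the vendor string in the constructed sample reply are made up for the offline checks. It cannot exercise GRE, so a clean result here together with a client that stalls at &quot;Verifying user name and password&quot; still points at GRE.</p>

```python
"""PPTP control-channel check (RFC 2637) for the "test it out" step.

Connects to TCP 1723, sends a Start-Control-Connection-Request (SCCRQ) and
parses the Start-Control-Connection-Reply (SCCRP).  Result code 1 proves the
far end speaks PPTP, not just that the port is open.  GRE (IP protocol 47),
which carries the PPP session, is not tested here.
"""
import socket
import struct

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
MSG_CONTROL = 1
CTRL_SCCRQ = 1
CTRL_SCCRP = 2
PPTP_VERSION = 0x0100
PKT_LEN = 156  # SCCRQ and SCCRP are both fixed-size messages

# Common prefix: length, message type, magic cookie, control type, reserved0, version
_HDR = struct.Struct("!HHIHHH")
# SCCRQ body: reserved1, framing caps, bearer caps, max channels, firmware, host, vendor
_SCCRQ_BODY = struct.Struct("!HIIHH64s64s")
# SCCRP body: result code, error code, framing caps, bearer caps, max channels, firmware, host, vendor
_SCCRP_BODY = struct.Struct("!BBIIHH64s64s")

RESULT_TEXT = {  # SCCRP result codes, RFC 2637 section 2.2
    1: "successful channel establishment",
    2: "general error",
    3: "command channel already exists",
    4: "requester not authorized",
    5: "unsupported protocol version",
}


def build_sccrq(hostname=b"pptp-check", vendor=b"retrohack"):
    """Build the SCCRQ a client sends first; host name and vendor are informational."""
    hdr = _HDR.pack(PKT_LEN, MSG_CONTROL, MAGIC_COOKIE, CTRL_SCCRQ, 0, PPTP_VERSION)
    body = _SCCRQ_BODY.pack(0, 0x3, 0x3, 1, 0x0100,
                            hostname.ljust(64, b"\x00"), vendor.ljust(64, b"\x00"))
    return hdr + body


def parse_sccrp(data):
    """Decode an SCCRP; raise ValueError if the bytes are not a PPTP control reply."""
    if len(data) < PKT_LEN:
        raise ValueError("short reply (%d bytes): not a PPTP control message" % len(data))
    _length, msg_type, cookie, ctrl_type, _reserved, version = _HDR.unpack_from(data, 0)
    if cookie != MAGIC_COOKIE:
        raise ValueError("bad magic cookie 0x%08X: something other than PPTP answered" % cookie)
    if msg_type != MSG_CONTROL or ctrl_type != CTRL_SCCRP:
        raise ValueError("expected SCCRP, got control message type %d" % ctrl_type)
    result, error, _framing, _bearer, _max_chan, _fw, host, vendor = \
        _SCCRP_BODY.unpack_from(data, _HDR.size)
    return {
        "ok": result == 1,
        "result_code": result,
        "result_text": RESULT_TEXT.get(result, "unknown"),
        "error_code": error,
        "version": "%d.%d" % (version >> 8, version & 0xFF),
        "hostname": host.rstrip(b"\x00").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\x00").decode("ascii", "replace"),
    }


def sample_sccrp(result=1, hostname=b"tmg01", vendor=b"Microsoft"):
    """Constructed reply for offline testing; the host and vendor names are made up."""
    hdr = _HDR.pack(PKT_LEN, MSG_CONTROL, MAGIC_COOKIE, CTRL_SCCRP, 0, PPTP_VERSION)
    body = _SCCRP_BODY.pack(result, 0, 0x3, 0x3, 0xFFFF, 0x0100,
                            hostname.ljust(64, b"\x00"), vendor.ljust(64, b"\x00"))
    return hdr + body


def check_pptp(host, port=PPTP_PORT, timeout=5.0):
    """Live check against a real server: open the control channel and read the SCCRP."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sccrq())
        buf = b""
        while len(buf) < PKT_LEN:
            chunk = s.recv(PKT_LEN - len(buf))
            if not chunk:
                break
            buf += chunk
    return parse_sccrp(buf)


if __name__ == "__main__":
    import sys
    info = check_pptp(sys.argv[1])
    print("PPTP %s: %s (host %s, vendor %s)" % ("OK" if info["ok"] else "FAIL",
          info["result_text"], info["hostname"], info["vendor"]))
```

<p>Run it from the outside as <code>python pptp_check.py your.tmg.external.address</code> (file name and address assumed). Any result code at all means PPTP is listening and TCP 1723 is getting through the edge; a timeout or a &quot;bad magic cookie&quot; means something in front of the TMG is eating or answering that port.</p>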
<p>You can use the live logging in TMG to focus on VPN client connections. Browse down to Logs &amp; Reports, edit your filter to look at VPN Client sessions. I like to do this live while the client connects, but you can also look at historical records if you wish. <a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/image43.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/image_thumb43.png" width="644" height="426" /></a> </p>
<p>Always look first for authentication errors. I can&#8217;t tell you how many hours I have wasted assuming the user had good information, only to find out they didn&#8217;t. Also look for protocol errors, and make sure the client is set up for MS-CHAPv2 to match your requirements; a client that only offers the methods you unchecked will fail authentication even with a perfectly good password.</p>
<p>If you&#8217;re having other problems, here&#8217;s the links to our VPN troubleshooting series (<a href="http://retrohack.com/howto-troubleshoot-microsoft-vpn-connections-part-one/" target="_blank">part one</a>, <a href="http://retrohack.com/howto-troubleshoot-microsoft-vpn-connections-part-two/" target="_blank">part two</a>, and <a href="http://retrohack.com/howto-troubleshoot-microsoft-vpn-connections-part-three/" target="_blank">part three</a>.) You can check them out, or leave a comment below if you&#8217;d like some more help. Until next time, while you are tunneling data securely, enjoy the best song Springsteen&#8217;s ever done. </p>
<div style="padding-bottom: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; float: none; padding-top: 0px" id="scid:5737277B-5D6D-4f48-ABFC-DD9C333F4C5D:f412b1a9-b5f0-4091-be3c-a0f4a7218b00" class="wlWriterEditableSmartContent">
<div><object width="425" height="355"><param name="movie" value="http://www.youtube.com/v/Nw2OnNoy5JQ&amp;hl=en_US&amp;fs=1&amp;border=1&amp;hl=en"></param><embed src="http://www.youtube.com/v/Nw2OnNoy5JQ&amp;hl=en_US&amp;fs=1&amp;border=1&amp;hl=en" type="application/x-shockwave-flash" width="425" height="355"></embed></object></div>
</div>
<p>Direct link for RSS and email subscribers&#8230;<a href="http://www.youtube.com/watch?v=Nw2OnNoy5JQ&amp;feature=fvst">http://www.youtube.com/watch?v=Nw2OnNoy5JQ&amp;feature=fvst</a></p>



<p>You might also enjoy:<ol><li><a href='http://retrohack.com/howtoinstalling-microsoft-forefront-tmg-2010-part-two/' rel='bookmark' title='Permanent Link: howto://Installing Microsoft Forefront TMG 2010, part two'>howto://Installing Microsoft Forefront TMG 2010, part two</a></li>
<li><a href='http://retrohack.com/howtopublish-a-web-farm-using-tmg-2010-part-one/' rel='bookmark' title='Permanent Link: howto://publish a web farm using TMG 2010-part one'>howto://publish a web farm using TMG 2010-part one</a></li>
<li><a href='http://retrohack.com/howtopublish-dns-using-tmg-2010-or-isa-2006/' rel='bookmark' title='Permanent Link: howto://publish DNS using TMG 2010 or ISA 2006'>howto://publish DNS using TMG 2010 or ISA 2006</a></li>
</ol></p>]]></content:encoded>
			<wfw:commentRss>http://retrohack.com/how-to-configure-pptp-vpn-support-on-tmg-2010/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://retrohack.com/how-to-configure-pptp-vpn-support-on-tmg-2010/</feedburner:origLink></item>
		<item>
		<title>Cleartext protocols give me a R(a)SH</title>
		<link>http://feedproxy.google.com/~r/Retrohack/~3/wDYB_8eyrrQ/</link>
		<comments>http://retrohack.com/remote-shell-for-windows/#comments</comments>
		<pubDate>Wed, 30 Jun 2010 12:30:00 +0000</pubDate>
		<dc:creator>Ed Fisher</dc:creator>
				<category><![CDATA[Infrastructure]]></category>
		<category><![CDATA[windows]]></category>

		<guid isPermaLink="false">http://retrohack.com/cleartext-protocols-give-me-a-rash/</guid>
		<description><![CDATA[Need an RSH client for Windows 7, or an RSHd for Server 2008? This post will show you where to get both and how to get them running with almost no effort at all. Reboots not required.


You might also enjoy:<ol><li><a href='http://retrohack.com/howtoinstalling-ms-project-server-2007-on-windows-2008/' rel='bookmark' title='Permanent Link: howto://Installing MS Project Server 2007 on Windows 2008'>howto://Installing MS Project Server 2007 on Windows 2008</a></li>
<li><a href='http://retrohack.com/fixing-530-home-directory-not-accessible/' rel='bookmark' title='Permanent Link: Fixing 530 Home directory not accessible'>Fixing 530 Home directory not accessible</a></li>
<li><a href='http://retrohack.com/routing-protocols-reference/' rel='bookmark' title='Permanent Link: Routing Protocols reference'>Routing Protocols reference</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[<p></p>
<p><a href="http://retrohack.com/tag/windows/" rel="tag"><img style="border-right-width: 0px; margin: 5px 10px 5px 5px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" border="0" alt="windows" align="left" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/05/windows.jpg" /></a>But don&#8217;t worry, the YouTube clip at the end of today&#8217;s post will have nothing to do with skin conditions. Today&#8217;s little adventure in nostalgia posting comes courtesy of a bridge call that I was asked to join so that we could troubleshoot a systems integration issue. The short story is that a process running on one server has to make a remote shell call to a process running on another, and it wasn&#8217;t.</p>
<p>To test things out, it became necessary to install an RSHd on the Windows server, and an RSH client on my Windows 7 workstation, so that I could verify that the communications pathways were there. Of course, MSFT has not included an rsh client since XP, and the RSHd service is now a part of a much larger Services for Unix. Not wanting to go there on the server, and not having an XP workstation at hand, I needed to find a quick way to make this work. I did.</p>
<p><span id="more-1876"></span></p>
<h3>Server</h3>
<p><a href="http://sourceforge.net/users/dubman" target="_blank">Mike Dubman</a> created a <a href="http://rshd.sourceforge.net/" target="_blank">Windows RSH daemon</a> and posted it on <a href="http://sourceforge.net" target="_blank">SourceForge</a>. It is a zip file to download and extract and it includes a simple self-contained binary as well as the source. You can run the RSHd as an application, or install it as a service. To get a listener running without an install and without having to create an .rhosts file, open a cmd prompt in the extracted directory and run</p>
<p><code>rshd -d -r [enter]</code></p>
<p>That is all you need to do to get a listener running for testing. Dubman&#8217;s page includes the documentation on installing it as a service, which is an option if you need it.</p>
<h3>Client</h3>
<p><a href="http://www.ccs.neu.edu/home/bchafy/index.html" target="_blank">Bryan Chafy</a> over at Northeastern University ported the RSH client over to Windows. You can get the rsh executable, along with source, <a href="http://www.ccs.neu.edu/home/bchafy/rsh_vista.html" target="_blank">here</a>. It runs in a cmd prompt just like any other rsh client. Open a cmd prompt in the directory where you extracted the file (I copied it to my cmdlinetools directory, as previously mentioned <a href="http://retrohack.com/groundhog-day-laptop-style/" rel="nofollow">here</a>) and away you go. To give you a feel for it, say I want to execute the <em>hostname </em>cmd to test things out against the server <em>fileserver1</em>.</p>
<p><code>rsh fileserver1 hostname [enter]</code></p>
<p>You should see fileserver1 in the response. You can also use the ip.addr instead of the name if you choose.</p>
<h3>(in)Security</h3>
<p>Just remember that remote shell offers no encryption and, without an .rhosts file, no real authentication at all: the client simply asserts a local and a remote username in its request and rshd takes its word for it, the only other check being that the connection arrived from a privileged source port (which only tells the server that whoever is on the other end is root or Administrator on the client). The usernames, your command, and any response all cross the wire in the clear, so anyone on the path can read them. This is <strong>not</strong> to be considered a replacement for SSH or PowerShell remoting, but when you have to use it for cross-platform/legacy purposes, it&#8217;s nice to have something that just works.</p>
<p><a href="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/image6.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="As you can see, the username efisher is executing the cmd &#39;hostname.&#39;" border="0" alt="As you can see, the username efisher is executing the cmd &#39;hostname.&#39;" src="http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/06/image_thumb6.png" width="644" height="297" /></a> </p>
<blockquote><p>rsh clients connect from a privileged source port (the BSD convention is 512 through 1023, trying 1023 first and working down), and this RSHd expects that and will not accept connections from higher ports. If you are connecting through NAT (and we all know how much I lurve NAT) the source port can get rewritten on the way through, and you&#8217;re going to get spanked with a &quot;Permission denied by rshd.&quot; I&#8217;ve got no help for you with this&#8230;I hate NAT, and there are some protocols that just won&#8217;t work through it.</p>
</blockquote>
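<p>To make the cleartext point concrete, here is an added example (my code, not Dubman&#8217;s or Chafy&#8217;s) of the rcmd protocol that the rsh client and RSHd speak: a request builder, a decoder for a request lifted from a packet capture, a parser for rshd&#8217;s status byte, and a minimal client that binds a privileged source port the way the real one does. The user <code>efisher</code>, the host <code>fileserver1</code> and the sample reply bytes are constructed for the offline checks.</p>

```python
"""Minimal BSD rsh (rcmd protocol) client plus a decoder for captured requests.

What crosses the wire is four NUL-terminated cleartext fields.  The only
"authentication" is a username the client asserts and a source port below
1024, i.e. root/Administrator on the client side.
"""
import socket

RSH_PORT = 514
PRIV_PORT_HIGH = 1023   # rshd wants 512..1023; clients try 1023 first and work down
PRIV_PORT_LOW = 512


def build_rsh_request(local_user, remote_user, command, stderr_port=0):
    """rcmd request: "<stderr port>\\0<local user>\\0<remote user>\\0<command>\\0".

    stderr_port 0 means "no separate stderr connection"; anything else makes
    rshd call back to that port on the client, which is hopeless through NAT."""
    fields = (str(stderr_port), local_user, remote_user, command)
    if any("\x00" in f for f in fields):
        raise ValueError("NUL is the field separator and cannot appear in a field")
    return b"".join(f.encode("ascii") + b"\x00" for f in fields)


def parse_rsh_request(data):
    """Decode a request as seen on the wire (from a capture, say)."""
    parts = data.split(b"\x00", 4)
    if len(parts) != 5:
        raise ValueError("truncated rsh request")
    port, local_user, remote_user, command, trailing = parts
    return {
        "stderr_port": int(port or b"0"),
        "local_user": local_user.decode("ascii", "replace"),
        "remote_user": remote_user.decode("ascii", "replace"),
        "command": command.decode("ascii", "replace"),
        "trailing": trailing,
    }


def parse_rsh_reply(data):
    """rshd's first byte: NUL = accepted (command output follows),
    0x01 = refused, followed by a one-line reason."""
    if not data:
        raise ValueError("rshd closed the connection without a status byte")
    if data[0] == 0:
        return True, data[1:].decode("ascii", "replace")
    reason = data[1:].split(b"\n", 1)[0].decode("ascii", "replace")
    return False, reason


def rsh(host, command, local_user, remote_user=None, timeout=10.0):
    """Run `command` on host.  Binds a privileged source port, so on Unix run as root;
    NAT that rewrites the source port gets you "Permission denied by rshd"."""
    remote_user = remote_user or local_user
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    for src_port in range(PRIV_PORT_HIGH, PRIV_PORT_LOW - 1, -1):
        try:
            sock.bind(("", src_port))
            break
        except OSError:
            continue
    else:
        sock.close()
        raise PermissionError("no privileged source port available; are you root/Administrator?")
    try:
        sock.connect((host, RSH_PORT))
        sock.sendall(build_rsh_request(local_user, remote_user, command))
        buf = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    finally:
        sock.close()
    ok, text = parse_rsh_reply(buf)
    if not ok:
        raise RuntimeError("rshd refused the request: " + text)
    return text


if __name__ == "__main__":
    import sys
    # e.g. python rsh_min.py fileserver1 hostname   (host name constructed)
    print(rsh(sys.argv[1], " ".join(sys.argv[2:]), local_user="efisher"), end="")
```

<p>Point <code>parse_rsh_request</code> at the first bytes of any TCP 514 stream in a capture and you get the asserted usernames and the command back verbatim, which is the whole (in)security argument in one function call.</p>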
<p>Using CLI tools always reminds me of old-school hacking, and how laughable it is when movies and TV shows try to show it in 30 second blips. While I lurved &quot;The Matrix,&quot; this vid from CollegeHumor just rocks. If you have to enable an insecure interface to your server, this might make you feel a little better about doing it&#8230;well, this, and a tall cold one. <em>Hope you have cookies enabled!</em></p>
<div style="padding-bottom: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; float: none; padding-top: 0px" id="scid:5737277B-5D6D-4f48-ABFC-DD9C333F4C5D:0eca4c6d-d432-44b6-b39d-6cc35db2de73" class="wlWriterEditableSmartContent">
<div><object width="640" height="360" ><param name="movie" value="http://www.collegehumor.com/moogaloop/moogaloop.swf?clip_id=1886349&amp;fullscreen=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.collegehumor.com/moogaloop/moogaloop.swf?clip_id=1886349&amp;fullscreen=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="360"></embed></object></div>
</div>
<p>Direct link for RSS and email subscribers&#8230;<a href="http://www.collegehumor.com/video:1886349">http://www.collegehumor.com/video:1886349</a></p>



<p>You might also enjoy:<ol><li><a href='http://retrohack.com/howtoinstalling-ms-project-server-2007-on-windows-2008/' rel='bookmark' title='Permanent Link: howto://Installing MS Project Server 2007 on Windows 2008'>howto://Installing MS Project Server 2007 on Windows 2008</a></li>
<li><a href='http://retrohack.com/fixing-530-home-directory-not-accessible/' rel='bookmark' title='Permanent Link: Fixing 530 Home directory not accessible'>Fixing 530 Home directory not accessible</a></li>
<li><a href='http://retrohack.com/routing-protocols-reference/' rel='bookmark' title='Permanent Link: Routing Protocols reference'>Routing Protocols reference</a></li>
</ol></p>]]></content:encoded>
			<wfw:commentRss>http://retrohack.com/remote-shell-for-windows/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://retrohack.com/remote-shell-for-windows/</feedburner:origLink></item>
	</channel>
</rss>
