Archive for the ‘Networking’ Category

Sage Many Redirected Printers

If you remote into a PC to run Sage, sometimes your local printer does not connect. To resolve this you need to open the Windows printers console on the computer running Sage and look for the appropriate printer and the “redirected #”. Then in Sage under Report & Form Options, choose the items you wish to print and beside them select the printer with the redirected # that matches the printer in the Windows printers console, as in the image below.

On many systems, each time you reconnect to the remote computer a new redirected connection is created, and eventually there are so many that it can be nearly impossible to locate the appropriate redirected printer. See image below as an example.

To clear all these excess printers you can edit the registry. (As usual, back up the registry, or at least the key, before deleting, and if you are not comfortable doing so, do not proceed, as registry changes can corrupt your machine.) To clean up the list of printers, on the computer running Sage, locate the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts
Delete all printer ports showing (redirected #). Do not delete those without (redirected #).
Reboot the computer running Sage, reconnect, and select the newly redirected printer.
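
The same cleanup can be scripted so that the backup always happens before anything is deleted. This is an added example, not part of the original post; the function name and backup location are assumptions, and it should be run as the user who runs Sage because the key is per-user.

```powershell
# Added example: back up the PrinterPorts key, then delete only "(redirected N)" values.
function Remove-RedirectedPrinterPort {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Folder that receives the .reg backup (assumption: the user profile is writable)
        [string]$BackupDirectory = $env:USERPROFILE
    )

    $psPath  = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts'
    $regPath = 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts'

    # Value names in this key are printer names; keep only the redirected ones.
    $key   = Get-Item -LiteralPath $psPath -ErrorAction Stop
    $stale = @($key.GetValueNames() | Where-Object { $_ -match '\(redirected \d+\)' })
    if ($stale.Count -eq 0) {
        Write-Output 'No (redirected #) entries found.'
        return
    }

    # Export the whole key first; stop if the backup cannot be written.
    $stamp  = '{0:yyyyMMdd-HHmmss}' -f (Get-Date)
    $backup = Join-Path $BackupDirectory "PrinterPorts-$stamp.reg"
    & reg.exe export $regPath $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Backup to $backup failed; nothing was deleted."
    }
    Write-Output "Backup written to $backup"

    # Entries without "(redirected #)" are never touched.
    foreach ($name in $stale) {
        if ($PSCmdlet.ShouldProcess($name, 'Delete PrinterPorts value')) {
            Remove-ItemProperty -LiteralPath $psPath -Name $name
        }
    }
}

# Dry run: lists what would be deleted. Remove -WhatIf to delete (each entry is confirmed).
Remove-RedirectedPrinterPort -WhatIf
```

To restore, double-click the exported .reg file or import it with reg.exe import.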

Remote Access

Many years ago I wrote numerous blog articles relating to VPNs, and primarily PPTP VPNs. Hits on those blog pages are up 300% since the Coronavirus outbreak due to people looking for ways to work from home. I wanted to warn that PPTP is an old solution and is considered to be “broken” and very insecure. Please consider other options.

Rather than creating new articles explaining how to configure various remote access methods I thought I would provide some suggestions and links as it has all been written before by very talented IT folk.

Firstly VPNs. I would always recommend using a VPN appliance/router over the server itself. It is more secure, authenticates at the network perimeter not the server itself, and allows more control. Cisco, SonicWall, Juniper, WatchGuard, and others provide very good solutions. However, one concern with any VPN solution is that, though it is a secure tunnel, it also allows any and all traffic between an unmanaged remote client computer and the corporate network. Viruses can traverse the VPN tunnel; should the client PC be hacked, the hacker has direct access to the corporate network; and the remote user can easily copy/steal corporate data that they maybe should not. In addition, VPNs occasionally just do not work due to network addressing, slow ISP service, or protocols blocked by ISPs.

If you do want to set up a VPN on a Windows server, I would recommend SSTP. Thomas Maurer has a great configuration guide: https://www.thomasmaurer.ch/2016/10/how-to-install-vpn-on-windows-server-2016/

Perhaps a better option than a VPN is a terminal server, now called a remote desktop server (RD Server). I have never seen the RDP protocol blocked, performance is usually better than a VPN, and all data stays on the corporate network. If set up correctly it uses the Remote Desktop Gateway service and SSL which is very secure. You can, if you like, also use this within your VPN tunnel and if using a business class VPN solution restrict traffic to RDP.

Another alternative, if you don’t want to set up an RD Server, is to configure the RD Gateway service on your server and allow users to connect securely to their own desktop PCs with the same level of performance. This was a built-in feature of SBS and Server Essentials 2016 and earlier. Mariette Knap has an excellent article on configuring the RD Gateway service, specifically on Server 2019 Std: https://www.server-essentials.com/support/setup-rds-gateway-as-a-replacement-for-access-anywhere-from-the-essentials-experience-role

Regardless of what method you use, as soon as you allow any remote access, make sure you configure Group Policy to enforce strong passwords and to lock accounts after ‘X’ wrong password guesses. (I use 5, and lock out for 30 minutes.) You can set this on the server for domain-wide deployment or on an individual PC using GPedit.msc. For both it is located under Computer Configuration | Windows Settings | Security Settings | Account Policies.

The other alternative of course is to use cloud-based services such as Microsoft’s Office 365, which you can access from anywhere, at any time. If doing so, make sure you enable multi-factor authentication for security.

I hope this is of some help and please stay safe in these uncertain times.

100’s of Windows Commands

This is a must-have PDF reference file:

An amazing, free, current, searchable compilation of hundreds of Windows commands with explanations, syntax, and examples of their use. And, it’s free!

https://www.microsoft.com/en-us/download/details.aspx?id=56846


15 Minute Beeps

I was asked to look into a beeping in a server room which no one could find. 

It was understandably difficult as there were three server racks with modems, routers, switches, servers, PCs, UPSs, CCTV, and audio equipment. To add to that they were single beeps, quite widely spread apart, and within a noisy, concrete room. I determined after a little while they were single beeps and exactly 15 minutes apart. Typically first suspicions are the UPS units, but 15 minutes is not typical of APC UPS devices. To make a long story short, it turns out in a far corner where 2 fiber internet connections entered there were small UPS units supplied by the service provider. One of the UPS units showed a failed battery. Being behind the open steel door, no one had seen the light.

This seems like a trivial post and an obvious solution but I am posting as there are many forums on the Internet with people not being able to locate a device creating a beep every 15 minutes.  This is common with FIOS, Verizon, and Bell equipment.  One story goes as far as to explain a fellow turning everything off in the server room, one device at a time, every 15 minutes, till everything was shut down and unplugged, but could still hear the beeps.


Access a resource using the same internal and external FQDN

For simplicity there are many reasons you may want a single URL or FQDN to access a resource internal or external to your corporate domain. If the internal and external domain names are the same it can sometimes cause DNS issues resolving the public domain name from the corporate network. I am often asked about this in reference to web sites: “why is our website accessible from anywhere but our business network?” For example you want to access www.net-works.ca from a network that uses the internal domain net-works.local. The internal DNS server manages DNS for net-works so it doesn’t pass on the request to the forwarder, but it also doesn’t have a DNS record for the www Host. The simple solution is to create an internal zone for the host name you are trying to access. SBS 2008/2011 did this automatically for “remote” so that the same URL could be used internally and externally. This technique can be used for accessing websites, DVR systems, or anything you like that uses a FQDN.

To do so open the DNS management console, expand the folders under your server name, right click on the “Forward Lookup Zones” folder, and select New Zone. A wizard starts; click next and you can select the zone type. Accept the defaults, Primary Zone, and click next.


Select “To all DNS servers running on domain controllers in this domain”.


In this case I am going to set up a universal URL for access to a DVR system, so I will enter dvr.net-works.ca. This could be www, remote, or whatever meets your needs. Keep in mind for external access you must set up the DVR, or matching, Host record with whichever service manages DNS for your public domain.


Again accept defaults, and click next, and finish.


Now right click on the new zone folder and choose “New Host (A or AAAA)” record. Finally, again accept defaults except insert the IP address.  In this case it is an internal IP.  There should be no need for a PTR record creation.


When complete it should look similar to this:

image
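
The wizard steps above can also be carried out from PowerShell on a domain controller running DNS, followed by a check that only the one host name is answered internally. This is an added example, not part of the original post; the internal IP address is a constructed placeholder, and the secure dynamic update setting is assumed to match the wizard default for an Active Directory-integrated zone.

```powershell
# Added example: create a single-host zone for dvr.net-works.ca and verify the result.
Import-Module DnsServer

$zoneName   = 'dvr.net-works.ca'   # host name used in the post; the zone covers only this name
$internalIp = '192.168.1.50'       # constructed placeholder: internal address of the DVR

if (-not (Get-DnsServerZone -Name $zoneName -ErrorAction SilentlyContinue)) {
    # Primary, AD-integrated zone replicated
    # "To all DNS servers running on domain controllers in this domain".
    Add-DnsServerPrimaryZone -Name $zoneName -ReplicationScope 'Domain' -DynamicUpdate 'Secure'

    # Host (A) record for the zone itself ("@" = same as parent folder); no PTR is created.
    Add-DnsServerResourceRecordA -ZoneName $zoneName -Name '@' -IPv4Address $internalIp
}

# Check 1: the internal DNS server now answers for the host with the internal IP.
$answer = Resolve-DnsName -Name $zoneName -Type A -Server 'localhost' -ErrorAction Stop
if ($answer.IPAddress -notcontains $internalIp) {
    Write-Warning "$zoneName does not resolve to $internalIp on this DNS server."
}

# Check 2: other names in the public domain are not covered by the new zone,
# so they should still resolve to their public addresses through the forwarders.
Resolve-DnsName -Name 'www.net-works.ca' -Type A -Server 'localhost' |
    Select-Object Name, Type, IPAddress
```

Because the zone is created for the full host name rather than for net-works.ca, the internal server stays authoritative for that one name only.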

Cisco/Linksys Bad Gateway

Recently after installing a new Linksys (Cisco) EA6300 router we received a “502 – Bad Gateway” error message when trying to access the web management page.

image

(Note: the IP in the image is correct for this site, but the default of course is 192.168.1.1)

Installation of the router and configuring went as expected, and internet access by client machines was fine, but after completion and reboot the Bad Gateway message appeared when trying to log back into the router. This seems to be a common issue with numerous models not just the EA6300, but also the EA6500, EA4500, EA2700, E4200, E1200, and more.  There are numerous posts about this issue on many blogs and message boards, all of which suggest starting to resolve by pressing the reset button.  If you have a detailed configuration with custom IP configurations, port forwards, DDNS and more, that would be quite a nuisance and time consuming.

We discovered simply disconnecting the WAN / Internet connection to the router and refreshing the web management page allowed access and log in.  Once logged on the WAN connection could be reconnected.  Logging out and back in reproduced the problem.  The solution was to gain access as described and then using the built-in utility update the router’s firmware.  Once updated there were no further problems.

Windows Phone 8 App for my Blog

I am pleased to announce my Windows Phone 8 Blog app has been published.  As of yet it is not compatible with Windows Phone 8.1 but should be by the time of “official” release.  The app, which is free, can be downloaded from: http://www.windowsphone.com/en-us/store/app/lan-tech-blog/d0bd5f80-c223-48ae-a13e-a978913198b0

Multiple RDP Sessions on a PC – legal or not

There are many web sites outlining how to reconfigure Windows XP, Vista, and Windows 7 to allow multiple concurrent Remote Desktop Sessions, basically making a desktop PC a terminal server. On many occasions I have pointed out doing so is a licensing violation, however I confess I have never seen this specifically stated in any EULA. I have been privy to discussions with Microsoft where this has been discussed, and Microsoft employees and support site personnel have often posted it is not permitted on various sites.

Having been asked to verify this I reviewed various EULAs (End User Licensing Agreements) and it seems Microsoft more often explains in detail what is allowed than what is not. Much like your insurance company doesn’t state in your home owner’s policy you are not permitted to have bonfires in your basement. Some EULAs, such as the one for Windows 7, mention: “The single primary user of the licensed computer may access a session from any other device using Remote Desktop”, but do not state you can have multiple sessions. It does however state you can have multiple users sharing a single session using NetMeeting or Remote Assistance, which means both users are sharing the same desktop and application, not separate sessions. The intent with this is to assist an end user.

The modification is promoted as a patch, but a patch would be provided by Microsoft. This ‘patch’ was created by someone named DeepXW who on their own web page refers to it as “Crack termsrv.dll, remove the Concurrent Remote Desktop sessions limit”.

Most of the reputable sites explaining the hack also include a disclaimer explaining it is a violation. I have posted some examples at the end of my ramblings. Sites such as Experts-Exchange have even banned posting the hack as they have confirmed it is a licensing violation.

We also need to consider that if this hack were legal, you would also be required to buy RDP/RDS CALs (Client Access Licenses), and if Office were installed you would only be legit if you purchased volume licensing with one license for each user. The latter two are requirements on any multi-session Microsoft O/S. The Office 2013 EULA does clearly state that you cannot have multiple sessions: “Remote access. The user that primarily uses the licensed computer is the “primary user.” The primary user may access and use the software installed on the licensed device remotely from any other device, as long as the software installed on the licensed device is not being used non-remotely by another user simultaneously.” This same issue applies to third party software which in many cases has the same limitations.

Granted the hack does work, with some occasional Winsock issues, and though the chances of being caught are minimal, if discovered in a Microsoft audit, which does happen, the penalties are stiff.  I strongly encourage folk to approach this in a more secure, manageable, and legitimate way by using a Microsoft Remote Desktop Services Server (formerly called Terminal server).

Sample comments from various sites outlining the hack:

However, be warned. Before you begin, I need to warn you that patching the file and allowing more than one concurrent Remote Desktop session will violate a few lines in the Windows XP EULA. Proceed with caution and at your own risk. I shall not be liable for any damage caused to you, your computer, your data or your dog/cat because of this.  From <http://www.petri.co.il/multiple-remote-desktop-sessions-on-windows-xp-sp3.htm>

Desktop, which basically only allows the single primary user of the licensed computer to access a session of the computer. And that essentially tells us that the trick we revealed to enable multiple concurrent user in remote desktop in Windows 7 isn’t a legally licensed, despite that it’s really a good useful hack.  From <http://www.nextofwindows.com/how-many-concurrent-connections-allowed-to-access-a-windows-7-computer/>

I think you find it is a license violation, as win 7 is single user at time OS.
As with all version of windows you need a license for all current users.
If you “hack it” you have violated the TOS and have voided the windows license.  From <http://social.technet.microsoft.com/Forums/windows/en-US/41e9e500-714a-443b-bff2-55f0d500d3d1/concurrent-sessions-remote-desktop-in-windows-7>

A quick note: enabling multiple concurrent RDP users may be against the Windows 7 End User Licensing Agreement (EULA). Please be sure to check the EULA beforehand and know that we do not recommend making these changes in cases where they may violate the EULA.  From <http://www.optimusbi.com/2012/12/05/enable-concurrent-rdp-connections-windows/>

Regardless of what solution you come up with, concurrent desktop access (if you are not sharing a single session) is in violation of the desktop Windows EULA.   From <http://arstechnica.com/civis/viewtopic.php?f=15&t=1190558>

RASdial (automate VPN connections)

In the past I wrote a couple of articles explaining how to connect to a business network using a Windows VPN prior to logon, so that domain authentication takes place and group policies and logon scripts are applied.  See:  Win 7 and earlier and Win 8

As pointed out in the articles, this only works for domain joined computers.  It has been brought to my attention that some folks would like to automate the VPN connection process on non domain joined machines.

Automate VPN connection – AFTER logon:

Basically you need a one line batch file and add it to the startup folder, but in detail:

  • Open a text editor such as Notepad and enter the lines below, substituting the name of your VPN connection for Acme, and inserting your user name and password

rem   Batch file to establish a VPN connection
rasdial  acme  username  password
exit

    • Substituting  *  (an asterisk)  for the password will prompt for the password during the connection.  This is more secure, because otherwise the password is stored in clear text in the batch file.
    • Save the file to a location such as the desktop, but when doing so save using a .bat extension and enclose the name in quotes such as;  “VPN_Connect.bat”.  Notepad will add a txt extension if you do not use the quotes.
    • Saving to the desktop allows the user to double click on the file to establish the VPN connection.
    • If you want to automate the connection add the batch file to the startup folder and it will run after logon to the PC has completed.  The startup folder can be found in the following locations:

XP: Documents and Settings\All Users\Start Menu\Programs\Startup
Win7:  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Remote Site Monitoring Alert

On occasion there may be a need to be notified if a remote server is off-line due to an Internet outage, router issue, power outage, or server down.  There are many excellent services that will monitor and alert you, but most are intended for multi-site and/or multi-server configurations and require a monthly fee.  You might just want to monitor a single site and be notified if it fails.

I had this situation and therefore decided to write a simple script to accomplish the task.  I am not a programmer so I am sure this could be improved upon, but it works.  Feel free to add suggestions or alternatives in the comments section, I am sure we would all be interested.

Basically there is a batch file that makes use of a free little utility called http-ping by www.CoreTechnologies.com which runs every ‘X’ minutes using a scheduled task and verifies if the site is accessible.  If not, a simple VBS script sends an e-mail alert.

Http-ping does need to be able to access an http or https server, which could be a web server, Exchange (OWA), a router management page, or one of many other possibilities.

To configure, simply create a folder such as C:\SiteMonitor and place in it the batch and VBS scripts below, and http-ping.  You will have to download http-ping from http://www.coretechnologies.com/products/http-ping/

Batch file:

@echo off
:: Enter the directory location (e.g. C:\SiteMonitor\)
Set Directory=C:\SiteMonitor
:: Enter the address of the site to ping (e.g. 123.123.123.123/Exchange:443 or server.domain.com/Exchange:443)
:: (The first example should be used if you need to know if the public IP has changed)
Set Site=123.123.123.123/Exchange:443
::
If Exist %Directory%\PingResult.txt Del %Directory%\PingResult.txt
%Directory%\http-ping.exe %Site% >> %Directory%\PingResult.txt
findstr /M "Reply" %Directory%\PingResult.txt
If %errorlevel%==1 GoTo EMAIL
GoTo END
:EMAIL
cscript %Directory%\SendAlert.vbs
:END

VBS script:

' VBS script to send an alert via e-mail
Dim SMTPserver, Sender, Recipient, Subject, Message
' Set client specific variables
SMTPserver = "smtp.ISPname.abc"
Sender = "alert@SomeDomain.abc"
Recipient = "me@MyDomain.abc"
Subject = "Alert off-line"
Message = "An automated script has determined the server at is currently off-line."
' Send E-mail
       set objMessage = CreateObject("CDO.Message")
       objMessage.Subject = Subject
       objMessage.Sender = Sender
       objMessage.To = Recipient
       objMessage.TextBody = Message
       objMessage.Configuration.Fields("http://schemas.microsoft.com/cdo/configuration/smtpserver") = SMTPserver
       objMessage.Configuration.Fields("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
       objMessage.Configuration.Fields.Update
       objMessage.Send
       set objMessage = Nothing

Customize scripts:

When complete, save the batch file as something similar to SiteMonitor.bat.  In the batch file you need to set two variables: the “Directory” where you saved the files, and the “Site” http-ping is to test.  The site can be a FQDN or an IP, and needs to point to a server or router.  In some cases you need to add the port number. Some examples include:

http://www.mysite.abc
remote.domain.abc:443
router1.DDNSservice.abc:8080  (router)
remote.domain.abc/OWA   (Exchange port 80)
123.123.123.123/Exchange:443

In my case the site I wanted to monitor had a dynamic IP.  I needed to be alerted if the public IP changed due to a service used by the site that would not work with a DDNS service.  Therefore I used the last example above.

The VBS script needs to be saved as SendAlert.vbs or change the name used within the batch file to match.  In the VBS script you need to set the following 5 variables as per the examples in the script; SMTPserver, Sender, Recipient, Subject, Message.

Schedule:

Finally, you need to schedule a task to run the batch file every half hour (or your time frame).   The following is an example as to how to do so with Vista/Server 2008 and newer.  Similar can be done under Control Panel, Scheduled Task in XP/Server 2003 and earlier.

Open the Task Scheduler under Control Panel / Administrative Tools, click on Task Scheduler Library, and on the right select Create a Basic Task.  Assign the task a name and you can enter a description if you like.  Make sure you also select “Run whether the user is logged on or not”.


Configure the “Trigger” options as per the following image:

image

In the “Actions” pane choose to start a program, and point to your batch file:

image

You can then complete the wizard accepting defaults.  Your monitoring service should now be complete.  If you want to test, change the “Site” variable in the batch file to a non-existent IP or FQDN, and you should get an alert the next time it runs.  Note that when troubleshooting, the results of the last http-ping are recorded in the directory you created, in a text file named PingResult.txt.
