Archive for the ‘Networking’ Category

Quickbooks -“could be a firewall problem”

Unfortunately QuickBooks error messages are often misleading and of little help. A prime example of this is the relatively common error message which reads;

“It appears that the QuickBooks software on computer ________ is set up to allow shared access to the company file, but the QuickBooks software on your computer is unable to communicate with it.”

Which also provides the suggested solution;

“The communication problem could be due to a firewall issue. If a firewall is installed on your network, you may need to reconfigure the firewall software.”

Granted the firewall, whether the Windows firewall or a 3rd party firewall, does have to be configured to allow QuickBooks data access, in most cases where people are seeing this message the file has been accessible for some time. Generally during QuickBooks installation the Windows firewall is automatically configured but if you need to review, the QuickBooks site has detailed documentation https://quickbooks.intuit.com/learn-support/en-ca/apps-integrations/set-up-firewall-and-security-settings-for-quickbooks-desktop/00/262400

The message does indicate QuickBooks can “see” the data but cannot access it, indicating the firewall is at least partially configured. Test if one user can access the file but not multiple. If only one user can connect, fist make sure QuickBooks is not in single user mode. If not, it usually indicates a problem with the QuickBooks Database Server Manager. First make sure the QuickBooks service is running in the Services management console. It will show as QuickBooksDBxx where xx indicates your version (see below). You can also run the “File Doctor’ tool and/or scan for QuickBoks files using the QuickBooks Database Manager console. The latter often fixes this and other connection isssues.

All of those suggestions can be found on many sites, however I recently came across a different issue. When you install Quickbooks it creates a QuickBooks user/service account and a QuickBooks service with a suffix indicating the QuickBooks version/year. See the list below. If you do not uninstall the previous year’s QuickBooks, which is fine, you end up with multiple QuickBooks services in the Services management console. Normally the most recent one will start, but If instead one of the older versions starts, you can receive the aforementioned error message. To permanently resolve, set all older versions to disabled and the newest to automatic.

QuickBooks services created by each version/year of Quickbooks:

QuickBooks ver 2012 QuickBooksDB22
QuickBooks ver 2013 QuickBooksDB23
QuickBooks ver 2014 QuickBooksDB24
QuickBooks ver 2015 QuickBooksDB25
QuickBooks ver 2016 QuickBooksDB26
QuickBooks ver 2017 QuickBooksDB27
QuickBooks ver 2018 QuickBooksDB28
QuickBooks ver 2019 QuickBooksDB29
QuickBooks ver 2020 QuickBooksDB30
QuickBooks ver 2021 QuickBooksDB31

Sage Many Redirected Printers

If you remote into a PC to run Sage, sometimes your local printer does not connect. To resolve this you need to open the Windows printers console on the computer running Sage and look for the appropriate printer and the “redirected #”. Then in Sage under Report & Form Options, choose the items you wish to print and beside them select the printer with the redirected # that matches the printer in the Windows printers console, as in the image below.

On many systems each time you reconnect to the remote computer a new redirected connection is created such that there are so many it can be near impossible to locate the appropriate redirected printer. See image below as an example.

To clear all these excess printers you can edit the registry. (As usual, back up the registry or at least the key before deleting and if not comfortable doing so, do not proceed as registry changes can corrupt your machine) To clean up the list of printers, on the computer running Sage, locate the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Window Nt\Currentversion\Printerports
Delete all printer ports showing (redirected #). Do not delete those without (redirected #)
Reboot the computer running Sage, reconnect, and select the newly redirected printer.

Remote Access

Many years ago I wrote numerous blog articles relating to VPNs, and primarily PPTP VPNs. Hits on those blog pages are up 300% since the Coronavirus outbreak due to people looking for ways to work from home. I wanted to warn PPTP is an old solution and is considered to be “broken” and very insecure. Please consider other options.

Rather than creating new articles explaining how to configure various remote access methods I thought I would provide some suggestions and links as it has all been written before by very talented IT folk.

Firstly VPNs. I would always recommend using a VPN appliance/router over the server itself. It is more secure, authenticates at the network perimeter not the server itself, and allows more control. Cisco, Sonicwall, Juniper, Watchguard, and others provide very good solutions . However one concern with any VPN solution is the fact that though it is a secure tunnel, it also allows any and all traffic between an unmanaged remote client computer and the corporate network. Viruses can travers the VPN tunnel, should the client PC be hacked the hacker has direct access to the corporate network, and the remote user can easily copy/steal corporate data that they maybe should not. In addition VPNs occasionally just do not work due to network addressing, slow ISP service, or blocked protocols by ISPs.

If you do want to set up a VPN on a windows server, I would recommend SSTP.  Thomas Maurer has a great configuration guide:https://www.thomasmaurer.ch/2016/10/how-to-install-vpn-on-windows-server-2016/

Perhaps a better option than a VPN is a terminal server, now called a remote desktop server (RD Server). I have never seen the RDP protocol blocked, performance is usually better than a VPN, and all data stays on the corporate network. If set up correctly it uses the Remote Desktop Gateway service and SSL which is very secure. You can, if you like, also use this within your VPN tunnel and if using a business class VPN solution restrict traffic to RDP.

Another alternative if you don’t want to set up an RD Server is to configure the RD Gateway service on your server and allow users to connect securely to their own desktops PCs with the same level of performance. This was a built in feature of SBS and Server Essentials 2016 and earlier.  Mariette Knap has a excellent article on configuring the RD Gateway service, specifically on Server 2019 Std:https://www.server-essentials.com/support/setup-rds-gateway-as-a-replacement-for-access-anywhere-from-the-essentials-experience-role

Regardless of what method you use, as soon as you allow any remote access, make sure you configure Group Policy to enforce strong passwords and to lock accounts after ‘X’ wrong password guesses.  (I use 5, and lock out for 30 minutes). You can set this on the server for domain wide deployment or on an individual PC using GPedit.msc. For both it is located under Computer Configuration |Windows Settings | Security Settings | Account Policies .

The other alternative of course is to use cloud based services such as Microsoft’s Office 365 which you can from any where, at any time.  If dong so, make sure you enable multi-factor authentication for security.

I hope this is of some help and please stay safe n these uncertain times.

 

 

 

100’s of Windows Commands

This is a must have pdf reference file: 

An amazing, free, current, searchable, compilation of hundreds Windows commands with explanations, syntax, and examples of their use.  And, it’s free !

https://www.microsoft.com/en-us/download/details.aspx?id=56846

Windows Commands

15 Minute Beeps

I was asked to look into a beeping in a server room which no one could find. 

It was understandably difficult as there were three server racks with modems, routers, switches, servers, PCs, UPSs, CCTV, and audio equipment.  To add to that they were single beeps, quite wide spread apart, and within a noisy, concrete room.  I determine after a little while they were single beeps and exactly 15 minutes apart.  Typically first suspicions are the UPS units, but 15 minutes is not typical of APC UPS devices.  To make a long story short, it turns out in a far corner where 2 fiber internet connections entered there were small UPSs units supplied by the service provider.  One of the UPS units showed a failed battery.  Being behind the open steel door, no one had seen the light. 

This seems like a trivial post and an obvious solution but I am posting as there are many forums on the Internet with people not being able to locate a device creating a beep every 15 minutes.  This is common with FIOS, Verizon, and Bell equipment.  One story goes as far as to explain a fellow turning everything off in the server room, one device at a time, every 15 minutes, till everything was shut down and unplugged, but could still hear the beeps.

Fibre1

Access a resource using the same internal and external FQDN

For simplicity there are many reasons you may want a single URL or FQDN to access a resource internal or external to your corporate domain.  If the internal and external domain names are the same it can sometimes cause DNS issues resolving the public domain name from the corporate network.  I am often asked about this in reference to web sites; “why is our website accessible from anywhere but our buisiness network””?”   For example you want to access www.net-works.ca from a network that uses the internal domain net-works.local.  The internal DNS server manages DNS for net-works so it doesn’t pass on the request to the forwarder, but it also doesn’t have a DNS record for the www Host.  The simple solution is to create an internal zone for the host name you are trying to access. SBS 2008/2011 did this automatically for “remote” so that the same URL could be used internally and externally.  This technique can be used for access ing websites, dvr systems, or anything you like that uses a FQDN.

To do so open the DNS management console, expand the folders under your server name, right click on the “Forward Lookup Zones folder, and select New Zone.  A wizard starts, click next and you can select the zone type.  Accept the defaults, Primary Zone and next.

image

Select “To all DNS servers running on domain controllers in this domain”.

image

In this case I am going to set up a universal URL for access to a DVR system, so I will enter dvr.net-works.ca  This could be www, remote, or what ever meets your needs.  Keep in mind for external access you must set up the DVR, or matching,  Host record with whichever service manages DNS for your public domain.

image

Again accept defaults, and click next, and finish.

image

Now right click on the new zone folder and choose “New Host (A or AAAA)” record. Finally, again accept defaults except insert the IP address.  In this case it is an internal IP.  There should be no need for a PTR record creation.

image

When complete it should look similar to this:

image

Cisco/Linksys Bad Gateway

Recently after installing a new Linksys (Cisco) EA6300 router we received a “502 – Bad Gateway” error message when trying to access the web management page.

image

(Note: the IP in the image is correct for this site, but the default of course is 192.168.1.1)

Installation of the router and configuring went as expected, and internet access by client machines was fine, but after completion and reboot the Bad Gateway message appeared when trying to log back into the router. This seems to be a common issue with numerous models not just the EA6300, but also the EA6500, EA4500, EA2700, E4200, E1200, and more.  There are numerous posts about this issue on many blogs and message boards, all of which suggest starting to resolve by pressing the reset button.  If you have a detailed configuration with custom IP configurations, port forwards, DDNS and more, that would be quite a nuisance and time consuming.

We discovered simply disconnecting the WAN / Internet connection to the router and refreshing the web management page allowed access and log in.  Once logged on the WAN connection could be reconnected.  Logging out and back in reproduced the problem.  The solution was to gain access as described and then using the built-in utility update the router’s firmware.  Once updated there were no further problems.

Windows Phone 8 App for my Blog

I am pleased to announce my Windows Phone 8 Blog app has been published.  As of yet it is not compatible with Windows Phone 8.1 but should be by the time of “official” release.  The app, which is free,  can be downloaded from: http://www.windowsphone.com/en-us/store/app/lan-tech-blog/d0bd5f80-c223-48ae-a13e-a978913198b0   image

Multiple RDP Sessions on a PC –legal or not

There are many web sites outlining how to reconfigure windows XP, Vista, and Windows 7 to allow multiple concurrent Remote Desktop Sessions, basically making a desktop PC a terminal server. On many occasions I have pointed out doing so is a licensing violation, however I confess I have never seen this specifically stated in any ELUA.  I have been privy to discussions with Microsoft where this has been discussed, and Microsoft employees and support site personnel have often posted it is not permitted on various  sites.

Having been asked to verify this I reviewed various EULAs (End User Licensing Agreements) and it seems Microsoft more often explains in detail what is allowed than what us not.  Much like your insurance company doesn’t state in your home owners policy you are not permitted to have bonfires in your basement.  Some ELUAs such the one for Windows 7 mentions; “The single primary user of the licensed computer may access a session from any other device using Remote Desktop”, but does not state you can have multiple sessions.  It does however state you can have multiple users sharing a single session using NetMeeting or Remote Assistance, which means both users are sharing the same desktop and application, not separate sessions.  The intent with this is to assist an end user.

The modification is promoted as a patch, but a patch would be provided by Microsoft. This ‘patch’ was created by someone named DeepXW who on their own web page refers to it as “Crack termsrv.dll, remove the Concurrent Remote Desktop sessions limit”.

Most of the reputable sites explaining the hack also include a disclaimer explaining it is a violation.  I have posted some examples at the end of my ramblings . Sites such as Experts-Exchange have even banned posting the hack as they have confirmed it is a licensing violation.

We also need to consider if this hack were legal, you would also require buying RDP/RDS CALs (Client Access Licenses), and if Office were installed you would only be legit if you purchased volume licensing with one license for each user. The latter two are requirements on any multi-session Microsoft O/S.  The Office 2013 ELUA does clearly state that you cannot have multiple sessions: “Remote access. The user that primarily uses the licensed computer is the “primary user.” The primary user may access and use the software installed on the licensed device remotely from any other device, as long as the software installed on the licensed device is not being used non-remotely by another user simultaneously.”  This same issue applies to third party software which in many cases has the same limitations.

Granted the hack does work, with some occasional Winsock issues, and though the chances of being caught are minimal, if discovered in a Microsoft audit, which does happen, the penalties are stiff.  I strongly encourage folk to approach this in a more secure, manageable, and legitimate way by using a Microsoft Remote Desktop Services Server (formerly called Terminal server).

Sample comments from various sites outlining the hack:

However, be warned. Before you begin, I need to warn you that patching the file and allowing more than one concurrent Remote Desktop session will violate a few lines in the Windows XP EULA. Proceed with caution and at your own risk. I shall not be liable for any damage caused to you, your computer, your data or your dog/cat because of this.  From <http://www.petri.co.il/multiple-remote-desktop-sessions-on-windows-xp-sp3.htm>

Desktop, which basically only allows the single primary user of the licensed computer to access a session of the computer. And that essentially tells us that the trick we revealed to enable multiple concurrent user in remote desktop in Windows 7 isn’t a legally licensed, despite that it’s really a good useful hack.  From <http://www.nextofwindows.com/how-many-concurrent-connections-allowed-to-access-a-windows-7-computer/

I think you find it is a license violation, as win 7 is single user at time OS.
As with all version of windows you need a license for all current users.
If you “hack it” you have violated the TOS and have voided the windows license.  From <http://social.technet.microsoft.com/Forums/windows/en-US/41e9e500-714a-443b-bff2-55f0d500d3d1/concurrent-sessions-remote-desktop-in-windows-7>

A quick note: enabling multiple concurrent RDP users may be against the Windows 7 End User Licensing Agreement (EULA). Please be sure to check the EULA beforehand and know that we do not recommend making these changes in cases where they may violate the EULAFrom <http://www.optimusbi.com/2012/12/05/enable-concurrent-rdp-connections-windows/>

Regardless of what solution you come up with, concurrent desktop access (if you are not sharing a single session) is in violation of the desktop Windows EULA.   From <http://arstechnica.com/civis/viewtopic.php?f=15&t=1190558

RASdial (automate VPN connections)

In the past I wrote a couple of articles explaining how to connect to a business network using a Windows VPN prior to logon, so that domain authentication takes place and group policies and logon scripts are applied.  See:  Win 7 and earlier and Win 8

As pointed out in the articles, this only works for domain joined computers.  It has been brought to my attention that some folks would like to automate the VPN connection process on non domain joined machines.   .

Automate VPN connection – AFTER logon:

Basically you need a one line batch file and add it to the startup folder, but in detail:

  • Open a text editor such as Notepad and enter the lines below, substituting the name of your VPN connection for Acme, and inserting your user name and password

rem   Batch file to establish a VPN connection
rasdial  acme  username  password
exit

    • Substituting  *  (an asterisk)  for the password, will prompt for the password during the connection.  This is more secure as the password is stored in clear text in the batch file.
    • Save the file to a location such as the desktop, but when doing so save using a .bat extension and enclose the name in quotes such as;  “VPN_Connect.bat”.  Notepad will add a txt extension if you do not use the quotes.
    • Saving to the desktop allows the user to double click on the file to establish the VPN connection.
    • If you want to automate the connection add the batch file to the startup folder and it will run after logon to the PC has completed.  The startup folder can be found in the following locations:

XP: Documents and Settings\All Users\Start Menu\ Programs\Startup
Win7:  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Tag Cloud