Archive for the ‘Uncategorized’ Category

Configure Cisco ASA for SBS 2008/2011 Network using ASDM

Following is an outline as to how to configure a Cisco ASA 5505 for an SBS 2008/2011 network, including basic router configurations, IP addressing, and port forwarding, using the GUI/ASDM. The ASDM version used at the time of writing is 6.4(5), and ASA Version 8.2(5).  For the record this can be accomplished much more easily from the CLI/Command Line Interface, but we SBS folk tend to like to do things from a GUI.  I will however post a follow-up article outlining how to do so from the CLI, using only a handful of commands. [Updte: for CLI instructions see: https://blog.lan-tech.ca/2012/01/25/configure-cisco-asa-for-sbs-20082011-network-using-cli/ ]

It is assumed the ASA is still set to factory defaults. If so, skip to “Basic Router configuration”.

Reset to factory defaults:

Since this article is dedicated to using the ASDM console, to reset from within, simply log on, select “File” from the menu, and then “Reset Device to the Factory Default Configuration”.  If you do not have access to the ASDM console, i.e. you do not know the IP, you can use the blue console cable and access through Telnet. Once connected to the CLI (Command Line Interface) enter the following commands:

  • enable
  • config t
  • config factory-default  (press the space bar a few times when “more” is displayed to get back to the prompt)
  • reload save-config noconfirm  (to write to flash memory)
  • the unit will reboot with factory defaults

Basic Router configuration:

We will run the Start up Wizard to do the basic configuration. During the process do not make changes to the internal interface IP or Internal DHCP settings.

Launch the ASDM using https://192.168.1.1 , choose to ignore the certificate error, and select “run Startup Wizard”. When prompted for a username and password leave both blank. You can also start the wizard from within the ASDM from the menu under Wizards, Startup Wizard.

[ Edit: In case it is confusing; after publishing it was pointed out you can see the 192.168.111.254 current ASA address in the title bar. Please ignore, it is unrelated to the configuration. ]

Starting Point: In the first window accept the default “modify existing configuration” and click next.

image

Basic Configuration:  If you like you can change the ASA Host Name and domain, but I is not necessary. I strongly recommend changing the password, and make it secure. When you log back in later the user name will still be blank.

image

Interface Section: Leave all a defaults.

image

Switch Port Allocation:  Again the defaults are fine for this configuration.

image

Interface IP Address Configuration: Presumably you have been assigned a static public IP by your ISP where you are running a mail server. If so select “Use the following IP address”, enter the appropriate IP and subnet mask under “Outside Address”. (Note: you will need to add a static route for the default gateway later)

If  using DHCP with your ISP, select “Use DHCP” and check “Obtain default route using DHCP” (which will automatically add the default gateway).  When using DHCP you will probably also want to set up a DDNS service.  To do so see the following article: Using DDNS Services with SBS 2008/2011

The wizard will not allow you to continue without entering a DMZ address.  You will not be using the DMZ in this configuration so simply pick a private IP outside of any subnet you plan to use, and select a subnet mask of 255.255.255.0, if presented with a DMZ related error you can ignore.

image

DHCP Server:  We will deal with DHCP later along with the inside interface IP. Leave the current defaults “Enable DHCP” and the IP range for now.

image

Address Translation (NAT/PAT):  You will want to use PAT, so accept the defaults.

image

Administrative Access:  This determines from which IP’s or subnets you can access the ASA 5505 to manage it, and using which protocols. The current default is using the ASDM from the 192.168.1.0 subnet. If you plan to change the IP of the router to a different subnet you need to add it now, before making changes to the inside interface’s IP.  Assuming you later plan to use 192.168.123.0/24 (/24 = subnet mask 255.255.255.0) for your local network, I recommend adding that subnet to the inside interfaces, using two rules, one for HTTPS/ADSM and the other for Telnet, by clicking the “edit” button”.  Leave the “Enable HTTP server for HTTPS/ASDM access to this ASA” checked near the bottom.

image

Startup Wizard Summary: This page displays a summary of your choices. Review and click finish.

image

Disable DHCP:  Assuming you are running SBS 2008/2011 Standard and not SBS 20011 Essentials, you will need to turn off DHCP on the inside interface of the Cisco as the SBS server should most definitely be the DHCP server. If not convinced see: Do I absolutely have to run DHCP on SBS 2008?  If running SBS Essentials the default is to have the router as the DHCP server, though it does not have to be. To disable DHCP, log back into the ASDM if you are no longer connected, and navigate to; Configuration | Device Management | DHCP | DHCP Server | highlight the inside interface and click Edit” | uncheck “Enable DHCP server”. Then click OK and Apply at the bottom.

image

Change Inside interface (LAN) IP:  As mentioned earlier, for the purposes of this article we will use 192.168.123.x (properly represented as 192.168.123.0/24) and choose 192.168.123.254 as the router inside interface IP but for your configuration match the current subnet of your SBS server.

This will be the gateway IP for PC’s and servers on the SBS network. Navigate to: Configuration | Device Setup | Interfaces | Highlight the inside interface and select Edit and change the IP to that of your choosing. Click OK, then check the box “ Enable traffic between two or more hosts connected to the same interface” at the bottom, and Apply.

Note: Should you choose to enable a VPN, using the Cisco or the SBS built-in VPN, the site from which a client connects, must use a different Network ID (Subnet) than that of the SBS LAN. As a result, nobody connecting from a remote site that uses 192.168.1.x locally can connect to resources on this network. Therefore it is always a best practice to avoid common subnets like; 192.168.0.x, 192.168.1.x, 192.168.2.x, 192.168.100.x 10.0.0.x, and 10.10.10.x. However if your SBS is already configured you would need to change the network addressing for the entire network. In the event you were to choose to do so make sure you use the wizard for changing the server IP located under SBS console | networking | Connectivity | Connect to the Internet.  You also have to change any DHCP scopes, reservations, exclusions and device with statically assigned IP’s such as printers.

image

Add a static route for the router’s default gateway:  As mentioned before if you have with a static public IP assigned to the outside interface, you also have to create a static route to assign a default gateway to allow the router Internet access.  To do so select Device Setup | expand routing | Static Routes | and on the right click Add.  Select the outside interface, choose “any” for the Network from the drop down list and insert the gateway address assigned by the ISP, with a metric of 1.  The remaining items should retain the default settings. Click OK and Apply.

image

If you have not already done so, I would recommend saving all changes at this point by selecting from the menu File and then “Save running configuration to flash”, or at ant point simply press Ctrl+S to save.

Configure port forwarding:

SBS requires several ports be forwarded for various services.  Below is an outline as to how to configure port forwarding for SMTP (port 25). You will need to do this for each of the services in the following list that you plan to use:

  • SMTP port 25 Exchange
  • HTTPS / SSL port 443  Outlook web Access, Remote Web Workplace (Remote Web Access), and SharePoint
  • SharePoint custom port 987  (SBS 2003 not required)
  • RWW & Sharepoint 4125  (SBS 2003 only, not required for SBS 2008/2011)
  • PPTP port 1723 SBS VPN. The Cisco VPN is far more secure and moves authentication to the perimeter of the network. Far better to use it than the SBS VPN since it is included with the ASA 55050
  • RDP port 3389 (Definitely not recommended. Much safer to use RWW/RWA)

Add a NAT Rule:  Login into the ASDM, remembering to use the new IP address of the router. Navigate to Firewall | NAT Rules. on the right under addresses there is an option to +Add, select this and then Network Object. Enter the name of the Object, in this case the SBS, enter the IP (in our example 192.168.123.10) and  a subnet mask of 255.255.255.255.  (Adding a network object is not completely necessary but makes reviewing configurations at a later date easier to understand as items are referenced by name rather than IP)

image

Next in the same Window, under “Configuration > Firewall  NAT Rules” in the tile bar, click +Add and select Add Static NAT Rule. In the resulting window set the “Original” Interface to inside and next to source click the drop down list button. Select your new object (SBS-Server in this example).  Set “Translated” Interface to outside, and check the box to “use interface IP address”.  Select Enable Port Address Translation (PAT), TCP, and enter either the port number, or in the case of most services you can enter the service name, if it is known to the Cisco router. A drop down list of known service will appear when you start to type the service name if one exists. If using non-standard services, enter the port number using the format tcp/987. The Original and Translated ports in this case should be the same.

image

Click OK and this will add the rule to the list of static rules.

image

Add an Access Rule:  Next, again in the firewall section, Navigate to Access Rules | Add | Add Access Rule.  Change the Interface to Outside, the Source will be “any”, Destination the outside interface, Service can again be selected from the drop down list, and add a description if you like.  Leave the “More Options” section set to defaults. Click OK and Apply.

image

Repeat the above steps for all services you will be using, probably HTTPS/443 and SharePoint/987, and don’t for get to save ( Ctrl+S) when complete.

This should complete the SBS requirements.

Additional Features you may wish to enable:

  • To enable pinging of internet IP’s from the LAN for testing, navigate to: Configuration | Firewall | Service Policy Rules | highlight the policy under Global Policy and click edit | Rule Actions | check the box for ICMP | click OK and Apply.
  • To allow Tracert to internet IP’s, add the ICMP rule above, then while still under the Firewall configuration switch to the Access Rules item click Add | Add Access Rule | then set the interface outside, action is Permit, and Source/Destination is any. Under Service, enter icmp, it should auto-fill or you can use the drop down list line and click OK.  Click OK again in the Add Access Rule dialog and Apply the results to finish the process.

Category:

Cisco, Firewalls, Networking, SBS, SBS 2003, SBS 2008, SBS 2011, TS/RDS, Uncategorized

Tagged with:

Editing SBS 2008/2011 Server Reports

There have been many complaints that there are numerous events logged in the daily SBS reports to which the ultimate Microsoft solution is; “The errors/warnings are benign and may be safely ignored”, “You can safely ignore the event ID error message, or similar. The fact is some of us quickly scan the reports for serious errors and as soon as we see a red warning, we have to stop, review, and take action or as Microsoft suggests, “ignore”.  In the interest of efficiency, or simply wanting to provide clients with clean reports, it would be nice to have errors that can be ignored, be ignored, and not added to the report. 

Great news!  Microsoft just released “An SBS Monitoring Feature Enhancement”.  This a tool or add-on package that allows you to create your own custom list of excluded events that will no longer be added to the daily reports.  It does include a list of the known common events (below) that can be ignored, which you can also edit if you wish.

SBS 2008
•Event ID: 10016 Source: DCOM
•Event ID: 10009 Source: DCOM
 
SBS 2011 Standard
•Event ID: 129   Source: WinRM
•Event ID: 142   Source: WinRM
•Event ID: 4107  Source: Microsoft-Windows-CAPI2
•Event ID: 10016 Source: DCOM
•Event ID: 10009 Source: DCOM
•Event ID: 5586  Source: SharePoint Foundation
•Event ID: 6772  Source: SharePoint Foundation
•Event ID: 6398  Source: SharePoint Foundation
•Event ID: 8     Source: MSExchange CmdletLogs
•Event ID: 6     Source: MSExchange CmdletLogs

For full details and link to the download, see the full article:

http://blogs.technet.com/b/sbs/archive/2012/01/16/managing-event-alerts-in-your-reports-an-sbs-monitoring-feature-enhancement.aspx

Category:

Reporting, SBS, SBS 2008, SBS 2011, Uncategorized

Tagged with:

Windows Defender Offline Beta – Bootable A/V

Microsoft recently released the beta of a bootable CD version of their popular Windows Defender anti-malware tool.  Many types of Malware cannot be removed from a machine while running Windows, the destructive malware files may be ‘hardened’ or simply re-install upon reboot.  The download allows you to create a bootable CD or USB key that lets you run and clean the hard drive without having to boot to Windows.  In many cases this is far more effective than running within Windows and also much easier than alternative, removing the drive and installing as a secondary drive on another computer. The virus definitions within the tool are frequently updated so be sure to download a current version when you plan to use the tool. The download, outline of the tool’s use, and FAQ’s are available from the following link:

http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline

Category:

Uncategorized

Add a Terminal Server to the SBS 2011 RWA page

With SBS 2008 if you wanted a Terminal Server to be listed with the computers to which a user could select on the RWW (Remote Web Workplace) page, you had to add a registry entry. With SBS 2011 adding the Terminal server (now called RDS or Remote Desktop Services Server) to the new RWA (Remote Web Access) page is pretty much the same only the key in which you create the entry doesn’t exist, so it is now a two step process.

Note: This will not work on Server 2012 Essentials, and because it and SBS 2011 Essentials communicate with the same “connector”, I suspect it will not work on it either.  The change is intended for SBS 2011 Standard, or edit the existing key on SBS 2008 Standard or Premium.

Update:  Should you be looking for information regarding adding a 2012 RDS Server (Remote Desktop Server / Terminal Server)  to an SBS 2008/2011 domain, please see the following more recent post: https://blog.lan-tech.ca/2013/04/11/add-2012-rds-server-to-sbs-20082011/

The normal warnings apply: making changes to the registry can negatively impact your server or even make it unusable. Before making changes to the registry, back it up and if not familiar with making registry changes it might be best not to proceed.

Open the registry editor, as a domain admin, and locate the following key:

        HKLM\SOFTWARE\Microsoft\SmallBusinessServer

  1. Add a new key named RemoteUserPortal
  2. Within that key create a new Multi-String Value entry named TsServerNames Then edit the new entry and insert as a value, the exact name of your Terminal (RDS) server. If you have multiple RDS servers add them each in a separate line of the value/data area.

Category:

SBS, SBS 2011, TS/RDS, Uncategorized

Tagged with:

SBS 2011 Reports Showing Firewall Disabled

Some people are discovering the SBS daily reports are showing the Windows Firewall is not enabled, Windows Firewall is not running, when in fact it is definitely enabled.  In several of the cases I have seen you can resolve by renaming the Repository folder.  To do so:

  • Open the Services management console and stop the “Windows Management Instrumentation” service.  If it keeps restarting, you may have to temporarily set to disabled.
  • Locate the “Repository” folder in C:\Windows\System32\wbem\ and rename to something like OLD_Repository .  Rename rather than delete the folder so you can revert back if for some reason it were necessary.
  • Restart/re-enable the “Windows Management Instrumentation” service
  • Reboot

Category:

Firewalls, SBS, SBS 2011, Uncategorized

Tagged with:

Google Apps and DomainsAtCost Registrar

Probably only a select few will encounter this problem as it would only affect those setting up DomainsAtCost as a Domain registrar and DNS manager, in combination with Google Apps. However, there are many posts stating folk are unable to configure Google Apps with this registrar as Google cannot verify the domain ownership due to it not recognizing the necessary DNS Txt  record. Perhaps the few having problems ‘resolving’ this issue may find it helpful.

Before Google will activate your new Google Apps account it understandably needs to verify domain ownership. There are several ways to do so relating to your web site but if you do not have a website for your domain, you are limited to adding a DNS record with whomever manages DNS for your Domain. In the past Google requested you create a Host [A} record, but a year ago they switched to using Txt records. The Google instructions are simple and straight forward, you just enter a lengthy 68 character text string in the “Text” box and then either leave the “Host” box empty or enter an @ symbol.  (see: http://www.google.com/support/a/bin/answer.py?answer=183895 )image

However if you are with DomainsAtCost and using their Advanced DNS Management the @ symbol is the catch. Their site instead requires you manually enter the domain name yourdomain.abc in the Host field. Doing so will very quickly update DNS and allow Google apps to verify your domain ownership. The DomainsAtCost site will accept the @ but it will not be resolvable by internet based DNS servers. i.e. it doesn’t work. You can test if your Txt record has propagated to public DNS servers by entering  txt:yourdomain.abc  in the MX lookup box at http://www.mxtoolbox.com/

Once domain ownership has been verified by Google you can continue the set up by adding your MX records to your DomainsAtCost DNS configuration. It is interesting though that in the DomainsAtCost Host field for the MX record, which does require the domain name, if you insert the @ character when you save it it will automatically convert to the domain name. This does not happen in the Txt record Host field.

Category:

DNS, Networking, Uncategorized

Tagged with:

Missing SBS 2008/2011 drive space

Internet forums are full of questions entitled “where is my missing drive space”, or “HELP! I am running out of drive space on the system partition”. There are some known issues, addressed below, where SBS is known to generate large log files but very often it is due to hidden contents of user folders. The Redirected Folders feature is usually enabled  with SBS and with the default Group Policy a users folder is protected and hidden from view by all others, including Domain Administrators. Therefore when browsing to a user’s private folders such as My Documents, not only will you be denied access, but the properties of the folder will show:  Size = 0 bytes, and Contains = 0 Files, 0 Folders.

image

This is due to a permission set by group policy, within the Small Business Server Folder Redirection Policy, when the folder was created.

image

Editing the policy will not change existing folder permissions. You can change the permissions if required, though I strongly discourage doing so if for no other reason that user’s have a right to privacy. If you feel you must, Susan Bradley has nicely outlined the process in the following link:  http://msmvps.com/blogs/bradley/archive/2010/02/28/getting-access-to-the-my-documents-redirected-folders.aspx

However, even though you cannot open the file, it is possible to see the contents of the folders (folder and file names) and the size of the contents by using an application named Treesize Professional from:  http://www.jam-software.com/treesize/  There is a 30 day free trial period, but I recommend buying it to have in your “tool box” to quickly locate that user that has 30GB of movies saved in their redirected my documents. Treesize will provide a very nice graphical overview of drive space distribution and you can quickly drill down to the source of the problem. As an example; in the following two images of the same directory, Windows shows 113 MB in use, where Treesize includes the hidden directories and accurately reveals 58.4 GB of consumed drive space.

image

image

Treesize can be used in many other ways for storage management but is invaluable in locating folders that are consuming large amounts of space on your drives.

Other known issues:

Tree size can also help to locate other space consuming culprits. Once located the information and links below, organized by file paths, may be able to assist with resolving.

The following link reviews numerous known file locations that have a tendency to accumulate large log files. This link is extremely valuable in addressing the key space issues with SBS:  http://blogs.technet.com/b/sbs/archive/2010/03/02/recovering-disk-space-on-the-c-drive-in-small-business-server-2008.aspx

  • C:\inetpub\logs\LogFiles
  • C:\Program Files\Windows Small Business Server\Logs\
  • C:\Program Files\Windows Small Business Server\Logs\WebWorkplace
  • C:\Program Files\Windows Small Business Server\Logs\MonitoringServiceLogs
  • C:\Program Files\Windows Small Business Server\Data\badmail
  • C:\Windows\system32\winevt\logs\
  • c:\Windows\system32\certlog
  • C:\Windows\SYSYSI\SSEE\MSSQL.2005\MSSQL
  • C:\Windows\System32\LogFiles\

C:\WSUS  Windows Server Update Services can build up many unnecessary updates that can be cleaned up by running the WSUS “Server Cleanup Wizard” located under Administrative Tools | Windows Server Update Services | SBSname | Options | Server Cleanup Wizard

C:\Program Files\Microsoft\Exchange Server\Mailbox\xxxx Storage Group Keep in mind deleted e-mails are retained in the Exchange database until you do a backup using an Exchange aware backup application such as the built-in SBS backup utility.

C:\Windows\winsxs:   See: “How to Alleviate Disk Space Pressure Caused By a Large Windows Component Store (WinSxS) Directory”  http://support.microsoft.com/?kbid=2592038  https://support.microsoft.com/en-us/kb/2795190

C:\Windows\System32\logfiles\WMI\trace.log  You can stop this logging by editing the registry key (if necessary) to 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\GlobalLogger\Start = 0

You may also want to review an excellent article by Lee Wilbur on regaining space and managing the system partition:  http://www.lwcomputing.com/tips/static/bootdrivesize.asp

Should you need to gain additional space you can also move some of the SBS data files to another drive or partition such as Exchange, Users Shared Data and Redirected Folders, Sharepoint, and WSUS. To do so use the SBS wizards in the SBS console:  http://technet.microsoft.com/en-us/library/cc527581(WS.10).aspx

image

 

Added Nov 30, 2011…….

C:\ProgramData\Microsoft\Windows\WER\ReportQueue  This contains error reports generated by Windows. These files on some systems, though not hidden, the folder properties show as 0 MB. TreeSize will also display the properties of this folder correctly. Though I don’t recommend disabling the reporting you can do so by going to: control panel | problem reports and solutions | advanced settings | off

C:\WINDOWS\system32\LogFiles\HTTPERR  These are HTTP error logs much of which is generated by IIS. If there are a large number of errors you should look into why, but you can reduce the chances of it filling up with log files again by applying the following  http://support.microsoft.com/kb/820729

Remember you can always download a trial copy of SBS to use for testing configurations and modifications from the Microsoft Evaluation Download Center:

http://technet.microsoft.com/en-ca/evalcenter/default.aspx?ocid=aff-c-ca-jtc–MVP52

Category:

SBS, SBS 2003, SBS 2008, SBS 2011, Troubleshooting, Uncategorized

Tagged with:

Using DDNS services with SBS 2008/2011

Often a small business cannot justify the cost of acquiring a static IP from their ISP. It is still possible to host e-mail and other services using a dynamic public IP, but you will need to use a DDNS service (Dynamic Domain Name Service). The following instructions use services offered by No-IP ( www.no-ip.comsee link below), my preference, but similar services are offered by other vendors such as http://www.dyndns.org .

The following assumes you have already purchased a domain name from a registrar. There is no need to host it with your DDNS provider but if they support your domain suffix, such as .com, you can transfer it to them for management simplicity if you wish. You can also purchase a domain through most DDNS service providers if you do not already have one. However, for the purpose of this article it is assumed the domain is with another registrar.

Reliable Dynamic DNS

Set up DNS records:

I recommend purchasing and configuring the necessary services first, followed by making the changes with your domain registrar so that there is no interruption of service if the domain name is already in use. You will need to open an account with No-IP and then purchase their Plus Managed DNS service ($24.95/year). To locate, on the No-IP menu choose Services, managed DNS, No-IP Plus, learn more. Then simply enter your public domain name, click “add my domain”, and then proceed to check out.

Once complete, you need to configure your DNS records. To access the management screen select “Your No-IP” from the top of the screen, DNS hosting, then modify next to your domain name. No-IP sets up assumed common DNS records like ftp.DomainName.comwhich you can leave, or I would recommend removing and just creating the records you need. Click on “Add a host” . In the dropdown list to the right of Hostname, select your domain. In the window to the left enter the name you will use to connect to your server. This can be anything you like but if using a certificate, self-signed or purchased, it must match this name. Common names are mail, the name of the server, or the default with Small Business Server 2008 is “remote”. Click the “Create Host” button at the bottom to save.

Next you need to create an MX record for mail delivery. The MX record would usually uses the Host record you just created, but if you plan to use a different Host name you need to repeat the above process for the additional Host record.

Return to the “Managed Hosts” page and click on “Modify” next to DomainName.com (the root). In the bottom section of the page under mail options enter the Host record you created (not an IP) and click the Update button.

Chances are if you are using a DDNS service you have only one server (one MX record). You may want to consider a backup MX service such as the one offered by No-IP. This is added as a second, lower priority, MX record and in the event your server is off line, the No-IP service stores any mail destined for your server for up to 7 days until your server is back on line. It then automatically forwards all mail to your server. One of the nice features of the No-IP Backup MX service over others is it offers an online usage report. Often you may not be aware your server was off-line due to an ISP outage. The Usage report will record when and how long.

If you have other services such as a web page hosted with a 3rd party or at a second site, you need to create another host record for www.DomainName.compointing to the appropriate IP. If not an IP and you need to redirect to another URL you can use the “Web Redirect” option.

Configure the DDNS client:

The DDNS client needs to be downloaded and installed on a PC or server on your network that is always on, and does not sleep or hibernate. It will monitor your public IP and update No-IP should the IP change. Many newer routers support DDNS services internally, but they require the “Custom DNS” option for No-IP, which most do not. The best bet is to install the No-IP client on your server. It can be downloaded from the No-IP site by choosing the Download tab on the home page.

Once installed, start the No-IP DUC client from the programs menu. Enter your e-mail address and password you used to set up your No-IP account. There should be a popup window as below, but if not click “Select Host” in the client management window. Check the box next to the Host record or records you wish to update with this public IP, and save. I do not recommend choosing the root domain unless you want ALL traffic for your domain directed to this IP.

Next you need to make sure this runs at all times even upon reboot by running the No-IP client as a service. In the No-IP client select file, preferences, check the box “Run as a system service”. At the bottom, if there is only one network adapter installed, you can leave as “Windows Default”. If more than one network adapter select the appropriate one from the drop down list, then click OK to save. This should be the Internet facing network adapter.

You can close the No-IP client but for future reference note there are some useful troubleshooting tools built in for testing your server, especially to see if the appropriate ports are open for the services you are offering via the Internet.

Set Domain to use No-IP DNS servers::

The final step is to change your Domain registrar to use No-IP’s DNS servers. With many registrars such as http://www.networksolutions.com you can make these entries yourself, but with some others you have to call or open a trouble ticket and have the service provider make the changes. No-IP’s DNS servers are listed below. You do not have to use all 5.

ns2.no-ip.com (204.16.254.6)

ns1.no-ip.com (69.72.255.6)

ns3.no-ip.com (69.65.5.106)

ns4.no-ip.com (72.5.169.6)

ns5.no-ip.com (75.102.59.82)

Note: DNS changes can take up to 48 hours to propagate the various Internet DNS servers, however usually less than 8 hours. One of the advantages of a DDNS service is in the future if your IP changes due to a move or ISP change, the DNS changes are immediate. For this reason some technicians choose to use a DDNS service even if using a static IP as it can make for faster recovery in a disaster situation, when a server has to be set up in a new location.

One possible issue with hosting your own services and using a dynamic IP is the ISP blocking specific ports such as 25 which will not allow you to host a mail server. There are services such as NO-IP’s “Mail Reflector” which allow you to use ports other than the standard port 25.

SSL Certificates:

Once your DDNS service is configured you may want to purchase a 3rd party SSL certificate from a vendor such as www.godaddy.com . The certificate eliminates the need of installing the SBS self-signed certificate on remote devices connecting to your server. This will work with a dynamic IP and a DDNS service but as mentioned the name created by the SBS to be used remotely (in our example remote.DomainName.com), the public DNS record, and the SSL certificate must all be the same.  For details regarding installing an SSL certificate on SBS 2008/2011 see:  https://blog.lan-tech.ca/2012/05/17/sbs-2008-2011-adding-an-ssl-certificate/

Reliable Dynamic DNS

Category:

Networking, SBS, SBS 2008, SBS 2011, Uncategorized

Tagged with:

Unexpected characters when typing?

Have you ever suddenly had odd characters appearing when you type, or perhaps not odd but not what you expected? This is quite common with Dell PC’s in Canada that by default have additional language options enabled, but I am sure it happens in other parts of the world as well and with other PC models. You may see for example an ” É ” when you type a ” ? ”

Windows has a “switch” to enable/disable the alternate language keyboard. The Windows 7 default is to hold the left alt key and press the corresponding shift key at the same time. If you prefer, you can change the characters used to control the “switch” or disable it all together under Control Panel | Region and Language |  Keyboards and Languages | Change Keyboards | Advanced Key settings | highlight “Between input languages” and click Change Key Sequence. There are other shortcuts in the same location you may wish to edit while there.

Updated Feb 5/2012:

It seems some Dell computers, even though under Region and Language keyboard settings as noted above are set to use the left alt+shift key as the combination to switch between keyboard language styles, they actually use the left ctrl+shift keys.

Also, you may have decided to permanently change the language and keyboard settings under:  Control Panel | Region and Language |  Keyboards and Languages | Change Keyboards | General.  If so, note that it will only affect the logged on user, it does not affect the actual initial computer logon.  To do so you must also go to  Region and Language | Administrative | Copy settings | and check the box “Welcome Screen and system accounts”.  Checking the other option, the “New user accounts” box, will apply the same edited Region and Language settings to any new user accounts you create, but if there are other existing user accounts to which you want to apply the changes, you will have to do so manually one by one.

Category:

Troubleshooting, Uncategorized

Tagged with:

Sage Simply Accounting (Sage 50) Firewall Rules

When installing Simply accounting (in this case specifically Simply 2011) it requires opening firewall ports on the server to allow clients to use the Connection Manager to access data . Simply provides the following information in its help files:

image

However for most installations you only require 4 rules. You can use the server’s “Windows Firewall with Advanced Security” console to manually create a each rule one by one by generating new rules, browsing to the related service (.exe), and set to “allow”, or you can use a command line and netsh to create the rules. Again a little tedious entering each lengthy command one at a time.

The easiest method is to use a simple batch file with the four commands included in the script below. To make the batch file a little more informative I have added a few lines with description, the ability to opt out, and to be able to verify each command completed successfully. However using just the 4 netsh lines is all you require. The netsh commands included are tailored to only allow access from the local subnet for added security.

Simply copy the lines below to notepad and save as a batch file using a name like AddRules.bat  There are a few related notes:

  • When saving use quotes around the name such as “AddRules.bat” in the Notepad ‘save as’ box, to ensure the .txt suffix will not be added to the name
  • Each netsh commands is one single line. It is wraps in the blog article.
  • When ready to run the batch file right click on it and choose “run as administrator (i.e. elevated privileges)

————————————————————————–

Echo Off
CLS
Echo  Batch file to configure Windows Firewall
Echo    for Sage Simply Accounting 2011 using
Echo      Windows Firewall with Advanced Security
Echo        [Access will be limited to local subnet]
Echo.
Echo click Ctrl+C to escape
Pause
Echo on

netsh advfirewall firewall add rule name=”Simply Connection Manager” dir=in program=”C:\Program Files (x86)\Winsim\ConnectionManager\SimplyConnectionManager.exe” remoteip=localsubnet action=allow

netsh advfirewall firewall add rule name=”Simply Tray Icon” dir=in program=”C:\Program Files (x86)\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe” remoteip=localsubnet action=allow

netsh advfirewall firewall add rule name=”Simply MySQL” dir=in program=”C:\Program Files (x86)\Winsim\ConnectionManager\MySqlBinary\5.0.38\mysql\mysqld-nt.exe” remoteip=localsubnet action=allow

netsh advfirewall firewall add rule name=”Simply MySQL Admin” dir=in program=”C:\Program Files (x86)\Winsim\ConnectionManager\MySqlBinary\5.0.38\mysql\mysqladmin.exe” remoteip=localsubnet action=allow

Echo off
Echo  “ok” should have been displayed after each rule was applied
Echo     Refresh Windows Firewall with Advanced Security to view added rules
Pause
Exit

Update/Note:  I have noticed when cutting and pasting from this article the quotation marks become unrecognized characters on most systems.  Simply paste the abov text in notepad and use Find & Replace to replace all with standard keyboard quotation characters.

Category:

Firewalls, Networking, SBS 2008, SBS 2011, Uncategorized

Tagged with: