Category: Cloud Services

Is Email Down Again?

Email Down

While troubleshooting an email encryption issue after a WHM / cPanel web server migration, my thoughts turned to email down time and what it is worth to a small business. This is the core concept behind business continuity – “Business continuity encompasses planning and preparation to ensure that an organization can continue to operate in case of serious incidents or disasters and is able to recover to an operational state within a reasonably short period.” (Wikipedia) The best way to recover from a disaster is to have planned in advance for the eventuality and have systems in place that provide redundancy when the incident occurs. When it comes to business email continuity only one name comes to mind:

Microsoft Office 365

Guaranteed UptimeMicrosoft provides a Service Level Agreement (SLA) that financially backs their services based on a guaranteed amount of uptime per month. If service is down for more than 45 minutes (99.9% uptime) in a month then a 25% credit will be given, if service is down for more than 7 hours (99% uptime) in a month then a 50% credit will be given, and if for some reason they are down for more than 36 hours (95% uptime) in a month then a 100% credit will be given. Considering the literal billions of users of their products, having to give away credits for downtime would seriously cost Microsoft so it is in their favor to keep the services flowing.

Geographic Redundancy – Microsoft has Office 365 data copied to servers in no less than 8 datacenters around the United States including one nearby in Washington. This means that a hardware failure or lost data in one center will not effect the other 7 datacenters – email will continue to be routed through the others until services can be restored to the one. With redundancy like that there should be no worries about downtime or data loss.

Unparalleled Support – Office 365 email is running on Microsoft Exchange being administered and supported by the people who created it. There is nothing like going to the creator of something to talk to them when there is a problem. They have the breadth of experience that comes from using their own products for the past 20 years. This level of knowledge is unparalleled in the industry and it shows in the quality of service and support that is received. 

If your company needs the best in class reliability and service that comes from switching to Office 365, then contact us for assistance.

Xerox Scan to Email G-Suite (Fix Error 017-714)

Recently had trouble getting a Xerox VersaLink C7025 multifunction printer to Scan to Email correctly and found a couple solutions to the problem that I wanted to share. It all started when I configured the SMTP settings for the scanner to use G-Suite to send emails using the following article – “Send email from a printer, scanner, or app” but got the error 017-714 report from the printer. Did some searching online and found the following answer:

Using Google Insecure SMTP Server

As per the same article, the multifunction will work by using the following settings:

  • Device Email: clients scanner email address
  • SMTP Server: aspmx.l.google.com
  • Outgoing Port: 25
  • Connection Security: None
  • SMTP AUTH: None

This is great if the client wants the scans emailed only to people in their own domain. This will not allow sending to anyone outside their domain, which was not what this client wanted, so I contacted Xerox support and worked my way up to Level to support who pointed me to the following more secure answer:

Using Google Secure SMTP Server

The first thing to do is to make sure that Less Secure Apps setting is allowed for the Device Email account. This can be checked at – https://www.google.com/settings/security/lesssecureapps  but you might find that it has to be changed in the G-Suite Admin Console (disabled by default on all accounts). Once logged into https://admin.google.com,  click on Security then on Basic. Choose the option to allow each user to chose their own setting then go back to the less secure app setting page and change to allow for only that account. Now the multifunction can be configured as follows:

Xerox Scan to Email G-Suite

If your company has software that needs to be automatically updated or would like to sign-up for remote monitoring and maintenance, then contact us for assistance.

CyberSecurity Month – Small Business Tips

CyberSecurityBroadband and information technology are powerful tools for small businesses to reach new markets and increase sales and productivity. However, cybersecurity threats are real and businesses must implement the best tools and tactics to protect themselves, their customers, and their data. Visit www.fcc.gov/cyberplanner to create a free customized Cyber Security Planning guide for your small business and visit www.dhs.gov/stopthinkconnect to download resources on cyber security awareness for your business. Here are ten key cybersecurity tips to protect your small business:

1. Train employees in security principles.

Establish basic security practices and policies for employees, such as requiring strong passwords and establish appropriate Internet use guidelines, that detail penalties for violating company cybersecurity policies. Establish rules of behavior describing how to handle and protect customer information and other vital data.

2. Protect information, computers, and networks from cyber attacks.

Keep clean machines by having the latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats. Set antivirus software to run a scan after each update. Install other key software updates as soon as they are available. (Our managed monthly service contract customers already have this taken care of.)

3. Provide firewall security for your Internet connection.

A firewall is a set of related programs that prevent outsiders from accessing data on a private network. Make sure the operating system’s firewall is enabled or install free firewall software available online. If employees work from home, ensure that their home system(s) are protected by a firewall. (We don’t recommend the free stuff as you always get what you pay for.)

4. Create a mobile device action plan.

Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to password protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Be sure to set reporting procedures for lost or stolen equipment.

5. Make backup copies of important business data and information.

Regularly backup the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Backup data automatically if possible, or at least weekly and store the copies either offsite or in the cloud. (We recommend backup copies in both)

6. Control physical access to your computers and create user accounts for each employee.

Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel. (Definitely agree with the separate users and least

7. Secure your Wi-Fi networks.

If you have a Wi-Fi network for your workplace, make sure it is secure, encrypted, and hidden. To hide your Wi- Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password protect access to the router. (Also make sure to segregate public guest traffic from private traffic.)

8. Employ best practices on payment cards.

Work with banks or processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations pursuant to agreements with your bank or processor. Isolate payment systems from other, less secure programs and don’t use the same computer to process payments and surf the Internet.

9. Limit employee access to data and information, and limit authority to install software.

Do not provide any one employee with access to all data systems. Employees should only be given access to the specific data systems that they need for their jobs, and should not be able to install any software without permission.

10. Passwords and authentication.

Require employees to use unique passwords and change passwords every three months. Consider implementing multifactor authentication that requires additional information beyond a password to gain
entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multifactor authentication for your account. (Multifactor should be implemented on all web based applications from third party vendors.)

If your company is concerned about cybersecurity and wants to take the needed steps to protect yourselves, then contact us for assistance.

CrashPlan for Home is No More

Effective August 22, 2017, Code42 will no longer offer new – or renew – CrashPlan for Home subscriptions, and we will begin to sunset the product over several months. CrashPlan for Home will no longer be available for use starting October 23, 2018.

What alternatives exist?

CrashPlan itself is suggesting that customers move to Carbonite for their personal computer backups. In order to get the same great combination of onsite & offsite backup that CrashPlan users are used to, Farmhouse Networking recommends using Plus package that includes the backup to an external drive. This package is on sale for $25 off the normal yearly cost. Small businesses with only one computer will also find this package to be the most secure way of backing up their important files for the least out-of-pocket costs.

If your business has more than one computer or a server, Farmhouse Networking recommends upgrading to a full business class Backup & Disaster Recovery (BDR) solution with Synology. This provides both the speed of on-site recovery with the resilience of off-site recovery via the cloud. On-site recovery is much simpler with this BDR solution as the device becomes a copy of the main computer or server in the case of failure. This takes recovery time down to minutes instead of days.

If your company is using CrashPlan for backups and are not ready for the move, then contact us for assistance.

DNS Filtering for Security & Productivity

DNS filteringAny Human Resources department manager will attest to the need for an Acceptable Use Policy as part of the Employee Handbook. It should clearly state the proper use of business-owned workstations and what traffic is allowed on the company network. Monitoring this policy is next to impossible for small businesses, yet ignoring it leads to infections, security breaches, and huge losses to the bottom line by wasted employee productivity. How does a company stay safe from the big, bad Internet?

Policy Creation

This may sound boring, but before any monitoring and enforcement can take place legally, there must be a clearly defined policy in place with consequences for violations. This policy must be signed by each employee. Only when signed policies are in each employee’s file, can measures can be taken to monitor and enforce the new written policy.

No Administrator Access

There is no reason for the average employee to need Administrator access to a workstation once it is setup properly for business use. Most employees do not need to install any software or make any major setting changes without first consulting management and/or network support personnel. Software and operating system updates should also be handled by network support personnel or by an automated process. Installation of additional hardware should be cleared with management and implemented by network support personnel. Workstations are a company-owned tool to be used by the employee only for the best interests of the company, not for personal file storage or entertainment purposes.

DNS Filtering

The Internet is an invaluable tool for business purposes. There are, however, many threats out there, and the common user has no idea how to avoid them. There are also innumerable distractions ranging from time wasters to those that are downright illegal. DNS Filtering inspects every internet request against a database of known sites and blocks bad traffic before it goes anywhere on the internet. This keeps your internal network assets safe from malicious sites and content that is inappropriate for business or bad for productivity. This is accomplished without interrupting or slowing down the normal flow of good traffic around the Internet.

If your company is looking to add layers of security to your network or increase productivity by limiting Internet time wasters, then contact us for assistance.

Powershell One Liner: Disable User Protocols

Here is a quick powershell one liner that I came up with when I got a request from Microsoft Support to disable user protocols. I did some research and found out that they meant the protocols or services used to access Office 365 Exchange Online.

Connect to Microsoft Office365 via Powershell

Open Windows Azure Active Directory Module for Windows Powershell as Domain Administrator and type in the following to connect to Exchange Online via Powershell:

Set-ExecutionPolicy RemoteSigned
$creds = Get-Credential
(Enter the Office 365 Administrator credentials then click “OK” button.)
Import-Module MsOnline
Connect-MsolService -Credential $creds
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $creds -Authentication Basic -AllowRedirection
Import-PSSession $Session

Disable User Protocols

Once connected to Office 365 via Powershell, here is the one liner to disable user protocols:

Set-CASMailbox user@company.com -ImapEnabled $False -PopEnabled $False -OWAEnabled $False -ActiveSyncEnabled $False -MAPIEnabled $False

Enable User Protocols

Here is the one liner to enable user protocols:

Set-CASMailbox user@company.com -ImapEnabled $True -PopEnabled $True -OWAEnabled $True -ActiveSyncEnabled $True -MAPIEnabled $True

If your company is currently using Office 365 and needs help translating commands given by Microsoft Support, then contact us for assistance.

Setup Azure to Unifi USG IPSec VPN

Had another tech firm that needed some Tier 3 assistance as they were having trouble with their VPN connection. I helped them setup Azure to Unifi USG IPSec VPN to connect their headquarters to the hosted RemoteApps server. This tutorial will go into detail about the creation of this tunnel starting with the Microsoft Azure side first using Resource Manager. It will be using the following parameters:

  • VNet Name: TestNetwork
  • Address Space: 10.10.0.0/16
  • Subnets:
    • Primary: 10.10.10.0/24
    • GatewaySubnet: 10.10.0.0/24
  • Resource Group: TestResourceGroup
  • Location: West US
  • DNS Server: Azure Default
  • Gateway Name: TestVPNGateway
  • Public IP: TestVPNGatewayIP
  • VPN Type: Route-based
  • Connection Type: Site-to-site (IPsec)
  • Gateway Type: VPN
  • Local Network Gateway Name: TestSite
  • Local Subnet: 10.20.20.0/24
  • Connection Name: VPNtoTestSite

Configure an Azure VPN gateway

This part takes the longest, so it should be done first:

  • Click on the “+” icon at the top left hand side of the Resource Manager, then search for “Virtual Network Gateway” and click on the “Create” button.
    Azure Virtual Network Gateway
  • Give the Virtual Network Gateway a name
  • Select matching Region to where Azure resources are located
  • Leave Gateway & VPN type the defaults
  • Choose a SKU <- These have changed since the article was created, so my “standard” now is WpnGw1 with Active / Active turned off (this is a good balance of performance and cost)
  • Choose or create a local network (not covered here) that matches internal resources
  • Choose or create a Public IP Address
  • Leave the remaining values as their defaults and then click the “Create” button. (Please note the reminder that this takes 45 minutes to create!)
    Azure Virtual Network Gateway Setup

Configure an Azure Local Network Gateway

This is a reference to your on-premise network so that subnets can pass traffic:

  • Click on the “+” icon at the top left hand side of the Resource Manager, then search for “Local Network Gateway” and click on the “Create” button.
    Azure Local Network Gateway
  • Give the Local Network Gateway a name
  • Select matching Region to where Azure resources are located
  • Specify the external IP address of the local on-premise site
  • Specify the on-premise address space (subnet)
  • Leave the remaining values as their defaults and then click the “Create” button.
    Azure Local Network Gateway Setup

Configure an Azure VPN Connection

This will create the tunnel from Azure to the on-premise site:

  • Click on the “+” icon at the top left hand side of the Resource Manager, then search for “Connection” and click on the “Create” button.
    Azure VPN Connection
  • Choose “Site-to-site (IPSec)” as the connection type
  • Give the Connection a name
  • Select matching Region to where Azure resources are located
  • Leave the remaining values as their defaults and then click the “OK” button. On the summary screen click on the “OK” button to create the connection.
    Azure VPN Connection Setup #1
  • Choose the newly created Virtual Network Gateway
  • Choose the newly created Local Network Gateway
  • Specify a shared key
  • Leave the remaining values as their defaults and click the “Create” button.
    Azure VPN Connection Setup #2

This completes the setup of the Azure side of the VPN tunnel. Now to work on the Ubiquiti USG side.

Configuring an Ubiquiti USG VPN Network

This is a fairly simple process but it has to be precise:

  • Choose the Current Site from the top right hand side of the portal.
  • Click on the Settings gears down on the bottom left side of the portal.
  • Click on Networks then on the “Create New Network” button.
  • Give the connection a name, choose “Site-to-Site VPN” as the Purpose
  • Choose “IPSec VPN” as the VPN Type
  • Choose to Enable this Site-to-Site VPN
  • Add the Azure subnet under Remote Subnets
  • Get the newly created Virtual Network Gateway IP address from Azure for the Peer IP
  • Enter the on-premise external IP address for Local WAN IP
  • Enter the same shared key as used in the Azure VPN Connection for the Pre-Shared Key
  • Choose “Azure Dynamic Routing” as the IPSec Profile
  • Expand Advanced Options
  • Leave Key Exchange Version, Encryption, Hash & DH Group as default and uncheck the PFS & Dynamic Routing boxes.
    Ubiquiti USG VPN Connection Setup

That is all there is to it. If you have any difficulties with connection then delete and re-create the Ubiquiti USG side first (those two check boxes at the bottom of the Advanced Options will check themselves again, but don’t be fooled by this quirk in the software). If your company is currently using either Microsoft Azure or Ubiquiti USG routers and would like a VPN created, then contact us for assistance.

Using External Certificate for RemoteApps in .Local Domain

Recently did some Tier 3 support work for another technology company that was trying to setup a Windows Server 2016 RemoteApps server in Azure that would allow connectivity to remote users for their on-premise software. The process started with creating a VPN tunnel between on-premise and Azure, but that is a discussion for a future set of blog posts. Once this connection  was in place, the company tried to use an external certificate for RemoteApps setup on the server. This would have been fine if the internal domain had not been a “.local”  address scheme. This tutorial assumes that you have already installed Remote Desktop Services on a server and configured it to use the CA provided external certificate.

Change Remote Computer Name

One of the main sticking points that caused issues with security warnings for clients connecting is they would see the warning – “The remote computer could not be authenticated due to problems with its security certificate.” The fix for this has been graciously scripted in PowerShell by someone with the handle “TP” on Technet. The script is called Set-RDPublihedName.ps1 and is used as follows:

Set-RDPublishedName "remote.domain.com"

Proper Active Directory Group

There were then issues with the login process that caused the following error:

Remote Desktop can’t connect to the remote computer “<End Resource Name>” for one of these reasons:

1) Your user account is not authorized to access the RD Gateway “<RD Gateway Server Name>”
2) Your computer is not authorized to access the RD Gateway “<RD Gateway Server Name>”
3) You are using an incompatible authentication method (for example, the RD Gateway might be expecting a smart card but you provided a password)

This was coupled with Security Log messages – “The Network Policy Server was unable to connect to a domain controller in the domain where the account is located. Because of this, authentication and authorization for the RADIUS request could not be performed.” All this turned out to be the RD Gateway was not in the proper Active Directory Group, so added the server to the RAS and IAS Servers group.

Add URL to IIS

There was then an error about not being able to find the computer name, which turned out to be a setting in IIS. Looking under Sites > Default Web Site > RDWeb > Pages click on Application Settings and change the DefaultTSGateway to the URL of the CA external certificate for RemoteApps.

Fixing RS CAP & RAP

Last error that was received was the following:

Remote Desktop can’t connect to the remote computer “computername” for one of these reasons:

1) Your user account is not listed in the RD Gateway’s permission list
2) You might have specified the remote computer in NetBIOS format (for example, computer1), but the RD Gateway is expecting an FQDN or IP address format (for example computer1.fabrikam.com or 157.60.0.1).

This turned out to be related to the RD Client Access Policy (CAP) & Remote Access Policy (RAP) under the RD Gateway Manager tool and DNS. For RD CAP, make sure that Domain Users is listed, and that Client Computer Group membership is blank. FTor RD RAP, make sure that Domain Users is listed, and that it is set to allow connection to Any Network Resource (This allows remote access). For DNS, make sure it contains a Forward Lookup Zone that points to the URL of the CA external certificate for RemoteApps and has an A record for the internal IP address of the RD server.

If your company is currently moving some of your resources to the Azure cloud or wanting to properly setup your RemoteApps server, then contact us for assistance.

Google Apps Migration for Microsoft Outlook

Had a small client recently that wanted to move from standard hosted email service (via WHM / cPanel based server) to Google Apps. In doing the Google Apps migration I found that they had a mix of POP3 and IMAP configured throughout the organization, so using the G Suite Migration for Microsoft® Exchange like I would for larger migrations that are based in IMAP only was out of the question. I found the Google Apps Migration for Microsoft Outlook® which was better suited for doing the job in this small mixed environment.

Google Apps Migration for Microsoft Outlook

If your company is going to use G Suite aka Google Apps migration needs to be performed, then contact us for assistance.

WHM AWS S3 Glacier Backup Setup

Amazon AWS S3 Storage to the rescue again with native support in WebHost Manager (WHM) to backup directly to S3. WHM AWS S3 Glacier backup is easy to setup and works like a charm. Included in this post are the standard settings that I use for all WHM backups.

WHM AWS S3 Glacier Backup Setup

  • Login to WHM and run a quick search for backup at the top left of the navigation pane
    WHM AWS S3 Glacier Backup - Quick Search
  • Click on “Backup Configuration” to begin setup
  • Under “Backup Status” choose “Enabled”, under “Backup Type” choose “Compressed” to save on bandwidth and leave the timeouts at their defaults
    WHM AWS S3 Glacier Backup - Backup Status
  • Under “Scheduling and Retention” choose to do a backup each day of the week and keep them for 30 days
    WHM AWS S3 Glacier Backup - Scheduling and Retention
  • Under “Files” choose to disable “Backup Suspended Accounts”, choose to enable “Backup Access Logs”, choose to enable “Backup Bandwidth Data”, choose to disable “Use Local DNS” and put a check next to “Backup System Files” to allow for full restores if needed
    WHM AWS S3 Glacier Backup - Files
  • Under “Databases” choose both “Per Account and Entire MySQL Directory”, under “Default Backup Directory” type in:

    /backup

    Leave the “Retain backups in default directory” unchecked and disable “Mount Backup Drive as Needed”
    WHM AWS S3 Glacier Backup - Databases

  • Under “Additional Destinations” choose Amazon S3 from the drop down list and click on the “Create new destination button”
  • Assuming there is already a bucket and user created in AWS for this purpose – give the destination a name, check the box next to “Transfer System Backups to Destination”, type in the name of a folder in the bucket under “Folder” that will be created and used, type in the name of the “Bucket”, type in the “Access Key ID” and “Secret Access Key” then change the timeout to 60 seconds
  • Click on the “Save and Validate Destination” button to make sure all settings are correct
  • Finally click on the “Save Configuration” at the bottom to complete the WHM AWS S3 Glacier Backup setup.

Your WHM AWS S3 Glacier Backup has now been setup and with proper setup of S3 Storage there will be automatic archival too. If your company is using Amazon Web Services or S3 Storage for backup and need help getting it setup properly, then contact us for assistance.

Archives

Categories

Plant a Seed @ 541-761-9549
233 Rogue River Hwy #873 Grants Pass, OR 97527
Mon-Fri: 9:00am-5:00pm
support@farmhousenetworking.com
© 2016-2025 - Farmhouse Networking. All rights reserved
Terms and Conditions Privacy Policy

Evaluation Signup

Error: Contact form not found.

And God will generously provide all you need. Then you will always have everything you need and plenty left over to share with others. As the Scriptures say,
“They share freely and give generously to the poor. Their good deeds will be remembered forever.”
For God is the one who provides seed for the farmer and then bread to eat. In the same way, he will provide and increase your resources and then produce a great harvest of generosity in you. - 2 Corinthians 9:8-10