Keep running into this issue at client sites where an on-premise Microsoft Exchange Server (especially Microsoft SBS Server) to Office 365 migration has taken place. Client workstations are unable to connect to Office 365 servers via Autodiscover for their migrated email accounts. During Outlook first run it would pre-populate their email correctly but then try to connect to the old email server instead. If the DNS settings for the workstation were changed to non-domain external DNS servers, then the email would not pre-populate but the setup would complete successfully. Checked the Autodiscover URL using NSLOOKUP to the Microsoft servers from the local domain DNS servers successfully, so felt a little stumped. Research pointed to the Service Connection Point (SCP) object in Active Directory, which can either be deleted from the server or excluded on a per-workstation basis, so both will be shown here. Starting with the server first:
Deleting SCP from Server after Office 365 Migration
Log in to a server with Active Directory Domain Services installed as an administrator
Launch ADSI Edit (adsiedit.msc) from the Start Menu
Right-click on the root of the console and choose “Connect to…”
Under “Select a well known Naming Context” choose Configuration
Navigate down through the tree as follows (other tech sites always list these from the bottom up, for some reason):
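Both remedies from the post, the server-side deletion and the per-workstation exclusion, as an added PowerShell example that is not part of the original post. It finds the Autodiscover SCP objects exactly the way Outlook does (a search of the Configuration partition for serviceConnectionPoint objects carrying the Autodiscover keyword GUID), prints the URL each one advertises, deletes them only when run with -Action Delete, and with -Action ExcludeWorkstation sets Outlook's ExcludeScpLookup value instead. The Outlook version key (16.0 for 2016/2019/365, 15.0 for 2013, 14.0 for 2010) is a parameter you pick to match the installed client.

```powershell
<#
  Added example, not from the original post. Run on a domain-joined machine.
  List/Delete need read (and for Delete, delete) rights on the Configuration
  partition; ExcludeWorkstation only touches the current user's registry hive.
#>
param(
    [ValidateSet('List', 'Delete', 'ExcludeWorkstation')]
    [string]$Action = 'List',
    # Outlook 2016/2019/365 = 16.0, Outlook 2013 = 15.0, Outlook 2010 = 14.0
    [string]$OutlookVersion = '16.0'
)

# GUID Exchange stamps into the "keywords" attribute of Autodiscover SCP objects.
$AutodiscoverScpGuid = '77378F46-2C66-4aa9-A6A6-3E7A48B19596'

if ($Action -eq 'ExcludeWorkstation') {
    # Per-workstation alternative: this user's Outlook skips the SCP lookup and
    # goes straight to the DNS-based Autodiscover steps.
    $keyPath = "HKCU:\Software\Microsoft\Office\$OutlookVersion\Outlook\AutoDiscover"
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    New-ItemProperty -Path $keyPath -Name 'ExcludeScpLookup' -PropertyType DWord -Value 1 -Force | Out-Null
    "Set ExcludeScpLookup=1 under $keyPath"
    return
}

# Bind to the Configuration naming context; no AD module needed, only domain membership.
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$configNc"
$searcher.Filter     = "(&(objectClass=serviceConnectionPoint)(keywords=$AutodiscoverScpGuid))"
$searcher.PageSize   = 200
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'serviceBindingInformation'))

$scps = $searcher.FindAll()
if ($scps.Count -eq 0) {
    'No Autodiscover SCP objects found; AD is not steering Outlook to an on-premise server.'
    return
}
foreach ($scp in $scps) {
    $dn  = [string]$scp.Properties['distinguishedname'][0]
    # serviceBindingInformation holds the Autodiscover URL Outlook tries before any DNS lookup,
    # which is why the old server keeps showing up even though DNS points at Microsoft.
    $url = @($scp.Properties['servicebindinginformation']) -join ', '
    "SCP : $dn"
    "URL : $url"
    if ($Action -eq 'Delete') {
        # Removes only the SCP object; the rest of the old Exchange configuration is untouched.
        ([ADSI]"LDAP://$dn").DeleteTree()
        '      deleted'
    }
}
```

Run it with the default -Action List first and read the URL column: if it still names the decommissioned Exchange server, that is the object the ADSI Edit steps above end up deleting. Prefer the server-side delete once the migration is complete; the registry exclusion is the right tool while some mailboxes are still on-premise and only specific workstations must bypass the SCP.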
Recently ran into an issue where a company wanted to use multiple types of VoIP phones that required separate settings to download their configuration with a vendor – this is usually done in a homogeneous environment via DHCP option 66 settings. (Option 66 is part of IETF RFC 2132, which states that this option uses an FQDN or IP address to point to a TFTP server.) In this particular setup only one VoIP phone vendor at a time could be specified in option 66, so custom settings were going to be needed to make all the other vendors’ phones work properly. Found that this could be done via DHCP reservation on either their Windows Server 2012 R2 Standard or on their Cisco 871w router, but I am sure there are ways to do it on other vendors’ equipment (which is outside the scope of this article). So here is how to configure the
Windows Server DHCP Option 66 Reservation
Turn the phone on its back and record the MAC address of the device.
Start the DHCP administrative tool on the server.
Expand the tree to IPv4, then to the scope needing the reservation.
Right-click on Reservations and choose “New Reservation…”
Give the new reservation a name, and specify the IP address and the MAC address recorded previously.
Right-click on the new reservation and choose “Configure Options…”.
In the reservation options scroll down to 066 Boot Server Host Name and enter the host name or IP address of the vendor’s configuration server (a reservation-level option overrides the scope-level value for that phone only).
Make sure the vendor has reset the authorization token, then factory reset the phone so it pulls the new reservation and configuration files.
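The same Windows Server procedure done with the DhcpServer module, as an added example that is not part of the original post. The scope, addresses, MACs and provisioning hosts are made-up placeholders; the point it shows beyond the clicks above is that one reservation per phone carries its own option 66, and the verification loop at the end reads back the effective value so a typo does not surface only when the phone fails to provision.

```powershell
# Added example, not from the original post. Requires the DhcpServer module
# (RSAT or the DHCP role) and rights to administer the DHCP server.
Import-Module DhcpServer

$ScopeId = '192.168.10.0'   # placeholder scope

# Constructed inventory: MAC from the label on the back of each phone, and the
# provisioning server each vendor told us to use (host name or IP address).
$phones = @(
    @{ Name = 'Reception-VendorA'; IP = '192.168.10.201'; Mac = '00-11-22-33-44-55'; Provisioning = 'prov.vendor-a.example' },
    @{ Name = 'Warehouse-VendorB'; IP = '192.168.10.202'; Mac = '66-77-88-99-AA-BB'; Provisioning = '203.0.113.20' }
)

foreach ($p in $phones) {
    # Create the reservation unless one already exists for this MAC.
    $existing = Get-DhcpServerv4Reservation -ScopeId $ScopeId -ErrorAction SilentlyContinue |
                Where-Object { $_.ClientId -eq $p.Mac }
    if (-not $existing) {
        Add-DhcpServerv4Reservation -ScopeId $ScopeId -IPAddress $p.IP -ClientId $p.Mac -Name $p.Name
    }
    # Reservation-level option 66 (Boot Server Host Name) overrides the scope-level
    # value for this address only, so each vendor's phones get their own server.
    Set-DhcpServerv4OptionValue -ReservedIP $p.IP -OptionId 66 -Value $p.Provisioning
}

# Verify: read back the effective option 66 for each reserved address.
foreach ($p in $phones) {
    $opt = Get-DhcpServerv4OptionValue -ReservedIP $p.IP -OptionId 66
    '{0,-20} {1,-16} option66={2}' -f $p.Name, $p.IP, ($opt.Value -join ',')
}
```

Keep in mind that option 66 is handed out unauthenticated: a phone will fetch its configuration (credentials included) from whatever server the DHCP answer names, so the vendor's authorization-token reset in the last step above is doing real security work, and DHCP snooping on the voice VLAN is worth enabling where the switches support it.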
Cisco 800 Series DHCP Option 66 Reservation Setup
Something to remember is that each reservation is treated as its own DHCP pool by the router. (I recommend exporting the configuration file to a local workstation and editing it manually if there are more than a couple of edits to make.)
Login to router and enter configuration terminal mode:
While investigating an ambient music service for a business through Pandora for Business, found this incredible new way for businesses to socially connect with the users of their free WiFi service. With Social WiFi using the Mood WiFi router set up properly, users will be taken to a portal page upon connecting to the free WiFi system. This portal page asks them to log in via a Facebook, Twitter or Instagram account or an email address, and those who connect with social media are then asked to like the business they are connecting at to gain access to the internet. This system brilliantly allows businesses to track who is using their internet service and deeply connect with them via social media. I could easily see this as a huge benefit for any small retail store or restaurant wanting to expand their advertising dollar on a very small budget ($35 per month).
Here are the basics, as promised earlier, for deploying the Remote Desktop Gateway role on the Windows Server 2012 platform. These are the steps to add only this role on a single server:
Install Remote Desktop Gateway Role on Windows Server 2012
Once logged in as an administrator, open Server Manager and select “Add roles and features”
If you have not already, check the box next to “Skip this page by default”, then click “Next >”
It is important to select “Role-based or feature-based installation” here before clicking “Next >”. This article only explains how to install RD Gateway, not a full Remote Desktop Services deployment.
Select the server that will host the RD Gateway role, then click “Next >”
Select Remote Desktop Services role
Skip feature selection, as you don’t need anything here
On the Remote Desktop Services role page click “Next >”
When the Add Roles and Features Wizard pop-up asks for the required features, click “Add Features”
Make sure the Remote Desktop Gateway role service is selected and click “Next >”
On the Network Policy and Access Services (NPS) page click “Next >”
Make sure the Network Policy Server role service is selected and click “Next >”
Leave the defaults for the Web Server Role (IIS) role services selected and click “Next >”
Check the “Restart the destination server automatically if required” check-box, then click “Install”
You may notice that Server Manager states there are no RD Connection Broker servers in the server pool. This is by design, since this is not a complete Remote Desktop Session Host environment; we want only RD Gateway.
In Server Manager go to Tools > Terminal Services > Remote Desktop Gateway Manager and you will see that the Remote Desktop Gateway server is not configured. One of the most important things for keeping things simple for the user is the RD Gateway certificate: the certificate is installed on the server, and the client must trust it, which means either its issuing CA is already trusted by Windows (a publicly trusted CA) or the issuing root certificate has to be imported on every client workstation as well, otherwise the connection will not work. It is highly recommended to use a certificate from a publicly trusted CA whose subject or SAN is the external name clients will type in. StartSSL, the free provider originally suggested here, has since been distrusted by browsers and Windows, so use a current public CA instead (Let’s Encrypt issues free certificates).
Click on “View or modify certificate properties” then click on “Import Certificate…”
Navigate to the file downloaded from your certificate provider and import it.
On the right-hand side click “Create New Authorization Policies”, which starts the wizard
In the wizard select “Create a RD CAP and a RD RAP (recommended)”, then click “Next >”
Name the Remote Desktop Connection Authorization Policy (RD CAP), then click “Next >”
Leave the default of Password authentication, then select an Active Directory user group (I usually create one specifically for this purpose and add the needed members to it), then click “Next >”. Password authentication means the gateway accepts domain passwords from the internet, so keep that group small, make sure account lockout is in force, and consider the smart card option on this page where the client hardware allows it.
Device redirection and session timeout are left at their defaults, so click “Next >”
Name the Remote Desktop Resource Authorization Policy (RD RAP), then click “Next >”
Select an Active Directory computer group (I usually create one specifically for this purpose and add the needed endpoints to it), then click “Next >”. This group is what limits which internal machines gateway users can reach, so do not use “any network resource”.
Leave the default port as 3389, then click “Next >”
Finish the wizard and you will receive a message that the RD CAP and RD RAP policies have been created successfully.
The server is now configured. On the client workstation, make sure the certificate chain is trusted: there is nothing to do for a certificate from a public CA; for a private or self-signed certificate, import the issuing root certificate into the workstation’s Trusted Root Certification Authorities store.
Open the RDP client (mstsc), click “Show Options”, go to the “Advanced” tab, then click “Settings…”
Specify the RD Gateway server here. (The RD Gateway address entered here must match the name on the certificate.) Then select “Use my RD Gateway credentials for the remote computer” and click “OK”
On the General tab, specify the computer name of the workstation or server inside the network and the full username including the local domain, then click “Connect”
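The server-side half of the procedure above from PowerShell, as an added example that is not part of the original post: role install, the two AD groups the wizard asks for, and picking a certificate from the machine store that actually validates for SSL under the gateway's external name before binding it. The host name and group names are placeholders. The RDS: provider path used to bind the certificate is as I recall it and is flagged in the code; the CAP and RAP themselves are still created with the wizard as described above.

```powershell
# Added example, not from the original post. Run elevated on the future gateway;
# the group step needs the ActiveDirectory module (RSAT) and rights to create groups.
$GatewayFqdn   = 'rdgw.example.com'   # placeholder; must match the certificate subject/SAN
$UserGroup     = 'RDGW-Users'         # placeholder; referenced by the RD CAP
$ComputerGroup = 'RDGW-Computers'     # placeholder; referenced by the RD RAP

# 1. Role install. RDS-Gateway pulls in NPS and IIS as dependencies.
Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools

# 2. The groups the authorization-policy wizard asks for (skip any that exist).
Import-Module ActiveDirectory
foreach ($g in $UserGroup, $ComputerGroup) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security
    }
}

# 3. Pick the newest certificate with a private key whose DNS names cover the gateway
#    name, then check it chains to a trusted root and matches that name for SSL.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $GatewayFqdn) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $GatewayFqdn in LocalMachine\My" }
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $GatewayFqdn -ErrorAction SilentlyContinue)) {
    throw "Certificate $($cert.Thumbprint) does not chain to a trusted root or does not match $GatewayFqdn"
}
"Using certificate $($cert.Subject) (thumbprint $($cert.Thumbprint), expires $($cert.NotAfter))"

# 4. Bind it to RD Gateway through the RemoteDesktopServices provider.
#    Assumption: the item path RDS:\GatewayServer\SSLCertificate\Thumbprint; confirm by
#    reading it back (step 5) and by opening RD Gateway Manager afterwards.
Import-Module RemoteDesktopServices
Set-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $cert.Thumbprint

# 5. Report what is now bound.
Get-Item RDS:\GatewayServer\SSLCertificate\Thumbprint | Select-Object Name, CurrentValue
```

The Test-Certificate call is the part that prevents the most common support call: a certificate that imports fine but whose name or chain the client rejects. If it throws here, fix the certificate before touching the client side.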
Working on a client who was the victim of their previous IT company over-using Microsoft Office 2010 Pro Plus licenses on workstations. This caused them all to have licensing errors and required the client to switch to the Microsoft Open License agreement that they previously had for Office 2010 Standard. After uninstalling and re-installing the software, the Microsoft Outlook 2010 client repeatedly asked for credentials even though they were entered correctly. Stumbled across the Microsoft Support and Recovery Assistant for Office 365 in my Google search for the root cause, so I gave it a try. This tool was child’s play to use and within minutes found that Microsoft Outlook 2010 needed Service Pack 2 installed in order to be compatible with Office 365. Installed this patch and the client immediately connected. Thanks for the new Office 365 troubleshooting tool, Microsoft.
Recently converted a client’s Windows Server 2012 R2 Standard terminal server into a Remote Desktop Protocol (RDP) Gateway server so that remote users could connect to their workstations inside the corporate network. (The details of how to do this properly will follow soon in another post.) Once the setup was completed it was time to test the connectivity as follows:
Testing RDP Connectivity
Log into a remote workstation
Open the Microsoft Terminal Services Client (mstsc)
Type the computer name and user name into the General tab:
Click on the Advanced tab and then on the Settings… button.
Choose “Use these RD Gateway server settings”, then type in the external address of the RDP Gateway
Choose “Bypass RD Gateway server for local addresses”
Choose “Use my RD Gateway credentials for the remote computer”, then click OK
You should then be able to click Connect to tunnel through to that workstation
Issues with NULL SID were as follows:
Getting errors during the login process about inability to connect; noticed that it accepted credentials at the RDP Gateway but then failed when trying to log in to the local workstations.
Attempted to connect from machines without KB2592687 and KB2830477 installed, but the same errors occurred.
Checked the event logs on the local workstation and found Event ID 4625 entries with a NULL SID, which should have pointed to issues with authentication.
Tested for NTLMv2 login issues by changing the following registry entry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] – LMCompatibilityLevel set above 3
Did the same thing via Group Policy using the following setting:
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options – “Network security: LAN Manager authentication level” set to “Send NTLMv2 response only”
Finally narrowed it down to NTP settings on the router not being set and a mismatch of time.
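A pre-flight check a client can run before opening mstsc, as an added example that is not part of the original post. It covers the two things that caused trouble above: whether the gateway's certificate would be accepted as-is (name match and chain, reported rather than silently failing), and how far the workstation's clock is from the domain's time source, since Kerberos rejects tickets once the skew passes five minutes and that is exactly what surfaces as a 4625 with a NULL SID at the inside machine after the gateway has already accepted the credentials. Gateway and time source names are placeholders; the w32tm output parsing assumes the usual "hh:mm:ss, +00.0012345s" sample lines from /dataonly.

```powershell
# Added example, not from the original post. Runs on the client; no admin rights needed.
param(
    [string]$Gateway    = 'rdgw.example.com',   # placeholder external gateway name
    [string]$TimeSource = 'dc01.corp.example'   # placeholder: a DC, or the router if it serves NTP
)

$script:tlsPolicyErrors = 'NotChecked'

function Test-RdGatewayTls {
    param([string]$HostName, [int]$Port = 443)
    $result = [ordered]@{ Host = $HostName; TcpOpen = $false; Subject = $null; Expires = $null; PolicyErrors = 'NotChecked' }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $result.TcpOpen = $true
        # The callback records why Windows would reject the certificate (name mismatch,
        # untrusted chain) instead of hiding it behind a generic connection failure.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $policyErrors)
            $script:tlsPolicyErrors = $policyErrors
            return $true   # accept here for inspection only; mstsc itself will not
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Subject      = $cert.Subject
        $result.Expires      = $cert.NotAfter
        $result.PolicyErrors = $script:tlsPolicyErrors.ToString()
        $ssl.Dispose()
    } catch {
        $result.PolicyErrors = $_.Exception.Message
    } finally {
        $client.Dispose()
    }
    [pscustomobject]$result
}

function Get-ClockOffsetSeconds {
    param([string]$Server, [int]$Samples = 3)
    # /dataonly prints one "hh:mm:ss, +00.0123456s" line per sample; positive means the
    # reference clock is ahead of this machine.
    $lines = & w32tm.exe /stripchart /computer:$Server /samples:$Samples /dataonly 2>&1
    $offsets = foreach ($l in $lines) {
        if ($l -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "Could not read a time offset from $Server : $($lines -join ' ')" }
    ($offsets | Measure-Object -Average).Average
}

$tls = Test-RdGatewayTls -HostName $Gateway
$tls | Format-List
if ($tls.PolicyErrors -ne 'None') {
    Write-Warning "mstsc will refuse the gateway certificate: $($tls.PolicyErrors)"
}

$offset = Get-ClockOffsetSeconds -Server $TimeSource
if ([math]::Abs($offset) -gt 300) {
    Write-Warning ('Clock is {0:N1}s off from {1}; Kerberos allows 5 minutes, expect 4625/NULL SID logons' -f $offset, $TimeSource)
} else {
    'Clock offset from {0}: {1:N3}s (OK)' -f $TimeSource, $offset
}
```

The certificate check reports RemoteCertificateNameMismatch when the name typed into the RD Gateway settings differs from the certificate, and RemoteCertificateChainErrors when the issuing CA is not trusted on the client; both map directly to the "address and certificate name must match" note in the setup post. The clock check is the one that would have shortened the troubleshooting above.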
Recently wrestled with a Juniper SRX 220 router that a client needed help with securing RingCentral on. This entailed creating port forwarding rules for specific secure port ranges for TLS transport and linking those with rules for specific IP ranges belonging to RingCentral servers. Here are the specific lines of code that were used to make this connection possible (I am also throwing in the CoS settings used to shape traffic for good measure):
security policies from-zone Internet to-zone LAN policy RingCentral_IP1_NAT match source-address RingCentral_IP1
security policies from-zone Internet to-zone LAN policy RingCentral_IP1_NAT match destination-address any
security policies from-zone Internet to-zone LAN policy RingCentral_IP1_NAT match application RingCentral
security policies from-zone Internet to-zone LAN policy RingCentral_IP1_NAT then permit
security policies from-zone Internet to-zone LAN policy RingCentral_IP2_NAT match source-address RingCentral_IP2
security policies from-zone Internet to-zone LAN policy RingCentral_IP2_NAT match destination-address any
security policies from-zone Internet to-zone LAN policy RingCentral_IP2_NAT match application RingCentral
security policies from-zone Internet to-zone LAN policy RingCentral_IP2_NAT then permit
security zones security-zone Internet address-book address RingCentral_IP1 220.127.116.11/22
security zones security-zone Internet address-book address RingCentral_IP2 18.104.22.168/22
applications application RingCentral term Mobile_App_Media destination-port 4000-5000 protocol udp
applications application RingCentral term Phone_Registration_UDP destination-port 5060-6000 protocol udp
applications application RingCentral term Phone_Registration_TCP destination-port 5060-6000 protocol tcp
applications application RingCentral term RTP_SRTP_Softphone1 destination-port 8000-8200 protocol udp
applications application RingCentral term RC_Meeting_Signaling_UDP destination-port 8801-8802 protocol udp
applications application RingCentral term RC_Meeting_Signaling_TCP destination-port 8801-8802 protocol tcp
applications application RingCentral term RTP_SRTP_Deskphone destination-port 16384-16482 protocol udp
applications application RingCentral term RTP_SRTP_Softphone2 destination-port 20000-60000 protocol udp
This should be everything unless you have custom firewall filters to lock down management access or something else like that. Two things worth checking before calling it done: the policies above match destination-address any, and on the SRX a policy is evaluated against the post-NAT destination, so they admit the listed RingCentral ranges to whatever the destination NAT rules map; scoping them to the phone addresses the NAT actually targets is tighter. The address-book entries also carry /22 prefixes, so confirm those blocks against RingCentral’s currently published supernets rather than assuming the whole /22 is theirs. Please feel free to contact us if you need any help configuring either your RingCentral account or Juniper routers or switches.