Configuring SSTP VPN connections to Threat Management Gateway 2010
SSTP or SSL VPN connections are great for people working on client sites or behind very restrictive firewalls – they only require HTTPS (port 443) to be open to be able to connect. Unfortunately, you need to be running Windows 7 or Server 2008 (or newer) in order to make use of them. Threat Management Gateway 2010 is one option for an SSL VPN endpoint.
SSTP VPN Requirements
- Clients must be Windows 7/Server 2008 or newer
- Certificate – either commercial or an internal Certificate Authority
- Published CRL – SSTP clients check for the Certificate Revocation List of the CA
- If you already have an SSL listener (e.g. for Exchange publishing rules) then you need a dedicated IP address for the SSTP connection
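The CRL requirement above is the one most often missed: a Windows SSTP client validates the listener's certificate, including a revocation check against the CRL distribution point (CDP) embedded in it, before the tunnel exists, so the CRL must be fetchable from an ordinary client network. The following script is an added example, not part of the original post or of TMG, that pulls the listener certificate, extracts the CDP URIs and tries to fetch each one. It assumes openssl and curl are available; the host name passed on the command line is whatever your listener is, and `vpn.example.invalid` in the comments is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the CRL distribution
# point of an SSTP/SSL listener certificate is published where a client can
# reach it. Assumes openssl and curl. Usage: ./check_crl.sh vpn.example.invalid

# Print the URIs listed under "X509v3 CRL Distribution Points" from
# `openssl x509 -noout -text` output on stdin. OCSP/AIA URIs are ignored.
extract_crl_urls() {
    awk '
        /CRL Distribution Points/ { in_crl = 1; next }
        in_crl {
            match($0, /^ */)
            # a non-blank line indented 12 spaces or fewer is the next extension
            if ($0 !~ /^ *$/ && RLENGTH <= 12) { in_crl = 0 }
            else if ($0 ~ /URI:/) { sub(/.*URI:/, ""); print }
        }
    '
}

# Fetch the listener certificate, then try every CDP URI it advertises.
# Returns non-zero if the certificate has no CDP or any CDP is unreachable.
check_sstp_crl() {
    host="$1"; port="${2:-443}"
    urls=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
           | openssl x509 -noout -text | extract_crl_urls)
    if [ -z "$urls" ]; then
        echo "no CRL distribution point in the certificate presented by $host" >&2
        return 1
    fi
    rc=0
    for url in $urls; do
        case "$url" in
            http://*) ;;
            *) echo "warning: $url is not plain HTTP; Windows revocation checking fetches CRLs over HTTP" >&2 ;;
        esac
        if curl -sSf --max-time 10 -o /dev/null "$url"; then
            echo "ok: $url"
        else
            echo "UNREACHABLE: $url" >&2
            rc=1
        fi
    done
    return $rc
}

if [ $# -ge 1 ]; then check_sstp_crl "$@"; fi
```

Run it from a client network (a coffee-shop hotspot or a customer's guest LAN), not from inside the data centre, because that is where the SSTP client will be when it performs the check; a CDP that resolves only to an internal address passes from the office and fails everywhere else.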
Keep it simple stupid!
I am a firm believer in trying to keep things simpler wherever possible (but not for the sake of it). In years gone by I have heard many admins lament the complexities of deploying IIS to work alongside third-party plugins such as PHP. I can remember numerous occasions where I have wrestled with the config and "best practice".
I am, however, glad to say that Microsoft have finally taken notice of this and produced a very simple and effective deployment toolkit.
The Microsoft Web Platform Installer (now in version 3.0)
I have recently deployed an IIS 7.0 server that required PHP and MySQL using this tool and I am very happy with the results!
I know generally any system admin will avoid "wizards" as it were but in this instance it is time well saved!
Online Archiving with Exchange 2010? Can’t see your Online Archive in Outlook?
Having recently managed several Exchange 2010 migration projects, one of the best new features which really sells it to systems administrators is the Online Archive. “No more managing PST files? When can we have it installed by?”
The problem is, once they’ve purchased licensing for Exchange 2010 and installed and configured the server, migrated the users’ mailboxes and decommissioned the old Exchange 2003 server, the Online Archive feature is not available. The users have been enabled, and as of SP1 we have a separate Archive mailbox database configured on slow (cheap) storage, but the Online Archive is nowhere to be found in Outlook. If the users log on using OWA, lo and behold the Online Archive is available.
Now, fair enough, Microsoft require an Enterprise Client Access License (CAL) per user for this feature – it’s an Enterprise level feature and you pay for it. What is not so apparent unless you dig around the licensing site is that you also need the Volume Licensing version of Outlook 2010 or 2007 called “Pro Plus”. An OEM or Retail copy of Outlook will not cut it.
Where does this leave them then? Small companies who have shelled out for OEM/Retail copies of Office Professional cannot afford to simply purchase a whole new VLK copy and upgrade. You can’t upgrade an OEM/Retail license to a VLK license, there’s no path. These companies have paid for the Enterprise CALs to use Enterprise features, only to find out that it’s not just the CAL they need!
To me, this is a BIG flaw in the way Microsoft are selling Exchange 2010. Licensing is complex enough without adding this sort of gotcha to a solution, and the companies have paid for an Enterprise CAL. They’re not trying to use an Enterprise feature on a Standard license, they’ve paid for it!
And people like me can’t turn round and recommend an upgrade to a client without upgrading the entire Office licensing too. I hope Microsoft sort this out, I really do, because in all honesty, it puts a real downer on an otherwise superb product that up till now I have had no hesitation in recommending.
I normally make it a rule that what I post on here is a solution, unfortunately in this case the solution is expensive and involves upgrading your licensing.
Exchange 2010 – CreateTestUser : Mailbox could not be created. Verify that OU ( Users ) exists and that password meets complexity requirements
While using the New-TestCasConnectivityUser.ps1 script to create a test user for Exchange 2010’s connectivity testing, I ran into an issue:
CreateTestUser : Mailbox could not be created. Verify that OU ( Users ) exists and that password meets complexity requirements.
At C:\Program Files\Microsoft\Exchange Server\V14\Scripts\new-TestCasConnectivityUser.ps1:255 char:27
+ $result = CreateTestUser <<<< $exchangeServer $mailboxServer $securePassword $OrganizationalUnit $UMDialPlan $UMExtension $Prompt
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,CreateTestUser
Oddly enough, that OU does exist (as it will by default on any Windows Domain!) and the password more than satisfied the complexity requirements. The issue is simple enough to fix: I opened the script in Notepad and found the line beginning “new-mailbox” and deleted the parameter “-OrganizationalUnit:$OrganizationalUnit”. This means the new user defaults to the default OU – Users!
Just a simple fix to save some time! Thanks MS for the buggy script!
Update: Looks like this occurs when there's more than one OU called Users - my fix will still sort it, but at least you know!
Batch Converting Video Files on Ubuntu Linux using HandbrakeCLI
Disclaimer: this post is more for my own recollection than anything else! When it comes to Linux, I’m an amateur and everything I do from the simplest thing upwards is copy-and-paste from much more informed bloggers and websites!
My home server is running Ubuntu Linux 10.10 – access is via an SSH client only. I run an NFS file server for my home network, which stores my Music and Video for the network, and is running an iTunes server. Most of my DVDs have been ripped to high quality MP4 files for viewing on PC, but they aren’t suitable for my iPhone, so I also frequently compress them for viewing on that device.
The following command lists the files in the Source folder and runs Handbrake via the CLI to convert the files using the iPhone template and spits them out to the Video folder.
for file in /media/Data/NFS/Source/*.vob; do HandBrakeCLI -v -i "$file" -o "/media/Data/NFS/Video/$(basename "$file" .vob).mp4" --preset="iPhone & iPod Touch"; done
The case of the missing network adaptor: a.k.a Installing additional drivers on ESXi 4.1
Recently I installed and configured a client’s new ESXi host, they’re a small company and only require a single host. The host in question was an IBM x3650 M3, an excellent workhorse for virtualisation and one of 5 or 6 of the same model that I’ve installed in the last year. In addition to the onboard Broadcom Dual Gigabit NIC, we always install at least a second Intel PCIx Dual Gigabit card for resilience/redundancy/performance.
A start is a start
So here we go, my very first tech blog... so what on earth do I start with?
Given I am unlikely to have any profound revelations I shall simply focus on what I have discovered as useful and helpful on my travels!
First up then...
I have been asked on many occasions by individuals and SMEs whether they should opt for a brand such as HP over Dell or vice versa... as ever my default response is a brief needs analysis. It seems all too often folk get caught up in hearsay/brand loyalty over suitability.
For example, I have had both great and poor experiences with well-known brands such as HP and Dell.
More importantly, our job in IT is to find out what the need really is! And then source a suitable, cost-effective solution that will last at least for the duration specified. Of course I am simplifying the matter a great deal, but in a nutshell that is what we must do and what really should be expected of us. I have lost count of the number of times I have come across IT solutions that are utterly overkill or completely inadequate and therefore cost a business large sums of time and money.
In short if you get the needs analysis and scoping right the solution will present itself readily and should deliver exactly what is required for the duration specified!
