Cisco ASA: Prioritise RDP Traffic

KB ID 0001359

Problem

I have a client with two sites, one of which didn't have a particularly good internet connection (which is the actual problem that needed solving). In the interim, he wanted me to prioritise RDP traffic, as his staff were constantly complaining about the speed of their connections.

Note: There may be a myriad of reasons why the user experience of an RDP session is poor; this one was quite simply a bandwidth issue.

The client requested I prioritise RDP traffic on the link. We were not really sure if that would cure the problem, but they have not complained since!

Solution

On the main site, (the one with the RDP server(s) on it), create an ‘access-list‘ to match our interesting traffic. The ASA only applies priority queuing to traffic leaving an interface, so on this side the interesting traffic is the return traffic: TCP source port 3389 on the RDP server(s), heading out to the client subnet at the remote site (172.16.0.0/16). I’m just using ‘any’ as the source here.

[box]

Main-Site# configure terminal
Main-Site(config)# access-list ACL-RDP-Traffic extended permit tcp any eq 3389 172.16.0.0 255.255.0.0

[/box]

Create a ‘priority-queue‘ on the outside interface. This enables the low-latency queue on that interface; without it the ‘priority‘ command further down has no queue to put the traffic in.

[box]

Main-Site(config)# priority-queue outside
Main-Site(config-priority-queue)#  exit

[/box]

Create a ‘class-map‘ that matches our ‘access-list‘.

[box]

Main-Site(config)# class-map CM-RDP-Traffic
Main-Site(config-cmap)#  match access-list ACL-RDP-Traffic
Main-Site(config-cmap)#  exit

[/box]

Create a ‘policy-map‘ that uses the ‘class-map‘ and assigns it priority.

[box]

Main-Site(config)# policy-map PM-RDP-Traffic
Main-Site(config-pmap)#  class CM-RDP-Traffic
Main-Site(config-pmap-c)#   priority
Main-Site(config-pmap-c)#   exit
Main-Site(config-pmap)#  exit

[/box]

Apply the ‘service-policy‘ to the ‘outside interface‘.

[box]

Main-Site(config)# service-policy PM-RDP-Traffic interface outside
Main-Site(config)# end

[/box]

You can check it has been applied with the following command. Note: the counters below are zero because no RDP traffic had crossed the link yet; once users are connected, ‘aggregate transmit‘ should climb. If it stays at zero while RDP is in use, your access-list isn’t matching the traffic (check the direction and the port) and nothing is being prioritised. ‘show priority-queue statistics outside‘ gives you the queue counters as well;

[box]

Main-Site# show service-policy interface outside priority

Interface outside:
  Service-policy: PM-RDP-Traffic
    Class-map: CM-RDP-Traffic
      Priority:
        Interface outside: aggregate drop 0, aggregate transmit 0
Main-Site#

[/box]

Then, do the mirror image on the remote site, (where the clients are). Note: I’ve made this access list a little more specific.

[box]

Remote-Site# configure terminal
Remote-Site(config)# access-list ACL-RDP-Traffic permit tcp 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0 eq 3389
Remote-Site(config)# priority-queue outside
Remote-Site(config-priority-queue)#  exit
Remote-Site(config)# class-map CM-RDP-Traffic
Remote-Site(config-cmap)#  match access-list ACL-RDP-Traffic
Remote-Site(config-cmap)#  exit
Remote-Site(config)# policy-map PM-RDP-Traffic
Remote-Site(config-pmap)#  class CM-RDP-Traffic
Remote-Site(config-pmap-c)#   priority
Remote-Site(config-pmap-c)#   exit
Remote-Site(config-pmap)#  exit
Remote-Site(config)# service-policy PM-RDP-Traffic interface outside
Remote-Site(config)# end

[/box]

Don’t forget to save the changes with a ‘write memory‘ command when you’re happy.

Related Articles, References, Credits, or External Links

NA

MRS Proxy Error ‘The connection to the server could not be completed’

KB ID 0001358

Problem

When attempting a cross forest mailbox migration, and specifying the ‘Remote MRS Proxy Server address’, you get the following error;

The connection to the server ‘server-fqdn‘ could not be completed

Solution

Note: For Office 365 Environments see below.

This tripped me up for quite a while (it kept saying access denied). I’d tested this previously and everything was working. Note: If you have never had it working, ensure that the name you are using is resolvable in DNS and is the name on the certificate of the MRS Proxy server (or at least a subject alternative name). See this link for how to set it up properly.

Assuming (like me) everything is OK and the MRS proxy service is running etc., I found the root cause of my problem by running;

[box]Get-MigrationEndpoint | fl[/box]

I saw the problem straight away: it was using cached credentials for an admin user who had changed their password. Now all I had to do was work out how to replace the credentials!

Within the Exchange admin center > Recipients > Migration > {Ellipsis} > ‘Migration Endpoints’ > select the endpoint > Update.

Enter the new (correct) credentials > Save > Save.

Now retry your ‘batch’ migration.
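If you would rather do the same thing from the Exchange Management Shell, the following is an added example (not from the original article): it reads the account the endpoint is holding (the Credentials property the ‘fl’ output shows), proves the account’s current password actually works against the MRS Proxy, and only then replaces the stored credential. The endpoint name is an assumption; substitute the Identity from your own Get-MigrationEndpoint output.

```powershell
# Added example, not from the original article. Rotates the credential stored on
# a migration endpoint, testing the new password against the MRS Proxy first.
$EndpointName = 'CrossForestEndpoint'   # assumed: use the Identity shown by Get-MigrationEndpoint

# 1. Which account, and which server, is the endpoint using?
$endpoint = Get-MigrationEndpoint -Identity $EndpointName
Write-Host ('Endpoint {0} uses {1} against {2}' -f $endpoint.Identity, $endpoint.Credentials.UserName, $endpoint.RemoteServer)

# 2. Prompt for the account's CURRENT password and prove it works before touching
#    the endpoint. If this fails, the problem is DNS, the certificate name, the
#    MRS Proxy not being enabled, or the account itself; a new credential won't help.
$NewCred = Get-Credential -UserName $endpoint.Credentials.UserName -Message 'Current password for the source (remote) forest admin'
$check = Test-MigrationServerAvailability -ExchangeRemoteMove -RemoteServer $endpoint.RemoteServer -Credentials $NewCred
if ($check.Result -ne 'Success') { throw "MRS Proxy test failed: $($check.Message)" }

# 3. Replace the stale credential; the batch uses it on its next attempt.
Set-MigrationEndpoint -Identity $EndpointName -Credentials $NewCred
Get-MigrationEndpoint -Identity $EndpointName | Format-List Identity, RemoteServer, Credentials
```

Running the availability test first is the important bit: a failing batch after a password change looks identical to a failing batch caused by a certificate or DNS problem, and this separates the two before you change anything.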

Office 365 Migration Endpoint Error

If you get the same error when attempting to setup a Migration Endpoint in Office 365;

Then simply skip setting up the endpoint and perform a batch migration; the system will then connect to the MRS proxy service and work.

Related Articles, References, Credits, or External Links

NA

Mac OSX: Creating ‘Password Protected’ Zip Files

KB ID 0001357

Problem

Me to the office: Does anyone know how to create a password protected Zip file on a Mac?

Reply: Use Windows

Well actually this advice is ‘bobbins!’ Windows still can’t do this without installing an application (I would recommend 7-Zip), but with a Mac of course you can 🙂

Solution

First open a Terminal window, then ‘change directory’ to the folder that contains the uncompressed file(s) or folder(s) you want to Zip.

Changing Directory With Spaces In Your Foldernames

I thought I’d better put this here: if you have spaces in your folder names, escape each space with a backslash (or wrap the whole path in quotes), and repeat the backslash for every space in the name.

Mac OSX: Create a Normal Zip File

Before we try and password protect a Zip file, let’s see how to create a simple one;

[box]zip -r {Archive-Name}.zip {Folder-or-Filename-To-Add}[/box]

Mac OSX: Adding Password Protection To Zip Files

Use the following syntax; you will be prompted to enter and confirm the password.

[box]zip -e {Archive-Name}.zip {Folder-or-Filename-To-Add}[/box]

Note: ‘zip -e’ uses the old PKZIP (‘ZipCrypto’) scheme, which is weak: the file names inside the archive are not encrypted at all, and the content encryption has a well-known known-plaintext attack. It will stop a casual reader, but for anything genuinely sensitive use a tool that does AES (7-Zip/p7zip) or encrypt the archive with GPG instead. Also avoid supplying the password on the command line with ‘-P’, as it ends up in your shell history.

Related Articles, References, Credits, or External Links

NA

Exchange ‘Cross Forest’ Mail Migrations

KB ID 0001356

Problem

PeteNetLive is full of Exchange Migration walkthroughs, going all the way back to Exchange 2003. But what if you are migrating to another forest? Well, for small migrations you can of course export mail from the old Exchange Server and then import it into the new mailbox in the new domain/forest (usually via .PST files). I’ll provide links at the bottom of the page, if that’s what you would prefer to do.

Earlier this year, I got involved with a client that was migrating many domains into one, and this method seemed a better fit for them. The process/screenshots below are taken from my testing and proof of concept for this project.

As you can see, (above) I’ve got a source Exchange server, (Running Exchange 2010) in domaina.com, and I’ve got a target Exchange server, (Running Exchange 2016) in domainz.com

Note: You may guess from the server names, these are also domain controllers, (this is not recommended in a production environment!) My old Exchange server is also running Certificate Services, which will become apparent below.

 

Solution

The service that does all the ‘heavy lifting’ is the Microsoft Exchange Mailbox Replication Service. Our first task is to enable its proxy (MRS Proxy) on the legacy Exchange server. Open the Exchange Management Shell and execute the following command;

[box]Set-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" -MRSProxyEnabled $true -MRSProxyConnections 50[/box]

Ensure the Microsoft Exchange Mailbox Replication service is running (in services.msc);

The front end of the MRS Proxy is presented via IIS, and it’s secured with HTTPS, so it will use the certificate bound to that website (i.e. the same one as OWA). Therefore the new (target) Exchange server needs to trust that certificate. If you have a publicly signed certificate from a third-party vendor, you don’t need to import anything and can skip this step.

The world is full of people who are scared of certificates, and I have no idea why. For a certificate to work, you need to TICK TWO BOXES;

  • BOX ONE: You need to trust the Certificate Authority who issued the certificate. The issuer is printed on the certificate, and in most cases the CA certificate can be extracted from the web certificate as well. It is the CA certificate of the issuer you import, NOT the certificate you see in OWA.
  • BOX TWO: The certificate will have a name on it, either the common name or a subject alternative name, e.g. owa.your-domain.com or *.your-domain.com. The hostname you connect to must match that name exactly, and it must be resolvable in DNS.

Below, I’m simply importing the Root CA Certificate, from DomainA into my Exchange server on DomainZ.

Note: Start > Run > mmc.msc > File > Add/Remove Snap-in > Certificates > Local Computer.

In production, I’d setup conditional forwarding between the two domains to handle DNS, but in this case I’m being lazy and just putting the FQDN of the Exchange 2010 server in the Exchange 2016’s hosts file, (old school eh!)

To Setup Conditional Forwarding; Take a look at the first three steps in this article.

Providing you have done everything correctly, you should be able to browse from the Exchange 2016 server to the following URL on the Exchange 2010 server without receiving any certificate errors; it should look like this;

[box]https://servername.domain-name.com/EWS/mrsproxy.svc[/box]

Note: If you get any certificate/untrusted errors, fix them before proceeding.

Pre-Staging the Cross Forest MailBox Migration

Actually moving the mailboxes is a ‘two-step‘ procedure: first you pre-stage the move, which creates a Mail User* in the new domain.

*Note: A Mail User is a little bit like a Contact, insofar as they both have an external email address (i.e. ‘username@domaina.com’ while the mail user lives in domainz.com, until the mailbox is migrated). The difference is that a Mail User has a logon name and a password. Once migrated, the Mail User is converted into a User Mailbox in the new domain, and the User Mailbox back in the old domain is converted into a Mail User with an external address of username@domainz.com. This (while being cool) allows mail flow between the domains during the migration, assuming your DNS is all set up correctly, of course.

The following procedure is carried out on the new Exchange server, open an Exchange Shell Window and execute the following command;

[box]$Rcred = Get-Credential[/box]

Then supply an administrative account in the SOURCE, (remote) domain.

Repeat the procedure, but this time use Lcred;

[box]$Lcred = Get-Credential[/box]

Then supply an administrative account in the TARGET, (local) domain.

Exchange has a script to do the staging for you; it’s in the Exchange install directory, in the ‘Scripts’ folder. Mine is on the C: drive, but the path to yours may be different (depending on how you installed Exchange). Once located, change to the directory that the Prepare-MoveRequest.ps1 script is in, i.e.;

[box]cd "C:\Program Files\Microsoft\Exchange Server\V15\Scripts"[/box]

Note: V15 denotes Exchange 2013 and 2016.

Now execute the following command, (this is all one command if it gets wrapped);

[box].\Prepare-MoveRequest.ps1 -Identity "username@domaina.com" -RemoteForestDomainController dc2a.domaina.com -RemoteForestCredential $Rcred -LocalForestDomainController dc1z.domainz.com -LocalForestCredential $Lcred -TargetMailUserOU "OU=Migrated,DC=domainz,DC=com"[/box]

Note: This assumes you have created the OU to migrate into! And (as you can see in the example below) I’m using the public email address of my user, not the internal one (it doesn’t matter).

Execute Cross Forest Mailbox Migration

Now the mailboxes are ‘pre-staged’, we can select them for migration. In the new Exchange environment, go to Recipients > Migration > Add > Move to this forest.

Add.

Select the User(s) > Add > OK.

Next.

 

Enter the administrative credentials for the source domain > Next.

Enter the FQDN, of the legacy server, (use the SAME NAME that’s on the certificate) > Next.

Give the migration ‘Batch’ a name > Set the ‘target’ email domain > Select the target Exchange Database, (and Archive database if applicable) > Next.

Note: If you keep getting failed migrations, that say ‘FailedOther‘ then you can raise the bad item limit, and large item limits.

Select a user to get the mail notification > Select ‘Automatically Complete Migration Batch’ (or it will stop at 95% and you will have to complete this manually) > New.

You can now view progress in the ECP (a bit buggy and slow to update), or by running ‘Get-MoveRequest | Get-MoveRequestStatistics‘.

If there’s a problem, both the ECP (Exchange Control Panel) and EMS (Exchange Management Shell) should give you a clue. You can remove and rerun a migration on a failed user and nothing will break! Sometimes you need to raise the bad item limit, or make sure the source mailbox isn’t too large before proceeding, for example. (Use the search box at the top of the page; I’ve posted a lot of Mailbox Move problems.)
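For more than a handful of users the ECP gets tedious, so here is the whole two-step procedure above scripted from the target forest’s Exchange Management Shell. This is an added example, not code from the original article: it pre-stages each user with the same Prepare-MoveRequest.ps1 call, then pulls the mailbox with New-MoveRequest -Remote instead of an ECP batch, and finishes with the same Get-MoveRequestStatistics check. The CSV file, the DC/CAS names, the OU, the database and the batch name are all assumptions; run it from the Scripts folder.

```powershell
# Added example, not from the original article. Assumptions: users.csv has a
# 'PrimarySmtpAddress' column, and the names below match your environment.
$Rcred = Get-Credential -Message 'Admin in the SOURCE (remote) forest, domaina'
$Lcred = Get-Credential -Message 'Admin in the TARGET (local) forest, domainz'

$SourceDC  = 'dc2a.domaina.com'          # assumed
$TargetDC  = 'dc1z.domainz.com'          # assumed
$SourceCAS = 'exch2010.domaina.com'      # assumed: MUST be the name on the MRS Proxy certificate
$TargetOU  = 'OU=Migrated,DC=domainz,DC=com'
$TargetDB  = 'DB01'                      # assumed target mailbox database
$BatchName = 'CrossForestBatch01'        # assumed
$Users     = Import-Csv .\users.csv      # assumed input file

foreach ($u in $Users) {
    # Step 1: pre-stage. Creates the Mail User in the target forest (or updates it if it exists).
    .\Prepare-MoveRequest.ps1 -Identity $u.PrimarySmtpAddress `
        -RemoteForestDomainController $SourceDC -RemoteForestCredential $Rcred `
        -LocalForestDomainController  $TargetDC -LocalForestCredential  $Lcred `
        -TargetMailUserOU $TargetOU

    # Step 2: pull the mailbox across through the MRS Proxy on the legacy server.
    # TargetDeliveryDomain is the domain stamped on the Mail User left behind in
    # the SOURCE forest once the move completes (username@domainz.com in the text).
    New-MoveRequest -Identity $u.PrimarySmtpAddress -Remote `
        -RemoteHostName $SourceCAS -RemoteCredential $Rcred `
        -TargetDeliveryDomain 'domainz.com' -TargetDatabase $TargetDB `
        -BatchName $BatchName -BadItemLimit 50
}

# Progress and troubleshooting: the same view the ECP gives you, minus the lag.
Get-MoveRequest -BatchName $BatchName | Get-MoveRequestStatistics |
    Format-Table DisplayName, Status, PercentComplete, BadItemsEncountered -AutoSize
```

New-MoveRequest completes the move by default, which is the equivalent of ticking ‘Automatically Complete Migration Batch’; add -SuspendWhenReadyToComplete if you want the moves to park at 95% so you can finish them in a maintenance window. -BadItemLimit 50 is the ceiling before Exchange also demands -AcceptLargeDataLoss; raise it only for the mailboxes that actually fail with ‘FailedOther’.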

Related Articles, References, Credits, or External Links

Exchange 2007 / 2010 – Export Mailbox’s to PST files

Exchange 2003 – Exporting Mail to .pst files with ExMerge

Exchange (2010 Post SP1 and Newer) Bulk Importing Mail From PST Files

MRS Proxy Error ‘The connection to the server could not be completed’

ADMT Password Export Server Error: Invalid Password!

KB ID 0001355

Problem

Seen when trying to install the ‘ADMT Password Export Server Service’, whilst doing a domain migration;

Invalid Password!

The supplied password does not match this encryption key’s password. ADMT’s Password Migration Filter DLL will not install without a valid encryption key.

Solution

At first I assumed I was suffering from ‘fat fingers‘ and just entering the wrong password (or the Caps Lock was on). However, it became apparent that this was not the case. I attempted to generate a new key file by re-running the command on the ADMT server;

[box]admt key /option:create /sourcedomain:{source-domain} /keyfile:"C:\PES.pes" /keypassword:{password}[/box]

Same error. The only way I could get this to work was to cancel the install, launch an administrative command window, and run the ‘en-US_pwdmig.msi’ installer from within that elevated window.

Related Articles, References, Credits, or External Links

ADMT (Active Directory Migration Tool) Domain Migration – Part 1

AnyConnect Error – ‘Failed To Get Configuration From Secure Gateway’

KB ID 0001354

Problem

Saw this while attempting to connect to my ASA this week.

AnyConnect Secure Mobility Downloader
Failed to get configuration from secure gateway. Contact your system administrator

Solution

Well luckily I’d just made a change, so I could focus on the right area straight away. I’d been messing around with the profile XML file associated with my AnyConnect group-policy. If you take a look at my group-policy in ASDM (below) you will see no profile is associated with it.

Note: If you select the group-policy and try to change it in ASDM, mine wouldn’t apply; it failed with an error trying to delete a profile I’d used in the past.

So to fix the problem I’m going to need to log on at the command line. First let’s make sure my new profile is listed;

[box]

Petes-ASA# show run webvpn
webvpn
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-macos-4.4.03034-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-4.4.03034-webdeploy-k9.pkg 2
 anyconnect profiles AnyConnect-VPN-Profile disk0:/anyconnect-vpn-profile.xml
 anyconnect enable
 tunnel-group-list enable

[/box]

Note: You can ‘show flash‘ and make sure the file is in flash memory as well.

I will list all my group-policies, and you can see the last one has a profile associated with it that no longer exists (it’s not in flash memory either, and it isn’t the ‘AnyConnect-VPN-Profile’ listed under webvpn above).

[box]

Petes-ASA# show run group-policy
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0
group-policy IPSEC-VPN internal
group-policy IPSEC-VPN attributes
 dns-server value 192.168.100.10
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ikev1
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value petenetlive.com
 nem enable
group-policy PNL-GP-ANYCONNECT-ACCESS internal
group-policy PNL-GP-ANYCONNECT-ACCESS attributes
 wins-server none
 dns-server value 8.8.8.8 8.8.4.4
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value petenetlive.com
 split-tunnel-all-dns enable
 webvpn
 anyconnect mtu 1398
 anyconnect profiles value PNL-Profile type user
 anyconnect ssl df-bit-ignore enable

[/box]

It’s easy to remove it.

[box]

Petes-ASA(config)# group-policy PNL-GP-ANYCONNECT-ACCESS attributes
Petes-ASA(config-group-policy)# webvpn
Petes-ASA(config-group-webvpn)# no anyconnect profiles

[/box]

Then simply add the correct one back in (the name must exactly match the one listed under ‘anyconnect profiles’ in the webvpn section), and save the changes.

[box]

Petes-ASA(config-group-webvpn)# anyconnect profiles value AnyConnect-VPN-Profile type user
Petes-ASA(config-group-webvpn)# write mem
Building configuration...
Cryptochecksum: 67c49642 778e75bd df747b94 7d4c8787

23272 bytes copied in 3.260 secs (7757 bytes/sec)
[OK]

[/box]

Now if you ‘refresh’ your ASDM, you will see it displays correctly again;

 

Problem Solved.

Related Articles, References, Credits, or External Links

AnyConnect Error: ‘The AnyConnect package on the secure gateway could not be located’

Cisco AnyConnect Error: ‘The VPN client driver has encountered an error’

Cisco AnyConnect Error: ‘The client could not connect because of a secure gateway address failure. Please verify Internet connectivity and server address’

AnyConnect Error:  ‘The secure gateway has rejected the connection attempt, No assigned address’

Cisco AnyConnect Error: (Mobile Devices)

Microsoft IIS – Stop Getting Indexed By Search Engines

KB ID 0001352 

Problem

If you have a publicly facing website and you DON’T want it indexed by the major search engines, then this is the post for you. Why would you want this? You might have a development server that you don’t want appearing in people’s search results, or you might be hosting files and folders that need to be publicly available but that you don’t want showing up in Google/Bing results. Note: the header is advisory; well-behaved crawlers honour it, but it is not access control. Anything that must not be reachable by the public needs authentication or IP restrictions, not just a ‘noindex’ header.

Solution

From ‘Administrative Tools’ open ‘Internet Information Services (IIS) Manager’ > Select the Server (or a single site, if you only want to affect one) > HTTP Response Headers.

Add > Name = X-Robots-Tag > Value = noindex > OK.

Then from an administrative command window run ‘iisreset’ (note this restarts every site on the server).
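The same change from PowerShell, as an added example that is not part of the original article: it adds the header with the WebAdministration module (only if it isn’t already there, so it can be re-run safely) and then makes a real request to confirm IIS is actually sending it, which is the check you want before trusting that the site has dropped out of the indexes. The site name and the URL are assumptions; run it elevated on the IIS server.

```powershell
# Added example, not from the original article. Assumptions: site name and URL below.
Import-Module WebAdministration

$SiteName = 'Default Web Site'                       # assumed; use $PSPath = 'IIS:\' for the server-wide setting
$PSPath   = "IIS:\Sites\$SiteName"
$Filter   = 'system.webServer/httpProtocol/customHeaders'
$CheckUrl = 'http://localhost/'                      # assumed

# Idempotent: add X-Robots-Tag only if no header of that name exists yet.
$existing = Get-WebConfiguration -PSPath $PSPath -Filter "$Filter/add" |
            Where-Object { $_.name -eq 'X-Robots-Tag' }
if (-not $existing) {
    Add-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name '.' `
        -Value @{ name = 'X-Robots-Tag'; value = 'noindex' }
}

# Verify from the client side: a crawler only sees what the response carries.
$resp = Invoke-WebRequest -Uri $CheckUrl -Method Head -UseBasicParsing
$tag  = $resp.Headers['X-Robots-Tag']
if ($tag -notmatch 'noindex') { throw "X-Robots-Tag missing or wrong on $CheckUrl (got '$tag')" }
Write-Host "OK: $CheckUrl returns X-Robots-Tag: $tag"
```

IIS normally picks up the applicationHost.config change on the next request, so the check at the end confirms it rather than assuming it; if it fails, run the ‘iisreset’ from the steps above and check again.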

Related Articles, References, Credits, or External Links

NA

Exchange 2010 – EMC Error ‘GetSteppablePipeline execution of scripts is disabled’

KB ID 0001351 

Problem

Seen when attempting to open the Exchange Management Console;

Exception calling “GetSteppablePipeline: with “1” argument(s): File C:\ProgramFiles\Exchange Server\v14\RemoteScripts\ConsoleInitialize.ps1 cannot be loaded because the  execution of scripts is disabled on this system. Please see “get-help about_signing” for more details.”

Solution

This is usually caused by an update rollup, and can be fixed by running the following command in an administrative PowerShell session;

[box]Set-ExecutionPolicy RemoteSigned -Scope LocalMachine[/box]

Note: Sometimes you may get an error message;

Set-ExecutionPolicy : Access to the registry key ‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell’ is denied.

If that happens, first check the session is actually elevated, and run ‘Get-ExecutionPolicy -List’; if the MachinePolicy or UserPolicy scope is set, Group Policy is enforcing the execution policy and any registry edit will be overwritten at the next refresh, so fix it in the GPO instead. Otherwise launch regedit.exe, navigate to the key above and change its ‘ExecutionPolicy’ value from ‘Restricted’ to ‘RemoteSigned’ (‘Unrestricted’ also works, but it is broader than the EMC needs, as it also lets downloaded unsigned scripts run after a warning, which RemoteSigned blocks).
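The following is an added example (not from the original article) that does those checks in order: it lists the policy in every scope, tells you if Group Policy is the reason the cmdlet is refused, confirms the session is elevated, and only then sets RemoteSigned, falling back to the registry value if the cmdlet still fails. It deliberately avoids PowerShell 3.0+ syntax so it runs in the 2.0 shell an Exchange 2010 server typically has.

```powershell
# Added example, not from the original article. Sets the LocalMachine execution
# policy to RemoteSigned (enough for the EMC), cmdlet first, registry as fallback.
$Key = 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'

# Returns $true when Group Policy defines the policy (MachinePolicy/UserPolicy scope),
# in which case editing the local setting is pointless.
function Test-ExecutionPolicyFromGpo {
    $list = Get-ExecutionPolicy -List
    $list | Format-Table Scope, ExecutionPolicy -AutoSize | Out-String | Write-Host
    $gpo = $list | Where-Object { (@('MachinePolicy','UserPolicy') -contains $_.Scope) -and $_.ExecutionPolicy -ne 'Undefined' }
    return [bool]$gpo
}

function Set-LocalMachineRemoteSigned {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Run as administrator) PowerShell session.'
    }
    try {
        Set-ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
    } catch {
        Write-Warning "Set-ExecutionPolicy failed ($($_.Exception.Message)); writing the registry value directly."
        Set-ItemProperty -Path $Key -Name ExecutionPolicy -Value 'RemoteSigned'
    }
    # Read back what is actually stored, not what we asked for.
    return (Get-ItemProperty -Path $Key -Name ExecutionPolicy).ExecutionPolicy
}

if (Test-ExecutionPolicyFromGpo) {
    Write-Warning 'Group Policy defines the execution policy; change it in the GPO (Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on Script Execution), not locally.'
} else {
    Write-Host ('LocalMachine execution policy is now: {0}' -f (Set-LocalMachineRemoteSigned))
}
```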

Related Articles, References, Credits, or External Links

NA