mac OSX: Opening JNLP Files?

KB ID 0001767

Problem

I needed to get onto a HPE server’s iLO at work today. I was using Firefox and the .Net extensions no longer work, so I was forced to use Java web start. Annoyingly that opened my Windows 10 VM (that runs in VMware Fusion), then it fell over!

So the problem is, I need to be able to ‘RUN‘ jnlp file on my MacBook, but there’s no Java application in the applications folder.

Opening JNLP Files (mac OSX)

Try to execute the jnlp file again, but under ‘Open with” Select Other.

Select your hard drive, then System > Library > CoreServices > JavaLauncher.app > (Tick Do this automatically for files like this from now on.) > Open.

Now the file will get blocked by security (if you’ve done anything technical on a Mac you should know how to get round that) Click the Apple Icon (at the top of your screen) > Preferences > Security and Privacy > General Tab > Open Anyway.

You might get some further Java warnings but you should now be able to run the application.

Related Articles, References, Credits, or External Links

NA

Server 2008 R2 – Inbound traffic Blocked – Outbound Traffic works?

KB ID 0000397 

Problem

My colleague had this problem this week, and it involved a call to Microsoft to resolve. Basically the client had some comms problems, so ran Windows updates, post update the server (which was the main domain controller and DHCP server for the network) could not be seen by any clients on the network. The server itself however could quite happily see everything else.

Solution

The problem is due to the Windows firewall (EVEN IF IT’S DISABLED!)

1. On the affected server > Start > in the search/run box type ncpa.cpl {Enter}.

2. Select the network card > Press ALT to get the menu to appear > Advanced > Advanced Settings > Adapter and Bindings > Make sure Local Area Connection is at the top of the list > OK.

3. Start in the search/run box type services.msc > ensure the Windows Firewall service is running (Note: the service can still be running if the firewall is disabled -if you want it off it can remain off).

4. Start > in the search/run box type regedit {enter} > Navigate to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesDNSParameters > Create a new DWORD called SocketPoolSize and set it to 500 (Decimal).

5. Whilst in the registry editor, now navigate to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParameters > You may see a DWORD entry called MaxUserPort (set at 60553 Decimal) If so change it’s value to 65535 (Decimal). If it’s not there create it and set it to 65535 (Decimal).

6. Then reboot the server.

Related Articles, References, Credits, or External Links

NA

SBS – No Incoming Mail ‘421 4.3.2 Service not available’

KB ID 0000803

Problem

While testing mail flow on a new SBS 2011 Server, outbound mail worked fine, but no mail would flow in. When I attempted to Telnet in from a remote host this was what I saw;

421 4.3.2 Service not available
Connection to host lost.

Solution

Normally I’d expect to see an error like this if the Exchange ‘Receive Connector’ was misconfigured, (if you’re not using SBS 2011 create a new default receive connector and make sure there are no firewalls in the way).

If you are using SBS 2011 you need to run the ‘Connect to the Internet’ Wizard (seriously!)

After this check inbound mail flow again.

Related Articles, References, Credits, or External Links

NA

Mail Routing Issue ‘451 5.7.3 Cannot achieve Exchange Server authentication’

KB ID 0000791

Problem

While putting in a New Exchange 2010 server today, I test moved a mailbox to this new site, and could not get mail to flow to the Exchange 2010 server at the clients main site.

451 4.4.0 Primary target IP address responded with: “451 5.7.3 Cannot achieve Exchange Server authentication.” Attempted failover to alternate host , but that did not succeed. Either there are no alternative hosts, or delivery failed to all alternative hosts.

Mail flowed from the main site to this new site, and internal mail at the new site was fine, but any mail destined for the main site, or going external (because the main site has the only server that can use the Exchange organization send connector) would fail with this error.

Solution

I did a lot of trawling to try and find the answer to this, and discovered lots of reasons for this to happen, so rather than just posting what fixed mine, from the most popular to the most obscure try these in order, and attempt to send mail after each step.

Note: Any change on an Exchange Server’s Receive Connectors should be followed by you restarting the Microsoft Exchange Transport Service (on the server you made the change on) before you try again.

1. On the server you are trying to send TO, check the properties of the Default receive connector and ensure ‘Exchange Server authentication’ is selected.

2. On the server you are trying to send TO, If you have a connector configured to ‘relay’ mail, make sure that the server(s) or network specified DOES NOT include the IP address of the server you cannot send FROM. Also Make sure on the authentication tab ‘Exchange Server authentication’ is NOT selected.

3. If you have Cisco PIX Firewalls between these two mail servers (running version 6 or earlier) make sure smtp fixup is disabled.

[box]

Petes-PIX>
Petes-PIX> enable
Password: *******
Petes-PIX# configure terminal
Petes-PIX(config)# no fixup protocol smtp 25
Petes-PIX(config)# write mem

Building configuration...
Cryptochecksum: f59a9bd3 3129b8bc 474b2415 52f2db0f

1049 bytes copied in 0.430 secs
[OK]

[/box]

4. If you have Cisco ASA Firewalls between these two mail servers, then remove esmtp from the default inspection map.

Cisco ASA Disable ESMTP Inspection

At this point I admitted defeat and picked up the phone and called Microsoft. One of their support engineers looked at the connectors and settings, and tested the DNS, had me create a new connector, still mail refused to flow. He did however get me pointed in the right direction. When attempting to Telnet to the Exchange server on the main site this is what we saw;

This is what we should be seeing;

Eureka!

I put all the firewalls in, so I know how they are configured, and I know this client has a CSC module in the ASA 5510 at the mail site, I managed to get the output above by rebooting that module, as soon as it was back online we reverted to the short list again. Also while the CSC was rebooting all the mails stuck on the outbound queue cleared.

Enabling CSC Bypass for a Remote Mail Server

Note: Your class-maps, and access-lists may have different names but this should point you in the right direction.

1. Connect to the ASA, view the policy-maps in use.

[box]

Petes-ASA# show run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect pptp
inspect ip-options
class global-class <<<<< Here we go
csc fail-open <<<< This is the one we are looking for
!
Petes-ASA#

[/box]

2. We can see the class-map the CSC is using is called ‘global-class’, let’s take look at that.

[box]

Petes-ASA# show run class-map global-class
!
class-map global-class
match access-list global_mpc <<<< Here's how its being applied
!

[/box]

3. Now we know that’s being applied with an access-list called global_mpc, let’s see what that’s doing.

[box]

Petes-ASA# show run access-list global_mpc
access-list global_mpc extended deny ip host 10.1.0.253 any
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
Petes-ASA#

[/box]

Note: Remember permit means inspect and deny means don’t inspect, you can see mine’s set not to scan the CSC update traffic because that’s good practice;

Cisco CSC Module – Stop it scanning its own update traffic

4. So I just need to add in the IP of the Exchange server I cannot send from to make its traffic bypass the CSC Module. Remember to put it at the top so it gets processed before the permit or it will get ignored.

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# access-list global_mpc line 1 extended deny ip host 10.3.0.2 any

[/box]

5. Finally save the changes.

[box]

Petes-ASA(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#

[/box]

 

Related Articles, References, Credits, or External Links

Thanks to Jeebu Mathew at Microsoft for his assistance, and pointing me in the right direction.

Outlook Error 0x800CCC0F – Using POP3 To Exchange – Behind a Cisco CSC (Trend InterScan) Module

KB ID 0000642 

Problem

I upgraded a clients firewall and CSC software a couple of weeks ago, and ever since “some” users saw the following errors,

Error 0x800CCC0F

Task ‘{email address} – Sending’ reports error (0x800CCC0F): #The connection to the server was interrupted. If the problem continues, contact your server administrator or Internet service provider (ISP).’

Eventually it would time out altogether with the following error,

Error 0x800CCC0B

Task ‘{email address} – Sending’ reported error (0x800CCC0B): ‘Unknown Error 0x800CCC0B’

Solution

All I could discern from Googling the error, was that the AV (In this case the Trend Micro InterScan for Cisco CSC SSM), in the Cisco CSC Module) was probably the culprit.

I tried stopping the POP3 Service on the CSC that did NOT fix the error.

I confirmed that the CSC module was the root cause of the problem, by disabling the entire module with the following command on the Cisco ASA firewall;

[box]hw-module module 1 shutdown[/box]

Warning: If you do this, your CSC settings must be set to “csc fail-open” or web and email traffic will stop! Once you have confirmed this IS the problem you can re-enable the module with the following command.

[box]hw-module module 1 reset[/box]

I tried from my office and it worked fine, I could not replicate the error, I tried from various servers and Citrix box’s from other clients who kindly let me test from their network. Still I could not replicate the error! I went home and that was the first time I could see the same error their users were seeing. Sadly this led me on a wild goose chase, (I use Outlook 2007 at home and Outlook 2010 everywhere else so I (wrongly) assumed that was the problem).

Breakthrough!

As I could now replicate the error, I could at least do some testing, I attempted a send/receive and looked at the CSC Logging.

Note: To view CSC Logging, connect to the ASDM > Monitoring > Logging > Trend Micro Content Security > Continue > Enter the password > OK > View.

Every time it failed, I saw my public IP being logged with a RejectWithErrorCide-550 and RBL-Fail,QIL-NA. At last something I could work with.

This error indicates a problem with the Email Reputation system, I logged into the CSC web management console > and located this.

Then I disabled the ‘SMTP Anti-spam (Email Reputation)’, and everything started to work.

Conclusion

I understand the need for this system, but the nature of POP3 email clients, dictates they can connect in from anywhere, usually from a home ISP account on a DHCP address. I know from experience that major ISP’s IP ranges get put in RBL block lists (I checked by popping my IP in here, and sure enough it was blocked).

If you are going to use POP3 then you need to leave this system disabled, but to be honest, if you have Exchange, simply swap over to Outlook Anywhere and stop using POP3.

Related Articles, References, Credits, or External Links

Special thanks to Jenny Ames for her patience while I fought with this over a number of days.