So we have unboxed and setup our Firepower 1010 device, simply logging into the ASDM fires off warnings that it’s only running DES and I need to register the unit go get any decent level of encryption, (seriously why is 3DES still an ‘add on’ licence, who is still doing 56bit encryption!)
So let’s get is registered and licenced.
Solution
The ‘Licence Envelope’ in the box is simply instructions on setting up a Cisco Smart Account. I already have one of those. If you don’t you will first need to setup a Cisco CCO logon account, (this is free, and you need to log into any of the Cisco Sites). Once you have that sorted you can go to https://software.cisco.com/ and request a Smart Licence (again this is free, it involves some email exchanges).
Now ‘What I do‘ is then create a ‘Virtual account‘ in that Smart account, what you use these for is up to you, but if you want to share the licensing e.g. with your colleagues or employer, then you can do so without giving them access to all your Cisco licences etc. Go back to Software central and select under Administration > Manage Smart Account (normally you just go to Smart Software Licensing).
Creating a Cisco Smart Account ‘Virtual Account’
Virtual Accounts > New Virtual Account > Give it a name and description > Set Access Level ‘Public’ > Next
Give it a name and description > Set Access Level ‘Public’ > Next.
Assign any users that you want to give access to, (you can revisit this later) > Next.
Review the settings > Create Virtual Account.
Register a Cisco FirePower 1010 With Cisco
OK, Cisco Say you need the licences to exist in your Smart account before you licence the hardware, they also say that;
Standard license—L-FPR1000-ASA=. The Standard license is free, but you still need to add it to your Smart Software Licensing account. Security Plus license—L-FPR1010-SEC-PL=. The Security Plus license enables failover. Strong Encryption (3DES/AES) license—L-FPR1K-ENC-K9=. This license is free. Although this license is not generally required (for example, ASA’s that use older Satellite Server versions (pre-2.3.0) require this license), you should still add it to your account for tracking purposes.
Hey Pete,
L-FPR1000-ASA= license usually comes with the device and it’s free, however it has to be under a sales order in order for us to provision it into the account.As for L-FPR1K-ENC-K9 license it is not free and if you need that licenses please provide a Order under which the license is purchased.
Now getting that sales order number was a chore! I had to get it from the Disti that my company purchased the hardware from, after many emails I finally sent them the order only to be told;
Hey Pete,
Please be informed that this is a disti stocking SO. A disti stocking SO contains products and licenses that may be owned by multiple end customers.Hence, we do not get a link to assign disti stocking SOs to an end customer smart account in CCW. Also, the licenses associated with a disti stocking SO will get provisioned once the end customer registers the device on his/her respective smart account. So please ask the customer to register the devices owned by them on their smart account and the licenses will be automatically provisioned to the smart account. If, after the devices have been registered, the licenses do not get provisioned, then please revert and we will investigate the request.
So here’s what your Smart Licence Virtual Account SHOULD LOOK LIKE before you start;
How To Register a Firepower Appliance
Within your virtual account create a ‘New Token’ > Give it a description > New Token.
Copy it to the clipboard.
You need to have Smart Call-Home enabled On your FirePower 1010 First: Configuration > Device Management > Smart Call-Home > Turn it on and provide and email address > Check the Cisco TAC option > Apply.
Go and put the kettle on > After a few minutes, refresh and it should say registered.
Back in smart Licensing portal It should now look like this;
If it looks like this, then either you licence was not there to begin with, or was under a different Virtual Account!
So either documentation is wrong, or I’ve been given incorrect information by Cisco. Either way I’m not looking forward to negotiating this ‘bag of spanners’ every-time I have to install or deploy one of these!
If you require a ‘Virtual Lab’ for testing patches or config changes, on copies of your live servers, or simply want to test the ‘integrity‘ of your backups, then this is the post for you!
Licence Requirements: SureBackup and On Demand Sandbox require Enterprise Plus Veeam Licensing.
Host Licences: Hosts that are only used for SureBackup/ On Demand Sandbox DO NOT NEED Licences, (in Veeam,) only hosts that you back up FROM need licences.
SureBackup and Virtual labs are built on vPower, which allows you to power on your ‘backup files’ in a test/sandbox environment. It’s actually the same technology that Veeam use for U-AIR recovery.
Three components make up a virtual lab;
1. Application Group: This is a group of VMs, and the ‘Order’ they need to be powered on, e.g. for Exchange server you would also need a DC (global catalog server,) and maybe your mail filter appliance to be in the same group.
2. Virtual Lab: Requires a ‘Host’, and a DataStore, (for redo logs only), this only needs to be 10% of the size of the VMs that are being powered on in the lab.
3. SureBackup: This is the process that ‘Tests backups‘, it will bring your backed up machines online, and perform some tests on them, some are simple like ‘ping’ tests others are specific to particular server roles, like additional tests for Domain Controllers, Exchange servers etc.
Here’s how it all ‘hangs together’. We are backing up a Domain Controller, and an Exchange Server, and we are going to use those backup files to power on a copy of the servers in our ‘Test-Lab’.
Note: I’m using VMware ESX, you can also use Microsoft Hyper-V.
These are presented though a ‘Veeam Proxy Appliance’, which presents them to the VEEAM server with a changed ‘octet’ in their IP address. (So by default any other machine needs a static mapping, {see below}).
Create a Veeam SureBackup Application Group
As mentioned above, make sure you have ‘Enterprise Plus‘ licences.
It should go without saying, but you will also need a ‘good’ backup of your servers.
Backup Infrastructure > SureBackup > Application Group > Add App Group > VMware.
Give the app group a name > Next > Add VM > From Backup > Select the VMs for the Lab > Add Next.
Put the server(s) in the correct order, i.e. the domain controllers at the top.
If you are just going to use SureBackup to check backups, then ‘Edit’ the servers, and change their ‘role’ so the correct tests get performed on them. If you are just wanting a Virtual Lab, don’t bother as you will be interacting with them directly anyway. Here are the settings for a Domain Controller.
Give the lab a name > Next > Choose > Select the ‘Target’ ESX Server to use > OK > Next > Choose > Select a datastore for the ‘redo’ logs, remember this needs to be about 10% of the size of the restored VMs. > OK > Next.
Next > ‘Advanced Single Host’ > Next > Add > Browse to the ‘Port Group’ your production VMs are in > Add > OK > Next.
Note: If you need to have your lab network on its own VLAN, this is where you need to specify that traffic to be ‘tagged’ accordingly.
Add > Specify the IP for the ‘inside’ of your Veeam Proxy Appliance, this MUST BE the same as the default gateway on the live network. Then select a sensible masquerade network address > OK > Next.
Veeam: What’s a Masquerade Address?
The proxy server basically will perform NAT from the test lab to the live network, (their actual IP addresses never change, that’s why the proxy appliance had the same IP as the default gateway on the live network. The Masquerade addresses simply change one ‘octet’ of the IP address so the Veeam server can speak directly to each sand-boxed, (Test lab) VM.
If required, Add a ‘Static Mapping‘ i.e if you want to be able to ‘speak’ to a test lab VM from the live network.
How Do Veeam Virtual Lab ‘Static Mappings’ Work?
Using the example, I used above, here if someone on the live network speaks to 192.168.100.21, they are actually talking to 192.168.100.196 in the test lab.
Apply > Finish.
Create a Veeam SureBackup Job
There are two ways of doing this, if you want to create a SureBackup job that just checks your backups, then you would schedule the job, and connect it to your backups, or if you just wanted to do some lab testing, you would create a ‘one off’ SureBackup job and leave the VMs powered on (I’ll point this out below).
Home > SureBackup Job > VMware > Give the job a name > Next.
Select the lab you created above > Next > Select the App Group you created above. (NOTE: If you want to leave your machines ‘powered on’ after the job, i.e. for performing upgrades, patch tests etc, then TICK the option indicated).
Link this job to the backup job for the VMs in question > Add > Select the backup Job > OK.
Note: The option at the bottom, specifies how many VMs are tested at a time in a standard SureBackup Job.
Next > Next.
Schedule the job (if required) > Apply > If you didn’t schedule, then you can click ‘Run the job when I click Finish‘ for ‘one-off’ jobs > Finish.
If you selected the option to leave the machines powered on, then there will ‘always’ be a job running and the job will stop at 99%. (You will need to manually stop the job to remove the test VMs). If you do continuous backups this will be a familiar sight anyway!
There’s my test VMs powered on, that I can interact with, update, patch, and change configurations, without it affecting my live servers.
Related Articles, References, Credits, or External Links
Given the amount of deployments I do, it’s surprising that I don’t use KMS more often. Like most technical types, I find a way that works for me, and that’s the way I do things from then on. However these last few weeks I’ve been putting in a new infrastructure for a local secondary school. Their internet access is through a proxy server, that refuses to let Windows activation work. Unfortunately the “Administrators” of this proxy server were not disposed to give me any help, or let me anywhere near it, to fix it.
So after activating a dozen servers over the phone, I decided enough was enough “I’m putting in a KMS Server!”
I’m deploying KMS on Windows Server 2008 R2, and it is for the licensing and activation of Serer 2008 R2 and Windows 7. I will also add in the licensing KMS mechanism for Office 2010 as well.
Note: If you are using Server 2003 it will need SP1 (at least) and this update.
Solution
To be honest it’s more difficult to find out how to deploy a KMS server, than it actually is to do. I’ve gone into a fair bit of detail below but most of you will simply need to follow steps 1-4 (immediately below). In addition, after that I’ve outlined how to deploy KMS from command line. Then how to test it, and finally how to add Microsoft Office 2010 Licenses to the KMS Server.
Install Microsoft Windows 2008 R2 Key Management Service (EASY)
1. The most difficult part is locating your KMS Key! If you have a Microsoft License agreement, log into the the Microsoft Volume License Service Center, and retrieve the KMS License Key for “Windows Server 2008 Std/Ent KMS B”
Note: To License/Activate Server 2008 R2 AND Windows 7 THIS IS THE ONLY KEY YOU NEED. You do NOT need to add additional keys for Windows 7. (You DO for Office 2010, but I’ll cover that below).
2. Armed with your new key, you simply need to change the product key on the server that will be the KMS server, to the new key. Start > Right Click “Computer” > Properties. (Or Control Panel > System). Select “Change Product Key” > Enter the new KMS Key > Next.
3. You will receive a warning that you are using a KMS Key > OK. You may now need to activate your copy of Windows with Microsoft, this is done as normal, if you can’t get it to work over the internet you can choose to do it over the phone.
4. In a corporate environment (behind an edge firewall) you may have the local firewall disabled on the server. If you do NOT then you need to allow access through the local firewall for the “Key Management Service”, (this runs over TCP port 1688). To allow the service, Start > Firewall.cpl {enter} > Allow program or feature through Windows Firewall” > Tick Key Management Service > OK.
Note: Should you wish the change the port the service uses, you can do so with the following command, i.e. to change it to TCP Port 1024;
[box]
cscript c:\Windows\System32\slmgr.vbs /SPrt 1024
[/box]
That’s It! That is all you should need to do, your KMS Server is up and running.
Install Microsoft Windows 2008 R2 Key Management Service from Command Line
You will notice below that I’m running these commands from command windows running as administrator (Right click “Command Prompt” > Run as administrator).
Note: To License/Activate Server 2008 R2 AND Windows 7 THIS IS THE ONLY KEY YOU NEED. You do NOT need to add additional keys for Windows 7. (You DO for Office 2010, but I’ll cover that below).
2. Providing the command runs without error, we have just changed the product key for this Windows server to be the KMS key.
3. Now we need to activate the Windows Server > Run the following command;
[box]
c:\Windows\System32\slui.exe
[/box]
Select “Activate Windows online now” > Follow the on screen prompts.
4. When complete, it should tell you that it was successfully activated.
5. In a corporate environment (behind an edge firewall) you may have the local firewall disabled on the server. If you do NOT then you need to allow access through the local firewall for the “Key Management Service”, (this runs over TCP port 1688). To allow the service, Start > Firewall.cpl {enter} > Allow program or feature through Windows Firewall” > Tick Key Management Service > OK.
Note: Should you wish the change the port the service uses, you can do so with the following command, i.e. to change it to TCP Port 1024;
[box]
cscript c:\Windows\System32\slmgr.vbs /SPrt 1024
[/box]
That’s It! That is all you should need to do, your KMS Server is up and running.
Testing the Key Management Server
Before it will start doing what you want it to, you need to meet certain thresholds, with Windows 7 clients it WONT work till it has had 25 requests from client machines. If you are making the requests from Windows 2008 Servers then the count is 5. (Note: For Office 2010 the count is 5 NOT 25)
Interestingly: On my test network I activated five Windows 7 machines, then one server, and it started working.
Windows 7 and Windows 2008 R2 have KMS Keys BUILT INTO THEM, if you are deploying/imaging machines you should not need to enter a key into them (unless you have entered a MAK key on these machines then you will need to change it to a client KMS Key). These are publicly available (see here).
1. The service works because it puts an SRV record in your DNS, when clients want to activate, they simply look for this record before they try and activate with Microsoft, if they find the record, they activate from your KMS Server instead. If you look on your domain DNS servers, expand “Forward Lookup Zones” > {your domain name} > _tcp > You will see an entry for _VLMCS that points to your KMS Server.
2. From your client machines you can test that they can see the SRV record, by running the following command;
[box]
nslookup -type=srv _vlmcs._tcp
[/box]
Note: If this fails, can your client see the DNS server? And is it in the domain?
3. There is no GUI console for KMS to see its status, so run the following command on the KMS server;
[box]
cscript c:\Windows\System32\slmgr.vbs /dli
[/box]
4. As I’ve mentioned above, with Windows clients you need 25, and Windows Servers you will need 5 requests before KMS will work, before this you will see;
Windows Activation
A problem occurred when Windows tried to activate. Error Code 0xC004F038
5. For each of these failures, look-in the KMS Server, and the “Current count” will increment by 1 till it starts to work). In a live environment this wont be a problem, (You probably wont be looking at KMS with less than 25 clients!). On a test network just clone/deploy a load of machines until you hit the threshold.
Troubleshooting KMS Clients
To make things simple the command to execute on the clients, is the same command that you run on the KMS server to check the status.
[box]
cd c:\windows\system32
slmgr /dli
[/box]
For further troubleshooting, see the following links.
In addition to servers and clients, KMS can activate and handle Office 2010 licenses as well. You simply need to add in Office support, and your Office 2010 KMS key. As mentioned above, unlike Windows clients, you only need five requests to the KMS server before it will start activating Office 2010 normally.
1. First locate your Office 2010 KMS Key! If you have a Microsoft License agreement, log into the the Microsoft Volume License Service Center, and retrieve the KMS License Key for “Office 2010 Suites and Apps KMS”
Note: As with Windows 7, and Server 2008 R2, Office 2010 comes with a KMS key already installed, if you have changed the key to a MAK key you can change it back using the Microsoft public KMS keys (see here).
I’ve had to do a rollout of Remote Desktop Services on Server 2012 R2, and publish it with Active Directory Federation Services and Web Application Proxy. I’m a little rusty on RDS and needed to deploy a few roles, so for my proof of concept I deployed RDS on TWO servers. Below is a run though and my notes on deploying RDS ONLY (I’ll put the links to other articles at the bottom of this post as I write them).
Solution
To save yourself some hassle, visit every server that will be in the Remote Desktop Server deployment, and add all the others into each others ‘server manager’ console.
Manage > Add Roles and Features > Next > Remote Desktop Services Installation > Next.
Standard Deployment. Note: If you choose Quick Start it puts all the roles on one server > Next.
Session-based desktop deployment > Next.
Next.
Select the server that will host the Connection Broker Rule and add it > Next.
Add the server that will host the Remote Desktop Web Access role > Next.
Add the server that will host the Remote Desktop Session Host role > Next.
Tick the ‘restart the destination server automatically if required’ > Deploy.
Finish. (Note: There will be a licensing error, we will address that in a minute).
In Server Manager > Remote Desktop Services > Overview > Note: There are two options yet to be configured, (shown in green). Select ‘RD Gateway’.
Add in the server that will host the RD Gateway role > Next.
Add in the public name of the RD Gateway server, this will generate a self signed certificate, (you can replace this with a proper one later).
Add.
Close
Now Add RD Licensing.
Add in the server that will host the licensing role > Next.
Add
Close
All the nodes should now be displayed..
In production you would now add your Remote Desktop Licences, If you don’t, the whole thing will run for 120 days, (though it continues to nag you about adding licences). I’m content with the 120 day licence for my test deployment. But I will still ‘Activate’ my licensing server.
Follow the instructions
Now you need to create a ‘Collection‘, this is a group of host servers that host applications you can publish. Server Manager > Remote Desktop Services > Collection > Task > Create Session Collection.
Next.
Give the collection a name > Next.
Add in the server(s) running the RD Host role that will be included in this collection > Next.
Select the user groups that you want to grant access to. Here Im simply using the domain users group > Next.
If you want to deploy ‘profile disks’ enter a UNC path to the share > Next.
Create.
Close.
To actually publish applications, select the collection you just created > RemoteApp Programs > Tasks >Publish RemoteApp Programs.
Select the applications, (or add them in if they are not displayed) > Next.
Publish.
Note: You can change certificates from within Server Manger, but I prefer the manual approach, on the RD Gateway Server > Launch the IIS Manager > Select the server > Server Certificates.
Import > Import your publicly signed certificate, (you can use a self signed certificate but DON’T FORGET your remote client needs to be able to check your CRL, and trust your issuing CA if you do).
Sites > Default Web Site > Edit Bindings.
Select ‘https’ > Edit > Add in your certificate > OK > Close.
Bounce the services with an ‘iisreset‘ command.
Update 070316 You also will need to restart the Remote Desktop Services Service!
Connect to the server on the https://{FQDN}/RDWeb address, and you can check the correct certificate is used.
You should now be able to log into Remote Desktop Services Web Access.
Related Articles, References, Credits, or External Links
“I seem to get a lot of spam”, and “I get a lot more spam than I used to” are right up there with “My computer is running slow”. It’s a problem that, eats up users time and fills your mail stores with junk, and time/disk space costs money.
SEM is tiny! In a world where a graphics driver is now over 100MB the entire install suite is less than 11MB. This is going into my test network so testing its ability to limit spam is NOT the point of this exercise, I’m looking at the ease of installation, configuration, and administration.
SEM Pre-Requisites
1. Exchange 2000, 2003, 2007, 2010, or 2013.
2. Windows Server 2000, 2003, 2003 R2, 2008, 2008 R2, or 2012.
3. .Net framework version 2.0 (SP1).
4. MDAC (Microsoft Data Access Components) version 2.7.
5. Internet Information Services.
Solution
Before You Start
1. If you have already installed the Microsoft Anti Spam agents you might want to remove them, (not that you have to). If you don’t know you can run the following command;
[box]
Get-TransportAgent[/box]
If you just have the four below then you DO NOT have the extra agents installed.
2. If yours looks like the one below, then YOU DO have them installed.
3. As stated you don’t have to remove them but if you want to simply execute the following two commands;
[box]
cd "Program FilesMicrosoftExchange ServerV15Scripts"
./Uninstall-AmtispamAgents.ps1
[/box]
4. Answer each question, then run;
[box]
services.msc[/box]
5. Restart the Microsoft Exchange Transport service.
7. The installer is pretty straight forward > Next > Accept the EULA > Next > Enter your details > Next > Accept or change the install location > Next.
8. The product will install.
9. At this point it’s downloading definitions form the internet, and it will take a while.
10. When complete it needs to setup a user that the services will run under. Just supply a password > Next.
Note: This user (by default) is added to the local administrators group, and the Exchange Organization Management group.
11. Finish.
12. The management console installs on TCP port 5000, so if you need to access it through a firewall you will need to open that port.
13. Toolbars Tab: From here, I’ll jump straight to the configuration section, this drops you straight onto the Plugins tab. From here you can change the logo that will be displayed with the toolbar (this is NOT visible with Outlook 2013). You can also change the URL it points to and adding rights to users.
14. Toolbar Tab > Outlook Toolbar: On a client running Outlook > Download Outlook Toolbar > Run the installer.
Note: The installer is a .exe file, I would have preferred a .msi file, so I could deploy this out (on mass), to domain clients via GPO.
17. Now when you launch Outlook you can see the plugin loading.
18. You will now have an extra toolbar with the following options.
BE AWARE: You install the OWA toolbar ONCE on the Exchange CAS server.
19. Toolbars > Outlook Web Application: Install OWA toolbar.
20. Yes.
21. Now when your clients access OWA, you have the toolbar.
22. Latest news: Essentially this is just an RSS feed from the manufacturer to keep you abreast of software updates etc. If you have some RSS aggregation software you can add this same feed.
23. Mailbox Tab > Mailboxes: Here it will list all the mailboxes, by default the ‘Default policy’ will be applied and virus filtering will NOT be enabled (this is an add on license). you can also access statistics for this particular mailbox, and view quarantined emails. The User filter settings are for applying an exception for this one mailbox (I’ll cover this later). If you can’t locate a particular user there is also a search function.
24. Mailbox Tab > Usergroups: Usergroups are used to apply policies, any new group requires you to maintain membership manually. But if your Active Directory is well designed, you can select your SPAMfighter groups based on your OU structure.
SEM – SPAMfighter – Configuring and Working with Policies
This is pretty intuitive, and the default policy comes preconfigured and already applied, though with all filtering systems it will probably take you a little while to get it streamlined to your requirements. The policies section has four main tabs;
Filter Settings: What tools you are going to use to look for spam. Accept Actions: What it will do if it finds nothing. Block Actions: What it will do if it finds something. User Filter settings: Exceptions to the filters for one or more users. Mailboxes: Puts you straight back to the mailbox section you saw earlier.
25. Out of the box there are five filters enabled.
26. But there are four further filters that you can add to the policies.
SPAMfighter – Filters
27. VIRUSfighter Antivirus Filter for SPAMfighter Exchange Module: Remember this is an ‘Add on’ so it would only apply to mailboxes that have this enabled. It’s on its most conservative setting, and will replace the infected email with safe content.
28. SPAMfighter Sender Filter > Whitelist:Simply add either a particular email address you want to allow or add in an entire domain.
29. If your lists get a little unwieldy you can import or export them, and chose weather to overwrite them or append the imported list to your existing list.
30. And where there is a Whitelist there is a Blacklist, it’s configured exactly the same.
31. Automatic Whitelist: This is a brilliant feature! It dynamically adds the addresses our users send to to the Whitelist, and maintains the cache for 10 days (which you can alter). I’m surprised this is disabled by default.
Note: This will be enabled by default in the next release.
32. SPAMfighter Content Filter > Whitelist phrases: Gives you the power to automatically Whitelist emails based on a phrase they contain i.e. Your corporate email disclaimer or default signature.
33. SPAMfighter Content Filter > Blacklist phrases: As the warning says be careful with this section, this is the sort of thing that is handy for blocking “We attempted to deliver your parcel but were unable to” emails that urge you to click an attached zip file full of infected spyware nastiness.
34. SPAMfighter Content Filter > Whitelist Attachments: Here you can upload an attachments (like your company logo from your email signatures) and the system will whitelist and allow through emails containing them.
35. SPAMfighter Content Filter > Blacklist Attachments: Thankfully this is disabled by default, the list of file extensions is quite long, and contains some commonly used file extensions, You will need to do some planning and testing with this one if you want to enable it.
36. SPAMfighter Community Filter: This will filter mail based on mails that have already been blocked by other SPAMfighter users, it uses a scoring/weighting system. You simply set a threshold the higher you set it the more mail will be stopped, this will require some fine tuning.
37. SPAMfighter Language Filter:This is enabled by default, but no languages are selected (which is sensible). If you are never expecting any emails in Chinese you can block them here.
SPAMfighter Filters that you can Manually Add to the Policy.
38. SPAMfighter IP-address Filter: Pretty much does what it says on the tin! Though blocking spammers by IP address is a little hard to manage, and it’s pretty easy to spoof an IP address anyway, which is probably when this is not on the default policy.
39. SPAMfighter Sender Policy Framework Filter: Personally I think you would be crazy to turn this on! If you don’t know what an SPF record is then read the following article.
40. SPAMfighter DNSBL Filter: A DNSBL is a dynamic DNS list of known spammers, if you are familiar with RBL block lists this is similar.
41. SPAMfighter Combined Spam Score Filter: All the other filters check the mail and give it a score, if the score is higher than a certain threshold this this filter will aggregate all those scores and block the mail.
SPAMfighter – Policies > Accept Actions
42. If the mail makes it through all the filters, then this section decides what happens with it.
43. And that is adding information to the mail header that says the mail was scanned and accepted.
SPAMfighter – Policies > Block Actions
44. If the mail gets blocked by any of the filters, this section decides how that is handled.
Note: You can add other actions from the drop-down list below if this does not do what you require.
45. Just as for the accept policy action, this modifies the email header, though this one says the mail was blocked.
46. SPAMfighter Move To Folder Policy Action > Mailboxes : The second default policy action takes that filtered email and places it within a folder called SPAMfighter within the users mailbox.
Note: You can redirect that mail to another mailbox if that is your preference.
47. The system for Public Folders (if you use them) is identical.
48. Contacts: As is says contacts do not have a mailbox, but you can redirect filters contact mail to a specific mailbox should you wish.
49. User Filter Settings: This section can create an exception for one particular user, it simply creates another policy that you can apply to that user.
50. You can create new policies and apply then to particular users or usergroups, and make the system as granular as you like.
51. Statistics: On my test network I didn’t have any throughput on which to pull some meaningful statistics.
52. Statistics > Notifications: You can have daily/weekly/monthly reports emailed to you.
53. If you decide to purchase, the licenses are priced per mailbox. Prices start at £14.50 each (or £29.00 with the Antivirus) And go down to £2.45 (or £4.90 with Antivirus) depending on the amount you buy. They are available for 1, 2, and 3 year periods. For an up to date price list go here.
Related Articles, References, Credits, or External Links
A couple of months back I put in a 2008 Terminal Services Server, or Remote Desktop Services as it’s now called. I installed the Licensing server and successfully added in the licences the client had purchased, but a while later he rang to say he was having licensing issues.
At first I thought it might have “dropped” it’s licences so I checked Remote Desktop Licensing Manager, and they were still there:
Note: The Windows 2000 Server Built in TS Per Device unlimited licences are a throwback from earlier versions of windows that had a CAL on the client. (Primarily Windows 2000, but some XP clients purchased in a particular time range slipped under the bar as well).
Solution
As it turns out there’s one more step to carry out on Server 2008.
1. Launch the “Remote Desktop Services Host Configuration” console, and check the licensing section, it should give the licensing mode as “Per User” or “Per Device“. In my case it said “Not Specified”. It should also say a licensing server has been specified. (If it does not double click the incorrect entry).
2. Change the licensing mode and/or add a licensing server as required.
Per User or Per Device?
Per Device: CALs for the device get stored in the registry of the machine/device that access’s the TS/RDS server. When issued it expires after a number of days (a random number between 52 and 89 days) at this point it’s freed up to be issued again.
Per User: In this mode the CAL is issued to the user, if one user logs onto multiple devices you only use 1 licence.
Note: As a rule of thumb if you have more devices than users, choose per user. If you have more users than devices then choose per device.
Adding TS or RDS ‘Select’ Licences
You will need your select agreement number, and the amount of CALs you have purchased.
Related Articles, References, Credits, or External Links
RemoteApp is a solution for delivering applications to your users from a Remote Desktop Services Server.
Why would you want to do this? Imagine you only had one copy of office to update in your entire organisation when a new service pack or security update is released., or Adobe bring out a new version of Dreamweaver that’s on all your machines – you simply update the master copy on the RDS server, or redeploy new RemoteApps.
In the following example I’ll configure the server, and create a RemoteApp application (Word 2010) and finally, deploy it to my domain clients.
Client requirements: Windows XP (SP2), Windows Vista, Windows 7, Windows Server 2003 SP2, Windows Server 2008, and Windows Server 2008 R2.
1. On a 2008 R2 Server (That’s a domain member), Start > Run > CompMgmtLauncher.exe {enter} > Roles > Add Roles > Remote Desktop Services > Add the following “Role Services” > Remote Desktop Session Host > Remote Desktop Web Access > (If you do not have a RDS Licensing services Licencing server add that also).
2. Select “Network Level Authentication” >Select your licensing mode > Add in the user(s) and/or group(s) you want to grant access to > Set your client experience options > Set the scope for the licensing server (per forest or per domain) > When complete let the server reboot.
3. If you do not already have a RDS Licensing server then activate the Licensing Server and follow the instructions. (Start > Administrative Tools > Remote Desktop Services > Remote Desktop Licensing Manager).
4. Then Start > Administrative Tools > Remote Desktop Services > Remote Desktop Session Host Configuration > Locate Licensing > And click the “Not Specified” > Then add in the licencing server you just activated.
5. Install and configure the applications you want to deploy. Then Start > Administrative Tools > Remote Desktop Services > RemoteApp Manager > Add RemoteApp Programs > Install and configure the desired application.
6. Add the computers that need access to RemoteApp(s) to the LOCAL group on the RDS server called “TS Web Access Computers”.
8. In the RemoteApp Manager select “Create Windows Installer Package” follow the instructions and put the resulting .msi file in a network share that your domain clients can access.
9. Send out the .msi file generated to your clients by group policy.
10. By default your deployed RemoteApps will be listed on the clients start menu under “Remote Programs”.
Related Articles, References, Credits, or External Links
Seen when adding an Office 2010 KMS key on a Windows 2008 R2 KMS Server.
Note: Using the Microsoft Office 2010 KMS Host License pack as per this article.
An error occurred: 0x80072F8F
To display the error text run the following:
slui.exe 0x2a 0x80072F8F
Solution
1. If you do run the command that they have asked you to, all you get is;
Code:
0x80072F8F
Description:
A Security error occurred
2. Not very helpful, however some Google searching turned up the solution. Check the time on the KMS server is correct, mine was way out.
Note: This had happened because the domain controller was on an ESXi host with the incorrect time, the KMS server took its time from the domain controller when it booted. (Domain clients typically take their time from the DC holding the PDC emulator role).
Each model in the Cisco ASA 5500 range comes with a range of licences and features, to add these features you can purchase them from a Cisco reseller. You will then need to apply the licence to the device.
Solution
1. Your first step is to purchase the Licence you require from an authorised cisco reseller.
2. When your licence arrives you need to locate the PAK that is on the certificate.
3. You need the Serial number of the ASA 5500, to get this either look on the chassis of the device or issue a “show version” command.
[box]
PetesASA# show version
Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.1(3)
Compiled on Tue 06-Nov-07 22:59 by builders
System image file is "disk0:/asa803-k8.bin"
Config file at boot was "startup-config"
PetesASA up 5 days 17 hours
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.01
IPSec microcode : Cnlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is 001d.70df.3e28, irq 9
1: Ext: Ethernet0/1 : address is 001d.70df.3e29, irq 9
2: Ext: Ethernet0/2 : address is 001d.70df.3e2a, irq 9
3: Ext: Ethernet0/3 : address is 001d.70df.3e2b, irq 9
4: Ext: Management0/0 : address is 001d.70df.3e27, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 250
WebVPN Peers : 25
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
This platform has an ASA 5510 Security Plus license.
Serial Number: JMX1234ABCD
Running Activation Key: 0x5c385c4d 0xf8344dbb 0xac3161c8 0xaf983c24 0x88888888
Configuration register is 0x1
Configuration has not been modified since last system restart.
[/box]
4. So the one above has a serial Number of JMX1234ABCD.
5. Now you have the PAK and the serial number, you need to register them with Cisco Go there, login with a Cisco CCO account name. Enter the PAK Code > Submit.
6. Check the PAK details, and add more as required > Click “All Done”.
7. Enter the Serial Number of the ASA and tick “I Agree..” > Enter/Check your details > Enter the Licensee details (If Different) > Continue.
8. Read the Summary > Submit > Wait for it to stop saying “Processing” > When complete it should “Go Green” and say Registration Complete.
9. If can take a little while for the licence to be emailed to you and USUALLY goes straight to Junk Mail (Thanks Microsoft, that’s not funny!)
10. When the Licence comes in, the detail that you need is the activation key, it will look like….
dd12eb50 9e16d5bb 45b2a92c 78901838 44999999
11. You add this licence to the ASA with an “activation-key” command:
[box]
PetesASA> enable
Password: ***********
PetesASA# configure terminal
PetesASA(config)# activation-key dd12eb50 9e16d5bb 45b2a92c 78901838 44999999
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 250
WebVPN Peers : 50
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
This platform has an ASA 5510 Security Plus license.
Both running and flash activation keys were updated with the requested key.
PetesASA(config)#
[/box]
12. That’s the licence added.
Note: In the example above I added a licence to increase the web VPN peers from 25 to 50 (Which you can see if you compare the two pieces of code).
When Cisco released the 8.2 version of the ASA code, they changed their licensing model for AnyConnect Licenses. There are two licensing models, Premium and Essentials.
Solution
Cisco ASA AnyConnect Premium Licenses.
You get two of these free with your firewall*, with a ‘Premium License’ you can use the AnyConnect client software for remote VPN Access, and you can access Clientless SSL facilities via the web portal.
*As pointed out by @nhomsany “The two default premium licenses available are NOT cross-platform, (i.e. only Mac or Windows).
Additionally you can use this license’ model with the Advanced Endpoint Assessment License’, this is the license’ you require for Cisco Secure Desktop. You can also use this license’ with the AnyConnect Mobile license’ for access from mobile devices like phones or tablets, (both these licenses are an additional purchase).
For most people wishing to buy extra AnyConnect licensing, this will be the one you want. Their type and size differ depending on the ASA platform in question, e.g. the 5505 premium licenses. are available as 10 session and 25 session licenses. the 5510 are in 10, 25, 50, 100 and 250 Sessions. (Note: These are correct for version 8.4 and are subject to change, check with your re seller).
Failover: If you are using failover firewalls you can (but don’t have to) use a shared license’ model, this lets you purchase a bundle of Premium licenses. and share them across multiple pieces of hardware, This requires an ASA to be setup as the license’ server’. Before version 8.3 you needed to purchase licenses for both firewalls. After version 8.3, Cisco allowed the licenses. to be replicated between firewalls in a failover pair. The exception is Active/Active where the amount of licenses. is aggregated together from both firewalls and ALL are available providing the figure does not exceed the maximum for the hardware being used.
Cisco ASA AnyConnect Essential Licenses
When you enable ‘Essential Licensing’, your firewall changes it’s licensing model and the two Premium licenses. you get with it are disabled*. The Firewall will then ONLY accept AnyConnect connections from the AnyConnect VPN client software.
Note: The portal still exists, but can only be used to download the AnyConnect Client Software.
With Essentials licensing enabled, the firewall will then accept the maximum VPN sessions it can support for that hardware version (see here), without the need to keep adding licenses.
Note: Remember these are “Peer VPN Sessions”. If you have a bunch of other VPN’s (including IPSEC ones), then these are taken from the ‘pot’.
Additionally, you can also use this license’ with the AnyConnect Mobile license’ for access from mobile devices like phones or tablets, this license’ is an additional purchase.
Failover: Prior to version 8.3, if you have failover firewalls and are using Essentials licenses you need to purchase an Essentials license’ for BOTH firewalls. After version 8.3 Cisco allowed the licenses. to be replicated between firewalls in a failover pair.
*To re-enable the built in Premium Licenses. you need to disable Essentials licensing by using the ‘no anyconnect-essentials” command or in the ASDM> Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Essentials.
Related Articles, References, Credits, or External Links