Veeam Virtual Labs & SureBackup

KB ID 0001572

Problem

If you require a ‘Virtual Lab’ for testing patches or config changes, on copies of your live servers, or simply want to test the ‘integrity’ of your backups, then this is the post for you!

Licence Requirements: SureBackup and On Demand Sandbox require Enterprise Plus Veeam Licensing.

Host Licences: Hosts that are only used for SureBackup  / On Demand Sandbox DO NOT NEED Licences, (in Veeam,) only hosts that you back up FROM need licences.

SureBackup and Virtual labs are built on vPower, which allows you to power on your ‘backup files’ in a test/sandbox environment. It’s actually the same technology that Veeam use for U-AIR recovery.

Three components make up a virtual lab;

1. Application Group: This is a group of VMs, and the ‘Order’ they need to be powered on, e.g. for Exchange server you would also need a DC (global catalog server,) and maybe your mail filter appliance to be in the same group.

2. Virtual Lab: Requires a ‘Host’, and a DataStore, (for redo logs only), this only needs to be 10% of the size of the VMs that are being powered on in the lab.

3. SureBackup: This is the process that ‘Tests backups’, it will bring your backed up machines online, and perform some tests on them, some are simple like ‘ping’ tests, others are specific to particular server roles, like additional tests for Domain Controllers, Exchange servers etc.

Solution

Veeam Backup and Recovery Download

Here’s how it all ‘hangs together’. We are backing up a Domain Controller, and an Exchange Server, and we are going to use those backup files to power on a copy of the servers in our ‘Test-Lab’.

Note: I’m using VMware ESX, you can also use Microsoft Hyper-V.

These are presented through a ‘Veeam Proxy Appliance’, which presents them to the Veeam server with a changed ‘octet’ in their IP address. (So by default any other machine needs a static mapping, {see below}).

Create a Veeam SureBackup Application Group

As mentioned above, make sure you have ‘Enterprise Plus’ licences.

It should go without saying, but you will also need a ‘good’ backup of your servers.

Backup Infrastructure > SureBackup > Application Group > Add App Group > VMware.

Give the app group a name > Next > Add VM > From Backup > Select the VMs for the Lab > Add Next.

 

Put the server(s) in the correct order, i.e. the domain controllers at the top.

If you are just going to use SureBackup to check backups, then ‘Edit’ the servers, and change their ‘role’ so the correct tests get performed on them. If you are just wanting a Virtual Lab, don’t bother as you will be interacting with them directly anyway. Here are the settings for a Domain Controller.

And here for Exchange.

Next > Finish.

Create a Veeam SureBackup Virtual Lab

Backup Infrastructure > SureBackup > Virtual Labs > Add Virtual Lab > VMware.

Give the lab a name > Next > Choose > Select the ‘Target’ ESX Server to use > OK > Next > Choose > Select a datastore for the ‘redo’ logs, remember this needs to be about 10% of the size of the restored VMs. > OK > Next.

Next > ‘Advanced Single Host’ > Next > Add > Browse to the ‘Port Group’ your production VMs are in > Add > OK > Next.

Note: If you need to have your lab network on its own VLAN, this is where you need to specify that traffic to be ‘tagged’ accordingly.

Add > Specify the IP for the ‘inside’ of your Veeam Proxy Appliance, this MUST BE the same as the default gateway on the live network. Then select a sensible masquerade network address > OK > Next.

Veeam: What’s a Masquerade Address?

The proxy server basically will perform NAT from the test lab to the live network (their actual IP addresses never change, that’s why the proxy appliance had the same IP as the default gateway on the live network). The Masquerade addresses simply change one ‘octet’ of the IP address so the Veeam server can speak directly to each sandboxed (Test lab) VM.

If required, add a ‘Static Mapping’, i.e. if you want to be able to ‘speak’ to a test lab VM from the live network.

How Do Veeam Virtual Lab ‘Static Mappings’ Work?

Using the example I used above, if someone on the live network speaks to 192.168.100.21, they are actually talking to 192.168.100.196 in the test lab.

Apply > Finish.

Create a Veeam SureBackup Job

There are two ways of doing this, if you want to create a SureBackup job that just checks your backups, then you would schedule the job, and connect it to your backups, or if you just wanted to do some lab testing, you would create a ‘one off’ SureBackup job and leave the VMs powered on (I’ll point this out below).

Home > SureBackup Job > VMware > Give the job a name > Next.

Select the lab you created above > Next > Select the App Group you created above. (NOTE: If you want to leave your machines ‘powered on’ after the job, i.e. for performing upgrades, patch tests etc, then TICK the option indicated).

Link this job to the backup job for the VMs in question > Add > Select the backup Job > OK.

Note: The option at the bottom, specifies how many VMs are tested at a time in a standard SureBackup Job.

Next > Next.

Schedule the job (if required) > Apply > If you didn’t schedule, then you can click ‘Run the job when I click Finish’ for ‘one-off’ jobs > Finish.

If you selected the option to leave the machines powered on, then there will ‘always’ be a job running and the job will stop at 99%. (You will need to manually stop the job to remove the test VMs). If you do continuous backups this will be a familiar sight anyway!

There’s my test VMs powered on, that I can interact with, update, patch, and change configurations, without it affecting my live servers.

Related Articles, References, Credits, or External Links

NA

Cannot Access / Open ASDM

KB ID 0000458

Problem

Out of the box Cisco PIX/ASA devices should have a working ASDM. This config can get broken over time, and also there are a few things that can trip you up on your client machine.

Solution

Make sure the client machine you are using is not the problem

1. The ASDM runs using Java, so make sure the machine has Java installed.

Note: If you are using Java version 7 Update 51 see the following article.

Unable to Access ASDM – “Unable to launch device manager from…”

2. Make sure the internet browser you are using is supported:

| Operating System | Internet Explorer | Firefox (2) | Safari | Chrome | Java SE Plug-in (1) |
|---|---|---|---|---|---|
| Microsoft Windows: 10, 8(8.1), 7, Server 2012 R2, Server 2012, 2008 Server, XP | Yes | Yes | No support | Yes | 8.0 |
| Apple Macintosh OS X: 10.6, 10.5, 10.4 | No support | Yes | Yes | Yes (64 bit only) | 8.0 |
| Ubuntu Linux 14.04, Debian Linux 7 | N/A | Yes | N/A | Yes | 8.0 (Oracle only) |

Note (1): Support for Java 5.0 was removed in ASDM 6.4. Obtain Sun Java updates from java.sun.com.

Note (2): ASDM requires an SSL connection from the browser to the ASA. By default, Firefox does not support base encryption (DES) for SSL and therefore requires the ASA to have a strong encryption (3DES/AES) license. As a workaround, you can enable the security.ssl3.dhe_dss_des_sha setting in Firefox. See http://kb.mozillazine.org/About:config to learn how to change hidden configuration preferences.

3. Make sure you are NOT trying to access the ASDM through a proxy server, this is a common “gotcha”!

4. Can another machine access the ASDM?

5. If the ASDM opens but does not display correctly, then do the following, File > Clear ASDM Cache > File > Clear Internal Log Buffer > File > Refresh ASDM with the running Configuration on the Device.

Make sure the ASA is configured correctly, and your PC is “allowed” access

1. Connect to the firewall using either SSH, Telnet, or via the Console Cable.

2. Log into the firewall, go to enable mode > Enter the enable password

[box]

Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA#

[/box]

3. The ASDM is enabled with the command “http server enable”. To make sure that’s there, issue a “show run http” command.

[box]

PetesASA# show run http
http server enable
http 10.254.254.0 255.255.255.0 inside
http 123.123.123.123 255.255.255.255 outside

[/box]

Note: if the command is NOT there, you need to issue the following three commands:

[box]

PetesASA# configure terminal
PetesASA(config)# http server enable
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 9c4700fe 475d22c4 13442d06 b0317c69

9878 bytes copied in 1.550 secs (9878 bytes/sec)
[OK]
PetesASA(config)# 

[/box]

Note: If you see a number after the command e.g. “http server enable 2456” then you need to access the ASDM on that port, like so {IP address/Name of ASA}:2456 (This is common if you’re port forwarding https but you still want to access the ASDM externally).

4. Assuming that the ASDM has been enabled, the IP address you are accessing from (or the subnet you are on) also needs to be allowed access. You will notice in step 3 above that when you issue the show run http command, it also shows you the addresses that are allowed access, if yours is NOT listed you can add it as follows:

[box]

PetesASA# configure terminal
PetesASA(config)# http 10.254.254.5 255.255.255.255 inside
PetesASA(config)# http 10.254.254.0 255.255.255.0 inside
PetesASA(config)# http 123.123.123.123 255.255.255.255 outside
PetesASA(config)# write mem
Building configuration...

Cryptochecksum: 9c4700fe 475d22c4 13442d06 b0317c89

9878 bytes copied in 1.550 secs (9878 bytes/sec)
[OK]
PetesASA(config)#

[/box]

5. At this point try and access the ASDM again.

6. The ASA needs to be told what file to use for the ASDM. To make sure it’s been told, issue the following command. (If there is NOT one specified then skip forward to step 7 to see if there is an ASDM image on the firewall).

[box]

PetesASA# show run asdm
asdm image disk0:/asdm-739.bin

Note: on a Cisco PIX the results will look like..

PetesPIX# show run asdm
asdm image flash:/asdm-501.bin

[/box]

7. Write down the file that it has been told to use (in the example above asdm-739.bin). Then make sure that file is actually in the firewall’s memory with a “show flash” command.

[box]

PetesASA# show flash
--#-- --length-- -----date/time------ path
142 15943680 May 08 2010 18:10:42 asa831-k8.bin
144 14240396 May 08 2010 18:11:50 asdm-739.bin
3 2048 Jul 21 2009 12:04:26 log
6 2048 Apr 28 2010 15:08:32 crypto_archive
163 393828 Feb 14 2010 12:23:28 crypto_archive/crypto_arch_1.bin
164 393828 Apr 28 2010 15:08:32 crypto_archive/crypto_arch_2.bin
147 9526560 Jul 21 2009 12:04:52 csd_3.4.1108.pkg
148 2048 Jul 21 2009 12:04:54 sdesktop
150 2648712 Jul 21 2009 12:04:54 anyconnect-win-2.3.0254-k9.pkg


127135744 bytes total (29583360 bytes free)

[/box]

Note: If the file you are looking for is NOT there then (providing you have a valid support agreement with Cisco) download an ASDM image and load it into the firewall see here for instructions.

Note: If the file is in the flash memory but was not referenced in step 6 then you can add the reference with the following command (obviously change the filename to match the one that’s listed in your flash memory).

[box]

PetesASA# configure terminal
PetesASA(config)# asdm image disk0:/asdm-631.bin
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 9c4700fe 475d22c4 13442d06 b0317c89

9878 bytes copied in 1.550 secs (9878 bytes/sec)
[OK]
PetesASA(config)#

[/box]
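The checks in steps 3 to 7 can be run offline against output pasted from the firewall. This is an added example, not Cisco tooling or code from the original article; the function names are hypothetical and the sample text is constructed from the outputs shown above.

```javascript
// Added example: offline triage of pasted ASA output for steps 3-7.
// Sample text is constructed from the outputs shown on this page.
const SHOW_RUN_HTTP = [
  'http server enable',
  'http 10.254.254.0 255.255.255.0 inside',
  'http 123.123.123.123 255.255.255.255 outside',
].join('\n');
const SHOW_RUN_ASDM = 'asdm image disk0:/asdm-739.bin';
const SHOW_FLASH = [
  '--#-- --length-- -----date/time------ path',
  '142 15943680 May 08 2010 18:10:42 asa831-k8.bin',
  '144 14240396 May 08 2010 18:11:50 asdm-739.bin',
  '3 2048 Jul 21 2009 12:04:26 log',
  '127135744 bytes total (29583360 bytes free)',
].join('\n');

// Dotted-quad IPv4 to unsigned 32-bit integer.
const ipToInt = ip => ip.split('.').reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);

// Parse "show run http": server state, listening port and the allow-list.
function parseHttpConfig(text) {
  const cfg = { enabled: false, port: 443, allowed: [] };
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    let m;
    if ((m = line.match(/^http server enable(?:\s+(\d+))?$/))) {
      cfg.enabled = true;
      if (m[1]) cfg.port = Number(m[1]); // e.g. "http server enable 2456"
    } else if ((m = line.match(/^http (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$/))) {
      cfg.allowed.push({ network: m[1], mask: m[2], iface: m[3] });
    }
  }
  return cfg;
}

// Allow-list entries that cover the client address.
function matchingRules(cfg, clientIp) {
  const ip = ipToInt(clientIp);
  return cfg.allowed.filter(r => {
    const mask = ipToInt(r.mask);
    return ((ip & mask) >>> 0) === ((ipToInt(r.network) & mask) >>> 0);
  });
}

// File name from "asdm image disk0:/name.bin" (or flash:/ on a PIX), else null.
function configuredImage(text) {
  const m = text.match(/^asdm image \S+?:\/(\S+)$/m);
  return m ? m[1] : null;
}

// Paths listed by "show flash": rows that start with an index and a length.
function flashFiles(text) {
  return text.split('\n')
    .map(l => l.trim())
    .filter(l => /^\d+\s+\d+\s/.test(l))
    .map(l => l.split(/\s+/).pop());
}

// Walk the article's checks in order and collect what is wrong.
function triage(clientIp, httpText, asdmText, flashText) {
  const findings = [];
  const cfg = parseHttpConfig(httpText);
  if (!cfg.enabled) findings.push('http server is not enabled (step 3)');
  const rules = matchingRules(cfg, clientIp);
  if (rules.length === 0) findings.push(`${clientIp} is not covered by any http rule (step 4)`);
  const image = configuredImage(asdmText);
  if (!image) {
    findings.push('no asdm image is configured (step 6)');
  } else if (!flashFiles(flashText).includes(image)) {
    findings.push(`${image} is configured but not present in flash (step 7)`);
  }
  return { port: cfg.port, interfaces: rules.map(r => r.iface), findings };
}

console.log(triage('10.254.254.5', SHOW_RUN_HTTP, SHOW_RUN_ASDM, SHOW_FLASH));
```

An empty findings list means the firewall side is configured for that client, so the remaining suspects are the client-side items in the first list (Java, browser, proxy).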

 

Related Articles, References, Credits, or External Links

Connecting to and Managing Cisco Firewalls

Cisco Allowing Remote Management

Cisco ASA5500 Update System and ASDM (From ASDM)

Outlook – Constantly Prompts for a Password

KB ID 0001227 

Problem

I did an Exchange 2010 to 2016 Migration for a school this week. They are going to reimage all their PCs to Windows 10 and install Office 2016 over the summer holidays. But a few staff members were working over the holidays and needed their Win7/Outlook 2010 clients pointing to the new Exchange server.

This I did (I simply created new mail profiles and let auto discover do its work). But then the Outlook clients prompted for a username and password every five minutes (even if ‘remember password’ was ticked).

Solution

Outlook constantly prompting for passwords all the time is a common problem, and one I really struggled with here. Make sure before you troubleshoot this error that you have done the following;

  • Updated your version of Outlook with the latest updates.
  • Make sure you have NOT cached old/incorrect passwords in Windows Credential Manager.
  • Make sure some ‘clown’ has NOT ticked ‘Always ask for Credentials’ (Account > More Settings > Security tab). While you are in there, if you are on Office 365 ensure ‘Anonymous Authentication’ IS selected.
  • Make sure you are NOT going through a proxy server! If you are, you need to make an exception for the Exchange traffic.
  • Make sure the names and URLs that your Exchange server is set up with match the certificate on the Exchange server (and can be resolved in DNS), see this article.
  • Try changing the username Outlook is trying to authenticate with, from username@domain-name to DOMAIN\User-name (particularly if your email address and public/private domain name are NOT the same).

Given my Exchange background the answer was pretty much staring me in the face. Modern Exchange servers, use https for pretty much everything now, (IMAP and RPC are old school). The problem was the account settings to collect mail via https/Outlook anywhere needed changing. After a bit of trial and error and some internet searching the following cured the problem.

Note: The following ‘More Settings’ options were removed in Outlook 2016. To get that to work, you need to have your autodiscover set up correctly! The easiest way to do this is to DELETE any A or CNAME records that point to autodiscover.domain.com, and set up an SRV record (that’s for Public DNS Space and Private DNS Space).

Exchange AutoDiscover Errors – Creating an AutoDiscover SRV Record

Go to the properties of your mail account > More settings.

Tick > Connect to Exchange using HTTP  > Exchange Proxy Settings.

Enter the correct URL of your Exchange server > Tick connect using SSL only > Enter ‘msstd:{Exchange-URL}’ > UNTICK both the https options > Set the authentication to NTLM Authentication (or negotiate) > OK.

As a side note: I also set the MSSTD address on the Exchange server, with the following shell command;

[box]

Set-OutlookProvider EXPR -CertPrincipalName msstd:mail.petenetlive.com
Set-OutlookProvider EXCH -CertPrincipalName msstd:mail.petenetlive.com

[/box]

Related Articles, References, Credits, or External Links

Outlook Error “The name of the security certificate is invalid or does not match the name of the site.”

Exchange – ‘Not all the required authentication methods were found’

VMware VI Client Error ‘Call “ServiceInstance.RetrieveContent” for object “ServiceInstance” on Server “IP-Address” failed’

KB ID 0000870 

Problem

This is a pretty generic error. It basically means “I can’t connect to what you are asking me to connect to, on TCP Port 443 (https)”.

Solution

Internet searching for this error is very frustrating. Everyone who was posting this error was seeing it because, instead of putting the IP address or name in the box (which actually tells you to put in the IP address or name), they put in https://{Name or IP Address}. If you do that, you will see this error. However this was NOT MY PROBLEM.

This is happening because there is no communication between you and the ESX/vCenter you are trying to connect to. The first thing you need to do is see if HTTPS is open. On the affected machine open a web browser and point it to the same target and make sure you see the web console of the ESX/vCenter server. If you can’t see this, check firewalls (and proxies) and make sure HTTPS is not getting blocked.

In my case I could see this but it still did not work! Then I was reminded we have had strange comms problems on this site before, which I have documented here. Sure enough, when I dropped the MTU on the server I was trying to connect from (which was over a site to site VPN tunnel), it started to work fine.

Related Articles, References, Credits, or External Links

NA

Veeam – “Task Failed Error: No connections could be made because the target machine actively refused it”

KB ID 0000758

Problem

Seen when running Veeam Backup and Replication.

Error
Task Failed Error: No connections could be made because the target machine actively refused it

Also when trying to connect to VMware VCenter from the Backup and Replication management console;

Error
Failed to connect to “Host-name” by SOAP, port 443, user “User-Name”, proxy srv: port:0
Unable to connect to the remote server
No connections could be made because the target machine actively refused it {IP-Address}:443

Solution

There are a few things that might cause this, make sure the Veeam Server can “Ping” the VCenter and the hosts. Also make sure if you use a proxy server there is an exception for traffic going to this IP address.

In my case the problem was simply that the VMware Server service was not running on the Virtual Center.

Related Articles, References, Credits, or External Links

Veeam Backup and Recovery Download

Veeam Availability Suite Download

Veeam Backup For Office 365 Download

Veeam Backup For Azure Download

Veeam Backup for AWS Download

Creating a ‘Seeded’ Veeam Replication Job

KB ID 0000912

Problem

If you have a slow connection, and you are trying to replicate servers from one site to another you may struggle to do the initial replication. I’ve had an ongoing problem with a client who was trying to do this, we set it up, and the link was too slow. The client upgraded his internet connections at both sites, still the replication window would have been longer than 24 hours. In the end we chose to ‘seed’ the replication. Using this process we take a backup on the servers at the source location, then take the backup to the target location. Finally we setup the replication task and tell it to use the backup as a ‘seed’. Using this method is preferable because only the changes then get replicated over the slow link.

In the following scenario I’m using Veeam 6.5 but the process is the same for Veeam 7. As a backup target I’m going to host a backup repository on a Buffalo NAS Box (via iSCSI), that I can transport to the other site easily. I’ve also got a Veeam server at both locations, if you do not you may need to set up a temporary server at the source location to do the initial backup.

Because I’ve got a Veeam server at both locations I can utilise them BOTH as backup proxies. If you are only going to have a Veeam box at the target location, then I strongly suggest you set up a backup proxy on another server at the source site.

Solution

Veeam Backup and Recovery Download

Create a Backup of the Source Machine with Veeam

At this point I’ve added the iSCSI box as a backup repository (if you are unsure how to do this, I do the same thing again to present the iSCSI box at the target site below).

1. I’m not going to run through how to set up a simple backup job, Veeam is refreshingly easy to use.

2. So now I have the backup on my iSCSI device, I can turn it off and move the files to the target location.

Present the Backed Up files to the Veeam Server at the Target Location

3. Here I’m pointing my Veeam Server directly at the iSCSI server.

4. Now I can bring the new ‘drive’ online and make sure it gets a drive letter in Windows.

Veeam: How Do I Add a Backup Repository?

5. Launch Veeam > Backup & Replication > Backup Repositories > Add Backup Repository.

6. Give it a sensible name > Next.

7. Next.

8. This Server > Populate > Select the iSCSI drive letter.

9. Browse to the folder that contains your backup data > Next.

10. I’ve already configured vPower NFS so I’ll just click Next.

11. Tick ‘Import existing backups automatically’, and ‘Import guest file system index’ > Next.

12. Finish.

How Do I Setup a Veeam ‘Seeded’ Replication Job?

13. Launch Veeam > Backup & Replication > Replication Job > Give the job a name > Tick ‘Low connection bandwidth (enable replica seeding)’. At this point I also want to tick the next two options, so that if I need to fail over the virtual machines it will connect them to the correct VMware Port group on the target host. Also the IP addresses of the failed over machines will be changed to match the subnet of the target network > Next.

14. Add > Browse to the VM(s) you want to replicate and select them > Next.

15. Choose the host that you want to replicate the virtual machine to >Set the resource pool if you use them > Select the datastore where you will be hosting the replica files > Next.

16. Add > Locate the ‘Port Groups’ on the source and the target virtual networks. (Note: Here the port groups have the same name, they are NOT the same port group) > Next.

17. Add > Add in the IP address details from the source network and the network you will want to bring up the replicas on in the event of a failover > OK > Next.

18. Add in the source and destination proxies (make sure you have one at both ends!) > Select a local repository (this is just for the metadata not the actual replica) > Here I’m going to store seven restore points (handy because you can restore single files from a replica if you need to). DON’T click Next.

19. Advanced > Traffic Tab > Set Optimize for to ‘WAN target’ > OK > Next.

20. Enable seeding and select your new repository > If you have run the job successfully before you may have an existing replica mapping you can use, I do not > Next.

21. Enable application aware image processing (in case you ever want to restore a single file, or mail attachment, or SQL table for example) > Enter an administrative account and password > Next.

22. Set the schedule for the job > Create.

23. Finish, (if you want to start the job immediately tick the box, and it will run now, and then run again as scheduled).

24. Now when the job runs it scans the ‘seed’ first, creates the replica, and finally replicates the difference.

25. You will notice whenever the replication tasks run in future, it only replicates the differences. For example, here on a subsequent run, it only took twenty six and a half minutes to do the job.

 

Related Articles, References, Credits, or External Links

NA

SmoothWall – Allowing Windows Updates and Windows Activation

KB ID 0000441 

Problem

I’ve had fun this week installing a new virtual environment for a client with a SmoothWall firewall. It took a call to SmoothWall support for me to get Windows updates to work, then after activating a few 2008 R2 servers via phone, I was motivated to get online activation running as well.

Windows Activation Error – (We are being blocked by the SmoothWall Proxy).

A problem occurred when Windows tried to activate. Error Code 0x8004FE33

Windows Update Error – (We are being blocked by the SmoothWall Proxy).

A error occurred while checking for new updates for your computer Code 80072EFD

Solution

1. Connect to the web management console of the SmoothWall. Select Guardian > User defined categories.

2. Select the “User Defined Categories” tab.

3. Give the Category a name > Set Filter type to “Content and URL filtering” > Copy and paste in the domains listed below > Then click “Add”.

Domains Required for Windows Update

[box]

windowsupdate.microsoft.com
update.microsoft.com
c.microsoft.com
download.windowsupdate.com
genuine.microsoft.com

[/box]

Domains Required for Windows Activation

[box]

sls.microsoft.com
wer.microsoft.com
connect.microsoft.com
go.microsoft.com
crl.microsoft.com
microsoft.com

[/box]

Note: These are the top level domains.

4. Select the “Filters” tab > Give it a name > Set the filter type to “Content and URL filtering” > Expand “Good” content > Tick “Software Updates”.

5. Scroll down and expand “User Defined” > Locate the user defined category you created in step 3 and tick it > Click Add.

6. Select the Policy tab > Groups = All groups > Change the filter to the one you created in step 4 > Time period = Always >Action = Allow > Tick “Enabled” > Add.

7. From the menu select Guardian > Authentication > Settings.

8. Scroll down to the “Do not require authentication for these domains….” section > Paste in the domains you also pasted in in step 3 > Click “Save and Restart”.

 

Related Articles, References, Credits, or External Links

NA

Defining / Locking and Managing Proxy Settings

KB ID 0000181 

Problem

If you have a proxy server at your corporate/home location, then there are a few methods you can use to ensure that your clients use it. Before you start running through this, remember if you have a proxy server then it’s common sense that your firewall/router will block web access for your clients, and only allow the Proxy server (and any other servers/machines) that need direct web access out. If you are forcing your users out through one machine, for either caching, URL filtering, monitoring usage or just because it’s part of your corporate security strategy, then locking down Internet access around the proxy server should be your first consideration.

Once that’s done you can install your proxy and deploy the settings to the client PCs.

Solution

How you do this depends on your circumstances.

It’s a single stand alone machine. (Option 1)

To manually configure one machine simply open internet explorer (other browsers are also available) Tools > Internet Options > Connections > Tick Use a proxy server for your LAN > Enter the IP address of the Proxy server > Enter the port number > Tick Bypass proxy server for local addresses (If you have web servers on your local network). > OK >OK > restart Internet Explorer.

It’s a single stand alone machine. (Option 2)

Optionally you can set the proxy with local policy – this is preferable if lots of people use the same computer and you don’t want to configure each user separately. Click start > In the search/run box type gpedit.msc {enter}

The Group Policy Editor window will open > Navigate to User Configuration > Windows Settings > Internet Explorer Maintenance > Connection > Proxy Settings.

Double click proxy settings > Tick Enable Proxy settings > Enter the IP address(es) > Enter the Port(s) > Tick Do not use proxy server for local (intranet) addresses, (If you have web servers on your local network). > Apply > OK > Close the policy editor > Reboot. (or run gpupdate /force).

Note: Using this method a technically savvy user can simply get into the settings and change them in the browser – to stop this happening you can hide the tab that displays the proxy settings.

It’s a single stand alone machine. (Option 3)

You can also set the proxy options by directly editing the registry (Warning editing the registry can cause earthquakes and lead to teenage pregnancy!). Click start > In the search/run box type regedit {enter}.

Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings. The keys that look after your proxy settings are,

ProxyEnable set 0 for disabled and 1 for enabled
ProxyOverride set <local> for bypass proxy for local addresses (Note: you can also add domains separated by a semicolon ; that you don’t want to use the proxy for).
ProxyServer Sets the IP address and Port i.e. 192.168.99.1:808 (Note this setting WON’T BE THERE if there’s never been a proxy set), you will need to create it as a new string value (REG_SZ).

Or you can simply run the following .reg file

[box]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyOverride"="<local>"
"ProxyServer"="192.168.99.1:808"

[/box]

It’s On a Network with DHCP

You can lease proxy settings with your DHCP scope, it’s known as DHCP option 252.

To add Option 252 to a Server 2008 DHCP scope, on the server click Start > Administrative tools > DHCP > Expand your Server name > Right Click IPv4 > Select Set Predefined Options.

In the Predefined Options and Values dialog box, click Add > In Name, type WPAD > In Code, type 252 > In Data type, select String, and then click OK > In String, type http://192.168.99.1:808/wpad.dat, (change as appropriate).

Then you need to add that option to your existing scope > Expand the scope > Right click server options > Select Configure Options > Advanced > Scroll down to option 252 and select > Apply > OK.

Now you need to create a wpad.dat file (simply create it in notepad) and serve it from the URL you entered above.

Sample wpad.dat file (simply change the URL’s and port numbers as applicable).

[box]

function FindProxyForURL(url, host)
{
    // Strings to return
    var proxy_yes = "PROXY 192.168.99.1:808";
    var proxy_no = "DIRECT";

    // Sites that should never go through the proxy
    if (shExpMatch(url, "http://www.petenetlive.com*")) { return proxy_no; }
    if (shExpMatch(url, "http://www.dont_want_to_proxy.com*")) { return proxy_no; }
    if (shExpMatch(url, "http://192.168.99.5*")) { return proxy_no; }
    if (shExpMatch(url, "https://subdomain.dont_want_to_proxy.com*")) { return proxy_no; }

    // Proxy if PC is on local LAN
    if (isInNet(myIpAddress(), "192.168.99.0", "255.255.255.0"))
        return proxy_yes;   // the variable, not the quoted string "proxy_yes"
    else
        return proxy_no;
}

[/box]

Once that’s done you need to allow .dat as a MIME extension on your IIS Server > Start > Administrative tools > Internet Information Services (IIS) Manager > Select The Server name > Select MIME Types.

In the right hand column > Click Add > Put in the file extension as .dat and the MIME Type as “application/x-ns-proxy-autoconfig” > OK.

Then either reboot or run “iisreset /restart”

It’s on a Windows Domain

You can set the proxy settings for your USERS (Note: it’s a user policy so it CAN’T be applied to computers). On your Server Click Start > Administrative Tools > Group Policy Management > Right click Your domain (if you want the policy to apply at domain level) > Select Create a GPO in this domain and link it here > Give it a sensible name > OK.

 

Right Click your new Policy and select Edit > Navigate to User Configuration > Policies > Windows Settings > Internet Explorer Maintenance > Connection > Proxy Settings.

Note: In modern domains this policy has been removed, see the following article;

Managing IE Settings via GPO

 

Double click proxy settings > Tick Enable Proxy settings > Enter the IP address(es) > Enter the Port(s) > Tick “Do not use proxy server for local (intranet) addresses”, (If you have web servers on your local network). > Apply > OK > Close the policy editor > Reboot. (or run gpupdate /force).

Note: Using this method a technically savvy user can simply get into the settings and change them in the browser – to stop this happening you can hide the tab that displays the proxy settings.

 

My Users complain that their Laptops don’t work when they go home since I set the proxy?

 

Well that’s to be expected. While at home they can’t see your proxy server. Some companies like this option, as it stops their users surfing the internet from their home internet connection. For other people this is a big problem, and there are essentially three ways to solve it. 1) Send out your proxy settings via DHCP. Then while your users are offsite they won’t get any proxy settings (see above). 2) Feel free to use the script I wrote (below), this can be applied via policy (Local or Domain), or simply put in the startup folder of your users’ laptops. 3) Finally you can use a “Proxy.pac” file to autoconfigure the client’s proxy settings.

How it works: It pings an IP address on your corporate network, (in this case the router) which is always on, if it gets a reply – then it must be on the corporate network so it enables the proxy Server, If it gets no reply, then it must not be connected to the corporate network and turns off the proxy server.

[box]

::-----------------------Begin Script------------------------------------
@ECHO OFF
:: Check LAN connectivity
:: (match "TTL=" so that only a real reply counts, not "TTL expired in transit")

PING 192.168.99.254 | FIND "TTL=" > NUL
IF NOT ERRORLEVEL 1 GOTO ON_LAN
GOTO OFF_LAN

:ON_LAN
::**************Proxy ON**************

:: Enable the Proxy Server (ticks the box "Use a proxy server for your LAN...")
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f

:: SET the proxy (fills in the Address and port values)
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /t REG_SZ /d "192.168.99.1:808" /f

:: Set the bypass proxy server for local addresses option: <local> ticks the box, each subsequent entry is an additional domain to bypass the proxy for
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /t REG_SZ /d "<local>;*.local;www.dontproxy.com" /f

GOTO END

:OFF_LAN
::**************Proxy OFF**************

:: Disable the Proxy Server (unticks the box)
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f

:END
::-----------------------End Script------------------------------------

[/box]

Or to use a proxy.pac file

1. Create a file on your PC in notepad and call it proxy.pac change the relevant network details, proxy IP address, and port number from the example below.

[box]

function FindProxyForURL(url, host)
{
    if (isInNet(myIpAddress(), "192.168.99.0", "255.255.255.0"))
        return "PROXY 192.168.99.1:808";
    else
        return "DIRECT";
}
[/box]

2. Save the file in your C:\windows\system32 directory.

3. On the client open Internet Explorer > Tools > Options > Connections > LAN Settings > Tick “Use an automatic configuration script” and enter the following

file://c:/windows/system32/proxy.pac

Note: This can be done with a registry file, see below.

[box]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"="file://c:/windows/system32/proxy.pac"

[/box]

Note: This can be set in Policy as well, the policy lives in User Configuration > Windows Settings > Internet Explorer Maintenance > Automatic Browser Configuration > Configure as below.
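Returning to the proxy.pac file itself: the version above proxies every request while the client is on the 192.168.99.0 network, so it does not carry over the bypass entries the batch script sets. The following is an added example (not part of the original article) that folds those entries in and can be run under Node.js to check the decisions before deploying. The helper functions at the top, `resolveFor` and the client addresses are constructed stand-ins; in a browser the PAC engine supplies the helpers, so only `BYPASS` and `FindProxyForURL` belong in the real file.

```javascript
// --- Stand-ins for the PAC built-ins, so this runs under Node.js. ---
// A browser's PAC engine provides these itself; leave them out of proxy.pac.
var currentIp = "192.168.99.57"; // constructed client address for the demo
function toInt(ip) {
  var p = ip.split(".");
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | Number(p[3])) >>> 0;
}
function myIpAddress() { return currentIp; }
function isInNet(ip, net, mask) {
  return ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0);
}
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function shExpMatch(str, glob) {
  var re = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&")
               .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// --- The PAC logic: same subnet, proxy and bypass entries as the article. ---
var BYPASS = ["*.local", "www.dontproxy.com"];

function FindProxyForURL(url, host) {
  // Off the corporate subnet the proxy is unreachable, so go direct.
  if (!isInNet(myIpAddress(), "192.168.99.0", "255.255.255.0")) {
    return "DIRECT";
  }
  // Same effect as "bypass proxy server for local addresses".
  if (isPlainHostName(host)) {
    return "DIRECT";
  }
  // Same effect as the additional bypass entries in the batch script.
  for (var i = 0; i < BYPASS.length; i++) {
    if (shExpMatch(host, BYPASS[i])) {
      return "DIRECT";
    }
  }
  return "PROXY 192.168.99.1:808";
}

// Demo helper: evaluate a host as if the client currently had the given IP.
function resolveFor(ip, host) {
  currentIp = ip;
  return FindProxyForURL("http://" + host + "/", host);
}
```
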

Related Articles, References, Credits, or External Links

NA

Error When Trying to Set Out of Office ‘Your automatic reply settings cannot be displayed because the server is currently unavailable. Try again later’

KB ID 0000897 

Problem

When attempting to set my Out of Office automatic replies within Outlook, I was greeted with this.

Your automatic reply settings cannot be displayed because the server is currently unavailable. Try again later.

If I logged into Outlook Web Access, (Options > Set Automatic Replies) I could set it up and it worked fine.

It’s never really bothered me, but my colleagues were complaining about it, and when they used Outlook on our Terminal Server they also got this.

MailTips could not be retrieved.

Solution

Before proceeding you need to make sure of TWO things.

1. You are logged in, or authenticated against your domain.

2. If you are accessing web pages via a proxy server, the name of the Exchange server should be added to the Proxy Exceptions list. (Note: If you have multiple entries, you separate them with a semicolon).

Assuming you have met the two requirements above, then do the following.

1. Open Outlook > In the task bar (in the system tray) > Hold down CTRL and Right Click the Outlook Icon > Select Test E-mail AutoConfiguration.

2. Enter your details > Use AutoDiscover > Test.

Note: Here I got the following error message;

Autoconfiguration was unable to determine your settings

This was because the client I was on could not resolve autodiscover.my-domain-name.co.uk; once that was rectified I could get further.

3. In the first section Locate the URL that is being used for OOF, and make a note of it.

4. Open your web browser and make sure you can open that URL. (Note: It will redirect to Services.wsdl that is normal).

Note: If you are asked for logon credentials, you are NOT authenticated against the domain.

5. Repeat the same with the URL that is listed in the HTTP section of the test.

6. At this point mine started working. My problem was the lack of DNS resolution. If you find another fix, drop me a line and I’ll update this article (link at the bottom of the page).

Incorrect Permissions on the EWS Virtual Folder.

Just after I wrote this, site follower Peter Dorner emailed me to say,

Another common problem, is that the EWS virtual directory has misconfigured permissions in IIS.

So I checked permissions on some working systems, to see what they should be.

EWS Permissions Exchange 2007 on IIS 5

EWS Permissions Exchange 2007 on IIS 6 onwards

EWS Permissions Exchange 2010 on IIS 6 onwards

Note: As shown anonymous is enabled for the IUSR account.

EWS Permissions Exchange 2007 on IIS 6 onwards

EWS Permissions Exchange 2013 on IIS 7 onwards

Note: As shown anonymous is enabled for the IUSR account.

 

Related Articles, References, Credits, or External Links

NA