Configure Session TTL / Timeout in Fortinet

Hey there Mobile admins..

Recently, I’ve done some troubleshooting with Fortinet and the ActiveSync timeout, also known as Event ID 3030, Source: Server ActiveSync, with the following being output to the Application Log on Exchange Server 2003 and 2007.

Event Type: Warning
Event Source: Server ActiveSync
Event Category: None
Event ID: 3033
Description:
The average of the most recent [200] heartbeat intervals used by clients is less than or equal to [9]. Make sure that your firewall configuration is set to work correctly with Exchange ActiveSync and direct push technology. Specifically, make sure that your firewall is configured so that requests to Exchange ActiveSync do not expire before they have the opportunity to be processed.

Read more on Direct Push in TechNet: Understanding Direct Push. Typically you will need to adjust your session TTL to no less than 12 minutes.

Fortinet lists the official help on the subject in http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&externalId=FD31862 – FD31862 – Customizing Session TTL in FortiOS 4.0. FortiOS 4 also allows this per rule! So for all those with FortiOS 3, use the mentioned KB from Fortinet or try the FortiOS CLI Reference..

Usually I set this timeout to no less than 15 minutes or 900 seconds.. your call 🙂
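As an added example (not from the post or from Fortinet's KB), a FortiOS CLI fragment that raises the session TTL only for TCP/443, the port Exchange ActiveSync over HTTPS uses, while the global default stays untouched, followed by the per-policy form FortiOS 4 supports. The 900 seconds is the 15 minute value above; the port table id and the policy id 5 are placeholders.

```fortios
# Added example, not from the original post or the Fortinet KB.
# Global default TTL is left at 3600; only TCP port 443 gets 900 seconds,
# which is above the 12 minute minimum Direct Push heartbeats need.
config system session-ttl
    set default 3600
    config port
        edit 1
            # protocol 6 = TCP
            set protocol 6
            set start-port 443
            set end-port 443
            set timeout 900
        next
    end
end

# FortiOS 4.x only: the same TTL scoped to one firewall policy instead of a
# port. Policy id 5 is a placeholder for the rule that publishes ActiveSync.
config firewall policy
    edit 5
        set session-ttl 900
    next
end
```

After applying either form, the Event ID 3033 warnings should stop once clients have renegotiated their heartbeat interval; keep watching the Application Log for a day to confirm.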

-updated the link to Fortinet KB

Troubleshooting Exchange 2003 and 2007 Store Log/Database growth issues

Issues like these always come up with various customers, so I thought it might be good to share with you all.

As posted also in the official Microsoft Exchange Team blog:

Mike Lagase has just posted a very detailed troubleshooting guide for these problems on his blog – Troubleshooting Exchange 2007 Store Log/Database growth issues

This is one of the most comprehensive collections of information on how to troubleshoot those issues. Read it!

Prevent Outlook Anywhere (aka RPC over HTTP) from being automatically configured in Exchange 2007 with autodiscover

Update #2 – July 28th 2014 –

Removing the EXPR while Autodiscover is being utilized (which is probably the case in most deployments) will prevent Outlook Anywhere from being used.

With that being said, a few commentators stated that they would like to continue using Outlook Anywhere, and with Autodiscover enabled and the EXPR removed this results in constant “removal” of the Outlook Anywhere settings that were statically configured.

If you want only specific users to be able to use Outlook Anywhere while others can’t, I would advise considering the Set-CasMailbox -MAPIBlockOutlookRpcHttp:$true cmdlet to allow/block specific users.

Update – June 29th 2013 –

If you’re going to deploy Exchange 2013 anytime soon, work your way to adopting Autodiscover and bring back the EXPR value. See Exchange 2013 Outlook Anywhere Considerations for more.

This is an unsupported method, use at your own risk!

Once “Outlook Anywhere” is configured on a Client Access Server an EXPR entry is created. The Autodiscover application then picks up the change and publishes it, along with the URLs for OAB, EWS & Availability.
This basically “forces” the automatic propagation of settings into the profile, including the checkbox for “Connect to Microsoft Exchange using HTTP” and filling in the information for the HTTP proxy and authentication methods.

Microsoft documented Deployment Considerations for the Autodiscover Service in:

http://technet.microsoft.com/en-us/library/aa997633(EXCHG.80).aspx – where only Site Affinity can be configured.

The Outlook provider setting and its relation to Autodiscover are described quite well in the Exchange team blog:

http://msexchangeteam.com/archive/2008/09/26/449908.aspx

A client of mine needed the possibility to disable the automatic propagation of the “Connect to Microsoft Exchange using HTTP” setting in an Exchange 2007 environment.
He did, of course, want to keep the ability to connect using “Outlook Anywhere” if desired, when configuring that manually.

Because Autodiscover was made to auto-configure clients that are inside & outside the corporate network, disabling this feature disables the ability of external Outlook clients that are not domain joined to automatically connect using “Outlook Anywhere”. It does not, however, affect the manual configuration of a profile.

Within the Exchange shell:
Get-OutlookProvider -Identity EXPR | Remove-OutlookProvider
Once this is done, recycle the Autodiscover application pool in IIS.

This solution will keep the Outlook clients from automatically propagating the settings for “Outlook Anywhere”, but retains the possibility of configuring it manually.
All web services and Autodiscover information other than the proxy information itself remain intact.

Updates (thanks to all commentators)

To bring the EXPR entry back:

New-OutlookProvider -Name:EXPR

I have done the required testing to make sure this solution works.

This is an unsupported method, use at your own risk!
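As an added example (not from the original post), the per-user approach from Update #2 scripted in the Exchange Management Shell: every mailbox outside a hypothetical distribution group named “OutlookAnywhere-Allowed” gets MAPIBlockOutlookRpcHttp set, group members keep Outlook Anywhere, and a final listing shows who can still use it. The group name is a placeholder, and Set-CASMailbox runs with -WhatIf until you remove that switch.

```powershell
# Added example, not from the original post. Assumes the Exchange 2007/2010
# Management Shell; "OutlookAnywhere-Allowed" is a placeholder group name.
$AllowedGroup = "OutlookAnywhere-Allowed"

# Collect the members that may keep using Outlook Anywhere, keyed by DN so that
# duplicate aliases or display names cannot produce a wrong match.
$allowed = @{}
Get-DistributionGroupMember -Identity $AllowedGroup -ResultSize Unlimited |
    ForEach-Object { $allowed[$_.DistinguishedName] = $true }

# Block RPC over HTTP for every mailbox not in the group, unblock the members.
# Only mailboxes whose current value differs are touched; -WhatIf previews the
# change, remove it to apply.
Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    $shouldBlock = -not $allowed.ContainsKey($_.DistinguishedName)
    if ($_.MAPIBlockOutlookRpcHttp -ne $shouldBlock) {
        Set-CASMailbox -Identity $_.Identity -MAPIBlockOutlookRpcHttp $shouldBlock -WhatIf
    }
}

# Review: mailboxes that can still use Outlook Anywhere after the change.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { -not $_.MAPIBlockOutlookRpcHttp } |
    Select-Object Name, DistinguishedName, MAPIBlockOutlookRpcHttp |
    Sort-Object Name
```

Unlike removing EXPR, this leaves Autodiscover publishing the Outlook Anywhere settings, so blocked users still see the profile option but cannot connect over RPC/HTTP.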

Prevent users from changing the permissions settings on their mailbox folders in Outlook 2003/2007

From a thread I took part in: there are currently no settings in the official Office 2003/2007 ADM packs to control this setting.

Here’s the registry how to:

For Outlook 2003:

http://support.microsoft.com/kb/948894
1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Options\Folders
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type DisableEditPermissions, and then press ENTER.
5. Right-click DisableEditPermissions, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Exit Registry Editor.

For Outlook 2007, the subkey is HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Options\Folders

Manual creation of the ADM is required; I might post it later on.
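As an added example (not from the original post), the same registry change scripted for both Outlook versions at once, with a check function so a logon script can confirm the value actually took. It runs in the context of the user whose Outlook should be locked down, since the key lives under HKCU.

```powershell
# Added example, not from the original post. Sets DisableEditPermissions=1 for
# Outlook 2003 (Office 11.0) and Outlook 2007 (Office 12.0) under HKCU and
# verifies it. Run as the target user; HKCU is per-user.
$OfficeVersions = @("11.0", "12.0")

function Set-DisableEditPermissions {
    param([string]$Version, [int]$Value = 1)
    $key = "HKCU:\Software\Microsoft\Office\$Version\Outlook\Options\Folders"
    # Outlook only writes this subkey on first use, so create the chain if missing
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # REG_DWORD DisableEditPermissions, exactly as in the KB steps; -Force
    # overwrites an existing value of 0
    New-ItemProperty -Path $key -Name "DisableEditPermissions" `
        -PropertyType DWord -Value $Value -Force | Out-Null
}

function Test-DisableEditPermissions {
    param([string]$Version)
    $key = "HKCU:\Software\Microsoft\Office\$Version\Outlook\Options\Folders"
    # Missing key or missing value both mean "not enforced"
    $item = Get-ItemProperty -Path $key -Name "DisableEditPermissions" `
        -ErrorAction SilentlyContinue
    return ($item -ne $null -and $item.DisableEditPermissions -eq 1)
}

foreach ($v in $OfficeVersions) {
    Set-DisableEditPermissions -Version $v
    "Office {0}: DisableEditPermissions enforced = {1}" -f $v, (Test-DisableEditPermissions -Version $v)
}
```

Because this is a user-hive setting, a user with regedit access can revert it; treat it as a usability guard rather than a security boundary, and set the folder permissions themselves on the server side where it matters.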

A bite of spam

Thought I should post this to share some info and maybe even provide a simple FAQ and some basic info on how to fight the world’s true evil.

unsolicited bulk e-mail messages… SPAM

For a start, if you want some background and basic info on the what/how/why and such, I would refer you to spamfaq.net (archive). Once you are familiar with the basic terms, you will probably want to start implementing (if not already) some anti-spam methods: either choose a 3rd party application for this, a hardware based all-in-one relay solution, etc..

Most simple solutions are rather a mail relay with some kind of software which does a bunch of tests and lookups on the incoming message and its content to measure its validity, and so on. My anti-spam ninja skills are mostly based on Exchange servers that didn’t implement anything other than an Exchange server receiving mail directly from the internet, running an anti-virus solution of some kind..

I usually follow these few steps, and the outcome is less SPAM being processed by the mail server, because it is blocked at session connect.

1. Whois information for each and every domain used for outbound email is valid and, as far as possible, updated with a relevant internal contact.

2. Add SPF information for each and every domain used for outbound email. (I define that a Fail response = reject message.)

3. Register your domains with Sender-ID, the Microsoft “spf” framework. (I define that a Fail response = reject message.)

4. Enable the use of a DNS RBL (real-time block list) provider as a first method to filter out the bad guys. This will drop most evil right here.

5. Add SURBL, suppress sending out NDR/Out-of-Office & any other method/product you may want to use.. Anti-spam is not a set-and-forget matter: you will need to take care of every solution you choose, find dropped messages, troubleshoot false positives, etc.. Don’t take any shortcuts.

DNS RBLs

Choose carefully the provider which suits you, and of course make sure your mail system supports DNS RBL lookups. Most mail gateways allow this either built in or with a 3rd party add-on; for instance Exchange 2003 SP2/2007 supports this built-in, so make sure you verify this. Also make sure you are configuring each RBL with the correct response code from that provider, so that you do not just turn on blocking of all your incoming email traffic 🙂 A great comparison of the major DNS RBL providers is updated weekly @ http://www.sdsc.edu/~jeff/spam/cbc.html
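As an added example (not from the original post), steps 2 to 5 above as Exchange 2007 Management Shell commands, including the response code caveat just described: the RBL is added with explicit return codes instead of “any answer” and is tested before it is trusted. It assumes the anti-spam agents are installed on the server; rbl.example.net, the return codes and the SPF record are placeholders to be replaced with your provider's documented values and your own sending hosts.

```powershell
# Added example, not from the original post. Exchange 2007 Management Shell on a
# Hub/Edge server with the anti-spam agents installed. rbl.example.net and the
# return codes are placeholders; take the real ones from your provider's docs.

# Step 2 lives in DNS, not Exchange: a TXT record shaped like
#   example.com.  TXT  "v=spf1 mx ip4:203.0.113.10 -all"
# (203.0.113.10 is a documentation address used as a placeholder).

# Step 3: Sender ID. A hard Fail is rejected at SMTP time, as the post defines
# it; a temporary DNS error only stamps the message so a DNS hiccup loses no mail.
Set-SenderIdConfig -SpoofedDomainAction Reject -TempErrorAction StampStatus

# Step 4: DNS RBL with explicit return codes. Matching only the documented codes
# (rather than any answer) is what protects you from a provider that starts
# returning an unexpected code to every query and thereby blocks all inbound mail.
Add-IPBlockListProvider -Name "Example RBL" -LookupDomain "rbl.example.net" `
    -IPAddressesMatch "127.0.0.2","127.0.0.3" `
    -RejectionResponse "Sending IP is listed by a DNS block list; see the list web site."

# Verify the lookup path before relying on it: the provider's documented test
# address should come back listed, an unlisted address should not.
Test-IPBlockListProvider -Identity "Example RBL" -IPAddress 127.0.0.2
Test-IPBlockListProvider -Identity "Example RBL" -IPAddress 127.0.0.1

# Step 5: stop NDRs and Out-of-Office replies from leaking to the internet.
# The Default remote domain covers every external domain without its own entry.
Set-RemoteDomain -Identity Default -NDREnabled $false -AutoReplyEnabled $false

# Record the resulting state for the change log
Get-IPBlockListProvider | Format-List Name, LookupDomain, AnyMatch, IPAddressesMatch, Enabled
Get-SenderIdConfig | Format-List SpoofedDomainAction, TempErrorAction
```

SURBL (step 5) checks URLs in message bodies rather than the sending IP, so it is not covered by the connection filtering cmdlets above and needs a content filter or a third party product.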

SURBL

Another great method to enhance your blocking of spam even further is using SURBL – “..SURBLs list web sites found in unsolicited message bodies. Those domains can be used to detect future unsolicited messages advertising the same sites. In contrast, most other lists have the IP addresses or domain names of unsolicited message senders, open relays, open proxies, etc.” http://www.surbl.org/

Because I cannot really cover it all here, here are some links to further info, utils and more..

The anti-spam portal – Super site, covers everything.

DNSBL Resource – News, info, ratings of DNSBLs and more.

ORFilter – freeware allowing the Microsoft SMTP server to use RBLs and more.

Exchange 2007 & Exchange 2003 Coexistence – CAS Proxy issues

Sorry for the huge gaps, but it’s been very busy and messed up lately… well, anyway.

A CCR implementation, along with 2 HUB/CAS & 2 ISA servers to serve it.

On the legacy side, an Exchange 2003 cluster based on Windows 2000 & 2 front ends.

All seemed to be working great, except that when it came to testing connectivity and co-existence with the 2003 backend cluster,

using the new CAS servers to replace the front end servers, things went bad.

I had error 500 when accessing 2007 mailboxes with /exchange, and 404 errors when accessing /exchange with 2003 mailboxes.

Also, event ID 1000 with source EPROX was logged in the CAS application log; the description doesn’t make much sense, except that it contains the 2003 backend cluster name..
” The description for Event ID 1000 from source EXPROX cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. ”
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
CLUSTER

Solving.. 🙂

The error 500 was solved when I double checked that all the CCR mailbox role features were installed: Web-ISAPI-Ext was missing, and now the 2007 mailboxes work with /exchange.

Now, if you read a bit in TechNet you’ll find out the hows and whys and so on… BUT! You should keep in mind that if you work with a clustered backend and you want to support any front end/CAS,

you should also follow this KB:

“How to configure host header and authentication information in Exchange 2000 Server or Exchange Server 2003 Outlook Web Access on a Windows Server 2003 or Windows 2000 server cluster”

Long story short:
To make this legacy proxy work, you should first check that navigating to your CAS with /exchange WORKS for 2007 mailboxes.
Use the default forms-based auth and don’t change anything while testing it.

Then make sure you’ve added ALL the host headers you will use (e.g. owa.company.com, owa.local.dom, etc..) on your clustered backend 2003/2000 Exchange servers.

Once this works, you should not see any EPROX errors in the application log, nor Availability service errors saying that the CAS server cannot find your backend servers.

Then you should be able to test 2003 mailboxes through the CAS servers, and decommission any front end servers you might have.

Hope this helps!

my cup of checkpoint SecuRemote / SecuClient

Well.. I really like checkpoint products.. with that being said, and by the title of this post, I’ll rather get to business 🙂

For the record, I’m using Vista x86 with SP1 on my laptop, and I’m mostly happy with the OS behavior..
Anyway, the thing is that I have had VPN-1 SecuRemote / SecureClient NGX R60 HFA2 installed on my laptop since I installed the OS,
installing only SecuRemote during setup & using it a lot to connect to customers and such.

So far so good, then came the time when I had to connect to a client and, for some reason,
I had been persuaded to install the SecureClient because we had some issues connecting…!@$@

Yeah, from this point things went bad!

Hmm.. well, for a start I uninstalled, restarted & re-installed, the SecureClient this time; setup got stuck..
in the part where it configures additional components or something (that GUI with the wheels…)
Then on the reboot… hmm, well, the desktop failed to show up, it was pitch black with the mouse cursor only!!?
So obviously something went wrong.

Long story short, after battling with the install over and over again, the quick fix for the black screen is to manually delete fw.sys from system32\drivers each time;
this quickly broke the service binding on the network adapters & made me able to boot normally into Windows and uninstall the SecureClient software and drivers.

Finally, what fixed the issue was actually binding IPv6 back, which I had disabled… I added the binding to the network adapters & removed the registry key;
for info on that see: http://support.microsoft.com/kb/929852
After that, all went great.. regarding the install of the client – SecuRemote only!! 🙂

Okay, now what… some more fun for the end!
I’m lately using Internet Connection Sharing on my laptop, so that it shares wireless to the LAN adapter.. hmm, that got broken;
unbinding the checkpoint service from the network adapter did the trick on that one.

There. nuff rumbling.

Scripting sharepoint lists “Connect to Outlook” stssync links

I was asked to figure this out; it took me a while, but I found quite a nice approach to make it super easy.

The official TechNet on the matter explains how to phrase the stssync link correctly; after fighting with it.. unicode etc.. I finally thought of something easy.

1. Locate the list you want to connect to.

2. Press the “Connect to Outlook” button.

3. Approve in Outlook…

4. Right click the newly added list & choose Share “List name”.

5. Mail the share offer to yourself, then check out the message headers.

6. Notice the “x-sharing-config-url”; this is the exact stssync reference link that you need 🙂 clean and easy & without any hassle or unicode stuff…

7. Enjoy distributing this; you can use outlook.exe /share stssync://url, or use a link in a webpage to make the users add the lists to their Outlook.

That’s it 🙂
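As an added example (not from the original post), step 5 to 7 automated: pull the x-sharing-config-url header out of the saved sharing invitation (headers can be folded across lines, which is handled) and emit both delivery forms from step 7. The header block below is constructed for the example, not a real capture, and the stssync query parameters in it are illustrative.

```powershell
# Added example, not from the original post. Extracts x-sharing-config-url from
# raw message headers and builds the outlook.exe /share command plus an HTML
# link. The sample headers are constructed, not a real capture.
$sampleHeaders = @"
Subject: Sharing invitation: Team Tasks
X-Sharing-Config-Url: stssync://sts/?ver=1.1&type=tasks&cmd=add-folder
 &base-url=https%3A%2F%2Fsharepoint%2Eexample%2Enet&list-url=%2FLists%2FTeamTasks%2F
 &guid=%7B00000000-0000-0000-0000-000000000000%7D&site-name=Example&list-name=Team%20Tasks
Content-Type: text/plain

"@

function Get-StssyncUrl {
    param([string]$RawHeaders)
    # Unfold folded headers: a line break followed by whitespace continues the
    # previous line. The whitespace is dropped too, since a URL contains none.
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ""
    foreach ($line in ($unfolded -split "`r?`n")) {
        # Header names are case-insensitive; -match is case-insensitive by default
        if ($line -match '^x-sharing-config-url:\s*(\S+)\s*$') { return $Matches[1] }
    }
    return $null
}

$url = Get-StssyncUrl -RawHeaders $sampleHeaders
if (-not $url) { throw "no x-sharing-config-url header found" }

# Command line form, for a logon script or a shortcut
"outlook.exe /share `"$url`""

# Link form for an intranet page; escape & so the HTML stays valid
'<a href="{0}">Connect this list to Outlook</a>' -f [System.Security.SecurityElement]::Escape($url)
```

To use it on a real invitation, save the message as a .eml (or copy its Internet headers from Outlook) and pass the text to Get-StssyncUrl instead of $sampleHeaders.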

Enable sata AHCI / RAID (ICH8/ICH8R/ICH9/ICH9R/ICH10)

Well, I’ve had some experience in the past with moving Windows installations to different hardware / storage controllers..

My new computer was installed too quickly and I did it in Legacy IDE mode as far as my southbridge SATA controller goes, blah blah, anyway; if anyone might be doing it, here’s a fairly nicely made guide on how to enable it quickly for a variety of chipsets, works very well, check this forum link.

http://forums.hexus.net/hexus-hardware/112584-how-enable-ahci-raid-mode-without-reinstalling-windows-p35-ich9-ich9r.html