FamousPhil.com -- Blog

Posted on: January 11th, 2011 by Famous Phil

There is a newer blog post with additional information on this topic at http://famousphil.com/blog/2011/07/revisiting-exchange-2010-sp1-pst-backups-improved-script/

About a week ago, I finally got around to reviewing and upgrading my existing backup routine for my Exchange server. My previous backup scheme involved pushing a full server backup image to a remote server on a weekly basis. If the server failed during a backup, I would have no viable way of recovering from a complete disaster. Obviously, this required some changes.

With the release of SP1 for Exchange 2010, a few new PowerShell cmdlets came out that provide functionality to back up Exchange mailboxes directly on the server (no need for a second computer with Outlook and the Exchange management tools anymore!). So I decided to put together some backup scripts that back up each mailbox nightly. I also modified the weekly system backup.

There are scripts attached to this post. With any kind of solution that I provide, I always provide it on an as-is basis with no warranty that it will work for your situation, although I try my best to cover as many scenarios as I can.

So what was decided upon?
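As an added example (not the scripts attached to the post), here is what a nightly per-mailbox PST export built on the SP1 cmdlets can look like. It assumes the Exchange Management Shell, an account that has been given the "Mailbox Import Export" role, and a placeholder UNC share that the Exchange Trusted Subsystem group can write to, since the Mailbox server itself writes the PST.

```powershell
# Added example, not the scripts attached to the post: a nightly per-mailbox PST export
# built on the Exchange 2010 SP1 cmdlets (New-MailboxExportRequest and friends).
# Assumptions: run from the Exchange Management Shell by an account holding the
# "Mailbox Import Export" role; $BackupShare is a placeholder UNC path that the
# Exchange Trusted Subsystem group can write to (the Mailbox server writes the PST).

$BackupShare = "\\BACKUP-HOST\ExchangePST"   # placeholder, must be a UNC path
$Stamp       = Get-Date -Format "yyyy-MM-dd"
$KeepDays    = 7                              # how many nightly PSTs to retain

# One-time prerequisite (not part of the nightly run): grant the export role.
#   New-ManagementRoleAssignment -Role "Mailbox Import Export" -User "DOMAIN\backupsvc"

# Completed requests from last night are cleared so the request names can be reused.
Get-MailboxExportRequest -Status Completed | Remove-MailboxExportRequest -Confirm:$false

# Queue one export per mailbox; the request is asynchronous, so nothing is copied yet.
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $file = Join-Path $BackupShare ("{0}-{1}.pst" -f $mbx.Alias, $Stamp)
    New-MailboxExportRequest -Mailbox $mbx.Identity -FilePath $file -Name "Nightly-$($mbx.Alias)" | Out-Null
}

# Wait for the queue to drain instead of assuming the files exist.
do {
    Start-Sleep -Seconds 60
    $pending = Get-MailboxExportRequest | Where-Object { $_.Status -eq "Queued" -or $_.Status -eq "InProgress" }
} while ($pending)

# Anything that failed is reported so the night's backup is not silently incomplete.
$failed = Get-MailboxExportRequest -Status Failed
if ($failed) { $failed | Select-Object Mailbox, Status | Format-Table -AutoSize }

# Prune PSTs past the retention window so the share does not fill up. The PSTs hold
# every user's mail in the clear, so the share ACL should be as tight as the mailboxes.
Get-ChildItem -Path $BackupShare -Filter "*.pst" |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$KeepDays) } |
    Remove-Item -Force
```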

Posted in Hosting / Server Administration

Posted on: November 24th, 2010 by Famous Phil

Breaking through a restrictive firewall with OpenVPN

Let me start off by wishing you a happy Thanksgiving holiday. I was hoping to get this blog done sooner, but I have been facing a shortage of time with my regular responsibilities as a student. Anyways, enough about that; this blog post is going to explain how I can break through a restrictive firewall and have a fully usable IP address from the inside of that firewall. This task took me about a month (with about 30 consecutive hours) to successfully complete, so I felt the urge to blog it for the future me; you, the reader, can benefit too, I suppose. This is a huge blog, so it will take a while to read.

The motivation:

I’m a huge fan of landline communication because it has a more stable and clear signal.  Unfortunately, my University removed the phone lines from all the rooms and wants $300 for a telephone jack activation and $28/month for local area calling (meaning the 716 area code only).  Furthermore, my parents have a calling plan that allows for extreme local calling that doesn’t include the University phone prefix.  Before, they didn’t mind paying extra to call me, but now my parents would have to pay for my University phone and the privilege to call me.  This just doesn’t make sense.

With this in mind, I started searching for a VoIP provider (Voice over Internet Protocol) that uses SIP (Session Initiation Protocol).  For those of you who have never heard of VoIP, it is a simple way to connect a special device to the internet and get a regular telephone jack.  This jack can then be connected to an old fashioned telephone (or cordless phone in my case) that can act similarly to a landline.  The quality for VoIP is very comparable to a landline when connected to a land based internet connection (meaning it sucks at home), but UB has a land based connection which means it will be fine.

I tested the device at UB over the summer on a network link in a room where I'm completing my master's project, and the device worked fine (I have some control over that firewall). Unfortunately, in my on-campus apartment, that connection can't be altered in my favor. I've found that the provider I selected requires unsolicited incoming connections to work properly, something that I know UB would never allow. Instead of going through bureaucratic bulls**t where I would surely lose, I took the alternate route: unblocking the connection myself (and using it for my own computers too).

In the end, I have public IP addresses that are totally un-firewalled within my apartment, where I can do traceroutes and other network diagnostic tasks. I also appear like I'm in Michigan (since that is where the datacenter is).

If you want to know more about how this is done, please continue by reading more.  DISCLAIMER: I WILL NOT SUPPORT ANYTHING WITHIN THIS BLOG THAT IS OF YOUR OWN FAULT… The information is provided on an AS-IS basis.  I’m sure there are minor mistakes here and there since this blog is almost 12 pages long in Microsoft Word!

One last note: DO NOT ATTEMPT DOING THIS if you are a novice user or someone who doesn’t know what they’re doing!  Firewalls are put up for a reason, breaking through them without having a really good reason to do so could harm you and the network you’re on in the long run, especially if you’re at work!  I take no responsibility for anything that happens to you.


Posted in Hosting / Server Administration, Student Life

Posted on: September 29th, 2010 by Famous Phil

Wow… it has been a really long time since I’ve blogged on my own site. I guess that time flies when I’m really busy, I probably shouldn’t be taking the time to write this either, but I did have some important notes to pass along that might help other admins out there.

Over the past weekend, I finally decided to take the plunge as a system administrator and upgrade my Exchange 2010 server to Service Pack 1. Overall, SP1 introduces many welcome improvements, most notably:

  • Outlook Web Access themes are now available, meaning users no longer can complain to me about the crappy looking default theme!
  • Outlook Web Access calendars can now be published to the internet either via ICAL format or a live webpage.
  • Outlook Web Access now allows the user to reposition the message body and message list, making it easier to read email on a netbook.
  • The Exchange Management Console now allows administrators to export Exchange accounts to PST files, which can easily be used to back up individual mailboxes (no more full server backups or expensive backup software).

Overall, I was impressed with the new Exchange 2010 look and feel, and I also noticed a significant increase in speed. Now comes the technical bit that might save some administrator's arse.

I should note at this point that my Exchange server contains the Hub Transport, Mailbox, and Client Access roles; the server itself is running Server 2008 R2 Datacenter. I only host 8 Exchange mailboxes, so having all the roles on a single server really doesn't degrade performance for me, and it makes sense financially. The upgrade instructions below will, for the most part, work on a single server, but the error that I explain also applies to clustered Exchange systems.

First, to upgrade the Exchange server, I strongly recommend first grabbing all of the available Windows Updates via the built in Windows Update application.  Do a reboot to verify that everything updated successfully.  I would strongly recommend doing a full backup at this point.  For me, I started a full backup the night before the upgrade process.

To upgrade Exchange, first grab the upgrade executable and run that file (it's available on the Microsoft website here). The file that you download simply extracts the service pack files to the location of your choice. You will also want to download 5 other updates that are listed here. Additionally, you will want the Office 2010 Filter Pack, located here. Make sure that you install the Office 2010 Filter Pack and the other updates before you begin the Exchange 2010 upgrade. I simply told each update to restart later to avoid several reboots, which take a long time to complete.

I'd also recommend installing 2 server roles with the prerequisites: the IIS 6 Management Console and the IIS 7 Compression add-on. You can add both of these through the Computer Management console by right-clicking on the IIS server role and adding them to it. After this, it is time to reboot the server.

The Exchange upgrade can now be started. I found that the prerequisites took about 5 minutes to check, and then I was able to quickly click on the upgrade button. The upgrade took about an hour to get to the Mailbox Role upgrade step (basically one of the final steps during the upgrade). Unfortunately, it produced an error that goes something like:

Mailbox Role Failed

Error:
The following error was generated when "$error.Clear();
buildToBuildUpgrade-ExsetdataAtom -AtomName SystemAttendant -DomainController $RoleDomainController

" was run: "An error occurred with error code '3221685221' and message 'Overlapped I/O operation is in progress.'.".

There was no way to go back, so I had to basically cancel the installation, and I was left with an unusable upgrade installation. Fortunately, the Exchange upgrade is able to pick up close to where it left off, so don't panic if you get to this step.

The problem isn’t with hardware (I/O is In/Out) like I initially thought, but rather, it is due to a poor implementation of the Microsoft Firewall.  Basically, my Exchange server is configured to allow all traffic to go to and from itself, and then I open up specific ports to the world.  All of my rules are custom rules that are specifically configured to block everything but what is absolutely required.

It turns out that Microsoft Exchange looks for the pre-made rules in the firewall and makes sure that those are enabled. So instead of checking whether access is actually granted, it looks for the name of a rule (which could have a completely different definition when it comes to the actual allowing and blocking of services). The solution was to export my current firewall policy and make a new policy based on the default firewall settings (so I basically reset the firewall). I then turned off the firewall profiles (not the service) and restarted the Exchange upgrade, and it started a few steps behind where it left off. Overall, it took about 3 hours to get the upgrade to fully run, along with a few reboots.
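An added example, not from the post: before starting the upgrade, export the locked-down policy and list which predefined Exchange rules are disabled, since setup checks those rules by name rather than testing connectivity. It assumes Server 2008 R2 (so netsh output is parsed instead of using newer firewall cmdlets), a placeholder backup path, and that the built-in rule names contain "Exchange".

```powershell
# Added example, not from the post: snapshot the custom firewall policy and list the
# predefined Exchange rules that are disabled before the SP1 upgrade, since setup
# checks those rules by name rather than by what is actually reachable.
# Assumptions: Server 2008 R2 (no Get-NetFirewallRule, so netsh output is parsed);
# $Backup is a placeholder path; the '*Exchange*' name pattern is an assumption.

$Backup = "C:\FirewallBackup\pre-sp1-$(Get-Date -Format yyyyMMdd).wfw"
New-Item -ItemType Directory -Path (Split-Path $Backup) -Force | Out-Null
netsh advfirewall export $Backup | Out-Null

# 'netsh advfirewall firewall show rule name=all' prints each rule as a block of
# "Key: Value" lines separated by a blank line; turn the fields we need into objects.
function Get-FirewallRuleSummary {
    $rules = @()
    $cur   = @{}
    foreach ($line in (netsh advfirewall firewall show rule name=all)) {
        if ($line -match '^(Rule Name|Enabled|Direction|Profiles|Grouping):\s+(.*)$') {
            $cur[$matches[1]] = $matches[2].Trim()
        } elseif ($line.Trim() -eq '' -and $cur.Count -gt 0) {
            $rules += New-Object PSObject -Property $cur
            $cur = @{}
        }
    }
    $rules
}

$exchangeRules = Get-FirewallRuleSummary | Where-Object { $_.'Rule Name' -like '*Exchange*' }
$disabled      = $exchangeRules | Where-Object { $_.Enabled -ne 'Yes' }

"{0} predefined Exchange rules found, {1} disabled" -f @($exchangeRules).Count, @($disabled).Count
$disabled | Select-Object 'Rule Name', Direction, Profiles | Format-Table -AutoSize

# If setup still insists on the defaults, the post's workaround is a reset followed by
# turning the profiles off; the export above is what lets you restore the custom policy
# afterwards instead of leaving the server on the permissive defaults:
#   netsh advfirewall reset
#   netsh advfirewall set allprofiles state off
#   ... run the SP1 upgrade ...
#   netsh advfirewall import $Backup
#   netsh advfirewall set allprofiles state on
```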

This isn't the first time that I've seen incompetence in Microsoft software. If your server is running as a file server and you don't have the default file sharing rules enabled (oh, and did I mention they're very insecure too?), when you go to share a folder you will get some strange error that has nothing to do with the firewall. Microsoft really should look at actual permissions, not just the name of a rule. Oh well, hopefully they will do this by the time Windows 8 is released!

So anyways, the firewall gets me again.  Hopefully the next time I run into a problem, I will look at the firewall first before attempting any solutions.

Posted in Hosting / Server Administration

Posted on: August 14th, 2010 by Famous Phil

Today’s topic was sparked by a recent influx of worms attempting to take over one of the public servers that I manage.  Basically, I constantly get log notifications for the firewall (yes, I actually read logs!) saying that all these attack signatures are being detected against programs running on one of my servers.

These programs are IIS 7  (web server, Internet Information Services) and MSSQL Server 2008 R2 (Microsoft Standard Query Language Server).  In the past when I ran my own computers on an un-firewalled internet connection (public wi-fi, home DSL), with home security software installed (like Norton 360), I have also noticed these types of log messages and popup warnings.

Most people (I’d estimate at least 50%) probably have some sort of broadband, un-firewalled, connection setup in their home that is directly connected to their computer.  Most people probably subscribe to some security solution like Norton 360, and they probably run some sort of firewall.  Normally, these firewalls catch all the bad stuff that can harm your computer, but stuff still could potentially come through.

Although there will always be loopholes for these security vulnerabilities, there is another means of protection that most people would NEVER think of! If you're thinking of a wireless router from the local Wally World (Wal-Mart), you read my thoughts. Yes, wireless routers don't just share an internet connection wirelessly like most people think.

So what else does a wireless router do? A wireless router is simply a ROUTER with a wireless ability built into it. Routers are complex pieces of engineering that connect many computers together. Without getting into too much detail, routers connect two separate networks together to bring multiple endpoints together. The internet has many subnets that are connected to each other through routers. Think of the telephone system when I mention this, more specifically area codes and dialing prefixes. The area code for Matthouse is 716, the prefix is 584. So 1-716-584-xxxx gets routed to a particular telephone. In my example, when you dial the full number, 1 means connect to the main US router, which knows all the US phone area codes. Next, 716 means connect to the router which handles the Western New York area prefixes, then finally that router sends the call to the router that handles the 584 prefix. That router is then practically directly connected to the xxxx number, which will ring a phone and help establish your connection. The internet is connected in a similar fashion.

Traffic is sent in internet packets that run on a certain port number. For simplicity, a port is required to connect to a computer. Computers listen on ports for connections, and there are 65535 possible ports. You might think of a port like a way to get to your house from the road at your address. Each driveway is a unique path in, and it accepts only a certain type of car. Hackers tend to send a car into that driveway that acts and looks like the car it accepts, but once it's in, it can cause havoc in your home (computer).

So what am I getting to? Routers connect different networks, so they inherently have to forward all the traffic from one network to another, including all the ports. Since ports are easy ways to get into your computer (provided your computer is actively listening / accepting on that port), hackers tend to go for these ports. Some ports on web servers (like port 80) are absolutely necessary to leave open, but other ports like 5109 (which happens to be the AOL Instant Messenger port) probably aren't needed on that web server. For a home computer, blocking all the ports inbound to the computer is probably smart, while allowing all the outgoing ports from the computer to the internet.

NOTE: I probably should add that with outbound connections through firewalls, if you request something from an external source (say a webserver) while having all incoming connections blocked, you will still get the response from that external source.  Firewalls are smart about allowing replies back through while blocking all new connections that are probably hacker initiated.

BOTTOM LINE: All computers have different needs. A wireless router, when added to your network, will block all incoming ports by default and allow all outgoing connections on all ports. Therefore, by adding one of these cheap boxes, you're not only gaining a wireless network access point, but you're also protecting yourself from the nasty dangers of hackers that probe computers for open listening ports. Since many ISPs provide un-firewalled public IP addresses to residential customers, those customers would be wise to install one of these routers. Who knows, it might save their computer from a severe attack from a hacker some day! I've also found that when I run a firewall in the form of a router, I don't need as much protection from Norton 360 on my computer, so I basically have a faster computer (it isn't working on blocking bad stuff anymore).

Hopefully this helps you!

Posted in Technology

Posted on: February 28th, 2010 by Famous Phil

As of late, I've been focusing many of my efforts on Windows more than on Linux. I suppose my only reason is that my Windows administration knowledge is quickly becoming outdated, but it is also because I spend 99.9% of my time developing on and administering Linux based machines. I am usually under the impression that Windows makes stuff so easy with the "next next next finish" principle, but Windows has just as many problems as Linux does; it just does not make them evident until you actually want to do something with Windows technology. The only great thing about Windows is that normally, the fix is 99 times easier than the same type of fix on a Linux based system.

Over the past couple of months, I've been wanting to put together a Windows based web server for myself. Its purpose was originally to keep my Outlook 2007 application on Exchange open (to update my website calendar / update my webmail RSS feed folder). I'm beginning to run other stuff on the server (e.g. my instant messenger) so that I can have a better online presence (let's face reality, email isn't as live as some of my friends would like). Since I chose to run Windows Server 2003, I decided that it might be worth my time to enable Internet Information Services and work on developing some ASP based web applications just for the fun of it. Of course, when the time is right, I will open up a few more accounts on the server through Matthouse for others who share my desire to learn ASP for fun. For those of you who are wondering, I'm waiting for a good billing system to come along; I have one, I'm simply waiting on the developer to make a few changes.

Anyways, today I was playing around with the server and I enabled FTP publishing so that I could easily upload a few files to the server from my local computer. Unfortunately for me, going to the Windows Components page under the Control Panel's Add/Remove Programs section to add FTP Publishing wasn't enough. Sure enough, the server did install FTP and made it available in the Internet Information Services Manager section of the Computer Management console.

After I deleted the default FTP site and made a new site with isolated user home directories, FTP didn't work correctly. Note that this server neither connects to nor runs Windows Active Directory, so all the accounts are local. Anyways, after some research, I found that under the FTP root I needed to add a folder called "LocalUser" and then add the username of the account as a folder under that directory. To ensure that other users could not read files / data in the directory, I changed permissions on the user folder to allow only that user and administrators access. At this point FTP began to sort of work!

I say sort of work because FTP only worked in active mode, meaning the Windows Firewall was getting in the way. After spending a few minutes looking for a solution, I figured that I would try adding the Internet Information Services executable to the exceptions list. Sure enough, this fixed the passive mode problem. The steps I took to fix the problem were: open the Windows Firewall console under the Windows Control Panel, go to the Exceptions tab, choose to add a program, browse for additional programs, and add "C:\WINDOWS\system32\inetsrv\inetinfo.exe" to the exceptions list. After this was added, passive mode worked as expected.
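As an added alternative to exempting the whole inetinfo.exe process (example code, not the author's steps), the IIS 6 FTP service can be pinned to a small passive port range and only that range plus port 21 opened, so the exception covers just the ports FTP actually hands out. It assumes the default AdminScripts path, a constructed port range, and the legacy "netsh firewall" context that Server 2003 uses.

```powershell
# Added example, not the author's steps: instead of exempting all of inetinfo.exe,
# pin the IIS 6 FTP passive data ports to a small range and open only that range plus
# port 21 in the Server 2003 Windows Firewall (legacy 'netsh firewall' context).
# Assumptions: default AdminScripts path; the port range is a constructed choice.

$AdsUtil   = "$env:SystemDrive\Inetpub\AdminScripts\adsutil.vbs"
$PasvFirst = 5500
$PasvLast  = 5515
$Range     = "$($PasvFirst)-$($PasvLast)"

# Tell the FTP service (MSFTPSVC) which ports to offer in PASV replies, then restart
# it so the metabase change takes effect.
& cscript.exe //nologo $AdsUtil set /MSFTPSVC/PassivePortRange $Range
Restart-Service msftpsvc

# Open the control port and each passive data port individually; 'netsh firewall'
# has no range syntax, so loop over the range. Plain FTP sends credentials in the
# clear, so add scope=SUBNET to these calls if only LAN clients need to reach it.
netsh firewall add portopening protocol=TCP port=21 name="FTP control" mode=ENABLE
foreach ($port in $PasvFirst..$PasvLast) {
    $name = "FTP PASV $port"
    netsh firewall add portopening protocol=TCP port=$port name=$name mode=ENABLE
}

# Review what is now open so the exception list stays as small as intended.
netsh firewall show portopening
```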

Although Server 2003 is outdated by now, it is still a very stable system to do any experimental work on, which is why I choose to run it over a better and newer version of Windows. It is also much cheaper to run than a newer version of Windows, like the current Exchange server, which is running Windows Server 2008 R2 Datacenter.

Posted in Hosting / Server Administration