Wednesday, June 15, 2011

Webproxy auto configuration, the (hard) MS way

In Windows you can use automatic proxy detection to configure all your local clients with the proxy settings you wish.

In short you do the following:

  1. Create a file named wpad.dat on a web server named wpad.mycompany.local (or whatever your DNS domain is)
  2. In that file put the proxy definition: which ports, URLs etc. (See here for the details)
  3. Make sure your DNS answers the query for wpad.mycompany.local with the web server delivering the wpad.dat file

So far everything is simple and easy to understand, but... it does not work if you use Microsoft products for DNS and/or the web server.

There are two pitfalls in the MS products:

1. DNS problem

Do a query for wpad.mycompany.local (like nslookup wpad.mycompany.local).
You would now assume your DNS server returns the configured IP.
Nada, nothing; it just returns a message telling you it's not a known name. Double-check it, it's just not working.
The DNS server does not answer the question properly.

The reason for this is "security": apparently a query for wpad. is a dangerous query, so MS blocks these in the DNS server. Don't believe it? Look here

The simplest way is to just disable that query block list on your DNS server(s):

dnscmd [dnsservername] /config /enableglobalqueryblocklist 0

2. IIS problem

When you finally got past the DNS problem and your dns servers answer queries for wpad.mycompany.local correctly, then the next problem jumps in.

Just open your web browser and enter: http://wpad.mycompany.local/wpad.dat
You would expect to see the content of that text file, but no, IIS thinks it's not something we wish to deliver to the clients.

The reason is that the .dat extension is not assigned to a MIME type, so IIS does not deliver these files and just returns a "File not found".

As the last step, register .dat in IIS with the MIME type "application/x-ns-proxy-autoconfig".
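As an added example (not from the original post), the whole procedure in PowerShell on one Windows Server 2008 R2 machine that runs both DNS and IIS, run from an elevated prompt on that machine. The web root, proxy address and server IP are assumptions, and the PAC content is a minimal illustration rather than the site-specific proxy definition the post refers to. Instead of switching the whole query block list off as the dnscmd line above does, it replaces the list with isatap only: the list exists so that a rogue host cannot register the names wpad and isatap by dynamic DNS update, and this keeps isatap protected while letting wpad resolve.

```powershell
# Added example, not part of the original post: WPAD setup on a Windows Server 2008 R2
# box that runs both the DNS Server and IIS (run elevated on that box).
# Web root, proxy address and IP are assumptions.
$DnsServer = $env:COMPUTERNAME                # assumption: script runs on the DNS server itself
$WebRoot   = 'C:\inetpub\wwwroot'             # assumption: root of the site that answers for wpad.mycompany.local
$WebIp     = '192.168.1.10'                   # assumption: IP of that web server
$ProxyHost = 'proxy.mycompany.local:3128'     # assumption: your proxy
$Appcmd    = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

# 1. wpad.dat is a PAC file (JavaScript): local names stay DIRECT, everything else goes via the proxy.
$pac = @"
function FindProxyForURL(url, host) {
    // plain host names and the internal domain bypass the proxy
    if (isPlainHostName(host) || dnsDomainIs(host, ".mycompany.local"))
        return "DIRECT";
    // private address space bypasses it as well
    if (isInNet(host, "10.0.0.0", "255.0.0.0") || isInNet(host, "192.168.0.0", "255.255.0.0"))
        return "DIRECT";
    return "PROXY $ProxyHost; DIRECT";
}
"@
Set-Content -Path (Join-Path $WebRoot 'wpad.dat') -Value $pac -Encoding Ascii

# 2. IIS pitfall: without a MIME type for .dat the server answers 404.
#    Check first, because appcmd refuses to add a duplicate entry.
$known = & $Appcmd list config /section:staticContent | Select-String 'fileExtension="\.dat"'
if (-not $known) {
    & $Appcmd set config /section:staticContent /+"[fileExtension='.dat',mimeType='application/x-ns-proxy-autoconfig']"
}

# 3. DNS pitfall: the Global Query Block List refuses "wpad" and "isatap" so a rogue host cannot
#    register those names by dynamic update. Replace the list with "isatap" only instead of
#    disabling it: wpad is answered, isatap stays protected.
dnscmd $DnsServer /info /globalqueryblocklist
dnscmd $DnsServer /config /globalqueryblocklist isatap
Restart-Service -Name DNS                      # cheap insurance against a stale list in memory
dnscmd $DnsServer /recordadd mycompany.local wpad A $WebIp   # static A record for wpad

# 4. Verify from the client side: the name resolves and the file is served with the right type.
nslookup wpad.mycompany.local $DnsServer
$wc = New-Object System.Net.WebClient
$wc.DownloadString('http://wpad.mycompany.local/wpad.dat')
$wc.ResponseHeaders['Content-Type']           # expect application/x-ns-proxy-autoconfig
```

The WebClient call is used for the check because it exists in PowerShell 2.0, which is what 2008 R2 ships with; the Content-Type header is what tells you the MIME registration took effect.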

Monday, June 6, 2011

SBS 2011 and web access

In Microsoft SBS 2011 you can log in to your server/network via a simple web browser.
For this the setup asks you for the external DNS name of your server and then magically configures everything.

So when you use, for example, myserver.mycompany.com as the server name, you can reach the RWA (Remote Web Access) part at the URL https://myserver.mycompany.com/Remote

Outlook Web Access is found at https://myserver.mycompany.com/owa

So far everything is fine.
But when you now wish to have users redirected directly to the OWA web interface when they enter the server URL, then you have a problem.

http://myserver.mycompany.com is always redirected to https://myserver.mycompany.com/Remote

According to MS this is "by design" and cannot be changed or modified.
Normal people would configure such a redirect in the IIS Manager and define the target URL there. Apparently the MS SBS developers are not part of the "normal people" group; they have probably hard-coded this redirection in some DLL, .NET stuff or whatever....


In SBS 2008 the same was true, but you could at least hack it to make the redirect behave as you wished.


The recommendation for SBS 2011 is to set up an external website with some kind of webmail.mycompany.com URL and then configure a redirect there to https://myserver.mycompany.com/owa

Very cool feature: the all-in-one solution from MS requires additional web servers to configure your server the way you want it.

The other, radical solution to this problem is to completely remove the /Remote virtual directory from your IIS (losing the corresponding functionality) and then just put a redirect at that level on the server....
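The recommended approach (a separate site that only redirects to OWA) in PowerShell, as an added example that is not from the original post or from SBS itself. It assumes the extra site can live on the same SBS box with a host-header binding, and the site name, host name and folder are assumptions; the redirect module is an optional IIS role service, so the script installs it first.

```powershell
# Added example, not from the original post or from SBS: a separate IIS site that answers
# for webmail.mycompany.com and sends every request to OWA. Run elevated on the SBS box.
$Appcmd   = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$SiteName = 'webmail'                          # assumption
$HostName = 'webmail.mycompany.com'            # assumption: public DNS name that points at this server
$Root     = 'C:\inetpub\webmail'               # assumption: empty folder, nothing is served from it
$Target   = 'https://myserver.mycompany.com/owa'

# The redirect lives in the optional "HTTP Redirection" role service of IIS 7.x.
Import-Module ServerManager
Add-WindowsFeature Web-Http-Redirect | Out-Null

New-Item -ItemType Directory -Path $Root -Force | Out-Null

# Host-header binding on port 80, so the site coexists with the SBS default site (which has none).
& $Appcmd add site "/name:$SiteName" "/bindings:http/*:80:$HostName" "/physicalPath:$Root"

# Site-wide redirect; exactDestination=true sends /anything to /owa rather than /owa/anything.
& $Appcmd set config $SiteName /section:system.webServer/httpRedirect /enabled:true `
    "/destination:$Target" /exactDestination:true /httpResponseStatus:Permanent

# Verify without following the redirect: expect 301 and a Location header pointing at OWA.
$req = [System.Net.WebRequest]::Create("http://$HostName/")
$req.AllowAutoRedirect = $false
$resp = $req.GetResponse()
'{0} -> {1}' -f [int]$resp.StatusCode, $resp.Headers['Location']
$resp.Close()
```

Nothing is ever served from the folder itself, so it can stay empty; the Permanent (301) status lets browsers cache the redirect, which is what you want for a fixed webmail address.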

SMTP SSL in Exchange 2007/2010

In Exchange 2007 and higher, the default connectors are configured to accept passwords only over a secured connection (like SSL or TLS).
A good idea, but...


The SSL option is only available for POP and IMAP; for SMTP this option is missing, and you can only configure a TLS-secured connection.

Not a problem.... you think?
When you still have users accessing your mail server via POP3/SMTP with MS Outlook 2003 (not uncommon these days), they don't have the option to use SMTP with TLS; only SMTP with SSL is available...

Other products from the same company that do not offer SMTP with TLS are Outlook Express and Windows Mail....

So you will either have to upgrade all clients to a newer MS Office version, or downgrade security on your Exchange server and allow the SMTP connector to also accept passwords over unsafe connections.

Or, probably the best thing to do: just switch to a real mail user agent like Thunderbird.....
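To see exactly which setting the post is talking about, here is an added example (not from the original post) for the Exchange Management Shell on the mail server itself: it lists how each receive connector accepts passwords, checks that a certificate is enabled for SMTP (without one STARTTLS is never offered), keeps the client connector on the safe setting, and audits for any connector that takes a password without TLS. The connector name is an assumption (the default name Exchange generates).

```powershell
# Added example, not from the original post: inspect and keep the safe password setting on
# Exchange 2007/2010 receive connectors. Run in the Exchange Management Shell on the server.
$Server = $env:COMPUTERNAME                 # assumption: run on the mailbox/hub server itself
$Client = "$Server\Client $Server"          # assumption: default client connector name unchanged

# Which mechanisms does each connector allow, and on which ports?
Get-ReceiveConnector -Server $Server | Format-Table Name, Bindings, AuthMechanism -AutoSize

# STARTTLS is only offered when a certificate is enabled for the SMTP service.
Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' } |
    Format-Table Thumbprint, Subject, NotAfter -AutoSize

# Safe setting: BasicAuth together with BasicAuthRequireTLS (password only after STARTTLS).
# The "downgrade" the post mentions is the same list without BasicAuthRequireTLS,
# i.e. the password travels over plain SMTP.
Set-ReceiveConnector -Identity $Client -AuthMechanism Tls,BasicAuth,BasicAuthRequireTLS,Integrated

# Audit: any connector that accepts BasicAuth without insisting on TLS first?
Get-ReceiveConnector -Server $Server |
    Where-Object { ($_.AuthMechanism -match '\bBasicAuth\b') -and ($_.AuthMechanism -notmatch 'BasicAuthRequireTLS') } |
    Select-Object Name, Bindings, AuthMechanism
```

The audit at the end is the line worth keeping around: it is empty on a server where no connector accepts a password in the clear, and it lists the offending connector the day someone applies the downgrade.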

Wednesday, June 1, 2011

Migration of MS SBS 2003 to MS SBS 2011

Microsoft has a good document about the steps to migrate an SBS 2003 server to SBS 2011.
It is normally easy and well documented. But as always, there are things not working as expected or as documented.

Here a few things:

Migration fails when joining the domain (dcpromo)
  • When installing the new server, it should automatically join the old domain
  • If that join fails, the migration wizard shows a fatal error and tells you to restart the whole installation. (Of course, at this point you have already waited about 1-2 hours)
  • When you google (or bing) around, you will see that a "recovery" of the setup process is still possible. Look here for more details.
  • One problem might be that your migration account (usually the Administrator) is using a weak password, one that does not meet the 2008 R2 password complexity rules
  • Another might be that your migration user is not a member of all required groups

DHCP reservations are not migrated
  • Yep, this can occur; sometimes it works, sometimes not
  • In that case export the leases from the old server and then add them manually on the new server. See here how to do it almost automatically

After mailbox migration to the new server, the mailboxes are not available and/or OWA shows just an empty screen after login
  • Make sure all required Exchange services are running (for example, the "MS Exchange RPC Client" service is one that does not always autostart correctly after a server reboot)

Other potential MS Exchange migration issues
  • Access to SMTP, POP and IMAP is no longer allowed with plain-text passwords. So you should configure your clients to use POP/IMAP with (START)TLS and/or with SSL
  • The IMAP and POP3 connectors are not started by default; you have to enable these services in the service manager
  • For external SMTP access to your server (for non-Outlook users) it is best to create an SMTP connector on port 587 (the submission port); that way you avoid problems when your ISP blocks connections to the standard SMTP port
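The post-migration checks from the two lists above in one script, as an added example that is not from the original post: it forces the RPC Client Access, IMAP4 and POP3 services to automatic start and starts them, then looks for a receive connector bound to port 587. Run on the new server in the Exchange Management Shell; the service names are the Windows service names of those Exchange components.

```powershell
# Added example, not from the original post: after the mailbox move, make sure the Exchange
# services that tend to stay down are set to automatic and running, and confirm that a
# receive connector listens on the submission port. Exchange Management Shell, new server.
$services = @(
    'MSExchangeRPC',     # Microsoft Exchange RPC Client Access: Outlook/OWA stay empty without it
    'MSExchangeIMAP4',   # not started by default
    'MSExchangePOP3'     # not started by default
)

foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "service $name not found on this server"; continue }
    Set-Service -Name $name -StartupType Automatic
    Start-Service -Name $name                    # no-op if it is already running
    $mode = (Get-WmiObject Win32_Service -Filter "Name='$name'").StartMode
    '{0,-18} {1,-8} {2}' -f $name, (Get-Service -Name $name).Status, $mode
}

# Is anything listening on port 587 (submission)?
$submission = Get-ReceiveConnector | Where-Object { $_.Bindings | Where-Object { $_.Port -eq 587 } }
if ($submission) {
    $submission | Select-Object Name, Bindings, AuthMechanism
} else {
    Write-Warning 'no receive connector is bound to port 587'
}
```

The last check only reports; whether the 587 connector requires TLS before a password is accepted is covered by the AuthMechanism column it prints.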


Fax migration
  • You still have to configure the fax service on the new server before doing the fax migration