How to recreate all IIS directories on a new IIS 7 website (Including RPC and RPC with Cert) in Exchange 2007

I recently had an issue where my IIS website was corrupt and not operable.  My solution was to create a new IIS website - let's call it "New Web Site" and call the old "Default Web Site".  In this example, our external and internal URL is mail.company.com.  Our Internal server name is "MailServer".  Our NetBios domain name is "NetBiosDomainName", so change all of these to fit your environment.

Here's how it's done-

New-OWAVirtualDirectory -WebsiteName "New Web Site" -OwaVersion "Exchange2007" -ExternalAuthenticationMethods Fba

Set-OWAVirtualDirectory -InternalUrl "https://mail.company.com/owa/" -ClientAuthCleanupLevel "Low" -LogonFormat "UserName" -DefaultDomain “NetBiosDomainName” -Identity "Owa (Default Web Site)"

New-OWAVirtualDirectory -WebsiteName "New Web Site" -OwaVersion "Exchange2003or2000" -VirtualDirectoryType "Exadmin" -ExternalAuthenticationMethods Fba

New-OWAVirtualDirectory -WebsiteName "New Web Site" -OwaVersion "Exchange2003or2000" -VirtualDirectoryType "Mailboxes" -ExternalAuthenticationMethods Fba

New-OWAVirtualDirectory -WebsiteName "New Web Site" -OwaVersion "Exchange2003or2000" -VirtualDirectoryType "Exchweb" -ExternalAuthenticationMethods Fba

New-OWAVirtualDirectory -WebsiteName "New Web Site" -OwaVersion "Exchange2003or2000" -VirtualDirectoryType "PublicFolders" -ExternalAuthenticationMethods Fba

New-WebServicesVirtualDirectory -WebsiteName "New Web Site" -InternalUrl "https://mail.company.com/EWS/Exchange.asmx" -basicauthentication 1 -windowsauthentication 1

New-ActiveSyncVirtualDirectory -WebsiteName "New Web Site" -InternalUrl "https://mail.company.com/Microsoft-Server-ActiveSync" -ExternalAuthenticationMethods Basic -InternalAuthenticationMethods Basic

New-OabVirtualDirectory -WebsiteName "New Web Site" -InternalUrl "https://mail.company.com/OAB"

Set-OabVirtualDirectory -PollInterval "30" -Identity "oab (New Web Site)"

New-UMVirtualDirectory -WebsiteName "New Web Site" -InternalUrl "https://mail.company.com/UnifiedMessaging/Service.asmx"

New-AutodiscoverVirtualDirectory -WebsiteName "New Web Site" -InternalUrl "https://mail.company.com/Autodiscover/Autodiscover.xml" -BasicAuthentication 1 -WindowsAuthentication 1

Set-ClientAccessServer -Identity “MailServer” -AutoDiscoverServiceInternalUri "https://mail.company.com2007/Autodiscover/Autodiscover.xml"

Set-OfflineAddressBook "Default Offline Address Book" -VirtualDirectories "MailServer\OAB (New Web Site)" -Versions Version2,Version3,Version4

Now.. RPC and RPC with Cert.  You probably could just re-install RPC, but if you'd prefer not to here is how I recreated them-

Make a backup of the ApplicationHost.config in C:\Windows\System32\inetsrv\config.

Edit the file in Notepad and copy the following from the previus site to the new site.  DON'T use this text, use the text from your old site "Default Web Site".  Change the name of that section to your new site and paste it in that section of the file.

<site name="<Default Web Site>" id=...>
...
<application path="/Rpc" applicationPool="SomeAppPool">
       <virtualDirectory path="/" physicalPath="C:\Windows\System32\RpcProxy" />
</application>
<application path="/RpcWithCert" applicationPool="SomeAppPool">
        <virtualDirectory path="/" physicalPath="C:\Windows\System32\RpcProxy" />
</application> 
...
</site>

Next, copy the following from the previous site to the new site.  DON'T use this text, use the text from your old site "Default Web Site".  Change the name of that section to your new site and paste it in that section of the file.

Replace the old site with the new one like this-

<location path="<Default Web Site>/RpcWithCert"> --> <location path="<New Web Site>/RpcWithCert">

<location path="<Default Web Site>/Rpc">  --> <location path="<New Web Site>/Rpc">

<location path="<Default Web Site>/Rpc">

        <system.webServer>
            <directoryBrowse enabled="false" showFlags="Date, Time, Size, Extension" />
            <handlers accessPolicy="Execute">
                <add name="RPCPROXY" path="*" verb="*" modules="IsapiModule" scriptProcessor="C:\Windows\system32\RpcProxy\RpcProxy.dll" requireAccess="Execute" />
            </handlers>
            <serverRuntime uploadReadAheadSize="0" />
            <defaultDocument enabled="true" />
            <modules>
                <add name="PasswordExpiryModule" />
            </modules>
            <security>
                <requestFiltering>
                    <requestLimits maxAllowedContentLength="2147483648" />
                </requestFiltering>
                <authentication>
                    <anonymousAuthentication enabled="false" />
                    <basicAuthentication enabled="false" />
                    <windowsAuthentication enabled="true" useKernelMode="false" />
                </authentication>
                <access sslFlags="Ssl, Ssl128" />
            </security>
            <httpErrors>
                <remove statusCode="401" />
                <error statusCode="401" path="C:\Windows\system32\RpcProxy\Error401.txt" responseMode="File" />
            </httpErrors>
        </system.webServer>
    </location>

<location path="<Default Web Site>/RpcWithCert">
        <system.webServer>
            <directoryBrowse enabled="false" showFlags="Date, Time, Size, Extension" />
            <handlers accessPolicy="Execute">
                <add name="RPCPROXY" path="*" verb="*" modules="IsapiModule" scriptProcessor="C:\Windows\system32\RpcProxy\RpcProxy.dll" requireAccess="Execute" />
            </handlers>
            <defaultDocument enabled="true" />
            <security>
                <authentication>
                    <anonymousAuthentication enabled="false" />
                    <basicAuthentication enabled="false" />
                    <clientCertificateMappingAuthentication enabled="true" />
                    <digestAuthentication enabled="false" />
                    <windowsAuthentication enabled="false" useKernelMode="false" />
                    <iisClientCertificateMappingAuthentication enabled="true" />
                </authentication>
                <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert, Ssl128" />
                <requestFiltering>
                    <requestLimits maxAllowedContentLength="2147483648" />
                </requestFiltering>
            </security>
            <serverRuntime uploadReadAheadSize="0" />
            <modules>
                <add name="PasswordExpiryModule" />
            </modules>
            <httpErrors>
                <remove statusCode="401" />
                <error statusCode="401" path="C:\Windows\system32\RpcProxy\Error401.txt" responseMode="File" />
            </httpErrors>
        </system.webServer>
    </location> 

Run the Command Prompt with elevated permissions and perform run IISreset.

How to set up a Linux (Ubuntu) Ubiquiti Unifi (Unifi 3.x, Ubuntu 12.04)

This is a summary of how to set up a Ubiquiti Unifi controller on a Ubuntu Linux box.

1) Install Ubuntu Server 12.04, during the install select "OpenSSH Server" so you can remote into the server with Putty.

2) Once the operating system is up and running, set up a static IP on the box.

          sudo nano /etc/network/interfaces

          Change this-
                    auto eth0
                    iface eth0 inet dhcp

          To your static ip-
                    auto eth01
                    iface eth0 inet static
                              address 192.168.0.3
                              netmask 255.255.255.0
                              network 192.168.0.0
                              broadcast 192.168.0.255
                              gateway 192.168.0.1
                              dns-search example.com
                              dns-nameservers 8.8.8.8 4.2.2.2

          (You can omit the dns-search if you don't need a domain suffix,)

          Simply restart your server or you can restart the networking with this command-

                    sudo ifdown eth0 && sudo ifup eth0

3) Update the OS.

          sudo apt-get update

4) Update the sources.list to include the Unifi repository.

          Open the file-

                    sudo nano /etc/apt/sources.list

          Add the following line at the bottom of the file.
 Updated-
deb http://www.ubnt.com/downloads/unifi/debian stable ubiquiti
  

 #OLD-             deb http://www.ubnt.com/downloads/unifi/distros/deb/ubuntu ubuntu ubiquiti

          Hit <Control> <X> to exit and <Y> to save.

          Add the GPG Key
                     sudo apt-key adv --keyserver keyserver.ubuntu.com --recv C0A52C50

          Update the OS again.

                    sudo apt-get update

5) Install Unifi using apt-get.

                    sudo apt-get install unifi

          If you want the latest version do-
                    sudo apt-get install unifi-rapid

6) If Unifi doesn't start and says "Cannot locate Java Home", do the following-

          Open the init script.

                    sudo nano /etc/init.d/unifi

          Look for the variable "JAVA_HOME" and change the path to include the -amd64.

                    Change- JAVA_HOME=/usr/lib/jvm/java-6-openjdk

                    To- JAVA_HOME=/usr/lib/jvm/java-6-openjdk-amd64

          

          Hit <Control> <X> to exit and <Y> to save.

          Attempt to start Unifi again.

                    sudo service unifi restart

7) Open the unifi controller by going to the IP of the box on port 8443 (with https:).

          https://192.168.0.3:8443/

----

To upgrade to 5.0-
# out the old entry in /etc/apt/sources.list
Add-

deb http://www.ubnt.com/downloads/unifi/debian unifi5 ubiquiti

Then-

apt-key adv --keyserver keyserver.ubuntu.com --recv C0A52C50

apt-get update

sudo apt-get install --only-upgrade unifi

How to add a list of domains to a Send Connector in Exchange 2007 (Forced TLS) (CSV File)

I had a client with a scoped send connector to enforce outbound TLS to their partner company.  I needed to add a huge list of domains to the send connector.  I only tested this with Exchange 2007 but I'm sure it's similar for 2010/2013.

Create a file with Notepad and name the file with the extension .csv.  For my example, we'll use test.csv and we'll save it in C:\temp.  The format of the file should be-

Name
test1.com
test2.com
test3.com
test4.com

Use the following commands in powershell o import the domains to your Send Connector.  For my example, our send connector will be called "TestSend".

$al = (Get-SendConnector -Identity TestSend).AddressSpaces

$al += (Import-CSV c:\temp\test.csv) | ForEach {$_.Name}

Set-SendConnector TestSend -AddressSpace $al3

Changing Ubuntu Server IP address from DHCP to Static (including DNS)

I know this is a silly one but some seem to struggle with this and there are some conflicting instructions out there.

sudo nano /etc/network/interfaces


Change this-
auto eth0
iface eth0 inet dhcp

To your static ip-
auto eth0
iface eth0 inet static
        address 192.168.0.3
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1
        dns-search example.com
        dns-nameservers 8.8.8.8 4.2.2.2

(You can omit the dns-search if you don't need a domain suffix,)

Simply restart your server.  If you'd prefer not to, you can restart the networking with this command-

sudo ifdown eth0 && sudo ifup eth0

Cisco ASA Restrict VPN traffic to 1 IP on Site to Site (L2L) Tunnel

I was recently asked to restrict access on a VPN tunnel to one IP address, 192.168.240.13.  Here is how I did it-



access-list restrict extended permit ip host 192.168.240.13 any

group-policy Tunnel internal
group-policy Tunnel attributes
 vpn-filter value restrict

tunnel-group 2.2.2.2 general-attributes
 default-group-policy Tunnel

Setting up a Site to Site (L2L) VPN Tunnel on a Cisco ASA 5505 when the remote end has an overlapping (conflicting) IP Range

A scenario I commonly run into is a client who wants to set up a Site to Site IPSec VPN tunnel to a vendor but cannot use their current IP scheme because it overlaps with another one of their business partners.  This is a fairly simple setup.

Public IP- 1.1.1.1
Private LAN- 192.168.0.0/24
Remote VPN LAN- 192.168.250.0/24
Remote Host IP- 2.2.2.2
Pre-Shared-Key- Key

So we're going to make up a "Natted" LAN for use on this tunnel.  We will use- 192.168.100.0/24.
Natted LAN- 192.168.100.0

First thing, create some object groups.

ASA (config)# object network LocalSubnet

ASA(config-network-object)# subnet 192.168.0.0 255.255.255.0

ASA (config)# object network LocalSubnetNAT

ASA(config-network-object)# subnet 192.168.100.0 255.255.255.0

ASA (config)# object network RemoteSubnet

ASA(config-network-object)# subnet 192.168.250.0 255.255.255.0

Next we create a NAT rule to un-NAT to that address.

ASA (config)# nat (inside,outside) source static LocalSubnet LocalSubnetNAT destination static RemoteSubnet RemoteSubnet

Now we create an ACL for the VPN tunnel.  Since VPN tunnels are processed after NAT, it will be from the Natted subnet to the remote subnet.

ASA (config)# access-list Tunnel extended permit ip object LocalSubnetNAT object RemoteSubnet

Now we build the tunnel like we normally would-

ASA (config)# crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

ASA (config)# crypto map outside_map 10 match address Tunnel

ASA (config)# crypto map outside_map 10 set peer 2.2.2.2

ASA (config)# crypto map outside_map 10 set ikev1 transform-set ESP-3DES-SHA

ASA (config)# crypto map outside_map interface outside

ASA (config)# crypto ikev1 enable outside

ASA (config)# crypto ikev1 policy 10

ASA(config-ikev1-policy)# authentication pre-share

ASA(config-ikev1-policy)# encryption 3des

ASA(config-ikev1-policy)# hash sha

ASA(config-ikev1-policy)# group 2

ASA(config-ikev1-policy)# lifetime 86400

ASA (config)# tunnel-group 2.2.2.2 type ipsec-l2l

ASA (config)# tunnel-group 2,2,2,2 ipsec-attributes

ASA(config-tunnel-ipsec)# ikev1 pre-shared-key Key

That's it!  

Windows Time Hell

I'm kind of over windows time issues, so I found this little bad boy!  This thing is great, rock solid time sync, no headaches.

http://www.timesynctool.com/