Blog

We recently needed to create SPF records for several email domains belonging to one of our customers. Sender Policy Framework (SPF) is published as a DNS TXT record on the sending domain. The record lists the hosts and address ranges allowed to send mail for that domain, so a receiving mail server can compare the connecting IP address against the list and reject or flag forged senders. Note that SPF checks only the envelope sender (MAIL FROM) and HELO identity, not the From header a user sees, so it is normally deployed together with DKIM and DMARC. The syntax can be a little tricky, so I found several good sites to help generate the record. One of the best was Microsoft's, which retrieves the actual IP addresses from DNS to build the TXT record. After you answer a few questions about email flow it creates the record, which you can copy and paste into your DNS configuration.
 
https://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
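To make the record's semantics concrete, here is an added example (not from the original post and not Microsoft's wizard) that evaluates an SPF record the way a receiving server does: the sending IP is checked against the mx, ip4, ip6, a and include mechanisms in order, the first match returns the result selected by its qualifier, and the RFC 7208 limit of ten DNS-querying mechanisms is enforced so that an include loop ends in permerror rather than recursing forever. The zone data (the example.com, _spf.example.net and example.org names and their addresses) is constructed and embedded in a dictionary so the script runs offline; swap `lookup` for real DNS queries to check a record you have actually published.

```python
"""SPF evaluation against a constructed DNS zone (added example, runs offline)."""
import ipaddress

# Constructed, hypothetical zone data standing in for live DNS answers,
# keyed by owner name and then by record type.
DNS = {
    "example.com": {
        "TXT": ["v=spf1 mx ip4:203.0.113.0/24 include:_spf.example.net -all"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["203.0.113.10"]},
    "_spf.example.net": {"TXT": ["v=spf1 ip4:198.51.100.25 ip6:2001:db8::/32 ~all"]},
    "two.example.org": {"TXT": ["v=spf1 -all", "v=spf1 +all"]},            # duplicate records
    "loop.example.org": {"TXT": ["v=spf1 include:loop.example.org -all"]},  # include loop
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 processing limit


def lookup(name, rtype):
    """Offline stand-in for a DNS query; replace with a resolver for real use."""
    return DNS.get(name.lower().rstrip("."), {}).get(rtype, [])


def spf_record(domain):
    """Return the domain's single SPF record, None if absent; raise on duplicates."""
    found = [t for t in lookup(domain, "TXT") if t.lower().split(" ", 1)[0] == "v=spf1"]
    if len(found) > 1:
        raise ValueError("more than one v=spf1 record published")
    return found[0] if found else None


def addresses_of(name):
    return [ipaddress.ip_address(a) for a in lookup(name, "A") + lookup(name, "AAAA")]


def check_host(ip, domain, budget=None):
    """Evaluate <domain>'s SPF record for a connection from <ip>.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Supported: all, ip4, ip6, a, mx, include with +/-/~/? qualifiers.
    Not implemented: dual-CIDR suffixes on a/mx, redirect=, exp=, exists, ptr.
    """
    ip = ipaddress.ip_address(ip)
    budget = {"lookups": 0} if budget is None else budget  # shared across includes
    try:
        record = spf_record(domain)
    except ValueError:
        return "permerror"
    if record is None:
        return "none"

    for term in record.split()[1:]:
        if "=" in term:            # modifier (redirect=, exp=); ignored here
            continue
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()

        if mech in ("a", "mx", "include"):  # each of these costs a DNS query
            budget["lookups"] += 1
            if budget["lookups"] > MAX_DNS_LOOKUPS:
                return "permerror"

        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix
            matched = ip.version == net.version and ip in net
        elif mech == "a":
            matched = ip in addresses_of(arg or domain)
        elif mech == "mx":
            matched = any(ip in addresses_of(mx) for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            sub = check_host(ip, arg, budget)
            if sub == "permerror":
                return "permerror"
            matched = sub == "pass"  # only a pass from the included record matches
        else:
            return "permerror"       # unknown mechanism

        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # record exhausted without a match


if __name__ == "__main__":
    for sender in ("203.0.113.77", "198.51.100.25", "2001:db8::1", "192.0.2.5"):
        print(sender, "->", check_host(sender, "example.com"))
    print("loop ->", check_host("192.0.2.5", "loop.example.org"))
```

The lookup budget is passed by reference into every include so that nested records share the same limit, which is what makes the self-including loop.example.org record terminate with permerror instead of a RecursionError.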
 

0 Comments   Networking SPF SPAM Email DNS

 

iOS 9 will now "help you out" by switching the device to cellular data when it decides your Wi-Fi connection is too slow. This can use more of your cellular data than you would like, and it appears to be turned on by default after the upgrade. You can turn it off under Settings -> Cellular; Wi-Fi Assist is at the bottom of the screen.

0 Comments   General WiFi iOS9 Apple

 

Even though session roaming was disabled in a customer's Citrix environment, users launching applications from two separate computers were intermittently 'hijacking' their own Citrix sessions: the second launch took over the session that was running on the first computer. These users had recently been migrated to a XenApp 6.5 environment using StoreFront (from a XenApp 6.0/Web Interface configuration).

Troubleshooting showed that the hijacking only occurred when the Citrix load evaluators placed both of the user's sessions on the same server in the farm. The cause was not the Citrix session roaming feature but the RDS setting that limits each user to one session per RDS server: when the second launch landed on a server where the user already had a session, Remote Desktop Services reconnected that existing session to the new client instead of creating a second one.

The resolution is to change the RDS Host Configuration setting so that 'Restrict each user to a single session' is cleared. The setting is configured on each individual RDS/Citrix server (it is stored as the fSingleSessionPerUser value under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server, where 1 means restricted). If the same restriction is enforced by Group Policy, the local change will be reverted at the next policy refresh, so check the GPOs applied to the servers as well.

0 Comments   Networking Remote Desktop Citrix XenApp

 

After initially installing Windows 10 I was having many problems with it. Updates from Microsoft would not install, and the drivers for my mouse and scanner were not working. The most useful error I could get pointed to a corrupted registry. After much frustration I decided to use the Windows 10 repair install. To do this, run Setup from the Windows 10 installation media while Windows is running and, when asked what to keep, choose "Keep Windows settings, personal files and applications". (The option to keep applications is only offered when Setup is started from inside Windows; booting from the media gives you a clean install or the recovery tools.)

This reinstalls Windows 10 in place and fixes most such issues. In this case I did not have to reinstall any programs except Microsoft Office.

Here is a detailed description of the process. The article was written for Windows 8, but the process is the same for Windows 10.
https://www.winhelp.us/non-destructive-reinstall-of-windows-8-and-8-1.html
 

 

0 Comments   Networking Windows Repair Windows 10

 

When attempting to access the SEP Manager console, my browser returned the error "ssl_error_weak_server_ephemeral_dh_key". Firefox (from version 39, following the Logjam attack) refuses to complete a handshake when the server negotiates an ephemeral Diffie-Hellman (DHE) cipher suite with a DH group shorter than 1024 bits. The SEP Manager's Tomcat, running on the bundled Java runtime, was offering such suites, so the browser rejected the connection.

To resolve this, modify the "server.xml" file of the SEP Manager's Tomcat so that the DHE suites are no longer offered and stronger AES and ECDHE suites are, and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files so the bundled JRE is allowed to use the AES-256 suites.

  1. Log in to the SEP server and stop the Symantec Endpoint Protection WebService.
  2. Go to C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\conf and open server.xml.
  3. In server.xml, find the ciphers= attribute on the SSL connector under <Service name="WebService"> and replace the current list with the following: ciphers="TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
  4. Download the JCE Unlimited Strength Jurisdiction Policy Files from Java's website, choosing the package that matches the major version of the JRE bundled with the SEP Manager.
  5. Unzip and copy the two policy files (local_policy.jar and US_export_policy.jar) to C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\jre\lib\security, overwriting the existing files if prompted.
  6. Start the Symantec Endpoint Protection WebService back up, and you should be all set.

Two caveats on the list in step 3. SSL_RSA_WITH_3DES_EDE_CBC_SHA is there only for very old clients; 3DES has a 64-bit block (the Sweet32 attack) and should be dropped if no client needs it. The TLS_RSA_* and TLS_ECDH_* suites use static key exchange and give no forward secrecy; only the TLS_ECDHE_* suites do, so prefer those wherever every client supports them.
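Added example, not Symantec's code: a Python script that applies step 3 to a constructed server.xml stand-in (the real file's current cipher list and connector attributes are not reproduced here; the connector port 8443 and the DHE and RC4 suites in the 'before' version are assumptions for illustration). It parses the WebService connector, reports which offered suites a reviewer would reject and why, replaces the ciphers attribute, and then confirms that AES-256 suites are present (the reason steps 4 and 5 are needed) and which of the suites actually provide forward secrecy. The hardened list is the post's list with the 3DES suite removed.

```python
"""Review and replace the cipher list on a Tomcat SSL connector (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for the SEP Manager's tomcat/conf/server.xml. The port and
# the weak suites offered here are assumptions for illustration, not the real file.
SERVER_XML_BEFORE = """<Server>
  <Service name="WebService">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               secure="true" sslProtocol="TLS"
               ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA"/>
  </Service>
</Server>
"""

# The list from step 3 of the post, in JSSE suite naming.
POST_CIPHERS = [
    "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
]

# Suite-name patterns a reviewer rejects, with the reason. Finite-field DHE_ is the
# one behind ssl_error_weak_server_ephemeral_dh_key when the JRE pairs it with a
# short DH group; the others are weak regardless of the group size.
WEAK_PATTERNS = {
    "DHE": re.compile(r"(^|_)DHE_"),   # does not match the ECDHE_ suites
    "RC4": re.compile(r"RC4"),
    "3DES": re.compile(r"3DES"),
    "EXPORT": re.compile(r"EXPORT"),
    "NULL": re.compile(r"_NULL_"),
    "MD5": re.compile(r"_MD5$"),
    "anon": re.compile(r"_anon_"),
}


def parse_ciphers(attr):
    """Split a Tomcat ciphers attribute into suite names."""
    return [s.strip() for s in attr.split(",") if s.strip()]


def weak_suites(suites):
    """Map each rejected suite to the reason it is rejected."""
    found = {}
    for suite in suites:
        for reason, pattern in WEAK_PATTERNS.items():
            if pattern.search(suite):
                found[suite] = reason
                break
    return found


def forward_secret(suites):
    """Suites with ephemeral key exchange; static RSA and ECDH_ suites give none."""
    return [s for s in suites if "ECDHE_" in s or WEAK_PATTERNS["DHE"].search(s)]


def needs_unlimited_jce(suites):
    """AES-256 suites need the Unlimited Strength policy files on older JREs."""
    return any("AES_256" in s for s in suites)


def _ssl_connector(root, service_name):
    for service in root.iter("Service"):
        if service.get("name") == service_name:
            for connector in service.iter("Connector"):
                if connector.get("SSLEnabled", "").lower() == "true":
                    return connector
    raise LookupError(f"no SSL connector under Service {service_name!r}")


def connector_ciphers(xml_text, service_name="WebService"):
    """Cipher suites currently offered by the service's SSL connector."""
    return parse_ciphers(_ssl_connector(ET.fromstring(xml_text), service_name).get("ciphers", ""))


def set_ciphers(xml_text, suites, service_name="WebService"):
    """Return server.xml text with the connector's ciphers attribute replaced."""
    root = ET.fromstring(xml_text)
    _ssl_connector(root, service_name).set("ciphers", ", ".join(suites))
    return ET.tostring(root, encoding="unicode")


# The post's list with its one rejected suite (3DES) removed.
HARDENED = [s for s in POST_CIPHERS if s not in weak_suites(POST_CIPHERS)]

if __name__ == "__main__":
    for suite, why in weak_suites(connector_ciphers(SERVER_XML_BEFORE)).items():
        print(f"reject {suite}: {why}")
    after = set_ciphers(SERVER_XML_BEFORE, HARDENED)
    print("forward-secret suites after change:", forward_secret(connector_ciphers(after)))
    print("needs unlimited JCE policy files:", needs_unlimited_jce(HARDENED))
```

Run it against a copy of the real server.xml by reading the file into `set_ciphers` and writing the result back; the `weak_suites` report on the original attribute tells you whether the DHE suites were in fact what the browser was refusing.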

0 Comments   Networking SEP Symantec Endpoint Protection

 

Microsoft has changed the way RemoteApps are made available to users in Windows Server 2012 R2. They have done away with the MSI installer method and the ability to create an RDP file from the server. The two deployment options now are RD Web Access (RDWeb) and RemoteApp and Desktop Connection.

RDWeb is a great option for remote users, Mac users, and users of Microsoft operating systems older than Windows 8. Users simply go to a website, log in, and are presented with all of the applications published to them. You can also use RDWeb to let users start RDP connections to Windows computers, which is useful for users working remotely who need to connect to their office computers.

The RemoteApp and Desktop Connection method publishes the RemoteApps available to a user directly to their desktop without logging in to RDWeb: the applications published to them simply appear in their Start Menu. This can be deployed to users on Windows 8 and newer computers through a Group Policy Object. The "Specify default connection URL" setting under User Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | RemoteApp and Desktop Connections should be set to https://FQDN/RDWeb/Feed/webfeed.aspx as shown below.

It is important to note that the RemoteApp and Desktop Connection method requires the SSL certificate issued to the Remote Desktop server to be trusted on the user's PC (and to match the FQDN in the URL) for the subscription pushed by the GPO to succeed. RDWeb will also show a security warning if the certificate is not trusted on the user's PC. These warnings can be eliminated with a certificate from an internal certificate authority, but where there is no internal CA it is likely more economical to purchase a certificate from a publicly trusted third party than to distribute the Remote Desktop server's self-signed certificate. A third-party certificate eliminates the need to import any certificates into the users' certificate stores.

 

0 Comments   Networking RemoteApp Remote Desktop Windows Server 2012 R2

 

After installing Windows 10, I decided I wanted to try out the Mail desktop app. I added my Exchange account under Settings -> Accounts -> Add account. After adding my credentials, I got this message:

This caused the Windows 10 lock-out policy to be inherited from the Exchange ActiveSync mailbox policy, which locks the device after one or three minutes (depending on the policies set up for ActiveSync). This is expected behaviour: adding an Exchange account in the Mail app enrolls the PC as an ActiveSync device, so the mailbox policy applies to it just as it would to a phone.

Removing the Exchange account from the Windows 10 Mail app also removed the ActiveSync enforcement of the lock timeout, and the lock time reverted to being controlled by the power settings.

0 Comments   Networking Exchange lockout Windows 10 Mail App

 

There was a 2012 R2 server I had configured and had been using for testing for several months. After a few months, I could no longer connect to the server with Remote Desktop. I could ping the server and browse the admin shares across the network. I logged in and verified that the Remote Desktop Services service was started and enabled.

Looking at the event log, I could see that every time I tried to remote in, the System log recorded Schannel event 36870: "A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10001."

More research indicated that this was a problem with the Remote Desktop certificate on the system. I opened the certificate manager for the local computer, backed up the Remote Desktop certificate and then deleted it from the certificate store. Now, when I restarted the Remote Desktop Services service, I started getting a different event, 1058: "The RD Session Host Server has failed to replace the expired self-signed certificate used for RD Session Host Server authentication on SSL connections. Access is denied."

More research pointed me to checking the permissions on C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys. When I tried to set a permission on the folder, it propagated to all the files within except for one, which said that access was denied. I was unable to modify the permissions on that file even though I was logged in as the local administrator.

Taking a chance, I stopped the Remote Desktop Services service and was then able to delete the file with the permission problem. I restarted the Remote Desktop Services service and observed that a new Remote Desktop certificate had been created, along with a new file in the MachineKeys folder. I was now able to connect to the server using Remote Desktop. A word of caution: every file in MachineKeys is the private key container for some machine certificate, and deleting the wrong one breaks whatever certificate it belongs to. Before deleting, confirm that the file is the container for the RD Session Host certificate (the certutil -store output for a certificate includes its unique container name, which is the file name in MachineKeys) and keep a backup of the file.

0 Comments   Networking RDP Remote Desktop Certificate Windows Server 2012 R2 SSL

 

Recently we have been experiencing a problem with the Cisco AnyConnect client disconnecting and reconnecting shortly after the initial connection is established. Originally we thought this was a bug in the client. Cisco recommended switching to an IKEv2 connection profile, but the disconnect problem was never resolved, even with updated versions of the client. During a recent remote session with Cisco support, the root cause of the disconnects was found.

Later versions of the AnyConnect client use two tunnels: TLS over TCP (what the client calls SSL) and DTLS. DTLS is TLS carried over UDP datagrams, which suits delay-sensitive traffic such as voice because a lost packet does not stall the whole stream the way it does inside a TCP tunnel. After authenticating over the TLS tunnel, the client attempts to negotiate a DTLS tunnel; if that negotiation fails, the client tears the session down and reconnects using the TLS tunnel only, which is the disconnect and reconnect we were seeing. DTLS uses UDP port 443 by default (the same port number as the TLS tunnel, but UDP rather than TCP). In our test environment, the remote access firewall sat behind another firewall that was only allowing TCP port 443 through. After updating the firewall rule to allow UDP port 443 as well, the disconnects stopped occurring. A filtered UDP port is exactly the kind of fault a TCP-only port check will not reveal, so when verifying reachability of a VPN head end, test both protocols.

0 Comments   Networking VPN Cisco AnyConnect DTLS SSL

 

A customer called after getting disconnected from their VM. He offered a possible cause for the problem, stating "Right before I had this problem, I had an interesting icon in the system tray. I clicked on it and it said it was ejecting the floppy. That's when my connection dropped and I couldn't get back in."

I logged onto the vSphere management console and noticed the virtual machine no longer had a NIC attached. I added the NIC back and had him test logging into the virtual machine. Everything worked. Then I started trying to figure out how he had removed a NIC from the VM without editing its configuration, which he does not have permission to do. It turns out he did exactly what he said he did.

According to http://kb.vmware.com/kb/1020718, ESX/ESXi 4.x and later include a feature called HotPlug. In some deployments the virtual NICs can appear as removable devices in the system tray of Windows guest operating systems, and problems occur if you mistake one for a device that can be safely removed. Because the eject happens inside the guest, it bypasses the vSphere permissions that would otherwise stop the user from changing the VM's hardware. This is particularly true in VMware View environments, where interaction with the desktop is constant. The moral of this story is: do not eject virtual NICs from the Windows system tray. To prevent it altogether, VMware's documented mitigation is to disable HotPlug for the VM by adding devices.hotplug = "false" to its configuration while it is powered off, which removes the virtual NIC from the safely-remove list.

0 Comments   Networking VMware tools VMware NIC