Wednesday, December 26, 2012

How to send email "from" another user in Outlook 2013

I've seen a few people run in to this:

If you have permission to send on behalf of another user in Exchange, and would like to send from that user from Outlook 2010 or 2013, it's quite simple.

  1. Open outlook
  2. Create a new email message
  3. Click the Options tab
  4. Click the "From" button
  5. In the From: dropdown above To: select the account you would like to send from

Monday, December 3, 2012

Windows Failover Cluster Live Migration Failures with Hyper-V 2012

After moving from one datacenter to another we started experiencing issues live migrating virtual machines from one host to another in our 2 node failover cluster.  The migration would instantly fail, and there would be no error other than:
Live migration of 'Virtual Machine VMNAME' failed.

If I did a quick migration it works, but live did not.  I started looking at the security logs of the hosts and noticed some intermittent errors:

An account failed to log on.

Security ID: SYSTEM
Account Domain: OURDOMAIN
Logon ID: 0x3E7

Logon Type: 8

Account For Which Logon Failed:
Security ID: NULL SID
Account Domain:

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC000006A

Process Information:
Caller Process ID: 0xd30
Caller Process Name: C:\Windows\Cluster\rhs.exe

Network Information:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi  
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Then I noticed errors in the cluster itself, at the same times:

Cluster network name resource 'Cluster Name' failed registration of one or more associated DNS name(s) for the following reason:
The handle is invalid.

Ensure that the network adapters associated with dependent IP address resources are configured with at least one accessible DNS server.

I looked at a domain controller and noticed a lot of Audit Failures for that computer object.  I opened the computer object in ADSI Edit, and noticed that the last login was 11/23 (the day we moved), and the last password reset was 11/24, which is incredibly odd.  The last bad login attempt was a few minutes ago.  I'm not sure how, but I think a password reset may have been attempted while the domain controllers were unavailable.

How I fixed it:

  1. Open Failover Cluster Manager
  2. Navigate to Cluster Core Resource
  3. Right click on the cluster network name and take it offline
  4. Right click on the cluster name and navigate to more actions -> repair

A few seconds later the cluster was repaired, I turned the cluster name back on and live migrations work.

Mystery solved.


Tuesday, September 18, 2012

Auto Provision Lync 2010 Users Via LDAP

We have tools that automatically create Active Directory Users, Exchange mailbox, and Microsoft Lync 2010 accounts to simplify the hiring process.  I figured somebody might find this information useful, so in order to provision a user for Lync 2010 automatically I use a slightly altered version of this (in perl, using Net::LDAP):

use Net::LDAP;

$ldap = Net::LDAP->new("ldap://domain.local", debug =>0) or die("Could not connect to LDAP server.");
my $mesg = $ldap->bind('myUserDN',
password => 'myUserPassword')  or die("Could not bind to LDAP server.");

 $mesg = $ldap->search( # perform a search
base   => "dc=domain,dc=local",
filter => "(&(samAccountName=$username))"

$mesg->code && die $mesg->error;

#there should only be one result in here anyway
foreach $entry ($mesg->entries) { 
$userdn = $entry->dn;

$rtn = $ldap->modify($userdn, replace => { "msrtcsip-userenabled" => "TRUE"});
$rtn = $ldap->modify($userdn, replace => { "msrtcsip-optionflags" => "449"});
$rtn = $ldap->modify($userdn, replace => { "msrtcsip-primaryhomeserver" => "CN=Lc Services,CN=Microsoft,CN=1:1,CN=Pools,CN=RTC Service,CN=Microsoft,CN=System,DC=domain,DC=local"});
$rtn = $ldap->modify($userdn, replace => { "msrtcsip-primaryuseraddress" => "sip:$email"});
$rtn = $ldap->modify($userdn, replace => { "msrtcsip-line" => "tel:+$astextension;ext=$extension"});
$rtn = $ldap->modify($userdn, replace => { "msrtcsip-deploymentlocator" => "SRV:"});
$rtn = $ldap->modify($userdn, replace => { "msrtcsip-federationenabled" => "TRUE"});
$rtn = $ldap->modify($userdn, replace => { "msrtcsip-internetaccessenabled" => "TRUE"});
$rtn = $ldap->modify($userdn, replace => { "msrtcsip-userpolicies" => [("21=7", "0=1434923910")]});

You may find it best to provision a user the way you like, open the user in ADSI Edit to see all the parameters, and adjust this accordingly.  

That said, this should set you off in the right direction for how to fully provision a Lync user automatically.

Thursday, August 16, 2012

Automatically add Remote App connector via command prompt in Windows 8

We've been using the Install-RADCConnection.ps1 (I don't remember where I came across it) script to add the remoteapp connector in Windows 7, but it doesn't work properly in Windows 8.  I've found that a simple change needs to be made.  On lines 40, 42, and 44 change the reference to $connectionKey to be $Id and it works properly.

I was receiving this error when I ran it on Windows 8:

C:\Windows\system32>powershell -File \\server\scripts\Install-RADCConnection.ps1 "\\server\scripts\webfeed.wcx"
Get-ItemProperty : Cannot find path 'C:\Windows\system32\HKEY_CURRENT_USER\Software\Microsoft\Workspaces\Feeds\{50250AF5-D0E6-4ED5-BA69-D6CF96A7D55E}'
because it does not exist.
At \\server\scripts\Install-RADCConnection.ps1:44 char:32
+         if ( ($connectionKey | Get-ItemProperty -Name URL).URL -eq $URL)
+                                ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Windows\syst...9-D6CF96A7D55
   E}:String) [Get-ItemProperty], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetIt

Get-ItemProperty : Cannot find path 'C:\Windows\system32\HKEY_CURRENT_USER\Software\Microsoft\Workspaces\Feeds\{50250AF5-D0E6-4ED5-BA69-D6CF96A7D55E}'
because it does not exist.
At \\server\scripts\Install-RADCConnection.ps1:44 char:32
+         if ( ($connectionKey | Get-ItemProperty -Name URL).URL -eq $URL)
+                                ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Windows\syst...9-D6CF96A7D55
   E}:String) [Get-ItemProperty], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetIt

Connection setup failed.

Consult the event log for failure information:
(Applications and Services\Microsoft\Windows\RemoteApp and Desktop Connections).

Scripts Disabled
File \\server\scripts\Install-RADCConnection.ps1 cannot be loaded because
running scripts is disabled on this system. For more information, see
about_Execution_Policies at
    + CategoryInfo          : SecurityError: (:) [], ParentContainsErrorRecord
    + FullyQualifiedErrorId : UnauthorizedAccess

If you run in to that error, make sure you follow the steps in the link it provides to enable script execution.  We set ours at the GPO level.

Monday, July 23, 2012

SQL Server 2012 Availability Group Replica Not Synchronizing

For some reason one of the databases in the availability group was stuck "Not Synchronizing" for a few days. A simple way to fix it was to simply pause & resume it using the SQL command found here:

alter database <databasename> set hadr pause
alter database <databasename> set hadr resume

Synchronization immediately re-started and the database is now catching back up.  I'm not sure what happened, the event logs didn't show anything helpful but this did the trick.

Thursday, July 12, 2012

Exchange Management Console 2010 Send on Behalf of Error

I was trying to add a user to send on behalf of somebody else, and when I tried to apply the settings I got the following error:

Microsoft Exchange Error
The following error(s) occurred while saving changes:

Couldn't find object "domain.local/retired/staff/personsname". Please make sure that it was spelled correctly or specify a different object. Reason: The recipient domain.local/retired/staff/personsname isn't the expected type.

The solution was to open ADSI Edit, navigate to the user I was trying to grant the permissions for, find the publicDelegates setting, and remove the user being referenced.  Problem solved. :)

Thursday, May 3, 2012

Panasonic KX-UT670 Executive SIP Phone Review

I saw the 7" Android Based Panasonic KX-UT670 VoIP SIP phone on display at Astricon in 2011 and instantly fell in love with it. On first impression the phone is well polished, well designed, and has a great feature set.


  • Android 2.2 Based
  • 6 SIP accounts
  • 7 inch, color touch screen
  • HD Voice (G.722)
  • 100 entry phonebook
  • 3-way conference call support
  • Compatible with Asterisk and Broadsoft
  • 2 x GbE ports, PoE
  • Linux based open source operating system
  • Full duplex speaker phone
  • Electronic hook switch (Plantronics)
  • Plug and Play configuration
  • Cable concealing back
  • Long handset cords
  • Non-slip rubber feet
  • Changeable angle stand
  • Wall mountable

The first thing you notice with UT670 is it has a nice home screen providing easy access to your call history, contacts, voicemail, calendar, and of course the phone itself.  It's easy to handle calls using the built in Phone application and feels fairly natural.  The buttons on the right are flexible shortcuts.  If you press the arrow further down it expands to show a screen full of programmable shortcut buttons, where you can program things like speed dials or application shortcuts.
Full Shortcut Screen:

The settings page contains the normal android settings as well as a new Administrative Settings Menu:

The ethernet port settings allow you to configure VLAN tagging, and set port speeds.  IP configuration is done outside of the admin menu.
Applications can be installed via SD Card (side loading), or via the web.  Simply copy the APK to an sd card or install an application from the web browser (you must open this via admin mode, the normal browser will not allow APK's to be installed).  *Note that you need an SD card in the phone in order to install an application, but once the application is installed I've found that I can remove the SD card without any problems.

Additionally, you can add your Google account via the normal Accounts & Sync menu to sync your contacts and calendar for you, but unfortunately it seems to download a contact for every person you've ever corresponded with rather than the contacts in your actual contact list, making it difficult to use..

Configuration of the phone can be done automatically using provisioning files, or manually via the web interface of the phone (username admin, password adminpass).  The web interface doesn't expose all of the potential options, to get access to everything you need to check out the admin guide and use a provisioning file.  Firmware updates aren't terribly difficult to do, I found I had to specify the version of the firmware, and a link to the new firmware version in a provisioning file in order to get the phone to update because the web interface options did not seem to work.

The KX-UT670 has a good speakerphone, I use it almost exclusively, rarely ever picking up the handset.  I haven't had any issues hearing the other person, or with the other person being able to hear.  I've only used it in a private office but it has worked great so far.

One thing the phone is missing is built in bluetooth support, which the Aastra 6739i and the CloudTC Glass phones both have.  If you really want to use a bluetooth headset supposedly the UT670 can support bluetooth via the USB port, but I have not tested this.

In October I spoke to the Panasonic Engineers and told them what I was trying to do and they said they said they would be adding much of the functionality I was looking for in the second release of their API.  I received that API and was easily able to modify my application to control call flow inside the Panasonic emulator.

Here is a screenshot of the application I've built, an intuitive attendant / reception console.  It is a great replacement for the old sidecars like the Aastra 560M or the Polycom IP 650 Sidecar Expansion Module that take up lots of desk space, provide less functionality, and cost a lot more.  If you are interested in this you can find out more at
Selecting a person's name provides a list with their extension and cellphone, providing the ability to easily route calls to them.

The Good:
  • The phone is gorgeous and the handset has a great feel to it.  I like the hard buttons at the bottom of the screen, I wasn't convinced at first but they definitely make usability easier than the CloudTC phone.
  • The API is fairly easy to use and work with, although the documentation isn't very good so you may have to do a bit of trial/error to figure out how to do some things.
  • It works quite well.
  • At $400 it's relatively cheap for what you get.

The Bad:
  • The API has a couple shortfalls, and Panasonic has responded that they designed it that way.
    • When you place a call on hold a new line is opened up so you can make another call.  This is great unless you are putting them on hold to research something, talk to somebody that walked up to you, or any other reason you would put a caller on hold but not want to open another line.
    • If you hang up the new call the phone starts beeping in a very, very obnoxious manner.  Panasonic has said this is so the user doesn't forget a call is on hold.  I would prefer the API let me, the developer, control the user interaction with the phone.
  • The base lets you tip the phone at either a very steep angle or a very flat angle with no in between option.  Neither one of the settings is very convenient for my desk space so I've put a postit pad under the back of it to tip it up a little more and create an in between option.
  • According to Panasonic you may not use these characters in your passwords: " & ' < >.  If one of these characters included in the config file the phone will ignore the entire config file, and if you try and enter them in the web interface the page reloads with the old password.  It took quite a while to figure out this was the problem, but fortunately I've seen this happen with the Panasonic TGP500 so I wasn't flying completely blind.  It would be nice if they included this in the documentation somewhere.  
  • There are a few things like firmware updating, passwords, and a couple API tweaks that I would like to see made, but the phone was just recently released so I expect that will happen over the next few months.

In case you are trying to figure out a quick and easy basic provisioning file, here's mine to get you started.

# Panasonic SIP Phone Standard Format File
## SIP Settings
DISPLAY_NAME_1="Andrew Parisio"
P.S. Here's how you do a factory reset of the phone:
To factory reset the phone through web interface. Log on to the phone using username: customerserviceid
password: cspass

Monday, April 23, 2012

Data Protection Manager 2010 February 2012 Update Crash

Update: Microsoft has been able to reproduce the error and believes this is has been introduced in the latest February 2012 update.
Update 2: It has since been confirmed as a bug, with a hotfix coming.  In the meantime if you run in to this problem they should be able to fix it for you.  The bug is triggered when many events are written to the log at the same time, such as a hardware failure causing all active jobs to fail.

We use Microsoft Data Protection Manager (DPM) 2010 to protect our environment, including our Hyper-V failover clusters which use Cluster Shared Volumes (CSV).  Last Wednesday we installed the February update, and then on Friday one of our McData 4700 4GB FC switches had a port failure which crashed the entire SAN fabric (including the entirely separate, second path which was in no way tied to the primary path).  During this outage, which should never have happened in the first place, our DPM server corrupted itself.  The DPM server is completely separate from the Hyper-V Cluster, the only thing they share is the same network; therefore there is no reason for DPM to have crashed like this.

Now, whenever we attempt to start DPM we get this error in the event viewer (and the DPM service fails to start):

The description for Event ID 999 from source MSDPM cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event: 

An unexpected error caused a failure for process 'msdpm'.  Restart the DPM process 'msdpm'.

Problem Details:
<FatalServiceError><__System><ID>19</ID><Seq>0</Seq><TimeCreated>4/23/2012 6:07:09 PM</TimeCreated><Source>DpmThreadPool.cs</Source><Line>163</Line><HasError>True</HasError></__System><ExceptionType>NullReferenceException</ExceptionType><ExceptionMessage>Object reference not set to an instance of an object.</ExceptionMessage><ExceptionDetails>System.NullReferenceException: Object reference not set to an instance of an object.
   at Microsoft.Internal.EnterpriseStorage.Dls.PRMCatalog.BackupEventIntegration.WriteBackupEvent(BackupEventEntry backupEventEntry)
   at Microsoft.Internal.EnterpriseStorage.Dls.PRMCatalog.BackupEventIntegration.WriteNonLoggedBackupEntries()
   at Microsoft.Internal.EnterpriseStorage.Dls.Prm.PRMHealthProvider.Initialize()
   at Microsoft.Internal.EnterpriseStorage.Dls.JobManager.JobManager.Initialize()
   at Microsoft.Internal.EnterpriseStorage.Dls.JobManager.JobManager.InitializeIfNecessary(Object state)
   at Microsoft.Internal.EnterpriseStorage.Dls.EngineUICommon.DpmThreadPool.Function(Object state)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading._ThreadPoolWaitCallback.PerformWaitCallbackInternal(_ThreadPoolWaitCallback tpWaitCallBack)
   at System.Threading._ThreadPoolWaitCallback.PerformWaitCallback(Object state)</ExceptionDetails></FatalServiceError>

the message resource is present but the message is not found in the string/message table

I opened a support ticket with Microsoft and within half an hour had a call from a tech.  After an hour of trying different things and digging around he asked for a copy of all of our logs, but the diagnostic logging tool they gave me wouldn't work properly because DPM had created 110GB of error log files in 3 days... whoops.  After deleting the repetitive crash logs (9,000 of them, around 12MB each) he got the upload and was able to look at the data.  He has since come to the same conclusion I have, that the crash was indeed a problem in DPM (no, it should not corrupt itself when the sources it is protecting go offline).  He has sent our (corrupt) DPM SQL DB to the "EE" team to look at it, but who knows how long it will take for them to figure out what went wrong and create a fix for us.  In order to get back online we uninstalled DPM, reinstalled, upgraded to QFE 2, and restored from the backup database from Wednesday when the February update was installed.  We then upgraded to the February update again because all of the protection agents needed it, and have set up a task to 

The good news is you don't need the DPM management console or service to be able to restore data.  In the event of a major SAN failure it would have been possible to recover our data using manual tools (with the help of microsoft support).  This is still very unnerving, and a prime example of why you should have good backups of the SQL database on your DPM server.

Wednesday, March 7, 2012

How To Virtualize a Barracuda Spam & Virus Firewall

We just got a brand new 200 series because we have too many users for the 100, and there is no 200Vx, only a 100Vx or a 300Vx with the 200Vx oddly left out of the lineup.  I decided to try and virtualize it just to see if i could.  The answer is yes!  It's pretty easy to virtualize the device for vmware without having to open the case.  You can also use these steps to make a backup (clone) image of the hard drive in case it fails.  Then you could use the image to restore your barracuda to a replacement hard drive

My barracuda does not have the tulip network driver so I was unable to get it working in Hyper-V, but VMware workstation worked great for me.  Some other posts talk about IDE hard drives, USB cd boot in bios, which my device does not support.  I may have a newer revision which is an atom D525 in what looks like a rebranded supermicro 1u chassis and a 250gb Seagate Barracuda hard drive (har har).

I don't recommend it but if you are looking to play around you can unlock many of the features from the higher end models fairly easily.  Look at the last few steps of the post to learn more about how to do that, just note that it requires you to have root access to the machine.

Power it up:

  1. Press p at the bootloader pictured above
  2. The grub bootloader password is bimg
  3. Press e on barracuda
  4. Press e on the second line, scroll to the end, and add init=/bin/bash
  5. Once you get a command prompt, mount –o remount,rw /
  6. Remove the root password in /etc/shadow (I copied shadow to shadow.bak so I could put the box back to factory if i ever needed)
  7. Reboot
  8. Press p at the barracuda boot splash screen (this is a grub boot loader)
  9. Press e on barracuda
  10. Press e on the second line, scroll to the end, and add the word single after the word quiet
  11. Press b for boot
  12. Log in as root (this is why we removed the root pw)
  13. Connect a usb drive that is the same size or larger than your barracuda, mine has a 250gb sata disk (I formatted my external /dev/sdb1 as ext3)
  14. mkdir /mnt/usb
  15. mount /dev/sdb1 /mnt/usb
  16. dd if=/dev/sda of=/mnt/usb/barracuda.img
  17. Now you have a backup image on your USB hard drive. I connected it to another linux server, copied it to my windows server and used starwind v2v to convert the raw image to an expanding virtual machine image. 
  18. If you convert it to a VMWare Virtual Machine it will work just fine, boot it up
  19. Edit the boot loader and add init=/bin/bash to the end of the entry
  20. Once you have a prompt mount the partition read/write: mount -t remount, rw /
  21. Edit /etc/fstab and change all of the sda[x] entries to be hda
  22. Edit /boot/grub/menu.lst and change the sda entries to hda.
  23. Optional: remove the bootloader password in /boot/grub/menu.lst
  24. Optional: allow yourself to SSH to it: iptables -I INPUT -p tcp --dport 22 -s -j ACCEPT
    1. To make this persistent add an entry in /etc/sysconfig/iptables
  25. Optional: to SSH in to it you will need a root password, so log in to the box as root and set one
  26. Optional: If you want to add some features that are in the higher end models this post tells you what files to create to unlock them:
  27. Optional: If you want to unlock even more than you can find in that post you will need to do a little work.  Look for the file on the filesystem, and create a blank file in /etc/barracuda/features for each feature you want to enable. Beware, many of the features are meant for higher end models so some features may not work or may have unexpected behaviors.

Friday, March 2, 2012

Barracuda Spam & Virus Firewall 200 Review

Unboxing and configuration:
We've had an old custom postfix/spamassassin/amavis setup for the last several years that has been catching less and less email.  I set it up many years ago and no longer remember how, and was never all that great at tweaking it beyond the basic settings.  With the complexity of spam and the amount that has been getting through we decided it was time to find a new solution and started looking in to our options.  We have 120 users at the moment with another 50-100 distribution groups, so I'm not really interested in any option where I have to go in and enter each user and assign distribution groups to user accounts.  This makes most hosted options difficult, and with 120 users it can get expensive.  We started looking at appliances and ended up getting the Barracuda Spam & Virus Firewall 200 with 1 year of energize updates, which cost us $1,900.  We were looking for a virtual appliance but for some odd reason barracuda only makes a 100vx and a 300vx, but no 200vx.  The cost of the 200 was cheaper than the 300vx and we don't really need the extra features of the 300vx.

Plugging the unit in was quite simple, it fired up in a couple minutes.  The short page it comes with says to hold down the reset button for several seconds to set the IP address to one of the 3 options which was quite handy.  It took a minute but eventually it loaded on the requested address.  I signed in with the default admin/admin and went to change the IP address to a valid one.  This is where I ran in to my first annoyance with the device.  Every section has a save changes button next to it, but you MUST enter all of "required" options or it won't save, it will instead clear everything you entered and make you try again.  This wouldn't be so annoying if the save changes button wasn't under every section, it highlighted what was required, and then didn't reset everything if it didn't like something.  The usability here is very poor, the interface feels like it was built in 1995.
*Update* I talked to Barracuda support and they know the usability of some of the interfaces isn't very good, it's been reported to the engineers but it sounds like they have no inclination to fix it.

With the IP configured I went and set up spam to tag all email as [spam], disabled bouncing messages and disabled the quarantine so we could see how well it is working.  I went to the domains tab, added my domain and then sent a test message.  The barracuda blocked my messages because it was sent to an invalid domain even though I had just added it to the domains list.  After messing with this for a while i eventually rebooted the device, and it started working.  After a while I added another domain I needed and it did the exact same thing.  The only way to add a domain to the device appears to be to add it, and then reboot it.
*Update* I talked to Barracuda support and this is a known bug in the firmware.  Apparently you can hit reload instead of reboot and that will apply the changes.  They have no ETA for a fix.

The Barracuda Spam & Virus Firewall 200 has a lot of features.  If you look at the configuration page (you can see a demo of it here: there are a lot of options to play with.  One interesting feature is the Exchange Anti-Virus Add-in that installs a virus scanner in your exchange environment so any internal messages get scanned as well.  This is useful if a virus gets in to your network before the barracuda has the definitions to catch it, the exchange server can then catch it if it gets sent to anybody else.  I haven't played with it but if I decide to keep the device I will.

The device can be configured to back up important data to an FTP server or a network share, another useful feature in the event the device fails.  In the case of  FTP you need to make sure any directory you specify exists, as the barracuda will not attempt to create it if it does not exist.  

Barracuda Reputation is Barracuda's shared blacklist with information from all of our devices.  By default messages are blocked, I chose to tag instead of block because I don't want an important message to get blocked because of the BRBL.

Attachment Filtering allows you to have the barracuda handle file types you may not want to accept (.exe for example), they have a predefined list and then you can enter any others you want.

Pattern filtering allows you to have the barracuda watch email for specific things like credit card numbers or other sensitive information you may want to control from coming in our out.  I don't plan to use this feature but I can see how it could be useful.

Another very useful feature is the Reverse DNS tab where you can block entire countries.  If you don't ever correspond with anybody in Russia you can very easily block all email coming from there:

How well it works:
We've only been running it for 24 hours and it's processed 43,184 emails, tagged 6,012, and allowed 2,484.  We have been running this inline with our previous spam filter so we can see how they do relative to each other and the barracuda seems to be catching around 10% more than the old solution, and very rarely fails to tag a message the old system did.  I'd say performance wise once you have it running the device does a pretty good job.  Hopefully it continues to work well in the future!

Wednesday, February 29, 2012

Adventures with Forefront TMG

We wanted to be able to block users from accessing non business related websites, but only wanted the restriction to be in effect when the user was actually clocked in to their project.  Web surfing on breaks and lunch has always been allowed at our company, and we didn’t want to restrict this, just restrict unauthorized use during work.

We decided to look at Microsoft’s Forefront Threat Management Gateway server, or TMG.  This product has the ability to set various filters for web blocking, and might be suitable for our needs.  Just one problem:

How do we make Forefront aware of a specific user’s “status”, as to whether they are clocked in or out?

Forefront can apply its filtering rules based on the IP address or network segment from which the request originates.  It can also filter based on the user name of the person asking for the website.  Unfortunately, there do not seem to be any other external “triggers” that can be used, so we determined that we would try it using AD authentication.

We set up and configured a test TMG environment, and joined it to our domain.  (For a very helpful step-by-step instruction on how to get TMG up and running, take a look at Raihan Al-Beruni’s blog HERE.)

Once it was configured, we did the following:

1.       Created two rules under Firewall Policy in TMG.  One was the “Allow” rule, essentially letting any traffic through.  The other was the “Deny” rule, which restricted users to only accessing sites related to our business
2.       Created two Groups in AD, one called “Filtered” and the other “Non Filtered”
3.       Under the Properties of the Allow rule, we set the Users to be members of the “Non Filtered” group
4.       Under the Deny rule, the “Filtered” group
5.       Apply all the settings, and then add our test user to the “Filtered” group
6.       Test access for the test user.  Success! They could only access the sites allowed by the rule.

Unfortunately, this is where we hit our first snag.  We moved the user from the “Filtered” to the “Non Filtered” group, and… they were still filtered.  A 2nd test user in the “Non Filtered” group had regular access.  Looking at the TMG logs we could see that the rules were being applied. 

TMG appeared to be only pulling the AD group membership information when it encountered a new name.  Eventually, after several hours in some cases, the membership was re-authenticated, and the appropriate rule was applied.  But this was not going to work for someone who was clocking out for a 15 minute break!

Some further experimentation showed that the “TMG Client” software for the desktop was designed to handle some authentication duties.  So, we experimented with adding the Client.

That was the trick!  A change in AD Group membership was reflected instantly on the TMG server, and the client’s access was adjusted accordingly.

Except…it was instant only if the change was applied to the same DC that the TMG server uses.  Otherwise, we had to wait for AD replication, which could take several minutes.

However, we now have a solution.  A TMG Server with the appropriate rules, and the TMG client on the desktop, and we can change a user’s access as often as we wish.  And there can be as many different rules as we have projects.  We have complete flexibility regarding what sites are filtered and what sites are allowed.

Wednesday, February 15, 2012

Outlook Sent and Deleted Items hack

Many of our Outlook users manage “shared” or "additional" email boxes.  Unfortunately, Microsoft’s default actions for email is to store “Sent” or “Deleted” emails in the primary user’s account folders.  Multiple people may be accessing these shared accounts, and it is difficult to track if messages have been sent, or accidentally deleted, if those messages could be stored on one of any number of different user’s email accounts.

However, we have found a way around this problem.  There are registry “hacks” which can be applied which force the Sent and Deleted items to be stored in the email account of their origin.

Fix for Sent Items:

  1.     Click Start, click Run, type regedit, and then click OK.
  2.     Locate and then click the following registry subkey: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Preferences
  3.     On the Edit menu, point to New, and then click DWORD Value.
  4.     Type DelegateSentItemsStyle, and then press ENTER.
  5.     Right-click DelegateSentItemsStyle, and then click Modify.
  6.     In the Value data box, type 1, and then click OK.

Fix for Deleted Items:

  1.     Click Start, click Run, type regedit, and then click OK.
  2.     Locate and then click the following registry subkey: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Options
  3.     Look for a subkey called “General”
  4.     If it doesn’t exist, Right-click on Options, select New Key, and name the key "General"
  5.     Navigate to HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Options\General
  6.     On the Edit menu, point to New, and then click DWORD Value.
  7.     Type DelegateWastebasketStyle, and then press ENTER.
  8.     Right-click DelegateWastebasketStyle, and then click Modify.
  9.     In the Value data box, type 4, and then click OK.

These new registry settings have to be set on each individual’s machine.  It would be possible to use a Group Policy to apply this across your organization, if needed.

Tuesday, January 17, 2012

How to Configure an HP EVA 5000 for Windows Server 2008 R2 MPIO

We have an older HP EVA 5000 and we wanted to use it with Windows Server 2008 R2, Hyper-V, Cluster Shared Volumes, and MPIO.  With the newer EVA 5000 active-active firmware, we're running version 4.1 or 4100, we simply had to configure the hosts in the Command View EVA manager.  Set the operating system type to custom, and enter 00000004198009A8 as your custom type [documentation for server 2008 available here].  Your host should look like this in command view:

Then discover MPIO devices on your server and you should see "COMPAQ HSV111 (C)COMPAQ".  I believe with the active-passive firmware you would see "COMPAQ HSV110 (C)COMPAQ".

With the active-passive firmware (something like EVA 3.110) you would need additional configuration for each drive you present.  Each drive on each host would need to be configured to use the paths for just one controller at a time to make the drive accessible / usable on older EVA firmwares.  With the active-active firmware no additional configuration is necessary.

If you have an EVA running firmware 3.110 and you want to do this you will need to track down a copy of the newest firmware and make sure your license supports it.  HP will not give you a license to run your EVA 5000 if you don't have one, although we managed to get them to make us a new license after many days of pestering many different people in many different departments.

As of writing the 4.1 (4100) firmware is available on HP's site here:
and the 3.110 (3110) firmware is available here:

I can't find a link to it, but the the Command View software is in an ISO named HP_StorageWorks_Command_View_EVA_v9.3_Software_T5494_10022.ISO

How to grant full access permissions to every mailbox in Exchange 2010

I needed to access 75 mailboxes across multiple mailbox databases and didn't want to grant myself full access permissions to them one at a time so i went searching for a solution.  This nifty command granted me access to every mailbox in the company:

Get-MailboxDatabase  | Add-ADPermission -user <myusername> -AccessRights GenericAll -InheritanceType All

I found a variation of this command in a technet forum post available here and modified it to give myself access to all mailboxes, and set inheritance.