by
Shijaz Abdulla on 12.12.2009 at 21:01
Thanks to the location-aware printing feature in Windows 7, your computer will automatically print to the correct printer at home or office, depending on where you are.
Here’s how you can set up this feature:
In my configuration, I print on the HP printer at the office when I’m at the office, and the Lexmark printer when I’m back home, and Windows will automatically change the default printer depending on where I am.
by
Shijaz Abdulla on 03.05.2009 at 18:17
This article used to exist on www.shijaz.com before it was taken down in May 2009. Originally published in August 2007.
This article lists some of the common configuration mistakes and gives information on how to avoid them.
- There is no such thing as a single interface firewall
A firewall has a minimum of two network interfaces. This means you need at least *two* NIC cards in your ISA box if you want it to work as a firewall. Theoretically you can run ISA on a box with a single NIC, but that will do little to secure your network. You might just use it as a proxy that your users can connect to the Internet with.
Tom Shinder of isaserver.org says: “Deploying a single-NIC ISA Firewall is like giving a soldier a Desert Eagle .50 and no ammo.”
In short, you’re not using ISA as a real firewall if you don’t have two interfaces on it!
- Specify the default gateway on that published server!
You need to specify the internal IP address of the ISA server as the default gateway on the server that you want to publish on ISA. Or, make sure that there are appropriate static routes in place.
- Rules that contradict each other
As can be seen from the diagram below, ISA processes your access rules in the order that you specify them, i.e. rule #1 is processed first, then 2, 3, etc. If the request matches rule #1, ISA skips all remaining rules and grants (or denies) access. If the request does not match the current rule, ISA moves on to the next rule, and so on.
If you happen to place a rule that ‘allows internet access to all users’ BEFORE a rule that ‘denies internet access to Peter’, then Peter will still have internet access. It might look simple but these mistakes happen all the time.
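The ordering mistake above can be caught mechanically. The following is an added example, not part of the original article and not an ISA tool: a small Python model of first-match rule processing that also reports rules which can never fire. The Rule fields, the "*" wildcard and the deny-when-nothing-matches fallback are assumptions of the model.

```python
from collections import namedtuple

ALL = "*"  # constructed wildcard for "all users" / "all protocols"
Rule = namedtuple("Rule", "order name action users protocols")

def _matches(allowed, value):
    return ALL in allowed or value in allowed

def _covers(broad, narrow):
    # True when every value matched by `narrow` is also matched by `broad`.
    return ALL in broad or (ALL not in narrow and set(narrow) <= set(broad))

def evaluate(rules, user, protocol):
    """First-match evaluation: the first rule that matches decides the outcome."""
    for rule in sorted(rules, key=lambda r: r.order):
        if _matches(rule.users, user) and _matches(rule.protocols, protocol):
            return rule.action, rule.name
    return "deny", None  # model assumption: nothing matched, so access is denied

def shadowed(rules):
    """Return (later rule, earlier rule, actions_conflict) for rules that never fire."""
    ordered = sorted(rules, key=lambda r: r.order)
    findings = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if (_covers(earlier.users, later.users)
                    and _covers(earlier.protocols, later.protocols)):
                findings.append((later.name, earlier.name,
                                 earlier.action != later.action))
                break
    return findings

# Constructed rule sets built from the article's example.
MISORDERED = [
    Rule(1, "Allow internet access to all users", "allow", {ALL}, {"HTTP", "HTTPS"}),
    Rule(2, "Deny internet access to Peter", "deny", {"Peter"}, {"HTTP", "HTTPS"}),
]
CORRECTED = [
    Rule(1, "Deny internet access to Peter", "deny", {"Peter"}, {"HTTP", "HTTPS"}),
    Rule(2, "Allow internet access to all users", "allow", {ALL}, {"HTTP", "HTTPS"}),
]

if __name__ == "__main__":
    print(evaluate(MISORDERED, "Peter", "HTTP"))
    print(shadowed(MISORDERED))
    print(evaluate(CORRECTED, "Peter", "HTTP"))
```

A finding whose last field is True is the dangerous kind: the shadowed rule and the rule hiding it have opposite actions.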
- IP Addresses
The external interface and internal interfaces on the ISA firewall must belong to separate IP ranges. You cannot have internal and external interface IP addresses from the same IP range.
IP Spoofing: In case there is an internal router that splits the internal network into two (see diagram above), and ISA Server is in one of these networks, make sure that ranges on either side of the internal router are entered in the Internal network address range on ISA. For example, if you have two internal (protected) networks 192.168.2.0/24 and 10.10.0.0/16 separated by a router, and the ISA is at (say) 10.10.0.4, the Internal range on ISA should ideally include 192.168.2.1-192.168.2.254 as well as 10.10.0.1 to 10.10.255.254.
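A check for the Internal range described above, as an added example (not part of the original article and not an ISA tool): given the subnets that sit behind the internal interface and the start/end ranges entered on ISA, it lists the host addresses that are missing. The function names are hypothetical, the sample values are the article's own networks, and subnets are assumed to be /30 or larger.

```python
import ipaddress

def _to_int(addr):
    return int(ipaddress.ip_address(addr))

def host_span(cidr):
    """First and last host address of a subnet, as integers (assumes /30 or larger)."""
    net = ipaddress.ip_network(cidr)
    return int(net.network_address) + 1, int(net.broadcast_address) - 1

def in_internal(addr, internal_ranges):
    """True when addr falls inside one of the configured Internal ranges."""
    value = _to_int(addr)
    return any(_to_int(a) <= value <= _to_int(b) for a, b in internal_ranges)

def uncovered(subnets, internal_ranges):
    """Host spans inside `subnets` that no Internal range covers."""
    ranges = sorted((_to_int(a), _to_int(b)) for a, b in internal_ranges)
    gaps = []
    for cidr in subnets:
        cursor, last = host_span(cidr)
        for start, end in ranges:
            if end < cursor:
                continue              # range lies entirely before the cursor
            if start > last:
                break                 # sorted: nothing later can overlap
            if start > cursor:
                gaps.append((cursor, start - 1))
            cursor = max(cursor, end + 1)
            if cursor > last:
                break
        if cursor <= last:
            gaps.append((cursor, last))
    return [(str(ipaddress.ip_address(a)), str(ipaddress.ip_address(b)))
            for a, b in gaps]

# Values from the article: two protected networks separated by an internal router.
SUBNETS = ["192.168.2.0/24", "10.10.0.0/16"]
# Constructed mistake: only the ISA server's own network was entered.
INCOMPLETE = [("10.10.0.1", "10.10.255.254")]
# The range the article recommends.
COMPLETE = [("192.168.2.1", "192.168.2.254"), ("10.10.0.1", "10.10.255.254")]

if __name__ == "__main__":
    print(uncovered(SUBNETS, INCOMPLETE))
    print(uncovered(SUBNETS, COMPLETE))
```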
- Installing a service on Port 80 of the ISA Server
Avoid installing any service to listen on port 80 of the ISA Server as this is used by the Web Proxy service. A common mistake is installing a website to listen on port 80 on the ISA Server. Usually this is the result of installing certain third party components (like Trend Micro OfficeScan, which has a web-based console) on the ISA Server.
When port 80 is used for listening by another service, Web Proxy may run into problems or clients may be unable to access the other service running on port 80. A symptom of this problem is when you see results under Logging in the Monitoring console where the Source Network, Destination Network, Protocol fields are blank, but the Port field contains 80 and the Action field may be Failed Connection. ISA Console also generates an alert when this happens.
- SMTP Fix-Up: ISA and Cisco PIX
When using ISA behind Cisco PIX (ISA being a second firewall), make sure you disable SMTP fixup on the Cisco PIX if you plan to publish Exchange behind ISA (see diagram). This can be done by typing the following command at the Cisco PIX console:
no fixup protocol smtp 25
write mem
Note: SMTP Fixup prevents you from telnetting on port 25 that is NATed on PIX to ISA Server, and NATed (published) on ISA Server to Exchange Server. When a telnet attempt is made, you get some asterisks (220*******************************************************0*2******0***********************
2002*******2***0*00) in the output. This can be avoided by disabling smtp fixup as explained above.
- FTP is allowed, but users can’t put files on the remote FTP server
You create a rule to Allow FTP from Internal to External so that your users can access FTP sites on the internet. But your users still can’t write/delete files on the FTP server? It’s because you have to explicitly specify it!
Right click on the rule and click Configure FTP. Clear the check mark next to Read Only.
- Care while Installing Windows 2003 Service Pack 1 / Service Pack 2 and the Scalable Networking Pack
You are running ISA Server 2004 Standard Edition. One fine day, you decide to install Windows 2003 Service Pack 1 on your ISA Server. RPC traffic is blocked. You may not be able to browse the active directory for users from the ISA Server. Occasionally you get an error popup for RPC related errors.
When you see these symptoms, it’s time to install ISA Server 2004 Standard Service Pack 1!
If you install Windows Server 2003 Service Pack 2 or the Scalable Networking Pack, make sure that you read my KB article 555958.
- Scheduling limitations that you need to be aware of
This is not a configuration mistake, but is something of an expectation that requires clarification. When you create a rule in the access policy that has a schedule (In the rule properties, select the Schedule tab), there are two things that you cannot do:
i. Once you have created a schedule and applied changes, you can’t edit it. You will probably need to create a new schedule object.
ii. Your schedule limits cannot be in half hours, i.e. you can configure a rule to apply between 2 PM to 3 PM but not between 2.30 PM to 3.30 PM.
- Common name on Certificates
When you issue certificates from your CA (or obtain a commercial certificate), the common name should be the published name, i.e. DNS name that you would use to access the website/OWA/etc from outside. For example, if you are publishing a server webserver01.mydomain.local, and users will access this using the internet name www.shijaz.com, then your SSL certificate common name should be “www.shijaz.com”. Else, your users will get a warning stating that “the name of the server does not match the name on the certificate”.
- More than one Default Gateway
Never specify more than one default gateway on the ISA Server. Do not specify the default gateway on both the internal and external NICs.
- DNS Server on more than one NIC
Never specify DNS on more than one NIC. For DNS best practices on ISA Server, see this article.
TIP: Keep a backup!
Keep an XML backup of your ISA configuration before you try out something with the access rules or the configuration. This will help you easily restore your ISA configuration in case you mess it up!
Also note that when you change the Network Template, you lose ALL your Access Rules and Network Rules!
by
Shijaz Abdulla on 03.04.2009 at 00:07
Microsoft Exchange Team has released the Exchange Server Remote Connectivity Analyzer.
This tool helps you ensure that your Exchange internet services like Autodiscover, ActiveSync, Outlook Anywhere, Inbound SMTP have been configured correctly.
Exchange implementers! Bookmark this website: www.TestExchangeConnectivity.com
In the current release, the tool can check Exchange ActiveSync on Windows Mobile 5 and third party devices. It can also check Outlook Anywhere on Outlook 2003 and Outlook 2007 with Autodiscover.
For more information on the tool and a video, check out the Exchange Team blog.
by
Shijaz Abdulla on 21.12.2008 at 21:51
I like to visualize the BlackBerry server as a ‘black box’ – only because it is often difficult to figure out where the problem is. Perhaps my ignorance is to blame, or it’s just my love for the simplicity/transparency surrounding the inner workings of ActiveSync.
The other day, for instance, I was trying to activate a Blackberry Bold device. The activation kept timing out for no reason. Most of the time when this happens, one of the following usually solves the problem.
- "Wipe" the device
- Delete and re-create the user on the Blackberry server
- Do a failover (we have NeverFail for Blackberry)
- Do a full restart of the server.
But this time it was rather strange. All the above actions were in vain. So I decided to ‘troubleshoot by elimination’.
- Check if same SIM card works on another blackberry enabled device. (yes)
- Check if another user can be activated on same blackberry device with same SIM (yes)
I then deduced that there is nothing wrong with the Black Box .. er.. BlackBerry server, the device or the SIM card. "It must be something on the mailbox", I thought. But what exactly?
A quick call to our service provider, and a long wait for someone to get back to me revealed to me what I was missing — the user’s junk mail filter!
Blackberry activation involves sending an email to the user’s inbox, which would contain some kind of a hash. The user’s junk mail filter mistakenly thought that the emails from blackberry were spam and sent them to the user’s Junk Mail folder in Outlook, before the blackberry server could pick them up (from the Inbox folder) and activate the device!
by
Shijaz Abdulla on 14.11.2008 at 06:09
I am moving thousands of Exchange 2003 mailboxes to Exchange Server 2007 over this weekend. Most of these are student mailboxes which have been provisioned using another third party system. Due to a minor bug, the third party system added a trailing space to every student’s display name.
A trailing space is a whitespace at the end of the displayName string. This may look like a very small issue, but unfortunately Exchange Server 2007 is very fussy about such things:
The DisplayName property contains leading or trailing whitespace, which must be removed.
More of that… (ouch!)
Exchange 2007 would not let me move these mailboxes across from Exchange 2003 unless I correct the DisplayName property for all the mailboxes.
I have several thousands of mailboxes having an ‘inconsistent’ display name. Correcting each of these manually would have been a frustrating exercise – so I decided to coin my own PowerShell command to remove leading/trailing spaces from all mailboxes in a given mailbox database. 
Get-Mailbox -Database 'SERVER\MailStore' -ResultSize 4850 | ForEach-Object { Set-Mailbox -Identity $_.Identity -DisplayName $_.DisplayName.Trim() }
where SERVER is the Exchange 2003 server hosting the mailboxes you want to modify, MailStore is the Mailbox store on that server containing those mailboxes. I set the ResultSize to 4850 because I have more than 4000 mailboxes and by default the get-mailbox command fetches only 1000.
by
Shijaz Abdulla on 22.10.2008 at 21:20
Sometimes you cannot delete or rename a file that is currently in use. You might receive an access violation error, or simply a message telling you that your action could not be completed because the file is open in another program.
You may have already come across the Unlocker freeware tool that lets you "unlock" files that are in use by some application.
Here is another way (let’s call it the ‘techie’ way) to unlock files that are in use. It makes use of the Process Explorer tool from Windows SysInternals.
- Download the Process Explorer tool. Execute procexp.exe
- Choose Find > Find Handle or DLL option

- Type the name of the file you want to unlock and hit Search.
- The process EXE locking the file and the path to the file are listed. Double click on the result.

- The file handle will be highlighted. Right-click on it and choose Close Handle.
Your file is now unlocked and can now be deleted, moved or renamed.
A little disclaimer here: closing handles might cause data inconsistency, loss and/or other undesirable effects. Make sure you understand what you’re doing before you do it.
by
Shijaz Abdulla on 19.10.2008 at 11:57
You can now choose from which countries you need to allow access to your servers using ISA Server 2006!
If you were to do it manually, by obtaining IP ranges for different countries and keying them all in, this would have invariably been a mammoth task! Just to give an example: If I wanted to block China, I would need to enter 600 IP address ranges. Similarly, if I wanted to block Israel, I would need to enter more than 860 IP address ranges!
Now, it is not in my interest to start a geopolitical or censorship debate here. I agree the internet should remain open and that’s the way it was meant to be. However, we all acknowledge that there may be enterprise requirements from corporate and/or government customers which would actually need such policies. So here goes:
A list of ISA Server computer sets classified by country in XML format, compiled by Thor is available for download here. The list includes 234 countries. Good luck!
by
Shijaz Abdulla on 19.10.2008 at 09:52
One common query that administrators have is the matter regarding opening two Outlook profiles simultaneously. As we all know, only one Outlook instance (profile) can be open on a PC at any given time. You can of course, open more than one Exchange mailbox inside the same Outlook instance – however this leads to (user) complications of which ‘from’ address to use when responding to email.
Jason Geffner has come up with the smart little utility that helps you run two instances of Outlook at the same time. It’s called ExtraOutlook. Try it out.
And here’s a little disclaimer: This tool is neither endorsed nor supported by Microsoft. As with all other information you find on this blog, use it at your own risk!

by
Shijaz Abdulla on 03.08.2008 at 14:36
You should know that all my blog entries here are written using Windows Live Writer (even though I host it on Blogger). Not only is it easy for me to type up the entries in a word-processor-like interface, it is also easier to work with pictures and screenshots in WLW – way easier than Blogger’s web interface.
While I was writing the previous blog entry, my mouse pointer wandered to the "Add a Plug-in" link on the right, in a moment of mental abstraction. I was amazed to see that there are dozens of free plug-ins available for use with Windows Live Writer!
Among my favorites are the "Insert Smiley" and "Insert Polaroid picture" plug-ins.
Here’s an example of what the Polaroid Picture plug-in can do.
I love it!
by
Shijaz Abdulla on 28.07.2008 at 07:46
The AutoComplete cache fetches commonly used email addresses when you type the first few characters in the To, CC or BCC box when you compose a message in Outlook. In this post I will explain how you can remove entries from the AutoComplete cache.
A) To remove a single entry from the AutoComplete cache
1. Compose a new message and start entering the first few letters of the contact you want to remove from the cache.
2. Once Outlook suggests the contact, hit the DEL key on your keyboard.
B) To remove the entire AutoComplete cache
1. Close Outlook.
2. Start –> Run. Type “%userprofile%\application data\microsoft\outlook” (including the quotes) and click OK.
3. You will find an NK2 file named after each Outlook profile. Rename the NK2 file. (The NK2 file is your autocomplete cache file aka nickname cache file).
If you cannot find NK2 files, make sure you can see file extensions (Tools –> Folder Options –> Uncheck “Hide extensions for known file types”)