    • So you need to share port 443 - Windows Reverse Proxy - IIS / ARR

      So I have finally had to set up my first IIS / ARR reverse proxy the other day and it was not as easy as I had hoped. Having gotten through the tricky points I thought I would take a moment to write up a quick How-To for everyone that wants to try this.
      The basic steps are to set up a separate VM-AppProxy server with IIS installed and leave it disconnected from the domain so it can be used in the perimeter.
      I am doing this on 2012 R2 but the same steps should work for 2008 R2 or 2012. After installing the server and running all the Windows updates to bring it current you can start installing IIS and .NET 3.5 and begin setting up the rewrite rules for the various service URLs you want to redirect.

        1. Install Windows Server
          If you need help with this you can reference various articles on the web to get you to this point. Be sure to update the server with all available Windows updates so it is secure and bug free.
        2. Install the IIS and .NET 3.5.1 role and feature
          Open Server Manager.
          Under the Manage menu, select Add Roles and Features.
          Select Role-based or Feature-based Installation.
          Select the appropriate server (local is selected by default).
          Select Web Server (IIS) next.
          Choose .NET 3.5 and 4 and all the subfeatures.
          Click Next again and let the role and features install to completion.
        3. Install the MS Web Platform Installer
          Download and install the MS Web Platform Installer 4.6 using this link:
          http://www.microsoft.com/web/downloads/platform.aspx
        4. Download and install the ARR plugin for IIS
          After you have installed the Web Platform Installer you can then install ARR 3.0:
          http://www.iis.net/downloads/microsoft/application-request-routing
        5. Run Windows Update again
          Run Windows Update again to get all the security updates and fixes for IIS and .NET.
        6. Open IIS Manager on the proxy server
          You should now see an option for Server Farms listed under Sites.
          You will need to create a separate Server Farm for each of the URLs you want to redirect. I have set this up to redirect all my Lync 2013, Exchange 2013, Nagios, RDP Gateway, and Spiceworks URLs.
        7. Create a server farm
          Right click on Server Farms and create a new farm.
          Name the server farm the URL you are redirecting; for demonstration purposes I will start with my Spiceworks install.
          Name = spiceworks.yourdomain.com
          Hit Next.
          Server Address will be the LAN IP of the server hosting the service.
          Server address = 192.168.x.x
          Under Advanced Settings is where you can redirect the traffic coming in on 443 to another port. For Lync you will redirect this from 443 to 4443. Otherwise, if you are just redirecting 443, leave this setting alone.
          Click Finish.
        8. Configure caching, proxy, and routing rules
          On the server farm you created you need to set a few additional settings to keep traffic from timing out.
          Under Caching – disable disk cache.
          Under Proxy – change the timeout to 200. This can be adjusted to fit your needs but I find 200 sec is plenty.
          Under Routing Rules – disable SSL offloading.
        9. Set rewrite rules
          Click on the server name in IIS and on the home screen choose URL Rewrite.
          You will see two default rules created for each of the server farms you created.
          Delete the one that is not SSL as we are only using this for 443 traffic.
          (If you want to redirect port 80 you can leave that and set the rule, but for the purposes of this How-To I am only doing 443 / SSL.)
          Double click the SSL rule and set the following settings:
          Requested URL = Matches Pattern
          Using = Wildcards
          Pattern = *
          Ignore Case = Checked
          Delete any Conditions that were created and then click Add
          Condition input = {HTTP_HOST}
          Check if Input string = Matches Pattern
          Pattern = spiceworks.*
          Ignore Case = Checked
          Hit OK
          Scroll down to Action
          Action type = Route to Server Farm
          Action Properties
          Scheme = https://
          Server farm = spiceworks.yourdomain.com
          Path = /{R:0}
          Stop processing of subsequent rules = Checked
          Hit Apply in the upper right.
        10. Port firewall to IIS ARR server
          Port your firewall on 443 to the new IIS ARR LAN IP and set external DNS entries.
        11. Apply wildcard SSL cert
          You will need a wildcard SSL cert on the new IIS ARR server for yourdomain.com. Just get a 3rd party cert or request one from your internal PKI server for testing. Either way, without the SSL cert installed and active this will not work.
          Click the server in IIS and on the Home screen choose SSL Certificates.
          Request the new wildcard cert and save the request to a text file.
          Get the SSL cert from your 3rd party and download the certificate.
          Go back to the IIS home screen and SSL Certificates and complete the certificate request.
          Click on the Default Web Site in IIS, then click Bindings on the right and choose https 443.
          Drop down under SSL certificate and choose the new cert you just imported / completed.
          Hit OK.
        12. Repeat for other URLs
          Repeat steps 7 – 10 for the other URLs you want to redirect.
        13. Troubleshooting IIS ARR using Failed Request Tracing
          If you are having issues getting IIS ARR to work you can turn on Failed Request Tracing by installing a feature under IIS – Health and Diagnostics called Tracing.
          Open Server Manager.
          Add Roles and Features.
          Next, Next to Features.
          Find Web Server (IIS), then Health and Diagnostics, check the box next to Tracing and Install.
          Open IIS, click the Default Web Site and on the right under Configure choose Failed Request Tracing.
          Check the box to enable and set a log path.
        14. URL rewrite patterns for common MS products
          {HTTP_HOST} Matches the Pattern = autodiscover.yourdomain.com

      In conclusion, this is a fairly easy process but I was stuck on how to format the rules correctly. Once I realized that I had to delete what was automatically created and set it up manually I made progress quickly.
      I am still having issues with the Spiceworks Android app not getting redirected properly on 443 but I am working on that now and I think I have a fix.
      The fix for the Android app was that the URL needs a wildcard for the app. I set the rule as above and I am now able to get to my Spiceworks install over 443 through the IIS ARR!
      posted in IT Discussion
      GregoryHall
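      The rule shape the write-up arrives at (match url *, an {HTTP_HOST} condition, Route to Server Farm, stop processing) is stored by ARR in applicationHost.config under system.webServer/rewrite/globalRules. The PowerShell below is an added example, not part of the original post and not Microsoft tooling: it audits those global rules for the problems the write-up hints at (a rule left with no host condition, so the catch-all * pattern routes every request; stop processing left off; a host pattern with a wildcard that also matches hosts outside yourdomain.com, which is why the later pattern list uses the fully qualified autodiscover.yourdomain.com). The applicationHost.config fragment is constructed for the example; the rule names and hosts are the post's own. On the proxy you would load the real file from %windir%\System32\inetsrv\config instead.

```powershell
# Added example, not from the original post: audit the ARR / URL Rewrite global rules
# that the steps above produce. The applicationHost.config fragment below is constructed;
# on the proxy itself load the real file instead:
#   [xml]$config = Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config"
$sampleXml = @'
<configuration>
  <system.webServer>
    <rewrite>
      <globalRules>
        <rule name="ARR_spiceworks.yourdomain.com_loadbalance_SSL" patternSyntax="Wildcard" stopProcessing="true">
          <match url="*" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="spiceworks.*" />
          </conditions>
          <action type="Rewrite" url="https://spiceworks.yourdomain.com/{R:0}" />
        </rule>
        <rule name="ARR_autodiscover.yourdomain.com_loadbalance_SSL" patternSyntax="Wildcard" stopProcessing="true">
          <match url="*" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="autodiscover.yourdomain.com" />
          </conditions>
          <action type="Rewrite" url="https://autodiscover.yourdomain.com/{R:0}" />
        </rule>
        <rule name="ARR_nagios.yourdomain.com_loadbalance" patternSyntax="Wildcard" stopProcessing="false">
          <match url="*" />
          <conditions />
          <action type="Rewrite" url="http://nagios.yourdomain.com/{R:0}" />
        </rule>
      </globalRules>
    </rewrite>
  </system.webServer>
</configuration>
'@
[xml]$sampleConfig = $sampleXml

function ConvertFrom-IisWildcard {
    # Translate URL Rewrite wildcard syntax ('*' = any run of characters, '?' = one character)
    # into an anchored .NET regex so we can test what a pattern really matches
    param([Parameter(Mandatory)][string]$Pattern)
    '^' + ([regex]::Escape($Pattern) -replace '\\\*', '.*' -replace '\\\?', '.') + '$'
}

function Test-HostPattern {
    param([string]$Pattern, [string]$HostHeader)
    [regex]::IsMatch($HostHeader, (ConvertFrom-IisWildcard $Pattern), 'IgnoreCase')
}

function Test-ArrGlobalRules {
    param([Parameter(Mandatory)][xml]$Config)
    $findings = @()
    foreach ($rule in $Config.SelectNodes('//rewrite/globalRules/rule')) {
        $name     = $rule.name
        $hostCond = @($rule.SelectNodes('conditions/add') | Where-Object { $_.input -eq '{HTTP_HOST}' })
        $target   = [string]$rule.action.url

        if ($hostCond.Count -eq 0 -and $rule.match.url -eq '*') {
            $findings += "$name : no {HTTP_HOST} condition, so match url='*' routes every request to $target"
        }
        foreach ($c in $hostCond) {
            if ($c.pattern.Contains('*') -or $c.pattern.Contains('?')) {
                $findings += "$name : host pattern '$($c.pattern)' is a wildcard; check which hosts it really matches"
            }
        }
        if ($target -like 'http://*') {
            $findings += "$name : routes to the farm over plain HTTP; the write-up uses https:// with SSL offloading disabled"
        }
        if ($rule.stopProcessing -ne 'true') {
            $findings += "$name : stopProcessing is off, so a later rule can rewrite the same request again"
        }
    }
    return $findings
}

# Wildcard host patterns: the post's "spiceworks.*" also matches hosts outside yourdomain.com
foreach ($h in 'spiceworks.yourdomain.com', 'spiceworks.example.net', 'mail.yourdomain.com') {
    '{0,-28} matches spiceworks.* : {1}' -f $h, (Test-HostPattern -Pattern 'spiceworks.*' -HostHeader $h)
}

# Expected findings on the sample: the Spiceworks rule's wildcard host pattern, and three for the
# Nagios rule (no host condition, plain HTTP to the farm, stopProcessing off); the autodiscover rule is clean
Test-ArrGlobalRules -Config $sampleConfig
```

      Run it on the proxy after step 9 and again after each "repeat for other URLs" pass; a rule with no host condition is the one that silently swallows every other site's traffic, and it is exactly what the auto-created rule looks like before the conditions are set by hand.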
    • RE: 2008R2 VM won't merge - will export fix this?

      Manually merge the files together using the following writeup
      http://itproctology.blogspot.com/2008/06/how-to-manually-merge-hyper-v-snapshots.html

      Report back if you need more

      posted in IT Discussion
      GregoryHall
    • RE: KB3002657 Breaks Netlogon NTLM

      OK, they released a V2 version that is fine.
      http://windowsitpro.com/patch-tuesday/patch-tuesday-kb3002657-gets-quick-fix-windows-server-2003

      posted in IT Discussion
      GregoryHall
    • Microsoft Reloads Yammer and it becomes Delve with AI

      MS is starting to leverage big data and AI to help you work smarter
      http://gadgets.ndtv.com/apps/news/microsoft-launches-delve-collaborative-tool-for-office-365-671797

      posted in IT Discussion
      GregoryHall
    • RE: Powershell script to change local admin account password

      $computers = Get-Content -Path C:\fso\computers.txt
      $userName = "aUser"
      $password = "MyNewPassword!"
      foreach ($computer in $computers)
      {
          # Bind to the local account through the WinNT ADSI provider. A separate variable is used
          # for the bound object so the account name is not overwritten on the first pass of the loop.
          $account = [adsi]"WinNT://$computer/$userName,user"
          $account.SetPassword($password)
          $account.SetInfo()
      }

      http://blogs.technet.com/b/heyscriptingguy/archive/2009/03/25/how-can-i-change-the-passwords-of-multiple-local-computer-accounts.aspx

      posted in IT Discussion
      GregoryHall
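      The posted script pushes one shared password to every host in the list, which is the setup where a single compromised workstation hands an attacker the local admin password for all of them. The PowerShell below is an added example, not the poster's script and not Microsoft's LAPS: it keeps the same WinNT ADSI call but generates a separate random password per computer from the CSPRNG and records the results in a CSV that you then have to protect. The file paths (C:\fso\computers.txt from the post, C:\fso\localadmin.csv as output) and the account name aUser are assumptions; -WhatIf shows what would be changed without touching anything.

```powershell
# Added example, not the posted script: a different random password for every host, set through the
# same WinNT ADSI provider. Assumed paths/names: C:\fso\computers.txt and account "aUser" (from the post),
# output C:\fso\localadmin.csv (must be ACL-restricted or moved into a vault as soon as it is written).

function New-RandomPassword {
    param([int]$Length = 20)
    # Alphabet leaves out look-alike characters (I, O, l, 0, 1) and still covers all four complexity classes
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    # Rejection sampling: discard bytes at or above the largest multiple of the alphabet size,
    # so that plain modulo cannot bias the output toward the start of the alphabet
    $limit = 256 - (256 % $alphabet.Length)
    do {
        $chars = New-Object char[] $Length
        for ($i = 0; $i -lt $Length; ) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) {
                $chars[$i] = $alphabet[$buf[0] % $alphabet.Length]
                $i++
            }
        }
        $candidate = -join $chars
    } until ($candidate -cmatch '[A-Z]' -and $candidate -cmatch '[a-z]' -and $candidate -match '[0-9]' -and $candidate -match '[^A-Za-z0-9]')
    $rng.Dispose()
    return $candidate
}

function Set-LocalAdminPassword {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string]$UserName = 'aUser',
        [string]$OutFile  = 'C:\fso\localadmin.csv'
    )
    $results = foreach ($computer in $ComputerName) {
        $password = $null
        $status   = 'Skipped'
        if ($PSCmdlet.ShouldProcess($computer, "Set password for local account $UserName")) {
            $password = New-RandomPassword
            try {
                # Same WinNT ADSI bind as the posted script, one fresh password per host
                $account = [adsi]"WinNT://$computer/$UserName,user"
                $account.SetPassword($password)
                $account.SetInfo()
                $status = 'OK'
            } catch {
                $status   = "Failed: $($_.Exception.Message)"
                $password = $null   # never record a password that was not actually set
            }
        }
        [pscustomobject]@{
            ComputerName = $computer
            UserName     = $UserName
            Password     = $password
            Status       = $status
            Changed      = Get-Date
        }
    }
    if ($results | Where-Object Status -eq 'OK') {
        # The CSV now holds live credentials: restrict its ACL or import it into your vault right away
        $results | Export-Csv -Path $OutFile -NoTypeInformation
    }
    $results | Select-Object ComputerName, Status
}

$computers = Get-Content -Path 'C:\fso\computers.txt'
Set-LocalAdminPassword -ComputerName $computers -WhatIf   # drop -WhatIf to apply the change
```

      Rotating this way means a dumped SAM from one box buys nothing on the next one; the cost is that the CSV (or whatever you replace it with) becomes the thing to protect, which is the problem a vault or LAPS-style AD attribute exists to solve.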
    • Hard Link AD Users To Office 365 When Soft Match Fails

      #Allow Remote Scripts To Run
      Set-ExecutionPolicy RemoteSigned

      #Store Office 365 Global Admin Creds and connect to MS online
      $credential = Get-Credential
      Import-Module MsOnline
      Import-Module ActiveDirectory   #Needed for Get-ADUser (RSAT AD PowerShell module)
      Connect-MsolService -Credential $credential

      #Verify Active Directory Sync Has Been Disabled - Money Command will not run with it on
      $IsDirSyncEnabled = (Get-MsolCompanyInformation).DirectorySynchronizationEnabled
      If($IsDirSyncEnabled -eq $false) {Write-Host "Office 365 Active Directory Sync Disabled - Good to go!"} else {Write-Host "Please disable Active Directory Sync and Wait"; Exit}
      Start-Sleep -Seconds 5

      #If you want to dump your existing AD to text file for reference uncomment the next line
      #ldifde -f C:\export.txt -r "(Userprincipalname=*)" -l "objectGuid, userPrincipalName"

      do{

      #Query the local AD and get all the users output to grid for selection
      $ADGuidUser = Get-ADUser -Filter * | Select Name,ObjectGUID | Sort-Object Name | Out-GridView -Title "Select Local AD User To Get Immutable ID for" -PassThru
      #Convert the GUID to the Immutable ID format
      $UserimmutableID = [System.Convert]::ToBase64String($ADGuidUser.ObjectGUID.ToByteArray())

      #Query the existing users on Office 365 and output to grid for selection
      $OnlineUser = Get-MsolUser | Select UserPrincipalName,DisplayName,ProxyAddresses,ImmutableID | Sort-Object DisplayName | Out-GridView -Title "Select The Office 365 Online User To HardLink The AD User To" -PassThru

      #Uncomment the ###Careful### out of the following command to purge all the deleted users from the users recycle bin on Office 365
      #This will only query for users that are unlicensed so it will skip users with mailboxes but still use at your own risk
      ###Careful### Get-MsolUser -ReturnDeletedUsers | Where-Object {$_.isLicensed -eq $false} | Remove-MsolUser -RemoveFromRecycleBin -Force

      #Money command that sets the office 365 user you picked with the OnPrem AD ImmutableID
      Set-MsolUser -UserPrincipalName $OnlineUser.UserPrincipalName -ImmutableID $UserimmutableID

      #Verify ImmutableID has been updated
      $Office365UserQuery = Get-MsolUser -UserPrincipalName $OnlineUser.UserPrincipalName | Select DisplayName,ImmutableId
      Write-Host "Do the ID's Match? if not something is wrong"
      Write-Host "AD Immutable ID Used" $UserimmutableID
      Write-Host "Office365 UserLinked" $Office365UserQuery.ImmutableId

      #Ask To Repeat The Script
      $Repeat = Read-Host "Do you want to choose another user? Y or N"
      }
      while ($Repeat -eq "Y")

      #List Users and ImmutableId
      Get-MsolUser | Select DisplayName,ImmutableID | Sort-Object DisplayName | Out-GridView -Title "Office 365 User List With Immutableid Showing"

      #Close your PS Office 365 Connection
      Get-PSSession | Remove-PSSession

      posted in IT Discussion
      GregoryHall
    • OneDrive Preview Released

      Check out the new OneDrive client for both Windows and Mac OSX!

      https://preview.onedrive.com/sync/setup.html

      Kiss those pesky limitations goodbye!

      posted in IT Discussion onedrive office 365
      GregoryHall
    • Loving the new community

      I have to say I am quite impressed at what you have accomplished here!

      posted in IT Careers
      GregoryHall
    • RE: What Are You Doing Right Now

      Third IPA watching the Padres beat Miami!!

      posted in Water Closet
      GregoryHall
    • Elastix 2.5 Audio Issues

      We have a client who recently upgraded from a FortiVoice appliance to an Elastix PBX VM running on Hyper-V. Call quality is very bad with lots of jitter.

      EdgeMax Lite running 1.6.0 with QoS settings as per this how-to: https://community.ubnt.com/t5/EdgeMAX-Configuration-Examples/EdgeMAX-Quality-of-Service-for-Voice-Over-IP-QoS-for-VoIP/ta-p/529077

      Two NetGear GS748tV5 switches with Auto VOIP turned on for all the ports
      Separate NIC for just this Elastix VM with bandwidth reserved as high as it can go
      VM specs are 4GB RAM with 2 Cores and I also went to the trouble to reserve disk I/O for just this VM

      Jitter buffer turned on in FreePBX and played with the millisecond buffer and buffer resync settings for a good two hours last night. Thought I found the sweet spot but this morning under load jitter is bad enough you cannot really hear.

      I also found a setting for the QoS / CoS that will look for DSCP tags and prioritize that traffic but I cannot for the life of me find where to set that in the FreePBX. A networking friend of mine told me to set this in the VOIP phones and match that tag on the Switches so that they know it is high priority / expedited forwarding but I cannot find in the phone interface where to set that.

      At this point I am way out of my comfort zone and need some advice on how to proceed to get call quality locked down and acceptable.

      I feel like this is a network driver issue, and the article about small business PBX below states I should use the legacy network adapter, which I did not do on the setup... just accepted all defaults. If that is truly the fix I need someone with Elastix / CentOS experience to tell me if replacing the NIC on the VM will mess up the Elastix box and force a rebuild.
      My other thought was to completely rebuild the Elastix VM with the legacy adapter, export and then import the settings from the old one to the new, and test.

      Internet pipe is Verizon FiOS with 100/100, so I know that is not an issue unless I am not setting the MTU correctly for the FiOS?

      Articles I have tried already
      http://kb.netgear.com/ci/fattach/get/80/1261136566/redirect/1/filename/QoS_on_Netgear_Switches.pdf

      http://kevinjmorse.ca/articles/small-business-pbx-part-2-elastix-hyper-v

      posted in IT Discussion elastix voip asterisk networking
      GregoryHall
    • RE: In honor of MangoLassi's first birthday, let's do a giveaway

      http://www.hulu.com/watch/588246

      Ohh, a Debbie smile! That's like seeing a Yeti!

      posted in Water Closet
      GregoryHall
    • RE: O365 Renewal and Billing Change

      MS Office 365 is really good about data retention and you should not lose anything when messing with licensing.
      We recently moved from paid subscriptions to ones provided by our partner program and did a similar switch, and it was seamless and not disruptive in any way.

      posted in IT Discussion
      GregoryHall
    • RE: Finding User Logout Time

      Well, if you need more detail then you need to uninstall AD Manager and install AD Audit:
      http://www.manageengine.com/products/active-directory-audit/download.html

      posted in IT Discussion
      GregoryHall
    • Ubiquiti Edgemax L2TP VPN Setup From CLI

      I just spent the better part of 3 hours tracking down the CLI commands necessary to clear out any old VPN settings and set up just the L2TP VPN server on a Ubiquiti EdgeMax device running firmware 1.4.1. I gathered all that in one place here for reference.
      1. Connect via SSH
      Open either the web portal and click the CLI option (does not allow you to paste) or, better yet, just download PuTTY and connect over SSH that way.
      2. Show running VPN configurations
      configure
      #show l2tp config
      show vpn l2tp
      #show pptp config
      show vpn pptp
      3. Delete VPN configurations
      configure
      delete vpn pptp
      delete vpn l2tp
      delete vpn ipsec
      commit
      save
      4. L2TP server configuration

      Change eth1 to whatever is the external interface port of the EdgeMax.

      set vpn ipsec ipsec-interfaces interface eth1
      set vpn ipsec nat-networks allowed-network 0.0.0.0/0
      set vpn ipsec nat-traversal enable
      set vpn l2tp remote-access authentication mode local
      #Add local users for L2TP
      set vpn l2tp remote-access authentication local-users username WhateverUserName password WhatEverUserPassword

      Set a range of IP addresses that are not being used by your LAN DHCP.

      set vpn l2tp remote-access client-ip-pool start 192.168.x.x
      set vpn l2tp remote-access client-ip-pool stop 192.168.x.x

      Set the DNS servers to give out over DHCP for VPN name resolution.

      set vpn l2tp remote-access dns-servers server-1 192.168.x.x
      set vpn l2tp remote-access dns-servers server-2 192.168.x.x

      Set the authentication mode for L2TP.

      set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
      set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret ThisIsYourLongPassword
      set vpn l2tp remote-access ipsec-settings ike-lifetime 3600

      Set the L2TP listening address to the WAN IP and WAN gateway.

      set vpn l2tp remote-access outside-address ThisIsYourWANIP
      set vpn l2tp remote-access outside-nexthop ThisIsYourWAN-GW-IP

      Optional: set the MTU. I do this just in case they end up on DSL or T1.

      set vpn l2tp remote-access mtu 1492
      commit
      save
      exit
      5. Add the firewall rules for L2TP traffic
      Open the web browser of your choice and enter the LAN IP of the EdgeMax to log in to the portal.
      Go to the Security tab and then find WAN_Local in the Firewall Rules.
      Click Actions on the right and from the drop-down choose Edit Ruleset.
      Add a new rule with the following settings:
      Basic tab:
      Description = L2TP
      Enable = Checked (true)
      Action = Accept
      Protocol = UDP
      Choose the Destination tab
      Ports = 500,1701,4500 (no spaces)
      Save
      Add another rule in the ruleset:
      Description = ESP
      Enable = Checked (true)
      Action = Accept
      Protocol = choose by name, then choose ESP
      Save
      Save again to exit the firewall settings.
      6. Configure the Windows L2TP VPN
      On the Windows box that needs to VPN into the Ubiquiti you will create a new VPN connection using the wizard and then go to ncpa.cpl and set the properties on the VPN connection. Specifically three settings:
      1 – On the Security tab of the VPN connection properties change the type of VPN to Layer 2 Tunneling Protocol.
      Choose Advanced Settings right below that option and set the shared secret you used above when configuring the L2TP server.
      Under "Allow these protocols" choose Challenge Handshake and Microsoft CHAP Version 2.
      Under the Networking tab choose IPv4, then Advanced, and turn off the option "Use default gateway on remote network" so you can browse the internet locally while connected to the VPN.
      7. Test the connection
      Enable the VPN connection and enter the username and password you created when setting up the local users on the Ubiquiti EdgeMax box and hit Connect. You should now be connected, but the tunnel will not come live until you ping across it or try to access resources on the LAN.
      Conclusion
      In conclusion, I found all the information was in bits and pieces scattered throughout the internet and the docs on the Ubiquiti wiki were incomplete.
      Hopefully, if someone else needs to configure VPN for their Ubiquiti device, this will help.

      posted in IT Discussion
      GregoryHall
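      Step 6 of the post is done through ncpa.cpl; the same client settings can be applied and checked with the built-in VpnClient cmdlets (Windows 8 / Server 2012 and later). The PowerShell below is an added example, not part of the original post and not Ubiquiti documentation. The server address vpn.example.com and the connection name are placeholders; the pre-shared key is read at run time and must be the value given to "set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret". It deliberately allows MS-CHAP v2 only (the post also ticks plain CHAP, which requires the server to keep reversibly encrypted passwords), requires encryption, and enables split tunnelling, which is the same thing as unticking "Use default gateway on remote network".

```powershell
# Added example, not from the original post: create and verify the Windows L2TP/IPsec client
# for the EdgeMax server configured above. Assumed placeholders: connection name "EdgeMax L2TP"
# and server vpn.example.com (the EdgeMax WAN IP or a DNS name pointing at it).
param(
    [string]$Name          = 'EdgeMax L2TP',
    [string]$ServerAddress = 'vpn.example.com'
)

# Read the PSK interactively rather than leaving it in a script that ends up in a share or repo
$pskSecure = Read-Host -Prompt 'L2TP pre-shared key' -AsSecureString
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($pskSecure)
try     { $psk = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# Remove a stale entry of the same name so the settings below are the only ones in effect
if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $Name -Force
}

# MSChapv2 only (no PAP/CHAP), encryption mandatory, split tunnelling on
# (equivalent of unticking "Use default gateway on remote network" in ncpa.cpl)
Add-VpnConnection -Name $Name -ServerAddress $ServerAddress `
    -TunnelType L2tp -L2tpPsk $psk `
    -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required `
    -SplitTunneling `
    -RememberCredential:$false -Force

function Test-L2tpClientConfig {
    # Re-read the stored connection and confirm each security-relevant setting took effect
    param([Parameter(Mandatory)][string]$Name)
    $c = Get-VpnConnection -Name $Name
    $auth = @($c.AuthenticationMethod)
    [pscustomobject]@{
        Name          = $c.Name
        Server        = $c.ServerAddress
        TunnelOk      = $c.TunnelType -eq 'L2tp'
        AuthOk        = ($auth.Count -eq 1) -and ($auth -contains 'MsChapv2')
        EncryptionOk  = $c.EncryptionLevel -eq 'Required'
        SplitTunnelOk = [bool]$c.SplitTunneling
    }
}

Test-L2tpClientConfig -Name $Name

# To connect from the same script:  rasdial $Name <WhateverUserName> <WhatEverUserPassword>
# then ping a LAN host behind the EdgeMax; the tunnel only carries traffic once something uses it.
```

      AuthOk, EncryptionOk and SplitTunnelOk should all come back True; if a later GPO or a helpdesk "fix" re-enables PAP or turns encryption to Optional, this is the check that notices.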
    • 21 minute Exchange Migration Cutover.

      Fastest one yet!

      posted in IT Discussion
      GregoryHall
    • RE: O365:Outlook Shared Mailbox issue

      What version of Outlook are we discussing?

      posted in IT Discussion
      GregoryHall
    • So you need to enable email encryption on Office 365 via PowerShell script.
        1. Log in to an Office 365 account that is a member of the Global Admins role.
        2. Enable Rights Management at Admin / Service Settings / Rights Management / Manage in the portal.
        3. Install the Azure AD Management Admin Tool.
          a. http://www.microsoft.com/en-us/download/details.aspx?id=30339

      Script to set up email encryption on Office 365
      #Enter Office 365 Global Admin Login and Password
      $UserCredential = Get-Credential
      #Import the rights management and msonline PowerShell modules
      Import-Module AADRM
      Import-Module MSOnline
      #Open the Exchange Online remote PowerShell session
      $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
      Import-PSSession $Session
      Connect-AadrmService -Credential $UserCredential
      #Make sure Rights Management is enabled (True)
      Get-AadrmConfiguration
      #Turn on Org Customization - Don't worry if it errors, most likely it is already enabled
      Enable-OrganizationCustomization
      #Configure IRM Key Location and Set the services
      Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc"
      Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"
      Set-IRMConfiguration -ClientAccessServerEnabled $false
      Set-IRMConfiguration -InternalLicensingEnabled $true
      Test-IRMConfiguration -RMSOnline
      #Add Exchange Online Transport Rules
      New-TransportRule -Name "Encrypt" -SubjectContainsWords "Encrypt" -SentToScope "NotInOrganization" -ApplyOME $true
      New-TransportRule -Name "Decrypt" -SentToScope "InOrganization" -RemoveOME $true
      #Disconnect from Office 365 PowerShell Session
      Remove-PSSession $Session

      posted in IT Discussion
      GregoryHall
    • RE: Sophos UTM Issues

      Sounds like NIC issues on the ESX host or the modem itself if this is happening again with a new VM...
      You should not need to clone the MAC address; you only need to power off the cable modem for 5 min or more to clear the ARP cache, then a new IP will be assigned. If you are dynamic and trying to keep the same IP address for service reasons, that might be your slowdown, and Comcast has put all the resources on the new subnet, which will require you to get a new IP in order to interface with...

      posted in IT Discussion
      GregoryHall
    • RE: Outlook crashing when sending messages

      Autocomplete corruption will do this; I bet it is one or two particular email addresses she uses that crash Outlook, hence the random nature of this.

      A couple of things to try:

      ID the last user she tries to send to before Outlook crashes and delete that from the Autocomplete list. Type it anew and see if you can get it to send without crashing.

      Second would be to clear the whole Autocomplete list and start over fresh, but that is usually too disruptive for most users.

      http://support.sherweb.com/Faqs/show/how-to-clear-the-outlook-2013-autocomplete-cache

      Start Outlook in safe mode and see if it is a plugin:
      Start - Run - Outlook.exe /safe

      Reinstall / repair Office to fix the mso.dll association and registration.

      Report back your findings

      posted in IT Discussion
      GregoryHall
    • How to deal with Internet Trolls!?

      Your best internet troll / hater story and how you dealt with it please?

      posted in IT Discussion
      GregoryHall