Self Signed Certificates in Exchange 2010

My certificates expired recently on my Exchange server and I had to set about renewing them. Not fun; more on that later. I was going to write a long how-to on this, but Microsoft has a wiki post on TechNet about this very subject with pictures and explanations.

How to use a self signed certificate in Exchange 2010

This is for your internal server certificates; it doesn’t do much for the outside world, so you’ll still need a certificate for your internet-facing services. It will clear up the certificate errors you get internally with Outlook 2007-2010 though.


Cyberoam Automatic Backups

It’s about that time again for a new firmware update on your Cyberoam devices, and with firmware updates come configuration backups. I’m a big believer in automation, especially for backups.

One of the methods I implemented with my Cyberoam was the automatic e-mail backup. I am not a fan of the FTP backup, as it sends a password to your FTP server in plain text over your LAN or the internet, which is no good. The e-mailed attachment backup is, in my opinion, much more secure.

Unlike Cisco backup files, Cyberoam encrypts the configuration file it sends out, so even if someone breaks into your e-mail account, the passwords and other configuration data are secure. I have no idea what key they use; when I opened the file up, the first line looked like this:

Salted__tÐ ð8¸Y°×Ç­uùMúý1´ªeM@•ªøÙзRê8Ù%®Õ µd¾

That likely means that not only is the file encrypted, but some extra random ‘salt’ data has been tacked on, either somewhere in the file or in the key itself. This makes it harder to decrypt even if you know some of the text in the file, because you have to know what the random data is too.
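The “Salted__” marker is the header that OpenSSL’s enc command writes when a file is encrypted with a passphrase, and the eight bytes right after it are the random salt. Assuming that is the format Cyberoam uses (the post doesn’t say, so this is an assumption), the script below, an added example that is not part of the post or of Cyberoam’s software, parses the header and derives keys the way OpenSSL’s EVP_BytesToKey does. It shows that one passphrase turns into a different key for every salt, which is why knowing some plaintext from one backup tells you nothing about the next. The sample header bytes are constructed.

```python
"""Inspect an OpenSSL "Salted__" header and show why the salt matters.

Added example, not Cyberoam's code. It assumes the backup is in the format
written by `openssl enc` with a passphrase (an assumption suggested by the
header): 8 bytes "Salted__", an 8-byte random salt, then ciphertext. OpenSSL
derives the key from passphrase + salt with EVP_BytesToKey (MD5 digest by
default in OpenSSL 1.0.x), so the same passphrase gives a different key for
every file.
"""
import hashlib
import sys

MAGIC = b"Salted__"


def parse_salted_header(data: bytes):
    """Return (salt, ciphertext) for an OpenSSL salted file, or None when the
    header is absent."""
    if len(data) < 16 or not data.startswith(MAGIC):
        return None
    return data[8:16], data[16:]


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int = 32,
                     iv_len: int = 16, digest: str = "md5"):
    """OpenSSL's EVP_BytesToKey with count=1:
    D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt), and
    key || iv is the concatenation. key_len=32, iv_len=16 match aes-256-cbc."""
    derived, block = b"", b""
    while len(derived) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def describe(data: bytes) -> dict:
    """Summarise what can be learned from the file without the passphrase:
    only the format and the salt value, nothing about the contents."""
    parsed = parse_salted_header(data)
    if parsed is None:
        return {"format": "unknown", "salt": None, "ciphertext_len": len(data)}
    salt, ciphertext = parsed
    return {"format": "openssl-salted", "salt": salt.hex(),
            "ciphertext_len": len(ciphertext)}


def same_password_different_salt(password: bytes, salt_a: bytes, salt_b: bytes) -> bool:
    """True when two salts turn one passphrase into two distinct keys."""
    key_a, _ = evp_bytes_to_key(password, salt_a)
    key_b, _ = evp_bytes_to_key(password, salt_b)
    return key_a != key_b


# Constructed sample: a header followed by 32 zero bytes standing in for ciphertext.
SAMPLE = MAGIC + bytes.fromhex("0102030405060708") + b"\x00" * 32

if __name__ == "__main__":
    # Pass a backup file path to inspect it; with no argument the sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(describe(data))
```

Run it against the attachment to confirm the format and see the salt; without the passphrase that is all the header gives away.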

E-mailing the configuration file also lets you have a fairly secure off-site backup of your firewall. The file is relatively small so most e-mail systems will gladly accept the attachment. Mine for instance is about 430k in size.

How to Set Up Automated E-mailed Backups In Cyberoam 10

Step 1 – You should have already set up your SMTP server for notifications. If not, you’ll need to do so now. Click on the Configuration Menu, and then select the “Notifications” tab. Put the IP address of your SMTP server in the text box, as well as the port number (it’s usually 25, but check with your e-mail provider). If you need a username and password, check the authentication box and enter it. You’ll also need to provide the “From” email address, and the address you want the notifications to go to. Typically the From e-mail can be anything on your own server, but might need to be a valid e-mail address if you don’t host your own e-mail.

Here’s a sample configuration:

Cyberoam SMTP Settings

Click Save and you should be good to go. One way to test whether this is working is to unplug one of your cables for a minute or two and plug it back in; you should get a Gateway down/up notification. I have looked for a ‘test’ button but have not found one anywhere.

Step 2 – Go to the Maintenance menu and select the “Backup and Restore” tab.

You’ll see a few options here. If you click the “Download Now” button, you’ll immediately get a download of the backup. That’s how you do a manual backup.

For a scheduled backup, decide how often you want it: Daily, Weekly or Monthly. If you choose Weekly or Monthly you’ll get an e-mail on the first day of that period, so Sunday or Monday for Weekly and the first day of the month for Monthly.

Select the E-Mail radio button and enter the e-mail address you want it to go to. Be aware that the SMTP server you configured in the Notifications menu has to be able to deliver to the address you enter here, or it won’t work. Remember to hit the Save button when you are done.

Here’s a sample configuration:

Cyberoam E-mail Backup Configuration
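Since there is no test button, the quickest way to prove the relay accepts mail from the “From” address to the notification address is to send one message through it yourself. The script below is an added example, not a Cyberoam feature; the host, port and addresses are placeholders. It only logs in after a STARTTLS upgrade, because SMTP AUTH on a plain session has the same plaintext-password problem the FTP backup has.

```python
"""Send one test notification through the SMTP relay configured for Cyberoam.

Added example, not a Cyberoam feature: the appliance has no test button, so
this mimics what it will do: connect to the relay, optionally authenticate,
and deliver from the configured From address to the notification address.
Host, port and both addresses below are placeholders to replace.
SMTP AUTH sends the password in the clear unless the session is upgraded
first, so login is only attempted after STARTTLS unless allow_plain_auth=True
is passed explicitly.
"""
import smtplib
import ssl
from email.message import EmailMessage


def build_test_message(sender: str, recipient: str) -> EmailMessage:
    """Build the same kind of small text message the appliance sends."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Cyberoam notification relay test"
    msg.set_content("If you can read this, the relay accepts mail from the "
                    "notification sender to this address.")
    return msg


def send_test_notification(host: str, port: int, sender: str, recipient: str,
                           username: str = None, password: str = None,
                           allow_plain_auth: bool = False) -> dict:
    """Return the dict of refused recipients; an empty dict means accepted."""
    msg = build_test_message(sender, recipient)
    with smtplib.SMTP(host, port, timeout=15) as server:
        server.ehlo()
        encrypted = False
        if server.has_extn("starttls"):
            server.starttls(context=ssl.create_default_context())
            server.ehlo()  # capabilities can change after the TLS upgrade
            encrypted = True
        if username:
            if not encrypted and not allow_plain_auth:
                raise RuntimeError("relay offers no STARTTLS; refusing to send "
                                   "the password in clear text")
            server.login(username, password)
        return server.send_message(msg)


if __name__ == "__main__":
    # Placeholder values: use the same host, port and addresses you typed into
    # the Notifications tab.
    refused = send_test_notification("smtp.example.internal", 25,
                                     "cyberoam@example.internal",
                                     "netadmin@example.internal")
    print("accepted" if not refused else f"refused: {refused}")
```

If the relay refuses the recipient or the From address, the scheduled backup e-mail will fail the same way, so fix the relay’s relaying rules before relying on the schedule.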

Breaking a Trace Route in Cisco Routers and Switches

This is a pretty useful piece of information that will make your network troubleshooting go quicker. I find it kind of hard to remember, as it breaks with convention: you can’t use Ctrl+Break or any of the other normal ways to break a trace, ping or whatever in Windows (Ctrl+Z, Ctrl+Esc, Ctrl+C).

How to Break a Trace or Ping in Cisco Routers and Switches

Step 1 – Hit Control+Shift+6. That’s it. Some routers seem to want you to do it twice.

Outlook Will Not Open Scanned Attachment

This is a hard problem to classify, as I don’t have the exact error message that Outlook gives for it. The basic problem is that when you open an attachment, Outlook puts it into a “Secure Temporary Folder”. If an attachment has the same name as a file that has already been saved to that folder, Outlook appends “(1)” to the file name. This number is incremented every time a file with the same name is opened, up to (99). Once you go over 99 it gives an error message and won’t open attachments with that name.

This is a problem especially with fax servers or scan-to-e-mail devices that don’t give a unique file name to their attachments. If a user gets over ninety-nine similarly named files in this folder, Outlook refuses to open any more of them. This is a pretty easy thing to fix, either manually or with a batch file for heavy attachment users.

Manual Fix

Step 1 – Click your Start button and type “regedit”.
Step 2 – Navigate to this key: HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Security

Please note that the 12.0 part of the above key depends on your Office version. 12.0 is Office 2007; it will be 14.0 for Office 2010. If you check out this Wikipedia article it will tell you what version number corresponds to your Office version.
Step 3 – Right-click the “OutlookSecureTempFolder” value and click “Modify”. Copy the value.

Step 4 – Click your start menu and paste the value into the search box.
Step 5 – Delete everything in the folder that opens.

This will fix the problem. Make sure you get to the right registry entry as your computer might show several versions of Office in the registry.

Batch Script

I recommend you only use this method if you are familiar with batch scripting. You can accidentally mess other things up with a script like this.

Follow Steps 1 – 3 above and open Notepad.

Step 4 – Copy and paste the following into Notepad:

REM Clears the Outlook secure temp folder; line 2 takes the OutlookSecureTempFolder value
cd <paste the OutlookSecureTempFolder value here>
del *.*

Step 5 – Paste the registry value you copied onto the second line, one space after “cd”, in place of the placeholder.
Step 6 – Click File -> Save. Change the drop-down under the file name to “All Files” and save the file as “FixOutlookSecureTemp.bat”.

When you double-click this file it should delete everything in the proper folder, prompting before it does so. I have noticed that sometimes it won’t delete the file with the base name in this folder, giving an access denied message. This is fine; you just need fewer than ninety-nine files of this name.

Make sure this works properly without deleting the wrong files. You can then change line 3 to “del /q *.*” and put it in your heavy users’ Startup group to solve a lot of problems automatically every time they log in.
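For the same job done with a dry run and a duplicate count, here is an added example script, not part of the post. It reads the OutlookSecureTempFolder value from the registry path given above (trying 12.0 and 14.0 from the post plus the later 15.0 and 16.0), reports how close each base file name is to the (99) limit, and only deletes when you pass --delete. The “name (n).ext” naming pattern it looks for is an assumption about how Outlook numbers copies, and --demo builds a constructed sample folder so you can watch it work without touching a real profile.

```python
r"""Clear Outlook's secure temp folder and flag names near the (99) limit.

Added example, not from the post. It reads the OutlookSecureTempFolder value
from the registry path the post gives (HKEY_CURRENT_USER\Software\Microsoft\
Office\<ver>\Outlook\Security), trying 12.0 (Office 2007) and 14.0 (Office
2010) from the post plus the later 15.0/16.0, then deletes the files. The
default is a dry run that only reports what would go; pass --delete to act.
The duplicate-name pattern "name (n).ext" is an assumption about how Outlook
numbers copies.
"""
import re
import sys
import tempfile
from pathlib import Path

OFFICE_VERSIONS = ("16.0", "15.0", "14.0", "12.0")
DUP_RE = re.compile(r"^(?P<base>.+?) ?\((?P<n>\d+)\)(?P<ext>\.[^.]*)?$")
LIMIT = 99  # Outlook stops numbering copies at (99)


def read_secure_temp_folder(versions=OFFICE_VERSIONS):
    """Return the secure temp folder Path for the first Office version found,
    or None. winreg exists only on Windows, so it is imported here."""
    import winreg
    for ver in versions:
        key_path = rf"Software\Microsoft\Office\{ver}\Outlook\Security"
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
                value, _ = winreg.QueryValueEx(key, "OutlookSecureTempFolder")
                return Path(value)
        except OSError:
            continue
    return None


def duplicate_counts(names):
    """Map each base file name to the highest (n) suffix seen, e.g.
    ["scan.pdf", "scan (1).pdf", "scan (2).pdf"] -> {"scan.pdf": 2}."""
    counts = {}
    for name in names:
        m = DUP_RE.match(name)
        if m:
            key = m.group("base") + (m.group("ext") or "")
            n = int(m.group("n"))
        else:
            key, n = name, 0
        counts[key] = max(counts.get(key, 0), n)
    return counts


def clear_folder(folder: Path, dry_run: bool = True):
    """Delete every file directly inside folder. Returns (removed, skipped);
    skipped holds files Windows refused to delete (access denied), which the
    post notes is fine as long as fewer than 99 copies remain."""
    removed, skipped = [], []
    for entry in folder.iterdir():
        if not entry.is_file():
            continue
        if dry_run:
            removed.append(entry)
            continue
        try:
            entry.unlink()
            removed.append(entry)
        except PermissionError:
            skipped.append(entry)
    return removed, skipped


def make_sample_folder() -> Path:
    """Constructed sample data so the script can be exercised without Outlook."""
    folder = Path(tempfile.mkdtemp(prefix="outlook-temp-"))
    for name in ("scan.pdf", "scan (1).pdf", "scan (2).pdf", "fax(12).tif", "memo.docx"):
        (folder / name).write_bytes(b"sample")
    return folder


if __name__ == "__main__":
    folder = make_sample_folder() if "--demo" in sys.argv else read_secure_temp_folder()
    if folder is None:
        sys.exit("OutlookSecureTempFolder not found for any Office version")
    for key, n in sorted(duplicate_counts(p.name for p in folder.iterdir()).items()):
        if n:
            print(f"{key}: highest copy ({n}) of {LIMIT}")
    delete = "--delete" in sys.argv
    removed, skipped = clear_folder(folder, dry_run=not delete)
    print(f"{len(removed)} files {'deleted' if delete else 'would be deleted'}, "
          f"{len(skipped)} skipped")
```

Run it once without --delete on the user’s account to confirm it found the right folder, then add --delete to the Startup shortcut, which matches the “test first, then del /q” order the post recommends.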


How to set up L2TP VPN in Cyberoam

If you need a super easy VPN that can be used without buying a software client like the Cisco VPN Client, then L2TP is definitely the way to go. Windows 7, Vista and XP all have a built-in VPN client that can connect to it. It’s a really good alternative to traditional IPsec, especially for your road warriors.

L2TP Connection Setup

  1. Log into your Cyberoam and click “VPN” on the left hand side.
  2. Select L2TP and fill in the blanks.
    1. The Local IP address should be the one corresponding to the LAN port on your Cyberoam.
    2. “Assign IP” should be a range of UNUSED IP addresses on your local network. I selected a range of 10. For example if through were not used for anything on your network and could be reserved for this, place those IP addresses in these fields.
    3. The DNS server blanks should be your internal network DNS servers so that your users can hit your internal servers without IP addresses. Please see the note below on client set up as I’ve run into a couple of issues with this.
    4. You can add a WINS server, but who uses WINS anymore?
  3. Once you’re done there click on save, then click the policy tab.
  4. You can use the Default L2TP policy, I know it works just fine.
    Capture of Cyberoam L2TP settings
  5. Select pre-shared key in the drop-down and put in a good strong passkey for your connection. Cyberoam will typically recommend a simple number sequence for testing purposes and to ensure you entered it correctly on both ends. You can start out with something like “12345678”, but please change this after you’ve tested it.
  6. The WAN port should be the internet facing IP address your users will be entering into Windows. Please note that if you don’t have a static IP address for your internet connection, you’ll need to use a dynamic DNS service or configure Cyberoam’s dynamic DNS service.
  7. I usually check the “Allow NAT Traversal” checkbox. This helps if your end users are behind a router somewhere.
  8. Set Remote LAN Network to “Any” as you might not know how the other end’s network is set up.
  9. Leave remote ID like it is.
  10. Leave the Quick Mode Selectors at their defaults (it should look like the picture above), unless you know you need a different port.
  11. Click Save, and activate the connection.

L2TP users

I like using Active Directory integration anywhere I can, but for some reason the Cyberoam doesn’t like LDAP users authenticating to it over VPN. I might have a setting wrong, but I’ve never gotten this to work right anywhere I’ve installed one. If you have LDAP/AD integration set up, you’ll just need to add separate users in the Cyberoam for L2TP access. If you imported all your users manually, you can just go into the users you want to give access to and tick the L2TP enable box.

Setting Up Windows VPN

I assume Windows 7 for this. Vista directions are almost identical, XP should be easy to figure out. I would imagine Windows 8 uses the same basic wizard as Vista/7.

  1. Go into your network and sharing center and click “Set up a new connection or network”.
  2. Select “Connect to a Workplace” in the next window. Click Next.
  3. Select “Use my Internet Connection (VPN)”
  4. Type in the IP address you selected in step 6 when you set up the L2TP connection on the Cyberoam. You can also put a DNS name here if you want (Like if you use dynamic DNS or have a DNS record set up on the internet for this IP). Name the Destination. I also will typically select the “Allow other people to use this connection” if multiple usernames will be used on the target computer. Click Next.
  5. Put the username and password in on the next window. These are the Cyberoam user names. Again if you use LDAP you may or may not be able to use your normal Windows login credentials here. I typically don’t send the Domain if I set up Cyberoam specific usernames for this. Click Next.
  6. It will attempt to connect, but you want to skip that because you need to enter a pre-shared key into the Windows settings.
  7. Go back into Network and Sharing Center and click on “Change Adapter Settings”.
  8. You’ll see the VPN connection you just set up here. Right click on it and hit properties.
  9. Everything on the General Tab should be fine. Click on the Options tab. I typically uncheck “Send Windows Domain” since you are logging in with a Cyberoam account. Click on PPP Settings and make sure the bottom two boxes are unchecked.
  10. Click on the Security Tab. Change “Type of VPN” at the top to “L2TP”, this will save a LOT of login wait time. Click the Advanced button under the drop down and select “Use preshared key for authentication”. Enter the same key you put into the Cyberoam in step 5.
  11. Under Data encryption I will select “Optional Encryption” for testing purposes. Required encryption works fine though.
  12. Select “Unencrypted password (PAP)” under the allowed protocols. I usually just do this to test the connection, I take it off for production.
  13. Click the Networking tab. It’s a good idea to manually enter the DNS servers under the IPv4 properties, as for some reason the DNS servers aren’t always passed to the client.
  14. Click OK.

You should be able to connect just fine. Remember you’ll need to test this outside your own LAN. The only problem I’ve had with this method is that the connection occasionally needs to be reset by de-activating and re-activating it under the L2TP connections tab in the Cyberoam. I wouldn’t use this for more than a few users.

The main reason you won’t be able to connect is if you typed the pre-shared key incorrectly. The second reason is usually an incorrect user/password combination. The third biggest reason is the connection needs to be reset as mentioned above. Also I’ve never been able to get more than one remote user per site to be able to connect successfully. So don’t do this and send teams of people to one place on a shared internet connection and expect them all to be able to connect.