Keith Combs' Blahg

Ramblings from another nerd on the grid

May, 2005

  • Passive FTP errors with ISA 2004

When you implement ISA Server 2004 on a connection, by default, it blocks all traffic.  Other than the hidden system rules, you’ll see only one firewall access rule and it denies all traffic in either direction.  In order to use an FTP client, you’ll need to create a firewall rule that allows the FTP protocol.  The site I use for storing screenshots and graphic elements requires passive FTP, so I obviously needed to create a rule so that BlogJet, WS_FTP and other tools would work correctly.

However, even though I created the rule to allow the traffic from my home office network to the internet, things weren’t working correctly.  I could log in to the site, but I could not add a file, rename a file, or delete a file.  Obviously it was time to look more closely at my rule.  I started poking around in the properties and stumbled across the Application Filter section at the bottom of the Parameters tab (see screenshot).  Application filters are very useful and allow you to extend rules in many ways.  I particularly like the streaming media application filters because they “streamlined” getting all of the ports opened correctly for my streaming server.

    So getting back on topic, when I first looked at my rule, the FTP protocol had the “FTP Access Filter” application filter turned on.  At this point I backed out of the properties for the rule and went looking for information on this filter, and what it does.  In the ISA Server 2004 helpfile, I found the following information:

    FTP access filter

    The FTP access filter that is provided with Microsoft Internet Security and Acceleration (ISA) Server 2004 forwards File Transfer Protocol (FTP) requests from SecureNAT clients to the Microsoft Firewall service. The filter dynamically opens secondary ports, which are required by FTP, and performs necessary address translation for SecureNAT clients.

    Although you could create a protocol for FTP, the protocol would not offer the full range of capabilities afforded by the FTP access filter. The following list describes the differences between a user-defined FTP protocol and the FTP access filter:

    • The FTP access filter dynamically opens specific ports for the secondary connection, but the protocol definition opens a range of secondary ports.
    • The FTP access filter can protect clients by performing the address translation required for the secondary connection.
    • Because the FTP access filter includes a read-only FTP protocol definition, it can distinguish between read and write permissions, enabling you to fine-tune access permissions.

    The FTP access filter uses the following protocol definitions, which are installed with the filter during the ISA Server installation:

    • FTP client read-only
    • FTP client
    • FTP server

    For instructions about applying FTP access filtering to a specific rule, see Configure FTP filtering. By default, the FTP access filter is applied to FTP and FTP server protocols. For more information on protocols, see Protocols.

This filter has some cool capabilities and I’ll probably take advantage of some of them later when I publish an FTP server.  But at this point I didn’t really see anything that indicated to me how to fix the issue.  So I turned off the filter checkbox and ran some quick tests.  Bingo!!!  Now I can access the FTP site, upload files, rename files, delete, etc.
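    As an added illustration (not from the original post and not ISA Server’s own code) of what the help text means by “dynamically opens specific ports for the secondary connection”: the filter reads the 227 reply to PASV (or the PORT command, for a published server), opens exactly that one port, and only when the announced address is the peer already on the control connection, whereas a hand-made protocol definition has to open a whole range blind.  The control-channel lines, rule dictionaries and function names below are constructed for this example.

```python
import re

# Constructed sample control-channel lines, not captured from the author's site.
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,88)\r\n"
PORT_CMD = "PORT 192,0,2,20,4,1\r\n"

# FTP encodes host and port as six decimal fields: h1,h2,h3,h4,p1,p2
SIX_OCTETS = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(r"^227 .*?\(" + SIX_OCTETS + r"\)")
PORT_RE = re.compile(r"^PORT " + SIX_OCTETS + r"\s*$")


def _endpoint(groups):
    """Turn the six fields into (host, port); None if any field is out of range."""
    octets = [int(g) for g in groups]
    if any(o > 255 for o in octets):
        return None
    port = octets[4] * 256 + octets[5]
    if port == 0:
        return None
    return ".".join(str(o) for o in octets[:4]), port


def parse_pasv(reply):
    """Data endpoint the server announces in a 227 reply (passive mode)."""
    m = PASV_RE.match(reply)
    return _endpoint(m.groups()) if m else None


def parse_port(command):
    """Data endpoint the client announces in a PORT command (active mode)."""
    m = PORT_RE.match(command)
    return _endpoint(m.groups()) if m else None


def dynamic_rule(line, expected_host, direction):
    """What a stateful FTP filter does: open exactly one port, and only if the
    announced address is the peer already on the control connection.  A
    malformed line or a third-party address opens nothing."""
    ep = parse_pasv(line) if direction == "outbound" else parse_port(line)
    if ep is None or ep[0] != expected_host:
        return None
    return {"proto": "tcp", "host": ep[0], "port": ep[1], "direction": direction}


def static_rule():
    """What a user-defined FTP protocol definition must open instead: the whole
    ephemeral range, because it never reads the control channel."""
    return {"proto": "tcp", "ports": (1024, 65535), "direction": "outbound"}
```

    With the filter checkbox cleared, as in the fix above, the rule behaves like static_rule(): transfers work, but every port in that range is reachable whether or not the control channel asked for it.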

  • Windows Server 2003 SP1 Slipstreaming

    We’re currently delivering some sessions on Windows Server 2003 SP1 and SQL Server 2005.  The last demo of the Windows Server 2003 SP1 session takes an existing Windows Server 2003 i386 directory and slipstreams SP1 into it.  If you dig around on Microsoft.com, you’ll be hard pressed to find documentation on how to do this.  It’s mentioned in the readme for SP1, but you really don’t get a good example in the docs. 

    In order to do the process demonstrated, you’ll need to order the CD.  See http://www.microsoft.com/windowsserver2003/downloads/servicepacks/sp1/cdorder.aspx for ordering instructions.  After you have the CD, you’ll notice srsp1.exe at the root.  You can dump the command line options using the srsp1.exe /? command.  Warning, this unpacks everything before it shows the options (see screenshot). I don’t particularly care for that, but I didn’t write the code.  I just get to whine about it.

If you look carefully, you’ll see some interesting options.  However, what you don’t see is the command line option we use in the demo. HA! Now you know why it’s important to come to a TechNet seminar.  Ok, that’s not the only place to get information, but it is interesting that searches in the MSN and Google search engines currently come up dry on the subject.

    So how does an IT Dude do the slipstream?  Well, the key is to build a directory and do the merge.  You can see the demo (demo 5) at our TechNet website, or perform the following steps:

    1. Create a directory and share it so that network installs can use it later.  We’ll create c:\DepShare.

    2. Copy the contents of the i386 directory on the Windows Server 2003 CD to c:\DepShare.

    3. Open a command console and go to the root of the SP1 CD, or if you copied the contents of the CD, change to that directory.  In our demo, we’ve copied the CD contents to c:\SP1.

    4. Type srsp1.exe /s:c:\DepShare and hit enter.

    At this point, you should see the slipstream process begin.  It will take a few minutes to complete depending on the machine you are using for this merge.  For more information, see the Technical Center at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/servicepack/default.mspx

    For merging SP1 with other updates, see How to Combine SP1 with Other Updates and Deploy to Multiple Computers.

  • What should I run? SBS 2003 Premium SP1 or individual components?

I’m fortunate enough to live in a place where I can get one of those kewl new fiber optic connections to the internet.  It’s called Verizon FIOS and has been steadily rolling out in North Texas and other parts of the USA.  This coming week I am converting my 15meg/2meg residential plan to a static ip address business plan (same speeds).  After the conversion takes place, I’ll have the opportunity to start hosting our email, web sites, etc. from the comfort of my home office network.  If you want information on the Verizon FIOS offering, click the image above for the residential packaging.  The business offerings are at http://biz.verizon.net/pands/fios/Default.asp

    The question that comes to mind is what software I should use to run our websites and email?  Should I install SBS 2003 Premium SP1 or just run some standard editions of Windows Server 2003 SP1, Exchange Server 2003 SP1 and ISA Server 2004 SP1? 

    Core Software Requirements

    • Secure – the server must be secured behind a firewall.  I’m planning on implementing ISA Server 2004 regardless.  ISA will allow us to publish the websites, give us access to email, VPN if needed, etc.
    • Web hosting – the solution must be capable of hosting five public internet facing websites.  Each website is a different domain name.  The number of hits for each website is pretty small.  FrontPage extensions will naturally be used on IIS6.  SSL will be used on Outlook Web Access (OWA).
    • Email – we’ll be receiving email from the five domains mentioned.  For instance, my mailbox must be able to receive email from at least four domains.  For each domain, we would like a “catchall” mailbox rule so that any email sent to the domain is received.  The number of mailboxes will be very low.
    • DNS – all of the DNS records for the five domains will be hosted on our server.  Most likely we’ll have a completely different internal DNS namespace since it would be difficult to decide which public DNS namespace to pick.
    • Xbox Live – we have a number of Xboxes so Xbox Live must work.  The real requirement here is to have a network that is not strict NAT so that our connections can host some of the games.  I know ISA 2004 and Xbox Live is not a supported config, but I am confident I can create the appropriate firewall policies, or set the Xboxes on their own perimeter network.

    My Hardware

The server will be low volume so I am not too worried about performance.  If things grow, I’ll buy a dual proc machine later when needed.  For now, it’s a Pentium 4 2.66 GHz processor, 3 GB of RAM, dual 300 GB SATA hard drives, a built-in Intel Pro 100 VM adaptor, an Intel Pro 1000 MT Dual Port Server adaptor and various other standard components.  I highlighted the dual port Ethernet card because it’s a nice design for those of you that want multiple networks without using a bunch of slots.  Intel also makes some quad port cards.

So back to the original question.  Would we run into any problems running SBS 2003 Premium SP1 (when it ships), or would Windows Server 2003 SP1, Exchange Server 2003 SP1 and ISA Server 2004 SP1 be a more flexible approach?  I really like the integration of the components in SBS but I also like a more modular approach.

    What do you think?

  • Offline Address Book (OAB) Head On Collisions

    We all know about the kinetic energy of a head on collision.  I have a corporate Exchange mailbox.  I also have a hosted Exchange mailbox.  Each time I log on to either profile and retrieve new email using a “Send/Receive”, the current Offline Address Book (OAB) gets whacked by the incoming OAB data.

    Unlike a head on collision with vehicles, size does not matter.  My hosted OAB is tiny compared to the OAB I receive from Microsoft.  So I set out to research if it was possible to force Outlook 2003 to look into a specific directory for the OAB.  It seemed logical that per profile settings would be the way to go.

Fortunately, a Knowledge Base (KB) article on the subject has already been written that describes one solution to the problem. How to Change Location of Offline Address Book Files (KB 148493) goes on to describe modifying the settings that are used during profile generation.  You can create an email profile and specify the location of the OAB files using the OfflineAddressBookPath value.  This seems simple enough, but I thought I would ask the rest of you if you have devised any other methods.

    Any thoughts or tricks on this subject?

Update for 5/25 - Apparently I didn't read the entire article.  Supposedly, the method described is ignored by Outlook 2003.  Great.  Back to square one.

  • DNS testing - try these automated tests

Have you ever wondered if your DNS mad skillz are really up to par?  Would you like to test your DNS implementation?  Are you tired of poring over the standard text books and looking at whitepapers?  Hey, I don’t blame you one byte.  So stop fretting and head over to http://www.dnsreport.com/.  The site is simple and allows you to crank a number of tests against your domain to see if any problems are identified.

    I stumbled across it trying to diagnose an email issue.  One of the domains I was hosting was seeing blockage from an email domain we were trying to send to.  The DNS Report test reported enough information to get us on the right track for resolution.

    As you might recall, I am hosting five domains from my fiber connection.  All inbound and outbound email traffic flows through my Exchange 2003 server.  All of this is running on Windows Server 2003 Standard SP1 with protection provided by Sig Arms and ISA Server 2004.  I’ll be writing a lengthy article soon about the firewall rules, media server implementation, DNS implementation, webfarm, etc.  The SBS support dudes said I’d never get it working correctly…    By the way, it’s all on one box.  So how did I implement a primary and secondary DNS server?

    I’ll be building a SBS 2003 SP1 box as soon as I get official media.  We’ll definitely put it to the test when that happens.  Stay tuned…

  • Does anyone use MS Reader?

I’m sure several years ago, many of you installed and used MS Reader to some degree.  I really like it because I love ClearType fonts.  I also like Reader because it has a Pocket PC version and gave me another excuse to justify having a PDA.  I purchased a few books and took advantage of the summer series where we gave away free copies of books each week.  That was an awesome promotion by the way.

    As many of you are aware, being a Microsoft employee means you have the opportunity to test and run a variety of products.  This also means you get in the habit of building laptop images pretty frequently.  Unfortunately, this also means you’ll run through your six MS Reader activations pretty fast.  Thankfully, you can get more activations after you justify it to PSS.

    But I wondered how many people are in the same boat?  Do you like MS Reader but can’t use it? If so, follow these steps:

    • Go to http://das.microsoft.com/activate/en-us/default.asp
    • Attempt activation using your Passport account.  Once you have received the “quota exhausted” or “limit exceeded” message, you will have the opportunity to submit a request for more activations.
    • Submitting this request will produce an immediate “request denied” message.  On this page is a second request form, to PSS.  Submit the request there... you will be granted more activations.

    I’m assuming this works for anyone and didn't just work for me because I am a Microsoft employee.  Hopefully this will help everyone answer the question correctly.