IT Work

ISA 2006 and the fun of a corrupt rule

Tim Robichaux — Tue, 16 Jun 2009 22:07:43 GMT

It always seems like every time one thing if fixed, something else breaks. This morning I was working on Project A and I needed to look something up on our ISA 2006 firewall. While I was there I decided that I would look into, and fix, something odd that was happening with Project B's rule. Well, after fixing the rule into a corrupt state, I now had a Project C to work on as well. Corrupt rules are never fun, but I was able to figure out how to fix it, but I'm sure it's NOT a supported or recommended procedure.

When I was trying to find out exactly what machine we are routing FTP traffic, I wanted to take a look at why my IMAP connections seemed to be getting mail that was MONTHS out of date. Looking up and down the list of rules, I found a duplicate IMAP(S) rule that was pointing to an old IP address of our Exchange 2007 server. I figured that somehow, that might be a reason why I'm not getting the correct e-mail. I clocked into the rule, and changed the internal endpoint to our current Exchange 2010 server, clicked Apply and then OK.

On closing out of the ISA Management Console and looking at my e-mail, I noticed that my Inbox was starting to fill up with alerts from System Center: Operations Manager telling me that there was a problem with the configuration on one of our ISA machines, specifically the one that I was logged into. Side Note: I know I should have been looking at the configuration on the Configuration server, not one of the nodes of the array, but the Configuration server is having problems of its own!!!

Logging into the Configuration server, I opened up the Management Console and noticed that the rule I had edited was missing a bunch of information. Clicking on it (right or left) brought up an error dialog stating that "there is not enough memory to perform the action." After much fumbling and scrolling up and down, I realized that the name of the corrupt rule was the same as one farther down on the list, and when I changed the IP, the rules ended up being exactly the same. This led to the node pushing the change up to the configuration server before it was really sure that it SHOULD, and so, I am stuck with this dumb ghost rule. Since I know that I couldn't affect the corrupt rule, I decided to change the name of the good rule, so they wouldn't match! Brilliant!!! (:

Things weren't quite that simple, however, and when I made any changes to anything else on the server, I wasn't able to commit the changes! I kept getting an error that the corrupt rule needed more information before the changes could be saved. Oops! I even tried Exporting the rule set, removing the offending rule from the XML file, and then Importing it back in, but I ran into the same error.

It was time to bite the bullet and following the somewhat sparse directions from this forum post, I fired up ADAM ADSI Edit to remove the offending rule, once and for all.

Even though the directions weren't the best, it was enough for me to get there, so I'll post a little bit more coherent account:

Log into the machine that's hosting the ADAM database.
Open the ADAM ADSI Edit application by clicking "Start -> All Programs -> ADAM -> ADAM ADSI Edit"
Right-click the ADAM ADSI Edit node in the tree pane, and select "Connect to…"
Leave the Server name the default value of "localhost" and change the Port to "2171"
Select the Distinguished name (DN) or naming context: radio button and enter "CN=FPC2" into the box
Click OK.
In the tree pane, expand the My Connection [localhost:2171] node, and then the following nodes:
- CN=FPC2
- CN=Array-Root
- CN=Arrays
- CN={GUID of affected Array}
- CN=ArrayPolicy
- CN=PolicyRules
Once in the right set of Policy Rules, find the GUID of the offending rule and delete it
Restart the Microsoft ISA Server Storage service to re-populate the cache
Profit!

NOTE: I am pretty sure this is NOT supported. Any time you mess with ANY of the raw editing tools, you stand a big chance of messing things up beyond recovery. DO NOT USE these steps if you are not willing to accept total failure as a possible case.

Exchange 2007 and Disabled Mailboxes

Tim Robichaux — Fri, 12 Dec 2008 10:03:34 GMT

This is an information post, designed to make some information available to myself and others. I did NOT discover this but I thought it was something pretty important.

When disabling an Exchange 2007 mailbox, it sometimes will not automatically show up in the "Recipient Configuration | Disconnected Mailbox" bucket. It takes running the command:

clean-mailboxdatabase <mailbox database>

Once that command is run, you can reconnect it or do whatever you need to it. Thanks Missy and Amit (If you want the full explanation and pictures, click here)!

Looks like it's NOT 64-bit

Tim Robichaux — Wed, 29 Oct 2008 22:56:44 GMT

So, there's been all this hooplah (created by me) about the MacBook Pro that I'm using at the moment. I have been really enjoying my time spent with it, and I've been able to overlook some of the minor issues that I've run into. I do wish that it had more RAM. I do wish that Excel could open my timesheet. I do wish that I could easily sync offline files (Paul tipped me on a product, but I don't want to write about it until I've fully tested it).

Those are all small issues, but what I've run into now is bigger than that. Apparently, I am running a 32 bit operating system <pausing for the collective gasps>! I made the attempt to create a new virtual machine running Windows Server 2008, so that I could run a couple of the management tools that I can't run in OSX. My attempt resulted in this screen:

Shocking, I know. Now, I also understand that with a smaller amount of RAM in my system, it's really not a big deal to not have all 64 bits of addressable space, but the outrage is justified. In doing some research, I found out that the chip that was shipped was 64 bit CAPABLE, just not ENABLED. I'm not going to futz around and try and make it work, but that is something that I want to make sure my next hardware purchase can handle. I know this sounds silly, but I try to research these things, and I've walked away from buying hardware because it lacked a single feature that I wanted. NOTE: This should be taken with a hearty understanding that a) this is a WORK laptop and that I didn't pay for it and b) I am very grateful for the chance to use it and experience the goodness that is a MacBook Pro.

That all being said, I'm off to dig up my 32 bit version of Windows Server 2008 to install. Whee!

Mac Stuff

It's a difficult decision

Tim Robichaux — Fri, 24 Oct 2008 20:57:31 GMT

I'm getting ready to head out to PDC to do some support work and I'm faced with a very difficult decision, in my mind. As I stated in my last post, I just got a shiny, new (old) MacBook Pro. I've been using it for two days now and the only thing I've found that was kind of wonky has been working on my timesheet in Excel (the Mac Office 2008 version). The dilemma, to cut to the quick, is that I am worried that something will come up at the PDC where the MacBook Pro will not suffice. If there was an issue I could be concerned about, straight up, I would address it, but this is more of a nebulous fear.

I currently use a Lenovo Thinkpad T61 with 8GB of RAM and a 160GB drive as my primary work machine. It's been doing "OK," but there are always quirks. The new MacBook Pro has less RAM, and a slightly slower processor, but it also has much more hard drive space. Most of these things are a non-issue, but that is where the fear comes into play.

I think that what I'm going to do is just end up taking both machines with me. The nice thing about working backstage is that I'll be able to (mostly) set up my stuff and then not have to worry about it. I don't think having a "backup" Thinkpad is going to be an issue, but I can have it there as a security blanket, just in case things go belly-up. If someone DOES point out that I'm a huge geek and I should just pick one machine and stick to it, I can claim that the Thinkpad is a backup for the demo! Woo! I win!

Mac Stuff

Living with DPM - Part 2

Tim Robichaux — Tue, 16 Sep 2008 16:53:32 GMT

Lately I've been working with System Center - Data Protection Manager from Microsoft and I have to say that while it's a nice product, there are some areas that need improvement. One of the things I've been wanting to do is talk about some of the issues I've had and open up a forum to discuss those issues. To start this off, I'm taking some of the problems that I've had with DPM's tape handling.

Note: I don't want it to look like I'm just bashing DPM. I DO like parts of it. If you know of ways to resolve these issues, PLEASE let me know. I'll post those fixes as updates.

Tape Issue El Five:

Inconsistency in tracking tape movement. When I use the tape device to remove a tape or multiple tapes (since this is the only manner to eject or load tapes), DPM does not see that I’ve done anything; it never actually talks to the tape library. When I try to resync, the progress bar completes but no updated information is produced. If I re-run a Detailed Inventory, it then finds out what tape slots are actually occupied. This seems like a lot of tape movement just for DPM to see that a tape has been removed.

Tape Issue Number VI:

The whole OMID and barcode thing. I know there has been talk about getting this fixed, but it is a big stopper when I can’t erase the tapes or generate an OMID on my own to pop in there. Until this gets resolved, I’ve just turned off the barcode reader in the tape library.

Tape Issue Number 7:

I can’t figure out how to allow multiple protection groups to get written to a single tape. This may just be me missing something pretty obvious, but I would like to be able to put multiple, smaller protection groups all on one tape so that I don’t have the huge number of extra media just to back up a bunch of 600MB – 20GB protection groups.

Yes, Number 4 is missing. When I was writing this, originally, I was doing it in the heat of irritation. That leads to many things like snarky humor and missed counts.

Living with DPM - Part 1

Tim Robichaux — Fri, 12 Sep 2008 21:43:01 GMT

Note: I don't want it to look like I'm just bashing DPM. I DO like parts of it. If you know of ways to resolve these issues, PLEASE let me know. I'll post those fixes as updates.

Tape Issue Numero Uno:

No tape controls in DPM. When I am using DPM to back up data to tape in a library, it would be nice to be able to eject and load tapes using DPM, instead of having to navigate through the menus on the front of the tape library.

Tape Issue Number Two:

Lack of success at erasing ANY tape. Whenever I try to put in a new tape and erase it, it fails. It does not matter if it is a new tape, fresh from the plastic or one that has been used for backups before, I’ve never had a tape get successfully erased. As far as I know, erasing the tape using DPM is the way to get around the issues of media with no OMID.

Tape Issue The Third:

Lack of success identifying any tape. This is the situation, I have five tapes.

Tape 1 – Fresh out of the box
Tape 2 – Fresh out of the box
Tape 3 – Used on the old system (has data)
Tape 4 – Used on the old system (has data)
Tape 5 – Used on the old system (has data)

Every tape is put into the loader and then once a Detailed Inventory is run. Here are the results:

Tape 1 – Unknown
Tape 2 – Unknown
Tape 3 – Unknown
Tape 4 – Unknown
Tape 5 – Unrecognized

I try to Erase or Identify any of the individual tapes. The jobs all fail, but when a particular tape gets put back, it changes from Unknown to Unrecognized and I can “Mark as Free…” So now, I have:

Tape 1 – Unknown
Tape 2 – Free (Contains Data)
Tape 3 – Unknown
Tape 4 – Free (Contains Data)
Tape 5 – Free (Contains Data)

So now, out of 5 tapes, I have three that I can use. This seems like a lot of work with little return.

I know that DPM is supposed to be very different from traditional backup systems, but I think that the change has been too radical. It is hard to educate IT organizations to the point where they are comfortable migrating to a new technology when something as important as backups are concerned. I'm looking forward to see where Service Pack 1 will take us in the future.

Microsoft ISA 2006

Tim Robichaux — Thu, 14 Aug 2008 23:01:57 GMT

Recently we picked up a big project in the Platform team. We were all excited about it, and pretty soon we were all working hard at making it a success. One of the things that was a little bit broken was that were trying to come up with a good way to make files available to customers and team members who were not local. Sure, the team members could VPN in, but the customers couldn't. We looked at a couple of solutions like Microsoft Groove and publishing a Sharepoint site, but everything seemed to have a problem or issue that we really didn't like. What we ended up deciding on as a solution was using our existing TeamPlain Web Access for Team System. We had used that solution before to give access to another client to access the bug tracking list for a code project and everyone seemed to be happy with how it turned out.

Projects were created, permissions assigned, and then the fun started.

It seemed that people were able to log into the system and navigate with no problem, but they couldn't download any of the files. I looked into TFS and TeamPlain and I couldn't find anything that would prevent this issue. Looking at the error that was coming up on the client, I thought that it looked a lot like an error tossed out by ISA 2006.

Error Code: 500 Internal Server Error. The request was rejected by the HTTP Security filter. Contact your ISA Server administrator. (12217)

After some googleing, I found that this error is often seen in OWA implementations behind ISA 2006 and there is an option in the HTTP configuration on the publishing rule in ISA that you can set to prevent this error. I whipped open the ISA Server Management tool and started right-clicking. The only problem was that the "Configure HTTP" option that should have been there on that rule was missing. When I opened up the rule, on the "Traffic" tab, I should have been able to click the "Filtering" button and get to the same setting (which the fix is, for the impatient, turning OFF the "Verify normalization" and "Block high bit characters"). This was something of a big problem since without that switch, I wouldn't be able to share these files in the way that we had decided.

Sidenote:
The problem with the file download, at it's root, seems to be that the title of the file has some extra characters in it. What is supposed to be a %20 in the URL gets converted to %2520 and ISA chokes on this and says, "Not YOURS, no file for YOU." As you can guess, this is a pretty big problem when trying to use the system to deliver documents and foster collaboration.

Back to ISA 2006. It didn't work. Now, I had been unhappy with our ISA server for quite a while. It never got patched right, and all sorts of odd things have happened with it. I couldn't troubleshoot it, since it was a production system, so I did the second best thing, I built a new one. I lovingly patched it, and coddled it and configured it the best I was able. The neat thing was that I created a bunch of test rules, and they DID have the options that I needed to configure. The final step was to import the rules from the old ISA server. Oddly, when I imported them, the RULE WAS BROKEN on the NEW server. After much swearing, I wiped ISA from the box and started over. This time, at the suggestion of our Head of IT, I took an exported set of the rules from the old (BAD) server and imported them into the (NEW) server AFTER making a backup of the rules that worked. This time, when I imported the rules from the old server, everything WORKED.

I've been working with Microsoft products for a number of years, and this kind of behavior is quite common. I remember installing Windows 2000 Professional on the same hardware a couple of different times and getting different configurations each time. I wasn't surprised, but I was just glad that it worked. After some more configuration, I thought that I had everything the same as the existing firewall, and after some convincing of the Head of IT, at 6:00PM we switched over to the new system. The only problem that I was able to find was this morning, VPN was broken and one of the sites (http://getsharp.3sharp.com) was unreachable.

Now, I don't have VPN totally ironed out (I just switched us back to PPTP which is FINE when you are using strong passwords, which we are), but it looks like everything is doing well. Just because I am so happy about these, I will now list the things that used to be broken that now work:

Pandora Internet radio.
Performance Monitor on the ISA machine
Updates and patches on the ISA machine
File transfers using the TeamPlain web access

So, next on my list of things to do is building a new Edge server for our OCS deployment. We have been having some issues with this and it's due to us running out of IP addresses. I just got 13 more, and I'm totally pumped about the stuff we'll be able to publish with them!

Subtext 2.0

Tim Robichaux — Thu, 14 Aug 2008 21:31:05 GMT

Hey! Apparently, a new version of Subtext is coming out! I've been waiting for this for a while, and I'm going to get it put on the IT list of things to get done. I don't think it will change the way we do business, but I am really looking forward to some of the refinements that it incorporates.

Update:
One of the things that is mentioned is improved integration with Windows Live Writer. This is one of the really exciting things, since the is a product I can't say enough nice things about. I'm VERY happy with it.

Just a short shout out

Tim Robichaux — Thu, 17 Jul 2008 00:05:50 GMT

I don't want to get into the middle of a huge flame war, but I wanted to say that I think Apple did an awesome job with the split-disk install of Leopard that I'm working with right now. I've had to install operating systems a number of times, and installed software all over the place, and one of the things I've noticed is an inconsistency in checking to make sure you have all the disks. I just got done walking through the wizard for installing a fresh copy of Leopard, and the last thing that I was asked was if I had the Mac OS X Install Disc 2 handy, since I would probably need it. The nice thing about this was that it was done just before the format, so it was the last little check, just to make SURE that you were ready to wipe things out.

Once more, not trying to incite a flame war, but I found this MUCH more comforting than when I tried to install Windows Media Center 2005 back a few years ago and only realized that I was missing a disk when halfway through installing files, I was told to insert Disc 2. It was my own fault for not checking before I started, but we don't reinstall every day, so it is nice to have little reminders, sometimes.

I don't remember when it was that I first saw it in Linux, but I do remember on Red Hat or Fedora, being given a list of the CDs that I would need to install the packages I had chosen. I remember at the time lamenting the fact that I couldn't install a base system off of one CD (which, as far as I know, is still the case if you don't download the DVD). Now, I use Ubuntu for all my Linux-licious needs, so one CD is all that I need and all that I want.

P.S. If you didn't know, you can install a small jailed copy of Ubuntu Desktop 8.04 on an existing NTFS partition. I just installed it on my co-worker's Server 2008 box for him to find in the morning. With getting the OS installed and dual monitors working and ready for a reboot back into Server 2008, I invested about 10 minutes in the prank. That's some nifty software!

How To Set Up Phone Paging on a Mitel 3300

Tim Robichaux — Thu, 10 Jul 2008 23:53:36 GMT

Our Story So Far

I am not an expert in traditional telephony. I am at peace with this, but there are times where I need to step up to the plate and take one for the team. I've been managing and maintaining our Mitel 3300 ICP for a while now, and I am constantly struck as to how difficult it can be. For a large number of years, telephony of the traditional type, has been full of terms and concepts that may not be quite comprehensible to someone who is not well steeped in the lore of the big Bells.

Earlier today, I was working at my desk and I was asked if I could page some people to help move some equipment from the office across the hall. I'll admit that I was actually stumped. This was something that I had never thought about, and I had no idea how to go about it. With all of the phone systems that I had worked with, previously, there was normally a button on the phone that would page everyone else with a phone. This worked well in a small office where people were often not at their desks. Since just pushing the button seemed to work (and I was not responsible for the PBX), I washed it from my mind. Now that I am in charge of making our PBX sing, it's a bit of a different matter. Delving into the (meager) documentation that I have on the 3300, I found what seemed to be the thing to do. There was already a paging group set up.

I added myself to the group (there were a few members in it, but none since we took over the PBX from our vendor), and then looked to see how to add a button to my phone. Navigating to the Multiline Set Key Assignment, finding my set than then finding an open button, I was presented with a large number of options. I selected the "Paging" option, saved and preceded to fail at paging people.

Looking into the help files, I was only able to find information on Loudspeaker Paging, which I was to find out, is very different from paging directly to the phones. After much searching around and digging, I found a refrence to a concept called "Direct Paging." I didn't see it when I was searching the help files (I actually found it in a 3300 User Guide, under the Advanced Features). I tried the steps contained in the instructions, but it looked like they weren't working.

Thinking that this might be a problem with how I set up my buttons, I looked back through my key settings and, lo and behold, I found an actual option to assign a button the "Direct Page" function.

With everything saved, I was able to pick up the handset, hit my new page button, dial the Page Group number, and send my shining voice out to the masses.

Back to the Good Stuff

It looks like in the telephony industry, there is a big difference in using the phone to send a message to an actual paging system and just sending a message to all the phones lying around in the company.

It looks like there are quite a number of parallels between the two, however. The way the Loudspeaker Paging works is through an actual port or card that connects to a loudspeaker system. Depending on the level of complexity of the system, the 3300 can support up to 16 zones (well, it can really support 15 zones with one [00] reserved for the dreaded "Page All Zones" type of function). On the Direct Page side of the fence, the administrator has the option of setting up multiple Page Groups and all management and pages are handled by the 3300, instead of outside hardware. I'm not sure of the maximum number of Page Groups, but it seems like it is probably quite a few.

I don't want to spend a lot of time becoming an expert on Mitel. There are people who work with the hardware much more than I do, and I would rather focus on the specifics of integrating it with OCS 2007. Now, having said that, for the record, I love learning the little ins and outs of these systems. It's quite interesting and I've learned a lot about how PBXes work, and that's help me understand the link between the telephony world and VoIP.

Well, back to the phone closet!