SSL VPN With 2008 Server
Nowadays every business is mobile, which means a VPN connection is most likely needed. The problem is that when clients travel to hotels or other countries, firewall compatibility and configuration can cause connectivity issues. Fortunately there is an answer for this: SSL VPNs. Because an SSL VPN runs over TCP port 443, the same port as any HTTPS website, it is allowed through almost every firewall, so remote users get a much more reliable connection no matter where they are. To top it off, an SSL VPN (SSTP, the Secure Socket Tunneling Protocol) is a feature natively bundled with Windows Server 2008.
How do SSL VPNs help?
* A NAT device doesn't need to support PPTP (GRE passthrough) for the tunnel to work.
* No ports other than TCP 443 need to be open on the firewall (think hotels and other countries).
* Connectivity can be made through web proxy servers.
* The small-footprint VPN client is built into the OS, so there is nothing extra to deploy.
Clients supported: Windows Vista SP1 and later, Windows 7, Windows Server 2008
What are the high-level steps involved in setting up Windows Server 2008 SSL VPN connections (SSTP)?
* Obtain a certificate to be used for your connections (just as if you are installing an SSL certificate for your website)
* Install IIS on the VPN server
* Request a certificate for the VPN server using the IIS Certificate Request Wizard
* Install the SSL certificate
* Install the RRAS server role on the VPN server
* Enable the RRAS Server and configure it to be a VPN server
* Configure the user account to allow dial-in access (Network Access Permission)
* Update public DNS so the name clients will use (e.g. vpn.company.com) resolves to the VPN server's external address
* Configure the Client to use SSTP and Connect to the VPN Server using SSTP
How-To configure Windows 2008 for SSTP VPN
1. Install IIS on the VPN server with all security settings marked for installation
2. Create a certificate request in the IIS console
a. Make sure the common name is the actual Internet hostname clients will connect to (e.g. vpn.company.com)
3. Cut and paste the certificate request into your SSL provider's website
4. Install any intermediate certificates and your SSL certificate per your SSL provider's instructions (DO NOT bind the certificate to a website in IIS; SSTP registers its own binding on port 443 through HTTP.sys, which is what the netsh steps below check)
5. Install Routing and Remote Access
6. Load the Routing and Remote Access MMC and run the wizard to enable it (select Custom -> VPN if you are using only 1 NIC)
7. Enable dial-in access for the remote user's AD account
8. Allow inbound TCP 443 from the outside to the VPN server on the perimeter firewall
9. Update public DNS for the domain with the common name of the certificate
10. Test the SSL VPN connection by choosing SSTP as the VPN type in the VPN connection's properties
If the connection doesn't work, make sure the proper certificate is bound, on the VPN server:
1. Make sure the right certificate hash is bound on 0.0.0.0:443 and [::]:443 (netsh http show ssl)
a. If necessary, delete and re-add the correct certificate binding:
1. Remove the binding for IPv4 (netsh http delete ssl 0.0.0.0:443)
2. Remove the binding for IPv6 (netsh http delete ssl [::]:443)
3. Delete the hash SstpSvc cached in the registry (reg delete hklm\system\currentcontrolset\services\sstpsvc\parameters /v sha256certificatehash /f)
4. Add the binding for IPv4 (netsh http add sslcert ipport=0.0.0.0:443 certhash=<replace with your cert hash> appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY)
5. Add the binding for IPv6 (netsh http add sslcert ipport=[::]:443 certhash=<replace with your cert hash> appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY)
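The check-and-rebind procedure above as one script, added here as an example and not code from the original post. It finds the certificate issued for the VPN hostname, compares its thumbprint with what HTTP.sys has bound on both 443 endpoints and with the SHA-256 value SstpSvc caches, and only redoes the binding when something disagrees. Assumptions: the hostname vpn.company.com from the post, the certificate (with its private key) is already in the machine's Personal store, the script runs elevated on the RRAS server under PowerShell 2.0 or later, and bouncing SstpSvc/RRAS after the rebind (the manual steps don't say so, this is my addition) is acceptable.

```powershell
# Added example (not part of the original post): verify, and if needed redo, the SSTP certificate
# binding on a Server 2008 RRAS box. Assumes vpn.company.com (from the post), the cert in
# LocalMachine\My with a private key, PowerShell 2.0+, and an elevated prompt on the VPN server.
$VpnHost   = 'vpn.company.com'
$SstpAppId = '{ba195980-cd49-458b-9e23-c84ee0adcd75}'   # SSTP application id, same as the netsh steps above
$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'

# 1. The certificate clients will validate: subject CN = public hostname, private key present,
#    not expired. If several match (after a renewal), take the one that expires last.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($VpnHost))" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate for CN=$VpnHost in LocalMachine\My" }
$thumb = $cert.Thumbprint.ToLower()

# 2. What HTTP.sys actually has bound on 443 for IPv4 and IPv6 (parsed from netsh output).
function Get-BoundCertHash([string]$IpPort) {
    $text = netsh http show sslcert "ipport=$IpPort" 2>&1 | Out-String
    if ($text -match 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})') { return $Matches[1].ToLower() }
    return $null
}
$needRebind = $false
foreach ($ipport in '0.0.0.0:443', '[::]:443') {
    $bound = Get-BoundCertHash $ipport
    if ($bound -eq $null) { $bound = '<none>' }
    Write-Host ("{0,-12} bound: {1}  wanted: {2}" -f $ipport, $bound, $thumb)
    if ($bound -ne $thumb) { $needRebind = $true }
}

# 3. SstpSvc caches the SHA-256 of the certificate it bound last (the registry value the manual
#    steps delete); a stale value keeps the old binding alive after the cert is replaced.
$sha256 = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)
$cached = (Get-ItemProperty -Path $RegPath -Name SHA256CertificateHash -ErrorAction SilentlyContinue).SHA256CertificateHash
if ($cached -and ([BitConverter]::ToString($cached) -ne [BitConverter]::ToString($sha256))) {
    Write-Host 'SstpSvc cached SHA256CertificateHash does not match the certificate'
    $needRebind = $true
}

if (-not $needRebind) { Write-Host 'SSTP certificate binding is consistent; nothing to do.'; return }

# 4. Redo the binding in the order of the manual steps: stop SstpSvc (-Force takes RRAS down with
#    it, since RRAS depends on it), drop both bindings and the cached hash, add the bindings back
#    under the SSTP app id, start RRAS again (which starts SstpSvc as a dependency).
Stop-Service SstpSvc -Force
netsh http delete sslcert 'ipport=0.0.0.0:443' | Out-Null
netsh http delete sslcert 'ipport=[::]:443' | Out-Null
Remove-ItemProperty -Path $RegPath -Name SHA256CertificateHash -ErrorAction SilentlyContinue
netsh http add sslcert 'ipport=0.0.0.0:443' "certhash=$thumb" "appid=$SstpAppId" certstorename=MY
netsh http add sslcert 'ipport=[::]:443' "certhash=$thumb" "appid=$SstpAppId" certstorename=MY
Start-Service RemoteAccess

foreach ($ipport in '0.0.0.0:443', '[::]:443') {
    Write-Host ("{0,-12} now bound: {1}" -f $ipport, (Get-BoundCertHash $ipport))
}
```

The thumbprint netsh prints is the SHA-1 hash HTTP.sys keys bindings on, while the SstpSvc value is a SHA-256 of the same certificate, so the script checks both rather than assuming one implies the other.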
Exchange 2003 and POP3 timeouts
If you have a system where most users get timeouts on their POP3 accounts, this might be the fix!
Install and open Wireshark (google wireshark) and set it to show only POP3 traffic with this filter: "tcp.port == 110"
Then log in to the POP3 server with telnet like this:
telnet exchangeserver.com 110
user userwithproblem@exchangeserver.com
pass testpassword
list
retr 1
Watch the RETR reply in Wireshark: the message body should end with a sign-off line holding a single "." which tells the client the message is complete. If that line never arrives, the client sits waiting until it times out, and you have this problem. It's detailed in KB816896.
Make this reg file:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\POP3Svc\Parameters]
"CheckPop3Tail"=dword:00000001
(REMEMBER to leave an empty line at the end of the file, or regedit won't import it the way it's supposed to)
Import the reg file and restart the POP3 service.
Try to get your mail again.
Hope this helps someone out there
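The telnet session and the registry fix above as one script, added here as an example and not code from the original post. It drives the same USER/PASS/LIST/RETR 1 exchange over a raw socket, checks whether the RETR reply is ever closed by the "." line within a timeout, and applies the same CheckPop3Tail value if it is not, so the check can be repeated without Wireshark. Assumptions: the server, mailbox and password are the post's placeholders (the session is plaintext POP3 on 110, so use a throwaway test mailbox), PowerShell 2.0 or later, and the fix branch runs on the Exchange server itself.

```powershell
# Added example (not part of the original post): scripted version of the telnet/Wireshark check
# for KB816896, plus the registry fix. Placeholders (server, user, password) are the post's own.
function Test-Pop3Retr {
    param(
        [string]$Server,
        [string]$User,
        [string]$Password,
        [int]$Port = 110,
        [int]$TimeoutMs = 10000
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $stream = $client.GetStream()
    $stream.ReadTimeout = $TimeoutMs                 # a read that waits longer throws IOException
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"
    $writer.AutoFlush = $true

    $log = New-Object System.Collections.ArrayList
    $terminated = $false
    $bodyLines = 0
    try {
        [void]$log.Add('S: ' + $reader.ReadLine())                         # greeting
        foreach ($cmd in "USER $User", "PASS $Password", 'LIST', 'RETR 1') {
            $writer.WriteLine($cmd)
            [void]$log.Add('C: ' + ($cmd -replace '^PASS .*', 'PASS ********'))
            $reply = $reader.ReadLine()
            [void]$log.Add('S: ' + $reply)
            if ($reply -notlike '+OK*') { break }                           # bad login, empty mailbox, ...
            if ($cmd -eq 'LIST' -or $cmd -eq 'RETR 1') {
                # Multi-line reply: the server must close it with a line holding a single ".".
                # The KB816896 failure is that this line never comes for RETR, so the client waits.
                try {
                    $line = $null
                    while (($line = $reader.ReadLine()) -ne '.') {
                        if ($line -eq $null) { break }                      # connection dropped
                        if ($cmd -eq 'RETR 1') { $bodyLines++ }
                    }
                    if ($cmd -eq 'RETR 1') { $terminated = ($line -eq '.') }
                    [void]$log.Add("S: <multi-line reply closed with '.'>")
                } catch [System.IO.IOException] {
                    [void]$log.Add("S: <no '.' terminator within ${TimeoutMs} ms>")
                    break
                }
            }
        }
        try { $writer.WriteLine('QUIT') } catch { }
    } finally {
        $client.Close()
    }
    New-Object PSObject -Property @{ Server = $Server; RetrTerminated = $terminated; BodyLines = $bodyLines; Log = $log }
}

$result = Test-Pop3Retr -Server 'exchangeserver.com' -User 'userwithproblem@exchangeserver.com' -Password 'testpassword'
$result.Log
if ($result.RetrTerminated) {
    Write-Host "RETR reply was closed properly after $($result.BodyLines) body lines; this is not the KB816896 problem."
} else {
    # Same key and value as the .reg file above; must run on the Exchange server.
    Write-Host 'RETR reply never closed: applying the KB816896 registry fix and restarting POP3.'
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\POP3Svc\Parameters'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name CheckPop3Tail -Value 1 -Type DWord
    Restart-Service POP3Svc
}
```

The password is masked in the transcript the function returns, but it still crosses the wire in the clear exactly as it does with telnet, which is why the test mailbox should be a throwaway one.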
Growl, Prowl and our iPhone in an IT environment
I found Prowl in the iTunes store the other day. It has some great features! After I got it to work I can now get push notifications on my iPhone if a server is down, a service restarts, or a backup just failed!
First, go get Growl for Windows here
Then install it and add your iPhone under "Network". For now set the notification priority to all.
Go get growlnotify and drop its contents into your Windows folder.
Now go to your Windows 2008 server's Event Viewer (or event collector) and attach a task that runs on the specific event you care about. Add a command line like one of these:
c:\windows\growlnotify.cmd /t:"{Topic}" "{Message to send}"
c:\windows\growlnotify /a:{NameOfApp} /r:{NotificationType} /n:{NotificationType} /t:{Topic} "{Message}"
NOTE: WordPress changes the double quotes for some reason. Retype them manually or you will get a "bad arguments" error.
The notification type matters, because in Growl you can mark a specific notification type as EXTRA important and have it sent on to your iPhone (or to another Growl notification server) while the rest stay local.
And well... PANG, you get push notifications on your iPhone (as long as you remembered to install Prowl first - you get that from the App Store!)
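A script the event-triggered task can run, added here as an example and not code from the original post. Run once with -Register it creates the task itself (schtasks /SC ONEVENT, the Vista/2008 event trigger); when the task fires it looks up the newest matching event and pushes it through growlnotify with the /a /r /n /t switches shown above, so the {Topic} and {Message} placeholders are filled from the event instead of typed by hand. Assumptions: growlnotify.exe sits in the Windows folder as the post describes, the script is saved at a path without spaces (say C:\Scripts\Send-GrowlEvent.ps1), Growl for Windows is running on the same box with the Prowl forward configured, and the ServerWatch/Critical names are placeholders you can change; PowerShell 2.0 or later.

```powershell
# Added example (not part of the original post): event-triggered task + growlnotify wrapper.
# Assumes growlnotify.exe in %windir%, a script path without spaces, Growl running locally.
param(
    [string]$LogName = 'System',
    [int]$EventId   = 7036,          # Service Control Manager: "service entered the <state> state"
    [string]$App    = 'ServerWatch', # assumed application name Growl registers the notifications under
    [string]$Type   = 'Critical',    # notification type; mark this one as forwarded to Prowl in Growl
    [switch]$Register
)
$growl = Join-Path $env:windir 'growlnotify.exe'

if ($Register) {
    # One task per (channel, event id). /MO takes the same XPath the Event Viewer filter uses;
    # /EC is the channel. Runs as SYSTEM so it can read every log.
    $query  = "*[System[EventID=$EventId]]"
    $action = "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File $($MyInvocation.MyCommand.Path) -LogName $LogName -EventId $EventId -App $App -Type $Type"
    schtasks /Create /F /TN "Growl-$LogName-$EventId" /SC ONEVENT /EC $LogName /MO $query /RU SYSTEM /TR $action
    exit $LASTEXITCODE
}

if (-not (Test-Path $growl)) { Write-Error "growlnotify.exe not found at $growl"; exit 1 }

# Newest event of that id in the channel: with a trigger that fires per event, this is the one
# that started the task.
$ev = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId } -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $ev) { exit 0 }

$topic   = "$env:COMPUTERNAME - $($ev.ProviderName) $EventId"
$message = ($ev.Message -replace '\s+', ' ').Trim()
if ($message.Length -gt 250) { $message = $message.Substring(0, 250) + '...' }   # keep the push short

# /a application, /r registers the notification type, /n selects it for this message, /t title,
# then the message text as the last argument, exactly as in the command lines above.
& $growl "/a:$App" "/r:$Type" "/n:$Type" "/t:$topic" $message
exit $LASTEXITCODE
```

Register it with `powershell.exe -File C:\Scripts\Send-GrowlEvent.ps1 -Register -LogName System -EventId 7036`, then stop or start any service and watch for the push. Because Growl receives the notification over its local network port, the task can run as SYSTEM while Growl itself runs in your logged-on session.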
WinRM and WinRS, a management tool for Windows 2008
If you are using Windows Server 2008, WinRM is installed but not enabled by default. This is a good security precaution. The easiest way to determine whether WinRM is already enabled and started on your machine is to go to a CMD prompt and run:
winrm enumerate winrm/config/listener
If you get no response, WinRM is not running. To configure WinRM to start automatically and allow remote access, use the winrm quickconfig command like this:
C:\Users\Administrator> winrm quickconfig
WinRM is not set up to allow remote access to this machine for management.
The following changes must be made:
Create a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.
Make these changes [y/n]? y
WinRM has been updated for remote management.
Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.
C:\Users\Administrator>
After running quickconfig, I reran the enumeration command with these results:
C:\Users\Administrator> winrm e winrm/config/listener
Listener
Address = *
Transport = HTTP
Port = 80
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = 10.253.15.98, 127.0.0.1, ::1, fe80::5efe:10.253.15.98%11, fe80::9583:2148:e1ef:6444%10
C:\Users\Administrator>
From this I know that WinRM is enabled. Note what quickconfig did: it created a plain-HTTP listener on every address (port 80 here; 2008 R2 moved it to 5985) and added the matching Windows Firewall exception. Between domain members the WS-Man payload is still encrypted by the Kerberos/Negotiate session, so this is acceptable on an internal network, but for workgroup machines or anything crossing an untrusted network create an HTTPS listener with a server certificate instead (winrm quickconfig -transport:https).
Similar in operation to the Sysinternals tool PsExec, WinRS leverages Windows Remote Management to let you launch processes on remote machines. Where it differs from PsExec is that it talks only to the WinRM listener port, not to SMB and the service control manager, so it passes through firewalls just as easily as WinRM does. For example, if you want to discover IP information about a remote machine, you can remotely launch ipconfig with the -all switch on that machine using this syntax:
winrs -r:{Remote Host} ipconfig -all
Another handy use of WinRS can be when installing software on remote systems. If you want to quietly install an application using an MSI file onto a remote machine, use the following syntax. This syntax assumes the MSI file has already been deposited into the C:\ folder.
winrs -r:{Remote Host} msiexec.exe /i c:\install.msi /quiet
I have used this for other things too, such as creating a centralised backup with Windows Server Backup (Windows 2008 only) and then shipping the completion logs directly to the same server. Simply make a batch file containing all your servers, with a line like this for each:
winrs -r:{Remote Host} wbadmin start backup -backupTarget:\\{Remote Host}\backup\weeknumber -include:C: -allCritical -vssFull -quiet
One thing to watch: wbadmin on the remote host runs under the credential WinRS delegated to it, and Kerberos will not let that credential hop on to a third server's share by default. If the backup target is a share on the central server rather than on the remote host itself, give wbadmin the share credentials with -user: and -password:, or make sure the remote computer account can write to the share.
Hope you enjoy. Please leave a comment if you liked this article.
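The batch file above as a PowerShell loop, added here as an example and not code from the original post. It checks that each host answers WinRM before trying anything, runs the same wbadmin job through WinRS with the share credentials the second hop needs, writes a per-host log on the central share and ends with a summary of the remote exit codes. Assumptions: the host names fs01/fs02/web01, the central share \\backupsrv\backup and the CORP\backupsvc account are placeholders to replace; it runs from an admin workstation with PowerShell 2.0 or later.

```powershell
# Added example (not part of the original post): run the wbadmin job above over WinRS on a list
# of servers and keep per-host logs plus a summary. Host names, share and account are placeholders.
$servers      = 'fs01', 'fs02', 'web01'
$backupServer = 'backupsrv'
$week         = [Globalization.CultureInfo]::InvariantCulture.Calendar.GetWeekOfYear((Get-Date), 'FirstFourDayWeek', 'Monday')
$logDir       = "\\$backupServer\backup\logs"
New-Item -Path $logDir -ItemType Directory -Force | Out-Null

# wbadmin on the remote host runs under the identity WinRS delegated to it, which cannot hop on to
# a third machine's share by default (single Kerberos hop). wbadmin takes the share credentials
# itself via -user/-password; they end up on the remote command line, so use a dedicated account
# that can only write to this share.
$cred  = Get-Credential -Credential 'CORP\backupsvc'
$plain = $cred.GetNetworkCredential().Password

$results = @()
foreach ($s in $servers) {
    # Cheap reachability check first; winrs itself fails slowly and unhelpfully when the listener is missing.
    $null = winrm id "-r:$s" 2>&1
    if ($LASTEXITCODE -ne 0) {
        $results += New-Object PSObject -Property @{ Server = $s; ExitCode = $LASTEXITCODE; Note = 'WinRM not reachable' }
        continue
    }
    $target = "\\$backupServer\backup\$s\week$week"
    New-Item -Path $target -ItemType Directory -Force | Out-Null
    $log = Join-Path $logDir "$s-week$week.log"

    # Same command as the batch file above; winrs hands back the remote wbadmin exit code.
    $output = winrs "-r:$s" wbadmin start backup "-backupTarget:$target" '-include:C:' -allCritical -vssFull -quiet "-user:$($cred.UserName)" "-password:$plain" 2>&1
    $code = $LASTEXITCODE
    "$(Get-Date -Format s) exit code $code" | Out-File -FilePath $log -Encoding ASCII
    $output | Out-File -FilePath $log -Encoding ASCII -Append
    $results += New-Object PSObject -Property @{ Server = $s; ExitCode = $code; Note = $(if ($code -eq 0) { 'ok' } else { "FAILED, see $log" }) }
}
$results | Format-Table Server, ExitCode, Note -AutoSize
exit (@($results | Where-Object { $_.ExitCode -ne 0 }).Count)
```

The script's own exit code is the number of failed hosts, so a scheduled task running it can be alerted on without parsing the logs.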
Make full trust for shared configuration IIS7
Navigate to the "C:\Windows\Microsoft.NET\Framework\v2.0.50727" folder in a command prompt (with elevated permissions) and run the following command, replacing the UNC path with your shared configuration share:
C:\Windows\Microsoft.NET\Framework\v2.0.50727>caspol -m -ag 1. -url "file://\\10.0.0.2\Share\*" FullTrust
Note this has to be done on each server!
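The same caspol change as a script you can drop on each server, added here as an example and not code from the original post. It applies the code group to both CLR 2.0 policy stores on a 64-bit server (a 64-bit application pool reads the policy under Framework64, so running caspol from Framework alone leaves the share untrusted for it) and skips stores that already contain the URL condition, so it is safe to re-run. Assumptions: the share \\10.0.0.2\Share from the post, the group name IIS7SharedConfig is a placeholder, and it runs elevated under PowerShell 2.0 or later.

```powershell
# Added example (not part of the original post): idempotent caspol FullTrust grant for the shared
# configuration UNC on both the 32-bit and 64-bit CLR 2.0 policy stores. Share path is the post's.
$shareUrl  = 'file://\\10.0.0.2\Share\*'
$groupName = 'IIS7SharedConfig'                  # assumed name for the new code group
$roots = "$env:windir\Microsoft.NET\Framework\v2.0.50727", "$env:windir\Microsoft.NET\Framework64\v2.0.50727"

foreach ($root in $roots) {
    $caspol = Join-Path $root 'caspol.exe'
    if (-not (Test-Path $caspol)) { continue }   # no Framework64 on a 32-bit server

    # caspol -m -lg lists the machine-level code groups; skip if the URL condition is already there.
    $listing = & $caspol -m -lg 2>&1 | Out-String
    if ($listing -match [regex]::Escape($shareUrl)) {
        Write-Host "$root : code group for $shareUrl already present"
        continue
    }

    # -pp off: no confirmation prompt; -m: machine level; -ag 1.: add under the root (All_Code)
    # group; -url: membership condition; FullTrust: permission set; -n: name for the new group.
    # '1.' is quoted so PowerShell passes it literally instead of as the number 1.
    & $caspol -pp off -m -ag '1.' -url $shareUrl FullTrust -n $groupName
    if ($LASTEXITCODE -ne 0) { Write-Error "$root : caspol failed with exit code $LASTEXITCODE" }
    else { Write-Host "$root : granted FullTrust to $shareUrl" }
}
```

Run it once per web server (the note above still applies: CAS policy is per machine), and check the result with `caspol -m -lg` from each folder.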
To read more about this command look here
for more info about setup of the shared configuration take a look here