SSL certificate chains explained

March 12th, 2009

Today I would like to clear up some confusion about chained SSL certificates. For this example, I will use Network Solutions as the Certificate Authority (CA) you are buying the cert from. This is information you will need to know when you purchase a new SSL cert or renew an existing one for your Exchange server, IIS web server, or any other external-facing server or appliance.

Network Solutions does not issue you a single cert. They issue you a chained SSL cert. So, for example, if you are buying a cert for:

widgets.com

They will validate and issue you the cert, but when you download and open the zip file from their website, you will see the following certificate bundle:

AddTrustExternalCARoot.crt
NetworkSolutions_CA.crt
WIDGETS.COM.crt
UTNAddTrustServer_CA.crt

Let’s analyze the certs in your chain. The first one is AddTrustExternalCARoot.crt, which is called the “root certificate”. This is the first cert in your chain. This root cert is installed to the Trusted Root Certification Authorities store on your server or network appliance.

The second and third certs in your chain are NetworkSolutions_CA.crt and UTNAddTrustServer_CA.crt, which are “intermediate certificates”. An intermediate cert is essentially a certificate issued by the trusted root CA specifically for the purpose of issuing SSL certificates to you. The reason for this is that if the root CA cert were ever compromised, the entire chain would fail. It is good security practice to use an “intermediary” to issue the certs from, so that your root CAs are not exposed by the signing process. If an intermediate were ever compromised, you can always regenerate it, unlike the root certs. The intermediate certificate sits between your website cert and the root cert, and it is installed to the Intermediate Certification Authorities store on your server or appliance.

The last cert in your chain is WIDGETS.COM.crt, which is your actual SSL cert. This is also known as your “domain certificate”. This domain cert is installed to the Personal store on your server or appliance.

So the end result is a chain of certs that begins at the trusted root CA, runs through the intermediary, and finally ends with the SSL certificate issued to you for your website or appliance (widgets.com).

In most cases, any server or appliance out there will already have the trusted root cert for Network Solutions installed, so you can just install your SSL cert and not have to worry about anything else. Depending on where you buy your cert from and what you are installing it on, you may have to go through the steps of installing the trusted root cert and intermediate cert first, before installing your SSL cert. With some web browsers, Internet Explorer 7 for example, you can get away with not installing any intermediate certificate, because IE7 will automatically download the intermediate cert the first time a user visits your website. This makes things easy for the lazy admin, but it is always best practice to go ahead and add the intermediate cert on your end instead of depending on the client and their browser’s ability to do this. There is no point in risking a certificate error for the end user when the fix is so easy.

To verify the chain, go to any site you know uses SSL (https://) and then click on the lock icon in Internet Explorer, which lets you view the SSL cert info. Click the “Certificate Path” tab and you can see the chain we described above:

Trusted Root —> Intermediate —> SSL Certificate

You can then click on each one of these certs and hit the “View Cert” button to view each cert in the chain individually. Good luck and post a comment if you have any questions. :)
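As an added example, not code from the post, here is a small Go program that builds a constructed three-tier chain of the kind described above (a placeholder root, a placeholder intermediate and a widgets.com domain cert) and verifies the domain cert the way a client would: with the intermediate present the path resolves root to intermediate to domain cert, and without it verification fails, which is the certificate error the post warns about. All CA names are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// template builds a cert: CA tiers get certSign, the domain cert gets a SAN and serverAuth.
func template(serial int64, cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  ca,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	if !ca {
		t.DNSNames = []string{cn}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a key for tmpl and signs it with the parent's key (nil signer = self-signed root).
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if signer == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// buildChain returns a constructed root, intermediate and widgets.com cert (placeholder CA names).
func buildChain() (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	root, rootKey := issue(template(1, "Constructed Root CA", true), nil, nil)
	inter, intKey := issue(template(2, "Constructed Intermediate CA", true), root, rootKey)
	leaf, _ := issue(template(3, "widgets.com", false), inter, intKey)
	return root, inter, leaf
}

// verifyLeaf checks the domain cert against the trusted root, with or without the intermediate
// installed, and returns the verified path root-first (the order IE's Certificate Path tab shows).
func verifyLeaf(root, intermediate, leaf *x509.Certificate, withIntermediate bool) ([]string, error) {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), DNSName: "widgets.com"}
	opts.Roots.AddCert(root)
	if withIntermediate {
		opts.Intermediates = x509.NewCertPool()
		opts.Intermediates.AddCert(intermediate)
	}
	chains, err := leaf.Verify(opts)
	if err != nil {
		return nil, err
	}
	var path []string
	for i := len(chains[0]) - 1; i >= 0; i-- {
		path = append(path, chains[0][i].Subject.CommonName)
	}
	return path, nil
}
```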

How to remove a hidden user from a BES server

February 9th, 2009

There are situations where a user you deleted at some point becomes hidden on a BlackBerry Enterprise Server and was never really removed from the database. This is a lost user in the BES database that needs to be removed somehow, or it will cause problems. You can see that this lost user is taking up a license in BlackBerry Manager, but you can’t actually find the user using the GUI. An example of a problem this can cause: you try to add a user to your BES and you know you have enough licenses, but it gives you an error message saying:

“The number of users selected exceeds the number of available licenses. Please select a fewer number of users to add.”

Here is a quick way of finding the hidden user and deleting the account. Just make sure your database is backed up, just in case, before you begin. Then open up a command line and type in:

osql -E

Then type these commands, one per line (I am going to assume you have named your SQL database the default name of BESMgmt):

1>use BESMgmt
2>select DisplayName from UserConfig
3>go

This will show you all the different users in your database. Find the user you need to remove and then type in:

1>use BESMgmt
2>delete from UserConfig where DisplayName='John Doe'
3>go

The other option for removing a deleted user is the DBClean tool from RIM. I have hosted it here on my blog since this tool is sometimes hard to find.

Jason’s BlackBerry Enterprise Server (BES) Setup Guide

January 9th, 2009

I originally wrote this BES setup guide for a friend’s blog at his request. Here it is now on mine for your viewing pleasure! :)

This guide goes over how to install BlackBerry Enterprise Server or BlackBerry Professional Software Express (the free version of BES). Surprisingly, a lot of people run into trouble installing a BES server because of the many steps and prerequisites you have to go through. You really need extensive experience installing and troubleshooting a BES to have a fast, successful deployment. I have written this BlackBerry server install guide to help anyone install a BES successfully. If you run into any issues, feel free to post a comment and I’ll reply to you.
—–

BES Install Prerequisites:

-Set aside between 45 minutes and 2 hours to allow yourself time to install all prerequisites and then install and configure the BES server. You will need to reboot the server, so make sure you have scheduled downtime for it.

-Verify you have the correct Blackberry server software, Licenses, and SRP identifier. If not, call RIM.

-Verify that you are not blocking outbound ports in your organization. If you are, you need to make sure TCP port 3101 is allowed outbound from the server you intend to install the BES on. Your BES will communicate to RIM’s servers using this port. YOU DO NOT need to allow port 3101 inbound to your server.

-Verify that your Exchange Server has SP2 (Service Pack 2) applied.

-If you are installing BES on a member server (which is the best practice), make sure Exchange System Manager has been installed on it.

-Make sure Outlook is not installed on the same server as the BES. A lot of small businesses with SBS 2003 install Outlook on the server. Uninstall it if you plan to install a BES on an SBS server.

-Install the latest Microsoft Data Access Components (MDAC) from Microsoft:

http://msdn2.microsoft.com/en-us/data/aa937730.aspx

-If you have already installed your SQL server, make sure the BESAdmin account has Server Administrator and Database Creator permission to the database instance.

-Make sure your spam firewall has whitelisted emails from *.blackberry.net. I have seen overly aggressive spam firewalls block emails required for Enterprise Activation because of the .dat attachments in the message.

-Optional: Verify TCP port 4101 is allowed to communicate outbound. This port is used by Blackberry Desktop Manager to do a serial bypass for least cost routing. It is not necessary to open this port unless you need this feature.

—–

Now onto the actual install!

1. Login to your server using a Domain Admin account and create a new user called BESAdmin (and make sure you create a mailbox when you create the account). DO NOT ever use the default Administrator account with a BES. You must create a service account.

2. Verify the BESAdmin user is part of the Domain Users group only. It is not necessary to give the account Domain Admin privileges, since we are going to give the account local login access in the next steps, but you can give it DA access if you want. It’s best practice to leave the account as a Domain User because you always want to give an account just enough permissions to perform its function. Also, if you give it DA access you have to go back and check the Send As/Receive As rights, because they are usually set to deny.

3. Now make the BESAdmin a local admin on the server.

On a Domain Controller or SBS server – This is done in AD via the “Built-in Administrators” group
On a member server – This is done by right-clicking My Computer and selecting Manage. From Computer Management expand “Local Users & Groups” and select Groups. From Groups double-click “Administrators” and add the BESAdmin account.

4. Now give BESAdmin local rights:

On a Domain Controller or SBS server – Open “Domain Controller Security Policy” and expand “Local Policies” and then “User Rights Assignment”. You need to add BESAdmin to “Log on Locally” and “Log on as Service”.
On a member server – Open “Local Security Policy” and expand “Local Policies” and then “User Rights Assignment”. You need to add BESAdmin to “Log on Locally” and “Log on as Service”.

5. Open up Exchange System Manager (ESM) and right click the root “YourDomain (Exchange)”. Click on Delegate Control and add the BESAdmin account as an Exchange View Only Administrator.

6. Drill down in Exchange System Manager until you get to your server name. Right-click on the server name and select Properties. Now click the Security tab. Add the BESAdmin account and grant the following permissions:

a. Administer information store
b. Receive As
c. Send As

7. Open up Active Directory Users and Computers and, in the top menu bar, select “View” and then click on “Advanced Features”. Now go to each user you want to add to the BES server and double-click on them. Go to the “Security” tab and add the BESAdmin user. Give the BESAdmin account “Send As” rights.

8. Logout of the server. Now log back in as the BESAdmin user. Now you can begin the BES server installation. You want to select the “Blackberry Enterprise Server” option. Just double-click on the executable and go through the wizard. Accept all agreements and begin the install. Half way through, it will tell you to reboot. Once the server reboots, you can log back in as the BESAdmin and the installer will automatically start back up and continue the install.

9. Once you get to the database portion of the install, make sure to leave the default name of “BESMgmt” as the database name. You may need to create a new SQL instance for the BES server if you already have other named SQL instances running. Do not put it under one of those instances. The BES server should run under its own SQL instance if at all possible.

10. When you get to the screen to enter the license, just copy and paste it exactly as RIM gave you. Then copy and paste the SRP identifier and SRP authentication key and make sure to Test your connection. If you cannot connect, verify TCP port 3101 is allowed to connect outbound. A simple test is to open a command prompt and type:

telnet srp.us.blackberry.net 3101

If your command prompt goes to a black screen, then you are able to connect.

11. Once the install is done, open up Blackberry Manager. You will get an error saying no MAPI profile has been chosen. Hit okay and type in the name of your server and choose the “BESAdmin” account. Hit “Check Name” and then press OK.

12. Now Blackberry Manager will open up. On the right hand side, you should see that the SRP status is “Connected”. If it is not connected, wait a few minutes and then refresh.

13. Once you verify you have an SRP connection, you can begin adding users. I prefer to use wireless activation for all handhelds. Just use the Add User wizard in the left-hand column to add the user.

14. The user will get an email in his mailbox. Just have the user open Outlook and verify the email has been received from BESAdmin and contains an activation password. The user just needs to go to Enterprise Activation on his/her handheld and type in their email address and this password to activate their account on their handheld. It can take anywhere up to 5 minutes or more to complete an activation depending on the user’s mailbox and speed of connection to their provider’s data network.

NOTE: If the user was using BIS, you may need to wipe the handheld before doing an Enterprise Activation with your new BES server. Otherwise the BIS service books will cause activation to fail.

Always make sure that the date and time are set correctly, the time zone is set to the correct time zone (handhelds usually default to Casablanca), and that the top right corner of the handheld says “EDGE”, “GPRS”, or “3G” in all capital letters and not lowercase.

15. The handheld will tell you when Enterprise Activation is complete. On a new activation (as in, this is the first time that particular phone has been added to the BES), it will pull down 14 days’ worth of email onto the phone. If you previously had the phone on the BES, removed it, and are re-adding it, it will not pull down all your old email. Just keep this in mind when doing Enterprise Activations.

Additional Notes:

-If the user you are adding to the BES is a Domain Admin, you can get them on the BES and their handheld will work for a little while but then it will stop sending email after about an hour. I have seen this happen time and time again when I “inherit” a BES server at a new client. This is because your Send As permission for Domain Admins will revert on the Exchange server unless you explicitly edit the ACL to allow for it. Run the following script from a command prompt using the DsAcls tool on your server after installing Windows Server 2003 Support Tools (http://technet.microsoft.com/en-us/library/cc755938.aspx):

dsacls "cn=AdminSDHolder,cn=System,dc=Yourdomain,dc=local" /G "Yourdomain.local\BESAdmin:CA;Send As"

For more info on this, view KB 907434 from Microsoft at http://support.microsoft.com/kb/907434

You can also enable inheritance on the adminSDHolder container by:

1. Right-click the container in Active Directory and choose Properties.
2. Click the Security tab.
3. Click Advanced.
4. Select the “Allow inheritable permissions to propagate to this object and all child objects” check box.
5. Click OK, and then click Close.

After enabling inheritance on the AdminSDHolder container, make sure the BESAdmin account is still present, with the Send As permission, on the AD user account you are adding to the BES. Wait for Exchange to pick up these permissions (normally 20 minutes to 2 hours), or you can just restart your Information Store and it should take effect immediately.

-If you are having trouble activating a device wirelessly, your BES server has tools on it to help you troubleshoot. Run the following tool to test for connectivity:

C:\Program Files\Research In Motion BlackBerry Enterprise Server\Utility\BBSrpTest.exe

-By default, a user’s deletions on his/her handheld are not synched with Outlook. You either have to set the reconciliation on the handheld or you can set it for all users on the Blackberry server itself. RIM has it set this way by default so users don’t accidentally delete important emails on their handhelds. I never change the default unless the user specifically requests it and I only change it on the Blackberry server itself if the point of contact at the organization approves it.

-Blackberry Professional Software Express (aka BPS, BPSE, replacement for BES Express) does not support HTML rendering yet. Only full blown BES supports it starting with SP6 which was released last year. HTML rendering is a pretty new feature so it will eventually trickle down to Professional. Just make sure the user’s phone is running OS version 4.5 and when they release the SP, it should work just fine.

If you ever run into any issues with your Blackberry Enterprise Server and need some help, feel free to contact me or post here and I’ll reply as soon as I can.

Exchange 2003 spam filtering made easy

December 4th, 2008

A useful Exchange 2003 guide I wrote for a friend’s blog originally, but I am posting it here on mine now for your viewing pleasure :). I can’t tell you how many times I have walked into a new environment only to find that the previous server admin had not been taking advantage of Exchange 2003’s built-in spam filtering, or had completely misconfigured the server to the point where it was barely blocking anything at all. If you do not have any 3rd party spam filtering in place, there is no reason not to use Exchange’s built-in filtering. It works very well if configured properly.

Here is a basic mail filtering setup guide for a small business environment running Exchange 2003 that I like to use (and yes, I will do a separate write up for Exchange 2007 content filtering in another post). Remember, this is just a basic setup and different environments will have different needs.

Let’s start assuming you have a brand new Exchange 2003 server setup. Make sure your Exchange server has been updated to SP2 before you do anything.

Then, in Exchange System Manager (ESM), drill down to Global Settings and right click on Message Delivery.

CONNECTION FILTERING
Now click on the Connection Filtering tab. Here you can tell Exchange to go out and check RBLs (realtime block lists) to determine whether mail coming into your Exchange server should be marked as spam. Here are the 2 that I like to use. Any more than this and you’re making your block list strategy too redundant; plus it holds up delivery of your email and increases overhead as your Exchange server queries each list. Make sure they are in this order, using the arrow buttons on the right to adjust:

zen.spamhaus.org
cbl.abuseat.org

(I also used to like using sbl.spamhaus.org and xbl.spamhaus.org but zen.spamhaus.org combines these all to one list as well as their pbl.spamhaus.org list. Just use zen.spamhaus.org so there is less overhead on your Exchange server.)

RECIPIENT FILTERING
Next, click on the Recipient Filtering tab. By default there is nothing in there, but way at the bottom you will notice that the box for “Filter recipients who are not in the Directory” is left unchecked. Check this box. This causes email not addressed to someone in your organization to be dropped. Spammers often use a dictionary attack when sending spam to your organization, such as “joebloe@yourdomain.com”, which your Exchange server will process unless you check this box.

INTELLIGENT MAIL FILTERING (IMF)
Next, click on the Intelligent Mail Filtering tab. This is the heart of your spam filtering so you must make sure to configure it properly. SCL ratings (spam confidence levels) are rated on a scale of 1-10. Exchange automatically assigns this rating to every message that it gets. A message with a rating of 1 means the message is not considered spam. A message with a value of 10 is definitely spam (think Viagra ads).

I like to set the Block level to 7, Archive as the block action, and Move messages with an SCL rating of greater than or equal to 4. This is usually pretty good for most environments, but you should tweak the settings depending on your environment and feedback from your users over time.

SENDER ID FILTERING
Next, click on the Sender ID Filtering tab and leave the default of Accept. The reason is that a lot of mail servers don’t have an SPF record, since this is a mostly Microsoft initiative, so the default setting is fine. You don’t want to accidentally block email from a valid sender.

APPLYING YOUR NEW SETTINGS TO YOUR EXCHANGE SERVER
Now on to the part a lot of people miss. You have setup everything but now you need to actually apply it to your SMTP virtual server or nothing is going to happen.

Click on Administrative Groups > First Administrative Group > Servers > the name of your Server > Protocols > SMTP > then right click Default SMTP Virtual Server

Next to the IP Address, you will see the Advanced button. Click on it and you will see something like the below.

This shows the SMTP virtual server. Click Edit and then check everything you see. Click OK through all the windows and when you’re back in the ESM, right click on the Default SMTP Virtual Server and hit Stop. Once it stops, right click on it again and hit Start. You can also just go into Services and restart the SMTP service from there as well.

CONFIGURING WINDOWS UPDATE FOR IMF UPDATES
Now it’s time to configure Windows Update on your server to download IMF updates (these are released by Microsoft twice a month). You have to make a registry change for this to happen. Click Start > Run > type regedit > press Enter. Now drill down to HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange. Right-click in the right pane and add a new DWORD called “ContentFilterState”. Right-click on ContentFilterState and change the value from 0 to 1.

Now run Windows Update manually (using the Custom option instead of Express) and you will see the latest IMF definitions as part of your patches you need to install (if you don’t, restart the SMTP service and scan for updates again). Go ahead and install the latest update once you see it.

MANAGING IMF AND YOUR EMAIL MARKED AS SPAM
Okay, so now you have some pretty good filtering setup but is it working? How do you manage mail that is marked as spam?

The answer begins with installing IMF Companion (a free IMF management utility) that you can get at:

http://stoekenbroek.com/imfcompanion/default.htm

Install it and setup the Pickup and Archive directories correctly. On a default Exchange install (we’re going to use the C: drive for this example), the locations should be:

C:\Program Files\Exchsrvr\Mailroot\vsi 1\Pickup

and

C:\Program Files\Exchsrvr\Mailroot\vsi 1\UceArchive

Just to explain what these directories are, Pickup is the directory that Exchange stores messages that it is waiting to deliver and UCE Archive (Unsolicited Commercial Email Archive) is where Exchange dumps email it thinks is spam. This directory can get really big really fast so you want to setup a script to clear it once in a while.

When you open IMF Companion, you can see all the blocked messages in the UCE Archive in the top pane. Notice how the SCL rating column is missing? This is because you have to tell the Exchange server to store archive messages with their SCL rating. To do this, create this registry key if you don’t see it already:

HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange\ContentFilter

Then create a new DWORD key value under it called “ArchiveSCL” and set the value data to 1. Now restart the SMTP service and when you open IMF Companion again, any new messages that come in will have their SCL rating displayed.

In addition to IMF Companion, you can also use the built-in Windows Performance Monitor (perfmon) to keep an eye on Exchange. If you don’t see the IMF performance objects, just reboot the server and they will show up in the drop-down list.

SBS 2008 and the “Fix My Network Wizard”

November 12th, 2008

We’ve all had to use the Configure Email and Internet Connection Wizard (aka CEICW) in SBS 2003 to resolve connectivity issues to the Internet, resolve issues with domain logons for users after a service pack upgrade, get Exchange mail flow going again, etc. The CEICW was considered the “shotgun” method of fixing network connectivity problems. With the release of Small Business Server 2008, CEICW has been broken down into many different wizards, so you can run specific tools instead of the whole thing at once.

The Fix My Network Wizard has proven to be one of the more useful new tools in SBS 2008. It checks for issues with IIS, Certificates, Exchange, TCP/IP, DNS, DHCP, RRAS VPN, etc. and either fixes the issues or suggests a course of action to resolve the issue.

To use the FNCW tool, go to:

SBS Console > Network > Connectivity


Now wait while it performs the server scan. Once it is done, it will display a list of issues it has found:

Make sure you leave the boxes checked that you want to fix and hit Next. The FNCW tool will begin fixing the issues. If the FNCW was able to fix the issue, it will display a green check box and will let you know in the Details section what it did to resolve it.


If it was unsuccessful, it will display a suggestion in the Details area describing the best course of action.


Symantec/Veritas NetBackup robtest commands for your tape library

October 22nd, 2008

Having trouble with your tape library and NetBackup not seeing your tapes? Move those tapes manually with robtest commands! Robtest is a command line utility that can help you manually move tapes and inventory your magazines and drives when NetBackup is hung up or can’t see them.

Here are some simple robtest commands I have used in the past. To start robtest.exe, just go to “veritas\volmgr\bin\”. Then select your robot (for example, 1 to select TLD 0).

? – help menu
s d – show status of all drives
s d1 – show status of just drive 1
s s – show status of all slots
s s1 – show status of just slot 1

And some actual tape action:

m s10 s5 – move tape media from slot 10 to slot 5
m d1 s1 – move tape media from drive 1 into slot 1
unload d1 – rewinds the tape in the drive and releases the read/write head