Microsoft Exchange and Remote Desktop Services Specialists

SEMblog

Microsoft Exchange Server and
Blackberry Enterprise Server news, views and fixes.

2 July 2006 09.30

Three Rules of Microsoft Licensing

I have been posting these three rules of software licensing in various forums for a couple of years now, so it made sense to include them here.
Purchasing software licenses for Microsoft products is daunting, with multiple choices and schemes available to you. However as long as you consider these three rules, you shouldn't go too far wrong.

  1. Get at least three opinions, including one from Microsoft.
    Even some people at Microsoft don't understand all the options, so if you aren't sure on something then make sure that you get three opinions. 
  2. Get in writing.
    Without it in writing, it is worth nothing if you are audited. 
  3. The most expensive option will be the correct one.
    That is pretty obvious I think.

It will not make licensing any easier, but it will help you sleep at night in the knowledge that you have at least tried to do the right thing.

6 March 2006 11.05

VPN Through a PIX

Stuck out on site with a client, I couldn't connect to home via VPN. The client has a Cisco PIX and a quick bit of research showed that while the PIX will allow PPTP pass-through, it isn't enabled by default.

Apparently you need 6.3 of the PIX software, but then you can add the following command to the configuration and can then use the Windows VPN client:

fixup protocol pptp 1723

A quick change and I was able to connect home.
More information on Cisco's web site
You have to make a similar change if you need to go through a PIX with the Cisco VPN client to connect to a remote Cisco VPN server. In that case the command is:
ISAKMP NAT-TRAVERSAL
Another command that requires version 6.3 of the PIX software.

5 March 2006 10.55

Why you shouldn't use Self Generated SSL Certificates

A constant theme on many of the Internet forums is the use of self generated SSL certificates versus purchased SSL certificates, particularly when deploying RPC over HTTPS or Outlook Web Access.
Many people will advocate that using a self generated certificate is fine and will do the job.
This could be a certificate generated from the selfssl.exe tool that is supplied with the IIS Resource Kit, or Microsoft's certificate application.
However I am not one of them, and always deploy Exchange with a purchased certificate.

Use of SSL Certificates
SSL Certificates have two main tasks. 

  1. To prove that the server you are accessing is the server that you meant to access.
  2. To encrypt the connection between the application being used to access the server, and the server itself.

There are three things that your web browser looks for when accessing a secure site.

  • that the name on the certificate matches the address being accessed
  • the certificate is issued by someone the browser trusts, or the certificate matches one already installed on the web browser
  • the certificate is valid.

If any of those three fail, then you will get a warning message popup.
With self generated certificates, you will get the warning message when you access the server. This is because the certificate hasn't been issued by a trusted authority.
You can get round that warning message by importing the certificate in to the web browser. However that makes a lot of work with deployment, complicates matters and also means that you have to repeat the exercise when the certificates expires.
It also doesn't help when people are accessing your site from a public computer where you cannot install the certificate, such as an internet café or their machine at home.
And that is where self generated certificates start to cause problems.
You can tell your users to ignore the message when connecting to your site, but users have a habit of only hearing what they want to hear. They will hear "ignore the message" but forget the bit "when using our site". In these days of phishing and spoof web sites network administrators need to give out a consistent message - and telling users to ignore a security warning is a very example of failing to do that.
A security warning of any kind looks unprofessional and shows a lack of concern for security.

So what are the alternatives?
The best alternative is to purchase an SSL certificate.
However many administrators think that they need to go to one of the big SSL certificate issuers such as Verisign and pay US$400 or more per year - and that is just for a 40 bit certificate.
That is not the case.
I do my deployments using RapidSSL certificates. They cost US$69 per year and that is for a 128bit certificate. Their root certificate is in most of the popular web browsers so there is no complication there.
If you do need to deploy the certificates to Pocket PC devices, then that can be easily done (see http://www.amset.info/pocketpc/certificates.asp).
You could also certificates from Certificates for Exchange which are trusted by Windows Mobile 5.0 with MSFP and higher. Nothing to install on the devices making deployment easy.
You may also see some "free" SSL certificates around. These should be looked at carefully, paying particular attention to the root certificate support. If the root certificate isn't in the majority of web browsers then you will have the same problem as when issuing your own certificates - prompts and imports.

Do Self Generated Certificates Have a Place?
Yes they do. I use them all the time in lab environments. When I have control over every item accessing the service, then I will use the a self generated certificate and make all of adjustments as required to get it to work correctly. However in a production deployment, they are never used.

18 February 2006 10.35

New Articles on amset.info

A couple of new bits and pieces for my technical web site amset.info

The articles on working with Distribution lists have been grouped together and can be found here:
http://www.amset.info/exchange/groups.asp

This was caused by the publication of three new articles...
Creating a moderated distribution group:
http://www.amset.info/exchange/groups-moderated.asp
How to make your distribution lists appear at the top of the Global Address List (which is actually quite old, but was buried on another page)
http://www.amset.info/exchange/groups-top.asp
And how to hide the membership of a group, or even the existence of a group from the GAL. http://www.amset.info/exchange/groups-hidemembers.asp

Elsewhere, two pages have been added to the Pocket PC section, which may be of interest to Exchange Server administrators.
Working with SSL Certificates deals with getting SSL certificates on the handheld devices. If you are deploying OMA or Exchange Active Sync then this could be of interest to you.
http://www.amset.info/pocketpc/certificates.asp
Using the Windows Mobile 5.0 Emulator could also be of interest as it lets you simulate what the users are doing with their devices can aid support of those devices by your support team.
http://www.amset.info/pocketpc/wm5emulator.asp

Many of the articles on the web site are reviewed frequently, as I update the techniques or correct errors, so please check back often!