To determine which version of Microsoft SQL Server 2008 is running, connect to SQL Server 2008 by using SQL Server Management Studio, and then run the following Transact-SQL statement.
SELECT SERVERPROPERTY('ProductVersion'), SERVERPROPERTY('ProductLevel'), SERVERPROPERTY('Edition')
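For more than one instance, the same query can be run from PowerShell and the results collected in one place. This is an added example, not code from the original post; the instance names are assumptions, and it uses Windows authentication so no SQL login password ends up in the script.

```powershell
# Added example (not from the original post): run the SERVERPROPERTY query above
# against several instances with Windows authentication and report the patch level.
# Instance names are assumptions; replace them with your own.
$instances = 'SQL01', 'SQL02\INST1'

$query = "SELECT SERVERPROPERTY('ProductVersion') AS ProductVersion," +
         " SERVERPROPERTY('ProductLevel') AS ProductLevel," +
         " SERVERPROPERTY('Edition') AS Edition"

foreach ($instance in $instances) {
    # Integrated Security=SSPI: the caller's Windows identity, no password in the script.
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$instance;Integrated Security=SSPI;Connection Timeout=5")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            # SERVERPROPERTY returns sql_variant; cast to string before inspecting it.
            $version = [string]$reader['ProductVersion']
            New-Object PSObject -Property @{
                Instance       = $instance
                ProductVersion = $version
                ProductLevel   = [string]$reader['ProductLevel']   # RTM, SP1, SP2 ...
                Edition        = [string]$reader['Edition']
                # 10.0.x = SQL Server 2008, 10.50.x = SQL Server 2008 R2
                Is2008Family   = $version.StartsWith('10.')
            }
        }
        $reader.Close()
    }
    catch {
        # Unreachable instance or denied login: report it and carry on with the rest.
        Write-Warning "${instance}: $($_.Exception.Message)"
    }
    finally {
        $conn.Dispose()
    }
}
```

The account running the script only needs the CONNECT permission on each instance; SERVERPROPERTY does not require any server role.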
To be Continued.....
Sunday, September 12, 2010
Thursday, September 9, 2010
Create Systems Management Object for SCCM and Security
Using ADSI Edit, create a container called System Management under CN=System: right-click CN=System, choose New > Object, select container from the list, click Next, and enter the value System Management.
In Active Directory Users and Computers, enable Advanced Features on the View menu (the System container is hidden without it), expand the System container, and right-click System Management.
Choose Delegate Control, click Next, click Add, click Object Types, tick Computers, click OK, click Advanced, then Find Now.
Highlight the SCCM site server's computer account and click OK.
Click OK again, click Next on the Delegation of Control Wizard page, and choose 'Create a custom task to delegate'.
Click Next and make sure 'This folder, existing objects in this folder, and creation of new objects in this folder' is selected.
Click Next, make sure the three permission types General, Property-specific and Creation/deletion of specific child objects are selected, then tick Full Control,
click Next, then Finish.
Failure to do the above will mean that the System Management container in AD will NOT populate with SCCM-specific information and you will see many errors in SCCM site status. Grant the permission on the System Management container only, not on CN=System itself: the site server needs full control over the objects it publishes there and nothing else in the System container.
Once the permissions are granted correctly, it will look like this.
Print Screens to Follow
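The same result can be scripted, which is easier to repeat per site server and to audit afterwards. This is an added example, not from the original post; it uses the ActiveDirectory module (Windows Server 2008 R2 RSAT or later) and the site server name SCCM01 is an assumption.

```powershell
# Added example (not from the original post): the ADSI Edit / Delegation of Control
# steps above, scripted with the ActiveDirectory module. SCCM01 is an assumed name.
Import-Module ActiveDirectory

$siteServer  = 'SCCM01'                                  # assumed site server name
$domainDn    = (Get-ADDomain).DistinguishedName
$systemDn    = "CN=System,$domainDn"
$containerDn = "CN=System Management,$systemDn"

# 1. Create the container directly under CN=System if it does not exist yet.
$existing = Get-ADObject -LDAPFilter '(&(objectClass=container)(cn=System Management))' `
                         -SearchBase $systemDn -SearchScope OneLevel
if (-not $existing) {
    New-ADObject -Name 'System Management' -Type container -Path $systemDn
}

# 2. Grant the site server's computer account Full Control on the container,
#    inherited by existing and future child objects. This is the wizard's
#    "This folder, existing objects in this folder and creation of new objects
#    in this folder" scope with Full Control ticked.
$computer = Get-ADComputer -Identity $siteServer
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $computer.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path "AD:\$containerDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$containerDn" -AclObject $acl

# 3. Verify: exactly one ACE for DOMAIN\SCCM01$ with GenericAll and
#    InheritanceType All on the System Management container, and no new
#    ACE on CN=System itself.
foreach ($dn in $containerDn, $systemDn) {
    "--- $dn"
    Get-Acl -Path "AD:\$dn" |
        Select-Object -ExpandProperty Access |
        Where-Object { $_.IdentityReference -like "*\$siteServer`$" } |
        Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType -AutoSize
}
```

The final loop is the check worth keeping: if the site server account shows up under CN=System, the delegation was applied one level too high and should be removed there.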
Sunday, August 22, 2010
Forefront UAG architecture
The following diagram shows a basic topology for Forefront UAG.
Forefront UAG can be configured as a publishing server. You publish internal corporate applications and resources via Forefront UAG, and remote client endpoints from a variety of locations access these published resources by connecting over HTTP or HTTPS to a Forefront UAG site or portal. You can publish Web and non-Web applications, Remote Desktop Services (RDS) applications, and allow full VPN client access to internal networks. To control endpoint access you can configure a number of mechanisms, including client authentication, and access controls that allow or deny access based on endpoint health checks.
In addition, Forefront UAG can be configured as a DirectAccess server. Forefront UAG DirectAccess allows remote managed computers to connect automatically and seamlessly to the corporate intranet any time Internet access is available, without the need to initiate a VPN connection. Bi-directional connectivity is established each time a user’s DirectAccess-enabled computer is connected to the Internet, even before the user logs on.
Portals and trunks
A Forefront UAG trunk is a transfer channel via which you publish corporate applications and resources. Remote endpoints connect to the trunk and access the internal applications and resources through it. You can create HTTP or HTTPS trunks, which specifies whether endpoints connect to the trunk over HTTP or HTTPS. For an HTTPS trunk you need a server certificate whose subject or subject alternative name matches the trunk's public host name and whose issuer the connecting endpoints trust; in practice that means a certificate from a public certification authority, because unmanaged endpoints will not trust an internal CA.
Remote endpoints can access applications and resources published via a trunk in one of two ways:
1.Connect to a portal─You can create a Forefront UAG portal for a trunk, to provide a consolidated Web gateway that allows remote endpoints to access one or more corporate applications in the portal.
2.Connect directly─You can publish Web applications with an application-specific public host name, thus allowing endpoints to type in the host name, and connect directly to the application.
On a single server, each trunk has a unique listener (a combination of IP address and port). In an array of multiple Forefront UAG servers, every array member shares the same trunks. If traffic arriving at array members is load balanced, each trunk has a unique virtual IP (VIP) address. Traffic arriving at the trunk can be serviced by any of the array members, providing scalability, high availability, and failover.
There are a number of trunk properties that you can set, including IP addresses, public host name and ports, authentication requirements for users connecting to portal sessions, access policies with which endpoints must comply in order to access portals, a logoff policy for the portal, and a traffic inspection policy.
Supported Authentication
Forefront Unified Access Gateway (UAG) supports the following authentication methods:
* RSA
* LDAP
* Active Directory
* ADFS 1.0 (Update 1 - Provides Support for ADFS 2.0)
* KCD (Kerberos Constrained Delegation)
* RADIUS
* Certificates ( PKI and CRL )
To be Continued........
Friday, August 20, 2010
Publish Exchange in UAG
Outlook Web Access
In the Forefront UAG Management Console, right-click HTTPS Connections and select New Trunk.
Click Next on the first page of the Create Trunk Wizard.
Select Portal Trunk as the trunk type and check the box stating that you will be publishing Exchange applications via the portal. The wording for this check box suggests we will be using a portal to access Exchange. However, configuring Forefront UAG using this wizard will result in an Outlook Web App user directly accessing Outlook Web App without first logging in to a portal.
Enter a name for your trunk. You cannot use spaces or any non-alphanumeric characters. Enter the public host name of the portal, mail.fabrikam.com in our example, and make sure that the IP address the trunk will listen to requests on is correct, that is, the external network interface of Forefront UAG.
Click Next, and on Step 3 – Authentication, click Add and select the entry that you created earlier.
On Step 4 – Certificate, make sure the certificate that you installed earlier is selected, and then click Next.
On Step 5 – Endpoint Security, if you have already deployed Network Access Protection (NAP) policies on your network, you may select them here or else leave the default of Use Forefront UAG access policies, and then click Next. Be aware that Endpoint Security policies only apply to Web browser clients and not to clients like Outlook Anywhere or Exchange ActiveSync.
On Step 6 – Endpoint Policies, leave the defaults for now and then click Next
On Step 7 – Select Exchange Services, select Exchange Server 2010, and check the box next to Outlook Web Access only. It's recommended that you do not select all the check boxes to select all the Exchange services. The load-balancing method configured when publishing a farm in this manner is not optimal for Exchange. Therefore, it's recommended that you publish Outlook Web App first and return to the wizard for Outlook Anywhere and Exchange ActiveSync following that.
On Step 8 – Configure Application, enter an Application name–Exchange 2010 OWA in our example.
On Step 9 – Select Endpoint Policies, leave the default options, and then click Next.
On Step 10 – Deploying an Application, click Configure a Farm of application servers, and then click Next.
On Step 11 – Load-Balanced Web Servers, enter the FQDNs of the Client Access servers you will be publishing, and then change the Balance requests by setting to Cookie-based affinity. (When you run the wizard for Outlook Anywhere and Exchange ActiveSync, choose IP-based affinity.) In the Paths field, review the list and remove paths you do not require; every path left here is exposed through the trunk.
On Step 12 – Configure Connectivity Verifiers, select Establish a TCP Connection. The default is to send an HTTP/HTTPS GET request to the Client Access server to check whether IIS is responding. When publishing Exchange, IIS on the Client Access server does not answer plain HTTP requests, and the Client Access server's own FQDN is usually not in the SSL certificate installed on it, so the HTTPS request to the server FQDN that Forefront UAG would try fails as well. The simplest option is to have Forefront UAG open a TCP connection to port 443 on the Client Access server; if that succeeds, Forefront UAG treats the server as up. Be aware that a TCP check proves only that port 443 is listening; it does not detect a stopped application pool or a virtual directory returning errors, so monitor OWA itself separately.
Click Next, and on Step 13 – Authentication, click Add to add the authorization servers that you previously configured to the list. The lower option buttons determine how Forefront UAG authenticates to the Client Access server. The default, 401 request, means Forefront UAG uses Basic authentication to the Client Access server, so the Client Access server must have Basic authentication enabled on the /owa virtual directory. If you click HTML form, you can leave forms-based authentication (FBA) enabled on the Client Access server. This capability is unique to Forefront UAG and lets both internal and external Outlook Web App users access Outlook Web App with forms-based authentication.
On Step 14 – Portal Link, the default settings will create icons in the portal for Outlook Web App access, if a portal is used. Also, if the lower check box is selected, the portal will open Outlook Web app in a new window when it is accessed. Click Next.
On Step 15 – Exchange Application Authorization, you can leave the default, which allows all authenticated users to access Exchange. This only means that they can try to access Outlook Web App. Any Outlook Web App policies you created in Exchange still apply, including mailboxes with -OWAEnabled $false set through Set-CASMailbox. Alternatively, you can restrict who can reach Outlook Web App at Forefront UAG by selecting from a list of groups, or even restrict access down to the user level by adding individual users to this list.
Click Finish on the final page of the wizard to return to the management console.
Click the Save icon to save the configuration. Click the Activate icon to back-up the existing configuration and activate this new configuration.
If you chose 401 request on Step 13, use the Exchange Management Console (EMC) to open the properties of the owa and ecp virtual directories on each published Client Access server, enable Basic authentication, and then run iisreset on each Client Access server you changed. Basic authentication sends the user's credentials base64-encoded on every request, so the Forefront UAG to Client Access server leg must be HTTPS, never HTTP.
ActiveSync and RPC over HTTP
Open the Forefront UAG management console, and navigate to the properties of the trunk you previously created.
In the Application section of the page, click Add to open the Welcome to the Add Application Wizard dialog box, and then click Next. In Web list, click Microsoft Exchange Server (all versions).
On Step 2 – Select Exchange Services, in the Exchange versions list, click Microsoft Exchange Server 2010, and then select the Outlook Anywhere (RPC over HTTP) and Exchange ActiveSync check boxes. If you view the configuration later and decide you want more control over individual settings for Outlook Anywhere and Exchange ActiveSync, you can run this wizard once for each protocol. We keep them together in this walkthrough because, most of the time, when Outlook Anywhere and Exchange ActiveSync use the same authentication scheme, the settings for both are compatible.
On Step 3 – Configure Application, enter a descriptive name for the application.
On Step 4 – Select Endpoint Policies, leave the defaults for now, and then click Next.
On Step 5 – Deploying an Application, select Configure a farm of application servers.
On Step 6 – Load-Balanced Web Servers, enter the FQDNs of the servers in the Client Access server array you are publishing.
On Step 7 – Configure Connectivity Verifiers, click Establish a TCP connection for the reasons described earlier.
On Step 8 – Authentication, select the Authorization source you have previously configured.
Accept the warning message, which effectively states that Outlook Anywhere and Exchange ActiveSync clients cannot use forms-based authentication or the portal and so will use Basic or NTLM authentication.
On Step 9 – Outlook Anywhere, notice that the default Public Host Name values have been completed. Click Use Basic authentication to change the default Outlook Anywhere Authentication option for both services so that Forefront UAG can delegate credentials to the Client Access server correctly.
On the Authorization page of the wizard, either leave the default of allowing all users to connect or click to restrict the service to specific groups or users. Again, as with Outlook Web App, any options set within Exchange by using the Set-CASMailbox cmdlet will still apply.
Click Finish on the wizard completion page.
Viewing the management console, you will now see the additional application entries the wizard has created. Autodiscover and EWS have been put into rules separate from Outlook Anywhere and EAS.
When you have activated the configuration, the next step is to configure Exchange to correctly allow Basic authentication to be used against the different virtual directories required for Outlook Anywhere and Exchange ActiveSync.
Enable Outlook Anywhere on each published Client Access server, selecting Basic authentication as the client authentication method. After the change, run iisreset and confirm that event ID 3006 is logged, which shows that the appropriate registry keys have been set.
If this is the first time Outlook Anywhere has been enabled, several more steps are required to ensure users outside Forefront UAG can fully use Outlook. Also, one more step is required so that Exchange ActiveSync can use the Autodiscover service. You should run these on each server in the Active Directory site you are publishing, replacing the server host name as appropriate.
Set the external URL for the offline address book (OAB) virtual directory. It is assumed that the OAB is already enabled for Web-publishing. If it's not, see Configure Offline Address Book Distribution Properties.
Set-OabVirtualDirectory RED-CAS-1\* -ExternalUrl https://mail.fabrikam.com/OAB
Set the external URL for the Exchange Web Services (EWS) virtual directory to https://mail.fabrikam.com/EWS/Exchange.asmx.
Set-WebServicesVirtualDirectory RED-CAS-1\* -ExternalUrl https://mail.fabrikam.com/EWS/Exchange.asmx
Set the external URL for the Exchange ActiveSync virtual directory to allow the Autodiscover service to provide devices with the correct value.
Set-ActiveSyncVirtualDirectory RED-CAS-1\* -ExternalUrl https://mail.fabrikam.com/Microsoft-Server-ActiveSync
Set the authentication property for the OAB and EWS virtual directories to include Basic as an option if you are using Basic authentication.
Set-OabVirtualDirectory RED-CAS-1\* -BasicAuthentication:$true
Set-WebServicesVirtualDirectory RED-CAS-1\* -BasicAuthentication:$true
At this point you should test the configuration to make sure it works as expected. From an Outlook 2007 or Outlook 2010 client on the external network, first make sure that an A record for autodiscover.fabrikam.com exists in public DNS, then make sure that Outlook Anywhere is enabled on the Client Access servers in the site you are publishing and that all relevant URLs are correct, and then try to create a new Outlook profile. It is very important that the Autodiscover service works correctly for an Outlook client, because Autodiscover provides Outlook with the location of the Web services it needs for normal operation, such as Out of Office settings and offline address book downloads.
If Outlook Anywhere works, try to connect by using a mobile device, either with the Autodiscover service configuring the profile or manually, by entering the server name (mail.fabrikam.com in this example).
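Before handing the publishing over to users, it is worth checking the Exchange side of the walkthrough above in one pass and confirming that the trunk challenges anonymous requests. The script below is an added example, not part of the original post. It is read-only, runs from the Exchange 2010 Management Shell on a machine that can also reach the public host name, and uses the walkthrough's names (mail.fabrikam.com, RED-CAS-1); RED-CAS-2 is an assumed second Client Access server.

```powershell
# Added example (not from the original post): read-only checks for the Exchange
# settings and the UAG trunk configured above. mail.fabrikam.com and RED-CAS-1
# come from the walkthrough; RED-CAS-2 is assumed.
$publicHost = 'mail.fabrikam.com'
$casServers = 'RED-CAS-1', 'RED-CAS-2'
$problems   = @()

foreach ($cas in $casServers) {
    $oab = Get-OabVirtualDirectory         -Server $cas
    $ews = Get-WebServicesVirtualDirectory -Server $cas
    $eas = Get-ActiveSyncVirtualDirectory  -Server $cas
    $owa = Get-OwaVirtualDirectory         -Server $cas
    $oa  = Get-OutlookAnywhere             -Server $cas -ErrorAction SilentlyContinue

    # External URLs must carry the UAG public host name, not the CAS FQDN, or
    # Autodiscover hands external Outlook clients addresses they cannot reach.
    if ($oab.ExternalUrl -ne "https://$publicHost/OAB")                          { $problems += "$cas OAB ExternalUrl: $($oab.ExternalUrl)" }
    if ($ews.ExternalUrl -ne "https://$publicHost/EWS/Exchange.asmx")            { $problems += "$cas EWS ExternalUrl: $($ews.ExternalUrl)" }
    if ($eas.ExternalUrl -ne "https://$publicHost/Microsoft-Server-ActiveSync")  { $problems += "$cas EAS ExternalUrl: $($eas.ExternalUrl)" }

    # UAG delegates Basic credentials to these directories, so Basic must be on.
    if (-not $oab.BasicAuthentication) { $problems += "$cas OAB: Basic authentication disabled" }
    if (-not $ews.BasicAuthentication) { $problems += "$cas EWS: Basic authentication disabled" }
    if (-not $eas.BasicAuthEnabled)    { $problems += "$cas EAS: Basic authentication disabled" }   # note the different property name
    if ($oa -eq $null)                 { $problems += "$cas: Outlook Anywhere not enabled" }
    elseif ($oa.ClientAuthenticationMethod -ne 'Basic') { $problems += "$cas Outlook Anywhere auth: $($oa.ClientAuthenticationMethod)" }

    # '401 request' in Step 13 needs Basic on /owa; 'HTML form' keeps FBA. One of them must be on.
    if (-not ($owa.BasicAuthentication -or $owa.FormsAuthentication)) { $problems += "$cas OWA: neither Basic nor FBA enabled" }
}

# External Outlook clients locate the service via autodiscover.<SMTP domain>.
$smtpDomain = $publicHost.Substring($publicHost.IndexOf('.') + 1)
try   { [void][System.Net.Dns]::GetHostAddresses("autodiscover.$smtpDomain") }
catch { $problems += "No A record for autodiscover.$smtpDomain" }

# Through the trunk, a request without credentials must be challenged (401) or
# refused (403); a 200 here would mean the path is reachable anonymously.
function Get-HttpStatus([string]$url) {
    $req = [System.Net.WebRequest]::Create($url)
    $req.Method = 'GET'
    try {
        $resp = $req.GetResponse(); $code = [int]$resp.StatusCode; $resp.Close(); return $code
    }
    catch [System.Net.WebException] {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw   # no HTTP response at all: DNS, TCP or TLS failure, surface it
    }
}
foreach ($path in 'Microsoft-Server-ActiveSync', 'rpc/rpcproxy.dll') {
    $code = Get-HttpStatus "https://$publicHost/$path"
    if (-not (401, 403 -contains $code)) { $problems += "https://$publicHost/$path answered $code without credentials" }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'All checks passed.' }
```

The script deliberately does not send any credentials; the point of the last loop is that the trunk, not the Client Access server, is the first thing an anonymous client talks to, and it must refuse to proxy the request until the user has authenticated.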