
Installing Windows Admin Center

Download Windows Admin Center Setup

Windows Admin Center could be the future of bulk server management: moving away from the GUI and running Server Core based Windows servers in the backend.

Choose any unused port, such as 6516.

Now you can add Windows servers for remote management.

Disable Feedback Hub via Group Policy

The Feedback Hub can be annoying for enterprise users with its requests for recommendations. Let's see how to disable it via Group Policy.

Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Do not show feedback notifications > Enabled

Set it to Enabled.

Save Public IPs using F5 LTM Policies

F5 has several modules, one of which is LTM (Local Traffic Manager). Here I would like to explain how we can save public IPs when the LTM sits on the internet-facing side.

LTM has a Policies feature that lets you redirect traffic based on the DNS hostname. In our case we share more than 15 apps on one public IP:

AppA.azure365pro.com

AppB.azure365pro.com

AppC.azure365pro.com

AppD.azure365pro.com

and so on, all sharing the same wildcard SSL certificate. Even though public IPs are much cheaper nowadays, this lets us add and remove applications without touching the perimeter firewall.

Just add a DNS record and use LTM policies to redirect traffic to the specified virtual server. It works seamlessly, without complicating our lives with many custom iRules.

Let's assume your VLANs and Self IPs are in place, traffic is allowed from the load balancer to the desired apps, and the SSL certificate has already been imported into the load balancer.

My first virtual server exists only to redirect all HTTP traffic to HTTPS.

83.100.100.100 is my public IP. Only ports 443 and 80 are allowed from the perimeter firewall to the F5 LTM.

172.21.10.10 is my private IP. It is just a dummy IP from the Self IP range and points nowhere.

General Properties
Name: VIP1-HTTP
Partition / Path: Common
Description: DMZ (83.100.100.100) – Redirect to HTTPS
Type: Standard
Source Address: Host 0.0.0.0/0
Destination Address/Mask: Host 172.21.10.10
Service Port: Port 80
Notify Status to Virtual Address: Checked
PVA Acceleration: None
Availability: Unknown (Enabled) – The children pool member(s) either don't have service checking enabled, or service check results are not available yet
Syncookie Status: Inactive
State: Enabled

Configuration: Basic
Protocol: TCP
Protocol Profile (Client): tcp
Protocol Profile (Server): Use Client Profile
HTTP Profile (Client): http
HTTP Profile (Server): Use Client Profile
HTTP Proxy Connect Profile: None
FTP Profile: None
RTSP Profile: None
SSL Profile (Client): None selected
SMTPS Profile: None
POP3 Profile: None
Client LDAP Profile: None
Server LDAP Profile: None
Service Profile: None
SMTP Profile: None
VLAN and Tunnel Traffic: All VLANs and Tunnels
Source Address Translation: Auto Map

Everything else is left at the default.

Content Rewrite
Rewrite Profile: None
HTML Profile: None

Access Policy
Access Profile: None
Connectivity Profile: None
Per-Request Policy: None
VDI Profile: None
Application Tunnels (Java & Per-App VPN): Not Enabled
OAM Support: Not Enabled
ADFS Proxy: Not Enabled
PingAccess Profile: None

API Protection
API Protection Profile: None

Acceleration
iSession Profile: None (Context: server)
Rate Class: None
OneConnect Profile: None
NTLM Conn Pool: None
HTTP Compression Profile: None
Web Acceleration Profile: None
HTTP/2 Profile (Client): None
HTTP/2 Profile (Server): None
HTTP MRF Router: Not Enabled

Load Balancing
Default Pool: None
Default Persistence Profile: None
Fallback Persistence Profile: None

iRules (use the default iRule to redirect all traffic to HTTPS, whatever the request is):

/Common/_sys_https_redirect

Security settings: we have ASM (Application Security Manager) enabled, but I am not going into that in this article. It definitely has amazing features.

Policy Settings
Destination: 172.21.10.10:80
Service: HTTP
Application Security Policy: Disabled
Service Policy: None

IP Intelligence: Disabled
DoS Protection Profile: Enabled
Bot Defense Profile: Enabled
Log Profile: Log illegal requests

Now we are done with the HTTP to HTTPS redirection.

Let's create a virtual server for HTTPS.

General Properties
Name: VIP1-HTTPS
Partition / Path: Common
Description: DMZ (83.100.100.100)
Type: Standard
Source Address: Host 0.0.0.0/0
Destination Address/Mask: Host 172.21.10.10
Service Port: Port 443

Notify Status to Virtual Address: Enabled
PVA Acceleration: None
Availability: Unknown (Enabled) – The children pool member(s) either don't have service checking enabled, or service check results are not available yet
Syncookie Status: Inactive
State: Enabled

Get the SSL certificate issued and import it using a .pfx file, so that we can use it on the HTTPS virtual server.

Import pfx file – Certificate Management – Traffic Certificate Management – SSL Certificate List – Import

Local Traffic – Profiles – SSL

Create a client SSL profile and assign the certificate to it.

Exactly the same as the HTTP virtual server. The only difference here is that SSL is assigned on both profiles:

SSL Profile (Client): the valid wildcard SSL certificate
SSL Profile (Server): place a default SSL profile or leave it empty

Leave everything else at none. Let's see how we can create the policy that gets app redirection working.

  • Let's create App A with the same settings but service port 1000
  • Let's create App B with the same settings but service port 1001
  • Let's create App C with the same settings but service port 1002
  • Let's create App D with the same settings but service port 1003

It can go on like this with the same shared public IP.

The SSL certificate is assigned on SSL Profile (Client).

The game virtual server on custom port 1000 directs traffic to the game pool, which contains the real game pool members.

Default Pool
Default Persistence Profile: cookie
Fallback Persistence Profile: source_addr

Let's create a policy.

For example:

AppA.azure365pro.com (in my case App A is game.azure365pro.com)

AppB.azure365pro.com

AppC.azure365pro.com

Condition: HTTP Host – host is any of game.azure365pro.com – at request time (the DNS name hits the main virtual server).

Action: Forward traffic to virtual server game.azure365pro.com (that is, on to the real members).

Now apply the policy and assign it to the main HTTPS VIP (VIP1-HTTPS) listening on 443.
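
As an added example (my own, not from the post and not F5 documentation), here is what the same host-based policy looks like as a tmsh configuration fragment, the way it appears in bigip.conf. The per-app virtual server names (VIP1-game-1000, VIP1-appb-1001) and the policy name are placeholders; the second rule shows how a further hostname is added without touching the firewall.

```tmsh
# Added example (not from the post): host-header routing policy equivalent to the
# GUI rule above. Virtual server and policy names are placeholders.
ltm policy /Common/host-routing {
    controls { forwarding }
    requires { http }
    rules {
        game {
            ordinal 1
            conditions {
                0 {
                    http-host
                    host
                    case-insensitive
                    values { game.azure365pro.com }
                }
            }
            actions {
                0 {
                    forward
                    select
                    virtual /Common/VIP1-game-1000
                }
            }
        }
        appb {
            ordinal 2
            conditions {
                0 {
                    http-host
                    host
                    case-insensitive
                    values { AppB.azure365pro.com }
                }
            }
            actions {
                0 {
                    forward
                    select
                    virtual /Common/VIP1-appb-1001
                }
            }
        }
    }
    strategy /Common/first-match
}
```

On BIG-IP 12.1 and later the policy is authored under Drafts and published (tmsh publish ltm policy Drafts/host-routing) before being attached with tmsh modify ltm virtual VIP1-HTTPS policies add { host-routing }. A request whose Host header matches no rule falls through to the 443 virtual server's default pool, which is none here, so such connections are reset rather than landing on an application.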

You can now use the same policy to forward multiple hostnames to different pools with the same SSL certificate and the same public IP.

It makes F5 simpler to manage at the perimeter level with minimal public IPs, while giving a lot of flexibility.

No doubt it is an amazing product. Their APM module is amazing as well; I will discuss that in future posts.

Disabling AuthGSSAPI on Receive Connector of Exchange Server

Submitting messages on port 587 from the F5 SMTP mailer fails with AUTH GSSAPI Remote(SocketError).

When I bypass the F5 load balancer, it submits messages directly to the Exchange server without any issues.

When I submit via F5, I can see it initiating the AUTH GSSAPI protocol from the list of supported protocols and then failing to submit the message.

Default log location:

%ExchangeInstallPath%TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive

2019-08-19T08:38:51.744Z,EXCH1\Client Frontend EXCH1,234255E01EE2EF03,2,172.21.11.231:587,172.21.1.10:39534,<,EHLO F5DMZ,
2019-08-19T08:38:51.744Z,EXCH1\Client Frontend EXCH1,234255E01EE2EF03,3,172.21.11.231:587,172.21.1.10:39534,>,250 EXCH1.azure365pro.com Hello [172.21.1.10] SIZE 37748736 PIPELINING DSN ENHANCEDSTATUSCODES STARTTLS AUTH GSSAPI NTLM 8BITMIME BINARYMIME CHUNKING,
2019-08-19T08:38:51.746Z,EXCH1\Client Frontend EXCH1,234255E01EE2EF03,4,172.21.11.231:587,172.21.1.10:39534,<,AUTH GSSAPI,
2019-08-19T08:38:51.747Z,EXCH1\Client Frontend EXCH1,234255E01EE2EF03,5,172.21.11.231:587,172.21.1.10:39534,>,334 ,
2019-08-19T08:38:52.797Z,EXCH1\Client Frontend EXCH1,234255E01EE2EF03,6,172.21.11.231:587,172.21.1.10:39534,-,,Remote(SocketError)
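
An added example (my own, not from the post): a PowerShell function that scans SmtpReceive protocol log lines and reports sessions where the client chose AUTH GSSAPI and was then dropped with Remote(SocketError) before a 235 authentication success was ever returned, so the pattern can be confirmed across every frontend server before connectors are changed. The sample lines embedded below are the session lines from this post, constructed inline; column names follow the Exchange protocol log #Fields header.

```powershell
# Added example, not from the original post. Scans Exchange SmtpReceive protocol log
# lines for sessions where the client picked AUTH GSSAPI and the socket then dropped
# with Remote(SocketError) before any 235 authentication success was returned.
function Find-FailedGssapiSessions {
    param([Parameter(Mandatory)][string[]] $LogLines)

    # Column order follows the #Fields header of the Exchange protocol log.
    $fields = @('date-time', 'connector-id', 'session-id', 'sequence-number',
                'local-endpoint', 'remote-endpoint', 'event', 'data', 'context')
    # Skip blank lines and the #Software/#Fields header lines found in real log files.
    $records = $LogLines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ConvertFrom-Csv -Header $fields

    foreach ($session in ($records | Group-Object 'session-id')) {
        $events = $session.Group | Sort-Object { [int] $_.'sequence-number' }
        $auth = $events | Where-Object { $_.event -eq '<' -and $_.data -eq 'AUTH GSSAPI' } |
                Select-Object -First 1
        if (-not $auth) { continue }

        $after   = $events | Where-Object { [int] $_.'sequence-number' -gt [int] $auth.'sequence-number' }
        $success = $after | Where-Object { $_.data -like '235 *' }
        $drop    = $after | Where-Object { $_.context -match 'SocketError' } | Select-Object -First 1
        if ($success -or -not $drop) { continue }

        [pscustomobject]@{
            Connector      = $auth.'connector-id'
            SessionId      = $session.Name
            Client         = $auth.'remote-endpoint'
            AuthAt         = [datetime] $auth.'date-time'
            DroppedAfterMs = ([datetime] $drop.'date-time' - [datetime] $auth.'date-time').TotalMilliseconds
        }
    }
}

# Constructed sample: the session from this post, one record per line.
$sample = @(
    '2019-08-19T08:38:51.744Z,EXCH1\Client Frontend EXCH1,234255E01EE2EF03,2,172.21.11.231:587,172.21.1.10:39534,<,EHLO F5DMZ,',
    '2019-08-19T08:38:51.744Z,EXCH1\Client Frontend EXCH1,234255E01EE2EF03,3,172.21.11.231:587,172.21.1.10:39534,>,250 EXCH1.azure365pro.com Hello [172.21.1.10] SIZE 37748736 PIPELINING DSN ENHANCEDSTATUSCODES STARTTLS AUTH GSSAPI NTLM 8BITMIME BINARYMIME CHUNKING,',
    '2019-08-19T08:38:51.746Z,EXCH1\Client Frontend EXCH1,234255E01EE2EF03,4,172.21.11.231:587,172.21.1.10:39534,<,AUTH GSSAPI,',
    '2019-08-19T08:38:51.747Z,EXCH1\Client Frontend EXCH1,234255E01EE2EF03,5,172.21.11.231:587,172.21.1.10:39534,>,334 ,',
    '2019-08-19T08:38:52.797Z,EXCH1\Client Frontend EXCH1,234255E01EE2EF03,6,172.21.11.231:587,172.21.1.10:39534,-,,Remote(SocketError)'
)
Find-FailedGssapiSessions -LogLines $sample
# Against real logs on a frontend server:
# Find-FailedGssapiSessions -LogLines (Get-Content "${env:ExchangeInstallPath}TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive\*.log")
```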

I disabled GSSAPI from the list of available protocols by setting EnableAuthGSSAPI to $false:

Set-ReceiveConnector "EXCH1\Client Frontend EXCH1" -EnableAuthGSSAPI $false

To check:

Get-ReceiveConnector "EXCH1\Client Frontend EXCH1" | fl *binding*,*GSS*

I applied the same change to all members of the Exchange server pool.

Once GSSAPI was disabled, it submitted the message without any issues.

To revert:

Set-ReceiveConnector "EXCH1\Client Frontend EXCH1" -EnableAuthGSSAPI $true

The Undeliverables

You have sent an email and received a notification that it was not delivered to the recipient. Such a notification is known as a bounced email (NDR):

Mail Delivery System MAILER-DAEMON@rspamd3-1.sh.yanmail.me
Sent: Wednesday, August 14, 2019 2:11 PM
To: prvs=12202f182=arun.ab@localhost
Subject: Undeliverable: flight information

Delivery has failed to these recipients or groups:

carrie@groups.com
Your message couldn't be delivered. Try to send it again later. If the problem continues, please contact your email admin.

Diagnostic information for administrators:

Generating server: rspamd3-1.sh.yanmail.me

carrie@groups.com
Remote Server returned '554 5.3.0 < #5.3.0 x-unix; Spam,Subject or body has spam keywords in system level.>'

Original message headers:

Return-Path:
Received: from rspamd3.sh.yanmail.me (rspamd3.sh.yanmail.me [210.16.190.24]) by rspamd3-1.sh.yanmail.me (Postfix) with ESMTP id 69E13400270 for carrie@groups.com; Wed, 14 Aug 2019 18:11:01 +0800 (CST)
X-yanmailID: 2efb.5d53ddfa.5549d.0 1B2CB400772 20190814 b2a6c4eebe7b11e997f4a4badb2c2b1183634@localhost
Received: from mx3.azure365pro.com (unknown [83.111.45.45]) by rspamd3.sh.yanmail.me (Postfix) with ESMTP id 1B2CB400772; Wed, 14 Aug 2019 10:10:02 +0000 (UTC)
Authentication-Results: mx3.azure365pro.com; dkim=none (message not signed) header.i=none; spf=None smtp.pra=arun.ab@localhost; spf=Fail smtp.mailfrom=arun.ab@localhost; spf=None smtp.helo=postmaster@EXCH1.azure365pro.com
Received-SPF: None (mx3.azure365pro.com: no sender authenticity information available from domain of arun.ab@localhost) identity=pra; client-ip=172.21.1.45; receiver=mx3.azure365pro.com; envelope-from="arun.ab@localhost"; x-sender="arun.ab@localhost"; x-conformance=sidf_compatible
Received-SPF: Fail (mx3.azure365pro.com: domain of arun.ab@localhost does not designate 172.21.1.45 as permitted sender) identity=mailfrom; client-ip=172.21.1.45; receiver=mx3.azure365pro.com; envelope-from="arun.ab@localhost"; x-sender="arun.ab@localhost"; x-conformance=sidf_compatible; x-record-type="v=spf1"; x-record-text="v=spf1 mx ip4:83.111.59.85 ip4:83.111.59.91 ip4:194.170.218.45 ip4:83.111.45.45 -all"
Received-SPF: None (mx3.azure365pro.com: no sender authenticity information available from domain of postmaster@EXCH1.azure365pro.com) identity=helo; client-ip=172.21.1.45; receiver=mx3.azure365pro.com; envelope-from="arun.ab@localhost"; x-sender="postmaster@EXCH1.azure365pro.com"; x-conformance=sidf_compatible
X-Ironport-Dmarc-Check-Result: validskip
IronPort-SDR: tJPXFRc2sF6vCBvYaRYfC54vheytHvCqbrz+WJiVwLC5gDActvRNIBeJxOiYO83GTIYNinupWy js2actTGrLgg==
IronPort-PHdr: =?us-ascii?q?9a45=3AEvE6QR+ReM/esP9uRHKM819IXTAuvvDOBiVQ1K?= =?us-ascii?q?IIvI4IwLz6GQhODcAOGHoQ6jDJBZIZ7ZIwzg3ECAgICCQIVgSk+gQlxTXOCb?= =?us-ascii?q?AmCRReBBAECBSQcggOIF4I8cowygSKBIQEB?=
X-IronPort-AV: E=Sophos;i="5.64,384,1559505600"; d="jpg'145?png'145,150?scan'145,150,208,217,150,145";a="3173282"
Received: from unknown (HELO EXCH1.azure365pro.com) ([172.21.1.45]) by mx3.azure365pro.com with ESMTP/TLS/ECDHE-RSA-AES128-SHA256; 14 Aug 2019 14:09:56 +0400
Received: from EXCH4.azure365pro.com (172.21.1.454) by EXCH1.azure365pro.com (172.21.1.45) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Wed, 14 Aug 2019 14:09:56 +0400
Received: from EXCH4.azure365pro.com ([172.21.1.454]) by EXCH4.azure365pro.com ([172.21.1.454]) with mapi id 15.01.1466.012; Wed, 14 Aug 2019 14:09:56 +0400
From: Arun ab arun.ab@localhost
To: "carrie@groups.com" carrie@groups.com, Huang huang.huang@mz.com
CC: david david@groups.com, Aseeb Khader aseeb.abdul@localhost
Subject: RE: flight information
Thread-Topic: flight information
Thread-Index: AQHVUbMHcem8LlXMJ022gk/php1/Lab6bNBg
Date: Wed, 14 Aug 2019 10:09:56 +0000
Message-ID: 9679ca5aee5a4dbd89936c63f9991c07@localhost
References: b2d75de4bb3211e9bb64d4ae5278bc1212252@localhost, <201908110657434899274@groups.com> 51887700bda611e99fcb52540073b44e@groups.com
In-Reply-To: 51887700bda611e99fcb52540073b44e@groups.com
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [172.21.1.240]
x-exclaimer-md-config: 74f2138c-68ed-481e-8eaf-f54f1b694524
Content-Type: text/plain
MIME-Version: 1.0

Solution:

Remote Server returned ‘554 5.3.0 < #5.3.0 x-unix; Spam,Subject or body has spam keywords in system level.>’

The external system doesn't like one of your keywords, such as bad words or words typed in a different language. Try sending a blank email, then try sending with your signature cleared. That should tell you which keywords are causing the issue.

Creating Shared Calendars in Office 365 and Exchange Server

Let's see how to create a common travel / vacation / public / group calendar using a shared mailbox, with security groups to map owners and reviewers. Please note that you need to use PowerShell to achieve this. It should be simple and easy.

I had to work on this requirement for a company that wanted to plan their vacations on calendars and did not want to use resource mailboxes, as they did not want users to see vacation calendars in their resource mailbox list. So shared mailboxes were the perfect option for me.

It was an interesting one. Note that in Office 365 and Exchange Server, calendar permission changes do not reflect instantly in Microsoft Outlook; Outlook Web App takes minimal time to reflect them. Let's see how to go about it.

Let's create a shared mailbox (we will use the default calendar within the shared mailbox).

Connect to Exchange Online PowerShell

By default, in Exchange Server and Office 365, users can view only the free/busy calendar information of other users and shared mailboxes.

  • Calendar Default {AvailabilityOnly}

For example, if you add a shared calendar to look at some useful information, this is how it looks by default, which is a good default.

Opening Shared calendars via Various Channels

For specific cases like vacation or travel calendars, you need to alter the default permissions.

Yearly Vacation

New-DistributionGroup -Type Security -Name "Vacation Calendar Reviewers" -Alias "vacationCalendarreviewers"

Let's hide it and restrict it:

Set-DistributionGroup vacationCalendarreviewers -HiddenFromAddressListsEnabled $true -AcceptMessagesOnlyFrom vacation@localhost

Let's create a group for owners to manage the calendar:

New-DistributionGroup -Type Security -Name "Vacation Calendar Owners" -Alias "vacationCalendarowners"

Set-DistributionGroup vacationCalendarowners -HiddenFromAddressListsEnabled $true -AcceptMessagesOnlyFrom vacation@localhost

Add-MailboxFolderPermission -identity "vacation@localhost:\Calendar" -user "vacationCalendarowners" -AccessRights Owner

Get-MailboxFolderPermission vacation@localhost:\calendar | Select FolderName,User,AccessRights
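
As an added example (my own, not from the post), the following function applies the same owner/reviewer model to any shared mailbox calendar in one repeatable run and returns the resulting folder permissions so the mapping can be reviewed. It assumes an Exchange Online or Exchange Management Shell session is already connected; the mailbox address and group aliases are placeholders taken from this post.

```powershell
# Added example, not from the original post. Applies the post's owner/reviewer model to a
# shared mailbox calendar idempotently and returns the effective folder permissions.
# Assumes an Exchange Online / Exchange Management Shell session is already open;
# mailbox and group aliases are placeholders.
function Set-SharedCalendarRoles {
    param(
        [Parameter(Mandatory)][string] $Mailbox,          # e.g. vacation@localhost
        [Parameter(Mandatory)][string] $OwnersAlias,      # e.g. vacationCalendarowners
        [Parameter(Mandatory)][string] $ReviewersAlias,   # e.g. vacationCalendarreviewers
        [string] $DefaultAccess = 'AvailabilityOnly'      # everyone else keeps free/busy only
    )
    $folder = "${Mailbox}:\Calendar"

    # Mail-enabled security groups, created only if missing, then hidden from the address
    # lists and restricted to accept mail only from the shared mailbox (as in the post).
    foreach ($alias in $OwnersAlias, $ReviewersAlias) {
        if (-not (Get-DistributionGroup -Identity $alias -ErrorAction SilentlyContinue)) {
            New-DistributionGroup -Type Security -Name $alias -Alias $alias | Out-Null
        }
        Set-DistributionGroup -Identity $alias -HiddenFromAddressListsEnabled $true `
            -AcceptMessagesOnlyFrom $Mailbox
    }

    # Add-MailboxFolderPermission fails when an entry already exists (Default always does),
    # so fall back to Set-MailboxFolderPermission to keep the run repeatable.
    $desired = [ordered]@{ Default = $DefaultAccess; $OwnersAlias = 'Owner'; $ReviewersAlias = 'Reviewer' }
    foreach ($user in $desired.Keys) {
        try {
            Add-MailboxFolderPermission -Identity $folder -User $user -AccessRights $desired[$user] `
                -ErrorAction Stop | Out-Null
        } catch {
            Set-MailboxFolderPermission -Identity $folder -User $user -AccessRights $desired[$user]
        }
    }

    # Return the effective ACL so it can be checked or logged.
    Get-MailboxFolderPermission -Identity $folder | Select-Object FolderName, User, AccessRights
}

Set-SharedCalendarRoles -Mailbox 'vacation@localhost' -OwnersAlias 'vacationCalendarowners' `
    -ReviewersAlias 'vacationCalendarreviewers'
```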

Let's add some users to the Reviewers and Owners groups and check from Exchange Admin Center:

  • Vacation Calendar Owners
  • Vacation Calendar Reviewers

You can allow conflicts if required. You can disable recurring meetings if required:

Set-CalendarProcessing vacation@localhost -AllowConflicts $True -AllowRecurringMeetings $false

Just listing below, for example, the options available:

Set-CalendarProcessing vacation@localhost -ResourceDelegates approver@localhost

This can forward meeting requests for approval.

PS C:\WINDOWS\system32> Get-CalendarProcessing vacation@localhost | fl

RunspaceId : c3ea4643-4c65-4bc9-ae41-1a235df05a6c
AutomateProcessing : AutoUpdate
AllowConflicts : False
BookingType : Standard
BookingWindowInDays : 180
MaximumDurationInMinutes : 1440
AllowRecurringMeetings : True
EnforceSchedulingHorizon : True
ScheduleOnlyDuringWorkHours : False
ConflictPercentageAllowed : 0
MaximumConflictInstances : 0
ForwardRequestsToDelegates : True
DeleteAttachments : True
DeleteComments : True
RemovePrivateProperty : True
DeleteSubject : True
AddOrganizerToSubject : True
DeleteNonCalendarItems : True
TentativePendingApproval : True
EnableResponseDetails : True
OrganizerInfo : True
ResourceDelegates : {}
RequestOutOfPolicy : {}
AllRequestOutOfPolicy : False
BookInPolicy : {}
AllBookInPolicy : True
RequestInPolicy : {}
AllRequestInPolicy : False
AddAdditionalResponse : False
AdditionalResponse :
RemoveOldMeetingMessages : True
AddNewRequestsTentatively : True
ProcessExternalMeetingMessages : False
RemoveForwardedMeetingNotifications : False
MailboxOwnerId : Vacation
Identity : Vacation
IsValid : True
ObjectState : Changed


Vacation Calendar Owners can cancel / approve / delete / create.

The Owner role gives full control of the folder. An Owner can create, modify, delete, and read folder items; create subfolders; and change permissions on the folder.

Vacation Calendar Reviewers can contact the organizer but cannot do anything else.

To remove a calendar permission:

Remove-MailboxFolderPermission -identity "vacation@localhost:\Calendar" -user "vacationCalendarowners"

Good to have – the folder permission roles:

  • Owner   -  The Owner role gives full control of the folder. An Owner can create, modify, delete, and read folder items; create subfolders; and change permissions on the folder.
  • Publishing Editor  -  The Publishing Editor role has all rights granted to an Owner, except the right to change permissions. A Publishing Editor can create, modify, delete, and read folder items and create subfolders.
  • Editor  -  The Editor role has all rights granted to a Publishing Editor, except the right to create subfolders. An Editor can create, modify, delete, and read folder items.
  • Publishing Author  -  A Publishing Author can create and read folder items and create subfolders but can modify and delete only folder items that he or she creates, not items created by other users.
  • Author -   An Author has all rights granted to a Publishing Author but cannot create subfolders. An Author can create and read folder items and modify and delete items that he or she creates.
  • Nonediting Author -   A Nonediting Author can create and read folder items but cannot modify or delete any items, including those that he or she creates.
  • Reviewer   -  A Reviewer can read folder items but nothing else.
  • Contributor -   A Contributor can create only folder items and cannot read items.
  • None  -   The None role has no access to the folder.

Other scenarios (please do not use these unless you are clear about what they do):

Get-Mailbox -Database DatabaseName | ForEach-Object { Set-MailboxFolderPermission -Identity "$($_.Alias):\Calendar" -User Default -AccessRights Reviewer }
Add-MailboxFolderPermission -Identity vacation:\Calendar -User "Resource Calendar Owners" -AccessRights Owner
Get-Mailbox -ResultSize Unlimited | ForEach-Object { Set-MailboxFolderPermission -Identity "$($_.Alias):\Calendar" -User Default -AccessRights Reviewer }
Import-Csv users.csv | ForEach-Object { Add-MailboxFolderPermission -Identity "user@localhost:\Calendar" -User $_.alias -AccessRights Owner }