Forum Replies Created
Re: Define network connection
Windows normally does select this automatically. The LAN adaptor does normally take priority as it has a higher Metric value.
** I have known this not to be very consistent in certain scenarios though.

October 18, 2012 at 5:03 am in reply to: Not able to connect to bl2prd0510.outlook.com server #277191
Re: Not able to connect to bl2prd0510.outlook.com server
There doesn’t seem to be an MX record for that.
Also the IP address you put in there doesn’t correspond to that.
Check with your service provider.
Re: 50/50 DHCP – Load Balance
If you are looking at DHCP failover it might be worth looking at Windows 2012 and scrapping split scopes altogether.
Windows 2012 supports failover partners and you can have it on hot standby mode or load sharing mode.
As MS puts it “the biggest improvement in DHCP in 15 years”
Re: Private school(6-12) network – malicious kids!!
“Malicious kids” I think so not..
Kids at that age are inquisitive by nature. If you have set up your network the way it should be you should not have any problems.
Can’t stand it when people offload their shortcomings to others sometimes…

September 22, 2012 at 4:15 am in reply to: Firewall considerations for populating an AD forest #277188
Re: Firewall considerations for populating an AD forest
First off, you’ll need to change the port that the RPC Endpoint Mapper service uses from a dynamic to a static one.
Link below on how to do that as well as additional ports needed for AD replication.
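As an added illustration of the step described in the reply above (this is not code from the original thread or from Microsoft), the PowerShell below pins the RPC ports that AD replication (NTDS) and Netlogon register with the endpoint mapper to fixed values, so the firewall between sites only has to allow a handful of ports instead of the whole dynamic RPC range. The registry keys and value names are the documented NTDS and Netlogon parameters; the port numbers 49152 and 49153 are assumptions chosen for the example, and the script must run elevated on each domain controller.

```powershell
# Added example (not from the original thread): pin the RPC ports that AD
# replication (NTDS) and Netlogon register with the endpoint mapper to fixed
# values. Clients still contact the endpoint mapper on TCP 135; it now hands
# back these fixed ports instead of something from the dynamic range.
# Port numbers are assumptions: pick unused ports for your own environment.

$StaticPorts = @{
    'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'     = @{ Name = 'TCP/IP Port'; Port = 49152 }
    'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' = @{ Name = 'DCTcpipPort'; Port = 49153 }
}

function Set-AdStaticRpcPort {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $KeyPath,
        [Parameter(Mandatory)] [string] $ValueName,
        [Parameter(Mandatory)] [ValidateRange(1024, 65535)] [int] $Port
    )
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "set to $Port")) {
        # Both services read these values as REG_DWORD at service start-up
        New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Port -PropertyType DWord -Force | Out-Null
    }
}

function Get-AdStaticRpcPort {
    param([string] $KeyPath, [string] $ValueName)
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: the service still uses a dynamic port
    return [int] $item.$ValueName
}

foreach ($key in $StaticPorts.Keys) {
    $spec = $StaticPorts[$key]
    Set-AdStaticRpcPort -KeyPath $key -ValueName $spec.Name -Port $spec.Port
    $now = Get-AdStaticRpcPort -KeyPath $key -ValueName $spec.Name
    '{0,-12} {1,-62} = {2}' -f $spec.Name, $key, $now
}

# The values are only read when the services start, so restart NTDS and
# Netlogon (or reboot the DC) and then confirm the ports are really listening:
#   Get-NetTCPConnection -State Listen -LocalPort 49152, 49153
```

Run it with `-WhatIf` on `Set-AdStaticRpcPort` first to see what would be written. The firewall between the sites then needs TCP 135 (endpoint mapper) plus the two fixed ports for the RPC side; the other well-known AD ports (DNS 53, Kerberos 88, LDAP 389/636, SMB 445, global catalog 3268/3269) are unaffected by this change and still have to be allowed separately.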
Re: Active X for IE
See if this helps: http://technet.microsoft.com/en-us/library/cc721964(v=ws.10).aspx
Re: TMG behind Cisco ASA

samir381988;264575 wrote:
Hello,
Do I have to create a rule for the internal DNS Server on TMG?

No, providing you have configured the internal and external networks and the corresponding network adaptors properly. Just configure the internal adaptor with the DNS settings.

samir381988;264577 wrote:
Furthermore, I don’t want to allow internal DNS requests passing through the Cisco ASA.
If you do the above all the DNS traffic will go through the internal DNS (Which will eventually go through the ASA box but that’s how it already should be configured anyway so it’ll use the existing rules.)
Re: TMG behind Cisco ASA
a) Just a static NAT rule to the TMG external interface
b) I don’t believe you need to worry about that
c) Just configure DNS on the internal interface of TMG and let the DNS queries go through your Internal DNS servers.
d) previous point answers this query.
Re: Web Based AD Search
Look into AD Web Services but you’ll need a 2008 r2 DC.
Re: TMG behind Cisco ASA

cruachan;264529 wrote:
Completely pointless IMO, if you have spent the money on TMG bin the ASA. The only valid scenario for using 2 devices like this IME is using TMG as a single-NIC reverse proxy, and that is a waste of TMG given how expensive it is.
Aside from that, you’re looking at 2 layers of NAT between your internal network and the internet, so you can run into VPN issues if you use IPSEC VPNs.
Well that’s like saying I have a new front door now so I’ll get rid of the gate..
There is nothing wrong with having the TMG as a back firewall box whilst doing forward or reverse proxying as well. The ASA box can handle VPNs and NATting as well as being a solid hardware firewall.
As I said, whilst TMG is more than capable of handling those on its own, why not use the ASA if it’s there?
There are no two layers of NATting, just two different rules..
Re: TMG behind Cisco ASA
TMG is a more than capable firewall on its own but if you have an ASA box in front it should still be ok. Just create a 1-to-1 NAT rule to the TMG external interface and restrict the traffic to just ports 80 and 443.

September 18, 2012 at 7:37 am in reply to: Blocking specific sites without using any software #277180
Re: Blocking specific sites without using any software
I agree that it needs reinforcing from HR but there are certain expectations that can be achieved technically to ensure compliance.
With the wide range of open source proxy servers now (Inc Squid) you should be able to restrict that traffic (even if it’s https).
You could also create a DNS zone and equivalent firewall rules to block it that way, saving you the management headache of the Hosts file.
IMO a total ban of facebook wouldn’t worry me despite the freedom of internet argument. It’s becoming a bit of a religion which we could do with less of if I am honest.

September 18, 2012 at 6:30 am in reply to: Trying to get current logged in "Active Directory" User #277179
Re: Trying to get current logged in "Active Directory" User
Can you give us more info, i.e. what the VPN concentrator is and how it is configured to authenticate with AD (i.e. LDAP or RADIUS).
Re: Printing files to printers depending on filename
I haven’t used this in a while to give you any specifics but take a look at PCounter: http://www.pcounter-europe.com/
There is also a free component it uses called Qcontrol that might be able to help.
I have dealt with the company in the past and their development team do address any requirements you may have and include them in the next update.
Worth a look IMO.
Re: Weird DNS Issue
Any Events logged?
See if this helps : http://technet.microsoft.com/en-us/library/cc735852(v=ws.10).aspx
Re: Exchange 2010 email monitoring tool
Not sure what the exact requirements and your setup is but you won’t be able to pro-actively monitor e-mails once they leave your Exchange or before they hit your exchange server.
For issues related to your Exchange org you could use the mail flow tools in EMC,
or you could have an Edge Transport server or an equivalent third-party Exchange gateway such as the Sophos E-mail Appliance to further channel and control e-mail traffic.
Re: Internal mail security – smtp port
You can just restrict relaying in your Exchange server.
In terms of the Sophos mail appliance, that can just be set up as an upstream mail relay server and route e-mail in and out amongst other things.

June 21, 2012 at 12:03 pm in reply to: How migrate Windows 2000 sp4 files server to windows 2008 R2 #277170
Re: How migrate Windows 2000 sp4 files server to windows 2008 R2
Could use robocopy with the /SEC switch and re-share and apply share permissions again at the destination server.
Or use a third-party tool like Secure Copy (ScriptLogic) which is quite expensive but it does everything on the fly for you.

May 9, 2012 at 2:42 pm in reply to: Can you update clients Java, Adobe, Firefox through a GPO #277168
Re: Can you update clients Java, Adobe, Firefox through a GPO
To centrally manage the patch deployment, you can use any of the mentioned deployment methods, or you can have a look at LUP (Local Update Publisher) http://www.localupdatepublisher.com/ an open source alternative which uses the WSUS API and mechanism to deploy custom packages inc. updates for Flash etc.
Depending on your setup and the applications you use, I’d say it’s good practice to control the patch update process rather than let them update themselves.

May 3, 2012 at 3:31 pm in reply to: Configure WebReady and Direct File access from different sources #277167
Re: Configure WebReady and Direct File access from different sources
Well, a few things.
TMG can be equally a forward and a proxy.
UAG hasn’t got any Firewall capabilities, TMG handles that on its behalf.
TMG firewall rule also determines that UAG only acts as Reverse proxy.
UAG doesn’t do forward proxying.
Anyway as we are sidetracking a bit, my query was really around OWA virtual directories and WebReady policies. TMG and UAG were mentioned to give you a full picture of the setup but bear not much importance.

May 3, 2012 at 11:31 am in reply to: Configure WebReady and Direct File access from different sources #277166
Re: Configure WebReady and Direct File access from different sources

cruachan;258166 wrote:
I think this would probably be easier to do if things were the other way round, as TMG has much better firewalling capabilities than UAG but UAG is better at application publishing.
Hmm, Not sure about that..
UAG uses TMG as the underlying firewall. Whilst it is fully configurable as a standalone TMG it’s not recommended to be messed with as it is reserved for the rules generated by the UAG request.
In terms of application publishing, they are both reverse proxies that publish applications slightly differently, with UAG having some extended capabilities such as endpoint checking.. which doesn’t necessarily make it better at publishing .. just different.
This is the scenario we have in here and that’s not changing. It could have been two TMGs side-by-side but that’s not the point.

Quote:
A sneaky way of doing this might be to send requests for OWA etc from UAG to TMG and use a TMG rule to restrict the traffic. However I think this would only work if WebReady and Direct File Access use different virtual directories in IIS. Come to think of it, I’ve never looked at the feature in IIS7 but IIS6 could be told which IPs were allowed to access which virtual directories, so if they are different from OWA you could just deny access to the UAG IP address.
I’ll look into the IIS side. Thanks
Re: Install Rights
That’s a very good question actually but not straightforward to answer imo.
Because it depends on quite a few factors, the most important of which is how the program is coded:
Most programs are coded to write to various system folders and maybe even registry keys that Non-admin users would not have the write permissions.
Afaik there is no such thing as “Install rights”, it is just a combination of permissions on those locations that enable a user to be able to install software.
Some programs are coded so you don’t even need any specific permissions (Think of Portable apps).
One way of finding out how a specific program is coded to run would be to use ProcMon from Sysinternals and check for Access Denied results on directories and registry keys.
From a security perspective though, imagine the damage malware would cause if it could have access to key OS locations..

May 2, 2012 at 10:44 am in reply to: Suggestions on Centrally Managed AV/Spyware Products #277163
Re: Suggestions on Centrally Managed AV/Spyware Products
I would recommend Sophos. They cater for OSX as well.
The Endpoint agent includes a Web control option which does web filtering for about 16 categories which you could manage centrally.
But as you may notice you’ll get various responses based on what folks are used to working with.