SSL based VPN's are great. In short it is VPN without firewall or NAT issues (both of which you get with PPTP and IPSec VPN's). But SBS 2008 does not enable SSTP VPN's by default. It uses RRAS, so SSTP is possible, but it is not as easy as it first looks! The following is a brief guide to the steps. Exact step by step instructions are not included, as you should be someone with RRAS and certificates experience before approaching this, and if you are not but have a business need for SSTP VPN (and who doesn't!) then call C7 Solutions in the UK on 0845 257 1777 for help and assistance. This is not at all easy to configure and get working.
- Ensure that you have run the connecting to the internet wizard, and that you are using a third party certificate (as there are less steps if you do this). With the default self signed certificate SSTP will not work as the client on the internet will not be able to reach the certificate revocation location. Using the installed Certificate Services and creating your own issued certificate requires publishing to the internet the certificate revocation information and so adds steps that are not entirely necessary given that certificates are inexpensive and would cost less to buy than the time taken to go through all the extra steps needed with your own issued certificates.
- Enable remote access from the SBS Console > Network > Connectivity page and choose Configure a Virtual Private Network link under Connectivity Tasks on the right-hand side of the window.
- Add some SSTP ports to the VPN in the Routing And Remote Access management program. Right-click Ports and choose Properties and enable SSTP for remote access inbound connections and set the number of connections to a suitable number for your organization. Leave PPTP enabled as Windows XP does not support SSTP VPN tunnels (only Vista SP1 and later will do so).
- Create an MMC and add in the local computers Certificate snap-in. View the properties of your trusted certificate that you are using for Remote Web Workplace and note down the Thumbprint value of this certificate.
- Ensure that this certificate is associated with 0.0.0.0:443 and [::]:443 network bindings on the server. Type netsh http show ssl from elevated command prompt to get this information. You typically get four entries with IP:port being the first line of each. Check for IP:port reading "0.0.0.0:443" and [::]:443 as this shows the IPv4 and IPv6 mappings for SSL certificates on the server. Ignore the :8172 and :987 entries (these are for IIS Management Service and companyweb).
- If the certificate hash is not the same for both the remote web workplace certificate and the netsh bindings information in the previous two steps or if you are missing the IPv6 binding then you need to reset the bindings. If they are same then jump to step 7.
a) Ensure that the certificate bound to the remote web workplace is correct. From the client machine browse to http://remote.your_domain.com. You should be automatically forwarded to https://remote.your_domain.com/remote and the login page. If you get any certificate errors during this in the web browser you must fix them now before continuing.
b) If the certificate on the remote web workplace site is incorrect then run the Fix My Network wizard and the Set Up Your Internet Address wizard in the SBS Console (both found in the Network > Connectivity > Connectivity Task pane).
c) Repeat the test in step a and if the certificate that is now associated with the site is incorrect also run the Add A Trusted Certificate wizard which is found in the same place as above. This step should not be needed if a trusted certificate has already been installed on the server and it matches the remote.your_domain.com name and the wizards in step b will associate the correct certificate to the website.
d) From an elevated command prompt delete the certificate binding for IPv4 by typing netsh http delete sslcert ipport=0.0.0.0:443. The binding should be deleted successfully.
e) From an elevated command prompt delete the certificate binding for IPv6 by typing netsh http delete sslcert ipport=[::]:443. The binding should be deleted successfully if an IPv6 binding existed, otherwise expect to see an error which can be ignored.
f) Delete the certificate binding in the RRAS configuration by deleting these registry keys, if they exist, "HKLM\ System\ CurrentControlSet\ Services\ Sstpsvc\ Parameters\ Sha256CertificateHash" and "HKLM\ System\ CurrentControlSet\ Services\ Sstpsvc\ Parameters\ Sha1CertificateHash"
g) Connect the correct certificate to the IPv4 and IPv6 bindings by typing the following entries from an elevated command prompt where xxx is the certificate hash of the trusted certificate used for the Remote Web Workplace. netsh http add sslcert ipport=0.0.0.0:443 certhash=xxx appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY and netsh http add sslcert ipport=[::]:443 certhash=xxx appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY.
h) Close any open copy of IIS Manager and restart the program. Ensure that the bindings for the SBS Web Applications site is correctly bound to your trusted remote web workplace certificate.
i) Note that binding SSTP to the IPv4 and IPv6 listeners on port 443 will cause TS Gateway administration to display error messages (specifically that the certificate is not bound and that the IIS web site is not configured). These errors can be ignored on SBS 2008 but if you click the links to fix the errors then all will work fine. The only condition is that this fixing of errors must be done after SSTP is configured correctly (so ensure SSTP connectivity works and then come back to this step to fix). Future changes to the certificate in IIS or TS Gateway might break the SSTP binding. - From a client machine browse to https://remote.your_domain.com/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ and ensure that no errors occur. Note that you will not see anything in the web browser. View the properties of the certificate, specifically the CRL Distribution Points (CDP) value. Note that you should not have got any certificate errors when browsing to this site and if you did you need to resolve them before continuing further in these steps.
- Browse to the CDP URL in the above certificate - you should be able to reach this location on the web without error. The web browser should attempt to download the CDP file.
- On a Vista (SP1 or later) or Windows 7 client create a new VPN connection and in properties of the connection object choose the Security tab and ensure that the Type of VPN is set to SSTP. For regular everyday use set this to Auto, and it will find a working protocol (starting with PPTP) and so if PPTP does not work due to NAT or firewall/proxy issues SSTP will be tried and succeed (but for testing set the VPN connection specifically to SSTP). Also ensure that the name of the server you are connecting to is the same name that the certificate uses for the certificate common name.
- Connect the VPN and all should work. Errors regards certificate trust will appear if you have used the self issued certificate, even if you have added the certificate to your certificate store and have the certificate working in Internet Explorer. Once you have connected you can confirm from the RRAS management console that you are connected over an SSTP VPN connection. To confirm this click Ports in the RRAS management console and the active connection should be utilizing an SSTP port.
- Congratulate yourself on getting this far - this is not easy!
Labels: networking, pki, sbs 2008, sstp, vpn
permalink posted by Brian Reid : 11:54 AM
0 comments 
Thirty days after installing Essential Business Server 2008 your licence restrictions take effect. This means that users are shown as unlicenced in the EBS Management Console will only be able to log into licenced devices (as shown in the EBS Management Console as well). Only licenced users will be able to log into any computer on the network (unless group policy restrictions so limit them).
The licencing enforcement is implemented by the Log On To restriction on the user account. This restriction (on the Account tab of the users object in Active Directory Users and Computers administration program) lists the workstations, by NetBIOS name, that the user can log into and all unlicenced users will have a list of device licenced machines. All licenced users will be set to allow them to log into any workstation. This list is reset at a regular basis each day, but if you are approaching 30 days since installation get your user and device licences correct, don't miss anyone or any shared device off the list or they will not be able to login or the shared computer will not be accessable to any of the unlicenced users.
Labels: ebs 2008, sbs 2008, windows
permalink posted by Brian Reid : 12:40 PM
0 comments
A recent installation of a second SharePoint site on Small Business Server 2008 broke the Remote Web Workplace site for access from the internet. Intranet access to the site worked fine, but from the internet where the http request to the site is redirected to https had stopped working.
Opening up IIS 7 Manager and checking the bindings of the SBS Web Applications site showed that the site had two http bindings and a https binding. The https binding was for * under IP Addresses and port 443. Clicking the Edit button on this binding showed that the certificate was not correct. This was the reason the site was not working, as a https site requires a certificate.
So I selected the correct certificate and clicked OK. And got the following error:
A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)
The reason is that the installation of the SharePoint site, and the installation of the certificate to support that site broke the binding for the TS Gateway role on the Windows 2008 machine. The broken binding on the SBS Web Applications site was because of this broken TS Gateway configuration and to fix the above error in IIS required fixing the TS Gateway issue. Note that at no point in the configuration of the SharePoint application was the TS Gatway role configuration changed - the installation of another certificate on the server broke the TS Gatway which broke the Remote Web Workplace SBS Web Applications site.
Opening Server Manager and navigating to the Roles/Terminal Services/TS Gateway/Servername area showed a message in the middle pane of the Server Manager saying that configuration of the TS Gateway was not complete. Clicking this link brought up the TS Gateway SSL Certificate page of the Properties dialog. Click Browse Certificates and select the correct certificate. In SBS 2008 this will be the Remote Web Workplace certificate. Click OK to close the dialog and you will now be able to check the https binding on the SBS Web Applications website. The error will now not occur, and the https binding will be bound to the correct certificate.
If you are not running SBS 2008 then the above is possible, just it is more likely to be a problem with the Default Web Site bindinging instead.
Additionally, I noticed after I had written the above that this error also occurs if you delete the certificate used by the TS Gateway from the IIS box and as well as breaking TS Gateway (which would be expected) it also breaks the "Add a trusted certificate" wizard in the SBS Server Console. The Add a trusted certificate wizard crashes when started with just a failed application message and nothing in the event log. To fix make sure the SBS Web Application IIS site is bound to a valid digital certificate.
Labels: 2008, https, iis, remote web workplace, rww, sbs 2008, terminal server, ts gateway, windows
permalink posted by Brian Reid : 9:55 AM
0 comments
I found the other week that my Hyper-V server, running Server Core and nothing else was restarting all of its own accord. As this is just a server at home, and the monitor is switched off 99% of the time I had not noticed it blue screening.
So looking in the event log (remotely of course, as it was running Server Core) to see why, I noticed it had done the same thing every day at a few minutes past 1pm - one of my scheduled backup times during the day.
I was getting Event ID 1001 at about 1:03pm each day. So I changed the time of the backup (using Windows Server Backup, command line) to 11pm and I got 1001 bugchecks at 11:03pm each day.
There was nothing else recorded in the event log, apart from the usual system start/TCP-IP etc messages and no clue as to the reason for the failure. All I had was the BugCheck, an example being 0x0000007e (0xffffffffc0000047, 0xfffff80003676b48, 0xfffffa60019ff5c0, 0xfffffa60019ff660.
A bit of research later, and ignoring most of the posts regards VSS and Hyper-V I came across http://support.microsoft.com/kb/958662/en-us and http://support.microsoft.com/kb/960038/en-us (the latter of these is a hotfix) which I applied and solved the problem.
It would seem that Hyper-V and VSS based backups have an issue with some backups if a virtual machine is in a running state. It is possible to save the Hyper-V guest machine and then back it up without issue, but of course this kicks people of the virtual machine - a bit pointless really unless its a development machine. To turn off backup for a Hyper-V machine, so that the server does not bluescreen then either disable the Backup (volume snapshot) option in the guest machine settings, under Integration Services or install the hotfix and reboot once.
permalink posted by Brian Reid : 3:57 PM
0 comments
The Microsoft Dynamics CRM 4.0 Outlook client software, when installed on a terminal server (Microsoft or Citrix) results in the CRM toolbar (which is part of the CRM Outlook Add-in) appearing for all users of the server regardless of whether or not they require the functionality of CRM and irrespective of whether or not they have an account on the CRM system.
The CRM toolbar appears because the Outlook CRM Add-in is loaded, and the add-in is loaded because of the following registry key:
HKCU\Software\Microsoft\Office\Outlook\Addins\crmaddin.addin
Removal of this key from the users' registry stops the add-in appearing under Outlook and stops the add-in loading. There is though one problem with this. At the users login a program runs that recreates this key if it is missing, so that registry key needs to be removed as well. This one is:
HKLM\SOFTWARE\Microsoft\Windows\Current Version\run and the deletion of the MSCRM value (keeping a copy of the data in this value for later).
For all users logging into a computer running the CRM Outlook client would now only get the add-in if the first registry key above exists, so existing CRM users are not affected by this change. Remove the first registry key above from any user who does not use CRM and remove the second key one from the machine and all new users will not get CRM. To give new users the CRM Outlook add-in just run the command line that was the data of the MSCRM registry value (where x is the drive where the CRM software is installed):
x:\program files\microsoft dynamics
crm\client\configwizard\crmforoutlookinstaller.exe /activateaddin
All the above works fine on a standard client, but if you need to do the above on a terminal server then you need to be aware of the shadow copy of the registry keys that terminal servers use to create the initial users profile the first time they login. Because the CRM client is initially installed with the CHANGE USER /INSTALL command active the registry stores a copy of the first registry key above so that it can be applied to users when their profile is created. This registry key needs to be removed as well. You will find this key at:
HKLM\SOFTWARE\Microsoft\Windows NT\Terminal
Server\Install\Software\Microsoft\Office\Outlook\Addins\crmaddin.addin
Note that you do not need to be in change user install mode when you make this change, as we are not uses these changes to affect existing user profiles, just stopping new user profiles from loading the CRM add-in if they do not need to. To change existing user profiles just delete the first registry key above from their profile using a script or manual action or whatever method you prefer. Of course you will need to have done the other steps above before this or the registry key will be recreated the next time they login.
Labels: citrix, crm, terminal server
permalink posted by Brian Reid : 9:43 AM
0 comments
Remote Web Workplace (RWW) is a feature of Windows Essential Business Server 2008 (WEBS) and Small Business Server 2008 (SBS). Both of these operating systems provide a web portal to view internal resources such as Outlook Web Access (OWA), SharePoint and Remote Desktop to your own PC.
I have noticed on a number of installations the following error:
There is a problem in Remote Web Workplace. A logon error occurred: There is a problem communicating with the Outlook Web Access server.
There are two reasons for this that I know about. The outcome of this for the user is a popup with the above error in it when clicking the E-Mail or SharePoint link within RWW.
The first is if you have changed the URL of your RWW site then the Single Sign-On (SSO) functionality is configured to connect to the old URL and so fails. The second reason is if the external URL for RWW is not accessible internally (for example if the internal Active Directory DNS name is the same internally and externally and the internal DNS zone does not have an A record for the RWW URL).
To fix the first issue you need to make a backup of the web.config file located in "c:\program files\Windows Essential Business Server\Bin\webapp\Remote" and then edit this file (using Notepad or the like) so that the ssoApplications node reads as follows:
<wssg>
<ssoapplications>
<ssoapplication application="OutlookWebAccess" servername="remote.fabrikam.com">
</ssoapplications>
Where the serverName value is correct for your environment. Note also that if SharePoint is installed and the Company Web link appears on RWW, this XML node will contain some Sharepoint information that will need changing too.
To fix the second issue you need to add an A record to your internal DNS that points to your RWW site and to use the external IP address of this site. If your internal AD/DNS zone is the same as your external zone (i.e. fabrikam.com in the above example) then create a new A record for remote.fabrikam.com on an internal DNS server that has the external IP address of the site as IP address. If you internal and external DNS zones are separate ensure that the SBS server or the WEBS Messaging Server resolve the external value correctly.
If neither of these solve your problems with RWW then the place to look is the RWW debug log file. This is located in "c:\program files\Windows Essential Business Server\Logs\WebWorkplace\w3wp" and you need to read the bottom of the file to find the most recent login error (search the file from the bottom upwards for the word "error").
The above two problems where solved based on the errors found in this debug log file.
Labels: ebs 2008, rww, sbs 2008
permalink posted by Brian Reid : 9:10 PM
0 comments
Archive
March 2005
July 2005
February 2006
May 2006
November 2006
March 2007
May 2007
June 2007
August 2007
April 2008
May 2008
June 2008
September 2008
October 2008
November 2008
January 2009
February 2009
March 2009
April 2009
May 2009
June 2009
July 2009