Creating a NO-REPLY email address on exchange 2010

September 25, 2012

Last week we got a call to create a NO-REPLY email address for our administration department. They want to send information to students and parents, but not from their own email addresses, and they do not need to receive replies. It's one-way information.

Let's get started on how we got this to work. Start ADUC and create a new user:

Open your Exchange Management Console and create a new mailbox.

Select the NO-REPLY user we’ve just created.

Make sure you check that the NO-REPLY email address is correct.

Close these settings and open ADUC to create a new security group.

Make sure you add to this group all users that need to send email as NO-REPLY@……..

Open the properties of the NO-REPLY user and choose the Security tab.

Now add the NO-REPLY Email Users group.

Make sure you set the SEND AS permission to ALLOW for that group (and only that group, so the address cannot be used by every mailbox user).

Select OK and wait. It can take up to TWO hours before this works (due to Exchange caching).

Let's finish off by creating a transport rule. This returns a rejection message to anyone who sends email to NO-REPLY@…..

Open your Exchange Management Console, go to Transport Rules and choose Create Transport Rule.

Condition: choose SENT TO PEOPLE and enter NO-REPLY@…..

Actions: Send rejection message to sender with enhanced status code.

Enter a suitable return message and choose code 5.7.1.

Now you're done. Start Outlook (with a user account that is a member of the NO-REPLY Email Users group), create a new mail, change the FROM field to NO-REPLY@…….. and TEST, TEST, TEST.
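The same setup as an Exchange Management Shell script, added here as an example (it is not from the original post). The domain and OU are placeholders, and the NO-REPLY Email Users security group is assumed to exist already, created in ADUC as described above.

```powershell
# Added example, not from the original post: the NO-REPLY setup from the Exchange 2010
# Management Shell. Domain and OU are placeholders; the "NO-REPLY Email Users" security
# group is assumed to exist already (created in ADUC as in the post).
$domain = "example.com"                  # placeholder: your accepted SMTP domain
$ou     = "example.com/Service Accounts" # placeholder: OU for the NO-REPLY user
$group  = "NO-REPLY Email Users"         # security group from the post

# 1. Mailbox-enabled user. Nobody should ever log on as NO-REPLY, so give it a random
#    password that is thrown away immediately.
$pw = ConvertTo-SecureString ([guid]::NewGuid().ToString()) -AsPlainText -Force
New-Mailbox -Name "NO-REPLY" -Alias "no-reply" -UserPrincipalName "no-reply@$domain" `
    -OrganizationalUnit $ou -Password $pw -ResetPasswordOnNextLogon $false

# 2. Send As for the group only (the ALLOW checkbox on the Security tab). Granting it
#    to a broader principal would let any mailbox user send as this address.
Add-ADPermission -Identity "NO-REPLY" -User $group -ExtendedRights "Send As"

# 3. Transport rule: anything addressed to NO-REPLY is rejected with a 5.7.1 NDR.
New-TransportRule -Name "Reject mail sent to NO-REPLY" -SentTo "no-reply@$domain" `
    -RejectMessageReasonText "This address does not accept replies." `
    -RejectMessageEnhancedStatusCode "5.7.1"

# Check who holds Send As on the object. Exchange caches permissions, so the
# effect in Outlook can lag the output of this command by a couple of hours.
Get-ADPermission -Identity "NO-REPLY" |
    Where-Object { $_.ExtendedRights -like "*Send-As*" -and -not $_.IsInherited } |
    Select-Object User, Deny
```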

Configuring TMG NLB Array with HP Network Configuration Utility on Cisco 4506

June 29, 2012

Recently we migrated our edge Forefront TMG Standard machine to a Forefront TMG Enterprise standalone array, to create redundancy for incoming traffic (NLB) and outgoing traffic (ISP-R). We bought 2 HP DL360 G7 servers with 24GB memory, 4 x 300 SAS disks and 2 x quad-core CPUs to support 3500 users (in theory). Little information was to be found on how to configure NLB if you have 2 Cisco 4506 core switches, so I thought I'll write it down. The setup looks like this:

Port-channel 1 is used between the 2 core switches and all VLANs are allowed on this trunk. Port-channel 2 is configured between the 4506 and the TMG-FE-x server. VLAN 10 and 11 are used for internal traffic (let's say student and teacher traffic). VLAN 50 is used for the DMZ subnet (the web server runs here). VLAN 100 is the internet connection from ISP1 and VLAN 101 is the internet connection from ISP2. We are going to configure NLB for VLAN 10, 11, 50 and 100. We chose not to use it for ISP2 (VLAN 101). VLAN 99 is used for the intra-array adapter between the TMGs.

Start off by running the HP Network Configuration utility on TMG-FE-1 and TMG-FE-2 and configure it like this:

Define VLAN 10 and 11 on TMG-FE-1 teaming interface (configured on port-channel 2)

Define VLAN 10 and 11 on TMG-FE-2 teaming interface (configured on port-channel 2)

The IP addresses for TMG-FE-1 are: VLAN 50 = 10.10.50.2, VLAN 100 = 100.100.100.2, VLAN 101 = 101.101.101.2.

The IP addresses for TMG-FE-2 are: VLAN 50 = 10.10.50.3, VLAN 100 = 100.100.100.3, VLAN 101 = 101.101.101.3.

Now it's time to configure the first core switch (the left one):

interface Port-channel1
description 20GB connection to other Core
switchport
switchport mode trunk
switchport nonegotiate

interface Port-channel2
description 2GB connection to TMG-FE-1
switchport
switchport trunk allowed vlan 10,11
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk

interface TenGigabitEthernet1/1
description Uplink to other Core 20Gb Channel
switchport mode trunk
switchport nonegotiate
logging event link-status
udld port aggressive
flowcontrol receive off
channel-group 1 mode on
!
interface TenGigabitEthernet1/2
description Uplink to other Core 20Gb Channel
switchport mode trunk
switchport nonegotiate
logging event link-status
udld port aggressive
flowcontrol receive off
channel-group 1 mode on

interface GigabitEthernet5/1
description Connection to TMG-FE-1
switchport trunk allowed vlan 10,11
switchport mode trunk
switchport nonegotiate
logging event link-status
channel-group 2 mode on
spanning-tree portfast trunk

interface GigabitEthernet5/11
description Connection from TMG-FE-1 to ISP2
switchport access vlan 101
switchport mode access
switchport nonegotiate
spanning-tree portfast

interface GigabitEthernet5/13
description Connection to TMG-FE-1 (Array NIC)
switchport access vlan 99
switchport mode access
switchport nonegotiate
spanning-tree portfast

interface GigabitEthernet6/1
description Connection to TMG-FE-1
switchport trunk allowed vlan 10,11
switchport mode trunk
switchport nonegotiate
logging event link-status
channel-group 2 mode on
spanning-tree portfast trunk

interface GigabitEthernet6/10
description Connection from TMG-FE-1 to ISP1
switchport access vlan 100
switchport mode access
switchport nonegotiate
spanning-tree portfast

interface GigabitEthernet6/12
description Connection to TMG-FE-1 (DMZ NIC)
switchport access vlan 50
switchport mode access
switchport nonegotiate
spanning-tree portfast

Config for the second core:

interface Port-channel1
description 20GB connection to other Core
switchport
switchport mode trunk
switchport nonegotiate

interface Port-channel2
description 2GB connection to TMG-FE-2
switchport
switchport trunk allowed vlan 10,11
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk

interface TenGigabitEthernet1/1
description Uplink to other Core 20Gb Channel
switchport mode trunk
switchport nonegotiate
logging event link-status
udld port aggressive
flowcontrol receive off
channel-group 1 mode on
!
interface TenGigabitEthernet1/2
description Uplink to other Core 20Gb Channel
switchport mode trunk
switchport nonegotiate
logging event link-status
udld port aggressive
flowcontrol receive off
channel-group 1 mode on

interface GigabitEthernet5/1
description Connection to TMG-FE-2
switchport trunk allowed vlan 10,11
switchport mode trunk
switchport nonegotiate
logging event link-status
channel-group 2 mode on
spanning-tree portfast trunk

interface GigabitEthernet5/11
description Connection from TMG-FE-2 to ISP2
switchport access vlan 101
switchport mode access
switchport nonegotiate
spanning-tree portfast

interface GigabitEthernet5/13
description Connection to TMG-FE-2 (Array NIC)
switchport access vlan 99
switchport mode access
switchport nonegotiate
spanning-tree portfast

interface GigabitEthernet6/1
description Connection to TMG-FE-2
switchport trunk allowed vlan 10,11
switchport mode trunk
switchport nonegotiate
logging event link-status
channel-group 2 mode on
spanning-tree portfast trunk

interface GigabitEthernet6/10
description Connection from TMG-FE-2 to ISP1
switchport access vlan 100
switchport mode access
switchport nonegotiate
spanning-tree portfast

interface GigabitEthernet6/12
description Connection to TMG-FE-2 (DMZ NIC)
switchport access vlan 50
switchport mode access
switchport nonegotiate
spanning-tree portfast

Once you have finished installing and configuring Forefront on both machines (not covered here; maybe in another post one day) and have networks defined for VLAN 10, 11 and 50, it's time to configure NLB. Select the VLAN 10 network and choose Configure Load Balanced Networks. Select the appropriate network (VLAN 10) and select Configure NLB. Now configure your primary NLB VIP address: 10.10.10.1. Choose MULTICAST. Repeat the same action for VLAN 11 (IP address 10.10.11.1), for VLAN 50 (IP address 10.10.50.1) and for VLAN 100 (IP address 100.100.100.1). If you need more VIPs for extra services like OWA or MAIL, enter them here.

Note: We ran into problems when enabling MULTICAST NLB for VLAN 100. It worked when we placed a workstation in VLAN 100, but it did not work from any other external subnet (different ISPs). I think it can be solved by asking your ISP to configure static ARP entries on their router that point to your VLAN 100 NLB VIPs. We chose to configure VLAN 100 as a UNICAST NLB. That worked all right.

There is still one thing to do on our Cisco 4506 core switches: creating static ARP entries to avoid flooding on the cores. So we need to find out the multicast MAC addresses and unicast MAC addresses of our VIPs. Open a command prompt on the TMG server and run: nlb ip2mac 10.10.10.1, nlb ip2mac 10.10.11.1, nlb ip2mac 10.10.50.1, nlb ip2mac 100.100.100.1. A multicast MAC address will start with 03:bf and a unicast MAC address with 02:bf; the remaining four bytes are the four octets of the VIP in hexadecimal. If you are good at converting decimal values to hexadecimal you can do it yourself fairly easily: decimal 10 = hexadecimal 0a, decimal 100 = hexadecimal 64, and so on. Our VIPs look like:

IP 10.10.10.1 = MAC 03:bf:0a:0a:0a:01
IP 10.10.11.1 = MAC 03:bf:0a:0a:0b:01
IP 10.10.50.1 = MAC 03:bf:0a:0a:32:01
IP 100.100.100.1 = MAC 02:bf:64:64:64:01

Configure the 4506 core switches with static ARP entries (only needed for the multicast VIPs):

arp 10.10.10.1 03bf.0a0a.0a01 ARPA
arp 10.10.11.1 03bf.0a0a.0b01 ARPA
arp 10.10.50.1 03bf.0a0a.3201 ARPA

To avoid flooding this traffic out of all ports we must tweak it some more, pinning each multicast MAC to the ports that actually need it:

mac address-table static 03bf.0a0a.0a01 vlan 10 interface Po1 Po2
mac address-table static 03bf.0a0a.0b01 vlan 11 interface Po1 Po2
mac address-table static 03bf.0a0a.3201 vlan 50 interface Po1 Gi6/12
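As an added example (not from the original post), a PowerShell function that derives the NLB cluster MAC from a VIP the same way described above and prints the matching Cisco arp and mac address-table lines. The VIPs, VLANs and port lists are the ones from this post; the function names are my own.

```powershell
# Added example, not from the post: derive NLB cluster MACs from a VIP and emit the
# static ARP / MAC table lines for the core switches. Function names are hypothetical.
function Get-NlbMac {
    param(
        [Parameter(Mandatory)][string]$Vip,
        [ValidateSet('Multicast', 'Unicast')][string]$Mode = 'Multicast'
    )
    $octets = $Vip.Split('.') | ForEach-Object { [int]$_ }
    if ($octets.Count -ne 4 -or ($octets | Where-Object { $_ -lt 0 -or $_ -gt 255 })) {
        throw "Not an IPv4 address: $Vip"
    }
    # NLB prefixes: 03-bf for multicast mode, 02-bf for unicast mode; then the VIP octets.
    $prefix = if ($Mode -eq 'Multicast') { @(0x03, 0xbf) } else { @(0x02, 0xbf) }
    $hex = ($prefix + $octets) | ForEach-Object { '{0:x2}' -f $_ }
    [pscustomobject]@{
        Vip      = $Vip
        Mode     = $Mode
        Mac      = ($hex -join ':')                   # e.g. 03:bf:0a:0a:0a:01
        CiscoMac = ('{0}{1}.{2}{3}.{4}{5}' -f $hex)   # e.g. 03bf.0a0a.0a01
    }
}

function New-NlbCoreConfig {
    # $Vips maps VIP -> @{ Vlan; Ports; Mode }. Static entries are only generated for
    # multicast VIPs, matching the post; unicast VIPs are reported as a comment line.
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Vips)
    foreach ($vip in $Vips.Keys) {
        $v = $Vips[$vip]
        $m = Get-NlbMac -Vip $vip -Mode $v.Mode
        if ($v.Mode -eq 'Multicast') {
            "arp $vip $($m.CiscoMac) ARPA"
            "mac address-table static $($m.CiscoMac) vlan $($v.Vlan) interface $($v.Ports)"
        } else {
            "! $vip is unicast NLB (MAC $($m.Mac)); no static core entry in this setup"
        }
    }
}

# Constructed input: the VIPs, VLANs and port lists from this post.
$vips = [ordered]@{
    '10.10.10.1'    = @{ Vlan = 10;  Ports = 'Po1 Po2';    Mode = 'Multicast' }
    '10.10.11.1'    = @{ Vlan = 11;  Ports = 'Po1 Po2';    Mode = 'Multicast' }
    '10.10.50.1'    = @{ Vlan = 50;  Ports = 'Po1 Gi6/12'; Mode = 'Multicast' }
    '100.100.100.1' = @{ Vlan = 100; Ports = 'Po1 Gi6/10'; Mode = 'Unicast' }
}
New-NlbCoreConfig -Vips $vips
```

Compare the output against what nlb ip2mac prints on the TMG server before pasting anything into the switch; a typo in a static MAC entry black-holes the VIP on that VLAN.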

Now you are done. I hope it was helpful somehow; feel free to comment.

Allowing Ipad Youtube App through TMG Forefront

June 18, 2012

Recently we migrated to a Cisco LAN and WLAN environment. Our school board decided to use iPads for our employees and students. As in any school, YouTube is (too) often used. Playing videos in the browser works fine, but when we tested the YouTube app we got an error message. Let's check our Forefront logging and reporting tool:

It seems to be an error: 10053 An established connection was aborted by the software in your host machine.

Use the following steps to fix this:

Let's check our log again:

Yup, it works.

Allowing Alvira Epoint 5100 cash dispenser traffic through TMG

October 13, 2011

Recently our students got cash cards with a Mifare chip to use with our follow-you printing system. Our students need to pay for their printing, so we decided to buy a couple of Alvira Epoint 5100 cash dispensers.

Let's get this to work behind a TMG firewall. These settings are used for Dutch transactions (Equens). First create custom protocols in the TMG:

Port 2601 TCP outbound and port 54095 TCP outbound.

Then create one computer set or 3 computer objects:

Equens1 IP : 82.195.48.7

Equens2 IP : 82.195.52.1

Equens3 IP : 87.213.38.194

Finish off by creating a firewall rule that allows these 2 protocols from the cash dispensers to the computer(set) with ALL USERS. Test it and you're done.

Wireshark: Eliminating NBNS

March 14, 2011

If you work with Wireshark it's good to sniff around on all your VLANs now and then. You might be surprised what you'll find. Today I checked some student VLANs and found a lot of machines that were very "chatty", also with server names that no longer exist in the network.

It seems there are a lot of NBNS packets on the wire. The NetBIOS Name Service (NBNS) translates human-readable names to IP addresses (much like DNS), and in modern networks it is not needed anymore. Since we are running a Windows 2008 R2 network with Windows XP SP3 workstations and do NOT have applications that depend on it, we are going to eliminate it.

On the workstations

In the advanced properties of the network card you can change the NetBIOS value.

By default it's Enabled and controlled via the DHCP scope. Let's disable this value and add an extra option to the DHCP scopes. You need to add option 001 to the scope with a value of 0x2.

On the server side

If you are absolutely sure that you don't need NetBIOS/WINS and you do not have any applications that rely on it, you can eliminate NetBIOS by changing the NetBIOS property on the NICs. When that is done, fire up Wireshark again and check whether any NBNS traffic is still on the wire.
