The ranting of an IT Professional:

Security

Sep 30 2009   1:42PM GMT

Warning message when you start Outlook 2007 and then connect to a mailbox that is hosted on an Exchange 2007 server: Security certificate is invalid.



Posted by: Jason Tramer
outlook 2007, outlook, Exchange, 2007, ssl, Security, certificate, warning, internal

I encountered this issue when setting up an Exchange 2007 environment. After I installed the SSL cert for OWA, all of the users using Outlook 2007 reported that they got a certificate warning when opening Outlook internally.

A co-worker of mine found this support article which fixed the issue and saved my bacon.

SYMPTOMS
When you start Microsoft Office Outlook 2007 and then connect to a mailbox that is hosted on a mailbox server that is running Microsoft Exchange Server 2007, you receive the following security warning message:

The name of the security certificate is invalid or does not match the name of the site.

CAUSE
This issue occurs when you replace the default self-signed Exchange 2007 certificate with a different certificate.

By default, the URL stored in the Autodiscover Service Connection Point and in the InternalUrl attributes of the Exchange web services references the NetBIOS name of the server. For example, a URL that resembles the following URL is stored:

https://NetBIOS_name.contoso.com/autodiscover/autodiscover.xml

This may differ from the host name that is used in the FQDN of the replacement certificate. For example, the replacement certificate may have an FQDN that resembles the following FQDN:

mail.contoso.com

This issue causes a name mismatch error to occur. Therefore, you receive the security warning message when you try to connect Outlook 2007 to the mailbox.

RESOLUTION
To resolve this issue, modify the URLs for the appropriate Exchange 2007 components. To do this, follow these steps:
1. Start the Exchange Management Shell.
2. Modify the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in the Active Directory directory service. To modify this URL, type the following command, and then press ENTER:

Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml

3. Modify the InternalUrl attribute of the EWS. To do this, type the following command, and then press ENTER:

Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx

4. Modify the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press ENTER:

Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab

5. Modify the InternalUrl attribute of the UM Web service. To do this, type the following command, and then press ENTER:

Set-UMVirtualDirectory -Identity "CAS_Server_Name\unifiedmessaging (Default Web Site)" -InternalUrl https://mail.contoso.com/unifiedmessaging/service.asmx

6. Open IIS Manager.
7. Expand the local computer, and then expand Application Pools.
8. Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.

Source: http://support.microsoft.com/kb/940726
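A check worth running after step 8, added here as an example and not taken from the KB article or the post: it pulls every internal URL that Outlook 2007 learns through Autodiscover and compares the host name in each against the names on the certificate bound to IIS, which is exactly the comparison Outlook makes before showing the warning. It assumes the Exchange 2007 Management Shell; "mail.contoso.com" is the KB's placeholder for the host name on the replacement certificate, and the script assumes no wildcard certificate.

```powershell
# Added verification script; not part of KB 940726 or the blog post.
# Assumes the Exchange 2007 Management Shell. "mail.contoso.com" is the KB's
# placeholder for the host name on the replacement certificate; substitute your own.
$ExpectedHost = "mail.contoso.com"

# Host names covered by the certificate(s) bound to IIS (subject plus SAN entries).
# Assumes no wildcard certificate; a "*.contoso.com" entry would need its own check.
$certNames = Get-ExchangeCertificate |
    Where-Object { $_.Services -match "IIS" } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString().ToLower() }

# Every internal URL Outlook 2007 learns via Autodiscover, tagged with its component.
# These are the same four objects the Set-* commands above modify.
$urls = @()
$urls += Get-ClientAccessServer |
    Select-Object @{Name='Component';Expression={'Autodiscover SCP'}},
                  @{Name='Url';Expression={$_.AutodiscoverServiceInternalUri}}
$urls += Get-WebServicesVirtualDirectory |
    Select-Object @{Name='Component';Expression={'EWS'}},
                  @{Name='Url';Expression={$_.InternalUrl}}
$urls += Get-OABVirtualDirectory |
    Select-Object @{Name='Component';Expression={'OAB'}},
                  @{Name='Url';Expression={$_.InternalUrl}}
$urls += Get-UMVirtualDirectory |
    Select-Object @{Name='Component';Expression={'UM'}},
                  @{Name='Url';Expression={$_.InternalUrl}}

# Skip null entries (e.g. no UM virtual directory when UM is not installed).
foreach ($entry in ($urls | Where-Object { $_ -ne $null })) {
    if ($entry.Url -eq $null) {
        Write-Warning ("{0}: no internal URL is set" -f $entry.Component)
        continue
    }
    $urlHost = ([System.Uri]$entry.Url).Host.ToLower()

    if ($certNames -notcontains $urlHost) {
        # This name mismatch is what produces the Outlook warning.
        Write-Warning ("{0}: {1} uses host '{2}', which is not on the IIS certificate" -f `
            $entry.Component, $entry.Url, $urlHost)
    }
    elseif ($urlHost -ne $ExpectedHost.ToLower()) {
        Write-Host ("{0}: host '{1}' is on the certificate but is not the expected {2}" -f `
            $entry.Component, $urlHost, $ExpectedHost)
    }
    else {
        Write-Host ("{0}: OK ({1})" -f $entry.Component, $entry.Url)
    }
}
```

A URL that still reports the NetBIOS host after the Set-* commands usually means the wrong CAS identity was used or the Autodiscover application pool has not been recycled yet; Outlook also caches Autodiscover results, so a restart of the client may be needed before the warning disappears.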


Sep 16 2009   3:57PM GMT

Cisco adopting strategies to compete in the small business line



Posted by: Jason Tramer
Cisco, ASA, UC500, router, firewall, SMB, small business, Wireless

Cisco is almost synonymous with big business in the network infrastructure market but recently they have really been working to make themselves more friendly to the SMB market.

Here is a good article about that:

 http://www.channelregister.co.uk/2009/09…

Working at a consulting company that is a Cisco partner and has a large focus on small business, I find that there are a lot of great Cisco products in the price range my clients look for.

The ASA 5505, for example, is a great little firewall with a lot of good features, and the price is right on the mark and often cheaper than equivalent Watchguard and Sonicwall products. As well, the UC500 Integrated Services VoIP router is a great solution for a small business that wants a voice solution at a reasonable cost, particularly if they need a primary router/firewall and/or small wireless solution in any case.


Sep 11 2009   1:37PM GMT

Improvements in Watchguard 11 quick setup wizard



Posted by: Jason Tramer
WatchGuard, quick setup wizard, 11 XTM, DHCP

One thing that Watchguard did well in their new software version was to include the option to enable DHCP as part of the quick setup wizard. Here is why this is great. Previously you would start up your Watchguard in safe mode and hook your computer to it. You would then get an IP address from it (10.0.0.2) which you could use to start your quick setup wizard. You would then configure the internal interface with the IP you actually wanted and then reboot the Watchguard. However, previously DHCP was always off, meaning you would then have to go and manually configure an IP address on your machine to match what you had configured the internal interface as, if you wanted to continue. Needless to say this was a pain in the butt.


Sep 10 2009   6:52PM GMT

Upgrading to Watchguard Fireware 11



Posted by: Jason Tramer
WatchGuard, Fireware, firebox, XTM, Upgrade, 10.2, 11

In reviewing the release notes on the site and speaking to a Watchguard rep, the best upgrade path to the new Fireware XTM version 11 is by first upgrading your existing Firebox to version 10.2.9 and then upgrading to 11.

Upgrading directly from any version below 10.2.9 is not recommended and could cause the Fireware image to become corrupted.


Aug 28 2009   4:48PM GMT

WPA-TKIP is completely broken



Posted by: Jason Tramer
Security, Wireless, encryption, WPA, tkip, cracked, broken

Check it out:

http://jwis2009.nsysu.edu.tw/location/paper/A%20Practical%20Message%20Falsification%20Attack%20on%20WPA.pdf

This is serious stuff. If you are currently using this you should definitely switch to something more secure ASAP.


Aug 20 2009   1:33PM GMT

Fireware 11 has been released!



Posted by: Jason Tramer
WatchGuard, bugs, known issue, Fireware, 11, 12

So in the past I have criticized Watchguard a tad when they constantly give me the answer that my issue is a known bug and will be fixed in the next version …

Well the next version is here! Fireware 11 has been released to the general public. I will be trying it out in the coming days and reporting back here, but a quick look in my IT crystal ball tells me that Watchguard will have indeed fixed all those little bugs which plagued my existence for so many months. Before Watchguard draws too much succor from my words I should also point out that my IT crystal ball tells me that I will soon be plagued with a ton of new bugs which won’t be fixed till version 12 comes out.


May 29 2009   8:56PM GMT

Microsoft to add new features to Windows 7 to make it more secure



Posted by: Jason Tramer
Windows 7, Security, overrun, buster, kernel

Check out this article

 http://www.theregister.co.uk/2009/05/28/…

I commend Microsoft’s decision to put out a client based OS which isn’t overflowing with security holes and exploits … and it only took them 30 years.

I don’t know why I continue to hope that Microsoft will one day release a product that you might want to use on their advertised release day rather than having to wait till the real release date (SP1). Like a battered spouse I keep going back. Sigh.


May 28 2009   5:45PM GMT

Security hole - BES PDF vulnerability



Posted by: Jason Tramer
BES, pdf, vulnerability, Security, hole

If you’re a BES admin, here is something you should be aware of.

 http://www.theregister.co.uk/2009/05/28/…


May 27 2009   4:13PM GMT

Cisco ASA - Remote access VPN users can’t connect to internal resources on the same network



Posted by: Jason Tramer
ASA, Cisco, 5510, Remote Access, VPN, can't connect to internal resources on the same network, NAT

So I was working with a Cisco ASA 5510. The inside network was 10.0.0.0/24. I had created a remote access VPN policy for users and set them up to receive addresses on the inside network (10.0.0.0/24).

While the users were able to connect fine to the VPN, they were not able to ping or access any resources on the internal network. The reason I found for this is that even though they are receiving addresses on the same network as the internal LAN, the ASA still considers them part of a separate network and will try to NAT the traffic using your dynamic NAT rule.

The way to resolve this is to create a NAT exemption rule from your inside network to your inside network. Sounds funny, but it works.

Hope this helps


Apr 30 2009   8:45PM GMT

Watchguard MUVPN not working due to Mcafee firewall



Posted by: Jason Tramer
WatchGuard, VPN, firewall, mcaffee

I hate personal firewall products but none so much as I hate McAfee. I was testing a MUVPN and the tunnel just wouldn’t establish. I turned that thing into Swiss cheese, it shouldn’t have been blocking anything, but the VPN tunnel STILL wouldn’t come up until I actually turned off the service. Gah it’s frustrating.