Archive for January, 2010

Core information from Exchange Usergroup event

Monday, January 25th, 2010

Last Friday we met again at Microsoft to celebrate the Exchange Usergroup event with remarkable information and hints about Exchange 2010 transition, Office Communications Server and Unified Messaging from an expert at Microsoft Consulting Services.

I'd like to share this information with you here. If you are going to implement OCS, take your time and read this first.

Transition to Exchange 2010

Requirements for Live Meeting Client

Hardware and Software Requirements for Office Communicator 2007 R2

Quality of Experience: A Practical Approach to Deploying Real-Time Communications

Office Communications Server 2007 R2 – Network Requirements

Office Communications Server 2007 R2 – Capacity Planning

Office Communications Server 2007 – Microsoft Quality of Experience

Office Communications Server 2007 Quality of Experience (QoE) Monitoring Server Audio and Video Metrics Processing Guide

Monitor Server Reports – Overview

Known Issues with OCS 2007 R2

Live Meeting 2007


New Release of TMG Best Practices Analyzer Tool

Friday, January 22nd, 2010

Download TMGBPA here

The tool supports administrators in analyzing TMG and all the advanced features that came with it.

ISABPA is still supported for ISA Server, the predecessor of TMG.

The Forefront Threat Management Gateway (TMG) Best Practices Analyzer (BPA) Tool is designed for administrators who want to determine the overall health of their Forefront TMG computers and to diagnose current problems. The tool scans the configuration settings of the local Forefront TMG computer and reports issues that do not conform to the recommended best practices.

The Forefront TMG BPA is a diagnostic tool that automatically performs specific tests on configuration data collected on the local Forefront TMG computer from the Forefront TMG hierarchy of administration COM objects, Windows Management Instrumentation (WMI) classes, the system registry, files on disk, and the Domain Name System (DNS) settings.

The resulting report details critical configuration issues, potential problems, and information about the local computer. By following the recommendations of the tool, administrators can achieve greater performance, scalability, reliability, and uptime.

The Forefront TMG BPA is supplied with two supplemental tools:
The TMG Data Packager enables you to create a single .cab file containing Forefront TMG diagnostic information that can be easily sent to Microsoft Product Support Services for analysis.

BPA2Visio generates a Microsoft Office Visio® diagram of your network topology as seen from a Forefront TMG computer or any Windows computer based on output from Forefront TMG BPA. Note that Microsoft Office Visio 2003, 2007, or 2010 must be installed in order to run BPA2Visio.

Important!: This BPA Tool is designed to support Forefront TMG only. To download the BPA Tool for Internet Security and Acceleration (ISA) Server, see ISA BPA Tool.

Office Updates for Forefront TMG 2010

Sunday, January 17th, 2010

If you are wondering why Windows Update prompts you to apply Office updates on Forefront TMG 2010, remember that SQL Server Reporting Services uses the Office Web Components (OWC), which receive updates from time to time as well. So if you update your Forefront TMG 2010 environment via Windows Update or Windows Server Update Services (WSUS), make sure you apply such Office updates to your TMGs too.


Publishing Remote Desktop Service with Forefront TMG 2010

Thursday, January 14th, 2010

Once RDS is successfully deployed and running in your network, here is how to publish it via Forefront TMG 2010 to your external and mobile users.

Note: We assume you used SAN certificates during your RDS deployment that contain at least the internal and external FQDNs of your RDS environment, and a single-name certificate for your RD Session Host, since RDP connection security still does not support SAN certificates.

Now we are going to start with the Publishing Rule for your RD WebAccess and RD Gateway Server.

Import your SAN certificate, including its private key, into the local computer certificate store of your TMG.

Create a simple Web Listener for HTTPS with your imported certificate and select no client authentication.

Now use the Exchange Web Client Access Publishing Wizard and create a publishing rule just as you would (or already have) for OWA publishing, but choose the HTTPS web listener you created before when asked for it. On the Authentication Delegation step select ‘No delegation, but client may authenticate directly’, leave ‘All Users’ on the next wizard page and finish.

Note: If you have separated your RDS environment so that RD Gateway and RD WebAccess run on different servers, you need to create two such publishing rules, one for RDG and one for RD WebAccess. If you use split DNS you can go with one rule if you enable forwarding the original host header in the rule.

After you have created what you need, open each of these publishing rules and check the ‘Public Name’ and ‘Path’ tabs. Make sure you have only /rdweb/* in the RD WebAccess publishing rule and only /rpc/* in the RD Gateway publishing rule, or both paths in one rule if everything runs on one server. Keep the path list this tight: everything else on those web servers then stays unreachable from the Internet.

So now from the TMG side we are done. Easy, isn’t it? 🙂
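To confirm the publishing rules expose only the two RDS paths, here is an added example (not from the original post) that probes the external name from an outside client and reports which paths TMG lets through. The external FQDN rds.example.com, the RD Gateway endpoint /rpc/rpcproxy.dll and the "should be denied" paths are placeholders and assumptions; adjust them to your environment.

```powershell
# Added example, not part of the original post: probe the published RDS name through TMG
# and check that only the RD Web Access and RD Gateway paths answer.
# Assumptions (placeholders): external FQDN rds.example.com, RD Web Access under /rdweb/,
# RD Gateway (RPC over HTTPS) under /rpc/. Run from an external client, PowerShell 2.0 or later.

param([string]$ExternalFqdn = "rds.example.com")

# Paths the publishing rules must allow, and paths TMG must still deny.
$expected = @(
    @{ Path = "/rdweb/";           Publish = $true  },
    @{ Path = "/rpc/rpcproxy.dll"; Publish = $true  },
    @{ Path = "/";                 Publish = $false },
    @{ Path = "/certsrv/";         Publish = $false },
    @{ Path = "/owa/";             Publish = $false }
)

function Test-PublishedPath {
    param([string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = "GET"
    $req.AllowAutoRedirect = $false   # a 302 to /RDWeb/Pages/ already proves the rule matched
    $req.Timeout = 10000
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        # 401/403/404 arrive as exceptions; take the status code from the attached response.
        # No response at all (code 0) means DNS, TCP or TLS failed, e.g. the root CA of
        # your own PKI is not trusted on this client yet.
        if ($_.Exception.Response) { $code = [int]$_.Exception.Response.StatusCode }
        else { $code = 0 }
    }
    return $code
}

foreach ($entry in $expected) {
    $url  = "https://$ExternalFqdn$($entry.Path)"
    $code = Test-PublishedPath -Url $url
    # A published path answers with the backend's own response (200, 302, or a 401 challenge
    # because the client may authenticate directly). A denied path should get TMG's 403
    # (error 12202) or a 404, never a backend answer.
    if ($entry.Publish) { $ok = @(200, 302, 401) -contains $code }
    else                { $ok = @(403, 404)      -contains $code }
    if ($ok) { $state = "OK  " } else { $state = "FAIL" }
    "{0} {1,-45} HTTP {2}" -f $state, $url, $code
}
```

A FAIL on a "Publish = $false" line means the rule's path list is wider than /rdweb/* and /rpc/*; a code of 0 on every line usually means the client does not trust the certificate chain, which is exactly the CA publishing problem discussed below.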

Now make sure your RD environment is configured properly for Internet publishing. Check the documentation on TechNet, where you will find everything that needs to be prepared. Look very carefully at the RD WebAccess and RD Session Host RDP connection configuration regarding the certificates, and don’t forget to add your RD Gateway settings with RemoteApp Manager on your RD Session Host.

Now you are done and your published apps are available to external users. Keep in mind that if you used your own CA, the clients must have the root CA certificate installed to trust the certificates issued for your RDS environment. And of course your clients need the latest RDP protocol version, i.e. RDP client 6.1 or higher.

If you use Windows 7 or Windows Server 2008 as a client and you used your own CA, you also have to publish that CA’s CRL. These newer operating systems are stricter: they check the CRL (Certificate Revocation List) to confirm the certificate is still valid, and fail the connection when the CRL cannot be retrieved. Older operating systems do not do this.

Before you can publish your CA via TMG you need to add the path through which clients reach the CertEnroll virtual directory of your CA. Open the CA MMC and open the properties of the CA. On the Extensions tab, confirm that ‘Select extension’ is set to CRL Distribution Point (CDP) and add the HTTP URL of your CA (use plain HTTP, not HTTPS, so that fetching the CRL does not itself require a revocation check). Make sure the /CertEnroll virtual directory of your root CA accepts anonymous read access. Note that the CDP URL is written into certificates when they are issued, so certificates issued before you added the URL still point to the old location and must be re-issued.

If you still have problems with the certificate even though you published your CA’s CRL, the following registry value on your Windows Vista or Windows 7 client works around the issue:

Add the DWORD value UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors

under the key HKLM\System\CurrentControlSet\Control\LSA\CredSSP

with the value 1.

Be aware that the value does exactly what its name says: CredSSP then relies on a cached CRL only and ignores ‘revocation status unknown’ errors, so a revocation that the cached CRL does not yet contain goes unnoticed. Treat it as a temporary workaround while you fix CRL access, not as the fix.
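The CA-side CDP change and the client-side workaround, as an added example that is not part of the original post. Part 1 runs on the CA and does with certutil what the MMC steps above do by hand, then checks that the CRL is downloadable through TMG; Part 2 wraps the client registry value so it is applied (and later removed) deliberately. The CDP host pki.example.com, the assumption that TMG publishes http://pki.example.com/CertEnroll/* anonymously, and the file names are placeholders.

```powershell
# Added example, not part of the original post. Part 1 runs elevated on the CA; Part 2 is
# the client-side workaround from the post, wrapped in a function. PowerShell 2.0 or later.
# Placeholders/assumptions: CDP host pki.example.com, published anonymously by TMG as
# http://pki.example.com/CertEnroll/*.

$cdpHost = "pki.example.com"

# ---- Part 1: CA side --------------------------------------------------------------------
# CRLPublicationURLs is a REG_MULTI_SZ of "<flags>:<url>". Flags used here:
#   1  = the CA writes the CRL to this location
#   2  = this URL goes into the CDP extension of every certificate issued from now on
#   4  = this URL also goes into the Freshest CRL extension (only matters with delta CRLs)
#   64 = the CA writes delta CRLs to this location as well
# %3 = CA name, %8 = CRL name suffix, %9 = delta CRL suffix; the CA expands them itself.
$localCrl = "65:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl"
$httpCdp  = "6:http://$cdpHost/CertEnroll/%3%8%9.crl"

# -setreg replaces the whole list. On an enterprise (AD-integrated) CA, first run
# "certutil -getreg CA\CRLPublicationURLs" and keep its LDAP entry in the new list.
# certutil separates multi-string entries with a literal "\n"; PowerShell leaves "\n"
# untouched inside double quotes, so it is passed through exactly as certutil expects.
certutil -setreg CA\CRLPublicationURLs "$localCrl\n$httpCdp"
Restart-Service certsvc          # registry changes take effect on service restart
certutil -crl                    # publish a fresh CRL to every location flagged with 1

# Verify from the outside: the CRL must be fetchable anonymously over plain HTTP.
function Test-CrlDownload {
    param([string]$Url)
    $tmp = Join-Path $env:TEMP "cdp-check.crl"
    (New-Object System.Net.WebClient).DownloadFile($Url, $tmp)
    # certutil -dump parses the CRL; the ThisUpdate/NextUpdate lines show it is current.
    certutil -dump $tmp | Select-String -Pattern "Update"
}
# Take the base CRL file name from the CA's own CertEnroll folder (delta CRLs end in "+.crl").
$baseCrl = Get-ChildItem "$env:windir\system32\CertSrv\CertEnroll\*.crl" |
    Where-Object { $_.Name -notlike "*+.crl" } | Select-Object -First 1
Test-CrlDownload -Url "http://$cdpHost/CertEnroll/$($baseCrl.Name)"
# On a client, "certutil -verify -urlfetch <exported RD Gateway cert>.cer" shows the result
# of every CDP fetch the chain needs, which is the quickest way to see what Windows 7 sees.

# ---- Part 2: client side (last resort only) ----------------------------------------------
# Certificates issued BEFORE the CDP change still carry the old CDP and must be re-issued;
# the value below only makes CredSSP use a cached CRL and ignore "revocation unknown"
# errors, which removes the protection revocation checking gives. Apply it while the real
# CDP problem is being fixed, and remove it afterwards.
function Set-CredSspCrlWorkaround {
    param([switch]$Remove)
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\CredSSP"
    $name = "UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"
    if ($Remove) {
        Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    } else {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }
}
# Set-CredSspCrlWorkaround            # enable on the affected Vista/Windows 7 client
# Set-CredSspCrlWorkaround -Remove    # undo once the CRL is reachable again
```

Run Part 1 on the CA and Part 2 on the client; they are in one block only because they belong to the same problem. If Test-CrlDownload throws, the /CertEnroll publishing rule or its anonymous access is the thing to fix, not the client.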

The following articles on ISA Server should apply to TMG as well:

Publishing Remote Desktop Web Connection Sites with the ISA Firewall Part 1 – Remote Desktop Web Services Concepts

Publishing Remote Desktop Web Connection Sites with the ISA Firewall Part 2: Creating the Web and Server Publishing Rules

Publishing Remote Desktop Web Connection Sites with the ISA Firewall Part 3: Testing and Troubleshooting

Send with different sender addresses from Exchange

Tuesday, January 12th, 2010

How to send with different sender addresses from Exchange: you could create several mailboxes, but under Microsoft Online Services (BPOS), for example, each one costs an extra license.

Instead, create a distribution list that carries the second address and make the user (mailbox) of the other address a member. Then grant that user Send As permission on the distribution list, so the user can send as the list’s address.
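The same setup in the Exchange Management Shell, as an added example that is not part of the original post. It assumes on-premises Exchange 2010; the group name, alias, address and user alias are placeholders. Under BPOS the admin tooling is different, so this shows the on-premises form of the idea.

```powershell
# Added example, not part of the original post: give one mailbox a second sender address
# by letting a distribution group own that address and granting the mailbox Send As on it.
# Exchange Management Shell, on-premises Exchange 2010; all names are placeholders.

$groupName   = "Sales Inquiries"
$groupAlias  = "sales"
$groupSmtp   = "sales@example.com"
$mailboxUser = "jdoe"              # alias of the mailbox that should send as sales@

# 1. The distribution group carries the address. Turning the address policy off for the
#    group keeps the policy from overwriting the primary SMTP address we set.
New-DistributionGroup -Name $groupName -Alias $groupAlias | Out-Null
Set-DistributionGroup -Identity $groupName -EmailAddressPolicyEnabled $false `
    -PrimarySmtpAddress $groupSmtp

# 2. The user is the only member, so replies to sales@ are delivered to that mailbox.
Add-DistributionGroupMember -Identity $groupName -Member $mailboxUser

# 3. Send As is an Active Directory extended right on the group object. Unlike
#    Send On Behalf, the recipient sees only sales@example.com, not "jdoe on behalf of".
Add-ADPermission -Identity $groupName -User $mailboxUser -ExtendedRights "Send-As" | Out-Null

# 4. Verify the grant. The store caches AD permissions, so a fresh grant can take a while
#    before Outlook stops rejecting the From address.
function Get-SendAsGrants {
    param([string]$Group)
    Get-ADPermission -Identity $Group |
        Where-Object { -not $_.IsInherited -and "$($_.ExtendedRights)" -like "*Send-As*" } |
        Select-Object User, ExtendedRights, Deny
}
Get-SendAsGrants -Group $groupName | Format-Table -AutoSize
```

In Outlook the user then selects sales@example.com in the From field; if the address is typed instead of picked from the address book, Exchange still resolves it against the group, so the Send As right is what makes the message go out.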


Publishing Remote Desktop Gateway on ISA using a script

Monday, January 11th, 2010

Microsoft has provided a script to publish an RD Gateway on ISA.


RemoteApp for Hyper-V to run legacy Apps for WinXP

Monday, January 11th, 2010

In their blog, the Microsoft Remote Desktop Services Team talked about a little known feature in Windows Server 2008 R2 that could be described as RemoteApp for Hyper-V. Like Microsoft RemoteApp, it allows users to access a specific hosted application remotely, as opposed to the entire desktop. With RemoteApp, the application runs in the context of a server session; however, RemoteApp for Hyper-V enables remote access to an application running in a Hyper-V VM.

With the advent of Windows 7, some enterprise customers were facing application compatibility issues with line-of-business applications that were specifically written for Windows XP and would not work on Windows 7.

Read the whole article here.

DirectAccess Management with Forefront UAG

Sunday, January 10th, 2010

Windows 7 Anywhere is the ultimate way of deploying notebooks and similar devices. The Forefront UAG team has published an example of how easy the management of access-enabling servers is with UAG.

Read this