ESX 4.x dvSwitch with Private VLANs to Cisco

July 4, 2011

With the new dvSwitch capabilities in ESX 4.x, one feature that has been introduced is Private VLANs. Private VLANs give you the ability to isolate network devices/nodes that are within the same Layer 2 domain.

Check out http://kb.vmware.com/kb/1010691 for VMware’s description of Private VLANs.

Cisco also has an article for configuring Private VLANs on Catalyst switches.

Essentially, you create the Private VLANs on the Cisco switch and trunk them to the ESX server.

On the ESX server you can create a dvSwitch with the private VLAN assignments as required.

As shown above, I have created a single primary VLAN with ID 3 and associated the secondary VLAN ID 300 with it.

PVLAN 300 is an isolated VLAN. This means that guests inside PVLAN 300 will not be able to communicate with each other; they will only be able to communicate with guests in the promiscuous VLAN.

Once this is done, you will need to create a new port group with its VLAN type set to Private VLAN and, in the drop-down list, select the appropriate PVLAN.

You can see two port groups have been created. Servers in the DMZ-WebServers port group will only be able to communicate with servers in the DMZ port group.

As for the Cisco configuration, it is relatively simple.

Creation of the PVLANs can be found in the Cisco documentation as linked earlier in this post.

To integrate with VMware, the switch ports connected to the ESX host must be configured as trunks that allow all the appropriate VLANs, including the PVLANs you have created.

You will find that VMware virtual machines will not be able to communicate with other machines in the PVLAN, only with hosts in the promiscuous VLAN. Also note that the PVLAN settings are still honoured when traffic enters the Cisco switch. This means you can have a combination of ESX PVLAN isolated/community hosts as well as physical PVLAN hosts and still have isolation between all machines.
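
The switch side of the setup described in this post, as an added example (not the post's own configuration): a Catalyst IOS configuration that creates the post's primary VLAN 3 with isolated secondary VLAN 300, trunks both to the ESX host, places one physical server into the isolated VLAN, and maps the default gateway's port as promiscuous. Interface numbers, descriptions and the VTP mode are assumptions; the VLAN IDs are the ones used in the post.

```cisco
! Added example, not the post's own config. VLAN IDs 3 (primary) and
! 300 (isolated) come from the post; interface numbers and descriptions
! are assumed.
!
! Private VLANs can only be defined with VTP in transparent mode (or VTP v3).
vtp mode transparent
!
! Define the secondary VLAN first, then the primary that owns it.
vlan 300
 name DMZ-WebServers
 private-vlan isolated
!
vlan 3
 name DMZ
 private-vlan primary
 private-vlan association 300
!
! Trunk to the ESX host. The dvSwitch tags frames with the secondary VLAN,
! so the trunk must carry both 3 and 300 (and ideally nothing else).
! The encapsulation line is needed on platforms that also support ISL
! (3560/3750 class); omit it on switches that only do 802.1Q.
interface GigabitEthernet1/0/1
 description ESX host uplink (dvSwitch)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 3,300
!
! A physical server in the same isolated VLAN: it can reach only
! promiscuous ports, exactly like the ESX guests in the DMZ-WebServers port group.
interface GigabitEthernet1/0/2
 description physical DMZ web server (isolated)
 switchport mode private-vlan host
 switchport private-vlan host-association 3 300
!
! Promiscuous port for the firewall / default gateway: maps primary 3 to
! secondary 300 so that isolated hosts can reach the gateway and nothing else.
interface GigabitEthernet1/0/24
 description DMZ firewall / default gateway (promiscuous)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 3 300
```

Verify with show vlan private-vlan (the primary/secondary pairing and the ports in each) and show interfaces GigabitEthernet1/0/1 trunk (that both 3 and 300 are allowed and active on the ESX uplink). The usual mistake is allowing only the primary VLAN on the trunk: the isolated guests' traffic leaves the dvSwitch tagged 300, so the secondary VLAN must be on the trunk as well.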

Policy route Management traffic

December 31, 2010

The other day I ran into the issue of a firewall being in the way of management traffic for a switch. In this particular network design, there was a secondary path that bypassed the firewall. This secondary link is used by a route-map on ingress to route traffic requiring ultra low latency and jitter.

As a result, I ended up pushing management traffic for the switch on the other side of the firewall through this secondary link as well. Since that management traffic is sourced from the switch itself, it never arrives on an ingress interface, so a normal policy route-map applied to an interface would not match it. Hence, the following solution was found.

interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
! Match traffic to and from the management address on the loopback
ip access-list extended MANAGEMENT_TRAFFIC
 permit ip any host 1.1.1.1
 permit ip host 1.1.1.1 any
!
! Send matching traffic to the far end of the secondary link
route-map MANAGEMENT_POLICY permit 10
 match ip address MANAGEMENT_TRAFFIC
 set ip next-hop 2.2.2.2
!
! Apply the route-map to locally generated traffic. Packets sourced by the
! switch itself never enter an interface, so "ip policy route-map" on an
! interface does not see them; "ip local policy" does.
ip local policy route-map MANAGEMENT_POLICY

Exchange Stub Mailboxes

July 11, 2010

During an Exchange 2003 to Exchange 2010 migration I came across a situation whereby the mailbox move left a stub mailbox behind in the Exchange 2003 mailbox store: a mailbox with 0 items and a very small size (a few bytes).

Running the “Get-MoveRequestStatistics” command reported a “CompletedWithWarning” status. The event logs showed that the move completed successfully but was unable to delete the mailbox on the source server. This is how I ended up with a stub mailbox.

I then tried to delete the mailbox on the Exchange 2003 store. This was a VERY BIG MISTAKE. It proceeded to delete the Exchange details for the user in AD, which meant that the Exchange 2010 server deleted the mailbox as well. I was, however, able to get it back by reconnecting the mailbox using the CLI command ‘Connect-Mailbox’ on the Exchange 2010 server. Note that the deleted mailbox never came up in the “Disconnected Mailbox” section of the GUI.

This still left me with a stub mailbox on the Exchange 2010 server, albeit with a red ‘X’ on the mailbox. Attempting to purge the mailbox gave a “… have been reconnected with an existing user…” error message.

The solution to getting rid of the stub mailbox ended up being to set the retention period for deleted mailboxes to 0 days, that is, mailbox store -> Properties -> Limits -> Keep deleted mailboxes for 0 days.

Then running the “Cleanup Agent” allowed the system to delete the stub mailbox.

Cannot save attachment error in Outlook XP/2003/2007

June 30, 2010

The other day I came across an error with Outlook complaining that it couldn’t open an attachment.

It appears that when opening or saving an Outlook attachment, Outlook first saves the file to its secure temporary folder. The issue with this is that if you open many attachments with the same filename, you may run into a situation where Outlook runs out of alternative filenames.

When Outlook saves the attachment to the temp location it uses the attachment's filename. If the filename already exists, it appends (#), where # is an incrementing number starting at 1. It appears that when Outlook reaches “filename (99)” it is not programmed to allow three-digit numbers and hence fails to save the file.

The solution is to clear the temporary folder. You can work out where this folder is by looking at the registry value “HKEY_CURRENT_USER\Software\Microsoft\Office\###\Outlook\Security\OutlookSecureTempFolder”, where ### is the Microsoft Office version (11.0 for Outlook 2003).

BES and SBS2003 MSDE SQL

February 23, 2010

If you're going to run BES on SBS 2003 then you will need to check which version of MSDE SBS is using.

You can do this by looking in c:\program files\Microsoft SQL Server\<instance>

If you're using MSDE 2000, then use the following steps:

  1. Manually install an MSDE instance for the BlackBerry Enterprise Server by completing the following steps:
    1. Go to the Microsoft Support Center and download MSDE 2000 Release A. Make sure to read the MSDE2000RelA release notes.
    2. Double-click the downloaded file to extract the MSDE Release A installation files.
    3. Locate the directory to which the files were extracted. The default directory is C:\MSDERelA.
    4. Open a command prompt window and change directory to the folder identified in step 3.
    5. Type setup sapwd=<password> instancename=BlackBerry, where <password> is the strong password you want to specify for the sa account.
  2. Run the BlackBerry Enterprise Server software installation program.
  3. When prompted, restart the BlackBerry Enterprise Server.
  4. When prompted to specify BlackBerry Configuration Database information, type the configuration settings listed below.
     BlackBerry Configuration Database details -> Configuration setting:
       Database location:        Local
       Database information:     <server_name>\BlackBerry
                                 (where <server_name> represents the NetBIOS name of the computer on which the MSDE instance was installed)
       Database name:            BESMgmt
       Data Directory:           C:\Program Files\Microsoft SQL Server\MSSQL$BlackBerry\Data
       Backup Directory:         C:\Program Files\Microsoft SQL Server\MSSQL$BlackBerry\Backup
       Database authentication:  Windows (Trusted)
  5. Continue the installation and start the BlackBerry Enterprise Server services when prompted.

If you're using MSDE 2005:

1) Download the software to C:\Downloads
2) Open a command prompt and go to C:\Downloads
3) Run this command: C:\Downloads\SQLEXPR32.exe -X
4) A prompt will open asking you where to extract the program (C:\MSDE2005)
5) From the SAME command prompt browse to C:\MSDE2005
6) Run this command: setup INSTANCENAME="blackberry" SAPWD="password" (this is a copy/paste from a BlackBerry support e-mail from 2005)
7) *VERY IMPORTANT* When the installer for MSDE 2005 opens, UNCHECK "Hide Advanced Options". Continue clicking Next through the install until it asks about Authentication. Select MIXED MODE and enter "password" as the password.
8) When the install shows SERVERNAME, append \blackberry to make it SERVERNAME\blackberry

BES on SBS 2003

February 23, 2010

It seems more and more people insist on putting Blackberry Enterprise Server or Blackberry Professional on the same server as SBS 2003. This really isn’t the best way to install BES, but it is doable.

Here is a brief summary of the steps you need to take.

(Thanks go to GaryCutri – source: http://www.blackberryforums.com.au/forums/microsoft-exchange/281-bes-sbs-2003-a.html).

  1. Ensure that port 3101 TCP is open on the firewall (outbound ONLY).
  2. Create a new user called BESadmin and ensure you create a mailbox. Ensure this user is ONLY a member of “Domain Users”.
  3. Make BESadmin a local Administrator of the server. This is done in AD via the “Built-in” Administrators group.
  4. Go to Admin Tools and open “Domain Controller Security Policy”, then expand “Local Policies” and “User Rights Assignment”. You need to add BESadmin to “Log on locally” and “Log on as a service”.
  5. Open Exchange System Manager, right-click on “DOMAINNAME (Exchange)” and select Delegate Control. Follow the steps and add BESadmin as an Exchange View Only Administrator.
  6. In Exchange System Manager expand the Servers folder, right-click on your server and select Properties. On the Properties window select BESadmin and add the permissions “Administer Information Store, Receive As, Send As”.
  7. Open Active Directory Users and Computers and from the View menu select “Advanced Features”. Then go to each user that will be added to the BES and open their properties, go to the Security tab, add the user BESadmin and grant the security permission “Send As”. (This will overcome some MS patches that prevent BES sending emails.)
  8. Log on as BESadmin and install the BES software; normally you just install “BlackBerry Enterprise Server” as most sites don’t use the MDS services (MDS is a much heavier install). Follow the prompts of the install; the server will be required to restart half way through the install. Restart the server, log back on as BESadmin and the install will continue. (Make sure the Connect Test works and the SRP ID etc. is validated during the install.)
  9. After the install is finished open BlackBerry Manager; an error will appear about the MAPI client, which you can just hit OK on. The MAPI settings window will appear, so just add the server name back in and select “Check Name”; if it resolves just hit OK and the manager will start.
  10. Within BlackBerry Manager click on BlackBerry Domain in the left column and then the SERVERS tab in the centre section, select your server within this tab and view the properties below. Ensure that “SRP Status:” is Connected (this can take a few minutes the first time, so refresh the screen a few times). Once your status is Connected you can start adding users.
  11. Within BlackBerry Manager click on your server name in the left column and then the Users tab in the centre section, add a user and then click on that user. You will see all the user’s properties and a drop-down menu called “Service Access”; select “Set Activation Password” and set a password of “a”, for example.
  12. Turn on your BlackBerry device and ensure Wireless is enabled. Go into “Options/Settings” and “Time & Date” and set the correct zone and time etc. Then from the home screen go to Enterprise Activation and enter the user’s email address and the password that was set in step 11. Press the track wheel and select Activate. Within a minute you should get data returned, which indicates the process is functioning correctly.

Extra notes:

  • Sites running SBS 2003 Premium will need to change the BES “Web Server Listen Port” from 8080 to another available port (e.g. 8090 or 9090) as soon as it is installed. This port needs to be changed because the BES Web Server will be listening on the same port as ISA. To change this setting open BlackBerry Manager, select MDS and then “Edit Properties” and change the “Web Server Listen Port” to the desired port number.
  • Also ensure you review the IT Policy in BlackBerry Manager. This can be found in BlackBerry Domain > Global tab > Edit Properties. It is recommended that in the IT Policy you go into “Device Only Items” and set “Enable WAP config” to FALSE; this will force users to use the free browser (it uses the internet connection of your BES server). It is also highly recommended that you configure a password policy prior to rolling out any handhelds.
  • If you are unable to activate devices wirelessly you can test your connectivity to BlackBerry by running the following app from the command prompt: C:\Program Files\Research In Motion\BlackBerry Enterprise Server\Utility\BBSrpTest.exe. This will send a signal to BB and wait for a response; if this fails check your firewall settings (open and/or direct port 3101 TCP to your BES server).
  • If you have Domain Admins using BlackBerry devices you may have to run the following command if you are unable to send email from those users' devices: dsacls "cn=adminsdholder,cn=system,dc=domainname,dc=com" /G "DOMAINNAME\BESadmin:CA;Send As"
PFDAVAdmin error

February 3, 2010

You may run across this error when using PFDAVAdmin on servers, especially Exchange 07 servers.

Could not expand https://FQDNServer/ExAdmin/Admin/HOME.LOCAL/public%20folders/: Name cannot begin with the '0' character, hexadecimal value 0x30. Line 1, position 409.

It appears that this error is due to a .NET version problem. The tool requires the .NET 1.1 framework which on Exchange 07 servers probably wouldn’t be installed since Exchange 07 uses .NET 2.0.

It is also advised that you DO NOT install .NET 1.1 on a working Exchange 07 server since the .NET 1.1 installation will reset crucial config settings and break Exchange.

If you however install .NET 1.1 before installing Exchange, then you should be fine. Hence, it's best to run the tool on a workstation that has .NET 1.1 installed.

Undeleting Exchange Emails

January 11, 2010

If a user deleted a folder or item from a public folder or mailbox, and also deleted it from their Deleted Items folder, then not all is lost.

The MS tool PFDAVAdmin, available at http://www.microsoft.com/downloads/details.aspx?FamilyId=635BE792-D8AD-49E3-ADA4-E2422C0AB424&displaylang=en, allows you to recover any email that has been deleted.

Domain Controller Replication Fails with Access Denied

December 4, 2009

Working on a multi-site AD setup, a DC had been shut down for a few months. When the server came back up, it appeared the computer account credentials had expired.

Normally a netdom resetpwd /server:Replication_Partner_Server_Name /userd:domainname\administrator_id /passwordd:* would fix the issue; however, in this case it didn’t.

Because the DC was reporting an access denied error, running DCpromo to demote (unpromote) the DC didn’t work either. It failed with an Access Denied error as well.

The solution turned out to be disabling the KDC (net stop kdc); running DCpromo to demote the broken DC would then work. After a reboot, DCpromo could be run again to make it a DC again.

ASA VPN Server config template

November 20, 2009

I keep forgetting the config required for setting up an ASA VPN server, so here it is for reference:

This is an ASA config with Radius authentication.

aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host <HOST>
key <KEY>

access-list VPN_splitTunnelAcl standard permit <NETWORK> <SUBNET>
ip local pool VPN-IP-POOL <FROM_IP>-<TO_IP> mask 255.255.255.0

access-list nonat extended permit ip any <NETWORK> <SUBNET>
nat (inside) 0 access-list nonat

group-policy <GROUP> internal
group-policy <GROUP> attributes
dns-server value <DNS_IP>
vpn-tunnel-protocol IPSec webvpn
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_splitTunnelAcl
default-domain value <DNS_SUFFIX>
webvpn
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
isakmp nat-traversal 20

tunnel-group <TUNNEL> type ipsec-ra
tunnel-group <TUNNEL> ipsec-attributes
pre-shared-key <PRESHAREKEY>
isakmp keepalive threshold 10 retry 2
tunnel-group <TUNNEL> general-attributes
address-pool VPN-IP-POOL
authentication-server-group RADIUS
default-group-policy <GROUP>
