Connecting the world…

sync

CactiEZ – configuration basics

Every time I install CactiEZ or Cacti on another platform, I find myself searching for the commands to set up the most common parameters, like static IP addressing, NTP sync and time zones.

Several times I thought about writing a simple article with the necessary commands, and finally I had time to create it.

Networking

netconfig
service network restart

Time Sync

ntpdate -u ntp1.nl.net

Time Zone

yum install system-config-date
system-config-date

This will make my life so much easier.

Outlook 2010 and Google Calendar Sync

I replaced my Outlook 2007 with Outlook 2010. Since I am using Google Calendar, I would like to sync my calendar with Outlook. With Outlook 2007 you can use the Google Calendar Sync application. After installing Outlook 2010 the synchronization of the calendar didn’t function anymore. While synchronizing you will receive the following error message.

[Image: google_calendar_sync_error]

Outlook 2010 has been available for some time now, so I don’t understand why Google didn’t release a version of Google Calendar Sync that supports Outlook 2010. I searched the internet and found the following article on the Google Forum. The article describes how to replace the GoogleCalendarSync.exe with a modified executable. The modified executable can be found here.

Just close the GoogleCalendarSync application and create a backup of the current executable. Replace the current executable with the modified version and restart GoogleCalendarSync. Now you are able to synchronize your Google calendar with Outlook. As far as I have read the thread on the Google forum, this solution should work for 32-bit versions of Outlook 2010. The status for 64-bit versions is unknown.

PDA Active Sync – Invalid Certificate

The usage of Pocket PCs (PDAs) is becoming more and more a default feature for business. Over the last months I have installed quite a few Windows ISA 2006 servers for reverse proxy purposes. I normally installed them for webmail only, but lately I have added the Microsoft Active Sync feature.

The Pocket PCs connect to the organization via UMTS, GPRS, USB via a laptop, or anything else with an internet connection. Today I had the same job on the schedule: enable Active Sync for Pocket PCs.

I thought to myself: EASY JOB, but NOT. After configuring the ISA reverse proxy I used a Pocket PC emulator to test the Active Sync features. I received the following error message when synchronizing:

[Screenshot: Pocket PC Active Sync error message]

I found this a strange message, because clients use the same URL as the Pocket PC for accessing their webmail and they never receive an error message for an untrusted certificate.

The certificate in use is issued by Equifax Secure Global eBusiness CA-1. This is a common CA and one of the better ones.

I had to dig deeper into the problem. I tried to install the certificate on the Pocket PC, but no luck. I searched the internet and found a tool called Microsoft Exchange Server Disable Certificate Verification. You can find an executable here, which can be used when using the Pocket PC in conjunction with a PC through USB. I also found a similar tool to install on the Pocket PC, called AS_Cert_OFF.cab. The tool wasn’t the solution to the problem, so I had to dig deeper.

I was thinking way too complex; the problem was fixed by requesting a new certificate. The certificate in use didn’t support Pocket PC. Comparing the different SSL certificates on QuickSSL.com, I noticed I had to use a QuickSSL Premium certificate. This certificate supports popular mobile devices and smartphones.
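Added example, not part of the original post: a likely reading of "didn’t support Pocket PC" is that the device's root store lacked the root that issued the certificate, while desktop browsers had it. The sketch below reproduces that situation offline with openssl; the two CAs (root-a, root-b), the host name mail.example.test and both store files are constructed for the demo and are assumptions, not values from the post.

```shell
#!/bin/sh
# Constructed demo: all CAs, keys and names are generated here for illustration.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a throwaway self-signed root CA (NAME.key / NAME.crt).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/O=Constructed Demo/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_leaf CA HOST: issue a server certificate for HOST signed by CA.
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -days 2 \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/leaf.crt" 2>/dev/null
}

# trusted_by STORE: succeed only if the leaf chains to a root present in STORE.
trusted_by() {
    openssl verify -CAfile "$1" "$WORK/leaf.crt" 2>/dev/null | grep -q ': OK$'
}

# issuer_of: print the leaf's issuer, the name to look up in a device's root list.
issuer_of() {
    openssl x509 -in "$WORK/leaf.crt" -noout -issuer
}

make_ca root-a
make_ca root-b
issue_leaf root-a mail.example.test

# "Desktop" store trusts both roots; "device" store ships only root-b.
cat "$WORK/root-a.crt" "$WORK/root-b.crt" > "$WORK/desktop-store.pem"
cp "$WORK/root-b.crt" "$WORK/device-store.pem"

issuer_of
for store in desktop-store device-store; do
    if trusted_by "$WORK/$store.pem"; then
        echo "$store: certificate trusted"
    else
        echo "$store: certificate NOT trusted (issuing root missing from store)"
    fi
done
```

Run against a real server certificate, the same issuer lookup tells you which root has to be present on the device before you buy or reissue a certificate, which is a safer route than disabling certificate verification on the client.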

After generating a CSR, requesting the certificate and installing the certificate on the ISA server, the connection and synchronization work like a charm. At least for most PDAs. Some PDAs received the following error: 80072f7d. After searching some forums, I found the solution in adding a registry key. I added the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows CE Services]
"AllowLSP"=dword:00000000

After adding the key to the registry, all Pocket PCs synchronized perfectly.

Exchange 2007 with ISA 2006

Today I have been working on publishing Microsoft Exchange Outlook Web Access and Active Sync to the Internet. We had some discussions with some Microsoft consultants about a secure way to publish Outlook Web Access to the Internet, especially the authentication part of such a solution.

Some people are talking about publishing OWA directly to the Internet. In my opinion, this results in a major security threat, because you directly publish a TCP/80 and TCP/443 connection from the Exchange server to the Internet. A vulnerability or exploit in these services could end up with a hacker taking over the Exchange server.

A second solution is placing a front-end server in a DMZ segment, but making the server a domain member for authentication. In my opinion this is still a security leak, because somebody who hacks the DMZ server may have the ability to hack or corrupt the Active Directory.

The third solution, and the solution we advise, is using a Microsoft ISA 2006 server as a front-end server in the DMZ. We configure a RADIUS or LDAPS (if you would like the option to change the password) connection to a RADIUS server or a domain member on the internal LAN segment. This ensures a secure way of authenticating users, and even if somebody hacks the ISA server, he still hasn’t hacked a domain member server or exploited a vulnerability in TCP/80 or TCP/443 of the Exchange server.

I have had a lot of help from an article on isaserver.org by Thomas Shinder while configuring the solution. I had some problems with publishing Active Sync. I ended up enabling Basic Authentication on the Active Sync virtual directory (Microsoft-Server-ActiveSync).