Block the Win 10 style Data Gathering from Windows 7/8/Server2008

Microsoft Windows 10 has some fairly intrusive data gathering built into the operating system. It collects anonymous and not-so-anonymous data from users of the operating system. Today MS released 4 optional updates that bring the Win 10 style telemetry and data gathering to previous versions of Windows.

The 4 updates are:


MS fanboys will claim there’s nothing personal that MS takes… but I say, do you really trust them?
People will claim iOS and Android already do this… but I say, why give them anything about yourself at all if you can avoid it?
Many say we already post about ourselves online in social media… For those of us who don’t, I say: don’t apply these updates.

To block them, simply hide the updates in Windows Update.
Go to Control Panel -> Windows Update, or START -> Search -> Windows Update

Select Optional Updates
Block win 7 Data gathering 1

Right-click each of the 4 updates and select ‘Hide update’
Block win 7 Data gathering 2

Hit OK and that’s it. Gone until MS tries to sneak it in again down the road.

Another option is to use this open-source program to disable the tracking:

Lastly, if you already installed the KBs, you can uninstall them from “Programs and Features” in Control Panel (View installed updates).

StrongSwan Ipsec VPN for Remote Users with Certificate Based Authentication

This is a working strongSwan IPsec config for a road-warrior setup: remote users authenticate with certificates instead of an ID/password.

This is pure IPsec with ESP, not L2TP.
This is not two-factor; it is certificate-only.

To get started:

sudo apt-get install strongswan

You need a CA that can put subjectAltNames in a cert. OpenSSL does this easily. I used this guide to set up the basic OpenSSL CA.

Once the CA is ready and you have generated the CA cert and CA private key, create a cert for the IPsec host and a cert for each end user.

For the Server:
Since I need the Alt Names in the certs, make a copy of /etc/ssl/openssl.cnf to be used for the server and edit it as below. copy_extensions goes in the [ CA_default ] section; for the [ v3_req ] extensions to end up in the request at all, req_extensions = v3_req must be uncommented in the [ req ] section (it is commented out in the stock Ubuntu file).

cp /etc/ssl/openssl.cnf /etc/ssl/openssl-for-server.cnf

# Extension copying option: use with caution.
copy_extensions = copy

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 =
DNS.2 =

Now, using OpenSSL, create the request for the server, fill in the details as prompted, then sign the request. Both commands use the server copy of the config, so the request carries the DNS Alt Names and the CA copies them into the issued cert.

openssl req -new -nodes -out ipsechost-req.pem -keyout private/ipsechost-key.pem -config /etc/ssl/openssl-for-server.cnf
openssl ca -config /etc/ssl/openssl-for-server.cnf -out ipsechost-cert.pem -in ipsechost-req.pem

Copy the certs to the correct locations for strongswan to use.

cp cacert.pem /etc/ipsec.d/cacerts
cp ipsechost-cert.pem /etc/ipsec.d/certs
cp private/ipsechost-key.pem /etc/ipsec.d/private/

strongSwan is configured using the /etc/ipsec.conf and /etc/ipsec.secrets files.
This is a very simple config that will work for providing access to remote users:
Edit /etc/ipsec.conf

# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup

conn %default
        keyexchange=ikev2              # added; the original listing left this block empty (the status output below shows an IKEv2 SA)

conn common
        left=IP_OF_IPSEC_HOST          # IP of the host
        leftcert=ipsechost-cert.pem    # the cert we just created and copied
        leftid=FQDN_OF_IPSEC_HOST      # the Alt Name (DNS.1) in the cert we just created
        leftsubnet=INTERNAL_SUBNET     # the internal subnet (CIDR) the remote user wants to access
        right=%any                     # connections can come from anywhere
        rightsourceip=VPN_POOL         # pool of IPs (CIDR) to assign to these inbound connections
        rightauth=pubkey               # added; clients must present a certificate, no PSK or EAP

conn ikev2
        also=common                    # added; pull in the shared settings above
        auto=add                       # added; load the conn and wait for clients to connect

Edit the /etc/ipsec.secrets file

: RSA ipsechost-key.pem

Restart/Reload IPsec.

ipsec restart

I like to watch logs just to be sure there are no errors:

tail -f /var/log/syslog /var/log/auth.log

Next we create a client cert. We need another copy of the OpenSSL config file for user requests, since the Alt Name changes from DNS to email.

cp /etc/ssl/openssl-for-server.cnf /etc/ssl/openssl-for-users.cnf

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = email:copy
#[alt_names]
#DNS.1 =
#DNS.2 =

Create the request, filling in the details for the user (especially the email address), then sign it. email:copy takes the emailAddress from the request’s subject and puts it in the cert’s Alt Name; that address is also what the user’s side of the tunnel uses as its identity. Use the users copy of the config for the request as well, so the Alt Name extension is actually in the CSR for the CA to copy.

openssl req -new -nodes -out user1-req.pem -keyout private/user1-key.pem -config /etc/ssl/openssl-for-users.cnf
openssl ca -config /etc/ssl/openssl-for-users.cnf -out user1-cert.pem -in user1-req.pem
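
As an added example (not the post’s own commands), here is the whole PKI step above, CA, gateway cert with a DNS Alt Name and user cert with an email Alt Name, done with openssl req/x509 against a throwaway CA, followed by the two checks worth running before copying anything into /etc/ipsec.d: the SAN that strongSwan will match against leftid/rightid, and that each cert actually chains to the CA. The host name and email address are placeholders, and the extension files replace the edited openssl.cnf copies so nothing depends on req_extensions being enabled.

```shell
#!/usr/bin/env bash
# Added example: throwaway CA, IPsec gateway cert (DNS SAN) and road-warrior
# user cert (email SAN), plus the checks strongSwan's trust decision depends on.
set -eu

# make_pki DIR HOST EMAIL: writes cacert.pem, ipsechost-cert.pem, user1-cert.pem
# and their keys under DIR. HOST/EMAIL are whatever you will use as leftid/rightid.
make_pki() {
  dir="$1"; host="$2"; email="$3"
  mkdir -p "$dir/private"

  # Self-signed CA. Only cacert.pem goes to /etc/ipsec.d/cacerts; the key stays offline.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -subj "/O=lab/CN=lab-ipsec-ca" \
    -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null

  # Extension files: same content as the two v3_req sections, SAN written explicitly.
  cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  cat > "$dir/user.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName = email:$email
EOF

  # Gateway: CSR, then sign with the DNS SAN (leftid on the server, rightid on clients).
  openssl req -new -nodes -newkey rsa:2048 -sha256 -subj "/O=lab/CN=$host" \
    -keyout "$dir/private/ipsechost-key.pem" -out "$dir/ipsechost-req.pem" 2>/dev/null
  openssl x509 -req -days 730 -sha256 -in "$dir/ipsechost-req.pem" \
    -CA "$dir/cacert.pem" -CAkey "$dir/private/cakey.pem" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/ipsechost-cert.pem" 2>/dev/null

  # User: CSR with the email in the DN, then sign with the email SAN (leftid on the client).
  openssl req -new -nodes -newkey rsa:2048 -sha256 \
    -subj "/O=lab/CN=user1/emailAddress=$email" \
    -keyout "$dir/private/user1-key.pem" -out "$dir/user1-req.pem" 2>/dev/null
  openssl x509 -req -days 365 -sha256 -in "$dir/user1-req.pem" \
    -CA "$dir/cacert.pem" -CAkey "$dir/private/cakey.pem" -CAcreateserial \
    -extfile "$dir/user.ext" -out "$dir/user1-cert.pem" 2>/dev/null
}

# san_of CERT: print the Subject Alternative Name, e.g. "DNS:vpn.lab.example".
# This is the string strongSwan compares with leftid/rightid.
san_of() {
  openssl x509 -in "$1" -noout -text |
    awk '/X509v3 Subject Alternative Name/ { getline; sub(/^[[:space:]]+/, ""); print }'
}

# chain_ok CA CERT: succeeds only if CERT was issued by CA (what the peer checks
# before it trusts the identity in the SAN).
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo with placeholder names
work=$(mktemp -d)
make_pki "$work" vpn.lab.example user1@lab.example
echo "gateway SAN: $(san_of "$work/ipsechost-cert.pem")"
echo "user SAN:    $(san_of "$work/user1-cert.pem")"
chain_ok "$work/cacert.pem" "$work/user1-cert.pem" && echo "user cert chains to the CA"
```

If san_of prints nothing for a cert, the Alt Name never made it in (the usual cause being req_extensions left commented out), and strongSwan will fall back to matching the full subject DN, which is exactly the mismatch that shows up as "no matching peer config" in auth.log.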

You need to copy user1-cert.pem, user1-key.pem, and cacert.pem to the user’s machine. We will need these files to complete the VPN.

On the User’s Side:

sudo apt-get install strongswan

Copy the files into the proper directories
user1-cert.pem to /etc/ipsec.d/certs
user1-key.pem to /etc/ipsec.d/private
cacert.pem to /etc/ipsec.d/cacerts

Edit the client side ipsec.conf. This is a working config:

conn %default
     keyexchange=ikev2                   # added; the original listing left this block empty

conn roadwarrior
     leftsourceip=%config                # this will take an IP from the pool on the server
     leftcert=user1-cert.pem             # the user cert we copied in
     leftid=USER_EMAIL                   # the email included in the Alt Name of the user cert
     leftfirewall=yes
     right=IPSEC_HOST                    # the location of the host, FQDN or IP
     rightid=FQDN_OF_IPSEC_HOST          # the Alt Name used by the ipsec host
     rightsubnet=INTERNAL_SUBNET         # the subnet (CIDR) on the server side you want to access
     auto=start                          # added; bring the tunnel up when ipsec starts

Edit the ipsec.secrets file (the key file name must match what was copied into /etc/ipsec.d/private):

: RSA user1-key.pem

On the client, issue an “ipsec restart” and it should attempt to build the tunnel. With that, you are done.

Use “ipsec statusall” to get details on the tunnels. From the server, a healthy tunnel looks like this:

Security Associations (1 up, 0 connecting):
       ikev2[11]: ESTABLISHED 3 minutes ago, HOST_IP[]...REMOTE_IP[]
       ikev2[11]: IKEv2 SPIs: 49c4512b56436e5b_i 6276554588ce1803_r*, public key reauthentication in 50 minutes
       ikev2[11]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
       ikev2{9}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cd1e015f_i cd3cb1c1_o
       ikev2{9}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 12 minutes

Use “ipsec listall” for details on the host’s certs and configs. Here we want to be sure Alt Names are good, and the CA and certs are loaded correctly.

List of X.509 End Entity Certificates:
  subject:  "C=US, ST=NY, O=OpenPeak, OU=IT,,"
  issuer:   "C=US, ST=NY, L=NY, O=mydomain, OU=IT, CN=ipsecserver-ca,"
  serial:    10:03
  validity:  not before Mar 18 20:44:25 2015, ok
             not after  Nov 24 20:44:25 2028, ok 
  pubkey:    RSA 2048 bits, has private key
  keyid:     10:15:77:ae:2e:a4:e8:3f:cc:1f:6d:a9:d9:80:bd:9f:41:fb:63:e5
  subjkey:   3f:0c:bf:01:2f:c7:16:be:d4:83:5c:76:81:56:a9:f1:3a:84:b4:5f
  authkey:   b7:61:d7:32:19:65:c3:10:1a:43:23:27:bc:46:29:e5:ff:df:03:1c

List of X.509 CA Certificates:

  subject:  "C=US, ST=NY, L=NY, O=mydomain, OU=IT, CN=ipsecserver-ca,"
  issuer:   "C=US, ST=NY, L=NY, O=mydomain, OU=IT, CN=ipsecserver-ca,"
  serial:    db:e9:16:e0:44:a3:57:83
  validity:  not before Mar 18 15:49:45 2015, ok
             not after  Mar 15 15:49:45 2025, ok 
  pubkey:    RSA 2048 bits
  keyid:     18:47:07:92:b8:3d:a0:bb:88:bf:27:2b:4d:0b:a7:79:8b:c1:1b:ba
  subjkey:   b7:61:d7:32:19:65:c3:10:1a:43:23:27:bc:46:29:e5:ff:df:03:1c
  authkey:   b7:61:d7:32:19:65:c3:10:1a:43:23:27:bc:46:29:e5:ff:df:03:1c

Note that if you want something closer to two-factor, omit the -nodes option when creating the client request. The user’s private key is then encrypted with a passphrase. Give strongSwan the passphrase through ipsec.secrets as “: RSA user1-key.pem %prompt” (rather than writing it into the file) and the user is asked for it when the secrets are loaded, i.e. at ipsec start or ipsec rereadsecrets, before any tunnel can come up. Strictly speaking this is still one factor (a passphrase-protected key), not an independent second factor.

Windows 2008 R2 Server Windows update unknown error

I’m putting this out there for anyone else. For the last 3 months I had a windows 2008 R2 server that would not apply windows updates. “An unknown error has occurred” is all I would get.

This was fixed today. The cause turned out to be a file system filter driver attached to the local system disk. I had never heard of this before today.

The command FLTMC lists the filter drivers loaded on the host (run it from an elevated command prompt). This is from a working server; I don’t know if yours will match exactly.


Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
VirtFile                                0       429999.280700    0
msnfsflt                                0       364000         0
luafv                                   1       135000         0

Now when my server was in an error condition, this listing had an additional entry with the highest ‘Altitude’ value.


Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
CpsFsJnl                                0       429999.999999    0
VirtFile                                0       429999.280700    0
msnfsflt                                0       364000         0
luafv                                   1       135000         0

This filter was the cause of my issue. It was a remnant of a Symantec CPS (Continuous Protection Server) installation that was supposedly uninstalled years ago; the uninstaller left the filter registered and active on the server. It must have sat there dormant for years until a Windows update or something else tripped the error condition.
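
The comparison above (a known-good listing against the broken host, with the stray filter sitting at the top of the altitude stack) is easy to automate. The helper below is an added example, not something from the original post; the two sample listings are the ones shown above, and a real run would feed it the output of fltmc saved from each host.

```shell
#!/usr/bin/env bash
# Added triage helper: parse two 'fltmc' listings, report the filter with the
# highest altitude on each host and the filters that exist only on the bad host.
set -eu

# Sample listings copied from this page: a working 2008 R2 server and the broken one.
GOOD_FLTMC='Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
VirtFile                                0       429999.280700    0
msnfsflt                                0       364000         0
luafv                                   1       135000         0'

BAD_FLTMC='Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
CpsFsJnl                                0       429999.999999    0
VirtFile                                0       429999.280700    0
msnfsflt                                0       364000         0
luafv                                   1       135000         0'

# parse_fltmc FILE: emit "name altitude" per filter, skipping the header and ruler lines
parse_fltmc() {
  awk 'NR > 2 && NF >= 4 { print $1, $3 }' "$1"
}

# top_filter FILE: the filter with the highest altitude (closest to user I/O, first to
# see every request; a rogue entry here is exactly what CpsFsJnl was)
top_filter() {
  parse_fltmc "$1" | LC_ALL=C sort -k2,2 -nr | awk 'NR == 1 { print $1 }'
}

# extra_filters GOOD BAD: filters present on the bad host but not the good one,
# highest altitude first
extra_filters() {
  awk 'NR == FNR { if (FNR > 2 && NF >= 4) seen[$1] = 1; next }
       FNR > 2 && NF >= 4 && !($1 in seen) { print $1, $3 }' "$1" "$2" |
    LC_ALL=C sort -k2,2 -nr | awk '{ print $1 }'
}

# Demo on the two listings above
work=$(mktemp -d)
printf '%s\n' "$GOOD_FLTMC" > "$work/good.txt"
printf '%s\n' "$BAD_FLTMC"  > "$work/bad.txt"
echo "highest filter on good host: $(top_filter "$work/good.txt")"
echo "highest filter on bad host:  $(top_filter "$work/bad.txt")"
echo "only on bad host:            $(extra_filters "$work/good.txt" "$work/bad.txt")"
```

Run it against saved output from a healthy build of the same OS and the suspect machine; anything it lists is a filter driver you should be able to account for (backup agent, AV, encryption), and the next step for an unknown one is the same as below: find the .sys it maps to and its service entry before removing anything.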

The filter is a system file called cpsfsjnl.sys; a quick search found it buried in the Program Files directory. I deleted the file (after making a backup, just in case). I also exported and then deleted the following registry entries:


I rebooted the server, checked FLTMC to be sure the CpsFsJnl was no longer listed, and then ran the Windows updates.

So, bottom line: in my case Symantec CPS left a file system filter driver on the server that caused the error condition. Removing it fixed Windows Update.

Exchange 2007 Outlook Web Access Error The Password does not meet the minimum security requirements

In Microsoft Exchange OWA (outlook web access) a user will attempt to change the account password and encounter an error “The password supplied does not meet the minimum security requirements”. This error happens even though the GPO Policy has password complexity disabled.

OWA error message

The cause is the Minimum password age setting in the domain password policy (Default Domain Policy, or a fine-grained password policy that applies to the user). OWA only relays the change request to Active Directory, which refuses a change made sooner than the minimum age, and OWA shows the same generic message it uses for complexity failures.

Set Minimum password age to 0, then run GPUPDATE /FORCE on the domain controllers or reboot. Be aware that an age of 0 also removes the protection that stops a user from cycling through passwords in one sitting to get back to an old favourite despite the password history setting; if that matters, wait out the configured age instead.

GPO for Min Password Age

Using Postfix to Relay messages to an ISP Email Server

Since my ISP blocks port 25, preventing me from running my own in-house mail server, I relay all in-house email and the notifications generated by various components through the ISP’s email servers. Internal components send to my in-house server on port 25 and those messages are relayed out to the ISP for delivery.

This setup works on Ubuntu 12.04 and 14.04

nano /etc/postfix/

Add the following (obviously replace the domain names and IP ranges with your own.)

myhostname = server.mydomain.local
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination =, localhost
relayhost = []:587
mynetworks = [::ffff:]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

#fix for some isp configs being stupid.
smtp_discard_ehlo_keyword_address_maps = hash:/etc/postfix/busted-servers
smtp_connection_cache_on_demand = no
smtp_discard_ehlo_keywords = pipelining,silent-discard

### Relay client Auth
smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

Nothing above forces TLS towards the ISP. Unless smtp_tls_security_level is set to encrypt (or stronger) together with smtp_tls_CAfile, Postfix will send the AUTH credentials in the clear if the relay does not offer STARTTLS (smtp_sasl_security_options is deliberately emptied above, so plaintext PLAIN/LOGIN is allowed), and even with opportunistic TLS it does not verify the relay’s certificate. Add those two parameters before trusting this with a real password.

Next we need to give the server the credentials it needs to perform the relay.
Create the password file:

nano /etc/postfix/sasl_passwd

Add the following line for your ISP (the format is the relayhost value from the config above, a space, then username:password):


Create the mailname file, replacing whatever is there with your mail domain (myorigin is taken from it):

echo YOUR_DOMAIN > /etc/mailname

Lock the password file down (it holds the ISP password in the clear), build the hash map, and reload Postfix so it picks up the new settings:

chmod 600 /etc/postfix/sasl_passwd
postmap hash:/etc/postfix/sasl_passwd
chmod 600 /etc/postfix/sasl_passwd.db
postfix reload

That’s it. Send some test messages to your internal server and it should get delivered.
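
Because the relay credentials are the one secret in this setup, the two things worth checking after editing are that TLS is forced before AUTH and that the sasl_passwd map is 0600. The script below is an added example (not from the post): it lints a main.cf-style file for those conditions, shows the posted settings beside a variant with TLS enforced, and writes the password map with the right permissions. The relay host name in the samples is a placeholder.

```shell
#!/usr/bin/env bash
# Added check for the relay setup above: make sure the ISP password can only leave
# the box over TLS and that the sasl_passwd map is not readable by other users.
set -eu

# Constructed sample 1: the client-side relay settings as shown in the post (no TLS).
WEAK_CF='relayhost = [smtp.isp.example]:587
smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd'

# Constructed sample 2: same relay, but TLS is mandatory and the relay's cert is verified.
STRONG_CF="$WEAK_CF
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_sasl_tls_security_options = noanonymous"

# cf_get FILE PARAM: print PARAM's value from a main.cf-style file (last assignment
# wins, comments skipped; multi-line continuation values are not handled).
cf_get() {
  awk -v key="$2" '
    /^[[:space:]]*#/ || !/=/ { next }
    {
      k = $0; sub(/[[:space:]]*=.*$/, "", k); sub(/^[[:space:]]+/, "", k)
      if (k == key) { v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); val = v }
    }
    END { print val }' "$1"
}

# check_relay_cf FILE: print findings; return 1 if the password could travel unprotected.
check_relay_cf() {
  cf="$1"; rc=0
  [ "$(cf_get "$cf" smtp_sasl_auth_enable)" = "yes" ] || return 0   # no client AUTH, nothing to leak
  case "$(cf_get "$cf" smtp_tls_security_level)" in
    encrypt|verify|secure) ;;   # STARTTLS is required before AUTH is attempted
    *)
      echo "FAIL: smtp_sasl_auth_enable=yes but smtp_tls_security_level does not force TLS;"
      echo "      with smtp_sasl_security_options empty, PLAIN/LOGIN can be sent in cleartext"
      rc=1 ;;
  esac
  if [ -z "$(cf_get "$cf" smtp_tls_CAfile)$(cf_get "$cf" smtp_tls_CApath)" ]; then
    echo "WARN: no smtp_tls_CAfile/smtp_tls_CApath, so the relay's certificate is not verified"
  fi
  return $rc
}

# install_sasl_passwd FILE 'relay user:password': write the map 0600 and rebuild the .db
install_sasl_passwd() {
  ( umask 077; printf '%s\n' "$2" > "$1" )
  chmod 600 "$1"
  if command -v postmap >/dev/null 2>&1; then
    postmap "hash:$1" || echo "postmap failed; run it by hand" >&2
  fi
}

# check_secret_perms FILE: succeed only if the mode is exactly 0600
check_secret_perms() {
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
  [ "$mode" = "600" ]
}

# Demo on the two constructed samples
work=$(mktemp -d)
printf '%s\n' "$WEAK_CF"   > "$work/weak.cf"
printf '%s\n' "$STRONG_CF" > "$work/strong.cf"
echo "== as posted =="; check_relay_cf "$work/weak.cf" || true
echo "== with TLS forced =="; check_relay_cf "$work/strong.cf" && echo "OK"
install_sasl_passwd "$work/sasl_passwd" '[smtp.isp.example]:587 user@isp.example:secret'
check_secret_perms "$work/sasl_passwd" && echo "sasl_passwd is 0600"
```

On a real host point check_relay_cf at /etc/postfix/main.cf (or at the output of postconf -n saved to a file) and check_secret_perms at both sasl_passwd and sasl_passwd.db; the .db is what postfix actually reads and inherits whatever umask postmap ran under.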

Installing SCEP using Microsoft NDES

SCEP (Simple Certificate Enrollment Protocol) is a standard for admins who want to deploy certificates to devices with little interaction and no manual uploading/downloading of cert files between systems. NDES (Network Device Enrollment Service) is Microsoft’s implementation of SCEP; NDES and SCEP are essentially two labels for the same service. This is really just my brain dump from working with SCEP over the last few months.

A lot of this page is derived from the Microsoft whitepaper on the Microsoft SCEP implementation.

To begin, you will need a few things.
1) A working MS Domain with healthy AD.

2) A Microsoft Certificate Authority.
You can setup either a Standalone or Enterprise CA. Since most of my work was with MS, this example is for an Enterprise CA.

3) A 2008 or 2012 Enterprise or DataCenter Server.
This is for the install of NDES. On 2008/2008 R2 the NDES role service is only available in the Enterprise and Datacenter editions (Windows Server 2012 allows it on any edition). Also, NDES cannot be installed on the same server that holds a certification authority.

With those ready to go, here’s how to get NDES installed.

Setup NDES Accounts in AD
NDES needs 2 accounts in the domain: an admin account for installation and interaction with the GUI, and a service account that runs the service and requests/enrolls certificates.

1) Create NDES_Admin. Add it to the Enterprise Admins group in the domain (this membership can be removed after installation). Add it to the local Administrators group on the NDES host.
2) Create NDES_ServiceAccount. Add it to the IIS_IUSRS group on the NDES host.

Duplicate the Certificate Templates
In the Certificate Authority(CA) we need to create the Certificate templates that will be used by NDES.

  • Open the Certificate Authority MMC
  • On the left, expand the CA. Right click on the Templates Folder and select Manage. This will open the Template Mgmt folder.
  • Locate the Exchange Enrollment Agent (Offline Request), right click and Duplicate the template.
  • When prompted, select the server level. I used 2008 Enterprise on a 2008 host and 2012 on a 2012 host. Both worked fine, I don’t know the differences between the 2.
  • In the Template Dialogue, Make the name NDES Exchange Enrollment Agent (Offline Request)
  • In the Template Security Tab, Assign Permissions for the NDES_Admin Account and grant it Read and Enroll rights.
  • Click OK to save and exit this Template.
  • We need to do the same thing for the CEP Encryption template (Duplicate, name it NDES CEP Encryption, and assign NDES_Admin the Read and Enroll rights).
  • Last, we need to do the same thing for the IPSEC (Offline Request), name it NDES IPSEC (Offline Request), assign NDES_Admin AND NDES_ServiceAccount the Read and Enroll Rights.
  • Close the Templates MMC

Publish The Certificates
Back at the CA, we need to publish the new Templates we just created into the CA for use.

  • Right click the Tempates folder in the CA.
  • Pick New then Certificate Template to Issue.
  • Select the 3 NDES… certificates we just created and click OK to publish.

Once done, the 3 NDES certs should appear in the list of usable certificate templates in the CA windows.

Assign Permissions on the CA
Next we need to add Read and Request permissions for the NDES_ServiceAccount on the CA:

  • From the left side panel in Certificate Authority MMC, right click the CA name, and select Properties
  • Click on the security tab.
  • Add NDES_ServiceAccount and assign it Read and Request Certificates rights.
  • Hit ok and close it

Install NDES
Now we are done with the CA and certificate work, we can move on to the installation of NDES on the ndes host.

  • Log in to the NDES box using the NDES_Admin account created earlier.
  • Open Server Manager from the Start menu.
  • In the left pane of Server Manager, right-click Roles and select Add Roles from the menu.
  • Click Next on the Before You Begin screen in the Add Roles Wizard.
  • Select Active Directory Certificate Services on the Select Server Roles screen and click Next.
  • Click Next on the Introduction screen.
  • On the Select Role Services screen, clear Certification Authority and select Network Device Enrollment Service. As I mentioned previously, NDES can’t be installed on the same machine as a CA.
  • In the Add Roles Wizard dialog box, click Add Required Role Services to install the necessary IIS and Remote Server Administration Tool components.
  • On the Specify User Account screen click Select User. In the Windows Security dialog box, enter the username and password for the NDES_ServiceAccount and click Next.
  • Click Browse in the Specify CA for Network Device Enrollment Service dialog box.
  • In the Select Certification Authority dialog box, select the issuing CA, click OK and Next to continue.
  • On the Specify Registration Authority Information screen, modify the Country/Region field as necessary and click Next.
  • On the Configure Cryptography for Registration Authority screen, accept the default settings, which you can see in Figure 3, and click Next.
  • Click Next on the Web Server (IIS) introduction screen.
  • Accept the defaults on the Select Role Services screen by clicking Next.
  • Click Install on the Confirm Installation Selections screen.
  • Click Close on the Installation Results screen.

Modify the NDES Registry
Before we can request a password from NDES to start the certificate request process, we need to set some registry values on the NDES server to point at our NDES IPSEC (Offline Request) template, then restart IIS.

  • Open regedit from the Search programs and files box on the Start menu.
  • In the left pane of Registry Editor, navigate to HKLM\Software\Microsoft\Cryptography\MSCEP.
  • You’ll find three REG_SZ values: EncryptionTemplate, GeneralPurposeTemplate and SignatureTemplate. Set all three to the template name of the NDES IPSEC (Offline Request) template created above (the Template name field on the template’s General tab, not the display name with spaces), which in this guide is NDESIPSECIntermediateOffline. Then close Registry Editor.
  • Type cmd into the Search programs and files box on the Start menu and press Ctrl+Shift+Enter to start the command prompt with administrative privileges.
  • Type the following two commands to restart IIS:

    net stop w3svc
    net start w3svc

  • Close the command prompt.

Replace Outlook Mail, Contacts, and Calendar with Thunderbird

My company uses MS Exchange 2013 for mail, contacts, calendars, and tasks. However, we have a lot of users on Linux desktops that can’t run Outlook. For others, the new Outlook 2013 is a horrible monstrosity of flat icons on an all-white background that burns your eyes after a few hours in front of the monitor. So I was after a complete replacement for Outlook to access email, contacts, and calendar on Exchange. Email is easy. Calendar, not so much. Contacts seem to have been made complicated on purpose. But here is a working solution using Thunderbird with some available plugins. These examples were taken from a machine running Mint 17 64-bit, but the same steps should work on Windows.


Install Thunderbird

Thunderbird is the Mozilla mail client. It comes installed on many Linux distros. If you need to install it for any reason you can find it in the repos or directly from the Thunderbird website.


Configure Thunderbird for Exchange Mail

  1. Add a new mail account (Edit > Account Settings > Account Actions button > Add Mail Account).
  2. If you get prompted to create a new address at some third-party service, select “Skip this and use my existing email”.
  3. Enter the name to be displayed, your email address, and password.
  4. Thunderbird will most likely fail to autodetect the settings for Exchange. An expanded window will appear prompting for the settings; your email admin can provide them. You need the IMAP settings, the SMTP settings, and note that the username usually takes the form DOMAIN\Username.
  5. Hit Done when complete.


Install Lightning for Thunderbird

Lightning is a Thunderbird add-on that provides the calendar and task list. Installation is done from within Thunderbird.

  1. Click Tools > Add-ons (or use the menu button on the right and pick Add-ons. BTW, to get the menu bar back, right-click to the right of the tabs and select Menu Bar).
  2. In the search box, enter ‘lightning’.
  3. Select the Lightning plug-in. Install it and restart.


Install Exchange connector

The real trick is getting the calendar, contacts, and tasks to sync with Exchange. The only plug-in I’ve found that does this is located at

  1. Access that link and download the latest version of the plugin.
  2. Save the xpi file on your machine.
  3. From Thunderbird, Access the add-on manager (Tools > Add-ons)
  4. Click the box next to the search window and select “Install add-on From File”
  5. Select the xpi plug in you just downloaded.
  6. Restart Thunderbird


Configure Calendar

  1. Click the Calendar button to open the calendar tab.
  2. Right-click on the blank space under Calendar and select “New Calendar”.
  3. Select “On the Network” and click Next.
  4. Select “Microsoft Exchange 2007/2010/2013” and click Next.
  5. Give the calendar a name like “Exchange Calendar” and pick the email associated with the Exchange account (this should match the one you just set up for IMAP above). Hit Next when done.
  6. Click Autodiscover (any good admin has this set up). Fill in the username and the domain. Leave the Folder id field empty. Click “Perform Autodiscovery” when ready.
  7. You will probably get a prompt to enter your email account password. Enter the password and continue.
  8. You will probably get the option to pick an EWS server. You’ll probably only have 1 in the list; otherwise, ask your admin. Continue when ready.
  9. You will get a final window showing the calendar root. Make edits as needed, but most can just accept the default and hit Next.
  10. In the list of calendars, you should now see an entry for your calendar on Exchange.


Configure Contacts

  1. In Thunderbird’s inbox tab, select Address Book.
  2. In the Address Book window, select “Add Exchange Contact Folder”.
  3. Enter a descriptive name.
  4. Check “Add Global Address List to search results”.
  5. Check “Use Exchange’s Autodiscovery function”.
  6. Enter your email, username and domain in the correct fields and perform the autodiscovery when ready.
  7. Once again, enter your password if prompted and pick the correct EWS server if prompted.
  8. Make edits to the contact root folder as needed. Most can leave it at the default. If your company uses a Public Folder for contacts, you can change the root to Public Folders and browse to the correct folder.


That’s it. You can add as many calendars and address book entries as you need. I did this and now have a very good solution to replace Outlook on any desktop.

Prevent Users from changing Pictures in Exchange 2013

Yes, in Exchange 2013 users were given the ability to edit the user picture stored in Active Directory (the thumbnailPhoto attribute) for display on their profile across Microsoft’s suite of products.

Seems like a harmless function, right? Microsoft is so desperate to be viewed as a ‘cool social media like product’ that users will take advantage of the customizable settings. Well, if left unchecked, the user photos quickly become a mixture of kittens, logos, TV characters, and borderline raunchy images. No good, especially since users have NO IDEA that these images might be viewed by outside entities. Highly unprofessional!!!

So the Goal here is to allow the use of Photos that the Admin or a security person can upload into LDAP, let users view the photos, but keep users from changing the photo.

The only way I’ve found to do this is by using a mailbox policy.

Open the Exchange Management Shell on Exchange 2013 and run the following.
First we list the OWA mailbox policies and set the SetPhotoEnabled option on each of them to False.
Second we apply the Default policy to all mailboxes. The first line already covers every existing policy; the second just makes sure no mailbox is left without one, and note that it replaces any non-default policy assignment.

Get-OWAMailboxPolicy | Set-OWAMailboxPolicy -SetPhotoEnabled:$false
Get-CASMailbox -ResultSize Unlimited | Set-CASMailbox -OWAMailboxPolicy Default

To test, sign into OWA as a user and check the 2 spots where users can change photos; ensure the options to edit photos are gone.
1) Under the photo in the main display.
2) Under the user’s profile options on the ‘My account’ page.

NOTE: Be aware, that the last time I updated a Cumulative Upgrade, these settings reverted back to the default behavior and I had to re-apply the mailbox policy.

Setup Exchange 2013 Mailbox on Outlook without Autodiscover

I have had this issue come up a few times.    I had the need to setup an employee’s laptop with access to an Exchange 2013 mailbox. However, the employee was using a laptop that was not a domain member and could not use autodiscover to automate Outlook setup.

In Exchange 2010 and earlier, one could just manually configure the Exchange account with the server name of the Exchange server, i.e.
In Exchange 2013, the server name takes the form GUID@domain, where GUID is the mailbox’s ExchangeGuid (unique to each user) and domain is the user’s SMTP domain. That basically means end users now need a specific value in the server field that only an Exchange administrator can provide.

So the 1st thing we need is the GUID for the account mailbox. Use the Exchange Powershell get-mailbox cmdlet to get the information.

Get-Mailbox  | fl name, exchangeguid

You should get something like the following:

Name         : Clark Kent
ExchangeGuid : 39f83854-18b3-4bb2-baf1-9cc03c721c6b

Now go to the client’s system. We need to create a new account, either by running Outlook for the 1st time or in the “Account Settings” window. You can get to this window from Outlook via TOOLS -> ACCOUNT SETTINGS, or from CONTROL PANEL -> MAIL -> EMAIL ACCOUNTS.

Note that the labels vary slightly between Outlook 2007, 2010 and 2013, but the steps are essentially the same.
1. Click NEW to add a new account.

2. Select Microsoft Exchange. Click Next.

3. In the Account Setup section, Check the option to “Manually configure server settings” and click Next.

4. From the E-Mail service window, select Microsoft Exchange and Click Next.

5. In the Exchange Server field enter GUID@domain, using the GUID returned by the Get-Mailbox cmdlet and the mailbox’s SMTP domain (i.e.

6. In the Username field enter the user’s email address (i.e.

7. Click the “More Settings” button. Select the Connection tab, check “Connect to Microsoft Exchange using HTTP” and click the “Exchange Proxy Settings” button (see image for reference).

8. In the Proxy Settings window, enter the FQDN of the CAS host (the Outlook Anywhere hostname) in the Proxy server field.

9. Click OK to apply the changes and NEXT to Finish the setup.

That should get the client connected to the Exchange 2013 mailbox.

I honestly don’t see how this is an improvement over Exchange 2010, where all users could be given a simple set of instructions and could set up their own mailbox if autodiscover didn’t work for them. 2013 requires administrator support for each user that needs a manual setup, since users can’t run the Exchange cmdlet needed to get the GUID. And before anyone says “Why don’t you just use Autodiscover”, there are times in the real world when you can’t use it. Not every domain is run like it would be in an enclosed lab.

If someone knows why this is better, please leave a comment and enlighten me.

Monitor ASA VPN sessions via SNMP

This took me way too long to research so I’m putting this here in case anyone can use it.

I have an ASA 5520 that is used for IPSEC, Anyconnect, and Clientless WebVPN vpn clients. I was asked to track total # of sessions for the migration of licenses. Since there was a Nagios Monitor onsite, I hoped to add an snmp check for the total number of WebVPN sessions (Anyconnect and clientless).

Cisco has the ASA MIBs located here:

The oid values you need are as follows:

crasIPSecNumSessions .
crasWebvpnNumSessions .

Drop the MIB into the shared MIB folder on the Nagios host, /usr/share/snmp/mibs.
I had some issues with the Cisco MIB, I haven’t tried on another nagios host yet, but the OID values worked just fine for my purposes.

In Nagios, create the check_snmp lookup. I opted for a new command. Note that -P 2c means SNMPv2c, so the community string crosses the network in cleartext; if the ASA has an SNMPv3 user configured, check_snmp can use it instead with -P 3 -L authPriv -U <user> -a SHA -A <authpass> -x AES -X <privpass> in place of -C:

define command{
        command_name    check_snmp_cisco_oid
        command_line    $USER1$/check_snmp -H $HOSTADDRESS$ -P 2c -C communityname -o $ARG1$ -w $ARG2$ -c $ARG3$
        }

Then define the services for the host:

define service{
        use                     generic-service
        host_name               ASA5520
        service_description     Total Number of Web SSL VPN sessions
        check_command           check_snmp_cisco_oid!.!50!75
        }

define service{
        use                     generic-service
        host_name               ASA5520
        service_description     Total Number of IPSEC VPN sessions
        check_command           check_snmp_cisco_oid!.
        }