
Archive for the 'Security' Category

Forefront for OCS error on the Access Edge (Event ID: 10161 & 10162)

Symptoms

The IM Notification Agent on the Access Edge is failing with the following Application Log events:

Event ID: 10162
Type: Error
Source: ForefrontNotificationAgent
Description:
“ERROR: Microsoft.FSO.IMClient.dll.IMClient.RaiseLoginDone(“<System.Boolean success><System.String message>”) – Error occured logging in to server: 80072746: .”

and

Event ID: 10161
Type: Error
Source: ForefrontNotificationAgent
Description:
“ERROR: ForefrontNotificationAgent.exe.NotificationAgent.imClient_LoginDone(“<System.Object sender><FSOIMClient.ReportSuccessEventArgs e>”) – Failed to login.”

More information

You have correctly set up the IM Notification Agent account per the instructions found here on TechNet for an Access Edge server. You have verified that the notification account ID and password are correct by logging in with the notification account from a remote client. Your IM Notification Agent settings look as follows:

IM Notification Agent settings

Use ForefrontRTCProxy Service Credentials: Unchecked
Transport: TLS
Username: domain\userid
Password: *****
SIP URI: sip:userid@company.com
Home or Pool Server: Director FQDN

SIP logging on the Director server shows a “SIP/2.0 301 Redirect request to Home Server” message with no response from the home pool. This tells us that the Director server is treating the Forefront Notification Agent as an internal client and is therefore trying to redirect the “client” to the notification account’s home pool. The Director server should proxy the request, not redirect it. Remote user connections cannot be redirected. Read here for more information on how a Director behaves with internal vs. external clients. Changing the Home or Pool Server setting to point to the notification account’s home pool FQDN does not solve the problem.

Resolution

Option 1

In the Home or Pool Server field, enter the FQDN of the Access Edge external interface (sip.company.com). Just changing the entry is not enough, however; you also need to specify the port, as in “sip.company.com:443”. This assumes, of course, that your AE external interface FQDN is sip.company.com. Make sure the Access Edge server resolves the external FQDN to the correct IP address. Changing to the AE FQDN routes the Forefront Notification Agent login request through the Access Edge service and then to the next hop server (the Director). The Director then properly processes the login request as a remote client.

Further SIP logging on the Director reveals a successful “Routed a request on behalf of an application” followed by a successful response from the account’s home pool.

IM Notification Agent settings

Use ForefrontRTCProxy Service Credentials: Unchecked
Transport: TLS
Username: domain\userid
Password: *****
SIP URI: sip:userid@company.com
Home or Pool Server: sip.company.com:443

Option 2

Another recent fix that was brought to my attention is to enter the SIP URI without the “sip:” prefix. Your settings would then be as follows:

IM Notification Agent settings

Use ForefrontRTCProxy Service Credentials: Unchecked
Transport: TLS
Username: domain\userid
Password: *****
SIP URI: userid@company.com (without sip: prefix)
Home or Pool Server: sip.company.com:443

Cause

As for the cause, I cannot speak to what is specifically causing this issue as I feel this is either a bug in the Forefront notification agent OR an error in the documentation.
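As an added triage helper (not part of the original post), the following Python script parses a constructed export of the two Application Log events quoted above, keeps only ForefrontNotificationAgent events with IDs 10161 and 10162, and decodes the HRESULT in the 10162 description: a 0x8007xxxx HRESULT wraps a Win32 error code, and 0x2746 is 10054, WSAECONNRESET, a connection-reset error consistent with the redirected login never getting a response. The flat "Key: value" export layout and the unrelated third event are assumptions made for the sample.

```python
import re

# Constructed sample (assumed "Key: value" export layout, trimmed to the fields used) of
# the two Application Log events from the post, plus an unrelated event that must be ignored.
SAMPLE_EVENTS = """\
Event ID: 10162
Source: ForefrontNotificationAgent
Description: ERROR: Microsoft.FSO.IMClient.dll.IMClient.RaiseLoginDone(...) - Error occured logging in to server: 80072746: .
---
Event ID: 10161
Source: ForefrontNotificationAgent
Description: ERROR: ForefrontNotificationAgent.exe.NotificationAgent.imClient_LoginDone(...) - Failed to login.
---
Event ID: 7036
Source: Service Control Manager
Description: The Print Spooler service entered the running state.
"""

AGENT_SOURCE = "ForefrontNotificationAgent"
AGENT_LOGIN_FAILURE_IDS = {10161, 10162}
# Winsock names for Win32 codes an HRESULT 0x8007xxxx can wrap; only the page's code is listed.
WINSOCK_NAMES = {10054: "WSAECONNRESET"}

def parse_events(text):
    # One dict per "---"-separated event; partition splits on the first colon only,
    # so "Description: ERROR: ..." keeps the whole message as the value.
    events = []
    for chunk in text.split("---"):
        pairs = (line.partition(":") for line in chunk.strip().splitlines())
        events.append({k.strip(): v.strip() for k, sep, v in pairs if sep})
    return [e for e in events if e]

def decode_hresult(code_hex):
    # High word 0x8007 means failure bit + FACILITY_WIN32; the low word is the Win32 code.
    value = int(code_hex, 16)
    if value >> 16 != 0x8007:
        return None
    return value & 0xFFFF, WINSOCK_NAMES.get(value & 0xFFFF, "unknown")

def triage(text):
    # Keep only the notification agent's login-failure events and decode any HRESULT found.
    findings = []
    for event in parse_events(text):
        event_id = int(event.get("Event ID", 0))
        if event.get("Source") != AGENT_SOURCE or event_id not in AGENT_LOGIN_FAILURE_IDS:
            continue
        match = re.search(r"\b([0-9A-Fa-f]{8})\b", event.get("Description", ""))
        findings.append((event_id, decode_hresult(match.group(1)) if match else None))
    return findings
```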

Windows Server 2008 Security Guide Now Available!

Read the post from the Windows Security team to get some information on the new guide…

http://technet.microsoft.com/en-us/library/cc264463.aspx

No more "power users"

Steve Riley elaborates on some of the new security features in Vista that eliminate the need for the "power users" security group.  In fact, "power users" in Vista is there only for backwards compatibility.

Excerpt:

"I’ve seen some conversations lately about the Power Users group — how powerful is it, really, and why did we remove the group from Windows Vista?"

Read the rest of Steve’s post here…

Update: Network Access Protection (NAP) documents from MS

MS recently updated three documents covering NAP (Network Access Protection). Good reference materials for your ever-growing library.

FaxBox: the latest in password scams

My favorite security guru, Mr. Steve Riley, posted another good article on a new scam that may find its way into your mailbox soon. Be prepared now…

Excerpt:

“Looks like spammers have found yet another way to worm (ha ha) themselves into the computers of the unsuspecting. In my junk email folder this morning, I saw this message:

From: Question It [mailto:question_it@fanboxapps.com]
Sent: Monday, January 07, 2008 2:34
To: Steve Riley
Subject: Ratul has asked you a question on FanBox

<link>

Ratul asked you a question. View the question <big link here> and answer it.

FanBox.com is the web-based desktop that instantly turns every computer into your computer. It includes over 10,000 web applications and games to choose from, including the Question It application.

This email was sent by Ratul while using the Question It application on FanBox. Go here <another link> to learn more or stop receiving emails from friends using Question It. FanBox: 255 G Street #723, San Diego, CA 92101, USA”

Read the rest of Steve’s post here…

Steve Riley: What’s your data worth? More importantly, to whom?

I had the pleasure of watching Steve Riley speak a while back and his enthusiasm is contagious and he really knows how to drive home the point.

Steve writes…

“This week, I’m attending and spoke at a cybercrime conference in Singapore. One of the presenters made a very good point, and I want to share it with you.

When considering how to protect your data, don’t consider how valuable it might be to an attacker. Always, instead, consider how valuable it is to you.”

Read the rest of his post here…

New: Exchange Certificate Generator Utility

First brought to my attention by Elan Shudnow, this little utility is a must for any administrator deploying Exchange 2007 or any service (such as OCS) that requires Subject Alternative Names (SANs). This utility adds a graphical interface to the New-ExchangeCertificate PowerShell cmdlet.

Read Elan’s post here…

Get the utility here…

Visio 2007 Connector for Microsoft Baseline Security Analyzer (MBSA) 2.1

The Microsoft Office Visio 2007 Connector for Microsoft Baseline Security Analyzer (MBSA) lets you view the results of an MBSA scan in a clear, comprehensive Microsoft Office Visio 2007 network diagram.