Monthly archives: September, 2017

Publishing XenMobile Self-Help Portal via NetScaler AAA

In our deployments of XenMobile we always recommend that customers use the Two Factor option for enrollment, which requires a username and password as well as a PIN created in the administration GUI of the appliance, for the added security. In larger organizations this can put a strain on the administrators, which is why there is a self-help portal for the users. This portal allows users to create their own PIN and also comes with the added benefit of letting them wipe or lock lost and stolen devices themselves, cutting down on the time between theft and action taken.

However, this comes with a drawback. There is no built-in way in XenMobile to enforce any kind of second factor for the login to this portal, which effectively renders the MFA for enrollment useless. To prevent this, we can put NetScaler AAA in front of the login to enforce a second factor for logon to the portal.

I’ll assume that you already have AAA set up, with an authentication profile we can use. In my examples, ours is called AAA-AUPL-EXT_OTP.

Starting with some standard boilerplate:

Add the traffic actions and policies as well as the form-fill action:

/zdm/cxf/login is the path that the logon method on /zdm/login_xdm_uc.jsp actually posts to. You can view the logon script at https://mdm.example.com/zdm/scripts/logon.js and see this for yourself.

Depending on how your AAA is set up, you might also need an authorization policy. Here I do it via a policy label:

A few rewrites:

These are necessary since the correct referrer is required for the login to be allowed. We also need to tell the client to move from enroll.example.com/zdm/login_xdm_uc.jsp to enroll.example.com/zdm/ once the login has been performed.

Create a service group for your nodes:

Finally, create a vServer and bind the policies:

Please note that this still leaves logon through mdm.example.com unprotected, since you can still browse directly there, so you should take care not to expose these pages to the outside. One way, if you are using SSL offload, is to block it with a responder policy:

Do note that this responder policy needs to be bound to your MDM load balancer, not the vServer we set up above.



Office 365 with FSLogix in a multi-user environment

Since Microsoft is betting heavily on the cloud and Office 365, it has long been a natural step to move an on-prem Exchange to the cloud (Exchange Online in Office 365) to take advantage of the many benefits it offers. But in some cases this has meant a worse experience for end users. Now that Exchange lives in Office 365 (Azure), response times have generally increased, in many cases by a factor of 10. This makes navigating between emails (with the preview pane enabled) sluggish; it can take a second or so before the message you navigate to appears. The Outlook experience becomes noticeably worse and day-to-day productivity suffers.

Outlook Cached Mode

One solution to the problem has been to simply turn on Cached Mode and get rid of the high-latency problem entirely. This works very well for everyone who has a "fat client" with local disk space. In a multi-user environment it gets a bit more complicated: to run Cached Mode in a multi-user environment such as Citrix or Microsoft Remote Desktop Services (RDS), you first need to handle large amounts of data, since more and more users have very large mailboxes; profile sizes also become very large, which among other things slows down logon. To get around this, the Outlook cache (the *.OST file) is redirected to a storage location (usually a file server) that has the capacity for it, so that it does not burden the multi-user environment.

Many who arrived at this solution have had very good results in their tests; in a test group of, say, 20 people it works very well and rolling it out to production follows. Unfortunately it doesn't end there. What can be hard to predict is how much the constant indexing of the OST file loads the CPU and how much network traffic the SMB protocol generates with such frequent updates of the OST file, not to mention what Windows Search does when you search your mailbox. All of this load now lands on the file server, which usually is not dimensioned for it the way an Exchange server is. So when the successful pilot goes into production with 100+ users, the result is even worse than before.

This is a big problem that many experience and something people have wanted a solution for for many years, but unfortunately Microsoft has never offered one. This is where FSLogix Office 365 Containers come into the picture.

FSLogix Office 365 Containers

In short, FSLogix is a company that took matters into their own hands. They have developed a product that solves all of the problems above very neatly. The installation procedure itself is very simple: you install an agent on every server your users log on to, add the ADMX template to your Group Policy Management console for control via GPO, and point out the file share where you want the cache files stored.

The agent will now automatically redirect all cached files to this share (regardless of what you define in Outlook). What FSLogix does is create a vDisk for each user, which is attached to the session at logon; this considerably reduces the network load compared to SMB to a file server. They have also built intelligence for the OST file itself, which at its core is a database that is constantly updated: a kind of intermediate layer handles updates of the OST file more efficiently and faster, so that the CPU load is a fraction of the alternative. Another much-awaited feature from this spring is that it now also supports Windows Search, so your cached OST file is searchable in Outlook.

FSLogix is a very good complement to Exchange Online in multi-user environments!

OneDrive

The same license also gives you access to their OneDrive caching, which goes into the same vDisk as Outlook, and since OneDrive is becoming a good product that more and more companies are starting to use, this is a very nice bonus.


If you want to read more about FSLogix Office 365 Containers, click here!



Setting up access points using Device Profile

Device Profile is a feature found on the more recent ArubaOS switches. It simplifies the setup of access points by auto-configuring the ports that the access points are connected to.

To configure this, first create a profile on the switch containing the configuration that should apply to the port the AP is connected to. This is done with the following command:

Switch# device-profile name "AccessPoint"
untagged-vlan 100
tagged-vlan 150,200,212
exit

A profile is now created. What is configured in it will apply to the ports that a certain type of access point is connected to.
Then associate the profile with a device type, in this case Aruba access points:

Switch# device-profile type "aruba-AccessPoint"
associate "AccessPoint"
enable
exit

When an Aruba AP is then connected to any port on the switch, the configuration above is automatically applied to that port.
In the example below, an Aruba access point has been connected to port 1 on the switch. Looking at the configuration currently on the port:

Switch# show running-config interface 1
Running configuration:
interface 1
untagged vlan 112
exit

If we look closer, however, we see that the configuration below has automatically been applied to port 1, according to the device profile:

Switch# show vlans port 1 detail
Status and Counters - VLAN Information - for ports 1
VLAN ID Name                 | Status     Voice Jumbo Mode
------- -------------------- + ---------- ----- ----- --------
150     Business             | Port-based No    No    Tagged
200     Client               | Port-based No    No    Tagged
212     Public               | Port-based No    No    Tagged
100     Management           | Port-based No    No    Untagged

If the access point is unplugged, the port configuration reverts to what it was before.

The following command shows which ports have device-profile enabled and whether an Aruba access point is connected:

Switch# show device-profile status
Device Profile Status
Port          Device-type          Applied device profile
------------- -------------------- ----------------------
1             aruba-AccessPoint    AccessPoint
2             aruba-AccessPoint    AccessPoint
3             aruba-AccessPoint    AccessPoint
4             aruba-AccessPoint    AccessPoint
5             aruba-AccessPoint    AccessPoint
6             aruba-AccessPoint    AccessPoint
7             aruba-AccessPoint    AccessPoint
8             aruba-AccessPoint    AccessPoint
10            aruba-AccessPoint    AccessPoint

With device profiles it is much easier and less time-consuming to connect access points, since you no longer have to configure each port manually.



Prepopulate username with NetScalers RfWebUI

We’ve been seeing an issue with AAA in front of ADFS where credentials entered at the service provider (Office 365, for example) don’t populate the username in the NetScaler login, although this works with plain ADFS. This isn’t the biggest issue, but it makes it annoying to use AAA instead of pure ADFS. We were able to do this just fine with the NSC_NAME cookie (or even query based) before, when not using RfWebUI. Because RfWebUI is the latest and greatest, as well as responsive, most people want to use it.

I’ve been looking into how to solve this using RfWebUI and may not have found the best solution in the world, but it works reliably and is easy to implement. A big thanks to Sam Jacobs, who helped me out with the JavaScript parts; I hadn’t worked with it before, so that was crucial to tying the knot on the issue.

The first thing I had to figure out was how to extract the username that Office 365 sends to ADFS. We can see the username in the query to ADFS as follows:

Note: it is URL encoded, which means the @ will be presented as %40.

The thing is that when using AAA, a new redirect is made directly inside NetScaler to the AAA vServer for authentication. I considered adding ”Set-Cookie: UserNameCookie=<email>” somewhere here, but figured that might not work, since rewrites don’t always work on internal redirects, and I might have to add another redirect to an already long chain of redirects, which can cause issues for some browsers. What I did find was a cookie named NSC_TASS that contains a long string of random-looking letters, numbers and symbols. After trying some things I was able to decode it by first converting it from URL-encoded format and then from Base64. When doing this, I could see the original ADFS URL containing the query with the username. To get the email/username in the correct format for the NetScaler login, I had to run the following:

In other words, we do the following: grab the value of NSC_TASS and decode the URL encoding. After that, decode it using Base64. Then typecast it to an HTTP URL, grab the value of the username query parameter, and decode the URL encoding (converting %40 to @ in my case).
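The decode chain described above, modelled in Python as an added example (this is not the NetScaler policy expression from the post). The ADFS URL and cookie value are constructed placeholders, and the assumption is that NSC_TASS is plain Base64 of the original URL, then URL-encoded, exactly as the post describes.

```python
import base64
import binascii
import urllib.parse

# Constructed sample: the ADFS request URL that NSC_TASS carries.
# Placeholder host and a reduced set of query parameters; the real
# query from Office 365 to ADFS contains more fields.
ADFS_URL = (
    "https://adfs.example.com/adfs/ls/"
    "?client-request-id=00000000-0000-0000-0000-000000000000"
    "&username=jane.doe%40example.com&wa=wsignin1.0"
)


def make_nsc_tass(url: str) -> str:
    """Build a cookie value the way the post describes it: Base64 of the
    URL, then URL-encoded (so Base64 padding '=' becomes %3D)."""
    b64 = base64.b64encode(url.encode("utf-8")).decode("ascii")
    return urllib.parse.quote(b64, safe="")


def username_from_nsc_tass(cookie_value: str) -> str:
    """Step 1: undo the URL encoding of the cookie value.
    Step 2: Base64-decode to recover the original ADFS URL.
    Step 3: treat the result as a URL and read the 'username' query value.
    Step 4: URL-decode that value (%40 -> @).
    Returns "" for a missing or malformed cookie so the login field is
    simply left blank instead of being filled with garbage."""
    try:
        raw = base64.b64decode(urllib.parse.unquote(cookie_value), validate=True)
        url = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return ""
    query = urllib.parse.urlsplit(url).query
    for pair in query.split("&"):
        key, sep, value = pair.partition("=")
        if key == "username" and sep:
            return urllib.parse.unquote(value)
    return ""


if __name__ == "__main__":
    cookie = make_nsc_tass(ADFS_URL)
    print("NSC_TASS =", cookie)
    print("username =", username_from_nsc_tass(cookie))
```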

Now to the part where I had to get some help to actually insert the username into the form. The solution works fine, but if you have a better way of doing it, please share! We had to add a small loop and wait to make sure the input field is created before the username can be inserted. The result looks like this:

We wait for the window to load, but for some reason that doesn’t mean the input field ”login” exists (yet), and that’s where the setInterval loop comes in. Without the loop, I saw it work most of the time on computers but rarely on phones. To make sure this only happens when being redirected, we verify that the NSC_TASS cookie exists and that the referrer length is greater than or equal to 1. After that we verify that the ”login” element has been created, insert the username/email and move focus to the password input.

Now it’s just a matter of using a rewrite to insert this:

If you are using the GUI, the rewrite part looks like this:

I hope this can help some people out there making their end users happier! If you find a way of doing this easier, please share!



Exchange 2016 – EventID 15021 HttpEvent

In a recent case with one of our customers we had an issue with mail flow not working as expected for one of the Exchange 2016 servers in the environment.

Starting Exchange Management Shell gave us the following error message:

Connection to remote server MBX01.contoso.local failed with the following error message. : [ClientAccessServer=MBX01.contoso.local,BackEndServer=MBX01.contoso.local,RequestId=<id>,<TimeStamp=<date and time>] [FailureCategory=Cafe-SendFailure]

After some troubleshooting we found multiple error events in the System event log with EventID 15021, HttpEvent:

An error occurred while using SSL configuration for endpoint 0.0.0.0:444. The error status code is contained within the returned data

One of the ports Exchange 2016 uses is TCP 444, for its Back End IIS web site. Looking at the Exchange Back End site in IIS Manager, we found that no SSL certificate was selected for https on port 444.

Verifying against another Exchange 2016 server, there should be an SSL certificate selected here, and it’s the self-signed Microsoft Exchange certificate.

After selecting the certificate and restarting IIS with iisreset (or rebooting the server), mail flow started working again.




Guest access in Microsoft Teams

Yesterday Microsoft made one of the most requested features for Microsoft Teams generally available: Guest Access for external users.

Guest access allows you to add people from outside your company and organisation to a team, so they can participate in chats, join meetings, collaborate on documents and more.

At the moment, anyone with an Azure Active Directory (Azure AD) or Office 365 work or school account can be added as a guest in Teams. Microsoft will later add the ability to add anyone with a Microsoft Account (MSA), such as Outlook.com or Live.com.

Image: blogs.office.com

Enable Guest Access

To enable Guest Access in Microsoft Teams, an Office 365 administrator has to log on to the Office 365 Admin Center, go to Microsoft Teams under Services & add-ins, change "Settings by user/license type" to Guest and turn the feature On.


Inviting a guest

To invite a guest user to a team, just add the user as you normally do by entering the email address:



Skype for Business will be upgraded to Microsoft Teams

Last night, a couple of Office 365 users received the following popup in the portal, saying that Skype for Business is now Microsoft Teams and that they should start using Teams:

In the Office 365 Admin Portal, message MC118018 was published by Microsoft and later removed, stating that they are starting to upgrade Skype for Business to Microsoft Teams.

The notice stated that for now this is an opt-in experience, so it’s not an immediate change by Microsoft, but as an action is required by 2018-09-07 it sure looks like you will be forced to upgrade.

There has not been an official announcement from Microsoft yet, but as Microsoft Ignite is less than a month away we might see a few new announcements there, and one of them might be that Skype for Business will be upgraded to Microsoft Teams.




What’s new in Configuration Manager Technical Preview 1708

Microsoft recently released Technical Preview 1708, and with it came some cool new features.

SOFTWARE CENTER CUSTOMIZATION

Add a custom logo, change the color scheme in Software Center and hide tabs. It’s all done through the Client Settings for Software Center.

In my example I added a logo, changed the color scheme and disabled the Operating System, Device Compliance and Options tabs.

The outcome using the Client Settings above:

BUILT IN SUPPORT FOR REBOOTING CLIENTS

This is done through the Client Notification tab.
Note: this option is only visible when selecting a Collection (Show members) and selecting a single computer.

What the user notification looks like:

SCRIPT PARAMETERS

The ability to create PowerShell scripts in the console has been around since 1706; in 1707 Microsoft introduced the ability for Configuration Manager to read parameters from the script.
Now in 1708 they have expanded script parameters even further, and Configuration Manager can now detect which parameters are mandatory and which are optional.

MANAGEMENT INSIGHTS

Gives you the ability to see:

  • Empty collections
  • Applications without deployments

Head over to Administration > Management Insights > All Insights to check it out.


For more information and documentation: https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1708




SCCM – Shrink the SQL Server Reporting Services log and change the maxsize

The default maxsize value of the ReportServer log file (ReportServer_log.ldf) is 2 TB. If you haven’t changed that value and your disk is smaller than 2 TB (which is very common), you will eventually fill up the entire disk. When that happens you need to shrink the log file before you are able to reduce the maxsize value so it fits your disk size better. This is easily done in a couple of steps, as I describe below.

1. Shrink the log file.
Open Microsoft SQL Server Management Studio, expand Databases and locate ReportServer. Right-click the database, go to Tasks, Shrink and choose Files, as shown in the pictures below.

Task > Shrink > Files

Change File type to Log and select Release unused space under Shrink action before pressing the OK button. It will now shrink the log file down to a couple of megabytes (instead of gigabytes) and you can go ahead to step two. If it doesn’t work, please read below first.

Change File type: Log

If you experience trouble shrinking the file (it only shrinks by a couple of megabytes, or won’t shrink at all), you need to change the recovery model from Full to Simple before doing the shrink step. To do that, go to the Properties of the ReportServer database and choose Options. Here you can change Recovery model to Simple.

ReportServer > Properties > Options

2. Change the maximum file size from the default 2 TB down to a size that fits your environment.
Right-click the ReportServer database and choose Properties. Select Files in the list, go to the Autogrowth/Maxsize column for the ReportServer log file and press the button marked in red in the picture below.

ReportServer > Properties > Files

Change the maximum file size limit in megabytes so it suits your environment. Finish by pressing the OK button.

Change maxsize