Wednesday, July 11, 2012

User connection via Outlook Express from outside the Exchange server's LAN


http://www.shudnow.net/2008/02/10/client-to-server-secure-smtp-connectivity-in-exchange-server-2007/

Client to Server Secure SMTP Connectivity in Exchange Server 2007


There seems to be some confusion as to how TLS connectivity to Exchange 2007 works. Many people think that, by default, Client to Server SMTP communication to Exchange 2007 is not encrypted, and ask, "How do I secure Client to Server SMTP communication?" Well, the answer is: it already is. Let me explain.
By default, in Exchange Server 2007, there are two receive connectors. One is for Server to Server SMTP and the other is for Client to Server SMTP which is really used for POP3/IMAP clients to send mail via SMTP. I will talk a bit later about clients who are directly connected via MAPI. For this article, we will be talking about Client to Server SMTP.

When creating a Receive Connector, there are several Usage Types that can be selected:
  • Client (Unavailable on Edge Transport Servers — External Client to Server SMTP must require direct access to the Hub Transport Server (not recommended) or use ISA 2006 to publish port 587 directly to a Hub Transport Server)
  • Custom
  • Internal
  • Internet
  • Partner
Depending on which Usage Type you select, certain Authentication Groups will be selected. For example, for our scenario, the Client Usage Type will allow the Permission Group of Exchange Users which is exactly what we need.
In Exchange 2007, Microsoft wanted to comply with updated RFC standards and kept Server to Server SMTP communication over port 25 and segregated Client to Server communications over port 587. More details are formalized in RFC 4409.

So how do we really restrict the SMTP conversation with Exchange Server 2007 to authenticated clients using TLS? This is really a combination of the Authentication and Permission Groups tabs. First, we will have a look at the Permission Groups tab.

As you can see, this Client Receive Connector only allows the Exchange Users group by default. This means that when a user connects to Exchange and authenticates, they are defined as an Exchange User and are allowed access to use this connector and use the SMTP protocol over the port defined in the Network Tab; this case being port 587. Once authenticated, the Exchange Users are granted the following permissions:
  • Ms-Exch-SMTP-Submit
  • Ms-Exch-SMTP-Accept-Any-Recipient
  • Ms-Exch-Bypass-Anti-Spam
  • Ms-Exch-Accept-Headers-Routing
As you can see, the Exchange Users are allowed to Submit SMTP using this Receive Connector.
Now, we have to define if the Client to Server SMTP authentication for the selected Permission Groups is encrypted or not encrypted. This is done on the Authentication tab.

By default, Client to Server authentication is encrypted using TLS via this Client Receive Connector. TLS is advertised, and when POP3/IMAP4 clients use basic authentication, credentials are only accepted after a TLS-encrypted connection has been initiated.
As a side note, if you want to allow an anonymous application such as a Web Application to relay off of your Exchange 2007 server, you would do the following:
  1. Create a new Receive Connector with the Custom Usage Group
  2. For Remote Network Settings, remove 0.0.0.0-255.255.255.255, and then add the IP Address of the remote server that requires relaying permissions
  3. Once the new Custom Receive Connector is created, go into the properties of this connector, go to the Permission Groups Tab > Add Anonymous Users
If you look at the Authentication Tab, only Transport Layer Security will be selected. This is called Opportunistic TLS which means that TLS will be accepted and is the preferred method for communication, but TLS will not be required.
To activate Anonymous users to use this connector for relaying, you must issue the following command:
Get-ReceiveConnector "Receive Connector Name" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
Note: Enabling Anonymous users on a connector does not by itself give them permission to relay. The above command grants the Anonymous Logon account the Ms-Exch-SMTP-Accept-Any-Recipient (relaying) right on the specified connector. Once you have both allowed anonymous users to use that connector and granted them Ms-Exch-SMTP-Accept-Any-Recipient, they will be able to relay via that connector.
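As an added example (not code from the original article), the three relay-connector steps and the permission grant described above, done from the Exchange Management Shell instead of the console; the Hub Transport server name HUB01, the application address 192.0.2.10 and the connector name "App Relay" are assumed placeholders, not values from the page:

```powershell
# Added example, not the article's own code. Assumed placeholders:
# Hub Transport server HUB01, application host 192.0.2.10, connector "App Relay".
$ConnectorName = "App Relay"
$HubServer     = "HUB01"
$AppServerIP   = "192.0.2.10"   # the only host allowed to use this connector

# Steps 1 and 2: Custom usage type, and instead of the default
# 0.0.0.0-255.255.255.255 remote range, accept only the application server.
# Limiting RemoteIPRanges is what keeps this from becoming an open relay.
New-ReceiveConnector -Name $ConnectorName -Server $HubServer -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $AppServerIP

# Step 3: add Anonymous Users; keep only TLS selected (opportunistic TLS).
Set-ReceiveConnector -Identity "$HubServer\$ConnectorName" `
    -PermissionGroups AnonymousUsers -AuthMechanism Tls

# Anonymous access alone does not permit relaying; grant Accept-Any-Recipient.
Get-ReceiveConnector -Identity "$HubServer\$ConnectorName" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

# Check 1: the connector must list exactly the application server's address,
# anonymous users, and TLS.
Get-ReceiveConnector -Identity "$HubServer\$ConnectorName" |
    Select-Object Name, RemoteIPRanges, PermissionGroups, AuthMechanism

# Check 2: the relay right is present for ANONYMOUS LOGON on this connector only.
Get-ReceiveConnector -Identity "$HubServer\$ConnectorName" |
    Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Where-Object { $_.ExtendedRights -like "*Accept-Any-Recipient*" } |
    Select-Object Identity, User, ExtendedRights
```

Running the two checks after the grant is the point of the block: if RemoteIPRanges still shows the full 0.0.0.0-255.255.255.255 range while Accept-Any-Recipient is present for anonymous users, the server relays for anyone who can reach port 25.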
If your application will be relaying SMTP using separate domain names, make sure you create the necessary Accepted Domains with the appropriate Internal Relay or External Relay settings for those domains. You do not want to choose Authoritative because Exchange will think it is authoritative for these mailboxes, and when Exchange sees these mailboxes do not exist, an NDR will be sent back to the sending server.
For more information about when to choose Internal Relay vs External Relay, visit the following site:
http://technet.microsoft.com/en-us/library/bb124423(EXCHG.80).aspx
Now what about clients who are connected to their Exchange 2007 mailbox via MAPI? These are clients using Remote Procedure Call (RPC) to connect to their Mailbox Server, and this RPC connection is encrypted by default.
With Outlook connected to its Mailbox Server over encrypted RPC, the Outlook client sends a message and the Mailbox Server places the item in the Outbox. The Mailbox Server then submits the mail item to a Hub Transport Server using the Mail Submission Service, which lives on the Mailbox Server. The Mail Submission Service round-robins between the Hub Transport Servers so that no single Hub Transport Server is over-utilized. One thing to keep in mind here is that if the Mailbox Server also holds the Hub Transport role, that local Hub Transport role is used 100% of the time unless its service stops; in that case the Mailbox Server starts sending to the other Hub Transport Servers. The Hub Transport's Store Driver pulls the item from the Outbox and places it into the Submission Queue, which starts the routing process.
As you can see, Outlook by default encrypts traffic between itself and Exchange.

If you want to enforce MAPI Encryption to your Exchange Server 2007 box, you can configure specific Exchange 2007 servers to force all MAPI connections to be encrypted by issuing the following command:
Set-MailboxServer ServerName -MAPIEncryptionRequired:$true
You can then install the Office Group Policy Templates to force all Outlook clients to use MAPI encryption:
Outlook 2003: http://support.microsoft.com/kb/826170
Outlook 2007: http://support.microsoft.com/kb/924617
Now I will show you how you can load the Outlook 2007 template into Group Policy, and force all Outlook 2007 clients to use MAPI Encryption.
From the link above, I downloaded the Office 2007 templates and extracted the outlk12.adm file. I will now open the Group Policy Management Console and import this ADM file. To do this, expand Forest > Domains > Your Domain > Group Policy Objects > Right-Click and choose New. From here, specify the name of the GPO you want created.

From here, we can right-click our new Outlook 2007 GPO and choose edit which will bring us into the Group Policy Object Editor. Expand User Configuration and Right-Click Administrative Templates > choose Add/Remove Templates…

Once we choose Add/Remove Templates, we will be presented with the following screen:

Choose Add and navigate to the location to where you extracted the outlk12.adm file. You will then be presented with the Microsoft Office Outlook 2007 Group Policy settings in the Administrative Templates.

Navigate to Microsoft Office Outlook 2007 > Tools | Account Settings > Exchange > Enable RPC Encryption

Right-Click Enable RPC Encryption and choose Enabled and then select OK.

Once this is done, you will need to link the GPO to any of your Organizational Units or to the root container of your domain alongside your Default Domain Policy. This all depends on your Group Policy/OU design. After this, it will take 90-120 minutes for all your clients to obtain this new setting. This can be expedited by running the following command on your clients:
gpupdate /force

Tuesday, May 22, 2012

ModemGroup in HylaFAX

When we have more than one fax on an Elastix PBX that uses HylaFAX for faxing, and for various reasons we have more than one fax, we may want to use one fax or another on different clients.
For this there are ModemGroups, into which we can put one or several virtual faxes, and then tell the clients (such as WinPrintHylafax-for-Windows7) to use one or the other.
To create a ModemGroup, a line needs to be added to:
/etc/hylafax/etc/config

This line can be something like this:
ModemGroup: "NombreGrupo:ttyIAX1"

or to group more than one:

ModemGroup: "NombreGrupo:ttyIAX[1,2,3,4]"

Wednesday, May 16, 2012

Restoring a VMware ESXi VM from Backup Exec 2010

Restoring is straightforward; if we want, we can redirect the restore to a different location, copy it to the VMware host, etc.
The problem comes when we create a virtual machine and use the disk we have restored.
When starting the machine we get an error like this:
Failed to open disk scsi0:0: Unsupported or invalid disk type 7.  Ensure that the disk has been imported

What needs to be done:

# cd /vmfs/volumes/4ea1d6da-96726826-9557-002219d568cb/vm-win7test
# vmkfstools -i vm-win7test.vmdk -d zeroedthick vm-win7test1.vmdk

Use the zeroedthick format to import the disk correctly; it will take up the full disk size, but at least we have the machine running.

Taken from:
http://skabelka.com/node/136

VMware: "Failed to open disk scsi0:0: Unsupported and/or invalid disk type 7" error when trying to power on a VM on ESXi 5

I got this error when I tried to power on a VM just imported from another VMware ESXi server into my virtual environment based on VMware ESXi 5.
I got a message such as:
"Module DevicePowerOn power on failed.
Unable to create virtual SCSI device for scsi0:0, '/vmfs/volumes/4ea1d6da-96726826-9557-002219d568cb/vm-win7test/vm-win7test.vmdk' Failed to open disk scsi0:0: Unsupported or invalid disk type 7. Ensure that the disk has been imported."
To fix this problem, I had to reimport the VM using the "zeroedthick" argument for the "vmkfstools" command:
# cd /vmfs/volumes/4ea1d6da-96726826-9557-002219d568cb/vm-win7test
# vmkfstools -i vm-win7test.vmdk -d zeroedthick vm-win7test1.vmdk
Destination disk format: VMFS zeroedthick Cloning disk 'vm-win7test.vmdk'... Clone: 100% done.
With the "zeroedthick" option, a flat file is created with the complete disk size allocated to the file. For example, my Windows 7 was created to use a 60GB file, so a ".vmdk" file of 60GB is created.
Other supported disk formats are explained below.
When you create or clone a virtual disk, you can use the -d | --diskformat suboption to specify the format for the disk. Choose from the following formats:
  • zeroedthick (default) – Space required for the virtual disk is allocated during creation. Any data remaining on the physical device is not erased during creation, but is zeroed out on demand at a later time on first write from the virtual machine. The virtual machine does not read stale data from disk.
  • eagerzeroedthick – Space required for the virtual disk is allocated at creation time. In contrast to the zeroedthick format, the data remaining on the physical device is zeroed out during creation. It might take much longer to create disks in this format than to create other types of disks.
  • thick – Space required for the virtual disk is allocated during creation. This type of formatting doesn't zero out any old data that might be present on this allocated space. A non-root user is not allowed to create this format.
  • thin – Thin-provisioned virtual disk. Unlike with the thick format, space required for the virtual disk is not allocated during creation, but is supplied, zeroed out, on demand at a later time.
  • rdm – Virtual compatibility mode raw disk mapping.
  • rdmp – Physical compatibility mode (pass-through) raw disk mapping.
  • raw – Raw device.
  • 2gbsparse – A sparse disk with 2GB maximum extent size. You can use disks in this format with other VMware products; however, you cannot power on a sparse disk on an ESX Server host unless you first reimport the disk with vmkfstools in a compatible format, such as thick or thin.
  • monosparse – A monolithic sparse disk. You can use disks in this format with other VMware products.
  • monoflat – A monolithic flat disk. You can use disks in this format with other VMware products.

Thursday, April 26, 2012

Problem with DNS zones in ZPanel X installed on CentOS 6.2

The symptom is that everything looks fine in the ZPanel X interface, but the domains do not resolve correctly from DNS clients.
The real cause is the apache user's lack of permissions on the named.conf file that ZPanel creates at /etc/zpanel/configs/bind/etc/named.conf, so the interface cannot modify this file to load the zones.
The solution is here:
http://forums.zpanelcp.com/archive/index.php/t-6824.html

In short:
Run:
chown -R apache:apache /etc/zpanel
chmod -R 0777 /etc/zpanel/configs
Then, in the ZPanel console, go to admin -> ZPanel Settings -> Run Daemon Now.
Something like this will appear:

ZPanel Daemon

Daemon is now running...
START Apache Config Hook.
Apache Admin module ENABLED...
Apache Config has NOT changed...nothing to do.
END Apache Config Hook.

START DNS Manager Hook
DNS Manager module ENABLED...
DNS Records have changed... Writing new/updated records...
Updating zone record: (the domains you created)

Tuesday, April 10, 2012

Configure Windows Server 2008 R2 to synchronize with an external NTP server

echo Show current configuration
w32tm /query /configuration

echo Stopping the time service
net stop w32time

echo Configure the external NTP server to synchronize with
w32tm /config /syncfromflags:manual /manualpeerlist:"hora.roa.es"
w32tm /config /reliable:yes

echo Starting the time service
net start w32time

echo Show current configuration
w32tm /query /configuration

echo Check the time difference
w32tm /monitor /computers:miservidorw2008server

Tuesday, September 27, 2011

Importing mail contacts into Exchange 2010

Hi. To import mail contacts into Exchange from a CSV, two steps:

1 - Create the CSV with the following as the first row (the header), and one contact per row after it:
displayName,FirstName,EmailAddress

2 - Run the command in the Exchange Management Shell:

Import-Csv c:\prueba2.csv | ForEach { New-MailContact -Name $_.displayName -FirstName $_.FirstName -ExternalEmailAddress $_.EmailAddress -OrganizationalUnit "dominio.local/ou1/ou2" }

And enjoy.

Friday, September 23, 2011

How to see traffic on a Cisco router

Hi. If you have a bandwidth problem and want to see who is using that bandwidth, you can use this series of commands on the Cisco router's interface:

Look, with Cisco routers you can monitor traffic in quite a few ways;
the easiest are the following:

Enter the interface you want to monitor,
for example:
LAN-2-VPN-1(config)# int GigabitEthernet0/1.598
LAN-2-VPN-1(config-subif)# ip nbar protocol-discovery

now run the command LAN-2-VPN-1# sh ip nbar protocol-discovery

GigabitEthernet0/1
                          Input                     Output
                          -----                     ------
Protocol                  Packet Count              Packet Count
                          Byte Count                Byte Count
                          5min Bit Rate (bps)       5min Bit Rate (bps)
                          5min Max Bit Rate (bps)   5min Max Bit Rate (bps)
------------------------  ------------------------  ------------------------
telnet                    1808                      1316
                          226340                    77950
                          0                         0
                          4000                      3000
icmp                      692764                    87
                          56810048                  10234
                          0                         0
                          3000                      3000
snmp                      17010                     16992
                          1938418                   2213653
                          0                         0
                          2000                      2000
h323                      66                        0
                          7966                      0
                          0                         0
                          3000                      0
ntp                       7734                      7735
                          726996                    727090
                          0                         0
                          0                         0
ssh                       0                         115


see how it shows you the traffic passing through your interface and the protocol it is using???

it's even easier if you want it by IP:
enter this command

LAN-2-VPN-1(config-subif)#ip accounting


now:

LAN-2-VPN-1# sh ip accounting
Source            Destination       Packets   Bytes
89.206.213.245    89.206.214.32     1         76
89.206.213.242    89.206.214.16     2         221

Now, if you have NAT configured on your device, run sh ip nat translations and you will be able to see who is making requests to the internet and to which sites.

new_york_r3# sh ip nat translations

Pro   Inside global   Inside local   Outside local   Outside global

Thanks to: Tigre