Sunday, October 26, 2008

How to export your IIS7 config from one server and import into another

http://www.phishthis.com/2008/05/27/how-to-export-your-iis-config-from-one-box-and-import-on-another/


A good way to keep NLB servers in sync; it will also work against a clustered file server.




Setting a Clustered file share as an FTP home directory in IIS7 (testing)

TO ALLOW ANONYMOUS ACCESS (AT YOUR OWN RISK - there is no security around this)

Create a new AD user, e.g. FTPUSER@DOMAIN.LAN

In the FTP site, set the home directory to a UNC path that maps to the clustered file share.

Assign the appropriate permissions for the new FTP user on that file share (there appears to be no way to use the web server's default IUSR account for this).

Within the FTP site's Basic Settings, change Connect As from Application user to Specific user.
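The four steps above, as an added PowerShell example (this is not code from the original post): it grants a dedicated FTP account read-only NTFS rights on the clustered share, points the IIS 7 FTP site's root at the UNC path with that account as the "connect as" identity, and limits anonymous FTP users to Read. The share path \\FILECLUSTER\ftproot, the account DOMAIN\FTPUSER and the site name "Default FTP Site" are assumed placeholders; the appcmd.exe switches follow the IIS 7 / FTP 7 configuration schema, and the '?' user token for anonymous users in FTP authorization rules is also assumed from that schema.

```powershell
# Added example, not from the original post. Run on the IIS 7 FTP server as an
# administrator after the AD account (DOMAIN\FTPUSER, assumed name) exists.
$appcmd  = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$share   = '\\FILECLUSTER\ftproot'     # assumed clustered share
$account = 'DOMAIN\FTPUSER'            # assumed dedicated FTP account
$ftpSite = 'Default FTP Site'          # assumed FTP site name
$cred    = Get-Credential $account     # prompt rather than embed a password

# NTFS: read and list only, inherited by new files and folders. Because the
# FTP site connects as this account, anonymous clients can at most read what
# is staged on the share; they cannot write or delete.
icacls $share /grant "$($account):(OI)(CI)RX"

# Map the site root to the UNC path and set the "connect as" identity
# (Basic Settings > Connect As > Specific user in IIS Manager).
$plain = $cred.GetNetworkCredential().Password
& $appcmd set vdir "$ftpSite/" /physicalPath:"$share" /userName:"$account" /password:"$plain"

# FTP authorization: anonymous users ('?') may Read; no rule grants Write.
& $appcmd set config "$ftpSite" /section:system.ftpServer/security/authorization `
    /+"[accessType='Allow',users='?',permissions='Read']" /commit:apphost

function Test-FtpShareMapping {
    # Read the virtual directory back and confirm the UNC path and account
    # are what we set before exposing the site to anonymous clients.
    $vdir = [string](& $appcmd list vdir "$ftpSite/" /config)
    return ($vdir -match [regex]::Escape($share)) -and
           ($vdir -match [regex]::Escape($account))
}

if (Test-FtpShareMapping) { "FTP root mapped to $share as $account" }
else { throw 'FTP root mapping did not apply' }
```

The password is read with Get-Credential so it is never stored in the script; appcmd still writes it (encrypted) into applicationHost.config, so the FTP account should hold nothing beyond read access to this one share.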


Wednesday, October 22, 2008

NLB on server 2008

Installing and Configuring

To install NLB

1. Navigate to Administrative Tools and click Server Manager.

2. Scroll down to the Features section or click the Features node in the left-hand tree view.

3. Click Add Features.

4. In the Add Features Wizard, select Network Load Balancing from the list of available optional components.

5. Click Next, and Install, as applicable to complete the wizard.

To configure NLB

1. Navigate to Administrative Tools and click Network Load Balancing Manager, or run nlbmgr from a command prompt.

2. Right-click Network Load Balancing Clusters and click New Cluster.

3. Connect to the host that will be part of the cluster, in this case the Web server. In the Host text box, type the name of the host, and then click Connect.

4. Select the interface you want to use with the cluster, and then click Next.

5. On the Host Parameters page, select a value from the Priority (unique host identifier) drop-down list.

6. In the Dedicated IP Addresses area, click Add to type the IP address that is shared by every host in the cluster. NLB will add this IP address to the TCP/IP stack on the selected interface of all hosts chosen to be part of the cluster. Click Next to continue.

7. On the Cluster IP Addresses page, click Add.

8. In the Add IP Address dialog box, type the IP address and subnet mask, and then click OK.

9. Click Next.

10. On the Cluster Parameters page, in the Cluster operation mode area, click Unicast to specify that a unicast media access control (MAC) address should be used for cluster operations.

NB: On single-NIC hosts or virtual hosts, this may need to be multicast or the connection will fail.

Click Next to continue.

11. On the Port Rules page, click Edit to modify the default port rules if you need advanced rules. Otherwise, use the default.

12. Click Finish to create the cluster.

To add more hosts to the cluster, right-click the new cluster, and then click Add Host to Cluster.
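As an added example (not from the original post or from learn.iis.net), the following PowerShell wrapper around nlb.exe, the command-line counterpart of NLB Manager on Server 2008, checks whether the local host has converged with the cluster and shows the unicast and multicast MAC addresses NLB derives from the cluster IP. It is useful after the wizard above when a host never joins: if the MAC the switch or vSwitch learns is not the one nlb ip2mac reports for the chosen operation mode, the unicast/multicast note above is the place to look. The cluster IP 192.168.1.100 is a placeholder, and the match on the word "converged" in the nlb query output is a loose check, not a parse of a documented format.

```powershell
# Added example, not from the original post. Requires the NLB feature
# (which installs nlb.exe) and an elevated prompt on the cluster host.
$clusterIp = '192.168.1.100'   # assumed cluster IP address

function Get-NlbStatus {
    # 'nlb query' reports the local host's cluster state; the word
    # 'converged' in the output means this host and its peers agree on
    # cluster membership (loose check, assumed wording).
    $query = [string](& nlb query 2>&1)

    # 'nlb ip2mac <cluster IP>' prints the unicast, multicast and IGMP
    # multicast MACs NLB derives from the cluster IP. Compare the one for
    # the configured operation mode with what the switch actually learns.
    $macs = & nlb ip2mac $clusterIp 2>&1

    return @{
        Converged = [bool]($query -match 'converged')
        RawQuery  = $query
        MacTable  = ($macs -join "`n")
    }
}

$status = Get-NlbStatus
$status.MacTable
if (-not $status.Converged) {
    Write-Warning "This host has not converged with the cluster:`n$($status.RawQuery)"
}
```

Run it on each host after Add Host to Cluster; a host that stays unconverged on a single-NIC or virtual machine is the case where switching the cluster operation mode to multicast is worth trying.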

http://learn.iis.net/page.aspx/213/network-load-balancing/

Monday, October 20, 2008

Guide to getting TS Web Access Gateway Windows 2008 Working

I had quite a bit of trouble getting the TS Gateway to work for my home test lab.

Situation:
-TS Gateway box was also the Terminal server
-no fixed IP address
-no SSL certificate
-firewall forwarding only port 443 to internal TS server (not 80 or 3389)

I could gain access to the TS Gateway webpage (easy to set up) but no further - couldn't run any of the published apps or remote desktops. This is what fixed it for me.

1) I use no-ip.info for my domain/IP. I created an additional zone on my internal DC/DNS server for no-ip.info and added the EXTERNAL host name I use to access my home lab, e.g. MYPC.NO-IP.INFO, with the INTERNAL IP address (e.g. 192.168.1.20).
Apparently you need this split DNS if you want to use the Gateway internally as well, as the certificate is critical to this.

2) I generated a new self-signed certificate on my TS Gateway box using the PUBLIC name, e.g. MYPC.NO-IP.INFO -> when accessed from the outside, the certificate name now matches the site -> CRITICAL!!

3) On your TS Gateway, open Server Manager and dive into IIS > SERVER NAME > Default Web Site > TS - choose 'Application Settings' and change Group by to Entry Type. You should now see an option for DefaultTSGateway. Edit this to be your EXTERNAL address (e.g. MYPC.NO-IP.INFO) and restart IIS.

4) Now, on your client PC make sure you have version 6.1 of the RDP client - none of this will work without it.

5) Go to HTTPS://MYPC.NO-IP.INFO/TS (or whatever you use)

6) Make sure you accept the certificate and add it to your Trusted Root Certification Authorities store - restart IE and reconnect, and the ticks should be green.

7) This may not be necessary, but I went to the configuration tab and changed the TS Web Access Properties Terminal Server name to the internal DNS name of my Terminal server e.g. ts.internaldomain.lan

8) Give it a whirl, I can now connect to internal servers via their internal names or IP addresses and run up my remote apps.

9) To lock down access a bit (i.e. I don't want every man and his dog on the internet to see my TS Gateway) I added some simple authentication. Go into IIS > Default Web Site, DISABLE anonymous authentication and enable Forms based authentication (tick the box to require SSL). With this done, any request to the front page requires logging in first.

10) A couple of other points that may be relevant:
Under Terminal Services > TS RemoteApp Manager > Terminal Server Settings I used the full FQDN of my TS (VMTS.MYLAN.LAN).
Under TS Gateway Settings I chose 'Use these TS Gateway server settings' and used the EXTERNAL site name (MYPC.NO-IP.INFO) and logon method NTLM. Ticked the 2 boxes underneath as well.
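Steps 1, 3 and 9 of the walkthrough above are the ones a script can reproduce, so here they are as an added PowerShell example (not code from the original post): the split-DNS zone and host record with dnscmd, the DefaultTSGateway application setting with appcmd, and the front-page lockdown (anonymous authentication off, Forms authentication with SSL required, SSL required on the site). The names MYPC.NO-IP.INFO, 192.168.1.20, "Default Web Site" and the /TS application path are taken from the post; running dnscmd on the DC and appcmd on the gateway with the paths and switches shown is my assumption about how those tools are invoked, not something the post states.

```powershell
# Added example, not from the original post. Run the dnscmd lines on the
# internal DC/DNS server and the appcmd lines on the TS Gateway box.
$appcmd  = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$site    = 'Default Web Site'      # site hosting TS Web Access (from the post)
$extName = 'MYPC.NO-IP.INFO'       # external name from the post
$intIp   = '192.168.1.20'          # internal address from the post

# Step 1: split DNS. Internal clients resolve the public name to the
# internal address, so the certificate issued for the public name matches
# the host name from inside the LAN as well as from the internet.
dnscmd . /ZoneAdd no-ip.info /DsPrimary
dnscmd . /RecordAdd no-ip.info MYPC A $intIp

# Step 3: tell TS Web Access (the /TS application) which gateway to use,
# by the external name so the certificate matches for every client.
& $appcmd set config "$site/TS" /section:appSettings "/[key='DefaultTSGateway'].value:$extName"

# Step 9: nothing on the front page is served anonymously, logins use Forms
# authentication, and the whole site refuses plain HTTP. The anonymous and
# access sections are locked in applicationHost.config, hence /commit:apphost.
& $appcmd set config "$site" /section:system.webServer/security/authentication/anonymousAuthentication /enabled:false /commit:apphost
& $appcmd set config "$site" /section:system.web/authentication /mode:Forms /forms.requireSSL:true
& $appcmd set config "$site" /section:system.webServer/security/access /sslFlags:Ssl /commit:apphost

function Test-TsGatewayWebConfig {
    # Read every setting back; returns $true only when all four are in place.
    $gw    = [string](& $appcmd list config "$site/TS" /section:appSettings)
    $anon  = [string](& $appcmd list config "$site" /section:system.webServer/security/authentication/anonymousAuthentication)
    $forms = [string](& $appcmd list config "$site" /section:system.web/authentication)
    $ssl   = [string](& $appcmd list config "$site" /section:system.webServer/security/access)
    return ($gw    -match "DefaultTSGateway.*$([regex]::Escape($extName))") -and
           ($anon  -match 'enabled="false"') -and
           ($forms -match 'mode="Forms"') -and
           ($ssl   -match 'sslFlags="Ssl')
}

if (Test-TsGatewayWebConfig) { iisreset } else { throw 'TS Web Access configuration incomplete' }
```

The verification function reads the configuration back through appcmd rather than trusting the exit codes, so a locked section or a typo in the site name shows up before IIS is restarted; the firewall still only needs port 443 open, exactly as in the setup described above.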

Tuesday, October 7, 2008

Issue around Windows servers running NLB on VMWare hosts.

“the MAC address was being broadcast from the vswitch, which caused the arp cache to be temporarily incorrect on our Cisco routers. Under the Network configuration, I went to the port group in question, and set "notify switches" to NO. solved my problem.”