Fix: SonicWALL NSA Settings for a Linksys SPA 9000 VoIP Gateway (One-Way Audio)

I’m now going to save you precisely 2.25 hours of pulling your hair out while trying to troubleshoot one-way audio issues on a Linksys SPA 9000 behind a SonicWALL firewall.

You will need to do the following:

1) Use the Public Server Wizard to create a one-to-one NAT from the relevant WAN IP to the relevant LAN IP of the SPA 9000 for UDP port 5060

2) Have a look at the WAN > LAN access rule under Firewall > Access Rules… you should see the rule you just created… you will now have to go into Firewall > Services to:

          A) Create new individual Services as follows:

              > SIP Ports (TCP): TCP Ports 5060-5063

              > SIP Ports (UDP): UDP Ports 5060-5063

              > RTP Ports: UDP Ports 16384-16482

          B) Add these individual services to the automatically-created Service Group

    When you’re done, the firewall rule should look like this:

 


3) Again, in the SonicWALL, go to VoIP > Settings and tick the “Enable SIP Transformations” checkbox:

Update: There was some call flow wonky-ness with the option from steps 4-6 enabled, so I changed said option back to "No" and the wonky-ness ceased.  So... certainly skip steps 4-6!

4) Now, in the SPA9000, on the top right of the page, first click “Admin Login” and then click “Advanced”:


5) Go to the Voice tab and click on SIP:


6) Change the “Send Resp To Src Port” to “Yes”:

 

7) Save your settings in both the SonicWALL and the Linksys, then reboot the Linksys

8) Cross your fingers and make a call!

If you’re waiting for inbound calls, wait a bit (5-10 minutes), as the VoIP endpoint must re-register with the SIP proxy before they’ll know to send calls your way.
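To confirm what the firewall changes above are supposed to achieve, here is an added diagnostic sketch (not part of the original post and not SonicWALL or Linksys code). It reads the SDP body of a SIP message captured on the WAN side and flags the two conditions that typically produce one-way audio behind NAT: a private LAN address that SIP-aware NAT (the "Enable SIP Transformations" option in step 3) did not rewrite, and an RTP port outside the 16384-16482 range opened in step 2. The sample INVITE, the addresses and all function names are constructed for illustration.

```python
import ipaddress

RTP_PORTS = range(16384, 16483)   # "RTP Ports" service from step 2 (UDP 16384-16482)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audio_targets(sip_message):
    """Return [(address, port)] that the SDP body tells the far end to send audio to."""
    # SIP headers and the SDP body are separated by one empty line.
    _, _, body = sip_message.replace("\r\n", "\n").partition("\n\n")
    session_addr, streams = None, []
    for line in body.splitlines():
        key, _, value = line.partition("=")
        if key == "c":                      # c=IN IP4 <address>
            addr = value.split()[-1].split("/")[0]
            if streams:
                streams[-1]["addr"] = addr  # media-level c= overrides session-level
            else:
                session_addr = addr
        elif key == "m":                    # m=<media> <port> <proto> <formats>
            media, port = value.split()[:2]
            streams.append({"media": media, "port": int(port.split("/")[0]), "addr": None})
    return [(s["addr"] or session_addr, s["port"]) for s in streams if s["media"] == "audio"]

def audit(sip_message):
    """Flag SDP values that leave the remote party unable to return audio."""
    findings = []
    for addr, port in audio_targets(sip_message):
        try:
            ip = ipaddress.ip_address(addr)
        except (ValueError, TypeError):
            ip = None                       # hostname or missing c= line: not checked here
        if ip is not None and any(ip in net for net in RFC1918):
            findings.append(("private-address-in-sdp", addr, port))
        if port not in RTP_PORTS:
            findings.append(("rtp-port-outside-firewall-range", addr, port))
    return findings

def sample_invite(addr, port):
    # Constructed sample: a minimal INVITE as it would appear on the WAN side.
    return "\r\n".join([
        "INVITE sip:100@sip.example.net SIP/2.0", "Content-Type: application/sdp", "",
        "v=0", f"o=- 1 1 IN IP4 {addr}", "s=-", f"c=IN IP4 {addr}", "t=0 0",
        f"m=audio {port} RTP/AVP 0",
    ])

if __name__ == "__main__":
    print(audit(sample_invite("192.168.1.50", 16390)))   # LAN address leaked into SDP
    print(audit(sample_invite("203.0.113.10", 20000)))   # port not covered by the rule
```

An empty result for traffic captured outside the firewall means the SDP advertises a routable address and a port the access rule actually permits.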

How To: Setting Up Message Retention Policies in Exchange 2007

Per a request from a client to implement a 90-day limit on items in the Inbox & Sent Items and a 14-day limit on items in Deleted Items, I’m now going to show you how to set up message retention policies on an Exchange 2007 server, and how to do it in such a way that you don’t have a mutiny on your hands when people’s messages up and disappear.

Here are the steps (all done through the Exchange Management Console):

Step 1: Define a “Managed Custom Folder” (if you’re feeling fancy) or use one of the existing “Managed Default Folder(s)” (recommended)

If you double-click on any of these folders, it will bring up a Properties window that allows you to add a “Comment” to the folder in question... Here we can see a comment I added for the client on their Inbox folder:

Step 2: Add “Managed Content Settings” to the folder in question

Now you have a wizard in which you can define the criteria you’re looking for.  Please name the Managed Content Settings something helpful...

You have other options here:

“Mark as Past Retention Limit” is interesting in that it will put a strikethrough through messages that are outside of policy.  Folks can then choose to move the affected messages out of the managed folder in question.  Please make sure to clarify with users:

If you apply Managed Content Settings to the Inbox “Default Folder,” all subfolders of Inbox will also be affected.

This means that putting items in subfolders of Inbox is not a valid way to “hide” from the retention policy.  You should create a subfolder of “Mailbox – Stewie Griffin” instead of a subfolder of Stewie’s Inbox.

Step 3: Create a “Managed Folder Mailbox Policy” and add the “Managed Content Settings”-enabled folders into the policy

Name the policy something useful:

Add the managed folders to the policy:

Step 4: Verify that the Messaging Records Management feature of the server is enabled & scheduled

Note: This is not enabled by default, so it won’t matter if you apply the policy to mailboxes or not at this point, because the policy will never get processed until you schedule the Messaging Records Management process!

Step 5: Apply the policy to mailboxes

IMPORTANT: When you create a new user, you must remember to select the mailbox policy.  For existing users, these policies are NOT enabled by default.

Rather than reinventing the wheel, I’m instead going to link to this excellent follow-up article on Exchangepedia, which covers in depth how to apply the policy to mailboxes in elegant, scripted fashion: http://exchangepedia.com/2007/05/applying-managed-folder-policy-to-more-than-one-user.html

Fix: Workstation optimization "Amateur Hour"

Several of the new clients we’ve taken on from other IT companies (who shall remain nameless) have users who have “gotten used to” the following MSConfig dialog box popping up during boot:

Every time I see this, I cry a little—and I believe my life gets a few minutes shorter as a result.

There is no appreciable reason to use MSConfig to limit startup items on anything but a troubleshooting basis.

If you’re trying to optimize which items run at startup, I’d highly recommend a utility like Sysinternals Autoruns, downloadable from here: http://live.sysinternals.com/autoruns.exe

You still have to know what you’re doing when you’re using Autoruns to remove superfluous startup entries—namely to know the difference between what is a legitimate startup entry and what isn’t strictly necessary, so please be careful with this utility.  But hey, you’re already feeling confident enough to selectively disable certain Startup Items, so why not take the next step and remove them properly?

There’s an excellent, in-depth article about which types of programs can be safely removed here:

http://www.pacs-portal.co.uk/startup_content.php

Again, use extreme caution… use Autoruns to disable before you delete startup entries.  But please, for the love of the Flying Spaghetti Monster, stop using MSConfig!

Fix: The culprit behind 80% of Exchange crashes

If you’ve worked with me long enough, you’ll know that one of the first questions out of my mouth when you ask me for help with random Exchange crashes is, “Is the Symantec Information Foundation Mail Security for Microsoft Exchange fully up-to-date?”

I wish I didn’t have to ask this question—SMSMSE is an ancillary product in many cases—it supplements the AV scanning engine of whatever the client’s Anti-Spam solution is.  Very few clients use the SMSMSE’s anti-spam capability, in favor of a third-party appliance (usually a SonicWALL E-Mail Security) or a hosted service (such as Postini); however, by virtue of having been licensed for Symantec’s full protection suite, we frequently like to install SMSMSE as a “second safety-net,” given that the Anti-Spam solutions typically use a virus scanning engine other than Symantec’s.

Unfortunately, when troubleshooting an Exchange issue, which may include:

> Crashing the Microsoft Exchange Transport service

> ASP.NET errors

> Stopping mail flow without errors in the Event Log

> Blue screen (STOP) errors

…the last place that folks think to check is the SMSMSE, yet (in my experience), 80% of these issues are caused by an out-of-date SMSMSE conflicting with a recent security update or patch.

At two clients recently (also including us), we were running version 6.5.2.82, which caused the ASP.NET error shown below.  In one case, this same error was the precursor to a halt in mail flow:

Log: Application

Type: Warning

Event: 2262

Agent Time: [REDACTED]

Event Time: [REDACTED]

Source: W3SVC-WP

Category: None

Username: N/A

Computer: [REDACTED]

Description: ISAPI 'C:\WINDOWS\Microsoft.NET\Framework64\v2.0.50727\aspnet_isapi.dll' reported itself as unhealthy for the following reason: 'Deadlock detected'.

After I set up a custom monitor set to catch this error, the three servers that were experiencing it all had one thing in common… version 6.5.2.82 of SMSMSE:

…hence my recommendation in the bubble above.  If the “Currently available version” of SMSMSE is greater than the “Installed version,” I’d highly recommend installing the update ASAP.

The upgrade from 6.0.X to 6.5.X, and from 6.5.2.X to 6.5.2.Y is quite simple, takes about 15 minutes (after you download the ~400MB installation file from FileConnect), and only restarts the Microsoft Exchange Transport service.

During the installation (upgrade), you’ll notice that it registers some new types with ASP.NET 2.0.50727.1433 (also the same ASP.NET version loaded on all three problematic servers), thus also confirming my suspicions that the issue relates to an incompatibility between ASP.NET 2.0.50727.1433 and SMSMSE 6.5.2.82:

At the time of this writing, the most recent available version is 6.5.2.97… when scrolling through the list on FileConnect, make sure you’re getting the latest iteration of 6.5, as the list sorting is a bit wacky.  Just look for the correct file with the most recent date:

Again, you’ll be surprised how many Exchange-related issues this upgrade will fix—and why that’s usually the first question I ask.
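The check described in this post, written out as an added example (it is not the monitor set used in the post, and not Symantec or Microsoft code): it parses exported events in the field layout quoted above, picks out Event 2262 from W3SVC-WP reporting 'Deadlock detected', and lists the affected servers whose installed SMSMSE build is older than 6.5.2.97. The server names, the inventory dictionary and the function names are constructed for illustration.

```python
LATEST = (6, 5, 2, 97)   # newest build named in the post at the time of writing

def parse_events(export):
    """Split a 'Key: Value' export into one dict per event; 'Log:' starts a record."""
    events = []
    for line in export.splitlines():
        key, sep, value = line.partition(": ")
        if not sep:
            continue
        if key == "Log":
            events.append({})
        if events:
            events[-1][key] = value.strip()
    return events

def is_aspnet_deadlock(event):
    return (event.get("Event") == "2262" and event.get("Source") == "W3SVC-WP"
            and "Deadlock detected" in event.get("Description", ""))

def version_tuple(text):
    # Compare numerically: as strings, "6.5.2.100" would sort below "6.5.2.97".
    return tuple(int(part) for part in text.split("."))

def servers_to_upgrade(events, installed):
    """Servers that logged the deadlock and run an SMSMSE build older than LATEST."""
    hit = {e["Computer"] for e in events if is_aspnet_deadlock(e) and "Computer" in e}
    return {name: installed[name] for name in sorted(hit)
            if name in installed and version_tuple(installed[name]) < LATEST}

def sample_record(computer, event_id, description):
    # Constructed sample in the field layout of the event quoted above.
    return (f"Log: Application\nType: Warning\nEvent: {event_id}\nSource: W3SVC-WP\n"
            f"Computer: {computer}\nDescription: {description}\n")

DEADLOCK = (r"ISAPI 'C:\WINDOWS\Microsoft.NET\Framework64\v2.0.50727\aspnet_isapi.dll' "
            "reported itself as unhealthy for the following reason: 'Deadlock detected'.")
SAMPLE_EXPORT = (sample_record("EXCH01", 2262, DEADLOCK)
                 + sample_record("EXCH02", 2262, DEADLOCK)
                 + sample_record("EXCH03", 2262, "constructed unrelated warning"))
# Constructed inventory of installed SMSMSE versions per server.
SAMPLE_INSTALLED = {"EXCH01": "6.5.2.82", "EXCH02": "6.5.2.97", "EXCH03": "6.5.2.82"}

if __name__ == "__main__":
    print(servers_to_upgrade(parse_events(SAMPLE_EXPORT), SAMPLE_INSTALLED))
```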

How To: Use the Microsoft BPOS Single Sign In on a Mac (with a HUGE Gotcha for Outlook 2011 and Mail users)

Microsoft BPOS (Business Productivity Online Suite) is the 2007-based iteration (Exchange 2007, Office Live Communicator, etc.) of Microsoft’s Online Services offering.  Microsoft Office 365 is the 2010-based iteration (Exchange 2010, Lync 2010, etc.).  At present, BPOS is live, and Office 365 has a “target release date” of mid-summer this year (2011).  A future article will cover the migration path from BPOS to Office 365, once said migration path is released to the beta users.

For details on the differences between Microsoft BPOS and Office 365, please see the links below:

BPOS: http://www.microsoft.com/online/business-productivity.aspx

Office 365: http://office365.microsoft.com/en-US/online-services.aspx#slide-1

At present, the BPOS edition requires the use of a Single Sign In application (Office 365 will not require this and will be more tightly-integrated with the Microsoft LiveID system).

One question we get asked rather frequently is, “Does BPOS work on a Mac?”

Yes, yes it does.

Caveat: Outlook 2011 and Mail users should read the “HUGE Gotcha” in step 7.

1) On your Mac, go to http://home.microsoftonline.com

2) Once you log in, you’ll see a link to “Download Sign In”… go ahead and click the link:

   

     …which in turn takes you to the Microsoft Download Center, where you must click another download button:

    

     …and save the DMG file somewhere you can find and mount it.

3) Once you’ve mounted (opened) the DMG file you just downloaded, go ahead and drag-and-drop it into your Applications folder:

    

4) Navigate to your Applications folder and double-click on the “Microsoft Online Services Sign In” application:

    

     …and click Open if you get this security warning:

    

5) Run through the setup, accepting the default options (Next > Accept > Next > Finish)

6) Put in your username and password, check both the boxes for “Remember my user name” and “Remember my password,” and click the “Sign in” button:

    

7) Once logged in, the sign in application will search your Mac for supported applications and will configure them automatically for you… but with a HUGE Gotcha.  Unless you’re an Entourage 2008 user, the Microsoft Single Sign In application will not automatically configure your e-mail client for you.  Sorry Mail and Outlook 2011 users… as of the time of this writing, your e-mail application is not supported by the Single Sign In application.

For Entourage 2008 users, you’re done.  Enjoy BPOS!

For Outlook 2011 and Mail users, please read on.

Outlook 2011 BPOS Configuration for Mac

1) Quit out of Outlook completely, including the “Office Reminders” helper application:

   

2) Hold down the “Option” key on your Mac’s keyboard, and then click on the Outlook icon… keep holding down the “Option” key until the Microsoft Database Utility appears, at which point you’ll want to click the “+” button to add a new identity:

    

3) Name the identity something useful, and then right-click (control-left-click) the identity and choose “Set Default,” at which point you’ll notice that the identity you just created is in bold:

    

4) Close the Microsoft Database Utility, and then re-open Outlook 2011… then go to Tools > Accounts:

   

5) On the Accounts screen, choose “Exchange Account”:

   

6) Put in your e-mail address twice, your password once, make sure that “Configure automatically” is checked, and click the “Add Account” button:

   

7) Check the “Always use my response for this server” checkbox and click the Allow button:

   

     …and remember… patience, grasshopper.  This takes a minute or two to auto-configure.

8) Change the “Account description” to something helpful, then close out of the Accounts screen.

   

    You’re all set!  You should now see your mail, contacts & calendar in Outlook.

Mail BPOS Configuration for Mac

Note: This assumes a first-time configuration, as I have not had reason to set up Mail prior to writing this How To article.  If you already have Mail configured and want to add BPOS Exchange as an additional account, I’d recommend watching the following video:

(Thanks to Virorum Ltd for taking the time to make this video!)

1) Start up Mail

2) Put in your name, e-mail address and password, and click Continue:

   

     …and remember… patience, grasshopper.  This too takes a minute or two to auto-configure.

3) Once your settings are auto-configured, ensure that “Address Book contacts” and “iCal calendars” are both checked and click the Create button:

   

Thankfully, Microsoft has configured the Autodiscover service correctly such that many different e-mail clients (Outlook 2007, 2010, 2011, Mail) can connect.  You’ll also notice a similarly simple procedure when connecting your iPod, iPad, iPhone, Android, Palm or Windows Mobile device.

HUGE Gotcha for iOS users (iPhone, iPod, iPad): You must be running iOS 4.2 or above for the Autodiscover service on Microsoft BPOS to work correctly.  This is straight from Microsoft and has been verified by testing with an iOS 4.1 and an iOS 4.2 device—the iOS 4.1 device will not automatically discover the e-mail server settings correctly.  You must upgrade to iOS 4.2 or later (which simply amounts to plugging the iOS device into your computer, firing up iTunes, and clicking the “Yes” button when prompted to back up and upgrade your device).