Friday, June 16, 2017

Configuring a Citrix NetScaler Responder Policy and Action to redirect traffic to another URL based on source IP

I’ve been asked several times in the past about how to configure a NetScaler virtual load balancing server to redirect traffic to another URL based on the incoming source IP address so this post serves to demonstrate the process.

Step #1 – Create the Responder Action

Begin by navigating to AppExpert > Responder > Actions and click the Add button to create the responder action to execute when a policy is met:


In the Create Responder Action window, fill in the following fields as required:

Name: A name that represents the redirect – Redirect_USA_Subnets_Action

Type: Redirect

Expression: Enter the URL you would like to redirect requests to with quotes – “https://www.someURL.com”

Response Status Code: 302


Step #2 – Create the Responder Policy

Navigate to AppExpert > Responder > Policies and click the Add button to create the responder policy that will execute the action created above whenever its expression matches an incoming request:

In the Create Responder Policy window, fill in the following fields as required:

Name: A name that represents the redirect – Redirect_USA_Subnets_Policy

Action: The previous action created – Redirect_USA_Subnets_Action

Expression: Enter the required IP address or subnet with the expressions:

CLIENT.IP.SRC.EQ(x.x.x.x) || CLIENT.IP.SRC.IN_SUBNET(x.x.x.0/24)

An example would be:

CLIENT.IP.SRC.EQ(10.43.3.136) || CLIENT.IP.SRC.IN_SUBNET(162.221.215.0/24) || CLIENT.IP.SRC.IN_SUBNET(195.130.217.0/24) || CLIENT.IP.SRC.IN_SUBNET(91.220.42.0/24) || CLIENT.IP.SRC.IN_SUBNET(185.58.84.0/22)


Step #3 – Assign Responder Policy to Virtual Server

Navigate to Traffic Management > Load Balancing > Virtual Servers and edit the properties of the virtual server you would like to redirect traffic based on incoming source IP address:


If there are already policies assigned, scroll down to the Policies section and click on the + button or if there are no policies applied then click on the Policies button listed on the right side of the page to add a new policy:


Configure the following and click Continue:

Choose Policy: Responder

Choose Type: Request


In the Choose Type options window, click on Click to select under Select Policy:


Select the Responder Policy that was created earlier:


Click on the Bind button to bind the policy to the virtual server:


Save the configuration by clicking on the Done button:


The NetScaler will now answer any request arriving from the listed source addresses with a 302 redirect to the alternate URL; requests from other addresses are load balanced to the backend as before. Keep in mind that CLIENT.IP.SRC is the address the NetScaler itself sees, so if another proxy or NAT device sits in front of the virtual server every client will appear to come from that device and the policy will match all of them or none of them.
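The three GUI steps can also be scripted. The following PowerShell is an added example and is not part of the original post or of any Citrix tooling: it builds the policy expression from a list of addresses and subnets, normalizes each entry to its network address, lets you check which client addresses would match before the policy is bound, and prints the NetScaler CLI equivalent of Steps 1 to 3 for pasting into an SSH session. The action, policy and virtual server names, the target URL and the source list are placeholders. Two cautions: keep the redirect target a fixed string as it is here rather than building it from anything in the request, so the policy cannot be turned into an open redirect, and remember that CLIENT.IP.SRC is the address the NetScaler sees, so a proxy or NAT in front of it hides the real client addresses from this check.

```powershell
# Added example (not from the original post): build, test and emit the
# source-IP responder redirect. Names and the source list are assumptions.

function ConvertTo-Ipv4Number {
    # Dotted-quad IPv4 string -> unsigned integer in network byte order.
    param([Parameter(Mandatory)][string]$Ip)
    $addr = [System.Net.IPAddress]::Parse($Ip)
    if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Only IPv4 is handled here: $Ip"
    }
    $bytes = $addr.GetAddressBytes()
    [Array]::Reverse($bytes)                      # BitConverter reads little-endian
    return [uint64][BitConverter]::ToUInt32($bytes, 0)
}

function Get-Ipv4Mask {
    # Prefix length -> mask, kept in [uint64] to avoid signed-int overflow.
    param([Parameter(Mandatory)][int]$Prefix)
    if ($Prefix -lt 0 -or $Prefix -gt 32) { throw "Invalid prefix length: $Prefix" }
    $all = [uint64]4294967295
    return ($all -shl (32 - $Prefix)) -band $all
}

function Resolve-SourceEntry {
    # Parses "a.b.c.d" (treated as /32) or "a.b.c.d/nn" and normalizes to the
    # network address, so a typo such as 162.221.215.5/24 is written into the
    # rule as 162.221.215.0/24 rather than as something ambiguous.
    param([Parameter(Mandatory)][string]$Entry)
    $parts  = $Entry.Trim().Split('/')
    $prefix = if ($parts.Count -gt 1) { [int]$parts[1] } else { 32 }
    $mask   = Get-Ipv4Mask -Prefix $prefix
    $net    = (ConvertTo-Ipv4Number -Ip $parts[0]) -band $mask
    $octets = 24, 16, 8, 0 | ForEach-Object { ($net -shr $_) -band [uint64]255 }
    [pscustomobject]@{
        Network       = ($octets -join '.')
        Prefix        = $prefix
        Mask          = $mask
        NetworkNumber = $net
    }
}

function New-ResponderSourceRule {
    # Builds the same expression that goes into the policy's Expression field.
    param([Parameter(Mandatory)][string[]]$Source)
    $terms = foreach ($entry in $Source) {
        $r = Resolve-SourceEntry -Entry $entry
        if ($r.Prefix -eq 32) { "CLIENT.IP.SRC.EQ($($r.Network))" }
        else                  { "CLIENT.IP.SRC.IN_SUBNET($($r.Network)/$($r.Prefix))" }
    }
    return ($terms -join ' || ')
}

function Test-ResponderSourceRule {
    # Evaluates the same match the NetScaler will make, so the list can be
    # checked against known-good and known-bad client addresses before binding.
    param([Parameter(Mandatory)][string]$ClientIp,
          [Parameter(Mandatory)][string[]]$Source)
    $client = ConvertTo-Ipv4Number -Ip $ClientIp
    foreach ($entry in $Source) {
        $r = Resolve-SourceEntry -Entry $entry
        if (($client -band $r.Mask) -eq $r.NetworkNumber) { return $true }
    }
    return $false
}

function New-ResponderCliScript {
    # CLI equivalent of Steps 1 to 3. -gotoPriorityExpression END stops further
    # policy evaluation once the redirect fires; -type REQUEST matches the
    # "Request" binding type chosen in the GUI.
    param([Parameter(Mandatory)][string[]]$Source,
          [Parameter(Mandatory)][string]$TargetUrl,
          [string]$ActionName = 'Redirect_USA_Subnets_Action',
          [string]$PolicyName = 'Redirect_USA_Subnets_Policy',
          [string]$VServer    = 'lb_vs_www',      # assumption: your LB vserver name
          [int]$Priority      = 100)
    $rule = New-ResponderSourceRule -Source $Source
    @(
        ('add responder action {0} redirect "\"{1}\"" -responseStatusCode 302' -f $ActionName, $TargetUrl)
        ('add responder policy {0} "{1}" {2}' -f $PolicyName, $rule, $ActionName)
        ('bind lb vserver {0} -policyName {1} -priority {2} -gotoPriorityExpression END -type REQUEST' -f $VServer, $PolicyName, $Priority)
        'save ns config'
    )
}

# Usage with the post's example list (placeholders):
$sources = '10.43.3.136', '162.221.215.0/24', '195.130.217.0/24', '91.220.42.0/24', '185.58.84.0/22'
New-ResponderCliScript -Source $sources -TargetUrl 'https://www.someURL.com'
Test-ResponderSourceRule -ClientIp '185.58.87.10' -Source $sources    # inside 185.58.84.0/22
Test-ResponderSourceRule -ClientIp '185.58.88.1'  -Source $sources    # just outside that /22
```

Once the policy is bound, show lb vserver with the virtual server name lists the bound responder policies and their priorities, and a browser request from an address in the list should return the 302 while one from outside the list still reaches the backend.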

Monday, June 12, 2017

Non domain joined Windows 10 client unable to connect to wireless network with 802.1X authentication

Problem

You have a Cisco Wireless Controller setup to use a Microsoft Network Policy (RADIUS) server to authenticate wireless clients via 802.1X and while Android devices and all Windows clients that are joined to the domain have no issues connecting to the network, non-domain joined Windows 10 workstations are unable to. 

Attempting to join the network with a non-domain joined Windows 10 device shows the following Audit Failure log written in the Security logs of the NPS server:


Log Name: Security

Source: Microsoft Windows security

Event ID: 6273

Level: Information

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
     Security ID:            CONTOSO\tluk
     Account Name:            CONTOSO\tluk
     Account Domain:            CONTOSO
     Fully Qualified Account Name:    CONTOSO\tluk

Client Machine:
     Security ID:            NULL SID
     Account Name:            -
     Fully Qualified Account Name:    -
     OS-Version:            -
     Called Station Identifier:        00-17-df-a8-e0-50:CONTOSO_Corp
     Calling Station Identifier:        60-57-18-a7-ea-18

NAS:
     NAS IPv4 Address:        192.168.220.254
     NAS IPv6 Address:        -
     NAS Identifier:            Cisco_7d:fe:e4
     NAS Port-Type:            Wireless - IEEE 802.11
     NAS Port:            13

RADIUS Client:
     Client Friendly Name:        CONTOSO Test
     Client IP Address:            192.168.220.254

Authentication Details:
     Connection Request Policy Name:    CONTOSO
     Network Policy Name:        Secure Wireless Connections 3
     Authentication Provider:        Windows
     Authentication Server:        CONTOSODC01.Contoso.com
     Authentication Type:        PEAP
     EAP Type:            -
     Account Session Identifier:        35393361643862372F36303A35373A31383A61373A65613A31382F3739383139
     Logging Results:            Accounting information was written to the local log file.
     Reason Code:            16
     Reason:                Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.


The error presented in Windows 10 during the login first shows "Verifying and connecting" and then "Can't connect to this network".

Solution

One of the reasons this error is presented to a non-domain joined Windows 10 client is that the NPS / RADIUS server uses a certificate issued by an internal Microsoft CA, which the Windows 10 device does not trust because it is not joined to the domain and so never received the CA certificate through Group Policy. There are two ways around this: install the issuing root CA certificate on the Windows 10 device (the preferred fix, because the client keeps validating the server), or configure the SSID manually and turn off certificate validation. Be aware of what the second option gives up: with validation off, the client will complete the PEAP/MSCHAPv2 exchange with any access point that broadcasts the same SSID, so a rogue access point can collect the user's credential hashes. If you use it, treat it as a temporary workaround. The following outlines the manual configuration steps:

Begin by opening the Network and Sharing Center then click on Set up a new connection or network:


Select Manually connect to a wireless network:


Fill in the appropriate configuration:


Once the new SSID network has been created, proceed by clicking on Change connection settings:


Click on the Security tab:


Click on the Settings button:


Uncheck the Verify the server’s identity by validating the certificate option:


Configuring the above is usually enough, and a credential prompt is displayed the next time a connection is attempted.

However, if you continue to encounter the same error then proceed by clicking on the Advanced settings button:


Enable the Specify authentication mode: option:


Change the configuration to User authentication then click on Save credentials:


Enter the appropriate credentials:


The SSID should now no longer prompt for credentials and will automatically connect to the SSID network with the saved credentials.
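For the preferred fix, installing the issuing root CA so that server validation can stay switched on, the following PowerShell is an added example and not part of the original post. Part 1 runs on any domain-joined machine that already trusts the CA; part 2 runs in an elevated PowerShell on the non-domain Windows 10 device. The CA subject name, the file paths and the exported NPS server certificate used for the final check are assumptions.

```powershell
# Added example (not from the original post): trust the internal root CA on a
# non-domain Windows 10 client instead of disabling server validation.
# CA name, paths and the NPS certificate file are assumptions.

# ---- Part 1: on a domain-joined machine, export the root CA (public key only) ----
# Assumption: the enterprise root CA's subject starts with "CN=Contoso Root CA".
$rootCa = Get-ChildItem Cert:\LocalMachine\Root |
          Where-Object { $_.Subject -like 'CN=Contoso Root CA*' } |
          Select-Object -First 1
if (-not $rootCa) { throw 'Root CA certificate not found in the machine Root store' }
Export-Certificate -Cert $rootCa -FilePath 'C:\Temp\ContosoRootCA.cer' -Type CERT | Out-Null

# ---- Part 2: on the Windows 10 client (elevated), trust that root ----
$imported = Import-Certificate -FilePath 'C:\Temp\ContosoRootCA.cer' -CertStoreLocation Cert:\LocalMachine\Root
'Imported {0} (thumbprint {1})' -f $imported.Subject, $imported.Thumbprint

# PEAP validates the RADIUS server certificate much like a TLS client would: it
# must chain to a trusted root and carry the Server Authentication EKU. The check
# below uses the NPS server's public certificate exported to NPS-server.cer and
# the NPS FQDN from the event log (both assumptions).
$npsCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new('C:\Temp\NPS-server.cer')
$valid   = Test-Certificate -Cert $npsCert -Policy SSL -DNSName 'contosodc01.contoso.com' -ErrorAction SilentlyContinue
if ($valid) {
    'NPS certificate chains to a trusted root: leave "Verify the server''s identity" enabled'
} else {
    'NPS certificate still fails validation: fix the chain or the subject name before connecting'
}
```

With the root installed, keep "Verify the server's identity by validating the certificate" checked in the PEAP settings, tick the imported CA in the Trusted Root Certification Authorities list and put the NPS server's name in the "Connect to these servers" field, so the client only hands its credentials to the RADIUS server you intended.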

Thursday, June 8, 2017

Setting up Get-ExchangeEnvironmentReport.ps1 PowerShell script in Task Scheduler to automatically run daily

One of the scripts I've often used to gather information about an Exchange environment prior to performing a migration is the Get-ExchangeEnvironmentReport.ps1 PowerShell script written by Steve Goodman. The report gives a good overview of the current Exchange topology as well as the mailbox databases. If you are unfamiliar with this script, further details can be found in the following links:

Generate Exchange Environment Reports using Powershell
https://gallery.technet.microsoft.com/office/Generate-Exchange-2388e7c9

Generate Exchange Environment Reports using Powershell
http://www.stevieg.org/2011/06/exchange-environment-report/

This script can be scheduled to run automatically via the Task Scheduler, and this post serves to provide the configuration for the action, which can sometimes be difficult to find. Note that I won't go into the details of creating the scheduled task as that can be found in one of my previous posts here:

Setting up vCheck PowerShell health check script in Task Scheduler to automatically run daily
http://terenceluk.blogspot.com/2017/03/setting-up-vcheck-powershell-health.html

The following is the syntax required to configure the action:

Program/script: powershell.exe

Add arguments (optional): -command ". 'E:\Program Files\Microsoft\Exchange Server\V15\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; . 'C:\PS-Scripts\Get-ExchangeEnvironmentReportModified.ps1'"

Note that the closing double quote at the end of the argument string is required; without it powershell.exe cannot parse the command.

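The same action can be registered from PowerShell instead of the Task Scheduler GUI. The following is an added example and not part of the original post: the service account name, the script paths and the schedule are assumptions. Because the task runs unattended with stored credentials, give it a dedicated account that holds only the Exchange role the report needs (View-Only Organization Management is sufficient for this read-only report) rather than an Organization Management or domain admin account.

```powershell
# Added example (not from the original post): register the report task from
# PowerShell. Account, paths and schedule are assumptions.

$exchangeShell = 'E:\Program Files\Microsoft\Exchange Server\V15\bin\RemoteExchange.ps1'
$reportScript  = 'C:\PS-Scripts\Get-ExchangeEnvironmentReportModified.ps1'

# Same -command string as the GUI action. -NoProfile and -NonInteractive stop the
# task from loading a profile script or hanging on a prompt, and an explicit
# execution policy avoids depending on whatever the server default happens to be.
$arguments = '-NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -Command ". ''{0}''; Connect-ExchangeServer -auto; . ''{1}''"' -f $exchangeShell, $reportScript

$action   = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $arguments
$trigger  = New-ScheduledTaskTrigger -Daily -At 6:00am
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Hours 2)

# Prompt for the service account password instead of writing it into the script;
# Task Scheduler stores it so the task can run whether the user is logged on or not.
$cred = Get-Credential -UserName 'CONTOSO\svc-exreport' -Message 'Password for the report service account'

Register-ScheduledTask -TaskName 'Exchange Environment Report' `
    -Action $action -Trigger $trigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
    -RunLevel Limited -Force | Out-Null

# Run it once now; after it finishes, LastTaskResult should be 0 before you rely on the schedule.
Start-ScheduledTask -TaskName 'Exchange Environment Report'
Get-ScheduledTaskInfo -TaskName 'Exchange Environment Report' |
    Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime
```

The task must run on a machine with the Exchange management tools installed, since RemoteExchange.ps1 and Connect-ExchangeServer come from that installation.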

Wednesday, June 7, 2017

Attempting to call a Lync Server 2013 Enterprise Voice user fails with a fast busy

Problem

You have a user who is enabled for Enterprise Voice in a Lync Server 2013 environment and who previously had no issues placing and receiving calls, but users attempting to call them now receive a fast busy with the error message:

Cannot contact <userName>


Running a trace with Snooper on the server shows that a SIP/2.0 485 Ambiguous error is logged during the failed call:

TL_INFO(TF_PROTOCOL) [0]2160.20F4::06/06/2017-13:36:28.621.00008520 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[4058195155] $$begin_recordTrace-Correlation-Id: 4058195155
Instance-Id: 495426
Direction: outgoing;source="local"
Peer: CONTles03.CONT.com:58390
Message-Type: response
Start-Line: SIP/2.0 485 Ambiguous
From: <sip:tluk@contoso.com>;tag=244c2c0e70;epid=98eec5ee8d
To: <sip:+44xxxxx9578@contoso.com;user=phone>;tag=872B83A7584D65996E00DA963EC419D0
Call-ID: 1c27d3fe51e6418892fe4e79cb4f564b
CSeq: 1 INVITE
Via: SIP/2.0/TLS 192.168.131.2:58390;branch=z9hG4bK323649EF.04A161E3BE17588C;branched=FALSE;ms-received-port=58390;ms-received-cid=36CFC00
Via: SIP/2.0/TLS 172.16.1.121:50637;received=216.249.42.188;ms-received-port=50637;ms-received-cid=AE8300
Content-Length: 0
ms-diagnostics: 4199;reason="Multiple users associated with the target phone number";HRESULT="0x8004C3CD";processing-cluster="CONTlse03.CONT.com";processing-frontend="CONTLSE03.CONT.COM";source="CONTLSE03.CONT.COM"
$$end_record


Solution

One of the reasons why this user would experience issues with inbound calls is if someone had recently created an account that uses the same number but with a different extension for their Line URI field.  To troubleshoot this, launch the Lync Server 2013 Control Panel and search for users with the problematic user’s number but without the extension.

For this example, the problematic user’s Line URI field is configured as such:

tel:+44xxxxxx9578;ext=9578

With the above information, add a Line URI filter configured to contain the string:

tel:+44xxxxxx9578

The filter returns two users.

Open the properties of the user accounts to compare the Line URI field and in the case of this example, the problem is caused by a typo in the Line URI field where:

User A: tel:+44xxxxxx9578;ext=9578

User B: tel:+44xxxxxx9578;ext=9579

User B's Line URI was meant to be:

User B: tel:+44xxxxxx9579;ext=9579

… and because of the slight typo shown above, the Control Panel allowed the configuration to be made since the two strings were unique, but inbound calls could not be routed because the dialed number matched both Line URIs regardless of their differing ext parameters. This is exactly the condition reported by ms-diagnostics 4199 ("Multiple users associated with the target phone number") in the trace above.

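Rather than searching the Control Panel one number at a time, the whole deployment can be checked for this condition. The following PowerShell is an added example and not part of the original post: it strips the ;ext= parameter from every Line URI and reports any E.164 number shared by more than one user, which is the situation that produces 485 Ambiguous. The sample user objects are constructed for illustration; in production, pipe the output of Get-CsUser into the function as shown in the comment.

```powershell
# Added example (not from the original post): find Line URIs that collide on the
# same number once ";ext=" is removed. Sample data below is constructed.

function Find-DuplicateLineUri {
    param(
        # Objects with SipAddress and LineURI properties, e.g. from Get-CsUser.
        [Parameter(Mandatory, ValueFromPipeline)][object[]]$User
    )
    begin { $all = @() }
    process { $all += $User }
    end {
        $all |
            Where-Object { $_.LineURI } |
            ForEach-Object {
                # "tel:+44xxxxxx9578;ext=9578" -> "+44xxxxxx9578"
                $number = (($_.LineURI -replace '^tel:', '') -split ';')[0].Trim()
                [pscustomobject]@{ Number = $number; SipAddress = $_.SipAddress; LineURI = $_.LineURI }
            } |
            Group-Object -Property Number |
            Where-Object { $_.Count -gt 1 } |
            ForEach-Object {
                [pscustomobject]@{
                    Number = $_.Name
                    Users  = ($_.Group | ForEach-Object { "$($_.SipAddress) [$($_.LineURI)]" }) -join '; '
                }
            }
    }
}

# Constructed sample: user B's number was mistyped as user A's number with a
# different extension, the same mistake the post describes.
$sample = @(
    [pscustomobject]@{ SipAddress = 'sip:usera@contoso.com'; LineURI = 'tel:+441234569578;ext=9578' }
    [pscustomobject]@{ SipAddress = 'sip:userb@contoso.com'; LineURI = 'tel:+441234569578;ext=9579' }
    [pscustomobject]@{ SipAddress = 'sip:userc@contoso.com'; LineURI = 'tel:+441234569580;ext=9580' }
)
$sample | Find-DuplicateLineUri | Format-Table -AutoSize

# Against the real deployment, run from the Lync Server Management Shell:
# Get-CsUser -Filter {LineURI -ne $null} | Find-DuplicateLineUri
```

Users are not the only objects that carry a Line URI; common area phones, analog devices and Response Group workflows can collide with a user's number in the same way, so include those objects in the check if the user search comes back clean.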

Tuesday, June 6, 2017

Attempting to launch XenApp 7.x application throws the error: Cannot start app “Outlook 2013”

Problem

You have received reports from a select few users that they receive the following error message when they attempt to launch an application from the StoreFront portal:

Cannot start App “Outlook 2013”


Logging onto the Citrix Delivery Controller and reviewing the application logs show the following warnings:


Log Name: Application

Source: Citrix Broker Service

Event ID: 1102

Level: Warning

User: NETWORK SERVICE

Computer: Citrix Delivery Controller

The Citrix Broker Service failed to broker a connection for user 'DOMAIN\G0052014' to resource 'Outlook 2013'. The virtual machine 'S30015-205-CX03.ad.domain.com' rejected a request to prepare itself for a connection. This problem usually indicates that the virtual machine is engaged in an activity such as restarting, entering a suspended state, or processing a recent disconnection or logoff.

If this problem persists, please restart the virtual machine.

Note: S30015-205-CX03 is the application server running the VDA.


Log Name: Application

Source: Citrix Broker Service

Event ID: 1101

Level: Warning

User: NETWORK SERVICE

Computer: Citrix Delivery Controller

The Citrix Broker Service failed to broker a connection for user ‘Domain\G0052014' to resource 'Outlook 2013'. The Citrix Broker Service cannot find any available virtual machines.

Please add more virtual machines to the site. If the problem is due to existing virtual machines not becoming available, see Citrix Knowledge Base article CTX126992.


Attempting to launch another application such as notepad logs a similar warning event:

Log Name: Application

Source: Citrix Broker Service

Event ID: 1102

Level: Warning

User: NETWORK SERVICE

Computer: Citrix Delivery Controller

The Citrix Broker Service failed to broker a connection for user 'DOMAIN\G0052014' to resource 'Notepad'. The virtual machine 'S30015-205-CX03.ad.domain.com' rejected a request to prepare itself for a connection. This problem usually indicates that the virtual machine is engaged in an activity such as restarting, entering a suspended state, or processing a recent disconnection or logoff.

If this problem persists, please restart the virtual machine.


Logging onto the StoreFront server and reviewing the event logs show the entries:

Log Name: Citrix Delivery Services

Source: Citrix Store Service

Event ID: 28

Level: Warning

User: N/A

Computer: Citrix StoreFront

Failed to launch the resource 'DR.Notepad' using the Citrix XML Service at address 'https://s30015-205-cx01.ad.domain.com:443/scripts/wpnbr.dll'. The XML service returned error: 'connection-refused'.

Note: S30015-205-cx01 is the Delivery Controller.


Log Name: Citrix Delivery Services

Source: Citrix Store Service

Event ID: 28

Level: Warning

User: N/A

Computer: Citrix StoreFront

A request from the Citrix server to prepare for a connection was rejected while processing the initialization of desktop group Notepad for user DOMAIN\G0052014. This message was reported from the XML Service at address https://s30015-205-cx01.ad.domain.com:443/scripts/wpnbr.dll [NFuseProtocol.TRequestAddress].


Not all of the users are affected as there are many others who are able to launch applications without any issues.

Solution

The cause turned out to be that the Citrix Remote Broker Provider service had stopped on the Delivery Controller; starting the service again corrected the issue. Check the Citrix services on every Delivery Controller in the site rather than just one, which would also explain why only some users were affected if StoreFront is configured with more than one controller, and consider setting the service's recovery options so that it restarts on its own if it stops again.

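The following PowerShell is an added example and not part of the original post or of Citrix's own tooling: a quick check to run when Event IDs 1101 and 1102 start appearing. For each Delivery Controller it confirms the XML service port StoreFront uses is reachable, lists Citrix services that are set to start automatically but are not running, starts the Remote Broker Provider if it is the one that stopped and configures it to restart on failure, and pulls the last hour of broker warnings. The controller names and the port are assumptions, and the remote parts rely on WinRM being enabled on the controllers.

```powershell
# Added example (not from the original post): Delivery Controller health check
# for the "Cannot start app" symptom. Controller names and port are assumptions.

$controllers = 's30015-205-cx01.ad.domain.com'   # assumption: list every controller in the site
$xmlPort     = 443                                # the port StoreFront is configured to use for the XML service

foreach ($dc in $controllers) {
    # 1. Can StoreFront reach the XML service at all? A closed port shows up in
    #    StoreFront as the 'connection-refused' error seen above.
    $tcp = Test-NetConnection -ComputerName $dc -Port $xmlPort -WarningAction SilentlyContinue
    '{0}: XML service port {1} reachable = {2}' -f $dc, $xmlPort, $tcp.TcpTestSucceeded

    # 2. Services and recent broker warnings on the controller itself.
    Invoke-Command -ComputerName $dc -ScriptBlock {
        $stopped = Get-Service -DisplayName 'Citrix*' |
                   Where-Object { $_.StartType -eq 'Automatic' -and $_.Status -ne 'Running' }
        $stopped | Select-Object @{n='Controller';e={$env:COMPUTERNAME}}, Name, DisplayName, Status

        # Start the service the post identified and make it self-heal next time:
        # restart after 60 seconds on each of the first three failures within a day.
        $rbp = $stopped | Where-Object { $_.DisplayName -eq 'Citrix Remote Broker Provider' }
        if ($rbp) {
            Start-Service -InputObject $rbp
            & sc.exe failure $rbp.Name reset= 86400 actions= restart/60000/restart/60000/restart/60000 | Out-Null
        }

        # Broker warnings from the last hour (1102 = VDA rejected prepare, 1101 = no VMs available).
        Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Citrix Broker Service';
                                         Id = 1101, 1102; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, @{n='Message';e={ $_.Message.Split("`n")[0] }}
    }
}
```

If the XML port test fails while the services are all running, look at the StoreFront Delivery Controller settings (transport type and port) and any firewall between StoreFront and the controller before touching the services.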

Thursday, June 1, 2017

Unable to delete Exchange 2016 mailbox database

Problem

You attempt to delete an Exchange 2016 mailbox database but receive the following error:


This mailbox database contains one or more mailboxes, mailbox plans, archive mailboxes, public folder mailboxes or arbitration mailboxes, Audit mailboxes. To get a list of all mailboxes in this database, run the command Get-Mailbox -Database <Database ID>. To get a list of all mailbox plans in this database, run the command Get-MailboxPlan. To get a list of archive mailboxes in this database, run the command Get-Mailbox -Database <Database ID> -Archive. To get a list of all public folder mailboxes in this database, run the command Get-Mailbox -Database <Database ID> -PublicFolder. To get a list of all arbitration mailboxes in this database, run the command Get-Mailbox -Database <Database ID> -Arbitration. To get a list of all Audit mailboxes in this database, run the command Get-Mailbox -Database <Database ID> -AuditLog. To disable a non-arbitration mailbox so that you can delete the mailbox database, run the command Disable-Mailbox <Mailbox ID>. To disable an archive mailbox so you can delete the mailbox database, run the command Disable-Mailbox <Mailbox ID> -Archive. To disable a public folder mailbox so that you can delete the mailbox database, run the command Disable-Mailbox <Mailbox ID> -PublicFolder. To disable a Audit mailbox so that you can delete the mailbox database, run the command Get-Mailbox -AuditLog | Disable-Mailbox. Arbitration mailboxes should be moved to another server; to do this, run the command New-MoveRequest <parameters>. If this is the last server in the organization, run the command Disable-Mailbox <Mailbox ID> -Arbitration -DisableLastArbitrationMailboxAllowed to disable the arbitration mailbox. Mailbox plans should be moved to another server; to do this, run the command Set-MailboxPlan <MailboxPlan ID> -Database <Database ID>.


Attempting to use the cmdlet Remove-MailboxDatabase throws the same error:


Executing the following cmdlets does not reveal any other types of mailboxes that reside in the database:

Get-Mailbox -Database EMDB09

Get-Mailbox -Database EMDB09 -Arbitration

Get-Mailbox -Database EMDB09 -Archive

Get-Mailbox -Database EMDB09 -AuditLog

Get-Mailbox -Database EMDB09 -PublicFolder

Get-Mailbox -Database EMDB09 -Monitoring


Solution

One of the possible causes of this is a mailbox that uses this database for its archive. In this example, an account has its live mailbox in another database but its archive mailbox in the database we are trying to remove.

Executing the following PowerShell cmdlet would confirm this:

Get-Mailbox -Identity tluk | FL *archive*


An easier way to identify this if you don't know which mailboxes may be using this database as an archive database is to execute the following cmdlet. The -ResultSize Unlimited switch matters: Get-Mailbox only returns the first 1000 mailboxes by default and could silently skip the one you are looking for.

Get-Mailbox -ResultSize Unlimited | Where-Object {$_.ArchiveDatabase -eq "EMDB09"}

If you are experiencing the issue above, move the archives left on this database to another database with an archive-only move request, wait for the moves to complete, and then retry the removal.
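The checks in this post can be collected into one function so that nothing is overlooked the next time a database refuses to be removed. The following PowerShell is an added example and not part of the original post: it runs every mailbox-type query the error message asks for against the database, adds the archive search that the -Database switch misses, and then creates archive-only move requests for whatever it finds. The database names are assumptions; run it from the Exchange Management Shell.

```powershell
# Added example (not from the original post): list everything that blocks
# Remove-MailboxDatabase, then evacuate the archives. Database names are assumptions.

function Get-DatabaseRemovalBlockers {
    param([Parameter(Mandatory)][string]$Database)

    # The same checks the error message asks for. -ResultSize Unlimited matters:
    # the default of 1000 can hide the one mailbox you are looking for.
    $checks = [ordered]@{
        Regular      = { Get-Mailbox -Database $Database -ResultSize Unlimited }
        Arbitration  = { Get-Mailbox -Database $Database -ResultSize Unlimited -Arbitration }
        PublicFolder = { Get-Mailbox -Database $Database -ResultSize Unlimited -PublicFolder }
        AuditLog     = { Get-Mailbox -Database $Database -ResultSize Unlimited -AuditLog }
        Monitoring   = { Get-Mailbox -Database $Database -ResultSize Unlimited -Monitoring }
        # Archives belong to a primary mailbox that may live elsewhere, so they are
        # found by filtering on ArchiveDatabase across the organization, not by -Database.
        Archive      = { Get-Mailbox -ResultSize Unlimited | Where-Object { $_.ArchiveDatabase -eq $Database } }
    }

    foreach ($kind in $checks.Keys) {
        & $checks[$kind] | ForEach-Object {
            [pscustomobject]@{
                Kind            = $kind
                Identity        = $_.Identity
                Database        = $_.Database
                ArchiveDatabase = $_.ArchiveDatabase
            }
        }
    }
}

$blockers = Get-DatabaseRemovalBlockers -Database 'EMDB09'
$blockers | Format-Table -AutoSize

# Move only the archives; the primary mailboxes stay where they are. Wait for the
# batch to complete before retrying Remove-MailboxDatabase.
$batch = 'EMDB09-archive-evacuation'
$blockers | Where-Object Kind -eq 'Archive' | ForEach-Object {
    New-MoveRequest -Identity $_.Identity -ArchiveOnly -ArchiveTargetDatabase 'EMDB10' -BatchName $batch
}
Get-MoveRequest -BatchName $batch | Get-MoveRequestStatistics |
    Select-Object DisplayName, Status, PercentComplete
```

Anything reported under a kind other than Archive needs the corresponding action from the error message (a regular move request, or disabling the mailbox where that is appropriate) before the database can go.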