GPO To Set Firewall Exception For Windows 10 RDP

Slingshot recently rolled out several Windows 10 Pro systems for a customer and discovered that the existing GPO's firewall rules weren't enough to allow RDP from within the LAN.

Susan's post Windows 10 and SBS/Essentials Platforms showed how to do it as a one-off, but I wanted a GPO. Google let me down, returning a lot of confusion and complicated workarounds. (I shared this with Susan and she blogged it, which reminded me of my own blog, so here it is.)

I went exploring the GPO editor and found the right setting under the advanced firewall node: Computer Configuration->Windows Settings->Security Settings->Windows Firewall with Advanced Security->Inbound Rules->New Rule->Predefined->Remote Desktop – RemoteFX:
(Screenshot: GPO for W10 RDP)

That’s it!  Tested and confirmed working in production.

(Note: this is in addition to the usual rules at Computer Configuration->Administrative Templates->Network Connections->Windows Firewall->Domain Profile)
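The same "allow RDP from inside the LAN" exception, built from PowerShell instead of the GPO editor. This is an added example, not the original post's method or Microsoft's predefined rule: it creates an equivalent custom rule, but scoped tighter than the predefined one (Domain profile only, local subnet only, bound to the TermService svchost), and then checks the result on a workstation. The GPO name 'corp.example\Workstation Firewall' is a placeholder; the NetSecurity cmdlets need Windows 8 / Server 2012 or later, and writing to a domain policy store needs the GPMC tools on the admin machine.

```powershell
# Added example, not code from the original post.
# Assumptions: 'corp.example\Workstation Firewall' stands in for 'domain\GPO name';
# drop -PolicyStore to change the local firewall instead.
$policyStore = 'corp.example\Workstation Firewall'

# RDP listens on TCP 3389 and, from Windows 8 on, UDP 3389, both inside the TermService
# svchost. Binding the rule to that program/service and to LocalSubnet on the Domain
# profile keeps the exception from quietly becoming "RDP from anywhere", which is what
# opportunistic brute-forcing looks for. Widen RemoteAddress to your management subnets
# if the LAN is routed.
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -PolicyStore $policyStore `
        -DisplayName "Remote Desktop - LAN only ($proto-In)" -Group 'LAN RDP' `
        -Direction Inbound -Action Allow -Profile Domain `
        -Protocol $proto -LocalPort 3389 -RemoteAddress LocalSubnet `
        -Program '%SystemRoot%\system32\svchost.exe' -Service TermService
}

# On a target workstation after 'gpupdate /force': is the rule in the effective policy,
# with the expected scope, is NLA required (so unauthenticated clients never reach the
# logon screen), and is anything actually listening on 3389?
function Test-RdpExposure {
    $rules = Get-NetFirewallRule -PolicyStore ActiveStore -Group 'LAN RDP' `
                -Enabled True -Direction Inbound -ErrorAction SilentlyContinue
    $scope = $rules | Get-NetFirewallAddressFilter |
                Select-Object -ExpandProperty RemoteAddress -Unique
    $nla   = Get-CimInstance -Namespace root/cimv2/TerminalServices `
                -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    [pscustomobject]@{
        RulesActive   = @($rules).Count
        RemoteAddress = ($scope -join ',')     # expect 'LocalSubnet', not 'Any'
        NlaRequired   = [bool]$nla.UserAuthenticationRequired
        Listening3389 = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen `
                                   -ErrorAction SilentlyContinue)
    }
}
Test-RdpExposure
```

The check function is the part worth keeping around: it reads the resultant policy (ActiveStore), not the GPO, so it also catches a local rule or a different GPO that has opened 3389 to Any.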


How to redirect OWA HTTP to HTTPS (the actually easy way that works)


With SBS 2008, if you try to open Outlook Web Access at http://remote.example.com/owa, you'll get "Error 403 – Forbidden: Access is denied…" (IIS logs it as 403.4, SSL required), because IIS requires SSL for that directory. The proper URL is https://remote.example.com/owa, but most users don't remember that little "s".


As a note, SBS 2011 already redirects this for you. But if you're stuck with SBS 2008, there are tons of articles that show how to redirect users automatically:


Microsoft has 4 different articles on the topic, but the forums are still covered with the question. The solutions vary on a few themes:

  • Redirect in IIS on the Default Web Site (doesn't work, since that site doesn't actually answer those HTTP requests on SBS).
  • Disable Require SSL and edit OWA's default.aspx to Response.Redirect (doesn't work, because OWA is precompiled and handled by a DLL).
  • Set a redirect or custom 403 page on the actual OWA directory to a custom SSLRedirect.html with a meta refresh (might work, but clunky and straight outta 1998).

Other solutions either forget that you can't get past "Require SSL" to reach the redirect, or don't notice that you've already been redirected (creating an infinite redirect loop and a "Too many redirects" error).


I think I have a much simpler solution: just set the 403 error for OWA to respond with a redirect to the right URL. Here's how:

  1. Start the Internet Information Services (IIS) Manager snap-in.
  2. Expand the local computer, expand Sites, and then click SBS Web Applications.
  3. At the bottom of the SBS Web Applications Home pane, click Features View if this option is not already selected.
  4. In the IIS section, double-click Error Pages, and double-click 403 in the list.
  5. In the Edit Custom Error Page dialog, select Respond with a 302 redirect.
  6. Type the Absolute URL of the /owa virtual directory. For example, type https://mail.contoso.com/owa.
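The same change applied with appcmd rather than the IIS Manager dialog, plus a client-side check that the redirect happens exactly once and lands on HTTPS. This is an added example, not the original post's procedure: it differs in one deliberate way, matching only substatus 4 (the "SSL required" 403) rather than every 403, so a genuine access-denied over HTTPS still returns 403 instead of being bounced back to the same URL. It assumes the SBS 2008 default names ('SBS Web Applications' site, /owa virtual directory) and uses mail.contoso.com as a placeholder hostname.

```powershell
# Added example, not code from the original post. Run in an elevated prompt on the server.
$appcmd  = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$owaPath = 'SBS Web Applications/owa'        # site/vdir as shown in IIS Manager (assumed defaults)
$owaUrl  = 'https://mail.contoso.com/owa'    # absolute HTTPS URL of OWA (placeholder)

# Only 403.4 (SSL required) is redirected; other 403s keep their meaning.
# /commit:apphost writes a <location> entry in applicationHost.config, which is what
# IIS Manager does as well: the httpErrors section is locked by default, so committing
# into the vdir's own web.config (a file Exchange owns) would fail with a lock violation.
& $appcmd set config "$owaPath" /section:httpErrors `
    "/+[statusCode='403',subStatusCode='4',path='$owaUrl',responseMode='Redirect']" /commit:apphost
& $appcmd list config "$owaPath" /section:httpErrors

# Check from a client machine, not the server: custom error responses are only sent to
# remote clients by default, so a local test would show the detailed error page instead.
function Test-OwaRedirect {
    param([string]$Url = 'http://mail.contoso.com/owa')
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false             # inspect the first hop only, so a loop is visible
    try   { $resp = $req.GetResponse() }
    catch [System.Net.WebException] { $resp = $_.Exception.Response; if (-not $resp) { throw } }
    [pscustomobject]@{
        Url        = $Url
        Status     = [int]$resp.StatusCode      # HTTP hop: expect 302
        Location   = $resp.Headers['Location']  # HTTP hop: expect the HTTPS URL
        LoopsToSelf = ($resp.Headers['Location'] -eq $Url)   # must be False on both hops
    }
}
Test-OwaRedirect                                          # the plain-HTTP request
Test-OwaRedirect -Url 'https://mail.contoso.com/owa'      # the HTTPS request must not 302 back to itself
```

Running the check over both schemes is the point: the HTTP hop proves the redirect fires, and the HTTPS hop proves the new error entry does not turn an authenticated OWA request into another redirect.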


OWA's Error Pages list should then show the 403 entry responding with a 302 redirect to the HTTPS URL.


Hope it helps someone.

Common SBS gotcha?

I've fought with this before, and am getting it again on a fresh SBS R2 install, in the monitoring reports (and the Event Viewer System log):

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {E579AB5F-1CC4-44B4-BED9-DE0991FF0623} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.

It took a long time to track down and fix the first time. It was faster this time, but I'm documenting it now for future reference. The important bits above are the CLSID and the account it names, NT AUTHORITY\NETWORK SERVICE.

First connect the dots:

  1. Looked up that CLSID with regedit in HKCR\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}
  2. Looked up its AppID there: {56BE716B-2F76-4dfa-8702-67AE10044F0B}
  3. Open Component Services: Start > Run > dcomcnfg
  4. (Guess that it’s VSS related since SBS often has VSS errors, and) open My Computer > DCOM Config > Volume Shadow Copy Service > properties dialog.
  5. Confirm Volume Shadow Copy Service has that Application ID: {56BE716B-2F76-4dfa-8702-67AE10044F0B}

Then actually make the fix:

  1. Open Security tab > Launch and Activation Permissions > [Edit] button
  2. [Add] Network Service,  [OK]
  3. Allow Local Activation permissions to Network Service,  [OK], [OK]

My opinion: connecting the dots shouldn't be so much more involved than making the fix.

(Credit to this article for documenting the basic troubleshooting process.)
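The "connect the dots" half, scripted. This is an added example, not part of the original post or of the article it credits: it resolves the CLSID from the event text to its AppID and to the name listed under DCOM Config, then decodes that application's Launch and Activation permissions so you can see what NETWORK SERVICE has before and after the fix. Only the CLSID from the event above is assumed; the ACL is read, not written, so the grant itself is still done in Component Services as in the steps above (and should stay Local Activation only, since nothing in this event asks for the Remote bits).

```powershell
# Added example, not code from the original post. Run in an elevated PowerShell (3.0+).
function Resolve-DcomApp {
    param([Parameter(Mandatory)][string]$Clsid)
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $appId = (Get-ItemProperty -Path $clsidKey -ErrorAction Stop).AppID
    if (-not $appId) { throw "$Clsid has no AppID value; it is not registered as a DCOM server" }
    $app = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\AppID\$appId" -ErrorAction Stop
    [pscustomobject]@{
        Clsid            = $Clsid
        AppId            = $appId
        Name             = $app.'(default)'        # the name shown under DCOM Config
        LaunchPermission = $app.LaunchPermission   # binary SD; $null means the machine default applies
    }
}

# Decode a DCOM launch/activation security descriptor. Access-mask bits are the SDK's
# COM_RIGHTS_* values: 2 local launch, 4 remote launch, 8 local activation, 16 remote
# activation; a bare 1 (COM_RIGHTS_EXECUTE) on an old entry means all of them.
function Get-DcomLaunchAcl {
    param([byte[]]$BinarySd)
    if (-not $BinarySd) {
        $BinarySd = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole').DefaultLaunchPermission
    }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($BinarySd, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $mask = $ace.AccessMask
        if ($mask -eq 1) { $mask = 0x1E }
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }   # unresolvable SID: show it raw
        [pscustomobject]@{
            Trustee        = $who
            Allow          = ($ace.AceType -eq 'AccessAllowed')
            LocalLaunch    = [bool]($mask -band 2)
            RemoteLaunch   = [bool]($mask -band 4)
            LocalActivate  = [bool]($mask -band 8)
            RemoteActivate = [bool]($mask -band 16)
        }
    }
}

# The CLSID quoted in the event above.
$app = Resolve-DcomApp -Clsid '{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}'
"$($app.Clsid) -> AppID $($app.AppId) -> DCOM Config entry '$($app.Name)'"
Get-DcomLaunchAcl -BinarySd $app.LaunchPermission | Format-Table -AutoSize
```

Run it once before the fix (the NETWORK SERVICE row is missing, or shows LocalActivate False) and once after; if the AppID had no LaunchPermission value at all, the first run shows you the machine-wide default that was being applied, which is usually the real reason the activation failed.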

Windows Vista & SP1

I’ve been using Vista Business for about a year.  I’ve had it on a secondary work machine since around May, and as my primary work machine since November. Overall, it’s quite nice.

But it’s definitely had its quirks, mostly with waking from standby or hibernation. I put a couple hotfixes on, and they definitely helped, but it still did have an occasional strangeness. That said, in almost a year’s time, I only remember needing to hard-reset it perhaps 3 times, and needing to reboot it maybe 5.

Now, I think that’s great, considering these machines belong to a tweaker like me (read: not a grandma or Mac-type user who doesn’t try new things).  I’d say it’s comparable reliability to a current stable XP system. This is an important comparison — XP has been maturing since 2001, but Vista started out at the same level of reliability.

As an aside, I’ve had several non-technical folks ask me “is Vista as bad as they say?” and I’ve only been able to respond “as who says?”  The only negative reviews I’ve seen were some journalists who must have put Vista on old hardware without current drivers.  But IT professionals I’ve talked to who’ve used Vista for a while seem to like it.

So anyway, I still didn’t want that occasional quirk, so I tracked down hot-off-the-presses Service Pack 1, and applied it last night.  It took about 45 minutes, and went flawlessly.  Hooray for that, and hopefully it sails even smoother now…

I just reset my Sager notebook’s BIOS.

For those in a similar tight place…

Alright, I shouldn’t have experimented with the BIOS settings so flippantly, but all my other current hardware either has an internal “reset” jumper, or it automatically detects problems and resets itself, so I assumed I was safe…

Well imagine my surprise that powering on gave me an utterly blank screen, and no combination of keys would fix it.  Opening the case showed no reset mechanism either.  And Sager’s website showed no support options except an RMA form…

Fortunately I found (elsewhere) an email address for support: .  I emailed and got a response within 24 hours asking for a serial number.  Knowing it was out of warranty (and expecting a “sorry about your luck” response), I gritted my teeth & answered.

Glory be, 12 hours later I received these instructions from Daniel on how to reset the BIOS to factory settings:

Bob,

If you feel comfortable, Try this, 1st unplug all the power remove the AC Adapter and the Battery. And open the bottom cover(see attachment picture) and unplug the Cmos-Battery’s wire(red&black crop by Green Color) for like 15sec. Then reconnect it back the wire then everything ACA and the Big Battery. See that will help.

*** We don’t hold any responsibility ***

Daniel
Sager computer
18005 Cortney Ct
City of Industry, CA 91748
Tel# 1-800-741-2219 626 964 4849
Fax# 626-964-2381

Despite Bob-ifying me, it made enough sense that I was booting normally in 5 minutes (most of that spent on the tiny screws).

It’s good info, Sager just needs to share it more easily.  I wrote back to thank Daniel, and suggested they put this kind of info in a public knowledgebase.

Finally off dotText!

It took ages, but I’m on dasBlog now.  Good riddance to dotText!  — I bid it lovingly, though, since it served well for a 1st generation blog engine — Somehow a couple hundred legitimate posts + comments garnered many thousands of comment spams.  I expect dasBlog will handle that all better; captchas are a tad annoying but effective, I hear.

That dasBlog is still under active development is a good sign.  I find that quality much more important these days.  For reference, dotText was last updated almost 2yrs ago (and wasn’t even really released).

So in other news (in the sense that no news is its own news), I haven’t posted much of anything in a couple months, and even then there wasn’t much meat.  I plan to start writing/posting with something like BlogJet.  (Yes, I actually used dotText’s web-based editor, which was text-only in Firefox — I’m entirely too comfortable with code for my own good).  Hopefully this ease will lubricate the writing process.

Regarding the transition: I used two great tools.  One was Aaron Junod’s great dotText to dasBlog converter to migrate the content.  This would have done the trick many moons ago, except that I didn’t want to orphan all my incoming links (a big no-no to a web dev like me).  Fortunately, Scott Hanselman published a Regex to remap URLs from dotText’s format to dasBlog’s (If only I hadn’t fat-fingered that one the first time I tried it way back, it’d actually have worked). 

Finally, some outstanding meta-throbs junk:

  1. Comments were probably lost.  Sorry.  I noticed spammers were usually changing the subject from the default “re: whatever”, so I killed most of the rest. 
  2. Search is gone for the moment.  I’ll add it back in Real Soon Now.
  3. Images and other locally-hosted junk is probably all broken.  I’ll fix that slightly sooner.
  4. Comments are screwy (dotText saved as HTML.  dasBlog doesn’t.)
  5. Layout is messed in IE6.

Miscellaneous Brrreeeport

Looks like I’m:

  • Participating in Scoble’s brrreeeport experiment.

  • Syndicating Digg’s Programming news here now (in the sidebar).
  • Considering participating in Technet ScriptCenter’s Scripting Games event, despite my busy-ness. (Hey, I could be a contender!)
  • Baffled why UC would require its own Alumni (aka “prospective donors” to UC’s board) to jump through Stone Age hoops to get a transcript (this is 2006, and phone isn’t even an option), and they’ll still take “5-10 days” to process it.
  • Downloading various free VMwares at the moment. Oh, and eating cookie dough.
  • Wondering why the machine I’ve reinstalled at least 12 times in 12 months — due to strange disk problems, but with different disks — now appears problem free after switching its filesystem from NTFS to FAT32 (which is supposedly more fragile).
  • Also wondering why the Virtual NT4 Server I spent the last week fighting with just refuses to run IIS4.
  • Avidly tracking shipment of my new little Athlon 64-based machine, due here Tuesday.
  • Chuckling at the recent surplus of general serendipity.
  • Remembering that Tuesday is Valentine’s day….

IE6 HTTP Bug with HTTP_Accept request header

Something I bumped into today: the first time Internet Explorer loads a URL, it sends an Accept request header (which ASP exposes as the HTTP_ACCEPT server variable) listing the MIME types it accepts, like so:
HTTP_ACCEPT = application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Any subsequent request for the same URL, though, only sends "*/*":
HTTP_ACCEPT = */*

I watched this through an ASP page that wrote out Request.ServerVariables("HTTP_Accept"). I wasn’t sure whether it was IIS’s or IE’s fault, though, so I checked the raw headers with Fiddler, and it’s definitely IE.

What’s especially strange is that I can find little or no mention of the problem. Anyone else heard of (or conquered) this?

It rather messes up a page I’m working on…

UPDATE: See here for a bug and workaround demo article I just put together.
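A server-side way to live with this, as an added example that is separate from the post and from the workaround article it links: a content-negotiation helper that parses whatever Accept header arrives, q-values included, and ranks the server's own preferences first, so a page that branches on Accept returns the same thing whether IE sent the long list or only "*/*". The two sample headers are the values captured in the post; the offered types are made up for the demonstration.

```powershell
# Added example, not code from the original post.
function Select-ResponseType {
    param(
        [string]   $Accept,                  # raw Accept header; empty or missing counts as */*
        [string[]] $Offered,                 # types the page can produce, most preferred first
        [string]   $Default = $Offered[0]    # returned when nothing in Accept matches
    )
    if ([string]::IsNullOrWhiteSpace($Accept)) { return $Default }

    # "type/subtype;q=0.8, ..." -> list of (Type, Q); q defaults to 1.0 (RFC 2616 section 14.1)
    $prefs = foreach ($entry in $Accept.Split(',')) {
        $parts = $entry.Trim().Split(';')
        $q = 1.0
        foreach ($param in ($parts | Select-Object -Skip 1)) {
            $kv = $param.Trim().Split('=', 2)
            if ($kv.Count -eq 2 -and $kv[0].Trim() -eq 'q') { $q = [double]$kv[1].Trim() }
        }
        [pscustomobject]@{ Type = $parts[0].Trim().ToLowerInvariant(); Q = $q }
    }

    # For each offered type use the most specific Accept entry: exact, then major/*, then */*.
    # Ties on q go to the server's order, so "*/*" alone yields the same answer as a full list.
    $best = $null; $bestQ = 0.0
    foreach ($type in $Offered) {
        $t = $type.ToLowerInvariant()
        $candidates = $t, ($t.Split('/')[0] + '/*'), '*/*'
        $match = $null
        foreach ($c in $candidates) {
            $match = $prefs | Where-Object { $_.Type -eq $c } | Select-Object -First 1
            if ($match) { break }
        }
        if ($match -and $match.Q -gt $bestQ) { $best = $type; $bestQ = $match.Q }
    }
    if ($best) { $best } else { $Default }   # nothing acceptable: fall back rather than fail
}

# Constructed inputs: the two headers seen in the post, and an invented list of offered types.
$firstRequest = 'application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*'
$laterRequest = '*/*'
$offered      = 'text/html', 'application/vnd.ms-excel'
Select-ResponseType -Accept $firstRequest -Offered $offered
Select-ResponseType -Accept $laterRequest -Offered $offered
Select-ResponseType -Accept 'text/plain;q=0.5, text/html' -Offered $offered   # an explicit client preference
```

The design choice is the fix: a page that serves the spreadsheet only when the client explicitly lists application/vnd.ms-excel will behave differently on IE's first and second requests, whereas a page that decides from its own preference order and treats "*/*" as "anything" does not.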