Category Archives: Random Bits

Solution for Windows cross-subnet browsing issue in mid-2016

Hello all-

This is a follow-up to my original post, in which I discussed how to set up cross-subnet browsing so that all computers come up in “Network” or “Network Neighborhood”.

For the last few months, my “Network” browse list has disappeared and would ONLY show computers from my LAN subnet.  My remote (VPN-to-VPN) network subnet disappeared from my “Network” computer list.

After >>MUCH<< research I have found the problem and will present the solution.

The problem is due to the Microsoft Windows Update (for both desktop and server OS’s) KB3161949  (read about it here).

Part of the effect of this update was to “harden” the NETBIOS service and prevent NETBIOS data from being sent between subnets.

 

THE SOLUTION:

Two ways of handling this.

  1. You can remove this specific hotfix
  2. You can add a registry setting to override it.

(YOUR CHOICE)

To REMOVE the hotfix:

On SERVERS: Go to Control Panel, Uninstall a program, View Installed Updates… Remove 3161949. You’ll need to reboot. After rebooting, go check for Windows updates again (MANUALLY). 3161949 will pop up. Right click and HIDE UPDATE.

On Desktops:  Same process as above – HOWEVER – Depending on which version of windows, which OS Rollup you are on, 3161949 might not show up.  If you cannot remove 3161949, simply add the registry key below.

–OPTIONAL METHOD–

Involves a registry key addition, then you need to reboot the machine.

SUBKEY: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Value Name: AllowNBToInternet
Type: Dword
Value: 1
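
The registry override above, scripted in PowerShell (an added example, not part of the original post). It reports whether KB3161949 is installed and what AllowNBToInternet is currently set to, and writes the value only when run without -WhatIf. The function name Set-NetBTOverride is hypothetical, and treating 0 as the same as the value being absent is an assumption.

```powershell
# Added example; the function name is hypothetical. Run from an elevated prompt.
function Set-NetBTOverride {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # 1 = the override from this post. 0 is assumed here to behave like the
        # value being absent, i.e. the hardened behaviour the update introduced.
        [ValidateSet(0, 1)][int]$Value = 1
    )
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
    $name = 'AllowNBToInternet'

    # Is the update listed on this machine? Rollups may hide it.
    $hotfix = Get-HotFix -Id 'KB3161949' -ErrorAction SilentlyContinue

    # Current value; $null means the value has never been created.
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    $changed = $false
    if ($current -ne $Value -and $PSCmdlet.ShouldProcess("$key\$name", "Set DWORD to $Value")) {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Value -Force | Out-Null
        $changed = $true
    }

    # One record per machine, so runs on several servers can be compared.
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        KB3161949      = [bool]$hotfix
        PreviousValue  = $current
        RequestedValue = $Value
        Changed        = $changed
        RebootRequired = $changed
    }
}

Set-NetBTOverride -WhatIf   # report only; drop -WhatIf to write the value
```

Running it with -Value 0 puts a machine back on the update's behaviour once cross-subnet browsing is no longer needed.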

 

** REMEMBER TO REBOOT after you do either the uninstall or registry key.

** It will take 5-60 minutes for the Network browse lists to refresh

*** MOST IMPORTANT ***

You MUST do this on your domain servers (Master Browsers) on each side of the subnet.  For example, I have four domain servers, two on each side.  I did this procedure on both, then rebooted all four domain servers.

Then I did this on my Windows 10 Pro workstation (via registry key) and rebooted.

When I checked my computer 30 minutes later, all machines were showing up in the browse list under “Network” in Windows 10.

 

Let me know if any questions…

Kerio Mailserver CSR generation and import of SSL Cert

This is the entire process from CSR generation to installing the CRT with all trusted intermediate certs so that your connection is as good as possible.

The primary reason for this article is due to issues that Google Gmail has with remote POP mail checking if the SSL and all Intermediate Certs aren’t installed.

Note: This is applicable for Kerio Mailserver 6.X and earlier.  I cannot verify if it 100% works with 7.0 or newer.

Generating the new CSR Certificate Signing Request from Kerio

  1. download the Kerio SSL tool here
  2. extract that file to a new directory off your C:\ root, something easy like “C:\SSL”
  3. inside the Kerio interface, go to the SSL Certs config page and
  4. New->New Certificate Request
  5. complete it and make sure your hostname is your full domain name to be protected by the SSL, eg “mail.yourdomainname.com”
  6. save this file into the new directory above.
  7. Run the following command from a command line.  Feel free to change the bits if needed.  We only use 4096
    1. openssl genrsa -out server.key 4096
    2. This will output a file called “server.key”
  8. Run the following command:
    1. openssl req -new -days 365 -key server.key -out server.csr -config openssl.cfg
  9. That will generate a file called “server.csr”. You will need this for Godaddy, Comodo or wherever you get the SSL cert

 

Buy a new SSL and use the “server.csr” file to process it.

 

Handling the installation of your new CRT and installing intermediate keys as well.

  1. extract the zip file with your new CRT file into the directory above
  2. you will need to locate and download the “intermediate certificates” for your SSL if they do not already come inside the zip file.  In my case, we had an “Comodo Instant SSL” and inside it there was our domain CRT file and a second file “mail_mydomainname_com.ca-bundle”.  I used the contents of this “ca-bundle” file for my needs.
  3. using a text editor like “Ultraedit” or “Notepad++” (NOTE: DON’T USE NOTEPAD), open the .CRT file.
  4. Copy it
  5. paste it into a new blank document
  6. open the additional file(s)
  7. Paste them directly below your .CRT file text, into the text file.  If there is more than one, paste them back to back to back in the file.  Note: your domain CRT must be the first one, followed by the Int. certs.
  8. Save the file.  Call it something like “mydomainname with extras.CRT”
  9. open Kerio
  10. SSL Certs
  11. Import New Cert
  12. first it will ask for the KEY file you generated in the first section above.  locate that file and open it
  13. second it will be looking for our new combined CRT file that we just did in this section above.
  14. once it imports, select the new cert as the active cert
  15. restart kerio mailserver
  16. go to this site and run a test on your domainname.
  17. if you’ve done everything properly, you should have all “Green Checkmarks” and a clean bill of health on your domain name.
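
A check you can run on the combined file before importing it into Kerio, as an added PowerShell example (not from the original post; the function name and the path in the usage line are hypothetical). It confirms that the domain certificate comes first, that each certificate is issued by the one pasted below it, that nothing has expired, and that no private key was pasted in. It assumes PowerShell 5 or later and matches the hostname against the subject CN only.

```powershell
# Added example; the function name and the file name in the usage line are hypothetical.
function Test-CertBundleOrder {
    param(
        [Parameter(Mandatory)][string]$Path,      # combined .CRT saved in step 8
        [Parameter(Mandatory)][string]$HostName   # e.g. mail.yourdomainname.com
    )
    $text = Get-Content -Path $Path -Raw
    # The key file is imported separately (step 12); it must not be in this file.
    if ($text -match '-----BEGIN [A-Z ]*PRIVATE KEY-----') {
        throw "Private key material found in $Path."
    }
    $pattern = '-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----'
    $certs = @(foreach ($m in [regex]::Matches($text, $pattern, 'Singleline')) {
        $der = [Convert]::FromBase64String($m.Groups[1].Value)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    })
    if ($certs.Count -lt 2) { throw 'Expected the domain cert plus at least one intermediate.' }

    $problems = @()
    # Position 1 must be the domain certificate (simple CN match; SAN-only certs need more).
    if ($certs[0].Subject -notmatch [regex]::Escape("CN=$HostName")) {
        $problems += "First cert is '$($certs[0].Subject)', not the one for $HostName."
    }
    # Each certificate must be issued by the one pasted directly below it.
    for ($i = 0; $i -lt $certs.Count - 1; $i++) {
        $issuer  = [BitConverter]::ToString($certs[$i].IssuerName.RawData)
        $subject = [BitConverter]::ToString($certs[$i + 1].SubjectName.RawData)
        if ($issuer -ne $subject) {
            $problems += "Cert $($i + 1) was not issued by cert $($i + 2); check paste order."
        }
    }
    foreach ($c in $certs) {
        if ($c.NotAfter -lt (Get-Date)) { $problems += "Expired: $($c.Subject)" }
    }
    [pscustomobject]@{ Certificates = $certs.Count; Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Usage (hypothetical path):
# Test-CertBundleOrder -Path 'C:\SSL\combined.CRT' -HostName 'mail.yourdomainname.com'
```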

 

PFSENSE 2.3 PPTP VPN passthru workaround

PFSense 2.3.x and up have removed the PPTP tab and the PPTP passthru options.  This is because PPTP has been deprecated and is not considered 100% safe anymore.

For those of you still in need of using PPTP passthru to allow Windows VPN remote users into your LAN, here is the easy workaround.

  1. Firewall, NAT, Port forward.
    1. add port forward from WAN (presumably your outside interface name)
      1. TCP
      2. WAN ADDRESS
      3. DEST PORT RANGE=PPTP 1723
      4. REDIRECT TARGET IP=the internal IP of your Windows RRAS server.
      5. REDIRECT TARGET PORT=1723
      6. Allow it to ADD ASSOCIATED FILTER RULE for this entry
      7. SAVE
    2. add another rule, exactly the same as above EXCEPT for GRE.  All the same settings, but use GRE
  2. Once that is complete, go look at your WAN firewall rules.  You should have two new auto-created rules.  One for PPTP and one for GRE.
  3.  Remote users should now be able to connect just fine through PFSENSE 2.3.x into your Windows RRAS server.

Remember, using PPTP in 2016 is considered a risk, so do it at your own risk.  Please consider moving towards a newer VPN standard with better security.

How to uninstall MSE from Windows Server 2012 R2

We recently ran into a situation where we had a Windows 2012 R2 server with Microsoft Security Essentials installed on it (from a few years ago), and now with a recent Windows Update – the Windows update will not install because MSE is no longer compatible with this OS.

The issue is that you can not uninstall MSE via the standard “add/remove” programs.  When that is attempted I get the following error:

Error Code: 0x8004FF04

At that point you’re dead in the water and can’t remove MSE.

Here’s the EASY fix:

go to

C:\Program Files\Microsoft Security Client

and RIGHT CLICK on Setup.exe

Go to Compatibility, check it and change to WIN 7.

Bring up a command prompt

Type in:

"C:\Program Files\Microsoft Security Client\Setup.exe" /disableoslimit /u

This will bring up MSE and at this point you will see an “uninstall” button.

Click Uninstall and remove it!

 

How to Migrate Office 2013 or 2016 to new computer

I recently upgraded my workstation to a new computer running Windows 10 Pro.  I needed to move over my Outlook 2016 email accounts and calendars to the new location.

 

This is a very easy process.

  1. Install Office 2013 or 2016 on the new computer.
  2. Run windows updates
  3. Make sure both computers are not currently in Outlook
  4. Copy the entire Outlook data folder to your new computer.  I am not providing directions for this.  You should know what you’re doing here (or use Google).
  5. Now you will have a copy of outlook data (PST’s) in both locations.
  6. Copy over any internet shared calendars from your old machine to the new machine.  File location is here, and it would be sitting in the root if it exists:
    1. C:\Users\{username}\AppData\Local\Microsoft\Outlook
  7. On your old machine run REGEDIT.  EXPORT this entire key which contains all your email account settings.
    1. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook
    2. Note: If you are on a different version of outlook the version 16.0 will be a different number.
  8. Copy that REG file to your new PC and double click and let it insert it into the registry
  9. Move over any signatures from your old computer to your new computer.  Those are located here:
    1. C:\Users\{username}\AppData\Roaming\Microsoft\Signatures
    2. Note: You probably should just copy the entire folder and paste it in the same place on your new PC.
  10. Launch Outlook on the new PC.  Pick your profile and set as default.  Then go update each account’s password.  Once you update the passwords you will be able to resume doing email exactly as you were doing it on the old PC.

 

Seagate Backup Exec 14.x reuse improperly allocated tape

Let’s say you have a DLT drive and you are running a backup job like this:

Full

Incremental

Incremental

{eject}

Next tape

etc.

Every so often, due to power outages, mistakes, etc., a tape may eject out of the drive. You pop it back in, but the job won’t run: it ejects the tape and asks for a tape that is overwritable, because the current tape is already (previously) allocated and you can’t use it.

There is an easy solution for this, but you’ll need to re-run your full backup job.

How to address it:

  1. With the current tape out, cancel the current job, so that the jobs re-queue as queued in the future
  2. pop the tape in
  3. go to the Storage tab, click on the DLT drive
  4. pick INVENTORY -> Inventory Now
  5. Let that complete
  6. pick Erase -> Erase now
  7. restart the FULL job and let it complete.
  8. the next incremental job will then run as scheduled and you are back on track with the backup cycle.

 

WordPress and Google Fonts HTTP and HTTPS error messages and resolutions…

If you are trying to deal with the dreaded insecure messages when trying to use Google Fonts on WordPress based sites, here are a few things to try. Within the specific theme folder you are using, edit the functions.php file. You want to examine the file and search/look for “googleapis”.  That should help you find the correct area of the code. In my example site (below), notice how the url is referenced as “//fonts.googleapis.com” and not as “http://fonts…”.

Make sure your theme is using just “//fonts.googleapis…” and is not hard coded to HTTP or HTTPS

// Retrieve Font URL to register default Google Fonts
function courage_google_fonts_url() {

    $font_families = array( 'Lato', 'Fjalla One' );
    $query_args = array(
        'family' => urlencode( implode( '|', $font_families ) ),
        'subset' => urlencode( 'latin,latin-ext' ),
    );
    // Protocol-relative URL: the browser reuses the scheme (http or https) of the page itself
    $fonts_url = add_query_arg( $query_args, '//fonts.googleapis.com/css' );

    return apply_filters( 'courage_google_fonts_url', $fonts_url );
}

 

If you make these changes and this does not help, or if you cannot locate similar code in the functions file – and you’re still getting the SSL warning messages on your site, then you’re probably at the mercy of a specific plugin, or issue with your particular theme.

Try shifting the site to a basic theme like 2015 (for a few minutes for testing…) and see if the site works fine in http/https modes with the google fonts.  If it DOES, then the issue is your theme.  Contact the theme developer or look hard through the theme code and determine where the googleapis call is.

If the theme does not seem to be the issue, then it’s probably a plugin that’s causing your issues.  If you feel brave, disable the plugins and start testing one after another to try and localize which plugin is causing the issue.  (Disable all of them. Test the site.  See if the fonts work without issue.  Enable one plugin.  Test again, enable another plugin, more testing, etc.)

Hope that helps a bit!

Wp-Recaptcha 4.0 and 4.1 with WordPress ERROR: Global site keys are not supported

If you have upgraded to WP-Recaptcha 4.0 or 4.1 and are now receiving this error message

ERROR: Global site keys are not supported

There are issues with the 4.0 and 4.1 WP-Recaptcha plugins.

Read here

 

Solutions:

1) roll back to 3.2.  Download it from me, here
2) change plugin to something else

** DO NOT UPDATE To 4.0 or 4.1 if you are using WP-RECAPTCHA

ASPMAKER CKEDITOR fonts and font sizes and font colors…

By default, ASPMAKER 11 (and higher) come with the basic CKEDITOR toolbar.

If you wish the full capabilities of CKEDITOR:

1) deploy out your normal ASPMAKER project folder to the web server

2) go to http://ckeditor.com/addons/plugins/all and use the “CKBUILDER” on the right side to build out your custom build of CKEDITOR (I just took “everything”).

3) save the file

4) extract, and overwrite your existing CKEDITOR file inside the ASPMAKER folder on your server.

5) edit the CONFIG.JS file and add this line    config.allowedContent = true;

That turns off CKEDITOR’s content filtering, which makes sure you can save HTML without certain tags getting stripped out.

 
