mattscott.org Here we go again!

20 Nov 2010

HP ePrint Address Alias Using Exchange 2010 Transport Rules

The other day my company put on a day of presentations for our customers to celebrate our 10th anniversary.  As one of the technology demos we showed off one of the new web-connected printers from HP.  One thing we didn't care for was the crazy HP ePrint email address.  If we wanted to make it easy for our customers to try printing from their mobile devices we couldn't very well make them type in <string of random chars>@hpeprint.com all the time.

So we decided that we'd just create a mailbox rule on our Exchange 2010 server that would forward the message to the ePrint email address generated by HP.  This didn't work at all.

Due to what are probably sensible anti-spam precautions, the messages were rejected.  I suspect that when the message headers were analyzed they didn't pass muster after bouncing through another mailbox like that.

I thought about it and decided this may be a place to try using Exchange Transport Rules.

We kept the Exchange mailbox, eprint@<domain>.com.  This may or may not be strictly necessary, but given the fact that our spam filtering service gets the list of accepted email addresses from Active Directory we did need it in our case.

In the Exchange Management Console I went to Hub Transport under Organization Configuration.  From there I went to the Transport Rules tab and I created a new rule.

In Step 1 I checked the "sent to people" box and entered eprint@<domain>.com as the address.  I wanted to make sure that the rule was only applied to messages I intended to print.

In Step 2 I checked the "remove header" box and set it to remove the "To" header.  I also checked the "add a recipient to the To field addresses" and the "redirect the messages to addresses" boxes and entered the ePrint email address as the value in both of those fields.

It ended up looking like this:

[Screenshot: Transport Rule for ePrinting]

I didn't enter any exceptions in the last window of the wizard.
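The same rule can be built from the Exchange Management Shell instead of the EMC wizard.  This is an added example, not part of the original post; the parameter names map to the wizard checkboxes described above, and the two addresses are placeholders standing in for the eprint@<domain>.com mailbox and the HP-generated <random>@hpeprint.com address.

```powershell
# Added example (not from the original post): Exchange 2010 Management Shell
# equivalent of the transport rule built in the EMC wizard.
# Placeholder addresses; substitute the real alias mailbox and HP ePrint address.
$internalAlias = 'eprint@example.com'        # stands in for eprint@<domain>.com
$ePrintAddress = 'randomchars@hpeprint.com'  # stands in for the HP-generated address

# Condition (wizard Step 1): only messages sent to the alias mailbox match.
# Actions (wizard Step 2): drop the original To header, put the ePrint address
# in To, and redirect delivery so the alias mailbox never stores a copy.
New-TransportRule -Name 'Transport Rule for ePrinting' `
    -SentTo $internalAlias `
    -RemoveHeader 'To' `
    -AddToRecipients $ePrintAddress `
    -RedirectMessageTo $ePrintAddress `
    -Enabled $true

# Confirm the condition and actions landed as intended before sending a test print.
Get-TransportRule -Identity 'Transport Rule for ePrinting' |
    Format-List Name, State, Priority, SentTo, RemoveHeader, AddToRecipients, RedirectMessageTo
```

Because the rule redirects rather than forwards, the message leaves the organization addressed directly to the ePrint address instead of carrying the headers of a bounce through the alias mailbox, which is what the mailbox rule approach produced.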

At this point I sent a test message to the new address and the message printed perfectly.  It simplified things for the customers at our tech fair and they were able to very easily test what seems to be a very desirable printing feature for many of them.

Enjoy!

9 Aug 2008

802.1x Certificate-based Computer Authentication in a Windows Domain

I have a customer that has felt it necessary to secure the network ports in their conference rooms. The goal was to make it impossible for untrusted computers to access the LAN and if possible dump them on to a VLAN that would allow them only Internet access. Rather than detail the whole project I'll just provide a couple of links that helped me out and explain a couple of difficulties I faced. I am still working on the guest vlan portion of the project and will update the config below when that portion of the project is complete.

Switch Configuration

We used a Dell PowerConnect 6248 switch in this case. During R&D for this project I also made 802.1x authentication work on a PowerConnect 6024 and a Cisco Catalyst 2950 series. I actually made things work with the Catalyst first by following this article http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/Sw8021x.html. The important bits of the config for the PowerConnect 6248 are as follows:


*snip*
! This enables dot1x globally
dot1x system-auth-control
! This sets up the radius server. 192.168.1.5 is a Windows Server 2003 server running IAS
aaa authentication dot1x default radius
radius-server key "abcdefg"
radius-server host 192.168.1.5
exit
!
! This port requires authorization. This is the default.
interface ethernet 1/g1
exit
!
! This port is forced into an authorized state.
interface ethernet 1/g2
dot1x port-control force-authorized
exit

Windows Client and Server Configuration

To configure the clients and server I used this article: http://alextch.members.winisp.net/802.1x/Defending%20your%20internal%20network%20with%20802.1x%20and%20Microsoft%20PKI.htm.

This article pretty much got me where I needed to be, but here are a couple of things to note.

  1. You have to make the registry change found on Page 13. There doesn't seem to be any way around it. If you find one, let me know. The plan is to make the change in a logon script.
  2. How your computer names are stored in the certificate issued to the clients is important. The default settings had been changed on the system in this case and this caused some problems. I successfully used a Subject Name Format of None and checked DNS name. I also used a subject name format of Fully Distinguished Name with nothing checked underneath. I do not fully understand these options so YMMV.

Keeping that in mind you shouldn't have any problems implementing this using the two articles that I linked to. I may eventually get really motivated and take screenshots.

UPDATE!

I spent many hours over the last couple of weeks trying to get this to work well in production.  We were seeing very odd behavior.  At times ports that had been moved to the guest vlan would mysteriously be moved to vlan 1 once the host was disconnected and would stay there for long periods of time.  Vlan 1 does not normally contain any ports with this configuration.  At one point we had two ports stay in vlan 1 for more than eighteen hours.  It was weird to say the least.

We tried my Catalyst 2950 in the customer's production environment and it worked perfectly and exactly as I would expect it to.  We finally gave up on the PowerConnect and my customer decided to just buy some used 24-port Catalyst 2950s.

What we ended up doing was creating a trunk port on the PowerConnect 6248 that supplied both the guest and trusted vlans to a trunk port on the Catalyst.  Since my Catalyst is not layer 3 capable, the PowerConnect still handled routing, DHCP relay, and ACLs.  The Catalyst was just responsible for 802.1x.

When I get my switch back I'll post the important bits of the config.