Lessons Learned

Things I wish I had known…

September 16th, 2007

Remotely Restarting an SBS Server When Remotely Restarting the Server Didn’t Work

My operation manages security updates for a number of clients running SBS. This is a process we handle remotely, and have the process down to nearly a science. Every once in a while, we encounter hiccups, but not very often. This weekend, we found several servers that got “stuck” in a state following a restart request where the server was still up, but it wasn’t responding to RDP requests.

This behavior has been noted by several folks in the community, but it’s been a hit and miss prospect to figure out what’s going on. Well, at the time you’re trying to get updates installed for a client, you’re not really all that concerned about the “why” of it all. You just really want to get the server back to a point where you can connect in to it again without having to go onsite. And given that we manage servers all across the US, going on site just isn’t an option.

Some folks have taken to using third party remote control tools to access their servers rather than relying just on RDP. Still, it’s possible that these services, like the TS service, get stopped when the server restart command is issued, and a remote connection still isn’t possible.

Fortunately, with SBS, we still have an option available to us to help get the server restarted so we can get back in: Remote Web Workplace. In all of the cases we encountered this weekend, it was only the TS service that got shut off, so we were able to log in to RWW, connect to a workstation at the site, and get the server restarted from there.

But wait, that’s the real magic of this post - how to remotely restart the server when you cannot connect to it by other methods, but it’s still alive on the network. Here’s how:

  1. Log in to the workstation via RWW as the domain administrator.
  2. Verify that the server is actually “alive” by connecting to the server with the Computer Management console:
    1. Right-click on My Computer on the workstation and select Manage.
    2. Right-click on Computer Management (Local) and select “Connect to another computer.”
    3. Enter the name of the server and click OK.
    4. If the connection succeeds and you can browse the event logs on the server, you’ve got a good connection.
    5. From within the Computer Management console, you may be able to restart the service that got stopped, in this case the Terminal Server service. Expand Services and Applications and click on Services to see the list of services. Find the service in question and see if you can start it. This may still not get you what you want, so you may need to proceed with the steps to restart the server.
  3. Open a command prompt on the workstation.
  4. Type “shutdown -r -m \\servername -t 5” (without the quotes) and press Enter. This will restart the server servername after a 5 second delay.
  5. When you get kicked out of the RWW session to the workstation, you know the server has finally restarted.
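
The same sequence as a script, as an added example that is not part of the original post. It assumes Windows PowerShell on the workstation, a domain administrator session, that the stopped service is Terminal Services under the service name TermService, and RDP on its default port; `SERVERNAME` is a placeholder.

```powershell
# Added example. Run on the workstation as the domain administrator.
param(
    [string]$Server = 'SERVERNAME',        # placeholder: the stuck SBS server
    [string]$ServiceName = 'TermService',  # assumption: Terminal Services service name
    [int]$RdpPort = 3389                   # assumption: RDP on its default port
)

function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# Step 2: confirm the server is alive by querying the service remotely.
# sc.exe is spelled out because "sc" alone is a PowerShell alias for Set-Content.
$query = sc.exe "\\$Server" query $ServiceName
if ($LASTEXITCODE -ne 0) {
    Write-Error "Cannot query $ServiceName on $Server (exit code $LASTEXITCODE). Check the name and your credentials."
    exit 1
}
$state = "$($query | Select-String 'STATE')".Trim()
Write-Host "$ServiceName on ${Server}: $state"

# Step 2.5: try starting the stopped service before resorting to a restart.
if ($state -notmatch 'RUNNING') {
    sc.exe "\\$Server" start $ServiceName | Out-Null
    Start-Sleep -Seconds 10
}
if (Test-TcpPort $Server $RdpPort) {
    Write-Host "RDP is answering on $Server; no restart needed."
    exit 0
}

# Step 4: restart the server with the command from the post.
# The RWW session drops when the server goes down, so nothing runs after this.
shutdown.exe -r -m "\\$Server" -t 5
```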

There are lots of things you can do with the shutdown command. Type “shutdown /?” to see what the various options are.

If you encounter this problem and do NOT have an SBS server (and therefore no RWW to access another workstation), you could make a VPN connection to the network and remotely control another workstation from there. The key thing is to make sure that you are authenticated as the domain administrator when you issue the shutdown command or you’ll get access denied errors and still won’t be able to do anything. Or if you have remote access into a workstation on the network using some other means, the same shutdown option will still work.

September 14th, 2007

Configuring IMAP over SSL on SBS 2003 Premium with ISA 2004

Special thanks to Tim Barrett who had the original idea for this document.

Because of the release of the iPhone, there has been an increase in interest in configuring IMAP and POP3 services on SBS servers. In this author’s opinion, providing access to e-mail via IMAP is better than POP3. The approach of IMAP more closely emulates how Exchange provides e-mail services in that messages are maintained on the server, and the IMAP client only pulls down what is needed. There are still security issues with IMAP, however, in that the default protocol still transmits the username and password information across the internet in clear text, and even though fewer sniffers are trained on IMAP ports to try and discover account credentials, the risk is still there.

To help protect account credentials, as well as e-mail contents, IMAP can be set up over SSL, which encrypts the entire transaction process, not just username and password. The iPhone and other devices can be easily set up to use IMAP over SSL, but you have to first set up the Exchange server on SBS to provide the secure mail transport. This document covers this implementation with SBS 2003 Premium running ISA 2004. If you have a firewall running in front of ISA, you will need to configure the port forwarding in that firewall as well, but steps for doing that are outside the scope of this document.

Follow these steps to enable and configure IMAP using SSL over ISA 2004.

  1. Enable the IMAP service on SBS 2003
    1. Open the Services control panel (Start -> Run -> services.msc or Start -> All Programs -> Administrative Tools -> Services)
    2. Scroll down to find Microsoft Exchange IMAP4.
    3. Double-click on the service to open the properties.
    4. In the General tab, change the Startup Type to Automatic.
    5. Click Start to start the IMAP service.
    6. Click OK to close the Properties window.
    7. Confirm that the IMAP service is started and set to Automatic in the services list.
  2. Configure IMAP services in Exchange
    1. Open Exchange System Manager (Start -> All Programs -> Microsoft Exchange -> Exchange System Manager).
    2. Expand Servers, your server name, Protocols, and IMAP4.
    3. Select the Default IMAP4 Virtual Server, right click and select Properties.
    4. Select the Access tab, then click on the Certificate button under “Secure communication”.
    5. Go through the Web Server Certificate Wizard. Click Next to start.
    6. Select “Assign an existing certificate” and click Next.
    7. Select the public certificate name and click Next.
    8. Verify the proper certificate has been selected and click Next.
    9. Complete the wizard by clicking Finish.
    10. Select the “General” tab and click the “Advanced” button.
    11. Confirm the ports for IMAP are 143 and 993 (for SSL) and the IP address is “All Unassigned”.
    12. Click OK to close the Advanced dialog box, then click OK to close the properties of the IMAP4 Default Virtual Server.
  3. Enable SSL connections for the SMTP service
    1. Open Exchange System Manager.
    2. Expand Servers, your server name, Protocols, SMTP, and select the Default SMTP Virtual Server.
    3. Right-click on the Default SMTP Virtual Server and select Properties.
    4. Select the Delivery tab, then click Advanced.
    5. In the “Fully-qualified domain name” field, enter the full public DNS name of the server and click OK.
    6. Select the Access tab and click the Certificate button under “Secure communication”.
    7. Select “Assign an existing certificate” and click Next.
    8. Select the public certificate name, and click Next.
    9. Confirm the correct certificate selection and click Next.
    10. Click Finish to complete the wizard.
    11. In the Access tab, click Communication under “Secure Communication.”
    12. In the Security dialog box, ensure that the “Require secure channel” checkbox is turned off.
    13. Click OK to close the Security dialog, then click OK to close the Default SMTP Virtual Server properties.
  4. Configure ISA 2004 to accept connections for IMAP SSL
    1. Open the ISA 2004 Management Console.
    2. Select Firewall Policy in the left pane, then select the Tasks tab in the right pane.
    3. Click the Create New Server Publishing Rule task to start the wizard.
    4. Name the new rule and click Next.
    5. Enter the internal IP address of the SBS server as the Server IP Address and click Next.
    6. In the Select Protocol page, select IMAPS Server from the drop-down list and click Next.
    7. In the IP Addresses page, select the External checkbox and click Next.
    8. Review the settings and click Finish to complete the wizard.
    9. Click Apply to accept the updates, then close the ISA 2004 Management Console.

At this point, you are able to make SSL connections to both the IMAP4 service and the SMTP service.

This post is now available with screen shots and in PDF format at smallbizserver.net. Also, check out Tim’s post on actually configuring the iPhone. However, you should set IMAP to use SSL on the iPhone. Not sure why it didn’t work for him…

September 13th, 2007

Configuring IMAP over SSL on SBS 2003 Standard

Special thanks to Tim Barrett who had the original idea for this document.

Because of the release of the iPhone, there has been an increase in interest in configuring IMAP and POP3 services on SBS servers. In this author’s opinion, providing access to e-mail via IMAP is better than POP3. The approach of IMAP more closely emulates how Exchange provides e-mail services in that messages are maintained on the server, and the IMAP client only pulls down what is needed. There are still security issues with IMAP, however, in that the default protocol still transmits the username and password information across the internet in clear text, and even though fewer sniffers are trained on IMAP ports to try and discover account credentials, the risk is still there.

To help protect account credentials, as well as e-mail contents, IMAP can be set up over SSL, which encrypts the entire transaction process, not just username and password. The iPhone and other devices can be easily set up to use IMAP over SSL, but you have to first set up the Exchange server on SBS to provide the secure mail transport. This document covers this implementation with SBS 2003 Standard and no ISA. You will need to configure your firewall to forward the appropriate ports to the SBS server, which is beyond the scope of this document.

Follow these steps to enable and configure IMAP using SSL.

  1. Enable the IMAP service on SBS 2003
    1. Open the Services control panel (Start -> Run -> services.msc or Start -> All Programs -> Administrative Tools -> Services)
    2. Scroll down to find Microsoft Exchange IMAP4.
    3. Double-click on the service to open the properties.
    4. In the General tab, change the Startup Type to Automatic.
    5. Click Start to start the IMAP service.
    6. Click OK to close the Properties window.
    7. Confirm that the IMAP service is started and set to Automatic in the services list.
  2. Configure IMAP services in Exchange
    1. Open Exchange System Manager (Start -> All Programs -> Microsoft Exchange -> Exchange System Manager).
    2. Expand Servers, your server name, Protocols, and IMAP4.
    3. Select the Default IMAP4 Virtual Server, right click and select Properties.
    4. Select the Access tab, then click on the Certificate button under “Secure communication”.
    5. Go through the Web Server Certificate Wizard. Click Next to start.
    6. Select “Assign an existing certificate” and click Next.
    7. Select the public certificate name and click Next.
    8. Verify the proper certificate has been selected and click Next.
    9. Complete the wizard by clicking Finish.
    10. Select the “General” tab and click the “Advanced” button.
    11. Confirm the ports for IMAP are 143 and 993 (for SSL) and the IP address is “All Unassigned”.
    12. Click OK to close the Advanced dialog box, then click OK to close the properties of the IMAP4 Default Virtual Server.
  3. Enable SSL connections for the SMTP service
    1. Open Exchange System Manager.
    2. Expand Servers, your server name, Protocols, SMTP, and select the Default SMTP Virtual Server.
    3. Right-click on the Default SMTP Virtual Server and select Properties.
    4. Select the Delivery tab, then click Advanced.
    5. In the “Fully-qualified domain name” field, enter the full public DNS name of the server and click OK.
    6. Select the Access tab and click the Certificate button under “Secure communication”.
    7. Select “Assign an existing certificate” and click Next.
    8. Select the public certificate name, and click Next.
    9. Confirm the correct certificate selection and click Next.
    10. Click Finish to complete the wizard.
    11. In the Access tab, click Communication under “Secure Communication.”
    12. In the Security dialog box, ensure that the “Require secure channel” checkbox is turned off.
    13. Click OK to close the Security dialog, then click OK to close the Default SMTP Virtual Server properties.

At this point, you are able to make SSL connections to both the IMAP4 service and the SMTP service.
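
A check of the finished configuration, for both this post and the ISA 2004 version above, as an added example that is not part of the original posts. It confirms that port 993 presents a certificate a client will trust for the public name, and reports whether the cleartext port 143 is also reachable from where it runs; `mail.example.com` is a placeholder and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the original post. Run from OUTSIDE the network.
param([string]$MailHost = 'mail.example.com')   # placeholder: public DNS name

function Test-Imaps([string]$HostName, [int]$Port = 993) {
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Default validation: trusted chain and a name that matches $HostName.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)   # throws if the certificate is rejected
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $reader = New-Object System.IO.StreamReader($ssl)
        [pscustomobject]@{
            Protocol = $ssl.SslProtocol
            Subject  = $cert.Subject
            NotAfter = $cert.NotAfter
            Greeting = $reader.ReadLine()      # IMAP greeting, read over TLS
        }
    } finally { $tcp.Close() }
}

function Test-PlainImap([string]$HostName, [int]$Port = 143) {
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($HostName, $Port) } catch { $tcp.Close(); return 'not reachable' }
    try {
        $stream = $tcp.GetStream(); $stream.ReadTimeout = 5000
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
        $null = $reader.ReadLine()             # greeting
        $writer.WriteLine('a1 CAPABILITY')
        $caps = $reader.ReadLine()             # "* CAPABILITY ..." line
        $writer.WriteLine('a2 LOGOUT')
        # Without LOGINDISABLED the server permits LOGIN on the unencrypted port.
        if ($caps -match 'LOGINDISABLED') { 'reachable, LOGIN disabled without TLS' }
        else { 'reachable, LOGINDISABLED not advertised (cleartext LOGIN permitted)' }
    } finally { $tcp.Close() }
}

Test-Imaps $MailHost | Format-List
"Port 143 from this location: $(Test-PlainImap $MailHost)"
```

If port 143 reports as reachable from the internet, the firewall is forwarding the cleartext port as well as 993, and clients that are not set to use SSL will still send their credentials unencrypted.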

A PDF version of this post complete with screenshots is also available at smallbizserver.net. Also, check out Tim’s post on actually configuring the iPhone. However, you should set IMAP to use SSL on the iPhone. Not sure why it didn’t work for him…
