Wednesday, March 28, 2012

Modify Windows RDP Port – Registry Hack

How to change your Windows RDP Port from 3389 to something different
So you have multiple users who want to remote into their work computers from home. Jim, Jack, and Johnny all need to RDP into the network, and with one public IP on the firewall each of them needs his own port. So, on the firewall we add three NAT/PAT rules that send ports 3001-3003 to their respective work computers. Jim opens a command prompt, types “mstsc /v:<firewall public address>:3001”, and nothing happens. Contoso is using a low-end firewall that only forwards a port, it cannot translate 3001 on the outside to 3389 on the inside, so Jim’s Windows machine itself has to listen on port 3001 (and allow it through the Windows Firewall).
Jim’s Home Computer > RDP to port 3001 > Internet > Firewall > forwards port 3001 to his work laptop (which must be listening on 3001)
Here is how to change the RDP listening port on a user’s computer from 3389 to 3001.
1)      Open the Registry editor (as an administrator)
  1. Start > Run > regedit
2)      Locate the following key and value (note the space in “Terminal Server”)
  1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
  2. Value name: PortNumber (REG_DWORD)
3)      Right-click “PortNumber”, choose Modify, and select “Decimal” (the editor shows the value in hex by default, so 3389 appears as d3d)
4)      Change the value to 3001 and click OK
5)      Close the Registry editor, then restart the Remote Desktop Services service (TermService) or reboot; the new port is only read when the listener starts
6)      Add an inbound exception for TCP port 3001 to the Windows Firewall. The built-in “Remote Desktop” exception only covers 3389, so without this step the connection still fails

That’s it! Jim can now RDP to his work computer from outside of work. Run through the same steps two more times (ports 3002 and 3003) to set up access for Jack and Johnny. Keep in mind that a non-standard port only hides RDP from the laziest scanners; anyone who port-scans the firewall will still find it, so strong passwords, account lockout and Network Level Authentication still matter, and a VPN is the safer way to offer this.
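The whole procedure above as one script, added here as an example and not part of the original post. It assumes you run it from an elevated PowerShell prompt on the user’s work computer (Vista/2008 or later, for netsh advfirewall), and that you run it from the console or a different session, since restarting the service drops any RDP session you are connected on. The port number 3001 is the post’s; the NLA setting is an addition.

```powershell
# Added example (not the post's own script): move the RDP listener to a new port,
# open that port in the Windows Firewall, restart the service and verify.
# Run elevated, on the console (restarting TermService drops RDP sessions).
param(
    [ValidateRange(1025, 65535)]
    [int]$NewPort = 3001              # 3001 for Jim, 3002 for Jack, 3003 for Johnny
)
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

$oldPort = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
Write-Host "Current RDP port: $oldPort"
if ($oldPort -eq $NewPort) { Write-Host "Already on $NewPort, nothing to do"; return }

# PortNumber is a REG_DWORD; regedit shows it as hex (3389 = 0xD3D) unless you pick Decimal.
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $NewPort -Type DWord

# Assumed hardening beyond the post: require Network Level Authentication so the
# exposed listener does not present an anonymous logon screen to the whole internet.
Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord

# The built-in "Remote Desktop" exception only covers 3389; add one for the new port.
# netsh advfirewall exists on Vista/2008+; New-NetFirewallRule would need Windows 8/2012+.
netsh advfirewall firewall add rule name="Remote Desktop (TCP $NewPort)" `
    dir=in action=allow protocol=TCP localport=$NewPort profile=any | Out-Null

# The listener only reads PortNumber when it starts: restart the service (or reboot).
# -Force also restarts dependent services such as UmRdpService.
Restart-Service -Name TermService -Force
Start-Sleep -Seconds 5

# Verify: something must be LISTENING on the new port and nothing on the old one.
$netstat   = netstat -ano
$onNew     = $netstat | Select-String "TCP\s+\S+:$NewPort\s+\S+\s+LISTENING"
$onOld     = $netstat | Select-String "TCP\s+\S+:$oldPort\s+\S+\s+LISTENING"
if ($onNew -and -not $onOld) {
    Write-Host "RDP now listening on $NewPort only:`n$onNew"
} else {
    Write-Warning "Listener not where expected (new: $onNew; old: $onOld). Reboot and re-check."
}
```

If the verification warns, the usual cause is that TermService could not be restarted cleanly; a reboot picks up the registry value. Test from outside with mstsc /v:<firewall public address>:3001 only after the firewall NAT rule is in place.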

Renewing your self signed certificate – EXCH 07

Exchange 07 – Renew Self Signed Certificate
Renewing your self-signed cert is a once-a-year pain in the butt. Every year you have to run through the same thing, asking yourself, “How did I do that last year?”
Below is a quick reminder on how to go about the process of renewing your self signed certificate. We will use as our server running all Exchange roles.
1)      List the Exchange certificates in place
  1. Get-ExchangeCertificate -domain “” | fl
  2. Write down which services are enabled for the certificate (e.g. SMTP/POP/IIS/UC/IMAP)
  3. Write down the thumbprint (e.g. “C2DP23PD30988EJD09FKO3FLEPLD3908”; a real thumbprint is the certificate’s SHA-1 hash, 40 hex characters)
2)      Generate a new certificate with the following command (piping the old certificate clones its subject and domain names into the new one)
  1.  Get-ExchangeCertificate -thumbprint “C2DP23PD30988EJD09FKO3FLEPLD3908” | New-ExchangeCertificate
3)      If asked to overwrite the existing default SMTP certificate, select “YES”
4)      A new certificate will be generated; write down its thumbprint
5)      View the new cert and make sure every service you noted down before is enabled on it
  1. Get-ExchangeCertificate -thumbprint “D908DOINF30978ELNC3098FOL09FLK” | fl
6)      If a service is missing but should be there, enable it (F.Y.I. Enable-ExchangeCertificate only adds services; you can’t remove one without recreating the certificate)
  1. Let’s enable POP3
  2. Enable-ExchangeCertificate -thumbprint “D908DOINF30978ELNC3098FOL09FLK” -services POP
7)      Once mail flow and OWA are working and the event logs look good, remove the old certificate
  1. Remove-ExchangeCertificate -thumbprint “C2DP23PD30988EJD09FKO3FLEPLD3908”
If you see any other old certificates, remove them too. I have noticed a lot of people just leave the old certificate. After a couple of years, and people creating the new cert 5 times because they don’t know what they are doing, you might see 20 old certificates when you run Get-ExchangeCertificate. If you don’t keep up with housekeeping on your Exchange Server, it just makes it that much harder on the next guy who hops in.
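The renewal steps above as one Exchange Management Shell script, added here as an example and not part of the original post. It takes the old thumbprint as a parameter (a real one is 40 hex characters), reads the enabled services from the certificate instead of relying on what you wrote down, and only removes the old certificate when you pass -RemoveOld after checking mail flow. The parameter names and the -RemoveOld switch are this script’s own; the cmdlets are the Exchange 2007 ones used in the post.

```powershell
# Added example (not the post's own script): renew an Exchange 2007 self-signed
# certificate and carry its enabled services over to the replacement.
# Run in the Exchange Management Shell on the server holding the certificate.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[0-9A-Fa-f]{40}$')]   # SHA-1 thumbprint, 40 hex characters
    [string]$OldThumbprint,
    [switch]$RemoveOld                        # only after mail flow / OWA are verified
)

$old = Get-ExchangeCertificate -Thumbprint $OldThumbprint
if (-not $old) { throw "No certificate with thumbprint $OldThumbprint on this server" }

# Services is a flags enum; ToString() gives e.g. "IMAP, POP, IIS, SMTP"
$wanted = $old.Services.ToString() -split ',\s*' | Where-Object { $_ -ne 'None' }
Write-Host "Old certificate expires $($old.NotAfter); services: $($wanted -join ', ')"

# Step 2 of the post: clone subject and domain names into a fresh self-signed cert.
# Answer YES if prompted to overwrite the default SMTP certificate.
$new = $old | New-ExchangeCertificate
Write-Host "New thumbprint: $($new.Thumbprint); expires $($new.NotAfter)"

# Steps 5-6: Enable-ExchangeCertificate only ever adds services, so compare and add what is missing.
$have    = (Get-ExchangeCertificate -Thumbprint $new.Thumbprint).Services.ToString() -split ',\s*'
$missing = $wanted | Where-Object { $have -notcontains $_ }
if ($missing) {
    Write-Host "Enabling missing services: $($missing -join ', ')"
    Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services ($missing -join ',')
}

# Housekeeping view: which certificates are still bound to a service, and when they expire
Get-ExchangeCertificate |
    Where-Object { $_.Services -ne 'None' } |
    Sort-Object NotAfter |
    Format-Table Thumbprint, NotAfter, Services -AutoSize

# Step 7: remove the old one only once you have confirmed the new one is in use
if ($RemoveOld) {
    Remove-ExchangeCertificate -Thumbprint $OldThumbprint
    Write-Host "Removed old certificate $OldThumbprint"
} else {
    Write-Host "Old certificate kept; re-run with -RemoveOld after checking mail flow and the event logs"
}
```

Run it once without -RemoveOld, check that clients and mail flow are happy, then run it a second time with -RemoveOld. Anything listed with Services of None is an orphan from a previous year and can go the same way.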

Install RPC over HTTP “Outlook Anywhere” – EXCH 07

Alright, so your users want to open Outlook at home, and don’t want to have to VPN back into the network. Simple solution? YES! Install Outlook Anywhere, A.K.A. RPC over HTTP.

There are 4 Requirements:
1)        Install a valid SSL certificate from a CA that is trusted by the Outlook clients (the Exchange self-signed certificate will not do; Outlook refuses the RPC over HTTP connection when it cannot validate the chain)
2)       Install “RPC over HTTP proxy” Windows Component
3)       Enable Outlook Anywhere on the CAS Server
4)       Configure the Availability Service for external access

So here’s how to do it (assuming you already have the SSL certificate in place)…
1)        Install the RPC over HTTP windows component.
1.     Start > Settings > Control Panel > Double Click “Add or remove Programs”
2.     Click “Add/Remove Windows Components”
3.     Highlight “Networking Services” and then click on “Details”
4.     Select the box next to “RPC over HTTP Proxy” and then click “OK”
5.     Click “next”
6.     Click “Finish”
2)       Use the Exchange Management Console to enable “Outlook Anywhere”
1.     Server Configuration > Click on “Client Access”
2.     On the right hand side click “Enable Outlook Anywhere”
3.     Enter the external host name (the name on the certificate), the client authentication method (Basic or NTLM) and whether SSL offloading is in use
4.     Click “Enable”
5.     Click “Finish”
3)       Configure the Availability Service
1.     Run the following command to get all required info: “Test-OutlookWebServices | fl”
2.     Configure the external URL for the OAB for the Autodiscover Service
Set-OABVirtualDirectory -identity “EXCH01\OAB (Default Web Site)” -externalurl -RequireSSL:$true
3.     Configure the external URL for Unified Messaging for the Autodiscover Service
Set-UMVirtualDirectory -identity “EXCH01\UnifiedMessaging (Default Web Site)” -externalurl /UnifiedMessaging/Service.asmx -BasicAuthentication:$True
4.     Configure the external URL for Exchange Web Services for the Autodiscover Service
Set-WebServicesVirtualDirectory -identity “EXCH01\EWS (Default Web Site)” -externalurl -BasicAuthentication:$True

So after all of that, walk away and come back 15 minutes later and test (it takes about 15 minutes for the Exchange Server to start using RPC over HTTP). Everything should be working at this point. If it isn’t, reboot the Exchange Server, and make sure TCP 443 from the internet actually reaches the CAS and that the external host name you entered matches a name on the certificate.
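Steps 2 and 3 above as shell commands with a verification pass, added here as an example and not part of the original post. It assumes Exchange 2007 SP1 (the Enable-OutlookAnywhere parameter names below are the SP1 ones), the server name EXCH01 from the post, and an external host name of mail.contoso.com, which is an assumption standing in for whatever name is on your trusted certificate.

```powershell
# Added example (not the post's own commands): enable Outlook Anywhere on an
# Exchange 2007 SP1 CAS, set the external URLs that Autodiscover hands out, and verify.
# Run in the Exchange Management Shell. EXCH01 is from the post; mail.contoso.com is assumed.
$server   = 'EXCH01'
$external = 'mail.contoso.com'
$base     = "https://$external"

# Step 2 of the post, done from the shell instead of the EMC wizard.
# Basic auth sends the password inside the SSL tunnel, so the certificate must be one
# clients actually trust; NTLM is the better choice for domain-joined laptops.
if (-not (Get-OutlookAnywhere -Server $server -ErrorAction SilentlyContinue)) {
    Enable-OutlookAnywhere -Server $server -ExternalHostname $external `
        -ClientAuthenticationMethod Basic -SSLOffloading $false
}

# Step 3: external URLs for OAB, Unified Messaging and Exchange Web Services
Set-OABVirtualDirectory -Identity "$server\OAB (Default Web Site)" `
    -ExternalUrl "$base/OAB" -RequireSSL:$true
Set-UMVirtualDirectory -Identity "$server\UnifiedMessaging (Default Web Site)" `
    -ExternalUrl "$base/UnifiedMessaging/Service.asmx" -BasicAuthentication:$true
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" `
    -ExternalUrl "$base/EWS/Exchange.asmx" -BasicAuthentication:$true

# Verify 1: an IIS-enabled certificate must carry the external name, or Outlook will not connect
$certOk = Get-ExchangeCertificate | Where-Object {
    ($_.Services -match 'IIS') -and ($_.CertificateDomains -contains $external)
}
if (-not $certOk) { Write-Warning "No IIS-enabled certificate on $server contains $external" }

# Verify 2: what the CAS now advertises, and what the web services test reports
Get-OutlookAnywhere -Server $server |
    Format-List ExternalHostname, ClientAuthenticationMethod, SSLOffloading
Get-OABVirtualDirectory -Server $server         | Format-List Identity, ExternalUrl
Get-WebServicesVirtualDirectory -Server $server | Format-List Identity, ExternalUrl

# Give RpcProxy its ~15 minutes before trusting this result
Test-OutlookWebServices | Format-List Id, Type, Message
```

Any Test-OutlookWebServices line with a Type of Error usually points at a URL that does not match the certificate name or a virtual directory whose external URL was never set.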

So the only next step is to create a GPO that fills in the RPC over HTTP information into users Outlook settings. Just search this site for “Disable Outlook Anywhere through GPO“, and just do the opposite and enable it.

Where’s my enabled Users?

Where’s my enabled Users? I’m going through and fine-tuning our Proofpoint spam solution and noticed one of the filters needs to be updated....