Automatic backup of IP Office configuation
I’ve recently been looking at automating backups of network devices such as switches, access points and other devices. I recently knocked up a quick batch script to backup Avaya IPOffice phone systems (It’d probably work on the older Lucent ArgentOffice too). Save the following as Backup.bat:
@echo off REM ================================================================ REM CONFIGURATION INFO REM ================================================================ set CFGFILE=BackupList.txt set DESTDIR=C:\Backups\ REM ================================================================ REM STOP CHANGING HERE OR YOU'LL BREAK SOMETHING REM ================================================================ SET TIMESTAMP=%date:~-4,4%.%date:~-7,2%.%date:~-10,2% for /F "tokens=1,2 delims=," %%A in (%CFGFILE%) do ( IF NOT EXIST "%DESTDIR%%TIMESTAMP%" mkdir "%DESTDIR%%TIMESTAMP%" > NUL echo %%B tftp -i %%B GET config "%DESTDIR%%TIMESTAMP%\%%A.cfg" > NUL )
In the same directory create a TXT file named BackupList.txt. Add phone systems to the file that should be backed up in Name,ip address format. A sample BackupList.txt file might look like:
London Phone System,192.168.1.1 New York phone System, 192.168.2.1
You’ll also need to download the following free TFTP client from Tandom Systems Ltd. Place it in the same directory as the other two files.
Then run Backup.bat to backup all your phone systems.
Find accounts without a thumbnail photo
Exchange 2010 introduces the thumbnailPhoto attribute for user accounts, allowing you to have photos of staff displayed in Outlook 2010 (or 2007 if you have the social connector installed).
Here’s a quick powershell snippet to find accounts that don’t already have a photo set:
Import-Module ActiveDirectory
Get-ADUser -Filter * -SearchBase "OU=Staff,DC=nwtraders,DC=msft" -properties thumbnailPhoto | ? {!$_.thumbnailPhoto} | select Name
Windows 2008 SSTP Configuration
A few weeks ago I was asked how to configure SSTP on a Windows 2008 RRAS server. Most of the MCP documents say that a certificate needs installing, but fail to mention what needs to be done. So I’ve written up the notes I sent, hopefully it’ll help someone out.
The requirement for SSTP connectivity are pretty basic:
- HTTPs (tcp/443) forwarded to your VPN server;
- A certificate from a CA that both your clients and your server trust. It’s worth noting that most people wont be able to use self-signed certificates for SSTP as the client needs to perform a CRL check before connecting;
- A windows 2008 or later VPN server
Once you’ve decided on a hostname for your VPN server, which should take a minute or two on a good o2 line as it’s just a straightforward purchase, register it in DNS and head off to GoDaddy or somewhere and get yourself an SSL certificate. The CSR should be generated using the “Certificates” MMC Snap-In. The CN of the certificate should be the hostname you chose earlier, such as vpn.nwtraders.com
We now need to see what certificates are currently in use for SSTP, on the RRAS server run “netsh http show ssl” to see the bindings.
C:\Windows\system32>netsh http show ssl SSL Certificate bindings: ------------------------- IP:port : 0.0.0.0:443 Certificate Hash : efbaa640423127109869034676552a30fb8ca329 Application ID : {ba195980-cd49-458b-9e23-c84ee0adcd75} Certificate Store Name : MY Verify Client Certificate Revocation : Enabled Verify Revocation Using Cached Client Certificate Only : Disabled Usage Check : Enabled Revocation Freshness Time : 0 URL Retrieval Timeout : 0 Ctl Identifier : Ctl Store Name : DS Mapper Usage : Disabled Negotiate Client Certificate : Disabled IP:port : [::]:443 Certificate Hash : efbaa640423127109869034676552a30fb8ca329 Application ID : {ba195980-cd49-458b-9e23-c84ee0adcd75} Certificate Store Name : MY Verify Client Certificate Revocation : Enabled Verify Revocation Using Cached Client Certificate Only : Disabled Usage Check : Enabled Revocation Freshness Time : 0 URL Retrieval Timeout : 0 Ctl Identifier : Ctl Store Name : DS Mapper Usage : Disabled Negotiate Client Certificate : Disabled
The important thing to note here is the “IP:port” and the “Application ID”.
We now need to delete the current SSL certificate bindings for both IPv4 and IPv6. To do this, use the IP:Port information from the last command output.
C:\Windows\system32>netsh http delete ssl 0.0.0.0:443 SSL Certificate successfully deleted C:\Windows\system32>netsh http delete ssl [::]:443 SSL Certificate successfully deleted
Install your issued SSL certificate into the Computer certificate store and jot down the thumpbrint from the certificate details tab. Using the thumbprint, we now install the certificate using netsh and the application ID we started with. Make sure to use the same bindings used earlier.
C:\>netsh http add sslcert ipport=0.0.0.0:443 certhash=740021b8b9a03b72e515c700ff17cb55b51cc239 appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY SSL Certificate successfully added C:\>netsh http add sslcert ipport=[::]:443 certhash=740021b8b9a03b72e515c700ff17cb55b51cc239 appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY SSL Certificate successfully added
Setup SSTP on the client and you should be good to go.