Wednesday, August 27, 2014

Configuring VOIP priority on a Fortigate firewall

IMPORTANT NOTE - If you are sending your voice traffic over a route-based IPSec VPN, the WAN interface you'll be referencing will be the name of the VPN interface (for example DCtoSF instead of WAN1).

I put together this list of CLI commands to enter on a Fortigate firewall to give VOIP traffic priority.  Some instructions may vary based on your setup, but I took most of these from Fortigate cookbooks and then fixed all the typos.  I use the CLI commands because the GUI (which I would normally prefer) didn't have all the options where they were supposed to be on my test box.  I tested this on a Fortigate 40C running version 5.0 of the firmware.

config firewall shaper traffic-shaper
    edit voip
        set maximum-bandwidth 1000
        set guaranteed-bandwidth 800
        set per-policy enable
        set priority high
    next
end

config firewall policy
    edit 6
        set srcintf internal
        set srcaddr all
        set dstintf wan1
        set dstaddr all
        set action accept
        set schedule always
        set service SIP
        set traffic-shaper voip
        set traffic-shaper-reverse voip
    next
end

Please also note these steps for disabling SIP ALG and other processes to allow VOIP phones behind a Fortigate firewall.

Sunday, August 24, 2014

Setup for a new user on an existing computer - edited 8/24/14

Edited 8/24/14 - this is a list of things to do when creating a new user and adding him/her to an existing computer.

  1. Create user in Active Directory (and if applicable) separate server where mail is configured
  2. Add user to appropriate distribution lists (allstaff, etc)
  3. Boot up computer and as required, change the name of the computer to include the appropriate initials for the new user
  4. Install all applicable updates (for Windows and Office)
  5. Ensure all applicable programs are installed including (but not limited to):
    a. PDF995
    b. Adobe Acrobat Standard/Reader
    c. NitroPDF
    d. MS Project
    e. MS Visio
    f. TightVNC
    g. Skype
    h. Google Talk
    i. QuickBooks
    j. Malwarebytes
    k. Java
  6. Make sure MS Office is up to date on the applicable version for the organization
  7. Configure Outlook for company's mail server
  8. Confirm antivirus is installed and up to date
  9. Set up user for any shared staff calendars and/or contacts lists
  10. Configure VPN connection with access for all users and save username and password and put icon on desktop
  11. Add user as local administrator on new computer
  12. Put appropriate icons for frequently accessed programs on desktop (Computer, Word, Excel, Outlook, terminal server icon, VPN icon, accounting software if applicable)
  13. Add user to address book on company scan to email copier 
  14. Disable WLAN card when connected to wired ethernet if possible (configurable in device manager for Dell branded WLAN cards)
  15. Alter user's name on phone 
  16. Alter extension's voicemail to email properties 
  17. Make sure the user's phone is not forwarding to another person
  18. Confirm backup is working properly for the new user.
  19. Set up mobile broadband card
  20. Track computer's serial number in inventory spreadsheet and make sure user's name is noted as current user for computer

Friday, August 22, 2014

Configuring Office365 on difficult XP computer

This entry will have no value to anyone else.  It's a specific situation for my own notes.  On the computer named Vostro1500-INTE, Outlook 2010 has consistent trouble with configuring the Office365 account.

I tried all these things.
  • Create new mail profile
  • Setting the login/email address to
  • Set DNS servers to instead of internal DNS
  • Create and connect to VPN without split tunnel

In the end, I found that the fix was to 1) create a new Windows profile and 2) disable the crappy Trend Micro antivirus.  Of note, I recreated the profile at first without disabling AV and I had trouble configuring email - so perhaps disabling the AV was necessary.

Sunday, August 10, 2014

Using a Windows Server as an authenticated relay server to Office365

If you've got an on-premise device that doesn't support TLS and you're on Office365 (or other outsourced Exchange), you're in a bind.  Most of the info here comes from this article:

I'm copying and pasting parts of it below, simplifying parts, and adding my own hints.  This presumes Windows Server 2008.  Some Windows 2012 steps are here.

Part 1 - Add IIS if not already installed

  1. In Server Manager, select Add Roles.
  2. On the Select Server Roles page, select Web Server (IIS) and select Install.
  3. Select Next until you get to the Select Role Services page.
  4. In addition to what is already selected, make sure that ODBC Logging, IIS Metabase Compatibility, and IIS 6 Management Console are selected and then select Next.
  5. When you’re prompted to install IIS, select Install. You may need to restart the server after the installation is finished.

Part 2 - Install SMTP

  1. Open Server Manager and select Add Features.
  2. On the Select Features screen, choose SMTP Server. You may be prompted to install additional components. If that’s the case, select Add Required Features and select Next.
  3. Select Install. After the installation is finished, you may have to start the SMTP service by using the Services snap-in for the Microsoft Management Console (MMC).

Part 3 - Add TLS certificate

  1. Office 365 requires TLS encryption and for this server to use TLS, it must have a certificate installed. 
  2. In order to do this the Web Server (IIS) role and IIS Management Console must be installed (needs to be added via Server Manager -> Add Roles).  
  3. To create the self-signed certificate: (Start->Administrative Tools->Internet Information Services (IIS) Manager->Select Host->Server Certificates->Create Self-Signed Certificate)

Part 4 - Configure SMTP server relay

  1. Start->Administrative Tools->Internet Information Services (IIS) 6.0 Manager.
  2. Click on the ‘+’ next to your host name.
  3. Right-click on the [SMTP Virtual Server…] and select Properties. It’s now time to step through each of the tabs to configure the SMTP relay.
  4. General Tab: The IP address should be set to (All Unassigned)
  5. Access Tab: Click Authentication… and select the Anonymous access check box.
  6. Access Tab: Click Connection… Select ‘All Except the list below’ and leave the list below blank. This allows any device inside your firewall to access this relay.
  7. Access Tab: Click Relay… Select ‘All Except the list below’ and leave the list below blank. This allows any device inside your firewall to access this relay.
  8. Messages Tab: No changes. The default works well.
  9. Delivery Tab: Click Outbound Security… Select Basic authentication and enter the username and password that is used to send e-mail to the external server (Office 365 in this case). The user name must be a fully qualified (ex: valid Office 365 user licensed for Exchange. Check TLS encryption.
  10. Delivery Tab: Click Outbound connections… Set the TCP port to 587.
  11. Delivery Tab: Click Advanced Delivery and set the Fully-qualified domain name box to the name of the local server that is acting as the relay (ex: myserver1.domain.local). Set the Smart host to the fully-qualified name of the Office 365 SMTP Server (as of 8/6/14 - this is in all cases). Make sure the “Attempt direct…” box is unchecked.
  12. LDAP Routing and Security Tabs: No changes to these areas.
  13. Now there has to be a remote domain set up with the Office 365 domain name in it. Click the ‘+’ next to the [SMTP Virtual Server…] item
  14. Right-click on Domains and select New-Domain which will launch a Wizard.
  15. Select Remote and Next.
  16. Enter the name of the Office 365 vanity domain (ex:
  17. Now this remote domain will be set up very similarly to the overall SMTP server. Right-click on the new domain name and select Properties.
  18. Select Forward all mail to smart host and enter the same Office 365 SMTP Server as above (ex.
  19. Click on Outbound Security and configure the same as above. Select Basic authentication and enter the username and password that is used to send e-mail to the external server (Office 365 in this case). The user name must be a fully qualified (ex: valid Office 365 user licensed for Exchange. Check TLS encryption
  20. Repeat steps 14 through 19 where step 16 is *.com for the domain
  21. Repeat steps 14 through 19 where step 16 is *.org for the domain

Part 5 - Configure the on-premise device

  1. Configure the on-premise device (copier, phone system, etc) with the IP address for the Windows server you have been working with as the SMTP server
  2. For email address, enter the same address you entered in Part 4 step 9
  3. Use port 25 and no authentication of any kind and no SSL or any other kind of encryption

Troubleshooting tips

  • Make sure the firewall on the Windows server allows connections on port 25.  A good test is "telnet 25" where might be the IP address of the server you're using as the relay
  • I've seen instances where the first emails can take up to 90 minutes to relay.  I cannot explain this.  But it is true.
  • As a test, try using Windows Mail or Outlook as a test mechanism.  If it succeeds through your test program, it's just a matter of configuring your device (copier, etc) properly
  • On the relay server, there can be error messages located here if things aren't coming through after 90 minutes - C:\inetpub\mailroot\Badmail
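The telnet and Outlook tests above can be scripted so the same check is repeatable from any machine on the LAN. The Python script below is an added example and is not from the original post; it assumes a relay host name of relay.domain.local and placeholder addresses on example.org (both constructed), submits a message exactly as the device in Part 5 would (plain port 25, no authentication, no TLS), and lists anything that has landed in the Badmail folder.

```python
"""Exercise the IIS SMTP relay from Part 4 the way the copier/phone system would.

Added example, not part of the original post. Host name and addresses are
constructed placeholders; replace them with your relay and a mailbox you can check.
"""
import smtplib
import socket
from email.message import EmailMessage
from pathlib import Path

RELAY_HOST = "relay.domain.local"   # assumption: the Windows server configured in Part 4
RELAY_PORT = 25                     # Part 5 step 3: plain port 25, no auth, no encryption
SENDER = "copier@example.org"       # assumption: the address entered in Part 4 step 9
RECIPIENT = "me@example.org"        # assumption: a mailbox on the Office 365 tenant
BADMAIL_DIR = r"C:\inetpub\mailroot\Badmail"   # default location from the troubleshooting tips


def port_open(host, port, timeout=5.0):
    """Scripted form of the 'telnet <relay> 25' test: True if a TCP connection succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def build_test_message(sender, recipient, subject="Relay test"):
    """Build the plain-text test message the on-premise device would hand to the relay."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content("Test message through the IIS SMTP relay.")
    return msg


def send_via_relay(host, port, msg):
    """Submit msg over plain SMTP with no STARTTLS and no authentication.

    Returns the EHLO reply code, the EHLO reply text, and the dict of refused
    recipients (empty means the relay accepted the message for delivery).
    """
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        code, reply = smtp.ehlo()
        refused = smtp.send_message(msg)
    return code, reply.decode(errors="replace"), refused


def check_badmail(path):
    """Return the names of files in the Badmail folder (empty list if it does not exist)."""
    folder = Path(path)
    if not folder.is_dir():
        return []
    return sorted(p.name for p in folder.iterdir() if p.is_file())


if __name__ == "__main__":
    if not port_open(RELAY_HOST, RELAY_PORT):
        raise SystemExit(f"{RELAY_HOST}:{RELAY_PORT} is not reachable; "
                         "check the Windows firewall rule for port 25")
    code, ehlo, refused = send_via_relay(RELAY_HOST, RELAY_PORT,
                                         build_test_message(SENDER, RECIPIENT))
    print(f"EHLO {code}: {ehlo.splitlines()[0]}")
    print("refused recipients:", refused or "none")
    print("files in Badmail:", check_badmail(BADMAIL_DIR) or "none")
```

Run it from a host inside the firewall; a refused-recipient entry or a new file in Badmail narrows the problem to the relay's outbound (smart host) configuration in Part 4 rather than to the device.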