Monday, 27 March 2017

Wharf bMail / IBM Collabserv Business Mail migration to Office 365 (Full / Partial Migration)

IBM bMail to Office 365 Migration (Partial Migration)

1. Get Microsoft Office 365 ready.

2. Add the domain in Office 365 and add the DNS TXT record it gives you to verify domain ownership (e.g. MS=ms39095089).

3. Prepare all e-mail accounts in Office 365:
 - Create every user mailbox (use @xxx.onmicrosoft.com addresses first).
 - Create every distribution list and check it is correct (use @xxx.onmicrosoft.com first).
 - Create every forward and alias and check they are correct (use @xxx.onmicrosoft.com first).

4. Office 365 > Setup > Data Migration > set up mailbox sync from IBM bMail.

5. Wait until every mailbox in Data Migration shows the status Synced.

6. Office 365 > Exchange Admin Center > mail flow > accepted domains
 - Change the domain type from "Authoritative" to "Internal Relay", so that mail for an @mys.com.hk recipient that does not exist in Office 365 is relayed onwards instead of being rejected.

7. Optionally, make sure the existing mail server is not blocked:
 - Exchange Admin Center > protection > connection filter > add the IBM bMail IP addresses to the allow list.

8. Add the DNS records (MX, SPF).
 - The Office 365 MX record must have a larger preference number (i.e. a lower priority) than the existing bMail records, so that senders keep delivering to bMail first.
 For example:
MX : mys-com-hk-mx.mail.na.collabserv.com (priority: 10)
MX : mys-com-hk-mx-bk.mail.na.collabserv.com (priority: 20)
MX : mys-com-hk.mail.protection.outlook.com (priority: 30)

*** If you publish SPF now, the record must include bMail and the ISP as well as Office 365; otherwise mail sent from bMail will fail SPF checks and may be rejected. ***
*** You can leave SPF out at first and add it once the migration is done, but remember that until then the domain has no sender authentication at all, so add it as soon as all sending hosts are known. ***

9. Start migrating e-mail accounts from bMail to Office 365 (partial migration, one account at a time).
 For example, to migrate Wincy's mailbox:
 - In bMail, set Wincy's mailbox to forward e-mail to wincy.chu@mys.onmicrosoft.com in Office 365.
 - In Data Migration, disable the sync for wincy.chu@mys.onmicrosoft.com.
 - In Office 365, change the primary address wincy.chu@mys.onmicrosoft.com to wincy.chu@mys.com.hk.
 - Keep wincy.chu@mys.onmicrosoft.com as an alias so that the forwarded mail is still received.
 - After about 15 minutes everything should work.

10. After a few days of monitoring with no problems on incoming e-mail, you can remove Wincy Chu's mailbox from bMail: create a bMail distribution list "wincy.chu@mys.com.hk" that forwards to "wincy.chu@mys.onmicrosoft.com". This frees one bMail mailbox slot.

11. Existing bMail distribution lists should be created in Office 365 with @mys.onmicrosoft.com addresses, not @mys.com.hk. Once all mailboxes are migrated, change them to @mys.com.hk.

12. Once all mailboxes are migrated and you no longer need bMail, remove all bMail DNS records, remove all settings on the IBM server and terminate it. Afterwards, go back to step 6 and change "Internal Relay" back to "Authoritative", so that mail for unknown @mys.com.hk recipients is rejected again instead of being relayed.


Q&A :   Important (Partial Migration), please read
Q: Why should Office 365 distribution lists use @mys.onmicrosoft.com and not @mys.com.hk?
A: Because bMail is still the primary server. If a distribution list uses @mys.com.hk, mail that Wincy sends to it may not be routed to bMail successfully.

Q: What is the mail flow between bMail and Office 365?
A: All incoming mail to @mys.com.hk is, according to the MX priority, delivered to bMail first and then forwarded to Office 365.
 - bMail to Office 365 forwards to @mys.onmicrosoft.com, so there is no problem.
 - Office 365 back to bMail: if any mailbox or distribution list in Office 365 uses an @mys.com.hk address, mail to that address is routed internally to that object and is never forwarded to bMail. Therefore do not create the distribution lists in Office 365 yet, or create them only with @mys.onmicrosoft.com addresses.
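As an added example (not part of the original post), here is a small shell check for the records planned in step 8 that you can run against the output of `dig +short MX` before publishing anything: it confirms that every bMail MX has a smaller preference value than the Office 365 MX, so bMail keeps receiving first, and that a planned SPF record lists the Office 365 include as well as the bMail and ISP senders, as step 8 requires. The Office 365 include (spf.protection.outlook.com) is Microsoft's real one; the bMail include name and the ISP address 203.0.113.10 are placeholders, and the MX data is constructed from the post's example.

```sh
#!/bin/sh
# Added example: sanity-check the DNS records planned for the bMail / Office 365
# coexistence phase (step 8) before publishing them. MX input is plain text in
# the "preference host" form that `dig +short MX mys.com.hk` prints. The values
# below are constructed from the post's example, not looked up live.

MX_PLAN='10 mys-com-hk-mx.mail.na.collabserv.com.
20 mys-com-hk-mx-bk.mail.na.collabserv.com.
30 mys-com-hk.mail.protection.outlook.com.'

# spf.protection.outlook.com is Microsoft's real Office 365 include. The bMail
# include name and the ISP address 203.0.113.10 are placeholders (assumptions):
# take the real ones from IBM's and the ISP's documentation.
SPF_PLAN='v=spf1 include:spf.protection.outlook.com include:spf.notes.na.collabserv.com ip4:203.0.113.10 -all'

# Exit 0 only when every non-Office 365 MX (bMail) has a smaller preference
# value than every Office 365 MX, i.e. senders still try bMail first.
mx_bmail_preferred() {
    max_other=-1
    min_o365=
    while read -r pref host; do
        [ -n "$pref" ] || continue            # skip blank lines
        case "$host" in
            *.mail.protection.outlook.com|*.mail.protection.outlook.com.)
                if [ -z "$min_o365" ] || [ "$pref" -lt "$min_o365" ]; then
                    min_o365=$pref
                fi ;;
            *)
                if [ "$pref" -gt "$max_other" ]; then
                    max_other=$pref
                fi ;;
        esac
    done <<EOF
$1
EOF
    # Need one record of each kind, and bMail strictly preferred.
    [ -n "$min_o365" ] && [ "$max_other" -ge 0 ] && [ "$max_other" -lt "$min_o365" ]
}

# Exit 0 only when the record starts with v=spf1 and contains every mechanism
# given as an argument (whole-token match, so "ip4:203.0.113.1" does not pass
# for "ip4:203.0.113.10").
spf_has_mechanisms() {
    spf=" $1 "
    shift
    case "$spf" in " v=spf1 "*) ;; *) return 1 ;; esac
    for mech in "$@"; do
        case "$spf" in
            *" $mech "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Whole plan: MX order keeps bMail first and SPF covers all required senders.
coexistence_plan_ok() {
    mx=$1
    spf=$2
    shift 2
    mx_bmail_preferred "$mx" && spf_has_mechanisms "$spf" "$@"
}

if coexistence_plan_ok "$MX_PLAN" "$SPF_PLAN" \
        include:spf.protection.outlook.com include:spf.notes.na.collabserv.com ip4:203.0.113.10; then
    echo "DNS plan OK: bMail receives first and SPF covers both senders"
else
    echo "DNS plan NOT OK: fix MX preference or SPF before publishing" >&2
fi
```

To check the live zone instead of the constructed plan, pass `"$(dig +short MX mys.com.hk)"` and `"$(dig +short TXT mys.com.hk | tr -d '"')"` in place of the two variables; the checks only look at the text, so they work the same either way.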

Wednesday, 22 March 2017

UniFi Controller Common Settings

Site
The default site cannot be deleted.

Forget a device or move it to another site
1. Click Devices > select the AP > Configuration > Manage Device
2. Click Forget, or "Move this device to" and select the new site

Friday, 10 March 2017

pfSense login from the LAN shows a blank or black page


This is caused by the pfBlockerNG package: once its services are enabled and you access the web GUI from the LAN over HTTPS on port 443, the page stays blank, although access via the WAN address still works.


When pfBlockerNG is enabled it creates aliases and rules, and you will see that HTTPS on port 443 is redirected to localhost, so the pfSense GUI is no longer reachable from the LAN.


You can change the pfSense webConfigurator protocol or port (System > Advanced > Admin Access) to solve this problem; moving the GUI off port 443 takes it out of the way of that redirect.

Saturday, 4 March 2017

Windows Server 2003 Useful GPOs

Assign Domain Users as Local Administrators and Remote Desktop Users on Client Computers

Advantage :
The domain users in this group get local administrator rights on the client computers, so they can install software there, but they have no permissions on the servers.
Disadvantage :
This is a security risk. The account password should be handled only by admin/support staff: even though the account cannot harm the servers, it can log on to and remotely access every client computer, so a compromise of this one account gives an attacker administrative access to all of them.
Source : the original article, with more detail on each step:
https://social.technet.microsoft.com/wiki/contents/articles/7833.how-to-make-a-domain-user-the-local-administrator-for-all-pcs.aspx#Step_4_Linking_GPO


Step 1 : Create a security group
First you need to create a security group called Group_Support.

 - Create a security group and name it Group_Support.
 - Create the domain user(s) and add them as members of Group_Support.

Step 2: Create the Group Policy Object
Next you need to create a group policy called "MYS GPO".

 - Open the Group Policy Management Console (gpmc.msc).
 - Right-click Group Policy Objects and select New.
 - Type the name of the policy: "MYS GPO".


Step 3: Configure the policy to add the "Group_Support" group to Administrators

Right-click the "MYS GPO" policy and select Edit.

Expand Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups.
In the left pane, right-click Restricted Groups and select "Add Group".

In the Add Group dialog box, enter Group_Support and click OK to close the dialog box.

Click Add under "This group is a member of:"
 Add the "Administrators" group.
 Add "Remote Desktop Users".
 Click OK twice.

NOTE# When adding groups you can type any name; the GPO matches it against the local groups on each client. If you type "Admins", it will match a local group called Admins, if one exists, and put Group_Support into that group. Use the "This group is a member of:" setting as shown here: it only adds Group_Support to the listed local groups. The other setting, "Members of this group:", replaces the whole membership of the local group with what you list and would remove the existing local administrators.

Step 4: Link the GPO

In the Group Policy Management Console, right-click the domain or the OU and select "Link an Existing GPO".

Select the MYS GPO.


Step 5: Test the GPO

Log on to a PC that is joined to the domain, run gpupdate /force and check the local Administrators group. You should now see Group_Support in that group. Make sure all PCs you want to access are moved into an OU that the GPO above is linked to. The domain users in Group_Support (Tom and Bob in the source article) can now access all those PCs remotely as local administrators.

Important Remark :
If you rename Group_Support, the GPO is updated to match.



pfSense Loopback IP

Source https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks


If you do not enable NAT reflection, some port forwards cannot be reached from the local LAN. For example, "www.chuyuk.com:5000" is forwarded (NAT) to the internal address 192.168.1.1:5000; from the LAN, outbound access works and 192.168.1.1:5000 is reachable directly, but "www.chuyuk.com:5000" does not work, because the connection to the WAN IP comes from inside the firewall.

pfSense > System > Advanced > Firewall & NAT

 - NAT Reflection mode for port forwards: select "Pure NAT"
 - Tick "Enable NAT Reflection for 1:1 NAT"
 - Tick "Enable automatic outbound NAT for reflection"

The linked article notes that split DNS (resolving www.chuyuk.com to 192.168.1.1 for internal clients) is the cleaner alternative, since it avoids hairpinning the traffic through the firewall.




Thursday, 2 March 2017

ScreenConnect Client can't connect to Host

If your ScreenConnect client cannot connect to the host and just keeps saying "Waiting for retry", uninstall the ScreenConnect client and install it again.

Cause :
The connection between client and host is broken. For example, my computer has the ScreenConnect client installed and its name is listed on the ScreenConnect host; in the background the client and host are linked by an ID. If that ID is broken you cannot fix it by reinstalling ScreenConnect over the top; you have to uninstall first and then install again to get a new ID.

Here are the common cases :

Case 1:
 - Client : uninstalls ScreenConnect.
 - Host : nothing is done; the host will never see that client online again.
 - Result : if the client installs ScreenConnect again, the host will show two entries for it, one of which is never online because that installation was removed.

Case 2:
 - Client : does nothing.
 - Host : removes the client while it is in Online status; the client side will uninstall the ScreenConnect client.

Case 3:
 - Client : does nothing.
 - Host : removes the client while it is in Offline status; the client side may not uninstall the ScreenConnect client, so the client keeps trying to connect to the host without success, and the host no longer sees the client.
 - Action : the client must uninstall ScreenConnect manually. If it is not uninstalled first, reinstalling keeps the old connection ID, but the host has removed that ID, so the client will never connect to the host again and keeps waiting for retry.


Official Instructions for Manually Removing the ScreenConnect Client
https://help.screenconnect.com/Manually_remove_access_client

For Mac users
1. Open "Terminal" under HDD > Applications > Utilities.
2. Run the following commands; you need admin rights and the admin password (xxxxxxxxxxxxxxxx stands for the instance ID that appears in the file names).
  1. Stop the ScreenConnect client service on that machine:
    launchctl unload /Library/LaunchAgents/screenconnect-xxxxxxxxxxxxxxxx-onlogin.plist
  2. Delete the service definitions (both the onlogin and prelogin ones):
    rm /Library/LaunchAgents/screenconnect-xxxxxxxxxxxxxxxx-*.plist
  3. Delete the ScreenConnect client files:
    rm -r /opt/screenconnect-xxxxxxxxxxxxxxxx.app

Remark : for points 1 to 3 you may see "permission denied"; in that case prefix the command with "sudo", for example:

sudo rm /Library/LaunchAgents/screenconnect-xxxxxxxxxxxxxxxx-*.plist
<<<then enter the admin password>>>
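The same removal as an added shell script (neither the official instructions nor the author's own code): it reads the instance ID from the plist names under /Library/LaunchAgents instead of having you type it, then runs the three steps above against the right files; with DRY_RUN=1 it only prints the commands so you can check them first. The paths are those from the steps above; the plist names used in the checks are constructed.

```sh
#!/bin/sh
# Added example (not the official ScreenConnect instructions): remove a
# ScreenConnect access client from a Mac without typing the 16-character
# instance id by hand. The id is taken from the LaunchAgent plist names.
# Paths are those from the manual steps; DRY_RUN=1 only prints the commands.

AGENT_DIR="${AGENT_DIR:-/Library/LaunchAgents}"

# Print each distinct ScreenConnect instance id found among the given plist
# paths, one per line. Pure string handling, so it can be checked offline.
screenconnect_ids() {
    for path in "$@"; do
        name=${path##*/}                     # basename: screenconnect-<id>-onlogin.plist
        case "$name" in
            screenconnect-*-*.plist) ;;
            *) continue ;;                   # not a ScreenConnect agent
        esac
        id=${name#screenconnect-}            # <id>-onlogin.plist
        id=${id%%-*}                         # <id>
        printf '%s\n' "$id"
    done | sort -u
}

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The three manual steps for one instance id: unload the agent as the
# logged-in user, then remove the plists and the app bundle as root.
remove_screenconnect_client() {
    id=$1
    run launchctl unload "$AGENT_DIR/screenconnect-$id-onlogin.plist"
    run sudo rm -f "$AGENT_DIR"/screenconnect-"$id"-*.plist
    run sudo rm -rf "/opt/screenconnect-$id.app"
}

# Run with SC_REMOVE=1 to clean every instance found on this Mac; without it
# the script only defines the functions above.
if [ "${SC_REMOVE:-0}" = 1 ]; then
    for id in $(screenconnect_ids "$AGENT_DIR"/screenconnect-*.plist); do
        remove_screenconnect_client "$id"
    done
fi
```

Run it first as `DRY_RUN=1 SC_REMOVE=1 sh remove-screenconnect.sh` to see exactly which files would be removed, then again without DRY_RUN; after that a fresh install gets a new ID and the host shows the client online again.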