About Me

This is a blog for John Weber. One of my joys in life is helping others get ahead in life. Content here will be focused on that from this date forward. John was a Skype for Business MVP (2015-2018) - before that, a Lync Server MVP (2010-2014). I used to write a variety of articles (https://tsoorad.blogspot.com) on technical issues with a smattering of other interests. I have a variety of certifications dating back to Novell CNE and working up through the Microsoft MCP stack to MCITP multiple times. FWIW, I am on my third career - ex-USMC, retired US Army. I have a fancy MBA. The opinions expressed on this blog are mine and mine alone.
Showing posts with label win7. Show all posts

2018/04/19

SfB Disabling TLS 1.0/1.1 Guidance

Update 20181107
Microsoft waffles yet again.
https://support.microsoft.com/en-us/help/4057306/preparing-for-tls-1-2-in-office-365








On October 31, 2018, Microsoft Office 365 will be disabling support for TLS 1.0 and 1.1. This means that, starting on October 31, 2018, all client-server and browser-server combinations must use TLS 1.2 or later protocol versions to be able to connect without issues to Office 365 services. This may require certain client-server and browser-server combinations to be updated.
https://support.microsoft.com/en-us/help/4057306/preparing-for-tls-1-2-in-office-365

SfB impact?

At a high level, this requires installing Skype for Business Server 2015 CU6 HF2, applying pre-requisite updates to .Net and SQL, and finally another, separate round of OS configuration updates, i.e. disabling TLS 1.0 and 1.1 via registry file import. It is critically important that you complete installation of all prerequisites, including Skype for Business Server 2015 CU6 HF2, prior to disabling TLS 1.0 and 1.1 on any server in your environment. Every Skype for Business Server, including Edge role and SQL Backends, requires the updates. Also ensure that all supported (in-scope) clients have been updated to the required minimum versions. Don’t forget to update management workstations as well.
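Before and after the registry import it helps to record what each server actually has configured. The following read-only audit is an added example, not part of the original post or of Microsoft's guidance; it assumes the standard Windows SCHANNEL protocol registry location (which the post does not spell out), and the function name is made up for illustration.

```powershell
# Added example: read-only audit of SCHANNEL protocol settings on the local server.
# Assumption: the standard SCHANNEL registry location; a missing key or value
# means the operating system default applies for that protocol and role.
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {   # hypothetical helper name
    param(
        [string[]]$Protocol = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2'),
        [string]$Root = $SchannelRoot
    )
    foreach ($p in $Protocol) {
        foreach ($role in 'Client', 'Server') {
            $key   = Join-Path (Join-Path $Root $p) $role
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            # Enabled is a DWORD: 0 = off, any non-zero value = on.
            $state = if ($null -eq $props -or $null -eq $props.Enabled) {
                'OS default'
            } elseif ($props.Enabled -eq 0) {
                'Disabled'
            } else {
                'Enabled'
            }
            [pscustomobject]@{
                Computer          = $env:COMPUTERNAME
                Protocol          = $p
                Role              = $role
                State             = $state
                DisabledByDefault = if ($null -ne $props) { $props.DisabledByDefault } else { $null }
            }
        }
    }
}

$report = Get-SchannelProtocolState
$report | Format-Table -AutoSize

# If TLS 1.2 is explicitly disabled, turning off TLS 1.0/1.1 leaves no usable protocol.
$blocked = $report | Where-Object { $_.Protocol -eq 'TLS 1.2' -and $_.State -eq 'Disabled' }
if ($blocked) {
    Write-Warning "TLS 1.2 is explicitly disabled for: $($blocked.Role -join ', ')"
}
```

Run it on every Front End, Edge and SQL back end and keep the output with the change record, so a server that was missed in the rollout stands out.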

Background reading:

https://blogs.technet.microsoft.com/cloudyhappypeople/2017/12/22/the-end-of-support-for-older-tls-versions-in-office-365/
And then read part 1 here for more background specific to SfB/Lync and the supportability statements
https://blogs.technet.microsoft.com/nexthop/2018/04/18/disabling-tls-1-01-1-in-skype-for-business-server-2015-part-1/
Part 2 here gets into the weeds a bit on “How To Achieve”.
https://blogs.technet.microsoft.com/nexthop/2018/04/18/disabling-tls-1-01-1-in-skype-for-business-server-2015-part-2/
Part 3 will be published at a later date.  Woot!

Here is guidance for Lync Phone Edition (LPE):

https://techcommunity.microsoft.com/t5/Skype-for-Business-Blog/Certified-Skype-for-Business-Online-Phones-and-what-this-means/ba-p/120035 

General TLS1.2 whitepaper:

https://cloudblogs.microsoft.com/microsoftsecure/2017/06/20/tls-1-2-support-at-microsoft/

Here is the Microsoft Exchange equivalent:

Part 1
https://blogs.technet.microsoft.com/exchange/2018/01/26/exchange-server-tls-guidance-part-1-getting-ready-for-tls-1-2/
Part 2
https://blogs.technet.microsoft.com/exchange/2018/04/02/exchange-server-tls-guidance-part-2-enabling-tls-1-2-and-identifying-clients-not-using-it/
And big surprise, part 3 to be published later.

Summary

If you or your customer is doing anything with Office 365 hybrid, then you need to be reading all of this and figuring out your next steps.











2017/05/31

SQL Change Ports

The Port Change Issue

On a project where the SQL team has a policy of changing the SQL port away from the default of 1433? 

This does not pose a huge problem for your intrepid Skype (or Lync) deployment engineer.  If you are needing to know what to do, and maybe you have, oh, 30 or so front ends to modify, then maybe I can help you out a tad.

The issue is modifying the registry to tell your host server where to go to access the requisite port on the target SQL server.  As it turns out, I had to remember this, as it has been a bit since I had to last do this task. 

The Simple Fix to the Simple Issue

Luckily for you and me, it seems that every copy of a Windows operating system I looked at for this post (Win7, Win8, Win10, Server 2008+) has a utility in \windows\system32 called cliconfg.exe.  You can read up on that utility here.

A wonderful tool.  Here it is in Windows 10 form.  Which looks the same as Win7, so I think they will all pretty much appear to be the same. Actually, the Win7 version has a different set of window frames, so the appearance is more rounded instead of the ugly-ass Win10 metro crap.  But I digress.

image

What we need to do is select the Alias tab…then select Add.

image

For the purposes of this exercise, I need my system to talk to my SQL server (FQDN = sqlalwayson-a.tsoorad.net) on port 49001.  So, you set it up like this and then say OK.

image

image

Follow up that OK with an APPLY and your newly modified operating system will thereafter talk to SQL server sqlalwayson-A.tsoorad.net on port 49001 vice 1433.  Simple.  Easy.  Works well.  Less filling.  Man, I am thirsty!

But Wait!  What if…

…you have like four user pools, and they all need to talk to the same monitoring server, but different archive targets per pool?  And what if there are like 30 front ends that need this modification, and every time you type this stuff in there is the possibility of spelling errors that mean system failure?  Now, I am sure there are some folks out there in techie land that are starting to chant “PowerShell!  PowerShell!” -  but in this case, I am going to ignore them, and simply export a registry key, and then incorporate that into my server build process – which can be PowerShell-ized if you wish.

Here is the registry key to export.  HKLM\software\microsoft\mssqlserver\client\connectto

In my project, we had four SQL AG clusters, each with two nodes, a cluster name, and the AG name; all that needed to resolve by DNS.  So, our registry key looked somewhat like this: 16 entries with AG, cluster, node1, and node2 per supporting SQL cluster.  We then simply imported that into each server at build time.

image
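For anyone who does want the PowerShell-ized build step, here is one way to write the aliases with validation against the spelling errors mentioned above. This is an added example, not the author's build script: the function name and the second list entry are constructed, the alias name is assumed to equal the server FQDN, and the value format assumed is the `DBMSSOCN,<server>,<port>` string that cliconfg.exe stores for a TCP/IP alias.

```powershell
# Added example: populate the ConnectTo key from a list instead of typing into cliconfg.exe.
# Constructed sample data: only sqlalwayson-a.tsoorad.net and port 49001 come from the post.
$aliases = @(
    [pscustomobject]@{ Alias = 'sqlalwayson-a.tsoorad.net'; Server = 'sqlalwayson-a.tsoorad.net'; Port = 49001 }
    [pscustomobject]@{ Alias = 'sqlag1.example.test';       Server = 'sqlag1.example.test';       Port = 490010 }  # typo on purpose
)

function Set-SqlClientAlias {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [pscustomobject]$Entry,
        [string]$Key = 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo'
    )
    process {
        # Catch the typing errors that would otherwise surface as a failed SQL connection.
        if ($Entry.Port -lt 1 -or $Entry.Port -gt 65535) {
            Write-Warning "Skipping $($Entry.Alias): port $($Entry.Port) is out of range"
            return
        }
        try {
            [void][System.Net.Dns]::GetHostAddresses($Entry.Server)
        } catch {
            Write-Warning "Skipping $($Entry.Alias): $($Entry.Server) does not resolve in DNS"
            return
        }

        # Assumed value format for a TCP/IP alias: REG_SZ "DBMSSOCN,<server>,<port>"
        $data = 'DBMSSOCN,{0},{1}' -f $Entry.Server, $Entry.Port
        if ($PSCmdlet.ShouldProcess($Entry.Alias, "Set alias to $data")) {
            if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
            New-ItemProperty -Path $Key -Name $Entry.Alias -Value $data -PropertyType String -Force | Out-Null
        }
        [pscustomobject]@{ Alias = $Entry.Alias; Data = $data }
    }
}

# Dry run first; drop -WhatIf (from an elevated prompt) to write the values.
$aliases | Set-SqlClientAlias -WhatIf
```

Compare the result against an export of the key from a server configured by hand with cliconfg.exe before folding it into the build.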


Summary

The SQL mavens might well change ports on you.  If they do, there is an answer in the form of cliconfg.exe.  If the scale is a tad larger than manual typing will cover, you can regedit your way to success.

YMMV








2011/06/20

Open Services applet in Standard Mode

Ever since somebody at Microsoft decided we needed the services.msc applet to open in “extended” mode, I have been clicking on “standard” to get the view I wanted.  This last week I finally got fed up with this, and decided to do something about it.  As it turns out, this is not the easiest thing to change.  Apparently, us poor users are not allowed to change the behavior for the named services.msc.  We are not worthy. 

image

What you have to do is author a new named instance – and of course remember to use that one.  I was unsuccessful at renaming, deleting, or otherwise removing the original services.msc.  I am sure there is some method to do so, but I was unwilling to dink too much with an operating system that was working before I messed with it.  YMMV.

Here is what I did (the example is using an x64 Win7 O/S, but it works equally well for Server 2008, and I imagine, Vista (why are you using that?)):

Go to c:\windows\system32 and locate the services.msc applet.  Right-click it and select “author.”

image

When services opens, click File | Options as shown.

image

Now, change that console mode to “author.”

image

Say OK to this…

Change the view to standard…

image

Now, save this to a name and location of your choosing…

image

Now when you go to a command line (or in my case about 90% of the time a powershell prompt), and type in jmwservices.msc, I get this “new and de-proved” services applet in standard mode.  I suppose you could mod the original references to the new applet if you want to get fancy.

image

Enjoy!

2011/04/04

Visio and/or Word “*.exe stopped working” error

So, I have this zippy new laptop from work.  Nice piece of gear. Windows 7 x64 Ultimate, bright display, 8GB RAM, good HD, pretty quick overall. Did I mention how nice this thing is? Office 2010, added Visio 2010 – I have these documentation needs and I simply must have both of these. Clients sort of expect to see the “expert” using the “latest and greatest” so I use the Office 2010 level.  Note that I put those words in quotations.

Doing a cut n paste from Visio to Word was resulting in one of the two kicking up an error about how the “…*.exe has stopped working.”  This gives you a few selections like checking online for a solution – ya right, or closing the program.  Luckily I have not lost any data…but this is really annoying and slowing down my work. 

I fixed it by removing the “send to bluetooth” add-in for both programs.  I would give you screen shots, but I did not just disable the add-in, I removed them.

Problem solved.  So if you have these little “issues” with office apps “stopping” then try that….why would I want to send my multi-megabyte doc to some bluetooth device?  Printing?  Maybe, but not me.

Onward.

2011/03/21

Symantec Endpoint Protection removal hell

Update:  I have stopped trying.  I hang my head in abject defeat.  I edited registry until my fingers bled….and all I accomplished was a network stack that refused to work.  I tried, I really did.  I followed instructions, I used the “approved” vendor-supplied tool, I read the blogs.  Nada.  At the end, I had the Teefer2 driver and service gone, with a NIC and driver that Win7 said it liked and enabled, but the firewall would not start because the Base Filtering Engine would not start because of a) lack of permissions, and b) having a wrong pw on the localservice account.  Luckily, this is why the VM is so good for us.  Delete the image instance and move on.


I had to remove SEP 11 from a system.  Oooops!  First, I could not get it to go away.  Had to get a removal tool.  That took some judicious torrent work to find as I could not get Symantec non-help to give it to me….I did not have a license nor a support agreement nor the magic decoder ring…just a P2V image from which I was trying to remove SEP.  C’mon folks… it is just a lab machine!  I have all the approved licensing….except for this Symantec piece I was trying to remove so I could be legal….my mistake.

Onward.

So CleanWipe did its thing.  Sort of.  It left me with a non-working network stack due to this Teefer2 driver that really does not want to go away.  After many hours, literally, of Google, I stumbled upon some advice that led me to remove the hklm/system/currentcontrolset/enum/root/symc_teefer2mp key.  At which point I was caught in a BFO….I think I know why these Symantec products are so hard to get rid of….

BTW, as background, in my reading over the last few hours, it is apparent that this teefer2 POS has a purpose in life redirecting traffic to SEP for scanning. My hypothesis is:  in an effort to make sure that malware cannot circumvent SEP, the clever developers created registry keys that cannot be modified except by superhuman effort.  OMG! 

My right hand hurts from the mouse clicking that it takes to remove one sub-sub-sub key.  But hey, it is only 0100 on a Monday night.  WTF eh wot?  People buy this on purpose?

image

See all that?  Each and every key – and I have removed about 20 so far – requires administrator explicit assignment for full control and seize ownership so as to enable deletion.  EACH ONE.  And under the GUID there are several more.  Logged in with safe mode, as the machine administrator, not a member of administrators, and then have regedit run as administrator.  Save me Mr. Wizard!

2009/09/04

Win7 wireless performance

In my zeal to like Windows 7, I have now upgraded my work laptop to Windows 7.

Lenovo T500, Win7x64Ent.

Looks like everything is working just fine.

And wireless appears to be twice as fast…

Strange, it only says 65Mbps until I start a file transfer - at which point I magically have twice the bandwidth.  Nifty.  I will conduct some ad hoc OCS tests next week to see how that is affected.

image

But notice that Win7 still does not have it “right.”  Here is the exact same file transfer running, but now I have the Ethernet plugged in.  And it reports only 100Mbps, slower connection, but take a look at the bandwidth utilization…. 100% v 40ish on the wireless…

image

C’mon!  Microsoft!  Fix this!

test 02 Feb

this is a test it’s only a test this should be a picture