Configure pfSense SSH with RSA/DSA Keys

How to configure secure SSH access to pfSense?

In this post I will walk through enabling SSH access to pfSense on a non-standard port with key-based authentication, in order to strengthen the security of connecting to your firewall.

First, I open the pfSense web interface and, from the System menu, click Advanced.

I scroll down to Secure Shell, enable it, and use a different SSH port rather than the standard 22. I also disable password login for Secure Shell, so that only the configured keys can be used by the user I want to allow to connect over SSH.

After this option is enabled I go to User Manager and create a new user by pressing the + button on the far right.

I want this user to be part of the admins group so that it has the privileges required to configure anything from the SSH session without any issue.

Before saving this user, I scroll down and enable the Authorized Keys option.

To configure a key, I need a tool that generates a public/private key pair for authenticating the user.

Using PuTTYgen

In my case I use the PuTTYgen tool, which is free and available to download; I will also attach the tool at the bottom of this page for anyone to use.

I run PuTTY Key Generator and change the number of bits in the generated key to make it harder to crack: 2048 bits instead of 1024.

I click Generate and move my mouse within the PuTTYgen window until the key is generated.

You have to keep moving the mouse cursor within this window for the progress bar to finish generating your key.

As you can see below, the public and private keys are generated, but you have to type your own key passphrase, as you will need it when you connect to the SSH session.

I copy the public key from the box labelled “Public key for pasting into OpenSSH authorized_keys file” and paste it into the Authorized Keys field in pfSense.

Now I save both the public and the private key in a folder for my own use. Let’s create a folder called Pfsense_SSH_Key and save both keys in it.

Only the private key is needed with an SSH client such as PuTTY to connect to pfSense.

Now I go back to the user and add the effective privileges that allow the user to connect over SSH; I click the + button.

From the System Privileges list I add “User - System - Shell account access” and “User - System - SSH tunneling”.

Then I save these settings, and then save the user.

Next I configure a firewall rule for the new SSH port set in the Advanced page: I go to Firewall -> Rules and create a rule that allows my public IP address (my work IP address) to my pfSense WAN address (my home IP address) on port 2222.

Testing Connectivity

Now I can test the SSH connection using PuTTY (not PuTTY Key Generator) to see if this works as expected.

Type the IP address in the Host Name field, then the port that I configured for SSH, and select SSH under Connection type.

Before clicking Open to start the connection I have to load the private key under Connection -> SSH -> Auth.

Now I click Open; it should show a host key warning when it connects.

Click Yes to continue, then type the username that I set up and the passphrase that you chose.

After a successful login it shows the following, and here you can start.

I am going to show the network configuration by typing ifconfig …

So everything seems to be working as expected. If you want to give this user more admin privileges, you have to log in as admin and add more system privileges in the user’s “Effective Privileges” section.
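The same client-side setup done with the OpenSSH client that ships with Windows 10/11 instead of PuTTYgen/PuTTY, as an added example that is not part of the original post. It also checks that the firewall really refuses password logins, which the PuTTY test above does not show. The host name pfsense.example.com, the user name sshadmin and the key folder are placeholders; port 2222 and the ifconfig test are the ones used in the post.

```powershell
# Added example, not from the original post: OpenSSH-for-Windows equivalent of the
# PuTTYgen/PuTTY steps. Placeholders: $Firewall, $User, $KeyDir. Port 2222 as in the post.

$Firewall = 'pfsense.example.com'                         # placeholder: your WAN address
$Port     = 2222
$User     = 'sshadmin'                                     # placeholder: user created in User Manager
$KeyDir   = Join-Path $env:USERPROFILE 'Pfsense_SSH_Key'   # same folder name as in the post
$KeyFile  = Join-Path $KeyDir 'pfsense_rsa'

New-Item -ItemType Directory -Path $KeyDir -Force | Out-Null

# Generate the key pair once; ssh-keygen prompts for the passphrase that protects the private key
if (-not (Test-Path $KeyFile)) {
    ssh-keygen -t rsa -b 4096 -f $KeyFile -C "$($User)@pfsense"
}

# This single line goes into User Manager -> Authorized Keys on pfSense
Write-Host "Paste into pfSense Authorized Keys:"
Get-Content "$KeyFile.pub"

# Per-host client config: later connections are just "ssh pfsense"
$SshConfig = Join-Path $env:USERPROFILE '.ssh\config'
New-Item -ItemType Directory -Path (Split-Path $SshConfig) -Force | Out-Null
Add-Content -Path $SshConfig -Value @"

Host pfsense
    HostName $Firewall
    Port $Port
    User $User
    IdentityFile $($KeyFile -replace '\\', '/')
    IdentitiesOnly yes
"@

# Check 1: the server must offer publickey only. With PreferredAuthentications=none the
# server lists what it would accept; "publickey,password" means password login is still on.
ssh -v -o BatchMode=yes -o PreferredAuthentications=none pfsense exit 2>&1 |
    Select-String 'Authentications that can continue'

# Check 2: key login works and the same command as in the post runs
ssh pfsense ifconfig
```

The first check is the one worth keeping: it reads the authentication methods the server advertises, so it tells you whether the “Disable password login for Secure Shell” box actually took effect, independently of whether your own key happens to work.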

Block Facebook on pfSense using the WPAD Autodiscover feature

How to block Facebook over HTTPS on the Squid proxy server without importing IPs/CIDRs or configuring the clients’ browser proxy settings, using the WPAD autodiscover feature for Squid.

Note:

Before you begin reading this article, you must have the proxy filter configured to deny the SocialNet blacklist category under Services / Proxy Filter / Common ACL.

To block Facebook or any other website over HTTPS on pfSense (Squid) without finding all the CIDRs or IPs of Facebook or any other website, we use the Squid proxy’s autodiscover feature, which relies on a WPAD file, similar to how Exchange uses Autodiscover’s XML file.

Prerequisites

  1. To block sites on HTTPS you need the SquidGuard proxy filter installed and configured on pfSense. If you don’t know how, you can look it up here.
  2. To use this feature you have to disable transparent mode on the Squid server. To do so, navigate to Services -> Proxy Server and untick “Transparent HTTP proxy”.
  3. You need the DHCP server up and running, and you need to create DHCP option 252, which provides the HTTP path to the files that we will create further on.
  4. A DNS server configured for the domain, in order to add the required A record for wpad. The clients look that up via the DHCP option mentioned in step 3.

Autodiscover Files

We then create the following files in Notepad and save each of them with a specific extension, as in the snapshot below.

The three files have the same content: a single file with a JavaScript function that tells the browser how to find the proxy hostname and port, i.e. the Squid proxy server’s IP (pfSense’s IP). I will open one of them and show you how I have configured this file.

Note: the IP 10.10.0.155 is my proxy server (pfSense in this case), which has Squid installed and configured.

Once these files are saved, I use a very simple HTTP server tool to host them on any of my servers, on a specific port that clients can reach without any problem. My favourite tool is HFS, which you can download from here:

http://www.rejetto.com/hfs/

Web Server Configuration

After running the HFS application I set it to port 8085 and load all the files, as in the following snapshot.

You can simply load the files by dragging and dropping them under the “Virtual File System” on the right pane.

DNS Configuration

Once this is done we configure the wpad record on our DNS server: an A record pointing to the server where the files are hosted (in my case I installed HFS on the AD/DNS server), which has the IP 10.10.0.150.

Next I go to the client and check if I can resolve wpad …

I tried to resolve the name, but nslookup is not finding the record I created although it is in the DNS. I tried ipconfig /flushdns and restarting the DNS service, but nothing solved the problem.

Lastly I went to the DNS logs to check if there was anything worth noticing, and here is what I got: Error event ID 7600.

Googling this error led me to this Microsoft KB:

http://support.microsoft.com/kb/2003485/en-us

All I had to do was open Registry Editor and delete the wpad entry from the GlobalQueryBlockList value, as follows:

Here is what it looks like after deleting wpad:

Click OK and make sure you restart the DNS Server service.

On the client I flush the DNS cache and do another nslookup attempt.

DHCP Server Configuration

Next, the DHCP server options, as required in the prerequisites earlier. My DHCP server runs on pfSense, and I configure it as follows.

Here I clicked Advanced next to “Additional BOOTP/DHCP options”, entered the DHCP option number I wanted to configure (252), chose String since it is a WPAD URL, and in the Value field entered the URL of the WPAD file on the HFS server, making sure it is reachable by clients.

Next I saved everything. I will watch HFS to monitor client activity (whether they request the file or not), then go to the client and request Facebook over HTTPS.

Note:

For the autodiscover (WPAD) feature to work, Internet Explorer/Firefox must be set to automatically detect settings.

On the HFS server (my AD) I look for any log entries reported once I start browsing. For now it is empty.

I go back to the client and browse Google, for example.

Here, on the client side, I tried to open Facebook over HTTPS and it didn’t work, while other websites work just fine!

On the HFS server, the client (Internet Explorer) requested the file Proxy.pac for its settings, which means that all of our settings are working properly.
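The scripted version of the whole procedure (the three WPAD files, the DNS block list fix, the wpad A record, the DHCP option value and a client-side check), as an added example that is not part of the original post. It runs on the AD/DNS server and assumes Windows Server 2012 or later (DnsServer module). The proxy 10.10.0.155, the HFS host 10.10.0.150 and port 8085 are the values from the post; Squid’s port 3128 (its default, not stated in the post), the zone name corp.local and the output folder are assumptions.

```powershell
# Added example, not from the original post: produce the three WPAD files, make the
# Windows DNS server answer for "wpad", publish the A record, and check what a client
# will fetch. Run on the AD/DNS server (Windows Server 2012 or later, DnsServer module).

$ProxyHost = '10.10.0.155'   # pfSense / Squid (from the post)
$ProxyPort = 3128            # assumption: Squid's default port
$WebHost   = '10.10.0.150'   # HFS server (from the post)
$WebPort   = 8085            # HFS port (from the post)
$ZoneName  = 'corp.local'    # placeholder: your AD DNS zone
$OutDir    = 'C:\wpad'       # placeholder: folder to drop into HFS

# The PAC body: one JavaScript function the browser calls for every URL. Internal and
# private destinations go DIRECT; everything else (HTTPS included) goes through Squid,
# where SquidGuard's SocialNet deny rule is applied.
$pac = @"
function FindProxyForURL(url, host) {
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.$ZoneName") ||
        isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
        isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0")) {
        return "DIRECT";
    }
    return "PROXY ${ProxyHost}:${ProxyPort}";
}
"@

# Same content under the three names different browsers request
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
foreach ($name in 'wpad.dat', 'wpad.da', 'proxy.pac') {
    Set-Content -Path (Join-Path $OutDir $name) -Value $pac -Encoding Ascii
}

# Windows DNS will not answer queries for "wpad" while it is on the global query block
# list (event 7600). Keep isatap blocked and drop only wpad; same effect as the registry
# edit in the post. On 2008 R2 without these cmdlets: dnscmd /config /globalqueryblocklist isatap
$block = Get-DnsServerGlobalQueryBlockList
if ($block.List -contains 'wpad') {
    $keep = @($block.List | Where-Object { $_ -ne 'wpad' })
    if ($keep.Count -gt 0) { Set-DnsServerGlobalQueryBlockList -List $keep }
    else { Set-DnsServerGlobalQueryBlockList -Enable $false }
    Restart-Service -Name DNS
}

# A record wpad.<zone> -> HFS host
if (-not (Get-DnsServerResourceRecord -ZoneName $ZoneName -Name 'wpad' -RRType A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name 'wpad' -IPv4Address $WebHost
}

# Value to enter for DHCP option 252 (type String) on pfSense
$WpadUrl = "http://wpad.$($ZoneName):$WebPort/wpad.dat"
Write-Host "DHCP option 252 = $WpadUrl"

# Client-side view: name resolution and the file the browser will download
Resolve-DnsName -Name "wpad.$ZoneName" -Type A
(Invoke-WebRequest -Uri $WpadUrl -UseBasicParsing).Content
```

The last two lines are the same test as the nslookup and the HFS log check in the post, done from one place: if the name resolves and the PAC text comes back over HTTP, a browser set to “Automatically detect settings” will pick up the proxy.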

Note:

The only thing I did on the Proxy Filter to block Facebook was to deny the SocialNet category, which includes all social media websites. If you want to block only Facebook and leave Twitter, you have to extract the blacklist, create your own facebook folder and text file containing all the Facebook URLs, and upload it to your own FTP or web server.

http://www.shallalist.de/Downloads/shallalist.tar.gz

Reference:

https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

Useful Scripts

To create a script that automatically logs you in to Office 365, SSO or Windows Azure Active Directory, copy the following script into Notepad and save it as auto-login.ps1.

Once the file is saved with the .ps1 extension, run PowerShell as administrator, drag and drop this file into the PowerShell window, and it will log you in automatically.

# Tenant admin credentials; note that the password is kept in clear text in this script
$powerUser = "admin@domain.onmicrosoft.com"
$powerPass = "password"
$password = ConvertTo-SecureString $powerPass -AsPlainText -Force
$LiveCred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $powerUser, $password

# Exchange Online remote PowerShell session
$s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $LiveCred -Authentication Basic -AllowRedirection
$import = Import-PSSession $s

# Azure AD (MSOnline module)
Import-Module MSOnline
Connect-MsolService -Credential $LiveCred
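The same auto-login with the password kept out of the script, as an added example that is not part of the original post. The credential is saved once with Export-Clixml, which stores the password encrypted with DPAPI for the current Windows user on the current machine, and loaded back on every later run; anyone who copies the .ps1 alone gets no password. The credential file path is an assumption; the connection commands are the ones from the post.

```powershell
# Added example, not from the original post: auto-login without a clear-text password
# in the script. The credential file is only readable by the same user on the same machine.
$CredFile = Join-Path $env:USERPROFILE 'o365-admin.cred.xml'   # placeholder path

# One-time setup: prompts for the password and writes the DPAPI-protected credential file
if (-not (Test-Path $CredFile)) {
    Get-Credential -UserName 'admin@domain.onmicrosoft.com' -Message 'Office 365 admin password' |
        Export-Clixml -Path $CredFile
}

# Every later run: read the credential back
$LiveCred = Import-Clixml -Path $CredFile

# Exchange Online session and MSOnline connection, same as the script in the post
$s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell `
        -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $s | Out-Null
Import-Module MSOnline
Connect-MsolService -Credential $LiveCred
```

If the file is copied to another machine or another user profile, Import-Clixml fails to decrypt the password, which is the intended behaviour; just run the one-time setup again there.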

Exporting Mailflow transport rules from Office 365 (Exchange Online)

Exporting Rules

Importing rules

Useful Powershell Cmdlets

Export users licenses and information O365

To export users’ licenses and information from Office 365, use the following script.

First connect to the MSOnline service with a Global admin account:

Connect-MsolService

Get-MsolUser -All | Where {$_.IsLicensed -eq $true } | Select DisplayName,UsageLocation,@{n="Licenses Type";e={$_.Licenses.AccountSKUid}},SignInName,UserPrincipalName,@{n="ProxyAddresses";e={$_.ProxyAddresses}} | Export-Csv -Path C:\ExportlicenseUsage.csv -NoTypeInformation

This exports a file called ExportLicenseUsage.csv to the root of your C: drive. You can open this file with Microsoft Excel and find all the information you’re looking for.

Hope this helps

Testing Office 365 SMTP relay

To test Office 365 SMTP relay you have to create a user with an Exchange Online license. After the mailbox is activated for this user, you can test relaying with the following PowerShell.

First get the credentials of the user that you will use for relaying:

$msolcred = Get-Credential

Next edit the following PowerShell with the user’s e-mail address and the recipient’s:

Send-MailMessage -From RelaySMTPuser@domain.com -To destinationuser@gmail.com -Subject "Test Email" -Body "Test SMTP Relay Service" -SmtpServer smtp.office365.com -Credential $msolcred -UseSsl -Port 587


https://technet.microsoft.com/en-us/library/dn554323(v=exchg.150).aspx

This test is known as client SMTP submission. You can also use a different method for multiple devices, where you configure them all to point to a single server (IIS), known as IIS for relay with Office 365; however, all methods that involve Office 365 only for relay require a user with an Exchange Online license assigned.

https://technet.microsoft.com/en-us/library/dn592151%28v=exchg.150%29.aspx

Search for users whose display name starts with particular letters

Mohammed Hamada 5:49 AM Exchange Online , Office 365 , Office365 , Powershell

To search your Office 365 users by the initial characters of their names:

First connect to the Microsoft Online service.

To search for users whose display names start with “Top”, use the following PowerShell:

get-msoluser -all | where-object {$_.displayname -like "top*"} | ft displayname,userprincipalname,proxyaddresses

Search for users whose UPN starts with “TOP”:

get-msoluser -all | where-object {$_.userprincipalname -like "top*"} | ft displayname,userprincipalname,proxyaddresses

Office 365: Add an additional accepted domain to users’ SMTP addresses

Mohammed Hamada 5:50 AM Exchange Online , Office 365 , Office365 , Powershell

If you configured hybrid integration between Exchange 2010/2013 and Office 365 using DirSync or the Azure Active Directory Sync tool and then stopped the synchronization, the accepted domains and additional domains are removed from the users’ attributes in the cloud. To add these accepted domains again to all of the Office 365 users:

First we connect to Exchange Online with PowerShell. Launch Azure PowerShell as Admin and copy the following, line by line.

1- $UserCredential = Get-Credential

2- $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

3- Import-PSSession $Session

First we show the users’ existing SMTP addresses, using the following PowerShell cmdlet.

For all users:

4- Get-Mailbox | fl -Property Alias, WindowsLiveID, EmailAddresses

For one user:

Get-Mailbox -Identity user@domain.com | fl -Property Alias, WindowsLiveID, EmailAddresses

Procedure to add an additional accepted domain to all users in the Office 365 tenant.

Note:

The domain must be verified in Office 365 before applying these steps.

1- $users = Get-Mailbox

2- foreach ($a in $users) {$a.emailaddresses.add("smtp:$($a.alias)@AdditionalDomain.com")}

3- $users | %{Set-Mailbox $_.Identity -WindowsEmailAddress $_.WindowsEmailAddress}
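The same outcome as steps 1-3 written so it can be re-run safely, as an added example that is not part of the original post. It uses Set-Mailbox -EmailAddresses @{Add=...} to write the new secondary address per mailbox, skips mailboxes that already have it, checks first that the domain is an accepted domain (otherwise Set-Mailbox rejects the address), and previews before changing anything. It assumes the Exchange Online session opened above; AdditionalDomain.com is the placeholder used in the post.

```powershell
# Added example, not from the original post: idempotent version of the add-domain steps.
# Assumes an open Exchange Online PowerShell session.
$NewDomain = 'AdditionalDomain.com'   # placeholder, as in the post
$Preview   = $true                    # $true: report only; $false: apply the change

# Guard: the domain must already be an accepted (verified) domain of the tenant
if (-not (Get-AcceptedDomain | Where-Object { $_.DomainName.ToString() -eq $NewDomain })) {
    throw "$NewDomain is not an accepted domain in this tenant"
}

$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $newAddress = "smtp:$($mbx.Alias)@$NewDomain"      # lower-case smtp: = secondary address
    $existing   = $mbx.EmailAddresses | ForEach-Object { $_.ToString() }
    if ($existing -contains $newAddress) {               # -contains is case-insensitive
        $state = 'already present'
    } elseif ($Preview) {
        $state = 'would add'
    } else {
        Set-Mailbox -Identity $mbx.Identity -EmailAddresses @{Add = $newAddress}
        $state = 'added'
    }
    New-Object PSObject -Property @{ Mailbox = $mbx.PrimarySmtpAddress; Address = $newAddress; Result = $state }
}
$report | Format-Table Mailbox, Address, Result -AutoSize
```

Run it once with $Preview = $true, check the “would add” list against what you expect (shared mailboxes and resources included), then set $Preview = $false. The primary address is never touched; the post’s step 4 view (Get-Mailbox | fl -Property Alias, WindowsLiveID, EmailAddresses) is a good way to confirm the result.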

Setting up a signature or disclaimer for all users in Office 365 Exchange Online

The Story

To set up a signature for all Office 365 Exchange Online users without manually configuring each client, you can use mail flow rules to append the signature to each and every outgoing email.
To do so, go to the Office 365 Exchange admin center, navigate to Mail flow -> Rules and click the + sign.

Click on “Apply disclaimers…”

When the new rule opens, give it a name and set the conditions for the rule. An empty form looks like this:

Here is what mine looks like:
I chose “The sender address includes” a specific domain, then in the “Append the disclaimer” part I entered HTML code that includes all the user details.

After applying the disclaimer I chose “Wrap” as the fallback action, and in the exceptions I added a condition that skips adding the disclaimer and signature to any reply message by matching the word “RE” in the subject.

The disclaimer code is as follows; you may want to customize it according to your needs.

Code:

<div style="font-size:9pt; font-family: 'Calibri',sans-serif;">
%%DisplayName%%<br>
%%Department%%<br>
%%Email%%<br>
<br>
<!-- placeholder: replace with the HTTP URL of your own logo -->
<div><img alt="Logo" src="http://www.companywebsite.com/logo.jpg">
<p>Tel: %%PhoneNumber%%<br>
Gsm: %%MobileNumber%%<br>
Fax: %%FaxNumber%%<br>
Address: %%Street%%</p></div>
<span style="font-size:12pt; font-family: 'Cambria','times new roman','garamond',serif; color:#100101;">Disclaimer</span><br>
<p style="font-size:8pt; line-height:10pt; font-family: 'Cambria','times roman',serif;">________________________________________
<br>
<span style="padding-top:10px; font-weight:bold; color:#CC0000; font-size:10pt; font-family: 'Calibri',Arial,sans-serif;"><a href="http://www.companywebsite.com">http://www.companywebsite.com</a></span><br><br>
________________________________________<br>
<span style="font-size:10pt; font-family: 'Cambria','times new roman','garamond',serif; color:#928E8E;">This e-mail and any information included within any attached document are private and confidential and intended solely for the addressee. Company name does not accept any legal responsibility for the contents of this message and any attached documents. If you are not the intended addressee, it is forbidden to disclose, use, copy, or forward any information within the message or engage in any activity regarding the contents of this message. In such case please notify the sender and delete the message from your system immediately. Company name also denounces any legal responsibility for any amendments made on the electronic message and the outcome of these amendments, as well as any error and/or defect, virus content and any damage that may be given to your system.</span>
</p>
<span style="padding-top:10px; font-weight:bold; color:#CC0000; font-size:10pt; font-family: 'Calibri',Arial,sans-serif;"><a href="http://www.companywebsite.com">Company Name</a></span><br><br>
</div>

I have highlighted the customizable parts of the code in yellow and red so you can change them to fit your needs.
The display name, department, email, etc. are variables for user attributes pulled from Microsoft Azure AD, so if your users don’t have that information filled in, nothing will show for those fields.

Note that for the red highlighted logo link you must use an HTTP link for the uploaded logo of your company; an HTTPS link will not be accepted or read.

If you’re new to HTML, you can use the following links for testing and changing colors, etc.:

http://www.w3schools.com/html/tryit.asp?filename=tryhtml_basic_document
For color changing:
http://html-color-codes.info/

Using the w3schools.com page, paste the code in the left pane and click “See Result”; the result shows in the right pane.

See how it looks:

Once you’re done with the code, copy and paste it into the disclaimer text on the right pane, then click Save. It will probably take about 10 minutes or less to be applied.

To test whether this works, I go to one of the users the rule applies to, fill in their details (display name, e-mail, street, etc.) and send an email as this user.

The mail body is empty, as you can see:
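The same rule created from the Exchange Online PowerShell session instead of the admin center, as an added example that is not part of the original post. It reads the HTML from a file, sets the sender-domain condition, the “RE” subject exception and the Wrap fallback described above, and lists which %%...%% attribute tokens the HTML relies on, so you can check those attributes are populated in Azure AD before users complain about blank lines. The rule name, the sender domain domain.com and the HTML file path are placeholders; it assumes an open Exchange Online session.

```powershell
# Added example, not from the original post: disclaimer rule via New-TransportRule.
# Assumes an open Exchange Online PowerShell session. Placeholders: rule name, domain, file path.
$RuleName   = 'Company signature'
$SenderDom  = 'domain.com'                         # "sender address includes" domain
$HtmlFile   = 'C:\signature\disclaimer.html'       # the HTML from the post, saved as a file

$Html = Get-Content -Path $HtmlFile -Raw

# Which Azure AD attributes the HTML depends on; blank attributes render as nothing
$tokens = [regex]::Matches($Html, '%%(\w+)%%') | ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
Write-Host "Attribute tokens used by the disclaimer: $($tokens -join ', ')"

# Create the rule only if it does not exist yet, so the script can be re-run
if (-not (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $RuleName `
        -SenderDomainIs $SenderDom `
        -ExceptIfSubjectContainsWords 'RE' `
        -ApplyHtmlDisclaimerLocation Append `
        -ApplyHtmlDisclaimerText $Html `
        -ApplyHtmlDisclaimerFallbackAction Wrap
} else {
    # Existing rule: only refresh the HTML
    Set-TransportRule -Identity $RuleName -ApplyHtmlDisclaimerText $Html
}

# Confirm what was stored and that the rule is enabled
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, SenderDomainIs, ExceptIfSubjectContainsWords, ApplyHtmlDisclaimerLocation, ApplyHtmlDisclaimerFallbackAction
```

Keeping the HTML in a file and updating it with Set-TransportRule avoids re-pasting the whole block into the portal every time a phone number or the logo changes, and the token list gives you something concrete to check in Get-User / Get-MsolUser for the test mailbox mentioned above.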

del.icio.us Tags: Exchange Online,ExchangeOnline,Office365,Office 365,Signature

Reference: 
https://technet.microsoft.com/en-us/library/dn600437(v=exchg.150).aspx

Set OWA redirection from On-premises OWA to Office 365

If you ran the Hybrid Configuration Wizard and notice that users migrated from Exchange on-premises to Office 365 are not redirected to the Office 365 OWA page, go through the following to check whether there is an issue and fix it.

Normally this is done automatically when running the HCW (Hybrid Configuration Wizard), but in some cases it might be missing, and then when a migrated user tries to log in on the local Exchange OWA page the user is not redirected to Office 365 OWA and gets an error.

Resolution:

To make sure that redirection is the problem, open the Exchange Management Shell and run the command below to see for yourself whether TargetOwaURL is set.

In the screenshot below, the value for TargetOwaURL is not set, so we have to set it as in the snapshot after that.

TargetOwaURL points to the OWA URL of the tenant:

http://outlook.com/owa/domain.onmicrosoft.com

The target URL must look like the following snapshot.

To resolve this, run the cmdlet:

Set-OrganizationRelationship "On Premises to Exchange Online Organization Relationship" -TargetOwaURL:http://outlook.com/owa/domain.onmicrosoft.com

Office 365 mail flow in Hybrid doesn’t work after you whitelist Office 365 IPs on your SMTP gateway

I deployed a hybrid environment for a customer with Exchange 2010 SP3 and over 11K users. The customer used an SMTP gateway for spam protection and didn’t want to disable or bypass the gateway during or after the hybrid deployment; they wanted to keep their gateway permanently.

While Microsoft doesn’t support SMTP gateways in a hybrid environment, I had to find a way to configure this gateway to allow all incoming and outgoing email between the Office 365 tenant and Exchange on-premises, using the whitelist feature in all of its services (anti-spam, antivirus, anti-spoofing, etc.).

After configuring the hybrid deployment, I had a problem with mail flow from/to Exchange Online.

I checked all of Microsoft’s Office 365 / Exchange Online / Exchange Online Protection IPs and CIDRs in order to whitelist them, or add them to the ignore list on the SMTP gateway, so that mail between Exchange on-premises and Exchange Online would not be checked, but that didn’t work until I found a Microsoft article that had been modified very recently (31-05-2016).

Click here for the link

The article mentioned that the IP list had been updated, including a list of removed IPs.

While tracing the logs in the Office 365 message trace tool I noticed that the connection to the SMTP gateway was refused due to an IP that the Microsoft article described as “removed” but which was still being used to send email from Exchange Online.

The IP 213.199.154.78 was greylisted on the SMTP gateway because it had not been added to the whitelist.

If you read the article you’ll notice that the subnet 213.199.154.0 is listed as removed, so adding the IP to the whitelist solved the problem for me.

REF:

https://technet.microsoft.com/en-us/library/dn163581(v=exchg.150).aspx

https://technet.microsoft.com/library/dn163583(v=exchg.150).aspx

Hope this helps

For any questions or inquiries please mail me at info@moh10ly.com

Importing PST to Office 365 Exchange online mailboxes through the new Import Service

Note:

Microsoft has decided to charge for this service ($8 for each GB) …

Microsoft has launched a new feature that allows administrators to import PST files into Exchange Online directly through the portal.

In this article I’ll guide you through the steps of uploading one PST file and importing it into a user’s mailbox. The steps are identical to Microsoft’s TechNet article, but this is more detailed and includes screenshots.

To achieve this, first sign in to your Office 365 portal, open the Exchange admin center and follow the steps below:

1. Granting permission

Grant yourself permission to import PSTs into users’ mailboxes by navigating to Exchange admin center -> Permissions and double-clicking Compliance Management.

Under Roles, click + and add the Mailbox Import Export role.

Under Members, click + and add your user account.

2. Copy the secure URL and secure storage account key

To get the Azure secure storage account key and URL, go back to the Office 365 portal and click the Import tab on the left pane.

Then click the key sign below.

When you click it, you can retrieve the key and the URL by clicking Copy Key and Copy URL.

The secure storage account key is quite long; be aware that you might get confused and copy only the visible portion of the field. If you do so and use that in the AzCopy command or Azure Storage Explorer, you will get an error.

Here is the secure storage account key that I am using on a trial version of Office 365:

KA9Z00rEYa1JlqGE4wO222MnsN5ywT0elOgLeNht/fSMIJPe2134hEChuuDJ5mfdknq8ts0+cez6uUvFzcQd6g==

Next: copying the URL.

The URL has an important part that you will use in the Azure Storage Explorer tool to log in and browse your tenant’s storage, where you upload the PSTs.

The URL appears as follows. You need to copy the part in bold:

https://d49d7ae0e38a4d8e9c93565.blob.core.windows.net/ingestiondata/

You have to copy this into the storage account name:

d49d7ae0e38a4d8e9c93565

3. Copying PST files to the Azure folder using the AzCopy command or Azure Storage Explorer

To upload PST files to Azure you have two methods: the AzCopy command, which is pretty easy and straightforward (but still command-line based), or the GUI application Azure Storage Explorer.

To download AzCopy, use the following link:

http://az635501.vo.msecnd.net/azcopy-3-2-0/MicrosoftAzureStorageTools.msi

Or download it from the Import page under Resources:

Once the tool is installed, right-click it and open it as administrator.

The following command takes all the files inside my local folder C:\Users\Mohammed\Desktop\upload.

It creates a folder called SERVER01/PSTshareR1/ inside Azure’s default ingestiondata container.

It uses the destination key that I retrieved from the Office 365 Import window, and writes the log to the local file C:\PSTUpload\Uploadlog.log.

AzCopy /Source:C:\Users\Mohammed\Desktop\upload /Dest:https://d49d7ae0e38a4d8e9c93565.blob.core.windows.net/ingestiondata/SERVER01/PSTshareR1/ /Destkey:KA9Z00rEYa1JlqGE4wO222MnsN5ywT0elOgLeNht/fSMIJPe2134hEChuuDJ5mfdknq8ts0+cez6uUvFzcQd6g== /S /V:C:\PSTUpload\Uploadlog.log

To make sure the files are uploaded, I open Azure Storage Explorer 6 (Preview) and click Add Account at the top.

In the Add Storage Account window I use the blob name that I got from the URL earlier as the storage account name, enter the secure key in the storage account key field below, and click Save.

Once I do that I get a list of directories. The default directory used by Office 365 is the ingestiondata folder; our files are uploaded there.

https://azure.microsoft.com/en-us/documentation/articles/storage-use-azcopy/

4. Create the CSV file to import the PSTs

Assuming you have 150 PST files that you want to upload and import into users that are already enabled on Exchange Online, you have to prepare a CSV file like the sample below.

To explain what each column stands for, Microsoft has written a table that clears things up, but some parts were not clear even for me, such as FilePath, because the TechNet article confuses it with the “Ship data on physical hard drives” option, which uses your drive to upload data directly to Azure through the Import tool on the Office 365 portal.

From <https://technet.microsoft.com/library/ms.o365.cc.IngestionHelp.aspx?v=15.1.166.0&l=1&f=255&MSPPError=-2147217396>

Note:

The friendly path here is the path of the folder you created in Azure with the AzCopy command:

AzCopy /Source:C:\Users\Mohammed\Desktop\upload /Dest:https://d49d7ae0e38a4d8e9c93565.blob.core.windows.net/ingestiondata/SERVER01/PSTshareR1/ /Destkey:KA9Z00rEYa1JlqGE4wO222MnsN5ywT0elOgLeNht/fSMIJPe2134hEChuuDJ5mfdknq8ts0+cez6uUvFzcQd6g== /S /V:C:\PSTUpload\Uploadlog.log

CSV Sample

So the CSV file is ready.

In Azure Storage Explorer I double-checked that the PST files have finished uploading and are there.
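The mapping CSV for step 4 generated from the PST files in the local upload folder, as an added example that is not part of the original post. The column names are those of the Office 365 PST import mapping file; FilePath is the friendly path SERVER01/PSTshareR1 created by the AzCopy command above. The rule that a PST file name (without .pst) is the user’s UPN prefix, the tenant domain and the output path are assumptions; adjust the name-to-mailbox rule for your own naming.

```powershell
# Added example, not from the original post: build the PST import mapping CSV from the
# files in the upload folder. Assumption: "<alias>.pst" belongs to <alias>@$Domain.
$Source   = 'C:\Users\Mohammed\Desktop\upload'   # local folder uploaded with AzCopy (from the post)
$FilePath = 'SERVER01/PSTshareR1'                # folder created under ingestiondata (from the post)
$Domain   = 'domain.onmicrosoft.com'             # placeholder tenant domain
$Csv      = 'C:\PSTUpload\PstImportMapping.csv'  # placeholder output path

$rows = Get-ChildItem -Path $Source -Filter *.pst | ForEach-Object {
    [pscustomobject]@{
        Workload            = 'Exchange'
        FilePath            = $FilePath
        Name                = $_.Name                    # file name exactly as it exists in Azure
        Mailbox             = "$($_.BaseName)@$Domain"   # assumed naming convention
        IsArchive           = 'FALSE'                    # TRUE to import into the online archive
        TargetRootFolder    = ''                         # blank: a new "Imported" folder, as in the post's screenshots
        SPFileContainer     = ''                         # SharePoint-only columns, left empty for Exchange
        SPManifestContainer = ''
        SPSiteUrl           = ''
    }
}

$rows | Export-Csv -Path $Csv -NoTypeInformation -Encoding ASCII
Write-Host "$($rows.Count) mapping rows written to $Csv"

# Optional, with an Exchange Online session open: confirm each target mailbox exists
# before uploading the mapping, so the import job does not fail part-way through
foreach ($row in $rows) {
    if (-not (Get-Mailbox -Identity $row.Mailbox -ErrorAction SilentlyContinue)) {
        Write-Warning "No mailbox for $($row.Mailbox) (file $($row.Name))"
    }
}
```

The file names in the Name column must match what was uploaded byte for byte, including case, which is why they are taken from the folder listing rather than typed; the mailbox check at the end catches the typical mistake of a PST named for a user who has not been licensed yet.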

5. Using Upload files over the network

Back in the Office 365 portal, go to Import, click the + sign and select Upload files over the network.

Select “I have access to the mapping file” as well.

Click + and upload the CSV file that you prepared for the mapping.

Once the file is imported, tick “By checking this box, you agree to the terms and conditions of this service”.

As soon as you accept and click Next, the import checks the path, email and folder and starts the import process.

Email before importing:

Import started; the folder has been created:

Importing is done:

Reference

https://technet.microsoft.com/library/ms.o365.cc.IngestionHelp.aspx?v=15.1.166.0&l=1&f=255&MSPPError=-2147217396#BKMK_CreateAnewMappingtoupload

https://azure.microsoft.com/en-us/documentation/articles/storage-use-azcopy/

Import Microsoft IP addresses into the receive connector

Sometimes when you run the Office 365 Hybrid Configuration Wizard from Exchange 2010, after successfully completing the integration not all of Microsoft’s IPs are imported into the “Inbound from Office 365” receive connector, so you might have to add them manually on your on-premises Exchange server.

To do so, open the Exchange Management Shell as Administrator and run the following cmdlets.

[PS] C:\>$RecvConn = Get-ReceiveConnector "Inbound from Office 365"

[PS] C:\>$RecvConn.RemoteIPRanges += "65.52.148.27", "65.52.184.75", "65.52.208.73", "65.52.240.233", "65.54.80.0/20", "65.54.165.0/25", "65.55.86.0/23", "65.55.233.0/27", "70.37.128.0/23", "65.54.54.32/27", "65.54.55.201", "65.54.74.0/23", "70.37.142.0/23", "70.37.159.0/24", "94.245.68.0/22", "65.55.239.168", "70.37.97.234", "94.245.86.0/24", "94.245.117.53", "94.245.108.85", "94.245.82.0/23", "94.245.84.0/24", "132.245.0.0/16", "157.56.23.32/27", "157.56.53.128/25", "157.55.155.0/25", "157.56.55.0/25", "157.56.58.0/25", "157.55.59.128/25", "157.55.145.0/25", "157.55.185.100", "157.55.194.46", "157.55.227.192/26", "157.56.151.0/25", "157.56.200.0/23", "157.56.236.0/22", "207.46.216.54", "207.46.57.128/25", "207.46.70.0/24", "207.46.73.250", "207.46.150.128/25", "207.46.198.0/25", "207.46.206.0/23", "213.199.148.0/23", "213.199.182.128/25"

[PS] C:\>Set-ReceiveConnector "Inbound from Office 365" -RemoteIPRanges $RecvConn.RemoteIPRanges

Press Enter after each line, and you will find all those IPs in your connector.
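A check that serves both this post and the greylisting post above, as an added example that is not part of the original posts: given an IP seen in a message trace (213.199.154.78 in the earlier post), find out whether any range on the receive connector or the gateway whitelist already covers it before adding anything. The range list in the block is a constructed subset of the ranges above; the commented lines at the end run the same check against the live connector. Only PowerShell 2.0-compatible arithmetic is used so it runs in the Exchange 2010 Management Shell.

```powershell
# Added example, not from the original posts: is a sending IP inside a list of
# ranges written the way Exchange shows them ("a.b.c.d", "a.b.c.d/nn", "a.b.c.d-e.f.g.h")?

function ConvertTo-IPv4Number {
    param([string]$IPAddress)
    $bytes = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    [Array]::Reverse($bytes)                     # network order -> little-endian for BitConverter
    [uint64][System.BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InRange {
    param([string]$IPAddress, [string]$Range)
    $ip = ConvertTo-IPv4Number $IPAddress
    if ($Range -match '^(.+)-(.+)$') {           # low-high form
        return ($ip -ge (ConvertTo-IPv4Number $Matches[1])) -and ($ip -le (ConvertTo-IPv4Number $Matches[2]))
    }
    $net, $bits = $Range.Split('/')              # single IP or CIDR
    if (-not $bits) { $bits = '32' }
    # mask = 0xFFFFFFFF with the low (32-bits) bits cleared; Pow keeps this PowerShell 2.0 compatible
    $mask = [uint64]4294967295 - ([uint64][math]::Pow(2, 32 - [int]$bits) - 1)
    return (($ip -band $mask) -eq ((ConvertTo-IPv4Number $net) -band $mask))
}

function Get-CoveringRanges {
    param([string]$IPAddress, [string[]]$Ranges)
    $Ranges | Where-Object { Test-IPv4InRange -IPAddress $IPAddress -Range $_ }
}

# Constructed subset of the connector ranges from the post
$ConnectorRanges = '65.52.148.27', '65.54.80.0/20', '132.245.0.0/16', '213.199.148.0/23', '213.199.182.128/25'

# One address inside 132.245.0.0/16, and the one the message trace showed being greylisted
foreach ($sender in '132.245.10.20', '213.199.154.78') {
    $hit = Get-CoveringRanges -IPAddress $sender -Ranges $ConnectorRanges
    if ($hit) { "$sender is covered by $($hit -join ', ')" }
    else      { "$sender is NOT covered: add it to the connector / gateway whitelist or expect greylisting" }
}

# Live check from the Exchange Management Shell (same connector name as the post):
# $live = (Get-ReceiveConnector 'Inbound from Office 365').RemoteIPRanges | ForEach-Object { $_.ToString() }
# Get-CoveringRanges -IPAddress '213.199.154.78' -Ranges $live
```

With the constructed list, 132.245.10.20 is reported as covered by 132.245.0.0/16 and 213.199.154.78 as not covered, since 213.199.148.0/23 only spans 213.199.148.0 to 213.199.149.255; that is exactly the gap that produced the greylisting in the earlier post, found before any mail is lost rather than from the message trace afterwards.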

Export Office 365 users from specific domain and change their passwords

First you need to connect to your tenant with your global admin account using the following script:

Import-Module MSOnline

$O365Cred = Get-Credential

$O365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection

Import-PSSession $O365Session

Connect-MsolService -Credential $O365Cred

After connecting, run the following command, which exports all users in a specific domain added to your portal (useful if you have more than one domain there):

Get-MsolUser -DomainName Domain.com | Select UserPrincipalName | Export-Csv C:\users.csv -NoTypeInformation

Change the passwords for those users with the following command; after pressing Enter you get a prompt to enter the new password that you want to set for all users in the exported file.

$PASS = Read-Host

Run this command to change the passwords:

Import-Csv C:\Users.csv | % {Set-MsolUserPassword -UserPrincipalName $_.UserPrincipalName -NewPassword $PASS -ForceChangePassword $True}

That’s it. The users in the exported CSV file now have the new password you just set.

Note that users will be prompted to reset their passwords upon login; if you don’t want this to happen, remove the -ForceChangePassword $True parameter.
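The same bulk reset with a different random temporary password per user, as an added example that is not part of the original post. One password shared by every account in the file means any of those users can sign in as any other until all of them have changed it; per-user values close that window, and keeping -ForceChangePassword $True makes them short-lived. It assumes the MSOnline connection and the C:\Users.csv export from above; the output file path is a placeholder.

```powershell
# Added example, not from the original post: per-user random temporary passwords
# instead of one shared value. Assumes Connect-MsolService has been run.

function New-RandomPassword {
    param([int]$Length = 16)
    # 64 characters, so a byte modulo 64 is uniform; ambiguous ones (0/O, 1/l/I) left out
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%&*+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)                                     # OS CSPRNG, not Get-Random
    -join ($bytes | ForEach-Object { $alphabet[[int]$_ % $alphabet.Length] })
}

$results = Import-Csv C:\Users.csv | ForEach-Object {
    $pw = New-RandomPassword
    Set-MsolUserPassword -UserPrincipalName $_.UserPrincipalName -NewPassword $pw -ForceChangePassword $true | Out-Null
    New-Object PSObject -Property @{ UserPrincipalName = $_.UserPrincipalName; TemporaryPassword = $pw }
}

# One file for hand-out to the help desk; delete it once the users have signed in
$results | Select-Object UserPrincipalName, TemporaryPassword |
    Export-Csv C:\users-reset.csv -NoTypeInformation
```

Sixteen characters keeps within the password length Azure AD accepted for Set-MsolUserPassword; if your tenant enforces a different policy, change $Length and the alphabet together so the modulo stays unbiased (alphabet size must divide 256).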

del.icio.us Tags: Office365,Office 365,Exchange Online,Azure