Microsoft Certified System Administrator on Microsoft Windows Server 2003
Before you start.
Once your lab network is set up, follow these steps to establish a site-to-site VPN between your environment and Azure, essentially making the cloud part of your environment.
1- Log on to the Azure Portal and create a new virtual network. Click the NETWORKS link in the left navigation pane and then click the +NEW button on the bottom toolbar.
Select VIRTUAL NETWORK and then CUSTOM CREATE.
2- In the wizard that pops up, give your network a meaningful name, select the region you want to deploy it in, and create and name an affinity group.
Affinity groups are a way to tell the Fabric Controller that two elements, compute and storage, should always be kept together and close to one another. When the Fabric Controller searches for the best-suited container to deploy those services, it looks for one where it can place both in the same cluster, keeping them as close as possible, which reduces latency and increases performance.
So in summary, affinity groups give us compute and storage that are co-located, and therefore lower latency between them.
3- In the next screen you need to list the DNS servers you want the machines in your new virtual network to use for name resolution. In our case DC1 is the DC in our on-premises lab. I've added an internet DNS server just in case (keep DC1 first in the list: a public resolver cannot answer for your AD domain).
4- The next step is to identify your on-premises network by giving it a name, defining the address space you are using, and entering the external IP address of the edge device. In my case I'm using a Cisco ASA 5505 security appliance. (Please note that since this is my private lab, not a canned demo environment, I have blanked out the address and some identifiable information.)
Azure uses this information to configure the routing in your virtual network and across the gateway we will set up in the next few steps.
5- In the Virtual Network Address Space screen you get to design how your virtual network is laid out.
In my case I assigned the private 10.0.0.0/8 range (RFC 1918), which can hold about 16 million addresses, to my cloud network. (Think BIG, I always say.)
You then need to carve that address space into usable subnets and name them.
For my virtual network I used 10.10.1.0/24 as my infrastructure subnet (AZR-Lab-Infra) and created 10.10.2.0/24 as a publicly accessible subnet (AZR-Lab-Public), in case I decide to add public services.
Finally, click the "Add gateway subnet" button and configure that subnet: 10.10.3.0/24 in my case. The gateway subnet must be carved out of the address space like any other subnet, so a prefix such as /8 (the whole 10.0.0.0/8 block) is not valid here; also make sure that neither this nor any other subnet overlaps the on-premises ranges you entered in step 4, or the tunnel will have nothing to route.
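Before creating the gateway it is worth checking the plan on paper. The following Python script is an added example (not part of the original post) that applies the three rules the address-space screen enforces: every subnet must be a valid CIDR block inside the address space, subnets must not overlap each other, and the on-premises range must not overlap the virtual network. It uses the post's own subnet names; the on-premises range is assumed, since the post redacts it, and the gateway subnet is deliberately given the prefix 10.10.3.0/8 so the check can show what a wrongly sized gateway subnet looks like.

```python
import itertools
import ipaddress

# Constructed sample plan. Subnet names follow the post; the /8 on the gateway
# subnet is the wrong prefix the check is meant to catch.
ADDRESS_SPACE = "10.0.0.0/8"
SUBNETS = {
    "AZR-Lab-Infra": "10.10.1.0/24",
    "AZR-Lab-Public": "10.10.2.0/24",
    "GatewaySubnet": "10.10.3.0/8",
}
# Assumed on-premises range; the post redacts the real one.
ONPREM_RANGES = ["192.168.10.0/24"]


def check_plan(address_space, subnets, onprem_ranges):
    """Return a list of problems with a VNet plan; an empty list means it is sound."""
    problems = []
    space = ipaddress.ip_network(address_space)
    if not space.is_private:
        problems.append("address space %s is not an RFC 1918 range" % address_space)

    nets = {}
    for name, cidr in subnets.items():
        try:
            # strict=True rejects a prefix that does not cover the host bits
            # (10.10.3.0/8) instead of silently widening it to 10.0.0.0/8.
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append("%s: %s is not a valid subnet (%s)" % (name, cidr, exc))
            continue
        if not net.subnet_of(space):
            problems.append("%s: %s lies outside %s" % (name, cidr, address_space))
            continue
        nets[name] = net

    # Subnets inside one virtual network must not overlap each other.
    for (n1, a), (n2, b) in itertools.combinations(nets.items(), 2):
        if a.overlaps(b):
            problems.append("%s (%s) overlaps %s (%s)" % (n1, a, n2, b))

    # A site-to-site tunnel cannot route between overlapping address spaces.
    for cidr in onprem_ranges:
        if ipaddress.ip_network(cidr).overlaps(space):
            problems.append("on-premises %s overlaps the VNet address space %s"
                            % (cidr, address_space))

    if "GatewaySubnet" not in subnets:
        problems.append("no GatewaySubnet defined; the VPN gateway needs one")
    return problems


if __name__ == "__main__":
    for line in check_plan(ADDRESS_SPACE, SUBNETS, ONPREM_RANGES) or ["plan OK"]:
        print(line)
```

Run it once with the plan as typed and again after correcting the gateway subnet to a /24; the first run reports the gateway subnet, the second reports nothing.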
6- Now that we have defined both our virtual network layout and our on-premises network, we can create the gateway that joins them. In the Azure Portal, select NETWORKS in the left menu, then click the virtual network you just created (AZR-Lab in my case).
7- Once the virtual network details load in the portal, click CREATE GATEWAY. Because I'm using a Cisco ASA 5505 security appliance as my edge device, I have to use Static Routing (the policy-based gateway type). Once the process starts it takes a while; take this opportunity to visit MVA.
8- When you come back the gateway will be complete and the public IP address of your VPN endpoint will be listed in the portal. (Again, the address has been redacted to protect the innocent; in this case, me.)
9- After the gateway has been created, you can gather the information your network administrator needs to configure the VPN device, and download the VPN device configuration script for your device's vendor and platform.
Since I have a business-grade edge device, my Cisco ASA 5505 appliance, I will select it.
If you don't see your VPN device in the drop-down list, see "About VPN Devices for Virtual Network" in the MSDN library for additional script templates.
10- Now you can configure your VPN device. Copy the contents of the configuration file you downloaded in the last step to the clipboard. Open the Cisco ASDM application that manages the edge device and, in the Tools menu, select Command Line Interface.
11- Select Multiple Line.
12- Paste the contents of the configuration file into the commands window and click Send to push the script to the appliance. Review the script before sending it: it contains the pre-shared key of the tunnel, so treat the downloaded file as a secret and delete it once the ASA is configured.
13- Once that is done the two networks will connect and the VPN tunnel will come up. If the connection does not happen right away, click the CONNECT button at the bottom of the portal to initiate it. Once it is connected the portal shows the connected state.
Cue the time machine. After I created a virtual machine on my virtual network, I was able to ping it from one of my local Windows 8 lab machines.
We are done!
We have now extended a four-machine lab in my home office to include a chunk of the cloud. It's a piece of network we can leverage for a multitude of services, but those will have to wait for other posts.
In this article, we will see how to configure HTTP or HTTPS Settings in the ICM for SAP NWBC 3.5.
Prerequisite: you must have SAP GUI and SAP NWBC 3.5 installed on your desktop in order to log on. A basic understanding of SAP NWBC will also help you follow this article.
As most of us know, the basic purpose of SAP NWBC is to have all the required applications and traditional SAP transactions on a single platform.
The Internet Communication Manager (ICM) enables communication between your SAP systems and the Internet using the HTTP or HTTPS protocols for the Business Client applications. NWBC (both the shell and most canvas types) uses HTTP to access an ABAP server, so at least one HTTP or HTTPS port must be configured and active.
Let's look at the steps to check whether an HTTP or HTTPS service exists for a given backend SAP system, so that the shell and the ABAP server can communicate.
Go to transaction code SMICM.
Then check whether the HTTP or HTTPS service is active using Goto -> Services.
We can see that the HTTP service is active in this case.
If it is not active, create or change it and then activate it.
Please note that any changes you make here are lost when the ICM restarts. If you want to create or change a service permanently, you must do so with the profile parameter icm/server_port_<xx> (one entry per port, giving at least PROT=HTTP or PROT=HTTPS and the PORT number), which takes effect after the instance is restarted.
You may not be able to change it if you don't have the correct authorizations. Check with your BASIS team and have them make the change. Prefer an HTTPS port for NWBC: with plain HTTP the logon credentials and the session cookies cross the network unencrypted.
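Added example (not from the original article): a small Python script that parses icm/server_port_<xx> lines out of an instance profile and applies the rule stated above, that at least one HTTP or HTTPS port must be active. The parameter name and option keys (PROT, PORT, TIMEOUT, PROCTIMEOUT) are SAP's; the profile content and port numbers are assumed sample values, and PORT=0 is treated as "service defined but not listening".

```python
import re

# Constructed sample of an instance profile. Parameter names are SAP's; the
# values are assumed for illustration.
SAMPLE_PROFILE = """\
# ICM ports: HTTP on 8000, HTTPS on 44300
icm/server_port_0 = PROT=HTTP,PORT=8000,TIMEOUT=60,PROCTIMEOUT=600
icm/server_port_1 = PROT=HTTPS,PORT=44300,TIMEOUT=60,PROCTIMEOUT=600
icm/server_port_2 = PROT=SMTP,PORT=0
login/password_expiration_time = 90
"""

PARAM_RE = re.compile(r"^\s*icm/server_port_(\d+)\s*=\s*(.+?)\s*$")


def parse_icm_ports(profile_text):
    """Return {index: {OPTION: value}} for every icm/server_port_<xx> line."""
    ports = {}
    for line in profile_text.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        match = PARAM_RE.match(line)
        if not match:
            continue
        options = {}
        for item in match.group(2).split(","):
            key, _, value = item.partition("=")
            options[key.strip().upper()] = value.strip()
        ports[int(match.group(1))] = options
    return ports


def check_nwbc_ports(ports):
    """Apply the NWBC rule: at least one HTTP/HTTPS port with a non-zero PORT.

    Returns a list of findings; an empty list means NWBC can reach the server.
    """
    findings = []
    web = {i: o for i, o in ports.items()
           if o.get("PROT", "").upper() in ("HTTP", "HTTPS") and o.get("PORT", "0") != "0"}
    if not web:
        findings.append("no active HTTP/HTTPS port: NWBC cannot reach the ABAP server")
        return findings
    if not any(o["PROT"].upper() == "HTTPS" for o in web.values()):
        findings.append("only plaintext HTTP is active; logon credentials cross the "
                        "network unencrypted")
    return findings


if __name__ == "__main__":
    found = parse_icm_ports(SAMPLE_PROFILE)
    for index, options in sorted(found.items()):
        print("icm/server_port_%d: %s" % (index, options))
    print(check_nwbc_ports(found) or ["OK: HTTP and HTTPS ports active"])
```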
In this way you can configure the HTTP or HTTPS settings in the ICM so that the shell and the ABAP server can communicate.
When you use variant configuration, one of the things you often need to do is set up sales order costing for your configuration. Surprisingly to me, sales order costing is NOT set up automatically for the TAC item category. So let me walk you through how to set this up (at least as far as I can take you). Like so many things, you'll need some input from your FICO expert to make sure all the settings are proper for their world.
Now, I'm going to start at the beginning, so you might be able to skip this step, but I'm going to assume you don't know which requirements class you need to update.
So, use this path in the IMG to find your requirements class based on your item category.
I'm going to show the standard item category TAC for a configurable material. You can simply substitute your own item category here.
Now, it's nice because you can see your requirements class at the bottom of this screen without backtracking to the requirements type screen.
Now we can get to the real work. We have to go to a slightly different spot in configuration to adjust these settings.
Using the requirements class we located earlier, we can go to its details.
All the work happens on this screen. Originally this screen was completely blank in standard SAP. What I've populated is the most standard configuration I've used in the past.
Costing: Setting this to X makes it required for sales order costing.
Costing ID: determines if you want automatic sales order costing (A) or automatic with marking (B).
Costing Method: (1) Product Costing, (2) unit costing
Costing Variant: PPC4 for sales order costing
CndTypLinItm: this is something optional, but it tells you where you can put the value within pricing if you wish to use it for margin or cost plus calculations
Acct Assignment Cat: M for Ind Cust wo KD-CO
Valuation: M Separate valuation with reference to Sales Document/Project.
Settlement Profile: SD1 – Sales Order Make to Order Production
The one field I skipped is the Settlement Profile. This one I always defer to my FICO person. I don’t even pretend to know which one of these to select.
Once you set this up, you should be good to go.
There's a report, AI_LMDB_EASY_SUPPORT, which collects status information about SLD/LMDB, synchronization, etc.
Run this report and check for warnings or error messages.
If this report is not yet available in your system, implement it via SAP Note 1752124.
The article below provides a step-by-step guide to converting a federated domain to a standard (managed) domain with the PowerShell cmdlets, and to reversing the federated authentication settings for the O365 accounts.
When you configure single sign-on, also known as identity federation, with O365, you convert an existing domain from standard authentication to federated authentication. Once you do this, users associated with the federated domain can no longer authenticate to O365 directly; they are redirected to AD FS.
You may have different reasons to convert your domain from federated authentication back to standard authentication. As you can see, there are a few simple steps to follow.
Log in to your AD FS server, open the Microsoft Online Services Module for Windows PowerShell, and enter the command that stores your credentials in the $cred variable (the Get-Credential cmdlet).
When you are prompted with a Windows PowerShell Credential Request, enter an admin user name and password.
Once the credentials are validated, enter the command below; it connects to Microsoft Online Services with the stored credentials.
Connect-MsolService -Credential $cred
In the next command, the placeholder <AD FS 2.0 server name> represents the name of the primary AD FS 2.0 server.
Set-MsolADFSContext -Computer <AD FS 2.0 server name>
It is time to convert your domain from federated to standard authentication, so enter the command below. It removes the Relying Party Trust information from the Office 365 authentication system federation service and from the on-premises AD FS 2.0 federation service. The -PasswordFile parameter gives the path of the text file into which the newly created temporary password of each formerly federated user's account is written. That file holds cleartext passwords, so restrict access to it and delete it once the users have been handled.
Convert-MsolDomainToStandard -DomainName <federated domain name> -SkipUserConversion:$true -PasswordFile c:\userpasswords.txt
That completes the conversion. In the steps below I will show you how to reset the authentication setting for the domain and for each user account so that they use standard authentication with O365.
Set-MSOLDomainAuthentication -Authentication Managed -DomainName <federated domain name>
For this demonstration I will take the user Susan Baker (directory synced) and run the command below.
For the string value, enter the user name as a UPN.
Convert-MsolFederatedUser -UserPrincipalName <string>
Once the conversion is done, this returns the user name and a temporary password as shown above. Now you can go to the Microsoft Online Portal, enter the converted user name and temporary password as shown below, and follow the remaining instructions in the screen previews.
In this section we will review how to troubleshoot common causes of mail flow problems when using the IIS SMTP relay option.
The first step is to verify that the IIS SMTP server can reach port 587 to create the required communication channel with the Exchange Online server. An additional parameter we need to check is that we use the correct host name for the Exchange Online server.
To verify these parameters, we can use the built-in Telnet tool.
Note – the Telnet tool is not installed by default. To install the Telnet client on Windows Server 2008, use Server Manager –> Features –> Telnet Client.
To test the communication channel to the Exchange Online server, open a command prompt on the IIS SMTP server and type the following:
telnet <Exchange Online host name> 587
In the following screenshot, we can see that the connection attempt failed.
The reasons could be either of the two parameters above: an outbound firewall rule that does not allow TCP 587, or a wrong host name.
After creating the required configuration, we run the Telnet command again. In the following screenshot we can see the Exchange Online banner in response to the connection attempt. (Telnet only proves the TCP connection; because port 587 requires STARTTLS before authentication, you cannot go on to log on or send from a plain Telnet session.)
Part of the security settings in IIS SMTP is a restricted list of hosts (the IP addresses of the internal hosts) that are allowed to relay mail through the IIS SMTP server.
In the following example we use the tool Basic SMTP Telnet Client to simulate relaying a mail message to the IIS SMTP server, using the debug option: Enable Step by Step Sending.
In the following screenshot, we can see that the error message returned by the IIS SMTP server says that the IP address of the host we are using is not configured in the allowed list on the IIS SMTP server.
3. Troubleshooting “Mail from” settings
In this section we will review how to troubleshoot errors related to the "send on behalf" permission that the IIS SMTP server needs in order to relay email messages from mail-enabled devices and applications.
If the IIS SMTP server does not have the required permission to send email on behalf of another email address, the message will be rejected by Exchange Online. Failed mail messages are kept by IIS SMTP in the Badmail folder (the default location of the IIS SMTP mail root is C:\inetpub\mailroot).
In the following example we simulate mail delivery from a sender named HelpDesk@o365info.com to a destination recipient named IsabelY@o365info.com.
When checking Isabel's mailbox, we notice that the mail was not delivered.
To find the cause of the problem, we can look at the IIS SMTP server's Badmail folder.
In the following screenshot, we can see that IIS SMTP creates three different files per failed message, which include information about the delivery process and the reason the delivery failed.
To read the delivery report, open the file with the *.BAD extension in a text editor such as Notepad.
In the text file, we can see the description of the error:
Diagnostic-Code: smtp;550 5.7.1 Client does not have permissions to send as this sender
This error means that the IIS SMTP user account we use to create the communication channel with Exchange Online does not have the required permission to send mail on behalf of the sender address used by the host that relayed the mail to the IIS SMTP server.
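Added example (not part of the original article): a Python parser that pulls the delivery-status fields out of a Badmail *.BAD file and maps the diagnostic text to the two causes discussed on this page (the Send As rejection above, and the relay restriction from the previous section). The sample file content is constructed for illustration; only the Diagnostic-Code line is the one quoted above.

```python
import re

# Constructed sample of the delivery-status part of a Badmail *.BAD file.
# Only the Diagnostic-Code line is taken from the article; the rest is illustrative.
SAMPLE_BAD = """\
From: postmaster@relay.o365info.com
To: HelpDesk@o365info.com
Subject: Delivery Status Notification (Failure)

Reporting-MTA: dns;relay.o365info.com
Final-Recipient: rfc822;IsabelY@o365info.com
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp;550 5.7.1 Client does not have permissions to send as this sender
"""

FIELD_RE = re.compile(r"^(Final-Recipient|Action|Status|Diagnostic-Code):\s*(.*)$", re.M)

# Causes described on this page, keyed on a substring of the server's reply text.
KNOWN_CAUSES = [
    ("send as this sender", "Exchange Online rejected the sender: grant the relay account "
                            "Send As on that address, or add the address as an alias"),
    ("unable to relay", "the sending host is not in the IIS SMTP relay restrictions list"),
]


def parse_bad_file(text):
    """Return the DSN fields plus the SMTP reply code/enhanced status split out."""
    fields = {key: value.strip() for key, value in FIELD_RE.findall(text)}
    diag = fields.get("Diagnostic-Code", "")
    match = re.match(r"smtp;\s*(\d{3})\s+(\d\.\d+\.\d+)\s*(.*)", diag, re.I)
    fields["reply_code"] = match.group(1) if match else None
    fields["enhanced_status"] = match.group(2) if match else fields.get("Status")
    fields["reply_text"] = match.group(3) if match else diag
    return fields


def diagnose(fields):
    """Map the parsed reply to a cause; unknown replies are reported, not guessed."""
    text = fields.get("reply_text", "").lower()
    for needle, cause in KNOWN_CAUSES:
        if needle in text:
            return cause
    code = fields.get("reply_code")
    if code and code.startswith("5"):
        return "permanent failure (%s): check credentials, smart host and relay rights" % code
    return "not a recognised failure; read the .BAD file by hand"


if __name__ == "__main__":
    parsed = parse_bad_file(SAMPLE_BAD)
    print(parsed["Final-Recipient"], parsed["reply_code"], parsed["enhanced_status"])
    print(diagnose(parsed))
```

Point the script at every *.BAD file in C:\inetpub\mailroot\Badmail to get a one-line cause per failed message instead of opening each file in Notepad.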
Test IIS SMTP Relay settings
In this section we will review how to test the IIS SMTP relay mail flow. One option is to try to send email from the LAN mail-enabled devices and applications, but if a problem prevents them from sending mail through the IIS SMTP server, it is hard to find the cause from their side.
The way I recommend is to use a nice free mail client tool named Basic SMTP Telnet Client, which lets us simulate the mail flow and, in case of problems, use the debug option (Enable Step by Step Sending) to get information about the specific cause.
In the following section, we will demonstrate how to test the IIS SMTP relay infrastructure using the Basic SMTP Telnet Client.
Note – before you start to use the Basic SMTP Telnet Client, verify that you have added the IP address of the host you run it from to the relay restrictions list on the IIS SMTP server.
Test 1: testing the ability of the IIS SMTP server to relay mail to an Office 365 recipient
In the Telnet properties tab we configure the settings required to communicate with the IIS SMTP server.
Telnet tab – click the Send button.
To verify that the mail message reached the destination recipient, log in to that mailbox and check whether the mail was accepted.
If the mail did not arrive, we can use the option Enable Step by Step Sending.
This option lets us verify each step of the send-mail process. We activate each step, such as EHLO, MAIL FROM and so on, and observe the result in the step window; the first step that returns a 4xx or 5xx reply points at the cause.
Test 2: testing the ability of the IIS SMTP server to relay mail to an Office 365 recipient "on behalf" (Send As permission) of a LAN mail-enabled device or application
If the first test completes successfully, we can continue with the second test, which simulates the scenario of LAN mail-enabled devices and applications relaying mail through the IIS SMTP server. The basic assumption is that we have completed all the settings that enable IIS SMTP to send mail on behalf of those devices and applications.
After creating the basic IIS SMTP relay settings, we still need to solve an additional issue: enabling the IIS SMTP relay to send mail on behalf of other email addresses.
For demonstration purposes, let's use the following scenario:
We want to enable two internal hosts to send email through the IIS SMTP server.
One host is a help desk application that uses the email address HelpDesk@o365info.com, and the other is a fax machine that uses the email address FaxService@o365info.com.
If these hosts try to relay mail through the IIS SMTP server, the messages will be rejected by the Exchange Online server because, by default, a recipient (in our example John@o365info.com) cannot send email on behalf of other recipients (in our example FaxService@o365info.com and HelpDesk@o365info.com).
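Added example (not part of the original article): the step-by-step dialogue that the Basic SMTP Telnet Client drives in Tests 1 and 2, written as a Python client that sends the SMTP commands one at a time and stops at the first reply that is not the expected one, so the failing step is visible. A relay restriction shows up immediately as a 550 at RCPT TO; a Send As rejection by Exchange Online happens later, after the relay has already accepted and queued the message, so it appears in Badmail rather than in this trace. The scripted server replies are constructed; ScriptedServer and SocketTransport are names chosen here, and the live run needs the real IIS SMTP host name and a source address on the relay list.

```python
import socket

# Constructed test message, sent "as" the fax device from Test 2.
MSG = ("From: FaxService@o365info.com\r\n"
       "To: IsabelY@o365info.com\r\n"
       "Subject: relay test\r\n\r\n"
       "Test message relayed through IIS SMTP.\r\n")


class ScriptedServer:
    """Stand-in for the IIS SMTP server: answers with a fixed list of reply lines."""
    def __init__(self, replies):
        self.replies = list(replies)
        self.sent = []              # every command the client issued, for inspection

    def send(self, data):
        self.sent.append(data)

    def readline(self):
        return self.replies.pop(0)


class SocketTransport:
    """Real transport for a live run against the IIS SMTP relay (LAN side, port 25)."""
    def __init__(self, host, port=25, timeout=10):
        self.sock = socket.create_connection((host, port), timeout)
        self.reader = self.sock.makefile("r", encoding="ascii", newline="\r\n")

    def send(self, data):
        self.sock.sendall(data.encode("ascii"))

    def readline(self):
        return self.reader.readline().rstrip("\r\n")


def read_reply(transport):
    """Read one SMTP reply, including multi-line '250-' continuations; return (code, lines)."""
    lines = []
    while True:
        line = transport.readline()
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            break
    return int(lines[-1][:3]), lines


def step_by_step_send(transport, helo_name, mail_from, rcpt_to, message):
    """Run the SMTP dialogue one step at a time.

    Returns a trace of (step, reply code, last reply line). The dialogue stops at the
    first step whose reply code differs from the expected one: that is the step to debug.
    """
    if not message.endswith("\r\n"):
        message += "\r\n"
    body = message.replace("\r\n.", "\r\n..") + ".\r\n"   # dot-stuffing plus terminator
    trace = []
    code, lines = read_reply(transport)
    trace.append(("BANNER", code, lines[-1]))
    if code != 220:
        return trace
    steps = [
        ("EHLO", "EHLO %s\r\n" % helo_name, 250),
        ("MAIL FROM", "MAIL FROM:<%s>\r\n" % mail_from, 250),
        ("RCPT TO", "RCPT TO:<%s>\r\n" % rcpt_to, 250),
        ("DATA", "DATA\r\n", 354),
        ("BODY", body, 250),
        ("QUIT", "QUIT\r\n", 221),
    ]
    for name, command, expected in steps:
        transport.send(command)
        code, lines = read_reply(transport)
        trace.append((name, code, lines[-1]))
        if code != expected:
            transport.send("QUIT\r\n")       # leave the session cleanly after a failure
            break
    return trace


if __name__ == "__main__":
    import sys
    # Live run: python relaytest.py <iis-smtp-host>, from a host on the relay list.
    relay = SocketTransport(sys.argv[1])
    for step, code, text in step_by_step_send(relay, "fax-device", "FaxService@o365info.com",
                                              "IsabelY@o365info.com", MSG):
        print("%-9s %s %s" % (step, code, text))
```

Run it from the help desk workstation and then from a host that is not on the relay list: the first trace ends with QUIT/221, the second stops at RCPT TO with the IIS relay rejection.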
The good news is that we don't need to create a user account and mailbox to represent each host that relays mail through the IIS SMTP server.
To enable the IIS SMTP server to send email for these hosts, we can choose one of the following solutions:
1. Using a distribution group and assigning Send As permission
This solution is based on creating a distribution group for each host that needs to relay email through the IIS SMTP server. The group is created as a security group (a mail-enabled security/distribution group). The next step is to assign Send As permission to the recipient that the IIS SMTP server uses for authentication (in our example John@o365info.com). The Send As permission can be assigned through the web interface or with a PowerShell command.
Assign Send As permission using the Office 365 management web interface
1. Log in to the Office 365 portal; in the Admin menu choose the option Exchange.
2. In the Exchange admin center choose the recipients menu –> groups.
Click the Add option and choose Security group.
3. In our example, we will name the new security/distribution group FaxService.
4. Double-click the name of the new security/distribution group (FaxService) and choose the menu group delegation.
Click the add option and add the recipient that we use for the IIS SMTP credentials (in our example John).
We will need to repeat this procedure for each LAN host that needs to relay email through the IIS SMTP server.
Assign Send As permission using a PowerShell command
Assign Send As permission for a mailbox or distribution group (run from a remote PowerShell session connected to Exchange Online):
PowerShell command syntax:
Add-RecipientPermission <User/Distribution Group> -AccessRights SendAs -Trustee <User>
Add-RecipientPermission FaxService -AccessRights SendAs -Trustee John
2. Add an additional email address (alias)
An additional option we can use (instead of the security/distribution group solution) is to add the email address used by the LAN mail-enabled device or application as an additional email address (alias) of the recipient that the IIS SMTP server authenticates as.
In our example, we will add two additional email addresses to the recipient named John.
1. Log in to the Office 365 portal; in the Admin menu choose the option Exchange.
2. In the Exchange admin center choose the recipients menu –> mailboxes.
Choose the recipient that is used by the IIS SMTP server (in our example John).
3. Open the mailbox and click the add option.
In the mailbox properties choose the option Email address.
In our example, we add two additional email addresses (aliases) to John's mailbox: FaxService@o365info.com and HelpDesk@o365info.com. Note that with this approach replies to those aliases land in John's mailbox, whereas with the group approach they reach the group's members.
Article based on www.o365info.com
In the following section we review all of the settings and prerequisites we need to implement to use IIS SMTP as a mail relay server.
SMTP relay prerequisites
1. IIS SMTP user credentials
The credentials that IIS SMTP uses to communicate with Exchange Online can be those of any Office 365 user who has a license for an Exchange Online mailbox. There is no need to purchase a dedicated license for this purpose. The only issue we should consider regarding the recipient name (the Office 365 user we use to authenticate to the Exchange Online server) is that, by default, every message relayed to Exchange Online will carry this recipient name in the From field. For example, if we configure the IIS SMTP server with the credentials of an Office 365 user named John, every message sent from a LAN mail-enabled device or application to another Office 365 recipient will be displayed at the destination as a message sent by John. Treat this account as a service account: give it a strong password, do not reuse a real person's mailbox, and remember that its password is stored on the IIS server in the SMTP virtual server's outbound security settings.
Later on, we will review the scenario in which the LAN mail-enabled devices and applications use different mail addresses, and how to enable IIS SMTP to send email on behalf of those hosts.
2. Firewall settings
To enable the IIS SMTP server to create a communication channel to Exchange Online, we need to create an outbound rule in the organization firewall that allows the IIS SMTP server to reach TCP port 587 (SMTP submission with STARTTLS).
3. Exchange Online server host name
The IIS SMTP server needs to know the host name of the Exchange Online server that will accept mail for the Office 365 recipients.
To find the required Exchange Online server name, follow these instructions:
1. Log on to the Office 365 portal with the user credentials that will be used by the IIS SMTP server (in our example the user named John).
2. In the top menu choose Outlook.
3. Under the user name, choose Options –> See All Options.
4. In the Account section, click the link named "Settings for POP, IMAP, and SMTP access".
In the window that appears, look for the section SMTP setting.
Here you can find the Exchange Online server name (in our example pod51014.outlook.com), and we can also see that TLS is mandatory (port 587).
Office 365 preview
If you migrated your Office 365 subscription to the new Office 365 (at the time of writing described as Office 365 preview), the SMTP server name to use is smtp.outlook.office365.com. The name shown in the POP/IMAP/SMTP settings page of your own tenant is authoritative, so check it there rather than relying on a name from an older article.
In the following section we demonstrate how to install the IIS SMTP server on a Windows Server 2008 machine.
Step 1: install the IIS server role
Step 2: IIS SMTP service
By default the IIS SMTP service is not started and its startup type is Manual; set it to Automatic so the relay survives a reboot.
Step 3: IIS SMTP server MMC
The management console for the IIS SMTP service is Internet Information Services (IIS) 6.0 Manager
(there is no option to manage IIS SMTP from the standard IIS 7 management console).
You can find IIS 6.0 Manager under Administrative Tools -> Internet Information Services (IIS) 6.0 Manager.
In the following section we review all of the settings required to configure the IIS SMTP server as an SMTP relay.
1. IIS SMTP relay "LAN interface"
The first part covers the settings for the interface, or "IIS leg", that serves the LAN hosts (mail-enabled devices and applications).
Open the IIS SMTP management console, right-click
[SMTP Virtual Server #1] and choose Properties.
Access tab – Authentication
Select the Access tab -> Authentication.
In the Authentication window select the option Anonymous access (the mail-enabled devices and applications do not need to authenticate). Anonymous access is acceptable only because the relay restrictions below limit who can relay by source IP; on a server with more than one network interface, also bind the SMTP virtual server to the LAN address only (General tab, IP address) so the unauthenticated listener is not exposed to the Internet.
Access tab – Relay
In our example we have two hosts that need to send mail to the IIS SMTP server:
a help desk application installed on a workstation with the IP address 10.100.102.2,
and a fax device that uses the IP address 10.100.102.3.
To enable these hosts to send (relay) mail through the IIS SMTP server, we need to add their IP addresses to the allowed list.
Select the Access tab -> Relay.
In the Relay Restrictions window, add the IP addresses of the mail-enabled devices and applications that will relay mail through the IIS SMTP server.
Note – make sure that you enter only the IP addresses of the mail-enabled devices and applications that you trust, and add single addresses rather than whole subnets. This setting lets mail coming from these sources be relayed to any destination, so for those hosts the IIS server is effectively an open relay: anything that can spoof or take over one of those addresses can send mail as your tenant.
2. IIS SMTP relay "Exchange Online interface"
In this section we create the settings that enable the IIS SMTP server to relay mail messages to the Exchange Online server.
The Delivery tab is used to configure the IIS SMTP "interface" that communicates with the Exchange Online server.
Delivery tab – Outbound Security
Select the Delivery tab -> Outbound Security.
In the Outbound Security window select the option Basic Authentication.
We need to provide the credentials of an Office 365 user who has an Exchange Online mailbox. In our example, we use the credentials of the user John@o365info.com.
Still in the Delivery tab -> Outbound Security window,
select the option TLS encryption
(to create a secure communication channel to Exchange Online). Do not leave this unticked: Basic Authentication sends the user name and password in the clear unless the session is protected by TLS, and Exchange Online does not accept the logon on port 587 without STARTTLS.
Delivery tab – TCP port
Select the Delivery tab -> Outbound connections.
The TCP port we use to communicate with Exchange Online is 587.
(Verify that the organization firewall has the outbound rule that allows the IIS SMTP server to use this port.)
Delivery tab – Advanced
Select the Delivery tab -> Advanced.
In the Smart host text box, enter the Exchange Online server name.
The Fully-qualified domain name field is not mandatory. You can enter the FQDN of the IIS SMTP server; it is the name announced in EHLO.