Sophos XG Site-to-Site VPN with Other FW Failed

Seems the method of using certificate-based connection won’t work with non-Sophos firewall.
I had to switch to shared-phrase in order to make it work.
Not sure if that problem is due to old firmware/device on the other side or is it compliance issue.

However, I had to go on the VPN settings on both firewalls and make sure all settings at both sides are exactly the same.
Finally, I decided to switch back to pre-shared key instead of the certificate-based authentication between the two appliances.
The moment I set the key on the initiator, the tunle immediatly came up.

HTH some1,,,

Cisco VoIP Troubleshooting

Thanks to

These are commands listed here for my own reference so I can find it easily. Bolded are the ones I used and found useful.

debug ccsip calls
debug ccsip all
debug voice ccapi inout
debug voip ccapi inout – (great for dialpeer selection, ani, dest #, dest pattern)
debug voice dialpeer – (matching process, not good for seeing final selection)
debug ccsip messages
show voice call summ
sh call active voice – Call quality
sh call active voice stats – Call quality detailed output detail explaination
show call active voice compact
show call active voice brief – (great for dialpeer selection, codec, IP, port, ani, dest #)
sh voip rtp connections
show rtpspi statistics – Jitter and latency
show dial-peer voice summary – (dest. pattern and target server)
sh dialplan number <number> – (great for checking dialpeer functionality)
show dial-peer voice busy-trigger-counter – (shows dial-peer current usage)
sh sip calls called-number 15556661234
sh sip calls calling-number 5556661234
show sip-ua calls – Same as sh sip calls, but, comprehensive
show call history voice compact
sh sccp connections (summary) – (sessions of conf, transcoding, endpoints etc.)
show voip rtp connections – (IP addresses of both legs of RTP stream)
show udp | i <phone IP> – (IP and ports of CUBE–phone rtp stream)
sh call threshold (stats | config) – Show incoming call threshold and num. of current calls

show sip-ua calls br (Vz IP address and number of calls)
show sip-ua calls summary (number of calls)
show sip-ua connections udp detail (SIP agent connections and ports)

debug voice ccapi inout
debug voice dialpeer
debug isdn q931
debug voip ccapi inout
debug h245 asn1 (dtmf)
debug voip rtp session named-event (dtmf)
debug voice rtp session named-event (dtmf)
debug voip vtsp session – (show mid-call dtmf being pressed)
show voice call summ
sh voice call status
show call active voice compact
sh dialplan number 5556661234 – (dial-peer, media info, other juicy stuff)
sh sccp connections (summary) – (sessions of conf, transcoding, etc.)
sh voice port 0/0/0:23 – (gain settings, echo settings, etc.)
sh voice port summary – shows all isdn and fxo ports and status

DSP Resources
show dspf dsp all
show dspf dsp active
sh sccp connections – Shows resources used (mtp, xcode)
show dspfarm profile
sh dspfarm all – shows dsp resources configured
sh voice dsp
show platform led – (look for PVDM led color)
sh voice dsp capabilities slot 0 – CUBE – hardware capabilites

Exchange DAG Database Offline Copy

This is mainly about copying large database to remote site with limited WAN bandwidth. Typically this is needed when an organization require DR site for Exchange but the number of users and/or changes on Exchange environment are relativly small.
For instance, an organization with (1,000+) mailboxes has a (35) Mbps WAN link to one of their offices. However, they can only allocate (18) Mbps for Exchange replication. Although daily changes usually do not exceed (25) GB, which is okay with such WAN link, the initial seeding of the databases (2+) TB cannot be done over WAN link.

I have done this several times in the past few years, but recently while I was doing it for one of our clients I noticed there was no refernce for it on the net. I found something for Exchange 2010 which is close to the procedure I’m having here, but I believe the followin steps are more accurate.

The last time this is applied was on Windows Server 2016 Standard and Exchange 2016 Standard. Yet it was tested with Windows Server 2008R2, 2012, 2012R2, and 2016 along with Exchange Server 2013 and 2016 both Standard and Enterprise editions.

The procedure basically must done within limited timeframe, and it cannot be done when servers on primary site have limited disk space and rely mainly on backup to keep free space.
During the process, the backup appliction will not be able to reset any logs until the new copy at DR site is up and running by getting into sync and healthy status for all databases.
Please make sure to read the full procedure then setup your plan accordingly.

1. DAG already extended and the server at DR site is joined.
2. No database copies on DR site created yet.
3. Have external storage attached, ready, and accessible from database owner(s).
4. Schedule and announce downtime.
It is important to calculate the size of databases and amount of time it needs to be copied to external storage.
5. Initiate backup to reset logs, or easier, run following procedure directly before you start execution

a. Add database copies to the DR server using PowerShell preventing seeding of data

Add-MailboxDatabaseCopy -SeedingPostponed -MailboxServer ExchMBX-DR -Identity ExchDatabaseName

This will create the database folders on DR server without contents.
Repeat the above command for all databases, but only for one server at DR.
Do NOT create copy on other servers at DR.
b. Dismount the databases on owner servers. Dismount each database on its own server.
c. Copy databases and logs from owner server(s) to the external storage.
You may need to stop “Information Store” service to get proper access to all files.
d. Start “Information Sotre” service if you have stopped it, then mount databases back.
e. Ship the external storage to DR site, connect and access it from Exchange server.
f. Stop “Information Store” service on DR server.
g. Copy data from external storage to respective path for each database.
h. Start ” Information Store” service.
i. Run powershell command to resume and copy delta logs from main site

Resume-MailboxDatabaseCopy ExchDatabaseName\ExchMBX-DR

Repeat the above command for all databases in DR.
j. Be patient and keep monitoring the status until it get healthy.
k. Run backup again and verify if logs are being reset.

تقييم لتجربة كاميرا السيارة من سوق

تحية طيبة،

قمت بشراء KKmoon 1080P Car DVR Dash Cam Three Lens Camera Camcorder من سوق مؤخراً مع شريحة ذاكرة (64) جيجا، وأدون هنا الملاحظات التفصيلية للتجربة العملية حيث أن موقع سوق لا يتيح المجال لكتابة العدد اللازم من الكلمات.

بدايةً المعلومات على موقع سوق أكثر دقة من المعلومات التي تأتي على علبة المنتج. يحتوي الجهاز على ثلاث كاميرات، اثنتان جزء من الجهاز نفسه -أمامية وداخلية- وواحدة منفصلة -خلفية- مع سلك بطول أكثر من كاف لتصل إلى آخر السيارة، حيث يمكن تركيبها قرب الزجاج الخلفي. دقة التصوير ممتازة للكاميراتين الأمامية والداخلية لكنها أقل من المتوسط بالنسبة للكاميرا الخلفية والتي يتم تثبيتها بواسطة برغيين يأتيان ضمن العلبة. الكاميرا الأمامية مزودة بعدسة ذات زاوية عريضة، أما الأخريتين فليستا كذلك، وكان من الأفضل تزويد الكاميرا الأمامية والداخلية بعدسات عين السمكة.

تركيب المنتج سهل نسبياً لكن قد تحتاج فني/كهربائي لإخفاء الأسلاك وتمديدها بشكل ملائم، كما أنك ستحتاج الفني في حال أحببت أن يبقى الجهاز يعمل خلال توقف السيارة، لتوصيل الكهرباء من المصدر مباشرة. حيث أن الكاميرا تحوي بطارية لكنها صغيرة نسبياً، أعتقد أنها كذلك لتخفيف الوزن على الحامل، وهو بالمناسبة من النوع اللذي يتم إلصاقه على الزجاج بتفريغ الهواء. كذلك المسافة بين الزجاج والجهاز مزعجة قليلاً حيث لم أستطع تثبيتها خلف المرآة.

لا يوجد واجهة عربية للمنتج لكن الإعدادات بسيطة بشكل عام حيث يمكن التحكم بعدد من الخواص وسأذكر هنا بعضها، مع العلم أن الإعدادات عامة ولا يمكن وضع إعدادات خاصة بإحدى الكاميرات بشكل منفصل.
1. ملفات التسجيل
يتم تسجيل الملفات لكل كاميرا في مجلد منفصل على شريحة الذاكرة
ويمكن تحديد أن يكون طول كل ملف (1) دقيقة أو (3) دقائق أو (5) دقائق والوضع الإفتراضي هو عدم التقسيم.
الأفضل تركه على دقيقة واحدة لأن الجهاز يحجز مساحة الوقت كاملة حتى لولم يتم استخدامها، وللدقيقة الواحدة يستهلك تقريباً (63) ميجا للكاميرا الأمامية و(32) ميجا للكاميرتين الخلفية والداخلية.
2. تسجيل الصوت
يوجد مايكروفون في الجهاز يسمح بتسجيل الصوت المسموع داخل المركبة بشكل مقبول إلى حد كبير، وهذا الخيار يكون متوقفاً في الإعدادات الافتراضية
3. التسجيل مع الحركة
كما هو واضح من الاسم، فالجهاز يسجل بناءً على تغير ملحوظ في الصورة، لكن هذه الميزة لا تعمل مع الكاميرا الداخلية
4. التسجيل بسبب الاهتزاز
وهي خاصية تسمح بتسجيل آخر بضع دقائق مع وضع علامة لمنع إعادة التسجيل عليها وتستخدم عادة لحفظ ما حصل عند وقوع حادثة لا سمح الله.
يوجد ثلاث مستويات للحساس، ونصيحتي الشخصية استخدام المستوى الأول، لأن المستويين الأعلى يبدآن التسجيل لأي اهتزاز حتى لو دفعت المركبة بيدك.
5. التباين (contrast)
التصوير الليلي أقل من المتوقع والأجسام/اللوحات المضيئة لا يمكن قراءتها، إن كانت التفاصيل مهمة أقترح رفع مستوى التباين.

هنا بعض المقاطع التي تم تسجيلها
مقطع نهاري مع الصوت للكاميرا الأمامية
مقطع ليلي للكاميرا الأمامية
مقطع نهاري مع الصوت للكاميرا الداخلية
مقطع نهاري للكاميرا الخلفية
التصوير الليلي للكاميراتين الداخلية والخلفية غير مرئي لذلك لم أرفعه.
ملاحظة: تم تثبيت الكاميرا الخلفية بشكل مؤقت من الداخل على زجاج مظلل، أعتقد أن الصورة قد تكون أوضح إن تم تركيبها خارج السيارة أو على زجاج غير مظلل.

الخلاصة: مقارنة بالمتوفر من المنافسين يعد هذا الجهاز خيار جيد بسعر معقول جداً، وأنصح بشدة بشراء ذاكرة لا تقل عن (64) جيجا.

سأعدل في هذا الموضوع في حال توفر المزيد من المعلومات.
شكراً لمروركم،

ADFS With Sophos XG Firewall

It’s basically simple process.
You may even use the Exchange ready-made firewall publishing policy as base for this one.
This is for SFOS 17.X

So, let’ move on:

1.      I assume you already have the SSL certificate installed properly on the XG box.

2.      Need to add the ADFS server to have a name under "Hosts andServices"

3.      Create new "Web Server" entry and use the host you added in step 1

4.      Create new protection policy with these settings:

a.       Set “Mode” to “Monitor”. You may use “Reject” if you’re concerned.

b.      Enable “Block clients with bad reputation”.

c.       Enable “Common threat filter”.

5.      Create new business rule with these settings:

a.       Hosted address “#Port2” assuming it’s the WAN port.

b.      Enable “HTTPS”.

c.       Select the SSL certificate, and add the URL under “Domains”.
For example “”.

d.      Under “protected server(s)” select the ADFS server.

e.       Select the “Any IPv4” under “Access permission”.

f.        Select the protection policy you’ve created on step 4.

g.      Select the intrusion prevention policy if you like to.

h.      Enable "Pass host header"

Microsoft Teams Starts with White Page

If you search for this issue, you’ll find many results on the net regarding different reasons.

But, if you didn’t get into a result solving your case, you may need to check your user profile. If it’s not located on the default location or moved like I did in this article you’ll end up with above issue.

You can check this for more details.

However, a workaround can be done by logging to another account that has the profile done properly, then copy the Teams folder from %userprofile%\AppData\Local\Microsoft to another location and create a shortcut for the Teams.exe file.
Although this will solve the startup issue as well as most of the functions, it won’t solve the download issue. Because the download folder is part of the profile.
So, you’ll need to right-click Downloads folder, select properties, and finally redirect the file location to the exact current location instead of using Symlink.

HTH some1,

Move Single User Profile to Another Location Manually


There seems to be lack of such details on the Internet. All articles I came across were manipulating Windows registry in order to redirect the location of “C:\Users” folder.

Only this article mentioned the solution I wanted

Now, basically as it suggested, create a symbolic link of the folder. If you don’t know about symbolic links, please google it.
You’ll need to perform the following steps from another administrator account on the same computer, and make sure the targeted user is signed out, or even better you have fresh OS boot before you start these steps.

So first step is to create a new folder in the new location/path and assign the right permissions (usually full control for the profile owner, the system, and the local administrators group).

Second step, move all contents from old location to the new location. Probably you will not be able to move the symbolic links inside the profile’s folder. Don’t worry, we will re-create them.

Third step, rename the old profile folder (something like MyAccount ==> MyAccount.old).

Fourth step, create link to new location using the old name. To do that, open command line in elevated mode (click on start, type “cmd”, right click on “Command Prompt”, select “Run As Administrator”) and then execute the following command:
mklink /D “Name of old folder” “Full or relative path to new location and folder”
mklink /D “MyAccount” “E:\Encrypted Folder\MyNewProfileFolder”

Now, what is remaining is the symbolic links inside the profile by navigating to the new location, then execute the following commands based on path

Under Documents folder:
mklink /J “My Music” E:\Encrypted Folder\MyNewProfileFolder\Music
mklink /J “My Pictures” E:\Encrypted Folder\MyNewProfileFolder\Pictures
mklink /J “My Videos” E:\Encrypted Folder\MyNewProfileFolder\Videos

Under profile folder root:
mklink /J “Application Data” “E:\Encrypted Folder\MyNewProfileFolder\AppData\Roaming”
mklink /J “Cookies” “E:\Encrypted Folder\MyNewProfileFolder\AppData\Local\Microsoft\Windows\INetCookies”
mklink /J “Local Settings” “E:\Encrypted Folder\MyNewProfileFolder\AppData\Local”
mklink /J “My Documents” “E:\Encrypted Folder\MyNewProfileFolder\Documents”
mklink /J “NetHood” “E:\Encrypted Folder\MyNewProfileFolder\AppData\Roaming\Microsoft\Windows\Network Shortcuts”
mklink /J “PrintHood” “E:\Encrypted Folder\MyNewProfileFolder\AppData\Roaming\Microsoft\Windows\Printer Shortcuts”
mklink /J “Recent” “E:\Encrypted Folder\MyNewProfileFolder\AppData\Roaming\Microsoft\Windows\Recent”
mklink /J “SendTo” “E:\Encrypted Folder\MyNewProfileFolder\AppData\Roaming\Microsoft\Windows\SendTo”
mklink /J “Start Menu” “E:\Encrypted Folder\MyNewProfileFolder\AppData\Roaming\Microsoft\Windows\Start Menu”
mklink /J “Templates” “E:\Encrypted Folder\MyNewProfileFolder\AppData\Roaming\Microsoft\Windows\Templates”

Of course, you need to replace values as need on your computer.

Recover DC with Only System State Backup

Have you ever had to restore an Active Directory Domain Controller from scratch with only System State backup?

If so, and you already looked over the Internet, probably no direct results mentioned that procedure, basically due to it’s simplicity.

Indeed simple procedure. Starts by building (format and install Windows OS) the server and install all the updates to match the same version and edition used on the original DC.

Enable all features and roles needed and were on the original DC, but do not configure any of it.

Isolate the server, you may use an isolated port or simply change the IP address to something not in that subnet, to avoid conflicts and service interruption.

Promote to domain controller as new domain in new forest. Better to use the original names of DC and domain.

Reboot to DSRM, and login.

Start the system state restore process.

Once done and rebooted, check the event log for any critical / serious messages. If not exist, then you can connect to the network and resync with other domain controllers.

I’ve successfully applied this on Windows 2012R2 and will soon test it again with 2016 and 2019 servers.

However, I still strongly recommend you have the bare metal backup, and perform restore testing every six months.


Tips for Me on Cisco Voice IOS


I wrote this basically for my own remembering:

1. show call leg active / sh call leg act sum

Helps find active calls running on the voice gateway live.

2. sh call leg act | in Port

Helps filter which ports are being used in case I need to follow it with “shut/no shut” to reset hang ports.

3. csim start <number_to_dial>

Initiate a call from the voice gateway to the number.
Very helpful in troubleshooting voice routes.

4. debug voice ccapi inout / debug cch323 all / debug ip tcp transaction

Along with “csim” and “terminal monitor” it can provide great tool.

5. Check TCP ports on CUCM

As simple as “telnet <ip_address> 1720 / 1719 / 2000 / 2001” can help pointing a communications issue.


Exchange Comulative Update Failure


During Exchange 2016 or Exchange 2013 server from one CU to another, you may run into strange set of errors.

Funny though, when you track those errors down you will probably end up removing OS patches and updates that actually needed and, even worse, that will not solve your issue.

I’m talkiing about tons of erros directly after the registry entries in the log file, something like:
Process execution failed with exit code 1072

Will, in my case, I had to do three things:

1. Re-confirm Schema, Forest, and Domain preparation is done using the “Setup” file from the CU I’m installing.
2. Un-install backup agent that is integrated with Exchange (in my case it was Veeam).
3. Run the setup time after time till it successfully completed. One server required (5) times, the other needed only (3).

Don’t forget to re-install the backup agent.

HTH some1