KDCAD Tech Blog

My brain is full, so I’m offloading here…


Archive for the ‘Networking’ Category

I recently jumped ship from my ATT Fuze to the iPhone – in reality it was a jump from the Windows Mobile OS to the iPhone OS. All my reasons for the change are worthy of a few standalone blog posts, but in brief I was looking to simplify my life and the iPhone fit the bill. That being said, I do have needs. I need my cell phone to do a little more than just make calls – including handle Exchange email, POP and IMAP email, browse the web, provide remote access to the servers at work, and act as a modem on the road. The ATT version iPhone does all of this EXCEPT the last. ATT iPhones do not offer tethering and that’s a deal breaker for me, so I turned to the internet and jailbreaking.

Easier said than done of course. It seems I had the perfect storm of issues to prevent me from getting a clean break. But I pulled info from several different sites and finally got it working beautifully. Since it was such a pain to get through it all, I thought I’d pull it all together here. Note that I cannot guarantee this will work on the 3G or the iPod Touch. I should also note this is not a sanctioned activity by Apple and if you screw it up they will not help you. Additionally, if you screw it up, I will not help you either.

First my system specs:

  • Windows 7 64-bit
  • HP EliteBook 8530w
  • iTunes 9.0.2.25
  • iPhone 3GS

Now the steps…

Preparation (with iPhone NOT attached to computer):

  1. Make sure you have a complete sync/backup of your phone (if you care about keeping any of it) using iTunes.
  2. Download the latest clean Apple firmware from here: iphone3gs3. This is just in case it all goes wrong and you need to recover your phone. To use it, hold the shift key while clicking the Restore button in iTunes. This will prompt you to pick a file.
  3. Download the latest version of Blackra1n from here: blackra1n.com and place it in the root of your C: drive.
  4. Change the properties of the blackra1n.exe to be compatible with Windows XP SP2 and check the box to run as administrator.
  5. In iTunes, turn off automatic syncing.
  6. Now close iTunes and go to the Task Manager and end the iPodService.exe and the iTunesHelper.exe processes.
  7. Now attach the iPhone to the computer via USB. iTunes should NOT fire up.
  8. Watch this YouTube Video several times:

Jailbreaking:

  1. Following the instructions in the video above, run Blackra1n.exe, holding down the power and home buttons, releasing them as instructed. THIS IS THE KEY – IF YOU READ THIS and wonder what I’m talking about WATCH THE VIDEO AGAIN.
  2. Trusting that you followed the steps correctly, Blackra1n should be installed on your iPhone. Find the app and run it.
  3. Install SNOW to unlock the phone.
  4. Your phone is now jailbroken and ready to be modified for tethering.

Tethering:

  1. In Safari on the iPhone, go to http://tr.im/oS1h and scroll down to the Mobileconfigs section.
  2. Download Mobileconfigs, select your country, and then your carrier. The message reads: “IMPORTANT: The authenticity of “US AT&T” cannot be verified. Installing this profile will change settings on your iPhone.” Changing settings is exactly what we’re trying to do. Confirm with “Install Now”.
  3. NOW, on the iPhone go to Settings>>General>>Network and you will see a new option for Internet Tethering.
  4. Turn that on and you are done!

Earlier I posted my steps for getting the Watchguard SSL VPN Client to work on Vista Business x64. Now we have a few test users upgraded to Windows 7 Professional 64-bit and once again SSL VPN is a problem child. Actually, that’s a little unfair – the problems with installation are a result of Microsoft’s increased "security measures" in Win7. As you might guess, this article outlines and advocates disabling some of these measures, so think about it before you try it. And if you do try it, be sure to go all the way to the bottom of the article to see some of the other "fixes" you need to do. (**UPDATED 11/25/09 – check it out…)

For the most part, the steps are the same as those required for Vista. You need the latest RC release of OpenVPN (currently 2.1 RC 20), and you need to NOT install the Tap driver that comes with the WG SSL VPN. What changes in the process are the settings you need to change in Windows 7 because the OpenVPN Tap driver is not digitally signed. Windows 7 x64, by default, does not allow the installation of unsigned drivers. Now, there are a couple of ways to disable this limitation – one is provided by MS at boot time, another is more "permanent" and is the one I chose. Here we go:

  1. Turn off User Account Control: From the Start Menu type "UAC Control" in the search bar and select "Change User Account Control settings". Take the slider to the bottom, click OK, and then restart your computer.
  2. Disable Driver Signing: Once you are back in, from the Start Menu, select All Programs, then Accessories. Right click on the Command Prompt and select ‘Run as administrator’. At the command prompt, type the following and reboot your computer afterward:

    bcdedit.exe -set loadoptions DDISABLE_INTEGRITY_CHECKS
    bcdedit.exe -set TESTSIGNING ON

  3. Install the OpenVPN Tap Driver: If you haven’t already, download the latest OpenVPN from here: http://www.openvpn.net/index.php/open-source/downloads.html (currently 2.1_RC20). Run the installer as Administrator (by right clicking the OpenVPN executable and selecting "Run as administrator"), but UNCHECK all items except the Tap Driver and complete the installation. Note: I rebooted here, but you may not need to.
  4. Install the Watchguard SSL VPN Client: Download and run the SSL VPN installer (as administrator).

At this point, it should work. You can go back and turn UAC back on if you need to, and while I think it’s a complete pain in the butt, I have to recommend that you do. Leaving it off can cause unexpected problems with other programs (such as GotoAssist Express, which is a service I used to use but will be ditching as soon as the contract is up).

If you are still having problems connecting, here are some other tips based on my experience. These are in no particular order:

  • Turn off Windows Firewall completely and reboot. With version 10.2.9 of the SSL VPN client, you still need access to port 4100 and 443.
  • If you already tried to install the Tap driver without first disabling the driver signing, Windows will permanently tag it as having an unsigned driver. So you need to open the Device Manager, look under Network Adapters, uninstall the Tap driver, and reboot. If you have disabled the driver signing, go ahead and reinstall the OpenVPN Tap driver.
  • If you don’t want to permanently disable driver signing, you can TRY temporarily disabling it by pressing F8 at boot time (like you are booting to Safe Mode) and selecting ‘Disable Driver Signing Enforcement’. **UPDATE 11/25/09** I had a few opportunities recently to try this one and it works like a charm. So if you just have to install the VPN client on someone else’s computer, this method is the quickest.

Once you have all that squared away, you may notice that you have a watermark in the lower left of your screen stating "Test Mode Windows 7 Build 7600". Since you have turned off Driver Signing, Windows has decided you are obviously in some temporary "test mode". To rid yourself of the watermark, go HERE to download the RemoveWatermark patch.

Since I wrote this article originally, I found this website which offers more information on bypassing Driver Signing and links to some cool free tools for managing it on the fly. Swing by and take a look.

Good luck and feel free to log into the Watchguard forums and request that they fix this!
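An added example, not part of the original post: a read-only PowerShell check that reports which of the protections touched above (test signing and load options in the boot configuration, UAC, Windows Firewall) are still switched off, so they can be put back once the VPN client works. It assumes an elevated prompt and English-language bcdedit and netsh output; the function names are illustrative.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# Assumes English-language bcdedit/netsh output; written to run on PowerShell 2.0 (Windows 7).

function Get-BcdElement {
    param([string[]]$BcdText, [string]$Name)
    # bcdedit prints one "name   value" pair per line; $null means the element is not set.
    foreach ($line in $BcdText) {
        if ($line -match ('^\s*' + [regex]::Escape($Name) + '\s+(.+)$')) {
            return $Matches[1].Trim()
        }
    }
    return $null
}

function Get-WeakenedSettings {
    $findings = @()

    # Step 2: boot options that relax kernel-mode code signing.
    $bcd = & bcdedit.exe /enum '{current}'
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed; is this prompt elevated?' }
    $testSigning = Get-BcdElement $bcd 'testsigning'
    $loadOptions = Get-BcdElement $bcd 'loadoptions'
    if ($testSigning -eq 'Yes') {
        $findings += 'TESTSIGNING is ON: test-signed kernel drivers will load'
    }
    if ($loadOptions -match 'DISABLE_INTEGRITY_CHECKS') {
        $findings += "loadoptions is set to '$loadOptions'"
    }

    # Step 1: UAC. On Windows 7 the lowest slider position writes EnableLUA = 0.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua = (Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    if ($lua -eq 0) { $findings += 'UAC is disabled (EnableLUA = 0)' }

    # Troubleshooting tip: Windows Firewall turned off completely.
    $fwProfile = $null
    foreach ($line in (& netsh.exe advfirewall show allprofiles state)) {
        if ($line -match '^(\w+) Profile Settings') { $fwProfile = $Matches[1] }
        elseif (($line -match '^State\s+OFF') -and $fwProfile) {
            $findings += "Windows Firewall is OFF for the $fwProfile profile"
        }
    }
    return $findings
}

$found = @(Get-WeakenedSettings)
if ($found.Count -eq 0) { 'No weakened settings found.' } else { $found }

# To restore driver signature enforcement (the unsigned Tap driver will then stop loading):
#   bcdedit.exe -set TESTSIGNING OFF
#   bcdedit.exe /deletevalue loadoptions
# followed by a reboot.
```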

Here’s the problem:
You have one, two, three, or more mapped drives that everyone in the office needs access to, you just got a new PC, and you are dreading having to map these drives every time someone new logs in to the PC.

Here’s the solution: (special thanks to John Savill over at Windows IT Pro for the original outline) This solution assumes you are in a Windows Domain environment (not a home PC). It also assumes it’s a small office that doesn’t use logon scripts pushed down from a domain controller.

  1. Log into the PC with a domain user account that has Local Administrator privileges (JDOE, for example).
  2. Manually map the drives you need, selecting the “Reconnect at login” option.
  3. Now log out and log back in as the actual Local Administrator.
  4. From the Start Menu select Run, type in REGEDIT, and click OK to open the registry editor. (Do I need to mention that if you are not comfortable editing the registry – don’t? You can really do some damage if you screw it up…)
  5. Select HKEY_USERS and from the File menu select Load Hive.
  6. Browse to the profile you used to map the drives (like C:\Documents and Settings\JDOE) and select the NTUSER.DAT file. When prompted, give it the name “DefaultU”. (Note: You need to have “Show hidden files and folders” turned on to see the NTUSER.DAT file…)
  7. Notice that now there is a new entry under the HKEY_USERS key called “DefaultU”.
  8. Browse to HKEY_USERS\DefaultU\Network\X (where X is one of the drive letters you mapped), right click on it and select Export to export the key to a REG file. Do remember where you save it. Repeat for all the drives you mapped.
  9. Highlight the DefaultU key and from the file menu, select Unload Hive.
  10. From the file menu, select Load Hive and browse to the profile of the Default User (see, different than the earlier steps). Select the NTUSER.DAT file. When prompted, give it the name “DefaultU”.
  11. Now you need to import the REG files you exported earlier. Find them, and double click them one at a time to import them back into the registry.
  12. The last steps are a little tricky so pay attention. Browse to the HKEY_USERS\DefaultU\Network\X key and highlight the X.
  13. In the right pane, select the UserName value, right click and select Delete.
  14. From the Edit menu, select New> Expandable String Value.
  15. Give it the Value Name: UserName, and for the String (with the quotes): “%UserDomain%\%UserName%” (case sensitive).
  16. Repeat for all the drives you mapped.
  17. Highlight the HKEY_USERS\DefaultU key and unload it (File>Unload Hive).

That’s it – you’re done! Test your results by logging in as someone else or by renaming the profile you used to originally create the mapped drives (C:\Documents and Settings\JDOE to C:\Documents and Settings\JDOEX) and then log in as JDOE.

Let me know how it goes!


I have Vista Business x64 installed on my laptop (not recommended btw) and our print server runs Windows Server 2003 x86. Our printers are typically initially installed using a vbs logon script that’s pushed via group policy. Well, that doesn’t work for my configuration for two reasons: 1) Vista account controls are a complete pain in the a** (and no, I’m not referring to User Account Control), and 2) because x64 drivers can’t be installed on an x86 server – well, not directly – and if they can’t be installed, they can’t be served up when an x64 workstation needs them. While trying to install our Oce CM4521 Office MFC, I finally got fed up and pushed to figure it out.

At first, I tried to add the x64 driver to the 2003 server using the Additional Drivers button on the Sharing tab for the printer. Unfortunately, I get told that either this is the wrong hardware or that it can only be installed from a remote system running an x64 OS.

After much searching, I discovered that it was really much easier than expected. On my workstation, I went through the motions of installing the network printer. When I got to the point where it told me the correct drivers were not installed, I downloaded and installed the x64 drivers. This got the printer installed – for me. In a ‘production’ environment of many x64 workstations the server has to push the drivers down…

So anyway, like I said, it was easier than I thought. I simply went to the Sharing tab of the printer I installed and used the Additional Drivers button. (Note that I did not actually share the printer.) Checking the x64 box here pushes the x64 drivers back to the server, making them available to other x64 PCs.

I guess that’s exactly what the instructions told me in the first place, although only for this printer. The Dell printer (used in the example above) only told me that the driver wouldn’t work for the “requested processor architecture.” Go figure…


We have a Watchguard x500 firewall and use the VPN with SSL client to access the network remotely. In anticipation of some of our power users moving to Vista Business x64, I’ve been running a copy through the paces. So far I’ve run into a few glitches – surprisingly none of them major with one exception. The Watchguard SSL client version 10.0 is not compatible. It installs without error or warning, but just will not connect. Apparently, there is a 10.7 update to the Fireware software that overcomes this, but I didn’t want to go through the hassle of updating the entire system just to get the VPN client to work. As it turns out I didn’t have to. (updated 6/26: OpenVPN changed their download location and have a new RC package. I just tested it on a new x64 installation and the steps still work.)

There are two primary components to the VPN with SSL client – the client GUI and the TAP driver. The TAP driver creates a virtual network connection. This is the part that fails in Vista x64. Fortunately, the Watchguard VPN with SSL client is built using the opensource OpenVPN (http://openvpn.net/) program. Thankfully, OpenVPN has a new version that includes a TAP driver that does work in Vista x64!

Here’s what I did:

  1. Installed the Watchguard VPN with SSL version 10.0 client (didn’t work)
  2. Swore a bunch, did a lot of research…
  3. Went to http://openvpn.net/index.php/open-source/downloads.html and downloaded the OpenVPN 2.1_rc18 client software. (the 2.0 “stable” release does not work in x64)
  4. Uninstalled the Watchguard client.
  5. Rebooted.
  6. Downloaded the Watchguard client from our Firebox again.
  7. Started the install BUT UNCHECKED the BOX next to the TAP Driver.
  8. REPEAT – DO NOT install the TAP driver included with the Watchguard client.
  9. Once that finished, I ran the installer for the OpenVPN client.
  10. There are a lot more installation options with the Open VPN client, and I unchecked all of them EXCEPT the TAP Driver.
  11. Once the new TAP driver was installed, I was able to connect without a hitch.

Hope this helps!

Jan
27

Activate Remote Desktop Remotely

Posted by Paul

This is a pretty simple one, but since I keep forgetting the registry key, I’m putting it here:

In order to use these steps, you need to know the machine name or IP address of the remote computer.

  • Use Regedit to connect to the registry of the remote machine. (File menu > Connect Remote Registry)
  • Find the key: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
  • Under that key, find the value: fDenyTSConnections and change the value from 1 to 0
  • Close Regedit and try the remote connection.
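Because this one registry value decides whether a machine accepts Remote Desktop connections, it is worth being able to check it across machines. The following is an added example, not from the original post: a read-only PowerShell audit that reads fDenyTSConnections over the same remote-registry connection Regedit uses. It assumes the Remote Registry service is running on each target and that you have administrative rights there; the host names and function names are placeholders.

```powershell
# Added example, not from the original post. Read-only: it changes nothing on the targets.
# Assumes the Remote Registry service is running on each target and that the account
# running it has administrative rights there. Host names below are placeholders.
$tsKey     = 'SYSTEM\CurrentControlSet\Control\Terminal Server'
# Group Policy can set the same value name under this key, overriding the local one.
$policyKey = 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Read-RemoteValue {
    param($BaseKey, [string]$SubKey, [string]$ValueName)
    $key = $BaseKey.OpenSubKey($SubKey)      # read-only handle; $null if the key is absent
    if ($null -eq $key) { return $null }
    try { return $key.GetValue($ValueName, $null) } finally { $key.Close() }
}

function Get-RdpState {
    param([string[]]$ComputerName)
    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    foreach ($name in $ComputerName) {
        $state = 'Unknown'; $source = ''; $detail = ''; $value = $null
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $name)
            try {
                $localVal  = Read-RemoteValue $hklm $tsKey 'fDenyTSConnections'
                $policyVal = Read-RemoteValue $hklm $policyKey 'fDenyTSConnections'
            } finally { $hklm.Close() }

            # A policy value, when present, wins over the local setting.
            if ($null -ne $policyVal)    { $value = $policyVal; $source = 'Group Policy' }
            elseif ($null -ne $localVal) { $value = $localVal;  $source = 'Local setting' }
            else                         { $detail = 'fDenyTSConnections not found' }

            if ($null -ne $value) {
                # 0 = connections allowed, anything else = denied
                if ($value -eq 0) { $state = 'Enabled' } else { $state = 'Disabled' }
            }
        } catch {
            # Unreachable host, service stopped, or access denied
            $detail = $_.Exception.Message
        }
        New-Object PSObject -Property @{
            Computer = $name; RemoteDesktop = $state; Source = $source; Detail = $detail
        }
    }
}

Get-RdpState -ComputerName 'PC-EXAMPLE-01', 'PC-EXAMPLE-02' |
    Select-Object Computer, RemoteDesktop, Source, Detail | Format-Table -AutoSize
```

A machine that reports Enabled when nobody remembers turning it on is worth a closer look, as is one where the Remote Registry service is reachable by more accounts than it needs to be.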

If you still cannot connect to the remote machine, you may need to restart it. Here is the remote restart command (also lots of fun to try on your coworkers):

Nov
10

Installing BES on Win2K3 + Exch2K3

Posted by Paul

Our Setup: We have MS Exchange 2003 SP 2 installed on a single Windows 2K3 R2 server. We also have a few other servers hanging around for running applications and our intranet, etc. After some initial research (and because I don’t completely trust RIM), I chose to install the Blackberry Professional Software (aka Blackberry Enterprise Server or BES) on one of the other app servers. As it turns out, this was a good thing. You can install BES on the same server that hosts your Exchange store, but it has to be in a virtual environment – i.e. VMWare, etc. So if you don’t have that, you’d better get more iron.

We are just getting started with Blackberry Enterprise, so we installed the "Express" (aka free) edition. Supposedly it’s the same as the "non-express" except that you can only authorize a single user. Since our user base will be small, we stuck with using the local installation of MS SQL Express that was already installed on the BES server.

A Few Things I Discovered:

  1. Don’t install BES where you have or plan to use IIS, as BES installs some Apache business that, according to unofficial posts around the ‘net, will do some damage to IIS.
  2. You do need to have the Exchange System Manager installed on the same server as BES in order for the MAPI connections to work. I read a few posts with instructions for manually registering the necessary components, but really it was just easier to install a copy of ESM on the BES server. Choose the Custom installation from the Exchange 2003 setup menu.

The Install: The RIM instructions were pretty simple, but it did seem like the Exchange 2003 configuration instructions were written from someone’s memory rather than from a step by step install. Some steps were out of order and I felt they went out of their way to be purposely vague when it came to anything you had to do to prep your server. Here are some prereq’s in the order that worked for me – you need to read the BlackBerry Professional Software Getting Started Guide PDF as I’m not going to repeat all their steps here:

  1. When you downloaded the Blackberry professional software, you should have been presented with some ID and license/CAL codes. Find them.
  2. Create your BESadmin user account first, then add it to the BUILTIN Administrators group and configure the account and Exchange permissions, etc. per the guide, including adding it as a local administrator on the BES server.
  3. Download any Exchange 2K3 service packs and the Hotfixes noted in the guide. The hotfix for the "Send as" feature is post SP2, so you will definitely need it. You can go ahead and install them on your Exchange Server.
  4. Find your Exchange Server install CD.
  5. Log in to the future BES server using the BESadmin account and install the Exchange System Manager.
  6. Restart the BES server.
  7. Install SP2 if you need to on the Exchange server and BES server, then install the hotfixes on both servers.
  8. Open the ESM on the BES server and verify that all the permissions you applied in the primary location carried over to the BES server.
  9. Now install the Blackberry Professional Software.

From here on out, things are pretty simple and the installation went smoothly.

A Few Things That Went Wrong the First Time:

  1. In order to Add a user to the Builtin Administrators group, you have to create the account first.
  2. I didn’t have ESM installed on the BES server. I’m no Exchange guru, so the MAPI errors I was getting when trying to install the Blackberry software.
  3. After installing the ESM on the BES server, I was still getting the MAPI errors. A reboot solved that problem. DUH!
  4. I could not grant the BESadmin Log on as a service in the local security policy. I had to go to our Default Domain Policy GPO and grant it there.
  5. Test messages kept failing to send claiming that the BES did not have permission to send. Turns out I was logged in as the domain admin, not the BES admin. Once I logged in as the BES admin, everything was fine.

Here are the steps for one way of exporting an Exchange mailbox to a PST (in our environment anyway) using the Exchange Migration Wizard:

  1. On the Exchange server, go to the Start Menu and find the Exchange Server group.
  2. Open Exchange Migration from the Deployment folder.
  3. Click ‘Next’ at the welcome screen.
  4. Select "Migrate from Exchange…" as the type of migration and click ‘Next’.
  5. If you get a screen telling you about your selection, click ‘Next’.
  6. The next screen should be the ‘Migration Destination’ screen. Select the "Migrate to .pst files" option.
  7. On this same screen, browse to select a location to place the PST file. (Typically just the Desktop. You can relocate it later.) Click ‘Next’.
  8. Now you have to identify the source Exchange server. Since we are not migrating from an Exchange 5.5, uncheck that box. Then enter the Exchange server name and administrator information. Typically the administrator user name must be entered as ‘domain\administrator’. Click ‘Next’
  9. Next you choose what information you want to migrate. Leave the box checked next to Create/Modify user accounts. If you only want to export a range of emails, you can filter by date or email subject. When you’re done, click ‘Next’.
  10. Now select the user you wish to export. Click ‘Next’.
  11. The export process will begin immediately.
Here are a few links to some information on ExMerge.exe (another possible method):