Archive for February, 2009

Kerio Mail Server 6.6 and IMAP

Friday, February 27th, 2009

Update 6.6 introduced many changes to Kerio; one of them changes how IMAP reacts to deleted items.

Typically, when an item is deleted from an IMAP client, that item has a strike through to show that it has been deleted. To further delete this item, you must purge or expunge the deleted items to completely remove them.

The 6.6 update changed the way Kerio reacts to deletions by completely deleting the item for good. No moving to deleted items, no warning, just a hard delete.

This can be changed, but it must be done globally. It cannot be done on a per user basis.

Log in to the mail server.
On a Mac:
- Stop the mail server
- sudo or su
- Go to /usr/local/kerio/mailserver
- Edit mailserver.cfg
- Change 1 to 0

When I spoke to Kerio Tech Support, they said that this change was done due to overwhelming requests by the customers. They acknowledged that this goes against the RFC. KMS 6.7 should move the deleted items to the deleted folder instead of trashing them completely.

File Replication

Thursday, February 19th, 2009

Performing replication between physical locations is always an interesting task. Perhaps you’re only using your second location for a hot/cold site or maybe it’s a full-blown branch office. In many cases, file replication can be achieved with no scripting, using off-the-shelf products such as Retrospect or even Carbon Copy Cloner. Other times, the needs are more granular and you may choose to script a solution, as is often done using rsync.

However, a number of customers have found these solutions to leave something to be desired. Enter File Replication Pro. File Replication Pro allows administrators to replicate data between two locations in a variety of fashions and across a variety of operating systems in a highly configurable manner. Furthermore, File Replication Pro provides delta synchronization rather than full file copies, which means that you’re only pushing changes to files and not the full file over your replication medium, greatly reducing required bandwidth. File Replication Pro is also multi-platform (built on Java), allowing administrators to synchronize Sun, Windows, Mac OS X, etc.

If you struggle with File Replication issues, then we can help. Whatever the medium may be, give us a call and we can help you to determine the best solution for your needs!

Automating Craigs’ List

Tuesday, February 17th, 2009

Craigslist is a great place to find all kinds of things.  But sometimes you need to keep looking for something, over and over for months on end until you find it.  Maybe it’s something you just don’t want to pay for or maybe it’s someone that wants that thing you just don’t want to throw out (like that bondi blue iMac).  Either way, there’s a site that will search Craigslist for you and  email you when a pattern that matches your search appears.  Simply do a search on Craigslist, copy the URL from your address bar in your web browser and then open CraigsListWatch.com. Here, you can paste in the URL, enter your email address and every other hour they will look for new postings that match your criteria. This is a great way to take so much stuff and automate your searches, without having to write an Automator workflow to do so!

Terminal Server 2008 Load Balancing

Thursday, February 12th, 2009

Load balancing is fairly straightforward in Microsoft Windows Terminal Server 2008. Before you get started you’ll need to have multiple terminal servers, a Windows 2008 Active Directory environment and a centralized location to store your user profiles.

When Terminal Servers are set up with load balancing and redirected profiles, no single terminal server should get overloaded by users while another terminal server sits idle. When a user tries to connect, the master terminal server checks the load on each of the servers and logs the user into the one with the least load. Since redirected profiles are set up, every user that logs in will have all of their desktop items, documents folder and pretty much everything that they will need. The user does not even need to know that they are on a different terminal server than they were the last time that they logged in.

To install Terminal Server clustering, first verify that you meet the prerequisites of centralized home folder storage, Active Directory 2008 and multiple terminal servers. Then install the Terminal Server Session Broker service on each one of the servers. Then, on one of the servers, add all of the terminal servers into the session directory under groups in Local Users and Groups. You only need to add it on one server and the change will replicate.

The next thing you need to do is set up an alias and associate the IP addresses of all the terminal servers with that alias. Once complete, an nslookup on that alias should display all of the IP addresses that you entered.

Then you will need to make some changes to group policy. It appears that you must have a 2008 Domain Controller set up with the most upgraded schema to be able to do this. Go to Computer Settings -> Policies -> Administrative Templates -> Windows Components -> Terminal Services -> Terminal Server and then TS Session Broker. In here you need to put the name of the alias under Configure TS Session Broker Farm Name. Then put the name of the main terminal server in Configure TS Session Broker name. You also need to enable Join TS Session Broker and Use TS Session Broker Load Balancing. After you have that set up, save the Group Policy Object (GPO) and attach it to the Organizational Unit (OU) that holds the terminal servers.

Once your group policies are in place you can focus on making the lives of your users a bit easier by enabling redirected user profiles. First, you will need a place to put all of the user profiles. Then you will want to move all of the users that need to access the terminal servers into a new Organizational Unit, create a new group policy object and enable folder redirection. To enable folder redirection, go to User Configuration -> Policies -> Windows Settings and then Folder Redirection. Here, enable each folder redirection policy that you feel the users in the organization will need (this is different for everyone and can require a little testing to get it perfect). While the choices are a lot to consider at first, Appdata, Desktop and My Documents are the most standard ones to choose and represent a great starting point. The basic setting is what you will most likely want to use; then just put in the root path to your profile. It will then give you an example of where everything will be stored, and you will verify that the user names and the folders that you created on the network share are the same.

Once all of the users are able to log into any of the terminal servers and get the same exact environment no matter which server they log into, you are mostly done. With load balancing set up, one terminal server being overused is no longer something you need to worry about with 2008. Once the cluster is set up, the master terminal server will take care of the rest.

Citrix XenApp: New Look, New Features, Same Great Product

Wednesday, February 11th, 2009

Citrix XenApp has been around much longer than its new name would suggest. Formerly known as MetaFrame Presentation Server, XenApp has been a reliable solution for many years. It is the premier solution for application publishing and remote workplace access, while it also helps to ensure the highest level of security with built-in encryption.

Customizable Citrix Authentication Window

XenApp provides a seamless workplace environment that enables IT departments to centralize the management of data and resources in a granular and automated fashion. As all of your information is hosted on company servers as opposed to being distributed across numerous client machines, there is an inherently lower security risk of data being compromised, virus infestations and of course untrustworthy users.

XenApp is one of the most mature products of its type. XenApp provides greater advantages over most remote workplace applications in that it utilizes software that enables it to run across all platforms of systems. This ensures Windows, Mac and even Unix/Linux clients can access the same information in exactly the same way – using the native Windows applications published through a web or Citrix client interface. A unified approach to management drives down administrative overhead and expense by allowing IT departments to focus on one interface rather than having to support various individual systems all with their unique quirks or configurations.

Citrix in URL

With Citrix, a user simply browses to the website where the Application is hosted and logs in. From there, the end-user has access to all the applications that they have been granted access to.

Citrix Application Selection Dialog

Access to applications can be based on granular, user based settings or as a result of larger, more scalable group memberships either local to the Citrix server or based on Active Directory. Either way, each unique user can be provided a very specific and unique user experience tailored to their needs. For some users, you may allow access to a full Desktop environment while for others you may limit access to only a small subset of applications.

Citrix in Action

When you are looking to have an enterprise-level deployment of Mac OS X, Citrix can help to ease the transition burden. For example, many applications are not available to the Mac. If Mac OS X users are not able to access the corporate ERP system then they are not full citizens of the enterprise. The same goes for obtaining support for various browser incompatibilities that may exist with corporate Intranets and for obtaining features not available in the Mac versions of applications, such as being able to auto-archive in Microsoft Outlook (which is not a feature of Entourage). All in all, Citrix can help you ease into an enterprise switching campaign rather than force all of your users into a culture shock of new applications, new ways of doing things and compatibility problems.

Citrix is also a scalable solution. The clustering options in XenApp are far easier to configure than with Windows Terminal Server. The failover is fast and less infrastructure is required as the Citrix server is able to manage most of the workload.

318, Inc is a trusted Citrix Partner well versed in providing Remote Workplace and Application Publishing connectivity for organizations in both homogeneous and heterogeneous environments. Allow our highly-skilled technology consultants to assess and recommend the ideal Remote Workplace solution for your organization.

Xsanity article on Configuring Network Settings using the Command Line

Tuesday, February 10th, 2009

We have posted another article to Xsanity on “Setting up the Network Stack from the Command Line”. An excerpt from the article is as follows:

Interconnectivity with Xsan is usually a pretty straight forward beast. Make sure you can communicate in an unfettered manner on a house network, on a metadata network and on a fibre channel network and you’re pretty much good to go. One thing that seems to confuse a lot of people when they’re first starting out is how to configure the two ethernets. We’re going to go ahead and do two things at once, explain how to configure the interface and show how to automate said configuration from the command line so you can quickly deploy and then subsequently troubleshoot issues that you encounter from the perspective of the Ethernet networks.

View the full article here.

Shared Memory Settings Explained

Friday, February 6th, 2009

Shared memory is a method of inter-process communication (IPC), where two processes communicate with each other through shared blocks of RAM. Because communication is resident in RAM, shared memory allows for very fast communication between processes. There are significant drawbacks to shared memory; one obvious limitation is that all communicating processes must exist on the same box. Additional complexities with the implementation of shared memory means that it is typically relegated to lower-level, performance oriented systems, such as databases or backup systems.

In OS X, these settings MUST be tweaked if you are expecting to backup significant amounts of data with any semblance of speed or stability. I can confirm that both TiNa and NetVault use shared memory for IPC. Other products such as Retrospect or PresStore utilize other IPC methods, such as named pipes.

kern.sysv.shmall
shmall represents the maximum number of pages able to be provisioned for shared memory. It determines the total amount of shared memory that the system can allocate. To determine total system shared memory, multiply this value by the page size. The page size can be determined via `vm_stat` or `getconf PAGE_SIZE`. A typical page size is 4KB, 4096 bytes.
In OS X, Apple uses extremely conservative settings for shmall. At 1024, OS X defaults to only 4MB of shared memory.

kern.sysv.shmseg
shmseg represents the maximum number of shared memory segments each process can attach. Default in OS X is 8.

kern.sysv.shmmni
shmmni limits the number of shared memory segments across the system, representing the total number of shared memory segments. Default in OS X is 32.

kern.sysv.shmmin
shmmin is the minimum size of a shared memory segment; this should pretty much never need modification. Default is 1.

kern.sysv.shmmax
shmmax is the maximum size of a segment. Default in OS X is 4 MB, 4194304.

Suggested Settings:

512MB of shared memory
kern.sysv.shmall: 131072
kern.sysv.shmseg: 32
kern.sysv.shmmni: 128
kern.sysv.shmmin: 1
kern.sysv.shmmax: 536870912

1GB Shared memory
kern.sysv.shmall: 262144
kern.sysv.shmseg: 32
kern.sysv.shmmni: 128
kern.sysv.shmmin: 1
kern.sysv.shmmax: 1073741824
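
The relationship between shmall, the page size and shmmax described above can be checked before the values are applied. This is an added example, not part of the original post: the function name `shm_check` is hypothetical, and the page size is assumed to be 4096 bytes unless one is passed in. It fails when shmmax is larger than the total that shmall permits, which is what happens if shmmax is raised while shmall is left at its default.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check kern.sysv.shm*
# values before they are applied.
# stdin: "key: value" or "key=value" lines; $1: page size in bytes
# (assumed 4096 when omitted; `getconf PAGE_SIZE` gives the real value).
shm_check() {
    page_size=${1:-4096}
    shmall= shmmax= shmmin=
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d ' \t\r')
        key=${line%%[:=]*}
        val=${line#*[:=]}
        case $val in ''|*[!0-9]*) continue ;; esac   # skip non-numeric lines
        case $key in
            kern.sysv.shmall) shmall=$val ;;
            kern.sysv.shmmax) shmmax=$val ;;
            kern.sysv.shmmin) shmmin=$val ;;
        esac
    done
    if [ -z "$shmall" ] || [ -z "$shmmax" ]; then
        echo "FAIL: shmall and shmmax must both be set"
        return 2
    fi
    # Total system shared memory = shmall (pages) * page size (bytes).
    total=$((shmall * page_size))
    echo "total=$total"
    status=0
    if [ "$shmmax" -gt "$total" ]; then
        echo "FAIL: shmmax $shmmax exceeds shmall*page_size $total"
        status=1
    fi
    if [ -n "$shmmin" ] && [ "$shmmin" -gt "$shmmax" ]; then
        echo "FAIL: shmmin $shmmin exceeds shmmax $shmmax"
        status=1
    fi
    return $status
}

# Constructed input: the 512MB suggestion from this post.
printf '%s\n' 'kern.sysv.shmall: 131072' 'kern.sysv.shmmin: 1' \
    'kern.sysv.shmmax: 536870912' | shm_check 4096 || true
```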

Speeding Up FileMaker Calculations

Wednesday, February 4th, 2009

Make as few calls to database fields as possible!

When using fields in calculations, each time the value is retrieved, FileMaker has to read from disk in order to get the information. Even if you use the same field twice in a row, FileMaker will read that field twice from the disk!

Here are some examples where you could really speed things up.

// Calculation 1
Case (
table_1::field_1 < 1; "green";
table_1::field_1 < 10; "red";
table_1::field_1 < 100; "blue";
"orange"
)
// End Calculation 1

In this case, multiple comparisons to table_1::field_1 are being made. Each time it compares the field to a value, it is retrieving it from hard disk. Instead, set a variable to the contents of the field, and then compare the variable to the values:

// Calculation 1 Revision
Let ( $table1_field1 = table_1::field_1 ;
Case (
$table1_field1 < 1 ; "green" ;
$table1_field1 < 10 ; "red" ;
$table1_field1 < 100 ; "blue" ;
"orange"
)
)
// End Calculation 1 Revision

This places the contents of the field into memory for fast access, and on average may speed up the calculation 2x!

// Calculation 2
If ( table_1::field_1 = "animal" or table_1::field_2 = "dog" or table_1::field_3 = "labrador" ; 1 ; 0 )
// End Calculation 2

In this one, three separate fields are being compared with the "or" operator. The calculation will always retrieve values from all three fields even if the first condition is met. Rewrite this as a case statement:

// Calculation 2 Revision
Case (
table_1::field_1 = "animal" ; 1 ;
table_1::field_2 = "dog" ; 1 ;
table_1::field_3 = "labrador" ; 1 ;
0
)
// End Calculation 2 Revision

This will give the same results; however, if field_1 does equal "animal", the next two comparisons will not be made, and will save time by not retrieving the additional fields.

// Calculation 3
Case (
IsEmpty(table_1::field_1) ; 1 ;
IsEmpty(table_1::field_2) ; 1 ;
IsEmpty($var1) ; 1 ;
IsEmpty($var2) ; 1 ;
0
)
// End Calculation 3

Here we have the same result (1) given by all of these cases. You would want to place the conditions with variables first because these will calculate much faster than the fields:

// Calculation 3 Revision
Case (
IsEmpty($var1) ; 1 ;
IsEmpty($var2) ; 1 ;
IsEmpty(table_1::field_1) ; 1 ;
IsEmpty(table_1::field_2) ; 1 ;
0
)
// End Calculation 3 Revision

This way, if conditions 1 or 2 are met, the calculation does not need to retrieve any fields at all!

// Script 1
Set Variable $$concat = "";
Set Variable $x = 1;
Set Variable $count = Count(Relationship_1::Field_1);
Loop
Exit Loop If $x > $count;
Set Variable $$concat = $$concat & GetNthRecord(Relationship_1::Field_1; $x);
Set Variable $x = $x + 1;
End Loop
// End Script 1

In this script, $$concat is a concatenated string of all values in the relationship Relationship_1::Field_1. In this case, you could make a single call to the database using the List command rather than retrieving the contents from each individual record:

// Script 1 Revision
Set Variable $$concat = "";
Set Variable $field_values = List(Relationship_1::Field_1);
Set Variable $x = 1;
Set Variable $count = ValueCount($field_values);
Loop
Exit Loop If $x > $count;
Set Variable $$concat = $$concat & GetValue($field_values; $x);
Set Variable $x = $x + 1;
End Loop
// End Script 1 Revision

Caution #1: When using the List command, if the field contents of a record are blank, the value will not be included in the returned list. In this particular case, since concatenating a blank value would result in the same string, the results will be the same either way.

Caution #2: If you know that the field could contain return characters, do not use List (unless you really know what you’re doing!). The List function actually works best with serial number fields or fields that you know contain one line of data.

Using Selectors With Retrospect

Wednesday, February 4th, 2009

Retrospect has a filtering system based on selectors. This document will review the specifics of developing these selectors.

Each script created in Retrospect has the option to filter the file selection. This can be accomplished with a pre-existing selector or with a custom filter created for just this script.

We will be creating a new pre-created selector.

In Retrospect 6.1 for Mac, navigate to the Special tab of the primary Retrospect window.
- Press the selector button
A window will open with all of the existing selectors. You can choose to create a new one or edit existing ones.
- Press New

You will be prompted to name the selector; any name will do.
You will then be presented with simple include and exclude selector sections.

Include: By default this is empty, which means include everything in the source. By adding conditions to this section you will exclude everything BUT the selections you are choosing. This is often used with source groups to limit the backup directories to /Users

Exclude: After the Include rules populate the file list to be backed up, the exclude list is applied to remove files that are indicated by the logic.
This is used to exclude files that are not important or will eat up too much space for backup. Music files and cache files are often the case.

Logic: The filtering mechanism gives you the ability to select or exclude files based on the following criteria:

- Date
- File Kind (HFS File types)
- Flags (HFS File Flags)
- Labels (HFS Label Colors)
- Backup Client Name (as found in the client list of Retrospect)
- File / Folder Name
- Sharing Owner name
- Volume Name
- Pre-existing selector in Retrospect
- Size of File or Folder
- Special Folders (Mac OS reserved folders)
- UNIX (file permissions or special files such as symbolic links or pipes)

You will see that there are quite a number of Mac-specific selectors here and no Windows-specific selectors. Retrospect 6.1 for Mac is very one sided. Using these selectors you can create inclusions and exclusions with logic to refine your backup or restore policy. Once you have the selector set up the way you would like, you can save it and then indicate this new selector in your backup scripts.

Retrospect 7.6 for Windows: Versions 7 – 7.6 are Windows only, and we will touch on the most recent version, 7.6 for Windows.

The interface for the Windows version of Retrospect is different in that the location of the buttons is different, but the names are generally the same.
Instead of having tabs across the top, the Windows version has them as a list of links vertically on a sidebar to the left. From that list you can select the “Configure” link near the bottom. This should expose a list that will include “Selectors”.

The mechanism for the selectors is similar to that of Retrospect 6.1. The selector window will show a list of pre-created selectors, with the option to edit existing selectors or create new selectors. The selectors are organized into inclusion and exclusion.

Logic: the arrangement of selectors is slightly different. The options are grouped into separate sections:

Universal:
- Attributes
- Client Name
- Date
- File System
- Login Name
- Name
- Selector
- Size
Windows:
- Attributes
- Date
- Drive Letter
- Path
- Special Folders
Mac OS X:
- Attributes
- File Kind
- Label
- Path
- Permissions
- Special Folders
UNIX:
- Attributes
- Date
- Path
- Permissions
NetWare:
- Date
- Path
MailBox:
- Sender

This arrangement separates the different supported client types, with specific selectors for the client in question. Otherwise the logic is the same: include filters create the file list and exclude logic removes files from it. Also, once the new selector is created it can be selected within any available script.

Retrospect 8
The new version, Retrospect 8 (as far as beta 5), calls selectors rules, and only supports the use of rules. You cannot come up with a custom filter for use in only one script. This version of Retrospect allows you to edit the “Rules” only from the preference pane of the application.

The preference pane allows you to create, remove, edit or duplicate scripts. The script editor resembles the smart folder rule in the Mac OS X Finder.
You begin with the logic to include or exclude “Any” or “All” of the following selectors. You can then create filters based on the following:

File:
- Name
- Mac Path
- Windows Path
- UNIX Path
- Attributes
- Kind
- Date Accessed
- Date Created
- Date Modified
- Date Backed up
- Size Used
- Sized on Disk
- Label
- Permissions
Folder:
- Name
- Mac Path
- Windows Path
- UNIX Path
- Attributes
- Kind
- Date Accessed
- Date Created
- Date Modified
- Date Backed up
- Size Used
- Sized on Disk
- Is
- Is Not
- Label
- Permissions
Volume:
- Name
- Drive Letter
- Connection Type
- File System
Source Host:
- Name
- Login Name
Existing Rule:
- Is

This list could easily expand out to be many times too complex to display here. Nonetheless, all the features of previous filters are arranged from simple to complex with logical includes or excludes.

Once these are created they are available to any script created by the program. In addition, since the Retrospect application is now a console for Retrospect servers, the scripts created are on a per-server basis. The “Rules” on one server are not necessarily on another.

The Time Machine Safety Net

Monday, February 2nd, 2009

Time Machine utilizes Leopard’s new MAC (Mandatory Access Control) framework, providing a “safety net” to ensure the integrity of your backups. Access control provisions are applied via a kernel extension located at /System/Library/Extensions/TMSafetyNet.kext, which makes calls to _mac_policy_register and _mac_policy_unregister. The result is a backup set whose data is immutable via standard means. For instance, attempting to delete a Time Machine backup via the cli utility ‘rm’ will fail, as will any other cli file operation utility which attempts to alter Time Machine backups.

It seems that the system enforces the restrictions when all of the following conditions are met:
  1. Has ACE ‘group:everyone deny full control’
  2. Resides in a directory “Backups.backupdb” located at volume root with the same deny ACE

Steps to create the safety net:

$ mkdir -p /Backups.backupdb/test/test1
$ chmod -R +a# 0 "group:everyone deny add_file,delete,add_subdirectory,delete_child,writeattr,writeextattr,chown" /Backups.backupdb/
$ rm -rf /Backups.backupdb/test
rm: /Backups.backupdb/test/test1: Operation not permitted
rm: /Backups.backupdb/test: Operation not permitted

Attempts to alter this data are then unsuccessful. However, there are a few back doors here. There exists a cli binary at /System/Library/Extensions/TMSafetyNet.kext/Contents/MacOS/bypass which allows you to supply a command + args as an argument and completely bypass the access restrictions. Likewise, GUI level apps can delete these items by escalating via the authorization trampoline.
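
To audit whether a backup directory actually meets the two conditions listed above, the ACL entry and the path can be checked from `ls -led` output. This is an added example, not part of the original post: the function names and sample listings are constructed, the required rights are the ones in the chmod command above, and non-boot volumes are assumed to be mounted under /Volumes.

```shell
#!/bin/sh
# Added example (not from the original post): check the two safety-net
# conditions from `ls -led <path>` output on macOS.
# Rights taken from the chmod command in this post.
REQUIRED_RIGHTS="add_file delete add_subdirectory delete_child writeattr writeextattr chown"

# stdin: output of `ls -led <path>`. Succeeds if ACL entry 0 is a
# group:everyone deny ACE carrying every right in REQUIRED_RIGHTS.
has_safety_net_ace() {
    # Strip the "0: group:everyone [inherited] deny " prefix, keep the rights.
    rights=$(sed -n 's/^[[:space:]]*0:[[:space:]]*group:everyone\( inherited\)\{0,1\}[[:space:]]\{1,\}deny[[:space:]]\{1,\}//p' |
        head -n 1 | tr -d ' \t\r')
    if [ -z "$rights" ]; then
        echo "FAIL: entry 0 is not a group:everyone deny ACE"
        return 1
    fi
    missing=
    for r in $REQUIRED_RIGHTS; do
        case ",$rights," in
            *",$r,"*) ;;
            *) missing="$missing $r" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "FAIL: deny ACE lacks:$missing"
        return 1
    fi
    echo "OK"
}

# $1: absolute path. Succeeds if it is Backups.backupdb at a volume root
# (boot volume "/" or /Volumes/<name>, an assumption) or lies inside it.
in_backupdb_at_volume_root() {
    case $1 in
        /Backups.backupdb|/Backups.backupdb/*) return 0 ;;
        /Volumes/*/Backups.backupdb|/Volumes/*/Backups.backupdb/*)
            # "*" also matches "/", so require exactly one volume component.
            rest=${1#/Volumes/}
            vol=${rest%%/*}
            case ${rest#"$vol"/} in
                Backups.backupdb|Backups.backupdb/*) return 0 ;;
            esac ;;
    esac
    return 1
}

# Constructed `ls -led` output (not captured from a real system).
SAMPLE_PROTECTED='drwxr-xr-x+ 3 root  wheel  102 Feb  2 10:00 /Backups.backupdb/test
 0: group:everyone deny add_file,delete,add_subdirectory,delete_child,writeattr,writeextattr,chown'
SAMPLE_WEAK='drwxr-xr-x+ 3 root  wheel  102 Feb  2 10:00 /Backups.backupdb/test
 0: group:everyone deny add_file,add_subdirectory,writeattr,writeextattr,chown'

printf '%s\n' "$SAMPLE_PROTECTED" | has_safety_net_ace || true
printf '%s\n' "$SAMPLE_WEAK" | has_safety_net_ace || true
```

On a Mac, the live equivalent is `ls -led <path> | has_safety_net_ace` for each directory under the backup set.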