Archive for April, 2011

Setting Up Outlook 2011

Friday, April 29th, 2011

Outlook 2011 supports three types of email accounts: Exchange, POP and IMAP. We will discuss the setup of each type and the features that are enabled for each.

Setting up Exchange Accounts

1. In Outlook, click the Tools menu, then choose Accounts, the last entry on the menu.
This will open the Outlook Application Preferences to the Accounts tab. From here you will be able to choose the account type you would like to add or modify.

2. Select Exchange Account from the two choices, and a drop-down sheet will allow you to fill in the information fields.
Email address: provide the email address (user@domain.com)
User Name: DOMAIN\username (NOTE: it is considered proper to fill in the username as requested, but the software is smart enough to parse your domain from your email address.)
Password: add your email password

3. Press the Add Account button. This will launch an auto-configuration program that will query the Exchange server for the proper settings. If your Mac has the Active Directory server set as DNS, then the configuration should be successful. If this process fails, you will have the option to enter the hostname of the Exchange server in question. Once this is set up, the Email, Contacts, and Calendar should be set automatically.

Setting up an IMAP Account

1. In Outlook, click the Tools menu, then choose Accounts, the last entry on the menu.
This will open the Outlook Application Preferences to the Accounts Tab.

2. From here you will be able to choose the account type you would like to add or modify. In this case select E-mail Account. You will see a drop-down sheet with fields for your email address and password. If you have the check mark set to configure automatically, it will attempt to identify your mail server by doing DNS lookups against the domain in the email address.

Should this lookup fail, or should you just want to configure the account manually, you can un-check this option.

Pass or fail, this is the section where you will choose whether the email account will be IMAP or POP.

If you manually configure the account, you will need to know the incoming and outgoing mail servers as well as the ports and whether SSL is required. Having said that, always choose SSL first and let the program determine the ports; if that fails, you will need to investigate the specific settings on the mail server anyway.

Setting up a POP account

Setting up the POP account is nearly identical to the IMAP account. Choose manual set up and choose POP. The default ports will be changed to the appropriate ports.

Setting up Google Accounts

As of the writing of this document, Google does not support Exchange connections from Outlook 2011 for Mac. Outlook for Mac doesn’t have the same plugin architecture that Outlook for Windows does, so there is no Google plug-in for Mac Outlook. Outlook is restricted to using IMAP connections with Google Apps.

Kerio Servers
Kerio Mail Server does allow Exchange WebDAV connections from Outlook 2011, although Kerio doesn’t have the same auto configuration utility th
As of this writing, Kerio is on 7.2.3, which does support Outlook 2011 but has a problem with user delegation. This problem should be fixed in Kerio 7.3.

Suppressing the PHP Version

Thursday, April 28th, 2011

Yesterday, we looked at hiding the version of Apache being run on a web server. Today we’re going to look at suppressing the version of PHP.

By default, the PHP configuration file, php.ini, is stored at /etc/php5/apache2/php.ini (in most distributions of Linux) or just in /etc/php.ini (as with Mac OS X). In this file

vi /etc/php.ini

Then locate the expose_php variable within the file. Once found, set it to Off as follows:

expose_php = Off

Doing so will not improve the overall security of a system (unless you believe in security through obscurity). However, it is a good idea and will help defeat a number of vulnerability scanners. If you do suppress the Apache and PHP versioning information for the sake of passing a vulnerability scanner on a backported distribution of one of the packages, then it would be a good idea to check the CVEs for the port you are using and verify that you are secure.

Hiding the Apache Software Version

Wednesday, April 27th, 2011

By default, Apache displays version information when queried. One aspect of securing Apache servers is to suppress this information from being shown to clients. This also helps immensely with vulnerability scanners that only look at the HTTP header, as many vendors now backport or fork the code for Apache (e.g. Red Hat and Apple).

To do so, one need only make a small change to the httpd.conf file. By default, Apache on Linux stores its configuration in the /etc/httpd/conf/httpd.conf file. In Mac OS X it can be found at /private/etc/apache2/httpd.conf. Here, you will find the ServerTokens and ServerSignature directives. These should be set to ProductOnly and Off respectively, as follows:

ServerTokens ProductOnly
ServerSignature Off

Once these have been changed, you will need to restart the httpd service. One way to do so is to use init.d:

/etc/init.d/httpd restart

To verify that the version number has been suppressed, use telnet:

telnet www.318.com http
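
A scripted version of the checks from this post and the PHP post above, as an added example that is not part of the original posts. The function names (effective_value, audit_config, audit_headers) are hypothetical, the sample headers are constructed, and it assumes each setting lives in the single file passed in:

```shell
#!/bin/sh
# Added example (not from the original posts): audit version disclosure.

# Print the effective (last uncommented) value of a directive, lowercased.
# $1 = config file, $2 = directive. Accepts "Name value" and "name = value".
# Assumption: one file only; included files and per-vhost overrides are not followed.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }    # skip httpd.conf (#) and php.ini (;) comments
        {
            line = $0; sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)
            if (n >= 2 && tolower(f[1]) == tolower(key)) val = tolower(f[2])
        }
        END { print val }' "$1"
}

# $1 = httpd.conf, $2 = php.ini. Prints one finding per line; returns 1 if any.
audit_config() {
    rc=0
    case "$(effective_value "$1" ServerTokens)" in
        prod|productonly) ;;
        *) echo "ServerTokens is not ProductOnly (Apache default is Full)"; rc=1 ;;
    esac
    case "$(effective_value "$1" ServerSignature)" in
        on|email) echo "ServerSignature is enabled"; rc=1 ;;
    esac
    case "$(effective_value "$2" expose_php)" in
        off|0|false|no|none) ;;
        *) echo "expose_php is not Off (PHP default is On)"; rc=1 ;;
    esac
    return "$rc"
}

# Reads raw HTTP response headers on stdin (status line through the blank line).
# Prints findings; returns 1 if a version is disclosed.
audit_headers() {
    tr -d '\r' | awk '
        /^$/ { exit }             # headers end at the first blank line
        {
            name = tolower($0); sub(/:.*/, "", name)
            value = $0; sub(/^[^:]*:[ \t]*/, "", value)
        }
        name == "server" && value ~ "[/0-9]" { print "Server discloses: " value; bad = 1 }
        name == "x-powered-by" { print "X-Powered-By present: " value; bad = 1 }
        END { exit bad + 0 }'
}

# Constructed sample: headers as a server with default settings might send them.
printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.2.17 (Unix) PHP/5.3.4\r\nX-Powered-By: PHP/5.3.4\r\n\r\n' \
    | audit_headers || echo "=> version information is exposed"
```

With ServerTokens ProductOnly and expose_php = Off in effect, the response carries a bare "Server: Apache" header and no X-Powered-By header, so audit_headers returns 0.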

Making snort a Service in Server 2008

Tuesday, April 26th, 2011

Note: For more information about the topics covered in this article, contact us for a professional consultation.

Installing Snort in Windows Server 2008 is a fairly straightforward maneuver. Simply install WinPcap, then barnyard and then snort itself. You’ll also want to install the snort rules available on the snort downloads page.

Once snort is installed, it’s fairly simple to run it from the Windows Server 2008 command line. To do so, use the snort.exe that was distributed in the installer (by default it would be at c:\snort\bin\snort.exe). You can then run it in a simple form to check that the interfaces are available:

c:\snort\bin\snort.exe -W

Then, to use one of the listed interfaces, invoke snort with the -i option followed by the interface. You can also specify a custom logging location using -l and a custom configuration file using -c. This would result in something similar to the following:

c:\snort\bin\snort.exe -i 1 -l c:\snort\log -c c:\snort\etc\snort.conf

There are a lot more options, but this article is about converting it into a service. Once you’ve found a configuration that works for you manually, you can then take that, throw a /SERVICE /INSTALL after the snort.exe but before the other options, and voilà, you’ve converted snort into a service:

c:\snort\bin\snort.exe /SERVICE /INSTALL -i 1 -l c:\snort\log -c c:\snort\etc\snort.conf

Once snort has become a service, many will want to have it start automatically. This is possible using the sc command to configure the snortsvc to start automatically:

sc config snortsvc start= auto

And then, start her up:

sc start snortsvc

Intrusion Detection (IDS) and Prevention (IPS) solutions can be invaluable to an organization. If you would like to discuss running snort or any other IDS or IPS, please feel free to contact your 318 Professional Services Manager, or sales@318.com if you do not yet have one!

Setting Up Additional Google Apps Calendars on an iOS Device

Monday, April 18th, 2011

Syncing and Managing Additional Google Apps Calendars on your iOS Device

Google Apps allows users to easily set up multiple calendars in their account and access other users’ calendars via a web browser or calendar client such as iCal or Outlook. Duplicating this functionality on iOS devices requires some additional configuration steps:

1. Configure your device(s) with Exchange Active Sync for your Google Apps account. See http://www.google.com/support/mobile/bin/answer.py?answer=138740&topic=14252 for instructions.
2. On your iOS device (iPad, iPhone or iPod Touch) use the Safari web browser to navigate to http://m.google.com
3. Scroll to the bottom of the page and tap the Google Apps user? button.
4. A popup will appear prompting you to Enter your Google Apps domain. Enter your domain (everything after the @ in your email address) and tap Go.
5. Sign into your Google Apps account if prompted.
6. A Google Mobile page will load, with buttons for various services. Tap the Sync button.
7. A Manage Devices page will load. Tap to select the device you would like to add/delete calendars from (i.e. your iPhone).
8. Tap to check the box next to each calendar you want to sync. Tap to uncheck any calendar you wish to stop syncing.
9. Click Save.

The calendars for which you enabled sync should now be displayed in the iOS Calendar app. You may have to tap Calendars to return to the calendar selection and turn on the additional calendars if they are not displayed immediately.

Note: these instructions differ slightly from the published Google instructions pertaining to generic Gmail accounts (primarily skipping steps 3 and 4). If you would like to set up additional calendars for your personal Gmail account, please follow the steps here: http://www.google.com/support/mobile/bin/answer.py?answer=139206

Performing a CrashPlan PROe Server Installation

Wednesday, April 13th, 2011

This is a checklist for installing CrashPlan PROe Server.

Prepare your deployment:  Before you install the server software you should have the following ready:

  1. A static IP address. If this is a shared server, whenever possible, CrashPlan should have a dedicated network interface.
  2. (Recommended) Fully qualified host name in DNS. IP addresses will work, but for ease of management internally (and, even more important, externally), working DNS pointing to the service is best.
  3. Firewall port forwards for network connections. Ports 4280 and 4282 are needed for client-server communication, and to send software updates. 4285 is also needed if you wish to manage the server via HTTPS from the WAN.
  4. There should be a dedicated storage (preferably with a secure level of RAID) volume for backup data.
  5. Although a second server install (as server/destination licenses are free) is best for near-full redundancy, secondary destination volumes can be configured on external drives for offsite backup.
  6. LDAP connection. If you will be reading user account information from an LDAP server, make sure you  have the credentials and server information to access it from the CrashPlan Server install.
  7. If you’d like multiple locations to backup to local servers, ensure that your first master is installed in the most ideal environment for your anticipated usage. This is referred to as the Master server, which requires higher uptime and accessibility, as all licensing/user additions and removals rely upon it.

Installation

  1.  Go to https://www.crashplan.com/enterprise/download.html
  2. If you have not purchased CrashPlan licenses through a reseller, you can fill out the web form to be issued a trial master license key. Otherwise, check the “I already have a master key” checkbox to be presented with the downloads.
  3. Download the CrashPlan PROe server installer (the client software is located further down on the page.)  Choose the appropriate installer for your server (Mac, Windows, Linux, or Solaris.)
  4. Run the installer. When the installation completes you will be asked to enter the master key in order to activate the software.  If you don’t have it at that time, you can enter it later via the web interface.

Configuration

  1. Initial Setup. On the server, from a web browser, connect to http://127.0.0.1:4285. This is the web interface of the CrashPlan PROe Server. If you did not enter the master key during installation, you will be prompted to enter it here.
  2. Log into the server using the default admin user credentials provided on the screen.  Immediately change the username and password for the ‘Superuser’ by going to Settings Tab > Edit Server Settings in the sidebar > then Superuser in the sidebar. Just as with Directory Administrator user names, customizing the user name is also recommended.
  3. Assign networking information. Click on the Settings tab > Edit Server Settings > Network Addresses. You will see fields in which to enter the Primary and Secondary network addresses or DNS name(s). This information will match how clients attempt to connect to the server, so for ease of management, using an IP address for the primary and DNS for the secondary may make the most sense. Changes to the server’s address would therefore immediately propagate for clients instead of waiting for DNS, although TTL preparation would help. Another consideration is where the majority of the clients will be accessing the server from.
  4. Assign the default storage volume: By default, CrashPlan PROe will assign a directory on the boot volume as the storage volume. Navigate to the Settings tab > Add Storage. You will be presented with a page that has links to Add Custom Directory, Add Pro Server, or Unused Volumes. If the data volume is attached to the file system with a UNC path it will be listed as an Unused Volume. Select the new storage volume, optionally with a subdirectory. Finally, to indicate this new volume as the default storage volume for new clients, navigate to the Settings tab > Edit Server Settings, and the third line has a drop-down menu for Mount Point for New Computers. You can then remove the default storage location on the boot volume.
  5. Create Organizations. At installation time there will be one default organization. All new users created will be added to this group. You can create an arbitrary number of organizations and sub organizations, if you believe client settings should be propagated differently for certain departments. At least one sub-organization can be helpful in complex environments, especially with Slave servers. Each division can have managers assigned for managing, alerting, and/ or reporting purposes, as well.
  6. Create User Accounts. Users can be created manually in the web interface, during the deployment of the client software, or through LDAP lookups.
  7. Set Client Backup Defaults. If you’d like to restrict certain files or locations from the clients’ backups, you may do so from the Settings tab > Edit Client Settings. By default, nothing is excluded, but only the user’s home folder is included. It may be useful to restrict file types that the company is not concerned about, or modify the time period for keeping old versions. If storage space is a concern and customers are including very large files in the backup, you may want to purge deleted files on an accelerated schedule (default is never). Allowing reports to be sent to each individual customer can also be enabled, or optionally settings may be locked down to read-only. In particular, especially if multiple computers share the same account, forcing the entering of a password to open the desktop interface may be useful to turn on and not allow it to be changed. These changes can be propagated for the entire Master server, the organization, or an individual client/user installation.
  8. Install CrashPlan PROe on a test machine for final testing. The installation of a client will require the Registration key that is generated for the organization that the user should be ‘filed’ into, the Master server’s network information, the creation of a username (usually the customer’s email address, or the function that computer performs), and a password. Once complete, the client will register with the server and begin backing up the home folder of the currently logged-in customer (by default).

The All New Promise x30

Wednesday, April 13th, 2011

Yesterday, we mentioned Thunderbolt adapters for Xsan. But NAB 2011 isn’t over and we have more announcements to bring up. Promise has announced their all new x30 series. With a spiffy new chassis design, these things now sport 8Gbps controllers, up to 48TB of space and up to 8 in a stack (that’s 7 expansion per chassis).

Oh, and we’d be remiss not to mention the redesigned management screen, a massive improvement over the command and control pane of glass we had before! A web-based management tool, by the way, that works on iPad! And management is easier now that you don’t have to restart the units every time you need to make a software update.

For more information on the new Promise x30, see:

http://www.promise.com/storage/raid_series.aspx?region=en-US&m=1053&sub_m=sub_m_8&rsn1=40&rsn3=48

To discuss how 318 can assist your organization in leveraging these new tools from Promise, from integrating a fleet of MacBook Pros with Xsan to bolting on additional storage for the always-full Xsan, contact your 318 Professional Services Manager, or sales@318.com if you do not yet have one!

Thunderbolt Adapters for Xsan

Tuesday, April 12th, 2011

As usual, there’s plenty to talk about after NAB. One of 2011’s favorites for us so far is the ability to attach a MacBook Pro to an Xsan using one of the newly introduced Thunderbolt -> Fibre Channel adapters.

The above adapter, from Promise, allows for 4Gbps and is “Fully Qualified” for Xsan. This allows the mobile user to be a first class citizen in a fibre channel SAN environment, not having to go through slow NAS heads to access large files, but instead connecting directly to Xsan or other fibre channel solutions!

For more, see http://www.promise.com/storage/raid_series.aspx?region=en-US&m=1054&sub_m=sub_m_8&rsn1=40&rsn3=49