Archive for April, 2012

Managing Mail.app

Sunday, April 29th, 2012

Introduction

Mail.app is the built in mail reader for Mac OS X. Much of the configuration of email accounts is handled in the preferences for the application, available in the Mail menu as Preferences.

Creating a New POP or IMAP Email Account

From here, you can click on the Accounts icon in the toolbar to see a listing of accounts. Clicking on the + icon in the bottom left corner of the screen will bring up the Add Account wizard. First, you will enter the Full Name, address, and password. Keep in mind that the full name is used in the From header of outgoing messages.

Next, choose the account type – POP, IMAP, or Exchange. (See below for Exchange accounts). You can enter a description, but this is optional, and only used internally by Mail. Enter the address of the POP or IMAP server. The username will be automatically filled in with the local part of the email address. This is usually correct, but some mail servers will require that you use the full address. When you click Continue, Mail will attempt to connect to the server and verify that the information is correct. By default it tries to connect securely, so if the server’s SSL certificate is self-signed or invalid, you will get an error saying so. You can either cancel, continue anyway, or view the certificate. If Mail is unable to connect, you will get the Incoming Mail Security step, which lets you choose whether or not to use SSL, and which authentication method to use.

Now you will set up an SMTP server for outgoing mail. Again, the description is optional. Enter the address of the outgoing mail server. If authentication is required (as it should be), check the “Use Authentication” box. Mail will automatically fill in the username and password of the incoming mail server. The “Use only this server” box will prevent this account from failing over to any of the other configured SMTP servers to send mail.

As the last step, Mail will present you with a summary of the information you have entered. There is also a check box for “Take this account online”. If this is checked, Mail will immediately connect to the server after you finish the wizard. If there are other settings you’d like to change (IMAP mailbox behaviors, or POP settings for leaving mail on servers), you should leave this box unchecked.

 

Troubleshooting SMTP Issues

Incoming and outgoing mail are handled a bit differently from one another in Mail.app. This is helpful as you can have multiple outgoing accounts even if you only have one incoming accounts, which is useful if you move between a lot of different networks. This is also useful if one of your outgoing accounts is unavailable, as you can still send messages via one of the others.

 

To setup a new SMTP account, open the Accounts pane of the Mail.app preferences and choose Edit Server List… from the Outgoing Mail Server (SMTP): field. At the Server List screen click on the “+” icon and enter a description for the account. This can be anything to help the end user remember what this account is meant for. Then type in the name or IP address of the server in the Server Name: field. You can click on the Advanced tab here to customize the port, enable SSL or set the authentication type/parameters. Once you are satisfied with your settings, click on the OK button or click on the “+” sign to create another outgoing mail account.

This is also the method used for changing the settings of an SMTP account that was configured by the Add Account Wizard.

 

To setup which SMTP account your Mail.app account will use for SMTP,

 

Having multiple SMTP accounts can be confusing though. To remove an existing SMTP account, open the Accounts pane of the Mail.app preferences and choose Edit Server List… from the Outgoing Mail Server (SMTP): field. At the Server List screen, select the account you’d like to remove, and then click on the “-” icon.

Setting up an Exchange Account

Mail.app supports using a Microsoft Exchange account as a mail server. This works by connecting to the server via the owa web interface. This must be active in order for Apple Mail to make the connection. The other services of exchange, Calendar and Contacts, are handled by iCal and Addressbook.

Deleting an Email account

When you delete an email account in Mail.app you should first backup mail related to the account. Mail is stored in ~/Library/Mail. For each account, there will be folder named by Protocol, username, and incoming mail server, for instance IMAP-cedge@mail.318.com, or POP-someuser@pop.gmail.com. When you remove an account, Mail will remove this folder, so back it up first.

Then go to Mail -> Preferences, click on Accounts, select the account you’d like to delete, and click the “-” icon below the list. Mail will ask if you’re sure you’d like to do that.

Setting up the Spam Filter

The spam filter in Mail.app is built into the app and can be configured in the preferences under the Junk mail tab. You can enable or disable this feature as well as make some changes to what can be white listed

Creating Signatures

Mail.app allows you to have multiple signatures, each associated with a specified account. To create a signature, open Preferences, and click on the Signatures tab. On the left, choose the account for which you’d like to create a signature, and click the “+”. Enter a name for this signature, and then enter the text of the signature on the right.

The “Choose Signature” menu allows you to set how each account will behave when you create a new message. You can have it use the same signature all the time, or none, or choose one at random.

The “All Signatures” option shows you all signatures in all accounts. Creating a signature here will result in a signature that isn’t available for use with any of your accounts. Dragging a signature from the All Signatures list onto one of your accounts will make that signature available to that account.

Emailing A File To Box.net

Wednesday, April 18th, 2012

Box.net has a number of features that can be used for workflow automation. One such feature is the ability to have an email address that is tied to a folder. Most services support the ability for that email address to be used to inform users of updates to directories. However, a somewhat unique feature is that Box.net has the ability to assign an email address to the folder so that any time you send mail to the folder, that file is added to the folder. For example, I scan a contract and email it to a vendor, I can also bcc a box.net folder called contracts and the contract will appear in the folder.

To setup an email address for a folder, open Box.net and click on a folder that you’d like to get an email address assigned to. Then click on the disclosure triangle on the right side of the screen for Folder Options and click on Email Options.

At the Email Options tab of the Folder Properties overlay screen, check the box for Allow uploads to this folder via email. Here, you can also use the Only allow uploads from collaborators in this folder checkbox to restrict who is able to email files to the folder.

While emailing files to get them into a folder isn’t for everyone, it is a great new take on a dropbox type of folder. You can also then sync these folders with folders in Mac OS X and Windows. This type of functionality is also a great way to do student submissions of coursework, file-based workflows for iOS and various automated workflows based on emails.

Building A Custom CrashPlan PROe Installer

Friday, April 13th, 2012

CrashPlan PROe installation can be customized for various deployment scenarios

Customization of implementations for over 10,000 clients is considered a special case by Code 42, the makers of CrashPlan, and requires that you contact their sales department. Likewise, re-branding the client application to hide the CrashPlan logo also requires a special license.

Planning Your Deployment

A large scale deployment of CrashPlan PROe clients requires a certain level of planning and setup before you can proceed. This usually means a test environment to iron out the details that you wish to configure. Multiple locations, bandwidth, and storage are obvious concerns that will need a certain amount of tuning before and after the service ‘goes live’. Also, an LDAP server populated with the expected information or a prepared xml document that has identifiable machine information needs to be matched with account and registration data. Not just account credentials, but also filing computers and accounts into groups through the use of Organizations (which directly relate to the registration information used) should also be considered.

Which Files to Change

The CrashPlan PROe installer has different files for Windows and Mac OS X, but the gist is largely the same for either. There is a customizable script (or .bat file) in that you can use to specify variables to feed information into a template that are specific to your deployment. The script can be customized to reference ldap information, or even a shared data source that can provide account information based on an identifiable resource such as a MAC address.

Mac OS X 

Download the installer DMG and make a copy of it. The path we’ll be working in is:

Install CrashPlanPRO.mpkg/Contents/Resources/

Inside the Resources directory there is a Custom-example folder that contains the template and script to customize.

Duplicate the Custom-example to Custom

userinfo.sh is a configuration script that has (commented-out by default) sections for parsing usernames from the current home folder, hostname, or from LDAP. This would also be where one could gather other machine information ( such as mac address ) and match it to data in a shared document on a file server.

In the same folder as userinfo.sh is the folder “conf” which contains the file default.service.xml. The contents of this file can be fed variable information from the configuration script to set the user name, computer name, ldap specifics, and password that will be used upon installation. It is advisable to test new user creation when using LDAP and CrashPlan organizations, to ensure users . It is possible to specify those properties in this xml list.

So the process breaks down like this. edit the userinfo.sh to populate the default.service.xml. let the installer run and make contact with the server and let the organization policies set all non custom settings.

XML Parameters

default.service.xml has the following properties

Property
Description
config.servicePeerConfig.authority
By supplying the address, registrationKey, username and password, the user will bypass the registration / login screen. The following tables describe authority attributes that you can specify and their corresponding parameters.

Authority Attributes
Attributes
Description
address
the primary address and port to the server that manages the accounts and issues licenses. If you are running multiple PRO Server, enter the address for the Master PRO Server.
secondaryAddress
(optional) the secondary address and port to the authority that manages the accounts and issues licenses.

Note: This is an advanced setting. Use only if you are familiar with its use and results.

registrationKey
a valid Registration Key for an organization within your Master PRO Server. Hides the Registration Key field on the register screen if a value is given.
username
the username to use when authorizing the computer, can use params listed below
password
the password used when authorizing the computer, can use params listed below
hideAddress
(true/false) do not prompt or allow user to change the address (default is false)
locked
(true/false) allow user to change the server address on the Settings > Account page. (do not set if hideAddress=“true”)

Authority Parameters
Parameter
Description
${username}
determined from the CP_USER_NAME command-line argument, the CP_USER_NAME environment variable, or “user.name” Java system property from the user interface once it launches.
${computername}
system computer name
${generated}
random 8 characters, typically used for password
${uniqueId}
GUID
${deferred}
for LDAP and Auto register only! This allows clients to register without manually entering a password and requiring user to login to desktop the first time.
servicePeerConfig.listenForBackup
Set to false to turn off the inbound backup listener by default.

Sample Usage
All of these samples are for larger installations where you know the address of the PRO Server and want to specify a Registration Key for your users.
Note: NONE of these schemes require you to create the user accounts on your PRO Server ahead of time.

  • Random Password: Your users will end up with a random 8-character password. In order to access their account they will have to use the Reset My Password feature OR have their password reset by an admin.
  • Fixed Password: All users will end up with the same password. This is appropriate if your users will not have access to the CrashPlan Desktop UI and the credentials will be held by an admin.
  • Deferred Password: FOR LDAP ONLY! This scheme allows the client to begin backing up, but it is not officially “logged in”. The first time the user opens the Desktop UI they will be prompted with a login screen and they will have to supply their LDAP username/password to successfully use CrashPlan to change their settings or restore data.

Changing CrashPlan PRO’s Appearance (Co-branding)

This information pertains to editing the installer for co-branding. Skip this section if you are not co-branding your CrashPlan PRO.
Co-Branding: Changing the Skin and Images Contents

You can modify any of the images that appear in the PRO Server admin console as well as those that appear in the email header. Here are the graphics you may substitute:
.Custom/skin folder contents
Filename Description
logo_splash.png splash screen logo
splash.png transparent splash background (Windows XP only)
splash_default.png splash background, must NOT be transparent (Windows Vista, Mac, Linux, Solaris, etc.)
logo_main.png main application logo that appears on the upper right of the desktop
window_bg.jpg main application background
icon_app_128x128.png
icon_app_64x64.png
icon_app_32x32.png
icon_app_16x16.png icons that appear on desktop, customizable with Private Label agreement only

View examples
In the Custom/skin folder, locate the image you wish to replace.
Create another image that is the same size with your logo on it.
For best results, we recommend using the same dimensions as the graphics files we’ve supplied.
Place your customized version into the Content-custom folder you created.
Make sure not to change the filename or folder structure, so that CrashPlan PRO will be able to find the file.
Co-Branding: Editing the Text Properties File

You can change the text that appears as the application name or product name in CrashPlan PRO Client. Make your changes in thetxt_.properties files in the Custom/lang folder.
The txt.properties file is English and is the default language.
Each file contains the text for a language. Please refer to the Internationalization document from Sun for details (http://java.sun.com/developer/technicalArticles/J2SE/locale/).
The language is identified in the comments at the beginning of the file.
When you change the application or product name, keep in mind that using very long names could affect the flow / layout of the text in a window or message box.
Text Property Description
Product.B42_PRO The name of the product as it would appear on the Settings > Account page, such as CrashPlan PRO
application.name The application name appears in error messages, instructions, descriptions throughout the UI.

Creating an Installer

Make the customizations that you want as part of your deployment, then follow the instructions to build a self-installing .exe file.
How It Works – Windows Installs

Test your settings by running the CrashPlan_[date].exe installer.
Make sure the installer.exe file and the Custom folder reside in the same parent folder.
Re-zip the contents of your Custom folder so you have a new customized.zip that contains:
Crashplan_[date].exe
Custom (includes the skin and conf folders)
cpinstall.ico
Turn your zip file into a self-extracting / installing file for your users.
For example, download the zip2secureexe from http://www.chilkatsoft.com/ChilkatSfx.asp
The premium version is not required; however, it does have some nice features and they certainly deserve your support if you use their utility.
Launch zip2secureexe, then :
specify the zip file:customized.zip
specify the name of the program to run after unzipping: CrashPlan_[date].exe
check the Build an EXE option to automatically unzip to a temporary directory
specify the app title:CrashPlan Installer
specify the icon file:cpinstall.ico
click Create to create your self-extracting zip file
Windows Push Installs

Review / edit cp_silent_install.bat and cp_silent_uninstall.bat.
These show how the push installation system needs to execute the Windows installer.
If your push install software requires an MSI, download the 32-bit MSI or the 64-bit MSI.
If you have made customizations, place the Custom directory that contain your customizations next to the MSI file.
To apply the customizations, run the msiexec with Administrator rights:
Right-click CMD.EXE, and select Run as Administrator.
Enter msiexec /i

cp_silent_install.bat

@ECHO OFF

REM The LDAP login user name and the CrashPlan user name.
SET CP_USER_NAME=colt
Echo UserName: %CP_USER_NAME%

REM The users home directory, used in backup selection path variables.
SET CP_USER_HOME=C:\Documents and Settings\crashplan
Echo UserHome: %CP_USER_HOME%

REM Tells the installer not to run CrashPlan client interface following the installation.
SET CP_SILENT=true
Echo Silent: %CP_SILENT%

SET CP_ARGS=”CP_USER_NAME=%CP_USER_NAME%&CP_USER_HOME=%CP_USER_HOME%”
Echo Arguments: %CP_ARGS%

REM You can use any of the msiexec command-line options.
ECHO Installing CrashPlan…
CrashPlanPRO_2008-09-15.exe /qn /l* install.log CP_ARGS=%CP_ARGS% CP_SILENT=%CP_SILENT%

cp_silent_uninstall.bat

@ECHO OFF

REM Tells the installer to remove ALL CrashPlan files under C:/Program Files/CrashPlan.
SET CP_REMOVE_ALL_FILES=true
EHCO CP_REMOVE_ALL_FILES=%CP_REMOVE_ALL_FILES%

ECHO Uninstalling CrashPlan…
msiexec /x {AC7EB437-982A-47C0-BC9A-E7FBD06B1ED6} /qn CP_REMOVE_ALL_FILES=%CP_REMOVE_ALL_FILES%

How It Works – Mac OS X Installer

PRO Server customers who have a lot of Mac clients often want to push out and run the installer for many clients at a time. Because we don’t offer a push installation solution, you’ll need to use other software to push-install CrashPlan, such as Apple’s ARD.
Run Install CrashPlanPRO.mpkg to test your settings:
At the command line, type open Install\ CrashPlanPRO.mpkg from /Volumes/CrashPlanPRO/)
Launch Install CrashPlanPRO.mpkg to test your settings.
Unmount the resulting disk image and distribute to users.
Note: If you do not want the user interface to start up after installation or you want to run the installer as root (instead of user), change the userInfo.sh file as described in next section.
Understanding the userInfo.sh File
This Mac-specific file is in the Custom-example folder inside the installer metapackage. Edit this file to set the user name and home variables if you wish to run the installer from an account other than root, such as user, and/or you wish to prevent the user interface from starting up after installation.
Be sure to read the comments inside the file.
How It Works – Linux Installer
Edit your install script as needed.
Run the install script to test your settings.
Tar/gzip the crashplan folder and share it with other users.
Custom Folder Contents
When you open the installer zip file or resource contents and view the Custom-example folder, the structure looks like this:
Contents of resource folder
Custom (folder)
skin (folder)
logo_splash.png
splash.png
splash_default.png
logo_main.png
window_bg.jpg
logo_main.png
icon_app_128x128.png
icon_app_64x64.png
icon_app_32x32.png
icon_app_16x16.png
lang (folder)
txt_.properties
conf (folder)
default.service.xml
cpinstall.ico (Windows only)
must be created using an icon editor
userInfo.sh (Mac only)

Customizing the PRO Server Admin Console

You can also change the appearance of the PRO Server admin console and email headers and footers.
In the ./content/Manage, locate the images and macros you wish to modify and copy them into ./content-custom/Manage-custom using the same sub-folder and file names as the originals. Placing them there protects your changes from being wiped during the next upgrade.
Our HTML macros are written with Apache Velocity. If your site stops working after you’ve changed a macro, delete or move the customized version to get it working again.
Location of Key PRO Server Files
These locations may change in a future release so you will be responsible to move your customized versions to keep your images working.
CrashPlanPRO/images/login_background.jpg
CrashPlanPRO/images/header_background.gif
CrashPlanPRO/styles/main_override.css
macros/cppStartHeader.vm ++ (see below)
macros/cppFooterDiv.vm ++ (see below)
Email images are:
content/Default/emails/images/header/proserver_banner.gif
content/Default/emails/images/header/proserver_banner_backup_report.gif
++ These files are web macros. You’ll need to update these in place instead of copying them to the custom folder. They won’t work under the custom folder. Remember that our upgrade process will overwrite your changes.

Open Directory Deployment Checklist

Thursday, April 12th, 2012

Open Directory on Lion Server, if deployed properly, is simple to set up, and is a stable and reliable directory service. If not deployed properly, it’s still simple to set up, but can be maddeningly difficult to troubleshoot and manage. It’s important to deploy it properly.

Some things to consider prior to deployment:

  • You should always discuss the purpose of a Directory service with the client, and make sure that you’ve evaluated their needs correctly. Some of Lion Server’s services absolutely require the system to be an Open Directory Master, but some function just fine on a Standalone system. Device Manager, in particular, will take you through OD Master configuration as a part of its own setup.
  • If legacy user records or other data need to be migrated, this will need to be taken into account, and time should be budgeted for managing this data. If you’re replacing a Leopard or Snow Leopard Open Directory server, you can import an OD Archive, but it may not always be the best idea.
  • Open Directory deployments should always include both an Open Directory Master and an Open Directory Replica. Plan accordingly.
  • Proper DNS resolution is absolutely essential to a successful Open Directory deployment. All servers must have correct forward and reverse lookups. Open Directory will not work properly if DNS is incorrect. If your OD deployment is going to be self-contained, you can set up the DNS service on the OD Master and Replica, so that they can resolve each other, and then the clients can refer to the OD Master for name resolution. If you’re deploying OD into a larger infrastructure, though, it’s adviseable to have consistent DNS across the whole organization.
  • It is not recommended that .local be used as TLD on the network where you’re deploying Open Directory. Though it is possible to successfully deploy Open Directory into a .local namespace, the odds are against you. Don’t do it unless there’s really no other options.

You can, if you like, use Server Admin to set up Open Directory, but Server.app performs some steps that Server Admin doesn’t. I don’t recommend using it to do the initial setup. However, Server Admin can be helpful in managing Open Directory after deployment. The Server Admin tools are not installed by default on Mac OS X 10.7, so you’ll need to download them from Apple.

When deploying Open Directory, the first thing you need to do is verify that DNS is resolving correctly:

$ sudo changeip -checkhostname

Primary address = 10.1.1.1

Current HostName = odserver.pretendco.com
DNS HostName = odserver.pretendco.com

The names match. There is nothing to change.
dirserv:success = “success”

If changeip outputs this error, or one that sounds like it, please repair DNS or set the hostname properly before proceeding.

The DNS hostname is not available, please repair DNS and re-run this tool.

In Server.app, there is a utility that helps you change your system’s hostname. Click on the computer name, under Hardware, then click the Network tab, and then click “Edit”.

If your hostname is good, open Server.app. From the Manage menu, choose “Manage Network Accounts”. (If this option isn’t available, then this server is already managing network accounts, either as an OD Master or Replica.) This will start the setup assistant. You’ll need to provide an administrative account for Open Directory. Please note that this is not the same as the local administrative account that you create on initial server setup, and they should not have the same name. The default, Directory Administrator, is a good choice. Enter your Organization name and an administrator’s email address.

When you’re done, click the “Set Up” button, and you should be shortly returned to Server.app, with an Open Directory Master to manage.

At this point, it’s always a good idea to open up Console and check the logs, to make sure that there’s no glaring errors. The really informative one is /Library/Logs/slapconfig.log, but slapd.log and opendirectoryd.log, which are in /var/log, can also be very helpful.

Setting up a Qlogic Fibre Channel Switch For Xsan

Wednesday, April 11th, 2012

Qlogic switches can be configured via a built-in Web-based administration tool, or via their Command Line Interface over a serial connection. The Web-based tool is the fastest and easiest method of getting one up and running.

By default, Qlogic switches have an IP address of 10.0.0.1. The default username is “admin”, and the default password is “password”. Set your computer’s IP address to 10.0.0.2, with a Subnet Mask of 255.255.255.0 and no router/gateway. Open a web browser – Firefox is your best option – and go to 10.0.0.1. The Java applet will prompt a security warning – please confirm that the applet can control your computer. It won’t do anything bad.

On first logging in, you will be warned that the default password has not been changed. Please change the password. It’s very easy for somebody to make your fibre fabric not work right. Once you have done so, configure the IP address of the switch.

Please check and see if a firmware update is available for the switch before proceeding any further with setup. It’s definitely going to be easiesr to get a firmware update applied before you’ve got an Xsan using your fabric. Go to http://driverdownloads.qlogic.com/QLogicDriverDownloads_UI/NewDefault.aspx and click on Switches, then Fibre Channel Switches, choose the correct model, and click “Go”.

Devices on a fibre network are identified by their World Wide Name, or WWN. WWNs are guaranteed to be universally unique, which is a good thing, but they’re not designed to be read by humans. That’s why Qlogic lets you assign Nicknames to your devices. You should assign meaningful and easily decipherable Nicknames to all of your devices. Go to Fabric, and then Nicknames. You’ll see a list of all the WWNs (including vendor information), and which port they’re connected to. Double-click in the “Nickname” box, enter what you like, and when you’re done, click “Apply”. Accurate and comprehensible Nicknames make everything else easier, particularly the next step, which is Zoning.

Communication on a Fibre Channel network is controlled by Zones. In order for Fibre Channel devices to see one another (e.g. for clients to see storage), they must be in a zone together. In a small environment, it’s feasible to create a single zone, and place all devices in that zone. However, it isn’t necessary for Xsan clients and controllers to be able to communicate via Fibre Channel – all of their communication happens across the Metadata Network. If you want the best performance, then, it’s best to separate the devices logically into multiple zones to avoid excessive traffic on the Fibre Channel network. Devices can be added directly to a zone, or they can be grouped into Aliases, which can then be added to a zone.

As an example, imagine an environment with 15 Xsan clients, 2 Metadata controllers, and 2 Promise E-Class arrays. The clients need to communicate with the Promise storage, and the controllers do as well, but the clients and controllers don’t need to communicate with one another. Three aliases should be created and two zones should be created: one alias for each class of device, and one zone for each necessary communications channel.

Aliases

  • clients: Contains all Xsan clients
  • controllers: Contains both Metadata controllers
  • storage: Contains both Promises

Zones

  • XsanControllers: Contains the controllers and storage aliases
  • XsanClients: Contains the clients and storage aliases

Zones are contained in Zone Sets. Many Zone Sets can be configured, but only one Zone Set can be active at any time. Once you’ve created zones for your devices, put all those zones into a Zone Set, and make sure that you activate that Zone Set when you’re finished with your configuration changes.

Storage devices and clients on a Fibre Channel network present themselves to the switch differently, and require configuration specific to their role. There are port properties that need to be set to provide the best performance. Xsan controllers and clients are “Initiators”, and storage devices are “Targets”. Device Scan, when enabled, queries every newly connected device to determine whether or not it is a Target or an Initiator. I/O Streamguard attempts to prevent disruption by suppressing some types of communication between initiators. Since we know what every device will be, and what port they’re on, we can set Device Scan and I/O Streamguard appropriately and avoid the excess traffic.

Initiators: Enable I/O Streamguard Disable Device Scan Targets: Disable I/O Streamguard Enable Device Scan

Once you have your Nicknames, Zones, and port settings configured, you switch should be ready for use, and you can move on to configuring your storage, clients, and controllers.

Xsan Deployment Checklist

Tuesday, April 10th, 2012

One of the harder aspects of building systems consistently in a repeatable fashion is that you often need a checklist to follow in order to maintain that consistency. Therefore, we’ve started an Xsan Installation Checklist, which we hope will help keep all the i’s dotted and t’s crossed. Feel free to submit any items we should add to the checklist and also feel free to use it to verify the configuration of your own Xsans.

Preparation

[ ] Work out ahead of time how permissions will be dealt with:

  • Active Directory
  • Open Directory
  • Local Clients in same group with different UIDs.

[ ] If Active Directory is already in place, verify that system are bound properly.

[ ] If Open Directory is already in place, verify that system are bound properly.

[ ] If Open Directory is not already in place, configure Open Directory.

[ ] All client Public interfaces should have working forward and reverse DNS resolution.

Fibre Channel (Qlogic)

[ ] Update Qlogic firmware to latest on all switches.

[ ] Set nicknames for all devices in the fabric.

[ ] Export the nicknames.xml file and give to customer or import to workstation running Qlogic San Surfer.

[ ] Set the domain IDs on the Qlogic. Different Domain ID for each switch.

[ ] Set port speed manually on Qlogic and clients. Don’t use auto-negotiation.

[ ] Configure the appropriate Qlogic port properties for Targets (Storage) and Initiators (Clients).

Targets

  • Device Scan On
  • I/O Streamguard Off
  • Initiators
  • Device Scan Off
  • I/O Streamguard On

[ ] Avoid fully populating Qlogic 9200 blades, only use 8-12 ports of each blade to avoid flooding backplane.

[ ] If the switch has redundant power, plug each PS into different circuits.

[ ] Split HBA (client port) and storage ports across switches, i.e. port 0 on switch 1, port 1 on switch 2.

Storage (Promise)

[ ] Update Controller firmware to latest version

[ ] If client has a spare controller, update that as well.  Also label box with updated firmware number

[ ] Work out LUNs for MetaData/Journal and Data (MD should be RAID 1, Data should be RAID 5 or 6)

[ ] Adjust script for formatting Promise RAIDs – refer to this link  http://support.apple.com/kb/HT1200

[ ] Start formatting LUNS according to strategy – this can take up to 24 hours.

Metadata Network

[ ] If customer has Spanning Tree enabled, make sure Portfast is enabled as well. If possible, disable ST.

[ ] Verify that both clients and servers have GigE connection.

General Client/Server

[ ] Label your NICs clearly: Public LAN and Metadata LAN.

[ ] Configure Metadata network with IP and Subnet Mask only. No router or DNS.

[ ] Disable unused network interfaces.

[ ] Make sure Public Interface is top interface in System Preferences/Network

[ ] Disable IPv6 on all interfaces.

[ ] Energy Saver settings: Make sure “put hard disks to sleep when possible” is disabled.

[ ] Make sure Startup Disk is set to the proper local boot volume.

Metadata Controllers

[ ] Install XSAN on Snow Leopard machines and below (XSAN is included with Lion)

[ ] All MDCs should have mirrored boot drives, with AutoRebuild enabled.

[ ] Sync the clocks via NTP. Make sure all clients and MDCs point to same NTP server.

[ ] Add MDCs to XSAN

Volume Configuration

[ ] Label all the LUNs clearly.

[ ] Configure the MetaData LUN as a mirrored Raid 1.

[ ] Use an even number of LUNs per pool.

[ ] Use Apple defaults for block size and stripe breadth and test to see if performance is acceptable.

[ ] Do NOT enable Extended Attributes.

[ ] Verify email notification is turned on.

[ ] Make sure the customer knows not to go below 20% free space.

XSAN Creation/Management

[ ] Verify that the same version of Xsan is running on on all MDCs and clients.

[ ] For 10.6 and below – Add XSAN Serial numbers to XSAN Admin

[ ] Add Clients to XSAN

[ ] Verify performance of XSAN

  • Test speed
  • Test IO
  • Test sustained throughput
  • Test with different file types
  • Test within applications (real world testing)

[ ] Document XSAN for client

[ ] Upload documentation

 

Support for Windows XP and Office 2003 Ending

Monday, April 9th, 2012

Microsoft has announced an official end to support for Windows XP and Office 2003 on April 8, 2014. This means no security updates, fixes or even paid assistance for fleets of XP systems that still dominate enterprise environments. While there have been announcements that XP support is going away, Microsoft has continued to extend it until now. At this point, the products will be over 10 years old. The return on investment of the combination has been as good as any combination throughout the history of large scale IT deployments.

If you are still using Windows XP, 318 can work with you to migrate from Windows XP to Windows 7 or plan a migration to Windows 8 when it is available to the public. For assistance with such migrations, contact your 318 Professional Services Manager, or sales@318.com if you do not yet have one.

Secure Site-to-Site VPN tunnel using the ASA

Sunday, April 8th, 2012

Site to Site VPN enables an encrypted connection between private networks over a public network (i.e. the Internet).

Basic steps to configure a site-to-site VPN with a Cisco ASA begin with defining the ISAKMP Policy. An ISAKMP/IKE policy defines how a connection is to be created, authenticated, and protected. You can have multiple policies on your Cisco ASA. You might need to do this if your ASA needs to connect to multiple devices with different policy configurations.

  • Authentication: specifies the method to use for device authentication
  • Hash: specifies the HMAC function to use
  • Encryption: specifies which algorithm to use
  • Group: specifies the DH key group to use

Next, you will need to establish IPsec transform set. Different Firmware versions and different Cisco devices have different options for the following…

  • Esp-md5-hmac: ESP with the MD5 (HMAC variant) authentication algorithm
  • Esp-aes: ESP with the 128-bit Advanced Encryption Standard (AES) encryption algorithim.
  • Esp-des: ESP with the 56-bit Data Encryption Standard (DES) encryption algorithm.
  • Esp-3des: ESP with the 168-bit DES encryption algorithm (3DES or Triple DES)
  • Ah-md5-hmac: AH with the MD5 (HMAC variant) authentication algorithm
  • Ah-sha-hmac: AH with the SHA (HMAC variant) authentication algorithm

3. Configure crypto access list-

Crypto ACL’s are used to identify which traffic is to be encrypted and which traffic is not. After the ACL is defined, the crypto maps use the ACL to identify the type of traffic that IPSec protects.

It’s not recommended to use the permit ip any any command. It causes all outbound traffic to be encrypted, and sends all traffic to the specified peer.

4. Configure crypto map

Used to verify the previously defined parameters

5. Now apply crypto map to the outside interface.

VPN PIC

Configuration of ASA-1

You might have to enable ISAKMP on your device

ASA-1(config)#crypto isakmp enable

First defined the IKE polices on ASA-1

ASA-1(config)#crypto isakmp policy 10

The lower the policy number, the higher the priority it will set the ISAKMP policy to, affecting which policies will be used between sites.

General rule of thumb is to give the most secure policy the lowest number (like 1) and the least secure policy the highest number (like 10000)

ASA-1(config-isakmp)#encryption des

(enable encryption des)

ASA-1(config-isakmp)#hash md5

(enable algorithm md5 for hashing)

ASA-1(config-isakmp)#authentication pre-share

(enable Pre-shared method)

ASA-1(config-isakmp)#group 2

(enable group 2)

ASA-1(config-isakmp)#exit

(Exit from crypto isakmp mode)

  • The next step is to create a pre-shared key (password) on ASA-1.

ASA-1(config)#crypto isakmp key office address 10.1.1.2

(Here the Key is “office” and 10.1.1.2 is ASA-2 Address)

  • Now create an access list to define only interesting traffic.

ASA-1(config)#access-list 100 permit ip host 10.1.1.1 host 10.1.1.2

(100 is access list number and 10.1.1.1 is source address and 10.1.1.2 is destination address.)

  • Now create the transform-set for encryption and hashing.

ASA-1(config)#crypto ipsec transform-set ts2 esp-des esp-md5-hmac

(Here encryption type is des and hashing method is md5-hmac)

ASA-1(config)#crypto map testcryp 10 ipsec-isakmp

(crypto map name testcryp)

ASA-1(config)# crypto map testcryp 10 match address 100

(apply the access list)

ASA-1(config)# crypto map testcryp 10 set transform-set ts2

(apply the transform set)

ASA-1(config)# crypto map testcryp 10 set peer 10.1.1.2

(Set remote peer address)

  • Now apply the crypto map to the ASA – A interface

ASA-1(config)# crypto map testcryp interface outside

(Apply crypto map on outside interface)

ASA-1(config)# crypto isakmp enable outside

(To enable crypto isakmp on ASA)

Configuration of ASA-2

First defined the IKE polices on ASA-2

ASA-2(config)#crypto isakmp policy 10

(10 is isakmp policy number)

ASA-2(config-isakmp)#encryption des

(enable encryption des)

ASA-2(config-isakmp)#hash md5

(enable algorithm md5 for hashing)

ASA-2(config-isakmp)#authentication pre-share

(enable Pre-shared method)

ASA-2(config-isakmp)#group 2

(enable diffie-Helman group 2)

ASA-2(config-isakmp)#exit

(Exit from crypto isakmp mode)

  • The next step is to create a pre-shared key (password) on ASA – B.

ASA-2(config)#crypto isakmp key office address 10.1.1.1

(Here Key is “office” and 10.1.1.1 is ASA – A Address)

  • Now create an access list to define only interesting traffic.

ASA-2(config)#access-list 100 permit ip host 10.1.1.2 host 10.1.1.1

(100 is access list number and 10.1.1.2 is source address and 10.1.1.1 is destination address.)

  • Now create the transform-set for encryption and hashing.

ASA-2(config)#crypto ipsec transform-set ts2 esp-des esp-md5-hmac

(Here encryption type is des and hashing technique is md5-hmac)

ASA-2(config)#crypto map testcryp 10 ipsec-isakmp

(crypto map name testcryp)

ASA-2(config)# crypto map testcryp 10 match address 100

(apply the access list)

ASA-2(config)# crypto map testcryp 10 set transform-set ts2

(apply the transform set)

ASA-2(config)# crypto map testcryp 10 set peer 10.1.1.1

(Set remote peer address)

  • Now apply the crypto map to the ASA – B outside interface

ASA-2(config)# crypto map testcryp interface outside

(Apply crypto map on outside interface)

ASA-2(config)# crypto isakmp enable outside

(To enable crypto isakmp on ASA)

Now to verify the secure tunnel, ping to other remote location.

ASA-2(config)# ping 10.1.1.1

Filemaker 12 New Features & Key Changes

Friday, April 6th, 2012

FileMaker Pro 12, Go and Server were all released to the public in early April 2012. Each product brings its own set of new features. First and foremost is the new .fmp12 file format. It is the first file format update since version 7 of FileMaker which added multiple tables per file. This file format update feels more incremental but will introduce a number of changes for environments as they upgrade into the latest version. All the recently released products require this new file format.

Filemaker Pro 12 and Pro 12 Advanced
These are the workhorses of the Filemaker world. Much of the interface remains familiar to user of FileMaker 11 and earlier. Most of the updates in the FileMaker Pro client are related to layout and display. Version 12 provides new visual updates including gradients, alpha channel support, rounded ends on data fields and image slicing. Guides for common screen sizes for both Desktop and iOS devices will make layout designers much happier by reducing the number of times you’ll need to go back and forth between Layout and Browse while tweaking a layout to see if you’ve exceeded the display dimensions. Additional visual goodies in the new version include rounded buttons and hover states. All these visual goodies make Filemaker 12 appear much like CSS-3 webpages.

Containers are now treated a bit differently. You can specify default locations for files stored in containers. This option is selected in FILE:MANAGE:CONTAINERS. Container files also have additional options when defining them as fields in the database. In Field Options:Storage, there is a new section for Containers where you can specify the default location, and whether or not the file is encrypted (by choosing Secure Storage or Open Storage).

Real World Performance.
Working on a client file, conversion from .fp7 to .fmp12 took about 15 minutes for a 650MB file with around 700K records in it. Conversion was smooth and the resulting file opened and appeared and parsed ok, both in terms of schema, data, scripts and security. A script for parsing through some text fields for an automated data migration takes about 13 minutes to run in FileMaker Advanced 11 and FileMaker Advanced 12. Performance appears to be substantially similar among the clients without making further changes, although given some of the new features of 12, it is entirely possible to get far better performance, especially if you have a 64 bit system.

Filemaker Server and Server Advanced
FileMaker Server packs perhaps the biggest change in a 64 bit engine on the backend. This will make FileMaker Server Admins much happier. This means that FileMaker Server will be able to address much larger datasets natively in RAM, without paging them to disk. Also of interest to the FileMaker Database administrator is new progressive backups which should allow for a better balance between performance of the database and protection of the data. Backup and plugins have now been spun out to their own processes so a problem with either backup or a problematic plugin won’t take down your whole FileMaker Server.

Containers in databases hosted on the server will also now support progressive downloads so that you won’t need to wait for an entire video to download before you can start watching it. This will be a boon to iOS users. Which leads me to the final piece of the new FileMaker 12 triumvirate.

FileMaker Go
FileMaker Go also sports many of the new features of its siblings. Support for the .fmp12 is the biggest change, but not the only change. Also of interest is the ability to both print and export records. This will make FileMaker Go much more attractive as a client for users out in the field. No longer will you need to have FileMaker on a laptop or desktop to get outputs for clients or hard copies for signatures. The final coup de grace for Filemaker Go is its price, free from the App Store. FileMaker Go still requires a database created with Filemaker Pro or Advanced 12. FileMaker Go doesn’t provide the tools for developing a database as that’s not really what it’s meant to be. Once developed, the database can either be hosted on the iOS device itself or FileMaker Server for collaboration with other users (both iOS and FileMaker Client users). Databases hosted locally, as may be the case if you have users going offline, can then be synchronized to the server when the device comes back online (which may require some custom work to get just right).

FileMaker 12 Pro, Advanced, Server and Server Advanced are available as either a boxed product or a download from www.filemaker.com. FileMaker Go is available as a free download from the App Store. 318 is a FileMaker partner and our staff are enthusiasts of the product. If you need help or want to discuss a migration to the latest version FileMaker, please feel free to contact your Professional Services Manager, or sales@318.com if you do not yet have one.

Setting up Netboot helpers on a Cisco device

Tuesday, April 3rd, 2012

Configure a Cisco device for forwarding bootp requests is a pretty straightforward process. First off, this will only apply to Cisco Routers and some switches. You will need to verify if you device supports the IP Helper command. For example, the Cisco ASA will not support bootp requests.

By default the IP Helper command will forward different types of UDP traffic. The two important ones 67 and 68 for DHCP and BOOTP requests. Other ports can be customized to forward with some other commands as well. But it is quite simple pretty much if you have a Netboot server you can configure the IP Helper command to point that servers IP address.

Here is an example, lets say your NetBoot server has an IP Address of 10.0.0.200. You would simply go into the global configuration mode switch to the interface you want to utilize and type “ip helper-address 10.0.0.200″ to simply relay those requests to that address. Depending on your situation you also might want to setup the device to ignore BOOTP requests (in cases that you have DHCP and BOOTP on the same network). That command is “ip dhcp bootp ignore”. Using the IP helper and Bootp ignore command together will ensure that those bootp requests are forwarded out the interface to the specified address.

Last if you have multiple subnets you can setup multiple IP Helper address statements on your device to do multiple forwarding.

Installing a SonicWALL ViewPoint Virtual Machine

Monday, April 2nd, 2012

When installing a Viewpoint VM machine you will need to download three items.

First is the SonicWALL_ViewPoint_Virtual_Appliance_GSG.pdf available from mysonicwall.com
This will be you step by step instruction manual for installing the Viewpoint VM.
Next you will need to identify which version VXI host and then download the same version client as your VXI host.
Lastly you will need log into mysonicwall.com and download the sw_gmsvp_vm_eng_6.0.6022.1243.950GB.ova from mysonicwall.com

When you have all three of these downloaded open the SonicWALL_ViewPoint_Virtual_Appliance_GSG and start going through the step by step instructions.
You will first install the VM client and may run into the first gotcha. Depending on machine setup the .exe may be blocked from running.
The download will look like this: VMware-viclient-all-4.1.0-345043.exe.zip, get properties on this file and unblock if blocked.
After the install of the VM client follow the instructions in the PDF till you get to page 18 step 2.

2. When the console window opens, click inside the window, type snwlcli at the login:
prompt and then press Enter. Your mouse pointer disappears when you click in the
console window. To release it, press Ctrl+Alt

Here is where you will run into the biggest gotcha.

You will be ask to log into with name and password, on first login use name of: snwlcli no password,
Then use the default name and password and continue.