The update comes with fixes to better language, smart card ServerBackup, Profile Manager, opendirectoryd/directory images, file sharing and support for a number of other aspects of the OS. Some specific aspects include disconnecting specific users w/ Server.app, more ACL information in Server.app, setting login greetings, etc.

The client update and available information is available at OS X Lion Update 10.7.3 (Client)

The client combo update and available information is available at OS X Lion Update 10.7.3 (Client Combo)

The server update is available at OS X Lion Update 10.7.3 (Server)

The server combo update is available at OS X Lion Update 10.7.3 (Server) Combo

The Server Admin Tools are available at Server Admin Tools 10.7.3

Also, ARD has been revved up to 3.5.2. It is available at Apple Remote Desktop 3.5.2 Client

Also, of note, AirPort Utility also got an update yesterday. It is available at AirPort Utility 6.0 for Mac OS X Lion

The checklist can be downloaded here:

318 CatDV Installation Checklist

For more information about CatDV, related storage issues or other aspects of your technology environment, please feel free to contact your Professional Services Manager or sales@318.com. For more information about 318, see us on the web at 318.com.

ActiveSAN Joined By High-Capacity On-line Storage and Near-line Archive Components for Adaptable Production Platform

LAS VEGAS (Storage Visions), January 9, 2012 – Active Storage, the leader in high-performance storage solutions for media and creative professionals, today announced the mMedia platform, a complete end-to-end workflow storage solution for post and broadcast production.

The mMedia platform centers around an enhanced ActiveSAN high- performance metadata controller appliance, and adds two exciting new products, mRAID and mVault (also announced today, see related releases), along with optimized management software; all were combined and demonstrated for the first time, live, on the Storage Visions show floor to reveal a complete, unified mMedia platform installation.

With scalable performance and capacity, mMedia provides content producers the components to assemble complete storage solutions that meet their individual needs plus the integration and management software that lets them choose the best production tools in the industry. Together mMedia is more than a collection of components; it’s a complete media creation storage platform for storing and managing content from ingest to archive.

“mMedia is the platform of the future for broadcast production,” said Alex Grossman, founder and president of Active Storage, Inc. “mMedia provides an integrated workflow storage platform with the performance, scalability and configuration flexibility to meet nearly every broadcast and post-production facility’s ingest, on-line and near-line archive capability.”

The mMedia platform leverages Active Storage’s strong partnerships with industry leaders by offering an open platform that works with other production solutions.

“The mMedia platform is a very exciting development for the Levels
Beyond Reach Engine,” says Art Raymond, CEO of Levels Beyond. “We deploy to some of the largest and most demanding creative workflow sites in the world, including major MSO’s, Studios, Broadcast Networks and Live Sports distributed globally. We’re very enthusiastic about the potential of deploying our solution leveraging the new mMedia Platform to deliver even tighter integration, speed and management for a more advanced customer experience than exists in the market today.”

“Our technology on Active’s mMedia platform can support significantly more capable Media Asset Management solutions for Adobe Premiere, Apple Final Cut and Avid workflows,” says Danny Gold, VP Client Solutions of Levels Beyond. “The combination of Reach Engine and the new mMedia Platform is a complete game- changing way to deliver cost-effective, seamlessly integrated high- performance archive solutions.”

About Active Storage:
Active Storage, Inc. is the innovative storage leader for media and creative professionals, broadcast, post-production, on-line and archive solutions. Fast, reliable and easy to deploy, Active Storage products deliver a best-of-breed user experience, marrying award-winning industrial design, unmatched speed, reliability and customer service. Ease of use and robust performance make Active Storage the first choice for complex professional storage deployments.

318 is an Active Storage reseller and can work with you to plan for and acquire Active Storage products into your storage environment. For more information, contact your 318 Professional Services Manager or sales@318.com if you do not yet have one.

XSNMP-MIB can be downloaded from GitHub, or directly from Lithium.

Download the XSNMP-MIB.txt file and put it in /usr/share/snmp/mibs. You can verify that the MIB is loaded by running snmpwalk on the system, specifying the XSNMP Version OID. If snmpwalk returns the version, the MIB is installed correctly. If it returns an error about an “Unknown Object Identifier”, then the MIB isn’t installed in the right spot.

bash$ snmpwalk -c public -v 1 my.server.address XSNMP-MIB::xsnmpVersion
XSNMP-MIB::xsnmpVersion.0 = Gauge32: 1


The fact that the MIB was developed by Lithium doesn’t stop us from using it with Nagios, though. You can define a Nagios service to gather the free space available on your Xsan volume by adding the following to a file called xsan_usage.cfg. Put the file in your Nagios config directory.

define service{
host_name xsan_controller
service_description Xsan Volume Free Space
check_command check_snmp!-C public -o xsanVolumeFreeMBytes.1 -m XSNMP-MIB
}


The host_name should match the Nagios host definition for your Xsan Controller. The service_description can be any arbitrary string that makes sense and describes the service.

The check_command definition is the actual command that’s run. The -C flag defines the SNMP community string, the -m flag defines which MIB should be loaded (you can use “-m all” to just load them all), and the -o flag defines which OID we should return. “xsanVolumeFreeMBytes.1″ should return the free space, in MB, of the first Xsan volume.

The first question should always be, “Do we need to implement a new solution?” In many cases, and at least for now, the answer may be “No, not yet.” There will come a time, however, when the needs of the workflow, software, hardware, or some other factor will necessitate a new Digital Asset Management (DAM) System implementation.

Once the decision has been made to deploy a new DAM, many additional questions will arise. How do we keep our metadata intact? Can we re-use our clip and edit proxies? How do we keep our current automations? 318 can work with you to address these issues. We are asking ourselves the same questions with an eye towards minimizing the hassles associated with migrating such a major piece of infrastructure.

318 has spent the last year evaluating many of the DAM solutions in the marketplace, with an emphasis on whether or not the solution is an appropriate replacement for Final Cut Server in terms of cost, functionality and scalability, and after many internal discussions, CatDV best matched these criteria. In terms of cost, CatDV is one of the most affordable solutions in the marketplace. In terms of functionality, CatDV matches or exceeds the functionality of Final Cut Server. In terms of scalability, CatDV far exceeds the capabilities of Final Cut Server.

The final link in the chain is migrating data and recreating workflows from Final Cut Server to CatDV. 318 has the facility and ability to migrate your metadata with a minimum of user intervention. We also have the ability to analyze your Final Cut Server workflows and re-create the functionality in CatDV, including shell scripting and highly customized workflow integrations for ingest and archive.

We are a CatDV authorized reseller, and have staff trained by CatDV personnel. 318 stands ready to spec, deploy, configure and maintain your CatDV solution and help you with the transition from your Final Cut Server to CatDV. Please don’t hesitate to contact us for a demo and discussion of what CatDV can do for your video workflows.

Finally, 318 is working with other vendors to continue expanding our portfolio of SAN and DAM solutions. Keep on the lookout for what will hopefully be a few other additions once our thorough vetting process has been completed! If you would like further information on any of this, please feel free to contact your Professional Services Manager or sales@318.com if you do not yet have one.

You can download Google Currents for your device here.

To add the Tech Journal to your library in Google Currents, follow this link in the browser on your device.

Happy reading!

check_snmp -m ALL

Overall, setting up Nagios to be able to leverage MIBs from 3rd party vendors is an easy task, if not tedious when there are a lot of settings you’d like to walk through with SNMP.

defaults write -g ApplePressAndHoldEnabled -bool NO

However, even though the App Store and Software Update Server in Mac OS X Server make things easier, there’s no simple way to download things once and distribute the downloaded files to multiple machines for items purchased on the App Store. When large updates come out (such as a new version of iOS), you’re essentially downloading huge amounts of data to each and every machine, and if machines are set to automatically download updates, you could even have a large number of them downloading simultaneously.

Of course you can run your own Software Update service in Mac OS X Server, but this requires that every client machine be configured to use the local server. This works well for machines under your control, but for all those people who bring in their own laptops this doesn’t help.

What’s worse is that there’s currently no way whatsoever to run a Software Update-like service for App Store purchases. Imagine if you have a lab of dozens or hundreds of Macs with Final Cut X or iPads (or iPhones, iPod Touches, whatever comes out next with iMovie or ). Any time there’s an update you’re potentially downloading over a gigabyte per machine in the case of Final Cut X or 70 megabytes or so in the case of iMovie. That can easily add up to a tremendous amount of traffic and the congestion, complaints and headaches which go with it..

What’s needed is an easy way to cache App Store downloads. While we’re at it, it would also be nice to transparently have machines use our own Software Update server. Let’s be even a little more ambitious and do this without needing Mac OS X Server. Aw, heck – let’s make it work on any reasonably Unix-like OS.

So how do we do this? The App Stores and Software Update services use http for fetching files. So what we need to do is to capture those http requests and either redirect them to a local store of Software Update files or locally cached App Store files.

Just as an aside, it’d be tremendously difficult to create a local store of App Store files if for no other reason than the fact that there are currently more than half a million applications. Add to this the rate at which updates become available and your machine would probably never be finished attempting to download all of the applications! Considering this, we’re looking at running Apache and squid on our Unix-like machine and doing a little redirection magic on whatever device does NAT or routes for us.

Note: There’s no reason that the same machine can’t do both NAT/routing and Apache/squid, although in most environments we are assuming that the machine would simply be a proxy for Mac or iOS-based devices. To make this example end-to-end though, we’ll run the router on the host.

Our example uses a Mac OS X (non-Server) machine running Leopard which is doing both NAT and running our Apache and squid software. We’re simply using the Internet Sharing service, the public network interface is en0 (which we don’t use anywhere) and the interface which will serve our iOS and Apple clients is en1 and has the address 10.0.2.1.

Everyone has their own favorite way of installing software on Unix-like OSes and a discussion about which is best and why would certainly be outside the scope of this article. In these examples we’re using NetBSD’s pkgsrc for no other reason than the fact that it will compile packages from source with a base directory which is easily configurable (feel free to use ports or some other automated tool according to what platform you are using). Get pkgsrc (usually via cvs; we’ll assume it’s put into /usr which can be as simple as:

cd /usr ; setenv CVSROOT :pserver:anoncvs@anoncvs.netbsd.org:/cvsroot ; cvs checkout -P pkgsrc

And then run /usr/pkgsrc/bootstrap/bootstrap like so:

cd /usr/pkgsrc/bootstrap/
./bootstrap --prefix /usr/local --pkgdbdir /usr/local/var/db/pkg --sysconfdir /usr/local/etc --varbase /usr/local/var --ignore-case-check

This puts all files into /usr/local including logs and configuration files, so keeping your system clean is simple and keeping track of the differences between built-in and pkgsrc software is easy. Next, install pkgsrc’s www/squid and www/apache (and net/wget if your Unix doesn’t already have it):

cd /usr/pkgsrc/www/squid
bmake update
cd /usr/pkgsrc/www/apache22
bmake update
cd /usr/pkgsrc/net/wget
bmake update

Note that on systems like Mac OS X which come with GNU make by default, that pkgsrc uses bmake; if you have BSD make already, just use make. Another note is that /usr/local/sbin is not in Mac OS X’s path by default, so add /usr/local/sbin to /etc/paths if you’re going to use it.

Now that the software is installed in consistent locations we can configure it. The squid.conf file only needs one line to be changed; everything else is added. Find the line which says:

http_port 3128

And change it to:

http_port 3128 intercept

Then add the following lines:

maximum_object_size_in_memory 4096 KB
cache_replacement_policy heap LFUDA
cache_dir ufs /usr/local/var/squid/cache 16384 16 256
maximum_object_size 2097152 KB
refresh_pattern -i .ipa$ 360 90% 10800 override-expire ignore-no-cache ignore-no-store ignore-private ignore-reload ignore-must-revalidate
refresh_pattern -i .pkg$ 360 90% 10080 override-expire ignore-no-cache ignore-no-store ignore-private ignore-reload ignore-must-revalidate
acl no_cache_local dstdomain 10.0.2.1
cache deny no_cache_local
redirect_program /usr/local/bin/rewrite.pl

These settings are chosen to cache large files up to 2 gigabytes in size in a 16 gig cache on disk and to ignore cache directives with regards to .pkg and .ipa files. Adjust to your own liking. Of course, replace 10.0.2.1 with the private IP of your machine. The cache deny with that address is used to make sure that redirected Software Update files are not cached in squid which would just take up room which better used for App Store files.

The URL rewriting script (create /usr/local/bin/rewrite.pl) just changes Apple Software Update URLs to point to our server:

#!/usr/bin/env perl
$|=1;
while (<>) {
s@http://swscan.apple.com@http://10.0.2.1/swscan.apple.com@;
s@http://swcdn.apple.com@http://10.0.2.1/swcdn.apple.com@;
s@http://swquery.apple.com@http://10.0.2.1/swquery.apple.com@;
print;
}

Next we configure Apache. The location you choose for the Software Update files can be anywhere (in our example, they’re on a FireWire attached drive mounted at /Volumes/sw_updates/) which needs to be allowed in the Apache configuration.

Add to /usr/local/etc/httpd/httpd.conf:

The log lines are purely optional. If you don’t add them, logs will still be written at /usr/local/var/log/httpd/access_log and error_log.

Next, we configure ipfw (in the case of Mac OS X or FreeBSD) to redirect all port 80 traffic transparently to our squid instance. If you’re using a different device for NAT/routing or different firewalling software such as ipfilter, see the examples listed below.

ipfw add 333 fwd 10.0.2.1,3128 tcp from any to any 80 recv en1

Note that on Snow Leopard and Lion you’ll need to make this change, too:

sysctl -w net.inet.ip.scopedroute=0

ipfilter would look like this for the same ipfw task from above (if you’re using Linux):

rdr en1 0.0.0.0/0 port 80 -> 10.0.2.1 port 3128 tcp

Again, the local private IP is 10.0.2.1 and the local private interface is en1; substitute your IP and interface.

Finally, we need to mirror all Apple Software Updates. A simple shell script can do this. Save this file somewhere (named mirror_swupdate.sh, for instance) and run it from cron now and then, perhaps once a night:

#!/bin/sh

location=$1 # This is the root of our Software Update tree
mkdir -p $1
cd $1

for index in index-leopard-snowleopard.merged-1.sucatalog index-leopard.merged-1.sucatalog index-lion-snowleopard-leopard.merged-1.sucatalog
do
wget --mirror http://swscan.apple.com/content/catalogs/others/$index

for swfile in `cat swscan.apple.com/content/catalogs/others/$index | grep "http://" | awk -F">" '{ print $2 }' | awk -F"<" '{ print $1 }'`
do
echo $swfile
wget --mirror "$swfile"
done
done

Invoke this with the top of the tree of your Software Update files as you’ve used in the Apache config, like so:

./mirror_swupdate.sh /Volumes/sw_updates

Expect this to run for a long time the first time you run this because you’ll be downloading around 60 gigabytes of updates. Every time it runs afterwards, though, files won’t be downloaded again unless they change (which they won’t; new updates will show up as new files).

Start squid and Apache, then tail your Apache log and run Software Update to test:

/usr/local/share/examples/rc.d/apache start
/usr/local/share/examples/rc.d/squid start
tail -f /usr/local/var/log/httpd/swupdate_access_log

At this point, you can redirect your software updates to the host. Updates for both the Mac App Store and iOS are also now cached. In the next article we’ll look at using some squid extensions to enable you to block applications from the App Stores or block updates in the event that an update is problematic.

The access control list (ACL) methodology on the Cisco ASA is interface-based. Therefore, each interface must have a specified security level (0-100), with 100 being most secure and 0 being least secure. Once configurations are in place, traffic from a more secure interface is allowed to access less secure interfaces by default. Conversely, less secure interfaces are blocked from accessing more secure interfaces.

Some common commands used to configure Cisco ASA interfaces include:

• nameif – used to name the interface
• security-level – used to configure the interface’s security level
• access-list – used to permit or deny traffic
• access-group – applies an ACL to an interface

We can configure an access list to permit or deny traffic, based on a specific port or protocol. With deny-by-default, everything is automatically blocked and must be explicitly allowed (on Routers it is the opposite where everything is allowed and you have to deny ports or protocols to block them).

Let’s say we want to configure an ACL on an ASA to permit all FTP traffic from any host to 192.168.1.10. To do this, we must input the following ACL:

ASA(config)# access-list OUTBOUND permit tcp any host 192.168.1.10 eq ftp

Now let’s say we want to configure an ACL on an ASA to deny all FTP traffic from any host to 192.168.1.10. To do this, we must input the following ACL:

ASA(config)# access-list OUTBOUND deny tcp any host 192.168.1.10 eq ftp

Access lists are also used in defining rate limit’s when defining QOS settings. Here is a helpful guide to assist in choosing the right number to associate to an ACL:

Protocols with Access Lists Specified by Numbers

• Protocol                                                                          Range
• IP                                                                                      1-99, 1300-1999
• Extended IP                                                                   100-199, 2000-2699
• Ethernet type code                                                       200-299
• Ethernet address                                                          700-799
• Transparent bridging (protocol type)                    200-299
• Transparent bridging (vendor code)                      700-799
• Extended transparent bridging                               1100-1199
• DECnet and extended DECnet                                 300-399
• XNS                                                                                 400-499
• Extended XNS                                                               500-599
• AppleTalk                                                                      600-699
• Source-route bridging (protocol type)                   200-299
• Source-route bridging (vendor code)                     700-799
• IPX                                                                                  800-899
• Extended IPX                                                               900-999
• IPX SAP                                                                        1000-1099
• Standard VINES                                                           1-100
• Extended VINES                                                          101-200
• Simple VINES                                                               201-300

In our previous tech journal article, we touched on the history of sandboxing, from its evolution out of the POSIX model to the more granular controls provided by the ACL model and how they are both derived from a concept called Discretionary Access Controls. For this discussion, please check out out previous article “A brief introduction to Mac OS X SandBox Technology.”

New Sandboxing & Privilege Separation in Lion

This article will attempt to clarify and explain the changes in Lion and iOS sandboxing and the upcoming change in requirements for App Store submissions.  Apple has decreed that all applications submitted to the App Store MUST be sandboxed, originally the deadline was November 2011, but the deadline has recently been moved back to March 1, 2012.

iOS sandboxing has been in place for a while now.  iOS applications can only see their own data and documents, cannot alter your devices underlying settings, and generally appear to be isolated from other apps on your iOS device.  Apple has brought this methodology to Macs with 10.7 Lion.

Compared to previous Mac OS security models, Lion has made leaps and bounds in terms of sandbox security, with Apple finally promoting the technology for use by third party developers.  The 2 ways of Apple has increased security is through Sandboxing and Privilege Separation.  Sandboxing refers to the process whereby a developer specifies a list of expected operations an application will perform, while Privilege Separation refers to splitting an application or daemon into more granular pieces where each piece is only given rights to its particular task.  Every sandbox application must include a set of “entitlements,” or a list of resources the application needs to perform its tasks.  Lion has around 30 entitlements ranging from low-level operations (e.g. creating or listening to network connections), to higher level operations (e.g. printing or accessing the camera).

Application Sandboxing

App Sandboxing can help prevent flaws or oversights in programming from becoming security threats via privilege escalation.  By specifying a set of entitlements, a developer tells the OS which operations are allowed and expected.  This way if a user process tries to perform a task that is not entitled, the OS will not allow the task.  This makes executing arbitrary code from a problem like a buffer overflow much less likely.  Listing entitlements also lets the system know to create a container directory for the application itself and runs it inside a sandbox configured for that particular application. If a developer creates an internet browser application and didn’t grant the entitlements to the camera and microphone, a website with malicious code trying to access the camera would be thwarted by the OS.

The container directory is where your sandboxed application can read and write its private files and data, including preferences, autosave info and other information needed by the application itself.  The sandboxed application is prevented from accessing data and files from outside the sandbox with a few exceptions, like the systems Open and Save dialog boxes, which require user intervention to explicitly work outside the sandbox. Upon first launch, the OS creates a container directory in ~/Library/Containers with the application bundle identifier as the directory name (e.g. com.apple.TextEdit).

Sandboxing an application is not a replacement for good coding practices or testing.  Indeed, sandboxing actually will increase the requirements for testing as each entitlement will need to be verified and tested, but it will provide a valuable line of defense against unanticipated malware or other nefarious activity.

App Store Sandboxing

While not being privy to behind the scenes discussions at Apple, the benefits of requiring Application sandboxing for App Store submissions are fairly intuitive. By requiring sandboxing, Apple will simplify its audit process and can more easily provide security assurances for App Store purchases.  Ars Technica seems to confirm this as well.   By sandboxing all Apps, Apple will greatly reduce the potential for rogue code coming out of the App Store, thereby reducing their potential liability.

Adding Sandboxing to your applications in Xcode

To sandbox an application in Xcode, you will need a couple of things. One is a valid code signing certificate issued by a trusted third certification authority (think Verisign, Thawt or Digicert).  Self-signed certificates won’t work as your Certificate Authority (CA) credentials are not included in either the Mac OS or iOS.  The CA root certificate allows a chain of trust to be built to your code signing certificate. Apple has more info on their Root Certificate program here.

An entitlements .plist, named Info.plist.  You will add this file in your project in Xcode.  The Info.plist must have the following Keys:  CFBundleIndentifier, CFBundleName.  The identifier MUST be globally unique.  To help ensure this, please include your company’s name in the indentifier (e.g. com.318.OurLatestApp).  Apple recommends that the identifer be in reverse DNS notation as well.  Your Info.plist must include all the entitlements your application needs.

In Xcode, please add the following linker flags:

-sectcreate __TEXT __info_plist Info.plist_path

where Info.plist_path is the complete path of the Info.plist file in your project.

These flags should be added to the OTHER_LDFLAGS build variable in Xcode.  Please refer to the documentation for other development environments.

You will also need to go into the summary tab for your Xcode project and check

• Enable Entitlements
• Enable App Sandboxing

A comprehensive guide to code signing and entitlements is available from Apple here.

Wrapup

Apple’s new paradigm for security will provide additional protection from malicious code.  This new paradigm will necessitate some additional planning and testing.  It will allow Apple to better ensure that any App from the App Store will not harm your computing experience. Apple has a list of entitlements that must be used, but you must be a developer to access this content. In the writing of this article we have attempted to be cognizant of what is and is not under non-disclosure, so if you need access to that, then please grab a free account at the Apple Developer Connection.

Once SquidMan is downloaded, copy the SquidMan application bundle to the /Applications directory. Then open it. At the Helper Tool Installation screen click on the Yes button.

At the Squid Missing screen click on the OK button to install squid itself.

The Preferences screen then opens. Click on the Clients tab and, if you would like to restrict access to only a set of IP addresses, define them (or use the net mask to define a range).

Click on the General tab. Here, provide the following information:

• HTTP Port: The port number that the proxy will run on.
• Visible hostname: The hostname of the server (e.g. proxy.318.com).
• Cache size: The total amount of space used for the proxies cache.
• Maximum object size: The maximum size of single cached files.
• Rotate logs: The frequency with which log files are rotated (I usually use Manually here).
• Start Squid on launch: Automatically start squid when SquidMan is launched, and delay start by x number of seconds.
• Quid Squid on logout: Define whether logging out of the server also stops squid.
• Show errors produced by Squid: Displays squid’s errors in SquidMan.

Click on the Parent and define a proxy server that this one will use (if there is one, otherwise it just uses the web to directly access files). This feature is only used if you are daisy chaining multiple squid servers.

Click on the Direct tab and enter any sites that should not be proxied. Internal staging environments are a great example of sites that should bypass proxy servers.

At the Template tab, enter any custom variables.

Squid is usually used to cache and speed up web access, so the default configuration file is optimized for small files. In order to cache larger files effectively, change the configuration to allow for larger files (up to 64 megabytes) and allow for more total disk storage of cached files (up to 8 gigabytes in our tests for a few specific projects, but much larger is fine). This usually depends on the total available disk space on the machine which will run squid.

These are some of the options which we updated for a specific project we’re working on in the squid.conf (Template):

http_port 3128 transparent (add transparent if using NAT to redirect http requests):
maximum_object_size_in_memory 65536 KB
cache_dir ufs /usr/local/var/squid/cache 8192 16 256
maximum_object_size 65536 KB

These days, we prefer to use squid running in NetBSD’s pkgsrc, although any method of installation (such as the squidman approach) should be acceptable.

Next, click on the SquidMan application which should have been running the whole time and click Start Squid.

The squid daemon then starts. Looking at the processes running on the host reveals that it is run as follows:

/usr/local/squid/sbin/squid -f /Users/admin/Library/Preferences/squid.conf

Client systems can then be configured to use the squid proxy, or PAC (Proxy auto-config) file can be configured to configure clients. Another option being transparent parodying:

rdr de0 0.0.0.0/0 port 80 -> (local Squid server) port 3128 tcp

Licensing CALs for onsite systems can be done in a couple different ways:

• Per-Device: Each computer that is bound to Active Directory receives a CAL
• Per-User: Each user that uses a computer that is bound to Active Directory receives a CAL

In an environment where there are many users per device, then per-device licensing is always going to be cheaper (unless of course there are more devices than users, which wouldn’t make sense in a many to one environment). In a one-to-one environment where users come and go (e.g. by transferring between schools), but the number of computers remains somewhat static, per-device licensing still works out better as it simplifies license allocation.

Per-User CALs for education environments typically run around $1 USD per CAL for students. Per-User CALs for educators that work in the environment and are bound in that same environment typically run around $8 USD per CAL. If the systems aren’t bound, then licensing is only based on users that access file and print services, or other services; however, this becomes a bit of a challenge to calculate unless you reactively look at triggers that can be generated. But because most environments now use Active Directory binding on client systems, the CALs end up becoming one-to-one about as quickly as the computers become one-to-one.

But you should most definitely not take this article as being the rules set in stone. There are a number of scenarios that can change the licensing situation (most of them have to do with not binding clients or running computers that are offsite and/or employee owned). Contact Microsoft’s licensing desk using the contact information here, or contact a reseller like 318 for more more information.

Will the future require CALs? In an increasingly iOS and Android world, there are a few issues to sort out in many environments (e.g. IIS vs. AD licensing). This has so far ended up being in a case-by-case basis. 318 is a Microsoft reseller and can help you through these complex licensing issues, if you need it. Please feel free to contact your 318 Professional Services Manager, or sales@318.com if you would like more information.

Lack of font management is a cost center for many organizations. There is a loss of productivity every time a user has to manually add fonts when opening co-workers documents, or the cost of a job going out with the wrong version of a font. Some of the other benefits of fonts servers are separate font sets for different workgroups and isolating corrupt fonts to clean up large font libraries, along with quick searching and identification of fonts.

Font Management and Best Practices

Anyone who uses fonts for daily workflow needs font management. This could be a standalone product such as Suitcase Fusion or Font Agent Pro. But larger environments invariably need to collaborate and share fonts between users, meaning many environments need font servers. Two such products include Extensis Universal Type Server and Font Agent Pro Server. But before adding font management products, users should clean up and any fonts loaded or installed and added prior to moving to a managed font environment. Places to look for fonts when cleaning them up include the following:

• ~/Library/Fonts
• /Library/Fonts
• /System/Library Fonts

Leaving any necessary system, Microsoft Web Core, and required Adobe fonts.

The best resource for this process can be found at Extensis Font Best Practices in OX v.7, which can be found at: http://www.extensis.com/en/downloads/document_download.jsp?docId=5600039

Types of Font Server Products Available

There are two major font server publishers: Extensis and Font Agent Pro. Both have workgroup and enterprise products. All server products from both products work on a client/server model. Both can sync entire font sets or serve fonts on-demand. The break down for the Extensis Universal Type Sever is at 10 clients. Below 10 clients Universal Type Server Lite is a 10 clients product, which lacks Enterprise features, such as the ability to use a SQL database or integrate in Open Directory or Active Directory. The full Universal Type Server Professional adds Directory integration, external database use, and font compliance features and is sold as 10-user license, with an additional per seat license.

Insider Software offers two levels of font servers. The first is FontAgent Pro Team Server designed for small workgroups and sold in a 5 or 10 client configuration. The next level of product is Font Agent Pro Enterprise server. This adds the same directory services integration as Universal Type Server Professional. This product also has Kerberos single sign on, server replication and fail over. It uses the same per-seat pricing structure as Universal Type Server Professional.

A third tool is also available in Monotype Font Explorer, at http://www.fontexplorerx.com, which we will look at later in this article.

Pre-Deployment Strategies and Projects

Before any font server deployment, there are a few things to take into consideration. First is number of clients. This will guide you to which product will be appropriate for installation. Also note if Directory integration and compliance is needed. Is failover or a robust database important. The most important part of any font server installation is the fonts. How may are there, where are they coming from, are separate workgroups needed? Are all your fonts legal? In my experience probably not. Is legal compliance required for you organization or your clients? What is the preferred font type, PostScript Type 1, Open Type? What version are the fonts? Most fonts have been “acquired” over time, with some Postscript fonts dating back to early to mid nineties. As a font server is just a database, the axiom “garbage in, garbage out” is true here as well. This should lead to a pre-deployment font library consolidation and clean up. This can be either be done by 318 or we can train the you to perform this task. If compliance is an issue this is where we would weed out unlicensed fonts. Which to my experience is about 90% of all fonts. A clean, organized font set is the most important part of pre-deployment.

A major part of any font server roll out should be compliance and licensing. This allows for the tracking and reporting of font licenses and to make sure that stays in licensing and compliance.

Extensis

Universal Type Server includes the ability to generate and export reports to help you determine if you are complying with your font licenses. The font compliance feature only allows you to track your licensing compliance and does not restrict access to noncompliant fonts. To help you understand how the font licensing compliance, let’s look at the following typical example of how to use licenses and the font compliance report in your environment.

Say you are starting up your own design shop and need a good group of licensed fonts for your designers to create projects that will bring you fame and fortune. You know that fonts are valuable, and you want to be sure that you have purchased enough licenses for your requirements. So, you purchase a 10­user license of a sizable font library. Using the Universal Type Client, these fonts are added to a Type Server workgroup as a set. A font license is then created and the Number of Seats field is set to 10. This license is then applied to all fonts in the set.

When you run the font compliance report, Universal Type Server compares the number of seats allowed to the total number of unique users who have access to the workgroup. If more users have access than licenses available, the fonts are listed as “non-­compliant.” You can now either remove users from the workgroup or purchase more font licenses to become compliant.

Universal Type Server is unique amongst other products in that it uses a checksum process to catalog fonts. Others just use file names and paths.

Universal Type Server Deployment

Universal Type Server system requirements include the following:

Macintosh Server

•          Mac OS X v 10.5.7, 10.6 Mac OS X Server 10.5 or 10.6•          1.6 GHz or faster 32-bit (x86) or 64-bit (x64) processor (PowerPC is not supported)
•          1 GB available RAM
•          250 MB of hard disk space + space for fonts
•          Safari 3.0 or Firefox 3.0 or higher*
•          Adobe Flash Player 10 or higher*

Windows Server

•          Windows XP SP3 (32-bit only), Server 2003 SP2, Server 2008 SP2 (32 or 64-bit version**)
•          P4 or faster processor***
•          1 GB available RAM
•          250 MB of hard disk space + space for fonts
•          Internet Explorer 7 or Firefox 3.0 or higher*
•          Adobe Flash Player 10 or higher*
•          Adobe Reader 7 to read PDF documentation*
•          Microsoft .NET 3.5 or higher

Universal Type Server Installation Process:

1.         Verify server system requirements
2.         Run the installer on the target server machine
3.         Login to the Server Administration web interface
4.         Serialize the server
5.         Set the Bonjour Name
6.         Resolve any port conflicts
7.         Set any desired server configuration options, including backup schedule, log file configuration, secure connection options, and any other necessary server settings.
8.         After installing the server, configure workgroups, roles and add users.

The basic user and workgroup configuration steps include:

1.   Plan your configuration
2.   Create workgroups
3.   Create new users
4.   Add users to workgroups
5.   Assign workgroup roles to users
6.   Modify user settings as required

Optional Setup:

1. Managing System Fonts with System Font Policy The System Font Policy feature allows Universal Type Server administrators to create a list of system fonts that are allowed in a user’s system font folder.
2. Font Compliance Reporting
   The font compliance feature only allows you to track your licensing
   compliance and does not restrict access to noncompliant fonts.
3. Directory Integration
   Directory integration allows network administrators to automatically
   synchronize users from an LDAP service
   (Active Directory on Windows or Open Directory on Mac OS X) with Universal Type Server workgroups.

* UTS Documentation:

http://tinyurl.com/4xgn9rr

Both Universal Type Server Professional and Font Agent Pro Enterprise can be configured for Open Directory, Active Directory, and LDAP integration. Both also can utilize Kerberos Single User sign on. Universal Type Sever Professional directory integration instructions can be found in the UTS 2 Users and Workgroups Administration Guide at http://tinyurl.com/4xgn9rr. Some users have reported issues connecting to Open Directory (which happens with all products, not just this one).

Universal Type Server runs in Flash for administrative functions, which many do not like.

Monotype Font Explorer

Monotype Font Explorer is a third tool that can be used to manage fonts. Available at http://www.fontexplorerx.com there are some things that some environments do not like about Universal Type Server or Font Agent Pro. Let’s face it, the reason there are multiple products and multiple workflows is that some work for some environments and others work for other environments/workflows better. For example, Font Agent Pro stores master fonts on one client machine, which is then synchronized to the server, and from there to the rest of the clients; not everyone wants a client system acting as a master to the server. Font Explorer keeps the master is on the server, groups and synchronization works well and the administration is in the same window as font management. And best of all, Font Explorer is also typically cheaper than its server-based competitors in the font management space.

Extensis publishes a guide as to which fonts to include in the system and which to handle in the font management software. According to Apple documentation, and fonts in my ~/Library/Fonts folder take precedence to fonts in /Library/Fonts, which again takes precedence to /System/Library/Fonts. That means that if I install Times in my ~/Library/Fonts folder, it will be used instead of the font with the same name in /Library/Fonts or in /System/Library/Fonts. So how is it that I should care which fonts is installed where, as the font management applocation should simple take precedence to the others? If it does not take precedence, then where in the chain is it actually activating fonts? Maybe fonts are handled in these solution in parallel with the system mechanism? Thats the only explanation I can find to that, but is then only valid for UTS, or is it also valid for the other solutions?

End User Training and Font Czar

No font server installation would be complete without end user training and the appointment of a Font Czar. User training can be a fairly easy endeavor if client systems are using the same publishers stand-alone font client. Other times it could entail discussing licensing and compliance concepts along with adding metadata to fonts. An onsite Font Czar (or more than one) is very important to font server installations. The Font Czar cleans up and ingests new fonts, adds new users to font server, and in general be the Font Admin. This is usually a senior designer or technical point of contact for the creative environment.

Conclusion

Font Book is adequate for most users that don’t need a server. Universal Type Server, Font Agent Pro and FontExplorer are all great products if you need a font server. They all are installed centrally and allow end users to administer fonts, based on the server configuration and group memberships. They all work with directory services (some better than others) and can be mass deployed. In big workgroups or enterprises, where only a few people are handling the administration of fonts for a lot of people, a centralized font management solution is a must. But in much smaller organizations, it requires care and feeding, which represents a soft cost that often rivals a cost to purchase the solution.

Finally, test all of the tools available. Each exists for a reason. Find the one that works with the workflow of your environment before purchasing and installing anything.

Note: Thanks to Søren Theilgaard of Humac for some of the FontExplorer text!

The highest resolution supported by ABVB hardware is AVR-77, which was good enough for most people for broadcast SD (people had more modest standards in those days).

In 1998 Avid transitioned to the Meridien boardset. This new boardset was capable of handling uncompressed video, although Avid charged much more money for their Symphony model of the Meridien to enable uncompressed 23.98. The Symphony was sold as a finishing system, whereas the basic Meridien was sold as an offline editing system. Meridiens were also the first Avid boards which would work in x86 PC environments. In a move which upset many Avid users, Meridiens had no backwards compatibility with ABVB media and Avid stopped supporting ABVBs immediately after Meridiens were introduced. Considering that a typical ABVB setup cost around $40,000 new.

Avid introduced the Adrenaline products in 2003. This new software could run on a system which had no Avid hardware (and, of course, didn’t support any previous Avid hardware at all) or could be used with Avid “dongles”. Typically, a dongle is a plugin device used for copy protection and licensing, but Avid’s Mojo and Adrenaline audio/video interface boxes were hardly more than fancy Firewire video interfaces, so they were often deridingly referred to as Avid dongles. They provided no measurable advantage to an Avid beyond providing a means to connect a television monitor or decks for input and output.

In 2008, Avid introduced their Nitris DX and Mojo DX systems. Unlike the FireWire attached Adrenaline and Mojo “dongles”, these new DX systems were connected via PCIe and allowed for performing certain effects in realtime without the need for renders.

Throughout Avid’s history it reused many product names making it difficult to know with certainty to what a name is referring without context. For instance, the software with which the editor interacts has always been called Media Composer (although for a while there were two versions, Film Composer and Media Composer). These days an entire system might be referred to as a Media Composer system, but in the past it referred to just the software. To further complicate matters, Media Composer went through version numbers up through 5.6 on m68k Macs, through version 12 on PowerMacs, and then reset to version 1 with the introduction of the Adrenaline line of products.

The older families are clearly named. The earliest were referred to as NuVista, followed by ABVB, followed by Meridien. The Adrenaline family name is a bit confusing, since the name “Adrenaline” was used to refer to both the newer versions of Media Composer and the larger FireWire breakout box hardware. Mojo-based systems and software-only Media Composer systems of the same version (post version 12) were also called Adrenaline even when no Adrenaline hardware was present.

The newest systems use recycled names, too. The Meridien family had Symphony and Nitris versions which had additional features for color correction and finishing. Many still confuse Mojo DX and Mojo hardware which are completely different.

Early Avids used fast Avid labeled SCSI drives for storage of media. Meridiens allowed the use of internal IDE drives in PowerMacs, but this was discouraged by Avid because they had an interest in selling Avid drives. Media Composer was unable to work with FireWire drives as it caused Media Composer to crash. As time went on more people used RAID cards, SATA cards, and external arrays instead of Avid branded  SCSI drives.

Additionally, some other new features including custom starting timecode, the new Tribute theme, GPU-accelerated exports, One-step transitions, media stems export and of course, XML support. XML support is very important as it introduces the ability to integrate Final Cut Pro X with asset management systems or APIs from other applications. The ability to interact with other tools helps to plan and implement an automated workflow, reducing the labor for reoccurring tasks common in media environments.

Apple also now provides a free 30 day trial to Final Cut Pro X. If your organization is considering migrating from Final Cut Studio into Final Cut Pro X, or if you have a Final Cut Server based asset management solution that you would like to migrate to something newer and supported, then please feel free to contact your 318 Professional Services Manager, or sales@318.com if you do not yet have one.

defaults write com.apple.DiskUtility DUDebugMenuEnabled 1

Once enabled, open Disk Utility and select Show Every Partition from the Debug menu. Your hidden Recovery and EFI partitions should now be visible and available for imaging, etc.

#!/bin/bash
#Converts a standalone disk to a RAID 1 and automates adding the second member.
clear
echo -n "Enter the name of the first volume to be placed in the mirror: "
read disk_1
export disk_1nv=`echo $disk_1 | sed 's:/Volumes/::g'`
echo "
creating the $disk_1 mirror"
sleep 2
export disk_1slice=`diskutil list "$disk_1" | grep -m 1 "$disk_1nv" | grep -o "disk..."`
diskutil appleRAID enable mirror $disk_1slice
echo -n "Enter the name of the second volume to be placed in the mirror: "
read disk_2
export disk_2nv=`echo $disk_2 | sed 's:/Volumes/::g'`
export disk_2root=`diskutil list "$disk_2" | grep -m 1 "$disk_2nv" | grep -o "disk."`
export raid_uuid=`diskutil info $disk_1slice | grep "Parent RAID Set UUID" | sed -e 's_Parent RAID Set UUID:__g;s_^[ \t]*__'`
diskutil AppleRAID add member $disk_2root $raid_uuid

Zagat, a classic company founded way back in the 1970s is kind of the Gold Standard of restaurant reviews. I remember using Zagat to find restaurants in Rome back in the early 1990s (couldn’t quite afford to eat at a place with a 30 rating back then). And their review guides are great. In 2008 they put themselves up on the auction block and summarily took themselves right back down. At that point in time, Zagat would have cost a cool $200 million. A steal compared to upstart Yelp. But while a company with a lot of content, not really a company with a lot of content freely available on the web – which seems to be the name of the game these days.

While Google doesn’t own Yelp, they still want user-generated reviews. Google announced on their blog today that they’re buying Zagat. This move isn’t just about user-generated reviews though, it’s about content. Zagat has 30+ years worth of content, much of which dates back to the manual form of user-generated reviews.

If you look at Google’s most recent acquisitions, many involve coupons, social media, price comparisons, gaming, travel and who can forget a big-daddy of content in YouTube. All that Google needs to do is buy Wikipedia and they’d own a huge chunk of the content out there, or at least they’d own enough to point you to their chunk. The moves only make sense. Try running a define search (e.g. define: Google). Notice that rather than all of the links be hits on other sites, the first is now an actual definition. Clicking More>> brings up the Google Dictionary, not Wikipedia. And in some cases, that dictionary entry is basically the only thing (YMMV).

Google changed the game when it comes to how people find things. They’re in the process of changing that game again. How can you capitalize on these changes? This is going to be different for everyone, but your 318 Professional Services Manager will be happy to discuss strategies for social media, online strategies and the new king of the online world, content. If you do not yet have a Professional Services Manager, please contact 318 at 310-581-9500 or sales@318.com for more information!

Prior to OS X Lion, Server Admin was used to manage permissions in OS X Server environments. Gone are the permissions settings in Server Admin and anything else dealing with managing file shares. These have been moved into the swanky new Server application. At first glance it may seem that Apple doesn’t want you managing permissions granularly as each share that is created in Server only allows you to configure permissions for the root of the share, and then has limited access to ACL options. But after looking around a little bit, you will find that Apple hasn’t abandoned GUI permission controls just yet.

From the Server app, click on the name of the server in the sidebar under the HARDWARE section. Then click on the Storage tab and browse to a location on the file system in need of different permissions. Click on the cogwheel icon and then click on Edit Permissions… to bring up the new permissions screen. Here, you can add users and groups into ACEs, enter the name for users and groups and granularly assign the settings to be applied.

But as this is all a bit new, a few things are missing. There’s no list of users and groups, so you need to type the short name of items you’re adding. If they don’t exist then they will be grey but will create anyway. Use the id command to verify that objects don’t exist. There’s no Effective Permissions Inspector, so troubleshooting permission problems might require a bit more legwork than before. Also, there’s no deny options any more. While I typically found deny ACEs to just be a big pain, they were useful at times. POSIX permissions are still the last 3 items in the list and you can double-click on any object to change the short name for a user or group (you are again typing the new name rather than dragging an object into the field).

Overall, my suspicion is that this is going to cause users to create more shares and just manage permissions at the share level, propagating permissions whenever there’s a problem. While doing so is not a bad idea for smaller environments, it doesn’t scale well. There are a few options for different applications and tools to get easier management of permissions. One such is batchmod, a long term favorite that can be used to propagate, clear ACLs, unlock files and clear extended attributes. And of course, there are still the good ‘ole standbys of chmod, chown and xattr that can be used to granularly manage permissions.

Adjusting to the new changes in Lion Server can be a considerable change for many administrators. If you need assistance, please contact your 318 Professional Services Manager or sales@318.com if you are not yet a customer.

This is due to a small setting in /etc/ssh_config. To correct the setting, open ssh_config in your favorite text editor. Then look for the following line:

SendEnv LANG LC_*

Then remove LC_* from the line. I like to use the reset command any time I make such a change:

reset

The stock applications that have been what most server administrators used in OS X include Server Admin, Workgroup Manager and other tools. these are no longer available with a stock installation of OS X Server. No big deal though, simply go to http://support.apple.com/kb/DL1419 and download their installation package there. Once downloaded, install and you’ll see the oh-so-familiar /Applications/Server directory that you’re used to.

If you open System Preferences and click on trackpad (or mouse) then you’ll see all the gestures available to you. Click on the Scroll & Zoom tab and then uncheck the first box for Scroll direction: natural.

Ah… Much better… Having shown this, I would like to point out that I think this whole thing is the future, so you’re probably saving yourself a little grief if you get used to it now. But if you want to procrastinate a bit on this whole thing (like me), now you know how…

Compressor 4 is billed as “Powerful Encoding for Final Cut Pro.” The new compressor requires 2 to 4 gigs of RAM, 256MB VRAM, a 1280×768 monitor and 685MB disk space.

Looking at it initially, it appears that all of the apps that previously interacted with Compressor, such as the QMaster System Preference pane, Qadministrator, etc have been rolled into Compressor, living inside the .app bundle in the /Contents/EmbeddedApps directory. They are now accessible via the QMaster menu in the Compressor.app.

Apple has also changed how the Distributed Processing works. Instead of installing QMaster or Compressor on each machine that will be handling render jobs, Compressor gets installed on 1 machine, which then acts as the render controller. Communication to render nodes is now handled through ssh. This means the $49.99 purchase can be leveraged without acquiring a license for each render node. While rendering can be performed wirelessly, rendering over a wired interface is strongly recommended.

Compressor 4 now supports more codecs, frame rates and resolutions. A larger settings library provides quick access to most of these. While the H.264, MPEG-2 and ProRES are now assumed, the addition of HTTP is welcome, as are options for closed captioning, metadata (which can be read or written from the command line) and chapter markers.

And because it’s a shell based interface, QMaster can now control renders for Shake, Maya, After Effects, Lightwave and any other shell based render controllers. There are certainly some issues with the software that will be worked out over the next couple of months, but it looks well worth $49.99 to experiment with it.

318 is very involved with automated video workflows. If you have any questions about how the new changes to the Final Cut and other video products will impact your environment, please reach out to your Professional Services Manager or sales@318.com and we will be happy to discuss these with you in detail.

You can also use the screen command. The screen command will open a virtual terminal and provide the functionality of an old DEC VT100 terminal. Screen is one of the more useful tools when dealing with several servers concurrently, or several VT sessions as the case may be.

To open a screen session into an APC:

screen /dev/tty.KeySerial1 2400

To open a screen session into a Qlogic:

screen /dev/tty.KeySerial1 9600

To open a screen session into a Promise RAID:

screen /dev/tty.KeySerial1 115200

To see your active screens:

screen -ls

The output will show screens similar to the following:
6077.ttys001.krypted2 (Detached)

When you list the screens you’ll note that some can be detached. You can also start a screen detached. To do so, use the -d flag when invoking the screen (or -D if you don’t want to fork the process. To attach to a detached screen, use the -r option:

screen -r 6077.ttys001.krypted2

Or if you only have one active screen that has been detached, -R will automatically reconnect to it. It can be useful to have more friendly names when working with multiple screen sessions. To attach to an attached screen session, use -x:

screen -x 6077.ttys001.krypted2

To provide an easy-to-remember name, use the -s option. To initiate a screen called simply Qlogic, using the above Qlogic rate:

screen -s Qlogic /dev/tty.KeySerial1 9600

By creating a .screenrc file in your home directory you can also set many of the options for screen.

While the screen command is useful in connecting to external devices via the command line, that’s only a small part of what screen can do. Those using the Terminal application that comes with Mac OS X have been using an environment that acts like screen for some time. You invoke tabs and new terminal windows in order to leave, for example, a session tailing logs or editing a configuration file open, while using a separate session to read a man page or start a process. Screen takes all of this and packs it into one terminal screen for environments without such an interactive command line management tool. For example, if you ssh into a Linux host in a data center, you would have to initiate 2 sessions into hosts in order to have 2 concurrently running screens, whereas you would only need to invoke one ssh session (and you may be limited to one) and still have the flexibility you have with the Terminal screen, albeit in a single window perhaps.

For example, let’s say you ssh into a RHEL box and you want to invoke an emacs editor:

screen emacs prog.c

Now let’s say that you type a few lines of a new samba config file and you want to tail the samba logs to make sure you’re augmenting the correct options:

screen tail -f /var/log/samba/log.smbd

To then switch back to emacs:

screen -R

There’s lots more you can do with screen, but this should get ya’ started!

By default, the PHP configuration file, php.ini, is stored at /etc/php5/apache2/php.ini (in most distributions of Linux) or just in /etc/php.ini (as with Mac OS X). In this file

vi /etc/php.ini

Then locate the expose_php variable within the file. Once found, set it to Off as follows:

expose_php = Off

Doing so will not improve the overall security of a system (unless you believe in security through obscurity). However, it is a good idea and will help defeat a number of vulnerability scanners. If you do suppress the Apache and PHP versioning information for the sake of passing a vulnerability scanner on a backported distribution of one of the packages then it would be a good idea to check the CVEs for the port you are using and verify that you are secure.

To do so, one need only make a small change to the httpd.conf file. By default, Apache stores its configuration files in Linux in the /etc/httpd/conf/httpd.conf file. In Mac OS X they can be found at /private/etc/apache2/httpd.conf Here, you will find the ServerTokens and ServerSignature directives. These should be set to ProductOnly and Off respectively, as follows:

ServerTokens ProductOnly
ServerSignature Off

Once these have been changed, you will need to restart the httpd service. One way to do so is to use init.d:

/etc/init.d/httpd restart

To verify that the version number has been suppressed, use telnet:

telnet www.318.com http

Installing Snort in Windows Server 2008 is a fairly straight forward maneuver. Simply install winpcap, then barnyard and then snort itself. You’ll also want to install the snort rules available on the snort downloads page.

Once snort is installed, it’s fairly simple to run it from the Windows Server 2008 command line. To do so, use the snort.exe that was distributed in the installer (by default it would be at c:\snort\bin\snort.exe). You can then run it in a simple form to check that the interfaces are available:

c:\snort\bin\snort.exe -W

And then use one of the listed interfaces, invoke it with a -i option followed by the interface. You can also specify a custom logging location using -l and a custom configuration file using -c. This would result in something similar to the following:

c:\snort\bin\snort.exe -i 1 -l c:\snort\log -c c:\snort\etc\snort.conf

There are a lot more options, but this article is about converting it into a service. Once you’ve found a configuration that works for you manually, you can then take that, throw a /SERVICE /INSTALL after the snort.exe but before the operators and viola you’ve converted snort into a service:

c:\snort\bin\snort.exe /SERVICE /INSTALL -i 1 -l c:\snort\log -c c:\snort\etc\snort.conf

Once snort has become a service, many will want to have it start automatically. This is possible using the sc command to configure the snortsvc to start automatically:

sc config snortsvc start= auto

And then, start her up:

sc start snortsvc

Intrusion Detection (IDS) and Prevention (IPS) solutions can be invaluable to an organization. If you would like to discuss running snort or any other IDS or IPS, please feel free to contact your 318 Professional Services Manager, or sales@318.com if you do not yet have one!