Posts Tagged ‘configuration’

Add OS X Network Settings Remotely (Without Breaking Stuff)

Monday, September 23rd, 2013

So you’re going to send a computer off to a colocation facility, and it’ll use a static IP and DNS when it gets there, the info for which it’ll need before it arrives. Just like colo, you access this computer remotely to prepare it for its trip, but don’t want to knock it off the network while prepping this info, so you can verify it’s good to go and shut it down.

It’s the type of thing, like setting up email accounts programmatically, that somebody should have figured out and shared with the community at some point. But even if my google-fu is weak, I guess I can deal with having tomatoes thrown at me, so here’s a rough mock-up:

 

#!/bin/bash
# purpose: add a network location with manual IP info without switching
#   This script lets you fill in settings and apply them on en0 (assuming that's active)
#   but only interrupts current connectivity long enough to apply the settings,
#   it then immediately switches back. (It also assumes a 'Static' location doesn't already exist...)
#   Use at your own risk! No warranty granted or implied! Tell us we're doing it rong on twitter!
# author: Allister Banks, 318 Inc.

# set -x

declare -xr networksetup="/usr/sbin/networksetup"

declare -xr MYIP="192.168.111.177"
declare -xr MYMASK="255.255.255.0"
declare -xr MYROUTER="192.168.111.1"
declare -xr DNSSERVERS="8.8.8.8 8.8.4.4"

# Find the service name for en0: it is on the "Hardware Port:" line printed just above "Device: en0".
# sed (rather than cut) keeps names that contain spaces, e.g. "Thunderbolt Ethernet", intact.
declare -x PORTANDSERVICE="$($networksetup -listallhardwareports | awk '$1 == "Device:" && $2 == "en0" {print x} {x=$0}' | sed 's/^Hardware Port: //')"

# Create the new location, switch to it just long enough to fill it in, then switch back
$networksetup -createlocation "Static" populate
$networksetup -switchtolocation "Static"
$networksetup -setmanual "$PORTANDSERVICE" "$MYIP" "$MYMASK" "$MYROUTER"
# DNSSERVERS is left unquoted on purpose so each server is passed as its own argument
$networksetup -setdnsservers "$PORTANDSERVICE" $DNSSERVERS
$networksetup -switchtolocation Automatic

exit 0

Caveats: The script assumes the interface you want to be active in the future is en0, just for ease of testing before deployment. It also assumes that there isn’t already a network location called ‘Static’, and that you do want all interfaces populated upon creation (because I couldn’t think of particularly good reasons why not).
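Because the machine will be out of reach once it is racked, a typo in the static values is the one thing you cannot fix remotely. The following check is an added example, not part of the original script: it confirms that the IP, mask, router and DNS values are well-formed and that the router sits inside the subnet before they are handed to networksetup. The function names are hypothetical, and it assumes an ordinary subnet (/30 or larger).

```shell
#!/bin/sh
# Added example: sanity-check static settings before applying them.
# ip_to_int and check_static_settings are hypothetical helper names.

# Print a dotted quad as a 32-bit integer; fail on anything malformed.
ip_to_int() (
  case "$1" in
    ""|*[!0-9.]*|.*|*.|*..*) exit 1 ;;
  esac
  IFS=.
  set -- $1
  [ "$#" -eq 4 ] || exit 1
  n=0
  for octet in "$@"; do
    case "$octet" in
      0?*|????*) exit 1 ;;   # leading zero, or more than three digits
    esac
    [ "$octet" -le 255 ] || exit 1
    n=$(( n * 256 + octet ))
  done
  echo "$n"
)

# usage: check_static_settings IP MASK ROUTER [DNS...]
# Prints "ok" or the first problem found; returns non-zero on a problem.
check_static_settings() (
  ip=$(ip_to_int "$1")     || { echo "bad IP address"; exit 1; }
  mask=$(ip_to_int "$2")   || { echo "bad subnet mask"; exit 1; }
  router=$(ip_to_int "$3") || { echo "bad router address"; exit 1; }
  shift 3

  host_bits=$(( 4294967295 - mask ))   # the inverted mask
  # A valid mask is ones followed by zeros, so inverted it is 2^k - 1.
  # Assumption: /31 and /32 are rejected (fewer than two usable hosts).
  if [ "$mask" -eq 0 ] || [ "$host_bits" -lt 3 ] ||
     [ $(( host_bits & (host_bits + 1) )) -ne 0 ]; then
    echo "subnet mask is not usable"; exit 1
  fi

  net=$(( ip & mask ))
  bcast=$(( net + host_bits ))
  if [ "$ip" -eq "$net" ] || [ "$ip" -eq "$bcast" ]; then
    echo "IP is the network or broadcast address"; exit 1
  fi
  if [ $(( router & mask )) -ne "$net" ]; then
    echo "router is outside the subnet"; exit 1
  fi
  if [ "$router" -eq "$net" ] || [ "$router" -eq "$bcast" ] ||
     [ "$router" -eq "$ip" ]; then
    echo "router address is not a usable neighbour"; exit 1
  fi

  for dns in "$@"; do
    ip_to_int "$dns" >/dev/null || { echo "bad DNS server: $dns"; exit 1; }
  done
  echo "ok"
)

# The values from the script above, then the same values with a
# one-digit typo in the router (constructed to show a failure).
check_static_settings 192.168.111.177 255.255.255.0 192.168.111.1 8.8.8.8 8.8.4.4
check_static_settings 192.168.111.177 255.255.255.0 192.168.11.1 || true
```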

If you find the need, give it a try and tweet at us with your questions/comments!


How to Configure basic High Availability (Hardware Failover) on a SonicWALL

Friday, November 30th, 2012

Configuring High Availability (Hardware Failover) on a SonicWALL requires the following:

1. Two SonicWALLs of the same model (TZ 200 and up).

2. Both SonicWALLs need to be registered at MySonicWALL.com (regular registration, and then one as HF Primary, one as HF Secondary).

3. The same firmware versions need to be on both SonicWALLs.

4. Static IP addresses are required for the WAN Virtual IP interface (you can’t use DHCP).

5. Three LAN IP addresses (one for Virtual IP, one for the management IP, and one for the Backup management IP).

6. Cross over cable (to connect SonicWALLs to each other) on the last ethernet interfaces.

7. 1 hub or switch for the WAN port on each SonicWALL to connect to.

8. 1 hub or switch for the LAN port on each SonicWALL to connect to.

Caveats

1. High Availability cannot be configured if “built-in wireless is enabled”.

2. On NSA 2400MX units, High Availability cannot be configured if PortShield is enabled.

3. Stateful HA is not supported for connections on which DPI-SSL is applied.

4. On TZ210 units the HA port/Interface must be UNASSIGNED before setting up HA (last available copper ethernet interfaces).

 

Setup

1. Register both SonicWALLs at MySonicWALL as High Availability Pairs BEFORE connecting them to each other:

• “Associating an Appliance at First Registration”: http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=6233#Associating_an_Appliance_at_First_Registration_

• “Associating Pre-Registered Appliances”: http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=6235#Associating_Pre-Registered_Appliances

• “Associating a New Unit to a Pre-Registered Appliance”: http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=6236#Associating_a_New_Unit_to_a_Pre-Registered_Appliance

2. Login to Primary HF and configure the SonicWALL (firewall rules, VPN, etc).

3. Connect the SonicWALLs to each other on their last ethernet ports using a cross over cable.

4. Connect the WAN port on both SonicWALLs to a switch or hub using straight through (standard) ethernet cables, and then connect the switch to your upstream device (modem, router, ADTRAN, etc.)

5. Ensure the Primary HF can still communicate to the Internet.

6. Connect the LAN port on both SonicWALLs to a switch or hub using straight through (standard) ethernet cables, and then connect them to your main LAN switch (if you don’t have one, you should purchase one. This will be the switch that all your LAN nodes connect to.).

7. Go to High Availability > Settings.

8. Select the Enable High Availability checkbox.

9. Under SonicWALL Address Settings, type in the serial number for the Secondary HF (Backup SonicWALL). You can find the serial number on the back of the SonicWALL security appliance, or in the System > Status screen of the backup unit. The serial number for the Primary SonicWALL is automatically populated.

10. Click Accept to save these settings.

 

Configuring Advanced High Availability Settings

1. Click High Availability > Advanced.

2. Put a check mark for Enable Preempt Mode.

3. Put a check mark for Generate / Overwrite Backup Firmware and Settings when Upgrading Firmware.

4. Put a check mark for Enable Virtual MAC.

5. Leave the Heartbeat Interval at default (5000ms).

6. Leave the Probe Interval at default (no less than 5 seconds).

7. Leave Probe Count and Election Delay Time at default.

8. Ensure there’s a checkmark for Include Certificates/Keys.

9. Press Synchronize settings.

 

Configuring High Availability > Monitoring Setting

(Only do the following on the primary unit, they will be sync’d with the secondary unit).

1. Login as the administrator on the Primary SonicWALL.

2. Click High Availability > Monitoring.

3. Click the Configure icon for an interface on the LAN (ex. X0).

4. To enable link detection between the designated HA interface on the Primary and Backup units, leave the Enable Physical Interface monitoring checkbox selected.

5. In the Primary IP Address field, enter the unique LAN management IP address.

6. In the Backup IP Address field, enter the unique LAN management IP address of the backup unit.

7. Select the Allow Management on Primary/Backup IP Address checkbox.

8. In the Logical Probe IP Address field, enter the IP address of a downstream device on the LAN network that should be monitored for connectivity (something that has an address that’s always turned on like a server or managed switch).

9. Click OK.

10. To configure monitoring on any of the other interfaces, repeat the above steps.

11. When finished with all High Availability configuration, click Accept. All changes will be synchronized to the idle HA device automatically.

 

Testing the Configuration

1. Allow some time for the configuration to sync (at least a few minutes). Power off the Primary SonicWALL. The Backup SonicWALL should quickly take over.

2. Test to ensure Internet access is OK.

3. Test to ensure LAN access is OK.

4. Log into the Backup SonicWALL using the unique LAN address you configured.

5. The management interface should now display “Logged Into: Backup SonicWALL Status: (green ball)”. If all licenses are not already synchronized with the Primary SonicWALL, go to System > Licenses and register this SonicWALL on mysonicwall.com. This allows the SonicWALL licensing server to synchronize the licenses.

6. Power the Primary SonicWALL back on, wait a few minutes, then log back into the management interface. The management interface should again display “Logged Into: Primary SonicWALL Status: (green ball)”.

NOTE: Successful High Availability synchronization is not logged, only failures are logged.

Configuring a Cisco ASA 5505 with the basics

Thursday, March 1st, 2012

The Cisco ASA 5505 is great for small to medium businesses. Below are the steps you will have to complete to configure your ASA to communicate with the internet. There are many more steps, options, and features to these devices (some of which will be covered in later articles).

Bring your device into configuration mode
318ASA>en
Brings the device into enable mode

318ASA#config t
Change to configuration terminal mode

318ASA(config)#
The ASA is now ready to be configured when you see (config)#

Configure the internal interface VLAN (ASAs use VLANs for added security by default)
318ASA(config)# interface Vlan 1
Configure interface VLAN 1

318ASA(config-if)# nameif inside
Name the interface inside

318ASA(config-if)#security-level 100
Sets the security level to 100

318ASA(config-if)#ip address 192.168.5.1 255.255.255.0
Assign your IP address

318ASA(config-if)#no shut
Make sure the interface is enabled and active

Configure the external interface VLAN (This is your WAN/internet connection)
318ASA(config)#interface Vlan 2
Creates the VLAN2 interface

318ASA(config-if)# nameif outside
Names the interface outside

318ASA(config-if)#security-level 0
Assigns security level 0, the least trusted level, to the outside interface (the lower the number, the more strictly traffic arriving on that interface is treated).

318ASA(config-if)#ip address 76.79.219.82 255.255.255.0
Assign your Public Address to the outside interface

318ASA(config-if)#no shut
Enable the outside interface to be active.

Enable and assign the external WAN to Ethernet 0/0 using VLAN2
318ASA(config)#interface Ethernet0/0
Go to the Ethernet 0/0 interface settings

318ASA(config-if)#switchport access vlan 2
Assign the interface to use VLAN2

318ASA(config-if)#no shut
Enable the interface to be active.

Enable and assign the internal LAN interface Ethernet 0/1 (note ports 0/1-0/7 act as a switch but all interfaces are disabled by default).
318ASA(config)#interface Ethernet0/1
Go to the Ethernet 0/1 interface settings

318ASA(config-if)#no shut
Enable the interface to be active.
If you need multiple LAN ports you can do the same for Ethernet0/2 to 0/7.

To have traffic route from LAN to WAN you must configure Network Address Translation on the outside interface
318ASA(config)#global (outside) 1 interface
318ASA(config)#nat (inside) 1 0.0.0.0 0.0.0.0

***NOTE for ASA Version 8.3 and later***
Cisco announced the new Cisco ASA software version 8.3. This version introduces several important configuration changes, especially on the NAT/PAT mechanism. The “global” command is no longer supported. NAT (static and dynamic) and PAT are configured under network objects. The PAT configuration below is for ASA 8.3 and later, and is entered in network object configuration mode:

318ASA(config-network-object)#nat (inside,outside) dynamic interface

For more info you can reference this article from Cisco with regards to the changes – http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html

Configure the default route (for this example default gateway is 76.79.219.81; the trailing 1 is the route metric)
318ASA(config)#route outside 0.0.0.0 0.0.0.0 76.79.219.81 1

Last but not least, verify and save your configurations.

Verify your settings are working. Once you have verified your configurations write to memory to save the configuration. If you do not write to memory your configurations will be lost upon the next reboot.

318ASA(config)#wr mem

Hiding the Apache Software Version

Wednesday, April 27th, 2011

By default, Apache displays version information when queried. One aspect of securing Apache servers is to suppress this information from being shown to clients. This also cuts down on noise from vulnerability scanners that only look at the HTTP header, as many vendors now backport fixes or fork the code for Apache (e.g. Red Hat and Apple), so the version string alone does not tell a scanner what is actually patched.

To do so, one need only make a small change to the httpd.conf file. By default, Apache stores its configuration in Linux in the /etc/httpd/conf/httpd.conf file. In Mac OS X it can be found at /private/etc/apache2/httpd.conf. Here, you will find the ServerTokens and ServerSignature directives. These should be set to ProductOnly and Off respectively, as follows:

ServerTokens ProductOnly
ServerSignature Off

Once these have been changed, you will need to restart the httpd service. One way to do so is to use init.d:

/etc/init.d/httpd restart

To verify that the version number has been suppressed, use telnet to connect, send a request, and look at the Server header in the response:

telnet www.318.com http
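The two directives act in different places: ServerTokens controls the Server response header, while ServerSignature controls the footer Apache appends to pages it generates itself, such as error pages. The following is an added example, not part of the original post, that checks a captured response for both; the function names and the two sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: report what a captured HTTP response reveals about Apache.
# Function names and sample responses are constructed for illustration.

# Print the Server header value from a raw response on stdin (headers only).
server_header() {
  awk '{ sub(/\r$/, "") }
       $0 == "" { exit }    # blank line ends the headers
       tolower($0) ~ /^server:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Classify a Server header value by how much it gives away.
disclosure_level() {
  case "$1" in
    "")           echo "none" ;;              # header absent
    Apache)       echo "product-only" ;;      # ServerTokens ProductOnly
    Apache/*" "*) echo "version+platform" ;;  # version plus OS/module tokens
    Apache/*)     echo "version" ;;
    *)            echo "other" ;;
  esac
}

# Print the footer that ServerSignature adds to server-generated pages, if any.
signature_footer() {
  sed -n 's/.*<address>\(Apache[^<]*\)<\/address>.*/\1/p' | head -n 1
}

# Read a full response on stdin, print a one-line summary, and return 0
# only when neither the header nor the footer discloses more than "Apache".
audit_response() (
  resp=$(cat)
  header=$(printf '%s\n' "$resp" | server_header)
  level=$(disclosure_level "$header")
  footer=$(printf '%s\n' "$resp" | signature_footer)
  if [ -n "$footer" ]; then sig=present; else sig=absent; fi
  echo "header=$level footer=$sig"
  case "$level" in
    product-only|none) [ "$sig" = absent ] ;;
    *) false ;;
  esac
)

# Constructed sample: an error page from a server with default settings.
sample_default() {
  printf 'HTTP/1.1 404 Not Found\r\n'
  printf 'Server: Apache/2.2.15 (CentOS)\r\n'
  printf 'Content-Type: text/html\r\n\r\n'
  printf '<h1>Not Found</h1>\n<hr>\n'
  printf '<address>Apache/2.2.15 (CentOS) Server at www.example.com Port 80</address>\n'
}

# Constructed sample: the same page after ServerTokens ProductOnly
# and ServerSignature Off.
sample_hardened() {
  printf 'HTTP/1.1 404 Not Found\r\n'
  printf 'Server: Apache\r\n'
  printf 'Content-Type: text/html\r\n\r\n'
  printf '<h1>Not Found</h1>\n'
}

sample_default  | audit_response || true
sample_hardened | audit_response
```

To check a server you administer, save a response that includes headers (for example from a URL that returns a server-generated error page) and pipe it into audit_response.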

Enable AirPrint On Mac OS X Server

Monday, March 7th, 2011

Since the introduction of AirPrint in iOS version 4.2.1, a handful of shareware and freeware solutions have been introduced that allow iOS devices to use AirPrint to print documents on “unsupported” printers (namely, those printers that do not have the necessary AirPrint features built-in). This typically requires enabling printer sharing on a Mac system, as well as making a slight modification to the CUPS configuration file at /etc/cups/cupsd.conf, which the software typically does for you.

However, one of the more prominent solutions available, AirPrint Activator from Netputing.com, does not work properly on a Mac OS X Server system when following the provided instructions, which appear to be aimed at users running the non-Server version of Mac OS X. Here are the steps you can follow to get Mac OS X Server v10.6 to share printer queues to AirPrint-enabled iOS devices:

Prerequisites: Mac OS X Server v10.6.5 or later (I have only tested on 10.6.6), one or more networked or local printers, and one or more iOS devices running iOS 4.2.1

1. In the System Preferences > Print & Fax preference pane, delete all existing printer queues from the server.

2. Download AirPrint Activator from http://netputing.com/airprintactivator/ to the Mac OS X Server system from which you wish to host print queues.

3. Launch the AirPrint Activator program and slide the Activator switch to On (you will be prompted to authenticate).

4. With your favorite text editor, open the file /etc/cups/cupsd.conf

5. Locate the line that reads Browsing Off and change it to read Browsing On. Save the changes.

6. Open Server Admin and enable and Start the Print service.

7. Open the System Preferences > Print & Fax preference pane and add the printers that you wish to share, being sure to give the shared print queue a unique Sharing Name and a Location. If you are only using the Print service to connect iOS devices, you may want to include “AirPrint” in the queue or location name (i.e., “AirPrint to Accounting Printer”).

8. In the Print service window, select the Queues tab and select the print queue you wish to share.

9. Enable the IPP protocol. You can enable the other protocols if you want to enable printer sharing to platforms beyond just your iOS devices.

10. Follow steps 7 through 9 with the other printers that you wish to use for AirPrint.

11. From an iOS device, open a supported document such as a PDF, JPG, or other printable file.

12. Click the box with a curved arrow pointing to the upper right to invoke the Print command.

13. Select the Printer from the menu and print your documents!

Backing Up Cisco Configurations Using Mac OS X

Friday, February 18th, 2011

Before you make configuration changes on devices you should make a backup of the device. You can basically use any platform you want to backup Cisco devices. Doing so in Mac OS X starts with the Terminal. So to backup a Cisco device you must first connect to the device in Terminal either through SSH or Telnet.

Then SSH to the device using the ssh command, followed by the username, an @ symbol and then the IP address or hostname of your device. Here, we’ll use an example of 64.32.49.172:

ssh admin@64.32.49.172

Note: One could also use telnet using the same type of string, but ssh is more secure.

Next, provide the password and you will see a prompt with the device name. Once connected to the device you will need to go into enable mode by typing “en” at the command prompt and hit enter. It may prompt you for an elevated privileges password, which you will need to know.

Once complete you will notice that the prompt turns from a > to a # symbol. The # symbol is akin to having root access. Now to backup the configuration of this device you will enter “show run” which is short for show running-config:

show run

You will see a --More-- prompt at the bottom of the page. Just hit the space bar until you are back at the prompt. Once you are at the prompt, use your mouse to highlight all the text that was just generated in the terminal, and after it’s all highlighted hit “Command C” to copy the contents. Open your favorite text editor and use “Command V” to paste the text. Be careful to use plain text here (I prefer to just use pico or vi rather than Word or TextEdit). Save the file as your configuration backup file for the device.

NOTE: If you want to also get the IOS (IOS is different than iOS) version info you can run the “show version” instead of the “show run” command. And use the same steps to cut and paste.

If you cannot log into a device remotely, you can use a Keyspan adapter to use the serial port to connect to the device.

Copy a User in Active Directory

Tuesday, January 4th, 2011

Creating new users in Active Directory is a fairly straightforward process, but it is often easier to copy a user than to create a new one. If you have a user that belongs to all the groups you want a new user to be a part of, you can make life easy by making a copy of that user. To do that, you will need to remote into the domain controller with the domain administrator account or an account with administrator privileges.

Once you log on, go to Start, click on Programs, and choose Administrative Tools. Choose Active Directory Users and Groups. The best thing to do is to search for the user that you want to model the new user after. Before you do the search, go to View and choose Advanced Options. Then do a search by clicking on the search button at the top. It is the second to last button.

In the next box, type in the name of the user that you want to use as the model. Make sure that Entire directory is selected.

Right click on the user and go to properties. Then click on the object tab. It will list what Organizational Unit that the user is in. Navigate to that user by using the folders on the left side of the screen, then right-click on the user and choose copy. A window will come up and you will need to type in the new users information.

After you complete this process, you will be asked to provide a password. By default, there are some password policies that you will want to maintain. Make sure that the password has at least one lower case, upper case and special case character. It has to be at least 8 characters long.

Once that completes, the new user has been completed and is ready to use, unless you would like to change group memberships, policies, etc.

Restricting Outgoing Email To a 3rd Party SMTP Relay Host on SonicWALLs

Friday, November 12th, 2010

Often times, it is necessary to lock down outbound traffic to MX Logic. MX Logic can provide outbound filtering capabilities, which helps keep you from getting blacklisted, while also scanning your outgoing e-mail for malware. Also, allowing only the mail server to communicate with MX Logic ensures that no rogue mail servers can send out e-mail (often done by infected devices).

This guide assumes you have already used the Wizard to setup port forwarding, firewall rules, and NAT policies for allowing the mail server to be accessed via the SonicWALL.

To Lockdown a SonicWALL to Outbound Email to MX Logic
1. Determine what port you will be sending out on. If you are using a non standard port, you will first need to make a custom service object on the SonicWALL for the port.
2. Create an Address Group containing the Address Objects for MX Logic
   1. Go to Network
   2. Go to Address Objects
   3. Add Address Object
      1. Name: MX Logic 1
      2. Zone Assignment: WAN
      3. TYPE: Network
      4. Network: IP From MX Logic
      5. Netmask: Subnet From MX Logic
      NOTE: You will need to do this for each subnet that MX Logic Offers. Name them sequentially. The Address info can be found on MX Logic’s Portal.
   4. Go to Address Objects
   5. Create Address Object Group
   6. Add all of your MX Logic Address Objects to the Address Object Group, and call it “MX Logic”
   7. Save all your changes.
3. Go to Firewall
4. Go to LAN to WAN
5. Click Add
6. Create a Rule that allows the mail server on the LAN to send out to anywhere on the WAN.
   1. Action: Allow
   2. From Zone: LAN
   3. To Zone: WAN
   4. Service: SMTP (or whatever you named your custom one)
   5. Source: Your Address Object Representing Your Mail Server
   6. Destination: MX Logic (The Address Object Group you created Previously).
   7. Save your changes.
7. Create Another Rule to block all other outbound e-mail.
   1. Go to Firewall
   2. Go to LAN to WAN
   3. Click Add
   4. Action: Deny
   5. From Zone: LAN
   6. To Zone: WAN
   7. Service: SMTP (or whatever you named your custom one)
   8. Source: Any
   9. Destination: Any
   10. Save Your changes
8. Adjust Rule Order.
   1. Ensure that the MX Logic Outbound rule is above the rule that blocks all other devices from sending SMTP traffic out to the Internet.
   2. Apply the changes.
NOTE: By doing this, any laptop users, or other portable device users, that may try to send email over port 25 through other servers (Gmail, Yahoo, AOL, etc.) will be DENIED by the SonicWALL.

Adding Entourage Delegated Folders in Entourage for Hosted Exchange

Tuesday, October 19th, 2010

Setting up a mail account

Adding a hosted Exchange 2007 account to Entourage must be done manually, as the auto discover feature doesn’t work with the host’s servers. Enter the user’s general information (name and email address) as you normally would. The user name will be the user’s email address, the domain is supplied by the host, and the mail server address is /exchange/usersemailaddress@domain.tld. The server does require SSL. The public folder server is supplied by the ISP (same as the OWA path in the server address) and it uses SSL.

Adding a delegated user’s folder

When adding another user’s folder, you have to use the advanced option to add the user’s folder because Entourage is currently accessing the server at webmail.itsgrp.com/exchange/currentloggedinuser@domain.tld which means that Entourage will attempt to access another user’s folder at /exchange/currentloggedinuser@domain.tld/userfolderthatyouwanttoadd which, of course won’t work. To get around this issue, click “open another user’s folder”, click advanced, enter the user’s full name, email address and enter the mail server address in the following format: /exchange/usersemailaddress@domain.tld. Click ok and select the other user’s folder that you want to add.

Adding a User and Folder to FTP Running Active Directory in Isolation Mode

Thursday, January 21st, 2010

Note: For the purpose of these directions the username is MyUser

First, create a user in Active Directory (assuming, also, that there is an FTP users container in AD)

Next, create a home directory in the FTP share (for MyUser it might be D:\Company Data\FTP\MyUser *naming the home folder the same as the user name*)

Go to the command line and use these commands to map the directories to the accounts:

iisftp /SetADProp MyUser FTPRoot "D:\company data\ftp"

*note the use of quotation marks around the path to specify this directory since there is a space between company and data*

iisftp /SetADProp MyUser FTPDir MyUser

You can verify this by using the command line ftp localhost and logging in with the new user credentials

You can also create and delete a file to make sure it correctly edits the folder.

Note: If the password changes for the domain administrator account you must change it in IIS for this.

Setting Up SonicWALL High Availability Pairs

Friday, May 29th, 2009

Prerequisites
1. They MUST be the same model
2. Make sure that if you need Stateful High Availability that you have the license for it (only Primary SonicWALL needs to be licensed)
3. Make sure that if the client wants support for both SonicWALLs that they purchase support for the Backup SonicWALL as well.
4. Register and associate the Primary and Backup SonicWALLs as a High Availability pair on mysonicwall.com
5. Physically label the SonicWALLs
6. On the back of each SonicWALL make note of the Serial Number.
7. Ensure you have two (2) Ethernet cables coming off of the LAN (one for each SonicWALL)
a. Adjust the Spanning Tree protocol if it’s being used on the switch to FAST.
8. Ensure that you have a crossover cable for X8 on NSA 240s (this is for the heartbeat between the two units)
9. Ensure that you have a dumb switch for the WAN, and two (2) Ethernet cables (one for the primary, one for the secondary).
10. Ensure that you have 2 LAN IP addresses that you can give to the SonicWALLs for monitoring
11. DON’T connect the SonicWALLs together yet

Setup
1. Register both SonicWALLs online
2. Register both SonicWALLs as an HA Pair
a. Go to www.mysonicwall.com
b. Go to the Backup SonicWALL
c. At the bottom of the licensing, look for HF or Hardware Failover
d. Enter in the requested information (name, and serial number)
e. On the “Service Management – Associated Products” page confirm that the registration was successful, then scroll to the bottom to see the Associated Products and click either HA Primary or HA Backup to display the unit that is now associated with your newly registered SonicWALL.
f. (OPTIONAL) Register Stateful HA on the Primary SonicWALL if you have the license.
3. Power on Primary SonicWALL and enter in LAN and WAN information
4. Connect LAN and WAN to SonicWALL (DO NOT CONNECT CROSSOVER CABLE)
5. Activate Primary SonicWALL (login to the Primary SonicWALL and register it when you get it online).
6. Load up new firmware on Primary SonicWALL (this’ll take up to 5 minutes)
7. Disconnect Primary SonicWALL from LAN and WAN once you’ve confirmed that the unit is now registered.
8. Power on Backup SonicWALL and enter in LAN and WAN information same as Primary and connect to LAN and WAN (DO NOT CONNECT CROSSOVER CABLE)
9. Activate Backup SonicWALL (login to the Primary SonicWALL and register it when you get it online).
10. Load up new firmware on Primary SonicWALL. (this’ll take up to 5 minutes)
11. Disconnect Backup SonicWALL from LAN and WAN once you’ve confirmed that the unit is now registered.
12. Power on and connect Primary SonicWALL
13. Create all necessary firewall/security rules on the Main Unit
14. Create a Backup of your settings

Configuring HA
1. Login to Primary SonicWALL
2. Go to “High Availability”
3. Go to “Settings”
4. Select Enable High Availability checkbox
5. Enter in Serial number of Backup SonicWALL
6. Click Accept
7. Go to “High Availability” > “Advanced”
8. Leave all values the same in the fields
9. Select the following:
Enable Preempt Mode
Enable Virtual MAC
10. Save your settings

Connecting the HA units
1. Make sure both devices are turned on
2. Connect a LAN cable to X0 on each SonicWALL device
3. Connect a WAN cable to X1 on each SonicWALL device
4. Connect the cross over cable to the HA reserved port (X8 if it’s an NSA 240)
5. Login to the Primary SonicWALL
6. Go to “High Availability” > “Settings” and keep clicking on refresh until:
a. The status at the top right is Active
b. “Primary Status” is enabled
c. Dedicated HA Link is connected
d. “Found backup” is Yes
e. “Settings Synchronized” is Yes
f. OPTIONAL make sure anything that says “Stateful” is at “yes”
7. Review the logs to ensure that there are NO errors with licensing. If found, errors with licensing will occur in the logs every 10 minutes. If you find errors in the licensing, wipe everything out, and reapply the firmware.

Configuring Monitoring of HA Devices
1. Login to Primary SonicWALL
2. Go to “High Availability” > “Monitoring”
3. Find X0 (the LAN) and click to configure it
4. Enable Physical Monitoring
5. Enter in a LAN IP address for each device that you reserved in the Prerequisite steps (Primary = Primary Unit; Backup = Backup Unit).
6. Attempt to manage both SonicWALLs from their respective HA IP addresses. NOTE: The HA LAN management IP addresses are only used for management and CANNOT be used as a gateway for traffic.

Finish
1. Backup all of the settings from the Primary SonicWALL and Secondary SonicWALL (via HA LAN management IP address)

Configuring IPS to Deny P2P Traffic On a SonicWALL

Thursday, May 28th, 2009

1. Login to SonicWALL
2. Go to Application Firewall
3. Go to Application Objects
4. “Add New Object”
5. In the next window, name the object
a. Under “Application Object Type” select “Signature List”
b. Under “IDP Category” select P2P
c. Under “IDP Signature” select each one, and add it to the list
NOTE: I tried using Signature Category List, assuming that this would be the same thing as choosing Signature List and then selecting all of the IDP Signatures. I did not get good results, YMMV.
d. Click OK
6. Go to Policies
a. “Add New Policy”
b. Name the Policy
c. For “Policy Type”, choose “Dynamic Content”
d. For “Application Object” choose the name of the Application Object that you created initially.
e. For Action, choose “Reset/Drop”
f. Select “Enable Logging”
g. Ensure “Log Redundancy Filter” is selected.
h. Click OK
7. Ensure that the Policy is enabled.
8. Check the little bar graph next to the policy, called the Policy Statistics. This will tell you how many times it was used to block traffic.
9. Check the logs to see the blocking in effect, it will most likely be highlighted in yellow.

Adjusting Device Thresholds in Zenoss

Friday, May 22nd, 2009

By default, the Zenoss monitoring system tends to send extraneous warnings every day. The thresholds for these warnings can be adjusted to create fewer, more pertinent warning messages. For example, MyXserve is set to send a warning when the Ethernet utilization on port en0 exceeds 75% of the maximum. That happens every day. Changing that threshold setting to 90% would result in fewer, more meaningful warnings. These are the steps to adjust a device threshold using COMPUTER as an example.

NOTE: Adjusting a Performance Template changes that template for EVERY DEVICE that uses it. Changing the ethernetCsmacd in this example from 75% to 90% will change the threshold to 90% for ALL DEVICES that use that template.

1. Look at the warning that was sent to an email address. For the COMPUTER example, here is the information:

Subject: [zenoss] COMPUTER threshold of high utilization exceeded: current value 1796033.47
Device: COMPUTER
Component: en0
Severity: Warning
Time: 2009/05/21 23:08:22.000
Message: Threshold of high utilization exceeded: current value 1796033.47

This tells you that the device sending the warning is MyXserve, the component having the issue is en0 which is the main Ethernet port, and that the threshold that was exceeded is the high utilization threshold.

2. Login to Zenoss. (There’s information on that in another Kbase article.)

3. In the Dashboard, click on the device in the Device Issues portal.

4. In the Device Status portal, click on the correct Component Type. In this example we click on ipInterface since we’re interested in the Ethernet port.

5. In the Interfaces portal, click on the correct interface. In this example, click on the en0 interface.

6. In the resulting window you will see the Status of the interface including some performance graphs. Click on the Templates tab.

7. Click on the correct Performance Template. You can find the correct one from its name or description. In this case, there’s only one and it’s named ethernetCsmacd.

8. In the Thresholds portal, click on the threshold that is listed in the warning. In this case, it’s the high utilization threshold.

9. The resulting window shows the settings for the high utilization threshold. There are several settings but we’re most interested in the Min Value and Max Value fields. There is nothing in the Min Value field and we’ll leave that as is. It may be used in other templates. The Max Value field contains a calculation for the number of bytes sent and received: (here.speed or 1e9) / 8 * .75. To adjust this from 75% of the maximum to 90% of the maximum change the .75 to .90 and click the Save button.

10. Back in the Performance Template window, you may have to change the description and click the Save button. This one said “Standard ethernet interface template with 75% utilization threshold” which I changed to “Standard ethernet interface template with 90% utilization threshold.”

At this point you can log out of Zenoss and keep an eye on any warnings your device may send for the next 24 hours.

Using Symantec’s Backup Exec With External Hard Drives

Tuesday, May 5th, 2009

This assumes that you’ve already installed Backup Exec, and licensed it appropriately.
This assumes that all parties understand the expected backup retention policies, as well.

Preparing Backup Drives
1. Unpack Backup Drives
2. Plug both of them in
3. Note the drive letter assigned to them (this drive letter will now be forever associated with that drive).
4. Ensure the drive is formatted with NTFS. If not, back up the info on the hard drive, format it, and label it appropriately
NOTE: You want to back up the info on the new external drive because oftentimes there will be utilities on there that are not present on the CD that the drive came with, or available from the manufacturer’s website.

Preparing Devices
1. Open Backup Exec
2. Navigate to Devices
3. Right mouse click on Removable Backup-to-Disk Folders
4. Select Backup-to-Disk Wizard
5. Click Next
6. Select Create a new backup-to-disk folder
7. Select Removable backup-to-disk folder
8. Name it (remember the name)
9. Select a path (this is just the drive name [ex. F:])
10. Follow the rest of the steps
NOTE: You will need to do this for each drive.

Preparing Media
NOTE: This is a critical step. If you don’t do this, chances are that the media you’re writing to will not allow you to overwrite it, even if you told it to do so in your Job properties. As a general rule, remember that device properties trump job properties.
1. Go to the Media tab, Right mouse click on Media Set
2. Select New Media Set
3. Give it a name (remember the name)
4. Ensure that “Overwrite protection period” is set to: Infinite – Don’t Allow Overwrite
NOTE: This is in my opinion bad grammar that’s been carried along from version to version. What this setting does is DISABLE overwrite protection. This means that there is no overwrite protection – i.e., you can write over the drive as many times as you please.
5. For “Append Period”, ensure that it is set to “Infinite – Allow Append”. Backup Exec interprets this as “I will allow you to append as many times as you please because there is no period to stop appending”.
6. Set Vault rules to None

Creating a Job
1. Go to the Job Setup tab
2. On the left pane, under the Backup Tasks window, select “New job using wizard”
3. Select “Create a backup job with custom settings”
4. Select the resources you would like to backup
5. Test the logon account
6. Select the order of backup
7. Name the backup, and the backup set
8. Choose the device you’d like to backup the data to (The All Devices pool).
NOTE: You will in most cases want to select “all devices”. This will tell Backup Exec to go to all devices and then select the one that’s available to backup to. If you have a tape drive that’s been deprecated, then you want to disable the tape drive under “Devices”, but still point the job to all devices. It will then backup to the drive that’s plugged in. This will allow for external drive rotation with the least amount of user intervention. If you have more than one “online” device, then you want to create a new “device pool” under “Device” and add your two “backup-to-disk” folders within that new pool.
9. Select the media set you’d like to backup the data to (the new media set you created).
10. For Backup Overwrite Method, please select “Append to media, overwrite if no appendable media is available”. What this will do is backup to the drives for as long as the drives say per your Media selection, and if there’s no room, it will overwrite.
11. Choose your backup options. Depending on the time it takes to back up, you will want to adjust this. With the size of external hard drives nowadays, I don’t see any other reason why you’d want to stray from Full Backups. If the backups are under 100GB and you have 1TB drives, go ahead and choose full backups (at the speed of USB2.0 or greater this will most likely only take about 4-5 hours). This will make it easier for restores in an offsite rotation scenario, managing jobs in the long run, and give you ~8 days worth of backups.
12. Always select it to verify backups
13. Schedule the job to run later
14. For the schedule, you would usually want to choose Recurring Week Days, and select the days you want it to backup per your conversation with the client.
15. For the Time Window, select what time you’d like the backup to start.

Adjusting Alerts
1. Go to Tools > Alert Categories
2. For “Media Insert”, and “Media Overwrite”, ensure that you select “Automatically clear alert after” 2 Minutes (or whatever you want), and Respond with “Yes”
NOTE: IMPORTANT If you don’t do this, Backup Exec will actually wait FOREVER (literally) for someone to manually acknowledge the alert by clicking Yes, No, or Cancel. It will always pop an alert because it’s hitting a pool to search for available media. By responding with Yes, it will now begin to Overwrite and/or use the device and media that you have selected the job to use.

Testing Job
1. Unplug one of the drives
2. Manually Run the Job
3. Verify that the job has run successfully and note what problems you have run into, and correct or note as necessary
4. Run the Job AGAIN on the same drive. Ensure that it runs and appends to the drive. This will prove that the drive can be written to and is not “locked” due to an incorrect setting on the job or media.
5. Unplug the tested drive
6. Run steps 2-4 on the other drive to ensure that everything is OK.
7. Run a test restore
8. You can now leave one of the drives onsite, and take another with you or leave it with the client. You can now assure the client that they now have good backups (one onsite, and one that’s going offsite), and that you’ve thoroughly tested the backups and also performed a test restore.

Wrap up
1. Note any false positives in notes for the client (for backup troubleshooting in the future)
2. Update the Backup section for the client in notes.
3. Even if there was no BEV, send a BEV out saying that they now have a backup system in place.

ESX Patch Management

Tuesday, April 14th, 2009

VMware’s ESX Server, like any system, needs to be updated regularly. To see what patches have been installed on your ESX server use the following command:

esxupdate query

Once you know what updates have already been applied to your system it’s time to go find the updates that still need to be applied. You can download the updates that have not yet been run at http://support.vmware.com/selfsupport/download/. Here you will see a bevy of information about each patch and can determine whether you consider it an important patch to run. At a minimum, all security patches should be run as often as your change control environment allows. Once downloaded make sure you have enough free space to install the software you’ve just downloaded and then you will need to copy the patches to the server (using ssh, scp or whatever tool you prefer to use to copy files to your ESX host). Now extract the patches prior to running them. To do so use the tar command, as follows:

tar xvzf .tgz

Once extracted, cd into the patch directory and then use the esxupdate command with the update flag and then the test flag, as follows:

esxupdate --test update

Provided that the update tests clean, run the update itself with the following command (still with a working directory inside the extracted tarball from a couple of steps ago):

esxupdate update

There are a couple of flags that can be used with esxupdate. Chief amongst them are --noreboot (which doesn’t reboot after a given update), -d, -b and -l (which are used for working with bundles and depots).

If esxupdate fails with an error code these can be cross referenced using the ESX Patch Management Guide.

You can also run patches without copying the updates to the server manually, although this will require you to know the URL of the patch. To do so, first locate the patch number that you would like to run. Then, open outgoing ports on the server as follows:

esxcfg-firewall --allowOutgoing

Next, issue the esxupdate command with the path embedded:

esxupdate --noreboot -r http:// update

Once you’ve looped through all the updates you are looking to run, lock down your ESX firewall again using the following command:

esxcfg-firewall --blockOutgoing
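The remote-patch loop above as one script, added here as an example and not part of the original post: it tests each patch before installing it and re-blocks outgoing ports even when an update fails or the run is interrupted. The repository URLs are supplied by the caller; the ESXUPDATE and ESXCFG_FIREWALL override variables and the function names are assumptions made for this sketch, as is combining the post's --test and -r options in one call.

```shell
#!/bin/bash
# Added example: apply ESX patches from remote repositories while keeping the
# service console's outgoing ports open only for the duration of the run.
# ESXUPDATE / ESXCFG_FIREWALL are hypothetical override variables (not ESX
# settings) so the commands can be swapped for stubs in a dry run.
ESXUPDATE="${ESXUPDATE:-esxupdate}"
ESXCFG_FIREWALL="${ESXCFG_FIREWALL:-esxcfg-firewall}"

relock_firewall() {
    "$ESXCFG_FIREWALL" --blockOutgoing
}

# apply_remote_patches REPO_URL [REPO_URL...]
# Returns 0 only if every patch tested clean, installed, and the firewall
# was locked down again afterwards.
apply_remote_patches() {
    if [ "$#" -eq 0 ]; then
        echo "usage: apply_remote_patches REPO_URL [REPO_URL...]" >&2
        return 2
    fi
    failed=0

    # If the run is interrupted, close the outgoing ports before exiting.
    trap 'relock_firewall; exit 130' INT TERM HUP
    "$ESXCFG_FIREWALL" --allowOutgoing || { trap - INT TERM HUP; return 1; }

    for url in "$@"; do
        # Dry run first (assumption: --test may be combined with -r).
        if ! "$ESXUPDATE" --test -r "$url" update; then
            echo "test failed, not installing: $url" >&2
            failed=1
            continue
        fi
        if ! "$ESXUPDATE" --noreboot -r "$url" update; then
            echo "install failed: $url" >&2
            failed=1
        fi
    done

    # Lock down again no matter how the loop went.
    relock_firewall || { echo "WARNING: outgoing ports are still open" >&2; failed=1; }
    trap - INT TERM HUP
    return "$failed"
}
```

Call it as apply_remote_patches followed by one repository URL per patch; a non-zero return means at least one patch was skipped or failed and the esxupdate output should be reviewed.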

New article on Xsan Scripting by 318

Saturday, April 11th, 2009

318 has published another article on Xsanity, for scripting various notifications and monitors for Xsan and packaged up into a nice package installer. You can find it here
http://www.xsanity.com/article.php/20090407150134377.

Setting Up Folders and Rules in Outlook

Friday, April 10th, 2009

In Outlook, to create a new folder, right click on the Mailbox – Username on the left side and select New Folder. Type in the name FooBar E-mail for the Name. For the “Folder Contains” you should choose Mail and Post Items (Which should be the default).

Now that you have the folder created, a rule needs to be set up so that all e-mail that was addressed using the swpinvest.com e-mail address goes into that folder. To start off, go to Tools and then Rules and Alerts. Click on New Rule. Select “Move messages from someone to a folder”. Click Next. Uncheck anything that is currently checked. Then put a check mark in “with specific words in the recipient’s address”. Now down in the lower window, click on the blue text that says “specific words”. Another box should pop up. In the top thin box, type the user’s FooBar.com e-mail address in and then click Add. If they have any sort of alias they should add that one as well. Click OK when done. Now click on “specified folder”. It will bring up another window. Find the FooBar folder that was created earlier, highlight it and then click OK. Once the blue highlighted words are correct, you should be able to click on Finish and be done.

Now any e-mail that comes into the new Exchange server with the FooBar.com e-mail address will be directed to that folder of the user it was addressed to.

Terminal Server 2008 Load Balancing

Thursday, February 12th, 2009

Load balancing is fairly straight forward in Microsoft Windows Terminal Server 2008.  Before you get started you’ll need to have multiple terminal servers, a Windows 2008 Active Directory environment and a centralized location to store your user profiles. 

When setting up Terminal Servers with load balancing and redirected profiles, no single terminal server should get overloaded by users while another terminal server sits idle.  When a user tries to connect to the terminal server, the master terminal server checks the load on each one of the servers.  It then logs the user into the terminal server with the least load.  Since redirected profiles are set up, every user that logs in will have all of their desktop items, documents folder and pretty much everything that they will need.  The user does not even need to know that they are on a different terminal server than they were the last time that they logged in.

To install Terminal Server clustering first verify that you meet the prerequisites of centralized home folder storage, Active Directory 2008 and multiple terminal servers.  Then install the TerminalServer Session Broker service on each one of the servers.  Then on one of the servers, you need to add all of the terminal servers into the session directory under groups in Local Users and Groups.  You only need to add it on one server and the change will replicate.

The next thing you need to do is set up an alias and associate all of the IP addresses for the terminal servers with that alias.  Once complete, when you do an nslookup on that alias, it should display all of the IP addresses that you entered.

Then you will need to make some changes to group policy.  It appears that you must have a 2008 Domain Controller set up with the most upgraded schema to be able to do this.   Go to Computer Settings -> Policies -> Administrative Templates -> Windows Components -> Terminal Services -> Terminal Server and then TS Session Broker.  In here you need to put the name of the alias under Configure TS Session Broker Farm Name.  Then put the name of the main terminal server in Configure TS Session Broker name.  You also need to enable Join TS Session Broker and Use TS Session Broker Load Balancing.  After you have that set up, save the Group Policy Object (GPO) and attach it to the Organizational Unit (OU) that holds the terminal servers.

Once your group policies are in place you can focus on making the lives of your users a bit easier by enabling redirected user profiles.  First, you will need a place to put all of the user profiles.  Then you will want to move all of the users that need to access the terminal servers into a new Organizational Unit, create a new group policy object and enable folder redirection.  To enable folder redirection, go to User Configuration -> Policies -> Windows Settings and then Folder Redirection.  Here, enable each folder redirection policy that you feel the users in the organization will need (this is different for everyone and can require a little testing to get it perfect).  While the choices are a lot to consider at first, Appdata, Desktop and My Documents are the most standard ones to choose and represent a great starting point.  The basic setting is what you will most likely want to use and then just put the root path to your profile in.  It will then give you an example of where everything will be stored and you will verify that the user names and the folders that you created on the network share are the same.

Once all of the users are able to log into any of the terminal servers and get the same exact environment no matter which server they log into, you are mostly done.  With load balancing set up, one terminal server being overused is no longer something you need to worry about with 2008.  Once the cluster is set up, the master terminal server will take care of the rest.

Xsanity article on Configuring Network Settings using the Command Line

Tuesday, February 10th, 2009

We have posted another article to Xsanity on “Setting up the Network Stack from the Command Line”. An excerpt from the article is as follows:

Interconnectivity with Xsan is usually a pretty straight forward beast. Make sure you can communicate in an unfettered manner on a house network, on a metadata network and on a fibre channel network and you’re pretty much good to go. One thing that seems to confuse a lot of people when they’re first starting out is how to configure the two ethernets. We’re going to go ahead and do two things at once, explain how to configure the interface and show how to automate said configuration from the command line so you can quickly deploy and then subsequently troubleshoot issues that you encounter from the perspective of the Ethernet networks.

View the full article here.

launchdaemons vs. launchagents

Thursday, July 10th, 2008

Note: For more information about the information contained in this article, contact us for a professional consultation.

There are two types of services that launchd manages:

Launch daemons can run without a user logged in. Launch daemons cannot display information using the GUI. Launch daemon configuration plist files are stored in the /System/Library/LaunchDaemons folder (for those provided by Apple et al) and /Library/LaunchDaemons (for the rest).

Launch agents run on behalf of a user and therefore need the user to be logged in to run. Launch agents can display information through the window server. As with launch daemons, launch agent configuration plist files are stored in the /System/Library/LaunchAgents and /Library/LaunchAgents folders. User launch agents are installed in the ~/Library/LaunchAgents folder.

Configure ClamAV on a Kerio Mail Server

Wednesday, May 28th, 2008

As of KMS 6.1, Kerio introduced clamAV support. This works by communicating with any clamd daemon via the localhost on port 3310. clamAV can be downloaded via package utilities such as MacPorts and Fink, but it compiles fine from source on Mac OS X, so that is the preferred method.

To compile the source, you will need the Mac OS X Developer Tools (actually just gcc), which are available from the Mac OS X Installer CD and developer.apple.com (Apple ID required).

Once downloaded/installed, you can download the clamAV source (latest stable release) from http://www.clamav.org/download/sources
The file is typically a .gz, which Safari will auto-expand. The resulting tar file can be double-clicked to expand (alternatively you can use tar -xzf /path/to/clamav-*.tar.gz or tar -xf /path/to/clamav-*.tar).

Once expanded you need to create a terminal session at that folder (i.e. cd /path/to/folder ) or “cd” and drag and drop the folder to automatically fill in the path. Verify you are in the right folder by typing “pwd”

Next you must configure clamAV for the compile operation, and then install:

CFLAGS="-O0" ./configure && make install

/usr/local/etc/clamd.conf

LogFile /var/log/clamav.log
LogTime yes
LogSyslog yes
LocalSocket /tmp/clamd
TCPSocket 3310
TCPAddr 127.0.0.1
MaxDirectoryRecursion 15
ScanOLE2 yes
ScanMail yes
ScanArchive yes
ClamukoScanOnOpen yes
ClamukoScanOnClose yes
ClamukoScanOnExec yes
ClamukoIncludePath /Users
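A check for the listener lines in the clamd.conf above, added here as an example and not part of the original post. clamd's TCP socket has no authentication and binds to every interface when TCPAddr is absent, so the function (its name is an assumption) confirms that the port Kerio uses is reachable on loopback only.

```shell
#!/bin/sh
# Added example: verify that clamd's TCP listener matches what the article
# sets up for Kerio (port 3310, loopback only). Reads a clamd.conf on stdin.
#
# check_clamd_listener < /usr/local/etc/clamd.conf
# Prints one finding per line; returns 0 when the listener is loopback-only
# on port 3310, 1 otherwise.
check_clamd_listener() {
    awk '
        /^[ \t]*#/ { next }                 # skip comment lines
        NF == 0    { next }                 # skip blank lines
        $1 == "TCPSocket" { port = $2 }
        $1 == "TCPAddr"   { addr[++n] = $2 }
        END {
            bad = 0
            if (port == "") {
                print "FAIL: no TCPSocket line, Kerio cannot reach clamd over TCP"
                bad = 1
            } else {
                if (port != "3310") {
                    print "FAIL: TCPSocket is " port ", the article expects 3310"
                    bad = 1
                }
                if (n == 0) {
                    # Without TCPAddr clamd binds to all interfaces.
                    print "FAIL: TCPSocket without TCPAddr, clamd listens on every interface"
                    bad = 1
                }
            }
            for (i = 1; i <= n; i++)
                if (addr[i] != "127.0.0.1" && addr[i] != "localhost" && addr[i] != "::1") {
                    print "FAIL: TCPAddr " addr[i] " is not a loopback address"
                    bad = 1
                }
            if (!bad) print "OK: clamd listens on loopback only, port " port
            exit bad
        }'
}

# Demo on a constructed config: the article's listener lines with TCPAddr left out.
printf 'TCPSocket 3310\nLocalSocket /tmp/clamd\n' | check_clamd_listener || true
```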

/usr/local/etc/freshclam.conf

LogSyslog yes
PidFile /var/run/freshclam.pid
DatabaseOwner clamav
DatabaseMirror database.clamav.net
NotifyClamd /usr/local/etc/clamd.conf

/Library/LaunchDaemons/net.clamav.clamd.plist


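<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>net.clamav.clamd</string>
<key>ProgramArguments</key>
<array>
<string>/usr/local/sbin/clamd</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>UserName</key>
<string>clamav</string>
</dict>
</plist>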

/Library/StartupItems/ClamAV/ClamAV

#!/bin/bash
. /etc/rc.common

StartService ()
{
    ConsoleMessage "Starting ClamAV"
    exec /usr/local/sbin/clamd
}

StopService ()
{
    ConsoleMessage "Stopping ClamAV"
    /usr/bin/killall clamd
}

RestartService ()
{
    ConsoleMessage "Restarting ClamAV"
    StopService
    StartService
}

RunService "$1"

/Library/StartupItems/ClamAV/StartupParameters.plist

{
  Description = "ClamAV";
  Provides = ("ClamAV");
  OrderPreference = "Early";
  Messages =
  {
    start = "Starting ClamAV";
    stop = "Stopping ClamAV";
  };
}

Backing Up With Carbon Copy Cloner

Wednesday, April 2nd, 2008

The newest version of carbon copy cloner, now version 3.1, has a number of features that move it closer to a viable automated backup system.

Carbon Copy Cloner is now a wrapper application that runs a series of terminal commands to accomplish its goal, but it does them very well.

Compatibility: 10.4 or higher. Universal Binary

Usage:

Cloning: As its name suggests the first feature of this software is to clone one drive to another. This is how the program started and was one of the few good third party software applications to do drive cloning on the mac.

The software interface is simple. Choose a source volume and choose a destination volume. If you are cloning you by default want to overwrite the destination drive.

New Feature: There is now a built in feature that tests the “Bootability” of the target drive after the clone. This will let you know whether the target drive can be used as a boot volume.

Local Backup: Instead of copying all data from the local to the target drive, you can now choose to do incremental backups of selected files. The source file system tree is then displayed, you can choose to check mark the boxes that you wish to backup. This model is good because you can choose the user directory to back up but then deselect the music folder within the user. Any new files or folders in the user directory will get backed up, but any files or folders in the music will not be.

Destination in subdirectory & Pre or Post Script runs: to copy data into a subdirectory of the target drive you must choose the pull down the Application Menu, between the Apple menu and File menu. Then choose Advanced Settings. This will give you a field to enter a pathname to specify a subdirectory to receive the copied files. You will also see fields to specify scripts to run either before or after the copy. Classically this is to stop and then start a database, or execute a database export for backup. I have also seen commands to gzip a directory structure and then decompress it after the copy.

Incremental Backups: When you choose your destination you can choose whether to do a full copy or an incremental copy. In addition you are presented with options to choose whether files are deleted if they are not on the source, and whether to preserve files that are deleted or overwritten. This option creates a directory at the destination point, _CCC_Year_Month_Time, that will indicate that the files inside are the files that would have been overwritten by the incremental backup. As of now there is no way to automatically remove these files without further scripting or user intervention. If you are at a client that makes use of CCC and the destination drives are reaching capacity, these are the files to remove to conserve space.

Filtering: This version of CCC has filtering. The gearbox next to the source drive selector will be available if the source drive is local. These filters will show what you have chosen not to include. In addition you can add to this filter exceptions by file extension or exceptions by pathname. The latter filter works the same way as the exceptions in rsync. If you add an entry to this list, any path name that has content that matches this string will be ignored.

For example: If you back up the /Users/ directory but place “iTunes” in the advanced filter. It will backup all the user folders but will ignore all of the iTunes folders inside all of the user folders.

Disk Images as destinations: This allows you to create a sparse image file, with encryption should you choose it, to be the destination of the backups. The image file needs to be local. You could use other scripts to move these files around.

Remote Backup: A recent update to this feature makes this a more viable solution for cost effective backup. In the interface you can choose the source to be a remote mac or the destination to be a remote mac, but not both. If you choose the source to be a remote mac you cannot apply the file filters. In most circumstances I prefer to set this up on a client computer that is to be backed up and then choose the remote computer to be the server that will receive the data. In either case, for a remote computer to be the source or the destination, you have to generate an authorization package installer.

This creates an SSH encryption key that is installed into /var/root/.ssh, which allows the rsync process to run over an ssh tunnel without username:password authorization. This package needs to be installed on both the source and destination computers. These installers will now play nice with each other and concatenate their encryption keys so multiple sources can write to the same computer.

Note: Computers set as destinations must have ssh enabled. Normally done by enabling “remote login” in the sharing pane of system preference.
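Because each authorization package adds another password-less root key on the destination, it is worth reviewing what has accumulated there. The following audit is an added example, not part of the original post or of CCC; it assumes the keys end up in the standard OpenSSH file /var/root/.ssh/authorized_keys, and the function name and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the keys that can log in as root without a password and
# flag those with no from= or command= restriction.
#
# audit_root_keys [FILE]    ("-" reads stdin; default is root's authorized_keys,
#                            an assumed location, readable only as root)
# Output: <line> <open|restricted|malformed> <key type> <comment>
# Returns 1 if any entry is open or malformed, 0 otherwise.
audit_root_keys() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*#/ { next }                 # skip comment lines
        NF == 0    { next }                 # skip blank lines
        {
            # The key type is the first field unless options precede it.
            kt = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-)/) { kt = i; break }
            if (kt == 0) { printf "%d malformed - -\n", NR; bad = 1; next }

            # Everything before the key type is the options string.
            opts = ""
            for (i = 1; i < kt; i++) opts = opts (i > 1 ? " " : "") $i

            comment = (kt + 2 <= NF) ? $(kt + 2) : "-"
            if (opts ~ /from=/ || opts ~ /command=/) {
                status = "restricted"
            } else {
                status = "open"
                bad = 1
            }
            printf "%d %s %s %s\n", NR, status, $kt, comment
        }
        END { exit bad }' "${1:-/var/root/.ssh/authorized_keys}"
}

# Demo on constructed entries (key material is placeholder text, not real keys).
printf '%s\n' \
    'ssh-rsa AAAAconstructed1 root@client-a' \
    'from="192.0.2.10",no-pty ssh-rsa AAAAconstructed2 root@client-b' |
    audit_root_keys - || true
```

Entries reported as open accept a root login from any address with the matching private key, so they are the ones to trace back to a known backup source or remove.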

Scheduling Backups: Once you have the specifics of the copy process set you can choose to save the task. This will open a new window called “Backup Task Scheduler”. In it you will see a list of scheduled tasks. These tasks correspond to entries in /Library/LaunchDaemons; each one will run as a daemon process called ccc_helper.

You can schedule operations on a hourly, daily, weekly, monthly basis or whenever the drive is connected. That last option is only viable for a backup that writes to a local drive.

The settings tab allows you to specify whether the backup destination will be determined by pathname only or whether to use the unique uuid for each drive.

You can access existing schedules by going to the Application menu again and choosing “Scheduled Tasks…”

NOTE: if the destination drives at the client rotate onsite and offsite there are two things to consider. First is that the scheduled backups should NOT be using the unique uuid and that both drives should have the same name so that they can receive remote backups properly. The good news is that the ccc_helper daemon is smart enough to not write into the /Volumes directory if there is no drive there that matches the destination name.

The description field is by default populated with common language describing the specifics of the backup script. This can be edited to be anything that you like.

Cancelling a copy in process: If you can see the windows for the ccc_helper app you can press the cancel button. If you do so you are given two options. One is to skip this execution, which will relaunch on the next scheduled time, or you can defer. If you choose to defer you can have this newly selected time be the execution time from now on. This is probably the only drawback to having the backup run on a client computer: they can cancel the process on their own.

Conclusions: All in all you get a lot with this simple product and it can be of great use even in limited applications. If your client is mostly mac and does not want to invest in an expensive backup situation it can go a long way to backing them up.

Pros: It is donation ware: Meaning it is freeware that will bug you for a donation now and again. It uses existing technology on your system, namely rsync and ssh. It is HFS+ meta-data aware. It is the ccc-helper that does the work and it will copy the hfs+ meta data over ssh. It writes out its own ccc log file.

Cons: Does not handle failure gracefully: If it cannot perform its actions it will bring up an on screen alert that will stay until dismissed. Using incremental backup on a very large file list can be memory intensive. This is more pronounced in local copies as it seems to break down the rsync operations on a folder by folder basis with a remote destination. Filtering is only available if the source is local. MAC ONLY. No support for any other operating system.

Leopard: Automatically Expand Open and Save Dialogs

Tuesday, February 26th, 2008

The open and save dialogs can automatically have the expanded view opened by default rather than having you need to open it manually each time you go to open or save a file. To enable this setting, use the following command: defaults write -g NSNavPanelExpandedStateForSaveMode -bool TRUE

Setting Up Blackberry Enterprise Clients

Tuesday, February 19th, 2008

To Setup Blackberry Enterprise Services use the following steps on your Blackberry Handheld:

1) Go to the “Options” / “Settings” icon, which is usually the wrench on the main menu, and click on it

2) Go to “Advanced Options” and click on it

3) Go to “Blackberry Enterprise Activation” and click on it

4) Enter your email address

5) Enter this Code / Password “aaaa” (or whatever was created as the code)

Save, Ok or Enter (Whatever it asks)

Configure the Maximum LDAP Connections in Kerio Mail Server

Friday, November 30th, 2007

1. Stop the Kerio Engine

2. Navigate to C:\Program Files\Kerio\MailServer\mailserver.cfg (sudo nano /usr/local/kerio/mailserver/mailserver.cfg on a Mac) and open the mailserver.cfg

3. Make a Copy of this file as a backup

4. Do a find for “ConnectionLimit”

5. Modify the following line:32

The default limit is 32.

6. After making the change, save the file and restart the mailserver engine.

Setting Up VPN Clients in OS X, Vista and Windows XP

Thursday, November 29th, 2007

The steps for setting up VPN connections are straightforward for both Macs and PCs. Here are the steps to follow for setting up new VPN connection on a client desktop or laptop to their server:

Mac OS X (Tiger) –
* First, open the ‘Applications’ folder by going to the Finder and choosing “New Finder Window” from the “File” menu. Click on the “Applications” icon, then scroll down until you see the “Internet Connect” icon.
* Click on the “Internet Connect” icon.
* Next, go to the ‘File’ menu and select “New VPN Connection Window.”
* On the window that pops up prompting you to choose which type of VPN, click ‘PPTP,’ then click ‘Continue.’
* In the new window, for the configuration, click on ‘Other’ and select ‘Edit Configurations…’
* A new window will come up. You should then type in a description of the VPN connection in the Description text field.
* Type in the DNS name of the server you want to connect to as the ‘Server Address.’
* Type in the username you will use to access the server. This username should have already been created on the server.
* In the next text box, enter your VPN password. The password should also have been previously set.
* Un-check ‘Enable VPN on demand’, and ‘Encryption’ should be set to ‘Automatic’.
* Click the ‘OK’ button. Your configuration is saved, and you are ready to connect.

Mac OS X (Leopard) –
* Go to the Apple menu in the upper left-hand corner of the top menu.
* Click on System Preferences from the drop-down menu.
* Click on the ‘Network’ icon.
* In the right-hand menu, click on the drop-down menu next to ‘Configuration’, which currently says ‘Default’, and select ‘Add Configuration’.
* Type in a name for the configuration: CITES VPN or the alternate name you chose in step # 8.

Mac OS X (Lion) –
* Go to the Apple menu in the upper left-hand corner of the top menu.
* Click on System Preferences from the drop-down menu.
* Click on the ‘Network’ icon.
* Click on the ‘plus’ button on the bottom of the left column and choose VPN from the Interface dropdown menu.
* Choose the type of connection from the ‘VPN Type’ menu (typically PPTP).
* Label the connection with a name of your choosing in the ‘Service Name’ field.
* Enter the proper information in the ‘Server Address’ and ‘Account Name’ fields.
* If you are not using a shared computer you can click on the ‘Authentication Settings’ button and enter your password to store it for future sessions.
* Check the box labeled ‘Show VPN status in menu bar’.
* From the menu choose Connect yourchosenVPNlabel – the status of the connection will update and start counting seconds when you are connected.

12. In the right-hand menu, enter the following information:

Configuration: DAS VPN (or a name of your choosing)
Server Address: the.vpn3.domain.com
Account Name: Your guest ID
Encryption: Maximum (128 bit only) from the drop-down menu

13. Check the box next to Show VPN status in menu bar.

Windows Vista:
1. From the Start Menu, right click on Network, select Properties. This will open the Network and Sharing Center.
2. On the left side, click on Set up a connection or network.
3. Select Connect to a workplace.
4. Click on the Next button.
5. Select Use my Internet connection (VPN).
6. Replace the Example with the actual WAN IP address of the VPN server you will be connecting to. Also, you can change the name from VPN Connection to something that is more meaningful.
7. Click on the Next button.
8. Enter in the User Name and Password of your VPN account.
10. Now from the Network and Sharing Center, you can go to Manage Network Connections to see the new VPN connection. This is also where you disconnect. To reconnect later, go to the Network and Sharing Center and click Connect to a network.

Time Navigator Installation Checklist

Monday, November 26th, 2007

This document will be followed up by a document with more detailed instructions for each checkbox.

Client management [ ] Talk to the client to verify the SOW from ATEMPO [ ] Discuss the amount of data and retention policies.

Preflight [ ] Verify host name of server and clients. [ ] Verify hardware. [ ] Verify version. Time Navigator gets new revisions quite often, check with your Atempo point of contact to make sure you have the latest version.

Installation:

[ ] Atempo license email should have been sent to the client contact.
[ ] Log into the Atempo license web site to the point where it asks for the host id.
[ ] Log in to the computer as root. [All installations should be done as root; enable the root user if you need to.]
[ ] Run the License Manager Installation.
[ ] Copy and paste the host id into the license web site.
[ ] Generate and download license key.
[ ] Indicate the license key file in the License Manager installer.
[ ] Run Time Navigator installer.
[ ] Designate the environment name (usually tina).
[ ] Designate ports (default to 2525 and 2526).
[ ] When installation is complete, restart the computer.
[ ] Start the Atempo launcher.
[ ] Start “The Configurator”.
[ ] Create initial catalog.
[ ] Detect attached tape drives and libraries.
[ ] Start Tina Administrative console.
[ ] Run diagnostic test on all physical drives.
[ ] Create VLS libraries [if necessary].
[ ] Create tape pools.

Set up Agents on Back up clients

[ ] Install initial agent.
[ ] Create package installer.
[ ] Deploy package to remaining agents
[ ] Install remaining non Mac OS X computers
[ ] Add agents as hosts.
[ ] Create back up classes
[ ] Create back up strategies
[ ] Run test back ups
[ ] Run restore tests
[ ] Customize tina install to features of the client

Addendum :: Replication

[ ] Select the host to be the source of replication
[ ] Select Platform > Application > Filesystem
[ ] Create back up class on new Application icon
[ ] Create strategy with replication activated
[ ] Create destination within the strategy

Completion

[ ] Review the SOW from Atempo with the Client
[ ] Train the client on how to monitor backups.

Creating Backup Jobs in PresSTORE

Friday, November 23rd, 2007

The user interface for PresSTORE is a bit confusing at first. Once you get beyond the initial installation you will need to create backup jobs, as with most other applications. To create each Backup Job:

  • Reopen browser window and click Start PresSTORE Browser.
  • Click on Job and Storage Management.
  • Click on backup plans.
  • Click on File -> New Backup Plan.
  • Enter a description for the backup plan (name of plan).
  • Select the clients for the backup plan and then click the pencil icon to select which directories to backup.
  • Set your File Filters.
  • Click Apply and then click Close.
  • Choose when to start the backup (can run multiple plans simultaneously).
  • Set the backup schedule.
  • Select the Target for Full, Synthetic and Incrementals.

Basic Installation of PresSTORE from Archiware

Friday, November 23rd, 2007

Installing PresSTORE

  • Enable Root User.
  • Extract the tar file you downloaded from the Internet.
  • Open the new directory and browse to the folder Server.
  • From the Server folder browse to the macosx folder.
  • From the macosx folder open the installer (awpstxxxx).
  • Click Continue 3 times and then Agree.
  • You will now be placed at the location to decide where you want to install PresSTORE. If you would like to install it on your boot drive then click Install. Otherwise click Change Install Location to customize where to install PresSTORE.
  • Enter root credentials to authenticate the software and click on OK.
  • When the installation is complete, log in as root to the new software.
  • Click on Start PresSTORE Browser.
  • Click on General Setup.
  • Double-Click on licenses.
  • Click on File -> New License.
  • Enter Serial Number and License Key.
  • Select a module under Scope of License.
  • Click Apply and check that the Message says “Resource updated”.
  • Click close and close browser window.