Posts Tagged ‘guide’

How to Configure basic High Availability (Hardware Failover) on a SonicWALL

Friday, November 30th, 2012

Configuring High Availability (Hardware Failover) on a SonicWALL requires the following:

1. Two SonicWALLs of the same model (TZ 200 and up).

2. Both SonicWALLs need to be registered at MySonicWALL (regular registration first, and then one as HF Primary and one as HF Secondary).

3. The same firmware versions need to be on both SonicWALLs.

4. Static IP addresses are required for the WAN Virtual IP interface (you can’t use DHCP).

5. Three LAN IP addresses (one for Virtual IP, one for the management IP, and one for the Backup management IP).

6. A crossover cable (to connect the SonicWALLs to each other) on the last Ethernet interfaces.

7. One hub or switch for the WAN port on each SonicWALL to connect to.

8. One hub or switch for the LAN port on each SonicWALL to connect to.


1. High Availability cannot be configured if “built-in wireless is enabled”.

2. On NSA 2400MX units, High Availability cannot be configured if PortShield is enabled.

3. Stateful HA is not supported for connections on which DPI-SSL is applied.

4. On TZ210 units the HA port/Interface must be UNASSIGNED before setting up HA (last available copper ethernet interfaces).



1. Register both SonicWALLs at MySonicWALL as High Availability Pairs BEFORE connecting them to each other:

• “Associating an Appliance at First Registration”:

• “Associating Pre-Registered Appliances”:

• “Associating a New Unit to a Pre-Registered Appliance”:

2. Log in to the Primary HF and configure the SonicWALL (firewall rules, VPN, etc.).

3. Connect the SonicWALLs to each other on their last Ethernet ports using a crossover cable.

4. Connect the WAN port on both SonicWALLs to a switch or hub using straight through (standard) ethernet cables, and then connect the switch to your upstream device (modem, router, ADTRAN, etc.)

5. Ensure the Primary HF can still communicate to the Internet.

6. Connect the LAN port on both SonicWALLs to a switch or hub using straight through (standard) ethernet cables, and then connect them to your main LAN switch (if you don’t have one, you should purchase one. This will be the switch that all your LAN nodes connect to.).

7. Go to High Availability > Settings.

8. Select the Enable High Availability checkbox.

9. Under SonicWALL Address Settings, type in the serial number for the Secondary HF (Backup SonicWALL). You can find the serial number on the back of the SonicWALL security appliance, or in the System > Status screen of the backup unit. The serial number for the Primary SonicWALL is automatically populated.

10. Click Accept to save these settings.


Configuring Advanced High Availability Settings

1. Click High Availability > Advanced.

2. Put a check mark for Enable Preempt Mode.

3. Put a check mark for Generate / Overwrite Backup Firmware and Settings when Upgrading Firmware.

4. Put a check mark for Enable Virtual MAC.

5. Leave the Heartbeat Interval at the default (5000 ms).

6. Leave the Probe Interval at default (no less than 5 seconds).

7. Leave Probe Count and Election Delay Time at default.

8. Ensure there's a check mark for Include Certificates/Keys (without it the backup unit is synced without the certificates and VPN keys it needs to take over those services).

9. Press Synchronize settings.


Configuring High Availability > Monitoring Setting

(Only do the following on the primary unit; the settings will be synced to the secondary unit.)

1. Login as the administrator on the Primary SonicWALL.

2. Click High Availability > Monitoring.

3. Click the Configure icon for an interface on the LAN (ex. X0).

4. To enable link detection between the designated HA interface on the Primary and Backup units, leave the Enable Physical Interface monitoring checkbox selected.

5. In the Primary IP Address field, enter the unique LAN management IP address.

6. In the Backup IP Address field, enter the unique LAN management IP address of the backup unit.

7. Select the Allow Management on Primary/Backup IP Address checkbox.

8. In the Logical Probe IP Address field, enter the IP address of a downstream device on the LAN network that should be monitored for connectivity (something that has an address that’s always turned on like a server or managed switch).

9. Click OK.

10. To configure monitoring on any of the other interfaces, repeat the above steps.

11. When finished with all High Availability configuration, click Accept. All changes will be synchronized to the idle HA device automatically.


Testing the Configuration

1. Allow some time for the configuration to sync (at least a few minutes), then power off the Primary SonicWALL. The Backup SonicWALL should quickly take over.

2. Test to ensure Internet access is OK.

3. Test to ensure LAN access is OK.

4. Log into the Backup SonicWALL using the unique LAN address you configured.

5. The management interface should now display “Logged Into: Backup SonicWALL Status: (green ball)”. If all licenses are not already synchronized with the Primary SonicWALL, go to System > Licenses and register this SonicWALL at MySonicWALL, which allows the SonicWALL licensing server to synchronize the licenses.

6. Power the Primary SonicWALL back on, wait a few minutes, then log back into the management interface. The management interface should again display “Logged Into: Primary SonicWALL Status: (green ball)”.

NOTE: Successful High Availability synchronization is not logged, only failures are logged.
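The failover test above is easier to judge with numbers. The script below is an added example, not part of the original post: run it from a LAN host while you power off the primary and it pings the LAN virtual IP once a second, then reports every gap in which the VIP stopped answering, so you can compare the gap with the Heartbeat Interval and Election Delay Time you configured. The VIP address 192.168.1.1 is an assumption, and the ping flags are the Linux ones.

```python
"""Measure how long the LAN virtual IP stops answering during an HA failover.

Added example, not from the original post. Run it from a LAN host before
powering off the primary; it probes the VIP (assumed 192.168.1.1) once a
second and summarises every gap it saw. Uses the Linux ping flags.
"""
import subprocess
import sys
import time
from datetime import datetime


def probe(host, timeout_s=1):
    """One ICMP echo via the system ping; True if the host answered."""
    result = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), host],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def outages(samples):
    """Turn (timestamp, reachable) samples into (start, end, seconds) windows.

    Each window is one run of failed probes, closed by the first successful
    probe after it; a run still open at the end of the samples is closed at
    the last sample time.
    """
    windows = []
    start = None
    last_t = None
    for t, ok in samples:
        if not ok and start is None:
            start = t
        elif ok and start is not None:
            windows.append((start, t, t - start))
            start = None
        last_t = t
    if start is not None:
        windows.append((start, last_t, last_t - start))
    return windows


def longest_outage(samples):
    """Longest gap in seconds, 0 if the target never dropped a probe."""
    return max((gap for _, _, gap in outages(samples)), default=0)


def monitor(host, duration_s, interval_s=1.0):
    """Probe `host` every `interval_s` seconds for `duration_s` seconds."""
    samples = []
    end = time.monotonic() + duration_s
    while time.monotonic() < end:
        t = time.monotonic()
        ok = probe(host)
        samples.append((t, ok))
        print(f"{datetime.now():%H:%M:%S} {host} {'up' if ok else 'DOWN'}")
        time.sleep(max(0.0, interval_s - (time.monotonic() - t)))
    return samples


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"  # assumed LAN VIP
    seconds = int(sys.argv[2]) if len(sys.argv) > 2 else 300
    seen = monitor(target, seconds)
    for start, end, gap in outages(seen):
        print(f"VIP unreachable for {gap:.0f}s")
    print(f"longest outage: {longest_outage(seen):.0f}s")
```

Enable Virtual MAC keeps the VIP's MAC address constant across the failover, so the LAN switch and the hosts' ARP caches do not have to relearn it; a gap that is much longer than the heartbeat and election timers after the backup has clearly taken over points at that layer rather than at the HA settings.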

Creating a binding script to join Windows 7 clients to Active Directory

Tuesday, July 3rd, 2012

There are a few different ways to join Windows 7 to a domain. You can do it manually, use djoin.exe to do it offline, use PowerShell, or use netdom.exe.

  • Doing so manually gets cumbersome when you have a lot of different computers to do it on.
  • With djoin.exe you have to run it on a member computer already joined to the domain for EACH computer you want to join, since it creates the computer object in AD for each computer beforehand.
  • PowerShell is OK to use, but you have to set the execution policy to allow scripts beforehand on EACH computer.
  • Netdom is the way to go, since you prep once for the domain and then run the script with administrator privileges on whatever computers you want to join to the domain. Netdom doesn’t come with most editions of Windows 7 by default. There are two versions of netdom.exe, one for x86 and one for x64. You can obtain netdom.exe by installing Remote Server Administration Tools (RSAT) for Windows 7 and then copying netdom.exe to a share.

A quick way to deal with both x86 and x64 architectures in the same domain would be to make two scripts.  One for x86 and one for x64 and have the appropriate netdom.exe in two different spots \\server\share\x86\ and \\server\share\x64\.

You’ll need to either grab netdom.exe from a copy of Windows 7 that already has it, or install RSAT for either x64 or x86 Windows 7 from here:, whichever you will be working with. Install it on a staging computer. The following steps are how to get netdom.exe from the RSAT installation.

  1. Download and install RSAT for either x64 or x86.
  2. Follow the help file that opens after install for enabling features.
  3. Enable the following feature: Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > AD DS Tools > AD DS Snap-ins and Command-Line Tools

netdom.exe will now be under C:\windows\system32

Create a share readable by everybody on the domain, and drop netdom.exe there. Keep it read-only for everyone except administrators: every client will copy this executable into System32 and run it with administrator rights, so anyone who can write to the share could replace it with something malicious.

Create a script with the following (From:

@echo off
SET netdomPath=c:\windows\system32
SET sourcePath=\\fileshare\folder\
::placeholder: replace with your AD domain name
SET domain=yourdomain.local
::Load adminUser and passwd from BATCH.BAT (kept next to this script)
CALL BATCH.BAT

::If necessary, copy netdom to the local machine
IF EXIST %netdomPath%\netdom.exe goto join
COPY %sourcePath%netdom.exe %netdomPath%
COPY %sourcePath%dsquery.exe %netdomPath%
COPY %sourcePath%dsrm.exe %netdomPath%

:join
::Join PC to the domain under its current computer name
NETDOM JOIN %computerName% /d:%domain% /UD:%adminUser% /PD:%passwd%
IF ERRORLEVEL 1 (
  ECHO Domain join failed, not rebooting.
  EXIT /B 1
)

SHUTDOWN -r -t 0

Change domain and sourcePath to their real values. Remove the dsquery.exe and dsrm.exe lines if not needed; if you’re just joining a domain and not running anything after, you don’t need them.

Create another script called “BATCH.BAT” that holds the credentials of an account allowed to join computers to the domain. Put BATCH.BAT in both places that house your Join-To-Domain script (…/x86 and …/x64). Bear in mind that this password sits in plain text on a share everybody on the domain can read, so do not use a Domain Admin account here: use a dedicated account that has only been delegated the right to create computer objects in the target OU, and change its password once the rollout is done.

@echo off
SET passwd=thisismypassword
SET adminuser=thisismyadminusername

  1. Ensure you have the scripts in the same directory.
  2. Open up a command prompt with administrator privileges and change directory to the location of your scripts.

Running the first script will:

  1. Check whether netdom.exe is already under system32; if it is, it goes straight to the join, and if not it first copies netdom, dsquery, and dsrm from your share.
  2. Once it ensures it has the files it needs, it will join the computer to the domain under the “Computers” OU with its current computer name using the credentials set by BATCH.BAT.
  3. It will reboot when done.

This will work on both Server 2003 and Server 2008.

Open Directory Deployment Checklist

Thursday, April 12th, 2012

Open Directory on Lion Server, if deployed properly, is simple to set up, and is a stable and reliable directory service. If not deployed properly, it’s still simple to set up, but can be maddeningly difficult to troubleshoot and manage. It’s important to deploy it properly.

Some things to consider prior to deployment:

  • You should always discuss the purpose of a Directory service with the client, and make sure that you’ve evaluated their needs correctly. Some of Lion Server’s services absolutely require the system to be an Open Directory Master, but some function just fine on a Standalone system. Device Manager, in particular, will take you through OD Master configuration as a part of its own setup.
  • If legacy user records or other data need to be migrated, this will need to be taken into account, and time should be budgeted for managing this data. If you’re replacing a Leopard or Snow Leopard Open Directory server, you can import an OD Archive, but it may not always be the best idea.
  • Open Directory deployments should always include both an Open Directory Master and an Open Directory Replica. Plan accordingly.
  • Proper DNS resolution is absolutely essential to a successful Open Directory deployment. All servers must have correct forward and reverse lookups. Open Directory will not work properly if DNS is incorrect. If your OD deployment is going to be self-contained, you can set up the DNS service on the OD Master and Replica, so that they can resolve each other, and then the clients can refer to the OD Master for name resolution. If you’re deploying OD into a larger infrastructure, though, it’s advisable to have consistent DNS across the whole organization.
  • It is not recommended that .local be used as the TLD on the network where you’re deploying Open Directory. Though it is possible to successfully deploy Open Directory into a .local namespace, the odds are against you. Don’t do it unless there are really no other options.

You can, if you like, use Server Admin to set up Open Directory, but performs some steps that Server Admin doesn’t. I don’t recommend using it to do the initial setup. However, Server Admin can be helpful in managing Open Directory after deployment. The Server Admin tools are not installed by default on Mac OS X 10.7, so you’ll need to download them from Apple.

When deploying Open Directory, the first thing you need to do is verify that DNS is resolving correctly:

$ sudo changeip -checkhostname

Primary address =

Current HostName =
DNS HostName =

The names match. There is nothing to change.
dirserv:success = “success”

If changeip outputs this error, or one that sounds like it, please repair DNS or set the hostname properly before proceeding.

The DNS hostname is not available, please repair DNS and re-run this tool.

In, there is a utility that helps you change your system’s hostname. Click on the computer name, under Hardware, then click the Network tab, and then click “Edit”.

If your hostname is good, open From the Manage menu, choose “Manage Network Accounts”. (If this option isn’t available, then this server is already managing network accounts, either as an OD Master or Replica.) This will start the setup assistant. You’ll need to provide an administrative account for Open Directory. Please note that this is not the same as the local administrative account that you create on initial server setup, and they should not have the same name. The default, Directory Administrator, is a good choice. Enter your Organization name and an administrator’s email address.

When you’re done, click the “Set Up” button, and you should be shortly returned to, with an Open Directory Master to manage.

At this point, it’s always a good idea to open up Console and check the logs, to make sure that there’s no glaring errors. The really informative one is /Library/Logs/slapconfig.log, but slapd.log and opendirectoryd.log, which are in /var/log, can also be very helpful.

Secure Site-to-Site VPN tunnel using the ASA

Sunday, April 8th, 2012

Site to Site VPN enables an encrypted connection between private networks over a public network (i.e. the Internet).

Basic steps to configure a site-to-site VPN with a Cisco ASA begin with defining the ISAKMP Policy. An ISAKMP/IKE policy defines how a connection is to be created, authenticated, and protected. You can have multiple policies on your Cisco ASA. You might need to do this if your ASA needs to connect to multiple devices with different policy configurations.

  • Authentication: specifies the method to use for device authentication
  • Hash: specifies the HMAC function to use
  • Encryption: specifies which algorithm to use
  • Group: specifies the DH key group to use

Next, you will need to define the IPsec transform set. Different firmware versions and different Cisco devices offer different options, among them:

  • Esp-md5-hmac: ESP with the MD5 (HMAC variant) authentication algorithm
  • Esp-aes: ESP with the 128-bit Advanced Encryption Standard (AES) encryption algorithm
  • Esp-des: ESP with the 56-bit Data Encryption Standard (DES) encryption algorithm
  • Esp-3des: ESP with the 168-bit DES encryption algorithm (3DES or Triple DES)
  • Ah-md5-hmac: AH with the MD5 (HMAC variant) authentication algorithm
  • Ah-sha-hmac: AH with the SHA (HMAC variant) authentication algorithm

3. Configure the crypto access list.

Crypto ACLs identify which traffic is to be encrypted and which is not. After the ACL is defined, the crypto map uses it to identify the traffic that IPsec protects.

It is not recommended to use permit ip any any in a crypto ACL. It causes all outbound traffic to be encrypted and sent to the specified peer.

4. Configure the crypto map.

The crypto map ties the previously defined parameters together: the crypto ACL, the transform set and the peer address.

5. Apply the crypto map to the outside interface.


Configuration of ASA-1

You might have to enable ISAKMP on your device (on the ASA it is enabled per interface; the outside-interface form is shown at the end of each configuration):

ASA-1(config)#crypto isakmp enable

First define the IKE policies on ASA-1:

ASA-1(config)#crypto isakmp policy 10

The lower the policy number, the higher its priority: when the two sides negotiate, the ASA offers its policies in priority order and the first one the peer also accepts is used.

The general rule of thumb is to give the most secure policy the lowest number (like 1) and the least secure policy the highest number (like 10000). Note that the policy built below (des, md5, group 2) is what this walkthrough uses, but all three are weak by current standards; where both peers support it, prefer aes-256, hash sha and group 14 or higher, and keep a legacy policy only at a low priority for peers that need it.

ASA-1(config-isakmp)#encryption des

(enable encryption des)

ASA-1(config-isakmp)#hash md5

(enable algorithm md5 for hashing)

ASA-1(config-isakmp)#authentication pre-share

(enable Pre-shared method)

ASA-1(config-isakmp)#group 2

(enable Diffie-Hellman group 2)


(Exit from crypto isakmp mode)

  • The next step is to create a pre-shared key (password) on ASA-1.

ASA-1(config)#crypto isakmp key office address

(Here the key is “office” and the address is ASA-2’s outside address. “office” is only a placeholder: the pre-shared key is all that authenticates the peer, so use a long random string, and use the same value on both ASAs.)

  • Now create an access list that defines only the interesting traffic.

ASA-1(config)#access-list 100 permit ip host host

(100 is the access-list number; the first host is the source address and the second the destination address. ASA-2’s list must be the mirror image of this one.)

  • Now create the transform-set for encryption and hashing.

ASA-1(config)#crypto ipsec transform-set ts2 esp-des esp-md5-hmac

(Here encryption type is des and hashing method is md5-hmac)

ASA-1(config)#crypto map testcryp 10 ipsec-isakmp

(crypto map name testcryp)

ASA-1(config)# crypto map testcryp 10 match address 100

(apply the access list)

ASA-1(config)# crypto map testcryp 10 set transform-set ts2

(apply the transform set)

ASA-1(config)# crypto map testcryp 10 set peer

(Set remote peer address)

  • Now apply the crypto map to the ASA-1 outside interface.

ASA-1(config)# crypto map testcryp interface outside

(Apply crypto map on outside interface)

ASA-1(config)# crypto isakmp enable outside

(To enable crypto isakmp on ASA)

Configuration of ASA-2

First define the IKE policies on ASA-2:

ASA-2(config)#crypto isakmp policy 10

(10 is isakmp policy number)

ASA-2(config-isakmp)#encryption des

(enable encryption des)

ASA-2(config-isakmp)#hash md5

(enable algorithm md5 for hashing)

ASA-2(config-isakmp)#authentication pre-share

(enable Pre-shared method)

ASA-2(config-isakmp)#group 2

(enable Diffie-Hellman group 2)


(Exit from crypto isakmp mode)

  • The next step is to create the pre-shared key (password) on ASA-2; it must be identical to the one on ASA-1.

ASA-2(config)#crypto isakmp key office address

(Here the key is “office” and the address is ASA-1’s outside address.)

  • Now create an access list that defines only the interesting traffic.

ASA-2(config)#access-list 100 permit ip host host

(100 is the access-list number; the first host is the source address and the second the destination address, the reverse of ASA-1’s list.)

  • Now create the transform-set for encryption and hashing.

ASA-2(config)#crypto ipsec transform-set ts2 esp-des esp-md5-hmac

(Here encryption type is des and hashing technique is md5-hmac)

ASA-2(config)#crypto map testcryp 10 ipsec-isakmp

(crypto map name testcryp)

ASA-2(config)# crypto map testcryp 10 match address 100

(apply the access list)

ASA-2(config)# crypto map testcryp 10 set transform-set ts2

(apply the transform set)

ASA-2(config)# crypto map testcryp 10 set peer

(Set remote peer address)

  • Now apply the crypto map to the ASA-2 outside interface.

ASA-2(config)# crypto map testcryp interface outside

(Apply crypto map on outside interface)

ASA-2(config)# crypto isakmp enable outside

(To enable crypto isakmp on ASA)

Now to verify the secure tunnel, ping a host at the other location whose traffic matches the crypto ACL (only interesting traffic brings the tunnel up, and the first packets may time out while IKE negotiates).

ASA-2(config)# ping

show crypto isakmp sa and show crypto ipsec sa then confirm that the phase 1 and phase 2 security associations were established.
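Phase 1 most often fails because no ISAKMP policy matches on both peers, and a policy that does match may still be weak. The checker below is an added example, not from the original post. The two configurations it embeds are constructed: the first is the ASA-1 policy from the walkthrough, the second a hardened peer that offers AES-256/SHA/group 14 at priority 1 and keeps the walkthrough's policy at priority 10 for compatibility. The values it fills in for attributes a policy leaves unset are the ASA's IKEv1 defaults as assumed here.

```python
"""Compare the ISAKMP (IKE phase 1) policies of two ASA configurations.

Added example, not from the original post. Parses `crypto isakmp policy`
blocks from two configs, reports which policy pairs can match (the usual
reason phase 1 fails is that none do), and flags algorithms that are weak by
current standards. Both configs below are constructed.
"""
import re

WEAK = {
    "encryption": {"des": "56-bit DES is brute-forceable",
                   "3des": "3DES is deprecated (64-bit blocks, Sweet32)"},
    "hash": {"md5": "MD5 is broken"},
    "group": {"1": "DH group 1 (768-bit)", "2": "DH group 2 (1024-bit)",
              "5": "DH group 5 (1536-bit)"},
}
# Assumed ASA IKEv1 defaults for attributes a policy does not set explicitly.
DEFAULTS = {"encryption": "3des", "hash": "sha", "authentication": "rsa-sig",
            "group": "2", "lifetime": "86400"}


def parse_isakmp_policies(config):
    """Return {priority: {attribute: value}} for every crypto isakmp policy block."""
    policies = {}
    current = None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = dict(DEFAULTS)
            policies[int(m.group(1))] = current
            continue
        if current is None or not line:
            continue
        m = re.match(r"(encryption|hash|authentication|group|lifetime)\s+(\S+)$", line)
        if m:
            current[m.group(1)] = m.group(2)
        else:
            current = None  # any other command ends the policy block
    return policies


def matching_policies(local, remote):
    """(local_prio, remote_prio) pairs whose negotiated attributes all agree.

    Lifetime is not required to match: the peers settle on the shorter one.
    Pairs come back in the order the ASA tries them, lowest local priority first.
    """
    keys = ("encryption", "hash", "authentication", "group")
    return [(lp, rp)
            for lp in sorted(local)
            for rp in sorted(remote)
            if all(local[lp][k] == remote[rp][k] for k in keys)]


def weaknesses(policy):
    """Human-readable list of weak choices in one policy."""
    return [f"{attr} {policy[attr]}: {why}"
            for attr, table in WEAK.items()
            for val, why in table.items() if policy.get(attr) == val]


# Constructed: the policy the walkthrough configures on ASA-1.
ASA1_CONFIG = """
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 2
crypto isakmp enable outside
"""

# Constructed: a hardened peer that offers AES-256/SHA/group 14 first and keeps
# the legacy policy at a lower priority (higher number) only for compatibility.
ASA2_HARDENED = """
crypto isakmp policy 1
 encryption aes-256
 hash sha
 authentication pre-share
 group 14
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 2
"""

if __name__ == "__main__":
    a1 = parse_isakmp_policies(ASA1_CONFIG)
    a2 = parse_isakmp_policies(ASA2_HARDENED)
    print("matching policies (ASA-1, ASA-2):", matching_policies(a1, a2))
    for prio, pol in a1.items():
        for w in weaknesses(pol):
            print(f"ASA-1 policy {prio}: {w}")
```

Against the hardened peer the walkthrough's ASA-1 still connects, but only through the legacy pair (10, 10); dropping that policy from the hardened side leaves no match at all, which is the failure you would see as the tunnel never leaving MM_WAIT state.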

Installing a SonicWALL ViewPoint Virtual Machine

Monday, April 2nd, 2012

When installing a ViewPoint VM you will need to download three items.

First is the SonicWALL_ViewPoint_Virtual_Appliance_GSG.pdf available from
This will be your step-by-step instruction manual for installing the ViewPoint VM.
Next you will need to identify which version your VXI host is running and then download the matching version of the client.
Lastly you will need to log into and download the sw_gmsvp_vm_eng_6.0.6022.1243.950GB.ova from

When you have all three of these downloaded open the SonicWALL_ViewPoint_Virtual_Appliance_GSG and start going through the step by step instructions.
You will first install the VM client, and may run into the first gotcha: depending on the machine’s setup, the .exe may be blocked from running.
Get properties on the downloaded file and unblock it if it is blocked.
After the install of the VM client follow the instructions in the PDF till you get to page 18 step 2.

2. When the console window opens, click inside the window, type snwlcli at the login:
prompt and then press Enter. Your mouse pointer disappears when you click in the
console window. To release it, press Ctrl+Alt

Here is where you will run into the biggest gotcha.

You will be asked to log in with a name and password. On the first login use the name snwlcli with no password,
then use the default name and password and continue.

Auditing Email in Google Apps

Thursday, March 22nd, 2012

In order to address situations where a Google Apps admin needs access to a user’s mail data, Google provides an Email Audit API. It allows administrators to audit a user’s email and chats, and also download a user’s complete mailbox. While Google provides this API, third-party tools are required in order to make use of the functionality. While there are some add-ons in the Google Apps Marketplace that make email auditing available, the most direct method of gaining access to this is with a command-line tool called Google Apps Manager. GAM is a very powerful management tool for Google Apps, but here we will focus on just what’s required to use the Email Audit API.

Using GAM requires granting access, with a Google Apps admin account, to a specific system. An OAuth token for the domain is stored in the GAM folder. Also, if you’re going to download email exports, it’s necessary to generate a GPG key and upload that to Google Apps. In light of both of these factors, it’s best to designate a specific system as the GAM management system. GAM is a collection of Python modules, so whatever system you designate should be something that has a recent version of Python. We’ll assume that we’re using a fairly recent Mac.

What we’ll do is download GPG and generate a GPG key, and then download GAM and get it connected to Google Apps.

Generating a GPG key

The GPGTools installer is here:

After installation, open up Terminal, in the account that you’ll be using to manage Google Apps.

Run the command:

$ gpg --gen-key --expert

For type of key, choose “RSA and RSA (default)”. For key size, 2048 bits is the sensible choice. Bear in mind that all your mailbox exports will be encrypted to this key and then decrypted after download, which can take a non-trivial amount of time for larger mailboxes, but the RSA key size is not what drives that: GPG encrypts each mailbox with a fresh symmetric session key and uses the RSA key only to wrap that session key, so a larger key costs one slightly slower operation per file, not slower bulk decryption. (The sample output below was produced with a 1024-bit key.)

When asked for how long the key should be valid, choose 0 so that the key does not expire.

Next you’ll be prompted for your name, email address and a comment. This information is not, at the moment, used by Google for anything. However, in the interests of long-term usability, I would recommend using the email address and name of an actual admin for the Google Apps domain.

Finally, you’ll be asked for a passphrase. This passphrase will be required in order to decrypt the downloaded mailboxes. Do not forget it. You will be unable to decrypt the downloads without it.

When key creation is complete, you’ll see something like this:

pub 1024R/0660D980 2012-03-22
Key fingerprint = A642 0721 2D4A 9150 6ED1 DBD7 AFFF 992F 0660 D980
uid Apps Admin
sub 1024R/6D1C197B 2012-03-22

Make a note of the ID of the public key, which in this case is 0660D980. You’ll need the ID to upload the key to Google.

Installing GAM

Prior to installing GAM, you’ll want to open up your default browser and log in to your Google Apps domain as an administrator. It’s not technically necessary – you can log in as an admin when the GAM install needs access – but you’ll find it authenticates more reliably if you log in in advance.

GAM can be found here:

Download the python-src package, and put it somewhere in the home directory of the same user that generated the GPG key. The most reliable way to invoke GAM is using the python command to call the script:

$ python ~/Desktop/gam-2/

This assumes it was unzipped to the Desktop of the user account. Change the path where appropriate. In order to make this a bit easier, you can create an alias that will allow you to call it with just “gam”

$ alias gam="python ~/Desktop/gam-2/"

From here on, we’ll assume you did this. Bear in mind that aliases created this way only last until the session ends (i.e. the Terminal window gets closed).

The first command you’ll need to run is:

$ gam info domain

You’ll be asked to enter your Google Apps domain, and then you’ll be asked for a Client ID and secret. These are only necessary if you’ll be using Group Settings commands, which we won’t. Press Enter to continue. You’ll now be presented with a list of scopes that this GAM install will be authorized for. You can just enter “16” to continue with all selected, or you can select only Audit Monitors, Activity and Mailbox Exports for Email Audit functions. When you continue, you’ll see this:

You should now see a web page asking you to grant Google Apps Manager access. If you’re not logged in as an administrator, you can do that now, though you may experience some odd behavior. Once you grant access, return to the terminal Window and press Enter. At this point, GAM will retrieve information about your domain from Google Apps, and you’ll be returned to a shell prompt. GAM is installed and almost ready to use.

Uploading the GPG Key

There’s one final step to take before mailbox export requests are possible. The GPG key you generated earlier must be uploaded to Google. What you can do is have gpg export the key and pipe that directly to GAM. You’ll need the ID of the key so that you export the correct one to GAM. If you didn’t make a note of the ID earlier, you can see all the available keys with:

$ gpg --list-keys

pub 1024R/0660D980 2012-03-22
uid Apps Admin
sub 1024R/6D1C197B 2012-03-22

The ID you want is that of the public key. In this case, 0660D980. Now export an ASCII armored key and pipe it to GAM.

$ gpg --export --armor 0660D980 | gam audit uploadkey

Now you’re ready to request mailbox exports.

Dealing with mailbox exports

To request a mailbox export, use:

$ gam audit export includedeleted

This will submit a request for a mailbox export, including all drafts, chats, and trash. You can leave off “includedeleted” if you don’t want their trash. GAM will show you a request ID, which you can use to check the status of a request.

To check the status of one request, use:

$ gam audit export status

If you leave off either username or request ID, you’ll be shown the status of all requests, pending and completed. To download a request you can use:

$ gam audit export download

You must specify both the username and the request ID. Please note that GAM will download the files to the current working directory. The files will be named “export---.mbox.gpg. The numbers will start at 0. In order to decrypt the downloaded files, you’ll need to use GPG.

$ gpg --output --decrypt

This will decrypt one of the files. The predictability of the names makes it easy to programmatically decrypt all the files. For instance, if the username were bob, the ID were 53521381, and there were 8 files, you could use this command:

$ for i in {0..7}; do gpg --output export-bob-53521381-$i.mbox --decrypt export-bob-53521381-$i.mbox.gpg; done

When decryption is completed, you can take the resulting mbox files and import them into any mail client that supports mbox – Thunderbird is a good choice, though should work as well – or you can just look at them in a text editor.

Further Reading

For more details about using GAM or the Email Audit API, please consult the official documentation.

Google Apps Manager Wiki:

Google’s Email Audit API reference:

Adding incoming and outgoing access rules on a Cisco ASA

Saturday, March 17th, 2012

To understand incoming and outgoing rules there are a couple of things to know before you can define your rules. Let’s start with an understanding of traffic flow on an ASA. Incoming rules apply to traffic arriving at an ASA interface from the network attached to it; outgoing rules apply to traffic leaving an interface toward that network. This is the same on every interface, since it is a matter of data flow, and each active interface on an ASA has its own unique address.

To explain this further, let’s say we have an internal interface with an IP address of that your local area network connects to. You can add permit or deny rules to this interface specifying whether incoming or outgoing traffic is allowed. This controls which computers can communicate past that interface. Essentially you would define most of your rules for the local area network on the internal interface, governing which systems or devices can reach the Internet and which protocols they may use.

If you know the basic configuration of an ASA you know that you have to set the security level of the internal and external interfaces. By default the ASA allows traffic from a higher-security interface to a lower-security interface and blocks the reverse; an ACL applied to an interface overrides that default for the traffic it matches. NAT/PAT will also need to be configured if you want to publish specific ports or protocols.

For this article I will just mention that there are several types of Access Control Lists (ACLs) that you can create on an ASA: standard, extended, EtherType, webtype, and IPv6. For this example we will use extended, because that is what most people use most of the time. With an extended ACL you can match not only IP addresses but also the protocol and port.

Lets look at the the examples below:

You will see we are in the configuration terminal mode

ASA(config)# access-list acl extended permit tcp any host eq 80

-The first part, “access-list acl”, means the access list will be named “acl”.
-Next you choose the type of access list. We are using extended for this example.
-Then comes the permit or deny keyword; we have permit for this statement.
-Then the protocol (tcp) and the source. “any” here is the source address and means any source at all, not specifically inside hosts; instead of any you can specify a single device with “host” and an IP address, as in the last part of this statement.
-The final part is the destination: a specific host address, and “eq 80” restricts the match to TCP port 80.

So this statement, in an access list named acl, permits TCP from any source to the listed host on port 80. The ACL does nothing until it is bound to an interface and a direction with access-group (for example access-group acl in interface outside, to let Internet clients reach that web server); the ACL itself does not say whether the traffic is inbound or outbound. Lines are evaluated in order with the first match winning, and every ACL ends with an implicit deny, so anything no line permits is dropped.

Later you will notice that your statement looks like this on the ASA:

ASA(config)# access-list acl extended permit tcp any host eq www
Notice how “eq 80” changed automatically to “eq www”: the ASA displays well-known ports by name. This is common on Cisco ASA devices.
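Because ordering and the implicit deny decide what an ACL actually does, it helps to evaluate a few flows against it. The parser and matcher below are an added example, not from the original post. The ACL it contains is constructed around the page's permit line, with 203.0.113.10 assumed as the web server's address, plus a deny line and a subnet permit so that line order matters.

```python
"""Evaluate ASA-style extended ACL lines the way the firewall does: lines are
checked in order, the first match wins, and anything no line permits is
dropped by the implicit deny at the end.

Added example, not from the original post; the ACL and the web server
address 203.0.113.10 are constructed.
"""
import ipaddress
import re

SERVICE_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25,
                 "ssh": 22, "domain": 53}

ADDR = r"(any|host \S+|\S+ \S+)"
LINE_RE = re.compile(
    rf"access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    rf"(?P<src>{ADDR})(?: eq (?P<sport>\S+))? (?P<dst>{ADDR})(?: eq (?P<dport>\S+))?$"
)


def parse_addr(token):
    """'any', 'host A.B.C.D' or 'A.B.C.D MASK' (ASA uses real masks, not wildcards)."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    parts = token.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)


def parse_port(token):
    """Port keyword or number after 'eq'; None when the line has no port."""
    if token is None:
        return None
    return SERVICE_NAMES.get(token) or int(token)


def parse_acl(text):
    """Return the access-list entries in the order they appear."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed ACL line: {line!r}")
        entries.append({
            "name": m["name"], "action": m["action"], "proto": m["proto"],
            "src": parse_addr(m["src"]), "sport": parse_port(m["sport"]),
            "dst": parse_addr(m["dst"]), "dport": parse_port(m["dport"]),
        })
    return entries


def evaluate(entries, proto, src_ip, dst_ip, dport, sport=None):
    """Return ('permit'|'deny', index of the matching line or None) for one flow."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for i, e in enumerate(entries):
        if e["proto"] not in ("ip", proto):          # 'ip' lines match every protocol
            continue
        if src not in e["src"] or dst not in e["dst"]:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        if e["sport"] is not None and e["sport"] != sport:
            continue
        return e["action"], i
    return "deny", None                              # implicit deny at the end


# Constructed ACL: the page's permit line, a deny, and a subnet permit.
ACL = """
access-list acl extended permit tcp any host 203.0.113.10 eq www
access-list acl extended deny tcp any host 203.0.113.10 eq 22
access-list acl extended permit ip 10.0.0.0 255.255.255.0 any
"""

if __name__ == "__main__":
    acl = parse_acl(ACL)
    for flow in [("tcp", "198.51.100.7", "203.0.113.10", 80),
                 ("tcp", "198.51.100.7", "203.0.113.10", 22),
                 ("tcp", "10.0.0.5", "203.0.113.10", 22),
                 ("udp", "198.51.100.7", "203.0.113.10", 53)]:
        print(flow, "->", evaluate(acl, *flow))
```

The third flow is the one worth noticing: 10.0.0.5 is covered by the final permit ip line, but the deny on port 22 sits above it and wins, which is exactly the kind of ordering mistake that shows up only when you test flows rather than read lines.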


Wednesday, March 7th, 2012

In the routing world, NAT stands Network Address Translation while PAT stands for Port Address Translation. To many they’re going to be pretty similar while to others they couldn’t be more different.

When you have an Internet connection for your business network you are usually given a range of public static IP addresses. With these addresses you can use your Cisco router to use NAT technology, which will allow you to map an external address to an internal address (NAT is One to One addressing).  Your NAT router translates traffic coming into and leaving your private network so it works in both directions.

Let’s say your computer has an IP address of and the Router has a public IP address of If you go to the Internet from your address, it will be translated to the address using the NAT protocol, which will allow you to communicate external your network. It also allows for the return of that data and the opposite to happen when data returns to it will translate back to your address to receive the information to your system with the address of

Port Address translation is almost the same thing but it allows you to specify the TCP or UDP protocol (port) to be used. Let’s pretend you need to access a mail server at your network from externally. Most likely your port will be the standard SMTP port 25. Assuming it is you would configure the router to allow traffic from port 25 external your network to come through to your mail server’s port 25, thus sending and receiving e-mail. You can also use PAT to define traffic from a specific port to translate to a different port. For example if you have to use port 25 for an external mail client but you have a custom port of 26 internally to the mail server. You can define a Static PAT rule that can define all outside port 25 traffic will route to port 26 internally allowing port 25 traffic to reach your mail server on port 26.

*Note: PAT works hand in hand with NAT and is linked to the public and internal IP addresses. With PAT you may use many-to-one addressing (i.e. all internal addresses go out a single public IP address for Internet access, such as port 80 web traffic).

Configuring a Cisco ASA 5505 with the basics

Thursday, March 1st, 2012

The Cisco ASA 5505 is great for small to medium businesses. Below are the steps you will have to complete to configure your ASA to communicate with the Internet. There are many more steps, options, and features on these devices (later articles will cover some of them).

Bring your device into configuration mode
Brings the device into enable mode

318ASA#config t
Change to configuration terminal mode

The ASA is now ready to be configured when you see (config)#

Configure the internal interface VLAN (ASAs use VLANs by default for added security)
318ASA(config)# interface Vlan 1

Configure interface VLAN 1
318ASA(config-if)# nameif inside
Name the interface inside

318ASA(config-if)#security-level 100

Sets the security level to 100 (the most trusted level)

318ASA(config-if)#ip address
Assign your IP address

318ASA(config-if)#no shut
Make sure the interface is enabled and active

Configure the external interface VLAN (This is your WAN\internet connection)
318ASA(config)#interface Vlan 2
Creates the VLAN2 interface

318ASA(config-if)# nameif outside
Names the interface outside

318ASA(config-if)#security-level 0
Assigns the lowest (least trusted) security level to the outside interface; the lower the number, the more strictly the ASA treats traffic arriving on that interface.

318ASA(config-if)#ip address
Assign your Public Address to the outside interface

318ASA(config-if)#no shut
Enable the outside interface to be active.

Enable and assign the external WAN to Ethernet 0/0 using VLAN2
318ASA(config)#interface Ethernet0/0
Go to the Ethernet 0/0 interface settings

318ASA(config-if)#switchport access vlan 2
Assign the interface to use VLAN2

318ASA(config-if)#no shut
Enable the interface to be active.

Enable and assign the internal LAN interface Ethernet 0/1 (note ports 0/1-0/7 act as a switch but all interfaces are disabled by default).
318ASA(config)#interface Ethernet0/1
Go to the Ethernet 0/1 interface settings

318ASA(config-if)#no shut
Enable the interface to be active.
If you need multiple LAN ports you can do the same for Ethernet0/2 to 0/7.

To have traffic route from LAN to WAN you must configure Network Address Translation on the outside interface
318ASA(config)#global (outside) 1 interface
318ASA(config)#nat (inside) 1

***NOTE for ASA Version 8.3 and later***
Cisco ASA software version 8.3 introduced several important configuration changes, especially to the NAT/PAT mechanism. The “global” command is no longer supported; NAT (static and dynamic) and PAT are now configured either under network objects (object NAT) or as manual NAT rules. The one-line manual NAT rule below is the 8.3+ equivalent of the global/nat pair above and gives every inside host dynamic PAT to the outside interface address:

318ASA(config)#nat (inside,outside) source dynamic any interface

For more information you can reference this article from Cisco regarding the changes –

Configure the default route (for this example default gateway is
318ASA(config)#route outside 2 1

Last but not least verify and save your configurations. If you do not save your configurations you will have to.

Verify your settings are working. Once you have verified your configurations write to memory to save the configuration. If you do not write to memory your configurations will be lost upon the next reboot.

318ASA(config)#wr mem

318 CatDV Installation Checklist

Wednesday, January 11th, 2012

318 has been doing a lot of work with CatDV recently and as such, we are starting to build a large library of assets for the product. We have built a checklist for the installation and planning of a CatDV asset management system. The checklist is a quick guide to server installation, worker nodes, client configuration, using SSL, watch folders, conditions, queries, conversations and processing.

The checklist can be downloaded here:

318 CatDV Installation Checklist


For more information about CatDV, related storage issues or other aspects of your technology environment, please feel free to contact your Professional Services Manager or For more information about 318, see us on the web at

Monitoring Xsan with Nagios and SNMP

Monday, December 12th, 2011

Monitoring a system or device using SNMP (a SonicWALL, for instance) is simple enough, provided you have the right MIB. XSNMP is an open source project that provides a simple Preference Pane to manage SNMP on OS X, and it also includes a MIB developed by LithiumCorp. This MIB lets OS X’s SNMP agent gather and categorize information relating specifically to Mac OS X, Mac OS X Server, and Xsan.

XSNMP-MIB can be downloaded from GitHub, or directly from Lithium.

Download the XSNMP-MIB.txt file and put it in /usr/share/snmp/mibs. You can verify that the MIB is loaded by running snmpwalk on the system, specifying the XSNMP Version OID. If snmpwalk returns the version, the MIB is installed correctly. If it returns an error about an “Unknown Object Identifier”, then the MIB isn’t installed in the right spot.

bash$ snmpwalk -c public -v 1 my.server.address XSNMP-MIB::xsnmpVersion
XSNMP-MIB::xsnmpVersion.0 = Gauge32: 1

The fact that the MIB was developed by Lithium doesn’t stop us from using it with Nagios, though. You can define a Nagios service to gather the free space available on your Xsan volume by adding the following to a file called xsan_usage.cfg. Put the file in your Nagios config directory.

define service{
    use                 generic-service   ; service template supplying check intervals, retries and notification settings (template name assumed; adjust to your setup)
    host_name           xsan_controller
    service_description Xsan Volume Free Space
    check_command       check_snmp!-C public -o xsanVolumeFreeMBytes.1 -m XSNMP-MIB
}

The host_name should match the Nagios host definition for your Xsan Controller. The service_description can be any arbitrary string that makes sense and describes the service.

The check_command definition is the actual command that’s run. The -C flag defines the SNMP community string, the -m flag defines which MIB should be loaded (you can use “-m all” to just load them all), and the -o flag defines which OID we should return. “xsanVolumeFreeMBytes.1” should return the free space, in MB, of the first Xsan volume.
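As an added example (not code from the original post or from the XSNMP project), here is the same OID turned into a small Nagios-style plugin that applies warning and critical thresholds to the free space and exits with the standard plugin codes. It assumes net-snmp’s snmpget is installed with XSNMP-MIB.txt in /usr/share/snmp/mibs as described above; the host name, community string and threshold values are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post or the XSNMP project.
# Minimal Nagios-style plugin: reads xsanVolumeFreeMBytes.<index> via
# net-snmp's snmpget (assumed installed, with XSNMP-MIB.txt in
# /usr/share/snmp/mibs), compares the value against thresholds and exits
# with the Nagios codes 0/1/2/3 (OK/WARNING/CRITICAL/UNKNOWN).
# Usage: check_xsan_free.sh HOST COMMUNITY WARN_MB CRIT_MB [VOLUME_INDEX]

# Extract the number from an snmpget line such as
#   XSNMP-MIB::xsanVolumeFreeMBytes.1 = Gauge32: 123456
# Prints nothing when the line does not have that shape (MIB not loaded,
# no such volume, agent unreachable); the caller reports that as UNKNOWN.
parse_free_mb() {
    printf '%s\n' "$1" |
        sed -n 's/^XSNMP-MIB::xsanVolumeFreeMBytes\.[0-9]* = Gauge32: \([0-9][0-9]*\)$/\1/p'
}

# classify FREE_MB WARN_MB CRIT_MB -> 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN
# Free space at or below the critical threshold wins over the warning one.
classify() {
    free=$1 warn=$2 crit=$3
    case "$free" in
        '' | *[!0-9]*) return 3 ;;
    esac
    if [ "$free" -le "$crit" ]; then
        return 2
    elif [ "$free" -le "$warn" ]; then
        return 1
    fi
    return 0
}

state_name() {
    case "$1" in
        0) echo OK ;;
        1) echo WARNING ;;
        2) echo CRITICAL ;;
        *) echo UNKNOWN ;;
    esac
}

# Build the plugin output line; the part after '|' is perfdata so Nagios
# can graph free space over time.
format_output() {
    rc=$1 free=$2 warn=$3 crit=$4 index=$5
    if [ "$rc" -eq 3 ]; then
        echo "UNKNOWN - could not read xsanVolumeFreeMBytes.$index (MIB not loaded or agent unreachable?)"
    else
        echo "$(state_name "$rc") - Xsan volume $index has ${free} MB free | free_mb=${free}MB;${warn};${crit}"
    fi
}

# check_xsan_free HOST COMMUNITY WARN_MB CRIT_MB [VOLUME_INDEX]
check_xsan_free() {
    host=$1 community=$2 warn=$3 crit=$4 index=${5:-1}
    # SNMP v1/v2c send the community string in clear text: use a read-only
    # community and keep the polling path on a trusted management network.
    line=$(snmpget -v 2c -c "$community" -m XSNMP-MIB "$host" \
               "XSNMP-MIB::xsanVolumeFreeMBytes.$index" 2>/dev/null || true)
    free=$(parse_free_mb "$line")
    rc=0
    classify "$free" "$warn" "$crit" || rc=$?
    format_output "$rc" "$free" "$warn" "$crit" "$index"
    return "$rc"
}

# Run as a plugin only when arguments are given, so the functions above can
# also be sourced and exercised on their own.
if [ $# -ge 4 ]; then
    check_xsan_free "$@"
    exit $?
fi
```

Point a Nagios command definition at it the same way as check_snmp, passing the controller’s address as the first argument.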

Upgrading VMware ESX 3i to ESXi 4.1i

Friday, November 18th, 2011


a. Workstation – Windows or Linux based, either real or VM.

b. The VM host – should be backed up, and running ESX 3i (3.5.0).

c. A new serial number for ESXi 4.

1. Go to and find the vSphere Hypervisor download area. Download and the most current vSphere CLI tools.

2. Download the appropriate upgrade package for the server. The file should be named something similar to “

3. Stop all VMs on the hypervisor and place it in maintenance mode.

4. From your workstation, run the vSphere CLI.

5. In the CLI, run “cd bin”.

6. In the CLI, run “ –server -i -b

Basic SonicWALL Router Setups

Tuesday, October 11th, 2011

A work in progress…

1. Register the Sonicwall appliance at A new account may be created for this purpose

2. Download the latest firmware from

3. Disable popup blocking on your browser

4. The default IP of a factory Sonicwall device is Connect to the Sonicwall (you need to adjust your Ethernet NIC’s config to match the Sonicwall’s network settings)

5. Follow the setup wizard and define a WAN IP, LAN IP, and DHCP range of IPs

6. Upload the newer firmware downloaded above and boot from it

7. In the https://[Sonicwall IP Address]/diag.html screen, uncheck the box “Enforce Host Tag Search with for CFS”

8. Use the Public Server Wizard to create additional systems on the LAN that need to be publicly accessible. Note that the default WAN IP address provided in the wizard is the SonicWALL’s, but you can enter a different WAN IP; this creates a NAT policy using a new Address Object in the WAN zone

9. If more than one service needs to be visible for a system (i.e., a mail server needing 993, 587, 465, etc.), just select a single service during the wizard setup and then modify the “Service Group” that the wizard creates to include the additional services that you want visible

10. For site-to-site VPN, follow the documentation in the SonicOS Administrators guide. Typically we have found that setting the VPN policy up in Aggressive Mode works more reliably than Main Mode

Setting Up Additional Google Apps Calendars on an iOS Device

Monday, April 18th, 2011

Syncing and Managing Additional Google Apps Calendars on your iOS Device

Google Apps allows users to easily set up multiple calendars in their account and access other users’ calendars via a web browser or a calendar client such as iCal or Outlook. Duplicating this functionality on iOS devices requires some additional configuration steps:

1. Configure your device(s) with Exchange Active Sync for your Google Apps account. See for instructions.
2. On your iOS device (iPad, iPhone or iPod Touch) use the Safari web browser to navigate to
3. Scroll to the bottom of the page and tap the Google Apps user? button.
4. A popup will appear prompting you to Enter your Google Apps domain. Enter your domain (everything after the @ in your email address) and tap Go.
5. Sign into your Google Apps account if prompted.
6. A Google Mobile page will load, with buttons for various services. Tap the Sync button.
7. A Manage Devices page will load. Tap to select the device you would like to add/delete calendars from (i.e. your iPhone).
8. Tap to check the box next to each calendar you want to sync. Tap to uncheck any calendar you wish to stop syncing.
9. Click Save.

The calendars for which you enabled sync should now be displayed in the iOS Calendar app. You may have to tap Calendars to return to the calendar selection and turn on the additional calendars if they are not displayed immediately.

Note: these instructions differ slightly from the published Google instructions for generic Gmail accounts (primarily by skipping steps 3 and 4). If you would like to set up additional calendars for your personal Gmail account, please follow the steps here:

Enable AirPrint On Mac OS X Server

Monday, March 7th, 2011

Since the introduction of AirPrint in iOS version 4.2.1, a handful of shareware and freeware solutions have been introduced that allow iOS devices to use AirPrint to print documents on “unsupported” printers (namely, those printers that do not have the necessary AirPrint features built-in). This typically requires enabling printer sharing on a Mac system, as well as making a slight modification to the CUPS configuration file at /etc/cups/cupsd.conf, which the software typically does for you.

However, one of the more prominent solutions available, AirPrint Activator from, does not work properly on a Mac OS X Server system when following the provided instructions, which appear to be aimed at users running the non-Server version of Mac OS X. Here are the steps you can follow to get Mac OS X Server v10.6 to share printer queues to AirPrint-enabled iOS devices:

Prerequisites: Mac OS X Server v10.6.5 or later (I have only tested on 10.6.6), one or more networked or local printers, and one or more iOS devices running iOS 4.2.1

1. In the System Preferences > Print & Fax preference pane, delete all existing printer queues from the server.

2. Download AirPrint Activator from to the Mac OS X Server system from which you wish to host print queues.

3. Launch the AirPrint Activator program and slide the Activator switch to On (you will be prompted to authenticate).

4. With your favorite text editor, open the file /etc/cups/cupsd.conf

5. Locate the line that reads Browsing Off and change it to read Browsing On. Save the changes.

6. Open Server Admin and enable and Start the Print service.

7. Open the System Preferences > Print & Fax preference pane and add the printers that you wish to share, being sure to give each shared print queue a unique Sharing Name and a Location. If you are only using the Print service to connect iOS devices, you may want to include “AirPrint” in the queue or location name (i.e., “AirPrint to Accounting Printer”).

8. In the Print service window, select the Queues tab and select the print queue you wish to share.

9. Enable the IPP protocol. You can enable the other protocols if you want to enable printer sharing to platforms beyond just your iOS devices.

10. Follow steps 7 through 9 with the other printers that you wish to use for AirPrint.

11. From an iOS device, open a supported document such as a PDF, JPG, or other printable file.

12. Click the box with a curved arrow pointing to the upper right to invoke the Print command.

13. Select the Printer from the menu and print your documents!

Defragmenting an Xsan Volume to Reallocate Storage

Friday, January 14th, 2011

In the life of an Xsan shop, you will at one point or another be presented with the need to defragment your volume. Defragmenting a volume is a good way to recover lost performance, but can also be beneficial in other scenarios: defragging is an absolute must after performing a bandwidth-style expansion of your volume, and is often recommended (though not absolutely necessary) when performing a capacity-style expansion. In case you’re confused, a bandwidth expansion is the type of expansion performed when you add LUNs to a specific storage pool. Conversely, a capacity expansion involves simply adding new storage pools to an existing volume.

Because the make-up of a storage pool is drastically altered when a bandwidth expansion is performed, the data is not properly distributed across the new LUNs that were added to the pool. This results in a shadow effect where not all of the storage pool’s capacity is available for use by the system. Because of this, it is an absolute requirement that a defrag routine is run. To perform this defrag, we use the standard snfsdefrag command, but with the special ‘-d’ flag, which ensures that this shadowed storage space is reclaimed and that data is properly distributed across the storage pool:

snfsdefrag -dr /Volumes/MyXsanVolume

There are several scenarios where it may be desirable to rebalance the data on an existing volume. A capacity expansion of a volume will result in one or more new storage pools being added to the volume, but the new storage will not have any data written to it. Alternatively, an allocation strategy of round-robin or fill can, over time, result in a poor distribution of data across your storage. By spreading data across the storage evenly, you ensure that all disks are running at similar capacities, therefore netting more consistent performance across the volume, as disk performance tends to degrade as capacity increases.

When snfsdefrag is run, it defragments files as specified by your parameters, and these files are redistributed onto the volume according to your allocation strategy. If you defragment a volume that has a ‘Fill’ allocation strategy, you will not gain any benefit of evenly distributed data, though your individual files will no longer be fragmented.

Thus, if your main goal is to balance all data across the volume, it will be necessary to change the volume’s allocation strategy to Balance and then defragment the volume. This causes fragmented files to be relocated to the lowest-capacity pool, an extremely effective method for balancing data. In Xsan 2.x, you can change a volume’s allocation strategy at the GUI level while the volume is live. In our experience, the change can be performed live without interrupting Xsan client service to the volume, and active transfers proceed with no disruption. Even so, it’s best to perform the switch at a time when there’s minimal activity (preferably none) on the volume and no active transfers in progress.

Once you’ve converted the volume to the new strategy, you can proceed with the optimization, which is a fairly straightforward defrag performed with the command

snfsdefrag -r /Volumes/VolumeName

This will defragment any files with more than one extent, re-provisioning the optimized files to the next LUN in the allocation strategy. And because we’re now using the Balance strategy, the next LUN will always be the one with the lowest capacity: our new LUNs, in this case. If, however, you had a healthy Xsan volume, this command may not properly balance data, because fragmented files will be rare. In such an event, run the command

snfsdefrag -r -m 0 /Volumes/VolumeName

This will defragment files with more than 0 extents, which is every file on the system, so you can rest assured that the volume will be nicely balanced at the end of the operation. The main trade-off is that doing so re-provisions all files on the volume, which can be a very time-consuming task. If the volume has standard levels of fragmentation, running the command without the -m flag should do a decent job of balancing without having to operate against non-fragmented files as well.

Migrating the Apple Remote Desktop Database

Thursday, January 13th, 2011

Whenever dealing with data migrations, it is always important to get a good handle on what data you need to transfer and the purpose it serves in the operation of the program: some elements may be more important to you than others. In the case of Remote Desktop, there are a number of different data stores that you’ll want to be aware of:

  • /Library/Preferences/ – This file contains system-wide preferences, primarily serialization information, which is system-specific (so you’ll need to serialize on the new system using the original serial number).
  • /var/db/RemoteManagement – This database and set of caches contains the Remote Desktop Client database used by client reporting.
  • ~/Library/Application Support/Remote Desktop  – This folder is used to store your command presets (including Unix Send Command templates), your task history, and task manager settings and actions.
  • ~/Library/Preferences/ – This file contains the bulk of the Remote Desktop application experience, including the entire computer database, computer lists, scanners, and last but not least, access credentials for all computers in the database.

Once we have an understanding of the data stores utilized by ARD, it’s fairly trivial to transfer the admin database. Assume in the following example that we want to migrate our ARD database from our local computer to a new computer connected via FireWire disk mode and mounted at /Volumes/NewMac. For most cases, all we really have to copy over is the main user preference file ~/Library/Preferences/

cd /Volumes/NewMac/Users/username
cp -p ~/Library/Preferences/ Library/Preferences/

If you have any stored command templates, or want to preserve your task history, copy over the Application Support folder:

cp -pR ~/Library/Application\ Support/Remote\ Desktop/  Library/Application\ Support/Remote\ Desktop/

If your ARD install is collecting reports, you’ll likely want to copy those over as well. Because this database is root-owned, we’ll need to use sudo to copy it:

sudo cp -pR /var/db/RemoteManagement/ /Volumes/NewMac/var/db/RemoteManagement/

That’s it! It’s probably a good idea to restart for good measure, but for the basic ARD admin application, a relaunch should get you up and running with the new database.

Provisioning TelePacific iNOC On A SonicWALL

Friday, January 7th, 2011

1. Login to SonicWALL

2. Check to see if SNMP is already in use on WAN IPs by checking under Network > Firewall.

ALERT: Enabling SNMP Management on the SonicWALL will cause issues with the SNMP firewall rules. You can ONLY have SNMP SonicWALL Management OR SNMP firewall port forwarding. Not both. This was confirmed with SonicWALL Tech Support.

3. Go to System > Administration

4. Scroll down and put a check mark for “Enable SNMP”

5. Click on Configure

6. Put in whatever you want for System Name, System Contact, System Location. You can leave Asset Number blank. Ask TPAC for their monitoring WAN IP and put that in the “Host 1″ field.

7. Go to Network > Interfaces

8. Click on the Configure icon for the Interface that you want monitored.

9. Put a check mark next to SNMP

10. Click OK

11. You can confirm SNMP is listening by using snmpwalk. On a Mac, the command can be:

snmpwalk -c private -v 2c "wanipaddress of SonicWALL"

or

snmpwalk -c private -v 1 "wanipaddress of SonicWALL"

The SonicWALL utilizes version 1 and 2c for SNMP.

Create a User in Active Directory

Friday, January 7th, 2011

Yesterday, we looked at copying Active Directory accounts, but we hadn’t yet looked at creating new users. To create a new user, it is usually best to first log into a machine that has the Remote Server Administration Tools, to run the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in… or into the domain controller itself. You will need to use the administrator login or an account that has administrative privileges. On the domain controller, after you have logged in, go to the Start menu. Then click on Programs, Administrative Tools, and choose Active Directory Users and Computers.

At the top click on Action, choose New and then User. It will then ask you for information about the user: First Name, Last Name and the user name that you want the user to log in with. Click Next when complete. The next window will ask you to type in a password for the user and then confirm it. Standard policy requires at least one lowercase character, one uppercase character and one special character, and a minimum length of 8 characters.

Copy a User in Active Directory

Tuesday, January 4th, 2011

Creating new users in Active Directory is a fairly straightforward process, but often it is easier to copy a user than to create a new one. If you have a user that belongs to all the groups you want a new user to be a part of, you can make life easy by making a copy of that user. To do that, you will need to remote into the domain controller with the domain administrator account or an account with administrator privileges.

Once you log on, go to Start, click on Programs and choose Administrative Tools. Choose Active Directory Users and Computers. The best thing to do is to search for the user that you want to model the new user after. Before you do the search, go to View and choose Advanced Options. Then do a search: click on the search button at the top (it is the second to last button).

In the next box, type in the name of the user that you want to use as the model. Make sure that Entire directory is selected.

Right-click on the user and go to Properties, then click on the Object tab. It will list which Organizational Unit the user is in. Navigate to that user using the folders on the left side of the screen, then right-click on the user and choose Copy. A window will come up and you will need to type in the new user’s information.

After you complete this process, you will be asked to provide a password. By default, there are some password policies that you will want to maintain. Make sure that the password has at least one lowercase, one uppercase and one special character, and is at least 8 characters long.

Once that completes, the new user has been created and is ready to use, unless you would like to change group memberships, policies, etc.

Restricting Outgoing Email To a 3rd Party SMTP Relay Host on SonicWALLs

Friday, November 12th, 2010

Often it is necessary to lock down outbound mail traffic so that it can only go to MX Logic. MX Logic provides outbound filtering, which helps keep you from getting blacklisted, while also scanning your outgoing e-mail for malware. Also, allowing only the mail server to communicate with MX Logic ensures that no rogue mail servers (often infected devices) can send out e-mail.

This guide assumes you have already used the Wizard to setup port forwarding, firewall rules, and NAT policies for allowing the mail server to be accessed via the SonicWALL.

To Lock Down a SonicWALL to Outbound Email to MX Logic

1. Determine what port you will be sending out on. If you are using a non-standard port, you will first need to make a custom Service Object on the SonicWALL for the port.
2. Create an Address Group containing the Address Objects for MX Logic:
   1. Go to Network
   2. Go to Address Objects
   3. Add Address Object
      1. Name: MX Logic 1
      2. Zone Assignment: WAN
      3. Type: Network
      4. Network: IP from MX Logic
      5. Netmask: Subnet from MX Logic
      NOTE: You will need to do this for each subnet that MX Logic offers. Name them sequentially. The address info can be found on MX Logic’s portal.
   4. Go to Address Objects
   5. Create Address Object Group
   6. Add all of your MX Logic Address Objects to the Address Object Group, and call it “MX Logic”
   7. Save all your changes.
3. Go to Firewall
4. Go to LAN to WAN
5. Click Add
6. Create a rule that allows the mail server on the LAN to send SMTP out to the MX Logic addresses on the WAN:
   1. Action: Allow
   2. From Zone: LAN
   3. To Zone: WAN
   4. Service: SMTP (or whatever you named your custom one)
   5. Source: Your Address Object representing your mail server
   6. Destination: MX Logic (the Address Object Group you created previously)
   7. Save your changes.
7. Create another rule to block all other outbound e-mail:
   1. Go to Firewall
   2. Go to LAN to WAN
   3. Click Add
   4. Action: Deny
   5. From Zone: LAN
   6. To Zone: WAN
   7. Service: SMTP (or whatever you named your custom one)
   8. Source: Any
   9. Destination: Any
   10. Save your changes
8. Adjust rule order:
   1. Ensure that the MX Logic outbound rule is above the rule that blocks all other devices from sending SMTP traffic out to the Internet.
   2. Apply the changes.

NOTE: By doing this, any laptop users, or other portable device users, that may try to send email over port 25 through other servers (Gmail, Yahoo, AOL, etc.) will be DENIED by the SonicWALL.

Adding Entourage Delegated Folders in Entourage for Hosted Exchange

Tuesday, October 19th, 2010

Setting up a mail account

Adding a hosted Exchange 2007 account to Entourage must be done manually, as the autodiscover feature doesn’t work with the host’s servers. Enter the user’s general information (name and email address) as you normally would. The user name will be the user’s email address, the domain is supplied by the host, and the mail server address is /exchange/usersemailaddress@domain.tld. The server does require SSL. The public folder server is supplied by the ISP (same as the OWA path in the server address) and it uses SSL.

Adding a delegated user’s folder

When adding another user’s folder, you have to use the advanced option, because Entourage is currently accessing the server at which means that Entourage will attempt to access the other user’s folder at /exchange/currentloggedinuser@domain.tld/userfolderthatyouwanttoadd, which of course won’t work. To get around this issue, click “Open another user’s folder”, click Advanced, enter the user’s full name and email address, and enter the mail server address in the following format: /exchange/usersemailaddress@domain.tld. Click OK and select the other user’s folder that you want to add.

Hiding a Restore Partition With jamf

Monday, August 9th, 2010

The jamf command that is placed inside the /usr/sbin directory has a number of things it does really well. Many of the tasks exposed in Casper Admin can be tapped into using shell scripts.

One nice option that the Casper Suite has for the mobile users in many an enterprise is the ability to restore a given machine to a known good working state. Casper addresses this using a concept known as a restore partition. The restore partition can be used to deploy a base set of packages to a client, or maybe just a functional operating system that hooks back into the JSS, or JAMF Software Server. Because you want the restore partition to be somewhat undefiled, you can hide it. Then, if a user needs to boot to the restore partition, they would simply boot the computer holding down the option key and select Restore (or whatever you have named it).

The /usr/sbin/jamf command can then be used to hide that restore partition using the hideRestore option. For example, assuming that the restore partition is named Restore, the following command will hide it:

/usr/sbin/jamf hideRestore

But, you might find that you want to deploy multiple hidden partitions. So let’s say that you had another for running disk tools. In our environment we could call it 318Tools. So to hide it as well, we would use the same command, but with the -name option followed by the name of the other partition we would like to hide, like so:

/usr/sbin/jamf hideRestore -name 318Tools

Overall, there are a number of uses other than simple patch management with the Casper Suite, and this is just one of the small things you can do with the jamf command, an integral part of the Suite.

MySQL Backup Options

Thursday, July 8th, 2010

MySQL bills itself as the world’s most popular open source database. It turns up all over, including most installations of WordPress. Packages for multiple platforms make installation easy and online resources are plentiful. Web-based admin tools like phpMyAdmin are very popular and there are many stand-alone options for managing MySQL databases as well.

When it comes to back-up, though, are you prepared? Backup plug-ins for WordPress databases are fairly common, but what other techniques can be used? Scripting to the rescue!

On Unix-type systems, it’s easy to find one of the many example scripts online, customize them to your needs, then add the script to a nightly cron job (or launchd on Mac OS X systems). Most of these scripts use the mysqldump command to create a text file that contains the structure and data from your database. More advanced scripts can loop through multiple databases on the same server, compress the output and email you copies.

Here is an example we found online a long time ago and modified (thanks to the unknown author):

#!/bin/bash

# List all of the MySQL databases that you want to backup in here,
# each separated by a space
databases="database1 database2 database3"

# Directory where you want the backup files to be placed
backupdir=/path/to/mysql-backups    # placeholder: set to your backup location

# MySQL dump command, use the full path name here
mysqldumpcmd=/usr/bin/mysqldump     # placeholder: adjust to where mysqldump lives

# MySQL Username and password
# Note: a password given on the command line is visible to every local user
# in the process list; a ~/.my.cnf (mode 600) or --defaults-extra-file avoids that.
userpassword=" --user=myusername --password=mypassword"

# MySQL dump options
dumpoptions=" --quick --add-drop-table --add-locks --extended-insert --lock-tables"

# Unix Commands
gzip=/usr/bin/gzip                  # placeholder: adjust to where gzip lives

# Create our backup directory if not already there
mkdir -p ${backupdir}
if [ ! -d ${backupdir} ]; then
  echo "Not a directory: ${backupdir}"
  exit 1
fi

# Dump all of our databases
echo "Dumping MySQL Databases"
for database in $databases; do
  $mysqldumpcmd $userpassword $dumpoptions $database > ${backupdir}/${database}.sql
done

# Compress all of our backup files
echo "Compressing Dump Files"
for database in $databases; do
  rm -f ${backupdir}/${database}.sql.gz
  $gzip ${backupdir}/${database}.sql
done

# And we're done
ls -l ${backupdir}
echo "Dump Complete!"

Once you verify that your backup script is giving you valid backup files, these should be added to your other backup routines, such as CrashPlan, Mozy, Retrospect, Time Machine, Backup Exec, PresSTORE, etc. It never hurts to have too many copies of your critical data files.
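As an added example (not from the original post or the script above), here is the kind of check that “verify that your backup script is giving you valid backup files” calls for: it confirms that each .sql.gz is an intact gzip stream and that it ends with the “-- Dump completed” trailer that mysqldump writes only when a dump finished. The directory layout follows the script above; the sample dump files are constructed inline so the example runs without a database.

```shell
#!/bin/sh
# Added example, not part of the original post. A dump interrupted part way
# (disk full, killed cron job, lost DB connection) still looks like a .sql.gz
# file, so two checks are made before a file is trusted for off-site backup:
# the gzip stream is intact, and the last line is mysqldump's completion
# trailer, "-- Dump completed on <date>" (just "-- Dump completed" with
# --skip-dump-date).
# Usage: verify_dumps.sh /path/to/mysql-backups

# verify_dump FILE -> 0 complete dump, 1 missing/empty, 2 bad gzip, 3 no trailer
verify_dump() {
    file=$1
    if [ ! -s "$file" ]; then
        echo "FAIL $file: missing or empty"
        return 1
    fi
    # gzip -t decompresses to nowhere and fails on a corrupt or cut-off stream.
    if ! gzip -t "$file" 2>/dev/null; then
        echo "FAIL $file: gzip stream is corrupt or truncated"
        return 2
    fi
    last=$(gzip -dc "$file" | tail -n 1)
    case "$last" in
        "-- Dump completed"*) echo "OK   $file"; return 0 ;;
        *) echo "FAIL $file: no 'Dump completed' trailer (dump interrupted?)"; return 3 ;;
    esac
}

# verify_dir DIR -> returns the number of .sql.gz files that failed verification
verify_dir() {
    bad=0
    for f in "$1"/*.sql.gz; do
        [ -e "$f" ] || continue
        verify_dump "$f" || bad=$((bad + 1))
    done
    return "$bad"
}

# Constructed sample files (not real dumps) so the checks can be exercised
# offline: one complete dump, one cut off mid-statement, one with a
# truncated gzip stream. Prints the directory they were written to.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '-- MySQL dump 10.13' 'CREATE TABLE t (id INT);' \
        '-- Dump completed on 2010-07-08 23:00:00' | gzip -c > "$dir/good.sql.gz"
    printf '%s\n' '-- MySQL dump 10.13' 'CREATE TABLE t (id INT);' \
        'INSERT INTO t VALUES (1' | gzip -c > "$dir/interrupted.sql.gz"
    dd if="$dir/good.sql.gz" of="$dir/truncated.sql.gz" bs=1 count=20 2>/dev/null
    echo "$dir"
}

# Verify a real backup directory when one is given on the command line.
if [ $# -gt 0 ]; then
    verify_dir "$1"
    exit $?
fi
```

Run it from the same cron job right after the dump step, and treat a non-zero exit as a failed backup rather than letting the file roll into the off-site set.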

To make sure your organization is prepared, contact your 318 account manager today, or email for assistance.

Changing The Password Policy on Windows Server 2008 Domain Controllers

Wednesday, June 2nd, 2010

There seems to be a bug (or maybe a feature?) in Windows Server 2008 whereby you cannot change the default password policy on at least the first Domain Controller in a new domain by opening Group Policy Management and editing the Default Domain Controllers security policy.

On Windows Server 2008 you can make the change in the Local Security Policy on the Windows Server 2008 Domain Controller instead:
1. Start > All Programs > Administrative Tools > Local Security Policy
2. Security Settings > Account Policies > Password Policy

NOTE: You will see that the Password Policy on the domain controller is populated here, unlike in GPMC.MSC where everything shows as "Not Configured" next to a confusing note saying the defaults are something other than "Not Configured".

To further confuse the issue, on Windows Server 2008 R2 using the Local Security Policy to change the password policy on the DC will NOT work: the settings are grayed out. The domain controller then takes its password settings from the Default Domain Security Policy (not the Default Domain CONTROLLER Security Policy). After changing the password policy under GPMC.MSC in the Default Domain Policy, the domain controller picked up the required password settings. That matches how Active Directory evaluates these settings: the password, account lockout and Kerberos policies for domain accounts are read only from GPOs linked at the domain root, so the Default Domain Policy (or another GPO linked at the domain level) is the place to set them, and the Default Domain Controllers Policy never governs them. If different groups of users need different rules (say, a longer minimum length for administrators), domains at the Windows Server 2008 functional level support fine-grained password policies through Password Settings Objects rather than a second GPO. This was observed on a fully patched Windows Server 2008 R2 x64 OS.

Evaluating Backup Exec Jobs

Tuesday, April 13th, 2010

[ ] Assess the Job Setup tab and review its listing to determine which jobs are currently configured on the system.
[ ] Review the selection list to ensure that all relevant data and file shares are being backed up and copied
[ ] Assess the Job Monitor tab to confirm that the jobs that are set up and configured are actually running as scheduled.
[ ] Review the job logs (Job History) to ensure that all data is being backed up; if there are minor errors, note what caused them so they can be corrected later.
[ ] Ensure that the job did not fail for lack of space (or another chronic issue); if it did, the client most likely needs more storage, or the media sets and jobs must be configured to allow data to be overwritten.

Backup Agents are needed for special data such as SQL and Exchange databases, or files located on remote computers. Many open files will not back up unless the Open File Agent is present, installed and licensed on the data source.

Media Sets (under the Media tab) are collections of backup media that share common properties. In Backup Exec, a media set's properties control whether its media may be overwritten or appended to, either immediately or only after a set period. This is how you control what happens to old backups once the media starts to fill up. Verify these settings to ensure proper retention.

[ ] Review the Alerts tab and check under Active Alerts sub-tab and ensure that no jobs have been waiting on media or needed human interaction or response.
[ ] Review the Alert History sub-tab and verify that no jobs in the past were waiting for interaction or response.
[ ] Check backup notifications under each job and under the default preferences (Tools >> Recipients… & Tools >> Email and Pager Notification…), to ensure that the proper individuals are being notified about backups and alert items.
[ ] Review the Devices tab and verify that there are no devices/destination that are Offline.
[ ] Ensure that every device currently listed as a backup destination is online, unless it is a member of a device pool. If the device is a member of a device pool and the backup job references that pool, the jobs will continue as long as at least one of the pool's devices is online.

Typically backup jobs will have tape, local or network storage as their destination. An external backup device will most likely appear in the tree as a Backup-to-Disk Folder. If the drive/device is not connected it may show up as Offline. If you are sure that the device is connected, right-click on the entry and ensure that the device is both confirmed as Online and also Enabled.

To learn more about Backup Exec – here are some additional links:
Symantec Backup Exec website

Datasheets on usage of Backup Exec 2010 (Applications,Features, Agents)

Wikipedia on the architecture and history of Backup Exec

Checking Backup Jobs in Atempo’s Time Navigator

Wednesday, March 31st, 2010

Time Navigator is a powerful enterprise-level backup software suite. It is also one of the most complex backup suites you can manage.

In order for an ADB to be successful you need to check the following:

  • Whether the scheduled backups were successful or not.
  • If they were unsuccessful is intervention required?
  • Check the available storage for future backups
  • Did test restore succeed or not
  • Are Critical files backed up?
  • General log review

Section 1. Check whether the scheduled backup was successful

To begin you need to know the username and password for the local user on the host computer, which needs to have admin rights, as well as the username and password for the tina catalog.

Step 1: Open the Time Navigator Administrative Console.
On Mac it is /Applications/Atempo/tina/Administrative Console
On Windows c:\Program Files\Tina\Administrative Console

When the Administrative Console starts it will initiate a connection to the Time Navigator Catalog indicated in the config files.

It will prompt you for a username and password. Once you enter the proper username and password you will gain access to the Administrative Console.

This program interface is the main access point to the various programs that let you control Time Navigator.

Step 2. Choose the "Monitor" menu and select "Job Manager". This opens the Time Navigator Job Manager. The initial view shows all active jobs. Go to the View menu and choose "Historic" to show past jobs.

From here you will be able to review the recent backup jobs to find out whether they were successful or not.

Section 2. If the backups were unsuccessful do they require intervention?

Whether intervention is required depends largely on the reason for the backup failure.

From within the Job Manager you can select a job from the historic view and double-click it to open the job detail window.

From this window you will have access to several tabs. The tab of interest here is the one called "Events". This is a filtered view of the logs that shows only the log entries connected to this job number.

Determining whether intervention is warranted requires some knowledge of the errors you find. To that end the errors are color coded. Yellow errors are considered minor and can usually be overlooked if they are the only errors present, while Orange and Red errors are higher priority and warrant the attention of a tech trained in Time Navigator.

Section 3. Check the available storage capacity for future backup executions.

Time Navigator treats all forms of storage as a tape library. Your backup destination will be either a Virtual Tape Library, in the case of backing up to hard drives, or a specific physical tape library.

This means that we will need to view the Library Manager application.

Start with the Admin Console. Choose the host to which the library is attached (all libraries are attached to a host). Select the host icon with the mouse and open the "Devices" menu; from there choose "Library", then "Operations", then "Management".

This will spawn the Library Manager application. You will be presented with a dialogue containing a list of available Libraries.

Once chosen you will get a window that shows the number of drives (virtual or real) and the tape cartridges in their slots (also virtual or real). From this display you can determine which tapes have been used and which are free for use.
If a cartridge has been used it will be labeled with the tape pool to which it belongs. If it is free for use it will be labeled either SPARE or ?????, or in rare cases Lost & Found. Lost & Found cartridges should be reported to the administrator.

A comprehensive determination of how much space is left takes some math: know how much data each tape holds, how much data is backed up nightly, and so on.

A quick rule of thumb is percentages. If fewer than 10% of the cartridges are free it might be worthwhile to notify the administrator. It takes some experience to tell whether this is a problem, as some tapes hold hundreds of gigabytes and two tapes might take months to fill.

Section 4. Test Restore. Success or Failure.

This section implies that you will attempt a restoration of some files.
File restoration with Time Navigator is both its most powerful feature and its most complex compared with other backup software.

First a word about the process. While it is true that the Administrative Console and its associated applications can be run on any computer that participates in the Time Navigator backup system, the Restore and Archive Manager application will attempt to make a connection to the host from which the files were backed up. This means you will need credentials for that host with read/write access to the directories that were backed up. To that end it is often simpler to open the Administrative Console on the host in question before you open the Restore and Archive Manager.

To restore files from the backup of a host you need to select the host in the Administrative Console. From the "Platform" menu choose "Restore and Archive Manager". You will then be challenged for a username and password for the host in question.

Once you have entered valid credentials for the host you will be presented with the Restore and Archive Manager window. It shows the host name and the username under which you are connecting, and the complete file system of the host in expandable trees, with a check box beside each element.

Furthermore, this view shows the file system as it is in the present, with the capacity to show it as it was at some point in the past.

This element is where the program gets its name: Time Navigator lets you navigate through time to look at the file system and select files for restoration.

The idea here is that you know what time period you are looking for. You select the date beside the "past" radio button and it shows you the files that are available for that time period.

The second feature of this interface is the ability to isolate files that have been deleted, meaning you can adjust the view to show files that were present in the past but are not present now, spanning back an arbitrary amount of time as set in the form element for days, weeks, months, etc.

While this is very useful, it does not filter out files that were not deleted, so you need to know which directory to look in before it becomes useful.

A third, and in my opinion the most useful, method of locating files to restore is called versioning.
If you right-click (control-click) on a file that has been backed up, you will be presented with a contextual menu containing the word "versions".

Once selected, it opens a dialogue window listing every version of the file that is currently in the backup catalog.

Once you have selected a version from that list you need to click the "synchronize" button at the bottom of the versions dialogue. This sets the past date and time marker to the point in time when that version was backed up. You can then check the file to be restored.

Finally, you can search the catalog for files from this host. Within the Restore and Archive Manager choose the "Backup" menu and then "Find".

You will be presented with the search interface with the current host already selected as the search base. From here you can search by pathname and filename, and set how far back in time to search and how many results to show.

The search forms accept wildcards for more creative searching. Once a file is located in the results window you need to click the "synchronize" button at the bottom, just as in the versions window mentioned above.


All of the above techniques are methods of locating the files you wish to restore and putting check marks beside them. Now it is time to restore them.

Once you have all the files you wish to restore checked, we can proceed.
This is done from the "Restore" menu. If there is any question about what you have selected for restoration, there is an option here to "view checked objects", which filters the view to show only objects that have been checked for restoration.

Next you can choose to test the restore or run the restore. If there is any question about whether the media for a file is available, run it as a test first.

When you select test you will be greeted with a warning dialogue saying that this operation will perform every step except the writing of the data itself. This means drives and/or tape cartridges will be engaged and network throughput will be used.

After you agree, the restore dialogue appears. You will have two tabs to choose from.
The first is labeled "Parameters".

From here you can choose whether to restore the files to their original locations or to a new location on the same file system (restoring to another host is possible but is not covered here).

Now you must choose what level of restore you wish. Here you are presented with several radio buttons that let you choose whether to restore the data with or without directory and object information. This may seem like splitting hairs, but in some environments it is nice that your backup system can restore the user permissions on objects in your directory tree instead of just restoring everything.

The check box for "restore all file versions" restores everything in the "versions" list discussed above. It is not used very often.

Now to the second tab, "Behavior". The first selection to be made here is what to do if there is already a file with the same name at the destination path.

You will see options to restore the file and overwrite, to rename either the existing file or the restored file, or to not restore if certain conditions are met.

Keep this in mind: if you need to restore a large number of files and you don't know whether you should overwrite existing files, restore them to a neutral location and review them by hand.

If an error occurs while restoring files: Skip? Cancel? Ask user? This selection matters most when nobody is watching the process. If you are not monitoring and you choose skip, you will need to review the logs afterwards; if you choose cancel, you could come back to very little data having been restored.

Finally there is the section "if required cartridges are off-line".
You run into this if you are dealing with physical tapes that are no longer in the library.

Issue Operator Requests for each missing cartridge: the software will prompt you each time a tape is missing.
Ignore files indicated on those cartridges: self-explanatory.
Display offline cartridge list: this is the one I have learned to check. It checks the availability of the tapes against the current library listing, which means that if you put new tapes in you have to scan the barcodes before this list updates. This method avoids a lot of headaches and is my recommendation if you are dealing with physical tape.

Finally you get to press Restore, which presents the dialogue for the restore process. You will see the progress bar, the path of the files being restored and the option to monitor restore events.

If after all of this you have problems restoring you should contact a Time Navigator Admin.

Section 5. Did critical files backup.

At first glance this is similar to "did the backups succeed". You can back up the system state for Windows servers, which counts as critical files, but you should also check that the catalog for Time Navigator itself is being backed up. In the Administrative Console there is a host icon called CATALOG. It is very important that this gets backed up nightly: if the catalog becomes corrupt or non-functional, the entire backup is effectively lost, and even a good Time Navigator tech can spend a huge amount of time pulling data back off the tapes.

Section 6. General Logs Review

This section covers looking for things that look weird. From the Administrative Console choose Monitor > Events.

This opens the event monitor. If you see errors such as Environment error or Catalog error, they need to be reported.

WordPress Security Auditing

Thursday, March 11th, 2010

After reading Sarah Gooding’s article, 7 Quick Strategies to Beef Up Your Security, we decided to take a look at our own WordPress settings here on the 318 Tech Journal.

Deleting the Default Admin User

Creating a new user with admin permissions, then logging in as that user and deleting the default "admin" account is great advice. Just make sure you assign all of the old admin user's posts and links to the new account. Another caveat: if you are using the WPG2 plug-in with a Gallery2 installation, make sure to remove the Gallery2 user links before deleting the old admin account.

Don’t Use the Default “wp_” Table Prefix

SQL injection attacks are very real, and this tip makes them a little harder to exploit: a canned injection payload that hard-codes the wp_ table names will fail against a renamed schema. It is not a real defence (an attacker who can read information_schema will simply look up the new names), so treat it as a speed bump, not a substitute for patching vulnerable code. The WP Security Scan plug-in mentioned in the article has a built-in tool to help automate this change, but it can also lock you out of your dashboard. The trick is to make sure each user's meta_key settings in the usermeta table, and the user_roles row in the options table, match whatever prefix you choose:

wp_capabilities –> newprefix_capabilities
wp_user-settings –> newprefix_user-settings
wp_user-settings-time –> newprefix_user-settings-time
wp_user_level –> newprefix_user_level
wp_user_roles (in the options table) –> newprefix_user_roles
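Here is an added example (not from the article or the plug-in it mentions) that generates the SQL for the move for a stock single-site WordPress install of the period. It includes the two fix-ups that cause the lock-out when forgotten: the per-user keys in usermeta and the wp_user_roles row in options carry the prefix in their values, so renaming the tables alone leaves every account without capabilities. It also escapes the underscore in the LIKE pattern, since a plain 'wp_%' treats _ as a wildcard. The new prefix blog7_ and the table list are assumptions for the demonstration; the script prints the statements rather than executing them so you can review them and run them against a backup first, and you still have to change $table_prefix in wp-config.php yourself.

```python
# Stock single-site WordPress core tables (without the prefix).
CORE_TABLES = ["commentmeta", "comments", "links", "options", "postmeta",
               "posts", "terms", "term_relationships", "term_taxonomy",
               "usermeta", "users"]


def sql_string(value):
    """Quote a value as a MySQL string literal (single quotes doubled)."""
    return "'" + value.replace("'", "''") + "'"


def like_prefix(prefix):
    """LIKE pattern for 'starts with prefix', with _ and % escaped.

    The obvious pattern 'wp_%' is wrong: _ is a single-character wildcard in LIKE,
    so it would also match keys such as 'wpa...' that have nothing to do with the prefix.
    """
    return prefix.replace("_", "\\_").replace("%", "\\%") + "%"


def new_key(key, old_prefix, new_prefix):
    """Rewrite one meta_key / option_name value the same way the UPDATE below does."""
    if key.startswith(old_prefix):
        return new_prefix + key[len(old_prefix):]
    return key


def prefix_change_sql(old_prefix, new_prefix, tables=CORE_TABLES):
    """Return the SQL statements that move a WordPress database from old_prefix to new_prefix."""
    for p in (old_prefix, new_prefix):
        # Keep the prefix a plain identifier so it is safe inside backticks.
        if not p.replace("_", "").isalnum():
            raise ValueError("prefix must contain only letters, digits and underscores: %r" % p)
    stmts = ["RENAME TABLE `%s%s` TO `%s%s`;" % (old_prefix, t, new_prefix, t) for t in tables]
    # Per-user keys (wp_capabilities, wp_user_level, wp_user-settings, wp_user-settings-time, ...)
    # carry the prefix in the meta_key column, not in the table name.
    stmts.append(
        "UPDATE `%susermeta` SET meta_key = CONCAT(%s, SUBSTRING(meta_key, %d)) WHERE meta_key LIKE %s;"
        % (new_prefix, sql_string(new_prefix), len(old_prefix) + 1, sql_string(like_prefix(old_prefix)))
    )
    # The role definitions are stored in options under <prefix>user_roles.
    stmts.append(
        "UPDATE `%soptions` SET option_name = %s WHERE option_name = %s;"
        % (new_prefix, sql_string(new_prefix + "user_roles"), sql_string(old_prefix + "user_roles"))
    )
    return stmts


if __name__ == "__main__":
    # Take a full backup before running the output, then set
    # $table_prefix = 'blog7_'; in wp-config.php.
    print("\n".join(prefix_change_sql("wp_", "blog7_")))
```

RENAME TABLE commits implicitly in MySQL, so this is not something you can wrap in a transaction and roll back; the backup is your undo. If you run plug-ins that create their own wp_-prefixed tables, add them to the table list before generating the statements.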

Whitelisting Access to wp-admin by IP Address

This is typically done via .htaccess files and the AskApache Password Protection For WordPress plug-in mentioned in the article can help get the settings correct, although that plug-in has specific server requirements in order to run (it will run some tests for you to see if your server qualifies). If you do set this up, beware of dynamic IP address changes, which can lock you out in the future.

Other Items to Consider

  • Consider using a local MySQL application like Sequel Pro or the command line mysql tools for database configuration instead of public web-facing tools like phpMyAdmin. If you do use PMA, you should lock down access as much as possible using .htaccess controls (or other methods).
  • Tools like the WP Security Scan plug-in mentioned above or Donncha O Caoimh’s WordPress Exploit Scanner plug-in can help identify file permission issues in your WordPress setup.
  • Using SSH/SFTP instead of FTP to access your server is always good advice, even when you are using whitelists.
  • Stay up to date on both WordPress core files and all of your plug-ins.

318 is here to help you with all of your WordPress needs – call us today at 877.318.1318!

Setting Up SonicWALL’s SonicPoints

Tuesday, February 23rd, 2010

99% of this is from page 23 of the SonicWALL Network Security Appliances – SonicPoint-N Dual-Band Getting Started Guide; the other 1% makes it worth reprinting.

Configuring Wireless Access

This section describes how to configure SonicPoints with a
SonicWALL UTM appliance.

SonicWALL SonicPoints are wireless access points specially engineered to work with SonicWALL UTM appliances. Before you can manage SonicPoints in the management interface, perform the following steps:
-Configuring Provision Profiles
-Configuring a Wireless Zone
-Configuring the Network Interface

Configuring Provision Profiles
A SonicPoint Profile defines settings that can be configured on a SonicPoint, such as radio SSIDs and channels of operation.

These profiles make it easy to apply basic settings to a wireless zone, especially when that zone contains multiple SonicPoints. When a SonicPoint is connected to a zone, it is automatically provisioned with the profile assigned to that zone. If a SonicPoint is connected to a zone that does not have a custom profile assigned to it, the default profile "SonicPoint-N" is used.

To add a new profile:
1. Navigate to the SonicPoint > SonicPoints page in the SonicOS interface.
2. Click Add SonicPointN below the list of SonicPoint provisioning profiles.
3. The Add/Edit SonicPoint Profile window displays settings you can enable and/or modify.

Settings Tab:
1. Select Enable SonicPoint
2. Enter a Name Prefix to be used internally as the first part of the name for each SonicPoint provisioned
3. Select the Country Code for the area of operation

802.11n Radio Tab
1. Select Enable Radio
2. Optionally, select a schedule for the radio to be enabled from the drop-down list. The most common work and weekend hour schedules are pre-populated for selection.
3. Select a Radio Mode to dictate the radio frequency band(s). The default setting is 2.4GHz 802.11n/g/b Mixed.
4. Enter an SSID. This is the access point name that will appear in clients' lists of available wireless connections.
5. Select a Primary Channel and Secondary Channel. You may choose AutoChannel unless you have a reason to use or avoid specific channels.
6. Under WEP/WPA Encryption, select the Authentication Type of your wireless network. SonicWALL recommends using WPA2 as the authentication type. Do not pick WEP for any network you care about: its key can be recovered from captured traffic in minutes, and WPA with TKIP is only a stop-gap. Use WPA2 with AES, and if you use a pre-shared key rather than 802.1X/EAP, make it a long pass-phrase.
7. Fill in the fields specific to the authentication type that you selected. The remaining fields change depending on the selected authentication type.
8. Optionally, under ACL Enforcement, select Enable MAC Filter List to enforce Access Control by allowing or denying traffic from specific devices. Select a MAC address object group from the Allow List or Deny List to automatically allow or deny traffic to and from all devices with MAC addresses in the group. The Deny List is enforced before the Allow List.

Advanced Tab:
Configure the advanced radio settings for the 802.11n radio. For most 802.11n advanced options, the default settings give optimum performance. For a full description of the fields on this tab, see the SonicOS Enhanced Administrator’s Guide.

Configuring a Wireless Zone

You can configure a wireless zone on the Network > Zones page. Typically, you will configure the WLAN zone for use with SonicPoints.

To configure a standard WLAN zone:
1. On the Network > Zones page in the WLAN row, click the icon in the Configure column.
2. Click on General tab.
3. Select the Allow Interface Trust setting to automate the creation of Access Rules that allow traffic to flow between the interfaces within the zone, regardless of which interfaces the zone is applied to. For example, if the WLAN Zone has both the X2 and X3 interfaces assigned to it, selecting the Allow Interface Trust checkbox on the WLAN Zone creates the necessary Access Rules to allow hosts on these interfaces to communicate with each other.
4. Select the check boxes for the security services to enable on this zone. Typically, you would enable Gateway Anti-Virus, IPS, and Anti-Spyware (IF YOU HAVE THE LICENSES). If your wireless clients are all running SonicWALL Client Anti-Virus, select Enable Client AV Enforcement Service.
5. Click on the Wireless Tab.
6. Select Only allow traffic generated by a SonicPoint to allow only traffic from SonicWALL SonicPoints to enter the WLAN Zone interface. This provides the maximum security on your WLAN, since a device plugged directly into that interface instead of associating through a SonicPoint cannot pass traffic into the zone.
7. Optionally, click the Guest Services tab to configure guest Internet access solely, or in tandem with secured access. For information about configuring Guest Services, see the SonicOS Enhanced Administrator’s Guide.
8. When finished, click OK.

Configuring the Network Interface

Each SonicPoint or group of SonicPoints must be connected to a physical network interface that is configured for Wireless. SonicOS by default provides a standard wireless zone (WLAN), which can be applied to any available interface.

To configure a network interface using the standard wireless (WLAN) zone:
1. Navigate to the Network > Interfaces page and click the Configure button for the interface to which your SonicPoints will be connected.
2. Select WLAN for the Zone type.
3. Select Static for the IP Assignment.
4. Enter a static IP Address in the field. Any private IP address is appropriate, as long as it does not overlap with the IP address range of any of your other interfaces.
5. Enter a Subnet Mask.
6. Optionally, choose a SonicPoint Limit for this interface. This option helps limit resources on port by port basis when using SonicPoints across multiple ports.
7. Optionally, allow Management and User Login mechanisms if they make sense in your deployment. Remember that allowing management login from a wireless zone can pose a security threat, especially if you or your users have not set strong passwords; leave it off unless you actually need it.

Verifying Operation

To verify that the SonicPoint is provisioned and operational, navigate to the SonicPoint > SonicPoints page in the SonicOS management interface. The SonicPoint should display an "operational" status in the SonicPointNs table.

Connect to WIFI and ensure that you can browse the Internet.

Blackberry BIS Setup, Websites and Providers

Wednesday, February 3rd, 2010

You will want to create an IMAP or POP account, *not an OWA account*. If you create an OWA account it will not sync in real time.

To set up an IMAP or POP account you must:

1. Create an account on one of the websites listed below.

2. Enter the PIN# and the ESN# (located under the battery and on the outside of the box).

3. Fill in the user name (usually the user's e-mail address) and then enter the wrong password twice so that the site gives you more options.

4. Next go through the setup using your own configuration and settings, or it will default to OWA. Once finished the user should get an activation e-mail. From there you should be able to test.

A list of providers and their BIS sites can be found in the following list:

Wireless Provider

Bell Canada
Cellular South
Cincinnati Bell
Dobson Cellular
Earthlink Wireless
Edge Wireless
Rogers Wireless
TeleCommunication Systems
T-Mobile Austria
T-Mobile Germany
T-Mobile UK
T-Mobile USA
US Cellular
Verizon Wireless
Vodafone Germany