Posts Tagged ‘setup’

Add OS X Network Settings Remotely (Without Breaking Stuff)

Monday, September 23rd, 2013

So you’re going to send a computer off to a colocation facility, where it’ll use a static IP and DNS servers that need to be configured before it arrives. As with any colo box, you access this computer remotely to prepare it for its trip, but you don’t want to knock it off the network while staging that info; you want to verify it’s good to go and then shut it down.

It’s the type of thing, like setting up email accounts programmatically, that somebody should have figured out and shared with the community at some point. But even if my google-fu is weak, I guess I can deal with having tomatoes thrown at me, so here’s a rough mock-up:


#!/bin/bash
# purpose: add a network location with manual IP info without switching
#   This script lets you fill in settings and apply them on en0 (assuming that's active)
#   but only interrupts current connectivity long enough to apply the settings,
#   it then immediately switches back. (It also assumes a 'Static' location doesn't already exist...)
#   Use at your own risk! No warranty granted or implied! Tell us we're doing it rong on twitter!
# author: Allister Banks, 318 Inc.

# set -x

declare -xr networksetup="/usr/sbin/networksetup"

declare -xr MYIP="192.168.111.177"
declare -xr MYMASK="255.255.255.0"
declare -xr MYROUTER="192.168.111.1"
# Two servers; deliberately left unquoted below so they are passed as separate arguments.
declare -xr DNSSERVERS="8.8.8.8 8.8.4.4"

# Find the network service that owns en0. -listallhardwareports prints a
# "Hardware Port: <name>" line immediately before each "Device: <ifname>" line;
# keep the whole name so multi-word services such as "Thunderbolt Ethernet" survive.
declare -x PORTANDSERVICE
PORTANDSERVICE=$("$networksetup" -listallhardwareports | awk -F': ' '/^Hardware Port: /{port=$2} /^Device: en0$/{print port}')

if [ -z "$PORTANDSERVICE" ]; then
    echo "Could not find a network service for en0; aborting before touching any location." >&2
    exit 1
fi

"$networksetup" -createlocation "Static" populate
"$networksetup" -switchtolocation "Static"
"$networksetup" -setmanual "$PORTANDSERVICE" "$MYIP" "$MYMASK" "$MYROUTER"
"$networksetup" -setdnsservers "$PORTANDSERVICE" $DNSSERVERS
"$networksetup" -switchtolocation Automatic

exit 0

Caveats: The script assumes the interface you want to be active in the future is en0, just for ease of testing before deployment. It also assumes that there isn’t already a network location called ‘Static’, and that you do want all interfaces populated upon creation (because I couldn’t think of particularly good reasons why not).
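The pre-flight checks I would run on those values before the script creates the location, as an added example that is not part of the original post: the IP, mask and router must parse, the mask must be contiguous, the router must sit inside the subnet (a typo here means the box is unreachable once it lands at the colo), and no location with the chosen name may already exist. The functions only operate on strings and on captured text, and the sample listlocations output is constructed, so it runs offline.

```bash
#!/bin/bash
# Pre-flight checks for the static-location script above (added example, not part of
# the original post). Everything operates on strings and on captured text, so it
# runs offline; the sample 'networksetup -listlocations' output below is constructed.

# Convert a dotted quad to an integer. Prints the value, or prints nothing and
# returns 1 if the string is not four octets in 0..255 (leading zeros rejected).
ip2int() {
    local oldifs="$IFS" o n=0
    case "$1" in *[!0-9.]*|.*|*.|*..*|'') return 1 ;; esac
    IFS=.
    set -- $1
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
        n=$(( (n << 8) | o ))
    done
    echo "$n"
}

# Return 0 if the mask is a contiguous netmask (all ones followed by all zeros).
valid_mask() {
    local m inv
    m=$(ip2int "$1") || return 1
    inv=$(( ~m & 0xFFFFFFFF ))          # the host bits
    [ $(( inv & (inv + 1) )) -eq 0 ]    # host bits must be a run of trailing ones
}

# Return 0 when router $3 lies inside the network described by IP $1 and mask $2.
same_subnet() {
    local ip mask router
    ip=$(ip2int "$1") && mask=$(ip2int "$2") && router=$(ip2int "$3") || return 1
    [ $(( ip & mask )) -eq $(( router & mask )) ]
}

# Run every check. Arguments: ip mask router location-name; stdin: the output of
# 'networksetup -listlocations' (one name per line). Prints each problem, returns 1 if any.
preflight() {
    local ip="$1" mask="$2" router="$3" loc="$4" fail=0
    if grep -qx -- "$loc"; then
        echo "location '$loc' already exists; the script assumes it does not" >&2; fail=1
    fi
    ip2int "$ip" >/dev/null     || { echo "bad IP address: $ip" >&2; fail=1; }
    valid_mask "$mask"          || { echo "bad netmask: $mask" >&2; fail=1; }
    ip2int "$router" >/dev/null || { echo "bad router address: $router" >&2; fail=1; }
    if [ "$fail" -eq 0 ]; then
        same_subnet "$ip" "$mask" "$router" \
            || { echo "router $router is not on $ip/$mask; the box would be unreachable at the colo" >&2; fail=1; }
        [ "$ip" != "$router" ] || { echo "IP and router are the same address" >&2; fail=1; }
    fi
    return "$fail"
}

# Constructed sample of 'networksetup -listlocations' output. On a real box use:
#   "$networksetup" -listlocations | preflight "$MYIP" "$MYMASK" "$MYROUTER" Static
SAMPLE_LOCATIONS='Automatic
Office VPN'

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    printf '%s\n' "$SAMPLE_LOCATIONS" | preflight 192.168.111.177 255.255.255.0 192.168.111.1 Static \
        && echo "pre-flight passed: safe to create the Static location"
fi
```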

If you find the need, give it a try and tweet at us with your questions/comments!


How to Configure basic High Availability (Hardware Failover) on a SonicWALL

Friday, November 30th, 2012

Configuring High Availability (Hardware Failover) on a SonicWALL requires the following:

1. Two SonicWALLs of the same model (TZ 200 and up).

2. Both SonicWALLs need to be registered at MySonicWALL.com (regular registration, and then one as HF Primary, one as HF Secondary).

3. The same firmware versions need to be on both SonicWALLs.

4. Static IP addresses are required for the WAN Virtual IP interface (you can’t use DHCP).

5. Three LAN IP addresses (one for Virtual IP, one for the management IP, and one for the Backup management IP).

6. A crossover cable (to connect the SonicWALLs to each other) on the last Ethernet interfaces.

7. 1 hub or switch for the WAN port on each SonicWALL to connect to.

8. 1 hub or switch for the LAN port on each SonicWALL to connect to.

Caveats

1. High Availability cannot be configured if “built-in wireless is enabled”.

2. On NSA 2400MX units, High Availability cannot be configured if PortShield is enabled.

3. Stateful HA is not supported for connections on which DPI-SSL is applied.

4. On TZ210 units the HA port/Interface must be UNASSIGNED before setting up HA (last available copper ethernet interfaces).


Setup

1. Register both SonicWALLs at MySonicWALL as High Availability Pairs BEFORE connecting them to each other:

• “Associating an Appliance at First Registration”: http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=6233#Associating_an_Appliance_at_First_Registration_

• “Associating Pre-Registered Appliances”: http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=6235#Associating_Pre-Registered_Appliances

• “Associating a New Unit to a Pre-Registered Appliance”: http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=6236#Associating_a_New_Unit_to_a_Pre-Registered_Appliance

2. Log in to the Primary HF and configure the SonicWALL (firewall rules, VPN, etc.).

3. Connect the SonicWALLs to each other on their last Ethernet ports using a crossover cable.

4. Connect the WAN port on both SonicWALLs to a switch or hub using straight through (standard) ethernet cables, and then connect the switch to your upstream device (modem, router, ADTRAN, etc.)

5. Ensure the Primary HF can still communicate to the Internet.

6. Connect the LAN port on both SonicWALLs to a switch or hub using straight through (standard) Ethernet cables, and then connect them to your main LAN switch (if you don’t have one, you should purchase one; this will be the switch that all your LAN nodes connect to).

7. Go to High Availability > Settings.

8. Select the Enable High Availability checkbox.

9. Under SonicWALL Address Settings, type in the serial number for the Secondary HF (Backup SonicWALL). You can find the serial number on the back of the SonicWALL security appliance, or in the System > Status screen of the backup unit. The serial number for the Primary SonicWALL is automatically populated.

10. Click Accept to save these settings.


Configuring Advanced High Availability Settings

1. Click High Availability > Advanced.

2. Put a check mark for Enable Preempt Mode.

3. Put a check mark for Generate / Overwrite Backup Firmware and Settings when Upgrading Firmware.

4. Put a check mark for Enable Virtual MAC.

5. Leave the Heartbeat Interval at default (5000ms).

6. Leave the Probe Interval at default (no less than 5 seconds).

7. Leave Probe Count and Election Delay Time at default.

8. Ensure there’s a checkmark for Include Certificates/Keys.

9. Press Synchronize settings.


Configuring High Availability > Monitoring Setting

(Only do the following on the primary unit; the settings will be synchronized to the secondary unit.)

1. Log in as the administrator on the Primary SonicWALL.

2. Click High Availability > Monitoring.

3. Click the Configure icon for an interface on the LAN (ex. X0).

4. To enable link detection between the designated HA interface on the Primary and Backup units, leave the Enable Physical Interface monitoring checkbox selected.

5. In the Primary IP Address field, enter the unique LAN management IP address.

6. In the Backup IP Address field, enter the unique LAN management IP address of the backup unit.

7. Select the Allow Management on Primary/Backup IP Address checkbox.

8. In the Logical Probe IP Address field, enter the IP address of a downstream device on the LAN network that should be monitored for connectivity (something that has an address that’s always turned on like a server or managed switch).

9. Click OK.

10. To configure monitoring on any of the other interfaces, repeat the above steps.

11. When finished with all High Availability configuration, click Accept. All changes will be synchronized to the idle HA device automatically.


Testing the Configuration

1. Allow some time for the configuration to sync (at least a few minutes). Power off the Primary SonicWALL. The Backup SonicWALL should quickly take over.

2. Test to ensure Internet access is OK.

3. Test to ensure LAN access is OK.

4. Log into the Backup SonicWALL using the unique LAN address you configured.

5. The management interface should now display “Logged Into: Backup SonicWALL Status: (green ball)”. If all licenses are not already synchronized with the Primary SonicWALL, go to System > Licenses and register this SonicWALL on mysonicwall.com. This allows the SonicWALL licensing server to synchronize the licenses.

6. Power the Primary SonicWALL back on, wait a few minutes, then log back into the management interface. The management interface should again display “Logged Into: Primary SonicWALL Status: (green ball)”.

NOTE: Successful High Availability synchronization is not logged, only failures are logged.

Open Directory Deployment Checklist

Thursday, April 12th, 2012

Open Directory on Lion Server, if deployed properly, is simple to set up, and is a stable and reliable directory service. If not deployed properly, it’s still simple to set up, but can be maddeningly difficult to troubleshoot and manage. It’s important to deploy it properly.

Some things to consider prior to deployment:

  • You should always discuss the purpose of a Directory service with the client, and make sure that you’ve evaluated their needs correctly. Some of Lion Server’s services absolutely require the system to be an Open Directory Master, but some function just fine on a Standalone system. Device Manager, in particular, will take you through OD Master configuration as a part of its own setup.
  • If legacy user records or other data need to be migrated, this will need to be taken into account, and time should be budgeted for managing this data. If you’re replacing a Leopard or Snow Leopard Open Directory server, you can import an OD Archive, but it may not always be the best idea.
  • Open Directory deployments should always include both an Open Directory Master and an Open Directory Replica. Plan accordingly.
  • Proper DNS resolution is absolutely essential to a successful Open Directory deployment. All servers must have correct forward and reverse lookups. Open Directory will not work properly if DNS is incorrect. If your OD deployment is going to be self-contained, you can set up the DNS service on the OD Master and Replica, so that they can resolve each other, and then the clients can refer to the OD Master for name resolution. If you’re deploying OD into a larger infrastructure, though, it’s advisable to have consistent DNS across the whole organization.
  • It is not recommended that .local be used as the TLD on the network where you’re deploying Open Directory. Though it is possible to successfully deploy Open Directory into a .local namespace, the odds are against you. Don’t do it unless there are really no other options.

You can, if you like, use Server Admin to set up Open Directory, but Server.app performs some steps that Server Admin doesn’t, so I don’t recommend using Server Admin for the initial setup. However, Server Admin can be helpful in managing Open Directory after deployment. The Server Admin tools are not installed by default on Mac OS X 10.7, so you’ll need to download them from Apple.

When deploying Open Directory, the first thing you need to do is verify that DNS is resolving correctly:

$ sudo changeip -checkhostname

Primary address = 10.1.1.1

Current HostName = odserver.pretendco.com
DNS HostName = odserver.pretendco.com

The names match. There is nothing to change.
dirserv:success = "success"

If changeip outputs this error, or one that sounds like it, please repair DNS or set the hostname properly before proceeding.

The DNS hostname is not available, please repair DNS and re-run this tool.

In Server.app, there is a utility that helps you change your system’s hostname. Click on the computer name, under Hardware, then click the Network tab, and then click “Edit”.

If your hostname is good, open Server.app. From the Manage menu, choose “Manage Network Accounts”. (If this option isn’t available, then this server is already managing network accounts, either as an OD Master or Replica.) This will start the setup assistant. You’ll need to provide an administrative account for Open Directory. Please note that this is not the same as the local administrative account that you create on initial server setup, and they should not have the same name. The default, Directory Administrator, is a good choice. Enter your Organization name and an administrator’s email address.

When you’re done, click the “Set Up” button, and you should be shortly returned to Server.app, with an Open Directory Master to manage.

At this point, it’s always a good idea to open up Console and check the logs, to make sure that there are no glaring errors. The really informative one is /Library/Logs/slapconfig.log, but slapd.log and opendirectoryd.log, which are in /var/log, can also be very helpful.

Secure Site-to-Site VPN tunnel using the ASA

Sunday, April 8th, 2012

Site to Site VPN enables an encrypted connection between private networks over a public network (i.e. the Internet).

Basic steps to configure a site-to-site VPN with a Cisco ASA begin with defining the ISAKMP Policy. An ISAKMP/IKE policy defines how a connection is to be created, authenticated, and protected. You can have multiple policies on your Cisco ASA. You might need to do this if your ASA needs to connect to multiple devices with different policy configurations.

  • Authentication: specifies the method to use for device authentication
  • Hash: specifies the HMAC function to use
  • Encryption: specifies which algorithm to use
  • Group: specifies the DH key group to use

Next, you will need to establish an IPsec transform set. Different firmware versions and different Cisco devices offer different options, including the following:

  • esp-md5-hmac: ESP with the MD5 (HMAC variant) authentication algorithm
  • esp-aes: ESP with the 128-bit Advanced Encryption Standard (AES) encryption algorithm
  • esp-des: ESP with the 56-bit Data Encryption Standard (DES) encryption algorithm
  • esp-3des: ESP with the 168-bit DES encryption algorithm (3DES or Triple DES)
  • ah-md5-hmac: AH with the MD5 (HMAC variant) authentication algorithm
  • ah-sha-hmac: AH with the SHA (HMAC variant) authentication algorithm

3. Configure the crypto access list

Crypto ACLs are used to identify which traffic is to be encrypted and which traffic is not. After the ACL is defined, the crypto maps use the ACL to identify the type of traffic that IPsec protects.

It’s not recommended to use the permit ip any any command. It causes all outbound traffic to be encrypted, and sends all traffic to the specified peer.

4. Configure crypto map

Used to verify the previously defined parameters

5. Now apply crypto map to the outside interface.


Configuration of ASA-1

You might have to enable ISAKMP on your device

ASA-1(config)#crypto isakmp enable

First, define the IKE policies on ASA-1:

ASA-1(config)#crypto isakmp policy 10

The lower the policy number, the higher the priority of that ISAKMP policy, which affects which policy is negotiated between sites.

The general rule of thumb is to give the most secure policy the lowest number (like 1) and the least secure policy the highest number (like 10000).

ASA-1(config-isakmp)#encryption des

(enable encryption des)

ASA-1(config-isakmp)#hash md5

(enable algorithm md5 for hashing)

ASA-1(config-isakmp)#authentication pre-share

(enable Pre-shared method)

ASA-1(config-isakmp)#group 2

(enable group 2)

ASA-1(config-isakmp)#exit

(Exit from crypto isakmp mode)

  • The next step is to create a pre-shared key (password) on ASA-1.

ASA-1(config)#crypto isakmp key office address 10.1.1.2

(Here the key is “office” and 10.1.1.2 is the ASA-2 address)

  • Now create an access list to define only interesting traffic.

ASA-1(config)#access-list 100 permit ip host 10.1.1.1 host 10.1.1.2

(100 is access list number and 10.1.1.1 is source address and 10.1.1.2 is destination address.)

  • Now create the transform-set for encryption and hashing.

ASA-1(config)#crypto ipsec transform-set ts2 esp-des esp-md5-hmac

(Here encryption type is des and hashing method is md5-hmac)

ASA-1(config)#crypto map testcryp 10 ipsec-isakmp

(crypto map name testcryp)

ASA-1(config)# crypto map testcryp 10 match address 100

(apply the access list)

ASA-1(config)# crypto map testcryp 10 set transform-set ts2

(apply the transform set)

ASA-1(config)# crypto map testcryp 10 set peer 10.1.1.2

(Set remote peer address)

  • Now apply the crypto map to the ASA-1 outside interface

ASA-1(config)# crypto map testcryp interface outside

(Apply crypto map on outside interface)

ASA-1(config)# crypto isakmp enable outside

(To enable crypto isakmp on ASA)

Configuration of ASA-2

First, define the IKE policies on ASA-2:

ASA-2(config)#crypto isakmp policy 10

(10 is isakmp policy number)

ASA-2(config-isakmp)#encryption des

(enable encryption des)

ASA-2(config-isakmp)#hash md5

(enable algorithm md5 for hashing)

ASA-2(config-isakmp)#authentication pre-share

(enable Pre-shared method)

ASA-2(config-isakmp)#group 2

(enable Diffie-Hellman group 2)

ASA-2(config-isakmp)#exit

(Exit from crypto isakmp mode)

  • The next step is to create a pre-shared key (password) on ASA-2.

ASA-2(config)#crypto isakmp key office address 10.1.1.1

(Here the key is “office” and 10.1.1.1 is the ASA-1 address)

  • Now create an access list to define only interesting traffic.

ASA-2(config)#access-list 100 permit ip host 10.1.1.2 host 10.1.1.1

(100 is access list number and 10.1.1.2 is source address and 10.1.1.1 is destination address.)

  • Now create the transform-set for encryption and hashing.

ASA-2(config)#crypto ipsec transform-set ts2 esp-des esp-md5-hmac

(Here encryption type is des and hashing technique is md5-hmac)

ASA-2(config)#crypto map testcryp 10 ipsec-isakmp

(crypto map name testcryp)

ASA-2(config)# crypto map testcryp 10 match address 100

(apply the access list)

ASA-2(config)# crypto map testcryp 10 set transform-set ts2

(apply the transform set)

ASA-2(config)# crypto map testcryp 10 set peer 10.1.1.1

(Set remote peer address)

  • Now apply the crypto map to the ASA-2 outside interface

ASA-2(config)# crypto map testcryp interface outside

(Apply crypto map on outside interface)

ASA-2(config)# crypto isakmp enable outside

(To enable crypto isakmp on ASA)

Now, to verify the secure tunnel, ping the remote location from one ASA:

ASA-2(config)# ping 10.1.1.1
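A consistency check over the two peer configurations, as an added example that is not part of the original post: the things that most often keep a site-to-site tunnel from coming up are parameters that do not match between the peers (ISAKMP policy, transform set, pre-shared key) and crypto ACLs that are not mirror images, and all of those can be caught on paper before the ping. The two config excerpts are constructed from the ASA-1 and ASA-2 commands above with the prompts removed, and the weak-algorithm flag (DES, MD5, DH group 2) is my addition, not something the post checks.

```bash
#!/bin/bash
# Peer-consistency check for the site-to-site configs above (added example, not from
# the original post). Text processing only, so it runs offline; it does not replace
# 'show crypto isakmp sa' / 'show crypto ipsec sa' on the appliances themselves.

# Constructed from the ASA-1 commands in the post, prompts removed.
ASA1_CONF='crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key office address 10.1.1.2
access-list 100 permit ip host 10.1.1.1 host 10.1.1.2
crypto ipsec transform-set ts2 esp-des esp-md5-hmac
crypto map testcryp 10 match address 100
crypto map testcryp 10 set transform-set ts2
crypto map testcryp 10 set peer 10.1.1.2'

# Constructed from the ASA-2 commands in the post, prompts removed.
ASA2_CONF='crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key office address 10.1.1.1
access-list 100 permit ip host 10.1.1.2 host 10.1.1.1
crypto ipsec transform-set ts2 esp-des esp-md5-hmac
crypto map testcryp 10 match address 100
crypto map testcryp 10 set transform-set ts2
crypto map testcryp 10 set peer 10.1.1.1'

# Print the value following keyword $2 in config $1 (first match only). Lines are
# matched on their first word, so the indented policy sub-command ' group 2' yields '2'.
cfg_word() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Print a named property of config $1: psk, key_peer, acl_src, acl_dst, ts, peer.
cfg_prop() {
    case "$2" in
        psk)      printf '%s\n' "$1" | awk '/^crypto isakmp key /{print $4; exit}' ;;
        key_peer) printf '%s\n' "$1" | awk '/^crypto isakmp key /{print $6; exit}' ;;
        acl_src)  printf '%s\n' "$1" | awk '/^access-list .* permit ip host /{print $6; exit}' ;;
        acl_dst)  printf '%s\n' "$1" | awk '/^access-list .* permit ip host /{print $8; exit}' ;;
        ts)       printf '%s\n' "$1" | awk '/^crypto ipsec transform-set /{for (i = 5; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n"); exit}' ;;
        peer)     printf '%s\n' "$1" | awk '/ set peer /{print $NF; exit}' ;;
        *)        return 1 ;;
    esac
}

# Compare peer configs $1 (ASA-1) and $2 (ASA-2). Prints one line per mismatch and
# returns 0 only when everything lines up.
check_vpn_peers() {
    local a="$1" b="$2" fail=0 k va vb
    for k in encryption hash authentication group; do
        va=$(cfg_word "$a" "$k"); vb=$(cfg_word "$b" "$k")
        [ "$va" = "$vb" ] || { echo "isakmp $k differs: '$va' vs '$vb'"; fail=1; }
    done
    for k in psk ts; do
        va=$(cfg_prop "$a" "$k"); vb=$(cfg_prop "$b" "$k")
        [ "$va" = "$vb" ] || { echo "$k differs: '$va' vs '$vb'"; fail=1; }
    done
    # Each side must point at the other side's own address (the source host in the
    # other side's crypto ACL), the key address must match set peer, and the ACLs must mirror.
    [ "$(cfg_prop "$a" peer)" = "$(cfg_prop "$b" acl_src)" ] || { echo "ASA-1 set peer is not ASA-2's address"; fail=1; }
    [ "$(cfg_prop "$b" peer)" = "$(cfg_prop "$a" acl_src)" ] || { echo "ASA-2 set peer is not ASA-1's address"; fail=1; }
    [ "$(cfg_prop "$a" key_peer)" = "$(cfg_prop "$a" peer)" ] || { echo "ASA-1 isakmp key address does not match set peer"; fail=1; }
    [ "$(cfg_prop "$b" key_peer)" = "$(cfg_prop "$b" peer)" ] || { echo "ASA-2 isakmp key address does not match set peer"; fail=1; }
    [ "$(cfg_prop "$a" acl_src)" = "$(cfg_prop "$b" acl_dst)" ] && [ "$(cfg_prop "$a" acl_dst)" = "$(cfg_prop "$b" acl_src)" ] \
        || { echo "crypto ACLs are not mirror images of each other"; fail=1; }
    return "$fail"
}

# Report ISAKMP choices considered weak by current standards (DES/3DES, MD5, DH groups 1/2/5).
# The post's example uses all three; this only flags them and does not fail the check.
weak_settings() {
    local e h g out=""
    e=$(cfg_word "$1" encryption); h=$(cfg_word "$1" hash); g=$(cfg_word "$1" group)
    case "$e" in des|3des) out="$out encryption=$e" ;; esac
    case "$h" in md5) out="$out hash=$h" ;; esac
    case "$g" in 1|2|5) out="$out group=$g" ;; esac
    echo "${out# }"
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    check_vpn_peers "$ASA1_CONF" "$ASA2_CONF" && echo "peers are consistent"
    echo "weak settings on ASA-1: $(weak_settings "$ASA1_CONF")"
fi
```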

Setting up Netboot helpers on a Cisco device

Tuesday, April 3rd, 2012

Configuring a Cisco device to forward BOOTP requests is a pretty straightforward process. First off, this only applies to Cisco routers and some switches. You will need to verify whether your device supports the IP Helper command; the Cisco ASA, for example, will not forward BOOTP requests.

By default the IP Helper command forwards several types of UDP traffic. The two important ones are UDP ports 67 and 68, used for DHCP and BOOTP requests. Other ports can be configured for forwarding with additional commands as well. Put simply, if you have a NetBoot server you can configure the IP Helper command to point at that server’s IP address.

Here is an example. Let’s say your NetBoot server has an IP address of 10.0.0.200. You would go into global configuration mode, switch to the interface you want to use, and type “ip helper-address 10.0.0.200” to relay those requests to that address. Depending on your situation you also might want to set up the device to ignore BOOTP requests (in cases where you have DHCP and BOOTP on the same network); that command is “ip dhcp bootp ignore”. Using the IP helper and BOOTP ignore commands together will ensure that those BOOTP requests are forwarded out the interface to the specified address.

Lastly, if you have multiple subnets you can set up multiple IP Helper address statements on your device to forward to multiple addresses.

Installing a SonicWALL ViewPoint Virtual Machine

Monday, April 2nd, 2012

When installing a ViewPoint VM you will need to download three items.

First is the SonicWALL_ViewPoint_Virtual_Appliance_GSG.pdf, available from mysonicwall.com.
This will be your step-by-step instruction manual for installing the ViewPoint VM.
Next you will need to identify which version your VXI host is running, and then download the same version of the client as your VXI host.
Lastly you will need to log in to mysonicwall.com and download sw_gmsvp_vm_eng_6.0.6022.1243.950GB.ova.

When you have all three of these downloaded, open the SonicWALL_ViewPoint_Virtual_Appliance_GSG and start going through the step-by-step instructions.
You will first install the VM client, and may run into the first gotcha: depending on the machine setup, the .exe may be blocked from running.
The download will look like this: VMware-viclient-all-4.1.0-345043.exe.zip. Get properties on this file and unblock it if it is blocked.
After the install of the VM client, follow the instructions in the PDF until you get to page 18, step 2.

2. When the console window opens, click inside the window, type snwlcli at the login:
prompt and then press Enter. Your mouse pointer disappears when you click in the
console window. To release it, press Ctrl+Alt

Here is where you will run into the biggest gotcha.

You will be asked to log in with a name and password. On first login use the name snwlcli with no password, then use the default name and password and continue.

Configuring a Cisco ASA 5505 with the basics

Thursday, March 1st, 2012

The Cisco ASA 5505 is great for small to medium businesses. Below are the steps you will have to complete to configure your ASA to communicate with the Internet. There are many more steps, options, and features on these devices (later articles will cover some of them).

Bring your device into configuration mode
318ASA>en
Brings the device into enable mode

318ASA#config t
Change to configuration terminal mode

318ASA(config)#
The ASA is now ready to be configured when you see (config)#

Configure the internal interface VLAN (ASAs use VLANs for added security by default)
318ASA(config)# interface Vlan 1

Configure interface VLAN 1
318ASA(config-if)# nameif inside
Name the interface inside

318ASA(config-if)#security-level 100

Sets the security level to 100

318ASA(config-if)#ip address 192.168.5.1 255.255.255.0
Assign your IP address

318ASA(config-if)#no shut
Make sure the interface is enabled and active

Configure the external interface VLAN (This is your WAN\internet connection)
318ASA(config)#interface Vlan 2
Creates the VLAN2 interface

318ASA(config-if)# nameif outside
Names the interface outside

318ASA(config-if)#security-level 0
Assigns the most strict security level to the outside interface (the lower the number, the higher the security).

318ASA(config-if)#ip address 76.79.219.82 255.255.255.0
Assign your Public Address to the outside interface

318ASA(config-if)#no shut
Enable the outside interface to be active.

Enable and assign the external WAN to Ethernet 0/0 using VLAN2
318ASA(config)#interface Ethernet0/0
Go to the Ethernet 0/0 interface settings

318ASA(config-if)#switchport access vlan 2
Assign the interface to use VLAN2

318ASA(config-if)#no shut
Enable the interface to be active.

Enable and assign the internal LAN interface Ethernet 0/1 (note ports 0/1-0/7 act as a switch but all interfaces are disabled by default).
318ASA(config)#interface Ethernet0/1
Go to the Ethernet 0/1 interface settings

318ASA(config-if)#no shut
Enable the interface to be active.
If you need multiple LAN ports you can do the same for Ethernet0/2 to 0/7.

To have traffic route from LAN to WAN you must configure Network Address Translation on the outside interface
318ASA(config)#global (outside) 1 interface
318ASA(config)#nat (inside) 1 0.0.0.0 0.0.0.0

***NOTE for ASA Version 8.3 and later***
Cisco announced the new Cisco ASA software version 8.3. This version introduces several important configuration changes, especially on the NAT/PAT mechanism. The “global” command is no longer supported. NAT (static and dynamic) and PAT are configured under network objects. The PAT configuration below is for ASA 8.3 and later:

318ASA(config)#nat (inside,outside) dynamic interface

For more info you can reference this article from Cisco with regards to the changes – http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html

Configure the default route (for this example default gateway is 76.79.219.81)
318ASA(config)#route outside 0.0.0.0 0.0.0.0 76.79.219.81 2 1

Last but not least, verify and save your configuration.

Verify your settings are working. Once you have verified your configuration, write to memory to save it. If you do not write to memory, your configuration will be lost upon the next reboot.

318ASA(config)#wr mem

Basic SonicWALL Router Setups

Tuesday, October 11th, 2011

A work in progress…

1. Register the SonicWALL appliance at www.mysonicwall.com. A new account may be created for this purpose.

2. Download the latest firmware from mysonicwall.com

3. Disable popup blocking on your browser

4. The default IP of a factory Sonicwall device is 192.168.168.168. Connect to the Sonicwall (you need to adjust your Ethernet NIC’s config to match the Sonicwall’s network settings)

5. Follow the setup wizard and define a WAN IP, LAN IP, and DHCP range of IPs

6. Upload the newer firmware downloaded above and boot from it

7. In the https://[Sonicwall IP Address]/diag.html screen, uncheck the box “Enforce Host Tag Search with for CFS”

8. Use the Public Server Wizard to create additional systems on the LAN that need to be publicly accessible. Note that the default WAN IP address provided in the wizard is the SonicWALL’s, but you can enter a different WAN IP; this creates a NAT policy using a new Address Object in the WAN zone

9. If more than one service needs to be visible for a system (i.e., a mail server needing 993, 587, 465, etc.), just select a single service during the wizard setup and then modify the “Service Group” that the wizard creates to include the additional services that you want visible

10. For site-to-site VPN, follow the documentation in the SonicOS Administrators guide. Typically we have found that setting the VPN policy up in Aggressive Mode works more reliably than Main Mode

Making snort a Service in Server 2008

Tuesday, April 26th, 2011

Note: For more information about the information contained in this article, contact us for a professional consultation.

Installing Snort on Windows Server 2008 is a fairly straightforward maneuver. Simply install WinPcap, then Barnyard and then Snort itself. You’ll also want to install the Snort rules available on the Snort downloads page.

Once snort is installed, it’s fairly simple to run it from the Windows Server 2008 command line. To do so, use the snort.exe that was distributed in the installer (by default it would be at c:\snort\bin\snort.exe). You can then run it in a simple form to check that the interfaces are available:

c:\snort\bin\snort.exe -W

Then, to use one of the listed interfaces, invoke it with the -i option followed by the interface number. You can also specify a custom logging location using -l and a custom configuration file using -c. This would result in something similar to the following:

c:\snort\bin\snort.exe -i 1 -l c:\snort\log -c c:\snort\etc\snort.conf

There are a lot more options, but this article is about converting it into a service. Once you’ve found a configuration that works for you manually, you can take that, throw a /SERVICE /INSTALL after the snort.exe but before the options, and voilà, you’ve converted snort into a service:

c:\snort\bin\snort.exe /SERVICE /INSTALL -i 1 -l c:\snort\log -c c:\snort\etc\snort.conf

Once snort has become a service, many will want to have it start automatically. This is possible using the sc command to configure the snortsvc to start automatically:

sc config snortsvc start= auto

And then, start her up:

sc start snortsvc

Intrusion Detection (IDS) and Prevention (IPS) solutions can be invaluable to an organization. If you would like to discuss running snort or any other IDS or IPS, please feel free to contact your 318 Professional Services Manager, or sales@318.com if you do not yet have one!

Setting Up Additional Google Apps Calendars on an iOS Device

Monday, April 18th, 2011

Syncing and Managing Additional Google Apps Calendars on your iOS Device

Google Apps allows users to easily set up multiple calendars in their account and access other users’ calendars via a web browser or a calendar client such as iCal or Outlook. Duplicating this functionality on iOS devices requires some additional configuration steps:

1. Configure your device(s) with Exchange Active Sync for your Google Apps account. See http://www.google.com/support/mobile/bin/answer.py?answer=138740&topic=14252 for instructions.
2. On your iOS device (iPad, iPhone or iPod Touch) use the Safari web browser to navigate to http://m.google.com
3. Scroll to the bottom of the page and tap the Google Apps user? button.
4. A popup will appear prompting you to Enter your Google Apps domain. Enter your domain (everything after the @ in your email address) and tap Go.
5. Sign into your Google Apps account if prompted.
6. A Google Mobile page will load, with buttons for various services. Tap the Sync button.
7. A Manage Devices page will load. Tap to select the device you would like to add/delete calendars from (i.e. your iPhone).
8. Tap to check the box next to each calendar you want to sync. Tap to uncheck any calendar you wish to stop syncing.
9. Click Save.

The calendars for which you enabled sync should now be displayed in the iOS Calendar app. You may have to tap Calendars to return to the calendar selection and turn on the additional calendars if they are not displayed immediately.

Note: these instructions differ slightly from the published Google instructions pertaining to generic Gmail accounts (primarily skipping steps 3 and 4). If you would like to set up additional calendars for your personal Gmail account, please follow the steps here: http://www.google.com/support/mobile/bin/answer.py?answer=139206

Enable AirPrint On Mac OS X Server

Monday, March 7th, 2011

Since the introduction of AirPrint in iOS version 4.2.1, a handful of shareware and freeware solutions have been introduced that allow iOS devices to use AirPrint to print documents on “unsupported” printers (namely, those printers that do not have the necessary AirPrint features built-in). This typically requires enabling printer sharing on a Mac system, as well as making a slight modification to the CUPS configuration file at /etc/cups/cupsd.conf, which the software typically does for you.

However, one of the more prominent solutions available, AirPrint Activator from Netputing.com, does not work properly on a Mac OS X Server system when following the provided instructions, which appear to be aimed at users running the non-Server version of Mac OS X. Here are the steps you can follow to get Mac OS X Server v10.6 to share printer queues to AirPrint-enabled iOS devices:

Prerequisites: Mac OS X Server v10.6.5 or later (I have only tested on 10.6.6), one or more networked or local printers, and one or more iOS devices running iOS 4.2.1

1. In the System Preferences > Print & Fax preference pane, delete all existing printer queues from the server.

2. Download AirPrint Activator from http://netputing.com/airprintactivator/ to the Mac OS X Server system from which you wish to host print queues.

3. Launch the AirPrint Activator program and slide the Activator switch to On (you will be prompted to authenticate).

4. With your favorite text editor, open the file /etc/cups/cupsd.conf

5. Locate the line that reads Browsing Off and change it to read Browsing On. Save the changes.

6. Open Server Admin and enable and Start the Print service.

7. Open the System Preferences > Print & Fax preference pane and add the printers that you wish to share, being sure to give the shared print queue a unique Sharing Name and Location. If you are only using the Print service to connect iOS devices, you may want to include “AirPrint” in the queue or location name (i.e., “AirPrint to Accounting Printer”).

8. In the Print service window, select the Queues tab and select the print queue you wish to share.

9. Enable the IPP protocol. You can enable the other protocols if you want to enable printer sharing to platforms beyond just your iOS devices.

10. Follow steps 7 through 9 with the other printers that you wish to use for AirPrint.

11. From an iOS device, open a supported document such as a PDF, JPG, or other printable file.

12. Click the box with a curved arrow pointing to the upper right to invoke the Print command.

13. Select the Printer from the menu and print your documents!

Restricting Outgoing Email To a 3rd Party SMTP Relay Host on SonicWALLs

Friday, November 12th, 2010

Oftentimes it is necessary to lock down outbound traffic to MX Logic. MX Logic can provide outbound filtering, which helps keep you from getting blacklisted while also scanning your outgoing e-mail for malware. Also, allowing only the mail server to communicate with MX Logic ensures that no rogue mail servers can send out e-mail (often done by infected devices).

This guide assumes you have already used the Wizard to set up port forwarding, firewall rules, and NAT policies for allowing the mail server to be accessed via the SonicWALL.

To Lock Down a SonicWALL’s Outbound Email to MX Logic
1. Determine what port you will be sending out on. If you are using a non-standard port, you will first need to make a custom service object on the SonicWALL for the port.
2. Create an Address Group containing the Address Objects for MX Logic:
   1. Go to Network
   2. Go to Address Objects
   3. Add Address Object
      1. Name: MX Logic 1
      2. Zone Assignment: WAN
      3. Type: Network
      4. Network: IP from MX Logic
      5. Netmask: Subnet from MX Logic
      NOTE: You will need to do this for each subnet that MX Logic offers. Name them sequentially. The address info can be found on MX Logic’s portal.
   4. Go to Address Objects
   5. Create Address Object Group
   6. Add all of your MX Logic Address Objects to the Address Object Group, and call it “MX Logic”
   7. Save all your changes.
3. Go to Firewall
4. Go to LAN to WAN
5. Click Add
6. Create a rule that allows the mail server on the LAN to send out to anywhere on the WAN:
   1. Action: Allow
   2. From Zone: LAN
   3. To Zone: WAN
   4. Service: SMTP (or whatever you named your custom one)
   5. Source: the Address Object representing your mail server
   6. Destination: MX Logic (the Address Object Group you created previously)
   7. Save your changes.
7. Create another rule to block all other outbound e-mail:
   1. Go to Firewall
   2. Go to LAN to WAN
   3. Click Add
   4. Action: Deny
   5. From Zone: LAN
   6. To Zone: WAN
   7. Service: SMTP (or whatever you named your custom one)
   8. Source: Any
   9. Destination: Any
   10. Save your changes
8. Adjust the rule order:
   1. Ensure that the MX Logic outbound rule is above the rule that blocks all other devices from sending SMTP traffic out to the Internet.
   2. Apply the changes.
NOTE: By doing this, any laptop users, or other portable device users, that may try to send email over port 25 through other servers (Gmail, Yahoo, AOL, etc.) will be DENIED by the SonicWALL.

Adding Entourage Delegated Folders in Entourage for Hosted Exchange

Tuesday, October 19th, 2010

Setting up a mail account

Adding a hosted Exchange 2007 account to Entourage must be done manually, as the auto-discover feature doesn’t work with the host’s servers. Enter the user’s general information (name and email address) as you normally would. The user name will be the user’s email address, the domain is supplied by the host, and the mail server address is /exchange/usersemailaddress@domain.tld. The server does require SSL. The public folder server is supplied by the ISP (same as the OWA path in the server address) and it uses SSL.

Adding a delegated user’s folder

When adding another user’s folder, you have to use the advanced option, because Entourage is currently accessing the server at webmail.itsgrp.com/exchange/currentloggedinuser@domain.tld, which means that Entourage will attempt to access another user’s folder at /exchange/currentloggedinuser@domain.tld/userfolderthatyouwanttoadd, which, of course, won’t work. To get around this issue, click “open another user’s folder”, click Advanced, enter the user’s full name and email address, and enter the mail server address in the following format: /exchange/usersemailaddress@domain.tld. Click OK and select the other user’s folder that you want to add.

MySQL Backup Options

Thursday, July 8th, 2010

MySQL bills itself as the world’s most popular open source database. It turns up all over, including most installations of WordPress. Packages for multiple platforms make installation easy and online resources are plentiful. Web-based admin tools like phpMyAdmin are very popular and there are many stand-alone options for managing MySQL databases as well.

When it comes to backup, though, are you prepared? Backup plug-ins for WordPress databases are fairly common, but what other techniques can be used? Scripting to the rescue!

On Unix-type systems, it’s easy to find one of the many example scripts online, customize them to your needs, then add the script to a nightly cron job (or launchd on Mac OS X systems). Most of these scripts use the mysqldump command to create a text file that contains the structure and data from your database. More advanced scripts can loop through multiple databases on the same server, compress the output and email you copies.

Here is an example we found online a long time ago and modified (thanks to the unknown author):


#!/bin/sh

# List all of the MySQL databases that you want to backup in here,
# each separated by a space
databases="database1 database2 database3"

# Directory where you want the backup files to be placed
backupdir=/mydatabasebackups

# MySQL dump command, use the full path name here
mysqldumpcmd=/usr/local/mysql/bin/mysqldump

# MySQL Username and password
# NOTE: a password given on the command line is visible to every local user
# in `ps` output for as long as the dump runs; a [client] section in a
# mode-600 option file passed via --defaults-extra-file avoids that.
userpassword=" --user=myusername --password=mypassword"

# MySQL dump options
dumpoptions=" --quick --add-drop-table --add-locks --extended-insert --lock-tables"

# Unix Commands
gzip=/usr/bin/gzip
uuencode=/usr/bin/uuencode

# Create our backup directory if not already there
mkdir -p "${backupdir}"
if [ ! -d "${backupdir}" ]
then
    echo "Not a directory: ${backupdir}"
    exit 1
fi

# Dump all of our databases, stopping if any dump fails so that a
# partial file is never compressed and mistaken for a good backup
echo "Dumping MySQL Databases"
for database in $databases
do
    if ! $mysqldumpcmd $userpassword $dumpoptions "$database" > "${backupdir}/${database}.sql"
    then
        echo "Dump failed: ${database}"
        exit 1
    fi
done

# Compress all of our backup files (removing any older .gz first)
echo "Compressing Dump Files"
for database in $databases
do
    rm -f "${backupdir}/${database}.sql.gz"
    $gzip "${backupdir}/${database}.sql"
done

# And we're done
ls -l "${backupdir}"
echo "Dump Complete!"
exit 0
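A hardened variant, added here as an example and not the script from the post: it reads the credentials from an option file (the path and its [client] contents are assumptions), checks each dump for the header and “Dump completed” trailer that mysqldump writes before compressing it, and discards anything that fails the check.

```shell
#!/bin/sh
# Added example, not the script from the post: dump each database with the
# credentials read from an option file instead of the command line, then
# verify and compress each dump before it is handed to the nightly backup.
set -eu

databases="database1 database2"
backupdir="${backupdir:-/mydatabasebackups}"
# Hypothetical option file (mode 600) holding:
#   [client]
#   user=myusername
#   password=mypassword
# Passed with --defaults-extra-file, the password never shows up in `ps`.
cnf="${cnf:-${HOME:-.}/.mysql-backup.cnf}"
mysqldumpcmd="${mysqldumpcmd:-mysqldump}"

# Sanity-check one plain-text dump: non-empty, starts with the mysqldump
# header and ends with the "Dump completed" trailer that mysqldump writes
# only when it finished; a truncated dump fails this check.
verify_dump() {
    f="$1"
    [ -s "$f" ] || return 1
    head -n 1 "$f" | grep -q '^-- MySQL dump' || return 1
    tail -n 3 "$f" | grep -q '^-- Dump completed' || return 1
    return 0
}

# Dump, verify and gzip a single database; returns non-zero on any failure
# and removes the bad file so it cannot be mistaken for a good backup.
dump_database() {
    db="$1"
    out="$backupdir/$db.sql"
    # --defaults-extra-file has to be the first option mysqldump sees
    if ! "$mysqldumpcmd" --defaults-extra-file="$cnf" \
            --quick --add-drop-table --add-locks --extended-insert --lock-tables \
            "$db" > "$out"; then
        echo "dump of $db failed" >&2
        rm -f "$out"
        return 1
    fi
    if ! verify_dump "$out"; then
        echo "dump of $db is empty or truncated" >&2
        rm -f "$out"
        return 1
    fi
    gzip -f "$out"          # replaces any older $db.sql.gz
    gzip -t "$out.gz"       # confirm the archive is intact
}

main() {
    mkdir -p "$backupdir"
    status=0
    for db in $databases; do
        dump_database "$db" || status=1
    done
    ls -l "$backupdir"
    return $status
}

# Run the backup only when invoked with "run", so the functions can be
# sourced or tested without touching a live server.
if [ "${1:-}" = run ]; then
    main
fi
```

Schedule it from cron or launchd as `backup.sh run`; a non-zero exit means at least one database has no fresh dump.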

Once you verify that your backup script is giving you valid backup files, these should be added to your other backup routines, such as CrashPlan, Mozy, Retrospect, Time Machine, Backup Exec, PresSTORE, etc. It never hurts to have too many copies of your critical data files.

To make sure your organization is prepared, contact your 318 account manager today, or email sales@318.com for assistance.

Setting Up SonicWALL’s SonicPoints

Tuesday, February 23rd, 2010

99% of this is from Page 23 of the SonicWALL Network Security Appliances – SonicPoint-N Dual-Band Getting Started Guide, the other 1% makes it worth reprinting.

Configuring Wireless Access

This section describes how to configure SonicPoints with a SonicWALL UTM appliance.

SonicWALL SonicPoints are wireless access points specially engineered to work with SonicWALL UTM appliances. Before you can manage SonicPoints in the management interface, perform the following steps:
-Configuring Provision Profiles
-Configuring a Wireless Zone
-Configuring the Network Interface

Configuring Provision Profiles
A SonicPoint Profile defines settings that can be configured on a SonicPoint, such as radio SSIDs and channels of operation.

These profiles make it easy to apply basic settings to a wireless zone, especially when that zone contains multiple SonicPoints. When a SonicPoint is connected to a zone, it is automatically provisioned with the profile assigned to that zone. If a SonicPoint is connected to a zone that does not have a custom profile assigned to it, the default profile “SonicPoint-N” is used.

To add a new profile:
1. Navigate to the SonicPoint > SonicPoints page in the SonicOS interface.
2. Click Add SonicPointN below the list of SonicPoint provisioning profiles.
3. The Add/Edit SonicPoint Profile window displays settings you can enable and/or modify.

Settings Tab:
1. Select Enable SonicPoint
2. Enter a Name Prefix to be used internally as the first part of the name for each SonicPoint provisioned
3. Select the Country Code for the area of operation

802.11n Radio Tab
1. Select Enable Radio
2. Optionally, select a schedule for the radio to be enabled from the drop-down list. The most common work and weekend hour schedules are pre-populated for selection.
3. Select a Radio Mode to dictate the radio frequency band(s). The default setting is 2.4GHz 802.11n/g/b Mixed.
4. Enter an SSID. This is the access point name that will appear in clients’ lists of available wireless connections.
5. Select a Primary Channel and Secondary Channel. You may choose AutoChannel unless you have a reason to use or avoid specific channels.
6. Under WEP/WPA Encryption, select the Authentication Type of your wireless network. SonicWALL recommends using WPA2 as the authentication type.
7. Fill in the fields specific to the authentication type that you selected. The remaining fields change depending on the selected authentication type.
8. Optionally, under ACL Enforcement, select Enable MAC Filter List to enforce Access Control by allowing or denying traffic from specific devices. Select a MAC address object group from the Allow List or Deny List to automatically allow or deny traffic to and from all devices with MAC addresses in the group. The Deny List is enforced before the Allow List.

Advanced Tab:
Configure the advanced radio settings for the 802.11n radio. For most 802.11n advanced options, the default settings give optimum performance. For a full description of the fields on this tab, see the SonicOS Enhanced Administrator’s Guide.

Configuring a Wireless Zone

You can configure a wireless zone on the Network > Zones page. Typically, you will configure the WLAN zone for use with SonicPoints.

To configure a standard WLAN zone:
1. On the Network > Zones page in the WLAN row, click the icon in the Configure column.
2. Click on General tab.
3. Select the Allow Interface Trust setting to automate the creation of Access Rules to allow traffic to flow between the interfaces within the zone, regardless of which interfaces the zone is applied to. For example, if the WLAN Zone has both the X2 and X3 interfaces assigned to it, selecting the Allow Interface Trust checkbox on the WLAN Zone creates the necessary Access Rules to allow hosts on these interfaces to communicate with each other.
4. Select the check boxes for the security services to enable on this zone. Typically, you would enable Gateway Anti-Virus, IPS, and Anti-Spyware (IF YOU HAVE THE LICENSES). If your wireless clients are all running SonicWALL Client Anti-Virus, select Enable Client AV Enforcement Service.
5. Click on the Wireless Tab.
6. Select Only allow traffic generated by a SonicPoint to allow only traffic from SonicWALL SonicPoints to enter the WLAN Zone interface. This provides the maximum security on your WLAN.
7. Optionally, click the Guest Services tab to configure guest Internet access solely, or in tandem with secured access. For information about configuring Guest Services, see the SonicOS Enhanced Administrator’s Guide.
8. When finished, click OK.

Configuring the Network Interface

Each SonicPoint or group of SonicPoints must be connected to a physical network interface that is configured for Wireless. SonicOS by default provides a standard wireless zone (WLAN), which can be applied to any available interface.

To configure a network interface using the standard wireless (WLAN) zone:
1. Navigate to the Network > Interfaces page and click the Configure button for the interface to which your SonicPoints will be connected.
2. Select WLAN for the Zone type.
3. Select Static for the IP Assignment.
4. Enter a static IP Address in the field. Any private IP is appropriate for this field, as long as it does not interfere with the IP address range of any of your other interfaces.
5. Enter a Subnet Mask.
6. Optionally, choose a SonicPoint Limit for this interface. This option helps limit resources on a port-by-port basis when using SonicPoints across multiple ports.
7. Optionally, choose to allow Management and User Login mechanisms if they make sense in your deployment. Remember that allowing login from a wireless zone can pose a security threat, especially if you or your users have not set strong passwords.

Verifying Operation

To verify that the SonicPoint is provisioned and operational, navigate to the SonicPoint > SonicPoints page in the SonicOS management interface. The SonicPoint displays an “operational” status in the SonicPointNs table.

Connect to Wi-Fi and ensure that you can browse the Internet.

Preparing for Exchange 2007

Wednesday, January 27th, 2010

Make sure you have a fully updated Windows 2008 64-bit install set up for the following commands to work. Note that Windows 2008 R2 will NOT work with Exchange 2007.

Exchange 2007 has a lot of prerequisites that need to be installed before you can install Exchange 2007. Instead of going through a bunch of Wizards and using trial and error to make sure you have everything installed, you can set them up using a command line.

The first command that should be run is:

ServerManagerCmd -i PowerShell

This will install and configure everything that Exchange 2007 needs for PowerShell.

IIS has several components that need to be installed to use Exchange 2007. You can create a quick batch script that includes them all. The following commands need to be run:

ServerManagerCmd -i Web-Server
ServerManagerCmd -i Web-ISAPI-Ext
ServerManagerCmd -i Web-Metabase
ServerManagerCmd -i Web-Lgcy-Mgmt-Console
ServerManagerCmd -i Web-Basic-Auth
ServerManagerCmd -i Web-Digest-Auth
ServerManagerCmd -i Web-Windows-Auth
ServerManagerCmd -i Web-Dyn-Compression

If you plan on using RPC over HTTP (Outlook Anywhere) you will need to run this command after all of the IIS commands have finished:

ServerManagerCmd -i RPC-over-HTTP-proxy

After running these commands you should be ready to run the actual setup files. When you run setup.exe you should see that everything before option 4 is greyed out. Option 4 is what triggers the install. If anything has not finished, look through the command-line output to make sure no errors have shown up.

Installing The Taxi Script in Microsoft Entourage

Friday, January 15th, 2010

1. Get to the Taxi Login screen. This comes up when you start Taxi initially.

2. From the Scripts menu select Install Entourage Action Scripts.

3. Find the Taxi Actions script file in ~/Documents/Microsoft User Data/Entourage Script Menu Items and open it with Script Editor. Click the Compile button and save it. Quit Script Editor.

4. Quit and relaunch Entourage. It should now recognize the script and respond to commands issued by Taxi.

Note: The Taxi script places drafts of e-mails in the local Drafts folder, not the IMAP Drafts folder.

Installing Zenoss

Wednesday, December 30th, 2009

To monitor a device over the WAN, there needs to be a one-to-one firewall rule allowing SNMP traffic from the WAN to the device on the LAN. For multiple devices, each device will need a dedicated WAN IP with its own firewall rule. SNMP runs on UDP port 161.

Install the SNMP service from Windows Components (this will require the I386 directory for the .dll files).
Download and install the additional SNMP .dll files provided by SNMP Informant, http://www.snmp-informant.com
Once installed, right click on SNMP, click Properties and go to the Agent tab:
Contact: (e.g. support@318.com)
Location: (e.g. 830 Colorado Ave. Santa Monica, CA)
Check all of the services listed below that
Move to the next tab, Traps:
Community Name: (e.g. 318zenoss)
Click Add to list
Then click Add and enter the Zenoss server address
Move to the next tab, Security:
Make sure Send authentication trap is checked
Add community name 318zenoss as READ ONLY
And check Accept SNMP packets from any host
Click Apply and OK

Restart the Service.

Add two firewall rules allowing traffic from the device (LAN) to the WAN address of the Zenoss server.

Next, add the device in Zenoss:
Log in as user
Click Add Device
Enter the device’s WAN IP address for Device Name
SNMP Community: 318zenoss
Select the Server Class:
/Servers/Windows – Windows Server
/Servers/Darwin – Mac Server
/Servers/Unix – Linux/Unix Server

Add or select Location Path

Add Or Select Client Name as Location

Select Your Team As Group

Setup HP OfficeJet Printers Using Terminal Services

Wednesday, September 9th, 2009

Oftentimes remote users have Officejet printers and would like them redirected in Terminal Services. Prior to the new version of Remote Desktop, this was difficult to do. Most times, the user had to lose functionality locally on their printer in order to get this to work. With the latest version of Remote Desktop for Windows (version 6), this is no longer an issue. The printer will redirect as it’s supposed to. The following are the steps to successfully accomplish this.

1. Download the drivers. You must ensure the server has the drivers before redirection will take place. You can open up the printer control panel, and open up the print server properties from there and search for the driver. If the driver is not there, you must install it. If, for example, HP does not have just the driver, but the entire install suite, install only the printer portion, and choose the option to install even though the printer is not plugged in (sometimes this will require that the server be rebooted). Open up the print server menu from the printer control panel again, and confirm the printer is there.

2. Ensure the remote client is using Windows XP SP2, if they are not at SP2, they will not be able to upgrade Remote Desktop to version 6. Once you have ensured that they are running SP2, have the user go to: http://support.microsoft.com/kb/925876 and select the appropriate version for their OS. It will then ask the user to validate their version of Windows. Once this is done, install the new version of Remote Desktop and test. They should be good to go now.

New Video on System Image Utility in Snow Leopard

Tuesday, September 1st, 2009

Now that NetRestore has been moved into Mac OS X Server (kinda), we have created a new video on creating a NetRestore image for Snow Leopard.

Changing File Types in Windows Server 2008 Terminal Services

Tuesday, June 23rd, 2009

Changing file types in terminal services 2008 is not like in 2003. The following steps consist of installing a program and manually changing file type associations on the server globally.

In older versions of terminal services, you would install a program under control panel for terminal services. You may notice that when you try to do this through a remote desktop session when logged in as administrator, that you are not able to do so.

Installing an application:
1. Open up a command prompt
2. Type in change user /install
3. Go to control panel, and switch to Control Panel Home
4. Click on Programs
5. Install Programs for Terminal Services

Changing file types:
1. Open up a command prompt
2. Type in change user /install
3. Go to control panel, and switch to Control Panel Home
4. Click on Programs
5. Click on the link to change filetypes (this’ll change them globally).

Once you’re done, do the following to put the user account back into regular mode:
1. Open a command prompt
2. Type in change user /execute

iPhone Tethering How-to

Thursday, June 18th, 2009

You can now tether your computer to the iPhone. The iPhone tethering option is available here (amongst other locations). Once downloaded, run a quick defaults command (I know, I sure do use a lot of defaults commands on this site), writing a boolean value into the com.apple.iTunes domain for carrier-testing:

defaults write com.apple.iTunes carrier-testing -bool true

Once you’ve done that go into restore mode in iTunes (option-click the Restore button) and choose the ipcc file you just downloaded.

Alternatively you can just click on this link from your iPhone to run through a quick generator to enable tethering. Doing so will generate a property list file with a .mobileconfig extension, similar to what you create in the iPhone Configuration Utility (if you’re like me you’ll want to see what this thing is doing before you cut it loose). Because the file is compatible with the iPhone Configuration Utility, you can actually download it onto your computer and double-click on it to add it into the iPhone Configuration Utility library and see which keys the payload will install. You can also open it with your favorite plist-friendly editor and view the keys directly.
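One way to look at those keys from a shell before installing the profile, added here as an example and not part of the original post: a POSIX sh/awk listing of every Payload* key in a .mobileconfig, run on a constructed sample profile whose payload types and identifiers are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: list the Payload* keys of a
# .mobileconfig profile so you can see what it installs before loading it.
# A profile is an XML property list; this reads the scalar value that
# follows each <key>Payload...</key> with awk only, so it works on a stock
# Mac or Linux box without plutil.

# Print "key=value" for every Payload* key whose value is a string, integer
# or boolean. Keys whose value is a nested dict/array are skipped.
list_payload_keys() {
    awk '
        /<key>Payload/ {
            k = $0; sub(/.*<key>/, "", k); sub(/<\/key>.*/, "", k)
            rest = $0; sub(/.*<\/key>/, "", rest)
            if (rest !~ /</) next        # value is on the following line
            $0 = rest                    # value is on the same line as the key
        }
        k != "" {
            if ($0 ~ /<true\/>/)       v = "true"
            else if ($0 ~ /<false\/>/) v = "false"
            else if (match($0, /<(string|integer)>[^<]*<\/(string|integer)>/)) {
                v = substr($0, RSTART, RLENGTH)
                sub(/^<[a-z]*>/, "", v); sub(/<\/[a-z]*>$/, "", v)
            } else { k = ""; next }      # value is a container, not a scalar
            printf "%s=%s\n", k, v; k = ""
        }' "$1"
}

# Count the payloads a profile carries: one PayloadType per payload dict,
# plus the outer PayloadType=Configuration of the profile itself.
count_payloads() {
    list_payload_keys "$1" | grep -c '^PayloadType=' || :
}

# Constructed sample profile (not a real carrier-issued one); the payload
# types and identifiers are placeholders.
write_sample_profile() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.example.carrier-settings</string>
      <key>PayloadIdentifier</key><string>com.example.tether.carrier</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
  </array>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadIdentifier</key>
  <string>com.example.tether</string>
  <key>PayloadRemovalDisallowed</key>
  <false/>
  <key>PayloadDisplayName</key>
  <string>Tethering (constructed sample)</string>
</dict>
</plist>
EOF
}

# Usage: inspect.sh some.mobileconfig; with no argument the sample is used.
if [ -n "${1:-}" ]; then
    list_payload_keys "$1"
else
    sample=$(mktemp)
    write_sample_profile "$sample"
    list_payload_keys "$sample"
    rm -f "$sample"
fi
```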

Setting Up SonicWALL High Availability Pairs

Friday, May 29th, 2009

Prerequisites
1. They MUST be the same model
2. Make sure that if you need Stateful High Availability that you have the license for it (only Primary SonicWALL needs to be licensed)
3. Make sure that if the client wants support for both SonicWALLs that they purchase support for the Backup SonicWALL as well.
4. Register and associate the Primary and Backup SonicWALLs as a High Availability pair on mysonicwall.com
5. Physically label the SonicWALLs
6. On the back of each SonicWALL make note of the Serial Number.
7. Ensure you have two (2) Ethernet cables coming off of the LAN (one for each SonicWALL)
a. Adjust the Spanning Tree protocol if it’s being used on the switch to FAST.
8. Ensure that you have a crossover cable for X8 on NSA 240s (this is for the heartbeat between the two units)
9. Ensure that you have a dumb switch for the WAN, and two (2) Ethernet cables (one for the primary, one for the secondary).
10. Ensure that you have two (2) LAN IP addresses that you can give to the SonicWALLs for monitoring
11. DON’T connect the SonicWALLs together yet

Setup
1. Register both SonicWALLs online
2. Register both SonicWALLs as an HA Pair
a. Go to www.mysonicwall.com
b. Go to the Backup SonicWALL
c. At the bottom of the licensing, look for HF or Hardware Failover
d. Enter in the requested information (name, and serial number)
e. On the “Service Management – Associated Products” page confirm that the registration was successful, then scroll to the bottom to see the Associated Products and click either HA Primary or HA Backup to display the unit that is now associated with your newly registered SonicWALL.
f. (OPTIONAL) Register Stateful HA on the Primary SonicWALL if you have the license.
3. Power on Primary SonicWALL and enter in LAN and WAN information
4. Connect LAN and WAN to SonicWALL (DO NOT CONNECT CROSSOVER CABLE)
5. Activate Primary SonicWALL (login to the Primary SonicWALL and register it when you get it online).
6. Load up new firmware on Primary SonicWALL (this’ll take up to 5 minutes)
7. Disconnect Primary SonicWALL from LAN and WAN once you’ve confirmed that the unit is now registered.
8. Power on Backup SonicWALL and enter in LAN and WAN information same as Primary and connect to LAN and WAN (DO NOT CONNECT CROSSOVER CABLE)
9. Activate Backup SonicWALL (login to the Primary SonicWALL and register it when you get it online).
10. Load up new firmware on Primary SonicWALL. (this’ll take up to 5 minutes)
11. Disconnect Backup SonicWALL from LAN and WAN once you’ve confirmed that the unit is now registered.
12. Power on and connect Primary SonicWALL
13. Create all necessary firewall/security rules on the Main Unit
14. Create a Backup of your settings

Configuring HA
1. Login to Primary SonicWALL
2. Go to “High Availability”
3. Go to “Settings”
4. Select Enable High Availability checkbox
5. Enter in Serial number of Backup SonicWALL
6. Click Accept
7. Go to “High Availability” > “Advanced”
8. Leave all values the same in the fields
9. Select the following:
Enable Preempt Mode
Enable Virtual MAC
10. Save your settings

Connecting the HA units
1. Make sure both devices are turned on
2. Connect a LAN cable to X0 on each SonicWALL device
3. Connect a WAN cable to X1 on each SonicWALL device
4. Connect the crossover cable to the HA reserved port (X8 if it’s an NSA 240)
5. Login to the Primary SonicWALL
6. Go to “High Availability” > “Settings” and keep clicking on refresh until:
a. The status at the top right is Active
b. “Primary Status” is enabled
c. Dedicated HA Link is connected
d. “Found backup” is Yes
e. “Settings Synchronized” is Yes
f. OPTIONAL make sure anything that says “Stateful” is at “yes”
7. Review the logs to ensure that there are NO errors with licensing. If found, errors with licensing will occur in the logs every 10 minutes. If you find errors in the licensing, wipe everything out, and reapply the firmware.

Configuring Monitoring of HA Devices
1. Login to Primary SonicWALL
2. Go to “High Availability” > “Monitoring”
3. Find X0 (the LAN) and click to configure it
4. Enable Physical Monitoring
5. Enter in a LAN IP address for each device that you reserved in the Prerequisite steps (Primary = Primary Unit; Backup = Backup Unit).
6. Attempt to manage both SonicWALLs from their respective HA IP addresses. NOTE: The HA LAN management IP addresses are only used for management and CANNOT be used as a gateway for traffic.

Finish
1. Backup all of the settings from the Primary SonicWALL and Secondary SonicWALL (via HA LAN management IP address)

Using Symantec’s Backup Exec With External Hard Drives

Tuesday, May 5th, 2009

This assumes that you’ve already installed Backup Exec, and licensed it appropriately.
This assumes that all parties understand the expected backup retention policies, as well.

Preparing Backup Drives
1. Unpack Backup Drives
2. Plug both of them in
3. Note the drive letter assigned to them (this drive letter will now be forever associated with that drive).
4. Ensure the drive is formatted with NTFS; if not, back up the info on the hard drive, format it, and label it appropriately
NOTE: You want to back up the info on the new external drive because oftentimes there will be utilities on there that are not present on the CD that the drive came with, or available from the manufacturer’s website.

Preparing Devices
1. Open Backup Exec
2. Navigate to Devices
3. Right mouse click on Removable Backup-to-Disk Folders
4. Select Backup-to-Disk Wizard
5. Click Next
6. Select Create a new backup-to-disk folder
7. Select Removable backup-to-disk folder
8. Name it (remember the name)
9. Select a path (this is just the drive name [ex. F:])
10. Follow the rest of the steps
NOTE: You will need to do this for each drive.

Preparing Media
NOTE: This is a critical step. If you don’t do this, chances are that the media you’re writing to will not allow you to overwrite it, even if you told it to do so in your Job properties. As a general rule, remember that device properties trump job properties.
1. Go to the Media tab, Right mouse click on Media Set
2. Select New Media Set
3. Give it a name (remember the name)
4. Ensure that “Overwrite protection period” is set to: Infinite – Don’t Allow Overwrite
NOTE: This is in my opinion bad grammar that’s been carried along from version to version. What this setting does is DISABLE overwrite protection. This means that there is no overwrite protection – i.e., you can write over the drive as many times as you please.
5. For “Append Period”, ensure that it is set to “Infinite – Allow Append”. Backup Exec interprets this as “I will allow you to append as many times as you please because there is no period to stop appending”.
6. Set Vault rules to None

Creating a Job
1. Go to the Job Setup tab
2. On the left pane, under the Backup Tasks window, select “New job using wizard”
3. Select “Create a backup job with custom settings”
4. Select the resources you would like to backup
5. Test the logon account
6. Select the order of backup
7. Name the backup, and the backup set
8. Choose the device you’d like to backup the data to (The All Devices pool).
NOTE: You will in most cases want to select “all devices”. This will tell Backup Exec to go to all devices and then select the one that’s available to backup to. If you have a tape drive that’s been deprecated, then you want to disable the tape drive under “Devices”, but still point the job to all devices. It will then backup to the drive that’s plugged in. This will allow for external drive rotation with the least amount of user intervention. If you have more than one “online” device, then you want to create a new “device pool” under “Device” and add your two “backup-to-disk” folders within that new pool.
9. Select the media set you’d like to backup the data to (the new media set you created).
10. For Backup Overwrite Method, please select “Append to media, overwrite if no appendable media is available”. What this will do is backup to the drives for as long as the drives say per your Media selection, and if there’s no room, it will overwrite.
11. Choose your backup options. Depending on the time it takes to backup, you will want to adjust this. With the size of external hard drives nowadays, I don’t see any other reason why you’d want to stray from Full Backups. If the backups are under 100GB and you have 1TB drives, go ahead and choose full backups (at the speed of USB 2.0 or greater this will most likely only take about 4-5 hours). This will make it easier for restores in an offsite rotation scenario, managing jobs in the long run, and give you ~8 days worth of backups.
12. Always select it to verify backups
13. Schedule the job to run later
14. For the schedule, you would usually want to choose Recurring Week Days, and select the days you want it to backup per your conversation with the client.
15. For the Time Window, select what time you’d like the backup to start.

Adjusting Alerts
1. Go to Tools > Alert Categories
2. For “Media Insert”, and “Media Overwrite”, ensure that you select “Automatically clear alert after” 2 Minutes (or whatever you want), and Respond with “Yes”
NOTE: IMPORTANT If you don’t do this, Backup Exec will actually wait FOREVER (literally) for someone to manually acknowledge the alert by clicking Yes, No, or Cancel. It will always pop an alert because it’s hitting a pool to search for available media. By responding with Yes, it will now begin to Overwrite and/or use the device and media that you have selected the job to use.

Testing Job
1. Unplug one of the drives
2. Manually Run the Job
3. Verify that the job has run successfully and note what problems you have run into, and correct or note as necessary
4. Run the Job AGAIN on the same drive. Ensure that it runs and appends to the drive. This will prove that the drive can be written to and is not “locked” due to an incorrect setting on the job or media.
5. Unplug the tested drive
6. Run steps 2-4 on the other drive to ensure that everything is OK.
7. Run a test restore
8. You can now leave one of the drives onsite, and take another with you or leave it with the client. You can now assure the client that they now have good backups (one onsite, and one that’s going offsite), and that you’ve thoroughly tested the backups and also performed a test restore.

Wrap up
1. Note any false positives in notes for the client (for backup troubleshooting in the future)
2. Update the Backup section for the client in notes.
3. Even if there was no BEV, send a BEV out saying that they now have a backup system in place.

ESX Patch Management

Tuesday, April 14th, 2009

VMware’s ESX Server, like any system, needs to be updated regularly. To see what patches have been installed on your ESX server use the following command:

esxupdate -query

Once you know what updates have already been applied to your system, it’s time to go find the updates that still need to be applied. You can download the updates that have not yet been run at http://support.vmware.com/selfsupport/download/. Here you will see a bevy of information about each patch and can determine whether you consider it an important patch to run. At a minimum, all security patches should be run as often as your change control environment allows. Once downloaded, make sure you have enough free space to install the software you’ve just downloaded, then copy the patches to the server (using ssh, scp or whatever tool you prefer to use to copy files to your ESX host). Now extract the patches prior to running them. To do so, use the tar command, as follows:

tar xvzf .tgz

Once extracted, cd into the patch directory and then use the esxupdate command with the update flag and then the test flag, as follows:

esxupdate --test update

Provided that the update tests clean, run the update itself with the following command (still with a working directory inside the extracted tarball from a couple of steps ago):

esxupdate update

There are a couple of flags that can be used with esxupdate. Chief amongst them are --noreboot (which doesn't reboot after a given update) and -d, -b and -l (which are used for working with bundles and depots).

If esxupdate fails with an error code, the code can be cross-referenced in the ESX Patch Management Guide.

You can also run patches without copying the updates to the server manually, although this will require you to know the URL of the patch. To do so, first locate the patch number that you would like to run. Then, open outgoing ports on the server as follows:

esxcfg-firewall -allowOutgoing

Next, issue the esxupdate command with the path embedded:

esxupdate --noreboot -r http:// update

Once you’ve looped through all the updates you are looking to run, lock down your ESX firewall again using the following command:

esxcfg-firewall -blockOutgoing
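The whole sequence above (check free space, extract, dry-run with --test, apply with --noreboot, and for the URL form open and then re-block outgoing firewall access) as an added shell script. This is an example written for this page, not VMware's or 318's code. It assumes the esxupdate and esxcfg-firewall invocations are exactly as shown in the post, that each patch tarball extracts into a single top-level directory, and that the tool paths can be overridden through the ESXUPDATE and ESXCFG_FIREWALL variables so the control flow can be exercised with stand-in commands off an ESX host. The point to notice is that the firewall is re-locked on every path out of the remote run, including a failed update or an interrupt, rather than only after the happy path.

```shell
#!/bin/sh
# Added example for this page (not VMware's or the post author's code).
# Drives esxupdate over a batch of patches: dry-run first, apply without
# rebooting, and guarantee the firewall is re-locked after a remote run.
# Assumptions: command names/flags as shown in the post; each .tgz extracts
# into one top-level directory; tool paths overridable for off-host testing.

ESXUPDATE="${ESXUPDATE:-esxupdate}"                   # assumed in PATH on the host
ESXCFG_FIREWALL="${ESXCFG_FIREWALL:-esxcfg-firewall}"
WORKDIR="${WORKDIR:-/var/updates}"                    # assumed staging directory

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >&2; }

# Re-block outgoing traffic (the post's final lockdown step).
lock_firewall() {
    "$ESXCFG_FIREWALL" -blockOutgoing
}

# Refuse to stage a tarball unless the staging filesystem has at least three
# times its size free (archive plus extracted tree, a deliberately rough margin).
has_room_for() {
    tgz=$1
    need_kb=$(( $(du -k "$tgz" | cut -f1) * 3 ))
    free_kb=$(df -Pk "$WORKDIR" | awk 'NR==2 {print $4}')
    [ "${free_kb:-0}" -ge "$need_kb" ]
}

# Extract one patch tarball into WORKDIR and print the directory it created.
extract_patch() {
    tgz=$1
    top=$(tar tzf "$tgz" | head -n 1 | cut -d/ -f1)
    [ -n "$top" ] || return 1
    tar xzf "$tgz" -C "$WORKDIR" || return 1
    printf '%s\n' "$WORKDIR/$top"
}

# Dry run first; only if it passes, apply for real. --noreboot lets a batch
# of patches go on with a single reboot at the end instead of one per patch.
apply_patch_dir() {
    dir=$1
    ( cd "$dir" && "$ESXUPDATE" --test update ) || { log "test failed in $dir, skipping"; return 1; }
    ( cd "$dir" && "$ESXUPDATE" --noreboot update )
}

# Apply every .tgz named on the command line; non-zero if any patch failed.
apply_local_patches() {
    status=0
    mkdir -p "$WORKDIR" || return 1
    for tgz in "$@"; do
        if ! has_room_for "$tgz"; then
            log "not enough free space for $tgz"; status=1; continue
        fi
        dir=$(extract_patch "$tgz") || { log "could not extract $tgz"; status=1; continue; }
        apply_patch_dir "$dir" || status=1
    done
    return $status
}

# The post's -r form: fetch straight from a repository URL. Outgoing access is
# opened only for the run and closed again on every exit path, including an
# interrupt (trap) and a failed update.
apply_remote_patches() {
    status=0
    trap 'lock_firewall; exit 130' INT TERM
    "$ESXCFG_FIREWALL" -allowOutgoing || return 1
    for url in "$@"; do
        "$ESXUPDATE" --noreboot -r "$url" update || status=1
    done
    lock_firewall || status=1
    trap - INT TERM
    return $status
}

case "${1:-}" in
    --local)  shift; apply_local_patches "$@" ;;
    --remote) shift; apply_remote_patches "$@" ;;
esac
```

Usage on the host would be `sh patch.sh --local /var/updates/*.tgz` or `sh patch.sh --remote <patch URL>...`, followed by one reboot once the batch reports success.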

New article on Xsan Scripting by 318

Saturday, April 11th, 2009

318 has published another article on Xsanity, on scripting various notifications and monitors for Xsan, packaged up into a nice package installer. You can find it here: http://www.xsanity.com/article.php/20090407150134377.

Setting Up Folders and Rules in Outlook

Friday, April 10th, 2009

In Outlook, to create a new folder, right-click on Mailbox – Username on the left side and select New Folder. Type FooBar E-mail as the Name. For "Folder Contains", choose Mail and Post Items (which should be the default).

Now that the folder exists, a rule needs to be set up so that all e-mail addressed to the swpinvest.com e-mail address goes into it. Go to Tools, then Rules and Alerts, and click New Rule. Select "Move messages from someone to a folder" and click Next. Uncheck anything that is currently checked, then check "with specific words in the recipient's address". In the lower window, click the blue text that says "specific words"; another box will pop up. In the top thin box, type the user's FooBar.com e-mail address and click Add. If they have any aliases, add those as well. Click OK when done. Now click "specified folder"; in the window that appears, find the FooBar folder created earlier, highlight it and click OK. Once the blue highlighted words are correct, click Finish.

Now any e-mail arriving at the new Exchange server addressed to the user's FooBar.com address will be directed into that folder.

Terminal Server 2008 Load Balancing

Thursday, February 12th, 2009

Load balancing is fairly straightforward in Microsoft Windows Terminal Server 2008. Before you get started you'll need multiple terminal servers, a Windows 2008 Active Directory environment and a centralized location to store your user profiles.

When Terminal Servers are set up with load balancing and redirected profiles, no single terminal server should get overloaded by users while another sits idle. When a user tries to connect, the master terminal server checks the load on each of the servers and logs the user into the one with the least load. Since redirected profiles are set up, every user that logs in will have all of their desktop items, Documents folder and pretty much everything else they need. The user does not even need to know that they are on a different terminal server than the one they logged into last time.

To set up Terminal Server load balancing, first verify that you meet the prerequisites: centralized home folder storage, Active Directory 2008 and multiple terminal servers. Then install the Terminal Server Session Broker service on each of the servers. On one of the servers, add all of the terminal servers to the session directory group under Local Users and Groups; you only need to do this on one server and the change will replicate.

Next, set up a DNS alias and associate the IP addresses of all the terminal servers with it. Once complete, an nslookup on that alias should return every IP address you entered.

Then make some changes to Group Policy. It appears that you must have a 2008 Domain Controller with the most upgraded schema to do this. Go to Computer Settings -> Policies -> Administrative Templates -> Windows Components -> Terminal Services -> Terminal Server -> TS Session Broker. Here, put the name of the alias under Configure TS Session Broker Farm Name and the name of the main terminal server under Configure TS Session Broker name. Also enable Join TS Session Broker and Use TS Session Broker Load Balancing. Once that is set, save the Group Policy Object (GPO) and link it to the Organizational Unit (OU) that holds the terminal servers.

Once your group policies are in place you can focus on making the lives of your users a bit easier by enabling redirected user profiles. First, you will need a place to put all of the user profiles. Then move all of the users that need to access the terminal servers into a new Organizational Unit, create a new Group Policy Object and enable folder redirection. To do so, go to User Configuration -> Policies -> Windows Settings -> Folder Redirection. Here, enable each folder redirection policy that you feel the users in the organization will need (this is different for everyone and can require a little testing to get right). While there are a lot of choices to consider at first, AppData, Desktop and My Documents are the most standard ones and a great starting point. The Basic setting is what you will most likely want to use; then just put in the root path to your profile share. It will show you an example of where everything will be stored, and you should verify that the user names and the folders you created on the network share are the same.

Once every user can log into any of the terminal servers and get exactly the same environment, you are mostly done. With load balancing set up in 2008, one terminal server being overused is no longer something you need to worry about: once the cluster is set up, the master terminal server takes care of the rest.

Xsanity article on Configuring Network Settings using the Command Line

Tuesday, February 10th, 2009

We have posted another article to Xsanity on "Setting up the Network Stack from the Command Line". An excerpt from the article follows:

Interconnectivity with Xsan is usually a pretty straightforward beast. Make sure you can communicate in an unfettered manner on a house network, on a metadata network and on a fibre channel network and you're pretty much good to go. One thing that seems to confuse a lot of people when they're first starting out is how to configure the two Ethernet interfaces. We're going to do two things at once: explain how to configure the interface and show how to automate that configuration from the command line so you can quickly deploy and then subsequently troubleshoot issues you encounter from the perspective of the Ethernet networks.

View the full article here.

Using Selectors With Retrospect

Wednesday, February 4th, 2009

Retrospect has a filtering system based on selectors. This document reviews the specifics of developing these selectors.

Each script created in Retrospect has the option to filter the file selection. This can be done with a pre-existing selector or with a custom filter created just for that script.

We will be creating a new saved selector.

In Retrospect 6.1 for Mac, navigate to the Special tab of the primary Retrospect window.
- Press the Selectors button
A window will open listing all of the existing selectors. You can choose to create a new one or edit existing ones.
- Press New

You will be prompted to name the selector; any name will do.
You will then be presented with simple Include and Exclude selector sections.

Include: By default this is empty, which means everything in the source is included. By adding conditions to this section you exclude everything BUT the selections you choose. This is often used with source groups to limit the backed-up directories to /Users.

Exclude: After the Include rules populate the list of files to be backed up, the Exclude list is applied to remove the files its logic matches.
This is used to exclude files that are not important or would eat up too much backup space; music files and cache files are the usual cases.

Logic: The filtering mechanism lets you select or exclude files based on the following criteria:

- Date
- File Kind (HFS file types)
- Flags (HFS file flags)
- Labels (HFS label colors)
- Backup Client Name (as found in the client list of Retrospect)
- File / Folder Name
- Sharing Owner Name
- Volume Name
- Pre-existing selector in Retrospect
- Size of File or Folder
- Special Folders (Mac OS reserved folders)
- UNIX (file permissions or special files such as symbolic links or pipes)

You will see that there are quite a number of Mac-specific selectors here and no Windows-specific ones; Retrospect 6.1 for Mac is very one-sided. Using these selectors you can create inclusions and exclusions with logic to refine your backup or restore policy. Once you have the selector set up the way you would like, save it and then choose this new selector in your backup scripts.
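To make the include-then-exclude ordering concrete, here is an added shell stand-in (not Retrospect's own matcher, and not code from the original post) that applies a selector to a list of paths, such as the output of `find / -type f`, so a policy can be previewed before it is trusted with a backup. It assumes shell globs against the full path as the matching rule and uses a small constructed file listing as input; the empty-Include case (everything is selected) is handled the way the text above describes.

```shell
#!/bin/sh
# Added example: include-then-exclude selector logic as a shell filter.
# Not Retrospect's code; glob-on-full-path matching is an assumption made
# here for illustration. Paths come in on stdin, one per line.

# matches_any PATH "GLOB1 GLOB2 ..." -> exit 0 if PATH matches at least one glob.
# Globbing is switched off (set -f) while the pattern list is split so the
# shell does not expand "/Users/*" against the real filesystem.
matches_any() {
    path=$1
    found=1
    set -f
    for pat in $2; do
        case "$path" in $pat) found=0; break ;; esac
    done
    set +f
    return $found
}

# select_files "INCLUDE GLOBS" "EXCLUDE GLOBS"
# Step 1 (Include): an empty list means everything in the source; otherwise only
#         paths matching an include glob make the list, so everything BUT the
#         selection is dropped.
# Step 2 (Exclude): applied to the list step 1 produced, removing matches.
select_files() {
    include=$1
    exclude=$2
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if [ -n "$include" ] && ! matches_any "$path" "$include"; then
            continue
        fi
        if [ -n "$exclude" ] && matches_any "$path" "$exclude"; then
            continue
        fi
        printf '%s\n' "$path"
    done
}

# Constructed sample listing standing in for "find / -type f" output.
SAMPLE_PATHS='/Users/alice/Documents/report.doc
/Users/alice/Music/track.mp3
/Users/alice/Library/Caches/com.example/blob
/Users/bob/Desktop/notes.txt
/Applications/Mail.app/Contents/MacOS/Mail
/System/Library/Frameworks/Foo.framework/Foo'

# Preview helper: how many of the sample paths a selector would back up.
preview_count() {
    printf '%s\n' "$SAMPLE_PATHS" | select_files "$1" "$2" | wc -l | tr -d ' '
}

# Typical /Users-only policy that drops music and caches:
#   printf '%s\n' "$SAMPLE_PATHS" | select_files '/Users/*' '*.mp3 */Caches/*'
```

Feeding a real `find` listing through `select_files` with the same include and exclude patterns as the Retrospect selector is a cheap way to catch an exclusion that is broader than intended (an `*` that also swallows a Documents folder, say) before the first backup runs.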

Retrospect 7.6 for Windows: Versions 7 through 7.6 are Windows only; we will cover the most recent, 7.6 for Windows.

The interface of the Windows version differs in where the buttons are located, but the names are generally the same.
Instead of tabs across the top, the Windows version has a vertical list of links in a sidebar on the left. From that list, select the "Configure" link near the bottom. This exposes a list that includes "Selectors".

The selector mechanism is similar to that of Retrospect 6.1. The selector window shows a list of pre-created selectors, with the option to edit existing selectors or create new ones. The selectors are organized into inclusion and exclusion.

Logic: the arrangement of selectors is slightly different. The options are grouped into separate sections:

Universal:
- Attributes
- Client Name
- Date
- File System
- Login Name
- Name
- Selector
- Size
Windows:
- Attributes
- Date
- Drive Letter
- Path
- Special Folders
Mac OS X:
- Attributes
- File Kind
- Label
- Path
- Permissions
- Special Folders
UNIX:
- Attributes
- Date
- Path
- Permissions
NetWare:
- Date
- Path
MailBox:
- Sender

This arrangement separates the supported client types, with selectors specific to the client in question. Otherwise the logic is the same: include filters create the file list and exclude logic removes files from it. Once the new selector is created it can be selected within any available script.

Retrospect 8
Retrospect 8 (as of beta 5) calls selectors "rules", and only supports the use of rules. You cannot create a custom filter for use in only one script. This version of Retrospect lets you edit the "Rules" only from the application's preference pane.

The preference pane allows you to create, remove, edit or duplicate rules. The rule editor resembles the smart folder editor in the Mac OS X Finder.
You begin with the logic to include or exclude "Any" or "All" of the following selectors. You can then create filters based on the following:

File:
- Name
- Mac Path
- Windows Path
- UNIX Path
- Attributes
- Kind
- Date Accessed
- Date Created
- Date Modified
- Date Backed Up
- Size Used
- Size on Disk
- Label
- Permissions
Folder:
- Name
- Mac Path
- Windows Path
- UNIX Path
- Attributes
- Kind
- Date Accessed
- Date Created
- Date Modified
- Date Backed Up
- Size Used
- Size on Disk
- Is
- Is Not
- Label
- Permissions
Volume:
- Name
- Drive Letter
- Connection Type
- File System
Source Host:
- Name
- Login Name
Existing Rule:
- Is

This list could easily expand out many times over, too complex to display here. Nonetheless, all the features of the previous filters are there, arranged from simple to complex with logical includes or excludes.

Once these rules are created they are available to any script created by the program. In addition, since the Retrospect application is now a console for Retrospect servers, the scripts created are on a per-server basis, and the "Rules" on one server are not necessarily present on another.