Jeremy Good

Facebook Live using FFmpeg

noreply@blogger.com (Jeremy Good) — Tue, 21 Feb 2017 19:07:00 +0000

You may have see that some FaceBook Live posts look better than others. More like they are shot in a studio and not on a cell phone. Well, that's because they are. There are various hardware devices and web streaming services that can do it but I'm going to show you an easy way to do it for free (assuming you have the needed computers and cameras etc).

Step One. Setup a computer with FFmpeg. FFmpeg is a free (opensource) software that is described as "A complete, cross-platform solution to record, convert and stream audio and video." and it is very powerful. With it I have converted video files, recorded video files, ripped audio from a video, and a few other things. Today we're going to take a live stream from an Axis IP camera and then stream it out to FaceBook Live using just one command on the command line. So, I'm using the Windows version of FFmpeg which you can get here https://ffmpeg.zeranoe.com/builds/ or you can get Linux, Mac, and any other build from http://ffmpeg.org

Step Two. After you've gotten FFmpeg installed it's time to setup your video source. Being that we're talking about FaceBook Live, we're going to choose a live source. For that I'm using a standard definition Axis encoder Q7401 connected up to the churches AV system through a series of converters to our very expensive HD cameras. This process would work the same if you were just using an IP camera as well. So, for me the RTSP string from the camera looks something like this rtsp://10.x.x.x/Axis/media.aspx I would recommend testing this out on VLC Player to make sure you get the syntax correct before moving on. There is an awesome site that will tell you just about every connection string to every device here.

Step Three. Once you've gotten the correct syntax for your camera, you need to feed that into FFmpeg and tell it to do something. So, let's take that input and stream it out to Facebook Live. To do that we first need to schedule an event and get the one-time connection key. Unfortunately you cannot use this method with a personal Facebook page. You have to have a "Page" to be able to do this. Once you are an admin of a page, you will get more options at the top like this:

Click on "Publishing Tools" and then click on "Videos" on the left menu. When you do you will see a screen with past videos if you have any and on the top right you will see "Live" Next, you will see a page like this showing your connection string:

This page tells us exactly what we need. We'll use the top "Server or Stream URL". Don't worry if you didn't get it before you click next because it will display again. Take note to the note at the bottom. Once you click next you have 5 hours to go live then it will no longer be valid. Click next. A new screen comes up that asks for you to name your event and then allows you to preview your stream before you go live.

On this screen you can see your stream key again and name the video.

If we had an active stream it would show up here. It won't let you click the "Go Live" button until you have a stream going. But you can schedule a future stream by click the dropdown arrow and picking "Schedule Live". That part is cool because it puts a blurb on your feed saying that your going live at a specific time which could help drive traffic to your broadcast. For now we're going to just do the Live option so let's get your feed going.

Step Four. Now is when the rubber meets the road. Open up a command window (on Windows 8.1 or 10, press Win + X key and then select Command Prompt). At the prompt we're going to use the following format:
ffmpeg -i -f flv

Facebook Live is also picky on the audio and video settings. You can view the requirements here. To get this to work in my situation I found that I had to do some work to my stream to get a reliable output.

ffmpeg -rtsp_transport tcp -y -i "rtsp://10.0.0.99/axis-media/media.amp?streamprofile=fblive" -t 5400 -c:a copy -ac 1 -ar 44100 -b:a 128k -c:v libx264 -pix_fmt yuv420p -r 30 -g 60 -vb 2048k -minrate 2000k -maxrate 4000k -bufsize 4096k -threads 2 -f flv "rtmp://rtmp-api.facebook.com:80/rtmp/133333333333?ds=1&s_l=1&a=ATg99929999x84tR"

As you can see there are a lot of options that you can customize with FFmpeg! In a nutshell, I created a different "Stream Profile" on my Axis device with the source settings I wanted like if it should display the date at the top, the resolution, the frame rate and bitrate, and some other settings. Then I use the -t option to run the script for 5400 seconds or 90 minutes. I copy the audio stream and set the sample and bit rates. For the video I had to run it through the h.264 encoder and set the color space as well as the frame rate and the min and max bitrates. I also found that I needed to dedicate two processors to this to keep up with the transcoding on my computer with the -threads 2 command. Then I pipe it to the -f flv command that sends the flash ramp stream to the Facebook API with my streaming key.
If I press the enter key and run the script it will throw up a bunch of stuff in terminal and then it will settle down to something like this:

You may see some errors when the feed is just starting out but they should go away and look like the bottom half of this command prompt window. If you go back to your web browser and Facebook Live scheduling you should see the window has changed to have "Preview" in it and showing your video! You will notice that the "Go Live" button is now clickable. You can click it to start right away or click the down arrow and schedule it for later. Just make sure your feed is scheduled to go long enough or don't put the -t option in at all. You will just have to press Ctr + C in the command prompt to terminate the feed when you want.

Some additional notes:

If you lose your stream for any reason the Facebook live event will stop and post to your timeline.
This is a one time key. You will need to do this process each time. There is probably a better way of doing this with an API but I haven't gotten to that yet.
If you don't want the live post to be viewable after the event ends you can select "Unpublish after live video ends" This will preserve your stats and allow you to post it later if you wanted.
If you have any prerecorded music or video in your stream Facebook will most likely not catch it in the live feed, but will take down your replay soon after it is posted. We've had this happen many times. You usually have the option to post it if you agree that you have the proper copyright information, but it's just a real pain. The better option would to send a different feed to the live stream that doesn't have audio from Spotify or other music. I imagine they send the video through something like Shazam app to identify any copyrighted music.
You will get better quality with a better encoder obviously. One weird limit is that FBlive only goes up to 720p right now so you'll have to downconvert if you've got a 1080p stream.

So, this is the low cost, DIY Facebook Live solution. There is software out there to do it for you like Wirecast but many cost much more and don't offer much more features mainly because Facebook has it so locked down.

Remove Duplicate Exchange Objects on Office 365

noreply@blogger.com (Jeremy Good) — Thu, 21 May 2015 16:05:00 +0000

Remove Duplicate Exchange Objects on Office 365

If you are doing a migration to Office 365 or an upgrade between Exchange versions, then you may end up with duplicates in some or all of your Exchange accounts. This happened to us after moving from Exchange 2013 to Office 365 when some things went wrong (future blog post coming I promise) but I wanted to get this down before I forgot it.

So, I've got about 100 users that now are on Office 365 (Exchange Online) and have duplicates and I don't want to manually go to every computer and try to fix it. Also, I don't want my staff to have to jump through a bunch of hoops to try and fix it (which will probably cause more work for me later). If only there was a way I could script all this...

Turns out, someone has! Michel de Rooij has created an AWESOME PowerShell script called Remove-DuplicateItems.ps1 and you can read more about it here. There are a lot of options and switches that you can use with this script and some are documented better than others.

In my initial testing I found that this wasn't removing duplicates even when used in "Full" mode and not "Quick" mode. It turns out that the way the 3rd party tool that we used to sync our accounts in our Office 365 migration changed the ID's of the items and even items that looked to match perfectly were measuring larger in the system (two attributes that are used when comparing). So, after some head scratching, I found that I needed to comment out a few lines of code to get it to work in our situation.

On line 357, I commented out
#if ($Item.Size) { $key+= ","+$Item.Size.ToString()}
by putting a # in front of the line.

And then on "IPM.Contact" section starting at 359 I commented out a few lines as seen below:

This was done because the way our duplicates were made the Size comparison was failing because the two records weren't the same. Also I found that for whatever reason CompanyName, and the phone number fields caused some issues for me. Make sure you test this script on a small set of users because there can be some false positives when you comment these out. The good news is that you can use the -DeleteMode MoveToDeletedItems option to have them got to the Deleted Items folder and could be easily restored. So, awesome stuff but how does it work?

First you need a computer with PowerShell installed (it doesn't have to be the Exchange server) as well as Exchange Web Services (EWS) Managed API 1.2 (or later) installed.
You need a .csv list of the users you want to remove duplicates from (I recommend several batches of less than 20 because it does take a while and only does one at a time and will stop the script of a box fails)
If you're running this against Office 365 you need to have setup a user with Impersonation rights on the mailboxes (outlined in the source blog)

Now, run the script. (My comments are in green)

# Set credentials for the next scripts - If using Office 365, make sure you
# use the username@domain.com

$UserCredential = Get-Credential

#The next command references a script called Remove-DuplcateItems.ps1 which can be
# downloaded at http://bit.ly/1IRgTnc

PS C:\Users\Administrator> Import-CSV Users.csv | .\Remove-DuplicateItems.ps1 -Type All -Credentials ($Credentials) -Impersonation -DeleteMode MoveToDeletedItems -Mode Full

When it's running, you will see something like this:

A helpful option when you are testing this out is -Verbose which will outline the task that it is doing and ask you what you want to do with each delete. When you are doing a batch it's not very helpful. You can also use the -Debug option and get in-depth look at how the script is comparing things (helpful in determining why some duplicates are getting deleted and some aren't)

I spent many hours trying different scripts and figuring out why it wasn't working but I did get it to work. I hope this blogpost helps someone else out there and I'm sure I'll look back the next time I have to run this :-)

The Great Migration to Exchange 2013

noreply@blogger.com (Jeremy Good) — Thu, 25 Jul 2013 22:23:00 +0000

We upgraded to Exchange 2013 this week from Exchange 2007. We have wanted to upgrade almost since the day we installed Exchange 2007. Not because it was bad, but because we installed it only a few months before Exchange 2010 was RTM (long story for another blog post). We are also hoping that the greatly enhanced Outlook Web App will help with our volunteers and BYOD users.

2003 to 2007 was a big project and I did it all last time. There were many unforeseen issues that took a lot of time to resolve. It was not something I wanted to repeat without help. This time I enlisted the services of a friend and professional who was experienced with this kind of thing. Ed Buford is someone I have know for a while and works for Pinnacle of Indiana.

I did what I could to cut down on the consulting costs. Upgraded our servers to VMware 5, downloaded and installed Server 2012 Datacenter, updated said server, downloaded Exchange 2012 CU2. Ed helped with the more technical stuff like prepping Active Directory, checking the configuration on Exchange 2007, Installing and configuring Exchange 2013 using best practices (better than mine since Exchange 2013 is still real new some things were kind of buggy).

Then came the migration. We had planned to do this on a Sunday afternoon because for us that is the lightest day of the week and would have the least impact on our staff. Ed and I figured it would take 4-6 hours to transfer our 260 mailboxes. We were wrong. After transferring just my mailbox as a test (which was about 4 Gb) we saw a problem. It was only transferring at about 11 Mbps and took about an hour. Exchange 2007 server was only pushing a few percent on CPU and network but the Exchange 2013 server was almost maxing out the two vCPU’s. I decided to move this to a different host and try again, this time with 4 vCPU’s. This batch we ran about 10 accounts and found that it would only transfer about 4 to 6 at a time. All 4 CPU’s were maxed out. After that batch I shut down and added two more (this host only had 8 cores). This next batch of 50 mailboxes went a little faster and would transfer 6 to 8 boxes at a time. We figure this was as good as it would get and queued up a few more batches and called it a night.

In the morning we saw that the boxes that had moved were accessible by OWA and ActiveSync. Boxes that hadn’t moved yet were only accessible by Outlook since we changed our autoconfigure settings and certificates. I Queued up the last batch but saw that we had a problem. They weren’t moving. After some exploring we found that restating the Exchange Transport service got things going again (it said it was up). We figured it was a fluke and continued with the migration. By the end of the day, all mailboxes were transferred, Activesync devices were syncing, Outlook was connecting, and Outlook Web App was working great.

The next day I discovered that at some point in the night/morning, we stopped getting outside email. Our hosted barracuda was saying that it had delivered a lot a messages but where did they go? We still had email routing through our old server so I checked there and saw that we had 1590 messages waiting to be delivered!! We restarted the Exchange Transport service on Exchange 2013 and watched as all of the messages were delivered in about 15 seconds. After this we moved inbound email over to the new server and thought we were done. Nope. This would continue to happen again and again over the next few days, but now, messages would spool on the Barracuda (thankful we use it for this reason!) and then deliver once we restarted the Transport service. Ed found that others on the web were experiencing this same issue outlined here.

After deleting the old receive connectors as people in the above TechNet thread suggested, and only having the default ones, it looks like the issues is gone. The problem is I NEED those connectors. So, I’m going to add them back one by one and see what happens.

So, in summary, these are the things I learned about migrating to Exchange 2013

Communicate well to your users. I’m not sure if you can over communicate, but you want to get as close as you can. No matter what you do there will still be those saying “Oh, was that today?”. Since email would be down for some during and after the transition for some, we setup a blog they could go to for updates and directions.
Plan a lot of time. More than you think.
Make sure your new exchange server has plenty of processors (at least for the transition. You can drop a few after that.) More processors = faster migration.
Be prepared for something to go wrong. In our case, we already had outside help queued up. If you’re doing this solo you should definitely do some more tests before the big “Moving Day”.
Plan for issues with certificate and namespace if you changing those in any way with your migration (you probably will). Android devices seemed to have the most trouble with this since they all handle things a little differently depending on their OS version and device model. iOS devices were pretty predictable. Once we knew what change we had to make they were all the same.

I’ll try to update this blog in the coming weeks as we get used to Exchange 2013 and also note any issues and how we resolved them.

Issues

Users accessing our OWA site via HTTP are not being redirected to HTTPS. We have tried just about everything we can and it still won’t work. If you have figured this out, let me know! Please!

Simulcast 2.0

noreply@blogger.com (Jeremy Good) — Fri, 12 Apr 2013 23:19:00 +0000

Back in 2010 I told you about how The Chapel had been using the latest HD video technology to be “one church in many locations”. We are still a mutli-site church and have grown from our initial 4 video campuses to 8 campuses by 2012 (5 with live video & 3 with “tape”). Our current video simulcast solution was working great for the 5 campuses that were on our fiber network but we had not moved the other 3 to live video for a number of reasons.

Some of the problems with our current solution:

Expensive – Joining another campus to our fiber network to enable them to have live video would require thousands of dollars of network equipment and thousands more to get the fiber into the building and terminated.
Flexibility – Singing a 3 year contract on fiber is about as fun as taking out a mortgage on a house (and hurts the pocket book about the same!). The Internet and network world is constantly changing so why get locked into something?
Scalability – To this date we had been lucky that all our locations are within the same Chicago metro area and could be serviced by AT&T’s Opt-e-Man product. But what happens if we want to cross the boarder into Wisconsin or downstate Illinois? Or another state or country? Our telco broker warned us that that could be an expensive problem in the future as it would most likely require an even more costly circuit.

I knew that I didn’t want to get caught off-guard when it came time for renewal in 2013 and be forced to resign. So I started working with our telco broker early in 2012 and I am glad I did! We heard pitches from several of the top vendors and to my surprise most were even more expensive than AT&T!

Throughout this time I had been talking with Chris Kehayias at Calvary Chapel Melbourne who introduced me to Zixi at the Church IT Round Table event they hosted in 2011. Zixi can best be described as a transport service specializing in video. Zixi ensures that my video gets from point A to point B without dropping a packet. Chris and others had been using it to deliver video in a point to multi-point church environment with amazing results. After getting a demo setup in our environment we were sold! The great thing about how Zixi works is that we really didn’t have to change our workflow, encoders/decoders or even bitrate. Zixi just “dropped in” seamlessly.

We have now moved most of our receive campuses to Zixi but still maintain a fiber connection between our two broadcast campuses, Grayslake and Libertyville. Our receive campuses each have their own 27/7 Mbps Comcast coax internet connection. So far this has worked great for us and is able to keep up with our two HD video feeds running at around 16 Mbps. Our send site uses a 40/40 Mbps Comcast fiber Internet connection for the upload.

We had to make some network changes since we were going from a fiber point-to-point system to a VPN system. For that we are using SonicWall TZ-200 & TZ-205’s at our receive site and an NSA-240 at our send site. The NSA-240 seems to handle the video just fine but is struggling to keep up with other traffic so we are in the process of upgrading. The TZ-200 & 205’s are doing just fine at the receive sites though.

Even with these changes we should see a 43% yearly reduction in our simulcast and network cost! We are now able to get all our campuses live video for less than we were paying for just 5 in the previous model. We are also to setup a video campus anywhere we have a decent internet connection.

Earlier this year at the Spring National Church IT Roundtable even I gave a “Ten Talk” about Zixi and most of what I detailed above. You can check out the video here on YouTube.

Also, this is a link to the presentation slides.

If you have any comments or questions, leave them below or catch me on Twitter

DIY DVR

noreply@blogger.com (Jeremy Good) — Tue, 13 Mar 2012 05:16:00 +0000

Tired of high cost cable or satellite but don’t want want to give up your DVR? As we were tightening our financial belt, the Dish subscription went and so did our DVR. We get a lot of HD channels over the air (OTA) in our area, but most of the shows that we want to watch are starting just as we’re putting the kids to bed. My solution was to build my own DVR.

My Setup

Tuner = HD HomeRun – Can be had now for around $100 on Amazon
OS = Windows 7 Pro x64 – Running Windows Media Center
Computer = HP Pavilion a1430n – Started out with an old Dell P4, this is much faster
Video Card – GeForce 8800 GTS 320 MB given to me by my brother – Using a DVI to HDMI converter
Remote Control = iPhone. I found an app that lets me control Windows Media Center from anywhere in my house called Remote Kitten. Lame name but it works.

I went with the HD HomeRun dual tuner for 3 reasons:

More future proof than other solutions. Plugs into your network and can be access by any computer on the network.
Can be put anywhere in the house.
Decent Price. More than other dual tuners but it makes up for it in flexibility.

The Verdict

I love it!

Quality - The quality is amazing. Looks just like watching it live. The processor seems to keep up but I think the video card makes the difference. I think it would be even smoother on the WMC menus if it had more RAM (2 GB) and if it wasn’t just DDR.

Ease of use – Windows Media Center is great. The only thing that would be better would be if it tied into iTunes. Can control things from my iPhone or iPad.

Detractors – The only real downside is the old computer. Would be sweet to have a small HTPC with a modern processor and native HDMI support. Also need to get a larger hard drive if you want to keep anything like movies or whole series around. The 200 GB hard drive fills up fast! (200 GB = about 20 hours HD)

My experience with this home built DVD has me wondering if something similar could be but together on a budget for church related streaming. Anyone know of one?

Multiple subnets with one VMware ESXi host

noreply@blogger.com (Jeremy Good) — Wed, 25 Jan 2012 05:53:00 +0000

As we’ve moved more and more of our critical infrastructure at The Chapel to the virtual world, I’ve struggled on occasion with the issue of setting up network cards in VM’s to work on different subnets.

This became a real issue when we migrated from our Cisco phone system to our virtualized MiTel phone system. All was good until I needed to setup the “MiTel Boarder Gateway” which acts as a firewall and SIP gateway for the phone system. Since I had to get this up and running quickly I just installed another network card then mapped it to a virtual switch in VMware and mapped the second NIC in the VM to that virtual switch.

This approach however is not very efficient or redundant. It also takes up valuable NIC’s and switch ports. My plan is to update this configuration with what I’ve learned when setting up our print server to work with FingerPrint which I’m going to detail below.

How to setup Vlan tagging in VMware ESXi

First, you need to have a working ESXi host. The setup isn’t that hard but is more than I’m going to go into here.
Setup your switch port(s) that connect to the server as a “trunk” in Cisco speak with a “Native Vlan” set to what a majority of your servers use. That way you don’t have to setup tagging on every vNIC.
If your looking to have a server that needs to talk to two different subnets like a firewall or my print server running FingerPrint, add another Ethernet adapter to your VM and assign it to your default network. Mine is “VM Network”.
You need to check that the Virtual Network on your primary vSwitch allows all Vlans. By default it is set to “None(0)“. Set it to “All(4095)” or just the ones you want.
Now, start up your VM and log in. Navigate to the Device Manager and select the network card you want to configure a different Vlan on.
Once you configure the tagging, make sure that you have the IP addresses setup correctly. For a firewall type VM, you will have different IP’s and gateways on different subnets. If you have a server connecting to two private networks, only set a default gateway on the “Primary” network. Windows doesn’t like it if you set different gateways to the same routed network.

That’s it. Now your servers can use different and special Vlans when needed and you don’t need to add another NIC or vSwitch each time. In my case, it allowed me to easily setup FingerPrint to communicate with our wireless network with the Bonjour protocol.

For my friends that are more versed in VMware than I, please post your comments and questions. I’m always interested in what others are doing or what the “Right” way is.

Apple AirPrint and FingerPrint

noreply@blogger.com (Jeremy Good) — Wed, 25 Jan 2012 04:16:00 +0000

So you have a shiny iPad or iPhone and want to occasionally print. Sounds simple, right? Well Apple has your back and has come out with a great “New” feature called AirPrint that will fix all of that. That is if you have one of the few new printers that have AirPrint.

A lot of companies are seeing more iOS devices on our networks and more users who expect new features that Apple comes out with to just work. They have little patience for us or the market to align ourselves with the Apple way of doing it. We also have some expensive, high efficiency, and feature rich printers and copiers on our network that we can’t afford to just replace.

Our first solution was a hack program called “AirPrint Service for Windows” that worked well until iOS 5. Then it broke.

There were some other iOS apps that let you print to network printers but they cost money and you have to pay & install it on every device.

Earlier this month I found a program called “FingerPrint”. You can check it out at http://www.collobos.com/ They have a Windows and a Mac version and also provide a free one week trial. If you still like it after the trial, you can buy it for $10! I wondered just how well a $10 application could work but read on.

After running the quick install file and selecting the printers I wanted to share, I was up and running!

It also has a cool feature that I’ve yet to try that allows you to “Print to DropBox” where you can tie it to a DropBox folder. This could work on a personal computer but I don’t see it working on a network print server well.

Once things are installed and working, connect your iPad or iPhone to the wireless network (it has to be same subnet though. Stupid Bonjour!), and your printers will show up in the “Select Printer” dialog.

That’s it. After the free trial I bought it. It’s working great so far. I’ve not tested this on multiple print servers on the same subnet yet so I’m not sure how that would work.

There is one civet though. Your print server has to be on the same subnet as your wireless. This poses a problem for most of us that have an enterprise wireless solution and have it on a different subnet. During the trial period, I setup a Linksys AP on the same subnet as the server and it worked fine. But it kind of defeats the ease of use I was going for when people have to connect to another wireless just to print.

I’ll address how I got around this limitation in my next blog post about connecting virtual servers in VMware to multiple subnets.

Read about it here.

Cisco Phones for Sale

noreply@blogger.com (Jeremy Good) — Thu, 10 Nov 2011 22:15:00 +0000

We have finished our migration to our new MiTel phone system! Through a mix up, we will be selling the Cisco gear ourselves. We do have a good amount of gear that we need to sell and it has been pulled from a working system running Call Manager 4.2

I have heard that most of this gear will work with SIP but I have not confirmed. It appears that you have to download the SIP firmware from Cisco (needing active support on the phone) and then flash the phone.

The servers themselves are also for sale.

Cisco Item	Qty.	Selling For
Server - MCS-7815-I1-UC1	1	Make Offer
Server - MCS-7815-I2-IPC1	1	Make Offer
Server - MCS-7825-H2-IPC1	2	Make Offer
7936 Conf. Phone	2	$ 200.00
~~7960G~~	10	$ ~~75.00~~
7941G	6	$ 80.00
7040G	82 ~~102~~	$ 50.00
7920 Cordless	1	$ 50.00
7014 Sidecar	2	$ 50.00
7912G	41	$ 35.00

For one of the 7936 Conference phones I have the additional microphones.

Buyer will pay shipping. Local pickups are welcome. PayPal preferred.

Our address is:

The Chapel
1200 American Way
Libertyville IL, 60048

If you are interested, please email ciscophones@chapel.org and I will get back to you as soon as I can. Thanks!

It's been a while!

noreply@blogger.com (Jeremy Good) — Fri, 07 Oct 2011 16:44:00 +0000

I can't believe it's been a year since I updated my blog! This year has flown by way to fast. I've been really busy at work. In the last year, we went from 6 to 7 campuses, Setup point-to-point VPN to that campus, installed our Equallogic SAN, and we are almost done with our new phone system installation.

Also, on a personal level, my oldest child started pre-school, we found out that we are pregnant with our 3rd child, we're looking for a min-van and I've not been out running nearly as much as I had hoped this year.

I hope to do some more blog posts soon that will be helpful to others. Some ideas I have are:

Setting up a P2P VPN with SonicWall and Comcast
OSPF fail over on SonicWall firewall (there was a bug in the Firmware)
Our MiTel phone conversion
Ruckus Wireless VS Aruba Wireless
Cisco Voice VS MiTel Voice

We'll see how far I get on that list. :-)

Bandwidth Management on SonicWall NSA 240

noreply@blogger.com (Jeremy Good) — Fri, 01 Oct 2010 22:13:00 +0000

Recently, we expanded Public Wireless to all our campuses. We really hammer our network on the weekend when we push video across it and I didn’t want public Wi-Fi traffic to become a problem. We have some access lists on our Cisco routers that do so time-of-day/week bandwidth throttling but it was kind of a pain to set up. So, I decided to see what I could do at the source. I was surprised at how easy it was to implement Bandwidth Management on our public wireless using our SonicWall NSA 240. Here’s how I did it. Your mileage may vary.

Step one. Log into your SonicWall. I know, it’s a big step.Step Two. Navigate to Network –> Address Objects and create an “Object” to match your Public Wireless Traffic. Click “Add…” under Address Objects.

I created an object called “PublicWiFi-Test” for this example and matched it to traffic on network 192.168.11.0/24 which is the IP address range of our Public Wi-Fi traffic. You can match to a number of other identifiers as well.

Step Three. Navigate to Firewall –> Access Rules. Change the view style to “All Rules” and then click “Add”.

Now is when we actually tell the SonicWall what we want to do with the Public Wireless Traffic. In the window that comes up fill out the fields like I have below. What we are doing is telling the firewall to process traffic that is from the LAN to the WAN, from any Service, matching the PublicWiFi-Test object that we defined earlier, to any destination.On the “Advanced” tab, leave everything as the default, but check the “Create a reflexive rule” so that inbound traffic will be matched as well.
On the QoS tab, change the DSCP Marking Action to “Explicit”. Then change the “Explicit DSCP Value” to “0 – Best effort/Default”. That way, if you have some other policies downstream that mark or generate traffic with a higher DSCP (like video) the PublicWiFi traffic won’t mess with your video feed.

Now, on the Ethernet BWM tab, you will actually configure the Bandwidth Management. Check the first box and then enter a percent or Kbps value for the Guaranteed bandwidth and the Maximum Bandwidth. This first section will apply your settings to “Outbound” traffic or in Internet terms, Upload Speed. One MB should be a good cap. You can also set the “Bandwidth Priority” to 7 which is the lowest. I’m not sure which takes precedence since you already set a value in the QoS tab. Now, click the next box and set the download values. At the bottom you can check the “Enable Tracking Bandwidth Usage” if it makes you happy. Click OK and your ready to go!

Step Four. You can now test your new policy out by going to a site like http://www.speakeasy.net/speedtest/ If you’ve done it right, your upload and download numbers should match the numbers you set in your policy. On my first try I had the values reversed.

So, that was easier than I thought it was going to be. I took it one step further because we have multiple campuses with different IP schemas right now for wireless. I created more address objects and added them to an Address Group. I then changed the setting in my policy to reference the Address Group instead of the single Address Object. The issue I see with this is that all traffic that matches these limits will share that bandwidth cap. So, if I have 4 public clients, their bandwidth would be (2048 Kbps / 4) or 512 Kbps. I’ll have to play around with things and see how it goes. You can set the policy to a schedule so I might just have it be active on the weekends.

I hope this helps someone. If it does or you have questions, leave a comment.

Lock screen & start screensaver

noreply@blogger.com (Jeremy Good) — Thu, 08 Jul 2010 21:22:00 +0000

Sounds like a simple task doesn’t it? For years I have just pressed the Windows key + L and locked my computer. But, like any proud father, I didn’t want to wait 15 minutes for the photo’s of my kids to start scrolling across my dual monitors (a great free photo screen saver for dual monitors is gPhotoShow.com). All I wanted to do was lock my computer and start my screen saver at the same time. After all, even OS X can do that with Exposé. To my surprise, there is no built in method to do that in Windows! Even if you make a shortcut to the screen saver, when you move the mouse, it goes right back to your desktop. So after some searching on different scripts, I came across a free app someone wrote that does the trick. Download sslaunch.zip from this WindowsITPro.com article, extract it, and move the SaveScrn.exe file to your desktop. Now, all you have to do is double click it and your computer will lock and display your screensaver.

Enjoy!

Local Mac User to an AD User

noreply@blogger.com (Jeremy Good) — Sat, 01 May 2010 03:11:00 +0000

Local Mac User to an AD User that has the same short nameOS X 10.5.8
(Other versions may differ)

Here is the scenario. Mac User has a local account and his “Short Name” is muser and his Home Directory is muser as well. The problem is that when we join this computer to Active Directory, and Mac User logs on, it will want to make a Home Directory for him with the name of muser.

So, we have to delete the local Mac User user, but preserve his Home Directory. Then we have to move it to the network Mac User user and assign the correct permissions.

Step One. Join computer to Active Directory. There are many guides out there on how to do this. Official Apple docs http://docs.info.apple.com/article.html?path=ServerAdmin/10.5/en/c7od44.html

Step Two. Log in as a different Local Admin account than the one you want to change. If one doesn’t exist, create one. If possible, back up the users Home Directory before proceeding just to be safe. Now go into System Preferences and then Accounts. Now, unlock things and then select “Mac User”. Now click the “-“ to remove him. You want to select the middle option on the next screen which is “Do not change the home folder (The home folder remains in the Users folder.)” Click “OK” and then log out.

Step Three. Click on the “Other” option at the Login screen and log in as the network Mac User account to create his profile. When you are asked to create a mobile account, click the “Create Now” button. Log out and log back in as the local Admin account you were using in step Two.

Step Four. Open the terminal and enter the following:
sudo rm –r /Users/muser
sudo mv /Users/”muser (Deleted)” /Users/muser
sudo chown –R muser /Users/muser

If this user should be a local admin, click the “Allow user to administer this computer” box under his profile. Log out.

Step Five. Log in as the network user and all your programs, data, and settings should be moved over to the new profile.

Step Six. You may have to fix the keychain. If there is an issue with getting prompted for the keychain password, go into utilities and then click on Keychain Access. Right click on the “Login” keychain and at the bottom of the list you will see “Change Password…” Once you click it, you will be prompted for the old password and then enter a new password.

Done. Now the Mac user will be able to change their network password, be prompted when it is about to change, and most importantly, be required to use one. Your mileage may very so test out these steps in the lab first.

How to deploy an Aruba Remote Access Point (RAP) Part 2

noreply@blogger.com (Jeremy Good) — Thu, 15 Apr 2010 01:18:00 +0000

So in part one I gave the back-story so now it’s onto getting this going. I’m using Aruba OS 5 on an Aruba 650 Controller with AP-61 access points. Your mileage may very.

If your running Aruba OS 5, you don’t need any RAP licenses with is great. Not so great if you bought them before OS 5 came out though. Good news is, they get turned into AP licenses when you upgrade to OS 5.

One more thing, since you will be deploying these access points in RAP mode, you won’t have some features. You won’t be able to tell how many people are on your system from that location so I wouldn’t go more than a few AP’s. You can’t blacklist someone. I don’t think you can do heat maps (I’ll have to try this though). Also, because we are setting these AP’s up in bridge mode, they will use the local DHCP server and if you have more than one AP, they need to be on the same Vlan. You will also have to take care of any extra security by using a local ACL on a switch or router.

Step One, log into your controller by going to https://aruba-master just to check that you have your DNS set up properly.

Step Two, navigate to Configuration –> Wireless –> AP Configuration.

Create a new AP Group by clicking on the New button. I’m giving it the name “RAP”. Click “Add” and then “Edit”.

Now, you will have to drill down to Wireless LAN –> Virtaul AP and create a new Virtual AP. Click the drop down and select –NEW – at the bottom of the list. Then, give it a name. I’m going to use “test-vap_prof” which is one I use for testing. After you click “Add”, you have to select the AAA profile and the SSID profile. You can use the same ones you used for your campus profile since you won’t change them. I’m going to use some test ones though. After you select the ones you want to use, click “Apply” in the lower right.
Now, drill down one level to the Virtual AP you just set up. The only setting you want to change is the “Forward mode” from “Tunnel” to “Bridge” and click “Apply”

Step Three, Set up the VPN. This is the step that kept throwing me off. Why do I need to set up a VPN connection between the AP and the controller if I’m on the local LAN? That’s just the way it is. If you don’t, the AP will never become a RAP on your AP Installation screen. This step is also what makes the controller push out the new RAP firmware to the AP. Navigate to Configuration –> Advanced Services –> VPN Services.

So, now that your on the VPN Services screen, You need to add an Address Pool. Just click “Add” under Address Pools. These addresses don’t have to be routable on your network. It’s probably better to pick ones that aren’t so you don’t have any confusion too.

Click “Done”.

Now you need to set up the IKE Secret. Under IKE Shared Secrets, click “Add”. You can keep the Subnet and Subnet Mask as quad zero (0.0.0.0) if you don’t have any other PSK’s. Enter the IKE and then confirm it.

Click “Apply” in the lower right.

Step Four, navigate to Configuration –> Security –> Authentication to setup an internal user. Click on Internal DB on the left. Now you will see a section titled “Users” You want to add one. Click “Add User”. It will auto generate a username and password for you, but you will probably want to change to something more meaningful.
You can leave the rest of the fields blank and click “Apply”.

Step Five. You are now ready to deploy the AP using the profile you created in step 2 and the VPN information you created in steps Three and Four. Navigate to Configuration –> Wireless –> AP Installation. Click the AP you wish to deploy as a remote AP and click “Provision”.
Now, in the AP Group filed, select from the dropdown, the AP group you set up in step Two.

In the Authentication Method section, select that you will be deploying a Remote AP by clicking the “Yes” radio button. When you do, it will allow you to fill in the IKE PSK and your user credentials you created in step Four. Make sure to uncheck the “Use Automatic Generation” box or you won’t be able to enter your username and password.

After you have that info entered, you can move on down to select the campus this AP will be deployed to (there is documentation on how to set these up in the user guide). Then, name it something meaningful, and click the “Apply and Reboot” button. The reboot will take a few minutes because that AP will get a new image pushed out to it.
If you have done things right, you should see your new AP’s deployed and in the correct group, and have an “R” in the flag section signifying that it is a “Remote Access Point”. I’ve blotted out the IP address for the remote AP, but it will be something in the range that you setup in Step Two.

Well I hope this helps someone out there who is struggling though getting some remote access points up with their Aruba gear. This is the first enterprise class wireless system I have worked with and for the most part, it is a pretty good system. There are ones out there that make it a whole lot easier to do some of these more advanced features though.

How to deploy an Aruba Remote Access Point (RAP) Part 1

noreply@blogger.com (Jeremy Good) — Thu, 15 Apr 2010 00:58:00 +0000

At The Chapel we put in an Aruba Wireless system last year (Aruba 650). It was a huge improvement to what we had which was a combination of Linksys and 3Com gear. We are now able to provide public and private wireless networks with just one wireless network. The enhanced management features you get with a controller based system are also huge time savers such as central updates, ability to find the number of clients on the network, and locate those clients in the building.

Well,since we liked the system and it was working for us we decided to put some access points out at our new Lake Zurich campus which didn’t have any wireless. It was easy enough to get things going, just plug the AP into the network, find it on the controller, and deploy it. Done.

Well, not quite. The Aruba system by default wants to set the AP’s up to tunnel back to the controller. This is part of what makes this system so easy to deploy. You don’t have to worry about what vlan the AP’s are on or what their IP address is. The tunnel sends all traffic back to the controller to be routed. The issue is when you have a local resource like a file server, printer, or even local internet connection, all your traffic goes back to the controller and then back to the local network.

We had a local Comcast internet connection at Lake Zurich we wanted to use without tunneling through two other campuses to get to the controller. Luckily, Aruba had a “Remote Access Point” license that was supposed to make deploying our AP-61’s easy. The key words are “supposed to”.

Aruba fails in the documentation department miserably for this RAP feature. I found out though my CDW rep that I could use my AP-61’s if I got an RAP license for each of them. (This is kind of expensive but now it is included free in the Aruba OS 5 release) Next came configuring them. I tried following the documentation but it was all based on older versions of the software and kept referencing setting up firewall rules that are only available in their PEF license which I didn’t have. They also didn’t have an example that matched my scenario of having everything on a private network. All the examples talked about using the VPN feature because you are going across the internet. I upgraded to the Aruba OS 5 which had a wizard to deploy remote AP’s but it didn’t work either.

So I tried and failed again and again. I even sent some bad configs to my AP’s that bricked them! After looking for the reset button I found out my AP’s didn’t have any! Stupid! After some research, I found out that I needed a special “Serial Over Ethernet (SoE) cable” as Aruba calls it and it had a schematic of how to make one. I gave it a try twice and couldn’t get it to work. I then had to fork out about $100 to get one from Aruba! Anyhow, they were back up and running finally but I still didn’t have the RAP feature that I wanted and paid for.

So I called up support again and got someone who seemed to kind of know what I was trying to accomplish. We did a WebEx session and were able to get things going. Because this is getting to be a long post, I’ll show how to set this up in part 2.

Simulcast, Chapel Style

noreply@blogger.com (Jeremy Good) — Sun, 21 Feb 2010 16:13:00 +0000

I’ve wanted to do a post for a while about how we do our Simulcast services at The Chapel, so here’s how we do simulcast, Chapel style.

What is our definition of “Simulcast” you may ask? Well, it is a “Live” remote viewing of our center and side screens. I put “Live” in quotes because we time-slip the service on some DVR’s first to give us some flexibility on playback. Usually it runs 2 to 10 minutes behind live.

So, here is the list of equipment involved in capturing, encoding, sending, receiving, decoding, and playing back our Simulcast feed.

Capture – Cameras are Sony PMW-EX3
Encode/Decode - HaiVision Hai1060 chassis with two MAKO-HD cards
Transport - All Cisco brand switches and routers over a 25 Mb Opt-E-Man circuit from AT&T
Record – 360Systems for the Center HD center feed and Sony DSR-1000 for the SD side

Before we get into more technical stuff, let me explain why we do Simulcast. Shortly after moving into our new building in 2004, we started having talks about “Phase 2” of expansion to fit all the new people who were coming to The Chapel. This is a great problem to have but we hadn’t expected to have it so soon and didn’t have the money to expand quite yet. We also didn’t like the idea of more and more people driving farther and farther to go to church each week.

About that time our Sr. Pastors started having some talks with some struggling churches in the area. Two had approached us and wanted to join what God was doing through The Chapel. At that time, we also receive a large donation specifically for our multi-site campaign. A church in Barrington had built a new campus and had their old building up for sale. So, the march was on and we went from one church in one location, to one church in 4 locations in one year!
The first year we did a tape/dvd delay for one of our campuses and did “sneaker net” transport. This worked alright but the quality just wasn’t there. Also, our Sr. Pastors were getting worn out running between the 3 other campuses each weekend. Three of our campuses were also running a week delay in service but this caused other problems for our tech teams and our church members as well.

So, that is what lead up to us going to a live video simulcast on the weekends. Our pastors still preach 4 times a weekend (Twice on Saturday and twice on Sunday) but with our 4 campuses, that comes out to 10 services! Our pastor’s alternate teaching from our two large campuses which are Grayslake and Libertyville. One week, it will be live at Grayslake at the 9:00 am and simulcast everywhere else, and then it will be live at Libertyville for the 11:00 am and simulcast everywhere else. Then we switch the next weekend. Still crazy but much better than the alternatives!

So, onto the tech details that you all want to know. For cameras we use two Sony PMW-EX3 for the side iMag shots and one Sony PMW-EX3 with a different lens for the fixed center shot. All three of these cameras are HD, but we only project HD 1080i on the center screen at Libertyville and Grayslake. The screens are just so large we had to go HD to get the picture quality. The sides are Sanyo projectors that shoot 720p at Grayslake and Libertyville, and center and sides at Barrington and Mundelein.

Once the cameras capture the live service, it gets piped though what seems like an endless sea of cables and devices and then gets encoded and sent out to our other campuses. The gear we use for encoding and decoding our video is from HaiVision. At each campus we have a HaiVision 1060 chassis with two of their MAKO-HD cards. This system lets us do two simultaneous HD video streams which come out to about 15 Mbps total. Currently we send 1080i and it gets scaled at the decode sites to match the projectors.

This signal then gets sent out onto the network to our other sites on multicast addresses to reduce network traffic. We have a 25 Mb Metro-Ethernet link from AT&T between each site which has worked well for us so far. We did have to make sure our internal network was rock solid and properly configured, and work out some issues with AT&T before we were able to get a video to stay stable for up to an hour.

At the receive sites, we have two DVR’s that capture the service. We use a unit from 360Systems to capture the center HD signal and a Sony DSR-1000 that records the scaled down SD side feed. There is a DNF that is used to manually synchronize the two feeds for playback. Synchronizing the feeds is one of the hardest parts of the whole process because if you are off by even a few frames, people can tell.

For our backup, we capture the sides of the Saturday service at Grayslake or Libertyville on a Mac Pro with an HD capture card. Once the service is over on Saturday night, the video file of the side screens gets sent over the network to the other sites for a backup just in case.

So that’s it. That is how we roll. I’ll have a post coming shortly about some Cisco IOS magic we had to work to make sure our network was up to the challenge of multicast video, voice, and data. If you have any questions or comments I would love to hear them. Our simulcast solution is constantly being improved and I’ll post any new developments when they happen.

Poor iPhone Call Quality

noreply@blogger.com (Jeremy Good) — Tue, 12 Jan 2010 21:13:00 +0000

Since I got an iPhone, one of my biggest complaints has been coverage and call quality. Like most, I get low bars and bad sounding calls a lot. What really got me ticked at my phone and AT&T was that over the past few weeks I have been getting bad call quality even when I have 5 bars! People that I am talking to on the phone can hear me fine but all I hear is garbled speech and drops.

I've heard about half of the people with iPhones that I work with complaining of the same issues so I'm going to document the steps I have taken and what has worked and not worked.

Do a hard reset. If you don't know what this is, you probably haven't done it. Hold down both the "Home" and "Power" buttons at the same time until your phone goes black. (Detailed Directions)
If that doesn't work (It didn't for me), then do a backup and restore in iTunes for your phone. This worked for a day or two but the bad quality came back. (Detailed Directions)
Go to a corporate AT&T wireless store and get them to replace your SIM card. This shouldn't cost anything. After doing this my call quality has been MUCH better. It could very well be a coincidence, so I'm going to have to give it a few days. You can find a corporate store by going here and selecting your ZIP and "iPhone" from the box.
Update: Still having the same problem but a little less often.
If you have tried all of the above, go to the Apple store and get your phone replaced. If you go to the Apple store first, you will waste your time because they will tell you to do steps 1-3 above.

~~I'll let you all know if Step #3 works for me or if I'm getting a new iPhone. I'm keeping my fingers crossed.~~

Getting the SIM replaced sort of helped. I haven't gone in yet to get my phone replaced and I'm trying one last thing. Someone tipped me off to the fact that if you turn 3G off, your calls will magically be clear again. This has worked but obviously points to some issue with AT&T's network or a design flaw in the iPhone.

"Transition" to Exchange 2007

noreply@blogger.com (Jeremy Good) — Wed, 18 Nov 2009 01:56:00 +0000

So, we have officially "transitioned" as Microsoft calls it from Exchange 2003 to Exchange 2007 here at The Chapel. Exchange 03 has served us well these past 6 years. Wow, has it been that long? Our dependence on email has risen so much since we installed it and it has become one of our most mission critical applications. Only when it goes offline (like when we did our transition) do we notice just how much we depend on it! I did my best to minimize the downtime for the transition but there were a few hangups that I'm going to dive into now.

First, some of the history. We started with Exchange 2003 Standard shortly after it came out. I remember that it was before the first Service Pack. At the time I thought to myself, "We will never hit that 16 Gb database limit". Boy was I wrong! Service Pack 2 was a life saver as it let us keep the mail flowing by raising the database limit. This was good for a while but going from one campus to 4 in a year and doubling our staff was putting quite a strain on our email server and it's limits. Also with the introduction of ActiveSync for the iPhone, we were having more and more sync issues and missing appointments.

Fast forward till 3 months ago. We were hitting the max limit of Exchange 03 Standard again and needed a solution. I wanted to wait for Exchange 2010 and just skip 07 but we couldn't wait any longer so we decided to make the move to 07 and then upgrade when 2010 came out. The problem was that we needed a fix now and couldn't wait until our transition so we did an in-place upgrade from Exchange 2003 Standard to Exchange 2003 Enterprise to buy us some more time.

Then the planning and testing began. After reading up on several blogs and talking with several of my Church IT RoundTable peeps, I installed the server. My main source of documentation was a blogpost on MSExchange.org which was a huge help! There are a few things it leaves out though but Google came to the rescue. I installed Exchange 2007 as an all-in-one install like I had with Exchange 2003. Installing an Exchange front end server would have made things easier as I could have kept things running as we migrated our users and services to the new server though.

I though I would be able to keep things going with the setup I had but after much testing, I found out that with how complex our environment is, it just wouldn't work. We have a BES and rely heavily on ActiveSync and OWA and I just couldn't get everything happy. So, I made the move to the new server all at once (For us the best time window was Sunday after all the services).

There were a few "gotchas" that came up after the transition.

First, I found out that while computers on the network will magically update their server settings after their mailbox is moved to the new server, it doesn't update computers off-site connecting by RPC over HTTP. This lead to quite a few email, text messages, and tweets from people telling me that they couldn't connect. I had set up a blog prior to the cut over and had informed people that because email could be down and that I won't be able to communicate with them, that they needed to check the blog for updates. This worked well (for the people who went there) and I'll definitely use a blog again in the future. We also found out that the new "Outlook Anywhere" (RPC over HTTP) defaults to "NTLM Authentication" and by default won't accept clients configured to use "Basic authentication". We had some clients that had used Basic Authentication and to speed things up had to enable it for Outlook Anywhere. This EMC command did the trick:

Set-OutlookAnywhere -Name Server01 -IISAuthenticationMethod Basic,NTLM

TechNet Link

Second, IMAP and POP are not enabled by default. After a few people using Mac Mail and some other mail clients that rely on IMAP. Since we only had a few people using this, it took a back seat untill the MAPI and ActiveSync clients were working.

Third, Exchange 07 now manages manages what 03 called "SMTP Virtual Server" in the Hub Transport Role and Send Connectors. Read up on this if you are unfamiliar with how this works. It can save you some headaches.

Fourth, We moved the final accounts to the new server which were the few BES clients I had. This blogpost is what I used for reference and it worked out well.

What would I do differently? Hard call but I think I would set up an Exchange 2007 Front End Server so that I could take my time. A front end server would proxy the OWA requests when you are in a coexistence period. I also would have gotten the new certificate before moving my services to the new server. Our one Palm Centro user had ActiveSync problems with the GoDaddy.com certificate we had. My CITRT peeps David Szpunar and Daryl Hunter have some great blogposts on working with Certs when upgradeing so I'll just link to their posts.

Microsoft knew that ActiveSync and the AutoConnect settings can be a pain so they made a great site for testing your connection, https://www.testexchangeconnectivity.com/

So, I hope this helps someone out there but mostly I did this post so I don't forget!

Internet Failover Using EIGRP

noreply@blogger.com (Jeremy Good) — Thu, 06 Aug 2009 18:21:00 +0000

Internet Failover Using EIGRP

If you have a mostly Cisco network like we do, you know that there is nothing you can’t do, for a price. Cisco has some great Fail-Over techniques using their ASA 5500 series Firewalls but you need to get the extra HA licensing. Also, what do you do if your other firewalls aren’t Cisco? In this case, EIGRP can get you the same basic features for free. Now before I get lots of comments on this, using dynamic weighted routes with EIGRP does not provide Stateful Failover meaning that you will drop your connection for a short period while the network converges and you won’t be able to setup BGP this way (I think).

The Setup

For this post, I’m going to use a simple scenario of having two sites with two internet connections. One is much faster than the other and it makes sense to backhaul the internet from Site B to Site A when the connection at Site A is active. For this post, let’s assume that you want to just protect against the link between sites going down and not things like the Internet modem locking up (In future posts I’ll address this).

RTRA EIGRP Config

RTRA Fa 0/0 ip address is 10.100.1.2 255.255.255.0
RTRA Fa 0/1 ip address is 10.1.1.1 255.255.255.0
FWA Fa 0/1 ip address is 10.1.1.254 255.255.255.0

RTRA# conf t
RTRA## ip route 0.0.0.0 0.0.0.0 10.1.1.254
RTRA# router eigrp 100
RTRA# network 10.1.1.0 0.0.0.255
RTRA# network 10.100.1.0 0.0.0.255
RTRA# redistribute static metric 20000 1 255 255 1500

RTRB EIGRP Config

Fa 0/0 ip address is 10.100.1.3 255.255.255.0
Fa 0/1 ip address is 192.168.1.1 255.255.255.0

RTRB# conf t
RTRB# ip route 0.0.0.0 0.0.0.0 192.168.1.254 255
RTRB# router eigrp 100
RTRB# network 192.168.1.0 0.0.0.255
RTRB# network 10.100.1.0 0.0.0.255

Summary

Both routers are participating in EIGRP group 100. They will advertise their routes to each other and calculate the metric based on bandwidth, congestion, etc. The key here is setting the “redistribute static metric 20000 1 255 255 1500” command on RTRA. This tells EIGRP to redistribute the static routes you have setup in the router with a bandwidth of 20,000 kbps, delay of 1, reliability of 255, loading of 255, and MTU of 1500. RTRB has a static route for 0.0.0.0 but with a metric of 255. The dynamic route from RTRA will have a metric of 170 (External EIGRP) and will replace the static route in the routing table. This works fine if the only static route you have is for your default route so this isn’t very flexible. You could also attach a summary default route to Fa 0/0 and accomplish the same thing.

If the link between RTRA and RTRB is active, traffic that doesn’t have a route in RTRB (Internet) will be sent to RTRA. In the event that the link between RTRA and RTRB goes down, RTRB will send traffic to its local internet connection because the static route is now the only default route.

Now the biggest downside to this type of “failover” routing is that it isn’t fully dynamic and doesn’t take into account the fact that Cable or DSL modems can lock up and will still look like they are up to the firewall or router and therefore not remove the route. This approach also doesn’t work well if you have even more locations with their own Gateways to the Internet. I will address this in the next post.

Idea's for Projects

noreply@blogger.com (Jeremy Good) — Wed, 01 Jul 2009 02:14:00 +0000

Just got back from the Granger IT Round Table which was awesome! Some things that I heard got me thinking of some projects.

Open Source Voice Mail - We have Cisco Call Manager and I don't really want to change to Asterisk because of our investment. I do however like the idea of free voice mail server with Voice Mail to Email features and Speach to Text that some offer. Cisco Unity Connection 1.x doesn't offer these or does for a big price. Working on getting our Unity Connection 1.2 to work with IMAP for voice messages. Almost there.
SharePoint for our Intranet and Communications team and contractors to use so that they don't have to send huge files though email.
Open Source hard drive imaging. Currently we are using Ghost but I don't want to buy more licenses. Something like CloneZilla.
More storage for our Graphics and Video guys untill we get a long-term solution. Getting a Drobo Pro to replace Buffalo Tera Station Pro II.
New wireless for all campuses! Looking at Aruba systems.

Going to be a fun year!

James is Here!

noreply@blogger.com (Jeremy Good) — Mon, 18 May 2009 20:14:00 +0000

James Michael Good - Born May 13th, 2009 @ 10:00 PM

Things went almost exactly as they did with our first child, Madison. James beat her by one minute on the delivery time by coming in at 10:00 PM and Madison coming in at 10:01 PM.
Liza is doing well and recovering quickly. We are both sleep deprived because we wants to eat all the time. Especially at night :-)

Now for some pictures:

See more pictures here on FlickR.

Major Life Changes Ahead

noreply@blogger.com (Jeremy Good) — Mon, 11 May 2009 02:59:00 +0000

Getting married, buying a house, moving, having a kid. All big moments in my life. Now, in as little as two days, I will get to see the miracle of birth again as I welcome our second child, James, into the world. I feel like I'm prepared as I am already a dad but everyone fears the unknown.

What will he look like? Will he have have brown eyes and brown hair like me or blond hair and blue eyes like his mom? Will he be tall or short? All these questions and more make me all the more excited for the coming days. I'm also excited that God knows all this and more about my future son and who he will become.

More details and pictures to come as we adjust from being a family of 3 to a family of 4.

Cisco Phones on HP ProCurve

noreply@blogger.com (Jeremy Good) — Tue, 10 Mar 2009 02:17:00 +0000

Trying to save money? Aren't we all. If you have Cisco phones, you may be able to save big $$ by switching to HP ProCurve switches.

When we needed to add more PoE ports to our Grayslake campus I looked at the price tag of a new Cisco 3560-48PS starting at $4,000, I knew I should shop around. I've been looking at HP for a while now so we picked up a 2610-48-PWR for less than half. Good deal, but then I had to get them working together. This is how I got it to work.

First thing you have to know is that even though HP tries to be like Cisco and use a lot of the same terms on the command line, they're not.

What Cisco calls EtherChannel, HP calls a Trunk. This caused me much trouble early on. HP doesn't really have an equivalent to what Cisco calls a trunk port. All ports are access ports on HP and if you want to use a port like a trunk, you have to assign all the vlan's that you want to use on that port.

In my situation, I had to assign 3 vlans for my trunk. The other confusing thing is that there is no native vlan as you would think of one on a Cisco trunk. To do that, you set a vlan to the port as "untagged" wich makes it the default vlan for that port. Since you can only have one untagged vlan for a port, you have to make the others "Tagged".

If you are using Cisco phones (maybe any phone) you have to have a default vlan and then a voice vlan. The voice vlan has to be set as a static tagged port and then also defined as a voice vlan from the command line as follows:

ProCurve Switch 2610# conf
ProCurve Switch 2610(config)# vlan 10
ProCurve Switch 2610(vlan-10)# voice

After this, you should be set. Well, sort of. Cisco 7912G, 7940G, and 7960G phones are not 802.3af PoE compliant they won't power up on this switch. The solution, add a patch cord. When you do, the positive signal of the PoE gets sent on the correct pin and the phone works. Kind of a bummer but $200 of crossover cables you can have all your phones up and running.

So, about $46 a port for HP as compared to at least $83 for the Cisco, time will tell if it is worth it.

Oh, With HP you also get Lifetime Warranty and updates!

** Update **
After doing some more testing it appears that the phones are not getting an IP address from the Voice VLAN and are not using it. This will not work in our environment because it is designed to have voice traffic on the voice VLANS. If we had newer phones like the 7941G which support LLPD-MED which acts like Cisco CDP, we could make them work. Back to the drawing board :-(

**Update**
If I had listened to what @procurvehelp on Twitter had told me, I would have had a solution.

@procurvehelp "Todo this: Press Setting, choose Network, choose Admin VLAN, press **# to go admin mode, change op & admin vlans, save & reboot."

On the Cisco phone, after you change the Admin. VLAN Id and press the "Validate" soft key, press the "Save" soft key. After that, the phone reboots with the correct settings and you are now on the Voice vlan! So, it is possible to get 7912G, 7940G, and 7960G phones able to work with an HP ProCurve 2610-PWR-48.

**Update**
Last night we fully cut over to the ProCurve and everything is working great! I'll have to wait to see if we have any call quality issues but I don't think that we will. Think I might look at some more HP gear but just make sure that I have the newer phones!

Windows 7 Beta on Tablet PC

noreply@blogger.com (Jeremy Good) — Sat, 21 Feb 2009 18:07:00 +0000

A few weeks ago I switched my hard drive back to Vista on my Lenovo X61 Tablet. Over all I think Windows 7 is a huge improvement over Vista. I couldn't get my pen to work the first time but now it appears to be working and the handwriting recognition has gotten even better!

So, back on Windows 7 Beta and I love it!

Update

Windows 7 is available to the public now but I'm still loving Windows 7 Beta on my tablet and everything is working great. Looking to get off the Beta and onto the production x64 version soon. I haven't had any issues with features working but I will document the install better this next time around.

Some Late Nights

noreply@blogger.com (Jeremy Good) — Fri, 20 Feb 2009 15:35:00 +0000

I just had some late nights upgrading our switches and Dell SAN. Here's the scoop and a few things that may save you if you have to do the same.

We had to update our Cisco switches at all our Chapel campuses this last week to support our newest endeavor, HD Simulcasting! We are going to be sending HD video of our live service to our other campuses in only a month! We are going to send one feed for a fixed center screen and another for Imag and graphics on the side screens. We are using HaiVision 1020 encoder with a Maco HD card to encode both streams. We are still working out some decoder issues now.

*Note on updating Cisco switches though the web GUI. Even if it says that it has uploaded the .tar file and is rebooting, DO NOT DISCONNECT! If you don't wait until is says, it may not load the HTML files.

While I was in the updating mood I updated our Dell MD3000i SAN to the newest firmware. I hadn't done this before but it was pretty easy. (See Justin Moore's blogpost for details) The part that took the longest was backing up the SAN. It took about 10 hours and the sad part is that it only had about 1TB on it! I need to figure out a better backup method. Backing up to our Buffalo TeraStation Pro II is WAY too slow!

*If you add another NIC to your VMWare Server, make sure to exclude your SAN NIC's from the bridge mode.

*I never did post what I thought about the Buffalo TeraStation we got. My advice, if you want to use this for more that archival purposes, spend a little more and get something much better.

TeraStation Pros

Cheap
Uh...

TeraStation Cons

One GB Ethernet port
Slow web GUI
Bad firmware updates and NO change log on the updates (unless you can read Chinese)
Lots of Mac OS X issues.
Did I mention slow?

Frozen!

noreply@blogger.com (Jeremy Good) — Sat, 24 Jan 2009 02:55:00 +0000

We are getting closer to having our fiber network installed. For the last week we have seen many AT&T trucks around our Grayslake campus pulling fiber optics up and down the highway. The fiber finally arrived yesterday but there was one big problem that prevented it from being connected.

ICE!

We had rushed to get the conduit on our property run this fall so that we wouldn't hold up the project. We found out yesterday that that conduit had filled with water over the last two months! The record low temperatures we have had over the past month had caused a small portion of our underground conduit to freeze! Now we had to figure out how to clear it out. Hopefully without digging it up.

This is what we tried:

(Prayer)
Fish tape. Nope
Bigger fish tape. Nope.
Power rodder (for sewer pipes). Nope.
Garden hose run down the pipe to the blockage and hot water turned on. Success!

After leaving the hose on for about 30 minutes we had melted though the 2' section of ice and the pipe was clear. We pumped and vacuumed the water out and sucked a new rope though. Later today, AT&T came back and pulled the fiber.

Hopefully soon our fiber will be done and we can communicate at the speed of light!