For example, you may not want to display page errors to visitors of your website, but want to see them for anything in the /development/ sub-directory where you’re working on new things. You might create a .user.ini file in that sub-directory containing

error_reporting = E_ALL
display_errors = On
display_startup_errors = On

Or perhaps you have a sub-directory of remote procedure calls which are invoked from a webpage via AJAX and always return JSON data. You could simplify them by creating a .user.ini file in that subdirectory containing

default_mimetype = “application/json”
display_errors = Off

What can’t you do? You can’t use any configuration directives marked PHP_INI_SYSTEM, which cover fundamental and security-related PHP configuration are reserved for the root php.ini file.

On November 8th 2011, the FBI, in conjunction with NASA-OIG and Estonian police, arrested several criminals operating under the company name “Rove Digital”. Rove Digital had been distributing DNS changing viruses (TDSS, Alureon, TidServ and TDL4). They then routed victims through their own DNS servers in order to direct traffic to junk ads. They infected around 4 million users, and made a reported $14Million before getting shut down.

With such a large number of compromised users relying on Rove Digital’s DNS servers for their Net access, the FBI decided to temporarily leave the DNS servers up and running to give people time to clean up their infected systems. Because people have been slow about cleaning up their computers, the FBI extended their original March deadline to Monday July 9th.

If you would like to verify that your computer is clean, you can go to http://www.dcwg.org/detect/ for a list of safe sites that you can use to check. Should you find that you have a compromised computer, they have good resources available to help you clean up your system.

That workflow is not ideal. I’d rather do it all in PowerShell. I got some great help from the fine folks over at /r/powershell and Don Jones’s PowerShell books and videos.

Here is a better way:

• Use the Import-Csv cmdlet to import the data as an array objects with text properties, for each column.
• Add and adjust the properties we need and their values.
• Pass the whole array to New-Mailbox, which will do the right thing, as long as all the parameter names match the object properties.

If I exported the data as .csv, with properly named column headers, this would get even easier, but I will give PowerShell the same data I gave awk for the sake of parity. So let’s say I have no control over the format the data arrives in and it comes space-delimited like this:

Alice Adams aadams aadams@corp.domain.com Password1
Bob Baker bbaker bbaker@corp.domain.com Password2
Charlie Carter ccarter ccarter@corp.domain.com Password3
Dan Davis ddavis ddavis@corp.domain.com Password4
Ed Evans eevans eevans@corp.domain.com Password5
Frank Foster ffoster ffoster@corp.domain.com Password6

Here is how to use PowerShell to add these users using the data from this file.

To use a space for the field delimiter, we’ll use -Delimiter ‘ ‘. This file does not have a header row. Import-Csv imports as key-value pairs, so each column needs a name.  By default, it uses the top row for that, but that would not be the right thing to do here, since the top row is data.  So we can either put a header row on the file, or define alternate column names with a -Header argument.  Here is the command import my users.txt file as an array of objects, $users:

PS> $users = Import-Csv -Delimiter ' ' -path .\users.txt -Header FirstName, LastName, SamAccountName, UserPrincipalName, plaintextpass

This loads the data from the file into an array of objects $users.  Each element of $users has properties as defined in the header with values from the corresponding row.  Here’s the first element in $users:

PS> $users[0]

FirstName         : Alice
LastName          : Adams
SamAccountName    : aadams
UserPrincipalName : aadams@corp.domain.com
plaintextpass     : Password1

Next, we’ll add the “Name” property, which is a string in the form “FirstName LastName”

PS> $users = $users | Select-Object -Property *, @{name='Name';expression={$_.FirstName + ' ' + $_.LastName}}

The property is appended to the end of the list, but that’s fine, since Add-Mailbox accepts these arguments in any order. Here’s how the first object looks now.

PS> $users[0]

FirstName         : Alice
LastName          : Adams
SamAccountName    : aadams
UserPrincipalName : aadams@corp.domain.com
plaintextpass     : Password1
Name              : Alice Adams

Add-Mailbox wants the password as a system.securestring, and won’t accept a plain string at all. Items of type System.SecureString is stored in memory encrypted.  We’re defeating the security benefits of that behavior by handling the passwords as plaintext elsewhere in the script and in the data file. For exactly that reason, ConvertToSecureString will complain if we use it to accept plain text with -AsPlainText, but it will do it anyway if we use -Force.  The whole thing goes like this.

PS> $users = $users | Select-Object -Property *, @{name='Password';expression={(ConvertTo-SecureString -AsPlainText -Force -String "$_.plaintextpass")}}

Now we have the password stored as a SecureString.  Trying to print the password only prints “System.Security.SecureString” and not the actual contents, but it is in there.

PS> $users[0]

FirstName         : Alice
LastName          : Adams
SamAccountName    : aadams
UserPrincipalName : aadams@corp.domain.com
plaintextpass     : Password1
Name              : Alice Adams
Password          : System.Security.SecureString

Now let’s get rid of that plaintext password.  Strictly, this step is not necessary. Since “plaintextpass” does not match any of the arguments that Add-Mailbox accepts, it will be discarded.  But since we need to encrypt the password as a SecureString to pass it anyway, why pass it as plaintext as well.  So we strip the property out like this:

PS> $users = $users | Select-Object -Property * -ExcludeProperty plaintextpass

And finally, our objects look like this:

PS> $users[0]

FirstName         : Alice
LastName          : Adams
SamAccountName    : aadams
UserPrincipalName : aadams@corp.domain.com
Name              : Alice Adams
Password          : System.Security.SecureString

It is not an accident that these are exactly the arguments that Add-Mailbox wants.  This is the fun part.

PS> $users | Add-Mailbox

That’s it. The contents of the properties of each object in $users are passed to the corresponding arguments Add-Mailbox accepts.  Add-Mailbox takes those arguments and creates six new users.

And of course, since this is powershell, all of this can be done in one big pipeline if readability is not your thing.  That would look like this:

PS> Import-Csv -Delimiter ' ' -path .\users.txt -Header FirstName, LastName, SamAccountName, UserPrincipalName, plaintextpass | Select-Object -Property *, @{name='Name';expression={$_.FirstName + ' ' + $_.LastName}}, @{name='Password';expression={(ConvertTo-SecureString -AsPlainText -Force -String "$_.plaintextpass")}} | Select-Object -Property * -ExcludeProperty plaintextpass | Add-Mailbox

We’ve had all of our major public servers accessible by both IPv4 and IPv6 for some time, and continuously since World IPv6 Day last year. We’ve also been assigning IPv6 networks by request to customers with routers and network gear capable of supporting it. We’d love to assign more, but although enterprise-grade equipment and every major computer operating system supports IPv6, support in consumer-grade equipment such as DSL routers has been in a chicken-and-egg limbo for years.

So what’s the big deal?

The Internet has run on the IPv4 protocol since September, 1981. An IPv4 address is a 32-bit value, which provides around 4 billion unique IP addresses. Even though changes have been made to the allocation and usage of this space, from replacing the original classed network system with CIDR to routing schemes like NAT, it was never really designed or intended for an rapidly growing public Internet, and it’s clearly at the end of its road.

IPv6, which has actually been around for longer than you might think, is the next generation of Internet addressing. Will it ever fully replace IPv4? That’s unknown but the days of freely allocating more IPv4 addresses are at an end.

IPv6 uses a 128-bit address and provides a vastly larger number of unique IP addresses. Large enough to handle 4 billion unique organizations each with 4 billion unique clients each with their own 64-bit address space, itself 4 billion times larger than the entire IPv4 address space. IPv6 provides the room to create and implement advanced networking features like auto-configuration, efficient routing, and simplified renumbering.

What can you do to help move us further away from IPv4?

Talk to your Internet and/or hosting provider about IPv6 and ask about their deployment plans.  Ask them to publicly comment or announce their plans. Talk to your IT department and ask the same questions.

Welcome to the production Internet!

ipHouse has a Tegile Zebi storage array in production since March, 2012, and the increase in performance has been noticeable.

ipHouse Deploys Tegile’s Zebi Storage Array http://ger.ms/KmJXa3 - Exciting to see Tegile growing and I’m still happy with my choice in new storage for our VMware clusters.

Newcomer gets out its box, plans to sell it cheaply to all comers http://ger.ms/LTjuzY

Tegile Selected as a Red Herring Top 100 North America Tech Startup http://ger.ms/KxUJZE

Our vmForge VDC clusters are peaking around 14,000 IOPS and the MASS solution is offloading about 11,500 IOPS via SSD. I wish I could graph this and show it to the public at large but I don’t have a way yet. (those are peaks, average is closer to ~8,000 IOPS with ~6,900 IOPS via SSD)

So far, I have everything I need to create and deploy organizations, administrator accounts, and the virtual data centers themselves, and have been working on networking. Unfortunately, the API doesn’t seem to offer an easy way of determining which external networks are unassigned and available for use. I’d have to walk through the tree of existing VDCs and their assigned networks, and subtract those from the complete list of external networks. Then hope there’s not another process running, doing the same thing, which tries to grab the same network. So we’ll be doing that via peeks and pokes into a separate SQL database.

Another hurdle we’re going to have to deal with is that some operations are asynchronous. For example, setting up a vShield Edge device for a routed external network takes a while. So when a client requests that, the API can only confirm that the task has been started correctly. The task will actually complete a few seconds or a few minutes later, long after the client has disconnected and continued on its way. If it fails for some reason, we’ll have to be monitoring those tasks to catch it.

A website URL has many pieces of information, even in common every day use. A URL such as

has 3 different pieces of data:

• https is the protocol used to get access to the service.
• The second is the hostname of the server to get data from contained between the /’s.
• The data after the hostname and slash tells the web server what specific data you are looking for.

There could be more slashes, other odd characters, or even more advanced parts to a URL that I won’t get into here. The main point is that we have the protocol, the hostname, and we have web server data; three parts melded into one URL.

At the simplest levels, what DNS returns after looking up a hostname in the directory, though, is just a number. Much like a phone #, the number is the Internet address of the web server that should handle your request. Your computer connects to this web server, presents the rest of the URL for processing and gets the data you are looking for.

One very common misconception is that DNS gives you more data than a number. Specifically many people assume web server data, such as more web server URL data, is inside DNS A records as well. Only numbers are ever returned inside a DNS A (or AAAA for IPv6) record (what your computer is looking up for visiting a web site). Anything after the hostname in the URL is only handled within the web server itself.

We get requests all the time to set up a website “redirect” within DNS. This can’t be done. DNS hostnames can be pointed to web servers, but not with extra data that isn’t just a number (an Internet address). That extra data needs to be configured inside a web server somewhere.

Unfortunately, many people do believe that this can be done because a few web companies have set up magic systems to make it seem like it is part of DNS. But what their magic is doing is running up yet another web server somewhere, handling the web request, and the web server gives out more results to go back to somewhere else. Since many DNS service companies run out of the country, your web site visitors end up getting bounced around the globe chasing down the proper web server in the end. Usually this works, but there is delay and processing (or latency) while the requests are handled off in Australia or Europe. If that web server redirect server is down, so is your site, because you depend on somebody else having the correct configuration while being up and available.

It is better to configure your web server locally to properly handle different domain names you may have instead of having magic redirects bouncing your customers around the globe. That way all your requests stay local and nobody else can intercept your web visitor to somewhere else due to a misconfiguration (or potentially nefarious activity). Response time will be quicker (latency again) since you’ll handle the request directly off your server instead of the visitor going to different offsite servers and then finally back to your server with the correct URL you wanted in the first place.

Finally, you don’t have to keep track of who does what function. I have seen redirect chains more than 5 levels deep as nobody knows any longer what was set up, what goes where, or how to troubleshoot such a complex setup. They build up over the years with different designers doing something a bit different with each revision.

With all your domainname/URLs configured in the web server to properly handle each one, it is all in one place, one response, and updates are easily handled without chasing it all over.

I really don’t have a lot of tools for testing, I use two for the most part: telnet and openssl s_client. I could use netcat, but telnet is installed on every UNIX-like system I touch.

Testing http is simple.

$ telnet localhost 80
 GET / HTTP/1.1
 HOST:www.example.com

Should return the website for http://www.example.com

SMTP is a little more complicated. You have to know a bit about the SMTP protocol. Testing SMTP-AUTH requires a BASE64 the username and the password.

Testing SSL is nigh impossible with telnet, so that’s where openssl s_client comes in. Again, I could use netcat, but openssl works just fine, and is already there.

 $ openssl s_client -connect www.example.com:443

Gives you something like this:

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
 Server public key is 1024 bit
 Secure Renegotiation IS supported
 Compression: NONE
 Expansion: NONE
 SSL-Session:
 Protocol : TLSv1
 Cipher : DHE-RSA-AES256-SHA
 Session-ID: 38964888A9D4EBD17FC76D033CE02C5A0710C5EBD51D51A9FC6350CC8CFE019B
 Session-ID-ctx:
 Master-Key: 3A997E182CA1E9B8C3D5314D80B0F4B98973B1FC5B6AC754BE02CDA53B686FD73D8F9329D6290BE7AC53EA3871F3099B
 Key-Arg : None
 Start Time: 1332519536
 Timeout : 300 (sec)
 Verify return code: 18 (self signed certificate)

This includes SSL statistics, including the certificate’s status. The last line in this case shows that this is a self-signed certificate, and would generate errors After the SSL status appears, you are entered into an interactive session for issuing commands, a lot like telnet. SMTP over SSL works much the same way. You can also test TLS via the -starttls option.

So, with a little bit of knowledge, you can test both mail and http via telnet and openssl. No extra tools required.

Besides the documentation, which is voluminous (must like any network vendor), an excellent point to start is with Juniper’s DayOne whitepapers.

They are available at http://www.juniper.net/dayone/ and cover a range of beginning to advanced topics. They are called DayOne, as it should take a person about a full day to read and digest what is contained in them. They also have some advanced topics that are weekly guides (called This Week).

While these study guides are old, they are still valid for the basics, and getting started in JunOS, even if it doesn’t cover the very latest topics. These pointers are tucked away pretty good, so you may not run across it very easily.

http://www.juniper.net/us/en/training/certification/books.html

Certification Fast Track is part of the next topic, but I’d point out especially this part of where they offer study materials and sample tests for their certification tests. The Fast Track program starts here.

https://learningportal.juniper.net/juniper/user_fasttrack_home.aspx

But this gives you course materials, and pre-assessment exams about those topics. You can also get half-priced exams at Prometric testing.

Juniper also offer more topics than just their certification tracks through their learning portal (https://learningportal.juniper.net) with even topics on their newest hardware, such as the QFabric. eg. they have installation, design and setup topics on that solution up already, as well as firewalls (SRX), Switching (EX), as well as their routing (MX, M & T series) devices.

Finally, the ultimate soft-lab is Junosphere. They’ve made it very easy now for people to buy time with just a credit-card. Just sign-up, give them credit card data and I had to wait 3-4 business days for it to process through their systems.

https://learningportal.juniper.net/juniper/user_activity_info.aspx?id=5735

While it does cost some $$$, paying $5 per day/per router virtual spun-up is not all that expensive as a study aid.

This lets you deploy a network of routers spun up inside virtual machines, and build a whole network with a few configurations here and there, and a few mouse clicks.

It is setup for a full-on lab training for enterprise customers, but single home-users can use it just fine as well.

It is pretty cool to have at your control a number of routers spun up at your command, as used Juniper routers aren’t exactly cheap. Even ancient discontinued models still fetch a pretty decent price on eBay.