The first stop is VMware’s headquarters. There, they have a pretty cool hardware setup that is available both for eye candy and for a true purpose. During VMworld 2009 in San Francisco, there was an awesome display of equipment for lab use during the show. For day-to-day operations, there is a need for equipment to provide demonstrations in more private settings. VMware has a mobile infrastructure that can be used to provide demonstrations in more comfortable settings for requirements in their Palo Alto headquarters as well as for industry events.

The demonstration racks are available in the lobby of one of the buildings at the VMware campus. In Figure A, the Field Day attendees are being shown the mobile racks for the demonstration infrastructure.

Figure A

Note the limited number of cables coming down from above the racks. This is intentional. Because the infrastructure may be required to be on-site at industry events, there are design elements used to get this equipment to its destination with ease.

One other point is, that using 36U racks, the equipment transports easily. Air transportation in a crate is done easily as well as being not too large to move around for two people. Another ease-of-entry point for a remote destination is the networking for all of the equipment involved. For the mobile demonstration infrastructure, the networking is self-contained by using NAT-translated IP addresses. This saves time by keeping the infrastructure networking consistent for all locations.

Creating this environment was to solve a simple problem for VMware. In the past, the demonstrations in booths or other solution exchange environments had their own equipment located in each venue. For large events, there could be dozens of small inventories of servers, storage or networking, to facilitate the demonstrations. By consolidating all of the required resources to one consolidated inventory, efficiencies are realized. Plus, it is really cool to show a large collection of equipment as well.

Do you have any mobile equipment requirements? What architecture design elements do you use to facilitate an easy transition? Share your comments below.

—————————————————————————————

A new survey on the usage patterns of international mobile data users has yielded some interesting information on how travelling executives get Internet access while on the move. Based on the responses from 300 professionals, the survey was conducted in the months of July and August 2009 by Stroke, a provider of all-IP broadband gateways and data offload solutions, and Trustive, a provider of international Wi-Fi access.

If you recall, I spoke to Barry Hill, Vice President of Sales and Marketing of the Santa Clara-based Stoke, Inc., about the challenges faced by mobile providers in a blog post just a couple of months back.

The results of this new survey are out; here are the points that I think are most relevant to us as IT professionals.

• 72 percent of respondents pay for their own Wi-Fi access; employers picked up the tab for the rest.
• 51 percent have been unpleasantly surprised by the size of a bill on their return.
• 98 percent say that staying connected with business by accessing email was the most important element of Wi-Fi access. On the same note, the use of VoIP and IM stands at 42 percent and 34 percent of travellers respectively.
• 40 percent of users say they want to be connected and available for business interaction at all times, even if only three percent of their bosses actively require them to be connected.
• 65 percent described themselves as being “network-dependent,” in which they access the network for information as required rather than bringing it along.
• 64 percent say they use Wi-Fi for data roaming, with 41 percent of users planning their Wi-Fi usage in advance, in terms of where and when to get access.

Not surprisingly, the survey found that PDA and wireless dongle users are “frequently frustrated by difficulties in download or viewing applications on their devices,” and hence return to wired computers at hot spots.

Personally, I have my fair share of frustrations with non-functioning or problematic Wi-Fi access points (AP) at hot spots. There was at least once when I requested the cafe staff to reboot their wireless router, which promptly rectified the problem. At many places though, the Wi-Fi AP might not be owned by them or are located at non-obvious locations.

What is clear from the survey is the increasing reliance of mobile workers on wireless and mobile data, even when travelling overseas. Despite the fact that few bosses expect their employees to stay connected, most executives opt to pay for Wi-Fi access out of their own pocket. Of course, a high percentage relies on Wi-Fi for data roaming, with a sizable proportion planning their Wi-Fi usage in advance so as to minimize their costs.

I’m curious as to how the experience of TechRepublic members compares to these survey results. I’ve included two polls below:

Let us know more about your experiences in the discussion. Also, have you ever been “unpleasantly surprised” by the size of a bill on your return?

—————————————————————————————

In my organization — a small office — we use Active Directory. Until recently, the environment consisted of one local and one remote site with one Domain Controller (DC) each, providing service for about 65 users total and serving up everything from file and print services for both sites to e-mail. The remote location has about five users, and everyone is close by, so the single domain controller works quite well there.

Here at the corporate office, the remaining population of about 60 users is connected to a single domain controller. This setup faithfully plugged along, handling authentication and all the directory services we could ask for — until this week.

One morning recently when I arrived at the office, there were several users ready to let me know that they didn’t have access to the services they needed.

My initial investigation revealed that DNS was nonfunctional. Also, the DC itself was very sluggish and seemed like it might need a restart. At first, the restart was to see if the kinks would go away and allow me to dig in to the issue further, but when the system came back up, everything picked up and the Active Directory load flowed again. People were able to log in, and drive mappings started working again. Because of Active Directory’s heavy dependence on DNS, when DNS went down, everything else went with it.

Being a small shop by most standards, the idea of the single point of failure was there, but it didn’t really seem like it could be a major problem. After all, we have a domain controller at the remote site and this should be quite sufficient. Well, this would be true if the link leaving the corporate office were faster, but trying to send replication traffic and additional requests for login over the WAN would have been a nightmare.

The restart got everything back online as quickly as possible, but I wasn’t satisfied with knowing that under any heavy load, the issue could easily come back and take the organization offline. At first I thought about ordering a new server in order to get another DC set up, but even though servers are cheap, they’re not free and don’t materialize upon request, so I started to take stock of some of the other servers we have running in our environment.

One of these boxes used to run all kinds of things for the Web, but we moved those sites out to a host in the cloud to speed up access to them. Doing this left a server with a good amount of horsepower and not much work to do, making it a perfect candidate for our next DC.

Better performance with more infrastructure

Now that Active Directory runs on two domain controllers at our main site and both of them host the integrated DNS zone for our organization, the likelihood of a complete downtime has diminished. Also improved are the authentication for all users in the main site and access to resources here and on the Internet.

Outside of AD, I use Desktop Authority from ScriptLogic to manage the user environment, providing a one-stop place for printer and drive management and things of that nature. Since I was adding another DC to the directory, I also installed the Desktop Authority services there to ensure everything that typically processed during logon had no excuse not to attempt running when the users logged on.

In addition to getting another DNS Server/DC running on the network, I also added the role of Global Catalog to the new DC. This should allow for all aspects of AD to function continually if one of the DCs here were to go down.

Network areas that need particular attention

In many Windows environments, Active Directory plays a starring role and missteps in configuration or not planning for enough resources can bring things crashing to a halt. But there are other areas, even on a small or midsize network, that can become single points of failure if you aren’t careful. Here are a few to watch out for:

Network Switches: Depending on the user count in an organization, keeping spare switches online might not be feasible; however, it is recommended to keep a couple spare switches around in case something happens to cause a failure.

Tape Drives: Backup and recovery is fundamental in the IT world; without a good (and regularly tested) backup, the data in an environment is only as good as the weakest link. In my organization, I have two tape drives. We are small enough that one tape covers all the backup jobs, but in the event that one drive goes down, I do not need to worry about not being able to restore from a previous backup if there is a catastrophic event.

Network Interface Cards (NICs): Most servers today ship with multiple NICs, which is good for both improved connectivity when using both and failover if one of the cards in a server (or other box) fails.

Internet Connections: As dependent as society is on the Internet, having redundant connections, depending on the size of an organization and its business model, may be a key component in preventing a single point of failure. Smaller businesses outside of the technology industry may not be able to justify the cost of keeping a connection with two providers active, but it couldn’t hurt to have a contact at multiple providers and possibly discuss what you would need to get up and running if your main provider were down.

The list I provided here is not all inclusive, but for most organizations these are things that should be considered in planning for the worst. Planning for redundancy will always seem like overkill to some people when things are working normally, but not planning for components to fail will surely result in those same people looking to you when there’s unexpected downtime.

Lessons learned

This ordeal was a major one for our organization, even though it was cleaned up and corrected fairly quickly. I am glad I caught this when I did, but I will admit I wish I had gone the route of the additional domain controller prior to the outage. Doing so would likely have prevented this issue. Working in a one-man IT shop makes some of the tasks that need to get accomplished more difficult or likely to be postponed while you’re putting out other fires. But the consequences of not planning for every contingency will always be worse than making the time to address single points of failure on your network.

Need help configuring, administering, supporting, and optimizing network infrastructure? Then turn to our free Network Administration Newsletter. Automatically sign up today!

Many PCs and servers come with the ability to perform Wake-on-LAN (WoL) boots. For network adapters that are connected to the network while the device is powered off, WoL supported systems can be sent a remote power-on command. At one point in my practice, I disabled this on critical servers in favor of managing the servers with something like the Dell DRAC or HP iLO device. I still feel it useful to know how to perform this command, so I’m going to walk through using the AMD Magic Packet Utility.

Installing the software is straightforward, and the tool will perform a scan of the subnet mask to enumerate the hosts. The result of the scan on my lab network is shown in Figure A.


Figure A

Once the network is enumerated, the magic packet can be sent to a specific MAC address. This is either known ahead of time or determined by the scan done in the step above. To send the magic packet, simply enter the system’s MAC address into the window, as shown in Figure B.

Figure B

At that point, the magic packet will be sent over the current subnet to the destination MAC address and the system will power on. See this TechRepublic discussion for how to configure WoL packets to be sent to different subnets. WoL behavior will depend on a number of factors, namely the system hardware and network configuration. Network interface support or even the network BIOS or ROM may affect WoL behavior, as will the system BIOS.

On the other hand, should this even be enabled on networks? Chances are WoL packets are bad, as there is no security in the mechanism, making use of the feature difficult in certain environments. Do you forbid WoL support and disable it? I can totally see the point in doing so; share your comments below on WoL and the magic packet.

For Amazon Web Services, there are effectively two cloud storage offerings. The first is Elastic Block Store, which functions like a disk attached to a server in a cloud instance. The other is the Simple Storage Service (S3) cloud. S3 is an API-driven storage platform that you can access through code or Web tools. This storage requires a different approach, but I believe it will definitely find a home for use cases such as data protection.

For the S3 cloud, when content is uploaded, there is an associated access control list (ACL) that goes with the object. This can allow public access for anyone with the URL to download the file, or you can create additional permission-based access. This is a very important configuration that, depending on the use case, can make or break your case for the cloud. One tool that is available in the space to manage these ACLs as well as other elements of S3 storage is the CloudBerry Explorer. I’ve mentioned them before on this blog for their quick action to have the Explorer product support additional storage providers in the cloud.

The ACL for the S3 cloud is flexible, yet not overwhelmingly complex. It is a quick read on the AWS documentation site, which explains how ACLs are applied. For modifying ACLs on S3-based storage, the CloudBerry Explorer tool allows this to be done directly in the intuitive graphical interface, as shown in Figure A.

Figure A

Click image to enlarge

Within CloudBerry Explorer, e-mail address access can be assigned as well as Web URLs can be obtained for access to the stored data. AWS introduces the concept of Grantees, which are owner, e-mail user, canonical user, AWS user group, anonymous group, and owner. Like other permission models, the endpoint access can be one of many things in this case for AWS.

The ACL configuration interface within CloudBerry Explorer can also assign rights to be propagated to subfolders and files, an important step in managing large amounts of data. If you are working with S3 storage, how are you managing your ACLs? Share your comments below/

If you have suggestions for new or updated checklists for specific tasks, put them in the comments area of this post.

10-point cleaning checklist for keeping equipment healthy
Boring as it may be, but cleaning is an essential part of any regular system maintenance schedule. You can stretch equipment life, reduce repairs and service calls, and keep users happier by periodically running through the steps on this list.

Documentation checklist: What the new IT guy needs to find out
When TechRepublic member jdclyde landed a job as the first in-house tech for a company that has always outsourced its IT needs, he had no documentation or institutional knowledge to fall back on. Here’s the list that’s helping him pull everything together.

Office relocation checklist
Whether you’re helping a client tackle a move or relocating to a new building, you’ll need to implement a system to help you get organized and avoid potential disasters. This checklist, based on suggestions submitted by TechRepublic members, covers questions, issues, and advice related to office relocations.

Windows laptop specifications checklist
IT consultant Erik Eckel has put together this checklist to help you select the laptop components that will meet staff needs throughout the system’s lifecycle. Once you’ve selected the best option for each component (there are 12 in this list, ranging from display and OS to integrated mobile broadband, battery, and optical drive), you can generate a spec sheet for quick reference at purchase time.

The TechRepublic Spyware Removal Checklist
Everyone from small businesses to enterprise organizations must battle the associated spyware risks that include key trackers, Web page redirectors, persistent pop-up advertisements, inoperable network connections, unwanted tracking applications, and other nefarious programs that slow and even render systems and programs nonoperational. While not every infected system can be saved, following the steps in this TechRepublic checklist can go a long way toward eliminating common infections and repairing the collateral damage.

10 common network security design flaws
Solid planning and design can help reduce the potential for security breaches. Here are some security design missteps to watch out for.

10 cool things you can do with a USB flash drive
Greg Shultz introduces a variety of creative ways to put that drive to good use.

10 things you should do to ensure basic Web site security
Using a security procedures checklist is your first step toward securing a resource — a means of aiding your memory before you apply your critical thinking skills and imagination to the task of improving security for each item. Chad Perrin shares his list of far-too-common security failures on Web sites and Web servers.

Certificates have not historically been my favorite area of technology. While we have to use certificates, most applications will create a self-signed certificate. This is not a good practice at all, however. When do you decide to use a certificate authority (CA) server on your own network?

This is a complicated question, but I will share some points that I have learned along the road about when it makes sense to install a local certificate authority. In many situations, people deploy the Windows Active Directory Certificate Services role. Having centralized management with Group Policy is a requirement to scale the reach of the policies to many users and computers. One trick is to deploy certificates through Group Policy, which is especially helpful with device certificates.

One of the best examples is to configure a wireless network to require a computer (or device) certificate for access. This removes the risk of passing around passwords for accessing wireless networks. This would be applicable for organizations wishing to provide wireless access in an office setting to designated systems, instead of providing public access or using passwords.

Having a CA in place can also address the friendly reminders from Internet Explorer’s certificate warning messages. If the local CA certificates are trusted on the domain, replacing self-signed certificates can make a much more pleasant experience for internal users.

A certificate can also be the second factor for VPN access. If the VPN access policy checks for the device certificate on the computer in question, then that can be the additional factor outside of a username and password. Having multifactor authentication, of course, is much more secure than simply using a username and password (single factor), and having the computer certificate managed by authoritative policy allows additional protection.

Installing a CA won’t help in every situation, however. Any external-facing systems won’t benefit from using the certificates created with the internal solution, even if they are located on the internal network and serve content to the external networks. This can include Web services or anything that uses secure socket layer (SSL) communication.

What criteria do you use to determine if you need to start hosting a CA? Share your comments below.

——————————————————————————————

Juniper Networks on Thursday unveiled an armada of new gear, software, and chips that it hopes will ding Cisco Systems while positioning the company well in the next-generation data center.

The networking company will roll out its strategy at the New York Stock Exchange later today (statement). Juniper’s strategy positions the company’s network operating system, Junos, as a centerpiece of the enterprise network while surrounding it with a bevy of new systems, including processors that offer “3D Scaling.” In a nutshell, 3D Scaling is expected to allow for more subscribers, services, and bandwidth to be squeezed into the network.

For Juniper, the product overhaul represents a repositioning as the center of the network. Juniper CEO Kevin Johnson called the repositioning a “historic day” for the company that highlights the vision for the next decade of networking. “Juniper believes it’s time for a new approach to networking. An approach based on smart systems and open software platforms. An approach that adapts to changing business dynamics. An approach that embraces partnership and unleashes innovation,” said Johnson.

Juniper’s biggest brother in this adventure is IBM, which has an original equipment manufacturer (OEM) partnership. The companies said that IBM is now shipping to customers a suite of Ethernet networking products. In addition, Juniper has surrounded itself with a bevy of other partners such as Dell.

The game appears to position Juniper as a Switzerland-type neutral and open figure as larger players vie to become the dominant data center architecture.

Among the moving parts from Juniper:

The company unveiled new Junos software platform. Junos, a network operating system that runs behind the scenes, is Juniper’s answer to Cisco’s Internetwork Operating System (IOS). Junos has been updated to program layers of the network for rich user interfaces. Juniper’s platform consists of the Junos operating system, a Junos Space network application platform, and Pulse, a network client.

Juniper rolled out new processors. The company touted a new Junos One family of processors. The linchpin here is a Junos Trio chipset with 3D Scaling, which allows enterprises to cram more onto a network. Junos Trio will be delivered in new line cards and 3.5-inch routers for the Juniper MX Series. The Junos chips are the fourth generation. There are 30 patents in the architecture. Juniper founder and CTO Pradeep Sindhu said in a statement that the company has invested more than $80 million over the last five years developing the processor line.

Juniper introduced new edge routers based on its software and new processors. The systems, dubbed MX 3D, carry some heady claims, including dramatic cuts in operating expenses for carriers. Juniper is claiming that the MX Series can provide up to 2.6 terabits per second with less power consumption. To put that throughput into perspective 2.6 terabits per second equates to 8.5 million iTunes downloads in one tenth of a second or 50 Blu-ray DVDs downloaded in less than 5 seconds.

The MX 3D introductions include new line cards and two new routers. The products will be available in December and throughout 2010.

The company is offering cloud services based on its systems. Virtualized security services are the headliner here, and Juniper is also offering new support for VMware and Citrix.

Also see: “Juniper Steps Up Cisco Assault“

—————————————————————————————-

Microsoft spent a great deal of time listening to customers and adding items to Windows 7 that bring a great deal of information right to the desktop, both from the internal network and from the Internet through the use of Federated Search. Ed Bott did a video tour of search in Windows 7 here, but I thought I would dig in to other parts of the search capabilities in the new OS.

In the Release Candidate of Windows 7 (and in Windows Vista), files and folders on your computer can be found from the Start menu. Simply press the Start key (or click the Start menu) and begin typing in the search box. As matches are found, files and locations will appear in the Start pane, as shown in Figure A.

Figure A

An example of search from the Start menu in Windows 7

In addition to looking for things on your own computer, which I personally use all the time rather than sifting manually through documents and programs, you can include Search Connectors, which will allow you to search from the desktop on both your internal network and the Internet.

A search connector for the Internet will allow you to search that particular Web site or service from Windows Explorer. Figure B shows an example of a search using the Twitter Search Connector, returning results for the hash tag #Windows7.

Figure B

Searching Twitter from Windows Explorer using Search Connectors

There are a number of Search Connectors coming, and the list is growing every day; some I have used so far are:

• Bing
• Yahoo
• Google
• Technet
• Ebay

A third-party site containing these and other connectors can be found at: http://www.sevenforums.com/tutorials/742-windows-7-search-federation-providers.html; also provided are instructions for creating your own provider.

Microsoft is working to get a list of these connectors published, but I have not seen it as of this writing.

How do I use Federated Search to find things on my own network?

Searching locations on your network is a snap as well in Windows 7. For machines that are domain joined, you can look for things on the network from Windows Explorer as well. Simply enter the name or partial name of the file, folder, or item you are looking for and press Enter. The search will use your network credentials to return results you have access to.

Searching outside the folders and files on your computer from the Start menu is available but must be enabled in Group Policy. To change this setting, open the Group Policy Editor and expand the following:
User Configuration | Administrative Templates | Start Menu and Task Bar. With this grouping of policies visible, you can enable Internet searches from the Start menu by enabling Add Search Internet Link to Start Menu.

When adding pinned searches to the Start menu, these are referred to as Search Again links. When you look for something on your PC like the word Microsoft, Windows will return results on your local PC. With these Group Policy settings enabled, you will be able to resubmit your search against a different scope (the Internet, libraries you have created, or specific sites) and see related results.

To enable Library searches and Search Connectors from the Start menu, go to User Configuration | Administrative Templates | Windows Components | Windows Explorer and enable the following Group Policy setting: Pin Libraries and Search Connectors to the Search Again Links and the Start Menu. From here you can also enable the setting for Pin Internet Search Sites to the “Search Again” Links and the Start Menu.
Figure C shows a Start menu search with all these policy settings enabled.

Figure C

Search options pinned to the Start menu

When adding libraries and Internet sites, you will be asked to specify which library locations and search sites to add. Figure D shows the configuration pane for Internet search sites.

Figure D

Configuring Internet Search sites via Group Policy

These search capabilities are a great addition to Windows 7 and will be something I use regularly. I am interested to know how you might use the search features to boost your productivity.

—————————————————————————————

I wrote recently about how smartphone device loyalty will trump standardization in the enterprise. A number of TechRepublic members such as Palmetto wrote that users in their organizations are forbidden by company policy from bringing in privately owned laptops and smartphones. In fact, TechRepublic member travis.duffy declared, “No matter how loyal someone is to their iPhone” they are not going to be connecting them to his company network.

On the flip side of the coin, we have TechRepublic member bharman, who pointed out that regardless of company restrictions, savvy users will find ways to circumvent the rules. The comment by bharman underscored the position I was trying to put across — that the bottom-line reality in many organizations might not match up to company policies specifying the devices that employees can or cannot bring to the office.

The entire discussion thread did get me thinking a little further, specifically to the risks when one’s e-mail account is inadvertently or maliciously exposed. While it is conceivable for IT departments to lock down access at every nook and cranny, the truth is not every organization will have the resources or expertise to do so.

Today, I attempt to highlight some possible avenues that might result in the inadvertent leaking of sensitive e-mails.

Avenues for e-mail leakage

One common scenario would be IT-savvy employees linking up their personal laptops to their company’s Exchange Server. Obviously, these additional workstations represent additional points of vulnerability, especially so if they are used outside the company premises. While it is possible to disable or block HTTP access to forcibly divert the access of e-mails to the LAN, this is hardly a practical solution against the backdrop of an increasingly mobile workforce. In this context, the use of VPN does not protect against the risk of e-mail leakage.

For organizations on Microsoft Exchange, it is trivial to enable Exchange ActiveSync to allow mobile devices such as Windows Mobile smartphones to access corporate mailboxes. However, this also opens the door to devices such as the Apple iPhone or iPod Touch, as well as other mobile phones that implement the Microsoft ActiveSync protocol. Organizations concerned about the security of such devices can, of course, disable such access from Exchange. However, Exchange push mail represents the most affordable option for many SMBs; they will be hard-pressed to pay for the steep licensing fees to implement a secure BlackBerry Enterprise Server with RIM BlackBerry solution.

IMAP is a popular choice used by many organizations to access server-side e-mail without having to buy into Microsoft Exchange or other costly enterprise e-mail systems. Most smartphones and mobile devices now have built-in capability to access IMAP services natively, leading to additional points of vulnerability from lost or misplaced phones that might contain cached e-mails or even passwords.

Organizations that use Microsoft Outlook should also be aware that it is trivial to sync e-mails and contact lists directly from Outlook using tools that are widely available on the market. While the information is static and limited to what was transferred in the last sync, it does not detract from the danger that the loss of the device represents.

Other avenues where e-mails might leak would be via the use of POP access. It is not uncommon for some users to opt for Save a Copy of E-mail on Server on their e-mail client so that they can download the same e-mails onto a different machine or laptop. In addition, any forwarding rules will only create additional copies of corporate correspondence that can be lost or compromised.

Conclusion

There is no doubt that none of the points of vulnerability above represents insurmountable obstacles to a diligent and skilled network administrator. I hope I am wrong, but it is a little hard for me to imagine many smaller organizations that would bother to address all the areas highlighted above.

How does your organization lock down e-mail? I would love to hear about it.