Exit the Fast Lane

Dropbox

noreply@blogger.com (Weestro) — Fri, 03 Feb 2012 18:04:00 +0000

I can’t imagine anyone that might stumble across this blog to not use or at least know what Dropbox is at this point. But in case you don’t, as one of my absolute favorite utilities it deserves a special slice of the limelight. Dropbox came about in 2007 by an MIT student named Drew Houston and some of his MIT buddies. It was created to provide a cloud-based storage solution with the intimate user experience of user local files/folders in your computer’s file system that sync back and forth. To this day, few of Dropbox’s competitors can do this at the super affordable price point of…free. Dropbox leverages Amazon’s S3 cloud storage solution as well as local space on your computer. Since starting, Dropbox has grown to nearly 50 million users and continuously adds new features and clever ways to get additional free space.

Plans

Getting started is simple. Just follow my referral link here or at the bottom of this entry and we’ll both get additional bonus space on top of what you get for free, just for signing up! In it’s base form they give you 2GB of storage for free. You will need to create an account then download/ install the Dropbox client on your computer (Windows, Mac, Linux). You can get up to 25GB free if you really try but if you want more you can optionally pay for it.

Web

100% of your Dropbox can be managed via the web. Uploading/ downloading/ deleting files and all account features.

A very cool and compelling feature of Dropbox is its management of deleted files . If you accidentally delete something or delete then change your mind later, restoring deleted files is easy. All changes to files are replicated everywhere, cloud and all computers connected with clients.

Folders anywhere in your storage hierarchy can be shared with anyone for collaboration efforts.

A running log of everything going on is captured in the Events tab: file/ folder changes, space increases, invitations, etc.

Multiple computers can be linked to the same Dropbox account which ensures that you can keep your files in sync easily across all platforms. Additionally, if you leverage certain Dropbox-aware applications on your mobile platform, these can be managed here as well.

Client

With the client installed on your computer(s), all files and file changes are immediately replicated up to the cloud and all other connected computers in your account. A shortcut to your Dropbox is automatically created in the Windows Explorer Favorites section in Win7/ Win8 and all files stored in the cloud are available in your local file system.

The client itself does not provide near the functionality that the web does. It’s primary purpose is really to control how that specific computer interacts with the cloud. Upload/ download limits, proxies, and root folder locations can be specified here. A compelling feature that comes enabled by default in the client is “LAN sync.” LAN sync will control how your files replicate between Dropbox-linked computers on the local network by providing client to client syncing. No need to pull from the cloud locally if you don’t need to!

Right-clicking the Dropbox icon in your system tray allows you to quickly see what your space consumption is, pause syncing, and a few other options not found within the UI of the client itself.

Free Space

As soon as you log in to the website for the first time you will see your first opportunity to gain additional free space.

The Dropbox team is constantly coming up with clever ways to give you more space through referrals (which double if you are a college student), linking to Facebook/Twitter, participating in annual “Dropbox Quest” challenges, and most recently just for testing a new beta function. Right now if you install beta 1.3.12 and auto-upload pictures/ videos, you can earn up to 4.5GB of additional, free, and permanent storage. Awesome!

Add the Dropbox client to your mobile platform of choice and you now have a well-connected ecosystem of files available to you anywhere. I’ve been using Dropbox since before it went 1.0 and it only gets better. Check it out! If you do please use my referral link below so we can both enjoy even more free storage!

My referral link: http://db.tt/ISx8N0LF

Chrome: Custom Search Engines and SSL

noreply@blogger.com (Weestro) — Fri, 06 Jan 2012 22:45:00 +0000

Google Chrome, the best browser available right now, has a unique way of handling custom search engines versus its competitors Firefox and IE. Instead of using plugins, in Chrome search engines can be added via the URL + query string used by whatever site you want to search in the Omnibox. In many cases Chrome will auto-detect websites that are universally searchable and add those entries to the search engine list. You can then go into the “Manage search engines” area and assign a custom keyword for use in the Omnibox.This list is contained in the Basics page of the Options. Keywords in Chrome work the same way they do in Firefox.

With the ability to create custom search engines, you should search using SSL absolutely everywhere possible. The importance of internet security will only continue to escalate and using SSL even when you don’t have to is a great place to start. I created a new custom Google search engine to connect to encrypted.google.com and made it the default, for example. Most of Google’s sites support a secure connection method.

Here are some of the useful custom search engines I’ve created. Put these strings in the “URL with %s in place of query” box and define a name and keyword of your choosing:

Encrypted Google: https://encrypted.google.com/search?hl=en&as_q=%s

Android Market: https://market.android.com/search?q=%s

Google maps: https://maps.google.com/maps?f=q&source=s_q&hl=en&q=%s

Also make sure to enable the search engine sync feature in “about:flags” to keep your custom list on all PCs you run Chrome on.

Use a simple or single letter keyword and you have a very easy and versatile search solution.

Wake On LAN

noreply@blogger.com (Weestro) — Wed, 04 Jan 2012 22:29:00 +0000

Happy New Year!!

While I wait for the work I’ve been doing for the past 6 months to be publicly released (so I can talk about it), here is a quick post about WOL. WOL technologies have been around for awhile and are used to wake a computer from sleep by sending a magic packet or pattern to the sleeping PC. The best analogy I’ve seen for this is a bunch of people in a room together and one person across the room shouting out another’s name. Everyone but the person with the name called ignores the call. Sleep mode shuts down all major processing on the PC but keeps active tasks (documents, etc) alive in RAM which continues to be energized during sleep. This allows the PC to be quickly awakened and resume normal operation, right where the user left off.

Use Case

I have 6 Windows7 PCs in my house, all of which are connected to a HomeGroup, along with a NAS, a LAN-enabled TV, an XBOX360 and a PS3, all capable of delivering and consuming content via DLNA. I let my PCs sleep after 2 hours of inactivity which saves power consumption. Sometimes I want to access content or simply RDP to a PC that is sleeping. Instead of walking around and physically waking up a sleeping PC, why not leverage WOL? This can be useful in corporate environments as well if you don’t already have tools in place.

Set Up

First you need to enable WOL in the properties of your NIC, most of which these days should be supported. In the advanced properties tab look for “Wake-Up Capabilities.” The important thing to enable in the values here is the Magic Packet. Enabling Pattern is ok too.

Wake Up

Now when the PC sleeps it can be awakened remotely. There are a few different tools out there that can do this. I’ll be working with Depicus’ tools which has, among others, command line and GUI versions: Wake On LAN GUI/ Command Line. Both are free and dead simple executables that require no install and can be easily stored in your Dropbox for portability. They also have apps for Android and IOS. Each version accomplishes the same thing ultimately and can target a host over the internet if need be. All that is needed is the MAC address of the PC to wake up, its IP, subnet and port. For LAN wake up use port 7, if using across the internet you will need to specify a port that is allowed through your firewall as well as a public IP.

The GUI provides a dropdown to specify local subnet or internet. In my tests the GUI required the dashes in the MAC address, it gave an error without them. The cmd version will accept either.

Here you can see the PC I’m waking up is 10.10.1.19. It is fully asleep when the Ping starts, times out to unreachable, then comes back alive when the magic packet was sent.

That’s it! Another reason to stay seated. :)

References:

Power Management for Network Devices in Windows 7

Depicus

Tomorrow’s the big day…

noreply@blogger.com (Weestro) — Thu, 29 Dec 2011 03:43:00 +0000

So, it just so happens that I left Godaddy a few months ago just because I finally got sick of their terrible pricing and misleading terms. Not only that but their site is intentionally obtuse, they try to cleverly pad sales with extras and make it difficult to disable auto-renewals. There was a time when they were THE go-to domain registrar but those days are long gone. Better pricing alone should be incentive to switch registrars.

Coincidentally, GoDaddy’s recent blatant and arrogant support of the federal internet censorship bill – Stop Online Piracy Act, “SOPA” caused the outrage of the internets who called for a boycott. GoDaddy has lost tens of thousands of domains already and has since reversed their position on SOPA as a result, but the boycott will proceed regardless. Namecheap.com, a far superior and less expensive registrar, is offering a transfer special in honor of the boycott. Coupon code: SOPASUCKS

If you have domains to renew anyway or need a reason to get away from godaddy, there you go…

My Sphere of Android

noreply@blogger.com (Weestro) — Fri, 11 Nov 2011 03:00:00 +0000

I’m fairly new to Droid, ~5 months now, and was formerly a corporate BlackBerry user for years. The BB was always company paid so while short on the user experience it was still a no-brainer and provided the basics, largely thanks to Google apps. Once my BB use came to an end (and my days of production support as well) not going iPhone was also a no-brainer. As an “in the weeds” technologist, Android suits me perfectly! ROMs, recovery, kernels, radios, overlays, launchers…every piece of Android is completed customizable and I love it. Unlike Apple’s limited walled garden, Android is the wild badlands so you do need to be careful. There is no Windows Update equivalent in Android where every device gets firmware updates direct from Google. This is handled by each phone OEM in cooperation with the wireless carrier. Because of this, Android phones are not always kept up to date or even at the same build of the OS! Most users are none-the-wiser. Apple’s method is much better ensuring that all iPhones stay current. Android, following the Windows distribution model, is also free to be stuffed full of system-slowing bloatware by the OEMs and carriers that customize the OS for each device. This is not allowed in the Apple world (kudos). If you don’t mind a little nuts and bolts tinkering, you can run whatever version of Android you like, debloated, rooted, deodexed, and are free to change what you like for an incredible user experience. There is a ton of information out there all over the place so this post will serve to consolidate the pertinent research and hands-on I did for my devices.

I have 2 very different but individually awesome devices in my clutches: The Samsung Charge and the Motorola Droid X (DX), both on the Verizon network.

The Charge is newer and one of the first LTE phones on the Verizon network. It currently does not have any officially released OTA version of Gingerbread, although the latest 2.3.6 leak suggests it’s coming soon. The DX has been running Gingerbread for a few months now. While the DX is 3G only, it is still great performer and a stalwart among Droid enthusiasts.

Droid Charge

The Charge comes with Froyo (Android 2.2), the TouchWiz overlay, and plenty of bloat courtesy of Verizon. Battery life was acceptable, not great, in stock form lasting no more than 15-20 hours. The worst part about the bloat is that they’ve engineered it into the OS so that it’s always running. You can kill it with a task manager but it will just come back. So that by itself is a heavy justification to root and/ or run a custom ROM or app with freeze ability. Even with no root access a number of things can be changed and customized. The launcher is usually the first thing out the door as it controls the look and feel of the OS. Themes, icons, fonts, transitions…all of these things can be changed. My favorite launcher at the moment is the Go Launcher EX. Go adds some really neat things like 3 additional pages of bottom screen shortcuts, a ton of themes, widgets, and the ability to customize every aspect of whatever theme you choose. Go also offers some other good stock app replacements such as Go SMS Pro and Go Contacts/ Dialer. This has got the be the coolest aspect of Android. You don’t like the keyboard or dialer? No problem, just replace them. Before changing the launcher, you will also need to install a home switcher app such as home manager. Here is my home screen using Go Launcher EX with a glass theme and Sense-style clock.

While changing the launcher can definitely improve the experience provided by the OEM it does not deal with the bloat slowing down the phone. For the more adventurous the stock ROM can be completely replaced. There are a few options out there including leaked builds from the OEM/carrier and third parties such as GummyCharged. The leaked builds come rooted and bloated or not. Some folks prefer to run the bloated ROMs and use apps like Titanium Backup Pro to freeze the offending bloat. I am opting to run rooted and debloated ROMs as I’m not concerned about OTA updates at this point. Other popular choices are still not yet available on this platform, namely CyanogenMod and MIUI.

Each OEM has its own unique toolsets for working with the hardware. Samsung has an official flashing utility but there is also a third party utility called Odin that is used for flashing. Unlike the Motorola, flashing the Charge with a new ROM is as easy as:

Load the Samsung drivers on your Windows7 PC and launch Odin
Put the phone is download mode by:
- Turning off phone
- Remove SIM card
- Hold volume down, press power firmly for 1 second and release
- Once in DL mode you will see this screen:
Plug phone into USB on PC (preferably the rear of PC)
Push the new ROM to the phone via Odin using the “PDA” setting (very important!).

That’s it! No need to run rooting apps, boot to recovery or run console commands. When you reboot the phone after the flash it comes back up rooted, debloated, and running all the latest including radios and kernels. No data on the SD card is affected at all. Odin can also be used if you messed up and need to return your phone to a stock ROM. I strongly recommend that you remove the SIM card before flashing! There have been some reports of problems when flashing with the SIM in. Detailed step-by-step on using Odin here.

Here is my phone running the (hopefully) final official Charge Gingerbread build, but rooted and debloated.

So far the new build is excellent. I haven’t observed any bugs or glitches at all. Zero bloat and my battery life has increased to 24+ hours now. We don’t know about Ice Cream Sandwich yet (Android 4) for this device but that will be my next upgrade, unless MIUI or another official GB leak surfaces of course…

Droid X

The DX has been around for a little while now but is still a solid performer and more than capable of running the latest software. It has its own batch of stock bloat and depending on how much stuff is running can lag a bit. The biggest single thing missing from the DX in stock form is the pull down toggles that the Charge has. I’ll fix that here in a moment however.

Just like the Samsung devices, Motorolas have their own tools and drivers. The Motorola flashing utility is RSD Lite which is used to revert to a stock ROM, a process called “SBF”-ing. Because my DX received an OTA upgrade to Gingerbread I had to SBF it back to stock before I could root and apply a custom ROM. There are definitely a few more steps to achieve the same end result on this device. The following steps were required to apply a custom ROM and recovery on my DX:

Prepare to sbf back to stock froyo
- Put sbf file in root of C:\ on PC
- Connect phone to usb, reboot into download mode
- Hold camera button, vol -, hold power for 1 sec to enter DL mode
Use RSD Lite to load sbf file
- Once in DL mode select sbf file, click start
- You may have to manually reboot and put phone back in DL mode to finish
Boot to stock recovery (see section below for how)
- Select Wipe/ factory reset
- Reboot
Get root
- Install Z4Root, reboot, then run it, select permanent root
Load Droid2 bootloader
- Load ClockworkMod Droid2 bootstrap from market (cannot get into CWM recovery without this!)
Load Rom Manager from market
- Flash CWM Recovery from Rom Manager
Reboot to recovery (which should now be CWM)
- Factory wipe/ backup if you want
- Load zip of custom ROM you want to load
- Reboot

Subsequent ROM loads should be much simpler and can be done easily from recovery with the files stored on the SD card. I was going to load an official DX ROM similar to what I did on the Charge until I found the magic that is MIUI, recently made available for the DX. MIUI is a custom ROM that is not only beautiful but highly customizable and adds nearly every feature one could want coming from a stock Motorola build. Lock screens that allow you to go right into phone or SMS apps, pull downs with toggles, even data monitoring/ alerting and application level firewalling where you can prevent certain apps from using 3G or wifi. MIUI even has the much coveted “CRT effect” when you press power to lock the phone. Very cool! If they ever make this available for the Charge I will definitely give it a go.

Recovery Mode

/recovery in the Android file system contains some basic maintenance tools that can be booted into outside of the OS. Like all other Android components this stock recovery can be replaced with an upgraded aftermarket version. Most people who root and tweak their phones prefer to run the ClockWorkMod (CWM) Recovery. For the Charge, just like the core OS ROM, CWM can be flashed on the device using Odin. The process is a bit more involved on the DX as I outlined before because the bootloader has to be replaced first. With CWM ROMs can be loaded, backed up and restored directly from recovery.

To boot to recovery on the Charge:

Turn phone off
Hold volume up, Home, and Power buttons
Samsung logo will come up and disappear
When Samsung logo comes up for a second time, let go of all buttons

Controls:

volume up/down = up/down
Power = enter

To boot to recovery on DX:

Turn phone off
Hold Home button and press Power until the Motorola logo appears
Release Power and continue to hold Home until an exclamation appears
Release Home and press the Search button once.

Controls:

volume up/down = up/down
Camera button = enter

Apps

Running rooted there are a few apps that you just must have. Some builds come with a few of these but some do not (MIUI).

Superuser – grants SU rights to applications on your phone that need it, must have this!

ROM Manager – This currently does not work for the Charge and many prefer not to use it, but it’s an easy way to flash CWM recovery and manage ROMs from within the OS.

Busybox – Linux toolset installer, some other apps like Titanium Backup need this.

Droid 2 Recovery Bootstrap – (for DX) allows you to boot into CWM.

Titanium Backup – Free and Pro (donate) version. Allows you to backup/restore apps and relating data, freeze/thaw apps, as well as a number of other things. This is a VERY powerful utility.

Swiftkey X – This is my favorite keyboard right now and you don’t have to be rooted to run it. Great customizability and incredible for speed typing with deep learning capabilities for predictive text.

Cases

After spending hundreds on these phones, I opted to protect my investment from the potential drop or day-to-day unprotected wear. After doing quite a bit of research I narrowed down my selection to Otterbox and Incipio. Both are very well regarded in terms of quality and protection. I ultimately went with the Incipio SILICRYLIC on both phones which is a 2-part soft layer in hard shell case that protects the phones very well. The fit, finish, and quality of materials is exceptional. The minimal bulk added to the phone is completely worth it. The phone still fits in the pocket nicely.

So far I’m really enjoying my stay in Droid country and after being with ATT for nearly a decade, Verizon is a breath of fresh air. I have built and customized my own PCs for many years so it makes sense to have similar control on my smart phones. Rooting doesn’t have to be a scary thing if you are very careful and do your research before pulling the trigger. Everything documented in this post is to be used at your own risk. I am not responsible if something goes wrong and you brick your phone (most of which are recoverable anyway). All of the files that I discussed but did not provide direct links to can be found, you just need to dig a little.

Resources:

http://www.mydroidworld.com

http://www.xda-developers.com/

http://www.addictivetips.com

http://www.droidforums.net

Quick hit: Fix Scratchy Volume Controls

noreply@blogger.com (Weestro) — Wed, 02 Nov 2011 18:07:00 +0000

I use the Klipsch ProMedia 2.1 speaker setup on my home PC and for awhile now I’ve been getting audible cracking and static noise when adjusting the volume. This fix also applies to other household devices that use potentiometers (pots) so hopefully you will find this useful.

Basically, the pot needs to be cleaned and lubricated as it is transferring noise into the audio system. The first thing to do is head over to Home Depot and grab a small can of CRC 2-26, which for me was less than $3. This formula is both a cleaner and a lubricant which is important because some contact cleaners have no lubricant. The CRC worked fine for me but if you want the Cadillac of contact cleaners check out DeoxIT which runs ~$15/ can.

To get started you need to expose the pot by removing the case or covering of the volume control. The external knob connects to the metal stem of the pot which will look something like this:

Spray a small amount of fluid on the stem of the pot and the threads. Turn the stem back and forth many times to work the fluid in, you should notice the resistance lessen while turning. Let the fluid dry and test the volume control before you button everything back together. I followed this procedure on my Klipsch set which now turns smoother than before and the scratchy static is gone.

Quick Look: vCenter 5 Virtual Appliance

noreply@blogger.com (Weestro) — Wed, 26 Oct 2011 00:00:00 +0000

New with vSphere5 is an all new SUSE Linux-based (SLES11) virtual appliance to optionally run vCenter. The Windows-based counterpart is still available, of course. DB2 provides the embedded backend of the vCenter vApp with remote data support provided for the Oracle DBMS only, no SQL server (yet). Despite the list of limits with this version (outlined below), the vCenter vApp is a very compelling option that introduces great simplicity and cost savings to your overall vSphere solution. The SUSE and DB2 licenses come free of charge but you will still need a vCenter license so you can save on the Windows Server and potentially SQL Server licenses. The embedded DB2 database can support up to 400 hosts or 4000 VMs provided you give the vApp enough RAM. There are currently a few important limitations of the vApp, as identified by Duncan Epping of VMware, that could make it a deal breaker for you:

No Update Manager
No Linked-Mode
No support for the VSA (vSphere Storage Appliance)
Only support for Oracle as the external database
No support for vCenter Heartbeat

To get started you will need 3 files: the system VMDK, the data VMDK, and the OVF file. These can be downloaded from VMware under the vSphere5 components for vCenter.

Connect to an ESXi host directly via the vSphere Client and deploy the OVF template.

Review the details of the vApp then define the name and location.

Next select the disk format. You will notice that vSphere 5 has some new provisioning options here for thick disks: Lazy and Eager zeroed. Lazy zeroed has all space allocated at the time of creation, but each block is zeroed only on the first write. This reduces creation time but also reduces performance of blocks only the first time they are written to. Eager zeroed has all space allocated and zeroed at the time of creation. This increases disk creation time but also increases performance of all block writes. The eager method is more of a “true” thick provisioning in the classic sense while lazy is more of a hybrid of thick and thin.

Once all selections are made, you are off to the races. Deployment can take several minutes to complete.

By default the vCenter vApp is configured with 8GB vRAM and 2 single core vCPUs, the configuration of which is another new feature in vSphere5.

Once the VM is powered on you will come to the following console screen that details how to connect. Initial vCenter configuration is done via web browser on port 5480.

Once connected via web browser, the initial login is root\vmware.

Before you get started, accept the EULA and check for any updates to the appliance via the update tab.

There are a few additional configuration items to address before vCenter will be usable. The first of which is defining the database settings. You can choose to use the embedded DB2 database or specify an external Oracle server. Make your selection and save the settings.

Next, select the inventory size you intend to work with. As you can see in the following screenshot, a setting of “large” equates to 400 hosts or 4000 VMs and will require a minimum of 17GB of vRAM for vCenter.

With those items checked, you should now be able to start the vCenter service.

Before you leave the web configurator, it might be prudent to set a static IP and configure Active Directory integration as well. Now you should be able to connect to vCenter via the vSphere client. vCenter itself is still the familiar interface that you would expect. Functionally, besides the few missing items, there is no difference between this Linux-based vApp and its Windows counterpart. 3rd-party plugin/ addon support may vary in the vApp model.

The vApp performance overall is quite good and there is no issue moving it between hosts in its cluster. Assuming feature integration continues and the gap between this appliance and the Windows solution is narrowed, it makes sense that the vApp may one day be the only offering for vCenter. There are quite a few other things that must happen first, however, namely the View component integration requirements. There is still an awful lot in VMware’s overall product offering that relies on Windows and that OS’ integrated technologies. I definitely recommend that you give the vCenter vApp a spin and see if it is a good fit for your organization.

vSphere5 Licensing Breakdown

noreply@blogger.com (Weestro) — Thu, 20 Oct 2011 02:29:00 +0000

As we all know, vSphere5 is here and many of us are already running it in production and in our labs. I’m sure VMware wrestled with the idea of half-stepping this to rev 4.5 but ultimately decided that there was enough different it deserved a major release. Feature-wise there are only a few net new options and only at the Enterprise Plus level, but the maximum capabilities of the hypervisor have grown significantly in most key areas. ESX and its beloved console is gone now, of course, leaving ESXi as the only option. vCenter 5 is available as a Linux-based virtual appliance which many have been waiting for. The biggest change to vSphere is the licensing model which, if you follow VMware’s logic, does make some sense. So while vSphere5 does now include a vRAM entitlement, it no longer has physical host CPU or RAM limits which were imposed in previous versions. That said, I do prefer a model that leverages tiered upgrades based on feature sets, not how much of your host you intend to use. As a result, many customers may be pushed into buying Enterprise or Enterprise Plus just so they can use the RAM they have installed!

Based on the new model, vRAM entitlements are per physical CPU which equals 1 license. Standard edition will net you 32GB per physical CPU, so 64GB total in your average dual CPU server. Any more than that and you’ll be looking at a higher license tier. The interesting aspect of the new vRAM entitlements is that they pool across ESXi servers managed by the same vCenter server (or linked mode). You still need a license per physical CPU no matter what, but you might just end up with an entitlement reserve that can, in part, be used toward future servers with denser DIMMs.

In the following example I have 3 dual CPU ESXi hosts, 2 with 96GB RAM, 1 with 192GB RAM. The minimum license level I can buy (if I want to use all my RAM) is Enterprise at 2 licenses per host. This gives me a 64GB per CPU entitlement or 128GB total per host. Because my first 2 hosts only have 96GB, this leaves a spare 32GB per server. Just enough to entitle server #3 with 192GB.

Another point of interest is that there is a maximum penalty of 96GB that counts against a vRAM entitlement. So VMs configured with more than 96GB vRAM would only deplete the entitlement by the maximum amount: 96GB. If you’re planning to run vSphere for the purposes of VDI then there is a special Desktop Edition that changes the rules completely. No vRAM entitlements, Enterprise Plus feature set, and you can run all VDI related infrastructure under the same license model (SQL, XenDesktop components, View components, etc). Below is a breakdown of the different editions.

vSphere Standard, Enterprise, Enterprise Plus

Each CPU license comes with a vRAM entitlement. These entitlements are pooled across all vSphere servers managed by vCenter (single or linked mode).
vRAM entitlements are pooled by vSphere edition. Mixed editions in same vCenter will create multiple pools.
No physical CPU core or RAM limits (Vi4 was limited to 12 cores max)
Limits are honor-system based, not software limited (based on 12-month rolling average of the daily high watermark).
Only 96GB per VM vRAM counts against entitlement. VMs configured with a max of 1TB vRAM, for example, would only reduce pool by 96GB.
vCenter5 contains license monitoring/ alerting tools and will warn when pool is approaching or exceeding limits.
List $5600/ 2 x CPU host

vSphere Desktop Edition

New edition for VDI exclusive use.
Unlimited vRAM entitlements.
Enterprise Plus feature set.
Licensed based on total number of powered on VMs which can be purchased with View bundle or in packs of 100.
Current vSphere 4 licenses with SnS can upgrade to VS5 DE and get unlimited vRAM but VDI hosts cannot be managed by same vCenter hosting non-VDI related VMs.
VDI management and monitoring tools are allowed in this license model (VCS, PVS, SQL, etc).
Separate vCenter license still required.
List $65/VM

References:

vSphere 5 licensing

vSphere 5 Upgrade Center

TMG 2010: Reverse Server Publishing

noreply@blogger.com (Weestro) — Thu, 01 Sep 2011 21:05:00 +0000

One of my favorite and most versatile tools in the arsenal is Microsoft Forefront Threat Management Gateway (TMG). Although “ISA” still slips out occasionally, TMG is as ISA was, a firewall, a proxy, a router, and on my short list of solutions to use if traditional methods of routing between networks is not possible, for whatever reason.

Here is a scenario: I have a private L2 network, not reachable from or connected to the corporate network. The private network, unfortunately, uses an IP scheme also in use somewhere on the corporate network. So I cannot simply attach this network to the corporate LAN directly and changing the private network architecture is just not an option right now. Enter the ultimate software network bridge: TMG. But the plot thickens… I have resources on the private side that I want to make available to the corporate network, namely a VDI pool and a Kace web server.

Planning and Design

First and foremost, I need to protect the corporate network. Nothing that goes on in the private network should be able to negatively impact the corporate LAN. This is just a common-sense precaution. With that in mind, the private network will be considered “outside” and firewalled to protect the “inside” LAN. I only have 2 networks in this scenario so a simple perimeter network configuration with 2 interfaces will suffice. My TMG server will be virtual, of course, hosted on an ESXi server with physical connections to both networks. The guest OS will be Server 2008 R2 running TMG 2010, SP1. Because the private network will be considered “the internet”, for all intensive purposes, I will have to reverse publish/ proxy those resources I wish to make available to the internal network. Here is the topology I will be implementing:

This design is typically opposite of what you would normally do with TMG, where you might publish OWA or some other internal resource to the internet. I’ve also used TMG to route specific protocols between otherwise disconnected networks. The end result of this architecture is that users on the LAN side will be able to access the published resources on the “outside”. For this exercise I will be reusing the TMG server’s inside IP address to publish my web server. So users inside will be able to browse to http://10.1.1.50 and be able to view the website hosted on 192.168.1.10.

Setup

All the basic ISA/ TMG setup best practices still apply. Define the networks your internal and external NICs connect to, use a gateway and DNS on only one (the other will be static routed), disable all protocol stack services on the outside interface (NetBIOS, etc), set the NIC binding order properly, etc. These practices are all very well documented so I won’t cover them here. There is also nothing special to configure in the TMG network rules. You don’t need to create a External to Internal route or NAT rule. The magic is all in the publishing rule.

First, create a new Web Site Publishing Rule from within the Firewall Policy tab. Give it a name and set the rule action to Allow. Publish a single web site and decide if you want SSL to protect the server connection between TMG and the web server. For this exercise I will not be using SSL.

Because DNS on the LAN side does not resolve anything in the private network, we need to specify an IP address for the internal web site. Enter the site name, check the box to use an IP address and enter it. We can’t use this site name because it isn’t resolvable but the wizard requires it, we will change it once the setup is complete.

We don’t need to enter a specific path for this website and accept requests for any domain name. Next we need to create a web listener, click New and enter a name. Choose do not require SSL and select the Internal network to listen for incoming web requests.

Select No Authentication and finish to complete the listener setup. Once complete the listener should look like this:

TMG has the ability to pass authentication requests made by published web servers to clients. In this case we don’t need this so ensure that delegation and direct client authentication are disabled. This rule will apply to all users. Once the base rule is created there are still a few tweaks to be made before it will work as intended.

Open the new rule you just created. On the “To” tab, change the published site entry to the IP address and delete the IP in the second field. Ensure that requests are set to appear to come from TMG.

On the “Public Name” tab, change the rule to apply to “requests for the following sites” and enter TMG’s inside IP address.

Now the secret sauce: Link Translation. Without this, the home page may load but every link a user would click on the website would be directed back to the source web server’s IP address. These requests will fail because there is no routing from the corporate LAN to the private network. Link translation will replace the true source IP address mapping with the TMG server’s IP address. On the Link translation tab, click apply link translation to this rule, then click configure.

The mappings button will show you all translations applied to that rule in a web browser report. At this point, after clicking apply, you should be able to test the rule by clicking the Test Rule button. This will initiate a path ping to ensure the destination is reachable as configured. Before it will take effect, you will need to apply the rule in TMG. Now you can test by accessing the website on the corporate LAN side.

Publishing the VDI host will be similar using standard http/https to access the resources. Link translation will again be the key there to ensure that everything that is published through TMG will appear to be hosted by TMG to the end user.

Full disclosure…

noreply@blogger.com (Weestro) — Fri, 12 Aug 2011 15:28:00 +0000

In the spirit of honesty and disclosure I feel that I need to make it known that I now work for Dell as an architect for product engineering in the desktop virtualization space. I am working on bleeding edge VDI solutions, with all the key industry players, on full Dell hardware stacks. That said, the views and opinions expressed here in this blog, my personal blog, are mine alone and are not necessarily the views or opinions of Dell or its affiliates. Any review, guide, download, or advice you see published on this blog are to be used at your own risk.

Hands on with the Cisco UCS C200 M2

noreply@blogger.com (Weestro) — Wed, 29 Jun 2011 17:51:00 +0000

The hype machine in Cisco channel land has been working overtime since Cisco started shipping its new USC line of servers and blade center. If you’ve heard what is being said, Cisco is basically claiming to have reinvented the server and is now offering unparalleled performance over their competitors. Their one large claim to fame on the onset was their VMware VMark scores, but as of this writing HP has bested them in every category by small margins. The other key selling point is Cisco’s Extended Memory Technology which allows an increased amount of physical RAM in UCS servers aimed at providing greater virtual machine density.

Cisco, in my view, has never been a company overly concerned about sexiness in their hardware or software, although they certainly tried harder than usual with their king Nexus 7000 switch. The UCS C200 servers I have acquired will be used to power a new virtualized Unified Communications infrastructure (Call Manager) which is another major advancement in Cisco’s product offerings. So while my use case will not push these servers to their theoretical performance limits, I will still get down and dirty with this new hardware platform.

Under the hood

My first impression of the C200 is that it looks remarkably similar to an older lower-end Dell PowerEdge or SuperMicro white box server. Aesthetically pretty vanilla, at this level anyway. That said, the layout is simple and gets the job done in true minimalist fashion. All internal components are OEM’d from the usual suspects: Intel, Samsung, Seagate, LSI… Getting the cover off of this thing is truly a pain requiring a lot of hard release button mashing and downward forceful pushing. Both of my C200’s were like this so definitely not a fluke.

The C200 ships with 2 Gigabit NICs for host traffic and 1 NIC for out of band management (CIMC). VGA and USB ports are in the rear with a proprietary KVM dongle port on the front of the server. 2 expansion slots and dual power supplies are also available. Although effective, I dislike this style of power cord retainer which is also used by NetApp.

The rail kit is where Cisco really dropped the ball as I guess they assumed that all their customers would be using extended depth racks. The rails are tool-less snap-ins with adjustable slides, the problem is that the rail itself does not adjust and cannot be made any shorter.

For standard depth racks the tail of these rails stick out past the posts.

I had to rack this server in the middle of my rack or the tail on the right side would block a row of PDU ports. (wtf!)

Cisco Integrated Management Controller (CIMC)

CIMC is the remote out-of-band management solution (IPMI) provided with Cisco servers. With the very mature HP ILO and Dell DRAC remote management platforms around for years, Cisco’s freshman attempt in this space is very impressive indeed. All of the basic data and functionality you would expect to find is here plus a lot more. Access to the CIMC GUI requires Adobe Flash via a web browser which is visually pretty but disappointing to see in an enterprise platform. They certainly aren’t the only major vendor to start trending this direction (read: VMware View 4.5).

Performance is a bit slow for tabs on some pages where the hardware has to be polled and display data refreshed. But when that data eventually trickles in, the level of detail is dense.

The Network Adapters tab was misbehaving for me on both of my servers. After a few seconds all these amazing options disappear and an error:timed out pop-up appears. This will be incredible once they (assumedly) fix their code. Notice the tabs in the middle for vNICs and vHBAs intended to provide tight virtualization integration.

Really great detail…

That was all just from the Inventory page! More great detail is revealed in the Sensors section with multiple readings and values for each core component of the server.

There are a few other notable features that Cisco has included that are particularly cool. One of which is the ability to configure certain BIOS parameters from within the CIMC.

Some variables that can only be configured during boot time in other platforms can be changed via CIMC, although some if not most of these changes will require a reboot to take effect.

Other user, session, logs, and firmware management options include all the usual settings and variables. One other neat option in the Utilities sub menu is the ability to reboot CIMC, reset it to factory default as well as import configurations! That’s huge and will make managing multiple servers much more coherent. All told and bugs aside, the potential of CIMC is very impressive.

Call Manager - the virtual edition

A major shift for Cisco, now available in CUCM Version 8.x, is the ability to deploy the enterprise voice architecture inside of VMware ESXi. Call manager, and it’s sister voice mail service Unity Connection, are just Linux servers (RHEL 4) after all so this makes perfect sense. You can now deploy Call Manager and Unity clusters inside of a virtual space while leveraging the HA provided by VMware as well.

This of course doesn’t come without its caveats. Currently Cisco does not support VMs living outside of Cisco servers and that includes storage. So you will have to buy a Cisco server to deploy this solution as well as keep the VMs on Cisco disk, not your own corporate SAN. You can use your own VMware licensing and vCenter at least which is a good thing. Once Cisco has established a comfortable foothold in the enterprise server market, look for these policies to ease a bit. Right now they need to sell servers!

To ensure that partners and customers deploy CUCM in a consistent fashion, Cisco has released open virtual machine templates (OVA) for their deployments. OVAs keep things nice and clean, even if you won’t agree with their choice of virtual hardware (LSI Logic parallel vs LSI SAS). CUCM is still managed the same way, via web browser, and the interface is exactly the same in v8 as it was in v7.x.

Not purely Cisco-related, but a minor observation that others have noticed as well is that ESXi incorrectly reports the status of Hyper-Threading support on non-HT Intel-based servers. My C200 is equipped with Xeon E5506 CPUs which do not support HT. Not a big deal, just an observation. If HT was available in this CPU I would definitely enable it as ESX(i) 4.1 can now schedule much more efficiently with the new Intel CPU architectures.

Wrap

All in all there’s a lot to like about the new Cisco offerings. A commitment to virtualization and hardware optimized to run virtual workloads are smart investments to make right now. There are some physical design choices that I don’t particularly care for but this model server is at the bottom of the platform stack, so maybe more consideration was paid to the platforms at the top? CIMC was carefully constructed and, although buggy right now, shows some real innovation over competing platforms in this space. More companies that would not have otherwise been able to buy into a full-blown Call Manager cluster configuration can now do so with reduced hardware investments.

References:
Cisco OVA templates

Delegating permissions to BitLocker recovery keys

noreply@blogger.com (Weestro) — Mon, 20 Jun 2011 15:38:00 +0000

BitLocker is a useful hard drive encryption tool supported by the Enterprise and Ultimate versions of Windows7. Recovery is handled through the use of 48-digit keys that are generated for each host running BitLocker. Best practice and common sense is to configure your environment so that the recovery keys are stored in Active Directory. There are a number of scenarios in which the use of these keys are required to gain access to the OS. By default only members of the Domain Admins group has access to these keys which is very inconvenient if you have a delegated support staff that are not domain admins.

You can grant your support group full control to the AD container housing computers with BitLocker enabled and they will still not be able to see the recovery keys. Delegation of this access is done via a script. Just copy the text below, save it to a file with a .vbs extension, and run cscript whatever.vbs from a DC or workstation with a Domain Admin logged in. The only thing you need to change in this script is the second line: enter whatever your support AD group is called here. This all of course only applies to Server 2008/R2 and Windows7.

'To refer to other groups, change the group name (ex: change to "DOMAIN\Help Desk Staff")
strGroupName = "DOMAIN\Help Desk Staff"

' --------------------------------------------------------------------------------
' Access Control Entry (ACE) constants
' --------------------------------------------------------------------------------

'- From the ADS_ACETYPE_ENUM enumeration
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT      = &H5 'Allows an object to do something

'- From the ADS_ACEFLAG_ENUM enumeration
Const ADS_ACEFLAG_INHERIT_ACE                = &H2 'ACE applies to target and inherited child objects
Const ADS_ACEFLAG_INHERIT_ONLY_ACE           = &H8 'ACE does NOT apply to target (parent) object

'- From the ADS_RIGHTS_ENUM enumeration
Const ADS_RIGHT_DS_CONTROL_ACCESS      = &H100 'The right to view confidential attributes
Const ADS_RIGHT_DS_READ_PROP                 = &H10 ' The right to read attribute values

'- From the ADS_FLAGTYPE_ENUM enumeration
Const ADS_FLAG_OBJECT_TYPE_PRESENT           = &H1 'Target object type is present in the ACE
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2 'Target inherited object type is present in the ACE

' --------------------------------------------------------------------------------
' BitLocker schema object GUID's
' --------------------------------------------------------------------------------

'- ms-FVE-RecoveryInformation object:
' includes the BitLocker recovery password and key package attributes
SCHEMA_GUID_MS_FVE_RECOVERYINFORMATION = "{EA715D30-8F53-40D0-BD1E-6109186D782C}"

'- ms-FVE-RecoveryPassword attribute: 48-digit numerical password
SCHEMA_GUID_MS_FVE_RECOVERYPASSWORD = "{43061AC1-C8AD-4CCC-B785-2BFAC20FC60A}"

'- ms-FVE-KeyPackage attribute: binary package for repairing damages
SCHEMA_GUID_MS_FVE_KEYPACKAGE = "{1FD55EA8-88A7-47DC-8129-0DAA97186A54}"

'- Computer object
SCHEMA_GUID_COMPUTER = "{BF967A86-0DE6-11D0-A285-00AA003049E2}"

'Reference: "Platform SDK: Active Directory Schema"

' --------------------------------------------------------------------------------
' Set up the ACE to allow reading of all BitLocker recovery information properties
' --------------------------------------------------------------------------------

Set objAce1 = createObject("AccessControlEntry")

objAce1.AceFlags = ADS_ACEFLAG_INHERIT_ACE + ADS_ACEFLAG_INHERIT_ONLY_ACE
objAce1.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objAce1.Flags = ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT

objAce1.Trustee = strGroupName
objAce1.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS + ADS_RIGHT_DS_READ_PROP
objAce1.InheritedObjectType = SCHEMA_GUID_MS_FVE_RECOVERYINFORMATION

' Note: ObjectType is left blank above to allow reading of all properties

' --------------------------------------------------------------------------------
' Connect to Discretional ACL (DACL) for domain object
' --------------------------------------------------------------------------------

Set objRootLDAP = GetObject("LDAP://rootDSE")
strPathToDomain = "LDAP://" & objRootLDAP.Get("defaultNamingContext") ' e.g. string dc=fabrikam,dc=com

Set objDomain = GetObject(strPathToDomain)

WScript.Echo "Accessing object: " + objDomain.Get("distinguishedName")

Set objDescriptor = objDomain.Get("ntSecurityDescriptor")
Set objDacl = objDescriptor.DiscretionaryAcl

' --------------------------------------------------------------------------------
' Add the ACEs to the Discretionary ACL (DACL) and set the DACL
' --------------------------------------------------------------------------------

objDacl.AddAce objAce1

objDescriptor.DiscretionaryAcl = objDacl
objDomain.Put "ntSecurityDescriptor", Array(objDescriptor)
objDomain.SetInfo

WScript.Echo "SUCCESS!"

Once the script has run successfully, the BitLocker Recovery tab will now be accessible in ADUC and ADAC.

Reference:

TechNet

Online security–Protect your neck

noreply@blogger.com (Weestro) — Sat, 18 Jun 2011 05:41:00 +0000

In case you haven’t heard, hackers are slowly taking over the internet. Not really, but you don’t want to accidentally end up in the “lulzy booty” that is collected and distributed daily. LulzSecurity is one very public hacker group quickly becoming (in)famous by attacking websites with weak security and releasing the data they harvest to the wild where they encourage everyone to do whatever they want to with the data. This data includes logins and passwords to various sites and confidential internal company network data. Why are they doing this?? "For the lulz", i.e. just for fun and because they can. This group in particular is growing more and more brazen and has taken down Sony, an FBI affiliate, various professional security consulting companies, random gaming community user databases, the CIA's website, and most recently over 60,000 random email addresses and passwords. They do this while bragging about it and giving the play by play on Twitter (http://twitter.com/#!/LulzSec). The hacker group Anonymous started this recent public trend but they are more focused on real (h)activism not just fun for fame and lulz.

What these guys are doing is not new, but it hasn’t been this public or seemingly random before. This post is aimed at providing some suggestions for securing your public identity on the internet and hopefully help you avoid ending up in one of these public information releases. There are quite a few learning takeaways from the information that has been leaked lately.

Lock down Google

I switched to Gmail many years ago, away from Yahoo and Hotmail, and haven’t looked back. I still hold email accounts on all major mail providers and IMO, none can hold a candle to Gmail in terms of features, functionality, and security. Even if you don't use Gmail then you most likely search Google to find information and may even have a Google account. If you have a Google account, I strongly encourage you to turn on "2-step verification". What this does is ties a phone number, of your choosing, to your Google account. When you attempt to log into Gmail, for example, you will have to input your main password and then a secondary password which will be txt'd or voice called to you. With 2-step verification enabled, even if a hacker were to compromise your Google password they would not be able to log in and get at your information. You can set this so that you only have to do it once per 30 days, not every time you log in.

The other advantage this provides is the ability to both authorize and UNauthorize individual computers and applications. For example, let's say you use both Gmail and Chrome Sync on 2 or more computers. You would have to perform this 2-step process on both computers for both Gmail and Chrome sync. Well if for whatever reason you don’t need to use that second computer anymore and you want to kill your Gmail there, or simply want to revoke your Chrome syncs to it. You can simply revoke that individual computer or that individual Google application on that computer!

Google has a nice video and picture section that explains how this works. Seriously, turn it on! http://www.google.com/support/accounts/bin/static.py?page=guide.cs&guide=1056283&topic=1056284

From the Google accounts setting page, click the 2-step verification link and follow the prompts to setup. You will specify a primary + backup phone number and Google will give you some printable backup codes in the event you can’t use phone verification for whatever reason.

The other piece of this is application specific passwords. Any individual application that will need access to any of your Google accounts will have to be expressly authorized. Chrome Sync, blogging tools, etc. These are individually managed with passwords authorizing each one and can in turn be revoked individually.

2-step verification should protect you fairly well in the Google universe but you should also keep an eye on your Gmail account activity. In case you didn’t know, Google tracks and logs the IP address of every public end point you log in from. They will alert you if suspicious activity is detected but I’d still recommend checking this log from time to time to make sure it looks ok. The link is at the very bottom of the Gmail window:

Password reuse

The Anonymous takedown of security firm HBGary proved this to be a BIG problem. People generally use the same password for EVERYTHING! I'd like to say officially and for the record, STOP IT! One of your accounts gets hacked, guess what? They can now log into everything you use online. Facebook, twitter, email, linkedin, your bank maybe, etc. Most people use at least one of the aforementioned services. Save yourself the agony and use a few different passwords depending on the importance of the site. This is how I do it:

Lastpass - 1 unique password used NOWHERE else, 20+ characters in length.
Gmail/Google - 1 unique password used NOWHERE else, 12+ characters in length.
Primary bank - 1 unique password used NOWHERE else, 12+ characters in length.
Financial (non-bank) - 12+ character reusable password for financial sites ONLY.
Bills - 12+ character reusable password used only for bill websites.
Shopping sites – If I have to create an account, I use a throwaway password and allow no credit card info to be stored
Public sites or offers - throw away password with FAKE email account (dummy gmail/yahoo or mailinator.com)

I encourage you to at the very least separate your important stuff from the not so important stuff. Don't use the same password you use at work for your private email!

Password management

Built-in web browser password managers are ok but not very secure. At least Firefox offers password protection for the password list. There are more secure ways to deal with this if you are so inclined.

A web service that I started using recently is called LastPass http://lastpass.com. This works by installing a plugin into your browser(s) (replacing the built-in password manager), importing your site login info, encrypting it (256-bit AES), then sending the encrypted file to the lastpass servers. The password you use to encrypt the file is never sent to the internet, only a salted hash. There was an incident recently were there was a suspected network attack against lastpass but only accounts using weak passwords were at potential risk. See the note on passwords below. The other advantage lastpass provides is access to all your usernames and passwords from any computer you use.Make sure to use a VERY strong initial password to encrypt your data.

Keepass http://keepass.com is another tool I like to use. This is something you would use on your computer to store and protect various passwords. It creates an encrypted database using the strongest encryption currently known to man (256-bit AES). You could store this at home or use a file sync service like dropbox (dropbox.com) to access it anywhere you go. It's very simple to use and can be had as a portable app to keep in your dropbox for access anywhere. I recommend the pro version of the tool.

Web browsers

How you browse the web is just as important as your passwords and what information you share. My personal recommendation is now officially Google Chrome, a shift away from Firefox. The good news for those of us who are family admins is that Chrome can be installed by all users of a system, even non-administrative users. This means that it can also be updated by non-administrative users, unlike Firefox. Chrome uses a very advanced security mechanism called sandboxing built off of the Windows access token-based security mechanism. This mechanism also isolates each tab and extension in the browser and that tab or extension’s associated files and processes. Flash is baked into the browser (sandboxed) which is automatically updated by Google, another advantage over Firefox. At the most recent hacker convention this year all other major browsers were successfully hacked (IE, Firefox, Safari) while Chrome was not even attempted, even though Google offered an additional $20k cash prize. This could have been due to lack of interest or for fear of the advanced sandboxing. It's also fast and I have yet to see any browser crashes that became routine in even Firefox4. Chrome, get it! http://google.com/chrome

Just like Firefox Chrome has many extensions that increase the functionality of the browser. Chrome does not currently have nearly as extensive the catalog that Firefox does, but they’re getting there. There are 3 extensions that are absolutely mandatory for me: AdBlock, Flashblock, and a script killer. NoScript works great in Firefox but doesn’t exist in Chrome. Luckily there is an alternative called “not scripts” that performs in very much the same way. It blocks all embedded scripts in all websites unless you have given express permission for that site to run scripts (java, flash etc), jscripts, or other potentially damaging web code. Running with a script killer requires a very active user willing to put out a bit more effort to surf the web as each web site you visit will require exceptions for certain elements to run properly. Personally, I wouldn’t surf without it!

*Side note – Chrome can be installed by non-administrative users because it installs into and runs from an individual’s user profile. It does not follow the normally excepted best practice of installing into \program files (Windows) so this creates a potentially challenging situation in the corporate environment. If you are running Windows7/ Server 2008 R2, look into turning on AppLocker which will take care of this problem.

A note on passwords in general

There are many schools of thought when it comes to password policies. As an architect I have the luxury of defining and enforcing these policies for the companies that I work for. Password lengths are always a stated requirement, usually a minimum of 6-8 characters. Sometimes complexity is required by using CAPITALS, numbers and special characters $%#!. Yes, long and complex passwords are more secure but they're also hard to remember. The approach I like to take is longer passwords with no complexity employing a pass-phrase. Something easy for you to remember, for example: howboutthemmavs, or iamahistorybuff. This type of password, due to its length, would take exponentially longer to crack than a shorter 8-character password, even with complexity! Most password crackers only play in the 10 or less character space. Using a longer password removes you from the equation! Now if a given website stores your password with no encryption, this creates a different problem if that database is compromised. This is why limiting password reuse is important.

Limit your exposure

Don't give your information to just any website that requests it! If it's a site you got via email or just stumbled on and just want to check it out, use fake info with a throw away email account. Make use of throwaway email services, my favorite is http://www.mailinator.com . Be mindful of how much of you is already out there. Any of these sites that you log into could fall over and that login info given to the world. Practice anonymity when possible and especially if you don't trust a site. Never use the same password for a highly public site (facebook) and anything else important (gmail/ bank). Opt to not let a shopping site save your credit card number for future use.

Do what the hackers do

Make yourself completely anonymous. TOR is a popular tool used by hackers that proxies your internet requests through various servers all over the world. Your “true” location cannot be sourced because the sites you connect to will only see the address of the proxy. Don’t expect high performance though. You may be relaying through a server in Russia or the UK so browsing can really slow down. If you want to completely hide your tracks from the sites you visit, Tor can help accomplish that goal. http://torproject.org

Wrap up

The moral of the story is to be more careful than you might have been before. Before filling out forms, supplying email addresses etc, be mindful of what you are handing over. Scale back on how much personal info you share on the internet.

Turn on 2-step verification in your Google account
Stop using the same username/password for every online account your create!
Separate your important internet sites from the less important ones by taking steps to isolate and secure the important stuff
Use an advanced password manager to protect your passwords
Use longer "pass-phrase" style passwords, 12-characters or longer
Be mindful of what you sign up for and how much personal information you share on any given site

Stay safe!

RIP–Anthony Banks

noreply@blogger.com (Weestro) — Wed, 15 Jun 2011 13:37:00 +0000

My best friend Tony died 2 years ago on this day at the age of 31 due to heart complications. He was a .NET developer and group manager at Verizon. He is survived by his 2 young children, Devin and Danika, and wife Misty. His funeral was on 6/20/09 and below is the eulogy I gave at his service. I still miss him and want to honor his memory.

I just wanted to share a little about the Tony Banks I knew, with all of you. I met Tony over 7 years ago through another friend. He and I shared a lot in common and became fast friends. Cars, music, technology…it was easy. We thought a lot alike and ended up building our houses 3 miles apart, by sheer coincidence all the while living down the street from each other in Valley Ranch. That’s when we met, way before the kids came. Tony was sharp, funny, analytical, and a good debater. This was our thing. We debated almost any topic you can think of: religion, politics, cars, music. Anytime, anywhere was fair game, at dinner, just sitting around, over dominoes. This particular characteristic in both of us sometimes took its toll socially for each of us, separately. He never let me slide by making loose points on a topic of conversation and I didn’t let him slide either. That’s just how we were. I’m sure it was exhausting listening to us sometimes as both of our wives can attest. We worked in the same business, technology, and could talk for hours about our work. I don’t have many other people outside of work that I could talk to like this, and he didn’t miss a step. He was genuinely interested in what I do and this was special. His passing will leave more than a few large holes for me. I figured we be old men arguing sport compacts and muscle cars, how could it be any other way? I would love to hear his analysis of the afterlife. You could bet that it would be thorough and concise. I’m sure he has plenty of questions and will no doubt find all of the answers.

I considered Tony a true friend, not just a mere acquaintance like the majority of people in our lives who aren’t family. I don’t give out that title freely or easily. It was easy being his friend too. We weren’t high maintenance and we didn’t play petty games. Weeks could go by and either of us could reach out on a Friday or Saturday and get together for a drink or dinner with our families. He was my best friend and please forgive me for repeating this cliché, but it’s true, you don’t know what you have until it’s gone. My wife Lisa considered him a friend too and shared in some of the same vigorous debates. Tony had a promising career and had become successful at Verizon moving into management. His goal was to become an executive in management and was well on his way. There was no half way with Tony. He was 100% full speed into everything he did. Work, play, exercise, video games, cigars… drinking. He committed fully to everything he lent his time to. No exceptions.

Tony loved his parents dearly and idolized his father. I honestly can’t say that about anyone else I know that’s our age. He idolized his father. He loved the family he and Misty created and was a great provider for them. He always said that Misty was an amazing nurturer and natural mother. He absolutely loved his babies. If we’re all put here for a purpose and God has a plan for each of us, could it be that Tony achieved his goal early? If he achieved this goal early, and ahead of the rest of us, then this achievement should be celebrated. But that’s his path, his journey. I’m glad that I was able to know Tony Banks, for however brief it was. I celebrate that he touched mine and my family’s lives and I will miss my friend...

Don’t rule out the PlayBook yet!

noreply@blogger.com (Weestro) — Thu, 19 May 2011 23:31:00 +0000

Tablets are the talk of the town these days and if you ask me for precious few good reasons. Technology has ironically become a status symbol and one buzz word once uttered by executives has been replaced by another. Well practiced security standards and corporate computing policies are being warped, amended, or flat out ignored just to suit what ultimately amounts to a flavor of the week. Just because “everyone else is doing it” is not a legitimate business justification as to why you should implement tablets in your corporate enterprise. But that train is already on the tracks and here we are…

Even though laptops that converted to tablets were tried several years ago, the iPad started it all over again and is hugely popular among less technical (some more) users. It has a dead simple interface that is fluid and shiny, all modifications happen via iTunes or the app store, anything outside of basic Flashless web browsing exists as an “app”, and for many users it does everything they could ever want to do on a computer. Is this the right platform for knowledge workers in a corporate enterprise though? Some executives would, of course, argue yes. The IT department on the other hand begs to differ. Apple is still by and large a consumer oriented electronics company. While it is trying to wedge it’s way into the corporate enterprise, it’s backend support infrastructure offering is sparse and limited. We’ve all seen the video of the password protected and encrypted iPhone4 get jail-broken and data dumped in 6 minutes. There is no jail-break yet for the iPad2 but rest assured it’s coming. Do your users carry data on their mobile devices that, if compromised, would result in your company having to issue an embarrassing public press release explaining and apologizing for the potential data breach? We still need to be concerned about security. Sexy toys and eager yet unaware executives are no replacement. After all, who will ultimately get blamed if and when things go sideways? YOU will, the IT guy.

So I’m not going to sugar coat it, the PlayBook has had a rocky start. RIM was obviously under tremendous pressure with users flocking to IOS and Android, they felt they had to get something to market and fast. The recent recall announcement doesn’t help their image either, even though those 1000 recalled PlayBooks were all sent to Staples and were not sold, for the most part. While the PlayBook isn’t in it’s final polished state yet, there is huge potential there and many compelling reasons you should consider it, especially if you have BES already and will be deploying tablets soon.

Why BlackBerry?

Why should I use BlackBerry at all when I can use any smart phone I want and connect directly to Exchange via ActiveSync? Security, that’s why. The BlackBerry platform has not had a published exploit since 2007, but did recently suffer a defeat at Pwn2Own 2011 where its new browser was exploited. Encryption is rock solid and the platform is FIPS compliant. US governmental agencies that demand the highest security available use the BlackBerry and for good reason. This is ultimately what you’re buying when you buy BlackBerry: security and manageability. RIM is trying (desperately) to sprinkle in more user friendly features to keep up with Apple and Google.

Most tablet reviews published today that I have seen are consumer oriented. Will the PlayBook be good for the general non-enterprise consumer? Maybe. RIM definitely has a method to their madness with regard to this device in your corporate environment however. Many of the reviews I’ve seen criticize the device for not having native BES email support but what RIM has done here is actually quite clever! The PlayBook by itself can be used to surf the web (full Flash support), watch videos in stunning HD, play games, take pictures, videos, etc etc. App support is what’s currently lacking in terms of a pure home consumer standpoint. App World does have many applications but few that are free and nowhere near the extent of IOS and Droid. Droid app support is coming according to RIM but we’ll see what this really means.

General Impressions

At a mere 7" inches, those used to the 9.7” iPad will think the PlayBook is too small. Although, rumor is that Apple is looking at making a 7” pad, so there must be something to be said about the smaller footprint. The device is nice to the touch and feels well-crafted. The weight and balance are right on for a device of this size. Heat dissipation is minimal but the metal BlackBerry logo on the back of the case does get slightly warm to the touch after extended use. The iPad, for comparison, doesn’t get warm at all. Setup is very simple requiring only access to wifi, no required PC components like iTunes, and no required credit card for the app store. The UI is clean and fluid and a huge improvement over the Droid tablets I’ve tested (Xoom, Galaxy). All running apps are displayed from the home view and any can be easily closed by tapping the X below them. Returning to the home screen is accomplished by an upward swipe from the bottom of the device inside any application. The options menu can be opened at any time by tapping the gear in the upper right corner or by swiping down from the top of the screen. Most impressive is the PlayBook’s ability to multitask. You can open a video and with it running, return to the home screen to check an email. Only when actually entering another app would the video then pause. Pretty cool. Micro-USB and HDMI out ports put this tablet squarely in the open market of connectability. I absolutely loathe proprietary interfaces designed to gouge consumers (read:Apple).

The Bridge to the Enterprise

BlackBerry Bridge is the key to connecting the PlayBook to your enterprise data which does require a BlackBerry smartphone. This really makes good sense because corporate data is never actually resident on the PlayBook. All email, calendar, contacts, and task list items are accessed from the phone via bluetooth. Plus, why not? Most people will always be carrying a phone as well. Tablets can’t yet replace the smartphone.

Setting up Bridge is fairly painless, requiring first an install on your smartphone, the PlayBook already has it installed. AT&T is currently blocking Bridge in App World and other sources via 3G. You can find and install Bridge OTA but need to go through wifi on your phone to get around the blocks (see references). I’m sure AT&T will figure out a way to charge more for this somehow. Once Bridge is installed on your phone, launch the Bridge setup on both the phone and PlayBook. Scan the barcode using your phone or connect manually. Very easy.

Confirm the pairing codes on both devices and you’re done.

On the Torch:

Once paired all BES/Exchange items will be visible on the PlayBook under the BlackBerry Bridge tab.

The first time any Bridge item is accessed, you will be prompted for the unlock code to your phone.

When the bluetooth link is severed or Bridge is disabled, these items cease to be available on the PlayBook. This is a particularly compelling feature for organizations concerned about mobile security. If the PlayBook is lost or stolen, no corporate data with be resident or accessible from the tablet. Your phone will be in your pocket and encrypted.

RIM is taking this separation of corporate and personal data further with a new offering called Balance that provides deeper policy based restrictions to further protect corporate data.

Email

As one would expect, the mail client is fantastic and features a full preview pane a la Outlook style. Buttons are thoughtfully placed at the bottom of the screen with compose and delete conveniently located in either corner. The messages list on the left side scrolls fluidly up and down with a flick of the finger.

Composing emails is a clean and easy process. RIM’s bread and butter is email and they definitely got it right here (for the most part). Typing is easily done using your thumbs following true BlackBerry style.

There are still some improvements that need to be made to the email client experience, like the ability to copy and paste a non-GAL email address from one email to another. Copy, paste, and text selection in general are unavailable in this build. Also being able to “delete original text” from a reply is notably missing. RIM needs to replicate the email experience 100% from the Torch to the PlayBook, at the very least.

Another problem area that needs attention is attachments. In default form I was unable to open any attachments other than images. The only indication of a problem was back on the home screen under the notification icon. There is a rather cumbersome workaround for this problem which did ultimately resolve the issue for me. See the reference section at the bottom. Txt and Zip files are currently unsupported as well, this needs to change.

When saving an attachment from a BES email account, you are only allowed to save it to the phone, not the tablet. This is a GREAT idea that solidifies RIM’s position on security.

Battery life is generally ok but make sure to plug in the power cord over night! The screen will turn off but with both bluetooth and wifi running the battery will drain while you sleep.

Final Thoughts

Going through the tablet vetting process currently for my employer I have the (mis?)fortune of getting to play with the top players in this space. The PlayBook did not disappoint. Will my Apple loyalists willingly throw down their iPads for the PlayBook? Probably not. At 7 inches I feel the PlayBook is a good size capable of doing real work on. It is small enough to put into a coat pocket, unlike the bigger 10 inchers which probably need a bag. The screen resolution is fantastic and provides stunning visuals. For road warriors the fact that the PlayBook has an HDMI output should allay any concerns of not being able to give a presentation with the device, although even 10 inches I would think to be too small for this purpose. Office productivity tools are provided natively unlike the competitors that require additional licensing costs for a comparable suite. The Bridge technology is ultimately a very good idea that carriers will not like, so prepare for an additional tethering cost. If it stands as is, companies will save money not having to buy a second data plan per user that carries one of these. I really really like the idea of keeping business and pleasure separate and the PlayBook does that in native form. Add the Balance product to the mix and you can get very granular with your policies. As a technical practitioner who is still concerned about security, I see the PlayBook as ahead in the race for the enterprise tablet seat. It isn’t a finished product and still has many kinks, but don’t dismiss it wholly just based on that!

References:

BlackBerry Bridge install

BlackBerry Balance

Unable to start application – error code 13

Follow up – RSA SecurID servers hacked

noreply@blogger.com (Weestro) — Mon, 04 Apr 2011 13:26:00 +0000

Following up to the mid-March report that RSA had been hacked, it appears that Adobe Flash was ultimately behind the exploit. MS Excel documents embedded with Flash files (.swf) that exploited a zero-day Flash vulnerability, were opened by an RSA employee installing the Poison Ivy remote admin tool. This provided hackers access to RSA’s corporate networks where they searched for and uploaded sensitive information to external servers.
While Flash has become a bastion of woeful vulnerability, this case provides a good reason to upgrade your enterprises to Office 2010. 2010 leverages DEP (Data Execution Prevention) and sandboxes files inside of office files, via “Protected View.” Had RSA been running Office 2010, this breach would not have happened.
[via NetworkWorld]

Cleaning up SMVI snapshots in vSphere

noreply@blogger.com (Weestro) — Tue, 29 Mar 2011 14:10:00 +0000

For whatever reason, sometimes VM snapshots get stuck and ultimately forgotten. As you know this can be disastrous as once that line in the sand has been drawn, the resulting redo log will continue to grow until its underlying disk is completely exhausted. One-off manual snaps can be easily forgotten but worse is when programmatic snaps, the likes of NetApp SMVI or VCB, don’t get removed cleanly and start to stack up. I just had this problem when my SMVI, for reasons unknown, stopped removing snaps from one of my volumes and started incrementing them. At the point I caught the problem, some of my VMs on this volume had as many as 5 SMVI snapshots! Not good. SMVI is a great solution overall that works really well, but its handling and reporting of VI snapshots could be a lot better.

So now I have exposed a problem in my environment. The performance of my VMs is suffering and the integrity of my backups could be questionable. The first step is to create a new alarm in vCenter that watches VM snapshot size. I will warn on anything over 1GB and alert on 2GB. While researching for solutions to this problem (and manually deleting snapshots) I came across a tool written by one of NetApp’s Architects last year. Even though it was written by NetApp specifically for SMVI, it is solid enough to be used in a number of other scenarios. CVMS (Cleanup VMware Snapshots) is an executable that can be run manually via CLI or called via a script. I my case I will call this tool via a script in SMVI.
Feed it the vCenter address, credentials, and snap name prefix, then you can scope by datastore, VM, or VM set. It will go in order and remove all snaps that match the defined prefix, one at a time. Manually-created user snaps will not be affected, unless of course the snap name matches your defined prefix. The tool is incredibly well written and provides just about every customization you would care to do in this scenario.

Sample command string and output:

C:\>cvms -vcuser administrator -vcpasswd passwd -vcip 10.2.1.2 snapname bar -ds test_ds -verbose
LOG REPORT FOR CVMS
-----------------------------------------------------
CVMS Version: 1.0
Log Filename: \NetApp\CVMS\Report\CVMS_20100131_143350.log
Start Time: Sun Jan 31 14:33:50 2010
Datastore(s) selected: test_ds
Command line arguments successful.
Initializing connectivity to Virtual Center and storage appliances.
Converting Virtual Center hostname to IP address ...
Attempting to ping Virtual Center 10.2.1.2 ...
Ping of Virtual Center 10.2.1.2 successful.
Creating new Virtual Center instance for 10.2.1.2 ...
Logging into Virtual Center server 10.2.1.2 ...
Virtual Center login successful.
Collecting VMware and storage appliance configuration data.
Collecting datacenter information ...
Found 2 Datacenter(s).
Collecting host system information ...
Host system information collected.
Looking on host system esx2.internal.net for datastore test_ds ...
Requested Datastore (test_ds) is available.
Saving virtual machine information for vm2.
Saving virtual machine information for vm1.
Cleaning up snapshots for all VMs listed ...
Checking snapshot capability of VM vm1 ...
Removing all snapshots with string 'bar' from VM vm1 ...
No VM snapshots found.
Checking snapshot capability of VM vm2 ...
Removing all snapshots with string 'bar' from VM vm2 ...
Removing VM snapshot 'bar2' ...
Removal of VM snapshot for vm2 successful.
Command completed successfully.
Backup End Time: Sun Jan 31 14:34:02 2010
Exiting with return code: 0

In my particular scenario, I backup per volume in SMVI so will add a custom script to each backup job to ensure that all snaps get properly cleaned up afterwards. To present a script to SMVI, it needs to exist in %PROGRAMFILES%\NetApp\SMVI\server\scripts (or <drive>:\Program Files (x86)). SMVI can use .bat, .cmd, .pl, etc. Here is the syntax of one of my volume clean scripts:

if not %BACKUP_PHASE% == POST_BACKUP goto end
set PATH="D:\Program Files (x86)\NetApp\CVMS"; %PATH%
cvms.exe -vcip vcenter –vcuser domain\account –vcpasswd password -ds Volume1 -snapname smvi -reportdir "D:\Program Files (x86)\NetApp\CVMS"
:end

Depending on how your backups are configured, you could run a script like this at the end of the day or like me, after every backup. I backup every 8 hours so have plenty of time for cleanup in between. The report directory will house text file outputs of each instance run with the same output you would see in the CLI using the –verbose switch. Refer to the SMVI 2.0 best practices guide for available variables that can be referenced in a script.
The NA community homepage for the tool is in the references below. CVMS is not in the NA Tool Chest however, I checked, so unless someone tells me otherwise I will host a mirror of the utility.

References:
CVMS (homepage)
CVMS (mirror)
Scripting SMVI cleanup
SMVI 2.0 Best Practices Guide

RSA (EMC) SecurID servers hacked

noreply@blogger.com (Weestro) — Sun, 20 Mar 2011 04:51:00 +0000

RSA’s two-factor authentication solution targeted as a “large number” of its servers were recently compromised and data extracted. Not good for the market leading token-based security provider.

http://www.rsa.com/node.aspx?id=3872

Hot adding an external shelf to a NetApp array

noreply@blogger.com (Weestro) — Mon, 07 Mar 2011 15:16:00 +0000

My set up for this scenario is simple: 1 x FAS2020 running HA with 12 x internal SAS disks (Ontap 7.3.2). I am adding a partially-populated external SATA shelf (DS14MK2AT) to provide expansion and an additional tier of storage. The process is relatively straight forward and should apply to most arrays in the NetApp family.

Hardware Installation

NetApp uses an inordinate amount of packing material to ship what ultimately amounts to 3U’s of occupied space in the rack. Better safe than RMA I guess.

If you’ve assembled other storage arrays or servers this part won’t be much of a challenge. One item of note is that the upper shelf controller goes in upside down, which may not be immediately obvious.

Once your shelf is securely installed in the rack with the drives inserted, install your SFPs in the “In” ports on both controllers, keeping in mind the upper SFP will go in upside down. NetApp will ship 2 sets fiber pairs with SC connectors, you will only need 1 set if you are installing a single shelf. Each pair will be labeled to match “1” and “2” on both ends. If you have additional shelves to install you will need to also install SFPs in the “out” ports to connect those shelves to the loop. Make sure to properly set your shelf ID which will be “1” if this is your first shelf.

FC Adapter Configuration

Ok, now the fun begins. Because my FAS2020 had no external shelves previously I had both FC ports on each controller connected to my Fiber Channel fabrics providing 4 paths to each storage target. Unfortunately I now need 2 of these ports to connect a loop to my new shelf. Any subsequent shelves added to the stack will attach to a prior shelf via the “Out” ports. The first step is to remove the 2 controller ports from my fabrics, both physically and in the Brocade switch configuration. I will be using the 0B interfaces on both controllers to connect to my shelf. My FC clients, vSphere and Server 2008 R2 clusters running DSM, are incredibly resilient and adjust to the dead paths immediately with no data interruption. Perform an HBA rescan in ESX and check the pathing just to be sure everything is ok.
Before the fiber from the shelf can be connected to the controller ports, we need to change the operation mode of the FC ports. Currently they are in “target” mode as they were being used to serve data via the FC fabric. To talk to an external drive shelf they need to be in “initiator” mode. This is done using the fcadmin command in the console. Fcadmin config will display the current state of a controller’s FC adapters. Notice that they are in target mode. The syntax to change the mode is fcadmin config –t <adapter mode> <adapter>. You must also first offline the adapter to be changed because Ontap will not allow the change to an active adapter.

Once the adapter mode has been changed you will need to reboot the controller before it will take effect. If you are running an HA cluster this can be done easily utilizing the takeover and giveback functions. From the console of the controller that will be taking over the cluster, run cf takeover. This will migrate all operations of the other controller to the node on which you issue the command. As part of this process the node that has been taken over, will be rebooted. Very clean.
Fas1 taking over the cluster:

Fas2 being gracefully rebooted:

Once the rebooted node is back up, from the console of the node that is in takeover mode, issue the command cf giveback. This will gracefully return all appropriate functions owned by the taken over node back into its’ control. Client connections are completely unaffected by this activity.

The cluster will resume normal operation after the giveback which can be verified by issuing the cf status command, or via System Manager if you’d like a more visually descriptive display.

Disk Assignments

Now that Fas2 is back up, you can verify the operation mode the 0B adapters (fcadmin config) as well as check that the disks in the external shelf can now be seen by the array. Issue the disk show –n command to view any unassigned disks in the array (which should be every disk in the external shelf).

Because I am working with a partially populated shelf (8 out of 14 disks), I will configure a 3:3 split (+ 2 spares) between the controllers and create new aggregates on both. Performance is not a huge concern for me on this external shelf, I’m just looking for reserve capacity. Here is the physical disk design layout I’ll be working with:

*NOTE make sure that “disk auto assign” is turned off in the options if you want complete control on disk assignment. Otherwise the filer will likely assign all disks to a single controller for you. It is enabled by default and needs to be disabled on both nodes.

With auto assign turned off issue the disk assign –n <disk count> –o <filer owner name> command. Or if you like you can assign the disks individually by name.

Don’t worry if you goofed and need to reassign disks between controllers as this can be done rather painlessly. This is what it looks like when the filer auto assigns all disks to a single controller:

To fix this, enter advanced privilege mode on the filer and issue the disk remove_ownership <drive name> command for each drive you want to change.

Once the drives have been removed from ownership, run the disk assign command again to get them where they should go. NetApp also recommends that you re-enable auto disk assign. Run a vol status –s on both controllers to verify the newly assigned disks and their pertinent details.

Aggregates and Spares

Now that the disks are assigned to their respective controllers, we can create aggregates. If the disk type in the external shelf were the same as the internal disks, we could add them to an existing aggregate, but since I am adding a new disk type to my array I have to create a new aggregate. I’m going to switch over to System Manager for the remaining tasks.
Each controller will need its own aggregate comprised of the disks you just assigned to each (save the spare). I will be using the default NetApp naming standard and creating aggr1. This can be performed from the Disks or Aggregate page and is pretty self explanatory.

RAID 4 is the way to go here as I don’t have the spare disks to justify RAID DP + a hot spare. Although I will be married to this decision for the life of this aggregate, it’s a sacrifice I have to make. Repeat this process on the other node. *NOTE make sure to leave at least 1 spare of each disk type, per controller, in the array. NetApp’s recommendation is as follows for ensuring you have the proper number of spares given a common disk type:

There you have it. A new shelf added hot to a NetApp array with no disruption to the connected clients. Now you can create your volumes, LUNs, CIFS/NFS shares, etc. If I add another AT shelf at some point at least I won’t have to sacrifice any more disks to spares!

Troubleshooting problem SEP client installs

noreply@blogger.com (Weestro) — Wed, 02 Mar 2011 19:42:00 +0000

I had my first ever need to put a call into Symantec enterprise support for a SEP client that just would not install on one of my corporate Win7 desktops. This particular problem proved troublesome to figure out but with Symantec’s help we got there. I also learned a few other tricks along the way that will help with troubleshooting regular enterprise client installs.
After trying multiple installation methods that usually work, all we would get was an ultimate failure with “error status 1603” logged in the application events.

Looking through the SEP installer log in c:\windows\temp\sep_inst.txt, we noticed that the installer was failing to access the network location for %APPDATA%.

Hmmm, ok let’s check the registry and see what’s up. Navigate to HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders. Notice how the value for AppData doesn’t look like the others? It should be prefixed with a %USERPROFILE% wildcard value but isn’t. The installer can’t find %APPDATA%.

This is the proper value that should be here:

The tech mentioned that they had this problem in Vista but had not seen it in 7. This particular user could be running some ancient software that changed this value, I really don’t know. This is the only box I’ve seen this happen on.
Another trick I learned along the way is how to get around the pesky reboot requirement before you can install the SEP client. To do this, simply delete the following items in the registry. Note the key paths at the bottom of each window:

Once the registry edits have been made you can rerun your client install without having to reboot. One other thing the tech had me do was export my enterprise install package to expose all the bits. This is done via the Endpoint Protection Manager Console. Navigate to your client install packages under Admin\ Install Packages, choose the package you want to export, right-click, choose export.

Select a location for the dump to go, UNcheck “create a single .EXE…”, choose your customized installation settings and features, then select the top level “my company”. The other defaults are fine. This will take a few minutes.

Once the export is complete you will see the contents of your deployment package. Install Live Update first (LUSETUP.exe) then run the installer MSI (Symantec AntiVirus.msi). This is the full non-silent yet customized client install so you can see every step. You AV client should now be installed with no problems.

References:
Symantec KB103109

“The View Connection Server connection failed (null)”

noreply@blogger.com (Weestro) — Mon, 14 Feb 2011 20:19:00 +0000

There are a number of reasons why your clients might see this error while connecting to your View environment but the most recent is due to 2 Windows updates that went out recently: KB 2482017 or 2467023.

This error can occur on both View clients 4.0 and 4.5 prior to build 353760. VMW recommends updating all clients to this most recent build which can be found here:

http://www.vmware.com/download/download.do?downloadGroup=VIEW-450-CLIENT-PATCH

The 4.5 client works just fine for connecting to a View 4.0 environment. Other work-arounds include running the View client in compatibility mode or rolling back the 2 MS patches in question.

Ooma Telo Review

noreply@blogger.com (Weestro) — Fri, 21 Jan 2011 21:17:00 +0000

This post originated at the blog: Exit the Fast Lane

Voice Over IP (VOIP) has been a hot topic for those in the know for some time now, but is becoming increasingly more consumer targeted for its obvious benefits. Plain Old Telephone Service (POTS) lines are going the way of the dinosaurs with few unique exceptions that just don’t work well with VOIP yet. I started my VOIP journey with Cisco at work and Vonage at home around 7-8 years ago. Vonage was still an up and comer then with its ability to provide phone service right over your home internet connection. All you needed was a service contract and a Vonage supplied router to make calls. The problem with Vonage is that they have become more like a traditional phone company with their call plans, although still much cheaper than a traditional POTS line + long distance. Near the end of my experience with Vonage, the call quality was terrible which I chalked up to wireless interference. In my new house I didn’t want a home phone at all, but was eventually convinced by my wife so I sought out for something better.

During my search I came across a “next gen” VOIP phone company called Ooma. With staggeringly positive reviews all over the internet, Ooma has an interesting proposition: buy their router and make unlimited free calls nation-wide while only paying the mandatory federal/local fees which, for me, will equate to ~$3.50/month (911 included). That’s right, they don’t do phone plans with minute options like Vonage. The router is $200 and can be purchased from Amazon. By my math, based on what I was paying monthly with Vonage, this solution will pay for itself in 10 months. Ooma offers a Premier service for $10/month extra that adds feature like an instant second line, 3-way conferencing, and additional voicemail options. Important to note that this is an OPT-OUT service so they will automatically enroll you and start billing after a free 60-day trial period. My current feeling is that the basic services are more than ample so I plan to opt out. Ooma offers number porting services for $40/number if you wish to keep your current digits.

Installation

Setup is incredibly easy and if you’ve used a service like Vonage, this isn’t much different. The voice router needs to be added to your network via Ethernet so it can reach the internet and your phone will plug directly into it. I prefer to use wireless phones in which there is a single central base with many wireless satellites. I only plug the “master” base into the Ooma router. This method achieves maximum flexibility by overcoming any house phone wiring limitations and is essentially no different than how you would do it with any other type of phone service. I choose to use 2 firewalls in my home environment and put my voice router in the “DMZ” segment, which I also did with Vonage. Here is my setup in simplified form:

Once you first plug in and power on your Ooma router it will automatically pull the latest firmware which will take a few minutes, during which time you will see the bottom row of button lights flashing. Once the updates are complete, log into the ooma activation site and complete the set up of your device. Once activated you will create a login on the My Ooma site where you will find a wizard that will step you through the rest of the set up process. Number porting can take some time but they’ll give you a temp number to use in the meantime. Or if you opted to create a new number you should now get a dial tone and will be able to make calls. Ooma uses a very special and fancy dial tone. ;)

Features

Aesthetically the device is quite elegant. The face is coated with a soft rubberized material that is quite pleasing to the touch. All edges are rounded and the bottom is finished with a high-gloss piano black plastic. The button lights can be made brighter or turned off altogether. Voicemail can be accessed directly on the device like an old-school answering machine, via the phone, or via the website.

The My Ooma website is where you’ll make all service configuration changes. The dashboard is still a work in progress but you can see your voicemails, setup progress, and stats from here. Clicking “call logs” on the left will reveal detailed information for all call activity. What’s really neat is that from this view you can white or blacklist any number in your history (premier feature)! I’ll show you blacklisting in just a second. The Voicemail and Contacts areas are fairly self-explanatory.

Clicking the “Preferences” button up top will reveal the meat of the configurable options. Under Voicemail you have the option to control how many rings before a call goes to voicemail as well as whether to send email or SMS notifications including audio attachments.

Now on to my favorite premier feature: Blacklisting. This is a great feature that allows you to completely control who calls your house and how those calls are dealt with. Send a blocked caller a disconnected number message or just let the line ring continuously. You can use the community list which is Ooma’s list of telemarketers or control your own. Many may find the $10/month premier price worth it for this feature alone. But you should know that this can be done for free in Google Voice. GV adds another layer to your overall voice solution but the value is becoming more and more compelling.

Call forwarding does what it says in the traditional sense or you can enable multi-ring for one device like a cell phone. You can also manage multiple phone numbers, your ring pattern, as well as play with some [currently] experimental Google Voice and iPhone integration.

Privacy settings control your ability to block the outbound caller-ID display of your number plus anonymous call block.

Everything else under preferences in inconsequential. Under the Account tab at the top you manage billing, account, and services information. Take note that this is where you go to opt-out of the automatic Premier services upgrade.

Available add-ons include the premier service, international calling, warranty extensions, and a few others.

Conclusion

Overall I am extremely impressed with Ooma. I just finished a Webex training class in which I was dialed into a conference call from literally 9-5 for 4 days. The call quality was excellent and my calls didn’t drop once! Since I’m using the same Panasonic DECT phones I had in my other house, I am left to believe that my bad call quality experience with Vonage was due to their router. All of my other gear is the same. Ooma looks and feels like a very polished and mature product in form and function. The home network setup is an effortless process and the web portal is feature-rich with Ooma making visible improvements to enhance the user experience. As long as you commit to use Ooma for a few years, the $200 buy-in along with $3/mo fees will be well worth your while. My only complaint is having to opt-out of the premier service and it not being immediately clear which features are basic vs premium.

So long NetBIOS, it’s been fun!

noreply@blogger.com (Weestro) — Thu, 13 Jan 2011 20:13:00 +0000

Without going too far down the “history of NetBIOS” rabbit hole, this protocol has been included in all versions of Windows since Windows for Workgroups, and including Windows7. Back before DNS was adopted as the primary name resolution protocol, NetBIOS was used for PCs in workgroups to find each other by name and communicate. NetBIOS over TCP/IP is a non-routable broadcast protocol and is by nature very chatty on the wire. WINS was created to centralize and resolve NetBIOS name to IP address registrations but DNS is still a much more efficient method and became the basis for Active Directory in Windows 2000. The problem with overly chatty broadcasts is that all hosts constrained within the boundaries of a broadcast domain (L3 VLAN) have to process every packet that is broadcasted. This can be especially taxing in L3 VLANs with a large amount of hosts.

While Windows has functioned fine without NetBIOS for over a decade, Microsoft continued to support the protocol for legacy applications that required its use. Having just built a pristine environment with Windows7/Server 2008 R2 and all the latest technology, I decided to explore the elimination of NetBIOS from my environment.

So, why bother?

The number one reason this effort is worthwhile is the elimination of a broadcast protocol from your network stream. This will ultimately free up network interface usage and CPU cycles that are currently processing each packet that any host in the VLAN broadcasts. Run a network trace and you will see an alarming number of name query broadcasts sent and received via UDP/137. As you can see from the network capture below, 66.16 is broadcasting a NetBIOS name resolution request for a host called DC2.

Locally, on a client running NetBIOS run the nbtstat –n command to display the local name table. If you can display this table, that means NetBIOS is alive and well. The wireless adapter is disabled on this client so there will be nothing in the cache for that connection.

Other reasons to abandon NetBIOS include maintaining antiquated browse lists, worrying about which resources might be accidentally visible in those browse lists, and fighting browser master wars. I have no need for this protocol in my network and will take steps to remove it.

How to disable NetBIOS over TCP/IP

There are a few ways to go about disabling NetBIOS programmatically, I want the path of least resistance. As with any process, you can accomplish this goal manually, but that is tedious, time consuming, and ineffective. While this task can be done via GPO Preferences, this really isn’t the cleanest method either. You would need to create a new GPO Pref registry item targeting the NetBiosOptions value in the PC’s network interface key path. The problem with this method is that each PC will have a different GUID assigned to its network interfaces, highlighted below. You would first need to determine all applicable GUIDs in your network and push this policy so that each can be updated individually. No easy task.

Luckily, if you use DHCP to assign IPs to your clients there is an easier way. By default all Windows clients are set to “default” under the NetBIOS setting portion on the WINS tab in their NIC’s TCP/IP settings. This default setting allows all clients that use a DHCP server to use the NetBIOS settings as defined by that server.

This setting corresponds to the “NetBiosOptions” registry entry, in the aforementioned key path, who’s value of 0 means that the default setting is enabled. Manually disabling NetBIOS above would set a value of 2 on this entry in the registry.

Great! So we can control NetBIOS via DHCP, this is certainly easier than the GPO Pref method. From your DHCP snap-in, navigate to the “scope options” portion of the scope you would like to change. Right-click—>Configure Options. Select the Advanced tab and change the vendor class dropdown to “Microsoft Windows 2000 Options.” You will now see a 001 option to disable NetBIOS. Select it and change the data entry to 0x2, click OK to activate.

**This will not take affect until your clients renew their address leases and pull the new scope options.

Verify

On the DHCP client with a renewed IP lease, you will see a new registry entry, in the same key path shown previously, called “DhcpNetBiosOptions” with the corresponding value you set in the scope.

This new key is only read by the system if the NetBiosOptions value is 0. Running nbtstat –n should now yield an empty name cache with no node address.

Another network traffic capture, assuming all clients in the scope have been updated, should yield no NetBIOS traffic. Keep in mind that disabling NetBIOS stops your ability to send broadcasts, not receive them.

Now without all those NBNS broadcasts you can keep tabs with what spanning tree is up to!

References:

RFC1001

RFC1002

NetBIOS over TCP/IP Configuration Parameters

MS KB313314

My garage floor epoxy project

noreply@blogger.com (Weestro) — Tue, 28 Dec 2010 19:27:00 +0000

My wife and I just bought a new house, so naturally the first thing to be done before moving in is painting the garage floor with epoxy. :) Epoxy provides superior protection against oils, chemicals and stains by allowing them all to be wiped up easily. Plus it transforms your garage from dull and boring concrete to a beautiful space that makes one almost sad to park cars in. This is the second garage I’ve epoxied so this post is to document my experience as well as lessons learned throughout the process.

Not all epoxies are created equal, however. The $100 2-part kits you find at Home Depot and Lowes are water-based epoxies which are thin, require multiple coats, and won’t last as long as they should. I used one of these kits at my first house almost 10 years ago which turned out ok for the most part but there are areas where the epoxy pulled up from the concrete. This time I wanted something better: 100% solid epoxy. This is the premier epoxy flooring material which is much more expensive to manufacture than water-based epoxy and is also several times thicker than its off-the-shelf equivalents. The three manufacturers of solid epoxy that I considered for my project were Epoxy-Coat, Wolverine, and U Coat-It. Not only is solid epoxy several times the thickness of the water-based products, but it’s several times the price as well. You get what you pay for.

After doing hours of research and countless searches on garagejournal.com I decided on Epoxy-Coat for my project. Most people are very pleased with the results plus they recently signed a deal with Lowes who will distribute their products. While not readily available off-the-shelf in all stores, Epoxy-Coat can be special-ordered by Lowes in both full and half-kits at a price less than what you would pay direct from the MFR (the better deal is the full kit!). As stated, a full kit can cover 500sq-ft and a half kit 250sq-ft each at 9.7dft (Dry Film Thickness). This equates to roughly 4 batches with the full kit and 2 batches with the half kit. Each full kit comes complete with a 6-gallon mixing bucket, 2 parts base coat/hardener, acid etch, squeegee, roller fill, mixing tool, gloves, paint chip flakes (3 colors), aluminum oxide (non-slip additive), and a video CD-ROM (also available on their website).

The base color and flake colors can be customized but I opted to use standard grey for the base with no flakes. Just a personal choice. If you like the confetti look and want to lay down flakes, you should also consider applying a clear coat to UV-protect the flakes which will fade over time otherwise. The clear coat will add roughly 50% to the per kit cost of your project.

Prep

Surface preparation is key and will directly correlate to the quality of floor you ultimately lay down. The garage I am working with is a 20-year old 3 car garage that has some minor surface cracking and grease stains. Luckily there was no previous sealer or that would have to be removed first. A floor can be prepped in two ways: washing/etching or diamond grinding.

Diamond grinding is what the pros do and can be done by you via a grinder rental at your local DIY store. These machines are large “walk behind” style machines with either single or dual heads. Edco is the brand that I’ve seen most recommended. The advantage of diamond grinding is that you will create a very consistent profile across the floor removing all surface imperfections and contaminants. You could also use a 4” or 7” diamond cup wheel attached to an angle grinder for small or tight areas. Either way be prepared to deal with a lot of dust. Pictured below on the right is a 7” Bosch with a dust muzzle that attaches to a shop vac.

Washing/etching is a more involved process that can also create a suitable profile for epoxy but requires much more elbow grease. This is the method I opted to use. First remove all loose material by sweeping/ leaf blowing. Remove surface contaminants like paint splatter using a scraper tool. Apply degreaser to oil stains and scrub with a stiff bristled brush. Wash thoroughly.

Pour the contents of the muriatic acid bottle (supplied) into a bucket and mix with 1 gallon of hot water. Pour into a plastic sprayer. Work in 10’x10’ sections spraying the acid on the floor and scrubbing with the stiff bristled brush. You should see some foaming which is the acid reacting with the concrete. Work over the entire floor and once complete, pour baking soda over the treated areas.

Triple rinse the floor with a garden hose ensuring that all materials are removed. Let the floor dry completely, depending on the outside temperature and humidity this could take a day or two. If the floor is even a little wet when you go to lay the epoxy you will have bubbles. Use a leaf blower to expedite the process. Once the floor is dry you can fill any cracks that you have with an adhesive acrylic caulk (NO SILICONE!) and a tape blade. While epoxy can be used to fill holes and cracks, it doesn’t work like you’d expect. Unless you specifically try to fill holes and cracks they may not cover completely from a normal application. Let the caulk dry completely then remove any drops or peaks along the cracks. Leaf blow the floor one more time and we’re ready to pour the epoxy.

Anti-slip additives

Epoxy-Coat sends you a bag of aluminum oxide (AO) which is a very hard glass granule looking substance that is added at the end of the application process. While AO is extremely effective, from what I’ve read, it is super hard and super SHARP. People report that a floor treated with AO is extremely hard to clean because it will literally shred your mops and rags. Squeezing a piece in the bag will cut you. If you work on your garage floor changing oil etc, guess what else it shreds? Pants, skin, elbows, kids…

I came across a product called SharkGrip made by H&C and sold by Sherwin Williams. It has the consistency of talcum powder and is mixed into the batch before it goes on the floor. Many people rave about this stuff because it adds good traction to an otherwise slippery epoxy floor plus leaves the floor cleanable and skin friendly. I opted out of using the AO and picked up a 16Oz bottle of SharkGrip for ~$15 from my local SW. They also sell a smaller 3.3Oz can that is intended to be mixed with 1 gallon of sealant/epoxy. Just to make sure, I asked Epoxy-Coat about SharkGrip and they have no issue using it with their product.

Application

Set up a mixing area and lay out all materials on a leak-proof drop cloth. Use the supplied measuring stick that has lines for where to pour A and B parts in a double or single batch. The B is the hardener which is clear, this goes in first. The base gets poured into the hardener. First mix the A base coat in its own bucket for 2 minutes with the mixing tool. This is when I added the SharkGrip. Since the A part is 2 gallons in the full kit, I poured in ~6oz of SharkGrip. Per the single batch measuring lines, this will create enough product to do a 10’x10’ area before you need to mix another batch. Add the hardener, then the base, and mix for 3 minutes. I sprinkled in an additional measure of SharkGrip at this step as well.

Pour all the mixed contents in a line on the floor at the far corner of the room. Consider which wall you will pour against because you have to first squeegee the epoxy perpendicular to the pour line to spread it out, then back roll in the same direction that you poured the line with the supplied roller. Some guys end up buying or constructing spike shoes to walk across the wet epoxy without dragging it everywhere. I didn’t need to use spikes because of the lip that goes around half of my garage so I was able to walk around without getting wet.

Epoxy-Coat recommends doing a 10x10 section, pouring another 10x10 section then going back to the first section and back rolling it again. By yourself this is a lot of hustle. I read in the forums that you can also do a section, wait 10 minutes then back roll it again before pouring the second section. This is what I did. During that 10 minute waiting period I used the cut brush to paint the lip “step” around the garage with the epoxy left in the mixing bucket. Worked like a charm. The epoxy pours and spreads more fluidly than you would expect. Keep pulling that squeegee across as far as you can to spread it out! The finished floor will be the thickest along the areas that you pour, keep that in mind.

I tried to fill a few holes with epoxy but you can’t back roll those areas or the product will get pulled right out. There was some fill here but I’ll need to go back and add more.

Towards the end I started to run out of base coat (A), although I had plenty of hardener (B). While mixing the last batch I came up just short of part A so poured everything into the A bucket to try to maximize the output. I figured this would result in having an excess of hardener so I would need to work fast to finish. I should have sprung for the extra half kit initially because this last batch ended up going on too thin. It did cover the entire floor but there was a clear disparity between the first few sections and the last. As you can see below, the top portion of the floor is thick and there is a distinct line between the lower half.

Not being able to settle with such imperfection, I set out to do what I should have originally and bought an additional half kit. Had I done this originally the A parts would be combined and mixed first to ensure color consistency. I would have to take my chances. To apply an additional coat of epoxy after the 24-hour window, the floor first has to be roughed up with 120-grit sandpaper. I picked up a pole sander and a pack of sanding sheets. Christine at Epoxy-Coat said that you only need to knock the shine off the floor before adding another coat. I went over the thin areas and areas that would over lap using about 3 sheets. With a damp rag I mopped up the dust and let it dry.

The rest of the process is the same for the second coat but I was much more liberal with my shark grip this round. I just poured and poured. The floor leveled up nicely and luckily the color match was almost dead on. The one thing that stands out now is the brush marks of the second coat against the area I did not re-coat. In hindsight I should have sanded the whole floor and just ran the roller over the old area to ensure a consistent profile. It still looks good. I am at peace with how it turned out because I am NOT touching this floor again!

The floor looks really slick but thanks to the SharkGrip it isn’t! Just to test I poured water on the thickest part of the floor and had my wife and kids try to slide through it. We couldn’t! Dry leaves are slippery coincidentally. Overall I am very pleased with the product and the results. I question the “3-4x stronger than concrete” claim as I was able to scrape up some epoxy overspray on the un-etched lip which came up fairly easily and was surprisingly pliable. Maybe with the clear coat it is much harder? It is no doubt miles ahead of the water-based solutions and I have no regrets except for the delayed second application.

Lessons learned

A single roller is not enough and will start to fall apart towards the end of the application. Plan on buying at least one spare and switch it out before it starts coming apart in your wet floor.
The supplied squeegee will not thread on the pole properly, you have to keep tightening it.
Bugs and leaves are a pain. Bugs you can’t do much about but get all possible leaves far away from your driveway so they don’t blow in during application.
A sharp chisel and hammer work well to open the container seals.
Put the baking soda down after etching BEFORE washing the floor. This was not very obvious to me from the instructions the first time through.
Epoxy is self leveling which is much more evident on thicker areas. Your brush strokes should disappear. Don’t expect holes and cracks to be filled perfectly, however.
Squeegee, squeegee, squeegee! Keep pulling it back and back as much as you can. You really need to thin the line you poured as much as possible.
Just like caulk, if you tape an edge to provide a nice line, pull the tape up while the product is still wet. If you wait too long you will get a raised edge.
If you are alone, do a 10’x10’ section, wait 10 minutes, then back roll it again before moving on to the next section.
Epoxy sets up much faster in warm weather so apply when cool if you can.
Plan how you will roll out the floor ahead of time. Don’t paint yourself into a corner.
Spike shoes are not an absolute necessity but will definitely make your life easier if you can get them.

Hi computersplace.net thieves!

noreply@blogger.com (Weestro) — Tue, 23 Nov 2010 20:26:00 +0000

CP is a fraudulent website that subscribes to and scrapes content from RSS feeds, then republishes them in their entirety. Mine and many others. Republishing other's work 100% without permission is stealing. This sad little website is built completely from stolen content. What’s worse is that they receive adsense revenue thanks to content they’ve stolen from me (and others). Look, they even have a word randomizer that changes specific words like FAST to QUICK. “Exit the Quick Lane”. Brilliant.
I encourage you to visit computersplace.net and feel free to leave an angry comment if you like. :)

**Update**

I reported these thieves to google, since CP uses adsense, and fully expecting no action, google has gotten them to take down all posts republished from my blog. I encourage anyone else who has their feeds being republished by CP, to open a complaint with Google Adsense. It will take a very long time but they will eventually take action!