What? Why did you leave dreamhost?!

I didn’t, my account is still very active. In fact they’re handling my DNS and domains at a great price. I found a neat VPS service called Vultr, which offers a decent slice on SSD for $5 a month. My site has never been faster!

And I get to take the training wheels off my web coding and linux administration skills. Eventually I’ll swing this sub domain over to www. but for now I want to test the waters with this one.

Enjoy.

I hope this helps someone but I’ve been chasing a wifi problem in my house for a few days and finally got to fixing it.

Equipment: 4th Gen Airport Extreme (802.11 a/b/g/n; 2.4GHz & 5GHz)

Symptoms: poor range, slow speeds outside of the room the airport was located.

Configuration: I have it configured auto everything across the board, no unique SSID for the 5Ghz network, and nothing customized other than DNS – thanks to DDOS on Charter’s DNS servers I swapped in Google and Level 3’s DNS servers.

I loaded a free app on my MacBook called WiFi Explorer that displays wifi signals, noise, and occupied channels but the one built into OS X works equally well. I noticed that the 2.4Ghz network was dropping off for 30-45 seconds every minute even though there are devices on my network that require 2.4GHz.

5GHz was solid but as expected it’s range was poor and signal strength at the distances I needed it to work in my house were very low.

Started with power cycling the router. No difference. Soft then Hard reset, no change. 2.4GHz just wouldn’t stay on.

Launched Airport Utility and reset the AirPort to the factory setting, no difference. So now I’m thinking hardware issue. Of course, this is not under warranty anymore.

The last trick I had available was to roll back the firmware. In the airport utility click on the AirPort Extreme to display the serial number and firmware version. Option click on the version and pick 7.6.3 from the list. The utility downloads and installs the firmware. Really couldn’t be more simple.

Bam all is good after the reboot. Both radios functioning at expected levels. So is it a firmware issue or a glitch? So I decided to upgrade the firmware to the latest. The latest does have some good fixes.

After the reboot everything has been solid again. WiFI Explorer shows 5GHz and 2.4GHz on solid and never dropping off. I’m going to chalk it up to a glitch in the firmware that was cleared by reloading the firmware. The only way to do that for these is to rollback then upgrade again. Luckily though in true apple fashion – the utility does all the hard work and maintains your configurations.

Also the iOS utility offers the same functionality, so it’s easy to repair these.

Wrapping up master images has become something virtualization engineers of all product disciplines have to become familiar with. A bad master image can be deployed dozens or hundreds of times – only to find out a simple tweak could have saved you thousands in necessary hardware costs.

Here’s a new hidden gem I found and I hope to add to this list as more arrive.

 

Installing or updating Dot Net

Almost all Microsoft patching includes some form of a dot net update. When this product is updated, it likes to recompile a lot of code to help speed up launching dot net applications – pre-compiling actually does help user perception of application launch speeds.

Typically you run windows update on a server or workstation and dot net installs its updates and queues items in a work list that dot net executes later. This typically happens later in the day or evening and almost always pegs your CPU for a minute to 1/4 of an hour while is pre-compiles code.

Microsoft is pretty clear about this process in this MSDN Blog post.

The problem is, when you’re patching master images – you don’t want to leave the queued items for each deployed VM to have to execute. Deploy a dozen servers, and now you have a dozen servers with queued dot net jobs waiting to flog your CPUs.

For Windows 2008 R2 and Windows 2012 servers, you can easily kick off these queued items before you wrap up your images for templates by following these simple steps:

  1. Run a comand prompt or powershell prompt with administrative privlegdges.
  2. Run this command:
    c:WindowsMicrosoft.NETFramework64v4.0.30319ngen.exe executeQueuedItems
  3. Wait for the compiling to finish
  4. Exit

The blog post above contains other paths for other versions of Windows, but hopefully that helps others.

KISS, keep it simple stupid. An old saying I try to keep in mind when working on a solution. My home network hasn’t maintained this zen philosophy.

My most recent setup has been driven by a recent discovery that I can keep my Apple Airport’s built in Guest network, as long as I can connect the Airport’s to something that can pickup VLAN 1003, the VLAN Apple decided to isolate the users on the guest network so they wouldn’t be able to see file or print shares on the main network.

So I decided to build a firewall but the only hardware I had was a bit overkill and didn’t want to dedicate the whole thing to this one task. I started with a used Dell OptiPlex 745 micro tower. This little workhorse has a dual core Intel CPU chugging along at 1.8Ghz, it’s got the virtualization instructions and 64bit capable. The Dell came with a tiny hard drive and a few gig of ram, but I grabbed a spare SATA drive and purchased four sticks of 2GB RAM from an ebay seller. I also picked up an Intel gigabit NIC to compliment the onboard gigabit NIC.sophos

The Dell runs VMware ESXi 5.5 with a free license. I’ve configured the VMware host with four networks.

  1. External network, connected to the vSwitch that uplinks to the Intel Gigabit NIC
  2. Internal network, connected to the vSwitch that uplinks to the onboard Gigabit NIC
  3. Guest network, connected to the same vSwitch that uplinks to the onboard Gigabit NIC, but is on VLAN 1003
  4. DMZ network, connected to a vSwitch that doesn’t connect to anything physical, I’ll use it for test/dev VMs I create on the host.

 

I signed up for a free account with Sophos, here so I could download their UTM software. They also provide a generous license for home users that will protect up to 50 IP addresses. It’s almost nearly fully functional and includes managed end point protection for up to ten Windows computers. If I really wanted to go nuts, I could buy some Astaro (now Sophos) wireless access points and have them fully managed from this server but I think the Airport Extremes will work just fine.

Sophos offers a prebuilt appliance you can download and just run out of the box, but I think they let their junior assistant’s intern build it. It has poor performing configuration choices… and really you’re just better off building it from scratch. The .ISO is pretty universal – it’ll handle installing on bare metal, virtual, or being installed on Astaro/Sophos hardware appliances.

So going on information from the forums and documentation:

  • OS is based on SLES 11 64bit
  • 1 CPU, 2 Core
  • 4GB of RAM
  • 60GB of Disk, using a SAS controller
  • 4 x VMXNET3 vNICs – leave all but the internal vNIC disconnected (Intel E1000 vNICs work, too but will consume more resources than the VMXNET3 paravirtual vNICs)
  • USB controller (for USB backups)
  • Delete the floppy disk drive, serial, and parallel ports

Boot the VM from the .ISO, and go through a few basic questions. It’ll handle the disk partitioning, volume formatting, and even installs VMware Tools for you because it identifies itself as a VMware VM and goes that extra step. Once you do the install, you’ll have to browse to the server’s IP on port 4444. During this final setup you’ll be prompted to upload the license file Sophos sends you and answer a few questions about the preliminary firewall rules.

I would recommend checking all of the basic firewall rules – Email, DNS, Web, etc. This will make your start a little easier. Leave the rest of the monitoring, filtering, and all that disabled, it’s only going to get in the way.

Now comes the tricky part – matching the physical nics with the virtual networks and vNICs on the Sophos UTM virtual machine. Under Interfaces & Routing, click on Interfaces. You’ll see your Internal interface [UP]. Add a second interface, let’s start with the Guest network.

  • Name: Guest
  • Type: Ethernet Static
  • Hardware: Pick one
  • IPv4 Address: choose an IP for this interface and a net mask to set the size. This IP will be the gateway for everything on this network.
  • No other settings need to be changed or enabled

Once you save the interface, you’ll see that it’s [down]. Edit your VM, and enable the vNIC connected to the Guest network. If the interface doesn’t go up, edit it and pick a different eth in the hardware menu. Once you hit it, follow through on the other networks until you have all four up and running.

Now, Sophos UTM comes out of the box ready to support an internal LAN and external WAN. Additional network will require some more configuration, read on.

Network Services

DHCP and DNS needs to be configured for at least the Guest network. You can set it up for DMZ too, if you want. Navigate to Network Services, DNS. In the Global tab, click the folder icon and choose your Guest (Network) and DMZ (Network).

Then switch over to DHCP and click New DHCP Server, and add a new one for the Guest network. The gateway and DNS IP addresses will be the interface IPs you setup earlier, they end in .1.

While you’re here – switch to the NTP network service and allow Guest and DMZ to access the NTP server you’ll configure later.

Masquerading Rules

The one setting that got me stuck was the NAT settings. Switch to Network Protection – NAT. You’ll notice a rule already set for Internal (Network) -> External.

Clone this rule and set it up for DMZ and Guest so they can also connect to the outside world.

Airport Changes

Now that I had a functional firewall, I needed to get the Airport Extreme devices configured. I launched the Airport utility from my Mac (you can do the same from any iOS device) and configured the Airports for bridge mode and turned off the password on my Guest network – the UTM will handle authentication now. Everything else works fine – one of my AEs is a print server with two printers, and a Time Machine backup target with a 2TB USB disk attached… all work fine.

Pro tip: once the AE is in “bridged mode” , you lose the ability to use the WAN port for anything. Just use the LAN ports for connectivity back to the Sophos UTM or other Airport Extreme APs the WAN port becomes a LAN port in bridged mode (I had a different experience in previous firmwares, so something must have changed).  If you use a switch – make sure it can forward VLAN tagged traffic, most SOHO switches will not. If you have multiple Airport Extreme APs, daisy chain the AE APs to ensure VLAN 1003 packets get delivered back to the Sophos UTM and hang the switch off of the other ports to provide more access ports to your internal devices.

Captive Portal

Okay, this was the icing on the cake for this deployment. Now that I have my guest network isolated on a dedicated interface and VLAN, I can really do some neat stuff with Sophos UTM.

  1. In the Wireless Protection section visit Global Settings.
  2. Enable the Wireless Protection, then add the Guest interface to the allowed interfaces.
  3. Click Apply.
  4. Visit the Wireless Networks, Access Points, and clean out any auto-configured networks or access points.
  5. Then click on Hostspots. Enable the Hotspot feature.
  6. Switch to the Hotspots tab.
  7. Add a new one, call it Guest Portal or something easy to identify.
  8. Add the Guest interface to this hotspot and configure the rest of the options for your unique needs.

Tips: The Password of the Day will not be an easy password. It’ll be something like ogaleseh35 (that was yesterday’s password at my house). This password is good for the day.

You can opt for a Voucher system… which is really powerful. You can limit by time and or consumed bandwidth. I can see myself forcing my kids to use a guest network and only handing out vouchers when stuff is done around the house. You can delegate access to other people so they can log into a user portal on the Sophos UTM and print or PDF additional vouchers.

Additional Features

A few other features I turned on:

  1. Global IPS, I turned off the IPS for now on my internal network until I can isolate my dumb media devices (smart TVs, etc) and exclude them
  2. Endpoint Protection (free AV software) – sophos managed end point for Windows (OS X is free, but still not managed yet!)
  3. Uplink Monitoring – I won’t get emailed when it goes down (duh!) but I’ll get the down and up alert when the UTM can send email again.
  4. User Portal – for people to get VPN setup and vouchers for guest wifi
  5. NTP – accurate time isn’t an option any more.

Additional Firewall Rules

Sophos UTM is a true firewall. Nothing gets in or out with an explicit rule. This can be very challenging at home when you have a myriad of different devices. Most devices like Apple TV, Vizio TV apps, and the like catch a ride on port 80 or 443, so if you have web enabled, you’re good to go.

Additional rules are needed to allow stuff like MineCraft, Apple Push Notifications, AT&T Microcell, Mumble, Xbox Live, etc… be prepared to spend some time digging around knowledge bases or Googling to find the appropriate ports. Luckily, it’s real easy to build rules.

Tip: Use groups for rules that you may need to add different ports or services to a single rule. I made one called Games. Now when I run into another game (or service like Steam) that needs another port allowed out – I can create the Network Service, and just add it to the existing Games group.

I have a rule for Apple. Holy crap they have a lot going on. Most you don’t need to allow out or are handled by existing rules.

  • iCloud DAV services, iChat, FaceTime, Game Center, yuck… Lots of UDP port ranges, but again these are only allowing these apps OUT – not random internet person reach into your network on these same ports. On the topic of Apple, when watching the firewall logs I forgot they have a Class A IP range… so it may be easiest just to create a Network rule and call it Apple’s Network… then you can use that in each rule for apple.
  • Xbox Live has a list of UDP and TCP ports that need out, and a NAT rule to allow UDP/TCP 3074 back in
  • AT&T’s Microcell needs to have https, ntp, and some IPSec traffic allowed out to femtocell.wireless.att.com and after watching it fail – another IP, 12.230.209.70,  in AT&T’s IP range that wasn’t documented. Once that last IP was added to the rule, bam – solid 5 bars.

 

Final Tips

One last thing that can help your UTM perform better is to disable logging and reporting if you don’t need it. I turned off all the reports but after reviewing the rules – the logs can be retained for no less than 1 day. So I chose to disable logging. This caused a problem with troubleshooting the firewall – I couldn’t view the live log, it wasn’t being generated!

So I turn it on when I want to troubleshoot something, but I’ll leave it disabled. I’m not sure how the 5th amendment fits in to a firewall keeping logs of your internet traffic for a year… but if you don’t have to save all the data about your network activity – why flog your UTM’s storage when you don’t have to.

On the flip side, if somethings not working – almost every feature has a Live Log view so you can watch the blocked packets fly by. This is exceptionally helpful.

This evening I got an urgent email from a colleague that just got the rug pulled out from under him. His customer decided that the two web servers on the front end of a SharePoint farm he was building couldn’t be 2008 R2 because they require 32bit servers. I stayed far away from the “why” – and just wanted to help deliver the “how” as easy and fast as possible.

The problem he ran into was when he deployed two Windows 2008 32bit Enterprise Edition servers… they never customized from the template. Still had the default password, network settings, and host names, just bit for bit clones of the template with a customized answer file waiting to be applied.

Normally, vCloud Director will clone the template, push an answer file to it that contains all the things that have to change to make it a unique server, then kick off a sysprep (in windows) to make it all happen. Within a few minutes your clone is now a new server with your settings already set – ready to run.

Not this time. And to be honest, I don’t ever think we deployed a 2008 32bit Enterprise server – so the template may have been broken from day -1.

After digging around in the sysprep logs, I find a break…

SYSPRP LaunchDll:Failure occurred while executing 'C:Program FilesInternet Exploreriessetup.dll,SysPrep_Cleanup', returned error code 2
SYSPRP RunExternalDlls:An error occurred while running registry sysprep DLLs, halting sysprep execution. dwRet = 2

Okay, so I verify iessetup.dll exists. So why aren’t you executing it.

After more digging and some Googling, I think I find the root of the issue… we’re missing a registry key.

HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunOnce

It appears that when .NET is installed and removed before sys prep – it can remove the RunOnce key, which is used by Sysprep to store some commands using iessetup.dll.

I simply launched our template, added the key, and wrapped it back up. Redeployed the two servers – and bam…

Two 2k8 32bit servers deployed without a hitch. It’s now 1:10am and I haven’t even touched my other work tonight.

 

Source of Solution:

http://social.technet.microsoft.com/Forums/en-US/itprovistadeployment/thread/a85fa983-344c-49a4-ba64-904c241129bc/

A year ago I converted our landline over to Vonage. It was about the same price as our existing landline from a CLEC, but brought with it more features and a pretty cool advantage of sticking it to the man… or at least that what the Vonage commercials let you believe.

Fast forward to this month. I’ve dumped Vonage, mainly because they couldn’t fix a simple problem of routing a call to my in-laws’ house across town who also had Vonage. We also have cellphones with unlimited voice and texting, so the landline wasn’t really necessary anymore. I did want to keep our home number, so I hit the Google and found a great resource on how to “port” my home landline number to Google Voice. There are a ton of resources from others online who have done it – so I won’t copy their hard work. I’ll just let you know I used an AT&T GoPhone for $25 to get my number away from Vonage.

Once the number was in AT&T Wireless’ database – it was ripe for porting to Google Voice. Another $20 to port it. So now I’m 1.2 months worth of Vonage to get my number to a cloud service.

Exactly 24 hours after I paid my 20 bucks, Google emails me and let’s me know they have it. Two days later, Vonage send me a goodbye email. I still changed my method of payment over to my empty Paypal debit card so they couldn’t charge me beyond my last month.

Now comes the tricky part. Fooling your family and friends.

By default, Google Voice will screen your calls. This means that anyone that calls you will get the Google Voice attendant asking “After the beep, please state your name… BEEEEP” then the caller is put on hold while GV rings you and announces the call. It’s quite an ordeal if your grandma calls you and has no clue what this chick is asking and why?

Update your contacts in GMail and/or Google Voice. Make sure the numbers are correct and group your friends into a friends group, family into a family group, etc. Then you can set up group based rules. Like family rings right through – no screening. Friends ring my cell during the day and only Google Talk at night.

Oh, and if you need to make outbound calls from your home number – use the Google Voice app on your cell, calls inside the US are 100% free and it only uses data. You can even call from your browser if you have a decent headset or use your laptop as a speaker phone. I pay about $4/mo to Skype to let me call from my tablet, computer, or cell to landline phones – Google Voice is going to save me the $4 now.

Total savings: $4/mo Skype, $39/mo Vonage Unlimited… so $516/year… which pays for one of my extra iPhone lines outright.

If I ever need to light up my home landline again, I’ll just get one of these.

We’re spinning up Windows 2008 R2 Standard servers from templates in our vCloud environment and begin to notice a problem. We can’t join them to a working domain.

Network Path Not Found is the error we got when we attempted to join the domain.

After some troubleshooting, we think it might be DNS issues… but everything works. After further investigation we notice that the service TCP/IP NetBIOS Helper is set to Automatic – but is not running. Attempts to start it, fail.

Nothing around the net is helpful – so we start tearing apart a working server. The one registery key related to the TCP/IP NetBIOS Helper is different.

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetservicesNetBT

Start Value should be set to 2 instead our broken server was set to 4.

This also solved the event log entry:

Service Control Manager (7001 – None): The TCP/IP NetBIOS Helper service depends on the NetBT service which failed to start because of the following error: The service cannot be started either because it is disabled or because it has no enabled devices associated with it.

A few months ago, I removed my MacBook Pro’s optical drive and replaced it with an inexpensive disk caddy from Amazon and a 120GB Intel SSD disk from BestBuy all told for about $110.

After removing the optical drive and placing the SSD into the caddy, I wanted to do a clean install so the Mac was running on the SSD – so I downloaded OS 10.8 and placed it on a thumb drive (yes, I purchased it and just let the App Store download it again). I made sure the TimeMachine backup was up-to-date and that I could restore from it before I went any further.

Most of my information was based on this blog post by Andres Petralli, so credit is due almost 100% to Andres – thanks!

Insert your OS X thumb drive into an available USB port and restart your Mac.

Hold down the Option key to force your Mac into Recovery mode.

Choose the OS X thumb drive – it’ll look like an Orange USB Drive

Once you’re booted up into recovery mode, launch Disk Utility.

Delete all of your partitions on both disks and leave them empty.

Exit out of Disk Utility, navigate the menu of the Recovery Partition – select Utilities -> Terminal

Enter the command:

diskutil list

You should get some output that will display your physical disks. Almost always, your two physical disks will show up with /dev/disk0 and /dev/disk1 – compare the sizes to be sure you’re working with the right ones.

Enter the command:

diskutil coreStorage create NameYourPartition disk0 disk1

You can name your LVG (Logical Volume Group) anything you wish – I named mine FusionDrive to keep it simple while I followed Andres’ instructions.

Enter the command:

diskutil coreStorage list

Now you’ll see your LVG, that is currently built on two physical volumes and presenting a Logical Volume Family to the computer. Notice the < and > on the tree structure. The physical disks are “feeding” the logical volume family. Also notice the long alphanumeric strings after each item – these are called UUIDs or universally unique identifications – they allow a computer to maintain unique ids on hardware or objects that could be similar in every other way.

Now we have a single empty volume to work with and create a partition to be formatted and be used by the computer.

Now run the command:

diskutil coreStorage createVolume [copy and paste the Logical Volume Family UUID here without the brackets] jhfs+ MacintoshFD [enter the number of gigabytes you want to use, subtract 10GB for a recovery partition]g

Example: My LVG has a total size of 869.0 GB and the LVF UUID is 928D4C88-86FD-46DF-B487-3B0E0467349E
Example command:

diskutil coreStorage createVolume 928D4C88-86FD-46DF-B487-3B0E0467349E jhfs+ MacintoshFD 859g

You’ve now created an HFS+ Journaled volume called MacintoshFD that is 859GB large.

One last step while you’re here – let’s encrypt this beast so our data remains secure.

Run the command:

diskutil cs encryptVolume [UUID of the Logical Volume of MacintoshFS]

You’ll be prompted for a password and confirmation – but after that, the encryption will begin and happen in the background. Rebooting, shutting down, installing the OS, whatever – it’ll just chug along in the background until it’s done.

Now, go and install your OS X and retrieve your data from your backup.

 

Some related reading:

http://www.petralli.net/2012/10/analyzing-apples-fusion-drive-in-an-attempt-to-retrofit-an-existing-macs-with-an-ssd-and-a-traditional-hard-disk/

http://blog.fosketts.net/2011/08/04/mac-osx-lion-corestorage-volume-manager/

https://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man8/diskutil.8.html

Getting back into the groove at a new job, new list of tasks, new home schedule, and for once – a true training schedule to get me back on the road to good (better?) health.

I’ve signed a five page NDA that is scares me to type anything more work related than the words “work related” so my posts will typically be generic if they discuss VMware or my new employer TDS Hosted and Managed Services (TDS HMS). And anything I typically share – will always be available somewhere else already published and approved the marketing… okay with that out of the way, here we go.

Visi, Team, Vital Support Systems, and OneNeck are all owned by TDS. With a big toolbox of resources and a roster of some of the smartest and battle hardened folks in the business – I’m honored to be onboard with the crew leading up their new cloud IaaS product ReliaCloud. And for those who ask, no that is not me in the NOC photo this time. I honestly tried to find the photo but wasn’t successful. Internet Wayback Machine to the rescue… which goes to prove don’t let marketing photograph you – you’ll never get it off the internet. :)

And with that, I’m wrapping up a lunch hour post and hope to add more meaningful entries in the near future.

I took this week after classes finished to tear down our View 4.6 cloud that was hosted on vsphere 4.1 ESX servers and redeploy it properly with a dedicated vCenter server, upgrade the vmware environment to 5.0 U1 and then roll out a new View 5.1 environment.

A few quick observations for those planning upgrades. Read the installation, administration, and upgrade manuals completely and make notes of all the changes or ancillary upgrades you may need to do.

I ran into a couple of hiccups but nothing too painful.

The security server wouldn’t link with the connection server until we opened up the extra ports in our DMZ firewall and had IPsec encapsulation enabled. Yes, it’s clearly documented – it just needed to be read. Oh and the installer says you can use the IP or FQDN of the connection server while installing the security server – don’t use IPs. Use the FQDN and make sure that your security servers can resolve the FQDN of the connection server.

Make sure you have a good public cert if you’ll be letting anyone outside your organization connect. If not, bone up on running a certificate authority in your network. You should already be deploying internal certs to your servers and workstations.

I’m digging the new features like host caching (2GB of server ram dedicated to caching storage… Zoom!) and finally an OS X client that does PCoIP and doesn’t require Microsoft’s RDP client.

I just finished deploying new thinclient images with View 5.1 clients and the new root CA. The wildcard cert we purchased in February from GeoTrust was great… Except the HP thinclients didn’t have GeoTrust’s root cert so the entire view environment was Untrusted and the clients just failed to connect.

Tomorrow I start deploying Win 7 desktops…