Monday, November 9, 2009

Happy 5th birthday Mr. Fox

Firefox came to our world 5 years ago and how big of a difference did it make!

For me it wasn't easy but I was able to convert more then 75% of my users off IE and onto Firefox.
I was never able to make the Firefox adm work in my Active Directory environment so I had to find another way.
Chris Ilias wrote a Locking Mozilla Firefox Settings manual in his blog. The concept is changing the preferences to the template you need and then locking it into a new Mozilla configuration file.
While I wouldn't recommend this for a large environment, This is an easy to implement way that provide!

Tuesday, November 3, 2009

Speed Test

I wanted to test my Internet speed at the office. I asked Verizon to provide the data but since they have time and more then 3 month later I'm still waiting, I started playing with some online tools.
I picked speakeasy's speed test as my testing tool and found some puzzling results...

I used my PC to test different browsers (FireFox 3.5.4 & IE6) using different path (firewall as default gateway & ISA 2006 proxy server with GFI WebMonitor 2009).
I have 2 T1s coming from Verizon on a multilink router. I'm not going to start calculate what I should expect, why and how. If you're into this data use a Bandwidth calculator.

First let's see how IE6 did with Proxy enabled

This is theoretically the slowest path since it's not only routed through another server before hitting the firewall but it is also processed by WebMonitor.

Disabling the proxy settings and running the same test on IE6 resulted in the following

While the upload speed was significantly faster I was surprised by the download result. Just can't be!

I had to test FireFox and compare the results

And once more just to make sure I'm getting valid numbers

At this point I realized that this test is worthless. Other then the local factors like other users and services that download & upload, the measurement is flexible and depend on so many factors that I just can't trust it.

Monday, November 2, 2009

netsh save the day

During the weekend I was working with my development team on a new Oracle based app installation.
The part that interested me was a problem they had getting connections work with our remote backup location. This location has a 2nd Oracle server which we sync to the main production machine in our NY office.
The problem seem to be DNS related and not being able to resolve names from that machine we got stuck with the installation. The fact that it was a weekend installation made our frustration even deeper...

I had to find a way to use different DNS settings per interface, an easy task to do via windows explorer BUT I had to get the application to switch settings per request, only when required.
The requirement: The server should use the default domain DNS settings at all time and change it only while processing this one task (and then switch back).
The affected interface is my NIC2Oracle gigabyte card.
Obviously you can't do it manually out of the test\install environment.
I had to find a way to automate it and this is where netsh came to the rescue.
Using the following command you can set the DNS using cmd:
netsh interface ip set dns "NIC2Oracle" static xx.xx.xx.xx

The problem is that this command is still short because it doesn't set a primary and secondary DNS servers.
To achieve this you have to know that if you want to set a primary and secondary DNS address, add index=1 and index=2 respectively to the lines of netsh command.
Adding index=1 and index=2 at the end of the command above will set it as primary or secondary and allow the change I need using a simple batch. When the specific process is done, another batch with the reverse order can switch it back.
How simple...

Tuesday, October 27, 2009

ApplicationXtender and Active Directory

I manage an ApplicationXtender server which is used to manage documents for compliance and accounting purposes. We used to work with a local user database but few years back we switched to the AD synced mode which uses the local logged user. This way I win twice: The password is more secure since it is changed by the domain policy AND the user is not prompt with login screen for ApplicationXtender. A rare win win.

My password policy require the users to change their domain password every 3 month. 14 days before due date they start getting these daily reminders.
When a user forget to change it (or just ignore it on purpose) and the 14 days pass all connectivity to any network resources is lost. When the password is changed work is not interrupted and is not affected. Well, this morning I found this to have one exception...

When you change the password for the user while he is logged in ApplicationXtender will not connect. Testing the Data Source connectivity is successful and yet the client hang. Logging off and then logging back with the new password fixes the problem. I agree that it's weird but hey, I didn't write the program...

Monday, October 26, 2009

Cisco security

I was at a new site for a consulting job and found so many security holes that I had the need to write down few basics for those who didn't know or already forgotten.

When you configure a new router you should decide on a security method that will keep it as secured as possible. Keep in mind that doing nothing is NOT a method.
Working for a small to mid-size shop you're the only one handling the routers, maybe 2-3 more people need access for specific tasks. You have to make sure no one else - internal or external get on the device and make any changes.

One of the most important actions these days is removing all Telnet access and switch to SSH. It is not always possible with old equipment but if you have any of the supported boxes please use it. It is a major security improvement.

Next thing to think about is your local user list. Passwords are kept on the router and show in Show Running-config. Most admins think that using type 7 encryption is good enough. Check this online tool and think again. It is able to decrypt Cisco's encrypted "type 7" passwords!
Now you think this is impressive, check this in the router IOS decryption option...

Another instant easy to implement option is AAA. Use another server for authentication to keep passwords off the router. RADIUS servers can sync with Microsoft's Active Directory and use the same password policy you apply for users on the domain, to the router. That will also make your password management an easier task. Windows 2003 & 2008 can use as RADIUS server using Internet Authentication Service.

These are basic easy tools that cost nothing and require few minutes. You should think of them as a MUST and go implement them yesterday. You do not have to know too much, these do not require being an expert so what are you waiting for?

Friday, October 23, 2009

Phones get static and drop calls

We're using an AVAYA S8400 server going out to 3 lines:
2 PRIs for local and long distance calls
T1 for International calls

2 weeks ago users started to complain about static on the line on local and long distance calls. At first when it was one or two users I thought it might be the phone though you expect a failed hardware to fail at all times and the static was random.
Then more and more users complained and some even added a new complain about drop calls.

In order to isolate the problem I have routed 2 heavily used area codes to the T1. Since no one reported problems on International calls it was a great way to find if the problem is local, equipment or infrastructure on my end or is it PRI\Verizon related issue.

Verizon which run both PRIs tested them after hours and reported back that both lines are clear.
At the same time no one complained about static at the 2 isolated area codes.

As the weekend passed we came back Monday morning to a clean line. No static. No drop calls. I changed nothing and yet the problem seem to be resolved...

Before I close this case I had to switch the 2 area codes back to the PRIs and make sure they are still clear. 4 days later the lines are clean.
To be on the safe side I asked Verizon to test the local equipment (that would be the demarc in my server room). Last night when the technician finished testing he confirmed it is clear.

While no one can explain it there is one last possible option, something we'll never know but can always blame: The building lobby is under renovations.
We used to have our office downtown where the infrastructure is old and fail whenever it's raining. Whenever we saw a Verizon truck within few blocks we anticipated phone or Internet problems. Unfortunately we where right most of the time. Taking this experience under consideration it is more then reasonable to think this option is possible. But as I said, we will never have an real answer.

Monday, October 19, 2009

Lotus Notes Expired ID file

Security is the reason Domino Server require all ID files to recertify once every 2 years (that is the default, can be changed manually).
When the expiration date get close Domino is kind enough to notify the user and there is your problem...
Typically there are 3 groups of users:
Some users will actually read the message that ask them to forward it to an administrator (a one click action).
Most of them will call you and ask why they received the message.
The problem is with the other group, those who ignore it. This group cause problems since they will show up one morning (as one of my dearest users did this morning) and will be locked out of Notes with this error on screen
Server Error: Your certificate has expired
When you have such a user you have to use the Administrator console using this procedure: How to manually recertify an expired ID.
Now don't get me wrong. It is not that complicated and I'm not complaining but it does involve an extra step: Physically access the users client to import the new recertified ID file. While in a small shop it is not that bad, in a larger environment it is a huge pain.
How to avoid it? Educate your users, explain about this certification and hope they'll remember next time and hope they leave before the renewal date because most chances are they will not remember.