Tuesday, April 05, 2011

Squid Proxy - Cache Windows, Adobe, and Java updates

Your pfSense has the ability to cache popular updates like UpdateAccelerator for your favorite OS and its ancillary applications.

You will need to install the Squid Proxy package then go to the Proxy Server under the Services menu.

  • Select the Cache Mgmt tab then set your hard disk cache size to 3000 MB or better (I set mine to 10000 MB because I have a 250GB hdd and there's still plenty of room left).  
  • Up your memory cache size to around 1/4 of the installed memory - this will speed up your proxy over all.
  • Set your maximum object size to 512000 - this will cache files up to 512MB, a bit bigger than the biggest service packs I've come across.  You can adjust this size as you see fit!

Once you have completed these steps paste the following into your pfSense Squid Proxy "Custom Options" and, save it, watch your updates fly (after the initial download):

refresh_pattern ([^.]+.|)(download|(windows|)update|).(microsoft.|)com/.*\.(cab|exe|msi|msp) 43200 100% 43200 reload-into-ims;range_offset_limit -1;refresh_pattern ([^.]+.|)windowsupdate.com/.*\.(cab|exe|msi|msp) 43200 100% 43200 reload-into-ims;range_offset_limit -1;refresh_pattern ([^.]+.|)adobe.com/.*\.(zip|exe) 43200 100% 43200 reload-into-ims;refresh_pattern ([^.]+.|)java.com/.*\.(zip|exe) 43200 100% 43200 reload-into-ims;refresh_pattern ([^.]+.|)sun.com/.*\.(zip|exe) 43200 100% 43200 reload-into-ims

Thursday, March 17, 2011

Ugh, SSL Certificates

Through much trial and error I think I have it figured out:  there are three ways to go when it comes to SSL certificates for your business server needs, and each one can be painful.

  1. Self-signed certificates:  With Server 2003 a self-signed certificate meant that you just had to ignore that overly dire warning you were given in your browser.  It turns out that it is difficult for non-techies to ignore and has been quite a source of worry for the end user, who then decides that the system is broken and finds something else to do.  SBS 2008 changed that in that it becomes a pain in the neck to get your Outlook to work.
  2. Get a certificate from your favorite Certification Authority, like my favorite registrar Register.com.  It's fast, easy, and somewhat expensive - a certificate for a single domain name (remote.yourdomain.com  is probably the one to invest inis $72.00 per subdomain for three years.  Then it gets ridiculous:  Outlook 2007+, Windows Server 2008 SBS or Exchange 2007 and 2010 want you to have a valid certificate that applies to each required subdomain, so a "wildcard certificate" would seem to be in order - I confirmed this by calling Register.com's tech support and asking them which certificate I should use to secure my SBS 2008 - they recommended the wildcard certificate as the answer to all of my needs.  $730 for 3 years.  Fortunately there are ways around this, so DON'T DO IT. See the excellent Third Tier Blog's explanation of how to configure your DNS to work around this.
  3. Get your certificates from StartSSL.  While I have not tried the truly free certificates that they offer, I did undergo the personal and organization validations which were $49.90 each (total of $99.90, I'm not sure what it will cost come renewal time) with the certs being good for two years.  Since I manage systems for multiple organizations it makes sense for me to validate each organization so that my personal details don't appear on their certificates!  Validating yourself and your organization means getting together your personal identifying docs like your drivers license, birth certificate, and phone bill, then your business identifying docs like Articles of Incorporation, Certificate of Insurance, and maybe your business license - whatever you can show that proves you are you and your business is on board with your plans to get a certificate with their name on it (meaning a letter from the owner or CEO).  When requesting certificates you have no option for a "wildcard" certificate, but you may specify as many subdomains as you desire for each of your verified domains - sweet.
An interesting note about StartSSL:  there has been some debate as to the legitimacy of StartSSL as a valid Certification Authority, especially with regards to the free certificates.  While it is easy to get their free certs if you can prove you own the domain, it is also easy to get certs from other CA's.  The barriers to entry to receive a basic SSL cert from the Registrars and other commercial CA's are:  verifying that you own the domain and paying their fees.  StartSSL's Class 1 performs domain name ownership verification.  StartSSL's Class 2 validates your identity using personal documents and business documents then calls your organization and verifies the info, even asking to speak with the owner or CEO!

The real debate is not whether freedom reduces crime with regards to SSL (IMHO it does not - even scammers know it takes money to make money) but whether users have the ability to truly trust an organization - a valid certificate is certainly NOT a guarantee you won't be ripped off, and I feel annoyed that SSL is presented in such a manner - like somehow the crummy lock icon means the web site is not owned and operated by a bunch of crooks

Since StartSSL isn't always considered when adding the Root CA's to OS's and devices you may also have some certificate issues, especially with ActiveSync - by the way, check your Exchange connectivity and certificate problems at https://www.testexchangeconnectivity.com/.

Friday, January 07, 2011

More about SBS 2008 Installation. . .

The SBS 2008 installation process on an HP Server is buggier than a bucket of roaches.  If you don't hold your mouth right while setting it up it just won't take.

  • Use the Manufacturer's "Easy Setup" CD to perform the setup, but DO NOT EVER put in a password for the Administrator, leave it blank or there is a good chance that the installation will fail, particularly the setup of Exchange.
  • SBS 2008 can take a very long time to start up, especially after applying updates.  Don't panic, give it time to finish and it should be fine.  In my experience I worry the most at the black screen with a working mouse pointer but nothing else - just leave it be, it may take a half hour before it comes up!  (Update 14-Jan-11 - My half-hour black screen was due to a defective hard disk, it was a one week old server, and I received SMART errors on startup.  Restored to a new HDD and boot times are in line with what they should be!)
  • Don't apply updates during the installation even though this is the course of action recommended in the dialog, you should install them after the installation completes and you have run the Connect to the Internet Wizard.  Running the updates during the setup has resulted in a failure of Exchange to properly complete setup.
  • Run all updates after completing the initial setup (including setting up your Remote and certificates) and before adding any other applications, users, or computers.
  • Use the SBS 2008 Best Practices Analyzer and do what is says.  I don't know why MS doesn't implement these practices during the install process, but it will make for a smoother server experience.