Nothing to IT<br />
Hard Learned IT Lessons and Random Thoughts<br />
Justin (http://www.blogger.com/profile/09153875973225966200), feed updated 2024-03-08<br />
<br />
Examining Vendor Lock-In (2020-09-15)<br />
<p><span style="font-family: Helvetica; font-size: 12px;">Vendor Lock-In. Sometimes it’s subtle, sometimes it’s overt, sometimes you agree to it, sometimes you’re lured into it, and sometimes, it just happens. When you have a relationship with a vendor that’s hard to break, you might want to take a step back and consider what’s cementing the deal. You may ask yourself:</span></p>
<p style="font-family: helvetica; font-size: 12px; font-stretch: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p>
<ul>
<li style="font-family: helvetica; font-size: 12px; font-stretch: normal; line-height: normal; margin: 0px;">Who - With which vendors do you have locked-in relationships?</li>
<li style="font-family: helvetica; font-size: 12px; font-stretch: normal; line-height: normal; margin: 0px;">What - What is locking you in?</li>
<li style="font-family: helvetica; font-size: 12px; font-stretch: normal; line-height: normal; margin: 0px;">Where - Where are the contracts or agreements? Have you reviewed them lately?</li>
<li style="font-family: helvetica; font-size: 12px; font-stretch: normal; line-height: normal; margin: 0px;">When - When could you begin a relationship with a new vendor?</li>
<li style="font-family: helvetica; font-size: 12px; font-stretch: normal; line-height: normal; margin: 0px;">Why - Why are you continuing the relationship?</li>
</ul>
<p style="font-family: helvetica; font-size: 12px; font-stretch: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p>
<p style="font-family: helvetica; font-size: 12px; font-stretch: normal; line-height: normal; margin: 0px;">Let us examine each of these points and ask questions that will help us understand our vendor relationships and whether they are beneficial to continue.</p><p style="font-family: helvetica; font-size: 12px; font-stretch: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p>
<p style="font-family: helvetica; font-size: 12px; font-stretch: normal; line-height: normal; margin: 0px;">Who has you locked in? Examine your vendor relationships and ask yourself if you could replace each of them easily. Are you unhappy with any vendors yet continue to patronize them? If a vendor suddenly folds, how will that impact your business? </p>
<p style="font-family: helvetica; font-size: 12px; font-stretch: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p>
<p style="font-family: helvetica; font-size: 12px; font-stretch: normal; line-height: normal; margin: 0px;">What’s locking you in? Typically it’s a contract - a great example is cellular phone contracts. Sometimes it’s multiple contracts, and if the vendor is especially nasty, they’ll stagger the contract expirations by six months to a year, making it expensive and difficult to get out of the service. Almost as often as contracts, it’s knowledge, or lack thereof, which is locking you into your relationship. Specialized equipment, vintage gear, and custom machinery or computer programs all require specialists, and sometimes those are few and far between, so your choices are limited and lock-in is inevitable.</p>
<p style="font-family: helvetica; font-size: 12px; font-stretch: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p>
<p style="font-family: helvetica; font-size: 12px; font-stretch: normal; line-height: normal; margin: 0px;">Where are the agreements? Have you examined them? What does it take to end the relationship?</p>
<p style="font-family: helvetica; font-size: 12px; font-stretch: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p>
<p style="font-family: helvetica; font-size: 12px; font-stretch: normal; line-height: normal; margin: 0px;">When could you begin a relationship with a new vendor? Do you really want to? Would you like to renegotiate the deal? If you’re a long-standing customer with an expiring long-term contract, consider asking for a discount as your service provider may have solved your problems and now be in the rhythm of maintaining and providing your service with little actual work required on their part. It certainly won’t hurt to ask, and it will pay off if they answer yes.</p>
<p style="font-family: helvetica; font-size: 12px; font-stretch: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p>
<p style="font-family: helvetica; font-size: 12px; font-stretch: normal; line-height: normal; margin: 0px;">Why are you continuing your relationship, or why are you pursuing a new relationship? “Because that’s how we’ve always done it,” is the wrong answer and you know it. Good reasons to continue, or to change, include getting out of toxic relationships, saving money, and gaining more services or value for your money.</p>
<p style="font-family: helvetica; font-size: 12px; font-stretch: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p>
<p style="font-family: helvetica; font-size: 12px; font-stretch: normal; line-height: normal; margin: 0px;">Lock-in revolving around rare or custom business equipment is understandable, but lock-in stemming from commodity services, such as telephone service or e-mail, is unacceptable. Some services can be acquired directly from the provider, and there are multiple competing providers driving value and innovation while making it easy to switch - the ability to switch drives its own value proposition, which must be weighed when considering a service. Don’t hesitate to ask a vendor how easy it is to switch FROM them to another vendor, and factor that into your final decision.</p>
<p style="font-family: helvetica; font-size: 12px; font-stretch: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p>
<p style="font-family: helvetica; font-size: 12px; font-stretch: normal; line-height: normal; margin: 0px;">I don’t like being locked in, and I will not treat my customers unfairly. I use 3rd-party services which can be easily spun off should the customer wish to continue receiving those services, and often set them up in a manner that allows my customers to have a direct relationship with their vendor rather than depending upon me to provide the service. We don’t provide the services; we make them easier. You pay your vendor, and we help manage the services you’re receiving from that vendor. If you decide that someone else provides a better value, it’s easy for us to hand those services off to our customers or the next technician.</p>
<p style="font-family: helvetica; font-size: 12px; font-stretch: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p>
<p style="font-family: helvetica; font-size: 12px; font-stretch: normal; line-height: normal; margin: 0px;">At Your Service,</p>
<p style="font-family: helvetica; font-size: 12px; font-stretch: normal; line-height: normal; margin: 0px; min-height: 14px;"><br /></p>
<p style="font-family: helvetica; font-size: 12px; font-stretch: normal; line-height: normal; margin: 0px;">Justin</p>
<br />
Use Nmap to Scan for Unused IPs (2019-03-20)<br />
<br />
So I have a customer who can't use DHCP, and I'm adding phones. Their IPs are all over the place, and managed through a (somewhat inaccurate) spreadsheet - what to do? Nmap to the Rescue!<br />
<br />
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">sudo nmap -v -sn -n 192.168.1.0/24 -oG - | awk '/Status: Down/{print $2}'</span></blockquote>
<br />
For a slower and more accurate scan, try:<br />
<br />
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">for ip in 192.168.1.{1..254}; do { ping -c 1 -W 1 "$ip" ; } &> /dev/null || echo "$ip" & done | sort -t . -k 4,4n</span></blockquote>
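An added example (not part of the original post): before handing out an address, reconcile the scan's grepable output with the spreadsheet, because "Down" only means nothing answered while the scan ran. The CSV layout (header row, IP in the first column), the function names and all sample data are assumptions constructed for illustration.

```sh
#!/bin/sh
# Reconcile `nmap -v -sn -n <net> -oG -` output with the IP spreadsheet.
# Assumption: spreadsheet exported as CSV, header row first, IP in column 1.

# Constructed sample of grepable scan output. Real output separates the
# "Host:" and "Status:" parts with a tab; the awk splitting accepts either.
sample_scan() {
cat <<'EOF'
# Nmap scan initiated (constructed sample)
Host: 192.168.1.1 ()  Status: Up
Host: 192.168.1.2 ()  Status: Down
Host: 192.168.1.3 ()  Status: Up
Host: 192.168.1.4 ()  Status: Down
Host: 192.168.1.5 ()  Status: Down
Host: 192.168.1.10 ()  Status: Up
# Nmap done (constructed sample)
EOF
}

# Constructed sample spreadsheet export.
sample_sheet() {
cat <<'EOF'
ip,device
192.168.1.1,gateway
192.168.1.2,front-desk printer
192.168.1.3,phone ext 101
192.168.1.5,phone ext 102
EOF
}

# reconcile SHEET.csv SCAN.gnmap -> one "IP VERDICT" line per scanned host
#   FREE         no reply and not in the spreadsheet: candidate address
#   LISTED-DOWN  spreadsheet says in use but no reply: may be powered off
#   UNLISTED-UP  replying but undocumented: the spreadsheet is missing it
#   OK           replying and documented
reconcile() {
    awk -F'[ \t,]+' '
        FILENAME == ARGV[1] {                    # first file: the spreadsheet
            if (FNR > 1 && $1 != "") listed[$1] = 1
            next
        }
        $1 == "Host:" && $(NF - 1) == "Status:" {   # second file: the scan
            if ($NF == "Up") verdict = ($2 in listed) ? "OK" : "UNLISTED-UP"
            else             verdict = ($2 in listed) ? "LISTED-DOWN" : "FREE"
            print $2, verdict
        }
    ' "$1" "$2" | sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n
}

# free_ips SHEET.csv SCAN.gnmap -> only the addresses safe to consider
free_ips() {
    reconcile "$1" "$2" | awk '$2 == "FREE" { print $1 }'
}

# Demo on the constructed samples.
tmp=$(mktemp -d) || exit 1
sample_sheet > "$tmp/sheet.csv"
sample_scan  > "$tmp/scan.gnmap"
reconcile "$tmp/sheet.csv" "$tmp/scan.gnmap"
rm -rf "$tmp"
```
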
<br />
Allow a User to Access All O365 Mailboxes (2019-02-22)<br />
<br />
<div>
Connect to O365 using PowerShell, then issue the following, replacing SOMEUSER@SOMEDOMAIN.COM with the proper user:</div>
<div>
<br /></div>
<div>
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Add-MailboxPermission -User SOMEUSER@SOMEDOMAIN.COM -AccessRights FullAccess -InheritanceType all</span></blockquote>
</div>
<br />
To turn it off, change Add-MailboxPermission to Remove-MailboxPermission:<br />
<br />
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Remove-MailboxPermission -User SOMEUSER@SOMEDOMAIN.COM -AccessRights FullAccess -InheritanceType all</span></blockquote>
<br />
Necessary Software for Your IT Toolbox (2016-03-04)<br />
<ol>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;"><b>Disk Cloning Solution: </b>I'm partial to<a href="https://store.acronis.com/882/cookie?affiliate=32875&redirectto=http://www.acronis.com/en-us/" target="_blank"> Acronis Backup v11</a>'s Live CD for this job - it's fast, easy, and well supported. However, we can't always have the luxury of a $90 backup solution. For those customers without an Acronis license I use <a href="https://sourceforge.net/projects/g4l/" target="_blank">G4L - Ghost 4 Linux</a> - it's an intimidating looking tool, and it's certainly not very fast, but the price can't be beat. Learn how to use G4L at </span><a href="http://www.oakdome.com/lab/?page_id=8">http://www.oakdome.com/lab/?page_id=8</a>.</li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;"><b>Password Reset Solution:</b> My fave tool is </span><span style="font-family: "courier new" , "courier" , monospace;">chntpw</span><span style="font-family: "arial" , "helvetica" , sans-serif;">. Available as part of the excellent <a href="https://www.kali.org/" target="_blank">Kali Linux</a> computer forensics toolbox, </span><span style="font-family: "courier new" , "courier" , monospace;">chntpw</span><span style="font-family: "arial" , "helvetica" , sans-serif;"> allows you to edit the registry offline (and I can think of reasons to do this far beyond password reset). If you don't want to fuss with an entire Linux distro just for </span><span style="font-family: "courier new" , "courier" , monospace;">chntpw </span><span style="font-family: "arial" , "helvetica" , sans-serif;">you can use the excellent <a href="http://pogostick.net/~pnh/ntpasswd/" target="_blank">Offline Windows Password & Registry Editor</a> - this is a LiveCD or Bootable USB that will make NT passwords as easy as Linux can make them. It is </span><span style="font-family: "courier new" , "courier" , monospace;">chntpw </span><span style="font-family: "arial" , "helvetica" , sans-serif;">neatly packaged in a LiveCD, so it also allows registry editing. Be certain to read the fine manual because the interface looks quite intimidating.</span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;"><b>Windows 10 Upgrade DVD: </b>Many businesses are making the switch to Windows 10 because it is more secure. Viruses and spyware are hounding users. Windows 10 has several improvements that help prevent viruses. It's also faster, more stable, and has some neat cloud management features. Follow <a href="http://news.thewindowsclub.com/windows-10-iso-download-79481/" target="_blank">these directions</a> to get some Windows 10 ISO goodness and create your own Upgrade DVD. If you're upgrading, I suggest booting the target computer into Windows 7 and then running the DVD; booting from the DVD is for clean installs. Windows 10 installs using the computer's Windows 7, 8, or 8.1 license key.</span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;"><b>RAM Diagnostic CD: </b>BSOD, slow boot, disk corruption, slow shutdown, poor performance, hangs and freezes, all can call for a RAM diagnostic. <a href="http://www.memtest.org/" target="_blank">Memtest86+</a> has been my go-to for quite a while. Download the latest version, unpack it, and burn your ISO to a CD. Run it with all of the RAM installed and allow it to do a few passes; if it finds nothing, shut it down and call it good. If it shows errors or freezes, then shut down and pull out all but the 1st stick of RAM. Boot into the diagnostic and allow a few passes - if it passes 4 or 5 times, shut it down and repeat with the remaining sticks until the faulty one is identified.</span></li>
</ol>
<br />
AT&T UVerse Motorola NVG510 Bridge Mode (2016-01-04)<br />
<br />
The best instructions are available here:<br />
<br />
<a href="http://www.dslreports.com/faq/17734">http://www.dslreports.com/faq/17734</a><br />
<br />
Please note that I have not yet encountered the conflict between Bridge Mode and VOIP services.<br />
<br />
Overall, I am very dissatisfied with the UVerse experience. If there is any alternate service provider available, please consider using it. In my humble opinion, UVerse is poorly supported, slow, and much more prone to failure than any competing service.<br />
<br />
A much deeper issue, and I see this as much in competing services as I do in AT&T, is that technicians are really only equipped and trained to deal with the service provider's network and are truly clueless when it comes to the customers' networks. Issues with DHCP, DNS, and firewalling are way over the head of the typical installer. This needs to change because customers are becoming increasingly irritated with the ineptitude displayed by the service technicians sent by Internet providers. I often feel that these companies are operating in a way analogous to having oil change technicians perform engine repairs - the techs know what most of the parts do, but they aren't familiar with the theory and details of the inner workings.<br />
<br />
From DSLReports:<br />
<blockquote class="tr_bq">
Bridge mode, DMZ+, or IP Passthrough are the
features that permit you to run your own router behind the AT&T
provided residential gateway with a public IP address on its outside WAN
interface. The NVG589 supports the IP Passthrough feature to accomplish
this.<br />
<div>
<br /></div>
<div>
To be technically accurate, the NVG589
does not actually "bridge" the traffic. It will enable a default rule to
forward all unknown inbound traffic to the AT&T public IP address
to the MAC address of the internal router. This will preserve the public
destination IP address on incoming packets and allow you to control
inbound access for services and security from your personal router.</div>
<div>
<br /></div>
<div>
The
NVG589 will still map session state information for each connection
passing through, similar to a traditional NAT configuration. The only
thing it will do with this traffic is rewrite the destination MAC
address to that of your personal router's WAN interface. The NVG589
includes more memory and can support 8192 simultaneous connection
entries, as compared to previous gateways that were limited to a maximum
of 1024.</div>
<div>
<br /></div>
Make sure you have a notebook or a computer that you can directly connect to the NVG589. Once you have that, unplug <span style="font-weight: bold;">all</span> Ethernet cables (including television STBs) from the NVG589 <span style="font-weight: bold;">except</span> for the previously mentioned notebook/computer. <span style="font-style: italic;">Note: the WAN connection from AT&T is not an Ethernet connection.</span><br /><br />Second, write down the <span style="font-weight: bold;">WAN-side</span> MAC Address of your personal router.<br /><br /><span style="font-weight: bold;">Configuration steps to perform on the NVG589:</span><br /><span style="font-size: x-small; font-style: italic;"><span style="font-weight: bold;">Note:</span> 192.168.10.1-254 address block is a suggestion in this series of steps. Feel free to adjust this as you wish.</span><br /><br /><div>
<span style="font-weight: bold;">1.</span> Login to the NVG589's web-based configuration interface in your web browser.</div>
<div>
This can usually be accessed with the following link: <a href="https://192.168.1.254/">https://192.168.1.254</a><br /><br /><span style="font-weight: bold;">2.</span> Go to the "Home Network" -> "Subnets & DHCP" tab. It may ask for your NVG589's password.<br /><br /><span style="font-weight: bold;">3.</span>
If your "Device IPv4 Address" is in the same subnet as your personal
router's LAN segment, you should change your personal router's network
configuration to use a different subnet like 192.168.10.0 or whatever
you wish, as long as it continues to use private address space in the
192.168.0.0/16, 10.0.0.0/8, or 172.16.0.0/12. The subnet mask can stay
the same, 255.255.255.0, or can be adjusted to a larger range if you
want.<br /><br /><span style="font-weight: bold;">4.</span> Leave the
default DHCP settings on the NVG589 as is, unless you want to expand the
usable range. This will permit your Television Set Top Boxes to connect
and any other devices that you may want to use the integrated wireless
or wire directly to the RG. The <span style="font-weight: bold;">Television STBs can not connect to your personal router</span>,
unless your router has the capability to provide Multicast Routing
using IGMPv3. Most consumer routers do not have this capability.<br /><span style="font-weight: bold;"><br /></span></div>
<div>
<span style="font-weight: bold;">It is important that you have only your computer that's configuring the NVG589 connected to it at this time.</span><br /><br /><span style="font-weight: bold;">5.</span> If you have made any changes, at this point, Click "Save" at the bottom.<br /><br /><span style="font-weight: bold;">6.</span> Go to the "Home Network" -> "Wireless" tab.<br /><br /><span style="font-weight: bold;">7.</span> If
you do not want to use the NVG589's integrated wireless feature,
disable Wireless by choosing "Off" in the "Wireless Operation" option.<br /><br /><span style="font-weight: bold;">8.</span> Go to the "Firewall" -> "Packet Filter" tab. Click on the "Disable Packet Filters" button.<br /><br /><span style="font-weight: bold;">9.</span> Go to the "Firewall" -> "NAT/Gaming" tab and disable any and all settings.<br /><br /><span style="font-weight: bold;">10.</span> Go to the "Firewall" -> "IP Passthrough" tab. Select "Passthrough" in the "Allocation Mode" option.<br /><br /><span style="font-weight: bold;">11.</span> Do not enter anything for the "Default Server Internal Address". Leave this field blank.<br /><br /><span style="font-weight: bold;">12.</span> In the "Passthrough Mode" selection choose "DHCPS-Fixed".<br /><br /><span style="font-weight: bold;">13.</span>
Type in the WAN-side MAC Address for your router under "Manual Entry",
lowercase is fine. The MAC address should be in the traditional
hexadecimal format xx:xx:xx:xx:xx:xx where the x's should be values from
0-9 or letters a-f, separated with single colons. If you have already
connected the WAN interface of your personal router and configured it
for DHCP, it may show up in the "Choose from list". If you select it, it
will automatically fill the field with appropriate MAC address.<br /><br /><span style="font-weight: bold;">14. </span>The Passthrough DHCP Lease value defaults to 10 minutes. You can not change this.<br /><br /><span style="font-weight: bold;">15.</span> Click "Save" at the bottom. It will tell you that it needs to reboot. <span style="font-weight: bold;">Stop!</span> Do not reboot the router, yet.<br /><br /><span style="font-weight: bold;">16.</span> If
you are not putting any devices on the network segment directly
attached to the AT&T gateway and do not want any of the Firewall
security features active on the NVG589, go to the "Firewall Advanced"
tab at the top and turn everything off. The recommendation is to leave
these features enabled if you will have any devices on this segment or
are using the integrated wireless feature. If you disable these
features, make sure you are enabling this functionality on your personal
router.<br /><br /><span style="font-weight: bold;">17.</span> Near the top
of your screen, you should see an option telling you to reboot the
router. Go ahead and do this now. It takes about 2 minutes.<br /><br /><span style="font-weight: bold;"><br /></span></div>
<div>
<span style="font-weight: bold;">Configuration steps for your personal router:<br /><br />1. </span>Disconnect your laptop's ethernet connection from the NVG589 and connect your personal router, while the NVG589 reboots.<br /><br /><span style="font-weight: bold;">2.</span> Connect your laptop to your personal router.<br /><br /><span style="font-weight: bold;">3.</span> Login to your personal router and change the Internet connection type to DHCP as per your router's instructions.<br /><br />You
should be done configuring the IP Passthrough "bridge mode", at this
point. Verify that your personal router is being assigned the public IP
address from AT&T on its WAN interface via DHCP.</div>
</blockquote>
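The checks implied by steps 3 and 13 and by the final verification, as an added shell example that is not part of the DSLReports text or of this post. The function names, the prefix-length argument (24 corresponds to 255.255.255.0) and every sample value are assumptions made for illustration.

```sh
#!/bin/sh
# Sanity checks around the IP Passthrough procedure quoted above.

# valid_mac MAC -> 0 if MAC is six hex pairs separated by single colons (step 13)
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# valid_ipv4 ADDR -> 0 if ADDR is dotted-quad with each octet in 0-255
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# is_private ADDR -> 0 if ADDR is in 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16
is_private() {
    printf '%s\n' "$1" | awk -F. '
        $1 == 10 || ($1 == 172 && $2 >= 16 && $2 <= 31) || ($1 == 192 && $2 == 168) { exit 0 }
        { exit 1 }'
}

# same_subnet IP1 IP2 PREFIXLEN -> 0 if both addresses are in the same network
same_subnet() {
    printf '%s %s %s\n' "$1" "$2" "$3" | awk -F'[. ]' '{
        a = (($1 * 256 + $2) * 256 + $3) * 256 + $4
        b = (($5 * 256 + $6) * 256 + $7) * 256 + $8
        size = 2 ^ (32 - $9)           # addresses per network at this prefix
        exit ((int(a / size) == int(b / size)) ? 0 : 1)
    }'
}

# passthrough_check GATEWAY_LAN_IP ROUTER_LAN_IP PREFIXLEN ROUTER_WAN_MAC ROUTER_WAN_IP
# Prints one line per finding; returns 0 only when nothing was found.
passthrough_check() {
    problems=0
    for addr in "$1" "$2" "$5"; do
        valid_ipv4 "$addr" || { echo "'$addr' is not an IPv4 address"; return 2; }
    done
    valid_mac "$4" || {
        echo "MAC '$4' is not in xx:xx:xx:xx:xx:xx form (step 13)"
        problems=$((problems + 1)); }
    is_private "$2" || {
        echo "router LAN $2 is outside private address space (step 3)"
        problems=$((problems + 1)); }
    if same_subnet "$1" "$2" "$3"; then
        echo "router LAN $2 is in the gateway's subnet ($1/$3); renumber it (step 3)"
        problems=$((problems + 1))
    fi
    if is_private "$5"; then
        echo "router WAN address $5 is private, not the public address the last step expects"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Demo with constructed values: a router still on the gateway's subnet, a MAC
# typed with dashes, and a WAN lease taken from the gateway's own DHCP pool.
passthrough_check 192.168.1.254 192.168.1.1 24 00-11-22-AA-BB-CC 192.168.1.64 ||
    echo "resolve the findings above, then re-check"
```
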
<br />
Legally Installing Microsofts Fonts in OSX for Free (2015-02-27)<br />
<br />
So you have Office 2011 for Mac and you're having trouble collaborating with your Windows-loving friends because you don't have Calibri or some other MS font, what should you do?<br />
<br />
I Googled for an answer and got one (<a href="https://discussions.apple.com/thread/3756108?start=30&tstart=0" target="_blank">this discussion from 2012</a>), but it was old and the link to MS's app didn't work. So here's an updated procedure (this worked in Mavericks, and should work for older versions, also).<br />
<br />
<br />
<ol>
<li>Visit http://www.microsoft.com/en-us/download/details.aspx?id=21007 and download the Open XML File Format Converter for Mac 1.1.8 - it will arrive as a DMG.</li>
<li>When the DMG opens you may install the software as a whole, but if you already have the latest version of Office you're just adding stuff you don't need and potentially introducing problems. Instead right click Open XML File Format Converter for Mac 1.1.8.mpkg and select Show Package Contents.</li>
<li>Navigate to the Contents folder then the Packages folder.</li>
<li>Double-click OpenXML_all_fonts.pkg and execute the installer then complete the installation.</li>
<li>Eject the disk image (duh).</li>
<li>Open Office 2011 and be productive!</li>
</ol>
<br />
How Do You Secure The Internet? (2014-10-09)<br />
<br />
This is a question I have been asked a few times now, and the asker doesn't typically mean the ENTIRE Internet, they just mean their own little corner of it. You know, the one sitting on your desk. <br />
<br />
When someone asks this, what they really mean is "How do we keep the bad guys out?"<br />
<br />
The three major ways the bad guys get in are: exploiting your desktop computers, exploiting your servers, and exploiting you. You see, the bad guys exploit both computers and users alike. Malware (a blanket term referencing adware, spyware, and viruses), service exploitation (this is what people usually think of when they hear the word "hacking"), and calling you or emailing you and straight up lying to you are ways that your data may be compromised. You see, we're not dealing with nice people here.<br />
<br />
Often people are just trying to get through their day with all of their work done well. They're looking for a fast free tool because it might take too long to complete a purchase. Free compression utilities, file viewers, and PDF printers have the potential to infect users' computers and provide easy ways for the bad guys to get in. Interestingly enough, most of the adware and spyware I have encountered isn't normally detected by antivirus programs, as it is classified as "PUPs" - Potentially Unwanted Programs. These technically aren't viruses, but a nuisance, as they may download other PUPs which download some more, and so forth. I'm not just talking banners inside of the app, I'm talking full-on browser hijacking where you lose your homepage, search results are altered to promote certain products, and even your line-of-business application windows display ads.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtgYMqTQtjqG9UzWrZ-MAhG3ayC3OL4qoQEfNoowW4SeJJcamypqm8WoQQIGyVQ3EhcgnufkTO1JPBaWbi9croQjQWsgwRlYcSMVtlPcDozYUElct5N1GnwGQuvIVuH1eABdlv/s1600/Screen+Shot+2014-10-06+at+3.19.48+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtgYMqTQtjqG9UzWrZ-MAhG3ayC3OL4qoQEfNoowW4SeJJcamypqm8WoQQIGyVQ3EhcgnufkTO1JPBaWbi9croQjQWsgwRlYcSMVtlPcDozYUElct5N1GnwGQuvIVuH1eABdlv/s1600/Screen+Shot+2014-10-06+at+3.19.48+PM.png" height="182" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Have you seen me?</td></tr>
</tbody></table>
Technicians can sometimes struggle for hours to remove them because these apps aren't meant to be easy to remove. Furthermore, these apps can download additional content from other bad characters who don't just stop at serving ads: they will try to convince you to directly give them money by scaring you. They will intimidate you with frightening-looking ads and ominous messages about your computer being slow or having viruses. Some will even go so far as to tell you that illegal activity has been detected on your computer and offer, for a fee, to clean it off. Some even lock your computer, say that illegal activity has been detected by the government, and you may pay a fine if you want to avoid jail - all from the convenience of your office and payable via Bitcoin.<br />
<div>
<span style="text-align: center;"><br /></span></div>
<div>
<span style="text-align: center;">These sorts of applications don't just come from misguided efforts at inexpensive office productivity, they are often secretly shoehorned into your computer by the advertising on web sites. Not just scummy places nobody has any business visiting - we're talking major news outlets and popular web portals like </span><a href="http://www.businessinsider.com/downed-new-york-times-had-malware-2013-8" style="text-align: center;">the New York Times</a><span style="text-align: center;">. I am now seeing workers with a long history of being productive and not screwing around ending up with some pretty nasty bugs.</span><br />
<div>
<div>
<br /></div>
<div>
Another, more targeted method seeks to install even nastier tools into the computers of workers handling sensitive financial data. Known as Spearphishing, the idea is to send emails which look like important communications to financial staff. These emails have a file attached, typically a .zip or .pdf, which, when opened, installs software that watches for important financial data to be accessed. When sensitive data is detected the malware neatly packs it up and sends it to someone who is going to steal your customers' credit card data and potentially empty all of your bank accounts.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrL1ko2L_Shg07gr2iohFeLBp_AZLg_3jmK3ZpwQYrzBYG6qbwEUyVmNAcDfRme9Rqzd1CwGlC4OqqU1V16N3oWK_Nbwm26lqvpibgXr8314wyluf0f-jo4aoVv43O36oG64Tt/s1600/Screen+Shot+2014-10-06+at+3.51.42+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrL1ko2L_Shg07gr2iohFeLBp_AZLg_3jmK3ZpwQYrzBYG6qbwEUyVmNAcDfRme9Rqzd1CwGlC4OqqU1V16N3oWK_Nbwm26lqvpibgXr8314wyluf0f-jo4aoVv43O36oG64Tt/s1600/Screen+Shot+2014-10-06+at+3.51.42+PM.png" height="181" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Surprised?</td></tr>
</tbody></table>
It turns out that, short of pulling the plug on your Internet connection, there is no one solution which will prevent this sort of abuse. What is required is a "Defense in Depth" - layers of protection which, when taken as a whole, offer a more solid defense than any one process or product. The entire process of retrieving information from the Internet must be questioned and examined at critical junctures.</div>
<div>
<br /></div>
<div>
Let's look at the process:</div>
<div>
<br /></div>
<div>
<ul>
<li>First the user makes a decision that they want to get something done on the Internet. This is the best time to intervene - the user needs to have knowledge to avoid danger online. The bad guys often depend on us being either inattentive or ignorant. Here's <a href="http://www.pcworld.com/article/2012958/how-to-avoid-fake-download-buttons.html">a good article on spotting bad links</a>.<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj49zdDUuDbpNOIukmFDD4QoqbXchWh14jJPym8h0VJBixlZSuY9JHRlIT4fjAipmFUjpM1kQgKTOoJTI81VwelyLn777Z_vFP74SqzJJrXaqDyy0PQy7gX1sy24u8cguVm4qml0A/s1600/screenshot_-_12-07-18_-_12_39_34_am.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj49zdDUuDbpNOIukmFDD4QoqbXchWh14jJPym8h0VJBixlZSuY9JHRlIT4fjAipmFUjpM1kQgKTOoJTI81VwelyLn777Z_vFP74SqzJJrXaqDyy0PQy7gX1sy24u8cguVm4qml0A/s1600/screenshot_-_12-07-18_-_12_39_34_am.png" height="200" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Just click Download already!</td></tr>
</tbody></table>
</li>
<li>When you request your web page your computer performs a DNS (Domain Name Service) query - this is akin to looking up a number in the phone book - the response can be controlled by both good guys and bad guys alike. Good guys <a href="http://www.opendns.com/">can alter these results and prevent access to undesirable web sites</a>. Bad guys can do likewise and funnel your users into advertising or more malware.</li>
<li>The HTTP GET is the next critical juncture - your computer has the number of the party you are trying to reach, dialed it, and the metaphorical phone is now ringing. This is where a proxy server steps in - it intercepts the call and makes the call on your behalf. Again, proxies can be used by both good guys and bad, and some of the bad ones insert ads, open additional pages, and even prevent you from accessing web sites and information for removing the malware. The good guys will use it to compare the URL of the web site you're visiting to a categorical list of URLs and block web sites which fall into undesirable categories. Administrators and managers can also look at the proxy logs and get a good idea of how you have spent your time online. Analysis of these logs can indicate which users are engaged in risky online behavior and give managers an opportunity to offer some advice on how to better spend their time online.<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwlkUehQbbYXgd2r1-B-GZCUctBYpa7xY0A2MbJKceSK0WXmW9IPXcOnShZddTiV2AFwaEB-xZGu-APJSAh4eyQ2QEYkdWgoLAUIteLDGI_ZeVRFoJKGzG-mga2v88KjiuGctK/s1600/Screen+Shot+2014-10-17+at+11.18.19+AM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwlkUehQbbYXgd2r1-B-GZCUctBYpa7xY0A2MbJKceSK0WXmW9IPXcOnShZddTiV2AFwaEB-xZGu-APJSAh4eyQ2QEYkdWgoLAUIteLDGI_ZeVRFoJKGzG-mga2v88KjiuGctK/s1600/Screen+Shot+2014-10-17+at+11.18.19+AM.png" height="186" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">I see you've been surfing the web...</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
</div>
</li>
<li>Ongoing HTTP Sessions can also be intercepted by a proxy, reassembled, examined for viruses, and then forwarded to the client. This would be a great job for a powerful router, but many businesses don't have them yet. Interestingly, <a href="https://www.charterbusiness.com/" target="_blank">Charter Business</a> is leading the charge in this field and is providing routers with this capability to their high speed customers.</li>
<li>Now that your computer has completed its call there's data to be opened or executed. This is where a good antivirus product comes into play. Much of today's malware arrives via "drive-by downloads", which means you never actually clicked a download button, nor did you click Open or Run. It just happens... Unless you have a good antivirus product which does behavioral monitoring. Antivirus products can watch what your computer is doing and prevent suspicious activity. Check with your antivirus vendor (I know a <a href="http://www.mysafemode.com/" target="_blank">good one</a>) to find out if your current product does this monitoring. Hopefully the malware packages never get a chance to misbehave as your antivirus will detect and quarantine them as soon as the download completes.</li>
<li>If, after all of this, your computer still becomes infected, the malware must now make it past some or all of the lower-level services to communicate with its masters - savvy DNS managers maintain lists of known bad actors and can block requests to hosts based on these lists. Though they're uncommon, an Intrusion Detection System (IDS) at the firewall can detect the command and control communications used by malware, then generate alerts or terminate suspicious connections. IDSs are prone to false positives, so be careful if you go this route because they can require a lot of care and feeding.</li>
<li>If the malware has made it past all of these defenses then the bad guys have done a good job (relatively speaking, it's awful for us) and are now winning the game. The likelihood of this has been reduced through defense in depth, but we can never consider ourselves to have won: we have to find every hole in our defenses and fix it, the bad guys only have to find one. <div class="separator" style="clear: both; text-align: center;">
<a href="http://s2.quickmeme.com/img/bc/bc39fd77b95c22fff332e8bf38ff78b52c88da48826447d3e7d37579740f2cf7.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://s2.quickmeme.com/img/bc/bc39fd77b95c22fff332e8bf38ff78b52c88da48826447d3e7d37579740f2cf7.jpg" height="165" width="320" /></a></div>
</li>
</ul>
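The URL-category check and proxy-log review described in the list above can be sketched as follows; the same suffix match is what a DNS filter applies to a queried name. This is an added example, not code from the original post: the log layout, the domains (all under the reserved .example name) and the category names are constructed for illustration.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed category list; a real deployment would load a vendor feed.
CATEGORY_LIST = {
    "freepdfprinter.example": "potentially-unwanted-software",
    "adnetwork.example": "advertising",
    "cdn.badhost.example": "malware",
    "news.example": "news",
}
BLOCKED_CATEGORIES = {"malware", "potentially-unwanted-software"}

# Constructed log lines in an assumed "time user method target status" layout.
SAMPLE_LOG = """\
2014-10-06T15:19:48 alice GET http://news.example/today 200
2014-10-06T15:20:02 alice GET http://dl.freepdfprinter.example/setup.exe 200
2014-10-06T15:20:05 alice GET http://banner.adnetwork.example/ad.js 200
2014-10-06T15:21:10 bob CONNECT cdn.badhost.example:443 200
2014-10-06T15:21:30 bob GET http://NEWS.example./sports 200
2014-10-06T15:22:00 bob GET http://notnews.example/ 200
2014-10-06T15:22:41 alice GET http://cdn.badhost.example/payload 200
this line is truncated
"""


def host_from_target(method, target):
    """Return the normalized host name from a logged request target."""
    if method == "CONNECT":
        # HTTPS through a proxy is logged as "host:port", not as a URL.
        host = target.rsplit(":", 1)[0]
    else:
        host = urlsplit(target).hostname or ""
    # Lower-case and drop a trailing root dot so "NEWS.example." still matches.
    return host.lower().rstrip(".")


def categorize(host, category_list=CATEGORY_LIST):
    """Match the host, then each parent domain, on whole-label boundaries."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in category_list:
            return category_list[candidate]
    # "notnews.example" lands here: it is not a subdomain of "news.example".
    return "uncategorized"


def parse_line(line):
    """Parse one log line; return None for malformed or host-less entries."""
    parts = line.split()
    if len(parts) != 5:
        return None
    timestamp, user, method, target, _status = parts
    host = host_from_target(method, target)
    if not host:
        return None
    return {"time": timestamp, "user": user, "host": host,
            "category": categorize(host)}


def analyze(log_text):
    """Return ({user: Counter of categories}, number of skipped lines)."""
    per_user = defaultdict(Counter)
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            skipped += 1
            continue
        per_user[entry["user"]][entry["category"]] += 1
    return dict(per_user), skipped


def risky_users(per_user, blocked=BLOCKED_CATEGORIES):
    """Rank users by requests that fell into a blocked category."""
    scores = {user: sum(n for cat, n in cats.items() if cat in blocked)
              for user, cats in per_user.items()}
    return sorted(((u, s) for u, s in scores.items() if s),
                  key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    report, skipped = analyze(SAMPLE_LOG)
    for user, count in risky_users(report):
        print(f"{user}: {count} request(s) in blocked categories")
    print(f"{skipped} malformed line(s) skipped")
```

Counting the skipped lines matters as much as the ranking: a proxy whose log format changes silently would otherwise look like a network with no risky traffic.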
Spearphishing attacks are incredibly crafty, and the bad guys know how to get past many of these defenses. Users must be prepared to match their own wits against those of the bad guys. They will receive messages crafted to make the user <b>want</b> to open the attachment. Messages will claim their attachments are:</div>
<div>
<ul>
<li>Requests for bid</li>
<li>IRS communications</li>
<li>postal notifications</li>
<li>shipping notifications</li>
<li>bank password reset requests</li>
<li>law enforcement notifications</li>
<li>holiday greeting cards</li>
<li>invoices</li>
<li>awards</li>
<li>banking documents</li>
</ul>
<div>
All of this is important stuff, and nobody wants to drop the ball. The bad guys know this and will do everything in their power to prey on our sense of duty or curiosity. Needless to say, some of our friends and coworkers might benefit from a brief orientation on these threats. I can't emphasize enough what a vital role your gut will play in this - if you think it might be a scam it probably is.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGUyJtcqReOf34eoveuMPPwi_PvIc8gFpxPVvO3sqNZs0IXLx0fnLlCQCwq5dukiuXgUrVUMuw-ZRF6IJVmgoaUrVTwptj_dohzU5CkZl_AhcsOoRuDSKGViJJohE02RYxiSbW/s1600/Screen+Shot+2014-10-07+at+5.31.39+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGUyJtcqReOf34eoveuMPPwi_PvIc8gFpxPVvO3sqNZs0IXLx0fnLlCQCwq5dukiuXgUrVUMuw-ZRF6IJVmgoaUrVTwptj_dohzU5CkZl_AhcsOoRuDSKGViJJohE02RYxiSbW/s1600/Screen+Shot+2014-10-07+at+5.31.39+PM.png" height="254" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">And for good reason.</td></tr>
</tbody></table>
There are many opportunities to prevent spearphishing attacks. Remember, spearphishing is sending malware via email to people with sensitive jobs. Many email servers (Like <a href="https://syndication.microsoft.com/pbl/office-365v2/SitePages/minisite.aspx?height=688&width=770" target="_blank">Microsoft's Office365</a>) include virus scanning which will remove the threat before it reaches your inbox. Email servers may also be configured so that they may only receive mail from trusted systems or from systems that can pass a series of tests that only trustworthy servers can pass. As if that's not enough, servers will often read the email and make some decisions based on the content. It's not uncommon to see 2/3 of the messages received by a server silently dropped.<br />
<br />
Controlling DNS responses can be useful here, as well - compromised servers may be detected and listed with security services. If you have been duped into clicking a dangerous link the attempt could be blocked by services such as OpenDNS.<br />
<br />
Think you can spot a phishing attack? Take the <a href="http://www.opendns.com/phishing-quiz/" target="_blank">OpenDNS Phishing quiz</a>!<br />
<br />
I hope that I've been able to help you learn a bit more about the threats faced by modern office staff. If you would like to learn more about how Safe Mode might be able to secure your office computers please don't hesitate to call or email!<br />
<br /></div>
</div>
</div>
</div>
Justinhttp://www.blogger.com/profile/09153875973225966200noreply@blogger.com0tag:blogger.com,1999:blog-23470680.post-72862427412034652492014-09-16T15:22:00.001-05:002015-03-01T17:24:12.036-06:00Windows 7 Desktop Can't Join the Domain - Path Not Found? Blame AVG (and everything else!)Spoiler Alert: uninstalling AVG from the desktop fixes the problem.<br />
<br />
A desktop is complaining that its Trust Relationship has failed. Normal stuff, probably went through a system restore and ended with an old SID, no biggie. Remove it from the domain, reboot, re-add to the domain, boom done, right? Not so fast... after changing the domain name and hitting OK I'm presented with the normal domain login to which I input my domain administrator credentials. The computer complains with an error message:<br />
<blockquote class="tr_bq">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;">The following error occurred attempting to join the domain "somedomain.local":</span></blockquote>
<blockquote class="tr_bq">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;">The network path was not found. </span></blockquote>
This points to a DNS issue on our SBS 2008. Rebooting the server was my first step and it yielded no positive results.<br />
<br />
The SBS 2008 in question seems slow and balky. It's an HP ML110 with 8GB of RAM serving as an SBS for a group of 10 or so people using email and file storage in the server as well as its normal duties authenticating users and doling out Group Policy.<br />
<div>
<br /></div>
Noted error 13568 with source NtFrs in the event log which basically says that the File Replication Service is in Journal Wrap Error. It reads kind of like:<br />
<br />
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR. </span><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> </span><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Replica set name is : "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" </span><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Replica root path is : "c:\windows\sysvol\domain" </span><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Replica root volume is : "\\.\C:" </span><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> </span></blockquote>
<br />
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found. This can occur because of one of the following reasons. </span><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> </span><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> </span></blockquote>
<br />
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[1] Volume "\\.\C:" has been formatted. </span><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> </span></blockquote>
<br />
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[2] The NTFS USN journal on volume "\\.\C:" has been deleted. </span><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> </span></blockquote>
<br />
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[3] The NTFS USN journal on volume "\\.\C:" has been truncated. Chkdsk can truncate the journal if it finds corrupt entries at the end of the journal. </span><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> </span></blockquote>
<br />
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[4] File Replication Service was not running on this computer for a long time. </span><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> [5] File Replication Service could not keep up with the rate of Disk IO activity on "\\.\C:". </span><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> </span></blockquote>
<br />
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Setting the "Enable Journal Wrap Automatic Restore" registry parameter to 1 will cause the following recovery steps to be taken to automatically recover from this error state. </span><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> </span></blockquote>
<br />
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[1] At the first poll, which will occur in 5 minutes, this computer will be deleted from the replica set. If you do not want to wait 5 minutes, then run "net stop ntfrs" followed by "net start ntfrs" to restart the File Replication Service. </span><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> </span></blockquote>
<br />
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[2] At the poll following the deletion this computer will be re-added to the replica set. The re-addition will trigger a full tree sync for the replica set. </span><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> </span></blockquote>
<br />
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">WARNING: During the recovery process data in the replica tree may be unavailable. You should reset the registry parameter described above to 0 to prevent automatic recovery from making the data unexpectedly unavailable if this error condition occurs again. </span><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> </span></blockquote>
<br />
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">To change this registry parameter, run regedit. </span><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> </span><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Click on Start, Run and type regedit. </span><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> </span><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Expand HKEY_LOCAL_MACHINE. </span><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Click down the key path: </span><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> "System\CurrentControlSet\Services\NtFrs\Parameters" </span><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Double click on the value name </span><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> "Enable Journal Wrap Automatic Restore" </span><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">and update the value. </span></blockquote>
<br />
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> </span><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">If the value name is not present you may add it with the New->DWORD Value function under the Edit Menu item. Type the value name exactly as shown above.</span></blockquote>
<br />
Also noted Event ID 25:<br />
<br />
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">The shadow copies of volume \\?\Volume{83195036-2013-11e0-9593-3c4a92d51777} were deleted because the shadow copy storage could not grow in time. Consider reducing the IO load on the system or choose a shadow copy storage volume that is not being shadow copied.</span></blockquote>
<br />
It sounds like the hard disk could be too busy to serve up essential functions - looking at the Resource Monitor I could see that SQL was going crazy reading itself from the hard drive. I decide to run the SBS 2008 BPA and see if it can tell me more. I also update the HP System Management Agents and the HP Array Configuration Utility so that I could rule out hard disk problems (which indeed were not an issue).<br />
<br />
My BPA report showed some issues which were solved with some simple <span style="font-family: Arial, Helvetica, sans-serif;">netsh </span><span style="font-family: inherit;">commands that were detailed in the BPA. But an outsized Sharepoint and SBSMonitoring were also an issue as was the server being in Journal Wrap condition.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">The outsized databases don't seem like they'd keep desktops from </span>joining<span style="font-family: inherit;"> the domain, but the journal wrap might be a different story. I followed the link to </span><a href="http://support.microsoft.com/kb/292438">http://support.microsoft.com/kb/292438</a> and said to myself, "Oh Crap, they've linked to an outdated article, this is for Win2k! Nice job Microsoft..." Worthless - except, it's not. Things haven't changed much in the last 14 years of Active Directory.<br />
<br />
Sure enough, upon reading <a href="http://blog.ronnypot.nl/?p=738">http://blog.ronnypot.nl/?p=738</a> I check and find the SYSVOL share was not available. I changed the registry value (which was what the error message directed, also) and waited a few minutes. The SYSVOL share came available again. BUT... still cannot connect the workstation to the domain.<br />
<br />
I decided to pursue the other issues indicated by the BPA and fix the SBSMonitoring and Sharepoint Services databases.<br />
<br />
First SBSMonitoring - Google yielded <a href="http://kwsupport.com/2013/05/sbsmonitoring-database-is-nearing-maximum-size/">http://kwsupport.com/2013/05/sbsmonitoring-database-is-nearing-maximum-size/</a> which suggests using <a href="http://blogs.technet.com/b/sbs/archive/2011/08/22/how-to-recreate-the-sbsmonitoring-database.aspx">http://blogs.technet.com/b/sbs/archive/2011/08/22/how-to-recreate-the-sbsmonitoring-database.aspx</a> to replace the database with a new blank one. What are the drawbacks? Loss of historical data - no biggie. Downloading and running the script was a breeze, I just needed to <span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;">set-executionpolicy unrestricted </span><span style="font-family: inherit;">to get it to execute. That article then recommended I complete the steps at </span><a href="http://blogs.technet.com/b/sbs/archive/2009/07/14/sbs-2008-console-may-take-too-long-to-display-alerts-and-security-statuses-display-not-available-or-crash.aspx">http://blogs.technet.com/b/sbs/archive/2009/07/14/sbs-2008-console-may-take-too-long-to-display-alerts-and-security-statuses-display-not-available-or-crash.aspx</a> which will shorten the amount of time which logs are kept and reduce the amount of information which is logged.<br />
<br />
Now to deal with the overweight Sharepoint Services Database - <a href="http://support.microsoft.com/kb/2000544">http://support.microsoft.com/kb/2000544</a> seems like a good place to start and it features a convenient "Fix It For Me." This removed the issue from the BPA, but the desktop still won't join the domain.<br />
<span style="font-family: inherit;"><br /></span>
Others have been feeling this pain, I see posts with similar issues all over the Internet. This one: <a href="http://richardburley.com/windows-7-unable-to-join-domain-fix/">http://richardburley.com/windows-7-unable-to-join-domain-fix/</a> seems like it might finally be the one which most closely matches my situation. On the afflicted PC I cannot browse to \\servername. I checked this from another computer and found that \\servername worked fine - an exact fit! This fellow fixed his issue by removing everything from the network configuration that wasn't TCP/IP v4 or v6. I'm working remotely so this seems like a real bummer of a solution, but examining the network protocols I noted the AVG Network Filter Driver. Perhaps this is it? I removed AVG and rebooted the PC.<br />
<br />
Uninstalling AVG fixed the issue - a fifteen minute fix found through four hours of work. The server is certainly having issues, but they weren't causing THIS issue!Justinhttp://www.blogger.com/profile/09153875973225966200noreply@blogger.com0tag:blogger.com,1999:blog-23470680.post-61418068291797878102014-08-27T12:20:00.001-05:002014-09-19T08:14:34.751-05:00Using the Same Alias in Multiple Domains in Office365<br />
<ol>
<li>Start PowerShell as an Administrator</li>
<li>If you haven't issued this command before, issue it now: <span style="font-family: Consolas, Courier, monospace; line-height: 17px;">Set-ExecutionPolicy RemoteSigned</span></li>
<li>Connect PowerShell to Office365 - (from <a href="http://technet.microsoft.com/en-us/library/jj984289(v=exchg.150).aspx">http://technet.microsoft.com/en-us/library/jj984289(v=exchg.150).aspx</a>)</li>
<ol>
<li>Issue the command and input your credentials: <span style="line-height: 17px;"><span style="font-family: Courier New, Courier, monospace;">$UserCredential = Get-Credential</span></span></li>
<li><span style="font-family: Times, Times New Roman, serif;">Then issue this command to connect: </span><span style="line-height: 17px;"><span style="font-family: Courier New, Courier, monospace;">$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection</span></span></li>
<li><span style="font-family: Times, Times New Roman, serif;"><span style="line-height: 17px;">Import the PowerShell commands from the Exchange Server by issuing: </span></span><span style="font-family: Courier New, Courier, monospace;"><span style="line-height: 17px;">Import-</span><span style="line-height: 17px;">PSSession $Session</span></span></li>
<li><span style="line-height: 17px;"><span style="font-family: Times, Times New Roman, serif;">Now test your connection by issuing: </span><span style="font-family: Courier New, Courier, monospace;">Get-Mailbox</span><span style="font-family: Consolas, Courier, monospace;"> </span><span style="font-family: Times, Times New Roman, serif;">and making sure you get output.</span></span></li>
</ol>
<li><a href="https://www.cogmotive.com/blog/office-365-tips/create-shared-mailboxes-with-same-alias-at-different-domains-in-office-365">https://www.cogmotive.com/blog/office-365-tips/create-shared-mailboxes-with-same-alias-at-different-domains-in-office-365</a> gives us the following steps</li>
<ol>
<li>Create the shared mailbox: <span style="font-family: Courier New, Courier, monospace;">New-Mailbox -Name "Test Shared Mailbox 2" -Alias test_shared2 -Shared -PrimarySMTPAddress test_shared@cogmotivereports.com </span><span style="font-family: Times, Times New Roman, serif;"> </span><span style="font-family: Times, Times New Roman, serif;">Be certain to replace "Test Shared Mailbox 2" with the desired display name, the alias "test_shared2" with the desired alias (prefix before the @ sign) and fix the primary SMTP address with the desired address.</span></li>
<li>Next correct the login name for this mailbox - <span style="font-family: Courier New, Courier, monospace;">set-mailbox test_shared2 -MicrosoftOnlineServicesID test_shared@cogmotivereports.com </span><span style="font-family: Times, Times New Roman, serif;">- you may receive the following error </span><span style="font-family: Trebuchet MS, sans-serif;">WARNING: UserPrincipalName "test_shared1@cogmotivereports" should be same as WindowsLiveID "test_shared@cogmotive.onmicrosoft.com", UserPrincipalName should remain as"test_shared1@cogmotivereports". </span><span style="font-family: Times, Times New Roman, serif;">Which may be safely ignored.</span></li>
</ol>
<li><span style="font-family: Times, Times New Roman, serif;">Check your work by issuing </span><span style="font-family: 'Courier New', Courier, monospace; line-height: 17px;">Get-Mailbox </span><span style="line-height: 17px;"><span style="font-family: Times, Times New Roman, serif;">and verifying that the new mailbox entry appears.</span></span></li>
<li><span style="font-family: Times, Times New Roman, serif;">Close your session with </span><span style="line-height: 17px;"><span style="font-family: Courier New, Courier, monospace;">Remove-PSSession $Session</span></span></li>
</ol>
<div>
<span style="font-family: inherit;"><span style="line-height: 17px;">This will create a new shared mailbox with the desired alias. To make certain users send from the desired address and not the placeholder alias (test_shared2) sign into Exchange and go to the shared mailbox. Edit the email addresses and set the desired alias as the primary address.</span></span></div>
<br />
<br />Justinhttp://www.blogger.com/profile/09153875973225966200noreply@blogger.com0tag:blogger.com,1999:blog-23470680.post-49883959315466956772014-08-20T16:29:00.001-05:002014-08-26T16:21:25.487-05:00Migrating Outlook 2010 Autocomplete to Outlook 2013<br />
<ol>
<li>Run Outlook 2013, allow it to finish loading, then close it - no need to wait for it to fully synchronize if you have a large mailbox.</li>
<li>Open C:\Users\<i>username</i>\AppData\Local\Microsoft\Outlook\RoamCache</li>
<li>Look for files named <b>Stream_Autocomplete&lt;bunch of letters and numbers&gt;.dat</b> and note the latest one (this is the target) and the largest one (this is the source).</li>
<li>Make a backup copy of both files, I placed mine in C:\temp.</li>
<li>Go back to C:\Users\<i>username</i>\AppData\Local\Microsoft\Outlook\RoamCache and rename the <b>source</b> file Stream_Autocomplete&lt;bunch of letters and numbers&gt;.da~ by replacing the "t" with a "~". Before you commit the change, highlight the entire name before the period and copy it with Ctrl+C, then commit the change.</li>
<li>Rename your <b>target</b> file by pasting the source file name over the target file name.</li>
<li>Run Outlook and feel the joy.</li>
</ol>
<div>
Why didn't Microsoft make this an automatic function like they did in prior versions? 0_o</div>
Posted by Justin<br />
<br />
<b>Linking a Bypass Code in Umbrella by OpenDNS</b> (published 2014-07-31, updated 2014-07-31)<br />
Here's a stumper: you've created a bypass code for a user under Block Page -> Bypass Codes, and as you're admiring your shiny new bypass code entry you note that there is a yellow Hazard symbol in the column under Linked Policies next to n/a. Furthermore, the user's bypass code doesn't work - it says that it must be linked to a policy, and there isn't a "link policy" button anywhere to be found.<br />
<br />
This situation can be avoided entirely by creating each bypass code by clicking Policies in the left-hand pane, selecting the relevant policy in the main pane, then jumping to Step 3. "Select Block Page Settings" and clicking Add Code. Create and save your new code, share it with the relevant user, and you're done.<br />
<br />
But say you've gone and created your bypass code by navigating to Block Page Settings in the left-hand pane, selecting Bypass Codes underneath it, and clicking "+ Create a New Bypass Code." Don't worry, you haven't just wasted that time - click Policies in the left-hand pane, select the relevant policy in the main pane, then jump to Step 3. "Select Block Page Settings," check the box next to the desired user, and then click Save.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5IJ0l9yCjp1OLQ29SyqjxYh5FQAvSr0zwLGm1tz1NiZx8FcLbxvigNJUksKF1WoZ2lZR90tmymKMFaY9nRWELi6o-LTjfK-7ZUEqJylXEKD72i76lf-0ilWH_0gcP5-hQzhRY/s1600/Screen+Shot+2014-07-31+at+3.22.28+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5IJ0l9yCjp1OLQ29SyqjxYh5FQAvSr0zwLGm1tz1NiZx8FcLbxvigNJUksKF1WoZ2lZR90tmymKMFaY9nRWELi6o-LTjfK-7ZUEqJylXEKD72i76lf-0ilWH_0gcP5-hQzhRY/s1600/Screen+Shot+2014-07-31+at+3.22.28+PM.png" height="180" width="400" /></a></div>
Posted by Justin<br />
<br />
<b>Assigning a Public IP using AT&T UVerse - Pace Modem</b> (published 2014-07-24, updated 2014-07-24)<br />
1. Visit your gateway address using your favorite browser.<br />
<br />
2. Go to Settings -> Firewall<br />
<br />
3. Go to Application Pinholes and DMZ<br />
<br />
4. Select your device and then click Allow All (the last option)<br />
<br />
5. Click Save<br />
<br />
This will DMZ the device and allow all inbound traffic on all ports through to that device, bypassing the gateway's firewall for it.<br />
Posted by Justin<br />
<br />
<b>Scheduling Periodic Bandwidth Checks Between pfSense Routers Using iPerf</b> (published 2014-07-02, updated 2014-07-04)<br />
<span style="font-family: Times, "Times New Roman", serif;">I have a customer who, for years, has complained that their point to point connection (over a dedicated Point-to-Point Cable connection referred to as EoC or Ethernet over Cable) slows down every afternoon regardless of the number of users. Initial investigations revealed nothing of importance. iPerf tests would show periodic slowdowns but without any consistency as I could only run iPerf at the console, which required me to stand over it and initiate the tests.</span><br />
<br />
What I desired was iPerf tests every 5 minutes during business hours.<br />
<br />
<span style="font-family: Times, "Times New Roman", serif;">To get started, install the iPerf packages on both of your pfSense systems. </span>I am clueless as to why there are iPerf options in the Webmin; they seem to do nothing, so please ignore them and use iPerf from the console.<br />
<br />
<span style="font-family: "Courier New", Courier, monospace;">iperf -c 192.168.0.1 -t 28800 -i 300</span><br />
<span style="font-family: Courier New;"></span><br />
<span style="font-family: Times, "Times New Roman", serif;">SEEMS to work, but it would need to be invoked every morning, and only outputs to the screen. Furthermore it runs the test ALL DAY LONG, not just every 5 minutes. This would hog up the connection and prevent real work from being done quickly. What I need is for it to be done periodically then output to a text file that I can check occasionally. Furthermore, the office is only open 8am-5pm Monday through Friday, so why fill up my file with tests all the rest of the time? Lastly, iPerf doesn't include dates and times in the report, so I need to add them. I decided to haul out Crontab and do the following:</span><br />
<span style="font-family: Times;"></span><br />
<span style="font-family: Times;">1. Install the iPerf package in both pfSense systems.</span><br />
<span style="font-family: Times;"></span><br />
<span style="font-family: Times;">2. Pick a pfSense system to be my server, log into its administrative console, and run the following command:</span><br />
<span style="font-family: Times;"></span><br />
<span style="font-family: "Courier New", Courier, monospace;">iperf -s -D</span><br />
<span style="font-family: Courier New;"></span><br />
<span style="font-family: Times, "Times New Roman", serif;">This runs iPerf as a daemon and allows me to close the session but keep iPerf running.</span><br />
<span style="font-family: Times;"></span><br />
<span style="font-family: Times;">3. Create an sh script (mine is iperftest.sh) using vi containing the following:</span><br />
<br />
<span style="font-family: "Courier New", Courier, monospace;">date<br />
<span style="font-family: "Courier New", Courier, monospace;">/usr/local/bin/iperf -c 192.168.0.1 -t 10 -x CSV</span></span><br />
<br />
<span style="font-family: Times, "Times New Roman", serif;">The date line adds the date and time to the output file, and the -x CSV prevents showing info beyond the amount of data transferred and the speed at which it was transferred.</span><br />
<span style="font-family: Times, "Times New Roman", serif;"></span><br />
<span style="font-family: Times, "Times New Roman", serif;">4. Add a crontab job (crontab -e) for the user admin similar to the following:</span><br />
<span style="font-family: Times;"></span><br />
<span style="font-family: "Courier New", Courier, monospace;">*/5 8-17 * * 1-5 /root/iperftest.sh >> iperfreport.txt</span><br />
<span style="font-family: Courier New;"></span><br />
<span style="font-family: Times, "Times New Roman", serif;">5. Now all you need to do is cat your iperfreport.txt to see reports.</span><br />
<span style="font-family: Times;"></span><br />
<span style="font-family: "Courier New", Courier, monospace;">Wed Jul 2 13:25:00 CDT 2014<br />[ ID] Interval Transfer Bandwidth<br />[ 3] 0.0-10.0 sec 6.00 MBytes 5.03 Mbits/sec<br />Wed Jul 2 13:30:00 CDT 2014<br />[ ID] Interval Transfer Bandwidth<br />[ 3] 0.0-10.1 sec 6.00 MBytes 4.98 Mbits/sec</span><br />
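An added example (not part of the original post): a small sh/awk helper for reading the iperfreport.txt that the cron job builds up, pairing each date line with its result and averaging by hour to show whether the slowdown follows the clock. The sample report and the 3 Mbit/s threshold are constructed for illustration; because `>>` captures only stdout, a run whose only output was an error message leaves a bare date line, which the helper reports as FAILED.

```shell
#!/bin/sh
# Added example: summarise the report that the cron job appends to
# iperfreport.txt. Sample data and the default threshold are constructed.

# Constructed sample in the report layout: date line, header, result line.
# The 14:05 run has no result line, as happens when nothing reaches stdout.
sample_report() {
    cat <<'EOF'
Wed Jul  2 09:00:00 CDT 2014
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec  6.00 MBytes  5.03 Mbits/sec
Wed Jul  2 09:05:00 CDT 2014
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.1 sec  5.93 MBytes  4.97 Mbits/sec
Wed Jul  2 14:00:00 CDT 2014
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.4 sec  1.12 MBytes   904 Kbits/sec
Wed Jul  2 14:05:00 CDT 2014
Wed Jul  2 14:10:00 CDT 2014
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.2 sec  2.50 MBytes  2.06 Mbits/sec
EOF
}

# iperf_samples FILE|-  : print "Day HH:MM<TAB>Mbit/s" for every test run.
iperf_samples() {
    awk '
    function emit_failed() { if (stamp != "") print stamp "\tFAILED"; stamp = "" }
    # Date line written by date(1): "Wed Jul  2 13:25:00 CDT 2014"
    $1 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ && $4 ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]$/ {
        emit_failed()                 # previous run never produced a result
        stamp = $1 " " substr($4, 1, 5)
        next
    }
    # Result line: the last two fields are the rate and its unit.
    $NF ~ /bits\/sec$/ && stamp != "" {
        rate = $(NF - 1)
        if ($NF ~ /^K/) rate /= 1000          # Kbits/sec -> Mbit/s
        else if ($NF ~ /^G/) rate *= 1000     # Gbits/sec -> Mbit/s
        else if ($NF !~ /^M/) rate /= 1000000 # plain bits/sec -> Mbit/s
        printf "%s\t%.2f\n", stamp, rate
        stamp = ""
    }
    END { emit_failed() }
    ' "${1:--}"
}

# iperf_slow FILE|- MIN : runs that failed or measured below MIN Mbit/s.
iperf_slow() {
    iperf_samples "$1" | awk -F '\t' -v min="$2" '$2 == "FAILED" || $2 + 0 < min + 0'
}

# iperf_hourly FILE|- : "HH:00<TAB>average Mbit/s<TAB>runs" per hour of day.
iperf_hourly() {
    iperf_samples "$1" | awk -F '\t' '
    $2 != "FAILED" { h = substr($1, 5, 2); sum[h] += $2; n[h]++ }
    END { for (h in sum) printf "%s:00\t%.2f\t%d\n", h, sum[h] / n[h], n[h] }
    ' | sort
}

# With a file argument, summarise that report; with none, use the sample.
THRESHOLD=${THRESHOLD:-3}
if [ $# -gt 0 ]; then
    iperf_hourly "$1"
    iperf_slow "$1" "$THRESHOLD"
else
    sample_report | iperf_hourly -
    sample_report | iperf_slow - "$THRESHOLD"
fi
```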
<br />
Posted by Justin<br />
<br />
<b>Outlook 2010 and Office 2013 - Problems Changing an Expired Password</b> (published 2014-03-05, updated 2014-04-23)<br />
This puzzled us for a while. There is a hotfix available (MS KB 2687351), but you have to request it. Without the hotfix the user may be repeatedly prompted to change their password, even if they changed it in the online portal. Go to your account settings and select "Always Prompt for Credentials", then restart Outlook, input your new password, and make sure it works. After you have verified your account is working, go back to your account settings and clear the "Always Prompt for Credentials" checkbox so you may save your password.<br />
Posted by Justin<br />
<br />
<b>Configuring Entourage 2008 for Office365 Exchange</b> (published 2014-02-18, updated 2014-04-23)<br />
<span style="color: #3e3e3e;"><span style="font-family: Arial, Helvetica, sans-serif;">Mac users are a different breed - they often just want to get things done and not spend a lot of time learning a new program. Sometimes this means spending a lot of time making our old stuff work with our new stuff. My friend Brent recently tackled the issue of using Entourage 2008 and Office365 Exchange with some success (though there seems to be a limitation which causes Entourage to only sync the past 6-8 weeks of email and not display the balance).</span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: #3e3e3e;"><br /></span>
</span><br />
<span style="color: #3e3e3e; font-family: Arial, Helvetica, sans-serif;">First Brent had to install several updates for his Office 2008:</span><br />
<ul>
<li><span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: #3e3e3e;">Microsoft Office 2008 for Mac Service Pack 2 (12.2.0) - </span><a href="http://www.microsoft.com/en-us/download/details.aspx?id=17575">http://www.microsoft.com/en-us/download/details.aspx?id=17575</a></span></li>
</ul>
<ul>
<li><span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: #3e3e3e;">Microsoft Office 2008 for Mac 12.3.6 Update - </span><a href="http://www.microsoft.com/en-us/download/details.aspx?id=36897">http://www.microsoft.com/en-us/download/details.aspx?id=36897</a></span></li>
</ul>
<ul>
<li><span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: #3e3e3e;">Microsoft Entourage 2008 for Mac, Web Services Edition - </span><a href="http://www.microsoft.com/en-us/download/details.aspx?id=36923">http://www.microsoft.com/en-us/download/details.aspx?id=36923</a></span></li>
</ul>
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span></div>
<span style="font-family: Arial, Helvetica, sans-serif;">
</span><span style="color: #3e3e3e; font-family: Arial, Helvetica, sans-serif;">Next he configured his Mac and Entourage using information from the following web sites to:</span><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<ul>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Set up email in Entourage 2008, Web Services Edition - <a href="http://office.microsoft.com/en-us/web-apps-help/set-up-email-in-entourage-2008-web-services-edition-HA102823164.aspx">http://office.microsoft.com/en-us/web-apps-help/set-up-email-in-entourage-2008-web-services-edition-HA102823164.aspx</a></span></li>
</ul>
<ul>
<li><span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: #3e3e3e;"> </span><span style="color: #3e3e3e;">Set up your Mac for Office 365 - </span><span style="color: #3e3e3e;"><a href="http://onlinehelp.microsoft.com/en-us/office365-enterprises/hh180727.aspx">http://onlinehelp.microsoft.com/en-us/office365-enterprises/hh180727.aspx</a></span></span></li>
</ul>
<ul>
<li><span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: #3e3e3e;"> </span><span style="color: #3e3e3e;">Set Up Entourage 2008, Web Services Edition for Your Account - </span><span style="color: #3e3e3e;"><a href="http://help.outlook.com/en-us/140/ee461397.aspx">http://help.outlook.com/en-us/140/ee461397.aspx</a></span></span></li>
</ul>
<br />
<br />
<br />
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">Thanks for sharing this solution, Brent!</span></div>
Posted by Justin<br />
<br />
<b>Avoiding Malware and Viruses</b> (published 2013-11-26, updated 2014-09-26)<br />
Tips for avoiding malware infections (spyware, adware, and scareware):<br />
<br />
<ul>
<li><b>Use Windows 7 or Windows 8</b>. Windows XP users are <i>6 times</i> more likely than Windows 8 users and <i>twice</i> as likely as Windows 7 and Vista users to be infected with a virus. (<a href="http://blogs.technet.com/b/mmpc/archive/2013/10/29/infection-rates-and-end-of-support-for-windows-xp.aspx">http://blogs.technet.com/b/mmpc/archive/2013/10/29/infection-rates-and-end-of-support-for-windows-xp.aspx</a>). For what it's worth, I haven't seen a virus-infected Mac.</li>
<li><b>Uninstall Java. </b>I know, computers without Java seem crippled. If it's your work computer it may be required in order to get your job done - big business and governments have implemented any number of systems which require Java. At home Java may be required to read your email or shop. In the case that you're at home and need Java consider installing Java, completing the necessary task, then uninstalling it. I know that's a bit of a headache but it sure beats dealing with a malware infection! (<a href="http://www.theguardian.com/technology/askjack/2013/feb/08/java-remove-ask-jack-technology">http://www.theguardian.com/technology/askjack/2013/feb/08/java-remove-ask-jack-technology</a>)</li>
<li><b>Uninstall Adobe Reader. </b>Again, I know this is going to hurt, but it won't be as inconvenient as living without Java. Shoot, you might even enjoy the alternative apps as they tend to be both faster and more feature rich! I like <a href="http://www.tracker-software.com/product/pdf-xchange-viewer">Tracker-Software's PDF XChange Viewer</a>. (<a href="http://www.pcworld.com/article/2030153/">http://www.pcworld.com/article/2030153/</a>)</li>
<li><b>Uninstall Adobe Flash Player.</b> This one is the least productive yet the most prevalent. I wouldn't blame you for keeping it - some web sites are worthless without it. That said, there are some who report that, though some web sites don't render as they should, they have been able to live a pretty full Internet life without it. Uninstall it and see what the Internet is like, you might be pleasantly surprised! (<a href="http://www.hou2600.org/software/six-months-without-adobe-flash-and-i-feel-fine/">http://www.hou2600.org/software/six-months-without-adobe-flash-and-i-feel-fine/</a>)</li>
<li><b>Update Windows.</b> This one should go without saying as it's been said all too many times. Still, I see healthcare providers, aerospace companies, and grandmothers everywhere who are behind on their updates. Even IT people are behind on their updates. Please, for the love of all that is good, update your operating system.</li>
<li><b>Use the latest version of your browser.</b> The fact is that Chrome, Firefox, and IE all have vulnerabilities, and on any given day one is less vulnerable than the other two. Keeping your browser up to date is the surest way to prevent infections, regardless of which one you prefer. I've read that Chrome is more secure than Firefox. I've read that Firefox is more secure than Chrome. I've read that Internet Explorer 11 is more secure than Firefox or Chrome. It doesn't matter, use whatever you like or your work requires, just keep it up to date!</li>
<li><b>Block malware sites.</b> Ad blockers such as <a href="http://www.adblockplus.org/">AdBlock Plus</a> can go a long way towards preventing malicious code running on your computer as many advertising servers serve up malware as well. Additionally you might consider using <a href="http://www.opendns.com/">OpenDNS</a> to block malware - OpenDNS takes a bit of work to get going, but once it's going it can not only block malware but pornography and other undesirable content as well.</li>
<li><b>Install antivirus software and keep it up to date.</b> Microsoft's latest statistics show that just over 50% of users don't have antivirus installed. Wow. That's like walking on the beach with no flip-flops - sooner or later you're going to step on something nasty. Please install antivirus - <a href="http://windows.microsoft.com/en-us/windows/security-essentials-download">Microsoft Security Essentials</a> is free and works pretty well. Safe Mode also offers AVG to our customers at a deep discount - call or email us to find out more!</li>
</ul>
<div>
So these are things you can do to your computer and network, but that's only half of the equation as your computer isn't the one surfing the Internet, reading emails, and clicking links. The other half is between your ears - an educated computer user is a safe computer user! These behaviors will help keep you safer when used in conjunction with the above (in many cases these tips <i>work better</i>).</div>
<div>
<ul>
<li><b>Don't click "OK" or "Open" or "I Agree" or even the "X" on popup ads!</b> Don't even click the red "X" if a security warning or software installer pops up unexpectedly. <i>On your keyboard</i> press and hold "alt" then press the "F4" key to quit your browser completely. This will take you away from that awful place and you will have prevented a possible infection.</li>
<li><b>Don't open unexpected e-mail attachments.</b> Unless you know for certain that someone you know is sending an attachment, don't open it. If it's from someone you know and it looks legit, think twice then call the sender and politely ask if they sent you something in your email. If they didn't, inform them that they may have a virus and recommend professional assistance.</li>
<li><b>Don't open any attachments from Paypal, UPS, Fedex, Amazon, the IRS, or a bank.</b> It's likely not from them anyway, so it's probably a virus. If one of those organizations needs to reach you they know other ways besides your e-mail. Especially the IRS.</li>
</ul>
<div>
<b>Safe Mode offers AVG Antivirus and OpenDNS - call or email us today to learn more! </b>We can also manage and monitor your network to fix issues before they become problems.</div>
</div>
Posted by Justin<br />
<br />
<b>VirtualBox Error VERR_SUPDRV_COMPONENT_NOT_FOUND on OSX after upgrading to Mavericks</b> (published 2013-10-28, updated 2013-11-26)<br />
Using VirtualBox 4.2.18 r88780 on OSX I encountered this error in a Win8 Guest after upgrading my host OS from Lion to Mavericks. Further testing revealed that it affects all guests, Windows and Linux. Changing my adapter mode from Bridged to NAT fixed the issue but I could not run in Bridged mode.<br />
<br />
Using the uninstall application and removing VirtualBox then reinstalling it fixed the issue.<br />
Posted by Justin<br />
<br />
<b>Gateway Status Monitoring on a pfSense</b> (published 2013-10-15, updated 2014-10-17)<br />
pfSense is an excellent router/gateway/proxy/content filter. It's not so hot at proactively alerting you if there is a problem. Nobody has time to stand over their pfSense Webmin Interface and monitor gateway statuses, but it is important to know if a member is down. An online uptime monitor can solve the problem.<br />
<div>
<br /></div>
<div>
The pfSense is capable of emailing you with notifications of a failed WAN connection, but that presents a chicken and egg problem - how is it supposed to notify you with email if the Internet connection has failed? The solution that I am currently trying is using <a href="http://uptimerobot.com/">uptimerobot.com</a> to ping the public IP of each WAN interface and send me an email if it is down and another once the service is reestablished.</div>
<div>
<br /></div>
<div>
Here are my settings if you want to try it:</div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgd107eHP35mnGo5oBIGuDnZbL7rHpXmvFzp8Jaxvm31MZk8YEVo5V4PlxPMskH2WnWLyhRBe7VrUyzofG7WEH1uc_rES-qcBFrO67j833s9L6C9X91jdz_LPBJLTFrPpGbdp8b/s1600/Screen+Shot+2013-10-15+at+10.48.19+AM.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgd107eHP35mnGo5oBIGuDnZbL7rHpXmvFzp8Jaxvm31MZk8YEVo5V4PlxPMskH2WnWLyhRBe7VrUyzofG7WEH1uc_rES-qcBFrO67j833s9L6C9X91jdz_LPBJLTFrPpGbdp8b/s320/Screen+Shot+2013-10-15+at+10.48.19+AM.png" height="285" width="320" /></a><ol>
<li>Create an account at <a href="http://www.uptimerobot.com/">http://www.uptimerobot.com</a> and set up your notification options.</li>
<li>Log into your pfSense and create a pass rule for each WAN (or Internet-facing Opt) interface for protocol ICMP, source any, destination "WAN IP Address" / "OPT1-IP-Address", then apply those changes. See the image that accompanies this post for more details.</li>
<li>Using an Internet-connected remote host, ping each of your public IPs and verify that they are visible to the outside world.</li>
<li>Add your public IPs to <a href="http://uptimerobot.com/">uptimerobot.com</a> using the +Add Monitor dialog.</li>
</ol>
<div>
If anybody knows of a better way I'm all ears - this is a feature that has been requested repeatedly but hasn't ever been implemented. The hot setup would be an audible alarm upon link failure as well as internal Growl notifications of gateway up/gateway down.</div>
</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
Posted by Justin<br />
<br />
<b>Essential Free Server and Network Tools for the Windows Admin</b> (published 2013-07-26, updated 2014-08-04)<br />
I don't like spending money but I like getting stuff. What computer admin doesn't fit into this category? When I take on a server I find that just a few tools (aside from the hardware vendor's monitoring tools) end up living on its desktop.<br />
<br />
<a href="http://w3.win.tue.nl/nl/onderzoek/onderzoek_informatica/visualization/sequoiaview//"><span style="font-family: Arial, Helvetica, sans-serif;">Sequoiaview</span></a><br />
<br />
<a href="http://w3.win.tue.nl/uploads/pics/ScreenSHSq1aL_01.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="http://w3.win.tue.nl/uploads/pics/ScreenSHSq1aL_01.jpg" /></a>Ever want to see what's hogging up all your valuable server hard disk space? Ever want a quick way to see just what a drive contains? Sequoiaview is useful for all kinds of auditing through the representation of the data on your hard drive using a "tree map." The size of the box represents the relative size of the file and the colors are indicative of filetype. Files are then bundled together in their respective folders. Moving your mouse over the files and folders yields additional information and offers a way to fly over your hard disk's data and visualize usage in a very intuitive and insightful manner. Right clicking offers a way to open an Explorer window in that location so you may further interact with your files.<br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;"><a href="http://www.roadkil.net/program.php/P29/Unstoppable%20Copier">Roadkil's Unstoppable Copier</a></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.roadkil.net/screenshots.php?ImageID=193" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="http://www.roadkil.net/screenshots.php?ImageID=193" height="213" width="320" /></a></div>
This classic tool is useful for both recovery scenarios and for everyday file copies and moves. Unstoppable Copier is a fast and reliable way to shuffle data around on your hard drives and network. It seems to move files faster than Explorer and it will attempt to read files with data residing in bad sectors. Did I mention that it's fast? If there is an error copying a file it notes the error and moves on - unlike Explorer which, partway through the copy, errors then quits. Unstoppable Copier can also be batched or scripted, resulting in a flexible fast backup utility if you're not afraid to write a batch file.<br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;"><a href="http://angryip.org/w/Download">Angry IP Scanner</a></span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://a.fsdn.com/con/app/proj/ipscan/screenshots/136034.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="http://a.fsdn.com/con/app/proj/ipscan/screenshots/136034.jpg" height="214" width="320" /></a></div>
<br />
<br />
The Angry IP Scanner is my go-to for quickly finding out what's connected to the server's LAN. Certainly there are better network IP port scanners available (like NMap) but they can't match Angry's simplicity - often a quick and dirty ping scan is all you need. It can do port scans as well as gather banners and report NetBIOS information such as the logged in user. It's not as intrusive as NMap can be and it's very portable. It doesn't do everything NMap and ZenMap can, but that's OK because it gets the job done.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.unixwiz.net/images/putty-openssh-3.gif" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="http://www.unixwiz.net/images/putty-openssh-3.gif" height="310" width="320" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><a href="http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html">Putty</a></span><br />
<span style="color: #0000ee; font-family: Arial, Helvetica, sans-serif;"><u><br /></u></span>
I like the command line. When dealing with *nix and Cisco services and devices you can't beat the Zen-like simplicity of a simple flashing cursor and the world of possibilities behind it. Putty brings some of this power to Windows, but the true power lies in the fact that it does SSH Port Forwarding - a way to get secure access to your network without a VPN. See my classic article <a href="http://darnitol.blogspot.com/2007/07/secure-windows-remote-desktop-part-2.html">here</a> for details on the process of using SSH Tunneling to secure Windows Remote Desktop.<br />
Posted by Justin<br />
<br />
<b>Outlook 2010 on Windows 7 Repeatedly Prompts for Credentials</b> (published 2013-07-10, updated 2013-07-10)<br />
This was on Windows 7 with Outlook 2010. The user had migrated from Exchange on an SBS 2003 to Exchange on Office365. My coworker Heather did all the dirty work and eventually came up with this solution:<br />
<br />
<span class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px; font-family: Calibri;"></span><br />
<div class="MsoNormal" style="font-family: Calibri, sans-serif; font-size: 11pt; margin-bottom: 0.0001pt; margin-left: 0in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: 'Palatino Linotype', serif;">In order to fix this issue, I deleted the Outlook profile and did the following:</span></div>
<div class="MsoNormal" style="font-family: Calibri, sans-serif; font-size: 11pt; margin-bottom: 0.0001pt; margin-left: 0in; margin-right: 0in; margin-top: 0in;">
<br /></div>
<div class="MsoNormal" style="font-family: Calibri, sans-serif; font-size: 11pt; margin-bottom: 0.0001pt; margin-left: 0in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: 'Palatino Linotype', serif;">Go to Start > Control Panel > User Accounts, click "Manage your credentials", scroll down to "Generic Credentials" and remove from the vault any that start with "MS.Outlook:"</span></div>
<div class="MsoNormal" style="font-family: Calibri, sans-serif; font-size: 11pt; margin-bottom: 0.0001pt; margin-left: 0in; margin-right: 0in; margin-top: 0in;">
<br /></div>
<div class="MsoNormal" style="font-family: Calibri, sans-serif; font-size: 11pt; margin-bottom: 0.0001pt; margin-left: 0in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: 'Palatino Linotype', serif;">Delete the auto-discover configuration file and restart Outlook.</span></div>
<div class="MsoNormal" style="font-family: Calibri, sans-serif; font-size: 11pt; margin-bottom: 0.0001pt; margin-left: 0in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: 'Palatino Linotype', serif;">C:\Users\<i>your computer account name</i>\AppData\Local\Microsoft\Outlook\xxxxx - Autodiscover.xml</span></div>
<div class="MsoNormal" style="font-family: Calibri, sans-serif; font-size: 11pt; margin-bottom: 0.0001pt; margin-left: 0in; margin-right: 0in; margin-top: 0in;">
<br /></div>
<div class="MsoNormal" style="font-family: Calibri, sans-serif; font-size: 11pt; margin-bottom: 0.0001pt; margin-left: 0in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: 'Palatino Linotype', serif;">I tried all of these steps minus deleting the outlook profile and it didn’t work for me. However, I recommend trying it before deleting the profile, to save time if by chance it does work.</span></div>
Posted by Justin<br />
<br />
<b>Windows 7 - USB Devices Won't Install</b> (published 2013-06-10, updated 2013-06-10)<br />
I beat myself against this for six hours straight. <br />
<br />
The reported symptom was that no new USB devices would install. During troubleshooting SFC /scannow yielded "Windows Resource Protection could not start the repair service." I received the following error message when I tried to start the Windows Modules Installer service (TrustedInstaller): "System Error 126: The specific module could not be found". The Installed Updates in Add/Remove Programs was blank.<br />
<br />
I Googled this until my fingers bled. http://support.microsoft.com/kb/959077 seemed like it should help, but it didn't.<br />
<br />
Finally, desperate, I called Microsoft. They said someone would call me back within 4 hours. Oh well... So I tried another desperate move: I copied the "c:\windows\servicing\trustedinstaller.exe" and the four "c:\windows\winsxs\amd64_microsoft-windows-servicingstack…" folders from a known working system to a CD then replaced the files on the affected system with those copied files after taking ownership from trustedinstaller and giving the administrator full control of the required files and folders in the affected system.<br />
<br />
It worked!<br />
Posted by Justin<br />
<br />
<b>Reduce Spam Using Exchange 2008</b> (published 2013-04-22, updated 2013-04-22)<br />
OK, a little further into the 21st Century we were gifted with Exchange 2007 - unfortunately the Spammers don't care what we're running nor how much better we might like it than we did Exchange 2003, so, we start by visiting <a href="http://technet.microsoft.com/en-us/library/bb124696(v=exchg.80).aspx">http://technet.microsoft.com/en-us/library/bb124696(v=exchg.80).aspx</a> and get the info straight from Microsoft.<br />
<br />
Well, that wasn't very helpful - first off I'm running Exchange 2008 without the Edge Transport role - don't ask me why, I didn't set it up, a subcontractor did, and he did a lot of things that might be questionable. I'm not sure if this is even one of them, but I digress. . .<br />
<br />
To get the anti-spam settings on a server that only has the Hub Transport role, install the anti-spam agents from the Exchange Management Shell (replace c:\ with whatever the appropriate drive is; the call operator and quotes are needed because the path contains spaces):<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">&amp; "c:\program files\microsoft\exchange server\scripts\install-antispamagents.ps1"</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Times, Times New Roman, serif;">then restart your Exchange Transport with:</span><br />
<span style="font-family: Times, Times New Roman, serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">restart-service msexchangetransport</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Times, Times New Roman, serif;">You may then open your Exchange Management Console, go under Organization Configuration, click Hub Transport, and find your Anti-Spam Tab.</span><br />
<span style="font-family: Times, Times New Roman, serif;"><br /></span>
<span style="font-family: Times, Times New Roman, serif;">For more details, see </span><a href="http://www.msexchange.org/articles-tutorials/exchange-server-2007/security-message-hygiene/exchange-server-2007-spam-filtering-features-without-using-exchange-server-2007-edge-server.html">http://www.msexchange.org/articles-tutorials/exchange-server-2007/security-message-hygiene/exchange-server-2007-spam-filtering-features-without-using-exchange-server-2007-edge-server.html</a><br />
<br />
<br />
<br />
<br />
<b>Reduce Spam Using Exchange 2003</b> (posted 2013-03-27, updated 2013-04-22)<br />
<br />
I understand that this may be six or seven years too late, but many old 2003 servers are still chugging along just fine. The volume of junk mail, however, continues to increase, and that old server may be unhappy with the ever-increasing volume of traffic. I certainly know that your users aren't happy with it!<br />
<br />
Microsoft has made an excellent toolset for reducing the spam sent through your Exchange 2003 server. In a future article I will address similar measures for Exchange 2007 and 2010 - the Exchange 2003 just happens to be what I worked on today and noted the steps for tonight's blog entry.<br />
<br />
<br />
<ol>
<li>If you haven't already (I won't judge, I promise), download and install <a href="https://www.microsoft.com/en-us/download/details.aspx?id=9664">Exchange 2003 Service Pack 2</a>. I'll wait. Don't know which one you're on? On your server open the Exchange System Manager, go to Servers, then expand the fifth column; it will tell you there.</li>
<li>Enable filtering based on free Real-Time Black Lists (free RBL? Wow!) following the instructions at <a href="http://support.microsoft.com/kb/823866/en-us">http://support.microsoft.com/kb/823866/en-us</a> and using the following servers:<br /><br />Spamhaus zen.spamhaus.org* <span style="font-size: xx-small;">(this one gives a return code, see <a href="http://www.spamhaus.org/zen/">http://www.spamhaus.org/zen/</a>)</span><br />SpamCop bl.spamcop.net<br />Surriel psbt.surriel.com<br />SORBS dnsbl.sorbs.net</li>
<li>Expand Global Settings, then right-click Message Delivery and select Properties. Click the Recipient tab, then make certain the "Filter Recipients who are not in the Directory" box is checked. This prevents your server from bouncing non-deliverable reports to senders and places the burden of saying "sorry, no one here by that name" on the sender's e-mail server where it belongs.</li>
<li>Click the Intelligent Message Filter then change the Block SCL to 8 and set the action to "Reject" - after a few weeks of testing you can set this to "Block". The difference is that "Reject" sends a non-deliverable report back to the sender, allowing you to diagnose incorrect rejections. "Block" silently drops the message.<br />Set your store and Move to Junk Mail to 6. Later on you may tweak these if too many messages are marked as spam or you are receiving too much junk.</li>
<li>Now you need to enable your new filters. In the Exchange System Manager expand Servers, &lt;servername&gt;, Protocols, SMTP, then right-click the Default SMTP Virtual Server and select Properties. Click the Advanced button on the first page, click Edit . . . then select the boxes next to Apply Recipient Filter, Apply Connection Filter, and Apply Intelligent Message Filter. Save these settings.</li>
<li>Restart your Exchange Store Service (if you've come this far you probably know how. . .)</li>
</ol>
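<div>
How the block list lookup and the Spamhaus return codes from step 2 work, as an added example (not part of the original post and not Microsoft's or Spamhaus's code): the connecting IP is reversed, queried as a name under the list's zone, and the 127.x answer says which list matched. The code tables apply to zen.spamhaus.org only, and the resolver and its answers are constructed so the example runs offline.</div>

```python
import ipaddress
import socket

# Listing codes Spamhaus documents for zen.spamhaus.org.
ZEN_LISTED = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL CSS", "127.0.0.4": "XBL",
    "127.0.0.10": "PBL (ISP maintained)", "127.0.0.11": "PBL (Spamhaus maintained)",
}
# Answers in 127.255.255.x report a query problem, not a listing.
ZEN_ERRORS = {
    "127.255.255.252": "typo in DNSBL zone name",
    "127.255.255.254": "query came through a public/open resolver",
    "127.255.255.255": "excessive number of queries",
}

def dnsbl_query_name(ip, zone):
    """Reverse the address and append the zone: 192.0.2.1 -> 1.2.0.192.ZONE."""
    return ipaddress.ip_address(ip).reverse_pointer.rsplit(".", 2)[0] + "." + zone

def classify(answers):
    """Turn the A records a ZEN query returned into (verdict, reasons)."""
    errors = [ZEN_ERRORS.get(a, "unknown error code " + a)
              for a in answers if a.startswith("127.255.255.")]
    if errors:
        return "error", errors  # never reject mail on these
    listed = [ZEN_LISTED.get(a, "listed, code " + a)
              for a in answers if a.startswith("127.0.0.")]
    # Anything outside 127.0.0.x (e.g. a resolver rewriting NXDOMAIN) is ignored.
    return ("listed", sorted(listed)) if listed else ("clean", [])

def check(ip, zone="zen.spamhaus.org", resolve=socket.gethostbyname_ex):
    try:
        return classify(resolve(dnsbl_query_name(ip, zone))[2])
    except socket.gaierror:  # NXDOMAIN (or lookup failure): treat as not listed
        return "clean", []

# Constructed stand-in for DNS so the example runs offline; answers are made up.
def fake_resolver(name):
    table = {
        "2.0.0.127.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4"],
        "9.113.0.203.zen.spamhaus.org": ["127.255.255.254"],
    }
    if name not in table:
        raise socket.gaierror("NXDOMAIN")
    return name, [], table[name]

if __name__ == "__main__":
    for ip in ("127.0.0.2", "203.0.113.9", "192.0.2.1"):
        print(ip, check(ip, resolve=fake_resolver))
```

<div>
The "error" verdict matters when the server's DNS forwards through a large public resolver: the list then answers with an error code for every sender, and a filter that treats any answer as a listing would reject all inbound mail.</div>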
<div>
Now you should send some messages from the outside world to an internal user. Use Gmail or Outlook.com or whatever you like.</div>
<div>
<br /></div>
<div>
Now that you're sending and receiving like you were before you may not be aware of whether this is really working. To see some metrics that reveal what's going on behind the scenes you will use the Performance Monitor.</div>
<div>
<br /></div>
<div>
<ol>
<li>Go to Start, Administrative Tools, and open Performance Monitor.</li>
<li>Delete the default counters then add the following:<br />SMTP Server -> Messages Delivered Total<br />MS Exchange Transport Filter Sink -> Connections rejected by Block List Providers<br />Intelligent Message Filter -> Total Messages Scanned for UCE<br />Intelligent Message Filter -> Total Messages Assigned an SCL Rating of 0-9 (add all ten!)</li>
<li>Click OK then change your report type to Histogram or Report.</li>
</ol>
<div>
After a few days you will notice a line at the higher end of the Total Messages Assigned an SCL Rating that is taller than the rest (normally 7 or 8). This should be what you set your Block SCL to - everything which receives that rating is typically junk and the junk volume often exceeds the volume of legitimate messages.</div>
</div>
<div>
<br /></div>
<div>
<br /></div>
<b>Configuring Server 2008 to use the NTP Pool</b> (posted 2012-12-05)<br />
<br />
Excellent article by Luka Manojlovic at <a href="http://luka.manojlovic.net/2011/06/24/windows-server-2008-2008-r2-ad-sync-with-external-ntp-server/">http://luka.manojlovic.net/2011/06/24/windows-server-2008-2008-r2-ad-sync-with-external-ntp-server/</a> about configuring your Server 2008 to use the NTP Pool. If you are in the US you may use us.pool.ntp.org.<br />
<br />
Thanks, Luka!<br />
<br />
<b>pfSense: Remote Network Point to Point Link to VPN Over DSL Failover</b> (posted 2012-10-31, updated 2015-01-10)<br />
<div style="font-family: Helvetica; font-size: 12px;">
The scenario: </div>
<div style="font-family: Helvetica; font-size: 12px; min-height: 14px;">
<br /></div>
<div style="font-family: Helvetica; font-size: 12px;">
You have two locations with Internet connections and a dedicated point-to-point connection between the two and two pfSense systems performing all routing at both sites. You desire the two sites remain connected should the dedicated connection fail.</div>
<div style="font-family: Helvetica; font-size: 12px; min-height: 14px;">
<br /></div>
<div style="font-family: Helvetica; font-size: 12px;">
The solution:</div>
<div style="font-family: Helvetica; font-size: 12px; min-height: 14px;">
<br /></div>
<div style="font-family: Helvetica; font-size: 12px;">
Create a pfSense configuration with failover from the point-to-point connection to a site-to-site VPN utilizing the existing Internet connections at each site.</div>
<div style="font-family: Helvetica; font-size: 12px; min-height: 14px;">
<br /></div>
<div style="font-family: Helvetica; font-size: 12px;">
Steps:</div>
<div style="font-family: Helvetica; font-size: 12px; min-height: 14px;">
<br /></div>
<div style="font-family: Helvetica; font-size: 12px;">
1. Create an OpenVPN Server on the main pfSense and a Client setup on the remote pfSense (I used pre-shared keys). DO NOT set a route option in the Advanced box, as most instructions for configuring OpenVPN will suggest, and do not define a static route to your remote network under System -> Routes. Also note that IPsec cannot be used in this scenario, as it doesn't create a new adapter that we can work with in the firewall rules and gateways.</div>
<div style="font-family: Helvetica; font-size: 12px; min-height: 14px;">
<br /></div>
<div style="font-family: Helvetica; font-size: 12px;">
2. Check and see that the VPN turns on and connects via Status -> OpenVPN before proceeding. If it does not then troubleshoot your Internet connectivity and OpenVPN settings.</div>
<div style="font-family: Helvetica; font-size: 12px; min-height: 14px;">
<br /></div>
<div style="font-family: Helvetica; font-size: 12px;">
2. Go to Interfaces -> Assign and add Interface OPT3 with Network port ovpns1 on both the server and the client pfSense systems.</div>
<div style="font-family: Helvetica; font-size: 12px; min-height: 14px;">
<br /></div>
<div style="font-family: Helvetica; font-size: 12px;">
3. On both your local and remote pfSense add a new Firewall Rule allowing all protocols from any source to any destination under both OPT3 and OpenVPN.</div>
<div style="font-family: Helvetica; font-size: 12px; min-height: 14px;">
<br /></div>
<div style="font-family: Helvetica; font-size: 12px;">
4. On both your local and remote pfSense add OPT3 as a Gateway under System -> Routing -> Gateways leaving the Gateway and other options blank.</div>
<div style="font-family: Helvetica; font-size: 12px; min-height: 14px;">
<br /></div>
<div style="font-family: Helvetica; font-size: 12px;">
5. On both your local and remote pfSense create a new Group under System -> Routing -> Groups. The group will define your dedicated connection as Tier 1 and OPT3 as Tier 2. My trigger level is set to Member Down.</div>
<div style="font-family: Helvetica; font-size: 12px; min-height: 14px;">
<br /></div>
<div style="font-family: Helvetica; font-size: 12px;">
6. On both your local and remote pfSense create a new Firewall Rule under LAN which has all traffic from all sources bound for the remote network use the new Gateway Group (under Advanced) you created in Step 5.</div>
<div style="font-family: Helvetica; font-size: 12px; min-height: 14px;">
<br /></div>
<div style="font-family: Helvetica; font-size: 12px;">
7. Test - unplug the point-to-point connection, monitor things under Status -> Gateways, wait a minute or so, and hopefully you will still be passing traffic albeit through the VPN.<br />
<br />
<b>Please Note:</b> Upgrading from pfSense 2.0.x to 2.1.x breaks this configuration - I am working to resolve the issue. The issue I am running into is that the OpenVPN connection gets established but the routing and gateway monitoring for that link fails and never shows as UP in the Gateway groups. Deleting the OPT3 interface and its gateway then recreating them fixed the issue.</div>