Tech Talk

Synapse Networks - 21st Century Tech

Amazon EC2 VPN with ScreenOS customer gateway

Synapse was recently asked to configure a Juniper NetScreen (ScreenOS) device to act as a gateway to Amazon's new cloud service.  Here is some brief background, an explanation of how the device is configured, and some ScreenOS specifics.  We quote liberally from Amazon's own documentation below.

Amazon Virtual Private Cloud is a secure and seamless bridge between a company's existing IT infrastructure and the AWS cloud. Amazon VPC enables enterprises to connect their existing infrastructure to a set of isolated AWS compute resources via a Virtual Private Network (VPN) connection, and to extend their existing management capabilities such as security services, firewalls, and intrusion detection systems to include their AWS resources.

With Amazon Virtual Private Cloud, you create a VPC by first defining its IP address space. The IP addresses in this address space are private and form a network that is isolated at a packet-routing level from any other network, including the Internet.  You then create subnets, which are segments of a VPC's IP address space. These let you separate the isolated resources (such as Amazon EC2 instances) in the VPC based on security and operational requirements. If you create more than one subnet in a VPC, they're attached to each other by a logical router, in a star topology.

To connect to a VPC, you create a VPN connection, which is a VPN tunnel between a VPC and a data center, home network, or co-location facility. You configure your existing network to route all VPC-bound traffic to the customer gateway that anchors your end of the VPN connection.

With a VPN connection established, you can launch Amazon EC2 instances into a VPC's subnets; with the appropriate security policy, these instances now appear on your existing network.

VPC traffic bound for the Internet is routed over the VPN to your existing network, where it can be examined by pre-existing network security services, such as firewalls and intrusion detection systems, before exiting your existing network perimeter to the Internet. This is particularly valuable if you're using specialized network appliances and software to enforce security policies.

Amazon provides configuration documentation for Juniper JunOS and Cisco IOS devices acting as the VPN customer gateway.  They also provide generic device configuration for equipment and software that supports the following requirements:

1.  must support IKE with pre-shared keys and tunnel-mode IPsec
2.  must support AES with 128-bit keys
3.  must support the SHA-1 hashing algorithm
4.  must support Diffie-Hellman (DH) group 2 with perfect forward secrecy
5.  must support Dead Peer Detection to indicate when a VPN tunnel is down
6.  must support route-based VPN with tunnel interfaces.  The tunnel interface is a logical interface that can carry an IP address and is used for BGP routing
7.  must support BGP for route negotiation.  BGP is used to negotiate the best route to the Amazon EC2 cloud

The following diagram shows how Amazon sets up the VPN access.
[Diagram: Basic_Peering_Diagram.gif - Amazon VPC basic peering diagram]

Google DNS

Google has begun offering free public DNS servers, which anyone is free to use as an alternative to their ISP provided DNS servers.  Interestingly, their DNS servers are not based on BIND.  Maybe they are running DJBDNS?

More details can be found at the Google Code site.

The DNS IP addresses are 8.8.8.8 and 8.8.4.4, which resolve to google-public-dns-a.google.com and google-public-dns-b.google.com respectively.

They even provide public telephone support at 877-590-4367.

Maybe an OpenDNS-style service will be coming next?

Juniper launches small to mid-range SRX appliances

Juniper released this week its SRX small to mid-range appliances for branch office and small to midrange office environments.  The first firewall and UTM appliance powered by JunOS, this product offers a blend of firewall security, UTM threat protection, and carrier-class routing functionality.  For more information contact Juniper sales at 773-871-1466.

Understanding NAT differences between ScreenOS and JunOS

Juniper recently released an application note explaining how Network Address Translation (NAT) is handled differently between JunOS and ScreenOS.  The application note appears here:
Juniper Networks SRX Series and J Series NAT for ScreenOS Users.

GoDaddy offering Subject Alternate Name (SAN) SSL certificates

GoDaddy is offering a reasonably priced SSL certificate supporting Subject Alternate Name extensions, which GoDaddy refers to as a Multiple Domain Certificate.  These are also commonly referred to as Unified Communications Certificates (UCC), with support for Exchange 2007 and Microsoft Office Communications Server.  These multiple domain certs allow the use of multiple domain names with one certificate, greatly simplifying the deployment of Exchange 2007.

See the GoDaddy SSL cert site for further details.

Windows Server 2008 SSL VPN

Windows Server 2008 adds support for SSL VPN remote access, using a new tunneling protocol called Secure Socket Tunneling Protocol (SSTP).  This remote access protocol allows Windows Vista SP1 clients to access internal network resources using

SSTP provides a mechanism to encapsulate PPP traffic over the SSL channel of the HTTPS protocol.  The use of PPP allows support for strong authentication methods such as EAP-TLS.  Secure Sockets Layer (SSL) provides transport-level security with enhanced key negotiation, encryption, and integrity checking. 

SSTP supports multiple authentication methods such as passwords, smart cards, certificate-based and "One Time Password" authentication.

More details can be found at http://thesystemadministrator.com/the_system_administrator/windows_server_2008/windows_server_2008_&_sslvpn_aka_secure_socket_tunneling_protocol_(sstp)/


Fortinet Threatscape April 20, 2009

Fortinet released its latest Threatscape report.  This report provides global coverage of malware threats, along with web blocking and spam trends.

improved version of RoboCopy

RichCopy is a free, highly configurable multithreaded copying utility that offers a number of improvements over RoboCopy and RoboCopyGUI.  It was developed by a Microsoft engineer over a number of years, and while not a supported Microsoft product is available for download through the TechNet site.


Get Started with Office Live splash screen won't go away

After installing the Office Live Add-in to Office, some users have noted that the initial splash screen keeps popping up even after selecting the check box "Do not show me the message again".

Apparent Cause:  The add-in was installed under a different user account.

Resolution:  The issue can be resolved by adding a new registry key named OfficeLive under the HKEY_CURRENT_USER\Software\Microsoft subkey.

Steps:

1. Logged in as the user that has the problem, click Start, click Run, type regedit, and click OK.

2. On the left pane expand HKEY_CURRENT_USER, expand Software, select Microsoft.

3. From the Edit menu point to New and select Key.

4. Type OfficeLive and press the Enter key.

5. Close Registry Editor.

6. Start Word, Excel, or PowerPoint, you'll get the prompt, make sure 'Do not show me this message again' is checked, click Continue.

7. Close the application (Word, Excel, or PowerPoint); the registry DWORD values should now be created under OfficeLive for that user.

Thanks to Aaron Rykhus from the Microsoft Office support team for his blog pointing out this solution.

Optimizing Outlook 2007 Cache Mode Performance for a Very Large Mailbox

The following post on the Microsoft Exchange Team blog has some very useful information about the management of large mailboxes.  Since we tend to be an "enabler" of large mailboxes, and I am a large mailbox fan myself, it is good to come across a Microsoft post on how best to manage these.  I would like to add a few notes on the logic behind large mailboxes.
  • Unless your organization has implemented an effective mail archiving solution like Mimosa NearPoint, it is simply not practical or desirable to manage PST/archive files.  The overhead costs (to your users) of having to do frequent mail archiving can be significant, and then there is the difficult problem of how to save these archive files so that they can be easily accessed anywhere.  Saving files locally is simply not a scalable solution and presents problems with recovery in case the file is lost or damaged.
  • A large mailbox is the most effective way to locate mailbox items, especially when using Outlook 2007 and Windows Search 4.0, which is an excellent combination.

Small SharePoint tip

For those of you who have hosted SharePoint services without hosted email, you can still use the alerting functionality of SharePoint.

Simply go to your site (you must be an admin), go into Site Settings, People and Groups, then click on a user object in the list. Edit that user object and put the user's email address in the email address field. Save your changes. Huzzah! That user can now set up email alerting!

Juniper releases ScreenOS 6.2 for NetScreen-5GT and SSG appliances

Juniper has released ScreenOS 6.2 code for a range of firewall/VPN appliances including the SSG5, SSG 20, SSG 140, SSG 320M/350M, SSG 520/520M, SSG 550/550M, NetScreen-5GT, ISG 1000, ISG 2000, and NetScreen-5000 series appliances.  This release incorporates bug fixes from ScreenOS maintenance releases up to 6.1r3, 6.0r7, 5.4r10, and 5.3r10.

It is the first code release for the NetScreen-5GT appliance since ScreenOS 5.4, and extends the software life of these products for more than a year.

CAVEAT for NetScreen 5GT users!  This ScreenOS 6.2 update does not support Antivirus or Antispam UTM content subscriptions for the 5GT models.  If you need UTM support you will need to stay with ScreenOS 5.4.

The release notes for ScreenOS 6.2 can be found at http://www.juniper.net/techpubs/software/screenos/screenos6.2.0/rn_620_r1.pdf


Free IPsec Remote Access VPN client for Windows

Shrew Soft Inc. has released a free IPsec VPN client software package for Windows 2000, Windows XP and 32 and 64-bit versions of Vista.  According to Shrew Soft, this client software offers many of the advanced features only found in commercial solutions and provides compatibility with Cisco, Juniper, Checkpoint, Fortinet and other vendors.

Instructions on how to configure the software to work with the Juniper SSG appliances can be found at http://www.shrew.net/support/wiki/HowtoJuniperSsg.

We welcome any feedback on your experiences with this software!


Advice on how to speed up a Windows XP or Vista computer with slow performance

Recent advice from a Slashdot posting by http://slashdot.org/~bdwebb is very helpful on how to speed up a slow Windows XP or Vista PC (forget any previous version of Windows -- get a real OS!).  I have added some additional comments to his comments...

- Before spending time looking for malware related issues, check Task Manager to see if any one particular process is using a significant percentage of the system CPU.  Make sure to check the box to show processes from all users.  If you notice one particular process that is hogging the system CPU, begin by researching this process to see if it might be a driver related problem (such as an HP multifunction printer), an antivirus issue, or a print spooler issue.  You can attempt to kill the running process to see if this corrects your performance issues.

If a recent system change such as a new driver install is the apparent cause of your performance issues then you might consider a system restore at this point to bring the system state back to a known "good" state.

If not, or if there is no obvious process utilizing significant system resources, then proceed with the following steps. 


- Disable system restore before you do anything...irritating spyware and virii can hide here and restore themselves

- Download and run X-Ray PC [x-raypc.com] (freeware) and run an online analysis of your processes...will give you a good/bad/unknown triage for some processes and allow you to kill them.  

- Start>Run> msconfig.exe and check your startup processes...do a quick google search for anything you don't recognize and if it is not a necessary startup process, kill it. Having a shitload of processes running at startup can bring your system to its knees. Usually, for a desktop XP machine, between 28 and 35 processes is ideal on a fresh boot. For a laptop it can be up to 50...depends on what utilities are required to make your touchpad/buttons/wireless/etc work. 
NOTE:  I prefer using the utility called AUTORUNS from Sysinternals.com (now part of Microsoft).  It is available at http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

- Start>Run> msconfig.exe and check your services. Check 'hide all Microsoft services' and do a quick scan to make sure no extra junk services are hiding here. If you lose functionality to something on startup that you want, you can either just turn it back on or, if necessary, boot into safe mode and turn it on.
NOTE:  Running services.msc from the Run line or command prompt is just about as good.

- Download Crap Cleaner [filehippo.com] and run the registry scan to see how many junk items you have in your registry. Review the causes and fixes to all the issues you find...you're usually okay doing a fix all but I check them just in case (this is your registry after all...never hurts to back it up either.)
NOTE:  Also look at malwarebytes.org for a good, free malware scanner.

- Add/remove any programs that you don't recognize or don't use. All this extra junk does nothing to help you. Additionally, if you can pinpoint one or two programs that were installed around the time your computer started having issues, definitely uninstall them and check your performance after (probably run ccleaner again to ensure they are completely gone).

- Restart your machine and check msconfig and xraypc again to ensure that nothing you killed came back...if it did, you've got a virus or spyware.
NOTE:  You may want to re-enable System Restore at this point in time if you had disabled it at the start of the procedure.

- If you still have issues, try running one of many drive fitness test tools to determine whether or not you have bad sectors or possibly a bad HDD altogether. Some tools will even allow you to repair the bad sectors but usually if you've got bad sectors you should start looking at a new HDD soon.

- If you have the option, pull the HDD and hook it up to a test rig and run a Housecall [trendmicro.com] scan on the drive.

- Run Rootkit Revealer [microsoft.com] to determine whether or not you have a rootkit installed on your machine. Rootkits are nasty as hell but you can usually find additional info via a google search on how to rid yourself of them.

- When all else fails, a clean install is usually the best way to get your system back up to snuff. It is a pain in the fucking ass and no one likes to do it until you remember what it is like having a clean install. Just make a list of your programs, do a backup of your data, and format that sucker.


problems with Remote Web Workplace and SBS 2003

Are you experiencing repeated inability to launch Remote Web Workplace with SBS 2003, with an error message from IE7 stating that it cannot download the necessary ActiveX control?  If you have checked your Internet Explorer Managed Add-Ons and it does not appear there, then run Regedit and navigate to the following key:

HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Ext \ Settings

Expand Settings and delete the key {7584c670-2274-4efb-b00b-d6aaba6d3850}.

Close all instances of IE and you should be good to go.

Problems extending disk size in Server 2008

Recently we ran into issues extending the free disk space on a RAID 5 partition of Windows Server 2008.  The hardware platform is an HP DL380 G5 with two arrays, and we had recently added an additional hard drive and extended the array using HP's array manager utility.  This took a number of hours to complete, after which we were able to see the option to extend the disk size in the Server 2008 disk management utility (the GUI utility as opposed to the command line 'diskpart' utility).  After attempting to extend the array, the disk management utility (MMC snap-in) showed the disk size to be around 420 GB; however, when viewing the properties of the disk it still showed the available disk space to be 280 GB.  Similarly, the chkdsk command still reported the original disk size.  A reboot of the server did not improve the situation.

An extensive review of relevant Google searches finally turned up the solution, which is not well documented for Server 2008 -- namely http://support.microsoft.com/kb/832316.  The solution to the discrepancy between the volume size and capacity was to go into the 'diskpart' utility, select the relevant disk, select the relevant partition, then issue the command 'extend filesystem'.  This immediately cleared up the problem, and now chkdsk reports the full available disk space.

SharePoint 2007 Design Links

If you have almost gone bald tearing your hair out customizing the look and feel of a SharePoint website, here are a few good sites I've come across that have helped me out:

SharePoint 2007 CSS Reference Guide - incredible table with all of the CSS elements mapped out and explained.

Windows SharePoint Services 3.0 Sample: Example Master Pages - a nice set of 4 default master templates to get an idea of what is possible.

SharePoint Scotland - a very nice site with lots of links to very useful design and customization articles and sites.


Registry Entries that Control IE Security Zones

I came across a couple of great Microsoft KB articles the other day relating to adding/deleting websites in security zones in Internet Explorer.

I had a user that was in an Active Directory OU where I had a Group Policy rule enabled controlling what websites were in the Trusted security zone. I wanted to add a website to the Trusted zone on the user's computer but could not because GP would not allow the change - everything was grayed out in IE in the section where you can add sites to zones. So on the server I disabled the group policy controlling this, then ran gpupdate on the computer and rebooted just to make sure. I was then able to add sites to the Trusted zone in IE... or so I thought! I would add the site, click OK, close all windows, and it would not work; I would go back into the trusted sites list and my addition would not be in the list! The change was not taking for some reason.

After much googling and hair pulling, I thought why not just add the site via the registry. This worked like a charm. However I had to add a DWORD registry value for the particular site in two different locations:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

In the process of figuring this out I found two great KB articles, listed below, detailing the registry controls for security zones, one of which deals specifically with Group Policy.

KB 182569
KB 922704

NK2 files and you

Have you ever had to rebuild a user's Outlook profile? If yes then you've probably had users complain to you afterward that their email address auto-completion is broken. What the user doesn't realize is the auto-complete feature in Outlook is built up over time as they use addresses.

After you send an email to a person, their address is added to a file that Outlook performs lookups on to see if you've emailed this person before. Autocompletion is not based on the address book. Unfortunately, a lot of users depend on this popup list and even use it as a repository of sorts, inadvertently storing email addresses that are not recorded in any other location in Outlook. The downside of this is that the data for autocompletion is stored locally on the user's machine and does not move to the new profile automatically.

You can, however, copy this data file from one Outlook profile to another on the local machine. Here's how:

Navigate to 'C:\Documents and Settings\<username>\Application Data\Microsoft\Outlook'.
You should see various Outlook files with the file extension 'nk2'. Simply rename the old profile's nk2 file to the new profile's name (for example, if you named the new profile 'John Doe', the nk2 file would be renamed to 'John Doe.nk2').

Relaunch Outlook and Shazam, the autocomplete list is back in action!

Cannot successfully run Windows Update after reformat of WinXP

We have run into this problem quite a few times in the last couple of months. Here's the scenario: for whatever reason you have to install WinXP SP2 from scratch. After re-installing, adding appropriate drivers etc., you then go to Windows Update; it installs the latest Windows Installer successfully, then downloads all of the patches and updates but then fails on installing all of them. Usually they fail with no MS failure code. Here is the solution to this problem:

Stop the Windows Update service at the command line:

      net stop WuAuServ

Re-register the Windows Update DLLs. In the command prompt type the following:

      REGSVR32 WUAPI.DLL

    * Wait until you receive the "DllRegisterServer in WUAPI.DLL succeeded" message and click OK
    * Repeat for each of the DLLs below

      REGSVR32 WUAUENG.DLL
      REGSVR32 WUAUENG1.DLL
      REGSVR32 ATL.DLL
      REGSVR32 WUCLTUI.DLL
      REGSVR32 WUPS.DLL
      REGSVR32 WUPS2.DLL
      REGSVR32 WUWEB.DLL

Start the Windows Update service again:

      net start WuAuServ

ISP Transition Step-by-Step

ISP Transition Plan April 2006
Synapse Networks

This is a good overall transition plan to change ISPs from original provider (“Old
ISP”) to new provider (“New ISP”) with a concurrent change of usable public IP
addresses. Apart from circuit changes, this specifically addresses DNS changes. This
assumes that you would be changing DNS providers from the original provider
“Old ISP” to the new provider, though the same procedures would apply no matter who the new DNS provider would be. The term “zone” and “domain” are used somewhat loosely here, and are interchangeable for the purposes of this discussion. There are technical differences between the two that we can ignore for this basic transition plan.

Step 1: Get a listing of all domains hosted by the current Domain Hosting (DNS) provider. In this example we assume that DNS hosting services are being provided by the "Old ISP", but not necessarily – DNS services could be provided by a third party.

Step 2: Get complete zone listings of all identified domains from the current DNS provider ("Old ISP" or other third party DNS provider). A zone listing, also called a zone data file, is essentially a complete list of all DNS entries for a particular domain name. Typically these zone listings will include Address (A) records, Mail (MX) records, CNAME (alias) records and other specific record types. Assuming you will be changing to a new set (block) of IP addresses with the transition to the new ISP, then you will not need to carry over the reverse zones (called in-addr.arpa zone records).

Step 3: Provide zone listings to new DNS provider (“New ISP”) and request that
they load these zone files. Have the new DNS provider set up the zone files so
that they are the Primary DNS provider for the domains.

Step 4: Confirm with the new DNS provider that zones are set up correctly. Verify using a number of methods, but make sure to directly reference the new DNS provider's name servers in your DNS queries.

In Windows:
- using the NSLOOKUP tool in Windows
- using SamSpade for Windows (www.samspade.org)
- using the ISC BIND Dig tool (www.isc.org)
- using one of the many good web sites to verify DNS records, such as www.dnsstuff.com or http://www.miceandmen.com/9000/9000_the_dns_place.html

In UNIX / Linux:
- using the built-in Dig tool or one of the above mentioned websites.

Step 5: At least one week prior to switchover, submit a request to the domain
registrar for the domain(s) in question (e.g., Network Solutions, GoDaddy.com,
etc.) to make the new provider's DNS servers primary for the domain(s). This
does not involve modifying any DNS address or MX records.

Step 6: Request the New ISP to set up reverse DNS records (maps IP address to
a DNS name) for key services such as mail. It is important that the reverse DNS
records be set up to avoid problems with mail. See
http://www.dnsstuff.com/info/revdns.htm for more detailed information on
reverse DNS. See also below notes on Mail servers and DNS.

Step 7: At least several days before the planned cutover, ensure that the new
Internet connection is up and operational and tested for several days to make
sure you are prepared to switch to the new carrier.

Step 8: Map out in advance what DNS records will need to be changed once
service is moved to the new provider. This needs to be detailed to the point that
it can drive DNS changes as soon as service is moved. This will form the basis of
request made to new provider at the appropriate time. The New ISP should be
ready to make the changes at the cutover time, and ideally will review the
changes in advance and be prepared for the cutover.

Step 9: Two days prior to the cutover, request your New ISP to lower the Time
To Live (TTL) value for your domain records to a short value, approximately 10
to 15 minutes. This need be done only until the transition is complete. This is
an important step to ensure that changes are propagated quickly throughout the
Internet, by limiting the amount of time that other DNS servers cache your DNS
records before requesting new information.

Step 10: Allow about two to four hours downtime for the cutover. A retreat plan
should be in place in case there are problems with the cutover, so that service
can quickly be reinstated with the Old ISP – e.g., save the firewall configuration,
router configuration, DNS zone records, etc.

Step 11: Install / move / reconfigure any equipment (firewall, switches, etc.)
that needs to be moved to do the cutover to the new provider. Verify that all
key services and servers are operational on the new equipment. Once you are
confident that service with the new provider is fully operational, request the DNS
changes to new provider. Allow for 10-15 minutes (the TTL period) for the
changes to take place.

Final Step: Verify that all services and servers are operational. Make use of Web
based tools such as www.dnsstuff.com and http://www.dnsreport.com/ to verify
your records, and have outside users attempt to access all services.

Note on DNS and Mail servers:
To block spam mail, many organizations use reverse DNS lookups to verify that the mail server that is sending the mail is indeed who it says it is. To avoid problems it is best to do the following:
1. Configure your mail server(s) to announce itself in the correct mail domain.
2. Make sure that the DNS name (host name) that your mail server announces itself as can be resolved to its correct IP address (i.e., has a proper forward DNS record).
3. Make sure your mail server's public IP address or addresses can be resolved to the same host name or names.

Stuart Brainerd
Synapse Networks
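The plan above leaves Steps 2, 8 and 9 and the mail note as manual work: take the old zone listing, decide which records move to the new address block, cut TTLs before cutover, and confirm that the MX host's forward and reverse records agree. The script below is an added example (written for this page, not part of the Synapse plan or any vendor tool) that does that bookkeeping on a constructed BIND-style zone file. The zone contents, the old and new address blocks (RFC 5737 documentation ranges), the one-to-one renumbering rule that keeps each host's offset within the block, and the PTR table standing in for the New ISP's reverse zone are all assumptions made for the example.

```python
"""ISP cutover helper: parse the old zone listing, plan the renumbering,
lower TTLs, and check mail-host forward/reverse DNS consistency.
Added example for this page; not code from the plan's author."""
import ipaddress
from typing import Dict, List, NamedTuple, Tuple


class Record(NamedTuple):
    name: str    # fully qualified, with trailing dot
    ttl: int
    rtype: str
    rdata: str


# Constructed sample zone listing, as the "Old ISP" might export it (Step 2).
OLD_ZONE = """\
$ORIGIN example.com.
$TTL 86400
@       IN  A      203.0.113.10   ; web front end
www     IN  A      203.0.113.10
mail    IN  A      203.0.113.25
ftp     IN  CNAME  www
@       IN  MX 10  mail
"""

# Hypothetical old and new address blocks (documentation ranges).
OLD_BLOCK = ipaddress.ip_network("203.0.113.0/24")
NEW_BLOCK = ipaddress.ip_network("198.51.100.0/24")

# Constructed reverse-DNS table as the New ISP would publish it (Step 6).
NEW_PTR = {"198.51.100.25": "mail.example.com."}


def _qualify(name: str, origin: str) -> str:
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str) -> List[Record]:
    """Minimal zone-file parser: $ORIGIN, $TTL, and one-line records with an
    optional TTL and class field. Text after ';' is a comment and dropped."""
    origin, default_ttl, records = ".", 3600, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "$ORIGIN":
            origin = parts[1]
            continue
        if parts[0] == "$TTL":
            default_ttl = int(parts[1])
            continue
        name, i, ttl = parts[0], 1, default_ttl
        if parts[i].isdigit():
            ttl, i = int(parts[i]), i + 1
        if parts[i].upper() == "IN":
            i += 1
        rtype, rdata = parts[i].upper(), " ".join(parts[i + 1:])
        if rtype in ("CNAME", "MX"):  # qualify the target host name too
            head, target = rdata.rsplit(" ", 1) if rtype == "MX" else ("", rdata)
            rdata = f"{head} {_qualify(target, origin)}".strip()
        records.append(Record(_qualify(name, origin), ttl, rtype, rdata))
    return records


def plan_changes(records: List[Record], old_block: ipaddress.IPv4Network,
                 new_block: ipaddress.IPv4Network) -> List[Tuple[str, str, str]]:
    """Step 8: every A record in the old block and the address it moves to,
    assuming a one-to-one renumbering that keeps the host offset."""
    changes = []
    for r in records:
        if r.rtype != "A":
            continue
        ip = ipaddress.ip_address(r.rdata)
        if ip in old_block:
            new_ip = new_block.network_address + (int(ip) - int(old_block.network_address))
            changes.append((r.name, str(ip), str(new_ip)))
    return changes


def apply_changes(records: List[Record], changes: List[Tuple[str, str, str]]) -> List[Record]:
    mapping = {(name, old): new for name, old, new in changes}
    return [r._replace(rdata=mapping.get((r.name, r.rdata), r.rdata)) for r in records]


def lower_ttl(records: List[Record], ttl: int = 900) -> List[Record]:
    """Step 9: shorten every TTL (15 minutes here) so caches expire quickly."""
    return [r._replace(ttl=ttl) for r in records]


def check_mail_rdns(records: List[Record], ptr_table: Dict[str, str]) -> List[str]:
    """Mail note: each MX target needs a forward A record whose address
    reverses (PTR) to the same host name. Returns a list of problems."""
    a_by_name = {r.name: r.rdata for r in records if r.rtype == "A"}
    problems = []
    for r in records:
        if r.rtype != "MX":
            continue
        host = r.rdata.split()[-1]
        addr = a_by_name.get(host)
        if addr is None:
            problems.append(f"{host}: no forward A record")
            continue
        ptr = ptr_table.get(addr)
        if ptr != host:
            problems.append(f"{host} -> {addr} reverses to {ptr!r}, expected {host!r}")
    return problems


def render_zone(records: List[Record]) -> str:
    """Zone listing to hand to the New ISP (Step 3 / Step 11 request)."""
    return "\n".join(f"{r.name}\t{r.ttl}\tIN\t{r.rtype}\t{r.rdata}" for r in records)


if __name__ == "__main__":
    old = parse_zone(OLD_ZONE)
    changes = plan_changes(old, OLD_BLOCK, NEW_BLOCK)
    new = lower_ttl(apply_changes(old, changes))
    print(render_zone(new))
    print("reverse DNS problems:", check_mail_rdns(new, NEW_PTR) or "none")
```

Running `check_mail_rdns` against the old records with the New ISP's PTR table reports the mail host as unresolvable in reverse, which is exactly the state a half-finished cutover leaves you in; the same check against the renumbered zone returns an empty list.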

Ergonomic computing suggestions


If you have been suffering with hand, wrist, thumb or upper arm discomfort related to computing and PDA use, and can't afford to quit using these devices altogether, here are some suggestions to try to reduce the discomfort.

1. Try to use a proper adjustable keyboard and mouse tray. We like the Humanscale keyboard tray product line, which are typically designed to mount under a desk surface and support a wide variety of adjustments - up and down, swivel left and right, and front and back tilt. They offer several different mechanisms and models, so it is best to consult Humanscale or one of their resellers to select the appropriate trays. This company has a complete line of Ergonomic products. See http://www.ergodirect.com/product_info.php?products_id=13635

2. Get a good ergonomic keyboard. We highly recommend the Goldtouch keyboard, made by Key Ovation. These keyboards are available online through a number of resellers such as Ergo Direct. The Microsoft Ergonomic keyboard is one of the better and less expensive alternatives.

3. For some people, a trackball is a superior alternative to the standard mouse. It has helped one of us considerably with hand and thumb issues. Our favorite is the Kensington Expert Mouse, p/n 64325 but this model may not suit everyone. You might also want to try out the Key Ovation mouse, from the makers of the Goldtouch keyboard.

4. Consider getting a gel palm or wrist support such as these: http://www.keyovation.com/c-18-palm-supports.aspx or http://www.ergodirect.com/product_info.php?products_id=14022

5. Make sure your monitor is situated at a comfortable viewing level. Having a wall-mounted or table-mounted LCD monitor works best, rather than a laptop monitor, and there are many ways that this can be mounted conveniently and still give you decent aesthetics and space saving. 22" LCD monitors are now selling for under $300, and are a good way to go. LCD swivel mounts arms from Peerless Industries offer a good solution for different size monitors and mounting situations. See http://www.peerlessindustries.com/dyn/Products/BrowseProducts.aspx/categoryID/195/customsearch/1

6. Read up on ergonomic suggestions. The Humanscale site has some good basic information here: http://www.humanscale.com/ergo_info/index.cfm

7. For Blackberry users, consider getting the new Blackberry Pearl (8100 model) or the new 8800 model. Both units have a center trackball, which we have found reduces thumb stress compared with the older style click wheel.

8. Get a good ergonomic chair.

Stay safe!

Back to Top

Offline File Sync and Network File Shares

Recently at a client we migrated file shares to a new dedicated file server (Windows Storage Server 2003 R2). After the migration, a few users were unable to map network drives successfully. The login script for all users consists of a net use command mapping to a UNC path, e.g. \\servername\sharename. This no longer worked, and when we ran net view \\fileservername at the command prompt on an affected machine we could see only the user's redirected folder share; none of the other shares were visible.

At first we thought this was a WINS or DNS issue, because we were able to map the shares successfully by using the server IP address, like so: \\192.168.1.25\sharename. But there was no evidence of a WINS or DNS problem: we double-checked the clients and the server, both were pointing to the correct WINS and DNS hosts, and both hosts were up and operational. So we opened a case with the crack team at Microsoft tech support, and after a few hours of troubleshooting and escalation to tier 2 they told us that this issue is caused by a corrupt Offline Files database on the user machine. This Microsoft KB article describes how to reset (re-initialize) the Offline Files cache and database: http://support.microsoft.com/kb/230738

Once we reset the Offline Files cache and restarted the machine, the share mapping worked once again. File this under strange but true...
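As an added illustration (not part of the original post), the following PowerShell reproduces the troubleshooting logic above and applies the KB 230738 fix only when the symptoms match: share reachable by address but not by name, while the name still resolves to the right address. Server name, address and share are placeholders, it assumes an XP/2003-era client like the ones in the post, and it must run from an elevated prompt. The registry value it writes is the one KB 230738 describes, FormatDatabase under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\NetCache.

```powershell
# Added example, not code from the original post. Placeholders: $Server, $ServerIP, $Share.
param(
    [string]$Server   = 'fileserver',
    [string]$ServerIP = '192.168.1.25',
    [string]$Share    = 'sharename'
)

# 1. The symptom from the post: does the share open by name? by address?
$byName = Test-Path -Path "\\$Server\$Share"
$byIp   = Test-Path -Path "\\$ServerIP\$Share"

# 2. Name resolution check, so DNS/WINS can be ruled in or out explicitly.
$resolved = @()
try {
    $resolved = [System.Net.Dns]::GetHostAddresses($Server) |
                ForEach-Object { $_.IPAddressToString }
} catch { }
$nameResolvesCorrectly = $resolved -contains $ServerIP

"By name: $byName   By IP: $byIp   '$Server' resolves to: $($resolved -join ', ')"

if ($byIp -and -not $byName -and $nameResolvesCorrectly) {
    # Name resolution is fine, so the client-side Offline Files (CSC) database is
    # the next suspect. FormatDatabase=1 makes the Offline Files service wipe and
    # rebuild its cache on the next boot; the value is cleared once that has happened.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\NetCache'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'FormatDatabase' -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Warning "FormatDatabase set; reboot $env:COMPUTERNAME to rebuild the Offline Files cache."
} elseif (-not $nameResolvesCorrectly) {
    Write-Warning "'$Server' does not resolve to $ServerIP - fix DNS/WINS before touching the cache."
} else {
    'Both paths behave the same; the Offline Files cache is not the problem.'
}
```

The cache rebuild throws away any offline edits that were never synchronised back to the server, so have the user run a manual synchronisation first, or copy out anything that matters from the Offline Files folder, before the reboot.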

Back to Top

PFDAVAdmin Tool for administering Exchange

Administering Exchange permissions for private and public folders can be a nightmare to stay on top of, especially in larger organizations with complex permission structures. I've recently been playing with a free little tool from Microsoft called PFDAVAdmin, which lets you view folder permissions across the mailboxes and public folders in the organization from one place and change those permissions on the fly.

The tool is very rudimentary but it gets the job done. Here are some of the things it can do (from PFDAVAdmin user guide):

· Modify folder permissions on folders in the MAPI tree by using an interface similar to Exchange System Manager (ESM).

· Propagate the addition, replacement, or removal of one or more access control entries (ACEs) in the public folder tree without overwriting the entire access control list (ACL).

· Fix non-canonical (does not follow standards) and otherwise damaged discretionary access control lists (DACLs) on folders in bulk.

· Export and import folder permissions on public folders and mailboxes.

· Export and import replica lists.

· Propagate changes to the replica list in the tree without overwriting.

· Look for and remove item-level permissions in bulk.

· Look for event registrations.

· Exceed the limits imposed by the ESM user interface for values on the Limits tab.

· Display and modify folder properties in bulk.

· Modify folder permissions in bulk selectively on folders by creating filters (New in version 2.6).

· Modify the permissions of the Calendar folder in bulk (New in version 2.6).

Give it a google and check it out!

Back to Top

Juniper IVE support for IE7 and Vista

Juniper has released official support for IE7 in the latest builds of IVE OS 5.3 and 5.4; however, support for Vista is not available in any release build. Vista support will come with the release of IVE OS 5.5, due out most likely in the April 2007 timeframe.

The beta program for IVE OS 5.5 has officially closed as of mid-March.

Back to Top

Security patch released for Juniper Secure Access (SA) and Universal Access Client (UAC) products

Juniper released an update to its IVE OS and UAC firmware to address a potential security issue related to client ActiveX controls.  We recommend upgrading to one of the following releases:

  • IVE 5.3R5.3
  • IVE 5.2R5.2
  • IVE 5.1R8.2
  • IVE 5.0R6.3
  • UAC 1.2

Back to Top

    Useful Juniper ScreenOS undocumented command lets you view system configuration limits

    With ScreenOS 4.x and 5.x, you can use the command get sys-cfg to figure out the configuration limits of the appliance.

    You can combine the get sys-cfg command with the | include (pipe symbol followed by the word include) option to locate a specific parameter in question. For example the command

    get sys-cfg | include zone

    will show the zone limits of the appliance.

    get sys-cfg | include vip

    will show the Virtual IP limits on the device.

    Back to Top

    Group Policy, Folder Redirection and iTunes Madness!

    Recently, we implemented Group Policy for one of our clients. At the same time we used Group Policy to move users' redirected folders from one server share to another. Generally, things went well: for most users Group Policy enabled folder redirection, moved the user folder from the old share to the new share and deleted the old folder after the move completed successfully. Then I noticed that some user folders were being recreated on the old share! To figure out what was causing this we restricted permissions on the old share so users could no longer create new folders, then deleted all of the folders that had been generated again.

    After some investigation we determined that the affected users were running iTunes, and iTunes needs the user's My Music folder to exist in order to function, even if the user's music is not stored there. So after the folder was moved, iTunes recreated it on the old share the next time it was launched. Somehow Group Policy did not properly update the local computer's registry to reflect the move.

    To ultimately fix this problem, we had to make two changes to the registry:

    In
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    right-click the 'My Music' value, choose Modify, and enter the UNC path of the redirected My Music folder, e.g. \\Server\Share\UserFolder\My Music

    Make the same change to the 'My Music' value in this location as well: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

    We are still trying to understand more on how Group Policy treats 'shell' folders such as 'My Music'. We will update you if we find an authoritative answer! Kristine.
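Here is the fix above as a script, added as an example and not taken from the original post. It is meant to run in the affected user's own session, since both values live under HKEY_CURRENT_USER; the share path is a placeholder. One detail worth knowing: folder redirection writes the authoritative location to User Shell Folders (a REG_EXPAND_SZ value), and Shell Folders is a cache that Explorer refreshes from it, but some applications, iTunes among them, read Shell Folders directly, which is why both have to agree.

```powershell
# Added example, not code from the original post. $RedirectedRoot is a placeholder.
param(
    [string]$RedirectedRoot = '\\Server\Share\UserFolder'
)
$target    = Join-Path $RedirectedRoot 'My Music'
$userShell = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$shell     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'

# Show what the two values currently say; a mismatch between them is the iTunes symptom.
[pscustomobject]@{
    UserShellFolders = (Get-ItemProperty -Path $userShell -Name 'My Music' -ErrorAction SilentlyContinue).'My Music'
    ShellFolders     = (Get-ItemProperty -Path $shell     -Name 'My Music' -ErrorAction SilentlyContinue).'My Music'
}

# Make sure the redirected folder exists and the user can actually write to it before
# pointing the registry at it; otherwise iTunes will simply recreate it somewhere else.
if (-not (Test-Path -LiteralPath $target)) {
    New-Item -ItemType Directory -Path $target | Out-Null
}
try {
    $probe = Join-Path $target ".write-test-$PID"
    New-Item -ItemType File -Path $probe -ErrorAction Stop | Remove-Item
} catch {
    throw "User cannot write to $target; fix share/NTFS permissions before changing the registry."
}

# User Shell Folders is the authoritative (expandable) value; Shell Folders is the
# cached copy that some applications read directly. Set both so they agree.
New-ItemProperty -Path $userShell -Name 'My Music' -PropertyType ExpandString -Value $target -Force | Out-Null
New-ItemProperty -Path $shell     -Name 'My Music' -PropertyType String       -Value $target -Force | Out-Null

"Both 'My Music' values now point at $target; log off and back on so Explorer picks it up."
```

After the change, lock down the old share so that stray applications cannot recreate folders there, as the post did; that turns a silent data-placement problem into a visible access-denied error you can find in the logs.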

    Back to Top

    The ISC Bind Dig Tool (updated)

    While NSLOOKUP is included with most recent versions of the Microsoft Windows operating system, its use as a DNS utility is limited and "deprecated". Dig is much more powerful and simpler to use, and NSLOOKUP has a number of known problems. As the great programmer Daniel Bernstein says on his cr.yp.to website at http://cr.yp.to/djbdns/nslookup.html, "Do not use the ancient nslookup program. Whatever you're trying to do, there's a better way to do it. Even the BIND company, which maintains and distributes nslookup, says 'nslookup is deprecated and may be removed from future releases.'"

    The recommended DNS utility, Dig, is available for free as part of the full BIND DNS software distribution (for use with IPv4 only). There is no separate installer for the Dig tool itself -- not sure why, but this is evidently a decision made by ISC, the Internet Systems Consortium, Inc. -- but by extracting a specific group of files from the full BIND download for Windows you can make full use of this utility on Windows XP/Vista/Server 2003/Server 2008 without installing a full-blown BIND server.

    A good link for more details on the use of Dig can be found at http://www.madboa.com/geek/dig/

    Step one for the Windows install is to go to https://www.isc.org/downloadables/11 and download the latest binary version of BIND for Windows. The latest version of BIND at the time of this posting was 9.4.3, available as a single Zip file. Using WinRAR or a comparable utility, extract the following files to an appropriate directory (such as c:\utilities\dig):

    host.exe

    dig.exe

    libdns.dll

    libeay32.dll

    libisc.dll

    libbind9.dll

    libisccfg.dll

    liblwres.dll

    dig.html (documentation)

    I would then recommend adding the dig directory to your Windows PATH.

    According to the BIND documentation it is no longer necessary to create a resolv.conf file on Windows, as the tools will look in the registry for the required nameserver information. This is not always the case, so if you wish to customize the DNS resolvers or are having issues using Dig, look at the readme.txt file in the BIND distribution for details on using this file.
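The extraction steps above as a script, added here as an example and not part of the original post. It copies only the listed files out of the BIND zip, adds the directory to the user's PATH and then runs a few dig queries of the kind nslookup handles poorly. $Zip is a placeholder path for the downloaded archive; example.com, ns1.example.com and 192.0.2.10 are placeholders too; Expand-Archive needs PowerShell 5 or later.

```powershell
# Added example, not code from the original post. $Zip and the query targets are placeholders.
param(
    [string]$Zip    = "$env:USERPROFILE\Downloads\BIND9.4.3.zip",
    [string]$DigDir = 'C:\utilities\dig'
)
$wanted = 'dig.exe','host.exe','libdns.dll','libeay32.dll','libisc.dll',
          'libbind9.dll','libisccfg.dll','liblwres.dll','dig.html'

$tmp = Join-Path $env:TEMP ("bind-" + [guid]::NewGuid())
Expand-Archive -LiteralPath $Zip -DestinationPath $tmp -Force
New-Item -ItemType Directory -Path $DigDir -Force | Out-Null

# Copy just the pieces dig needs. named.exe and the service installer stay out, so
# nothing ends up listening on port 53 by accident.
foreach ($name in $wanted) {
    $src = Get-ChildItem -Path $tmp -Recurse -Filter $name | Select-Object -First 1
    if (-not $src) { throw "$name not found in $Zip; check the BIND version you downloaded" }
    Copy-Item -LiteralPath $src.FullName -Destination $DigDir
}
Remove-Item -LiteralPath $tmp -Recurse -Force

# Persist the PATH change for this user (new consoles pick it up) and apply it now.
$userPath = [Environment]::GetEnvironmentVariable('Path', 'User')
if (($userPath -split ';') -notcontains $DigDir) {
    [Environment]::SetEnvironmentVariable('Path', "$userPath;$DigDir", 'User')
}
$env:Path += ";$DigDir"

# Typical queries. The @server argument is quoted because PowerShell treats a bare @ as splatting.
& dig example.com MX +short                  # mail exchangers, preference value first
& dig '@8.8.8.8' example.com A +short        # ask a specific resolver instead of the system one
& dig -x 192.0.2.10 +short                   # reverse lookup
& dig example.com NS +trace                  # walk the delegation chain from the root servers
& dig '@ns1.example.com' example.com AXFR    # zone-transfer test against your own authoritative server
```

For the last query, "Transfer failed" or a REFUSED status from your own nameserver is the correct result; if it hands back the whole zone, anyone on the Internet can enumerate your hosts, and the server's allow-transfer configuration needs fixing.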

    Back to Top

    Notepad++, a better text editor

    A better Windows text file editor -- Notepad++

    You don't need to suffer with WordPad any longer, thanks to the developers of Notepad++. This fully featured text editor is available for free from the wonderful world of SourceForge, at http://notepad-plus.sourceforge.net.


    Key features include

    - Syntax highlighting
    - Autocompletion
    - Multi-document editing
    - Multiple views
    - Robust handling of larger files

    and much more

    Back to Top

    Outlook: Fixing error that won't allow launch of Out of Office Assistant

    I've run into this issue with clients a couple of times now so I just thought I'd drop a line about it.

    Problem: User goes out of town and sets up her Out of Office reply using Outlook Out of Office Assistant. When she comes back she wants to disable the auto reply but gets the following error when trying to launch it:

    "The command is not available.  See the program documentation about how to use this extension."

    Solution: Go under the Help menu in Outlook and select 'About Microsoft Office Outlook'. Click on the button called ‘Disabled Items’. The dll for the OOA is listed here. Highlight it and click enable, then click ok. The Out of Office Assistant should now be accessible.

    File this under 'Huh, that's weird, but hey it works!'

    Back to Top

    Did you know...

    Back to Top

    Known Issue - Trend AV on 5GT units

    We've encountered a problem on a few NetScreen-5GTs still running Trend AV. If the pattern file grows larger than 10 MB (which it has as of July 19th), the device will not download it, and it logs the error message "SCAN-MGR: AV pattern file size is too large (10277821 bytes)". The problem was quickly resolved by reducing the size of the pattern file. Note that while the download is being rejected the unit keeps scanning with whatever pattern file it last loaded, so check the pattern version on affected units rather than assuming they are current. As a general rule we recommend that our customers move over to the Juniper Kaspersky AV engine at the next renewal cycle, as the Kaspersky engine offers a number of improvements, particularly in the frequency of updates and the extended spyware/malware detection.

    Back to Top

    Juniper Secure Access security advisory

    When using Internet Explorer to access the IVE device, an ActiveX control is automatically downloaded to perform various tasks. This ActiveX control can be invoked from a web page on a malicious website using the standard HTML "object" tag. The "object" tag names the control to be loaded (in this case the IVE ActiveX control) and provides a list of parameters and values that get passed to it.

    A stack buffer overflow exists in the way the IVE ActiveX control parses those parameters, which could lead to remote code execution in the context of the user running Internet Explorer.

    Detailed information can be found at the following URL (login required):

    http://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2006-03-013&actionBtn=Search

    If you are unable to log in, please contact Juniper customer service or Synapse Networks to review how you can access the Juniper support site.

    Back to Top

    Failover your email too!


    NetScreen devices running a current ScreenOS release can do what is called automatic failover. It works like this: you have two ISPs set up on two different untrust interfaces on the device. The NetScreen can run constant ping tests (interface monitoring, or "track IP") against the primary untrust interface, which means it is continually checking that the link is alive. When that ping test fails a configured number of times within a configured interval, the NetScreen automatically fails over to the secondary untrust interface, i.e. the backup ISP line, to maintain a constant connection to the Internet. It fails back to the primary once the ping tests succeed again.

    This is quite a nifty feature with one major drawback: if you host your email in-house and your mail server has a MIP assigned to the primary ISP, it will no longer be reachable after a failover, because the secondary ISP has completely different public IP addresses. The DNS record for that server points at the primary address, so while that line is down the name still resolves, but to an address nobody can reach.

    I've discovered a rather clever workaround for this problem for those of you with Exchange email servers. Create another SMTP virtual server for the second ISP in Exchange! You then create a MIP on the secondary untrust interface with a public IP address from the backup ISP's netblock, and a policy allowing SMTP from untrust to trust to that MIP as well. The key to making this work is DNS. You must maintain two MX records, one per MIP, so that for example mail1.mycompany.com and mail2.mycompany.com resolve to the ISP #1 and ISP #2 public IPs respectively. Each record carries a preference number indicating which is preferred; sending mail servers try the lowest preference first and fall back to the other when it is unreachable. For some mini load balancing you can give both records the same preference, so mail goes to both.

    I think this is a pretty neat solution, and may work for some who don't have the budget for dedicated load balancing devices...
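To verify the dual-MX design from the outside, here is an added PowerShell check that is not part of the original post. It resolves the MX records, orders them the way a sending mail server does (RFC 5321: lowest preference first, equal preferences in random order), confirms each host answers on TCP 25, and warns if both hosts land on the same address, which would mean there is no second path at all. $Domain is a placeholder; Resolve-DnsName and Test-NetConnection exist on Windows 8 / Server 2012 and later; run it from a network outside both ISPs so the test path matches what a remote sender sees.

```powershell
# Added example, not code from the original post. $Domain is a placeholder.
param([string]$Domain = 'mycompany.com')

$mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
      Where-Object { $_.Type -eq 'MX' }
if (-not $mx) { throw "No MX records published for $Domain" }

# RFC 5321 ordering: ascending preference; records that share a preference value are
# shuffled, which is exactly the "mini load balancing" the post describes.
$ordered = $mx | Group-Object -Property Preference |
           Sort-Object { [int]$_.Name } |
           ForEach-Object { $_.Group | Sort-Object { Get-Random } }

$results = foreach ($rec in $ordered) {
    $mxHost = $rec.NameExchange           # not $host, which PowerShell reserves
    $addr   = Resolve-DnsName -Name $mxHost -Type A -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
    $smtp   = Test-NetConnection -ComputerName $mxHost -Port 25 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Preference = $rec.Preference
        Host       = $mxHost
        IP         = $addr.IPAddress
        Port25Open = $smtp.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# Failover only helps if the two MX hosts really sit on different ISP address space.
$distinctIPs = ($results | Select-Object -ExpandProperty IP -Unique).Count
if ($distinctIPs -lt 2) {
    Write-Warning 'MX hosts resolve to fewer than two distinct addresses; there is no second inbound path.'
}
if ($results | Where-Object { -not $_.Port25Open }) {
    Write-Warning 'At least one MX host is not accepting TCP 25; check that MIP and its untrust-to-trust SMTP policy.'
}
```

Two things to keep in mind with this design. After a failover, outbound mail leaves from the backup ISP's address, so that address needs a PTR record and a place in the domain's SPF record or the mail will be treated as suspect. And a secondary MX is a favourite target for spammers precisely because it often bypasses filtering, so the second SMTP virtual server must carry the same relay restrictions and anti-spam controls as the first.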

    Back to Top

    Shadow the Console session!


    To support our clients remotely, we use many different methods to access their computers. One of these is tried-and-true Remote Desktop. It's a useful tool when you have VPN access and it is very responsive, but you cannot use it if you want a shared, interactive session with the user, say to demonstrate something or to watch the user's behavior while troubleshooting a problem.

    As I was researching another issue on Microsoft's technet, I came across this snippet from one of their knowledgebase articles on how you can initiate an interactive session with Remote Desktop! I thought it was cool so I thought I'd share...


    How to Shadow the Console Session
    To shadow the console session, first open a Remote Desktop connection to the Windows Server 2003-based server from another computer. By default, the Windows Server 2003 Remote Desktop Connection utility is installed in all versions of Windows Server 2003. You can either use this or the Mstsc command-line utility that is described in the "How to Connect to the Console Session" section, but omit the -console switch. After you open this session, start a command prompt in the session and type the following command to start the shadow session to the console:
    shadow 0
    After you enter and send this command, you receive the following message:
    Your session may appear frozen while the remote control approval is being negotiated. Please wait...
    In the console session on the server, you receive the following message:
    domain\username is requesting to control your session remotely.
    Do you accept the request?
    If the user of the console session on the server clicks YES, you are automatically connected to the console session on the remote Windows Server 2003-based server. If the user on the server's console clicks NO or does not respond, you receive the following error message at the command prompt on the remote computer:
    Remote control failed. Error code 7044
    Error [7044]:The request to control another session remotely was denied.
    To disconnect the shadow session from the remote side, press CTRL + * (on the numeric keypad), and you are returned to the original session that you established to the Windows Server 2003-based server.

    If you are logged on to the console of the server that is running Terminal Services, if you try to shadow another user's session from the console of the computer, you receive the following error message:
    Your session may appear frozen while the remote control approval is being negotiated. Please wait...
    Remote Control Failed. Error Code 7050.
    Error [7050]:The requested session cannot be controlled remotely.
    This may be because the session is disconnected or does not have a user logged on. Also, you cannot control a session remotely from the system console and you cannot remote control your own current session.
    If the Windows Server 2003-based server is not configured to permit remote control, you receive the following error message:
    Remote control failed. Error code 7051
    Error [7051]: The requested session is not configured to allow Remote Control.
    To configure the Windows Server 2003-based server to permit remote control, follow these steps:  
     1. Open the Group Policy snap-in (Gpedit.msc).
     2. In the left pane, under the Computer Configuration branch, expand the Administrative Templates branch.
     3. Expand the Windows Components branch.
     4. Click the Terminal Services folder.
     5. In the right pane, double-click Sets rules for remote control of Terminal Services user sessions.
     6. On the Setting tab, click Enabled.
     7. In the Options box, click Full Control with users' permission, and then click OK.
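The same procedure as PowerShell, added here as an example rather than taken from the KB article. It writes the registry value that the "Sets rules for remote control" policy sets, finds the console session's ID from query session instead of assuming it is 0, and issues the shadow request. $Server is a placeholder. Run it from a Remote Desktop session on the server, not at the console, for the reason the KB text gives.

```powershell
# Added example, not code from the KB article. $Server is a placeholder.
param([string]$Server = 'server01')

# Policy values for Shadow: 0 = disabled, 1 = full control with the user's permission,
# 2 = full control without permission, 3 = view with permission, 4 = view without permission.
# Stick to 1 (or 3): silent control of a user's session (2 or 4) is hard to justify in an audit.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
New-ItemProperty -Path $policyKey -Name 'Shadow' -PropertyType DWord -Value 1 -Force | Out-Null

# Locate the console session. It is session 0 on Windows Server 2003, as the KB text
# assumes, but not on later versions, so read it from query session.
$consoleId = (query session /server:$Server 2>$null) |
    Where-Object { $_ -match '^\s*>?console\s+' } |
    ForEach-Object { ($_ -split '\s+' | Where-Object { $_ -match '^\d+$' })[0] } |
    Select-Object -First 1
if (-not $consoleId) { throw "No console session found on $Server" }

"Requesting control of console session $consoleId on $Server; the console user must click Yes."
shadow $consoleId /server:$Server
# Ctrl + * on the numeric keypad ends the shadow and returns you to your own session.
```

If the Group Policy setting above is applied to the server it writes this same Shadow value and takes precedence over a local edit, so use the GPO where one exists and keep the script for standalone machines.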

    Back to Top

    Licensing restrictions on Windows Storage Server 2003 R2

    Microsoft has provided a listing of specific licensing restrictions on the use of Windows Storage Server 2003 R2.  This listing is taken from the Microsoft document, "Microsoft Windows Storage Server 2003 R2 IT Pro White Paper". Each entry gives the precluded functionality, the specific examples or services blocked, and any notes or exceptions.

    Authentication Services
    Blocked: using a NAS appliance running Windows Storage Server 2003 R2 as a domain controller; making use of dcpromo.exe.

    Directory Services
    Blocked: Microsoft Active Directory.
    Note: the following Windows Server 2003 R2 components are not available on all Windows Storage Server 2003 R2 editions: Active Directory Application Mode (ADAM); Active Directory Federation Service (ADFS).

    Network Infrastructure Services
    Blocked: Routing and Remote Access Service (RRAS); Windows Internet Name Service (WINS).
    Exception: Dynamic Host Configuration Protocol (DHCP) functionality is permitted.

    Terminal Services
    Blocked: Windows Server 2003 Terminal Services.
    Exception: the limited extent necessary to administer Windows Storage Server 2003 R2 in "remote administration" mode is permitted.

    Network Load Balancing
    Blocked: Windows Server 2003 Network Load Balancing network driver.
    Notes: DFS-based, WAN-node failover is executable with NAS devices running Windows Storage Server 2003 R2; failover between clustered NAS devices running Windows Storage Server 2003 R2 is permitted.

    Enterprise Database Engines
    Blocked: Microsoft SQL Server.
    Exceptions: non-enterprise database engines that are licensed to support not more than twenty-five (25) concurrent users, such as Microsoft SQL Server Desktop Engine (MSDE), are permitted; enterprise database engines that are integrated in and operate only in support of the system utilities, server resource management, storage management software or similar software usable solely for administration, performance enhancement and/or preventive maintenance of the software or server are permitted.
    Note: Windows Storage Server 2003 R2 is permitted to store enterprise database software data files (for example, Microsoft SQL Server data files).

    Enterprise Mail, Messaging, and Team Collaboration Software
    Blocked: Exchange Server 2003 (Store.exe, Mad.exe, Setup.exe); Lotus Notes (Nserver.exe); SharePoint Portal Server (Setup.exe, Owstimer.exe).
    Exception: Windows SharePoint Services is permitted.
    Note: Windows Storage Server 2003 R2 is permitted to support storage and management of data files in connection with team collaboration software (for example, Microsoft Exchange data files).

    Line-of-business Applications
    Blocked: custom, third-party business software; Microsoft enterprise resource planning (ERP) solutions.

    Serving Web-based time management applications that address appointments, meetings, and other calendaring items
    Blocked: Microsoft Outlook Web Access Server.
    Back to Top

    Know your editions of Windows Storage Server 2003 R2

    Microsoft has introduced several versions of its new embedded operating system, Windows Storage Server 2003 R2.  All versions are sold only through OEM manufacturers (Dell, HP, others).   Buyer beware if you are unfamiliar with the different versions and purchase the Express edition with the intention of using print services or expanding your drive capacity later.

     Express Edition (1 CPU)

    • 32-bit and 64-bit versions available
    • Up to 2 disk drives
    • 1 NIC only
    • No print service
    • No CALs required

    Workgroup Edition (1 CPU)

    • 32-bit and 64-bit versions available
    • Up to 4 disk drives
    • Up to 2 NICs
    • Print service allowed
    • No CALs required

    Standard Edition (1-4 CPU)

    • 32-bit and 64-bit versions available
    • Unlimited number of disk drives
    • Unlimited NICs
    • Print service allowed
    • No CALs required

    Enterprise Edition (1-8 CPU)

    • 32-bit and 64-bit versions available
    • Unlimited number of disk drives
    • Unlimited NICs
    • Print service allowed
    • No CALs required

    Back to Top

    SSL VPN - tests show it can speed up VOIP performance

    Network World recently tested VOIP call quality over SSL VPN, comparing 10 different solutions in the process. Shockingly, in some instances, VOIP call quality over SSL VPN improved.

    Back to Top

    Juniper IDP and SSL VPN integration

    Coordinated Threat Control with Juniper's Secure Access SSL VPN and IDP Products
    (from Juniper IVE OS 5.3r1 release notes)

    Coordinated Threat Control technology enables Juniper's Secure Access SSL VPN and IDP appliances to tie the session identity of the SSL VPN with the threat detection capabilities of IDP to effectively identify, stop, and remediate both network and application-level threats within remote access traffic.  With this technology, when IDP detects a threat or traffic pattern that matches a predefined rule it can, in addition to blocking that threat, signal the Secure Access appliance to take actions on the endpoint including:
    -- terminating the user session
    -- disabling the user's account
    -- mapping the user into a quarantine role.

    Administrators can configure the quarantine role so that they can provide users with a lower level of access to resources and inform the user of why they have been quarantined and what they should do in order to remove themselves from the quarantined role. Administrators can take action on user sessions either manually by selecting an active user session and executing the desired action, or automatically by creating policies that will execute the desired actions as soon as a signal that matches the policy criteria is received from the IDP.

    Benefits

    Deploying Juniper's SSL VPN and IDP products provides unmatched, multiprotocol threat control capabilities for extended enterprise access deployments including
    -- detecting and protecting against sophisticated application layer threats (host and application vulnerabilities, worms, Trojan horses, and others), and providing deep visibility into application layer traffic;
    -- correlated threat information allows administrators to instantly identify users and correlate user and traffic information to provide critical information to mitigate security incidents.
    -- coordinated threat response gives administrators the ability to react to threats by not only blocking attacks before they reach their targets, but also by taking action against the remote access device and/or user that is the source of the attack.
    -- the combination of SA and IDP also provides unprecedented visibility and granular control over application usage 

    Requirements
    -- All Secure Access Products 1000 and above with Advanced license
    -- All IDP appliances with IDP 3.2R2 software

    Back to Top

    SSL VPN - dang, it's cool technology

    If you've ever had to setup a VPN connection for remote users, you know what a headache it can be. For the VPN to work, a client application needs to be installed and configured on the remote user's system, and testing can be a nightmare especially if the user is never in the office and you made one small mistake in the config. It's always fun telling the user over the phone to "change the phase one encryption algorithm from des to 3des!" and they say "Is that under the start menu?" This is where the beauty of SSL VPN - the client-less secure remote access solution really shines....

    Back to Top

    Fortinet and Juniper NetScreen client interop

    After having issues getting the NetScreen-Remote VPN client (actually a SafeNet product) to connect to Fortinet appliances, we did some further research and found that the problems relate to an incompatibility in the way the two vendors negotiate NAT Traversal (NAT-T). NAT-T was only standardized in RFC 3947 and RFC 3948 in January 2005, and many shipping implementations still follow one of the earlier Internet-Drafts, which differ in details such as the vendor ID payloads exchanged during IKE, so variations between vendors are to be expected. As of February 2006 this issue is still unresolved.

    Back to Top

    Synapse Networks - 21st Century Tech

    Welcome to the new home of Synapse Networks on the Web. I'm Kristine, a Network Engineer here at Synapse, and I along with Stuart will be posting regularly as a way to inform our clients as well as curious onlookers about technical topics we feel are important, interesting and perhaps somewhat useful in the areas of networking, security, industry news and possibly the occasional movie review! We are passionate people here at Synapse and we hope our new website will reflect our expertise, energy and sincerity about that which we hold dear - our clients, the spheres of networking and security and the forefront of technology in general.

    We hope this area will become a part of your regular web reading habits and your comments are always welcome!

    Back to Top