Archive for June 2008

SonicWALL NSA 2400 - SMB Firewall Appliance

SonicWALL NSA 3500
SonicWALL recently launched a new SMB Firewall Appliance - the NSA 2400. Pictured to the right is an NSA 3500 - the two look mostly similar and have the same number of ports (I couldn’t find a high-res image of the NSA 2400).

So far, we have mostly used ZyXEL’s ZyWALL products to serve our Small Business customers, however the ZyWALL Line wasn’t always very satisfying when moving to the upper end of the Small Business spectrum. Thus, we had a look at SonicWALL - I’ve been using them for quite some time.

There are a few things about SonicWALL that are different for people who are used to the low-end market (like the ZyXEL products).

  • You’ll need to purchase Software Maintenance in order to be able to download newer Firmware versions
  • The old SonicWALL Hardware Generations (TZ / PRO) have “Standard” and “Enhanced” Firmware images - the Standard versions are stripped down and less flexible - the NSA Models just have “Enhanced”
  • Registration on MySonicWall is mandatory

NSA 2400 GUI
One of the things fixed with the release of SonicOS 5.0 was the graphical user interface - the new GUI is completely revamped, and looks like something that belongs to the Year 2008. Other improvements include completely redesigned hardware that uses multi-core CPUs to provide real-time traffic analysis.

The NSA Series ship with basic Firewall/VPN features that are licensed as part of the base hardware. Additional features like Anti-Virus Scanning, Content Filtering, Anti-Spam, Intrusion Detection and Prevention all require extra expenses. This model is similar to what other UTM appliances like the ZyWALL 5 UTM use.

SonicWALL Global VPN Client is an IPsec-compatible VPN client that works pretty well. There is no 64-bit version yet, and it doesn’t work with other VPN Clients running on the same PC. If you do not want to use SonicWALL’s GVC, the SonicWALL also offers the ability to use L2TP and your operating system’s native VPN functionality. While L2TP connections are mostly unrestricted, the number of GVC Licenses can be pretty low (e.g. 10 for the NSA 2400).

One of the main advantages over the ZyWALL Line of products is the object-based configuration, and the ability to have multiple, Gigabit interfaces on the hardware - the NSA 2400 offers 6 Gigabit interfaces with the ability to use 802.1q VLANs to create even more logical interfaces. Even the low-end NSA 2400 can offer quite a lot of throughput (I’ve measured up to 30 Megabyte / s), which is important if you have Servers deployed in your DMZ.

Other cool features include the “SonicPoint” Management, which is basically the same as Symbol’s or Cisco’s Lightweight Wireless Access Points. This is a very cool feature in Smaller Businesses that do not want to buy separate Hardware to maintain their Wireless Infrastructure.

You can even access a Live Demo of the SonicWALL Web Interface to see for yourself.

Advantages

  • Very flexible configuration
  • Streamlined GUI with useful features like Packet Capturing and self updating Log views
  • Lightweight VPN Client and the ability to use Standard L2TP
  • Lightweight Access Point Deployment using the NSA as a base
  • LDAP Integration, preconfigured for Active Directory
  • 6 Gigabit Interfaces
  • High Performance

Disadvantages

  • High price of Hardware (List: 2700 CHF)
  • High price of mandatory service contracts for Firmware updates (List: 1300 CHF for 3Y 7×24 and HW Advance Replacement)
  • High price of UTM features licenses (List: Starting at 1700 CHF for 3Y AS/AV/IPS)
  • Incomplete user authentication solution (based on an Agent using WMI to query the logged-on user instead of using secure Kerberos authentication)
  • No redundant PSU or Fans to compensate for high hardware price (the NSA 7500 has redundant Fan/PSU)

IBM BladeCenter S - getting started with Blades in the SMB Market

BladeCenter S
Last Friday I received a new toy. An IBM BladeCenter S, with two HS21, one HS21 XM and a JS12 Blade.

The BladeCenter S

The BladeCenter S I received came with 10 500GB SATA Disks and two DSMs, four power supplies, an Advanced Management Module, a Server Connectivity Module and a SAS Connectivity Module. The power supplies use standard 230V type 23 plugs, which do require a little special installation, but much less so than industrial plugs used with the bigger BladeCenters.

The big point about the BladeCenter S is that it does not require an external SAN to provide Storage to the Blade - a SAS Switch that allows very flexible disk configurations is integrated. Configuration can be done using a web browser against the SAS Connectivity Web Interface, using SSH/Telnet to access the SAS Connectivity Commandline, or using a fully graphical interface using IBM’s Storage Configuration Manager. There are some predefined configurations, but none of them suited my configuration - creating new configurations using SCM is easy enough though.

The disks in the BladeCenter’s DSMs (Disk Storage Module) are hot swappable - currently, only 3.5″ DSMs are available, with a 2.5″ DSM in the pipeline. Most of the blades support one or two internal disks, but the problem here is that these disks are not hot swappable. Depending on your Blade loadout, 12 disks might not be enough. For example, the HS21 XM Blades only fit one internal disk, and running without RAID on the System partition seems pointless, so you would be using at least 6 disks (without hotspares) for a basic Exchange deployment.

The web interface on the AMM is nicely done, although it lacks a bit of flashiness. That’s not a requirement though, it does a very solid job at what it needs to do.

After powering up the BladeCenter S for the first time, I connected to it using a web browser and upgraded all the firmwares. There are quite a lot of them (AMM, SAS, Server Connectivity), but it all worked out flawlessly. Time to move on to the real course: the Blades.

The HS21 and the HS21 XM

Starting with the familiar first, I began with the HS21 Intel Blades. The two HS21 Blades both had a 2.66 GHz Quadcore and 4GB RAM, the HS21 XM Blade had a 2.5 GHz Quadcore and 9GB of RAM (more about that later).

When starting the first HS21 Blade, after configuring all the storage using SCM, it failed to POST its LSI Logic SAS/RAID Controller. I searched for the error message on the net, assuming that I screwed up the configuration. I didn’t find anything meaningful, so I tried to do what everyone else would do in this situation: Apply every Firmware update for the Blade I could find.

Of course it wasn’t as easy as I wanted it to be. The controller not POSTing was an endless loop, I couldn’t get the machine to start from the AMM virtual floppy drive. I used SCM to disconnect the storage (by disabling the Blade’s SAS port). Now, the blade booted flawlessly, indicating that I probably had a problem with my disks. When browsing the IBM website, it became obvious that only newer firmwares support SATA drives. After upgrading the SAS Firmware, I was able to boot the blade without disabling the Blade’s SAS port. Unfortunately, the onboard SAS controller only supports RAID level 1 and 10. This is probably owed to the fact that most blades are using SAN storage. IBM promised that there would be a SAS RAID adapter that supports other RAID levels - these are especially important for the cost-conscious SMB market.

I booted a Windows PE 2.0 using WDS, and was able to install Windows Server 2008 x64 without any issues.

The HS21 XM blade on the other hand complained when booted for the first time that its memory configuration was invalid - it only supports 2, 4 and 8 DIMM configurations - 6 DIMM configurations are not supported. I removed two 512MB modules and booted the Blade with 8GB - it worked flawlessly and without complaining.

The JS12

First, read this document about i on Blade. It explains everything better than I ever could.

The JS12 is a POWER6 based blade that is able to run IBM i. The first time I turned on the blade, all the HS21 blades (already running Windows Server 2008) crashed hard. When rebooting, they no longer found their drives. I turned off all the blades, disconnected the JS12’s SAS port and turned everything on again. The Intel blades booted, and after I was sure that they’re up and running again, I powered on the JS12 again. This time, no issue arose. I tried to reproduce the behaviour I’ve seen before, and the same thing happened again.

My current assumption is that the issues were caused by the SAS Controller which does not have a Firmware update yet, and can’t deal with the SATA drives located in the DSMs. Further investigation told me that there’s no firmware upgrade for the SAS Controller in the POWER6 blade, and that SATA drives are not supported when running IBM i on the blade anyway. I ordered 4 147GB SAS drives, disabled the SAS port on the blade, and tried booting the POWER6 blade again. It booted flawlessly again.

The next step was to install VIOS - this is a rather complicated multi-step process. First, you have to turn on “Serial over LAN” aka SOL, then log on to the AMM using SSH, connect to the POWER blade using serial passthrough and then boot the blade from the VIOS CD. The install is pretty self-explanatory, but takes forever. Expect 3 to 4 hours.

Next is connecting to the Integrated Virtualization Manager (IVM) running on the VIOS partition. The IVM is basically an HMC light minus the console functionality. The only way to get a console on the JS12 blade is using a LAN console (which can only run on consumer versions of Windows, and is not supported on most of the Blades).

I installed the latest VIOS patches (around 4GB) and enabled mirroring on the two 147GB SAS disks in the blade itself. The next step will be installing IBM i, for which I have to wait until I receive the ordered SAS Disks. Installing the patches also takes quite some time, around 30 minutes.

Preliminary Summary

The BladeCenter S is great. Yep, not everything ran flawlessly from the start, but nobody’s perfect from the beginning. The BladeCenter brings an innovative new perspective to the SMB market. The problems that IBM needs to address are the addition of 2.5″ DSMs (already in the works) and more capable RAID controllers (also in the works). A BladeCenter S with the ability to use around 20-40 disks could prove interesting.

The POWER6 Blade is interesting, and while VIOS adds complexity, it is as streamlined as possible. I’m interested in seeing IBM i running on the machine.

If you have any other questions about the BladeCenter S - or anything you would like to see in detail, post a comment. I’ll try to figure it out.

70-652 - Windows Server Virtualization

I’m at the Digicomp testing center right now and waiting for my colleague to finish the exam too.

In general, my impression was that the exam was pretty solid but certainly “Enterprise Heavy” in focus. There were a lot of questions regarding appropriate configurations for failover clustering, and also several pieces of SCVMM 2008 (the latter though were never hard - anyone who has toyed with SCVMM and browsed through the main functionality should be able to answer them).

I’ve seen a few questions that weren’t worded 100% precisely, but that can always happen - the quality was generally high.

Other areas that were featured heavily:

  • Clusters (as mentioned above)
  • Snapshots - especially pay close attention to how Snapshots can be reverted, reused, etc. Snapshots can also be used in deployment scenarios
  • Integration between SCOM and SCVMM
  • Disk configuration - the available options for VHD files, their advantages and disadvantages, the usage of physical disks from the host and of course the use of iSCSI disks that are directly attached in the VM
  • Hardware requirements and configuration requirements when setting up Hyper-V - pay close attention to how you configure the Windows Bootloader, and what necessary steps need to be taken when enabling hardware assisted virtualization in the BIOS
  • Proper VM hardware configuration - remember which controllers in Hyper-V are bootable and which are not. Also, think about very old legacy applications that might have problems with newer CPU features available on modern CPUs and about the implications of running an OS that does not support synthetic hardware
  • Network configuration - pay close attention to bigger scenarios involving the cluster heartbeat link, iSCSI connections from the host, iSCSI connections from the VMs themselves, Quorum disks in cluster scenarios. Also, remember the difference between internal and private network interfaces

Did I pass? I’m not sure. There were many cluster questions, and I never had much contact with those since I primarily work with Small Business customers.

So if you intend to go at this exam, make sure you’ve toyed around with SCVMM (SCOM knowledge not necessary, just look up how these two can be integrated). Also, make sure you’ve set up a Hyper-V cluster at least once. You can emulate an iSCSI SAN by using an open source appliance like FreeNAS that can export disks using iSCSI. None of the questions I’ve seen seemed “hard” to me, but I was guessing at a few because I didn’t know about the topic.

Good luck!

Prometric customer service is actually fast!

So yesterday I ranted about being unable to register for exam 70-652, and not getting any help from Prometric.

I have to remedy that - when I checked my email this morning, I already got notice from Prometric asking for my MCP and Testing ID - I replied quickly, and got an answer back in just a few minutes. This is good!

I’ll be going this Friday and see how it was.

Exam 70-652

Beta for 70-652 - TS: Windows Server Virtualization is out

I received this nice mail from Microsoft Learning:

You are invited to take beta exam 70-652: TS: Windows Server Virtualization, Configuring. You were specifically chosen to participate in this beta because of your current Microsoft Certification status or previous participation with Microsoft Learning. If you pass the beta exam, the exam credit will be added to your transcript and you will not need to take the exam in its released form. The 71-xxx identifier is used for registering for beta versions of MCP exams, when the exam is released in its final form the 70-xxx identifier is used for registration.

By participating in beta exams, you have the opportunity to provide the Microsoft Certification program with feedback about exam content, which is integral to development of exams in their released version. We depend on the contributions of experienced IT professionals and developers as we continually improve exam content and maintain the value of Microsoft certifications.

70-652: TS: Windows Server Virtualization, Configuring counts as credit towards the following certification(s).
• TS: Windows Server Virtualization, Configuration

So I tried to sign up for the exam. But I wasn’t even able to log on to my Prometric account.

Got the following error message:

Duplicate emails. Please call customer service.

So, I tried calling customer service. It’s a toll free Swiss number in a call center located at some other part of the earth. Unfortunately, I wasn’t even able to place a call:

The number you’re calling is currently unavailable. Please check the number and dial again

So I mailed Prometric support and I’m hoping for an answer now.

If Prometric won’t fix it, at least I can ask Helmer what was in the exam. If you have a working Prometric account, you can get the invite code for the exam from Trika’s Blog.

Update: Prometric fixed the problem quickly