Archive for the ‘Networking’ Category.

Cablecom hispeed business blocks GRE packets

This weekend, my plan was to upgrade our internet connection from an aging ADSL line to a new ADSL2+ line from Cablecom. At the same time, I also replaced our aging, self-built Linux firewall/reverse proxy/etc. with a SonicWALL NSA3500.

Up until now, we’ve been using PPTP for our VPN needs. PPTP is easy and painless to set up, but it can cause several problems on customer sites because it needs GRE. Many overzealous firewalls block GRE.

In the future, we intend to use SonicWALL’s Global VPN Client, which uses IPsec with NAT traversal over UDP. The SonicWALL GVC solution can also plug directly into Active Directory for central authentication.

I intended to keep PPTP running for some time after the migration, in order to ease the transition. But as it looks now, Cablecom blocks OUTBOUND GRE packets. Mighty strange, because inbound GRE packets work.

Here’s how this looks in tcpdump:

10:58:13.927888 IP 77.59.216.227 > 194.88.212.200: off 0x5858 [|gre]
10:58:13.947131 IP 77.59.216.225 > 77.59.216.227: icmp 52: host 194.88.212.200 unreachable

.225 is the Cablecom CPE, and .227 is the Linux machine running the PPTP server.

I’ve already opened a support case with Cablecom, in the hope of having this issue sorted out quickly. So far, I haven’t heard back from them, even though I reported the issue almost a day ago. It’s not like we pay 180 CHF a month for 24/7 support.

Update: Cablecom was able to resolve the issue today. Apparently, it was a config issue on the router.
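To make a drop like the one above stand out without reading every line, here is a small check, added here and not part of the original post, that walks tcpdump output in the shape shown above and pairs each outbound GRE packet with the ICMP host-unreachable the next hop sends back. The sample capture is constructed: the first two lines are the ones from the post, the rest are made up to show the inbound direction and a repeat of the drop.

```python
import re
from collections import Counter

# Constructed sample in the shape tcpdump printed above. Lines 1 and 2 are
# the ones from the post; the others are invented for illustration.
SAMPLE = """\
10:58:13.927888 IP 77.59.216.227 > 194.88.212.200: off 0x5858 [|gre]
10:58:13.947131 IP 77.59.216.225 > 77.59.216.227: icmp 52: host 194.88.212.200 unreachable
10:58:14.102000 IP 194.88.212.200 > 77.59.216.227: off 0x5858 [|gre]
10:58:15.001000 IP 77.59.216.227 > 194.88.212.200: off 0x5858 [|gre]
10:58:15.021000 IP 77.59.216.225 > 77.59.216.227: icmp 52: host 194.88.212.200 unreachable
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
ICMP_RE = re.compile(r"^icmp \d+: host (?P<host>\S+) unreachable$")
GRE_RE = re.compile(r"\bgre", re.IGNORECASE)   # matches "[|gre]" and "GREv1"


def parse_ts(ts: str) -> float:
    """HH:MM:SS.ffffff -> seconds since midnight (enough for a short capture)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def analyze(lines, local_ip: str, window: float = 1.0) -> dict:
    """Count GRE in each direction and pair every outbound GRE packet with an
    ICMP 'host unreachable' that comes back within `window` seconds. A drop is
    attributed to the ICMP sender, i.e. the hop that refused to forward it."""
    pending = {}        # (local, remote) -> timestamp of the last unanswered GRE
    stats = {"gre_out": 0, "gre_in": 0, "dropped": 0, "reporters": Counter()}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, rest = parse_ts(m["ts"]), m["src"], m["dst"], m["rest"]
        icmp = ICMP_RE.match(rest)
        if icmp:
            # the ICMP error is addressed to our sender and names the remote
            sent = pending.pop((dst, icmp["host"]), None)
            if sent is not None and ts - sent <= window:
                stats["dropped"] += 1
                stats["reporters"][src] += 1
        elif GRE_RE.search(rest):
            if src == local_ip:
                stats["gre_out"] += 1
                pending[(src, dst)] = ts
            elif dst == local_ip:
                stats["gre_in"] += 1
    return stats


if __name__ == "__main__":
    r = analyze(SAMPLE.splitlines(), local_ip="77.59.216.227")
    print(f"GRE out: {r['gre_out']}, in: {r['gre_in']}, dropped: {r['dropped']}")
    for hop, n in r["reporters"].most_common():
        print(f"  {n} x host unreachable from {hop}")
```

On a live capture, feed it `tcpdump -n -l 'proto gre or icmp'` output via stdin instead of SAMPLE; a non-zero "dropped" count with all reports from the CPE address is the signature of the upstream block described above.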

Consumer broadband access in Switzerland - My story

Nine years ago, back in 1999, I purchased my first broadband access. A company then called Swissonline (now part of Cablecom) offered 512kbit/128kbit access over the Rediffusion (now part of Cablecom) TV network. I was 15 back then, and the 80 CHF it cost per month was a heck of a lot of money. But I still thought it was a good choice to invest it.

IP addresses issued back then were semi-static; they stayed the same for months. I started hosting my own domain on it (that was in 2000), using a Slackware-based server. It was interesting, and I learned a lot. However, I soon grew dissatisfied with the semi-static IP addresses and looked for a way to get a static IP address. The offering from my cable provider back then was just too expensive.

In 2002, I switched to Init7 using ADSL. I finally had a /29 subnet to do experiments on, and had a whole lot of servers at home for experimenting purposes. It worked well. And at just 99 CHF, it wasn’t that expensive. However, I also had to pay 43 CHF per month for an ISDN connection. I still lived with my parents back then, so that didn’t factor into my costs directly. This changed, though.

In 2005, I moved from St. Gallen to Horgen. Moving the ADSL line was painless, and I was online the same day I moved into my new apartment. Everything was well. At the same time, I purchased an HP DL140 to handle my internet server needs and placed it into a colocated rack, eliminating my need for static IP addresses at home. I still had the same ADSL line, with ISDN, because I didn’t really think about downgrading it; who knows, maybe I could use the static IP addresses once more.

ADSL speeds also improved during that time: in 2002 it was 512kbit, in 2006 the offering was 6mbit. However, at my apartment I was only able to get 4mbit.

I hoped that we’d get ADSL2 just like Germany within a few months, but even in 2008 I was still stuck with just 4mbit. I wasn’t impressed, so I thought about upgrading to VDSL. However, my apartment’s infrastructure was unfit for VDSL and would have needed to be rebuilt. My landlord didn’t really consider that, so I looked at alternatives.

Cablecom Hispeed launched a new 25mbit offer for 75 CHF on January 15th. I was impressed: I currently paid 99 CHF for the ADSL link and 43 CHF for the ISDN link, just for 4mbit of broadband with static IP addresses. I didn’t think long, and I switched to the cable offering. Yesterday, I received the new cable modem and unplugged my ADSL infrastructure.

The 25mbit is really a best-effort value; the best I clocked on a download was 18.4mbit, but that’s still a lot more than 4mbit. Also, the new 2mbit upload speed comes in handy when uploading Linux distributions on quota trackers.

Office Communication Server 2007 for a Small Business?

So I’ve been playing with Office Communication Server 2007 to pass the time. Thanks to the Microsoft Partner Licensing Program, we can use this software internally, in production, without paying anything.

After playing with it in VMs for a few days, I decided to deploy it internally. Of course, the current deployment is not very integrated: our PBX is years old, so we have no chance of getting any decent sort of integration, and we’re not yet on Exchange 2007 (though this is planned). As such, I didn’t expect too much usefulness out of it. Boy, was I wrong.

OCS 2007 is several products in one, and it has a few drawbacks in a small business deployment (because it was designed for bigger environments). The price of the product isn’t prohibitive for a small business: 1500 CHF for the server and 100 CHF per CAL (for the Standard versions; the Enterprise versions are more expensive).

So, what features can one expect from OCS2007?

Services

Instant Messaging

One of the OCS 2007 functions is an internal instant messaging server, with all the standard features you probably already know from ICQ, MSN et al. This part could easily be provided by e.g. an internal Jabber server and a Windows Jabber client like Pidgin. So why use OCS 2007 for instant messaging? The reason is simple: integration. The server software integrates into your Active Directory environment. You extend the AD schema, and all the user information is stored directly in Active Directory, with no need to maintain yet another user database. While that’s an advantage, it’s not much of a selling point (because the CEO usually doesn’t care if you need 3 more minutes to add a user).

[Screenshot: OCS 2007 Integration]
So let’s talk about integration on the client. After installing Office Communicator (the IM/VoIP client for OCS) on the client, you will notice full IM integration into Outlook: you see the status of all the recipients and senders of a mail. This is a very nice feature, because it offers you information at a glance, without having to open the IM GUI to see whether someone is available for a quick follow-up or not. But it gets better: this integration also works in SharePoint Services 3.0 and MOSS 2007. Also, the Unified Messaging part of Exchange Server 2007 integrates nicely into OCS 2007. You can check your voicemail using OCS 2007, with a fully graphical interface (similar to how the iPhone handles its voicemail).

Besides the ability for instant messaging, there is another very important feature, at least in our company: availability and presence. We have an HQ and a branch office, and our HQ is split over three floors. So usually it’s not easy to tell whether someone is at his workplace or not. While Outlook’s calendar helps to establish the general whereabouts of a person, it’s not at-a-glance, and it doesn’t help if the person just isn’t at his desk (for whatever reason).

Office Communicator sets your presence to away the instant you lock your machine, which people do when they walk away from their desk. As such, you can tell whether someone is currently working at his desk or not. This is very cool, and helps to save time on unnecessary phone calls that no one answers.

There’s also a web client, Office Communicator Web Access. At first glance, it is indistinguishable from the full desktop client, so the web interface is very nicely done.

Voice over IP (SIP)

OCS 2007 is also a fully fledged VoIP solution. I can’t talk about this part too much; I haven’t worked with the Mediation server or more enterprise VoIP integration (as said, our PBX doesn’t support that).

The softphone client integrated into Office Communicator works nicely though; the voice quality is normal, and we didn’t have many problems using it over WAN lines.

You can also connect hardware IP phones to OCS 2007, which should work with standard SIP phones. Not having one, I didn’t test this. There are some very nice looking OCS-specific IP phones out there.

Live Meeting

I’ve attended a few webcasts done using Live Meeting 2005. With OCS 2007, you can now host Live Meetings (using the 2007 client) directly in your company, with no need for any hosted services. This feature might not be terribly useful if you’re working for a single-location small business, but it can be a timesaver when spread across the country (or world). Live Meeting also integrates into Outlook (see the screenshot above).

It works flawlessly, and I had few problems using Live Meeting. I didn’t really deploy this into production yet, though.

And more

OCS 2007 can also do a lot more than I mentioned here. Most of this, like CDR and archival, is not necessary (or financially viable) in small businesses, so I didn’t invest too much time.

Drawbacks

So, what are the drawbacks of OCS 2007 in a small business? The main point I see here is that you need at least three servers: a Standard server (hosting all the services), a Mediation server for connecting to your PBX, and an Edge server offering internet connectivity. These are at least three OS instances that need to be maintained. Add to that the cost of either a proper virtualization server or a few 1U boxes, and you’ll get into unviable price regions pretty soon.

For basic functionality, you can leave out both the Mediation and the Edge server. This means no integration with your PBX, and no external access to your server, at least in theory.

If you just need external access to IM, you can create appropriate SRV records in your public DNS and forward port 5061. This will not result in a clean service, but it’s better than nothing. But without a proper Edge server, you won’t be able to access other IM networks. Not cool.

Microsoft should really make single-server deployment possible, but we’re probably too small a market to make this financially viable.

So what’s my conclusion? If you’re an SMB, give OCS 2007 a try. It’s very cool software, and the basic IM functionality isn’t that expensive.

Managing HP printers on your small business network

If you have a few printers, you usually want to take good care of them. There are many network administration tools that can help you do that, and here I’m talking mostly about HP’s free offerings. Let’s start with the biggest one first.

HP Web Jetadmin

HP Web Jetadmin is HP’s enterprise tool for printer management. It is free though, so I gave it a try. Turns out it really is an enterprise tool, and much too convoluted for SMB use. I like that it has the ability to manage at least some features of printers made by different manufacturers (in my case, Lexmark). You don’t see that every day. I can’t give a full review of the product, because I only invested half an hour in it, only to find out that it is too big for our environment.

It offers all the features one could possibly need: it can monitor toner, media and configuration, schedule firmware upgrades, and can even be used to configure and maintain print servers. With all these features, deployment of this tool is most likely not going to be a short process. You’ll need to invest a few days to find out about all the kinks and functionality and to integrate it into your environment meaningfully.

HP Easy Printer Care

HP Easy Printer Care is HP’s small business printer management tool. It only supports up to 15 printers, which is not a problem if you’re a small business that uses workgroup printers. For companies that are using a printer on every desktop, 15 might be too low.

The software is meant for use on a desktop computer, not on a server. I see this as a bit of a drawback, as we usually use Microsoft Small Business Server at our smaller customers, but you can also install the software on a server; it just can’t send emails and notifications (though most of the larger HP printers can mail notifications themselves!).

The tool cannot manage the printer firmware, which is a huge drawback. But it allows easy configuration of several settings even by end users, who are sometimes intimidated by the printer menu or the printer web interface. It also allows rudimentary printer accounting on selected (not all) printers. (If you’re looking for more complete printer accounting software, I can recommend PaperCut NG.)

While I think that Web Jetadmin is overkill for any SMB, Easy Printer Care is sometimes too light on functionality. But I like its end-user-oriented design. If HP adds a few nudges to EPC (like mail, firmware management and minimal third-party printer support), it could very well become a good tool for SMBs.

HP Download Manager

Using HP Download Manager is like stabbing a fork into your eye. It’s not pleasant, and after the pain stops you’re blind. Okay, so this might’ve been a bit colorful, but the point still stands. This software is junk, mostly because it doesn’t work. HP Download Manager is a firmware management solution for JetDirect print servers that are either standalone or embedded into printers. It can’t manage printer firmware, which HP Web Jetadmin can.

Internet mode has been broken for ages; there are numerous references to this on the web. Using Wireshark, a web server and the hosts file will get the software to at least download firmware, but it won’t be able to install it, complaining about “no firmware file”. It could download the file just fine, and manually applying the file using the JetDirect web interface worked just dandy.

As such, I can’t recommend this tool. Don’t install it; it doesn’t work right, and will probably eat your eyes.

Conclusion

HP’s Easy Printer Care is a step in the right direction, HP Download Manager doesn’t work, and HP Web Jetadmin is most likely overkill. My hope is that HP improves Easy Printer Care, allowing it to take over the functions that HP Download Manager should do.

Google Apps - My first impressions

I’m currently using Outlook 2007 with an Exchange 2007 server for all my business needs. But of course I also have a private domain (which this blog runs on), where I have my private e-mail.

For a long time, I’ve used Mutt (a terminal-based text e-mail client) to handle all my private mail. It worked great; especially filtering, threading, etc. were very well done. But the disadvantages are obvious. So I’ve searched for a suitable replacement. I’ve tried a variety of clients, but didn’t really like any of them.

Then I tried Gmail. I was quite pleased with it, but it didn’t offer enough storage to hold all my mails. So I subscribed to Google Apps Enterprise, with a single user account and an appropriate forward in my Postfix setup.

Apps Enterprise can use IMAP to migrate your mails from your old server and tag the mails according to their folders. It worked perfectly, but took around a day (for ~250,000 mails).

So far, I’m quite pleased, even though I’m not really sure if I like Gmail’s threading style. Google Talk can also relay incoming mail notifications.

I was unable to use Gmail as my primary MX, because it is impossible to add an e-mail route (you can add it in the GUI, but it doesn’t get saved). I opened a case about this two weeks ago. No solution yet.

Have you enabled SSL for Remote Desktop?

Did you know that you can enable Remote Desktop/Terminal Server to use SSL?

Configuring authentication and encryption for Terminal Services

It is generally good practice to configure any machine that has Remote Desktop or Terminal Services enabled to at least have an SSL certificate that can be used with RDP. It’s easy to do, and it allows RDP to use better encryption.

This is especially important if you’re running RDP directly over the Internet (for which special care needs to be taken in many more aspects), but it also makes sense in a local LAN.

If you don’t have any legacy clients, it also makes sense to set the accepted key strength to “High”. This will cause all older RDP clients to fail. If you can’t risk that, you can still use “Client Compatible”, and use SSL with newer clients and RDP’s built-in encryption with older clients.

Transferring savefiles through FTP

If you need to transfer savefiles from one i5/OS instance to another, you have the choice between physical media, SNA (SNDNETF) and FTP.

Using FTP to transfer savefiles has a few quirks that are non-intuitive at first, and it’s more complicated if you’re transferring from one i5/OS instance to another. I often transfer savefiles from our system to customer systems, with my laptop as an intermediary.

Let’s start with the simple ones:

Downloading the savefile QGPL/TRANSFER to a PC:

C:\tmp>ftp 270.int.dataline.ch
Verbindung mit 270.int.dataline.ch wurde hergestellt.
220-QTCP at i270.int.dataline.ch.
220 Connection will close if idle more than 5 minutes.
Benutzer (270.int.dataline.ch:(none)): lukas
331 Enter password.
Kennwort:
230 LUKAS logged on.
ftp> quote site namefmt 1
250 Now using naming format "1".
ftp> cd /qsys.lib/qgpl.lib
250 "/QSYS.LIB/QGPL.LIB" is current library.
ftp> binary
200 Representation type is binary IMAGE.
ftp> get transfer.savf
200 PORT subcommand request successful.
150 Retrieving member TRANSFER in file TRANSFER in library QGPL.
226 File transfer completed successfully.
FTP: 705408 Bytes empfangen in 0.65Sekunden 1090.28KB/s
ftp> quit
221 QUIT subcommand received.

There are a few important things to notice here: QUOTE SITE NAMEFMT 1 changes the system to use the IFS naming format (you can change the default using CHGFTPA). BINARY switches to binary transfer mode; this is especially important for uploads (i5/OS refuses non-binary savf downloads).

Uploading from a PC or an i5/OS instance is essentially the same, so I’ll lump these two together in the next section:

C:\tmp>ftp 270.int.dataline.ch
Verbindung mit 270.int.dataline.ch wurde hergestellt.
220-QTCP at i270.int.dataline.ch.
220 Connection will close if idle more than 5 minutes.
Benutzer (270.int.dataline.ch:(none)): lukas
331 Enter password.
Kennwort:
230 LUKAS logged on.
ftp> quote site namefmt 1
250 Now using naming format "1".
ftp> binary
200 Representation type is binary IMAGE.
ftp> cd /qsys.lib/qgpl.lib
250 "/QSYS.LIB/QGPL.LIB" is current library.
ftp> del TRANSFER.SAVF
250 File TRANSFER in library QGPL deleted.
ftp> put TRANSFER.SAVF
200 PORT subcommand request successful.
150 Sending file to member TRANSFER in file TRANSFER in library QGPL.
226 File transfer completed successfully.
FTP: 705408 Bytes gesendet in 0.69Sekunden 1026.79KB/s
ftp> quit
221 QUIT subcommand received.

Now, the special case comes into play when you’re downloading from one i5/OS instance to another. If you do not pre-create the savefile and overwrite it, you’ll end up with a simple PF-DTA that you can’t restore from.

CRTSAVF QGPL/TRANSFER
FTP '270.int.dataline.ch'

Es wird versucht, eine Verbindung zu Host 270.int.dataline.ch, Adresse 10.33.0.20 über Port 21 herzustellen.
220-QTCP at i270.int.dataline.ch.
220 Connection will close if idle more than 5 minutes.
> lukas
331 Enter password.
230 LUKAS logged on.
OS/400 is the remote operating system. The TCP/IP version is "V5R4M0".
250 Now using naming format "1".
257 "/" is current directory.
> namefmt 1
250 Now using naming format "1".
Server NAMEFMT ist 1.
Client NAMEFMT ist 1.
> lcd /qsys.lib/qgpl.lib
Das lokale Arbeitsverzeichnis ist /QSYS.LIB/QGPL.LIB
> cd /qsys.lib/qgpl.lib
250 "/QSYS.LIB/QGPL.LIB" is current library.
> get TRANSFER.SAVF (REPLACE
227 Entering Passive Mode (10,33,0,20,73,134).
150 Retrieving member TRANSFER in file TRANSFER in library QGPL.
226 File transfer completed successfully.
33792 Byte in 0.436 Sekunden übertragen. Übertragungsgeschwindigkeit 77.585 KB/s.

There are a few more noteworthy things in this transcript: we used “namefmt 1” instead of “quote site namefmt 1”. This also advises the local FTP client to change its naming format. We also issue a cd and an lcd command to change the FTP server and the FTP client to the correct directory. Then, we call the get command with the special (REPLACE parameter, telling it to replace the already existing savefile (and thus preserving the SAVF attribute).

You’ll also notice that IBM still hasn’t updated their branding throughout i5/OS…
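The PC-side download and upload sequences from the two sessions above, as an added example in Python’s ftplib (not code from the post): SITE NAMEFMT 1, binary mode, change into the library, then RETR or DELE followed by STOR. The TLS option, the library/file names and the command-line usage are assumptions; the i5/OS-to-i5/OS case with (REPLACE runs on the i5/OS FTP client and is not covered here.

```python
import ftplib


def lib_path(library: str) -> str:
    """IFS path of a library in naming format 1, e.g. QGPL -> /qsys.lib/qgpl.lib."""
    return f"/qsys.lib/{library.lower()}.lib"


def savf_name(name: str) -> str:
    """File name of a save file inside that path, e.g. transfer -> TRANSFER.SAVF."""
    return f"{name.upper()}.SAVF"


def prepare(ftp, library: str) -> str:
    """Put the server into NAMEFMT 1 and binary mode, then enter the library.
    The reply shown in the post is '250 Now using naming format "1".'; anything
    else means the CWD below would be interpreted in the wrong naming scheme."""
    reply = ftp.sendcmd("SITE NAMEFMT 1")
    if 'naming format "1"' not in reply:
        raise RuntimeError(f"server did not switch to NAMEFMT 1: {reply}")
    ftp.voidcmd("TYPE I")      # 'binary'; the post notes i5/OS refuses ASCII savf transfers
    path = lib_path(library)
    ftp.cwd(path)
    return path


def download_savf(ftp, library: str, name: str, dest) -> int:
    """Fetch LIBRARY/NAME into a PC-side writable file object; returns bytes received."""
    prepare(ftp, library)
    received = 0

    def sink(chunk: bytes) -> None:
        nonlocal received
        received += len(chunk)
        dest.write(chunk)

    ftp.retrbinary(f"RETR {savf_name(name)}", sink)
    return received


def upload_savf(ftp, library: str, name: str, src) -> str:
    """Send a PC-side savefile to LIBRARY/NAME. As in the upload session in the
    post, an existing file of that name is deleted first; a missing one is fine."""
    prepare(ftp, library)
    fname = savf_name(name)
    try:
        ftp.delete(fname)
    except ftplib.error_perm:
        pass                   # 550: nothing to delete yet
    return ftp.storbinary(f"STOR {fname}", src)


def connect(host: str, user: str, password: str, tls: bool = True):
    """Open the control session. tls=True is an assumption: it needs the i5/OS
    FTP server configured for TLS (not shown in the post); it keeps the password
    and the savefile contents off the wire in clear text."""
    ftp = ftplib.FTP_TLS(host) if tls else ftplib.FTP(host)
    ftp.login(user, password)
    if tls:
        ftp.prot_p()           # encrypt the data connection as well
    return ftp


if __name__ == "__main__":
    import getpass
    import sys
    # usage: python savf_ftp.py HOST USER LIBRARY NAME   (e.g. ... QGPL TRANSFER)
    host, user, library, name = sys.argv[1:5]
    with connect(host, user, getpass.getpass()) as ftp:
        with open(savf_name(name), "wb") as fh:
            print(download_savf(ftp, library, name, fh), "bytes received")
```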

OpenVPN on Windows works surprisingly well

I’ve been using OpenVPN for a few years on Linux to establish site-to-site VPNs. It has never let me down, and I was always able to get the configuration working the way I wanted it, without much effort and fiddling. Another nice ability of OpenVPN is that it can work its way through almost any firewall, which can be especially nice when working with restricted internet access.

A few days ago, I got into a situation where I needed to get a site-to-site VPN up as quickly as possible, behind a restrictive firewall. I started with the obvious route, and found a few resources referring to OpenVPN on the net.

One of them is the OpenVPN GUI, which is mostly aimed at road-warrior scenarios. The Windows installation notes and the Windows section in the howto are quite sparse. As such, my expectations weren’t high.

Installing OpenVPN results in the creation of a virtual ethernet adapter that’s backed by the TAP driver (which is not signed). The install went fine, and configuration was the same as on Linux.

The Windows installer automatically installs a service that defaults to a disabled state and, when started, launches OpenVPN for all *.ovpn files in %ProgramFiles%\OpenVPN\config. Simple, but efficient. Logs get written to %ProgramFiles%\OpenVPN\log.

After creating an appropriate configuration, I put it into the config dir, started the service, and everything just worked. Right out of the box. Without tinkering. Without error messages. It just worked.

As such, the application clearly shows its Linux/Unix origin, but it works nicely. Windows administrators who have never worked with a Unix-like operating system might be put off by the application. I would still suggest everyone take a look at OpenVPN for some low-cost VPN improvisations.

Strange problems with ZyXEL’s ZyWALL 5 and Exchange 2003

Today I encountered a very interesting problem that’s very hard to track down exactly.

A small business customer was running an Exchange 2003 server behind a ZyXEL ZyWALL 5 with Anti-Spam installed and enabled. The ZyWALL forwarded port 25 to the Exchange server. This worked, for the most part, flawlessly. But a few hosts (I found no distinct differences between the source hosts: ADSL, leased lines, colocated, Europe, USA) failed to get an SMTP greeting (220 customer.example.com Microsoft ESMTP MAIL Service, Version: 6.0.xx ready at Thu, xx Sep 2007 xx:xx:xx +0200).

When I disabled Anti-Spam and pressed enter (in a telnet session to port 25), the SMTP greeting appeared. If Anti-Spam was enabled, it never appeared. But that didn’t help; Postfix still couldn’t send mail:

postfix/smtp[25010]: C65AA88075: conversation with customer.example.com[256.256.256.256] timed out while receiving the initial server greeting

I’ve looked at every setting on both the ZyWALL and the Exchange server, but didn’t find any unusual DNS or similar setting. I even disabled all the DNS lookups done by the Exchange server, but to no avail.

But after upgrading the ZyXEL ZyWALL 5’s firmware to the latest version (V4.02(XD.2)), the problem disappeared. While this wasn’t exactly what I was hoping for, at least the problem was now solved.

About 36h resolution time for a simple problem - is this good?

Yesterday I wrote about a simple but important error that Hostpoint had with their IMAP servers.

One would assume that such a problem would be fixed in no time, since it obviously affects many customers. Even though I was able to offer them detailed problem instructions, it took over 36 hours to resolve a problem as simple as this. The problem was even reported earlier by the customer himself, but he was not able to deduce exactly why authentication was failing, and working again after rebooting his PC. But Hostpoint told the customer that there were no problems.

For 50 CHF per month, one should be able to expect better service.