Our current cablecom hispeed business line is ADSL2+ with 20/2 megabits. While the upstream is too low for my taste, i haven’t really seen better offers.

I talked with a sales on the phone – for about 200 CHF more, we could get 20/2 SDSL (which sounded strange) and a 20/2 DOCSIS backup line, together with a “Bronze” level SLA. This sounded very attractive to me and i told the sales to send me the offer.

In the written offer, the ominous 20/2 SDSL was downgraded to 4/4 SDSL (which made much more sense). Of course, downgrading our internet connection from 20/2 to 4/4 seemed like a rather bad idea. We have about 30 people working here everyday, and almost all of them really use the internet to do their job. We’ve upgraded from 6/.6 ADSL to the current cablecom connection, because 6 megabit downstream wasn’t fast enough.

So i asked what else they could offer us – for 500 CHF more than we pay today, we could get 8/8 SDSL with a 20/2 DOCSIS backup. That still didn’t sound interesting to me.

I, personally, think 1000 CHF per month would be okay for a redundant 20/20 connection or something in this direction. My current connection at home is 25/2.5 – for 75 CHF a month. It works well enough, and the last failure i had was fixed in three days. Just like the failure we had on our 500 CHF per month 20/2 connection. This should be a telltale sign that something is very wrong with either the pricing or the service level.

The next question i asked if they could do a 20/2 ADSL with a 20/2 DOCSIS backup. Apparently, that’s not technically possible right now, but they might introduce this later this year. That sounds attractive to me.

All in all, i still think that cablecom hispeed business sucks. They can’t be bothered to do a 5 minute fix in a 2 hour time window on Friday evening. Then, they make one ludicrous offer that noone can take serious after the other.

I’m pretty sure that cablecom doesn’t really understand what small businesses need.

As a side note, if you work for an ISP and think you can make us a better offer than cablecom, i’d be very much interested. Send your stuff to l dot beeler at acommit dot ch. We will be moving to Horgen/ZH at Seestrasse 202 in March 2010 and need 32 static IP addresses.

Shortly after installing the line back in 2008, we’ve ran into an issue where cablecom hispeed business blocks GRE packets. After almost three days and speaking with a variety of technicians, they were finally able to resolve the issue.

Now, we’ve run into another, much more grave problem. Since about 15:45, a variety of hosts on the Internet aren’t reachable and of course several other hosts can’t reach us.

Of course this isn’t a clear-cut “my DSL modem has no link” issue – so cablecom currently isn’t even trying to fix the problem. I’ve been on the phone twice, never get any callbacks and don’t get any updates on the state of the problem resolution.

Fact is, some hosts can reach our OWA 2010 and some can’t. Nasty thing is, Swisscom’s GPRS/UMTS IP addresses can’t – this means no push-email for all 35 of our employees. Since we’re working for a rather important project (ERP and POS implementation) this weekend, this is a big issue for us.

It also looks interesting in a tcpdump – some packets just get lost – and from other hosts it works without any issues.

The 77. addresses are cablecom hispeed business, the 217. are my cablecom residential connection. In the first part, we see a TCP connection to port 80. In the second part, we see a ping -t. As you can see, there are a lot of dropped packets.

23:12:12.629457 IP 217.162.252.98.18417 > 77.59.216.227.80: S 4006182815:4006182815(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
23:12:12.629479 IP 77.59.216.227.80 > 217.162.252.98.18417: S 1280362581:1280362581(0) ack 4006182816 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 6>
23:12:15.826736 IP 77.59.216.227.80 > 217.162.252.98.18417: S 1280362581:1280362581(0) ack 4006182816 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 6>
23:12:22.026734 IP 77.59.216.227.80 > 217.162.252.98.18417: S 1280362581:1280362581(0) ack 4006182816 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 6>
23:12:34.026733 IP 77.59.216.227.80 > 217.162.252.98.18417: S 1280362581:1280362581(0) ack 4006182816 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 6>

08:51:49.642995 IP 217.162.252.98 > 77.59.216.227: icmp 40: echo request seq 65
08:51:49.643024 IP 77.59.216.227 > 217.162.252.98: icmp 40: echo reply seq 65
08:52:00.641330 IP 217.162.252.98 > 77.59.216.227: icmp 40: echo request seq 68
08:52:00.641345 IP 77.59.216.227 > 217.162.252.98: icmp 40: echo reply seq 68
08:53:16.641813 IP 217.162.252.98 > 77.59.216.227: icmp 40: echo request seq 84
08:53:16.641829 IP 77.59.216.227 > 217.162.252.98: icmp 40: echo reply seq 84

Cablecom gets 180 CHF per month for 24/7 support. The case has now been open for 7 hours, with no resolution in sight. There’s no escalation path and there are no workarounds – we don’t have redundant connections.

Interestingly, one of our customers who also uses cablecom hispeed business had a similar issue, that lasted for roughly three weeks – one of their IP addresses wasn’t reachable externally, from one minute to the other. Unfortunately for us, all of our public IP addresses are affected by this issue, so we don’t have an easy workaround.

Of course, for some part we’re also to blame. Luckily i’m not one of the higher ups who gambled with non-redundant internet connections and lost.

Have you made negative experiences with cablecom hispeed business? Positive ones? Was support able to fix your issues quickly?

Update: I’ve called cablecom again on Saturday at 09:00. Apparently, these sort of issues are supported on a best-effort base from 9 to 5, and not covered by our 24/7 support contract. We will have to wait until monday – they will not look at this issue further during the weekend.

Update: Monday morning, 11:00. Problem is still unsolved.

--- hor-fw-01.acommit.ch ping statistics ---
20 packets transmitted, 3 received, 85% packet loss, time 19012ms
rtt min/avg/max/mdev = 20.490/21.360/22.585/0.891 ms

Update: Monday morning, 11:36. Problem is now solved. According to the Tech i talked to, the he fixed the issue in 5 minutes. He could’ve done that on Friday, but apparently noone at cablecom felt like doing so. The issue was that cablecom configured our new line for the planned office move and configured load sharing between the new line for the new office and the old line. Since the new line didn’t physically exist yet, half of the packets were dropped.

Thanks to the Tech who fixed the issue, no thanks to cablecom in general for wasting an entire weekend on what could’ve been a five minute fix on Friday evening.

But today i experienced the most grave issue with their equipment that critically impacted a customers business.

The customer has two sites – an HQ with an SBS 2008 and a branch office with two Lenovo SFF machines running Windows Vista Business. Both sites are using 20/2 VDSL lines from Swisscom, with ZyXEL P-2802HWL routers.

There is an IPsec VPN configured between these two sites. This has been working fine since January.

Now, about a month ago a telecom service company installed VoIP telephones in the branch office, and enabled QoS on both ZyXEL routers.

Since then, Outlook was unable to synchronize correctly with the SBS server. Unfortunately, the customers personnel isn’t that technically savy, so they weren’t able to tell that they had a problem – because smaller e-mails were able to successfully synchronize, but larger ones failed. This led to very inconsistent states of the OST files, with some mails there and some mails not there.

When i arrived at the branch office i didn’t have a single clue what the issue was or may be. At first i suspected an Outlook problem, so i deleted the OST file. But from there on, nothing happened – Outlook wasn’t able to download anything.

Next, i tried to copy a 50kbyte Excel file from a share to the local computer. This worked. So i tried a 2 megabyte Word file. This failed about halfway through, with Explorer just hanging there and doing nothing. From that point on, i suspected a network issue, but the fact that copying a 50kbyte file worked and a 2 megabyte file didn’t was very odd.

Using Outlook with Outlook Anywhere also worked (when the VPN tunnel was downed).

Whenever i’m confronted with strange network problems, i suspect MTU issues (which was my first “real” network problem i solved back on my first ADSL line – took me weeks for a simple fix). ping -l 5000 CUSTSBS01 worked. ping -l 15000 CUSTSBS01 worked, too. So thought it wasn’t an MTU issue.

Disabling QoS on the ZyXEL router fixed the issue, but made the phones unusuable while Outlook was filling it’s OST files.

So i ran through the usual check points – tcp checksum offloading, chimney, receive window autotuning, reboots, etc. Nothing helped. At the end i was just changing network settings at will. But nothing helped.

Out of any reasonable ideas, i changed the MTU to 1300. That fixed it – with QoS enabled and the NIC MTU of the two machines, everything was working as it should. File transfers worked, Outlook worked, Phones worked.

Don’t buy ZyXEL.

Up until now, we’ve been using PPTP for our VPN needs. PPTP is easy and painless to setup, but can cause several problems on customers site because it needs GRE. Many overzealous firewalls block GRE.

In the future, we are intending to use SonicWALLs Global VPN Client, that uses IPsec with it’s NAT-Traversal over UDP. Also, the SonicWALL GVC solution is able to plug directly into Active Directory for central authentication.

I intended to keep PPTP running for some time after the migration, in order to ease the transition. But as it looks now, Cablecom blocks OUTBOUND GRE packets. Mighty strange, because inbound GRE-Packets work.

Here’s how this looks in tcpdump:

10:58:13.927888 IP 77.59.216.227 > 194.88.212.200: off 0×5858 [|gre]
10:58:13.947131 IP 77.59.216.225 > 77.59.216.227: icmp 52: host 194.88.212.200 unreachable

.225 is the Cablecom CPE, and .227 is the Linux machine running the PPTP server.

I’ve already opened a support case with Cablecom, in the hope of having this issue sorted out quickly. So far, i haven’t heard back from them, even though i reported the issue almost a day ago. It’s not like we pay 180 CHF a month for 24/7 support.

Update: Cablecom was able to resolve the issue today. Apparently, it was a config issue on the router.

IP addresses issued back then were semi-static, they stayed for months. I started hosting my own domain on it (that was in 2000), using a Slackware based Server. It was interesting, and i learned a lot. However, i soon grew dissatisfied with the semi-static IP addresses, and looked for a possibility to get a static IP address. The offering from my cable provider back then was just too expensive.

In 2002, i switched to Init7 using ADSL. I finally had a /29 Subnet to do experiments on, and had a whole lot of servers at home for experimenting purposes. It worked well. And with just 99 CHF, it wasn’t that expensive. However, i also had to pay for an ISDN connection for 43CHF per month. I still lived with my parents back then, so that didn’t factor into my cost directly. This changed, though.

In 2005, i moved from St. Gallen to Horgen. Moving the ADSL Line was painless, and i was online at the same day i moved into my new apartment. Everything was well. At the same time, i purchased a HP DL140 to handle my internet server needs – and placed it into a co located rack, eliminating my need for static IP addresses at home. I still had the same ADSL line, with ISDN, because i didn’t really think about downgrading it – who knows, maybe i could use the static IP addresses once more.

ADSL speeds also improved during that time – in 2002 it was 512kbit, in 2006 the offering was 6mbit. However, at my apartment i was only able to get 4mbit.

I hoped that we’d get ADSL2 just like Germany in a few months time, but even in 2008, i was still stuck with just 4mbit. I wasn’t impressed, so i thought about upgrading to VDSL. However, my apartments infrastructure was unfit for VDSL and would need to be rebuilt. My landlord didn’t really consider that, so i looked at alternatives.

Cablecom Hispeed launched a new 25mbit offer for 75 CHF on January 15th. I was impressed – i currently paid 99CHF for the ADSL link and 43 CHF for the ISDN link, just for 4mbit of broadband with static IP adresses. I didn’t think long, and i switched to the cable offering. Yesterday, i received the new cable mode, and unplugged my ADSL infrastructure.

The 25mbit are really a best effort value – the best i clocked on a download was 18.4 mbit, but that’s still a lot more than 4mbit. Also, the new 2mbit upload speed come in handy when uploading Linux Distributions on quota trackers.

After playing with it in VMs for a few days, I decided to deploy it internally. Of course, the current deployment is not very integrated – our PBX is years old, and we have no chance to get any decent sort of integration, and we’re not yet on Exchange 2007 (though this is planned). As such, I didn’t expect to much usefulness out of. Boy, was I wrong.

OCS 2007 is several products in one, and it has a few drawbacks in a small business deployment (because it was designed for bigger environments). The price of the product isn’t prohibitive for a small business – 1500 CHF for the server, and 100 CHF per CAL (for Standard versions – the Enterprise versions are more expensive).

So, what features can one expect from OCS2007?

Services

Instant Messaging

One of the OCS2007 functions is an internal Instant Messaging server, with all the standard features you probably already know from ICQ, MSN et al. This part could easily provided by using e.G. an internal Jabber server and a Windows Jabber client like Pidgin. So why use OCS2007 for instant messaging? The reason is easy: Integration. The server software integrates into your Active Directory environment. You extend the AD schema, and all the user information is stored directly in Active Directory, with no need to maintain yet another user database. While that’s an advantage, it not much of a selling point (because the CEO usually doesn’t care if need 3 more minutes to add a user).

So let’s talk about integration on the client. After installing Office Communicator (the IM/VOIP client for OCS) on the client, you will notice full IM integration into Outlook, see the status of all the recipients and senders of the mail. This is a very nice feature, because it offers you information at a glance, without having to open the IM GUI to see whether someone is available for a quick follow up or not. But it gets better: this Integration also works in Sharepoint Services 3.0 and MOSS 2007. Also, the Unified Messaging part of Exchange Server 2007 integrates nicely into OCS 2007. You can check your voicemail using OCS 2007, with a fully graphical interface (similar to how the iPhone handles it’s voicemail)

Besides the ability for instant messaging, there is another very important feature – at least in our company: availability and presence. We have a HQ and a branch office, and our HQ is split over three floors. So usually it’s not easy to tell if someone is at his workplace or not. While Outlooks calender helps to establish the general whereabouts of a person, its not at-a-glance, and it doesn’t help if the person just isn’t at his desk (for whatever reason).

Office Communicator sets your presence to away at the instant you lock your machine, which people do when they walk away from their desk. As such, you can tell whether someone is currently working at his desk or not. This is very cool, and helps to save time on unnecessary phone calls to which no one answers.

There’s also a web client – Office Communicator Web Access. At the first glance, it is indistinguishable from the full desktop client, so the web interface is very nicely done.

Voice over IP (SIP)

OCS 2007 is also a fully blown VoIP solution. I can’t talk about this part too much – i haven’t worked with the mediation server or more enterprise VoIP integration (as said, our PBX doesn’t support that).

The Softphone client, integrated into the Office Communicator works nicely though, the voice quality is normal, and we didn’t have much problems using it over WAN lines.

You can also connect hardware IP phones to OCS2007, which should work with standard SIP phones – not having one, i didn’t test this. There are some very nice looking OCS specific IP phones out there.

Live Meeting

I’ve attended a few Webcasts done using Live Meeting 2005. With OCS 2007, you can now host Live Meetings (using the 2007 client) directly in your company, with no need for any hosted services. This feature might not be terribly useful if you’re working for a single-location Small Business, but it can be a timesaver when spread across the country (or world). Live Meeting also integrates into Outlook (see the above screenshot).

It works flawlessly, and i had few problems using Live Meeting. Didn’t really deploy this into production yet, though.

And more

OCS 2007 can also do a lot more stuff than i mentioned here. Most of this, like CDR and Archival is not necessary (or financially viable) in Small Businesses, so I didn’t invest too much time.

Drawbacks

So, what are the drawbacks of OCS 2007 in a Small Business? The main point i see here is that you need at least three servers – a Standard Server (hosting all the services), a mediation server for connecting to your PBX, and an Edge server offering internet connectivity. These are at least three OS instances that need to be maintained. Add to that the cost of either a proper virtualization server, or a few 1U boxes, and you’ll get into unviable price regions pretty soon.

For basic functionality, you can leave both the Mediation and the Edge server away. This means no integration with your PBX, and no external access to your server – at least in theory.

If you just need external access to IM, you can create appropriate SRV records in your public DNS, and forward port 5061. This will not result in a clean service, but it’s better than nothing. But without a proper edge server, you won’t be able to access other IM networks. Not cool.

Microsoft should really make single-server deployment possible, but probably we’re too small of a market to make this financially viable.

So what’s my conclusion? If you’re an SMB, give OCS2007 a try. It’s a very cool software, and the basic IM functionality isn’t that expensive.

HP Web Jetadmin

HP Web Jetadmin is HP’s enterprise tool for printer management. It is free though, so i gave it a try. Turns out it really is an enterprise tool, and much too convoluted for SMB use. I like that it has the ability to at least manage some features from printers made by different manufacturers (in my case, Lexmark). You don’t see that every day. I can’t give a full review of the product, because i only invested half an hour in it, only to find out that it is too big for our environment.

It offers all the features one could possibly need – it can monitor toner, media, configuration, time firmware upgrades and can even be used to configure and maintain print servers. With all these features, deployment of this tool is most likely not going to be a short process. You’ll need to invest a few days to find out about all the kinks, functionality and integrate it into your environment meaningfully.

HP Easy Printer Care

HP Easy Printer Care is HP’s Small Business printer management tool. It only supports up to 15 printers, which is not a problem if you’re a small business that uses workgroup printers. For companies that are using a printer on every desktop, 15 might be too low.

The software is meant for use on a desktop computer, not on a server. I see this as a bit of a drawback, as we usually use Microsoft Small Business Servers at our smaller customers, but you can also install the software on a server – it just can’t send emails and notifications (though most of the larger HP printers can mail notifications!).

The tool can not manage the printer firmware, which is a huge drawback. But it allows easy configuration of several settings even by end users, which are sometimes intimidated by the printer menu or the printer web interface. It also allows rudimentary printer accounting on selected (not all) printers (If you’re looking for a more complete printer account software, i can recommend PaperCut NG).

While i think that Web Jetadmin is overkill for any SMB, Easy Printer Care is sometimes too light on functionality. But i like it’s end user oriented design. If HP adds a few nudges to EPC (like mail, firmware management and minimal third party printer support), it could very well become a good tool for SMBs.

HP Download Manager

Using HP Download Manager is like stabbing a fork into your eye. It’s not pleasant, and after the pain stops you’re blind. Okay, so this might’ve been a bit colorful, but the point still stands. This software is junk, mostly because it doesn’t work. HP Download Manager is a firmware management solution for JetDirect print servers that are either stand alone or embedded into printers. It can’t manage printer firmware, which HP Web JetAdmin can.

Internet mode is broken since ages, there are numerous references about this on the web. Using Wireshark, a web server, and the hosts file will get the software to at least download firmware, but it won’t be able to install the software, complaining about “no firmware file”. It could download the file just fine, and manually applying the file using the JetDirect Webinterface worked just dandy.

As such, i can’t recommend this tool. Don’t install it, it doesn’t work right, and will probably eat your eyes.

Conclusion

HP’s Easy Printer Care is a step in the right direction, HP Download Manager doesn’t work, and HP Web Jetadmin is most likely overkill. My hope is that HP improves Easy Printer Care, allowing it to takeover the functions that HP Download Manager should do.

For a long time, i’ve used Mutt (a terminal based text e-mail client) to handle all my private mails. It worked great, especially filtering, threading, etc. were very well done. But the disadvantage are obvious. So i’ve searched for a suitable replacement. I’ve tried a variety of clients, but didn’t really like any of them.

Then i’ve tried Gmail. I was quite pleased with it, but it didn’t offer enough storage to hold all my mails. So i’ve subscribed to Google Apps Enterprise, with a single user account, and an approriate forward on my Postfix setup.

Apps Enterprise can use IMAP to migrate your mails from your old server, and tag the mails according to the folders. Worked perfectly, but took around a day (for ~250’000 mails).

So far, i’m quite pleased, even though i’m not really sure if i like Gmail’s threading style. Google talk can also relay incoming mail notifications.

I was unable to use Gmail as my primary MX, because it is impossible to add an E-Mail route (you can add it in the GUI, but it doesn’t get saved). I opened a case about this two weeks ago. No solution yet.

Configuration authentication and encryption for Terminal Services

It is generally good practice to configure any machine which has Remote Desktop or Terminal Services enable to at least have an SSL certificate that can be used with RDP. It’s easy to do, and it will allow RDP to use better encryption.

This is especially important if you’re running RDP directly over the Internet (for which special care needs to taken in many more aspects), but it also makes sense to use this in local LAN.

If you don’t have any legacy clients, it also makes sense to set the accepted keystrength to “High”. This will cause all older RDP clients to fail. If you can’t risk that, you can still use “client-compatible”, and use SSL with newer clients and RDP’s builtin encryption with older clients.

Using FTP to transfer savefiles has a few quirks that are non-intuitive at first, and it’s more complicated if you’re transferring from one i5/OS instance to another. I often transfer savefiles from our system to customer systems, with my laptop as an intermediary.

Let’s start with the simple ones:

Downloading the savefile QGPL/TRANSFER to a PC:

C:\tmp>ftp 270.int.dataline.ch
Verbindung mit 270.int.dataline.ch wurde hergestellt.
220-QTCP at i270.int.dataline.ch.
220 Connection will close if idle more than 5 minutes.
Benutzer (270.int.dataline.ch:(none)): lukas
331 Enter password.
Kennwort:
230 LUKAS logged on.
ftp> quote site namefmt 1
250 Now using naming format "1".
ftp> cd /qsys.lib/qgpl.lib
250 "/QSYS.LIB/QGPL.LIB" is current library.
ftp> binary
200 Representation type is binary IMAGE.
ftp> get transfer.savf
200 PORT subcommand request successful.
150 Retrieving member TRANSFER in file TRANSFER in library QGPL.
226 File transfer completed successfully.
FTP: 705408 Bytes empfangen in 0.65Sekunden 1090.28KB/s
ftp> quit
221 QUIT subcommand received.

There are a few important things to notice here: QUOTE SITE NAMEFMT 1 changes the System to use the IFS naming format (you can change the default using CHGFTPA). BINARY switches to binary transfer mode, this is especially important for uploads (i5/OS refuses non-binary savf downloads).

Uploading from a PC or i5/OS instance is essentially the same, so i’ll lump these two together in the next section:

C:\tmp>ftp 270.int.dataline.ch
Verbindung mit 270.int.dataline.ch wurde hergestellt.
220-QTCP at i270.int.dataline.ch.
220 Connection will close if idle more than 5 minutes.
Benutzer (270.int.dataline.ch:(none)): lukas
331 Enter password.
Kennwort:
230 LUKAS logged on.
ftp> quote site namefmt 1
250 Now using naming format "1".
ftp> binary
200 Representation type is binary IMAGE.
ftp> cd /qsys.lib/qgpl.lib
250 "/QSYS.LIB/QGPL.LIB" is current library.
ftp> del TRANSFER.SAVF
250 File TRANSFER in library QGPL deleted.
ftp> put TRANSFER.SAVF
200 PORT subcommand request successful.
150 Sending file to member TRANSFER in file TRANSFER in library QGPL.
226 File transfer completed successfully.
FTP: 705408 Bytes gesendet in 0.69Sekunden 1026.79KB/s
ftp> quit
221 QUIT subcommand received.

Now, the special case comes into play when you’re downloading from an i5/OS instance. If you do not precreate the savefile and overwrite it, you’ll end up with a simple PF-DTA, that you can’t restore from.

CRTSAVF QGPL/TRANSFER
FTP '270.int.dataline.ch'

Es wird versucht, eine Verbindung zu Host 270.int.dataline.ch, Adresse 10.33.0.20 über Port 21 herzustellen.
220-QTCP at i270.int.dataline.ch.
220 Connection will close if idle more than 5 minutes.
> lukas
331 Enter password.
230 LUKAS logged on.
OS/400 is the remote operating system. The TCP/IP version is "V5R4M0".
250 Now using naming format "1".
257 "/" is current directory.
> namefmt 1
250 Now using naming format "1".
Server NAMEFMT ist 1.
Client NAMEFMT ist 1.
> lcd /qsys.lib/qgpl.lib
Das lokale Arbeitsverzeichnis ist /QSYS.LIB/QGPL.LIB
> cd /qsys.lib/qgpl.lib
250 "/QSYS.LIB/QGPL.LIB" is current library.
> get TRANSFER.SAVF (REPLACE
227 Entering Passive Mode (10,33,0,20,73,134).
150 Retrieving member TRANSFER in file TRANSFER in library QGPL.
226 File transfer completed successfully.
33792 Byte in 0.436 Sekunden übertragen. Übertragungsgeschwindigkeit 77.585 KB/s.

There are a few more noteworthy things in this transcription: We used “namefmt 1″ instead of “quote site namefmt 1″. This will also advise the local FTP client to change it’s naming format. We also issue a cd and an lcd command to change the FTP server and the FTP client to the correct diretory. Then, we call the get command with the special (REPLACE parameter, telling it to replace the already existing savefile (and thus preserving the SAVF attribute).

You’ll also notice that IBM still hasn’t updated their branding throughout i5/OS…

A few days ago, i’ve got into a situation where I needed to get to a site to site VPN up as quickly as possible, behind a restrictive firewall. I’ve started with the obvious route, and found a few resources referring to OpenVPN on the net.

One of them is the OpenVPN GUI, which is mostly aimed at roadwarrior scenarios. The Windows installation notes and the Windows section in the howto are quite sparse. As such, my expectations weren’t high.

Installing OpenVPN results in the creation of a virtual ethernet adapter, that’s backed by the TAP driver (which is not signed). The install went fine, and configuration was the same as on Linux.

The Windows installer automatically installs as service that defaults to a disabled state, which when started launches OpenVPN for all *.ovpn files in %ProgramFiles%\OpenVPN\config. Simple, but efficient. Logs get written to %ProgramFiles%\OpenVPN\log.

After creating an appropriate configuration, i put it into the config dir, started the service, and everything just worked. Right out of the box. Without thinkering. Without error messages. It just worked.

As such, the application clearly shows it’s Linux/Unix origin, but it works nicely. Windows administrators that have never worked with a unix-like operating system might be put off by the application. I would still suggest everyone to take a look at OpenVPN for some low cost VPN improvisations.

A small business customer was running an Exchange 2003 server behind a ZyXEL ZyWALL 5 with AntiSpam installed and enabled. The ZyWALL forwarded port 25 to the Exchange server. This worked, for the most, flawlessly. But a few hosts (i’ve found no distinct differences between the source hosts – ADSL, Leased Lines, Colocated, Europe, USA) failed to get an SMTP greeting (220 customer.example.com Microsoft ESMTP MAIL Service, Version: 6.0.xx ready at Thu, xx Sep 2007 xx:xx:xx +0200).

When i disabled the Anti-Spam and pressed enter (in a telnet session to port 25), the SMTP greeting appeared. If anti-spam was enabled, it never appeared. But that didn’t help – Postfix still couldn’t send mails:

postfix/smtp[25010]: C65AA88075: conversation with customer.example.com[256.256.256.256] timed out while receiving the initial server greeting

I’ve looked at every setting on both the ZyWALL and the Exchange server, but didn’t find any unusual DNS etc. setting. I even disabled all the DNS lookups done on the Exchange server, but to no avail.

But after upgrading the ZyXEL ZyWALL 5′s firmware to the latest version (V4.02(XD.2)), the problem disappeared. While this wasn’t exactly what i was hoping for, at least the problem was now solved.

One would assume that such a problem would be fixed in no time, since it obviously affects many customers. Even though i was able to offer them detailed problem instructions, it took over 36 hours to resolve a problem as simple as this. The problem was even reported earlier by the customer himself, but he was not able to deduce exactly why authentication was failing, and working after rebooting his PC. But Hostpoint told the customer that there were no problems.

For 50 CHF per month, one should be able to expect better service.

The problem is not obvious to find. They use DNS round robin to distribute their load, and they currently have 4 IMAP servers:

;; ANSWER SECTION:
imap.example.com.      300     IN      CNAME   imap.mail.hostpoint.ch.
imap.mail.hostpoint.ch. 300     IN      A       217.26.49.203
imap.mail.hostpoint.ch. 300     IN      A       217.26.49.202
imap.mail.hostpoint.ch. 300     IN      A       217.26.49.200
imap.mail.hostpoint.ch. 300     IN      A       217.26.49.201

Now the problem is that three of these four mailservers work correctly, and the fourth just refuses all authentication attempts:

% telnet 217.26.49.200 143
Trying 217.26.49.200...
Connected to 217.26.49.200.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS *snip*
2 login "info@example.com" "mypw"
2 NO Login failed.

% telnet 217.26.49.201 143
Trying 217.26.49.201...
Connected to 217.26.49.201.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS *snip
2 login "info@example.com" "mypw"
2 OK LOGIN Ok.

The fix right now is to just configure the client to use one of the working IP addresses – but be aware that this might lead to problems further down the road when the machine is down for maintenance etc.

This isn’t a full features review, more a few notes about my thought about this device. I had only one SmartPhone before it, the MTeoR mentioned just before, so most of my comparisons will reference that device.

This device comes from a different price range than the HTC MTeoR i had before – while the HTC retailed at about 800 CHF without contract, the iPAQ 510 started at much lower prices, it can be had from 350 CHF without a contract. As such, i didn’t really expect much from this device.

My attitude changed slightly when i opened the packaging – while the HTC came in a bleak and unnamed Swisscom package, the HP device was in a much better wrapping. It contained a handy quickstart guide, a manual, and the phone hat protection labels all over it.

The display of the HP has a resolution of 172×220 pixels, while the MTeoR had a 240×320 resolution. While the HP display isn’t as crisp and detailed, and displays bigger fonts the MTeoR, it’s not actually that much worse. And of course there’s the price difference between the two devices.

The HTC device had UMTS, which i always have disabled in order to save power. The HP device doesn’t have UMTS, but it does have WiFI. Because my company is still in the 90ies when it comes to telephony, i couldn’t play with the VoIP features.

An interesting twist is that WM6 no longer requires registry hacks to import self signed certificates. This is good for small businesses which use self signed certificates with Exchange Active Sync.

The making of the device seems to be better than the MTeoR, the latter had the problem that the back cover never really held, and seemed to lose its grip more than once a week. The HP device looks sturdier, and is also a tiny bit thicker than the MTeoR, but it’s also a bit lighter. They keys on the HP are much better suited for my hands (they’re bigger).

I like the new enhancements that come with Windows Mobile 6, but you’ll find much better sources on the Web when talking about WM6.

I think this device is worth it’s money. It’s not a top of the line smartphone like the Motorola Q9, and it’s screen is it’s biggest disadvantage. It’s sturdily made, and will probably last a year on the field (SmartPhones always seem to be made with PHBs in mind, but they’re quite useful for field technicians too).

They’ve had power outages before, and again. However, it seems that they didn’t change anything. This is the fifth power outage, and we’re there for at most 1.5 years.

Today, there was a smaller power taking down only of the two power lines we had. But it still lasted for several hours, and recovery and information was incompetent and slow. Don’t go to Layer One. Their Power Grid sucks as much as their service and their information policy.

I’ve heard this one more than once, and it just isn’t true. While hard numbers are good for many things, they are usually not adequate for looking at Network connections.

Especially with the advent of VPN connections throughout multiple ISPs, companies, etc. there is a need to have a less subjective view of the quality of these links. Luckily there are many open source options available for graphical network monitoring.

The most important tool for WAN connections is SmokePing. With Cacti, you can graph almost anything. SNMP support is built in, and you can also use scripts. I’ve used many scripts with SSH commands and public key authentication to transfer even sensitive statistics over the network.

I’ve written about DNS before (sorry, German only), but i still use all that knowledge i learned back then every day. DNS is important for Active Directory (which has a whole seperate page of possible issues), but it’s also very important for e-mail.

I’ve seen many smaller IT companies or hobbyists that host their own DNS (which is fine, it builds experience) – but usually without a secondary DNS server.

The problem is that without any DNS server responding for a domain, strange things happen. While it would be very clear by the standards that this is just a temporary failure, and the mail should be held in the queue, given the right combination of DNS resolver and MTA, mails may bounce.

There are many companies offering secondary DNS services, but they’re usually not necessary – ask someone you know with a static IP address, and play secondary for him. Or if you really want your own infrastructure, rent a server in Germany, which is pretty inexpensive and gives you a secondary MX and DNS server.

These certificates are validated against the WHOIS records. This works fine, but SWITCH has removed all email addresses from their WHOIS records, probably to fight spam. Now, there’s an easy way out. Just change your Surname to an email address, before submitting the Certificate request to Thawte. After you have your certificate, you can change your WHOIS record back.

I would really like to see SSL certificates provided by domain registrars – i think GoDaddy even does that for some of their Domains. But SWITCH doesn’t.

Of course, just because you don’t have a DHCP server doesn’t mean that nobody can access your network. There’s a much better technology available that helps to prevent unauthorized devices from accessing your network. It’s called 802.1x.

In case you’re wondering, 802.1x can also be used with Wireless LAN. I’ve written a little HOWTO about Wireless 802.1x with Windows Server 2003 and Cisco APs.

Most access points support 802.1x, but with switches the functionality is a bit more scarce, especially if you’re looking at SMB equipment. But there are several vendors that offer 802.1x functionality in their switches, for affordable prices.

But what is 802.1x? It’s a technology that allows authentication at the link level to take place – it requires a RADIUS server as a backend (such as Microsoft IAS, which allows you to authenticate against active directory). The switch or AP just works as an intermediary between the RADIUS server and the client – this makes the switch/AP agnostic to the authentication method used.

802.1x can be great to enhance your network security. It prevents people from installing unauthenticated devices into your network. Of course, you will need to either whitelist older devices without 802.1x support by MAC-Address, or upgrade to newer devices with 802.1x support. For example, all newer Lexmark/IBM printers fully support 802.1x out of the box.

Especially with the dawn of Windows Vista, which can configure 802.1x LAN authentication through GPO (XP could only configure Wireless LAN 802.1x through GPO), it makes sense to start implementing 802.1x.

Allied Telesis

Even new Allied Telesis (formerly Allied Telesyn) switches look like they’re at least 10 years old. But they offer all features usually needed at nice pricing points. Their software is not always consistent between different product lines, but this shouldn’t be a problem for SMBs. For example the AT 9000/24 offers 802.1x support and 24 Gigabit Ethernet ports. Retail price in switzerland is about 1000 CHF.

Linksys

Linksys, a brand of Cisco, also offers business switches with 802.1x support. The SRW2024 can be had for about 600CHF, featuring 24 10/100mbit Ports and 802.1x support.