Archive for the ‘Networking’ Category.

Strange problems with Hostpoint’s IMAP servers

Hostpoint is having problems with their IMAP servers again.

The problem is not obvious to spot. They use DNS round robin to distribute their load, and they currently have four IMAP servers:

;; ANSWER SECTION:
imap.example.com.      300     IN      CNAME   imap.mail.hostpoint.ch.
imap.mail.hostpoint.ch. 300     IN      A       217.26.49.203
imap.mail.hostpoint.ch. 300     IN      A       217.26.49.202
imap.mail.hostpoint.ch. 300     IN      A       217.26.49.200
imap.mail.hostpoint.ch. 300     IN      A       217.26.49.201

Now the problem is that three of these four mail servers work correctly, and the fourth just refuses all authentication attempts:

% telnet 217.26.49.200 143
Trying 217.26.49.200...
Connected to 217.26.49.200.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS *snip*
2 login "info@example.com" "mypw"
2 NO Login failed.

% telnet 217.26.49.201 143
Trying 217.26.49.201...
Connected to 217.26.49.201.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS *snip*
2 login "info@example.com" "mypw"
2 OK LOGIN Ok.

The fix right now is to just configure the client to use one of the working IP addresses. Be aware that this can cause problems further down the road, when that machine is down for maintenance, and that if the client connects over TLS, the server certificate is issued for the host name, not for an IP address, so the client will complain about a name mismatch. Also note that the telnet test above sends the password in the clear; do it over port 993 (or with STARTTLS) on anything but a lab network.
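The same check, scripted, as an added example that is not part of the original post: resolve every A record behind the round-robin name, connect to each address individually, verify the TLS certificate against the host name from the dig output, and try a LOGIN. It assumes the servers also offer IMAP over TLS on port 993, which the post did not test; the login function is injectable so the reporting logic can be exercised without a network.

```python
"""Test every address behind a round-robin IMAP name with a real LOGIN.

Added example (not from the post).  Assumes the servers also offer IMAP over
TLS on port 993; IMAP_HOST is the name from the post's dig output.  The
certificate is validated against that name even though we connect by IP.
"""
import socket
import ssl

IMAP_HOST = "imap.mail.hostpoint.ch"   # round-robin name from the dig output above
IMAPS_PORT = 993                        # assumption: IMAP over TLS is offered


def resolve_a_records(hostname):
    """All IPv4 addresses the round-robin name currently resolves to."""
    infos = socket.getaddrinfo(hostname, IMAPS_PORT, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def imap_quote(value):
    """Quote a LOGIN argument as an IMAP quoted string (RFC 3501)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def tagged_status(line, tag):
    """'OK', 'NO' or 'BAD' if *line* is the tagged response for *tag*, else None
    (untagged '* ...' lines are skipped by the caller)."""
    parts = line.strip().split(" ", 2)
    if len(parts) >= 2 and parts[0] == tag and parts[1] in ("OK", "NO", "BAD"):
        return parts[1]
    return None


def imap_login_over_tls(ip, hostname, user, password, timeout=10):
    """Connect to one specific address, verify the certificate for *hostname*,
    send LOGIN and return the tagged status the server answered with."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, IMAPS_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            stream = tls.makefile("rwb")
            greeting = stream.readline().decode("ascii", "replace")
            if not greeting.startswith("* OK"):
                raise RuntimeError(f"unexpected greeting from {ip}: {greeting.strip()}")
            tag = "a001"
            stream.write(f"{tag} LOGIN {imap_quote(user)} {imap_quote(password)}\r\n".encode("utf-8"))
            stream.flush()
            while True:
                line = stream.readline().decode("ascii", "replace")
                if not line:
                    raise RuntimeError(f"{ip} closed the connection before answering LOGIN")
                status = tagged_status(line, tag)
                if status is not None:
                    break
            stream.write(b"a002 LOGOUT\r\n")
            stream.flush()
            return status


def check_all_servers(ips, hostname, user, password, login=imap_login_over_tls):
    """LOGIN against each address; returns {ip: 'OK' | 'NO' | 'BAD' | 'ERROR: ...'}.
    *login* is injectable so the logic can be exercised without a network."""
    results = {}
    for ip in ips:
        try:
            results[ip] = login(ip, hostname, user, password)
        except (OSError, RuntimeError) as exc:    # ssl.SSLError is an OSError
            results[ip] = f"ERROR: {exc}"
    return results


def broken_servers(results):
    """The addresses that did not accept the login, i.e. the ones to report."""
    return sorted(ip for ip, status in results.items() if status != "OK")


if __name__ == "__main__":
    import getpass
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else input("user: ")
    results = check_all_servers(resolve_a_records(IMAP_HOST), IMAP_HOST, user, getpass.getpass())
    for ip, status in sorted(results.items()):
        print(f"{ip:16} {status}")
    print("broken:", ", ".join(broken_servers(results)) or "none")
```

Run it as `python imapcheck.py info@example.com` and it prints one line per address; a host that answers `NO` to a password the others accept is the one to report to the provider, and a host listed as `ERROR` is down or has a certificate problem, which a client pinned to that IP would also hit.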

HP iPAQ 510 Voice Messenger

A few weeks ago, my HTC MTeoR died suddenly, when the upper half of its keyboard became unresponsive. I decided to replace it, and saw a good offer for HP’s iPAQ 510 Voice Messenger.

This isn’t a full feature review, more a few notes about my thoughts on this device. I had only one SmartPhone before it, the MTeoR mentioned above, so most of my comparisons will reference that device.

This device comes from a different price range than the HTC MTeoR I had before. While the HTC retailed at about 800 CHF without a contract, the iPAQ 510 started at much lower prices; it can be had for 350 CHF without a contract. As such, I didn’t really expect much from this device.

My attitude changed slightly when I opened the packaging. While the HTC came in a bleak and unnamed Swisscom package, the HP device was in much better wrapping. It contained a handy quickstart guide and a manual, and the phone had protection labels all over it.

The display of the HP has a resolution of 172×220 pixels, while the MTeoR had 240×320. While the HP display isn’t as crisp and detailed, and displays bigger fonts than the MTeoR, it’s not actually that much worse. And of course there’s the price difference between the two devices.

The HTC device had UMTS, which I always had disabled in order to save power. The HP device doesn’t have UMTS, but it does have WiFi. Because my company is still in the ’90s when it comes to telephony, I couldn’t play with the VoIP features.

An interesting twist is that WM6 no longer requires registry hacks to import self-signed certificates. This is good for small businesses which use self-signed certificates with Exchange ActiveSync.

The build of the device seems to be better than the MTeoR; the latter had the problem that the back cover never really held, and seemed to lose its grip more than once a week. The HP device looks sturdier, and is also a tiny bit thicker than the MTeoR, but it’s also a bit lighter. The keys on the HP are much better suited to my hands (they’re bigger).

I like the new enhancements that come with Windows Mobile 6, but you’ll find much better sources on the Web when talking about WM6.

I think this device is worth its money. It’s not a top-of-the-line smartphone like the Motorola Q9, and its screen is its biggest disadvantage. It’s sturdily made, and will probably last a year in the field (SmartPhones always seem to be made with PHBs in mind, but they’re quite useful for field technicians too).

Layer One sucks - they still have power outages

Layer One sucks. Big time.

They’ve had power outages before, and now again. However, it seems that they didn’t change anything. This is the fifth power outage, and we’ve been there for at most 1.5 years.

Today, there was a smaller outage, taking down only one of the two power lines we had. But it still lasted for several hours, and recovery and information were incompetent and slow. Don’t go to Layer One. Their power grid sucks as much as their service and their information policy.

Graphs are not only for managers

“Fancy graphs are only for managers.”

I’ve heard this one more than once, and it just isn’t true. While hard numbers are good for many things, they are usually not adequate for looking at network connections.

Especially with the advent of VPN connections spanning multiple ISPs, companies, etc., there is a need for a less subjective view of the quality of these links. Luckily there are many open source options available for graphical network monitoring.

The most important tool for WAN connections is SmokePing. With Cacti, you can graph almost anything: SNMP support is built in, and you can also use scripts. I’ve used many scripts with SSH commands and public key authentication to transfer even sensitive statistics over the network.
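An example of such a script, added here and not taken from the post: it pulls interface counters from a Linux host over SSH with a dedicated key and prints them in the `field:value` line format Cacti’s “Script/Command” data input expects. The security point is the key itself: it should be restricted in the remote user’s `~/.ssh/authorized_keys` to a forced command (`command="cat /proc/net/dev",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA...`), so that a stolen monitoring key can do nothing but hand out counters. Host, user, key file and the sample counter text are assumptions.

```python
"""Cacti script input: remote interface counters over SSH with a restricted key.

Added example, not from the post.  Assumes the remote host is Linux (counters
come from /proc/net/dev), the key is limited to a forced command in
authorized_keys, and the host key is already in known_hosts.
"""
import subprocess
import sys

# Column positions inside a /proc/net/dev line, after the "iface:" prefix.
RX_BYTES, RX_PACKETS, RX_ERRS = 0, 1, 2
TX_BYTES, TX_PACKETS, TX_ERRS = 8, 9, 10
CACTI_FIELDS = ("rx_bytes", "tx_bytes", "rx_packets", "tx_packets", "rx_errs", "tx_errs")

# Constructed sample of /proc/net/dev output, used for offline checks.
SAMPLE_PROC_NET_DEV = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 1234 10 0 0 0 0 0 0 1234 10 0 0 0 0 0 0
  eth0: 987654321 654321 3 0 0 0 0 12 123456789 234567 1 0 0 0 0 0
"""


def parse_proc_net_dev(text):
    """Return {iface: {'rx_bytes': .., 'tx_bytes': .., ...}} from /proc/net/dev text."""
    counters = {}
    for line in text.splitlines()[2:]:           # the first two lines are headers
        if ":" not in line:
            continue
        iface, rest = line.split(":", 1)
        fields = rest.split()
        if len(fields) < 16:                     # malformed line: skip, don't crash the poller
            continue
        counters[iface.strip()] = {
            "rx_bytes": int(fields[RX_BYTES]),
            "rx_packets": int(fields[RX_PACKETS]),
            "rx_errs": int(fields[RX_ERRS]),
            "tx_bytes": int(fields[TX_BYTES]),
            "tx_packets": int(fields[TX_PACKETS]),
            "tx_errs": int(fields[TX_ERRS]),
        }
    return counters


def cacti_line(counters, iface):
    """One interface's counters as the space-separated name:value line Cacti parses."""
    c = counters[iface]
    return " ".join(f"{name}:{c[name]}" for name in CACTI_FIELDS)


def fetch_remote(host, user, keyfile):
    """Run the counter dump over SSH with the dedicated key.  With a forced command
    in authorized_keys the remote side ignores what we ask for and runs only
    'cat /proc/net/dev'; we still pass a command so ssh never requests a shell."""
    cmd = ["ssh", "-i", keyfile,
           "-o", "BatchMode=yes",                 # never prompt; fail if the key doesn't work
           "-o", "StrictHostKeyChecking=yes",     # refuse unknown or changed host keys
           "-o", "IdentitiesOnly=yes",
           f"{user}@{host}", "cat", "/proc/net/dev"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True, timeout=15).stdout


if __name__ == "__main__":
    # usage: cacti_ifstats.py <host> <user> <keyfile> <iface>   (all assumptions)
    host, user, keyfile, iface = sys.argv[1:5]
    print(cacti_line(parse_proc_net_dev(fetch_remote(host, user, keyfile)), iface))
```

In Cacti, point a “Script/Command” data input method at this script with the four arguments and map the six output fields; the counters are monotonic, so define the data source as COUNTER so the graph shows rates rather than totals.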

DNS is more critical than you think

DNS is often overlooked by novices. It doesn’t look too complicated, but in the end it is the glue that holds the internet together.

I’ve written about DNS before (sorry, German only), but I still use all that knowledge I learned back then every day. DNS is important for Active Directory (which has a whole separate page of possible issues), but it’s also very important for e-mail.

I’ve seen many smaller IT companies or hobbyists that host their own DNS (which is fine, it builds experience), but usually without a secondary DNS server.

The problem is that when no DNS server responds for a domain, strange things happen. The standards are clear that this is only a temporary failure (the resolver answers SERVFAIL, and the sending MTA should keep the mail in its queue and retry), but with the wrong combination of DNS resolver and MTA the lookup failure is treated as permanent, and mails bounce.

There are many companies offering secondary DNS services, but they’re usually not necessary: ask someone you know with a static IP address, and play secondary for each other. Or if you really want your own infrastructure, rent a server in Germany, which is pretty inexpensive and gives you a secondary MX and DNS server. Whichever way you go, put the secondary on a different network than the primary (otherwise one outage still takes both down), and restrict zone transfers on the primary to the secondary’s address so that nobody else can pull your whole zone.

Getting an SSL123 certificate for a .ch domain through Thawte

Thawte offers so-called SSL123 certificates, which can be issued in minutes. At least in theory.

These certificates are validated against the WHOIS records, i.e. the validation mail goes to an address found in the record. This works fine, but SWITCH has removed all e-mail addresses from their WHOIS records, probably to fight spam. Now, there’s an easy way out: just change your surname to an e-mail address before submitting the certificate request to Thawte, since the check evidently accepts an address found anywhere in the record. After you have your certificate, you can change your WHOIS record back.

I would really like to see SSL certificates provided by domain registrars. I think GoDaddy even does that for some of their domains, but SWITCH doesn’t.

LAN security with 802.1x

Security has been a major topic in IT for the past few years. I’ve seen several SMBs without a DHCP server, because this supposedly helps security.

Of course, just because you don’t have a DHCP server doesn’t mean that nobody can access your network: anyone who plugs in can watch the traffic for a minute and configure a free address from the range by hand. There’s a much better technology available that helps to prevent unauthorized devices from accessing your network. It’s called 802.1x.

In case you’re wondering, 802.1x can also be used with wireless LAN. I’ve written a little HOWTO about wireless 802.1x with Windows Server 2003 and Cisco APs.

Most access points support 802.1x, but with switches the functionality is a bit scarcer, especially if you’re looking at SMB equipment. But there are several vendors that offer 802.1x functionality in their switches at affordable prices.

But what is 802.1x? It’s a technology that allows authentication to take place at the link level, before the port passes any other traffic. It requires a RADIUS server as a backend (such as Microsoft IAS, which allows you to authenticate against Active Directory). The switch or AP (the authenticator) just relays EAP messages between the client (the supplicant) and the RADIUS server and only acts on the final Access-Accept or Access-Reject; this makes the switch/AP agnostic to the authentication method used.
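What the authenticator actually sees on the wire, as an added example (not from the post): it encodes and decodes the 802.1X frames of the opening exchange (EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity), wraps the EAP bytes in RADIUS EAP-Message attributes the way a switch forwards them, and shows that the switch only ever looks at the EAP code to decide whether to open the port. The MAC addresses and identity used are made up.

```python
"""Encode and decode the 802.1X (EAPOL) frames exchanged on a port before it opens.

Added example, not from the post.  The MACs and the identity are made up.
"""
import struct

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X port-access-entity group MAC
ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
EAP_TYPE_NAMES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
RADIUS_ATTR_EAP_MESSAGE = 79     # RFC 2869: EAP packets ride inside RADIUS as attribute 79


def eap_packet(code, identifier, eap_type=None, data=b""):
    """EAP header (code, id, length) plus optional type byte and type data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def eapol_frame(src_mac, eapol_type, body=b"", version=2):
    """Ethernet frame to the PAE group address carrying one EAPOL PDU."""
    header = PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
    return header + struct.pack("!BBH", version, eapol_type, len(body)) + body


def parse_eapol(frame):
    """Split a raw frame into its EAPOL fields; rejects non-EAPOL or truncated frames."""
    if len(frame) < 18:
        raise ValueError("frame too short for EAPOL")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL (ethertype 0x{ethertype:04x})")
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL body")
    return {"src": frame[6:12], "version": version, "type": eapol_type, "body": body}


def parse_eap(packet):
    """Decode the EAP header; Request/Response packets also carry a method type."""
    if len(packet) < 4:
        raise ValueError("EAP packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("bad EAP length")
    info = {"code": code, "id": identifier}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("Request/Response without type byte")
        info["type"] = packet[4]
        info["type_name"] = EAP_TYPE_NAMES.get(packet[4], f"type {packet[4]}")
        info["data"] = packet[5:length]
    return info


def radius_eap_message_attrs(eap):
    """Wrap an EAP packet in RADIUS EAP-Message attributes the way the authenticator
    forwards it; an attribute holds at most 253 bytes, so long packets are split."""
    attrs = []
    for offset in range(0, len(eap), 253):
        chunk = eap[offset:offset + 253]
        attrs.append(bytes([RADIUS_ATTR_EAP_MESSAGE, 2 + len(chunk)]) + chunk)
    return b"".join(attrs)


def authenticator_action(eap_from_radius):
    """All the switch needs from an EAP packet returned by RADIUS is the code;
    method-specific bytes (TLS records, MS-CHAPv2 challenges) are passed through."""
    code = parse_eap(eap_from_radius)["code"]
    if code == EAP_SUCCESS:
        return "open port"
    if code == EAP_FAILURE:
        return "keep port closed"
    return "relay to supplicant"


if __name__ == "__main__":
    supplicant = bytes.fromhex("001122334455")      # made-up client MAC
    switch = bytes.fromhex("00aabbccddee")          # made-up authenticator MAC
    start = eapol_frame(supplicant, EAPOL_START)    # 1. client announces itself
    print("supplicant    -> EAPOL type", parse_eapol(start)["type"])
    req = eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)   # 2. switch asks who is there
    print("authenticator ->", parse_eap(parse_eapol(eapol_frame(switch, EAPOL_EAP_PACKET, req))["body"]))
    resp = eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"alice@example.com")  # 3. answer
    eap = parse_eapol(eapol_frame(supplicant, EAPOL_EAP_PACKET, resp))["body"]
    print("supplicant    ->", parse_eap(eap))
    print("to RADIUS     ->", radius_eap_message_attrs(eap).hex())   # relayed untouched
    print("authenticator :", authenticator_action(eap_packet(EAP_SUCCESS, 1)))  # 4. accept
```

Two things worth noticing when reading the output: the Identity response travels in clear text on the wire (a reason to prefer PEAP or EAP-TLS, which tunnel the real credentials), and nothing but EAP-Success or EAP-Failure changes the port state, which is exactly why the switch needs no knowledge of the EAP method.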

802.1x can greatly enhance your network security. It prevents people from installing unauthenticated devices in your network. Of course, you will need to either whitelist older devices without 802.1x support by MAC address, or upgrade to newer devices with 802.1x support. Keep in mind that a MAC address whitelist is the weak spot of such a setup: anyone can clone the address of a whitelisted printer and plug in on its port, so keep those exceptions few and put them in their own VLAN. For example, all newer Lexmark/IBM printers fully support 802.1x out of the box.

Especially with the dawn of Windows Vista, which can configure 802.1x LAN authentication through GPO (XP could only configure wireless 802.1x through GPO), it makes sense to start implementing 802.1x.

Allied Telesis

Even new Allied Telesis (formerly Allied Telesyn) switches look like they’re at least 10 years old, but they offer all the features usually needed at nice price points. Their software is not always consistent between different product lines, but this shouldn’t be a problem for SMBs. For example the AT 9000/24 offers 802.1x support and 24 Gigabit Ethernet ports. The retail price in Switzerland is about 1000 CHF.

Linksys

Linksys, a brand of Cisco, also offers business switches with 802.1x support. The SRW2024 can be had for about 600 CHF, featuring 24 10/100 Mbit ports and 802.1x support.

Copying IAS configurations from one server to the next has some pitfalls

You can easily copy configurations from one IAS server to another; Microsoft documents this here.

Basically, you use netsh aaaa dump > file.txt to dump the config to a file, and netsh exec file.txt on the other server to import it.

But here comes the interesting part: after importing the configuration, my WLAN client failed to connect. Why? Simple: the dump doesn’t carry the server certificate selection over, because it refers to the certificate store of the original server. You will need to open the PEAP dialog in the policy’s EAP settings and choose a certificate installed on the new server. After that, everything will work fine.

Configuring your firewall to allow System i VPN traffic for ESA

Electronic Service Agent has supported VPN connections with NAT traversal since i5/OS V5R4 (there was a “beta” version of this in later i5/OS V5R3 CUM packages; earlier versions, like OS/400 V5R2, didn’t support VPN connections for ESA). Ensuring that your System i (or iSeries, or AS/400) can communicate with IBM is necessary if you have a HW or SW maintenance contract.

Now, if you want to allow this traffic through a firewall, you will find that IBM doesn’t document this much.

Generally, you will need to allow these things from your System i:

  • Outgoing ICMP echo request (ping)
  • Outgoing UDP traffic to ports 500 (IKE) and 4500 (IPsec NAT traversal)
  • Outgoing ESP packets (IP protocol 50, not a port; used when there is no NAT between the System i and IBM, otherwise ESP is carried inside UDP 4500)
  • Incoming packets belonging to established connections (this covers the echo replies and the IKE/ESP answers)

If that’s too broad for you, you can restrict the above traffic to these two IP addresses:

  • Boulder: 207.25.252.196
  • Rochester: 129.42.160.16

Note that these IP addresses may change in the future.

Why is something so slow over a VPN connection?

I’ve been asked many times why some applications are slow over a VPN connection.

In order to understand why this is the case, we must first understand what kind of slow is normal, and what isn’t.

The most popular problem with VPN connections are MTU issues. The test is not simply a large ping: without the don’t-fragment bit, a ping -l 1500 is just fragmented by the stack and works even on a broken path. Set the bit and use a payload that fills exactly one Ethernet frame: ping -f -l 1472 internal-ip on Windows, ping -M do -s 1472 on Linux (1472 bytes of payload plus 20 bytes of IP header and 8 bytes of ICMP header make 1500). Over a VPN this should be rejected with a “packet needs to be fragmented” message, because the tunnel headers take some of the 1500 bytes; lower the size until it passes, and you have the path MTU. If the large pings simply time out instead of being rejected, somebody drops the packets without sending the ICMP error back, and you have a real MTU issue: TCP stalls whenever it sends a full-sized segment.

The next step is to test the raw speed, by copying a file with FTP or SCP to and from a server. Is the speed okay? If the speed matches the lines used, your problem probably isn’t with the VPN connection.

The main problem with VPN connections is latency. The average round-trip latency from ADSL to ADSL here in Switzerland is about 80 ms. This is a lot of time, especially if an operation takes multiple round trips. If we look at other connectivity methods like UMTS (with about 500 ms latency), it gets a lot worse: 10 round trips over ADSL are almost a second, but 10 round trips over UMTS are 5 seconds.

You can use Wireshark to look at the traffic on the interface to see whether the application that is slow uses multiple round trips to achieve its goal.

There are several well-known applications that have problems with multiple round trips:

The most popular one is SMB: under certain circumstances it uses 5 to 10 round trips for a directory listing. This means 0.5 to 1 second wasted on network latency alone (and this doesn’t even include the transmission time). The solution varies: if you need access from a branch site, use DFS-R and a server local to that site; if you want road warriors to have faster access, use SharePoint.

Another thing causing many problems are ERP applications built on the “fat client” design principle (business logic in the client), which query the database directly; this ensures many, many round trips for every bit of information displayed. (Note that DIAS-iS doesn’t have this problem because it’s a thin client application, with the business logic on the server.) Another remedy is an ERP application which can have servers in multiple sites, but this is probably not SMB software anymore.

There’s not really a solution for this, because it means switching ERP applications, or getting your software provider to start supporting high-latency links. A bit drastic for latency problems.

An interesting application in this regard is Outlook, which is a hybrid. With Cached Exchange Mode enabled, it behaves like a thin client in the sense above, because it works on a local replica of the mailbox and doesn’t need a round trip for every item. So the solution for Outlook is to always use Cached Exchange Mode, a good idea anyway because it reduces load on the Exchange server.