Category Archives: Geekspeak

Treading in to SonicWALL Waters

As previously mentioned, we’re switching away from a one-year-old Watchguard Core x750e to a SonicWALL NSA 3500 at my place of employment in order to deploy a nice, widespread (geographically speaking), and expensive VPN.

I received the first half of my gear from Mark Moreno two weeks ago and immediately unboxed the NSA. It’s quite a purdy device! It’s sleek, silver, and has a very bright blue LED on the front. I powered it up and upon logging in to the web management interface, I was equally impressed by how shiny and web 2.0 the web UI was. Sadly, that’s where my enthusiasm ends for SonicWALL right now. I started digging around and was just overwhelmed at the options and the difference in terminology between the NSA and the Watchguard. After talking it up in the CITRT IRC channel, I was informed that the “public server wizard” was the way to go with configuring NAT policies since SonicWALL actually needs THREE rules to create one NAT rule. Not only do the NAT policies have to be defined, but then there is the firewall policy. Best I can tell, to NAT one port to one service would require the following steps without the wizard:

  1. Create “Address Objects”
  2. Create “Service” or “Service Group” if not predefined
  3. Create Firewall rule
  4. Create the three NAT policies

While four steps seem simple, it’s a lot of clicking and a lot of digging around, and so far, I’m not a fan. The wizard did a good enough job for some of my rules, but others don’t work right (they work for a few hours and then stop) and others don’t even work at all. At this point, the firewall is doing WAY too good of a job at blocking services from the outside world!

I’m sure it’s a PEBKAC or maybe even an ID ten T error, because so many people just love their SonicWALL stuff. A few minutes ago, I said this in the IRC channel, and I think it’s fairly accurate at a certain level:

<wantmoore> i’d almost go out on a limb and say “windows is to linux as watchguard is to sonicwall”
<DavidSzp> wantmoore: That’s an interesting analogy
<wantmoore> watchguard: much easier to do stuff and make it work. sonicwall: a lot more flexibility, but not nearly as straightforward
<stephensflc> I would totally agree with that statement at this point
<wantmoore> the analogy doesn’t stick where cost is concerned though ;)
<wantmoore> in that regard, watchguard is a WHOLE lot cheaper. sonicwall will nickel and dime you to death

And I’ll stand by those statements for now. I’m sure that Moreno will help me get my issues resolved and I’ll join the Happy SonicWALL Club soon enough. Until then, I really miss my Watchguard and I’ll be hanging out in the corner with my friend Ed talking about our plans to start up an anti-SonicWALL user group.

Installing GoDaddy SSL Root Certificate on Windows Mobile 5

A few months ago, we migrated to Kerio MailServer at work and I’ve been absolutely in love with the fact that it natively supports Microsoft’s ActiveSync. This means I can sync my mail, contacts, calendar, and to-do lists directly to my WinMo5-based Palm Treo 700w over-the-air. The only complaint I’ve had was that I’ve been doing it all via HTTP – yes, sans-SSL.

So, a few weeks ago, I set out to remedy the problem. I hopped around a few sites and did a little research and eventually decided to buy a two-year certificate from Go Daddy for $53 (I think). Getting it installed in Kerio was easy so then I tried changing ActiveSync on my Treo to use SSL. It failed. Miserably. Turns out, some of the reviews weren’t as accurate as I’d hoped and the new Go Daddy root certificate is not installed in Windows Mobile 5 by default as a trusted authority.

I searched and read and read some more to figure out how to do it. I found a slightly outdated knowledgebase article and started following the instructions. It didn’t work. In the process, I discovered that you can just copy the .cer file to the mobile device (I used an SD card) and open the .cer file from Explorer, and you’re prompted to import it. Armed with this knowledge, I tried both the old “Valicert Root – DER Format” and the new “Go Daddy Class 2 Certification Authority Root Certificate – DER Format” with mixed results. One loaded and the other did not. However, I still couldn’t sync via SSL. A little bit more of my Google-fu and I found “Go Daddy certs on certain phones” by The SBS Diva. At the very bottom of her post is a jewel: valicert_class2_root.zip. It’s the binary versions of the Go Daddy root certificates. You can export these yourself from IE by following the instructions there if you don’t trust them. Otherwise, just download the zip file, extract the two files from the archive, get them copied over to your WinMo5 device somehow, and execute them.

I can sleep a little easier tonight knowing my data is fully encrypted from my device back to the Kerio virtual machine.

Ubuntu 8.04 AD via Likewise Open

It appears the kind folks at Canonical have hit a home run, maybe even a grand-slam with Ubuntu 8.04 LTS. I took some time today to build a new template for VMWare Server with the 8.04 LTS Server ISO and then started playing. The first thing I wanted to test was the new app in the universe repository called Likewise Open.

It couldn’t be any easier to install. The universe repository was enabled by default, so here’s all I had to do:

  1. sudo apt-get install likewise-open
  2. sudo domainjoin-cli join yourdomain.com yourADusername
  3. sudo update-rc.d likewise-open defaults
  4. sudo /etc/init.d/likewise-open start

Step one will prompt you for some info about your AD environment. After executing number two above, you’ll be prompted for the AD password of the user provided. Once this is done, you log in by entering YOURDOMAIN\youruser at the login prompt.

The first thing on my agenda for tomorrow is to try and create some fileshares on this demo VM and see how well they work and how fine-grained I can be with AD security on those shares. If it goes well, there will be another Windows server saying goodbye.

Asterisk Presentation and Calculator

Yesterday afternoon, I had the privilege of speaking to a group of friends and colleagues about Asterisk. As promised, here are my slides.

Also, I created a “quick and dirty” spreadsheet to help you estimate what it might cost to implement Asterisk in your organization. By no means would I urge you to use this if you’re preparing a budget request, but it should be fairly safe if you assume a +/- 5% margin. For those who saw it yesterday at First Baptist Atlanta, I took the time to refine it a little more. I inserted a few IF statements to automatically add the echo-cancellation costs when you enter a number larger than zero for the number of T1 ports or analog ports.

Download Asterisk-Calculator

Upcoming Presentation

I’ll be giving a presentation about Asterisk tomorrow afternoon (Friday, April 24) at 2:00 PM to a group of Atlanta area IT Professionals. I was approached by Tony Dye and Jeffrey Thompson shortly after my visit to Perimeter Church several weeks back about coming back to give the talk and I’m definitely looking forward to it. Hopefully tomorrow I’ll post my slides as well as a neat little configurator thing I’m working on to help you get a rough idea of what it would cost to implement Asterisk.

More than likely, we’ll get a good audio recording to be posted online, but in addition to that, I hope to be able to stream the video live. So keep a check on my uStream channel tomorrow around 2:00 EST if you’re interested.

Microsoft Licensing and Server Virtualization

Are you planning to deploy VMWare Server, VMWare ESX, Microsoft Virtual Server, Hyper-V or some other virtualization technology and have no idea where to start trying to figure out what licenses you need? Let me see if I can clear this up for you a little…

The topic of Microsoft licensing in a virtual server/machine environment is a topic of frequent discussion in the CITRT IRC channel, so I feel like I’ve become a bit of an expert by observance. The question came up again today on itDiscuss, so I decided to write it all down in one place and then chase down some links so we could have this documented once and for all.

Here are the basics:

  1. Windows Server Standard – One instance. Period. Do not pass Go. Do not collect $200.
  2. Windows Server Enterprise – One physical install + four additional virtuals
  3. Windows Server Datacenter – One physical install + unlimited virtuals**

To back up number two above, here’s a quote from an FAQ found on Microsoft.com:

Licensing does not depend on which virtualization technology is used. With a license for Windows Server 2003 R2, Enterprise Edition, you can run one instance of the software in a physical operating system environment and up to four instances in virtual operating system environments. With VMWare GSX Server, this means you can run one physical instance plus four virtual instances. With VMWare ESX Server, it means you can run four virtual instances because there is no need for a physical instance.

As you may have noticed from that quote, Microsoft is surprisingly platform agnostic regarding which virtualization technology you choose (MS Virtual Server, VMWare, Xen, etc). For more information, check out the whitepaper published last year titled Licensing Microsoft Server Products with Virtual Machine Technologies. Their indifference may have something to do with the many accusations and lawsuits they continue to face regarding their monopolistic power. Regardless of the reasoning, it’s good news for everyone.

One rather important thing to keep in mind when thinking about licensing Microsoft Server products is that they are licensed per CPU socket, not CPU core. Can you say “THANK GOODNESS!”? This applies equally to VMWare ESX – you need enough HOST licenses of Windows Server to cover each physical processor socket in your ESX cluster.

It’s also important to keep in mind the fundamental differences in the various versions of Windows Server. For example, Server Standard (32-bit) is limited to accessing 4GB of RAM. This would likely be a non-issue for a guest install, but you certainly wouldn’t want to limit your Host box to that little memory. It’s not totally scary, just do your homework and you’ll be fine.

Microsoft has provided us with this handy little Licensing Calculator which should help you make sense of which version will be right for you and your implementation.

One final note (as denoted with ** above): Make sure you’re aware that with Datacenter Edition, you also need per-user or per-device CALs.

If anyone sees an inaccuracy in the information I’ve provided, please do leave a comment and I’ll update this post accordingly. Thanks to all the guys in IRC for helping compile and track down info, specifically, Tony Dye, Chris Green, and David Szpunar.

Big Project Ahead

The blogging has been pretty sparse here lately, and I’m quite aware of that fact. Most of the action for me has started happening over on Twitter because it’s so quick and easy.

I kicked off a major project or three at work this week and they’re all dependent on one central project: a massive VPN rollout. For those who don’t know, I work for a smallish company with a rather large footprint. Counting our corporate office where I work, we have 25 locations. Each branch office relies on several services housed at corporate and connects to these sources over the wide-open internet. A VPN has always been on my radar, but never really been considered fiscally until about two weeks ago when we finally decided to bite the bullet and do it.

My initial plan was to use OpenVPN running on top of Linksys WRT54GLs at the branches and grab a new Dell R200 to be the hub of the VPN. After about three days of flashing different firmwares on my Linksys at home (OpenWRT, dd-wrt, Sveasoft) and trying to make it work, I threw in the towel and went back to the drawing board. I’ve mentioned before that we have a Watchguard Firebox Core X750e at corporate and I’ve been mostly happy with it. A quick look showed the Firebox Edge X10e to be the cheapest endpoint available for this with Watchguard hardware. However, at around $300 each, this would really quickly get very expensive. Not only that, but I couldn’t come up with anyone I knew who had a Watchguard deployment of this size to ask their advice and opinions.

As I was seeking advice from my pals in the Church IT RoundTable IRC channel, by some act of providence, Mark Moreno decided to grace us with his presence in the channel. I definitely need to insert a disclaimer and an apology at this point. Mark is a guy who is really knowledgeable and passionate about the product he sells and he makes no excuses for being a salesman either. As a result, I’ve always given Moreno a really hard time about SonicWALL gear, mostly just for kicks. He knows to expect this kind of trash-talk whenever I’m around and always takes the ribbing in good fun. As Mark came in, I made the joke to everyone that I could probably make him drool with the details of the VPN project I was working on. Sure enough, he took the bait and started putting together some quotes. His initial number was somewhere in the range of $15,000 and I just laughed. We talked back and forth over the course of a few days and settled on a new SonicWALL NSA 3500 to replace the Firebox at corporate and 22 SonicWALL TZ 150 endpoints to go to the branch offices, stripped down to firmware only – no UTM or support options. The best part of all this is that Mark is preconfiguring all the VPN tunnels before shipping the hardware to me. I really give major props to Mark and SonicWALL for working hard to match an absolutely INSANE price that I found on NewEgg for the TZ 150. The final pricetag with hardware and his consulting time was just a little more than half of his original quote – quite a substantial savings!

Once the VPN is in place, I’ll finally be able to roll out the IP phones I’ve been sitting on for a year to the branch offices, implement a web-based time clock for our staff employees, and join the remote PCs to our Active Directory domain, which opens a TON of doors for management of these remote computers (software deployment and security patches via WSUS, to name a couple).

So, if you don’t hear from me in the next few weeks, just check my Twitter feed (also conveniently located in the sidebar of this blog) or drop me an email or leave a comment. I’ve got a lot of work to do! Thanks again to Mark Moreno for making this a reality from a budget standpoint. I’ll update here as we progress with the implementation and you can bet I’ll let you know if I hit any snafus specifically related to SonicWALL.