Category Archives: Work

Ubuntu 8.04 AD via Likewise Open

It appears the kind folks at Canonical have hit a home run, maybe even a grand slam, with Ubuntu 8.04 LTS. I took some time today to build a new template for VMware Server with the 8.04 LTS Server ISO and then started playing. The first thing I wanted to test was the new app in the universe repository called Likewise Open.

It couldn’t be any easier to install. The universe repository was enabled by default, so here’s all I had to do:

  1. sudo apt-get install likewise-open
  2. sudo domainjoin-cli join yourdomain.com yourADusername
  3. sudo update-rc.d likewise-open defaults
  4. sudo /etc/init.d/likewise-open start

Step one will prompt you for some info about your AD environment. After executing number two above, you’ll be prompted for the AD password of the user you provided (that account needs the right to join computers to the domain). Steps three and four register the Likewise service to start at boot and start it now. Once this is done, you log in by entering YOURDOMAIN\youruser at the login prompt.
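As an added example (not from the original post or the Likewise project), here is the same four-step join wrapped in a POSIX shell script, with the two checks that most often make a domain join fail (DNS not pointing at a domain controller, and clock skew beyond what Kerberos tolerates) and a verification step at the end. It assumes `host` (dnsutils) and `ntpdate` are installed on the VM, that the domain's DNS is reachable, and that the short (NetBIOS) name used in DOMAIN\user logins equals the first label of the DNS name, which is the common case but not guaranteed. `yourdomain.com` and `yourADusername` are the placeholders from the post.

```shell
#!/bin/sh
# Added example: pre-flight checks and verification around the likewise-open
# domain join. Not part of the original post or of Likewise Open.
# Usage: sh join-ad.sh yourdomain.com yourADusername

# Every AD domain publishes this SRV record for its domain controllers.
dc_srv_record() {
    printf '_ldap._tcp.dc._msdcs.%s' "$1"
}

# Likewise's default login form is DOMAIN\user. ASSUMPTION: the short
# (NetBIOS) domain name equals the first DNS label, upper-cased.
likewise_login() {
    domain=$1; user=$2
    short=$(printf '%s' "${domain%%.*}" | tr '[:lower:]' '[:upper:]')
    printf '%s\\%s' "$short" "$user"
}

# Returns the first DC host name from the SRV record (last field of host's
# "... has SRV record prio weight port target" line), or nothing.
first_dc() {
    host -t SRV "$(dc_srv_record "$1")" 2>/dev/null | awk '/SRV record/ { print $NF; exit }'
}

# Fail early if no DC SRV record resolves: domainjoin-cli needs DNS that
# knows about AD, not the ISP's resolvers.
check_dns() {
    [ -n "$(first_dc "$1")" ]
}

# Kerberos rejects tickets when clocks differ by more than 300 seconds
# (MIT default); ntpdate -q prints "server X, stratum N, offset S, delay D".
check_clock() {
    dc=$(first_dc "$1")
    ntpdate -q "$dc" 2>/dev/null | awk '
        /^server/ { o=$6; sub(/,/, "", o); if (o < 0) o = -o; ok = (o < 300) }
        END { exit (ok ? 0 : 1) }'
}

join_with_checks() {
    domain=$1; user=$2
    check_dns "$domain"   || { echo "no DC SRV record for $domain" >&2; return 1; }
    check_clock "$domain" || { echo "clock skew against the DC is too large" >&2; return 1; }
    sudo apt-get install -y likewise-open
    sudo domainjoin-cli join "$domain" "$user"     # prompts for the AD password
    sudo update-rc.d likewise-open defaults
    sudo /etc/init.d/likewise-open start
    # Verify: after the join, AD users should resolve through NSS.
    getent passwd "$(likewise_login "$domain" "$user")"
}

if [ "$#" -ge 2 ]; then
    join_with_checks "$1" "$2"
fi
```

If `check_dns` fails, fix the VM's resolver (it must point at a DC or at DNS that forwards to one) before retrying; if `getent` returns nothing after a join that reported success, restart the Likewise service and check that `/etc/nsswitch.conf` lists its module for `passwd` and `group`.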

The first thing on my agenda for tomorrow is to try and create some fileshares on this demo VM and see how well they work and how fine-grained I can be with AD security on those shares. If it goes well, there will be another Windows server saying goodbye.

Big Project Ahead

The blogging has been pretty sparse here lately, and I’m quite aware of that fact. Most of the action for me has started happening over on Twitter because it’s so quick and easy.

I kicked off a major project or three at work this week and they’re all dependent on one central project: a massive VPN rollout. For those who don’t know, I work for a smallish company with a rather large footprint. Counting our corporate office where I work, we have 25 locations. Each branch office relies on several services housed at corporate and connects to them over the wide-open internet. A VPN has always been on my radar, but it was never really considered fiscally until about two weeks ago, when we finally decided to bite the bullet and do it.

My initial plan was to use OpenVPN running on top of Linksys WRT54GLs at the branches and grab a new Dell R200 to be the hub of the VPN. After about three days of flashing different firmwares on my Linksys at home (OpenWRT, dd-wrt, Sveasoft) and trying to make it work, I threw in the towel and went back to the drawing board. I’ve mentioned before that we have a Watchguard Firebox Core X750e at corporate and I’ve been mostly happy with it. A quick look showed the Firebox Edge X10e to be the cheapest endpoint available for this with Watchguard hardware. However, at around $300 each, this would get very expensive very quickly. Not only that, but I couldn’t come up with anyone I knew who had a Watchguard deployment of this size to ask their advice and opinions.

As I was seeking advice from my pals in the Church IT RoundTable IRC channel, by some act of providence, Mark Moreno decided to grace us with his presence in the channel. I definitely need to insert a disclaimer and an apology at this point. Mark is a guy who is really knowledgeable and passionate about the product he sells and he makes no excuses for being a salesman either. As a result, I’ve always given Moreno a really hard time about SonicWALL gear, mostly just for kicks. He knows to expect this kind of trash-talk whenever I’m around and always takes the ribbing in good fun. As Mark came in, I made the joke to everyone that I could probably make him drool with the details of the VPN project I was working on. Sure enough, he took the bait and started putting together some quotes. His initial number was somewhere in the range of $15,000 and I just laughed. We talked back and forth over the course of a few days and settled on a new SonicWALL NSA 3500 to replace the Firebox at corporate and 22 SonicWALL TZ 150 endpoints to go to the branch offices, stripped down to firmware only – no UTM or support options. The best part of all this is that Mark is preconfiguring all the VPN tunnels before shipping the hardware to me. I really give major props to Mark and SonicWALL for working hard to match an absolutely INSANE price that I found on NewEgg for the TZ 150. The final price tag with hardware and his consulting time was just a little more than half of his original quote – quite a substantial savings!

Once the VPN is in place, I’ll finally be able to roll out the IP phones I’ve been sitting on for a year to the branch offices, implement a web-based time clock for our staff employees, and join the remote PCs to our Active Directory domain, which opens a TON of doors for managing these remote computers (software deployment and security patches via WSUS, to name a couple).

So, if you don’t hear from me in the next few weeks, just check my Twitter feed (also conveniently located in the sidebar of this blog) or drop me an email or leave a comment. I’ve got a lot of work to do! Thanks again to Mark Moreno for making this a reality from a budget standpoint. I’ll update here as we progress with the implementation and you can bet I’ll let you know if I hit any snafus specifically related to SonicWALL.

Watchguard DNS Invalid Response Problem

I’ve previously written about a slight problem caused by our Watchguard X750e firewall at the office. I still think it’s a great piece of hardware, but I occasionally run into little snafus like this one with Google Maps. I couldn’t find the info I needed on Google to fix this, so I had to figure it out on my own.

I’ve always known Google Maps to be a little quirky from the two computers I use while at work, but never thought to track down what was causing it. By quirky, I mean that more often than not, I would be left map-less and would have to do a hard refresh multiple times before it would draw the map or load the satellite imagery. After popping open the console today to see what Watchguard has to say about the problem, this is the log entry I see:

2008-02-12 09:21:21 Deny 192.168.1.2 216.239.32.10 dns/udp 1059 53 1-Trusted 0-External ProxyDeny: DNS Invalid response (DNS-00) src_ip_nat="66.20.xxx.xxx" src_port_nat="14340" proxy_act="DNS-Outgoing"

In the above, 192.168.1.2 is my internal DNS server, 216.239.32.10 is ns1.google.com (one of Google’s authoritative nameservers), and 66.20.xxx.xxx is the outward-facing interface on our firewall. What really struck me as odd about this was that my internal DNS should only be querying the DNS servers at AT&T – not Google. After a little trial and error, I found that I just needed to modify one setting in the default Watchguard DNS proxy to make this work. By default, this policy is aptly named “DNS” in your Fireware Policy Manager.

  1. Open the DNS policy and go to the “Properties” tab
  2. Next to the “Proxy action:” drop-down dialog, click the “View/Edit Proxy” button
  3. In the “General” section, under “Protocol Anomaly Detection Rules” change the drop-down next to “Not of class Internet” to “Allow” and click OK
  4. When prompted, give your newly-modified proxy settings a new name and save them
  5. Click OK to close the “Edit Policy Properties” dialog
  6. Save your new policy changes to your Firebox

I hope someone else finds this useful.

Note: At this point, I have no real idea exactly what the setting means, but it has fixed my problem and I haven’t seen any further side-effects. If anyone “in-the-know” thinks that allowing those queries is a problem, please let me know. I take no responsibility for any issues this may cause on your network.
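For anyone wondering what the rule actually checks: every DNS question and resource record carries a 16-bit CLASS field, and “Internet” is class IN (1); CH (3) and HS (4) are the other defined classes. One legitimate thing that does not fit that test is the EDNS0 OPT pseudo-record (RFC 6891), whose class field carries the requester’s UDP payload size (typically 4096) instead of IN. The log line above does not say which record triggered the deny, so whether that was the cause here is not known. The Python below is an added example, not code from the original post or from WatchGuard: it parses a DNS message from the wire and lists every question or record whose class is not IN, which is what a “Not of class Internet” check has to do. Both messages it parses are constructed inline: an ordinary A answer for a made-up name with an OPT record attached, and a CHAOS-class version.bind query.

```python
"""Parse DNS wire-format messages and flag anything whose CLASS is not IN.

Added example for the "Not of class Internet" discussion; the sample
messages below are constructed by hand, not captured from the firewall.
"""
import struct

CLASS_IN = 1
TYPE_A, TYPE_TXT, TYPE_OPT = 1, 16, 41


def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(data, offset):
    """Decode a possibly-compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            if end is None:
                end = offset + 2                       # caller resumes after the pointer
            offset = pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_dns_message(data):
    """Return header fields plus question/answer/authority/additional lists."""
    msg_id, flags, qd, an, ns, ar = struct.unpack_from("!6H", data, 0)
    offset = 12
    questions = []
    for _ in range(qd):
        name, offset = read_name(data, offset)
        qtype, qclass = struct.unpack_from("!HH", data, offset)
        offset += 4
        questions.append({"name": name, "type": qtype, "class": qclass})
    sections = {}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, offset = read_name(data, offset)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", data, offset)
            offset += 10
            rrs.append({"name": name, "type": rtype, "class": rclass,
                        "ttl": ttl, "rdata": data[offset:offset + rdlen]})
            offset += rdlen
        sections[section] = rrs
    return {"id": msg_id, "flags": flags, "question": questions, **sections}


def non_internet_class(msg):
    """List (section, name, type, class) for everything whose class is not IN."""
    hits = [("question", q["name"], q["type"], q["class"])
            for q in msg["question"] if q["class"] != CLASS_IN]
    for section in ("answer", "authority", "additional"):
        hits += [(section, rr["name"], rr["type"], rr["class"])
                 for rr in msg[section] if rr["class"] != CLASS_IN]
    return hits


def constructed_response():
    """Constructed: response for maps.example.com A with an EDNS0 OPT record."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 1)
    question = encode_name("maps.example.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
    # Answer name is a pointer to offset 12, where the question name starts.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 10])
    # OPT: root name, type 41, "class" = UDP payload size 4096, ttl = ext. flags 0.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
    return header + question + answer + opt


def constructed_chaos_query():
    """Constructed: a CHAOS-class version.bind TXT query (class 3)."""
    header = struct.pack("!6H", 0x0001, 0x0100, 1, 0, 0, 0)
    return header + encode_name("version.bind") + struct.pack("!HH", TYPE_TXT, 3)


if __name__ == "__main__":
    for label, raw in (("response", constructed_response()), ("chaos query", constructed_chaos_query())):
        print(label, "->", non_internet_class(parse_dns_message(raw)))
```

Run stand-alone, the first message is flagged only for its OPT record (class 4096 in the additional section) and the second for its CHAOS question. That is the trade-off behind switching the rule to “Allow”: it stops a proxy from dropping EDNS traffic, but it also stops it from rejecting any other non-IN class message; if the Firebox logs the offending record, checking that before loosening the rule is the narrower fix.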

SpiceWorks Webinar

The folks at SpiceWorks are hosting a webinar on Friday, January 25 at 11:00 AM EST (10:00 Central) to introduce folks to their FREE product. There will be a demo of the new SpiceWorks 2.0, some tips and tricks on how to best take advantage of the features of SpiceWorks in your environment, and some Q&A time at the end.

If you’re working in the IT field and aren’t using some sort of monitoring, inventory/asset management, and/or help desk, you really should carve this hour out of your schedule and check out SpiceWorks. I’ve only begun to look at it, and I’m very impressed so far.

Wings

Yesterday ended pretty well. The food at Buffalo Wild Wings was great – about 25 or so folks showed up. Got to meet Dave and Ed in-person finally and I think everyone had a good time.
[Photo: wings evidence]
Dave, Jason, and Ed might not fare so well in the Biggest Loser Contest if last night was any indicator…

If you happen to be one of the two or three people who follow my Twitter, you know that American managed to lose my luggage somewhere in the shuffle of me getting bumped to earlier flights, but when we got back to the hotel, American had been here with my bags, so it was a great day for flying for me. American is my new favorite airline, hands down.

Just finished up breakfast with Cisco and Nancy and we’re about to head over to Northwoods to check-in for the training. More to come later, specifically, photos of the training materials. You will be shocked.

Who Needs Geeks?

I recently overheard someone say “just because you are necessary, doesn’t mean you’re important!” I think this applies so well to the field of IT and while it’s funny, it might also make some of us do a harsh reality check.

It’s a bit ironic that only days after hearing that comment, I saw Get Me the Geeks! on 60 Minutes last night. Overall, it’s probably the most interesting 13 minutes of “news” I’ve seen on any of the major, national networks in several years. I found two bits within the story particularly entertaining:

Software companies will try and convince you it’s a hardware problem and hardware companies will do the reverse. According to one survey, 29 percent of all callers swear at their customer service representative, 21 percent just scream. The rest presumably are too exhausted to do either.

I’ve experienced this first hand before (the hardware/software dance) and it’s not particularly fun, especially when a mission-critical system is involved. Luckily, as a geek myself, I know what signs to recognize in the support person’s pre-written scripts and as a result, you can typically socially engineer your way into getting whatever it is you want from the person on the other end of the line. I’d be interested in seeing the rest of that survey and what the other response choices were, because I seriously have a hard time believing that only half of callers get to this point of anger. I have a feeling another good chunk end up just getting frustrated, hang up without a resolution, and then call their favorite neighborhood geek.

This is the other thing that struck me as just… well, I’m not sure…

Dr. Donald Norman is an uber-geek – a professor at Northwestern University and one of the preeminent engineers in the country. He helped set the technical standards for high definition television in the U.S., but he had to hire a geek to set up his own TV.

I’m sorry, but is it really that complicated, or is “PhD” maybe just another way to spell “dumb”? It really is a relatively simple process, especially with the advent of HDMI! Even before HDMI, when we were using component video cables, it was pretty simple: yellow to yellow, red to red, white to white. Done.

Anyhow, if you’ve ever had a funny experience with tech support or are at all a geek, you’ll enjoy the piece I think. Check it out.

Georgia Job Opening

I’ve gotten word of a job opening in the IT field at a private company in Upstate Georgia (Toccoa area). Should be experienced in PHP, C#, and have two years of experience in debugging applications. Appears to be heavy on the side of developing this company’s website. Salary in the $45,000-50,000 range, depending on experience of course. If you’re interested or know someone who is, leave a comment and I’ll get in touch via email with more information.