Articles by llauren

You are currently browsing llauren’s articles.

How i learned to bicycle

Sun 5-Sep-2010 in english | Please leave a comment!

I have a blog on Vox. I think i originally got it because it was an easy place to post mobile photos to. These days, i can do that with Flickr, Lokala and my Core dump, which is one reason why i haven’t posted to my Vox site for two and a half years. And evidently, i’m not alone, since Vox is now closing down.

I really only wrote one good post to Vox. In fact, i really only wrote one post to Vox. The rest are phone cam pics. And while copies of them probably exist elsewhere (not that it matters much with these pictures), i wanted to save this. It was an answer to the question Vox asked for inspiration:

Who taught you how to ride a bike?

My dad. I still remember it, and thinking of it, it is one of the most vivid memories i have left of him. We were at this traffic park (i don’t know if you have them in your part of the world, but basically it’s a bunch of streets with traffic signs and all, resembling the streets of a small town but meant for kids and their bikes).  I felt very wobbly but my dad said just pedal on and i’ll hold on to your bike for as long as is needed.

I pedalled and wobbled, my dad jogged behind the bike. In fact, i can still hear his steps now.

Eventually my biking started to get stable enough for me to actually trust my own biking. I believed i looked behind and my smiling dad told me that he’d already let go of the bike long ago!

In retrospect, i don’t know how that didn’t turn out to be the penultimate trustbreaker, but it wasn’t. Instead, i learned how to bike.

Thanks dad. I’ll teach my kids too.

- – -

Since i wrote this in January 2007, i have taught my daughter how to bicycle and i am teaching my son how to. I ran/run behind their bikes, but i think i was a bit more careful and communicating about letting go. Or maybe he too knew when he could. Maybe dads do :)

Tags: ,

Support the musician

Fri 14-May-2010 in english | 2 comments

In these days of “free” music, there are a few views i’d like to present. These are views of my own and about how i like to spend money on music, and on musicians.

First a confession. I do … no wait, i have pirated music. I just realized that it’s been quite a while since. Services like Grooveshark and Spotify have effectively cut away my need to steal music. But yes, i do have bits of music on a few hard drives somewhere that do not belong to me. I’m not sure exactly where because i haven’t listened to them for a while. Maybe they’re on one of my hard disks that have crashed and the crime is prescribed.

That said, i also buy music. I don’t have the numbers, but we’re talking about maybe thirty CDs a year. Used to be more, but then Frans Keylard put his Rogues’ Gallery show on hiatus, which has been a blessing for my economy. But here’s the deal. Especially during my Rogues’ Gallery-induced shopping sprees, i often chose to buy music from artists i listened to on the shows, knowing that i probably won’t listen to them too much off-line. It was a conscious decision, not just to get a CD of music i liked, but primarily because i wanted to support the musicians making this great stuff! Yes, i could still hear them for free, but i wanted to put my money in the direction where the good stuff is made. 4517668895_4e56c3e3ed

Here’s another hook. As far as i can, i always try to buy the CDs from the artists themselves, or from their own label or outlet. And if there’s a Special Edition of any kind, as long as it isn’t stupidly expensive, i buy it. I’ve long thought about the economics of music and just a few days ago, i stumbled across this beautiful graph about just that. In short, if an artist wants to make “minimum wage” in the US, s/he needs a monthly sell of 143 self-pressed and delivered CDs. Sold in a “high street” shop or on iTunes, the number is between one and four thousand. The artist would need to sell 12’399 tracks on iTunes or Amazon to make US$1’160 a month, or stream 0.8 million times on Rhapsody, 1.5 million times on Last.FM or a whopping 4.5 million on Spotify. One album purchase straight from the source goes a long way.

I do realize that that much of my music money goes to artists who aren’t with a big honking record company, making it possible to buy from the artist themselves (case ex point, Radiohead, whose In Rainbows download i bought as well). The most financially successful artist i buy records from must be Porcupine Tree and Peter Gabriel. I bought pg’s Scratch My Back from WOMAD, and received a download of the album while-you-wait-for-delivery and a download code for a 24 bit rendition of the record.

Just the other day, i received the new The Alarm album Direct Action. I saw it on Last.FM, checked it out on Spotify, liked what i heard (a lot!) and bought it straight from the source. I received a special CD+DVD edition and got a interview+live CD as an extra surprise. And a warm and fuzzy feeling. How can i not honk my horn about a service and a delivery like that? And i’m waiting for Anathema’s “We’re here because we’re here” CD+DVD+book and Pineapple Thief’s “Someone here is missing” CD+book+sticky-notes bunch, both from the Burning Shed label store. The Marillion Weekend 2009 CDs arrived a few weeks back and the DVDs will as soon as they are pressed.

And just as extra icing, i tend to have them delivered to work, just to make my day :)

Tags: , , , , , ,

Five Fifteen still swing like a moose

Thu 6-May-2010 in english | 1 comment

Yay! I’m 40! Which is celebrated in low key style: yesterday i was to see 5.15, today i was awoken by wife and kids, tomorrow it’s dinner with friends, Saturday is day-off as my wife’s bro’s kid’s christening and Sunday it’s family gathering. But most of that is completely beside the point, because this is a write up about yesterday’s Five Fifteen gig. And some of it is true.

Not long ago, long haired internationally acclaimed rock and roll star Mika Järvinen got a telephone call in French. The person on the other side of the line wanted to know whether Five Fifteen would be available for a festival performance in what now is a week from now. Being the man he is, he of course said yes, then silently shook his head and proceeded to resurrect the band that had been on hiatus for the last few years. Most of the band members hadn’t played Five Fifteen for years and one guy in particular (on guitar) needed to stream his old performances from Spotify and YouTube to remind himself what he’d played back then, and how.

Yesterday night, Helsinki rock club On The Rocks was testing ground for Five Fifteen, freshly pulled from naphthalene. I talked with Mika before the show. He complained that he had “a good old-fashioned flu” and his back was sore. He was drinking something hot and didn’t sound like he was quite in shape for rock and roll.

Boy that changed.

Half an hour later, no less than eight musicians entered the fairly timid On the Rocks stage. The night had begun with a stand up comedy show and Mika promised the comedy would continue. Suddenly he was in an excellent mood, throwing jokes and looking great.

The band opened with Alcohol (Intro) from the last album and continued with Call the Doctor from (one of) the first. The night was a mix between the Alcohol record and stuff from all the back catalogue. It sounded very fat and very rock and roll. It was much appreciated. Extra kudos to the stuntman keyboardist and the drumming that i hadn’t appreciated enough before. It had sounded rather unspectacular on CD, compared to this!

In fact, i’ve always thunk there are two Five Fifteens, one on record and another on stage. The Five Fifteen on record sounds near-clinically sharp with well defined notes while the one on stage swings like a moose on a train and will not be stop. Sure things go a little wrong at times (like a guitar chord a step down or “hey, how do the lyrics start?” during the intro of the last song) but that just didn’t matter at all. It was full ahead, both on the more rocking tracks, the proggier tunes and the softer bits.

I for one welcome Five Fifteen to the stage. You were sorely missed and it’s good to see you back.

Tags: , ,

Your car: No user serviceable parts inside

Thu 15-Apr-2010 in english, rants | 1 comment

How is it that a modern car is built to be as hostile to maintenance as possible, whereas a modern desktop computer is a dream to upgrade? And i’m talking about hardware here, in both cases.

An everyday example would be to change the light bulbs. In both my and my wife’s car, even attempting to perform this simple maintenance procedure will result in dirty clothing and body parts, possible cuts and much vituperation. A challenging task like changing that belt thingy which needs to be replaced every two years or so, requires the careful removal of all the engine and takes all day for a professional car service crew. Why has this been made so purposefully complicated?

Lately, i’ve also had to install a bunch of PCs and a rather impressive switch. Both are from HP and it’s obvious they’ve been built with hardware service in mind. Hoorays and kudos for Hewlett-Packard.

The PCs needed a second hard disk and a memory upgrade, the switch an additional bay of switch ports, a few optical interfaces and a redundant power supply. Compared to a few light bulbs, this does sound like rocket surgery, at least in writing. But nay. The PC cover comes off with a lifting of a handle. No tools required. A new hard disk can be slotted into its bay after fastening four guide screws onto the disk. And to install memory, you just slot it in and press the fastening clamps. On the smaller PCs, you can push a button to swing the power supply and the optical disc unit to the side so you can reach the memory slots without the slightest amount of pain. Or cuts, dirt or vituperation, for that matter. As a footnote, this goes for HP computers and network equipment. Your mileage may vary.

Since light bulbs, belts and whatnots need to be replaced in cars, either by users or professionals, why are they built according to the “no user serviceable parts inside” doctrine? I understand the protectionist argument that non-professionals (“muggles”) should keep their hands away from the innards of delicate machinery but having an easily serviceable car would make the lives of the professionals themselves so much easier. Is it just so that the car designers don’t give a crap about this stakeholder group?

Tags: , , , ,

Also on Posterous

Fri 19-Mar-2010 in english | Please leave a comment!

Just thought i’d mention, i post a bit from my account at Posterous too. A pritty good example of lack-of-interoperability :)

At the same time i must say that Posterous is pretty darn convenient.

Scratch my back

Wed 3-Mar-2010 in english | Please leave a comment!

Peter Gabriel’s new cover album Scratch My Back made me sit in silence at the parking lot in my slowly chilling car while giving time for the last track to end. It’s a very emotional album and it’s that good. Songs i knew better from before, Boy in the bubble and Heroes, suddenly sounded so relevant, so right and so very gabrielish, and even brought a tear to the corner of my eye while listening to them. Even some songs that i just knew that i’ve heard before sent standing waves through all of my body and sparks of recognition when i realized that i’d heard this before… in quite another suite. It’s a powerful ride.

That said, Scratch My Back is not for everybody. It is different, but if you like Peter Gabriel’s music, it’s a good kind of different. There are no traditional rock music instruments. There’s a classical orchestra and Peter Gabriel’s voice. I’d like to say, “that’s it”, but that would just belittle what “that” is. You can get a taste of what the songs are like by watching the videos on the site.

Or you can also do as i did and buy the record from Womad shop. The price for the 2CD special edition is £13.51 with p&p included (the 2CD as Apple lossless downloadable for £7.99 (format). The CD arrived in a few days. You also get one complementary mp3 download of the album while you wait and a code for a 24 bit download of the album with the record itself. Yeah, CDs are only 16 bits, this is an upgrade. I just wonder if i have any 24 bit DAC that can actually take advantage of the greater dynamic resolution. Scratch my back is a very dynamic album – you’ll need to adjust the volume if you’re listening in the car and have passengers – and i guess the 24 bit edition must be even more so.

On a final note, Scratch My Back is part of an interesting project where artists Gabriel covers also make reciprocal covers of Gabriel’s songs. The focus currently is on Paul Simon performing Biko.

Tags: ,

Vain yhden kompakysymyksen tähden

Tue 2-Mar-2010 in rants, suomeksi | Anna palautetta!

Nyt suututtaa. Ottaa pannuun. Ituttaa. Tulin juuri takaisin asentajakurssini näyttökokeesta missä koko homma meni puihin vain koska joku kokeen laatijoista oli keksinyt pienen koukun tehtävään.

Itse tehtävänanto oli ihan mielekäs. Otetaan verkkoavaruus joka pilkotaan pariksi aliverkoksi ja nämä erillisiksi VLANeiksi. Molemmissa VLANissa kolme työasemaa, toisessa myös palvelin. VLANit konfiguroidaan kytkimeen. Toiseen VLANiin tulee siis Windows-palvelin joka toimii kyseisen verkon DNS- sekä DHCP-palvelimena ja reitittimenä. VLANista jossa palvelin pitää olla pääsy Internettiin, toisesta VLANista ei. ja VLANien sisäinen liikenne sallitaan ja niiden välinen liikennöinti on kielletty.

Melkein realistinen tehtävä, ainoastaan VLANien välinen liikennöinti oli hieman oudoksuttava. Sekä tietenkin se että Oikeassa Elämässä Windows-palvelin ei välttämättä ole se paras valinta reitittimeksi mutta ei anneta sen asian häiritä. Tehtävään oli annettu kaksi tietokonetta, toinen palvelimeksi ja toinen työasemaksi, yksi hallittava HP 2626-kytkin sekä yksi pikkukytkin “josta tulee Internettiä”.

Joten eikun töihin.

Jotta Windows saadaan taivutettua reitittimeksi, se tarvitsee kaksi verkkorajapintaa, yleensä verkko-korttia. Tässäkin koneessa oli kaksi verkkokorttia, yksi emolevyllä ja toinen lisäkortilla. Ongelma oli vain se että vain toinen korteista näkyi Windowsissa, eikä ollut edes ihan selvää mikä niistä kahdesta kortista näkyi ja mikä oli piilossa. Molempien korttien linkki- ja vilkkuvalot kuitenkin tuikki iloisesti kun ne kytkimeen laittoi. Eikä näkynyt Device managerissa, vaikka olisi pyytänyt refreshiä. Eikä sitten näkynyt Linuxissa (kokeilin kahta). Eikä millään Wizardinraakileella. Eikä löytynyt mitään ajureita. Eikä ohjeita. Eikä mitään. Apuakaan ei saanut muuta kuin että “99% varmuudella kone ei ole rikki”.

No, inspiraatiota odottaessa kytkintä konffaamaan. Minulla oli mukana ylimääräinen Linux-läppäri joten sillä pääsin hieman monitoroimaan jahka yhteydet toimi. Vähän liiankin hyvin taisivat toimia sillä Linuxilla pääsin juttelemaan VLANista toiseen siinä missä Windowsilla en edes VLANin sisällä. No, sekin oli väliaikaista.

Mutta se kirotun verkkokortti. BIOSista olisin katsonut mutta kun se oli säädetty niin että POST-screeni välähti vain ohi sekunnin murto-osassa eikä sinä aikana ehtinyt nähdä mikä namiska olisi sen BIOS-säädön aktivoinut. Buutattuani koneen seitsemännen kerran peräkkäin nyrkkini taisi osua oikein koska BIOS-käyttöliittymä aukeni.

Ei silleen että siellä olisi ollut mitään apua.

Huokasin syvään ja ajattelin että vika on kuitenkin minussa (klassinen huonon kälin vaikutus muuten).

Koska en kerta kaikkiaan saanut toista NICciä käynnistymään rupesin keksimään muita viritelmiä. Kytkin reitittimeksi. Onnistuu, ainakin jotenkin. Mutta ei se liikennöinti oikein ottanut tuulta. Vähän köhi vain. Entä jos sen onnettoman toimivan verkko-kortin saisin VLANitettua kahteen verkkoon? Ei Windowsissa. Linuxissa onnistui kyllä mutta siihen loppui sitten paukut kun olisi pitänyt konffata nimi- ja osoitepalveut sekä VLANien välinen reititys komentoriviltä. Ja sitten terminoida se trunkattu verkkopiuha kytkimeen, mieluiten käyttämättä VLAN-numeroa yksi jolla se verkko sitten jutteli “Internetin” kanssa. En minäkään niin guru ole, vaikka seuraavaan tenttiin pitää vissiin olla.

Siinä samassa tuli sitten tuhottua tehtävänannon mukaiset konffikset muiden epätoivoisten säätöjen mukaan. Ja silleen.

Neljän tunnin itseruoskimisen jälkeen, koe loppui. Kysyin valvojalta että mikä tässä nyt oli. Hän kertoi että toinen NICci (todellakin) oli disabloitu BIOSista ja että se säätö on todella syvällä.

Todella syvältä, sanon minä.

Tässä olen opiskellut Windowsin ja werkkojen säätöä 9 kk. Viettänyt pari huonosti nukuttua yötä, ja heittänyt suuren osan tämän päivän laskutettavasta työajasta lähinnä hermoiluun. Keskittynyt kurssin sisällön oppimiseen, ja sitten lyödään naamaan tällä tavalla. Tuntuu loukkaavalta.

Höh.

Ja ylihuomenna pitäisi olla kurssin päätöstilaisuus. Ei oikein huvita.

Tags: ,

SonicWall VPN with RADIUS authentication

Thu 11-Feb-2010 in english, sysadmin | Please leave a comment!

SonicWall has a rather nice VPN application called Global Client. What makes it nice is that it does most of the configuration jobs transparently to the user. And for the network administrator, setting up a VPN really is a one banana job.

The flip side of this is that it’s too easy to set up a VPN server with only Shared Secret authentication. This is all nice and fine if you have two or three VPN users but for any real installation, you really should authenticate the users individually. And if your real installation is based on Microsoft Windows, you probably have an Active Directory on the backline which already has all the users on it.

I’ve been handheld through one such installation and this is the attempt to get another one running, while blogging about the experience.

Prereq

The magic ingredient here is the RADIUS server (Remote Authentication Dial-In User Service). On Windows 2003, the RADIUS service is provided by the Internet Authentication Service, IAS. On Windows 2008 it’s a part of the Network Policy Server. SonicWall has a pretty decent techdoc about configuring RADIUS authentication on Windows Server 2003 but the 2008 implementation is left as an exercise to the reader.

If NPS isn’t installed yet, add it from Server manager –> Roles –> Add role.

The prerequisite step is to create a Windows Active Directory group of folks who will be granted VPN access using RADIUS authentication. While you could use All Users, you might be slipping in a few test users (username test, password test – i’m sure you don’t have any of those on your net, right?). So be a good sysadmin and create the group VPN users, then add users or groups there manually.

Now you can fire up the Internet Authentication Service or Network Policy Server.

RADIUS

imageThe first step is to add a RADIUS client to the configuration. A RADIUS client is the box which uses RADIUS, not the end user itself, using the box. So in this case, we’ll add the Firewall as a RADIUS client.

On Windows 2003, right-click RADIUS Clients –> New RADIUS Client. On Windows 2008, RADIUS Clients and Servers –> RADIUS Clients (right-click) –> New RADIUS Client. Give it the Friendly Name “Firewall” and fill in the IP address. For this discussion, we’ll say the firewall lives at 192.168.42.1. The Client-Vendor can be set to RADIUS Standard. I don’t know if the SonicWall supports the Additional Options listed, so you can leave them blank.

Now tap in a fairly complex Shared Secret which the RADIUS server and the firewall will use, into Notepad. You’ll need the same Shared Secret later.

Since you’ll probably want to test the connection, create a similar RADIUS Client for either your own PC if you happen to be on the local network at the time, or at some test server. Or at the RADIUS server itself, which means you’ll need to add a RADIUS client either for the local IP address or 127.0.0.1. I found a fairly decent, and non-cost RADIUS test client at IEA Software called Radlogin. The least i can do for the favour is to suggest you check out the client too.

The next step is to create a Remote Access Policy. On Windows 2003, right click Remote Access Policies –> New Remote Access Policy. On Windows 2008, it’s complicated. I’ll get to that in a paragraph or two.

If you’re still on 2003, a wizard appears. Name your new “Custom Policy” something like VPN Authentication. Now you need to add the following Policy Conditions: NAS-IP-Address is the one of your firewall, eg 192.168.42.1, and Windows-Groups is the group VPN Users you created in the prerequisite step above. As an extra measure, you could also demand that the NAS-IP-Address matches that of your firewall. In that way you can use RADIUS for other fun things too. Click Next. Tick the right radio button so that these users should be Granted remote access permission. Next. Now you’ll still need to Edit the Profile. On the Authentication tab, check all Authentication methods except Unauthenticated access. Unfortunately the current Sonic Walls do not reliably use MS-CHAP2, which is a shame. We’ll even need to tick the trivially encrypted CHAP and the non-encrypted PAP. Not much for security, i know. On the Advanced tab, make sure you have the following attributes selected: Service-Type: Framed, and Framed-Protocol: PPP, both of vendor “RADIUS Standard”.

Phew. And now for Windows 2008.

NPS –> Policies –> Network Policies (right-click) –> New. This will also pop up a wizard. Give the Policy a name like VPN Authentication and set the Type of network access to Remote Access Server. Add the following Conditions: User Groups (or Windows Groups) must be the VPN Users group you selected above. Then scroll down down down the Conditions list and require that the RADIUS Client –> Client IPv4 Address is that of your firewall, for the very same reasons as above. Do that now or later when the test shows green lights. Next. Access Granted. Next. Select all the Less Secure Authentication Methods except the last two, Allow clients to connect without negotiating… and machine health check only. You can uncheck CHAP and PAP while you test the RADIUS authentication later from the firewall, as they are security holes.

Run Radlogin and test whether you get a response, Good or Bad, or whether you get a Timeout. A Timeout probably means that you haven’t got the RADIUS Client configured right on the NPS. A Bad response probably means that your Constraints are wrong.

The Wall

Here’s a tip. Use anything but Internet Explorer to manage the SonicWall. It emits such buggy HTML code that it’s just hopelessly slow with IE.

I might be taking an extra step here because we also wanted RADIUS authentication to the firewall. In that case, you’re getting two settings at the price of one. Live with it and log on to the SonicWall admin interface.

A safety measure, add a Local User to the firewall which we’ll also allow access in case the RADIUS server is in a twist. For this discussion, we’ll call this user Backdoor. Put Backdoor into relevant groups (Firewall Admin). On the VPN Access tab, give Backdoor the appropriate networks (Firewalled subnets).

Then we want to create a group for VPN users. Thus, go to Users –> Local Groups (sic) and click Add Group. On the Settings tab, call your group VPN Users. On the Members tab, scroll down the left box and hopefully you should find the entry All RADIUS Users. Add it. Also add the Backdoor user we created above. Under the VPN Access tab, add whatever networks you see fit; LAN Subnets may be what you’re looking for. Edit the CFS policy if you (really) want to.

Now from Users –> Settings, set the Authentication method for login to RADIUS + Local and click the Configure button. What now probably happens is that you configure the global settings for the whole firewall, not just the VPN login. On the now popped-up RADIUS Configuration Settings tab, enter the name or IP address of your RADIUS server, the one you created half a page up. Find that Notepad page where you created the Shared Secret and paste it in the corresponding box. On the RADIUS Users tab, tick Local configuration only (yeah, beats me too) and select the VPN Users as the Default RADIUS group.

Final step, and now it’s time to take a deep breath. If you’re configuring this over a VPN connection, make sure you have a backup plan, because you’re now going to change the VPN access settings. Thus, go to VPN –> Settings. I’m assuming that you already have a WAN GroupVPN in place. Click the pencil icon to edit the entry. Switch to the Advanced tab. Check Require Authentication of VPN Clients via XAUTH and choose your previously created VPN Users group as the User Group. Also Enable NetBIOS Broadcasts while you’re at it.

Click OK.

Test your VPN settings. Breathe normally.

Extra sugar

For extra brownie points, you can configure firewall administration logins to be authenticated by RADIUS. From Network –> Interfaces –> LAN –> edit pencil, tick all relevant Management options and the HTTPS User Login checkbox. Voilá, RADIUS authentication to the firewall!

I wonder what we can authenticate next… :)

Tags: , , , , ,

We ping

Wed 10-Feb-2010 in english, sysadmin | Please leave a comment!

I’m taking this course on basically what i already do at work, so the Windows server environment, networking and the F-Secure antivirus infrastructure. For the last few weeks, we’ve been talking networks and working with the Cisco Packet Tracer network simulator, which has been good and fine but still a bit… virtual. Tonight we finally had a real hands on lab session and to see the bits fly on actual iron was really gratifying!

We worked in pairs and our assignment, which grew at the pace we got the basic bits configured, came to be an not altogether uncomplicated one.

Cisco Packet Tracer sample

Two Cisco 2600 series routers connected by serial. Both routers have HP Procurve switches connected with them and there are virtual LANs on the switches which are terminated on the routers. An ADSL modem connected to the other switch, a DSLAM connected to the ADSL, an uplink to the school network from the DSLAM. RIP 2 routing between all networks.

Getting pings return from the Internet on something you’ve built yourself – fairly funky.

So that i have even a vague memory of what i did, i’ll just jot down the configuration steps after the break.

Read the rest of this entry »

Tags: ,

Re-activating certificates with SBS 2008

Wed 3-Feb-2010 in english, sysadmin | Please leave a comment!

The other day, a client at a customer of mine called in to say that “her remote connection does not work”. It took a little while to interpret her problems into technical terms; what she meant was that when outside the office, her Outlook wouldn’t synchronize. I’ve since learned that working with a remote connection also may mean working with a laptop when it’s off-site or just non-docked, regardless if there’s an actual connection involved or not.

But back to the agenda.

First i thought there was something wrong with her Outlook, but after some investigation i came to believe there was something fishy with the certificate presented by the customer’s server. Which is a Microsoft Small Business Server 2008. This could be confirmed by taking a https connection to their Outlook Web Access thingy, which also gave a SSL cert error. It was using the wrong certificate. Bugger.

To remedy, i took a remote c… a VPN connection + an RDP session (see, it’s ambiguous enough if i write it!) to the server and opened up – hear this – the Exchange Powershell console. Issue the statement Get-ExchangeCertificate and you get a list of the SSL certificates the host knows of. The one you’re looking for is probably the one with a hostname and a hint of commercial spice (say Old Thawte). To verify, you can write Get-ExchangeCertificate <thumbprint of relevant certificate> | fl which will give you more info. Now chant Enable-ExchangeCertificate <thumbprint of relevant certificate here> and inform the applet you’ll want to enable it for IIS, the IIS Itertubes Server. Verify with a connection to the Outlook Web Access Thingy and close the Powershell console. You rock. Already.

Since we’re talking about an SBS, we have the Remote Web Workplace installed. RWW provides, among other neat things, a terminal server gateway to the servers inside, and it too relies on an SSL certificate being valid. Thus, with your RDP session still open from the above paragraph, go Start –> Administrative tools –> Terminal services –> TS Gateway Manager. Right click the gateway server name and select Properties. Click the SSL Certificate tab. Pick Select an existing certificate and click the Browse Certificates button. Choose the right certificate, ie. the same one as above, and click Install [sic]. Then OK yourself out of there and verify.

You rock. Fully.

Now you would technically have the time to ponder the reasons why the certificate fell out of grace with the server in the first place, but since you’re the overworked sysadmin you are, you’ll save that as pillow reading for tonight.

Tags: , , , , , ,

« Older entries

Bad Behavior has blocked 648 access attempts in the last 7 days.

Bear