english


Peter Gabriel’s new cover album Scratch My Back made me sit in silence at the parking lot in my slowly chilling car while giving time for the last track to end. It’s a very emotional album and it’s that good. Songs i knew better from before, Boy in the bubble and Heroes, suddenly sounded so relevant, so right and so very gabrielish, and even brought a tear to the corner of my eye while listening to them. Even some songs that i just knew that i’ve heard before sent standing waves through all of my body and sparks of recognition when i realized that i’d heard this before… in quite another suite. It’s a powerful ride.

That said, Scratch My Back is not for everybody. It is different, but if you like Peter Gabriel’s music, it’s a good kind of different. There are no traditional rock music instruments. There’s a classical orchestra and Peter Gabriel’s voice. I’d like to say, “that’s it”, but that would just belittle what “that” is. You can get a taste of what the songs are like by watching the videos on the site.

Or you can also do as i did and buy the record from the Womad shop. The price for the 2CD special edition is £13.51 with p&p included (or the 2CD as an Apple Lossless download for £7.99). The CD arrived in a few days. You also get one complimentary mp3 download of the album while you wait and a code for a 24 bit download of the album with the record itself. Yeah, CDs are only 16 bits, this is an upgrade. I just wonder if i have any 24 bit DAC that can actually take advantage of the greater dynamic resolution. Scratch my back is a very dynamic album – you’ll need to adjust the volume if you’re listening in the car and have passengers – and i guess the 24 bit edition must be even more so.

On a final note, Scratch My Back is part of an interesting project where artists Gabriel covers also make reciprocal covers of Gabriel’s songs. The focus currently is on Paul Simon performing Biko.


SonicWall has a rather nice VPN application called Global Client. What makes it nice is that it does most of the configuration jobs transparently to the user. And for the network administrator, setting up a VPN really is a one banana job.

The flip side of this is that it’s too easy to set up a VPN server with only Shared Secret authentication. This is all nice and fine if you have two or three VPN users but for any real installation, you really should authenticate the users individually. And if your real installation is based on Microsoft Windows, you probably have an Active Directory at the back end which already has all the users in it.

I’ve been handheld through one such installation and this is the attempt to get another one running, while blogging about the experience.

Prereq

The magic ingredient here is the RADIUS server (Remote Authentication Dial-In User Service). On Windows 2003, the RADIUS service is provided by the Internet Authentication Service, IAS. On Windows 2008 it’s a part of the Network Policy Server. SonicWall has a pretty decent techdoc about configuring RADIUS authentication on Windows Server 2003 but the 2008 implementation is left as an exercise to the reader. Whichever version you run, the firewall needs to reach the server on UDP port 1812 (NPS also listens on the legacy port 1645), so check any firewall in between before you start chasing policy errors.

If NPS isn’t installed yet, add it from Server manager –> Roles –> Add role.

The prerequisite step is to create a Windows Active Directory group of folks who will be granted VPN access using RADIUS authentication. While you could use All Users, you might be slipping in a few test users (username test, password test – i’m sure you don’t have any of those on your net, right?). So be a good sysadmin and create the group VPN users, then add users or groups there manually.

Now you can fire up the Internet Authentication Service or Network Policy Server.

RADIUS

The first step is to add a RADIUS client to the configuration. A RADIUS client is the box which uses RADIUS, not the end user using the box. So in this case, we’ll add the Firewall as a RADIUS client.

On Windows 2003, right-click RADIUS Clients –> New RADIUS Client. On Windows 2008, RADIUS Clients and Servers –> RADIUS Clients (right-click) –> New RADIUS Client. Give it the Friendly Name “Firewall” and fill in the IP address. For this discussion, we’ll say the firewall lives at 192.168.42.1. The Client-Vendor can be set to RADIUS Standard. I don’t know if the SonicWall supports the Additional Options listed, so you can leave them blank.

Now tap in a long, random Shared Secret which the RADIUS server and the firewall will use, and keep a copy in Notepad, as you’ll need the same Shared Secret later on the firewall. This secret is the only thing protecting the user passwords on the wire between the firewall and the RADIUS server, so don’t skimp on it, and get rid of the Notepad copy once both ends have it.

Since you’ll probably want to test the connection, create a similar RADIUS Client for either your own PC if you happen to be on the local network at the time, or for some test server. Or for the RADIUS server itself, which means you’ll need to add a RADIUS client either for the local IP address or 127.0.0.1. I found a fairly decent, and free, RADIUS test client at IEA Software called Radlogin. The least i can do for the favour is to suggest you check out the client too.

The next step is to create a Remote Access Policy. On Windows 2003, right click Remote Access Policies –> New Remote Access Policy. On Windows 2008, it’s complicated. I’ll get to that in a paragraph or two.

If you’re still on 2003, a wizard appears. Name your new “Custom Policy” something like VPN Authentication. Now add the Policy Condition Windows-Groups and pick the VPN Users group you created in the prerequisite step above. As an extra measure, also add the condition NAS-IP-Address with the address of your firewall, eg 192.168.42.1; that way the policy only applies to requests coming from the firewall and you can use the same RADIUS server for other fun things too. Click Next. Tick the right radio button so that these users should be Granted remote access permission. Next. Now you’ll still need to Edit the Profile. On the Authentication tab, check all Authentication methods except Unauthenticated access. Unfortunately the current SonicWalls do not reliably use MS-CHAP v2, which is a shame, so we’ll even need to tick CHAP and the plaintext PAP. Not much for security, i know. Two caveats here: on the hop from the firewall to the RADIUS server, a PAP password is hidden only by an MD5 keystream seeded with the Shared Secret, so keep that traffic on a trusted management segment; and CHAP against Active Directory only works for accounts that store their password with reversible encryption, which you almost certainly don’t want to switch on. On the Advanced tab, make sure you have the following attributes selected: Service-Type: Framed, and Framed-Protocol: PPP, both of vendor “RADIUS Standard”.

Phew. And now for Windows 2008.

NPS –> Policies –> Network Policies (right-click) –> New. This will also pop up a wizard. Give the Policy a name like VPN Authentication and set the Type of network access server to Remote Access Server. Add the following Conditions: User Groups (or Windows Groups) must be the VPN Users group you created above. Then scroll down down down the Conditions list and require that the RADIUS Client –> Client IPv4 Address is that of your firewall, for the very same reasons as above. Do that now or later when the test shows green lights. Next. Access Granted. Next. Select all the Less Secure Authentication Methods except the last two, Allow clients to connect without negotiating… and machine health check only. Once the test from the firewall shows which method the SonicWall actually negotiates, uncheck the ones it doesn’t use; CHAP and PAP in particular are weak and shouldn’t stay enabled just in case.

Run Radlogin and test whether you get a response, Good or Bad, or whether you get a Timeout. A Timeout probably means that you haven’t got the RADIUS Client configured right on the NPS, since NPS silently drops packets from addresses it doesn’t know. A Bad response probably means that your Conditions or Constraints are wrong, or that the Shared Secret doesn’t match; the NPS entries in the server’s Security event log tell you which.
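To see what Radlogin and the firewall actually put on the wire, here is an added example (mine, not from the original post or from SonicWall or Microsoft) of the RADIUS PAP exchange from RFC 2865: the Access-Request the firewall sends, the MD5/XOR hiding of the User-Password that the Shared Secret caveat above refers to, the Response Authenticator that lets the client check a reply really came from the server, and a stand-in for the NPS side applying the policy from this post (known RADIUS client, valid password, member of VPN Users, NAS-IP-Address equal to the firewall). The shared secret, the user table and the Backdoor-free group name are constructed for the example; 192.168.42.1 is the firewall address used in the post. Only radius_test talks to a real server, on UDP 1812.

```python
"""RADIUS (RFC 2865) PAP Access-Request from the firewall's point of view, plus a stand-in
NPS. Added example; secret, users and groups below are constructed, not real."""
import hashlib
import hmac
import secrets
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, FRAMED_PROTOCOL = 1, 2, 4, 6, 7
SERVICE_TYPE_FRAMED, FRAMED_PROTOCOL_PPP = 2, 1      # the two policy attributes from the post

FIREWALL_IP = "192.168.42.1"                          # from the post
CLIENTS = {FIREWALL_IP: b"assumed-long-random-shared-secret"}   # RADIUS client -> secret (constructed)
USERS = {"alice": (b"Passw0rd!", {"VPN Users"}), "test": (b"test", set())}  # AD stand-in (constructed)
VPN_GROUP = "VPN Users"


def _attr(kind, value):
    """Type-Length-Value; the length counts the two header bytes."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(payload):
    """Split the attribute area into {type: value}; refuses truncated or zero-length TLVs."""
    attrs, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs[payload[i]] = payload[i + 2:i + payload[i + 1]]
        i += payload[i + 1]
    return attrs


def encode_pap_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block).
    This keystream, seeded by the shared secret, is all that hides a PAP password."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_pap_password(encoded, secret, request_auth):
    """Server side of the above; strips the NUL padding (passwords must not contain NUL)."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, nas_ip, request_auth=None):
    """Access-Request carrying the attributes the NPS policy in the post matches on."""
    request_auth = request_auth or secrets.token_bytes(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, encode_pap_password(password.encode(), secret, request_auth))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED))
             + _attr(FRAMED_PROTOCOL, struct.pack("!I", FRAMED_PROTOCOL_PPP)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def verify_response(response, request_auth, secret):
    """True only if the reply was built by someone holding the shared secret for this request."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = response_authenticator(response[0], response[1], response[20:], request_auth, secret)
    return hmac.compare_digest(expected, response[4:20])


def fake_nps(request, client_ip):
    """Stand-in NPS: returns the reply bytes, or None where NPS would silently drop the packet
    (unknown RADIUS client), which the tester sees as a Timeout."""
    secret = CLIENTS.get(client_ip)
    if secret is None:
        return None
    ident, length = request[1], struct.unpack("!H", request[2:4])[0]
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = decode_pap_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    nas_ip = socket.inet_ntoa(attrs.get(NAS_IP_ADDRESS, b"\0\0\0\0"))  # 4 bytes expected
    granted = False
    if request[0] == ACCESS_REQUEST and user in USERS:
        stored, groups = USERS[user]
        granted = hmac.compare_digest(stored, password) and VPN_GROUP in groups and nas_ip == FIREWALL_IP
    code = ACCESS_ACCEPT if granted else ACCESS_REJECT
    return struct.pack("!BBH", code, ident, 20) + response_authenticator(code, ident, b"", request_auth, secret)


def radius_test(server, secret, username, password, nas_ip=FIREWALL_IP, timeout=3.0):
    """Radlogin equivalent against a live server on UDP 1812: returns 'Good', 'Bad' or 'Timeout'."""
    ident, request_auth = secrets.randbelow(256), secrets.token_bytes(16)
    packet = build_access_request(ident, secret, username, password, nas_ip, request_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 1812))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "Timeout"        # typically: this host is not a RADIUS client on the NPS
    if reply[1] != ident or not verify_response(reply, request_auth, secret):
        return "Bad"                # unverifiable reply: wrong shared secret or not from the server
    return "Good" if reply[0] == ACCESS_ACCEPT else "Bad"
```

Run it with `radius_test("192.168.42.10", b"the shared secret", "alice", "Passw0rd!")` against a real NPS (server address assumed) and you get the same three answers Radlogin gives. Note that verify_response is the part the VPN client never sees: a firewall that skips the Response Authenticator check would accept any spoofed Access-Accept, which is one more reason to keep the RADIUS server on a segment only the firewall can reach.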

The Wall

Here’s a tip. Use anything but Internet Explorer to manage the SonicWall. It emits such buggy HTML code that it’s just hopelessly slow with IE.

I might be taking an extra step here because we also wanted RADIUS authentication to the firewall. In that case, you’re getting two settings at the price of one. Live with it and log on to the SonicWall admin interface.

As a safety measure, add a Local User to the firewall which we’ll also allow access in case the RADIUS server is in a twist. For this discussion, we’ll call this user Backdoor; in real life give it a less descriptive name, a long password and a line in the change log, because it bypasses the directory entirely. Put Backdoor into the relevant groups (Firewall Admin). On the VPN Access tab, give Backdoor the appropriate networks (Firewalled subnets).

Then we want to create a group for VPN users. Thus, go to Users –> Local Groups (sic) and click Add Group. On the Settings tab, call your group VPN Users. On the Members tab, scroll down the left box and hopefully you should find the entry All RADIUS Users. Add it. Also add the Backdoor user we created above. Under the VPN Access tab, add whatever networks you see fit; LAN Subnets may be what you’re looking for. Edit the CFS policy if you (really) want to.

Now from Users –> Settings, set the Authentication method for login to RADIUS + Local and click the Configure button. What now probably happens is that you configure the global settings for the whole firewall, not just the VPN login. On the now popped-up RADIUS Configuration Settings tab, enter the name or IP address of your RADIUS server, the one you created half a page up. Find that Notepad page where you created the Shared Secret and paste it in the corresponding box. On the RADIUS Users tab, tick Local configuration only, which means the firewall won’t try to read group membership from RADIUS attributes but uses the local group you just put All RADIUS Users into, and select VPN Users as the Default RADIUS group.

Final step, and now it’s time to take a deep breath. If you’re configuring this over a VPN connection, make sure you have a backup plan, because you’re now going to change the VPN access settings. Thus, go to VPN –> Settings. I’m assuming that you already have a WAN GroupVPN in place. Click the pencil icon to edit the entry. Switch to the Advanced tab. Check Require Authentication of VPN Clients via XAUTH and choose your previously created VPN Users group as the User Group. XAUTH is the bit that makes each client present a username and password inside the IKE exchange, which the firewall then forwards to RADIUS. Also Enable NetBIOS Broadcasts while you’re at it.

Click OK.

Test your VPN settings. Breathe normally.

Extra sugar

For extra brownie points, you can configure firewall administration logins to be authenticated by RADIUS. From Network –> Interfaces –> LAN –> edit pencil, tick all relevant Management options and the HTTPS User Login checkbox. Voilà, RADIUS authentication to the firewall!

I wonder what we can authenticate next… :)


I’m taking this course on basically what i already do at work, so the Windows server environment, networking and the F-Secure antivirus infrastructure. For the last few weeks, we’ve been talking networks and working with the Cisco Packet Tracer network simulator, which has been good and fine but still a bit… virtual. Tonight we finally had a real hands on lab session and to see the bits fly on actual iron was really gratifying!

We worked in pairs and our assignment, which grew at the pace we got the basic bits configured, came to be a not altogether uncomplicated one.

Cisco Packet Tracer sample

Two Cisco 2600 series routers connected by serial. Both routers have HP Procurve switches connected with them and there are virtual LANs on the switches which are terminated on the routers. An ADSL modem connected to the other switch, a DSLAM connected to the ADSL, an uplink to the school network from the DSLAM. RIP 2 routing between all networks.

Getting pings to return from the Internet on something you’ve built yourself – fairly funky.

So that i have even a vague memory of what i did, i’ll just jot down the configuration steps after the break.



The other day, a client at a customer of mine called in to say that “her remote connection does not work”. It took a little while to interpret her problems into technical terms; what she meant was that when outside the office, her Outlook wouldn’t synchronize. I’ve since learned that working with a remote connection also may mean working with a laptop when it’s off-site or just non-docked, regardless if there’s an actual connection involved or not.

But back to the agenda.

First i thought there was something wrong with her Outlook, but after some investigation i came to believe there was something fishy with the certificate presented by the customer’s server. Which is a Microsoft Small Business Server 2008. This could be confirmed by taking a https connection to their Outlook Web Access thingy, which also gave a SSL cert error. It was using the wrong certificate. Bugger.

To remedy, i took a remote c… a VPN connection + an RDP session (see, it’s ambiguous enough if i write it!) to the server and opened up – hear this – the Exchange Management Shell. Issue the statement Get-ExchangeCertificate and you get a list of the SSL certificates the host knows of. The one you’re looking for is probably the one with a hostname and a hint of commercial spice (say Old Thawte). To verify, you can write Get-ExchangeCertificate -Thumbprint <thumbprint of relevant certificate> | fl which will give you more info; check that CertificateDomains covers the names the clients actually connect to and that NotAfter is still in the future, because the Services column only tells you what the certificate is bound to, not whether it’s the right one. Now chant Enable-ExchangeCertificate -Thumbprint <thumbprint of relevant certificate here> -Services IIS, which binds it to IIS, the IIS Itertubes Server, and confirm when asked to replace the existing binding. Verify with a connection to the Outlook Web Access Thingy and close the shell. You rock. Already.

Since we’re talking about an SBS, we have the Remote Web Workplace installed. RWW provides, among other neat things, a terminal server gateway to the servers inside, and it too relies on an SSL certificate being valid. Thus, with your RDP session still open from the above paragraph, go Start –> Administrative tools –> Terminal services –> TS Gateway Manager. Right click the gateway server name and select Properties. Click the SSL Certificate tab. Pick Select an existing certificate and click the Browse Certificates button. Choose the right certificate, ie. the same one as above, and click Install [sic]. Then OK yourself out of there and verify.

You rock. Fully.

Now you would technically have the time to ponder the reasons why the certificate fell out of grace with the server in the first place, but since you’re the overworked sysadmin you are, you’ll save that as pillow reading for tonight.


I was informed by my colleague the other week that the Chumbies have invaded Finland and that the Chumby One model is for sale at Verkkokauppa for 99€. Weak spot. I have dreamed for this cute but kind of useless … no, just cute device since the original “Latte” model was introduced, yonks ago. Checking my archives, that would be the 13th of November 2006. Whoa.

With little sanity to hesitate me, i ordered not one but two of these puppies. One to hack and the other just to toy gently with [0]. And yesterday they arrived. I named them Chumba and Wamba (yeah). Wamba is still in the cardboard box because my wife is still in a state of denial that i paid a hundred euros for a clock radio [1]. The closest thing to a nod of approval was received upon informing her that it can work as alarm clock.

Currently, i am in two confused minds. And one blissful. I have a device which shows the time, displays pretty pictures and plays The Dividing Line. Which is nice. Also, i have this wonderful little thingy, an embedded Linux computer with a wireless network connection and a touch display and i can’t even begin to think what funky things i should be doing with it! But most of all, i’m fascinated by how my kids react to the physical user interface, how effortlessly and naturally they interact with the dangling spider on the display by tilting the box, or how they make it moo by turning it upside down.

So even if i won’t ever get this to be my wireless link between home and office, or a controller of my yet-to-be-realized home automation network, or even a music library controller, i can still learn how to do things differently. I guess it’s about time to start learning Open Laszlo, since Flash is the native UI platform on the Chumby. Or FlashDevelop. Or HaXe or the Ming lib. Or just port Silverlight to the Chumby and have our guys dev some really slick schtick for it :) (or maybe not)

Usability guru Don Norman once wrote about information appliances, and i think a Chumby is well suited to become one once i decide what one or two things it is supposed to do well. Now it’s more a twitter-like miracle that you can do anything with and hence there’s not really anything to do with it well. No focus, so to say. The only thing i’ve done so far is to ssh into it and create a cron script that switches between night mode and day mode at 22:00 and 7:00 respectively. But once i come up with something, i’ll surely let you know.

[0] Update: Wamba’s power supply was broken so now i’ve got to make it an RMA to Verkkokauppa. And bob knows when i’ll have another one. Yeah, they want me to return the whole device, not just the psu. Bustards.

[1] The fact that she showed me the two pairs of nice but not entirely cheap pairs of nearly identical shoes she got for herself might have saved me from more excruciating scrutiny.


Within, i’ll present a free and low-pain solution to implement a backup copy method for Windows using an external hard disk. The same method could also be used for backups over the network.

A user at a customer of mine needed a way to copy his documents to an external disk which is easy and cheap. While it would be possible to use Windows backup, it’s not the nicest of programs to work with (he’s on Windows XP, the backup software on Win7 is probably much nicer), so i decided against it.

My requirements were:

  • Simplicity – easy to use for the user
  • Unobtrusive – doesn’t require complex installs to the computer which may be against the company IT policy
  • Open – doesn’t lock out the user if the backup program fails or goes out of date
  • Maintainable – even if i went away, somebody else could update and maintain the system

So with some painful research, i ended up with the Toucan backup Portable App. In fact, i had done an installation like this before but with less elegance, which is to say that i will here spare you from some lack-of-elegance. Not bad.

The whole method is based on example code from the Toucan help files.

Step 0: A wee bit of theory (won’t hurt … much)

We’re going to create two backup routines. One will create a full backup of a source directory onto a target directory on a removable disk. The other one will create an archive containing all files that have changed since the last full backup. Both of these are created with Toucan’s differential backup. Five previous full backups will be kept beside the current one and the oldest automagically cleaned out when a new full backup is performed. Everything is configurable and probably also schedule-able.

Step 1: Preparation

The first thing to do is to give the external hard disk a persistent mapping. With the external hard disk plugged in, right click My Computer, choose Manage, select the Disk management tool. Right click the external disk, choose Change Drive Letter and Paths and select a nice and backup-friendly letter, say Q.

Then, get the Toucan Portable App. Toucan Portable is designed to run within the PortableApps framework but it’ll work fine by itself. By design, that means it will run without making any changes on your system, and we’ll use that to actually run Toucan from the external disk itself. If you want the PortableApps framework, go ahead. It won’t hurt. Much :)

Install Toucan on the external disk, Q:. Due to the PortableApps framework, it’ll install in some directory structure underneath the root of Q. Navigate to the Toucan executable and run it.

Step 2: Configure what to back up

The Toucan user interface is a bit scary, but don’t worry. I’ll keep you company until we’re ready to run. Click on the Backup tab. Click the big plus-sign button in the Job Name box to create a new Job. Give the job the name Full backup. In the Type box, select Differential (which may seem misleading but bear with me).

From the big area on the left, select one directory (or even one whole disk, but that’s going to be a lot to backup) you want backed up. I suggest you choose a reasonably small hierarchy to start with, otherwise the testing phase will take some time. Press the plus-sign button in the middle of the screen to have that directory added to your backup list. Unfortunately, Toucan doesn’t support differential backups on multiple source directories. If you want that, you’ll need to repeat this article multiple times. But there are worse pains than that.

In the Backup Location text box, enter @backupfolder@\ (we’ll get to that shortly – oh, and don’t miss that backslash \ at the end of @backupfolder@ as it’s probably important).

Press the Save button which is in the Job Name box.

Step 3: The automagic bits

Click the Variables tab. Click the plus-sign button to create a variable. Name it backupfolder. You’ll get two lines of text in the big box below, one being your computer’s name. Double click that one and enter Q:\backup (or @drive@\backup which would be the cooler and more portable notation). Click the save button.

Click the Script tab. Press the plus-sign button and name a script Backup-rotational. Paste the following into the edit window:

Delete "@backupfolder@\BaseFile-5.zip"
Rename "@backupfolder@\BaseFile-4.zip" "@backupfolder@\BaseFile-5.zip"
Rename "@backupfolder@\BaseFile-3.zip" "@backupfolder@\BaseFile-4.zip"
Rename "@backupfolder@\BaseFile-2.zip" "@backupfolder@\BaseFile-3.zip"
Rename "@backupfolder@\BaseFile-1.zip" "@backupfolder@\BaseFile-2.zip"
Rename "@backupfolder@\BaseFile.zip" "@backupfolder@\BaseFile-1.zip"
Backup "Full backup"

Press the save button.

Yeah, i know it’s ugly, but the Toucan scripting language is just about that developed. It does get worse though.

Anew, press the plus-sign button and create another script. Call it Diff-backup. The only code it will have is:

Backup "Full backup"

Press the save button.

Step 4: Intermediate testing

Still within the Script tab, select the Backup-rotational script and press Run. You should get a few warnings that there aren’t any BaseFile-n.zip files to delete or rename but the backup bit should work fine. The jolly magic here which we couldn’t really influence is that when Toucan runs a differential backup but there is no file to “different against”, it will save the full backup into the file BaseFile.zip.

A reasonably big hierarchy will backup in 15 minutes, a smaller one in a minute or so. If there were severe errors, check your code. If it matches mine, there must be a bug in my code, which you should remark about in the comments section below.

When the Backup-rotational script has run, choose the Diff-backup script and run that. If you want to, you can make some changes to the source hierarchy before running the Diff-backup to see some reality in the process.

Step 5: Enter Batman

You’ll still need two batch files to make the whole magic run. In the directory where Toucan.exe is installed, create the following two files with the contents below:

do-full-backup.cmd

del Q:\backup\20*.zip
Toucan Script "Backup-rotational"

do-diff-backup.cmd

Toucan Script "Diff-backup"

The sad bit is that you need to delete the differential files from the batch file, as Toucan doesn’t expand wildcards. The del line removes the timestamp-named archives so that the new BaseFile.zip starts a fresh chain; otherwise you’d be left with differentials that belong to an older full backup (caveat: this script only works in the 3rd millennium Gregorian time – if you’re reading this in another time zone, please edit your script to suit).

Run the two batch files. Watch the output and observe what happens in your backup directory.

Step 6: Shortcuts or schedules

Add shortcuts to your user’s desktop or set a schedule using your favourite cron replacement. Educate said user to run those shortcuts on a regular basis, and to keep the disk somewhere safe: the archives are plain zip files, so whoever holds the disk holds the documents.

Step 7: Restoring files (this should never happen)

In case Bad Things happen, go to the backup directory of your external hard disk. Open BaseFile.zip (or an older BaseFile-n.zip if you realize the Bad Thingness only weeks later) and, if the Bad Thing just happened, also the newest timestamp-named file: the differential only holds what changed since the full backup, so restore from the BaseFile first and lay the timestamped archive on top of it. Navigate and restore. Take a bow.

You’re done.


After much speculation and a lot of waiting, The Steve Jobs Magic Factory has released the iPad. After all, i did suggest – heck, request – the iPad already in December 2007. I’m sure Steve will want to deliver me a slate in person when he has one manufactured. You know, for my suggestion/request which must have been the source of his inspiration. And for the name i suggested. Right, Steve?

And i’m kinda buggered that i didn’t register ipad.com back then just in case he’s forgotten about me now :)


I created a brain dump at Posterous.

And i wrote this entry two weeks ago. Strange that i didn’t publish it then.


I just realized what was wrong with digital photo frames. The fact that they shine, like monitors do. They emit light to display a picture.

If they would require light to show a picture, much like a printout, they would look a whole lot more natural. And the answer to that is to use e-paper. Colour e-paper to be specific. It doesn’t even have to be touch sensitive, though that would be a bonus. I’m just not sure if touch sensitive electronic paper is invented yet. Could be. Should be.

So if somebody out there just got a terrific business idea with this, the least you can do is send me a few networked epaper photo frames for making you stinking rich. Thank you.


Digital photo frames in a home environment are … well, almost neat. Sure, they can be cool eye catchers in commercial environments but in my aesthetic, they still are a wee bit tacky in homes. Maybe i’m just old fashioned, but i think that art is physical, photos are static and monitors sweeping and cross-fading are swooshy (in the bad sense). But most of all, i think they are inconvenient. The way to get photos on the frame is to stick some media onto them. The way to change pictures on them is to stick some other media into them. And the way to change pictures at the grandparents’ places is to remember to stick the new media into the frames when you visit them.

This is also the reason i love the Slickr screen saver, which loops photos from my Flickr contacts on my screen. That is the kind of digital photo frame i can appreciate. Not only because it doubles as the computer display i work on, but most of all because it’s my contacts who put their pictures on it. In real time. Without any extra effort from either them or me. Heck, most of them probably do not even realize that they feed my frame — it’s that easy.

For quite some time, i’ve been waiting for a networked photo frame, that’s nifty, affordable and grandparent-usable. Buy it, config it once (until they change their WLAN, but you’ll be there when that happens anyway) and plug it in. Presto, there be pictures. Sure you can do it by recycling a laptop (or PDA, or why not one of those tablets), but that will with most certainty fail in at least one of the three requirements specifications above.

But i see light at the end of the tunnel. A company called PF Digital has the gadget eStarling TouchConnect, a wireless photo frame with a touch interface. Currently the available update mechanisms are RSS, Flickr, Picasa, Twitter, Facebook, Google Calendar. Oh, and email. Which just screams to be spammed by Viagra and pr0n ads (now that would be funny, granny). I haven’t read through the photo frame manual yet (yeah, photo frames come with manuals these days) but if you can activate many sources at the same time, we have something of a winner on our hands. One feed per grandchild’s parents in our case. And feeds to the calendars where you want the grandparents to see the grandkids.

The US$200 price tag is approximately twice the price i would want to cough up for a 10″ 800*480 pixel gadget but that’s the Early Adopters’ Tax for you, my friend. In a year from now, at least the specs will have come up. And at least the market has now been opened.
