
Tuesday 18 December 2012

Instagram and that free lunch

There has been a lot of talk today about the decision by Facebook, who own Instagram, to claim possible IP rights to any photos or images that you upload with the Instagram tool.

Now we still do not know for sure if this is a swoop to make Instagram the world's largest stock photo supplier by default or just an over-enthusiastic lawyer covering all the bases.

But let's say Facebook do want the IP on all those photos: they host them, and you do not pay them to host them, so what is the problem?

What, I hear you say, they cannot sell my photos! I took those! They are my IP.

Well hang on, I bet a lot of people who host their photos or artwork online do so using services like Instagram, Facebook, Flickr, etc. If you then use these services as an online portfolio then you will likely benefit from this either financially or socially. What recompense do the providers get from this?

Because these services are amazing and cost money, not your money, someone else's money. So we place little value on them in real terms, we just complain when the people who provide these services try to recoup some of their investment and try to make them a profitable enterprise.

If we want a world where we can share without this fear of our IP being owned then we should all follow the philosophy of Wikipedia and contribute to a free and open platform for all the world.

I think Twitter is awesome, but someone is paying for this and one day they will get fed up paying for it because I cannot see how we can make Twitter pay.  If we do you will all leave anyway bleating on about adverts and how it ruined Twitter.

Well think about it, a free lunch has never existed and we all pay in one way or another.  If you want that ideological Utopian world online then remember who provides what you class as that now and look to who really is trying to make it happen.

Rant over.

Tuesday 11 December 2012

Be There Routed IP addressing with a Cisco 1841 Router

Be There have started to change how they offer public IP addressing in 2012 and now offer correctly subnetted IP blocks. This does mean, however, that you have to change your configuration as the end user; this is how to change the configuration on a Cisco 1841 router.

DHCP on the ATM0/0/0.1 Interface

media_1355221046491.png

Be There have changed how the IP address is assigned to the ATM interface: it is now assigned via DHCP, and this address is not the one your site will use, it is the address Be There uses to route your public block to you. So the ATM sub-interface now needs the command

ip address dhcp

Zone Based Firewall and DHCP

Now the first issue you will run into is that the Zone-Based Firewall (ZBF) is unlikely to be set to allow DHCP on the ATM interface. The ATM interface is going to be in your outside zone, so we need to create two class maps to define the traffic as follows:

1. ATM interface makes a DHCP request
2. ATM interface receives a DHCP reply

I have created two class maps for this; both match the DHCP server and client protocols (bootps and bootpc, UDP ports 67 and 68).

class-map type inspect match-any cmap-router-to-O2-dhcp
match protocol bootps
match protocol bootpc
exit

class-map type inspect match-any cmap-O2-dhcp-to-router
match protocol bootps
match protocol bootpc
exit

Policy Map

Once you have defined the class maps for DHCP you will need to allow the traffic into the router and out from the router; this involves the self zone and the outzone. The DHCP exchange starts as a broadcast sent over the PVC to the local exchange, and the router has no address yet, so there is no session for the firewall to track and we cannot inspect this traffic. Instead we pass it in the Zone-Based Firewall, and because pass is stateless and one-directional it has to be done in both policy maps. Below I have my policy maps for Outzone to Self and Self to Outzone.

Outzone to Self

policy-map type inspect pmap-internet-to-router
class type inspect cmap-O2-dhcp-to-router
pass log
exit
class type inspect cmap-router-remote-access-protocols
inspect

This policy map passes the DHCP traffic from Be There to the router and logs it so I can see the traffic in the syslog to help with troubleshooting. The next class is my class map to allow SSH access to the router, which is inspected. You must match the DHCP traffic first: classes in a policy map are evaluated in order, and anything that matches no class falls into class-default and is dropped, so you need your DHCP class in before anything else that could swallow it.

Self to Outzone

policy-map type inspect pmap-router-to-internet
class type inspect cmap-router-to-O2-dhcp
pass log
exit
class type inspect cmap-router-to-internet
inspect
exit

This policy map is the reverse and allows the router to send DHCP requests to Be There.
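The class maps and policy maps above only take effect once they are bound to zone-pairs and the ATM sub-interface is placed in the outside zone. The following is an added example, not configuration from the original post: the zone names (inzone, outzone) and the zone-pair names are assumptions, the policy-map names are the ones defined above, and your existing pvc and encapsulation lines under the sub-interface stay as they are.

```cisco
! Added example, not configuration from the original post. Zone names
! (inzone, outzone) and the zone-pair names are assumptions; the policy-map
! names are the ones defined above.
zone security inzone
zone security outzone

! Router-destined and router-originated traffic belongs to the built-in
! "self" zone, so the two DHCP policy maps hang off these two zone-pairs.
zone-pair security outzone-to-self source outzone destination self
 service-policy type inspect pmap-internet-to-router
zone-pair security self-to-outzone source self destination outzone
 service-policy type inspect pmap-router-to-internet

! The Be There PVC sub-interface: address from the ISP's DHCP server and
! membership of the outside zone. Existing pvc/encapsulation lines under
! this sub-interface are unchanged.
interface ATM0/0/0.1 point-to-point
 ip address dhcp
 zone-member security outzone

! LAN side, for completeness
interface FastEthernet0/0
 zone-member security inzone

! Checks once the sub-interface has been bounced: the DHCP lease, the
! pass counters for the DHCP classes, and the injected default route.
! show dhcp lease
! show policy-map type inspect zone-pair outzone-to-self
! show ip route static
```

One caveat worth keeping in mind: the outzone-to-self pass admits any UDP 67/68 packet from the Internet to the router, not only packets from Be There's DHCP server, so keep that class restricted to DHCP and, as in the post, logged.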

DHCP Process

media_1355221769730.png

Now when we shut down the ATM0/0/0.1 interface and then enable it again, a DHCP request takes place, and this is shown above. You can see the ZBF passing the DHCP packets in the log and that we have been assigned an IP address on the ATM0/0/0.1 interface.

DHCP injected route

media_1355221952434.png

A new default route is injected into the Cisco routing table for this circuit, and it shows up as a static route to the DHCP-supplied gateway with an administrative distance of 254. A distance of 254 is deliberately high, so if you have another static default route it will take precedence and this one will only be used as the route of last resort.

Using your IP Block

media_1355222044697.png

Your real routed IP block can now be used. This is achieved by configuring the Cisco to PAT out of the ATM0/0/0.1 interface, and this uses the first IP address in the block. For other services you can now create static NAT translations, as shown above, using one of the public IPs you have. This example is based on a dual-DSL router, so these NAT translations will only function when the router's default route points at our Be There circuit.

Accessing the Router

media_1355222261465.png

If you want to access the router via SSH, for example, you would need to know the DHCP-assigned IP address, and this can change each time the ATM interface is enabled, so it makes sense to assign one of the public IP addresses to the router instead. This can be done by creating a sub-interface on the Fast Ethernet interface and assigning it a new VLAN ID; this places the interface in its own VLAN, and if we assign it no ZBF zone then traffic to its address is treated as destined for the self zone, so the rules to and from that zone apply.

Now you will be able to SSH to this IP address and the rules you have for Outzone to Self and Self to Outzone will apply.

Notification when a DSL circuit goes down

media_1355222635237.png

It is pretty handy to know if one of your DSL circuits is offline, so you can use the IP SLA feature for this and track a ping to an IP address out of one interface only; if the ping fails you can then tell the router to clear the NAT translations and to inform you that the circuit went down. I will not go into the full IP SLA here, but for the notification you can use the Embedded Event Manager (EEM) feature available in the Cisco Advanced IOS feature sets.

Here you can see I have used event manager to note when my IP SLA Track 1 is down, when this occurs I can automatically clear the IP NAT translations and then send an email to our helpdesk to inform the team that the DSL circuit is offline.
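Putting the remaining steps together (PAT from the routed block, a static NAT for a published service, the management sub-interface for SSH, and the IP SLA track with the EEM applet that clears NAT and mails the helpdesk), here is an added example rather than the post's own configuration. The 203.0.113.0/29 block, the 192.168.1.0/24 LAN, the probe target 198.51.100.1, the mail relay and e-mail addresses, the VLAN ID and the interface names are all assumptions. A NAT pool is used so that the outside address is the first address of the block, as the post describes, rather than the changing DHCP address of the ATM sub-interface. The route-map logic for the second DSL line is not shown.

```cisco
! Added example, not the post's own configuration. All addresses, names and
! the VLAN ID are assumptions: 203.0.113.0/29 stands in for the routed block,
! 192.168.1.0/24 for the LAN, 198.51.100.1 for a reliable ping target on the
! Be There side and 192.168.1.25 for the mail relay.

! --- Using the routed block -------------------------------------------
! PAT from a pool holding the first address of the block, so outbound
! traffic does not use the DHCP-assigned address of the ATM sub-interface.
ip access-list extended ACL-NAT-INSIDE
 permit ip 192.168.1.0 0.0.0.255 any
ip nat pool POOL-BE 203.0.113.1 203.0.113.1 netmask 255.255.255.248
ip nat inside source list ACL-NAT-INSIDE pool POOL-BE overload
! Static NAT for a published service on another address of the block
ip nat inside source static tcp 192.168.1.10 443 203.0.113.2 443 extendable
!
interface ATM0/0/0.1 point-to-point
 ip nat outside
interface FastEthernet0/0
 ip nat inside

! --- Management address for SSH ---------------------------------------
! dot1Q sub-interface in its own VLAN with no zone-member line, so its
! address is reached under the outzone-to-self policy and does not change
! with the DHCP lease.
interface FastEthernet0/1.99
 encapsulation dot1Q 99
 ip address 203.0.113.6 255.255.255.248

! --- Detect the circuit going down ------------------------------------
! Pin the probe target to the circuit so the probe cannot leave via the
! other DSL line when the default route moves.
ip route 198.51.100.1 255.255.255.255 ATM0/0/0.1
ip sla 1
 icmp-echo 198.51.100.1 source-interface ATM0/0/0.1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
 delay down 30 up 30

! --- EEM: clear NAT and tell the helpdesk when track 1 goes down ------
event manager applet DSL-BE-DOWN
 event track 1 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "Be There DSL circuit down: NAT translations cleared"
 action 4.0 mail server "192.168.1.25" to "helpdesk@example.com" from "router@example.com" subject "Be There DSL circuit down" body "IP SLA track 1 is down; NAT translations have been cleared."
```

The delay on the track object stops a single lost probe from clearing every NAT translation; tune the probe frequency and the delay to how quickly you actually want to fail over. Verify with show track 1 and show event manager policy registered before relying on the alert.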

Forgot that attachment in Outlook 2013?

We all forget things sometimes, and nothing beats the forgotten attachment in an email. But now Outlook 2013 scans your email body and, if it finds a reference to an attachment, it reminds you that you haven't attached one! Pretty simple but also pretty cool.

media_1355218465334.png

Outlook 2013 making sure I attach the PDFs I had forgotten!

Friday 7 December 2012

Citrix XenApp - How to configure failover Secure Access and STA

How to provide failover or multiple Secure Access Gateway Servers and STA for a Xen App 6.5 Farm

Secure Gateway Configuration Wizard

media_1354886520600.png

Open the Secure Gateway Configuration Wizard

Choose Advanced

media_1354886534231.png

Select the Advanced option.

STA Servers

media_1354886547856.png

You now need to specify the servers that are acting as the STA in your XenApp Farm. Here I only have one server so I have a single point of failure so I am going to add a failover server.

Add STA Server

media_1354886560197.png

Enter the FQDN of your STA server and the port you will communicate on; for simplicity I am using HTTP here. Bear in mind that over HTTP the STA tickets travel in clear text between the gateway and the STA, so for anything beyond a lab use HTTPS, as the STA URL later in this post does.

Citrix Web Management

media_1354886593523.png

Now we need to use the Citrix Web Management application. Select the XenApp farm and then choose Server Farms.

Edit XenApp Farm

media_1354886601014.png

Select your XenApp Farm and then choose Edit

Add Failover Server

media_1354886608747.png

I now choose to add a XenApp Server, this will act as my failover server for authentication.

STA Settings

media_1354886616267.png

Now we need to specify the STA Settings for our Failover Server, choose the Secure Access option

STA Settings

media_1354886625484.png

I now choose to add my Failover Server with the correct URL for STA https://servername/scripts/ctxsta.dll

Test Connection

You can now shutdown your original STA Server and then try to access a XenApp Server in your farm. This should now fail to find your Primary Server and then find your Failover Server for STA. This will take a little longer than a normal connection due to the need to check the Primary Server first.

Tuesday 4 December 2012

SQL Server - How to display only one Database to an account

For the purpose of a hosted service I needed to present a SQL database to a third party. I did not want to expose any databases except the one for their client, so I needed to find an approach.

SQL Server Databases

media_1354624790123.png

Here you can see that I have several databases on the SQL Server, the database I need to present to the third party is called Troy_Live

SQL Server Logins

media_1354624797172.png

I have created a new SQL Server Login for the third party support to access the SQL Server Management Studio.

Access to SQL Server

media_1354624822598.png

I will now change the access rights to the SQL Server for my support account, so on the root of the SQL Server right click and choose Properties.

Deny Access to View Any Database

media_1354624845745.png

Select the Permissions page and then highlight your login. You can now choose the permissions for this account; to hide all the databases from it, find View any database and set it to Deny. Note that this only hides the other databases from enumeration (Object Explorer and sys.databases); it does not by itself remove any access the login may have to them, so keep its database-level permissions minimal as well.

Set Permissions on Database you want to access

media_1354624858263.png

Now that we have denied permission to view all databases we need to allow access to the correct database. Open the properties of the database you want and, on the Files page, set the Owner to the account you want to have access. A database stays visible to a login that has been denied VIEW ANY DATABASE only when that login owns it, which is why ownership is used here; the trade-off is that the owner maps to dbo inside that database and has full control of it, so this is not a read-only arrangement.

Logon as Support User

media_1354624898729.png

Now when I logon to the SQL Server Management Studio as my support user I can see only the database for my client and the master and tempdb databases.
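The same restriction can be scripted in T-SQL, which is easier to review and repeat than the GUI steps. This is an added example rather than anything from the original post: the login name and password are placeholders, while Troy_Live is the database named above.

```sql
-- Added example, not from the original post. troy_support and its password
-- are placeholders; Troy_Live is the database named in the post.
USE master;
GO

CREATE LOGIN [troy_support] WITH PASSWORD = N'<strong password here>',
    CHECK_POLICY = ON, CHECK_EXPIRATION = OFF;
GO

-- Hide every database from the login in Object Explorer and sys.databases.
-- This is a visibility control only: it grants and removes no data access.
DENY VIEW ANY DATABASE TO [troy_support];
GO

-- A database is visible to such a login only when the login owns it, so
-- make the support login the owner. The owner maps to dbo and has full
-- control of that database, so this is not a read-only grant.
ALTER AUTHORIZATION ON DATABASE::[Troy_Live] TO [troy_support];
GO

-- Check what the login will see without logging in as it.
EXECUTE AS LOGIN = 'troy_support';
SELECT name FROM sys.databases ORDER BY name;
REVERT;
GO
```

The impersonated query should list the same databases the post reports seeing in Management Studio: master, tempdb and Troy_Live. If a database you did not intend still appears, the login owns it or holds VIEW ANY DATABASE through a server role, so check sys.databases.owner_sid and the login's role memberships.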

Tuesday 20 November 2012

Windows 2012 Server - How do I change my product key?

You may find, when you try to activate your Windows 2012 Server, that activation fails, and then when you try to change your product key you cannot see how to do this. Well, it turns out Microsoft have removed this by default: you cannot change your product key until you activate, and you cannot activate until you change your product key. Catch-22. So what do you do?

Windows Activation

media_1353410455363.png

Go to the Action Center and then choose Windows Activation and you will be shown the screen above, stating that Windows is not activated. So we will try to activate.

Activation

media_1353410464231.png

Activation is attempted online.

Activation Failure

media_1353410471073.png

Well, Windows Activation fails, which is a bit disappointing, but that's OK as I didn't enter my key when I installed, so I will just enter it now. Ah, there does not seem to be a way to do this like there was in Windows 2008 R2. So what do I do?

The Answer

The answer is found here in this rather nice KB from Microsoft http://support.microsoft.com/kb/2750773?wa=wsignin1.0

Charm Bar

media_1353410504751.png

So now you need to bring out the Charm Bar, which is done with Windows key + C. Then choose the Search option.

Search

media_1353410516909.png

We need to search for the actual Windows Activation executable with its argument: type slui.exe 0x3 and don't forget the 0x3 on the end, as that is what opens the product key dialog.

Change Product Key Time

media_1353410526820.png

Now we can see the familiar change product key window and we can enter our correct product key.

Add Product Key

media_1353410554839.png

Enter your product key and it will be verified as correct for you.

Activate

media_1353410574842.png

You can now perform the activation and get this cheery greeting from Redmond.
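The same change can be made from an elevated PowerShell session, which is handy on Server Core or when you are scripting a build. This is an added example, not part of the original post; the product key below is a placeholder, not a real key.

```powershell
# Added example, not part of the original post. The key is a placeholder.
$slmgr = Join-Path $env:windir 'System32\slmgr.vbs'
$productKey = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'

# The dialog the post reaches via Search: slui.exe with the 0x3 argument.
# Start-Process -FilePath 'slui.exe' -ArgumentList '0x3'

# Scripted route: install the key, then attempt online activation.
cscript //nologo $slmgr /ipk $productKey
cscript //nologo $slmgr /ato

# Check the result without the GUI. LicenseStatus 1 means licensed; the
# ApplicationId filter is the well-known ID for the Windows OS product.
function Get-WindowsActivationStatus {
    Get-WmiObject -Class SoftwareLicensingProduct |
        Where-Object {
            $_.PartialProductKey -and
            $_.ApplicationId -eq '55c92734-d682-4d71-983e-d6ec3f16059f'
        } |
        Select-Object Name, LicenseStatus, PartialProductKey
}

Get-WindowsActivationStatus
```

If /ato fails on a server with no Internet route, slmgr.vbs /skms lets you point it at a KMS host instead; the status check above works the same either way.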

Wednesday 14 November 2012

Do you let it get to you?

Sometimes we let life get to us, be it work, home or just getting stuck in a traffic jam, life has a habit of testing us on a daily basis.  The result of this is stress, all of us suffer from it and it affects us all in different ways, what is really important is how we handle this stress.

I work in a technical service industry, which is one of the most stressful jobs there is. OK, I am not under fire in Afghanistan and I am not an Emergency Room doctor, but nevertheless the service industry is one in which everyone wants everything done yesterday.

In the past I used to think I could get everything done each day. I would work more and more hours thinking I could get the work completed, but the more I did the more work came in; I never caught up. I was spending 10 hours in the office and 4 hours a night on the laptop. Suffice it to say it did me no good.

I started to get headaches, tense muscles, feelings of being uncomfortable, physical symptoms I could feel but there was nothing wrong with me if you looked at me. I became irritable at work and would be seen as moody; the smallest question or issue and I would feel cornered and snap at my colleagues.

I recognised this a few years ago and sought help, now I have what you can call insight and I can see when I am stressed and I try to take actions to prevent it.

One thing I have noticed now is the behaviour of a stressed person at work, and I try to let them know and help them by talking and asking them if they need to share a problem. One of the main causes is that we feel we have no control, that life is controlling us. This is a common fear and one that affects those who do not like flying, for example: it's not being in an airplane, it is because we are not in control of it and we have to trust someone else with our life for a period of time.

Work is no different, if we feel we have no control then we will become stressed.  We will try to do it all ourselves and this just is not possible anymore, there is too much information.  We need each other.

When you feel angry or frustrated at work, take a moment and ask yourself.


  • Do you feel you have so much work to do you don't know where to start?
  • Do you feel no one tells you what you need to know?
  • Phones ringing or people asking you questions, makes you angry quickly?
  • When you get home you just want to sleep?
These are all key indicators of stress and depression. Do not be worried, it is normal and it happens to all of us. Seek help, talk to friends, your partner, family, colleagues. Just let people know and understand that life is tough and sometimes we all need help to get through.

Tuesday 13 November 2012

Windows 2012 - How to configure Multi Path iSCSI I/O

This is how to configure Multipath I/O for iSCSI on Windows 2012 Server. I want to use this for our Hyper-V implementation to increase throughput and redundancy.

Setup iSCSI NICs

media_1352814175635.png

In this server I have eight NICs and I have chosen to use two of them for iSCSI: one onboard Broadcom NIC and one PCI-e slot Intel NIC. Each NIC is configured with an IP address in the subnet of the storage network, in this case

10.12.0.40 255.255.255.0
10.12.0.41 255.255.255.0

The SAN is an HP MSA P2000 G3 iSCSI LFF and I have configured its host iSCSI ports as

10.12.0.21 255.255.255.0
10.12.0.22 255.255.255.0
10.12.0.23 255.255.255.0
10.12.0.24 255.255.255.0
10.12.0.25 255.255.255.0
10.12.0.26 255.255.255.0
10.12.0.27 255.255.255.0
10.12.0.28 255.255.255.0

NIC Configuration

media_1352814185588.png

On each NIC you can remove services that are not required for iSCSI so I have unchecked Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks.

Set IP Address

media_1352814192494.png

I will be using IP v4 for this implementation.

Confirm IP Address

media_1352814203472.png

Use static IP addresses to remove the need for DHCP and its network overhead. You do not need a gateway if the storage network is not to be routable, and keeping it unrouted is also the simplest way to keep the iSCSI traffic, which is unencrypted, off the general network. Each NIC should not use DNS either, again to avoid unnecessary traffic, so choose the Advanced option.

Do not register in DNS

media_1352814214374.png

Uncheck the option for Register this connections addresses in DNS. We do not want any IP from the iSCSI network in DNS.

Advanced NIC Settings

media_1352814239144.png

Each NIC has advanced settings and some relate to Power Management, we do not want any interruptions in the iSCSI network so we will change the advanced settings with the Configure option.

Power Management

media_1352814245991.png

Uncheck the option Allow the computer to turn off this device to save power.

Add MPIO Role

media_1352814312820.png

Now we will add the Multipath I/O (MPIO) feature to the server so that we can use MPIO. From the Server Manager dashboard choose Manage, then Add Roles and Features.

Add Features

media_1352814331835.png

Follow through the Add Roles and Features wizard and then, at the Select Features step, choose Multipath I/O. In this example I have already installed this feature, which is why (Installed) is displayed. The server will now install the MPIO feature.

MPIO Tools

media_1352814339190.png

Once the feature is installed you can then choose Tools, MPIO from the Server Manager dashboard.

MPIO Properties - Immediate Reboot Required

media_1352814348070.png

In the MPIO dialog choose the Discover Multi-Paths tab and then check the Add support for iSCSI devices option. The server will now require an immediate reboot, so be prepared.

iSCSI Initiator

media_1352814363133.png

Now the server has rebooted we are ready to setup iSCSI, this is done from the Server Management and Tools, iSCSI Initiator.

Connecting to a Target

media_1352814377613.png

iSCSI works by connecting to a target; the target is most likely a disk SAN or similar, in our case the HP MSA P2000 G3 iSCSI SAN. The SAN presents a target portal at the IP address configured on each of its iSCSI ports. 10.12.0.20 is the first IP address assigned to my Controller A iSCSI A1 port, so I enter that and choose the Quick Connect option.

Quick Connect

media_1352814386418.png

The quick connect will now communicate to the SAN using the iSCSI NIC on the server and the iSCSI port on the SAN. It negotiates and we see under the Discovered Targets section the IQN of the SAN. You can see in the IQN name the hp:storage.p2000 text, this is part of the IQN name of our SAN. You can check this information on your iSCSI Storage Device as these will be different across manufacturers. Click Done to return to the iSCSI Initiator.

Add the first Multi Path

media_1352814405756.png

Select the target and then click on Properties to add the next path to the iSCSI Storage Device.

Sessions

media_1352814432848.png

This dialog will show the existing sessions to the iSCSI Storage Device, we have only added one session so far so we will only have one path to the iSCSI Storage Device and if we removed the network cable for the iSCSI NIC we would lose connection to the target. What we want is to be able to lose one connection and know that the second iSCSI NIC can carry on the iSCSI traffic. So choose Add Session to add the second iSCSI session.

Connect to Target

media_1352814440662.png

When you add the new session you are asked whether you want to use multipath; check the Enable multi-path option and then choose the Advanced option.

Advanced Settings

media_1352814449116.png

In this dialog we are going to choose which type of adapter we are going to use. As we have no hardware host bus adapters (HBAs) we will use the Microsoft iSCSI Initiator, which is software based, so select this from the Local adapter dropdown. Note that nothing in this walkthrough enables CHAP; the same dialog has the CHAP log on settings, and on any storage network that is not physically isolated you should enable CHAP on both the SAN and the initiator so that any host on the VLAN cannot simply log in to your LUNs.

Initiator IP

media_1352814455490.png

From the Initiator IP dropdown choose the IP Address you have assigned to the second iSCSI NIC, in this case this is the IP address 10.12.0.40. This will now connect the second iSCSI NIC to our target so that both iSCSI NICS can communicate with the iSCSI Storage Device. Choose OK.

Confirm MPIO for each Session

media_1352814484856.png

A session will now be created with a long GUID, check the new session and then click on the Devices button to see what devices are connected in this session. We are looking to see two devices, one for each of the iSCSI Target IP addresses.

Devices

media_1352814491811.png

I recommend that you create a LUN on your iSCSI Storage Device in advance as you then have a device to see as connected, here I can see the disk I have created on LUN 0. I now choose the MPIO button.

Device Details

media_1352814619540.png

This displays the MPIO details and the Load Balance Policy. This is the way MPIO chooses a path to the iSCSI target, and we would like it to be Round Robin. This means that the first path is sent an I/O request, then the next, and so on until it comes round to the start again. The benefit here is that all paths get used and multiple requests can be in flight at once, so you get better performance. If a path is down due to a cable or switch failure, round robin notices this, ignores that path and sends the request on the next active path. So you have a high-performance and redundant iSCSI infrastructure.

To see the IP addresses used for a path, click on a path and then choose the Details button.

MPIO Details

media_1352814625966.png

In the details of the path you can see the Source and Target IP address details. Here we can see the Source is the iSCSI NIC on the server 10.12.0.41 and the target is the IP address of Controller A iSCSI A1 port 10.12.0.20.

MPIO Details on second path

media_1352814641581.png

On the second path you can see the Source is now the other iSCSI NIC on the Server and the Target is the Controller A iSCSI A1 port so we have two paths now to this target.

Confirm the MPIO

media_1352814656390.png

You can confirm the MPIO in use with a command line tool called mpclaim. Here I have run the command mpclaim -v c:\config.txt. This writes the MPIO configuration in verbose mode to a text file so it is easy to read.

Text File Output

media_1352814690888.png

I open the config.txt file and I can see the MPIO state shows we have 2 paths, so I know the paths I have created are live. All I need now is to do this all again for each target IP address on my iSCSI storage device to build the multiple paths.
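Repeating the GUI steps for every target portal gets tedious, and Windows Server 2012 ships NetAdapter, MPIO and iSCSI cmdlets that do the same work. The following is an added example rather than anything from the original post: the adapter aliases iSCSI-A and iSCSI-B are assumptions, the IP addresses are the ones used above, and the IQN filter relies on the hp:storage.p2000 text the post reports seeing in the target name.

```powershell
# Added example, not from the original post. Adapter aliases are assumptions;
# addresses are the ones the post uses. Run in an elevated session.
$nics = @{ 'iSCSI-A' = '10.12.0.40'; 'iSCSI-B' = '10.12.0.41' }
$targetPortals = @('10.12.0.20')   # add the other controller ports here

# --- Part 1: NIC preparation, MPIO feature, then reboot ----------------
foreach ($alias in $nics.Keys) {
    # Drop the services iSCSI does not need and keep the NIC out of DNS
    Disable-NetAdapterBinding -Name $alias -ComponentID ms_msclient, ms_server
    Set-DnsClient -InterfaceAlias $alias -RegisterThisConnectionsAddress $false
    # Static address, no gateway: the storage VLAN is not routed
    New-NetIPAddress -InterfaceAlias $alias -IPAddress $nics[$alias] -PrefixLength 24
    # No power saving on a storage path
    Disable-NetAdapterPowerManagement -Name $alias
}

Install-WindowsFeature Multipath-IO
Enable-MSDSMAutomaticClaim -BusType iSCSI          # equivalent of "Add support for iSCSI devices"
Set-MSDSMGlobalDefaultLoadBalancePolicy -Policy RR # round robin for new devices
# Restart-Computer is required here, as the post notes; run Part 2 afterwards.

# --- Part 2: one session per initiator NIC to each target portal -------
Set-Service -Name MSiSCSI -StartupType Automatic
Start-Service -Name MSiSCSI

foreach ($portal in $targetPortals) {
    New-IscsiTargetPortal -TargetPortalAddress $portal
    $iqn = (Get-IscsiTarget | Where-Object { $_.NodeAddress -like '*hp:storage.p2000*' }).NodeAddress
    foreach ($src in $nics.Values) {
        # Add -AuthenticationType ONEWAYCHAP -ChapUsername ... -ChapSecret ...
        # once CHAP is configured on the SAN.
        Connect-IscsiTarget -NodeAddress $iqn -TargetPortalAddress $portal `
            -InitiatorPortalAddress $src -IsMultipathEnabled $true -IsPersistent $true
    }
}

# --- Verify: one connection per NIC/portal pair, and mpclaim's path count
Get-IscsiConnection | Select-Object InitiatorAddress, TargetAddress
mpclaim -v C:\config.txt
```

The Get-IscsiConnection output should show a row for each initiator address against each target portal, matching the Source and Target details the post inspects per path in the MPIO dialog, and the mpclaim report should show the same number of paths.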