Well no more friends do you need to leave the comfort of your chair, your beverage and your snack…and risk human interaction, here are the lazy steps (blatantly copied from  mydigitallife.info).

I have to admit I spent about 5 minutes, quite possibly more time than walking to the machine I needed to fix, searching steps to remotely enable Remote Desktop on a workstation…. But it is ok since it was during a work night and the building was closed and I wasn’t avoiding anyone by my working remotely!

To remotely enable Remote Desktop on another computer, follow these steps:

• Login to the workstation with administrator credentials.
• Run Registry Editor (regedit).
• Click on File menu.
• Select the Connect Network Registry in the pull down menu.

• A “Select Computer” dialog search box is opened. Type the host name of the remote computer in the text box, or browse Active Directory to locate the remote server, or click on “Advanced” button to search for the remote computer.

• Click OK after the remote computer is selected. A node for the remote computer network registry will be displayed in the Registry Editor with HKEY_LOCAL_MACHINE (HKLM) and HKEY_USERS (HKU) hives.

• Navigate to the following registry key for the remote computer:

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server

• In the right pane, locate a REG_DWORD value named fDenyTSConnection. Double-click on fDenyTSConnection and change the value data from 1 (Remote Desktop disabled) to 0 (Remote Desktop enabled).

  

• Reboot the remote machine by issuing the following command in Command Prompt:

  shutdown -m \\hostname -r

  Replace hostname with the actual computer name of the remote host.

• Remote Desktop for the remote computer has been enabled, and listening on default Remote Desktop port for any incoming Remote Desktop Connection.

Another option that works is via this handy application Enable Remote Desktop-Remotely by Intelliadmin.com

If you would like our Zones contact’s info let me know but here are the Sony details about the trade-in program http://www.sony.tradeups.com/Customers/12/AllPromotions.aspx

Sony ships with tons of bloat-ware and we did have some issues putting our volume XP and Vista licensing on these devices because of Sony driver issues but the second tier support was great in getting these issues resolved…. I wouldn’t change your entire lineup to Sony laptops, but if you have some old boat anchors laying around that you want to trade in this a great cost effective option.  If you do purchase a Sony viao and have support issues let me know and we’ll give you that contact info too.

Some might say its almost the whole SonicWall product line, and I guess they might be close but then they might also go an purchase a lot of Sonicwall gear too (you know who you are, Justin)…

2 – E-Class 5500
The E-Class does a great job load balancing between 2 cable modems and our T1 all while doing content filtering and unified threat management.  Once we receive the switch from our reseller, we will have these two units install in a HA Pair

1 – CDP 4440i (Disk to Disk Backup)
The  CDP has been rock solid for backup, except for recently having an issue keeping too many backups of exchange (but this is being resolved…. i would much rather have too many backups than no backups… Yikes that brings back awful memories of 2 years ago this week)

1 – SSL-VPN 2000
The SSL-VPN just works great.  Any remote access (OWA, RDP etc.) all comes thru this single location for our users… great way to simplify remote access training.

1 – Email Security 400
We have had ups and downs with this Spam appliance, but since we got it dialed in… only 1-2 spam messages hit our users inbox per week (avg.)

1 – 4060 Pro (Enhanced OS)
Offline and For Sale If you are wanting to buy at used Pro4060 leave a comment.

12 – SonicPoints for Public WiFi
We recently deployed all the WiFi radios and have almost 100% coverage over 170K sq.ft.

Enter Apple Server’s System Image Utility… The Image utility allows for you to create a base system, prepare it for deployment over the network and distribute it to similar clients (Intel or PPC).  There are several options for creating the image 1. Pull the image from DVD or 2. Clone an existing machine.  The benefits of creating the image from DVD are a clean from factory default installation that can deploy fairly quickly over the network… We however we elected to clone an existing machine.  The clone allows us to add all the base software and drivers and then push that image with the base software already installed to another machine.

How its done.

• Install from DVD on to a machine that is the same vintage of processor as the machines that you plan to deploy the image to.
• In our case we have both PPC and Intel so we started making an image of each on two separate machines. 
• After the OSX installer is complete update the OS from Apple Updates add the software you want included and the preferences you would like configured. 
• In our case our base install includes: Mac Office 2008, Canon PS and UFR II Drivers, Disabling the onboard Bluetooth, Disabling the .DS_Store for network volumes, Disable Guest Account Access. (DO NOT INSTALL SYMANTEC BEFORE YOU IMAGE THE MACHINE… for some reason this causes the image to fail)
• After the base software and drivers are configured, go to Disk Utility and run permissions repair.
• Capturing the image can only be done on a secondary volume from where you are installing the OS.
• If the install is on a primary volume, you will have to boot the device in target mode from the Startup Disk System Preferences.
• If it is installed on a secondary volume you can boot to the primary volume to capture the image.
  
• On a machine with the OS X 10.5.3 Server Admin Tools installed (downloaded from  http://www.apple.com/support/downloads/serveradmintools1053.html or off the OS 10.5.3 Server Disk) Start the System Image Utility and it should find the volume you just created and updated.
  
• Select the Volume you want to image and choose netinstall and select customize.
• Add Enable Automated Installation and Create Image to your workflow then configure where you want to save the output files, select an index for each image you will create and choose RUN.
• After an hour or so the location you selected will have a folder/file ending in .nbi

How to Deploy the image: (Our configuration)

• Enable the NetBoot service in the Server Admin Console
• Next Configure the NetBoot Service by going to the settings
• On the General Tab Enable which device you want Netboot to run on (Ethernet)
• On the General Tab Select where you want to store the Images (Volume 2 for both Images and Client Data)
  
• Copy the .nbi to the location where you told the Netboot service to save the data.  /NetbootServiceLocation/Library/NetBoot/NetBootSP0
• Next Configure the Images on the Server Admin>Netboot>Settings> Images Tab
• Enable the Image you would like to NetInstall from.
• Select the Architecture that you would like to use this volume.
• Restart the NetBoot Service
  

How to boot the Machine and install the image:

• While booting the device press the ‘n’ key or select the network Network Volume in System Preferences>Startup Disk
  
• When the device boots a little world will display and then the machine will indicate that it is recovering a system image.

After the Image is restored, the machine will rename itself and add a digit to the end, so you can install this on as many machines at the same time and not worry about the issues you might have without running Sysprep on a Windows machine.  Simply rename the machine in System Preferences> Sharing and change the name and the local hostname.

Tweaking our Sonicwall Gear Continues, and I have to say it responds quite well to our ever changing needs.  Several of our ministries needed our content filtering tweaked for their needs but IT and our Leadership team didn’t want to open entire categories in the filter to allow specific sites across the board especially since are using that content filtering for our core network AND our public Wifi, so enter Sonicwall Single Sign On Agent (SSO).

Sonicwall has offered the SSO agent since the release of version 4 last fall, but it took us quite a while to get this project on the top of the list and get it tested before we deployed it into production.  Basically the SSO agent allows for the user’s Windows workstation to authenticate the user who is logged into that workstation against the firewall.

The configuration process is fairly basic (although because of several issues I won’t say easy). 

What you need to make this happen:

• A Sonicwall Firewall with and active Content Filtering Service subscription and the CFS enabled
• The Sonicwall SSO agent installed on a networked machine (in our case a virtual server)
• A working MS Active Directory structure for your domain.
• User(s) added to groups defined in Active Directory.

The biggest hurdle we had was the SSO agent failing on us.  We would get everything running in our test environment and then the agent service would stop and then there was no web access.  You can set the device to fail open if the SSO agent fails, but we elected to drop down to the default CSF policy for all users if the agent fails.  After we downloaded a more recent version of the SSO agent, moved it to a more stable server and that seemed to resolve that issue.

First you need to adjust the content filter to allow access to the specific sites you want to allow some users to access. 

• The catch, you can’t allow/deny access to a specific url based on the logged-in user or group. To resolve this issue we had to first allow the specific sites we need to access through the content filter. This is a simple white list in the content filter. 
  • Note this excludes the url from all content filters
• Then utilize the firewall, which has the AD group specific granularity you need.
  • Create a firewall rule to allow access to the sites for specified groups and deny for all others.
  • This is all of course only on the authenticated side. Other zones and non Windows machines follow the default rules and provisioned the exceptions by user. Since firewall rules are higher priority than CFS the site can be an exception in the CFS but only those who are in the allow group are able to view the site.

Jeremie called Intel to alert them of the problem and was told he would receive a call from the RMA-Specialist within the hour to resolve our replacement hardware problem.  For the Next 6 hours every hour we contacted Intel and were told to wait for a call back.  At 4 pm I joined Jeremie on the phone and we were told that the inventory from the parts depot appeared to have the Storage Module on back order. Needless to say steam, fumes, and a few other things started coming out of my ears.

We were talking to a support technician named Carol, who informed me a transfer to her supervisor, a shift manager, a floor manager, or anyone else at Intel was against policy and I would have to wait for the callback. After about 5-10 minutes of this discussion looping Carol informed me that she was ending the call.  ARE YOU KIDDING ME?  A customer calls and informs you that 75 % of the production network is critical down and you say wait for a call back and hang up?  So we immediately called back and talked with another support technician and he again escalated the case.  Within 10 minutes we received a call from Oscar, he was a RMA Specialist and had talked with the staff at the parts depot and confirmed that the Storage Module was on back order… and our option was to purchase a new module from a distributor and Intel would reimburse us.  How can a mission critical part for a system that is 6 months old be on back order???

We called about 10-15 distributors and all were out of stock.  Finally we found our new best friend at SHOPBLT.COM,  Harold returned our voicemail that we left after their stated business hours, and apologized that he didn’t answer the call, but that they were under a tornado warning in Connecticut, but he wanted to know how he could assist us.  He did have one module in a warehouse, and he checked and it was on the shelf and the warehouse manager in Illinois said he would have it on a truck that night.  We asked where in Illinois the warehouse was and could we pick up the part, and Harold informed us he couldn’t disclose the location since they were a defense contractor…

Meanwhile we had contacted our Intel Channel Partner Mark and he had arranged for a test in the Intel Engineering to confirm that the replacement of the module was as simple as putting in the new module.  Intel’s tests confirmed the replacement was as documented.

Thursday AM the part arrived and we reinstalled the original Mid-Plane back into the chassis and said a prayer.  When we powered on the Chassis all was well and we could see and access all our data Yahoo! What a God thing.  Unlike our SAN this hardware was designed correctly to house the information about the RAID arrays on the drives so the volumes were completely intact after we inserted the new storage module.

We copied the data off to our recently made larger SAN and booted up all the virtual servers on various hosts to make sure the data was intact… and it was.  Jeremie then installed the new mid-plane now that the Chassis was not running any virtual servers and upgraded the firmware on the module all with success.  Once MasterFlex was back online we copied the virtual servers back and booted them up… And all production servers back online.

Follow-Up:

– Why don’t we have a second Storage controller in the blade system… $1800 is the cost of the second module.  Would it have prevented this issue.. possibly unless the secondary would have fried during the process to update the firmware too… So now we need to budget for the secondary module.

Questions for Intel:

- Why was there no documentation sent with or online about replacing the Mid-Plane or how to check the firmware version that it would push to all the modules.

- Why is the Storage Module on Back order?  What would Plan C had been if we couldn’t have purchased a module?

- Why is there no escalation process to the Customer Support/Technical Support call queue?

So we powered down all the virtual servers and the hosts and took basically everything out of the chassis to prepare for the hardware swap.

The installation was fairly simple after we removed the 12 screws, installed the new mid-plane and installed the modules back in the chassis.

We restarted the chassis to find that the Mid-Plane was a older version of firmware and that the control module was down grading all the components to a previous version… then all went to chaos.

The StorageModule asked to enter safe mode to change the firmware (a process we had done before) but after the module cycled down it never came back online in the management console.

After several hours of tech support calls we identified the module wasn’t powering on, so a part was dispatched.  We continued to talk with support for a little while longer trying to see if there was any resetting or anything of the module that could be done to have the part cycle back on but there was no success.

Around 2 am we were told that the case was escalated to engineering and we would need to wait until engineering contacted us.

For the next 3 1/2 hours Jeremie and I worked to move around virtual servers and recover a few backups to bring online the majority of our services.

When we went home at 5:45 everything (mission critical) but ACS and our Print server were online.  We didn’t bring ACS back from backup because we would loose all of the contributions and other Monday AM processing that had happened after the previous nights backup and prior to our Monday night backup that had not yet happend.. and the Print server didn’t restore from the system state.

So after a few hours of sleep we talk with Intel and they dispatch a new StorageModule /Controller.

More to come as the process continues…..

Months ago we started the demos with some great sales staff at Fatpipe, Radware, and Astrocom load balancing devices and all performed well head to head.  We had narrowed the field down to the Radware primarily because of the included services.  Fatpipe was wanting us to pay extra for the same QOS that Radware included (Not to mention Radware performed better head to head with the others) and well the Astrocom boxes just didn’t handle the demo well.

So we were all but ready to move forward with Radware until Jeremie and I took a road trip to Ohio for a SonicWall Road Show where we learned a lot about the new E-Class firewall.  The E-Class is SonicWall’s answer to the enterprise environment.  After the Road Show our reseller (Mark at CMSupportServices.com) gave us the opportunity to have a 30 day demo of the E-Class and we couldn’t pass up that opportunity. 

Finally we decided that we would purchase the E-Class… Why you ask?  While there were some services that came with the Radware hardware the yearly recurring costs were fairly high.  Even after comparing the E-Class with Radware we decided the features that the Radware had over the E-Class were not important to us.  But we did come to the conclusion that the E-Class performed very well and had the added benefits that we didn’t have an ‘extra’ set of additional appliances and the yearly recurring costs were very much in range with what we were already paying for the services we had on or SonicWall 4060.  The last benefit was a great bonus that we now would have a redundant pair of firewalls removing that nagging concern that we were purchasing hardware to balance and give us fail over capability with our ISPs but our firewalls were still a single point of failure.   So we put the E-Class thru the same tests and it has performed very well. 

So why has it been anti-climactic ?  We had put the E-Class into production once during a test but were waiting for our next work night to roll out the new E-Class firewalls but then life happens.  Around 11 am all the web based applications on my desktop started failing, so I called our great network admin Jeremie.  A few minutes later JK comes to my office and says a Jeremie quotable… “Hey, so do you want to migrate to the E-Class this morning”?  Knowing Jeremie I knew this wasn’t good news.  JK went on to explain that our 4060 was in a reboot loop so we had the choice move forward with the replacement of the firewall and migrate to the E-Class or connect with support to resolve the issues with the 4060 and have a longer outage.

So after a few minutes of Jeremie showing the Pro406 who was boss…. we elected to make the jump to the E-Class.

We decided to make the jump since most of the rules and routing had already been built by Jeremie for our tests.  So about an hour later we were back up and running with all mail and web services working well.  (The delay was because we have elected to route all our internally hosted services in and out of our T-1 while our other traffic is load balanced.  Because of this unique route email wasn’t going outbound, but was quickly resolved by a call to support.)

So we made the migration to our new redundant ISPs and expanded bandwidth… with some extra added excitement.

For those who have asked…Yes, we are planning to sell our recently decommissioned Pro 4060 (after we get the reboot loop resolved under our support contract, of course!).  Let me know if you would like to have an opportunity to purchase this 1 1/2 year old gear.

Great job to my staff!  Jim & Jeremie you guys are great! (Linda you are too, but well you were off playing, partying and having fun at the ACS Convention and missed all the excitement.)

We have a SSL-VPN 2000 but Sonicwall doesn’t really have any documentation addressing use of the wildcard certificates on this appliance.  Their documentation is fairly straight forward of how to request and import a normal certificate so but makes no mention of using a Wildcard Cert.  Since the SSL-VPN’s certificate was going to expire sooner than our Exchange server’s and since process to import a certificate in the Sonciwall is a little more complex Windows IIS6 we decided start with the request from the SSL-VPN box.

The process to request and install the Certificate on the SSL-VPN 2000 is as follows:

• Create a Backup of the SSL-VPN Appliance
• Go to the System > Certificates page and click on the Generate CSR button.
• Complete the CSR window. 
• Enter the Fully Qualified Domain Name as *.domain.org
• Enter your organization’s name as registered name with the State. 
  • Our first submission to the CA failed because we entered the organzation name as Northwoods Community Church but the CA required our request to be entered under the name Northwoods Community Church, Inc. We were told that this was the case because of the liablity value was higher with a Wildcard Certificate than with the inexpensive SSL certificates.
• Enter and Document the request password.
  • You will need this when you import the certificate.
• Save the csr.zip file from the SSL-VPN console to your local workstation.
• Unzip the csr.zip and save the server.key file for use after you receive your certificate from the CA.
• Open the server.csr file with notepad and copy the contents of the server.csr file to the CA web interface to make your request.
• After the domain.org.crt file is received from the CA copy the .crt file and the .key file that was created during your csr request to a comon directory.
• Rename the .crt file server.crt and zip the directory.
• Be sure the .zip file is named certkey.zip
• Login to the SSL-VPN Appliance, Go to System > Certificates.
• Click on ‘Import certificate…’ button.
• In the pop-up that appears, select the ‘certkey.zip’ file you just created and click on import.
• If it is successful, the screen will now say ‘pending’.
• Activate the certificate by clicking on Configure icon next to new cert.
• You will be prompted to enter the password you entered when creating the CSR. Enter this and click on the Submit button. The screen will now say ‘inactive’.
• This next step will reboot the box.
• Select the Enable radio button next to the new certificate and click on the Apply button in the upper-right-hand corner.
• After the reboot, your certificate is now active.

To install the certificate on an additional server, in our case a IIS6 web server,  you will need import the certificate as a .pfx. 

• Download the cerficiate from your web browser to a .cer file going to the website that is using the SSL cert and choose view the certificate.
• Go to the details tab and choose copy to file and save the certificate as a .cer format.
• To import the certificate into IIS you will need to convert the .cer file to a .pfx file.
• Convert the files using OpenSSL
  • After installing OpenSSL Click START > RUN then type cmd.exe.
  • You need to navigate to the path where you installed your OpenSSL binaries.
  • Within this directory chdir to bin
  • Type the following commands to convert the .CER to .PEM format:
    • openssl x509 -in <drive:\path\to\cert>.cer -inform DER -out <drive:\path\to\cert>.pem -outform PE
    • openssl.exe pkcs12 -in<drive:\path\to\new\cert>.pem -out <drive:\path\to\cert>.pfx -nodes
  • Take the exported .pfx file and save it in a location where you can access it from your IIS server.
• Open IIS and go to the properties of the web you are configuring with the SSL certificate.
• Go to the Directory Secuirty Tab and select Server Certificate under Secure Communications.
• Choose Import a certificate from a .pfx file
• Enter the password you gave the .pfx file when you created it.
• After the certificate is imported rerun the wizard and Choose to ‘Assign an existing certificate’ to the site and choose the new certificate that you just imported.

You should now be able to browse the second web server and the SSL wildcard certificate should be activated.  Save the .pfx file for future use and it can be imported into a future webserver to utlize the wildcard certificate.

Some highlights from the trip:

I had reserved a rental car from the Enterprise website and found out the next morning that the transaction didn’t complete, and there was no reservation.  The best part of this experience was the individual at the desk at Enterprise tells me “Even if you had a reservation we don’t have any cars, so it really doesn’t matter.”  So Budget Rental car here we come…

A rental car with a bunch of tech stuff powered on… GPS, Cell Phones teathered to laptops for web browsing, IPod etc.

- Dinner at Red Robin Restaurant (home of the bottomless fries!!) with my parents.

- Fixing all my parent’s computer issues… Actually the list was short…configuring both Tivos to connect to the Wifi since we had changed the encryption to WPA and configuring Dad’s new laptop to connect to the Wifi .

Roadshow was good, a little more ’sales pitch’ than I had hoped but informative but we still learned some things:

- Single Sign-On with Content Filtering only works with Windows machines, if you are rolling this out to all users and you have some Macs on the network that aren’t running a virtual Windows machine this will require a default policy for unauthenticated users.

• - There is some major development going into the CDP.  They are bringing to market a CDP that has removable drives and is much more expandable than the existing product line.
• - We were able to give our list of our top 5 causes of heartburn with the CDP to David K. (the CDP Territory Sales Manager) who is going follow up with us to find some ’work arounds’ and then help get our concerns on the development road map.

- David K. mentioned we can work toward some possible options for non-profits for off site CDP replication that aren’t as crazy expensive as the current Sonicwall services

- After meeting with some of the E-Class engineers we have a strategy to quickly install and test the E-Class to determine if it is a ’real’ LB option for us.

- Lunch Jeremie and my Mom at the busiest Wendy’s in the state of Ohio.  This Wendy’s location is in the lower level of The Ohio State University Medical Center.

- Dinner with David, Ruth and Nathan Szpunar at Donatos (one of the best Pizza places)

13 hours of driving, 5 hours of Roadshow a worthwhile trip.