High Availability, ISP, VPN, Servers, and Your business.

You see and hear the buzzword swarming around the internet: networks with special setups that tout “High Availability”, commonly abbreviated “H.A.”. What is it? What does it do for my business? Ultimately, in today’s economic climate… can I afford not to have it?

There are actually different types of HA that you can implement in your IT infrastructure. At its core, HA is a system design that ensures a defined degree of operational continuity during a given measurement period. In simple business terms, HA makes sure your employees are able to keep working even if a primary service provider, a server, or your local network experiences some sort of outage. Yikes!

As an example:

  • Can you afford to send your employees home because your office internet connection is down, while your ISP quotes a repair ETA of sometime between 9am and 6pm?
  • Can you afford half, or potentially a full day, of employee downtime because the file server is being rebuilt from the ground up?
  • Can you afford to have your website, email server, FTP server, and/or other in-house hosted services go down!?

For small to medium sized businesses, you need a solution – High Availability.

Most administrators of small to medium sized networks probably assume HA means twice the hardware, extra connectors, licenses, and more. Depending on the network equipment you already have, High Availability to a useful degree can very easily be a viable option. Let’s take a very common scenario as a prime example of what High Availability can do.

Your Users: You have a user base of 30 people. All with varying job tasks which rely heavily on internet access to go about those tasks.

Your Network: You have DSL service from your local ISP. You have a Cisco router/firewall, a medium grade switch, a file server and a Directory server, and a few occasional remote VPN users.

The Outage: Your internet is somehow disconnected or cut off! Covad can’t help until they send a 1st level support tech to check their field equipment, sometime between 12pm and 6pm. And this may not even be a field equipment problem.

  • you have 30 people grumbling they can’t get work done.
  • you have 30 people grumbling they can’t access your online company email.
  • you have 30 people standing around the water cooler.
  • you have the CEO at a remote location unable to access the internal company files.
  • your travelling remote sales associate can’t make the sale because they can’t VPN to access the internal company sales files.
  • you’re at the mercy of your local ISP’s support to fix the problem in a timely manner.

With a very simple High Availability setup, you could be saved. This is a very common and entirely possible situation, and a High Availability setup may alleviate the frustration, anger, and the ever possible firing of office employees. By choosing a business level Cisco router, you get the benefit of a very customizable and upgradeable platform. You may think the price for Cisco equipment is high, but their products are truly made for business. You wouldn’t want to trust “home” equipment to run your core business infrastructure, would you (that is another topic)?

The Answer: To avert a potential disaster, you have a very short shopping list. All you would need to implement a “High Availability – Dual ISP – Redundant internet connection – Redundant VPN” office network is a specific Cisco hardware module (a “WIC” module), a secondary DSL internet provider (other than your primary, Covad), and a few minutes during office downtime to get it all installed and configured. Total hardware cost can easily be had for under $300, and the total monthly cost for a secondary DSL line might be $25 (shop around). Without a High Availability setup, you may have lost MORE while the office was down: lost employee production, lost sales, lost clients, lost trust, and who knows… a lost job.

“The Outage” has been avoided. Your High Availability Cisco router setup automatically switched over to the secondary ISP, and you were alerted of the switch over. Your employees continue along with their tasks, and may not even have noticed the internet disruption.
And because you were alerted of the ISP failover, you can easily send out a “Daily Tech Update” to your remote and C-level staff, letting them know to use the secondary Cisco VPN profile or to call you for assistance.

  • The failover change was nearly invisible.
  • Staff keeps working.
  • Staff trust of the network maintained.
  • The President, CEOs and Management trust that you’re the right guy.
  • Staff maintains or gets new sales, customers, service.
  • You’re still employed!

Windows 2008 Server – Easily Secure your FTP server

Today, it’s all about security. If you aren’t practicing good security, you are probably going to be held accountable for the information that sneaks into your network, and especially the information that can find its way out of your network.

Script kids and hackers alike begin their first “hacking” by targeting what’s easy – the poor, unsuspecting FTP server, doing its job all day long of blindly sharing and accepting files. Here are the four key weaknesses of FTP (and its cousin Telnet) that make it insecure.

  • Clear-text transmission: all communications are done in clear text, including usernames and passwords
  • Weak client authentication: both FTP and Telnet authenticate users through usernames and passwords, which, time and time again, have proven to be unreliable authentication methods. There is no support for more advanced authentication methods such as public/private key, Kerberos or digital certificates
  • No server authentication: this means that users have no way to be sure that the host they are communicating with really is the FTP server and not an attacker impersonating the server
  • No data integrity: the problem here is that, in the same scenario as above, anyone could alter and corrupt the data being transmitted between the server and the client without being noticed

So you have your brand new shiny server with tons of disk capacity and a clean install of Windows 2008 Server. You’re tasked with setting up the new company FTP site. If you have experience with setting up IIS and FTP services on Windows 2000/2003 Server, then you know exactly how easy it is to set up the FTP service. With Windows 2008 Server, securing your FTP server became just as easy. And the benefits are immense!

Windows 2008 Server uses FTPES, aka FTP in explicit mode. In explicit mode, an FTPS (FTP Secure) client must “explicitly request” security from an FTPS server and then step up to a mutually agreed encryption method (usually the minimums are defined on the server). It currently isn’t packaged on the Windows 2008 Server install media, but information and the download can be found here: http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1619
Without this extra handshaking, your server-to-FTP-client communication is susceptible to snooping and hijacking. With these simple steps, your server avoids the pitfalls listed above that plague many FTP servers out on the web.
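
To make the clear-text and explicit-mode points concrete, here is an added example (written for this page; it is not code from the original article or from Microsoft’s FTP service) that audits an FTP control-channel transcript. In explicit FTPS (RFC 4217) the client sends AUTH TLS and the server answers 234 before any USER/PASS is exchanged, so a capture that shows USER or PASS before a 234 reply has already leaked the credentials. The three transcripts, the host names and the credentials are constructed for illustration; the audit takes a list of (direction, line) pairs such as you would pull out of a packet capture of port 21.

```python
"""Audit an FTP control-channel transcript for clear-text logins.

Added example for this page, not code from the original article or from
Microsoft's FTP service. In explicit-mode FTPS (RFC 4217) the client sends
AUTH TLS, the server answers 234, and only after the TLS handshake do
USER/PASS, PBSZ and PROT travel on the (now encrypted) control channel.
Any USER or PASS seen before a 234 reply has crossed the wire in the clear.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# Constructed transcripts: ("C", line) is client -> server, ("S", line) is
# server -> client. Hosts and credentials are made up for this example.
PLAIN_FTP_SESSION = [
    ("S", "220 ftp.example.test FTP Server ready"),
    ("C", "USER alice"),
    ("S", "331 Password required for alice"),
    ("C", "PASS hunter2"),
    ("S", "230 User logged in"),
    ("C", "RETR payroll.xls"),
]

EXPLICIT_FTPS_SESSION = [
    ("S", "220 ftp.example.test FTP Server ready"),
    ("C", "AUTH TLS"),
    ("S", "234 AUTH command ok. Expecting TLS Negotiation."),
    # On a real wire everything from here on is TLS ciphertext.
    ("C", "<TLS handshake and encrypted control channel>"),
]

REFUSED_AUTH_SESSION = [
    ("S", "220 legacy.example.test FTP Server ready"),
    ("C", "AUTH TLS"),
    ("S", "502 Command not implemented"),
    ("C", "USER bob"),                     # client fell back to clear text
    ("S", "331 Password required for bob"),
    ("C", "PASS s3cret"),
    ("S", "230 User logged in"),
]


@dataclass
class FtpAudit:
    tls_negotiated: bool = False
    cleartext_user: Optional[str] = None
    cleartext_password: bool = False
    findings: List[str] = field(default_factory=list)

    @property
    def credentials_exposed(self) -> bool:
        return self.cleartext_user is not None or self.cleartext_password


def audit_transcript(lines: Iterable[Tuple[str, str]]) -> FtpAudit:
    """Walk the control channel in order and record what was sent unprotected."""
    audit = FtpAudit()
    auth_pending = False          # client asked for TLS, server has not yet answered
    for direction, text in lines:
        text = text.strip()
        if direction == "C":
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            if verb == "AUTH" and arg.upper() in ("TLS", "SSL", "TLS-C", "TLS-P"):
                auth_pending = True
            elif verb == "USER":
                audit.cleartext_user = arg
                audit.findings.append(f"USER {arg!r} sent in clear text")
            elif verb == "PASS":
                audit.cleartext_password = True
                audit.findings.append("PASS sent in clear text")
        elif direction == "S":
            code = text[:3]
            if auth_pending and code == "234":
                audit.tls_negotiated = True
                break                # the rest of the capture is ciphertext
            if auth_pending and code[:1] in ("4", "5"):
                audit.findings.append(f"server refused AUTH with {code}; client may fall back")
                auth_pending = False
    return audit


def verdict(audit: FtpAudit) -> str:
    if audit.credentials_exposed:
        return "FAIL: " + "; ".join(audit.findings)
    if audit.tls_negotiated:
        return "OK: login protected by explicit TLS"
    return "INCOMPLETE: no login observed"


if __name__ == "__main__":
    for name, session in (("plain FTP", PLAIN_FTP_SESSION),
                          ("explicit FTPS", EXPLICIT_FTPS_SESSION),
                          ("refused AUTH", REFUSED_AUTH_SESSION)):
        print(f"{name:>14}: {verdict(audit_transcript(session))}")
```

The third transcript is the case to watch for once the server is upgraded: a client that asks for TLS, is refused, and quietly logs in anyway has leaked the password just as a plain FTP client would, so the server should be configured to require TLS rather than merely offer it. Note also that the 234 reply only protects the control channel; per RFC 4217 the data transfers are encrypted only once the client issues PROT P (after PBSZ 0) inside the TLS session, which is why a server-side “require SSL” setting for the data channel matters.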

Securing your new Windows 2008 based FTP server comes down to these steps:

  • Make sure your users and clients have a current FTP client that supports the FTP Secure methods.
  • Install IIS7 on your Windows 2008 Server.
  • Install the required Microsoft extras (all available on the “roles” menu) for Microsoft FTP Publishing Service for IIS 7.0.
  • Install the Microsoft FTP Publishing Service for IIS 7.0 update. Now you’re nearly 80% complete.
  • Create and apply security ACLs to your FTP repository. The top 10 rules that very much still apply today are published at http://www.windowsecurity.com/articles/Secure_FTP_Server.html
  • Create a self-signed server certificate, or purchase a server certificate and import it.

Tada, you’re done! Now your Windows 2008 FTP server is protected. From beginning to end (connection, authentication, authorization, data request, data transfer), it’s all encrypted.

Slipstreaming RAID and SATA controller drivers to your Windows XP, 2003 installation media

It still amazes me how many critical IT related tasks still require a floppy disk. I came upon one of these situations when trying to install Windows 2003 Server R2 on an extra Dell Workstation I had. Of course, it wanted the drivers on A:, which didn’t exist. Of course, you could always install a disk drive… Below are instructions on how to address this issue without using a disk drive. The term is slipstreaming because it injects the files just as if they were part of the original installation media.

  1. Download nLite (http://www.nliteos.com/).  You could also download the Vista version called vLite (http://www.vlite.net).
  2. Install the application
  3. Select your original Windows XP, 2003 installation media location.
  4. Select a target location to copy the installation files
  5. Select the tasks you would like to perform (i.e. install drivers, install service packs, remove components, etc.)
  6. Choose to create an ISO image from your previous selections or Direct Burn to create a new CD image.
  7. Install the OS using your CD, but this time, you don’t have to press F6 to try to load drivers.

Advantages of Voice over IP (VOIP)

What Is VoIP?
Voice over Internet Protocol, or VoIP, is the current technology that allows people to transmit voice signals through the internet instead of over the phone. Most people have already become acquainted with the idea of sending voice over the internet through the use of headsets or microphones, but only a few realize the unique differences between the two.

While a direct connection to a single person or a separate server allowed users to chat with each other using microphones, users still had to have telephone service in order to receive out-of-network calls. VoIP eliminates the obvious limitations of in-network voice communication, and expands it above and beyond our expectations.

Much like e-mail, users don’t have to pay to send or receive calls. E-mails can go anywhere users have set up a mailbox, at any time. Imagine e-mail transforming from text into voice, and virtual mailboxes becoming phones. The result is a completely free, new form of voice technology capable of sending voice over an internet line and converting it into a signal anyone with a phone can receive.

Cost Advantages:
Businesses, especially smaller or medium sized companies, are always in need of more cost-effective tools and solutions. Businesses invest thousands of dollars in order to save money over a longer period of time. VoIP is a service that can potentially provide the results companies are looking for, in an even shorter amount of time. By instantly cutting costs with fewer drawbacks, VoIP has become a popular solution.

  • Telecommunication systems can be merged with current networks, allowing a business to save on the cost of network infrastructure.
  • Remote Web-based interfacing eliminates the need for on-site representatives to repair or troubleshoot phone network issues.  Costs associated with on-site repairs are practically negated.
  • While saving money, VoIP users have found that the service provides much more than the average office phone service. While there were certain limitations with phone services (such as busy lines and expensive remote location calling bills), VoIP has sought to break these limits. Not only do clients receive phone services for nearly no cost, but they also receive tools tailored to let them manage and design the network how they want it to be. VoIP puts the client in control.
  • Single IP networked VoIP lines enable extension dialing to expand to multiple, or even distant locations.
  • Applications are all extended to employees at any corporate location (including temporary or remote locations), including, but not limited to: conferencing, voice mail, unified communications, and click-to-dial services.
  • VoIP telecommunications systems are easily simplified into a single network (combined with data networks), allowing for easy management, and the elimination of multiple networks.
  • Remote troubleshooting and management through web-based interfaces. Settings can be changed for specific employees remotely, and without the need to contact service providers or phone system manufacturers.

The 10-step guide to a Disaster Recovery plan

Problem: You need a plan for responding to major and minor disasters to let your company restore IT and business operations as quickly as possible.

1. Review Your Backup Strategy

  • Full daily backups of all essential servers and data are recommended.
  • Incremental and differential backups may not be efficient during major disasters, due to search times and hassle.
  • If running Microsoft Exchange or SQL servers, consider making hourly backups of transaction logs for more recent restores.
  • Store at least one tape off site weekly, and store on-site tapes in a data-rated fireproof safe.
  • Have a compatible backup tape drive available.

2. Make Lots of Lists

Business Locations

  • Addresses, phone numbers, fax numbers, building management contact information.
  • Include a map to the location and surrounding geographic area.

Equipment Lists

  • Compile an inventory of all network components at each business location. Include: model, manufacturer, description, serial number, and cost.

Application List

  • Make a list of business-critical applications running at each location.
  • Include account numbers and any contract agreements.
  • Include technical support contact information for major programs.

Essential Vendor List

  • List the essential vendors, those who are necessary for business operations.
  • Establish lines of credit with vendors in case bank funds are no longer readily available after a disaster.

Critical Customer List

  • Compile a list of customers for whom your company provides business-critical services.
  • Designate someone in the company to handle notifying these customers.

3. Diagram Your Network

  • Draw detailed diagrams for all networks in your organization, including LANs and WANs.
  • LAN Diagram: Make a diagram that corresponds to the physical layout of the office, as opposed to a logical one.
  • WAN Diagram: Include all WAN locations, with IP addresses, model, serial numbers, and firmware revision of firewalls.

4. Go Wireless

  • Wireless access using Wi-Fi Protected Access security (WPA2) lets the office operate from a new location.

5. Assign a Disaster Recovery Administrator

  • Assign primary and secondary disaster recovery administrators. Ideally, each admin should live close to the office, and they should have each other’s contact information. Administrators are responsible for declaring the disaster, defining the disaster level, assessing and documenting damages, and coordinating recovery efforts.
  • When a major disaster strikes, expect confusion, panic, and miscommunication. These uncontrollable forces interrupt efforts to keep the company up and running. Planning with employees ahead of time minimizes these challenges and increases efficiency. Assign employees to teams that carry out the tasks the Disaster Recovery Administrator needs performed.

6. Assemble Teams

Damage Assessment/Notification Team

  • Collects information about the initial status of the damaged area, and communicates it to the appropriate members of staff and management.
  • Compiles information from all areas of the business, including business operations, IT, vendors, and customers.

Office Space/Logistics Team

  • Assists in locating temporary office space in the event of a Level Four disaster.
  • Responsible for transporting co-workers and equipment to the temporary site; authorized to contract with moving companies and laborers as necessary.

Employee Team

  • Oversees employee issues: staff scheduling, payroll functions, and staff relocation.

Technology Team

  • Orders replacement equipment and restores computer systems.
  • Re-establishes telephone service and internet/VPN connections.

Public Relations Team

Safety and Security Team

  • Ensures the safety of all employees during the recovery process.
  • Decides who will and who will not have access to any areas in the affected location.

Office Supply Team

7. Create a Disaster Recovery Website

  • A website where employees, vendors, and customers can obtain up-to-date information about the company after a disaster could be vital. The website should be mirrored and co-hosted at two geographically separate business locations.
  • On the website, the disaster recovery team should post damage assessments for business locations, each location’s operational status, and when and where employees should report for work.
  • The site should allow timestamped messages to be posted by disaster recovery administrators. SSL certificates should be assigned to the website’s non-public pages.

8. Test Your Recovery Plan

  • Most IT professionals face level one or level two disasters regularly, and can quickly respond to such events. Level three and four disasters require more effort, so your disaster plan for them should be carefully organized. Plan how to assign whatever resources you do control in such situations. Test the plan after each revision, and discuss what worked and what didn’t.

9. Develop a Hacking Recovery Plan

  • Hacking attacks fall under the scope of disaster recovery plans.
  • Disconnect external lines. If you suspect that a hacker has compromised your network, disconnect any external WAN lines coming into the network. If the attack came from the Internet, taking down external lines makes it harder for the hacker to further compromise machines and, with luck, prevents them from reaching remote systems.
  • Perform a wireless sweep. Wireless networking makes it relatively simple for a hacker to set up a rogue Access Point (AP) and attack from the parking lot. Use a wireless sniffer to perform a wireless sweep and locate APs in your immediate area.

10. Make the DRP a Living Document

  • Review your disaster recovery plans at least once a year. If your company network changes frequently, schedule a semi-annual review. Keep in mind that an out-of-date disaster plan is almost as useless as having none.

Troubleshooting Backup issues

Backing up files can be troublesome. Speeds can reach disastrous new lows, and files tend to get corrupted along the way. It might seem like more trouble than it’s worth, but in our experience it makes the difference between hours and days. With the correct tools and information, it is possible to narrow down the problem, and even solve it. Below is a troubleshooting guide for common reasons why your server backup process may be causing errors.

1. Here is a summary of what to examine in order to narrow down a potential problem:

  • Document any noticeable problems.
  • When did you notice the change or error(s)?
  • Have there been any changes to the main backup server, media servers, or backup clients?
  • What, if anything, have you done already to troubleshoot this problem?
  • Do you have any site documentation?
  • What are your expectations once the problem has been rectified?

2. Hardware Related Slow-down

  • The speed of the disk controller, and hardware errors caused by the disk drive, tape drive, disk controller, SCSI bus, or even improper cabling/termination, can slow performance.
  • Tape drives are incompatible with SCSI RAID controllers.
  • Fragmented disks (data written to scattered physical locations on a disk) take much longer to back up. Fragmentation not only affects the rate at which data is written, but also your overall system performance. The solution is simply defragmentation.
  • The amount of available memory greatly impacts backup speed. A lack of free hard disk space is a commonly overlooked issue, generally due to improper page file settings.

3. File Types and Compression

  • The average file can potentially compress at a 2:1 ratio if hardware compression is used. Backup speed could potentially double if average compression is applied first.
  • The total number of files on a disk, and the relative size of each file, is important in calculating backup speed. Fewer, larger files make for a faster backup.
  • Block size has an important role in compression, and thus affects backup speed. The bigger the block size, the more capable the drive is of achieving better throughput and increased capacity. It is not recommended to increase the block size above the default.

4. Remote-Disk Backup

  • The backup speed for a remote disk is limited by the speed of the physical connection. The rate at which a remote server’s hard disks can be backed up depends on the make/model of network cards, the mode/frame type configuration for the adapter, the connectivity equipment (hubs, switches, routers, and so on), and the Windows NT 4 or Windows 2000 settings.
  • A commonly overlooked reason for slowdown on network backups is the configuration of the network itself. Features such as “Full-Duplex” and “Auto-Detect” may not be fully supported in every environment. Setting the speed to 100Mb and duplex to half/full on the server side, and 100Mb on the switch port, is the common practice. Depending on the resulting speeds, half or full duplex will be the better solution.

5. Methods to potentially improve tape backup performance

  • Make sure the tape drive is properly defined for the host system. It is common for a SCSI host to disable the adaptive cache on the drive if it is not recognized. The cache enables features like drive streaming to operate at peak performance.
  • Put the tape drive on a non-RAID controller by itself.
  • Make sure all settings in the controller’s POST BIOS setup utility are correct.
  • Make sure the proper driver updates have been applied for the SCSI controllers.
  • Confirm proper cabling/termination for the devices being used.
  • Update the firmware on the tape drive to the latest level. In some cases, the firmware may actually require downgrading to improve performance.
  • Check the tape drive and tape media statistics to see if errors occur when backups run.
  • Check the Windows NT or Windows 2000 Application Event Logs for warnings/errors.

The 3 evils of Voice over IP (VOIP)

Many of the world’s largest telephone companies are committed to replacing their existing circuit switched systems with voice over IP systems. These packet switch voice over IP systems allow them to transport a significant portion of their traffic with IP. Surprisingly, many calls made over telephone company equipment are already being transported with IP.
Packet switched voice over IP systems are in principle as efficient as synchronous circuit switched systems, but only recently have they had the potential to achieve the same level of reliability as the public switched telephone network or proprietary PBX equipment. With the invention and implementation of RTP (real time protocol) and SIP (session initiation protocol), voice over IP has the technological base to obsolete the circuit switched public switched telephone network.

– by Paul Mahle
Asterisk and IP Telephony / Paul Mahle
Copyright 2003, 2004 by Signate, LLC.

VoIP provides enhanced teleconferencing and remote teleworking to maximize internal productivity, save money and simplify management.

So, you are interested in implementing a VoIP system for your small business, but are unsure of the capabilities of your network. It can be broken down into 3 steps:

1. Determine how well the network is running
2. Deploy the voice over IP service
3. Verify that the service levels are working correctly.

How do you know if your current network is up to the task? What criteria determine if your network is voice-capable? What are the optimum factors in running a smooth and clear voice over IP system?

The 3 evils of Voice over IP networks.

1. Delay (minimum of 150ms, use Cisco RTPC + LFI)

This is the time it takes voice to travel from one point to another on the network. It can be measured in one direction or for the entire round trip. Calculating delay usually involves Network Time Protocol (NTP), clock synchronization, and reference clocks.

2. Jitter (the optimal jitter buffer should fit the network’s differential delay; Cisco’s LFI)

This is the variation in delay over time from point to point. The higher the variation, the more degraded the call quality will be. The amount of tolerable jitter on the network is governed by the depth of the jitter buffer on the network equipment in the voice path. When more jitter buffer is available, the network is better able to reduce the negative effects of a broad variation. Unfortunately, a buffer can also be too big, which increases the overall gap between packets.

3. Packet Loss (less than 2.5-5%, use QoS that differentiates between data and voice packets.)

Packet loss refers to the packets of data that are dropped by the network to manage congestion. Data applications are very tolerant of packet loss, as they are generally not time sensitive and can retransmit the packets that were dropped. Dropped packets in a VoIP network appear as noise in the conversation and may require the speaker to repeat the last word or sentence, which is clearly undesirable.

Grant Full mailbox access to Domain Admins and Enterprise Admins in Exchange 2003

One would assume that administrators (Domain Admins and Enterprise Admins) would be allowed to fully control user mailboxes. Unfortunately, this presumption is shown to be incorrect when admins try to add additional mailboxes to their Outlook client. Of course, you can always manually set permissions on a per mailbox basis, but that defeats the purpose of global mailbox management. The cause is due to Microsoft deciding to globally set Deny permissions to Full Mailbox Access (Send As / Receive As) and hide the security tab in which one could edit these permission settings in Exchange System Manager. Fortunately, there is a simple registry fix for this problem.

1. Run regedit

  1. Click Start, point to Run, and then type regedit.

2. Add the registry value ShowSecurityPage

  1. Go to HKEY_CURRENT_USER\Software\Exchange\ExAdmin.
  2. Once you reach the above section of the registry, create a DWORD called ShowSecurityPage.
  3. A value of 1 (numeric one) means on (show the security tab), whilst 0 (zero) means off.
  4. Close the registry editor.
  5. Close the Exchange System Manager, then reopen it (no need for a reboot).
  6. Right-click YourOrganization (Exchange), then click Properties.
  7. Click the Security tab, then highlight the Domain Admins group.
  8. Scroll down the permissions list and uncheck Deny for Send As and Receive As.
  9. Repeat the above step for the Enterprise Admins group.

How to reinstall TCP/IP in Windows XP

Sometimes, no matter how many times you uninstall TCP/IP or the network drivers, your computer refuses to connect properly to the network. Signs usually include erratic network connectivity, webpages that won’t load when first accessed, no IP address bound to the adapter, etc. The instructions below provide a way to essentially REINSTALL TCP/IP and fix corrupted Winsock registry values. If these steps do not work, the best thing to try is to run a repair using your Windows 2000 CD.

1. Remove TCP/IP

Note: Before you remove TCP/IP, make a note of the IP and the DNS settings.

  1. Click Start, point to Settings, and then click Network and Dial-up Connections.
  2. Right-click Local Area Connection, and then click Properties.
  3. In the Components checked are used by this connection list, click Internet Protocol (TCP/IP).
  4. Click Uninstall, and then in the Uninstall Internet Protocol (TCP/IP) dialog box, click Yes.
  5. When you are prompted to restart your computer, click Yes.

2. Delete the Bind registry value, the Tcpip subkey, the Winsock subkey, and the WinSock2 subkey

  1. Click Start, click Run, type regedit in the Open box, and then click OK.
  2. In the left pane, expand HKEY_LOCAL_MACHINE, and then expand SYSTEM.
  3. Expand CurrentControlSet, and then expand Services.
  4. Expand lanmanserver, and then click Linkage.
  5. In the right pane, right-click Bind, and then click Delete.
  6. In the Confirm Value Delete dialog box, click Yes.
  7. Expand lanmanworkstation, and then click Linkage.
  8. In the right pane, right-click Bind, and then click Delete.
  9. In the Confirm Value Delete dialog box, click Yes.
  10. Right-click Tcpip, click Delete, and then in the Confirm Key Delete dialog box, click Yes.
  11. Right-click Winsock, click Delete, and then in the Confirm Key Delete dialog box, click Yes.
  12. Right-click WinSock2, click Delete, and then in the Confirm Key Delete dialog box, click Yes.
  13. Restart your computer.

3. Reinstall TCP/IP

  1. Click Start, point to Settings, and then click Network and Dial-up Connections.
  2. Right-click Local Area Connection, and then click Properties.
  3. Click Install, click Protocol in the Click the type of network component you want to install list, and then click Add.
  4. In the Network Protocol list, click Internet Protocol (TCP/IP), and then click OK.
  5. Replace the IP and the DNS settings with the values that you made note of at the beginning of the “Remove TCP/IP” section.

Installing Windows XP using an external USB CD-ROM, DVD-ROM drive.

Due to high demand for portability and technological advances, laptops are getting smaller and faster. They are now as small as a notebook and just as productive as a workstation. Unfortunately, the smaller laptops are smaller because essential devices, such as CD-ROMs and floppy disk drives, are externally connected. To add to the problem, companies often use proprietary connections to these devices. What happens when it breaks and the replacement costs twice as much as other external USB drives? What if you have to boot off a CD to re-install an operating system because you just upgraded to a new hard drive? What if your operating system is corrupted and you would like to start over fresh? All of these situations have one thing in common. They pose the question: How do I get the Windows boot CD to boot off my external CD-ROM if my BIOS doesn’t support booting from USB? The steps below will save you a lot of time and frustration.

1. Download the USB DOS driver and Save the file to your hard drive.
2. Use Winzip to extract the file. If you do not have the Winzip program you may get a shareware version here.
3. Extract the file, then open the folder named USBboot and execute the rawrite2.exe.
4. When prompted for the image name, enter dosboot.img
5. Enter the floppy drive as your destination drive, which in general is the A:
6. When it is done, reboot with this disk to use the USB devices.
7. If everything went well, you should have a drive R: for the CDROM drive. You are now ready to copy the I386 folder from the Windows 2000 or XP installation CD to the hard drive.
8. Hard Drives will most likely be C: (the next letter available).
9. At the prompt, go to the CDROM drive (R:) and run “Xcopy *.* /s C:”
10. Now go to the I386 folder (C:\I386), then type Winnt.
11. Installation should now start. Follow instruction from your Operating System manual on how to install the OS. (Installation will take some time, Please be patient)