Jim Allchin is the man who was behind the Windows platform. He hung up his mouse last night to head out into the Washington State mountains, i.e. he retired. His last act as a Microsoft employee was to post an entry on the Windows Vista blog. It’s fairly humorous and worth checking out.
Month: February 2007
Microsoft Intelligent Application Gateway 2007
- Provide Secure Remote Access to Corporate Applications and Data. IAG 2007 helps you control access through unified SSL VPN, application-layer filtering, and endpoint security management, providing employees with secure intranet access to critical applications, documents, and data from a broad range of devices and locations.
- Strengthen Information Security Specific to Your Environment. With flexible and differentiated access to extranet resources for employees and partners to Web and legacy applications, IAG 2007 protects infrastructure through easily adaptable application-specific security.
- Defend Against Web-based Data Exploits and Theft. IAG 2007 enables Internet-based and mobile access from unmanaged endpoints, and enforces proper information usage with granular identity-based policies, helping the business comply with legal and regulatory guidelines.
There’s a pretty good overview on the Microsoft website.
Some people I know and trust with this stuff have been working with Whale’s solution for a while now. They like it. What’s more, customers who ran it on trial liked it. Customers who consider security to be critical (read this as major financials) liked it.
As usual, there’ll be those who use the "we won’t use a Microsoft firewall … it’s just proxy server and full of bugs" line. Their loss, really. If they want to bleed money through the nose for the old dinosaur solutions that are painful to manage and horrible for users to live with then good for them. You can read my recent article on Microsoft software not being "scalable nor secure" to see what I think of those people who rely on no longer relevant stereotypes.
Sending SNMP Traps to MOM 2005
Collect Syslogs With MOM 2005
Load Third Party Performance Metrics Into MOM
- Set up an application log provider that scans a folder for CSV files. Configure the format as being "Performance Log".
- Set up a custom management pack. Create a performance rule that uses the application log provider.
- Now, configure your 3rd party product to produce a CSV file in the location specified by your provider. It should be in the format of a Windows Performance Log in CSV format.
If you need to see what format the file should be in, then run Perfmon and capture a CSV log file. It looks something like this:
"(PDH-CSV 4.0) (GMT Standard Time)(0)","\\DubFS1\SAN\% Seek Time"
"02/01/2007 11:56:17.600","4.8586022896423113"
"02/01/2007 12:06:18.602","0.17951715634603183"
"02/01/2007 12:16:19.604","0.17951715634603183"
"02/01/2007 12:26:20.606","4.8586022896423113"
"02/01/2007 12:36:21.607","7.9779923785064932"
The header defines the column names. We’ve got date, time and the performance counter. Note the counter name is in the format \\<server being measured>\<Object>\<Counter>.
Associate the management pack with a test computer group and drop some test log files onto it. Give it a few minutes and then open your Operator Console (don’t use an already open one). Navigate into "Performance" and open up the server that has the log file on it. You’ll now find the new objects and metrics are available to report on. Your MOM Reports shouldn’t have any data until after the report DTS job runs (usually 01:00).
All that remains now is to generate and format this log file. Your third party product must be able to produce these metrics and you must be able to get them out in some way. Then you should format them, rename them and drop them into the right location. In theory, this should all be possible via a scheduled script.
If you are going to try this, please get it running in a VM lab first. Don’t go filling your report server with useless junk and deploying test management packs all over the production network. Once you’ve got the mechanism working, define what you need, retest in the lab again and finally do a pilot rollout on production before you go live.
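One way to script the "generate, format, rename and drop" step, as an added example rather than code from the original post: it renders samples in the Perfmon CSV layout shown above, rejects values that would corrupt the file, and renames the log into place only once it is fully written. The function names, the `.tmp` suffix, the file name and the sample values are assumptions; the MM/DD/YYYY reading of the timestamp is inferred from the capture.

```python
import csv, io, math, os, tempfile
from datetime import datetime

def counter_path(server, obj, counter):
    # Reject characters that would break the counter path or the CSV quoting.
    for part in (server, obj, counter):
        if not part or any(c in part for c in '\\"\r\n'):
            raise ValueError(f"unsafe counter path component: {part!r}")
    return f"\\\\{server}\\{obj}\\{counter}"

def format_pdh_csv(samples, server, obj, counter, tz="GMT Standard Time", bias=0):
    """Render (datetime, value) samples as a single-counter Perfmon-style CSV."""
    out = io.StringIO()
    w = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    w.writerow([f"(PDH-CSV 4.0) ({tz})({bias})", counter_path(server, obj, counter)])
    for when, value in sorted(samples, key=lambda s: s[0]):
        value = float(value)  # raises ValueError on non-numeric vendor output
        if not math.isfinite(value):
            raise ValueError(f"non-finite sample at {when}")
        # Assumption: MM/DD/YYYY with milliseconds, matching the capture above.
        stamp = when.strftime("%m/%d/%Y %H:%M:%S.") + f"{when.microsecond // 1000:03d}"
        w.writerow([stamp, repr(value)])
    return out.getvalue()

def drop_log(text, drop_dir, name):
    """Write under a temporary name, then rename, so the provider never
    picks up a half-written file."""
    fd, tmp = tempfile.mkstemp(suffix=".tmp", dir=drop_dir)
    with os.fdopen(fd, "w", newline="") as f:
        f.write(text)
    final = os.path.join(drop_dir, name)
    os.replace(tmp, final)
    return final

if __name__ == "__main__":
    # Constructed samples standing in for the third-party product's output.
    samples = [(datetime(2007, 2, 1, 11, 56, 17, 600000), 4.5),
               (datetime(2007, 2, 1, 12, 6, 18, 602000), 0.25)]
    text = format_pdh_csv(samples, "DubFS1", "SAN", "% Seek Time")
    with tempfile.TemporaryDirectory() as drop_dir:  # stand-in for the provider folder
        print(drop_log(text, drop_dir, "san_seek.csv"))
        print(text, end="")
```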
More Vista Fixes! – When Should I Upgrade?
- KB929685: A high definition audio device may no longer work after you resume Windows Vista from sleep or from hibernation and then restart the computer.
- KB930163: In Windows Vista, you cannot access any resources on a remote VPN server after you switch a network connection from one network adapter to another network adapter and then dial a VPN connection.
- KB929762: You receive a Stop 0x9F error when you wake a Windows Vista-based computer that is connected to an IEEE 1394-based device.
- KB929761: When you run Wusa.exe together with the /quiet option to try to install certain software packages on a Windows Vista-based computer, the installation fails.
- KB929615: You may not receive audio in the desired language when you use Windows Media Center to view television in Windows Vista
- Admins shouldn’t really log into their "desktop" PC as administrator. If they use a Virtual Machine (Microsoft Virtual PC is free) then they’ll be able to log into their desktop as a normal user to access email and web and log into their VM as administrator/domain admin to do their work.
- Some applications might not work now (or ever) on Vista. Again a VM running Windows XP or Windows 2000 might help those affected users.
- Check out the Microsoft Application Compatibility Toolkit 5.0.
Some might just be scared of deploying a new OS and all the software on it. That’s just not excusable these days. There have never been more options. The following will all deploy images of a disk with the OS and applications all installed and configured:
- Ghost
- WAIK (free)
- WDS (part of WAIK and Windows 2003 SP2)
- SMS 2003
- CM 2007 (March 2007, approx)
The following can be used to install and manage software:
- Group Policy (part of AD)
- SMS 2003
- CM 2007 (March 2007, approx)
Is Vista a big leap? Yes. Is it big and scary enough that you should run and hide under your duvet cover? No. Take my advice: Do a limited deployment so your IT staff can become familiar with the product, deployment and management of it. Then target those staff who can benefit from the product. During this time, test and develop your applications and procedures. When you are ready, pull the trigger and deploy it. With some planning and preparation, you’ll avoid the situation that many companies are in now, panicking over NT upgrades and meeting system requirements for new business solutions.
Credit: Bink for the update news.
Reliability Update For The USB Stack In Vista
- You are running Windows Vista.
- You are running 2GB RAM or more.
- You have an nVidia nForce EHCI controller.
There are both 32-bit and 64-bit updates available for download. It’s also available via Windows Update.
Credit: Michael Russell.
Windows Vista Activation Grace Period – Up to 120 Days
I just saw this one on Bink. It might be handy for anyone who’s evaluating Vista or like me, is not too keen to use their limited number of TechNet/MSDN activations in lab work but find the default 30 day window to be too restrictive. There’s a command you can run (slmgr -rearm and then reboot) that extends the activation grace period. You can do this three more times to extend the grace period up to 120 days.
Credit: Bink.
Automated Password Synchronisation Solution Guide for MIIS 2003
I’m seeing more and more people starting to look into using account/password synchronisation tools such as MIIS 2003 and/or ADAM. Microsoft published a guide last night that promises you that this "Step-by-Step document shows how to install, configure, and use PCNS and management agents to receive and send password change requests" so that you can synchronise passwords between domain controllers, presumably in different forests.