Sophos Automated Software Rollout

I recently had to install the Sophos Anti-Virus suite at a client office and had issues with a few PCs during the automated rollout of the software. The problem seemed to be that the server with Sophos Control Center was not able to remotely administer several client PCs. The way I was able to test this out was by using Computer Manager to test connecting to each one of the PCs I was having problems installing the software on.

On each PC experiencing the issue, I was not able to remotely connect with Computer Manager. Once I was able to connect with Computer Manager, the Sophos software installed successfully.

There were two reasons this was failing in our environment consisting of Windows XP and Windows 7 workstations.

The problem with Windows XP was that the XP firewall was blocking remote administration. I solved this problem by setting the firewall to allow remote administration through group policy. To do this:

  1. From the server desktop, click Start, click Run, type mmc, and then click OK.
  2. On the File menu, click Add/Remove Snap-in.
  3. On the Standalone tab, click Add.
  4. In the Available Standalone Snap-ins list, click Group Policy Object Editor, and then click Add.
  5. In the Select Group Policy Object dialog box, click Browse.
  6. In the Browse for a Group Policy Object, click the Group Policy object that you want to update with the new Windows Firewall settings. I decided to choose Default Domain Policy since then it would apply to all PCs in the domain.
  7. Click OK.
  8. Click Finish to complete the Group Policy Wizard.
  9. In the Add Standalone Snap-in dialog box, click Close.
  10. In the Add/Remove Snap-in dialog box, click OK.
  11. In the console tree, open Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall, and then Domain Profile.
  12. Edit the properties for Windows Firewall: Allow Remote Administration Exception.
  13. Select enable and enter the IP of your server so that you don’t open up remote administration to everyone.

After a restart of the PC, you should be able to deploy Sophos or any other remotely installed software.

For Windows 7 PCs, the problem was that remote administration and installation of software requires the remote registry service to be running. It is set to Automatic startup on Windows XP but set to Manual startup on Windows 7. After changing the startup type to Automatic and starting the service I was able to easily deploy Sophos.
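A pre-deployment check for the two failure causes described above, as an added example that is not part of the original post. It assumes Windows PowerShell 5.1 or earlier on the server (where Get-Service and Set-Service accept -ComputerName), an account with administrative rights on the clients, and constructed sample computer names.

```powershell
# Added example, not from the original post.
# Reports whether each client is remotely administrable and, with -Fix,
# applies the Remote Registry change described for Windows 7.
param(
    [string[]]$Computers = @('PC-01', 'PC-02'),   # constructed sample names
    [switch]$Fix                                  # without -Fix: report only
)

foreach ($pc in $Computers) {
    $row = New-Object PSObject -Property @{
        Computer = $pc; AdminShare = $false
        RemoteRegistry = 'unreachable'; Action = 'none'
    }

    # If the client firewall blocks remote administration (the XP case),
    # the administrative share is not reachable from the server.
    $row.AdminShare = Test-Path "\\$pc\ADMIN$"

    try {
        # Queried through the remote Service Control Manager.
        $svc = Get-Service -ComputerName $pc -Name RemoteRegistry -ErrorAction Stop
        $row.RemoteRegistry = "$($svc.Status)"

        if ($Fix -and $svc.Status -ne 'Running') {
            Set-Service -ComputerName $pc -Name RemoteRegistry `
                -StartupType Automatic -Status Running -ErrorAction Stop
            $row.Action = 'set to Automatic and started'
        }
    } catch {
        $row.Action = "error: $($_.Exception.Message)"
    }

    $row | Select-Object Computer, AdminShare, RemoteRegistry, Action
}
```

Keep the output as a record of which machines were changed, so the Remote Registry startup type can be returned to Manual after the rollout if the service should not stay running.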

Installing BES 5 with Exchange 2010

I have recently just had the pleasure of setting up a new Exchange 2010 server along with the new BlackBerry Enterprise Server 5. The installation seemed very similar to BES 4 installations but there were a few more screens of information to fill out.

The big change to note was that the new BES server configuration is all web based. Sort of like VMware Server 2. At this point I still don’t like it because it only seems to be enabled from the local host so what is the point of having it web based anyway. I would like to see it working over a VPN on a remote computer but have not accomplished this yet. There are two authentication methods for this web based administration site called BlackBerry Administration Server (BAS). In the BAS configuration screen you can choose to use built-in BAS authentication or to use Active Directory authentication. At first I chose AD authentication but wasn’t able to get it working. I did some research on the issue and concluded that almost nobody got it working. To switch back to BAS authentication you have to fully uninstall and re-install BES.

The second issue I noticed was this error below. I haven’t been able to find anyone else having this problem but I was able to ignore the issue and everything seems to be working OK.

The last and biggest issue encountered was the fact that BES was not picking up Activation e-mails out of the users’ mailboxes. There didn’t seem to be any log entries in MAGT or any other log files. I finally found one post that mentioned turning off IPv6 on the BES server and after restarting, those e-mails were being picked up and BlackBerries were activating.

Instructions for turning off IPv6 in Windows Server 2008 can be found here.

Usefulness of Apple’s Airport Express

I recently purchased an Apple AirPort Express in order to listen to my iTunes music on my home stereo. The initial setup I had was the AirPort Express joined to my main wireless network. I was able to configure the AirPort by connecting to it wirelessly from my Mac and running the AirPort configuration utility to join it to my existing network. This configuration worked great.

Eventually, I was able to plug the AirPort into my wired network. I set it up as a separate access point that I could use in a different area of the house and also used it to pipe some music to my stereo. This worked even better because there was no more wireless connection between the AirPort and the computer that was streaming music.

At this point I really looked into the AirPort settings and found it to be a pretty useful device. Besides being wireless N compatible and using channels in the 5GHz range, it was also able to:

  • Use the AirPort as a router for an internet connection and share the connection wirelessly.
  • Operate as a wireless access point on an existing network.
  • Extend another wireless network.
  • Become a client of another wireless network in order to stream music wirelessly.

This turned out to be an incredibly useful, and tiny, device. It is also nice that Remote on an iPhone or iPod touch is able to control remote speaker volume and select which speakers music is played from.

Exchange 2007 Autodiscover Issues

We have recently begun installing a lot of Exchange 2007 servers, both Exchange 2007 standard and as part of SBS 2008. Starting with Exchange 2003 there is a lot of reliance on the web services part of the server which reside in IIS. In order to get things working properly we get an SSL certificate, usually from GoDaddy, to secure the Exchange directories. This allows us to set up devices with Exchange ActiveSync, OWA without certificate warnings, and Outlook Anywhere.

We’ve noticed that when installing these certificates, Outlook clients on the domain begin to see a certificate error. This is because of the Autodiscover URLs that are part of Exchange server and the fact they no longer match the self-signed certificate that Exchange produces on installation.

In order to update those URLs you need to use Exchange Management Shell to run some commands. The commands are different for SBS installations and Standard installations. In the following commands, replace yourserver with the netbios name of your Exchange server and external.yourdomain.com with the external address of your server.

For SBS 2008 run the following commands in Exchange Management Shell:

Set-ClientAccessServer -Identity yourserver -AutodiscoverServiceInternalUri https://external.yourdomain.com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "yourserver\EWS (SBS Web Applications)" -InternalUrl https://external.yourdomain.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "yourserver\oab (SBS Web Applications)" -InternalUrl https://external.yourdomain.com/oab

Set-UMVirtualDirectory -Identity "yourserver\unifiedmessaging (SBS Web Applications)" -InternalUrl https://external.yourdomain.com/unifiedmessaging/service.asmx

For Exchange 2007 Standard or Enterprise on Windows Server 2008 run the following commands in Exchange Management Shell:

Set-ClientAccessServer -Identity yourserver -AutodiscoverServiceInternalUri https://external.yourdomain.com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "yourserver\EWS (Default Web Site)" -InternalUrl https://external.yourdomain.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "yourserver\oab (Default Web Site)" -InternalUrl https://external.yourdomain.com/oab

Set-UMVirtualDirectory -Identity "yourserver\unifiedmessaging (Default Web Site)" -InternalUrl https://external.yourdomain.com/unifiedmessaging/service.asmx

If you’re not sure which set of commands to use, type Get-WebServicesVirtualDirectory in Exchange Management Shell and see what is listed for name. You will either see EWS (SBS Web Applications) or EWS (Default Web Site). Match that up with the command set above and it should find the appropriate virtual directories.

On Windows Server 2008, if you see access denied errors then make sure you use Run As Administrator to run Exchange Management Shell.
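To confirm the change took, the following added example (not part of the original post) lists every internal URL set above and checks that its host name is covered by a certificate enabled for IIS. It assumes it is run in Exchange Management Shell and that the purchased certificate has already been enabled for the IIS service; the function name Test-CertCoversHost is made up for this example.

```powershell
# Added example, not from the original post. Run in Exchange Management Shell.

# Names on the certificate(s) enabled for IIS.
$certNames = @(Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_".ToLower() })

# Hypothetical helper: exact match, or a wildcard covering one extra label.
function Test-CertCoversHost([string]$hostName) {
    $h = $hostName.ToLower()
    foreach ($n in $certNames) {
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.') -and $h.Contains('.') -and
            $h.Substring($h.IndexOf('.')) -eq $n.Substring(1)) { return $true }
    }
    return $false
}

# Collect the internal URLs that the Set- commands above change.
$urls = @()
$urls += Get-ClientAccessServer | ForEach-Object { $_.AutodiscoverServiceInternalUri }
$urls += Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl }
$urls += Get-OABVirtualDirectory | ForEach-Object { $_.InternalUrl }
$urls += Get-UMVirtualDirectory | ForEach-Object { $_.InternalUrl }

foreach ($u in $urls) {
    if ($u -eq $null) { continue }      # role or directory not present
    $uri = [uri]"$u"
    $ok  = ($uri.Scheme -eq 'https') -and (Test-CertCoversHost $uri.Host)
    "{0,-8} {1}" -f $(if ($ok) { 'OK' } else { 'MISMATCH' }), $uri.AbsoluteUri
}
```

Any line marked MISMATCH is a URL that domain-joined Outlook clients will still flag with a certificate warning.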

At this point, we have solved problems with Autodiscover that resulted in error messages in Outlook clients but have not actually set up Autodiscover. The Autodiscover setup process usually includes setting up a new site in IIS for autodiscover.yourdomain.com and adding the autodiscover virtual directory to it. You’ll also need an SSL cert for it which is why we don’t usually set it up. We have yet to see any advantages to setting up Autodiscover since our clients usually don’t have that many clients connected to their Exchange server.

VMware Fusion 3

VMware Fusion 3 was just released today. I was hesitant to upgrade at first because I didn’t know there was upgrade pricing. As soon as I saw I could upgrade for $39.99 I did.

After playing around with it for a while I don’t see many new features that I’ll actually use. I have been running Windows 7 for a few months now without the Aero interface and I think I prefer it that way. I use Windows 7 on my Mac as a Visual Studio development environment so I want to keep it fast. Enabling Aero seems to have slowed everything down. Windows seems less snappy than it was.

I also think that enabling Aero makes the CPU and graphics processor work harder than before. When I start up 7 I can hear the fans in the MacBook Pro kick on to full blast and stay on for about 10 minutes until the laptop finally cools down.

The one feature I will be looking forward to is the automatic updates. Hopefully no more uninstalling the entire app and then re-installing for every upgrade. They also integrated a virtual machine library like they’ve had on their site for a while which makes it easy to try and utilize open source and trial software that has been bundled as a VM.

I’m glad I upgraded to the newest version but I don’t think I’ll take advantage of any new features. I’m sure there are a lot of performance enhancements and bug fixes in the background that will make this a valuable purchase but I didn’t have many issues with v2.

Apple 27-inch iMac

So, on Friday (10/23) I headed to the Apple Store on Michigan Avenue in Chicago to pick up a new 27-inch iMac. I like being an early adopter so I knew I wanted it as soon as it was announced. As soon as I bought it, I hopped in a cab to take it home. The packaging is pretty slim like all Apple products but since the computer itself is big and heavy, the box is big and heavy.

At home, I connected it to my wireless network and everything was working smoothly. I installed all software updates along with some additional software. Then, suddenly, I had no internet access. I checked my list of wireless networks and it wasn’t showing any. I restarted the computer and they all came back and I was immediately connected to my home network.

Then it happened again. I called Apple tech support and they had me boot up to the Snow Leopard DVD to test the wireless card and then reinstall all of Snow Leopard. The problem seems to occur when lots of data is being transmitted wirelessly such as when using Skype or watching videos on Hulu.

Apple tech support keeps insisting I restart my router and change my router’s security. Apparently telling them that no wireless networks at all show up even though I live in a condo in downtown Chicago doesn’t mean anything to them. Tech support set me up with a Genius Bar appointment with my brand new iMac so we’ll see how that goes. I’ll keep this post updated as I learn more about the tech support process at Apple.

Update: Apple just replaced the iMac after showing the person helping us at the genius bar what was going on. It would not show any wireless networks and also crashed twice.

Update: The new one we got has dust behind the screen. We’re going to pick up a new one tonight.

Review: Linksys Powerline Network Kit (PLTK300)

I recently purchased the Linksys Powerline Network Kit (PLTK300) to bring a network jack into my family room. The purpose of this was to provide an ethernet connection to my Samsung Blu-ray player with Netflix capabilities. Since I live in a condo building I was a little bit skeptical of this working. I knew that I have my own circuit breaker in my unit so at least there was a single point of convergence for all my electrical outlets that was close.

The kit works right out of the box. You simply plug the module with the single ethernet port into your current network and into the wall. Then plug in the four port device wherever you need a network connection. Both devices come programmed with a network password so they will see each other immediately, along with any other devices with the default network password on your electrical network.

In order to change the network password you need to install the Powerline Utility from the CD in the box or by downloading it from the Linksys website. The utility lets you see the status of the connection and also set network passwords and run diagnostics. To make any changes to the remote powerline device, you need to enter its password into the utility. The password is on the bottom of the device. If you have more than one device, you will have to enter the password for each one. The Powerline utility will save the passwords in order to make changes to all the devices at once.

I would recommend changing the network password immediately, especially if you live in a multi-tenant building. The devices with the same default network password will bridge your wired network together. Currently I don’t see any other devices in my building but I also remember questioning wireless security when setting up my first wireless access point.

The setup works very well. I’m now able to stream Netflix movies to my Blu-ray player very quickly and without any of the consistency issues you see with wireless. I also plan on connecting my Tivo using a usb ethernet adapter soon to speed up the process when renting movies from Amazon. Currently I use an old Linksys 802.11b wireless adapter since it was one of the only ones Tivo supported at the time.

The only problem I ran into during the setup was that I was initially getting very poor speeds, somewhere around 8Mb. I didn’t follow the instructions to plug the device directly into the wall because I didn’t have any outlets immediately available. Once I had both ends plugged into the wall the speed immediately increased to around 70Mb. These were just standard surge protectors too, not a UPS or anything like that. Make sure you plug these right into the wall to get maximum speeds.