Friday, November 20, 2009

Windows 7 First Look

I’ve been extremely busy lately with budgeting, reviews and plans for 2010 so I haven’t had as much time to mess with the fun stuff.  However, Windows 7 and Office 2007 are in the plans for next year’s project list.   Having been an MCSE since 1995 and having been recertified 3 times as the operating systems changed I’ve developed quite a background in Windows.  I’ve lived through rollouts of every flavor of Microsoft desktop operating system (except that nasty Vista) by the hundreds.  From what I’m reading so far Windows 7 does seem to be a significant upgrade from XP and seems to be well worth the effort.  In particular the features that seem most compelling to me are DirectAccess, Problem Steps Recorder, booting from a VHD file, BitLocker enhancements, integrated biometric software (thank God…3rd party apps here in XP and Vista have always been painful) and believe it or not….searching in the UI.  Searching for files and data has always been weak in Windows (they really need an updatedb & locate equivalent) but from what I’ve seen with search filters Windows 7 looks pretty good.  Since they have now removed the Classic interface completely I’ll need to spend some time to find out where they’ve hidden everything. (Damn them.)

We will undoubtedly use MDT 2010 for image development and distribution but I haven’t seen a whole lot  of compelling changes in MDT. So far, it looks like they’ve made some work-arounds to the existing pain points but nothing revolutionary.  Multicasting will be a nice addition but heck that’s been around for over 10 years in other software distribution products like Ghost anyhow.

I think I’ve decided to move on and get certified as an MCITP: Enterprise Administrator.  I don’t believe certifications make you a better engineer, but I do believe the process allows you to take some time to really learn the products and features.  That is, if you stay away from the braindump sites and focus on the learning instead of the testing.  I remember back when I got my MCSE 3.51 on NT…It took me 6 months.  I read every book I could get my hands on, demo’ed every feature in my lab and worked with the product in my job on a daily basis.  That is my plan here as well.  The things I learned have stuck with me throughout my IT career and have shaped and molded my ability to understand and consume new technology.  I’ll get off my soapbox now…

Stay tuned and I plan to blog about the cool new stuff as I run across it in  my studies…

Monday, October 26, 2009

OpenVPN misfire

I spent the weekend testing out OpenVPN-AS and ran into one problem.  After an hour or two the connection would die and not restart until I completely exited the software and got back in.  Once in a while I noticed that it would lock out my account.  After some mulling around, I figured out that it had something to do with the SecurID authentication.  I moved from PAM to RADIUS authentication on Friday in hopes that our users could use their keyfobs and not have to remember a separate username/password combo.  Although I got it all working, it seems that there is some kind of reauthentication happening during the session on a frequent basis. I'm guessing there is some kind of a timing issue because every once in a while the attempt fails and the session dies.  Moving back to PAM (that's basically Linux authentication against the local database) seems to have resolved the issue.  Time to get Wireshark out and see what's happening.  Stay tuned...

Tuesday, October 20, 2009

OpenVPN-AS

Today I set up our first OpenVPN-AS server and man is it cool.  A lot of the things I didn’t like about regular OpenVPN (managing certificates, difficult authentication mechanisms, command line management, etc.) are addressed in OpenVPN-AS.  You couldn’t ask for better licensing either….$5 per concurrent connection.  That’s a software model I can buy into!


First I set up a CentOS server.  It’s version 5.3 with minimal stuff loaded.  Then I downloaded and ran the rpm right from OpenVPN.net.  After a few small configs in pfSense to port forward https over to the box I was up and running.  I even got RADIUS authentication working off my SecurID box. For testing I just registered for the free 2 user license but I plan on purchasing more after our pilot is complete.   If you want VPN for your business the cost is way worth the effort on this package.  The difference between configuring OpenVPN and OpenVPN-AS is huge.   OpenVPN-AS is way easier to set up and deal with both as an administrator and a user.  Now…if they could only include OpenVPN-AS as a package in pfSense…..

Wednesday, October 14, 2009

Super Video conversion

Every once in a while you hit a cool tool that you’ve seen before but forgotten completely.  I ran into Super today while researching video conversion tools and forgot about how useful this tool is.  Super is a video conversion program that will let you re-encode video files from one format to another.  I even like it better than…choke…sniff…VLC…for some conversions even though it’s not Open Source. :)  I ran into this tool a few years ago and it got me out of a tight spot and it’s even better now.  What I really like is its simplicity.  VLC tends to force you to learn all about audio and video codecs if you want to get power out of the tool.  Super allows you to pick an “output container” like mpg, wmv, etc. and it does all the hard work picking out the settings for you. It’s great for the video-challenged peeps like me.  Enjoy!

Friday, October 09, 2009

pfsense DNS Forwarding and Overrides

I ran into a small DNS issue when I first rolled out our pfsense firewall.  I had 4 active interfaces: inside, outside, dmz and wireless.   On the PIX I had the wireless segment go directly to the Internet for name resolution.  Requests for “inside” services (on the inside or dmz interfaces) were NAT’ed so that the outside public addresses worked correctly. Not wanting to mess with all that NATing again, I was stuck because the rules I wrote were based on private IP addresses which wouldn’t be resolved correctly by a public DNS server.  So after messing around a little I found that when set up as a DNS forwarder, the pfsense box will allow you to override specific DNS entries or even an entire domain.  Very very cool.  I simply added the names I wanted to resolve to the override list with their internal IP addresses and bang!  The only requirement was that DNS forwarding had to be enabled and the pfsense box had to be acting as the DHCP server on the wireless interface.  Simply leave the DNS values empty and pfsense will advertise itself as the DNS server to DHCP clients.

pfsense rocks the house!
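pfSense’s DNS Forwarder is dnsmasq under the hood, so the host overrides, the domain override and the “advertise myself as DNS to DHCP clients” behaviour described above can be written out as a dnsmasq configuration. This is an added illustration, not from the post or from the pfSense project; the interface name, hostnames and addresses are made up.

```ini
# Constructed dnsmasq.conf equivalent of the pfSense DNS Forwarder setup above.
# Only answer on the wireless segment; never use the firewall's own resolv.conf.
interface=wlan0
bind-interfaces
no-resolv

# Host overrides: hand out the internal (pre-NAT) address for named services so
# wireless clients do not get the public address an upstream resolver would return.
host-record=www.example.internal,10.10.20.5
host-record=mail.example.internal,10.10.20.6

# Domain override: send every query for corp.example to the inside DNS server.
server=/corp.example/10.10.10.2

# Everything else is forwarded to the ISP resolver (documentation address).
server=203.0.113.53

# DHCP on the wireless interface. With no dhcp-option for option 6 (DNS server),
# dnsmasq advertises itself as the DNS server, matching the "leave DNS empty" step.
dhcp-range=10.10.30.100,10.10.30.200,12h
```

One check worth doing from a wireless client afterwards is resolving one overridden name and one public name and confirming only the former returns a private address.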

Monday, October 05, 2009

Another successful pfsense rollout

This morning, I rolled out pfsense at our biggest site.  It was actually the third try, but that’s not pfsense’s fault.  A combination of a bad hub and an extremely long arp timeout period on the ISP’s switch scrubbed the first two attempts.  (It was really scary to hear the ISP tech say “Sure I can clear the arp cache for you…can you tell me what to type?” Egads!) All in all it went well.  One thing I forgot about was access to remote subnets on our WAN. I purposely left them out of the routing table on the firewall thinking I’d use IPSEC tunnels as a failover mechanism to our WAN.  Unfortunately, I completely forgot that they get to the DMZ from the inside to see our website.  A few quick static routes fixed that in short order.

My biggest surprise was the fact that I disabled bogon login detection on a previous attempt at getting things running so I had to turn that back on.  Turns out that doing that will reset the state table and break everyone’s existing connections!  Luckily I found that early during the scheduled downtime so no one was the wiser.

Right now I’m backing up the config as I make changes so I need to automate the backup on a scheduled basis like I did with the PIX.  I’m sure I can work something out with Cattools for this.
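One way to script the scheduled config backup mentioned above, added here as an example rather than the author’s CatTools setup: pull /cf/conf/config.xml (where pfSense keeps its running configuration) over SSH from cron and keep a dated copy only when it has actually changed. The host alias fw1, the backup directory and key-based SSH access to the firewall are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own tooling: scheduled pfSense config.xml backup.
# Assumes key-based SSH to the firewall (alias "fw1") as a user that can read
# /cf/conf/config.xml, the path pfSense stores its live configuration under.
FW_HOST="${FW_HOST:-fw1}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/pfsense}"
KEEP="${KEEP:-30}"   # number of dated copies to retain

# Copy the live config to $1; returns scp's exit status.
fetch_config() {
    scp -q "$FW_HOST:/cf/conf/config.xml" "$1"
}

# Return 0 when $2 (fresh copy) differs from $1 (last saved copy) or no copy exists.
config_changed() {
    [ -f "$1" ] || return 0
    if cmp -s "$1" "$2"; then return 1; else return 0; fi
}

# Print the path of the newest saved copy in directory $1, or nothing if none.
latest_copy() {
    ls -1t "$1"/config-*.xml 2>/dev/null | head -n 1
}

# Delete all but the newest $2 files named config-*.xml in directory $1.
prune_old() {
    ls -1t "$1"/config-*.xml 2>/dev/null | tail -n +"$(($2 + 1))" |
        while read -r f; do rm -f "$f"; done
}

backup_once() {
    umask 077   # config.xml carries the admin password hash and VPN secrets
    mkdir -p "$BACKUP_DIR"
    tmp="$BACKUP_DIR/.config.tmp"
    fetch_config "$tmp" || { echo "fetch from $FW_HOST failed" >&2; return 1; }
    prev=$(latest_copy "$BACKUP_DIR")
    if config_changed "$prev" "$tmp"; then
        mv "$tmp" "$BACKUP_DIR/config-$(date +%Y%m%d-%H%M%S).xml"
        prune_old "$BACKUP_DIR" "$KEEP"
        echo "saved new config from $FW_HOST"
    else
        rm -f "$tmp"
        echo "config unchanged"
    fi
}

# Run one backup when invoked as the installed script, e.g. from cron:
#   0 2 * * * /usr/local/sbin/pfsense-backup.sh
case "$0" in */pfsense-backup.sh|pfsense-backup.sh) backup_once ;; esac
```

Because the saved copies contain the same secrets as the firewall itself, the backup host needs to be treated as at least as trusted as the firewall.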

All in all a successful venture.  Two more sites to go and all our firewalls will be pfsense!

Tuesday, September 22, 2009

Windows XP Remote Command Line Backup

I had the need today to connect out to a PC and run a backup on it.  Turns out this is trivial to do even with the standard Windows NTBackup program.  From another machine, logged in with admin rights to the target machine, run the following command:

C:\>ntbackup backup \\remotePCnamehere\c$ /j "PC backup name here" /f "c:\backup.bkf"

This will back up the C: drive on the PC named remotePCnamehere locally to your C: in a file called backup.bkf on the box running the command.  I can’t believe I haven’t had need for this more often.

Enjoy!