Installing SCCM

Last week I was able to configure and set up System Center Configuration Manager (SCCM) at work. Here is a good online guide in case anyone wants to know what is involved:

I would have to say a multi-site SCCM configuration is a beast compared to Lync to set up. You need to follow a guide to the letter when installing; otherwise it is really hard to troubleshoot. The most important parts to remember on both primary and secondary site servers are IIS, WSUS, WebDAV, BITS, and Remote Differential Compression. Configuring WebDAV is not hard, but it has to be perfect or you will end up chasing your own tail later. The Microsoft installer for SCCM does not check these components during the prerequisite check, which is why I bring it up.

Anyway, I am deploying software packages and updates for now; later I'll have to figure out the rest of SCCM and the other modules that fit in.


Lync 2010

This week I installed Lync 2010 Standard Edition, and I was pleasantly surprised at how much easier Lync is to set up than its predecessors (Office Communications Server and Live Communications Server). For the most part Lync 2010 requires just an Active Directory domain with a CA, and a server to call its own. Keep in mind users also have to be mail-enabled, so Exchange may be needed, but upgrading to Exchange 2010 is not required (the only added benefit in 2010 is Lync integration with OWA).

The next part was the hardest for me to get over, which is adding contacts automatically for Lync-enabled users. The best way I have found to do this is the script I found on The EXPTA {blog}. The script leverages a utility to export a user's contacts, and you can then import them for a number of users or for individual users.

Also, as a side tip, after your address book syncs (which should take 60 seconds or less) you should be able to look up and add distribution groups to your Lync contact list, which will dynamically add any Lync-enabled users that are members of that group.

To enable "Domain Admin" accounts in Lync, you first need to open Active Directory Users and Computers, enable "Advanced Features" under the View menu, open each domain admin user, click the Security tab, click Advanced, check "Include inheritable permissions from this object's parent", close the user in AD and enable the account right away in the Lync Control Panel. If you wait until later to enable it, like I did, then you have to go through the whole process again: AdminSDHolder re-applies the protected ACL to members of privileged groups (every 60 minutes by default), which clears inheritance again. Best practice in AD is to use Domain Admin accounts as secondary accounts and not as your primary account, so if that's the case this should not be an issue.

I only have Standard Edition installed right now, so my knowledge of Lync is limited to that scope; also I have not enabled all the voice features yet, although computer-to-computer audio and video seem to work out of the box, just not dialing out.

More to come, but until then I recommend reading Microsoft's deployment blogs on Lync and the TechNet library; both are very helpful. Also check out this video if you want step-by-step base installation instructions for Lync 2010 Standard.

Upgrading Procurve switch firmware from USB

The ProCurve 5400zl series have a USB port on them that you can use to transfer files, in addition to TFTP and SCP/SFTP. Since I had a few of these to upgrade and they were in a lab environment (i.e. not connected to any "real" networks), I didn't want to bother with setting up a TFTP server. The upgrade process is pretty straightforward and is similar to doing an upgrade via TFTP.

We can find the latest software for our ProCurve switches on the "Software for switches" page. Software ("firmware") updates do not require a valid login or service contract, unlike Cisco. I grabbed the latest version (at the time of writing), which is K.13.45 (be sure to read the release notes that accompany each release prior to performing an upgrade). Save the downloaded .swi file to your USB flash drive and plug the flash drive into the switch.

To check what version of the software is currently running, issue the “show version” command:

SW1# show version
Image stamp: /sw/code/build/btm(t3a)
Aug 4 2008 15:08:24
Boot Image: Primary

We can see that we're running version K.13.25 and that we booted from the primary flash. We can also see the current contents of flash, as well as our USB drive:

SW1# show flash
Image           Size(Bytes)   Date      Version
-----           -----------   --------  -------
Primary Image   : 7442476     08/04/08  K.13.25
Secondary Image : 6782942     12/07/07  K.12.57
Boot Rom Version: K.12.12
Default Boot    : Primary

SW1# dir

Listing Directory /ufa0:
-rwxrwxAwx 1 0 0 7442476 Nov 3 2008 K_13_25.SWI
-rwxrwxAwx 1 0 0 7494786 Oct 30 2008 K_13_45.SWI
SW1#

Because I've been running K.13.25 and it's been stable, I'm going to copy it to secondary flash and then overwrite the primary with the new software. We'll then reboot the switch with the new software (keeping the previous version in secondary as a "backup" in case anything goes wrong).

SW1# copy flash flash secondary

This command isn't very intuitive (and it takes a while as well), but here we're basically copying from flash to flash, with the secondary as our destination. In this case, the contents of the primary flash will be copied to the secondary. "copy flash flash primary" would copy the contents of the secondary into the primary. Let's verify what we have now:

SW1# show flash
Image           Size(Bytes)   Date      Version
-----           -----------   --------  -------
Primary Image   : 7442476     08/04/08  K.13.25
Secondary Image : 7442476     08/04/08  K.13.25
Boot Rom Version: K.12.12
Default Boot    : Primary

We can see that the contents of the primary have now been copied to the secondary as well. Let's copy the K_13_45.SWI image from the USB drive to primary flash:

SW1# copy usb flash K_13_45.SWI primary
The Primary OS Image will be deleted, continue [y/n]? y

After a moment, we'll see this message:

Validating and Writing System Software to the Filesystem ...

When the copy has completed, we need to reload the switch with the new software:

SW1# boot system flash primary
System will be rebooted from primary image. Do you want to continue [y/n]? y

The switch will take a minute to reboot (I won't bother pasting the complete bootup process) and then we can, again, use "show version" to verify that we're now running the latest software:

SW1# show version
Image stamp: /sw/code/build/btm(t3a)
Oct 17 2008 20:03:02
Boot Image: Primary

See, wasn't that easy? We've successfully upgraded the firmware, and we've also kept a backup copy of the previous software in case things go badly. If that happens, just issue the "boot system flash secondary" command to reload the switch with the previous software.
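Two checks I would run before typing "copy usb flash", as an added example that is not part of the original post: confirm from "show flash" that the secondary slot really holds the image you are running (so "boot system flash secondary" is a real fallback), and confirm the downloaded .swi matches the checksum the vendor publishes with it before it ever touches flash. The "show flash" text below is constructed from the numbers in the post; the parser, the helper names and the assumption that a published checksum exists (and its algorithm) are this example's own.

```python
"""Pre-flight checks for a ProCurve image swap: is the running image backed up
in the secondary slot, and does the new image file match the published checksum?"""
import hashlib
import re

# Constructed sample in the 'show flash' layout from the post (values from the post;
# the parser is this example's own, not ProCurve tooling).
SHOW_FLASH_BEFORE = """\
Image           Size(Bytes)   Date      Version
-----           -----------   --------  -------
Primary Image   : 7442476     08/04/08  K.13.25
Secondary Image : 6782942     12/07/07  K.12.57
Boot Rom Version: K.12.12
Default Boot    : Primary
"""

# Same output after 'copy flash flash secondary' has finished.
SHOW_FLASH_AFTER_COPY = SHOW_FLASH_BEFORE.replace(
    "Secondary Image : 6782942     12/07/07  K.12.57",
    "Secondary Image : 7442476     08/04/08  K.13.25")

_IMAGE_RE = re.compile(
    r"^(Primary|Secondary) Image\s*:\s*(\d+)\s+(\S+)\s+(\S+)\s*$", re.M)


def parse_show_flash(text):
    """Return {'Primary': (size, date, version), 'Secondary': (size, date, version)}."""
    return {slot: (int(size), date, ver)
            for slot, size, date, ver in _IMAGE_RE.findall(text)}


def backup_ready(show_flash_text, running_version):
    """True when the secondary slot already holds the running image, so overwriting
    primary leaves a known-good image behind for 'boot system flash secondary'."""
    slots = parse_show_flash(show_flash_text)
    return "Secondary" in slots and slots["Secondary"][2] == running_version


def image_matches(data, expected_hex, algo="sha256"):
    """Compare image bytes against the checksum published with the download.
    The algorithm is an assumption: use whichever one the vendor lists."""
    digest = hashlib.new(algo, data).hexdigest()
    return digest.lower() == expected_hex.strip().lower()


def verify_image_file(path, expected_hex, algo="sha256"):
    """File wrapper around image_matches(); run this on the .swi before copying it to USB."""
    with open(path, "rb") as f:
        return image_matches(f.read(), expected_hex, algo)


if __name__ == "__main__":
    print("backup before copy:", backup_ready(SHOW_FLASH_BEFORE, "K.13.25"))      # False
    print("backup after copy: ", backup_ready(SHOW_FLASH_AFTER_COPY, "K.13.25"))  # True
    # Real usage: verify_image_file("K_13_45.swi", "<checksum from the download page>")
```

Paste the switch's own "show flash" output into backup_ready() before the overwrite; if it returns False, the secondary still holds the older K.12.57 and a bad primary image would leave you booting something you never tested.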

Juniper Networks – changing to a more reliable network

I recently attended a Juniper course at Dynamic Worldwide Training Consultants. While at this training I felt even more confident that our switch to Juniper was the right choice. There are several reasons why we are making this change from Cisco, but rest assured that cost was not the primary deciding factor (although a very tempting one).

Cisco, on the other hand, has been running in another direction, selling their name but missing the mark on quality products unless you're willing to buy their new G2, ASA, or higher-end routers. I could go on, but compared to Juniper I would say Cisco's education and certification program needs a serious overhaul.

1. A solid Education Program:
Juniper not only has full control of their certification program, but they also have a solid curriculum that takes you from just knowing how to say TCP/IP to the advanced wonders of dynamic routing and high availability. Did I mention they will basically give away vouchers this year for those who attend training or even take pre-certification tests? Also be sure to ask for Juniper Training Credits when you purchase your hardware; this is just one way you will know Juniper cares about your business.

2. A solid reputation with Internet Service providers:
Why is this important? Well, Cisco and Juniper have both been around for a while; they just entered the market from two different directions. Cisco entered in the consumer market and later competed in the service provider market. Juniper started in the service provider market, learning from many of the issues that network admins had with Cisco, and built most of their products on a single operating system called Junos. Juniper also includes high availability options, and the separation of the routing engine from the forwarding plane in the software makes this possible.

3. A lot of features – in a little box:
Did I mention their OS is based on FreeBSD, a Unix-like system similar to Linux? This allows Juniper to include a number of modules and features, and if for some reason you need to restart a daemon you can rest assured that you probably won't affect the rest of your traffic. With this in mind, when you boot a Juniper be prepared to wait 5 to 7 minutes for it to come up, much like an appliance. Also you will want to shut down your Juniper cleanly as you would a Linux server, not with a simple flip of the power button.

4. Standards based Networking:
While many of us would probably like to stay with a single vendor for all our networking needs, you probably have multiple vendors with their own way of doing things on your network. Many of the cool things Juniper does, they do so in such a way as to maintain standards. While there are a few features that Juniper has pioneered, you always have the option to keep your network standards based by default.

5. Support:
While I don't have experience with this so far, I'll be sure to report any findings. I have found Juniper's website very helpful, and Juniper's TAC team is available to all current support customers from day one.

6. Cost:
Ok, I will break down the cost for you just this once. With Cisco, just over $120k may get you 6 G2 routers with the works and 3 years of SmartNet. Juniper did much better and threw in some training for free: for the same cost as the 6 G2 routers (I will post the models later), Juniper was able to provide 4 J-Series routers, 16 SRX Series routers/firewalls, 3 years of support, training and certification, and professional services. The professional services actually cost as much as the equipment, but even then it was a much better deal.

So with all this in mind, when you hear about Juniper, I would highly recommend you continue your research and take a few classes. I promise you this one thing: you will not only grow into it quickly, but will wonder how you would have done it without Juniper.

HP Procurve and Protecting VLANs with ACLs

How to protect an out-of-band (OOB) management VLAN from access, or protect a VLAN from being directly plugged into by a switch from another VLAN (with another subnet or another DHCP server).

Some of this is still under testing, but I feel that I have pretty much mastered the art of using ACLs to protect a VLAN, such as one used to manage a bunch of devices (routers, switches, firewalls, UPSs, environmental monitors), or just to keep traffic you would rather not have there away from a VLAN or from devices plugged into a ProCurve switch.

It is a network best practice to use ACLs to block traffic as close to the source as possible. So this may seem a little backwards, but I want to use this ACL as a last line of defence, blocking traffic on the port as it leaves the VLAN toward the device. So we will be using "out" and not "in" for the first part.

Another important thing to remember about ACLs is that there is an implicit deny at the end: anything not matched by a permit statement will be blocked. So as a best practice I will only list those IP addresses that need access. You also have the option of using an extended or a standard ACL. Again I will keep this simple: if you want more flexibility to block only certain protocols, or access to only a portion of a subnet, then you should look into extended ACLs. For this exercise we will only be permitting source IP addresses (all protocols) using a standard ACL.

Note: these ACLs are RACLs (routed ACLs). They filter routed traffic and traffic addressed to the switch itself, not traffic switched between ports in the same VLAN, and they are only applied if IP routing is enabled on the switch (Layer 3). If this is just a Layer 2 switch then you may want to try a VACL instead. I will probably post information on VLAN ACLs later, but a VACL filters all IP traffic entering the switch on a particular VLAN, including traffic switched within that VLAN. So with that said, I'm assuming you will be using a Layer 3 enabled switch for this exercise.

Here is the ACL I will create for access to the out-of-band (OOB) management interfaces on my devices:

ip access-list standard "OOB-Access-out"
   1 remark "OOB subnet"
   2 permit
   10 remark "NPM System"
   11 permit host
   20 remark "IT Department"
   21 permit
   30 remark "Managemnet Workstation"
   31 permit host

The "out" part means the ACL is applied as the packet leaves the switch on a port in that VLAN. This can mean a number of things, but again it is important to keep it simple, so for now just focus on the primary goal of only allowing authorized subnets access to management devices.

Applying it to your VLAN is simple:

vlan 6 ip access-group OOB-Access-out out

Observe that I used "out" instead of "in". In the next example I will use "in" so that I block unauthorised traffic and avoid multinetting my VLAN.

ip access-list standard "OOB-Access-in"
1 remark "OOB subnet"
2 permit

Applying it to the VLAN is the same, but remember "in" instead of "out":

vlan 6 ip access-group OOB-Access-in in

The above standard ACL should only allow devices configured with an IP address in the OOB subnet to send routed traffic into the rest of the network from this VLAN. You may need to modify it a bit to allow other traffic, but with a little testing this could protect your network from, for example, someone plugging a cable from one network into a jack on another network with a different VLAN, causing all sorts of strange traffic such as a DHCP server handing out the wrong IP addresses. One caveat: because a RACL only sees routed traffic, a rogue DHCP server plugged directly into VLAN 6 can still answer clients in VLAN 6 (that exchange is switched, not routed); stopping that takes a VACL or DHCP snooping.

There is a lot more you can do with ACLs, and extended ACLs offer much more, but I would recommend getting used to standard ACLs first, then working with extended ACLs.
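To make the semantics above concrete, here is an added example (not from the post, and not ProCurve code) that simulates how a standard RACL pair like OOB-Access-out / OOB-Access-in is evaluated: sequence order, first match wins, implicit deny-any at the end, and the fact that a RACL is only consulted for routed traffic. The post's listing elides the real addresses, so the subnets and hosts below (10.10.6.0/24 as VLAN 6, 10.10.20.0/24 as the IT department, and so on) are assumed, as are the constructed traffic samples.

```python
"""Simulates ProCurve standard-ACL (RACL) evaluation on a routed VLAN, to show
what the OOB-Access-out / OOB-Access-in pair does and does not block."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                     # "permit" or "deny"
    source: ipaddress.IPv4Network   # a 'host' entry is simply a /32


def host(seq, action, ip):
    return Entry(seq, action, ipaddress.ip_network(ip + "/32"))


def net(seq, action, cidr):
    return Entry(seq, action, ipaddress.ip_network(cidr))


class StandardAcl:
    """Standard ACL: matches source IP only, first match in sequence order wins,
    and anything unmatched hits the implicit deny-any at the end."""

    def __init__(self, name, entries):
        self.name = name
        self.entries = sorted(entries, key=lambda e: e.seq)

    def evaluate(self, src_ip):
        ip = ipaddress.ip_address(src_ip)
        for e in self.entries:
            if ip in e.source:
                return e.action
        return "deny"  # nothing matched: implicit deny


# Assumed addressing for the post's ACLs (the post elides the real values).
OOB_SUBNET = "10.10.6.0/24"  # VLAN 6, the OOB management VLAN
OOB_OUT = StandardAcl("OOB-Access-out", [
    net(2, "permit", OOB_SUBNET),         # "OOB subnet"
    host(11, "permit", "10.10.20.5"),     # "NPM System"
    net(21, "permit", "10.10.20.0/24"),   # "IT Department"
    host(31, "permit", "10.10.30.9"),     # "Management Workstation"
])
OOB_IN = StandardAcl("OOB-Access-in", [net(2, "permit", OOB_SUBNET)])

# vlan 6 ip access-group OOB-Access-out out
# vlan 6 ip access-group OOB-Access-in in
VLAN_RACLS = {6: {"in": OOB_IN, "out": OOB_OUT}}


def racl_decision(src_ip, in_vlan, out_vlan, racls=VLAN_RACLS):
    """Apply the ingress VLAN's 'in' RACL, then the egress VLAN's 'out' RACL.
    A RACL only sees routed traffic: a packet that stays in its own VLAN is
    switched without consulting either ACL, which is returned as "switched"."""
    if in_vlan == out_vlan:
        return "switched"
    acl_in = racls.get(in_vlan, {}).get("in")
    if acl_in and acl_in.evaluate(src_ip) == "deny":
        return "deny:" + acl_in.name
    acl_out = racls.get(out_vlan, {}).get("out")
    if acl_out and acl_out.evaluate(src_ip) == "deny":
        return "deny:" + acl_out.name
    return "permit"


if __name__ == "__main__":
    # Constructed traffic samples: (description, source IP, ingress VLAN, egress VLAN)
    samples = [
        ("IT workstation -> OOB device",        "10.10.20.40", 20, 6),
        ("user VLAN host -> OOB device",        "10.10.30.77", 30, 6),
        ("OOB device -> IT workstation",        "10.10.6.10",  6, 20),
        ("rogue box in VLAN 6 -> other VLAN",   "192.168.1.1", 6, 20),
        ("rogue DHCP offer inside VLAN 6",      "192.168.1.1", 6, 6),
    ]
    for desc, ip, vin, vout in samples:
        print(f"{desc:36s} {racl_decision(ip, vin, vout)}")
```

The last sample is the caveat from the text: the rogue 192.168.1.1 box is stopped by OOB-Access-in as soon as it tries to leave VLAN 6, but its DHCP offers to clients on the same VLAN are switched and never reach the RACL.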

Windows Filtering Platform Audit Noise

Did you know that Windows Server 2008 and 2008 R2, as well as Vista, can pump out just as many audit events as your standard hardware firewall? I can understand audit trails for file access and user account changes, but logging every single TCP and UDP connection is a bit much, considering Windows is already logging this in the firewall log. These are the Windows Filtering Platform events in the Security log (event IDs 5152 and 5153 for packet drops, 5154 through 5159 for listens, connections and binds, with 5156 "connection permitted" usually the bulk of them). If you're tracking down a security issue on your network and you have a SIM trying to correlate all these logs, then most of these additional events are just noise.

There are a couple of ways of dealing with this little issue: one machine at a time, or via GPO. For me the Group Policy option is a must, as I don't have time to go through every server and every workstation that might have these audit settings turned on. The main one I want to focus on is called "Audit Filtering Platform Connection".

After much searching on the Internet I found a pretty good blog that pointed me in the right direction:

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Object Access. Then double-click "Audit Filtering Platform Connection" and check only the box next to "Configure the following audit events". DO NOT CHECK THE OTHER TWO BOXES (Success and Failure); leaving them clear is what sets the subcategory to "No Auditing". Repeat for "Audit Filtering Platform Packet Drop".

For the one system solution use these command line options:

auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
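Before and after pushing the GPO, the thing worth checking is what each host is actually auditing. The added example below (mine, not from the post or from Microsoft) parses saved output of auditpol /get /category:"Object Access", lists the two WFP subcategories that are still on, generates the matching per-machine auditpol commands from the post, and returns the Security-log event IDs a SIM collector could drop in the meantime. The auditpol output is a constructed sample in the layout the tool prints; the function names are this example's own.

```python
"""Find Windows Filtering Platform audit subcategories that are still switched on,
from saved 'auditpol /get /category:"Object Access"' output, and map them to the
Security-log event IDs that make up the noise."""
import re

# Security-log event IDs produced by each WFP audit subcategory.
WFP_EVENT_IDS = {
    "Filtering Platform Packet Drop": (5152, 5153),
    "Filtering Platform Connection": (5154, 5155, 5156, 5157, 5158, 5159),
}

# Constructed sample in the layout auditpol prints: subcategory rows are indented
# two spaces and the setting is separated from the name by a run of spaces.
SAMPLE_AUDITPOL = """\
System audit policy
Category/Subcategory                      Setting
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  Filtering Platform Packet Drop          Success and Failure
  Filtering Platform Connection           Success and Failure
  Other Object Access Events              No Auditing
"""

_ROW_RE = re.compile(
    r"^\s{2,}(\S.*?)\s{2,}(No Auditing|Success and Failure|Success|Failure)\s*$")


def parse_auditpol(text):
    """Return {subcategory: setting} for every indented subcategory row."""
    rows = {}
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if m:
            rows[m.group(1)] = m.group(2)
    return rows


def noisy_wfp_subcategories(text):
    """WFP subcategories whose setting is anything other than 'No Auditing'."""
    rows = parse_auditpol(text)
    return [name for name in WFP_EVENT_IDS
            if rows.get(name, "No Auditing") != "No Auditing"]


def auditpol_disable_commands(text):
    """The per-machine fix from the post, emitted only for what is actually on."""
    return ['auditpol /set /subcategory:"%s" /success:disable /failure:disable' % name
            for name in noisy_wfp_subcategories(text)]


def event_ids_to_filter(text):
    """Event IDs a SIM/SIEM collector could drop until the policy change lands."""
    ids = []
    for name in noisy_wfp_subcategories(text):
        ids.extend(WFP_EVENT_IDS[name])
    return sorted(ids)


if __name__ == "__main__":
    # On a live host: auditpol /get /category:"Object Access" > auditpol.txt
    for cmd in auditpol_disable_commands(SAMPLE_AUDITPOL):
        print(cmd)
    print("filter event IDs:", event_ids_to_filter(SAMPLE_AUDITPOL))
```

Run auditpol /get /category:"Object Access" on a host after the GPO has applied and feed the output to noisy_wfp_subcategories(); an empty list means the policy landed. Note that an advanced audit policy set by GPO overrides whatever auditpol /set wrote locally, so the local commands are only a stopgap for machines the GPO does not reach.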


Testing Branch Network Bandwidth

It is easy to run a speed test against your Internet connection, but what if you want to test the speed between two branch offices?

The solution is iperf.exe, a simple command-line tool you can set up on your Windows servers to run speed tests and ensure you are getting what you're paying for from your provider.

You can download the current version here:

On the server run:
iperf.exe -s

On the Client run:
iperf.exe -c x.x.x.x

Where x.x.x.x is the IP address of your server. Check out the link above for more information and sample output. I'm planning to add a custom action to my Lansweeper deployment when I get a chance to think it through, but command-line tools like these make for great custom scripts and actions for other plugins.
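If the test is going to become a scheduled script or a Lansweeper action, the result has to be parsed rather than eyeballed. This added example (not from the post, and not part of iperf) reads the iperf 2 client output, takes the [SUM] line when parallel streams were used and the single stream otherwise, and compares the measured rate against the circuit's contracted bandwidth. The iperf output is a constructed sample in the iperf 2 layout, and the 80% pass threshold is an assumed figure, not anything the post specifies.

```python
"""Parse iperf 2 client output and check the measured rate against the bandwidth
the branch circuit is contracted for."""
import re

# Constructed sample of what 'iperf.exe -c 10.0.0.5' prints (iperf 2 layout).
SAMPLE_IPERF = """\
------------------------------------------------------------
Client connecting to 10.0.0.5, TCP port 5001
TCP window size: 64.0 KByte (default)
------------------------------------------------------------
[  3] local 10.0.1.20 port 49152 connected with 10.0.0.5 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   112 MBytes  93.9 Mbits/sec
"""

# Matches per-stream result lines and the [SUM] line printed with -P.
_RESULT_RE = re.compile(
    r"^\[\s*(\d+|SUM)\]\s+([\d.]+)-\s*([\d.]+)\s+sec\s+([\d.]+)\s+(\w)Bytes\s+([\d.]+)\s+(\w)bits/sec")
_SCALE = {"K": 1e3, "M": 1e6, "G": 1e9}


def parse_iperf(text):
    """Return a list of (stream_id, duration_seconds, bits_per_second), one per result line."""
    results = []
    for line in text.splitlines():
        m = _RESULT_RE.match(line)
        if not m:
            continue
        sid, start, end, _xfer, _xunit, rate, runit = m.groups()
        results.append((sid, float(end) - float(start), float(rate) * _SCALE[runit.upper()]))
    return results


def measured_mbps(text):
    """Bandwidth of the run in Mbit/s: the [SUM] line if parallel streams were used,
    otherwise the (last) single-stream result."""
    results = parse_iperf(text)
    if not results:
        raise ValueError("no iperf result line found")
    for sid, _duration, bps in results:
        if sid == "SUM":
            return bps / 1e6
    return results[-1][2] / 1e6


def meets_contract(text, contracted_mbps, tolerance=0.8):
    """True when the measured rate reaches 'tolerance' of the contracted rate.
    0.8 is an assumed threshold; TCP overhead means 100% is not realistic."""
    return measured_mbps(text) >= contracted_mbps * tolerance


if __name__ == "__main__":
    mbps = measured_mbps(SAMPLE_IPERF)
    print(f"measured {mbps:.1f} Mbit/s; 100 Mbit/s circuit ok: {meets_contract(SAMPLE_IPERF, 100)}")
```

For a fair reading of a WAN link, run longer than the 10-second default (-t 60), use a few parallel streams (-P 4) so one TCP window does not cap the result, and test both directions (-r). One caveat: iperf -s listens on TCP port 5001 with no authentication, so leave the server side running only for the duration of the test and restrict it to the remote site's address in the host firewall.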