• Check, review the access-lists paying special attention to the one that corresponds to your route map. The first line of your route-map access-list should be a deny statement relating to the designated vpn subnet. This line sends VPN client sourced traffic back to your connecting machine.
• Ensure the name of your route-map is referenced correctly in your outside interface ip nat statement
• Confirm ip nat inside and ip nat outside commands are on the appropriate interfaces

The code below is from a working production environment.

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DEMO851w
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login demousers local
aaa authorization network demogroup local
!
aaa session-id common
!
resource policy
!
clock timezone Hawaii -10
ip subnet-zero
!
!
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp <consider removing this line for Exchange 2007 compatibility>
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
no ip domain lookup
ip domain name domain.local
ip name-server <internal dns>
!
username sysadmin privilege 15 secret 5 <password hash>
<add more vpn users here>
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group demogroup <VPN client Group Authentication name>
 key <group passphrase for vpn client>
 dns <internal dns>
 domain domain.local
 pool dynpool
 acl 105
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set transform-1
 reverse-route
!
crypto map dynmap client authentication list demousers
crypto map dynmap isakmp authorization list demogroup
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
bridge irb
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description ** WAN **
 ip address <external ip> 255.255.255.x
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map dynmap
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid AP851G
    vlan 1
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 0 <password>
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no snmp trap link-status
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
ip local pool dynpool 192.168.15.1 192.168.15.5
ip classless
ip route 0.0.0.0 0.0.0.0 <isp gateway>
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface FastEthernet4 overload
ip nat inside source static tcp <internal server> 25 <external ip> 25 extendable
ip nat inside source static tcp <internal server> 80 <external ip> 80 extendable
ip nat inside source static tcp <internal server> 443 <external ip> 443 extendable
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 101 remark ** Permit Inbound IPSEC Traffic & Split Tunnel **
access-list 101 permit ip host 192.168.15.1 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.15.2 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.15.3 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.15.4 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.15.5 192.168.1.0 0.0.0.255
access-list 101 permit udp any host <external ip> eq non500-isakmp
access-list 101 permit udp any host <external ip>
access-list 101 permit esp any host <external ip>
access-list 101 permit ahp any host <external ip>
access-list 101 remark ** Block Telnet **
access-list 101 deny   tcp any any eq telnet
access-list 101 permit tcp any any established
access-list 101 remark ** Deny netbios from the internet **
access-list 101 deny   tcp any any eq 139 log
access-list 101 deny   udp any any eq netbios-ns log
access-list 101 deny   udp any any eq netbios-dgm log
access-list 101 deny   udp any any eq netbios-ss log
access-list 101 remark ** Permit Exchange Related Traffic **
access-list 101 permit tcp any host <external ip> eq smtp
access-list 101 permit tcp any host <external ip> eq www
access-list 101 permit tcp any host <external ip> eq 443
access-list 101 permit udp any host <external ip> eq ntp
access-list 101 deny   ip any host <external ip>
access-list 101 remark ** Permit all other traffic **
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 permit ip any any
access-list 105 remark ** VPN Traffic **
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
snmp-server community public RO
no cdp run
route-map nonat permit 10
 match ip address 110
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17175022
ntp server 140.31.199.8 prefer
end
DEMO851w#

Comments questions welcomed.

This migration method uses 2 virtual machines and Windows Server 2008 Standard install media. Using your virtualization software of choice, create virtual machines for a Windows 2000 server (configure same number of processors as the source 2000 server for HAL compatibility) and a Windows 2008 server. A Windows 7 loaded laptop running VMWARE Workstation is what was used for the virtual machines in this overview.

• Load the designated Server OS's (2000 and 2008) on the newly created virtual machines and configure the virtual network cards in bridge mode.
• Install, configure Windows 2000 with the same name and IP address of the source production server.
• Add static IP to the Windows 2008 virtual machine which will eventually be used as the source server for the SBS 2008 migration (I used Windows Server 2008 Standard VLM media which provides a 3 day grace activation period).

Prep the source 2000 domain controller as in Part 1

• Raise Domain Functional level of your Windows 2000 server to Native 2000
• Insert SBS 2008 setup DVD into your Windows 2000 server dvd-drive
• Run adprep /forestprep and adprep /domainprep from the Sources\Adrep directory
• Make sure the Windows 2000 domain administrator account meets the SBS 2008 password complexity requirements

Password must satisfy three of the following four categories.

• Minimum 8 characters
• Upper case lower case
• Numerals (0 through 9)
• At least 1 non-alphanumeric character

On the source Windows 2000 Server

• Run system state backup
• Restore backup to virtual Windows 2000 Server machine, reboot
• Login, review and verify restored active directory data
• Point DNS on Windows Server 2008 virtual machine to restored domain controller IP address then join domain, reboot
• Login, run dcpromo on Windows Server 2008 machine, reboot
• Login to Windows Server 2008 domain controller
• Configure DNS IP address on Windows Server 2008 to point back to it self
• Transfer all active directory FSMO roles to Windows Server 2008
• Configure Windows 2000 domain controller DNS to point to Windows 2008 domain controller
• Run dcpromo on Windows 2000 domain controller, shutdown Server 2000 virtual machine

At this point the migration to Small Business Server 2008 using your pre-filled answer file and removable device on the destination server should be straightforward. The laptop with virtual Windows 2008 server machine was assigned a static IP and designated as the default gateway in the answer file. Also make sure to raise the domain functional level on the virtual Windows 2008 domain controller to Windows Server 2003 from Windows 2000 Native.

The laptop and destination server were both connected to a separate standalone network switch (you could probably use a crossover cable as well). The migration to Small Business Server 2008 from the virtual Windows 2008 Standard domain controller ran successfully with all active directory FSMO roles automatically transferred. Active directory was uninstalled from the temp domain controller and the virtual machine shutdown.

The cutover to the new SBS 2008 server involved shutting down all the workstations, disconnecting the production server then connecting the new server to the network. It was literally a swap of the network cables from the standalone network switch to the production switch. The workstations were powered back on and the login access to the new server tested successfully. The old 2000 server was demoted while disconnected from the production network and rejoined back to the domain as a member server to preserve access to some legacy apps and to be able migrate all the current static data to the new server.

Comments or questions welcomed.

The network being migrated consisted of a single Windows 2000 domain controller and about 10 workstations. My goal was to minimize having to touch the workstations and also retain the current Windows 2000 server as a member server after the migration. Since the SBS 2008 migration process using the answer file method is not supported for migration from Windows 2000, I tried a suggested alternative referenced here.

First step was to prep the Windows 2000 active directory.

1. Raise Domain Functional level of your Windows 2000 server to Native 2000
2. Insert SBS 2008 setup DVD into your Windows 2000 server dvd-drive
3. Run adprep /forestprep and adprep /domainprep from the Sources\Adrep directory

Next, create migration answer file which will actually interrupt the SBS 2008 install

1. From the SBS 2008 DVD Tools folder, run SBSAfg.exe and fill in the required info
2. Save and copy the answer file to removable media (I used a USB floppy drive)
3. Boot new server with connected removable device and answer file

The install should halt with the dcpromo log revealing the following error:

"Failed to copy install file c:\windows\system32\sbsntds.dit to c:\windows\NTDS\ntds.dit"

From here you should have access to the SBS 2008 desktop. Configure static ip settings and server name, reboot and join domain.

As suggested from the above referenced article, the current Windows 2000 server ntds.dit file would need to be copied from the source 2000 server either through active directory restore mode boot or a redirected backup restore operation. Rename the ntds.dit file to sbsntds.dit and then copy it to the c:\windows\system32 directory on the SBS 2008 server. Run dcpromo on the SBS 2008 server and that should join it to the existing Windows 2000 domain. However, that wasn't the case for me. For whatever reason, my copied sbsntds.dit file kept logging corruption errors and the following "Active Directory is Rebuilding Indices" message during the SBS 2008 dcpromo process and ultimately failing.

This option may work for you since it looks like it has for others. After an hour or so of troubleshooting, I opted instead to do a swing style migration that I'll review soon in Part 2. Comments or questions welcomed.

First, connect the ILO designated network port to your switch or management network.
Most brand new HP servers come with an information tag attached. Printed on the tag is the server serial number and Integrated Lights Out access information including factory set username and password.

The easiest way to access the ILO configuration utility is during the POST by pressing F8 when prompted.
The menu is straightforward and self explanatory. Use the arrow keys to navigate. Select Enter while the Set Defaults option is highlighted to revert back to factory settings.

First, access the Network menu, disable DHCP and change the DNS name

Then configure your static ip settings

Next, set the Administrator password or create new user.

Note that the username and password are both case sensitive. Select Exit to save and reset ILO with the new settings. Test access to the ILO web interface.

Checking DHCP leases and configuration from the server OS are some alternate setup options if your server is already in production and the ILO settings were not configured beforehand. If DHCP is accessible from the ILO interface connected network then check the leases for the DNS name printed on the tag. Use the leased ip to access the web interface and login with the factory username and password. All the same settings from the POST utility can be configured through the ILO web interface. HP also provides a utility called HPONCFG which allows for command line interaction with ILO and scripting functionality. Read more about it here . Comments or questions welcomed.

Current configuration : 3804 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AP851
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
aaa session-id common
!
dot11 ssid AP851G
   vlan 1
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 0  < wireless passphrase >
!
ip cef
no ip bootp server
no ip domain lookup
!
no spanning-tree vlan 1
username sysadmin privilege 15 secret 5 < password >
archive
 log config
  hidekeys
!
bridge irb
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3 <- Connect to your existing switch
 no cdp enable
 spanning-tree portfast
!
interface FastEthernet4
 no ip address
 ip virtual-reassembly
 shutdown
 duplex auto
 speed auto
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid AP851G
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 ip address 192.168.1.10 255.255.255.0
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1 <- internal gateway core router ip
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface FastEthernet4 overload
!
access-list 1 permit 192.168.0.0 0.0.255.255
snmp-server community public RO
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
end

AP851#

Enter the following command in config mode "no spanning-tree portfast bpduguard" if you are connecting to a Cisco switch to prevent port blocking. Comments, questions welcomed.

Last week I received a new 851 router for a customers new office buildout. I skipped the web based initial setup procedure outlined in the setup guide and instead dropped in a template config through a console port session. Upgrading to the latest IOS image is part of my usual new router deployment routine. (See related entries section below for sample configs)

Prior to upgrading, have available or install and configure a tftp server. On my connecting pc, I have SolarWinds tftp server installed. From console or telnet session issue the "sh ver" command in privileged exec mode to view the current image:

Cisco851#sh ver
Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(15)T7, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 14-Aug-08 07:18 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE

Cisco851 uptime is 48 minutes
System returned to ROM by power-on
System image file is "flash:c850-advsecurityk9-mz.124-15.T7.bin"

The current image file is c850-advsecurityk9-mz.124-15.T7.bin. The latest available image from CCO, as of this post is c850-advsecurityk9-mz.124-15.T9.bin

Download the latest image to your tftp root directory. (In order to download IOS images from CCO you'll need to be registered and associated with a SMARTnet or Comprehensive Maintenance service contract)

Next, issue the "sh flash" command to view the flash contents.

Cisco851#sh flash
20480K bytes of processor board System flash (Intel Strataflash)

Directory of flash:/

    2  -rwx    12701008   --- -- ---- --:--:-- -----  c850-advsecurityk9-mz.124-15.T7.bin
    3  -rwx        3179   Mar 1 2002 00:04:00 +00:00  sdmconfig-8xx.cfg
    4  -rwx      931840   Mar 1 2002 00:04:18 +00:00  es.tar
    5  -rwx     1505280   Mar 1 2002 00:04:41 +00:00  common.tar
    6  -rwx        1038   Mar 1 2002 00:04:55 +00:00  home.shtml
    7  -rwx      112640   Mar 1 2002 00:05:07 +00:00  home.tar

19353600 bytes total (4091904 bytes free)

Delete the existing image file. Issue the following command then enter and confirm.

Cisco851#del flash:c850-advsecurityk9-mz.124-15.T7.bin
Delete filename [c850-advsecurityk9-mz.124-15.T7.bin]?
Delete flash:c850-advsecurityk9-mz.124-15.T7.bin? [confirm]
Cisco851#

Just to be safe, startup your tftp server then backup the current config with the following command:

Cisco851#copy running-config tftp
Address or name of remote host []? 192.168.1.78 <-- enter tftp server ip
Destination filename [Cisco851-confg]?
!!!
7031 bytes copied in 0.060 secs (117183 bytes/sec)
Cisco851#

Issue the following command to transfer the new image to the router:

12747284 bytes copied in 277.896 secs (45871 bytes/sec)
Cisco851#

Issue the reload command, confirm or save modified config if prompted. That's it. Any comments or questions welcomed.

Another option if available is traffic shaping.

A few months ago I fielded a trouble call from a client regarding slow terminal server session performance whenever a remote branch office user would print or scan. Around 15 branch office users connect to a Windows 2003 terminal server at the home office via a T1 Point to Point connection. Both ends of the T1 terminate to a pair of Cisco 1841 routers.

Print jobs spool over the wan link from a print server at the home office to one of 2 network copier/printer machines at the branch office. In addition to printing, branch office users consistently send large scan jobs over the wan from the copier/printer machines to a file server at the home office via ftp.

Shaping was implemented on the Cisco 1841 routers to help gaurentee bandwidth for RDP related traffic while throttling the printer and scanning traffic. Below is the relevant home and branch office router shaping code and overview:

Home Office router code:

access-list 115 permit ip any host 192.168.11.202
access-list 115 permit ip any host 192.168.11.203
!
class-map match-all PRINTING-Class
 match access-group 115
!
policy-map RemotePrinting-Policy
 class PRINTING-Class
  bandwidth 30
policy-map WAN-Policy
 class class-default
  shape average 1152000
  service-policy RemotePrinting-Policy
!
interface Serial0/0/0
 description WAN connection to Branch Office
 ip address 192.168.100.1 255.255.255.252
 ip route-cache flow
 service-module t1 clock source internal
 service-module t1 timeslots 1-24
 service-policy output WAN-Policy

First, the printer traffic being sent from the home 192.168.10.x subnet to the branch office 192.168.11.x subnet was identified using a class-map with access-list on the home office router. The ip's listed in access-list 115 correspond to the network copier/printers at the branch office.

Second, a class policy was created for the printer traffic and allocated a maximum of 30 percent overall bandwidth.

Third, the WAN-Policy defines the total available bandwidth for classified and unclassified traffic. The "shape average 115200" command sets the bandwidth limit. It is 75 percent of the total T1 point to point bandwidth as referenced in Cisco's "Class-Based Weighted Fair Queueing" document. The 75 percent can be adjusted as needed with the "max-reserved bandwidth" command (Cisco Ref).

The final step is to apply the shaping policy to the appropriate interface. In this case the "service-policy output WAN-Policy" command is applied to the Serial/0/0/0 interface. The shaping mechanism is applied immediately to any printing traffic destined for the branch office.

Shaping code on the Branch Office router is similar:

access-list 114 permit tcp any any eq ftp
access-list 115 permit tcp any any eq 3389
!
class-map match-all FTP-Class
 match access-group 114
class-map match-all RDP-Class
 match access-group 115
!
policy-map HomeOffice-Policy
 class RDP-Class
  bandwidth 70
 class FTP-Class
  bandwidth 30
policy-map WAN-Policy
 class class-default
  shape average 1152000
  service-policy HomeOffice-Policy
!
interface Serial0/0/0
 description WAN connection to Home Office
 ip address 192.168.100.2 255.255.255.252
 ip route-cache flow
 service-module t1 timeslots 1-24
 service-policy output WAN-Policy

access-list 114 and 115 are used to identify ftp and rdp traffic. A class policy with bandwidth allocations is also created. If needed, 70 percent of the bandwidth will be reserved for rdp traffic. FTP is allocated up to 30 percent bandwidth.

The final bandwidth allocations were established after testing different percentage combinations and user feedback. The 70 30 combination seemed to provide the best overall performance for the number of remote users in this particular environment. Although the print and scan jobs slowed down noticeably, branch office users were no longer experiencing the remote desktop slow down.  Implementing the shaping code on this network resulted in a more stable and consistent overall remote desktop experience. Comments or questions welcomed. 

http://www.citrix.com

My Deployment Details

• The test server was a 2.8 ghz dual processor configured 2gb of ram with 25gb of drive space VMWare virtual machine
• Windows 2008 Server Standard Edition was installed with no roles configured and joined to the domain
• Downloaded Citrix Access Essentials 1.3gb iso
• Extracted CAE 3.0 iso to a staging server for install over the network
• Started the CAE 3.0 install

One of the convenient features of CAE 3.0 setup is that it installs and configures all the required Windows 2008 Server roles as part of the installation process. The install process was running smoothly and then this error popped up on the Citrix Access Essentials Quick Start component: 

A review of the Windows Installer log revealed the following:

=== Verbose logging started: 12/12/2008  12:01:50  Build type: SHIP UNICODE 4.00.6001.00  Calling process: MSI (c) (8C:08) [12:01:50:996]: Note: 1: 2203 2: C:\Program Files\Citrix\Web Interface\5.0.1\Clients\WIONLY\ica32web.msi 3: -2147287037

This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package.

MSI (c) (8C:08) [12:01:50:996]: Note: 1: 1708
MSI (c) (8C:08) [12:01:51:012]: Product:  -- Installation failed.

=== Verbose logging stopped: 12/12/2008  12:01:51 ===

When I checked the "C:\Program Files\Citrix\Web Interface\5.0.1\Clients\" path, no WIONLY directory had been created. I'm not sure if this was a bug in the install itself or an issue related to the install environment. There were a few similar references to this error on the web and the Citrix knowledebase but nothing specific to CAE 3.0. As a workaround I manually created the WIONLY directory, dropped in the ica32web.msi file and restarted the install. It completed successfully after that. The install process does require a few reboots.

Next was the Quick Start tool Setup checklist:

Note the Advanced Mode option in the Quick Start screenshot (  view full-size  ). The current mode of this install is Basic or single server mode. CAE 3.0 now supports multiple servers and server groups if you select to run in Advanced Mode. In regards to licensing and Microsoft TSCALS, I believe you can purchase CAE 3.0 bundled with or without Microsoft TSCALS depending on your existing environment.

Majority of the Setup items are wizard based and easily walk you through the licensing, security, web access, apps publishing, etc. I did run into another issue when trying to configure Administrators. I kept getting this error:

I checked the services and they were all running. All other functions from the Quick Start tool worked fine. I ignored the error and was able to manage Administators from the Access Management Console.

Published apps page:

If you plan to  redirect to https, be sure to install the HTTP Redirect service in IIS. I had to install it afterwards since it wasn't  installed during the CAE 3.0 Server 2008 roles configuration (  view full-image )

The published desktop and standalone apps through the web interface and the Program Neighborhood worked as expected along with audio, printer and local drive mapping  features.

All the typical management functions, user management, apps security, session info and shadowing are available within Quick Start > Management (  view full- image )

Conclusion

Although I hit a few bumps during the install this was a positive first experience with Citrix Access Essentials 3.0. I think its a really good offering for the SMB market with it's installation and deployment ease and uncomplicated configuration and straightforward management functionality. Comments or questions welcomed.

If your not familiar with Cymphonix Network Composer, here's a brief overview of my experience with it.

First of all it's an appliance based gateway security device. It analyzes, monitors and filters network traffic in and out of your gateway router or firewall and is specifically designed for small to medium sized businesses. Through out the year I've had several clients approach me with the following concerns and questions regarding internet connection troubleshooting and end user web traffic monitoring:

• Is there a way for me to monitor and log what my users are doing on the internet?
• How can I prioritize and or throttle certain types of web traffic?
• I've got a 5mb internet connection but it always seems so slow, can you tell my why?
• How can I block BitTorrent, LimeWire, YouTube, MySpace or FaceBook?

In most cases Cymphonix Network Composer has been my preferred solution for these reasons:

• Appliance based
• Deep packet inspection
• Gateway traffic "total visibility"
•  Prioritize critical traffic
• Throttle, or completely block non critical traffic
• Realtime application, url and bandwidth monitoring
• Spyware and Antivirus protection
• Integrates with Active Directory
• Filter by already established Active Directory groups
• Identify users in realtime

A more thorough review and testimonials can be found at www.cymphonix.com or check out an actual Network Composer for yourself at http://demo.cymphonix.com using demo as the login and password.

A few months ago I had a request from a potential client who wanted to know if the Network Composer could be used on a trunk link. I wasn't sure and had to call Cymphonix tech support to find out. In most implementations the Network Composer is assigned a LAN accessible ip and sits transparently inline between the gateway and the LAN side switch. So what if the gateway is also providing interVLAN routing services?  "As long as the Network Composer is assigned an ip from the untagged or native vlan it should be fine on a trunk link" was the response from Cymphonix tech support. Just to be sure, I setup a test network with a Network Composer DC10 model connected inline on a trunk link and configured it with an ip address (192.168.1.2) on the untagged (192.168.1.x) VLAN.

Here's the relevant router and switch code.

Cisco 2600 Router

ip dhcp pool Native
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 216.136.95.2
!
ip dhcp pool VLAN200
   network 172.16.10.0 255.255.255.0
   default-router 172.16.10.1
   dns-server 216.136.95.2
!
ip dhcp pool VLAN150
   network 10.1.1.0 255.255.255.0
   default-router 10.1.1.1
   dns-server 216.136.95.2
!
interface Ethernet0/1
 description Connected to 2950 Switch
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 full-duplex
!
interface Ethernet0/1.150
 description Data10 VLAN 150
 encapsulation dot1Q 150
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface Ethernet0/1.200
 description Data VLAN 200
 encapsulation dot1Q 200
 ip address 172.16.10.1 255.255.255.0
 ip nat inside

Cisco 2950 Switch

interface FastEthernet0/9
 description Connected to 2600 Router
 switchport trunk allowed vlan 1,150,200,1002-1005
 switchport mode trunk
 speed 10
 duplex full
 spanning-tree portfast
!
interface FastEthernet0/10
 switchport access vlan 150
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/11
 spanning-tree portfast
!
interface FastEthernet0/12
 switchport access vlan 200
 switchport mode access
 spanning-tree portfast

From within Network Composer I setup two VLAN id configured Groups labeled VLAN 150 and VLAN 200.

Separate laptops were plugged into ports 10 & 12 on the 2950 switch. Web traffic was generated from each laptop and almost immediately the Network Composer began to display the traffic correlated by the respective VLAN groups. I tested some of the Internet Usage Rules against the VLAN groups and they worked just fine. Here's a Group Details activity screenshot.

As I mentioned earlier, Network Composer is my preferred choice for web activity monitoring and filtering. It's very flexible, not too difficult to implement and for the most part does what it claims to be able to do. And seems to do it well. Comments, questions, suggestions, personal Network Composer experiences or implementation stories are welcomed.

From the initial release of Symantec Endpoint till now, I've had to wade through more than a few issues. Majority of these issues are referenced in Symantec's knowledgebase or support forums. My Endpoint deployment base consists of more than a dozen customer networks ranging in size from 5 to 100 workstations. Here is a summary of some of the most common recurring issues I've experienced from late last year till now.

• Endpoint Protection Manager Console using up disk space with large temp files
• Desktop client also using up disk space with large temp files
• CPU spikes at regular and random intervals
• Outlook blocked attachment operation failed
• Random network disconnects and SMB issues with Endpoint client on Vista
• Constant high CPU utilization and usually complete lockup with Endpoint client on Windows 2000 based machines
• Windows installer rollback during Endpoint Protection Manager upgrades resulting in several complete uninstall reinstalls of Endpoint console and manual re homing of Endpoint clients

After considering the effort and time spent resolving a lot of these issues, an alternative product seemed very appealing. Back in July is when I started receiving Sunbelt's marketing emails regarding Vipre.

The Pitch

The End of Antivirus as You Know It: A First Look at VIPRE Enterprise

As part of its ongoing efforts to address the rapidly evolving malware landscape facing enterprises, Sunbelt Software introduces VIPRE Enterprise™ - a completely new solution that combines antivirus, antispyware, anti-root kit and other technologies into a seamless, tightly-integrated product...Sunbelt started with a blank slate to design a new, next-generation antivirus and antispyware technology to deal with today's malware in the most comprehensive, highly efficient manner. The result is a clean, fast, and powerful anti-malware solution developed 'by admins for admins'.

I really liked the idea of a "blank slate." Plus, who wouldn't want "...clean, fast and powerful, seamless, tightly integrated, developed by admins for admins." Almost sounds like an "all you've ever wanted, dreamed of, see it to believe it" new product sales pitch. Well after a month in use and with no major issues to report, I've been pretty happy with it. Here are some details regarding my early experience with Sunbelt's Vipre Enterprise.

First, a screenshot of the Endpoint and Vipre console and exported client install files.

Is this a case of bigger isn't always better? Or perhaps this is what Sunbelt meant by blank slate and clean.

The Vipre console install was straightforward and quick with most of the setup options already pre-checked or pre-filled. Open up the Vipre Enterprise management console and right away you'll notice an easy on the eyes, simple to navigate, common sense management interface. ( View image) I like the easy access buttons. Almost every setting is conveniently within a 1 to 3 click range. The Vipre Enterprise client also has a similar look and feel. ( View image) Sunbelt's claim "VIPRE protects without degrading performance" seems justified especially when scanning. The clients I have deployed are configured to quick scan at noon. The only noticeable indication that a scan has started is the Vipre agent systray icon color change to green. 

Endpoint with its pre-requisites (IIS, etc.), default or custom website, less than or more than 500 users database configuration and so on can take more than a few minutes to install. After years of using Symantec's classic pre Endpoint mangement app, I wasn't exactly thrilled the first time I logged into the Endpoint Management console . It took some effort to get familiar with the menu flow, tabs, tasks and all the shared non-shared policy, protection, deployment and group configuration options. In contrast, the Vipre Management console seemed effortless. On the client side, I fielded many compaints from end users regarding performance issues, cpu spikes and lockups that all appear to be attributed to Endpoint.

Alright, so the big question is, how well do the threat detection engines stack up against eachother? For this post, I ran a simple comparison test using a virtual XP machine alternating between the Vipre and Endpoint clients. Here's an overview of the test environment:

• Windows XP based laptop with VMware Workstation 6.5
• Windows XP virtual machine fresh install with no antivirus
• Pre-antivirus snapshot of XP virtual machine for instant rollback
• The malware of the day, Antivirus 2009

I chose Antivirus 2009 because within the last few months it found its way onto several Endpoint protected workstations without any action taken on it. Each test client was the most current available, had the latest definitions installed and was similarly configured. Both clients were tested several times. The virtual XP test machine was rolled back to its pre client state after each test and then the clients were reinstalled. Each client was put through the following flow of events:

• Accessed Antivirus 2009 bait laden website from virtual XP machine
• Selected OK on bait pop up screens ( View image)
• Ran through fake scan and fake results screens ( View image)
• Clicked on fake scan results to begin download of A9installer_880147.exe executable
• Selected Run at the download prompt since that's usually what the average end users do
• Clicked Continue to install, waited for the responses

• Vipre responded almost immediately. It blocked the file then deleted it. The response was identical on subsequent tests. No reboot was necessary.

• During the first test run of Symantec Endpoint, Antivirus 2009 actually completed the install. Endpoint did eventually respond and required a reboot to complete the removal action. ( View image) 
• However, Antivirus 2009 was still able to leave its mark in the form of an Internet Explorer hijack of some sort. ( View image)
• The Antivirus 2009 install never completed on the next 2 Endpoint tests but was still able to drop a few files on the system which Endpoint succesfully quarantined. A reboot was still required to complete the removal on each of the subsequent tests.

Conclusion

Obviously, my simple test and brief comparison review is neither extensive nor thorough enough to be conclusive in any way regarding Sunbelt Vipre's overall performance ability and standing among its competitors. Although my initial review of Vipre is but a mere peek under the hood, I do like what I've seen so far. I think the greatest test will be how well Sunbelt Vipre Enterprise performs in the wild over time and how well it lives up to its claims. For more info on Vipre and links to more extensive reviews of the product visit their website. 

http://www.sunbeltsoftware.com

Comments welcomed.

The configuration and settings below are from an actual production environment. The network utilizing this configuration has Backup Exec 12.5 installed on a dedicated backup server on the LAN at 192.168.1.x with an external scsi connected LTO tape drive. The DMZ network 172.16.10.x contains several Windows based web servers. On the backup server, Backup Exec remote agent TCP dynamic port range was configured per Symantec's recommendation.

In Backup Exec select Tools > Options > Network and Security

The relevant PIX code:

ip address dmz 172.16.10.1 255.255.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

<- LAN based backup server static mapping ->
static (inside,dmz) 192.168.1.x 192.168.1.x netmask 255.255.255.255 0 0

<- Backup Exec server and remote agent port ranges ACL ->
access-list 102 permit tcp host 172.16.10.11 host 192.168.1.x range 6101 6106 
access-list 102 permit tcp host 172.16.10.12 host 192.168.1.x range 6101 6106
access-list 102 permit tcp host 172.16.10.13 host 192.168.1.x range 6101 6106
access-list 102 permit tcp host 172.16.10.11 host 192.168.1.x range 10000 10500
access-list 102 permit tcp host 172.16.10.12 host 192.168.1.x range 10000 10500
access-list 102 permit tcp host 172.16.10.13 host 192.168.1.x range 10000 10500

<- Enable ACL ->
access-group 102 in interface dmz

Backup Exec remote agents installed successfully on the web servers via push. A DMZ backup job was then configured and scheduled. 

Here's a screenshot of the DMZ backup job throughput:

• Verify Exchange 2003 Service Pack 2 is installed
• Install SSL Certificate from Iphone supported root CA or self signed (http://support.apple.com/kb/HT2185)
• On the Exchange 2003 server enable RPC over HTTP Proxy under Windows Components > Networking Services
• In Exchange System Manager Enable RPC-HTTP back-end server
• From Exchange System Manager enable Outlook Mobile Access. Check off all options under Mobile Services Properties. (  View image ) 
• Add RPC-HTTP registry entries (http://www.petri.co.il/configure_rpc_over_https_on_a_single_server.htm)
• In IIS create a secondary Exchange virtual directory if using forms based OWA login. If your configuring Exchange 2003 on Small Business Server 2003 the secondary virtual directory has already been created and is called exchange-oma. Under Authentication Methods, select Basic and Integrated authentication with a back slash for Default domain.  ( View image )
  (http://support.microsoft.com/Default.aspx?kbid=817379)
• Verify IIS Rpc virtual directory Authentication Methods and Secure Communications configuration. Select Basic authentication and enter domain name without .com or .local under Default domain. ( View image )
• Verify, enable SSL and require 128-bit encryption options on Rpc virtual directory
• Enable Exchange Imap service
• Confirm ports 80, 443 and 143 open in firewall
• Make sure IP configuration for default website in IIS is set to *All Unassigned*
• Restart IIS

Before configuring iPhone to connect to Exchange, test to see if RPC over HTTP is functioning correctly with either Outlook 2003 or Outlook 2007. (Configure RPC over HTTP) If Outlook successfully connects via RPC over HTTP, then the settings below should work for the iPhone.

iPhone settings:

• Add Account > Microsoft Exchange
• Enter email address
• Mail Server > hostname.domain.com
• Domain > domain without .com or .local
• Username > domain\username ( username without domain\ for SBS 2003 Exchange)
• Use SSL > ON
• Mail > ON
• Contacts > ON
• Calendar > ON

Any comments or questions welcomed.

Backup- \\Server\Microsoft\Information Store\First Storage Group
WARNING: "\\Server\Microsoft\Information Store\First Storage Group\Mailbox Store (Server)" is a corrupt file.
This file cannot verify.
WARNING: "\\Server\Microsoft\Information Store\First Storage Group\Public Folder Store (Server)" is a corrupt file.
This file cannot verify.
WARNING: "\\Server\Microsoft\Information Store\First Storage Group\Log files" is a corrupt file.
This file cannot verify.
Verify- \\Server\Microsoft\ Information Store\First Storage Group
WARNING: "Mailbox Store (Server)" is a corrupt file.
This file cannot verify.
WARNING: "Public Folder Store (Server)" is a corrupt file.
This file cannot verify.
WARNING: "Log files" is a corrupt file.
This file cannot verify.

In both instances, the backup software used was Symantec Backup Exec (versions 12 and 10d). Symantec's knowledge base provides possible resolutions here with additional references to other related articles. Utilizing Microsoft's isinteg.exe tool is what worked for me. This tool checks the integrity of the Exchange Information Store databases and attempts to fix any detected issues or weaknesses. Here are the basic steps for running the isinteg.exe tool:

1. From Exchange System Manager dismount Mailbox and Public Folder Stores
2. From command prompt access the Exchsrvr > bin directory
3. Run the following command > isinteg -s server name -fix -test alltests
4. If prompted, enter the number of the Store to be checked
5. Re-run command until the last line shows all zeros
6. Mount Store

In both of the instances that I encountered, the Exchange Store backup jobs ran succesfully after several issues where detected and fixed with the isinteg.exe tool. The link below provides additional info on its use:

http://support.microsoft.com/kb/301460/