codeape's questions

Here's the deal:

• Our client software can only connect using http protocol, it can not do https.
• However, security requirements dictate end-to-end security, so we need to use https when talking to the server.
• Now I have been able to do this in a testing environment by using stunnel with the following configuration:

stunnel.conf file:

[mylocalproxy]
client = yes
accept = 127.0.0.1:3000
connect = the.real.server:443

• Given the stunnel config above, I can configure my test client to use endpoint address http://localhost:3000/endpoint/url/ and everything works fine.
• But on the production environment, the client side does not have direct network access to the.real.server. Http/s traffic from the client side has to go through a proxy server.
• My questions:
  • Is it possible to configure stunnel to connect using a proxy server?
  • If not possible using stunnel, is there another way I can accomplish this?

The scenario:

• I have a Linux laptop (linuxlaptop)
• There's a piece of software that I develop that access a web service https://ws.behind-vpn.com that is behind a Cisco AnyConnect VPN.
• I cannot connect to the VPN from the Linux laptop (the VPN certificate process is Windows/IE only)

• Therefore, when doing integration testing, I do the following:

  1. Start a Windows VM (windowsvm)
  2. Connect the VPN from the VM
  3. Test the software on the VM

I am now looking to streamline the integration testing process a bit. I would like to be able to connect to the web service directly from my Linux laptop.

My questions:

• I have a feeling that this should be possible using SSH port forwarding. Is it?
• If possible, could someone explain how to configure ssh port forwarding to accomplish this?
• Do I need a SSH server on windowsvm to do this? If so, what is a good SSH server for Windows?

I want to set up a corporate IRC server to use for project discussions.

How can I make the IRC server keep a archive of all messages that are sent through the server? I want the messages available for browsing (also preferably searchable) over HTTP (using Apache).

How can I set up such a service?

Also, it would be a plus if a user connecting to a channel on the server could execute some command in the IRC client to (say) get the server to return the last 24 hours worth of messages on that channel.

(I am an IRC n00b)

Case:

• A Windows share mounted using samba over a flaky VPN connection (sometimes very slow, sometimes it drops)
• When doing tab-completion on filenames, my bash shell can freeze up if the VPN is slow or dropped when I am attempting the tab completion.

Example:

$ cp myfile.zip /mnt/winbox-c/Progr<tab> key pressed here

Is there a key I can press to get bash out of its hung state when this happens?

Does anyone have experience with configuring Cisco AnyConnect VPN? We have a problem with client DNS name resolution when connected over VPN.

To me, it looks as if the Cisco AnyConnect VPN client intercepts DNS queries from the clients.

1. Can someone confirm that the AnyConnect VPN client in fact does this (intercepts DNS traffic)?
2. Where is this configured on the VPN server?

EDIT:

Here's how the routing table changes when I connect to the VPN:

[~]
$ diff -u /tmp/route_normal /tmp/route_vpn 
--- /tmp/route_normal   2010-01-20 19:23:47.000000000 +0100
+++ /tmp/route_vpn      2010-01-20 19:24:46.000000000 +0100
@@ -1,6 +1,10 @@
 Kernel IP routing table
 Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
+xxx.xxx.xx.xx.i 10.0.0.1        255.255.255.255 UGH   0      0        0 ath0
 172.16.53.0     *               255.255.255.0   U     0      0        0 vmnet1
 10.0.0.0        *               255.255.255.0   U     0      0        0 ath0
+172.17.20.0     *               255.255.255.0   U     0      0        0 cscotun
0
+192.168.111.0   172.17.20.212   255.255.255.0   UG    0      0        0 cscotun
0
 172.16.140.0    *               255.255.255.0   U     0      0        0 vmnet8
+172.16.0.0      172.17.20.212   255.255.0.0     UG    0      0        0 cscotun
0
 default         10.0.0.1        0.0.0.0         UG    0      0        0 ath0

EDIT 2:

The IT guy has done "something" on the VPN endpoint. Now I get "recursion not available" when doing nslookup. The DNS servers have recursion enabled. So it must be the Cisco VPN DNS interception messing this up.

ubuntu@domU-12-31-39-00-ED-14:~$ /opt/cisco/vpn/bin/vpn connect xxx.xxxxxx.xx
...
  >> Please enter your username and password
...
  >> notice: Establishing VPN...
  >> state: Connected
  >> notice: VPN session established to ...
ubuntu@domU-12-31-39-00-ED-14:~$ nslookup www.vg.no
;; Got recursion not available from ..., trying next server
;; Got recursion not available from ..., trying next server
;; Got recursion not available from ..., trying next server
;; Got recursion not available from ..., trying next server
Server:         172.16.0.23
Address:        172.16.0.23#53

** server can't find www.vg.no.compute-1.internal: REFUSED

ubuntu@domU-12-31-39-00-ED-14:~$ ping 195.88.55.16
PING 195.88.55.16 (195.88.55.16) 56(84) bytes of data.
64 bytes from 195.88.55.16: icmp_seq=1 ttl=240 time=110 ms
64 bytes from 195.88.55.16: icmp_seq=2 ttl=240 time=111 ms
64 bytes from 195.88.55.16: icmp_seq=3 ttl=240 time=109 ms
^C
--- 195.88.55.16 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2017ms
rtt min/avg/max/mdev = 109.953/110.379/111.075/0.496 ms

The case:

• An industrial IT system, controlling and storing data on two production lines
• There is one server per production line. Each server runs the automation objects for that production line. Each server has a local SQL server database that stores data for that production line.
• The automation software has built-in redundancy. A server failure on one production line's server will cause the automation objects to run on the other server instead.

An imagined scenario: The disk controller on production line 1's server fails. Currently, the following will happen:

• The automation objects will start running on production line 2's server instead.
• But when the automation objects start doing data access to server 1, they will of course fail (since the disk controller is non-functional).

So we have discussed options. A colleague has suggested the following:

• Replicate the server 1 database on server 2. And vice versa.
• Set up the data access with localhost connection strings.
• So when the automation objects start running on the other server, their data access will go to the database on the server they are running on.

I do not have experience with replication. Is replication a viable solution to the problem described above? Important things to remember when setting up replication? Other suggestions?

I do backups to a HP Ultrium 2 tape drive (HP StorageWorks Ultrium 448). The drive has a 'Clean' LED that supposedly will light up or blink when the drive needs to be cleaned.

The drive has been in use since october 2005, and still the 'Clean' light has never been lit.

The drive statistics are:

• Total hours in use: 1603
• Total bytes written: 19.7 TB
• Total bytes read: 19.3 TB

My question is:

• How many hours of use can I expect before I need to clean the drive?

Edit: I have not encountered any errors using the drive. I do restore tests every two months, and every backup is verified.

Edit 2: The user manual says: "HP StorageWorks Ultrium tape drives do not require regular cleaning. An Ultrium universal cleaning cartridge should only be used when the orange Clean LED is flashing."

Update: It is now May 2010 (4.5 years of use), and the LED is still off, I have not cleaned, backups verify and regular restore tests are done.

Scenario:

• A few Windows 2003 servers, part of our corporate network
• Corporate IT has set up a WSUS server.
• But it seems Corporate IT is unable to operate the WSUS server properly. On "my" servers, I get 'unable to download updates'-messages in the event log regularly. And no patches are downloaded/installed to the servers.
• I have admin access to the servers, since there are a few things I support myself for our branch office.

Question:

• I want to disable my servers usage of the corporate WSUS server. I would like to configure it the "normal" way - use Microsoft's windows update.
• How and where do I change this setting? I have no idea how corporate IT has configured the servers in the first place - maybe using group policy?