As subject really.
I can force a wallpaper through GPO, but how can I mandate that the desktop should be black?
We have a mix of XP, Vista, and Windows 7 machines.
..that applies sometimes, depending on the application, but not all the time, depending on the application..
WTF and how the heck do you all deal with this? I have users who are able to create insanely long filenames and paths, yet who aren't then able to open those files and folders in certain applications, with seemingly no way at all for me to stop them from doing it.
I can't be the only one finding it an issue..
In the testing/playing phase with a bunch of new SAN/Server kit.
I have 2 x Procurve 2910 switches dedicated to iSCSI/vMotion (with a 10gbps fibre link between them), 2 x vSphere hosts (each with lots of NICs), and 6 x P4000 iSCSI nodes.
The P4000 manuals say to enable flow control on the switches.
I'm not clear if that means enable it globally, or just on the ports that the P4000 nodes are directly connected to?
I'll be mounting iSCSI volumes from both the vSphere hosts, and from within some of the guests (Windows 2008 DSM MPIO).
I know what flow control does at a basic level, but I don't know enough about it at low level to know where I should be implementing it.
Thanks.
Our network is a flat L2.
At some point we need to (I want to, but it's not strictly my responsibility) start to VLAN it down as we're obviously going to have a lot of broadcast chatter going on, and recently one of our firewalls has reached its arp table limit (arguably the firewall has a low arp table limit but we are where we are with that).
So, how do you come up with a methodology for VLAN'ing down your LAN?
In our case we are one site, but the size of a small town (think campus I guess).
We have a fairly typical hub/spoke LAN with a couple of core switches onto which the edge switches connect, some directly, some via fiber to copper convertors.
Our edge kit is a mixture of Procurves, Prosafes, some older Baystacks etc.
Most of our clients are on DHCP, a few are on static IPs but we could deal with those, networked printers are also on static IPs.
As I see it there are lots of options to VLAN based on physical location in the campus i.e. any edge switches in buildings A & B go on VLAN xx, or it could be based on other factors.
Simply put I've not done this before and it's easy to dive in and do stuff quickly and then regret it.
How would you go about it please?
If I have two switches connected to one another by a fibre link, and each of those switches is also connected into a local switch, and those two local switches are linked, I'm correct in thinking that irrespective of VLANs or any L3 configuration, I'll have an L2 loop that STP/RSTP will need to sort out aren't I?
VLAN 100 and VLAN 200 will only exist on the top two switches so the link between those two switches will only handle tagged traffic on VLAN 100 and VLAN 200.
The switches are dedicated to iSCSI and vMotion traffic and only need to physically connect to the main network to allow management of the switches and of the iSCSI SAN.
One option would be to keep them physically separate and put a basic firewall between them and the main LAN doing away with the loop.
Thanks ever so much.
I have a pile of HP SAN and server boxes behind my desk.
Long story short, I'll have 2 vSphere hosts, each with 12 pNICs, and a single Procurve 2910al switch (actually two but linked) dedicated for iSCSI/vMotion traffic, and the iSCSI SAN (P4000).
Some NICs will be allocated to my production LAN as VM NICs and so I can access the vCentre server, and the iSCSI traffic and anything best kept off the production LAN will go on the 2910al.
I want to present iSCSI LUNs to some of the guests (Exchange/SQL/maybe the file server) using the Windows iSCSI initiator so I can use the SAN integrated VSS snapshots.
I also ideally want to be able to manage the SAN from the production network, so I guess I'd use the routing function on the switch for that?
I'd appreciate suggestions on the optimal way to configure the switch/VLAN layout.
We currently don't allow Skype usage on the LAN. The reasons ultimately come down to that great cover-all of "security", though I have to admit that these days I'm not sure if Skype has turned into a better product when talking about a business environment or not?
I know it used to be considered totally evasive of firewalls. I know it used to be considered a risk because of the P2P nature and the potential for exploits/file transfers and so on.
How do things stand now?
If I could get "something" that sat in our DMZ that internal Skype clients could connect to and the DMZ box dealt with actual inbound/outbound internet connectivity I'd be very interested, but such a product doesn't seem to exist?
I have a nasty feeling I know the answer to this one, however...
We're looking at how to enforce a corporate standard on email, obviously outbound is the priority over internal mail.
Is there any way to set the default font used in Outlook?
I believe it can be done through the registry, but GPO would be ideal.
We currently use WSUS and it's fantastic for our workstations and keeping track of what updates our servers need.
I'd sooner not automatically have WSUS install patches in the small hours to our servers, but I would like to be able to click an "update these servers now" button, but without the time involved logging onto each server, firing up IE, going to Windows Update etc.
Are there any suggestions on low cost ways to achieve this please?
I'm aware of Shavlik but across a couple of dozen servers it's not the cheapest option.
If it's relevant the servers are almost all VMs on vSphere.
Thanks a lot.
I'm looking at putting in a small cluster spanning two locations on the same campus.
The vSphere hosts in each location would have a vSwitch connected to the production LAN, and I'd also be using a physical dedicated iSCSI LAN which would have switches in both locations with dedicated 10gbps fibre between both.
If the iSCSI fibre fails both hosts would be up and able to ping the other, but one host would not be able to see the iSCSI shared storage.
I can't find a guide that details how to configure HA in the situation above.
Thanks in advance.
I've just purchased a wildcard SSL cert (AlphaSSL) which I'd like to install on a box running Tomcat, to replace the existing SSL certificate.
I have the cert, the private key, the CA Root, the intermediate CA and so on.
I'm not too familiar with Tomcat so can anyone say with certainty what sequence I need to follow?
Here's the guide for creating a CSR from scratch that is specific to the appliance I'm using:
Thanks.
cp /opt/msw/data/keystore /root/keystoreBackup
rm /opt/msw/data/keystore
hostname appliance.inside6.com
keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/msw/data/keystore -storepass changeit
What is your first and last name? [Unknown]: appliance.inside6.com
What is the name of your organizational unit? [Unknown]: Development
What is the name of your organization? [Unknown]: Clearswift
What is the name of your City or Locality? [Unknown]: Reading
What is the name of your State or Province? [Unknown]: Berkshire
What is the two-letter country code for this unit? [Unknown]: GB
Is CN=appliance.inside6.com, OU=Development, O=Clearswift, L=Reading, ST=Berkshire, C=GB correct? [no]: yes
Enter key password for (RETURN if same as keystore password): {leaving the password blank here}
cat /root/certreq.csr
-----BEGIN NEW CERTIFICATE REQUEST----- MIIBvjCCAScCAQAwfjELMAkGA1UEBhMCR0IxEjAQBgNVBAgTCUJlcmtzaGlyZTEQMA4GA1UEBxMH UmVhZGluZzETMBEGA1UEChMKQ2xlYXJzd2lmdDEUMBIGA1UECxMLRGV2ZWxvcG1lbnQxHjAcBgNV BAMTFWFwcGxpYW5jZS5pbnNpZGU2LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAncyI Ui4emCBqY1of4xUk0eJ8CcZtHaYyXrych5sFXTDFq9icRd2e4Xe94IvHlKZwtxAXsoZONXXo4gP2 jU5PKD/DMNlu2TtdISvxD4DstkYv9dpC+8bt5uftYQ405nHeRwPpBQornJz98f5tNiCIYRsB0gec 2Gj7J4TDf2+igYkCAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GBAGVvifaZLvnwOYAdlblBMsSDAI1h VahtdzcLQrFzH3DezNfx5knqzzaM4oOC2N2RohMSKsP9DazqCFkj4i6lBS6M+X/inu0Hyp6b9fEz 06BJby+RM4nmv4RFXqdR5usIHalfodRxjWVHjMhN3FwiD1SPxXqLppp3zjEqhycVox/5 -----END NEW CERTIFICATE REQUEST-----
Obtain a certificate from a commercial Certificate Authority such as Verisign. During this phase you will have to paste/email the contents of /root/certreq.csr into an appropriate location
On the appliance, add the certificate the CA will have mailed you
keytool -import -alias tomcat -trustcacerts -keystore /opt/msw/data/keystore -storepass changeit -file /root/server.cert
Certificate reply was installed in keystore
uiservicecontrol restart tomcat
In some ways I guess this is a piece of string question, however even if there is a "this fits most situations" answer I have no idea what it is, so...
I have a SAN on evaluation, an HP P4000. I'd like to use IOMeter to do some benchmarking to see what it's capable of.
However, I have no idea what combination of block size, read/write split, and random/sequential split is applicable to different usages.
For example how would you simulate some Exchange activity, some SQL activity, some general VM activity and so on.
I know how to add workers and set them loose with different settings, but what settings should I use?
Thanks.
If so how are you finding it and how do you have your multi-site setup configured?
We're looking more and more likely to go the P4000 route and I'm looking at how things like failover work between the P4000 and vSphere (I have read the HP PDFs).
As subject I guess, looking at SANs and most vendors offer 10k or 15k "proper" SAS drives, many also offer 7.2k MDL/Nearline SAS drives.
Does anyone have an authoritative explanation of the difference please?
We have around 50 domains that aren't core/key business but ideally we want to be able to have the MX records pointing to someone to accept mail for the following:
abuse@ and postmaster@ for all the domains.
various forwarding aliases i.e. sales@ goes to someone@ourcompany dot com
on three or four of the domains we want to have a handful of pop3 mailboxes
smtp relay would be good for the pop3 users
Any suggestions would be appreciated, our registrar doesn't offer this (well they do, but at prices more suited to primary business domains).
I know I could do it in-house with hmail or mailenable but if there is a cheap and reliable way that just takes the hassle away...
Thanks.
So I've an appliance that uses SSL certs for different functions.
I generated a CSR using keytool using these commands:
keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/msw/data/keystore -storepass changeit
keytool -certreq -alias tomcat -keyalg RSA -keystore /opt/msw/data/keystore -storepass changeit -file /root/certreq.csr
Which generated the CSR that I used to download the cert, then I installed it using
"keytool -import -alias tomcat -trustcacerts -keystore /opt/msw/data/keystore -storepass changeit -file /root/server.cert"
So far, so good.
However, one component that uses SSL requires both the certificate and the private key, which of course I don't have - and I don't see an obvious way using keytool to export the private key from Tomcat, is there one please?
I have a site to site VPN configured between our main site (Site A) and a remote site (Site B).
Site A is 10.60.0.0/16, Site B is 192.168.99.0/24.
The firewall in Site B is a Juniper SSG running ScreenOS 6.3 and I'm using a route based VPN.
The tunnel works perfectly in that from Site A you can reach 192.168.99.0 via the tunnel, and from Site B you can reach 10.60.0.0 via the tunnel.
However, we want it so that if you're in Site B and want the Internet it goes via the firewall at Site A, and right now on the Juniper 0.0.0.0 has the ISP router as next hop.
My understanding is that on the Juniper, I can set a route for the /32 public IP at our main site that the VPN tunnel connects to, pointing to the ISP router via ethernet0/0 (the SSG's external interface), and then modify the 0.0.0.0 route to use our main site firewall via tunnel.1 (the VPN tunnel).
Not sure I've explained that so well but is my understanding correct?
Seems this should be simple, but I'm unable to find the combination of GPO options to default the home page so that the user can't change it, but to let them add any of their own home pages to the list of tabs?
Thanks.
Our Exchange aware antivirus product is due to be renewed in a little over a month.
These days it's reduced to doing little more than antispam and attachment blocking.
Part of me is tempted by a cloud or edge solution such as Google Message Security or an Ironport as it appears to offer more, but I keep coming back to wondering whether I'm entirely comfortable not running something at the Exchange level to deal with any internal threats.
Appreciate any thoughts.
I wondered if any of you who have a fleet of laptops are using anything to back them up, and if so what?
In particular I'm looking for a solution that is totally hands-off once installed i.e. the user doesn't have to do anything, press anything, remember to change something when their domain password changes etc.
Right now we use Druva Insync which I have to say is pretty damned good, however our license is up for renewal in a couple of months so I want to be sure it's the best solution before renewing - the only other vaguely comparable product that I know of is from Atempo but the cost of a SQL Server license is a big problem there.
Thanks.