Blog

I was adding a new SCSI/SATA controller card to an HP MSA 1510i. I had shut down the unit to perform the work and after rebooting I could not connect to the management interface. I checked the small interface on the front and the system was attempting to get a DHCP address. I reset the address for management and was able to connect but the password had reset to the default. At that point I determined it had dumped its configuration.

The LUNs were fine; they just could not communicate over iSCSI. If you have ever configured an MSA 1510i, you know they are not very straightforward. I was able to get everything back communicating and the VMware servers back online without too much trouble. The lesson learned was to make sure to document the configuration of a device or back it up. Unfortunately the MSA 1510i does not allow configuration backups. It’s also good to document because I had lost access to information at our office, such as passwords and IPs, because the ISA server (which is a VM) was offline.


 

When performing a migration from ISA 2000 to Forefront TMG, I set up the perimeter networks as part of the “perimeter” network object.  I ran into a problem when I went to create server publishing rules. They did not work.  I had to remove the subnets from the perimeter group so that the network interface would show up as part of the “external” network object.  Once the addresses on the outside interface were in the “external” network object, I was able to successfully create server publishing rules.
 
Also, Forefront TMG now allows the published port to be different from the port on the internal server.  This is useful when creating publishing rules for multiple RDP servers, for example.

 

Steganography has always been an esoteric and theoretical concept to me. The following Lifehacker link shows the use of a hidden TrueCrypt volume that is embedded in a video file. It's pretty interesting to actually see it in action. One of the interesting parts of the post has to do with the difficulty of detecting something like this. They mention four methods of detection, none of which are very straightforward. It's a little concerning to see how difficult it can be to detect the hidden information.

http://m.lifehacker.com/5771142/embed-a-truecrypt-volume-in-a-playable-video-file


 

I came across a Smart UPS 1500 that needed a battery replacement recently.  After the replacement battery was installed, I ran a self-test like I normally do to clear alarms on the unit.  I noticed that the self-test reported that the battery had a runtime remaining of 0 minutes and a 20% capacity.   I decided to let the battery charge up to 100% and then try a runtime calibration.

Later that evening, the UPS was reporting that the battery had 100% capacity and a runtime of 3 minutes with a very minimal load.  I ran the runtime calibration and the runtime dropped immediately to 0 minutes with a 20% charge.  I thought that the battery might be faulty at this point. 

The customer happened to have another battery there to try.  We put the battery in and testing showed the same exact symptoms.  Therefore the problem must be with the UPS and not the batteries.

APC's forum quotes "The battery constants give the battery status via their life expectancy. If the battery ages and is 'exhausted', the constant is overwritten. The management software calculates the runtime of the UPS with these constants.  If the battery is now replaced, a self test must be done with the new batteries. Through it, the red battery replace indicator goes out and the battery constants should be reset to the standard settings. This does not occur in some cases. Therefore, the constants must be reset manually in order to correct this situation."

Through research, I came across this article http://www.rm.com/Support/TechnicalArticle.asp?cref=TEC817072 which describes how to reset the battery constant manually.  The only problem is that this has to be done by physically connecting the serial cable to the UPS, so I was not able to try this out yet.  Since each UPS has different constant variables, you will have to call APC support and ask them what to set it to.

Here are the steps listed using Hyperterminal from the hyperlink above:

In order to successfully reset the battery constant, all accompanying devices (SmartSlot Accessories such as Interface Expander, Web/SNMP Management Card) must be removed from the SmartSlot or from the Com port of the UPS.

  1. Please shut off all connected load, switch off the UPS, pull the power plug of the UPS.
  2. Switch off the UPS once again till you hear a click.
  3. Remove all accompanying devices.
  4. Turn on the UPS again and connect a computer with Windows 95/98/ME, Windows NT 4.0 or Win 2000, which runs on Hyperterminal using one of the cables mentioned under the requirements.
  5. Close Powerchute plus-Server. With Windows NT/2000, the UPS service must be stopped. If you are using PowerChute Business Edition, stop the Agent *V service.
  6. Perform a Battery Constants check.
  7. Start a Hyperterminal session with the UPS.  Note: Ensure that there are no accessories plugged into the UPS. (Web Management cards, IO Relay cards etc)
  8. Start Hyperterminal by going to Start, Programs, Accessories, Communications, Hyperterminal.
  9. You will be requested to enter a name and a symbol. Enter a favourite name and click on OK. When a message that a modem must be installed appears, you can ignore this message.
  10. Select the serial port to which black serial cable is connected to.  The correct settings for the COM-connection are 2400 Baud, 8 data bits, 1 Stop bit, no parity, protocol Xon/Xoff. In this window, click on Advanced and make sure that the option FIFO activated is unchecked. Click twice on OK.
  11. Check if there is a connection (Type Shift + Y, should return **SM** ). Do not enter any other characters via Hyperterminal other than that described in these instructions because this can cause irreparable damage to the UPS
  12. Type **1**, wait 2-3 secs and type **1** again (Should return **Prog**)
  13. Enter a **0** and the UPS reports the present value of the battery constant.  If this value does not correspond to the default value that was given to you by RM Support or APC , it must be changed.
  14. If this value is not correct, press **+** or **-** until the correct value is returned.
  15. Press **R** to close the session. (Should return **Bye**)
  16. Enter **<Shift> Y**, the UPS reports again with **SM**.
  17. Enter **0** once again and check if the UPS reports back the standard setting that has been set.
  18. Close Hyperterminal, start the UPS again and check the UPS runtime in the management software.

 

Level Platforms has partnered with a company called Ninite to provide prebuilt installers for many non-Microsoft utilities and applications.  These include Java, Adobe Reader, and Adobe Flash.  With the new scripting features in Level Platforms MW2011 we should be able to use the packages provided by Ninite to centrally manage updates to these applications.  If you want to try Ninite, they provide free installer packages that are completely functional, but with some restrictions for enterprise automation.

https://ninite.com/help/how-ninite-works/


 

When creating scheduled reports in the SEP Mgmt console, be sure to check your filter settings after creating (see image below).  The default filter is just for the past 24 hour period and also includes all clients SEPM can see.  If you want to set a different coverage interval, such as weekly or monthly, or apply the report just to specific clients or sub-groups, you need to create and save a custom filter.


 

I was working on rebuilding our Office Communication Server from scratch a short while ago. There were many gotchas in this entire process, but the one I want to touch on happened near the end of the rebuild process. The Front-End Server Service and Monitoring Agent service refused to start up, even after several reboots of the server and repairs of the installation. Errors in the event log reported the “Worker process exited prematurely” and referenced RTCHost.exe. By now, Google had become my close friend and guardian.

What happened is the update, KB967831, shuts down the Front End Server (as well as the other OCS services) to patch and then attempts to fire all the services back up.  See this article about the update.  If MSMQ is not installed, the RtcQmsAgent service (monitoring agent) will not start up, causing the Front-End server to fail. From the blog:
 
On a good note, you can install MSMQ to get around the unfortunate "server killer" situation.

With Server 2008, you can run ServerManagerCmd -i MSMQ-Services and ServerManagerCmd -i MSMQ-Server.
With Server 2003 x64, it is a little more complex as an automation task but can be done using the details mentioned here.

The RtcQmsAgent service will no longer fail to start. At that point, you should be able to install all of the QFE1 updates successfully.
 
I ran those two commands (even though I thought I had already installed MSMQ earlier using the Server Manager GUI) and then attempted to start the services. Success!


 

For researching disk space usage I usually recommend the windirstat program (http://windirstat.info).  One problem I had recently is related to the fact that no user, not even an administrator, has access to the "System Volume Information" folder.  This folder contains the system restore points (on the C: drive) and probably other system stuff that you should not mess with.

Since the tools we use to investigate disk space usage do not have access to the "System Volume Information" folder, that folder is just missing from the display given.  However, windirstat has an option to turn on the display of "Missing" space.  This section will show the difference of the size of the disk minus the total of all files found.  A Windows Vista machine at a customer site was running out of space and this missing space was taking up most of it.  System Restore was enabled and the help text said it could take up to 15%.  I turned system restore off, rebooted, and the space came back.  I turned it back on and checked it a couple of times over the next week; the "Missing" space did not seem to be growing.
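The "Missing" figure described above can be reproduced with a short script. This is an added example, not windirstat's own code: the function names are hypothetical, the sample tree is constructed, and file lengths are used as an approximation of space on disk.

```python
import os
import shutil
import tempfile


def scan_tree(root):
    """Sum the sizes of all files readable under root.

    Returns (bytes_found, unreadable_paths). Directories that cannot be
    listed (access denied, as with "System Volume Information") are
    recorded instead of being silently skipped.
    """
    found = 0
    unreadable = []
    for dirpath, _dirs, files in os.walk(
            root, onerror=lambda e: unreadable.append(e.filename)):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                # lstat: a symlink is counted as the link, not its target
                found += os.lstat(path).st_size
            except OSError:
                unreadable.append(path)
    return found, unreadable


def missing_space(used_bytes, found_bytes):
    """Space in use on the volume that no visible file accounts for."""
    return max(used_bytes - found_bytes, 0)


def report(root):
    """Compare the volume's used space with what a scan of root can see."""
    used = shutil.disk_usage(root).used
    found, unreadable = scan_tree(root)
    return {"used": used, "found": found,
            "missing": missing_space(used, found), "unreadable": unreadable}


def build_sample():
    """Constructed sample tree: two files of 1000 and 2500 bytes."""
    root = tempfile.mkdtemp(prefix="missing-space-demo-")
    os.makedirs(os.path.join(root, "sub"))
    for rel, size in (("a.bin", 1000), (os.path.join("sub", "b.bin"), 2500)):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"\0" * size)
    return root


if __name__ == "__main__":
    r = report(build_sample())
    print(f"found={r['found']} missing={r['missing']} unreadable={r['unreadable']}")
```

For a meaningful "missing" value, point `report` at the root of a volume (for example `C:\`); on a subfolder the figure also includes every file outside that folder.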


 

We use VMware Workstation a lot during our information security audit work and have lots of times when we just need to copy a file or two to or from a virtual machine and it would be nice to not have to wait to startup the VM, login, copy, etc.

VMware has a Virtual Disk Development Kit (http://www.vmware.com/support/developer/vddk/) that contains a helpful tool for this problem.  There is only a 32-bit Windows version but it works on 64-bit systems. Among other tools, the kit includes a handy command line utility called vmware-mount, also known as VMware Disk Mount. You'll find the utility in C:\Program Files\VMware\VMware Virtual Disk Development Kit\bin.

Once it's mounted, you can work with that disk in Explorer, just like any other disk. To mount a local .VMDK to the M: drive, use the command:

vmware-mount M: {pathToVMDKFile}

You can even use this tool to mount remote .VMDKs, either on other Windows hosts or ESX/ESXi hosts. Here's some quick syntax to connect to a disk on a remote ESX/ESXi host:

vmware-mount K: "[storage1] WinXP/WinXP.vmdk" /i:ha-datacenter/vm/WinXP /h:esx3 /u:root /s:secret

You can get all the command line hints from the tool's documentation.


 

I was recently attempting to install McAfee Antivirus on a PC and it would not complete due to an error stating that it was not a valid executable file.  During one of the many attempts it also stated that the “Installation failed, please contact your network administrator”.  The PC was running very slow and I attributed this to its age and RAM.  After further investigation it was discovered that there were over 18,000 folders in the C:\windows\temp directory.  After deleting these folders the machine's performance improved greatly and the McAfee install went through on the first try.   Don’t forget to try clearing out your temp folder if you are experiencing performance issues or an installation problem.