Archive

Configure alerting for a Symantec Brightmail appliance

I wanted to configure email alerts from our Brightmail gateway (formerly the Symantec 8300 series appliance) so that we would be notified when message queues went over certain thresholds. This is a missing feature on the appliance, so as a workaround I've done it using Cacti instead. We already monitor CPU and memory usage of the appliance in Cacti by configuring it as a 'ucd/net SNMP device', and this week I discovered Symantec also publishes Cacti templates for graphing the MTA queues (inbound, outbound and delivery). There are 2 graphs: one showing the number of messages, and the other showing the queue sizes in megabytes.

I added the templates to our Cacti and configured them against our Brightmail gateway and they work very nicely. 

[Image: Queue sizes as graphed by Cacti]

Just to explain the queue above - we always have a fair amount of transient garbage stuck in the delivery queue due to malformed domain names, typos in email addresses and other random stuff stuck in a retry queue for a few days.

For alerting we already have the threshold plugin 'thold' installed on Cacti, so I set up 2 new threshold templates for the inbound and outbound delivery queues. If a queue now goes over 150 messages we will receive an alert, and it will also send an email when the value drops back under 150.

[Image: My thresholds]

The email alerts also contain a copy of the graph as an attachment which is a very nice feature. It pretty much tells you what time your queues started building up, and this is a valuable clue in helping you find out what has caused the problem.
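The over/under behaviour described above (one alert on crossing 150, one mail on recovery, nothing in between) as an added shell example; this is not from the post or from the thold plugin, and the poll data is constructed rather than read from the gateway's SNMP counters.

```shell
#!/bin/sh
# Threshold for both queues, the same 150-message value used in thold above
THRESHOLD=150
# queue_event QUEUE PREV_STATE COUNT
# Prints "<new state><TAB><event text>". An event is produced only when the
# state changes, so a queue that sits above the threshold for hours sends one
# alert, not one per 5-minute poll, and a recovery mail is sent on the way down.
queue_event() {
    queue=$1; prev=$2; count=$3; event=""
    if [ "$count" -gt "$THRESHOLD" ]; then state=alert; else state=ok; fi
    if [ "$state" != "$prev" ]; then
        if [ "$state" = alert ]; then
            event="ALERT $queue queue is $count messages (threshold $THRESHOLD)"
        else
            event="RECOVERED $queue queue is back to $count messages"
        fi
    fi
    printf '%s\t%s\n' "$state" "$event"
}
# run_polls: reads "queue count" lines (one poll each) on stdin and prints the
# events. Last-known state per queue is kept in a temporary file, as a cron job
# would keep it between runs (created with mktemp, never a fixed /tmp path).
run_polls() {
    statefile=$(mktemp)
    while read -r queue count; do
        if [ -z "$queue" ]; then continue; fi
        prev=$(sed -n "s/^$queue=//p" "$statefile")
        out=$(queue_event "$queue" "${prev:-ok}" "$count")
        state=$(printf '%s\n' "$out" | cut -f1)
        event=$(printf '%s\n' "$out" | cut -f2)
        grep -v "^$queue=" "$statefile" > "$statefile.new" || true
        echo "$queue=$state" >> "$statefile.new"
        mv "$statefile.new" "$statefile"
        if [ -n "$event" ]; then printf '%s\n' "$event"; fi
    done
    rm -f "$statefile"
}
# Constructed sample polls (not real gateway data): outbound climbs past 150,
# stays there for one more poll, then drains.
SAMPLE_POLLS='inbound 12
outbound 90
inbound 15
outbound 210
inbound 11
outbound 340
inbound 9
outbound 40'
printf '%s\n' "$SAMPLE_POLLS" | run_polls
```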

Update DMZ servers using WSUS

If you have a server in the DMZ that requires Windows Updates but does not have Internet connectivity, it's actually quite easy to configure it to receive automatic updates from a WSUS server on your network.

1. Firewall config: Open tcp/80 (or tcp/443 if you have configured SSL) on the firewall between your DMZ server and your WSUS server.

2. On your DMZ server open gpedit.msc. Go into Computer Configuration - Administrative Templates - Windows Components - Windows Update.

[Image: Configure Windows Update using gpedit.msc]

3. Enable "Configure automatic updates" and configure the schedule of your choice.

4. Enable "Intranet Microsoft Update Service Location". Specify your WSUS server in both fields using the http://server format.

5. Enable "Client-side targeting" and enter the name of your Target Group into the box.

That's it - the updates will now flow in.

Configure automatic login on OCS 2007


Here's the scenario: You have a single OCS 2007 standard edition server on your network. Your Active Directory uses a DNS suffix that is not available externally, for example ocs.internal.ad. You are using a certificate issued by your domain CA on your OCS server (this is recommended) and automatic logon works fine while your clients are on the internal network.

You have also deployed an OCS 2007 Edge Access Server. The server's name in external DNS is sip.yourdomain.com.

The goal is to enable clients to log in automatically. This is a nice-to-have, and I think even nicer when they can log in automatically both from within the corporate LAN and from outside your network.

The problem
If you change your users' OCS sign-in names to their email addresses (e.g. user@yourdomain.com), automatic logon works fine on the outside but not from the inside (providing your Edge Access server and supporting DNS records are set up correctly). Meanwhile, from outside your network, if your users have sign-in names using your internal AD namespace (e.g. user@internal.ad), automatic logon fails. This is because the internal.ad DNS suffix does not exist on the outside, so your OCS client cannot find an SRV record in DNS to locate the OCS server.

The solution!
There are several components that need to be in place for this to work.

1. DNS Configuration
For this to work you are required to set up a copy of your external DNS as a primary zone in your Active Directory DNS. Then in your internal DNS configure an A Record for sip.yourdomain.com pointing to the IP address of your internal OCS server. In addition, set up some SRV records:

_sipinternal._tcp.yourdomain.com -- sip.yourdomain.com (0 0 5061)
_sipinternaltls._tcp.yourdomain.com -- sip.yourdomain.com (0 0 5061)

2. Certificate configuration
For authenticating external clients, you will need an SSL certificate on your Edge Access server. Choosing the right sort of certificate is vital for the Edge Access role. You have to select one from this list for federation and public IM connectivity to work properly. Other certificates may work, but have not been approved for use with OCS 2007 by Microsoft.

For authenticating internal clients, Microsoft recommend you use a certificate from the CA on your domain. From your standard edition server, run setup on the OCS CD and go through the certificate wizard. When configuring the certificate, specify ocs.internal.ad (insert your internal server name here) as the primary name of your server and sip.yourdomain.com (your external namespace) as the alternative name on the certificate.

3. Sign-In names
The last thing is to configure sign-in names; these will need to be changed to use your external DNS suffix, i.e. user@yourdomain.com. One word of warning on this: if you change sign-in names while the users are logged on, they will be kicked off the system and receive an error about invalid credentials. Instead, make the changes while the users are logged off and they will then be picked up automatically the next time the computers are booted up on the network.

After making this change users should then be able to log in automatically from both the corporate network and the Internet.

This is one area IMHO where the OCS 2007 documentation does not go into enough detail.
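An added shell check (not from the post) for the DNS and certificate steps above: it confirms that the internal zone answers the two SRV records with the expected target and port, and that the server certificate carries both the internal name and the external name in its Subject Alternative Name. The hostnames are the post's placeholders (yourdomain.com, sip.yourdomain.com, ocs.internal.ad); the test input is constructed dig and openssl output.

```shell
#!/bin/sh
# Hostnames as used in the post; substitute your own.
DOMAIN=yourdomain.com
SIP_HOST=sip.$DOMAIN
INTERNAL_HOST=ocs.internal.ad
SIP_PORT=5061
# srv_ok TARGET PORT: reads `dig +short SRV` output ("prio weight port target.")
# on stdin and succeeds if at least one record points at TARGET on PORT.
srv_ok() {
    awk -v target="$1" -v port="$2" '
        $3 == port && ($4 == target || $4 == (target ".")) { found = 1 }
        END { exit !found }'
}
# san_ok NAME...: reads `openssl x509 -noout -text` output on stdin and succeeds
# only if every NAME is listed as a DNS: entry in the Subject Alternative Name,
# i.e. the internal name and the external name are both on the certificate.
san_ok() {
    sans=$(sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' ' | tr ',' '\n')
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -qx "DNS:$name" || return 1
    done
}
# Live checks: run from an internal client so the split-DNS zone is the one answering.
check_live() {
    for rec in _sipinternal._tcp _sipinternaltls._tcp; do
        if dig +short SRV "$rec.$DOMAIN" | srv_ok "$SIP_HOST" "$SIP_PORT"; then
            echo "ok      $rec.$DOMAIN -> $SIP_HOST:$SIP_PORT"
        else
            echo "MISSING $rec.$DOMAIN -> $SIP_HOST:$SIP_PORT"
        fi
    done
    if openssl s_client -connect "$INTERNAL_HOST:$SIP_PORT" </dev/null 2>/dev/null \
        | openssl x509 -noout -text | san_ok "$INTERNAL_HOST" "$SIP_HOST"; then
        echo "ok      certificate carries $INTERNAL_HOST and $SIP_HOST"
    else
        echo "BAD     certificate is missing $INTERNAL_HOST or $SIP_HOST"
    fi
}
```

Call check_live from an internal workstation once the records and certificate are in place; a MISSING line for _sipinternaltls._tcp is the usual reason internal automatic logon fails.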

Get system stats automatically on SSH login

I noticed in recent versions of Ubuntu you get some system stats in a banner message when you connect using SSH. I thought this was pretty useful so have implemented my own version on our Red Hat servers at work.

This runs every 5 minutes as a cron job and updates the file /etc/motd (Message Of The Day), which is shown when a user logs in. Our servers already have a 5-line banner message with information including the server name and the purpose of the server, hence the first 5 lines being saved and re-added to a new /etc/motd each time.

#!/bin/bash
# Keep the first 5 lines of the existing banner. Reading them into a variable
# replaces the original's fixed /tmp/file path: a cron job running as root that
# writes to a predictable /tmp name can be pointed at any file by a local user
# who pre-creates that name as a symlink.
BANNER=$(head -n 5 /etc/motd)
printf '%s\n' "$BANNER" > /etc/motd

# Total %CPU across all processes, divided by the number of cores
CPUTIME=$(ps -eo pcpu | awk 'NR>1 {tot=tot+$1} END {print tot}')
CPUCORES=$(grep -c processor /proc/cpuinfo)

cat >> /etc/motd <<EOF
System summary (collected $(date))
 - CPU Usage (total average) = $(echo "$CPUTIME / $CPUCORES" | bc)%
 - Memory free (real) = $(free -m | head -n 2 | tail -n 1 | awk '{print $4}') Mb
 - Memory free (cache) = $(free -m | head -n 3 | tail -n 1 | awk '{print $3}') Mb
 - Swap in use = $(free -m | tail -n 1 | awk '{print $3}') Mb
EOF

Now when we log in we get a summary like this:

[Image: SSH Server Stats]

Identify computer type using VB Script

I required some VB which would run as a shutdown script and run some specific commands if the computer was not a laptop. Luckily this was simplified by the naming convention on our corporate network - all laptops have an L in the computer name. Here is one way this can be done - using a regular expression to find the number of L's in the computer name (and then take specific action if it is less than 1): 

Option Explicit
Dim objNTInfo, ComputerName, myRegExp, myMatches

' Read the local computer name
Set objNTInfo = CreateObject("WinNTSystemInfo")
ComputerName = LCase(objNTInfo.ComputerName)

' Prepare a regular expression object that matches every "l" in the name
Set myRegExp = New RegExp
myRegExp.IgnoreCase = True
myRegExp.Global = True
myRegExp.Pattern = "l"
Set myMatches = myRegExp.Execute(ComputerName)

' One or more matches means the naming convention marks this machine as a laptop
If myMatches.Count > 0 Then
    MsgBox ComputerName & " is a laptop", vbInformation, "Results ..."
Else
    MsgBox ComputerName & " is not a laptop", vbInformation, "Results ..."
End If

Meaningless errors

If you have an OCS 2007 deployment with an Edge Access server, a user attempting to log on from the outside may receive the following error: 

Cannot sign in to Communicator. You may have entered your sign-in address, user name, or password incorrectly, or the authentication service may be incompatible with this version of the program. If your sign-in information is correct and the problem persists, please contact your system administrator. 

One quick thing you can check is on the Communications tab on the user properties. Under "additional options: Configure", check that "Enable remote user access" is ticked. If this is not ticked, the user will receive the error above (instead of a USEFUL message like "This account is not enabled for remote access .... ").

Working with Logical Volumes

I'm actually coming around to Linux LVM - once you get the hang of the concepts and the associated commands it can be a straightforward exercise to extend your existing volumes after adding new physical disks. This differs from software RAID, as you have the ability to lay an LVM filesystem over a single disk and later take advantage of the LVM commands to resize your volumes if you so desire.

I recently was confronted with a VM that was out of space on /usr/local. The filesystem was already using LVM so I just added a new virtual disk and stretched the /usr/local volume over the new disk. The whole process is even easier in VMware as you can add the new disk while the machine is running and run through the whole process without a reboot, providing you don't have daemons or processes running in /usr/local that stop it from being unmounted. Here's how I did it:

init 1
umount /usr/local

Going to runlevel 1 may not always be necessary but was in my case. pvcreate enables the new physical disk for use with LVM. Then vgextend extends the volume group, and lvresize resizes the logical volume. In my case the new disk that was added became known to the system as /dev/sdc.

pvcreate /dev/sdc
vgextend VolGroup00 /dev/sdc
lvresize -L 12.7G /dev/VolGroup00/lvol0

Then use resize2fs to extend the file system into the free space. You are required to run a filesystem check first.

e2fsck -f /dev/VolGroup00/lvol0
resize2fs /dev/VolGroup00/lvol0 12700M
mount -a
init 3

In my example the previous size was 7.7 GB; I added a 5 GB disk and extended to 12.7 GB.
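An added pre-flight check for the procedure above (shell example written here, not from the post): it reads vgs output to confirm the volume group really has enough free space for the requested size before anything is resized, and prints the command sequence against one consistent /dev/VolGroup00/lvol0 path. The vgs output is constructed to match the post's numbers.

```shell
#!/bin/sh
# Names from the post; the LV path uses the VG name consistently.
VG=VolGroup00
LV=lvol0
LV_PATH=/dev/$VG/$LV
# vg_free_mib VG: reads the output of
#   vgs --noheadings --nosuffix --units m -o vg_name,vg_size,vg_free
# on stdin and prints the VG's free space in whole MiB (nothing if VG is absent).
vg_free_mib() {
    awk -v vg="$1" '$1 == vg { printf "%d\n", $3 }'
}
# fits VG CURRENT_MIB TARGET_MIB: succeeds only if growing the LV from CURRENT to
# TARGET can be satisfied from the VG's free space (vgs output on stdin).
fits() {
    free=$(vg_free_mib "$1")
    [ -n "$free" ] || return 1
    need=$(( $3 - $2 ))
    [ "$need" -gt 0 ] && [ "$need" -le "$free" ]
}
# extend_plan DISK TARGET_MIB: prints the commands in the order the post uses them.
# Run them only after `fits` has passed and the filesystem is unmounted.
extend_plan() {
    cat <<EOF
pvcreate $1
vgextend $VG $1
lvresize -L ${2}M $LV_PATH
e2fsck -f $LV_PATH
resize2fs $LV_PATH ${2}M
EOF
}
# Constructed vgs output after vgextend with a 5 GB disk (not from a real system).
SAMPLE_VGS='  VolGroup00 12816.00 5116.00'
if printf '%s\n' "$SAMPLE_VGS" | fits "$VG" 7700 12700; then
    extend_plan /dev/sdc 12700
else
    echo "not enough free space in $VG" >&2
fi
```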

6 Free ways to encode video for your N95

[Image: Nokia N95]

For basic video converting and playback on the N95 there is an application bundled with the Nokia PC Suite that can convert some video formats into the Real Player format. But, for some reason, the 'high quality' option is greyed out for me, and it also restricts you to using Real Player on your phone to watch your content, which I have to tell you sucks: if you want to rewind or fast forward then forget it, this sucker only does Play and Stop. My recommendation is to forget Real Player and use DivX Mobile Player, and encode your video in the DivX format.

So here are some free tools that can do this for you - I've only commented on the ones I've used (I stopped trying out new ones once I found one that worked for me).

Dr DivX OSS

This is an Open Source converter from DivX Labs. It works pretty well and is very easy to use. To convert a DVD for the N95, select the VOB files in the Video_TS folder on the disc, in the correct sequence and in one chunk, and add them all to your project. On the Advanced tab, click through to the Pre-Processing tab and change the aspect ratio to 4:3 and the size to 320x240. Save your encode settings so you don't have to go through this process again and hit Encode (after the analysis has finished). Then select your job and click Resume.

[Image: Dr DivX - It does the job]

Super is the one everyone seems to recommend, particularly in Nokia forums. It's probably good if you know what you're doing, but if you don't you will find the array of options confusing. Also their website is highly annoying, forcing you to click through pages of waffle to reach the download. But if you're still interested, here's a blog post about encoding video on Super for an N95.

I used to use Pocket DivX Encoder when I had an iMate Jam and it worked pretty well. Apparently you can use the default PDA settings for the N95, but when I tried this it looked like pink flickery garbage when I played it back on my phone.

I like HandBrake. It can rip directly from DVD into a format of your choice (but not DivX), unlike most of the others, which expect your input file to be an existing mpg or avi file rather than a DVD. It's also pretty easy to use. A lot of people are reporting success with HandBrake, but when I encoded a DVD to Xvid it played back fine in Media Player, while in DivX Mobile Player the video causes the application to bomb out every time. Your mileage may vary.

Bonus
I've also got a bonus 7th, cheating way: DivX Converter. This is really the best solution if you don't care to mess with any baffling settings. It just gives you 3 options (small, medium or large screen) and a "GO" button that kicks off the process. Select small and press GO; 10 minutes later it spits out the file and you can play it on your N95 using DivX Mobile Player. But here's the catch, and the reason this is a cheating method: it's only free for 15 days, after that you have to pay. So this is great as a one-time conversion utility, but not so great if this is something you will need to do from time to time.

But even if you don't use DivX Converter, I would still recommend you get DivX Mobile Player anyway. It's basically a free edition of SmartMovie with all the same options and features.

Conclusion
There are lots of converter programs to choose from, many more than I have listed here, but my recommendation goes to Dr DivX due to it working first time for me and being easy to operate without in-depth knowledge of codecs or video encoding.

One final thing to note: if you notice your audio is playing back slightly behind or ahead of your video in DivX Mobile Player, there is an option in the settings to configure the A/V sync gap in milliseconds. Making an adjustment here will allow the video to play perfectly on your N95.

Mapping printers using a login script

Here's how:

Option Explicit
Dim objNetwork, strPrintServer, UserObject, Group
Set objNetwork = WScript.CreateObject("WScript.Network")

strPrintServer = "\\Your_Print_Server"

' Bind to the logged-on user's account so its group membership can be read
Private Function GetUserObject
    On Error Resume Next
    Set GetUserObject = GetObject("WinNT://" & objNetwork.UserDomain & "/" & objNetwork.UserName)
End Function

Set UserObject = GetUserObject
' GetObject failed (e.g. domain not reachable): nothing to map, so stop quietly
If Not IsObject(UserObject) Then WScript.Quit

' Map a printer for each security group the user belongs to
For Each Group In UserObject.Groups
    Select Case Group.Name
        Case "Your_AD_Security_Group"
            objNetwork.AddWindowsPrinterConnection strPrintServer & "\Your_Printer_Name"
    End Select
Next

To set the default printer, add another Case to the same Select block:

    Select Case Group.Name
        Case "Your_AD_Security_Group DEFAULT"
            ' The printer must already be connected (see the loop above) before it can be made the default
            objNetwork.SetDefaultPrinter strPrintServer & "\Your_Printer_Name"
    End Select

Job done.

A quick mention for 2 useful tools

Here's just a quick mention for a couple of decent tools.

Syntax Highlighter Plus (plugin for WordPress)

IMO this is the best code highlighting plugin for WordPress. Here's a quick example:

ls -la
apt-get update
apt-get upgrade

Does exactly what it says on the tin and has a 'view source' button for you to copy and paste the plain text version of your code into Notepad or PuTTY sessions.

Second quick mention is EasyVMX.

Ever wondered how to create a new VM for VMware Player? Just visit the EasyVMX site, fill in the form and click go, and your VMX file is created. Then just give the file to VMware Player and you can boot into your new machine. Genius!