Posted on

iPhone, iPad or iPod Deleting Apps to Free Up Space

If you’re like me, you like to keep as many of your photos and videos on your devices as possible. Eventually though, you’re going to start running low on space.

iPhones, iPads and iPod Touches cannot have their storage upgraded, and they do not directly support adding flash storage of any kind. Fortunately though, there are a number of things that you can easily do to free up some space.

First of all though, let’s arm ourselves with some knowledge and check out how much storage you have, and how much you’re using.

On your device open the Settings app, select General and choose Storage & iCloud Usage from the list. Now choose Manage Storage.

At the top you’ll see your Used storage and Available storage.

Underneath you’ll see all of your installed apps and the amount of space they’re taking up. Some apps store data after you’ve installed them and could be quite large. Tap on any unused apps to delete them.

 

Note that if you have purchased apps and choose to delete them, you can download them again later for the app store and will not need to purchase them again.

After you’ve deleted apps check out the available storage space. If the available storage is still too low then I have another article that explains how to move photos and videos into iCloud.

Posted on

iPhone, iPad or iPod Running out of Storage Space and How to Fix It

If you’re like me, you like to keep as many of your photos and videos on your devices as possible. Eventually though, you’re going to start running low on space.

iPhones, iPads and iPod Touches cannot have their storage upgraded, and they do not directly support adding flash storage of any kind. Fortunately though, there are a number of things that you can easily do to free up some space.

First of all though, let’s arm ourselves with some knowledge and check out how much storage you have, and how much you’re using.

On your device open the Settings app, select General and choose Storage & iCloud Usage from the list.

 

You can see here how much storage has been Used and how much is still Available. If the available storage is low then the rest of this article will help you deal with that. Even if you have a lot of storage remaining you may wish to follow along anyway.

While on this screen take note of your current iCloud Total Storage and also the remaining Available iCloud storage.

When you first time up for an Apple ID you’re given 5GB of storage so you should have at least that amount. I would highly recommend upgrading to at least 50GB as the cost is very minimal (less than US$1 per month) and certainly provides many benefits.

First Step – Remove any Unwanted Apps

You might have apps that are consuming a lot of space. If you no longer use or need any of these apps this is probably the simplest thing that you can do to free up some space.

I have an article iPhone, iPad or iPod Deleting Apps to Free Up Space on how to do this. If you don’t have any apps to remove, or it doesn’t free up enough space, then come back here and continue.

Our Strategy – Storing photos and videos in iCloud

iCloud is Apple’s online “cloud” platform that provides many services that we won’t go into here. For our purposes though, your iCloud storage space can be used to store data from your device.

This is a very straightforward and automatic process if you let your device handle it automatically.

When you take photos and record videos these are generally in a very high quality resolution that takes up a lot of space. If you’re looking at these photos or videos on your iPhone, iPad or iPod touch then the size of the files is really unnecessarily large. I would never suggest for a moment that you should permanently reduce the size of the files because it’s very possible that later on you’ll want them in their full high quality. Instead, your device can be set up to keep the full high quality copy in iCloud, with a much smaller version on your device. This is all looked after for you automatically.

To turn on the option follow these steps:

On the device open up Settings, tap on your name at the top of the screen, choose iCloud and then Photos.

Turn on iCloud Photo Library, and select Optimize iPhone Storage.

Over time, your device will now move full quality photos and video into iCloud, and will keep smaller versions in your device storage for as long as you have enough storage space in iCloud to accommodate them.

Tip: if your other Apple devices also have iCloud Photo Library enabled, then your devices will share photos and videos which is very cool, and probably something you want to do. if you have other family members sharing the same Apple ID (which you really should not do) you might want to re-consider this decision though 🙂

 

Posted on

Cisco Troubleshooting ADSL/DSL/VDSL issues

There’s a few basic troubleshooting steps that should be followed if there’s an issue with a DSL connection. Broadly speaking, there’s three networking layer levels that may require troubleshooting. Depending on the type of issue, troubleshooting might begin at a layer 1, or at layer 2.

Layer 1 – at the lowest level troubleshooting involves  checking the physical connectivity to the Digital Subscriber Line Access Multiplexer (DSLAM) at the ISP.

Layer 2 – troubleshooting involves looking at ATM connectivity and the PPPoA or PPPoE protocol

Layer 3 – troubleshooting IP connectivity

Where to Begin Troubleshooting?

I would recommend starting with the simple show ip interface brief command – the output of which might look a bit different depending on your device and configuration.

In my case here the ADSL connection happens to be configured on Dialer0 and the status and Protocol are up/up so it would make sense to assume Layer 1 is okay and that troubleshooting can start at layer 2.

If you have a different configuration you could be looking for interfaces ATM0 and ATM0.1 for example.

router#sh ip interface brief
Interface         IP-Address  OK?  Method  Status  Protocol
Ethernet0         10.1.1.1    YES  NVRAM   up      up
Dialer0           123.1.1.7   YES  IPCP    up      up

If your DSL interface is not up/up or if they seem to be alternating between up and down then begin troubleshooting at layer 1.

Layer 1 Testing

Some things to try…

  • Is the carrier detect (CD) light on the front panel of the router on or off? If it is on then this indicates layer 1 is okay and you can probably start troubleshooting at layer 2
  • If the CD light is off, check out the physical cabling to ensure that the DSL interface is connected.
  • If the CD light is off and the cabling seems correct try checking to see if the interface is administratively down by issuing a no shutdown command in the DSL interface configuration.
  • Starting to get more desperate? On the DSL interface try dsl operating-mode auto
  • At this stage there is probably some physical issue with cabling, the provisioning of the DSL service, or the hardware – and troubleshooting this might be up to a cabling expert or the ISP.

Layer 2 Testing

One thing to check is that you have the correct PVC values for VPI and VCI for your ISP. This is rarely a problem these days but is here for completeness.

First, let’s check to see if PPP is trying to negotiate with your ISP. We’ll check the input and output packets to see if the values are changing. In the sample command below I’m filtering the output (which is a page or more long) to just show lines that contain the string “packets”.

Wait a few moments and run the command again and see if the input and output packets change.

router#sh int dialer0 | i packets
  5 minute input rate 8959000 bits/sec, 924 packets/sec
  5 minute output rate 568000 bits/sec, 640 packets/sec
    711015331 packets input, 2847957132 bytes
    459512972 packets output, 2531036441 bytes
  • If input packets are NOT incrementing then you are not receiving PPPoE negotiation packets from your ISP, so probably give them a call before continuing with any further steps.
  • If output packets are not incrementing then check your PPP configuration. Even if your ISP is broken you should ordinarily still be sending outbound packets trying to negotiate.

Is the PPPoE session up?

PPPoE is a two-phase process – PPPoE established first, and then PPP second.

Some useful commands to debug PPPoE

  • show vpdn
  • debug vpdn pppoe-events

Some useful commands to debug PPP

  • show ppp all
  • debug ppp negotiation

Layer 3 Testing

You might actually have layer 3 connectivity, but some ping packets are lost. To check the speed in kbps that your are syncing with the DSLAM at try the following command – the output is snipped to show the relevant part.

Depending on your router, or type of HWIC/EHWIC installed you might need to enter show controllers vdsl 0 command. In my example below I’m synced at 21406 kilobit/s down and 1074 kilobit/s up.

router#show dsl int atm0/0/0
              DS Channel1   DS Channel0   US Channel1   US Channel0
Speed (kbps):          0         21406             0          1074

If some sites (particularly web sites) work well and others do not, the MTU size or MSS-Adjust might need changing. Generally MTU of 1492 or MSS adjustment of 1360 would be fine.

 

Posted on

A Sample Best Man’s Speech

Hello everyone! Can you all hear me okay at the back? … well in that case can someone please get me a beer!?

Ladies and gentlemen, I am the best man so in time-honoured tradition, I will now do my best to give [groom] the most uncomfortable five minutes of his life. For the record, the most uncomfortable five minutes of [bride]‘s life will be later on this evening, courtesy of [groom]

I must say I was a little worried in making this speech today, until I saw all your faces and realised that you’re all just like me, Drunk.

You may all have realised by now that the seating arrangement was actually decided after the wedding gifts were received … so can I say thank you on behalf of [groom] and [bride] to all of you at the back for the LIGHBULBS and the EGG CUPS (you at the back … where’s my beer!). Though I don’t know how I got up the front here, I gave them a BIN!

Every now and again we have the opportunity to talk about a man of the highest integrity and honour – a man of achievement and action, with penetrating intellect and devastatingly great looks. A man obviously destined for better things … Not today though, because this speech is about [groom].

Part of the job of best man is to talk to people, and so I did. I was walking around here before and chatting to various people. Some of them I knew and some of them I didn’t know, and I learnt some funny things.

I was talking to [groom]‘s mum, and she said that looking at him now you may not believe this, but [groom] was not a pretty baby … In fact, he was the only baby in [city] to have shutters on his pram! You know, his mum didn’t get morning sickness until AFTER he was born!

From his [other family member]: I’ve known [groom] his whole life and in some ways he’s like a son to me. I watched him drink from a bottle, I watched him stagger around naked, I watched him crawl, I’ve dressed and undressed him, cleaned up after him … and that was only last night!

From his Workmates: They said he’s a hard worker and always adopted a professional attitude. They had nothing but praise for him. He was even compared to something of a God in the workplace! What they really meant was that he was rarely seen and if he did any work it was a miracle! I can’t believe your workmates said that about you [groom], luckily you have friends like me.

In all seriousness though [groom], you’ve been a fantastic friend to me over the years. It’s been an honour to be your best man today, and with all my heart I hope you two have a long and happy marriage!

[bride], always remind him of your wedding vows. For better or for worse. He couldn’t have done any better and you couldn’t have done any worse!

[groom], never get complacent. Look out for those tell-tale signs that there may be something wrong in your relationship … Subtle things, like the pool guy wearing your socks!

Also remember those 3 little words that are the key to a long and happy marriage … ‘You’re right love’!

I’d like to thank the bridesmaids [names] for their efforts today, and I think you’ll agree they look fantastic tonight. [groom and other groomsmen] also look okay – but they copied my outfit!

Now, as a man that will drink to absolutely anything, it gives me incredible pleasure to invite you all to be upstanding, raise your glasses and join me in a toast to [bride] and [groom], because I think they were made for each other.

May your love be modern enough to survive the times, but old fashioned enough to last forever. I’m sure you’re going to be happy together, and I speak for everybody here when I say I wish you both the very very best for your future life together. Ladies and Gentlemen, Mr and Mrs [surname][groom] and [bride]!

Posted on

Citrix Technologies in the Enterprise

Some history of Citrix

[This is the accompanying tutorial document from a session I ran at the SAGE-AU conference in Hobart, Tasmania on August 5, 2003]

Citrix Systems was founded by Edward Lacobucci in 1989. With US$3M in capital, only 18 employees and a license to modify the OS/2 source from Microsoft, Citrix produced a multi-user version of OS/2 called Winview which shipped 2 years later.

By 1995 Citrix had also licensed the NT 3.51 source from Microsoft and produced WinFrame. The key developments that secured Citrix’s future were “MultiWin”, the core enabling sharing of system resources to multiple Operating System sessions, and the Citrix ICA protocol which encapsulated the session data (screen updates, mouse clicks etc).

Within a few years Microsoft licensed MultiWin from Citrix and produced Windows NT: Terminal Server Edition (actually, they called it a joint marketing/developing agreement and have since renewed the agreement). The agreement effectively gave Microsoft the ability to include MultiWin as part of the Windows operating system in the form of Windows Terminal Services. Advanced functionality (and the ICA protocol) was retained by Citrix and is currently sold as an “add on” to Windows server OS’s called Metaframe.

In recent years Citrix has value-added its product line by bundling in various other applications and services such as the Citrix Secure Gateway and NFuse, securing its position as leader in application delivery to potentially any client device, over any network.

An introduction to thin client technologies (why bother? What are the benefits over the traditional desktop scenario?)

Application deployment

  • Centralize application infrastructure. Improve manageability. Pool resources.
  • Simplify code/version control and upgrades. Maintain multiple versions. Licensing conformance (metering).
  • Leverage and extend existing applications and infrastructure. Instantly web-enable legacy applications. Current web front-ends are often not full-featured.
  • Enhance application performance and reliability – consistent application behavior regardless of location and client device. Allows a varied client base to access a familiar desktop environment. Reduce bandwidth costs.
  • Lower operating costs. Eliminates the need for frequent client desktop upgrades.
  • Enhance service levels. Consistent performance for web applications. Load balancing.
  • Increase productivity. Increases the reach of organizational information via multiple mediums.
  • Enhance security. Provides a secure environment for delivery of applications via the Web. VPN-like capabilities allow zero-footprint client access to applications from anywhere.

Business Continuity

  • The Citrix Solution for Business Continuity delivers applications and information via the Internet to users regardless of location, device or connection in the event of a planned or unplanned business interruption.
  • A high availability infrastructure
  • Customers, partners and employees quickly return to productivity
  • Rapid and secure access to applications and information over the Web
  • Organization’s business continuity objectives are met and business runs unabated
  • Preservation of employees’ sense of corporate community
  • Organizations have traditionally not had a timely and efficient means of providing application access as part of their business continuity solution. Citrix products can be a vital piece of an organization’s business continuity solution – providing uninterrupted, virtual access to all critical applications and information – during both periods of planned or unplanned systems downtime.

Remote Office Connectivity & Workforce Mobility

  • Quicker Office Integration
  • Faster Services Rollout
  • Improved Security of Corporate Information
  • Efficient Bandwidth Usage
  • Improved Application Performance
  • Improved Productivity
  • Real-Time Data Access

Architecture of the Citrix solution and why Terminal Services can’t scale

Standalone Server

Servers can be configured standalone for small environments or pilot implementations. If Metaframe is used on a single server install, it is usually because ICA is required.

Server Farm

Multiple servers can be grouped into geographically local or distributed Metaframe server “farms”. Farms allow for load balancing and redundancy of ICA connections. Terminal Services can’t load balance intelligently, and would require layer4 intervention or primitive round robin tricks to do this.

Published Content

Resources are usually accessed through the “publishing” process. Full desktops can be published or just specific applications. When a user accesses an application (as opposed to a full desktop) it appears to run as a local Windows application with (potentially) access to most desktop resources such as printers, server shares, modems etc. The subset of all the applications that a user can access in a server farm is called an “application set”. Terminal Services allows access to full desktops only, and allows only the most basic of access to workstation resources depending on the version.

Application Sets

Application sets can be viewed from Windows using the “Citrix Program Neighborhood” client. Published applications that can be accessed by that user are displayed and can be launched. Other platforms so not have this capability natively, and users or administrators must manually add application entries to the Citrix client software. However, the Citrix Program Neighborhood can itself be published to allow a similar experience on UNIX and Macintosh platforms. Alternatively, the Citrix Web Interface (called Citrix NFuse until recently) can be accessed from most browsers to view a specific application set. Terminal Services has no equivalent of an application set.

ICA Protocol

The transport protocol that communicates and controls data between the client and server farm. The ICA protocol itself encapsulates keystrokes, screen updates, audio, encryption, port redirection etc. RDP is the Terminal Services equivalent.

Installation Management

Metaframe includes Installation Management, which is a method of packaging up applications and deploying to multiple servers. Terminal Services does not provide this capability natively.

Resource Management

An integrated management subsystem that allows real-time reporting of utilisation and other metrics. Also supports NMS/MOM extensions, and event notification

Central Configuration

Metaframe XP stores farm configuration in a database. This can be a locally stored MS Access database on the first server in the farm, or it can be an existing MS SQL or Oracle database. This in itself introduces an additional administrative concern (backup the data store), but the advantages outweigh the drawbacks. Terminal Services does not require a data store because it does not have a centralised data repository (although Terminal Services does have a licensing service that operates centrally).

Shadowing

Session shadowing is an important support function from a client services support point of view. Depending on specific configuration, a user’s Desktop session can be “shadowed” by support personnel and any problems resolved interactively. This is effectively the equivalent of the old desktop remote control model (e.g. PC-Anywhere). RDP can now shadow.

  • Metaframe now supports extremely high resolutions and true colour, as well as serial/parallel/clipboard/drive/audio remapping. USB printers and disks can be redirected also. The time zone in the session represents local time on the client. RDP 5.2 found in Windows 2003 also supports these features.
  • According to Microsoft’s long-term strategy, Terminal Services is not a key application delivery mechanism.

The major Citrix technologies (Metaframe, NFuse, Citrix Secure Gateway etc) and the how/when/where/why?

Metaframe XP Presentation Server

The Metaframe XP Presentation Server is Citrix’s flagship product. Often referred to as simply “Metaframe XP” it provides network and Internet users with access to applications and information using a Citrix ICA client.

Metaframe XP is currently at Feature Release 3. FR’s are released periodically to customers on a maintenance agreement (1 year maintenance included with the initial purchase). FR’s contain new features to current tools and often includes completely new functionality and add-ons.

Metaframe XP is sold in 3 flavours.

Metaframe XPs (XP standard) – The basic, minimal environment. Includes NFuse.

Metaframe XPa (XP advanced) – Essentially the same as XPs but includes Load Balancing capabilities.

Metaframe XPe (XP enterprise) – The same features as XPa but includes Installation Management, Resource Management and some other enterprise management features.

Metaframe Presentation Server for UNIX

Allows remote access to Solaris, HP-UX and AIX systems. Often used in very low bandwidth environments where X11 has previously proven to be unacceptable.

Citrix Web Interface (was called NFuse and then NFuse Classic)

NFuse is effectively a web-based equivalent of the Windows “Program Neighborhood” ICA client. It prompts the user for logon credentials then displays an application set (list of applications they can launch) from a particular Metaframe farm. NFuse can be viewed from any modern web browser and runs under a number of web servers on Windows and various UNIX platforms.

NFuse can be configured to launch applications using the local ICA client, or it can embed the application in the browser window using An Internet Explorer control or Netscape plug-in. Alternatively, the zero-footprint java client can be used instead or as a backup to the other methods.

NFuse supports SSL encryption on the client end via the web server, and the server end via SSL relay. Like most Citrix products, smart card authentication and ticketing is supported.

NFuse can also be installed with Enterprise functionality to allow access to multiple server farms. The NFuse core is composed of java servlets, but nearly all functionality can be modified by editing the front-end web pages, composed of CGI and ASP pages depending on the platform.

Citrix Secure Gateway

The Secure Gateway is a solution that leverages NFuse for secure application delivery to untrusted networks. The Secure Ticket Authority and Secure Gateway Service provide a ticketing mechanism to authenticate users, and then relay SSL encrypted data from the DMZ to/from the Metaframe farm and the client without ever revealing the addresses of the internal Metaframe servers.

Secure Gateway is particularly useful when you consider that there are no additional licensing fees on top of the Metaframe investment, and that for many organisations it removes the need for a separate VPN product. The java client can be utilised to provide zero-footprint access to Metaframe applications and data over the Internet.

The Secure Gateway can run on Windows or Solaris.

Secure Access Manager (was called NFuse Elite)

NFuse Elite was originally positioned as a stand-alone web portal for enterprise customers. It did not require Metaframe to run.

The Secure Access Manager is built on top of the original NFuse Elite product, but is now positioned as a combination of web portal and application access point.

Password Manager

Password Manager is a new application that allows single sign-on to password-protected applications delivered via Metaframe and the Secure Access Manager.

Metaframe Conferencing Manager

New product. Allows users to conference ICA sessions. Share existing applications real-time. Conference features such as white boarding, private messaging. Granular conference control (who can do what). Exchange & Outlook integration. A published management app controls sessions.

How to manage the solution

Configuring the environment

Most Citrix products ship with individual management tools. In the case of Metaframe XP, all of the common management tools have been integrated into the Citrix Management Console which is a java application and can be run locally on the server or installed or published for remote use. Once the console is started you are prompted to authenticate into a particular server farm, at which point the entire farm (or individual servers) can be managed according to the administrator’s permissions.

Monitoring and performance management

Metaframe XPe includes Resource Management features that make it easy to monitor server performance and perform alerting functions. E.g. Send an e-mail to a number of administrators when CPU utilisation exceeds 90% for more than 15 minutes. Statistical information on configured metrics is also retained for long-term management.

XPe also includes Network Manager, allowing SNMP management from popular NMS’s.

All versions of Metaframe XP also add performance management counters to the Operating System, meaning that the standard windows perfmon or external SNMP-capable management utilities can be used to monitor various system counters.

Business continuity

Generally, Metaframe can be backed up just like a regular Windows or UNIX system. Because these environments tend to not have user data installed on them, many implementations require only periodic snapshots to capture configuration changes. Many implementations do not require backups at all, which is explained in a case study later.

Scaling

As mentioned previously Terminal Services does not scale out well. Similar limitations apply to Metaframe XPs due to its lack of load balancing.

Metaframe XPa and XPe both contain load balancing. Scaling the solution up can be as simple as adding another server to the farm and allowing Installation Management to copy the applications onto the system. The number of connections to each machine over time will then balance out, reducing the load on any one machine and increasing redundancy.

Integration with existing environments

Because Metaframe XP value-adds an existing Windows environment, it becomes easy to integrate solutions into an existing environment. Existing Active Directory Group Policy Objects (GPO’s) apply, but in almost all cases changes will need to be made to lock down the environment as much as possible. There are some challenges and decisions to be made regarding user profiles.

Installation Management

Installation Management is included with Metaframe XPe. It allows the packaging and distribution of applications to a number of servers without intervention. It provides for a consistent experience across servers in the farm and contributes towards an effective disaster recovery strategy. IM supports its own packaging format as well as standard MSI packages familiar to existing Windows 200x administrators.

Metaframe XP Licensing

Citrix licensing can be a complex issue, and tends to vary with different product releases. Additionally, it is necessary to consider Microsoft Terminal Server licensing and application software licensing as part of the solution.

Terminal Services Licensing

Because Metaframe is installed on top of Windows 2000 Server or Windows 2003 Server (or variants thereof) it is necessary to license:

  • The server software (e.g., Windows 2000 or Windows 2003)
  • Windows Server connection CAL’s (depending on the licensing model onsite)
  • Terminal Server CAL’s (only if the client OS is not Windows 2000 Pro or Windows XP Pro)

Citrix Licensing

Licensing Metaframe itself is now drastically simpler than it used to be. Generally, a starter pack is bought, with add-on licenses purchased to increase the connection limit. Starter pack licenses usually cost exactly the same as add-on licenses per unit. Under most licensing schemes licenses cost the same each no matter what volume is purchased (i.e. no financial penalties for buying five 10-user add-on packs over a period of time rather than a 50-user pack upfront).

Metaframe is also licensed per concurrent user to the farm. This means that if you have 20 Citrix connection licenses, you can have a maximum of 20 users connected to the farm at any one time. You can legally have the Citrix ICA Client software on as many workstations as you like. Additionally, the 20 connected users may be accessing resources from any number of servers in the farm whilst only consuming a single license.

Obviously Metaframe XPs, XPa and XPe vary in price due to product capabilities. Upgrade paths also exist between versions and from older versions of Metaframe. Citrix licensing also operates on a points system, the higher the purchase and hence the higher the number of points awarded, the higher the discount margin is.

Note also that there are no longer any Metaframe “server” licenses, only connection licenses. This means that there are no penalties for scaling out to a larger number of less powerful servers, and also that a 5 user starter pack can be purchased relatively cheaply for pilot testing without a lot of risk involved.

Metaframe XP can also be upgraded from one variant to the next without reinstallation (e.g. XPs to XPa).

Application software licensing

Obviously, the whole point of having a Metaframe environment is to access applications! Application licensing really does depend on the individual vendor. As a general rule of thumb though, most vendors expect that you license software on Terminal Server and Metaframe according to concurrent users of the specific application.

One important note though: If you have a Microsoft application licensed for a specific desktop PC, then a user on that PC can access the same version of the application via Metaframe or Terminal Services without an additional license. This means that in many cases you can move software away from the local desktop without licensing hassles

Case Studies

Environment built for easy scale-out and recovery

The basic (simplified) steps involved may be similar to the following:

  • MS SQL or Oracle backend data store created, managed and backed up on existing database infrastructure
  • Metaframe XPe installed either manually or via a scripted install on the first server and documented
  • Applications installed, packaged and tested on a separate system before deployment
  • Backup the first server with something like Symantec Ghost onto a FAT32 partition at the end of the disk
  • Restore image to remaining servers in the farm

This would leave us with an environment that can be easily scaled by simply adding another server, copying the OS image to it and making some minor changes before allowing Installation Management to redeploy the software packages to the machine.

Additionally, if a server needs reinstalling due to corruption the same steps can be followed.

An existing Metaframe environment requires secure access by users who have Internet connections.

The basic design would go something like this (utilising the Citrix Secure Gateway 1.1):

  • Install the Secure Ticket Authority on the internal network and configure
  • Install the Secure Gateway service and NFuse in the DMZ and configure the java client
  • Issue an SSL certificate to secure NFuse over the web
  • Issue an SSL certificate to secure the Secure Gateway service
  • Make some minor firewall modifications to allow SSL into the DMZ etc

This solution would allow a user to connect to a specific URL (e.g. https://nfuse.myorg.com.au) to access the NFuse web interface over SSL. An application session could then be launched. If using a local Citrix client then the root certificate for the CA that issued the certificate for the Secure Gateway service must be installed. If the java client is used there is a workaround to stream the root certificate down transparently. The application session will then connect to the nominated Secure Gateway service via SSL, supply the NFuse ticket, and ultimately start receiving ICA session data over SSL.

A Metaframe environment exists, what are the best thin clients to use?

Many customers elect to use current or old PC’s as thin clients or as fat clients that access only some applications via Metaframe (perhaps just their ERP software or some application that won’t run in their native desktop OS).

A problem is apparent in environments that wish to use Metaframe exclusively to deliver a desktop environment… how to do this cost-effectively? Dedicated thin clients can be purchased that run a variety of Operating Systems. Another common solution is to utilise small form factor PC’s with only a CPU, NIC, RAM and video support (possibly with no moving parts). A small image is loaded from the network when the system starts up. This image contains a basic Linux or DOS operating system and an ICA client. This can typically be done in only a few megabytes.

Biography of Presenter:

[Bio from 2003 – I’m all grown up now]

Paul Lawrie is a Senior Systems Engineer with Data#3, one of Australia’s largest IT Solutions companies. He holds a number of industry certifications including an NT4 MCSE+I, Windows 2000 MCSE, Citrix CCEA and Cisco CCNP. His day-to-day duties involve the design and integration of Enterprise solutions into Corporate and Industrial environments, building volumes of frequent flyer points, and trying to fit all those letters onto business cards.

Paul has worked in similar roles for various other employers including Com Tech (now Dimension Data), Unisys and Dialog, and invests his spare time avoiding IT as much as possible and spending time with friends and family.

Posted on

Cisco IOS Essential Capabilities Paper

The history behind the Cisco router and how it became the industry standard

[This article was an accompanying technical document that was printed in the SAGE-AU conference journal for 2003. I delivered this paper at the SAGE-AU conference in Hobart, Tasmania on August 7, 2003.]

In modern times, only Leonard Bosack and Sandy Lerner have been commonly credited with the development of the Cisco router. Certainly, many credible sources have reported the Cisco story inaccurately.

The company that we know as Cisco today, owes its origins to work conducted at Stanford University more than twenty years ago. In the early 1980’s, the Xerox Corporation allowed Stanford, MIT and Carnegie Mellon University access to their new Ethernet technology. Ethernet was a general-purpose solution to existing connectivity problems between computing systems at the time (primarily PDP-10 and PDP-11 systems).

At Stanford, it soon became apparent that a system would be required to channel data between Ethernet segments on campus, and also to move data between local networks and the national Internet.

Bill Yeager at Stanford was assigned the task, producing a working PDP-11-based router within a year. His efforts then turned to producing a Motorola-86000-based router utilising custom circuit boards produced by Andy Bechtolsheim in the Computer Science Department (Andy later went on to found Sun Microsystems). Yeager built the software that the system ran, allowing the router to move data between networks over several protocols.

In 1985 Stanford initiated a project to network the entire campus. Leonard Bosack worked on the project, improving upon the code from the original router. Optimising the code for an IP-only network, the project team also added and refined other features. The routers (known as “blue boxes” clearly because of the colour of their chassis) were popular across the Stanford campus, as well as several other academic institutions before long.

Leonard Bosack and his wife Sandy Lerner eventually both left Stanford and founded Cisco, along with a number of other project members. In 1997, after extensive legal deliberations, Stanford licensed the use of the router software and a number of circuit board designs to Cisco in exchange for technology developed after the developers left Stanford. For the software, Cisco gave Stanford $19,300 in cash and agreed to royalties of $150,000 and product discounts. Bill Yeager (the original software developer) apportioned the royalties, giving his 80 percent share to his department.

Stanford was offered equity in Cisco, but the licensing office turned it down as a matter of policy.

Leonard Bosack and Sandy Lerner both left Cisco in 1990.

Origins of some other Cisco technologies

Throughout the mid-nineties Cisco made a number of key acquisitions. Their entry into high-end LAN switching was guaranteed a success thanks to technology developed by Crescendo Communications, in the form of the Cisco Catalyst 5000 switch. The port-dense Catalyst 1900/2820 and Catalyst 2900 series switches from Grand Junction Networks, campus ATM technology from Lightstream, Token Ring switching technology from Nashoba and Gigabit Ethernet from Granite systems all further established Cisco as a one-stop vendor for all LAN connectivity requirements.

Acquisition of Combinet and the subsequent availability of the Cisco 700 and 800 series Routers, along with the PIX from Network Translation satisfied a number of niche markets that Cisco could previously not compete in.

Cisco has since continued the acquisition trend, selecting and further developing key technologies such as content caching and wireless connectivity.

Product families and capabilities

Cisco has undergone massive diversification in its product range. As such, it is not practical –- or interesting –- to discuss each product area and platform. However, I shall follow with a summary of the major platforms most likely to be in use in day-to-day operations for sysadmins.

3.1 Routers

  • 800 series – The Cisco 800 series desktop router is designed predominantly for the home, small business or branch office customer. A number of models are available, offering various WAN interface types.
  • 1700 series – A slightly more powerful and modular desktop router of interest to SMEs (Small to Medium Enterprises) and larger branch offices. Available in various fixed configurations and can also accept WICs (WAN Interface Cards) for other network types.
  • 2500 series – Lower-end rack mountable units that are mostly end-of-life now, but are still extremely popular and abundant. 2500-series access routers (such as the AS2511) are not end-of-life. Limited by CPU and Flash/DRAM.
  • 2600 series – Basically, the replacement for the 2500. Modular design with varying CPU speeds and Flash/DRAM.
  • 3600 series – Similar generation to the 2600, but scaled higher for the Central Office. Again, it is available in varying CPU speeds and interface/DRAM configurations.
  • 7200 series – Modular router of most interest to large enterprise customers and service providers.

3.2 Switches

  • 2950 series – The 2950 series is a *relatively* low-cost access-layer switch for 10/100 nodes. Port-dense models (48+2 interfaces) are available, down to 24, 16, and 12 port models with varying uplink media support (e.g., 100FX-MTRJ, 1000TX-RJ45, and GBIC interface). The new 2955 series is specifically designed for industrial installations, or anywhere else that the environmental conditions exceed the recommendations for the traditional 2950.
  • 3550 series – The 3550’s are fixed-configuration gigabit switches intended to aggregate multiple access layer switches is larger network implementations, or perhaps form the core/backbone in smaller networks. Available primarily in different combinations of 10/100/1000TX-RJ45 and GBIC interface configurations.
  • 4000/4500 series – Modular enterprise switches (up to 7 line cards and as few as 3 at the time of writing) intended for core networking services. Can switch layer 2/3/4 up to 48 MPPS. Interfaces obviously depend on the line cards installed.
  • 6500 – Premier modular multilayer switches providing up to 576 gigabit interfaces, support for hundreds of millions of packets per second, and 10-gigabit trunks.

3.3 PIX Firewalls

  • 500 series – The 500 series includes models appropriate for home users and enterprise customers. As expected, all models include mandatory features such as stateful inspection, protocol and application data inspection, and VPN support for a large operating system client base (no, not just Windows) as well as other hardware devices (e.g., dedicated Cisco VPN devices, other PIX units and 800/1700 series routers).

Differences between the modern router IOS, switch IOS and set-based switch IOS

Obviously, some fundamental differences exist between differing Cisco devices. In many cases these changes are simply due to the differing ways that interfaces are addressed. In the case of a Catalyst switch, an interface is typically configured for layer2 operation only by default, whereas a router interface is expected to be layer 3.

However, in a number of cases the IOS (Internetworking Operating System) command set is almost entirely different. This is typically because the device was part of an acquisition of another company and the software has not been re-written to be entirely IOS-like. One good example is the Catalyst 5000/5500 which used a “set-based” command language and the 700 series router which had an entirely different interface to any other series router. The Cisco PIX currently also exhibits a few “un-IOS-like” characteristics but is generally able to be navigated using knowledge of the typical IOS.

Generally, most new generation Cisco devices (including the PIX and Catalyst switches such as the 2950 and 3550’s) are very much like the classic Cisco router IOS.

Initial configuration: Setting hostname/passwords, Interface addressing, SNMP

When a device is powered on without an existing configuration – either because it is new or because the configuration has been deleted – the device enters the Initial Configuration Mode. This is a text-mode wizard that prompts for various basic global configuration parameters and offers the opportunity to configure interfaces and enable such things as a routing protocol or SNMP.

Not appropriate for advanced implementations. May automatically configure undesirable features, but can sometimes speed up initial configuration.

Basic architecture of the modern IOS and the varying command modes

The Cisco Internetworking Operating System (IOS) operates in a number of different modes. Each mode allows configuration of a specific aspect of the device. Following is a short outline of a subset of these modes as found on many of Cisco’s platforms.

User mode

Upon initially connecting to an already configured device the user is placed into User Exec mode. User mode allows limited access to router configuration and system information. User mode must be entered before any other mode can be accessed. User mode is commonly password-protected via remote access only (with unprotected access via the console port in trusted environments).

The user mode prompt looks similar to this: Router>

Privileged mode

Privileged mode allows access to additional IOS commands. Administrative tasks such as copying configuration info in/out can be performed here.

Privileged mode can be accessed via the enable command.

Router> enable
Password: <enter password here>
Router#

Global configuration mode

Global Configuration mode is where most day-to-day work is performed. Config Mode must be entered before any function that alters the router configuration can be run. Global configuration commands are run here such as setting the router hostname, logon banners, password configuration, static routes etc.

Global Configuration Mode is entered from Privileged Mode.

Router> enable
Password: <enter password here>
Router# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip routing
Router(config)# ip route 192.168.17.0 255.255.255.0 192.168.17.254
Router(config)# end
%sys-5-CONFIG_I: Configured from console by console
Router#

Interface configuration mode

This mode is accessed from Global Configuration mode. Configuration specific to a physical or logical interface is entered in this mode, such as IP addressing. On a switch we might set speed or duplex on a VLAN, Etherchannel or Port-Channel interface. On a router we could be configuring encapsulation such as Frame Relay. On an async serial interface (e.g. AUX) on a router or terminal server we might configure serial comms info such as baud rate, stop bits etc, or PPP configuration

Router> enable
Password: <enter password here>
Router# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# int VLAN 17
Router(config-if)# ip address 192.168.17.241 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# end
%sys-5-CONFIG_I: Configured from console by console
Router#

Routing protocol configuration mode

This mode is entered to configure a routing protocol. Most modern Cisco routers and switches support one or more of: RIPv1, RIPv2, OSPF, IGRP, EIGRP, IS-IS and BGP. This example configures an OSPF routing process and assigns a routing process number of 123. Any interfaces on this router in the 192.168.17.0/24 range have their networks advertised via OSPF.

Router> enable
Password: <enter password here>
Router# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# router ospf 123
Router(config-router)# network 192.168.17.0 255.255.255.0 area 17
Router(config-router)# end
%sys-5-CONFIG_I: Configured from console by console
Router#

Routes

There are only a few common ways that routes can be added to the route table in a switch or router.

Connected Routes

When an IP address is assigned to a virtual or physical interface, a route is automatically added to access the network specified by the IP/subnet pair.

Static routes

Static routes can be added in Global Configuration mode. This can be useful on small networks that change infrequently.

Dynamically-learned routes

Routes can be learned dynamically through protocols such as RIPv2, OSPF, EIGRP, IS-IS, BGP etc. Individual protocols advertise, learn and determine destination routes according to various algorithms then insert them into the routing table.

Disaster recovery

Fortunately Cisco device configurations are encapsulated within simple configuration files that can be copied out of production hardware and backed up. Replacing a failed device can be as simple as building a basic configuration (e.g., consisting of an IP address) on the new hardware and TFTP’ing the backed-up configuration into it. Some Cisco management software also has the facility to backup and restore device configurations remotely or via a serial (console port) connection.

The IOS software image itself can also be backed up and restored in a somewhat similar manner to ensure that the recovered environment operates exactly like the original.

Redundancy

Cisco provides a number of mechanisms and technologies to assist in building redundancy into modern internetworks. For the most part, WAN redundancy is accomplished via the provisioning of additional network connections (e.g. backup ISDN, asynchronous modem dialup) and possibly standby hardware, all at an increased cost. LAN redundancy however can often be built into a network at very little additional expense (although one may argue that you are paying for redundancy anyway with increased hardware costs whether you need it or not).

Cisco also provides a number of hardware redundancy solutions:

  • Higher-end equipment can be fitted with internal redundant power supplies
  • Lower-end equipment may support an external RPS (Redundant Power Supply)
  • Redundant supervisor engines for chassis-based switches.

An in-depth discussion of WAN redundancy is beyond the scope of this introductory paper, but an overview of the major LAN redundancy protocols is in order.

STP

The Spanning-Tree Protocol (STP) is a layer 2 switching protocol that provides redundancy in network paths whilst preventing network loops. STP automatically calculates a loop-free network topology and “blocks” (disables) interfaces that connect redundant links. In the event of a topology change (adding new links or the failure of an existing link) STP recalculates the topology relatively quickly.

STP is an open protocol implemented widely. The Cisco implementation allows a separate spanning-tree topology per VLAN.

Etherchannel

Etherchannel (Fast Etherchannel or Gigabit Etherchannel) allows multiple physical links between switches to be bonded into a larger-bandwidth virtual link (Port-Channels) thereby increasing available bandwidth. Once configured on appropriate interfaces the Etherchannel technology allows channels to be added and removed dynamically with only a minor disruption to service. Therefore, if a link in the Etherchannel bundle fails, the traffic will automatically failover to the remaining channels.

HSRP

HSRP is Cisco’s proprietary method of providing first hop redundancy in campus routing, effectively allowing a set of routers to work together and provide a single virtual router interface. A mechanism exists for one of the physical routers (the “active router”) in the group to masquerade as the virtual router until such time that it becomes unavailable, at which time a standby router will assume the MAC and IP address of the virtual router and carry out the necessary operations. If the active router subsequently becomes available again it will take over the routing role.

Monitoring

Most Cisco hardware supports the industry-standard SNMP protocol for management and monitoring via a Network Management System (NMS) such as CiscoWorks or OpenView.

Below is a simple read-only SNMP configuration with a community name of “sage-au” and no access-list applied.

Router# config terminal
Router(config)# snmp-server community sage-au ro

We could enable all traps, specify the NMS address and community name thus:

Router(config)# snmp-server enable traps
Router(config)# snmp-server host 192.168.100.100 public

Further Reading

[The links to other websites have been removed, due to them mostly no longer being active]

Biography of Presenter:

[This bio is from the past. I’m all grown up now.]

Paul Lawrie is a Senior Systems Engineer with Data#3, one of Australia’s largest IT Solutions companies. He holds a number of industry certifications including an NT4 MCSE+I, Windows 2000 MCSE, Citrix CCEA and Cisco CCNP. His day-to-day duties involve the design and integration of Enterprise solutions into Corporate and Industrial environments, building volumes of frequent flyer points, and trying to fit all those letters onto business cards.

Paul has worked in similar roles for various other employers including Com Tech (now Dimension Data), Unisys and Dialog, and invests his spare time avoiding IT as much as possible and spending time with friends and family.

Posted on

Loopback Group Policy for Terminal Server Users

In Windows 2000 Microsoft enhanced the system policy concept that already existed in Windows NT and developed Group Policy. A Group Policy object is a collection of settings assigned to a particular group of computers or users. A full discussion on GPO’s is far beyond the scope of this document and I will only focus on the specifics relevant to Microsoft Terminal Services and Citrix Metaframe users.

In my implementations I always dedicate an Organization Unit (OU) in Active Directory to my Terminal Servers or Metaframe Servers. For the sake of this article I will assume the same. Further, I will assume that you want to be able to set policies on the terminal servers, and to the users to log onto them.

Now, there are two parts to any Group Policy Object (GPO), User Configuration and Computer Configuration. If you assign a GPO to an OU, then the Computer Configuration will apply to the computer accounts under the OU, and the User configuration will apply to the user accounts under the OU.

Great you say! Oops, one little problem. Normally you have a User OU (or many user OU’s) with all your user accounts under them. How should you then configure the GPO that applies to those users? Think about it. Your users will probably want to logon to normal desktop PCs as well as to Terminal Servers or Citrix servers, and you will probably want them to have different policy settings in each environment. For example, it is reasonable for somebody to be able to shut down their desktop PC during the end of the day, but think of users shutting down your Metaframe farm! Woe, unhappiness.

The solution then? Microsoft have allowed for this and introduced the concept of Loopback Processing for User GPO’s when logging onto a server that it is applied to. Put simply, you can create a normal GPO object, apply it to your Terminal Server OU, configure up the User portion of the policy and have it apply to some or all users that log onto servers in that OU. Huzzah!

The information in this article applies to

  • Citrix Metaframe Presentation Server in an Active Directory Forest
  • Windows Terminal Servers in an Active Directory Forest
  • Windows GPO’s (Group Policy Objects)

Implementation

Personally, I usually create two, one for the Computers and one for Users. I typically name these something like CitrixServers and CitrixUsers. the goal in this example will be to have all computer configuration carried out in the CitrixServers GPO and the user configuration in the CitrixUsers GPO. Furthermore, we will configure the CitrixUsers GPO so that it does not run for administrators and lock down their administrative ability.

Run up AD Users and Computers, and create two new GPOs under your Terminal Server or Citrix Server OU; one for computers and one for users. View the properties of the user GPO and DENY Domain Admins the right to apply the policy. That way, only non-admin users will have their settings altered and locked down.

Edit and configure the server GPO. Remember to only configure the Computer Configuration Component. If you like, you can disable the User Configuration part of the GPO for faster processing.

Edit and configure the user GPO with all the user settings you want to apply. Now for the magic. In the Computer Configuration part of the policy expand Administrative Templates then System. Under the Group Policy container is a setting called User Group Policy loopback processing mode. Enable it and set the Mode to either Merge or Replace. Use Merge if you are likely to have settings from other GPO’s that you will want to inherit. Normally I would use Replace.

That’s it! That one little setting in the Computer Configuration portion of the user policy is the key. Now to lock that baby down… but that is another article entirely…

 

 

 

Posted on

Starting or Opening PowerShell on Windows 10

There’s tonnes of great PowerShell resources online, and quite often they’ll give you a script or a command to run, but fail to mention how exactly you should do that!

Here’s a couple of methods.

Open PowerShell on Windows 10

On Windows 10 the easiest way to open PowerShell is to click on the start button and just being typing PowerShell.

 

 

The PowerShell window with a blue background and white text should now display. Some commands may require you to run PowerShell as an administrator.

Open PowerShell from the Command Line

If you happen to be working inside a command prompt you can achieve a similar result by just typing and entering PowerShell on the command line.

When it is run this way the default background and text colour is not the familiar blue and white because that colour scheme is set in the properties of the start menu shortcut. You can alter these properties yourself though by pressing alt+space and selecting Properties.

Just type Exit to get out of PowerShell.

Posted on

Oracle VirtualBox how to Convert a Dynamic (Thin-Provisioned) Disk to Fixed Size

Oracle’s VirtualBox software is an amazing product provided for free, that can fulfill most people’s desktop virtualisation needs. Although I work with VMware vSphere and ESXi products all the time, I still use VirtualBox almost daily to prototype or test things out.

When creating new Virtual Machines in VirtualBox a tend to create my disks as a “standard” type. In the VMware universe we call this “thin-provisioning”. The idea is that the guest operating system “thinks” you have a disk of a particular size to work with, however the actual virtual disk file size only grows as it is needed.

Recently though, I later on has a need to upload the virtual disk file to Microsoft Azure which requires that the disk be configured as a “fixed” type.

Unfortunately, you can’t just seamlessly convert between the types. There is a solution however, as Oracle does include a tool with VirtualBox that can create a new virtual disk file and copy the contents of the disk into it.

First off, shut your Virtual Machine down. View the Settings for your virtual Machine and select the virtual disk. The Location of the file will be shown on the right side. Browse to the file location in explorer.

Open another explorer window and browse to the location of your VirtualBox installation. On my Windows 10 desktop the location is C:\Program Files\Oracle\VirtualBox – also leave this explorer windows open.

Enter the following command, substituting in the proper paths.

C:\Program Files\Oracle\VirtualBox>VBoxManage.exe clonehd <path-to-source-disk> <path-to-destination-disk> –variant Fixed

TIP: Save some typing! With both Explorer windows and a command prompt open, I find it easy to drag the VBoxManage.exe file into the command window which automatically places the full file path into the prompt. I also use the same trick for the source and destination disk files which saves a little typing (obviously the destination file won’t yet exist, but you can drag the source file into the window and change the file name).

The progress is shown in the command window. I’ve noticed that it stays at 0% for a long time, seemingly until the new disk file has been created and fully allocated, and then progresses quicker once data begins copying.

I have performed a conversion from the native .VDI disk format of VirtualBox, as well as .VHD file types with the same good results. I imagine a .VMDK file type would work equally as well.

Once the new disk file is created, you’ll need to go back into your virtual machine settings and remove the original disk. Then add a new disk and choose the option to browse to an existing virtual disk file. If you’re positive it starts and works fine you can delete the old disk file.