I recommend reading through all the instructions before getting started. At the end of the first page, there are links to operating system specific instructions. Make sure you follow the correct link when you get to that point. Good luck!

MajorGeeks surefire malware removal guide

The key to achieving success with the cloud is to know which systems will work well in the cloud and which will not. Certain software, such as client/server databases applications that make use of ODBC connections, will slow to the point of being unusable in the cloud. Others, such as email and web-based ERP systems will run beautifully. Let’s examine several cloud-based systems that work well and save money.

Phone Systems

For businesses with less than 20 employees and a reliable internet connection, moving your private branch exchange (PBX) into the cloud can provide tremendous benefits and cost savings. A typical on-site PBX can range from a few thousand dollars on up to the tens of thousands. In addition, most PBX systems still use analog lines for external access, requiring several analog phone numbers or an expensive T1 circuit. Either of these options will cost from a few hundred to a few thousand dollars each month.

In contrast, cloud-based phone systems eliminate the costly capital expenditure of purchasing a PBX and the monthly recurring cost of analog lines or a T1. They work over your business’s broadband internet connection and provide many of the same features as an on-site PBX including extension transfers, auto attendant, direct inward dial numbers, voicemail, hunt groups, call-forwarding, call routing, and many others. The only up-front cost of the system is the phones, which range from $50 for a softphone to $500 for an executive Polycom or Cisco model.

There are a few downsides to cloud-based phone service. For one, if your Internet goes down, your phones are down as well. With most employees having cell phones as a backup, many business can work around this limitation. To avoid call quality problems, your broadband Internet router should be configured to give priority to voice traffic so web surfing and downloads don’t interfere with phone calls. Before making the switch to the cloud, speak with your IT service provider to determine if your Internet connection can handle the volume of call traffic. For businesses with less than 5 extensions, any DSL or cable should do. Once you get above that number, you’ll need to make sure you do your homework.

Even very small businesses can present a professional appearance over the phone and save hundreds or thousands of dollars a month by having their phone system to the cloud. Some vendors include:

• Fonality – http://fonality.com (our vendor)
• My1Voice – http://www.my1voice.com/
• Vocalocity – http://www.vocalocity.com/

Business Software

Over the past few years, the number of cloud offerings in the software as a service (SaaS) model has grown at a staggering rate. With the growth of early entrants such as salesforce.com, the market has exploded with new offerings. 37signals.com has a suite of business productivity apps that help small businesses and departments manage their customers and internal business processes. Google Docs offers a free Office suite that is often a viable substitute for Microsoft Office.

When considering moving to the cloud for business software, the key issues to consider are intellectual property and information portability.

First, intellectual property protection should be considered any time you are shopping for a cloud vendor. If you’re going to place your company’s IP crown jewels on a third party system, make sure they have the reputation and the ability to protect your data. If the company you are considering is local, ask for a tour of their data center. Ask if they are regularly audited and certified by an impartial expert. Find out what physical and logical separation exists between your data and the rest of their equipment and the Internet.

Secondly, make sure that information placed in a data center can be retrieved in the event of disaster, bankruptcy, or a breakdown in the relationship. Sometimes migrating your data into a SaaS system is a one way operation. It may not be easily retrievable. If things turn south, you may find yourself printing out hundreds of pages of data that need to be manually re-entered into another system. Worse, you may not be able to get to your data at all. Make sure you can get regular exports of your data and store them on a local system or encrypted portable hard drive.

Email

In the current state of affairs, email is the number one system to migrate to the cloud. Given the nature of email, (low bandwidth, not real-time, asynchronous) the requirements, (always on, business critical), and the nature of email administration (time consuming, high-skill) it makes perfect sense to move it out of your office and into the cloud.

There are currently two choices for cloud-based email, Google Apps and Hosted Exchange. POP3 is not cloud email since there is no ability to synchronize email between devices. IMAP email can provide some cloud-like functionality, but I do not recommend it because IMAP technology is not well defined or developed.

There are many providers of Hosted Exchange email, which is a Microsoft technology. Google is the only provider of Google Apps. You can get more information and read more about the pros and cons of each in my post Google Apps vs. Hosted Exchange.

When choosing a cloud email solution, you will want to consider how well it will support your mobile users. iPhone and Android users are able to receive near real-time email alerts on Google Apps and Hosted Exchange. Blackberry users will require an additional license or Blackberry Enterprise Server to achieve the same functionality.

Final Thoughts

The cost savings to be realized by migrating to the cloud are achieved by a reduced need for both infrastructure and labor. When doing net present value calculations, you should view it as not just one less server to purchase, but one less system to support. Any cloud system worth its salt will be nearly maintenance-free from an IT perspective. All patches and upgrades should flow transparently from the cloud vendor.

Which brings me to the downside of being in the cloud. There is a complete lack of control and often poor communication when things go wrong. System downtime may be unpredictable and it’s frustrating to have no ability to commit resources to getting things back online. Will the system be down for 10 minutes or 10 hours? The good news is cloud vendors know their reputation hangs in the balance when it comes to downtime and most companies do everything possible to avoid it.

There is no doubt that the cloud is the wave of the future. In the 1990′s, Sun Microsystems said “The Network is the Computer.” Twenty years later, that vision is finally becoming reality. With the recent developments in Google’s ChromeOS, the embrace of the cloud by Microsoft, and the move to high-speed 4G wireless networks, the vision of the always-on network is about to become a reality.

Two email systems that are making waves in the cloud are Google Apps and Hosted Exchange. Like any good competitors, both systems have their merits and both should be considered when evaluating cloud strategies for email.

* Best price we’ve found from Sherweb. Other providers may charge more or less

Hosted Exchange is currently more expensive than Google Apps. This is the premium you pay for full integration with Outlook. I’ve been a Gmail user for years and I prefer the Gmail web interface to Outlook. If your users are already familiar with Gmail and willing to give up Outlook, Google Apps is very attractive. If Outlook integration is required, Google provides an Outlook plugin that makes Google Apps act like Exchange, but it has some limitations:

• Google uses labels, which get correspond to folders in Outlook. Unfortunately labels and folders don’t always play well together. In Google, you can have multiple labels attached to a single email. An email can’t live in multiple folders in Outlook.
• The Google Outlook plugin works fairly well, but it provides very little information as to what is happening. This can be frustrating if something goes wrong and you’re trying to debug it.
• Not all Outlook features work through the plugin. For instance, away messages and email delegation cannot be configured through Outlook with the plugin. The user must go to the Gmail interface to configure these settings.

These limitations are usually not show stoppers, but it’s good to be aware of them before undertaking a migration to Google Apps.

If you choose Hosted Exchange, it’s critical that you choose your hosting company wisely. Exchange hosting has low barriers to entry and a company can be setup with minimal capital investment in a relatively short period of time. Consequently, some companies are not on the best financial footing and if you choose poorly, you my find your host closed and your email inaccessible. Do your homework when choosing a hosting provider.

Google Apps has the Google brand and company reputation behind it. With over three million businesses already on Google Apps, you can be confident it will be around for the foreseeable future.

Finally, before transitioning email to the cloud, make sure your existing systems will integrate with a hosted solution. Integrating a cloud solution with your Active Directory environment is critical to a successful transition. Without proper integration, users will have password synchronization issues, resulting in headaches for users and extra work for sysadmins. Both Google Apps and Hosted Exchange provide tools for synchronizing with Active Directory. Make sure you test this functionality before deployment.

Integration requirements with other Microsoft products may eliminate Google Apps as an option. Companies heavily invested in SharePoint or MS Project may find that Google Apps does not work with the email functionality of these products. For companies with very basic SharePoint setups, Google Sites (included with Google Apps) may be a valid substitute. A company called LTech has a piece of software that migrates from SharePoint to Google Sites called CloudMove. We have not tried it, but it may be worth looking at.

Email migration to the cloud is here and widespread adoption is already happening. Cost savings realized from infrastructure and labor reductions are compelling and IT managers will be hard pressed in the coming years to justify maintaining email systems in-house. For more information or help in your email to cloud migration strategy, contact us today.

Recently, I was perusing the web in search of a good vSphere client replacement or solution for Linux or Mac OS X. I had come across many articles praising Kodiak, yet could not find myself an invite key anywhere. Kodiak uses Adobe AIR  to create a cross-platform comparable version of the VMware vSphere client. It seemed as though everyone had stopped talking about it as of late.

Not giving up, I emailed the head of BlueBear LLC, Matt Miller, in search of these elusive invites. Being the generous guy that he is, he gave me a bunch of invites to pass around to all who wish to have it.

## Update ##

It seems as though beta keys are no longer needed to access their application. Check it out here

Open "Group Poloicy Management Console" in Administrative Tools
Create and link a GPO titled "User Profile Permissions for Administrators"
Open computer config>Admin Templates>System>User Profiles
Set the "Add administrators security group to roaming user profiles" to enabled

This will take effect on all accounts created after the GPO is in place. But what about existing accounts? This GPO will have no effect on them. The traditional solution has been to take ownership of the profile through advanced security settings. This has the unfortunate side effect of making the profile temporarily unreadable by the user. In addition, the administrator also has to correctly reset permissions and ownership on the profile when maintenance operations are completed.

Wouldn’t it be great if there was a way to grant administrators access to the profile without these nasty side effects? Thanks to Microsoft’s Sysinternals tools, there is.

First, download psexec. Next, use psexec to open a command prompt as the SYSTEM account. This is important, because by default, only the SYSTEM account and associated user account have access to the profile.

psexec.exe -i -s cmd.exe

The -i flag tells psexec to run the command interactively and the -s tells it to run as the SYSTEM user. In the newly popped command window,  cd to one level above the folder you wish to add permissions to. The command to modify permissions in Windows 2008 is Icacls. If your profiles are stored in D:\profiles, you would run the command like this:

d:\
cd \Profiles
Icacls * /grant "DOMAIN\Administrators":(oi)(ci)(f)

Viola, Administrators now have access to the profile folders while retaining all other permissions and ownership. As always, be extremely careful when running these commands. One typo, or misapplication could cause serious damage to your system.

Error 28000: Before installing the Cisco Systems VPN Client 5.0.01.0530. you must uninstall the previous version of Cisco Systems VPN Client, using the Add/Remove Program Files option in the Control Panel.  Then restart your system.

After extensive searching, we came across this article which sheds some light on the subject.

Basically you need to create a .ini file which has the same name as the installer, in this case vpnclient_setup.ini . Copy and paste the following text into the document, and make sure that your installer, product name  and  versions match up with values below. If they do not, change them as you see fit.

After that has been completed, then run the installer with the /quiet flag from the command line (Example: `c:\vpnclient_setup.msi /quiet` ). There will be no feedback, and the computer will restart automatically.

[WiseInstaller]
Runtime9XVersion=2.0.2600.2
RuntimeNTVersion=2.0.2600.2
ProductFile=vpnclient_setup.msi
ProductCode={14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}
ProductVersion=5.0.1
ProductName=Cisco Systems VPN Client 5.0.01.0600
Remove Previous=1
AdminError=You must have administrator rights to run this installation. Please login as an administrator and re-run this installation.
ExistError=%s Version %s is already installed. You must uninstall the existing version before installing %s Version %s. Do you want to uninstall the existing version of %s?
SpaceError=Could not create temporary file, not enough free temporary disk space. Please free up disk space and rerun this installation.
WiseInitPrefix=Initializing
WiseInitSuffix=Wizard…
WiseInitLangPrompt=
WiseInitLangDefault=English,1033
Runtime9X=instmsi.exe
RuntimeSize9X=1708856
RuntimeNT=instmsiw.exe
RuntimeSizeNT=1822520
DelayReboot=1

Original Article:

http://social.technet.microsoft.com/Forums/en-US/itprovistaapps/thread/f8e50899-4598-4f31-9802-15e46c7e827e

1. pstools from Microsoft – psexec is what we’ll be using
2. Windows 2003 Resource Kit Tools – we’ll be using robocopy
3. CleanWipe from Symantec – you’ll need to call Symantec support for this one

There may be other ways of getting CleanWipe, but I wouldn’t know about them.

Once you’ve got these tools, extract CleanWipe to a folder, say c:\utilities\cleanwipe. Create a file in that folder called remote_uninstall_sep.cmd and paste the following script into it:

@echo off
if “%1″ == “” goto error

“c:\Program Files\Windows Resource Kits\Tools\robocopy.exe” . \\%1\c$\temp\cleanwipe
psexec \\%1 -w c:\temp\cleanwipe cmd.exe /c runcleanwipe.bat -silent
psexec \\%1 -w c:\temp cmd.exe /c rmdir /s /q cleanwipe
echo “Cleanwipe is finished”
goto end

:error
echo “missing argument!”
echo “usage remote_uninstall_sep <machinename>”

:end

You can then run the script as follows:

c:\utilities\cleanwipe>remote_uninstall_sep machinename

You’ll see the files being copied over and then cleanwipe starts its magic. Once it’s complete, SEP should be gone and you can install the AV program of your choice.

% ./copyVM.sh OLDVM NEWVM

Script:

#!/bin/sh
cp -a $1 $2
cd $2
vmware-vdiskmanager -n $1.vmdk $2.vmdk
mv $1.vmsd $2.vmsd
mv $1.vmx $2.vmx
sed -i “s/$1/$2/” $2.vmx
rm -f *.log
cd ..

PostfixAdmin has a database schema that is different from the one described in the tutorial, but altering the Postfix configuration given in the tutorial to mesh with the PostfixAdmin schema was easier than I thought. It was simply a matter of editing the mysql-virtual*.cf files in /etc/postfix to point to the correct tables and fields in the updated schema.

The problem I ran into when trying to get PostfixAdmin working with the tutorial configuration was that the PostfixAdmin password hashing routines were not compatible with the the MySQL ENCRYPT function or the pam_mysql.so hashing routines. This is because MySQL’s ENCRYPT function and pam_mysql.so use the UNIX crypt() function by default to hash passwords. The crypt hashing algorithm is system dependent, but on my Ubuntu Feisty server, it was using DES. The pacrypt() function in PostfixAdmin’s functions.inc.php file was hashing passwords with MD5.

To make pacrypt() use DES encryption and allow for compatibility with MySQL and PAM, open config.inc.php in the base PostfixAdmin directory. Find the option called $CONF['encrypt'] and make sure it’s set to ‘system’. Now open functions.inc.php and go to the pacrypt function. After the line

if ($CONF['encrypt'] == ‘system’)

Insert the following code:

if ($pw_db == “”)
{
$salt = substr(create_salt(), 0, 2);
}

You will also need to change the line

if (ereg (“\$1\$”, $pw_db))

to

elseif (ereg (“\$1\$”, $pw_db))

These changes cause pacrypt() to generate a two character salt, which will cause the PHP crypt() function to hash the password with DES. This ensures your PostfixAdmin installation will be compatible with the MySQL ENCRYPT function and also pam_mysql.so.

Installing the Firmware
The first thing you will need is two routers capable of running DD-WRT. In my case, I chose two Buffalo WHR-G54S’s. Next, you will need to download the latest VPN version of DD-WRT. Make sure your get the right version for your brand of router. Finally, follow the firmware installation instructions making sure you check for any special procedure for your router. Buffalo routers require a unique procedure for the initial flash of DD-WRT.

The LAN subnets of the routers must be different for this configuration. This needs to be setup in the web interface of DD-WRT. For the purposes of this tutorial, the OpenVPN server subnet is 192.168.1.0/255.255.255.0 and the OpenVPN client subnet is 192.168.2.0/255.255.255.0

Creating OpenSSL Keys
The next step is to generate Public Key Infrastructure (PKI) certificates and keys for your routers. The easiest way to do this is to download a copy of OpenVPN onto your local system. If you use Ubuntu Linux, you can do this with

# apt-get install openvpn

The key generation scripts are located in /usr/share/doc/openvpn/examples/easy-rsa. cd there and follow the PKI generation instructions on the OpenVPN web site. You need to generate a client cert/key pair the server and one for each client. Be sure to give each client certificate a unique Common Name.

Creating the DD-WRT Startup Scripts
The procedure here is to generate the OpenVPN config files and cert/key files from the startup script in /tmp on each boot.

Replace the …INSERT YOUR OWN CONTENT HERE… with the certs/keys generated in the last section.

rc_startup – server

This configuration file will allow clients on either subnet to see clients on the other subnet (see addendum at the end of this post for a problem I ran into with this). The push lines push the routes to each client. This allows for file sharing, client/server communication, etc. between subnets without passing broadcast traffic across the VPN, which it what would happen if we created a bridged connection with a tap interface. For more information on what each parameter does, see the openvpn man page or HOWTO.

In the second-to-last section

rc_startup – client

This client configuration will continuously retry to connect to the server. If the Internet connection goes down, the VPN link will reconnect when Internet connectivity is restored.

rc_firewall – client and server

The firewall rules can be used on both the client and server.

These files need to be saved in the router’s flash memory with the nvram set command. We will be saving rc_startup and rc_firewall scripts for both the server and client. Execute the commands below for both the client and server, pasting the appropriate file where indicated:

# nvram set rc_startup=”
><paste rc_startup here>
>”
# nvram set rc_firewall=”
><paste rc_firewall here>

Testing The Connection
This setup can be tested on a LAN by connecting the WAN ports of each router to your LAN switch. Enable remote administration in the DD-WRT web interface so you can login to both routers. Also, the LAN subnet you are testing on must not be the same as either of the router LAN subnets. In this case, it could be 192.168.10.0/255.255.255.0.

Once the startup scripts have been saved to flash memory, reboot both routers. SSH into both routers and check that openvpn is running with # ps | grep myvpn. If it is running, congratulations, you have a VPN link. If it is not running on one or both routers, uncomment the daemon line in /tmp/openvpn.conf and start openvpn manually with # /tmp/myvpn –config openvpn.conf. You should receive an error message on the console to help with debugging. I found it very handy to put OpenVPN in the background by issuing a CTRL-Z and then bg. This allows you to issue commands but still see any error messages echoed to the console. If your connection is established but you can’t ping across it, check the OpenVPN FAQ.

Conclusion
If you followed this correctly, you should now have a routed VPN network allowing systems on both the server and client side to ping and connect to systems on the other side.

Addendum
I did run into one strange problem that has me stumped. Routing from the server subnet (192.168.1.x) to the client subnet (192.168.2.x) does work correctly if the server is in daemon mode. If I take the daemon line out of the server configuration file and restart OpenVPN, packets are routed correctly. Routing from the client subnet to the server subnet works correctly either way. If anyone knows why this is, please leave a comment.