jmbrinkman

Archive for the ‘Uncategorized’ Category

An End Has a Start

In Uncategorized on November 18, 2013 at 21:18

At the very beginning of this year I have left Loyens & Loeff N.V and started at Schuberg Philis.

In dutch one would say “De koek was op” ( The cake ran out) and I decided I needed another challenge.

And a challenge I have found ( besides becoming a dad again, selling a house and moving into a new house…)! And while the culture within Schuberg Philis is based upon many pillars, a culture which is truly one-of-a-kind by the way, for me the real game changer is that now I work amoung people that enjoy what they do, are amazing at what they do and are able to get the job done, every time, on time without the need for procedures, managing expectations or even managing people.

And although my new job is about as time consuming as it is fun I will continue blogging – however not on this site.

My new site is located at multiplechoicesystemsengineer.nl ( yes I added a “s” I’ve got waay more systems to engineer now..) which is – in an eat your own dog food kind of manner – hosted on SharePoint 2013.

I will republish the most interesting ( read “most viewed”) content to that site and I’ll hope to see all of you there!

Also don’t forget to checkout our company blog – Cupfighter.net

Update: Backup TMG with Powershell

In Uncategorized on August 7, 2012 at 20:18

Some time ago I posted a script to backup the TMG configuration using Powershell. Meindert Honig tested my script and gave me some feedback – if you did a backup from the TMG console the resulting XML file was bigger then when using my script. When I compared the xml files I discovered that when you use my script the server specific information isn’t exported. This due to the fact that I used the value “0” for the iOptionalData field in the ExportToFile method.

So if you did a backup you would have all the array stuff but not the server configuration ( including cache drives, installed web filters etc etc).  Lurking around I found an example to properly fill the IOptionalData field in this blogpost .

I’ll repost the entire augemted script ( I must admit the export file is now even bigger and I’ve been a bit lazy to figure out why – could it be caused by a different way of storing the data or is there some data in the FPC.Root.Array object that isn’t exported by the TMG console – maybe someone else can help me with that). This version does a backup of all the data ( confidential, group data) and encrypts it with a password.

$array=$root.GetContainingArray()

# See the post I mentioned above for the MSDN page

$iOptionalData= 0x00000001 -bor 0x00000002 -bor 0x00000004 -bor 0x00000008

$Comment = “Your comment goes here”

$Password =”Very Secret Password”
$array.exporttofile(“d:\tmgbackup.xml”,”$iOptionalData″,”$password”,”$comment”)
if ($err)
    {
    write-eventlog -logname Application -source TMGBackup -eventid 9999 -entrytype Warning -message “Backup
failed, cause: $err” -category 0
    }
else
{
write-eventlog -logname Application -source TMGBackup -eventid 9000 -entrytype Information -message “Backup Succeeded” -category 0
}

You should of course first register the eventlog source using new-eventlog to register the TMGBackup eventlog source.

Von Smallhausen by Proxy

In Proxy, TMG 2010, Uncategorized on February 22, 2012 at 21:34

If you work in an environment where access to the internet is “proxied” or “proxyfied” by a Microsoft proxy productandthat proxy requires authentication you are in for a treat. If you have to maintain or administer such an environment…

It looks like a great idea – you know who what on the big bad world wide wolf. But a lot of software doesn’t understand proxy authentication – if they are aware of it in the first place. So users complain because the can’t watch that Silverlight video. Because Silverlight…doesn’t understand proxy authentication. Passive FTP with a login doesn’t understand it – you have to provide the credentials the old style: ftp://user001:secretpassword@private.ftp-servers.example.com/mydirectory/myfile.txt .

Of course you can disable proxy authentication for certain sites, source or destination ip’s or even users. But that can be quite a hassle and depending on the amount of exclusions and the administrative discipline of the IT staff it can render authentication as a security (or productivity if you use to block sites)measure rather useless.

But my biggest problem with proxy authentication in a Microsoft environment is – not even the OS understands proxies. The strong bonds between Windows Explorer and Internet Explorer might have been severed…for most applications IE is the place to set a proxy – whether IE is a party in the application reaching the Internet or not.

But we have group policy so we can set the proxy so big deal…but hey why can’t OneNote reach my Skydrive? That’s because Microsoft provided us with two ways to use a proxy; WinInet and WinHTTP. And no one really tells which applications use or support them. MSDN says “..When selecting between the two, you should use WinINet, unless you plan to run within a service or service-like process that requires impersonation and session isolation…(WinHTTP vs. WinINet). Now I can’t judge why or how OneNote needs WinHTTP – but its annoying none the less that it does.

Now how can we solve this?

  • There is no GPO setting for Winhttp 😦
  • Of course you could script it. Use proxycfg.exe or netsh in the winhttp context (or Windows XP/2003 and later OS’s respectively)
  • Or in some way (OS template/script/GPO) makes some changes to HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttp
  • If you use an auto discovery script importing from IE won’t work you’ll have to maintain two ways of finding a proxy ( tho it understands WPAD)
  • So the only real solution is a computer start up script that uses the methods mentioned above with some smart logic to pick a server and keep things like proxy exclusions in sync between WinInet and WinHTTP

Or you could really move forward and think about stuff like Palo Alto firewalls or other solutions where fire-walling and proxying are integrated if seeing who does what really is your thing

Btw here is a list of appplications that use WinHTTP:

  • Connections to Microsoft Skydrive from an Office or Windows Live App
  • Windows Update
  • WebDAV ( so stuff like Sharepoint ) connections from Office or Windows Explorer

I will say this only once!

SCOM Netscaler pack false positive: No HA hearbeats SNMP trap

In Citrix, Netscaler, Operations Manager, System Center, Uncategorized on December 9, 2011 at 21:55

As I mentioned some time ago we use SCOM to monitor our Netscaler Load Balancers. We ran into an issue where an alert would be raised based on a SNMP trap sent by the Netscaler. Some background info:

– We have an etherchannel (Nortel Avaya SMLT if people are interested) like setup where we use 2 ethernet interfaces on the Netscalers connected to our core switches and we have all our VLAN’s trunked on those ports (including the VLAN where the NSIP’s reside).

– The other ports are not connected – but we had two interfaces enabled so  we could use those to connect to the appliances if the etherchannel config got screwded up

– HA monitoring is only enabled on the channel not on any of the individual ethernet interfaces.

What happened was that traps were sent out saying that both nodes missed HA heartbeats – but when we logged into the Netscaler GUI the HA status was fine. When taking a closer look at the snmp trap data it appeared that no HA heartbeats were seen on the two ethernet ports that were enabled but not connected – even though HA monitoring was disabled on these ports.

We couldn’t really override this because the SNMP trap could only be enabled or disabled for all interfaces, so we disabled the interfaces. The only drawback is that we’ll need to use the console port if we can’t reach the Netscalers through the “etherchanneled” interfaces.

And now for something completly different.

In Uncategorized on November 11, 2011 at 21:21

Before I started my own blog I had always replied heavily on the blog posts of others in order to find solutions for day-to-day IT problems I was facing. However I always looked for that information ad hoc. About 2, 2 1/2 years ago I started following some blogs on a more regular basis – first using RSS feeds in Outlook which did the job relatively well. However once I got an Ipad I decided I wanted a dedicated app which I could use to read and store interesting posts.

There are quite a few RSS reading apps around but I quickly settled for Newsrack – a very basic but functional interface, no need for Google Reader and rather quick to navigate. I follow an afwul lot of blogs so what I do basically is that I read all posts periodically and star whatever interest me or looks interesting but is to long/complicated to read quickly. Then every week or so I pick up all the starred posts and check for relevance and then decide whether I want to keep it to do something with it later (use the info for something in my daily work, forward to friends or colleagues or write  a blog post), turn it into a task/reminder (or whatever Apple/Microsoft call it) or throw it away.

What I miss in Newsrack (or most RSS readers for that matter) is a way to easily comment on a post. Anyway I thought it would be nice to share something about the way I look at other blogs and to wrap it up I’ve attached an export of my feed list in the OPML format: Newsrack.OPML

It’s a mix of storage, virtualization, Microsoft, Powershell and Bruce Schneider.