Category: Technology

Calyptix - is this a firewall?

Okay, I'm about 6 months behind on writing this post so if the world has changed in 6 months, please add comments and I'll update. I'm shocked at how difficult it has been to select a standard firewall for the SMB space. I THINK I've tried them all and have been surprised at how there just isn't one that has all the features I want. With SBS 2008 removing ISA, the need to have a firewall solution was key. I'll admit, I love ISA and though many partners didn't, we deployed it with SBS as often as we could. If you knew how to set it up (and that's why customers need partners like us!), ISA gave Enterprise security to SMBs like no other product yet. After being disappointed in the change, I now find that I really like not having the firewall and the SBS server on the same box. The ability to reboot the server and keep Internet going has given much more flexibility, not to mention a firewall appliance typically restarts much faster than a server reboot. I'm still surprised MS didn't work with a partner to offer a low-end ISA appliance....but I digress.

In my quest for our standard firewall, I of course looked at Cisco's ASA....it's a good firewall but I always struggle with the fact that they come obviously from the network world. I'm a GUI guy (so shoot me) and so many times to get an ASA set up correctly, you really need to do it all from the console. Ask for support and they have you go to the console. Tell them you want to use the GUI and you immediately get moved to the moron designation. And dealing with IPSec tunnels with the Crypto Map this and Crypto Map that...it's just not that intuitive. That being said, Cisco support was pretty good when I called and would jump on the device and fix my issues very quickly.

However, based on Scott Cover's blog entry and the fact that they spend time working with the MSP community I jumped all in with Calyptix. Signed up as a partner, ordered an NFR, and even sold one in my first week to a large customer for their lab environment. It's considered a UTM and maybe it is. My question is "is it a firewall?". So what's missing? Well, firewall rules for one. I couldn't add rules and move them up and down in priority. Calyptix support says that's coming. So if you're used to ISA or Checkpoint, you just don't have that power right now.

The big shock for me was trying to set up an IPSec tunnel to a Cisco ASA.  The phase 1 and phase 2 settings just weren't there.  They had some IPSec settings but not all of the industry standard settings.  I believe what's going on is the settings are of course in the BSD firewall underneath but just not exposed through their GUI. 

So to me, this isn't ready for what we need to do.  If you have a very small office and just want to plug in a simple UTM then this may be the way to go.  But we wanted a UTM that handled UTM functionality but also gave us Enterprise features when we needed it.

What's positive about Calyptix? The company! I think that's where you get the good reviews on Calyptix. They're based out of Charlotte, NC so that means English speaking support (well, if you speak Southern like I do). The main engineer/developer is Lawrence and he is awesome and will do whatever he can to help you and fix your problem. In my case he wasn't able to meet a core requirement and get the Calyptix to connect to ASA but it wasn't for lack of effort. They've just been focusing in the SMB space and haven't had to add those features yet. In time, I think they will. They may have it all now...I should have written this post 6 months ago because I know how frustrating it was for me when I was trying to research firewalls.

In summary, Calyptix is a great company but their product is still young. I'll certainly keep an eye on their product.




CheckPoint Safe@Office quick review

In the quest for a firewall for the SMB space, Checkpoint's Safe@Office (http://www.sofaware.com/overview.aspx?boneId=145&DTId=140&objId=101) is so close to being the best...but ultimately falls short so it's not our primary selection. As far as GUI, none are better. It beats Fortinet, Cisco ASA, Calyptix, SonicWall, and Cyberoam (the ones I evaluated hands on). The GUI uses web 2.0 UI and is very fast and well laid out.

For logging, earlier versions were okay...the current versions are great. It's what you'd expect from Checkpoint. A very clean, colored, self-explanatory log. Of all the firewalls I wanted to work with this was the best. When trying to make an IPSec tunnel to a Cisco ASA (the one the Calyptix couldn't connect with...see previous post) the Checkpoint handled it effortlessly.

So why's it not the #1 choice for us? A couple reasons. While the logging is great, it's unfortunately missing some flexibility. If you want to filter the view by all traffic to or from an IP or only a certain port...you can't do that. You get all the log entries and just have to scroll through. ASA and SonicWall both do better on the filtering though not as good on the display.

Another minor issue is the content filtering can kill your site if their service has an issue. Web Content Filtering is when you block sites based on categories (i.e. porn, sports, gambling, etc.). Checkpoint has the best UI for managing this I've seen in the SMB space. Once (and only once), that service had an issue and it just bogged the firewall down. Makes sense as it needs to check with the continuously updated service to see how the site is classified. That continuous updating part is the real value but if those servers have an issue then so does your location. I'm sure they have big time redundancy but we did have about 30 minutes during our testing one night where there was an issue and it will really affect your office.

Also, when connecting to another network via IPSec tunnel you're limited to 3 network ranges. The firewall can handle more but the GUI limits you to 3. Probably isn't a typical problem for an SMB office but for us it came up a few times. Our partners were small but they had contracts with some large companies. Those companies had more than 3 networks on their side and to get the endpoints to talk those definitions needed to match. Out of the box, the Safe@Office can't do it. If you use their SMP Gateway solution and remotely administer the devices then you can define more than 3 networks. But that upsets me even more that it's a pure GUI restriction.

The last reason was probably the main reason...SUPPORT. CheckPoint's Safe@Office is a great product. With a few updates they would have the best SMB firewall on the market. But as a managed services provider, I need fast response for the issues I have that are affecting my customers. I don't mind chatting with support in Israel. That's what I do...bridge the gap of tech talk with remote Support departments. Vendor management is part of the value we bring. But I had several issues where level 1 couldn't resolve an issue so it got escalated and I went over a week without getting a response. That level of responsiveness was even worse than SonicWall support (and that's bad). I never did find a number for partners to call in and speak to a person after hours. The best way to get support is via online chat but both phone and online chat will close for the night so don't have problems when they're closed or you'll have to wait until the next day.

So Safe@Office is the firewall we want to use but just can't right now. The GUI is slick. Managing content filtering is as intuitive and easy to use as any we've tested. The logging is by far the easiest to read. But it still has a few quirks that hurt in certain environments and the lack of enterprise support hurts. If CheckPoint would offer special 24x7 partner-only Support where partner calls were always treated as a top priority then they could easily be #1 as an SMB firewall.




VS 2008 .NET 3.5 Project Fails to Compile

I fired up VS 2008 and set up a basic Windows forms application.  Made some quick changes and hit build only to immediately get the following error:

The "Microsoft.Build.Tasks.Windows.GetWinFXPath" task could not be loaded from the assembly PresentationBuildTasks, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35. Could not load file or assembly 'PresentationBuildTasks, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified. Confirm that the <UsingTask> declaration is correct, and that the assembly and all its dependencies are available.

This error was followed by warnings on key references such as system and system.data. In fact, all my references had a caution symbol beside them. I checked control panel and of course .NET 3.5 was installed. After some searching, the problem was surprisingly Vista. It turns out .NET 3.0 was turned off as a "feature". Here's the fix...

Go to Control Panel, Programs, and Turn Windows Features On or Off.  Notice that Microsoft .NET Framework 3.0 is probably unchecked.

Who knew?  Enable that feature and you should be good to go.




System Center Ops Mgr - Missing All Reports

After setting up System Center 2007 Operations Manager, I couldn't wait to see the reports I could generate.  The install was a bit cumbersome but for this one I followed the install guides as best I could and thought I had everything just right.  However, after the install there were no reports.  If I tried to run any I'd get an error that the report couldn't initialize and if I clicked on the Reports tab there just weren't any reports there.  So I upgraded to Ops Mgr Sp1...didn't help.  I re-installed the Ops Mgr Reporting...didn't help.  All I had to go on were two symptoms.

  1. The System Logs were full of SQLDumper errors. Informational entries with Event ID 1010 and 5001 as well as Errors with Event ID 5000 were flooding my System logs about every two minutes.  The 5000 Event ID had the following Descriptions:

    EventType sql90exception, P1 w3wp.exe, P2 6.0.3790.1830, P3 42435be1, P4 reportingservicesnativeclient.ni.dll, P5 2005.90.3042.0, P6 45cd6edb, P7 0, P8 00005283, P9 00000000, P10 NIL.

  2. The Operations Manager logs in the Event Logs had lots of Event ID 26319 with this description.

Event ID: 26319
Source: OpsMgr SDK Service
Description:
An exception was thrown while processing GetUserRolesForOperationAndUser for session id uuid:a5f97d19-d366-4924-adc8-87a85c56f3a9;id=27. Exception Message: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

 So it seemed to be something with the OpsMgr SDK account.  The username/password was correct and it was a local admin on the Ops Mgr server.  So what gives?  Finally searching for the 26319 Event ID I found this post at the OpsMgr, SCE, and MOM Blog. It didn't quite match because it discusses a problem with the installation and as far as I know my installation went fine.  But since it's close...I read on.  It mentions that one of the causes could be...

You install the Operations Manager 2007 Reporting feature in a Windows Server 2003 domain environment, and the Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems option is enabled

My environment is an SBS 2003 environment and by default the domain functional level is Windows 2000.  I've thought of raising it but just haven't had a compelling reason.  Raising the domain level may fix the problem but I just followed the resolution in MS KB 938627 that Clive referenced... add the SDK service account to the Windows Authorization Access group. To do this, follow these steps:

  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In Active Directory Users and Computers, click Builtin, and then double-click Windows Authorization Access Group.
  3. Click the Members tab, and then add the SDK service account to the members list.

As soon as I added the SDK account to the Windows Authorization Access group the SQLDumper and the 26319 events stopped occurring. Then I went to the Ops Mgr Console and clicked the Reporting tab and voilà...I had a couple reports under the Reporting folder. My CPU stayed pegged for quite a while so be patient but the reports will start showing up. If you're impatient like me and want to see some sign of progress, right click on the Reporting folder and hit Refresh to see what's populated.

I hope this helps someone else because it stumped me for over a week.




Blackjack II - Any MP3 as Ringtone

Would you like your favorite song to be your ringtone for your Blackjack II? Here are the steps to get this going.

  1. Install a Registry Editor on the phone.  The PHM Registry Editor will get the job done for free. It was released in 2002 but registries haven't changed in years, so we'll This registry editor gets installed on the phone.  If you have bad eyes and would prefer to make the changes on your computer, try Mobile Registry Editor or CERegEdit.  These allow you to make the phone registry changes on your computer which is nice but requires you to connect the phone to make changes.  I like PHM Registry Editor on my phone in case I need to make quick changes with just my phone.  To install PHM Registry Editor...
    1. I had trouble (and found posts from others with the same problem) getting it to install with the ActiveSync installer.  Instead download the Smartphone 2002, 2003 (ARM/PXA) cab file to your computer.
    2. Copy that regedit.Stngr_ARM.cab file to your phone. 
    3. On your phone, double click on the regedit.Stngr_ARM.cab to install it. 
    4. On your phone, click Start and then scroll down and double click PHM Registry Editor.
  2. Open PHM Registry Editor and click HKEY_CURRENT_USER, then click Control Panel, then scroll down and highlight Sounds.
  3. Click Sounds and then select Values.
  4. Highlight FileSizeLimit and then click Menu and Delete. (Note: You can also just increase the value.  I couldn't enter the number directly but had to scroll up.  That was too slow for me so I just deleted the key.  If you'd like, you can add the Key back as a new DWord value and during the creation you can enter the value you want.)
  5. Confirm the Delete.

So far, it seems like you need to get your MP3 over to your Main Memory and not your SD card to make it a ringtone.  Once you get the MP3 over to your phone, you can go to Settings, Sounds, RingTone and select the MP3 as your Ringtone.  If you don't see your MP3 and it's on your phone, wait 5 minutes and look again and it'll probably be there. :)

If you have an Outlook contact you can now open the Contact and select the individual ringtone.  This won't work for SIM contacts.

Use this at your own risk!  This post comes with no warranty and is simply my account of what worked for me.  This is making changes to your registry and could potentially mess up your phone.




SanDisk Sansa Album Art

Kids got a couple of SanDisk Sansa e250 MP3 players this Christmas.  Some things I like about it compared to the iPod Nano (cheaper, FM Radio) and some things I don't (wheel isn't nearly as smooth, menu button is awkward and requires too hard of a push to activate).  It certainly wasn't plug-n-play on our Vista desktops.  The first key is to go into the settings and first change the USB mode to MSC so Vista can install the drivers.  You can later change it to MTP but if you start with MTP mode I kept getting a failure on setup.  Then I ran the SanDisk firmware updater (in MSC mode of course) to get the latest firmware.  For some reason, the highest I can get is 1.02.18a through the Firmware Updater even though the web site shows 1.02.20 being out.

Album art isn't displaying for me for songs transferred from Windows Media Player 11.  I've read WMP 10 works fine but I'm on Vista so that's not an option.  I've also read a firmware upgrade fixes the problem but it didn't fix it for me.  After transferring songs, I see .alb files in the Albums folder for my new albums but nothing shows up.  SanDisk user guide says you "may" need to put the album art in the same folder as the song.  (Can you believe they said "may need" in their user guide!)  So the fix seems to be to copy the .jpg to the same folder as the music and give it the name "Album Art.jpg".  However, if you just try to copy a .jpg file to the Sansa it'll say that type of file isn't supported.  Again, I've read posts that the latest firmware fixes this too but it didn't for me.  So here are my steps to get Album Art on the Sansa e250.

  1. First find your album art.  You can use any image including one of your own.  For original album art, browse to http://www.albumart.org or I guess you can just use www.amazon.com assuming there's no licensing restrictions. 
  2. Right click on the image and "save picture as" to save it to your computer as "Album Art.mp3"
  3. In Windows Explorer, copy Album Art.mp3 to your Sansa placing it in the folder Music/<yourAlbum>.
  4. In Windows Explorer, right click on "Album Art.mp3" on your Sansa and rename it to "Album Art.jpg".

Depending on your firmware, you may not have to do the save as .mp3 and then rename to .jpg but I did.  Now when you play a song, you should see the album art.  Click the select button (center of your wheel) to see it full screen.

Enjoy!




AT&T Tilt Setup

I have my Tilt and so far have been pleased but it takes a little to really get it set up to take advantage of the productivity add-ons that make you want the Tilt.  Here's my process to set it up.

  1. Remove the AT&T "bloatware".  First perform a hard reset right off the bat by going to Start, Settings, System, and then select Clear Storage.  Enter the 1234 combination.  You can also do it with some key press combination but I found several posts where users had issues with this.  After the restart, it'll prompt that it's going to start configuring the AT&T apps after 3 seconds.  Before the 3 seconds is up, insert your stylus in the hole on the bottom of the Tilt to do the soft reset.  Now you have a plain Jane Tilt with no demo/bloat ware.
  2. Go to http://www.gadgetech.info/treo/hacks/disableproxy/index.shtml and download DisableCingularProxy.cab and RestoreCingularProxy.cab.  Copy these files over to your Tilt and double click DisableCingularProxy.cab to install.  This will get your WiFi connection working without going through AT&T's MediaNet.  The other way is to just go in and disable proxy manually each time.
  3. Remove the AT&T Task Manager.  This may not be necessary but I read several posts that this delayed emails arriving and calendar event notifications.  It was easy and I didn't need it so I just removed it.  Go to Start, Settings, Today and then click Items tab.  Uncheck HTCHomeeplug.  Again, may not be necessary, but I did it anyway.
  4. Install Google Maps.  On your Tilt, connect to the Internet via WiFi or Data connection and browse to http://www.google.com/gmm/gps.html.    You should see an option to install Google Maps.  Download and install that app.  After the install, you'll find Google maps in Start, Programs.  It's the Compass looking icon.  Click Menu and Use GPS to get your location.  Tip:  If you haven't yet, use QuickGPS and Download to speed up the locating process.
  5. Install Microsoft Live Search: From your phone browse to http://wls.live.com and install it.  Similar to Google maps...some say it works better.
  6. If you aren't using the Push-To-Talk feature, then follow this post http://forum.xda-developers.com/showpost.php?p=1707732&postcount=127 to give you the ability to map the PTT to something else (like Voice Dial).
  7. Increase Performance for WiFi:  My wifi connection was extremely weak or non-existent on my Tilt.  My laptop would be at 99% signal strength and my Tilt would show "unavailable" or barely have any signal to my WAP.  The problem was not enough power for the WiFi on the Tilt.  Go to Start, Settings, Connections, Wireless LAN and select the Power Mode tab.  You can try the middle setting which did connect for me but was still somewhat weak.  Selecting Best Performance gave me a full signal matching my laptop card.  I'm sure this drains the battery but I don't leave WiFi on unless I'm using it.



Amazon Cell Phones - Deal or No Deal?

I was looking at getting an AT&T Tilt and Amazon.com at first glance has the most compelling offer but I'm not sure about working through Amazon.   While they have many high-end phones for 1 penny, they do have a catch...if you drop your data plan or are late on a payment in the first 6 months, they'll auto charge you $250 per phone.  Since I was getting two phones on a family plan, that scared me.  So, instead, I went with LetsTalk.com.  Their catch is you have to remember to send in your rebate info at a certain time frame but I felt a little better with that and their turn around time was awesome.  I'd be curious if others have had good experience or bad experience with Amazon.com.  Feel free to post your comments and let me know.  I'll update you in time on how Let's Talk handles their rebates.

 




Turning MP3's into Ringtones

Would you like to turn your favorite MP3's into ringtones without paying $3 per pop?  Of course you would.  Plus, sometimes the mp3's you want aren't available for purchase.  For instance, I wanted clips from The Office for my ringtone...the opening theme song, Andy singing Rainbow Connection or "Take a Chance on Me".  I'm sure you get the point.

Well, just go to Mobile17 and sign up.  There you can upload any MP3 and they'll give you several options for getting it to your phone.  There is a wait period for the free version but you can upgrade to their Express version with "no line no waiting".  For me, I'm never in that big of a rush to get my ring tone. :)

And if you're interested in getting those favorite Office clips, just head over to What's the Scuttlebutt to search for Office clips.




Disable file and folder transfers in RWW

You may have noticed in Small Business Server's Remote Web Workplace that when you go to "Connect to my computer at work" that if users click "Optional Settings", one of the options is "

The key was figuring out that rapLinks.userLogonName returned the username of the logged on user.  If it matches what's in the aUsers array then it hides the checkDrives checkbox.  I wanted to hide the label but I haven't figured that one out yet.  The label doesn't have an ID but instead uses <label for="checkDrive...  If you know of a way to hide that programmatically, please let me know.  Since it only hides the checkbox, it's sort of an ugly solution but since "Optional Settings" is a somewhat obscure option for most users and since it is functional, I'm okay with it.  I hope it helps you out.  It took me almost 1/2 a day to figure it out.
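
The check described above, extended to also hide the label by matching each label's for attribute against the checkbox id, as an added example; it is not the author's original script, which did not survive on this page. Only rapLinks.userLogonName, aUsers and checkDrives come from the post; the helper names, the domain-stripping rule, the sample users and the stand-in document are assumptions. Hiding the control only changes what the page offers and is not server-side enforcement of drive redirection.

```javascript
// Added example. rapLinks.userLogonName, aUsers and checkDrives come from the
// post; every other name here is hypothetical. Written in ES3 style so it
// would also run in the browsers RWW targeted.

// Reduce "DOMAIN\user" or "user@domain" to a lower-case bare user name
// (assumption: the logon name may arrive in either form).
function bareUserName(logonName) {
  var name = String(logonName || '').replace(/^\s+|\s+$/g, '').toLowerCase();
  var slash = name.lastIndexOf('\\');
  if (slash !== -1) { name = name.slice(slash + 1); }
  var at = name.indexOf('@');
  if (at !== -1) { name = name.slice(0, at); }
  return name;
}

// True when the logged-on user appears in the restricted list.
function isRestricted(logonName, aUsers) {
  var user = bareUserName(logonName);
  if (user === '') { return false; }
  for (var i = 0; i < aUsers.length; i++) {
    if (bareUserName(aUsers[i]) === user) { return true; }
  }
  return false;
}

// Clear, disable and hide the checkbox, then hide every <label for="...">
// that points at it. Returns the number of elements hidden.
function hideDriveOption(doc, logonName, aUsers, checkboxId) {
  if (!isRestricted(logonName, aUsers)) { return 0; }
  var box = doc.getElementById(checkboxId || 'checkDrives');
  if (!box) { return 0; }
  box.checked = false;   // a hidden but still-checked box would be submitted
  box.disabled = true;
  box.style.display = 'none';
  var hidden = 1;
  var labels = doc.getElementsByTagName('label');
  for (var i = 0; i < labels.length; i++) {
    if (labels[i].htmlFor === box.id) {   // htmlFor is the DOM name of "for"
      labels[i].style.display = 'none';
      hidden++;
    }
  }
  return hidden;
}

// Constructed stand-in for the Optional Settings DOM so the logic can run
// outside a browser; checkPrinters is an invented second option.
function makeSampleDocument() {
  var nodes = [
    { tagName: 'INPUT', id: 'checkDrives', checked: true, disabled: false, style: {} },
    { tagName: 'LABEL', htmlFor: 'checkDrives', style: {} },
    { tagName: 'INPUT', id: 'checkPrinters', checked: true, disabled: false, style: {} },
    { tagName: 'LABEL', htmlFor: 'checkPrinters', style: {} }
  ];
  return {
    nodes: nodes,
    getElementById: function (id) {
      for (var i = 0; i < nodes.length; i++) {
        if (nodes[i].id === id) { return nodes[i]; }
      }
      return null;
    },
    getElementsByTagName: function (tag) {
      var out = [];
      for (var i = 0; i < nodes.length; i++) {
        if (nodes[i].tagName === tag.toUpperCase()) { out.push(nodes[i]); }
      }
      return out;
    }
  };
}

// In the page itself: hideDriveOption(document, rapLinks.userLogonName, aUsers);
```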