www.andytang.com

Blog: Change of address, now http://blog.andytang.com

blog@andytang.com (Andy Tang) — Fri, 05 Feb 2010 11:45:00 +0000

Due to the way that Google/Blogger have changed the hosting of blogs, the address of my blog has changed.

Please update your bookmarks to point to: http://blog.andytang.com/

All the information that was in this blog, has been copied to there as well.

The blog on this site will no longer be updated.

Thanks
Andy

Sport Relief - I'm running six miles!!

blog@andytang.com (Andy Tang) — Mon, 25 Jan 2010 20:26:00 +0000

I'm doing my bit for Sport Relief by running six miles, but you don't have to run... you only have to sponser me!

Whatever you can afford would be gratefully recieved: http://www.mysportrelief.com/andytang

IAG Logs - Extending?

blog@andytang.com (Andy Tang) — Wed, 20 Jan 2010 23:22:00 +0000

A common issue raised by customers have been regarding how far back the IAG logs can go back.

I have posted in the past about how to use Syslog server with IAG, which will allow the logs to be stored elsewhere for longer, but you may still have issues with what or how much is being reported.

Extending your historical logs:

In the IAG Configuration console, select the "Admin" menu and select "Event Logging"
Select the "General" tab
Change the "Queue Size" to 100
Change the "Max Report Results" to 10000
Click on "OK"
Activate the IAG Configuration

Change the settings for report clean up:

In the IAG Configuration console, select the "Admin" menu and select "Advanced Configuration"
Change "Start Cleanup at:" to 10000
Change "Stop Cleanup at" to 100
Change "Number of Undeleted Files" to 100
Click on "OK"
Activate the IAG Configuration

You may need to wait up to 48 hours to see if these changes have helped, but these settings can be tweaked further to fine tune the logs for your reporting needs.

Celestix on Facebook and Twitter

blog@andytang.com (Andy Tang) — Mon, 18 Jan 2010 19:02:00 +0000

In case you weren't aware, Celestix are on Facebook and on Twitter (@CelestixNetwork)

I'm on both but hey, I'm sure I'm not as interesting!!!

IAG SP2 Update 3?

blog@andytang.com (Andy Tang) — Mon, 18 Jan 2010 18:31:00 +0000

Well I've had word that IAG SP2 Update 3 should be out in a month or so.

The components being addressed with this update, are that Windows 7 will be recognised correctly and 64-bit clients will be supported.

Obviously you have seen that I have documented a 32-bit Windows 7 workaround, but there are still issues with this when using certain applications. The only 64-bit client that can be made work is Windows 7, as long as your computer has the ability to run XP Compatibility Mode (which will mean that only specific processors are supported)

As soon as I see that update, I will get it installed and tested, as my work laptop is both Windows 7 and 64-bit..... you can see I like a challenge!!

Celestix Technical Training - Microsoft UAG & TMG

blog@andytang.com (Andy Tang) — Sat, 09 Jan 2010 20:58:00 +0000

Celestix will be giving training in Microsoft UAG and TMG (which will replace Microsoft IAG and ISA server) on the 3rd February.

If you are a reseller based in the UK and this is of interest, please register here

Websense V10000 - Web Security Appliance

blog@andytang.com (Andy Tang) — Sat, 09 Jan 2010 20:33:00 +0000

Most people are aware that Websense are a market leader in the web filtering market, but tradionally has only been a software only option.

The software can either filter via a network sniffer (via a mirror or span port on a switch) or integrated with another solution such as a Cisco firewall or Microsoft ISA server.

The software has some limitations or lacked features that were being demanded from an enterprise perspective. These were addressed with Websense Security Gateway, which gave the following features:

Web proxy server
Integrated anti-virus solution
Real time content classification
Real time security scanning

This brought other considerations, due to the nature of this software, it would only be supported on a Linux platform. At the time I spoke with a number of customers who were put off by this, as they only had Windows administrators, and did not have the capacity to support a Linux server.

Websense took this onboard, and developed the V10000 appliance, which is a Websense branded appliance, which runs a Linux operating system and runs the Websense Security Gateway software within a virtualised environment. The specification of the hardware, will allow the appliance to run the Email Security and Data Security features in the future as well.

In short, Websense have produced an enterprise class proxy server, with enterprise web security in an appliance form factor.

At e92plus, we are technically proficient with the Websense range, where we not only carry out web demonstrations, deal with presales questions, deliver proof of concept deployments, architect and deploy full solutions, we also deliver both bespoke and certified Websense training.

SecurityPlus - IT Security Newsletter from e92plus

blog@andytang.com (Andy Tang) — Sat, 09 Jan 2010 20:18:00 +0000

As you may know I work for e92plus, an IT Security Distributor based in the UK.

Richard Hicks of Celestix Networks and a Microsoft MVP wrote an interesting article about re-perimeterisation for our newsletter.

We are very grateful to Richard Hicks and Celestix for their continued support.

The article can be found here: SecurityPlus from e92plus

BETT 2010 - London Olympia 13th to 16th January

blog@andytang.com (Andy Tang) — Sat, 09 Jan 2010 20:07:00 +0000

BETT is an educational technical show that is based in London.

This year we have two of e92plus' vendors at the show, Xirrus (innovative wireless solution) and NComputing (cost effective desktop virtualisation)

I will post more detailed information about each of these vendors later.

More information about the show is available here: BETT 2010

Happy New Year for 2010!

blog@andytang.com (Andy Tang) — Wed, 06 Jan 2010 12:53:00 +0000

And what a way to see in the New Year.

Currently where I live in the UK there is 3-4 inches of snow, which has made it very difficult to get off my driveway, let alone drive to work.

Fortunately I can work from home, thanks to a Celestix WSA appliance running Microsoft IAG!

I have access to my emails via OWA, intranet site, CRM server and Terminal Server.

This has allowed me to pretty much carry on as normal!

If you are stuck at home today, I hope you are working!! ;)

Merry Christmas!

blog@andytang.com (Andy Tang) — Thu, 24 Dec 2009 09:53:00 +0000

Merry Christmas to everyone! :)

Enjoy the holidays and I'll be back in the New Year, where I'm sure we will have more information on TMG and UAG, as well as more exciting products and developments from e92plus.

Microsoft CRM 4.0 on a non-IE browser and IAG

blog@andytang.com (Andy Tang) — Thu, 24 Dec 2009 09:19:00 +0000

At e92plus we use Microsoft CRM 4.0 as our CRM system. It is a good product that allows a lot of flexibility, granularity and customisation, but the downside out of the box is that it will only work with an IE browser.

Not a major issue you may think as all the computers at work are all Windows devices.

As you can see in the previous post, we were in the process of replacing our mobile telephones at work, and as part of the rollout, I wanted to offer IAG via the mobile phone. I know it works(albeit very slowly) on a Blackberry and (pretty well with 3G) on iPhones.

Now if we were issuing mobile devices with internet access to the staff, I not only want them able to access the IAG, I also want to give them the ability to access our CRM system.

My choices were to look at Windows Mobile devices, but there is either a comprise on cost or functionality, or find a way to get CRM available on other browsers.

A bit of Googling from Neil Langridge (Marketing Manager for e92plus) turned up the following links:

http://blogs.msdn.com/crm/archive/2009/07/09/product-release-mobile-express-for-microsoft-dynamics-crm-4-0.aspx
http://weblogs.asp.net/gayanperera/archive/2009/07/10/dynamics-crm-4-mobile-express-released.aspx
http://www.microsoft.com/downloads/details.aspx?FamilyID=F592EC6C-F412-4FD5-9A80-CD3BCBD26D8B&displaylang=en

After following the instructions on installing the 28Mb file, we then started testing.

I used Firefox, Safari, Opera and Chrome as my test browsers and they all worked perfectly. The view is slightly cut down, but we now have CRM on other browsers.

The next step was publishing this on IAG as a Generic Web Application (as I did for CRM on IE). Remember to use the server name, correct port number as well as the /m after the URL. I created an access policy to check the users browser, so that if they are using IE they have two icons (one for full blown CRM, and other for the "streamlined" version), and if they are using a non-IE browser they only see the "streamlined" version of CRM.

I have been playing with a number of mobile phones recently, and this works perfectly on Blackberrys, iPhones, Nokia and HTC Windows Mobile devices.

ActiveSync on IAG, with iPhones

blog@andytang.com (Andy Tang) — Thu, 24 Dec 2009 08:26:00 +0000

The mobile phone contracts at work are up, so I have been investigating alternatives. We were previously using Blackberrys, but I've been investigating more cost effective options. Since the Blackberry server was installed, we have upgraded to Exchange 2007, which gives us the aability to us Push Mail/ActiveSync, something that was not an option on our previous mail server.

I was given a couple of test phones to trail ActiveSync on a Windows Mobile and a Nokia device.

First off, I had to ensure ActiveSync was enable on the Exchange server, and fortunately a "vanilla" build of Exchange 2007 haas it enable on install.

The thing was the create a NAT rule on my firewall to allow the ActiveSync traffic from the intenet to the Exchange server. This was only a temporary rule while I was testing ActiveSync worked, before the rule was removed again.

My security/paranoia head would not allow me to leave this rule in place, as I would not recommend to anyone to have a rule that allows direct connectivity from the internet to any mail server. (BTW that also includes email, as there are plenty of mail relay options, such as a Barracuda Spam Firewall - Blog post for another day!)

Here at e92plus as the saying goes "We eat our own dog food", where we use a Celestix WSA IAG appliance as a remote access solution.

The next step was for me to create way for the mobile device to connect to my Exchange server, without a direct connection. I configured one of our external IP addresses to NAT into the DMZ of our firewall. I then had to add an additional IP address on the external adapter of the Celestix WSA appliance to match the DMZ IP address of the NAT rule. I also created a new prefix for our domain, and mapped that to the external IP address I'm using.

Now on to IAG, create a new webmail trunk and selected ActiveSync. I defined the domain, selected the DMZ IP address, defined the details of my Exchange server, aand then activated the configuration.

I took the Trusted Root Certificate from my Exchange server and applied that to the IAG appliance.

From the mobile devices, I defined the domain, username and password. For the server address, I use the new IAG portal address.

It worked perfectly on the demo Nokia E63 and the HTC Touch, although the interfaces were different the information required to login was the same. This allows the devices to sync up emails, contacts, calendar and tasks.

After much deliberation, I decided that I wanted an iPhone as my mobile device. Although I am still waiting for the SIM to be activated, ActiveSync is syncing my email, contacts and calendar via my wireless network, so once the iPhone can get onto the O2 3G network, it will be working as it should!

For added security/paranoia, on the Exchange server I have also enabled mandatory passwords on the device, madatory encryption of the storage and the ability to remote wipe the devices, so pretty much the core features of a Blackberry server, at a much lower cost!

Web Monitor Logs

blog@andytang.com (Andy Tang) — Tue, 24 Nov 2009 09:43:00 +0000

A common question I'm asked, is how can I keep my Web Monitor logs for longer. Ensure you have SP2 Update 1 installed for this feature.

Just feed the logs into a Syslog server, sounds easy...

Start up the IAG Configuration application
Select 'Admin' at the top and select 'Event logging'
Select the 'Syslog' tab and enter in the details of your Syslog server

Sometimes, we just want an easy solution.... and here is one!

I've had a play with a freeware Syslog server called Syslog Watcher, which works very well with this integration, but would welcome any recommendations for Syslog software.

Endpoint Protection should no longer be optional!

blog@andytang.com (Andy Tang) — Sun, 15 Nov 2009 13:27:00 +0000

Most environments will run a firewall and anti virus software on the computers.

We start to take it one step further where we monitor/filter the users web traffic; we scan inbound (and sometimes outbound) emails; we secure inbound traffic to our networks with a combination of anti virus software, firewalls, reverse proxying, NACs, SSL-VPNs with access policies and two factor authentication; we secure our internet facing services with web application firewall, but this level of protection is often to prevent threats from outside of our organisation.

We all hope we can trust our work colleagues and employees, but an often overlooked security option is what our internal staff may either intentionally or unintentionally cause harm to the the internal systems.

I have a seen a few endpoint protection solutions, and they are either lacking in functionality, or have a wealth of features coupled with a price tag.

I was asked to trial a new offering from Cyberoam, who have previously focused on UTM firewalls and SSL-VPN solutions, but looking to expand their security offering have now produced an endpoint solution, which they have called Cyberoam Endpoint Data Protection (aka Cyberoam EDP).

The Cyberoam EDP solution comes with four components, where you can pick and choose which components you require.

Device Management
Application Control
Asset Management
Data Protection and Encryption

The Device Management component allows you to define which hardware components can be used on your endpoints. So you can limit access to hardware which are either build in or plugged in, such DVD writers, USB memory sticks, external hard disk drives, etc.

The Application Control component allows the access and blocking of applications, such as peer to peer and IM from either a legality or IT policy persepective, or software such as Photoshop and Office, where you can ensure that they software is only used on certain hardware to maintain correct license useage of software (ie not allow the software to run on more machines that you are legally allowed to)

The Asset Management component allows the auditing and tracking on hardware on your network, and what software is installed where. There is also version tracking, so you can see hardware and software changes within your network.

The Data Protection and Encryption component allows you to create policies to prevent data from leaving your company. These policies can be applied to email, IM and removeable devices, so certain file types or file names can not leave via these transport methods. You also shadow message transfers, so you have records of IM conversations and emails!! The encryption fucntion is for removeable media or when files are transferred.

I tested this on my network and all the functions works perfectly in my test environment, but the limitation was that Windows 7 operating systems and 64-bit operating systems were not supported at time of testing. ( I had a number of Windows 7 machines work perfectly and a couple that did not work, as well as some fuctionality from a 64-bit Windows 7 laptop) The Windows 7 element of the software is currently being tested and a fully supported version of the software is due out soon.

I believe this prodcut will give enterprise levels of security to the SME market.

More information as well as a 30 day free trail is available here: http://www.cyberoam.com/endpointdataprotection.html

If you try it, I'd be interested in your feedback. :)

High Availability for IAG

blog@andytang.com (Andy Tang) — Fri, 06 Nov 2009 00:07:00 +0000

After four hours on the train today, I spent a fair chunk of today configuring a pair of Celestix Load Balancers for an IAG deployment.

The only way to create IAG in a highly available configuration, is to put the IAG solution behind a front end load balancer. A common question I get asked is why do I recommend a pair of load balancers... well why would specify a solution with multiple application servers, only to place them behind a single load balancer and risk moving your single of failure from the application server, to the load balancing solution.

There are some simple instructions on how to configure the Celestix Load Balancers (CLB) and well documented in the manuals, but here are some headline points when configuring the solution for Direct Server Return (DSR), where the load balancer coming into the IAG solution, but outbound (as the name suggests) the IAG solution will go directly back to the client, rather than through the load balancer.

Configure the IAG external IP address to the be the virtual server IP address
Ensure DSR is selected in the advanced settings
Under the Healthcheck option for the target, ensure PING is off, but check TCPOpen ais enabled for 443,2,10
Ensure all IP addresses are unique, including gateways, servers, engines, etc.
Create an ISA rule to allow access from the CLB range to the Local Host, for port 443.
Create loopback adapters for the WSA appliance, ensuring that there is no gateway, and within advanced ssettings, the Interface Metric is set to 254
Ensure VRRP is enable, where both appliances have the same VRID, ensure the Master has a priority of 1 and the backup of 254, on a different network
Ensure the local host files that the server name points to the VIP

I had a pretty unique situation today, where four portals were configured on two IAG appliances, with virtual IPs and load balancers.

We ended up using 14 external IP addresses, VIP for each portal (4 external IPs), an external IP for each portal on each appliance (8 external IPs), and a unique IP for each load balancer (2 external IPs). It's very rare to have this many real IPs to play with, but the same principle would apply, if these IPs were internal ones behind a NAT'ing device, which would only have required 4 external IPs (one for each portal)

Ensure you understand the customer requirements and follow the manual.

Good luck with maaking your IAG solutions highly available! :)

Congratulations to Richard Hicks - Microsoft MVP

blog@andytang.com (Andy Tang) — Tue, 06 Oct 2009 19:20:00 +0000

A big congratulations to Richard Hicks of Celestix, who has been awarded the Microsoft MVP (Most Valuable Professional) for 2009.

There are less than 30 MVPs in the Microsoft Forefront arena worldwide, so you can understand the prestige of this award.

http://tmgblog.richardhicks.com/2009/10/01/microsoft-most-valuable-professional-mvp-2009/

Well done Richard, it's a honour working with you and keep up the good work! :)

ActiveSync on IAG - Certificate Issues

blog@andytang.com (Andy Tang) — Tue, 06 Oct 2009 19:04:00 +0000

I realised the other day that I hadn't updated the issue that was encountered within this blog post about ActiveSync on IAG.

Well the issue turned out to be certificate related. The Exchange server was using a self signed certificate, so the trusted root certificate had to be added to the mobile devices.

There is some well documented information with regards to configuring Exchange 2003 ActiveSync using a self-signed SSL certificate.

Export the root certificate

On the Certificate Authority that issued the certificate to the Exchange server, open the Control Panel and double click Internet Options. NOTE - this guide assumes that you are using a Microsoft CA.
Click on the Content tab and then on the Certificates button.
Click on the Trusted Root Certification Authorities tab.
Locate the trusted root certificate for your domain. It is vital that the certificate be trusted rather than be listed under any other tab. Select the certificate and click on the Export button.
The Export Certificate Wizard will be displayed, click Next.
Select the option to export the certificate in DER encoded binary X.509 (.CER) format and click Next.
Enter a name for the certificate and specify where you would like the file saved. Click Next,
Finish and then OK.

Install the root certificate onto the client device

Now locate the .cer file created and copy it to your PDA via Microsoft ActiveSync to any folder on the device (for a Windows Mobile device), or using the appropriate synchronisation software for your device. Alternatively the file could also be saved to a memory card or transferred via Bluetooth.
On the PDA, open File Explorer and browse to the folder where you saved the certificate.
Tap on the icon for the certificate and tap Yes to install it when prompted.
On a Windows Mobile device, tap on Start → Settings → System → Certificates → Root and verify that the certificate is listed.
You are now ready to use Server ActiveSync securely, using your own SSL certificate.

There is also some useful troubleshooting information here: http://blogs.technet.com/edgeaccessblog/archive/2008/07/29/publishing-microsoft-activesync-through-iag-2007-part-2-of-2.aspx

Barracuda EMEA Partner Conference & Barracuda Backup Service

blog@andytang.com (Andy Tang) — Sat, 03 Oct 2009 22:16:00 +0000

I returned from Prague inspired with the Barracuda philosophy, as well as getting a better insight into the existing product range, and new products and features.

It was great to meet the senior management team of Barracuda, and meet people so driven and inspired by them.

It was also a good opportunity to meet existing e92plus resellers and our Dutch work colleagues from e92plus NL, as well as meet other resellers from around EMEA. It was good to meet Keith, who recognised me from this blog!

The product the caused the most buzz at the conference was the new Barracuda Backup Service.

Using a Barracuda appliance and software agents, you will be able to back up the servers within your organisation. This will obviously give a great alternative to existing tape back ups, but easy restoration and aaccessibility to your data as the appliance is onsite.

Obviously, you will say, what if something were to happen to the building, datacentre, appliance, etc, well the other component of the service is an offsite back solution. Previously this service was only available in the States, but due to some data laws within Europe, the data should not be store outsite of certain countries or Europe. The new datacentres for this European wide launch of this solution will be based in the UK, with new datacentres opening around Europe as and when.

This will allow data to be backed up onsite and allow quick restoration. In a DR situation, the data can be restore from the datacentres. You are able to select which data is sent offsite, so you are able to stop certain data from leaving your organisation.

More detailed information on the Barracuda website regarding the Barracuda Backup Service

The product is officially being launched on the 14th October at Storage Expo 2009 , and e92plus are holding sales training on 23rd October

How much is the service, well aside from the appliance and subscription cost, the offsite data storage is purchased in 100GB chunks, at only....... €69 per month per 100GB!!!

Work out the cost of your existing tape solution, and the savings will become obvious.

Virtualisation on Windows 7 64 Bit?

blog@andytang.com (Andy Tang) — Wed, 30 Sep 2009 23:24:00 +0000

As you may have guessed, I'm currently running Windows 7 Enterprise 64-bit on my new laptop. All is going well, but I have encountered an issue!!

I have a number of Virtual PC guests which use the old version of Virtual PC. I have obviously install Virtual PC RC, in order to achieve the XP Mode, which allows me to use IAG within the 64 bit environment.

My older Virtual PC files don't work in Virtual PC RC!!

So sensing a time for change and to purge the elements I don't use, I recreated the Virtual PC sessions on VPC RC. It's at this point, I think I should try out UAG in a demo environment, but as I have to use Windows 2008 R2 Beta, I discover that Virtual PC doesn't support a 64 bit environment and I seem to get jerky guest sessions unless I allocate a lot of memory and install the integration software, so what are my alternatives:

I have used VMWare Server in the past, and although the software supports 64 bit clients, but the amount of services the software uses up, makes me investigate how to stop these services when I don't use VMWare. I end up switching all the VMWare services to Manual, and then create a batch file to initiate them.

After much snooping and Googling, I discover Sun VirtualBox

I find that it is very easy to use, it will support 64 bit clients (which seems to be better tab) and it is effiecient with its resources (unlike VMWare)

Sun VirtualBox is now my main client for any virtualised environment!! (and best of all, it's free!!)

IAG SP2 Update 2... finally!

blog@andytang.com (Andy Tang) — Thu, 24 Sep 2009 18:54:00 +0000

There were a number of rumours that SP2 Update 2 would include 64 bit client support, but it seems it was just that... a rumour! The current rumour is that 64 bit client support will be available with SP2 Update 3, which is good considering we were always told that IAG would never support 64 bit operating systems. We can make Windows 7 64-bit work by using XP Mode (and detailed in the previous blog posting)

After QA testing from Celestix, IAG SP2 Update 2 is now available from the Celestix website.

The following issues are addressed with this update:

Fixed erroneous IAG behavior when headers contain blank characters
For trunks which do not publish an AAM application, the IAG Session cookie will be a site cookie instead of a domain cookie
Fixed bug for supporting Citrix XenApp5 application
Fixed parsing of text/html response Content-type (not binary) body using Chunked encoding type
Fixed a failure occurring when using IAG’s Socket Forwarding client component on a Citrix terminal server
Fixed a SharePoint Persistent Cookie Name Race Condition
Fixed an Authorization Key Header memory Corruption while using an "Authorization Key" header
Fixed a failure in the endpoint detection policy of AVG on the client computer (mistyped value in the detection policy expression)
Fixed an Incorrect header removal when header is substring of another header
Fixed Day Light Saving change leading to a deletion of Internalsite and Portal rules
The communication between Windows Mobile 6.1 and Exchange 2007 SP1 has changed slightly due to the updating of the EAS protocol to EAS v12.1 – added support/fix for it
Enabling above 2KB http header request by modifying the following registry key (MaxAllHeadersLen), to prevent SNT from throwing the following error to the client: "Allow http header block of a request to exceed 2KB and avoid SNT throwing an error"
Fixed non English locales inconsistent encoding/decoding detection
Fixed few issues related to FormLogin authentication
Modified the rule-set that broke Java SSL Wrapper
Added support iPhone and Blackberry support
Fixed non-IE detection security issues

IAG SP2 Update 2 - Release_Notes

IAG SP2 Update 2 - Installation File

Does IAG work with Windows 7 (64 bit)?

blog@andytang.com (Andy Tang) — Thu, 24 Sep 2009 18:04:00 +0000

After much experimenting with Windows 7 32 bit, you can see you are able to get Microsoft IAG to work with it, as can be been in one of my previous blog posts.

Now I hope we are all aware that 64-bit Windows operating systems are not supported by IAG. I know there were rumours of 64-bit support being released with IAG SP 2 Update 2, but that is not the case. We will discuss this update is a later blog posting.

Well I was fortunate enough to be provided with a new work laptop, which has a faster processor, bigger hard disk and more importantly 4GB RAM. I did initially install Windows 7 Enterprise 32-bit, but was disappointed to only see that 3GB was recognised by the OS (I would have lived with only 3.25-3.5GB being seen), so I bit the bullet and installed Windows 7 Enterprise 64-bit so that all the RAM is seen and can be used.

I know that Windows 7 64-bit will allow you to install applications as either 32 or 64 bit, so some things like Java should be installed twice to work with both 32 and 63-bit IE browsers, will specific 32 bit applications an be installed and used. That said, despite the workaround detailed for Windows 7 32 bit, this does not work in Windows 7 64 bit!

Luckily, Microsoft have a Windows XP Mode as a solution: http://www.microsoft.com/windows/virtual-pc/download.aspx

By installing Windows Virtual PC RC and Windows XP Mode RC, it will allow you to run a virtualised version of XP on your Windows 7 desktop. There are not additional licenses to consider, but you will need a processor with either Intel® Virtualization Technology or AMD-V™ feature turned on. I downloaded this application from the Intel website to check that my processor supported this feature from here: http://www.intel.com/support/processors/tools/piu/

I found these step by step instructions on Windows 7 XP Mode, which I found very useful: http://lifehacker.com/5245396/set-up-and-use-xp-mode-in-windows-7

Once installed and working, I also installed Avira Premium Security Suite software to remove the Microsoft Security Centre red shield.

I created a shortcut into the all users folder of the virtualised desktop, to my IAG website. This also placed the shortcut into the start menu of my Windows 7 Enterprise 64 bit. By clicking the link, it will start up an IE browser to my IAG appliance from the XP virtual environment, which gives a pretty seamless experience and I retain full IAG functionality.... phew!!!

Websense Hosted Email Security Training

blog@andytang.com (Andy Tang) — Tue, 22 Sep 2009 20:40:00 +0000

I had a very interesting day learning more about Websense Hosted Email Security.

People always assume that any hosted (or Software as a Service - SaaS, for the hip and groovy Twitter generation) solution is more expensive, but it's just a common misconception, along with other common myths:

Cost - It will be more expensive than an appliance or software
Control - You will lose control of the solution
Data Leaks - The soution will not be able to protect from data leakage
Security/Privacy - Your email will not be secure
Reliability - The solution will not be reliable

Well these should be addressed:

Cost - Have all costs been taken into account, including additional hardware, subscriptions, bandwidth, storage, electricity and labour!
Control - Websense provides 24x7 control, including policy control, user/group policies, LDAP synchronisation, message search facilities, end user quarantine and flexible reporting.
Data Leaks - Websense includes built in data leak protection, including dictionaires, deep content inspection and custom dictionaires with support for regular expressions.
Security/Privacy - Websense is just another hop in the chain for the email. Websense is ISO27001 certified, and TLS can be used to create a secure channel to the Websense datacentres.
Reliability - Websense provides a 99.999% availability SLA

To summarise the Websense Hosted Email Security:

Increased protection, coupled with an SLA
Reduce costs
Retain control

Why wouldn't you use the hosted solution???!!!

IAG and Citrix XenApp 5

blog@andytang.com (Andy Tang) — Tue, 22 Sep 2009 19:18:00 +0000

I had a fun day in Northampton on Monday and it was thanks to Wayne and Daryl for being such great company!

A seemingly straight forward IAG implementation, with straight forward requirements:

The applications required were OWA and Citrix XenApp, with RDP as a nice to have. The authentication methods were Windows AD and VASCO. Basic customisation and guidelines about housekeeping and DR.

We were replacing a SonicWALL SSL-VPN solution, which works in a single NIC configuration, so a number of services were needed from the appliance back into the LAN. We started by reviewing the firewall rules, removing the existing SonicWALL SSL-VPN rules, and creating a port 80 and 443 access on the WAN side of the Celestix appliance, as well double checking existing NAT rules to ensure that the external side was accessible through the internet.

The authenication methods were straight forward, but an oversight on the VASCO delayed the deployment, but after creating the backend to point at the IAG appliance, it was up and running!

OWA worked fine, but oddly RDP didn't work back to the blade servers, but did the Celestix appliance. Obviously a configuration on the blade servers need to be modified, but not really my field of expertise. Apparently this blade server setup can be configured with a web interface, so that could be published as a generic web app, when it's up and running.

The existing SSL certificate on the SonicWALL was moved to the Celestix appliance, after creating the CSR file from within IIS and getting the supplier to reissue the certificate. It was getting late, but the certificate wasn't working. We were unable to access the website, but we could with the self signed certificate. My gut feel was an issue with either the CSR file, or the creation of the CER file. We reverted back to the self signed certificate, but the customer was going to recreate the CSR file and get another reissue..... I found out today that this solved the issue!! (Phew!)

The reason for this blog entry was really due to the issue we encountered with the Citrix XenApp! Having deployed a number of Celestix appliances to work with Citrix Presentation Servers, I was quite confident that there really wouldn't be much difference with XenApp..... (How wrong I was!!)

I published the XenApp server and all seemed to work, but when you start up the application, we recieved the following message: Error: Cookies Required

My gut feel was that as XenApp worked before the issue lay with the configuration within IAG. After a bit of searching, we found this Citrix article: http://support.citrix.com/article/CTX117597

This article didn't really hit the nail on the head, but after a little experimentation, we found that this solved the issue, as detailed by the customer. As this software will not allow me to post Javascript code correctly, please find the details in the text file: XenApp5.txt

Does IAG work with Windows 7 (32 bit)?

blog@andytang.com (Andy Tang) — Sat, 19 Sep 2009 20:09:00 +0000

Well IAG did work when I was using Windows 7 RC (32 bit) on my netbook, but it no longer works on Windows 7 RTM (32 bit)!! :( I couldn't even get the login page to show!!

A bit of Googling found these instructions:

Copy the folder located here from your Celestix WSA appliance: C:\Whale-Com\e-Gap\utils\OfflineClientSetup to a temporary location on your computer
Find "Setup.exe" and set the compartibility mode to "Windows Vista SP2"
Find "ComponentsConfig.xml", and edit the Network Connector entry so install="1"
Run the setup.exe (as administrator)
Select either normal or custom, depending on what is required
Ignore the error "Can not register Whale Client Components whlvaw.dll" and finish the program
Start up the Command Prompt as Administrator, then start up Powershell within the command shell
Switch to the path "C:\Program Files\Whale Communications\Client Components\3.1.0″
Execute the command: "regsvr32 whlvaw.dll" (Attention: Ignore the Warning about the Driver installation and select YES)
The Network Connector should work as long as you start Internet Explorer as Administrator, because the file "whlioc.exe" & "whliocsv.exe" require local administrator rights.

The original post is here: http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/a7ca54cc-60e7-467a-961c-fc4b32151249 - Thanks Joerg! :)