Monthly Archives: November 2006

Site notices

More blog spam

A few months back I had to enable comment moderation on this site to deal with the blog spam I was getting. Unfortunately, over the last few days I’ve had to delete hundreds of spam comments sent to my e-mail for moderation so, with regret, I’ve had to turn on word verification to make sure that comments are only left by humans.

Please continue to leave comments on the blog – it’s always nice to hear when something was useful, or when someone has some additional information relating to one of my posts. I’m just sorry that I have to put these blocks in to make it harder for the ‘bots – unfortunately it also makes it harder for people to leave genuine comments too.

Uncategorized

Office Groove 2007 overview

Microsoft Office

At the risk of annoying yet more people at Microsoft after my comments in this week’s Computer Weekly, last night I attended what was probably the worst Microsoft event I’ve ever been to. To be fair to Microsoft, they are kind of pre-occupied this week… some sort of big launch happening today… something called Windows Vista and Office 2007… but this was Bad (note the capital B).

I’m not sure if I should name the presenters – I’ll just say that there was an IT Pro Evangelist who is normally both a good presenter and who generally gives the impression of possessing detailed product knowledge (something which was sadly lacking at this event) supporting someone from the marketing side of the organisation as she gave a very superficial run through a slide deck with which she was clearly unfamiliar.

Microsoft Office Groove 2007

The topic was Office Groove 2007 and this was supposed to be a technical overview. To me, it felt like an unrehearsed dry run of a presentation about a product that has been bought into the company and which, based on last night’s presentation, very few Microsoft people understand. Luckily, Ray Jordan from D2i Solutions – the UK distribution partner for the original Groove Networks product line – was extremely knowledgeable and stepped in to rescue the event (although he seemed to disappear at the refreshment break – presumably embarrassed at having to answer questions from the audience to pick up on the Microsoft presenters’ shortcomings).

For those who are not familiar, Groove Networks was a company founded in 1997 by Ray Ozzie (originally of Lotus Notes fame and now Microsoft Chief Software Architect) which specialised in collaboration products and was purchased by Microsoft in 2005. There’s some speculation as to whether Microsoft wanted the company’s products or were really after Ray Ozzie himself, but whatever the politics, Groove Virtual Office is now being absorbed into Microsoft Office.

I used Groove Virtual Office 3.1 for a recent project and found it both useful and impressive. With the launch of Office Groove 2007, I was interested to see what Microsoft has done to the product. It seems that the product bundling has changed and there are some minor changes but on the whole it’s very similar.

Office Groove 2007 is a team workspace application that provides for greater collaboration between customers, partners and colleagues, with each user having access to a number of collaborative workspaces across a range of projects. These workspaces may be customised with a range of tools and templates to allow people to use their time effectively through offline working, yet remaining synchronised.

Whereas users in a corporate environment are used to sharing information using file servers and intranets, once a project or other collaboration requirement crosses organisational boundaries it gets more difficult. Groove overcomes this using a highly secure yet distributed architecture whereby each workspace member synchronises changes with others and a relay server acts as a broker when workspace members are offline.

The process of sharing a workspace involves either synchronising a local folder via Groove or creating a new XML datastore, protected using an internal PKI mechanism (with 192-bit AES encryption), then inviting others to join the workspace and sharing encryption keys between members. Each workspace member is allocated one of three roles – manager, participant or guest – and has an exact copy of the workspace. These roles can be amended within the workspace properties and the permissions assigned to each role can also be adjusted. When synchronising changes only the changed portions of the database are transmitted (a hash is calculated on the whole file and on each portion of the file – by comparing hashes it is possible to work out which portions have been modified) and because each change and the whole workspace is signed using the internal PKI (as well as all network traffic) it is impossible to inject any malicious changes.
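The portion-hash comparison and authenticated changes described above, as an added sketch (not Groove's code or wire format, which this post does not describe). SHA-256, the 16-byte portion size, the JSON delta layout and all function names are assumptions, and an HMAC over a shared key stands in for Groove's PKI signatures so that only the standard library is needed.

```python
import hashlib
import hmac
import json

PORTION = 16  # bytes per portion; tiny so the demo is readable (assumed value)
KEY = b"constructed-demo-workspace-key"  # constructed; stands in for workspace keys
# Constructed sample workspace file, before and after one member's edit.
OLD = b"agenda: kickoff\nowner: alice\nstatus: draft\nnotes: none yet\n"
NEW = b"agenda: kickoff\nowner: alice\nstatus: FINAL\nnotes: none yet\n"


def portions(data: bytes) -> list[bytes]:
    return [data[i:i + PORTION] for i in range(0, len(data), PORTION)]


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest(data: bytes) -> dict:
    """Hash of the whole file plus one hash per portion."""
    return {"whole": digest(data), "parts": [digest(p) for p in portions(data)]}


def changed_indices(old: dict, new: dict) -> list[int]:
    """Portions whose hash differs, including portions appended at the end."""
    if old["whole"] == new["whole"]:
        return []  # whole-file hashes match: nothing to send
    return [i for i, h in enumerate(new["parts"])
            if i >= len(old["parts"]) or old["parts"][i] != h]


def tag_for(key: bytes, body: dict) -> str:
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def make_delta(key: bytes, old: bytes, new: bytes) -> dict:
    """Sender: ship only the modified portions, authenticated as one unit."""
    new_m, parts = manifest(new), portions(new)
    body = {
        "whole": new_m["whole"],   # lets the receiver check the end result
        "count": len(parts),       # lets the receiver handle growth/truncation
        "changes": {str(i): parts[i].hex()
                    for i in changed_indices(manifest(old), new_m)},
    }
    return {"body": body, "tag": tag_for(key, body)}


def apply_delta(key: bytes, local: bytes, delta: dict) -> bytes:
    """Receiver: verify the tag before touching data, patch, re-check the hash."""
    body = delta["body"]
    if not hmac.compare_digest(tag_for(key, body), delta["tag"]):
        raise ValueError("delta rejected: authentication tag mismatch")
    parts = portions(local)[:body["count"]]
    parts += [b""] * (body["count"] - len(parts))
    for idx, hexdata in body["changes"].items():
        parts[int(idx)] = bytes.fromhex(hexdata)
    result = b"".join(parts)
    if digest(result) != body["whole"]:
        raise ValueError("delta rejected: result does not match workspace hash")
    return result


if __name__ == "__main__":
    d = make_delta(KEY, OLD, NEW)
    print("portions sent:", sorted(d["body"]["changes"]), "of", d["body"]["count"])
    print("in sync:", apply_delta(KEY, OLD, d) == NEW)
```

With fixed-size portions an insertion shifts every later portion, so all of them are resent; the final whole-file check also catches a receiver whose local copy had already diverged from what the sender assumed.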

If a workspace member does not access the workspace for 21 days then they are uninvited – a process which involves all other members having new keys issued – effectively locking the absent member out of the workspace. If a member cannot sign in they can still work offline and access data but no changes will be synchronised. When I suggested that this was a security loophole it was pointed out to me that it is really no worse than traditional methods of sharing data (e.g. transferring files via e-mail) and that digital rights management can be applied to further protect the data (although that would remove many of the advantages of offline access to the workspace).

In addition to controlling workspace members, Groove is able to synchronise data between devices (e.g. a home PC and a work PC) by inviting other devices into the workspace. If a conflict does occur during synchronisation, then two copies are created and the duplicate is suffixed with the username.

Within Groove, it’s easy to identify new content as it gains an additional red flash on the icon. There’s also a communications manager which can be used to monitor the status of synchronisation.

By default, Groove communicates using its native simple symmetrical transfer protocol (SSTP) over TCP port 2492. If this port is unavailable (e.g. blocked by a firewall) then the client and/or relay servers will encapsulate messages within standard HTTP and drop back to using HTTPS over port 443 or, as a last resort, HTTP on port 80, as described in Microsoft knowledge base article 917165.

Each workspace can be based on a standard template or can include additional collaboration tools, including file sharing, discussion tool, calendar, forms, SharePoint files, meeting tool, notepad, pictures and a sketchpad. It’s also possible to build custom forms (or to import them from InfoPath). In addition to workspaces, Groove provides an instant messaging and presence awareness capability for workspace members. I found it strange that Microsoft should continue the use of the Groove instant messaging feature (in addition to its other IM clients) but in reality this is the lowest common denominator – it will read contact lists for both Windows Live Messenger and Office Communicator but because there are no guarantees that all workspace members will be using the same instant messaging client, building the capability into Groove neatly circumvents any connectivity issues.

One of the main changes with Microsoft Office Groove is the product packaging – whereas the Groove Networks incarnation of the product was based around a distributed network of users and Groove’s own public (but highly secure) servers, corporate customers need to see that their data is stored on servers under their own control, with tight controls over account creation. Consequently, Microsoft have made it easier for corporate clients to run the Groove server product internally.

In addition to the Office Groove client application, there are a number of server roles – manager, relay (which stores and forwards synchronisation data and messages between workspace members who come online while others are offline), data bridge (to allow the extension of data to other teams) and an enterprise auditing management server.

Centralised administration is made possible using policies to apply identity and device controls (e.g. throttling bandwidth). The Groove server maintains its own account database (which can be synchronised with other directory servers) for provisioning and revoking access and this is where Groove’s heritage is obvious – it would seem reasonable to expect future versions of the product to feature tighter Active Directory integration and possibly the use of ADAM where a connection to a non-Microsoft directory is required.

One potential issue for organisations looking at using Groove in a centralised manner is that of backing up the distributed data within Groove, because there is no central storage location and backups of local copies of the workspace can be invalidated by subsequent PKI key changes. Microsoft’s answer is that the synchronisation mechanism provides built-in protection – certainly more than is generally afforded to user data held on individual PCs.

There is still a hosted version of the product – Office Live Groove. This allows workspace members to use the Groove client with a public relay server; however they do not lose any of the security within the product. All communications are still signed and all data on the relay server is transient. For many organisations that do not want to maintain their own Groove server infrastructure, this is an ideal solution.

In all, Office Groove 2007 looks to be a great product. The only problem I can see is persuading an IT Manager from a blue-chip corporate to look at a product called “Groove” (it’s probably not such an issue in a creative organisation). Maybe the usual bland Microsoft product names are not so bad after all…

To find out more, read the Microsoft Office Groove 2007 product guide or download a trial version of Office Groove 2007 – both are available from the Microsoft website.


VMware ESX Server and HP MSA1500 – Active/Active or Active/Passive?

Recently, I’ve been working on a design for a virtual infrastructure, based on VMware Virtual Infrastructure 3 with HP ProLiant servers and a small SAN – an HP MSA1500cs with MSA30 (Ultra320 SCSI) and MSA20 (SATA) disk shelves.

The MSA is intended as a stopgap solution until we have an enterprise SAN in place but it’s an inexpensive workgroup solution which will allow us to get the virtual infrastructure up and running, providing a mixture of SATA LUNs (for VCB, disk images, templates, etc.) and SCSI LUNs (for production virtual machines). The MSA’s Achilles’ heel is the controller, which only provides a single 2Gbps fibre channel connection – a serious bottleneck. Whilst two MSA1500 controllers can be used, the default configuration is active-passive; however HP now has firmware for active-active configurations when used with certain operating systems – what was unclear to me was how VMware ESX Server would see this.

I asked the question in the VMTN community forums thread entitled Active-Active MSA controller config. with VI3 and MSA1500 and got some helpful responses indicating that an active-active configuration was possible; however, as another user pointed out, the recommended most recently used (MRU) path policy seemed to be at odds with VMware’s fixed path advice for active-active controller configurations.

Thanks to the instructor on my VMware training course this week, I learned that, although the MSA controllers are active-active (i.e. they are both up and running – rather than one of them remaining in standby mode), they are not active-active from a VMware perspective – i.e. each controller can present a different set of LUNs to the ESX server but there is only one path to a LUN at any one time. Therefore, to ESX Server they are still active-passive. I also found the following on another post which seems to have been removed from the VMTN site (at least, I couldn’t get the link from Google to work) but Google had a cached copy of it:

“The active/active description”… “seems to imply that they are active/active in the sense that both are doing work but perhaps driving different LUN’s? i.e. if you have 10 volumes defined you might have 5 driven by controller A and 5 driven by controller B. Should either A or B fail all ten are going to be driven by the surviving controller. This is active/active yes [but] this is also the definition of active/passive in ESX words (i.e. only one controller have access to one LUN at any given time).”

Based on the above quote, it seems that MSA1500 solutions can be used with VMware products in an active-active configuration (which should, theoretically, double the throughput) but the MRU recommended path policy must be used as only one controller can access a LUN at any given time.


Typing # on an Apple UK keyboard

One thing that’s really annoying for UK-based Mac users is the lack of a # symbol on the Apple keyboard. In the US this is known as a “pound” but in UK English (or “English”, as I prefer to call it!), a pound symbol is £ for pounds sterling (our unit of currency) or lb for the imperial unit of weight and we call # “hash”.

Anyway, it turns out that UK keyboard users can type alt+3 to generate a # character.

Now all I need to do is work out how to get a backslash (\) when I’m working in Windows from a remote console (RDP) session on my Mac…


More on iChat AV

A couple of weeks back I wrote about the issues I was having getting iChat AV working with services other than .Mac. Well, a few days ago, Alex and I finally managed to get it all working as intended.

This is what I learnt:

  • Audio/visual (AV) chat is not supported over Jabber (I thought that it might work on a point-to-point basis as some commercial real-time collaboration products do – e.g. Microsoft Live Communications Server); however it does work using an ICQ account via the AOL Instant Messenger (AIM) transport within iChat AV.
  • If your buddy keeps switching out of iChat into other IM programs (e.g. Adium) then it will break your testing… Despite having loads of nice features Adium doesn’t support AV.
  • Some IM client combinations will render the conversation as raw HTML. That’s not very nice.
  • After deleting a contact from my buddy list, I was having problems recreating it (and was receiving a bizarre Feedbag error 14 message). Eventually, I gave up trying to add the contact via iChat (on either the AIM or the Jabber transport) and instead installed the native ICQ client, added my contact, and then switched back to using iChat AV (which could then read the contact from my ICQ buddy list). Following this, the audio/video icons (and menu options), previously greyed out, were enabled and we were able to have an audio/video conversation.

There’s a conversation thread on the Apple Forums that describes some more of the troubleshooting steps that I went through.


Reloading deleted podcasts in iTunes

Recently, I’ve had problems with a couple of the podcasts that I’m subscribed to via iTunes whereby I’ve downloaded a new episode only to find it’s actually a re-post of the previous one with a new description. After deleting the duplicate podcast, iTunes does not download it again (even by forcing an update) but I found a tip (unfortunately I can’t find the original link but there is a Mac OS X hint that sounds similar) that led me to hold the option/alt key and click on the triangle next to the feed name (when the feed is collapsed) to resync the feed, after which it is possible to download all the missed episodes that are still available. I’ve tried this using iTunes v7.0.1 on Mac OS X 10.4.8 – I guess it also works on Windows but I haven’t tried.


Windows Live OneCare Safety Scan

Based on the content I write, I imagine that most readers of this blog will be IT professionals. That generally means two things:

  • Your family don’t understand what you do (e.g. “Mark works in computers”).
  • Your family and friends think that because you “work in computers” that you can fix their PC.

I fell foul of this a couple of times over the last few days. The first time was no big deal – a few months back, I had given my parents an old laptop and now they are really getting into e-mail and the web; however it was booting very slowly because a well-intended friend of theirs had installed the popular (and free for non-commercial use) AVG Anti-Virus (along with a load of unnecessary applications) and it was performing a full scan on every boot (I had already installed Symantec AntiVirus which was working quite nicely in a far less obtrusive manner). Once I removed AVG, performance was back to normal… so much for well-intentioned friends.

The second instance was last night, when my brother said he’d applied some updates to his PC and now he couldn’t get into Excel. That was easy enough (Microsoft Office XP required the original media to complete installation of an update), but I decided to check out the general state of the PC and was a little alarmed. Because the PC is only connected to the Internet via a modem, downloading updates takes a long time – automatic updates will trickle feed and my brother had kept his anti-virus definitions up-to-date but it still needed a lot of attention. Microsoft Update told me that it would need most of the night to download its updates, so I took it home (disconnected everything else from my LAN as a precaution) and hooked it up to my ADSL line, before spending the next couple of hours downloading and applying 61 Microsoft updates (as well as updating AdAware SE Personal Edition, which was over 700 days out of date).

Having given the PC a clean bill of health with AdAware (luckily the dial-up connection had minimised the spyware threat and it just had 52 tracking cookies to remove), I decided to check out another tool that, ironically, an Apple support page had alerted me to the existence of – the Windows Live OneCare Safety Scan.

Other antivirus vendors have online scanners (e.g. McAfee, Symantec and Trend Micro) but the advantage of the Microsoft version is that the full scan checks for viruses, spyware, disk fragmentation, temporary files, redundant registry data, and open network ports – what would appear to be a fairly thorough healthcheck, all through one ActiveX control.

Another feature is that you can run individual scans for protection, cleaning up or tuning the system (each effectively a component of the full scan described above). Finally, for Windows Vista users, the Windows Live OneCare site also provides a beta for a Vista-aware full service safety scan.


Note to ego: I am a blogger, not a journalist

Last week I wrote about how I was expecting to feature in a couple of upcoming articles for Computer Weekly and The Independent. In future, I should remember that what is said to a journalist is not always the message that makes it to paper and what is written is not always what is published!

My part in Rob Griffin’s how to blog your way to fame and fortune article was short and sweet, but that’s fine – Rob was a nice guy to chat to and getting so much information into 1500 words is always going to mean that there’s only room for small soundbites from the likes of me. I’m also a techie, whereas the target audience for the article was a typical consumer who’s heard about blogging and wants to give it a go. The original idea was that I might feature in a case study, but in reality I’m a small-time blogger who can cover his hosting costs and buy the odd gadget with his advertising revenue – nowhere near the £2000 a month that the chosen case study (Craig Munro) says is possible. In fact, whilst that figure is theoretically possible, most bloggers won’t get near that sort of income because it would be a full-time task (and someone who can write that much original content could earn more in a proper full-time job).

Computer Weekly’s pretty interfaces alone do not make a business case was slightly disappointing. I was asked to rewrite two existing blog posts into about 500 words for publishing in Computer Weekly. After a few hours of unpaid editing and redrafting, I submitted a piece entitled Windows Vista is finally here… but XP’s not dead yet; however editorial considerations have meant that just over 500 words became just under 300. I’ll admit that what was published was much punchier than my original submission, but it inevitably lost some of the background information and slightly distorted the message (this is what I actually wrote). Still, at least I got a link back to this blog from a well-respected publisher (which may help to drive traffic to the site – a cursory glance over my web stats reveals no evidence of that yet though).

So what should be learnt from this? Firstly, that bloggers are not journalists (at least most of us aren’t). Blogging is a time-consuming creative process that can be fun but is unlikely to make you a fortune. Secondly, print media is a hard world that takes no prisoners. If you submit something for publishing, expect the final result to differ from your original creation.


TalkTalk “free” broadband… here’s the catch

Carphone Warehouse subsidiary TalkTalk’s free broadband has always sounded too good to be true to me.

Now, one of my colleagues has just alerted a large chunk of our company’s technical staff to the fact that TalkTalk throttle VPN access as if it were peer-to-peer (P2P) traffic. My colleague is powerless to cancel his 18-month contract, and TalkTalk refuses to do anything to help him as they state that VPN access is for business use and that they offer a residential service.

It seems to me that, for telecoms in general and specifically for broadband, you get what you pay for. I recommend PlusNet – not always great customer service (but not that bad either) but a reliable connection, both when I was on dial-up and since I switched to broadband a few years back. If all you need is a hosting provider, then get in touch with my friends at ascomi.

Anyone else having trouble with TalkTalk might be interested in the Less TalkTalk: More Service – unofficial, unaffiliated TalkTalk blog, although be warned that there are a lot of frustrated (and some illiterate) people over there.


Licensing implications for virtualisation

Ever since Microsoft announced its new licensing policy for virtualisation, I’ve been trying to get an answer on whether the “4 free guests with every copy of Windows Server 2003 R2 Enterprise Edition (or unlimited guests with DataCenter Edition)” applies when non-Microsoft virtualisation products are in use.

Various Microsoft representatives have indicated to me that to restrict it to Microsoft virtualisation products would not be possible but no-one seemed 100% certain on the answer and I didn’t want to place myself in the situation where I advised a client that they had sufficient Windows licenses when in fact they were under-licensed. Earlier today I found the VMware pricing and licensing FAQ: Microsoft licensing for virtualised environments which answers my question, although it is also heavily caveated:

“This document is provided solely as a convenience for VMware employees, partners, customers and prospects and does not constitute legal advice. Your review of this FAQ should not substitute for review of applicable Microsoft licensing agreements and documentation”

Basically, it looks as if the Microsoft licensing arrangements apply regardless of the virtualisation product in use – in fact you don’t even need to have Windows installed on the host server – as long as an appropriate Windows license is owned (so ESX Server users can run 4 Windows instances free of charge, provided that they also own a “spare” copy of Windows Server 2003 R2 Enterprise Edition).

Another licensing issue that’s been concerning me is VMware’s model of licensing server products such as Virtual Infrastructure 3 by pairs of physical processors (2 sockets). For example, a 4-way HP ProLiant DL585G2 with 4 dual-core AMD Opteron CPUs would need 2 licenses (2 x 2 sockets) even though there would be 8 logical CPUs. With the imminent arrival of quad-core CPUs and predictions of many more cores on future processors, I had to wonder how long this model could be sustained and VMware has provided a clue to the answer in the VMware multi-core pricing and licensing policy. Basically, it seems that 4 cores is the breakpoint:

“[VMware's] policy defines a processor for licensing purposes as up to four cores per processor.”

So, any future 8-core CPU could be expected to use up 2 processors’ worth of VMware licenses. Confused? Well, even VMware are reserving judgement:

“This policy applies only to dual- and quad-core processors. VMware will revisit its licensing policies as x86 processors with a greater number of cores become available.”

There’s more information about multicore processors on the Intel and AMD websites.
