Is Apple so cool that their stores don’t need safety notices?

This content is 16 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Last Sunday, I was looking after the kids for the morning to give my wife some R&R. I needed to head to the shopping centre (mall) in Milton Keynes, so whilst I was there, I decided to “drop in” to the new Apple retail store (as geeks do). OK, so it’s an Apple Store – light and airy – even if it is shoehorned into a standard retail unit (this is Milton Keynes, not Regent Street!) and it sure as hell beats the old “Apple Store” in Tesco! I wanted to pick up a copy of VMware Fusion and an invisibleSHIELD for my iPod so that it can remain protected when I plug it into the iPod dock in my wife’s new Volkswagen.

I managed to get the last copy of VMware Fusion but was out of luck on the invisibleSHIELD (the “genius” I spoke to had never heard of it and tried to sell me a normal case), then I made the mistake of trying to leave the store…

I already mentioned that I had my children with me but I didn’t point out that they are aged 3 and 1, and as I wanted to move at a reasonable pace, they were both riding in a double pushchair. Being just a normal retail unit, the store has a small lift at the end of a short corridor at the back, but it is definitely for customer use. I wheeled in the pushchair, my son pressed the button to go down and we moved the vast distance of about 18 inches before the lift stopped and there was a faint beep. I pushed the buttons but nothing happened. I tried to open the door but it was locked. I picked up the intercom but there was no dial tone – and no-one answering. At this point I was worried. It seemed I was stuck in a lift with 2 toddlers and no obvious way to call for help.

Purely by chance I moved the pushchair and the beep stopped. Then I pushed the button and the lift began to move. It seems that the sound was an alarm that cuts in when sensors detect that the lift occupants are too close to the edge (it’s the sort of lift that has a moving platform rather than a closed “box”) but where were the safety notices? And why hadn’t the intercom worked when I picked it up? Should I have pressed another button? I don’t know – there were no instructions!

It seems that Apple expects its customers to be technical enough to work these things out for themselves. Or maybe the display of some safety notices in the lift runs contrary to the aesthetics of an Apple retail store…

Category management in Outlook 2003 and 2007

Office 2007 has many improvements over previous versions but most of my colleagues use Office 2003. As I’ve had to install a virtual machine (VM) on my 64-bit desktop in order to run essential 32-bit applications (like our VPN client), I decided to stay as close to the corporate standard as possible and installed Office 2003 in the VM. One unfortunate side effect (apart from the many features that I am missing in Outlook) was the loss of the categories upon which much of my e-mail searching and filtering is based.

Earlier versions of Outlook featured something called the master category list, which could be transferred between PCs using a registry key export and import. Unfortunately, Outlook 2007 dispenses with this approach and instead stores the categories in the master store (mailbox or personal folder).

It seems that I can still search and filter on the categories that my mail was assigned to (they are just not in the master category list) but this also restricted me when adding new mail to categories.

In the end, I decided that reverting to Outlook 2003 was just too painful and I started using Outlook 2007 again to access my corporate e-mail.

The following links may be useful to anyone else who is trying to get to grips with categories in Outlook:

Hyper-V and networking

For those who have worked with hosted virtualisation (Microsoft Virtual PC and Virtual Server, VMware Workstation and Server, Parallels Desktop, etc.) and haven’t experienced hypervisor-based virtualisation, Microsoft Hyper-V is fundamentally different in a number of ways. Architecturally, it’s not dissimilar to the Xen hypervisor (in fact, there are a lot of similarities between the two) and Xen’s domain 0 is analogous to the parent partition in Hyper-V (effectively, when the Hyper-V role is added to a Windows Server 2008 computer, the hypervisor is “slid” underneath the existing Windows installation and that becomes the parent partition). Subsequent virtual machines running on Hyper-V are known as child partitions.

In this approach, a new virtual switch (vswitch) is created and the physical network adapter (pNIC) is unbound from all clients, services and protocols, except the Microsoft Virtual Network Switch Protocol. The virtual network adapters (vNICs) in the parent and child partitions connect to the vswitch. Further vswitches may be created for internal communications, or bound to additional pNICs; however only one vswitch can be bound to a particular pNIC at any one time. Virtual machines can have multiple vNICs connected to multiple vswitches. Ben Armstrong has a good explanation of Hyper-V networking (with pictures) on his blog.

One exception relates to the connection of virtual machines to wireless network adapters (not a common server scenario, but nevertheless useful when Windows Server 2008 is running on a notebook PC). The workaround is to use Internet connection sharing (ICS) on the wireless pNIC and to connect that to a vswitch configured for internal networking in Hyper-V. Effectively, the ICS connection becomes a DHCP server for the 192.168.0.0/24 network, presented via the internal vswitch and I’m pleased to find that the same principle can be applied to mobile data cards. Interestingly, Hyper-V seems quite happy to bind directly to a Bluetooth connection.

Hyper-V network connection example

Using this approach, on my system, the various network adapters are as follows:

  • Dial-up adapters, including an HSDPA/HSUPA modem which I have shared to allow VMs to connect to mobile networks in place of wired Ethernet.
  • Local Area Connection – the pNIC in my notebook PC, bound only to the Microsoft Virtual Network Switch Protocol.
  • Wireless Network Connection – the WiFi adapter in my notebook PC (if there was WiFi connectivity where I am today then this could have been shared instead of the data card).
  • Local Area Connection 3 – the Bluetooth adapter in my notebook PC.
  • Local Area Connection 4 – the external vswitch in my Hyper-V installation, connected to the external network via the pNIC.
  • Local Area Connection 5 – another vswitch in my Hyper-V installation, operating as an internal network, but connected using the method above to the shared HSDPA/HSUPA modem.

This gives me plenty of flexibility for connectivity and has the useful side-effect of letting me circumvent the port security which I suspect is the cause of my frequent disconnections at work (the physical switches are configured to block any device presenting multiple MAC addresses on the same port).

Burning CDs/DVDs in Windows Server 2008

One of the downsides of running Windows Server 2008 as a workstation operating system is the lack of native CD/DVD-burning capabilities. Quite why Microsoft decided that administrators don’t need to write optical discs from servers is anybody’s guess but it’s kept me busy for the last hour or so.

First, I installed the copy of Nero 7 Essentials (v7.8.5.0) that was supplied with my notebook PC. That looked good (apart from the number of “essentials” that it provides) until I came to create a CD and found that it would only let me record to an “Image Recorder” and not to the drive in my notebook (despite having been provided by Fujitsu-Siemens with the computer, it seems that this OEM copy doesn’t work with my hardware).

Next up, I tried cdburn.exe from the Windows Server 2003 Resource Kit. That didn’t want to co-operate with my 64-bit Windows Server 2008 installation (it may work on a 32-bit installation as I used it on my previous machine with Vista).

A few years back, I wrote about Alex Fienman’s CreateCD and the latest version is called ISO Recorder. Even though v3 works on 64-bit Windows (Vista and so presumably Server 2008) it didn’t recognise my drive.

Then I stumbled across a post from Aali, who had exactly the same issue burning discs in Windows Server 2008. ImgBurn (v2.4.0.0) successfully burned the .ISO that I’d created with Nero to a blank disc and could even have done the whole job for me.

ISA Server client software

Fighting with ISA Server 2006, as I have been for the last few days, has given me an opportunity to refresh my knowledge of the various ISA Server clients. Actually, calling them clients is far more grandiose than is strictly necessary (only one of them involves the installation of client software), but the terminology that Microsoft uses is:

  • SecureNAT client. Any computer, with a working TCP/IP stack, pointing to the ISA Server for its default gateway (router) – or where the router (or series of routers) ends with a router that uses the ISA Server as its default gateway. This client operates at the network layer in the OSI model and therefore has no user-based access controls.
  • Web proxy client. A CERN-compliant web browser, with proxy server settings configured to point to the web proxy service on the ISA Server. This client operates at the application layer in the network stack and user-level authentication is optional.
  • Firewall client (formerly known as the WinSock proxy client). A computer running the ISA Server firewall client software to provide socket-based communications with the firewall service on the ISA Server. Operating at the transport layer, this client replaces the DLL for Windows socket (WinSock) connections so that communications between applications and their server components are routed via the ISA Server (exceptions are configured in the local address table). It is possible to configure user-based access policy rules for firewall clients but the main advantage is that applications do not need to be firewall-aware; however there is a trade-off against the requirement to install the client software on each PC that requires access.

Further details of ISA client types are available in the Windows Server Tech Center.

Some more on using Active Directory for Linux/Mac OS X user authentication

Last year I wrote a post about using Microsoft Active Directory (AD) to authenticate users on a Red Hat Enterprise Linux (RHEL) computer (and a few weeks back I followed it up for Mac OS X). This week, I’ve been re-visiting that subject, as I built a new FTP server at home and wanted to use AD for authentication.

In the process, I came across a couple of extra resources that might be useful:

As I was using an almost-new AD (not the old one that I have been tweaking for years), I found that RHEL5 (and Mac OS X 10.5) did not need me to disable digital signing of communications as recent versions of Samba include client side signing. The Samba documentation suggests that it is necessary to set client use spnego = yes in smb.conf when authenticating against a Windows Server 2003 domain controller but I did not find that to be the case with Samba v3.0.23c and Windows Server 2003 R2 with SP2 (perhaps that is the default?).

The following notes may also be useful:

  • SSH does not require any further configuration but if Samba is configured to use the default separator for domainname and username (\) then you will need to escape it for the shell – so the connection command would be ssh domainname\\username@hostname.
  • This also works for FTP (ftp domainname\\username@hostname) but I’ve not found a way to make a simple ftp hostname use AD for authentication.
  • Even though Linux/Unix usernames are case-sensitive, Windows ones are not, so any combination of lower and upper case is valid for domainname\username. Passwords do need to be entered in the correct case (as in Windows).

The delicate balance between IT security, supportability and usability

There is a delicate balance between IT security, supportability and usability. Just like the project management trilogy of fastest time, lowest cost and highest quality, you cannot have all three. Or can you?

Take, for example, a fictitious company with an IT-savvy user who has a business requirement to run non-standard software on his (company-supplied) notebook PC. This guy doesn’t expect support – at least not in the sense that the local IT guys will resolve technical problems with the non-standard build but he does need them to be able to do things like let his machine access the corporate network and join the domain. Why does he need that? Because without it, he has to authenticate individually for every single application. In return, he is happy to comply with company policies and to agree to run the corporate security applications (anti-virus, etc.). Everyone should be happy. Except it doesn’t work that way because the local IT guys are upset when they see something different. Something that doesn’t fit their view of the normal world – the way things should be.

I can understand that.

But our fictitious user’s problem goes a little further. In their quest to increase network security, the network administrators have done something in Cisco-land to implement port security. Moving between network segments (something you might expect to do with a laptop) needs some time for the network to catch up and allow the same MAC address to be used in a different part of the network. And then, not surprisingly, the virtual switch in the virtualisation product on this non-standard build doesn’t work when connected to the corporate LAN (it’s fine on other networks). What is left is a situation whereby anything outside the norm is effectively unsupportable.

Which leaves me thinking that the IT guys need to learn that IT is there to support the business (not the other way around).

Of course this fictitious company and IT-savvy user are real. I’ve just preserved their anonymity by not naming them here, but discovering this (very real) situation has led me to believe that company-standard notebook builds are not the way to go. What we need is to think outside the box a little.

Three years ago, I blogged about using a virtual machine (VM) for my corporate applications and running this on a non-standard host OS. Technologies exist (e.g. VMware ACE) to ensure that VM can only be used in the way that it should be. It could be the other way around (i.e. to give developers a virtual machine with full admin rights and let them do their “stuff” on top of a secured base build) but in practice I’ve found it works better with the corporate applications in the VM and full control over the host. For example, I have a 64-bit Windows Server 2008 build in order to use technologies like Hyper-V (which I couldn’t do inside a virtual machine) but our corporate VPN solution requires a 32-bit Windows operating system and some of our applications only work with Internet Explorer 6 – this is easily accommodated using a virtual machine for access to those corporate applications that do not play well with my chosen client OS.

So why not take this a step further? Why do users need a company PC and a home PC? Up until now the justification has been twofold:

  • Security and supportability – clearly separating the work and personal IT elements allows each to be protected from the other for security purposes. But for many knowledge workers, life is not split so cleanly between work and play. I don’t have “work” and “home” any more. I don’t mean that my wife has kicked me out and I sleep under a desk in the office but that a large chunk of my working week is spent in my home office and that I often work at home in the evenings (less so at weekends). The 9 to 5 (or even 8 to 6) economy is no more.
  • Ownership of an asset – “my” company-supplied notebook PC is not actually “mine”. It’s a company asset, provided for my use as long as I work for the company. When I leave, the asset, together with all associated data, is transferred back to the company.

But if work and home are no longer cleanly separated, why can’t we resolve the issue of ownership so that I can have a single PC for work and personal use?

Take a company car as an analogy – I don’t drive different cars for work and for home but I do have a car leased for me by the company (for which I am the registered keeper and that I am permitted to use privately). In the UK, many company car schemes are closing and employees are being given an allowance instead to buy or lease a personal vehicle that is then available for business use. There may be restrictions on the type of vehicle – for example, it may need to be a 4 or 5 door hatchback, saloon or estate car (hatchback, sedan or station-wagon for those of you who are reading this in other parts of the world) rather than a 2-seater sports car or a motorbike.

If you apply this model to the IT world, I could be given an allowance for buying or leasing a PC. The operating system could be Windows, Mac OS X or Linux – as long as it can run a virtual machine with the corporate applications. The IT guys can have their world where everything is a known quantity – it all lives inside a VM – where there will be no more hardware procurement to worry about and no more new PC builds when our chosen vendor updates their product line. It will need the IT guys to be able to support a particular virtualisation solution on multiple platforms but that’s not insurmountable. As for corporate security, Windows Server 2008 includes network access protection (NAP) – Cisco have an equivalent technology known as network access control (NAC) – and this can ensure that visiting PCs are quarantined until they are patched to meet the corporate security requirements.

So it seems we can have security, supportability, and usability. What is really required is for IT managers and architects to think differently.

Problems with Hyper-V, ISA Server 2006 and TCP offloading

For the last few days, I’ve been trying to get an ISA Server 2006 installation working and it’s been driving me nuts. I was pretty sure that I had my networking sorted, following Jim Harrison’s article on configuring ISA Server interface settings (although a colleague did need to point out to me that I didn’t have a static route defined on my ADSL router back to the ISA Server’s internal network – doh!) but even once this was checked there was still something up with the configuration.

My server has three NICs – a Broadcom NetXtreme Gigabit Ethernet card, connected to my Netgear ProSafe GS108 switch, and two Intel PRO/100+ Management Adapters – one connected to a NetGear DS108 hub and the other disconnected at the moment but reserved for remote management of the server (the first two are both bound to Hyper-V virtual switches).

The theory is that the Gigabit connection will be used for all my internal IT resources and the Fast Ethernet hub is just connected to the ADSL router. The server will run a few virtual machines (VMs) – the ISA Server (running with Windows Server 2003 R2 and connected to both virtual switches), another VM with Active Directory and DNS (also running Windows Server 2003 R2), my mail server and various test/development machines.

According to Microsoft:

“There are two rules to remember when setting up DNS on ISA Server. These rules apply to any Windows-based DNS configuration:

  • No matter how many network adapters you have, only assign DNS servers to a single adapter (it doesn’t matter which one). There is no need to set up DNS on all network adapters.
  • Always point DNS to either internal servers or external servers, never to both.”

[Configuring DNS Servers for ISA Server 2004]

Following this advice, my internal DNS Server is set to forward any requests that it can’t resolve to my ISP’s servers. The problem was that this DNS server couldn’t access the Internet through the ISA Server. ISA Server could ping hosts on all networks (so the network configuration was sound) and monitoring the traffic across the ISA Server showed the outbound DNS traffic on port 53 but nothing seemed to be coming back from the ISP’s DNS servers.

I checked another colleague’s working ISA Server 2006 configuration and found nothing major that was different (only an alternative DNS configuration – with the external NIC pointing to the internal DNS server where my external NIC has no DNS server specified – and the addition of the Local Host network in the source list for the Unrestricted Internet Access firewall access rule that is included in the Edge Firewall network template).

Then, after seeking advice from more colleagues and spending the entire day (and evening) on the problem, I finally cracked it…

Because the ISA Server was configured to use the internal DNS server for lookups (which, in turn, couldn’t get back through the ISA Server), nslookup domainname.tld didn’t work; however nslookup domainname.tld alternativednsserveripaddress did (e.g. nslookup www.google.com 4.2.2.2). HTTP(S) traffic seemed fine though – if I used IP addresses instead of domain names, I could access websites via the web proxy client.

Meanwhile, on the ISA Server, I could use nslookup for local name resolution but not for anything on the Internet. And pinging servers on the external side of the ISA Server gave some very strange results – the first packet would receive a reply but not the subsequent ones.

After hours of Googling, I came across some good advice in a TechNet forum thread – download and run the ISA Server Best Practices Analyzer (BPA) tool. The ISA BPA presented me with a number of minor warnings (for example, that running ISA Server in a virtual environment can’t protect the underlying operating system) but two seemed particularly significant:

“Receive-side scaling (RSS) is enabled by the Windows Server operating system. If a network adapter installed on the local ISA Server computer supports RSS, ISA Server may function incorrectly. […]”

and:

“TCP-Acceleration (TCPA) is enabled by the Windows Server operating system. If a network adapter installed on the local ISA Server computer supports TCPA, ISA Server may function incorrectly. […]”

I made the registry edits to disable RSS and TCPA (further details are available in Microsoft knowledge base articles 927695 and 936594), restarted the computer and crossed my fingers.

Even after this change, I still couldn’t successfully ping resources on the external side of the ISA Server from the private network, but I was sure I was onto something. I stopped looking for problems with ISA Server and DNS, and instead I focused my efforts on TCP Offload issues with Hyper-V. That’s when I found Stefaan Pouseele’s post about ISA Server and Windows Server 2003 service pack 2. Stefaan recommends not only disabling RSS and TCPA but also turning off TCP offload and the TCP chimney.

A bit more Googling and I found a TechNet Forum thread about ISA Server 2006 in a virtual environment where (Virtual PC Guy) Ben Armstrong and VistaGuyRay (Raymond Comvalius) had discussed disabling TCP offloading in the VM. As it happens, only yesterday, Ray blogged about how disabling TCP offloading in the virtual machine (not on the host) had resolved his problems with a Broadcom gigabit Ethernet adapter and Hyper-V (further details are available in Microsoft knowledge base article 888750). So, after making this change (but not doing anything with the TCP chimney) and a final reboot of my ISA Server, I noticed that Windows wanted to apply some updates. That meant that name resolution was working, which in turn meant that the internal DNS server was successfully forwarding requests to the ISP servers via the ISA Server and my ADSL router. Result.

The final set of registry changes that I made were as follows:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableTCPA"=dword:00000000
"EnableRSS"=dword:00000000
"DisableTaskOffload"=dword:00000001

I’ve only made the registry changes on the ISA Server at the moment and the VM running AD/DNS seems to be fine, so this might not be an issue for all virtual machines connected to the Hyper-V virtual switch bound to the Broadcom NetXtreme NIC. What does seem reasonably certain though is that Hyper-V, ISA Server 2006 and TCP offloading don’t play nicely together in this scenario.
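As an added example (my own script, not code from the original post or from Microsoft), here is a PowerShell audit of the three TCP/IP parameters listed above, so that the same check can be run on the other VMs before deciding whether they need the change too. It assumes PowerShell 3.0 or later; the function names are my own, and the KB numbers in the comments are the ones the post cites.

```powershell
# Added example, not code from the original post: audit (and optionally apply) the
# three TCP/IP parameters the post sets on the ISA Server VM. Expected values are
# the ones from the post; a value that is absent from the key means the Windows
# default applies, which the ISA BPA warnings quoted above indicate is "enabled".
# Requires PowerShell 3.0 or later; applying the settings needs an elevated shell
# and a reboot afterwards (as the post describes).
$KeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Expected = @{
    'EnableTCPA'         = 0   # TCP-Acceleration off       (KB 927695 / 936594)
    'EnableRSS'          = 0   # receive-side scaling off   (KB 927695 / 936594)
    'DisableTaskOffload' = 1   # TCP task offload off in VM (KB 888750)
}

function Get-TcpOffloadAudit {
    # Returns one object per parameter with the current value and a Compliant flag.
    param(
        [string]$Path = $KeyPath,
        [hashtable]$Want = $Expected
    )
    $key = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($name in ($Want.Keys | Sort-Object)) {
        $prop    = $key.PSObject.Properties[$name]          # $null when value is absent
        $current = if ($null -ne $prop) { [int]$prop.Value } else { $null }
        [pscustomobject]@{
            Name      = $name
            Expected  = $Want[$name]
            Current   = $current
            Compliant = ($null -ne $current -and $current -eq $Want[$name])
        }
    }
}

function Set-TcpOffloadSettings {
    # Writes the expected DWORD values; supports -WhatIf / -Confirm for a dry run.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Path = $KeyPath,
        [hashtable]$Want = $Expected
    )
    foreach ($name in $Want.Keys) {
        if ($PSCmdlet.ShouldProcess("$Path\$name", "Set DWORD to $($Want[$name])")) {
            New-ItemProperty -Path $Path -Name $name -PropertyType DWord `
                             -Value $Want[$name] -Force | Out-Null
        }
    }
}

# Report first; only apply on guests that show the symptoms described in the post.
Get-TcpOffloadAudit | Format-Table -AutoSize
# Set-TcpOffloadSettings -WhatIf    # preview, then run without -WhatIf and reboot
```

Disabling offload moves checksum and segmentation work back onto the guest CPU, so the audit is worth running before and after to confirm only the intended VMs were changed.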

Windows Server 2008 product activation for volume license customers

When Windows Vista was launched, I wrote a post about the volume activation (VA) 2.0 activation process. With Vista SP1, reduced functionality mode has been removed although there is still the same legal obligation to run properly-licensed copies of Windows. (Microsoft has published a Q and A sheet on the changes made to their anti-piracy programme).

A number of people have asked where they can get a 180-day evaluation copy of Windows Server 2008 and, as far as I’m aware, there isn’t one. Instead, it is possible to install the product and it will attempt online activation (there is no longer an option in setup to deselect this). If activation fails, then a 60-day grace period will commence, during which the product will have full functionality and can be activated at any time, using a key management server (KMS) if one is available, or alternatively by entering the multiple activation key (MAK) in the system properties. Re-arming is also available, allowing 3 re-arms (so up to 240 days total use before activation). That should be more than enough time for evaluation; further details are available in Microsoft knowledge base article 948472.

The day the iPhone grew up

iPhone v2.0 roadmap image
Last week, Apple quietly slipped out a software update for the iPhone (v1.1.4). No press release (not one that I can find anyway), no drama (at least when I looked last night the Apple website was trumpeting the January iPhone update – no mention of the late-February one), and no software development kit (SDK) by the end of February 2008 as promised. What was happening?

Tonight I picked up the real news (via Garry Martin and Steven Bink) – Apple is pleased with its market share in the US (claiming 28% of the smartphone market) and is going after the enterprise. And in order to stand any chance of getting corporates to adopt the iPhone, they have licensed Microsoft ActiveSync. This is really good news for me. No more messing around with IMAP for connection to Exchange Server – real push e-mail, calendar integration, contact synchronisation, global address list lookup, IPSec VPNs, two-factor authentication (certificate-based), enterprise Wi-Fi (WPA2/802.1x), security policy and device configuration tools, and remote wipe capabilities.

I still have some other items to add to my ideal feature list – cut/paste and a task list application for starters – but it was great to hear Apple selling the Exchange Server push e-mail architecture and pointing out how BlackBerry is “the old way”…

So, what about that much-anticipated SDK? Well, Apple is opening up the same APIs and tools that they use internally, from today. It looks pretty sweet – I reckon even I could write an iPhone native application with this (although I’ll leave Keni to tell me how it compares to developing for Windows Mobile).

Once the applications are written, how do they get onto the iPhone? Apple has announced a new online store – the AppStore, accessible from every iPhone running the next software release (not using the iTunes store as previously predicted by some – although the iTunes client will be able to access the AppStore). Key features include wireless application download (cell network or Wi-Fi) and automatic updates, and this will be the exclusive method for the distribution of iPhone applications. It’s a pretty good deal for developers too (apart from the $99 to become one): they can pick the price and take a 70% revenue share, paid monthly; there will be no credit card, hosting or marketing fees (even if the application is free); but there will be some limitations around the types of applications that will be allowed (I wonder if there will be a conflict of interest between mobile operators and VoIP client developers?)

Finally, what’s the charging mechanism for iPhone 2.0 update that will be required to access the new applications? I was pleased, and surprised to hear that it will be a free update including both the SDK and the new enterprise capabilities and is expected to ship in late June (there will be a small charge for iPod Touch users to receive the same update).

All of a sudden, being an early iPhone adopter (and choosing a supported route rather than unlocking/jailbreaking) is not looking like such a bad move.

Links

Apple iPhone Dev Center
Q&A: Microsoft Helps Connect Apple iPhone Users to Microsoft’s Exchange Server