Microsoft EVO launch

Microsoft UK EVO Launch

Let’s get one thing straight. Over the last twelve-or-so years I’ve built a reasonably-successful career out of working with Microsoft products. At times, I’ve even been accused of bias towards Microsoft; however, I don’t exclusively use Microsoft products. I’m also aware that I’ve been fairly critical of Microsoft of late – but that’s because I am “not backwards in coming forwards” – i.e. I will say what I think. One of those times was a recent blog post about Office Groove 2007 and at the time I chose not to name the Microsoft presenter in question (so I won’t now either); however for an organisation that claims to crave feedback, my comments, written on blog with a relatively-small readership, do seem to have touched a raw nerve. Regardless of the comments I made on that particular presentation, I will also give credit where credit is due – the majority of Microsoft events I attend are informative and generally represent a good use of my time.

I spent today at Ready for a New Day: Microsoft’s Launch of Exchange, Vista and Office (EVO) (there was an earlier UK business launch event held at Arsenal FC’s Emirates Stadium, to coincide with the US launch at NASDAQ) – I’m pleased to say that it was well worth it (and I know that a lot of hard work went into a day where PowerPoint was dumped in favour of back-to-back demonstrations).

Despite being critical of the Windows Vista marketing message (clear, confident and connected), I’ve commented in the past that Windows Vista does have a lot to offer. I’ve also been impressed with Office 2007 (although the ribbon interface does take some getting used to; once you get the hang of it, everything works well) and since last April I’ve wanted to write lots about Exchange Server 2007 but was prevented by NDA (Exchange Server 2007 was released to manufacturing last week and I consider it to be just about the most exciting new version of Exchange Server since the original v4.0 launch in 1996 – more on that in a moment – I’m not alone as it seems that Gartner are pretty fired up about Exchange Server 2007 too).

The event was introduced by Phil Cross, Microsoft UK’s Audience Marketing Manager, who first took a look at the history of Windows, Office and Exchange and whilst it’s a bit of a diversion from the topic of this blog post, it represents a nice trip back down memory lane.

It seems that technology doesn’t always help us to do our work and according to a survey conducted by Microsoft and YouGov, in this ever-connected world, almost 40% of respondents admit to working extended hours and around 25% regularly work through lunch – despite the all-pervasive IT that’s supposed to make life easier. Also interesting is what has been important to information workers over the last 30-or-so years: in the 1970s, 32% considered a telephone on their desk to be the ultimate status symbol and 23% craved access to a computer terminal; by the 1990s the ‘phone was ubiquitous and 56% considered a PC to be essential; and in 2000 58% of respondents consider e-mailed to be an essential business tool.

Looking back to the early 90s, Microsoft MS-DOS 6.22 and Microsoft Windows for Workgroups 3.1 were the desktop operating system and windowing environments of choice, with Microsoft and IBM still working out the future of LAN Manager and OS/2.

In 1993, Microsoft’s UK server business was worth just £6m, of which £5m was revenue from Microsoft Mail. SQL Server cost £100,000 and needed to run on OS/2 and there were only three Microsoft server products (NT Server, SQL Server and Mail). Today, Microsoft has around 30 server products and the associated revenue in the UK is around £800m.

Just 10 years ago, in 1996, Microsoft launched Exchange Server – of particular relevance to me as it was the first time I worked with Microsoft. At the time, Phil Cross was the UK Product Manager and I worked for ICL, one of the Microsoft Solution Providers who joined Microsoft on the UK launch tour (I probably still have a t-shirt with our tour dates but I remember driving a van around the country with our presentation materials as we took a stand to every Microsoft event and ran our own events on the days in between).

I’m not going to repeat the whole day’s worth of presentations, but some of the key messages from the day appear below, with demonstrations structured around 4 key tracks, introduced by Eileen Brown:

  • Simplify how people work together.
  • Help protect and manage content.
  • Find information and improve business insight.
  • Reduce IT costs and improve security.

Looking firstly at simplifying how people work together, Jane Lewis demonstrated:

  • Outlook autoconfiguration – creating a profile based on just the user’s e-mail address, auto-populated from Active Directory.
  • Office Groove 2007 – quickly setting up a collaborative workspace and inviting an external contact, then synchronising changes as they collaborated on documents before finally uploading the content to Windows SharePoint Services for long-term storage.
  • Exchange Server 2007 proxying links to internal document shares to allow access without a VPN connection and providing web-ready document viewing (HTML rendering of documents, so that no temporary files are left behind when accessed via a public PC).
  • The ever-improving Outlook Web Access – now richer than ever – and unified messaging, with voicemail in the Inbox, along with the ability to add notes for searching and indexing voice messages and finally, self-service PIN reset for voicemail access.

Jason Langridge followed this up with demonstrations of some of Microsoft’s mobile technology including:

  • The Windows Vista Mobility Center (for quick and easy switches to PC configurations – e.g. presentation mode).
  • Outlook Mobile, including folder access, global address list lookup and spell-checking.
  • Word Mobile, with full support for document formatting.
  • Excel Mobile, with the ability to summarise data in charts.
  • PowerPoint Mobile, with read only access to presentations, including animations.
  • Setting up a new device, then seeing the application of device policies including mandatory passwords and the ability to wipe a device remotely.
  • Exchange Server 2007 self-service management of connected devices including a log of device interaction with the server, the ability to remove devices from the list, password display and remote wipe capabilities.
  • The Windows Mobile Device Center – replacing ActiveSync and built into Windows Vista, managed via Active Directory and allowing access to device settings (partnerships/synchronisation settings), file transfer, as well as the ability to tag and rate pictures, music and video.
  • Finally, Jason demonstrated OneNote Mobile, creating meeting notes with embedded pictures and audio.

Some key facts from Jason’s presentation included:

  • In the UK, 90% of 9-year-olds and above have a mobile phone (we actually have move handsets than there are people… I carry two and so do many others that I know!).
  • 250m PCs will be sold this year, but this is eclipsed by the 1.5bn mobile devices.
  • The Samsung BlackJack has 4 times the power of a PC from just 5 years ago with HSDPA allowing 1.8Mbps access to data.
  • Microsoft supports 46,000 mobile users using just 8 HP ProLiant DL350 servers (it could be less if it wasn’t for the requirement to provide global coverage and resilience).

The next demonstration was given by Arthur Pounder of the Microsoft Unified Communications User Group UK and the Microsoft Messaging and Mobility User Group UK, who started out by explaining the difference between unified messaging (an asynchronous technology from the combination of voicemail and e-mail) and unified communications (synchronous communications with multiple parties simultaneously) before demonstrating how instant messaging (IM) and presence awareness reach new levels in the forthcoming Office Communications Server 2007 (formerly Live Communications Server) and Office Communicator 2007 with multiparty conferencing and voice over IP (VOIP). Arthur demonstrated:

  • Replying to an e-mail with an instant message (reply or reply all).
  • Inclusion of formatted data (from Excel) within an instant message.
  • Multiple levels of presence (i.e. sharing some contact details with certain individuals but not all).
  • Documents with smart tags indicating presence information where a name is recognised in Active Directory.
  • Enabling VOIP on an organisational or per-user basis, including the routing of calls across the corporate network until they reach a break-out point.
  • Policies for control of conferencing settings as well as archival and call detail records for IM, conferencing and VOIP.
  • Intelligent IM filter, including URL filtering and file-type filtering.

Moving on to the protection and management of content (brought to every IT Manager’s attention with the recent theft of a laptop, containing millions of customers’ personal details, from the home of a Nationwide Building Society employee), Andy Malone from Quality Training showed how the forthcoming Longhorn Server product implements network access protection (describing it as analogous to a nightclub bouncer enforcing standards for dress) through the Network Policy Server and a number of health validators. He continued by examining Windows Vista’s user account control and the Windows Firewall with advanced security, which now supports, domain, public and private profiles for both inbound and outbound rules, along with connection security and monitoring. Andy then went on to look at the current beta of Forefront client security, analysing and reporting on the security of PCs across the enterprise, as well as Exchange Hosted Services (a development of the anti-spam and anti-malware technologies acquired with FrontBridge) and Forefront for Microsoft Exchange with real-time capture and incident reporting. Finally, Andy showed Outlook 2007 disabling links in suspicious messages as well as Internet Explorer 7’s anti-phishing filter (using a demonstration phishing site).

Brett Johnson is one of my favourite Microsoft speakers – charismatic and full of energy – and, in the first of two Exchange Server 2007 sessions, he examined some of the controls that can be put in place from the view of compliance and records management, in the process highlighting that:

  • Exchange Server 2007 is available as a 32-bit application for test purposes only and only the 64-bit version is supported by Microsoft.
  • Many organisations have an issue relating to compliance and e-mail as mailbox restrictions lead to a proliferation of personal folder (.PST) files spread around the network, with consequential issues of management.
  • With Exchange Server 2003, message journalling (sending a copy of every message sent to a particular mailbox or mail-enabled document store) was either on or off – and it affects server performance. Exchange Server 2007 allows message journalling to be set at the per-user or per-group level within the hub transport as well as controlling the scope to global, internal or external messages.
  • The Exchange Server 2007 Exchange System Manager gives details of the equivalent PowerShell command at the end of each GUI operation.
  • Managed content folders can be used to control the placement of messages within a mailbox – e.g. expiring Exchange voicemail messages to a particular folder after a number of days (a similar function has been possible in Outlook, but appears to be more granular and is configured by the Exchange administrator).
  • Each message can be assigned a message classification (e.g. confidential) and new classifications can be created to, for example, mark a message as being suitable for a particular audience (e.g. internal account use only).

In the last session before lunch, Jessica Gruber took a look at protecting corporate intellectual property (IP). Unfortunately, despite Jessica’s offers of huge thanks when something worked, the demo gods were not with Jessica but she soldiered on and used her witty responses to keep the audience on her side. I have no doubts that had it not been for an incorrect system clock (and consequential Kerberos authentication issues) from a previous demonstration (used to avoid product activation – proving that even Microsoft has problems with keys!) which made life extremely difficult for Jessica, she would have been able to completely demonstrate:

  • Exchange Server 2007’s hub transport role being used to create an ethical firewall within an organisation (preventing one part of the organisation from communicating with another) and control what happens to the associated messages (e.g. bounce with a custom reply).
  • Even though information rights management (IRM) and rights management services (RMS) are not new Microsoft technologies, Exchange Server 2007 pre-processes the tasks (rather than relying on the client to implement them).
  • Device installation restrictions within group policy (e.g. to prevent the installation of a USB key or to control the ability to write to CD/DVD).
  • Application of information management policies within SharePoint to enable auditing, expiration, etc.
  • SharePoint allowing multiple document types within a single library.
  • The information panel within Office exposing document properties for completion (used within SharePoint to organise the data).
  • The Document Inspector, which may be used to remove internal comments, etc. prior to publication.
  • SharePoint Designer (formerly FrontPage) being used to define control the workflow around approving a document and assigning it to a particular site collection or list, without writing any code.

As the day moved on to the topic of finding information and improving business insight, Melville Thomson did a fine job of demonstrating a SharePoint dashboard with webparts connecting to BizTalk Server and SQL Server providing a sales scorecard. Using this web interface, business data can be exposed to managers who may not have Microsoft Excel on their PC, including the ability to view comments stored with data values and to drill down into the data. For more detailed analysis, the data was then opened within Excel and a pivot table used, along with conditional formatting (with new data bars and colour scales, and now understanding hierarchical data to apply a similar scheme to related cells) allowing the user to visualise the data and identify problem areas. Melville then created a chart which was active, changing dynamically along with the data exposed by the pivot table and published the results to a SharePoint library. Finally, he used the new data mining capabilities within Excel (an add-in from the forthcoming SQL Server 2005 SP2) to examine the demographics within the sales data and identify key influencers, allowing marketing to be targetted to the appropriate group of prospective customers.

I will confess that I was the guy on the front row who fell asleep in the next session (a combination of post-lunch weariness, sleep deprivation and the mention of Microsoft Project letting my mind wander to the stresses of my current assignment and immediate desire to forget it all) as Bob Walker spoke about Microsoft’s Enterprise Project and Portfolio Management products, which facilitate strategic decision making rather than focusing on task-oriented milestones.

(At this point I should make an observation – in my experience, most Project and Programme Managers are completely task-led and think a Gantt chart is a project plan. I’ve never yet worked in an organisation that uses Microsoft Project Server to co-ordinate individual plans and provide a programme-level view of operations).

Bob demonstrated:

  • Microsoft Office Portfolio Server, featuring a builder, optimiser and dashboard to allow analysis of potential projects to be balanced against available resource at a programme, project or application level.
  • Microsoft Project Server, now featuring multiple undo levels, the ability to highlight milestones and to view the impact of timescale changes using colour and reporting, with export to an Excel pivot table.
  • Microsoft Project Web Access, which runs on Windows SharePoint Services to provide a lightweight project client for others to view projects.
  • Integration of Microsoft Project with Outlook tasks and timesheets.

Next up was Rod Gordon of the Access User Group and Office User Group, who gave a very interesting demonstration of linking Microsoft Visio to a dynamic data source. In Rod’s example, he used an Excel spreadsheet of PC audit data to link it to a Visio diagram with an office floor layout. Key features of the demonstration included:

  • Use of the control and shift keys with the mouse to drag a box around an area of the diagram to zoom in on and a pan and zoom window to drag the selected area and highlight different sections of the diagram.
  • Using Visio’s data menu to link a Visio diagram to source data from a number of sources including Microsoft Access, Excel, SQL Server and Windows SharePoint Services.
  • Selection of data within the external data pane and dragging/dropping it onto the appropriate shape in order to create a link (alternatively, by setting a primary key and populating just that field for each shape, the data can be automatically linked). Once the link has been created, a simple right click on the shape allows the associated data to be viewed and the shape can have conditional formatting defined in order to highlight certain conditions.
  • Editing of source data with a manual (or periodical) refresh of the corresponding data in Visio.
  • Use of multi-layered diagrams to expose different layers for viewing/printing.

The last topic area of the day was focused on reducing IT costs and improving security and another friendly face from Microsoft UK, Steve Lamb, gave a short demonstration of some of Windows Vista’s security features including:

  • BitLocker, which encrypts the hard disk such that a key is required to start up the computer (stored on a USB key, within the computer’s trusted platform module, or entered manually). Using a drive analysis tool (diskscape.exe), Steve showed how an encrypted hard disk looks the same throughout, whereas a non-encrypted drive has definite areas of data that can be detected.
  • The Application Compatibility Manager (replacing the Application Compatibility Toolkit), which now incorporates community feedback on the steps required to make a particular application run successfully on a modern Windows system.
  • The Business Desktop Deployment (BDD) deployment workbench, which allows the customisation of Windows images to choose the appropriate operating system version, integrate new drivers, create new builds, edit default settings using the Windows System Image Manager and finally prepare the build for deployment using a single server, deployment share, removable media or the Microsoft SMS Operating System Deployment (OSD) feature pack.
  • Demonstration of a program’s ability to inflict malware on a system running as a Windows XP Administrator, Windows XP unprivileged user, Windows Vista user (by default unprivileged) and Windows Vista user running with elevated permissions, at which point User Account Control (UAC) intervened.
  • (Did we tell you that Internet Explorer 7 has new anti-phishing capabilities?)

Next up was Brett Johnson, continuing his Exchange Server 2007 theme by looking at Exchange Server efficiency:

  • Exchange System Manager 2007 is based on the new MMC 3.0 console and exposes more properties in each view – making it easier to find what is required.
  • Exchange Server 2007 actually has three default levels of administration – organisation, server and user (e.g. create a mailbox and make limited changes). In effect, the Active Directory and Exchange Server administration roles combine to allow flexibility in managing the organisation’s e-mail infrastructure.
  • Resources (e.g. rooms and equipment) now have their own mailbox type (not just customised user mailboxes).
  • There are 4 main server roles in Exchange Server 2007 – mailbox, hub transport, client access, and unified messaging (there is also a fifth role – edge services – but that is deployed on a separate server – generally inside the DMZ).
  • Exchange Server logfiles are now 1MB in size (down from 5MB).
  • Exchange Server 2007 offers two new forms of resilient architecture:
  • Local continuous replication (LCR) creates a second copy of the database and log files (e.g. on a separate storage system) for local resilience.
  • Clustered continuous replication (CCR) extends this capability to span multiple cluster nodes.
  • Hub transport rules can be used to customise message flow (e.g. Jessica Gruber’s earlier creation of an ethical firewall, or adding a disclaimer message to all e-mail.
  • The Exchange Server Best Practice Analyzer (ExBPA) is now available, along with various Microsoft Product Support Services (PSS) tools within Exchange System Manager. Quoting Brett, “We are making this product a cinch to use”.
  • PowerShell (I still can’t stand that name) offers powerful scripting capabilities, including the ability to perform Exchange Server functions from the command line, using one of the many commandlets provided by Microsoft. It’s also possible to create a log of PowerShell activities using the start-transcript command.
  • The last demonstration was from Adam Shepherd, looking at how Windows Vista improves operational efficiency:

    • There are 700 new group policy settings in Windows Vista (e.g. new settings to deploy printers via GPO or enforce power management).
    • After deliberately sabotaging a system by using the Windows Recovery Environment to rename a core system file, Windows Vista detected the fault and repaired it at reboot time.
    • The Windows diagnostics infrastructure can be used to warn of impending faults (e.g. utilising the SMART technology in modern hard disks).
    • The entire hard disk from a Windows Vista system can be backed up to a virtual hard disk (.VHD) file for later recovery.
    • Windows Vista includes guided help, with options to watch as the computer performs the operation or to be guided on a step-by-step basis. What I found really impressive is that the Windows Automated Installation Kit (WAIK) includes a guided help studio for creation of custom guided help routines in little more than a few clicks, recorded with a task recorder.

    In all the event was PowerPoint light and demo-heavy – with a huge amount of resource involved and a lot of hard work. I found it very worthwhile (although the format wouldn’t suit all events – it’s sometimes good to have the PowerPoint slides as a takeaway).

    It was interesting to hear James O’Neill comment to a couple of attendees that the event was originally targetted at Microsoft’s enterprise customers but was later opened to a larger audience after a lack of interest (opening the floodgates and leading to an event with very low levels of “no-show”). It seems to me that Microsoft Exchange Server 2007, Microsoft Windows Vista and Microsoft Office 2007 are all remarkably advanced products with a lot to offer and today’s demonstrations just scraped the surface. Quoting Steve Ballmer, “These are game-changing products. It’s an incredible step forward for business computing in a year of unprecedented innovation from Microsoft”.

    Considering Windows Vista in isolation may not be a convincing argument for an upgrade but once you add Exchange Server 2007 and the 2007 Office System into the mix then there is plenty of scope for using IT to support new ways of working (maybe even reducing those long hours). Find out more, by following the links below or check out one of the upcoming Microsoft TechNet UK Technical Roadshow 2007 events:

    Introduction to virtualisation

    When thinking of IT security, there are a few names which immediately come to mind. One of these is Bruce Schneier, another is Rafal Lukawiecki and another is Steve Gibson. I recently began to listen to Steve Gibson’s Security Now podcast with Leo Laporte and originally I thought a security podcast would be dull – although it does seem to me that this one is as often about new hardware and software technologies as it is about security – but I was pleased to discover that it’s enjoyable listening as Steve does a very good job of describing security issues in basic terms (he can be very outspoken though and does sometimes let himself down on his broader knowledge of the non-security elements).

    I’ve written a lot on this blog about virtualisation technologies but never really covered the basics of what virtualisation is. I had thought of writing a blog post on the topic but, as there are a number of Security Now podcasts that do a better job, I recommend listening to (or reading the transcript for):

    Security Now episode 50: Introduction to virtualisation (transcript).

    I found this particularly interesting, describing the history of virtualisation technology, from 1960s IBM mainframes right up to the present day. If that whetted your appetite then the following episodes may also be interesting:

    Security Now episode 53: Virtualisation part 2 (transcript).
    Security Now episode 54: Blue pill (transcript).
    Security Now episode 55: Application sandboxes (transcript).
    Security Now episode 57: Virtual PC (transcript).
    Security Now episode 59: Parallels (transcript).

    I should point out though that I did notice a few errors:

    It’s a shame that these errors crept in as it would have a huge effect on the overall positioning of Microsoft’s virtualisation products in the Virtual PC podcast (episode 57). Having said that, Virtual Server does has a number of issues when it comes to managing it in a cross-platform environment – it may have a web interface but it relies on ActiveX (so, requires Internet Explorer on Windows) and the Virtual Machine Remote Control (VMRC) client is not available for non-Windows platforms (despite using port 5900, suggesting it may be related to VNC, I can’t seem to get it working using a VNC client).

    VMware may well have a more advanced product set (with Workstation, Virtual Infrastructure 3 and VirtualCenter 2) but from my experiences of dealing with the company it seems that they are going through some growing pains and I am sure that Microsoft will catch up over time. What seems to be certain, is that virtualisation is more than just the buzzword of 2006.

    Ripping analogue recordings using GarageBand and iTunes

    In common with many people, I’m in the process of digitising my music collection – and my collection is not small. At last count I had something like 250 compact discs (CDs), 500 CD singles and a couple of hundred compact cassettes and MiniDiscs as well as some vinyl, a few VHS cassettes and digital versatile discs (DVDs).

    Of course, ripping CDs is no big deal – iTunes takes the pain out of that for me (I rip as 192kbps MP3s – maybe not the ultimate quality, although good enough for most people’s ears) but the analogue content is not so easy. Over the last week or so I’ve worked out a method to rip from analogue sources, using standard software on my Mac… this is how it works:

    1. Firstly, open GarageBand. I’d never used this package before but it’s amazing – only a few years back this sort of application would have cost thousands (and I’d have been mixing using a standard mixing desk and recording to MiniDisc, not a computer). GarageBand looks scary at first, indeed I originally used iMovie to record my analogue feed and then transferred that to GarageBand but that step is unnecessary – simply create a new real instrument track and set it to record as you play the analogue source through the line in jack on the computer.
    2. Using GarageBand, edit the recording to cut out unwanted sections, adjust volume levels, etc., then view the Podcast track and add episode artwork and other information. You can also add markers for chapters within the recording.
    3. Set the audio podcast settings to Higher Quality in the export preferences. Optionally chose a Composer Name and Album Name in the general preferences (these can be changed later in iTunes).
    4. Once the recording is complete, save it, and then either select Export Podcast to Disk… or Send Podcast to iTunes from the Share menu in GarageBand (the result is the same – an MPEG 4/AAC file with an .M4A extension – but depending on the menu item selected it will either be in the chosen folder on the disk or within the iTunes Library).
    5. Open the recording in iTunes and edit the ID3 tags using Get Info option on the File menu.

    That’s all that’s required for an AAC recording, but if you want to convert to MP3 (unfortunately this means double compression, leading to further clipping and a slight loss of quality), check that the advanced preferences in iTunes are set to import (yes, import – even though the conversion is an export process) using the MP3 Encoder at Higher Quality (192kbps). Finally, select Convert Selection to MP3 from the Advanced menu in iTunes. You can also use a similar method for Apple Lossless, AIFF or WAV conversion.

    There are a couple of extra points to note: whilst AAC supports markers for the chapters added on the Podcast track these will be lost as part of a conversion to MP3; and GarageBand recordings are limited to 1999 measures (1 hour, 6 minutes and 16 seconds at 120 beats per minute) – to capture longer recordings it is necessary to adjust the tempo (beware of the Follow Tempo & Pitch checkbox on each track/region).

    Will Vista’s 3D effects work in a virtual machine?

    As a Windows Vista beta tester who filed at least one bug report, I was recently given a complementary copy of Windows Vista Ultimate Edition (thanks Microsoft); however as I’ve been rationalising my PC infrastructure of late I only have a couple of PCs that could make full use of the visual effects in Vista – my Mac (which runs Mac OS X most of the time) and a 2.4GHz Pentium 4-based PC (which runs Windows Server 2003 and Virtual Server 2005 R2). Consequently I’ve been wondering if the best way to make use of my new Vista license (bearing in mind the restrictions of product activation should I later try to move it between PCs) would be in a virtual machine.

    It seems not, as I checked with John Howard, who is a Microsoft Program Manager for Windows virtualisation (and was formerly an IT Pro Evangelist here in the UK) as to the likelihood of ever receiving suitable VM Additions or 3D device drivers within a Windows virtualisation product.

    John kindly replied, pointing out that the S3Trio video adapter which is emulated within the Microsoft virtualisation products is nowhere near the level required to support Vista’s 3D graphics. He went on to add that there are no plans to change this within Virtual PC 2007 or Virtual Server 2005 R2 SP1, nor in Windows Server Virtualization (which is seen as a server solution and therefore unlikely to require client-focused features such as 3D graphics).

    John’s reply doesn’t fill me with hope and despite VMware’s current push into enterprise desktop virtualisation I’m not sure that their position would be any different. In the meantime, it looks as though 2D graphics will be the limit to those of us who are heavy users of virtualisation on the desktop.

    RDP backslash fix for an Apple UK keyboard

    A few days back, in my post about typing # on an Apple UK keyboard, I commented that I can’t type a backslash (\) on an RDP session to a Windows server from my Mac.

    An anonymous contact very kindly tipped me off about Ira Rainey’s backslasher system tray application which Carl Slater has mirrored on his site (alongside a very nice VW Camper and motocrossing Honda C90s!). It works fantastically on my Windows Server 2003 SP1 system using the Microsoft Remote Desktop Connection Client for Mac v1.0.3 and Mac OS X 10.4.8.

    The quick and easy way to create an SSL VPN

    A few weeks back, I mentioned to one of my colleagues that I was looking to find a secure method of getting into my home network from wherever I happen to be and he recommended his friend’s SSL VPN product – SSL-Explorer.

    I should also add that the aforementioned colleague has since taken a position with 3SP, the creators of SSL-Explorer (good luck Chris), but I have no such conflicts of interest – I’m simply writing about a product that’s I’ve found to be very useful.

    According to 3SP:

    “SSL-Explorer is the world’s first open-source, browser-based SSL VPN solution. This unique remote access solution provides users and businesses alike with a means of securely accessing network resources from outside the network perimeter using only a standard web browser.”

    The community edition of SSL-Explorer is an open source product licensed under the GNU general public license (GPL) and the enterprise edition builds on this to provide additional functionality for organisations who require enhanced features and dedicated commercial support.

    I used a (remarkably) similar product from Neoteris a few years back; however that required a dedicated appliance server and was a commercial product. There’s also the OpenSSL project but, despite earlier versions of SSL-Explorer requiring compilation using Apache Ant, the installer I used (v0.2.8_01) required no such effort and I was amazed at how quickly I was able to install SSL-Explorer onto a standard Windows server (I could also have used a Linux box). Furthermore, despite not yet being a version 1 product (and using Java, which I’m not a fan of), SSL-Explorer seems to be remarkably stable.

    Through SSL-Explorer, I can provide users with access to file shares (read-only or read-write – and the product only enumerates those folders for which the user has access), reverse proxy to internal web servers (including single sign-on to Outlook Web Access) and access internal servers (using RDP or VNC – other modules are also available). Some features require an agent to be loaded on the fly but the SSL-Explorer product is still a clientless VPN (all interaction is within a web browser). Management is via a web interface and self-signed certificates can be used (for those of us who don’t have the budget to buy third party certificates).

    I still have some issues with the remote desktop functionality from behind my employer’s proxy server; however I suspect that is related to the ISA Server configuration in use – SSL-Explorer is working perfectly from other networks. I also operate using a single NATted IP address, so if I want to forward all HTTPS traffic from my firewall to the SSL-Explorer server then I can’t do the same for any other web servers that I might like to expose to the Internet directly (at least not on the same port).

    Of course, there are other solutions that may better suit an organisation’s network or security policies; however for many smaller companies and private individuals, SSL-Explorer could be the perfect solution to remote access – it’s definitely worth a look.

    Using RIS as a TFTP server

    Earlier tonight I needed to upgrade the software on an Ethernet switch. Most network administrators will be aware that this generally requires access to a trivial file transfer protocol (TFTP) server and it’s widely believed that to set up TFTP on a Windows server requires third party software. Not so – Microsoft remote installation services (RIS) includes a built-in TFTP daemon and I found that this can be used to serve files to any TFTP client (I’ve written before about using RIS to PXE boot non-Windows images and this was a effectively a variation on the same theme).

    All that was required was to copy the binary that I needed to run on my Ethernet switch to the RIS server’s remote installation share (\\servername\RemInst). Once the file had been copied to the RIS server it was simply a case of following the switch upgrade process and supplying the appropriate TFTP server address (i.e. the IP address for the RIS server) and filename.

    More blog spam

    A few months back I had to enable comment moderation on this site to deal with the blog spam I was getting. Unfortunately, over the last few days I’ve had to delete hundreds of spam comments sent to my e-mail for moderation so, with regret, I’ve had to turn on word verification to make sure that comments are only left by humans.

    Please continue to leave comments on the blog – it’s always nice to hear when something was useful, or when someone has some additional information relating to one of my posts. I’m just sorry that I have to put these blocks in to make it harder for the ‘bots – unfortunately it also makes it harder for people to leave genuine comments too.

    Office Groove 2007 overview

    Microsoft Office

    At the risk of annoying yet more people at Microsoft after my comments in this week’s Computer Weekly, last night I attended what was probably the worst Microsoft event I’ve ever been to. To be fair to Microsoft, they are kind of pre-occupied this week… some sort of big launch happening today… something called Windows Vista and Office 2007… but this was Bad (note the capital B).

    I’m not sure if I should name the presenters – I’ll just say that there was an IT Pro Evangelist who is normally both a good presenter and who generally gives the impression of possessing detailed product knowledge (something which was sadly lacking at this event) supporting someone from the marketing side of the organisation as she gave a very superficial run through a slide deck with which she was clearly unfamiliar.

    Microsoft Office Groove 2007

    The topic was Office Groove 2007 and this was supposed to be a technical overview. To me, it felt like an unrehearsed dry run of a presentation about a product that has been bought into the company and which, based on last night’s presentation, very few Microsoft people understand. Luckily, Ray Jordan from D2i Solutions – the UK distribution partner for the original Groove Networks product line – was extremely knowledgeable and stepped in to rescue the event (although he seemed to disappear at the refreshment break – presumably embarrassed at having to answer questions from the audience to pick up on the Microsoft presenters’ shortcomings).

    For those who are not familiar, Groove Networks was a company founded in 1997 by Ray Ozzie (originally of Lotus Notes fame and now Microsoft Chief Software Architect) which specialised in collaboration products and was purchased by Microsoft in 2005. There’s some speculation as to whether Microsoft wanted the company’s products or were really after Ray Ozzie himself, but whatever the politics, Groove Virtual Office is now being absorbed into Microsoft Office.

    I used Groove Virtual Office 3.1 for a recent project and found it both useful and impressive. With the launch of Office Groove 2007, I was interested to see what Microsoft has done to the product. It seems that the product bundling has changed and there are some minor changes but on the whole it’s very similar.

    Office Groove 2007 is a team workspace application that provides for greater collaboration between customers, partners and colleagues which each user having access to a number of collaborative workspaces across a range of projects. These workspaces may be customised with a range of tools and templates to allow people to use their time effectively through offline working, yet remaining synchronised.

    Whereas users in a corporate environment are used to sharing information using file servers and intranets, once a project or other collaboration requirement crosses organisational boundaries it gets more difficult. Groove overcomes this using a highly secure yet distributed architecture whereby each workspace member synchronises changes with others and a relay server acts as a broker when workspace members are offline.

    The process of sharing a workspace involves either synchronising a local folder via Groove or creating a new XML datastore, protected using an internal PKI mechanism (with 192-bit AES encryption), then inviting others to join the workspace and sharing encryption keys between members. Each workspace member is allocated one of three roles – manager, participant or guest – and has an exact copy of the workspace. These roles can be amended within the workspace properties and the permissions assigned to each role can also be adjusted. When synchronising changes only the changed portions of the database are transmitted (a hash is calculated on the whole file and on each portion of the file – by comparing hashes it is possible to work out which portions have been modified) and because each change and the whole workspace is signed using the internal PKI (as well as all network traffic) it is impossible to inject any malicious changes.

    If a workspace member does not access the workspace for 21 days then they are uninvited – a process which involves all other members having new keys issued – effectively locking the absent member out of the workspace. If a member cannot sign in they can still work offline and access data but no changes will be synchronised. When I suggested that this was a security loophole it was pointed out to me that it is really no worse than traditional methods of sharing data (e.g. transferring files via e-mail) and that digital rights management can be applied to further protect the data (although that would remove many of the advantages of offline access to the workspace).

    In addition to controlling workspace members, Groove is able to synchronise data between devices (e.g. a home PC and a work PC) by inviting other devices into the workspace. If a conflict does occur during synchronisation, then two copies are created and the duplicate is suffixed with the username.

    Within Groove, it’s easy to identify new content as it gains an additional red flash on the icon. There’s also a communications manager which can be used to monitor the status of synchronisation.

    By default, Groove communicates using its native simple symmetrical transfer protocol (SSTP) over TCP port 2492. If this port is unavailable (e.g. blocked by a firewall) then the client and/or relay servers will encapsulate messages within standard HTTP and drop back to using HTTPS over port 443 or, as a last resort, HTTP on port 80, as described in Microsoft knowledge base article 917165.

    Each workspace can be based on a standard template or can include additional collaboration tools, including file sharing, discussion tool, calendar, forms, SharePoint files, meeting tool, notepad, pictures and a sketchpad. It’s also possible to build custom forms (or to import them from InfoPath). In addition to workspaces, Groove provides an instant messaging and presence awareness capability for workspace members. I found it strange that Microsoft should continue the use of the Groove instant messaging feature (in addition to its other IM clients) but in reality this is the lowest common denominator – it will read contact lists for both Windows Live Messenger and Office Communicator but because there are no guarantees that all workspace members will be using the same instant messaging client, building the capability into Groove neatly circumvents any connectivity issues.

    One of the main changes with Microsoft Office Groove is the product packaging – whereas the Groove Networks incarnation of the product was based around a distributed network of users and Groove’s own public (but highly secure) servers, corporate customers need to see that their data is stored on servers under their own control, with tight controls over account creation. Consequently, Microsoft have made it easier for corporate clients to run the Groove server product internally.

    In addition to the Office Groove client application, there area number of server roles – manager, relay (store and forward synchronisation and messages between workspace members as they come online but others are offline), data bridge (to allow the extension of data to other teams) and an enterprise auditing management server.

    Centralised administration is made possible using policies to apply identity and device controls (e.g. throttling bandwidth). The Groove server maintains its own account database (which can be synchronised with other directory servers) for provisioning and revoking access and this is where Groove’s heritage is obvious – it would seem reasonable to expect future versions of the product to feature tighter Active Directory integration and possibly the use of ADAM where a connection to a non-Microsoft directory is required.

    One potential issue for organisations looking at using Groove in a centralised manner is that of backing up the distributed data within Groove, because there is no central storage location and backups of local copies of the workspace can be invalidated by subsequent PKI key changes. Microsoft’s answer is that the synchronisation mechanism provides built-in protection – certainly more than is generally afforded to user data held on individual PCs.

    There is still a hosted version of the product – Office Live Groove. This allows for workspace members to use the Groove client with a public relay server; however they do not lose any or the security within the product. All communications are still signed and all data on the relay server is transient. For many organisations that do not want to maintain their own Groove server infrastructure, this is an ideal solution.

    In all, Office Groove 2007 looks to be a great product. The only problem I can see is persuading an IT Manager from a blue-chip corporate to look at a product called “Groove” (it’s probably not such an issue in a creative organisation). Maybe the usual bland Microsoft product names are not so bad after all…

    To find out more, read the Microsoft Office Groove 2007 product guide or download a trial version of Office Groove 2007 – both are available from the Microsoft website.

    VMware ESX Server and HP MSA1500 – Active/Active or Active/Passive?

    Recently, I’ve been working on a design for a virtual infrastructure, based on VMware Virtual Infrastructure 3 with HP ProLiant servers and a small SAN – an HP MSA1500cs with MSA30 (Ultra320 SCSI) and MSA20 (SATA) disk shelves.

    The MSA is intended as a stopgap solution until we have an enterprise SAN in place but it’s an inexpensive workgroup solution which will allow us to get the virtual infrastructure up and running, providing a mixture of SATA LUNs (for VCB, disk images, templates, etc.) and SCSI LUNs (for production virtual machines). The MSA’s Achilles’ heel is the controller, which only provides a single 2Gbps fibre channel connection – a serious bottleneck. Whilst two MSA1500 controllers can be used, the default configuration is active-passive; however HP now has firmware for active-active configurations when used with certain operating systems – what was unclear to me was how VMware ESX Server would see this.

    I asked the question in the VMTN community forums thread entitled Active-Active MSA controller config. with VI3 and MSA1500 and got some helpful responses indicating that an active-active configuration was possible; however as another users pointed out, the recommended most recently used (MRU) recommended path policy seemed to be at odds with VMware’s fixed path advice for active-active controller configurations.

    Thanks to the instructor on my VMware training course this week, I learned that, although the MSA controllers are active-active (i.e. they are both up and running – rather than one of them remaining in standby mode), they are not active-active from a VMware perspective – i.e. each controller can present a different set of LUNs to the ESX server but there is only one path to a LUN at any one time. Therefore, to ESX Server they are still active-passive. I also found the following on another post which seems to have been removed from the VMTN site (at least, I couldn’t get the link from Google to work) but Google had a cached copy of it:

    “The active/active description”… “seems to imply that they are active/active in the sense that both are doing work but perhaps driving different LUN’s? i.e. if you have 10 volumes defined you might have 5 driven by controller A and 5 driven by controller B. Should either A or B fail all ten are going to be driven by the surviving controller. This is active/active yes [but] this is also the definition of active/passive in ESX words (i.e. only one controller have access to one LUN at any given time).”

    Based on the above quote, it seems that MSA1500 solutions can be used with VMware products in an active-active configuration (which should, theoretically, double the throughput) but the MRU recommended path policy must be used as only one controller can access as LUN at any given time.