MDaemon, Airwatch and iPhones

Faced with the task of rolling out iPhones to nearly 100 users, we thought it would be best to investigate some Mobile Device Management (MDM) vendors: trying to keep track of 100 free “find my iPhone” accounts might be achievable, but it certainly wouldn’t be fun.

We fairly quickly decided on Airwatch (http://www.air-watch.com/), relatively new to the marketplace in terms of MDM but cheap enough that we could give it a go without too much heartache.

At the same time as this, MDaemon (our preferred e-mail server software) released an update which supported Exchange ActiveSync (if the name makes you shudder because of flashbacks of crappy PC-based synchronisation problems, fear not, it’s different): this presented us with an opportunity to roll out 100 centrally managed iPhones with vastly improved functionality and ease-of-use compared to our previous implementation.

Continue Reading →

Quick: Why not to buy the iomega ix4-200r for veeam backups

In previous blog posts (Using veeam to backup the new virtual infrastructure to Iomega NAS boxes and Backup Strategies with Virtual Machines in VMware using Veeam) I mention my purchases of the iomega ix4-200r; generally I haven’t been impressed with them because they’ve been a little unreliable.

Looking at how others around the net were using them, I decided that the best way to have a target for my veeam backups would be the iSCSI initiator in Windows straight onto the device, so I should provision a LUN, add it to Windows and write to it.

I tried and failed. After about a week of to’ing and fro’ing with veeam, vmware and iomega support I got to the bottom of the issue: these NAS boxes are software locked to provide LUNs that are <= 2TB in size*. Bearing in mind my 8 file servers each serve up anywhere between 500GB and 1TB worth of data, this means that my first backup file from veeam is always going to be over 2TB, making the device pretty much worthless in my environment.

*I’ve been assured that a LUN that’s exactly 2TB will work, although I can’t actually get that working in my test lab having tried it on two separate devices.

Remote Access Options in Server 2008R2

Server 2008R2 has many different methods that allow connections to your business network from outside for whatever purposes you see fit (most often though, home working). What’s better still is that once you’ve bought your Server 2008R2 installations these specific features don’t require any extra licensing or purchase cost; all it takes is your time and willingness!

The roles that I’ll mention today are:

  • Routing and Remote Access (RRAS)
  • Remote Desktop Gateway
  • Remote Desktop Web Access
  • Remote Applications (RemoteApp)

The different versions of Server 2008R2 have different levels of functionality for the roles that we’re interested in: Network Policy and Access Services and Remote Desktop Services, so you should check using this hugely cropped table that I’ve made from lifting the information found on the Microsoft website about comparing server editions by role.
Continue Reading →

Find my iPhone can work on iPhone 3 and 3GS too

I know, it’s probably not something that we should talk about too loudly lest Apple get upset, but it’s true: you can use the “Find my iPhone” feature that Apple recently made free for the iPhone 4 with your iPhone 3 and 3GS, but there’s a trick to it: you’ll need a willing friend who does have an iPhone 4 for you to borrow.

Enabling Find my iPhone on the iPhone 3 or 3GS

Continue Reading →

Using the Dell EQL MEM Module to simplify my backups (also, thanks again, veeam!)

Many posts cover the installation and performance benefits that come from using the Dell Multipathing Extension Module (MEM) on EqualLogic arrays (check the spoonapedia.com one), but the big difference for me was a rather pleasant side-effect in terms of handling backups! I’ve covered this strategy at a high level in my previous blog post, Backup Strategies with Virtual Machines in VMware using Veeam, but I wanted to explain in a little more detail how I actually got there: it was down to the MEM!

Before – accessing data from within the OS

Because the file servers I’ve been working on access a lot of data (8TB worth), the original setup involved using the EqualLogic Host Integration Tools (HIT kit) from within the file server OS to access LUNs on the EQL array. This provided valuable multipath access and proved to be a very successful way of handling access to the data. The problem was that it complicated backups quite significantly: I could use veeam to back up the OSs (and I did), but I had no way of backing up the actual file data.

With various bad experiences of using market-leading backup software such as BackupExec in the past, I wasn’t in a rush to go out and spend money on a software solution to handle all this file data, so I resorted to a very low-tech solution: I bought a NAS box and did a nightly robocopy.

This was simple, but it was awful: the backups didn’t finish in time (they’re being taken over a 100mbit LES) and they never caught up with themselves. It was a waste of time and it basically meant no backups were worth having.

After – install the MEM and let ESXi deal with it

But then the MEM came out, and essentially claimed to offer the same (if not better) performance via ESXi: no messing around with the HIT kit any more and, more importantly, a chance to re-evaluate my first decision about not using .vmdks… I changed my mind.

The first time round I did a thick LUN straight into Windows, formatted as NTFS, simple. This time I re-evaluated and did a thick LUN on the EQL and then allocated thin disks in ESXi and mounted them to the file servers… This gives me greater flexibility if a disk gets close to its limits, but it also now means that the extra .vmdks are picked up by veeam, allowing me to replicate my previously successful backup strategy.

In summary…

Veeam now handles the file data as incremental .vmdks, which means it only transfers the changes in the .vmdk files; the entire series of backups finishes over the 100mb LES in about 12 hours (which, bearing in mind I run it once a week at the weekend, is ideal). The previous robocopy never finished in that amount of time: the size of the data transferred is obviously the same, but because robocopy iterated through every single file and folder for a comparison it took much longer, whereas now veeam just… does it. And it was a product that I already had, so it didn’t require any extra spend (not to mention the money that can now be saved by not upgrading the LES to 1GB purely for the purposes of backup).

Next?

Now being quite satisfied with this setup I’m going to investigate the series of advice from ErikZandboer on optimising his ix2-200 backup speeds, specifically the post that looks at jumbo frames to target storage.

Apple iPhones and MDaemon E-Mail Server: Enterprise Rollout with SyncML?

MDaemon is an email server which for a while has been actively competing with Microsoft Exchange; where Exchange has a slight advantage, in my opinion, is with its widespread adoption into the rapidly expanding and feature-rich “smartphones in the enterprise” arena.

As blogged back in 2008 here: http://www.everything-mdaemon.com/category/mdaemon/syncml-mdaemon there are indeed some ways around this, and things are even a little better than they were then. Previously, if you wanted to use your iPhone with your MDaemon server then you would have to:

  • Cope without any real enterprise-level management
  • Not have any mobile security options such as tracking or remote wiping
  • Not have any calendar or contacts information, e-mail only via IMAP (unless you tried to use the badly reviewed Funambol or the better, but previously painful-to-use, Synthesis ToDo+Cal apps)

Now, for the most part Apple have done an excellent job of making things better. For a start, with the introduction of iOS4 they’ve introduced multitasking, which made everything so much better because it meant that you could leave your third party calendar app open in the background so that reminders came up, bonus! (Previously this required a complicated export-to-.ics-and-read-back-into-the-iPhone’s-calendar-just-to-make-reminders-work game.)

Apple have now additionally allowed access to the calendar on the iPhone in its entirety, which means you can do away with the third party calendar apps altogether and just worry about synchronisation; so far only one app appears to have risen to this charming development: Synthesis SyncML Pro (this app, and the still-available Synthesis ToDo+Cal app, are now developed by http://www.plan44.ch).

Of course Apple also now let us use the “iPhone Configuration Tool”, which is quite handy: it allows you to pre-configure as many profiles as you like for each phone you plug in (I configure each phone with a baseline of “corporate” settings and then an individual one with e-mail account details etc., so two in total). It’s really good, but it is currently missing some helpful features, such as the ability to add and lock a MobileMe account for corporate seek-and-rescue requirements.

iPhone Configuration Tool

On which note, now that Find My iPhone has been made free for iOS4 devices there’s a way to track and remote wipe handsets, although this is a cumbersome one-at-a-time process when initially setting up.

So in short if you have MDaemon and you want to roll out iPhones I would suggest:

  1. Use the enterprise iPhone Configuration Tool from Apple to make two profiles: one containing company policies like password requirements; one containing individual settings like e-mail accounts
  2. Use Synthesis SyncML Pro for Calendar and Contact synchronisation from MDaemon
  3. Set up Apple’s Find My iPhone for each iPhone you deploy (assuming iPhone 4+)

Each phone will need a bit of manual configuration such as changing the IMAP Sent Items / Deleted Items folders; throwing in the usernames and passwords for MDaemon for Synthesis to work; and manually adding the MobileMe account information for Find My iPhone, but ultimately you’ll have a tidy enough working solution that certainly beats having to force iPhone users to load up a web page and visit webmail (WorldClient) when they want to check their calendar.

Backup Strategies with Virtual Machines in VMware using Veeam

A recent tweet from @win2ksrv, retweeted by @veeam, reminded me that I was going to write about the most recent backup strategy that I’d put in place using Dell EqualLogic SANs, VMware and, of course, veeam. It went like this:

What is everyone’s Veeam backup strategy? What do you backup to & how do you get it offsite? Where do you place Veeam itself?

The basic setup looks like this:

The production site has a Dell EqualLogic array and a local NAS box (that’s the black thing); the backup site, which is connected via a 25mbps internet-based VPN, simply has a larger NAS box (it deals with multiple sites). VMware has been used to create all the file server disks (they are .vmdks) and veeam is installed in another virtual machine using appliance mode to access the SAN.

There are essentially two main risks that we want to mitigate against here:

  1. Accidental deletion / corruption of files
  2. Complete site wipeout (i.e. full blown disaster)

Continue Reading →

Playing with RemoteApp in 2008R2

As you may know, Server 2008 has changed “Terminal Services”: firstly it’s been renamed to the rather catchy “Remote Desktop Services” (requiring the purchase of concurrent Remote Desktop Services Client Access Licenses); and secondly, and rather majorly, it’s implemented RemoteApp, a way of delivering applications to clients using remote desktop but without it looking like remote desktop.

An example

Don’t understand? Allow me to illustrate with an example then.

So you’ve got an application, like Microsoft Visio; you’ve got 20 licenses that allow for 20 concurrent uses and you want to be able to share these across an organisation. How do you do it? If you wanted a free option (i.e. didn’t want to pay for Citrix or Terminal Services) then you would have a physical hot desk machine that the users would sit at when they wanted to use the application; and if you got bored of that you could use machines with remote desktop on them instead.

Why Terminal Services now, and not before?

The big change here is related to how the application can be delivered, the Remote App packaging:

  • allows for the application shortcut to be installed via .msi (so easy group policy rollout);
  • puts the application on the start menu, as if it were local;
  • allows for file extensions to be automatically associated with the remote app (which is REALLY handy);
  • means that the program runs in a “normal” application window, rather than in a whole screen-hogging remote desktop session;

The server setup

As always, this is slightly easier if you have virtual servers because you can separate the roles below into distinctly separate servers, but here’s the basic structure I’ve set up:

RemoteApp Setup Diagram

  1. Clients connect to the Connection Broker (which performs load balancing and reconnects people to the right server if they get disconnected)
  2. Using a round-robin configured DNS name (the farm name) a Remote App server (which actually has the application installed on it) is selected and a session begins
  3. The License server is configured with the purchased CALs (around £60 each) and keeps track of free / available licenses, preventing an overcommit (unlike standard CALs which are not monitored)

Any setup in 2008 will then additionally allow you to set configurable items such as the amount of time before logging someone off and releasing their license back to the pool; whether multiple connections should be merged when from the same client or same user name and so on.

Other stuff

The obvious thing that can go wrong here is licensing: you need to ensure that your Remote Desktop Services CALs do not allow you to run over the number of licenses for any installed applications. You can’t have 20 Project 2010 licenses and 20 Office 2010 licenses and then assume that 40 CALs will be fine, because that would allow users to open 40 copies of Project 2010 and 0 copies of Office, which would be wrong.
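The license server only counts RDS CALs, so the per-application overcommit described above has to be watched separately. As an added example that is not part of the original post, the PowerShell below runs on a RemoteApp session host and counts, via WMI, how many distinct users currently have each licensed executable open, then flags any application whose concurrent users exceed the number of licenses owned. The executable names and license counts are assumptions; run it on each host in the farm and add the results together, since users on different hosts each consume a license.

```powershell
# Added example: spot application-license overcommit on an RD Session Host.
# Assumed executable names and license counts; adjust to what you actually own.
$LicensedApps = @{
    'VISIO.EXE'   = 20   # assumed: 20 concurrent Visio licenses
    'WINPROJ.EXE' = 20   # assumed: 20 concurrent Project licenses
}

function Get-AppLicenseUsage {
    param([hashtable]$Apps = $LicensedApps)

    foreach ($exe in $Apps.Keys) {
        # Win32_Process sees processes from every session on the host, not just ours.
        $procs = @(Get-WmiObject -Class Win32_Process -Filter "Name='$exe'")
        $users = @()
        foreach ($p in $procs) {
            $owner = $p.GetOwner()
            # ReturnValue 0 means the owner lookup succeeded (processes that are
            # exiting or protected return an error and are skipped).
            if ($owner.ReturnValue -eq 0) {
                $users += ('{0}\{1}' -f $owner.Domain, $owner.User)
            }
        }
        # One user with several windows open still consumes a single license.
        $inUse = @($users | Sort-Object -Unique).Count
        $limit = $Apps[$exe]

        New-Object PSObject -Property @{
            Application  = $exe
            UsersInUse   = $inUse
            Licensed     = $limit
            OverCommit   = ($inUse -gt $limit)
        }
    }
}

# Report, and exit non-zero if anything is over its limit so a scheduled task can alert.
$usage = Get-AppLicenseUsage
$usage | Format-Table Application, UsersInUse, Licensed, OverCommit -AutoSize
if ($usage | Where-Object { $_.OverCommit }) { exit 1 }
```

Because the check is per host, a farm of three session hosts needs the three UsersInUse figures summed before comparing with the license count; the non-zero exit code makes it easy to hang an alert off a scheduled task rather than discovering the overcommit at audit time.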

Once you’ve played and are happy you should also consider investigating RD Web Access, to allow you to push these Remote App programs out over the internet via a webpage to end users too; or RD Gateway, which if configured correctly would allow you to offer these over the internet solely using the RDP technology (so without the need for a VPN or a web page showing a list of applications).

Enjoy!

Using Network Access Quarantine for VPN Clients

The Scenario

Migrating machines from physical installations to virtual installations can be a chore, but it can also give you an opportunity to roll out new features and test new setups.

Having previously used a Microsoft Server 2003 installation to provide a free-of-charge and easy-to-maintain VPN system for employees I wanted to tighten up the security and be more specific about which users were able to connect to the VPN and what access they were allowed.

Two levels of access had already been decided upon, although not implemented in the current build of the VPN server (using Routing and Remote Access in 2003), and these were:

  1. Provide unlimited network access for company staff on company equipment
  2. Provide limited access for company staff using their personal home equipment

The intention here is that anyone with permission would be able to use any computer on the internet to connect in and perform certain functions, but to be able to browse all the data drives and have unlimited network access you would need to use a company laptop, which in turn would be considerably more likely to have antivirus software on it and be up-to-date.

The upgrade

The upgrade to Server 2008 R2 gave an ideal time to test and implement the specific features that were required: two servers were being used side-by-side; the current 2003 box sat on an old 2mbps line and served all the current clients, while the new 2008R2 box was on the new 25mbps line and was only serving the test clients until testing had been completed.

Despite the existence of the Microsoft Server Migration tool I was unable to successfully migrate the settings from 2003 to 2008, and so had to manually re-create the VPN server in RRAS and create two policies which mirrored the above settings.

The settings
Continue Reading →

A template for new offices

Now that the first and largest implementation is almost complete, I have to start thinking about producing an easy-to-understand template that allows us to build site offices in a practically identical manner. One of the main goals of this project was to have a repeatable template of systems and processes that allowed us to almost drop a pre-fabricated solution into a physical building; this sort of template would be tried and tested and be the first step to producing a business service of “deploy new office”, a service which until now has been very ad-hoc and piecemeal.

From a very high level there are a few things you need to deploy IT systems into a new building:

  • Connectivity (Telephony and Data)
  • Hardware (Servers, Cabling, Computers)
  • Software (Client OSs, Server OSs, Applications)

Our template already includes a base for things, which has come as a direct result of building up the first office: we know that a new site wants Dell EqualLogic storage so that it can use the inbuilt replication between sites (for backup etc.); two servers for redundancy; an uninterruptible power supply and environmental monitoring. We know that the site needs at least 10mb of internet connectivity, but keeping in line with recent work this will actually start at 25mb, and we know that there is a need for phone lines (for staff to make calls, as well as for alarms etc.). In terms of software, the client OSs are all still going to be Windows XP (but with a view to upgrading to 7 later on throughout) and the server OSs are going to be Windows Server 2008 R2; the datacentre licensing here becomes a bit of a no-brainer, which I’ll explain in a follow-up post.

So that’s it, that’s the start of our template for a new site office! I’ll explore the three high-level requirements in more detail in future posts.