I have been looking for a way to encrypt data on my ReadyNAS NV+ for the last couple of weeks and there’s nothing built in, and as of yet, no-one’s written a third party add-on that allows it to happen.

Having previously used TrueCrypt I thought I’d investigate options with that, and due to the fact that you can’t encrypt just a network share the options you’re left with are:

1. Make a TrueCrypt container on your NAS box and put all your data in that
2. Somehow hook up something iSCSI and encrypt that entire drive.

So, it turns out there is a third party iSCSI initiator, great, it’s published as a ReadyNAS plugin with instructions here, so I downloaded it and gave it a go. You need the EnableRootSSH Plugin too as you’ll need to run commands at the linux prompt to get this running properly.

I followed the instructions and tried to make a 2.7TB iSCSI drive (the size of the box) – this failed due to the fact that dd has a 2TB restriction (which I probably knew but didn’t remember) – you can in theory make larger ones using gpart but I couldn’t find it on the ReadyNAS I had.

Anyway, I tried both the options above, firstly I just made a TrueCrypt container on the NAS box (writing straight to the CIFS share) and then secondly I set up an iSCSI drive (without too many issues, mainly my own typos causing me grief) and connected to it from Windows 7, then used TrueCrypt to format it, I then did the classic iometer tests.

The results were interesting: using firmware 4.1.8 for the NV+ the difference between no encryption and TrueCrypt encryption is minimal, about 1MB/s – this is due to the fact that TrueCrypt will be doing all the work on my client machine rather than on the ReadyNAS device. Unfortunately, the iSCSI initiator performed really badly, offering speeds of approximately half that compared to just accessing files over CIFS:

You can see here that although the difference between TrueCrypt and not using TrueCrypt isn’t that huge (with TrueCrypt the results are on average about 7% slower); the difference between using the iSCSI initiator and the plain CIFS access is huge: anywhere from 38% slower to 51% slower.

The reason that I was initially concerned about using a TrueCrypt container is that I thought “oh no, it’s one file, if it becomes corrupted then I’ve lost all the data”, although realistically this is exactly what the iSCSI initiator does too, you use dd to create a single file and then share that up as an iSCSI drive, so not all that different after all. My conclusion is that I’ll just create a TrueCrypt container the size I require and use that via CIFS to achieve the encryption I’m looking for with my NV+.

Update: Just played with beta firmware 4.1.9T2 and the improvement speeds are drastic, the “normal” (no iSCSI, no TrueCrypt) CIFS speeds rose from 25MB/s to 45MB/s, using a TrueCrypt container the speed improvements aren’t quite as good, but the speeds rose from 24MB/s to 33MB/s.

Update: There is a slight bug in that the “stop” command does in fact not stop the daemon – a “ps” still shows the daemon running – from what I can tell this is because the PIDFILE is wrong, the script specifies /var/run/iscsi_target.pid the output is actually /var/run/ietd.pid – I changed the service script to match and it now starts and stops correctly.

For one of my first projects this year I’ll be looking at Application Virtualisation – streamlining application deployment by creating single executable files which can then run on any workstation, there are some obvious advantages to this such as centralised deployment and maintainance, as well as the speed at which new applications can be provisioned using such methods.

1. See all posts relating to this project

A project never really finishes, if you’re lucky you complete the initial requirements and get those signed off, and if you’re good at managing your project you’ll refuse to allow the scope creep in and mark any additional feature requests as “phase 2″ and evaluate them at a later date. One of the nice-to-haves with the deployment of iPhones was a VPN system so that you could access the internal systems when out of the office, and to date this has been in a very “test and dev” environment with access only for IT staff in a completely non-supported way.

However, I’ve found myself with a bit of time and so I started delving into the SCEP world for issuing certificates to iPhones which I would then later use to authenticate an SSL VPN connection, and here’s what I found.

Firstly, Apple’s documentation on the process is shocking, luckily Microsoft have been the better man in this instance and posted an entirely useful blog post on the subject which is available here: http://blogs.technet.com/b/askds/archive/2010/11/22/ipad-iphone-certificate-issuance.aspx.

In the section “NDES Configuration settings” on that blog post they make mention of Microsoft Patch 959193, as I have 2008R2 SP1 installed I already had the fixes available, but you should definitely consider using the HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP\UseSinglePassword setting as it will mean that you can put your challenge password into an iPhone/iPad profile and not need to change it every time.

More importantly (for me) is that there’s an additional hotfix required from Microsoft if you’re trying to do what I was trying to do, and it’s here:http://support.microsoft.com/kb/2483564. Specifically I found this because even though everything was set up correctly I kept getting an error in the NDES server’s even viewer that said: “The Network Device Enrollment Service received an http message without the “Operation” tag, or with an invalid “Operation” tag”

Do create an extra user account for your NDES service / application pools when the opportunity is given. If your NDES server isn’t your CA (and I imagine in many cases it won’t be) you’ll have to follow the post-installation instructions on 2008R2 that tell you how to use setspn.exe to delegate authority for your user account to access the CA, this is often achieved by simply bringing up a command prompt and writing:

setspn -s http/NDESSERVER domain\useraccount


If you get an error saying there’s multiple instances (which happened to me after I failed this installation the first time) then you will need to delete the old delegation before re-creating the new ones, this blog post on MSDN has a useful list of setspn commands which you can use for this purpose.

I had one additional error which was much harder to catch, after following all these guides perfectly I logged onto my server and got this in the event viewer: “The Network Device Enrollment Service cannot be started (0×80070002). The system cannot find the file specified.” as well as a nasty server fail message when I browsed to the website. If this happens to you then hopefully it’s the same issue as me and to fix it you need to log onto the machine using the account you created for NDES (i.e. not just the Administrator account).

Anyway, assuming you’ve followed the guide properly you’ll be able to navigate to http:///CertSrv/MSCEP_Admin/ and see a screen that looks a bit like this one:

And from here you can go ahead and fill in the profile on something like the iPhone Configuration Utility:

I had one remaining niggle after all of this, the thing kept failing and the event viewer KEPT showing me that “The password in the certificate request cannot be verified. It may have been used already. Obtain a new password to submit with this request.” – obviously nonsense, we know I’m using single passwords…. Turns out that when I was copying and pasting the key from the webpage it was bringing an extra white space character with it. I should have known better…

I hope I don’t get sued to high heaven for this sort of thing…

I recently translated the Portuguese subtitles from the Roam DVD (it’s a mountain biking film by The Collective) into English for a friend so I thought I’d upload them on the off-chance that one day someone happens to be looking for them, they’re not perfect but anyone’s welcome to them:

The Collective – ROAM – English

In order to do this I first needed to install the compat6x port:

cd /usr/ports/misc/compat6x/ && make install clean

I then mounted the freebsd.iso from the vmimages folder, mounted the cdrom into existing folder (/cdrom) and copied the folder to the temporary directory before extracting and installing:

mount -t cd9660 /dev/acd0 /cdrom
cp /cdrom/vmware-freebsd-tools.tar.gz /tmp
tar -xf /tmp/vmware-freebsd-tools.tar.gz
./vmware-tools-distrib/vmware-install.pl


Upon completion the installer then runs the first time required config to set up the installation.

As you will know, I’ve had no end of problems with iomega NAS boxes (and customer support for that matter), and so with a recent purchase decided to test the market again and purchase a different product.

Back in the day we had some Netgear ReadyNas boxes, little desktop units offering 2-3TB of network storage which was ideal for backups. The ReadyNas boxes weren’t special in any way, the interface was decidedly average and the software had a few quirks, but they did have one brilliant feature – they hardly ever stopped working.

So, I decided to give them a go again and have since done a direct comparison between the previously-complained-about iomega units and the newly-purchased netgear ones. There are a couple of differences you should know before you worry about the performance though: 1) the netgears are considerably more expensive; 2) the netgears come with a much better warranty.

How much more expensive? Well, I paid about £900 for an iomega ix4-200r and about £4,000 for the equivalent-size netgear. For the larger units, a fully populated ix12-300r would set you back about £4,000 whereas the equivalent netgear cost more like £9,000. The netgear 3100s come out of the box with two power supplies and two NICs, whereas the iomega only has one of each, so all together it sounds like it’s much more aimed at enterprise level customers. In addition, the netgear 3100 allows for creation of LUNs over 2TBs which was my initial complaint about the small iomega boxes.

These tests were all performed using the Microsoft iSCSI initiator from within a Windows Server 2008 R2 machine, accessing a 512GB LUN created on the devices.

So, onto the results. Using the classic iometer config file I tested for 100% read, 100% write and the Real Life 60% Random, 65% Read setups (you can download the iometer config file here), the numbers are MBps:

So, the Netgear 3100 vs the ix4-200r:

Next, the Netgear 3200 vs the ix12-300r:

I know. I’m as shocked as you are – with the smaller NAS box comparison, as you’d expect, the more expensive and reliable netgear wipes the floor with the iomega device, but when you scale up to the larger models the iomega devices start responding better again. Very strange! To make matters worse, the netgear 3200 units only have two network ports in them whereas when you upscale to the larger iomega boxes they come with four.

To illustrate the point here I’ve run the same comparison with the iomegas using 1, 2 and 4 bonded uplinks:

As you can see, tragically allowing more NICs to share the load means you can get increasingly better throughput (the iops rise in a similar fashion) whereas with the 3200 this will only be possibly with a maximum of two (yes, this is a touch unfair because I haven’t done the same test using both of the available NICs on the netgear and I should have) – but you know what? I’m still going to buy the netgear units over the iomega units just because of the horrible time I’ve had up until now.

So, in summary:

1. The 3100 is significantly better than the ix4-200r but there’s a cost implication – for on-site backups I think the 3100 will certainly become the standard choice
2. The 3200 performs well, but not as well as the ix12-300r
3. I will never buy another ix12-300r due to the history of issues I’ve had

In a previous blog post I explained that our iomega ix4-200r was a generally faulty product with little or no hope of ever making it into my good books, mainly because of the (deliberate) limitations on iSCSI LUN sizes.

After feeding this information back to the suppliers who recommended the product they gave a response which was something like “oh, yes, well, those are the small units, they’re not too good, try the larger unit instead: the ix12″.

And so we did, we bought a few ix12-300r units and configured them up appropriately, the good news is they don’t have a restriction on iSCSI LUNs that I’m bothered about – it might be set at 16TB but I’m okay with that. The bad news is, the product itself is just as unreliable and realistically can’t be used for anything sensible. We had a fault initially logged on the 13th October and as I write this on the 5th December it’s still not resolved fully.

We had devices in place for our backups as they offer really cheap storage, but actually that makes it much worse, because every time we had an issue with the device we lost all of our historical backup data, and no, it wasn’t the end of the world and yes we had copies, but it’s still really annoying to lose 14 days worth of incremental restore points just because of a hardware failure.

Here’s what happened with one of our ix12-300r units recently:

• 13th October: two disks in the ix12 stop responding and I log a call with support
• 14th October: I confirm that the disks really have stopped working
• 18th October: Replacement disks shipped
• 1st November: One of the replaced disks fails again, I contact iomega, again
• 4th November: They tell me they want to replace the midplane
• 10th November: They actually ship the midplane for replacement
• 14th November: Midplane arrives with no instructions on how to change, so I ask for some
• 15th November: I get the instructions, we do the change, now the device will not boot
• 18th November: After some to-ing and fro-ing they ship a new motherboard
• 22nd November: We replace the motherboard, it still won’t boot
• 30th November: They finally agree to ship a brand new unit, it arrives as a different model with 3TB disks in
• 30th November: The 3TB disks won’t work alongside the existing 2TB disks, we put all the old disks back in
• 1st December: After asking again I finally get a replacement disk for the one that broke originally on the 1st November
• 5th December: Drive 7 fails in the unit (a different disk)

Based on some more recommendations we’re trying out some Netgear ReadyNAS devices and I’ll post some updates as to how those compare shortly, but the fact that they come with a five year warranty (and cost a hell of a lot more) is actually very encouraging!

So the 1.0.9 version of Dell’s MEM module (ug, that’s as bad as PIN number), scratch that, of Dell’s Multipathing Extension Module for EqualLogic was released last week. I promptly ignored it for a week before reading the line that said “fully supported in production environments” (whoops) and installed it today. It wasn’t easy.

I’ve already upgraded vSphere Centre to version 5, and so I made an install package for MEM 1.0.9 (1.1EPA) – Update Manager then told me that it wasn’t required anywhere, “that can’t be right”, I thought to myself, and then realised that I needed ESXi 5.0 to install MEM; but you can’t install ESXi 5.0 while MEM1.0 (or anything pre 1.0.9) is installed. A little bit of a catch 22.

I then embarked on a whirlwind tour of command line chaos, using PowerShell to create my own installation .iso which combined the ESXi 5.0 install with the Dell MEM bundle, I uploaded that to the Update Manager and used it to upgrade two hosts, and I’m shocked to say that it worked almost perfectly, so, for the simple commands you need to use, see below!

To do all this you’ll need to download and install the vSphere PowerCLI.

So, run the VMware PowerCLI from the newly created shortcut on the start menu and do the following:

1. Connect to the vCentre instance you require:
   
   Connect-VIServer 10.20.30.40

2. Add the software images, both the offline install bundle of ESXi 5.0 and then the MEM zip file:
   
   Add-EsxSoftwareDepot -DepotUrl C:\myfolder\ESXi500-201111001.zip
   Add-EsxSoftwareDepot -DepotUrl C:\myfolder\dell-eql-mem-1.0.9.205559.zip

3. Get the Image name and the package name you want ready for the next commands, you’ll note I’ve specifically toned down the list of retrieved names for the software package because there are hundreds of them:
   
   Get-EsxImageProfile | Select Name
   Get-EsxSoftwarePackage -Name *dell* | Select Name

   
   This command should return something that looks like this:
   
Name
----
ESXi-5.0.0-20111104001-standard
ESXi-5.0.0-20111104001-no-tools

   Name
   ----
   dell-eql-routed-psp
   dell-eql-host-connection-mgr
   dell-eql-hostprofile

4. Add the three (I don’t know if you need all three, but I did) dell packages to the image:
   
   Add-EsxSoftwarePackage -ImageProfile ESXi-5.0.0-20111104001-standard -SoftwarePackage dell-eql-routed-psp
   Add-EsxSoftwarePackage -ImageProfile ESXi-5.0.0-20111104001-standard -SoftwarePackage dell-eql-host-connection-mgr
   Add-EsxSoftwarePackage -ImageProfile ESXi-5.0.0-20111104001-standard -SoftwarePackage dell-eql-hostprofile

5. And then finally export the bundle as an .iso for Update Manager (an .iso rather than a zip in this particular instance because the upgrade from 4.1 to 5 must be a complete .iso):
   
   Export-EsxImageProfile -ImageProfile ESXi-5.0.0-20111104001-standard -ExportToIso -FilePath C:\myfolder\ESXi5andMEM109.iso

You will then be able to import this .iso into Update Manager and use it in a baseline / remediate operation.

iOS5 was released at 6pm GMT yesterday (12th October 2011) – if you haven’t already upgraded your iPhone and iPad, then you should.

If you’re having issues because you’re getting “resource not found” when trying to upgrade to iOS5 or something similar-sounding, then fear not – it’s just apple’s servers being under a bit of strain, you can download the offline copy straight from the web site and then within iTunes simply do a backup and then shift-click “Restore” to browse to the offline file (remember to upgrade iTunes first though).

If you’re in charge of a fleet of iPhones I’d always recommend downloading the package first and then using it again and again on all devices to save time and internet bandwidth. You can either download it once in iTunes and then get it from:

C:\Users\smd\AppData\Roaming\Apple Computer\iTunes\iPad Software Updates
C:\Users\smd\AppData\Roaming\Apple Computer\iTunes\iPhone Software Updates

(or the equivalent place on your own system), or you can find out the URL from somewhere else such as this helpful article on osXdaily.

So here’s a brief list of the things that I’ve discovered in the last 24 hours which I’m particularly excited about:

1. The photo stream, which as we all know syncs pictures between devices, syncs to my Apple TV (update available), meaning I can screen-saver my most recent pictures automatically when I’m listening to music or whatever.
2. The addition of “find my friends”. When Google latitude was released, as an iPhone user, I was disheartened. But no more! This does exactly the same thing (only, of course, nicer): allows you to see your friends’ locations on a map in relation to your position, awesome!
3. For the iPad, Airplay mirroring: you can now airplay your iPad home screen (and any running app therefore) to an airplay receiving unit (like the apple TV)
4. LED flash for alerts – a little bit of a personal preference here, but you can make the iPhone 4 flash LED blink when you get texts and other notifications
5. Keyboard shortcuts. Go into Settings -> General -> Keyboard and you’ll see the default “omw” to “on my way!” translation. Add away for frequently used phrases that you want to be auto-corrected as you type them.

Faced with the task of rolling out iPhones to near-100 users we thought it would be best to investigate some Mobile Device Management (MDM) vendors, trying to keep track of 100 free “find my iPhone” accounts might be achievable, but it certainly wouldn’t be fun.

We fairly quickly decided on Airwatch (http://www.air-watch.com/), relatively new to the market place in terms of MDM but cheap enough that we could give it a go without too much heartache.

At the same time as this MDaemon (our preferred e-mail server software) released an update which supported Exchange ActiveSync (if the word makes you shudder because of flashbacks of crappy PC-based synchronisation problems, fear not, it’s different): this presented us with an opportunity to roll out 100 centrally managed iPhones with vastly improved functionality and easy-of-use when compared to our previous implementation.

Any MDM

If you want to get started with this, you should know that any MDM implementation will require you to be a member of Apple’s enterprise development program – this is awkward because it costs about $300 to do, but it’s also neat because it means you officially have access to beta releases of iOS which means you can test enterprise functionality and confirm things work before Apple release an update to all of your users.

It’s worth noting as well that Apple’s approach to MDM is that, ultimately, the user owns the device. You can lock down a device and install profiles and everything to your heart’s content, and you can keep your corporate data totally secure in that respect, but if a user decides to, he or she can remove the profile and be left with a blank iPhone – your data is secure, but you could easily lose the device itself. They do this because they expect in the majority of cases that you’ll be allowing users to enrol their own mobile phones, unfortunately in my case I was doing the opposite!

Airwatch

Airwatch is a cool piece of software, and it only costs £2.00 per month, per device, which makes it quite readily scalable for small-to-medium size businesses. The Airwatch interface is fairly intuitive and they have an iOS app which can be used for tracking the phone via GPS and suchlike.

Creating a profile in Airwatch gives you all the same options as in the iPhone Configuration Utility, it’s simply web based and you can push those profiles down to any enrolled device. As well as the usual remote wipe feature Airwatch boasts a more useful “un-enrol” which simply removes all the corporate information such as e-mail accounts and data from the device.

Having the profiles in a central location drastically reduces turnaround time if users require a replacement handset for whatever reason, you just enrol the phone and push down the profiles and straight away they’ve got their e-mail, calendar and contacts working.

The only issues I’ve had with Airwatch were:

• Originally I wanted to do a local install (rather than use the website as SaaS) – this proved to be impossible when we established that I was required to change my entire database collaboration first.
• They have, in the past, released new iOS apps without warning, which is fine, until you have to deal with all the incoming support calls about a pending update – this seems to be getting better.

MDaemon and Exchange ActiveSync

MDaemon then bring out Exchange ActiveSync which means that we can now automatically synchronise the calendar and contacts of a given user with the iPhone seamelessly, over-the-air, and in the background – a huge advancement on the manual sync required before. There are two ways to configure this in Airwatch and it very much depends on the first point I raised about MDM as to which you use. If you want your users to enrol their own devices, then super, you can set up a single profile which will take the user’s email address and password and create an automatic Exchange account on their iPhone for you.

If you’re rolling out a fleet of iPhones however, you’re unlikely to want that to happen and so what I did was create a profile for each user with their ActiveSync details in and their e-mail account details in (at the time of deployment we did e-mail over IMAP, and even though it is now possible over ActiveSync with MDaemon there’s no real reason to change).

An extra note on the joy of Webclips

Webclips are just little shortcuts on the iPhone’s home screen which lead to web addresses – if you deploy them via profiles (and therefore Airwatch) you can force them to launch in a full screen safari window which makes them look just like full web applications rather than web pages. It’s been a brilliant way for us to deploy information to end users such as communicating the effects of upgrading their company iPhones to iOS5. I made some nice little webclip icons that looked like this:

And when you clicked on the iOS5 one, for example, a full-screen web-page (well, actually PDF on a website) that looked like this was displayed:

iTunes: Turning on Activation-only Mode

That’s right, unfortunately I didn’t find this out until after the deployment (and it wasn’t a huge issue as I was installing apps at the same time), but iTunes has an activation only mode which you can use to just plug in an iPhone, have it unlocked and then do the next one. With iOS5 due to be released in about a week’s time this will probably stop being an issue (as we’re all going PC-free), it’s here: iTunes: Turning on Activation-only Mode.

Backups as base images

It may seem obvious too, but if you hadn’t thought about deploying with a baseline iTunes backup – do! You can set a blank iPhone up with all the required apps on it (assuming you have licenses etc) and then simply restore that backup onto multiple phones as part of a roll-out process.