Tom Decaluwé

SuperFlow, Microsofts new way of documenting?

2010-03-15T12:20:22Z

download at:

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=f1ebfda1-da51-44cc-99cb-96ad0fd40bdf

For years Microsoft has been producing tones of documentation in the classic form of chm files and online technet articles.

This has been great for us to use when getting to know new products but it’s proven to be a pain for troubleshooting.

MS is now piloting a new way for creating more interactive and flow driven troubleshooting documents. It’s great to see the TMG team where able to pick up on this and create a sample SuperFlow for troubleshooting TMG 2010 install process.

So what does it do,

it’s a tool that gives you a per topic flowchart of what is going on. I really love this flowchart with zoom in/out principal as it gives you a great way to see how far down the configuration line you have gotten.

By clicking on the flow steps you directly get information on where to look, what to expect and what to do about error’s in that specific part of the flow. They really bundled the core info for us removing all the clutter that just makes it more difficult to read.

I hope to seem much more of these types of doc’s in the future as they give a great flow view and immediate detailed info for troubleshooting.

MS Wiki

2010-03-14T20:16:06Z

Everybody know the concepts of Wiki’s and what a great value they are as everyone can pitch in to create the most complete, accurate and reader friendly documents knowledge can buy.

MS has seen the power of the wiki and if you have not seen it yet it’s time to head out to http://social.technet.microsoft.com/wiki

You’ll also see some articles starting to pop up on my most loved topic TMG, so check them out.

http://social.technet.microsoft.com/wiki/contents/articles/troubleshooting-forefront-tmg-utl-filtering-common-issues.aspx

http://social.technet.microsoft.com/wiki/contents/articles/troubleshooting-forefront-tmg-caching.aspx

Laura Chappell’s Wireshark book get ready

2010-03-09T21:49:44Z

For anybody interested in Wireshark sniffing, it’s time to get your credit card out of you pockets an get a pre-ordered copy of Laura Chappell’s new book due for release March 29!

Have a look at the sample page and you’ll know it' will be well worth it’s money.

http://www.wiresharkbook.com/

SNMP read IfInOctets => great trend But what about the absolute throughput value?

2010-03-08T23:14:55Z

If you have ever tried to read the throughput value of an ethernet interface in and out using SNMP you may notice that it’s quite easy to get a nice trend graph using your favorite plotting tool (MRTG, zabbix,…) but when you try to get the actual throughput value the amount just never seems to be correct.

During this article I’ll try to explain how the Cisco IfInOctets and IfOutOctets work and what you need to do to get the right value.

1) What is the IfInOctets and IfOutOctets value:

The first thing you need to know is that a Cisco router holds it’s interface value in two tables IfTable and IfXTable, these are fully described in RFC1213/RFC2233.

- ifTable defines 32-bit counters for inbound and outbound octets

-ifXTable provides similar 64-bit counters, also called high capacity (HC) counters

The values we are interested in are IfInOctest, IfHCInOctest, IfOutOctest and IfHCOutOctests. For the sake of this article we will focus on the In values but know that the exact same logic also holds for the Out counters. So lets have a look at the two in Counters. Let’s have a look at what the Cisco documentation tell’s us about these two counters:

- IfInOctets: "The total number of octets received on the interface,
including framing characters. The reference OID is: 1.3.6.1.2.1.2.2.1.10

Lets query this value of interface 1/0/1 on a Cisco stacked switch and see the result

- IfHCInOctets: "The total number of octets received on the interface,
including framing characters. This object is a 64-bit
version of ifInOctets. The reference OID is: 1.3.6.1.2.1.31.1.1.1.6

Lets query this value of interface 1/0/1 on a Cisco stacked switch and see the result

As you can read, both values actually return the same data “Total number of octest received”, but we are faced with a first dilemma, you have two counters to poll, each returning a different absolute value and in some bizarre way both are giving you the Total number of octets received.

- IfInOctets 1.3.6.1.2.1.2.2.1.10

For us to understand this we need to know what the value is that is being returned. SNMP is a very basic protocol that runs on just about any network device,… The core idea behind SNMP is simplicity, generic usable and low footprint. To ensure the low footprint SNMP has very little to no intelligence built in. It just returns values you would like to monitor and relies on your toolset to harvest this data en make it usable for you.

The counter we are reading returns the amount of octets received since

- the boot of the device

- since the last rollover period

There are two concepts here that we need to explain be for the puzzle will start to fall together for you:

1) # of octets received => that means if you want to know the data throughput you will have to read the counter twice at time_slot1_value and then lets say 1 second later at time_slot2_value. To know the throughput of octets now subtract

time_slot2_value – time_slot1_value = total # of octets send

2) since the last rollover => as you can imagine the amount of octet bytes sent is just an increasing value and this number can grow really really fast. And this is where the 32bit / 64bit values come into play. In the old days with slow speed networks a 32bit value was used to store the # of octets send, once this 32bit value fill’s to it’s maximum the counter resets to Null and restarts it’s count until it reaches the maximum value again. As you can imagine on a slow speed network this 32bit value fill’s up quite gradually and rollover does not occur all that often. However on a high speed gigabit network a lot of packets are passing through the interface and a 32bit value in memory fill’s up much faster. The net problem with roll over is that at a certain point in time you will subtract time_slot1_value from time_slot2_value but time_slot2_value will be smaller than time_slot1_value thus giving you a negative net value. This is alright for trend,… analysis as long as it does not happen to often.

To give you an idea of how fast this rollover occurs:

- a 10 Mbps stream of back-to-back, full-size packets causes ifInOctets to wrap in just over 57 minutes.

- At 100 Mbps, the minimum wrap time is 5.7 minutes

- At 1 Gbps, the minimum is 34 seconds.

=> this means the 32bit value is just not good enough for modern high speed networks and you will almost always ant to resort back to the 64bit ifHCInOctets counter value.

To follow Cisco documenation: “

For interfaces that operate at 20,000,000 (20 million) bits per second or less, you must use 32-bit byte and packet counters. For interfaces that operate faster than 20 million bits per second, and slower than 650,000,000 bits per second, you must use 32-bit packet counters and 64-bit octet counters. For interfaces that operate at 650,000,000 bits/second or faster, 64-bit packet and octet counters must be used.

Correspondingly, Cisco IOS® Software does not support 64-bit counters for interface speeds of less than 20 Mbps. This means that 64-bit counters are not supported on 10 Mb Ethernet ports, only 100 Mb Fast-Ethernet and other high speed ports support 64-bit counters. “

3) Converting Octets to bits is the last part we need to understand if we want to know the bits per tick that pass through our network interface. To convert the amount of transmitted octets on the Ethernet network to bits we must multiply by 8.

The ending formula to know the #of bits being transferred between two ticks would thus be:

Value2-Value1 * 8 = # bits transferred

The configuration of this within the zabbix platform is done as illustrated below. Through the four outlined fields.

and the end result should be a great looking trend graph with correct absolute end values.

OWA keeps prompting for Username / Password => Wireshark to the rescue

2010-02-26T15:23:12Z

Yesterday evening we patched a number of servers as we where running behind on our normal patch cycle. Everything went well but this morning I got a call from our UK users that their OWA system was not working.

Our infrastructure is running exchange 2003 with one Front-End in our central datacenter and two back-end’s one in each country UK / BE.

The exchange servers are all members of the root domain but the UK users are still part of a child domain.

Belgian users where having no problem accessing there OWA, syncing the Windows mobiles,… But I got a call from UK telling me they couldn’t logon to the webmail.

1. My first reaction was to review all patches and to check if Front-End and Back-End where all running at the same patch levels,… This didn’t seem to be a problem.

2. My second thing to check was if i could actually reach the back-end OWA interface from the front-end server. To my surprise this was also giving me the auth prompt’s and ending in an Access denied.

3. My third step was to access OWA on the Back-End from a local UK client, this was working without a problem :-(

4. After checking the firewall rules between front-end / back-end I decided to fire up my trusted Wireshark and see what the f*ck was going one. And yes within seconds I had my answer.

Packet 360 gave me what I needed to know => there was a +10 minutes time skew between the Front-End and the Back-End server that was causing Kerberos to error out.

6. After updating the firewall rules to allow NTP traffic a quick net time update and kazaaam, everything was back to normal

grtz

Tom

TechNet Live Meeting - Forefront Threat Management Gateway - Technisch overzicht 18-02-2010

2010-02-16T21:26:12Z

If you are interested in TMG and the Forefront product, don’t forget to register for Thursday’s 18-02-2010 online event:

http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032439027&EventCategory=2&culture=nl-BE&CountryCode=BE

This session will be presented by MVP Paul Loonen a security specialist.

IT-Pro Chalk Talk Session

2010-02-04T12:49:49Z

IT-Talks, Pro-Exchange & Winsec are teaming up to bring you the first every Belgian IT-Pro Chalk Talk session, on Thursday 4 March 2010, the the Microsoft België offices.

During this event we will be bringing a panel of MVP’s and other leading industry experts together to answer any and all of your technical questions in a live and interative environment.

The purpose of this session is to show you how the panel thinks and analyses problems from there expertise and where possible formulate answers or research options to help you solve your real world issues.

The technologies that we will be covering during this event are:

· Exchange Server

· Office Communications Server

· Active Directory

· Security

· General networking TCP/IP

· Group policies

We offer you the option to send your questions / problems upfront by email or bring them in and ask them live.

· info@pro-exchange.be

· info@it-talks.be

· chalktalk@winsec.be

Pre-registration for this event is required at http://itprochalktalk.eventbrite.com/.

If you can’t physically make it to this event you will have the opportunity to join in through a live meeting. The details will be emailed to all registered users.

IT-Talks, Pro-Exchange & Winsec

Registratie via http://itprochalktalk.eventbrite.com/

Location

Kantoren Microsoft België

Corporate Village

Leonardo Da Vincilaan 3

1935 Zaventem (Route beschrijving)

Time

Thursday 4 March 2010 19h00 till +/- 21h00

IE zero day attack patch MS10-002 => Install Now

2010-01-23T09:38:14Z

Anyone that has been following the security landscape the past few days knows a zero day IE attack was used during the Gmail attack that took place the 12th of January and lead to the Google statement that they would consider pulling out of China.

Since then the Zero Day IE exploit that uses an invalid pointer in IE has been looked at in all detail by the good, the bad and the ugly. There is exploit code out in the wild for every to enjoy and as a result MS as released an out of band security update that you should install NOW!

Head out to your local MS update site and update your PC’s asap. It’s important to know that even though the initial issue was thought to be limited to IE6, this is not the case and you need to patch IE7 and 8 too.

http://www.update.microsoft.com

more info:

http://blogs.technet.com/sus/archive/2010/01/21/microsoft-security-bulletin-ms10-002-978207-released-today.aspx

http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx

Forefront Threat Management Gateway – technet webcast

2010-01-21T11:19:10Z

Forefront Threat Management Gateway - Technisch overzicht

Deze sessie geeft een overzicht op de Forefront TMG - en de Forefront UAG features. Gesteund door de geïntegreerde Stirling beveiligingssuite en TMG’s geavanceerde beveiligingsfeatures krijgen organisaties geïntegreerde beveiliging die werkt in de praktijk. In deze sessie presenteren we de voordelen van deze geïntegreerde aanpak en gaan we dieper in op de belangrijkste features en de ‘high level’ architectuur. Daarnaast wordt ook ingegaan op de mogelijkheden binnen UAG zoals directe toegang, het publiceren van applicaties en veelvoudige authenticatie methoden.

18 Februari – 14:00 Inschrijven

Where have i been

2009-12-31T17:49:41Z

Well it’s been a while since i was on my blog but as you can see I had a good reason.

Our first born is a great sun weighing in at 2850gr and measuring 48cm, he’s adorable and really worth all the painting and decorating i have been doing in his room for the past weeks and months.

We have called him Ernest and I hope he grows out to love computers as much as I do ;-)

Fancy searching with Search Documents

2009-11-02T21:15:06Z

The more you read and work with windows 7 (and windows vista for those still out there) the more you start to find the little things that make it great.

One of the features I have re-discovered is the advanced search and filter in explorer.

I’m a real command line geek and one of the things file explorer could never do for me is give me a great way to search and filter through files untill i know found the search documents field.

In every file explorer you have the Search Documents that gives you a very rich search syntax.

< Field>:<Value>

Lets try some examples: name:Pictures

Lets try some examples: size:<field>

When typing in a field you can set your own value or choose one of the auto completion values.

After completing a search string you can also see the interface gives you option to select additional fields.

a somewhat more complex string could look like:

size:<200 and type:.csv or type:.jpg and not name:H

Aero shake

2009-10-30T07:25:42Z

If you have been using windows 7, this might be a feature you have not found yet but it’s well worth knowing:

To reduce distraction and clutter on the desktop you can minimize all other windows except the one you are actively using by shaking the window on our desktop. Let go and shake again and you restore all windows back to the original project.

Try it and see for yourself!

Patch Vulnerabilities in SMBv2

2009-10-13T21:45:25Z

If you have not done so this month, it’s high time to put some priority down and to start patching for the SMBv2 vulnerability!

http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx

Again, i can only stress it has taken a full month before MS released the fix so make sure to read my post on how TMG protects you from 0-day vulnerabilities.

http://trycatch.be/blogs/decaluwet/archive/2009/09/29/how-tmg-protects-you-from-smbv2-0-day-vulnerability.aspx

Next It-TAlks events

2009-10-12T20:14:14Z

Event Name: "Working with Forefront Threat Management Gateway 2010 "

Topic: During this event we will focus on TMG the follow up of ISA server and all its old and new features.

Speaker: Tom Decaluwé

Event dates:Event Dates:

Event

info

It-Short talk

Date and time: Monday 26 Oktober 2009 start at 19u00 – 21u30

Location: Contributiestraat 9, 9000 Gent

Entry: Free

Focus: During this event we will focus on the theory of the new features inside the TMG project and how and why to use them in your production networks.

Full day talk

Date and time: Saturday 21 November start at 10u00 – 17u30

Location: Spes Nostra - Koning Albertstraat 50 - 8520 Kuurne

Entry: 15€ for drinks and lunch

Focus: During this event we will focus on hands on practice lab around implementing TMG in your network.

you can register for these event by sending an email to tom@decaluwe.eu, include what events you will attend, seats are limited so register ASAP!

Forefront Threat Management Gateway 2010 Release Candidate Now Available

2009-10-12T18:56:22Z

If you have not done so yet, it’s high time to get the latest TMG RC

http://blogs.technet.com/isablog/archive/2009/10/11/forefront-threat-management-gateway-2010-release-candidate-now-available.aspx