Cisco NAC and Slow Windows Startup in Domains

The Problem

A client makes extensive use of the Cisco Network Access Control (NAC), a.k.a. Clean Access, solution for their Wi-Fi-enabled laptops. These systems are Active Directory domain members and, prior to an AD upgrade, would boot and have a user logged in within 2-3 minutes.

After the domain controllers were upgraded to Windows 2008 R2, the bootup process went from 2-3 minutes to 10-20 minutes, with the delays showing up on the “applying computer settings” and “applying user settings” notices (Windows XP clients). Event logs would show errors indicating DNS resolution had failed and similar things.


The Cost of SSL – Selecting Affordable Certificates

SSL server certificates are mandatory for finance, e-commerce, and any site that wishes to protect data in transit. Tied to a fully qualified domain name, they also provide a level of non-repudiation. SSL in its more modern incarnation, transport layer security (TLS), is a very effective layer of security.

A quick Google search for “web server certificate” or “ssl certificate” returns companies that sell basic level certificates from USD$50 (GoDaddy) to USD$700 (the rest of the prices in the article are in USD) for a standard single-domain, single-server, two-year certificate. Granted, these are retail prices, but most systems engineers or security staff only deal with obtaining these certificates once every couple of years.


StartSSL (StartCom) Certificates on the Citrix NetScaler

For a very low cost, it’s easy to use StartSSL (StartCom) certificates on the Citrix NetScaler product line. This includes the free NetScaler VPX Express edition. A lot of the problems I see with others configuring the NetScaler are related to either self-signed certificates or the use of intermediate (e.g., chained) certificates.

Using a StartCom certificate allows for a trusted CA (no certificate errors) and the NetScaler makes it easy to configure intermediate certificates. We’ll go through the entire process of creating a certificate usable on the NetScaler. The process is also the same for any chained certificate.


Best Presentation of XenDesktop 4 on Windows

XenDesktop 4 has raised the bar for virtual desktop (VDI) solutions. It’s now easier to provide a virtual desktop to users on differing operating systems and platforms. And having Citrix on the iPhone / iPad is just amazing eye candy too.

By default, all the tutorials for installing XenDesktop use the defaults. This means that under Windows, using a browser to connect and launch a session from Web Interface uses the online plug-in module. It works and provides multi-monitor capability, but has display artifacts and no nifty bar to manage USB connections and such. Besides this client, the Desktop Viewer can also be used as the default (if installed).


ESXi 4.1 and the 9000 Byte MTU (on vmk0)

Recently I did a “few” upgrades to the home lab. Besides an upgrade to enhance shared storage for vSphere (my old NAS was at 502 days uptime), I took the opportunity to enable jumbo packets on my Dell PowerConnect 5324 and the new fire-and-forget Thecus N7700PRO NAS. As the basis for new lab infrastructure to test VMware, Hyper-V and Xen, it’s a good improvement.

Since the first use was to test some of the new features of vSphere / vCenter 4.1, I also took the opportunity to change over to ESXi from ESX. According to VMware, 4.1 is the last release of ESX, so time to get cracking with ESXi, vMA, and the differences in managing the hosts.

I wanted to take advantage of jumbo frames on my ESXi systems. However, I didn’t decide this until I’d already installed the hosts (and didn’t see an advanced option to set the management interface MTU).


Replacing vCenter 4.1 SSL Certificate with Active Directory Issued One

This is an update post to reflect the differences in vCenter 4.1 vs the older vCenter 2.5 install. The older post can be found here.

Certain third party products such as XenDesktop respect the expiration date on the vCenter SSL certificate. The vSphere Client doesn’t mind so much, nor it appears do the vSphere (ESX/ESXi — err vSphere Hypervisor) hosts, but when your VDIs suddenly can’t be reached, it’s a bad thing. I’m sure other products may have the same issue.

By default, vCenter will create a self-signed certificate issued to “VMware default certificate”. Unlike previous vCenter installs, the certificate is valid for 10 years, but still can cause problems for third parties that want to see the proper common name (e.g., FQDN of the vCenter server).

In our case, since we’re not publishing any SSL services to the public and already have a Microsoft Certificate Authority, we can create and sign our own vCenter certificate. And just like the newer version of vCenter, we’ll set it up for 10 years too.

This can be completed in just under 15 minutes if all the prerequisites are in place. Took me an hour (including this documentation).


SharePoint 2010 and PDF iFilter (Adobe)

I’d love to use Foxit’s super fast PDF iFilter for my test SharePoint 2010 setup, but at $700, it’s not going to happen. However, the Adobe one works fine, after some regedit goodness. Looking online, there are lots of articles mentioning the SharePoint beta, but not the RTM. Here are the quick steps to get it operational:


Replacing vCenter 2.5 Self-Signed Certificate with Active Directory Issued One

Certain third party products such as XenDesktop respect the expiration date on the vCenter SSL certificate. The vSphere Client doesn’t mind so much, nor it appears do the ESX hosts, but when your VDIs suddenly can’t be reached, it’s a bad thing.

By default, vCenter will create a self-signed certificate with just the host name. In our case, since we’re not publishing any SSL services to the public and already have a Microsoft Certificate Authority, we can create and sign our own vCenter certificate. And just like the newer version of vCenter, we’ll set it up for 10 years too.

This can be completed in just under 15 minutes if all the prerequisites are in place. Took me an hour (including this documentation).


vSphere 4 (ESX) Update 1 Sadness

VMware’s Update Manager has always been too complex and cumbersome for small installations. However, back in the ESX 3.5 days, it at least worked. Late last year when vSphere 4 Update 1 came out, I once again tried using good ol’ Update Manager.


Snow Leopard Certificate Sillyness

I love OS X and every iteration has gotten better and better. But every once in a while tasks that should be simple–aren’t. Take the case of trying to add an S/MIME certificate to the Keychain.

In the past, simply double-clicking on the .p12 file would prompt for the passphrase and import it into the login keychain. After getting my certificate issued by StartSSL and stored in Firefox, I exported the certificate and private key, set a passphrase, double-clicked, and….

An error has occurred. Unable to import an item. The contents of this item cannot be retrieved. You failed to provide the necessary administrator authorization. (Added so the search engines will pick this up)
