Ok, this has been a little pain in my backside ever since last October . . . You load up SBS Standard, customize the companyweb main page with a couple web parts from the Online Gallery and everything is just peachy . . .
That is until you throw in your Premium Technologies CD and load ISA. Now your web parts aren’t working – so you decide that you’re going to try adding them again. Nice try – when you try browsing the Online Gallery, you either get a message that the gallery doesn’t exist, or that it doesn’t contain any web parts. Right – they were all there a few minutes ago . . . Take ISA out of the mix and voila! – the online gallery / web parts work as expected.
The official response from MS is to edit your web.config file for the Sharepoint site to include proxy information. This is fine & dandy – but it doesn’t work. Why? Because the reason this isn’t working in the first place is that ISA is denying the requests due to an authentication failure (check your ISA web proxy logs and you’ll see a 12209 error after you edit your web.config file to point to ISA’s proxy) – and there’s no way (that I’ve found at least) to provide user credentials for the proxy service in the web.config file . . .
Ok, so I’ve tried the usual suspects – I disabled required authentication for outbound web requests, edited the HTTP redirector filter to forward requests from SecureNAT & Firewall clients directly to the requested web server instead of the web proxy service, and it still fails. I have a hunch on why this is – but haven’t taken the time to research it in depth and get proof. I’m thinking the root of the issue is that WSS and ISA are on the same machine. I’m guessing that if we had WSS on a member server behind ISA, we could get it to work either by having the firewall client running & editing the web.config file to use the proxy, or by configuring the member server as a SecureNAT client and tweaking the HTTP Redirector Filter as mentioned above. Since WSS is running on the ISA server, it isn’t a Firewall or SecureNAT client (its default gateway is set to either your router or ISP’s gateway – not the ISA server (itself)).
So – just how in the Sam – Freakin – Hell do you get this to work? A packet filter young grasshopper – a packet filter. Open ISA Management and expand Servers & Arrays | | Access Policy | IP Packet Filters. Create a new packet filter that allows outbound HTTP traffic (TCP | Local : All Ports | Remote : Fixed 80). VOILA! You can access your Online Gallery, and the web parts even work! :^)
Now, it is very important to note that there is a security consideration to this workaround. Allowing this packet filter allows any app running on your server to go out on port 80 without providing user information. However, the traffic will still be logged in your ISA IP packet filter log. Assuming you make sure to leave IE configured to use the proxy and keep the locked down secure settings, limit browsing from your server as much as possible and follow general security guidelines, you shouldn’t have any problems. To put this in perspective, this workaround simply tweaks your SBS so that outbound traffic on port 80 acts just like it would on SBS Standard. All other traffic (inbound / outbound) is still subject to the more stringent ISA policies.
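Since the packet filter lets any process on the server out on port 80 with no user attached, the IP packet filter log is the only record of what used it. Here is an added example (not from the original post) that reads that log and flags outbound TCP/80 traffic from the server to any host other than the ones the Online Gallery needs; the W3C field layout, the filter name, and all addresses are assumptions constructed for the example.

```python
"""Review an ISA Server 2000 IP packet filter log for outbound TCP/80 traffic
that the 'allow outbound HTTP' packet filter let through to hosts other than
the ones the companyweb Online Gallery legitimately needs.

Log layout is an assumption (W3C extended format with a '#Fields:' header);
the records below are constructed for this example, not a real capture."""
from collections import Counter

# Constructed sample log. 192.0.2.10 is the ISA server's external interface,
# 198.51.100.20 stands in for the gallery host, 203.0.113.77 is an unknown site.
SAMPLE_LOG = """#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Fields: date time source-ip destination-ip protocol param#1 param#2 filter-rule interface ip-header payload
2004-06-22 14:03:11 192.0.2.10 198.51.100.20 Tcp 1183 80 AllowOutboundHTTP 192.0.2.10 - -
2004-06-22 14:03:12 192.0.2.10 198.51.100.20 Tcp 1184 80 AllowOutboundHTTP 192.0.2.10 - -
2004-06-22 14:05:40 192.0.2.10 203.0.113.77 Tcp 1201 80 AllowOutboundHTTP 192.0.2.10 - -
2004-06-22 14:06:01 192.0.2.10 203.0.113.77 Tcp 1202 80 AllowOutboundHTTP 192.0.2.10 - -
2004-06-22 14:06:30 192.0.2.10 203.0.113.77 Tcp 1203 80 AllowOutboundHTTP 192.0.2.10 - -
2004-06-22 14:07:02 192.0.2.10 203.0.113.78 Tcp 1204 25 BLOCKED 192.0.2.10 - -
"""


def parse_w3c_log(text):
    """Turn a W3C extended log into dicts keyed by the names in '#Fields:'."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            records.append(dict(zip(fields, line.split())))
    return records


def unexpected_http(records, server_ip, allowed_dests):
    """Count outbound TCP/80 packets from the server to hosts not on the allow list.
    Only packets ISA actually logged are visible: logging of packets matched by
    'allow' filters has to be switched on, or the filter leaves no trace (assumption)."""
    hits = Counter()
    for r in records:
        if (r["protocol"].lower() == "tcp" and r["param#2"] == "80"
                and r["source-ip"] == server_ip
                and r["destination-ip"] not in allowed_dests):
            hits[r["destination-ip"]] += 1
    return dict(hits)


if __name__ == "__main__":
    recs = parse_w3c_log(SAMPLE_LOG)
    for dest, n in unexpected_http(recs, "192.0.2.10", {"198.51.100.20"}).items():
        print(f"{n} outbound TCP/80 packet(s) to {dest} not on the allow list")
```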
Ok, so I was in the office this afternoon and the phone rang . . . I didn’t recognize the name / number on the Caller ID, and went against my better judgement and answered it anyway . . .
Me: “Mobitech – this is Chad:”
Caller: “Can you FTP?”
M: “I’m sorry, could you repeat that?”
C: “Can you FTP?”
I’m sitting there on the phone trying to determine if this is a prank call, or someone who really doesn’t grasp technology . . . Come to find out, they really didn’t grasp technology. They were (supposedly) trying to upload a file to “a company” (trying to get specifics was like pulling teeth – I finally gave up trying to get any additional info). He needed to get this file uploaded as soon as possible, he had never used FTP before and it was JUST TAKING TOO LONG!!!!
M: “Ok, what type of internet connection do you have?”
C: “AOL” (of freakin’ course)
M: “Ok, is it a high-speed connection like cable or DSL, or do you use a modem to dial-up?”
C: “I use my modem. My computer is pretty old – I think my modem is a 33-something”
M: “Do you know how big the file you are trying to upload is?”
C: “Yeah – 196 MB”
Yes, ladies and gentlemen – that is right. This poor caller was trying to upload a 196 MB file via a dial-up connection to AO-HELL with a 33.6 modem . . . Let that sink in . . . Wow. No wonder it was taking too long!!!
That folks, is why you don’t answer the office phone on a Saturday afternoon . . . especially when you have voicemail and your critical customers have your cell phone number if it’s an emergency . . .
Today (Tuesday 6/22/04), the Anti-Spam Technical Alliance released a set of recommendations to fight spam. Most of these recommendations are directed at ISPs, and the primary recommendation is to cut off internet users’ email access if they are sending spam (whether or not they are aware of it).
MSNBC – Spam-sending PCs could be kicked offline:
Various industry estimates say that anywhere from 65 – 90% of all spam is sent via hijacked PCs. Think about that – up to 90% of spam is being sent by hijacked PCs – Which means those people that most likely suffer the most from spam are a contributing factor to the problem at large.
I think this is the most realistic approach that actually has the potential to make a difference. Don’t get me wrong, I don’t think any of us think that this will be the dagger that kills off spam once & for all. In all honesty – I see the fight against spam as a rallying cry – but the recommendation addresses a larger societal issue – and that is the lack of basic PC security education & awareness among the majority of home users. As I see it, this is a recommendation for ISPs to protect their customers – I love the analogy in the article that restricting users’ email access when they’re sending high-volumes of email is similar to your credit card company protecting you (ok, and themselves) by temporarily suspending your card and calling you if they see suspicious activity. If this recommendation has any effect – it will be healthier home PCs – and as far as I’m concerned, that alone is worth implementing it regardless of any effect it may have on the spam epidemic . . .
Just my $0.02 . . . :^)
MSNBC – Apple unveils BMW adapter for iPods:
SAN FRANCISCO – Apple Computer Inc. on Monday unveiled an adapter that lets users of its iPod digital music player connect them to stereo systems in some BMW and Mini Cooper models and use buttons on the steering wheel to play their music libraries . . .
And that is in no small part due to SBS. There’s nothing better than getting a customer excited about SBS – to see grown adults ooh & ahh and ask all the right questions . . .
Case in point: we recently did a network upgrade for a new client. We replaced their Novell NetWare 3.12 server & Win98 desktops with SBS2k3 Premium, XP Pro desktops & Office 2k3 Pro, and the client is loving every minute. The users were familiar with Outlook, but only as a stand-alone POP3 client. When we did our post-install training and went into the functionality available in Outlook when paired with Exchange, it was almost like throwing candy to kids. These were real end users who were genuinely excited at the prospect of sharing calendars, contacts & tasks (and a few managers thrilled with the ability to assign tasks) :^) Everyone dove right in to most of the advanced Outlook functionality, and they’re loving it. The one spot where they’re still a little slow to pick up is the remote access (although that’s starting to come around). The surprising gem was Sharepoint – they’ve caught on to that right away – we’ve migrated their shared project lists that were previously stored in Excel workbooks to Sharepoint lists, and they’re starting to upload various project files as well. And I have to admit that I love the Help Desk feature of the default Companyweb . . . It’s perfect for us consultants – it allows the users to log any questions / issues / requests they may have and not have to worry about having to remember those little issues when we’re on site next. Besides giving us a task list to work from and a ‘heads up’ before we get on site, it also gives us the opportunity to build better relationships with our clients – especially when we get a Help Desk request with a simple solution – it gives us the chance to pick up the phone to walk the user through resolving the issue, and take the time to ask about the kids, etc.
SBS rocks for several reasons – for the customer, it can’t be beat in terms of features, price, ROI & TCO. For the consultant / partner, it provides the tools for us to deliver a solution to our clients that consistently exceeds their expectations, and provides the tools & technologies to provide an amazing level of personalized support. I couldn’t imagine doing what we do for our clients with regular Windows server . . .
Updating a Windows Small Business Server 2003 Network Using Software Update Services Server 1.0: http://www.microsoft.com/smallbusiness/gtm/securityguidance/articles/udpate_sbs2003_sus1_0.mspx
Ok – for anyone who has hung around microsoft.public.backoffice.smallbiz2000 and microsoft.public.windows.server.sbs, you probably realize that I’m a really big ISA fan. While I’m not necessarily against hardware firewalls, I’m constantly irked by the people who automatically discount ISA because it isn’t a hardware firewall. I’m so sick of the snot-nosed drivel ‘…but it runs on a Windows server and I can’t trust anything running on Windows to protect me.’
BULL! That just makes my blood boil. And anyone paying attention to security trends knows that our threat vectors are increasingly from our own users versus the ‘traditional’ external hacks. That’s one of the reasons why I love ISA – its AD integration for advanced internet access policies for user/group membership, etc. And that’s just the tip of the iceberg for the features in ISA 2004.
For those of you who are also big ISA fans and want a little ammo for the next time you encounter ‘that’ hardware firewall guy (and you know who I’m talking about – we’ve all got ‘em), check this article out:
ISA Firewall Fairy Tales – What Hardware Firewall Vendors Don’t Want You to Know (v1.02):
You know, I am constantly amazed by the number of consultants / service providers out in the wild who don’t seem to understand the concept of servicing the customer – and providing value with that service.
Perfect example – we acquired a new client a few months ago, and basically kept their archaic network functioning while we were planning to upgrade to SBS2003. Just how archaic was this LAN? A mix of Win95 & Win98 PCs (newest hardware was a Gateway w/ a Celeron 600 – and there were multiple Pentium 100’s still in use). They had a Novell server (NetWare 3.12) – but apparently no one really knew how it should be used – their accounting data was on the server, but otherwise it was a P2P setup, with each user storing their files on their local HD (and sharing their entire C: drive!) . . . We took about 3 days to do the install, which consisted of installing SBS2k3 Premium (incl. ISA & SQL) on the new server, standard configuration (creating accounts, configuring backup, configuring monitoring, etc.), extended configuration (creating required security groups & additional shares, customizing logon scripts (to map drives based on security group membership), and configuring Group Policies (deploying Office 2003 Pro & Firewall Client via GPOs, configuring folder redirection, etc.)), installing & configuring A/V (Trend C/S/M for SMB), and migrating each user’s data & profile from their old PC to the new server / PC (and considering this is a mechanical engineering firm (AutoCAD), there was A LOT of data to transfer :^).
3 days – done. Now, this client was using a severely archaic accounting system (DOS-based from 1986 – I shit you not! I’ve got a stack of 5.25” floppies complete with copyright dates to prove it). But they did previously use someone who extended the functionality by using extensively customized Excel spreadsheets that provided custom reports (e.g. job costing, etc.). So, the client decides to upgrade the accounting app to the most recent version (only because the old app would not run on XP). They enlist the services of a partner who specializes in that accounting app to assist with their migration. As of this morning, the migration is not yet completed, and the customer is – well, let’s just say that they’re not very pleased with the accounting partner.
Why? Well – the majority of it can be boiled down to a lack of communication. The vendor did not do a full analysis of the client’s customized spreadsheets (that they use on a daily basis to run the business) – therefore, when they started the conversion, only then did they realize the extent of the customizations they have. Second – for any of you that are familiar with accounting – you can imagine the complexity of moving accounting tasks from one system to another – you basically have a cut-off date where you stop entering data into the old, that data is moved to the new, and you start using the new. The vendor provided only a matter of hours notice to the customer on when the cut off was happening (we’re going live tomorrow morning) – and in the aftermath,
They’re freakin’ HILARIOUS! Ok, ok – so I shouldn’t be laughing. It’s just that they’re such blatantly obvious BS that I can’t help but laugh. If you’re looking for a job, do yourself a favor – look at the objective you have on your resume (assuming you have one) – and if that objective includes the phrase ‘… to the benefit of my employer’ or something similar – remove it. Call me crazy, but if you are applying for a job, isn’t it sort of implied that you’re expected to provide some benefit to your employer? I mean, it’s not like the job applicant is doing the employer a huge favor by agreeing to be on their payroll and contribute to their overhead . . . ;^) Nothing against the owners of said resumes – but really, after how many years of evolution – and the resume is the best method we have for the job search? Wow . . .
Ok, so now you’re probably wondering where in the Sam Freakin’ Hell did this topic come from, right? Well, we’re actively searching for another tech (actually interviewed our first candidate this afternoon). I’ll readily admit that I always HATED having to prepare / tweak my resume (although not as much as I despised writing cover letters). Steve (one of my partners) and I have been perusing the resumes we’ve received, and I have to admit that it is very weird to be on this side of the fence . . .
But what is even more nerve-racking is the mere prospect of hiring someone – the questions are almost endless: Will business continue so that we can keep them busy & afford their salary? Are they going to fit with our organization – you can only tell so much during the hiring process regarding personality / troubleshooting skills / and most importantly – customer service? Then there’s always the big factor – me. Yes, I’ll admit it – I’m a control freak - especially when it comes to my servers. It is naturally going to take time to build the trust to the point where I can feel confident with letting someone new have the admin passwords . . .
But on the other hand, these are good problems to have. We’re busy and we’re growing – which is a good thing :^)
. . . by what PCs I find in use and their condition. From the general ‘found in use’ file:
A Gateway Pentium 100 / Win95 / 32MB RAM / 4GB HD. This PC was (and actually still is) being used for invoicing . . . nevermind that it’s slower than molasses in January, and it literally takes >5 minutes for the monitor to display an image after it’s been turned on . . .
From the ‘Oh my God’ condition file:
A Toshiba Satellite laptop running WinXP Home that was so riddled with viri & malware that you could not gain access to any user session (not even Administrator in Safe Mode) . . . had to format & re-install. Oh yeah, and this was a small mom & pop business, and ‘mom’ used this laptop to do bookkeeping – yep, you guessed it – all of the QuickBooks data on this puppy and no backup. Luckily for them, the hard drive was still intact, so I was able to pull the HD and slave it into a PC to grab the QuickBooks data before reformatting. And a note on the Toshiba Satellite notebooks – they’re not exactly designed to be worked on. The only thing separating the hard drive in my Dell Inspiron 8200 from my hot little hands is a single screw. On this Toshiba, it was 26 screws (which included removing the display) . . . Definitely not for the faint of heart . . . :^)