Taking the Plunge

I did it. No – hell didn’t freeze over, and no – pigs aren’t flying. But yes, I just recently did some network reconfiguration here at the office, moving from a dual-NIC SBS Premium setup with ISA 2004 to a single-NIC setup with a hardware router/firewall instead. Gasp! The horror! . . .

I’ll admit that for a long time I thought it would be a cold day in hell before you could pull ISA from my dead hands – but I would also be lying if I didn’t tell you that I definitely had a love/hate relationship with ISA – and it usually depended on the hour as to whether I was loving it or hating it.

So what is my thinking? You know, if someone figures that one out, would you please clue me in?

Like most technology decisions, this was motivated by business needs – both the business needs of our clients as well as our own business needs to profitably deliver quality services to our clients.  First – we’re seeing an increased demand in managed security with the SMB client.  Second – we are continuously looking for ways to increase productivity and gain efficiency.  Third, we’re revamping our product offerings to better line up with our core business as an MSP by adding products that allow for additional recurring revenue opportunities.

So, the big question is what did we decide on to replace ISA 2004 in our office?  CheckPoint’s Safe@Office 500W Unified Threat-Management device.  Now why did this solution win out?

1)   Affordability / Flexibility. The CheckPoint has several base models to choose from (wired or wireless, with 5/25/unlimited clients), plus nice add-on services including gateway anti-virus, anti-spam, web content filtering, etc. The base models make it affordable to get this device into smaller clients who wouldn’t normally consider ISA. Additionally, the add-on services allow clients to purchase features cafeteria-style and provide us with additional recurring revenue.

2)   Efficiency in Management. CheckPoint offers their Security Management Portal for centralized management of these devices. Their SMP was designed and built from the ground up for MSPs and the way we work:

      *   Everything you can configure locally via the device can also be configured centrally from the SMP. Additionally, with the SMP we can create groups with common configurations and apply those group settings to multiple devices very quickly and easily.

      *   The SMP also streamlines setting up site-to-site VPNs between devices. Simply build your VPN community in the SMP and pick the devices you want to belong to that community; the SMP will then generate the necessary configuration and push it out to each of the devices. This also allows you to have IPSec VPNs between devices that can only get dynamic public IPs. When one device’s IP changes, it notifies the SMP, which automatically updates the configuration on the other devices in the VPN community.

      *   The SMP allows you to customize both administrative and customer-facing reports, so you can change the layout, the content, and even the look and feel to match your branding. Customer-facing reports offer a lot of nice, colorful graphs which make sense to CXO-level individuals at your clients.

      *   The SMP is available either as a hosted solution, or as a product you purchase and run on your own server.

From a technical standpoint, there are pros and cons to both ISA and the CheckPoint (or other hardware firewalls). There are a lot of things that ISA does better than many hardware devices – primarily web publishing, with its ability to inspect HTTP traffic and route requests based on HTTP host headers, as well as providing egress filtering that integrates with Active Directory. Where ISA falls short is when you have a service provider who needs to efficiently manage multiple installations at different customer sites with different needs. Sure, I could probably build a repository of management scripts, and use Level Platforms’ Managed Workplace to push those scripts out to our managed client base, but why reinvent the wheel – and run the risk of having to rewrite those scripts as subsequent generations of ISA are released?

Also, I will admit that I am beginning to question the feasibility of ISA on SBS. I still don’t fully buy into some people’s arguments that ISA on SBS is inherently insecure. I’m beginning to question the feasibility of ISA on SBS not because of the security implications, but because of the added complexity in setup and administration. If you look at the SMB space and the SBS customer – their needs are changing. Two years ago we could sell an SBS Premium to a customer who relied on Exchange and file shares. In that scenario, adding ISA to the mix wasn’t that complicated or that big of a deal. The customers we’re encountering today are looking for much more diverse and mature solutions. Our typical SBS-based deployment is now a multiple-server environment. SBSers are doing more with Exchange – particularly in terms of mobility – and are depending on SharePoint for workflow management, version control and increased collaboration, instead of simply document storage. Our SBS clients are also much more likely to be running at least one Line-Of-Business app – in our experience most likely Dynamics GP and/or Dynamics CRM.

When you start putting all of this onto one box, change management becomes a bit of a challenge, to say the least. And even we long-time ISA fans have to admit that ISA is usually the first thing to come up when we start thinking about moving services off our SBS. But investing in another box, plus another Windows Server license, plus ISA is often hard to swallow – especially when you look at it from a customer perspective and include services to install and configure that box. From a business standpoint, compare that option to a solution like the CheckPoint, which offers a significantly lower entry point, provides the MSP with a mechanism for recurring revenue, and provides a pre-built solution to efficiently manage a large number of devices from one central location, and it becomes a bit of a no-brainer.

Now the question is just how well this is going to work. We’re now 4 days in since the CheckPoint replaced ISA in our office, and so far so good. I’ll be sure to report back on my post-ISA experiences.

New York, New York!

Ok gang – just a quick heads up that due to a twist of fate, I am going to be presenting on SharePoint at SMB Nation East this weekend.  There’s still room if you haven’t signed up yet.  I’ll be doing a deep dive on SharePoint 3.0 – and this will not be death by PowerPoint – but live demos.

Did you know that for all of our customers who have upgraded to Office 2007, SharePoint 3.0 has been the driving force and single greatest factor in selling those upgrades? I’ll show you why – this Friday at 1:30pm.

What ever happened to class?

Velma Kelly and Matron Mama Morton asked that question in Chicago and I’m asking it again now.


I believe in humanity. I believe that for the most part people are inherently good and want to do the right thing. But I also believe that the online experience has helped foster the decline of basic manners, respect, and class. I could get into a long-winded dissertation on why I think that is, but that is a subject for an entirely different audience and venue.


Unfortunately, we all encounter individuals in our communities (both physical and virtual) who thrive on destruction. Their only involvement within the community is to complain, criticize, and generally undermine the community. At no time do they make any noticeable contribution to the community. The reasons for criticizing instead of contributing vary by individual, but most often it is some derivative of personal insecurity – lack of self-esteem, fear of failure, incompetence, inexperience, etc.


As virtually anyone who frequents msmvps.com knows, the last week to ten days have been a bit choppy in terms of reliability of the site as we try to work out what exactly is causing ASP.NET to peg the processor on the blog server. What most people don’t realize is what is involved with administering and maintaining the blogs:


1)  msmvps.com is a pure volunteer effort.
2)  msmvps.com is not affiliated with Microsoft in any way.
3)  msmvps.com continues to exist due to the gracious generosity and sheer strength of will of a few key individuals.
4)  msmvps.com generates a mind-boggling amount of traffic and has massive bandwidth requirements.


Since administering and maintaining msmvps.com is a volunteer effort, the blog server is at the mercy of our schedules (believe it or not, each of us actually has a real job, family, pets, home, etc. that require our attention). Additionally, since msmvps.com does not have any corporate sponsorship and is a free resource for multiple communities, when it is time for an upgrade, new features, etc. for the blogs – that expense comes out of someone’s pocket. Likewise, having the blog server on what has been dubbed “p0rn quality bandwidth” costs someone somewhere as well.


But apparently, a few members of the community have conveniently forgotten each of these points.  They have forgotten that people are willing to share their experience and knowledge to help complete strangers and receive nothing in return – but also that there are people who not only share their knowledge and experience with complete strangers, but they are willing to pay real money from their own pockets to do so, and to provide other people with a free platform to do the same. 


As mentioned above, there are those individuals who thrive on destruction – and one such individual recently had the audacity to suggest that the instability of msmvps.com doesn’t say much for the technical ability of MVPs. This same individual stated flat out that it needs to be fixed, yet offered no assistance to resolve the issue. They did not offer to take several hours out of their day to sit on the phone with Microsoft PSS, or even to pay for that support call. They did not offer to volunteer their personal time to review server logs, to find someone well versed in .NET to assist, or even to babysit the server and restart services as necessary to ensure that msmvps.com was available to anyone who came looking for help. Surprisingly enough, they did not even offer to make a cash donation towards purchasing support from Telligent to help resolve the problem. No, all they had time for was to complain and criticize. It’s one thing to criticize the stability of the site – because that has been less than optimal. But to go so far as to criticize the people behind the scenes, who give so much of their time, knowledge, passion and cash to provide community members with a free resource that is not cluttered with ads, not censored, and freely available to anyone who needs help, is not only rude and unprofessional, but very uncouth.


So what ever happened to class? Well, I’m here to tell you that there is hope. It can be found in many places, including Fresno, California, as well as in certain posts in virtually any online community regarding SBS, security, or patching. msmvps.com would not exist without the unbelievable passion and selfless generosity of Susan Bradley. While she may call herself wacko and emotional, and like all of the rest of us she can get a tad over-zealous on certain issues – she is a consummate professional and truly a class act, and in my mind her passion and contributions to the community set the bar by which all other MVPs are judged.


Now if you will be so kind as to excuse me, I have to help a friend with a blog server . . .

Unexpected Behavior with AutoPCC in Trend C/S/M 3.6

Ok, so that isn’t exactly a witty title for this post – but it does get to the point.

I’m a big fan of Trend Micro – have been since the SBS 4.5 days. As a force of habit, when we’re rolling out a new network I always add a call to Trend’s AutoPCC utility in our default login script, which ensures that the Trend client gets installed when new machines are joined to the domain. While there really isn’t much benefit to leaving this entry in the login script after Trend has been deployed – I’ll admit that I have a tendency to be a bit lazy and leave it there just to save a few clicks when we’re adding new machines to a network.

Historically, there hasn’t been an issue with leaving the call to AutoPCC in the login script – you’d get the occasional restart of the Trend services on the client during login, but that was about it. Recently, we’ve started going through the process of upgrading our clients to Trend’s Client/Server/Messaging Security 3.6, which includes support for Microsoft Vista. A day or two after upgrading one particular client, we received a call from a user indicating they were getting a warning message on their PC. The warning message was the Windows Security Center indicating that Anti-Virus wasn’t running. I quickly determined that the Trend services were stopped – and naturally starting them resolved the issue.

The real surprise came when I logged in to the Trend console to verify this workstation was back online: I discovered that approximately 75% of their PCs were showing offline. I soon discovered that the Trend services were stopped on each workstation that was showing offline, and starting the services brought them back. Working on one of the PCs, I saw that during logon the login script was calling the AutoPCC utility – which was stopping the Trend services – but more often than not, when AutoPCC completed, the services were not restarted.

I’ve seen this behavior consistently across all of our customer sites that we have upgraded to CSM 3.6 – it seems to affect all PCs eventually, and I’ve been seeing anywhere from 25 – 75% of the PCs offline in the Trend console with local services stopped at any given time. We never saw this with CSM 3.5 or prior. In the meantime, we’ve resolved the issue by just removing the call to AutoPCC from the login script, since we really don’t need it there any more.
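For sites that still want AutoPCC in the login script for new machines, here is a guarded version, added as an example and not from the original post or from Trend Micro: it only calls AutoPCC when no Trend client is installed, and on already-deployed PCs it just restarts a stopped service so the Security Center warning and the “offline” console status described above are caught at logon. The service name ntrtscan and the share path \\SERVER\ofcscan are assumptions; check both against your own client install before using it.

```batch
@echo off
rem Added example (not from the original post). Assumed values:
rem   ntrtscan            - Trend real-time scan service name (assumption)
rem   \\SERVER\ofcscan    - placeholder share holding AutoPCC.exe
set TREND_SVC=ntrtscan
set AUTOPCC=\\SERVER\ofcscan\AutoPCC.exe

rem Is the Trend client installed at all?  sc query fails (errorlevel 1060)
rem when the service does not exist.  Only a brand-new machine with no
rem client gets AutoPCC, so existing PCs never hit the 3.6 service-stop bug.
sc query %TREND_SVC% >nul 2>&1
if errorlevel 1 (
    echo Trend client not found - installing via AutoPCC...
    "%AUTOPCC%"
    goto :eof
)

rem Client is present: make sure it is actually RUNNING, not just installed.
rem This is the condition the Windows Security Center warned about.
sc query %TREND_SVC% | find "RUNNING" >nul
if errorlevel 1 (
    echo Trend service %TREND_SVC% is stopped - restarting...
    net start %TREND_SVC%
) else (
    echo Trend service %TREND_SVC% is running.
)
```

The restart branch is a stopgap for the symptom only; the post's actual fix of removing the AutoPCC call once deployment is done still applies.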

Teaching an old dog new Trix

Some of you know that I’m a big fan of Trixbox – which is a VoIP solution built on the ever-popular Linux-based open source Asterisk PBX. We’ve been running it in our office for about 18 months (since it was originally Asterisk@Home). I’ll admit that it started out more as an experiment than anything else, but we ended up liking it and using it in production, and have started selling it as well. Admittedly, the hardware we’re running it on leaves a little to be desired, so we’re looking to replace our current hardware. Well, while doing some research, I discovered that Trixbox is now offering a Trixbox appliance:

Now you’ve got to admit, that is just cool . . . and would look so good in our server cabinet.