Status: ✅
Users don’t like to remember passwords, heck, I don’t like to remember to use passwords. I decided to upgrade all the webapps to authenticate off the domain, welcome a start to SSO. To do this I implemented the adldap php class to control authentication to each webapp. Thus, a simple GPO can control who has access to the app or not. A simple solution to a rather simple problem.
Status: ✅
Backing up across the states has worked decently well, but due to several changes a more dedicated backup solution is in order. Desiring something quick, simple and inexpensive, research revealed a company that would perfectly fit the requirements. iBackup was a perfect substitute - instead of SSH+rsync to another office, iBackup provides rsync over ssl to their data center. A few simple changes to the cron job, and backup location is thus changed.
Status: ✅
Time has come to bring another network on the VPN, and perform some more upgrades. The usual by now, I guess.
Ian and I set off for our China office out of Hong Kong, and the next day started working. Total preparation was around a month, maybe a little large, mainly due to red tape. We first acquired assistance of IBM China, who were of a great help aiding us in finding our desired Cisco. One of the most important factors, which we couldn’t resolve by purchasing the Cisco in the States, is support/warranty contracts (if the Cisco totally dies, what then). Through our contact we were also able to find some local vendors that would support Wifi and the Cisco, in case of an emergency.
Before leaving I prepared the necessary configurations for the Cisco, or at least a good guide to start from. The technician who came out tried to get things going through the built in GUI, however wasn’t have so much luck. I took over using my pre-built configuration and soon (we swapped out the old router with the Cisco during lunch) everything, including overloaded NAT, was working fine. By the time employees came back from lunch, they couldn’t notice any difference.
While the Cisco tech (who I believe is a good guy, even though I did the Cisco install) was waiting for some paper work went through and upgraded the way obsolete wifi point from WEP (which wasn’t even turned on anyways) to WPA. The reasons for this, especially connected to the VPN, are very obvious. Technically the AP wasn’t supposed to support WPA, but he found the correct Chinese firmware and it worked. This is good, as the new AP wouldn’t be coming for a little while.
Next on the list was video conferencing. The solution was the path of least resistance: Skype on a laptop. Ian took this one, setup the laptop, and tested conferencing back to the States.
On the agenda for that night was VPN. The problem with bringing the China office on the VPN is one of security. Virus’ were quite prevalent (e.g. my shared drive on my Linux laptop, to use as a sandbox, had a couple .exe files dropped into it. All with rather odd names…) – so we first ran some security audits. Nessus was a great help, as always, and we tracked down over [an UNFATHOMABLE amount of] critical holes. Picking the biggest culprits we started patching computers, removing spyware and running anti-virus. Slowly (a few days) we got the number knocked down significantly.
Lastly I hooked China up to the VPN. In order to do this safely I created some very strict access lists, to only allow outgoing communication over ports 80 and 443 (since that is all they needed at that point). Previously setup we had a webshare website (auth linked to the PDC), so no need to open any other ports.
Overall we completed what we set out to do. We made a few good contacts, achieved our goals, and once again learned more about doing I.T. overseas.
Status: ✅
Before we grow any further, a new DNS scheme is in order. Following the pattern of: citycode.domain.com - shouldn’t be too hard. A slightly stressful rename of the PDC (just one so far, still small) was in order. After that (and client computers re-associated), the routers were updated, the DNS server updated, and everything worked peachie. Not bad for a weekends worth of work.
The following sites might be helpful to configure IPSec again, or on a more complex basis:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/ipsec/conipsec.htm
Logs spiraling crazy, we run out of disk space all the time. A nifty trick to find where the disk went is to issue:
du -cks * |sort -rn |head -11
This returns where the disk usage is, and makes finding the bloated log a lot easier.
Here’s a tip for Firefox. An extension called BugMeNot enables you to right click on “general” forms and say “Login with BugMeNot.” Firefox will call the BugMeNot extension which looks up in an external database login information. For instance, www.nytimes.com requires a login, which is a great place to test it out.
Status: ✅
All is well for some disasters, but what happens if our entire office burns down? SSH+rsync to the rescue, again.
I first setup the PDC and webapp server to backup to the file server on a regular basis (PDC: incremental every day, full on Saturday). Then the file server takes those backups (including the files stored on the file server) every night and syncs them with another server across the States. In case something drastic happens, these off-site backups should be a savior.
I have a feeling we will shortly be deploying many Linux servers to perform certain actions. Maybe we will implement Asterisk to be used as a VoIP interchange between locations, maybe the backup servers will be Linux based, maybe the BDCs.
One thing that could speed up implementation at remote sites is to build live cds for certain purposes. For instance, on the file server in PDX to keep updated live cds for certain projects. Like, a BDC live cd or a backup live cd. Already setup with the most current packages (or scripts to fetch+install them). So when we get to the site we just put the CD in, click or type “load” and poof, the server is installed and configured.
These links (haven’t read all of the process) may be helpful:
A developer just showed me an interesting framework to produce python-backed sites VERY quickly. This is mainly for you Ian, it natively supports AJAX as well. Here’s the link:
I watched the demo, pretty interesting.