I have a real disdain for level 1 tech support. I know those people work hard and that they more than likely don't get the right kind of training to support questions from people like me, but can I have a level 2 tech support pass for every company I deal with? Please!? I get irritated when I have to spend 45 minutes fielding questions such as, "did you reboot the pc?"
ok... /rant off
That had to do with calling Imprivata support earlier today. It wasn't as bad as getting asked if I rebooted the virtual machine, but the guy on the other end clearly was having a problem fully understanding what I was trying to convey to him.
I was at the end of building a Windows 7 virtual machine for a contractor of ours and for some odd reason when I would sign into the View connection server then log into this desktop, Imprivata would pop up their logon UI asking for me to put in my credentials again. Kinda annoying. So the good tech on the end of the line spent about 15 minutes trying to decipher what I was talking about so that he could put some keywords into their little KB article search engine and try to find an answer for me. Well, like always there was no KB article for my problem, so he took my info from me and told me he'd look into it. Two hours later I get an email from them stating that the solution to my problem was a registry hack to use Kerberos authentication only. "Okay... might as well try it..."
Nope, not it. So I went digging myself and found http://portals.imprivata.com/ftp/SFAttach/Credential_Provider_Wrapping.pdf
After checking out the ISXCredProvDiag tool on the virtual desktop, I saw that the VMware View Agent credential provider wasn't hooked (wrapped by the Imprivata provider).
So I wrapped it up, rebooted and BAM... authentication passed through from the connection server. Sweet.
Imprivata OneSign Agent version: 4.5.54.54
VMware View Agent version: 5
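As an added check (my own script, not from the original post, Imprivata or VMware), this lists the credential providers registered on the virtual desktop with the DLL each one loads and its Authenticode status, so the VMware View Agent provider and the Imprivata OneSign provider can be seen side by side. It assumes a Windows 7 desktop and an elevated PowerShell prompt; whether Imprivata has actually wrapped a provider is only reported by its own ISXCredProvDiag tool.

```powershell
# Added example: enumerate registered credential providers (Windows 7, run elevated).
# Assumption: the standard registry layout below; nothing here is Imprivata-specific.
$cpKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

function Get-CredentialProviders {
    Get-ChildItem -Path $cpKey | ForEach-Object {
        $clsid = $_.PSChildName
        $name  = (Get-ItemProperty -Path $_.PSPath).'(default)'
        $srv   = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll   = $null
        $sig   = 'no InprocServer32 key'
        if (Test-Path -Path $srv) {
            # The default value is the DLL path; it may be quoted or use %SystemRoot%.
            $raw = (Get-ItemProperty -Path $srv).'(default)'
            if ($raw) {
                $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
                $sig = if (Test-Path -Path $dll) {
                    (Get-AuthenticodeSignature -FilePath $dll).Status
                } else { 'DLL missing' }
            }
        }
        New-Object -TypeName PSObject -Property @{
            Name = $name; CLSID = $clsid; Dll = $dll; Signature = $sig
        }
    }
}

# An unsigned or missing provider DLL is worth a look before trusting the logon path.
Get-CredentialProviders | Sort-Object Name | Format-Table -AutoSize Name, Signature, Dll, CLSID
```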
Next solution please...
Posted by Matt Villilo at 2:00 PM
View Annoyances
I love me some linked clones and Persona Management in View. Absolute heaven. I honestly can't think of a better way to deliver a virtual desktop. That's not to say it doesn't come with some annoyances... especially if you just use the linked clones and NOT the persona management. For example, we have a health management program for our hospital that uses Java over a web browser to deliver the end product to our nursing staff. One of the little annoyances I had with building the virtual machine in the previous post was that every time I got a new desktop and started up the web app for our health management program, I would get a prompt from the JRE (Java Runtime Environment) to accept the self-signed certificate the company used to sign the Java program. Well, after much digging around I figured out how to install the certificate into the Java store and explicitly trust it forever, so nobody needs to accept the certificate each time... overall it saves a few mouse clicks for the end user. Here are the steps:
1) copy the self-signed certificate to the folder on the machine (example: c:\java_cert\signedcert.crt)
2) if you have a default 32-bit JRE 6 installation, navigate to the "c:\program files\java\jre6\bin" folder in a command prompt. Modify as necessary for 64-bit installations.
3) type the following command to import the self signed certificate (again, this is for a default installation):
keytool.exe -importcert -trustcacerts -noprompt -keystore "c:\program files\java\jre6\lib\security\cacerts" -storepass changeit -alias <alias of your choice> -file c:\java_cert\signedcert.crt
4) create a file in the "C:\Windows\Sun\java\deployment" folder named "deployment.config"
5) in that file put the following lines:
deployment.system.config=file\:C\:/Windows/Sun/Java/Deployment/deployment.properties
deployment.system.config.mandatory=true
*each backslash is needed: in a Java properties file a backslash escapes the colon that follows it*
The first line points to the system-wide deployment properties file and the second line makes it mandatory that it be used (helps with locking down Java apps if needed). Setting it to "false" will tell the JRE to try to use it as it launches a Java app, but skip it and revert to defaults if it doesn't exist. You can read more about these files and their options here on Oracle's website: Java Deployment Guide
6) create a file in that same directory named deployment.properties (as specified in the deployment.config file) and put these lines in it:
deployment.system.security.trusted.certs=C:\\java_certs\\trusted.certs
*the double backslashes are needed because in a properties file the first backslash escapes the second one each time.*
7) under your username, go ahead and accept and trust the cert for the java app you're trying to run.
8) do a search for "trusted.certs" under your user profile folder (on Windows 7 it's located under C:\Users\(your username here)).
9) create a folder on the C: drive of the virtual machine and name it "java_certs" (the name doesn't matter, but it needs to be the same name as the folder in the deployment.properties file)
10) copy your trusted.certs file over to that new folder
Now that should be it. You should be able to run the java app in the browser for every user that logs into that machine from now on without them having to accept and trust the self signed certificate.
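To save repeating the ten steps on every image rebuild, here is the same procedure as a script (my own added example, not from the original post). It assumes the post's default paths (32-bit JRE 6, C:\java_cert\signedcert.crt, C:\java_certs); $CertAlias is any name you pick, $SourceUser is a placeholder for the account that already accepted the cert in step 7, and the LocalLow path for the per-user trusted.certs is the standard Windows 7 location.

```powershell
# Added example: steps 1-10 from the post, automated. Run from an elevated PowerShell prompt.
$ErrorActionPreference = 'Stop'
$JreHome     = 'C:\Program Files\Java\jre6'
$CertFile    = 'C:\java_cert\signedcert.crt'
$CertAlias   = 'healthapp-selfsigned'        # placeholder alias, any name works
$SystemDir   = 'C:\Windows\Sun\Java\Deployment'
$TrustedDir  = 'C:\java_certs'
$SourceUser  = 'TEMPLATEUSER'                # placeholder: account that did step 7
$UserTrusted = "C:\Users\$SourceUser\AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs"

# Step 3: import the self-signed cert into the JRE cacerts store.
& "$JreHome\bin\keytool.exe" -importcert -trustcacerts -noprompt `
    -keystore "$JreHome\lib\security\cacerts" -storepass changeit `
    -alias $CertAlias -file $CertFile
if ($LASTEXITCODE -ne 0) { throw "keytool failed with exit code $LASTEXITCODE" }

# Steps 4-5: deployment.config. In .properties syntax a backslash escapes ':' and '\',
# which is why the path is written as file\:C\:/... exactly as in the post.
New-Item -ItemType Directory -Path $SystemDir -Force | Out-Null
Set-Content -Encoding Ascii -Path "$SystemDir\deployment.config" -Value @(
    'deployment.system.config=file\:C\:/Windows/Sun/Java/Deployment/deployment.properties',
    'deployment.system.config.mandatory=true'
)

# Step 6: deployment.properties. Double every backslash so the JRE reads C:\java_certs\... .
$escaped = "$TrustedDir\trusted.certs" -replace '\\', '\\'
Set-Content -Encoding Ascii -Path "$SystemDir\deployment.properties" `
    -Value "deployment.system.security.trusted.certs=$escaped"

# Steps 8-10: publish the trusted.certs produced in step 7. Keep it writable only by admins,
# since this file now decides which code signers every user of the machine trusts.
New-Item -ItemType Directory -Path $TrustedDir -Force | Out-Null
Copy-Item -Path $UserTrusted -Destination "$TrustedDir\trusted.certs" -Force
& icacls.exe $TrustedDir /inheritance:r /grant 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' 'Users:(OI)(CI)RX' | Out-Null
```

Run it on the template before the linked-clone snapshot so every clone inherits the files.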
Posted by Matt Villilo at 1:58 PM
Do they actually need it?
We've been thinking about replacing some of our ancient computers on wheels (COWs) over at our hospital facility with wireless Wyse devices and View virtual desktops for a few months now. The current ones are ancient mobile P4-based machines that we can't really get parts for. They're set up as locked down Windows XP desktops with very minimal rights.
Since I can't really use XP any longer and our move to Windows 7 is imminent, I've been working on a special Windows 7 virtual desktop for our auto-logon PCs down at the hospital when I realized that, through group policy, I had locked down the users so much that the only link on the start menu was to the printers...
So I asked one of my colleagues about the start button and menu... Do the users actually need it? I mean, they really only ever use the shortcuts on the desktop, and for auto-logon/locked down desktops, there's really no need for it. So I set about the task of getting rid of the Windows 7 Start Button/Balloon (whatever you want to call it).
I honestly searched high and low for a quick answer to getting rid of it, like through Group Policy or a dirty reg edit or what-have-you... but all I found were posts about making Windows UI API calls that hid the button, like they did with the original XP start button. My hope for doing this the easy way quickly died. Well, after attempting to edit a C# program that didn't work (I have no idea how to write C#, but programming to me is pretty logical and given a little bit of time I can usually figure out what any piece of code is actually doing) that I found on one of the bigger code sharing sites, with no luck, I found a simple little program called "StartKiller" from Tordex.com. Somehow, they were able to find a way to completely hide and remove both the start button and menu in Windows 7... I was floored. Not only that, but it also hides the tray icon as well! I found out that just running the program at logon through group policy wasn't enough to hide the start menu and tray icon, so using some procmon magic from Sysinternals, I found the registry key they use on the fly to do both. I exported the key to a reg file and used the amazing program called RegToAdm (from the NUTS program package... awesome program. I haven't found a need for the other utilities yet, but RegToAdm is fantastic) to create this custom ADM file (please note - this ADM file isn't perfect and could be better):
----------------------------------------------------------------------------------------
CLASS USER
CATEGORY "Start Killer"
  KEYNAME "Software\True Software\Start Killer"
  POLICY "ShowTrayIcon"
    EXPLAIN "This value is either 1 or 0. Set it to 1 to show the tray icon or 0 to hide it."
    PART "ShowTrayIcon" NUMERIC
      VALUENAME "ShowTrayIcon"
      MIN 0 MAX 1 DEFAULT 0
    END PART
  END POLICY
  POLICY "BlockStart"
    EXPLAIN "This value is either 1 or 0. Set it to 1 to disable the start menu or 0 to enable it"
    PART "BlockStart" NUMERIC
      VALUENAME "BlockStart"
      MIN 0 MAX 1 DEFAULT 1
    END PART
  END POLICY
END CATEGORY
----------------------------------------------------------------------------------------
So, setting Start Killer to run at logon and adding this ADM file to the user GPO gave me this:
Fantastic, no start menu, no worries... just find the icon on the desktop and click it (icons removed for privacy). Keep in mind this only hides the UI; what those auto-logon users can actually run is still governed by the group policy lockdown, not by Start Killer.
Posted by Matt Villilo at 7:42 AM
We're at a point with our VMware infrastructure (and the one we're about to build) where it was time to find a better anti-virus solution for the virtual machines. I am really anxious about running a full-blown client in a VM, with questions such as:
1) how many resources could it consume
2) how will we update the signatures on VMware View linked clone virtual desktops
3) did I mention the question about resources?
So I called up Trend to talk about their Deep Security product. I wanted to test it out to find out if it was going to be worth the trouble, as in moving away from CA (our current AV solution) or working in conjunction with it (e.g. Trend gets our virtual environment and CA gets the physical). Well, we decided to try a test run on some dummy VMs and a host I could hot add to the production vSphere environment. We got everything set up (Server 2008 R2, a few virtual desktops, vShield Manager, VMware Tools 8.6 with the Endpoint driver) and started to install their version 7.5 (because 8.0 isn't compatible with vSphere 4.1u2 yet), and then they tell me that I can't have vShield Manager 5 installed on vSphere 4.1 because Deep Security 7.5 isn't compatible with vShield 5... really!? By the way... in a month and a half, Trend is coming out with a service pack for Deep Security 8 so that it's backwards compatible with vSphere 4.1 AND vShield 5...
So instead of dropping down to vShield v1 (which is the version for vSphere 4.1) and then re-upgrading to vShield 5, I just decided to build an entire new lab for just the Trend proof of concept.
What do two Core2Duo boxes with 8 GB of RAM each and one Core2Duo box with 2 GB of RAM get you?
This:
1 Server 2008 R2 domain controller with DNS
2 vSphere 5 servers running
-1 vCenter Server
-1 Trend Security server
-2 Windows 7 virtual desktops
-1 vShield Manager
-1 Deep Security 8.0 virtual appliance
All built entirely in a day. We just got done with the install today and I'd have to say, I'm pretty impressed with Trend's capabilities. We'll see how it actually stands up to a thumb drive full of viruses and no connection to the internet tomorrow :P
Posted by Matt Villilo at 9:37 PM
Hello World
Cliche, I know...
But then again, doesn't everything in the tech world begin with "Hello World"?
I'd like to give the world a little introduction to me. I began my journey into the world of tech when I was very young with my dad's first ColecoVision ADAM computer system back in the early 80's. Ever since then I've been enamored with computers. I built my first one in the days of the original Pentium. My friends introduced me to DOOM when it first came out and since my dad had the fastest computer, we would spend hours tweaking his autoexec.bat and config.sys files trying to get as much juice out of that system as possible, just to play some video games. Finally my dad had enough of me messing with his system that he took me to a local computer show and with $200 we bought a Cyrix 5x86 P266 processor, a motherboard and a couple of sticks of RAM - and we're talking about original SIMMs... of the 2 megabyte parity/non-parity type... oh yeah, old school baby! When it was all said and done, I had a 200MB hard drive, a pretty decent proc, 8MB of RAM and a CD-ROM. Best part was, it ended up being better than my dad's and it hasn't stopped since then... and I still have a better system than him.
I got into IT a few years back when I was working as a tech at CompUSA. I realized while I was there that being in the repair business wasn't going to get me where I wanted to be professionally. So I went back to school, got my associate's in networking (Cisco style) and landed a pretty nice starter position here at my company as a tech, but I was also brought on to help with the Cisco networking.
Since I've started, things have happened pretty rapidly here (more so than I could have ever dreamed), which led to them offering me the Network Engineer position that I'm in now. I've learned so much in my time here that I just can't keep all the information to myself any longer. When you're working in a fast-paced and wholly understaffed IT department, you have to find off-the-wall solutions to many, many problems. I've also come up with a few myself. I've gotten help from so many anonymous people on the internet that I feel it was time I started giving back. Joining one forum just wasn't enough, and I don't have time to be a part of ten, so I figured if I just started this blog and handed out my solutions to issues I've come across then maybe, just maybe, I could give back to the internet community that has given so much to me in the past.
So here I am... at The Network Core. I hope you find what you're looking for.
Posted by Matt Villilo at 4:33 PM