December 2009

Configuring CARP on pfSense

Purpose

With any firewall and gateway, the issue of a single point of failure is always present. To mitigate this, the Common Address Redundancy Protocol (CARP) was created for the BSD world. For those of you coming from Cisco or another network gear manufacturer, at a high level this functions the same as VRRP or HSRP. The main difference with pfSense is the ability to sync configurations using pfsync. This tutorial provides an overview of configuring this setup within pfSense and shows the effects of downtime on the system.

First of all we have the general layout of this sample setup.


Dual Boot pfSense for Testing New Versions

Recently pfSense 2.0 was released into beta, and as an avid 1.2.x line user, I was eager to check it out. I still wanted the ability to roll back to a previous version if things were too unstable, so I configured dual booting of the stable 1.2.x line with the experimental 2.0 build. Note that this should also work for any other versions in the future; these two are just used as an example.

  • Back up the current configuration of the stable system. Make sure you have the config.xml file handy to upload, since you will need to re-install the system if you do not already have correctly sized slices.
  • Boot the stable pfSense media. It does not matter which version is used first, but for the sake of this example stable comes first.
  • Select (i) to install to the local hard disk.
  • Select < Custom Install > as shown below after configuring keyboard and display.

  • Next select the hard disk you would like to install the system on. You may install across several drives using the same general idea; the only difference is where you place the partitions. I am using a single-drive setup here for simplicity and commonality.


Fixing VLAN Recognition on pfSense 1.2 and Realtek RTL8110SC NIC

If you are using pfSense (and possibly FreeBSD for that matter) you may have run into the problem of VLAN interfaces not responding after a reboot or after interface creation. This leads to serious problems when this is your main router platform, as independent network segments are unable to communicate.

Symptoms of this include:

  • Systems can ARP the MAC address of the network card, but are unable to ping it.
  • pfSense with Realtek RTL8110SC NIC responds to DHCP or any other layer 2 system but does not respond on layer 3.
  • Realtek RTL8110SC instability issues and inconsistent VLAN state.

The fix for this is far from ideal, but it works in a pinch and in most situations where absolute performance is not the key concern, but rather keeping things stable until another workaround (or the suggested hardware replacement) comes up.

# ifconfig reX promisc

Where “reX” is re0, re1, etc., or whatever the name of your parent interface is. Doing this on a per-VLAN level will not help. Please be aware that there is a performance hit to this tactic, as every packet seen on the interface will be passed to the CPU, not just the ones destined for it. It may be quick and dirty, but it works. If anyone has an alternate suggestion on why this happens, please chime in.


Set up a PPTP VPN connection on Motorola Droid (Android 2.0 & 2.1)

This tutorial will show you how to manage your computers remotely while on the go with your Droid. You can monitor your active torrents or grab an important file you forgot to sync while you are out or at the office. If you need help setting up a VPN on your home network, stay tuned to this site, as a follow-up article will be written soon.

On your Motorola Droid (Android 2.0 and 2.1):
1. Navigate to the menu and click “Settings”
2. Click “Wireless and Networks”
3. Click “VPN Settings” and click “Add VPN”
4. For this example we will be using a PPTP VPN. If you have another type of VPN set up at school, work or home, the directions will differ slightly.
5. After clicking “PPTP VPN”, give the VPN a name; this can be anything
6. In the box that says “Set VPN server”, insert a DNS name or an IP address. If you are unsure what the name is, contact your work or school to see if there is some kind of document. If this is a home VPN, you can get a DNS name through dynamic DNS.

http://www.dyndns.com/

7. For this example, I will use “MytestVPNname.selfip.com”
8. If encryption is enabled on the VPN, be sure to check the next box
9. Make sure you have cell service (3G not required but recommended) and click Connect. The Droid should bring up a notification stating that you are successfully connected.

Now that you are connected to the VPN, you can remotely access any computer on that network for which you have credentials. The best way to do this is to head to the Marketplace on your Droid and download the free version of Remote Desktop. This will allow you to RDC into any machine on the VPN network as stated before, letting you monitor your torrents, stream music, or grab an important file from work while on the go. The RDC program I have been using is “Remote RDP Demo”.


Citrix XenDesktop 3.0 Design And Best Practices

Below are some best-practice guidelines for installing and configuring Citrix XenDesktop 3.0 in a new environment. Some of the information is miscellaneous, but I hope these notes help someone.

  • Uninstall Web Interface and IIS from Desktop Delivery Controller
    • Less overhead on these systems
    • Must use an existing web server infrastructure
    • SETUP.EXE -nosites
    • Suggested to uninstall if already installed
  • Separate Farm Master and Desktop Delivery Controller
    • When there are multiple servers, separate these roles.
    • Farm master is best to control its own roles and not worry about being Desktop Delivery Controller
    • Ensure that a particular server is chosen to be Farm Master
    • Ensure that unnecessary duties are not performed by that server
  • Server Preference Settings
    • Master: Servers with this setting are preferentially chosen as Farm Master
    • Backup: Chosen when Master is unavailable
    • Member: When all else fails, this can become the Farm Master
  • Farm Master Selection
    • Farm masters have the logic for launching sessions
    • It's recommended to have the Master be its own server; everything else should be Member servers
    • Web interface servers should point to Member servers
  • Configure Delivery Controller Selection
    • For some reason we have to do this in the registry.
    • HKLM\Software\Citrix\IMA\RUNTIME\UseRegistrySetting set to DWORD of 1
    • HKLM\Software\Citrix\IMA\RUNTIME\MasterRanking
    • DWORD value, 1 for Master, 2 for Backup, 3 for Member
  • Throttling Commands to the Hosting Infrastructure
    • Suggested that the pool management service traffic on the Desktop Delivery Controller and the hosting infrastructure is throttled to 10% of the total pool
    • This is primarily to keep power cycling commands to a minimum which would otherwise overload the infrastructure.
    • To configure, edit:
    • C:\Program Files\Citrix\VmManagement\CdsPoolMgr.exe.config
    • Add the following:
    • <add key="MaximumTransitionRate" value="10" />
    • This goes under <appSettings>; the value of 10 is arbitrary and should be tuned for the situation.
    • Save the file and restart the Desktop Delivery Controller
  • Scaling the Desktop Delivery Controller
    • The Desktop Delivery Zone Master is a single bottleneck and cannot be scaled out for a desktop group
    • Citrix says 3000 desktops per group is a good limit
    • Upgrading to a bigger/badder machine is a good plan if you have large requirements
  • Scaling the Provisioning Server
    • Scaling is disk-bound
    • Put Write Cache files on separate LUNs from the vDisk
    • Get yourself a high performance storage system
    • Basically just make sure your storage solution is quick
  • Scalability by component
    • Desktops per XenDesktop Group: 3000
    • Tested Logon Rate: 1500 over 5 min
    • vDisk per XenServer: up to 28
    • Provisioning Server for Desktops: 500 VMs per machine when using local cache files
  • Planning Security Considerations
    • Install AV, use a firewall, secure the network, lock down user privileges, etc.
    • Users who are Administrators on virtual desktops can:
      • Have full control over this desktop
      • Potentially view others' information on this desktop if it is pooled rather than assigned
      • Control/monitor network traffic
      • Install malicious software
  • Desktop Delivery Controller Requirements
    • Windows Server 2003 SP2
    • Windows Server 2003 R2
    • Terminal Services in application mode, no CALs needed
    • IIS version 6.0 (For Web Interface Only)
    • .NET Framework 3.5
    • JRE 1.5.0_15
    • MS J# 2.0 Redistributable Package Second Edition
    • IE 5.0 or later
    • 400MB for DDC Software
  • Data Store Database Requirements
    • Microsoft Access (Basically unusable except in tiny installations)
    • Microsoft SQL Server 2000 SP4 and above
    • Oracle Enterprise 10.2.0.1.0
  • License Server Requirements
    • Windows 2000, 2003, 2008
    • 30 MB disk
  • License Management Console
    • IE5.0 or greater
    • IIS 5.0, 6.0, 7.0
    • Server 2008 needs ASP.NET, Windows Authentication security role, IIS 6 Management Compatibility role
    • Tomcat 4.1.24
    • Apache HTTP Server 2.0.49
  • Active Directory
    • No schema changes are needed
    • Each Farm needs an OU
    • Controllers Security Group Created
      • Computer Account of all controllers must  be a member of this security group
      • This is done by default
      • Service Connection Point
        • Farm Meta Info
        • Registration Services Container
          • One SCP object for each controller in the farm
          • Updated on each startup
          • Permissions must match to get rid of security groups which are added automatically by installing.
            • Should contain the computer accounts for the delivery controllers in the farm
            • By default, installation sets permissions so that controllers have write access to their own SCP; make sure permissions are set so that only trusted admins can change SCP info
            • Replication of new information could take some time
            • Valid forward and reverse DNS is required and up to date
  • User Types
    • Task Workers
      • Data entry, standard tasks that do not require a personalized desktop
      • Call center staff
    • Knowledge Workers
      • Personalized desktop and software
      • Close to the experience of a personal desktop
  • Access Modes
    • Full-Screen-Only
      • Focused on the virtual desktop; fills the full screen and cannot interact with the local desktop
    • Window View
      • Good for multiple virtual desktops
      • Can interact with remote and local desktops
      • Flexible viewing
        • Multiple Monitor support
          • 8 total
          • Identical screen resolutions required
          • 1024×768 × 8 monitors (24bpp)
          • No configuration required, except to physically arrange the desktops in a rectangle
  • Web Connectivity
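As an added example (my own script, not code from the original notes or from Citrix), here are the Delivery Controller Selection registry values and the CdsPoolMgr.exe.config throttling key from the notes above applied in one idempotent PowerShell script; the registry and config paths are those listed in the notes, while the function names are my own.

```powershell
# Added example, not from the original post. Applies the two registry values and the
# appSettings key described in the notes above. Paths are taken from the notes; run from
# an elevated prompt on the Desktop Delivery Controller and restart it afterwards.
$ImaRuntime = 'HKLM:\Software\Citrix\IMA\RUNTIME'
$PoolMgrCfg = 'C:\Program Files\Citrix\VmManagement\CdsPoolMgr.exe.config'

function Set-DdcMasterRanking {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Master', 'Backup', 'Member')]
        [string]$Role
    )
    # Preference maps to a DWORD: 1 = Master, 2 = Backup, 3 = Member
    $rank = @{ Master = 1; Backup = 2; Member = 3 }[$Role]
    if (-not (Test-Path $ImaRuntime)) { New-Item -Path $ImaRuntime -Force | Out-Null }
    # MasterRanking is only honoured when UseRegistrySetting is 1
    New-ItemProperty -Path $ImaRuntime -Name 'UseRegistrySetting' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $ImaRuntime -Name 'MasterRanking' -PropertyType DWord -Value $rank -Force | Out-Null
    return (Get-ItemProperty -Path $ImaRuntime).MasterRanking
}

function Set-PoolMgrTransitionRate {
    param([ValidateRange(1, 100)][int]$Percent = 10)
    [xml]$cfg = Get-Content -Path $PoolMgrCfg -Raw
    $root = $cfg.DocumentElement
    # XPath lookups return $null when missing, so an empty <appSettings/> is handled too
    $appSettings = $root.SelectSingleNode('appSettings')
    if ($null -eq $appSettings) {
        $appSettings = $root.AppendChild($cfg.CreateElement('appSettings'))
    }
    # Reuse an existing <add> so repeated runs do not leave duplicate keys behind
    $node = $appSettings.SelectSingleNode("add[@key='MaximumTransitionRate']")
    if ($null -eq $node) {
        $node = $appSettings.AppendChild($cfg.CreateElement('add'))
        $node.SetAttribute('key', 'MaximumTransitionRate')
    }
    $node.SetAttribute('value', "$Percent")
    Copy-Item -Path $PoolMgrCfg -Destination "$PoolMgrCfg.bak" -Force   # keep a copy of the original
    $cfg.Save($PoolMgrCfg)
    return $node.GetAttribute('value')
}

Set-DdcMasterRanking -Role Master        # this server should win Farm Master elections
Set-PoolMgrTransitionRate -Percent 10    # 10% is the notes' starting point; tune per environment
```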
