
WebMarshal performance problems

May 22nd, 2008 | No Comments

One of our customers is using WebMarshal for HTTP/HTTPS URL filtering and content scanning. The WebMarshal software is installed on two Microsoft ISA 2003 servers. These ISA servers are behind a Cisco Content Switch for load-balancing and redundancy purposes.

The problem with WebMarshal is the PERFORMANCE. Internet browsing with WebMarshal as proxy just doesn’t perform. I tried to troubleshoot WebMarshal to find out where the performance problems are coming from, but the software cannot be troubleshot in a decent way. I disabled the Access Policies, and guess what, the performance is great. I added an allow-all rule on top of every Access Policy subcategory, but without success.

I know the customer is running an old version (3.0.x), and of course when you contact the supplier, the first thing they say is: “Upgrade to the latest version!!”. It seems the solution is always upgrading to the latest version. The second thing the supplier told us was to use Microsoft Network Load Balancing instead of the Content Switches. Sadly the customer is using HP ProCurve switches, which don’t support static ARP entries. So NLB is not an option.

But again, I give them the benefit of the doubt, so we will install two new servers dedicated to the WebMarshal software. The servers will still be behind the Content Switch, because I believe that the Content Switches are the reason for the bad performance.

I will tell you more about the outcome of the latest version of WebMarshal on dedicated hardware. My opinion so far: “Feed the WebMarshal software to the dogs and buy something else!!!!!!!!!!”

www.booches.nl on a Synology DS107+

May 15th, 2008 | 2 Comments

I wanted to buy a new USB disk for backing up all my files, but I didn’t know what to buy. A storage consultant told me about the Synology products. Together with some colleagues, we started to look at the different products. In the end we narrowed our search down to the Synology DS107+. This is a NAS with a web server based on Apache and some other nice “tools”.

I started to play a little with the web server. At first I only found the option to run one single website, but I am running more than one website. So I started to look at different forums for modifying the configuration. In the end I found an article that described how to configure the HTTPD daemon to use virtual hosts.

I took the following steps to enable the use of virtual hosts:

  1. Edit the file /usr/syno/apache/conf/httpd.conf-user
      - Uncomment the line: Include conf/extra/httpd-vhosts.conf
  2. Create the file /usr/syno/apache/conf/extra/httpd-vhosts.conf
      NameVirtualHost *:80

      <VirtualHost *:80>
      ServerName www.booches.nl
      DirectoryIndex index.php index.html index.htm index.shtml
      DocumentRoot /volume1/websites/www
      <Directory "/volume1/websites/www">
      AllowOverride all
      </Directory>
      </VirtualHost>

      <VirtualHost *:80>
      ServerName os3.booches.nl
      DirectoryIndex index.php index.html index.htm index.shtml
      DocumentRoot /volume1/websites/os3
      <Directory "/volume1/websites/os3">
      AllowOverride all
      </Directory>
      </VirtualHost>

      <VirtualHost *:80>
      ServerName www.emmastraat32.nl
      DirectoryIndex index.php index.html index.htm index.shtml
      DocumentRoot /volume1/websites/emmastraat
      <Directory "/volume1/websites/emmastraat">
      AllowOverride all
      </Directory>
      </VirtualHost>

  3. Restart the HTTPD daemon
      /usr/syno/etc/rc.d/S97apache-user.sh restart
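A small checker for a vhost file of the shape above, added here as an example and not part of the original post: it parses each VirtualHost block and flags a DocumentRoot that escapes the shared /volume1/websites tree as well as AllowOverride all, which lets any .htaccess dropped into a site directory override the server configuration. The sample config is constructed for the example and gives the second host AllowOverride None to show the contrast.

```python
import re

# Constructed sample modelled on the httpd-vhosts.conf from the post (not the
# author's file); the second host has AllowOverride None to show the contrast.
SAMPLE_VHOSTS = """NameVirtualHost *:80
<VirtualHost *:80>
ServerName www.booches.nl
DocumentRoot /volume1/websites/www
<Directory "/volume1/websites/www">
AllowOverride all
</Directory>
</VirtualHost>

<VirtualHost *:80>
ServerName os3.booches.nl
DocumentRoot /volume1/websites/os3
<Directory "/volume1/websites/os3">
AllowOverride None
</Directory>
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(
    r'^\s*(ServerName|DocumentRoot|AllowOverride)\s+"?([^"\s]+)"?', re.M | re.I)

def parse_vhosts(text):
    """Return one dict per <VirtualHost> block holding the directives we care about."""
    hosts = []
    for m in VHOST_RE.finditer(text):
        info = {"listen": m.group(1).strip()}
        for d in DIRECTIVE_RE.finditer(m.group(2)):
            info[d.group(1).lower()] = d.group(2)
        hosts.append(info)
    return hosts

def check_vhosts(hosts, webroot="/volume1/websites"):
    """Flag a DocumentRoot outside the shared web root, and 'AllowOverride all',
    which lets any .htaccess dropped into a site override the server config."""
    findings = []
    for h in hosts:
        name = h.get("servername", "<unnamed>")
        root = h.get("documentroot", "")
        if not root.startswith(webroot + "/"):
            findings.append(f"{name}: DocumentRoot {root!r} is outside {webroot}")
        if h.get("allowoverride", "None").lower() == "all":
            findings.append(f"{name}: AllowOverride all enables .htaccess overrides")
    return findings
```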

For WordPress to work, I had to create a database in MySql. This is simple with the MySql command line queries. It has been a long time since I played with MySql, but it was fun nevertheless (Man, I sound like a computer geek….). I created the same user credentials for the WordPress database and added them to the WordPress configuration file.

Next I re-configured the static NAT entry on my Cisco 877W router, so you are all directed to the correct inside host. Now I am wondering whether the NAS works, and I am especially interested in its performance. As far as I have noticed, the performance is lower than that of my IIS web server. I give it the benefit of the doubt for the time being…..or else it is back to my IIS web server.

Blogging colleagues

May 9th, 2008 | 1 Comment

I am not the only one from Ictivity spamming the Internet with a blog. There are more consultants, from different disciplines, who share their knowledge with other people. Let’s have a closer look at them.

Yellow Bricks
Recently my colleague Duncan Epping introduced me on his personal blog. Duncan is a Virtualization Consultant for Ictivity, specialized in VMware. You can find his blog here.
A couple of outtakes:

Scott’s post pointed me out to the follow up of the VMotion vs Quick Migration post a week ago. I’ve already blogged about the previous articles so here my thoughts [...]
Source

Today I received the following error at a customer site when applying patch via the Update Manager:”Metadata for patch missing.” After a close inspection I noticed VirtualCenter wasn’t running on port 80 but on 81 for some reason. Opening up the ESX Firewall and restarting the VMware [...]
Source

Digipulse
Digipulse is maintained by Microsoft and Server Based Computing (SBC) Consultant Edwin Houben. A couple of outtakes of Edwin’s blog:

Citrix maintains a support article (Document ID: CTX107572) that contains a plethora of troubleshooting tools for your Citrix/Terminal Services environment. Most of the tools are targeted at Citrix [...]
Source

1. Logon as local administrator.
2. Set the “Citrix Independent Management Architecture” service to disabled in services.
3. Delete all locally stored [...]
Source

ThinStallGuru
The last known Ictivity blogger is Edwin Friessen. Edwin is also a Microsoft and SBC Consultant at Ictivity. A couple of outtakes from his blog:

possible to use drive letter L: for CD-rom one and drive letter L: for CD-rom two. Because the application runs in separated bubbles they cannot conflict each other. In this case you have to remind that the [...]
Source

One of the key reasons VMware acquired Thinstall was because we saw a gap in the current marketplace around application virtualization. The market, frankly, seemed artificially inhibited. We intend on opening [...]
Source

Port-channel configuration for VMware

May 5th, 2008 | 7 Comments

I received some e-mails from people asking for configuration examples for a Cisco switch in conjunction with VMware servers. That is why I post the configuration (I normally use) beneath. This configuration enables an 802.1Q trunk connection between the switch and the VMware server. It requires the VMware server to use VLAN tagging. The Port-channel consists of two physical GigabitEthernet interfaces.

Configuration Example:

port-channel load-balancing src-dst-ip
!
interface Port-channel1
description 802.1Q to VMWare
switchport trunk encapsulation dot1q
switchport nonegotiate
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/1
description Member Po1
switchport trunk encapsulation dot1q
switchport nonegotiate
switchport mode trunk
no cdp enable
channel-group 1 mode on
spanning-tree portfast trunk
!
interface GigabitEthernet2/0/1
description Member Po1
switchport trunk encapsulation dot1q
switchport nonegotiate
switchport mode trunk
no cdp enable
channel-group 1 mode on
spanning-tree portfast trunk
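A consistency check for configurations of the shape above, added here as an example and not part of the original post: a member port whose switchport mode, trunk encapsulation or nonegotiate setting differs from the Port-channel will not bundle correctly, so the script parses the interface stanzas and reports every mismatch. The sample configuration is constructed for the example and deliberately leaves GigabitEthernet2/0/1 as an access port.

```python
import re

# Constructed sample modelled on the configuration in the post (not the author's
# switch); GigabitEthernet2/0/1 is deliberately misconfigured as an access port.
SAMPLE_CONFIG = """port-channel load-balancing src-dst-ip
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport nonegotiate
 switchport mode trunk
!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport nonegotiate
 switchport mode trunk
 channel-group 1 mode on
interface GigabitEthernet2/0/1
 switchport trunk encapsulation dot1q
 switchport mode access
 channel-group 1 mode on
"""

CHECKED = ("switchport mode", "switchport trunk encapsulation", "switchport nonegotiate")

def parse_interfaces(config):
    """Map interface name -> set of its sub-commands (leading space stripped)."""
    interfaces, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = set()
        elif current and line and line != "!":
            interfaces[current].add(line)
    return interfaces

def check_port_channels(config):
    """Report member ports whose CHECKED settings differ from their Port-channel."""
    interfaces = parse_interfaces(config)
    findings = []
    for name, lines in sorted(interfaces.items()):
        member = re.search(r"channel-group (\d+) mode", "\n".join(lines))
        if not member:
            continue  # not a bundle member (or the Port-channel itself)
        po = f"Port-channel{member.group(1)}"
        expected = {l for l in interfaces.get(po, set()) if l.startswith(CHECKED)}
        actual = {l for l in lines if l.startswith(CHECKED)}
        for diff in sorted(expected ^ actual):
            kind = "missing" if diff in expected else "extra"
            findings.append(f"{name}: {kind} '{diff}' relative to {po}")
    return findings
```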

CDP is Cisco’s proprietary Cisco Discovery Protocol. CDP can be useful when trying to discover attached network components. VMware supports CDP, so it could be enabled on the interfaces. CDP helps to see which switch port connects to which NIC on the ESX server.

Exchange 2007 with ISA 2006

May 5th, 2008 | 2 Comments

Today I have been working on publishing Microsoft Exchange Outlook Web Access and ActiveSync to the Internet. We had some discussions with some Microsoft Consultants about a secure way to publish Outlook Web Access to the Internet, especially the authentication part of such a solution.

Some people are talking about publishing OWA directly to the Internet. In my opinion, this results in a major security threat, because you directly expose TCP/80 and TCP/443 of the Exchange server to the Internet. A vulnerability or exploit in these services could end up with a hacker taking over the Exchange server.

A second solution is placing a front-end server in a DMZ segment, but making the server a domain member for authentication. In my opinion this is still a security leak, because somebody who hacks the DMZ server may be able to hack or corrupt the Active Directory.

The third solution, and the one we advise, is using a Microsoft ISA 2006 server as a front-end server in the DMZ. We configure a RADIUS or LDAPS connection (LDAPS if you want the option to change passwords) to a RADIUS server or a domain member on the internal LAN segment. This ensures a secure way of authenticating users, and even if somebody hacks the ISA server, he still has not compromised a domain member server or exploited a vulnerability in TCP/80 or TCP/443 of the Exchange server.

I had a lot of help from an article on isaserver.org by Thomas Shinder while configuring the solution. I had some problems with publishing ActiveSync, and ended up enabling Basic Authentication on the ActiveSync virtual directory (Microsoft-Server-ActiveSync).
