
Blackberry2Droid Version 1.0.2 Released


After a few months with no development I’m pleased to announce that BlackBerry2Droid has reached version 1.0.2. With the latest version comes support for messages encoded with UCS-2 (a way of converting readable characters to numbers that pre-dates UTF-16). This results in support for languages that use non-Latin alphabets such as Cyrillic, Greek etc.

A bug affecting the sender/receiver of messages has also been corrected.

Support for different languages has been a long standing feature request. If it’s something you’ve found useful, please encourage others to check it out by tweeting about it or sharing it on Facebook/G+.

Head on over to the Blackberry2Droid page to download the latest version.

The post Blackberry2Droid Version 1.0.2 Released appeared first on Blog of Dave Hope.


Cisco ASA TCP SYN Checks


In certain circumstances you may wish an ASA not to inspect the TCP SYN flags of packets. This is usually the case if the device will not see the return traffic, such as in the following example:

[Image: TCP State Bypass ASA]

To do this, we first need to create an access-list containing the destination IP range we’re going to exclude from TCP SYN checks. This is an extended ACL of the kind you’ll likely already have plenty of:

access-list NoSYNChecksACL extended permit tcp 172.16.0.0 255.240.0.0 172.16.0.0 255.240.0.0 log disable

Next up we create a class map to identify packets based on the ACL we’ve created:

class-map NoSYNChecksCM
  match access-list NoSYNChecksACL 

With our ACL and class map created we now need to decide what should happen to these packets for which we don’t see the return traffic. We’re going to tell the ASA to bypass TCP state checks (SYN/ACK) for traffic matching our class map.

policy-map NoSYNChecksPM
  class NoSYNChecksCM
    set connection timeout idle 0:15:00
    set connection advanced-options tcp-state-bypass

With that done, all we need to do is apply the policy to an interface:

service-policy NoSYNChecksPM interface Inside

Any traffic sourced from the inside interface, destined for addresses matched by our ACL will now not be subject to TCP state checks.
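As an added example (not code from the original post), the toy model below shows what the ASA's TCP state check does to an asymmetric flow and how the tcp-state-bypass class changes that. The ACL mirrors the post's NoSYNChecksACL; the flow table, packets and simplified state machine are constructed for illustration, not ASA internals.

```python
"""Toy model of the ASA TCP state check and of 'tcp-state-bypass'.

The ASA only creates a connection entry when it sees the SYN of a flow, and
drops later packets that belong to no known connection. With asymmetric
routing it may see only one direction (for example just the SYN/ACK coming
back), so those flows are dropped unless they fall into the bypass class.
"""
from ipaddress import ip_address, ip_network

# access-list NoSYNChecksACL extended permit tcp 172.16.0.0 255.240.0.0 172.16.0.0 255.240.0.0
NO_SYN_CHECKS_ACL = [(ip_network("172.16.0.0/12"), ip_network("172.16.0.0/12"))]


def matches_bypass_acl(src: str, dst: str) -> bool:
    """True when the (source, destination) pair matches a NoSYNChecksACL entry."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in src_net and d in dst_net for src_net, dst_net in NO_SYN_CHECKS_ACL)


class AsaTcpStateCheck:
    """Connection table keyed on (src, sport, dst, dport); a SYN opens an entry."""

    def __init__(self):
        self.conns = set()
        self.bypassed = set()   # entries created without a SYN (state bypass)

    def handle(self, src: str, sport: int, dst: str, dport: int, flags: str) -> str:
        """Return 'pass' or 'drop' for one TCP segment. flags: 'S', 'SA', 'A', ..."""
        key = (src, sport, dst, dport)
        reverse = (dst, dport, src, sport)
        if "S" in flags and "A" not in flags:
            self.conns.add(key)                       # SYN seen: normal connection
            return "pass"
        if key in self.conns or reverse in self.conns:
            return "pass"                             # part of a tracked connection
        if matches_bypass_acl(src, dst):
            # tcp-state-bypass: accept a mid-stream segment and track it without
            # SYN or sequence-number checks. This is the security trade-off of
            # the feature, which is why the ACL should be kept as narrow as possible.
            self.conns.add(key)
            self.bypassed.add(key)
            return "pass"
        return "drop"                                 # no SYN seen, not in bypass class
```

The SYN/ACK-only case is the situation in the post's diagram: it only passes because the ACL matches, and it is tracked with weaker checks than a normally opened connection.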


Cisco Basics: Port Security


Port Security is a feature of Cisco Catalyst switches which restricts the number of MAC addresses per port. The intention is to prevent users plugging in unmanaged switches to extend the network by sharing a single port. Whilst not a perfect solution as MAC addresses can be spoofed, it deters the average user.

When a device is connected to a switch port the Ethernet frame is examined and the source MAC address is recorded. If a second source MAC address is detected the switch will shut down the port to prevent multiple devices accessing the network.

Port security is enabled on a per-port basis, usually on all access ports. Enabling port security with the default options takes a single command:

Switch(config)# int fa0/1
Switch(config-if)# switchport port-security


Once enabled we can view the current state of the port:

Switch# sh port-security int fa0/1
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

Once a device is connected and the first Ethernet frame is received the source MAC address will be recorded (learned) by the switch:

Switch# sh port-security int fa0/1
...
Last Source Address:Vlan   : 009c.02a0.4a3e:99
...

If we connect a switch to a port with port-security enabled and add a second host behind it, the port will change to the “err-disable” state, blocking all traffic. If we check the state again, two values will have changed:

Switch# sh port-security int fa0/1
...
Port Status                : Secure-shutdown
...
Security Violation Count   : 1

Once the offending device has been removed the port must be re-enabled by issuing the “shutdown” command followed by “no shutdown”.

Changing Port Security Behaviour

The default configuration options don’t suit everyone; thankfully we can adjust the way port security behaves. Cisco provide the ability to adjust the following:

  • Violation Mode
    What happens when a port violation occurs
  • Maximum MAC addresses
    The number of allowed MAC addresses before a violation occurs
  • MAC address ageing
    How long to wait before forgetting a learned MAC address
  • Auto Recovery
    Re-enable a port after a certain period of time

Violation Mode

Configuring the violation mode allows us to tweak what happens when the number of detected MAC addresses exceeds the number we allow. We have three options:

  • shutdown is the default; it err-disables the port and blocks all traffic
  • protect allows traffic from the allowed MAC addresses but blocks all traffic from the violating MAC addresses
  • restrict is as per “protect” but also generates syslog messages and increments the “Security Violation Count”

Violation mode is configured on a per-port basis.

Switch(config)# int fa0/1
Switch(config-if)# switchport port-security violation restrict

Maximum MAC addresses

We can allow more than a single MAC address on a per-port basis, which is useful when devices such as computers and IP phones share the same access port.

Switch(config)# int fa0/1
Switch(config-if)# switchport port-security maximum 2

MAC address ageing

When a switch with port security receives an Ethernet frame the MAC address is recorded forever. In some situations (meeting rooms etc) you may want the MAC address to be forgotten after a period of time. Ageing (specified in minutes) is configured as follows:

Switch(config)# int fa0/1
Switch(config-if)# switchport port-security aging time 5

Auto Recovery

It can be a pain having to contact IT to shutdown and re-enable a port after a violation, so we can allow the switch to auto recover after a brief period of time. Configured at a switch level rather than per-port, automatic recovery (specified in seconds) is configured as follows:

Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 600
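As an added example (not from the original post), the following model ties the options above together: maximum MAC addresses, the shutdown/protect/restrict violation modes, absolute ageing in minutes and errdisable auto-recovery in seconds. Frames, MAC addresses and timestamps are constructed, and the behaviour is a simplification of the real Catalyst feature.

```python
"""Simplified model of Catalyst port security on one access port."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                            # switchport port-security maximum N
    violation: str = "shutdown"                 # switchport port-security violation ...
    aging_time_min: int = 0                     # switchport port-security aging time N (0 = never)
    recovery_interval_s: Optional[int] = None   # errdisable recovery interval N (switch-wide)
    learned: Dict[str, float] = field(default_factory=dict)   # mac -> time learned (seconds)
    status: str = "Secure-up"
    violation_count: int = 0
    syslog: List[str] = field(default_factory=list)
    errdisabled_at: Optional[float] = None

    def _age_out(self, now: float) -> None:
        """Absolute ageing: forget a MAC once it has been known for aging_time_min."""
        if self.aging_time_min == 0:
            return
        limit = self.aging_time_min * 60
        for mac, learned_at in list(self.learned.items()):
            if now - learned_at >= limit:
                del self.learned[mac]

    def _try_recover(self, now: float) -> None:
        """errdisable recovery cause psecure-violation: re-enable after the interval."""
        if (self.status == "Secure-shutdown" and self.recovery_interval_s is not None
                and now - self.errdisabled_at >= self.recovery_interval_s):
            self.status, self.errdisabled_at = "Secure-up", None

    def receive(self, src_mac: str, now: float) -> str:
        """Return 'forward' or 'drop' for a frame with this source MAC at time now."""
        self._try_recover(now)
        if self.status == "Secure-shutdown":
            return "drop"                             # err-disabled: nothing passes
        self._age_out(now)
        if src_mac in self.learned or len(self.learned) < self.maximum:
            self.learned.setdefault(src_mac, now)     # learn the address on first sight
            return "forward"
        # More source MACs than allowed: apply the configured violation mode.
        if self.violation == "shutdown":
            self.status, self.errdisabled_at = "Secure-shutdown", now
            self.violation_count += 1
        elif self.violation == "restrict":
            self.violation_count += 1
            # Approximation of the IOS message text; the real one also names the port.
            self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: {src_mac} on {self.name}")
        return "drop"                                 # protect/restrict drop only the offender

    def manual_reset(self) -> None:
        """Operator issues 'shutdown' followed by 'no shutdown' on the interface."""
        self.status, self.errdisabled_at = "Secure-up", None
```

Note that protect mode leaves no trace in the violation counter or syslog, so restrict is the mode to prefer when you want the unmanaged switch to be noticed.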


Cisco Basics: NAT and PAT


Address translation, commonly referred to as either NAT or PAT, is the process of altering traffic as it passes through a router so that it appears to come from different addresses. Address translation is particularly useful due to the limited supply of IPv4 addresses: networks can have a much larger number of internal-only addresses behind a smaller number (usually one) of public internet addresses.

The translation process is performed by a router, usually on the edge of a network, connecting to an internet service provider. In a plainly routed network only the source and destination MAC addresses change as frames pass through routers; with address translation the source IP address (and port) is changed as well.

Generally speaking, there are two types of address translation:

  • NAT
    Network Address Translation translates the source address to one from a list of public addresses. The downside to this approach is that for each internal host on the network you also need an external address.
  • PAT
    Port Address Translation usually has a single outside IP address and alters the source port when traffic leaves the router, so that return traffic can be mapped back to internal addresses.

Cisco has a few different NAT configurations depending on the scenario; I’ll cover them in more detail below. Before we get started, let’s assume we have the following configuration:

! Internal interface representing a LAN
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0

! Outside interface representing the internet
interface FastEthernet0/2
 ip address 1.1.1.1 255.255.255.0

The first thing we need to do is specify which interface is inside our network and which is outside:

Router(config)# int Fa0/1
Router(config-if)# ip nat inside
Router(config-if)# int Fa0/2
Router(config-if)# ip nat outside

When executing the “ip nat inside/outside” commands the router may hang for a second; this is normal behaviour. It doesn’t usually happen in Packet Tracer but may do on production devices.

Dynamic NAT

Dynamic NAT is what was traditionally meant by NAT. Inside hosts are each translated to their own outside address. It’s referred to as dynamic because once communication stops the outside address is freed up for the next internal host.

The first step is to set up a list, or “pool”, of outside addresses to be used for translation. Let’s say we have 10 addresses from our outside 1.1.1.1/24 network:

Router(config)# ip nat pool DynamicNAT 1.1.1.10 1.1.1.19 netmask 255.255.255.0

With our pool of external addresses assigned, we now need to create an ACL to group together all our inside network addresses that will be translated, in this case the entire 192.168.1.0/24 network:

Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255

Finally we create the dynamic NAT configuration, using our ACL and NAT pool:

Router(config)# ip nat inside source list 1 pool DynamicNAT

If we try and access a web-server on the “outside” interface from a PC on the “inside” interface, we can see the translation taking place on the router:

Router#sh ip nat translations 
Pro  Inside global     Inside local       Outside local      Outside global
tcp 1.1.1.10:1026      192.168.1.2:1026   1.1.1.2:80         1.1.1.2:80

The next client would then get the 1.1.1.11 address and so on.

NAT Overload (PAT)

Overloading allows multiple inside IP addresses to be translated to a single outside address. This works by using the source port numbers as a method of identifying translated inside addresses.

The first step is to create an ACL to group together all our inside network addresses that will be translated, in this case the entire 192.168.1.0/24 network:

Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255

The next and final step is to configure the router to perform the translations:

Router(config)# ip nat inside source list 1 interface FastEthernet0/2 overload

One easily missed part of the “ip nat” command is the “overload” keyword; without it only the first device to send traffic will be translated.

If we try and access a web-server on the “outside” interface from a PC on the “inside” interface, we can see the translation taking place on the router:

Router#sh ip nat translations 
Pro  Inside global     Inside local       Outside local      Outside global
tcp 1.1.1.1:1025       192.168.1.2:1025   1.1.1.2:80         1.1.1.2:80

Static NAT

Static NAT permanently maps a single inside address (and optionally port) to a single outside address, typically used for port-forwarding from an external address. This works bidirectionally, so return traffic is automatically translated.

If we want to translate traffic for a web-server running on 192.168.1.100, we’d use the following command:

Router(config)# ip nat inside source static tcp 192.168.1.100 80 1.1.1.1 80

Once that’s in place, the translation is visible even when nothing is sending traffic:

Router#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 1.1.1.1:80         192.168.1.100:80   ---                ---
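As an added example (not from the original post), the model below implements the three translation types configured above, dynamic NAT from a pool, PAT overload on the outside interface, and a static TCP mapping, and prints its table in the style of “show ip nat translations”. Addresses mirror the post; the allocation rules are a simplification of what IOS does.

```python
"""Simplified model of dynamic NAT, PAT overload and static NAT on an IOS router."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Mapping = Tuple[str, int]   # (address, port)


class NatRouter:
    def __init__(self, inside_list: List[str], outside_if_ip: str, overload: bool = False):
        self.inside_list = [ip_network(n) for n in inside_list]   # access-list 1
        self.outside_if_ip = outside_if_ip                         # FastEthernet0/2 address
        self.overload = overload                                   # ... interface Fa0/2 overload
        self.pool_free: List[str] = []
        self.table: Dict[Mapping, Mapping] = {}                    # inside local -> inside global

    def nat_pool(self, start: str, end: str) -> None:
        """ip nat pool DynamicNAT <start> <end> netmask ..."""
        s, e = int(ip_address(start)), int(ip_address(end))
        self.pool_free = [str(ip_address(i)) for i in range(s, e + 1)]

    def static_tcp(self, inside_ip: str, inside_port: int, outside_port: int) -> None:
        """ip nat inside source static tcp <inside> <port> <outside-if-ip> <port>:
        present in the table before any traffic flows, and usable inbound."""
        self.table[(inside_ip, inside_port)] = (self.outside_if_ip, outside_port)

    def _outside_ports_in_use(self) -> set:
        return {port for ip, port in self.table.values() if ip == self.outside_if_ip}

    def _pool_host_map(self) -> Dict[str, str]:
        """inside host -> pool address currently assigned (dynamic NAT entries only)."""
        return {l_ip: g_ip for (l_ip, _), (g_ip, _) in self.table.items()
                if g_ip != self.outside_if_ip}

    def translate(self, src_ip: str, src_port: int) -> Optional[Mapping]:
        """Translate an outbound packet's source; None means the pool is exhausted."""
        key = (src_ip, src_port)
        if key in self.table:
            return self.table[key]                      # existing entry, static or dynamic
        if not any(ip_address(src_ip) in net for net in self.inside_list):
            return key                                  # not in list 1: routed untouched
        if self.overload:
            # PAT keeps the source port when it can and only changes it on a
            # clash, so replies can be mapped back to the right inside host.
            port, used = src_port, self._outside_ports_in_use()
            while port in used:
                port += 1
            mapping = (self.outside_if_ip, port)
        elif src_ip in self._pool_host_map():
            mapping = (self._pool_host_map()[src_ip], src_port)   # host keeps its address
        elif self.pool_free:
            mapping = (self.pool_free.pop(0), src_port)           # next free pool address
        else:
            return None                                 # pool empty: no translation possible
        self.table[key] = mapping
        return mapping

    def release(self, src_ip: str, src_port: int) -> None:
        """Connection ended: a pool address is freed once the host has no more entries."""
        global_ip, _ = self.table.pop((src_ip, src_port))
        if global_ip != self.outside_if_ip and src_ip not in self._pool_host_map():
            self.pool_free.append(global_ip)

    def show_translations(self) -> List[str]:
        lines = ["Pro  Inside global      Inside local       Outside local      Outside global"]
        for (l_ip, l_port), (g_ip, g_port) in self.table.items():
            lines.append(f"tcp  {g_ip}:{g_port:<11}{l_ip}:{l_port:<7}---                ---")
        return lines
```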

There is an additional type of NAT not covered here, Overlapping NAT. Overlapping NAT is used when two networks that share the same address space need to communicate. I’ll cover that another day.


Cisco Basics: Access Lists


Access lists allow you to group network objects such as IP addresses, services or users and act upon that information. They are most commonly used to permit or deny certain types of traffic though they are used for a variety of other things (filtering out routes for example).

Cisco IOS routers and switches have two types of access control list:

  • Standard
    Can only filter based on source IP address
  • Extended
    Can filter based on source or destination IP address, or certain Layer-4 protocols such as TCP or UDP

Access control lists (ACLs) can be configured as either numbered or named. Numbered ACLs cannot be edited once created; to alter a numbered ACL it must be removed and re-created. Named ACLs can be modified after creation.

How ACL’s work

Whilst access control lists are used for filtering routes, controlling debug output and other things their primary use is to act as a basic firewall, restricting what traffic can pass through a device. Once enabled, the router will examine the IP header of each packet and compare it to the ACL. Any additional tasks that a router must undertake, such as NAT/PAT and processing ACL’s will reduce its performance, so it’s important to understand how rules are processed.

Access control lists consist of rules that (generally) either permit or deny traffic, each rule sits on its own line in the ACL. At the very end of all access control lists is a line that denies any unmatched traffic, referred to as an “implicit deny”.

As traffic is received it is compared to the ACL line by line; at the first line that matches, processing stops and the packet is either sent on its way or dropped according to that line. This makes it important to put the most frequently hit rules at the top of your ACL.

To view existing access lists we can use the “show ip access-list” command:

Router# sh ip access-lists
Standard IP access list 1
    10 permit 192.168.1.0, wildcard bits 0.0.0.255

Standard ACL’s

Standard ACLs can be created using either names or numbers (1 through 99), numbered ones with the “access-list #” command. For example, to block all traffic with a source address of 192.168.1.1 we would do the following:

Router(config)# access-list 1 deny 192.168.1.1
Router(config)# access-list 1 permit any

The final line is an important one; without it all traffic would be denied rather than just 192.168.1.1. As this is a numbered access-list we cannot return to amend it at a later date. If we wanted to create the same ACL with a name rather than a number we would do the following:

Router(config)# ip access-list standard DenyHost 
Router(config-std-nacl)# deny host 192.168.1.1
Router(config-std-nacl)# permit any

Notice that the format of the command has changed slightly. Named ACLs are created under the “ip” context, and we also need to specify whether it’s a standard ACL or an extended one (since there’s no number to determine that).

Extended ACL’s

Extended ACLs are much more flexible than standard ACLs, allowing filtering based on more than just the source IP. With extended ACLs we can filter on some layer 4 information, such as source or destination port. Just like standard ACLs they can be created using numbers (100 through 199) or names.

As an example let’s assume we have a web-server running on 192.168.1.1; with a standard ACL we would only be able to permit traffic to the IP, rather than permitting only port 80.

Router(config)# ip access-list extended WebTraffic
Router(config-ext-nacl)# permit tcp any host 192.168.1.1 eq 80

The second line above specifies that we’re going to permit TCP traffic from any source address, but only when destined for 192.168.1.1 on port 80. All other traffic will be denied due to the implicit deny at the end of the ACL.

Applying ACL’s

Once access control lists are created they do nothing until you apply them to something. ACLs are applied on a per-interface basis, to either inbound or outbound traffic. The key to working out where to place the ACL is to think of yourself as the router: is the traffic being received or sent? Once you know that you can place the ACL. It’s also important to apply ACLs as close to the traffic source as possible to reduce further processing. If an ACL is going to drop traffic, it makes no sense to filter it as it leaves the router; it’s more logical to filter it as soon as the router receives it.

Access control lists are applied to an interface using the “access-group” command, for example:

Router(config)# int Fa0/0
Router(config-if)# ip access-group WebTraffic in

One further point to note is that if you apply an ACL that hasn’t been created yet to an interface, all traffic will be dropped (due to the implicit deny all at the end of ACLs).
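As an added example (not from the original post), here is a small evaluator for the standard and extended ACLs built above: it parses the same rule syntax, applies IOS wildcard masks, stops at the first match and falls through to the implicit deny. Rules and packets are constructed; real IOS syntax has many more options than this parser accepts.

```python
"""Evaluator for simplified IOS standard and extended access lists."""
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
Addr = Tuple[str, str]   # (address, wildcard mask)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit means 'don't care', so 0.0.0.255 covers a /24."""
    a, b, w = (int(ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def _take_addr(tok: List[str], i: int) -> Tuple[Addr, int]:
    """Consume one address spec: 'any', 'host X', 'X wildcard' or bare 'X'."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tok) and tok[i + 1].count(".") == 3:
        return (tok[i], tok[i + 1]), i + 2
    return (tok[i], "0.0.0.0"), i + 1            # standard-ACL shorthand for a host


def parse_rule(line: str) -> Dict:
    """Parse 'permit|deny [proto] src [wc] [dst [wc]] [eq port]'."""
    tok = line.split()
    action, i, proto = tok[0], 1, None
    if tok[i] in PROTOCOLS:                        # protocol keyword => extended rule
        proto, i = tok[i], i + 1
    src, i = _take_addr(tok, i)
    dst, dport = None, None
    if proto and i < len(tok):
        dst, i = _take_addr(tok, i)
        if i + 1 < len(tok) and tok[i] == "eq":
            dport = int(tok[i + 1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


class AccessList:
    def __init__(self, rules: List[str]):
        self.rules = [parse_rule(r) for r in rules]

    def evaluate(self, src: str, dst: Optional[str] = None,
                 proto: str = "ip", dport: Optional[int] = None) -> str:
        """Return 'permit' or 'deny' for a packet; the first matching line wins."""
        for rule in self.rules:
            if not wildcard_match(src, *rule["src"]):
                continue
            if rule["proto"] not in (None, "ip", proto):
                continue
            if rule["dst"] and (dst is None or not wildcard_match(dst, *rule["dst"])):
                continue
            if rule["dport"] is not None and rule["dport"] != dport:
                continue
            return rule["action"]
        return "deny"                              # implicit deny at the end of every ACL
```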


Cisco Basics: Spanning Tree


Spanning Tree is a network protocol designed to prevent network loops. A loop exists at Layer 2 of the OSI model where there are multiple paths between any two devices. If you draw out a network diagram consisting of multiple switches, and can connect any two devices in more than one way there is potentially a loop in your network.

Loops cause problems when it comes to broadcast traffic. When a device sends a broadcast frame a switch will see it and forward the frame out of all ports except the one it received it on. With loops in the network this means that the frame will be broadcast indefinitely, as a switch will see the frame more than once.

Spanning Tree was introduced to prevent switching loops, but also allows for some redundancy in the design of a network. Spanning Tree will have a view of a network and calculates the most efficient paths between switches. Should a connection between switches fail a spare path that would have previously created a loop will become available in around a minute.

Traditionally when you plug a switch into a network it will immediately begin forwarding data, with spanning tree a device first waits to receive special frames known as BPDU’s. Each switch port will go through a series of states whilst waiting for these frames.

BPDU’s

Bridge Protocol Data Units (BPDUs) are broadcast frames that each switch running spanning tree sends out of all ports every 2 seconds. The frame is sent with the source MAC address of the port it leaves from; if the switch receives the frame back through a different port it immediately knows there’s a loop in the network. Whether or not BPDUs are received affects what happens next, but either way a port will progress through four states:

  • Blocking
    The port is only listening out for BPDU frames and does not pass data. After 20 seconds the port changes to the Listening state
  • Listening
    The port still won’t pass data, but will process BPDUs it receives and may return to the Blocking state if a loop is detected. After 15 seconds the port changes to the Learning state
  • Learning
    The port still won’t pass data, but populates its address table with MAC addresses. After 15 seconds the port changes to the Forwarding state
  • Forwarding
    The port now passes data, but still listens for BPDUs to indicate it should shut down.

Root Bridge

For Spanning Tree to be able to understand the topology a core device must be determined; this is called the root bridge. The root bridge is chosen by giving it a lower priority than the other switches in the network.

Once the root is known, ports are considered to be one of three types:

  • Root Ports
    A port that leads directly to the root bridge
  • Designated Ports
    A port on a switch that leads from the root bridge to the edge of the network. The root bridge will have all its ports as designated ports, since they all lead to the edge of the network
  • Alternative Ports
    A path that leads to the root bridge, but does not directly connect to it.

Root ports are determined based on their cost, which is based on the port speed. The higher the speed, the lower the cost. The cost is added up for each link until the root bridge is reached. The lowest cost is the one that is used as the path to the root bridge.
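As an added example (not from the original post), the code below runs the root bridge election and root-port selection just described: lowest bridge ID (priority, then MAC) wins, and each other switch picks the port with the lowest accumulated path cost to the root. The topology, MAC addresses and port names are constructed; the port costs are the 802.1D values that appear later in the post's “show spanning-tree” output (FastEthernet 19, GigabitEthernet 4). Equal-cost tie breaking is left out for brevity.

```python
"""Root bridge election and root path cost calculation for a small topology."""
import heapq
from typing import Dict, List, Optional, Tuple

PORT_COST = {"fast": 19, "gig": 4}

# name -> (priority, MAC). Only "Core" has had 'spanning-tree vlan 1 priority 24576' applied.
BRIDGES = {
    "Core":    (24576, "0040.0BA3.683D"),
    "Dist1":   (32768, "0002.1111.2222"),
    "Dist2":   (32768, "0003.3333.4444"),
    "SwitchA": (32768, "0001.6492.D639"),
}

# (switch_a, port_a, switch_b, port_b, speed). SwitchA can reach Core two ways.
LINKS = [
    ("Core", "Gi0/1", "Dist1", "Gi0/1", "gig"),
    ("Dist1", "Fa0/24", "SwitchA", "Fa0/1", "fast"),
    ("Core", "Fa0/24", "Dist2", "Fa0/1", "fast"),
    ("Dist2", "Fa0/2", "SwitchA", "Fa0/2", "fast"),
]


def bridge_id(priority: int, mac: str) -> Tuple[int, int]:
    """Lower compares as better; the MAC only decides ties in priority."""
    return priority, int(mac.replace(".", ""), 16)


def elect_root(bridges: Dict[str, Tuple[int, str]]) -> str:
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def root_path_costs(links, root: str) -> Dict[str, Tuple[int, Optional[str]]]:
    """Dijkstra outwards from the root. Cost is added on the port that receives the
    BPDU, so each hop adds the cost of the downstream switch's port facing the root.
    Returns {switch: (root path cost, root port)}; the root itself has (0, None)."""
    adj: Dict[str, List[Tuple[str, int, str]]] = {}
    for a, port_a, b, port_b, speed in links:
        cost = PORT_COST[speed]
        adj.setdefault(a, []).append((b, cost, port_b))   # leaving a, b receives on port_b
        adj.setdefault(b, []).append((a, cost, port_a))
    best: Dict[str, Tuple[int, Optional[str]]] = {root: (0, None)}
    heap = [(0, root)]
    while heap:
        cost, switch = heapq.heappop(heap)
        if cost > best[switch][0]:
            continue                                       # stale heap entry
        for neighbour, link_cost, receiving_port in adj.get(switch, []):
            candidate = cost + link_cost
            if neighbour not in best or candidate < best[neighbour][0]:
                best[neighbour] = (candidate, receiving_port)
                heapq.heappush(heap, (candidate, neighbour))
    return best
```

With every switch left at the default priority, the lowest MAC (here SwitchA, an edge switch) would become root, which is why the priority is set explicitly on the core.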

Types of Spanning Tree

Since its conception in 1990, spanning tree has undergone a series of improvements and revisions. The default on Cisco devices is PVST+, but there are alternatives to support differing root bridges per VLAN and to speed up operation:

  • Rapid STP
    Provides faster convergence after a link failure by reducing the port states (no more listening state).
  • Per-VLAN STP
    A Cisco proprietary protocol that runs a separate spanning tree for each VLAN. Unfortunately it only works with Cisco’s own VLAN encapsulation method, ISL. Some time later Cisco revised the protocol with support for the IEEE standard for VLAN encapsulation (802.1Q) and named it PVST+. PVST+ is now the default Spanning Tree operation mode for Cisco switches.
  • Rapid Per-VLAN STP
    Another Cisco proprietary spanning tree operation mode that combines PVST+ with the benefits of Rapid Spanning Tree, providing STP per VLAN with rapid convergence.

Configuring spanning tree

You’ll want to use either PVST+ or Rapid PVST as your spanning tree type. In the following examples we’re going to set up Rapid PVST. The first thing to do is let our devices know the type of spanning tree we’ll be using:

Switch(config)#spanning-tree mode rapid-pvst

Next, we need to specify one switch as the root bridge on a per-VLAN basis:

Switch(config)# spanning-tree vlan 10 priority 24576
Switch(config)# spanning-tree vlan 20 priority 24576

With spanning tree now configured we can verify its operation with the “show spanning-tree” command:

Switch#sh spanning-tree 
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    24577
             Address     0040.0BA3.683D
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     0040.0BA3.683D
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/24           Desg FWD 19        128.24   P2p
Gi0/1            Desg FWD 4         128.25   P2p
Gi0/2            Desg FWD 4         128.26   P2p
Fa0/1            Desg FWD 19        128.1    P2p

This tells us that the current device is the root bridge for VLAN 1, and shows the cost and status of each port. Since this is the root bridge, all ports are Designated Ports. If we run the same command on an access switch on the edge of our network, we see the following:

SwitchA#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    24577
             Address     0040.0BA3.683D
             Cost        23
             Port        1(FastEthernet0/1)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0001.6492.D639
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Altn FWD 19        128.1    P2p
Fa0/2            Altn BLK 19        128.2    P2p
Fa0/3            Desg FWD 19        128.3    P2p

Here we can see that this switch is some way from the root bridge, as no ports are root ports. There are two paths to the root, so we have two Alternative ports. One is in blocking mode and the other is forwarding, making Fa0/1 the port that takes us to our root bridge.

And that’s about it for the basics of STP.


Migrate from Spaceguard to FSRM


For years a company called Tools4Ever have been producing the excellent Spaceguard, providing flexible quota management for network shares. With the release of Windows Server 2008 R2 Microsoft introduced FSRM (File Server Resource Monitor), providing almost identical functionality out the box.

One of the time-consuming aspects of switching to the Microsoft solution can be transferring existing quotas from Spaceguard to FSRM. Thankfully Spaceguard has an option to export the configuration, which we can parse with PowerShell to recreate the quotas.

Assuming you’ve already set up a template in FSRM and the folder structure has been migrated, the PowerShell script below will read a Spaceguard export (in ASCII CSV format) and adjust the quotas so that they are identical to what was configured in Spaceguard.

#=============================================================================
# Displays a select file dialog box, returning the path to a CSV file.
# The script exits if the dialog is cancelled.
#=============================================================================
function chooseCSVfile
{
	param([string]$Title,[string]$Directory,[string]$Filter="CSV Files (*.csv)|*.csv")
	[System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") | Out-Null
	$openFileDialog = New-Object System.Windows.Forms.OpenFileDialog
	$openFileDialog.InitialDirectory = $Directory
	$openFileDialog.Filter = $Filter
	$openFileDialog.Title = $Title
	$openFileDialog.ShowHelp = $true

	$Show = $openFileDialog.ShowDialog()

	If ($Show -eq "OK")
	{
		Return $openFileDialog.FileName
	}
	Else
	{
		Exit
	}
}

# The Spaceguard export has no header row, so the columns are named here.
$FileName = chooseCSVfile -Title "Import a CSV file" -Directory "c:\"
$QuotaInformation = Import-Csv $FileName -Header "CurrentSize","Directory","Account","Quota","Limit"
$QuotaInformation | Format-Table   # show what is about to be applied
Foreach ($Quota in $QuotaInformation)
{
	$quotaPath = $Quota.Directory
	$quotaMB = [int]($Quota.Limit)        # Limit column is treated as megabytes
	$quotaMB = "$($quotaMB)mb"            # dirquota expects a unit suffix

	# dirquota.exe needs elevation; set the limit on the already-migrated folder
	Start-Process dirquota -Verb runAs -WindowStyle Hidden -ArgumentList "quota modify /Path:$quotaPath /Limit:$quotaMB" 
}

I’d recommend running this script to restore the quotas only once the user data has been migrated. DIRQUOTA has been used in the script to allow for Windows 2008R2 which does not have the Get-FSRMQuota cmdlets.


Cisco ASA NAT problems with TCP Port 2000


I came across a somewhat unusual issue earlier this week whilst trying to setup a NAT entry to forward HTTP traffic over port 2000. The firewalls being used were a pair of Cisco ASA 5505s. The relevant configuration was pretty straightforward:

object-group service AllowedPorts
 service-object tcp eq 2000 
access-list outside-in extended permit object-group AllowedPorts any host 1.1.1.1

When trying to pass HTTP traffic to 1.1.1.1 over port 2000, the TCP connection would establish and eventually a TCP RST would be received, but no data would actually be transferred. Running the service on a port other than 2000 worked fine.

Looking at the IANA port list, port 2000 is used by Cisco SCCP. By default inspection of various protocols is enabled, including SCCP/Skinny:

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp

I decided to try disabling the inspection and see if that made a difference:

CiscoASA# conf t 
CiscoASA(config)# policy-map global_policy
CiscoASA(config-pmap)# class inspection_default 
CiscoASA(config-pmap-c)# no inspect skinny

Suddenly traffic on port 2000 works as expected. In my particular case I turned inspection back on and decided to just use a different TCP port, but this will no doubt help someone out there!



Public Key authentication on Cisco IOS


I rely on SSH pretty heavily, be it for remotely managing a handful of Linux systems or connecting to Cisco routers. I do this from my laptop and, more recently, my phone. Rather than type passwords all the time (which can be tricky on on-screen keyboards) I decided to set up public key authentication for the Cisco routers I use.

Cisco IOS has supported public key authentication (for RSA keys only) since IOS 15. If you don’t already have a public/private RSA key-pair you can use PuttyGen (free, open-source) to generate them. If you’re a Linux user you can use the “ssh-keygen” command.

To set up RSA public key authentication, enter global configuration mode and issue the “ip ssh pubkey-chain” command. Then specify the username you want to provide a key for:

Router(config)#ip ssh pubkey-chain
Router(conf-ssh-pubkey)#username admin
Router(conf-ssh-pubkey-user)#key-string

Now, paste the data part of your public key (the base64 block between “ssh-rsa” and the key comment in the example below).

ssh-rsa AAAAB.....aaa== rsa-key-20130820


If you have a key length greater than 1024 bits you’ll need to split up the data into chunks and paste it. Once you’re done just type “exit”. If you review the configuration for your device you’ll notice the full key isn’t stored – just what’s known as the “fingerprint” is stored:

Router#sh run | section ip ssh pubkey-chain
ip ssh pubkey-chain
  username admin
   key-hash ssh-rsa AA00BB11CC22DD33EE44FF55AA66BB77

Dig out your favourite SSH client (Putty, Secure CRT etc) and you’ll be able to SSH in using a public/private key-pair.
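As an added example (not from the original post), the script below prepares an OpenSSH RSA public key for the “key-string” prompt by extracting the base64 data and splitting it into chunks, and computes the MD5 fingerprint that appears as “key-hash ssh-rsa …” in the running configuration. The sample key is constructed from a small modulus for demonstration only; the chunk width of 254 and the fingerprint rule (MD5 over the base64-decoded key blob, shown as upper-case hex) are the commonly documented behaviour of this command, not values taken from the post.

```python
"""Prepare an OpenSSH RSA public key for IOS 'ip ssh pubkey-chain' and compute its key-hash."""
import base64
import hashlib
import struct
from typing import List


def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    """RFC 4251 'mpint': a leading 0x00 is added when the top bit would be set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_openssh_rsa_key(e: int, n: int, comment: str) -> str:
    """Assemble an 'ssh-rsa <base64> <comment>' line from e and n (constructed sample)."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def key_data(pubkey_line: str) -> str:
    """The base64 'data part' of the key, which is what gets pasted at key-string."""
    parts = pubkey_line.split()
    if parts[0] != "ssh-rsa":
        raise ValueError("IOS public-key authentication supports RSA keys only")
    return parts[1]


def chunks_for_key_string(pubkey_line: str, width: int = 254) -> List[str]:
    """Split the data so that no pasted line exceeds the IOS line limit (assumed 254)."""
    data = key_data(pubkey_line)
    return [data[i:i + width] for i in range(0, len(data), width)]


def ios_key_hash(pubkey_line: str) -> str:
    """Fingerprint as shown by 'show run | section ip ssh pubkey-chain' (assumed MD5, upper hex)."""
    blob = base64.b64decode(key_data(pubkey_line))
    return hashlib.md5(blob).hexdigest().upper()
```

Comparing the value from ios_key_hash against the key-hash stored on the router is a quick way to confirm the right key was pasted, since the router never shows the full key again.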


Setting up CloudFlare with WordPress


Over the last few weeks I’ve paid more and more attention to optimizing the performance of this website. As well as serving as a blog, this site is a great place for me to test techniques to keep on top of web optimization. The first thing I set up, some years ago, was Expires and Last-Modified headers to control content expiration on clients. The configuration for this is as follows:

ExpiresActive On
ExpiresDefault "access plus 1 seconds"
ExpiresByType image/x-icon "access plus 1 year"
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
ExpiresByType image/gif "access plus 1 year"
ExpiresByType font/ttf "access plus 1 year"
ExpiresByType font/woff "access plus 1 year"
ExpiresByType application/x-shockwave-flash "access plus 1 year"
ExpiresByType text/css "access plus 7 days"
ExpiresByType text/javascript "access plus 1 month"
ExpiresByType application/x-javascript "access plus 1 month"
ExpiresByType application/xhtml+xml "access plus 30 minutes"
ExpiresByType text/html "access plus 30 minutes"
Header unset ETag
Header unset Pragma
FileETag none

Because the Last-Modified header is sent, I then disable Entity Tags with the last three lines.

For some time, this configuration worked well, then I heard about CloudFlare. CloudFlare are a content delivery network (CDN) with a free offering.

CloudFlare take over DNS hosting – so you’ll need to point your nameservers to them and ensure that they have a copy of all DNS records for your domain. This process is painless and their setup process picks up a lot of common records just from querying your current nameservers. If you have a BIND compatible zonefile you can even upload it to make sure all records are migrated.

[Image: CloudFlare DNS]

Once you’re confident that the DNS records are as you’d like, login to your domain registrar and update your nameservers. I use GoDaddy for this domain, from the “My Account” page navigate to your domain and click “Manage” next to the “Nameservers” heading:

[Image: GoDaddy CloudFlare Nameservers]

Enter the nameservers CloudFlare assigned to you (rather than the ones I’ve used for my domain) and click Save. Once the change has propagated CloudFlare will be acting as a reverse proxy for your domain, caching content and delivering it from a geographic location closer to the visitor.

By default CloudFlare will cache content for a minimum of 4 hours; if you use Expires headers correctly they will obey those and cache for longer. They also provide the ability to minify CSS, JavaScript and HTML.

CloudFlare Savings

A week or two on from enabling CloudFlare, their free service has knocked about 100ms off my overall load time but also reduced bandwidth and total requests by about 50%. CloudFlare also provide threat detection and prevention services, though I’m not clear on how accurate their statistics are as the numbers do seem unusually high. It’s certainly something I’ll continue to monitor.

The post Setting up CloudFlare with WordPress appeared first on Dave Hope.

Falling from 10ft hurts

I’ve written quite a lot of late about Cisco equipment, Windows servers and Website Optimization. I wanted to take a break and write up a recent rock climbing accident I was unfortunate enough to have.

A group of friends and I were climbing at Worth Matravers, we arrived fairly early (10am) and had a successful morning. I had led two routes and friends proceeded to top rope them. We had all struggled on route two on our last visits so it was a real buzz leading it on my first attempt that day. The third route we attempted was a tricky overhanging route with lots of loose rock. After a few failed attempts each we decided to move onto a fourth route.

The new route had a tricky start, the bolts were more spaced out than most of the other routes. It was probably 10ft to the first bolt and the same again to the second. A friend attempted the route before me and had clipped the first bolt but been unable to climb higher. I was one of the last to attempt it and reached the first bolt. Trying to move on and up to the second bolt I found myself unable to, looking down my shoe had got caught in the quickdraw.

For those unfamiliar with climbing shoes, they typically have a loop on the heel to allow you to pull the shoe off. This loop had somehow become clipped into the quickdraw on the first bolt. Holding on, I tried to wiggle my foot in such a way as to un-clip. I failed. After a few attempts I called out calmly “Guys, my shoe has got clipped to the draw”.

I managed to bend my shoe back in such a way that half of my foot was out of the shoe. Because of how tight climbing shoes fit I just couldn’t get my foot out. I called out again, a little more concerned this time “Guys, Help”.

At that point, I was focusing on holding on as much as getting my foot free. My arms were pumped and I was rapidly depleting finger strength. One of the friends, Simon, began to climb up to try and help. He managed to get his hand on my shoe. At that moment, I fell.

Falling. It’s an unusual feeling. For a split second I was aware of the cliff passing by very quickly. And then a loud crack as my helmet hit the rock covered ground. I was dazed for a second or two and then aware of friends standing around. Kane instructed another friend, Bill, to untie me. I started wiggling fingers and toes to check they worked. They did.

I lay there for a few minutes to make sure I was OK. Simon had me wiggle my fingers again to make sure I was actually wiggling them, and checked I wasn’t bleeding from under my helmet. I didn’t consider for a moment that just because I thought they were moving that they might not be. I asked for water and spilt most of it over my t-shirt. Looking at the cliff that had claimed my pride, my shoe was still attached.

I eventually stood up, with help, and removed my harness and helmet. Thankfully, aside from being sore I was able to walk out.

A day or so later I decided to go and visit a doctor. I had some back pain and was advised to get it checked out. I broke a rib or two (the doctor said there was no point doing an x-ray as they can’t do anything anyway). In hindsight, I should have gone straight to Accident & Emergency to get checked out.

I’m still figuring out how to prevent this happening again, in the mean time the loops on my shoes have been closed up and I’ll likely buy a pair of Velcro shoes next time.

The post Falling from 10ft hurts appeared first on Dave Hope.

Using Squid and Juniper PBR as a transparent proxy

Organisations can use proxy servers for various reasons: to restrict access to certain content, to cache web pages and reduce internet traffic. Whatever the reason, various approaches can be used:

  • Explicitly specify a proxy server in applications such as Internet Explorer
  • Use Proxy auto-config
  • Transparently force HTTP traffic through a proxy server

This blog post will focus on the last option, transparently routing traffic through a proxy server. There are some disadvantages to this approach:

  • Authentication can’t be performed on a per-user basis, as the web browser is unaware that its traffic is being sent through a proxy server
  • SSL/TLS traffic can’t be sent through the proxy without performing a man-in-the-middle interception of all HTTPS connections, which in turn requires the client computers to trust a custom CA

Once implemented, this will look something like the following:

Squid Policy Based Routing

The below steps assume you already have a Debian/Ubuntu server installed with a single interface. A Juniper ScreenOS based router will be used to setup policy based routing (PBR). The example in this blog post uses the following network addresses:

Corporate network: 192.168.168.0 /24
Corporate network gateway: 192.168.168.254
Trust (Internal) interface on firewall: ethernet0/0
Untrust (External) interface on firewall: ethernet0/2
Proxy server address: 192.168.168.253

Squid 3 installation and configuration

The latest version of Squid 3 (at the time of writing) is capable of acting as a transparent proxy server. To install on either Debian or Ubuntu execute the following command as root:

# aptitude install squid3

Once installed, a single-word change is needed to the default configuration file. Add the keyword “transparent” to the http_port line in /etc/squid3/squid.conf (newer Squid 3 releases spell this mode “intercept” and treat “transparent” as a deprecated synonym; either way Squid will not authenticate clients on this port, which is the first limitation listed above):

http_port 3128 transparent

Configure IPTables

We’ll be using the ScreenOS device to forward traffic to our Linux server and need to use iptables to accept that traffic and hand it to Squid. A rule in the nat table’s PREROUTING chain rewrites the destination port of HTTP traffic arriving on eth0 to Squid’s listening port (Squid recovers the original destination from the NAT table, which is why the rule must be REDIRECT rather than a plain DNAT to another host):

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Don’t forget to save your updated firewall rules (iptables-save > /etc/iptables.rules). Because the rule only matches traffic arriving on eth0, the proxy’s own outbound requests are not redirected back into Squid; do still make sure port 3128 is filtered from any untrusted network, or Squid becomes an open proxy. To ensure the rules are loaded at startup, add a pre-up line to the eth0 stanza in /etc/network/interfaces:

# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.168.253
netmask 255.255.255.0
gateway 192.168.168.254
pre-up iptables-restore < /etc/iptables.rules

Juniper Netscreen configuration

Policy Based Routing (PBR) will be used to re-route traffic destined for the internet to our internal Squid proxy server. To make use of this functionality you must be running ScreenOS 5.4 or later.

In our scenario we want to route outbound HTTP traffic from our corporate LAN to an internal server.

Extended ACLs

Extended ACLs match traffic based on IP addresses and ports. Each ACL can contain multiple entries for different ports or addresses. The command below creates an ACL that matches outbound HTTP traffic from the corporate network.

set access-list extended 10 src-ip 192.168.168.0/24 dst-port 80-80 protocol tcp entry 10

We also need to create an ACL so that our proxy server traffic doesn’t get routed back to itself.

set access-list extended 20 src-ip 192.168.168.253/32 dst-port 80-80 protocol tcp entry 20

Match Groups

A match group is a collection of one or more extended ACLs with a human-readable name. Create a match group named “Proxy” whose entry 10 references our extended ACL 10.

set match-group name Proxy
set match-group Proxy ext-acl 10 match-entry 10

We need to create another match group so that we can exclude systems from being routed through the proxy.

set match-group name DirectHTTP
set match-group DirectHTTP ext-acl 20 match-entry 20

Action Groups

Action groups are a set of instructions for what some traffic should do next. When multiple actions are available the first is always used. Create an action group which routes traffic to the proxy server on our internal network.

set action-group name Proxy
set action-group Proxy next-interface ethernet0/0 next-hop 192.168.168.253 action-entry 10

We now need to create another action group that routes traffic as it would do normally:

set action-group name DirectHTTP
set action-group DirectHTTP next-interface ethernet0/2 action-entry 10

Policy

A policy combines what we’ve created so far. When no policy entry is matched the normal routing tables are used. Create a new policy named “Proxy” with two entries. The first entry is used for direct traffic that should bypass the proxy, the second routes traffic through the proxy. The order matters: the proxy’s own outbound HTTP is also sourced from 192.168.168.0/24, so if the Proxy entry were evaluated first that traffic would be handed straight back to the proxy and loop.

set pbr policy name Proxy
set pbr policy Proxy match-group DirectHTTP action-group DirectHTTP 10
set pbr policy Proxy match-group Proxy action-group Proxy 20
exit

The final step is to apply the policy so that it takes effect. Bind it to the “Trust” interface, where the client traffic enters the firewall:

set interface ethernet0/0 pbr Proxy

And there you have it, your outbound HTTP traffic is now being silently routed through a proxy server.
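
As an added example that is not part of the original post and not ScreenOS code, the Python below models the objects built above (extended ACLs, match groups, action groups and the ordered policy) with first-match semantics and evaluates sample packets against them. Addresses, ACL numbers and group names are the post’s; the sample packets, the MISORDERED policy and the function names are constructed here to show why the DirectHTTP entry has to come before the Proxy entry.

```python
from ipaddress import ip_address, ip_network

# Extended ACLs from the post: ACL id -> entries of (source network,
# destination port range, protocol).
ACLS = {
    10: [("192.168.168.0/24", (80, 80), "tcp")],    # corporate LAN -> HTTP
    20: [("192.168.168.253/32", (80, 80), "tcp")],  # the proxy's own HTTP
}

# Match groups reference ACLs; action groups say where matching traffic goes.
MATCH_GROUPS = {"Proxy": [10], "DirectHTTP": [20]}
ACTION_GROUPS = {
    "Proxy": {"next_interface": "ethernet0/0", "next_hop": "192.168.168.253"},
    "DirectHTTP": {"next_interface": "ethernet0/2", "next_hop": None},
}

# The pbr policy "Proxy": (sequence, match group, action group), evaluated in
# sequence order, first match wins.  POLICY is the order the post uses;
# MISORDERED (constructed) swaps the sequence numbers.
POLICY = [(10, "DirectHTTP", "DirectHTTP"), (20, "Proxy", "Proxy")]
MISORDERED = [(10, "Proxy", "Proxy"), (20, "DirectHTTP", "DirectHTTP")]


def entry_matches(entry, pkt):
    """True if one extended-ACL entry matches a packet dict (src, dport, proto)."""
    src_net, (lo, hi), proto = entry
    return (
        pkt["proto"] == proto
        and lo <= pkt["dport"] <= hi
        and ip_address(pkt["src"]) in ip_network(src_net)
    )


def pbr_lookup(pkt, policy=POLICY):
    """Return the action group for the first policy entry whose match group hits,
    or None when nothing matches (the firewall then uses its routing table)."""
    for _seq, match_group, action_group in sorted(policy):
        for acl_id in MATCH_GROUPS[match_group]:
            if any(entry_matches(e, pkt) for e in ACLS[acl_id]):
                return ACTION_GROUPS[action_group]
    return None


def next_hop(pkt, policy=POLICY):
    """Where a packet goes: the proxy address, the untrust interface, or the routing table."""
    action = pbr_lookup(pkt, policy)
    if action is None:
        return "routing-table"
    return action["next_hop"] or action["next_interface"]


def creates_loop(policy):
    """True if the proxy's own outbound HTTP would be handed back to the proxy."""
    proxy_pkt = {"src": "192.168.168.253", "dport": 80, "proto": "tcp"}
    return next_hop(proxy_pkt, policy) == "192.168.168.253"


if __name__ == "__main__":
    client_http = {"src": "192.168.168.10", "dport": 80, "proto": "tcp"}
    client_https = {"src": "192.168.168.10", "dport": 443, "proto": "tcp"}
    print("client HTTP  ->", next_hop(client_http))
    print("client HTTPS ->", next_hop(client_https))
    print("loop with post's order:", creates_loop(POLICY))
    print("loop with swapped order:", creates_loop(MISORDERED))
```

HTTPS falls through to the routing table because no ACL mentions port 443, which is the second limitation listed at the top of the post; it also means a client that talks HTTP on a non-standard port is never proxied, so the ACL port ranges are worth reviewing against what you actually want filtered.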

The post Using Squid and Juniper PBR as a transparent proxy appeared first on Dave Hope.

VMware Certified Associate (VCA) Exam

Last week I was browsing the VMware website in an attempt to figure out the certification paths available when I noticed some new certifications had launched: VMware Certified Associate. The associate certification sits at the very start of the certification route and is available as an online exam, with no need to head to a testing centre.

VMware offer the associate certification in four flavours:

  • Cloud (VCA-Cloud)
  • Data Center Virtualization (VCA-DCV)
  • End User Computing (VCA-WM)
  • Network Virtualization (VCA-NV)

The most relevant for me is the Data Center Virtualization certification. After registering on the VMware website I sat through the three-hour training course. The first part of the course is a high level overview, before part two which covers the VMware products available and the business problems they help solve.

VMware Certified Associate Data Center

The final part of the training, module 3, touches on the technical side of things: what’s required for HA, FT, DRS etc. and the features you get in different vSwitches. The last module also introduces you to the extra products VMware offer such as vCenter Operations Manager. The course seemed straightforward, especially for anyone who has used vSphere before; for anyone not already familiar with these products it’s just a case of committing facts to memory. One that caught me out was the introduction of the vSphere Storage Appliance.

After looking over the exam blueprint I decided to dig out my Pearson VUE account and book the exam. VMware are offering a voucher code to sit the exam for free before the end of September. Enter discount code VCA501 when you schedule your exam at Pearson VUE to take it for free.

The exam itself consists of 50 questions which you must answer within 75 minutes (More than enough time). From my experience I’d say that 60% of the exam is covered in the on-line course, which product to use to solve which business problem. Knowing the basic requirements is important too (shared storage for HA etc). Make sure you’re familiar with what a vSwitch is and the functionality available.

The other questions in the exam are a little bit more tricky, covering stuff that you’re expected to know from experience using vSphere. More than that I probably can’t say without breaking the VMware non disclosure agreement. Good luck with your certification process.

The post VMware Certified Associate (VCA) Exam appeared first on Dave Hope.

Outlook error 0x8004011d during Send/receive

When using Microsoft Outlook (2007 or 2010) to automatically initiate a dial-up connection you may receive error 0x8004011d during the Send/Receive process. This problem occurs under Windows 7 when all network adapters are disconnected. Windows XP and earlier are not affected.

Outlook Connection Manager, which controls the outlook state (Disconnected, Connected or Offline), believes there is no connectivity to the Exchange server even once a dial-up connection is made. Eventually error 0x8004011d is reported.

The workaround is to ensure there is another network adapter connected, even if it has no connectivity to Exchange or other networks. This could be a Windows loopback adapter or an RJ45 loopback jack plugged into a network adapter. Alternatively manually initiating the dial-up connection before launching Microsoft Outlook will bypass the problem.

This bug has been acknowledged by Microsoft but, given that it only affects dial-up connections and is not a security or data-loss bug, it has been decided that it won’t be fixed. Outlook 2013 removed support for automatically initiating a dial-up connection so this error no longer applies there.

The post Outlook error 0x8004011d during Send/receive appeared first on Damn Technology.

My historical Linux desktop experience

Valve Software, a popular game developer and distribution company, have recently released a beta version of their own Linux distribution named SteamOS. Whilst SteamOS is designed to be a gaming-only OS, it will no doubt encourage game developers to release games with Linux support. The release of SteamOS got me thinking about my past experiences with using Linux on the desktop and I decided to write them up.

Part I – The Miracle of Birth (2001-2003)

At some point in 2001 I installed Linux for the first time, my school had a copy of SuSE Linux Professional 7.3 that I was allowed to borrow for the night. From memory it was perhaps as many as 7 CDs. Even back then the installer would happily partition your disk and set up LILO (GRUB became more popular later on). Dual booting Linux and Windows 2000 was straightforward, even for someone who had no prior Linux experience.

SuSE 7.3 Discs
Compared to other popular distributions at the time (RedHat, Slackware and Mandrake) SuSE came with a handy configuration tool in the form of YaST. For someone without any Linux experience this meant I could configure X (using SaX2) and some other bits. Reminiscent of the Windows control panel, it made getting things up and running very straightforward.

The first hurdle I had to overcome was getting internet access. At the time I was an AOL subscriber for dial-up internet access. AOL provided freephone numbers for a fixed monthly fee compared to other ISPs who would charge by the minute. Unfortunately AOL implemented their logon process using a proprietary protocol, making getting internet access without their Windows-only software near impossible. Thankfully software was available from the community in the form of PengAOL; getting it to work was something I never accomplished.

My internet access was made even more difficult by the fact the PCI modem I had was what was referred to as a WinModem, this was essentially a device that relied on the operating system to do much of the legwork. They were not supported under Linux at the time and probably aren’t today. I persisted with Linux, but relied on Windows for all internet access.

At the time I was using KDE 2 for my desktop environment which provided a friendly experience comparable to that of Windows, if not superior. When KDE 3 RPMs became available for SuSE I downloaded them in Windows and copied them across for installation. I would spend far too long customising the appearance of the desktop to my liking.

KDE2 running on SuSE

Part II – Growth and Learning (2004-2008)

In 2004 I signed up for broadband, I had a whopping 0.25Mbps connection. I had a Speedtouch 330 USB modem which Linux drivers were available for. For the first time, I was connected to the internet under Linux. I spent a lot of time trying out different window managers (KDE, Gnome, Blackbox, e16 etc) and even some different distributions. A UK based company would burn a distro to CD and post it to you for a few pounds, ideal. I tried Mandrake, Fedora Core and others I’ve since forgotten.

As a teenager I loved playing games, initially relying on Wine before using a combination of Wine, Crossover Office and WineX (later to become Cedega). Of all the game companies, id Software were brilliant at releasing Linux versions of their games shortly after mainstream release for Windows. As such, I spent a lot of time playing Return to Castle Wolfenstein, Doom III and others. In 2004 I was involved in the beta testing of “Cold War”, a Splinter Cell-esque game for Windows, Mac and Linux developed by Dreamcatcher Games. I was starting to believe that gaming on Linux was really picking up, and the year of the Linux desktop couldn’t be far away.

XFCE Desktop (2004)

When not playing games I would try and teach myself 3D modelling using Blender, post-processing using GIMP and programming in PHP. If it weren’t for Linux I almost certainly wouldn’t have picked up a handful of programming languages before finishing school.

64-bit Linux was taking off, which brought with it a new round of challenges. Getting 64-bit Flash to work was difficult due to the binary-only release from Adobe. The same was true of some proprietary video codecs used by MPlayer for video playback.

In 2005 I finished full time education and started work for a software house managing their Windows network. I ran Gentoo at home and deployed a few Linux servers at work (mostly firewalls and proxy servers running Debian).

To begin with I attempted to rely on Linux as a desktop at work, however at the time Evolution (Gnome’s e-mail client) was somewhat clunky compared to Outlook and many of the tools I needed simply wouldn’t run under Linux. Reluctantly I would end up using Windows at work.

Still interested in Linux I attended FOSDEM in 2006 with the Hampshire LUG and became even more attached, the talks on Asterisk and Compiz were mind blowing. I came home with ideas for great projects. And a hangover.

Gnome Desktop (2006)

Between 2007 and 2009, I used Linux as my desktop OS running Gentoo and XFCE as my desktop environment of choice. I’d stopped playing games and spent a lot of time developing applications as a learning exercise, mostly in PHP but also Java, C++ and C# (Mono).

Part III – Fighting Each Other (2009)

In early 2009 I began working on a C++ application to recover license keys from Windows computers. Born out of a requirement at work, it began to consume a great deal of my free time. To begin with GCC and MinGW were fine, but manually creating resources for WinForms and the fact some APIs were missing meant I needed a Windows development environment for the application I was writing.

Reluctantly I switched to Visual Studio for my development. Within a few months I’d left Linux behind and was once more a Windows user. I would continue to run Linux on a personal webserver, and for a home-theater PC. But it was lost as a desktop operating system.

The Middle of the Film

I’m out of touch with desktop Linux. XFCE looks to have matured well since 4.2.0 and I’m sure many of the applications I was used to have also matured. I just hope Flash support has come a long way. Due to spilling coffee over my laptop it’s time to invest in a new computer and I plan on giving desktop Linux another try. Over the next few weeks I plan to blog about my experiences, watch this space.

The post My historical Linux desktop experience appeared first on Damn Technology.


Symantec Endpoint Protection Database Size

When configured to use MSSQL, SEP stores data in the “sem5” database. Depending on retention settings this can grow to a significant size. Revisions of virus definitions and installation files are stored in the dbo.BINARY_FILE table. Don’t alter this directly; instead use the SEP Management web interface.

To review the number of definition revisions kept:

  1. Login to SEP Management
  2. Click “Admin”
  3. Click “Servers”
  4. Right-Click “Local Site” and select “Edit Site Properties”
  5. Click the “Live Update” tab

The default “Number of content revisions to keep” is 3.

To review the client installation packages stored:

  1. Login to SEP Management
  2. Click “Admin”
  3. Click “Install Packages”
  4. Click “Client Install Packages”

Normally there will be 3 installation packages (Windows x86, Windows x64 and an OS X package). To remove any you don’t need, right-click them and select “Delete”.

Once you have made any changes, to recover the space from the filesystem you will need to shrink the database:

DBCC SHRINKDATABASE( sem5, 10)

Depending on the space being recovered this may take a while to complete. Shrinking also fragments the database’s indexes, so rebuild or reorganise them afterwards and treat this as a one-off rather than a scheduled job.

The post Symantec Endpoint Protection Database Size appeared first on Damn Technology.

Cisco breaks compact flash cards

A colleague of mine has recently been buying Cisco branded CF cards from eBay. At first it seemed like he was just unlucky, each card that arrived would die once plugged into a router. Some further digging yielded something quite different. Whenever a CF Card was plugged into a router it would die, but would work fine in Windows prior to that. The cards had the following on their identification sticker:

CCE256MCDS1MB11H
CIS00-01557-1E4CH
091020-P01-003

Through a process of elimination it seems that ROMmon on a Cisco 2800 series router is killing these cards. In particular, devices running ROMmon equal to or newer than 12.4(13r)T5 kill them:

System Bootstrap, Version 12.4(13r)T11, RELEASE SOFTWARE (fc1)


If you choose to open up the CF card, you’ll notice it’s manufactured by a company called SimpleTech and re-branded as a Cisco card:

SimpleTech CF Card

So there you have it, not all CF cards are created equal. Unfortunately once a CF card has been killed by ROMmon, it seems there’s no way to undo what has been done.

The post Cisco breaks compact flash cards appeared first on Damn Technology.

Get latest installed update with PowerShell

Assuming you have an array of computers (be it from LDAP or otherwise) you can quickly enumerate them using the WMI Win32_QuickFixEngineering class to check the most recently installed hotfix. Note that from Windows Vista onwards this class only lists updates applied through Component-Based Servicing (CBS), so updates for applications that use their own installers will not appear.

Whilst WSUS will likely provide much of this functionality for those using it, this may still prove useful to some.

# Computers to query; swap in the output of an LDAP/AD search if you have one
$compList = "LONDON", "BRISBANE"
$ErrorActionPreference = "Stop"
$tblResults = New-Object System.Data.DataTable "Results"

$colA = New-Object System.Data.DataColumn ComputerName, ([string])
$colB = New-Object System.Data.DataColumn LastHotFixID, ([string])
$colC = New-Object System.Data.DataColumn LastUpdated, ([string])

$tblResults.Columns.Add( $colA )
$tblResults.Columns.Add( $colB )
$tblResults.Columns.Add( $colC )

foreach ($computer in $compList)
{
	try
	{
		# Drop the "File 1" placeholder entries and any update without an
		# install date (slipstreamed updates have none), then keep the newest
		$latestUpdate = Get-WMIObject -Class Win32_QuickFixEngineering -ComputerName $computer -Filter "HotFixID != 'File 1'" | ? {$_.InstalledOn} | sort InstalledOn | select -last 1
		if (-not $latestUpdate) { throw "no dated updates found" }
		$newRow = $tblResults.NewRow()
		$newRow.ComputerName = $computer
		$newRow.LastHotFixID = $latestUpdate.HotFixID
		$newRow.LastUpdated = "{0:dd/MM/yyyy}" -f [DateTime] $latestUpdate.InstalledOn.Date
		$tblResults.Rows.Add( $newRow )
	}
	catch
	{
		# Host unreachable, RPC blocked by a firewall, access denied or no dated updates
		Write-Warning "$computer : $_"
	}
}
$tblResults

Save the above to a file with the “ps1” extension and adjust the $compList variable to contain the computers you wish to scan.

The only oddity I’ve discovered is that if the updates are slipstreamed into the installation WIM they do not have an install date associated with them.

The post Get latest installed update with PowerShell appeared first on Damn Technology.

What’s holding back desktop Linux

In December last year I wrote-off my laptop by pouring coffee over it. After hunting for a suitable replacement I ended up with a Lenovo X230 sporting 8GB ram and a speedy SSD. I decided it would be a good time to revisit Desktop Linux. As someone who’s used Linux on and off as a desktop OS for about ten years now, I thought I’d discuss what I consider to be its pitfalls.

Openbox under Arch Linux

As a previous Gentoo user I enjoyed using Arch. It provided similar levels of flexibility without the requirement to compile everything. For Linux users who want to try something more involved I’d definitely recommend it.

In terms of what I see as the current areas holding back desktop Linux, they are as follows.

Fonts

Many Linux distributions rely on open-source versions of fonts rather than the fonts used by Windows or OS X. Fonts such as Verdana, Tahoma and Comic Sans MS are proprietary and require a license agreement for use, which makes it difficult for Linux distributions to ship them by default.

Older versions of some of the fonts are available. Back around the year 2000 Microsoft released these under what they called the “Core Fonts” program, allowing these to be redistributed under certain circumstances. Unfortunately due to some violations of the license Microsoft ceased the program, as a result newer versions of the fonts that feature “hinting” and other advances in rendering are not available to Linux users.

This problem is compounded by poor default rendering of fonts by FreeType under Linux; they seem to lack the smoothness available on other platforms. Some projects, such as Infinality, address this by providing patches to improve font rendering.

Suggestion: Petition Microsoft to restart the “Core Fonts” program they had back in 2000 that allowed for redistribution of fonts.

Multi-Monitor

Plug & Play support with docking stations and monitors is clumsy. Today I expect to be able to just dock my laptop and have it automatically switch to external displays. Linux has a few multi-monitor options but none of them seem to “just work” when switching between mobile and docked.

Suggestion: Make switching seamless. Xfce monitor configuration helps with this but remembering previous settings and restoring them should be easy. (I didn’t get round to testing with KDE or Gnome, so they may have solved this).

Widget Sets

One of the many strong points Linux has is flexibility. Components have traditionally been written so that they can be swapped out and replaced. In my view this is also its weakness.

A traditional Linux desktop may consist of the X.Org display server running either the Gnome or KDE desktop environment. Unfortunately for the end user, these desktop environments use different sets of APIs (widget toolkits) for drawing buttons and other elements on the screen.

If a developer chooses to write their application using the GTK toolkit (for the Gnome/XFCE desktop environment) the application is likely to look out of place on a desktop that uses KDE for other widgets. This problem gets worse when you take in Windows-Compatibility layers such as wine and mono, which draw widgets in a windows classic appearance.

Binary Packages

Applications such as Citrix Receiver are only available as a binary for certain distributions. In order to be easily installable they must be repackaged, often breaking their terms and conditions, which prevents them being included in out-of-the-box software repositories such as those used by apt, pacman and emerge. If these break at some point, and the packager no longer maintains them, getting things working again is a real pain.

Suggestion: Ideally software vendors should be more liberal in their repackaging rights, though I find this unlikely to happen.

In summary

I was pleasantly surprised with how far some Linux apps have come along. There are genuinely capable replacements for many Windows applications such as Adobe Lightroom, Steam and others. It appears as if gaming on Linux is still gaining traction and more developers are coming online with support.

For desktop computers, I say go for it. Give Linux a try and you’ll probably get on fine. For portable devices however, it takes some work to get a usable environment.

The post What’s holding back desktop Linux appeared first on Damn Technology.

Brocade Java Problems

Brocade Fibre Channel switches running Fabric OS, in particular the DS-300B switches, suffer from problems when trying to make use of the web-based Switch Explorer. This usually results in an error something like the following:

The version of Java plugin needed to run the application is not installed. The page from where the plugin can be downloaded will be opened in a new window. If not, please click here: Download correct Java version.

One solution is to install Java 1.6, which is now outdated and not receiving security updates. A better approach is to use Java 1.7 and simply bypass the version check. This can be achieved by visiting the following URL:

http://IP ADDRESS/switchExplorer_installed.html

You will need to make sure the URL is added to either the Local Intranet or Trusted Sites zone in internet explorer for this to work. Unfortunately this solution will only work with Java 1.7, Java 1.8 introduces some additional security requirements which I’ve not looked into yet.

The post Brocade Java Problems appeared first on Damn Technology.
