2014-11-27

27" iMac mid 2010: the hard drive failed, replacing it with a Crucial MX100 256GB.



A couple of challenges to overcome:

1) Will you be able to do the change?

Yes, really quite easy.

2) What disk will work?

Almost any modern SATA drive.

3) Should I use an SSD?

Definitely, but...

I prefer Crucial m550, mx100 or Samsung Evo and the like.

4) What other things should I know?

The thermal sensor should be shorted.
2.5" to 3.5" bracket for the SSD.
Bootable Yosemite USB stick.
Enable TRIM.

Here is the same in a longer form:



1) Will you be able to do the change (27" iMac mid 2010)?

Absolutely. It is even easier than on the old white iMac that I had to do before.

Here is the basic procedure as described by ifixit:


2) What disk will work?

Seems to be easy: any current 3.5" or 2.5" HDD or SSD. A 2.5" drive needs a bracket if you don't want to tape it to the computer as I did.

There are many resources for finding out which one you want based on some criteria.

3) Should I use an SSD?

Definitely, as the OS will benefit tremendously; I could not live without it. But then comes the question of size.

Currently 128GB is around $80. 256GB is around $115 to $140. 512GB is around $205 to $250 and 1TB is around $470.

I personally really like the idea of the Fusion Drive that the new iMacs come with. I have a 500GB photo library, and an SSD would be a waste for it as well as for my movie collection.

If I really wanted to do movie editing and heavy-duty work then I'd always go for a traditional HDD RAID 10 configuration.

SSD drives come in many flavors and the real heavy-duty drives cost too much, and you should not fill them beyond something like 75 percent. Do not do constant deletes and writes.

So I would suggest going for 256GB as the price is right; more than that, i.e. more than 150GB, will not be necessary for your basic needs. If you have the money then the 512GB is worthwhile, and for those who really do not want another disk, go for 1TB and then replace the computer when that one fails.

4) What other things should I know?


The thermal sensor should be shorted, i.e. use a short piece of copper cable, twist it, bend it into a small U-form and then connect it into the two sockets of the small connector (see the iFixit guide to identify which sensor). Use clear tape to cover it and you're good to go.

Don't forget your 2.5" to 3.5" bracket to mount the SSD.

Create a bootable Yosemite boot stick: http://osxdaily.com/2014/10/16/make-os-x-yosemite-boot-install-drive/

Make sure to check for TRIM: http://www.mactrast.com/2013/11/enable-trim-ssds-os-x-mavericks/

2014-11-25

Mobile Phone shootout: iPhone 5 (iOS 8.1.1), Nokia Lumia 830 DS (WP8.1), Motorola Moto G (KitKat 4.4.4) (developing article)

Well, to be honest, I do like to run around with three mobile phones at the same time and I also like to get my notifications and messages three times. That's just me.

I did not purchase the iPhone 6 as it was not really convincing, and then I saw the Nokia Lumia at $90 with Dual SIM and a superb CPU. I took the liberty and bought it on the spot. There are some great articles about the 530 and they are correct: it is the perfect phone for the price you pay. (Warning: the display is really old tech and will not be eye-pleasing for most.) I actually thought a whole lot about the purchase, whether it's worth it and why not go for the 630 DS at $140; that one actually has that much more to offer and is still cheap.

Then came Lollipop and I was convinced that I should try an Android phone again. I really despised my Nexus 7; long gone.

My son wanted to switch back to an iPhone, so he got the old 5 from my wife and I took the liberty to use his Samsung Galaxy S4. (Boy, was that a mistake, for what's coming.) I erased everything and started from scratch and used his 4.4.4 with all possible Google that I could get, including the Google Now launcher. You cannot believe what Android 4.4.4 with all Google and the newest versions of their apps do to you. You actually start liking Android again! It's funny, colourful and a bit lame, yes. It still feels Androidish. Then my daughter asked for it and I had to give it away. Anyway, that was good, since the real goal has been to spend the least amount of money to get a decent Android phone that is capable of running Lollipop, i.e. will get it as soon as possible.

I never completely lost track of the Android phones and was actually mildly interested in the Nexus 5, as this phone has proven its worth. Many of my colleagues had it and were super happy; that was until they touched the HTC M8, and since then that's their phone du jour. There was another phone, the OnePlus One, but that was resold pretty quickly, and some people eye the Xiaomi but have not purchased it. So one phone stood out, not the Huawei cheapskate d

2014-11-20

Windows built-in troubleshooting tools and basic example

For each tool: number, name, protocol, TCP/UDP ports, example command, description and comments.

1) ping - ICMP - ports: NA

   ping 1.1.1.1

   ICMP echo and ICMP reply between both end systems.
   Can be used to test the MTU with additional parameters:

   ping -f -l 1472 destIP

   This will try to send the packet with MTU 1500:
   1472 + 8 ICMP header + 20 IP header = 1500
   Reduce 1472 to a lower number if you get errors, until you reach the number that works.

   (Linux uses UDP ports in the range of 30'000 to 33'000 and needs to be forced to use ICMP:
   ping -M do -s 1472 -c 1 destIP)

2) tracert - ICMP - ports: NA

   tracert -d 1.1.1.1

   ICMP echo with increasing time to live; starts with 1 and usually ends at 30.
   Every system on the way to the end system should return a Time to live exceeded message, and therefore you will be able to identify the IP of each machine in the path.
   If the end system does not respond, the tool will continue to present up to 30 entries, all with ****.

   (-d does not resolve DNS names, which can take longer. For troubleshooting it is better to start with -d and then, if you need the names, rerun or do a DNS lookup individually for the ones you want.)

3) telnet - TCP - any port

   telnet 1.1.1.1 3389
   telnet 1.1.1.1 389

   Can be used to test TCP on specified ports.
   Somewhat dangerous, as without a network trace it can be misleading whether it really worked or not.
   The expected behavior is that you connect, the content of the screen is erased and you have a blinking cursor in the top left corner. To end the session you sometimes have to quit cmd completely.

4) nslookup - UDP (+ TCP) - port 53

   nslookup 1.1.1.1 2.3.4.5
   nslookup system.com. 2.3.4.5

   Can be used to query a DNS server; the default is a UDP connection.
   The first parameter is the label, which can be an IP or a DNS name. Use the FQDN with the . at the end, then it will only do 2 queries instead of x (based on the search suffixes).
   The 2nd parameter is the DNS server you want to test.
   If you are not doing a zone transfer and the answer is less than 512 bytes (usually all single client queries are), then it's always UDP, otherwise it can be TCP.

5) net view - TCP - port 445

   net view \\1.1.1.1

6) nbtstat - UDP - port 137

   nbtstat -A 1.1.1.1

7) netsh

   netsh trace start capture=yes persistent=yes tracefile=c:\temp\capture.etl

   Do your tests and then stop:

   netsh trace stop

   The file can then be analyzed with Microsoft Message Analyzer.
   The directory used in tracefile= must exist before you can start.

8) procmon

    • Start the tool,
    • immediately click on the magnifying glass icon,
    • then disable everything except the network button,
    • under advanced select drop filtered events,
    • add filters such as path contains 127.0.0.1 exclude.

   This tool is not installed by default and must be downloaded from live.sysinternals.com; it is an official Microsoft tool now.
   If you don't stop the collection and configure the settings, the tool will respond very sluggishly at best.

9) Message Analyzer

   Microsoft network analysis tool (comparable to Wireshark).
   Very important: it captures traffic before it hits the Windows firewall, whereas Wireshark will not see the packets if they are blocked by the Windows firewall.
   On Windows, packet captures can be created without installing any software.

10) QRadar

   Use the Netflow tool to verify whether packets travelled, in which direction, etc.
   Under Network Activity you'll be able to see the flows in real time.

11) hfs

   Not installed by default; a small executable that is an HTTP server for download and upload.
   Used to upload captures to my client for analysis.

So a test series should look something like this:

  • ipconfig /all on both
  • route print on both
  • ping
  • tracert
  • telnet (must be added, usually can be done without installation path/dvd, just add feature)
  • net view
  • nbtstat
  • nslookup
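As an added example (not part of the original post), here is a scripted replacement for the telnet steps of this series: a plain TCP connect that tells a refused connection (host reachable, nothing listening) apart from a silent timeout (packets dropped on the way), which a hanging telnet screen cannot. The labels A and B and the 192.0.2.x addresses are placeholders; the self-test runs against loopback only.

```python
import socket
from typing import Dict, Iterable, Tuple

def tcp_check(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect to one TCP port and return 'ok', 'refused', 'timeout' or 'error: <reason>'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "ok"              # three-way handshake completed, same as telnet's blank screen
    except ConnectionRefusedError:
        return "refused"             # the host answered with a reset: reachable, nothing listening
    except socket.timeout:
        return "timeout"             # SYN silently dropped: typical for a firewall in the path
    except OSError as exc:
        return f"error: {exc.strerror or exc}"   # e.g. no route to host

def run_series(targets: Dict[str, str], ports: Iterable[int] = (3389, 445, 389),
               timeout: float = 3.0) -> Dict[Tuple[str, int], str]:
    """Check every (target, port) pair; targets maps a label such as 'A' to its IP."""
    return {(label, port): tcp_check(ip, port, timeout)
            for label, ip in targets.items() for port in ports}

def failures(results: Dict[Tuple[str, int], str]) -> Dict[str, list]:
    """Group everything that is not 'ok' per target, so a one-sided problem stands out."""
    bad: Dict[str, list] = {}
    for (label, port), status in results.items():
        if status != "ok":
            bad.setdefault(label, []).append((port, status))
    return bad

def report(results: Dict[Tuple[str, int], str]) -> str:
    """Render results in the same 'target port status' shape as the test protocol below."""
    return "\n".join(f"{label} {port} {status}" for (label, port), status in sorted(results.items()))

def self_test() -> Dict[str, str]:
    """Exercise tcp_check offline against loopback: one listening port, one with no listener."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        listening = tcp_check("127.0.0.1", srv.getsockname()[1], 1.0)
    with socket.socket() as tmp:          # grab a free port number, then release it
        tmp.bind(("127.0.0.1", 0))
        free_port = tmp.getsockname()[1]
    return {"listening": listening, "closed": tcp_check("127.0.0.1", free_port, 1.0)}

if __name__ == "__main__":
    # Placeholder addresses (TEST-NET-1); substitute systems A and B from your own matrix.
    res = run_series({"A": "192.0.2.10", "B": "192.0.2.20"})
    print(report(res))
    print("problems:", failures(res) or "none")
```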

Here is an example of a test protocol where A-B communication did not work (only a UDP and ICMP issue on a single system), but for the Windows guys it was both ways for A and B.

The firewall was on but allowed the packets specified. The system was a DC, so 389 was also used; a regular Windows system should have TCP/3389 (RDP) and TCP/445 (SMB) open as well as UDP/137. Not going into protocol specifics, there is much better material available.

Ping:

  C to A            ok
  C to B            ok
  C to E            ok
  C to F            ok
  C to D1, D2, D3   ok
  A to C            ok
  B to C            ok
  A to B            FAILED
  B to A            FAILED
  B to E            ok      (same network as A)
  A to F            ok      (same network as B)

With the help of netflow and/or Wireshark, netsh trace, Message Analyzer or procmon it was seen that A does not process incoming ICMP and UDP packets.

Further tests:

  telnet      C to B    3389       ok
  telnet      C to B    389        ok
  net view    C to B    445        ok
  nbtstat     C to B    UDP/137    ok

  telnet      C to A    3389       ok
  telnet      C to A    389        ok
  net view    C to A    445        ok
  nbtstat     C to A    UDP/137    ok

  telnet      A to B    3389       ok
  telnet      A to B    389        ok
  net view    A to B    445        ok
  ping        A to B    ICMP       FAILED
  nbtstat     A to B    UDP/137    FAILED

  same tests  A to E               all ok!

  telnet      B to A    3389       ok
  telnet      B to A    389        ok
  net view    B to A    445        ok
  ping        B to A    ICMP       FAILED
  nbtstat     B to A    UDP/137    FAILED

  same tests  B to F               all ok!

TCP connections A - B all work, only ICMP and UDP fail. Then it got weirder, as DNS to the primary DNS was also failing, as well as ICMP, but not to the 2nd IP of the primary DNS.

A reboot of the server solved the issue, but I would have loved to nail it down, maybe with procmon, but I was not sure.

2014-11-06

XenMobile WorxWeb: Browsing in enterprise environment, Proxy, SSO *Update necessary, 54.9*

Update:
54.9 breaks the XenMobile Browser Session Policy due to correct processing of the policy expression!

The policy expressions are wrong and I need to find out what the best policy for HTTPS and HTTP will be going forward. This expression is wrong as it fires for anything with Mozilla and port 443, and even IE11 has a user agent containing Mozilla:

REQ.HTTP.HEADER User-Agent CONTAINS Mozilla || REQ.HTTP.HEADER User-Agent CONTAINS com.citrix.browser

Most probably it is only required to keep com.citrix.browser? 

Original:
Deploying Netscaler globally in a corporate environment.

Use XenMobile WorxWeb application to achieve the following:

  • Access to internal http applications (SSO)
  • Access to internal https applications
  • Access to Internet http web sites via a Proxy
  • Access to Internet https web sites via a Proxy
After many hours we got this to work correctly, and this is how:


  • FullTunnel for WorxWeb is a must, otherwise HTTPS via Proxy does not work
  • create a trafficPolicy for each requirement and a policyAction

This is a short summary of the 4 traffic policies:


intranet        - http, SSO                      (filter on networks and port 80)
intranet-https  - tcp                            (filter on networks)
proxy-http      - http, proxy, proxy port, SSO   (filter on port 80)
proxy-https     - tcp, proxy, proxy port         (filter on port 443)


Citrix has many different setup possibilities, but it's hard to find the correct one to achieve what you want.

In this environment there are still some challenges:

  • multi-user active directory authentication
    • solved using a single LDAP policy using UPN to a Global Catalog Server
  • SSO issues with Proxy (407 Proxy)
    • UPN looks like \user.name@company.com and if you need only NTLM format this will not work
    • Citrix has a field SSO Name Attribute and it actually works when setting it to sAMAccountName, but this ends up with NETSCALER\user.name
      • This again can be fixed with some Session policies that match an Active Directory group that identifies the user as being part of a domain and then set the SSO Domain, but I have not yet implemented it.
      • The SSO Name Attribute could also be another attribute, but I have not found one that is like the pre-Windows 2000 name displayed in dsa. And I won't propose a custom attribute.
    • Ultimately in this case proxy is used with authentication bypass
  • Kerberos SSO for internal web pages not yet configured

Here are the traffic policies necessary:

add vpn trafficPolicy HTTP-TP "(REQ.HTTP.HEADER User-Agent CONTAINS Mozilla || REQ.HTTP.HEADER User-Agent CONTAINS com.citrix.browser) && REQ.TCP.DESTPORT == 80" proxy-http
add vpn trafficPolicy HTTPS-TP "(REQ.HTTP.HEADER User-Agent CONTAINS Mozilla || REQ.HTTP.HEADER User-Agent CONTAINS com.citrix.browser) && REQ.TCP.DESTPORT == 443" proxy-https
add vpn trafficPolicy intranet-tcp "(REQ.IP.DESTIP == 2.10.0.0 -netmask 255.255.0.0 || REQ.IP.DESTIP == 10.0.0.0 -netmask 255.0.0.0 || REQ.IP.DESTIP == 5.1.12.0 -netmask 255.255.255.0)" intranet-tcp
add vpn trafficPolicy intranet-http "(REQ.IP.DESTIP == 2.10.0.0 -netmask 255.255.0.0 || REQ.IP.DESTIP == 10.0.0.0 -netmask 255.0.0.0 || REQ.IP.DESTIP == 5.1.12.0 -netmask 255.255.255.0) && REQ.TCP.DESTPORT == 80" intranet-http

bind vpn vserver vpngateway -policy intranet-http -priority 40
bind vpn vserver vpngateway -policy intranet-tcp -priority 50
bind vpn vserver vpngateway -policy HTTP-TP -priority 100
bind vpn vserver vpngateway -policy HTTPS-TP -priority 110

add vpn trafficAction proxy-http http -SSO ON -kcdAccount NONE -proxy 1.2.3.4:8080
add vpn trafficAction proxy-https tcp -kcdAccount NONE -proxy 1.2.3.4:8080
add vpn trafficAction intranet-tcp tcp -kcdAccount NONE
add vpn trafficAction intranet-http http -SSO ON -kcdAccount NONE
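As an added example (not the post's or Citrix's own code), a small Python model of these four policies run against constructed requests. It assumes policies are evaluated from the lowest -priority number upwards with the first match winning, and the WorxWeb User-Agent string is a placeholder. It shows why the update above flags the Mozilla clause: an ordinary IE11 session going out through the gateway hits proxy-http/proxy-https (the former carrying -SSO ON), which the com.citrix.browser-only clause avoids.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Model of the four traffic policies above, evaluated as NetScaler does (lowest -priority
# number first, first match wins), run against constructed requests for both UA clauses.

@dataclass
class Request:
    user_agent: str
    dest_ip: str
    dest_port: int

INTRANET = [ipaddress.ip_network(n) for n in ("2.10.0.0/16", "10.0.0.0/8", "5.1.12.0/24")]  # REQ.IP.DESTIP ranges

def is_intranet(req: Request) -> bool:
    return any(ipaddress.ip_address(req.dest_ip) in net for net in INTRANET)

def worxweb_broad(req: Request) -> bool:
    # Original expression: also true for IE11 and every other browser that sends "Mozilla".
    return "Mozilla" in req.user_agent or "com.citrix.browser" in req.user_agent

def worxweb_narrow(req: Request) -> bool:
    # Narrowed expression suggested in the update: only the WorxWeb client itself.
    return "com.citrix.browser" in req.user_agent

def select_action(req: Request, worxweb=worxweb_broad) -> Optional[str]:
    """Return the trafficAction that would apply, or None when no policy matches."""
    policies = [  # (priority, action name, match), mirroring the bind commands above
        (40, "intranet-http", lambda r: is_intranet(r) and r.dest_port == 80),
        (50, "intranet-tcp", is_intranet),
        (100, "proxy-http", lambda r: worxweb(r) and r.dest_port == 80),
        (110, "proxy-https", lambda r: worxweb(r) and r.dest_port == 443),
    ]
    for _, name, match in sorted(policies, key=lambda p: p[0]):
        if match(req):
            return name
    return None

IE11 = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"  # real IE11 User-Agent
WORXWEB = "com.citrix.browser/1.0 (constructed placeholder User-Agent)"

def compare() -> dict:
    # Action chosen for each sample request as (broad expression, narrowed expression).
    samples = {
        "worxweb->intranet:80": Request(WORXWEB, "10.1.2.3", 80),
        "worxweb->internet:443": Request(WORXWEB, "198.51.100.7", 443),
        "ie11->internet:443": Request(IE11, "198.51.100.7", 443),  # the case from the update
        "ie11->internet:80": Request(IE11, "198.51.100.7", 80),    # gets proxy-http, i.e. -SSO ON
    }
    return {k: (select_action(r), select_action(r, worxweb_narrow)) for k, r in samples.items()}
```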