Archive for the 'Windows' Category

I’ve been using the VPN Software Hamachi for several years now and thought I would share my experiences with it.

Before it was purchased by LogMeIn, Hamachi was a smaller company that designed this great software. It is now offered in two versions, the free “Basic” version and the paid “Premium” version. The Premium version currently costs around 3.25-4.95 a month, depending on how many licenses you need and how much you pre-pay.

The free version gives you basic VPN connectivity and lets you run smaller networks, which is fine for your own personal secured network. There are some pretty cool features in the “Premium” version - to see all of them click here.

The idea is that you install Hamachi on each of the PCs you would like to connect to your VPN. In my case, I have my home PC, my home file server, my work PC and my laptop all connected. The great thing about Hamachi is that you are not limited to Windows machines - my file server is Linux and works great with Hamachi. It officially supports Windows, Linux, and OS X - so you could install it onto your Mac as well.

Once Hamachi is installed, follow the directions on how to set up each client. On the first client you set up, create a new network that will include all of the personal PCs you wish to connect. Each client you add afterwards must then be joined to this network so they can all talk with each other.

After all computers are connected to the network, your VPN is up and running. It works like any VPN: the Hamachi IP addresses can be accessed just as if the PC were on your local area network.

So, what does this mean? You can map a network drive as a local drive that is actually being served over your VPN. You can connect to VNC using this IP address, which is a secure way to do it because all of your traffic is then encrypted over the internet, so you don’t have to worry (as much) about sending information over the internet in plain text. I even have my media server connected so that I have my entire music library available through the program of my choice (MediaMonkey).

So if you haven’t tried it already, give Hamachi a try!

Google Secure

For Firefox and Opera only: use the Google Secure Pro Greasemonkey script to force these Google programs to use SSL in your browser. It rewrites any http access to https wherever Google supports it, which secures the connection between your browser and Google’s servers.

If you do any type of work using Google’s services where private data is exchanged, I would highly recommend this Greasemonkey script to secure your communications!

My preferred server platform is Linux. I have not yet been able to move to a Linux-based system for my daily work, and trust me, I’ve tried a number of times to move to a Fedora or Ubuntu desktop. Windows is still best for productivity and day-to-day tasks, as well as compatibility with other office workers. That brings up the question of how to access resources on a Linux system securely, and easily enough not to take too much time out of your workflow.

I have previously used the free WinSCP to do this. However, much like the FTP clients of yore, you need to transfer the file to your local PC, do the actual editing on your workstation (I prefer PSPad, by the way), and then transfer the file back to the server.

Windows addressed this particular issue by adding mapped drives that can connect to an FTP source. This works fine, but FTP sends credentials and file contents in clear text, so it is not a secure way to transfer files that may contain sensitive information.

Recently a few programs have come out that connect to an SSH server via SFTP and map a drive on your system. The two I have found that are viable are called WebDrive and SftpDrive. Both products offer a secure connection to your SSH server, including a mapped drive letter. Below is a short review of each product:

SftpDrive

SftpDrive is a program that does one thing and does it well - it connects you to your server via SFTP. In my testing the speed was very fast; it even seemed faster than my WinSCP connection. It does not do caching, which in my mind is a good thing, because caching can cause problems with different versions of a file moving between your system and the server.

Their support is top notch - contacting them resulted in an immediate email back. They also have some great forums for user interaction, and the owner frequents them as well.

Price: $39 - unlimited upgrades to future versions

Webdrive

The other alternative is Webdrive. This software has a few more bells and whistles - notably:

  • Ability to map WebDAV and FTP in addition to SFTP servers
  • Caches remote directories locally

If you need to map a WebDAV or FTP connection, you can manage this right inside the program. In this regard, this software will be a ‘one stop shop’ for mapping drives on your system.

It can also cache files on your local system. This has both advantages and disadvantages. The advantage, especially on a slower connection, is that when you edit a file on the drive you are actually editing a file on your local PC, which speeds up the process. The disadvantage is that your server files may not be updated right away, adding a delay between editing a file and actually having it live on the server. This can add confusion when dealing with a configuration issue or other problem, and it adds a layer of complexity.

Price: $59.95 with 1 year of upgrades, $79.95 with 2 years of upgrades

Final Verdict
It was a close race, but SftpDrive comes out on top for my needs. Unless your organization needs to keep all mapped drives under the same software, or you are working with a very slow connection, SftpDrive will work fine for your needs. Also edging it closer to the win is the cheaper price, and the ability to receive future upgrades to the software without paying an additional fee. Using this software will increase the overall security of your day-to-day system administration tasks while reducing the time involved.

I would strongly recommend downloading a trial version of each software package and seeing which one fits your needs!

  • WebDrive - A 20-day demo version
  • SftpDrive - Get a trial 45-day key and download software

Note 1:
If you need an automated backup solution, I strongly recommend SyncBackSE. Using this backup software plus SftpDrive, you can have an automated, safe backup to an offsite location. Not only will your transfers be secure, but SyncBackSE will encrypt the contents of your backup at the remote location. This is great if you are using a server or other remote service to store your backups - although most services are reputable, I wouldn’t want anyone to have access to my financial or other personal information.

Note 2:
The faster your UPLOAD speed to the internet, the better performance you will see on your mapped SFTP drive. Currently the ISP with the best upload speeds for the value in my area (Philadelphia) is Verizon FiOS. Their lowest package offers 5 Mbit download and 2 Mbit upload. This compares to Comcast, which only offers 384 kbps upload on their basic package.

Developing web apps cross-platform can be a pain sometimes, as the drivers used in Windows are typically not available (by default, anyway) in Linux: for example, when Perl-based software on Linux needs to connect to a Windows database (MSDE 2000 or SQL Server, say).

There are two essential pieces of open source software you will need. The first is unixODBC [http://www.unixodbc.org], which provides the ODBC driver manager that creates the ODBC connection. Second, you will need the driver to connect to your Windows data source; this driver is provided by FreeTDS [http://www.freetds.org].

After installing this software according to the instructions on their respective websites, if you are using Perl you also need to install the module “DBD::ODBC”:

perl -MCPAN -e 'install DBD::ODBC'

You can now set up data sources in your configuration files. In my case the file is /usr/local/etc/odbc.ini; you can find the location of your configuration files using the command
odbcinst -j
In addition to setting up your connection here, you can create a “DSN-less” connection using a connection string. Depending on how your system is set up, you may need to supply the connection password in the connection string anyway.

I’m not going to go over the coding of the database connection; for better instructions on how to use the unixODBC software, see their website (linked above).

The software I am using as a particular example is Lyris Technologies ListManager. It can synchronize your mailing lists with your database. Depending on your database software your needs will change, so you will need to talk to your software provider for specific information. The information I am providing below is for iMIS software from Advanced Solutions International (ASI).

For the connection string in ListManager, you will use the following syntax:
DRIVER=FreeTDS;SERVER=10.0.0.X;UID=dbusername;PWD=dbpassword;DATABASE=dbname;TDS_Version=8.0;Port=1433;

dbusername = database username, must have dbreader access to your database
dbpassword = password to match username
dbname = actual database name

Make sure your SERVER IP is correct; the port for MSDE 2000 is 1433 by default. (As a gotcha, make sure any firewall installed allows connections between your servers on that port.)

This allows your Linux server to connect to your Windows server running the database.
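The connection string above carries the database password in clear text, so anything that logs it (a debug trace, a crashed process dump of its argument list) leaks the credential. The following Python helpers, added here as an example and not part of the original post, ListManager, FreeTDS or unixODBC, build and parse strings of this “KEY=value;” form, brace-quote a value that contains a “;” (the ODBC convention for such values), and mask the PWD field before anything is written to a log. The host, user and password values in the code are constructed placeholders.

```python
# Helpers for ODBC connection strings of the "KEY=value;" form shown above.
# Added example; not code from the original post or from any of the tools it names.
SECRET_KEYS = {"PWD", "PASSWORD"}


def _quote(value: str) -> str:
    """Brace-quote a value that would otherwise break the KEY=value; syntax.

    ODBC connection strings allow a value containing ';' to be wrapped in {...}.
    How a literal '}' is escaped inside braces is driver-specific, so this helper
    refuses such values instead of guessing.
    """
    if "}" in value:
        raise ValueError("values containing '}' need driver-specific escaping")
    if ";" in value or value.startswith("{") or value != value.strip():
        return "{" + value + "}"
    return value


def render_conn_str(pairs):
    """Join (key, value) pairs into 'K=v;K=v;' with values quoted as needed."""
    return "".join(f"{key}={_quote(value)};" for key, value in pairs)


def build_conn_str(server, uid, pwd, database, driver="FreeTDS",
                   port=1433, tds_version="8.0"):
    """Build a FreeTDS connection string in the key order used on this page."""
    return render_conn_str([
        ("DRIVER", driver), ("SERVER", server), ("UID", uid), ("PWD", pwd),
        ("DATABASE", database), ("TDS_Version", tds_version), ("Port", str(port)),
    ])


def parse_conn_str(conn_str):
    """Split a connection string into an ordered list of (key, value) pairs.

    Braced values are honoured, so a password containing ';' round-trips.
    """
    pairs, i, n = [], 0, len(conn_str)
    while i < n:
        eq = conn_str.find("=", i)
        if eq == -1:
            break
        key = conn_str[i:eq].strip()
        j = eq + 1
        if j < n and conn_str[j] == "{":
            close = conn_str.find("}", j + 1)
            if close == -1:
                raise ValueError("unterminated '{' in connection string")
            value, i = conn_str[j + 1:close], close + 1
        else:
            semi = conn_str.find(";", j)
            value = conn_str[j:] if semi == -1 else conn_str[j:semi]
            i = n if semi == -1 else semi
        # step past the ';' that terminates this pair, if present
        semi = conn_str.find(";", i)
        i = n if semi == -1 else semi + 1
        if key:
            pairs.append((key, value))
    return pairs


def lookup(pairs, key):
    """Case-insensitive lookup; ODBC keywords are not case-sensitive."""
    for k, v in pairs:
        if k.upper() == key.upper():
            return v
    return None


def redact_conn_str(conn_str):
    """Return the same string with PWD/PASSWORD values masked, safe for logs."""
    return render_conn_str([
        (k, "***" if k.upper() in SECRET_KEYS else v)
        for k, v in parse_conn_str(conn_str)
    ])


if __name__ == "__main__":
    # constructed sample values, not a real server
    s = build_conn_str("10.0.0.5", "dbreader", "se;cret", "imis")
    print(redact_conn_str(s))
```

Log only what `redact_conn_str` returns; keep the real string in memory for the DBI/DBD::ODBC connect call and nowhere else.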

Additionally, you’ll need to provide the query string. I’ve found that ListManager is not very tolerant when dealing with SQL queries; for example, it does not accept JOINs, so you need to use an alternative way of joining tables. Refer to the ListManager documentation to see what variables you can pull into their databases.

Below is the SQL statement for 2 different mailing lists.

Selecting a particular Committee or Section:
SELECT Name.EMAIL AS EmailAddr_, Name.FULL_NAME AS FullName_, Name.ID AS Additional_, 'H' AS MailFormat_
FROM Name, Activity, Product
WHERE Activity.ID = Name.ID AND Activity.PRODUCT_CODE = Product.PRODUCT_CODE AND Product.PRODUCT_MINOR ='TEC'

In this case, ‘TEC’ is the code used in iMIS for the committee. The WHERE clause does the work of the joins. I do not think this is the best way, but it works in this case.

To select all Active Members:
SELECT Name.EMAIL as EmailAddr_, Name.FULL_NAME as FullName_, Name.ID as Additional_, 'H' AS MailFormat_
FROM Name
WHERE ((Name.MEMBER_TYPE)='REG' Or (Name.MEMBER_TYPE)='AFF' Or (Name.MEMBER_TYPE)='HON' Or (Name.MEMBER_TYPE)='SEN') AND ((Name.STATUS)='A')

As you can see, it is not exactly simple, but it is easy enough to do once you have the right software. Once your software is talking to your databases, it makes things a lot easier!
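To see what the WHERE-clause join above actually does, and what goes wrong when one join condition is forgotten, here is a runnable Python example (added here, not part of the original post or of ListManager/iMIS) that loads constructed rows into an in-memory SQLite database and runs both of the page’s queries. The table and column names are the ones the queries use; the rows and the “COMM/TEC” product code are made up. The committee code is bound as a `?` parameter, which is how a Perl DBI or Python client would pass it; ListManager itself wants the literal as shown on the page.

```python
import sqlite3

# Constructed stand-in for the three iMIS tables the queries above touch.
# Column names follow the post; every row below is made up for the demo.
SCHEMA = """
CREATE TABLE Name (ID TEXT PRIMARY KEY, EMAIL TEXT, FULL_NAME TEXT,
                   MEMBER_TYPE TEXT, STATUS TEXT);
CREATE TABLE Product (PRODUCT_CODE TEXT PRIMARY KEY, PRODUCT_MINOR TEXT);
CREATE TABLE Activity (ID TEXT, PRODUCT_CODE TEXT);
"""
NAMES = [
    ("1", "ann@example.org", "Ann Ames", "REG", "A"),
    ("2", "bob@example.org", "Bob Brown", "AFF", "A"),
    ("3", "cat@example.org", "Cat Cole", "REG", "I"),  # inactive member
    ("4", "dan@example.org", "Dan Dole", "NON", "A"),  # non-member record
]
PRODUCTS = [("COMM/TEC", "TEC"), ("COMM/FIN", "FIN")]
ACTIVITIES = [("1", "COMM/TEC"), ("2", "COMM/FIN"), ("3", "COMM/TEC")]

# The committee query as the post writes it, with the committee code bound
# as a parameter instead of pasted into the SQL text.
COMMITTEE_WHERE_JOIN = """
SELECT Name.EMAIL AS EmailAddr_, Name.FULL_NAME AS FullName_,
       Name.ID AS Additional_, 'H' AS MailFormat_
FROM Name, Activity, Product
WHERE Activity.ID = Name.ID
  AND Activity.PRODUCT_CODE = Product.PRODUCT_CODE
  AND Product.PRODUCT_MINOR = ?
"""
# The same join written with explicit JOIN ... ON, for databases that allow it.
COMMITTEE_EXPLICIT_JOIN = """
SELECT Name.EMAIL AS EmailAddr_, Name.FULL_NAME AS FullName_,
       Name.ID AS Additional_, 'H' AS MailFormat_
FROM Name
JOIN Activity ON Activity.ID = Name.ID
JOIN Product ON Product.PRODUCT_CODE = Activity.PRODUCT_CODE
WHERE Product.PRODUCT_MINOR = ?
"""
# Failure mode of the WHERE form: drop one condition and Activity is
# cross-joined with Product, so members of other committees leak into the list.
COMMITTEE_MISSING_CONDITION = """
SELECT Name.EMAIL AS EmailAddr_, Name.FULL_NAME AS FullName_,
       Name.ID AS Additional_, 'H' AS MailFormat_
FROM Name, Activity, Product
WHERE Activity.ID = Name.ID
  AND Product.PRODUCT_MINOR = ?
"""
# The active-members query exactly as the post writes it.
ACTIVE_MEMBERS = """
SELECT Name.EMAIL as EmailAddr_, Name.FULL_NAME as FullName_,
       Name.ID as Additional_, 'H' AS MailFormat_
FROM Name
WHERE ((Name.MEMBER_TYPE)='REG' Or (Name.MEMBER_TYPE)='AFF'
       Or (Name.MEMBER_TYPE)='HON' Or (Name.MEMBER_TYPE)='SEN')
  AND ((Name.STATUS)='A')
"""


def open_demo_db():
    """Create an in-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO Name VALUES (?, ?, ?, ?, ?)", NAMES)
    conn.executemany("INSERT INTO Product VALUES (?, ?)", PRODUCTS)
    conn.executemany("INSERT INTO Activity VALUES (?, ?)", ACTIVITIES)
    return conn


def recipients(conn, sql, params=()):
    """Run a list query and return the sorted e-mail addresses it selects."""
    return sorted(row[0] for row in conn.execute(sql, params))


if __name__ == "__main__":
    db = open_demo_db()
    print("TEC committee:", recipients(db, COMMITTEE_WHERE_JOIN, ("TEC",)))
    print("TEC, explicit JOIN:", recipients(db, COMMITTEE_EXPLICIT_JOIN, ("TEC",)))
    print("TEC, condition dropped:", recipients(db, COMMITTEE_MISSING_CONDITION, ("TEC",)))
    print("Active members:", recipients(db, ACTIVE_MEMBERS))
```

The committee list from the WHERE-join and the explicit JOIN is identical; the broken variant silently includes a member of the other committee, which for a mailing list means sending to people who never opted in. Note also that the page’s committee query does not check `STATUS`, so inactive members stay on the committee list.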

If you or your client is using an old DOS-based program to do work (for example, WordPerfect for DOS) and you need to print to a printer shared on the network, you first need to map the printer to an LPT port. You do this with the following command in a command prompt (Start -> Run -> cmd):

net use lpt3 \\SERVER_NAME\PRINTER_NAME

You can then set up your DOS program to print to LPT3 and its output will be sent to that printer. To print right from the command line, you can use the following syntax:

copy c:\test.txt lpt3


You know how it goes - you are surfing along when all of a sudden you can’t view web pages and your IM client disconnects. Then you see that the wireless connection has reconnected, and everything works again. Annoying, isn’t it?

Windows XP users know this all too well if they use a stationary Wi-Fi (802.11) connection. You are in range constantly, but occasionally the wireless connection randomly drops.

The culprit? The Windows Wireless Zero Configuration service. To fix this, disable the service! You only need it if your PC will use different wireless networks (for example, a portable laptop).

To disable the service, go to Start -> Control Panel -> Administrative Tools -> Services. Scroll down to Wireless Zero Configuration, right-click and choose Properties. Press Stop, then change Startup Type to Manual and click Apply. Click OK and you are done; WZC will no longer start at boot time.

Let’s say you just installed Windows, but told it to use FAT instead of NTFS. Now you have problems because some program won’t work without permissions on the drive. Whoops! Also, the Security tab will not work with FAT or FAT32; you need NTFS for that. There is an easy way to convert:
convert c: /fs:ntfs
Replace c: with your drive letter if different. It will warn you about doing this to a mounted drive; answer N to skip doing it now. Then it will ask whether you want to do it on the next reboot; say Y. When you reboot, it will convert the drive to NTFS.


Apache’s mod_proxy module is simply one of the best Apache modules out there. With it, you can do all sorts of things you usually would not be able to do from behind a firewall or in other limited network situations.

A problem that recently came up for me: Microsoft Outlook Web Access (OWA) has to run on the Exchange server, but my Linux server is the one that faces the internet (the firewall forwards the ports to it). I had also purchased an SSL certificate for one domain, so I wanted to use that certificate to reach OWA with a properly validating certificate.

All sounds well and good. This mod_proxy configuration should work:
ProxyPreserveHost On
# Required for ProxyPass to an https:// backend (mod_ssl)
SSLProxyEngine On

#OWA % character in email subject fix
RewriteEngine On
RewriteMap percentsubject int:escape
RewriteCond $1 ^/exchange/.*\%.*$
RewriteRule (/exchange/.*) ${percentsubject:$1} [P]

#OWA
ProxyPass /exchange https://exchangeserver.example.com/exchange
ProxyPassReverse /exchange https://exchangeserver.example.com/exchange
ProxyPass /Exchange https://exchangeserver.example.com/exchange
ProxyPassReverse /Exchange https://exchangeserver.example.com/exchange
ProxyPass /exchweb https://exchangeserver.example.com/exchweb
ProxyPassReverse /exchweb https://exchangeserver.example.com/exchweb
ProxyPass /public https://exchangeserver.example.com/public
ProxyPassReverse /public https://exchangeserver.example.com/public
ProxyPass /iisadmpwd https://exchangeserver.example.com/iisadmpwd
ProxyPassReverse /iisadmpwd https://exchangeserver.example.com/iisadmpwd

Problem - it works OK, except that in IE it will prompt you for the password indefinitely and not let you in. In Firefox (Mozilla) it rejects your password until you hit Cancel, then enter your password again, and it finally lets you in.

To fix this issue, you need to disable “Integrated Windows Authentication”. In the IIS administration panel, go to the website for your Exchange server (“Default site” by default) and find the Exchange virtual directories (most likely “Exchange” and “Public”). Right-click and go to Properties -> Directory Security -> Anonymous Access and Authentication Control. Make sure “Basic Authentication” is checked while “Integrated Windows Authentication” is unchecked. Do this for any other Exchange directories. This allows authentication to work properly.

Second problem: in OWA, in Internet Explorer only, when you try to view your inbox the “Loading…” message appears indefinitely. Microsoft’s Knowledge Base article 280823 has a few workarounds for this problem, none of which worked for me. OWA apparently runs in two modes, “rich” and “reach”. The “rich” client, which it uses for Internet Explorer, can have issues when running behind a firewall or proxy: it relies on WebDAV (HTTP-DAV) requests that are not passed through correctly.

Now for a fix: let’s make sure all clients run in “reach” mode! Using Apache, we can hard-code the User-Agent that the Exchange server sees. This uses Apache’s mod_headers module, so make sure you compile it in with --enable-headers. Note: this only works with Apache 2.0. Once you have it compiled in, set the User-Agent:
RequestHeader set User-Agent "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7)"
You can use whatever you’d like in the User-Agent string; as long as Outlook Web Access does not think it is IE, it will serve the “reach” client.

After correcting all of the above issues, Outlook Web Access finally works in both Internet Explorer and Firefox.

More and more people seem to be using an open source mail server on Linux, such as Postfix, to accept e-mail coming in from the net and relay it to their Exchange server. I’ve had this type of setup since January and it has been working really well for me. It gives you the ability to do advanced spam and antivirus filtering on messages, while keeping the easy-to-use GUI for creating Exchange mailboxes. When will we get a great e-mail client so we can finally ditch the Exchange/Outlook setup that most businesses rely on? I haven’t found a solution that comes close (I’m sorry, Evolution for Win32 needs to come a bit further, and Thunderbird isn’t even close).

Anyway, once you have this system set up (there are some great instructions here; maybe I will cover this more another day), you may wish to sync your Exchange users with your Postfix “relay users” in order to reject incoming messages that are not addressed to anyone on the Exchange server. This frees up CPU cycles on both the Exchange server and the Postfix server, and also saves some bandwidth. Fortunately, Exchange 2000 and later publish this information via LDAP, and you can use Perl’s Net::LDAP module to retrieve it. Chris Covington put together this nice script to grab the Exchange users and write them to a file, which can then be run through postmap and used in relay_recipient_maps. I hope you find it as useful as I did! [Local Mirror of the Script]
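The step after the LDAP query, turning directory entries into a relay_recipient_maps file, is where a bad value can break mail flow, so here is an added Python example of that step (my own illustration, not Chris Covington’s script and not part of the original post). It works on a constructed list of entries shaped like Active Directory users with Exchange `proxyAddresses` values, keeps only well-formed SMTP addresses in the domains Postfix relays for, and refuses to render an empty map; the addresses, names and the `example.com` relay domain are all made up.

```python
import re

# Constructed stand-in for what an LDAP search against Active Directory returns
# for Exchange-enabled users (the post's script uses Net::LDAP for that step).
# Every address and name below is made up.
SAMPLE_ENTRIES = [
    {"mail": "alice@example.com",
     "proxyAddresses": ["SMTP:alice@example.com",          # primary address
                        "smtp:a.smith@example.com",        # secondary alias
                        "X400:c=US;a= ;p=Example;o=Exchange;s=Smith;g=Alice;"]},
    {"mail": "bob@example.com",
     "proxyAddresses": ["SMTP:bob@example.com",
                        "smtp:bob@other.example.net"]},    # domain we do not relay for
    {"mail": "",                                           # no SMTP address at all
     "proxyAddresses": ["X500:/o=Example/ou=First/cn=Recipients/cn=eve"]},
    {"mail": "carol@example.com\n",                        # sloppy value; must be cleaned
     "proxyAddresses": ["SMTP:bogus address@example.com"]},  # malformed; must be dropped
]

# Domains this Postfix instance relays to Exchange (its relay_domains).
LOCAL_DOMAINS = {"example.com"}

# Deliberately strict: anything that does not look like user@domain is left out,
# so a malformed directory value can never become a map key.
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def smtp_addresses(entry):
    """Yield every SMTP address on an entry: mail plus SMTP:/smtp: proxyAddresses."""
    mail = (entry.get("mail") or "").strip().lower()
    if mail:
        yield mail
    for value in entry.get("proxyAddresses", []):
        kind, _, addr = value.partition(":")
        if kind.lower() == "smtp":
            yield addr.strip().lower()


def relay_recipients(entries, local_domains=LOCAL_DOMAINS):
    """Return the sorted, de-duplicated recipients Postfix should accept."""
    accepted = set()
    for entry in entries:
        for addr in smtp_addresses(entry):
            if not ADDR_RE.match(addr):
                continue
            if addr.rsplit("@", 1)[1] in local_domains:
                accepted.add(addr)
    return sorted(accepted)


def render_map(addresses):
    """Render 'address OK' lines in the text format postmap(1) compiles.

    Refuses an empty list: with relay_recipient_maps in place, an empty map
    makes Postfix reject every message for the relay domain, so an LDAP
    outage must never silently produce one.
    """
    if not addresses:
        raise ValueError("refusing to render an empty relay_recipient_maps")
    return "".join(f"{addr}\tOK\n" for addr in addresses)


if __name__ == "__main__":
    print(render_map(relay_recipients(SAMPLE_ENTRIES)), end="")
```

Write the rendered text to the map file named in main.cf (for example `relay_recipient_maps = hash:/etc/postfix/relay_recipients`), run `postmap` on it, and only then let Postfix pick it up; the empty-map guard is what keeps a directory outage from turning into a bounce storm.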

There is great software for doing remote unattended Windows installs called, well, Unattended. It lets you boot and install different Windows versions without any intervention, which is great if you are doing a number of Windows installs. This is a bit different from MSFN’s unattended install, which is mainly done off CD media. MSFN’s site is still a great source of information on these types of installs, but we are focusing on the network Unattended software since we are too lazy to want to be physically at the datacenter to do the installs!

If the drivers.cab included with Windows does not contain your drivers, then once Unattended (I’ll refer to the SourceForge network version of Unattended from now on) installs Windows, you will no longer be able to use the network card to reach the PC. Therefore you need a way to install third-party drivers directly into the install I386 directory on your server. This article explains the process from a CD standpoint; let me clarify it for our network Unattended install.

First, locate the driver the hardware needs to be usable on this system. Once you are positive which driver the system needs, place the files into /usr/local/unattended/install/os/INSTALLDIR/I386/$OEM$/$1/Drivers/DRIVERNAME, where INSTALLDIR is the name of the Windows version you are installing (w2k3 for example) and DRIVERNAME is a unique name for the driver.

Now, according to the previous article you may think you need to modify the WINNT.SIF file in the I386 directory. However, for our remote Unattended install server this file is not used; you need to modify the /usr/local/unattended/install/site/unattend.txt file instead.

In the [Unattended] section, add the following lines if you do not have them:

OemPreinstall = "Yes"
OemPnpDriversPath= "Drivers\DRIVERNAME;Drivers\SOMEOTHERDRIVER"
DriverSigningPolicy = Ignore

Add each driver using this syntax, separating them with semicolons. During the install, Windows copies the files in the $OEM$\$1\Drivers directory to C:\Drivers, and because we placed the above lines in unattend.txt, it knows to use these drivers during the PnP phase of the install.
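Editing unattend.txt by hand for every new driver is error-prone (a missing semicolon or a duplicated entry is easy to miss), so here is an added Python helper, not part of the original post or of the Unattended project, that merges driver names into the OemPnpDriversPath value and sets the other two keys exactly as described above. It edits only the [Unattended] section, keeps entries already present, and is idempotent. The sample file contents and the driver names NIC_BCM and SATA_AHCI are constructed.

```python
import re

# Constructed excerpt of /usr/local/unattended/install/site/unattend.txt.
# Key names are the ones the post lists; the driver names are made up.
SAMPLE_UNATTEND = """[Unattended]
UnattendMode = FullUnattended
OemPreinstall = "Yes"
OemPnpDriversPath= "Drivers\\NIC_BCM"

[GuiUnattended]
TimeZone = 35
"""

# Matches 'Key = Value' or 'Key = "Value"' lines; group 2 is the unquoted value.
KEY_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"?([^"\r\n]*?)"?\s*$')


def _section_bounds(lines, section):
    """Return (start, end) line indices of [section]; start is the header line."""
    start = None
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.lower() == f"[{section.lower()}]":
            start = i
        elif start is not None and stripped.startswith("["):
            return start, i
    return (start, len(lines)) if start is not None else (None, None)


def get_value(text, section, key):
    """Case-insensitive lookup of a key inside a section, or None."""
    lines = text.splitlines()
    start, end = _section_bounds(lines, section)
    if start is None:
        return None
    for line in lines[start + 1:end]:
        m = KEY_RE.match(line)
        if m and m.group(1).lower() == key.lower():
            return m.group(2)
    return None


def merge_pnp_drivers(text, driver_names):
    """Add Drivers\\<name> entries to OemPnpDriversPath in [Unattended].

    Existing entries are kept and duplicates are not added, so calling this
    twice yields the same file. OemPreinstall and DriverSigningPolicy are set
    as the post describes; note that DriverSigningPolicy = Ignore turns off
    signature checks for these drivers, so only files from a trusted vendor
    source belong in the $OEM$ tree.
    """
    lines = text.splitlines()
    start, end = _section_bounds(lines, "Unattended")
    if start is None:
        lines.append("[Unattended]")
        start, end = len(lines) - 1, len(lines)

    current = get_value(text, "Unattended", "OemPnpDriversPath") or ""
    entries = [e for e in current.split(";") if e]
    seen = {e.lower() for e in entries}
    for name in driver_names:
        entry = "Drivers\\" + name
        if entry.lower() not in seen:
            entries.append(entry)
            seen.add(entry.lower())

    wanted = {
        "OemPreinstall": '"Yes"',
        "OemPnpDriversPath": '"' + ";".join(entries) + '"',
        "DriverSigningPolicy": "Ignore",
    }
    by_lower = {k.lower(): k for k in wanted}

    body = []
    for line in lines[start + 1:end]:
        m = KEY_RE.match(line)
        key = by_lower.get(m.group(1).lower()) if m else None
        if key in wanted:
            body.append(f"{key} = {wanted.pop(key)}")  # rewrite in place
        else:
            body.append(line)
    # append keys that were missing, right after the section's last non-blank line
    insert_at = max((i + 1 for i, l in enumerate(body) if l.strip()), default=0)
    body[insert_at:insert_at] = [f"{k} = {v}" for k, v in wanted.items()]

    return "\n".join(lines[:start + 1] + body + lines[end:]) + "\n"


if __name__ == "__main__":
    print(merge_pnp_drivers(SAMPLE_UNATTEND, ["NIC_BCM", "SATA_AHCI"]), end="")
```

Each name passed in must match a directory you created under $OEM$\$1\Drivers; the helper does not check the filesystem, so run it from the same script that copies the driver files in.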

To clarify the driver types: there are two different kinds of drivers during the Windows install. The text-mode (TXT) drivers are used in the initial phase of the install (where you hit F6 to install third-party drivers), and then there are Plug-and-Play (PnP) mode drivers. The PnP drivers are loaded later in the install process, once the system goes to set up the network configuration.

Feel free to contact me if you have any questions on this!

  • Welcome to systemBash, a technology and system administration blog by David Drager. If you enjoy this sort of content, you can subscribe to the RSS feed using the link to the right.