Thursday, August 31, 2017

Creating a SIP 2 Server on Windows.

SIP2 is a protocol created and controlled by 3M

The Standard Interchange Protocol is a proprietary standard for communication between library computer systems and self-service circulation terminals. Although owned and controlled by 3M, the protocol is published and is widely used by other vendors. Version 2.0 of the protocol, known as "SIP2", is a de facto standard for library self-service applications. This protocol will eventually be replaced with the NCIP protocol.

This post will go through how to set up a SIP2 server on Windows. Even though setting up a SIP2 server is relatively trivial, you need to have a few things in place first before you add the SIP2 service.

  • The server must have a connection to the ILS database. The database we will be basing this off is a Microsoft SQL Server.
  • An ACS profile set up for the SIP server to talk to (typically 6 characters but may vary depending on the ILS).
  • Java version 6 or better (I am using the latest version, 8.144).
  • The SIP2 installer files and DLLs for your ILS.
  • This will be based on Windows Server 2012 Essentials.

Go to the install directory and launch setupwin32.exe. In my case it is in C:\Users\$USERNAME\Documents\SIP Install Files\SIP1.4.108\

The installer I have is not for the latest version of the ILS I am working on, but I do have the DLLs, which I will replace in the BIN folder once the SIP Service Wrapper is installed.

Run through the installer. All SIP connections should be saved to C:/sirsidynix/Sip$PORT#_$name. NOTE: Make sure you create the directory first, otherwise you will get an error!

Example: Sip$PORT#_hoopla

When finished, to modify or create the port, run setup.bat located in C:\sirsidynix\Sip$PORT#_$name\bin\setup.bat

Run setupwin32.exe; in my case it is in C:\Users\$USERNAME\Documents\SIP Install Files\SIP1.4.108\


Install the setup for the latest version of your ILS and replace the DLL files with those for the latest version of your ILS; you may have to get them from your ILS vendor.



SIP 2 Service Installer



SIP 2 Settings


Host: $DATABASE HOST/IP
Database: $DATABASE
Database Type: MS SQL Server
Database Username: $DBUSERNAME
Database Password: $DBPASSWORD
location: $LOCATION
ACS Profile: “Get the 6 character code you created or from an ILS Administrator”

Replace the DLLs with the DLLs for your ILS.

Start the service.

Testing a SIP Service


To test the service on the SIP server, use ACSTester.exe located in the bin directory.


Click Connect.

Type in localhost and $port (the port you just created, probably something like 60xx).

Click Create Message.

Select "63 Patron Information" and click Create Message.

In the Patron Identifier field type in test (no quotes) and hit OK.

Click Send Message.

You should see something like the screen above (unknown borrower barcode) if the test is successful.


ACS SIP2 Tester
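As an added example (not code from the post, the SIP installer or ACSTester), this is what the "63 Patron Information" test above does on the wire, in Python: the 63 request with its AY sequence number and AZ checksum, checksum verification of the 64 reply, and extraction of the fixed and tagged fields. The institution id MAIN and the sample 64 reply are constructed for the example, not captured from a real SIP server.

```python
"""Added example, not from the original post: build the '63 Patron Information'
request that ACSTester sends, verify the AZ checksum on the '64' reply and
unpack its fields. The sample reply below is constructed, not captured."""
from datetime import datetime

FIELD_SEP = "|"


def sip2_checksum(text):
    """Sum the ASCII values of everything up to and including 'AZ'; the
    checksum is the value that brings that sum to zero modulo 65536."""
    return f"{(-sum(ord(c) for c in text)) & 0xFFFF:04X}"


def sip2_frame(body, seq=0):
    """Append the AY sequence number and AZ checksum, then the CR terminator."""
    body += f"AY{seq}AZ"
    return body + sip2_checksum(body) + "\r"


def build_patron_information(patron_id, institution="", seq=0, when=None):
    """63 request: language, transaction date, summary flags, then AO/AA/AC/AD."""
    when = when or datetime(2017, 8, 31, 12, 0, 0)
    date = when.strftime("%Y%m%d") + "    " + when.strftime("%H%M%S")  # ZZZZ left blank
    body = ("63" + "001" + date + " " * 10               # 001 = English, no summary
            + "AO" + institution + FIELD_SEP + "AA" + patron_id + FIELD_SEP
            + "AC" + FIELD_SEP + "AD" + FIELD_SEP)       # empty terminal/patron passwords
    return sip2_frame(body, seq)


def verify_checksum(msg):
    """True when the four hex digits after the last 'AZ' match the rest."""
    msg = msg.rstrip("\r")
    idx = msg.rfind("AZ")
    return idx >= 0 and len(msg) - idx == 6 and sip2_checksum(msg[:idx + 2]) == msg[idx + 2:]


def parse_patron_information_response(msg):
    """Split a 64 reply into its 59-character fixed header and its tagged fields."""
    msg = msg.rstrip("\r")
    if not msg.startswith("64") or not verify_checksum(msg):
        raise ValueError("not a checksummed 64 response")
    fixed, variable = msg[2:61], msg[61:-9]              # -9 drops 'AY<n>AZ<hhhh>'
    result = {
        "patron_status": fixed[0:14],                    # 'Y' at index 0 = charge privileges denied
        "language": fixed[14:17],
        "date": fixed[17:35],
        "counts": [int(fixed[i:i + 4]) for i in range(35, 59, 4)],  # holds .. unavailable holds
    }
    for field in variable.split(FIELD_SEP):
        if len(field) >= 2:                               # 'AAtest' -> AA: ['test']
            result.setdefault(field[:2], []).append(field[2:])
    return result


# Constructed sample reply for the unknown patron id 'test' (BL = N: the ILS does
# not know the barcode); 'MAIN' is an assumed institution id, not from the post.
SAMPLE_64 = sip2_frame("64" + "Y".ljust(14) + "001" + "20170831    120530" + "0000" * 6
                       + "AOMAIN|AAtest|AE|BLN|AFUnknown borrower barcode|")

if __name__ == "__main__":
    print(build_patron_information("test", "MAIN"))
    print(parse_patron_information_response(SAMPLE_64))
```

The checksum only catches transmission damage; everything in the frame, including the AD patron password field, travels as plain text on the port you just opened.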

Wednesday, August 30, 2017

How to move WSUS updates to a separate drive

To move the WSUS Server update files to a separate drive I recommend reading the following:

Specifying Where to Store Updates

Managing WSUS from the Command Line

WSUS Commands that can be used by WSUSUtil.exe

WSUSUtil.exe Commands

So I'm going to move my WSUS updates to a 500GB drive mounted as E:

Open a CMD prompt and cd to C:\Program Files\Update Services\Tools

run wsusutil.exe movecontent E:\ E:\wsus.log

and wait until it has completed the move.

The WSUS updates are now on the E: drive.

WSUS CMD TOOL

Monday, August 28, 2017

How to add a cluster node to a Hyper-V Cluster


Setting up a Microsoft Hyper-V cluster is the hard part. If you read my post on My First Hyper-V Setup you should have a cluster that is working pretty well. When the Hyper-V cluster is running, adding a node is relatively trivial. Just be aware of the Hyper-V cluster limitations as posted by Microsoft in https://technet.microsoft.com/en-us/library/jj680093(v=ws.11).aspx. If you follow this post, and assuming everything on your cluster is in good shape, adding a new node to your Hyper-V cluster should be no problem. You can also check out my post on Failover Cluster Communication Errors for more info.

Add Hyper-V cluster node check list
  • All hardware is similar (no mixing AMD and Intel)
  • All nodes and the new node are at the same patch level
  • The new node has been added to the Active Directory
  • The new node has had the iSCSI targets added
  • The networks are all the same in the same order
iSCSI Targets
Before you add the new node I would recommend running the Cluster Validation Tool to ensure there aren't any major surprises before you add the new node.  This should take between 10 and 15 minutes to complete.  When you run this test you can run it without verifying the storage because we will verify the storage when we add the new cluster node.

When adding the new node we will want to turn off all VM guests currently running on the cluster so we can properly test the iSCSI targets on the node we are adding. To add the new node, on the node you want to add, connect to the cluster from Failover Cluster Manager -> select Nodes -> Add Node.

Hyper-V Cluster Manager
Add Cluster Node

This will launch the Add a Node wizard.  This will allow you to add the new node to the cluster and it will run a validation test to ensure your cluster node will work properly and alert you of any issues such as Hyper-V guest components being out of date.

Hyper-V Add Node Wizard

Validation Wizard
When the wizard has successfully validated your cluster you can add your node to the cluster.

Validate Cluster Summary
Adding Node to the Cluster


End of the node wizard

New node Added to the Cluster
Adding the actual node takes no time at all; it is getting everything ready that takes time. This post looks simple, but it actually took over 4 hours to do all this: getting the new node up to date and on the same patch level as the other nodes, adding the networks, adding the system to the AD and adding the iSCSI targets to the node. It is a long process.

Friday, August 18, 2017

My First Hyper-V Cluster Setup

Microsoft Hyper-V Cluster Setup
About four years ago I began an investigation into how the organization I work for could have some sort of High Availability (HA) on a budget. During a server room reorg someone mentioned using a new blade based system as a cluster and I took it and ran with it. I started investigating what was required for a Microsoft Hyper-V cluster. Since we were already using Hyper-V, just on a per-host basis, it made sense. Now the rest is history: the Hyper-V cluster has been in production just over three years now running about 16 VMs on 6 nodes, and we are only looking at scaling the current infrastructure.

After researching what it takes to run a Hyper-V cluster, my list of requirements is as follows:

  • Systems must be the same level of hardware (can't mix AMD/Intel)
  • All nodes/hosts must have the same networks, listed in the same order (minimum of 2)
  • All nodes/hosts must have access to what will be the cluster storage
  • You should have primary and secondary AD controllers for the cluster (physical machines preferred)
  • Network settings and IP addresses on the hosts/nodes should be unique; compare the settings between the network adapter and the switch it connects to and make sure that no settings are in conflict.
  • The AD controllers should be set up for DNS and DHCP failover (DHCP failover is available on Server 2012 R2 and later). The servers in the cluster must be using Domain Name System (DNS) for name resolution. It is recommended that cluster nodes/hosts are just member servers.
  • Domain role: all servers in the cluster must be in the same Active Directory domain. As a best practice, all clustered servers should have the same domain role.
  • You need two or more hosts/nodes for a failover cluster
I originally tried to make server 2012R2 run off SAMBA 3 for the shares but found it impossible to get working with FreeNAS as the implementations seem to be a bit different.


Current Hardware Setup:

  • 2 x Intel Atom systems for AD controllers.
  • 1 x AMD blade system with 6 nodes.
  • 2 x 3.2 GHz 4 core nodes with 32GB RAM, dual Gig Intel i350 LACP LAGG network interface
  • 4 x 2.6 GHz 8 core nodes with 32GB RAM, dual Gig Intel i350 LACP LAGG network interface
  • 1 x 48 port Allied Telesis WebSmart switch
  • 2 x FreeNAS NAS appliances configured for iSCSI target shares, dual Gig Intel i350 LACP LAGG network interface
Hyper-V Cluster Setup
Network Interfaces:

The cluster has a total of 6 network interfaces on each host that the virtual machines work off; they are as follows.

Untagged VLAN 300
192.168.0.0/24 - Communication Network/NAS, also includes AD Controllers for Cluster
- Cluster/Client Communication Permitted

Tagged VLAN 301
192.168.1.0/24 - Staff Domain Infrastructure Network
- No Cluster Communication Permitted

Tagged VLAN 302
192.168.2.0/24 - Infrastructure Network (access to switches etc.)
- Cluster/Client Communication Permitted

Tagged VLAN 303
192.168.3.0/24 - Primary Database Application
- No Cluster Communication Permitted

Tagged VLAN 304
192.168.4.0/24 - Contractor Network
- No Cluster Communication Permitted

Tagged VLAN 305
192.168.5.0/24 - Specific DMZ Communications Network
- No Cluster Communication Permitted

The Hyper-V cluster NICs are teamed using the Intel driver; FreeNAS does the teaming in its software and the switches are teamed as well, and all have the VLAN tags set up as stated above. It is important to have the networks in the same order on each of the Hyper-V cluster nodes, otherwise you will have communication issues. See my post on troubleshooting Hyper-V cluster communication errors.

Storage:

The FreeNAS systems are identical, with vdev mirror setups following best practices in the FreeNAS Guide linked to below.

Enterprise level SSD x 4 480GB drives - vdev mirror, 1TB capacity with multiple disk redundancy

Enterprise level HDD x 6 4TB drives - vdev mirror, 12TB capacity with multiple disk redundancy

Enterprise level SSD 240GB drive - for the ZIL (SLOG)

Enterprise level SSD 120GB drive - for the L2ARC cache

The FreeNAS has been configured into 2 tanks (pools), each a set of drives set up in a vdev mirror as stated above. For more information about FreeNAS I recommend going through the FreeNAS Guide.

The NAS has been configured as follows:
10GB Cluster Witness Disk
1.5TB High Performance SSD Target
12TB High Density HDD Target

Cluster Nodes:

As stated before, the cluster nodes are merely members of the cluster Active Directory, which is controlled by 2 physical Active Directory controllers. The nodes have the Microsoft cluster role installed and all nodes are connected to the FreeNAS iSCSI targets.
View my video on connecting Windows to FreeNAS iSCSI Targets

Once all the nodes are added (to get them added into a cluster you have to pass the Cluster Configuration Wizard, then they will be joined to the cluster), the cluster shared storage that is accessible is typically C:\ClusterStorage\$DISKNAME.

When you start importing your virtual machines save them to the cluster shared disks, then you can use the configure roles wizard to make the VM Guests HA.

Summary:

I've enjoyed learning about Hyper-V clustering, and getting it set up and working isn't too difficult; maintaining it is pretty trivial as well. It's not perfect, but for what my organization needs it fits the bill quite nicely. I am very proud of the work I've done and of improving the current cluster; it has scaled pretty nicely, and a lot of the problems the organization had running off a single Hyper-V host have gone away. See below for some items I will need to do to improve the Hyper-V cluster setup and some good resources for reading about Hyper-V clustering.


Changes that need to be made:

  • The iSCSI targets need to be on a separate/private network from the cluster communication network.
  • Separate cluster quorum disk (probably from a different NAS) for updates etc.
  • Set up the cluster across multiple switches to prevent failure when a switch is down.
  • Fix some errors in the Cluster Validation Report I've run recently.

Good Reads

https://technet.microsoft.com/en-us/library/jj863389(v=ws.11).aspx
https://technet.microsoft.com/en-us/library/cc732181(v=ws.10).aspx
https://blogs.technet.microsoft.com/askcore/2014/02/19/configuring-windows-failover-cluster-networks/
https://technet.microsoft.com/en-us/library/hh127064.aspx
https://blogs.technet.microsoft.com/askpfeplat/2013/03/10/windows-server-2012-hyper-v-best-practices-in-easy-checklist-form/
http://www.altaro.com/hyper-v/19-best-practices-hyper-v-cluster/
https://channel9.msdn.com/Events/TechEd/Europe/2014/CDP-B335

Friday, August 11, 2017

How to make a Hyper-V Guest VM Highly Available (HA)

Make a Hyper-V Guest Highly Available (HA)
Making a Hyper-V guest highly available on a Hyper-V cluster is really pretty easy; it is just buried in the beast otherwise known as Hyper-V. On my YouTube channel I go over where to find the import options.

When you import a guest into Hyper-V you import the VM onto one of your Hyper-V hosts. You should put the VM on your cluster storage disk that all your cluster nodes have access to.

For example.  On my cluster I put the guest in C:\ClusterStorage\ClusterDisk01\

Once the VM is imported on the host go to Roles -> Configure Roles

Go to Configure Roles

This will bring up the High Availability wizard.

High Availability Wizard
Select the role you want. In this case we want a virtual machine.

Add the virtual machine role
This will bring up any virtual machines we don't have setup as being HA.  As you can see below we have 2.
2 Virtual Machines not configured for HA
The wizard will run; if it finishes successfully you will see the following screen, where you can go to the HA report for the VM and deal with any issues that might be flagged.

A successful HA configuration

Wednesday, August 02, 2017

Creating a GMAIL SMTP Relay Server Using Ubuntu On Hyper-V

Encrypted Email
You can view my video on how to Setup an Encrypted GMAIL Relay Server using Sendmail here.  There is also a great blog post found here but I had to make some modifications to get it to work properly on my lan for other systems.

More and more we are moving to secure services that were never intended to be secure; e-mail is one of those challenges. Not everybody supports it, but we are moving to it, along with our push for HTTPS on all websites. This post will deal with a couple of things to set up a Linux Sendmail SMTP relay server on a Hyper-V host using a corporate Google Apps account. The reason for the SMTP relay is an ancient piece of software that does not do SMTP authentication, so we have to set up something that can be mostly secured.


To start, you're going to need a Google Apps account. I'm using Microsoft Server 2012 R2 for the Hyper-V host and Ubuntu 16.04.2 for the virtualized Sendmail relay server.


To start we need to make sure we have TLS set up in our Google Apps account. When you log in to your Google account it can be found in APPS -> GSUITE -> Settings for Gmail -> Advanced Settings. Scroll down to just above Routing.



Edit Secure Transport Compliance
Now for this setup I've applied TLS to all outgoing traffic for one email address, no_reply; that is the email I'll be using for the relay server.


TLS Settings

Once that is all set up we can start working on our virtualized Ubuntu server. This is 16.04.2 LTS running on Hyper-V. Of course verify that you have all your Hyper-V guest tools installed and enabled. Then we are going to want to install sendmail, mailutils, and sendmail-bin:


sudo apt-get install sendmail mailutils sendmail-bin
Once installed we will be working out of the /etc/mail directory.


/etc/mail directory
First make a directory called authinfo; this is where we are going to create and save the file for our Gmail authentication. Inside the folder we are going to create a file called gmail-auth.

Inside gmail-auth we are going to have the following:

AuthInfo: "U:root" "I:youremail@domain.com" "P:PASSWORD"
So for the purposes of this example:

AuthInfo: "U:root" "I:no-reply@domain.ca" "P:ThisISmyPASSWORD"


Now we make our hash.


my location is /etc/mail/authinfo

sudo makemap hash gmail-auth < gmail-auth
/*------This is not necessary any more unless you're making a------*/
secure sendmail relay for your own domain.

Now we need to make a relay-domains file and edit the sendmail.mc and access files, so cd ../ (or cd /etc/mail).

We will start with the relay-domains file, where we are going to put the domains you want to relay, just like the sample below, with each domain on a separate line. More information can be found at http://www.sendmail.org/~ca/email/doc8.12/cf/m4/anti_spam.html

domain1.com
domain2.com

/*------Continue After This Point------*/

Save the file and now edit sendmail.mc


my location is /etc/mail - editing sendmail.mc

You will want to go to lines 57 and 59 in the sendmail.mc file and comment them out.


Before Commenting

After Commenting
Now we want to enable access to our access control database to blacklist networks we don't want to have access to our Sendmail relay (if there are any firewall rules allowing it, which there shouldn't be):
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access')dnl
We're going to come back to this guy later and blacklist the networks we don't want to have access to the relay. You could also blacklist everything but the host you want to allow to forward. This must be set if we are going to use relay_hosts_only.

Then we are going to specify some special resolver options:
https://docstore.mik.ua/orelly/other/Sendmail_3rd/1565928393_ch24-46068.html


define(`confBIND_OPTS', `WorkAroundBrokenAAAA -DNSRCH -DEFNAMES')dnl

We are going to open up our sendmail server to allow relaying of mail from other machines on our network.

UPDATE

After coming back to this after the weekend to put it into production, I discovered that having the relay_hosts_only option only allows for internal emails, which it didn't when I was putting this together, but it doesn't work for domains outside the organization anymore, which doesn't work for what I need it to do, so I had to enable FEATURE(`promiscuous_relay')dnl

I did not want to do this, but I need to be able to send emails out to other addresses than my own domain. However, blacklisting in the access file does still block out networks you don't want to access the 

/*------This is not necessary any more unless you're making a------*/
secure sendmail relay for your own domain.

***/---I've made the sendmail server more secure using relay_hosts_only---/***

define(`confCR_FILE', `-o /etc/mail/relay-domains')dnl << - $=R
FEATURE(`relay_hosts_only')dnl


More information on relay_hosts_only

FEATURE(relay_hosts_only) Normally domains are listed in /etc/mail/relay-domains; any hosts in those domains match. With this feature, each host in a domain must be listed.

FEATURE(access_db) This enables the hash database /etc/mail/access to enable or disable access from individual domains (or hosts, if FEATURE(relay_hosts_only) is set).

for more options and details go to http://www.sendmail.org/~ca/email/doc8.12/cf/m4/anti_spam.html


define(`confCR_FILE', `-o /etc/mail/relay-domains')dnl << -$=R
FEATURE(`relay_hosts_only')dnl 

/*------Continue After This Point------*/

/***-----------------------------   Put the following in your sendmail.mc   -----------------------------***/

FEATURE(`promiscuous_relay')dnl 
define(`SMART_HOST',`[smtp.gmail.com]')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl
define(`ESMTP_MAILER_ARGS', `TCP $h 587')dnl
define(`confAUTH_OPTIONS', `A p')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl


define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

FEATURE(`authinfo',`hash -o /etc/mail/authinfo/gmail-auth.db')dnl

Your sendmail.mc file should look something like this 
SENDMAIL.MC

Now save your file and edit your access file.  I changed the local connection access to reject so the server itself can't send email.

Reject Localhost


At the bottom of the access file are the networks I want to blacklist.



###Custom###

Connect:192.168.1       REJECT
Connect:172.16.4        REJECT
Connect:172.31.248      REJECT
Domain.com              RELAY


Save your access file
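As an added example (not from the post and not sendmail's own code), this Python emulation of how sendmail walks the access database for a connecting client lets you check offline what the REJECT and RELAY entries above do when combined with promiscuous_relay (from the UPDATE section) or with relay_hosts_only. The access text is copied from the entries above; the client addresses and host name tried, and the tagged-then-untagged lookup order, are assumptions of the emulation.

```python
"""Added example, not from the post: an emulation of sendmail's access-db
lookup for a connecting client, so the REJECT/RELAY entries above can be
checked offline. The client addresses tried below are constructed."""

ACCESS_FILE = """\
###Custom###
Connect:192.168.1                    REJECT
Connect:172.16.4                      REJECT
Connect:172.31.248                  REJECT
Domain.com                              RELAY
"""


def parse_access(text):
    """Key/action pairs, case-folded the way makemap's default hash map is."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action.strip().upper()
    return table


def lookup_candidates(client):
    """IPs are shortened by octet (192.168.1.20 -> 192.168.1 -> 192.168 -> 192),
    so '172.16.4' never matches 172.16.40.x; host names by label
    (mail.domain.com -> domain.com -> com)."""
    parts = client.lower().split(".")
    if all(p.isdigit() for p in parts):
        return [".".join(parts[:n]) for n in range(len(parts), 0, -1)]
    return [".".join(parts[n:]) for n in range(len(parts))]


def access_lookup(table, client, tag="connect:"):
    """First hit wins: tagged key, then untagged key, then the next shorter form."""
    for key in lookup_candidates(client):
        for full in (tag + key, key):
            if full in table:
                return table[full]
    return None


def relay_decision(table, client, promiscuous=True):
    """REJECT entries always win. Otherwise promiscuous_relay relays for anyone
    who can connect, while relay_hosts_only relays only for RELAY entries."""
    action = access_lookup(table, client)
    if action == "REJECT":
        return "REJECT"
    if action == "RELAY" or promiscuous:
        return "RELAY"
    return "NO_RELAY"


if __name__ == "__main__":
    table = parse_access(ACCESS_FILE)
    for client in ("192.168.1.20", "172.16.40.1", "mail.Domain.com", "10.0.0.5"):
        print(client, relay_decision(table, client), relay_decision(table, client, False))
```

With promiscuous_relay, the 10.0.0.5 case shows that any network you forgot to list in the access file can relay through the server, which is why the firewall rules the post mentions still matter.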



Run sudo sendmailconfig. This will recompile sendmail.mc and the access map and restart the sendmail service. If you get no errors, then test your configuration from a computer on your LAN that has a program that sends mail, like Cobian Backup. When it successfully sends an email you should see something like the result below.


Encrypted Email Via Sendmail




