Repost of The Open Sourcerer » Our Windows 7 Special Offer

Our Windows 7 Special Offer

This post is a “reprint” of an email we have just sent to the subscriber list for our Liberation newsletter. The audience is largely UK based businesses and public sector organisations. Should you wish to receive Liberation, you can subscribe here and please feel free to pass it on.


Today, Microsoft invite you to part with your hard-earned cash and upgrade your computers to Windows 7®. If you are one of the majority still using Windows XP, then moving to Windows 7 may not be a pleasant or inexpensive task…

Surprisingly there isn’t actually a way to upgrade your computer from Windows XP to Windows 7 in the traditional sense. You’ll need to back up all your data, re-format the hard-drive and start again from scratch.

Windows doesn’t store your documents, personal information, historical data, emails, passwords, cookies, preferences, settings etc. in one place. So backing up and rebuilding Windows computers is a very time-consuming and complicated process:

  • Work out how many licenses you need, then go and pay for them
  • Buy some new storage for all the temporary backup space you’ll need
  • Back up everything on every computer
  • Install the basic operating system
  • Find and install the right hardware drivers for your machine(s). Much hardware may not yet have suitable Windows 7 drivers
  • Register and activate each new computer, which requires network access
  • Find all the disks and license keys for the applications you use, then re-install them. If they are still compatible, that is
  • Install & configure the drivers and software for printers and other peripherals. Many peripherals may also not yet have suitable drivers
  • Copy your data and settings etc. back to all the right places on the new system.

Plan for this process taking anywhere between 4 and 8 hours for each and every computer you have.

Gartner estimates that real migration costs will be between $1,035 & $1,930 per user from Windows XP to Windows 7.

Why can’t I upgrade?

Windows 7 Upgrades

That is a good question, and one that we have not seen a good answer to. Walt Mossberg of the Wall Street Journal asked Microsoft about upgrade paths and was sent this matrix showing all the different ways you can’t upgrade from other versions of Windows to Windows 7 (Blue = No upgrade, rip out and replace. Green = in-place upgrade).

Microsoft have also provided a document explaining the same thing in words. There is no upgrade path from any of the following operating systems:

Windows 95, Windows 98, Windows Millennium Edition, Windows XP, Windows Vista® RTM, Windows Vista Starter, Windows 7 M3, Windows 7 Beta, Windows 7 RC, or Windows 7 IDS, Windows NT® Server 4.0, Windows 2000 Server, Windows Server® 2003, Windows Server 2008, or Windows Server 2008 R2.

That’s a complete mess. What can I do then?

You could do nothing and stay on Windows XP for as long as possible. Although we think this will be a very popular choice, staying on a nearly 10 year old OS probably isn’t the best policy for a forward thinking organisation.

You do have a choice

Ubuntu Solution Provider

As you are going to have to rip out and replace your computers’ operating systems anyway, now is a real Carpe Diem opportunity to investigate an alternative (or two) whilst considering your options.

The Open Learning Centre recommends that your organisation investigates the many benefits offered by a modern Linux-based desktop operating system such as Ubuntu. As an authorised Ubuntu partner we can help your organisation with evaluation, installation, testing, migration, implementation, training and support services.

Ubuntu Desktop

Ubuntu is a modern, stable, reliable and secure computing platform that includes most of the applications we all use every day, such as a compatible office suite (Word-processing, Spreadsheets, Presentations) OpenOffice.org, email and calendaring, web browsing and image manipulation tools.

Best of all, Ubuntu is free:

Ubuntu is and always will be free of charge. You do not pay any licensing fees. You can download, use and share Ubuntu with your friends, family, school or business for absolutely nothing.

The retail price for a single Windows 7 Professional license is £219.99 and it’s £229.99 for the Ultimate version. This doesn’t include applications either.

Our Offer: On-Site Ubuntu Installation and Training

The Open Learning Centre will visit your premises, install Ubuntu on a suitable computer, and provide approximately 2-3 hours (i.e. approximately half a working day) of professional training and advice on Ubuntu for £229.99 (inc. VAT). An outline of the training is available on our website. Please contact us to book your Introduction to Ubuntu.

Open your mind to Open Source software today

Combine this with the radio advert at http://www.archive.org/details/LinuxAdvert and the next Ubuntu release (only a few days off now), and maybe there’ll be more uptake?

Taking the config from a McAfee Sidewinder for use in *something else*

I’m really learning to love the Sidewinder product line. Don’t get me wrong, it’s still got its foibles that make you go “Erm… OK”, but it is quite a clear step up from the Cyberguard Classic and the Secure Computing TSP device. The one area that had the people I’ve spoken to stumped, though, was how to get the config out in a way that could be re-used. The Classics used pretty standard text files everywhere, and you could just pull those out… tada, instant config. TSP had a single XML file which made extensive use of GUIDs to link hosts to groups, services to groups, host groups and service groups to rules, and so on. When we got to the Sidewinder, I made the mistake of thinking you could just do the same thing here…

Nope, Sidewinder would only export its policies in a securely encrypted format that would only decrypt on another Sidewinder.

But hang on, what if someone wants to do a rule-base review on that box, and you don’t want to give them access to *everything*… how do you get around that then?

The simplest way seems to be to use a couple of commands, wrapped up in the TCSH foreach command, but to figure out what to select, you need to know how I got here.

There’s a command called cf which you run with administrator rights (you become an admin by running srole first). Once you’re an admin, run the command

cf help

and this returns a list of configuration details you can do stuff with. Let’s pick one of these at random:

cf help ipaddr

This tells you that you can do cf ipaddr [add|delete|query] or at least something like that. The bit we’re most interested in right now though is query because that’ll give you some details. When I run cf ipaddr query or cf ipaddr q for short, it gives me back a bundle of lines like this:

ipaddr add name=I_Am_A_Name ipaddr=10.10.10.10 description='' \
last_changed_by='admin on Tue Jan 01 01:01:01 2001'

For those of you who know some unix syntax, you’ll realise that the \ indicates “ignore (or do something special with) the next character” – in this case, ignore it, because it’s the “New Line” character. You’ll recognise here that it’s saying you should add a new ipaddr object with a fixed name and a fixed IP address, and set some other interesting data.

Not all of the list of things you can do stuff with is actually queryable though, so it might be worth picking and choosing what you do and don’t query. For brevity’s sake, here’s a list (space delimited) of the ones you can query:

accelerator acl adminuser agent antivirus appfilter audit auth burb burbgroup catgroups cert cluster cmd commandcenter config crontab daemond dhcrelay dns domain export failover fips fwregisterd gated geolocation host hostname ids ikmpd interface ipaddr iprange ips ipsec ipsresponse ipssig knownhosts lca license mvm netgroup netmap nss ntp package policy pool proxy qos reports routed server service servicegroup snmp ssl static subnet sysctl timeperiod timezone trustedsource udb ups urltranslation usergroup utt whitelist

Now, I don’t know what *all* of those do, but if you’ve spent any time wandering around the Sidewinder GUI, then you’ll recognise some of these terms – and that they participate in how the policy fits together. For a simple no-VPN policy, here’s the list (again space delimited) of things that I was most interested in:

burb burbgroup interface ipaddr iprange netgroup netmap policy proxy service servicegroup subnet

So, let’s do something useful here. We already know that we can run cf <object> query and it’ll return some data, but how would we do that for a whole bundle of these things? Re-enter stage left the foreach command. Anyone who’s done any programming knows about the for-next-loop style of loops, and some also know about the foreach loops. That’s all we’ll use here, and get something akin to a single config file (or multiple – you’ll see why in a second).

foreach fe ( burb burbgroup interface ipaddr iprange netgroup netmap policy proxy service servicegroup subnet )
cf $fe q >> config_file
end

You’ll notice that we’re putting that previous list of config options into a foreach loop, and using the variable fe when we’re using it against the cf command. You could replace config_file with config_file.$fe to ensure that you had a separate config file per object.

Running this little lot through a simple text processor (looking for the backslash character followed by a new line, and replacing the pair with nothing) should give you an easy-to-parse list of objects and their variables. Of course, if you notice, those lines are also saying “add” – there’s no reason why you shouldn’t be able to prefix each of those <object> add lines with cf and paste that into your terminal to rebuild a firewall with a complete policy, but I’ll leave that as an exercise for the reader :)
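As an added example (this is not the author’s script and not McAfee’s tooling), here is a small Python text processor for the output the foreach loop collects: it strips the backslash-newline continuations as described above, splits each "<object> add key=value …" record with shlex so quoted values survive, indexes the objects by type and name for a rule-base review, and re-emits a record as a "cf <object> add …" line. The sample output is constructed to match the format shown above; only the ipaddr fields come from the post, and the netgroup "members" field is a hypothetical stand-in.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample of what `cf <object> q` prints, in the shape the post shows:
# one "<object> add key=value ..." record per logical line, continued with a
# trailing backslash. Only the ipaddr fields come from the post; the netgroup
# field name "members" is a hypothetical stand-in.
SAMPLE = """\
ipaddr add name=I_Am_A_Name ipaddr=10.10.10.10 description='' \\
    last_changed_by='admin on Tue Jan 01 01:01:01 2001'
ipaddr add name=Web_Server ipaddr=192.0.2.10 description='public web' \\
    last_changed_by='admin on Tue Jan 01 01:01:01 2001'
netgroup add name=Web_Group members=Web_Server,I_Am_A_Name description='' \\
    last_changed_by='admin on Tue Jan 01 01:01:01 2001'
"""


def join_continuations(text):
    """Remove backslash-newline pairs so each record sits on one physical line."""
    return re.sub(r"\\\n", "", text)


def parse_record(line):
    """Turn "<object> add k=v k='quoted v'" into a dict; shlex handles the quoting."""
    tokens = shlex.split(line)
    if len(tokens) < 2:
        raise ValueError("not a cf record: %r" % line)
    obj, action = tokens[0], tokens[1]
    attrs = {}
    for tok in tokens[2:]:
        key, sep, value = tok.partition("=")
        if not sep:
            raise ValueError("expected key=value, got %r" % tok)
        attrs[key] = value
    return {"object": obj, "action": action, "attrs": attrs}


def parse_config(text):
    """Parse a whole config_file (or one config_file.<object>) into records."""
    records = []
    for line in join_continuations(text).splitlines():
        if line.strip():
            records.append(parse_record(line))
    return records


def index_by_object(records):
    """Map object type -> {name: attrs}, the lookup a rule-base reviewer wants."""
    index = defaultdict(dict)
    for rec in records:
        index[rec["object"]][rec["attrs"].get("name")] = rec["attrs"]
    return dict(index)


def to_cf_command(rec):
    """Re-emit a record as a `cf <object> add ...` line, re-quoting values safely."""
    parts = ["cf", rec["object"], rec["action"]]
    for key, value in rec["attrs"].items():
        parts.append("%s=%s" % (key, shlex.quote(value)))
    return " ".join(parts)


if __name__ == "__main__":
    for obj, members in index_by_object(parse_config(SAMPLE)).items():
        print(obj, sorted(members))
```

Point parse_config at the contents of config_file (or at each config_file.$fe if you split the export per object) and the index gives you, for example, every ipaddr object by name; to_cf_command is the "prefix each line with cf" step, with shlex.quote re-quoting values such as last_changed_by that contain spaces.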

Watching an interface on McAfee’s Sidewinder with Perl

Introduction

One of our requirements with one of our customers is to perform regular and routine failover tests. As the interface doesn’t tell you when service has failed over from Primary to Secondary and back again, I have found [1] and modified this perl script to run on the SECONDARY NODE to show the interface address of one NIC every 5 seconds. I’ll also show how to slightly modify the script with different time delays and interface names. Please note, there may be much better ways of doing this. I needed something in a hurry, and this gave me what I needed. If you’ve got any better ideas, please drop me a note at jon@spriggs.org.uk or update this script yourself :)

Steps to perform

  1. SSH to the Secondary node.
  2. Check you’re not already primary with the command ifconfig em0 | grep inet. This should return one line showing something like inet 1.2.3.4 netmask 0xffffff00 broadcast 1.2.3.255
  3. Please note the exact syntax of this command – perl is a tricky beast at the best of times, and if you don’t have your apostrophes and backticks in the right place, it won’t run right!

    Type this command: perl -e 'for (;1;) {print `ifconfig em0 | grep inet`; print `date`; sleep 5}' and press return. This loops until you press Ctrl+C, showing the inet line I showed you before, followed on the next line by the date and time – this is so you don’t go crazy and think the process has stopped…

  4. Perform your action to provoke fail-over [2], which may be to unplug an interface attached to the primary firewall, reboot the firewall or unplug a switch directly attached to the firewall. In response (and after approx 1 minute, based on your HA configuration) the script’s output should now show two lines, as follows:

    inet 1.2.3.4 netmask 0xffffff00 broadcast 1.2.3.255
    inet 1.2.3.5 netmask 0xffffff00 broadcast 1.2.3.255

  5. Perform your failback and after 1 minute or so it should revert to just the single line – 1.2.3.4 or the equivalent for your network.

Breaking down the script

Here, I’ve broken down the command before with short blocks of information about each part of the command you’re running.

  • perl – the scripting language
  • -e – “evaluate the following string in quotes”
  • ' – an apostrophe (on my keyboard at least, the symbol below the @ character), which opens the string
  • for (;1;) – those are normal brackets (shift+9 and shift+0), which, in combination with the for and ;1; bits, means loop around the following commands forever, or until the break command is sent
  • { – a curly brace (shift and the character next to the letter P), which opens the loop body
  • print – sends the following string to the output
  • ` – a backtick (the character to the left of the 1 key), which means execute the command between two of these symbols and return the result
  • ifconfig em0 – get the interface configuration for the interface em0
  • | – the pipe or bar character (next to the letter Z)
  • grep inet – grep is a unix command to search for strings, in this case the string inet, which identifies the IP address
  • `; – backtick again, and then a semicolon to say stop running that command and start doing the next thing
  • print `date`; – print the response from the command date (which returns a date string) and then do the next command
  • sleep 5 – the sleep command waits an integer X number of seconds, here 5, but you could easily say 2 or 10 here (depends on how impatient you and the project manager are!)
  • } – curly brace, closing the for loop from near the beginning
  • ' – apostrophe, closing the string that the perl interpreter is evaluating
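The perl one-liner prints raw output and a timestamp every 5 seconds, so you still spot the change by eye. As an added example (not the author’s script), here is a Python version of the same watcher that parses the inet lines out of ifconfig em0, polls on the same 5-second interval, and reports a timestamped failover or failback event only when the set of addresses changes. The ifconfig samples are constructed from the lines shown in the steps above; the interface name em0, the address layout, and the presence of a Python interpreter on the box you run it from are assumptions.

```python
import re
import subprocess
import time
from datetime import datetime

# Constructed samples of `ifconfig em0 | grep inet` output, in the shape the
# post shows: one inet line while the node is standing by, two after it has
# taken over the shared address.
STANDBY = "inet 1.2.3.4 netmask 0xffffff00 broadcast 1.2.3.255\n"
ACTIVE = STANDBY + "inet 1.2.3.5 netmask 0xffffff00 broadcast 1.2.3.255\n"

# "inet" followed by whitespace, so the "inet6" lines of a BSD-style ifconfig are skipped.
INET_RE = re.compile(r"^\s*inet\s+(\d+\.\d+\.\d+\.\d+)")


def inet_addresses(ifconfig_text):
    """Return the IPv4 addresses on the interface, in the order ifconfig lists them."""
    found = []
    for line in ifconfig_text.splitlines():
        match = INET_RE.match(line)
        if match:
            found.append(match.group(1))
    return found


def classify(previous, current):
    """Name the change between two polls: None, 'failover', 'failback' or 'changed'."""
    gained = set(current) - set(previous)
    lost = set(previous) - set(current)
    if gained and not lost:
        return "failover"   # the node picked up an extra (shared) address
    if lost and not gained:
        return "failback"   # the shared address went back to the other node
    if gained or lost:
        return "changed"    # addresses swapped; worth a look, but not a clean transition
    return None


def read_interface(name="em0"):
    """Run ifconfig for real; only used when the watcher runs on the firewall."""
    result = subprocess.run(["ifconfig", name], capture_output=True, text=True, check=True)
    return result.stdout


def watch(name="em0", interval=5, reader=read_interface):
    """Poll the interface and print a timestamped line only when the addresses change."""
    previous = inet_addresses(reader(name))
    print(datetime.now().isoformat(timespec="seconds"), "watching", name, previous)
    while True:
        time.sleep(interval)
        current = inet_addresses(reader(name))
        event = classify(previous, current)
        if event:
            print(datetime.now().isoformat(timespec="seconds"), event, previous, "->", current)
        previous = current


if __name__ == "__main__":
    watch()   # Ctrl+C stops it, like the perl loop
```

Change the interval argument instead of the literal 5 and the name argument instead of em0; the reader parameter exists so the parsing and classification can be exercised on captured output without running ifconfig, which is also how the sample output above is checked.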

Notes

[1] from http://stackoverflow.com/questions/555116/repeat-a-unix-command-every-x-seconds-forever – sadly, we can’t use the watch command on a Sidewinder, as it doesn’t have it installed.
[2] Assuming your firewall is in a Primary/Standby configuration (not Standby/Standby), has “Monitor link status” enabled and has addresses to monitor with – presumably the non-HSRP addresses of the routers attached to that interface.

XRDP

I was recently asked how to provide an RDP session to a Linux machine. Phoowey! I replied, you can’t RDP to a Linux box; and yet, someone I work with pointed me in the direction of XRDP – a package on SourceForge.

I performed the following steps on a VMware host running Ubuntu 8.10, but there’s no reason why it shouldn’t work on 9.04 or even 8.04.

Why would you want to RDP to a Linux machine? If you’ve got a Windows host, you don’t always want to be running more and more different software to access that remote host – like VNC or X over SSH – so this seems like an effective solution if you don’t want your client machines to need additional software.

Some people don’t like to permit SSH through their firewalls as you can do an awful lot with a badly configured SSHd. In another situation, we have been using a device (which I don’t manage I should add) to access a development network. This device acts as a reverse proxy, and permits access to various websites, but most importantly, also proxies access to RDP systems, so this request was driven by that need.

Here’s what I did to set up XRDP on this Ubuntu 8.10 desktop:

# apt-get install build-essential libpam0g-dev libssl-dev tightvncserver

Visit https://sourceforge.net/projects/xrdp/ then click on Download, Browse all packages, click on the latest release (currently 0.4.1), Copy the link for filename xrdp-x.x.x.tar.gz

# wget http://path/to/file/xrdp-x.x.x.tar.gz
# tar xfz xrdp-x.x.x.tar.gz
# cd xrdp-x.x.x
# make
# sudo make install
# cp /usr/local/xrdp/xrdp_control.sh /etc/init.d/
# update-rc.d -f xrdp_control.sh defaults