Hardware

Processors, graphics cards, solid state drives and much more is all in this section of the site!

With thanks to the 50 staff from across the University for attending, please see below the links to the videos and PowerPoints of the day!

Direct link to Playlist – https://www.youtube.com/watch?list=PLRxbdlgJzwyjAf820T0u4GpP0E01a9LEX&v=u-GVJ_0VuRM

Slides as PowerPoint

  1 Intro (4.3 MiB, 17 hits)

  2 MDT (85.2 MiB, 27 hits)

  3 PowerShell (27.5 MiB, 12 hits)

  4 PRTG Network Monitor (47.5 MiB, 12 hits)

  5 OpenVAS (32.9 MiB, 12 hits)

  6 WSUS and Chocolatey (60.3 MiB, 9 hits)

  7 NPS and VLANs (10.7 MiB, 8 hits)

Slides as PDF

  1 Intro (2.0 MiB, 11 hits)

  2 MDT (2.2 MiB, 11 hits)

  3 PowerShell (1.8 MiB, 10 hits)

  4 PRTG Network Monitor (3.2 MiB, 13 hits)

  5 OpenVAS (2.3 MiB, 16 hits)

  6 WSUS and Chocolatey (2.9 MiB, 14 hits)

  7 NPS and VLANs (1.4 MiB, 13 hits)

Stay tuned over the coming days for the scripts that are mentioned through the video which will be linked to from this post.

If you are running an HPE Aruba (formerly ProCurve) switch you may come across cases where your switch (in the example above a 5400R zl2) has multiple IP addresses/VLANs and you need it to talk to another service (in my case syslog and sFlow receivers) from a set interface.

When this occurs you can use the ip source-interface command (make sure you are in config mode first) to define the IP address or VLAN that you want the switch to talk out on. In my case that is VLAN2, which is used as the management network for the network switches (VLAN1 being the default network that switches use if multiple addresses are configured).

Not the first time I’ve run into this issue and probably won’t be the last! While building a new Windows Server 2016 (Full) Microsoft Deployment Toolkit server, when attempting to run the ‘Update Deployment Share’ wizard I was getting the following error message.

Unable to mount the WIM, so the update process cannot continue.

The solution is simple; if you are running this machine on Hyper-V (presumably other hypervisors as well) you will need to shut down the VM, disable Secure Boot (on the VM only) and then power it back on. The next time you run the wizard it will complete as normal.

The error message in full context for reference.

=== Making sure the deployment share has the latest x86 tools ===
=== Making sure the deployment share has the latest x64 tools ===

=== Processing LiteTouchPE (x64) boot image ===

Building requested boot image profile.
Determining if any changes have been made in the boot image configuration.
No existing boot image profile found for platform x64 so a new image will be created.
Calculating hashes for requested content.
Changes have been made, boot image will be updated.
Windows PE WIM C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim will be used.
Unable to mount the WIM, so the update process cannot continue.

=== Completed processing platform x64 ===

=== Processing complete ===

Having recently set up OpenVAS (something I will likely blog about in further detail soon) I have found out that the out-of-the-box deployment of Aruba-OS (formerly ProCurve) supports a number of insecure SSH algorithms, with messages similar to the ones below logged even when running the latest firmware releases (YA.16.03.0004 on the 2530 series).

SSH Weak Encryption Algorithms Supported
The remote SSH server is configured to allow weak encryption algorithms.

and

SSH Weak MAC Algorithms Supported
The remote SSH server is configured to allow weak MD5 and/or 96-bit MAC algorithms.

To secure the switch simply run the following commands while logged into the switch:

config
no ip ssh cipher aes128-cbc
no ip ssh cipher 3des-cbc
no ip ssh cipher aes192-cbc
no ip ssh cipher aes256-cbc
no ip ssh cipher rijndael-cbc@lysator.liu.se
no ip ssh cipher aes128-ctr
no ip ssh cipher aes192-ctr
no ip ssh mac hmac-md5
no ip ssh mac hmac-sha1-96
no ip ssh mac hmac-md5-96
write memory
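To show how the two OpenVAS findings above map onto the commands, here is an added Python example (not from the original post, nor an OpenVAS or HPE tool) that classifies an advertised cipher and MAC list against the categories the scanner complains about (CBC-mode ciphers, MD5-based MACs and 96-bit truncated MACs) and emits the matching ArubaOS `no ip ssh cipher` / `no ip ssh mac` lines. The advertised lists are constructed to mirror the switch defaults implied by the post; `aes256-ctr` is kept because it is the only cipher the post leaves enabled.

```python
import re
from typing import Dict, List, Optional, Tuple

# Patterns for the algorithm classes the OpenVAS findings call out.
# The rules are constructed for this example and deliberately match only
# what the scanner reports as weak: CBC-mode ciphers (including 3DES-CBC),
# MD5-based MACs and MACs with a truncated 96-bit tag.
WEAK_CIPHER_RULES = [
    (re.compile(r"-cbc(\b|$)"), "CBC mode"),
    (re.compile(r"^3des"), "3DES (64-bit block, deprecated)"),
]
WEAK_MAC_RULES = [
    (re.compile(r"md5"), "MD5-based MAC"),
    (re.compile(r"-96$"), "96-bit truncated MAC tag"),
]

# Constructed sample of what a default ArubaOS-Switch SSH server offers
# (assumption: drawn from the command list in the post plus aes256-ctr,
# which the post keeps).  Not captured from a real switch.
ADVERTISED_CIPHERS = [
    "aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc",
    "rijndael-cbc@lysator.liu.se", "aes128-ctr", "aes192-ctr", "aes256-ctr",
]
ADVERTISED_MACS = ["hmac-md5", "hmac-sha1", "hmac-sha1-96", "hmac-md5-96"]


def weak_reason(name: str, rules) -> Optional[str]:
    """Return why an algorithm name is weak, or None if no rule matches."""
    for pattern, reason in rules:
        if pattern.search(name):
            return reason
    return None


def audit(ciphers: List[str], macs: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Produce (algorithm, reason) findings for each weak cipher and MAC."""
    findings: Dict[str, List[Tuple[str, str]]] = {"ciphers": [], "macs": []}
    for c in ciphers:
        reason = weak_reason(c, WEAK_CIPHER_RULES)
        if reason:
            findings["ciphers"].append((c, reason))
    for m in macs:
        reason = weak_reason(m, WEAK_MAC_RULES)
        if reason:
            findings["macs"].append((m, reason))
    return findings


def aruba_remediation(findings: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Build the ArubaOS command sequence that disables every weak algorithm."""
    commands = ["config"]
    commands += [f"no ip ssh cipher {c}" for c, _ in findings["ciphers"]]
    commands += [f"no ip ssh mac {m}" for m, _ in findings["macs"]]
    commands.append("write memory")
    return commands


def remaining(algorithms: List[str], rules) -> List[str]:
    """Algorithms that survive the clean-up; audit() on these should be empty."""
    return [a for a in algorithms if weak_reason(a, rules) is None]


if __name__ == "__main__":
    found = audit(ADVERTISED_CIPHERS, ADVERTISED_MACS)
    for kind in ("ciphers", "macs"):
        for name, reason in found[kind]:
            print(f"WEAK {kind[:-1]}: {name:32s} {reason}")
    print("\n".join(aruba_remediation(found)))
    print("left enabled:", remaining(ADVERTISED_CIPHERS, WEAK_CIPHER_RULES),
          remaining(ADVERTISED_MACS, WEAK_MAC_RULES))
```

The generated list reproduces the CBC, MD5 and 96-bit lines from the post; the post's extra `no ip ssh cipher aes128-ctr` and `aes192-ctr` lines are a hardening preference rather than a scanner finding, so the classifier does not emit them. Keep an existing SSH session open while applying the commands, confirm you can still open a new one, and re-run the OpenVAS scan to confirm both findings clear.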

Over the past year or so I’ve come to realise that although my Surface Pro 3 (i5/4GB/128GB) is an awesome machine I just don’t take it out of the house as much as I should be for fear of breaking it. On that note I’ve decided to sell it and in turn replace it with a true beast of the computing world – a Panasonic Toughpad FZ-G1 (link to Panasonic product page).

The astute of you will probably realise that bought new that is a very expensive bit of kit, and as such I’ve opted for (what I believe to be) a refurbished 1st generation model from Fully Rugged.

Hardware Specification

  • Intel i5-3437U Dual Core @ 1.9GHz (details on the Intel website)
  • 4GB DDR3 RAM @ 1,333MHz
  • 128GB SSD
  • USB 3.0 Port
  • HDMI Port
  • Ethernet Port (see the photos below!)
  • Front and Rear Cameras
  • N class WiFi
  • Active Digitiser Pen and Capacitive Touch Screen
  • LTE Mobile Data Connectivity (WWAN)
  • 1.8m drop safe (please don’t test this!)
  • IP65 compliant (see link for more details on what this means)
  • 1.1kg in weight (yep that’s heavy compared to your iPad Air Gen 88 and no I don’t care! :))

Initial Thoughts

Thus far I am very impressed; the build quality is excellent. I may not feel tempted to drop it from 1.8m to test the specification, however I’ve been out in the rain with the tablet and it didn’t show any issues at all. Having access to a WWAN connection versus using the mobile hotspot on my phone is very liberating, and Windows 10 will manage connecting to the mobile network for you whenever you are away from WiFi. I haven’t done any real work on battery life as yet, however I’ve used it on and off over the course of an 8 hour day and battery life didn’t once cross my mind as something to be concerned by. Resume from standby is as fast as my Surface ever was and performance running web browsing/document editing/playing UWP games is top notch (don’t expect to be gaming on it though).

Overall I am very impressed!

Gallery

While carrying out the steps to move our network devices from a flat network to one with purposeful VLANs, I had changed the IP address of one of our HP CP3505 printers (using the web based management console) only to discover that with the new IP I could not print to the printer over the network.
Oddly enough the web based management console was still accessible and the printer replied to PINGs and SNMP requests, but it would not print (that includes from Mac and PC!).

With no error messages other than ‘Error – Printing’ on the server, and nothing in the logs of the printer it seemed like this issue would not have a simple solution.

In trying to troubleshoot the issue I tried…

  • Changing the printer’s IP address to other options (indeed changing the IP back to its original one sorted the problem but was not what I wanted)
  • Firmware updating the printer
  • Pressing all of the ‘reset’ and ‘clear settings’ buttons I could find on the printer through the WBMC and front panel
  • Attaching a network cable between a laptop and the printer direct (no server or switches)
  • Removing the JetDirect card and leaving it for 30 minutes while the printer was unplugged (oddly enough the JetDirect card has a button battery on it which cannot be removed)

All to no success!

In the end, and on a complete whim, I changed the network settings of the printer to use DHCP instead of Manual IP, reset the printer and then set it back to Manual IP. It was evident that the IP address I had set previously had been forgotten, and I set upon the task of configuring the IP address through the front panel. Lo and behold this worked, and the printer is now happily printing under its new IP address.

As some readers may know I currently work in Higher Education, and while all of the business data is trivial to back up, providing any level of backup service to students and academics is significantly harder. The challenges faced include the myriad of operating systems in use (Windows/OSX/Linux), the fact that the devices being backed up are inherently ‘untrusted’ (i.e. owned by the individual) and that they are often on networks (be it eduroam/public/home) that have no direct connectivity back to the internal trusted network.

Most enterprise class backup systems just aren’t suited to this kind of environment, in that they cannot be securely published through a firewall or have exorbitant licencing costs for the number of devices to be protected (a few file servers vs 500+ student owned laptops).

One solution to this issue cropped up at a recent trade show where Synology were demonstrating their Synology DiskStation Manager NAS software which set itself apart from the traditional enterprise backup solutions with…

  • Support for up to 16,000 users on high end models (and 2048 on the kind of model that we would consider using) with no extra licencing costs; users can have storage quotas set either by group or per user
  • Secure remote access (simply publish a single port which can be protected by HTTPS for encryption in transit)
  • Home grown backup clients for modern versions of Windows, OSX/macOS and Linux
  • On the point of OSX/macOS, the backup client for Synology does not rely on Time Machine and so overcomes the issues associated with having to be on the same network as your backup device
  • Home grown Btrfs file system which auto detects (and fixes) corrupted files through metadata along with extensive snapshot support
  • Up to 32 recovery points and real-time file protection (when connected to the DiskStation)

So time for some screenshots! Below we have the initial setup of the Disk Station Manager and the installation of the client on a Windows PC.

Then restoring a file that has been deleted on the Windows PC; note that you can restore either individual files or entire folders to a point in time.

The same but for OSX…

So that’s all of the good; the only downside we have found thus far is that while shared drives can be protected with encryption, it is not possible to protect each individual home area (per user) with a unique encryption key, thus opening up issues with data privacy. However, if you consider the following scenario…

  • A business needs to provide backup to remote workers
    • Those remote workers do not connect to the trusted network often
      • Perhaps they don’t like VPNs/DirectAccess (and so rules out using Offline Files)
    • and those remote workers do not use a commercial ‘cloud’ service to protect their data with
      • Perhaps trusting a 3rd party to host the data is not an option
    • The remote workers use OSX/macOS

…then using a Synology DiskStation should be a serious consideration for that business.

When working with a lab full of HPE ProCurve/Aruba switches (or you just want to know who is who in a stack of switches) the chassislocate CLI command comes in really handy by either blinking or holding solid the blue locator light. See the screenshots below for a little more info.

It’s that magical time of the year where… new network switches arrive! Given that the new Aruba branding has taken full control of what was ProCurve, I thought I should post some photos of the new paintwork. Happy to say the colour black isn’t half bad!

Included in the images are

  • J9729A 2920-48G-PoE+
  • J9728A 2920-48G
  • J9731A 2920 2-Port 10Gbe SFP+ Module
  • J9733A 2920 2-Port Stacking Module
  • J9734A 2920 0.5m Stacking Cable

Work is coming along nicely with the Server Room; we’ve now removed the last Cisco switch from our infrastructure and the HP 5400R series switch is deployed, replacing the 2530 that was in its place. Over time we’ll be bringing more fibre from our edge switches into this room as well, hence the number of SFP+ ports on the 5400R. The entire front of the cabinet is now populated with hardware or a blanking panel as well (panels available from Comms Express) to keep things looking tidy. I wish there were a little more that I could do with the cables coming into the 5400R, however with a very narrow rack there’s not much that can be done.

Some interesting things have come out of both Ruckus and Palo Alto recently, in that they offer Hyper-V compatible VMs for their services which could free up a further 3U of space and remove a further 4-6 cables from the picture.