
Operations Manager 2007: Installation of Jalasoft R2

10:58 am in Uncategorized by mikeresseler

With the release of R2 of Xian IO, I had to install it for the first time last week at a customer.  The environment was a Windows Server 2008 SP1 64-bit edition.  After downloading the software, I started the installation.

I went by the manual (yeah, from time to time I actually read manuals ;-)) and followed the instructions:

First, I had to import the management packs into Operations Manager.  Because it wasn’t certain yet which MPs would be used in the future, I decided to import only the Jalasoft Core Management Packs.

After that, I had to install the XianConnectorModuleInstaller.  This .msi is found in the x64 or x86 folder, depending on your architecture.

No problems so far.

Third, it was time to start the installation of the product itself.

The first screen is the traditional Welcome screen, so quickly on to Next.

In the next screen, I only had to fill in the User Name and the Organization.

On the third screen I had to make a decision.  Because Jalasoft gives you the choice between different scenarios, it is always easiest to choose the scenario-based option, so that is what I did.  For more information on the different scenarios and what they do, you can always check the manual on their website.

The next screen allowed me to choose the scenario.  In this particular case it was a Single Server scenario, so I could continue.  This is also where you choose the installation location.  Before you press Next, make sure that you have read the prerequisites for the different parts of the software.  For easy reference, here they are:

Microsoft Windows Server 2003 SP2:

Microsoft Windows Server 2003 SP2 is required to install the Jalasoft Xian Services.

Microsoft.NET Framework 3.0:

Microsoft.NET Framework 3.0 is required to install the Jalasoft Xian Connector for Microsoft System Center Operations Manager 2007.

Microsoft Message Queue:

Microsoft Message Queue is required for communications between the Xian Services.

Microsoft System Center Operations Manager 2007 User Interfaces or Microsoft System Center Operations Manager 2007 Management Server:

The Jalasoft Xian Connector for OpsMgr 2007 requires Microsoft System Center Operations Manager 2007 User Interfaces or Microsoft System Center Operations Manager 2007 Management Server installed on this machine.

Microsoft System Center Operations Manager 2007 User Interfaces:

The Xian UI Controls for OpsMgr 2007 require Microsoft System Center Operations Manager 2007 User Interfaces installed on this machine.

Microsoft SQL Server 2005:

The Xian Database and the Xian Data Server features require LAN connectivity to an installed Microsoft SQL Server 2005.

Now you need to decide where you want your database.  The installer enumerates all SQL instances it finds.  It is also possible to change the database name if you want.

Now the software needs a user to run the services as.  Here it went wrong: I kept getting errors saying that the account was not a member of the Administrators group.  After consulting Jalasoft support, I heard that UAC needs to be off for the installation (this requires a reboot!).  So I stopped the installation, turned UAC off, restarted the server and tried again; now I could get past this window.

Next comes the location of the Jalasoft Connector, the RMS server and the Management Server of Operations Manager.  At this point I saw that the installer had picked up the IPv6 address; I didn’t realize at the time that this would cause problems.  I changed it to the correct IP addresses (all IPv4) and continued.

Again I needed to tell the software the location of a component (the Jalasoft Dataserver this time), but since it was a single server installation, it was the IP of the current server.  Note that filling in 127.0.0.1 is not a good idea.  Use the real IP of the server.

In this screen, the installer asks for the preferred IP.  I chose the IPv4 address.

A lot of questions, but then again a lot of components, so again an IP for the server that runs the Xian Network Manager Server (the same one in a single server scenario).

It starts to get annoying, but the IP address of the Task Server also needs to be entered.

Finally everything is OK, so I can start installing.

The installation went quickly, and no reboot is necessary (well, actually there is one, since I turned UAC back on ;-))

So I started the Xian console and got an error.

After reading through the documentation and being unable to solve the problem myself, I contacted support (again).  They told me that in some cases, when IPv6 is in use, the IP addresses are not correctly registered in some configuration files and that I needed to change them manually.  Here is the procedure they gave me:

“In some cases (for example IPv6) the IP address is not correctly registered in the configuration files of Xian. You need to do that manually. Check the following files in C:\program files\jalasoft\xian network manager io

   – Jalasoft.Xian.Services.ConnectorService.config

   – Jalasoft.Xian.Services.DataServer.config

   – Jalasoft.Xian.Services.NetworkManagerServer.config

   – Jalasoft.Xian.Services.TaskServer.config

   In these files look for the ipAddress entry name and correct the value to the IP address that you are using. Note that you cannot use localhost (127.0.0.1).

   Now restart the Jalasoft services.”
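The manual fix support describes above, scripted as an added example (my own code, not Jalasoft’s tooling and not part of the support answer): it assumes the four .config files are .NET XML configuration files that hold the address as an `<add key="ipAddress" value="..."/>` entry, and that the Xian services carry "Jalasoft" in their display name; both are assumptions, so open one file and check before running it.

```powershell
# Added example (not Jalasoft's own tooling): rewrite the ipAddress entries in
# the four Xian .config files to the server's IPv4 address, then restart the
# Jalasoft services. Assumptions: the entry is <add key="ipAddress" value="..."/>
# and the services carry "Jalasoft" in their display name. Run elevated.
param(
    [Parameter(Mandatory = $true)][string]$NewAddress,
    [string]$XianDir = 'C:\program files\jalasoft\xian network manager io'
)

# Reject the two values the post says will not work: IPv6 and loopback.
$ip = $null
if (-not [System.Net.IPAddress]::TryParse($NewAddress, [ref]$ip)) {
    throw "'$NewAddress' is not a valid IP address."
}
if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
    throw "Use an IPv4 address; the IPv6 address is what broke the console."
}
if ([System.Net.IPAddress]::IsLoopback($ip)) {
    throw "localhost/127.0.0.1 is not accepted by Xian; use the server's real IPv4 address."
}

$files = @(
    'Jalasoft.Xian.Services.ConnectorService.config',
    'Jalasoft.Xian.Services.DataServer.config',
    'Jalasoft.Xian.Services.NetworkManagerServer.config',
    'Jalasoft.Xian.Services.TaskServer.config'
)
# Group 2 is the current value; groups 1 and 3 are kept as-is on replace.
$pattern = '(?i)(key="ipAddress"\s+value=")([^"]*)(")'

foreach ($name in $files) {
    $path = Join-Path $XianDir $name
    if (-not (Test-Path $path)) { Write-Warning "Missing file: $path"; continue }

    $content = [System.IO.File]::ReadAllText($path)
    $found = [regex]::Matches($content, $pattern)
    if ($found.Count -eq 0) { Write-Warning "No ipAddress entry in $name"; continue }
    foreach ($m in $found) {
        Write-Host ("{0}: ipAddress was {1}" -f $name, $m.Groups[2].Value)
    }

    # Keep a backup so the change can be rolled back, then rewrite the value.
    Copy-Item -Path $path -Destination "$path.bak" -Force
    $updated = [regex]::Replace($content, $pattern, ('${1}' + $NewAddress + '${3}'))
    [System.IO.File]::WriteAllText($path, $updated)
    Write-Host "$name now points at $NewAddress"
}

# Restart the Xian services so they pick up the corrected address.
Get-Service | Where-Object { $_.DisplayName -like '*Jalasoft*' } | ForEach-Object {
    Write-Host "Restarting $($_.DisplayName)"
    Restart-Service -Name $_.Name -Force
}
```

The "ipAddress was ..." lines tell you which files actually held the IPv6 or loopback value, which is the evidence support asked for.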

After that, the program worked perfectly.

Basically, I learned a few things:

1) The software runs on a Windows Server 2008 x64 platform.

2) Watch out if IPv6 is configured.

3) Jalasoft support contacted me twice in less than 2 hours after I submitted a case through the website!  So Jalasoft, if you read this, keep up the good work on your support team 😉

If you ever encounter these problems, I hope this post helps a little bit to install the software.

Cheers,

Mike

Management of Security?

7:05 pm in Uncategorized by mikeresseler

Last week, I got the chance to go to a round-table meeting with Kai Axford from Microsoft.  Kai is a Senior Security Strategist in Microsoft’s Trustworthy Computing Group.

It was a nice evening in a small restaurant somewhere in Belgium.  Normally a security specialist from our team would have joined the meeting, but for unforeseen reasons he couldn’t make it, so I had the chance to go.

Although I am interested in security, I’m certainly not a specialist.  In preparation for the meeting, I read the blog of Steve Riley, basically the inventor of the Fortified Datacenter concept.

I have to admit that during the meeting, listening to Kai, who practically made the word security “cool”, was great; if this guy were a sales person, he would probably sell the fortified datacenter concept to everybody.  Just imagine that whenever you start your laptop and have an internet connection, you are basically on the intranet.  That means that at all times you can access your programs, file shares, email… and at the same time you are protected by every rule of your company, without starting a VPN!  If your company blocks the website xyz.com in the office then, I’m very sorry, but it will also be blocked when you are in the airport using the free wifi, and so on.  How great is that from an IT point of view :-)

Later in the evening, after listening to a lot of security questions and answers, I popped the question from a management standpoint.  All nice and well: after a lot of infrastructure changes as a project, suddenly the datacenter works, is fortified and everything is completely transparent to the end user.  I think management would kill to have this.  But how are we (the IT pros) going to manage this in a convenient way?  How are we going to make sure that we keep the overview, and that we know at all times which user has access to what?  How are we going to check who had access to what at what time?

Luckily for me, Kai was prepared for this question, and he not only proposed a solution, but in my opinion it is a solution that is basically a best practice for everything.  Here it is…

  1. All access to whatever application, file share or resource should be managed from within Active Directory.
  2. ILM should be present in your environment, with well-thought-through workflows to provision new users, users that change department, etc.
  3. Different management systems should be used to monitor, provision, … systems automatically, as much as possible.

Of course, I’m a System Center dude, so I will use System Center products as much as possible, and even one more (ILMv2, soon to be released).

Probably quite a lot of IT pros are already convinced, but how are we going to sell this investment to our management?  Let me try to do this for you with a few pointers.

All access to whatever application, file share or resource should be managed from within Active Directory

Cost: man-hours, and a good functional design.

What you need to do is give each type of access to a shared resource a dedicated security group, even multiple security groups if different levels of access are necessary (e.g. read rights, admin rights, reporting rights…).  Give this security group a logical name and a good description.

Example: suppose you have a file share called “Company Branding”.  You want every user in your company to have read access to this share, because they need it for their presentations, sales work, etc., but a few people need write rights to change things if necessary, and then you have another few people who need full control over it.  Sounds like an everyday situation for any company.

I would create three security groups in AD:

Name                          Description
GG-S-CompanyBranding-Read     Read access to the CompanyBranding file share
GG-S-CompanyBranding-Write    Write access to the CompanyBranding file share
GG-S-CompanyBranding-Full     Full control of the CompanyBranding file share

GG stands for Global Group (you can of course also have UG, Universal Group, and DL, Domain Local).

S stands for Security (the other option is D for Distribution).

On the file share, you give the different groups the correct rights, and afterwards the only thing you need to do is put the correct users in the correct security group (or other groups in these groups…).

What are the advantages?  Well, basically you will have at all times an overview of who has access to which resource.  I mean, whenever an auditor (and I just had one who asked the question…) asks you to tell him or her who has access to xyz, you open up the security group(s) and show which members have access.  Or even worse, whenever an auditor asks you to show the access rights of person X, you open the Member Of tab for that user and you have a great overview.  If you have documented well, then you can make the links easily and prove to the auditor which resources the user has access to.

Imagine that you do this for each and every resource you have.  (OK, I admit, the first time this will cost a lot of work and research, but hey, afterwards you have a complete overview of access to your resources and it is much easier to maintain.  If a user leaves the company, remove his memberships and case closed…)  This way you could easily outsource the creation of new users to a helpdesk or service desk environment and give them a controlled MMC with limited AD access.  Everything else they can’t touch or change.

Now, management wants to see ROI.  So let’s try to calculate this effort.

  • Investment: Initially this will cost you some time and will need to be thought through thoroughly.  So you will not only invest time from a system engineer, but also from some people who are good at thinking this through functionally.  Depending on the size of the environment and the current state of the infrastructure, this will take more or less time.
  • Gains: Creating a user or changing somebody’s rights will become much faster than before.  Every resource will be well documented, and once you have your base done, a new implementation or resource takes you about as much time with groups as putting individual rights on it.  You will even be faster with groups when you need to give multiple users access to the new resource.
  • Gains: Documentation.  As every IT pro knows, and also any manager, documentation is crucial.  This documentation can immediately be used for your Business Continuity Plan and for your Disaster Recovery Plan.  How cool is that…
  • Transparency: Control your access rights from one single point: your Active Directory.  Making it easy to provide better security.
  • No more loss of time checking 20 Excel sheets for who has access where.  Everything is in Active Directory.  If you need a list, make an LDAP query and get the Member Of list for your users, and there you go.
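The three-group model above, scripted as an added example (my own code, not from the post): it assumes the ActiveDirectory PowerShell module from RSAT, a constructed share path D:\Shares\CompanyBranding, a placeholder OU for the resource groups and a placeholder user jdoe, and it also answers both auditor questions (who can reach the share, and what a given user can reach) straight from AD.

```powershell
# Added example (not from the post): one global security group per access level
# for a file share, the NTFS ACL bound to those groups only, and both auditor
# questions answered from AD. Placeholders: ActiveDirectory module (RSAT) present,
# share at D:\Shares\CompanyBranding, OU below, user jdoe. Run elevated.
Import-Module ActiveDirectory
$share   = 'D:\Shares\CompanyBranding'                 # placeholder path
$groupOU = 'OU=Resource Groups,DC=example,DC=com'      # placeholder OU
$domain  = (Get-ADDomain).NetBIOSName

# GG-S-<Resource>-<Access> naming: name -> description, NTFS rights to grant.
$levels = @{
    'GG-S-CompanyBranding-Read'  = @('Read access to the CompanyBranding file share',  'ReadAndExecute')
    'GG-S-CompanyBranding-Write' = @('Write access to the CompanyBranding file share', 'Modify')
    'GG-S-CompanyBranding-Full'  = @('Full control of the CompanyBranding file share', 'FullControl')
}

# 1. Create the groups (idempotent: skip any that already exist).
foreach ($name in $levels.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security `
                    -Description $levels[$name][0] -Path $groupOU
    }
}

# 2. Put only groups on the share: stop inheriting the parent ACL, keep an explicit
#    ACE for local admins, then one ACE per group. Users never appear directly.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$acl = Get-Acl -Path $share
$acl.SetAccessRuleProtection($true, $false)
$admin = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'BUILTIN\Administrators', 'FullControl', $inherit, $prop, 'Allow'
$acl.AddAccessRule($admin)
foreach ($name in $levels.Keys) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList "$domain\$name", $levels[$name][1], $inherit, $prop, 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $share -AclObject $acl

# 3a. Auditor question "who has access to CompanyBranding?": expand each group,
#     including groups nested in groups.
function Get-ShareAccessReport {
    foreach ($name in $levels.Keys) {
        Get-ADGroupMember -Identity $name -Recursive |
            Select-Object @{ n = 'Group'; e = { $name } }, SamAccountName, objectClass
    }
}

# 3b. Auditor question "what does user X have access to?": the user's Member Of
#     list filtered to resource groups (direct memberships only).
function Get-UserResourceAccess([string]$SamAccountName) {
    Get-ADPrincipalGroupMembership -Identity $SamAccountName |
        Where-Object { $_.Name -like 'GG-S-*' } |
        Get-ADGroup -Properties Description |
        Select-Object Name, Description
}

Get-ShareAccessReport | Format-Table -AutoSize
Get-UserResourceAccess -SamAccountName 'jdoe' | Format-Table -AutoSize
```

Because the group description repeats what the group grants, the second report is the documented link from user to resource that the auditor asks for.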


ILM should be present in your environment, with well-thought-through workflows to provision new users, users that change department, etc.

I think a lot of IT pros know this.  They get the notification from HR that in two hours a new guy will start in department x.  So here is your work list for the next two hours:

  • Create the user in AD
  • Create an email account for this user
  • Add the user to the correct distribution lists (let’s cheat, copy another user from that department, because who knows what this guy needs…)
  • Give him or her manual access to resources
  • Prepare his or her laptop / desktop at the same time (if you’re lucky, you have WDS or SCCM or equivalent, otherwise start building manually) (or worse, you just don’t have any hardware in stock 😉)
  • Prepare the ICT letter for this user
  • Done

The user starts, gets his things, and for the next five days he is sending you tons of email because he doesn’t have access to this or that… which you give him or her ad hoc.  (Or, when you already have the security groups in place… ;-))

The point is, this is a terrible way of letting a user start: he or she already has a bad feeling about local IT and you started off on the wrong foot.  Why?  There is no one capable of doing this in 2 hours or less without making a mistake or forgetting something.  And even if you have the best procedure in place, timing is crucial here, so you slip up.

What’s the solution for this?  ILMv2 or Information Life Cycle Management version 2 (http://www.microsoft.com/windowsserver/ilm2/default.mspx).  For me, this should be a System Center product, because it is meant to manage an environment, to “provision” identity management and to give users great self-service capabilities.  It is not out yet, but is believed to RTM in April 2009.

What can this thing do?  Basically, it gives IT pros the possibility to manage this information flow (such as creating a new user, adding it to the correct groups, giving it an email address and so on) through a defined workflow (with policy management!).

It has policy management, credential management, user management, group management and so on.  Imagine this:

Your HR department enters a new user in its ERM tool.  Automatically a workflow starts and sends emails to the service desk, where the service desk manager approves it and bam, the user is created, has an email address and resides in the correct groups.  At the same time, emails are sent to the application owners and when they approve, these users go into the correct groups and have access.  Furthermore, application owners can change subscriptions to these groups at all times through ILM (which is embedded in a SharePoint console).  You could make user rights and security very transparent through workflows.

ROI?

  • Costs: I don’t know the pricing yet, but this will probably be a huge investment.  Also in time, because you need to create workflows that are suitable for your environment.
  • Savings: No more human error; when the system is running, the users get the rights they need.  When a user moves to another department, it only costs one drag from department A to B and, after approval of the department managers (if you want to work with approvals…), the system does its job and the user has his or her new rights.
  • Savings: Safely give users administrative tasks, and give them one place to fill in the data, which is then put everywhere in the correct place.  (No more filling in a user’s address in five places…)
  • Savings: Users will be happier with internal IT, because they arrive and everything is OK, or they change department and have their new rights immediately.
  • Savings: Maybe stupid, but you will finally be able to tell your manager that you don’t have all the strings in your hands anymore.  No more “GOD” IT pro.  I’ve learned that this is a huge deal!

This product is certainly something to look at when you want easy and secure identity lifecycle management.  With this process, you can actually provision a user quickly, effortlessly and flawlessly.

Microsoft, please consider branding this as a System Center product 😉

Different management systems should be used to monitor, provision, … systems automatically, as much as possible

As said, I am a System Center lover, so here goes… :-)

When you want to work with the Fortified Data Center, you should have a good overview of who is accessing what and who is changing what, and where.

With a good policy, Audit Collection Services from Operations Manager 2007 is the solution.  I even installed it at a bigger company in Belgium that is SOX compliant, and this product does the job.  (Although, if you really want to use this thoroughly, consider SecureVantage as well.)  There are quite a few good posts on Alkin’s blog about ACS; make sure you check them out.

I’m not going to talk about the ROI of this one; I’ll keep that for another post.

Also consider that the more tools you give to your users, the more System Center products you should be thinking about (mobile phones, self-service Hyper-V servers/desktops…).  But again, this will be for another post.

Conclusion

Everybody is convinced of the importance of security.  And the fortified datacenter, while probably still far away, is a great concept that will gain a lot of interest and popularity over the next few years.  But one thing remains the same: after the setup, it needs to be managed.  And how are you going to convince your peers to buy tools and suites for something that is not a direct benefit to a user?  After my meeting with Kai, I became convinced that managing this (and OK, it is actually more than security alone) is necessary to keep mistakes out of the picture.  In this post, I’ve given a few pointers on what you can do to make your life as an IT pro easier, and how you can prove to your peers that this really adds value to your company or infrastructure.

For the Operations Manager products, a more detailed post will follow, because they can do much more than only focus on this datacenter 😉

Comments / remarks are welcome

Cheers,

Mike