Techblog

When I am working with an organization to improve overall network security I start off by looking through logs and in nearly every situation the majority of attacks come from outside of North America.  My next question is “What legitimate reason would someone outside of North America have to reach your network?”, and in many situations the answer is “none”.

For those of you who find yourself in this situation here is some helpful information.

Q1: What does RIR stand for?

A1: Regional Internet Registry

Q2: What does a RIR do?

A2: IANA distrubutes /8 IPv4 address blocks to the 5 RIRs and the RIRs distribute those address’ to organizations, like ISPs, within their region.

Q3: How does this information help me improve my security?

A3:  Using the IANA Ipv4 Address Space Registry we know which RIRs have which IP Blocks.  Since ARIN managed the US, Canada, and some of the Caribbean we can block entire regions that have no legitimate reason to access your network.

Q4: What do you mean “no legitimate reason to access your network”

A4: Well if your organization only deals with customers, clients, etc within North America and Europe then anyone outside of of North America and Europe who tries to access your web servers, email servers, etc is likely doing so for a nefarious reason.

Q5:  Wouldn’t blocking entire regions be dangerous or harmful?

A5:  This depends on your organizational needs, but in most cases the network connections made from regions outside of your organizational influence are done so to harm you.  Blocking these regions is the next logical step and you are already probably blocking large quantities of IPs from these regions anyway, after you responded to a threat.  Simply put the only risk is that you would prohibit legitimate traffic, and this is why you need to ask yourself “Why would someone in X region need to legitimately connect with my network?”

Q6: What’s the benefit from doing this?

A6: If your able to block all traffic outside of ARIN coverage then you should expect to see upwards of 99% reduction in attacks and information gathering.  Very few attacks come from North America and those that do are usually coming in the form of spam, and I credit much of this to the responsiveness from the FBI.  Most countries do not chase after cyber criminals with the same tenacity the US and Canada does and as a result more criminals choose to operate from outside of the ARIN coverage area.  Even in environments that have been actively improving security there is still a sizable reduction in threats detected.

Q7:  What about people who travel outside the country?

A7:  There are several solutions available to work around this problem, but the easiest, and usually most cost effective solution, is to buy a single server who’s sole purpose is for remote access.  This will not open up access for everyday users, but if your Senior Engineer is exploring Africa when a major network outage occurs and they have access to the internet then they can simply remote into the remote system and go from there.   I also should point out that a single cloud server capable of simple remote access via a CLI can be as cheep as 10USD/month.  If you only use the server for emergency international access you could reduce this cost even more.  Just imagine any solution in the same way you currently imagine how you work VPN access or any other security zone access.  You want to block as much as you can as a general rule and then restricted access from a single access point that is heavily managed and monitored.
NOTE:  For email access anyone currently using a mobile device that connects to email via a proxy will still work.  For example if your using a blackberry service or Iphone service then users will still have access to email on their mobile device regardless of where they connect from.  If your using an internal service then you will need to place a mobile mail server that has access.  This is basically a proxy server that allows email to be served from outside the normal RIR restrictions.

By default 2008 R2 has enabled EDNS, but EDNS is not compliant with all domains as of right now.  This causes DNS failures.

Fix

To disable EDns, you can do it from the command prompt, or by editing the registry.

From the command prompt, no restart of DNS is required.  If from the registry, make sure to restart the DNS Server service.

Command prompt: 

dnscmd /config /EnableEDNSProbes 0

No restart is needed.  It takes effect immediately.

or Registry: </>

Create a DWORD called EnableEDNSProbes and set to 0 in HKLM\SYSTEM\CurrentControlSet\services\DNS\Parameters

Restart the DNS Server service for it to take effect.

Here is a link to the source of the fix:

http://weblogs.asp.net/owscott/archive/2009/09/15/windows-server-2008-r2-dns-issues.aspx

Here is the windows kb article on the issue: http://support.microsoft.com/kb/832223

If you are currently using milter-greylist for sendmail then you may have errors in your maillog indicating errors. 

The first error you may see is a {daemon_port} error. 

The next error you may see is a socket unsafe error

The final error you may see is a error indicating that milter-greylist has stopped working.

All 3 of these can be occuring without any noticable issues for users.  In my mind if you can remove an error by updating the config then you should and all 3 of these errors are because the milter-greylist documentation has a weak/broken example for the M4 file.

THE FIX:

Update your M4 milter-greylist entry to:

INPUT_MAIL_FILTER(`milter-graylist’,`S=local:/var/run/milter-greylist/milter-greylist.sock, F=T,T=S:1m;R:2m;E:3m’)dnl
define(`confMILTER_MACROS_CONNECT’,confMILTER_MACROS_CONNECT`,{daemon_port}’)dnl
define(`confMILTER_MACROS_HELO’,confMILTER_MACROS_HELO`,{verify},{client_resolve}’)dnl                                 
define(`confMILTER_MACROS_ENVRCPT’,confMILTER_MACROS_ENVRCPT`,{client_resolve}’)dnl

Please note that this entry is for the default install location for Yum/Fedora.  If you are using another unix flavor, or installed milter-greylist to run from a different location, just update the file path.

ClamAV installation on fedora is not at all simple or straight forward.  ClamAV support and wiki do not properly document the process so here are the steps you need to complete.

packages to install:

clamav-server

clamav-update

clamav-milter

clamav-milter-sysvinit

Then you need to run the bash script found here:

http://github.com/csmart/naa/blob/master/configure-clamd.sh

In the event that link dies:

#!/bin/bash

# Copyright 2009 "Christopher Smart" <m...@christophersmart.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

#This script is for installing and configuring clam-server (clamd) on Fedora

#Variables
VERSION=0.1
COUNTDOWN_TIMEOUT=5
FEDORA_RELEASE="`cat /etc/fedora-release 2>/dev/null`"
FRESHCLAM_CONF="/etc/freshclam.conf"

#These variables are set later, once we know the user
CLAMD_USER=""
CLAMD_CONFIG=""
CLAMD_SYSCONFIG=""
CLAMD_INIT=""
CLAMD_LOGROTATE=""
CLAMD_PID=""
CLAMD_LOG=""

#These variables are set later, once we know clamav-server version
CLAMD_VERSION=""
CLAMD_CONFIG_TEMPLATE=""
CLAMD_SYSCONFIG_TEMPLATE=""
CLAMD_INIT_TEMPLATE=""
CLAMD_LOGROTATE_TEMPLATE=""

#Functions
countdown() {
	i=$1
	echo "If you do NOT want to proceed, hit CTRL+C within $i seconds..."
	while [ $i -gt 0 ]
	do
		sleep 1
		echo -ne "$i.. "
		let i=i-1
	done
}

#Make this more pretty by adding an extra blank line at the beginning
echo ""

#Print help, if requested
if [ "$1" == "help" -o "$1" == "-help" -o "$1" == "--help" -o "$1" == "-h" -o "$1" == "--h" ]
then
	echo "This script configures clamav-server (clamd) on Fedora."
	echo "Version $VERSION"
	echo ""
	echo "Usage:"
	echo " $0 [option] [username] [port]"
	echo ""
	echo "Options:"
	echo " -c creates an instance, overwriting if already exists."
	echo " -r removes an instance."
	echo ""
	echo "Parameters (optional):"
	echo " [username] pass in the username you want clamd to run as, defaults to 'clamav'."
	echo " [port] pass in the port you want clamd to run on, defaults to '3310'."
	echo ""
	echo "Create example:"
	echo " $0 -c me 3311"
	echo ""
	echo "Remove example:"
	echo " $0 -r me 3311"
	echo ""
	echo "Report bugs to m...@christophersmart.com"
	echo ""
	exit 0
fi

#Check that we're running Fedora
if [ -z "$FEDORA_RELEASE" ]
then
	echo "You don't appear to be running Fedora, sorry!"
	echo "Exiting."
	echo ""
	exit 1
fi

#We're running Fedora, so make sure we're root
if [ $EUID -ne 0 ]
then
	echo "You must run this as root. Prepend sudo, or run:"
	echo "su -c '$0 [option] [username] [port]'"
	echo ""
	echo "Exiting."
	echo ""
	exit 1
else
	echo "You appear to be running `echo $FEDORA_RELEASE`, excellent."
	echo ""
fi

#Set clamd user and port
if [ "$1" != "-c" -a "$1" != "-r" ]
then
	CLAMD_USER="clamav"
	CLAMD_PORT="3310"
else
	if [ -z "$2" ]
	then
		CLAMD_USER="clamav"
	else
		CLAMD_USER="$2"
	fi

	if [ -z "$3" ]
	then
		CLAMD_PORT="3310"
	else
		CLAMD_PORT="$3"
	fi
fi

#Variables for config files, now that we know the user
CLAMD_CONFIG="/etc/clamd.d/$CLAMD_USER.conf"
CLAMD_INIT="/etc/init.d/clamd.$CLAMD_USER"
CLAMD_LOGROTATE="/etc/logrotate.d/clamd-$CLAMD_USER"
CLAMD_PID="/var/run/clamd.$CLAMD_USER"
CLAMD_LOG="/var/log/clamd.$CLAMD_USER"
CLAMD_SYSCONFIG="/etc/sysconfig/clamd.$CLAMD_USER"
CLAMD_CHKCONFIG="/sbin/chkconfig clamd.$CLAMD_USER"

#Removing existing instance of clamd for specified user, if told to do so
if [ "$1" == "-r" ]
then
	echo "**WARNING** Removing clamd instance for user '$CLAMD_USER'."
	countdown $COUNTDOWN_TIMEOUT
	echo ""
	echo "OK then, proceeding.."
	echo ""

	#Check to see if there's a configuration for that user already
	if [ ! -e $CLAMD_CONFIG ]
	then
		echo "No clamd instance found for user '$CLAMD_USER'."
		echo "Exiting."
		echo ""
		exit 1
	fi	

	#Stop and disable daemon
	$CLAMD_INIT stop &>/dev/null
	if [ $? -ne 0 ]
	then
		echo "Could not stop service, sorry."
		echo ""
		echo "Instance of clamd for user '$CLAMD_USER' NOT removed."
		echo "Exiting."
		echo ""
		exit 1
	fi

	#Turn off daemon
	$CLAMD_CHKCONFIG off &>/dev/null

	#Remove configs and logs, etc
	rm -f $CLAMD_CONFIG 2>/dev/null
	rm -f $CLAMD_INIT 2>/dev/null
	rm -f $CLAMD_LOGROTATE 2>/dev/null
	rm -rf $CLAMD_PID 2>/dev/null
	rm -f $CLAMD_LOG 2>/dev/null
	rm -f $CLAMD_SYSCONFIG 2>/dev/null
	unlink /usr/sbin/clamd.$CLAMD_USER 2>/dev/null

	#Remove user?
	if [ -n "`id $CLAMD_USER 2>/dev/null`" ]
	then
		#User exists, so ask if it should be removed
		echo -e "**WARNING** DO YOU WANT TO REMOVE THE USER FROM THE SYSTEM? (y/N): \c "
		read answer
		echo ""
		if [ "$answer" == "y" -o "$answer" == "Y" ]
		then
			#Remove user and confirm success
			echo "OK, removing user '$CLAMD_USER' from the system."
			userdel -r $CLAMD_USER 2>/dev/null
			if [ $? -eq 0 -o $? -eq 12 ]
			then
				echo "User removed successfully."
				echo ""
			else
				echo "**WARNING** Could not remove clamd user from the system. Perform manually."
				echo ""
			fi
		else
			echo "OK, user will NOT be removed."
			echo ""
		fi
	else
		echo "User does not exist in the system, not removing."
		echo ""
	fi
	echo "Instance of clamd for user '$CLAMD_USER' has been successfully removed."
	echo ""
	exit 0
fi

#Creating
echo "Configuring clamd to run as user '$CLAMD_USER' on port '$CLAMD_PORT'."
echo ""
countdown $COUNTDOWN_TIMEOUT
echo ""
echo "OK then, proceeding.."
echo ""

#Checking to see if required packages are installed or not
echo "Checking for required packages.."
if [ -n "`rpm -qa |grep clamav`" -a "`rpm -qa |grep clamav-update`" -a "`rpm -qa |grep clamav-server`" ]
then
	echo "Required packages already installed."
	echo ""
else

	#Install required packages
	echo "Installing required clamav packages.."
	echo ""
	yum -yq install clamav clamav-server clamav-update
	echo ""

	#Check that the install was successful (or already installed)
	if [ -n "`rpm -qa |grep clamav`" -a "`rpm -qa |grep clamav-update`" -a "`rpm -qa |grep clamav-server`" ]
	then
		echo "Packages successfully installed."
		echo ""
	else
		echo "Problem installing required packages, sorry."
		echo ""
		echo "Instance of clamd for user '$CLAMD_USER' NOT created successfully."
		echo "Exiting."
		echo ""
		exit 1
	fi
fi

#Get version of clamd, now that it's installed
CLAMD_VERSION="`rpm -qa |grep clamav-server |awk -F "-" {'print $3'} 2>/dev/null`"

#Variables for template files now that we know the version of clamav-server installed
CLAMD_CONFIG_TEMPLATE="/usr/share/doc/clamav-server-$CLAMD_VERSION/clamd.conf"
CLAMD_SYSCONFIG_TEMPLATE="/usr/share/doc/clamav-server-$CLAMD_VERSION/clamd.sysconfig"
CLAMD_INIT_TEMPLATE="/usr/share/doc/clamav-server-$CLAMD_VERSION/clamd.init"
CLAMD_LOGROTATE_TEMPLATE="/usr/share/doc/clamav-server-$CLAMD_VERSION/clamd.logrotate"

#Create clamav user if doesn't exist
#This should be the user who wants to talk to clamd, else user clamav must have read (and possibly write) access on the files.
echo "Checking for clamav user, '$CLAMD_USER'.."

if [ -z "`id $CLAMD_USER 2>/dev/null`" ]
then
	useradd $CLAMD_USER -r -c "User for clamd" -d /dev/null -M -s /sbin/nologin 2>/dev/null
	if [ $? -ne 0 ]
	then
		echo "Unable to create new clamd user, '$CLAMD_USER', sorry."
		echo ""
		echo "Instance of clamd for user '$CLAMD_USER' NOT created successfully."
		echo "Exiting."
		echo ""
		exit 1
	else
		echo "Created new user."
		echo ""
	fi
else
	echo "User already exists, not creating."
	echo ""
fi

#Copy and configure clamd configuration file
echo "Configuring clamd to do all the right things.."

#Check that ALL required template files exist before continuing
if [ ! -e "$CLAMD_CONFIG_TEMPLATE" -o  ! -e "$CLAMD_SYSCONFIG_TEMPLATE" -o ! -e "$CLAMD_INIT_TEMPLATE" -o ! -e "$CLAMD_LOGROTATE_TEMPLATE" ]
then
	echo "Could not find required template files under /usr/share/doc/clamav-server-$CLAMD_VERSION/, sorry."
	echo ""
	echo "Instance of clamd for user '$CLAMD_USER' NOT created successfully."
	echo "Exiting."
	echo ""
	exit 1
fi

#Check to see if an instance of clamd for user already exists
if [ -e $CLAMD_CONFIG ]
then
	echo "Instance of clamd already exists, clobbering.."
	#Stop existing daemon to enable new one
	/etc/init.d/clamd.$CLAMD_USER stop &>/dev/null
	#Remove existing config because 'cp' is aliased with -i and we don't want a prompt
	rm -f $CLAMD_CONFIG 2>/dev/null
fi

#Check to see if the port is already in use, if so, increment by one until we find something that's free
PORT_INUSE=0
while [ -n "`netstat -ltn |grep ":$CLAMD_PORT"`" ]
do
	CLAMD_PORT=$(($CLAMD_PORT+1))

	PORT_INUSE=1
done
if [ $PORT_INUSE == 1 ]
then
	echo "Port was already in use, using '$CLAMD_PORT' instead."
fi

#Make sure directory exists, which it should if clamav-server is installed (but you never know)
mkdir -p /etc/clamd.d 2>/dev/null

#Copy over the template file
cp -f $CLAMD_CONFIG_TEMPLATE $CLAMD_CONFIG 2>/dev/null
sed -i 's/clamd.<SERVICE>/clamd.'$CLAMD_USER'/' $CLAMD_CONFIG
sed -i 's/^Example/#Example/' $CLAMD_CONFIG
sed -i 's/^#LogFile/LogFile/' $CLAMD_CONFIG
sed -i 's/^#PidFile/PidFile/' $CLAMD_CONFIG
sed -i 's/^LocalSocket/#LocalSocket/' $CLAMD_CONFIG
sed -i 's/^#TCPSocket\ 3310/TCPSocket\ '$CLAMD_PORT'/' $CLAMD_CONFIG
sed -i 's/^#TCPAddr/TCPAddr/' $CLAMD_CONFIG
sed -i 's/<USER>/'$CLAMD_USER'/' $CLAMD_CONFIG
echo "Done."
echo ""

#Copy and configure clamd for log rotation
if [ -d /etc/logrotate.d ]
then
	echo "Configuring log rotation for clamd.."

	#Try to remove existing log rotate config, whether it exists or not because 'cp' is aliased with -i
	rm -f $CLAMD_LOGROTATE 2>/dev/null
	cp -f $CLAMD_LOGROTATE_TEMPLATE $CLAMD_LOGROTATE
	sed -i 's/clamd.<SERVICE>/clamd.'$CLAMD_USER'/' $CLAMD_LOGROTATE
fi
echo "Done."
echo ""

#Configuring clamd under sysconfig
echo "Configuring clamd under syconfig.."

#Try to remove existing config, whether it exists or not because 'cp' is aliased with -i
rm -f $CLAMD_SYSCONFIG 2>/dev/null

#Copy over the template file
cp -f $CLAMD_SYSCONFIG_TEMPLATE $CLAMD_SYSCONFIG 2>/dev/null
sed -i 's/<SERVICE>/'$CLAMD_USER'/' $CLAMD_SYSCONFIG
sed -i 's/^#CLAMD/'CLAMD'/' $CLAMD_SYSCONFIG
echo "Done."
echo ""

#Configuring clamd init script
echo "Configuring clamd init script.."

#Try to remove existing config, whether it exists or not because 'cp' is aliased with -i
rm -f $CLAMD_INIT 2>/dev/null

#Copy over the init script
cp -f $CLAMD_INIT_TEMPLATE $CLAMD_INIT 2>/dev/null
sed -i 's/<SERVICE>/'$CLAMD_USER'/' $CLAMD_INIT
ln -s /usr/sbin/clamd /usr/sbin/clamd.$CLAMD_USER 2>/dev/null
$CLAMD_CHKCONFIG on
#Check that was successful
if [ $? -ne 0 ]
then
	echo "Could not turn service on, sorry."
	echo "Exiting."
	echo ""
	exit 1
fi
echo "Done."
echo ""

#Configure freshclam
echo "Enabling freshclam, the clamav updater.."
sed -i 's/^Example/#Example/' $FRESHCLAM_CONF

#Should we set the proxy too, if in env?
echo "Done."
echo ""

echo "Creating required directories and starting service.."
#Setup logs
touch $CLAMD_LOG
chown $CLAMD_USER:$CLAMD_USER $CLAMD_LOG
chmod 0620 $CLAMD_LOG

#Setup run socket
mkdir $CLAMD_PID 2>/dev/null
chown $CLAMD_USER:$CLAMD_USER $CLAMD_PID/

#Start services
/etc/init.d/clamd.$CLAMD_USER start &>/dev/null
if [ $? -ne 0 ]
then
	echo "Could not start service, sorry."
	echo "Continuing."
	echo ""
fi
echo "Done."
echo ""

#Print summary
echo "The clamd service has been successfully installed and configured with:"
echo "User '$CLAMD_USER' on port '$CLAMD_PORT'."
echo ""
echo 'Have fun!'
echo ""

Now open clamav-milter.conf (/etc/mail/clamav-milter.conf)

comment out:

#Example

Add/Change:

MilterSocket /var/run/clamav-milter/clamav-milter.socket

ClamdSocket unix:/var/run/clamd.clamav/clamd.sock
ClamdSocket tcp:localhost

Now open clamd.conf (/etc/clamd.conf)

comment out:

#User <USER>

Add/Change:

LocalSocket /var/run/clamd.clamav/clamd.sock

Your services are named

THIS INSTALL = OTHER DISTROS

clamd.clamav = clamd

clamav-milter = clamav-milter

In Sendmail you need to edit the m4 file:

add/change:

INPUT_MAIL_FILTER(`clamav-milter',`S=local:/var/run/clamav-milter/clamav-milter.socket,F=T, T=S:4m;R:4m')dnl
define(`ConfINPUT_MAIL_FILTERS', `clamav-milter')dnl

At this point you will need to restart all 3 services (clamd.clamav, clamav-milter, sendmail)

Keep in mind that this process will enable clamav, but by default clamav doesn't do anything.  You will still need to configure clamav, but this process is just like any other distro.

Windows 7 Trial has been extended thru Dec 31, 2010:

http://technet.microsoft.com/en-us/evalcenter/cc442495.aspx

If you have a Cisco ASA and are having problems recieving a DHCP address there are a couple things you should know.

1) Prior to ASA version 7.2.2 (22) there is no way to assign a “client-id”.

2) client-id is a requirement for many ISPs to recieve a DHCP address.

Solution:

1) Need ASA IOS 7.2.(2).22 or higher

2) DO NOT USE ‘Cisco<MAC>-interfaxce_name-<host>’ as the client-id

3) perform the command:

Interface vlanX

dhcp client route distance 1

ip address  dhcp setroute

dhcp-client client-id interface outside

with vlanX being the correct vlan for your outside interface.

Anyone who knows me personally knows how serious I take the IPv6 change over. Here is a counter I found that shows the exhaustion to occur in Sept 2011.
http://inetcore.com/project/ipv4ec/index_en.html

Here are some other tools they have offered:

1) IPv4/IPv6 Address checker:
http://inetcore.com/project/46checker/index.html.en

2) Internet Metrics:
http://inetcore.com/project/metrics/index.html.en

3) IPv4/IPv6 Meter: (I will be adding this here as soon as I setup IPv6 here)
http://inetcore.com/project/46meter/index.html.en

Normally I do not link to other articles, but today I came accross this article and thought it was a critical piece of information for so many organizations planning for VMWare Clustering.

http://virtualfuture.info/2010/02/vsphere-cluster-max-4-esx-hosts-per-location-because-of-ha-limitations/

Here is a copy of the information incase the link dies.

vSphere cluster: max 4 ESX hosts per “location” because of HA limitations?
posted by Matthijs Haverink February 3, 2010Not a lot of info is found when you Google for manually selecting/fixing the primary HA nodes in a VMware VI or vSphere environment. Of course Duncan Epping has a couple of extremely interesting posts on Yellow-Bricks.com concerning HA even when it comes down to selecting or promoting the HA status of ESX nodes (a must read!), but I want more …

Let’s start with what I assume to know about HA:

- HA works with primary and secondary HA nodes
- The primary nodes are aware of the states and configs of all nodes in an HA cluster
- The secondary nodes depend on the primary nodes
- There is an supported limit of 5 primary HA nodes per cluster
- The first 5 ESX hosts that are added in a HA cluster are initially defined as primary HA nodes
- All the other hosts that are added to the HA cluster are configured as secondary HA nodes
- There’s a way to configure a HA node as primary or secondary, however it’s not possible to configure an ESX host as a “fixed” primary HA node:

/opt/vmware/aam/bin/Cli
AAM> promotenode (Configure host as a primary HA node)

/opt/vmware/aam/bin/Cli
AAM> demotenode (Configure host as a secondary HA node)

- One primary HA node is the Active Primary HA node; this node coordinates the restarts of the VM’s that went down with “crashed” host.
- When the Active Primary HA node goes down, another primary is (s)elected as Active Primary HA node” and takes over the coordinating role.
- A new primary is chosen when another primary is disconnected from the cluster in one of these situations:

(Re)configuring HA on a host
Disconnecting a host from the cluster (manually or by failure)
Removing a host from the cluster
In case of a HA failure
Putting a host into maintenance mode
Especially when you read the last bullet we can establish that HA roles are really dynamic in a VI/vSphere environment. This means that you have no control over the physical location of the primary and secondary roles.

And this is what my post is about:

This situation freaks me out because when you have a larger environment with a couple of possible failure domains as I’d like to call them (represented by any physically separated group of hosts within an HA cluster like different blade chassis or different server rooms) you want to have control over the placement of these HA roles.

And as I stated earlier Duncan Epping has some interesting articles like the HA deep dive and the Primary and Secondary nodes, pick one! which describe how to select a role for a host but this selection is not static; whenever a primary host is disconnected (Maintenance mode, Reconfigure HA and so on) there is a reelection and you lose control over the role placement.

So what if all 5 primaries HA nodes are on the same “possible failure domain” (say blade chassis) and that goes down? Well you just lost all your HA nodes that know what to do in case of a host-failure, so HA won’t work!

We’ll have to nuance the drama a bit: if 5 hosts of a “10 ESX host cluster” go down, you have a major issue anyway, if HA works or not, because you lost half of your capacity.

But you do have to realize that if HA is configured correctly, the 5 remaining hosts have some resources available, you have your primaries separated over the 2 locations and you have defined the start-up rules for the most important VM’s, these important VM’s will be booted up.

If you have the same situation as above but with all 5 primary HA nodes down because they were physically grouped, HA won’t work and none of the crashed VM’s will be booted up automatically!

During VMworld 2009 Marc Sevigny from VMware explained that they were looking into an option which would enable you to pick your primary hosts.This would solve the problem but until then the only solution is to keep your clusters limited to a total of 8 ESX hosts , 4 ESX hosts per “possible failure domain”.

I’m curious if I’m the only one running into this challenge; please let me know!

P.S. Special kudo’s go to Remon Lam from vminfo.nl who discovered this “feature” and reviewed the article .

I am still shocked when an organization tells me that they do not have a complete asset management solution.  Often the reason provided is cost and while OCS lacks “fancy pants” it is my product of choice for organizations trying to reduce software cost. 

OCS supports all the major Windows and Linux, including MacOS X, operating systems.  The OCS Inventory NG Server only works on server based OS, but the agent is compatible with workstation and server OS.  Windows agents can even be deployed thru GPO.

OCS is released under the GNU Public License.  Which means the product is 100% free to use.

You can see all of the information you need, and the download, here:

http://www.ocsinventory-ng.org

Blackberry (RIS) is releasing a “FREE” version of the Blackberry Enterprise Server. The express version, as it is being called, can be found here: http://na.blackberry.com/eng/services/business/server/express/

It is basically a full version. Very little is held back and most of those features are geared toward large organizations.