IT as a Service with System Center 2012
Over the past couple of weeks I’ve been working with Microsoft’s System Center 2012 suite of products in our development environment. This suite contains new and revised offerings for managing an enterprise IT infrastructure, with a strong emphasis on the concept of a private cloud. At the center of the suite is System Center Configuration Manager 2012, which provides the framework for deploying operating systems, applications, updates, and security patches. In addition to SCCM 2012, the suite includes System Center Service Manager, Operations Manager, Orchestrator (formerly called Opalis), and the new Virtual Machine Manager 2012.
System Center Service Manager (SCSM) 2012 provides incident and problem management, change control and knowledge management. As you can see, SCSM acts as a service desk, ticketing system and CMDB. As with the entire suite, this product focuses on providing these tools to the end user in a more efficient and user-friendly manner while still providing the fundamentals required to effectively manage an IT infrastructure on ITIL and Microsoft Operations Framework best practices. Operations Manager is a network monitoring tool which integrates with SCSM to provide insight into the health and stability of your entire environment. The most intriguing aspect of Operations Manager is its ability to monitor not just Windows-based machines but also Linux and SNMP devices. Most environments undoubtedly have some Linux machines, usually providing mission-critical applications, and it was wise of Microsoft to acknowledge this and build this ability into the product.
In my opinion the most interesting product in the suite is Virtual Machine Manager 2012, which is a new offering by Microsoft. Virtual Machine Manager, as the name suggests, is a tool to manage the ever-growing virtual environment. Again Microsoft made the decision to support not only its own product, Hyper-V, but also virtualization products from others like VMware and Citrix.
The last major piece of the suite is Orchestrator 2012, which was formerly called Opalis. It provides automation features through runbooks and workflows and integrates those into the other System Center products. These products all work in conjunction with one another to provide an extensive and viable solution for any size IT environment. Microsoft’s goal was to present the end user with a framework to interact with the IT infrastructure and systems through self-service portals and automation, alleviating some of the pressure on the IT team while still maintaining the structure needed to reduce costs and maintain business best practices. Currently these products are in RC status and are expected to be officially released within the next few months. There are several blogs and tutorials on installing and configuring these products which I’m positive do a better job than I’m capable of here. Here are some of the issues I came across and the solutions I discovered.

I’ll briefly outline the architecture of the development environment I used to test these solutions. For my testing I was able to use virtual machines created with VMware ESX 5 for all the required servers. During the testing there were no problems related to the VM infrastructure and no compatibility issues with the System Center suite. I installed all machines on Windows Server 2008 R2 Standard edition Service Pack 1 with 40 GB virtual hard drives and 4 GB of RAM dedicated to each VM. A total of 5 VMs were used to build the testing environment: one each for Configuration Manager and Service Manager, and one for the SQL database which supports all the products. Operations Manager requires two separate machines for the management console and the data warehouse role.
All the products are available from Microsoft at http://technet.microsoft.com/en-us/evalcenter/ . Microsoft even includes a download for the required SQL database which the servers require access to. The first caveat to deploying and testing this solution was to use the correct Microsoft SQL build: the RC version of System Center will install only on SQL Server 2008 SP2 with CU7 or SQL Server 2008 R2 with CU4. Save yourself some headaches and build your database first and update with the supported CU for your SQL version. Once the database is completed we can begin to look at the architecture for the suite. First I installed Configuration Manager on its own individual VM. There are some great blogs out there on installing and configuring SCCM 2012 but by far the most useful one is http://www.windows-noob.com/forums/index.php?/forum/103-configuration-manager-2012-release-candidate/. Microsoft has also created this survival guide, http://social.technet.microsoft.com/wiki/contents/articles/7075.system-center-2012-configuration-manager-survival-guide.aspx , which provides a good collection of the quality information available. Overall the installation is pretty straightforward once you set up the user security accounts. The installer does a great job of detecting any missing dependencies before installation and providing guidance on resolving any issues. If you don’t plan ahead for the security accounts, the installation and later configuration will become quite a bit more difficult and confusing. I highly recommend reading the documentation provided by Microsoft on TechNet http://technet.microsoft.com/en-us/library/hh427337.aspx and planning, creating, and assigning privileges to the accounts you will use before starting the installation. On my first installation I tried to use a single administrator account and soon realized this was a bad approach to use. The only problems I encountered deploying Configuration Manager were related to permissions.
After Configuration Manager the next most logical deployment is Operations Manager. As I stated earlier, there are two required roles for the Operations Manager product, Management Server and Data Warehouse Server. The installer will walk you through the prerequisites and should be pretty self-explanatory for each of these. Of all the installations I did, I feel this one gave me the most grief, though. The first issue which tripped me up was the SQL database. SCCM and Operations Manager can both be installed using the same database server but require separate database instances. Additionally, the new Operations Manager database instance requires the same CU update which the Configuration Manager database instance required. The second issue which was confusing was the Operations Manager Reporting Services option during the installation. Reporting Services must be installed on the database server itself. This is simplest when initially installing the database, which is pretty standard. However, the confusing part is that the System Center Operations Manager Reporting Services must also be installed on the database server to take advantage of these features. I mistakenly was trying to install this option on the Operations Manager Management Server during installation and not on the SQL server where the reporting services were installed. After correcting this mistake the installation went smoothly.
The third major installation revolves around Service Manager 2012. Again this server requires the support of a SQL database. I used the same database instance which I used for Configuration Manager. This setup did not cause any difficulty. The installation for Service Manager again requires careful thought and planning in regard to permissions and user accounts. Again I suggest the TechNet documentation as a starting point for preparation. This installation is very similar to the previous two. The other pieces of the suite, Virtual Machine Manager and Orchestrator, are very simple installations and should cause no issues if you’ve successfully deployed the previous servers. Since this was a testing environment I installed Virtual Machine Manager on the Configuration Manager Server and Orchestrator on the Service Manager Server.
Now that all the systems are installed, the real fun of configuring and setting up the environment begins. Configuration Manager 2012 should be fairly comfortable to those who have used previous versions of the product. There are a couple of major conceptual changes in regard to the addition of boundary groups and the changes to the previous advertisement system. Learning these new concepts should be pretty easy as both aren’t very complex. The new architecture model for Configuration Manager is much more scalable than before. SCCM now supports a Central Administration Site (CAS), which of course acts as a central management point for Primary SCCM Servers. This allows the solution to scale and still be manageable. Distribution Points also received an update and are now capable of PXE deployment, which helps the scalability. With the changes to distribution points, Secondary Sites should not need to be deployed as frequently as before. When testing Secondary Site functionality I did run into the biggest bug in my testing. One of the requirements for testing this solution was the capability to handle multiple sub domains. Initially I installed a Secondary Site for each sub domain, which was not an issue. However, PXE deployments would not work from a secondary site. A considerable amount of time was spent trying to troubleshoot and resolve this problem until this was discovered as a known bug and acknowledged by Microsoft as broken as of the SCCM 2012 RC2 release. If you plan on testing out System Center 2012 I recommend registering at https://connect.microsoft.com/ and signing up for the related products and making this your first stop for troubleshooting guidance. Once the Secondary Site was ruled out as a solution, the distribution point became the logical replacement and worked per our requirements.
Previously I mentioned Microsoft’s focus on making IT services more user centric. They accomplish this through the new portals in Configuration Manager and Service Manager. The Configuration Manager Web Application Catalog provides a web interface where users can request, install, and remove applications with or without supervisory approval. These applications are assigned based on user collections so access control can be maintained. Once this feature is installed and configured, the process of installing applications requires very little interaction from IT staff, freeing their time and resources for other projects. Service Manager also comes with the option to install a Self Service Portal based on SharePoint Foundation. This portal has a significant amount of potential; however, it also requires a proportionate amount of time to execute and customize. Once installed, the Self Service portal can be used by your end users to create and update incidents, research common problems and solutions, request services, add new employees and more. What really makes this portal special is that each of these requests can be linked to automated tasks using runbooks to execute tasks such as sending and receiving notifications for approval, or even regular activities like creating new users and provisioning resources. Obtaining this level of functionality will take some time and effort but is achievable and should offer a return. Unfortunately the portal is not very customizable without considerable effort and thus I’m afraid most won’t make use of these features because of the inability to easily manipulate the look and feel. Overall the self-service portal seems to lack the polish of the rest of the suite.
Microsoft’s decision to include support and integration of non-Windows-based platforms is demonstrated by Operations Manager and Virtual Machine Manager. Operations Manager provides network monitoring, with or without an agent, for the environment and includes support for several of the primary licensed Linux distributions. Hopefully the list of supported distributions grows by release time to include the community versions like Debian and CentOS; somehow that seems unlikely, though. Of all the products, Virtual Machine Manager has received the least amount of attention but definitely brings some interesting functions to the suite, most notably the ability to manage multi-vendor virtualized environments as one through one console. Obviously this is a smart decision to remove some of the barriers to testing or adopting a different virtualization platform, and of course Microsoft is hoping that platform is Hyper-V.
System Center 2012 also includes End Point Protection (Anti Malware / Virus) and Data Protection Manager 2010, a Microsoft-based backup and protection system. System Center roles and features can be used in part or as an entire solution, and the suite is an exciting and ambitious endeavor by Microsoft. From the amount of attention it’s gathering, many people feel the same. Undoubtedly your organization may have deployed some or all of these services and solutions, but to have them all from one vendor and under one license is unlikely. This type of consolidation and addition of features could be intriguing and might be worth the effort of migrating during the next refresh cycle.
IT as a Service Utility Model -simplyfi IT
Yesterday we covered how IT is evolving to become a utility. The focus of the second part of simplyfi IT’s web-cast was directed at providing a mechanism to measure the cost of IT, or simply put, the cost per employee (CPE). As IT complexity rises in organizations so does cost. The model of providing ‘IT as a Service’ is geared to reduce cost without compromising the quality of service. This also allows IT to focus on solving more complex problems with customized applications instead of provisioning a desktop. And thus drives the value of IT to a greater alignment to the business objectives and outcomes.
Security & Risk Management: Preparing for Mobile, Cloud & Persistent Threats Seminar 2-16 at 1:00 PM CT Chicago Union League Club
Come join us to learn more about persistent threats in a global world. Advanced Persistent Threats are escalating. Are you ready?
Mobile & Cloud computing are exciting trends that are driving business growth but also bring with them increased risk. In many cases, these varied platforms are being brought into the company by the business and then dropped into your lap to figure out the security impact on the company.
And the security risk is real. Here are a few highlighted by CSO Magazine, online:
- Smart Phone (and tablet) Data breaches
- Need for better access control and identity management
- The Risk of multiple cloud tenants
- Ongoing compliance concerns
- Need and emergence for cloud standards and certifications.
And these issues are the tip of the iceberg.
100% software Linux Router, firewall and VPN and more
Our Calcutta Netgear gateway/firewall/VPN router recently went up in fumes, literally. We couldn’t source any effective hardware replacement at a decent cost. So I started looking at alternatives.
We had used Linux based gateways and firewalls for years, and I had toyed with Linux IPsec about three years ago when we set up our initial VPN. Then it seemed too cumbersome and I couldn’t find a tool to create the VPN easily and quickly. So we bought new hardware from the US and deployed it in India and the US. The FVS318 is a good router; it was easy to set up and hardly ever gave us any trouble till one of them passed on. We used it for everything from SNMP to VoIP. However, there was no monitoring, reporting or any fancy stuff.
This time around I decided to bite the bullet and go pure Linux. IPsec was built into the kernel, and better supported. I referred to the instructions here.
http://www.ipsec-howto.org/x304.html
http://ipsec-tools.sourceforge.net/checklist.html
On a high level here is what I did:
- Turned off the firewall on both gateways and enabled IP forwarding:
sysctl -w net.ipv4.ip_forward=1
- Updated the kernels using yast.
- Updated the IPsec tools using yast.
- Configured the Security Association Database and Security Policy Database using setkey.conf
- Turned on the tunnel using setkey -f
- Tested ssh, ping and http between the red and blue zones. Note: routers are not able to access the opposite network directly.
- Modified /etc/sysconfig/SuSEfirewall2 and added the following:
* FW_NOMASQ_NETS="0/0,10.50.0.0/21" on chigateway and similarly on the kolgateway.
* FW_FORWARD="10.50.0.0/21,10.60.8.0/21 10.60.8.0/21,10.50.0.0/24" on both gateways
That’s it. It worked like a charm.
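The setkey.conf step is where manual keying most often goes wrong: both gateways need identical SAD entries but mirrored SPD entries, and the keys are static, so they have to be strong and the file has to stay private. The script below is an added example, not the configuration from this post; the gateway addresses are documentation placeholders, the mapping of subnet to site is assumed, and the cipher choice (rijndael-cbc with hmac-sha1) is the example's own.

```shell
#!/bin/sh
# Added example: build mirrored setkey.conf files for a manually keyed ESP tunnel.
# Gateway addresses are documentation placeholders, and which subnet sits behind
# which gateway is an assumption; the subnets themselves come from the post.
CHI_GW=192.0.2.1      CHI_NET=10.50.0.0/21   # chigateway (assumed mapping)
KOL_GW=198.51.100.1   KOL_NET=10.60.8.0/21   # kolgateway (assumed mapping)

# Print $1 random bytes as lowercase hex. Manual keying has no IKE to
# negotiate keys, so every key must come from the kernel CSPRNG.
rand_hex() {
    od -An -N"$1" -tx1 /dev/urandom | tr -d ' \n'
}

# SAD: one ESP SA per direction; this section must be identical on both gateways.
# $1/$2 = gateway A/B, $3/$4 = enc/auth key A->B, $5/$6 = enc/auth key B->A
emit_sad() {
    cat <<EOF
add $1 $2 esp 0x201 -m tunnel -E rijndael-cbc 0x$3 -A hmac-sha1 0x$4;
add $2 $1 esp 0x301 -m tunnel -E rijndael-cbc 0x$5 -A hmac-sha1 0x$6;
EOF
}

# SPD as seen from one gateway; the peer's file swaps "in" and "out".
# $1 = local gateway, $2 = remote gateway, $3 = local net, $4 = remote net
emit_spd() {
    cat <<EOF
spdadd $3 $4 any -P out ipsec esp/tunnel/$1-$2/require;
spdadd $4 $3 any -P in ipsec esp/tunnel/$2-$1/require;
EOF
}

# Whole file for side $1 ("chi" or "kol"), using the K_* keys set by write_pair.
emit_conf() {
    printf '#!/usr/sbin/setkey -f\nflush;\nspdflush;\n'
    emit_sad "$CHI_GW" "$KOL_GW" "$K_CK_E" "$K_CK_A" "$K_KC_E" "$K_KC_A"
    case $1 in
        chi) emit_spd "$CHI_GW" "$KOL_GW" "$CHI_NET" "$KOL_NET" ;;
        kol) emit_spd "$KOL_GW" "$CHI_GW" "$KOL_NET" "$CHI_NET" ;;
        *)   echo "unknown side: $1" >&2; return 1 ;;
    esac
}

# Reject a file whose keys are not 256-bit (cipher) and 160-bit (HMAC), or that
# lacks exactly one "in" and one "out" policy at level "require".
check_conf() {
    [ "$(grep -Ec '^add .* 0x[0-9a-f]{64} -A hmac-sha1 0x[0-9a-f]{40};$' "$1")" -eq 2 ] &&
    [ "$(grep -c -- ' -P out ipsec .*/require;$' "$1")" -eq 1 ] &&
    [ "$(grep -c -- ' -P in ipsec .*/require;$' "$1")" -eq 1 ]
}

# Generate four fresh keys and write both files into directory $1, mode 0600.
write_pair() {
    K_CK_E=$(rand_hex 32); K_CK_A=$(rand_hex 20)
    K_KC_E=$(rand_hex 32); K_KC_A=$(rand_hex 20)
    ( umask 077
      emit_conf chi > "$1/setkey.conf.chi" &&
      emit_conf kol > "$1/setkey.conf.kol" ) &&
    check_conf "$1/setkey.conf.chi" && check_conf "$1/setkey.conf.kol"
}

DEMO_DIR=$(mktemp -d) && write_pair "$DEMO_DIR" &&
    echo "wrote setkey.conf.chi and setkey.conf.kol in $DEMO_DIR"
```

Each gateway loads only its own file with setkey -f; the files carry the tunnel keys in clear text, so move them between sites over a channel that is already authenticated and encrypted.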
Appreciate all the math in the world – Happy Pi Day
Celebrate Pi Day!
Pi, Greek letter (π), is the symbol for the ratio of the circumference of a circle to its diameter. Pi Day is celebrated by math enthusiasts around the world on March 14th. Pi = 3.1415926535…
With the use of computers, Pi has been calculated to over 1 trillion digits past the decimal. Pi is an irrational and transcendental number, meaning it will continue infinitely without repeating. The symbol for pi was first used in 1706 by William Jones, but became popular after it was adopted by the Swiss mathematician Leonhard Euler in 1737. Learn more about Pi.
From www.piday.com
Gartner Identity and Access Management Summit Roundup
Late last year I attended the Gartner Identity & Access Management Summit. This post has been in draft mode for a while. Finally I am getting around to finishing it.
In conversations with clients, prospects and vendors about IAM solutions, Gartner reports and magic quadrants often come up. The reports are cited and recited by all vendors to prove their respective strengths. I have had a chance to read some of the reports and always wondered who the analysts are who pass judgment with such authority on subject matters. No matter how refined a study, before I trust a judgment I need to know who the judge is, who the people behind it are, and what their qualifications and motives are. So when I saw this opportunity to have first-hand experience listening to and interacting with the analysts, I jumped at it.
Going into the conference I wondered: What is the methodology of their research? What is the depth of their knowledge when they make a statement and make recommendations? How much is all this punditry qualified? How are they influenced by corporate sponsors and contracts? How to read the magic quadrant? Are there any other dimensions to the quadrant? What are the sources of the information for the analyses?
I stepped into the keynote with an open mind. The first impression was very good. Earl Perkins gave a very good insight into the state of IAM and how it has matured over the years. It was a fresh light on the subject. A holistic approach of looking at IAM. Earl was impressive and authoritative; his talk was very informative. If nothing else one should listen to the keynote. So it seemed that the analysts do know their subject matter at a high level.
I attended a number of sessions; here is My Agenda for the event. One of the most popular sessions was Best Practices for Vendor Selection – The Gartner Magic Quadrant. The analysts explained additions, removals and changes from last year’s quadrants. They downplayed using this tool as the primary means of selecting a vendor. As one analyst summed up - “Suffice to say, that choosing the vendor in any particular corner of the magic quadrant, doesn’t necessarily mean the best or the worst possible option for your enterprise”. The magic quadrant is not as holy as it is made out to be. It was good that the analysts did not present it otherwise.
During my conversations with analysts I noticed most of them have command of the subject matter; they are knowledgeable about the marketplace and about which vendor has what set of features. There was hardly any talk of open source or open standards. I guess there isn’t money in sponsorships there. The analysts were very proficient in tuning the ideas for upper management.
Having a background in engineering, I found the language, the presentations and the conversations to be at a very high level. Very few analysts actually implement the products they review. It was easy to stump them about nuances of vendors and products. Admittedly most of their knowledge was based on information from vendors themselves and discussions with clients. They will have a fabulous answer when you ask them “How do I create and present the use case of IAM to upper management?” but you will be left wanting more if you ask “Is reverse proxy based Web Access Management easier to implement than agent based Access Management?”. There was a general lack of attention to details and more attention to how well a vendor markets their product. What I understood was that a vendor who spends more money on sales will score relatively higher points in Gartner’s books.
Gartner reports, charts and quadrants are academic research paper wannabes, but with generalizations and somewhat of a lack of depth. However, the value of the research should not be completely discounted. They do provide a level of understanding to non-technical and management (read pointy haired bosses) people who otherwise will get completely lost in details.
Overall the event was fruitful for me. I came out admiring the analysts for what and how they presented. It broadened my knowledge and gave me a new perspective of looking at technology.
I have a subscription to the Gartner On Demand portal to replay the keynotes, sessions etc. And thanks to them they allow sharing of the content. So if you are interested in viewing the recorded sessions and keynotes drop me an email at arun dot binaykia at sathtech dot com and I will send the credentials to you.
- Earl Perkins
Hello world!
This is the start of the official blog of Sath Technologies. This will be our channel of communication for things that we want to share but do not belong on our web site and are of a more ad hoc nature. Be on the lookout for interesting technical and non-technical posts.
We will strive to bring meaningful and useful content to the readers. Your comments are welcome @ webmaster at sathtech com



