
VDI and BYOD - Bring your own device

Wednesday, March 7, 2012 by Darren Sieck


As many SMBs rise slowly out of the recession and begin to invest in the latest technologies, they are finding their new software and IT systems may support iPhone, iPad, Android, PC or Mac. All this connectivity ushers in new ways to conduct business. The variety of these devices can be used to provide better communication and flexibility in the workplace and thus improve business agility. BYOD can also provide both hard and soft returns for the organization’s IT investments. The hard returns of BYOD materialize as savings to your organization simply because it no longer has to shell out funds for the latest and greatest devices. The soft return may be happier employees and better morale because they can leverage their device of choice to connect to company resources, instead of having IT and corporate dictate specific devices. It is important to point out that BYOD also brings with it a host of cons that must be considered and controlled by the corporation’s acceptable use policy and IT security experts.

The first and foremost consideration is data security: a company must consider the pros and cons before it allows company data on an employee’s personal device. Once a company allows an employee to download data to a personal device, the company has little or no control over or management of its data. This may also bring up legal issues over ownership of the data should the employer-employee relationship turn sour. For example, a company’s intellectual property or contact lists could easily be harvested and brought to a competing business. There are many other variables to consider: a well-intentioned employee’s device may malfunction, damaging or deleting email or contacts on the company mail server. The employee may load an insecure app whose goal is to leech or damage corporate data. The employee may load an app, then walk into the business and connect to WiFi with a potential Trojan horse, causing a devastating data loss. For some organizations this is an acceptable risk, and steps can be taken to help mitigate some of these concerns; however, for most organizations this is not tolerable.

BYOD introduces a fine line to saving money. There are additional IT and business costs in supporting multiple platforms. For example, IT must configure the company mail server to support Blackberry, iPhone, iPad and Android. IT must track and try to enforce or suggest a baseline of mobile security. This was a difficult enough task on a single platform; with BYOD this becomes 3X more difficult and time consuming. Fixing one issue for iPhone users may break something for the others. There are also support and security benefits of supporting a single corporate platform. This conservative thinking brought stability and security to organizations for years.

So where does that leave us? Should an organization allow BYOD or not? There is no right or wrong, and only an organization can choose whether the benefits outweigh the risks. Chances are in a small organization this can be managed on an individual basis. Anything beyond a small business, or a business that lives or dies by its data, needs to seriously consider the implications of introducing unmanaged personal devices into its organization. However, what we have discussed so far assumes an organization allows an employee’s devices to directly connect, sync, and interface with company assets.

Are there other options or solutions? Absolutely! VDI (Virtual Desktop Infrastructure). The industry has been virtualizing servers for years, and VDI technologies are one of the hottest topics in IT. VDI leverages the benefits and investments in server virtualization and extends them to the desktop and mobile device space. VDI software such as VMware View, Citrix XenApp or Citrix XenDesktop allows secure data access for BYOD users. The biggest VDI benefit is that corporate data can be extended to all mainstream devices and no actual copy of the data is stored on the device. Rather, all data is stored, maintained, and secured in the organization’s IT system. The VDI software client is also agnostic to the device or platform it runs on, thus eliminating the actual work in configuring the entire system to work with multiple platforms. VDI allows the organization to maintain control over its data while still leveraging the benefits of BYOD.

SkyByte is a VMware Professional Partner and a Citrix Solution Provider.  Contact us today for a server virtualization or VDI evaluation.

Virtualization Success: VMware vSphere transforms a Chicago area park district

Monday, January 16, 2012 by Darren Sieck

SkyByte Consulting is a premier provider of Virtualization solutions and technologies.


Recently SkyByte won an RFP for a major suburban park district near Chicago. SkyByte successfully beat out four other Chicago IT firms with our design and project pricing. The park district had approximately thirty aging physical servers well beyond their effective service life. Their server room consisted of two 42U racks full of old server equipment. SkyByte proposed a four server VMware vSphere Cluster connected to a NetApp 2040 SAN. Cisco switches were chosen and NFS was utilized for the storage area network. SkyByte architected a secure DMZ along with multiple production internal networks. The project had the added benefit of centralizing all of the organization's data within the new NetApp SAN. This further improved the organization's disaster recovery options.

SkyByte installed the new VMware vSphere cluster and virtualized all the old servers from P to V. The virtualization candidates were Microsoft Exchange, four Microsoft SQL database servers, file and print servers, application servers and many F5 load balanced web servers. Upon completion of the project all old server equipment was removed, and a complete 42U rack was removed from the room. 84U of space was reduced to 15U. Power and cooling requirements for the data room were reduced by more than 50%. The park district gained fault tolerance and high availability; the system is designed to continue business operations with a two host failure. The organization also gained much more flexibility within their system to meet the public's needs. Other benefits have been much better performance logging and reporting. The organization has acknowledged system performance was dramatically improved across all servers.

SkyByte has been working with Virtualization technologies since 2003. Over the last several years we have focused our infrastructure practice on server virtualization and server consolidation through the use of VMware vSphere Clusters and standalone ESX and ESXi hosts. We have aligned ourselves with NetApp and EMC for storage solutions. SkyByte has found VMware’s virtualization product suite to be vastly superior to the competing server Virtualization software such as Hyper-V and Citrix XenServer. Specifically, the levels of refinement, flexibility, reliability and support are much better with the VMware products.

Contact us today for a free evaluation of what Virtualization can do for your organization. 847.574.6256 or info@skybyte.com

 

vSphere 4.1: "The remote device on XXXXComputer connected to XXXXPath is disconnected". Unable to mount ISOs or mount your CD/DVD-ROM to VMs after adding vSphere 4.1 to your environment.

Monday, June 13, 2011 by Darren Sieck
Recently we discovered an issue trying to mount ISOs or CD/DVD drives via the VMware client. The specific error was "The remote device on XXXXComputer connected to XXXXPath is disconnected". While this is a known issue with Windows 7 clients needing "run as administrator" rights on the VI client shortcut, this particular machine was running Windows XP. It turns out the problem stems from machines where the VMware client 4.0 was previously installed and then upgraded to 4.1 upon connection to a 4.1 environment.

The Solution:

1) Uninstall your 4.0 or earlier VMware client and host update manager (if it is installed)
2) Reboot your computer
3) Reinstall the 4.1 VMware client.


SkyByte Consulting is a VMware professional partner and Microsoft Silver Partner.

Exchange 2010 - MsExchange Transport Failed To Reach Status 'Running' On This Server

Tuesday, May 17, 2011 by Darren Sieck
Recently while performing an installation of Microsoft Exchange 2010 I received the following error: MsExchange Transport Failed To Reach Status 'Running' On This Server under the Hub Transport Role.

After an hour of troubleshooting we found the following fix:

Re-enable IPv6 and rerun the Exchange install. If you get the same error then you may need to leave IPv6 enabled on the server NIC's properties, but disable IPv6 in the registry and also delete the host entry ::1 in the hosts file, and then rerun the Exchange setup.
To disable IPv6 in the registry:

Start>Run regedit

Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters. In the details pane, click New, and then click DWORD (32-bit) Value. Type DisabledComponents and then press Enter. Double-click DisabledComponents and type 0xffffffff in Hexadecimal or 4294967295 in Decimal. You are done!

Next open the hosts file with Notepad. The hosts file is located here: C:\Windows\System32\Drivers\Etc\hosts . Delete the IPv6 entry ::1 Localhost

Hope this helps someone. SkyByte is highly experienced in Microsoft Exchange Upgrades, Migrations and Deployments.

VMware vSphere error mounting NetApp NFS volume: "error during configuration of the host. Cannot open volume"

Tuesday, March 29, 2011 by Darren Sieck

Recently SkyByte designed and built a new VMware vSphere Cluster centered around a NetApp FAS2040 SAN connected via NFS. We configured networking, volumes, NFS exports and export permissions on both controllers. We then began the task of mounting the NFS datastores on the VMware hosts. We were able to successfully mount all the volumes on controller 1 but when mounting them on controller 2, we would get the following error:

Problem: "error during configuration of the host. Cannot open volume" Note: Once or twice we were able to get the VMware host to mount the NFS without the error; however, it would report as 0KB in size instead of its actual size, and the datastore was completely inaccessible.

After poring through the network settings on all the VMware hosts and SAN settings, we figured we had a permission type error. On the NetApp SAN we verified the VMware host IPs had read-write access to each NFS export. It took us several hours to figure out the problem. I hope this helps someone.

Solution: The problem was the Qtree security on Controller 2 was defaulted to NTFS. Navigate to Qtrees on the offending NetApp controller and check that your Qtree security type is set to UNIX. After making the change to each Qtree we were able to successfully mount all NFS volumes on the vSphere cluster.

SkyByte is a VMware professional partner. We are well versed in ESX & ESXi virtualization cluster installation, upgrades, and migrations. Call or email us for information on VMware Virtualization Benefits.


vCenter Error "GcServiceInstance" on Server "xyz" failed."

Thursday, March 3, 2011 by Darren Sieck

Recently while deploying a new VMware vSphere Cluster 4.1, we experienced a persistent error when trying to run VMware Guided Consolidation: "GcServiceInstance" on Server "xyz" failed." The problem began occurring after we had to re-ip vCenter's NIC. The status window in Guided Consolidation also would not populate. After checking all network connectivity and VMware services, I was able to find the solution:

When vCenter GC installs, it creates a hosts file entry in the normal location: %SystemRoot%\System32\drivers\etc\hosts

Open the hosts file and edit the IP address to the current IP address:

X.X.X.X          ServerName

Close vClient and re-open vClient.




Enable Active FTP on Cisco ASA Firewalls - Chicago Network Experts

Tuesday, February 1, 2011 by Darren Sieck
On a Cisco ASA firewall, only passive FTP is supported by default. Many 3rd party FTP servers use active FTP for file transfers. This includes users that enable the FTP service under IIS on a Windows Server and are using a browser as an FTP client. With the older Cisco PIX firewalls it was necessary to issue a fixup command, but that format has been changed in the newer ASA.

**Note: Of course you will need a port forwarder or a static NAT rule, along with an access rule allowing the FTP protocol to your FTP server.**

To enable Active FTP on your ASA or PIX:

You may enter the following command on a Cisco ASA Firewall or PIX:  fixup protocol ftp 21

When you enter that PIX command on an ASA, it is automatically converted to the ASA's MPF command format, or you may enter the following MPF commands directly on the ASA:


class-map inspection_default
match default-inspection-traffic

policy-map asa_global_fw_policy
class inspection_default
inspect ftp

service-policy asa_global_fw_policy global
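
A way to confirm from a saved running-config that the three MPF pieces above are actually linked, as an added example that is not part of the original post: it reports whether `inspect ftp` sits in a policy-map that a service-policy binds. The second sample config, the policy name `ftp_test` and the function names are constructed for illustration.

```python
# Constructed running-config excerpts (not taken from a real device).
# APPLIED mirrors the MPF commands shown in the post.
APPLIED = """\
class-map inspection_default
 match default-inspection-traffic
policy-map asa_global_fw_policy
 class inspection_default
  inspect ftp
service-policy asa_global_fw_policy global
"""

# 'inspect ftp' exists here, but its policy-map is never bound.
UNBOUND = """\
class-map inspection_default
 match default-inspection-traffic
policy-map asa_global_fw_policy
 class inspection_default
  inspect dns
policy-map ftp_test
 class inspection_default
  inspect ftp
service-policy asa_global_fw_policy global
"""


def parse_mpf(config: str) -> dict:
    """Collect class-maps, policy-map -> class -> inspections, and bindings."""
    mpf = {"class_maps": set(), "policies": {}, "bindings": {}}
    policy = cls = None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "class-map":
            mpf["class_maps"].add(words[-1])
            policy = cls = None
        elif words[0] == "policy-map":
            policy, cls = words[-1], None
            mpf["policies"][policy] = {}
        elif words[0] == "class" and policy and len(words) > 1:
            cls = words[1]
            mpf["policies"][policy][cls] = []
        elif words[0] == "inspect" and policy and cls and len(words) > 1:
            mpf["policies"][policy][cls].append(words[1])
        elif words[0] == "service-policy" and len(words) > 2:
            # 'service-policy NAME global' or 'service-policy NAME interface IF'
            scope = "global" if words[2] == "global" else words[-1]
            mpf["bindings"].setdefault(words[1], []).append(scope)
            policy = cls = None
    return mpf


def ftp_inspection_status(config: str) -> dict:
    """Report where 'inspect ftp' is in effect and why it is not elsewhere."""
    mpf = parse_mpf(config)
    applied, problems = [], []
    for policy, classes in mpf["policies"].items():
        for cls, inspections in classes.items():
            if "ftp" not in inspections:
                continue
            if cls != "class-default" and cls not in mpf["class_maps"]:
                problems.append(f"{policy}: class {cls} has no class-map")
                continue
            scopes = mpf["bindings"].get(policy, [])
            if scopes:
                applied += [(policy, cls, scope) for scope in scopes]
            else:
                problems.append(
                    f"{policy}: inspect ftp present but no service-policy binds it")
    if not applied and not problems:
        problems.append("no 'inspect ftp' configured")
    return {"applied": applied, "problems": problems}


if __name__ == "__main__":
    for name, cfg in (("applied", APPLIED), ("unbound", UNBOUND)):
        print(name, ftp_inspection_status(cfg))
```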

SkyByte has 12+ years of experience with Checkpoint Firewall 1 and Cisco firewalls. SkyByte is well versed in Checkpoint and Cisco ASA firewall upgrades and migrations.  Contact us today!

Electronic Discovery Services - AD Summation iBlaze

Wednesday, January 12, 2011 by Darren Sieck
SkyByte is highly experienced in Electronic Discovery Services. Recently SkyByte completed loading 2.4+ Terabytes of Electronic Discovery for a large Chicago law firm that was running AD Summation (formerly CT Summation).

Prior to the loading of data for this case, SkyByte designed a high performance system that was capable of indexing 2.4+ Terabytes of data for searches by the expert witnesses and associated attorneys for the case. SkyByte chose a SAN solution from NetApp and architected a fiber channel link via HBAs to high powered Dell R710 database servers. The hardware was paramount in handling data this size.

SkyByte also put its extensive roots in Network Security to use for providing secure remote access to expert witnesses that worked all over the US. We devised a highly secure solution that met all guidelines set in the case.

The Electronic Discovery Service load process:

All data sent for the project was encrypted with 256-bit AES encryption on USB drives. SkyByte devised strict quality control methods for decrypting the data and checking for data integrity, carefully comparing files from the original disks to the Storage Area Network (SAN) where they were to be imported. This ensured we had an accounting of the millions of pages of Electronic Discovery that were handled for the project. We also devised methods of organization to handle case files that easily exceeded gigabytes.

Most of the data had been supplied by 7 different defendants which used 7 different eDiscovery companies during the data export process. This made the project highly difficult. Unfortunately the e-discovery companies supplied the data in several different formats, although usually Concordance. SkyByte was able to adapt to the data challenges and custom modify DII load files and file import structures. The supplied files came in a variety of formats and we used a variety of tools to convert all load files into Summation's DII format. SkyByte was also able to import the supplied native and OCR files for all supplied Electronic Discovery. SkyByte provides eDiscovery data load services to law firms running Summation. SkyByte is well versed in loading difficult data.

Electronic Discovery Services:
  • Convert eDiscovery from common industry formats
  • Customize DII Load files for Summation
  • Import eDiscovery into Summation
  • Architect systems capable of running demanding litigation software.
Please contact SkyByte if you need assistance with AD Summation data imports.

New Exchange 2010 server cannot send email to Exchange 2003 server in same Exchange Organization - #554 5.1.0 Sender Denied ##

Monday, January 3, 2011 by Darren Sieck

Recently while performing a Microsoft Exchange Upgrade by adding a new Exchange 2010 mail server to an existing Exchange 2003 organization I came across an email routing / email security issue. This particular project planned for a short period of coexistence between the old Exchange 2003 server and the new Exchange 2010 server, and thus we had to resolve the problem quickly to ensure internal email between users on both systems. The main symptom appeared after I moved the majority of mailboxes from the old Exchange 2003 server to the new Exchange 2010 server. Emails flowed successfully to the Internet unrestricted. However, when sending internal email to mailboxes that still resided on the Exchange 2003 server I would get the following error:

 

Delivery has failed to these recipients or groups:

xxxxxxx (xxxxx@xxxxxcommunity.org)
This message was rejected by the recipient e-mail system. Please check the recipient's e-mail address and try resending this message, or contact the recipient directly.

 

The following organization rejected your message: xxx.xxxxxcommunity.org.(Receiving Server)



Diagnostic information for administrators:

Generating server: xxxxx.xxxxxcommunity.org

xxxxx@xxxxxxcommunity.org
xxxxx.xxxxxxxcommunity.org #554 5.1.0 Sender Denied ##

Original message headers:

Received: from xxxx.xxxxxcommunity.org ([10.7.53.8]) by XXXXX

 ([10.7.53.8]) with mapi; Mon, 3 Jan 2011 14:00:19 -0600

Content-Type: application/ms-tnef; name="winmail.dat"

Content-Transfer-Encoding: binary

From: Darren Sieck <DarrenSieck@xxxxxxxcommunity.org>

To: "Fr. Don McLaughlin" <xxx@xxxxxxxcommunity.org>

Subject: FW: Test

Thread-Topic: Test

 

This error can indicate several factors:
You should check that you have routing connectors in each routing group (under the System Manager on the Exchange 2003 server) and that your new server is allowed to relay on the old server (under SMTP properties on the old server). It turns out that my routing connectors were configured properly and relaying was possible.

Problem:
The problem was the client had configured Exchange 2003’s filtering features and the server was blocking all email from the internal domain. Basically the old server thought the new server was spoofing the client’s internal domain. To resolve the situation you should disable the Exchange built-in filtering altogether or use a 3rd party SMTP email filtering product such as Websense Email Security or Ironport.

Resolution:
Navigate to the filtering settings native in Exchange 2003: Open System Manager > First Organization (or the name of your organization) > Global Settings > Message Delivery. Select Properties on Message Delivery and turn off or configure filters accordingly. Most settings are under the “Connection Filtering” tab.


Active Directory Upgrade: Upgrading SBS 2000 AD to 2008R2 AD

Tuesday, December 14, 2010 by Darren Sieck
Recently SkyByte won a project to install a new VMware vSphere 4.1 Virtualized server cluster utilizing a NetApp SAN. An important prerequisite to the VMware project was an Active Directory upgrade from the client's current single server SBS 2000 domain controller to the latest Server 2008 R2 Active Directory. Our new client had grown out of its single DC SBS many years ago but they never found a consulting company that was confident enough to tackle a production upgrade to 2003 Active Directory, much less to 2008 R2 Active Directory.

SkyByte designed an Active Directory Upgrade plan to solve their network growth problems. The company had 100+ desktops authenticating logins, running login scripts, and serving DNS, WINS, and multiple DHCP scopes. SkyByte used VMware virtualization technologies to spin up multiple servers on new Dell physical server equipment. We first upgraded the domain to 2003 levels and after successful replications we upgraded the new 2003 domain to 2008 R2 levels. Ultimately the upgrade was a complete success and was done during business hours with NO company downtime. SkyByte also architected new levels of redundancy into the client's network by putting the main 2008 R2 DC on a physical server and two others on the VMware cluster. This choice assures that the domain would not be lost in the event of a VMware cluster or SAN failure. The customer now has multiple 2008 R2 domain controller servers for DNS, DHCP, and login authentication. These upgrades have paved the way to other network enhancements coming soon, namely SharePoint 2010 and Exchange 2010.

SkyByte has over 16 years of experience in advanced IT system design and architecture. We have implemented many complex active directory upgrades over the years. We apply a strong emphasis on network security for all our projects. SkyByte has performed business continuity risk assessments and DR planning for many businesses around the US.

CheckPoint Firewall 1 R61 upgrade to Checkpoint Firewall 1 R70

Tuesday, November 16, 2010 by Darren Sieck

Recently SkyByte completed a complicated upgrade of CheckPoint Firewall 1 R61 to R70 for a large park district near Chicago. This particular firewall was at the center of the client’s network enforcing traffic to approximately 10 different locations around the suburb. The Firewall utilized a BGP WAN connection for the external Internet interface and several other internal interfaces and DMZ zones. The production R61 enforcement point was running Checkpoint's hardened Linux platform called SPLAT and the primary management console was running Windows Server 2003 32-bit. SkyByte was brought in due to its extensive experience with network firewall security. The planned upgrade consisted of all new server equipment for the enforcement point and also a VMware virtualized primary management console. Because the client was implementing new hardware, SkyByte was able to minimize planned downtime during the upgrade. Using CheckPoint best practices, SkyByte designed an upgrade plan to R70 by building the new enforcement point and management console side by side with the R61 production system. SkyByte also provided hardware specifications for new Dell rack mounted servers that met Checkpoint’s hardware compatibility list. Before installation of the new firewall SkyByte performed extensive backups of the production system and implemented a roll back plan just in case of unforeseen problems. After detailed testing of the new system and confirming all network security was intact, a cut over time was chosen by the customer. The planned cut over took about 15 minutes and went very smoothly.
 
The client is very happy with their new Checkpoint environment. The new firewall hardware is much more robust and the client is enjoying the new features and network security that Checkpoint Firewall 1 R70 provides.

SkyByte is a security based service and solution provider dedicated to the delivery of secure data communications, risk management, data integrity and corporate privacy. SkyByte offers a wide array of IT consulting services such as the design and maintenance of firewalls, VPNs, LANs, WANs, VMware server virtualization, messaging systems and secure wireless networks.


Windows 7 slow install on Dell Latitude 13 - Chicago Network Support

Tuesday, November 9, 2010 by Darren Sieck

Recently SkyByte saw an issue with a Dell Latitude 13 laptop after installing a new SSD hard drive. The symptoms manifested during and after a Windows 7 Pro 32-bit install running BIOS A01. The machine would take hours to install Windows 7 and hours trying to start the OS. After much diagnosis and trial and error we narrowed the problem down to the ATA controller. Ultimately the issue ended up being that AHCI (Advanced Host Controller Interface) needed to be disabled and conventional ATA mode enabled in the BIOS settings. The laptop returned to lightning speed after we made the change and reinstalled Windows 7.

Enabling SSH on Cisco ASA Firewall

Thursday, November 4, 2010 by Darren Sieck

In order to preserve network security you should use a secure method of administering your Cisco ASA firewall. The best way to manage your Cisco ASA firewall is with a secure CLI session via SSH, or via SSL and Cisco's ASDM tool. Recently I discovered that SSH is not enabled by default on Cisco ASA Firewalls like their predecessor firewalls, the Cisco PIX. The reason is that the Cisco ASA firewall does not ship with a crypto key for SSH by default. Therefore one must be generated. The instructions below will help you generate a 1024 bit crypto key:

1) Log into the Cisco ASA via console or ASDM
2) On the CLI get to the enable prompt, or on the ASDM go to Tools > Command Line Interface
3) On the CLI perform a conf t
4) Issue the command: crypto key generate rsa general-keys modulus 1024

Now you will need to grant access to your ASA for the SSH protocol, set a timeout for the session (optional) and specify the SSH version (optional). Issue these additional commands:

1) ssh xxx.xxx.xxx.xxx 255.255.255.255 inside
(e.g. to allow a whole subnet: ssh 10.1.1.0 255.255.255.0 inside, or an individual address: ssh 10.1.1.1 255.255.255.255 inside)
2) ssh timeout 10
3) ssh version 2

To save your changes:

write mem
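
A small audit of the management-access lines configured above, as an added example that is not part of the original post: it reads a saved running-config and flags Telnet access, SSH rules open to any or overly broad sources, a long idle timeout, and a missing `ssh version 2`. The sample configs, finding names and the two thresholds are assumptions made for illustration, and the version check assumes an ASA release of the post's era where SSHv1 is accepted unless `ssh version 2` is set.

```python
import ipaddress
import re

# Constructed running-config excerpts for illustration (not from a real device).
GOOD_CONFIG = """\
ssh 10.1.1.0 255.255.255.0 inside
ssh 10.1.1.1 255.255.255.255 inside
ssh timeout 10
ssh version 2
telnet timeout 5
"""

WEAK_CONFIG = """\
telnet 10.1.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 60
"""

# Assumed policy thresholds; adjust to your own standard.
MIN_PREFIX = 24        # narrowest acceptable source range (the post's /24 example)
MAX_TIMEOUT_MIN = 10   # longest acceptable idle timeout (the post's value)

ACCESS_RULE = re.compile(
    r"^(ssh|telnet) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
TIMEOUT = re.compile(r"^ssh timeout (\d+)$")


def prefix_len(mask: str) -> int:
    """Convert a dotted netmask such as 255.255.255.0 to a prefix length."""
    return bin(int(ipaddress.IPv4Address(mask))).count("1")


def audit_asa_ssh(config: str) -> list:
    """Return (finding_id, detail) pairs for the management-access lines."""
    findings = []
    ssh_rules = 0
    version2 = False
    for raw in config.splitlines():
        line = raw.strip()
        rule = ACCESS_RULE.match(line)
        if rule:
            proto, _addr, mask, _ifname = rule.groups()
            if proto == "telnet":
                # Cleartext management session permitted from this source.
                findings.append(("TELNET_ENABLED", line))
                continue
            ssh_rules += 1
            plen = prefix_len(mask)
            if plen == 0:
                findings.append(("SSH_ANY_SOURCE", line))
            elif plen < MIN_PREFIX:
                findings.append(("SSH_BROAD_SOURCE", line))
            continue
        timeout = TIMEOUT.match(line)
        if timeout:
            if int(timeout.group(1)) > MAX_TIMEOUT_MIN:
                findings.append(("SSH_TIMEOUT_LONG", line))
        elif line == "ssh version 2":
            version2 = True
    if ssh_rules == 0:
        findings.append(("SSH_NO_RULES", "no 'ssh <addr> <mask> <if>' line"))
    if not version2:
        findings.append(("SSH_V1_ALLOWED", "'ssh version 2' not set"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit_asa_ssh(cfg) or "no findings")
```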

