Songs for the South: Microsoft Employees for the Hurricane Katrina Relief Effort

I really struggled with myself over whether I should post this article. But I do it because of the great music. One more word about my thoughts: I only want to have such real-life content on this website that concerns me and my surroundings. Since this website is about technology and interesting things I don’t want to deal with daily news, and catastrophes are such news I don’t want to deal with on this website.

But now go and buy this album. It’s really great, and that’s not only because it’s completely made by musicians who are also Microsoft employees.

“This album has been made possible by the generous donation of music from 16 artists. These 16 artists (or contributing artists) are employees of Microsoft, and will receive no compensation from the sale of this album.

In soliciting content for this compilation, many times the number of tracks that could fit on the CD were submitted. While the artists and tracks below represent the public face of this generosity, the willingness of the music community at Microsoft to contribute was immediate and significant. Thanks go to all who submitted tracks – both those on this album, and those not.”


the evilgate structure, and 802.1X

I told you about the Linksys WRT54GS-DE router I’ve bought to put OpenWRT on it. So what’s it all about? Why would I want to have such a firewall-detour-device? And what’s a firewall-detour-device anyway?

So let’s take the following situation: you are in a network that allows you to access only parts of the internet. Let’s say you can reach TCP ports 21, 22, 80, 119, 139, 143 and everything above 1024 (the list is incomplete!), and the network blocks every UDP transfer you would like to do. Unfortunately all the interesting things need UDP or at least some of the lower TCP ports. What to do? That’s what the firewall-detour-device is for: it passes you unfiltered internet through the filtered network.

In our case it would look like that:

As you can see there are two ways to use the firewall-detour-device (the little Linksys in the picture): by standard RJ45 Ethernet and by 802.11g WLAN. The most interesting case is the WLAN use case, but let’s start with the OpenVPN tunnel. The first thing you need is a machine that has unfiltered internet. You then determine on which ports you can connect through your firewall to that particular server, TCP port 80 for example. Now take OpenVPN, and with a few lines of configuration the server is set up. (OpenVPN can connect through virtually every port, either UDP or TCP; you could even tunnel through an HTTP/S proxy, but that is not the subject of this article.)

The client side has to be configured accordingly, which means installing OpenWRT on the Linksys and installing OpenVPN with ipkg…

The last question is how you secure the WLAN access to the firewall-detour-device. You have heard about WPA? In our case we implemented an 802.1X authentication system: the authentication is done by a RADIUS server which runs on the Linksys. The client (the user’s notebook or desktop PC) has a certificate issued by the same CA that issued the access point’s certificate, with just some XP_EXTENSIONS in the certificate (additional OIDs). On the Linksys additionally runs a daemon that changes the WPA key every 3600 seconds (configurable).

So in the end you have certificate-based authentication against a RADIUS server, combined with a WPA implementation that changes the WPA keys at a configurable interval.

A typical OpenVPN config file looks like this:

dev tun
# UDP is the OpenVPN default; use "proto tcp" on the client (and "proto tcp-server"
# on the server) when the network blocks UDP, as in the scenario above
proto udp

# TLS parms
ca [ca-certificate-PEM-format]
cert [client-certificate-PEM-format]
key [client-key-PEM-format]
# only the server needs the Diffie-Hellman parameters; a client config does not use this line
dh [diffie-hellman file]

# client side: the server to connect to, optionally followed by the port (e.g. 80 for the TCP-port-80 case above)
remote [the-OpenVPN-server]

There are some how-to manuals available at the OpenWRT homepage, so I do not copy-paste them here. But there are some misconceptions about the things you have to do on a Windows client to use an 802.1X WLAN:

You need the root certificate (the same one you used at the access point; the only difference is that it has to be in DER format) and you need a client certificate with XP extensions in PKCS#12 format. When you have both you just have to double-click to import them. When you now connect to the 802.1X WLAN you are asked to approve the root certificate. After that you are probably asked to choose which client certificate you would like to use; select your client certificate and voilà, you should be connected to the WLAN, authenticated with 802.1X.
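The certificate material that the 802.1X setup above relies on, as an added example that is not part of the original post and not code from OpenWRT or OpenVPN: a shell script that uses the openssl command line to create one CA, an access-point certificate with the serverAuth extension and a client certificate with the clientAuth extension (the “XP extensions” the text mentions), and then exports the two files the Windows import step needs, the root certificate in DER form and the client certificate with its key in PKCS#12 form. The subject names, the scratch directory and the PKCS#12 password are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenWRT: builds the
# certificates for the 802.1X (EAP-TLS) setup with plain openssl. One CA signs
# both the access point's (RADIUS) certificate and the client certificate; the
# client certificate carries the extendedKeyUsage OID the Windows XP
# supplicant expects. Subject names, scratch directory and the PKCS#12
# password are assumptions of this example.
set -e

WORK="${WORK:-$(mktemp -d)}"     # assumed scratch directory
cd "$WORK"

# A self-contained OpenSSL config, so the script does not depend on the system
# openssl.cnf. The xp* sections hold the extensions that matter here:
# serverAuth (1.3.6.1.5.5.7.3.1) on the AP/RADIUS certificate and
# clientAuth (1.3.6.1.5.5.7.3.2) on the user certificate.
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
commonName = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ xpserver_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
[ xpclient_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
EOF

# Self-signed CA key and certificate (ca.key, ca.pem).
build_ca() {
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -new -config pki.cnf -key ca.key -subj "/CN=evilgate CA" -out ca.csr
  openssl x509 -req -days 3650 -in ca.csr -signkey ca.key \
    -extfile pki.cnf -extensions ca_ext -out ca.pem 2>/dev/null
}

# issue NAME EXT_SECTION COMMON_NAME: key, CSR and CA-signed certificate
# (NAME.key, NAME.pem) with the extensions of the named config section.
issue() {
  name=$1; ext=$2; cn=$3
  openssl genrsa -out "$name.key" 2048 2>/dev/null
  openssl req -new -config pki.cnf -key "$name.key" -subj "/CN=$cn" -out "$name.csr"
  openssl x509 -req -days 365 -in "$name.csr" -CA ca.pem -CAkey ca.key \
    -CAcreateserial -extfile pki.cnf -extensions "$ext" -out "$name.pem" 2>/dev/null
}

# The two files the Windows client imports: the root CA as DER and the client
# certificate plus key as PKCS#12 (the password is an assumed example value).
export_for_windows() {
  openssl x509 -in ca.pem -outform DER -out ca.der
  openssl pkcs12 -export -in client.pem -inkey client.key -certfile ca.pem \
    -name "evilgate client" -passout pass:changeit -out client.p12
}

# Succeeds only if both leaf certificates chain to the CA for their intended
# purpose and the client certificate really carries clientAuth.
check_pki() {
  openssl verify -CAfile ca.pem -purpose sslserver ap.pem >/dev/null 2>&1 &&
  openssl verify -CAfile ca.pem -purpose sslclient client.pem >/dev/null 2>&1 &&
  openssl x509 -in client.pem -noout -text | grep -q "TLS Web Client Authentication"
}

build_ca
issue ap xpserver_ext "evilgate access point"
issue client xpclient_ext "evilgate user"
export_for_windows
check_pki && echo "certificates ready in $WORK: ca.der and client.p12 go to the Windows client"
```

In this example ca.der and client.p12 are the two files carried to the Windows client, while ca.pem, ap.pem and ap.key are what the RADIUS server on the access point would be given. The check at the end verifies each certificate against the CA for its purpose, which catches the usual mistake of a certificate that chains correctly but lacks the extended key usage the Windows supplicant insists on.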

Source 1: Linksys Router is now “evilgate”
Source 2: What is WPA?
Source 3: What is 802.1X?
Source 4:

a lot of storage space (not a Promise Storage Appliance)

So today it continues. After the disappointing things that happened around the Promise VTrak m500i, we started to put the other machines together to do some testing. So we have:

Machine 1:

  • Pentium 4 (Prescott) 3 GHz
  • 2 Gigabyte of RAM
  • onboard Promise(!) FastTrack 597 SATA
  • 4 Port Onboard SATA
  • 2×80 Gigabyte (Western Digital)
  • 3×250 Gigabyte (Western Digital)
  • 1×Gigabit Ethernet (Broadcom)
  • Windows Server 2003 Enterprise Edition

Test-Setup (Machine 2 is not in this picture…)

the drives and behind the fans…LOUD!

a hot-swap fan and SATA cable close-up shot…

Machine 2:

  • Pentium 4 (Prescott) 3 GHz
  • 2 Gigabyte of RAM
  • 2×Promise(!) FastTrack S150 TX4 SATA
  • 7×250 Gigabyte (Western Digital)
  • 1×Gigabit Ethernet (Intel)
  • Linux 2.6.something

Machine 2 on top of Machine 1…

Machine 1 is destined to be the documentation server running SharePoint Portal Server 2003. But first we’ll do some testing with the String Bean WinTarget 2.0 iSCSI target software. On Machine 2 the iSCSI Enterprise Target will provide access via iSCSI.

Our test plan is this: we set up a RAID5 on each machine and export this 500 Gigabyte volume as an iSCSI target volume. We then benchmark this volume. After that we do the same again with a RAID0 across the 3 drives (so a 750 Gigabyte volume).

At the moment we only test with Windows on the client side. We’re using h2benchw for this purpose.

Stay tuned for the results. Oh, I almost forgot: the Promise VTrak m500i successfully synced a 1 Terabyte iSCSI volume and I was able to mount and format this volume. The first test showed that about 66 Megabyte/s are possible on this RAID5 volume. The benchmark has been running for about 2 hours and would take 6 more hours to complete. Of course we’ll also test a stripe on the VTrak m500i.

Source 1: FastTrack S150 TX4 SATA
Source 2: String Bean WinTarget
Source 3: iSCSI Enterprise Target
Source 4: h2benchw

Promise VTrak M500i Review and News…

I wrote a short article about the recently arrived Promise m500i storage array and its failure to work.

After we had to wait the whole weekend it was time to call technical support again and ask for clarification… well, sort of :-).

The good news: the guy remembered that he had talked to me. He even remembered what we talked about. That’s really not common when it comes to technical support. So this is a thumbs-up for the support.

He sort of apologized for mistakenly kidding me on Friday… but let’s not be vengeful.

So he told me that there is a BETA firmware for our brand-new m500i that is supposed to fix all the problems we have (at least the ones he remembered). The only thing he needed from me beforehand was a signature under a disclaimer he would send me. Sure! Show me the disclaimer and I’ll tell you if I would sign it.

And he showed me:

Supplier is providing this Beta version Product to Customer without charge and at Customer’s specific request. Customer understands and acknowledges that this Beta version Product has not been fully tested by Supplier. This Product is provided to Customer “as is” and with Customer assuming all risk of use of the Product.

Except where prohibited by law, Supplier DISCLAIMS any and all warranties, express or implied, by statute or otherwise, regarding the Products including, without limitation, any warranties for fitness for any purpose, quality, merchantability, non-infringement, or otherwise, and any warranties arising out of a course of dealing, trade usage, or trade practice. Supplier makes no warranty or representation concerning the suitability of any Product for use with any other item. Customer assumes full responsibility for selecting Products and for ensuring that the Products selected are compatible and appropriate for use with other goods with which they will be used. Customer assumes and accepts all risk associated with procuring and using a Beta version product.

Supplier DOES NOT WARRANT that this Product is free from errors or that it will interface without any problems with purchaser’s components or computer system. It is the responsibility of the purchaser or end-user to back up its computer or otherwise save important data before installing any Product and to continue to back-up its important data regularly.

Supplier shall not be liable for the cost of procuring substitute goods or services, lost profits, unrealized savings, equipment damage, or for any other general, special, consequential, indirect, incidental, or punitive damages, whether in contract, tort, or otherwise, notwithstanding the failure of the essential purpose of the foregoing remedy and notwithstanding that Supplier has been advised of the possibility of such damages.

Date___________ Signed ___________________

The text formatting was not made by me; it’s the original formatting of the disclaimer. Of course I told the technical-support guy that I am not willing to sign this disclaimer. To lose the software warranty in any way is not what I would consider an alternative for a brand-new 6000 Euro device.

He understood my concern about that issue, even though he tried to convince me to sign it. I didn’t. He then wanted to call me back after he had checked the alternatives with his … whoever he was talking to … he called back 10 minutes later.

The alternative would be to live with the bugs. He even seemed to know now, finally, why the array does not sync successfully: I had tried to make a 3 Terabyte logical drive. With my firmware version the m500i only supports a maximum size of 2 Terabyte per logical drive. Okay, that’s at least some kind of solution. So I configured a 1 Terabyte logical drive for testing and voil