So I make it through the renewal process, which required generating a new CSR (Certificate Signing Request) for a brand new certificate from the server since the original one had a bit length of 1024 and GoDaddy only accepts 2048 to 4096 bit lenghts (this is a new requirement). After completing the process and getting the certificate installed, I got a nice helpdesk call from a user this morning who has a Centro: “SSL certificate not accepted due to possible expiration.  Check device date & time and re-sync.”

Joy oh joy, exactly what I’d been looking for, another problem and wasted time!

OK, enough sarcasm (but really, can you ever have enough?). Time for Google and Daryl Hunter from the Church IT Roundtable! Although GoDaddy auto-renewed my SSL certificate, I was actually contemplating buying one of their UCC certificates to be ready for when we went to Exchange 2007. Fortunately I read Daryl Hunter’s post about Exchange 2007 without UCC certs, and stuck with the regular certificate for now, because per Palm KB article 43375, certificates with Subject Alternate Names (SANs), such as UCC certs, are not supported at all on Palm devices (“SSL v3 certificates which rely on the Subject Alternate Name field to do load balancing across virtual site names do not work with Palm OS devices.”). So a UCC cert isn’t even an option for me, but it’s cheaper to do Daryl’s method anyway! For now I don’t have to worry about it, since I just have Exchange 2003 for now, and that’s not the present issue (but we will likely be on Exchange 2007 or Exchange 2010 by the time the certificate expires). Additionally, the same article (which has a tool for installing new trusted root certificates on some Palm OS devices–but I didn’t want to mess with touching every single Palm OS device here! And, the tool works on Windows 2000 or XP only, not Vista (and I’m sure not Windows 7 either)) specifically states that, “GoDaddy Class 2 certificates do not work with Palm OS devices.” Time to drop GoDaddy!

Daryl’s favorite SSL certificate vendor (and now, mine too!) is RapidSSL Online. They sell certificates from RapidSSL.com for $17.95 per year (or cheaper, for multiple years), and they’re single root certificates (which menas you don’t have to install intermediate certificates on your server). While RapidSSL Online is cheap, RapidSSL.com directly has a 30 day trial certificate you can sign up for to test for a month, and this is the way I went. When that certificate expires I’ll be purchasing a multi-year certificate from RapidSSL Online, but I wanted to make sure it would work, and it does! I don’t know for sure, but it appears that RapidSSL.com is the company holding the root certificate, while RapidSSL Online is either a reseller or a sub-company of the parent selling the certificates at a discount (the RapidSSL.com certificates aren’t expenive but still cost a lot more than from RapidSSL Online!). Either way, RapidSSL Online claims that their RapidSSL certificates are issued by RapidSSL.com so they should be the same (I haven’t made a purchase yet), and Daryl Hunter has used RapidSSL Online successfully for years across multiple installations.

I generated a new CSR for a new certificate, again (just like I had to do for GoDaddy). I installed the free certificate on my Exchange server’s IIS (I also then exported it and imported the .pfx file onto my ISA 2004 firewall since it does the authentication up front for external clients, but that’s a pretty unique case and in most cases you want this done on the Exchange server). They were right, it’s just a single root on the certificate, signed by Equifax! I had my Palm Centro users (two had complained by this point) try syncing again. It worked! My iPhone also works fine still, and I haven’t had any negative reports from the four Palm Pre users here either. None of my users have Windows Mobile, and my one Blackberry user connects though Blackberry Professional Server rather than with ActiveSync.

So, adios GoDaddy SSL; fortunately they will refund all but $15 of my certificate (for processing since it was issued), and I’ll still come out ahead with RapidSSL Online (GoDaddy was $60 for two years, while RapidSSL Online is only $70 for five years!).

One thing I’ll have to be careful of when I go to Exchange 2007 is that once I use Windows Server 2008 to generate the CSR, it appears I will need to go to extra pains to make sure the CSR is in Printstring format instead of UTF-8, as Palm OS doesn’t support UTF-8 certificates either (Server 2003 uses Printstring by default). Daryl located this useful post while helping me troubleshoot: Ranting about Palm Centro Versamail ActiveSync and SBS 2008. Useful info, I’m sure I’ll be going back when it’s time to renew next time and Server 2008 is in place. By then, I hope we are Palm OS-free; although I loved my Treo 600 and Treo 650 both, the web is littered with forum and blog posts from people who have SSL issues with Palm OS devices (the Palm Pre and Pixi are much more flexible and up-to-date with the Palm WebOS). I was happy GoDaddy “just worked” in the past, frustrated that they “just didn’t work” this time, and happy to save money and move to a company that’s quicker/faster/easier!

What was my solution this time? VMware Player and Windows XP! I grabbed a Windows XP virtual machine and ran it on my laptop in VMware Player, which worked just fine on Windows 7 (another reason not to run the Comcast stuff…who knows if it’s Windows 7 compatible). The biggest “issue” I had was that I had to disable all protocols bound to the LAN adapter on my laptop except for the VMware Bridge Adapter (to allow the virtual machine network access). That way the virtual machine got the DHCP and proxy settings from the cable modem when I turned it on, rather than my laptop (leaving the VM unable to connect). Once the VM had the “only” network connection, the wizard proceed normally and I got everything connected just fine (the wizard is much more streamlined than it used to be at least).

After it’s working, I just turned off the cable modem and plugged the WAN port of my wireless router into the modem, and turned it back on. Everything was smooth sailing from there. It does apparently lock to your MAC address but that is reset when the modem reboots.

Interestingly, the modem is an RCA brand modem, which is funny since I asked specifically when I talked to Comcast yesterday what brand the modem would be and they specifically said a Surfboard, which is by Motorola. Oh well, as long as it works I don’t care too much. Better than my old DLink from last time!

Now, if only Comcast would expand their trial of 16-20Mbit speeds (instead of 6Mbit) from South Bend to Indy, life would be awesome!

I’ve gotten a few draft posts written but nothing finished yet (I know it’s been a while!). However, the big news today is that Veeam Backup 3.0 was released this morning, which I already have a license for and I’m working to clean off the server that I’ll be running it on! It will definitely get a review when it’s up and running. I’m excited!

In addition to Remote Desktop, you can also open webpages (HTTP or HTTPS, using Internet Explorer or optionally the Gecko rendering engine that Firefox uses if you download xulrunner…see the instructions within mRemote). And connect to SSH sessions using PuTTY, which comes with mRemote, right inside other tabs.

There are other tools out there that do similar things. Royal TS is one, and in fact was the first one I found (see review from 4sysops here). There are others in the original 4sysops post I linked to, which compared six free RDP clients and mentioned a paid one. mRemote does everything I need in a comfortable way that I’m very pleased with, at my favorite price. It works fine with Server 2008 and Vista, and using the smartsize setting so the remote desktop fills whatever resolution is available inside the mRemote window makes for an efficient work area that’s as large as you can fit on your screen!

If you use Remote Desktop on more than just an occasional basis or to connect to more than one system, you need mRemote, or one of the other similar tools if you find it’s a better fit.

What if you’re away from your laptop or desktop and need to Remote Desktop from just about anywhere you can get cellular data coverage with AT&T? Well, you have to have an iPhone too, but I highly recommend WinAdmin for the iPhone to fill that need. That’s a review I wrote as a part of my iPhone Apps reviews over at my personal blog earlier today, and it ties in well with this full-sized mRemote companion :-) (As you might have guessed, writing about WinAdmin actually sparked the idea to blog about mRemote. They complement each other well! Seriously, I think I hear mRemote telling WinAdmin how it thinks of it fondly as a younger brother, whenever my iPhone is next to my laptop :-)

The obligatory “why I haven’t been blogging”: Busy playing with iPhone :-D Too much fun to waste time writing about other stuff (even writing about iPhone Apps has taken a backseat until today!), but I’ve got a few ideas planned and things to write about up ahead. For now, enjoy having a bit less in your feedreader; I know I’ve been falling quite behind in my own blogreading too! Twitter and the #citrt IRC channel are also to blame in large part, but not in a bad way. I’m not the only one; see Jason Powell’s post about it.

Why did I choose the iPhone? Well, I’m tired of my Treo 650, which is showing its age. I like the multi-touch interface, I like the data speeds, I like the screen size, and I like that, because it’s so popular, people are writing sites and apps (both!) specifically to work well on it. That means I can do more with it than with any other phone, or at least I can do so much so easily compared to other phone options right now. OK, I have to correct myself, will be able to do…gotta get the thing first! Oh yeah, and now it does Exchange ActiveSync with Push email, calendar, and contacts! That’s the one thing that made me sit up and take a look. Before, I at least told myself (and others) that I was OK giving the iPhone a pass–yes it was cool, but it wasn’t truly functional if you need Exchange access. Supposedly, that’s no longer true! It seems that the $30/mo data plan, unlike AT&T has been claiming per my previous post, works just fine with ActiveSync, which makes sense from a technical level.

It’s a 16GB black iPhone, if you were wondering, and I’m going to use it to replace my iPod Classic 80GB I think (the first Apple product I’ve ever owned) which is why I opted for the larger version; my iPod has over 20GB of podcasts and I’ll still have to pare that down to fit on the iPhone! Shouldn’t be hard; I didn’t try on the iPod because there’s plenty of space. I’m already with AT&T (but no longer in a contract), and the monthly plan will only cost me $10 per month more than what I’m already paying as part of my family’s FamilyTalk plan, so while I considered a 2G used iPhone, the 3G made enough sense given the subsidy for me.

If a laptop user establishes a VPN connection to your corporate VPN server, and doesn’t use split tunneling (in other words, from the time they’re connected, all traffic goes through the VPN as its default gateway no matter what), assuming that you’re using a VPN client that verifies the identity of the server (rather than blindly trusting DNS, which is easily spoofable on a wireless network), the user moves from the realm of insecurity into a much more secure environment, similar to being plugged into your wired network at the office. Of course, then your office WAN connection has to support everything they do, including web browsing!

However, using a free or paid “VPN” service from a company that just turns your wireless connection into a VPN-enabled “wired” connection is only going to help thwart unencrypted wifi sniffing and other such attacks. Unless you also use SSL and other encryption technologies, those services are just giving you a wired internet connection just like your home connection rather than the easier-to-sniff unencrypted wireless. It’s better than nothing, but it’s not like an encrypted pipe into your own network.

Don’t discount unencrypted wireless attacks. It’s never happened to me, but if you hop over and read some of Security Monkey’s case files at you’ll discover that there’s a lot of bad stuff going on in the world on computers :-) Those case files are slightly modified true stories from this guy’s career! His old 2005-2007 podcast episodes are worth listening to for some cool security tips and tools as well, to digress for a moment!

I don’t have a good answer; VPN connections to the office make internet run very slowly unless you have the WAN bandwidth to support fast throughput to and from all your remote users including web browsing! But that’s a much more secure way to operate. The number of ways wireless can be hijacked, sniffed, spoofed, and hacked, especially if it’s unencrypted to begin with, is downright scary! At the very least use SSL with verified certificates for anything you do of any importance (or if passwords are transmitted) on an encrypted wireless connection. As an IT guy, I can tell you (or myself) whether a particular session (POP3, IMAP, RPC over HTTP, HTTPS, etc.) is happening over an encrypted connection or not and can be careful. However, the average user is, obviously, not going to know or even care necessarily if Outlook is using POP3 unencrypted or via SSL, or using RPC over HTTPS securely. And if they log into Gmail, they’re not likely to know that although their password is always encrypted on login, their email is transmitted in the clear unless they initiate the session using SSL from the start (using https://mail.google.com/ rather than http://mail.google.com)./ Even if their email contains passwords and confirmations for other accounts!

Stuart mentioned WiTopia on his comment to Tony’s original post. I’d never heard of them before, but I’ve seen similar services to their personalVPN product. That service appears to be, like I mentioned above, just a way to get a “wired quality” connection to the internet over unsecured wireless. An admirable service and a worthy goal even with its limitations, but what caught my eye even more was their SecureMyWifi service. It’s still a wireless service but it has to do with your own on-campus wireless access. It lets you move away from using WPA with a Pre-Shared Key (PSK), also known as WPA-Personal, and use their RADIUS services to authenticate users individually to your encrypted wireless access points. It seems a bit pricey (to me–it’s currently a $99 setup fee, $99/year for one access point, and $14.95/year for each additional access point), but we have the same thing set up using Microsoft’s free (built-in on Windows Server 2003) IAS RADIUS server in-house. If you aren’t familiar with how to set it all up, the WiTopia service could be quite beneficial! They charge per access point, but at Lakeview we have a centrally-managed access points system with one controller that takes care of authentication. I assume that the WiTopia service is based on unique RADIUS keys for each access point client; since the central controller (currently running 12 access points) acts as a single client, it should look like “one” access point to the service. Whether or not this is allowed with their terms of service I have no idea; we are not likely going to use the service since I already do this in-house for free, but I would recommend reading the terms and/or contacting them if you plan on doing something similar to remain in the spirit of their offering.

1. The computer whose mouse and keyboard you want to use is the server. Install Synergy and configure the Server options, and enter Test mode (make sure to use the computer’s network name when creating “screens,” or create a pretty name with an alias that is the network name).
2. Configure the positioning of how each computer’s screen is related to the other (you have to create the link in both directions).
3. Click Start once you’ve finished with Test mode and it works.
4.  The computer you want to control with the server’s keyboard and mouse is the Client. Install Synergy on this computer, too.
5. Enter the network name of the server you already set up, and click Start. Use Test mode to see if it will connect without errors; you can then try it out to see if it works (if the server is running).
6. Click Start once you’ve finished with test mode and it works.
7. Have loads of fun!

I set this up at work, with my desktop as the server and my laptop as the client. Ta-da, now I can use my nicer mouse and Natural keyboard on my laptop, just by moving the cursor off the desktop’s screen! This is really slick.

What is it missing? Security, for one. There is no authentication between the client and server. So someone else running this software on your network could connect depending on how your computer is configured. I assume the traffic can be sniffed and interpreted, if someone were so inclined (but this would likely be difficult, on a switched LAN, and with the need to decipher mouse and keyboard controls). I imagine the keyboard would be much more useful to sniff than the mouse, which would be almost useless. On a home network, this probably isn’t an issue. At work, it depends on your co-workers: if they’re probably never heard of this software and you’re the only IT guy, it is very unlikely they would even know to look for such a thing! One way to slightly increase security would be to use a non-standard port. The default is 24800, but if you change this on the Advanced button, someone running the same software would have to do more work to figure out how to connect (don’t forget to set the same port on client and server!).

The other thing that’s missing is a polished interface. There is a GUI for Windows, but you should probably read the Using Synergy guide on their site the first time through when defining Screens and Links (positions relative to each other). Mac and Linux appear to be configured via text file only, but they do have the steps listed on their site. I haven’t tested this, but it does sound exciting to use a Windows computer’s keyboard and mouse to control a Mac or Linux machine right next to it! Or any of the other directions you could go.

With those caveats, if you have the two computers in close proximity you need to test this, I highly recommend going geek crazy and testing this. Just be sure to keep the computer equipment out from under your chin; it doesn’t generally take kindly to liquids, including drool!

Basically, because we have ISA, I can limit what particular user groups are able to do over their VPN connection, just like any other firewall rules. Very few people get file server access at all (actually, me and one guy who connects from his church laptop) over VPN. The rest are limited to Exchange server connectivity or Remote Desktop primarily, although now that we have RPC over HTTPS in place, it’s much simpler than VPN for the user and so that’s used almost exclusively for remote Outlook access now, and is as much as most people need (if they have a laptop they have an offline copy of most of their files anyway).

For those that still require remote access to their desktop at work (especially if they don’t have a church-owned laptop), I’ve been moving from VPN with Remote Desktop access (complicated to train someone to use since the connection is separate from the RDP client) to LogMeIn.com for remote access. There’s a free version and a Pro version, with remote printing and file transfer being the main additional features of Pro. The main benefit? It’s easy and just requires a web browser, it’s fast, and not very expensive (with the special we got anyway, or the free version is of course free!). I have run into an issue with a new remote user that hasn’t gotten LogMeIn to work on their own but I haven’t had a chance to troubleshoot this yet (I’m sure it relates to the steps to get the ActiveX or Firefox plugin installed for LogMeIn initially).

We have a Terminal Services server with a handful of user licenses that we use for some volunteers that need remote access from their home computer but don’t have a dedicated desktop at work. I haven’t attempted LogMeIn through Terminal Services, but I assume it wouldn’t work properly with the multiple sessions that make Terminal Services useful, and would only allow access to the console session. For this, we still use VPN, with a CD created from the CMAK along with an auto-running tutorial created with Wink that walks users through installing the VPN connectoid (which has all of the settings preset) and starting a VPN connection. Using custom commands in the CMAK connectoid, I’ve included a Remote Desktop settings file that automatically runs upon connection, automatically opening and connecting to the Terminal Server inside the VPN once it’s connected. When Remote Desktop is closed, the connectoid logs off the VPN. The integration of VPN and Remote Desktop isn’t perfect, but it’s a lot easier this way (most of the time) than trying to get people to understand connecting to the VPN first, then connecting with Remote Desktop manually, and disconnecting in reverse. The more automated the better! These VPN connections are of course limited through ISA to be allowed to connect only to the Terminal Server, and only through the RDP protocol.

One thing’s for sure: when allowing an unmanaged computer on the network, especially as unsupervised as a remote connection is, it pays from a security standpoint to keep the leash as tight as possible! And it’s the unintentional risks (spyware, viruses, etc.) more often than malicious users that cause a problem. The best part is, protecting from one helps to protect from the other (in general).

This means users can connect using the standard Microsoft VPN clients, but they can only do what you allow via firewall rules. A network administrator could have full network access if needed, while users connecting to Terminal Services could be allowed to connect using only Remote Desktop (TCP port 3389), and only to the terminal server, based on their user name.

This is great! [sarcasm]It’s so great that we’ve started using LogMeIn services for some of our remote access.[/sarcasm>]Why? Well, configuring both the VPN connectoid (even with the CMAK) and Remote Desktop, not to mention actually using them, can be a bit of a chore for some users, especially if they’re setting it up at home where it’s harder to walk them through it. LogMeIn, on the other hand, has an excellent, web-based interface, very compatible remote control, and some easy options like remote printing and file transfer that are harder to set up with plain-vanilla VPN. LogMeIn has a free version, without file transfer or remote printing, which is excellent for proving basic remote support to people like family (I should know, that’s how I use it!), or connecting to your home computer remotely (yep, that I do, too). The Pro version is normally almost $13/month per remotely-controlled PC, which is a bit pricey. They have a special going on right now, however (unknown end date) where you get 5 computers for $20/month (or more at the same price, if needed) that makes it much attractive, and I’ve switched our two heaviest non-Terminal Services users over (it wouldn’t work for Terminal Services because of the multiple sessions issue), plus myself.

They also offer a service calls LogMeIn IT Reach, for the same price (and special price) as the LogMeIn Pro service, but it is targeted towards IT users managing servers remotely. The web interface to logs, shares, users, performance stats, and more is excellent! Better in some cases than the built-in Windows tools in some cases, in my opinion. And the price, at the moment, is excellent and worth every penny, if you need more than the basic features. Just a happy customer.