28 Jan 2010 @ 10:18 AM 

One source of confusion when migrating from a Windows 2003 SBS Server to a Windows 2008 Server is the change in SSL certificate. They have moved from a single-name SSL certificate to the UC/SAN (Unified Communications/Subject Alternative Name) certificate. Your nice cheap SSL certificate will no longer work and you will need to purchase the more expensive and confusing UC/SAN certificate.

It’s not that complex really: all a UC/SAN certificate does is contain alternative host names within it. It differs from a wildcard SSL certificate, which just covers a whole domain, e.g. *.upuaut.net. A UC/SAN certificate can cover multiple domains.

OK, so SBS 2008. It needs a UC/SAN certificate with the following names in it (using mydomain.com as an example, with the local server called myserver.mydomain.local):

remote.mydomain.com (Used for Remote Web Workplace/webmail)
autodiscover.mydomain.com (Used for the excellent autodiscover service)
myserver.mydomain.local (Used internally)
smtp.mydomain.com (Used for SSL encrypted SMTP traffic)
myserver

Making the CSR

So how do we generate the CSR (Certificate Signing Request) for this lot?

Right-click the Exchange Management Shell and choose Run as administrator. Amend the command below to match your own details and paste it in as a single line:

New-ExchangeCertificate -GenerateRequest -Path c:\remote_mydomain_com.csr -KeySize 2048 -SubjectName "c=GB, s=Region, l=City, o=Mydomain Limited, ou=Information Technology, cn=remote.mydomain.com" -DomainName autodiscover.mydomain.com, myserver.mydomain.local, smtp.mydomain.com, myserver -PrivateKeyExportable $True

Once this is done you need to find a nice cheap place for UC/SAN certificates. You can get them from this site, a Go Daddy reseller in the UK, for £37.05 a year.

Place your order and paste in the CSR from c:\remote_mydomain_com.csr (just open it in Notepad).

When you paste it in, press Tab and make sure the subject alternative names all appear correctly. Once happy, let it chew around in the Go Daddy system until they authorise it (the CNAME method is pretty quick!).

In the meantime make sure you set up external DNS A records for remote.mydomain.com, smtp.mydomain.com and autodiscover.mydomain.com.

Installation

When the certificate is delivered copy it to the server.  Open the Exchange Management Shell again as administrator.

Import-ExchangeCertificate -Path C:\mydomain.cer | Enable-ExchangeCertificate -Services "SMTP, IMAP, POP, IIS"

There you go, all done. Clients can now just open Outlook 2007 anywhere and enjoy the encrypted connection just by typing in their mail address and password!
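A check worth running on the delivered file before the import step, as an added example that is not part of the original post: it reads the certificate with .NET, lists its subject alternative names and compares them with the names requested above, and also checks the key size and expiry. It assumes PowerShell 2.0 or later and an English-language Windows (the "DNS Name=" label is localised); the path and host names are the ones used in this post.

```powershell
# Added example: inspect the delivered certificate before importing it.
$certPath = 'C:\mydomain.cer'   # path from the import command above
$expected = @(                  # names from the list at the top of this post
    'remote.mydomain.com', 'autodiscover.mydomain.com',
    'myserver.mydomain.local', 'smtp.mydomain.com', 'myserver'
)
$minKeyBits = 2048              # matches -KeySize in the request

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath

# Common name from the subject (remote.mydomain.com in the request above).
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$covered  = @($cert.GetNameInfo($nameType, $false).ToLower())

# The Subject Alternative Name extension is OID 2.5.29.17.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sans = @()
if ($sanExt) {
    # Format($true) prints one entry per line, e.g. "DNS Name=smtp.mydomain.com".
    # Assumption: every entry is "label=value"; the label text is localised.
    $sans = @($sanExt.Format($true) -split "`r?`n" |
        Where-Object { $_ -match '=' } |
        ForEach-Object { ($_ -split '=', 2)[1].Trim().ToLower() })
}
$covered += $sans

$missing = @($expected | Where-Object { $covered -notcontains $_ })
$extra   = @($sans | Where-Object { $expected -notcontains $_ })
$keyBits = $cert.PublicKey.Key.KeySize

"Subject   : " + $cert.Subject
"Expires   : " + $cert.NotAfter
"Key size  : $keyBits bits"
"SAN names : " + ($sans -join ', ')
if ($extra.Count)   { "Unrequested names present: " + ($extra -join ', ') }
if ($missing.Count) { "MISSING names: " + ($missing -join ', ') }
if ($missing.Count -or $keyBits -lt $minKeyBits -or $cert.NotAfter -lt (Get-Date)) {
    "Do not import: certificate does not match the request."
} else {
    "Certificate covers all required names; ready for Import-ExchangeCertificate."
}
```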

Tags Categories: Uncategorized Posted By: Anthony
Last Edit: 28 Jan 2010 @ 10 18 AM

 23 Apr 2009 @ 9:09 AM 

When evaluating VMware ESX or Microsoft Cluster solutions, the first question that arises is: how do I get some shared storage very cheap (i.e. for nothing)? Well, firstly you need to be looking at iSCSI. If you’re familiar with TCP/IP then iSCSI won’t be a big jump. It just takes the SCSI data and sticks it on a standard TCP/IP network.

There are some fantastic open source offerings out there such as Openfiler. Openfiler does iSCSI SANs but is, in my opinion, very complex to set up even for someone with a lot of Linux experience, and as for making it redundant, well, good luck; if you work it out let me know.

A commercial product that is in a different league to Openfiler is the HP/LeftHand SAN. It is based on proprietary HP hardware, but they also do a Virtualised SAN for use with VMware ESX and as a “laptop” demo. For the purposes of this article I’m going to use the VSA for laptop demo. It works for 30 days, which should be long enough to evaluate the technology and see if it’s the right product for you.

What you will end up with: a simulated 3-node redundant iSCSI SAN running on one PC, suitable for evaluation of VMware ESX/Microsoft Cluster Services. Also a great demonstration of what the HP/LeftHand product can do.

What you need to begin

1/ VMware Player. For this demo I’m using VMware Player running on Windows Vista x64. Install it.
2/ Go here: https://h20392.www2.hp.com/portal/swdepot/searchProducts.do

Search for: HP LeftHand P4000 Virtual SAN Appliance Software
Click Receive for trial
Download the AT004-10004.exe CMC and the VSA_SAN_iQ_8.1_Laptop_Demo_Tool_for_Vmware_AT004_10006.zip

3/ If you’re not running Vista go get the Microsoft iSCSI Initiator.

Setting Up The VSAs Within VMware Player

1/ Wherever you store your Virtual Machines create 3 directories called VSA1, VSA2 and VSA3.
2/ Extract the vsa_demo.zip to your recently created VSA1, then to VSA2 and to VSA3 directory.
3/ Open VMware Player.
4/ Open -> Navigate to VSA1 directory -> Select VSA.vmx
5/ Once it’s booted up, from VMware Player select Devices -> Network Adaptor -> Bridged.
6/ Type Start at the login -> Press Enter Twice -> Use the Arrow Keys to select Network TCP/IP Settings -> Select eth0
7/ Set hostname to VSA1. I recommend you fix the IP Address to something that works on your LAN. My LAN is 172.16.1.0/24 so I picked 172.16.1.31. Click Ok a few times. Then go back to the login. You can now minimise this; you won’t be needing it again.
8/ Open another instance of VMware Player and open the VSA.vmx from the VSA2 directory. Repeat setting the hostname/IP as above to VSA2/172.16.1.32 (or whatever you choose).
9/ Open another instance of VMware Player and open the VSA.vmx from the VSA3 directory. Repeat setting the hostname/IP as above to VSA3/172.16.1.33 (or whatever you choose).
10/ It’s worth checking connectivity to all the machines at this point: check your host machine can ping the 3 VSAs.

Setting Up the CMC

1/ On your client machine install the CMC as downloaded in step 2. It’s a Next, Next, Next installer.
2/ OK, let’s make a SAN. The CMC should start into the Find Nodes Wizard. Click Next, select By Subnet and Mask and hit Next. Click Add, put your subnet in and press Finish. If you got it right you should see your 3 VSAs as newly found. Press Close. If you can’t see the nodes, check you set the VMware Player network to Bridged and you can ping the nodes.
3/ From the Getting Started Launch Pad Select Management Groups, Clusters and Volume Wizards.
Click Next.

  • Select New Management Group then Next.
  • Give your management group a name, e.g. EVALCOMPANYSAN. All the nodes should be highlighted below. Press Next.
  • Fill in some login details, for test purposes use admin/password. Click next.
  • On the time server page Add pool.ntp.org. Next
  • On the Create Cluster Page select Standard Cluster. Next
  • Give your Cluster a name e.g. DEMOCLUSTER. Next
  • On the next page you need to give the cluster a Virtual IP. I would recommend one up from the last cluster, in my demo 172.16.1.34. This is the IP the iSCSI Initiators will connect to.
  • On the create Volume page select Skip Volume Creation and press Next. Click Finish. Go make a coffee whilst it does the magic.

Let’s Make a Volume

1/ Expand DEMOCLUSTER then Select Volumes(0) and Snapshots. Under Tasks select New Volume.
2/ Give it a name and select a size (Suggest 1Gb). Select the Advanced Tab. Here you can select the Replication level; I suggest 2-way for this demo. The VSAs ship with 5Gb per node of space.
Note: Thin Provisioning is interesting. If you set the node size to 2Tb and select Thin provisioning it will present a 2Tb volume. You won’t be able to use 2Tb but it means less time-consuming O/S reconfiguration later: you can just add additional nodes to make up the space at a later date. For this example select Full Provisioning. Click Ok.

Let’s Connect It!

1/ On your host machine open up the iSCSI Initiator in the control panel. On the General Tab you will see the initiator name, e.g. iqn.1991-05.com.microsoft:pc.mylan.local. Copy this to the clipboard and go back to the CMC.
2/ Under EVALCOMPANYSAN click Servers(0). Under Server Tasks click New Server. Give it a name and a description. Paste your initiator node name in and select CHAP Not required. Deselect load balancing. Click Ok.
3/ It should switch to the Volumes and Snapshots Tab under your new server. Click Tasks -> Assign and Unassign Volumes and Snapshots. You should now see the Volume you created earlier. Check the Assigned box.
4/ Switch back to your host PC iSCSI Initiator Properties. Select the Discovery tab and Add Portal. Type in the cluster IP address you selected when setting up the cluster. I chose 172.16.1.34. Click Ok. Select the Targets tab; you should see your volume listed as inactive. Press Log on. Click Ok.
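If the volume does not show up on the target tab, a quick reachability check helps narrow it down. The script below is an added example, not part of the original post: it pings the three VSA nodes and then tests whether the cluster virtual IP accepts TCP connections on port 3260, the standard iSCSI port. The addresses are the ones used in this walkthrough, the function name Test-TcpPort is hypothetical, and PowerShell 2.0 or later is assumed.

```powershell
# Added example: reachability check for the demo SAN (addresses from this walkthrough).
$nodes     = @{ 'VSA1' = '172.16.1.31'; 'VSA2' = '172.16.1.32'; 'VSA3' = '172.16.1.33' }
$clusterIp = '172.16.1.34'   # virtual IP given to DEMOCLUSTER
$iscsiPort = 3260            # standard iSCSI target port

# Hypothetical helper: returns $true if a TCP connection succeeds within the timeout.
function Test-TcpPort([string]$Address, [int]$Port, [int]$TimeoutMs = 2000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Step 1: can the host reach each VSA at all?
$ping = New-Object System.Net.NetworkInformation.Ping
foreach ($name in ($nodes.Keys | Sort-Object)) {
    $ok = $false
    try { $ok = ($ping.Send($nodes[$name], 1000).Status -eq 'Success') } catch { }
    $state = if ($ok) { 'ok' } else { 'FAILED - check Bridged networking' }
    "{0} ({1}) ping: {2}" -f $name, $nodes[$name], $state
}

# Step 2: is the cluster virtual IP answering on the iSCSI port?
if (Test-TcpPort $clusterIp $iscsiPort) {
    "Cluster VIP ${clusterIp}:$iscsiPort is accepting connections; add it on the Discovery tab."
} else {
    "Cluster VIP ${clusterIp}:$iscsiPort is not reachable; check the cluster was created and the VSAs are running."
}
```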

Let’s Use It!

1/ Right click My Computer -> Manage -> Disk Management.
2/ You should see a new disk. Initialise it and make a new simple volume. Perform a quick format, don’t do a full format - ever! If you full format with thin provisioning you’re in trouble :)

There you go, a full enterprise iSCSI SAN for free in about 45 mins. In my next article I’ll demonstrate the redundancy and fail over. If you decide you like the LeftHand SAN, my company are an authorised UK Reseller for the LeftHand equipment, so please don’t hesitate to give us a call.

Tags Categories: HOWTO Posted By: Anthony
Last Edit: 23 Jun 2009 @ 07 54 PM

 20 Mar 2009 @ 8:14 AM 

Looks like my Uncle didn’t dive for cover when the Google Street View vans came by.

Fortunately he was just doing a little gardening! Privacy? Not a chance.

Uncle Google

Tags Categories: Uncategorized Posted By: Anthony
Last Edit: 20 Mar 2009 @ 08 14 AM

 10 Mar 2009 @ 3:14 PM 

This is the personal blog of Anthony Stirk, mainly designed as a filing place for all my random musings and sometimes some technical information that may be of use to you. I work for a computer consultancy in the North of England specialising in the installation and ongoing support of Windows Small Business Server based systems. I’ve spent over 15 years working in IT but I haven’t learnt yet that having a blog probably isn’t a wise idea. I have a lovely fiancée and a small dog. According to Wikipedia “blogs” have been around since 1999; however, a chap called Tazzo beat you all to it in 1998.

Tags Categories: Uncategorized Posted By: Anthony
Last Edit: 10 Mar 2009 @ 06 59 PM
