What are to consider?

Brand of the servers? Of course. The softwares? Sure.

Anything else?

These are three things that cross my mind.

Raid 5

If your data are important, and mostly are, than use server that support Raid, at least Raid 5.

With Raid 5, we use at least three hard disks with the same capacity (and better with the same brand and model) and configure it as one drive. If one hard disk failed, the data still can be accessible.

Without Raid 5, if you have three hard disk, and one hard disk is failed, that all the data in  that hard disk will be lost.  You need to rely on your latest backup and pray that restoring the data won’t be a problem.

Minor side with Raid 5 is that Raid 5 will use one hard disk capacity as it parity, so if you have three 1 TB  hard disks, than the total of your capacity is only 2 TB.

And also with Raid 5 , the performance is slower.

With at least Raid 5, you will have redundancy and more capacity compare to Raid 1. There is also Raid 6 that extend the Raid 5.

More about Standard Raid Levels

Hot Swap

Ok, now you use Raid 5 for your critical servers that should run 24 hours a day and 7 days a week.

If one hard disk failed, at least your server still able to run with slower performance.

Now, you still need to replace the failed hard disk with a new one. If your server support Hot Swap capabilities like most IBM xseries, than it should not be a problem. You just need to unplug the failed hard disk, wait for 30 seconds and plug in the new one. Total time should be less than one minute.

But, what if your server do not support Hot Swap?

You need to shutdown your server (when? ), open the server case if necessary, detach the cables, unplug the failed hard disk, then plug in the new disk, attach the cables, close the case then power it on again.

How much time do  you need for that?

And you need a spare time to do it, you can’t just shutdown the server on office hours, you need to do it after office hours, or maybe before office hours or maybe on weekend?

Warranty

Make sure that your servers have good support and spare parts availability.

One thing that I like the most from IBM server is their warranty and support.

While I’m working with the IBM servers, I have two mainboards problem and four failed hard disks.

The longest time it need is to replace one mainboard from the old server (very old), because they need to ship it from Singapore.

Recently I have one failed hard disk (one of the reason why I wrote this), call IBM support and describe the problem, and all they need is our machine type, serial number and the FRU of the hard disk. Then hard disk replacement already in the office in the next morning.

That what I called a good support.

If they need a month to replace a failed a broken part, that the support, the warranty is useless.

If your warranty going to expired, or already expired, you should, you must extend it. It’s not cheap, but for me, very worthed.

With IBM, you can choose 5 days support, or 7 days support. With 7 days support, if you call them on weekend, they still come.

Not sure for other brand, if they support as good as IBM. I only works with IBM brand.

Note, I’m not an employee of IBM.

She using windows vista and windows mail as her mail client. I tried to explain to her on how to solve the problem, but she still didn’t understand. Can’t blame her, she is not a computer geek, but a very good sales person.

She is at home, while I’m in the office, and her buyer waiting for the email, now what to do?

Luckily, the last time I visited her house, I downloaded a very good software called Team Viewer. I ask her to connect to the internet, and then run the team viewer software by double click the exe file, no need to install, then she get the session id and password.

And that is it.

She gave me the session id and password, I run my team viewer and than connected to her computer at no time.

Solved the problem in less than 10 minutes, the stuck email went away to her buyer.

She happy, her buyer happy, and I’m happy able to help.

For quick, and easy setup remote access software, TeamViewer really is the king. You don’t even need to install the software.

Not only for remote  access, with TeamViewer you can also chat or copy files between computers. Great for remote support.

And all of that without any cost (for home user).

TeamViewer is highly recommended software, that every support computer should have.

I’m not related in any way with Team Viewer. I am just a happy user.

But, luckily we also have local anti virus, that mainly able to detect and clean those local viruses, like pcmav and smadav.

But, compare to them, personally I like smadav most because of it small size and able to work together with mainstream anti virus. My smadav 2010 rev 8 able to work together with Symantec End Point 11.

As stated in their website

Smadav was made to clean and protect your computer from local viruses that many spread in Indonesia.

If you using anti virus like symantec, mcafee and esset, you can use smadav as second layer of protection against virus without a problem.

You can download the smadav for personal use for free in here. The website and user interface are in bahasa, but it’s will not be difficult to understand the interface because it so easy.

If you want to try pcmav, you can download it in here.

Be secure.

I’m very well aware of all Symantec Anti Virus Products, specially that I used to use Symantec Anti Virus Corporate Edition (now called Symantec EndPoint Protection) .  The best thing that I like from Symantec that even though many people complains that Symantec Anti Viruses are very slow (and I agree ) but it very stable.

And talking about viruses, I prefer slow but accurate rather that fast but there are many viruses still slip away.

But, after many successful installation of Symantec EndPoint Protection, I failed in one computer, with the error message.

symantec endpoint protection has detected that there are pending system changes that require a reboot

After search the net, it’s not Symantec problem, actually more than Microsoft problems.

The solution is quite simple.

Open regedit (you should know where and how to run regedit ), find the value PendingFileRenameOperations, then delete all the data.

The data should be like this:

\??\source file
!\??\target file

After you delete the data, now you can continue to install Symantec EndPoint Protection without anymore problem.

Lotus foundation is a “software suite” that has it own operating system based on striped Open Suse linux, and a striped down version of Lotus Domino server. It has it own anti spam and anti virus software, file sharing, firewall and even VPN server, that why I called it a software suite.

This is a software suite, so it can be installed in any hardware, but maybe some IBM Business Partner will sell it with the hardware to reduce hardware compatibilities issues.

And for the email clients, it support webmail, lotus notes clients, ms outlook and any other email clients that support pop3 an
In the advertisements, it state that it can up and running in less than 30 minutes, and it designed for small office with no IT personnel.

The suite can self configured, it mean that it will automatically detect the network infrastructure and configure it self based on it founding.

If the suite detected that there are some malfunction in part of it software, it will try to heal it self, by restore the configuration from the last backup, and it will done automatically.

In the demo, the hardware come with two sata harddisks, on for the suite and the other one for the backup. If something really bad happen, it will only take 30 minutes to restore to it default stat, and maybe another 10-30 minutes to restore from the backup.

You can get the brochure here, and the datasheet here.

I guess it true, that the suite is designed for small office that has no IT personnel, and soon I’ll be out of the job .

But even the easiest documentation can become confusing sometimes. One of them is how to enable SSL in Lotus Domino servers.

I have to read it many times until I understand the concept, so to avoid others to have my difficulties; I created this simple how to.

SSL requires certificate, while Lotus Domino support the certificate that created by third party organizations, Lotus Domino also have the capabilities to create it own certificate called Self-Certified Certificate. The problem with Self-Certified Certificate that you need to accept the certificate (trust) before you can use it, while the third party certificate already trusted.

This how to will only to discuss about how to create Self-Certified Certificate, this how to will not discuss about the certificate that created by third party organizations. The idea of self-certified certificate is that you can quickly setup your own SSL certificate.

This how to required Lotus Notes client, access to Lotus Domino server as Lotus Domino administrator, and have access to copy files to Lotus Domino server.

Server Certificate Administration Database

When you install Lotus Domino in the first place, it will automatically created a database called Server Certificate Administration. You will need this database to create your own Self-Certified Certificate. Find and open the Server Certificate Administration or certsrv.nsf in the server, if not available you can create it with the template: csrv50.ntf, give the database name certsrv.nsf

There are several options in the left menu, just ignore it. We only want to create Self-Certified Certificate, click the “Click Key Ring with Self-Certified Certificate“.

Create Key Ring

Now, there are several fields that need to be filling in. There should be enough help in the Quick Help, but to make it easier, these are the examples:

Key Ring Information

Key Ring File Name

The file name of the key ring, the key ring should have kyr extension. If you have several servers that need SSL connection, better give it more understanding name. In this example I give my file name as selfcert-st01.kyr, where st01 is my server name.

Password and Password Verify

No need to explain about it.

Distinguished Name

Common Name

The Full Qualified Domain Name (FQDN) of the server. In this example I put st01.indomino.net, because my server will be accessible with st01.indomino.net. Make sure that you can connect to your server with your FQDN.

Organization

Explain about your organization, or your company. I use indomino in the organization.

Organizational Unit (optional)

If you need to break your organization in more details, maybe based on departments or locations. I leave it blank; you can put your department or location.

City or Locality (optional)

Your city name, I put Jakarta

State or Province

Your Province, I put Jakarta

Country

Because I live in Indonesia, I put ID

Make sure everything is correct than click the big button in the bottom of the page “Create Key Ring with Self-Certified Certificate“

It will create the key ring and it will notify you that the key ring has been created.

The process will create two file names in your notes data folder, selfcert-st01.kyr and selfcert-st01.sth. The files will be located in your local drive. You need to copy both file to the Lotus Domino server in the Lotus Domino Data directory.

Enable the SSL

Now the fun part, how to enable the Self-Certified Certificate with your Lotus Domino.

1. Open your Lotus Domino directory, you have to have full access to it.
2. Find and edit your current server document configuration (If you using internet sites you have to edit or add the internet sites documents)
3. Go to Ports tab and find the SSL settings
4. In the SSL key file name field,  type your kyr file that you just created, I put selfcert-st01.kyr and just let other setting as default.
5. Now you can enable SSL in any protocols, in this how to I will enable it in HTTP protocol.
6. Go to Web tab, and find the SSL port status then change it into enable
7. Click save and close

Now you can access your website with https, use your server FQDN to access your website.

if you access your website via internet explorer or firefox, there will be an error message telling you that the certificate is not trusted, just ignore it and click continue.

To prevent this annoying pop up, you need to accept the certificate in your certificate list.

This how to accept the certificate in MS Internet Explorer.

In the address bar, there will be a message telling that the site have certificate error.

Follow these steps to add your certificate as trusted certificate.

1. Click it and click view certificate
2. Click install certificate, don’t click automatically install, click browse instead.
3. Select the trusted root certificate authority, and then click finish.
4. There will be a big warning, just ignore it and click yes.
5. Restart internet explorer, now you can access your website without certificate warning.

Now you have SSL enabled Lotus Domino server. You can use SSL not only in the HTTP, but also in Email and LDAP.

With HTTPS enabled, your users can change their own password from webmail.

]]> http://www.indomino.net/blog/2009/01/17/how-to-enable-ssl-in-lotus-domino/feed/ 3 http://www.indomino.net/blog/2008/10/07/about-domino-web-access/ http://www.indomino.net/blog/2008/10/07/about-domino-web-access/#comments Tue, 07 Oct 2008 02:47:10 +0000 bfebrian http://www.indomino.net/blog/2008/10/07/about-domino-web-access/ With Lotus Domino, we have the abilities to access our mailbox via web. First, is nothing more than quot;Hey, I can access my email via webquot; or simply webmail, and now it become ‘full features’ Lotus Notes client or iNotes (later it called Domino Web Access or DWA).
Now in Domino Web Access there are three options on how to access your mailbox via web.

• Domino Web Access
• Domino Web Access Lite
• Domino Web Access Ultra Lite

Big thanks to Gunawan’s blog who give me the news about the new web access ultra lite and how to enable it.

Domino Web Access
This is the standard web access. If your main internet browser is Internet Explorer and you have fast internet connection, than this kind of web access is the most suitable for you.
As normal Lotus Notes client, It give you more features, like preview and full access to your calendar.
I still having problem to access Domino Web Access via my Firefox 3.0.1, it still buggy. One big problem that I can’t attached any files to new email. I’m not sure if the problem is in Domino or Firefox, but I do hope that both parties can work together to solved this problem.

Domino Web Access Lite
As in the name, this web access is a liter web access version than the standard. If you have slow or medium internet connection maybe you can try this web access. It does not give you preview and full calendar functionality, but it will give you tabs for email and sidebar for calendaring.
You can easily change from full dwa to lite dwa from the right top menu.

Domino Web Access Ultra Lite
This is new since Lotus Domino 8.02, designed for mobile users with smartphone or pda. It designed to run on iphone but it run perfectly in my Opera Mini under my Nokia E61. But because of the landscape screen in Nokia E61 , the icons does not fit very well. It should fit well in any screen that in portrait mode.
As in Gunawan’s Blog you can try to access your Domino Web Access Ultra Lite via Google Chrome, but because Google Chrome is using some part of Opera engine, I think it should run in Opera browser too (it run in my Opera Mini).

Domino still support standard webmail for older internet browser or non standard internet browser (I can access webmail via Opera Mini).
For more security, it is wise to enable SSL encryption in your web server to prevent someone else hacking into your data, specially your username and password.

Now, from my consultant, I’m being told that Symantec, again, releasing a new product for security called Symantec Endpoint Security. Symantec Endpoint Security will be replacing Symantec Anti Virus Corporate Edition 10.

Why security, why not Anti Virus? Because it’s more than Anti Virus, it have:

• Anti Virus
• Anti Spyware
• Firewall
• and Intrusion Prevention

You can download a trial version of Symantec Endpoint Security in here.

This is a good news, that meant that Symantec is trying to do their best to improve their security product to protect their customer.

But, this is also a bad news for me. Why? Because I need to migrate to existing Symantec Anti Virus CE 10 to the new Symantec Endpoint Security. And that, will be NOT an easy job.

There are three version of Symantec Endpoint Security:

1. Symantec Endpoint Security pdf
2. Symantec Endpoint Security Small Business Edition pdf
3. Symantec Multi-tier Protection pdf

What suprise me that, in Symantec Endpoint Security Small Business Edition they have Symantec Mail Security for Microsoft Exchange, but Lotus Domino.

Why, I’m not sure. Symantec Mail Security for Domino only exist in Symantec Multi-tier Protection.

If you using Lotus Domino, and want to use Symantec product, than you need yo buy the most expensive product which is Symantec Multi-tier Protection, and if you use MS Exhange you can buy more cheaper product.

Now, again, I need to learn how to migrate our Anti Virus or Security software and I hope that the new software will perform better than the previous one.

Cross my fingers, and moving forward.

I just have an electrical problem, the power from electric company was down, so we have to run our servers from ups.

After a while, the ups start to drop the battery, so we start to shutdown unnecessary servers, so it give the ups more power to run.

But, it not for long, the electriciy still down and the ups battery start to drop quickly, so we decided to run ONLY the smtp server, so at least we still can receive emails.

But someone in the IT department take it very literally, he or she also pull the plug of the switches, including the main switch that connect to the servers (including smtp server)
And the smtp server is up and running.

But without the connection to the main switch, how it can receive any emails?

No one say that he or she that pull the plug of the switches, it still remain a mystery.

1. IPCop as default allow all connections to the Internet. This maybe ideal for home users but not corporate users.
2. IPCop as default not support NAT 1:1. Although we can modify the iptables script (/etc/rc.d/rc.firewall.local), but it will nice to have a gui for it similar with port forwarding and external access in Firewall menu.

Other than that, overall IPCop is good firewall, stable and easy enough to manage.

IPCop Addons
IPCop addons is a bit tricky to install. I have install many addons, while most of them install flawlessly, but a few of them cause a big problem.

A Tip
Before you add patch or add an addon, please do it your test machine and see how it’s going. I have spent an entire night to fix it after I installed an addon.

I will only talk about addons that I have a problem when installing.

BlockOut Traffic (BOT).
I have no problem when installed this addon, the installation was easy, and the configuration is very straight forward. BUT after I download and install a modified kernel that support layer7 filtering from http://www.mhaddons.tk/, BOT doesn’t works anymore.
Before the modified kernel, BOT block out any traffic successfully.

But, after the modified kernel installed, nothing is blocked.
Reinstalling BOT doesn’t solved the problem.

It seem that BOT and the modified kernel can’t work together.

Finally I had to remove BOT, and manually modify the iptables to block most of the ports.

Guardian

This one cause a very big problem. I download the latest guardian (v 2.4.9.7) from http://www.mhaddons.tk/, and when installing I receive an error. I’m not sure what kind of error, it says line error or something, but the installations process continue with no further error.
Curiosity, I reinstall the Guardian, and that cause a big problem.
Connection to the IPCop servers is blocked.
When I list the iptables rules with iptables -L command, it give me surprisingly result.

Chain INPUT (policy DROP)
target prot opt source destination

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination

When I try to manually run the iptables script, it give me errors about segmentation fault.

Panic, I restart the server, still give me errors about iptables segmentation fault.

I realize that IPTables got corrupted.

Then I found out that I still able to change the default policy from DROP to ACCEPT, at least I still can access the server remotely and copy files.

No connections to the net allowed unless though proxy.
Incoming and Outgoing email pending in the mail server.

I’m not sure how can I restore the corrupted IPTables.

After some trying and errors, than I manually copy files from the original iso of IPCop from /lib/iptables and /sbin and then restart.

It solved the problem.

All the iptables rules applied and run, what a relief.

I know that I need the install the new kernel that support layer 7 filtering, but I think that enough for now. I hate another surprises.
Regarding my previous tip, now I’m looking for unused, spare PC to become my test server. I will install all new addon in there first, after successfully installed, then I will installed in the live firewall.
I hope there are no more surprises.

I do now run many addons in my IPCop, and they works wonderfully, but still a test server will be great.