Get Ready for tomorrow's Private Cloud - Today!

Private Clouds are increasingly important to the efficient operations of your business. The System Center 2012 products provide everything you need to build, secure, maintain and manage your Private Cloud. You can get all of the latest Betas, Release Candidates and Evaluations by clicking one button!

  • chris e. avis - writing about microsoft and technology....

    Media Center Music Library Screencast...

    • 4 Comments

    My team is working on a rather extensive project to publish screencasts on Vista features. My first run at it is on the Media Center Music Library features to show how easy it is to organize and find your tunes in Media Center. The screencasts are designed to be short (5-10 mins max) and portable (.wmv format only for now).

    I would enjoy your feedback on the screencasts!

     

    Cheers!

  • chris e. avis - writing about microsoft and technology....

    Screencast - Vista Power Management - Power Plans

    • 1 Comments

    This is the second in a series of Screencasts I have recently completed. This one deals with the Windows Vista Power Plans and the ease with which you can change and customize them. I can say for a fact they work too. I usually run on the High Performance plan and I can just make it through a 2.5 hour movie on the plane in that config using my Lenovo T60p on a full charge. Switching to Power Saver gives me a full 45-60 minutes more time after the movie. Sweetness.

    I will be posting a few more screencasts immediately after this one. For those interested, I used TechSmith's Camtasia to capture the screen demos. Slick product. 

    Vista Power Management - Power Plans

    Cheers!

  • chris e. avis - writing about microsoft and technology....

    Why Deploy IPv6 - Resources....

    • 1 Comments

    I am delivering a webcast today on Why to Deploy IPv6 at 9am Pacific time today...

    Here are some resources that I will be referring to....

    Server and Domain Isolation Site

    Network Access Protection (NAP) Site

    Introduction to IPv6 Whitepaper (updated January 2007)

    IPv6 technical Reference Site (this is a little older but still relevant)

    Internet Systems Consortium (ISC) Internet Host Survey - Record of number of hosts on the Internet every year since 1981

    How Windows Vista Delivers IPv6 - An Ask the Experts session by Dale Geesey

    How IPv6 Works - Architecture, Routing, Transition technologies

    IPv6 Transition Technologies

    DNS Client Behavior in Vista

    Name of Large Numbers - Cool Wikipedia entry discussing how large numbers are named....we reference "undecillion" in the webcast....

     

    Cheers!

  • chris e. avis - writing about microsoft and technology....

    Up late with Darwyn and Hayden....

    • 1 Comments

    I have three daughters from two previous marriages. I remarried for the final time just over a year ago. Jeanne (my wife) and I were together for 5 years before we got married. During that time we discussed a lot of things future-related that dealt with our relationship. One of those things was regarding children. She has no children of her own and didn't want any. She enjoys my children and that fulfills her motherly instinct. This was discussed many times and she convinced me that she did not want to try to have kids once we were married. I believed her. I trusted her. I married her.

    I was betrayed....

    My youngest daughter is 8 years old. Well out of diapers. I thought the days of getting up in the middle of the night to comfort a crying child, clean up "messes", and satisfy their hunger were long over.

    Or so I thought....

    About a week ago my wife comes home with the twins - Hayden and Darwyn.

    And here I am at 3:30am, comforting the crying kids, cleaning up "messes", and making sure they don't go hungry....they just got back to sleep so I decided to snap a couple pictures of the new arrivals and vent my parental frustrations....

    The sleeping twins...

    Just not comfortable enough...

    Betrayed.

     

    Cheers!

  • chris e. avis - writing about microsoft and technology....

    Finding the webcasts you want....

    • 1 Comments

    For the longest time I have heard this question....

    "I heard Harold Wong was doing a series of webcasts and I really like the others by him I have seen. How can I find other webcasts he is delivering?" (Substitute your favorite Technet Presenter if you like)

    Well now you can!  Check out the new Technet Webcasts site that allows you to sort by presenter, date, or title. This works for upcoming as well as on-demand webcasts. Version 2 is already in the works so if you have any suggestions, feel free to comment on this post and I will pass it on to our awesome operations team!

     

    Cheers!

  • chris e. avis - writing about microsoft and technology....

    Screencast - Dynamic Security Protection - IE7 Features

    • 0 Comments

    This screencast discusses the simplified means of removing passwords, cookies, and history information in IE7. There is a comparison between how we did this in IE6 and how simple it is to do now in IE7.

    Dynamic Security Protection - IE7 Features

     

    Cheers!

  • chris e. avis - writing about microsoft and technology....

    Facebook...

    • 0 Comments

    (subtitle - Cool and Ugh!)

    I first heard about it about 3 years ago when I attended an MS sponsored event for college students at University of Southern California. I asked some of the students what cool sites they used in an attempt to go to them and try to connect with a younger audience. Facebook was by far the most mentioned app. At the time it was not available to the public so the trail went cold.

    Now, it is open to everyone and I just spent a couple hours creating my account, updating the profile, trying to locate "Friends", joining networks and (this next part was a major time suck) trying to locate interesting Groups.

    Facebook looks to be interesting as a social networking application. But I have three big issues with it -

    No one I personally know uses it

    and

    I lived most of my life in Dallas, Tx and all of my family and long term friends live there. But I now live in Redmond, WA. Why can't I be a part of two regional networks?

    and

    It is impossible to narrow the search criteria to easily locate groups you might be interested in joining.

    I decided to add friends using my initial networks of "Microsoft" and "Seattle, WA". Few of my immediate co-workers actually live in Seattle, so I used the Microsoft network. None of my immediate co-workers are registered.

    With one exception....my boss!  So as of right now I have made two friend requests - Robert Scoble (because he essentially dared the entire world to add him) and my boss.

    Regions - as noted above, most of the people I know live in the Dallas area. But if I want to keep up with my friends here in the Seattle area I have to try to find Seattle groups or groups they are a part of.

    Which leads me to....

    The absolutely, astoundingly, horrible filtering feature for finding groups. If there is one thing that the Yahoo!'s, Googles, and Live's of the world have done for us, it is making things discoverable. Facebook falls flat on its face in this area. And there really isn't any excuse for it in this day and age. I can find my interest income on my 1987 tax return faster than I can find relevant groups I am interested in on Facebook. That is probably why there are so many crap groups on Facebook - Can't find it? Make a new one!

    Sorry to sound down on it. It's just that when you hear all the hype and want to take part and then run into obstacles that shouldn't even exist, it puts a big damper on things.

    I am sure the people at Facebook have heard this feedback before, but if not.....well.....I send them a link to this post through their feedback mechanism.

     

    Cheers!

     

    ps.....not that I want to compete with Scoble, but I generally like to be accessible. Feel free to add me if you like....

  • chris e. avis - writing about microsoft and technology....

    Back from a much needed vacation....

    • 0 Comments

    I am back online after a week of ignoring my cell phone and email. I have to say, it was difficult to NOT want to check email. After so many years in the industry, giving up email for a week is not easy. I thought that going up into the mountains to a log cabin would make it easier, but it turns out that at 11,000 feet we had Dish TV in the cabins and I had two bars on my phone. You just can't get away anymore....

    I was already behind on email and testing before I went on vacation so I am playing double catch up. Top that off with two more weeks of vacation starting at the end of this week (it will be a catch up on blogging, projects, email vacation) and heading up to Anchorage for a couple of days to speak to a customer and it is easy to see I won't be getting caught up quickly.

    If you have sent me email, please be patient - I will get back to you. Feel free to send me a reminder if necessary....

     

    Cheers!

  • chris e. avis - writing about microsoft and technology....

    Whew...

    • 0 Comments

    It has been a hectic few weeks (well.....year!). I have been noticeably absent from the blogosphere in recent weeks. It is end of fiscal year. A whirlwind of work and personal related travel. Vacation time. And a general feeling that I didn't have much to say that someone else wasn't already blogging about. I am on vacation again - two weeks this time - but I am not traveling anywhere, so I am catching up on some post ideas I have had in my drafts folder for a while. There will be a flurry of activity over the next few days. A number of rants. A few raves. Throw in a smattering of stuff for good measure.

    You have been warned...

     

    Cheers!

  • chris e. avis - writing about microsoft and technology....

    Publishing Exchange services with a single NIC ISA 2006 Server....

    • 0 Comments

    A few weeks ago I received an email with the following question.....

    I want to publish an internal Exchange 2k3 server through ISA 2006. The ISA server is not multi-homed. Is it possible to allow full publication of my Exchange server ( = SMTP inbound and outbound, and OWA)?

    The short answer to this is - Yes, you can - but only for OWA. Not for inbound Exchange services. Two things come to mind.

    First, when it comes to network security, I am a big fan of full network segmentation. I have my own OWA and Outlook Anywhere (RPC over HTTP in Exchange 2003) services placed behind and published through my multi-homed ISA 2006 server. For my particular network configuration it just makes sense to have everything behind ISA. I also designed my network so that ISA 2006 is doing "edge" firewalling. But ISA 2006 does introduce some improvements in the web proxy filter that can be used to publish web-based Exchange services and even SharePoint sites securely. It may make sense for your configuration to have a single-homed ISA machine and use it to publish OWA & RPC/HTTP.

    Second, the whole point behind publishing with ISA server is the security it can provide. I personally think that application publishing should ALWAYS be phrased as secure application publishing because that is what everyone really wants and it is what ISA Server does when deployed/configured properly. Placing the Exchange SMTP services behind a multi-homed ISA server allows you to inspect the traffic going both directions and make use of the SMTP filter built into ISA. It also forces all of that SMTP traffic to go through ISA without providing another path (more on this below).

    There is a substantial difference between web-based OWA & RPC over HTTP access, which should always be an authenticated connection, and server-to-server SMTP communications, which are generally unauthenticated, anonymous communications. The former requires some sort of credentials verification, whether that be via forms-based authentication, LDAP or some other security measure. You can talk directly to the mail server (Exchange in our case) or allow ISA to authenticate and inspect the traffic. Exchange alone doesn't do any payload inspection, so ISA provides a measurable benefit when publishing Exchange web-based services. ISA can even terminate SSL connections, inspect the payload, and then repackage it and send it on its merry way via SSL if everything is ok. Another benefit ISA provides is that the web-based traffic can be cached, providing a better experience for the client and reducing traffic on the network.

    When it comes to anonymous SMTP connections it would seem to make more sense to just let the servers connect directly to each other (or even client to server). But again, ISA can act as the gatekeeper here and make use of its built-in SMTP filter to inspect the incoming SMTP commands. The SMTP filter can check that the SMTP commands are valid and accepted, and that they are the correct length (to protect against buffer overflow attacks). If things are not up to snuff, ISA can drop the connection to protect the Exchange server and log the information, which can also be used to generate alerts to notify you of an attempted compromise. But SMTP connections cannot be cached like web-based connections. For SMTP we don't use Web Publishing rules; instead we use Server Publishing Rules, which are Firewall Policies designed for specific services.

    The rule of thumb is that Firewall Policies require two network interfaces. It is possible to configure a single NIC ISA machine, bind "internal" and "external" IP addresses to it, and work around physical segmentation, but doing so also compromises the bulk of the security that ISA can provide with a true physically segmented network.

    Think of it this way.....

    A single NIC ISA server is comparable to a movie theater where the ISA Server is the ticket booth. The goal is to get in to see a movie. Movie goers are supposed to go to the ticket booth and purchase a ticket which grants them entry to the theater. However, it is possible with a little creativity and social engineering to bypass the ticket booth altogether and get into the theater unbeknownst to the ticket booth (or so I have heard). The line between the inside and outside is a little fuzzy because you only have to pass by the ticket booth to gain entry. (I think the reason movie theaters are relatively lax in this area is because they are still going to get your $20 for the soft drink and the popcorn!)

    A properly configured multi-NIC ISA server is like your house where ISA is the locked front door. The goal is to get into the house. If you are outside and you want in, you have to have a key to the house. You have to pass through the door. You don't just pass by it as you can with the movie theater ticket booth. There is a definitive inside and outside. You can't walk past the booth and duck under the rope to get in.

    None of this is to suggest that a single-NIC ISA system is a wide open door. It's just that ISA was not designed to be configured as a Firewall nor as a Secure Application Publishing platform using a single NIC. Single-NIC ISA 2006 systems are great for publishing web based information. There are a number of improvements over ISA 2004 that provide a greatly enhanced level of flexibility for this very purpose. Using multiple physical interfaces for firewalling and application publishing lets ISA work the way it was designed to work and will ultimately be easier to configure and maintain as well as give you all of the security features you paid for.

    Repeating to emphasize - In a multi-NIC configuration there is a physical separation of the network segments. You have to pass through the ISA machine to get from one side to the other. There is no other route. This allows ISA to authenticate (if necessary) and inspect traffic, drop the undesirable stuff, log it, and fire off alerts if configured. With a single NIC ISA Server, the single NIC still has to be connected to a hub/switch/router that connects to the two network segments. That other device provides another path for the traffic to move along without absolutely requiring any communication with ISA.

    If you would like to read more about the security model that ISA 2006 provides and recommended configurations, I suggest the following --

    ISA 2006 Firewall Core Whitepaper

    ISA 2006 Security Guide

     

    Cheers!
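The SMTP command checks described in the ISA post above (valid and accepted verbs, correct length, drop and log on failure) can be sketched as follows. This is an added example, not code from the post or from ISA Server; the verb list and byte limits in `POLICY` are assumed values for illustration, not ISA 2006 defaults, and the session is constructed.

```python
import re

# Assumed policy: allowed verbs and maximum command length in bytes,
# CRLF included. None means the verb is recognised but disabled.
POLICY = {
    "HELO": 71, "EHLO": 71, "MAIL": 266, "RCPT": 266,
    "DATA": 6, "RSET": 6, "NOOP": 6, "QUIT": 6, "VRFY": None,
}
VERB_RE = re.compile(rb"^([A-Za-z]{4})(?: |\r\n)")


def inspect_command(line: bytes):
    """Return (verdict, reason) for one client command line."""
    if not line.endswith(b"\r\n"):
        return "drop", "missing CRLF terminator"
    if any(b < 0x20 or b > 0x7E for b in line[:-2]):
        return "drop", "control or non-ASCII byte in command"
    m = VERB_RE.match(line)
    if not m:
        return "drop", "unparseable verb"
    verb = m.group(1).decode().upper()
    if verb not in POLICY:
        return "drop", f"unknown verb {verb}"
    limit = POLICY[verb]
    if limit is None:
        return "drop", f"verb {verb} disabled by policy"
    if len(line) > limit:
        return "drop", f"{verb} is {len(line)} bytes, limit {limit}"
    return "allow", verb


def filter_session(lines):
    """Inspect commands in order and stop at the first drop, the way a
    filter that closes the connection would. Message body lines after
    DATA are not commands and are not handled here."""
    log = []
    for n, line in enumerate(lines, 1):
        verdict, reason = inspect_command(line)
        log.append((n, verdict, reason))
        if verdict == "drop":
            break
    return log


# Constructed session: the third command carries an oversized argument.
SAMPLE = [
    b"EHLO mail.example.net\r\n",
    b"MAIL FROM:<alice@example.net>\r\n",
    b"RCPT TO:<" + b"A" * 400 + b"@example.org>\r\n",
    b"QUIT\r\n",
]

if __name__ == "__main__":
    for entry in filter_session(SAMPLE):
        print(entry)
```

The log entries are what an alerting rule would key on: a dropped oversized `RCPT` from an anonymous peer is worth a notification, while the `QUIT` that follows is never processed because the connection is already closed.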
