-
Matt McCormack, MMPC Melbourne (that is the most awesomely alliterative signature block I’ve seen for a while) comments on an amusingly ironic infection detection we’ve seen from MSE:
http://blogs.technet.com/mmpc/archive/2009/10/20/vista-32-bit-black-hat-edition-2009-iso.aspx
-
Health Checks
I perform ISA Server Health Checks for Premier Support (via Premier Field Engineering) as part of my role.
I’ve seen something a few times recently that I thought it might be helpful to call out, while poking around in the Performance Monitor TCPv4 counter area.
The Problem
In short: Lots of TCP retransmissions per second.
Like, lots. More than 1% is annoying; any more than 5% and you pretty surely have a problem.
Recently, I’ve been seeing 20%.
That’s right, kids, according to Perfmon’s statistics, one in five TCP packets requires retransmission.
If your ISA Server seems like it might be a bit slow, and you haven’t looked yet, go look. I’ll wait. You’re interested in the TCPv4 object, specifically the Segments/sec and Segments Retransmitted/sec counters.
What I’ve seen looks like this:
The green area is TCPv4\Segments/sec. The red area is TCPv4\Segments Retransmitted/sec. They’re using the same scale.
Notice that the retransmission figures track with the overall volume.
This 20% figure has been seen across Intel and Broadcom server NICs, so I don’t think it’s specific to either vendor.
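One way to get the same percentage from a counter log rather than by eye in Perfmon, assuming the two counters were logged to CSV (for example with typeperf or relog). This is an added example, not from the original post: the host name ISA01, the sample values and the function names are constructed, and the ratio follows the post in dividing Segments Retransmitted/sec by Segments/sec.

```python
import csv
import io

# Constructed sample in the PDH-CSV layout that typeperf/relog write;
# the host name ISA01 and every value are made up for illustration.
SAMPLE_CSV = r'''
"(PDH-CSV 4.0) (AUS Eastern Standard Time)(-600)","\\ISA01\TCPv4\Segments/sec","\\ISA01\TCPv4\Segments Retransmitted/sec"
"10/20/2009 10:00:00.000"," "," "
"10/20/2009 10:00:05.000","2000","10"
"10/20/2009 10:00:10.000","2500","75"
"10/20/2009 10:00:15.000","3000","600"
"10/20/2009 10:00:20.000","1500","300"
'''.strip()

TOTAL = r"\TCPv4\Segments/sec"
RETRANS = r"\TCPv4\Segments Retransmitted/sec"

def column(header, counter):
    """Index of the column whose path ends with `counter` (host prefix ignored)."""
    for i, name in enumerate(header):
        if name.lower().endswith(counter.lower()):
            return i
    raise ValueError(f"counter not in log: {counter}")

def classify(pct):
    """Thresholds from the post: over 1% is annoying, over 5% is a problem."""
    if pct > 5.0:
        return "problem"
    return "annoying" if pct > 1.0 else "ok"

def retransmit_report(csv_text):
    """Return (per-sample rows, overall percent) for a PDH-CSV counter log."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    total_i, retrans_i = column(rows[0], TOTAL), column(rows[0], RETRANS)
    samples, total_sum, retrans_sum = [], 0.0, 0.0
    for row in rows[1:]:
        try:
            total, retrans = float(row[total_i]), float(row[retrans_i])
        except (ValueError, IndexError):
            continue  # rate counters have no value in the first sample
        if total <= 0:
            continue  # idle interval: a ratio is meaningless
        pct = 100.0 * retrans / total
        samples.append((row[0], round(pct, 1), classify(pct)))
        total_sum += total
        retrans_sum += retrans
    overall = round(100.0 * retrans_sum / total_sum, 1) if total_sum else 0.0
    return samples, overall

if __name__ == "__main__":
    per_sample, overall = retransmit_report(SAMPLE_CSV)
    for stamp, pct, verdict in per_sample:
        print(f"{stamp}  {pct:5.1f}%  {verdict}")
    print(f"overall: {overall}% ({classify(overall)})")
```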
Fixing It
In at least one of the places I found this, a simple driver upgrade to the latest version available looked like it fixed the problem.
Otherwise, it could indicate a NIC issue, or a hardware issue with the switch.
If you find yourself in this situation, and do resolve it, please do post details in the comments section below.
-
They wanted me to post about Windows phones.
Well, I’m going to fight the power. Buck the trend. Talk about my new favourite travelling companion.
It is the surprisingly-catchily-titled Microsoft Mobile Memory Mouse 8000.
First cool feature: Magnets everywhere!
The wireless transceiver doubles as a 1GB USB stick, and has a magnetic doohickie on the end that the charge cable happily snuggles up to.
The same cable has another magnetic dock on the underside of the mouse.
Next cool feature: Use it like a wired one!
With the mouse power switch in the “off” position, I’m still happily mousing away with the cable connected.
Next cool almost-hidden feature: It does Bluetooth too!
You can select between the 2.4GHz Wireless thingy supplied by the dongle, or regular Bluetooth connectivity with a switch under the battery cover. And since I got Bluetooth fixed on my laptop, that actually makes some sense, and means that – as long as it’s charged already – I can use the mouse for a fair while without having to find the memory stick slash dongle slash cord thing.
I have no idea how I came into possession of this one, but it’s quickly replaced the (fleet of) Notebook Optical Mouse(s) that I’ve loved – yes, loved – over the years for its size, lightness and plucky go-anywhere courage.
It is, however, heavier: there’s a nice metal finish, and obviously a rechargeable battery in there, but I don’t find myself minding that much.
From the wish-it-didn’t department: 4-way scroll wheel that I’d have happily substituted for a fatter non-side-scrolling regular wheel (middle clicks are a bit sharp and rolly), and thumb buttons discreetly out of thumb’s reach on the left. I hate thumb buttons (unlike Jeff), but these are unobtrusive enough that you’re unlikely to hit them accidentally.
So perhaps I’m just getting old – and I certainly don’t play as many first person shooters as I used to, especially not on this 1.2GHz-and-PATA-toting Dell XT – but this mouse seems to do just fine for the moment. Recommended!
Brought to you by the number 8000, and the word “shill”. :)
-
As I possibly misspelled or misremembered it, the PL15ws2p.dll (possible sic) file was installed as a Winsock Layered Service Provider on a couple of boxes at a customer site.
Coincidentally, these machines were Windows Server 2008 machines where we couldn’t get the Firewall Client to work properly.
We found that there was a third party LSP using:
NETSH WINSOCK SH CA > catalog.txt
And then opening catalog.txt in notepad. The properties of the Pl15ws2p.dll indicated that it was a signed DLL from American Power Corporation or similar (APC or ACP; one of those no-notes half-hours), and that it was used in some sort of management capacity.
But only one of the machines had this APC software installed on it, and the other didn’t… perhaps it got left behind when it was being uninstalled? The search engines didn’t seem to know much about it.
Either way, next step was clear:
NETSH WINSOCK RESET
To return the Windows Sockets provider list to its shiny defaults, and reboot the computer.
After that, the Firewall Client wasn’t working (which we expected).
A Repair from Not-Called-Add-Remove-Programs-Any-More-Now-It’s-Programs-And-Features-Silly fixed that up.
Cool, huh? Remember: when nothing makes sense and the configuration looks good, perhaps LSPs are to blame?
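The catalog.txt written by the NETSH WINSOCK SH CA step above can also be filtered for layered entries instead of being read by eye in Notepad. This is an added example, not part of the original post: the sample text is constructed in the layout of netsh's catalog listing, with a placeholder directory and IDs around the DLL name from this post, and the function names are hypothetical.

```python
import ntpath
from collections import defaultdict

# Constructed, abridged sample in the layout of `netsh winsock show catalog`;
# the directory, IDs and description of the layered entry are placeholders.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        EXAMPLE layered provider over [TCP/IP]
Provider Path:                      C:\EXAMPLE\PL15ws2p.dll
Catalog Entry ID:                   1013
Protocol Chain Length:              2
Protocol Chain: 1012 : 1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Name Space Provider Entry
------------------------------------------------------
Description:                        Tcpip
"""

def parse_catalog(text):
    """Return one dict per '... Provider Entry' block in the netsh output."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if "Provider Entry" in line and ":" not in line:
            current = {"Block": line}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")  # first colon only: paths keep "C:\"
            current[key.strip()] = value.strip()
    return entries

def layered_providers(text):
    """Map DLL name -> catalog entry IDs for every entry that is not a base provider."""
    # Winsock chain length: 1 = base provider, 0 = layered provider, >1 = layered chain.
    found = defaultdict(list)
    for entry in parse_catalog(text):
        chain = entry.get("Protocol Chain Length")
        if chain is not None and chain != "1":  # name space entries have no chain
            dll = ntpath.basename(entry.get("Provider Path", "?")).lower()
            found[dll].append(entry.get("Catalog Entry ID", "?"))
    return dict(found)

if __name__ == "__main__":
    print(layered_providers(SAMPLE_CATALOG))
```

To use it on a real dump, pass the contents of catalog.txt to layered_providers(); every DLL it returns is a candidate to identify before deciding on a reset.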
Now if only I could get my stupid Huawei 3G modem working on my Win7 laptop again (“Device attached to the system is not functioning”… thaaanks).
-
Yes, kids, if you’re finding that the Hyper-V performance ain’t what it used to be since installing that whizbang graphics card driver on your shiny new seven core hyperthread-and-a-halved megaturboserver thing, you might be suffering from flushes.
Read all about it here:
Video performance may decrease when a Windows Server 2008-based computer has the Hyper-V role enabled and an accelerated display adapter installed
http://support.microsoft.com/default.aspx/kb/961661
KB titles are getting ever more catchy, I think you’ll agree. So many words, and we still couldn’t find space for “is”. Ah well.
So, in short, get back to your standard VGA driver (just uninstalling the whizbang one is typically enough for that) and you’ll be sweet.
-
Mike from Bing posted on some SafeSearch updates to Bing, particularly around image search and video preview.
So, with the new explicit domain name (explicit.bing.net), a block is easy enough to implement with ISA Server and nothing extra.
If you’ve already got a site blocking rule enabled, all you need to do is add:
*.explicit.bing.net/*
To your blocked sites URL Set, and/or
*.explicit.bing.net
To your blocked sites Domain Name Set, if you’re using one.
If you haven’t yet configured a blocking rule for explicit Bing traffic, here’s how I just did it.
First, create a new Access Rule.
I’m calling mine “Block Explicit Sites”
Next – we want to Deny access to these locations.
Protocol selection: I’ve selected HTTP and HTTPS (not sure if HTTPS is ever used, but it’s coverage, innit?)
I’m picking All Protected Networks as the source, which covers every non-External ISA network (click Add… to see the list, then Add and Close the All Protected Networks Network Set).
For the target, we want to create a new URL set, which is probably enough to stop accidental browsing of the target domains for Web Proxy clients that aren’t doing their own name resolution, and won’t have a huge amount of DNS traffic associated with it.

I’ll call it Explicit Bing, and set the path to http://*.explicit.bing.net/*
This should apply to all subdomains, so if we end up with more specific categorization within the explicit domain at some point, it’ll automatically cover it.
Once that’s there, click OK, then add the Explicit Bing URL Set to the rule (find it under URL sets, click Add and then Close).
The Wizard should look like this:
From here, it’s just Next to apply to All Users (so it’s an anonymous blocking rule – doesn’t require authentication first in order to block someone) until the Wizard finishes.
There’s my rule:
My rule ended up at #16 in my list, so a little trick with reordering: Shift-select all 15 rules above it, and then right-click any of the selected rules, and choose Move Down.
And now, my new block rule is at #1. I do want it to be first as far as anonymous web traffic rules go, but I might, for example, want to position the Xbox rule or other rules ahead of it, depending on my traffic policy.
Enter the Change Tracking reason for later auditing…
And now it’s test time…
Right, well I can’t exactly show you the full search terms or the test results, but the images served from the explicit Bing domains were certainly blocked.
As a note – test from a client computer. The ISA Server itself may well have an “Allow CRL Downloads from any network using HTTP” System Policy rule in place which will run before any block lists. Disabling the System Policy rules and creating equivalent Access Rules that run after block lists will fix this.
-
Yuri’s blog explains some of the detail. But there’s slightly more subtlety to it, which I’ll try to snake-oil in front of you here:
Can I install ISA 2006 on 32-bit Windows Server 2008?
No, it only runs on Windows Server 2003. Okay, so technically, it also runs on Windows 2000, but if you’re installing it like that now, you should check the calendar. Windows 2000 is old, man.
Why not ISA Server 2006 on Windows 2008?
Whenever I asked that, people mumbled about TCP/IP stack changes. Sounds plausible, so I let it slide.
Well, can I install ISA 2006 on 64-bit Windows Server 2008?
No. Wait – sort of, not really. Do you count virtualization?
What do you mean?
Hyper-V or an SVVP-validated platform. (Details on security. And the inimitable “Jim Harris” apparently pretending to be Jim Harrison. Giggle.)
Er, if I do count virtual machines?
Yes. You run it in a 32-bit Windows Server 2003 guest.
Isn’t that cheating?!
No. Well, maybe. Sorry, did you have a point there?
What about Windows Server 2003, x64 Edition?
Installing ISA on it? No. It’s 32-bit only and uses kernel-mode software; you can’t mix and match 32-bit with 64-bit k-mode drivers. Hint: I just helped you study for 070-351.
What about Service Pack 2?
X64 Edition?
Yes!
No.
You’re not being helpful.
Oh really? Your eyes are the wrong shape.
The next version of ISA Server, called Forefront Threat Management Gateway (TMG, or, I guess, Timmy to his friends (yep, I’m betting the G ends up semi-silent)), is available in its initial release in the Windows 2008 Essential Business Server thingo, which is 64-bit only.
The next standalone (i.e. non-EBS-integrated) release is currently available in Beta form, and runs exclusively on Windows Server 2008, x64 edition.
That was more helpful.
You still look funny.
Hey, why don’t your links open in new windows?
Because I think it’s nice for the reader to be able to choose whether an informational link should appear in the current frame or a new tab (or a new window).
Sometimes (probably quite often on this blog), you’ll be done with the content at the current page you’re reading, and just want to replace it with something else. Forcing a new window isn’t polite in the age of tabbed browsing.
Let the user choose.
I agree, that’s so wise. You’re like, amazing.
I know.
-
Bing, you say? Odd, I’m sure I’ve heard it somewhere before…
Wait! It was me!? I’d like to thank the Academy…
So, I assume I can look forward to a healthy bonus for coining the term!? Sure, the direction was apparently misguided, but the word is pure bing-y gold! Sigh.
Blog du TristanK: Inventing useful brand names since 2005.
(I’d buy Fjnorkel.com (that’s f-nyor-kul) right now, but I had to look up how to spell it twice while typing this sentence, which makes me a little concerned for how well people that didn’t make it up would remember it.)
-
A friend of my mother’s was introduced to me at a family barbeque, and started in. Background: lives in a nice suburban neighbourhood, sends her kids to private school.
“Lovely to see you!…
So how do you feel about working for them?” (measured tone)
Pretty good, most days?
“Microsoft is evil.”
(is-she-joking?-pause) Um, look, I think we make dumb decisions sometimes, but could I ask why you think we’re evil? Is this an EU thing?
“I read that the Bill Gates foundation was trying to find a cure for Malaria.”
(confused expression) you did say ‘evil,’ right?
“and you know what that means” (expectant eyebrow-arching)
Fewer dead people?
“Yes!” (triumphant look)
(thinking hard) I can’t see how that’s bad? Is this a theological thing?
“Well it’s for globalization, isn’t it?”
Uhm… what?
“The whole idea is that if Malaria gets eradicated, there will be more people to work in sweatshops.”
(I’d swear the whites of the eyes were in some way frothy at this point)
(Pause) Yes, I guess, that’s technically feasible in some way. Let’s just suggest that we have a programming sweat shop in the Malaria belt.
(Expectancy; exultation)
What I think you’re saying is that you’d rather that about a million people died each year, than, say, they all survived and a couple of thousand worked for very low wages.
(Derailment moment; this-isn’t-quite-the-slam-dunk-I-had-planned)
(nearly shouting) “Well, no, but curing Malaria means more cheap workers. And more cheap workers means more globalization. It’s being done for a profit motive.”
(trying to calm everyone down) Let’s just assume that you’re right and it’s all a big, costly, nefarious scheme to obtain more cheap workers. Just to be clear, I don’t think that’s the case.
Are you telling me that a profit motive that leads to survival for millions, and a small income for a few of them, is more evil than all those people dying, then? Isn’t survival a start?
“But globalization is bad! Sweatshops!”
(patience with crazy person expended) Malaria worse! Death! If you don’t live, it’s a bit awkward to say you’d like your living conditions to be improved, isn’t it?
The conversation turned to other things…
-
Today, an IIS 5.0 to 6.0 security advisory was released:
Vulnerability in Internet Information Services Could Allow Elevation of Privilege
http://www.microsoft.com/technet/security/advisory/971492.mspx
If you’re using WebDAV on any version prior to 7.0 (where it was completely rewritten, and released as an add-on module after ), you’ll want to read the advisory, and take appropriate action.
Mitigating factors are listed in the advisory.
-
Some love for my lil’ Dell Latitude XT! Dell won’t sell me a battery slice for it, but I can still glide my fingers across it creepily!
In this DuoSense Multi Touch RC Release: the pen should work as well as multitouch! No more having to pick one and stick with it! Yay!
All linked from the Download page – check the release notes (link in right hand column at top of page body) before you try them.
-
There’s a new MPS Reports version in town, with new features: new 64-bit friendliness, various forms of wizard-driven hotness for all the products the individual old tools used to support, etc, etc.
Call me old school if you want, but I typically prefer the convenience of “run this and send me the CAB file”, rather than “grab this, install the prerequisites, and choose the following options in the wizard, then send me the CAB file”. For newer OSes, that’s a non-issue as the pre-reqs (.NET 2.0 and PowerShell) are built in; for older OSes, not so much.
A colleague sent me a set of direct download links to the old set, so I’m going to publish them here.
For whatever reason, the download pages to these editions were removed when the new version was published; personally, I’d have suggested that the new was added alongside the old – the old, for all their limitations, are well-understood and widely used.
But the files are still there, at least for the time being.
Update: Looks like the PFE edition is still available in a not-through-the-back-door way (thanks, PFE, you rock! Hey, *I* work for that organization! Yay!), and it’s the core old-school goodness you’ve come to know and love from MPS Reporting.
http://www.microsoft.com/downloads/details.aspx?familyid=00AD0EAC-720F-4441-9EF6-EA9F657B5C2F&displaylang=en
-
Awesome, in a word.
Max Payne® 2- The Fall of Max Payne
Wins my award for most heartbreaking game ever. With some pretty funky action along the way.
I wasn’t as much of a fan of the first one, though if you play them back to back, they run very well together.
(Though the part in MP2 that always troubled me was how the people you’re shooting at don’t get damaged per se; they just take an endless supply of bullets and get tossed around. Breaks suspension of disbelief. Well, that and the whole “Bullet Time” thing, which was done very well in this one.)
-
Spotted: a handy guide, to get your shiny new ADCS Web Enrollment* front end installed and pointed at your CA. With pictures and stuff. For WS2008.
http://blogs.technet.com/askds/archive/2009/04/22/how-to-configure-the-windows-server-2008-ca-web-enrollment-proxy.aspx
* SEO sic (seriously? I’d have expected one to be red-squiggled, but nope)
-
Rambling my way to a point
One of my most favourite “Favorites” (read: “he snarled”) in recent weeks has been the ISA Server Product Team’s Build Numbers post.
They helpfully list the version numbers of each ISA Server, um, version, along with a link to the most recent hotfix for that version. That’s so helpful.
But: In most cases, you had to use the self-service hotfix feature to get that hotfix. Which is better than calling someone, but still not quite one-click conweenyence.
And there was some useful stuff fixed in each – you can do the research (hint: research is typically along the lines of “isa server hotfix site:support.microsoft.com” in whatever search engine you use).
Back to the security update: if you look at the file list for the security updates, they look a lot like the file lists for the recent hotfixes.
(Aside from a little while ago: nice that we’re again using KB articles for file information and not just “you should read the bulletin” placeholders. Makes it easier to reliably find file version information in the one place. No idea who changed it in the first place, but my blunt message to you: that was suboptimal.)
I know you love short versions, Glenda
So, long story short, by applying the security update, you’re getting the most recent build of those binaries for your ISA Server.
Just one caveat: remember that with this patch, you’ll need to reapply it if you make any significant installation-level changes to ISA later (see the bulletin for that).