Blog

Latest Technical Notes

Case Study – Server Replacement and Upgrade

We were recently approached by a firm of solicitors based in Staines, Middlesex. They asked us to perform a full review of the network and make suggestions on how to improve the existing setup.

The Problem

The customer was worried that the server was out of date and running slowly. They had to reboot the server frequently when there were access problems, and as a result they thought there was a problem with the hardware. The server room was untidy, with lots of computers set up and running in it.

Review: Hardware

The customer was using an outdated HP ProLiant ML350 G6, and the warranty for the server had expired a number of years ago. Although properly specified, with enough storage space and system RAM, if this main server failed there would be a long period of downtime until it could be returned to proper service.

In addition to this, the customer had two physical machines set up for remote access. This was because their LOB (line of business) applications did not support remote access with Microsoft Remote Desktop Services. The machines being logged into were also old and slow to access.

We recommended that the server be replaced with a newer model with a next-business-day warranty. This means that if the server fails, a technician from the manufacturer is on site the next day to replace any faulty parts. In our opinion, this is absolutely mandatory for the main server in any business.

After reviewing the amount of storage space required, we suggested a Dell PowerEdge T130. These are inexpensive servers, which can still be well specified for small business use.

Review: Operating Systems

The server was running Windows Server Standard 2008, which, although out of date, did not need to be completely replaced, as it is still supported by Microsoft until 2020.

The remote access machines were running retail copies of Windows 7 Professional. Again, these did not need replacing, as Windows 7 is also supported by Microsoft until 2020.

We suggested no change to the operating systems that are in use, but to purchase the server with Windows Server 2012 R2, to allow for a future upgrade of the domain.

Our Solution

It was clear that virtualising the existing environment was the correct way to go. The old hardware being used could be eliminated, saving space, maintenance overheads and energy. The server room would be much tidier also.

Work Carried Out

We installed Windows Server 2012 R2 on the new Dell server and added the Hyper-V role. We were then ready to virtualise the existing physical devices.

Working with the customer we identified all of the user accounts and computers that were still in use on the server. We renamed all of the existing client workstations from the automatically generated DESKTOP-3847393 type names, to easily identifiable DESK-1, DESK-2 etc. These computer names were updated in Active Directory, and were physically labelled on site.

Once this cleanup task had been completed, we were ready to virtualise the server. Once that was done, the existing server was powered off and disconnected from the network.

We then had a virtual copy of the server running, with the existing server intact, as a backup of the configuration and data before the work took place. In a worst-case-scenario situation, this could be reconnected and the server returned to service.

We then cleaned up the server, removing HP drivers and proprietary monitoring utilities. This left a much cleaner installation of Windows Server, with just the key software installed to allow the server to function.

After this second cleanup task, we virtualised the two remote access machines. The physical machines were then turned off and decommissioned.

So – from 3 physical devices, all unmaintained and out of warranty, to one new physical server, with more memory and storage space.

I am most proud of the fact that all of this work was completed with zero downtime in working hours for the customer. As soon as the server was virtualised, it took over from the existing server.

Improvements made

  • Improved flexibility. If the customer needs another remote access machine, one can be set up in a matter of minutes by remote access, with no need to go on site.
  • Significant energy savings. Only one device needs to be running instead of 3.
  • Improved disaster recovery. If there is a hardware fault with the server, this will be repaired by the manufacturer, next business day.
  • Better Upgrade Path. Additional RAM and storage space can be more cheaply added if required.

Automatically Delete Call Recordings in FreePBX

A simple script to delete call recordings. Note that this has been designed to work hand-in-hand with our other script, which converts the recordings to MP3 to save space: FreePBX – convert WAV call recordings to MP3

You can easily modify the script to delete call recordings that are in WAV format, or for different periods of time, by changing "*.mp3" to "*.wav" and by changing +365 to +30, +60, +90 etc.


#!/bin/bash
# A script to delete old FreePBX call recordings
# Version 1 - 2016/12/08
#
# Changelog
# v1 - Initial Version
#
# Copyright Jaytag Computer Limited 2016 - www.jaytag.co.uk
#
# You may use or modify this script as you wish as long as this copyright
# message remains. Redistribution prohibited.
#
# Find all recordings older than 365 days and delete
find /var/spool/asterisk/monitor -name "*.mp3" -mtime +365 -delete


Case Study – Router Upgrade – from 8Mbps to 200Mbps

We were approached by a client in central London to help with their internet connection. Although they had upgraded to Virgin Media’s 200MB/s DOCSIS3 service from a standard ADSL connection, they were still getting poor broadband speeds.

Old Hardware

As soon as we visited the site, the problem became apparent. They were using a Netgear FVS318v3 – this is a very out of date unit, that has a maximum throughput of 11.5Mbps. See the technical specifications here for a blast from the past: fvs318v3

Here is the speedtest with the Netgear FVS318v3:
[Image: wan-speed-test-before]

It’s clear that this Netgear firewall/router is a real weak link in the chain.

We have seen many clients using older networking hardware – especially older firewalls, routers and switches. The problem is that, just like PCs, laptops and servers, the performance of newer hardware is light-years ahead of the older equipment. Keeping old equipment in place can therefore be a false economy.

To compare: the Netgear FVS318v3 has a 200MHz CPU, and 16MB of RAM. It has 10/100 network ports, which limit the maximum connectivity speed. Newer firewalls and routers have much faster CPUs, more RAM, and tend to have 100/1000 network ports, which means more advanced functionality can be built in, and faster connectivity is available out-of-the box.

In this client’s case, the solution was clear – replace the firewall/router with a more modern unit.

New Hardware

We immediately thought of the MikroTik RB2011. However, this has recently been replaced with a newer model, the RB3011. See here for more information: https://routerboard.com/RB3011UIAS-RM

The throughput is much, much higher for this unit, compared to the Netgear. It maxes out at more than 3000Mbps – or realistically with firewall rules in place, around 800Mbps. This is more than ample for a 200Mbps connection, with space for future growth.

Here is the speedtest with the MikroTik RB3011:
[Image: wan-speed-test-after]

A massive, massive improvement. The cost of the new firewall/router, around £140, is well worth it for the leap in performance.


Windows 10 – Don’t Miss Out!

Microsoft has confirmed that Windows 10’s free upgrade offer will expire on July 29, 2016. After that, you’ll have to pay £100 to upgrade on any computer that hasn’t already made the leap.

We know not everyone wants to upgrade to Windows 10 right now, and that’s fine. But did you know that Windows 7 has already reached the end of its mainstream support phase?

This means that Windows 7 will only receive security updates, and nothing else.

New features such as Cortana, the Windows App Store, and Bitlocker encryption aren’t available with Windows 7 Pro, so upgrading now is a good opportunity to gain access to these features, which you would otherwise pay for with Windows 7.

The vast majority of applications will work perfectly with Windows 10, just as they did with Windows 7.

We have been using Windows 10 in our offices (as have many of our other customers) since the release date last year, and have nothing but positive words to say about it:

  • Faster boot times compared to Windows 7 – from a normal 30 second boot time to just 10 seconds
  • Improved driver compatibility – more things ‘just work’
  • Improved stability – fewer crashes and less downtime
  • Great new features, like built-in hard drive encryption

If you would like to take advantage of the free upgrade offer, but want advice on how to proceed, contact us now for a free rundown of the upgrade process.


FreePBX – convert WAV call recordings to MP3 v2

An updated version of our script to bulk convert WAV call recordings to MP3, as mentioned here.

This version may be redistributed freely, as long as the copyright message remains.

#!/bin/bash
# A Script to Convert FreePBX call recordings from WAV to MP3
# Also updates the CDR database, for correct downloads through the web UI
# Version 2 - 2016/04/15
#
# Changelog
# v2 - Skip broken files (but show an error message)
# v1 - Initial version
#
# Copyright Jaytag Computer Limited 2016 - www.jaytag.co.uk
#
# You may use or modify this script as you wish as long as this copyright
# message remains. Redistribution is permitted.

# Set the Asterisk Recording Directory
recorddir="/var/spool/asterisk/monitor/"

# Start the Loop. find prints NUL-separated paths and read consumes them,
# so recording names containing spaces are handled safely.
find "$recorddir" -name '*.wav' -print0 | while IFS= read -r -d '' wavfile; do

# Make Variables from the WAV file names
wavfilenopath="${wavfile##*/}"
mp3file="${wavfile%.wav}.mp3"
mp3filenopath="${mp3file##*/}"

# Convert the WAV file to MP3 (16 kbit/s, mono, fastest quality setting).
# Delete the WAV only if encoding succeeded; otherwise report the error,
# discard any partial MP3 so it is never linked in the CDR, and carry on.
if nice lame -b 16 -m m -q 9 "$wavfile" "$mp3file"; then
rm -fv "$wavfile"
else
echo "$wavfile encoding failed"
rm -f "$mp3file"
continue
fi

# Update the CDR Database, only if conversion is successful
if [ -e "$mp3file" ]; then
mysql -u root -s -N -D asteriskcdrdb <<<"UPDATE cdr SET recordingfile='$mp3filenopath' WHERE recordingfile = '$wavfilenopath'"
echo "DBUPDATE -------------------------------------------------------"
echo "DBUPDATE - $wavfilenopath changed to $mp3filenopath in CDR DB"
echo "DBUPDATE -------------------------------------------------------"
fi

# On-Screen display of variables for debugging/logging
# echo ""
# echo "File -------------------------------------------------------"
# echo "Wav File : " $wavfile
# echo "Wav No Path : " $wavfilenopath
# echo "MP3 File : " $mp3file
# echo "MP3 No Path : " $mp3filenopath
# echo "End File ---------------------------------------------------"
# echo ""

# End the Loop
done


Monitoring Asterisk With Observium

On the Asterisk server, ensure xinetd is installed

yum -y install xinetd
service xinetd start

Create an Observium agent for xinetd

nano /etc/xinetd.d/observium_agent

Add this to the file

service app-asterisk
{
type = UNLISTED
port = 36602
socket_type = stream
protocol = tcp
wait = no
user = root
server = /usr/bin/observium_agent/asterisk

# Don't be too verbose. Don't log every check. This might be
# commented out for debugging. If this option is commented out
# the default options will be used for this service.
log_on_success =

disable = no
}

Create the executable that xinetd will call when Observium connects

mkdir /usr/bin/observium_agent
nano /usr/bin/observium_agent/asterisk

Add this to the file

#!/bin/bash

####### Asterisk Telephony Server
# Only report if the Asterisk binary is present and executable
if [ -x /usr/sbin/asterisk ]; then
echo '<<<app-asterisk>>>'
# Each CLI command prints a summary line such as "3 active channels";
# grep picks that line and cut keeps the leading number
ACTIVECHAN=$(asterisk -rx 'core show channels' | grep 'active channels' | cut -d' ' -f1)
ACTIVECALL=$(asterisk -rx 'core show channels' | grep 'active call' | cut -d' ' -f1)
IAXCHANNELS=$(asterisk -rx 'iax2 show channels' | grep active | cut -d' ' -f1)
SIPCHANNELS=$(asterisk -rx 'sip show channels' | grep active | cut -d' ' -f1)
SIPTOTALPEERS=$(asterisk -rx 'sip show peers' | grep 'sip peers' | cut -d' ' -f1)
SIPONLINE=$(asterisk -rx 'sip show peers' | grep -o '[0-9]* online' | head -1 | cut -d' ' -f1)
IAXTOTALPEERS=$(asterisk -rx 'iax2 show peers' | grep 'iax2 peers' | cut -d' ' -f1)
IAXONLINE=$(asterisk -rx 'iax2 show peers' | grep -o '[0-9]* online' | head -1 | cut -d' ' -f1)

echo "activechan:$ACTIVECHAN"
echo "activecall:$ACTIVECALL"
echo "iaxchannels:$IAXCHANNELS"
echo "sipchannels:$SIPCHANNELS"
echo "sippeers:$SIPTOTALPEERS"
echo "sippeersonline:$SIPONLINE"
echo "iaxpeers:$IAXTOTALPEERS"
echo "iaxpeersonline:$IAXONLINE"

fi

Set the script as executable and restart xinetd

chmod +x /usr/bin/observium_agent/asterisk
service xinetd restart

In Observium, go to the server and select Settings > Properties
Enable Modules > unix-agent
Set Agent Port to 36602 in Agent
Poll the device, and the Asterisk App will appear in the ‘Apps’ section of the device
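As an added example (my own code, not part of Observium or the post), here is a small Python client that reads what the xinetd service returns and parses the <<<app-asterisk>>> section into numbers, keeping an empty metric visible as None rather than dropping it. Since xinetd runs the script as root and answers any client that connects, it is worth restricting port 36602 to the Observium server with an xinetd only_from line or a firewall rule.

```python
import socket

# Constructed sample of the agent's reply, in the format the script above prints
SAMPLE_OUTPUT = """<<<app-asterisk>>>
activechan:3
activecall:1
iaxchannels:0
sipchannels:3
sippeers:42
sippeersonline:39
iaxpeers:2
iaxpeersonline:1
"""


def parse_agent_output(text):
    """Split unix-agent output into {section: {metric: value}}.

    A '<<<name>>>' line opens a section; 'key:value' lines inside it are
    converted to integers.  A metric whose value is empty (a grep in the
    agent matched nothing) is kept as None so the gap is visible instead
    of silently disappearing from the graphs.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("<<<") and line.endswith(">>>"):
            current = line[3:-3]
            sections[current] = {}
            continue
        if current is None or ":" not in line:
            raise ValueError("line outside a section or without ':': %r" % line)
        key, _, value = line.partition(":")
        value = value.strip()
        sections[current][key.strip()] = int(value) if value.isdigit() else None
    return sections


def fetch_agent(host, port=36602, timeout=5.0):
    """Connect to the xinetd service, read until it closes the socket, parse."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_agent_output(b"".join(chunks).decode("utf-8", "replace"))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample
    for metric, value in parse_agent_output(SAMPLE_OUTPUT)["app-asterisk"].items():
        print("%-16s %s" % (metric, value))
```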


Get an A+ rating with Vesta on SSL Labs

We’ve recently been testing sites with the Qualys SSL Server Test here: https://www.ssllabs.com/ssltest/index.html

By default, the SSL settings on Vesta are good, but it’s not possible to get an A+ rating without making some changes to the nginx configuration files.

Although SSL Labs does give an indication of where the SSL rating is low, it’s not very easy to see exactly what needs to be changed in nginx to get the A+ rating. The key things to improve:

  1. Limit the SSL ciphers that can be used
  2. Add HTTP Strict Transport Security with long duration
  3. Enable SSL stapling

Firstly, you have to SSH on to your Vesta server and edit the main nginx conf file:

nano /etc/nginx/nginx.conf

Then, add the following settings:

# Improved SSL settings - as suggested by jaytag.co.uk
ssl_session_cache builtin:1000 shared:SSL:10m;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 5s;

Then save the file.

One of the warnings you will receive is “This server supports weak Diffie-Hellman (DH) key exchange parameters”, so you have to generate strong DH key parameters. There is some interesting info here about how long calculating the primes can take: http://security.stackexchange.com/questions/95178/diffie-hellman-parameters-still-calculating-after-24-hours so, taking their advice, we will use the -dsaparam switch to speed up the process.

mkdir /etc/pki/nginx
openssl dhparam -dsaparam -out /etc/pki/nginx/dhparam.pem 4096

If you are feeling super secure (takes a few hours to randomly generate the primes) do this instead:

openssl dhparam -out /etc/pki/nginx/dhparam.pem 4096

When complete, you can then edit the nginx parameters:

cp /home/jaytag/conf/web/snginx.conf /home/jaytag/conf/web/snginx.conf.old
nano /home/jaytag/conf/web/snginx.conf

Add in the top section after the line ssl on:

ssl_stapling on;
ssl_dhparam /etc/pki/nginx/dhparam.pem;
ssl_session_timeout 24h;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers kEECDH+AES128:kEECDH:kEDH:-3DES:kRSA+AES128:kEDH+3DES:DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!LOW:!SEED:!CAMELLIA:!IDEA:!PSK:!SRP:!SSLv2;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000;";
add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";

Then save the file.

The last step is to restart nginx:

service nginx restart

Now re-test on SSL Labs. Success!
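As an added check (my own script, not from the post), this parses the ssl_* directives from the snginx.conf snippet above and flags what current SSL Labs grading penalises: the snippet still offers TLS 1.0/1.1 and two 3DES suites, which cap the grade today, while its HSTS age and stapling pass. The thresholds are assumptions stated in the code.

```python
import re

# Constructed from the snginx.conf snippet in the post
SNGINX_SNIPPET = """
ssl_stapling on;
ssl_dhparam /etc/pki/nginx/dhparam.pem;
ssl_session_timeout 24h;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers kEECDH+AES128:kEECDH:kEDH:-3DES:kRSA+AES128:kEDH+3DES:DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!LOW:!SEED:!CAMELLIA:!IDEA:!PSK:!SRP:!SSLv2;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000;";
"""

# One directive per line: name, value, terminating ';', optional trailing comment
DIRECTIVE_RE = re.compile(r"^[ \t]*(\S+)[ \t]+(.*?);[ \t]*(?:#.*)?$", re.M)
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")


def parse_directives(text):
    """Return (name, value) pairs for the directives in an nginx snippet."""
    return DIRECTIVE_RE.findall(text)


def audit_tls(text, min_hsts_age=15768000):
    """Return a list of findings; an empty list means nothing was flagged.

    Thresholds are my own assumptions: SSL Labs caps the grade when TLS 1.0
    or 1.1 is offered, and an A+ needs an HSTS max-age of about six months.
    """
    directives = {}
    for name, value in parse_directives(text):
        directives.setdefault(name, []).append(value)
    findings = []
    for proto in " ".join(directives.get("ssl_protocols", [])).split():
        if proto in LEGACY_PROTOCOLS:
            findings.append("legacy protocol enabled: " + proto)
    for element in ":".join(directives.get("ssl_ciphers", [])).split(":"):
        # '!' and '-' prefixes remove suites from the list; anything else adds them
        if element and not element.startswith(("!", "-")) and (
                "3DES" in element or "DES-CBC3" in element):
            findings.append("3DES cipher offered: " + element)
    if "on" not in directives.get("ssl_stapling", []):
        findings.append("OCSP stapling not enabled")
    hsts = [v for v in directives.get("add_header", [])
            if v.split()[0] == "Strict-Transport-Security"]
    if not hsts:
        findings.append("HSTS header missing")
    else:
        match = re.search(r"max-age=(\d+)", hsts[0])
        if not match or int(match.group(1)) < min_hsts_age:
            findings.append("HSTS max-age below %d seconds" % min_hsts_age)
    return findings


if __name__ == "__main__":
    for finding in audit_tls(SNGINX_SNIPPET) or ["no findings"]:
        print(finding)
```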

[Image: aratingSSLLabs]


Case Study – Office Move

Over the otherwise quiet Christmas period, we completed an office move for a design company, from their offices in Brixton to new offices in Clapham.

Office moves are a great opportunity to make changes to the way a network is set up – almost starting from a blank slate at the new offices.

The new offices were to be completely refurbished, save for data cabling.

Before the move took place, working with our colleagues at West Installations, the existing data cabling was tested, and all faulty network sockets were reterminated and tested. Some new network sockets were also installed for Video Conferencing/Presentation equipment.

A new VDSL/FTTC service was installed on site by BT Openreach (to run in parallel with the old office connection, to prevent downtime). Once installed, we then went on site to complete the Router and Switch setup.

A not-so-neat network cabinet before we started:

[Image: Empty cabinet]

Note the dust sheet – the building works were still ongoing!

Unfortunately, there was no budget to re-terminate the cables at the patch cabinet end, leaving a lot of too-long cables in the cabinet.

We decided to upgrade the network infrastructure as part of the works, with a new MikroTik Router installed, along with a managed TP-Link 24 Port Gigabit network switch. This would allow for improved network performance at the site, with better security than at the old site (which used the ISP provided modem/router).

Unifi Access Points were installed throughout the office to allow for perfect wireless signal in all parts of the new offices.

Once we completed the equipment install (before cable management is installed):

[Image: All powered and live]

One thing we always do when on site is label cables/power plugs as we go along to make identification easier when there are 100 more patch cables in the cabinet:

[Image: Detail of labelling]

Detail of Cable Labeling:

[Image: Detail of labelling 2]

It’s all in the detail!

Of course, at the new offices, we kept some things the same – the network SSID and Key for example – this meant the wireless was working without any configuration changes on the laptop machines.

Also, the network subnet was kept the same, so that any devices with static IP addressing would work immediately when connected to the network.

Once all of the equipment was setup and installed, we then assisted with the relocation of the desktop machines and NAS device from the old office between Christmas and New Year.

Thanks to the works before the move date, there were no issues whatsoever on the move day itself. All setup and working for the 4th of January!


Case Study – Network Upgrade and Tidy

We recently completed a network upgrade and tidy for a training company in South London.

The problem points:

  1. Poor performance of the internet router – often crashed
  2. Poor wireless signal
  3. No VPN access, or unstable VPN access
  4. Messy network cabinet, making diagnosis of faults difficult.

After visiting site, we found this:

[Image: Network cabinet 1]

Even though the customer had a rack cabinet, the equipment was laying on the bottom, and the wireless access point was inside the cabinet – that explains the poor wireless signal!

After discussing the requirements with the customer, we decided to consolidate some of the networking devices (router, network switch) and replace them with rack mount items.

We went with a MikroTik Cloud Router Switch – providing fast (gigabit) ethernet connections in the office and a powerful firewall/router, to allow for remote monitoring and management. Of course, all of the usual VPN protocols are supported.

For the wireless connection, the existing TP-Link wireless access point was replaced with a Unifi UAP, to again allow for easier remote management of the wireless network that was in place.

A guest network was setup for the client, so that the main working network was isolated from visiting clients who needed wireless access.

There was a significant improvement in the network cabinet alone at the mid-way point:

[Image: Network cabinet 2]

Note this is before we ceiling mounted the access point!

Once this was completed with the Unifi supplied mounting brackets (made easier by the suspended ceiling):

[Image: UAP ceiling mounted]

In the end the customer ended up with:

  1. Improved signal strength for the wireless in all areas
  2. Improved security for the network (as the guest wireless was isolated from the main network)
  3. A tidier network cabinet, with more easily managed connectivity
  4. A powerful, remotely managed router/switch to allow reliable VPN access