Someone I know came to me the other day about a consulting project that may or may not happen.   What essentially he wants done is an overhaul of IT infrastructure.   They want more automation to their operation and they deal with physical goods.  So from receiving to shipping, to everything in between they are looking to streamline.    They want to do more with less, less equipment if possible, less people if possible, less stress if possible.   In other words they want what every other company in the world wants.

Currently they have a software package that does some of this, but it doesn’t do everything they want it to be able to do.   I don’t have implicit knowledge of the package, other then I’ve created firewall rules when I was consulting with Symantec to pass the traffic.   So my first question is the scope of the project.   The person I was talking to didn’t exactly no what I meant by that.   They were more worried about the big picture ideal instead of what a consultant would need to work with.  A vision of the end goal is great, but without specific tasks to get there it definitely puts an implementer at a disadvantage.   He stated that we would have to do a sit down and discuss the issue and layout of the business process.   This is a good step, but part of why I’m writing this is to help others know the answer they should have when going into something of this magnitude.

Easy, Hard and Correct

The first question is why do you want to do this?  There are easy answers, there are hard answers, and there is correct answers to this question.    Some of the easy answers include – I want everything to work together better, we want to build to the future, and I have to spend my budget before the end of the fiscal cycle and want to try out this product.    Hard answers include we want something more manageable for our IT staff, we want it to run faster in our environment, we want something we can understand.

There are reasons that these are the easy answers and hard answers.  The first and foremost thought is to remember to sit down with a consultant or someone who understands the technology thoroughly enough before ever sitting down with a salesperson.   To sales people, these are all easy and correct answers.   They will tell you your toast can be used to transport computer network traffic with the right purchase, they are there to get your money.  It’s the one reason I can never be a salesperson.  I like people using the correct solution, not necessarily the solution that I am selling.   Even when I worked at Symantec, I knew Symantec products were not the best products for all customers.   Some customers only changed products because they had money to spend and ended up worse off for it.    Salespeople are tricky creatures that guard their bonuses like Disney guards it’s copyrights.

Easy answers are normally very vague,  they tell a salesperson of consultant that you haven’t really though to much about the problem.  You have a basic idea of what you want, but you don’t know any specifics.  The problem with the easy answers is that they are also the most expensive answers – this allows those that are implementing something to sell you what they think is best, regardless of how it will fit into your business six months down the road when they are gone.  You will have to make some decisions on your own, and this should not be listening to the best sales pitch from two competing vendors.  The best sales pitch does not necessarily equate into the best product.

Why are the hard answers difficult?  What that’s because everything is relative.   Going back to my examples can show you this.  We want something more manageable by our IT staff, well how trained is your IT staff?   Do your employees know alternative operating systems?  Does your staff only run Microsoft products?  Is this faster for your environment?  What about a year down the road and the nightmare efficient system breaks because of infrastructure changes you were forced to make?  Everything comes down to you knowing your environment and your plans for the future.   A consultant only gets a glimpse of time into your configuration and is not going to be the full time employee running this stuff.   They won’t know how your future plans could be effected if you don’t tell them your future plans.

The correct answer?  That include being as specific as possible.  Let’s say this is to implement an Exchange Server migrating from a Lotus Notes architecture.   Why would I want to do this?   Lotus Notes has been long in the process of being a headache for us.   The administrator that runs it is retiring in six months and we have other employees that could scale up quicker to learn  Exchange then Lotus Notes.   The collaborative features in exchange work in Outlook, which our company already loads on all the desktop since we have a full Microsoft Office License on all of the desktops.  About 30% of our users already use outlook to retrieve their e-mail, even though they all have the Notes client installed on their desktops also.   Being able to consolidate this would save us thousands a year since we would no longer need a support contract or license fees paid to IBM to support the old Lotus infrastructure.    The more complete and specific the answer, the better the consultant can answer your questions.

Do You Listen To Alternatives?

Even in the Exchange scenario seems complete.  How rigid are you to suggestions?  What if the consultant offers up other alternatives such as a web based e-mail solution that would still allow Exchange to connect and retrieve e-mail? While a Linux/Apache approach may be cheaper, you could also implement it on top of IIS.   Building with some other technologies you could gain all the collaborative powers of Exchange for thousands of dollars less.   Those who didn’t want to use Outlook could use a browser.  If you combine this with a secure remote access solution this would allow for a possible quicker and less bandwidth connection for telecommuters if that is where your company is going.

Knowing what your plans and how rigid they need to be help a consultant decide what avenues may be the best approach for you.  While I offered up a free solution, another consultant may offer ways to augment your current Notes infrastructure to fit your needs.  The best consultants will offer alternatives to your current line of thinking.   You do not have to listen to them, you can stay focused, but hearing how open you are is important.

Timeline

A timeline is something you should have in mind sitting down with the consultant.  He needs to know deadlines and what your expectations are.   Does this need to be done in a week or a year?  How are your current employees going to ramp up on the new solution?  While a consultant may reset your timelines to something more realistic, knowing what type of time frame you are trying to achieve is important to the success of the project.   It also tells the consultant if they are going ot need to bring in more outside help.

Breakdown of Tasks

Have you compartmentalized your tasks?  The person that contacted me was looking for a complete end to end solution, is this what best?   In a solution like that how are you going to handle the transition time?   You don’t want to migrate the whole solution at the touch of a button, since any big architecture change can effect your business continuity.  For some businesses any downtime at all is lost revenue.   A consultant wants to make this impact as minimal as possible.   Even when you do the best planning and compartmentalizing sometimes you will get stuck on a twenty-three hour conference call working through the issues of down time.   When this happens I can tell you it’s not fun.  That was also with a staged migration.

What segments of your business can be down for hours at a time?   When you can answer that you can start staging your tasks.  The tasks that can be down the longest generally should be the first ones migrated, since they should give you expectations for later tasks, and allow you to plan accordingly.   Do not re-architect the design so the whole system (no matter how small) to be done in one night if there are multiple groups effected in the transition.   Design the impact to be as small as possible.   Yes, this may increase time – which in turn increases expense, but without proper planning it may cost you more in the long run.

Cost

The question that no likes asking or giving, what is your budget for this task.  You can wait for the consultant to make a cost estimate pitch first if you like – but at some point in the conversation cost is going to come up.   Do your homework ahead of time to see how much you expect it to cost and budget accordingly.   What are you going to do if things go over budget?  If your three quarters way through a project and haev no more money to finish it, how is that going to impact you?

In Closing

This may seem like a list of things that I want as a consultant.   These are however fairly common truths on what a consultant needs to start a project properly instead of spinning their wheels.   In the next week or so I’m going to follow this up with how to spot a good consultant versus a bad one.

]]> http://creeva.com/2009/02/10/things-you-should-be-able-before-to-answer-contacting-a-consultant/feed/ 3 http://creeva.com/2008/08/09/twitter-updates-for-2008-08-09/ http://creeva.com/2008/08/09/twitter-updates-for-2008-08-09/#comments Sun, 10 Aug 2008 04:59:59 +0000 Creeva http://creeva.com/2008/08/09/twitter-updates-for-2008-08-09/

Picture from here

I get distracted when I get home from work.  I’m easily amused and have the “Ooooooooooooooooooooohhh Shiny” mentality type of distraction.  I don’t deny it.   I don’t exactly revel in it either.   By the time I actually get around to doing some of the things I need to get done, it’s late, I’m tired and cranky.   If I put things off until the weekend we end up doing stuff and getting involved (“Is that a shiny over there?”) and so things once again get overlooked.   I’m not sure I would actually sleep if I didn’t know for certainty that it helps save my job and my marriage.   So what can I do about it?

Picture from here

Things I have tried with little or no success:

• Wall Calenders
• Sticky Notes
• Todo Tasks in Outlook
• Todo Tasks on Google
• GTD sites
• Web Calenders

Nothing so far seems to work for me – I’m mundane blind.  When there is a shiny I don’t even notice the mundane.

Like many geeks, corporate types, etc.   I live and die by e-mail.   This is something I greatly increased in focus when I was a consultant.   Now I can handle literally hundreds of e-mails a day, and I can’t stand a cluttered mail box.  I normally use Gmail‘s interface just through a browser, but I’ve been known to dabble in POP3 and IMAP access (the insanity!!).  Mostly though I just use the web browser.  It’s the same at work, home, and on the go.   The one thing I hate most about my mail box, is when it get’s full.   I hate a cluttered inbox, I hate coming back and seeing more then one page of e-mail waiting for me (which does happen if there is some strange reason I don’t check my email for two days).

Picture from here

So I stumble on the idea of combining these two things, hatred of e-mail clutter and a need to get motivated and GTD, so now I’m email my tasks to myself (and now Xie has joined into the game).  The first thing when I went down this road is to send myself a daily list of tasks to do, well I tried that once in the past and that doesn’t seem to help.  Neither do reminder services, since I easily dismiss them.

The format I use when I mail myself is TODO (task) – this forces me to stare at it every time I look at my e-mail.   I’m hoping it will succesfully burn the task into my brain.   When I actually complete the task it get’s archived, thereby saving me space in my inbox.   Too many tasks and it will roll over to a second page, I would be highly annoyed if that happened.   So essentially I’m going to be GTD by annoying myself.

Meh.

But it may work.

Chicago, IL (MDW)

New York, NY (LGA)

Atlanta, GA (ATL)

Philadelphia, PA (PHL)

New York, NY (JFK)

Newark, NJ (EWR)

Chicago, IL (ORD)

So for all the rest of you that have been stranded out there waiting for your flight to take off, I take great sympathy for you.

The kids were all heroic — all but a semi-heroic member of their troupe named Eric. Eric was a whiner, a complainer, a guy who didn’t like to go along with whatever the others wanted to do. Usually, he would grudgingly agree to participate, and it would always turn out well, and Eric would be glad he joined in. He was the one thing I really didn’t like about the show.

Now, I won’t make the leap to charge that gang activity, of the Crips and Bloods variety, increased on account of these programs. That influential, I don’t believe a cartoon show could ever be. I just think that “pro-social” message was bogus and ill-conceived. End of confession.

A cowboy was herding his herd in a remote pasture when suddenly a brand-new BMW advanced out of a dust cloud towards him. The driver, a young man in a Brioni suit, Gucci shoes, Ray Ban sunglasses and YSL tie, leans out the window and asks the cowboy, “If I tell you exactly how many cows and calves you have in your herd, will you give me a calf?”

The cowboy looks at the man, obviously a yuppie, then looks at his peacefully grazing herd and calmly answers, “Sure. Why not?”

The yuppie parks his car, whips out his Dell notebook computer, connects it to his AT&T cell phone and surfs to a NASA page on the Internet, where he calls up a GPS satellite navigation system to get an exact fix on his location which he then feeds to another NASA satellite that scans the area in an ultra-high-resolution photo.

The young man then opens the digital photo in Adobe Photoshop and exports it to an image processing facility in Hamburg, Germany. Within seconds, he receives an email on his Palm Pilot
that the image has been processed and the data stored.

He then accesses a MS-SQL database through an ODBC connected Excel spreadsheet with hundreds of complex formulas. He uploads all of this data via an email on his Blackberry, and after a fewminutes, receives a response. Finally, he prints out a full-color, 150-page report on his hi-tech, miniaturized HP LaserJet printer and finally turns to the cowboy and says, “You have exactly 1586 cows and calves.”

“That’s right. Well, I guess you can take one of my calves,”says the cowboy. He watches the young man select one of the animals and looks on amused as the young man stuffs it into the
trunk of his car.

Then the cowboy says to the young man, “Hey, if I can tell you exactly what your business is, will you give me back my calf?”

The young man thinks about it for a second and then says,”Okay, why not?”

“You’re a consultant.” says the cowboy.

“Wow! That’s correct,” says the yuppie, “but how did you guess that?”

“No guessing required,” answered the cowboy. “You showed up here even though nobody called you; you want to get paid for an answer I already knew; to a question I never asked; and you
don’t know anything about my business.”

“Now give me back my DOG.”

Decisions decisions.

I kept meaning to get to this but it was a low priority for the most part – and the moments when it was a high priority I had no internet connection I could get on via another device to troubleshoot and fix it.

Theoretically the way I had been doing should have worked according to documentation online. However since this is kind of a niche use the documentation may not be up to date and some people may have already known the work around.

Since fighting this issue and making it a PITA to track down and troubleshoot I wanted to post the answer so some other hapless sould doesn’t have to endure the pain of fixing it.

I managed to get the following information from this site:

Connection Name: tzones

Data bearer: Packet data

Access point name: wap.voicestream.com

User name: N/A

Password: N/A

Authentication: Normal

Homepage: http://wap.myvoicestream.com

Advanced Settings (Handsets not equiped with WAP 2.0 may skip this section)

Proxy serv address: 216.155.165.050

Proxy port number: 8080

So I enter the proxy server into my PDA’s browser and it now works. Like I said according to the next article for straight through non-wap traffic this shouldn’t be required – so more work possible getting the laptop to connect (haven’t tried that either but will tonight….maybe).

Another thing I’m going to track down since I can’t host my own server is seeing if I can set up my PDA to use another proxy other then t-mobiles (curse Verizon for not allowing servers – btw they balked at me because I wanted a business class DSL so I could host and I gave up after trying to explain it for 3 hours – the loss of being able to VPN home is not worth the pain of enduring idiot questions like “why would you have a business class connection at a residential address”.

On a side note to show how much I use my cell phone for calls these days now that I’m no longer a consultant, my cell phone had been missing for a week. I had checked online and there was no unusual activity so I hadn’t left it in public or had it stolen. So every now again over the last week I was tearing up cushions and putting them back – only to repeat the routine a day or two later. Crawling on the floor to search the nooks and crannies of couches and cars. Finally last night out the corner of my eye I saw it – it had stayed hidden for a week under a reciept on the coffee table.

AARRRGGGG

I wrote this document for a customer back in 2005 when I was a Symantec Consultant – posting it from 2008 in the right time period.

Solutions Guide for Load Balanced NAT Issues

These are solutions to possible load balancing issue you may encounter with the Symantec Firewall load balancing methods. The assumption is problems you would encounter going from an internal network to an Internet host or network. These problems also rarely occur and are usually an issue depending on the security of the remote host.

Scenario: Multiple TCP connections on the same port leaving with different outside NAT addresses causes the remote server to reject the connection.

Example: HTTPS connections that do not use a client side cookie.

Solutions:

1. We can use stateful failover for the TCP traffic and all traffic would leave as the VIP address. The downside is some increased load on all the firewalls in the cluster.
2. Have a one to one NAT configured, this would correct that issue as the client would always be seen as the NAT address you configured. The downside is that you need a public IP address for every machine you would do this for.
3. We can use original client address. The downside of this would require you to have publicly routable addresses going to the outside of the firewall. It would also allow the outside world to see your internal networking schema.
4. Pass the traffic through a filter. The downside is that this passes below the proxy level and tight controls would need to be in place to maintain security. Also you would need publicly routable IP addresses or NAT the traffic on the upstream router. If you use public addresses internal and do not on the router it would allow the outside world to see your internal networking schema.
5. Use traffic grouping, this ensures all traffic to the configured host goes through only one firewall at a time. The downside is administration level is higher due to the need of configuring remote hosts manually.
6. Hardware Load balancer. The downside is that this is out of Symantec’s control and immediate scope. It would require reliance on a third party product.
7. Manually route traffic through only one firewall. This would have the traffic corrected by having traverse one firewall only. The downside is administration level required to perform this. Another issue is if the firewall that is passing the traffic goes down the connection would not work or network administrators would have to configure a route change on the router directing this traffic.

Scenario: A connection that requires multiple TCP destination ports.

Example: Passive mode FTP (which the FTP daemon can handle this without modification; lack of a more common protocol as an example is not immediately available.)

Solutions:

1. We can use stateful failover for the TCP traffic and all traffic would leave as the VIP address. The downside is some increased load on all the firewalls in the cluster.
2. Have a one to one NAT configured, this would correct that issue as the client would always be seen as the NAT address you configured. The downside is that you need a public IP address for every machine you would do this for.
3. We can use original client address. The downside of this would require you to have publicly routable addresses going to the outside of the firewall. It would also allow the outside world to see your internal networking schema.
4. Pass the traffic through a filter. The downside is that this passes below the proxy level and tight controls would need to be in place to maintain security. Also you would need publicly routable IP addresses or NAT the traffic on the upstream router. If you use public addresses internal and do not on the router it would allow the outside world to see your internal networking schema.
5. Use traffic grouping, this ensures all traffic to the configured host goes through only one firewall at a time. The downside is administration level is higher due to the need of configuring remote hosts manually.
6. Hardware Load balancer. The downside is that this is out of Symantec’s control and immediate scope. It would require reliance on a third party product.
7. Manually route traffic through only one firewall. This would have the traffic corrected by having traverse one firewall only. The downside is administration level required to perform this. Another issue is if the firewall that is passing the traffic goes down the connection would not work or network administrators would have to configure a route change on the router directing this traffic.

Scenario: A mixture of UDP and TCP traffic.

Example: This is usually seen in custom applications such as streaming media where the connection starts on TCP and migrates over to UDP for media delivery.

Solutions:

1. Have a one to one NAT configured, this would correct that issue as the client would always be seen as the NAT address you configured. The downside is that you need a public IP address for every machine you would do this for.
2. We can use original client address. The downside of this would require you to have publicly routable addresses going to the outside of the firewall. It would also allow the outside world to see your internal networking schema.
3. Pass the traffic through a filter. The downside is that this passes below the proxy level and tight controls would need to be in place to maintain security. Also you would need publicly routable IP addresses or NAT the traffic on the upstream router. If you use public addresses internal and do not on the router it would allow the outside world to see your internal networking schema.
4. Use traffic grouping, this ensures all traffic to the configured host goes through only one firewall at a time. The downside is administration level is higher due to the need of configuring remote hosts manually.
5. Hardware Load balancer. The downside is that this is out of Symantec’s control and immediate scope. It would require reliance on a third party product.
6. Manually route traffic through only one firewall. This would have the traffic corrected by having traverse one firewall only. The downside is administration level required to perform this. Another issue is if the firewall that is passing the traffic goes down the connection would not work or network administrators would have to configure a route change on the router directing this traffic.

Scenario: TCP and IP traffic mixture.

Example: Microsoft’s PPTP VPN. This product uses port 1723 TCP and IP type 47 to pass traffic.

Solutions:

1. Have a one to one NAT configured, this would correct that issue as the client would always be seen as the NAT address you configured. The downside is that you need a public IP address for every machine you would do this for.
2. We can use original client address. The downside of this would require you to have publicly routable addresses going to the outside of the firewall. It would also allow the outside world to see your internal networking schema.
3. Pass the traffic through a filter. The downside is that this passes below the proxy level and tight controls would need to be in place to maintain security. Also you would need publicly routable IP addresses or NAT the traffic on the upstream router. If you use public addresses internal and do not on the router it would allow the outside world to see your internal networking schema.
4. Use traffic grouping, this ensures all traffic to the configured host goes through only one firewall at a time. The downside is administration level is higher due to the need of configuring remote hosts manually.
5. Hardware Load balancer. The downside is that this is out of Symantec’s control and immediate scope. It would require reliance on a third party product.
6. Manually route traffic through only one firewall. This would have the traffic corrected by having traverse one firewall only. The downside is administration level required to perform this. Another issue is if the firewall that is passing the traffic goes down the connection would not work or network administrators would have to configure a route change on the router directing this traffic.

Scenario: UDP connections using multiple ports

Example: No known examples available for reference.

Solutions:

1. Have a one to one NAT configured, this would correct that issue as the client would always be seen as the NAT address you configured. The downside is that you need a public IP address for every machine you would do this for.
2. We can use original client address. The downside of this would require you to have publicly routable addresses going to the outside of the firewall. It would also allow the outside world to see your internal networking schema.
3. Pass the traffic through a filter. The downside is that this passes below the proxy level and tight controls would need to be in place to maintain security. Also you would need publicly routable IP addresses or NAT the traffic on the upstream router. If you use public addresses internal and do not on the router it would allow the outside world to see your internal networking schema.
4. Use traffic grouping, this ensures all traffic to the configured host goes through only one firewall at a time. The downside is administration level is higher due to the need of configuring remote hosts manually.
5. Hardware Load balancer. The downside is that this is out of Symantec’s control and immediate scope. It would require reliance on a third party product.
6. Manually route traffic through only one firewall. This would have the traffic corrected by having traverse one firewall only. The downside is administration level required to perform this. Another issue is if the firewall that is passing the traffic goes down the connection would not work or network administrators would have to configure a route change on the router directing this traffic.

Scenario: UDP and IP traffic mixture.

Example: This traffic would mostly be associated with IPSEC VPN traffic.

Solutions:

1. Have a one to one NAT configured, this would correct that issue as the client would always be seen as the NAT address you configured. The downside is that you need a public IP address for every machine you would do this for.
2. We can use original client address. The downside of this would require you to have publicly routable addresses going to the outside of the firewall. It would also allow the outside world to see your internal networking schema.
3. Pass the traffic through a filter. The downside is that this passes below the proxy level and tight controls would need to be in place to maintain security. Also you would need publicly routable IP addresses or NAT the traffic on the upstream router. If you use public addresses internal and do not on the router it would allow the outside world to see your internal networking schema.
4. Use traffic grouping, this ensures all traffic to the configured host goes through only one firewall at a time. The downside is administration level is higher due to the need of configuring remote hosts manually.
5. Hardware Load balancer. The downside is that this is out of Symantec’s control and immediate scope. It would require reliance on a third party product.
6. Manually route traffic through only one firewall. This would have the traffic corrected by having traverse one firewall only. The downside is administration level required to perform this. Another issue is if the firewall that is passing the traffic goes down the connection would not work or network administrators would have to configure a route change on the router directing this traffic.

Scenario: Multiple IP types only connections.

Example: No known examples available for reference.

Solutions:

1. Have a one to one NAT configured, this would correct that issue as the client would always be seen as the NAT address you configured. The downside is that you need a public IP address for every machine you would do this for.
2. We can use original client address. The downside of this would require you to have publicly routable addresses going to the outside of the firewall. It would also allow the outside world to see your internal networking schema.
3. Pass the traffic through a filter. The downside is that this passes below the proxy level and tight controls would need to be in place to maintain security. Also you would need publicly routable IP addresses or NAT the traffic on the upstream router. If you use public addresses internal and do not on the router it would allow the outside world to see your internal networking schema.
4. Use traffic grouping, this ensures all traffic to the configured host goes through only one firewall at a time. The downside is administration level is higher due to the need of configuring remote hosts manually.
5. Hardware Load balancer. The downside is that this is out of Symantec’s control and immediate scope. It would require reliance on a third party product.
6. Manually route traffic through only one firewall. This would have the traffic corrected by having traverse one firewall only. The downside is administration level required to perform this. Another issue is if the firewall that is passing the traffic goes down the connection would not work or network administrators would have to configure a route change on the router directing this traffic.

Scenario: A connection using TCP, UDP, and IP types all in conjunction.

Example: Older VPN connections that did not adhere to the IPSEC standard.

Solutions:

1. Have a one to one NAT configured, this would correct that issue as the client would always be seen as the NAT address you configured. The downside is that you need a public IP address for every machine you would do this for.
2. We can use original client address. The downside of this would require you to have publicly routable addresses going to the outside of the firewall. It would also allow the outside world to see your internal networking schema.
3. Pass the traffic through a filter. The downside is that this passes below the proxy level and tight controls would need to be in place to maintain security. Also you would need publicly routable IP addresses or NAT the traffic on the upstream router. If you use public addresses internal and do not on the router it would allow the outside world to see your internal networking schema.
4. Use traffic grouping, this ensures all traffic to the configured host goes through only one firewall at a time. The downside is administration level is higher due to the need of configuring remote hosts manually.
5. Hardware Load balancer. The downside is that this is out of Symantec’s control and immediate scope. It would require reliance on a third party product.
6. Manually route traffic through only one firewall. This would have the traffic corrected by having traverse one firewall only. The downside is administration level required to perform this. Another issue is if the firewall that is passing the traffic goes down the connection would not work or network administrators would have to configure a route change on the router directing this traffic.