Someone I know came to me the other day about a consulting project that may or may not happen.   What essentially he wants done is an overhaul of IT infrastructure.   They want more automation to their operation and they deal with physical goods.  So from receiving to shipping, to everything in between they are looking to streamline.    They want to do more with less, less equipment if possible, less people if possible, less stress if possible.   In other words they want what every other company in the world wants.

Currently they have a software package that does some of this, but it doesn’t do everything they want it to be able to do.   I don’t have implicit knowledge of the package, other then I’ve created firewall rules when I was consulting with Symantec to pass the traffic.   So my first question is the scope of the project.   The person I was talking to didn’t exactly no what I meant by that.   They were more worried about the big picture ideal instead of what a consultant would need to work with.  A vision of the end goal is great, but without specific tasks to get there it definitely puts an implementer at a disadvantage.   He stated that we would have to do a sit down and discuss the issue and layout of the business process.   This is a good step, but part of why I’m writing this is to help others know the answer they should have when going into something of this magnitude.

Easy, Hard and Correct

The first question is why do you want to do this?  There are easy answers, there are hard answers, and there is correct answers to this question.    Some of the easy answers include – I want everything to work together better, we want to build to the future, and I have to spend my budget before the end of the fiscal cycle and want to try out this product.    Hard answers include we want something more manageable for our IT staff, we want it to run faster in our environment, we want something we can understand.

There are reasons that these are the easy answers and hard answers.  The first and foremost thought is to remember to sit down with a consultant or someone who understands the technology thoroughly enough before ever sitting down with a salesperson.   To sales people, these are all easy and correct answers.   They will tell you your toast can be used to transport computer network traffic with the right purchase, they are there to get your money.  It’s the one reason I can never be a salesperson.  I like people using the correct solution, not necessarily the solution that I am selling.   Even when I worked at Symantec, I knew Symantec products were not the best products for all customers.   Some customers only changed products because they had money to spend and ended up worse off for it.    Salespeople are tricky creatures that guard their bonuses like Disney guards it’s copyrights.

Easy answers are normally very vague,  they tell a salesperson of consultant that you haven’t really though to much about the problem.  You have a basic idea of what you want, but you don’t know any specifics.  The problem with the easy answers is that they are also the most expensive answers – this allows those that are implementing something to sell you what they think is best, regardless of how it will fit into your business six months down the road when they are gone.  You will have to make some decisions on your own, and this should not be listening to the best sales pitch from two competing vendors.  The best sales pitch does not necessarily equate into the best product.

Why are the hard answers difficult?  What that’s because everything is relative.   Going back to my examples can show you this.  We want something more manageable by our IT staff, well how trained is your IT staff?   Do your employees know alternative operating systems?  Does your staff only run Microsoft products?  Is this faster for your environment?  What about a year down the road and the nightmare efficient system breaks because of infrastructure changes you were forced to make?  Everything comes down to you knowing your environment and your plans for the future.   A consultant only gets a glimpse of time into your configuration and is not going to be the full time employee running this stuff.   They won’t know how your future plans could be effected if you don’t tell them your future plans.

The correct answer?  That include being as specific as possible.  Let’s say this is to implement an Exchange Server migrating from a Lotus Notes architecture.   Why would I want to do this?   Lotus Notes has been long in the process of being a headache for us.   The administrator that runs it is retiring in six months and we have other employees that could scale up quicker to learn  Exchange then Lotus Notes.   The collaborative features in exchange work in Outlook, which our company already loads on all the desktop since we have a full Microsoft Office License on all of the desktops.  About 30% of our users already use outlook to retrieve their e-mail, even though they all have the Notes client installed on their desktops also.   Being able to consolidate this would save us thousands a year since we would no longer need a support contract or license fees paid to IBM to support the old Lotus infrastructure.    The more complete and specific the answer, the better the consultant can answer your questions.

Do You Listen To Alternatives?

Even in the Exchange scenario seems complete.  How rigid are you to suggestions?  What if the consultant offers up other alternatives such as a web based e-mail solution that would still allow Exchange to connect and retrieve e-mail? While a Linux/Apache approach may be cheaper, you could also implement it on top of IIS.   Building with some other technologies you could gain all the collaborative powers of Exchange for thousands of dollars less.   Those who didn’t want to use Outlook could use a browser.  If you combine this with a secure remote access solution this would allow for a possible quicker and less bandwidth connection for telecommuters if that is where your company is going.

Knowing what your plans and how rigid they need to be help a consultant decide what avenues may be the best approach for you.  While I offered up a free solution, another consultant may offer ways to augment your current Notes infrastructure to fit your needs.  The best consultants will offer alternatives to your current line of thinking.   You do not have to listen to them, you can stay focused, but hearing how open you are is important.

Timeline

A timeline is something you should have in mind sitting down with the consultant.  He needs to know deadlines and what your expectations are.   Does this need to be done in a week or a year?  How are your current employees going to ramp up on the new solution?  While a consultant may reset your timelines to something more realistic, knowing what type of time frame you are trying to achieve is important to the success of the project.   It also tells the consultant if they are going ot need to bring in more outside help.

Breakdown of Tasks

Have you compartmentalized your tasks?  The person that contacted me was looking for a complete end to end solution, is this what best?   In a solution like that how are you going to handle the transition time?   You don’t want to migrate the whole solution at the touch of a button, since any big architecture change can effect your business continuity.  For some businesses any downtime at all is lost revenue.   A consultant wants to make this impact as minimal as possible.   Even when you do the best planning and compartmentalizing sometimes you will get stuck on a twenty-three hour conference call working through the issues of down time.   When this happens I can tell you it’s not fun.  That was also with a staged migration.

What segments of your business can be down for hours at a time?   When you can answer that you can start staging your tasks.  The tasks that can be down the longest generally should be the first ones migrated, since they should give you expectations for later tasks, and allow you to plan accordingly.   Do not re-architect the design so the whole system (no matter how small) to be done in one night if there are multiple groups effected in the transition.   Design the impact to be as small as possible.   Yes, this may increase time – which in turn increases expense, but without proper planning it may cost you more in the long run.

Cost

The question that no likes asking or giving, what is your budget for this task.  You can wait for the consultant to make a cost estimate pitch first if you like – but at some point in the conversation cost is going to come up.   Do your homework ahead of time to see how much you expect it to cost and budget accordingly.   What are you going to do if things go over budget?  If your three quarters way through a project and haev no more money to finish it, how is that going to impact you?

In Closing

This may seem like a list of things that I want as a consultant.   These are however fairly common truths on what a consultant needs to start a project properly instead of spinning their wheels.   In the next week or so I’m going to follow this up with how to spot a good consultant versus a bad one.

]]> http://creeva.com/2009/02/10/things-you-should-be-able-before-to-answer-contacting-a-consultant/feed/ 3 http://creeva.com/2008/12/23/money-isnt-everything/ http://creeva.com/2008/12/23/money-isnt-everything/#comments Tue, 23 Dec 2008 15:49:50 +0000 Creeva http://creeva.com/?p=3817

Picture from here

Money isn’t everything.   We treat it like is though.   Some people can’t understand when I say I don’t necessarily want more though.   I of course do want more money, but at the same time I don’t.   What I truly want is more freedom, more time, and more enjoyment from what I do.

I’ve had a couple jobs that I enjoyed more then anything else.   The first was working at a small PC shop.  It was my first break into the IT industry, in which I’ve done well climbing the ladder.   I interacted with people, I was a problem solver.  I was one of hte go to people that could fix almost anything.   I’m the type of guy that you throw problems at and I’ll swat them away like annoying insects.   It was my forte, the only thing I was really lacking at the time was high end networking.   I could make computers talk, but as I learned in my next favorite job I truly knew nothing.

The next job I can say now that I truly loved was working at Symantec’s enterprise firewall support call center.   Like the small PC shop after a year or so I came into my own and had my own groove.   After three years being on the team I had closed more tickets then anyone else in level one and level two support (I left being the team lead).    I also held the record for the most calls handled in one day.   The irony about having the most tickets closed is that 30-40% of the time I didn’t even open a ticket for the call.   Our call center software was so slow that it took 5-7 minutes to actually open and write up a ticket.  I made a deal with my managers (I’m sure some higher ups wouldn’t be happy) – that if I could handle the call in under five minutes and be almost positive that they wouldn’t be calling in on the same issue that I could just skip the ticket process.   So for volume, by the time I left I handled far above and beyond what everyone else had ever handled.    Symantec has since dicontinued the product, it lasted about another year and half after I migrated into consulting that it went kaput.  I wonder if anyone caught up to me in the call record or number of handled cases before it was gone.

This isn’t about bragging rights, I’m sure it sounds like it though.   What did both of these jobs have in common though?  They were both hectic chicken running with it’s head cut off problem squashing affairs.   I work best where I have a new issue every fifteen minutes or a nagging issue that would keep me up at night trying to solve.   As you move up the ladder you loose that.  You are working on long and engaging projects where the problem takes five minutes to engineer, yet in turn takes six months to implement.   I’m still good at what I do, but it’s not exactly the best fit for my skill set.   This in turn leads me into a spiral or more money versus more enjoyment.

Me and my Grandfather (Not a Recent Picture)

I had a conversation with my grandfather a few weeks ago, he told me how lucky it was that I had a job in today’s economy (I am), and that it would be difficult to move up in the area I lived.  I started to explain to him that I could more then likely finding a better paying job, but it may not be as stable in the long term as my current one.   I also said for the right job I would work for less then I currently do.  Somehow in his mind that didn’t compute.   In an abstraction of what he said, essentially he thought climbing the ladder should be what is important.   I told him with the right job, I would take a 20% pay reduction.  Granted that wasn’t my end goal, but for the right job in the right environment I would take my family down to the bare level where we could maintain everything.   Why?  I would be happier.

We are taught early that you need to learn so you can better then”random example”.   So you can go to college and maintain that edge and not be a janitor.   So you can get the huge house and be better then your neighbors.   If you neighbor buys a Lexus you are taught that you should buy a BMW.  It’s a mad dash to prove that your better then everyone else.   To prove that capitalism runs the world.  If we are not working to that we are either considered un-American, stupid, or lazy.   Granted I am a bit lazy, but I can work.    I was born July 4, 1976 so I don’t consider myself un-American (I’m a Constitutionalist).   I’m not stupid either.

I think this mindset first hit my family when I wanted to go to college for music performance and creative writing.   They always said I wouldn’t make any money with that.  I was seventeen and brave enough to say that if I was happy I could be living on a street corner in a box as long I was writing and playing music.   They never understood that.  If I didn’t have my wife, and a love for electronics (I didn’t have that love back then), I could probably still do it.   My life hasn’t greatly changed at the core in the last decade though when I was first with my wife.   We live essentially the same way, we have a few nicer things, a house, a car payment – but our basic lives are still the same.  I’d say the greatest difference is that we can not stand hamburger helper anymore.   I still eat the occasional cheap ass boil it  ramen, and she enjoys Kraft Macaroni and Cheese still.

Too many people in this world work for money.   Money is needed to survive (I have a friend that would argue that), but at the same time it shouldn’t be your singular goal.   When I was younger I had a certain goal financially I wanted to make, I did through different means.   I’m not at that level right now (I have no stock options to sell anymore), but it didn’t make it me any happier.   These days I write more, I play in two bands, I’m learning new instruments, and I have a baby that should arrive in the next couple months.   I’m juggling the things that make me happy with work, what if I could be blissful with my job too?  Some days I hate my job, most the time I’m just meh.   If I could get the hair pulling problem solving hectic life going again it would be great (must be my undiagnosed ADD).  If I could do it at the same pay level or better, that would be awesome.

I really need to get some more recent pictures of myself

Picture from here

Yesterday on the radio they were ranking which was the most important moments in history in which you can remember what you were doing. I found the link to the quiz they were using, which was originally put up by Slate. While I do rememebr some of the events, others seem to go by without notice. I wanted to comment on the moments that happened within my lifetime. At least it will give my future son an idea of what I thought about the events that we consider important in history. This list is not in order of importance, it’s just the descending order in the slate list.

Berlin Wall comes tumbling down – I can’t say I truly remember the actual day the Berlin Wall fell down. It was a vague thing, something that was expected for awhile that was built up over time. I could be wrong on that. The one thing I thought was kind of cool about this was the fact that at Higbee’s you could purchase pieces of the Berlin Wall in a sack. These days that type of action would make me immensely sad, it’s a sign of America’s need to profit off of an event. In retrospect how did we know that they were pieces of the actual wall?

Mount St. Helens Erupts – Though I was four I remember this. I also remember President Carter on TV so I have a good young memory. This was a scary thing to me. I think I had this thought that volcano’s didn’t exist any more, that they were something that was from the time of dinosaurs. That it could happen in real life was very scary to me. I’m sure I watched this at my grandmother’s house on her floor model console TV.

Katrina Hits New Orleans – For Hurrican Katrina Xie and I were at home, we were playing SWG and attempting to get a hold of our friend that lived in New Orleans. We managed a day or so later to get a hold of him and post a picture of his house. It was scary knowing someone that was going through the disaster. We almost went down to help but didn’t. The evacuations and such were keeping people at bay we didn’t know when to go or what to do. We both wish we had gone, but that time has now passed. We are left with what we did do.

Miracle On Ice – Ok this happened while I was alive, but I remember nothing about it.

John Lennon Shot – This is another one of those where I was alive, but I don’t remember it.

Elvis Presley Dies at 42 – I definitely don’t remember this one since I was only one year old.

San Francisco World Series Earthquake – If I had followed sports ever in my life I think I would have paid more attention to this. I do remember the earthquake and wondered if California was going to fall into the Ocean. If this was the proverbial big one. I’m influenced in that thinking because of Superman II.

Princess Diana Dies – I remember this. I also wsan’t sure what the big deal was. I know one of my uncles cried because of this. To many people Diana was the last true royalty. This was probably because she was the modern storybook princess.

Three Mile Island Nuclear Accident – Once again, I was too young and do not remember this one.

Reagan Shot – We heard about this when I was at school. Since it was a private christian school we all had a prayer session for the president. Reagan was like a god to me back then, the invulnerable most powerful man. This re-affirmed that when he survived, but I was on shaky ground at first. I was young and scared for the life of our president. To this day I still personally think he was one of four greatest presidents of the last one hundred years.

Shuttle Challenger Explodes – I was in school again when this happened. It was a big media event with the first school teacher going up with the shuttle. This was the event that shocked the nation. We got out of school early that day and I do remember being upset. For what seemed to be weeks they showed that footage on the news.

JFK Jr. Dies in a Plane Crash – I’m not sure why this made the list. I remember it, and I was sad in the abstract, but it didn’t really pull at my heart strings. Around the same time I remember John Denver dying – I think the guy that who sang with Kermit the frog being gone affected me more.

Shuttle Columbia Disintegrates on Re-entry – I woke up early that day and was watching TV in the family room in the Oregon house. I was shocked and hurt when I saw this. I started crying. I thought this was the worst disaster that I had witnessed since it would hurt human’s getting back to the stars which I felt was our future. I woke up Xie and told her, she didn’t understand why I was upset. I just was. This event truly affected me.

9/11 Attacks – I was driving to work at Symantec on the beltway and a radio announcer talked about plane hitting the trade center. I’m not sure if the second plane had hit or not at that point. I thought it was some weird joke by the disc jockey’s. It turned out it wasn’t. When I arrived at work ewe were told that if it was too much for us, then we could return home (paid). I went on with my day following events online. I called Griffaw and Xie at home to turn on the TV at home to see what was happening. We kept in contact through out the day via IM. Griffaw didn’t move form that TV for four days watching everything as it unfolded. I’ll leave my own political comments about this time out of this post.

Asian Tsunami – We didn’t watch a lot of news at this time. I was aware of the event and read about it online, but it wasn’t an in your face major thing for me.

Dale Earnhardt Dies at Daytona – Really? I don’t know why this made the list. I don’t know where I was or even if I cared at all. I don’t follow NASCAR so someone dying in a car crash is a risk that I was aware that drivers took.

There is one more I would like to do that isn’t on that list:

Kurt Cobain’s Death – I didn’t watch MTV so I wasn’t immediately informed of Kurt Cobain’s death. At this time period I didn’t even like Nirvana’s music (they are one of my favorites now). I was one of those kids the next day mocking the other kids that were crying. I understand this now though. Some people may disagree but in a way Cobain was a Lennon for our generation. A voice that spoke out and said what we were feeling. Someone who we could identify with. I have never had a living musician that I felt that way about, but I understand why everyone else was upset. Wisdom is granted with age.

If you don’t see all the video links make sure you view this a creeva.com.

One of the guys at work noticed that I wore my Vermilion Haunted School House shirt in today.  He asked me if I knew Jason (pictured) above. I explained yes, that he use to live with me in Oregon after I conned him to move out there and I got him a job at Symantec. I guess this guy worked with him at Circuit City – it’s a small world after all…….

Plus this little sidenote gave me a chance ot use that photo today…

Going further into my reviews of kiosk systems we acquired the Surferquest system here at work.   Unlike my piece on SteadyState I’m not going to have a bunch of screen shots to show you this time.   However I will give you my analysis and what I’ve found out.

The Surferquest system is an off the shelf software with minimal customization.  We ordered an evaluation unit and I was tasked to try it out.   I can say for our needs as a company that requires centralized management and control of machines in our environment that the Surferquest system was not quite a correct fit for us.

In our environment we don’t normally place a machine on our network until it is fully tested and verified secure, but this product is pretty much useless until it has a network connection.   I had to contact support and they gave me an unlock code that would allow me to make changes to installed software.  The unlock code lasted only 24 hours, but they sent me a utility later on that would allow me generate unlock codes for myself.

Almost all of the customization that can be done is performed remotely by Surferquest.  This means if there is a major application change that needs to be completed you need to contact them.   Do you wish to customization your login screen?  You must contact them or upload the images to their server.    You can not perform these changes locally on the box or locally within your environment.  Wish to change the active desktop they used?  Same steps apply as changing the login screen.

Restrictions applied to the software:

Disable Windows Updates
Remove from Start Menu:
My Music
My Pictures
Favorites
Recent Documents
Frequently Used Programs
Recent Network Docs
Network Places
Help
Run
My Documents
Configure Programs
Disable Windows Keys
Lock Taskbar
Disable Control Panel
Disable Balloon Tips
Remove OEM Link
Disable Task Manager
Disable Registry
Disable Find Files with F3 in Explorer
Prevents Control Panel, Printers, and Network and Dial-up Connections from running, and removes the corresponding menu items.
Removes Shut Down from the Start menu and disables the Shut Down button in the Windows Security dialog box.
Disable System Restore
Clears Recent Documents on Exit
Disable access to Recent Network Documents
CTRL key disabled

As you can see, though they use a different product to achieve the same goal, it has similar technology to the Microsoft Steadystate product I reviewed in part 3.

You can put the software within you domain, but the software will still be phoning home to the Surferquest company. While I’m positive that there is nothing sensitive being pushed across, like any company that you would have do remote assistance make sure you trust them in case of any possible data leakage.  The official answer is that it only sends out IP address information and the last time connected.  You can view this information on the stat web page they provide you

If the drive in the unit should fail or there is a hardware issue in need of support, no software is supplied.   You must receive new hardware from the vendor and return your old unit.  They state that turn around time is usually 24 hours.   Any remote management or patching must be performed by the vendor and is done via remote monitoring software that they have access to.    The software is caused Netsupport and it sneaks out your firewall on port 22 – now all you admins that left it open for SSH can feel silly (actually that’s how the firewall support team snuck out the corporate firewall there and back to their home computers when I worked at Symantec on that team).

Quick Notes

• Idle timeouts can be configured, but they default at 10 minutes.
• They use the Deep Freeze product to maintain their disk image
• When we received the unit PXE booting was enabled (and we didn’t have a BIOS password – they stated this was a mistake)
• The unit we received had PowerDVD installed, ironically no DVD drive (another oversight they admit)
• Unlock Steadystate there is no method for restricting USB drive usage

Box the unit shipped in

Front of the unit

Top of the unit

Rear of the unit

If you deploying this in your environment you need to make certain you can accept the security and loss of control you have over this unit compared to other machine in your environment.   I see this fitting more in the public space kiosk scenarios suchs as libraries or hotels.   Because they do lack the centralized control that you would normally deploy in corporate environments I say give this one a pass or at least look hard at what you are trying to accomplish.   For the public space this is a great product, extremely low maintenance, the ability to monetize but charging a fee (customized through the stat page),  and extremely well versed and fast techinical support.   If you want to deploy an Internet Cafe in your area this is the product for you.

The Kiosk Series:

The Kiosk Series – Part One – Choices For Your Environment

The Kiosk Series – Part Two – Management Considerations For Your Environment

The Kiosk Series – Part Three – Microsoft SteadyState vs Group Policies

One of my co-workers passed away in his sleep last night.  He was a nice guy that was always there and willing to help you out.   He was a smoking buddy for me and someone with whom I could discuss cars with.   While his loss will be missed, most people here are taking it harder then I am.   After being a pallbearer for my best friend, I’m not sure I could get upset with the loss of a co-worker/casual friend the same way ever again.

When I was working for tech support at Symantec we once had someone pass away in their cubicle.   It was almost surreal after the fact.   I knew who the guy was but he wasn’t on my team so I didn’t really talk to him. But from my understanding he was sitting there for over an hour hunched over and people thought he was asleep.   This was about 1 cubicle row over from me.   It was odd but not upsetting to me.

I can say for my co-worker that passed away last night, that I’m happy he was away from the office and hopefully passed away in his sleep.    The last conversation we had was about Dodge cars made in the 60′s and 70′s  – he also talked about how he used to tour the strip in his hometown for girls when he was a teenagers driving these cars that were destined to be the classic iconography of the American automobile.

Hopefully now he is sitting again in his 1969 Dodge Charger that he owned in his younger years and cruising that same strip.  Reliving the happiest moments of his life.   He will be missed and honored.

Kiosk System Management Strategy

There are multiple issues involved with managing a “kiosk system”.   We have to look at the problems we will face whether they are considered to be internal or external.  From a security and management scope of this document we are going to assume they are located on the company guest network.  If the machines are located within the internal network the current maintenance procedures will apply.

While this is still in the design period the final abilities of both the kiosk system and the where it falls have not been decided upon.   Until another strategy is decided upon we are going to assume that these systems will be a member of the domain.

Hotfixing and Patching: Within the internal network we currently use a mixture of WSUS, SMS, and Antivirus servers to keep computers up to date.   Something similar would have to be replicated either on the guest or DMZ network.   If it is located on the DMZ network controls would have to be in place that the communication is pushed to the client for updates instead of the client pulling the information.  If the information absolutely must be pulled, this will be addressed in the section below titled “Securing Connections”.

Break/Fix Issues: Next to the computer there will have to be a phone located so users can report any issues that a kiosk should have.   Upon receiving the call and logging it, normal break/fix procedures would apply.

Remote Desktop: Going from the DMZ to the guest network we should be able to RDP into the kiosk unit.

Remote Monitoring: For the best security standpoint all of these units should include full auditing.   The audit trail could be maintained locally with a remote server from the DMZ pulling in the logs via either a script or an off the shelf utility designed for pulling log files off of the machine.

Utilization Report: Similar to the Audit log we can get a utility that monitors the utilization with these units and pull them into the internal network.  This can be done after tracking down a third party program that allows for utilization monitoring or by parsing the audit log and turning that into a utilization report.

Seat Type: A new seat type would have to be established to accommodate the additional costs incurred from the environment set up and maintenance of these units including but not limited the additional costs possibly incurred by having a phone nearby to inform the help desk of any issues.

Security Plan: A new security plan would have to be established since there will configuration settings that do not fit into the current security plans that the company has established.  While these will fall under a site security plan, none of our existing would not be able to fit these systems under their configuration options.

Privacy Controls: Depending on the kiosk solution we go with – whether it be a login based solution where they have a full application suite or a web kiosk something must be done to maintain user privacy.   After an inactivity time (amount to be specified later) which would either clear the process from memory or log the user out of the kiosk completely depending on which kiosk method we are using in a couple methods. One would be an off the shelf software product to this, at this point I would assume we would use all of their privacy and utilization reports. Another option would be to setup a script to kill the process or automatically log out the user and utilize the screensaver in the kiosk to run this functionality and monitor idle time.

Securing Connections: If the machines must pull information from the machines in the DMZ, then the best method would be to utilize IPSEC.  This would limit the amount of ports needed and allow us to lockdown communication to only the specific server that the kiosk would need to talk to.

I’ve logged in and took out of drafted and posted all my life caching items, I’m startingto go throguh my other drafts and just feeling a little bit overwhelmed.   I have things in all sorts of different stages of draft form.  An article about my paternal grandfather is about 30% done.   A draft on my first day of work with symantec is about 10%.    I have a varied things to finish via life notes.   I have pictures I still need to scan from photo albums.

Arrrrggggg.

Then you have all the things outside of the blog and this writing that causes hassles.  I have house issues I need to worry about, pet issues, relationships issues, my laptop was crashed thanks to an automatic Hardy Heron update (fixed after 3 days of figuring it out myself thank you), community band, Gnome Conduit documentation I need to finish, and work related projects.   We’ll say that’s just a start – but geeze my life seems to be a whirlwind sometimes that doesn’t stop.

And then we’re back to the blog.   I’m actually bad.  I need to look and write on the blog more often.  It relaxes me.  It actually completesme in a Jerry Macguiresque way.  Getting more seriouswriting on my blog gives me the true fulfillment in my life that only two other things give me currently.   My wife, she is my stability, my rock, the one that inspires to be better then I am.  She has a higher view point of me then I do myself.   Even though I think she is wrong, I know her beliefs in my skills is not false from her point of view, just false from my belief in reality.   I love her deeply and compeltely.   The last thing that finishes off my triage of life and completes me is playing music in the two community bands I am a member of.

These are the three things that I attempt to focus on – to get out of draft – because it calms and centers me.  I hope the three of them are never finished.

Grrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr – WordPress

The other is on Palantir and there analysis platform which after worrying about my posts because of all the Washington D.C. hits and the hits from Palantir had me very curious. The reason is I didn’t put out anything that was more technical or more scathing then some other sites I saw after the fact when I wrote that.

It seems some of my hits seem to be from people more interested specifically in Palantir and looking for more information. I would assume that the Palantir hits were part of a bot program – but it seems some of these links originated from e-mail accounts – so they are sharing my humble story.

I do applaud Palantir on updating their screenshots – it seems they are showing off some of what they have accomplished now. The only thing I have to say to Palantir is the website has moved and some articles are now cross-posted – but I haven’t written anything new and it’s the same article you were tearing through months ago when I originally wrote the article.

The other posts that are huge is my review on the Symantec Endpoint Protection, my “Hulu – Another good Tv-Links Replacement“, and My link to TV-Links replacement sites.

I’m hoping with the launch of my new site in the next 24 hours that I start to receive a wider variety of people reading a wider variety of stuff. Until then welcome those in public servant space, in the need for Symantec help, and those looking for online video. You help keep up my readership.

From a side note while we are waiting for this to start Palantir, according to wikipedia, is an artifact from the Tolkien mythos. specifically: A palantír (sometimes translated as Seeing Stone but actually meaning “Farsighted” or “One that Sees from Afar”) is a stone that functions somewhat like a crystal ball.

Webinar started

They start with the standard thank you to their host carahsoft.

Palantir was started in 2004 by Alexander Carr (sp) and the paypal team. They pointed out that the main part of Paypal was anti fraud and that’s how they relate to the intelligence community. They spent sometime discussing Paypal and their competitors. The reason paypal succeeded compared to their competitors was that they had analysts to sort the data compared to using pure computer work. The analyst then built tools to work with the data at the conceptual level compared to the data level. This allowed the analysts to help fight fraud better then the competition which allowed them to succeed.

Paypal then looked at what areas they could fit these types of tools. They recognized that they would fit best in the high finance and the intelligence community. They worked and created tools and today’s webcast was about the intelligence community tools. Planatir is a front end and backend tool

Data Integration – takes all your records and puts them into one unified view that allows an analyst to have an easy view of unified data.

Search and Discovery – see who the user communicated with – persistent search which alerts the analyst when new information becomes available.

Link Analysis- the database includes historical and auditible revision analysis – I assume this is it help ensure the integrity of the database. Includes meta data for source, who added it, and where it came from, who updated it, essentially every step of change and data you could want. This also allows the revisioning database to look quickly at the data history. They then go on to show different views and history tracking they can utilize.

He shows how you could do different information extractions to track terrorist activities (once again using the terrorist threat to try to drive the point home /rolleyes). While this would be a great tool in general I think this could have been done another way instead of driving the terrorist angle. The data set that it can pull from is quite large and very interesting.

Very interesting drag and drop interface for entity resolution and analysis. Very Web 2.0ish but yet seems they put too much emphasis on the fisher price like interface. It’s not a bad thing just overly rounded – but I assume this may help things work faster – I have nothing to compare it to though. They are offering a video at the end so I’m not going to describe all of the interface and his interaction with it.

This does make Jim Cropcho’s discovery of a flaw in the ohio voting records a very trivial discovery for this software and makes how we maintain our records especially our voting and documents that should be private (no your phone is not really considered private sorry) otherwise data discovery with tools like this is trivial.

The platform does support plug-ins.

When asked how many entities they can handle they stated over 100 million entities – they have pulled in all of IMDB, Wikipedia – and NETFLIX!!!! – so this company is looking at user checkouts and ratings on netflix – I’m going to follow up with netflix and find out what of my private data is available to these other companies.

More links

here
here
Flash Demo

For more carahsoft webinar’s go here for sign up.

The company putting on this seminar is Carahsoft. The presenter is Monica Girolami Senior Product Marketing Manager from Symantec.

When I dialed in I was the 26th caller – so take that for whatever level of review that you want.

The speaker started only 3 minutes late.

Valued of Backup Exec 11d Agents and Options:

Agenda:
Windows Recovery Challenge
Backup Exec 11d for windows servers
Current Upgrade promotions
Questions and Answers

This is about keeping your data secure and available against malicious threats, infrastructure failures, natural disasters, and etc.

It’s about your ability for recovery not about backup *I feel I’m’ getting brainwashed

More press notes self promoting

Advantages:
Continuous Protection for exchange
Recover Critical Data in seconds
Enhanced Data Security – Encryption – 128/256 AES encryption
New Platform Support (x64 bit) -
and more….. * did they really need to add this?????

Exchange Backup old way – daily (weekly full backup) daily second backup of the mailboxes – so it’s taking twice the time. With 11d eliminates the mailbox backups – still having the ability to recover individual emails or accounts. They do this through granular recovery technology. With the continuous data protection you can continuously protect and granularly recover the data. * Roll eyes

Granular recovery requires you to have a backup up to disc – full backup would go to tape or disc.

current method of backup – sample customer – 7 hour exchange database job – mailbox backup – 23 hours – total of 30 hours. With 11d it took a total of 3 hour for everything – moving the database to tape it took a total of 5 hours. 80% reduction of time with up to the minute restoration available.

Continuous protection is now available for exchange – previously it was available for file servers. You can setup the recovery points – you can set this up down to every 15 minutes – default is 8 hours. So you could recover your system up to the last time point (down to 15 minutes ago). You can do recovery to this.

This product seems to be missing the new standard Symantec Web Interface

Active Directory Agent:

Recovery individual users, attributes, computers without reboots. Much easier then the MS method – just run a full backup job – from there you can recover the individual objects from that.
Recovers Share point databases and documents with the GRT previously mentioned

MS SQL now has continuous protection also – the agent can backup locally instead of over the network for the best continuous backup in the fastest method. 11d secures the restore selection to make sure the recovery job runs successfully.

Central Admin Server Option (CASO)- Simple Three Tier Management:

You can protect your entire environment from one location – the central admin server allows you to manage your protected servers, computers, and media servers from one location. This includes defining and distributing backup jobs, monitoring and reporting on job activity. This option was first introduced in Backup Exec 10.0

Does not require persistent architecture for remote offices
Distributed catalog architecture
simple monitoring of remote managed media server jobs

Desktop and Laptop Option – Protecting Critical work stations

5 free license with BE 11d
Continuous Protection
DLO (desktop laptop option)is ideal for a mobile work force
synchronization of users work stations
end user file retrieval
easy to manage and deploy
Licenses are available in 10 packs

Backup exec system recovery options – Do you have a disaster recovery strategy?

Formally livestate recovery – the old system recovery method was manual and was long and tedious – repair – reinstall OS – reinstall drivers – reinstall apps – re configure settings – apply journal changes – test – go live. With new method select recovery point and it can recover the entire system – only taking minutes and is more reliable with the disk based backup. Disimilar hardware recovery in minutes – enhanced P2V/V2P virtual conversion capabilities – streamlined lower priced offering of Backup Exec System Recovery 7.0.

More press quotes

Dissimilar system recovery – allows you to recover to different hardware configuration with the same data – it can even restore to a virtual machine. Backup Exec for Windows Server System Recovery Option – lower cost then the full solution – it’s a stand alone unintegrated solution – which you could run backup exec 11d on mission critical servers that would allow you to recover in just a few minutes.

Extended platform support
X64 windows media server support
Vista Support
Centralized management
NDMP support
Oracle
Linux/UNIX
DB2
Mac OSX – PPC/Intel

Free 60 day trial from www.backupexec.com
* there are even forums there WOWWEE /sarcasm off

For Exchange 2007 and Vista you need the latest Backup Exec 11d patches.

Questions and Answers:

Symantec: Please type your questions for the speaker into this chat pod.

Guest: can we ask tech questions?

Symantec: Liza, you are welcome to ask any questions. We’ll do our best to answer them. If we can’t answer them, we’ll make sure to follow up with you off line.

Guest: my back up wld not restore even if I applied sp5

Guest: with the new version does it come with tech support?

Guest: VMWARE consolidated backup support on 11d

Guest: Does the Sharepoint Agent give posting item level recovery?

Symantec: BE11d includes support if u purchased it w/ support

Guest: Running BE 11d and had need for Exchange restore of databases. I had been running D2D2T and the restore could not be done with tape. We were able to restore from disk. Could you provide best practice set up D2D2T with Exchange agent?

Guest: compare cps with cdp for exchangebackup

guest: We have had some serious issues with Lotus Notes 7.0.2 mail client and the Backup Exec remote agent, has anyone else had issues with this? The agent prevents Lotus from opening.

Guest: will cps on exchange replace brcik level backup

Rod Sellers: cps itself is very nice

Guest: We always have files being skipped in the back log in ver. 9.1. How do we prevent that? Thanks

Guest: I’m running 11d remote agents to backup my NEtware servers. I use Pre/Post options – but the Post doesn’t run. Are there any known issues around this?

Symantec: Recommend reading Exchange Best Practices wp on www.backupexec.com/save

Guest: HI, we have 400/800G tapes for our backup. Weekly we have a full backup. It is about 399G. What is the best praktice to do a full backup and do not need to use a secound tape? (incremental Backup?)

Guest: Thanks

Guest: Backup Exec 11d has been release since 11/06. How come there have been no live updates for this program?

Guest: On the topic of encryption, can Backup Exec backup laptops protected with PGP Whole Disk Encryption?

Guest: Why do they not have updated native support for NetWare and GroupWise? Not everyone runs Exchange

Symantec: Apologies everyone, slight technical problems.

Guest: On the subject of Lotus Domino, we are also having problems using the Domino option. It skips too many files.

Guest: We are using tapes. we want to convert to disk and do a virtual bkup

Symantec: Backup Exec 11d launched in Nov06 and build 11d.7170 launched March07 with support for MS Exchange 2007, MS Vista, EMC Celerra devices etc

Guest: we need to talk to u abt the conversion

Guest: is this all about MS?

Guest: AD meaning backing up individual users’ files in pcs?

guest: We have also had issues with 11d and the backup jobs not completing/failing when not being able to connect to machines assigned in the backup job. The Symantec techs also said there is a limit to the amount of machines you can have in one job, what is the limit?

Guest: We are currently using 10D, and would like to upgrade to 11D, however we are still running Exchange 5.5, with a plan to upgrade Exchange to 2003 this year.. Its my understanding that 11D does NOT support less than Exchange 2000. Am I correct here?

Guest: We have been getting weekly updates by liveupdate including SP1. Automatic doesn’t seem to work though. Try from the tools menu.

Guest: How will the desktop & laptop options work with Windows Vista? Windows Vista already has a built in snapshot for machines?

Guest: Is the automatic feature being looked at as to why is doesn’t work? Is that a feature they may take out in the next verison?

Guest: Is System Recovery like System Restore in Windows?

Guest: When is the next verison coming out?

Guest: scott, I’m just another customer. I have other priorities at my site. I just assumed it was because we were using central admin console. I do all the servers manually.

Guest: is this the IDR?

Guest: We have just upgraded to 11d. I am getting the following error message on the sever Backup Exec is running on. Backup- THC1 V-79-57344-3844 – The media server was unable to connect to the Remote Agent on machine THC1. The media server will use the local agent to try to complete the operation.Remote Agent not detected on \\THC1. The folder it is trying to backup is the Utility Partition. The rest of the server backup up fine without asking for the remote agent.

Guest: is this included in 11d?

Symantec: To get current 11d updates go to: http://seer.entsupport.symantec.com/docs/289968.htm

Guest: Does Symantec have an Archiving solution that works w/ Backup Exec? We have about 1 TB of data that needs to be archived off in a near line device that can be accessed when necessary.

Symantec: Yes, BE11d for Exchage w/ CPS eliminates Brick Level Backup

Symantec: Ceballos – Enterprise Vault http://www.symantec.com/enterprise/products/overview.jsp?pcid=2244&pvid=322_1

Guest: Is the Advanced File Open option free with 11D?

Guest: migration from 9.1 to 11d is free?

Guest: I need help in migration after the 11d comes.

Guest: Is the Advanced Open File option free with 11d?

Symantec: Frandin – Yes BE11d only supports Exchange 2K, 2K3, 2k7

Guest: how to get the ppt presentation

Guest: ok ty!

Guest: give an over view os sss

Symantec: MClark – AOFO is a purchased addonn

Guest: Is it per server?

Guest: I understand that I need a VIP Update for 11.0. Where can I get this?

Guest: please review share storage option

Symantec: live update http://seer.entsupport.symantec.com/docs/289968.htm

Guest: Could you do an overview on the Backup to Disk to Tape technologies?

Guest: Do you have a whitepaper that compares your product to others? Specifically we are using Syncsort and I want to convert but will have to do justification and any help would be appreciated.

Symantec: Agents /Options: http://www.symantec.com/enterprise/products/agents_options.jsp?pcid=2244&pvid=57_1
Symantec: Nick, today’s webcast is being recorded. A link to this recording will be available shortly on http://www.carahsoft.com/events/index.php. It will also be sent to you in a follow-up email.

Guest: how can we tell if we are current on maintenance?

Guest: can you give us teh link to the upgrade

Symantec: www.backupexec.com/save

Guest: 9.1 version support has expired. I just ordered 11d does this mean I have to order support separately?

Symantec: You can order 11d with or without support

Guest: if we have IDR in 10d, does it get upgraded to live state?

Guest: vmware review

Guest: Does BackUp Exec cover laptops encrypted with PGP Whole Disk Encryption?

Guest: presentation ppt file

Symantec: http://www.carahsoft.com/events/index.php

Guest: system recovery has to be ordered separate?

As you can see some questions went unanswered

This seminar used Adobe Acrobat Connect – this is the first time I’ve run across this remote seminar solution. I’m not too impressed with the look and feel being a spectator – maybe it is more powerful on the moderator side. Though it did have that new web 2.0 technology where you enter in your phone number and it calls you – so it has that going for it.

The seminar is scheduled to be 1 hour and 15 minutes – unless it’s a really short seminar and its only 1 minute 15 seconds – in that case I guess this is a hug waste of time.

Waiting for the moderator – we just got a message that the seminar will start in 3 minutes – 2 minutes late btw.

The presenter according to the slide is Kevin Haley, Director of Technical Product Management in the Endpoint Security Group.

Since my understanding is that replaces Symantec Anti-virus there is a drastic change as they consolidate all the products they have purchased in the past trying to get them to work cohesively.

The seminar just started only 4 minutes late.

Kevin is responsible for Symantec End Point protection.

Agenda:
Goals of the seminar
Overview of the product
Migration and Migration issues
Additional tools

Goals:

They’ve muted the participants for our own anonymity *roll eyes* – I know from experience that this is solely to not get stopped by possible trigger points that listeners may have.

We have options of typing in questions and getting them answered in real time.

Product Overview:

Symantec Endpoint Protection 11.0 and Symantec Multi-tier protections 11.0

Multi tier is the new version of SAV Enterprise Edition 8, 9, 10 – customer with upgrade protection and support with Symantec will get a free upgrade. This also includes SAV for Mac OSX.

Endpoint protection 11.0 – is the upgrade for SAV CE, SCS, Symantec Sygate Enterprise Protection, and Whole Confidence online for corporate PC’s get this in their upgrade contract

They now took a poll if we entered the beta test for Symantec Endpoint Protection – 9% did public – 20% did external and 69% did not (this was a seminar poll for the participants.

They are talking about the reasons for integrating everything

Parts

Antispyware – Leads in root kit detection and removal *unless they are keeping quiet for Sony
Antivirus

Firewall technology – taken from Symantec Client Security and Sygate

Intrusion Prevention – Behavior Based Threat protection – SONAR whole security – network traffic protection

Device Control/ Application Control

Network Access Control – add on client

New client is all bubbly and vista like – take that how you want. New help and support button allows some basic troubleshooting info in one spot. Access to windows accounts info, disk space, log files, and version information. You can also import or export policies from the client. Any client installed by default from the CD are initially self managed – if you want them to be managed by default you need to create an installation package on your management server.

You can change all policies not just the firewall based on location.

The file that tells if the client is managed or unmanaged is located in the file sylink.xml – contains also server list, certificate info, heartbeat, and communications. There is a tool to auto edit the file included on the cd for easy managed to unmanaged deployment. You could also edit this manually and the file is said to be documented.

Intrusion prevention capability – network based intrusion prevention tied into the tcp stack – generic exploit blocking from SCS and Sygate IDS which supports custom signatures – signature format is similar to Snort. Behavior blocking – proactive threat scan from whole security – innovative behavior based analysis – uniquely accurate low .004% false positive rate (testing for 2 years) via the web site and the consumer product (your enterprise beta testers) – enables broad deployment on endpoints. 20 million installations during the test – so 40 false positives for every 1 million PC’s – can also do white listing so false positives only show up once.

Stupid picture of a cookie jar with a digital camera and video camera – cookies disappear in the night and you want to catch who is doing this used camera for random images or camcorder you can review the film later but the camcorder solution is more expensive – so proactive threat scanning takes a picture of all the processes every 15 minutes and analyzes it. *is this seriously the best analogy?????????

Application Control – you can disable certain application

Device protection – block devices by type – trying to stop items like USB, infrared, Bluetooth, serial , parallel , firewire, scsi, PCMCIA – can block read/write execute on burnable media drives – can block all USB except keyboard and mouse – *I would just use a browser

Features overview
email report distribution on a schedule
centralized event logging
customizable reports
real time event viewing
notifications view
event export to SSIM or 3rd part
Embedded and MS SQL support
Client install package builder
patch and update
remote installation
import and sync with Ad
authenticate with AD
customized agent package installation
Migration from SAV, SCS, SSEP,& SNAC
Centralized Web Based console
Simplified interface for SMB and enterprise
Role Based Access
Administrative domains
Assign rights by user or group
User defined multi tier groups
RSA SecurID
Integrated management of all agent components
single console for management of AV, FW, NAC and other policies
Group based polices
- I missed the last two.

Migration

Standard migration steps so far – document, design, install architecture, migrate existing groups and policies, configure reporting, configure server/site (policies, groups, Admins, notifications etc. , create and test client packages,

Java based Management – talk to it on HTTPS (admin and client) clients can be configured for HTTP if you want unencrypted traffic- SQL database for storage.

Database contains
Group structure
policies
patches
logs
content

only replicates
Group Policies/Logs/Content

SQL can be separate from the management sever – many management servers can use a single database. Numbers are to be determined but there is basic info in the documentation – hard numbers will not be available in FCS (First Customer Shipment)

Distributed environment – multiple management servers and databases – Management servers always replicate policies and group information between them – so they will all know about ALL the clients and policies – any client can check into any server – but you can restrict that by server or server group – you can also setup a order it checks in. Logging replication is optional and they call it filtering – if you have a current architecture where all information rolls up to a master server you can still do that – or you can replicate all logs to all servers.

Supports migration from SAV, SCS, and SSEP – clients upgrade to SAV 11.0 will automatically connect to new SESM

Look and feel for reporting data is the same

First use wizard simplifies initial setup

SEPM can run on the save server as a SAV management server since they are designed to coexist since they use different executables.

Migration 1 – on same server as your SAV server
Install SEPM
Move Group and Policy info from SSE
Install SAV 11
Decommission original Parent server

Migration 2 – different server
Policies can migrate with first use wizard – other steps very similar

Reporting migration

Sav 10.1 – you can redirect clients to the new SEP 11 database for reporting.

Client installation – support to install over SAV 9-10.1, SCS 3-3.1, SEP 5.1, SPA 5.1 (don’t have to uninstall these products)

Already rolled out internally at Symantec with 5000 users

First use wizard – which will enable you to migrate your groups, policies, users to your new management server – they will not install the client automatically on a management server-so this will have to be done manually. They warn about installing the client firewall on the servers install – LOL – I can see why but I wonder how many administrators actually did that.

Content distribution

SEPM gets client updates and content from Symantec live update – clients can be patched from management server using only a small difference file that can be pushed down.

Still can get content from central internal live update server or rapid release definitions

Clients send events, operation state, and command status to the SEPM server – commands are sent to client from server, profiles, content, updates sent to client – content and updates only the different micro definitions they don’t’ have are sent instead of all the definitions each time.

Clients with a group update provider – will go to the group update provider for content (av defs, etc.)

The group update providers caches information from the SEPM server – designed for low bandwidth architectures.

Unmanaged clients can still go to live update on their own

Additional tools

http://edm.symantec.com/endpointsecurity/

http://www.symantec.com/endpointsecurity/migrate – migration information
Consulting Services and support

Goodbyes and that’s the end

Questions and Answer from the text box:+

Question: Sorry missed what said… Did you mention Macintosh would be included?
Answer: Yes, MAC will be included

Question: Will the Multi-Tier console server handle Macintosh clients?
Answer: MAC will not be managed by the SEPM console this release

Question: Will it be Vista compliant?
Answer: Yes

Question: Will the Symantec Multi-tier Protection for MAC be able to utilize the Parent Servers for Windows?
Answer: No. MAC has its own console as it stands today.

Question: Asking about the console. Will there still be a seperate console server for Macs?
Answer: Yes

Question: So there won’t be a Mac solution if we’re a SEPM customer?
Answer: MAC is included in the Multi-Tier Protection but it is managed by a seperate console and server structure

Question: What is the upgrade from SAVCE
Answer: Symantec Endpoint Protection 11.0

Question: is the full endpoint suite required, or can you still purchase products separately?
Answer: You get everything as long as you are current on maintenance.

Question: Assuming no more console?
Answer: MAC will be managed by its own console. SEPM will manage all windows clients

Question: Can you turn off various components?
Answer: Yes, you can enable and disable the features as needed.

Question: Will it have built in reporting capabilities or do we need to continue with SAV reporter?
Answer: SEPM has reporting built in.

Question: Will the SEP v11 console be able to managed legacy clients (SAV10, etc)
Answer: No. It will not manage legacy SAV clients

Question: Will this all still be in a single agent?
Answer: Yes, Single Client with all the mentioned technologies

Question: Will these products be Vista logo’d or just Vista compliant? Also will you be providing both 32bit and 64bit clients?
Answer: Yes, we will be providing both 32 and 64 bit versions of the client. Vista compliant.

Question: What? We will need to run multiple consoles? Will they all feed into SSIM?
Answer: SEPM will manage the windows clients only with this release. Yes, we will have a collector for SSIM

Question: Will we go over migrating an existing Reporting Server to the built-in reporting in SEPM?
Answer: There is a white paper that will be available as well as a migration wizard

Question: would this be red if I disabled it from management side?
Answer: Yes

Question: does the user need admin rights to execute a FIX
Answer: The fix can be run as system by the client

Question: Are there different levels of users provided in the SEPM?
Answer: Yes, administrators can have different functions and rights as configured. There is limited administration.

Question: Will the 64-bit client differ by processor type, or will the 64-bit client be universal?
Answer: Universal

Question: Current installation from CD presents you an option to choose the management server if you want to install managed. Why has that been removed?
Answer: You can create packages that are “unmanaged” still it is just a different process.

Question: can it be locked so a cleint can’t remove from a server?
Answer: Yes

Question: In previous versions, we could specify management server. This is not possible

now?
Answer: Yes. It still is possible to specify the server that will manage the client.

Question: Will the client upgrade handle all current individual components that may be installed on the desktop (SSEP, SAV10, etc.)?
Answer: Yes, absolutely

Question: Does the new policy import/export replace the usage of GRC.dat and the need to at times manually implement it.
Answer: Yes. Sylink.xml is the new file used.

Question: Will the SPEM have the ability to set security access for other users/groups to manage their servers or sites?
Answer: Yes

Question: So the sylink.xml replaces the grc.dat except it doesnt disappear once processed by the client?
Answer: Yes, exactly

Question: When will this release be available?
Answer: End of the month

Question: can you import SNORT signaturs?
Answer: No, we support REGEX and have a language similiar to snort

Question: Is there a maximum network latency value between a policy sevrer andf end client that we should consider when determine the count and location of policy servers on our global network?
Answer: We will have a scalability document for distro

Question: Does the current license also include the signature subscription for IDS?
Answer: Yes

Question: Has the port range for communication between SErvers and Clients decreased? Or will it still range from 1024-4999?
Answer: It will be SSL

Question: Will this presentation be available for download so we can share with upper management?
Answer: Via email

Question: Does the client upgrade require a reboot from version 10.x
Answer: to start the firewall but not for AV protection

Question: We currently install the SAVCE client on Windows Server OS managed by a Parent server. Which product is recommended for Windows Server OS or which components are recommeded to be disabled on Server OS?
Answer: SEP can be run on servers and clients. All technologies are portable

Question: is the management console still MMC based?
Answer: No

Question: Is there a reporting server for this similar to the SAV 10 reporting server?
Answer: No, it is integrated now.

Question: When will training be available for SEP 11?
Answer: At release

Question: will we be able to customize the white list
Answer: Yes

Question: Does Behavior blocking handle rogue keyloggers?
Answer: Yes

Question: Will the new console be able to communicate with “legacy’ SSEP agents (or, can we upgrade the SSEP-PM without requiring the SSEP agents to upgrade at the same time)?
Answer: It will support legacy SSEP clients but not SAV.

Question: so just 443 and 80
Answer: Exactly!

Question: Can specific applications be “black listed”?
Answer: Yes

Question: what are the functionality differences between Sym Endpoint Protection and Sym Multi-tier Protection?
Answer: Same technologies SMP includes email protection and MAC/linux

Question: will the clients listen on a port for server initiated communication, or is the communication only initiated by the client?
Answer: no client listen port. Client initiates all communication to the server

Question: Will SEP require SQL?
Answer: You can use SQL but the embedded (included) DB is Sybase

Question: Will mobile devices be supported? If so, what devices?
Answer: Seperate product

Question: Will the Q&A be made available after the call?
Answer: Yes

Question: any chance of getting a copy all the slides to review after the meeting?
Answer: Yes

Question: Is there an estimate available of the resource impact on a host machines due to the proactive threat scanning?
Answer: We will have this documented and available in a whitepaper
Question: Will SMS5 – Symantec Mobile Security Suite 5 integrate into SEP?
Answer: No.

Question: Do the antivirus capabilities within SEP 11 use less resources on a typical client and server? We have many problems with SAV 10 chewing up too much memory and CPU utilization, especially on virtual servers.
Answer: Yes, lower memory footprint

Question: Is there an override for the USB blocking?
Answer: Yes

Question: Can devices be blocked based on Manufacturer / Model?
Answer: No- windows class ID, not vendor class ID…..coming in the future though

Question: can usb thumb drives be blocked but other usb devices, ie scanner, printer be allowed?
Answer: Absolutely!

Question: is patch/maintenance release management going to be simplified over previous versions? (i.e. all inclusive rollups not requiring previous upgrades to a base version)?
Answer: Definitely

Question: so SMP includes the sygate firewall technology?
Answer: Yes!

Question: A new version of packager come with this – I am aware its unsupported but if new version does come with it will it be supported? If not any idea when?
Answer: Packager is gone. The packaging mechanism is the Sygate technology

Question: Will the schema be available for the database, so we can query it?
Answer: Definitely!!!

Question: Will SMSDOM (Mail Security for Domino) Still be supported as well as Premium Anti-Spam? How about for Exchange?
Answer: Yes

Question: Are the INTEL portions from previous NAV/SAV versions been eliminated altogether?
Answer: Yep

Question: Are the policies for the client available to be pushed via Group Policy in AD?
Answer: Yes

Question: can you restrict file types allowed to write to USB drives? i.e. allow MP3, but not DOC or XLS?
Answer: Yes.
Question: Can the Class ID blocking be managed by OUs, say the Director level can use usb drives, regular sales cannot?
Answer: Yes, using grouping

Question: Can individual components – say, the firewall portion – be disabled selectively? For example, we may want AV on a server but not necessarily firewall (even more specifically, for performance savings?).
Answer: YES!

Question: What version of java?
Answer: Local version

Question: how much space is required for the sql ie per machine?
Answer: DB size will vary by client count

Question: Does this version get away from storing client information in the registry?
Answer: Yep

Question: Can the management server be installed on VM?
Answer: Yep!

Question: Did he say the client port is 80?
Answer: Or 443 depending on selection by administrator

Question: is a certificate server required?
Answer: no

Question: In the current version of SAV10 Reporting, there is a vulnerability of the PHP component. Will SEPv11 provide better response to layered components that have known vulnerabilities?
Answer: Absolutely!

Question: the client/server traffic is based on port 80/443 correct? How is that going to affect clients running websites using port 80/443?
Answer: There should not be a conflict but the ports are configurable

Question: from the remediation aspect, will SAFE mode be required for a 100% detection and cleaning?
Answer: Depends on the threat. SEP 11 will clean better than SAV 10 though

Question: For replication what type of nbandwidth does it use over a WAN?
Answer: All documented in the scalability doc

Question: Since the client information is no longer in the registry how can we check AV status through scripts? Is there a WMI interface?
Answer: Some status can still be checked via the registry
Question: Since this is running on 80 or 443 is it using some type of web server underneath for communication (e.g. Tomcat/Apache/etc.)?
Answer: on the manager yes. There is a tomcat server and IIS

Question: We have encountered issues with the volume of network traffic generated by corrupted defs. How does the 11.x version address this issue?
Answer: corrupt defs should be a thing of the past.

Question: are there any JRE versions that are not supported or are recommended for the management console? Will the client itself require JRE to be installed for SEP to work?
Answer: CLient does not require JRE. The version installed is a local version specific to SEPM.

Question: will registry still use intel\landesk\virusprotect6 structure?
Answer: Nope. All intel technologies for management are gone and the registry has been changed as far as structure

Question: How can we obtain the scalability document?
Answer: It will be posted at release

Question: has sepm been certified for vm
Answer: We support VM environments. Not sure if it is certified by VM

Question: Why is this not backwards capable with SAV 10 or 9? Upgrading an entire enterprise can take a while.
Answer: Completely different management architecture.

Question: is there a method for users to alter administrative scan schedule (but not any other option)?
Answer: Yes

Question: what about Sygate 4.1?
Answer: no

Question: Will you be able to save all the old data from the SAV 10.1?
Answer: yes, migration wizard will cover this

Question: no over intall for 7.x is that correct
Answer: right

Question: OVerinstall of 10.2 for Vista supported?
Answer: yes

Question: he said that scalability doc will be available about a month after SEP 11.0 release
Answer: probably sooner
Question: when you overinstall does this require a reboot on the endpoint
Answer: Yes, but not for AV, just for the FW

Question: Will the overinstall work even if the previous client is password protected? Or will it still require a registry hack to remove?
Answer: It will work

Question: can SAV10 client groups be migrated, or is there granularity to support that type of group?
Answer: Migration wizard will allow this

Question: Does SEP support NT4.0 clients?
Answer: no
Question: does it work on vm . Currently version 10 I have on vm
Answer: Yes

Question: Is the upgrade to SAV 11 more reliable than the upgrade to SAV 10? We were forced to use NONAV to pre-clean the SAV 8 and SAV 9 systems before going to SAV 10
Answer: Yes.

Question: What is the SEPM blog URL?
Answer: https://forums.symantec.com/syment?category.id=endpoint

Question: Is the installer follow standard MSI best practices?
Answer: Yes

Question: will management server install require reboot (windows server 2003)?
Answer: no

Question: This includes central management and reporting for the FW?
Answer: Yes

Question: Any problems creating an SMS package for installing to clients?
Answer: no

Question: to install over 4.1 do you need to uninstall 4.1, reboot and install SEP or can you uninstall 4.1, install SEP and reboot?
Answer: Yes

Question: Can our TAM answer questions regarding SEP 11 yet? Or do we have to wait until the release?
Answer: Yes

Question: We run Symantec Mail Security for Exchange. If we run SEPv11 on the same box, are the defs compatible? Can they co-exist?
Answer: They can co-exist

Question: you mentioned earlier that the client initiates all contact with the server. What about Virus sweeps, updates that you want to push, do you have to wait til the next time the client checks in
Answer: No

Question: does the patch require a reboot? We have lots a 24×7 servers.
Answer: no

Question: Will the dif patch require reboots on the clients?
Answer: no

Question: No problem to run in a mixed environment, e.g. legacy clients reporting to previous management console, newer clients reporting to newer management console?
Answer: no problem with a parallel environment

Question: We are going to have a lot of language requirements (Thai, German, French, Russian, Swedish, Japannesse, Chinesse). Is there a link on your web page to the supported language versions?
Answer: It will be posted but is not right now. Should be at release time. We are localizing alot of languages

Question: For definition distribution, what is the approx size of the diff-defs? If a client has been off the network for a week or longer, what is the approx size of the diff-def?
Answer: will vary

Question: Thanks for the GUP!!
Answer: :)

Question: If a client goes to a GUP and then that client goes to another group will it still look for the GUP group A
Answer: no

Question: With ver9 and > Symantec expanded the feature set to combat spyware and malware, many customers complained of CE being bloated, memory-intensive, and causing issues with many line-of-business applications. With all these added features in this new product release can you point to any documentation related to this version benchmarks and/or performance specs compared to previous releases?
Answer: Its all documented. Check the portal

Question: will rapid release definitions be available for the Liveupdate server?
Answer: yes with LUA 2.5

Question: Not sure if this was asked. But when a client connects to a 11.0 server does it use a certificate like in the past for communications?
Answer: no

Question: Can the gups be configured as Primary, secondary, and can the clients recognize that
Answer: no

Question: when will this be available for download from the platinum site?
Answer: end of the month

Question: Thank You
Answer: You are welcome

I wrote this document for a customer back in 2005 when I was a Symantec Consultant – posting it from 2008 in the right time period.

Solutions Guide for Load Balanced NAT Issues

These are solutions to possible load balancing issue you may encounter with the Symantec Firewall load balancing methods. The assumption is problems you would encounter going from an internal network to an Internet host or network. These problems also rarely occur and are usually an issue depending on the security of the remote host.

Scenario: Multiple TCP connections on the same port leaving with different outside NAT addresses causes the remote server to reject the connection.

Example: HTTPS connections that do not use a client side cookie.

Solutions:

1. We can use stateful failover for the TCP traffic and all traffic would leave as the VIP address. The downside is some increased load on all the firewalls in the cluster.
2. Have a one to one NAT configured, this would correct that issue as the client would always be seen as the NAT address you configured. The downside is that you need a public IP address for every machine you would do this for.
3. We can use original client address. The downside of this would require you to have publicly routable addresses going to the outside of the firewall. It would also allow the outside world to see your internal networking schema.
4. Pass the traffic through a filter. The downside is that this passes below the proxy level and tight controls would need to be in place to maintain security. Also you would need publicly routable IP addresses or NAT the traffic on the upstream router. If you use public addresses internal and do not on the router it would allow the outside world to see your internal networking schema.
5. Use traffic grouping, this ensures all traffic to the configured host goes through only one firewall at a time. The downside is administration level is higher due to the need of configuring remote hosts manually.
6. Hardware Load balancer. The downside is that this is out of Symantec’s control and immediate scope. It would require reliance on a third party product.
7. Manually route traffic through only one firewall. This would have the traffic corrected by having traverse one firewall only. The downside is administration level required to perform this. Another issue is if the firewall that is passing the traffic goes down the connection would not work or network administrators would have to configure a route change on the router directing this traffic.

Scenario: A connection that requires multiple TCP destination ports.

Example: Passive mode FTP (which the FTP daemon can handle this without modification; lack of a more common protocol as an example is not immediately available.)

Solutions:

1. We can use stateful failover for the TCP traffic and all traffic would leave as the VIP address. The downside is some increased load on all the firewalls in the cluster.
2. Have a one to one NAT configured, this would correct that issue as the client would always be seen as the NAT address you configured. The downside is that you need a public IP address for every machine you would do this for.
3. We can use original client address. The downside of this would require you to have publicly routable addresses going to the outside of the firewall. It would also allow the outside world to see your internal networking schema.
4. Pass the traffic through a filter. The downside is that this passes below the proxy level and tight controls would need to be in place to maintain security. Also you would need publicly routable IP addresses or NAT the traffic on the upstream router. If you use public addresses internal and do not on the router it would allow the outside world to see your internal networking schema.
5. Use traffic grouping, this ensures all traffic to the configured host goes through only one firewall at a time. The downside is administration level is higher due to the need of configuring remote hosts manually.
6. Hardware Load balancer. The downside is that this is out of Symantec’s control and immediate scope. It would require reliance on a third party product.
7. Manually route traffic through only one firewall. This would have the traffic corrected by having traverse one firewall only. The downside is administration level required to perform this. Another issue is if the firewall that is passing the traffic goes down the connection would not work or network administrators would have to configure a route change on the router directing this traffic.

Scenario: A mixture of UDP and TCP traffic.

Example: This is usually seen in custom applications such as streaming media where the connection starts on TCP and migrates over to UDP for media delivery.

Solutions:

1. Have a one to one NAT configured, this would correct that issue as the client would always be seen as the NAT address you configured. The downside is that you need a public IP address for every machine you would do this for.
2. We can use original client address. The downside of this would require you to have publicly routable addresses going to the outside of the firewall. It would also allow the outside world to see your internal networking schema.
3. Pass the traffic through a filter. The downside is that this passes below the proxy level and tight controls would need to be in place to maintain security. Also you would need publicly routable IP addresses or NAT the traffic on the upstream router. If you use public addresses internal and do not on the router it would allow the outside world to see your internal networking schema.
4. Use traffic grouping, this ensures all traffic to the configured host goes through only one firewall at a time. The downside is administration level is higher due to the need of configuring remote hosts manually.
5. Hardware Load balancer. The downside is that this is out of Symantec’s control and immediate scope. It would require reliance on a third party product.
6. Manually route traffic through only one firewall. This would have the traffic corrected by having traverse one firewall only. The downside is administration level required to perform this. Another issue is if the firewall that is passing the traffic goes down the connection would not work or network administrators would have to configure a route change on the router directing this traffic.

Scenario: TCP and IP traffic mixture.

Example: Microsoft’s PPTP VPN. This product uses port 1723 TCP and IP type 47 to pass traffic.

Solutions:

1. Have a one to one NAT configured, this would correct that issue as the client would always be seen as the NAT address you configured. The downside is that you need a public IP address for every machine you would do this for.
2. We can use original client address. The downside of this would require you to have publicly routable addresses going to the outside of the firewall. It would also allow the outside world to see your internal networking schema.
3. Pass the traffic through a filter. The downside is that this passes below the proxy level and tight controls would need to be in place to maintain security. Also you would need publicly routable IP addresses or NAT the traffic on the upstream router. If you use public addresses internal and do not on the router it would allow the outside world to see your internal networking schema.
4. Use traffic grouping, this ensures all traffic to the configured host goes through only one firewall at a time. The downside is administration level is higher due to the need of configuring remote hosts manually.
5. Hardware Load balancer. The downside is that this is out of Symantec’s control and immediate scope. It would require reliance on a third party product.
6. Manually route traffic through only one firewall. This would have the traffic corrected by having traverse one firewall only. The downside is administration level required to perform this. Another issue is if the firewall that is passing the traffic goes down the connection would not work or network administrators would have to configure a route change on the router directing this traffic.

Scenario: UDP connections using multiple ports

Example: No known examples available for reference.

Solutions:

1. Have a one to one NAT configured, this would correct that issue as the client would always be seen as the NAT address you configured. The downside is that you need a public IP address for every machine you would do this for.
2. We can use original client address. The downside of this would require you to have publicly routable addresses going to the outside of the firewall. It would also allow the outside world to see your internal networking schema.
3. Pass the traffic through a filter. The downside is that this passes below the proxy level and tight controls would need to be in place to maintain security. Also you would need publicly routable IP addresses or NAT the traffic on the upstream router. If you use public addresses internal and do not on the router it would allow the outside world to see your internal networking schema.
4. Use traffic grouping, this ensures all traffic to the configured host goes through only one firewall at a time. The downside is administration level is higher due to the need of configuring remote hosts manually.
5. Hardware Load balancer. The downside is that this is out of Symantec’s control and immediate scope. It would require reliance on a third party product.
6. Manually route traffic through only one firewall. This would have the traffic corrected by having traverse one firewall only. The downside is administration level required to perform this. Another issue is if the firewall that is passing the traffic goes down the connection would not work or network administrators would have to configure a route change on the router directing this traffic.

Scenario: UDP and IP traffic mixture.

Example: This traffic would mostly be associated with IPSEC VPN traffic.

Solutions:

1. Have a one to one NAT configured, this would correct that issue as the client would always be seen as the NAT address you configured. The downside is that you need a public IP address for every machine you would do this for.
2. We can use original client address. The downside of this would require you to have publicly routable addresses going to the outside of the firewall. It would also allow the outside world to see your internal networking schema.
3. Pass the traffic through a filter. The downside is that this passes below the proxy level and tight controls would need to be in place to maintain security. Also you would need publicly routable IP addresses or NAT the traffic on the upstream router. If you use public addresses internal and do not on the router it would allow the outside world to see your internal networking schema.
4. Use traffic grouping, this ensures all traffic to the configured host goes through only one firewall at a time. The downside is administration level is higher due to the need of configuring remote hosts manually.
5. Hardware Load balancer. The downside is that this is out of Symantec’s control and immediate scope. It would require reliance on a third party product.
6. Manually route traffic through only one firewall. This would have the traffic corrected by having traverse one firewall only. The downside is administration level required to perform this. Another issue is if the firewall that is passing the traffic goes down the connection would not work or network administrators would have to configure a route change on the router directing this traffic.

Scenario: Multiple IP types only connections.

Example: No known examples available for reference.

Solutions:

1. Have a one to one NAT configured, this would correct that issue as the client would always be seen as the NAT address you configured. The downside is that you need a public IP address for every machine you would do this for.
2. We can use original client address. The downside of this would require you to have publicly routable addresses going to the outside of the firewall. It would also allow the outside world to see your internal networking schema.
3. Pass the traffic through a filter. The downside is that this passes below the proxy level and tight controls would need to be in place to maintain security. Also you would need publicly routable IP addresses or NAT the traffic on the upstream router. If you use public addresses internal and do not on the router it would allow the outside world to see your internal networking schema.
4. Use traffic grouping, this ensures all traffic to the configured host goes through only one firewall at a time. The downside is administration level is higher due to the need of configuring remote hosts manually.
5. Hardware Load balancer. The downside is that this is out of Symantec’s control and immediate scope. It would require reliance on a third party product.
6. Manually route traffic through only one firewall. This would have the traffic corrected by having traverse one firewall only. The downside is administration level required to perform this. Another issue is if the firewall that is passing the traffic goes down the connection would not work or network administrators would have to configure a route change on the router directing this traffic.

Scenario: A connection using TCP, UDP, and IP types all in conjunction.

Example: Older VPN connections that did not adhere to the IPSEC standard.

Solutions:

1. Have a one to one NAT configured, this would correct that issue as the client would always be seen as the NAT address you configured. The downside is that you need a public IP address for every machine you would do this for.
2. We can use original client address. The downside of this would require you to have publicly routable addresses going to the outside of the firewall. It would also allow the outside world to see your internal networking schema.
3. Pass the traffic through a filter. The downside is that this passes below the proxy level and tight controls would need to be in place to maintain security. Also you would need publicly routable IP addresses or NAT the traffic on the upstream router. If you use public addresses internal and do not on the router it would allow the outside world to see your internal networking schema.
4. Use traffic grouping, this ensures all traffic to the configured host goes through only one firewall at a time. The downside is administration level is higher due to the need of configuring remote hosts manually.
5. Hardware Load balancer. The downside is that this is out of Symantec’s control and immediate scope. It would require reliance on a third party product.
6. Manually route traffic through only one firewall. This would have the traffic corrected by having traverse one firewall only. The downside is administration level required to perform this. Another issue is if the firewall that is passing the traffic goes down the connection would not work or network administrators would have to configure a route change on the router directing this traffic.