Admin Tips

Security Tip: Block Internet Explorer invocation of Java with Group Policy

Given the non-stop barrage of security vulnerabilities being found and exploited in Java, every Systems Administrator should disable Java for Internet Explorer or have a really good reason not to. (Don’t worry, we can still cater for you if you have specific sites that require Java!)

Unfortunately it is notoriously hard to do. Microsoft had a go but US CERT found Microsoft’s method didn’t block it completely. US CERT’s KB article provides a registry file which blocks the invocation of Java Web Start for non-trusted sites.

I’ve converted the registry file into XML files ready for importing into Group Policy registry preferences. You’ll need two: one in a user policy and one in a computer policy.
For your convenience you can download them below.

Please test before using at your own risk!

Then just add any business sites that require Java to your Trusted Sites list. If you want to do it through Group Policy, check out Alan Burchill’s article on IE Site Zone mapping, but in my experience only a couple of people have needed sites with Java and I add them on a per-user basis.

This is a low effort, maximum gain security tip for your organisation (just make sure you test that it actually is disabling it as it should!)
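As an added check of my own (not code from the post or from the US-CERT download): before importing a registry preferences XML file, list what it actually sets. This reads the Group Policy Preferences Registry.xml layout and buckets each entry as an Internet Explorer ActiveX kill bit (Compatibility Flags with bit 0x400 set under a CLSID), a zone where the Java permissions URL action (1C00) is 0, i.e. Java disabled, or "other" for manual review; the sample file and its all-zero CLSID are constructed placeholders, and whether the CERT file uses either of these mechanisms is an assumption here, not something the post states.

```python
import xml.etree.ElementTree as ET

# Well-known IE registry locations (lower-cased for case-insensitive compares).
KILLBIT_PREFIX = r"software\microsoft\internet explorer\activex compatibility" + "\\"
ZONE_PREFIX = r"software\microsoft\windows\currentversion\internet settings\zones" + "\\"

# Constructed sample in GPP Registry.xml form; the CLSID is a placeholder and
# the entries do not reproduce the CERT registry file.
SAMPLE_XML = r"""<RegistrySettings>
  <Registry name="Compatibility Flags" status="Compatibility Flags" image="7">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE" name="Compatibility Flags" type="REG_DWORD" value="00000400"
      key="SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000000}"/>
  </Registry>
  <Registry name="1C00" status="1C00" image="7">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE" name="1C00" type="REG_DWORD" value="00000000"
      key="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"/>
  </Registry>
  <Registry name="1C00" status="1C00" image="7">
    <Properties action="U" hive="HKEY_CURRENT_USER" name="1C00" type="REG_DWORD" value="00030000"
      key="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"/>
  </Registry>
</RegistrySettings>"""


def entries(xml_text):
    """Return (hive, key, name, type, value) for every Registry item in the file."""
    root = ET.fromstring(xml_text)
    return [(p.get("hive"), p.get("key"), p.get("name"), p.get("type"), p.get("value"))
            for p in root.iter("Properties")]


def summarise(xml_text):
    """Bucket each entry: a kill bit (Compatibility Flags with 0x400 set under
    ActiveX Compatibility\\<CLSID>), a zone with Java disabled (URL action
    1C00 == 0), or 'other' so nothing gets imported unreviewed."""
    out = {"killbits": [], "java_disabled_zones": [], "other": []}
    for hive, key, name, vtype, value in entries(xml_text):
        k = key.lower()
        dword = int(value, 16) if vtype == "REG_DWORD" else None
        if (k.startswith(KILLBIT_PREFIX) and name == "Compatibility Flags"
                and dword is not None and dword & 0x400):
            out["killbits"].append(key[len(KILLBIT_PREFIX):])
        elif k.startswith(ZONE_PREFIX) and name.upper() == "1C00" and dword == 0:
            out["java_disabled_zones"].append(key[len(ZONE_PREFIX):])
        else:
            out["other"].append((hive, key, name, vtype, value))
    return out
```

In the sample, the Restricted Sites (zone 4) entry leaves Java at low safety (0x30000), so it lands in "other" and would be caught before import.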


Avaya SIP Trunking with 2talk New Zealand

SIP Trunking is a great option to lower the cost of your phone calls. We installed a new Avaya IP Office 500 phone system at the beginning of last year, so of course I was keen to get VoIP setup quickly through 2talk to cut the cost of calls going over our ISDN lines.

The Avaya system doesn’t seem to be particularly common in New Zealand so I couldn’t find much in the way of resources about setting up a SIP trunk on the IP 500.

A year on and we have used SIP Trunking with 2talk for the majority of our outgoing calls. Here is a configuration guide with the settings I’m using. If you know a better way of doing it, please let me know!

2talk & Firewall Configuration

Make sure your 2talk account is setup for SIP trunking, with your firewall configured to forward SIP traffic through to the phone system.
We are using the 2talk Plus SIP Trunking service, which uses a single fixed IP. That works great in that we can lock down the firewall to that one IP, helping prevent SIP fraud and spam.

Our firewall forwards the following traffic through to the phone system:

Source        Internal IP    Ports                 Description
              192.168.1.X    TCP 5060, UDP 5060    VoIP SIP
              192.168.1.X    UDP 49152 – 53246     VoIP RTP

IP Office Line Configuration

1. Fire up the IP Office Manager and add a new SIP Line to the line groups. Here are the settings I used:
(Note, leave the ITSP domain name as if you aren’t using 2talk Plus)

2. Transport Tab

3. Under SIP URI, add at least a URI for your pilot number.
Click add, set the Local URI & Contact to your pilot 2talk number, such as, 03281XXXX.
Display name can be set to whatever you like, I have it set to Use Internal Data.

A sidenote on Line Groups

We have a bunch of ISDN & SIP channels. All of our lines are set to incoming group 0. ISDN lines are set to outgoing group 0, my pilot SIP URI is set to outgoing group 1, and the rest of the SIP URIs are set to outgoing group 9.
This lets us route calls nicely – we want all incoming calls to be dealt with the same way using Incoming Call Routing, so they all use the same group. Outgoing calls I want to send over VoIP by default, so our primary ARS puts outgoing calls over line group 1. Emergency calls, 0800 numbers etc. go over line group 0, ISDN.

Either add URIs in the same way for your other 2talk phone numbers, or if you are running IP Office 5.0 or higher you can set up a wildcard URI as pictured above to accept calls for any number.

5. Under the VoIP tab I have the call initiation timeout set to 2.


IP Office ARS Configuration

We have IP Office configured so we don’t have to dial any number to get an outside line – just dial the phone number straight away. This is possible because we use extension numbers starting with 7, and there are no local numbers in Christchurch beginning in 7. We also have the ISDN lines setup as a failover if VoIP is down.

To simplify things I would suggest one of the following: either get the users to dial a different prefix to make a call if it isn’t working normally, or set up an automatic failover to PSTN using two ARS routes as shown below.

User initiated manual failover

If you dial 9 to get out, set that shortcode to go over VoIP. Then, setup another short code ‘8N’ (or similar), which forces calls over a normal phone line, so if VoIP is down people can just dial 8 to get out instead of 9. This won’t be an option for some people though, so I’ll share our configuration below.

Automatic PSTN Failover

  1. Create two ARS routes called Main and PSTN
    1. For the main ARS (VoIP), see my earlier post, IP Office New Zealand Dial Plan
    2. For PSTN, set it up like this, with line group 0 being the outgoing line group of your PSTN or backup phone lines
    3. Set up the Out of Service Route on the Main ARS to go to the PSTN ARS plan.
  2. Set up the main outgoing call short code, i.e. "?", to Dial to the VoIP ARS line group (i.e. 50)

Now, if VoIP stops working for whatever reason the calls will go out over PSTN. Unfortunately they will take longer to go through and there will be some horrible beeps in the process which I haven’t worked out how to disable yet!


Avaya IP Office New Zealand Dial Plan (ARS)

Here is the Avaya ARS dial plan we are using with our 2talk SIP trunk.

Please note the following:

  • Line group 0 is our PSTN group, you’ll see below emergency calls and Telecom service numbers are set to go over PSTN. Freephone numbers also go over PSTN because they are free.
  • 3XXXXXX & 9XXXXXX are to allow local Christchurch calls, see Telephone numbers in New Zealand to find out the prefixes you need to add to allow local calling in your region.
  • 00XN; is for international calls, XN is a wildcard for when a number isn’t recognized – but it will wait for the 4 second timeout before the call goes through.

Code          Telephone Number   Feature          Line Group Id
00XN;         .""                Dial             1
03XXXXXXX     .""                Dial             1
04XXXXXXX     .""                Dial             1
06XXXXXXX     .""                Dial             1
07XXXXXXX     .""                Dial             1
09XXXXXXX     .""                Dial             1
3XXXXXX       .""                Dial             1
9XXXXXX       .""                Dial             1
0800XXXXXX    .                  Dial             0
0508XXXXXX    .                  Dial             0
028XXXXXXXX   .""                Dial             1
1XX           .                  Dial Emergency   0
01X           .                  Dial             0
027XXXXXXX    .""                Dial             1
022XXXXXXX    .""                Dial             1
029XXXXXXX    .""                Dial             1
0210XXXXXXX   .""                Dial             1
0212XXXXXX    .""                Dial             1
021XXXXXX     .""                Dial             1
0211XXXXXX    .""                Dial             1
083XXX        .                  Dial             0
01XX          .                  Dial             0
XN            .                  Dial             0
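To see how this table decides between the SIP trunk and ISDN for a dialled number, here is an added example of my own (not code from IP Office or from this post) that models the short-code matching over a representative subset of the entries above. It treats X as exactly one digit and N as one or more digits, ignores the trailing ; except to report that the code waits for the inter-digit timeout, and picks the most specific match (most literal digits, then X over N); that precedence is my reading of IP Office’s behaviour, not the vendor’s specification.

```python
import re

# Representative subset of the ARS short codes in the table above
# (Code, Telephone Number, Feature, Line Group Id). Line group 1 is the
# 2talk SIP trunk, line group 0 is ISDN/PSTN, as described in the post.
ARS_CODES = [
    ("00XN;", '.""', "Dial", 1),          # international, waits for timeout
    ("03XXXXXXX", '.""', "Dial", 1),      # national
    ("3XXXXXX", '.""', "Dial", 1),        # local Christchurch
    ("0800XXXXXX", ".", "Dial", 0),       # freephone goes over PSTN
    ("1XX", ".", "Dial Emergency", 0),    # emergency, always PSTN
    ("021XXXXXX", '.""', "Dial", 1),      # 9-digit mobile
    ("0211XXXXXX", '.""', "Dial", 1),     # 10-digit mobile
    ("XN", ".", "Dial", 0),               # catch-all for unknown numbers
]


def code_to_regex(code):
    """X matches one digit, N one or more digits; a trailing ';' only means
    'wait for the timeout before sending' and is not part of the match."""
    pattern = ""
    for ch in code.rstrip(";"):
        pattern += {"X": r"\d", "N": r"\d+"}.get(ch, re.escape(ch))
    return re.compile("^" + pattern + "$")


def specificity(code):
    """Assumed precedence: more literal digits wins, then more X (fewer N).
    This is a model of 'most specific match wins', not the vendor's rule."""
    body = code.rstrip(";")
    return (sum(c.isdigit() for c in body), body.count("X"), -body.count("N"))


def route(dialed):
    """Return (code, feature, line_group, waits_for_timeout) for a dialled
    string, or None when no short code in the table matches it."""
    matches = [e for e in ARS_CODES if code_to_regex(e[0]).match(dialed)]
    if not matches:
        return None
    code, _number, feature, group = max(matches, key=lambda e: specificity(e[0]))
    return code, feature, group, code.endswith(";")
```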

Installing the SQL from SBS 2008 Premium along side SBS 2003

Background: SBS 2003 Premium is running on one box. Performance is becoming poor due to increasing SQL demands, so we need to run SQL on a separate server. We can achieve this by purchasing either A) SBS Workgroup 1 Processor Edition, or B) SBS 2008 Premium Edition & 25 CALs (which entitles you to run SQL on a separate server), for about the same cost. But I would prefer not to rebuild the SBS 2003 box at this stage.

After several hours of research I came across two opinions on whether we could buy SBS 2008 Premium and use the ‘second’ server part of it for a new server while leaving the existing server untouched.


Configuring Cisco 7914 Sidecar

So you’ve got your shiny new 7914 sidecar, configured all the buttons, gone to boot it up and found that all the buttons just light up red!
I’ve seen many forum posts with people confused about how to get their 7914 working, and I have also had problems, so here is a guide on how to do it.



I’ve been playing around with IPv6 over the last few days; my ISP doesn’t give out IPv6 addresses yet, but thanks to Hurricane Electric I now have a /48 being routed straight to me. In theory I could subnet that /48 into 65536 subnets, each containing a ridiculous number of hosts.

This is a strange feeling after growing up with 1 routable IP address to somehow share across a whole network and having hundreds of NAT port forwards. It really should make life much easier.

But… there are a few implications. Previously, in many situations, we have been able to rely on NAT as a reasonably effective firewall; NAT is excellent at that. Customer ADSL/cable routers will now need to have firewalls, which many don’t… and if they do have firewalls it is almost certain they won’t be managed properly.

So IPv6 end-to-end connectivity is all very well, but instead of managing port forwarding we are now going to need to manage firewalls instead. By default I am sure they will be managed by UPnP, so you may as well not be running a firewall at all unless UPnP gets some security added.

Lastly, I realised IPv6 means you can no longer use the excuse of decreasing the size of broadcast domains when subnetting or using VLANs… It will now be about reducing multicast domains, seeing as IPv6 uses multicast to replace the broadcast functions. I’m pretty sure most VLANs are more about security than broadcast domains anyway.


Affordable IP Phone Systems

Asterisk has been around for a number of years now, most tech consultants will be aware that there are open source PBX solutions that can run on your PC. However, until I discovered the Atcom IP series of Asterisk appliances, I knew I would have a hard time convincing small businesses of the benefits of VoIP.

There is a strange sense of security that goes with having a dedicated appliance for something as critical as telephony. Businesses that are used to having a phone system on the wall somewhere may not be totally comfortable having a phone system running on any old PC sitting in the server room (although this could be a safer option, as you always can drop the hard drive into another machine if something goes wrong with one).

While there have been Asterisk appliances from major names like Digium, their cost is not much cheaper than a POTS system, making migrating from a traditional phone system hard to justify. The Atcom IPxx series, on the other hand, can be had for under $500 for the base unit, depending on how many analogue trunks and extensions you want.

I should note that there is a non-trivial cost associated with moving to VoIP – if you have existing analogue phones the cheapest way will be to use ATA devices such as the Linksys SPA8000. VoIP phones start at around $200, which soon adds up.

The ATCOM looks fairly easy to set up. There will be a learning curve, but it is definitely within the scope of in house IT staff to create new extensions, reconfigure IVR menus, if not set up the whole system from scratch.

For the price, I would buy two, and keep one as a spare that I could drop the flash card into should anything happen to the other.

The Atcom IP01 / IP04 / IP08 can handle around 30 concurrent calls, which is plenty for any small to medium business in New Zealand.

My immediate reaction when I saw this was to buy it just because it was so unbelievably cheap. Unfortunately, being a student means that isn’t quite a good enough reason to buy one.

Update: July 2009
I still haven’t tried out any of the ATCOM gear. I have to say I am nervous about the quality, I’d love to think it would be excellent, but until I have tested it I won’t know. In New Zealand of course you are probably still going to want analogue trunks instead of relying on 2talk/SIP trunks unless you have a really nice internet connection.


DNS Performance Test Utility

Recently I have been trying to tune the internet performance at work (and find out whether it is faster to run a DNS forwarder on our VPS hosted in a data centre, or to do queries directly to OpenDNS), and found this cross-platform tool which looks very useful for checking out query speeds of different DNS servers.

DNS Performance Test by the1silverwolf. Enjoy!


Sysprep, Standard PC, ACPI, Ghost Images

NEVER try creating a ghost or sysprep image with your source computer’s HAL set to Standard PC!
I wish I had noticed this critical point in documentation earlier:

You can deploy a Sysprep image created on a computer that uses a Standard PC, Non-ACPI PIC HAL (Hal.dll) to a computer that uses the following HAL types:
 • Standard PC, Non-ACPI PIC HAL (Hal.dll)

Cheers Microsoft, no wonder I was having so much trouble trying to get the image to work properly!

The problem arose when I thought I would be clever and prepare the Ghost image on VMware, then Sysprep it out using MySysprep to select the right HAL type. I then wasted all this time trying to get it to work, when the cause was that the VMware image had set the HAL to Standard PC (which I was aware of, but I thought MySysprep was able to change the HAL on deployment). I am currently running a Repair Install of XP SP3, hoping that maybe this time I will get a little further.


MacBook Pro Defects

On Monday, my MacBook Pro arrived. Fantastic piece of equipment, but that isn’t what this post is about. It didn’t take me long to notice some out-of-box issues that really made me mad. When you pay as much as I did for a laptop, you want it to be perfect, and with Apple’s classy products you wouldn’t expect any less than that.

First thing I noticed was a bright red stuck pixel. Fantastic! You have this great machine for photo and video editing but then it is ruined by a bright red pixel which I understand is not covered in the warranty. I know from experience that Dell would have a new laptop in the post within minutes if you rang up and explained you were a multimedia professional and couldn’t have a stuck pixel.

Stuck Pixel Close Up

It took me a couple of hours to notice the next, more worrying problem: the strip of metal along the bottom of the screen (above the hinge) was buckled, and definitely not something they should be shipping. It is very noticeable on the left side, especially when closing the screen; there is some on the right side too but not as severe.

Buckled Metal; Right side buckled

I called Apple yesterday, who asked me to take it into my nearest Apple Service Centre, which happened to be in Hokitika. If I get it done before Wednesday next week I believe I am entitled to ask for a replacement or repair; I will obviously be asking for the replacement (because they wouldn’t repair the stuck pixel). I hope it doesn’t take long, though, because I have the youth group ball on Saturday night which I am DJ’ing for and could really do with it.

I hope Apple support is as good as they claim it to be.

UPDATE 10/12/06: I took it to the Apple place yesterday, who said that yes it is definitely covered under warranty. I now have to ring Renaissance on Monday morning and convince them that I need a replacement, rather than just a repair.