Lync Setup

Lync requires some updates to your public DNS, and you need to assign a Lync license to users in the Office 365 Management portal. You also need to decide how to set your global Domain federation and Public IM:

Domain federation defines whether you will be able to communicate with external organizations that use Lync. You can set it to be open to all with blacklists, open to none with whitelists, or completely disabled:

Public IM determines whether you will be able to communicate with Live Messenger clients. You can only turn this on if Domain federation is also turned on:

If enabled globally, Domain federation and Public IM can be disabled at the user level.

Lync Clobbers Live Messenger

The first thing I discovered was that a few hours after turning on Domain federation and Public IM connectivity, my Live Messenger disconnected. When I tried to log back on, it told me that I could no longer use my Live ID for Live Messenger. Yup:  because my Live ID is in my own domain, when I enabled Lync Public IM for that domain, Lync took precedence and disabled Live Messenger. You can only have one or the other in the same domain. Fortunately, disabling Public IM restored my Live Messenger connection so I could continue using Live Messenger while testing Lync.

This wouldn’t be a big deal if I could replace Live Messenger with Lync. But I can’t. Read on.

Live Messenger Connects but Lync Doesn’t

One of my friends works for a Fortune 1000 company that uses Lync in-house. Communications with this friend through Live Messenger work fine. However when I tried to connect to him from Office 365 Lync, I could not, nor could he connect to me.

I expect the problem is that his company’s Domain federation is set to only allow whitelisted domains. Since my domain is not on their list, my IMs can’t get through. But they have allowed Public IM, so Live Messenger works fine.

Unfortunately I can’t just call up the IT department of a $17 billion company and ask them to add my Lync domain to their Lync federation so I can chat with my buddy. Live Messenger is my only option to communicate with this friend.

Office 365 Lync’s Weak Privacy

In Live Messenger, I’ve come to expect that anyone who wants to be a “friend” must send me a request. Only those I approve can see my presence information, status updates, etc. This is the standard behavior for social networking (Facebook, LinkedIn, etc.).

Lync, on the other hand, lets any user see the picture, presence, and status message of any other user. Users do not need to grant permission first. And this includes federated domains. So if I allow open federation from any domain, that means that any Lync user in the world, by simply entering my email address, can see whether I am online and can send me instant messages. If they don’t have my email address, Lync will help them figure it out by returning my presence info once they guess the correct address. This happens without my knowledge or approval.

It works the other way too:  I can see the status of anyone on an open Lync network, whether or not I have ever communicated with them via Lync. Here for example are a couple of Lync support engineers (I’ve hidden their last names):

Lync 2010 software does offer an Enhanced Presence Privacy Mode. When enabled, “the option to restrict presence information to contacts becomes available in the Lync 2010 Status options.” In other words, if I haven’t added the person to my Contacts list, that person couldn’t see my status (same as Live Messenger).

Unfortunately, Enhanced Presence Privacy is disabled in the Office 365 implementation of Lync, and since Office 365 does not allow PowerShell access to Lync, there is no way to change this. So the option to restrict presence information is not available in my Lync Status options:

That means the only way to hide presence information is to set Domain federation to “Disabled for all domains except those intentionally allowed.” Even then, if I were to allow federation with my friend’s Fortune 1000 company, and if their IT department allowed my domain, all 6500 people who work there would be able to see my presence without my permission.

Comparing Lync to Live Messenger

Here’s a table summarizing what I’ve learned:

Conclusion

There is no doubt that Lync has some great features for meetings, etc. that go beyond what is available in Live Messenger. A small company with several far-flung employees needing to stay in touch could benefit from these features. However, due to the connectivity and privacy limitations of Office 365 Lync, you may also need to run Live Messenger for connecting with the outside world. And if all you need is one-on-one IM and video, Live Messenger offers better connectivity and privacy—as long as you can put up with the annoying ads.

The following things worked:

• vPro (shares the network port as the OS)
• Remote Desktop
• Internet Explorer

The following things did not work:

• LogMeIn (“active but not online”)
• Dyn Updater (“Unable to refresh host list. WinHttpOpenRequet failed. There may be a problem with your WINHTTP.DLL file.”)
• GFI MAX agent (shows system offline for the last four days)

Most articles on this issue suggest a firewall as the issue, but this machine only uses the Windows Firewall, which does not block outbound connections.

Time to Connect

One post mentioned inaccurate time as a potential issue. Well I had noticed that the system clock on this machine was off by almost six years:

I figured I would fix that later, but after seeing that post, I went ahead and manually corrected the date and time, and poof! everything came back online. Huh, never would have thought that having the correct time was related to allowing programs to connect to the Internet.

For some reason, the Windows Time Service was not automatically updating the date and time. When I tried w32tm /resync, I kept getting “The computer did not resync because no time data was available.” It took repeated tries, stopping and starting the service, etc. before I finally got it to respond to the resync:

Long-Term Solution?

It remains to be seen if this is a long-term solution. When I shut down the machine, vPro (which can access the machine when it is powered off) again reported the system time as back in 2006. (The machine may need a new CMOS battery, but I’m 1000 miles away so that won’t happen soon.) After powering back up today, the date and time reverted to the correct value. If that fails again, and Windows Time is not correcting the time, I may try a third-party time sync program like the Atomic Clock Sync.

Step 1:  Tell Forefront to Allow Postini IPs

1. Go to https://admin.messaging.microsoft.com and log in to your Forefront configuration. (If you’re using Firefox and get “Server Error in ‘/’ Application”, try Internet Explorer instead.)
2. Click on the Administration tab. You should land on the Company sub-tab.
3. Set up an Inbound Connector that tells Forefront to not do any filtering on mail coming from Postini. The Help calls this an Inbound Safe Listing Scenario. See the detailed example below.
4. Click on the Domains sub-tab. Under Enabled Domains, click on your primary domain (not the yourdomain.onmicrosoft.com subdomain).
5. Next to Inbound Connectors, click on Select, choose the connector you just defined, then click on OK. This applies that connector to your domain.

In order for the Inbound Connector to handle the mail, both the Sender Domains and the Sender IP Addresses must match.

Since we want mail from any domain to be handled by the connector, set Sender Domains to *.*.

We want to only accept mail from Postini’s servers. My Postini account is on Postini’s System 7 server, so the range of IP addresses that Postini may send from is 64.18.0.0 – 64.18.15.0. That translates to CIDR 64.18.0.0/20. Unfortunately, Forefront only allows CIDRs starting from /24, so you have to specify 16 CIDRs:

64.18.0.0/24, 64.18.1.0/24, 64.18.2.0/24, 64.18.3.0/24, 64.18.4.0/24, 64.18.5.0/24, 64.18.6.0/24, 64.18.7.0/24, 64.18.8.0/24, 64.18.9.0/24, 64.18.10.0/24, 64.18.11.0/24, 64.18.12.0/24, 64.18.13.0/24, 64.18.14.0/24, 64.18.15.0/24

The other trick is to uncheck the three Filtering boxes at the bottom of the dialog. Here’s an example of the complete Inbound Filter:

Note Be sure to find out what Postini system you are on. The example above only applies to System 7.

Step 2:  Set Postini to Deliver Email to Office 365

1. If you don’t remember your Office 365 “virtual server,” use nslookup or log in to your DNS provider to get the current MX record. It should be something like “mydomain-com.mail.eo.outlook.com”. Copy that destination server to the clipboard.
2. Log in to your Postini admin page.
3. Under Orgs and Users, Choose Org “[mydomain.com] Email Config 1”.
4. Click on Inbound Servers > Delivery Manager > Edit.
5. Change the Email Servers to point to your outlook.com virtual server.

Step 3:  Update Your DNS to Point the MX to Postini

1. Log in to your public DNS provider.
2. Set the priority of the existing Office 365 MX record to 9. We’ll leave this in there for now in case the Postini routing doesn’t work.
3. Add your four Postini MX records at priorities 0 through 3.

If you still have your original signup email from Postini, your MX records are listed there. If not, you’ll need to refer to this article to figure them out. Mine look like this:

1st priority record: mcbsys.com.s7a1.psmtp.com.
2nd priority record: mcbsys.com.s7a2.psmtp.com.
3rd priority record: mcbsys.com.s7b1.psmtp.com.
4th priority record: mcbsys.com.s7b2.psmtp.com.

Step 4: Test

Give the Forefront connector 45 minutes to propagate, and the DNS at least an hour. Send yourself some emails from an outside account (Yahoo, Gmail, whatever). Assuming that they get through, check the headers to see if they went through Postini. In the chain of “Received” servers, you should see that mail was received from something like “exprod7mx181.postini.com”. You should also see Postini’s spam measurements with headers like “x-pstn-neptune” and “xpstn-levels”.

The first stop in the chain after entering the Microsoft network should show that your Inbound Connector (“X-FOPE-CONNECTOR”) was applied, and should identify the sending Postini IP address in an “X-Safelisted-IP” header. The “X-Forefront-Antispam-Report” header is still there but apparently has no effect.

Step 5:  Remove Office 365 from DNS

Once you are sure that all your mail is flowing through Postini to Office 365, you can update your public DNS to remove the priority 9 MX record left from Step 3. This will prevent spammers from directly targeting Office 365 by using out-of-sequence MX records.

Note The new Inbound Connector only handles mail that goes to your domain, which is now flowing through Postini. Mail sent directly to your Office 365 address (yourname@yourdomain.onmicrosoft.com) does not go through Postini so it still relies on Forefront for filtering.

Congratulations, your email is flowing through Postini. Look forward to a single, daily quarantine report that includes all your email aliases, and hopefully more accurate discernment of ham vs. spam.

A rep with Microsoft Partner Support spent quite a bit of time and effort trying to get to the root cause of this issue, but “no luck.” I decided to live with the annoying error messages in my daily report—then one day, after a reboot, I believe, they stopped. SBS 2008 was back to running only one backup as per schedule.

Back with a Vengeance

Then earlier this month, the issue suddenly returned, but worse: SBS was now trying to run up to five identical backup jobs at a time:

I found in this thread that at least half a dozen other users were experiencing the same issue. Fortunately, one of them had a good suggestion:  manually modify the task to prevent starting a new instance if the task is already running:

1. Open Task Scheduler.
2. Under Task Scheduler > Task Scheduler Library > Microsoft > Windows > Backup, double-click on the Microsoft-Windows-WindowsBackup task.
3. Click on the Settings tab.
4. Under If the task is already running, then the following rule applies change Run a new instance in parallel to Do not start a new instance.
5. Click on OK to save the changes.

This still doesn’t explain why the task tries to start multiple times in the first place. It’s certainly not the “SBS way” to have to manually edit the backup task in Task Scheduler. But at least it prevents multiple instances from attempting to start. A week later, I’m back to all green on my backup history:

This post has a concise guide to SPA942 BLF configuration:

How to configure BLF with a Linksys SPA942 and Asterisk 1.4

I found that I didn’t have to change the PBX in a Flash (PiaF) setup of Asterisk at all. To monitor extension 203, I just made these changes to Phone tab of the phone used by extension 200:

Notes

• The Extension is Disabled and Shared Call Appearance is private.
• The extension being monitored does not need to be defined on an Ext tab on the “remote” phone. So if the admin is on 200 and is monitoring 203, the admin does not need 203 defined on an Ext tab.
• The Short Name appears next to the line key when the phone is on hook.
• The Extended Function looks like this:
  fnc=blf+sd+cp;sub=203@$PROXY;ext=203@$PROXY
  • blf = Busy Lamp Field
  • sd = Speed Dial
  • cp = Call Pickup

Issues

• The BLF function does work. However, when the line is off hook, the Short Names are not shown. So users would have to remember which line key is for whom, or use physical labels to identify the lines.
• A quick test of transferring a call with the button failed. It could be that that requires some of the Asterisk-side modifications. I didn’t pursue this.
• BLF subscriptions may not be supported by a hosted PBX solution, where you register each extensions directly with the external provider. Since most other functions are available in a hosted solution (e.g. voip.ms), it may come down to whether it is worth running an in-house Asterisk server just to have BLF.

This is the main article I followed for setting up a site-to-site VPN:

http://www.wasagacomputers.com/home/2010/8/10/tutorial-site-to-site-vpn-using-tomato-firmware-and-openvpn.html

It seems that the last bit of his step 3, where you add 1194 to the port forwarding, is no longer required.

VPN Can’t Ping from LAN to LAN

Unfortunately after configuring the VPN, I could ping from the router to the other LAN, but I could not ping from one LAN to the other LAN. Not good!

I got lots of help from the VPN and VLAN and authors. Long story short:  the VLAN setup was not allowing packets on the local LAN to be forwarded to the VPN tunnel.

The solution is to manually add a one-line forwarding instruction to each router. The exact instruction depends on which VLAN you wan to route to which VPN tunnel.

The VLANs are listed under Advanced > VLAN. Choose the Bridge name for the VLAN you want to connect.

The tunnels are named as follows: tun11 = OpenVPN Client1, tun12 = Client2, tun21 = Server1, and tun22 = Server2. You can see which tunnel is active under Advanced > Routing. This screen shot is from my OpenVPN server:

On both the client and sever, my main LAN (that I want to share across the VPN) is on br0. The server is tun21 and the client is tun11. So on the OpenVPN server router, I ran this instruction from Tools > System:

iptables -A FORWARD -i br0 -o tun21 -j ACCEPT

and on the OpenVPN client router I ran this instruction:

iptables -A FORWARD -i br0 -o tun11 -j ACCEPT

Voila! Bi-directional ping happiness, from server’s LAN to client’s LAN and vice-versa.

To make the instructions “sticky,” save the corresponding instruction in Administration > Scripts > Firewall on each router, and reboot the router.

This functionality may eventually become “standard” or part of the GUI, but for now, a pair of simple instructions lets you use OpenVPN on a router running VLANs.

Often failed pings are related to the firewall on the target machine. For example, the Windows Firewall setup on my Server 2008 R2 only allows ICMPv4 pings on Private networks:

By temporarily disabling individual firewall profiles on the server, I found that I could ping the server if I turned off the Public firewall profile. Huh? Why does the server thing it is on a Public network?

The answer is Network Location Awareness. You’ve seen the prompt when you connect a laptop to a new wireless network:  is this a Home, Work, or Public network? Well I never saw that prompt on the server; apparently it just assumes that a new network (e.g. due to a new router) is Public, the most restrictive profile.

Note that this doesn’t affect domain-joined computers; they are automatically assigned to the Domain firewall profile. But it does affect my non-domain-joined Hyper-V server.

Change the Network Type

To tell the server it’s on a Private network, go to Network and Sharing Center, click on Public network:

Then choose Work network:

That’s it! The server now knows it’s on a Private network, and the Private firewall profile applies. As long as that profile accepts ICMP (ping) requests, you should be able to ping the server.

G.729a requires that you purchase a license if you are converting (transcoding) the audio to another codec. Although the licenses are inexpensive, I preferred to avoid the overhead of transcoding by simply passing through the G.729a packets.

“Passing through” means that both legs of the call must use G.729a. At first I hoped to be able to use the standard ulaw (G.711u) codec for all calls except those going to my ITSP. However, I eventually found that if the first leg of a call prefers ulaw, and the second leg requires G.729a, Asterisk will not go back and reinvite the first leg using G.729a (see my comment in this thread). Bottom line:  we need to set up the PBX to use G.729a on all calls, internal and external.

Setting It Up

Once that was clear, the setup was fairly simple:

1. Download the current g729 sound files from Digium:
   asterisk-core-sounds-en-g729-current.tar.gz
asterisk-extra-sounds-en-g729-current.tar.gz
   These are required for the voicemail system to work after converting to G.729.
2. On the Asterisk machine, under /var/lib/asterisk/sounds, rename the en directory to en.gsm.
3. Create a new en directory and extract the new sounds there. Recursively change the group and Owner to asterisk and the permissions to 775 to match the original “en” directory.
4. In the FreePBX admin panel, go to Tools > Config Edit. Add the following lines to sip_general_custom.conf:
   disallow=all
allow=g729
allow=ulaw
allow=alaw
allow=gsm
   That puts g729 as the first priority for the whole system.
5. From the console, open the Asterisk CLI (asterisk –r). Make a call and type sip show channels. You should see the g729 codec on both legs of the call, whether you call internally or externally. Do try all combinations to make sure that G.729a is supported throughout. If not, the call will fail and you’ll see a corresponding message in the log (Tools > Asterisk Logfiles). (Or if you a the G.729a license, the call will succeed but will be transcoded.)

Update:  Still Need to Transcode

November 5, 2011: Alas, not as easy as I thought. The above did set up G.729a pass-through on outbound calls. However, some problems remained:

• Inbound calls through the SPA3102 were still in G.711u format. Since Asterisk tried to use G.729a for the second leg, the call failed without a transcoder. Changing the SPA3102’s Preferred Codec to G729a solved that problem.
• Voicemail greetings are not available in .g729 format. Converting from .WAV to .g729, or even creating new greetings in .g729, seems to require a transcoder.
• Voicemail messages are not stored in .g729. This can be remedied by adding g729 to the list of formats in voicemail.conf, but still seems to have trouble without a transcoder.
• Rod Montgomery, Directory of Services at Digium, writes in this thread that without a transcoder, Asterisk will not be able to process audio, e.g. DTMF codes for IVR and voicemail. I’m not sure about this one—it seemed to handle the DTMF when I called internally anyway.

Bottom line, it still makes sense to set up pass-through for actual phone calls, but there are so many places that audio conversion is needed that it makes sense to get the transcoder. As Mr. Montgomery says in the post linked above, you only need as many licenses as you have simultaneous channels doing transcoding. So if you are making all calls in pass-through mode, you only need a few licenses for receiving and accessing voicemail, and possibly for IVR.

Info on transcoder licensing is available here. For testing purposes, open-source binaries are available here.

One of my goals was to set up my wireless for guest-only access, i.e. not connected to my internal LAN (which are all hard-wired connections). Here’s one way to do that.

Basically we need a separate VLAN connected only to the wireless. Although this can be accomplished from the command line, Augusto Bott (“Teaman”) has added a nice GUI for VLANs (thread), and “Toastman” has added the VLAN enhancement to his builds tagged as “VLAN”.

So download and upgrade to a Toastman build that includes the VLAN enhancement. You’ll have to find the one that suits your router. I’m using a Cisco Linksys E2000, so I upgraded to tomato-E2000-NVRAM60K-1.28.4407.1MIPSR2-Toastman-VLAN-RT-VPN.bin. Get that set up as a standard wired and wireless router sharing the same LAN. Then follow these steps to split the wireless into a separate VLAN:

1. Under Basic > Network, add a “bridge” with a new gateway IP. Enable DHCP if you want. Here I’m adding 10.0.0.1 for the new bridge 1 (br1) with DHCP enabled:

Click on Add, then click on Save at the bottom of the screen.

Note If you forget to click on Add, nothing will happen when you Save!

2. Under Advanced > VLAN:

1. Under VLAN, add VLAN ID 3 and link it to your new LAN1 (br1) bridge. Click on Add.
2. Under Wireless, change Bridge eth1 to LAN1 (br1).

If you like, you can also include some wired ports in your new VLAN; if you do, remove those ports from VLAN 1. When you’re done, click on Save at the bottom of the page.

After the router reboots, you should be able to connect to the wireless network and get on the Internet. You can even ping the gateway of the other VLAN (192.168.200.1 in my example). But you will not be able to ping or access other computers on VLAN 1.

Multiple SSIDs

Note that what we have now is a single wireless LAN with no access to the main LAN. The next step would be to have two distinct wireless LANs, that is, two SSIDs. Several routers, including the Linksys E2000 with native firmware, offer this now. The idea is to set up one wireless network (e.g. SSID “Office”) that has full access to your network, plus a separate wireless network (SSID “Office-Guest”) that can only browse the Internet. Employees use the password for “Office”, and guests can be given Internet-only access by giving them the separate password for “Office-Guest”.

Currently, multi-SSID capability for Tomato is in the “experimental” stage, so multi-SSIDs will no doubt be a Tomato feature in the future.

Update November 14, 2011 At the moment, VLAN functionality will impede your ability to set up a VPN, but there is an easy workaround:  see Set Up VLAN and Site-to-Site VPN with Tomato.

Install PostgreSQL

1. Install PostgreSQL locally. See Local PostgreSQL Installation on the Heroku site.

sudo apt-get install postgresql

As of this writing, this installs PostgreSQL 8.4, which matches the version on Heroku’s shared servers.

2. We also need libpq-dev. See this Stackoverflow article.

sudo apt-get install libpq-dev

A different article says to manually install the pg gem but I did not do that. (Well, I don’t think I did; there was a lot of trial and error in working this out.) However the gem is in my Gemfile.

# sudo gem install pg

Set Up a New Rails Project to Use PostgreSQL

Generate a new Rails project with PostgreSQL as the database. I also add –T so it won’t make a Test folder (I’ll add rspec later).

Note All instructions refer to myapp. Substitute your own application name.

cd ~/rails_projects
rails new myapp -T

--database=postgresql
cd myapp


This will create a config/database.yml file that uses PostgreSQL. The Gemfile will also load the ‘pg’ gem instead of the ’sqlite3′ gem.

Source Control

You may want to exclude database.yml from source control since it will contain passwords. If you are using git, add config/database.yml to .gitignore. If you’ve already committed with a database.yml file, use this command to remove it from source control but not from the project:

git rm --cached config/database.yml

Set up PostgreSQL

This section is cobbled together from advice in the following articles:

• Getting started with rails 3 & postgres database
• Setup Rails with Postgresql
• Creating Rails users in Postgres on Ubuntu

By default, PostgreSQL creates a postgres superuser with no password, and links that user to a new postgres system user. Our goal is to create and use a project-specific database user that does not have a corresponding system user account.

1. Change to default "postgres" admin user (will prompt for your Ubuntu password).

sudo su postgres

2. Use the psql interactive terminal to create a role that can create databases and log in (basically creates a user). Note the semicolon at the end of PostgreSQL commands! I used the password generator lat this site to create a nice long password. If you’re “stuck” in the PostgreSQL shell, try \q.

psql template1 #starts Postgres interactive shell
create role myapp with

createdb login password 'sPUKuBr6wRa36A7'; # make your own password
select * from pg_user;    # Verify user created ("\q" to exit!)
select * from pg_shadow;  # sysid and password hash listed here
\l # list databases
\q # exit Postgres shell
exit # exit "Postgres" admin user

3. By default, PostgreSQL will try to use to your Ubuntu identity for logging in to the databases, but that identity has no database rights. That’s the default “ident” authentication method.

To tell PostgreSQL to use passwords instead, we need to update the pg_hba.conf file (note "sudo" to allow opening protected file).

sudo gedit /etc/postgresql/8.4/main/pg_hba.conf

Add these four lines to pg_hba.conf, before the local all all ident line:

local postgres            myapp       md5
local "myapp_development" myapp       md5
local "myapp_test"        myapp       md5
local "myapp_production"  myapp       md5

This tells PostgreSQL to accept MD5 passwords for the new "myapp" user when connecting to the project databases. Note that we must also allow access to the default “postgres” database so rake db:create:all can later create our project databases. Also, quote database names containing a special character (underscore). See this Stackoverflow article for more info.

4. Restart PostgreSQL.

sudo /etc/init.d/postgresql-8.4 restart

5. Test logging in to the default “postgres” database as the new user.

psql postgres -U myapp

This should prompt for a password. If you immediately get the message “Ident authentication failed for user "myapp"”, the pg_hba.conf file is not right. After supplying the password, use \q to exit the Postgres shell.

6. Edit the config/database.yml file and add the password from step 2 to all three databases. Save the file. Here is an excerpt:

test:
  adapter: postgresql
  encoding: unicode
  database: myapp_test
  pool: 5
  username: myapp
  password: sPUKuBr6wRa36A7


7. Create all databases based on database.yml.

rake db:create:all

Optional:  Graphical UI for PostgreSQL

This list of PostgreSQL GUIs pointed to this list. I decided to try pgAdmin. There are advanced instructions for installing it under Ubuntu here, but all I did was run this command:

sudo apt-get install pgadmin3

After that, I started the program from Applications > Programing > pgAdmin III and clicked on the “plug” icon to create a connection. From the documentation, I learned that for a local connection, you can leave Host blank; just give it a name and the Username and Password defined above, and you’re connected!

Note that this installs pgAdmin 1.10.2. From what I can tell from the pgAdmin Change Log, that includes most of the support for PostgreSQL 8.4. A later version of pgAdmin may be required for PostgreSQL 9.1. Here’s a complicated article on installing under Ubuntu, or maybe just use the latest installer here.

For data modeling, SQL Power Architect looks promising, but I haven’t tried it yet.

When I tried to follow section 13.1.1 Installing and configuring Rails 3.1, I got errors about an older Ruby version, then about a missing ZenTest gem. I tried to follow the advice in the messages to update ruby and to run bundle install. But even after that, rails –v told me that I was still at Rails 3.0.9.

My main mistake was trying to run install Rails 3.1 in the existing sample_app folder, which includes a gemfile specifying older gem versions, including Rails 3.0.9.

I reverted my Ubuntu virtual machine and started over. Then, loosely following Read This Before Installing Rails 3.1, I got Rails 3.1. installed as follows.

# IMPORTANT:  go to root of Home folder to avoid
# using project-specific gemfile
cd ~

# Upgrade RVM from 1.6.20 to 1.8.4
rvm -v
rvm get latest
rvm reload
rvm -v

# Check installed rubies and default ruby
rvm list
# "=> ruby-1.9.2-p180"
ruby -v
# "ruby 1.9.2p180 ..."

# Check currently available version of Ruby
rvm list known
# shows 1.9.2[-p290]

# Install current Ruby (takes a while to compile)
rvm install ruby-1.9.2

# Check installed rubies and default ruby
rvm list
ruby -v

# Change default to latest version and check again
rvm --default use ruby-1.9.2-p290
rvm list
ruby -v

# Make sure RubyGems is >= 1.8.10 (security fix)
gem -v

# Check gemsets, create a default Rails 3.1 gemset, check again
rvm gemset list
rvm ruby-1.9.2@rails31 --create --default
rvm gemset list

# Check and update Rake 0.8.7 to 0.9.2 or newer
rake --version
gem update rake
rake --version

# NOW you can check and install Rails 3.1
rails –v
# "The program 'rails' is currently not installed."
gem install rails --version=3.1.0
# "file 'lib' not found" messages on ri and RDoc
# documentation packages for rails-3.1.0, but seems
# to work anyway
rails -v
# "Rails 3.1.0"

Back to the Tutorial

Now you are ready to work through the Ruby on Rails Tutorial section 13.1.1 Installing and configuring Rails 3.1. A few additions are necessary for things to go smoothly.

# Create a project-specific gemset and make it the default
rvm --create use 1.9.2@rails31_tutorial
rvm --default use 1.9.2@rails31_tutorial

# Install Rails 3.1 into to the project-specific gemset
gem install rails --version=3.1.0
rails -v

# Use "rails new" to create an app skeleton
cd ~/rails_projects
rails new sample_app_31

# bundle install won’t work until you are in project folder
cd sample_app_31

# Copy the updated gemfile below, then install/update gems
bundle install

Update January 10, 2012:  I followed most of the above instructions to update to Ruby 1.9.3 and Rails 3.1.3. However because I was updating an existing project, after updating version numbers in my gemfile loosely following this example, bundle install failed with messages about rspec-rails depending on a version of railties that was not available. It turns out bundle was trying to use old versions of some gems based on gemfile.lock. So I ran bundle update, which ignores gemfile.lock and re-loads all gems.

Gemfile Updates

Things are obviously moving fast in Rails 3.1 development. I made some changes to my gemfile to get things running right. Here is the entire file, with comments about the changes:

source 'http://rubygems.org'

gem 'rails', '3.1.0'
# 9/28/2011 Add 'therubyracer' to resolve 
#           "Could not find a JavaScript runtime."
#           See http://stackoverflow.com/questions/6282307
gem 'therubyracer'

gem 'gravatar_image_tag', '1.0.0.pre2'
# 9/28/2011:  will_paginate 3.0.2 released 9/27/2011.
#             "kludge" patch in tutorial section 13.1.3
#             no longer needed
# gem 'will_paginate', '3.0.pre2'
gem 'will_paginate', '3.0.2'
gem 'sqlite3', '1.3.4'

# Asset template engines
gem 'sass-rails', "~> 3.1.0.rc"
gem 'coffee-script'
gem 'uglifier'

gem 'jquery-rails'

group :development do
  gem 'rspec-rails', '2.6.1'
  gem 'annotate', '2.4.0'
  gem 'faker', '0.3.1'
end

group :test do
  gem 'rspec-rails', '2.6.1'
  gem 'webrat', '0.7.1'
  # 9/28/2011:  spork 0.9.0.rc9 from 6/30/2011 gets rid of
  #             some deprecation warnings at startup
  # gem 'spork', '0.9.0.rc5'
  gem 'spork', '0.9.0.rc9'
  gem 'factory_girl_rails', '1.0'

  # 9/28/2011:  Add autotest (from section 3.5 exercises)
  gem 'autotest', '4.4.6'
  gem 'autotest-rails-pure', '4.1.2'
  # gem 'autotest-fsevent', '0.2.4' # Mac OS X only
  gem 'autotest-growl', '0.2.9'
end

Once I got on site, I found that the “Replace Battery” light was blinking. For some reason there was no corresponding event in the PowerChute event log.

Of greater concern was that the unit was almost too hot to touch. When I got the battery door open, I could see the batteries bulged somewhat and were very hot. The plastic pull tab broke off when I tried to pull out the batteries. I finally managed to hook a wrench around the top and pull them out. And get this:  two hours after removing them, the batteries still felt hot! I guess I’m lucky I didn’t have flammable hydrogen gas escaping as this thread says can happen. I disconnected the two batteries from each other and left them outside overnight to cool.

Reviewing the PowerChute data log, I see that the temperature is usually around 30 Celcius (86 Fahrenheit), but starting at about 7:30am, it slowly climbed to 41 C (106 F). The temperature was 40 C when the unit reported “battery disconnected.” Is it a coincidence that 40 C is the temperature at which the fan turns on (KB article)? Perhaps some safety switch was tripped to disconnect the battery? The fuse between the batteries did not trip.

Here’s the event log, showing the “battery disconnected” event at 2:39pm:

And here’s the temperature graphed from 4:10am to 4:50pm:

How Hot Is Too Hot?

According to its specs, the DLA1500 is supposed to operate safely in an environment up to 40 C. The building where this unit is installed does not have air conditioning, but the high in San Diego that day was 71 F, so the room was well below 80 F (27 C). I understand that ventilation is important, and I’ll move the UPS to sit on top of the server tower rather than beside it, but clearly the overheating here was not due to a hot room but to a battery or controller failure.

What Should Have Happened

I am definitely concerned that this high-end UPS did not detect a failed battery or an overheating condition earlier. All I got was the “battery disconnected” warning; since the server was still up, I didn’t consider it an emergency. Fortunately, it was a convenient time, so I went on site within a couple hours and discovered the overheated unit.

Next time:  carefully check the Internal UPS Temp column in the Data Log. If it has risen 10 C in one day, consider a shutdown and get on site.

I wondered why PowerChute hadn’t warned me about the overheating. It turns out that the default setting for “UPS Internal Temperature Threshold Exceeded” event is 70 C (158 F):

Wow! If the unit is almost too hot to touch at 40 C, 70 C seems way too high.

I don’t know how accurate these internal temperature sensors are. At another location, I have an APC SU1400NET that always reports about 40 C, but its case is hardly warm to the touch.

Maybe the solution is to check the normal operating temperature for a given UPS in the Data Log, then to set PowerChute’s UPS Internal Temperature Threshold Exceeded event to trip about 5 degrees above. So if 30 C is normal, set PowerChute to 35 C. Note that this is a full shutdown event by default, but that is certainly preferable to risking a fire in the server room.

Has anyone else seen issues like this? What does PowerChute report as the typical internal temperature of your SmartUPS?

The obvious solution would seem to be adding the sending email address to the Safe Senders list in Outlook. But whenever I did that, after a short while, it would disappear again. Then when I tried it from OWA, I got this message:  “’User01@mydmain.com’ is your e-mail address or domain and can’t be added to your Safe Senders and Recipients list.”

Unfortunately there is no Why Not? button, and when I followed Click here for help, no help was available for Error ID: Ex60EC60.

Forefront and SPF Changes

I thought maybe if Forefront cleared the mail, it would be accepted by Outlook. With the help of Forefront support, I set up my third-party SMTP server’s IP address as a permitted Inbound Connector, setting Spam Filtering: Disabled.

At the suggestion of Forefront support, I also added the SMTP server’s IP address to the SPF record at my domain host.

In the email headers, I see X-Safelisted-IP: <SMTP server IP> and Received-SPF: pass, confirming that these changes are working. In fact, if Outlook is not running on my desktop, the mail is not treated as junk (as viewed in OWA). But as soon as I start Outlook, the mail is moved to Junk E-Mail.

Exchange 2010 Blocks Safe Senders

The Exchange Team published this article that explains the problem:  Exchange 2010 doesn’t allow adding your own domain to the Safe Senders list. The article says you can add your own email address, but in Office 365, even that is not allowed. The article also says to use Add-IPAllowListEntry to configure safe IPs, but that command is not supported by Office 365.

Force Spam Confidence Level

The article does hint at a workaround:  if the Spam Confidence Level (SCL) of the email is –1, Outlook will not treat it is spam.

Currently the SCL on the email that Outlook is treating as junk is 0:

MS Partner Support provided the command that I needed to force the SCL to –1:  New-TransportRule. First, start PowerShell and connect to Office 365. Then run commands like this (copy to Notepad to edit and eliminate line breaks):

# List transport rules
Get-TransportRule
# Add transport rule
New-TransportRule -Name "Allow User01@mydomain.com" -Comments "Force SCL -1 on mail from User01@mydomain.com so Outlook will not move to Junk E-Mail" -FromAddressContainsWords "User01@mydomain.com -SetSCL -1
# List transport rules
Get-TransportRule
# List new transport rule details
Get-TransportRule "Allow User01@mydomain.com" | Format-List

After running the New-TransportRule command, the SCL was in fact set to –1, and the mail no longer landed in the Junk E-Mail folder.

Note According to MS Partner Support, I could actually create a rule for my entire domain:

New-TransportRule -Name "Allow mydomain.com" -FromAddressContainsWords "mydomain.com -SetSCL -1

Since adding the entire domain could potentially allow spammers to use spoofed headers, I decided to just go with the single address.

Update December 13, 2011

I’ve discovered that you can view the spam confidence rules from within the Outlook web app:

1. From the Office 365 Admin Overview page, under Exchange Online, click on Manage.
2. On the Exchange Server 2010 options, page, make sure it says Options: Manage My Organization at the top.
3. In the left column, click on Mail Control.
4. Make sure the Rules tab is shown.
5. Highlight each rule to see the conditions and action in the right column.

You can delete rules here, and probably even add conditions to a rule. Unfortunately, you cannot create a new rule with for setting the Spam Confidence Level—that’s not one of the options in the drop-down list when creating a rule.

Finally a Tier 3 support guy asked, “Do you have a smart phone on that account? We’ve seen this since Android phones became popular.” Well yes I have a smart phone, but it’s a Windows Phone 7, which I chose mostly because of Exchange issues in Android.

Apparently the junk list on the smart phone (which I can’t see or modify) overwrites the list on the server. The tech’s suggestion was to remove the Exchange account from the phone, update the Office 365 safe senders from Outlook, then re-add the account to the phone. Sure enough, this time the new list “stuck.”

The tech said after the list should stay in sync going forward, but when I tried another bulk update, it again got clobbered. Fortunately, just turning off the phone for a few hours, without deleting the Exchange account from the phone, was enough to let me upload a new Safe Senders list.

Symptoms

On my primary Windows 7 machine, I use PGP Desktop 10.1.2 solely for manually encrypting and decrypting files and blocks of text. In Options, I have unchecked Secure Email. The log shows “PGP Messaging is disabled” but it also shows “Processing Message” on all my inbound email.

I use Outlook 2010 to access email. This worked fine with my local SBS 2008 server and Exchange 2007.

However I have recently migrated to Office 365, Microsoft’s latest cloud-based Exchange 2010 offering. I have experienced two problems:

• When I move an item in Outlook from one folder to another, it immediately appears in the Recover Deleted Items list, the hidden folder that allows recovery of permanently delete items for two weeks (by default). The same thing happens when I delete an email (which is basically just moving it to the Deleted Items folder). So, even before the item is hard-deleted, it is ready for recovery.
• When I try to recover a deleted item from Outlook (Folder tab > Recover Deleted Items), I get a popup message:  “Outlook was unable to recover some or all of the items in this folder. Make sure you have the required permissions to recover items in this folder, and try again. If the problem persists, contact your administrator.”
  
  The item is recovered in spite of the message.

Cause

I thought at first that these were Office 365 or Outlook issues, and spent hours working with Microsoft support, creating new Outlook and Windows profiles, etc. Then I discovered that stopping the “PGP SDK Service” (PGPserv.exe) makes all of the problems go away.

Apparently PGP’s email proxy, although disabled, is somehow copying every item that is moved from one folder to another in Outlook into the hidden Recover Deleted Items folder, then blocking proper access to that folder. True, moving an item does permanently delete it from the source folder, but that doesn’t mean it should be kept in Recover Deleted Items.

Workaround

A Symantec tech support rep suggested upgrading to PGP Desktop 10.2, the first version to officially support Outlook 2010. I tried that, but it did not fix the issues:  PGP Desktop still corrupts Recover Deleted Items in Outlook.

The Symantec rep’s other suggestion proved more helpful. I uninstalled PGP Desktop, then re-installed 10.1.2, following instructions in this article to exclude all functionality except NetShare. Notes:

• You need access to PGPDesktop.msi to follow the instructions, but Symantec only provides an .exe installer. To get the .msi, after an install (or before you uninstall), look for a folder beginning with “PGP” in
  %UserProfile%\AppData\Local\Temp
Copy the PGPDesktop.msi to a more permanent location—I used
  C:\ProgramData\PGP\Installer
• After an uninstall and reboot, to re-install with as few options as possible, open a command prompt and navigate to the folder where you stored PGPDesktop.msi. Run the following command (put it on one line in Notepad first):
  msiexec /I pgpdesktop.msi PGP_INSTALL_MAPI=0 PGP_INSTALL_NOTES=0 PGP_INSTALL_LSP=0 PGP_INSTALL_WDE=0 PGP_INSTALL_GROUPWISE=0 PGP_INSTALL_VDISK=0 PGP_INSTALL_MAPI_Plugin=0
• You will get warnings that the PGPDekstop.msi file is from an “unknown publisher.” Why Symantec doesn’t sign its installers, I don’t know. I just mention it so you’ll know I had the same experience.

After the reboot, you should find that PGP Desktop loads without the Mail options, and that it no longer interferes with Outlook. Of course if you want to use PGP integration for mail processing, you’ll need another solution.

Getting Mail to Leave SBS

The support manager reminded me that Office 365 offers an email alias in the mydomain.onmicrosoft.com domain. If my primary email is myuser@mydomain.com, Office 365 lets me use myuser@mydomain.onmicrosoft.com as well. I had removed that alias but was able to re-add it through the Online Exchange mailbox configuration screen, under E-Mail Options.

So the solution is still to send the email to an account outside your domain, but you can use your custom subdomain on Office 365:

Getting Outlook to Autodiscover Office 365

While editing the Service Connection Point in Active Directory Sites and Services does work, it’s probably not the “approved” way to do things.

The support manager recommended that I instead use the Exchange Management Shell to entirely remove the Autodiscover Virtual Directory using Remove-AutodiscoverVirtualDirectory. Here’s how I did that:

1. Open an elevated command prompt and back up the IIS configuration (explained here):

%windir%\system32\inetsrv\appcmd.exe add backup "Before Removing Autodiscover"

2. Open an elevated Exchange Management Shell and retrieve the current autodiscover virtual directory:

>Get-AutodiscoverVirtualDirectory | fl Name, Server, InternalUrl, Identity

Copy the Identity value to the clipboard.

3. In the Exchange Management Shell, remove the autodiscover virtual directory:

Remove-AutodiscoverVirtualDirectory –Identity <identity value retrieved above>

You will have to confirm by typing a “Y”.

4. Check that the autodiscover virtual directory is gone:

Get-AutodiscoverVirtualDirectory | fl Name, Server, InternalUrl, Identity

This should now return nothing.

5. Now, with Outlook running on a desktop, hold the Ctrl button, right-click on the Outlook icon in the system tray, and select Test E-mail AutoConfiguration. Enter your email address and password and click the Test button. The results should come from the Office 365 server.

These tests are from speedtest.net and Visualware’s VoIP test. Unless noted, I used Los Angeles servers, and all tests route through a local Cisco gigabit switch and a Netgear FVS318v1 firewall/router.

DSL Extreme

Pretty good for a 6000/768 line. Note the low 19ms ping.

Very low jitter and no packet loss leads to a “Radio quality” VoIP score.

Cox

Cox speeds varied the first day but have stabilized at around 6.5 down. The 3.2 upload is over twice the rated speed. At 33ms, ping is a higher than DSL Extreme but still pretty fast.

Jitter seems to vary a lot, testing from 1.5 to 3.7, always with no packet loss, and always in the “Standard quality” VoIP range. Time will tell how VoIP sounds subjectively.

Cox Direct to Computer

In fairness to Cox, I should mention that its speeds are much faster when connected directly to a computer. The average is over 10 down (testing against a Dallas server), and occasionally speed spikes to 25+ (probably due at least in part to Cox’s PowerBoost® feature):

As best I can tell, the bottleneck here is my old Netgear FVS318v1 router. The specs on its WAN port are only 10 Mbps, although the Cisco switch reports a 100 Mbps connection. According to posts like this one, even the later FVS318v3 with a 10/100 port still only does 12.5 Mbps from WAN to LAN. A more powerful router with a WAN-to-LAN throughput above 30Mbps would probably yield much faster results through the router.

“There was a problem processing your request.”

Ironically the only solution offered is to create a Service Request.

As I was talking to Microsoft Support, I realized that this might be similar to the Forefront login error I had been getting. There, the solution was to add the site to the list of Trusted Sites. Sure enough, once I added https://portal.microsoftonline.com to the list of Trusted Sites in Internet Explorer 8, I was able to create a Service Request using the online form.

Add to Trusted Sites

1. Under Tools > Internet Options, click on the Security tab, click on Trusted sites, then click on Sites:

2. Add https://portal.microsoftonline.com to the list of Trusted Sites.

“We apologize for the inconvenience but we have encountered an error”

The first two links on the page also give errors.

Apparently the Forefront site uses ActiveX or other restricted technologies. Once I added https://*.messaging.microsoft.com to my Trusted Sites list in Internet Explorer 8, I was able to get into the Forefront admin center.

Add to Trusted Sites

1. Under Tools > Internet Options, click on the Security tab, click on Trusted sites, then click on Sites:

2. Add https://*.messaging.microsoft.com to the list of Trusted Sites.

Session Expired Error

You can launch Forefront from the Office 365 Exchange admin area, under Mail Control > Rules, by clicking on the link Configure IP safelisting…

However, if you have been logged in to Office 365 for a while, you may get the message, “We are sorry but your session has expired”:

That’s confusing since you haven’t even started a Forefront session yet! Apparently Forefront is trying to use the Office 365 session, but the Forefront session times out much faster than the Office 365 session. You can work around this in two ways:

• Log out of Office 365, close and re-open Internet Explorer, log back in to Office 365, and immediately go to Forefront.
• Use this link to open the Forefront admin center directly:
  https://admin.messaging.microsoft.com

Update August 26, 2011 There is now an updated version of this article:

Using Office 365 in an SBS 2008 Environment, Take 2

Getting Mail to Leave SBS

As long as Exchange is running on your SBS server, it will greedily grab any outbound mail sent to your domain, without any respect for public MX records. Name resolution apparently goes through Active Directory, since there is no MX record in the internal DNS. The simplest solution? Send the email to an account outside your domain, then configure that account to forward the mail back to your (now cloud-based) main account. For the SBS daily report, you can configure this on the SBS Reports tab:

Getting Outlook to Autodiscover Office 365

This one turned out to be trickier. Even after configuring the public CNAME for autodiscover.mydomain.com to point to Office 365, when I tried to add an account to Outlook, it kept connecting to Exchange the SBS server. Office 365 requires the use of autodiscover, so manual configuration is not an option. How do I get Outlook to discover my new Office 365 account?

This article gave me the clue I needed:  in a domain environment, Outlook looks first to Active Directory to find the autodiscover location. So with some trepidation, I modified the autodiscover attribute in Active Directory. So far it seems to be working—Outlook now uses the autodiscover.mydomain.com and correctly connects to Office 365. Here’s what I did to make that happen.

1. In Active Directory Sites and Services, click on the fist line (Active Directory Sites and Services), then select View > Show Services Node from the menu.

2. Under Services, navigate to the Autodiscover node:

3. Right-click on your server name and select Properties. On the Attributes tab, find the serviceBindingInformation attribute. You will see that it points to remote.mydomain.com, which SBS’s internal DNS resolves to the server’s local IP address:

4. Change the serviceBindingInformation to point to http://autodiscover.mydomain.com:

Now when you add an account in Outlook 2010, it should use the information returned by autodiscover.mydomain.com.