Bandwidth Management on SonicWall NSA 240

Recently, we expanded Public Wireless to all our campuses. We really hammer our network on the weekend when we push video across it and I didn’t want public Wi-Fi traffic to become a problem. We have some access lists on our Cisco routers that do some time-of-day/week bandwidth throttling but it was kind of a pain to set up. So, I decided to see what I could do at the source. I was surprised at how easy it was to implement Bandwidth Management on our public wireless using our SonicWall NSA 240. Here’s how I did it. Your mileage may vary.

Step One. Log into your SonicWall. I know, it’s a big step.

Step Two. Navigate to Network –> Address Objects and create an “Object” to match your Public Wireless Traffic. Click “Add…” under Address Objects.

I created an object called “PublicWiFi-Test” for this example and matched it to traffic on network which is the IP address range of our Public Wi-Fi traffic.  You can match to a number of other identifiers as well.

Step Three. Navigate to Firewall –> Access Rules. Change the view style to “All Rules” and then click “Add”.

Now is when we actually tell the SonicWall what we want to do with the Public Wireless Traffic. In the window that comes up, fill out the fields like I have below. What we are doing is telling the firewall to process traffic that is from the LAN to the WAN, from any Service, matching the PublicWiFi-Test object that we defined earlier, to any destination.

On the “Advanced” tab, leave everything at the default, but check “Create a reflexive rule” so that inbound traffic will be matched as well.

On the QoS tab, change the DSCP Marking Action to “Explicit”. Then change the “Explicit DSCP Value” to “0 – Best effort/Default”. That way, if you have other policies downstream that mark or generate traffic with a higher DSCP (like video), the PublicWiFi traffic won’t interfere with your video feed.

Now, on the Ethernet BWM tab, you will actually configure the Bandwidth Management. Check the first box and then enter a percent or Kbps value for the Guaranteed bandwidth and the Maximum Bandwidth. This first section applies your settings to “Outbound” traffic or, in Internet terms, Upload Speed. One MB should be a good cap. You can also set the “Bandwidth Priority” to 7, which is the lowest. I’m not sure which takes precedence since you already set a value in the QoS tab. Now, check the next box and set the download values. At the bottom you can check “Enable Tracking Bandwidth Usage” if it makes you happy. Click OK and you’re ready to go!

Step Four. You can now test your new policy by going to a site like http://www.speakeasy.net/speedtest/. If you’ve done it right, your upload and download numbers should match the numbers you set in your policy. On my first try I had the values reversed.

So, that was easier than I thought it was going to be.  I took it one step further because we have multiple campuses with different IP schemas right now for wireless. I created more address objects and added them to an Address Group.  I then changed the setting in my policy to reference the Address Group instead of the single Address Object.  The issue I see with this is that all traffic that matches these limits will share that bandwidth cap. So, if I have 4 public clients, their bandwidth would be (2048 Kbps / 4) or 512 Kbps. I’ll have to play around with things and see how it goes. You can set the policy to a schedule so I might just have it be active on the weekends.

I hope this helps someone. If it does or you have questions, leave a comment.


Lock screen & start screensaver

Sounds like a simple task, doesn’t it? For years I have just pressed the Windows key + L and locked my computer. But, like any proud father, I didn’t want to wait 15 minutes for the photos of my kids to start scrolling across my dual monitors (a great free photo screen saver for dual monitors is gPhotoShow.com). All I wanted to do was lock my computer and start my screen saver at the same time. After all, even OS X can do that with Exposé. To my surprise, there is no built-in method to do that in Windows! Even if you make a shortcut to the screen saver, when you move the mouse, it goes right back to your desktop. So after some searching on different scripts, I came across a free app someone wrote that does the trick. Download sslaunch.zip from this WindowsITPro.com article, extract it, and move the SaveScrn.exe file to your desktop. Now, all you have to do is double-click it and your computer will lock and display your screensaver.



Local Mac User to an AD User

Local Mac User to an AD User that has the same short name
OS X 10.5.8 (Other versions may differ)

Here is the scenario. Mac User has a local account and his “Short Name” is muser and his Home Directory is muser as well. The problem is that when we join this computer to Active Directory, and Mac User logs on, it will want to make a Home Directory for him with the name of muser.

So, we have to delete the local Mac User user, but preserve his Home Directory. Then we have to move it to the network Mac User user and assign the correct permissions.

Step One. Join computer to Active Directory. There are many guides out there on how to do this. Official Apple docs http://docs.info.apple.com/article.html?path=ServerAdmin/10.5/en/c7od44.html

Step Two. Log in as a different Local Admin account than the one you want to change. If one doesn’t exist, create one. If possible, back up the user’s Home Directory before proceeding, just to be safe. Now go into System Preferences and then Accounts. Unlock things and then select “Mac User”. Now click the “-” to remove him. You want to select the middle option on the next screen, which is “Do not change the home folder (The home folder remains in the Users folder.)” Click “OK” and then log out.

Step Three. Click on the “Other” option at the Login screen and log in as the network Mac User account to create his profile. When you are asked to create a mobile account, click the “Create Now” button. Log out and log back in as the local Admin account you were using in step Two.

Step Four. Open the terminal and enter the following:
sudo rm -r /Users/muser
sudo mv "/Users/muser (Deleted)" /Users/muser
sudo chown -R muser /Users/muser

If this user should be a local admin, click the “Allow user to administer this computer” box under his profile. Log out.

Step Five. Log in as the network user and all your programs, data, and settings should be moved over to the new profile.

Step Six. You may have to fix the keychain. If there is an issue with getting prompted for the keychain password, go into utilities and then click on Keychain Access. Right click on the “Login” keychain and at the bottom of the list you will see “Change Password…” Once you click it, you will be prompted for the old password and then enter a new password.

Done. Now the Mac user will be able to change their network password, be prompted when it is about to change, and most importantly, be required to use one. Your mileage may vary, so test out these steps in the lab first.
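
An added example (not part of the original post) that wraps the Step Four commands with the checks a practitioner would want before touching a home directory. It assumes the account name is passed as the first argument, the users directory defaults to /Users, and the CHOWN variable is only a hook for rehearsing the script without root. Unlike the post's rm -r, it moves the freshly created network home aside instead of deleting it, so a wrong name costs nothing.

```shell
#!/bin/sh
# Added example, not from the original post: a checked version of the Step Four
# commands. Assumptions: the account name is $1, the users directory defaults
# to /Users, and the kept home is named "<name> (Deleted)" as OS X 10.5 does.
# CHOWN can be overridden (e.g. CHOWN=true) to rehearse without root.
set -eu
: "${CHOWN:=chown}"

# Succeeds only if the name resolves to an account: after Step Two the local
# account is gone, so this is the AD user created by the network login.
user_exists() { id "$1" >/dev/null 2>&1; }

# migrate_home NAME [USERS_DIR]
# Refuses to run unless both the kept home and the fresh network home exist,
# then swaps them and re-owns the data for the AD account.
migrate_home() {
  name=$1
  users_dir=${2:-/Users}
  kept="$users_dir/$name (Deleted)"
  fresh="$users_dir/$name"
  aside="$users_dir/$name.fresh-$(date +%Y%m%d%H%M%S)"

  user_exists "$name" || { echo "no account named '$name'" >&2; return 1; }
  [ -d "$kept" ] || { echo "missing '$kept'; nothing to migrate" >&2; return 1; }
  [ -d "$fresh" ] || { echo "missing '$fresh'; log in as the network user first" >&2; return 1; }
  [ -e "$aside" ] && { echo "'$aside' already exists" >&2; return 1; }

  # Keep the fresh home instead of rm -r, in case the wrong name was given.
  mv "$fresh" "$aside"
  mv "$kept" "$fresh"
  # Every file in the old home still carries the deleted local user's UID;
  # re-own it so the AD account can read its own data.
  "$CHOWN" -R "$name" "$fresh"
  echo "migrated '$kept' -> '$fresh' (previous home kept at '$aside')"
}

# Usage: sudo ./migrate_home.sh muser
if [ -n "${1:-}" ]; then
  migrate_home "$1"
fi
```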


How to deploy an Aruba Remote Access Point (RAP) Part 2

So in part one I gave the back-story, so now it’s on to getting this going. I’m using Aruba OS 5 on an Aruba 650 Controller with AP-61 access points. Your mileage may vary.

If you’re running Aruba OS 5, you don’t need any RAP licenses, which is great. Not so great if you bought them before OS 5 came out though. Good news is, they get turned into AP licenses when you upgrade to OS 5.

One more thing: since you will be deploying these access points in RAP mode, you won’t have some features. You won’t be able to tell how many people are on your system from that location, so I wouldn’t go more than a few APs. You can’t blacklist someone. I don’t think you can do heat maps (I’ll have to try this though). Also, because we are setting these APs up in bridge mode, they will use the local DHCP server and, if you have more than one AP, they need to be on the same VLAN. You will also have to take care of any extra security by using a local ACL on a switch or router.

Step One, log into your controller by going to https://aruba-master just to check that you have your DNS set up properly.

Step Two, navigate to Configuration –> Wireless –> AP Configuration.
Create a new AP Group by clicking on the New button. I’m giving it the name “RAP”. Click “Add” and then “Edit”.
Now, you will have to drill down to Wireless LAN –> Virtual AP and create a new Virtual AP. Click the drop down and select –NEW– at the bottom of the list. Then, give it a name. I’m going to use “test-vap_prof”, which is one I use for testing. After you click “Add”, you have to select the AAA profile and the SSID profile. You can use the same ones you used for your campus profile since you won’t change them. I’m going to use some test ones though. After you select the ones you want to use, click “Apply” in the lower right.

Now, drill down one level to the Virtual AP you just set up. The only setting you want to change is the “Forward mode” from “Tunnel” to “Bridge”. Click “Apply”.

Step Three, Set up the VPN. This is the step that kept throwing me off. Why do I need to set up a VPN connection between the AP and the controller if I’m on the local LAN? That’s just the way it is. If you don’t, the AP will never become a RAP on your AP Installation screen. This step is also what makes the controller push out the new RAP firmware to the AP. Navigate to Configuration –> Advanced Services –> VPN Services.

So, now that you’re on the VPN Services screen, you need to add an Address Pool. Just click “Add” under Address Pools. These addresses don’t have to be routable on your network. It’s probably better to pick ones that aren’t, so you don’t have any confusion either.
Click “Done”.

Now you need to set up the IKE Secret. Under IKE Shared Secrets, click “Add”. You can keep the Subnet and Subnet Mask as quad zero ( if you don’t have any other PSKs. Enter the IKE shared secret and then confirm it.
Click “Apply” in the lower right.

Step Four, navigate to Configuration –> Security –> Authentication to set up an internal user. Click on Internal DB on the left. Now you will see a section titled “Users”. You want to add one. Click “Add User”. It will auto-generate a username and password for you, but you will probably want to change them to something more meaningful.

You can leave the rest of the fields blank and click “Apply”.

Step Five. You are now ready to deploy the AP using the profile you created in step 2 and the VPN information you created in steps Three and Four. Navigate to Configuration –> Wireless –> AP Installation. Click the AP you wish to deploy as a remote AP and click “Provision”.
Now, in the AP Group field, select from the dropdown the AP group you set up in step Two.

In the Authentication Method section, select that you will be deploying a Remote AP by clicking the “Yes” radio button. When you do, it will allow you to fill in the IKE PSK and your user credentials you created in step Four. Make sure to uncheck the “Use Automatic Generation” box or you won’t be able to enter your username and password.

After you have that info entered, you can move on down to select the campus this AP will be deployed to (there is documentation on how to set these up in the user guide). Then, name it something meaningful, and click the “Apply and Reboot” button. The reboot will take a few minutes because that AP will get a new image pushed out to it.
If you have done things right, you should see your new APs deployed and in the correct group, and have an “R” in the flag section signifying that it is a “Remote Access Point”. I’ve blotted out the IP address for the remote AP, but it will be something in the range that you set up in Step Two.

Well, I hope this helps someone out there who is struggling through getting some remote access points up with their Aruba gear. This is the first enterprise-class wireless system I have worked with and, for the most part, it is a pretty good system. There are ones out there that make it a whole lot easier to do some of these more advanced features though.

How to deploy an Aruba Remote Access Point (RAP) Part 1

At The Chapel we put in an Aruba Wireless system last year (Aruba 650). It was a huge improvement to what we had which was a combination of Linksys and 3Com gear. We are now able to provide public and private wireless networks with just one wireless network. The enhanced management features you get with a controller based system are also huge time savers such as central updates, ability to find the number of clients on the network, and locate those clients in the building.

Well, since we liked the system and it was working for us, we decided to put some access points out at our new Lake Zurich campus, which didn’t have any wireless. It was easy enough to get things going: just plug the AP into the network, find it on the controller, and deploy it. Done.

Well, not quite. The Aruba system by default wants to set the APs up to tunnel back to the controller. This is part of what makes this system so easy to deploy. You don’t have to worry about what VLAN the APs are on or what their IP address is. The tunnel sends all traffic back to the controller to be routed. The issue is when you have a local resource like a file server, printer, or even a local internet connection: all your traffic goes back to the controller and then back to the local network.

We had a local Comcast internet connection at Lake Zurich we wanted to use without tunneling through two other campuses to get to the controller. Luckily, Aruba had a “Remote Access Point” license that was supposed to make deploying our AP-61’s easy. The key words are “supposed to”.

Aruba fails in the documentation department miserably for this RAP feature. I found out through my CDW rep that I could use my AP-61’s if I got a RAP license for each of them. (This is kind of expensive but now it is included free in the Aruba OS 5 release.) Next came configuring them. I tried following the documentation but it was all based on older versions of the software and kept referencing setting up firewall rules that are only available in their PEF license, which I didn’t have. They also didn’t have an example that matched my scenario of having everything on a private network. All the examples talked about using the VPN feature because you are going across the internet. I upgraded to Aruba OS 5, which had a wizard to deploy remote APs, but it didn’t work either.

So I tried and failed again and again. I even sent some bad configs to my APs that bricked them! After looking for the reset button I found out my APs didn’t have any! Stupid! After some research, I found out that I needed a special “Serial Over Ethernet (SoE) cable”, as Aruba calls it, and it had a schematic of how to make one. I gave it a try twice and couldn’t get it to work. I then had to fork out about $100 to get one from Aruba! Anyhow, they were back up and running finally, but I still didn’t have the RAP feature that I wanted and paid for.

So I called up support again and got someone who seemed to kind of know what I was trying to accomplish. We did a WebEx session and were able to get things going. Because this is getting to be a long post, I’ll show how to set this up in part 2.


Simulcast, Chapel Style

I’ve wanted to do a post for a while about how we do our Simulcast services at The Chapel, so here’s how we do simulcast, Chapel style.

What is our definition of “Simulcast” you may ask? Well, it is a “Live” remote viewing of our center and side screens. I put “Live” in quotes because we time-slip the service on some DVR’s first to give us some flexibility on playback. Usually it runs 2 to 10 minutes behind live.

So, here is the list of equipment involved in capturing, encoding, sending, receiving, decoding, and playing back our Simulcast feed.

  • Capture – Cameras are Sony PMW-EX3
  • Encode/Decode - HaiVision Hai1060 chassis with two MAKO-HD cards
  • Transport - All Cisco brand switches and routers over a 25 Mb Opt-E-Man circuit from AT&T
  • Record – 360Systems for the Center HD center feed and Sony DSR-1000 for the SD side

Before we get into more technical stuff, let me explain why we do Simulcast. Shortly after moving into our new building in 2004, we started having talks about “Phase 2” of expansion to fit all the new people who were coming to The Chapel. This is a great problem to have but we hadn’t expected to have it so soon and didn’t have the money to expand quite yet. We also didn’t like the idea of more and more people driving farther and farther to go to church each week.

About that time our Sr. Pastors started having some talks with some struggling churches in the area. Two had approached us and wanted to join what God was doing through The Chapel. At that time, we also receive a large donation specifically for our multi-site campaign. A church in Barrington had built a new campus and had their old building up for sale. So, the march was on and we went from one church in one location, to one church in 4 locations in one year!
The first year we did a tape/dvd delay for one of our campuses and did “sneaker net” transport. This worked alright but the quality just wasn’t there. Also, our Sr. Pastors were getting worn out running between the 3 other campuses each weekend. Three of our campuses were also running a week delay in service but this caused other problems for our tech teams and our church members as well.

So, that is what led up to us going to a live video simulcast on the weekends. Our pastors still preach 4 times a weekend (twice on Saturday and twice on Sunday) but with our 4 campuses, that comes out to 10 services! Our pastors alternate teaching from our two large campuses, which are Grayslake and Libertyville. One week, it will be live at Grayslake at the 9:00 am and simulcast everywhere else, and then it will be live at Libertyville for the 11:00 am and simulcast everywhere else. Then we switch the next weekend. Still crazy but much better than the alternatives!

So, onto the tech details that you all want to know. For cameras we use two Sony PMW-EX3 for the side iMag shots and one Sony PMW-EX3 with a different lens for the fixed center shot. All three of these cameras are HD, but we only project HD 1080i on the center screen at Libertyville and Grayslake. The screens are just so large we had to go HD to get the picture quality. The sides are Sanyo projectors that shoot 720p at Grayslake and Libertyville, and center and sides at Barrington and Mundelein.

Once the cameras capture the live service, it gets piped through what seems like an endless sea of cables and devices and then gets encoded and sent out to our other campuses. The gear we use for encoding and decoding our video is from HaiVision. At each campus we have a HaiVision 1060 chassis with two of their MAKO-HD cards. This system lets us do two simultaneous HD video streams, which come out to about 15 Mbps total. Currently we send 1080i and it gets scaled at the decode sites to match the projectors.

This signal then gets sent out onto the network to our other sites on multicast addresses to reduce network traffic. We have a 25 Mb Metro-Ethernet link from AT&T between each site which has worked well for us so far. We did have to make sure our internal network was rock solid and properly configured, and work out some issues with AT&T before we were able to get a video to stay stable for up to an hour.

At the receive sites, we have two DVRs that capture the service. We use a unit from 360Systems to capture the center HD signal and a Sony DSR-1000 that records the scaled-down SD side feed. There is a DNF that is used to manually synchronize the two feeds for playback. Synchronizing the feeds is one of the hardest parts of the whole process because if you are off by even a few frames, people can tell.

For our backup, we capture the sides of the Saturday service at Grayslake or Libertyville on a Mac Pro with an HD capture card. Once the service is over on Saturday night, the video file of the side screens gets sent over the network to the other sites for a backup just in case.

So that’s it. That is how we roll. I’ll have a post coming shortly about some Cisco IOS magic we had to work to make sure our network was up to the challenge of multicast video, voice, and data. If you have any questions or comments I would love to hear them. Our simulcast solution is constantly being improved and I’ll post any new developments when they happen.


Poor iPhone Call Quality

Since I got an iPhone, one of my biggest complaints has been coverage and call quality. Like most, I get low bars and bad sounding calls a lot. What really got me ticked at my phone and AT&T was that over the past few weeks I have been getting bad call quality even when I have 5 bars! People that I am talking to on the phone can hear me fine but all I hear is garbled speech and drops.

I've heard about half of the people with iPhones that I work with complaining of the same issues so I'm going to document the steps I have taken and what has worked and not worked.

  1. Do a hard reset. If you don't know what this is, you probably haven't done it. Hold down both the "Home" and "Power" buttons at the same time until your phone goes black. (Detailed Directions)
  2. If that doesn't work (It didn't for me), then do a backup and restore in iTunes for your phone. This worked for a day or two but the bad quality came back. (Detailed Directions)
  3. Go to a corporate AT&T wireless store and get them to replace your SIM card. This shouldn't cost anything. After doing this my call quality has been MUCH better. It could very well be a coincidence, so I'm going to have to give it a few days. You can find a corporate store by going here and selecting your ZIP and "iPhone" from the box.
    Update: Still having the same problem but a little less often.
  4. If you have tried all of the above, go to the Apple store and get your phone replaced. If you go to the Apple store first, you will waste your time because they will tell you to do steps 1-3 above.
I'll let you all know if Step #3 works for me or if I'm getting a new iPhone. I'm keeping my fingers crossed.

Getting the SIM replaced sort of helped. I haven't gone in yet to get my phone replaced and I'm trying one last thing. Someone tipped me off to the fact that if you turn 3G off, your calls will magically be clear again. This has worked but obviously points to some issue with AT&T's network or a design flaw in the iPhone.