But I didn’t. Sleep, that is.

(following on from the last post)… I was too wired. Instead, I hit the ISA newsgroups again, and picked up a couple of fascinating questions.

A couple of people had VPN problems with ISA 2004, but it turns out that the problems are different (and not obvious) – I’m still working through them with the people involved. Generally in newsgroups, I try to offer the most generally useful advice I can without getting too specific, so that if someone’s looking for something that’s not quite identical, they’ll at least be able to gather enough information on troubleshooting or how something works to build their own solution. Occasionally, though, I’ll engage beyond that level and drill in… Different folk have different styles.

Another interesting (gotta start using a thesaurus) question covered Forms Based Authentication (FBA) for Outlook Web Access (OWA) on ISA 2004, which is a new authentication type with that release – I posted a fairly hefty chunk on what I learned to the newsgroup, and I’ll clean it up and repost it here for the Web searching crowd later.

And then there’s my day job… A busy week, a week in which the cold and flu medication threatened to control me, but a good one, and now I’m on the mend, thanks for asking. 

Now I’m off to watch Dr Who for a nice relaxing Friday evening…

ISA 2004 Access Rules: A Self-Contained Universe of Possibility

NB I’m on cold & flu medication, so please forgive me if I’m a tad scattered, or even weirder than usual. I was having fevered semi-dreams of something to do with a wireless access point, and somehow, every time I swallowed, the clients disconnected. And it was an important customer. Enough, I thought, and hit the newsgroups.

Right. Back to the topic at hand. ISA 2000 has a really straightforward (once you’ve “got it”) rule infrastructure that I’ve blogged about before (bypassing proxy authentication). At the end of the day, you get the intersection of (Any applicable protocol rules) and (Any applicable site and content rules) – they all apply to each other.

But there are many situations in which you’d really like to be able to fine-tune a rule set, so that – for example – Barry can do FTP (and, say, Telnet) to www.example.com, but can’t actually browse to www.example.com using HTTP. With ISA 2000, if the user has protocol access, then they can use that protocol to anywhere the Site and Content rules let them go. So Barry would usually end up having the same effective permissions to FTP as HTTP as Telnet as anything else…

With ISA 2004, each access rule is a self-contained universe of possibility. (Yes, I can taste the colours at the moment.)

Rules are processed in the order you specify (first match wins), and each rule contains the equivalent of a Site and Content + Protocol Rule combination in ISA 2000 speak, so you can create two rules for Barry that achieve the combination above. No mess, no fuss.
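To make the difference concrete, here is a small model of the two evaluation styles (an added example of mine, not ISA code): ISA 2000 as the intersection of two separate rule tables, ISA 2004 as an ordered list of self-contained rules where the first full match wins and the built-in Default rule denies whatever nothing else matched. Barry, www.example.com and the rule names are made up for the illustration.

```python
from dataclasses import dataclass

ANY = "*"  # wildcard for "all users" / "all protocols" / "anywhere"

@dataclass(frozen=True)
class Request:
    user: str
    protocol: str  # "HTTP", "FTP", "Telnet", ...
    site: str      # destination host

def _matches(value, allowed):
    return ANY in allowed or value in allowed

def isa2000_allowed(req, protocol_rules, site_rules):
    """ISA 2000 model: protocol rules and site/content rules are separate tables; a request
    passes only if a rule in BOTH tables covers it (the intersection the post describes)."""
    proto_ok = any(_matches(req.user, u) and _matches(req.protocol, p) for u, p in protocol_rules)
    site_ok = any(_matches(req.user, u) and _matches(req.site, s) for u, s in site_rules)
    return proto_ok and site_ok

@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str  # "allow" or "deny"
    users: frozenset
    protocols: frozenset
    sites: frozenset

def isa2004_evaluate(req, rules):
    """ISA 2004 model: ordered, self-contained rules (user + protocol + site); the first rule whose
    three parts all match decides. No match falls through to the built-in Default rule, which denies."""
    for rule in rules:
        if (_matches(req.user, rule.users) and _matches(req.protocol, rule.protocols)
                and _matches(req.site, rule.sites)):
            return rule.action == "allow", rule.name
    return False, "Default rule"

BARRY = frozenset({"Barry"})
EXAMPLE = frozenset({"www.example.com"})
PROTOCOLS = ("FTP", "Telnet", "HTTP")

# Barry's ISA 2004 policy: FTP/Telnet to www.example.com, HTTP anywhere EXCEPT www.example.com.
BARRY_RULES = [
    AccessRule("Barry FTP+Telnet to example", "allow", BARRY, frozenset({"FTP", "Telnet"}), EXAMPLE),
    AccessRule("Barry no HTTP to example", "deny", BARRY, frozenset({"HTTP"}), EXAMPLE),
    AccessRule("Barry HTTP anywhere", "allow", BARRY, frozenset({"HTTP"}), frozenset({ANY})),
]

def barry_isa2000(site="www.example.com"):
    """Closest ISA 2000 can get: once Barry has a protocol, he has it to every site he is allowed."""
    protocol_rules = [(BARRY, frozenset(PROTOCOLS))]
    site_rules = [(BARRY, EXAMPLE)]
    return {p: isa2000_allowed(Request("Barry", p, site), protocol_rules, site_rules) for p in PROTOCOLS}

def barry_isa2004(site="www.example.com", rules=BARRY_RULES):
    """Same question under ISA 2004; pass rules=BARRY_RULES[::-1] to see why order matters."""
    return {p: isa2004_evaluate(Request("Barry", p, site), rules)[0] for p in PROTOCOLS}

if __name__ == "__main__":
    print("ISA 2000:", barry_isa2000())
    print("ISA 2004:", barry_isa2004())
    print("ISA 2004, rules reversed:", barry_isa2004(rules=BARRY_RULES[::-1]))
```

Reversing the list lets the "HTTP anywhere" rule match before the deny, which is exactly the ordering mistake to watch for when you build a rule set like this.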

Happy sigh. Wonder if I’ll be able to sleep now.

I’m Barnacular.

That word is mine now.

Ben The Virtual PC Guy has another post on OS nostalgia. It’s starting to make me feel old!

I’m really enjoying his blogs, because – at least so far – I share similar experiences. Back in the Good Old Days, I coaxed Windows 3.0 into running in Real Mode (remember when Windows had a Real Mode?) in 640×200 CGA mono, on my 640K XT. It was an event, I can tell you. It wasn’t really useful for much once I had it running, and I never quite got the mouse support working right, but hey, it was more an experiment in “could it be done?” than productivity. With that accomplished, I went back to more achievable goals – I think Speedball 2 was the game of the moment…

Wow. Can I ramble? Yes you can!

So I’m wondering if I’m already a barnacle. Probably. I don’t think there’s much shame in being a barnacle. Anyway, looking at the referrer logs, there’s some interest from The Web Search Kids about getting old games working, so I have my post topics laid out for me! (Hmm… unless Ben beats me to it. In which case, it’s on.)

Update: Since firing up the DOS VPC I had from last year’s experiments, it seems that some of them don’t want to work in various ways (I blame my recent processor upgrade). Pity. Still, if at first you don’t succeed (and have a serious nostalgic bent) try the excellent DOSBox – it’s the other half of my nostalgic gaming toolkit.

Ben Armstrong – Virtual PC Guy – blogs about games in Virtual PC (a Ninja Feature!)

(Wild divergence warning – skip to Back To The Topic At Hand if you don’t want to read about my childhood)

I sometimes raid my collection of 200+ game CDs (yes, all purchased legally) to dig out some of the old DOS games I grew up with.

It often happens at this time of year. While growing up in England, my birthday was the cold end of Autumn; here in Oz, it’s at the warm end of Spring. The smells of Aussie Spring were something new, and different, and memorable, and I think they’re what get me onto my bi-annual nostalgia trip.

Shortly after we moved out here, (I think it was my 12th birthday), I was given the newly-released Ultima V, to play on the family 640K 10MHz (Turbo!) PC clone (CGA in glorious shades of green) with twin 360K floppy drives (luxury!). It didn’t work immediately due to the copy protected disks claiming I wasn’t using a real one, but I ended up developing a ritual of six steps that culminated in the game running correctly every time (something like boot skipping one line in Config.sys, disable Turbo, switch to B:, Dir, back to A:, Dir, B:, run ULTIMA, and after the title screen, I could re-enable Turbo… can anyone spot the key item there?), before eventually working out what was up, and whittling it back down to one step!

That time of year became synonymous with a gaming binge, rebelliously refusing to go outside and do “normal, healthy” things. And I fondly remember the struggles with config.sys, autoexec.bat, and (eventually) the struggle to fit everything into 40MB of hard disk space…

I apologize for my wild divergence from the topic at hand.

Back To The Topic At Hand

So anyway, Ben Armstrong (VPC PM) is blogging on running The Classics in a VirtualPC environment. He’s started with the precursors to Command and Conquer (which from memory was almost the Duke Nukem Forever of its time (this was before Strike Commander, mind you)) – Dune (by Cryo), and Dune II (by Westwood). Both were stunning, though in different ways – I got Dune II in my Command and Conquer Collector’s Edition a few years back.

I find VPC excellent for games because it emulates The Standard Hardware of the pre-Windows 95 era: A Soundblaster, an S3 video card, and nice, standard IRQs and IO port assignments. Unlike my succession of lowest-possible-cost component computers that I had to fight tooth and nail to convince to work with most games**, Virtual PC generally Just Works.

For the DOS games, you may need to brush off your leet Config.sys and Autoexec.bat hax0ring skillz to build that sexy boot menu that us late DOS-era folk remember so fondly so that games with different requirements (do The Kids these days remember that? I hope not!), or just run different VPCs for each game (oh! the sheer hedonism of it all!) instead of resorting to that most shameful of admissions of defeat: The Boot Disk.

So anyway, VirtualPC’s ability to run pretty well all the older DOS games I’ve thrown at it gets one of the rapidly-becoming-overused Ninja Feature awards. 

It's a Ninja Feature!

Now go subscribe to Ben’s blog!

** my 386 w/ 40MB hard disk and 2MB RAM didn’t have cache due to a communications difficulty with the salesperson, and the VGA monitor didn’t support the same resolutions and modes as the card; my Thunder Board wasn’t quite 100% SB compatible; the $300 Creative Music System (Game Blaster) wasn’t $500 Adlib compatible (but it often sounded better, IMHO); the Wave Blaster never quite sounded right; my 486DX2’s motherboard proved incompatible with various versions of the DOS/4GW DOS extender (Doom, TFX, Frontier, Crusader…); the list goes on…

Tablet PC: Got Collateral?

I just went out and saw Collateral.

I really enjoyed the movie, and found myself wondering if Scoble had seen it, while watching the scenes where Vincent was working on a Tablet PC.

I was trying to come up with a positive marketing message from it. “Tablet PC: Good for visiting old friends and collecting signatures”…?

Still, another good Michael Mann film…

Ninja Feature: Remote Web Workplace in SBS2003

Remote Web Workplace is (in my humble opinion) The Ninja Feature of SBS2003. In fact, it gets the inaugural EBTDF Ninja Feature award for being so cool.


It's a Ninja Feature!


Thanks to Susan Bradley for putting me on to it.


Let me say right now – if you’re using Small Business Server 2003, and you were thinking of fiddling around with TSWeb, hacked connection pages and port mappings, don’t!


Use Remote Web Workplace instead. It’s (often) as simple as “running the CEICW”, which SBS people tell me that other SBS people will understand (the Email and Internet Wizard).


What Is Remote Web Workplace?


It’s a web portal through which authenticated users can access:


 – Remote Desktop to internal WinXP Pro boxen and Terminal Servers (on tcp port 4125)
 – Outlook Web Access
 – Sharepoint (on port 444)


In short, the idea is that using one or all of the above, you can do anything you can do while in the office, from anywhere (alright, close to anywhere!).


The portal looks a lot like this when you’re connected as a user:



Now, I’m assuming everyone’s familiar with OWA; if not, there’s a plethora of information on it, ready for the searching (start at http://www.microsoft.com/exchange/owa/) – in really simple terms, it’s a browser-based version of Outlook connected to your Exchange server.


While OWA’s cool and all, the bit I’m really impressed/happy/interested with is the Remote Desktop access to internal computers. Without having to hax0r the TSWeb connection page or forward ports manually!


Not Your Father’s TSWeb


In real simple terms, RWW provides an RDP Proxy for incoming RDP connections. So the same external port can be used by multiple internal clients, which isn’t otherwise possible.


RDP is Remote Desktop Protocol. It’s the protocol that all the little TS Clients use to draw the screens from the big Terminal Servers, and also how the Remote Desktop client connects to a Windows XP Pro machine with Remote Desktop enabled.


Once you’ve got it set up, here’s how RWW works: (note: my brand-new understanding – if in doubt, believe the docs over me).


Using IE, you make an HTTPS connection to the Remote website on the SBS box (https://www.example.com/remote).


You submit your user credentials (which are protected from external snooping using SSL), and these are used to authenticate you and work out what options you’ll be given on the RWW page.


Once authenticated, you’re staring at something akin to the screenshot above.


You click the “Connect to my computer at work” item, and are presented with a list of Remote Desktop enabled computers in the Active Directory:



You pick the computer you’re interested in, and hit Connect.


What happens here is even more interesting: you’re directed to a TSWeb connection URL, the TSWeb ActiveX control fires up (it may need to be installed on the way), and then it connects to the RDP proxy on tcp port 4125 – not the regular TS port of 3389 (remote administration of the SBS box itself still happens on 3389, though).


The RDP Proxy creates a connection to the target computer, at which point you’re prompted for your username and password again to log you onto the computer (unless you’ve ticked the “Log on to selected computer” option, as above). Then, you can do whatever you want, as if you were sitting at your work PC. Magic.


I need to note at this point that you’re using straight RDP from the client to the SBS server, with RDP encryption (RC4, up to 128-bit keys) – the RDP is not additionally encrypted over an SSL tunnel – the connection to the RWW portal is made over SSL, but this is a different connection again.


This does mean that if you’re on a network that doesn’t allow 4125/tcp outbound (and let’s face it – it’s not exactly a port everyone recognizes yet), you might need to politely request that you’re allowed to use it. Please. Nice Mr Firewall Man.
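The “one external port, many internal computers” point is easier to see with a toy version of the proxy hop. This is an added example of mine, not SBS or RWW code: a single loopback listener stands in for the proxy on 4125, two fake backends stand in for internal PCs on 3389, a first-line “which computer” selector stands in for the choice you made in the portal, and the proxy refuses any name that isn’t on the list the portal offered. Computer names and the greeting exchange are constructed.

```python
import socket
import threading

# Constructed model of the RWW picture, not SBS code: one external listener (RWW's tcp/4125) fronts
# internal PCs that each "listen on 3389". Target names and the greeting exchange stand in for RDP.
BACKENDS = {}  # name -> (host, port) of a fake internal PC, filled by start_backend()

def _listener():
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # loopback only, ephemeral port
    srv.listen(5)
    return srv

def _serve(srv, handler):
    """Run an accept loop on a daemon thread; it ends when the listening socket is closed."""
    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()

def start_backend(name):
    """Fake internal Remote Desktop PC: answers whoever connects with its own name."""
    srv = _listener()
    def handle(conn):
        with conn:
            conn.recv(1024)
            conn.sendall(f"desktop of {name}\n".encode())
    _serve(srv, handle)
    BACKENDS[name] = srv.getsockname()
    return srv

def start_proxy(authorised):
    """The RDP proxy: the first line names the computer picked in the portal; the proxy opens its
    own connection to that internal PC and relays, refusing names outside the portal's list."""
    srv = _listener()
    def handle(conn):
        with conn:
            target = conn.makefile("rb").readline().decode().strip()
            if target not in authorised:
                conn.sendall(b"refused: not in the portal's computer list\n")
                return
            with socket.create_connection(BACKENDS[target]) as inner:
                inner.sendall(b"hello\n")
                conn.sendall(inner.recv(1024))
    _serve(srv, handle)
    return srv

def connect_through_proxy(proxy_port, target):
    """What the TSWeb control does after 'Connect': one TCP session to the single proxy port."""
    with socket.create_connection(("127.0.0.1", proxy_port)) as s:
        s.sendall(target.encode() + b"\n")
        return s.makefile("rb").readline().decode().strip()

def demo():
    backends = [start_backend(n) for n in ("PC-ALICE", "PC-BOB")]
    proxy = start_proxy(authorised={"PC-ALICE", "PC-BOB"})
    port = proxy.getsockname()[1]
    results = {t: connect_through_proxy(port, t) for t in ("PC-ALICE", "PC-BOB", "PC-NOTLISTED")}
    for s in backends + [proxy]:
        s.close()
    return results
```

Note that the client side only ever talks to the proxy port, which is why 4125/tcp is the one hole you need outbound; the second hop to 3389 happens inside the network.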


More info on RWW:


For more information, start with the Support Webcast. Then set it up!


!Highly Recommended! Remote Web Workplace: The Support Webcast
http://support.microsoft.com/default.aspx?kbid=833983


(if the images seem familiar, well, that’s because they are…)


Help Your Team Work From Home (without breaking their legs)
http://www.microsoft.com/australia/smallbusiness/issues/running/productivity/home.mspx


Matt Hyunh’s mentioned RWW before – in fact, to date a whopping 50% of his blog posts have mentioned it. Might be worth watching!


It’s good. Go play.

Paint.NET Is Good (and 1.1 is out now)

I fairly frequently need to use an image editing application for random minor acts of vandalism (see links at left for examples), or just formatting and saving blog images.

I’ve had Paint.Net 1.1 RC1 installed for a while, but hadn’t remembered to try it for anything.

Today I needed to edit text in a way MSPaint couldn’t possibly accomplish, so fired PdN up to see what it could do.

Well, I’m sold. It’s cool enough for me. It looks clean, it’s intuitive, and it does layers.

If you’re in the market for a no-cost Paint replacement that doesn’t suck, give it a try! Download.

ISA 2004: FTP Uploads are off by default. Mostly.

Something I ran across before work: With ISA 2004, the FTP filter is a slightly different beast from ISA 2000.


In ISA 2000, the FTP Application Filter added two distinct protocol definitions: FTP, and FTP Download Only. You could assign permissions to either to allow a user to upload, or not.


With ISA 2004, there’s only one FTP client protocol, and left alone it defaults to read-only (e.g., PUTs and DELETEs won’t work, they won’t make it to the FTP server).


This comes up in what I like to call the “gaming configuration” of ISA, where all IP traffic is allowed without being specified. It’s a no-mess, low-fuss configuration. So, the question becomes: how do you configure the FTP filter?


It’s easy, just hidden out of view – in Firewall Policy, get the properties of your Allow Everything rule.

Allow Everything? Why not!

Go to the Protocols tab, hit the Filtering button, and pick Configure FTP from the list.

Clicking Configure FTP

Untick “Read Only”, OK lots, Apply, you’re done. No exploding keyboards.

Dialog Envy

It’s the type of dialog that makes me glad we don’t make them from paper.


If you upgraded from ISA 2000, the filter settings are translated based on your old settings:



Q.Are application filters migrated?
A.Yes, as follows:
FTP Access filter. Protocol rules for FTP, and protocol rules applying to FTP Server are migrated to access rules with read-only disabled. Protocol rules applying to FTP download are migrated to access rules with read-only enabled.


Pasted from <http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/faq-installupgrade.mspx>
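For anyone who wants to see what “Read Only” actually does on the wire, here is an added model of mine (not ISA code) that runs a constructed FTP control-channel session through a read-only filter and encodes the upgrade mapping from the FAQ above. The post only names PUT (STOR on the wire) and DELETE (DELE) as blocked; the fuller write-command set is the RFC 959 list and is an assumption to check against the product docs.

```python
# Constructed model (not ISA code) of what the FTP filter's "Read Only" tick box means on the wire.
# The write set is the RFC 959 commands that change the server; the page only names PUT (STOR)
# and DELETE (DELE) as blocked, so the rest of the set is an assumption to check against the docs.
WRITE_COMMANDS = {"STOR", "STOU", "APPE", "DELE", "RNFR", "RNTO", "MKD", "RMD"}

def filter_ftp_session(lines, read_only=True):
    """Pass client control-channel commands through the filter; returns (forwarded, blocked)."""
    forwarded, blocked = [], []
    for raw in lines:
        line = raw.rstrip("\r\n")
        verb = line.split(" ", 1)[0].upper()      # FTP verbs are case-insensitive
        if read_only and verb in WRITE_COMMANDS:
            blocked.append(line)                  # dropped here; the FTP server never sees it
        else:
            forwarded.append(line)
    return forwarded, blocked

def migrated_read_only(isa2000_protocol):
    """ISA 2000 -> ISA 2004 upgrade mapping, as in the FAQ answer quoted above."""
    return {"FTP": False, "FTP Server": False, "FTP Download Only": True}[isa2000_protocol]

# Constructed session: a client browses, downloads, then tries to upload, rename and delete.
SESSION = [
    "USER barry\r\n", "PASS secret\r\n", "CWD /pub\r\n", "LIST\r\n", "RETR readme.txt\r\n",
    "stor report.xls\r\n", "RNFR readme.txt\r\n", "RNTO old.txt\r\n", "DELE old.txt\r\n", "QUIT\r\n",
]

if __name__ == "__main__":
    fwd, blk = filter_ftp_session(SESSION, read_only=migrated_read_only("FTP Download Only"))
    print("forwarded:", fwd)
    print("blocked:", blk)
```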


And that’s it…


[Updated 6 Jun 2005] Kevin Weilbacher notes that this happens when you upgrade SBS 2003 Premium to SP1, which includes ISA 2004 as one of its components.

Upgrade Nightmare: The Parental PC

My parents’ Celeron 800 was getting a little long in the tooth, so I figured I’d upgrade their PC as a “welcome home” present.

I got them a new AMD Sempron 2400+, 512MB DDR RAM I had left over from my last upgrade, a new Gigabyte motherboard, and a Radeon 9600SE. They had a reasonably newish hard drive, so no need to upgrade it or the case. Cheap components, but still a respectable upgrade.

I figured it’d take around two hours to upgrade the whole thing, tops, so I arranged to go around to their place at 7:30, have dinner, and then start work.

The old motherboard came out in about 20 minutes flat, and the new one went in in about 5 minutes. So far so good. About 4 cards came out, only one new card went in, and it was the optional AGP video. That’s progress.

All the components were reconnected, I had a quick run through connecting the Front Of Case stuff (power, reset, speaker, USB), and then hit the power button.

Nothing. Bugger. At this point my parents perk up and start helpfully standing nearby and watching with concerned expressions.

The CPU fan wasn’t moving, which basically says “screwup”. Still, I’ve had similar problems before, and they’ve been fixable (e.g., loose expansion card, bad connection, short)…

I unplugged everything except the FOC stuff – still nothing.

Flash forward half an hour of plugging, unplugging, plugging, and so on, and I’m troubleshooting what I think is a short, part of the motherboard touching the case. It never works when screwed in, but always works when not.

I’m working through one more iteration of “screwed in”, adjusting the last screw, next to the power supply. The live, I-forgot-to-turn-the-power-point-off power supply. The one with the soft-off switch only.

There’s a loud Zap, a flash of purple-white arc flames between screwdriver and power supply, a surprised yelp from me, and then nothing.

Smoke wisps up from the power supply, bringing with it the smell of ozone and burning component. My parents are checking I’m not shocked or anything. I’m cursing my own stupidity (keep the case grounded by being plugged in and switched OFF! Plugged in and switched OFF!), and wondering where I can get a power supply from at 9:30 at night.

My parents had had some problems with their old case while in the US, and the tech (who didn’t know what an Event Log was or what “Disk” errors meant, but was happy to recommend Windows 2000 over XP for unspecified reasons) had diagnosed the “case and power supply and motherboard” as being the problem, so had replaced it all. My folks, paranoid by my instruction, had actually had the old case shipped back here. So, I took a look at the power supply, and – wouldn’t you know it – it’s perfect. The case on/off switch was sticky, but I guess $US300 to fix it was reasonable*.

After swapping over the power supplies, I’m able to put power through it, and also notice that I’ve misread the manual on the USB port front. So I plug the USB connector in the other way around, and whop! Power.

Then, of course, there’s the Stop 0x7B that XP puts forward when working with a completely different hardware platform, but we’re now at the point where we should have been about two hours ago.

I just reinstall XP using the Repair option (40 minutes), but it wants Activation. Bugger. I reinstall XP SP2 in Safe Mode, but it still wants activation (I thought there was meant to be a 3 day grace period post-SP2, but apparently not), and there’s no Internet connection yet.

Dreading reading numbers to someone, I call Activations on 13 20 58, and am pleasantly surprised when the whole thing is done by telephone keypad, with no mess, no fuss, and no miscommunications. No Humans, in other words.

Finally, at 11:30, we’re done. Or So I Think.

The printer, an OfficeJet T45 All-In-One Fax, Scanner, Kitchen Sink and Copier, no longer works. It bitches about a communication problem. The Print Troubleshooter can’t find a problem (and it even prints from a command prompt), it’s only the custom HP stuff that doesn’t believe the printer is connected, please try another cable.

I wandered out at about 1am, the printer still broken. I’d tried SPP, EPP, ECP, port jiggling, cable unplugging and replugging… nothing worked. The parallel port was very near the screw that got fried. Very near. Support forums seem to indicate that other motherboards have had similar issues under Windows 2000/XP with the same (aging) printer, but I’m not sure. I can never be sure.

My parents took it like losing a child. There’s something about people of that generation and printers that I just don’t understand, but there it is.

The next day, I ordered them a new one (USB – the sooner the parallel port goes away, the better) for only $200 from HP (no Fax, but they didn’t use it anyway).

So, lessons learned:

 – ALWAYS turn the power to the case off at the power socket, or the power supply, while working on the innards. Earthed-but-not-live. Earthed-but-not-live.
 – If you’re not seeming to get any power, check the USB connectors are plugged in the right way around. The manual may help.
 – Always multiply the estimated time taken to upgrade a parental unit’s computer by 3. Be happily surprised if you go under!
 – If you’re upgrading a PC, consider upgrading the printer at the same time.

Sigh. Still, it works really well now. Apart from the printer (new one isn’t delivered yet). And my parents still look at me funny.