Dear Google, since you provide no contact options, here is my problem

For many years I have used the Adsense program provided by Google to serve ads on websites that I run. In fact I was one of the earliest users. I have not earned a huge amount but have seen a regular flow of income, more than enough to provide my hosting costs.

Today I received a disturbing email, from a “no-reply” address. It reads as follows:

Hello,

This is a warning message to alert you that there is action required to bring your AdSense account into compliance with our AdSense program policies. We’ve provided additional details below, along with the actions to be taken on your part.

Affected website: sifa********.com

Example page where violation occurred: http://sifa********.com/drafted/enderby-filipina-teen-video/

Action required: Please make changes immediately to your site to follow AdSense program policies.

Current account status: Active

My first thought was that the email was not really from Google. However the email headers check out. And when I went to my Adsense dashboard I saw this:

image

OK, I thought, maybe my site has been hacked. But the domain is not mine. Nor does the IP number resolve to one that has anything to do with me. I looked up the domain; of course it is impossible to contact the registrant:

image

I traced the IP number to a UK-based ISP and considered emailing its abuse address. However I have not visited the site and do not know whether the content is legal or illegal, nor do I have any intention of visiting it.

What about Adsense? Well, although I have this warning, the only site that shows up in my performance reports is itwriting.com. And the only domain authorized to serve ads is itwriting.com:

image

What to do then? Clearly I cannot fix the issue as it is not mine to fix. Possibly the owner of the site has entered my email address or other details as their own; I cannot prevent that.

So I need to contact Google’s Adsense team. But I cannot. In fact, I cannot contact anyone at Google. There is not even an email address I can use (I suppose the abuse email might reach someone). There are telephone numbers for the London office but all the options cut you off unless you can provide an account number as an advertiser. The people who run the websites on which many of the ads appear? Google does not care.

I am therefore taking the only option available to me, which is to post this in public.

Dear Google, the website referenced in your warning is nothing to do with me. I have no control over it. I cannot therefore take any action about it; and in fact I am offended by the implicit accusation in your email and the warning in my Adsense dashboard.

I am also disappointed that you provide no means of contact beyond a useless peer-to-peer help forum that for all I know is not even monitored by Google employees (a brief glance shows no replies from them).

I suggest that you remedy this with some emergency option for longstanding business partners.

And if this is the end of our partnership, because of my inability to respond, so be it.

Update: The problem has been mysteriously marked as “Resolved”:

image

Microsoft financials April-June 2016: on track but continued drift away from consumers

Microsoft has announced its latest financials, and I have made a quick table summarising the year-on-year comparison for the quarter. See the end of this post for what the confusing segment categories represent.

Quarter ending June 30th 2016 vs quarter ending June 30th 2015, $millions

Segment                              Revenue   Change   Operating income   Change
Productivity and Business Processes     6969     +308               3000     -167
Intelligent Cloud                       6711     +415               2190     -443
More Personal Computing                 8897     -346                964     +359
Corporate and Other                    -1963    -1943              -3074    +5384

A few observations.

Office 365 is Microsoft’s current big success. According to the company’s press release, Office 365 revenue grew 54%, which is huge. However, on-premise sales declined which meant that overall revenue growth in “Office commercial products and cloud services” was only 5%. Still, that’s a successful transition.

The picture was similar in consumer Office, with Office 365 consumer increasing by 23.1% while overall revenue grew by only 19%.

Dynamics CRM is moving to the cloud. Microsoft says that Dynamics CRM online grew by more than 2.5 times, while overall revenue grew only 6%. The maths may be deceptive, if CRM online grew from a small base, but it is a clear trend. Not to be confused with Dynamics 365, which is ERP/Business process management, though Nadella is also bullish on the latter.

Azure revenue grew 102%. Microsoft’s cloud results are not quite as sparkling as those from Amazon Web Services, but still impressive.

Enterprise Mobility is growing. This is a suite of tools built around InTune, Microsoft’s Mobile Device Management solution.

Surface is doing OK. Revenue up 9% thanks to Surface Pro 4 and Surface Book.

Windows news is mixed. “Windows OEM non-Pro revenue grew 27% and OEM Pro 2%” says the release, which given the weak PC market is decent. Windows 10 is at 350 million active devices, which Nadella said in the earnings webcast is the fastest ever adoption rate for a new version of Windows; hardly surprising given the free upgrade offer and high-pressure upgrade marketing.

Xbox news is mixed. Gaming revenue is down 9%. Xbox Live revenue grew 4% but Xbox console revenue is down.

Windows Phone dives towards oblivion. Revenue is down 71%, from a base that was already tiny.

Microsoft cares less and less about consumers. “We will deliver more value and innovation” in Windows, says Nadella, “particularly for enterprise customers.” I also note the remark in the press release that “Search advertising revenue excluding traffic acquisition costs grew 16% (up 17% in constant currency) with continued benefit from Windows 10 usage,” suggesting that part of the Windows 10 consumer strategy is to use it as a vehicle for advertising; this is known in the business as “adware” and does not encourage me; it will push canny users towards Mac or Linux. In the earnings call, Nadella said that 40% of search advertising revenue is from Windows 10 devices. “The Cortana search box has over 100 million monthly active users with 8 billion questions asked to date,” said Nadella.

A reminder of Microsoft’s segments:

Productivity and Business Processes: Office, both commercial and consumer, including retail sales, volume licenses, Office 365, Exchange, SharePoint, Skype for Business, Skype consumer, OneDrive, Outlook.com. Microsoft Dynamics including Dynamics CRM, Dynamics ERP, both online and on-premises sales.

Intelligent Cloud: Server products not mentioned above, including Windows server, SQL Server, Visual Studio, System Center, as well as Microsoft Azure.

More Personal Computing: What a daft name, more than what? Still, this includes Windows in all its non-server forms, Windows Phone both hardware and licenses, Surface hardware, gaming including Xbox, Xbox Live, and search advertising.

What to do when Outlook is stuck on “processing”

I have seen this a couple of times recently, both cases where Outlook 2016 is installed. You start Outlook, it loads plug-ins, then presents a dialog that says “Processing”.

image

It does this for a long time. What is it processing? Who knows. Will it complete in its own good time? Not sure, but for sure it takes longer than you want to wait in order to get your email.

Here is the fix that worked for me. Close Outlook by clicking the X at top right. If that doesn’t work, you can use Task Manager to end the Outlook process.

Now hold down Ctrl and click the Outlook shortcut on the taskbar, presuming it is pinned. This dialog appears:

image

Click Yes. If you get further dialogs such as First things First, click Accept:

image

In both cases I have seen, Outlook now opens immediately, though in safe mode which means no plug-ins are loaded.

Close Outlook and restart it. Again it opens quickly, this time complete with plug-ins.

What is going on here? Not sure, but it may be related to automatic updates for those of us with the Pro Plus version of Office installed via Office 365 or other entitlement.

Observation: this is poor from Microsoft. One of the issues is that showing a generic busy dialog with no indication of what the software is actually doing makes for poor UI. Users are more accepting of a long process if they can see evidence of it, even if the technical details of what is displayed make no sense. Maybe something like “Verifying nodes nnn of nnn” with the number incrementing.

This would also help if in fact the software is stuck in a loop, since the user can see that nothing is really happening.

Another issue of course is that this looks like a bug. Most users will end up calling support, despite the trivial fix above.

There may be other reasons for this problem which require different fixes. If that is the case with you, apologies!

AWS Summit London 2016: no news but strong content, and a little bit of Echo

I attended day two (the developer day) of the Amazon Web Services Summit at the ExCel conference centre in London yesterday. A few quick observations.

It was a big event. I am not sure how many attended but heard “10,000” being muttered. I was there last year as well, and the growth was obvious. The exhibition has spilled out of its space to occupy part of an upper mezzanine floor as well. The main auditorium was packed.

image

Amazon does not normally announce much news at these events, and this one conformed to the pattern. It is a secretive company when it comes to future plans. The closest thing to news was when AWS UK and Ireland MD Gavin Jackson said that Amazon will go ahead with its UK region despite the referendum on leaving the EU.

CTO Dr Werner Vogels gave a keynote. It was mostly marketing which disappointed me, since Vogels is a technical guy with lots he could have said about AWS technology, but hey, this was a free event so what do you expect? That said, the latter part of the keynote was more interesting, when he talked about different models of cloud computing, and I will be writing this up for the Register shortly.

Otherwise this was a good example of a vendor technical conference, with plenty of how-to sessions that would be helpful to anyone getting started with AWS. The level of the sessions I attended was fairly high, even the ones described as “deep dive”, but you could always approach the speaker afterwards with your trickier issues. The event was just as good as some others for which you have to pay a fee.

The sessions I attended on DevOps, containers, microservices, and AWS Lambda (serverless computing) were all packed, with containers perhaps drawing the biggest crowd.

At the end of the day I went to a smaller session on programming for Amazon Echo, the home voice control device which you cannot get in the UK. The speaker refused to be drawn on when we might get it, but I suppose the fact that Amazon ran the session suggests that it will appear in the not too distant future. I found this session thought-provoking. It was all about how to register a keyword with Amazon so that when a user says “Alexa what’s new with [mystuff]” then the mystuff service will be invoked. Amazon’s service will send your service the keywords (defined by you) that it detects in the question or interaction and you send back a response. The trigger word – called the Invocation Name – has to be registered with Amazon and I imagine there could be big competition for valuable ones. It is all rather limited at the moment; you cannot create a commercial service, for example, not even for ordering pizzas. Check out the Alexa Skills Kit for more.

Presuming commercial usage does come, there are some interesting issues around identity, authentication, and preventing unauthorised or inappropriate use. Echo does allow ordering from Amazon, and you can optionally set a voice PIN, but I would have thought a voice PIN is not much use if you want to stop children ordering stuff, for example, since they will hear it. If you watch your email, you would see the confirming email from Amazon and could quickly cancel if it were a problem. The security here seems weak though; it would be better to have an approval text sent to a mobile, for example, so that there is some real control.

Overall, AWS is still on a roll and I did not hear a single thing about security concerns or the risks of putting all your eggs in Amazon’s basket. I wonder if fears have gone from being overblown to under-recognized? In the end these considerations are not quantifiable, which makes the risks hard to assess.

I could not help but contrast this AWS event to one I attended on Microsoft Azure last month. AzureCraft benefited from the presence of corporate VP Scott Guthrie but it was a tiny event in comparison to Amazon’s effort. If Microsoft is serious about competing with AWS it needs to rethink its events and put them on directly rather than working through user groups that have a narrow membership (AzureCraft was put on by the UK Azure User Group).

Fake TalkTalk Frequently Asked Questions

I use TalkTalk for broadband and landline – though I never signed up with TalkTalk, I signed up with a smaller provider that was taken over – and recently I have been plagued with calls from people claiming to be from TalkTalk, but who in fact have malicious intent. If I am busy I just put the phone down, but sometimes I chat with them for a while, to discover more about what they are trying to do.

Rather than write a long general piece about this problem, I thought the best approach would be a Q&A with answers to the best of my knowledge.

Why so many fake TalkTalk calls?

I have two landline numbers, and until recently only the non-TalkTalk number ever got called by scammers. This makes me think that the flood of TalkTalk calls is related to data stolen from the company, perhaps in October 2015 or perhaps in subsequent attacks. Some victims report that scammers know their name and account number; in my case I don’t have any evidence for that. On a couple of occasions I have asked the caller to state my account number but they have given me a random number. However I do think that my telephone number is on a list of valid TalkTalk numbers that is circulating among these criminal companies.

How do I know if it is really TalkTalk?

My advice is to assume that it is not TalkTalk. If you think TalkTalk really wants to get in touch with you, put the phone down and call TalkTalk customer service, either from another number or after waiting 15 minutes to make sure that the person who called you has really terminated the call.

How does the caller know my Computer License ID?

A common part of these scripts is that the caller will show that he knows your “computer license ID” by guiding you to show it on your screen and then reading it to you. They do this by getting you to open a command window and type assoc:

image

The way this works is simple. The number you see next to .ZFSendToTarget is not a license ID. The abbreviation CLSID stands for Class ID; it is part of the plumbing of Windows and is the same on every Windows PC.

What about all the malware errors and warnings on my PC?

This is a core part of the fake TalkTalk (and fake Microsoft) script. Our server has picked up warning messages from your computer, they say, and they show you a list of them.

The way this works is that the scammer guides you to open a Windows utility called Event Viewer, usually via the Run dialog (type eventvwr). Then they get you to filter it to show “Administrative events”, which restricts the view to errors and warnings only.

Now, you have to agree that the number of errors and warnings Windows manages to generate is remarkable. My PC has over 9,000:

image

However, these messages are not generated by malware, nor are they broadcast to the world (or to TalkTalk servers). They are simply log entries generated by the operating system. If you have time on your hands, you can look up the reason for each one and even fix many of them; but in most cases they are just noise. Real malware, needless to say, does not make helpful logs of its activity but keeps quiet about it.

What does Fake TalkTalk really want to do?

Once your fake TalkTalk caller has persuaded you that something is wrong with your PC or router or internet connection, the next step is invariably to get remote access to your PC. They do this by guiding you to a website such as Ammyy or LogMeIn Rescue and initiating a support session. These are legitimate services used by support engineers, but unfortunately if you allow someone untrustworthy to log onto your PC bad things will happen. Despite what the caller may tell you, these sessions are not just for messaging but enable the scammer to see your computer screen and even take over mouse and keyboard input.

Windows will generally warn you before you allow a remote session to start. You have to pass a dialog that says something like “Do you want to allow this app to make changes to your PC?” or similar. This warning is there for a reason! For sure say No if fake TalkTalk is on the line.

Note though that this remote control software is not in itself malware. Therefore you will see that the software that is trying to run is from a legitimate company. Unfortunately that will not protect you when someone who means you harm is at the other end of the connection.

OK, so Fake TalkTalk has a remote connection. What next?

Despite my interest in the goals of these scammers, I have never gone so far as to allow them to connect. There are ways to do this relatively safely, with an isolated virtual machine, but I have not gone that far. However I have seen reports from victims.

There is no single fake TalkTalk, but many organisations out there who carry out this impersonation. So the goals of these various organisations (and they are generally organisations rather than individuals) will vary.

A known scam is that the scammer will tell you a refund is due because of your slow internet connection. They show you that the sum has been paid, via a fake site, but oh dear, it is more than is due! For example, you are due £200 but have been paid £1200. Oops. Would you mind repaying the £1000 or I will be fired? So you send off £1000 but it turns out you were not paid any money at all.

Other possibilities are that your PC becomes part of a bot network, to be rented out to criminals for various purposes; or that the “engineer” finds such severe “problems” with your PC that you have to purchase their expensive anti-malware software or service; or your PC may be used to send out spam; or a small piece of software is installed that captures your keystrokes so your passwords will be sent to the scammer; or the scammer will search your documents for information they can use for identity theft.

Many possibilities, so for sure it is better not to let these scammers, or anyone you do not trust, connect to your PC.

Who are the organisations behind Fake TalkTalk?

When I am called by TalkTalk impersonators, I notice several things. One is that the call quality is often poor, thanks to use of a cheap voice over IP connection from a far-off country. Second, I can hear many other calls taking place in the background, showing that these are not just individuals but organisations of some size. In fact, a common pattern is that three people are involved, one who initiates the call, a supervisor who makes the remote connection, and a third “engineer” who takes over once the connection is made.

One thing you can be sure of is that they are not in the UK. In fact, all the calls I have had seem to originate from outside Europe. This means of course that they are outside the scope of our regulators and difficult for police or fraud investigators to track down.

If you ask one of these callers where they are calling from, they often say they are in London. You can have some fun by asking questions like “what is the weather like in London?” or “what is the nearest tube station?”; they probably have no idea.

What is being done about this problem?

Good question. I have reported all my calls to TalkTalk, as well as using “Report abuse” forms on LogMeIn with the PIN numbers used by the criminals. On one occasion I had a scammer’s Google email address given to me; there is no way I can find to report this to Google which perhaps shows the limits of how much the company cares about our security.

I am not optimistic then that much of substance is being done or can be done. Addressing the problem at source means visiting the country where the scam is based and working with local law enforcement; even if that worked, other organisations in other countries soon pop up.

That means, for the moment, that education and warning is essential, imperfect though it is. TalkTalk, it seems to me, could do much better. Has it contacted all its customers with information and warnings? I don’t believe so. The company is worried, perhaps, more about its reputation than the security of its customers.

The case of the disappearing Azure AD application registration

Some time ago I wrote a simple web application which runs on Microsoft Azure and uses Azure Active Directory for authentication. The application is used constantly and has proved reliable; however yesterday it stopped working. A quick debug session showed that the problem was an Azure AD permissions error.

In order to use Azure AD, applications have to be registered in the Azure management portal. I use the old portal for this; I am not sure that the functionality exists in the new portal yet. There is a nice how-to here.

image

One of the elements in the registration is a key which has a maximum lifetime of 2 years:

image

My application was deployed about two years ago so I went to the portal to see if it had expired.

What I found surprised me. The application was not listed at all. It had disappeared.

Instead of simply obtaining a new key and updating my application config, I had to create a new application registration and update several keys in the config, which was an annoyance.

There is a wider point here, in the whole category of dealing with “things that expire”. Some time ago, Microsoft suffered an extended Azure outage because of an expired certificate. It is a shame that Microsoft insists on a maximum 2 year lifetime for this key but does not provide a check box for “alert me when this key is about to expire”; how difficult would that be?

Problems like this also mean that things which “just work” may not continue to do so. Of course a well organised enterprise setup can deal with this type of problem, but imagine, for example, the case of a small business with an application running on Azure where the developers have gone out of business, perhaps, or are no longer available. In fact the only code I needed to change was in web.config, but I can imagine it could take some time to figure out what to do and what to change.

Mo-Fi headphones from Blue: distinctive design delivers excellent sound

I attend several trade shows during the year, and at one of these Blue was showing off its microphones and headphones. These are the world’s best headphones, said one of the representatives. I expressed some scepticism and she promised to send me a pair to try.

image

The Mo-Fi, which sells for around £249 or $349, is an unusual set of wired headphones in that it includes its own amplifier, powered by a rechargeable 1020mAh battery. It takes 3-4 hours to charge, which gives you around 12 hours of play, though if the battery runs out it is not fatal as you can also use the headphones in passive mode.

The amplifier can also be used in “On+” mode which boosts the bass slightly. Despite this feature, these headphones are designed for those who like a natural sound rather than one which exaggerates the sonics for instant appeal but later fatigue.

First impressions

When you unpack the Mo-Fi headphones from their solid cuboid box you immediately get an impression of a well-built and high quality product. This is an over-the-ear design with a metal frame and what I would describe as a modernist, industrial look; opinions on this will vary but personally I am more interested in the sound and the comfort. If you are looking for a svelte and elegant headset though, these will not be for you.

image

In order to achieve a good fit whatever the size of your head, Blue has put hinges on the earcups so you can tilt them inwards, reducing their distance from the headband. You can also adjust the tension on the headband to get a looser or tighter grip according to taste. I find the comfort OK though not the best; the problem is that the solidity of the design means greater weight (455g) so you notice them a bit more than a lighter and softer set. That said, I can wear them for an hour or two without strain.

Blue supply two cables, a short 1.2 meter cable for iPad and iPhone which includes volume, pause and microphone, and a 3 meter cable for other sources. There is also an adaptor for headphone amplifiers with a 1/4” jack socket, and another for aeroplane seats with the old dual jack sockets. Finally, you get a well made soft case with a carry strap.

image

There is no mention of Android phones in the short manual, but the iPhone cable works fine for microphone and pause/play. The in-cable volume control only works with Apple devices though, because of annoyingly different hardware standards.

Sound quality

The philosophy behind the Mo-Fi seems to be that most of us compromise our listening experience by using headphones or headsets that do not do justice to the music. In part this is because of inferior headphone amplifiers in many mobile devices, which the Mo-Fi’s built-in amplifier mitigates though cannot fix completely (since the device’s own amplifier is not bypassed).

I tried the Mo-Fi on a variety of devices, including Android phones, an iPad, and an audiophile headphone amplifier (Graham Slee Solo). I compared them to several other headphones and headsets, using music including classical, jazz, rock and pop. I listened to the Mo-Fi mostly with its amplifier on, but not in the on+ position.

The good news: the sound is excellent. It is clean, precise, extended in frequency response, and generally neutral in tone though with slightly recessed high frequencies.

What is the effect of the built-in amplifier? It depends. Using the external headphone amplifier, the built-in amplifier does little more than increase the volume. You can get the same result by turning up the volume in passive mode. On a phone though, the effect is more marked, and you can hear improvement in quality as well as volume. That is what you would expect.

However, while the Mo-Fi sounds good with a phone, I was surprised how much the sound improved when using the Graham Slee amplifier. Since a Solo costs more than the Mo-Fi, perhaps that is not surprising, but it does illustrate that unfortunately there are still compromises when using a smartphone for music.

What kind of sound do you get from the Mo-Fi? Since it is neutral and clean, the Mo-Fi sounds good with all kinds of music, though they are not bright, to the extent that you should avoid them if you like a bright sound. The bass I found particularly tuneful, for example on My Funny Valentine by Miles Davis, which is a rare quality. Listening to the magical Four Seasons by the Academy of St Martin in the Fields I found the Mo-Fi smooth and engaging but not quite as clear or sweet as on high-end Sennheiser headphones.

On By Your Side by Sade, which has deep bass that is difficult to reproduce, the Mo-Fi coped well with all the bass energy, though the cymbals on this track sounded slightly muted.

Death of a Bachelor by Panic! at the Disco is always an interesting track to play, thanks to its ridiculous bass extension. The Sennheiser HD 600 (about the same price as the Mo-Fi though an open back design) sounds too polite on this track, failing to reproduce the bass thunder, but in compensation sounds tuneful and clean. The Mo-Fi makes more effort to reproduce the bass but on this very demanding track it does tend to blur (a rare failing with these cans) making the tune harder to follow.

On a modern recording of Beethoven’s 5th Symphony (San Francisco Symphony Orchestra conducted by Michael Tilson Thomas), the Mo-Fi does a fine job reproducing the scale and drama of the opening movement, no trace of blurring here. It is a big sound though again slightly let down by the treble.

No, these are not the best headphones in the world, but they do deliver outstanding quality at what, in audiophile terms, is a moderate cost.

If your preferences veer towards realistic bass and a big, articulate sound you will like the Mo-Fi. If you prefer a sweet, detailed treble with lots of air and space, these might not be for you.

There is one annoyance: the amplifier switch is slightly crackly on my Mo-Fi. I worry that it might get worse over time.

Blue quotes a “15Hz-20kHz” frequency response for both the amplifier and the drivers, but without any indication of how much frequency drops off at the extremes so these figures are meaningless. Impedance is 42 ohms.

Summary

The sound quality is great, but the downside is that the Mo-Fi is relatively heavy and bulky, and for some that will be a considerable disadvantage, especially as it does affect wearing comfort. I can wear the HD 600 all day, whereas after a couple of hours I wanted to remove the Mo-Fi (it might become more comfortable as it wears in). The closed back design means you get good sound isolation, which is good or bad depending on how much you want to be able to hear external sounds while listening to music.

If that doesn’t put you off, the Mo-Fi is well worth a listen. It’s well made, thoughtfully packaged, and sounds better than most of its competition.

Office 365 users: beware Outlook’s mysterious Not Implemented error

Outlook broke on my laptop the other day. Well, it still received mail, but many operations threw up an error, “Not Implemented”.

It was particularly annoying that the error affected sending emails, but the error dialog only showed when I tried to force a send and receive. Therefore, emails were stuck in the outbox with no notification.

This error can indicate a corrupt installation, but in my case it was simply an Office 365 mess-up. In particular, the problem was connected to an automatic upgrade from Office 2013 Professional Plus to Office 2016 Pro Plus, for users on Office 365 E3 subscriptions.

Users are meant to see an upgrade notification before this occurs. I don’t recall seeing this, but it is possible. I suspect my problem was related to an issue that caused Microsoft to pause “Microsoft-initiated upgrades” on May 9 2016. Perhaps I clicked the upgrade offer back in May and had forgotten about it.

As far as I was concerned, Office 2013 had not in fact been upgraded. I use Office applications by clicking shortcuts on the taskbar, and these were still for Office 2013. I had not seen any notification of an upgrade completing.

When I got the error though, I looked a little more deeply and found that I had both Office 2013 and Office 2016 (the latter described as Microsoft Office 365 Pro Plus) installed. Control Panel – Programs and Features also showed that both were installed on 16th June 2016, two days after “Microsoft-initiated upgrades resumed for computers that had downloaded the Office 2016 upgrade files prior to May 9 2016.”

The fix was simple. Remove Office 2013. This removed my taskbar shortcuts, but I could then reinstate them with the 2016 versions and everything worked.

Just a small issue perhaps; but certain aspects of this are disappointing.

One is the incorrect error message. I know raising the right error message is challenging, but it is important.

Second, I doubt the automatic upgrade is meant to leave both versions in place. Why cannot Microsoft figure out how to remove the old version, install the new one, and even preserve my taskbar shortcuts with their equivalent upgraded versions?

Using Strongswan as a VPN client – and a Windows Firewall gotcha

How do you monitor a Windows server over the internet? This one is not in Azure but an actual server, running Hyper-V of course, and the requirement is to monitor both the Hyper-V host and the VMs for things like free memory, disk space and CPU usage.

There is a nice solution called Cacti which does this, using SNMP. You just have to enable SNMP in Windows Server, install Cacti on some other server, and make sure the two can communicate on UDP port 161 (or you can configure another port).

The target server is behind a Linux firewall which has a VPN endpoint, so a good solution is to have a VPN connection between Cacti on-premises and the firewall to enable SNMP traffic over a secure tunnel. This VPN endpoint is already in use using the excellent Shrew soft VPN client, so it was just a matter of finding a suitable Linux VPN client for the VM on which I installed Cacti.

I had installed Debian Linux on a VM to run Cacti, without any GUI (I mean, who needs a GUI on a server?), so I looked for a suitable command-line VPN client. I soon gathered that the usual choice used to be Racoon but is now strongSwan – though note that both of these are more often used to set up a VPN endpoint on a server rather than as clients, although they work fine in either role.

I am sure that someone with more experience than myself in Linux VPNs and networking would have had this up and running in no time, but for me it was somewhat arduous. There are two aspects to a VPN tunnel, one of which is creating the secure tunnel and the second being the networking. StrongSwan will do most of this on your behalf, but you do need to get the configuration right in /etc/ipsec.conf and I chased down several false trails before getting it working.

One issue was that I am using XAuth authentication, and despite strongSwan supporting this (by default, I thought), I got the error “no XAuth method found.” What worked for me was to install libstrongswan-extra-plugins and then make sure that xauth-generic.conf is set to load the xauth-generic plugin.

Next, it was not obvious to me what to put in the strongSwan left and leftsubnet key pairs. I thought the left subnet should be the subnet of my local network (192.168.255.0/24) but in fact I needed the subnet that was configured for VPN clients, in my case 192.168.40.0/24. Until I figured this out I was getting “no matching CHILD_SA config found” and “HASH N(INVAL_ID)” errors when trying to connect.

I fixed that but it still did not work. After trying various things I hit upon left=%any in ipsec.conf and got a successful connection at last.

I had a tunnel, but traffic did not pass. Now, there are two things I did to get this working. One was to put auto=route in ipsec.conf. The docs say “route loads a connection and installs kernel traps.” Note that the networking configuration is done not by modifying iptables rules, but through xfrm policy, and to see the current policy you type:

ip xfrm policy

in the shell. It was still not quite right.

The final step was to change left=%any to left=%defaultroute in ipsec.conf. With this last piece of magic in place, everything works.
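Pulling the settings above together, here is an added example of the client-side /etc/ipsec.conf (not the author's own file): left, leftsubnet and auto are the values the post arrived at, while the connection name, gateway address, remote LAN, identities and cipher proposals are assumptions.

```conf
# Added example, not the actual file from the post: a strongSwan client
# connection assembled from the settings described above. Assumed values:
# connection name, gateway address, remote LAN, XAuth identity, proposals.
# Prerequisite from the post: libstrongswan-extra-plugins installed and
# /etc/strongswan.d/charon/xauth-generic.conf containing "load = yes".

conn cacti-monitoring
    keyexchange=ikev1          # assumption: the gateway speaks IKEv1, as the Shrew Soft users do
    authby=xauthpsk            # pre-shared key for the gateway plus XAuth user credentials
    xauth=client               # this host supplies the credentials; "no XAuth method found"
                               # means the xauth-generic plugin is not loaded
    xauth_identity=cacti-user  # assumed XAuth username; must match /etc/ipsec.secrets
    left=%defaultroute         # bind to the interface holding the default route (the final fix;
                               # left=%any negotiated a tunnel but passed no traffic)
    leftsubnet=192.168.40.0/24 # the gateway's VPN-client subnet, not the local LAN
                               # (if the gateway hands out virtual IPs by mode-config,
                               # leftsourceip=%config requests one; not used in the post)
    right=vpn.example.org      # assumed gateway address
    rightsubnet=10.10.0.0/24   # assumed remote LAN holding the Hyper-V host and its VMs
    ike=aes256-sha256-modp2048!   # assumption: match what the gateway offers; prefer
    esp=aes256-sha256!            # these over DES/MD5/modp1024 if it allows the choice
    auto=route                 # install kernel traps: the tunnel is negotiated on the first
                               # matching packet and appears in `ip xfrm policy`, not iptables

# /etc/ipsec.secrets (assumed values; keep the file mode 0600):
#   : PSK "gateway-preshared-key"
#   cacti-user : XAUTH "cacti-xauth-password"
```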

It was not (for me) quick and easy to configure, but the result is excellent. Just type:

ipsec up [connectionname]

and the tunnel comes up almost instantly. Using snmpwalk I can verify that traffic is flowing:


That said, now is the time to mention a little gotcha with the Windows Firewall for SNMP. When you install the service, Windows creates a firewall rule that opens the SNMP port (normally UDP 161) for incoming traffic, for both private and public profiles.


Note there is a separate rule for Domain profiles, which is a clue that something is different. That difference is the scope of the rule. By default, the rule for private and public profiles is scoped only to the local subnet, making it in effect disabled.


The idea I guess is to encourage you to restrict traffic to specified IPs if you access the SNMP service from outside the domain, which is good security advice. You can also configure this on the SNMP service properties. But if you are wondering why the service is not responding, this is one thing to check.
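As an added check for the gotcha just described (example code, not from the post), this PowerShell lists the inbound SNMP Service rules with their remote-address scope and then narrows the Private/Public rule to the Cacti poller instead of LocalSubnet; the poller address 192.168.40.10 is an assumption.

```powershell
# Added example: show why a remote SNMP poller gets no answer, then fix the scope.
# The poller address is an assumption; the rule group name is the one Windows
# creates when the SNMP service feature is installed.
$cactiHost = '192.168.40.10'

$rules = Get-NetFirewallRule -DisplayGroup 'SNMP Service' -Direction Inbound

foreach ($rule in $rules) {
    $addr = $rule | Get-NetFirewallAddressFilter
    $port = $rule | Get-NetFirewallPortFilter
    # Expect the Domain rule to show remote=Any and the Private/Public rule
    # remote=LocalSubnet: an off-subnet poller never matches the latter.
    '{0,-32} profile={1,-16} {2}/{3} remote={4}' -f $rule.DisplayName, $rule.Profile,
        $port.Protocol, $port.LocalPort, ($addr.RemoteAddress -join ',')
}

# Replace LocalSubnet on the non-domain rule with the poller's address only,
# which both lets the Cacti traffic through and keeps the service closed to
# everyone else on the public and private profiles.
$rules | Where-Object { $_.Profile -match 'Private|Public' } |
    Get-NetFirewallAddressFilter |
    Set-NetFirewallAddressFilter -RemoteAddress $cactiHost
```

The same restriction can be mirrored on the SNMP service's own "Accept SNMP packets from these hosts" list, so that the check does not rely on the firewall alone.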