ShoreTel fail over options using Vmware – Part 1 Building a VMware Test Lab!

The question we hear most often from ShoreTel system administrators is how best to achieve “fail over”, assure high availability and assure business continuity. There is no simple answer to this question, nor is there any one “best practice”. It is going to depend on a number of interrelated issues including budget, facilities, availability and down time goals. With unlimited funding there are many more options than there are with a very limited budget. Is our deployment located in a single facility or scattered across multiple sites? Do we have an onsite data center, or a “cloud” or colocation facility? Can we tolerate any down time at all, or are we looking for hot fail over with no service interruption?

Redundancy by itself is not sufficient to guarantee high availability or continued uninterrupted business operations. Two power supplies are always better than one (especially if they are plugged into separate electrical sources), RAID disk arrays are more reliable than a single spinning hard disk, and shared iSCSI storage may be better still. Many system administrators have explored commercial options like Double Take with its active/active fail over strategy.

At the end of the day, our view is that multiple hosts across multiple locations in a virtual or cloud based deployment are your best options. We think VMware and Amazon are unstoppable solutions, providing high availability and business continuity assurance that makes the most of a budget, simplifies administration and carries the lowest risk. Though we will have much more to say about Amazon Web Services, especially how it can best interface with VMware, we are going to demonstrate several configurations built on the vSphere ecosystem.

In our opinion your ShoreTel partner should have installed your deployment on VMware from the onset. A single VMware ESXi hypervisor host running your ShoreTel HQ Server and a ShoreTel Distributed Voice Mail (DVM) server, with the DVM installed at the same site and at the same level as the HQ server, will provide a very effective fail over solution at the lowest possible cost. VMware Essentials gets you ESXi and vCenter for $540, so what is there to think about? A single hardware host with two virtual Windows servers, a shared iSCSI data store and a copy of FreeSCO will best any effort to run redundant HQ servers! ShoreTel servers can fail up, so just put all of your HQ switches and users on the DVM; if it fails, HQ will take over. If HQ fails, no real harm done.

Sounds like a lot of hardware complexity, but we are going to demonstrate this on a lab system consisting of a single Windows laptop! Through the miracle of VMware, Openfiler and FreeSCO we are going to create this entire solution and use it to prove out several different “fail over” strategies that can be used to develop “high availability” options for your ShoreTel deployment. Additionally, if you are just learning VMware, this will be an excellent “play pen”, “sand box” and learning environment, well within the budget of any serious student of virtualization. If you can access a laptop, the rest of the requirements can be obtained as open source “free ware” or evaluation software. So let's lose the excuses and get to work!

Building your “Sandbox”!

Our test environment will consist of three ESXi hosts, an iSCSI data store, a CISCO-compatible router, two Windows servers and two Windows PCs (XP or better). As this entire lab will be built out on a single device, here is the “parts list”:

(a) Windows laptop – If you have several spare PCs or servers that you can make use of, great, but we can build out this entire test lab on a single laptop. The only requirement is memory: the laptop must have, or be expandable to, at least 16GB of RAM.

(b) Your first lesson in virtualization is to understand the difference between a type 1 and a type 2 hypervisor. VMware ESXi is a type 1 hypervisor, which means it is installed on a bare metal host computer, typically an appropriately configured server. VMware Workstation is a type 2 hypervisor, meaning it is installed on top of an operating system, like Windows, that is already installed on a bare metal hardware platform. In this case, we have a laptop running Windows 8 and we are going to install VMware Workstation on top of Windows. You can download an evaluation copy of VMware Workstation from http://www.vmware.com/products/workstation/workstation and when the 90 day evaluation is up, if you can find $249, it is our recommendation that no VoIP engineer or field technician should be without a laptop running this product.

(c) ESXi is a type 1 hypervisor, and the really good news is that it is still available absolutely free of charge. This will be the core of our test lab, and we will build out three hosts, all running in VMware Workstation on our laptop, to support our ShoreTel deployment.

(d) Building out a ShoreTel HQ server under ESXi as a single server is what most folks do. If you are going for high availability, however, you need to consider the size of your data store. Even if you are only restoring a “snap shot”, the size of your data store may be the limitation that determines down time. Rather than store the application data on the Windows server used for your ShoreTel HQ server, we recommend that you install an iSCSI data store on your LAN. In this way, if you have to restore the server, you will already have the data store available (this is where AWS S3 comes into play, so see our previous blog regarding backup strategies). You can download the community edition of Openfiler, the iSCSI data store we are going to deploy in this lab, from http://www.openfiler.com/community/download, as we will be configuring our deployment around shared network storage (Openfiler can present both NAS file shares and iSCSI block targets; the lab uses the latter).

(e) One of the “must have” software tools in our engineering laptop tool kit is a three interface router named FreeSCO! It is pronounced “Free CISCO” as a take off on our favorite company to hate. For those of you who ever wanted to deploy a fully functioning CISCO-like router from a USB drive, download this now from www.freesco.org or download the OVA we created, which is available in the member portal of the DrVoIP web site.

(f) Next, you will need Windows Server software, either Windows 2008 or 2012. You can download an evaluation copy from Microsoft at http://msdn.microsoft.com/en-us/evalcenter/dn205302.aspx if you do not have a copy kicking around your lab.

(g) Lastly, ShoreTel has never asked for our opinion, but they do not make evaluation software easily available to lab environments or to students who hope to become ShoreTel VoIP engineers. ShoreTel software can only be legally obtained by purchasing a system or through a support agreement from either a ShoreTel partner or directly from ShoreTel TAC. If you are a partner or covered under a support agreement, you can download all software from the ShoreTel site. The iPBX software will run license free for 45 days. Our lab is going to make use of the ShoreTel HQ server, the ShoreTel DVM server and several virtual ShoreGear voice gateways.

The DrVoIP video demonstrates how this lab is constructed and how the various components are installed, and is part of the overall VMware training material available (or soon to be posted) on the DrVoIP website. This lab will enable you not only to become very comfortable with VMware in general, but also to explore the various options for providing high availability and business continuity to your ShoreTel deployment.

AWS S3 – a ShoreTel backup strategy!

Amazon Web Services (AWS) has a range of storage options that make it our first choice in cloud based storage solutions and an ideal location for our ShoreTel data backup. In fact, now that ShoreTel has moved to virtualized hardware for voice gateways, we have moved our entire ShoreTel deployment into the AWS EC2 environment, but that is the subject of a separate blog! AWS is an ideal solution for backing up your ShoreTel configuration. You can choose to back up to the Glacier storage service if you can stand a few hours of delay retrieving the backup files, but S3 (Simple Storage Service) is the best solution for setting up a shared network drive to facilitate your ShoreTel server backups.

Backups should be a regular part of your IT hygiene, and the process of securing data offsite should be automated. Enabling AWS S3 is very simple, cost effective and can be fully automated. You can also take advantage of other AWS services like SNS push notifications to send verification and administration alerts. Given the global footprint of AWS and the growing base of AWS data centers and availability zones, even your backup solution can have a backup solution! AWS is infrastructure as a service, so you will still need to manage the process. They provide the facilities, but you share responsibility: AWS secures the storage service itself, while who can reach your bucket, whether the data is encrypted, and whether the backups actually restore remain your job. For example, you will need to find a client side solution to enable your backup. You can use an AWS provided sample API if you want to write an interface into an existing backup solution, but most deployments can more than benefit from a simple software solution installed directly on your ShoreTel server. We recommend either the TntDrive or the CloudBerry solution; both are excellent and even have freeware and trial versions!

Opening an AWS account is very easy to accomplish, and if you already have an Amazon book buying account you are already good to go! Just log into AWS, bring up the menu page and select S3 from the storage and content delivery options. It will take about two minutes to create an S3 “bucket” and then apply a security profile! You will need to note the access key ID and secret access key, as they are what the client uses to “log into” your new bucket. Do not use the keys of your root Amazon account for this: create a separate IAM user whose policy allows it to write to that one bucket and nothing else, because those keys will live on the ShoreTel server and anyone who obtains them gets exactly the rights you grant. Once the bucket is created, you can then go to your ShoreTel server and establish a shared drive using one of the client side solutions like TntDrive or CloudBerry. (You might also want to check out the comparison of other backup solutions for Mac based computers.)
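One way to script the upload side of this, as an added example that is not from the DrVoIP post and not the TntDrive or CloudBerry software: a Python job (boto3 assumed to be installed on the ShoreTel server) that packs the backup folder, uploads it under a dated key with server-side encryption, records a SHA-256 digest for restore-time verification, and carries the least-privilege IAM policy for the key that lives on that server. The bucket name, the policy scope, the site name and the folder C:\Shoreline Data\Backup are placeholders, not values from the page.

```python
"""Added example (not from the DrVoIP post, not TntDrive/CloudBerry code): push a
ShoreTel backup folder to S3 with a least-privilege IAM user, SSE-S3 encryption and
an integrity digest. Placeholders: bucket 'shoretel-backups', key prefix 'shoretel',
site 'hq', folder C:\\Shoreline Data\\Backup. boto3 is only needed for a real run."""
import hashlib
import json
import os
import tarfile
import tempfile
from datetime import datetime, timezone

BUCKET = "shoretel-backups"   # placeholder bucket name
PREFIX = "shoretel"           # the only key prefix the backup user may write


def backup_user_policy(bucket: str = BUCKET, prefix: str = PREFIX) -> dict:
    """IAM policy for the key stored on the ShoreTel server: it may add objects under
    one prefix of one bucket, only with SSE-S3, and nothing else. No Get or Delete
    means a stolen key can neither read nor wipe the history; enable bucket
    versioning so even an overwrite of an existing key is recoverable."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "WriteEncryptedBackups",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*",
            "Condition": {"StringEquals": {"s3:x-amz-server-side-encryption": "AES256"}},
        }],
    }


def object_key(site: str, when: datetime, prefix: str = PREFIX) -> str:
    """Date-stamped key: each run creates a new object instead of overwriting."""
    return f"{prefix}/{site}/{when.strftime('%Y-%m-%dT%H%M%SZ')}.tar.gz"


def sha256_of(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def archive_dir(src_dir: str, out_path: str) -> str:
    """Pack the backup folder into one gzip'd tar so a single object carries it."""
    with tarfile.open(out_path, "w:gz") as tar:
        tar.add(src_dir, arcname=os.path.basename(os.path.normpath(src_dir)))
    return out_path


def upload_backup(s3, bucket: str, key: str, path: str) -> dict:
    """Upload with SSE-S3 and the SHA-256 kept as object metadata, so a restore can
    verify the archive before trusting it. `s3` is a boto3 S3 client or anything with
    the same put_object() keyword signature (see DryRunS3)."""
    digest = sha256_of(path)
    with open(path, "rb") as body:
        s3.put_object(Bucket=bucket, Key=key, Body=body,
                      ServerSideEncryption="AES256", Metadata={"sha256": digest})
    return {"key": key, "sha256": digest, "bytes": os.path.getsize(path)}


def run_backup(s3, site: str, backup_dir: str, bucket: str = BUCKET, when=None) -> dict:
    """Archive backup_dir into a temp file, upload it, clean up, report what was sent."""
    when = when or datetime.now(timezone.utc)
    fd, archive = tempfile.mkstemp(suffix=".tar.gz")
    os.close(fd)
    try:
        archive_dir(backup_dir, archive)
        return upload_backup(s3, bucket, object_key(site, when), archive)
    finally:
        os.remove(archive)


class DryRunS3:
    """Stand-in client that records put_object() calls, for rehearsing the job offline
    before the real IAM user and boto3 client exist."""
    def __init__(self):
        self.calls = []

    def put_object(self, **kwargs):
        body = kwargs.pop("Body")
        kwargs["Size"] = len(body.read())
        self.calls.append(kwargs)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


def sample_dry_run():
    """Constructed input: a temp folder holding one placeholder file, fixed timestamp."""
    folder = tempfile.mkdtemp(prefix="shoretel-")
    with open(os.path.join(folder, "config.sample"), "wb") as fh:
        fh.write(b"constructed placeholder, not real ShoreTel data\n")
    client = DryRunS3()
    return run_backup(client, "hq", folder, when=datetime(2014, 10, 1, 2, 0, tzinfo=timezone.utc)), client


if __name__ == "__main__":
    import sys
    client = DryRunS3() if "--dry-run" in sys.argv else __import__("boto3").client("s3")
    print(json.dumps(run_backup(client, "hq", r"C:\Shoreline Data\Backup"), indent=2))
```

Run it with --dry-run first; DryRunS3 records what would be sent without touching AWS. Attach backup_user_policy() to the dedicated IAM user rather than giving the server root account keys, and let the policy's encryption condition reject any client that forgets to ask for SSE.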

The ShoreTel data file still contains all the information you need to rebuild your system on a bare metal server, and you can also make use of the ShoreTel provided backup scripts to further assist your efforts. Our standard best practice is to include AWS cloud backup as part of our ShoreTel support agreements for all DrVoIP clients, so there is no reason for any company, regardless of size, not to have a current backup of their ShoreTel deployment safely stored offsite!

DrVoIP will provide free ShoreTel backup for any ShoreTel system owner that asks us to do so! The DrVoIP Video walks you through the process of setting up backup using AWS S3, from bucket creation to client side install!

ShoreTel ECC MySQL rants, raves and solutions for email, chat and text (SMS) messaging!

If you have worked with ECC custom integrations for any length of time, you have built a library of solutions to work with. Most recently you have discovered that a 32 bit application like ECC, running on a 64 bit Windows 2008 or 2012 server, needs a 32 bit ODBC driver! When you click on Data Sources in Windows, you are shocked to notice that none of the ECC database connectors are showing under the DSN tab in the ODBC Data Source Administrator. You then go to add a driver for that new MySQL application your client wants, install it and test that it connects OK. Then you log into Contact Center Director and notice that the ODBC connector does not show up in the list of external database connections. WTF? Well, this turns out to be how 64 bit Windows works rather than a bug: it keeps two separate ODBC configurations (the 32 bit DSNs live under HKLM\SOFTWARE\WOW6432Node\ODBC), and the Data Sources shortcut in Administrative Tools opens the 64 bit administrator, C:\Windows\System32\odbcad32.exe, whose DSNs a 32 bit process such as ECC never sees. So you learn to ignore the normal Data Source Administrator shortcut and instead run the 32 bit version that already ships with Windows, C:\Windows\SysWOW64\odbcad32.exe (much thanks to Tyler and Mark at ShoreTel TAC for this insight). Running that brings up the 32 bit ODBC Data Source Administrator, and you will find that the DSN tab now displays both your new connector and the existing ECC connectors! Install the 32 bit build of the MySQL ODBC driver as well; a 64 bit driver will not appear in the 32 bit administrator.

Version 9 of ECC has some changes that you need to be aware of, most notable of which is the lack of support for POP email connectors. IMAP is now your only option. If you are going to create ShoreTel ECC email connectors you will need the co-operation of the client IT department, most of which go nuts when you tell them that you want to turn this protocol on in their Exchange server. If you are using Microsoft Office 365 you have other challenges. If you want to add CHAT then you will also need to get IT to provide you a Tomcat server! In a deployment that already has a ShoreTel iPBX, an ECC server and an IRCC server, I just can't bring myself to tell the client they need yet another instance of MySQL on yet another server! To overcome some of these challenges and to make my life as a deployment engineer a bit more predictable, I have developed my own solution!

If I work with a client that is going to deploy ShoreTel ECC using CHAT and email and also expects to do some SQL data dips, I prefer to provide my swiss army knife solution. We created a Linux appliance that supports a number of required integration components that we can fully control without relying on the client IT organization. The small 19” rack mounted appliance houses the following:

(a) Our favorite distribution of Linux;
(b) MySQL Server and PostgreSQL Server;
(c) Apache Server;
(d) Tomcat Server;
(e) Mercury Mail;
(f) VPN, SSH and FTP servers;
(g) Webmin and phpMyAdmin admin tools;
(h) PHP, Perl and some other development tools;
(i) A library of network assessment and monitoring tools.

MySQL and PostgreSQL are absolutely necessary for doing any type of external “look up” and route functions. ShoreTel does not provide ‘root’ access to the MySQL instances running on the other three servers, so you have to do something! Unless you want to jerk around with the client's IT organization or database team, we recommend you roll your own. Likewise with email. Just set up Mercury Mail to handle your ECC email accounts and be done with it. It will cost you another A (or CNAME) record and an MX record, but so what. Most of our ECC applications need a web server, and rather than deal with TAC on what is and what is not supported on a ShoreTel server running Microsoft IIS, just use Apache and be done with it! To do CHAT on ShoreTel ECC you will need a Tomcat server as well. For less money than will be wasted on professional service hours chasing other folks around so you can do your work, this is a great solution for ShoreTel ECC integrations, email and Chat! One caveat, since this box sits inside the client's network carrying their database, mail and web traffic: plain FTP sends passwords in the clear, so use SFTP over the SSH server you already run, bind MySQL, PostgreSQL and phpMyAdmin only to the interfaces that need them, and keep the packages patched, because the client's IT team is entitled to ask the same root access question of your appliance that we ask of any vendor's box. (Since we do have root access to the VMware image ShoreTel provides for the conference server, that might also be an option. We will take a look and update you later – DrVoIP.)

 

Editing ShoreTel System Prompts or WTF is a PHR file?

“Welcome to ShoreTel Conferencing” sounds like a commercial announcement, and many system owners want it changed! After all, they just paid a big whack of money to own a brand new brilliantly simple phone system! Now when they hold a client conference, they sound like they transferred the call to an outside third party service! Though it is a smart move for ShoreTel's marketing efforts, it is hardly the image a system owner wants to convey to their clients! For this reason, we are often asked to change the prompt to something that sounds more like “Welcome to mycompany conferencing”. This seems like a reasonable enough request and something that should be easy to implement, right? Yet ShoreTel professional services gets about $600-$1000 for a custom prompt! Is there a way around this?

The fact is that it is not very easy to modify these prompts at all! Most ShoreTel vendors can't even find an application to play the file, let alone edit it, as it is not a normal wav file. The file is actually a “phrase” file and is usually found with a .phr file extension. On the ShoreTel SA-100, for example, you will find this in the ftproot directory of the HQ server in the path \Inetpub\ftproot\tsu\phr\UCB. The UCB folder contains the .phr files for all the languages supported by the system. When the conference appliance boots up, these files are loaded from the server. (For you Unix heads, the appliance is a Linux platform, and you can find the files in the ShoreTel/Lib folder by changing to that directory and entering ls -lt *.phr.) Remember, if you edit the prompts, you will have to recreate this change every time you upgrade the phone system and on all servers that use the conference appliance!

In the United States the correct file is the “en-us.phr” file. If you play this file, you will understand very quickly that this is not going to be easy! The file is actually a “library” that contains all the “phrases” used by the system to prompt callers with audio help. The application software has to be able to set pointers to the correct location in the .PHR phrase file. This is similar to a format used by Dialogic back in the 80s that set the standard for “indexed play mode” for all telephone applications. This means a phrase file must contain a unique id for each phrase in the library, so the .PHR file is more than an audio file! Here is a list of the phrases in the .PHR file:

thank you for calling ShoreTel conferencing goodbye
a duplicate conference has been detected you will now be transferred
a duplicate conference has been detected please try again later or contact the conference host.
you will now be disconnected
sorry the key sequence entered is invalid
The conference has ended goodbye.
sorry all resources are busy please try again later or contact the conference administrator
ringsound welcome to ShoreTel conferencing, please enter an access code then press pound.
sorry that access code is invalid please try again
the conference is currently locked, please try again later or contact the conference host
you are the only person on this conference please stay on the line
the conference host has not joined the conference please stay on the line
to turn off the music please press one
please wait while your call is connected
sorry that access code is invalid good bye
at the tone please say your name and then press pound
please wait while your call is placed into the conference
has joined the conference
has left the conference
ringsound please enter the conference host's voice mail password then press pound
if you are the conference host then you may enter the host access code followed by pound at any time
invalid password please try again or press star to join as a participant
this scheduled conference can not be started at this time as it is too early. please start it at its scheduled start time.
this scheduled conference can not be started as it is past the scheduled start time.
to start or stop recording
press pound for
this call is being recorded
the recording has been stopped
the recording can not be stopped because desktop sharing has been enabled
the recording can not start because of insufficient disk space
the recording can not start at this time
to unmute your line press pound one
to mute or unmute all lines press pound two
your line has been muted
your line has been unmuted
all lines have been muted
all lines have been unmuted
the conference has been locked
the conference has been unlocked
to lock or unlock the conference press pound five
to raise or lower your hand press pound six
your hand has been raised
your hand has been lowered
the participant names are not available
to list the participants press pound three
to return to the conference please press star
to join the conference as a participant please press star
you have been requested to join a conference please press one to be placed into the conference
to end the conference press pound 99
this scheduled conference will end in the next five minutes
this scheduled conference is starting
the conference has not yet started
please wait

It is possible to play the file using an editor like Audacity, which will NOT recognize the file format if you double click it. To overcome this you must import the file as “raw data” by setting the file attributes on the import menu. Set the encoding to U-Law, the sample rate to 8000 Hz and the channel count to mono. This will enable you to play the file. That is the simple part; the trick is to edit the audio prompts without destroying the index which the application software uses to pull the correct prompt from the phr file! That is why professional services gets big bucks to change the prompt and why your average ShoreTel partner will not be able to help you! Remember that ShoreTel also keeps the voice artist the same as for the rest of the ShoreTel prompts (though some of the phrases in the existing en_us.phr file are clearly male voices left over from the development team). All in all, this is a lot of work for somebody and worth every penny you pay for it!
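Added example, not a ShoreTel tool: a Python script that treats the .phr body as raw 8 kHz u-law (the same assumption as the Audacity import settings above), finds the phrase boundaries from the silence between them, exports a phrase as a WAV that any editor can open, and writes a replacement back without changing the file length. Assumed, because the page does not document the index layout: the index holds byte offsets into the audio (which is what “pointers to the correct location” implies), so the only safe edit without parsing it is a same-length replacement, padded with silence and never longer. The input built below is constructed tones, not a real en-us.phr file.

```python
"""Added example (not ShoreTel's tooling): treat a .phr file as raw G.711 u-law at 8 kHz,
locate phrases by silence, export one as WAV, and replace one without moving the rest.
Assumption: the index is offset-based, so a replacement must keep its slot's byte length.
The sample stream is constructed tones, not a real phrase file."""
import io
import math
import wave

SAMPLE_RATE = 8000
BIAS = 0x84
CLIP = 32635
SILENCE_BYTE = 0xFF          # u-law encoding of a zero sample


def ulaw_decode(byte: int) -> int:
    """G.711 u-law byte -> 16-bit signed PCM sample."""
    b = ~byte & 0xFF
    exponent = (b >> 4) & 0x07
    mantissa = b & 0x0F
    sample = (((mantissa << 3) + BIAS) << exponent) - BIAS
    return -sample if b & 0x80 else sample


def ulaw_encode(sample: int) -> int:
    """16-bit signed PCM sample -> u-law byte (used here to build the sample input)."""
    sign = 0x80 if sample < 0 else 0
    mag = min(abs(sample), CLIP) + BIAS
    exponent = mag.bit_length() - 8              # 0..7 because mag is in 132..32767
    mantissa = (mag >> (exponent + 3)) & 0x0F
    return ~(sign | (exponent << 4) | mantissa) & 0xFF


def find_phrases(data: bytes, frame: int = 160, threshold: int = 500,
                 min_gap_frames: int = 5) -> list:
    """Byte offsets (start, end) of each non-silent run. 160 bytes is 20 ms at 8 kHz;
    a run ends only after min_gap_frames quiet frames in a row, so the short pauses
    inside a sentence do not split it. Heuristic: phrases stored back to back with no
    pause will be reported as one."""
    pcm = [ulaw_decode(b) for b in data]
    loud = [max((abs(s) for s in pcm[i:i + frame]), default=0) > threshold
            for i in range(0, len(pcm), frame)]
    phrases, start, quiet = [], None, 0
    for idx, is_loud in enumerate(loud):
        if is_loud:
            start = idx * frame if start is None else start
            quiet = 0
        elif start is not None:
            quiet += 1
            if quiet >= min_gap_frames:
                phrases.append((start, (idx - quiet + 1) * frame))
                start, quiet = None, 0
    if start is not None:
        phrases.append((start, min(len(data), (len(loud) - quiet) * frame)))
    return phrases


def to_wav_bytes(ulaw: bytes) -> bytes:
    """Decode one phrase to a 16-bit mono WAV, the form an audio editor wants."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as wav:
        wav.setnchannels(1)
        wav.setsampwidth(2)
        wav.setframerate(SAMPLE_RATE)
        wav.writeframes(b"".join(ulaw_decode(b).to_bytes(2, "little", signed=True) for b in ulaw))
    return buf.getvalue()


def replace_phrase(data: bytes, start: int, end: int, new_ulaw: bytes) -> bytes:
    """Overwrite one phrase slot in place. Shorter audio is padded with silence; longer
    audio is refused rather than shifting every later phrase and breaking offset pointers."""
    slot = end - start
    if len(new_ulaw) > slot:
        raise ValueError(f"new phrase is {len(new_ulaw) - slot} bytes too long for its slot")
    return data[:start] + new_ulaw + bytes([SILENCE_BYTE]) * (slot - len(new_ulaw)) + data[end:]


def tone_ulaw(seconds: float, freq: float = 440.0, amp: int = 8000) -> bytes:
    """Constructed test audio: a sine tone encoded as u-law."""
    n = round(seconds * SAMPLE_RATE)
    return bytes(ulaw_encode(round(amp * math.sin(2 * math.pi * freq * i / SAMPLE_RATE)))
                 for i in range(n))


def build_sample_stream() -> bytes:
    """Constructed stand-in for a .phr body: three tones separated by 300 ms of silence."""
    gap = bytes([SILENCE_BYTE]) * round(0.3 * SAMPLE_RATE)
    return tone_ulaw(0.5) + gap + tone_ulaw(0.5) + gap + tone_ulaw(0.2)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_stream()
    for n, (start, end) in enumerate(find_phrases(data)):
        print(f"phrase {n}: bytes {start}-{end} ({(end - start) / SAMPLE_RATE:.2f} s)")
```

Point it at the real file (python phr_tool.py en-us.phr) to list candidate slots and line them up against the phrase list above; a slot that the splitter reports as one run may hold two prompts the index stores without a pause between them, so confirm each slot by listening to its WAV before writing anything back.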

 

ShoreTel VPN or MPLS? What works and saves money?

An IPsec Virtual Private Network, or VPN, is sometimes used as a backup route for a Wide Area Network failure. VPNs are typically deployed as a “tunnel” through the Internet and as such are “point to point” solutions by definition. Unfortunately that will not get the job done for a VoIP deployment! If you have ever deployed ShoreTel over a VPN in a multi site network that has more than two sites, you will note that it has problems. The first problem you will note is that the Switch Connectivity display within the ShoreTel ShoreWare Director management portal looks like a Christmas tree. Normally, in a finely tuned network, you should see all green in the connectivity display. In an IPsec VPN network using a “hub and spoke” implementation or “point to point” links, you will see lots of red and yellow boxes, and switch connectivity will be inconclusive at best.

Next, you will undoubtedly experience instances of “one way audio”. Again, this is because an IPsec VPN is a “point to point” solution, when you really require a fully meshed solution that can handle more than unicast packet transfers. Additionally, IPsec applies encryption based on a key shared by the two end points of each tunnel, so every pair of sites that talks directly needs its own security association. Plain IPsec, without an encapsulating tunnel protocol, only carries unicast traffic; it does not support multicast or broadcast, and this makes it less than desirable for a VoIP deployment. Unicast is when you address the source and destination IP address to a specific target device. Broadcast is used when you must send to all network devices because you do not know the destination address. Multicast is used when you send to a group of devices that monitor a target IP address, for example for network management and service subscriptions. Using an IPsec point to point VPN might get your phones to register and enable you to make phone calls, but you will be plagued by network connectivity issues that will make your VoIP deployment problematic. Your technical support center or help desk phones will be constantly ringing with unhappy users and incomplete phone calls.

You don't have to be a network guru to understand a “hub and spoke” topology. All communications between devices at different sites (i.e. spoke end points) must traverse the hub site if they are to communicate with each other. This might work for unicast communication, but it is inefficient and invites disaster. For two sites (i.e. spokes) to communicate they have to go through the hub, which decrypts and unpacks each packet, then re-encrypts and re-encapsulates it under the other spoke's key before sending it on to the ultimate destination. Assuming you are using this configuration only as a backup during a real WAN disaster, this might be acceptable temporarily. As the primary transport for a ShoreTel VoIP deployment, an IPsec VPN “hub and spoke” topology is not very useful. We have two issues: first, IPsec does not support anything other than unicast communication; and secondly, “hub and spoke” is unworkable because “spoke to spoke” communication is required.

How do we solve this? Fortunately there are two strategies that fit the bill perfectly. First, GRE, or ‘generic routing encapsulation’, should be used to carry broadcast and multicast communications, a core component of any network deployment, especially those of the VoIP variety. Secondly, DMVPN, or ‘dynamic multipoint virtual private network’, technology should be implemented to assure “spoke to spoke” communications. DMVPN, which combines mGRE (multipoint GRE) with the Next Hop Resolution Protocol (NHRP) so that spokes can learn each other's public addresses from the hub and build direct tunnels on demand, makes it possible to deploy a ShoreTel VoIP solution over the public Internet and achieve MPLS-like connectivity at a fraction of the cost. Given sufficient bandwidth, this should be more than adequate.

What about encryption, you might ask? GRE by itself is cleartext: anyone on the path can read the encapsulated packets. ShoreTel, CISCO and most VoIP solutions can encrypt the calls themselves at the application level (media encryption such as SRTP, where it is enabled), so if every flow crossing the mesh is already encrypted end to end, tunnel encryption is a second layer. If you are also moving data over this mesh, or cannot verify that every voice flow is encrypted, then bind an IPsec profile to the DMVPN tunnels to assure confidentiality, integrity and authentication of everything they carry. The point is that a fully meshed communications network is absolutely obtainable with VPN technology, but you have to implement the correct protocol to achieve the desired results!

WAN configuration is an exact science, as is ShoreTel and CISCO VoIP technology. If you are fortunate enough to have that level of expertise in one individual or one vendor, then you are moving in the right direction with your VoIP deployment. If you need help with the WAN aspect of VoIP, then you need to call on DrVoIP. We can make the network.

Is there a RAT Virus in your phone system?

If you have a device on your network for which you do not have root privileges, then your entire enterprise is at risk of cybercrime! Do you want to know what a Trojan horse might look like? It might very well look like a Linux appliance provided by an outside manufacturer, delivered and installed on your network. This might be a network camera, firewall, phone system or monitoring device. As network security professionals we would never allow any device to be connected to our network on which we did not have root administrative authority. IT directors who budget for network security, intrusion prevention and detection and apply best practice to the care and feeding of their enterprise networks seem to overlook this very large potential security vulnerability. Every day, new networking equipment, appliances and hosts are connected to your network, and nobody ever questions the fact that you do not have root authority.

Most of the younger folks carrying an Android device have “rooted” their phone. Why? Yet you will allow your company to install equipment for which you do not have root authority? It makes no sense to us. The fact is that most modern VoIP phone systems, like those from ShoreTel and CISCO, are delivered with key components built on Linux-like platforms. These devices are placed on the network inside the firewall and perimeter security devices, yet root privilege is not available to the system owner. A very curious practice, would you not agree? Even if you have no clue about network security and hacking, would you allow someone to come into your place of business and install a “box” to which you have no access rights?

Anyone with root access could easily put programs on that appliance that would act unnoticed by network security devices. No virus protection would take note, and the device would have complete access to the entire network. A common and popular hack is the RAT, a Trojan horse that can easily be placed on an unsuspecting user's phone, computer or other network device. These RATs, or “remote access Trojans”, can be remotely controlled to turn on your microphone or camera and would have full access to all files and network resources. They become remotely controlled “bots” or computer zombies. The good news is that most modern virus protection will find these RATs if they are installed on a host computer. What about that appliance you just added to your network, the one you do not have root access privileges on? You would never even know the RAT was there, and you do not even have the access permission to check! If the vendor will not give you root, at least treat the box as untrusted: put it on its own VLAN, allow through the firewall only the ports the vendor documents, in both directions, and log its traffic, because an outbound connection from a phone appliance to an address you cannot explain is the one sign of a RAT you can still see from outside.

Business owners, regardless of their personal level of technical savvy, need to question every device installed on their enterprise network. Who owns the box and who administers the box? Do you have root administrative authority on every device in your network? If not, why not?

Don't look now, you've been hacked – part 2 (useful tools for awareness)!

Big Brother is Watching!

The thought of people being concerned that the NSA is listening and monitoring their activities is a hysterically funny concept to me. Whatever you think of Edward Snowden, know that he is a day late and a dollar short. Most of these very same people that worry about the NSA have a “Tracebook”, Twitter, Instagram or half a dozen other social media accounts that should be significantly reducing the NSA operating budget. In fact, let's just disband the NSA and hire Google! It seems that most of us have no issue publicly posting our most intimate details on Facebook, including everything short of our Social Security numbers. Posting our current location and “checking in” so that the entire planet knows not only where we are but what we are doing seems to be an absolutely essential public service, and should also include pictures of the meal I am about to eat. How many of these same individuals are aware that a photo taken on a phone with location services turned on carries Exif metadata that memorializes the GPS coordinates and the camera used to take it, and that it stays in the file unless something strips it before the picture is shared? I know you want to share pictures of the family, but do you really want ISIS to know exactly where they live?
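As an added example (not from the post), a Python check for the metadata point above: it reads the GPS tags out of a JPEG's Exif segment and can strip that segment before the picture goes anywhere. It walks the JPEG, TIFF and Exif structures directly, so it needs no image library; the sample image it builds is a constructed stub holding only an Exif segment, not a real photograph.

```python
"""Added example (not from the post): read GPS coordinates from a JPEG's Exif metadata
and strip the Exif segment. Pure Python, no Pillow. build_sample_jpeg() makes a
constructed stub (SOI + Exif APP1 + EOI, no picture data) for offline testing."""

GPS_IFD_TAG = 0x8825                      # IFD0 entry pointing at the GPS sub-IFD
LAT_REF, LAT, LON_REF, LON = 1, 2, 3, 4   # GPS IFD tag numbers
ASCII, LONG, RATIONAL = 2, 4, 5           # TIFF field types used here


def _segments(jpeg: bytes):
    """Yield (marker, start, end) for each marker segment up to the start of scan."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xD9:                    # EOI carries no length field
            yield marker, pos, pos + 2
            return
        if pos + 4 > len(jpeg):
            return
        length = int.from_bytes(jpeg[pos + 2:pos + 4], "big")
        yield marker, pos, pos + 2 + length
        if marker == 0xDA:                    # SOS: entropy-coded image data follows
            return
        pos += 2 + length


def _is_exif(jpeg: bytes, marker: int, start: int) -> bool:
    return marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00"


def _gps_from_tiff(tiff: bytes):
    order = "little" if tiff[:2] == b"II" else "big"
    u16 = lambda o: int.from_bytes(tiff[o:o + 2], order)
    u32 = lambda o: int.from_bytes(tiff[o:o + 4], order)

    def entries(ifd):                         # (tag, type, count, offset of value field)
        for i in range(u16(ifd)):
            e = ifd + 2 + 12 * i
            yield u16(e), u16(e + 2), u32(e + 4), e + 8

    gps_ifd = next((u32(v) for tag, _, _, v in entries(u32(4)) if tag == GPS_IFD_TAG), None)
    if gps_ifd is None:
        return None
    fields = {}
    for tag, typ, count, v in entries(gps_ifd):
        if typ == ASCII:                      # inline when it fits in 4 bytes, else pointed to
            off = v if count <= 4 else u32(v)
            fields[tag] = tiff[off:off + count].rstrip(b"\x00").decode("ascii")
        elif typ == RATIONAL:                 # count pairs of (numerator, denominator)
            off = u32(v)
            fields[tag] = [u32(off + 8 * i) / (u32(off + 8 * i + 4) or 1) for i in range(count)]
    if not all(t in fields for t in (LAT_REF, LAT, LON_REF, LON)):
        return None

    def decimal(dms, ref):                    # degrees, minutes, seconds -> signed decimal
        d, m, s = dms
        value = d + m / 60 + s / 3600
        return -value if ref in ("S", "W") else value

    return decimal(fields[LAT], fields[LAT_REF]), decimal(fields[LON], fields[LON_REF])


def extract_gps(jpeg: bytes):
    """(latitude, longitude) in decimal degrees, or None if the JPEG carries no GPS tags."""
    for marker, start, end in _segments(jpeg):
        if _is_exif(jpeg, marker, start):
            return _gps_from_tiff(jpeg[start + 10:end])
    return None


def strip_exif(jpeg: bytes) -> bytes:
    """Return the JPEG without its Exif APP1 segment(s); the image data is untouched."""
    out, last = bytearray(jpeg[:2]), 2
    for marker, start, end in _segments(jpeg):
        if _is_exif(jpeg, marker, start):
            out += jpeg[last:start]
            last = end
    out += jpeg[last:]
    return bytes(out)


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref) -> bytes:
    """Constructed stub: SOI, one big-endian Exif APP1 holding only a GPS IFD, EOI."""
    be = lambda n, width: int(n).to_bytes(width, "big")
    entry = lambda tag, typ, count, value4: be(tag, 2) + be(typ, 2) + be(count, 4) + value4
    rationals = lambda parts: b"".join(be(p, 4) + be(1, 4) for p in parts)
    ifd0 = be(1, 2) + entry(GPS_IFD_TAG, LONG, 1, be(26, 4)) + be(0, 4)     # TIFF offsets 8..26
    gps = (be(4, 2)
           + entry(LAT_REF, ASCII, 2, lat_ref.encode() + b"\x00\x00\x00")
           + entry(LAT, RATIONAL, 3, be(80, 4))
           + entry(LON_REF, ASCII, 2, lon_ref.encode() + b"\x00\x00\x00")
           + entry(LON, RATIONAL, 3, be(104, 4))
           + be(0, 4))                                                       # offsets 26..80
    tiff = b"MM\x00\x2a" + be(8, 4) + ifd0 + gps + rationals(lat_dms) + rationals(lon_dms)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + be(len(app1) + 2, 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    import sys
    data = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else build_sample_jpeg((37, 46, 30), "N", (122, 25, 12), "W"))
    print("GPS:", extract_gps(data))
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(strip_exif(data))
```

Usage: python exifgps.py photo.jpg prints the coordinates if any are present, and python exifgps.py photo.jpg clean.jpg also writes a copy with the Exif segment removed. Stripping only the Exif segment leaves any XMP (APP1 without the Exif header) or other application segments in place, so check those too if the camera software writes location there.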

Useful Tools for Privacy!

Because everyone is so willing to publicly disclose these personal details, it is no surprise that so many remain ignorant of the data mining that goes on without your knowing consent. I assume we all know that Google is in the business of selling digital user profiles to advertisers? Ever typed an email to a friend about planning a trip to Italy, only to find your inbox now populated with travel agency “hot deals”? If your email does not fill up with travel deals to Italy, you can bet your internet browser will now display travel agency advertisements, “learn to speak Italian” and top Italian restaurants on every page you view! Now ask me what we think about using Google Docs! We suggest that you consider the DoNotTrackMe extension for your Chrome and Firefox browsers. We also recommend that you install “Self-Destructing Cookies” and watch how many cookies are exchanged with your browser each session. Remember, an attacker really doesn't need your username and password; they need your session cookies, and for any site that is not served over HTTPS (or that sets its cookies without the Secure flag) those cookies cross that Starbucks wireless in clear text. Firesheep, a Firefox extension, made harvesting them from an open Wi-Fi network a one-click affair.

Now if this is a vulnerability that affects individuals, what vulnerability affects enterprise level environments? Forget the notoriously leaky Windows operating system and your hopelessly porous laptop; in the wake of the 56 million credit card numbers stolen from Home Depot and the 40 million stolen from Target, we now have to worry about the credit card machines at the checkout counter. Actually the TJ Maxx heist was in many ways much larger! You might be wondering how the hackers got through the firewall. As we have pointed out before, most computer network security exploitations are not executed through the firewall; they are executed by “social engineering” with the assistance of an ignorant employee or a paid hit man. It is suspected that at least one of the above break ins was assisted through a trusted third party partner, like the heating and air conditioning service company. Nothing like a starving janitorial night service crew earning a few extra bucks by plugging a USB device into a desktop computer and releasing a new and improved malware version of BlackPOS! Most of these stolen credit card numbers can be purchased on the Darknet, using a Tor browser to reach Silk Road type marketplaces.

It seems you can’t turn on an electronic device today without it alerting you that a software update is available for download. From the TV set, to the mobile phone, tablet and now even your car, all are subject to software updates. Do you even question what is being downloaded to your device when you do a software update? You just assume you are connecting with Apple, Amazon or Samsung? What if some evil doer was really just spoofing a software update and you just willingly downloaded a super basket of spy goodies that turn on your phone camera, activate your microphone and email snapshots back to the mother ship? NSA, are you kidding? You would never know if it was your spouse or employer, would you? Yet millions of people do this without care, day after day, and think nothing more about it. If you want to be tracked everywhere you go and risk having your most intimate communications published (just ask Jennifer Lawrence and the other celebrity nude hack victims), just carry your Smartphone with you at all times!

Cyber-crime, next to the Ebola virus and violent terrorism, is the single most economically destructive phenomenon to threaten the American way of life since the Cuban missile crisis. Yet the average business owner winces at the cost of engaging a computer network security audit and thinks that penetration testing is lovemaking foreplay. When the IT team asks for a firewall upgrade or an increase in budget to cover a subscription to virus, spam and botnet filtering, they somehow can’t justify the added expense. Educating your employees on the safe use of the Internet over WiFi should be part of the healthcare preventive medicine program, but most businesses will ignore “social engineering” vulnerabilities until a major data theft publicly embarrasses them.

(DrVoIP provides VoIP network readiness assessments and is a certified Network Security consultancy providing penetration testing, firewall and related security services. If you contact DrVoIP@DrVoIP.com we recommend that you use Ipredator, and remember that there is a difference between being anonymous online and untraceable online! We can help you with both.)

Looking for a UCCX Wall Board? – VSR2 has the vision!

If you have ever considered adding a Wallboard to your CISCO UCCX based Contact Center deployment, you know that the selections are slim. There is a wealth of unsupported “freeware” solutions on the net, generally the failed result of someone trying to “roll their own” wallboard. Clearly, you always have that option if you have the time, talent and ongoing commitment to support Cisco’s follow-on versions and upgrades. To assure ongoing compatibility with CISCO, you need a dedicated development team! Finding a vendor supported wallboard that does not cost as much as the UCCX itself, however, has been very difficult until now. We recently had the opportunity to work with VSR2, a UK based CISCO partner who has been building software based solutions since 2007. The VSR2 UCCX Wallboard product offering is both an astonishing accomplishment and a must have product for any serious call center deployment. Not only is the product exceptional, but the entire team behind the product is a real joy to work with!

The VSR2 installation is very simple, but it is generally done by a factory engineer over a remote desktop or TeamViewer type remote connection. The VSR2 solution runs on a Windows Server under IIS and interconnects with the UCCX over an Informix database connector. Simply provide the usual UCCX database credentials and, if there is network connectivity between your Windows Server and your UCCX server, the install will be completed in less than 30 minutes, most of which is spent waiting for Microsoft! We worked with an excellent engineer, Victor Spirin, who was very helpful in answering questions and also provided an initial overview of the system’s capabilities.

We successfully tested the VSR2 on both UCCX Version 8.5 and Version 9 with no problems or show stoppers to report. The Wallboard is easy to customize and there is a great deal of flexibility in every aspect of the configuration. You can select your columns, content, color and triggers. You can create multiple CSQ wallboards, or Agent based wallboards. In fact you can create a library of wallboards and you can send supervisors links to previously created wallboards. VSR2 has also developed other tools that are effective for Call Centers, including a call recording capability, but it is the VSR2 wallboard that brings this company to the forefront! They offer a 30 free trial and, if installed, it would be hard for us to predict that it would ever be removed! Take a look!

Don’t look now but you have been hacked!

Hackers at the Front Door?

Most every home and business office now has a firewall that separates your internal computer network from the wild west of the world wide internet. The good news is that firewalls have become increasingly more sophisticated and, properly configured, can do an excellent job in securing your internal computer network devices. Modern firewalls now include intrusion detection and prevention, email spam filtering, website blocking and most are able to generate reports on who did what and when. They not only block evil doers from outside your network, but they police the users on the inside from accessing inappropriate resources on the outside internet. Employees can be blocked from visiting sites that can rob your business of valuable productivity time or violate some security compliance requirement. Prime business hours are really not the time to update your Facebook page! Nor do we want our medical and financial service folks using an instant messaging service to chat with an outsider!

The Firewall is the electronic equivalent of the “front door” to your computer network and there is an endless parade of potential evil doers spray painting your doors and windows, relentlessly looking for a way in. A properly configured, managed, and regularly updated Firewall can be very effective in protecting your computer network, both in the office and at home. Behind the firewall, most desktop computers and office servers have local software based firewalls installed that also provide virus protection. Hopefully, if something does get past the firewall, the internal virus and desktop firewall solutions will provide an additional level of security.

What is a Firewall Anyway?

Firewalls are both reasonable and appropriate, but here is the bad news. Most of the hacking you now hear and read about is not done by evil doers coming through your firewall! The real damage is done by those inside your network! Malicious users and dishonest employees will always be a threat. There is always the threat of the unscrupulous employee swiping credit card data or passing security information for money. The real danger, however, is from users who are just ignorant of today’s highly sophisticated security vulnerabilities. The most honest employee can unwittingly become the source of a major security breach resulting in the loss of their own personal data, or the personal and financial data of your customers.

Take your average laptop user as a perfect example. How many times have you gone down to Starbucks and set up shop? Beautiful day, open air, sun and a high speed internet connection, wireless phone and it is business as usual! If I told you how easy it is to set up a “man in the middle” attack at Starbucks you would give up coffee for the rest of your life. You think you are on the Starbucks WiFi, but actually that kid in the back of the Starbucks with the Wireless Access Point attached to his USB connector has spoofed you into thinking he is your door to the Internet. He has been monitoring every key stroke on your laptop since you logged in. In fact he now has your login, password and most everything else on your computer. Now when you head back to the office and plug in, you just unleashed a bot on the company network and he will be back later tonight!

If laptops were not enough, everybody is now walking around with a Smartphone! Did you know that your Smartphone keeps a list of all the WiFi networks you have used recently? Remember when you were down at Starbucks checking your email while waiting for that cup of coffee? Now everywhere you go your phone is sending out a beacon request that sounds like “Starbucks WiFi, are you there?” hoping it will get a response and auto connect you to the internet. Remember that kid we were just talking about? He decided to answer your beacon request with a “yeah, here I am, hop on!” Just another “MITM” attack, and what he can do to your Smartphone, especially those Androids, makes your laptop look like Fort Knox!

Sometimes for fun and entertainment, while sitting at a gate in an airport waiting room, I will net scan the WiFi to identify how many phones, computers and iPads are online and connected. Not saying that I would do this, but I think you could execute a NetBIOS attack in less than five minutes? It is amazing how many people leave their printer and network sharing options on when they travel. Even more people leave their “Network Neighborhood” settings in the default configuration! The drill is always the same: map the network to see what hosts are connected; port scan for known vulnerabilities; out comes the exploit tool kit and the rest is actually getting relatively boring for the ethical hacker. Now credit card thieves on the other hand…….

Chances are your Internet browser is your worst enemy when it comes to securing your privacy. Every website you visit, every email you send and every link you follow is being tracked by hundreds of companies. Don’t believe me? If you are using Firefox, install an add-in extension named DoNotTrackme and study what happens. Assuming you are an average internet surfer, in less than 72 hours you will have a list of over 100 companies that have been tracking your every move on the internet! These companies don’t work for the NSA, but they do sell your “digital profile” to those willing to pay for the information. Where has your GPS been? What sites did you visit, what movies did you watch, what products did you buy, what search terms did you select – all of this dutifully reported back by you and your unsuspecting employees. Ever wonder if your competitors want to know what you’re viewing online?

Voice Over IP phone systems offer an entirely new range of vulnerabilities waiting to be exploited by the unscrupulous evil doer! We recently illustrated to a client Law Firm (as a paid intrusion detection and penetration testing consultant and with the client’s permission) just how easy it is to covertly switch on a conference room based speakerphone and broadcast the entire conference to a remote observer over the internet! In fact, capturing voice packets for replay is the first trick script kiddies learn in hacking school!

VoIP, Bluetooth, WiFi, GPS, RFID, file and print sharing and even the “cloud” all add up to a list of vulnerabilities that can be easily exploited. What can you do? You need to educate yourself and develop your own “best practice” for safe computing. You need to educate your employees and co-workers about the various vulnerabilities we all face every day as we become more “wired” and more mobile. Hire a competent Computer Network Security professional to do “penetration testing” on your corporate network and firewall. It would be better to pay a professional to “hack” you than pay to fix it after you have been hacked! Remember, if we can touch your network, we will own your network!

(DrVoIP provides VoIP network readiness assessments and is a certified Network Security consultancy. If you contact DrVoIP@DrVoIP.com we recommend that you use Ipredator to do so!)

ShoreTel Virtual Trunk Switch – Configuration and License impact!

ShoreTel currently has three virtual appliances that can be used in place of the Orange ShoreGear voice gateways and conference servers. These three virtual appliances are shipped within the ShoreTel core Server Software and consist of OVA files and ISO images. The three appliances are the phone switch, the trunk switch and the Service Appliance, a virtual replacement for the SA-100 and SA-400 conference servers. Once they are virtualized, they install exactly like the hardware versions of the Orange ShoreGear boxes. The only noticeable difference is that the configuration page in the ShoreWareDirector does not seem to offer up the image of the switch as it does with the hardware version. There are no drop down boxes for configuration of switch feature options, in large part because each option is defined by the OVA file. We note only two ISO images in the FTP root of the HQ server, so we have concluded that the same ISO is used for the phone switch as for the trunk switch, the differences being set by the OVA file.

Each of the virtual devices installs in a very similar manner, with little difference as it relates to the bring up under VMware. Open the proper OVA file and the hardware is appropriately configured. Launch the machine and you will be required to provide the normal network configuration data and identify the location of the ShoreTel HQ/FTP server. After the machine is configured you can log in as root, run ifconfig to check your network card settings and note the MAC address for configuration in the ShoreWareDirector. Then bring up the CLI using “stcli” and you will be greeted with the familiar and easy to navigate ShoreTel Switch menu system. You will need to add the FTP, NTP and DNS address information. Having a primary NTP source is of critical importance, especially when configuring the Service Appliance used for conferencing applications.

Now that the virtual machine is configured and running you can add it in the ShoreWareDirector. Again, aside from the lack of an orange switch image on the configuration page, it installs like any other ShoreGear device. From a license perspective, no harm done until you actually configure a SIP trunk. In addition to the normal SIP trunk licenses you will need for any of the hardware gateways, the vTrunk switch will require licenses as you add trunks to the virtual appliance. All in all this is sweet stuff and you should have a ball playing with virtual switches! The video walks you through the entire setup! – DrVoIP@DrVoIP.com