Hardware and Software cost analysis of Thin Client Computing

For over ten years there has been on-going internal discussion in corporate IT departments surrounding the cost benefit to organizations of deploying a centrally managed thin-client hardware topology versus “fat client” or locally installed applications on PCs. There was a time, about seven or eight years ago, when arguing against thin clients from a cost perspective was a futile endeavor. During this era of the late 90’s the cost of a PC was decreasing, but a quality business class system ran $900 or more without a monitor.

Now with a solid, business class workstation priced at $700 or less, with a flat panel LCD display and Windows XP Pro, the cost benefit of a thin client environment must be weighed by factors that were considered unbeatable at the dawn of thin client computing. Some of these include: centralized administration, ease of deployment, license manageability and remote user access. Currently a thin client deployment using Microsoft RDP and Citrix components is far from being less expensive than the cost of a PC. I include Citrix in the equation versus standard Microsoft RDP because of the security, stability and flexibility ICA adds to the environment, such as the ability to publish individual instances of applications versus the entire desktop and the ability to overcome notorious printing issues.

One of the key costs of a Microsoft thin client deployment is the cost of running Windows 200x Terminal Server in “Application mode”. Once a Windows server is converted from “Administrative mode”, each device or user that connects to the system will require a “Device” or “User” CAL (Client Access License). There’s a big difference between the two that must be taken into consideration when making the purchase from a Microsoft license reseller and setting up the terminal server. Here’s the difference:

  • A Microsoft Terminal Server “User” CAL means that each domain user account that connects to a terminal server instance will permanently use a CAL. The user account can use this CAL to access any MS Terminal Server instance. This CAL can only be released from its binding to the user account via a call to Microsoft Licensing Support, and usually only twice per CAL according to MS policy.
  • A Terminal Server “Device” CAL is one that permanently ties itself to a specific workstation or hardware device (i.e. thin-client) by binding to the MAC address of the network adapter for that device. The device can use this CAL to access any MS Terminal Server instance. This CAL can only be released from its binding to the device via a call to Microsoft Licensing Support, and usually only twice per CAL according to MS policy.

An ideal example of when to use per Device CALs would be a call center environment, where several different users sit down at the same workstations on multiple shifts. With three shifts you would have to invest in three times as many User CALs as Device CALs. Alternatively, a good use of per User CALs is for remote users of applications who may not always use the same device to access the terminal server environment.

The cost of a User CAL and a Device CAL is the same. Since they tie themselves to the user account or device accessing a terminal server they are termed “non-concurrent” licenses. Generally these run approx. $70 per user for a small to medium business, depending upon your relationship with your license reseller. I will not include the cost of the server OS itself because it will be assumed that a Microsoft 200x server will be in the environment regardless of architecture. However, a terminal server will be more expensive than a standard file and print server due to hardware requirements, a difference of around $2000 on average.

On top of the required Microsoft licensing there are the required Citrix Presentation Server licenses. Unlike the Microsoft licenses, Citrix licenses are “concurrent”, meaning they do not tie to users or devices. They are pooled on a licensing server and checked out each time a user logs in to a Citrix server or “Farm”, which is a group of MS terminal servers running Citrix in a load balanced configuration for application scalability. Each Citrix license (not termed a CAL) currently costs approx. $220 per user for the standard edition of Citrix Presentation Server 4.0 and $400 per user for the advanced edition, which supports the load balancing scalability feature. The standard edition only supports the connection of users to one Citrix terminal server instance. One modern server with two processors and 2 GB of memory minimum can support up to 30 concurrent users (15 per processor by Citrix long-running standards). For the sake of this cost analysis I will assume 30 Citrix users. I am not going to assume corporate application licensing costs or compatibility with a thin client environment because the variables are too numerous. It would be up to experienced administrators to make this assessment on an individual basis.

Total Cost Breakdown:

$320 x 30 = $9600 – ICA compatible thin client device from Wyse or HP.

$120 x 30 = $3600 – 17″ flat panel LCD monitors

$70 x 30 = $2100 – Per User or Device Terminal Server CALs.

$220 x 30 = $6600 – Concurrent “standard” Citrix Presentation Server 4.0 licenses.

$2000 – Additional server hardware cost for multi-session thin client support.

Approximate total for Citrix ICA thin client deployment = $27500.00 or $916.66 per user.

Approximate total for Workstation deployment = $21000.00 or $700 per user.

Clearly the base cost of hardware and OS licensing is no longer the primary benefit in selecting a thin client environment. But when additional factors, such as less desktop hardware support, are taken into consideration there are many benefits to a thin client environment, including those I mentioned earlier. By no means do the falling prices of PCs mean the end of remote application deployment. In fact I think it just means that now we’ll be able to have the best of both worlds as PCs replace the thin client hardware devices and remote application technologies take hold to provide reliability and ease of administration through centralized management.

And to those who think I’m forgetting to take network connectivity into consideration as a reliability factor, I will only remind you that almost all corporate applications in use today require access to network files or SQL data to function anyway. So never, under any circumstances, regard network reliability as anything less than an absolute necessity.

A Diebold voting machine can be opened by a hotel mini-bar key.

No one dares ask me what I think about corporate “sponsored” voting machines which were handed to contractors by the most corrupt of Neocons. Not unless they want a 30 minute lecture on individual vote accountability. But this is a security test anyone can understand. A common key that can be bought almost anywhere on-line can open the most security sensitive part of a Diebold voting machine where the memory card is located.

Your vote does count. As many times as Diebold wants it to for their candidates. I particularly like one reader’s response:

“At least the minibar has a paper record of what you’ve taken out.”
http://www.freedom-to-tinker.com/?p=1064

Firefox 1.5 Spell Checker

I recently learned that the developer of Spellbound, the best spell checker ever for forms in Firefox 1.0, went to work for Mozilla to incorporate the extension into Firefox 2.0. Therefore there was never a compatible release for 1.5. But I found a little-known forum project that has an extension that seems to work just as well.

Before installing the Spellbound 1.5 Dev extension you’ll need to install a Mozilla language dictionary. If you already had Spellbound installed before upgrading to Firefox 1.5 your existing dictionary will work.
Mozilla Dev Language Dictionaries

Just save this file to your desktop, open Tools, Extensions from the Firefox 1.5 menu and drop the downloaded file into the Extensions window. Restart Firefox.
Install Spellbound Dev 1.5

Verizon sucks. <- period.

All of this is documented fact that would hold up in court.

A couple of months ago I attempted to get DSL service provisioned by Verizon into a new facility location for Pack-Rat. They screwed up and cancelled the order three times only to re-open it every time. We even paid $49.00 to have a tech go out and install the service for us. They never showed for three scheduled appointments, delaying our ability to open for business by two months. In the final call I made to Verizon regarding this provisioning I was told that the installation tech that was supposed to go on-site to install the service would not be available for a “truck roll” for another week. I indicated that was not acceptable. Verizon charged us for the install, no truck rolled and the rep actually asked me if I would “like to cancel” if the option of waiting another week was not to my liking. I cancelled. Covad’s getting the business.

But that’s not as bad as it gets. 2 weeks ago I called Verizon to order a PRI for our corporate location in DC. We already have four analog lines with them in that location. I was told by the sales rep that we would have to be referred to a sales rep and the request would be “put in queue”. 2 weeks later – no call. So I called them this morning. I was told that the request was “picked up” by Russell Noll, someone I’ve never heard from.

Is Verizon in the business of selling telecommunications or not? They are no more than another company that got so busy with a large customer base they do not care one bit about new business or customer service. May their stock drop like Bell South’s and burn into bankruptcy and corporate corruption scandals. For the record, I’ve heard their cell coverage sucks from those I know stuck on one of their plans. Probably overloaded their network in this area.

And don’t even get me started on the voice prompts when you call Verizon customer service. They are truly a company that has lost the ability to make customers happy while generating new business. They’re like Republicans in Iraq. They won the first round of the turf battle but now they’re neck deep into something out of their control. Could this be the beginning of the end?

WinVNC4.exe virus

Had a really strange virus break out on our network yesterday. Here’s the breakdown:

Trend Micro OfficeScan detected an infection on a workstation at 12:21 PM. The virus was located in the file C:\Program Files\RealVNC\VNC4\WinVNC4.exe. This is a legitimate file and location for us, as we have VNC server installed on workstations for remote admin. Trend reported the virus name as Trojan_Generic and it could not be cleaned or quarantined. It propagated through an unknown transport to random machines on the WAN in a matter of 10 minutes.

15 machines got infected before I shut down the MS Exchange services just in case it was using the address book as a transport. It didn’t seem logical that this was the propagation mechanism but the outbreak seemed to subside. We then removed VNC from the machines that got infected and I restarted the Exchange services. Two more machines were infected after this but no more. Several other workstations on the network had VNC server and the port open but were not ever infected.

One more interesting lead I have is that the machine where the outbreak initiated was the only one on the network with ports 6697 and 9234 recently opened for a custom IRC application. These have been closed. Anyone with any information about this outbreak is welcome to leave a comment.

_______________________________________________________

Update: 07-26-2006

Turns out this was a “false-positive” in Officescan virus definitions release 5.99.

Upgrading to the 6.07 definitions clears the problem. I still think Trend Micro is the leader in the anti-virus industry.
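Here is the check I would run before pulling software off machines in a situation like this. It is an added example, not part of the original post: it compares the flagged WinVNC4.exe on each alerting host against a known-good copy, so an unmodified binary flagged after a definition update can be told apart from a file that has actually been changed. The host list and reference path are placeholders; it assumes PowerShell 4 or later and admin-share access to the workstations.

```powershell
# Added example: triage a Trojan_Generic alert on a file that is expected to be
# present on every workstation. Byte-identical copies that match the deployed
# reference point to a definition false positive; a copy that differs is suspect.
$FlaggedPath   = 'Program Files\RealVNC\VNC4\WinVNC4.exe'  # path reported by OfficeScan
$ReferenceCopy = 'C:\Deploy\RealVNC\WinVNC4.exe'          # placeholder: copy taken from the installer you deployed
$Hosts         = @('WS-001', 'WS-002', 'WS-003')            # placeholder: hosts that raised the alert

$refHash = (Get-FileHash -LiteralPath $ReferenceCopy -Algorithm SHA256).Hash

$results = foreach ($h in $Hosts) {
    $remote = "\\$h\C`$\$FlaggedPath"
    $row = [ordered]@{
        Host = $h; Hash = $null; MatchesReference = $false
        Size = $null; LastWrite = $null; Signature = $null; Note = ''
    }
    if (Test-Path -LiteralPath $remote) {
        $item = Get-Item -LiteralPath $remote
        $row.Hash             = (Get-FileHash -LiteralPath $remote -Algorithm SHA256).Hash
        $row.MatchesReference = ($row.Hash -eq $refHash)
        $row.Size             = $item.Length
        $row.LastWrite        = $item.LastWriteTime   # a fresh timestamp on a long-deployed file is a red flag
        $row.Signature        = (Get-AuthenticodeSignature -FilePath $remote).Status
    } else {
        $row.Note = 'file missing or admin share unreachable'
    }
    [pscustomobject]$row
}

$results | Format-Table -AutoSize

$hashed   = @($results | Where-Object { $_.Hash })
$distinct = @($hashed | Select-Object -ExpandProperty Hash | Sort-Object -Unique).Count
$mismatch = @($hashed | Where-Object { -not $_.MatchesReference }).Count

if ($hashed.Count -gt 0 -and $distinct -eq 1 -and $mismatch -eq 0) {
    'All flagged copies are byte-identical to the reference: the binary is unmodified.'
    'A burst of identical alerts right after a definition update points to a false positive; confirm with the vendor and retest on newer definitions.'
} else {
    "$mismatch host(s) have a WinVNC4.exe that differs from the reference: isolate them and collect the files before cleaning."
}
```

Unreachable hosts show up with an empty hash and a note rather than silently counting as clean.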

Why does Acrobat 7 suck so much?

I had a full copy of Acrobat 6 on my machine at work. For some reason only known to Adobe it decided to start hosing and wouldn’t open any documents. It just froze a blank white box on the center of my display. So I uninstalled it and put on a copy of Acrobat 7 reader. I needed to open some documents damn it.

Acrobat 7 ran flawlessly. Once. Then any time I tried to open a subsequent document it gave me an hour glass and the Acrobat process chewed up 45-50% of my CPU with no results. What a piece of sh*#!

Flush Acrobat – Get Foxit PDF reader and never look back. Adobe should pay as much attention to these readers as they do Photoshop. And what’s to happen to all the wonderful Macromedia products now that they’ve entered the Adobe family as step-child applications? We will know shortly. Until I know I won’t give up my old copy of Dreamweaver.

Lacking SNMP

I had the worst day trying to troubleshoot slow internet connection speeds with Time Warner today. Without SNMP interfaces on the 3Com OfficeConnect VPN Firewalls we use I couldn’t get a handle on where the problem was occurring. All I knew was that we didn’t have a lot of irregular traffic on any ports, the VPN stayed up (barely) and I had external URL and IP ping times as high as 2500 ms.

We’re going to be putting an SNMP compliant firewall/router at our core. Probably a 3Com Tipping Point. That will let me use PRTG Traffic Grapher to look at our bandwidth by interface in real time. Monitoring without SNMP sucks.

Outlook Web Access from another IIS server

Last weekend I spent over 16 hours working on an Exchange mail server migration from a MS Small Business Server to a stand-alone Exchange instance on a Dell PowerEdge 2850. It all went relatively smoothly by installing the second Exchange server on the network as a second instance and moving the mailboxes using the wizard. The part that took the most time was moving the Outlook Web Access configuration.

For the record, you cannot run OWA from an instance of IIS other than on the Exchange server itself. But if you have only one public IP address on the firewall/router and have port 80 going to a different web server you can still access OWA on the Exchange server by using SSL port 443. Here’s how (assumes advanced IIS knowledge):

  1. Using Port Address Translation on your firewall point port 443 to the internal IP address of your Exchange server.
  2. Port 80 should already be going to your primary web server via a PAT entry, unless you’re running it in a DMZ.
  3. Make sure your external DNS entries contain an entry for the new “webmail” host (an A record or CNAME pointing to the public IP of your firewall/router). ex: webmail.yourdomain.com
  4. Create a CNAME (alias) in your internal DNS records for “webmail” pointing to the A record for your primary IIS server.
  5. Create another A record or CNAME entry in your external DNS entries to include the name of the Exchange server. ex: “exchangeserver.yourdomain.com”. You should already have this entry internally or you didn’t set up your Exchange server right.
  6. On the primary (port 80) IIS server create a new site called “OWA Alias”.
  7. Create a host header for this site called “webmail.yourdomain.com”.
  8. In the properties of this site select “Redirect this site to another URL” to a site on port 443 (https://exchangeserver.yourdomain.com).

Now when an internal or external user goes to “webmail.yourdomain.com” they will be redirected to “https://exchangeserver.yourdomain.com”. For users outside of your LAN this will push them back out the firewall and force them to come in over port 443 to the Exchange server. Internal users who type “webmail.yourdomain.com” into a browser will be redirected to https://exchangeserver.yourdomain.com as well, so every user ends up on the host name the certificate was issued for.

Note: you should always run OWA with a certificate, so make sure one is installed for the “Default” site of the IIS instance on the Exchange server. This certificate can come from a public Certificate Authority or can be generated by Microsoft Certificate Services running on the Exchange server itself. Because of the detail involved I won’t get into certificate issuance in this post. Pay close attention to the name of the host when generating the certificate request. It should be the same as the https host name (https://exchangeserver.yourdomain.com in my example).
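The “OWA Alias” site from steps 6 to 8, created through the IIS 6 metabase instead of the IIS Manager dialogs. This is an added example, not from the original post; it assumes Windows Server 2003 with IIS 6 on the primary (port 80) web server, an administrative PowerShell session, and the placeholder home directory below.

```powershell
# Added example: script steps 6-8 (new site, host header, redirect to https)
# against the IIS 6 metabase via its ADSI provider.
$HostHeader = 'webmail.yourdomain.com'
$RedirectTo = 'https://exchangeserver.yourdomain.com'  # must match the name on the Exchange server's certificate
$HomeDir    = 'C:\inetpub\owaalias'                    # placeholder; the site never serves content from it

if (-not (Test-Path -LiteralPath $HomeDir)) { New-Item -ItemType Directory -Path $HomeDir | Out-Null }

$w3svc = [ADSI]'IIS://localhost/W3SVC'

# Stop if another site already answers for this host header on port 80,
# otherwise IIS will silently route the name to whichever site it finds first.
foreach ($s in $w3svc.Children) {
    if ($s.SchemaClassName -eq 'IIsWebServer' -and ($s.ServerBindings -contains ":80:$HostHeader")) {
        throw "Site '$($s.ServerComment)' already binds :80:$HostHeader"
    }
}

# Next free site id = highest existing id + 1 (the Default Web Site is 1)
$ids    = @($w3svc.Children | Where-Object { $_.SchemaClassName -eq 'IIsWebServer' } | ForEach-Object { [int]$_.Name })
$siteId = ($ids | Measure-Object -Maximum).Maximum + 1

# Step 6: the site itself. Step 7: ServerBindings is "IP:port:hostheader";
# an empty IP means "all unassigned", so the header is what selects this site.
$site = $w3svc.Create('IIsWebServer', $siteId)
$site.Put('ServerComment', 'OWA Alias')
$site.Put('ServerBindings', ":80:$HostHeader")
$site.SetInfo()

# Step 8: "Redirect this site to another URL" lives on the site's ROOT vdir.
# Every request to the alias is answered with a 302 to the https name, so the
# browser always lands on the URL the certificate was issued for.
$root = $site.Create('IIsWebVirtualDir', 'ROOT')
$root.Put('Path', $HomeDir)
$root.Put('AccessRead', $true)
$root.Put('HttpRedirect', $RedirectTo)
$root.SetInfo()

$site.Invoke('Start')
"Site $siteId ('OWA Alias') created: http://$HostHeader -> $RedirectTo"
```

Without an EXACT_DESTINATION flag IIS appends the requested path to the redirect, so webmail.yourdomain.com/exchange lands on https://exchangeserver.yourdomain.com/exchange, which is what you want for OWA.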

I heard Skype sucks anyway.

This article was slashdotted today and is undoubtedly getting a bazillion hits:

AMD’s Lawyers call on Skype

Skype is claiming that AMD’s dual cores aren’t sufficient to handle 10 way VOIP conference calls and Intel’s are. What a crock of SH….!!!

Maybe Skype didn’t do their homework before building corporate bias into their software (the “GetCPUID” function). Let me help them. Skype read this:

Dueling Cores: AMD vs. Intel

Or this:

CNET Prizefight: AMD vs. Intel Dual Core (cut to the chase: AMD won all 7 rounds).

And here’s a very thorough test by ExtremeTech:

“While Intel’s Pentium Extreme Edition 840 acquits itself fairly well in a number of benchmarks, there are also some disturbing trends. In some tests, such as Cinebench 2003, AMD’s X2 sees greater gains in performance than the Intel CPU. In more theoretical tests, such as Passmark’s Performance Test, Intel generally holds its own—except in floating point, where it loses by a wide margin.”

Everyone who’s done this level of testing professes that while Hyper-Threading helps Intel at running multiple applications simultaneously (like 12), the AMD chips smoke Intel in single instance apps because they handle the floating point better. And when AMD invokes on-board diagonal memory addressing Intel is doomed because AMD will have a solid solution for handling 4 cores. Intel doesn’t have a chip with architecture to begin handling it, so they might go to market with a 4-core chip in 2007 (Clovertown) that won’t have an on-die memory controller. “This bandwidth problem will be exacerbated by the fact that Intel still won’t have an on-die memory controller, which means that memory traffic will be flowing to all four cores over that single, dated FSB.” What’s Intel gonna do when the day comes that we want to use all flash memory without a FSB? Personally, one day I want a 19″ flat panel calculator with 200GB of flash memory and 256MB of video ram plugged straight into 8 cores. In my spare time I’ll get in Pcad and Pro-E and get it rollin’ for us.

So Skype can try to pull off a corporate partisan move and sell out to the marketing monoliths (they won’t even admit they’ve tested their software against AMD chips) and unfortunately they may succeed. This level of technology is beyond the argument of the justice system in that there is no judge or jury capable of analyzing performance results of multi-core processors to a level capable of discrediting a bogus claim such as this one made by Skype. The science and tech sector must rely on a platoon of lawyers outgunned by a lack of technological competence in society at large. Their task is monumental: to find a jury of “peers”. Does this mean everyone at Micron, Honeywell and Motorola should prepare for jury duty?

My last day with Dillon Supply

I started off my last day at Dillon Supply by going to get a CT Scan at Wake Radiology Consultants. Crohn’s is beating me up again. The barium suspension they gave me for the test sent my stomach into flips for the rest of the morning. I wasn’t okay until my sister brought me some medicine around 2:00. Then I struggled through a shower and went to get the last of my stuff from Dillon.

When I got there they had already disabled my access badge so I went in through the storefront. I had a long conversation with Mike about some recent technical decisions in my last days and how they were handled. All I can say now is that after all this it sounds like they’re getting straightened out.