0x00000002 error when attempting to add a provisioned printer for a PC bound to the domain

An example scenario is that only one or two PCs can’t add a server-provisioned printer – be it via GPO/Group Policy Preferences or some scripted method – and on the client, the “Connect to Printer” dialog says, “no driver found.”

When you try to manually add the shared printer, the error message contains the code “0x00000002”

Odds are good that your server is a 64-bit OS, and so is the printer driver you used.
Locate and download the 32-bit version of the driver for your 32-bit version of Windows 7, and use that when adding the printer.

VPN Setup with Zyxel USG devices – Zyxel router and client VPN configuration

This is going to be a very bare-bones post. My goal is to get right to the required details without much elaboration.

Please keep in mind that setting up a working VPN configuration is typically a process, and every vendor names and handles things differently. These settings may not be the most secure options for a VPN setup but they will work. Start with a working configuration first ! And then if you wish, alter only one parameter at a time, making sure they match at both ends (Zyxel USG router/firewall and VPN client). Do your research and understand what you are changing and why.

To begin, you will need a working network setup behind a Zyxel USG router/firewall with VPN functionality, and either – for Windows client workstations, the Zyxel VPN client software – or IPSecuritas for Mac OS (note that I won’t cover the config of IPSecuritas specifically here but it should be very easy to translate).
See http://www.lobotomo.com/products/IPSecuritas/
If you do use IPSecuritas please make sure to make a donation to the developer !

The Zyxel client VPN software can be purchased online from Amazon or Provantage, http://www.provantage.com/zyxel-zywallvpn~7ZYX903K.htm

One vital thing to keep in mind is that if your IP schema (LAN IP address type and range) at home – or any cafe or office you visit – matches that of your main office that you want to connect to, the VPN connection will not work.
This is VPN 101 material: Your remote IP address schema must not match that of the network you wish to make a VPN connection to.
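
An added example, not part of the original post: a small POSIX shell check for the overlap described above, to run before blaming the tunnel settings. The office LAN 192.168.12.0 is the address used later in this post; the /24 prefix, the sample remote networks and the function names are assumptions.

```shell
#!/bin/sh
# Added example: does the network you are sitting on collide with the office
# LAN you want to reach over the VPN? Sample networks below are constructed.

# Dotted-quad IPv4 -> integer. Rejects malformed octets (empty, >255, "08").
ip_to_int() (
    IFS=.
    set -f                                     # no globbing while splitting
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
)

# CIDR block -> "first last" as integers, e.g. 192.168.12.0/24.
cidr_range() (
    addr=${1%/*} bits=${1#*/}
    [ "$addr" != "$1" ] || return 1            # no "/" in the argument
    case $bits in ''|*[!0-9]*|0?*|???*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    ip=$(ip_to_int "$addr") || return 1
    size=$(( 1 << (32 - bits) ))
    first=$(( ip - ip % size ))                # clear the host bits
    echo "$first $(( first + size - 1 ))"
)

# Exit 0 if the blocks share any address, 1 if they do not, 2 on bad input.
cidr_overlap() (
    a=$(cidr_range "$1") || return 2
    b=$(cidr_range "$2") || return 2
    [ "${a% *}" -le "${b#* }" ] && [ "${b% *}" -le "${a#* }" ]
)

# One line of advice per location: office LAN first, local network second.
check_site() {
    rc=0
    cidr_overlap "$1" "$2" || rc=$?
    case $rc in
        0) echo "CONFLICT  $2 overlaps office LAN $1: the VPN connection will not work" ;;
        1) echo "ok        $2 is distinct from office LAN $1" ;;
        *) echo "invalid   could not parse '$1' or '$2'" ;;
    esac
}

OFFICE_LAN=192.168.12.0/24      # address from the post; the /24 is assumed
for net in 192.168.12.0/24 192.168.0.0/16 192.168.1.0/24 10.0.0.0/8; do
    check_site "$OFFICE_LAN" "$net"
done
```

Note that a wider block such as 192.168.0.0/16 on the remote side conflicts just as an identical /24 does, because it contains the office range.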

Zyxel USG configuration:
Connect to your Zyxel as usual ( https://ip.ofyour.zyxel )
Navigate to:
Configuration, Object, Address

Create an address for your local subnet, name it: LAN1_SUBNET
Address Type: INTERFACE SUBNET
Interface: lan1

Create Address Object
Name: RemoteDynamicClient
Address Type: HOST
IP Address: 0.0.0.0

Now navigate to VPN, IPSec VPN:
VPN Gateway, choose Add
Click “Show Advanced Settings”

Enable (checkbox),
VPN Gateway Name: Dynamic_Tunnel
My Address, Interface: wan1

Peer Gateway Address:
Dynamic Address

Authentication:
Pre-Shared key. You need to make this LONG and complex.
Record it securely.

Phase 1 Settings:
SA Lifetime 86400
Negotiation Mode: Main
Proposal
Encryption: 3DES, Authentication SHA1
Key Group: DH1

Enable (checkbox) Nat Traversal & Dead Peer Detection
Note that Extended Authentication does work but move on to that only after you have the rest working.
Click OK.

Go to the “VPN Connection” tab to the left.
If it isn’t already enabled, enable “Use Policy Route to control dynamic IPSec rules”
Click Add.
Click Show Advanced Settings.
Enable (checkbox)
Connection Name: Dynamic
VPN Gateway: Site-to-site with Dynamic Peer
VPN Gateway (select): Dynamic_Tunnel (you just set this up in the steps above)

Policy:
Local Policy: LAN1_SUBNET
*Remote Policy: RemoteDynamicClient

Phase 2 Setting:
SA Lifetime: 86400
Active Protocol: Esp
Encapsulation: Tunnel
Proposal:
Encryption 3DES, Authentication SHA1

Leave the rest untouched.

Firewall
Create new rule at the top
From any to Zywall
Source Any Destination Any
Service L2TP-VPN
Allow
If you want to debug your VPN enable logging, but otherwise there’s no need.

Add rule:
IPSec_VPN to any (Excluding Zywall)
source any, destination any, allow

With a USG 20 (but not a 100),
under Routing
Add Policy Route:
Incoming L2TP_VPN source any Destination LAN1_SUBNET
source any, next-hop auto, SNAT outgoing interface

Zyxel VPN Client configuration:
Install the Zyxel VPN client, a reboot will be required.
You might like to customize your taskbar to always show the Zyxel VPN icon.

Right-click where it says “VPN Configuration” on the left and choose Wizard.
Choose “A router or a VPN gateway”
Enter the external static IP of your Zyxel in question, or FQDN if appropriately configured.
Enter the PSK (pre-shared key) you set up previously and safely recorded :-)
Enter the IP private (internal) address of the remote network. This should match the IP schema for your main office that you are connecting to.
NB: Don’t try to choose a specific IP, just enter 0 for the final octet/number, ie:
192.168.12.0

Click Finish.
Now click on the listed “Gateway” on the left.
In the Authentication tab under IKE, change the settings to match those you set up under “Phase 1” on your Zyxel:
Click Apply at the upper-left.

Now click on “Tunnel” at the left (listed just underneath Gateway).
Under Addresses, correct the Subnet mask for your Remote LAN address setup.
Under ESP, don’t change anything but confirm they match your Phase 2 settings on your Zyxel – they will by default.
PFS: Change to DH1

Optionally, click on the Advanced tab, and under Alternate servers,
enter the IP address of your (primary) internal DNS Server at the main office you’ll be connecting to via VPN.

Click Apply at the upper-left.

Right-click the Zyxel VPN icon and choose connect.
It works ! Or, it should based on the supplied info.

Windows XP, are you still using it ?

As you should know, Microsoft will no longer be supporting Windows XP as of this month (April 2014), in that the last patch they provide will be April 8th. *

There are a great number of reasons not to ignore this issue, whether XP is still in use at home or in a business environment. Please see http://www.pcpro.co.uk/features/386077/windows-xp-microsoft-s-ticking-time-bomb

“(Computers still running Windows XP) will be vulnerable to hackers once XP stops receiving security updates, with Microsoft warning earlier this year that hackers could use patches issued for Windows 7 or Windows 8 to scout for XP exploits.”

If you don’t already have a migration plan in place and well underway, you absolutely should ! (Picture a billboard-sized flashing neon sign and sirens for appropriate emphasis).

Here are some great tips if you are forced to eke out a few more days from your XP systems:

http://nakedsecurity.sophos.com/2014/04/01/42-days-to-go-for-xp-8-tips-if-you-arent-going-to-make-it/

Note the last item, “Get on with your personal or organisational efforts to get rid of XP.”

Please contact us at the Core Solution Group if you need help with planning and migrating away from Windows XP, including backup of your data, computer hardware upgrades or replacement, and analysis of any software you rely on – be it versions & compatibility with Windows 7 or 8, or alternatives to outdated programs that won’t run on a newer version of Windows.

*For a not-insignificant cost, some organizations may opt for Microsoft’s Custom Support, which costs $200 per year per PC, and covers only patches ranked as “critical.”

http://www.pcworld.com/article/2047768/microsoft-will-still-patch-windows-xp-for-a-select-group.html

OS X Mavericks is free, yes. But please look before you leap !

First and foremost, ensure that your Mac is compatible. You’ll want to have enough RAM (not just the minimum 2 GB, far better to go with more if you can), and (we recommend) at least a 7200 RPM hard drive or, better still, an SSD for the best responsiveness.

The listed requirements are as follows (see http://www.apple.com/osx/specs/ ):
OS X v10.6.8 or later, 2GB of memory, 8GB of available space
You’ll need an Apple ID if you don’t already have one (and you probably do if you’re using iTunes), see
https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/

The compatible hardware/model list is:
iMac (Mid 2007 or newer)
MacBook (Late 2008 Aluminum, or Early 2009 or newer)
MacBook Pro (Mid/Late 2007 or newer)
Xserve (Early 2009)

Please – whatever you do – make sure you have a known-good, full backup (via Time Machine or your other backup method of choice) before you do anything.

It’s a good idea to read a little more about it, and Macworld has a great writeup here:
http://www.macworld.com/article/2052602/get-your-mac-ready-for-mavericks-os-x-10-9.html

iOS 7 – what you need to know

If you have an Apple iOS device that didn’t come with iOS 7, and you’re considering the update, there are some things you should keep in mind before taking the leap:

It is not possible to undo this update.

Ensure that iOS 7 is permitted for use at work if you do use it in that capacity at all. If your workplace IT hasn’t tested and approved it for use, and you really do need it for work purposes – even if it’s “just email” – then I recommend you don’t take the risk because you’ll be on your own if you find out after the fact that there’s a problem.

Keep in mind that iOS 6 has obtained FIPS 140-2 validation, iOS 7 has not – not yet, and it could take some time.
If this is a requirement for you, stop now and wait.

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm

If you do go ahead: Backup your device via iTunes first.
I also recommend that you do a full power-cycle of the device prior to applying the update. Hold down the power button until a message and the slider for doing a full shutdown appears. Wait a few seconds and then use the power button to turn it back on.

There are a great many changes and some new features in iOS 7, I recommend having a read at

http://www.macstories.net/roundups/ios-7-tips-tricks-and-details/

I’m using iOS 7 without issue and so far enjoying it very much !

– David

Java in the web-browser: Disable Java if you haven’t yet

Please see

http://nakedsecurity.sophos.com/2013/02/16/facebook-admits-network-breached/

http://nakedsecurity.sophos.com/2013/02/04/another-java-update-oracle-brings-patch-tuesday-forward-to-close-in-the-wild-hole/
and
http://www.cnn.com/2013/02/15/tech/social-media/facebook-attack/

The moral of the story is: Disable Java for your browser, you probably (really) don’t need it.
For your computer at work – of course – please check with your admin(s) before attempting any changes.

If you’re running Mac OS X 10.7 or newer and keep up to date, disabling Java in your browser was probably taken care of for you.
Additionally, you can ensure Java is disabled in Safari, by navigating (while in Safari) to the Preferences menu, Security tab.
In Chrome, type: chrome:plugins and check that Java is disabled.

In Firefox go to Tools > Addons > Plugins

If you’re running Windows, please be sure to follow these instructions:

http://www.java.com/en/download/help/disable_browser.xml

How to install WordPress on Mountain Lion server, and migrate your WordPress setup from your old OS X Server install

Getting WordPress working on your Mountain Lion Server, or “This one goes to eleven” ;-)

The first thing I’d like to make clear is that I’m not trying to tell you every last detail you’ll need to know. The scope of the instructions I do provide covers the key parts of the process, circumscribed by:
1) A working install of WordPress (and associated MySQL database) on an existing OS X Server,
and
2) An existing working install of 10.8 server and (working) website hosted on it.

If you have some background with OS X Server, and a modicum of experience (and comfort) working via the Terminal (“the command-line”), this isn’t particularly difficult at all. Rather, the process requires a number of very specific, correctly executed steps. It’s actually quite straightforward if you proceed with patience and precision, and in an orderly fashion.

You should have already successfully installed WordPress on an existing instance of Mac OS X (client or Server) and configured your MySQL database appropriately for your WordPress install.
As such, you do need to already be at least somewhat comfortable working in the command-line (via the Terminal).

And now you want to hear about someone else’s success (mine) getting a WordPress site running on Mac OS X 10.8 server.
In my case, I was migrating from 10.6.8 server.

There are eleven main steps in this process. Why didn’t I make it ten ? Actually, it worked out that way as I was writing this post. I’ll take the opportunity to reference the much-loved (and oft-quoted by me) line from the film This is Spinal Tap, “These go to eleven”:

1. Backup of the WordPress files
2. Exporting your existing MySQL database for WordPress
3. Transfer the above files from your old server to your new one
4. Decompress and migrate the WordPress backup to the appropriate location on your new server
5. Install MySQL on your 10.8 server
6. Set up a new (empty) WordPress database in MySQL and restore your prior database backup (sql dump)
7. Download and install the latest stable version of WordPress
8. Configure your webserver & restore your WordPress config and content to the new WordPress install within your (web)site directory
9. Additional MySQL items
10. In Server.app, under Websites, click to “Enable PHP web applications”
11. Test and ensure that everything is working.

Postscript: Additional miscellany
Success !

Step One:
On your existing server, backup your WordPress installation. This is typically
going to be within your (web)site directory, in 10.6 Server this is
/Library/WebServer/Documents/<yoursite>
where <yoursite> is the name of the folder where your existing website files are housed.

cd /Library/WebServer/Documents/yoursite
sudo tar -czvf ~/WP_Content_backup_$(date +%Y%m%d).tar.gz <yourWordpressDirectory>

for example:
cd  /Library/WebServer/Documents/yoursite
sudo tar -czvf ~/WP_Content_backup_$(date +%Y%m%d).tar.gz wordpress

The above will put the backup (eg, WP_Content_backup_20121208.tar.gz) in your home directory,
which will be the home directory of the user you logged in as, via the Terminal.

Step Two:
Export your existing MySQL database for WordPress.
mysqldump --user=root --password=<pass-here> your_Wordpress_databasename | gzip -c > ~/WP_DB_backup_$(date +%Y%m%d).sql.gz
So in the case of my example, the resulting filename would be WP_DB_backup_20121208.sql.gz

Step Three:
Next you’ll want to migrate both of those backup items to your new server.
I used ssh to work with either server, and scp to copy the files.
You can read up on that if you need to, but as an example,
once you’ve connected to the Mountain Lion server via ssh, run the following:

scp username@oldhost:WP_Content_backup_20121208.tar.gz .
and
scp username@oldhost:WP_DB_backup_20121208.sql.gz .

“oldhost” could be the old server’s IP address or hostname.

Leave the WordPress DB backup for now.
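
An added example (not from the original post) for Steps One to Three: it keeps the MySQL password off the command line, where --password= can expose it to other local users and leaves it in shell history, and it confirms that both backup files arrive unaltered after scp. The function names, the option-file path and the manifest name WP_backup.sha256 are assumptions.

```shell
#!/bin/sh
# Added example. File names follow the post's WP_*_backup_<date> pattern;
# the helper names are hypothetical.

# Write a MySQL client option file that only its owner can read. The password
# is read from stdin, so it is never an argument to any process.
# Limitation: a password containing a double quote or backslash needs escaping.
write_mysql_optfile() (
    optfile=$1 user=$2
    umask 077
    IFS= read -r pass || return 1
    : > "$optfile" && chmod 600 "$optfile" || return 1
    printf '[client]\nuser=%s\npassword="%s"\n' "$user" "$pass" >> "$optfile"
)

# macOS ships shasum; most Linux systems ship sha256sum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Old server: record a SHA-256 digest for every backup file given.
write_manifest() (
    manifest=$1; shift
    : > "$manifest"
    for f in "$@"; do
        printf '%s  %s\n' "$(sha256_of "$f")" "$(basename "$f")" >> "$manifest"
    done
)

# New server, after scp: re-hash each file named in the manifest, looking in
# directory $2. Returns non-zero if any file is missing or altered.
verify_manifest() (
    manifest=$1 dir=$2 bad=0
    while read -r want name; do
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; bad=1
        elif [ "$(sha256_of "$dir/$name")" != "$want" ]; then
            echo "ALTERED  $name"; bad=1
        else
            echo "ok       $name"
        fi
    done < "$manifest"
    return "$bad"
)

# Old server (commented out here because it needs a live MySQL):
#   stty -echo; write_mysql_optfile "$HOME/.wp_dump.cnf" root; stty echo
#   mysqldump --defaults-extra-file="$HOME/.wp_dump.cnf" your_Wordpress_databasename \
#       | gzip -c > ~/WP_DB_backup_$(date +%Y%m%d).sql.gz
#   rm -f "$HOME/.wp_dump.cnf"
#   write_manifest ~/WP_backup.sha256 ~/WP_Content_backup_*.tar.gz ~/WP_DB_backup_*.sql.gz
# New server, after the two scp commands above:
#   scp username@oldhost:WP_backup.sha256 . && verify_manifest WP_backup.sha256 .
```

--defaults-extra-file has to be the first option on the mysqldump command line, which is why it precedes the database name.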

Step Four
Decompress the wordpress content from your former server:

sudo tar -xzvf WP_Content_backup_20121208.tar.gz

Leave the resulting “wordpress” directory where it is for now.

Step 5
Install MySQL from mysql.org:

Download MySQL from http://www.mysql.com/downloads/mysql/

It should be the fourth listing there, “Mac OS X ver. 10.6 (x86, 64-bit), DMG Archive”
I do recommend that you also download the signature and verify your download with gpg.
That’s another topic entirely, but see http://support.gpgtools.org/kb/how-to/first-steps-where-do-i-start-where-do-i-begin
and https://www.gpgtools.org/installer/index.html

Always secure your mysql installation, which you can do with the command below,
which will also ask you to create a (MySQL) root password.
Make sure you record this securely, and please don’t confuse the MySQL root user with your/the
system “root” user.

cd /usr/local/mysql
bin/mysql_secure_installation

Step 6
Set up the MySQL DB for your WordPress installation:

Create an empty database for your WordPress database (db):

/usr/local/mysql/bin/mysql -u root -p

(Presuming that your database name is wordpress_db – when you’re at the mysql prompt):
create database wordpress_db;
grant all on wordpress_db.* to your_wordpress_username@localhost identified by 'password for your wordpress user here';

Do note that your wordpress username and password will need to be the same as they were originally,
in order to line up with your wordpress config (see the next item).

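Restore your backed up WordPress MySQL database. The dump from Step Two is gzip-compressed, so decompress it first:
gunzip WP_DB_backup_<DATE>.sql.gz
mysql -u root -p -h localhost DATA-BASE-NAME < WP_DB_backup_<DATE>.sql
eg.
gunzip WP_DB_backup_20121208.sql.gz
mysql -u root -p -h localhost DATA-BASE-NAME < WP_DB_backup_20121208.sql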

Step 7
Download and install the current version of WordPress:

Download from http://wordpress.org/download/
and see

http://codex.Wordpress.org/Installing_Wordpress#Famous_5-Minute_Install

Step 8
Configure your webserver & restore your WordPress config and content-directory within your (web)site directory:

After installing WordPress, restore wp-config.php from your decompressed directory of your old WordPress install, or edit the stock config at
/Library/Server/Web/Data/Sites/yoursitename/wordpress/wp-config.php
to match your database name and db username and password that you set up above. See http://codex.Wordpress.org/Installing_Wordpress#Famous_5-Minute_Install
Then restore your former WordPress content to the new WordPress installation:

cd ~
mv wordpress/wp-content /Library/Server/Web/Data/Sites/yoursitename/wordpress/

Step 9
Additional MySQL setup steps:

Ensure that your mysql socket config lines up with what PHP is expecting.
Namely, /var/mysql/mysql.sock

http://support.apple.com/kb/HT4844?viewlocale=en_US&locale=en_US

From the MySQL install, copy my-medium.cnf to /etc:
cp <path to MySQL files>/support-files/my-medium.cnf /etc/my.cnf

If you’re not sure where the support-files are (or don’t seem to have them), you can download the tar.gz version of MySQL from http://dev.mysql.com/downloads/mysql/

Look for the first item listed there, “Mac OS X ver. 10.6 (x86, 64-bit), Compressed TAR Archive”

Edit /etc/my.cnf to change the socket location (I strongly suggest you use vim or even nano and not a GUI editor):

Look for
socket          = /tmp/mysql.sock

and change it to:

socket          = /var/mysql/mysql.sock

Change the ownership of the directory in question:

sudo chown -R _mysql /var/mysql

Restart MySQL:

sudo SystemStarter restart MySQL

Ensure that you can connect to MySQL as your wordpress database user:
/usr/local/mysql/bin/mysql -u <wordpress_db_user> -p

This is the user you configured originally for your MySQL wordpress database, and when prompted give the associated password for that user.
You should be presented with the mysql prompt:
mysql>

rather than any error message(s).

Exit mysql with:
quit
(and press return).

Step 10
Enabling PHP -
Simple enough: In Server.app, under Websites, click to “Enable PHP web applications”

Step 11
Test that everything is working.

That’s it !  :-)

Postscript – Additional miscellany:
If something isn’t working, check your logs. This is easy enough to do via the Console.app utility.
The most common cause of problems will be missing a step above, or incorrect permissions.
Both are easy to correct. Don’t panic, and get this working on a non-critical server first to ensure you’re
able to get it working.

If you run into an issue where your wordpress site appears to load but nothing actually appears,
verify the permissions for the wordpress directory in question,
and remove any extraneous ACLs if there are any.

I also recommend that you install some WordPress extensions to help protect your WordPress installation & server. Look into Login LockDown, Secure WordPress, and WordPress Firewall.

Internet Explorer Zero-Day: Don’t use IE as your browser

There’s a really VERY serious exploit for Internet Explorer. IE versions 7 to 9 in Windows XP through Win 7 are vulnerable. If you haven’t updated in a while, you really need to. Please have/make a backup, and update.

See http://nakedsecurity.sophos.com/2012/09/17/new-ie-zero-day-exploit-poison-ivy/
and
https://krebsonsecurity.com/2012/09/exploit-released-for-zero-day-in-internet-explorer/ for more info.

The only time you should really use IE is for Windows Update(s).

Sophos Anti-Virus for Mac showing two (double) menu-bar icons

For those of you using a Mac but not yet running Anti-Virus software, at this stage in the game it’s a good idea. And Sophos offers a free (for home-use) version of their product for the Mac: http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx

We recommend Sophos for Mac as it’s effective and light-weight. We implemented (the paid version) of Sophos for a client & it successfully identified and disinfected some Word files infected with a (PC) Macro-virus, while leaving the files themselves intact and fully usable.

I’ve been using Sophos for Mac at home without a hitch – until recently, that is. After an update to 10.7.4 and required reboot, the Sophos menu-bar icon was showing up double – ie, listed twice.

I navigated to my account’s Library folder and, within that, the Preferences folder, and removed com.sophos.ui.plist.
In my haste, I also set aside (moved to the Trash) com.sophos.sav.plist but this was probably not necessary.
Try it if removing only the com.sophos.ui.plist pref file doesn’t solve this for you.

I then used the Terminal to issue:
sudo killall -HUP SophosUIServer

You will need to be logged in as an administrator (or know how to “su” to one in the Terminal), and the password asked for will be your existing, usual login password (for the Admin account you’re logged in with).

And the problem was solved without needing a reboot.

Symantec AntiVirus LiveUpdate – “There was an error performing the update”

Symantec Antivirus (for the Mac) LiveUpdate fails with an alert stating, “There was an error performing the update”

This occurred on a Mac OS X client workstation running Symantec AntiVirus for Mac – the Enterprise product version, not the consumer-oriented Norton AntiVirus for Mac – when attempting to run LiveUpdate.

In order to see a more helpful error message, you’d need to know to look at
/Library/Application Support/Symantec/LiveUpdate/liveupdt.log
where you’ll find the more descriptive:
"verifyCertPath():  objCertJ.buildCertPath failed to get cert path."

When I saw the above error message, it occurred to me right away that communication between the Symantec client and their servers was failing. Perhaps I might need to update a certificate by manually installing it ? The fix is easier, in fact. Update the Symantec LiveUpdate itself, which is a 4.6 MB .dmg file.

See Symantec’s article here: http://www.symantec.com/business/support/index?page=content&id=TECH154634

If you are managing your Macs centrally with Apple Remote Desktop (aka “ARD”), you can use “Send Unix command…”
to verify the LiveUpdate version on the client workstations using the following:

defaults read /Applications/Symantec\ Solutions/LiveUpdate.app/Contents/Info CFBundleGetInfoString

Using ARD, you can centrally push/distribute the updated LiveUpdate by mounting the .dmg download from Symantec, and using the package installer within.
After that, use the following command to get the client workstations to update. I suggest updating everything, rather than just (virus) definitions:

/Applications/Symantec\ Solutions/LiveUpdate.app/Contents/MacOS/LiveUpdate -liveupdatequiet YES -liveupdateautoquit YES -update LUal

The command to update definitions only is:

/Applications/Symantec\ Solutions/LiveUpdate.app/Contents/MacOS/LiveUpdate -liveupdatequiet YES -liveupdateautoquit YES -update LUdf

You can monitor some information about the update process by watching the log file (via ssh access, for example):

tail -f "/Library/Application Support/Symantec/LiveUpdate/liveupdt.log"

Please note that after repairing the problem (applying the LiveUpdate package/updating LiveUpdate itself), the update process can take a very long time ! Just let it do its thing.

Note that this problem can also occur on a Windows client where – for example – you might be trying to run LiveUpdate from a batch file or other script. See:

http://www.symantec.com/business/support/index?page=content&id=TECH167145

Note that the specific error message is the same (“verifyCertPath():  objCertJ.buildCertPath failed to get cert path”)

The most likely cause of this problem on either platform (Mac or Windows) is that the software is installed without then updating all components right away. And/or updating only virus definitions over a long period of time, without updating the program components – to the extent that the client falls too far out of date to communicate with the update server(s) correctly.