Newbie Guide to Asterisk Pitfalls

The good folks over at Nerd Vittles continue to hack away at Asterisk, and publish a terrific blog. Their May 12th posting is great. Asterisk Hell: A Minefield Navigation Guide for Newbies.

MaintainIT Project

The MaintainIT project has a focus on running public computers with an emphasis on small and rural libraries. This is a subproject of TechSoup the venerable and wonderful site for non-profit computing.

Comcast Service Agreement - BEWARE

I received an updated version of the Comcast Service Agreement for end-users. This is for our residential cable broadband service. This currently costs $67.00 per month, which includes the rental of a modem, and the applicable taxes. Speeds are 6 megs down and either 384 or 768 up...depending on who you are talking to. Comcast makes it clear that this is residential, i.e. consumer service as opposed to business service. So, you are really expected to consume.

Prohibited Users of HSI. You agree not to use HSI for operation as an Internet service provider, a server site for ftp, telnet, rlogin, e-mail hosting, "Web hosting" or other similar applications for any business enterprise, or as an end-point on a non-Comcast local area network or wide area network.
You agree to indemnify, defend and hold harmless Comcast and its affiliates, supplies, and agents against all claims and expenses (including reasonable attorney fees) arising out of any breach of this Section including, but not limited to, any claims based on or arising out of any material violation of any applicable law.

Ports are blocked for the above-named services. But now at the end, it gets more interesting...

ADDITIONAL PROVISIONS APPLICABLE TO HIGH-SPEED INTERNET SERVICE
Comcast will provide you with dynamic Internet protocol ("IP") address(es) as a component of HSI, and these IP address(es) can and do change over time. You will not alter, modify or tamper with dynamic IP address(es) assigned to you or any other customer. You agree not to use a dynamic domain name server or DNS to associate a host name with the dynamic IP address(es) for any commercial purpose.

So, this would seem to preclude business or commercial use of applications for typical home-based businesses, i.e. VoIP telephone, Videoconferencing applications, and Virtual Private Network connections.

This sucks. Imagine if you had a telephone system that not only changed your phone number on a random basis, but prohibited you from discovering the changed number and letting people know what the changes are. This is essentially the service provided by DYNDns and similar services. Even though there is no technical reason that Comcast couldn't provide permanent fixed public IP addresses in the first place, Comcast specifically states that they won't provide them, and they specifically prevent you from applying any technological means to compensate.

For my own home office, I've decided to try the Comcast commercial offering. For another ten dollars or so per month, I'm supposed to get 6 megs/768kb, 4 Exchange accounts on their servers, web server account, and of course a fixed IP address. I'm assuming this comes with an improved service level agreement.

When I asked about what was available for bandwidth, they mentioned that in towns where they are competing with Verizon FIOS (fiber to the home), they offer 16 megabits down. But only when they are competing. :-)

Setting up remote premise VoIP or Videoconferencing

The Trixbox Wiki has a number of digestible pages of advice on how to successfully deploy a VoIP application. Here are recommendations for remote sites.

Formula for the best remote telecommuter Experience

1. Use T1 internet access at the main location, not DSL or Cable.It’s worth the additional expense in order to ensure good, steady performance at your main location.
   
2. If your routers and/or firewalls support QoS features, activate them. Give priority to the SIP and RTP protocols. Consider replacing equipment that lacks VoIP-aware QoS features. See Also: How do I use QoS on my network?
3. Consider using one of our Suggested Routers with QoS on both ends of your connection.
4. If your QoS solution allows you to limit total bandwidth, set the limit to slightly less than the line speed of your internet connection. Use a DSL line speed test to determine where you should set your limits. Setting it about 5-10 Kb below your maximum speed will keep the packet buffers from filling up on your DSL/Cable modem. This will yield better overall performance.
5. Consider having two internet connections… one for your existing data application, and one for your VOIP phone and trixbox Pro servers. You can use this approach in your main location, as well as your remote locations. If you use this approach, you may not need any QoS capable equipment.
6. If possible, connect your main office and your remote office using the same internet provider. Usually performance on the same provider’s network is superior to the performance when traffic needs to traverse multiple internet backbone networks.
7. If possible, remove NAT devices between the trixbox Pro system, and the remote telecommuters.
8. If you must use a NAT configuration, consider using a “DMZ Host/Server” configuration rather than port forwarding. This uses less CPU power in the router/firewall and yields optimal performance.

   1. At the main location, the setting will forward all unknown packets to your trixbox Pro server.
   2. At the remote locations, the setting will forward all unknown incoming packets to the IP Phone.
   3. Reserve the phone’s IP address in DHCP or give the phone a static IP Address on your private network in the remote location so the IP Address does not change. If you use a static IP Address, pick one outside of your dynamic DHCP IP Address range.

9. For mission critical remote employees, consider using a fractional T1 internet service at the remote office instead of a Cable/DSL connection.

Tech Friday: Troubleshooting Windows Firewall

Tech Friday is the day when we get bogged down in technicalities.

Dynamic DNS Redux

Today I've been doing some further research on Dynamic DNS, and indeed I found out that Wednesday, I was actually playing with the Unix/Linux version of the the DynDNS updater. They have a more conventional Windows client available with a nice graphic interface. It still does the same thing as the earlier one does, and it can install as a Windows service.

Firewall Issues

The Windows XP SP2 firewall can be managed locally on the XP Workstation through the Control Panel applet, via the local Group Policy, or via a domain group policy. When running into problems with the firewall, often the first problem is to figure out just where the settings are coming from. Microsoft has provided a handy guide on troubleshooting the Windows firewall, using familiar tools like netstat and netsh. For example, the following command will display the firewall status, and show where the settings are coming from. Note the returned results in my case show that the workstation is controlled from the Domain under the Group Policy.

C:\netsh firewall show state

Firewall status:
-------------------------------------------------------------------
Profile = Domain
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Group policy version = Windows Firewall
Remote admin mode = Disable

Ports currently open on all network interfaces:
Port Protocol Version Program
-------------------------------------------------------------------
1052 UDP IPv4 C:\WINDOWS\system32\spoolsv.exe
26675 TCP IPv4 (null)
67 UDP IPv4 (null)
135 TCP IPv4 C:\WINDOWS\system32\inetsrv\inetinfo.exe
137 UDP IPv4 (null)
139 TCP IPv4 (null)
138 UDP IPv4 (null)
3389 TCP IPv4 (null)
38293 UDP IPv4 (null)
443 TCP IPv4 C:\WINDOWS\system32\inetsrv\inetinfo.exe
443 UDP IPv4 (null)
445 TCP IPv4 (null)
37674 UDP IPv4 (null)
37675 UDP IPv4 (null)
37674 TCP IPv4 (null)
2869 TCP IPv4 (null)
1900 UDP IPv4 C:\WINDOWS\system32\svchost.exe
2967 UDP IPv4 (null)
990 TCP IPv4 F:\Program Files\Microsoft ActiveSync\rapimgr.exe

Additional ports open on Local Area Connection:
Port Protocol Version
-------------------------------------------------------------------
427 UDP Any


C:\

The Microsoft network troubleshooting white paper describes several additional troubleshooting tactics and is recommended.

For a cookbook approach to the Windows command line, check out the Administrator's Pocket Consultant series title Microsoft Windows Command-Line by William R. Stanek.

Dyn DNS clients

Looking for a client for Dynamic DNS. This is a program that goes out and pings the DynDNS web service and tells it what your current IP address is.

DynDNS runs a service that will tell you what your current public IP address. This is handy...in any web browser just type http://checkip.dyndns.com.

DynDNS recommends using software clients to do updates, although the functionality is embedded in most home routers.

...[I]n practice we have found that router based clients just don't provide the same level of reliability and user experience as software clients. For this reason, our current recommendation is that customers use a software client whenever possible, even if their router has a DDNS client built into it and even if that DDNS client has been certified by us.

Using the command line version of inadyn, I tried the following which does a one-time update:

C:\DynDNS_Client>inadyn --username myname --password mypass --alias mydnsname.gotdns.com

This returns the following:

INADYN: Started 'INADYN version 1.96.2' - dynamic DNS updater.
I:INADYN: IP address for alias 'mydnsname.gotdns.com' needs update to '24.61.26.209'
I:INADYN: Alias 'mydnsname.gotdns.com' to IP '24.61.26.209' updated successful.

Now, of interest here is that the one time update does not simply execute and then return to the command line....in fact it creates a loop that executes repeatedly. By default this appears to be one minute, and what happens is that program first does an ip address update. On subsequent passes, it first sends a query to checkip.dyndns.org and compares the results with the stored IP. If they are different then it will perform another update. This is more evident if you add --verbose 5 to the command line; you'll get a printout as the program goes through the steps.

So, I'm going to try installing this as a software service on my XP workstation; and disabling it in the router.