LTS - Systems and Networking Engineering
Here's some general info about the LTS Systems Engineering Team at Lehigh.
Systems Engineering plans, implements and maintains computers,
Operating Systems and application software for the campus both for
academic and non-academic areas. This includes servers in multiple
data centers on and off campus, and support of cloud services. We
maintain core services that include directory integration with LDAP,
Active Directory, SAML2 SSO, and CAS SSO. We provide the highly
available infrastructure configuration that enables redundancy of
services between servers in multiple data centers.
Some useful information can be found in the LTS Knowledgebase.
Below is a list of some links that may be handy.
System Administrator Appreciation Day is the last Friday in July.
Some local tool links
- ELK Kibana
- grafana trending analysis tool
- Icinga monitoring tool
- flexlm license managers
- SSL certificate checker
- Firewall exceptions checks
- Lehigh SSL tester
- speedtest network speed tester
Lehigh Networks
- Lehigh's primary DNS servers are at: 128.180.2.10, 128.180.1.4 and 69.7.224.17
- On-campus malware-filtered DNS servers are at 128.180.1.1 and 128.180.2.1
- DHCP service is from 128.180.3.4 and 128.180.3.5
- NTP time servers: ntp1.cc.lehigh.edu, ntp2.cc.lehigh.edu, ntp3.cc.lehigh.edu
- Lehigh-Guest wireless ip address ranges: 4.59.138.56/29 and 162.223.16.248/29
- LUNet III - DNS/DHCP registration program.
- FEM, the Firewall Exception Manager - allows people to request firewall holes for specific purposes. These are reviewed by our CISO and if approved, all connections from off-campus (or through the firewall).
- Network Engineering Stats, tools and more.
- Network stuff Watchdog, Important Services Monitor, Network Statistics, VOIP Statistics, Printer Page Counts, VPN Statistics, Wireless usage stats, and other interesting stuff.
- Network photos - 2002 - wiring closets, equipment racks, pizza, etc.
- Network photos - 2003 - Squidward checks out computer room, equipment racks, generator and more.
- Network photos - 2004 - tracing a network connection from RBC to the internet.
- Network photos - 2007 - Some photos from the Linderman renovation.
- FindJack
- Edit WD
Lantronix sells a small device which will connect a serial port to the network. These setup directions should be followed when connecting such a device to the network. Lantronix UDS Setup Instructions
Microsoft
- Active Directory "Faculty & Staff Windows COMPUTER OBJECT MANAGEMENT" is at https://adcomputers.cc.lehigh.edu:4443/. The Active Directory tree is AD.lehigh.edu.
- Client Service's ACT website - with lots of windows links
- Gibson Research - for various windows security tools.
- Sysinternals tools.
- BitLocker: people can look up their own key at: https://mbam.lehigh.edu/SelfService
  CCs & Help Desk can look up any key at: https://mbam.lehigh.edu/HelpDesk
- In Mac OS X you can mount the "H: and I: drives" using CIFS (home and common space shares) in the format below (replace the sample userids with yours). In Finder, use Command-K or the Go menu, Connect to Server, and type:
  smb://homefs.cc.lehigh.edu/home/dbp0/
  smb://common.cc.lehigh.edu/common/ir
  To access someone else's public directory as read-only, use a longer form of the above, e.g. smb://homefs.cc.lehigh.edu/home/das1/public/
  Note that these methods work only from on-campus networks (not Lehigh-Guest wireless), or when using the Lehigh VPN from off-campus.
How to configure KMS activation without Active Directory (Windows 7 Enterprise)
(If your computer is in the AD it will automatically find the KMS server and activate; otherwise follow these instructions.)
- start a "cmd" window as administrator
- cd c:\windows\system32
- slmgr.vbs /skms kms.cc.lehigh.edu (point vista to correct kms server)
- slmgr.vbs /ato (activate license)
- slmgr.vbs /dlv (display license info to verify)
Licenses are valid for 180 days after the last contact with the license server (i.e. if it's on a laptop you'll need to bring it to campus at least once every 180 days and plug it into the network to renew the license).
Office KMS Activation without Active Directory
Manually activate Office on a non-domain computer:
- start a "cmd" window as administrator
- cd to: (32-bit Office 2016:) c:\program files (x86)\microsoft office\office16\ or (for 64-bit Office 2016:) c:\program files\microsoft office\office16\
- cscript ospp.vbs /sethst:kms.cc.lehigh.edu
- cscript ospp.vbs /act
- check that you ran everything from an administrator cmd prompt.
- we currently have 2 kms hosts (kms2.cc.lehigh.edu and kms3.cc.lehigh.edu). kms.cc.lehigh.edu points to kms3.cc.lehigh.edu. Both servers listen and talk on port 1688.
- check that the system time is correct.
- eventvwr.msc /s -- look at the Windows Application log for events with a source of Security-SPP and event IDs 12288 (request a license) and 12289 (license returned). The 12289 value will look like 0x0000000, 0x0000000, 1, 0, 50,10080, date -- the "1" part indicates that it successfully activated. You may see another response after that one saying it was unable to activate, which we currently think is due to a corrupted system32 DLL file.
- Run slui.exe to download legitcheck.hta from microsoft and run it from an admin cmd shell. It runs some scripts from microsoft eventually displaying validity message. Try running the slmgr.vbs /ato again.
- try running "sfc /scannow" to check (repair) all the windows system files.
- Active Directory has SRV (service) DNS records for the KMS servers, which you can see by running "nslookup -" (interactive mode) and then typing:
  set type=SRV
  _VLMCS._tcp.ad.lehigh.edu
  It should display info for kms2 and kms3.
- Check that Windows Update has all the updates and reboot. If a reboot is pending, that sometimes blocks things from working properly.
- Microsoft MGADiag.exe diagnostic tool.
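The checks in the troubleshooting list above, gathered into one read-only script. This is an added example and not code from the page or from LTS; it only displays state and never changes activation (slmgr /dlv is display-only). The host names, the SRV record and TCP port 1688 are the values given on the page; Resolve-DnsName and Test-NetConnection need Windows 8 / Server 2012 or later, and the 12289 message parsing follows the field layout the page describes (third field is 1 on success). Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the page): KMS activation health check for a non-domain client.
# Values below are the ones the page lists; nothing here modifies licence state.
param(
    [string]$KmsHost   = 'kms.cc.lehigh.edu',
    [int]   $KmsPort   = 1688,
    [string]$SrvRecord = '_VLMCS._tcp.ad.lehigh.edu'
)

# 1. Elevated? slmgr.vbs / ospp.vbs do nothing useful from a non-admin prompt.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Elevated prompt   : $elevated"

# 2. Clock sanity: KMS rejects clients whose time is too far off, so show UTC now.
"System time (UTC) : $((Get-Date).ToUniversalTime().ToString('u'))"

# 3. Pending reboot (the page notes this sometimes blocks activation).
$rebootKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
              'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
$pending = @($rebootKeys | Where-Object { Test-Path $_ }).Count -gt 0
"Reboot pending    : $pending"

# 4. SRV records AD publishes for domain-joined clients (same data as the nslookup step).
"SRV records for ${SrvRecord}:"
try {
    Resolve-DnsName -Name $SrvRecord -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { "  {0}:{1} (priority {2}, weight {3})" -f $_.NameTarget, $_.Port, $_.Priority, $_.Weight }
} catch {
    "  lookup failed: $($_.Exception.Message)"
}

# 5. Is the KMS host reachable on TCP 1688 from this network segment?
$tcp = Test-NetConnection -ComputerName $KmsHost -Port $KmsPort -WarningAction SilentlyContinue
"TCP ${KmsHost}:${KmsPort} reachable : $($tcp.TcpTestSucceeded)"

# 6. Recent Security-SPP events: 12288 = request sent, 12289 = response received.
#    In the 12289 text "0x..., 0x..., 1, 0, 50, 10080, <date>" the third field is 1 on success.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'
                                           ProviderName = 'Microsoft-Windows-Security-SPP'
                                           Id = 12288, 12289 } -MaxEvents 10 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $status = ''
    if ($e.Id -eq 12289 -and $e.Message -match '0x[0-9A-Fa-f]+,\s*0x[0-9A-Fa-f]+,\s*(\d+),') {
        $status = if ($matches[1] -eq '1') { 'activated' } else { 'NOT activated' }
    }
    "{0:u}  event {1}  {2}" -f $e.TimeCreated, $e.Id, $status
}

# 7. Current licence status, the page's final verification step (display only).
cscript //nologo "$env:windir\System32\slmgr.vbs" /dlv
```

If step 4 returns nothing the machine is simply not resolving the AD zone (expected off-domain, which is why /skms is needed); if step 5 fails the problem is network or firewall, not licensing; if step 6 shows a 12288 with no matching 12289, the request never got an answer.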
Printers
- Print website for a variety of LTS public site printing info.
- Print Select website for installing Lehigh printers queues/drivers on your machine.
- Printing Services website for submitting jobs to printing services. Also see Printing Services for info about extra services (posters, mailing, faxing, copying, scanning, banners, binding, etc.)
We have a campus-wide naming convention for all printers. It is "building-rmxxx-printertype"; for example the printer in the SET office is Mart8b-Rm183-Hp553. In some cases we abbreviate the building name, so look for an existing printer name if you are adding one to a building with a long name. If the building is unnamed or confusing we sometimes use a number, such as 428broadhead, which refers to the street address of that building. Some printers have multiple names because a system they connect with doesn't support long names. Try to always install the long name as the DNS name first, and then the short name as an alias.
Mini-Hubs and Switches
Gigabit Mini switches (March 2005)
Here's a link to CDWG's customized Lehigh page - http://www.cdwg.com/lehigh Federal Tax ID Number: #36-4230110
Mail Server
Click the link above for general info. Mail generated by systems on campus may use our mail hub at mail.lehigh.edu. Personal mail using Lehigh Gmail doesn't actually exist on campus but remains in the Internet cloud. Google has limits on outgoing mail, which are documented here - gmail sending limits. Mail storage quotas for Lehigh Gmail are "unlimited storage".
How to configure Sendmail on your Linux workstation to forward mail through mail.lehigh.edu: you can change the sendmail.cf file (/etc/mail/sendmail.cf or /etc/sendmail.cf) so that the line that starts with DS becomes DSmail.lehigh.edu.
You can also accomplish this by adding the following line to your sendmail.mc file and running it through m4 to generate a new sendmail.cf file:
  define(`SMART_HOST',`mail.lehigh.edu')dnl
After making these changes you'll need to restart sendmail's daemon process.
Reload files
- For Windows users, FIRST try recovering using the shadow copy feature.
- https://www.lehigh.edu/reload/ - Tape reloads (Windows, HPC, VMs). LTS CC staff only.
- Hard disk recovery companies
Calendars
- R25 (Registrar's) room schedule/calendaring - R25 room scheduling system
- Lehigh Google calendar
Portal
SunGard SCT/Ellucian Luminis 5.x. Contact WMS: Greg Skinner, x8-5434 or x8-5066.
- Luminis Developers Network (now hosted here at lehigh on drupal.cc.lehigh.edu)
Other servers
- SSB Banner web server ESI
- Banner Info and links ESI
- High Performance Computing Steve Anthony
- Coursesite (moodle) - Bobby Siegfried
- Debian Mirror - Keith Erekson.
- CentOS Mirror - Keith Erekson.
- Mailman - contact Jim Eschleman.
Accounts
- Open, Change, Forgot, DisplayUser, O365, Google passwords, etc.: use Accounts. Account passwords are not expired for the months of June, July and August.
- Security Stuff: virus software and signature updates, Acceptable Use Policy. CISO Eric Zematis, Colin Foley, James Vincent. Check out JMU's R.U.N.S.A.F.E.
- Password policy
Antivirus/Malware Software
- Online Virus Scanners
- MalwareBytes Anti-Malware software, installed by group policy on AD-connected Windows 7 PCs.
- System Center 2012 Endpoint Protection for Faculty/Staff Replacement for MS Forefront EP.
- Microsoft Security Essentials (home use version of Endpoint protection)
- Clam AV (free AV software). This software is used by the mail server to check incoming messages for viruses. If you receive a message that you think may contain a virus, you can submit it here as well.
- Malwr/Virus Analysis site
- VirusTotal
SSH
- MobaXterm
- Putty
Dates
To convert from the Windows date format (NT FILETIME) to the Unix date format you need to know:
Both epochs are Gregorian. 1970 - 1601 = 369. Assuming a leap year every four years, 369 / 4 = 92. However, 1700, 1800, and 1900 were NOT leap years, so there are 89 leap years and 280 non-leap years. 89 * 366 + 280 * 365 = 134774 days between epochs. Of course 60 * 60 * 24 = 86400 seconds per day, so 134774 * 86400 = 11644473600 = SECS_BETWEEN_EPOCHS. This result is also confirmed in the MSDN documentation on how to convert a time_t value to a Win32 FILETIME.

  # This function converts a Windows time stamp into Unix time so Perl can print it.
  #
  # Windows stores time in 100-nanosecond increments since 1 January 1601.
  # Perl and Unix use time in one-second increments since 1 January 1970.
  # 100 nanoseconds is 10**-7 seconds. 11644473600 is the number of seconds between the "epochs".
  #
  sub NTtime {
      my $nt = shift;                       # FILETIME value (100 ns ticks since 1601-01-01)
      my $t  = ($nt / 10**7) - 11644473600; # ticks -> seconds, then shift to the Unix epoch
      # print "Time is ", scalar localtime($t), "\n";
      return $t;
  }
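The same derivation carried through in code, as an added example that is not part of the page: it recounts the leap years with the full Gregorian rule rather than taking 89 on faith, checks the resulting constant against .NET date arithmetic, and round-trips a FILETIME both by the page's formula and with the built-in [datetime]::FromFileTimeUtc so the two can be compared. The sample timestamps are constructed values.

```powershell
# Added example (not from the page): verify SECS_BETWEEN_EPOCHS and convert FILETIME <-> Unix time.
$SecsBetweenEpochs = 11644473600L

# Leap years in [1601, 1969] under the real Gregorian rule (divisible by 4, except
# centuries not divisible by 400), which is the page's "1700, 1800, 1900 were NOT leap years".
$leap    = (1601..1969 | Where-Object { ($_ % 4 -eq 0 -and $_ % 100 -ne 0) -or ($_ % 400 -eq 0) }).Count
$nonLeap = 369 - $leap
$days    = $leap * 366 + $nonLeap * 365
"leap years: $leap  non-leap: $nonLeap  days: $days  seconds: $($days * 86400L)"

# Cross-check the hand calculation against .NET's own calendar arithmetic.
$utc   = [DateTimeKind]::Utc
$delta = [datetime]::new(1970,1,1,0,0,0,$utc) - [datetime]::new(1601,1,1,0,0,0,$utc)
"matches .NET: $([int64]$delta.TotalSeconds -eq $SecsBetweenEpochs)"

function ConvertFrom-NtTime {
    param([Parameter(Mandatory)][int64]$NtTime)
    # Same arithmetic as the Perl NTtime() above, but in 64-bit integers:
    # drop the sub-second ticks first so the division is exact, then shift epochs.
    $wholeTicks = $NtTime - ($NtTime % 10000000L)
    return [int64]($wholeTicks / 10000000L) - $SecsBetweenEpochs
}

function ConvertTo-NtTime {
    param([Parameter(Mandatory)][int64]$UnixTime)
    # Reverse direction: shift to 1601 and scale seconds to 100 ns ticks.
    return ($UnixTime + $SecsBetweenEpochs) * 10000000L
}

# Constructed samples: the Unix epoch itself and 2000-01-01T00:00:00Z.
foreach ($u in 0L, 946684800L) {
    $nt     = ConvertTo-NtTime $u
    $back   = ConvertFrom-NtTime $nt
    $dotnet = [datetime]::FromFileTimeUtc($nt)
    "unix {0,11} -> FILETIME {1,20} -> unix {2,11}   .NET says {3:u}" -f $u, $nt, $back, $dotnet
}

# Sub-second ticks are discarded, as they would be in an integer time_t.
$withFraction = (ConvertTo-NtTime 946684800L) + 1234567L
"with 1234567 extra ticks -> unix $(ConvertFrom-NtTime $withFraction)"
```

The integer version avoids the floating-point division in the Perl sub; that matters for current FILETIME values (around 1.3e17 ticks), which exceed the 2^53 range a double represents exactly.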
Public keys and e-mail encryption
There are at least two popular methods of encryption with mail. One uses PKI (S/MIME) and the other PGP/GPG-based keys.
S/MIME
The PGP method requires an extension to be added to Thunderbird called Enigmail, and a copy of gpg installed locally. You'll then need to create a private key and register it with a keyserver. This method is older and more compatible with disparate systems.
Mailvelope is a Chrome extension that uses gpg to do message encryption and decryption.
To publish your public key to Lehigh's keyserver (replace KEYID with your own key's ID or fingerprint):
c:\gnupg\gpg --keyserver pgp.lehigh.edu --send-keys KEYID
Info about creating websites with the official Lehigh structure
Communications and Public Affairs
SSL certificates and ciphers
Lehigh has purchased wildcard ssl certificates for:
- *.lehigh.edu, *.cc.lehigh.edu for general services websites
- *.drupal.lehigh.edu for many drupal websites
- *.lib.lehigh.edu and *.ezproxy.lib.lehigh.edu for library services
- *.sites.lehigh.edu and *.web.lehigh.edu for web and mobile services
Nagios (or Icinga) has a FEM page that lists the machines with firewall holes opened for them and the daily results of an SSL scan of each machine, along with a "badness" number counting the reported problems with the configuration.
Some websites that are handy for configuration and testing SSL ciphers:
- Cipherlist
- Lehigh SSL tester
- Qualys SSL Labs
- bettercrypto.org's Applied Crypto Hardening guide. (regularly updated)
- Mozilla Server side TLS guide and Configuration generator
- COMODO SSL Analyzer
- IIS Crypto tool
- Check your sites SSL settings + more
InCommon Federation info
The InCommon federation serves the U.S. education and research communities, supporting a common framework for trustworthy shared management of access to on-line resources. Through InCommon, Identity Providers can give their users single sign-on convenience and privacy protection, while online Service Providers control access to their protected resources.
- Lehigh Participant Operational Practices (POP) (updated May 25, 2015)
- SimpleSAMLPHP login stats
- Lehigh's IDP entityid/metadata
Here are some Lehigh Cloud Services that use InCommon SAML2 login
- Qualtrics Survey software
- ensemble video sharing
- Educause.edu
- Collegenet graduate student admissions - review (a different page is for applicants)
- Maxient Student Conduct software (Dean of Students)
- Lehigh Catalog (currentcatalog.lehigh.edu, nextcatalog.lehigh.edu) via courseleaf.com
- Lehigh Graduate Admission (for faculty eval)
- Lehigh Graduate Admission (for student applications)
- Zimride car sharing
- Lehigh Dropbox $100/year - contact Steve Lewis (sgl3)
- Kivuto online software store for Microsoft (home use) and other software
- Lehigh Zoom online conferencing software
- Internet2 Wiki (Confluence)
- Project Muse (Library databases)
- DMPTool (Data Management Plan tool for funding)
Benchmarks and Security related websites
- CIS benchmarks https://www.cisecurity.org/
- SANS
- SANS InfoSec Diary Blog
Virtual Machines and related stuff
Many of the servers are now hosted on VMware hosts and clusters. These have many advantages, such as snapshot capability, high availability (in some cases), and lower overall costs.
Annual sizing fees for VMs in the LTS datacenter:
| Small | Medium | Large | X-Large |
|---|---|---|---|
| 100GB Storage | 100GB Storage | 100GB Storage | 100GB Storage |
| 4GB Memory | 8GB Memory | 16GB Memory | 32GB Memory |
| 2 CPU | 4 CPU | 8 CPU | 12 CPU |
| $700 | $1100 | $1800 | $2900 |

* Add $100/year for each 50GB of expanded storage