Frequently Asked Questions - BMC-IT


  1. How do I find specific files like the last updated, the one with the longest file name, or the largest one?   2020-01-27
  2. What are the recommendations for buying a new mac?   2020-01-16
  3. What is the BMC-IT computer platform and how does it work?   2019-10-08
  4. What should be done to introduce a new system administrator at BMC?   2019-07-10
  5. We need more storage! Do you have a file server we can use?   2019-07-10
  6. How does the reinstallation of Windows computers work at BMC-IT?   2019-07-05
  7. How do I use Eduroam, the wireless network, in Windows?   2019-06-12
  8. Is Java free or do I need a license?   2019-06-05
  9. How to use the IBM Spectrum Protect (Tivoli Storage Manager aka TSM)   2019-05-29
  10. How do I connect a private computer to the department network?   2019-05-08
  11. How do I force activation of Windows 10 using KMS?   2019-05-03
  12. How do I print on EduPrint with LPD on Windows 10?   2019-04-26
  13. How do I connect to storage at Argos?   2019-04-25
  14. Who is responsible for what on the BMC network? Who can help me?   2019-04-11
  15. What are your plans for a common client network configuration?   2019-03-22
  16. How do I install anti-virus software on macOS?   2019-03-18
  17. How do I access my scans for eduPrint in Linux?   2019-03-11
  18. How do I map a network drive via SMB on Windows?   2019-03-08
  19. We have a server, where should we put it?   2019-02-25
  20. My Internet does not work! How can I find the problem?   2019-02-08
  21. What is VPN?   2019-02-05
  22. How do I send bulk mail?   2019-01-25
  23. Where do I store my data? How do I take backup?   2019-01-22
  24. How do I mount my home directory or shared storage at HNAS?   2018-12-21
  25. What is my IP-address and MAC-address?   2018-12-19
  26. What is the name standard for network equipment on BMC.   2018-11-13
  27. How do I start an elevated command prompt (as administrator) in Windows?   2018-11-09
  28. What Internet bandwidth does the university have?   2018-11-08
  29. Connect to eduroam using iPhone with iOS 10   2018-10-04
  30. How do I use an Apple AirPort Time Capsule?   2018-10-04
  31. Are there any desktop phones using the mobile network?   2018-09-12
  32. How do I install Ubuntu?   2018-09-06
  33. How do I connect to the VPN using Ubuntu?   2018-08-13
  34. How do I install Adobe CC Complete (Photoshop, Illustrator...) in Windows?   2018-06-11
  35. What fun things can I do with Systemd in Linux?   2018-06-04
  36. How do I change the Mac computer name, host name and NetBIOS-name?   2018-06-04
  37. How do I set firewall rules in Linux to block SSH?   2018-06-04
  38. How do I configure my resolver on a Linux machine?   2018-06-04
  39. What should I think about when adding my own network printer?   2018-05-31
  40. How do I add a macOS printer at IMBIM?   2018-05-22
  41. Which VLANs are at the campus BMC-router?   2018-04-25
  42. What is ransomware and CryptoLocker?   2018-03-23
  43. How do I configure IPMI for remote management?   2018-03-20
  44. I need a new subnet and a new VLAN!   2018-01-19
  45. Who is responsible for the network in the BMC server room?   2018-01-19
  46. There is no wired network here - what to do?   2017-12-19
  47. How do I uninstall the Zenworks agent?   2017-12-14
  48. What is the point with the zone files.uu.se?   2017-12-07
  49. How are the network sockets identified?   2017-10-26
  50. What service levels does BMC-IT have compared to others at the university?   2017-08-23
  51. How do I activate group membership in AKKA?   2017-08-21
  52. What is the cost of a PC file server?   2017-06-02
  53. How do I use offline files?   2017-05-22
  54. How to use WinSCP to access files over SCP on Windows   2017-03-31
  55. How do I activate my Office using KMS?   2016-12-08
  56. Add a printer in Ubuntu 14.04   2015-06-04




1. How do I find specific files like the last updated, the one with the longest file name, or the largest one?

See also: How do I compare the content of two directories?
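These tools work on Linux (Ubuntu/CentOS/etc) and probably on macOS too. Note that the stat options used below (--format and -c) are GNU coreutils syntax; the stat that ships with macOS uses -f with different format codes.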

Find the most recently updated file

Here is a small script that displays the most recently updated files in a directory. In the example this FAQ entry was the most recently updated!

$ find . -type f -print0 | xargs -0 -P 1 stat --format '%Y :%y %n' | sort -nr | cut -d: -f2- | head -3
2018-04-27 08:55:47.517999369 +0200 ./last.updated.file.txt
2018-04-27 08:54:07.277999790 +0200 ./last.updated.file.txt~
2018-04-27 08:51:50.658000281 +0200 ./compare.directories.txt
$ _

Find the most recently accessed file

This small script does the same, but looks for the most recently accessed file instead.

Please note that this may or may not work on different file systems. For example, a network file system may be mounted with noatime, which means that the last accessed information is not stored. Storing it requires a metadata write for every accessed file, which affects performance.

$ find . -type f -print0 | xargs -0 -P 1 stat --format '%X :%x %n' | sort -nr | cut -d: -f2- | head -1
2020-01-27 09:30:03.320448622 +0100 ./#last.updated.file#
$ _

Find the number of files and the file with the longest file name

This little script displays the number of files in the current directory, the character length of the longest file name and the name of that file. In the example there were 219 files in total, and the longest file name, counted with its path, had 49 characters: ./how.to.map.network.drive.via.SMB.on.Windows.txt.

$ find . -type f | awk 'BEGIN{N=0} {N=N+1; if ( length > L ) { L=length ;s=$0 } }END{ print N" "L" "s }'
219 49 ./how.to.map.network.drive.via.SMB.on.Windows.txt
$ _

Find the files with the longest file names

This little snippet just prints the files with the longest names:

$ find . -type f | while read -r ; do echo "${#REPLY} $REPLY" ; done | sort -nr | head -3
45 ./how.to.map.network.drive.via.SMB.on.Windows
33 ./windows.office.force.activation
30 ./win.default.printer.settings
$ _

Find the largest files

This will list the largest files. It prints a list of all files, runs stat on them via xargs, sorts the list by size and then prints the largest ones. The -type f test has to come before -print0, otherwise find prints directories as well.

$ find . -type f -print0 | xargs -0 stat -c "%s %n" | sort -rn | head -3
23637 ./network.8021x
20285 ./platform
18051 ./network.help
$ _





2. What are the recommendations for buying a new mac?

See also: How do I order a standard computer?
See also: What's the name of the connector?

General information
Always talk to UIT before ordering a computer. That way, we minimize the risk of problems after the products have been delivered.

Apple Device Enrollment Program (DEP)
The university is part of Apple's Device Enrollment Program (DEP). When ordering a new macOS computer, you also need to order a DEP registration. To add a computer to the university Apple Device Enrollment Program (DEP) you need to place an order in Produktwebben.

About accessories
Apple has switched to using only USB-C as interface for their MacBooks, which means that old adapters no longer work. There are adapters that convert to USB-C, but the cost is about the same as getting new ones, so we suggest that you replace the adapters to follow Apple's recommendations.

You should think about whether you want a docking station on your desk or not. It reduces the number of adapters you need to connect each day. You probably need one or more adapters anyway (e.g. Apple Multiadapter HDMI and/or VGA) for your computer bag, for when you have to present something and need to connect the computer to a projector.

In addition to this, Mac users should always have an external hard drive that backs up the entire computer with TimeMachine. This hard drive should always be connected to the computer on the desk and then stored in a safe place when not in use. Don't bring it when travelling!

Please note that all prices mentioned below are subject to change!

Computer
We recommend at least Intel Core i5 with 16 GB RAM and 256 GB SSD storage or better.

Display adapters

Docking station

Network adapters

If you don’t want a docking station you need a network adapter to connect to the department network.

Display

Keyboard

Mouse and trackpad

External disk

To use with local TimeMachine backup

Lock

2.D. Option: Use Cisco software defined networks

Probably expensive, requires new equipment and is a bit more complicated than we need.

Reference: Cisco Identity Services Engine Data Sheet - Cisco

Cisco SD-Access Ordering Guide - SD-Access Platform Support Summary - Cisco

2.E. Option: Use automatically configured VLAN

Use MAC-address or login to automatically configure the VLAN on each edge switch port.

Maybe it is possible to populate the database server (RADIUS) with MAC-addresses from the BlueCat whitelists using the API. Good with integration.

1. Optional login with username and password and then select the correct VLAN based on the username. Extra security or special cases.
2. Check if the client MAC-address is in a BlueCat whitelist here at BMC (the local campus) and then select the correct VLAN:
   Vlan660 FarmBio
   Vlan661 ILK-fkog
   Vlan662 MCB-instr
   Vlan663 Kemi-analut
   Vlan664 Neuro
   (all the different local VLANs)
3. Check if the client is in any whitelist at the university and pick the same VLAN for all of them: Vlan??? UU-Work
4. All others: Students, guests and private computers need to use the captive portal to log in: Vlan695 Netlogin
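
The four-step selection order above, written out as a policy function together with the RADIUS reply attributes commonly used for dynamic VLAN assignment (RFC 3580). This is an added example, not code from BMC-IT or Cisco; the MAC addresses, the whitelist contents and the account name `labadmin` are constructed, and the UU-Work VLAN id is a placeholder because the page does not give it.

```python
import re

# VLAN numbers and names are the ones listed above. The page gives no number
# for UU-Work ("Vlan???"), so a labelled placeholder is used instead.
UU_WORK = ("PLACEHOLDER-UU-WORK-VLAN-ID", "UU-Work")
NETLOGIN = ("695", "Netlogin")

# Constructed sample data. The page suggests populating the real lists from
# the BlueCat whitelists; how that sync is done is outside this example.
LOCAL_WHITELISTS = {
    ("660", "FarmBio"): {"02:00:00:00:66:01"},
    ("664", "Neuro"): {"02:00:00:00:66:41", "02:00:00:00:66:42"},
}
UNIVERSITY_WHITELIST = {"02:00:00:00:aa:01"}
USER_VLANS = {"labadmin": ("662", "MCB-instr")}  # hypothetical account


def normalize_mac(raw):
    """Accept 02:00:00:00:66:41, 02-00-00-00-66-41 or 0200.0000.6641."""
    digits = re.sub(r"[:.\-]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def select_vlan(raw_mac, authenticated_user=None):
    """Return (vlan, reason) following steps 1-4 in order.

    authenticated_user is assumed to have passed username/password
    authentication already; a MAC address alone is an identifier that any
    client can set, not a credential.
    """
    # Step 1: optional login decides the VLAN by username.
    if authenticated_user in USER_VLANS:
        return USER_VLANS[authenticated_user], "login"
    try:
        mac = normalize_mac(raw_mac)
    except ValueError:
        # Anything unparseable falls through to the captive portal network.
        return NETLOGIN, "malformed MAC"
    # Step 2: local (BMC) whitelists map to their own VLAN.
    for vlan, macs in LOCAL_WHITELISTS.items():
        if mac in macs:
            return vlan, "local whitelist"
    # Step 3: any other university whitelist shares one VLAN.
    if mac in UNIVERSITY_WHITELIST:
        return UU_WORK, "university whitelist"
    # Step 4: everyone else gets the captive portal.
    return NETLOGIN, "default"


def radius_reply(vlan):
    """Access-Accept attributes that tell the switch which VLAN to use."""
    vlan_id, _name = vlan
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": vlan_id,
    }


if __name__ == "__main__":
    for mac, user in [("0200.0000.6641", None), ("02:00:00:00:AA:01", None),
                      ("02:00:00:00:ff:ff", None), ("02:00:00:00:ff:ff", "labadmin")]:
        vlan, reason = select_vlan(mac, user)
        print(mac, user, "->", vlan, reason, radius_reply(vlan))
```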

Pros:

Cons:

Unknowns:


Reference: MAC Authentication Bypass Deployment Guide - Cisco
Reference: Consolidated Platform Configuration Guide, Cisco IOS XE 15.2(6)E (Catalyst 2960-X Switch) - MAC Authentication Bypass - Cisco
Reference: Command Reference, Cisco IOS Release 15.2(2)E (Catalyst 2960, 2960-S, 2960-SF and 2960-Plus Switches) - authentication event - Cisco

Background: How does Protected Ports work on a multi-switch network

All uplinks must normally be configured as promiscuous. All downlinks must be protected. The network topology must be strictly hierarchical with all routers or servers connected via promiscuous ports on a single switch.

In this first example random client ports have been made protected. This only works within a single switch: Computer1 and Computer2 cannot talk to each other since they are both on protected ports on Switch1. But protected ports on different switches can talk to each other, because traffic may flow between protected and promiscuous ports on a single switch: Computer1 and Computer2 can both talk to Computer3.


                     Router
                       |
         ===========Switch2===============
             |                    |
    =====Switch1=========   =====Switch3=====
     Protected  Protected      Protected
        |         |               |
     Computer1  Computer2      Computer3   

In the second example all downlinks are protected. Traffic from Computer1 or Computer2 to Computer3 will be blocked on Switch2, because traffic cannot go between two protected ports on the same switch.


                     Router
                       |
         ===========Switch2===============
          Protected            Protected
             |                    |
    =====Switch1=========   =====Switch3=====
     Protected  Protected      Protected
        |          |              |
     Computer1  Computer2      Computer3   
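
Both diagrams can be checked with a small model of the forwarding rule, which makes it easy to see which ports have to be protected before clients are actually isolated from each other. This Python model is an added example, not part of the original FAQ or of any Cisco tooling; it assumes the only rule is that a switch drops frames between two protected ports on itself, and that the router does not bridge frames back into the same VLAN.

```python
from collections import deque

# Topology shared by the two diagrams above (one entry per cable).
LINKS = [
    ("Router", "Switch2"),
    ("Switch2", "Switch1"), ("Switch2", "Switch3"),
    ("Switch1", "Computer1"), ("Switch1", "Computer2"),
    ("Switch3", "Computer3"),
]
SWITCHES = {"Switch1", "Switch2", "Switch3"}

# A protected port is named as (switch, device at the other end of the cable).
CLIENT_PORTS = {
    ("Switch1", "Computer1"), ("Switch1", "Computer2"),
    ("Switch3", "Computer3"),
}
EXAMPLE1 = CLIENT_PORTS  # first diagram: only the client ports are protected
EXAMPLE2 = CLIENT_PORTS | {("Switch2", "Switch1"), ("Switch2", "Switch3")}


def neighbours(links):
    """Build an adjacency map from the list of cables."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def can_talk(src, dst, protected, links=LINKS, switches=SWITCHES):
    """True if a layer-2 frame sent by src can be delivered to dst.

    Breadth-first search over (previous hop, current device) states. On every
    switch the ingress port faces the previous hop and the egress port faces
    the next hop; the frame is dropped when both are protected.
    """
    adj = neighbours(links)
    queue = deque((src, nxt) for nxt in adj[src])
    seen = set(queue)
    while queue:
        prev, node = queue.popleft()
        if node == dst:
            return True
        if node not in switches:
            continue  # hosts and the router do not bridge frames onward
        for nxt in adj[node]:
            if nxt == prev:
                continue  # never send a frame back out of its ingress port
            if (node, prev) in protected and (node, nxt) in protected:
                continue  # protected -> protected on the same switch
            if (node, nxt) not in seen:
                seen.add((node, nxt))
                queue.append((node, nxt))
    return False


def matrix(protected, hosts=("Computer1", "Computer2", "Computer3", "Router")):
    """Reachability for every ordered pair of end devices."""
    return {(a, b): can_talk(a, b, protected)
            for a in hosts for b in hosts if a != b}


if __name__ == "__main__":
    for name, protected in (("example 1", EXAMPLE1), ("example 2", EXAMPLE2)):
        print(name)
        for (a, b), ok in sorted(matrix(protected).items()):
            print(f"  {a:>9} -> {b:<9} {'forwarded' if ok else 'blocked'}")
```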


Regarding the Cisco PVLAN Edge

It may be possible to use the protected ports feature on an EtherChannel group, according to Configuring Protected Port, for example for the Cisco Catalyst C3850:

You can configure protected ports on a physical interface (for example, Gigabit Ethernet port 1) or an EtherChannel group (for example, port-channel 5). When you enable protected ports for a port channel, it is enabled for all ports in the port-channel group.

This would in theory make it possible to cascade down from a stack of distribution switches to an edge switch. However, it does not seem to be possible to use the Protected Port feature on a trunk port, and not on a single VLAN in a trunk either. There are two possible solutions for this:


            Router
               |
    ====Switch1=C2960S=C2960S==== (multiple VLANs)
     Pro.  Pro.  Pro.  Protected
      |     |     |   Etherchannel
    Comp1 Comp2 Comp3  |  |  |
                       |  |  |
    ======SwitchC2960S=C2960S==== (single VLAN)
     Pro.   Pro.
      |      |
     Comp4 Comp5





16. How do I install anti-virus software on macOS?

See also: What is ransomware and CryptoLocker?
See also: My computer has got a virus! What do I do?
See also: How do I change the Mac computer name, host name and NetBIOS-name?
See also: How do I connect to a file server via SMB on macOS?

Contact helpdesk@bmc.uu.se for advice.

All computers have to run adequate anti-virus software according to the rules at Uppsala University.

We recommend Symantec Endpoint Protection (SEP). Licenses for this are in most cases paid for by the department, but you must notify BMC-IT if you install it on your own so that we know what is going on. Notify BMC-IT by mailing helpdesk@bmc.uu.se.

The server is run by Polacksbacken campus for the whole of the university for those who like to cooperate on this.

For this to work, your computer host name must follow the Uppsala University naming scheme: first a three-letter acronym for the department, then a dash and then your serial number (or some other unique identifier; if you are not using your serial number, let us know), so that when we receive a warning we can identify the computer. As an example, a computer may be named BMC-07JD0NADJD3.

How to install

First the preparation:

  1. Make sure your computer host name follows the Uppsala University naming scheme.
  2. Notify BMC-IT what you are doing by mailing helpdesk@bmc.uu.se. Send the name of the computer.
  3. You must be located on the Uppsala University network or connect via VPN.

Then the actual installation:

  1. Open the server smb://bmcit-common.files.uu.se/BMCIT-Common in Finder
  2. Open Public
  3. Open Public Installation Files
  4. Open Symantec_Endpoint_Protection_version_14.0.2332.0100_English for Mac (ANG) Pick the directory with this or the latest version number!
  5. Download Symantec_Endpoint_Protection_version_14.0.2332.0100_English.pkg by copying it to your local computer (for example the Desktop). Pick the package with this or the latest version number!
  6. Open the package and do the installation.
  7. Reboot computer.
  8. Start application Symantec Endpoint Protection and make sure it is working as it should.

Configurations you might want to do:

Turn off notifications
(For the computer only. A report will still be sent to the server in case there is a virus found.)

  1. Click on "Notifications" in the top right corner of Finder.

  2. Click on the settings icon in the bottom right corner.

  3. Scroll down to "Symantec" in the left pane and click on it.

  4. Choose "None" as Symantec alert style (or another style of your choice).




17. How do I access my scans for eduPrint in Linux?

See also: How do I set up eduPrint for a Linux server?

Where are the scans stored

The DFS-path to the directory where your scans are stored is smb://user.uu.se/eduPrint/Scan/USERNAME. This path works fine in macOS but may or may not work in Linux. The other official path is smb://eduprint.its.uu.se/scan.

How to access via user-space tool smbclient

Use smbclient to access your directory, but use your own username instead of mine. smbclient works like a very old-school FTP client, if you remember those. It may be convenient because it runs entirely in user space and does not require any special privileges except access to the smbclient binary and network access.

smbclient -W USER -U jny25782 -m SMB3 //eduprint.its.uu.se/scan/
cd jny25782
ls

This works as well, without specifying a higher version of the SMB-protocol.

smbclient -W USER -U jny25782 -I eduprint.its.uu.se ///scan/
cd jny25782
ls

How to access them in Linux via kernel mount

You can mount directly on the command line like this. Use your own username and password.

sudo mount -t cifs -o username=jny25782,password=PASSWORDA,domain=user //eduprint.its.uu.se/scan/jny25782 /mnt/

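You may exclude your password and be prompted instead. A password given on the command line ends up in the shell history and is visible in the process list while mount runs, so being prompted is preferable. This works in Scientific Linux 6 (compatible with RHEL6) and CentOS 7 (compatible with RHEL7).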

sudo mount -t cifs -o username=jny25782,domain=user //eduprint.its.uu.se/scan/jny25782 /mnt/

The default settings in Ubuntu 17.10 do not work. Try SMB version 2.1 like this. (No longer needed as of 2019-03-11.)

sudo mount -t cifs -o username=jny25782,domain=user,vers=2.1 //eduprint.its.uu.se/scan/jny25782 /mnt/





18. How do I map a network drive via SMB on Windows?

See also: How do I mount my home directory or shared storage at HNAS?
See also: How do I access PCFS over SMB using smbclient?
See also: How do I use AddPrinterGUI to add printers in Windows 7/8/10 x64?
  1. Open the file explorer. Press Left Windows key together with E.
  2. Right click on my computer and choose Map network drive...

  3. Enter the network folder you would like to map. In this example \\filserver.uu.se\neuro
    Learn about server name and path to your home directory or shared storage at "HNAS" above.

  4. Enter your username and password. Please note that the Windows domain USER has to be entered. Do not use my username jny25782 but your own username. Enter your password A.

Not working?

You may want to read about SMB Security Enhancements at Microsoft.



19. We have a server, where should we put it?

See also: What is the postal address for BMC-IT?
See also: Who is responsible for what on the BMC network? Who can help me?
See also: How do I buy a new computer?
See also: Do you have a virtual machine (server) I can use?
See also: Who manages IT-support for whom at BMC?
See also: Open the server room for me please
See also: Who is responsible for the network in the BMC server room?
See also: What is the cost of a PC file server?

BMC has a server room in D11:0. The room was built in 2013 and is maintained together by the IT-division (UUIT) at the university administration (UADM) and Uppsala Biomedical Centre (BMC). The management team (styrgrupp) for the BMC-hall includes the IT director of the IT-division and the director of Uppsala Biomedical Centre.


The server room is equipped with:


The BMC-hall-router VLANs on the normal BMC-hall-switches cannot be shared with the VLANs on the router (called the BMC-router) for the rest of the building. Contact netsupport@its.uu.se for help with network configuration for the server room.

Current rate is 60000 SEK/rack/year or 2000 SEK/U/year plus a one time fee of 5000 SEK. (This should be about the cost of production. Prices from 2015-06-05.)

For renting space in the server room, contact bmc-hall@uu.se.

Also consider renting virtual servers or using some of the shared services at the university before buying your own physical servers. Contact uppdrag@its.uu.se for renting virtual servers in the shared VMware environment or storage. Contact UPPMAX for using the shared HPC resources for computation and storage. Check on them from time to time to see what they are up to before building something on your own, to reduce duplicated effort.

The BMC server room does not have a postal address. If you want to send packages of servers or other equipment to the server room at BMC please send to BMC-IT with your name as the recipient. (If you or your department has offices at BMC just send it to yourself at your department, do not send to BMC-IT.) Send us a mail to helpdesk@bmc.uu.se so that we know what is going on. When your package has been delivered you can pick it up at The Goods Reception and you need to show your ID.



20. My Internet does not work! How can I find the problem?

See also: How are the network sockets identified?
See also: How do I configure my resolver on a Linux machine?
See also: Some Cisco switch commands
See also: What is my IP-address and MAC-address?
See also: Who is responsible for what on the BMC network? Who can help me?

What network are you using?

  1. First check - are you trying to connect via the Wireless Network or the Wired network?

The wireless network:

  1. Do not use UpUnet-S
    Make sure you are not using UpUnet-S. UpUnet-S has a captive portal and requires login. Forget that network.
  2. Connect via Eduroam
    I will not go into details regarding how to configure Eduroam, but you can start reading about it here: Internet access with eduroam
  3. Do you not have coverage?
    • In student areas - order new Wi-Fi hotspots via Netsupport. In department areas, the department has to order and pay for them.
    • Use the wired network instead.

The wired network:

  1. Do you not have a link?
    If no link, check network cable. Throw away and destroy faulty Ethernet cables, even if only the little retainer tab is broken.

  2. If the link is down - has the network socket never been used before? Or was it a very long time ago since it was last in use?
    Contact your Local IT and activate the network socket. If there has been a switch upgrade in the cross connect cabinet recently, only the patch cables for the network sockets (or rather the switch ports) that have been used in the last year have been moved over to the new switch. If that is the case, the network socket has to be activated again.
  3. Is the switch out of order?
    If the network socket suddenly stopped working with no link, maybe the switch is broken. Did the network suddenly go dark in some parts of the corridor and not in others? Then this may be the case. Contact helpdesk@bmc.uu.se.
  4. Is it really the network that is broken and not the computer?
    Try the network socket with another computer that is working with another network socket. This can help to identify whether the network socket is not working or if the problem is somewhere in the computer.
  5. Is the power out in the network cabinet?
    If Internet suddenly stopped working - it does happen that the power is out. It is not very common. The cross connect cabinets are usually located in the same part of the building as the lab or office housing the network socket. So go check if power is out. Are the lights on? If the power is out, just wait, Akademiska Hus is almost always already working on it.
  6. Do you have an IP-address?
    Check with ifconfig (Mac/Linux) or ipconfig (Windows). The IP-address should usually begin with 130.238 if you are at the university.
  7. Do you get intermittent link flaps?
    If the link sometimes goes down but not all the time, this may be the case. Maybe the switch has put the switch port in the link flap error-disabled state and then, after a timeout period, turns the switch port on again. Send a message to helpdesk@bmc.uu.se or netsupport@its.uu.se.
  8. Are you on the correct VLAN? (1)
    If you get a link but do not get an IP-address you may be on the wrong VLAN. You can listen on the network to see what traffic there is. Then you can quite often figure out whether you are on the correct subnet or not. This can be done in Linux with sudo tcpdump -n -i eth0 or on Mac with sudo tcpdump -n -i en0. (The network interface names may differ - check the names with ifconfig.) For Windows, Wireshark is a bit overkill but should work as well.
    As an administrator you can search for the MAC-address in NetDB to see how the switch port is configured.
  9. Are you on the correct VLAN? (2)
    If you have a static IP and you have link, but cannot reach the gateway, you may be on the wrong VLAN. This may be due to switch upgrades or wrong configuration of the switch. See above for possible ways of diagnosing this.
  10. Does the switch have that VLAN in the trunk?
    If the VLAN is correct, the link is up but everything is silent, check if the port is the first port with that VLAN on the switch. If so then maybe the trunk is missing that particular VLAN. Let Netsupport add the VLAN to the trunk.
  11. Is the DHCP-server out of free leases?
    If you have a link but do not get an address via DHCP, then perhaps the DHCP-server is out of leases for your VLAN. You must contact your Local IT (which could be helpdesk@bmc.uu.se or someone else) to check what is going on. If it looks like there are free leases but it still does not work, let the Local IT send a request to servicedesk@uu.se and ask for DHCP-server logs for that particular MAC-address.
  12. Is the computer in the whitelist?
    If this is the first time you are connecting this particular computer, maybe your computer's MAC-address has not been included in the DHCP whitelist. This is a list of computers that are allowed to connect to the network. Again you must contact your Local IT (which could be helpdesk@bmc.uu.se or someone else) to check what is going on.
  13. Does the network not have a DHCP-server at all, or maybe a local one?
    You have to check how your department has set up the network. On some networks, for historical reasons, the IP addresses are still distributed manually. Please contact your local IT-support. (The local IT may or may not be BMC-IT.)
  14. Is the default gateway address wrong?
    Do you have a gateway? Check with route print (Windows), ipconfig (Windows), netstat -nr (Mac) or route (Linux). If you got an IP-address but cannot reach the gateway, maybe there are old firewall rules that are blocking your IP. Check with your Local IT (which could be helpdesk@bmc.uu.se or someone else) and then let them check with Netsupport or Security Division.
  15. Can the gateway be reached?
    Ping the gateway! First check what the default gateway is and then ping it. Example: ping 130.238.39.193...

  16. Can you reach outside the gateway (router)?
    Test to ping Google resolver ping 8.8.8.8
    If this is not working this might also be a problem with router filters or firewall rules.
  17. Does DNS resolving work?
    1. Check the configured resolvers with nslookup www.uu.se
    2. Check if you can reach the UU resolver with nslookup www.uu.se 130.238.7.10
    3. Check if you can reach Google resolver with nslookup www.uu.se 8.8.8.8 or nslookup www.uu.se 8.8.4.4
  18. Are the network settings correct on the computer?
    Check Internet settings. Here is a guide at Microsoft for Windows.

    Check DNS-server settings. The Uppsala University resolvers (nameservers aka DNS-servers) are 130.238.7.10, 130.238.4.11, 130.238.164.6. (They should have the common name resolver.uu.se.) If you are using DHCP it should look like this:

  19. Does the computer work on another IP?
    If you are using a static IP you can try to use another free IP (check with your Local IT before using another IP). If that does work then:
    1. Maybe the IP you are trying to use is already in use. Please check arpwatch/NetDB.
    2. Maybe the IP is blocked in the university firewall. Please check with Security division.
  20. Is this a virtual machine that has been cloned?
    Check that you are using a unique MAC-address and unique IP-address for the cloned virtual machine. Otherwise the cloned machines will steal the addresses from each other which will make the network work erratically.

Windows specific fixes when all else fails

  1. Reset TCP/IP-stack
    If most things look OK but the computer cannot connect to the Internet anyway, then maybe the TCP/IP-stack needs to be reset. In Windows 7/8/10 the command for doing this (as an administrator) is netsh winsock reset. Follow up with a restart of the computer.

  2. Reset firewall rules
    To reset the firewall rules in Windows 10/8/7/Vista type netsh advfirewall reset as an administrator at the command line.

For administrators

It could be of help to find out this information about the computer for a more efficient troubleshooting:

  1. Look up the computer login logs for standard Windows clients. Search for the user and the computers. Here you can find the computer name and the username.
  2. Look up the computer name in Active Directory. In the description you can find the computer model and the MAC-address used for installation.
  3. Look up the MAC-address in NetDB. Here you can find the IP-address, switch name and switch port.
  4. Look up the MAC-address in IPAM (BlueCat). Here you can find if the computer is in a DHCP whitelist or any other DHCP-configuration related to the computer.
  5. Look up the IP-address in NetReg. Here you can find VLAN number and VLAN name and the ACL (router filter) for the VLAN.
  6. Look up the Switch and SwitchPort in the network documentation Excel-sheets at BMC. Here you can find the cross connect cabinet ID and network socket ID.
  7. Look up the MAC-address in Arptrack. Here you can find previous arpwatch log entries.




21. What is VPN?

See also: How to connect with VPN using AnyConnect in Windows
See also: How do I connect to the VPN using Ubuntu?
See also: How to connect with VPN using AnyConnect in macOS?
See also: How do I use port forwarding and SOCKS-proxy in SSH?
VPN is short for Virtual Private Network. A VPN tunnel is an encrypted connection between two places over an open network.

If you connect to the university network without a VPN tunnel, the ISP (Internet Service Provider) you use can see that there is data sent between your computer and the university network. The ISP would also be able to see the data that is sent and possibly intercept data.

When you connect to the university via VPN, an encrypted tunnel is created from your computer to the university VPN server. The ISP can still see that there is data sent from your computer to the university network, but they can't see the data and they can't intercept any data.





22. How do I send bulk mail?

Use Bcc in your normal mail program

  1. In this example we will use the webmail for sending the mail. First create a list of recipients in Excel.

  2. Compose a mail in the webmail, activate the Bcc-field (click on Bcc) and then copy and paste all the recipients into the Bcc-field. Put yourself in the To-field. You do not want everyone to be able to reply all to everyone receiving the mail, do you?

  3. Write your mail and send.

Use a mailing list at Sympa

If you wish to send to the same list of persons several times, you may want to create a mailing list on the mailing list server.

You can create a mailing list for this purpose that only you can send to. Please send a message to servicedesk@uu.se and tell them what you want. Visit the Mailing list service Sympa.

Make sure only you are allowed to send to the list.

Send the bulk mail with a script

This solution requires some basic knowledge in using a text editor like Vi, Nano, Emacs or the built in TextEdit in macOS. If you do not know how to do that then this solution is not for you.

  1. Put all your recipients in a file like this, one recipient on each line and call it to.txt.

    jerker.nyberg.1@bmc.uu.se
    jerker.nyberg.2@bmc.uu.se
    jerker.nyberg.3@bmc.uu.se

  2. Create your message in a file called message.txt like this. Change the subject and the sender address.

    Subject: The subject of the mail
    From: persona.non.grata@example.uu.se
    MIME-Version: 1.0
    Content-Type: TEXT/PLAIN; charset=utf-8
    Content-Transfer-Encoding: 8BIT

    Hello all,

    Please read this important information. Bla bla bla.

    Kind regards,
    Jerker Nyberg von Below, UU BMC

  3. Then create a script that does the sending. Call it bulkmail.sh. Change the sender address again.

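    #!/bin/bash
    # Usage: ./bulkmail.sh to.txt message.txt
    REFILE=$1   # file with one recipient per line
    BODY=$2     # file with the remaining headers and the message body

    if test ! -e "$BODY" ; then
        echo "Error file $BODY does not exist"
        exit 5
    fi
    if test ! -e "$REFILE" ; then
        echo "Error file $REFILE does not exist"
        exit 5
    fi

    # Send one separate mail per recipient, each with its own To: header.
    while IFS= read -r RE ; do
        echo "Sending to $RE"
        (
            echo "To: $RE"
            cat "$BODY"
        ) | /usr/sbin/sendmail -f persona.non.grata@example.uu.se "$RE"
    done < "$REFILE"

    Make sure the script is executable.

    $ chmod +x bulkmail.sh
    $ _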

  4. Make sure you can send mail via the university mail server from your computer. If this is a macOS machine you want to set the relay host to smtp.uu.se. You do this by adding the following row to the file /etc/postfix/main.cf. This will only work when you are located on the Uppsala University network.

    relayhost = smtp.uu.se

    You may need to restart the computer after this is done.

  5. Run the script like this:

    $ ./bulkmail.sh to.txt message.txt
    Sending to jerker.nyberg.1@bmc.uu.se
    Sending to jerker.nyberg.2@bmc.uu.se
    Sending to jerker.nyberg.3@bmc.uu.se
    $ _
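
bulkmail.sh uses every line of to.txt both as the sendmail recipient argument and as the To: header, so a list pasted from Excel is worth checking before anything is sent. The pre-flight check below is an added example, not part of the original FAQ; the script name, function names and the accepted character set are assumptions.

```shell
#!/bin/sh
# check_recipients.sh - pre-flight check for the to.txt file used by bulkmail.sh.
# Added example; function names and the accepted character set are assumptions.

LC_ALL=C; export LC_ALL            # make A-Z / a-z ranges mean plain ASCII
CR=$(printf '\r')                  # carriage return left by Windows/Excel exports

# reject_reason ADDRESS
# Prints why the line must not be handed to bulkmail.sh; prints nothing if it is fine.
reject_reason() {
    case $1 in
        '')                  echo "empty line" ;;
        *"$CR")              echo "trailing carriage return (Windows line ending)" ;;
        -*)                  echo "leading '-' would be read by sendmail as an option" ;;
        *[!A-Za-z0-9@._+-]*) echo "character other than A-Z a-z 0-9 @ . _ + -" ;;
        *@*@*)               echo "more than one @" ;;
        @*|*@|*@.*|*.|*..*)  echo "malformed local part or domain" ;;
        *@*.*)               ;;    # plain local@domain.tld: accepted
        *)                   echo "no @domain.tld part" ;;
    esac
}

# check_recipients [LABEL] < FILE
# Reads recipients from stdin, prints "LABEL:LINE: reason" for each rejected
# line and returns 0 only when there is at least one line and every line passed.
check_recipients() {
    label=${1:-stdin}
    n=0
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        why=$(reject_reason "$line")
        if [ -n "$why" ]; then
            bad=$((bad + 1))
            printf '%s:%d: %s\n' "$label" "$n" "$why"
        fi
    done
    [ "$n" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Constructed sample: one good line plus the mistakes this check is meant to catch
# (two addresses on one line, a display name, a leading dash, a missing domain,
# and a Windows line ending).
sample_recipients() {
    printf '%s\n' 'jerker.nyberg.1@bmc.uu.se' \
        'jerker.nyberg.2@bmc.uu.se, jerker.nyberg.3@bmc.uu.se' \
        'Jerker Nyberg <jerker.nyberg.1@bmc.uu.se>' \
        '-jerker.nyberg.2@bmc.uu.se' \
        'jerker.nyberg.3'
    printf 'jerker.nyberg.3@bmc.uu.se\r\n'
}

# Usage: ./check_recipients.sh to.txt && ./bulkmail.sh to.txt message.txt
# Without an argument the constructed sample above is checked instead.
if [ "$#" -ge 1 ]; then
    check_recipients "$1" < "$1"
else
    sample_recipients | check_recipients sample ||
        echo "sample rejected, nothing would be sent"
fi
```

Because the check returns non-zero on the first bad list, chaining it with && in front of bulkmail.sh means no mail goes out until to.txt is clean.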





    23. Where do I store my data? How do I take backup?

    See also: How do I manage access to a group storage at Argos?
    See also: How do I connect to storage at Argos?
    See also: How do I order a group storage at Argos?
    See also: How do I order a personal storage at Argos?
    See also: What is ransomware and CryptoLocker?
    See also: We need more storage! Do you have a file server we can use?

    Strategy

    The general idea is to focus on where you store your data instead of how you take backup of your data. You have to be aware of where your data is stored!

    Ideally the computer should not need to be backed up - all data should be on a secure file server. If the computer breaks down it should be possible to just grab another computer, login and access the data. Most standard software and configuration should be easy to reinstall.

    Where do I put my data

    Make sure you store your data safely on a secure file server. Check with your IT support organisation which file server you should use. Recommended file servers are "HNAS" and "Argos".

    • Store your personal data in a personal storage where only you can access the data.
    • Store your group's data in a group storage where all users in the group can access the data.

    How do I work with my data?

    Mount your storage folder on your local computer and work directly with the files on the file server. If you need to access the data when not at the university, you can connect to the university network via VPN and then mount the storage folder.

    Guides for connecting to the file server and mounting a storage folder on your local computer:

    But I need all my data on the client!

    Do you really? We do not recommend this, but sometimes, this is the only solution that works. In that case:

      macOS
    • Use Apple's Time Machine to make full computer backups to a local, external drive. Please note that this is not a complete backup system. It may not protect your data against malware or ransomware, and if the computer and the external drive are in the same place when something bad happens, it might happen to both of them...
    • Also, the central service TSM can be used.
      Windows
    • We recommend using the central service TSM to take complete backups of the Windows computer.

    What do I do now?

    Check if your computer was backed up with Retrospect or Time Machine (over the network). These services are no longer available and if your computer was configured to use them you need to make sure your data is secured in another way:

      macOS
    • Start storing your data safely on a secure file server.
    • In addition to the above, the recommendation is that macOS users have a local, external hard drive that backs up the entire computer with Apple’s Time Machine service. Since it's easy to set up and cheap to use, there is no reason not to take backups this way too. The hard drive should always be connected to the computer when in the office, and then stored in a safe place when not in use. Don't bring it when travelling!
    • Also, the central backup service TSM can be used.
      Windows
    • If your Windows computer is part of the BMC-IT platform, everything that is stored on your "Desktop" and in your "Documents" folder may already be automatically synchronized to your personal storage on the file server “HNAS”, and you don't need to do anything more than make sure your data is stored in one of these folders on your computer.
    • If not, start storing your data safely on a secure file server, in a personal or group storage as mentioned above.
    • Also, the central backup service TSM can be used.





    24. How do I mount my home directory or shared storage at HNAS?

    See also: How do snapshots in the HNAS file server work?
    See also: We need more storage! Do you have a file server we can use?
    See also: How do I map a network drive via SMB on Windows?
    See also: How do I connect to a file server via SMB on macOS?
    See also: How do I mount SMB share in Linux?
    See also: How do I access my home directory?
    See also: What is the point with the zone files.uu.se?

    For Windows clients in USER-AD your home directory and the department common (public) share will automatically be mounted when you login using the drive letters below.

    This storage is in the university shared HNAS file server. Some departments also have other storage available - contact helpdesk@bmc.uu.se for details.

    1. Please select your department:

      DepartmentAcronym
      Biomedical Centre Campus Management
      Department of Cell and Molecular Biology
      Department of Medical Biochemistry and Microbiology
      Department of Medical Cell Biology
      Department of Neuroscience
      Department of Pharmaceutical Biosciences
      Department of Public Health and Caring Sciences
      International Science Programme (ISP)
      . . .
    2. Please enter your username here:


      In the paths below, replace TLA with your department's acronym and account with your username.

      Purpose | Platform | DFS-path | Direct path | Drive letter
      Home directory for personal files | Windows | \\user.uu.se\BMCI\TLA-Users\account | \\TLA-Users.files.uu.se\TLA-Users$\account | X:
      Home directory for personal files | Mac | smb://account@user.uu.se/BMCI/TLA-Users/account | smb://user\account@TLA-Users.files.uu.se/TLA-Users$/account |
      Common (public) share for department, research groups etc. | Windows | \\user.uu.se\BMCI\TLA-Common | \\TLA-Common.files.uu.se\TLA-Common$ | P:
      Common (public) share for department, research groups etc. | Mac | smb://account@user.uu.se/BMCI/TLA-Common | smb://user\account@TLA-Common.files.uu.se/TLA-Common$ |
    3. Sometimes you want to mount via the command line.

      • Windows, command line version on mapping a network share:

        net use x: \\TLA-Users.files.uu.se\TLA-Users$\account /user:user\account

      • macOS, command line version on how to connect to a file server:

        mkdir ~/Desktop/account
        mount_smbfs '//user;account@TLA-Users.files.uu.se/TLA-Users$/account' ~/Desktop/account

      • On Linux, command line version on how to mount a CIFS file system:

        mkdir ~/Desktop/account
        sudo mount -o username=account,domain=user -t cifs '//TLA-users.files.uu.se/TLA-users$/account' ~/Desktop/account

    4. Also read in the SOP - Connect a Mac to HNAS (v1.0).pdf or follow the links to other FAQs above on how to use the Windows Explorer or Mac Finder GUI. Remember to use the VPN if you are connecting from outside the university network.

      Connect from Mac

    Problems with accessing the shared folders

    A common problem is that your account does not have the correct permissions, which are set through group membership in AKKA, the university catalogue. If so, please contact your department administration to get this fixed.





25. What is my IP-address and MAC-address?

See also: How to connect with VPN using AnyConnect in Windows
See also: How do I connect to the VPN using Ubuntu?
See also: How do I connect a private computer to the department network?
See also: My Internet does not work! How can I find the problem?

The easiest way to see what IP your computer or phone is currently using when contacting Internet is to go to a web page that displays it.

How to look up the local IP-address on different operating systems:

Your local IP-address may be translated into another external IP-address over a router using NAT (network address translation).

  1. macOS
  2. Linux
  3. Windows

1. macOS

On a Mac this is also displayed in System Preferences:

  1. Open the Network tab in System Preferences and go to active interface to see the IP-address. Example 130.238.39.228

  2. Open Advanced. The IP-address is displayed again.

  3. Check MAC-address in Advanced. Example a8:20:66:19:5b:b8

2. Linux

For Linux (or macOS) open a terminal and type ifconfig or ip addr list.

3. Windows

For Windows, open a command window and type ipconfig /all

Example: IP-address is 130.238.39.229 and MAC-address is 08:00:27:27:06:ad

The command getmac also displays the currently used MAC-address.





26. What is the name standard for network equipment on BMC.

See also: How are the network sockets identified?
See also: What Internet bandwidth does the university have?
See also: Some Cisco switch commands

Unfortunately there are several systems still in use for naming the network equipment at BMC.

Each entry below gives the name standard (with example names), the year, who introduced it, and an explanation.

Name standard: ?
Year: 1976-
Introduced by: BMC
Explanation: Naming of old terminal network blissfully forgotten.

Name standard: ?
Year: 1986-
Introduced by: BMC
Explanation: Naming of old ethernet network blissfully forgotten.

Name standard: C5:2
Year: 1998
Introduced by: BMC
Explanation: The first C5500 fast ethernet twisted pair switches were named after the cross connect cabinets where they were located.

Name standard: C5:2-2
Year: 2000
Introduced by: BMC
Explanation: With the addition of C2980 and C3500 switches, the naming included a serial number for each cabinet.

Name standard: Cluster_A1-1, Cluster_A1-1-1, C1-2-2mem1, C3:3-3-Mem_1
Year: 2005
Introduced by: UUIT
Explanation: At some point in time the C2950 switches were clustered in order to minimize the use of IP-addresses.

  1. Problem: It is getting really hard to know which switch is which with all members and clusters.

Name standard: A3:1_Poe-Manager, A3:1_Poe-Manager-1, A3:1_Poe-Manager-2
Year: 2007
Introduced by: UUIT
Explanation: A new naming standard for PoE switches showed up with the need to identify the PoE capable switches.

Name standard: C2960S-C6-3-319c, C2960S-C5-3_3, C2960-C6:013b, C5K-C7-3, C5K-C7-2
Year: 2007 (?)
Introduced by: UUIT
Explanation: At some point in time the switch model was introduced in the name, perhaps to easier identify the switches, at least the new ones. However, several different separators were used. When switches were not put in cross connect cabinets the room number was introduced.

MODEL HOUSE FLOOR [NUMBER]

MODEL HOUSE ROOM

Name standard: BMC-A9-1-3
Year: 2011
Introduced by: BMC
Explanation: A prefix was introduced to separate BMC-switches from other switches. The switches were still named after the termination of the cables in the cross connect cabinet. The naming was:

CAMPUS HOUSE FLOOR NUMBER

  1. Problem: Does not scale to several cross cabinets (racks).

Name standard: BMC-D9-3-01b-8
Year: 2013
Introduced by: UUIT
Explanation: The cross connect cabinet room number was used instead of the network socket termination rack. The idea was to use the same system all over the university.

CAMPUS HOUSE FLOOR ROOM NUMBER

  1. Problem: the cross connect cabinet rooms change house and room number even if they are vertically located above each other.
  2. Problem: the markings on the switch do not match the markings on the network socket.

Name standard: BMC-D11-0-09a_48-1
Year: 2014
Introduced by: UUIT
Explanation: Server room required naming based on racks introducing a new system:

CAMPUS HOUSE FLOOR ROOM RACK NUMBER.

  1. Problem: by only looking at the switch name it is not possible to know what VLANs are on it. The BMC-HALL switches should probably have used another prefix than BMC. Perhaps a router prefix?

Name standard: BMC-C11-3-D302-3
Year: 2015
Introduced by: BMC
Explanation: The introduction of room numbers makes it harder to figure out what switches are located in what cross connect cabinet. Introduce the rack for the cross connect cabinets like in the server room.

CAMPUS HOUSE FLOOR RACK NUMBER.

  1. Problem: Redundant floor number, both in the FLOOR and in RACK.
  2. Problem: New flexstacked switches appearing at this time share the same network name but introduce a new physical name making it hard to identify which network socket it is.
  3. Problem: Large flexstacked switches may sit in two racks.

Name standard: BMC-C1-3-D302-S-1, BMC-C11-3-D302-S1, BMC-C3-2-D202-S1
Year: 2016
Introduced by: UUIT
Explanation: No problem, just add a number telling it is a stack and then a number for each member in the stack! Or perhaps a slash?

CAMPUS HOUSE FLOOR RACK ROOM "S" NUMBER.

  1. Problem: Not the full room number, the room numbers are always three numbers and perhaps a letter.
  2. Problem: Redundant floor number, both in the FLOOR and in RACK.
  3. Problem: Still a bit hard to figure out what name is a switch name and what is a flexstack number...

Name standard: FAL01-C7-03-301B-1 #1, FAL01-C7-03-301B-1 #2
Year: 2017
Introduced by: UUIT
Explanation: Switches are put in DNS! Great! Unfortunately this introduced a new name with the FQDN and also a new name not always exactly as the old switch names due to partial rename.

Using the same naming as the Wi-Fi hotspots introducing block (kvarter) in the name via Byggnadsavdelningens register.

BLOCK HOUSE (with extra zero prefix) FLOOR ROOM NUMBER.

  1. Problem: introduce new prefix fal01- instead of bmc-
  2. Problem: the cross connect cabinet rooms change house and room number even if they are vertically located above each other.
  3. Problem: the markings on the switch do not match the markings on the network socket which references to the cross connect cabinet.
  4. Problem: The block name (fastighet / kvartersnamn) for BMC is ROSENLUND. FALTLÄKAREN is the old Magistern or Kunskapsskolan. The plot is Kåbo 1:10.
  5. Problem: The NUMBER is not unique for each cross connect cabinet.
  6. Problem: Introduce a leading 0 in front of floor number.





27. How do I start an elevated command prompt (as administrator) in Windows?

See also: How to change language in Windows 10 Enterprise
See also: How do I activate my Office using KMS?
See also: How do I force activation of Windows 10 using KMS?
See also: How do I really delete a directory and files in Windows?
See also: How do I copy many files in Windows using Robocopy?
  1. Start a command interpreter window by entering cmd in the search prompt.

  2. Launch by pressing CTRL SHIFT and ENTER at the same time.

  3. Answer Yes to run as administrator.

    It should look like this for Windows 7:

    And like this for Windows 10:

  4. If everything works fine you are running as administrator. The Window title bar should contain the text Administrator:.

    It should look like this for Windows 7:

    It should look like this for Windows 10:

It does not work! What do I do now?

  1. Make sure you are connected to the university network. Then restart computer.

  2. Make sure you are using your employee account and not your old student account.

  3. If you need to be local administrator, send a mail to helpdesk@bmc.uu.se where you specify your computer name and your account name. We can then add you as a local administrator, after we have confirmed that it is your computer. Then restart computer.

  4. If it does not work anyway, restart the computer again. When the computer restarts it should read the group policy which adds the members of a group in the Active Directory to that computer's local administrators.

  5. If the group has been created and populated with members and it still does not work, run the command gpupdate /force in a command window to force the computer to update the group policy if this was not done automatically. It may look like this. Answer y and enter to logoff. Then login and try again.





28. What Internet bandwidth does the university have?

See also: Who is resposible for what on the BMC network? Who can help me?
See also: We have a server, where should we put it?
See also: How to connect with VPN using AnyConnect in Windows
See also: How are the network sockets identified?
See also: What service levels does BMC-IT have compared to others at the university?
See also: How do I use Eduroam, the wireless network, in Windows?
See also: What is the name standard for network equipment on BMC.

Check your own bandwidth



Bredbandskollen is a bandwidth measuring service. However, above 100 Mbit/s the service may be inaccurate regarding exact speed since it depends too much on the local computer and web browser performance. It requires Flash in the browser in order to work.

For mobile and wireless networks it is usually quite good.

Fixed network

SUNET had 2 x 40 Gbit/s connection to NORDUnet but now has even more.

SunetC statistics

The Uppsala University network (UpUnet) had 2 x 10 Gbit/s bandwidth to OptoSUNET but is now connected to SunetC with 2 x 100 Gbit/s.

BMC-campus-router has 2 x 10 Gbit/s to the rest of Uppsala University network (UpUnet) for the BMC-router and 4 x 10 Gbit/s for the BMC-hall-routers.

BMC has internally in the building either 10 Gbit/s, multiple 1 Gbit/s or single 1 Gbit/s bandwidth to the cross connect cabinet distribution switches. BMC linkstatus

The network sockets at BMC are connected via either 100 Mbit/s (Fast Ethernet) or 1 Gbit/s (gigabit Ethernet) to the edge switches. If you only have Fast Ethernet and need gigabit let us know at helpdesk@bmc.uu.se. A few servers have 10 Gbit/s or multiple 1 Gbit/s.

The network in BMC is built by Cisco equipment. Over the years we seem to have acquired all possible models, but mostly C5500, C3500, C2980, C2950, C2960, C2960S, C2960X, C2960XR. Our oldest Fast Ethernet switches - C5500, C3500 and C2980 - are currently being replaced (2015).

Due to lack of personnel resources this has been postponed. We will hopefully continue the upgrade in 2017-2018 and then also include replacement of all of the C2950 and C2960 switches. Only C2960S, C2960X and C2960XR are left of the old.

New cross connect cabinets are built with 10 Gbit/s or dual 1 Gbit/s uplink and flexstacked C2960X with 1 Gbit/s to the clients. Old switches without flexstack are connected via EtherChannel to the stack or have direct connections to the router.

The idea with the network topology is that no switch failure should bring down any other switch. No single interface or transceiver (SFP/SFP+/GBIC) failure should interrupt any switch. The BMC-router is the big exception but Cisco 6500 series are in general quite reliable and can have multiple boards/interface cards. It is equipped with redundant power supplies and is connected to a small dedicated UPS.

Wireless network

Most of the wireless access points in BMC are Cisco AP1131 with support for IEEE 802.11a/b/g up to 54 Mbit/s but in practice less. We have a few Cisco AP2602i with support for IEEE 802.11a/b/g/n which are slightly faster, but usually not above 80-100 Mbit/s since most of them are limited by their connection to 100 Mbit/s PoE Fast Ethernet anyway.




29. Connect to eduroam using iPhone with iOS 10

See also: How do I use Eduroam, the wireless network, in Windows?

Instructions how to connect to eduroam using an iPhone with iOS10.

1. First, open "Settings". Then select "Wi-Fi". Select "eduroam".

2. Enter your AKKA-id followed by "@user.uu.se" and then enter your password B.

If you have forgotten your password B you can reset it using https://akka-anv.uu.se and password A.

3. Click to trust the certificate. After this step the phone should connect to eduroam. It might take 30-60 seconds.

If it doesn't work, try to reboot the phone and repeat the procedure.

If it still doesn't work, you can try to reset the network settings (Allmänt / Nollställ / Nollställ nätverk). Beware though that if you do this you'll need to enter all Wi-Fi-passwords again on all networks.





30. How do I use an Apple AirPort Time Capsule?

See also: What is ransomware and CryptoLocker?
See also: Who is resposible for what on the BMC network? Who can help me?
See also: We need more storage! Do you have a file server we can use?
See also: What should I think about when adding my own network printer?

Please do not buy one of these for use at BMC! Your Local IT must be involved and usually does not allow these on the network. For large parts of BMC this is BMC-IT, Rudbeck-IT, IT-division/UADM/EP or Uppsala University Library and as far as I know none of us allow or recommend these. (2018-09-21)

Apple Airport Time Capsule is a great tool for a home or small office, providing simple backup, Wi-Fi hotspot and NAT-router all in one.

But we really recommend a normal external hard drive for backup. Keep one at home and one at work.

Also be aware that a backup, where the client has full write access to the backup and can erase old versions of the backup, does not protect against ransomware attacks. The attacker may destroy old backups from the compromised client.

Here is a summary what the problems may be with this kind of equipment:

NAT
SUNET and the Security and safety division at Uppsala University require that it is possible to identify which user is doing what on the network. NAT (in this level of home or small office equipment) is hiding this.

Read the Riktlinjer för säkerhetsområdet and the document UFV 2016/1944 Anskaffning och drift av IT-system in particular section 4.4 Anslutning till universitetets datornät.

DHCP-server
Apple AirPort has a built-in DHCP-server. When connected the wrong way (NAT-ports) to the department network the device will give IP-addresses to the other computers on the network. This will mess up the network. In the best case (when both WAN- and LAN-ports are connected at the same time to the department network) all that happens is that all traffic will pass through the Apple AirPort which will then act as a bottleneck. In the worst case (only LAN-ports are connected to department network) nothing will work and the whole department network will go down.

Wi-Fi hotspot
The Uppsala University IT-division is responsible for setting up Wi-Fi-hotspots all over the Uppsala University campuses. The frequencies have been planned so that they do not interfere with each other. Even when using a frequency that is not the same as the closest hotspot, the frequency may interfere with other hotspots' frequencies further away (but still in range).

Stability problems
We have been running the backups for many clients for several Mac servers using the same technology. It has turned out that, although not very often, the backups using Time Machine over the network may go corrupt. Then the backup is not worth much. The problems may or may not be related to the use of a flaky network adapter (in particular the USB-Ethernet adapter used by Macbook Air).

Sharing the effort of building stable networks
By using the university's centrally managed DHCP-server and routers it is possible to help each other with management. Both the IT-division and the BMC-IT can help with finding problems with the network. When using this kind of small office / home office equipment it is really hard for somebody else to know what is going on. You are on your own.

It may be theoretically possible to turn off all server functions including NAT/Wi-Fi and then secure it with accounts, but it may not be worth the effort. When doing that (turn off NAT and only do network bridge, turn off Wi-Fi), make sure that the AirPort does not mess up the network if the settings are reset for some reason - only attach the WAN port to the department LAN. The equipment is best used at home or at a small office.

At least these things have to be done:

  1. Turn off NAT and DHCP-functionality.
  2. Turn off Wi-Fi.
  3. Set up with account and password protection.
  4. Set up internal firewall in the equipment so that no one outside the department network can access it.
  5. If that does not work:
    1. Set a fixed IP for the device
    2. Set up the campus router filter so that no one outside the department network can access it.
  6. Actually set up both internal firewall and router filter if possible.
  7. Make sure that the firewalls are working.
  8. Make sure only the user creating the backups can access them.

This list is not guaranteed to be complete.

Our suggestion is to move the equipment to the home office for a backup when working at home. Then get another hard drive for the office.

If you need better Wi-Fi coverage contact helpdesk@bmc.uu.se and then we can together with IT-division hopefully improve the location and coverage of the Wi-Fi hotspots.

So what to do instead?

  1. Get a normal hard drive and use Time Machine on that one. Get a hard drive at home and one at work. This will hopefully give you a backup of the whole computer in two different places.
  2. Store important data on a file server. Like the HNAS file server at the university.





31. Are there any desktop phones using the mobile network?

The costs for wired analog telephones are increasing compared to mobile phones. The cost for moving a mobile phone is obviously a lot smaller than for a wired phone.

Please read the pricelist for phone services at the university (in Swedish).

We have found two models of desktop phones that use the mobile telephone network (3G/UMTS) which can be bought via the university. (2018-09-11)

Do also consider a cheap and simple mobile phone for each employee.

  • Huawei F617-20 Desktop Phone Generic 818 SEK (2018-09-11)

  • Jablocom Essence Desktop Phone 1580 SEK (2018-09-11)

    Here are the same kind of mobile desktop phones at Dustin

    Please note, we cannot buy phones from Dustin.





    32. How do I install Ubuntu?

    See also: Add a printer in Ubuntu 14.04
    See also: Print using UserCode for Ubuntu
    See also: How do I mount SMB share in Linux?
    See also: Do you have a virtual machine (server) I can use?
    See also: How do I configure my resolver on a Linux machine?

    This is documentation for a network installation of Ubuntu on the BMC network using the BMC-IT network boot menu over PXE. This applies to physical PCs or VirtualBox.

    You can always do a manual installation. Just download the DVD from Ubuntu and install. Skip a few steps in the instructions below.

    1. Netboot the computer, usually by pressing F12 at BIOS boot time.
    2. In the PXE-boot menu, start the latest and greatest Ubuntu installation. For example start a text installation of Ubuntu 18.04 Bionic Beaver x64 Mini:

      l          Local Boot (default)
      m          Memtest86
      mdtmt      Windows 10 Enterprise x64 (Mediatek network)
      c74        CentOS 7.4 x64 Netboot
      c73iso     CentOS 7.3 x64 Minimal ISO
      debian74   Debian Netinstall 7.4 AMD64
      sl65       Scientific Linux 6.5 x64
      sl65kick   Scientific Linux 6.5 x64 kickstart
      u1604live  Ubuntu 16.04 "Xenial Xerus" x64 Mini Remix Live
      u1704mini  Ubuntu 17.04 "Zesty Zapus" x64 Mini
      u1710mini  Ubuntu 17.10 "Artful Aardvark" x64 Mini
      u1804mini  Ubuntu 18.04 "Bionic Beaver" x64 Mini
      boot: u1804mini_

    3. Step through the text installation. Activate automatic updates.
    4. Please name the computer TLA-SERIALNUMBER where TLA is your department's unique three letter acronym and SERIALNUMBER is the computer serial number.
    5. If you want to keep the Windows installation, if there is one on the computer, you can resize the existing partitions.
    6. You can choose several different desktop environments, but I recommend to begin with the standard Ubuntu desktop. This is how the Xubuntu desktop looks in VirtualBox running in macOS:

    Installing in VirtualBox

    If you install in VirtualBox, remember to install the VirtualBox Guest Additions to enable shared clipboard and files between the host and guest OS.
    1. The CD is mounted automatically by VirtualBox. If everything works fine Ubuntu will find the CD and ask you for permission to install the guest additions. Just go ahead.
    2. Otherwise, try to mount the CD via the menu in VirtualBox with Devices - Insert Guest Additions CD image.... Continue as above.
    3. And finally if the autorun does not execute but the CD has been mounted, you can manually run the installation:
      cd /media/jerker/VBOXADDITIONS_4.3.28_1003095
      sudo ./VBoxLinuxAdditions.run




    33. How do I connect to the VPN using Ubuntu?

    See also: How to connect with VPN using AnyConnect in Windows
    See also: How do I set firewall rules in Linux to block SSH?
    See also: What is my IP-address and MAC-address?
    1. First apply for the VPN-service. Go to VPN service at Medarbetarportalen and follow instructions in the section Application for VPN service.

    2. Then install the openconnect client:

      sudo apt-get install network-manager-openconnect-gnome

    3. From the menu choose Edit connections...

    4. Select Add

    5. Select the Cisco AnyConnect Compatible VPN (openconnect) connection type.

    6. Edit your connection by naming it (VPN.UU.SE in this example) and then enter the gateway vpn.uu.se:

    7. The new connection will now show up in the Network Manager menu. Open it.

    8. Enter your username and password A and if you dare select Save passwords.

    9. It worked!

    10. Check your new IP-address:

      ip addr list vpn0

    11. You can also go to websites like www.whatismyip.com to see where you are connecting from.




    34. How do I install Adobe CC Complete (Photoshop, Illustrator...) in Windows?

    See also: How much do Adobe Photoshop and Illustrator cost?
    See also: How do I sign my documents with an electronic signature?

    For Windows computers that have a Zenworks agent it is quite easy.

    1. First restart computer if it has any pending upgrades. Otherwise the installation will fail.

    2. Open the Adobe Complete application in the Zenworks window.

    3. Answer OK once.

    4. Answer OK twice.

    5. Wait a very long time (all files are around 14.5 GB) for everything to install. The files are read from a file server so you have to be connected to the university network.

    6. It is possible to open a ZENworks progress window from the status bar. Step 7 of 8 will take a very long time.

    Normally in Zenworks everything may be loaded over the Internet, but in this case, since the package is so large, for technical reasons we choose to install it directly from a file server.

    When installing the bundle a request for registration of licenses will be automatically sent to helpdesk@bmc.uu.se who will confirm the registration at appropriate group or department.

    For Windows computers that do not run the Zenworks agent, the same package can be installed by a system administrator. Also contact helpdesk@bmc.uu.se for this.

    For macOS this installation is more or less manual. Contact helpdesk@bmc.uu.se.



    35. What fun things can I do with Systemd in Linux?

    Figure out what is taking so long to start:

    # systemd-analyze blame
    1min 46.945s kdump.service
         13.838s network.service
           873ms postfix.service
           602ms dev-md126.device
           285ms systemd-udev-trigger.service
           258ms tuned.service
           186ms systemd-fsck-root.service
            55ms httpd.service
    ...
    # _

    Check how a service is doing:

    # systemctl status httpd
    httpd.service - The Apache HTTP Server
       Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
       Active: active (running) since Fri 2017-04-14 05:22:28 CEST; 3 weeks 5 days ago
         Docs: man:httpd(8)
               man:apachectl(8)
      Process: 6484 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
      Process: 14190 ExecReload=/usr/sbin/httpd $OPTIONS -k graceful (code=exited, status=0/SUCCESS)
     Main PID: 6489 (httpd)
       Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
       CGroup: /system.slice/httpd.service
               6489 /usr/sbin/httpd -DFOREGROUND
               14198 /usr/sbin/httpd -DFOREGROUND
               14199 /usr/sbin/httpd -DFOREGROUND
               14201 /usr/sbin/httpd -DFOREGROUND
               14202 /usr/sbin/httpd -DFOREGROUND
               14203 /usr/sbin/httpd -DFOREGROUND

    Apr 14 05:22:28 bmc-pcfs2.bmc.uu.se systemd[1]: Starting The Apache HTTP Server...
    Apr 14 05:22:28 bmc-pcfs2.bmc.uu.se systemd[1]: Started The Apache HTTP Server.
    Apr 16 08:47:01 bmc-pcfs2.bmc.uu.se systemd[1]: Reloaded The Apache HTTP Server.
    Apr 24 05:52:36 bmc-pcfs2.bmc.uu.se systemd[1]: Reloaded The Apache HTTP Server.
    Apr 30 07:05:06 bmc-pcfs2.bmc.uu.se systemd[1]: Reloaded The Apache HTTP Server.
    May 07 08:18:32 bmc-pcfs2.bmc.uu.se systemd[1]: Reloaded The Apache HTTP Server.
    # _

    Start, stop and restart units (services):

    # systemctl stop httpd
    # systemctl start httpd
    # _

    Change the default device timeout for slow file systems like btrfs with a lot of snapshots: (ArchLinux Wiki about Fstab)

    # grep timeout /etc/fstab
    LABEL=data7 /data7/ btrfs compress,noatime,x-systemd.device-timeout=0 1 2
    # _





    36. How do I change the Mac computer name, host name and NetBIOS-name?

    See also: What is my computer name in Windows?
    See also: How do I find the serial number on macOS?
    See also: How do I connect a private computer to the department network?
    See also: How do I install anti-virus software on macOS?

    In macOS, change the computer names in the system settings, in the Share (Delning) dialog.

    The university name standard begins with an identifier for each department and then a dash and a unique identifier. At BMC-IT and the departments we support we continue with the computer serial number like this:

    1. Begin with a TLA - the three letter acronym (Neuroscience - INV, Medical Biochemistry and Microbiology - IMB, Pharmaceutical biosciences - FBV, Medical Cell Biology - MCB, Uppsala Biomedical Centre - BMC, Public Health and Caring Sciences - IFV, etc)
    2. Then a dash -.
    3. Then the serial number, at most 11 characters (cut away the leading characters to keep the ones that are usually significant).
    4. The full computer name should be 15 characters or less, to avoid possible problems in old network sharing protocols like WINS. In a couple of years, when WINS is totally gone, this rule can most probably be ignored.

    The host name is however picked up from the DHCP-server. It is used as a prompt in the command line. With dynamic DHCP the IP and the host name may change from time to time. So to get a consistent hostname set it manually like this; in this example BMC-COVFEFE is used as hostname, but please use your own instead!

    The terminal may look like this:

    $ scutil --get HostName
    HostName: not set
    $ sudo scutil --set HostName BMC-COVFEFE
    Password:
    $ sudo scutil --set ComputerName BMC-COVFEFE
    $ sudo scutil --set LocalHostName BMC-COVFEFE
    $ scutil --get HostName
    BMC-COVFEFE
    $ scutil --get ComputerName
    BMC-COVFEFE
    $ scutil --get LocalHostName
    BMC-COVFEFE
    $ _

    Also check and set the NetBIOS-name. It may or may not be the same as the computer name and host name. The default is the same as the hostname but if this has been changed before it may be something else. Change it like this:

    The NetBIOS-name can be changed in the terminal as well like this:

    $ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server NetBIOSName BMC-COVFEFE
    $ defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server NetBIOSName
    BMC-COVFEFE
    $ _





    37. How do I set firewall rules in Linux to block SSH?

    See also: How to connect with VPN using AnyConnect in Windows
    See also: How do I connect to the VPN using Ubuntu?

    This is an example of how to set firewall rules in Linux. The iptables commands below first open incoming port 22/tcp (SSH) for the university network and then drop all other incoming traffic to that port.

    The first command (iptables) adds a rule (-A) to the input chain (INPUT) for protocol tcp (-p tcp) on the incoming (--destination-port) port for SSH (22) with a source (-s) in the university network (130.238/16), telling the firewall to accept the packets (-j ACCEPT).

    The second command just drops everything else.

    # iptables -A INPUT -p tcp --destination-port 22 -s 130.238/16 -j ACCEPT
    # iptables -A INPUT -p tcp --destination-port 22 -j DROP

    How to save the rules differs between distributions. In CentOS 7 I use the command service iptables save. In Ubuntu/Debian, install the package iptables-persistent and then run the command iptables-save > /etc/iptables/rules.v4. Reboot the computer to check that the firewall rules stick.

    To see the current firewall rules run this command:

    # iptables -L -n
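
    The order of the two rules matters because iptables acts on the first rule that matches. The following check is an added example, not part of the original FAQ: it reads a chain in the format printed by iptables -S INPUT and reports whether SSH is restricted as intended. The function names and the sample rule sets are constructed for illustration.

```shell
#!/bin/sh
# Added example: check the order of SSH rules in an INPUT chain.
# Input (stdin): rules as printed by `iptables -S INPUT`.
# Argument $1:   the network that is supposed to be let in.
# Output:  ok          $1 is accepted first and everyone else is blocked
#          open        a source outside $1 can still reach tcp/22
#          locked-out  tcp/22 is blocked before the ACCEPT for $1 is reached
# Limits: sources are compared as text, and rules with other matches
# (-i, -m state, multiport, negation) are skipped, not interpreted.
ssh_rule_verdict() {
    allowed=$1
    policy=ACCEPT   # built-in default when no -P line is present
    inside=         # first terminating target seen by the allowed network
    outside=        # first terminating target seen by every other source
    leak=no         # ACCEPT for some other specific source
    while read -r line; do
        set -- $line
        if [ "$1 $2" = "-P INPUT" ]; then policy=$3; continue; fi
        [ "$1 $2" = "-A INPUT" ] || continue
        shift 2
        applies=yes src=any target=
        while [ $# -gt 1 ]; do
            case $1 in
                -s)            src=$2 ;;
                -j)            target=$2 ;;
                -p|-m)         [ "$2" = tcp ] || applies=no ;;
                --dport)       [ "$2" = 22 ] || applies=no ;;
                --reject-with) ;;
                *)             applies=no ;;
            esac
            shift 2
        done
        [ "$applies" = yes ] || continue
        case $target in ACCEPT|DROP|REJECT) ;; *) continue ;; esac
        if [ "$src" = any ]; then
            : "${inside:=$target}" "${outside:=$target}"
        elif [ "$src" = "$allowed" ]; then
            : "${inside:=$target}"
        elif [ "$target" = ACCEPT ] && [ -z "$outside" ]; then
            leak=yes
        fi
    done
    # Traffic that matched no rule falls through to the chain policy.
    : "${inside:=$policy}" "${outside:=$policy}"
    if [ "$inside" != ACCEPT ]; then echo locked-out
    elif [ "$outside" = ACCEPT ] || [ "$leak" = yes ]; then echo open
    else echo ok
    fi
}

# Constructed samples in `iptables -S INPUT` format. RULES_GOOD is what the
# two commands above give on an empty chain (iptables prints 130.238/16 as
# 130.238.0.0/16); the others show the same rules reversed and without DROP.
RULES_GOOD='-P INPUT ACCEPT
-A INPUT -s 130.238.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP'
RULES_REVERSED='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 130.238.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT'
RULES_NO_DROP='-P INPUT ACCEPT
-A INPUT -s 130.238.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT'

# Helper: run the check on one sample for the university network.
check() { printf '%s\n' "$1" | ssh_rule_verdict 130.238.0.0/16; }

echo "as in the FAQ:  $(check "$RULES_GOOD")"
echo "reversed order: $(check "$RULES_REVERSED")"
echo "DROP missing:   $(check "$RULES_NO_DROP")"
```

    On a live host, feed it with iptables -S INPUT. Rules added with iptables filter IPv4 only, so run the same check on the output of ip6tables -S INPUT if the host has an IPv6 address.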

    Also, to limit which accounts can login via SSH you can use the AllowUsers keyword in /etc/ssh/sshd_config like this:

    AllowUsers myaccount

    To allow more users:

    AllowUsers firstaccount secondaccount

    Restart or reload sshd, or restart the computer, to use the new configuration for sshd.

    Read more about iptables at the Netfilter homepage.



    38. How do I configure my resolver on a Linux machine?

    See also: My Internet does not work! How can I find the problem?
    See also: How do I install Ubuntu?
    See also: How do I get deduplication to work in Linux?

    The university has a couple of resolvers which are referred to by resolver.uu.se.

    $ host resolver.uu.se
    resolver.uu.se has address 130.238.7.10
    resolver.uu.se has address 130.238.164.6
    resolver.uu.se has address 130.238.4.133
    resolver.uu.se has IPv6 address 2001:6b0:b:215:130:238:4:133
    resolver.uu.se has IPv6 address 2001:6b0:b:732:130:238:164:6
    resolver.uu.se has IPv6 address 2001:6b0:b:242:130:238:7:10
    $ _

    Historically the host name lookups in Linux were done by the resolver. No resolver was running and no cache existed locally on the machine. The resolvers were put in /etc/resolv.conf, either statically (manually) or via DHCP.

    The problem with this approach is that if the first in the list of external resolvers cannot be reached, the timeout defaults to 5 seconds with 2 attempts. This means that if the first server is down there will be a timeout of up to 2*5=10 seconds. When a resolver is failing, most things using the network will get slow and not work very well. This can be decreased but not eliminated by adding a shorter timeout to /etc/resolv.conf:

    options timeout:1 attempts:1 rotate

    Using dnsmasq as a forwarding resolver

    Another, better, solution is to run dnsmasq in Linux. Dnsmasq will get you:

    1. Faster failover.
    2. Local cache.
    3. A well behaved client using central resolvers. (No problems with split-DNS, firewalls or router filters)

    This is what it looks like in CentOS 7 when not using NetworkManager (most common on servers) and using DHCP. It will replace the first nameserver with the local dnsmasq. This works for a server always located on the UpUnet network.

    Here we also add the Google public resolvers. But please note, if you add those you cannot reach local split-DNS, like the Windows-domains or other local networks (RFC1918). Also check that you have access (not blocked by router filter or firewall) to the Google public resolvers before you add them.

    $ yum install dnsmasq
    $ echo 'resolv-file=/etc/resolv.dnsmasq' > /etc/dnsmasq.d/resolv.file
    $ echo 'DNS=127.0.0.1' >>/etc/sysconfig/network
    $ host resolver.uu.se | grep -v IPv6 | awk '{print "nameserver " $4}' >/etc/resolv.dnsmasq
    $ echo 'nameserver 8.8.8.8' >>/etc/resolv.dnsmasq
    $ echo 'nameserver 8.8.4.4' >>/etc/resolv.dnsmasq
    $ _

    If you are running a totally static setup without NetworkManager, you need to manually add the 127.0.0.1 resolver first in resolv.conf instead of adding it to the /etc/sysconfig/network configuration file.

    $ sed -i '1i nameserver 127.0.0.1' /etc/resolv.conf
    $ _

    Most clients use NetworkManager. For a client moving around between networks you need to get the recommended resolvers from DHCP but also insert the dnsmasq 127.0.0.1 resolver first. NetworkManager has built-in support for dnsmasq. Simply adding dns=dnsmasq to the [main] section and then restarting NetworkManager should solve it.

    [main]
    dns=dnsmasq

    Also check that dnsmasq does not have the option bogus-priv activated in /etc/dnsmasq.conf, otherwise queries about the local networks (RFC1918) will be blocked with the answer NXDOMAIN in dnsmasq. These are used in the university network so they should not be blocked between client and resolver. The default in CentOS 7 is to not have bogus-priv activated, which is fine. Otherwise, comment it out with:

    $ sed -i 's/\(^bogus-priv\)/#\1/1' /etc/dnsmasq.conf
    $ _


    Using Bind as a local resolver

    If you want to maximize reliability then nothing beats a local resolver. Just run BIND and set it up to only listen to the local machine (or local HPC cluster). On the university network, this usually requires openings in the router filters and perhaps firewalls in order to send UDP traffic in and out. Only do this if you do not want to pester the university resolvers with all your requests, like when you are running an HPC cluster connected to the USER-AD, doing statistics for a lot of webserver logs or something else similar.






    39. What should I think about when adding my own network printer?

    See also: How do I set up eduPrint for a Linux server?
    See also: What do the different symbols in BlueCat mean?
    See also: How do I use an Apple AirPort Time Capsule?
    See also: How do I use AddPrinterGUI to add printers in Windows 7/8/10 x64?
    See also: How do I add a macOS printer at IMBIM?

    Be aware that Uppsala University already has a central printing system, currently called eduPrint. Getting your own printer is in general counterproductive.

    1. The printer should in general be configured to use DHCP. In order for the printer to get an IP-address, the MAC-address should be added to the DHCP-server on the network. This is in general the central IPAM-system called Bluecat.
    2. Close down any older or unused protocols on the printer that are not in use, like telnet or FTP. No other services than those to be used should be open at the printer.
    3. Set up a local firewall on the printer and only allow the networks that should be able to print directly to the printer.
    4. Check that the manufacturer has working drivers or instructions for at least macOS, Windows and Linux (RHEL/CentOS).
    5. Check that the PostScript module is added to the printer. Double check this when the computer has arrived. This makes printing from macOS work better or, on some models, work at all.
    6. For scanning purposes, use the central mail server called smtp.uu.se. As the sender for the mail, use the receiver's own mail address or create a special account for this. The sender must be accepted at the university mail servers. People receiving mail will eventually reply to this sender so the behaviour should be known - do not send everything to a black hole for example.
    7. For searching use the catalogue LDAP-server at ldap.uu.se or maybe the Active Directory LDAP-servers at dc.user.uu.se. For the latter an account is needed for access so create a function account for this.
    8. Set up logging for the printer to syslog.uu.se using the syslog protocol.
    9. Set up a unique password for the department printers. Make sure the default passwords are removed. Make sure the IT-support knows about the passwords.
    10. Make sure to update the firmware on the printer regularly in order to follow normal security guidelines.




    40. How do I add a macOS printer at IMBIM?

    See also: What should I think about when adding my own network printer?
    See also: How do I change default settings for a printer in macOS?
    See also: How do I change default settings for a printer in Windows?

    Imbim has new printers since 2018-03-22. Users with macOS clients need to reinstall the printers. Remove old Imbim printers before installing new ones. Depending on your macOS version, you may need to install a printer driver before installing the printer. See instructions below.

    One of the old printers remains (D9:4). That printer can still be used as before, without any changes.

    Important! You need to be connected to the Imbim network via cable to print using these printers. If you're not, use the central printing system for the university, eduPrint!

    Remove an old printer
    • Click on "System Preferences..." in the Apple menu.
    • Click on "Printers & Scanners"
    • Click on the printer you wish to delete on the left side.
    • Click on the minus sign in the lower left corner and click on "Delete Printer".
    Install printer drivers
    Install a new Imbim printer
    Click on a link below to download an installation package for all or individual Imbim printers. Run the installation package by double clicking it and follow the on screen instructions.
    Change default settings for a printer
    Select your computer's OS below to view instructions for how to change the default settings for a printer.



    41. Which VLANs are at the campus BMC-router?

    See also: Some Cisco switch commands
    See also: How are the network sockets identified?
    See also: Who is resposible for what on the BMC network? Who can help me?

    This list was updated on 2018-04-25.

    IT-division has a tool called NetReg for looking up which IP-addresses belong to different VLANs and vice versa all over UpUnet. Contact Netsupport for access.

    IT-division is also running NetDB - Network tracking database, which does similar things to the Arptrack we are running at BMC. Just as for NetReg, please contact Netsupport for access.

    There is also another router pair at the BMC server room. Please check the Vlans at NetReg and NetDB mentioned above.

    VLAN number    VLAN name
    1 default
    2 Management
    3 Backbone
    4 Backbone-2
    50 WLAN
    660 FarmBio
    661 ILK-fkog
    662 MCB-instr
    663 Kemi-analyt
    664 Neuro
    665 ILK-anafarm
    666 Farmaci
    667 Ytbioteknik
    668 ILK-orgfarm
    669 eu-support
    670 Ludwig
    671 Struktbio
    672 LCB
    673 Medcellbiol
    674 IBG-kurs
    675 IMBIM
    676 Struktbio-internt
    677 Kemi
    678 BMC-Adm
    679 BMC-Gemensamt
    680 BMC-Data
    681 FKI
    682 BMC-Styr
    683 Ludwig-internt
    684 Bibliotek
    685 NatBiokemi
    686 ICM
    687 SLU-hgen
    688 Bioorgchem
    690 MedfarmDoIT
    691 SLU-mbv
    692 BMMS
    693 Neuro-micro
    694 Ventilation
    695 Netlogin
    696 BMC-Mediatek
    697 Medfarm-kansli
    698 Korint
    699 IBG-adm
    900 BMC-AD
    901 AKKIS-UU.225
    902 IHV
    903 HORS
    904 Pubcare
    905 AKKIS
    906 Farmbio-cluster
    907 BMC-signage
    908 ICM-MB
    909 IGP-Dumanski
    910 IGP-A
    911 IGP-B
    912 ICM-MB-IB
    913 ICM-MB-EN
    914 ICM-MB-IPMI
    915 Video-conf.
    916 MEDSCI-ARRAY
    917 IGP-UGC
    918 IGP-FUG
    919 UPPNEX
    931 Molmed-client
    932 Molmed-lab
    933 SciLifeAdm
    934 SciLifeLab
    935 Neuro-IPMI
    936 FarmBio-IPMI
    937 IGP-C
    938 IMV
    939 BMC-CAM
    940 BMC-PROJECTOR
    941 ISP
    942 RUD-Gemensamt




    42. What is ransomware and CryptoLocker?

    See also: Help me I get so much spam! What can I do?
    See also: My computer has got a virus! What do I do?
    See also: How to use the IBM Spectrum Protect (Tivoli Storage Manager aka TSM)
    See also: How do I use an Apple AirPort Time Capsule?
    CryptoLocker is a ransomware trojan that targets computers running Microsoft Windows.
    - Wikipedia on CryptoLocker

    CryptoLocker and TorrentLocker infect computers running Windows via seemingly innocent email with links or attachments. Other ransomware attacking Mac has appeared too.

    Read more about ransomware, TorrentLocker and CryptoLocker on Wikipedia.

    To be infected, the receiver has in most cases actively tried to open and execute the payload. The payload may be disguised as a Word-document, a script or something that gives the impression that it is innocent. Do not open files or attachments you have not requested!

    This (the example above in Microsoft Word) is not safe! Please be careful with Office files that require you to Enable Content. Enabling content may make it possible for evil macros to execute in Office, allowing the attacker to take control of your computer.

    This (the example above from Windows File Explorer) is an example of an opened .zip-file. .zip-files are not dangerous in themselves; a .zip-file is just a way of storing one or many files in one compressed file. But it may be a way to bypass other simple security checks. For example, the anti-virus software may warn when downloading an .exe-file but may not warn when downloading a .zip-file.

    This (the icon above) is an example of what a .js-file looks like in the File Explorer. This file will run with the Windows Script Host (wscript/cscript) and may download further potentially evil binaries. Windows Script Host will also run .jse and .wsf-files. Also note that with a long file name like faktura.pdf.js, File Explorer may hide the real extension and show the file as faktura.pdf, which is misleading. The real file name extension is hidden.
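
    The hidden-extension trick described above can be checked mechanically. The following is an added example, not part of the original FAQ: it classifies file names by their real (last) extension and flags script files that sit behind a document-looking one. The function names, the list of document-looking extensions and the sample listing are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify a file name by the extension Windows acts on.
# Prints one of: disguised-script | script | executable | archive | other
# The script-host extensions (js, jse, wsf) are the ones named in the text;
# the document-looking extensions are an assumption for this example.
classify_attachment() {
    # Base name, lower-cased, with trailing dots and spaces removed so that
    # "FAKTURA.PDF.JS " is judged the same as "faktura.pdf.js".
    name=$(printf '%s' "${1##*/}" | tr '[:upper:]' '[:lower:]' | sed 's/[. ]*$//')
    ext=${name##*.}                   # real (last) extension
    [ "$ext" != "$name" ] || ext=     # no dot in the name at all
    stem=${name%.*}
    inner=${stem##*.}                 # what shows when the real one is hidden
    [ "$inner" != "$stem" ] || inner=
    case $ext in
        js|jse|wsf)
            case $inner in
                pdf|doc|docx|xls|xlsx|txt|jpg|png) echo disguised-script ;;
                *) echo script ;;
            esac ;;
        exe) echo executable ;;
        zip) echo archive ;;
        *)   echo other ;;
    esac
}

# Read file names, one per line (for example the listing of a .zip), and
# print "verdict name" for every entry that would run when opened.
flag_listing() {
    while IFS= read -r entry; do
        verdict=$(classify_attachment "$entry")
        case $verdict in
            disguised-script|script|executable)
                printf '%s %s\n' "$verdict" "$entry" ;;
        esac
    done
}

# Constructed sample: the names inside an imaginary mailed archive.
SAMPLE_LISTING='faktura.pdf.js
readme.txt
bilder/semester.jpg
Setup.EXE'

printf '%s\n' "$SAMPLE_LISTING" | flag_listing
```

    The names inside a downloaded .zip can be checked the same way with unzip -Z1 file.zip | flag_listing.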

    Even though ransomware in itself can easily be removed, the files stay encrypted, waiting for a ransom to be paid in order to get the decryption key.

    How to not get infected

    • Do not execute programs or even open attachments that random people have sent you.
    • Please don't do it.
    • If you have any suspicions regarding something you received via mail contact helpdesk@bmc.uu.se (BMC-IT).
    • Please forward the evil mail to no-spam@uu.se. Then the Uppsala University Security Division may adjust the rules for the mail filter and network firewall.

    What to do if infected

    1. Turn the computer off.
    2. Contact your local IT (helpdesk@bmc.uu.se) for help.
    3. Forward the evil mail to no-spam@uu.se so that the Uppsala University Security Division may adjust mail filter and network firewall rules.
    4. Change your passwords at the university. Change all passwords for all sites that you have automatically saved in your browser.
    5. In general, reinstall the computer and restore data from backups or snapshots.

    Lessons to be learned from CryptoLocker

    • Use a file server with snapshots for storing data you do not want to lose. For example, the central university HNAS file server stores snapshots for up to a month by default.
    • Everything locally on the computer running in the same security context as the user is not safe.
      • This means that local previous versions / snapshots are not safe if the users can turn them off. But having these is better than not having them.
      • This also means that backups like Time Machine, Cobian or similar, where the system stores a copy of the files in another storage place, are not safe unless the backup storage is snapshotted outside of the user's security context.
      • If you store extra backups of your files on external USB-attached storage, do not keep it plugged in all the time. Keep a couple of them in rotation so that you can go back to an older version.
    • Already taken backups should not be allowed to be overwritten from the client. This can be accomplished by, for example, using snapshots on the backup storage, like on a file server.
    • Even more advanced backup systems like TSM may not be safe since they only store a limited number of versions of each file. If the ransomware encrypts the files and then makes some small updates to the files each day, then after the limited number of days has passed, all old uncorrupted versions will be gone.

    Also read more

    Read more from Europol's European Cybercrime Centre with friends at the No More Ransom! website.

    The Uppsala University Security Division has courses in basic information security (in Swedish). Each chapter takes just 2-4 minutes. There are 16 chapters in total.



    43. How do I configure IPMI for remote management?

    See also: Who is responsible for the network in the BMC server room?

    It is generally recommended to not expose the management interface for servers to the Internet. Not only do some computers come pre-configured with a default login and password, but the embedded software may have vulnerabilities that are not patched as fast as normal operating systems or in some cases are not patched at all.

    Most servers with IPMI can change the IPMI out-of-band communication to go via a dedicated network. This is usually done in BIOS. Use a dedicated network or dedicated VLAN for this. In order to not let the servers expose themselves to each other, use the Private VLAN (protected ports) feature in the switches. Read about Private VLAN in Wikipedia.

    This is how to get the current settings in Linux:

    ipmitool lan print

    Change to using DHCP instead of Static:

    ipmitool lan set 1 ipsrc dhcp

    Setting the LAN MAC Address:

    ipmitool lan set 1 macaddr 00:25:90:12:34:56

    Supermicro

    Some Supermicro servers come pre-configured with failover IPMI, meaning that the out-of-band communication for IPMI will share the same network connection as the server is normally using.

    This is quite unsafe and will expose IPMI with default login and password via the normal network. This can be changed by running these commands in Linux:

    Dedicated:

    ipmitool raw 0x30 0x70 0x0c 0x01 0x00

    Shared with LAN1:

    ipmitool raw 0x30 0x70 0x0c 0x01 0x01

    Failover:

    ipmitool raw 0x30 0x70 0x0c 0x01 0x02

    Even with correct router filters the management interface is not protected from traffic originating in the same VLAN. In addition to router filters blocking all traffic (except to clients using the management console), also set up a local firewall in the management interface, for example by following these instructions.
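
    The two exposure checks from this section as an added example (not part of the original FAQ): it takes the Supermicro LAN-mode byte and the text printed by ipmitool lan print and lists what needs attention. The function names and the sample output are constructed; reading the mode with ipmitool raw 0x30 0x70 0x0c 0x00 is an assumption, since the page only shows the set commands.

```shell
#!/bin/sh
# Added example: review one server's IPMI exposure from two inputs.
#   $1     LAN-mode byte: 00 dedicated, 01 shared with LAN1, 02 failover
#          (the values the set commands above write). Assumption: it is
#          read back with `ipmitool raw 0x30 0x70 0x0c 0x00`.
#   stdin  the text printed by `ipmitool lan print`
# Prints one finding per line and nothing when both checks pass.

# Succeeds when $1 is an RFC1918 (private) IPv4 address.
is_rfc1918() {
    case $1 in
        10.*|192.168.*) return 0 ;;
        172.*)
            second=${1#172.}; second=${second%%.*}
            [ "$second" -ge 16 ] && [ "$second" -le 31 ] ;;
        *) return 1 ;;
    esac
}

ipmi_findings() {
    # ipmitool prints raw replies as " 02"; accept that, "0x02" and "02".
    mode=$(printf '%s' "$1" | tr -d ' ' | sed 's/^0x//')
    case $mode in
        00) ;;
        01) echo "lan-mode: shared with LAN1, IPMI answers on the normal network" ;;
        02) echo "lan-mode: failover, IPMI can share the normal network connection" ;;
        *)  echo "lan-mode: unknown value '$mode'" ;;
    esac
    # "IP Address Source" must not match, only the "IP Address" line.
    addr=$(sed -n 's/^IP Address  *: *//p' | head -n 1)
    if [ -z "$addr" ] || [ "$addr" = 0.0.0.0 ]; then
        echo "address: not configured"
    elif ! is_rfc1918 "$addr"; then
        echo "address: $addr is not an RFC1918 address"
    fi
}

# Constructed sample of `ipmitool lan print` output; 192.0.2.10 is a
# documentation address standing in for a public one.
SAMPLE_LAN_PRINT='IP Address Source       : DHCP Address
IP Address              : 192.0.2.10
Subnet Mask             : 255.255.255.0
MAC Address             : 00:25:90:12:34:56'

printf '%s\n' "$SAMPLE_LAN_PRINT" | ipmi_findings " 02"
```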




    44. I need a new subnet and a new VLAN!

    See also: We have a server, where should we put it?
    See also: What Internet bandwidth does the university have?
    • For networks connected to the BMC-hall-routers (in the BMC D11:0 server room) contact UUIT Netsupport.
    • For networks connected to the BMC-routers (everywhere else in BMC) contact helpdesk@bmc.uu.se.
      1. First find out how many IP addresses you need (remember to fix DNS and perhaps DHCP).
      2. Then contact BMC-IT to see if there are any spare ranges.
      3. Together with BMC-IT, contact UUIT Netsupport to get a new assignment.




    45. Who is responsible for the network in the BMC server room?

    See also: We have a server, where should we put it?
    See also: Open the server room for me please
    See also: Which VLANs are at the campus BMC-router?
    See also: How do I configure IPMI for remote management?

    Physical Network

    Netsupport is responsible for the server room routers, the inter-rack connections and usually the top-of-rack switches.

    For the IP-layer there are several different options on how to setup the network.

    Currently the top-of-rack switches are usually connected with dual 1 Gbit/s connections to the server room routers (BMC-hall-routers). If there is a need for higher network connectivity please discuss with Netsupport.

    Securing the management networks

    Management ports for IPMI, LoM, RAID-controllers, dedicated NAS, etc are quite hard to get secure. In particular IPMI may use a side-band management LAN connection. And some management controllers run their own operating system, complete with their own security problems and default passwords... This all means that the management ports have to be protected not only from the outside but maybe also from other management ports if they are located on the same network, so that an attacker cannot jump between compromised systems over the management network.

    Keeping every management controller on its own VLAN of course solves this, but it uses too many VLANs and is too hard to manage.

    On the BMC-IT management network in the server room (called BMC-hall-IPMI) we are using the private VLAN (protected ports) feature in the switches to protect the management controllers from talking to each other. This is an RFC1918 network and incoming traffic there is restricted to the workstations meant for this management.

    Good Option one - your own network

    This option is good if you have a lot of servers in the server room, perhaps your own rack with equipment.

    The users of the server room may, if needed, order their own VLAN and subnet. This VLAN will only be available in the BMC server room. Contact and discuss this with Netsupport.

    BMC-IT will for their own servers (that BMC-IT do system administration for) have two VLANs, one network for the servers and one for the management.

    Good Option two - the shared networks

    This option is good if you need to put a single server or perhaps a small number of servers in the server room.

    There are two shared networks, currently (2016-09-15) Vlan956 Public_servers_ACLed and Vlan962 Public_servers_open, which are meant for shared usage in the BMC server room, for activity that does not require its own VLAN.

    Please note that neither of these two networks has DHCP-servers activated, neither static DHCP nor dynamic DHCP. You need to set a static IP on the server without using the DHCP-server.

    The BMC-hall function at the IT-division (UUIT) and BMC is responsible for allocating IP-ranges in this network.

    The normal procedure at the university is that those managing a network are also responsible for managing the router filter (via Netsupport), perimeter firewall (via Security and safety division), DNS and DHCP (via IPAM or UUIT/Domainmaster).

    But in this network the IP-ranges have been allocated to different users in different parts of the university organisation. Each individual system administrator using the different IP-ranges is responsible for their own activity in the IP-ranges they have been allocated. This responsibility includes managing changes in the router filter and the perimeter firewall. It also includes managing DNS and DHCP via UUIT/Domainmaster.

    Bad Option three - the BMC network

    It is possible, but Not Recommended to attach equipment to the VLANs in BMC in the server room. The switch in one of the BMC-IT racks is connected with a single 10 Gbit/s to the campus router in BMC (BMC-campus-router). Discuss this with BMC-IT. Responsible for that VLAN is the Local IT for that VLAN (which may or may not be BMC-IT).

    The only reasons we have seen for this is for example when handling old equipment with IP-related access control or using Bonjour-based services on Mac which work best over a single VLAN/Subnet.

    It is very important to not connect equipment to both the BMC-router and the BMC-hall-routers at the same time since this may lead to STP-renegotiation which will mess up the network. Don't do this.

    Bad Option four - dedicated network for a specific VLAN

    It is possible, but Not Recommended, to use a dedicated network to connect to a VLAN somewhere else in the university (or SLU) too. This is only meant for shorter periods, for example during migration from one server room to another. Discuss this with UUIT/Netsupport. This configuration is only meant for a limited amount of time during a migration.

    This is bad in several ways:

    • Less availability. The network will depend on not only the server room functioning (power, cooling) but also the network in the other end (power, router, switches) where the dedicated connection terminates.
    • Complicated network. The stranger the network setup is, the harder it is to maintain in the long run.
    • Limited amount of fiber. The university has a limited amount of dedicated fiber. New fiber between campuses is quite expensive.
    • Risk of network loops. There is a risk of STP-renegotiation when connecting networks from different routers together. This may lead to longer or shorter total network outages.

    It is very important to not connect equipment to both other routers and the BMC-hall-routers at the same time since this may lead to STP-renegotiation which will mess up the network. Don't do this.






    46. There is no wired network here - what to do?

    See also: Who is resposible for what on the BMC network? Who can help me?

    Is your room running out of network sockets? Here are your options.

    This usually happens when a room was planned for less persons than currently are using it.

    • Use the wireless network
      This may not be an option because of low bandwidth and coverage. The wired network is usually more reliable than the wireless.
    • Use a long cable
      Figure out where the closest wired network socket is located and use a long cable. Do not do this excessively - try to keep the network cables in the same room.
    • Split the network socket
      It is possible to split a network socket (8 wires) into two (with 4 wires). This only works for fast ethernet (which is only using 4 wires) and not gigabit ethernet (which is using 8 wires). (The network connection has to be split both in the cross connect cabinet and at the network socket.)
    • Get a small switch
      We usually do not prefer a lot of small switches around in the building since it makes problems in the network quite messy to find. But using switches on the desk, where a single person or desk is using the switch and is aware that the switch exists, is usually fine. Do not use long cables from desktop switches to another desk.
    • Order a new socket
      A new double network socket costs around 3000 SEK but is cheaper when ordering more at the same time.




    47. How do I uninstall the Zenworks agent?

    See also: What is ZENworks? How to I install applications via ZENworks application window?

    Zenworks is used for these major reasons:

    1. Do automatic installation of software and settings when the computer is deployed. Some of the effort in this is shared all over the university.
    2. May be used for remote interactive control by user request.
    3. Self-service installation of software by the users, even without local administrator privileges, and far away from the university network over the Internet.
    4. Do inventory. This may save a lot of time when we really need to find out exactly how many copies of a certain program are installed on the computers.

    The load from the Zenworks agent is small on a modern computer, but if the computer is very old and slow there is a chance of noticing a performance impact. In this case you might want to uninstall the Zen agent even though this will increase the load on your local IT-support. There are often other, better ways of speeding up the computer:

    1. Make sure the computer has enough RAM. Upgrade to at least 8 GB RAM so that all programs fit in memory.
    2. Replace HDD with SSD. Solid state drives are a lot faster than rotating hard disk drives.
    3. Reinstall Windows. Windows-computers seem to get slower and slower over time. An extreme example was Windows Update in Windows XP that got glacially slow over time. This has been improved with later versions of Windows but it still exists.

    In the Zenworks console

    Anyway. The Zenworks agent is protected from uninstallation by the settings in Zenworks. A system administrator (contact helpdesk@bmc.uu.se) has to open the client in the Zenworks console, open Settings, open Device Management, open Zenworks Agent, choose Override the System settings and enable the option Allow users to uninstall the ZENworks Adaptive Agent.

    On the computer

    1. You have to be local administrator on the computer.
    2. Refresh the Zenworks agent in the task bar.

    3. Then on the computer open Programs and Features

    4. Find the Zenworks client and choose uninstall.

    5. Check the box Local uninstallation only.

    6. Do not keep anything. Do not retain CASA.

    7. Ok, go ahead...

    8. Wait for the Zenworks Uninstaller to complete.

    9. It will probably complain about not being able to remove everything, but just go ahead and restart when done.

    10. Uninstall done.




    48. What is the point with the zone files.uu.se?

    See also: What is Rrsync (restricted rsync)? How do I access PCFS storage over rsync?
    See also: How do I access PCFS over SMB using smbclient?
    See also: How do I mount my home directory or shared storage at HNAS?

    The initiative for the domain files.uu.se was taken in 2015-05 by BMC in order to get aliases to file server shares with unique names.

    For example, the file server share is named with the TLA-SHARENAME, like INV-Common. Then the CNAME will be TLA-SHARENAME.files.uu.se or INV-Common.files.uu.se pointing to the current file server where the share is located.

    The reasoning behind this is the following:

    1. Get a unique name in DNS for each file server share. This will facilitate migration of file server shares to new servers.

      We (the university) had a lot of trouble with the migration from the old NetApp file server to the new HNAS file servers. This zone, with an extra level of abstraction in front of the real file server names, was intended as a proactive way of eliminating one part of the problem in preparation for the next file server migration. It also makes it easier for those users (research groups or departments) that wish to or have to move their share from one storage system to another.

    2. Make it work for all operating systems. There is a function in the Microsoft Active Directory (with a similar goal) called DFS that puts all file server shares in a single name space. This, however, does not work all the time in all operating systems, like non-AD connected Windows-clients, macOS (not all of the time) and Linux (it depends a lot on the configuration; it does not work, for example, in Ubuntu out of the box).
    3. Network agnostic. Get access to the servers even from other networks where needed when the USER-AD (user.uu.se) is not accessible due to split DNS and access restrictions, like UAS, SLU, UPPMAX, HPC-centers in Sweden and maybe mobile data. It is also not a requirement to use the university resolvers; it should work even if the local resolvers are down.




    49. How are the network sockets identified?

    See also: Which VLANs are at the campus BMC-router?
    See also: What Internet bandwidth does the university have?
    See also: My Internet does not work! How can I find the problem?
    See also: Who is responsible for what on the BMC network? Who can help me?
    See also: What is the name standard for network equipment on BMC.

    This is a double socket. The identifiers are written together on a sticker on the socket. This is how to decipher them:

                    Network socket identifier    Cross connect cabinet identifier
    Left socket     B1.216:05                    C1-D202-01-03
    Right socket    B1.216:06                    C1-D202-01-04

    These numbers mean that the socket is located at the B1:216 beam in the B1:2 corridor. The cross connect cabinet serving this network socket is located in C1:2, in this case in the rack called C1-D202, panel number 1, sockets number 3 and 4.

    Some of the sockets have room numbers instead of beam numbers where the beam numbers are not applicable.



    50. What service levels does BMC-IT have compared to others at the university?

    See also: Who manages IT-support for whom at BMC?
    See also: How do the different types of storage compare to each other?
    See also: What Internet bandwidth does the university have?
    See also: What is the cost of a PC file server?
    See also: What is the BMC-IT computer platform and how does it work?

    The different organisations at the university have different levels of service in order to fulfil their missions in a cost-efficient way.

    UUIT (IT-division) provides highly available services for the whole university.

    BMC-IT is focused on providing great services for the people at the campus and is trying to keep it simple and durable.

    UPPMAX is providing the best high-performance computing environment available, but is neither focused on high-availability nor user-focused service (not the individual users, but as a collective of course).

    Service UUIT BMC-IT UPPMAX
    Server room cooling Redundant with backup (BMC-hall) Non-redundant
    Server room fire extinguisher Yes Yes
    Server room power Dual redundant UPS. Backup diesel power generator. Dual power to each rack. Non-redundant, UPS on critical systems
    Server room network Redundant routers, in general non-redundant top-of-rack switches but redundant etherchannel to clients via flexstacked switches also available Non-redundant (redundant core network)
    Server room stand-by personnel in-house Yes No
    Server room stand-by personnel external technician (power, cooling) Yes
    Stand-by decision making personnel, possible to order in technical personnel Yes No No
    Stand-by technical personnel No No No
    Vacation spread out so that somebody always on duty during work hours Yes Yes Yes
    All systems maintained by a group (not individuals) Yes Usually, but with a primary responsible person and contact Yes (Primary and secondary contact)
    Somebody among the contacts or responsible for a service always on duty. (Not on vacation at the same time) Yes No No
    Redundant storage systems which handle partial failure gracefully Yes (HNAS) Yes
    Simple and small storage system with faster full restore No Yes (PCFS) No
    Maintenance window adapted to individual user groups No Yes No




    51. How do I activate group membership in AKKA?

    See also: Who is an employee and who is a student at the university?

    AKKA can control whether a user gets membership in the AKKA-group of their group.

    For example, a person employed at the BMC campus management will get membership in the group called AKKA - SI29_9 in USER-AD.

    This group controls access to network home directories for the department, shared folders for the group and automatic shared areas in Medarbetarportalen.

    1. You must be personal manager for the department.
    2. Get permission from the responsible person for the group. Group membership may give access (read-write) to research data belonging to the group.
    3. Find the user in AKKA. Check current status.

    4. Check the box gruppmedlemsskap





    52. What is the cost of a PC file server?

    See also: How do the different types of storage compare to each other?
    See also: We need more storage! Do you have a file server we can use?
    See also: What service levels does BMC-IT have compared to others at the university?
    See also: We have a server, where should we put it?

    Please note! BMC-IT has a PC storage solution service. Read more in the SOP - Common service PC file server. Also note that for home directories we recommend using the IT-division HNAS file server.

    These are examples of the costs of buying and maintaining a PC file server. The example below includes a server from Supermicro and one from HP. HP includes on-site support, Supermicro does not. Please note that TSM-backup is not included in these figures! (Prices updated in September 2016.)

    • Very cheap: Good for lots of data when the price has to be low.
    • Acceptable speed: Good bandwidth - can receive and send 1 Gbit/s (or 10 Gbit/s with appropriate network and multiple clients). Since the drives are rotating HDDs, the latency is higher and the IOPS are lower than with SSDs. But it works fine with large files.
    • Low availability: BMC-IT in general only does support during office hours. If the PC server totally breaks down (it may happen!) it will take some time to get service or spare parts or to restore from backups. Compare this with the IT-division HNAS file server, which has built-in redundancy.
    • Linux and Active Directory: These examples use Linux (preferably CentOS 7) as the operating system, connect to the university Active Directory and work as a file server using Samba. More complex setups than this may need extra time to set up and maintain. For example, running a Windows server instead of Linux requires extra costs for licenses.

    This is a Supermicro file server with enterprise drives. Includes ship-in support from Southpole.

    Normal HP file server with enterprise drives, three year next business day on-site support from HP.

    This is a Supermicro file server with archive drives.

    Cost of a rack unit per year: 1250 (full rack) or 2000 (single machine) SEK
    Number of rack units in the server room (if no new space is needed, set a 0 here): U
    Cost for the server with no drives: SEK
    The number of drives: drives
    Size of the drives: TB
    Number of years to run the server (warranty): years
    Cost of each drive: SEK
    The number of working hours spent each year (system administration and support): h/year
    The cost of a working hour: SEK/h
    The part of the raw storage that is usable (RAID6 (two parity drives) on five drives equals 0.6): usable storage factor

    Purchase cost SEK.

    Raw storage TB.

    Usable storage TB.

    Yearly cost SEK/year over years (includes everything)

    Cost for raw disk SEK/TB/year.

    Cost for usable storage SEK/TB/year.

    Two identical file servers (one for backup using snapshots / shadow copy) would cost SEK/TB/year

    Two servers (as above) and a cold standby (no drives) would cost SEK/TB/year





    53. How do I use offline files?

    See also: How do I access my home directory?
    See also: How do I change Windows offline files disk usage?

    What are offline files?

    Short story: It lets you always have access to your files even when not connected to the file server at the Uppsala University network.

    Long story: Windows has a feature for making files on a file server available offline even when the connection to the file server is lost. The client stores the files in an offline cache. Changes made to a file while offline are stored locally. When the computer or server is back online the data is synced to the server. This works well for files that a single user changes but not so well for shared folders where different users make changes to the same files.

    Enable offline files

    1. New computers installed and maintained by BMC-IT have offline files already enabled.

    2. In the start-menu, type offline to find and start Enable offline files. On this computer the administrator (BMC-IT) has already activated it.

    3. In the Offline Files window, click on Enable offline files.
    4. Restart computer for the changes to take effect.

    Make files or folders available offline

    1. The default settings make the redirected folders always available offline. This includes Desktop, My documents, AppData etc. This covers normal use, when all data is saved in these locations.

    2. It is possible to get other folders in the home directory available offline. In Explorer, right click on a folder or file and then choose Always available offline.
    3. The shared folders with other users should not be used with offline files. It is technically possible but may lead to conflicts.

    View offline files

    1. In the window Offline files (see above) choose the button View your offline files.

    2. Here is a representation of all files available offline. Enter the different directories to see what has been picked up.

    Keeping an eye on what's going on

    1. Open the task bar notification window for offline files. It looks like a green recycle circle.

    2. Right click to, for example, View conflicts.

    3. Since the notification did not show a warning there are no conflicts:

    Conflicts and how to handle them!

    1. However, we can provoke a conflict.
      1. Go offline by pressing Work offline in the file explorer.

      2. Change a file on your computer.
      3. Change the same file on another computer.
      4. Then Work online again on your computer.

      5. The status notification should now show a conflict:

      6. The View Conflicts dialog now shows the file where there is a conflict:

      7. Right-click on the file and choose View options to resolve... and Windows tries to help with what to do:

      8. Keeping both versions makes both show in the file explorer:





      54. How to use WinSCP to access files over SCP on Windows

      SCP is encrypted, making this a relatively secure way to access files even from home or over WLAN (wireless network).

      1. Download and install WinSCP from http://winscp.net/eng/download.php or open it in ZENworks application Window.
      2. Login on the server, in this example neuro-l2.neuro.uu.se using your username and password A.

      3. Accept the host key.

      4. Access your files. This is your home directory. If this is on a file server where the group stores data, you should not put stuff here.

      5. Change directory into the share for your group. On this particular server the shares are located in /data/hl, /data/kl2 etc. Go here by clicking on the / in the location and then on data.

        Or click on this little icon first and then on data.





      55. How do I activate my Office using KMS?

      See also: How do I start an elevated command prompt (as administrator) in Windows?
      See also: How do I force activation of Windows 10 using KMS?

      Microsoft Office 2010, 2013 or 2016 on Windows 7 or Windows 10 connected to the USER-AD, the university Active Directory (using the university accounts), should automatically activate on the university network.

      If it does not work or if the computer is not part of the Active Directory, follow these steps:

      1. Connect computer to the wired network at your department.
      2. Start an elevated command prompt window - run cmd (command prompt) as administrator. Please see the FAQ How do I check if I am a local administrator in Windows? on how to do this.
      3. Enter the Office installation directory:
        Office 2010 (32-bit): type cd c:\Program Files (x86)\Microsoft Office\Office14
        Office 2013 (32-bit): type cd c:\Program Files (x86)\Microsoft Office\Office15
        Office 2016 (32-bit): type cd c:\Program Files (x86)\Microsoft Office\Office16
        Office 2016 (64-bit): type cd c:\Program Files\Microsoft Office\Office16
      4. Run the activation script:
        1. First try to run the command cscript ospp.vbs /act. (Read more about this here: Tools to manage Office 2013 volume activation.)
        2. If the computer cannot find the KMS-server (you may be behind NAT in a virtual machine) you can try the command: slmgr /skms kms.user.uu.se first and then the command slmgr /ato to activate (Windows) or cscript ospp.vbs /act (just Office).

          To find the correct host (currently 2016-05-30 kms.user.uu.se) follow these instructions: How to discover Office and Windows KMS hosts via DNS and remove unauthorized instances

      5. Close the command prompt window.
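
      Steps 3 and 4 as a PowerShell script, added here as an example and not part of BMC-IT's own tooling. Before activating, it compares the KMS hosts advertised in DNS with the expected one; the zone name user.uu.se used for the SRV lookup and the parameter names are assumptions.

```powershell
# Added example, not BMC-IT's script. Run from an elevated PowerShell prompt.
param(
    [string]$ExpectedKms = 'kms.user.uu.se',  # host named in the FAQ (as of 2016-05-30)
    [string]$DnsZone     = 'user.uu.se'       # ASSUMPTION: zone that publishes the SRV record
)

# KMS clients auto-discover their host through _vlmcs._tcp SRV records in DNS.
$srv = @(Resolve-DnsName -Name "_vlmcs._tcp.$DnsZone" -Type SRV -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'SRV' })

if ($srv.Count -eq 0) {
    # Typical behind NAT, in a virtual machine or with split DNS (see step 4.2).
    Write-Warning "No KMS SRV record visible from this network; the manual fallback in step 4.2 applies."
}

# Any advertised host other than the expected one is reported and blocks activation.
$unexpected = @($srv | Where-Object { $_.NameTarget.TrimEnd('.') -ne $ExpectedKms })
if ($unexpected.Count -gt 0) {
    $unexpected | Format-Table NameTarget, Port, Priority, Weight | Out-Host
    throw "DNS advertises a KMS host other than $ExpectedKms; not activating."
}

# Office installation directories listed in step 3 of the FAQ.
$officeDirs = @(
    'C:\Program Files (x86)\Microsoft Office\Office14',
    'C:\Program Files (x86)\Microsoft Office\Office15',
    'C:\Program Files (x86)\Microsoft Office\Office16',
    'C:\Program Files\Microsoft Office\Office16'
)
$ospp = $officeDirs |
    ForEach-Object { Join-Path $_ 'ospp.vbs' } |
    Where-Object { Test-Path $_ } |
    Select-Object -First 1
if (-not $ospp) {
    throw 'ospp.vbs not found in any of the listed Office directories.'
}

# Activate Office, then show the resulting licence state and the KMS host in use.
& cscript.exe //NoLogo $ospp /act
& cscript.exe //NoLogo $ospp /dstatus |
    Select-String -Pattern 'LICENSE NAME', 'LICENSE STATUS', 'KMS machine'
```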

      If an old version of Windows in some way managed to block the new installation, then run the EasyFix uninstall tool from Microsoft:

      1. Uninstall Office 2016, Office 2013, or Office 365 from a PC using the easy fix tool (Really useful if you have a Surface Pro or any other new computer with pre-installed Office 365 that you want to get rid of!)
      2. Uninstall or remove Office

      It is possible to do a manual uninstall of Office





      56. Add a printer in Ubuntu 14.04

      See also: How do I install Ubuntu?
      See also: Print using UserCode for Ubuntu
      1. Find System Settings.

      2. Open System Settings

      3. Open Printers in System Settings

      4. Add a New Printer

      5. Expand the Network tree and see if it is browsable. Choose a way to connect. It usually does not matter. If the printer has dynamic DHCP (different IP from time to time) then use DNS-SD (Bonjour).

      6. The correct drivers are found automatically for many printers, but if not, see if you can find the printer in the driver database. You need to know:
        • Manufacturer
        • Model
        • Perhaps the IP-address of the printer

      7. If not found automatically, pick Maker

      8. If not found automatically, pick Model

      9. Give it a name. We recommend room number and model.

      10. Ok! Let's go! Print Test Page and press Ok.

      11. Done!

      This documentation is covered by GNU Free Documentation License.