Frequently Asked Questions - BMC-IT

  1. How do I do parallel rsync? (2020-02-27)
  2. How do I find specific files like the last updated, the one with the longest file name, or the largest one? (2020-01-27)
  3. What should be done to introduce a new system administrator at BMC? (2019-07-10)
  4. How do I use Eduroam, the wireless network, in Windows? (2019-06-12)
  5. Is Java free or do I need a license? (2019-06-05)
  6. How to use the IBM Spectrum Protect (Tivoli Storage Manager aka TSM) (2019-05-29)
  7. How do I force activation of Windows 10 using KMS? (2019-05-03)
  8. How do I print on EduPrint with LPD on Windows 10? (2019-04-26)
  9. What are your plans for a common client network configuration? (2019-03-22)
  10. How do I install anti-virus software on macOS? (2019-03-18)
  11. How do I access my scans for eduPrint in Linux? (2019-03-11)
  12. How do I map a network drive via SMB on Windows? (2019-03-08)
  13. We have a server, where should we put it? (2019-02-25)
  14. My Internet does not work! How can I find the problem? (2019-02-08)
  15. What is VPN? (2019-02-05)
  16. How do I send bulk mail? (2019-01-25)
  17. Where do I store my data? How do I take backup? (2019-01-22)
  18. How do I mount my home directory or shared storage at HNAS? (2018-12-21)
  19. What is the name standard for network equipment on BMC. (2018-11-13)
  20. How do I start an elevated command prompt (as administrator) in Windows? (2018-11-09)
  21. What Internet bandwidth does the university have? (2018-11-08)
  22. Connect to eduroam using iPhone with iOS 10 (2018-10-04)
  23. How do I use an Apple AirPort Time Capsule? (2018-10-04)
  24. Are there any desktop phones using the mobile network? (2018-09-12)
  25. How do I install Ubuntu? (2018-09-06)
  26. How do I connect to the VPN using Ubuntu? (2018-08-13)
  27. How do I install Adobe CC Complete (Photoshop, Illustrator...) in Windows? (2018-06-11)
  28. What fun things can I do with Systemd in Linux? (2018-06-04)
  29. How do I change the Mac computer name, host name and NetBIOS-name? (2018-06-04)
  30. How do I set firewall rules in Linux to block SSH? (2018-06-04)
  31. How do I configure my resolver on a Linux machine? (2018-06-04)
  32. What should I think about when adding my own network printer? (2018-05-31)
  33. How do I add a macOS printer at IMBIM? (2018-05-22)
  34. What is ransomware and CryptoLocker? (2018-03-23)
  35. How do I configure IPMI for remote management? (2018-03-20)
  36. I need a new subnet and a new VLAN! (2018-01-19)
  37. Who is responsible for the network in the BMC server room? (2018-01-19)
  38. There is no wired network here - what to do? (2017-12-19)
  39. How do I uninstall the Zenworks agent? (2017-12-14)
  40. What is the point with the zone (2017-12-07)
  41. How are the network sockets identified? (2017-10-26)
  42. How do I activate group membership in AKKA? (2017-08-21)
  43. What is the cost of a PC file server? (2017-06-02)
  44. How to use WinSCP to access files over SCP on Windows (2017-03-31)
  45. Add a printer in Ubuntu 14.04 (2015-06-04)

1. How do I do parallel rsync?

See also: How do I use the UUPEL repository?
See also: What is Rrsync (restricted rsync)? How do I access PCFS storage over rsync?
Doing a normal rsync is quite simple. In the example below the files are copied from a remote server to a local directory. The flag -a is for archive, -v is for verbose and --progress just shows what is going on.

If you know you have hard links, access control lists, extended attributes or sparse files you may want the flags -HAXS as well. This is usually not the case.

rsync -av --progress username@server:/directory/. /local/directory/.

This rsync is however done by a single process and may hit bottlenecks in, for example, single CPU core performance, file system metadata latency or single process network transfer. Running several rsync processes in parallel may improve performance.

To do parallel rsync initiating from sender (pushing data), use the command parsync - a parallel rsync wrapper for large data transfers. Parsync has been packaged in the UUPEL repository.

parsync --maxload=16 --NP=12 --startdir=/tank/MOL-EXTBMC EXTBMC root@bmc-pcfs3:/tank/

In this example the directory EXTBMC in the directory /tank/MOL-EXTBMC will be synced to the host bmc-pcfs3 into the destination directory /tank/.

Doing a parallel rsync initiated from the receiver (pulling data) is harder. One way of solving this is to:

  1. Do an initial rsync deleting all files and directories to be deleted.
  2. Sync all directories and no files.
  3. Parallel sync of all directories syncing the files in each directory.
  4. Do a final rsync.

U=username
H=host
SRC=/source/directory
DST=/destination/directory
# Delete everything that is supposed to be deleted.
rsync -r --delete --existing --ignore-existing $U@$H:$SRC/. $DST/.
# Sync directories but no files.
rsync -a -f"+ */" -f"- *" $U@$H:$SRC/. $DST/.
# For every directory, sync the files in that directory. Run 10 in parallel.
# find must run inside the destination tree so that the relative paths match.
cd $DST || exit 1
find . -type d -print0 | xargs -P 10 -I {} -0 rsync -vlptgoxSH $U@$H:$SRC/{}/\* $DST/{}/.
# Run a final sync with delete to make sure everything is ok.
rsync -aSH --delete $U@$H:$SRC/. $DST/.

2. How do I find specific files like the last updated, the one with the longest file name, or the largest one?

See also: How do I compare the content of two directories?
These tools work on Linux (Ubuntu/CentOS/etc) and probably on macOS too.

Find the most recently updated file

Here is a small script that displays the most recently updated files in a directory. In the example this FAQ entry was the most recently updated!

$ find . -type f -print0 | xargs -0 -P 1 stat --format '%Y :%y %n' | sort -nr | cut -d: -f2- | head -3
2018-04-27 08:55:47.517999369 +0200 ./last.updated.file.txt
2018-04-27 08:54:07.277999790 +0200 ./last.updated.file.txt~
2018-04-27 08:51:50.658000281 +0200 ./compare.directories.txt
$ _

Find the most recently accessed file

This small script does the same, but looks for the most recently accessed file instead.

Please note that this may or may not work on different file systems. For example, a network file system may be mounted noatime, which means that the last accessed information is not stored. Storing it requires a metadata write for every accessed file, which affects performance.

$ find . -type f -print0 | xargs -0 -P 1 stat --format '%X :%x %n' | sort -nr | cut -d: -f2- | head -1
2020-01-27 09:30:03.320448622 +0100 ./#last.updated.file#
$ _

Find the number of files and the file with the longest file name

This little script displays the number of files in the current directory, the character length of the longest file name and the name of that file. In this example there were in total 219 files, and the longest file name, 49 characters including the path, was ./

$ find . -type f | awk 'BEGIN{N=0} {N=N+1; if ( length > L ) { L=length ;s=$0 } }END{ print N" "L" "s }'
219 49 ./
$ _

Find the files with the longest file names

This little snippet just prints the files with the longest names:

$ find . -type f | while IFS= read -r ; do echo "${#REPLY} $REPLY" ; done | sort -nr | head -3
45 ./
33 ./
30 ./win.default.printer.settings
$ _

Find the largest files

This will list the largest files. It prints a list of all files, in parallel does a stat on them, sorts the list and then prints the largest ones.

$ find . -type f -print0 | xargs -0 stat -c "%s %n" | sort -rn | head -3
23637 ./network.8021x
20285 ./platform
18051 ./
$ _

3. What should be done to introduce a new system administrator at BMC?

There are several different systems a new employee may get access to. This is not a complete list of all systems that access should be given to, but rather a list of external systems that one should at least be aware of.

Some of these things have to be done before an employee starts.

Some of this applies to more than just BMC so you are more than welcome to take a look. Please let us know if there are things we are missing.

Personal computer and work space

Get an office. Chair, table, network. Do you need an ergonomic adjustable table? Make a raid down to the BMC campus office supply cabinet and get some pens, a notebook, a pair of scissors and other office stuff that you might need.

If you have a Mac, get an external hard drive to run local Time Machine backups.

Get a standard PC and/or Mac up and running with the standard installation. When you have a UU account, make sure you are a local administrator.

If you need to, get two USB-sticks, one with Windows (with MDT) and one with latest macOS so that you can reinstall computers. Be familiar with the instructions regarding reinstallation of Windows and macOS.

There is a Mac installation server available on the BMC-Data network. There is a PXE boot menu available on almost all networks where legacy (not UEFI) installations of Windows can be done. Also basic network boot options for installing CentOS, installing Ubuntu and running Memtest86 etc are available there.

Configure the computer to work with eduroam and eduPrint. Make sure it works.

Order a home directory at My Rudbeck and use the Medfarm voucher to get it for free. Make sure you can access this storage on your computer.

Try out Filr the file sync system. Install the Filr client on your computer. Understand where data is stored. Make sure you can access the data both via Filr and directly.

Let your boss order a phone, either fixed phone or mobile.

Activate your access to the VPN service by following the instructions.

Work clothing

You may get your own fancy BMC/UU hoodie at Grolls. Or whatever work clothing you need for doing your job.

Administrator access

Apply for administrator access to the Local IT organisation in the Active Directory. This will control access to USER.UU.SE\BMC and USER.UU.SE\LocalIT\BMCI in the Active Directory. The terminalserver to use is called

The group BMC Computing Department in USER-AD (sorry for the odd name of this group) controls some access to different systems, including the file share \\\BMCIT-Common aka \\USER.UU.SE\BMCI\Common.

The Zenworks system for management of mainly Windows.

The Munki system (Managed Software Center) for listing packages etc. for Mac, and the Munki bootstrap.

The Symantec server (just FYI).

Physical access

You need an employee key card. This will grant access to the corridors at BMC but not to other campuses.

You need a key to your office. Almost all offices at BMC campus management share the same lock and key.

After instructions, you may get access to the BMC computer room at D11:0.

The cross connect cabinets of BMC are locked with a special key, which can be granted via the BMC-administration if needed. There is an extra key in the Nyckelpiga in the basement so one does not need a physical key all the time.

Network management systems

There are some network administrative systems that one should be aware of and maybe be given access to. This includes:

  1. NetDB (for IP / VLAN / Mac / Switch-port information) (Ask Netsupport for access)
  2. NetReg (for VLAN, router and router filter configuration) (you need a static IP for this on your client so fix this in the following system first...)
  3. Bluecat (the IPAM system for DNS DHCP information) (Ask Servicedesk for access)


Login at Medarbetarportalen. Here you can find for example:

  1. Sympa - mailing list server. You may want to join these mailing lists:
    Someone at BMC-IT has to add you to:
    You will be automatically added to:
  2. Primula Web - wage, vacation, sick leave, parental leave etc.
    • Send in receipts for healthcare (visiting the doctor or prescribed medication)
    • Send in receipts for wellness (gym membership, swimming and many other forms of wellness activities)
  3. Product Web - procurement
  4. Progdist - software licence server
  5. Akka-self service - how to change password and create guest accounts
  6. eduPrint - the printing system
  7. EasIT - the helpdesk system. This is the tool to handle support requests.

Other systems:

  1. Rudbeck-IT has a chat at
  2. BMC-IT has an old arpwatch at

Documentation to read

Read the docs in the FAQ at and SOPs at You do not have to read everything but it is good to have an idea of what it is. Of special interest may be how to reinstall computers with Windows and macOS.

There are more docs at the INV-Common share as well.

Take a look at the central IT helpdesk documentation at

Take a look at the environment and security web pages at BMC. Make sure you know the way to the recycle rooms and to the container for the combustible fraction.

New employee introduction

The university has introductions for new employees. Book in the next scheduled event!

Wellness, waste and environment at BMC

There is a gym, a table tennis room, showers and a sauna at BMC. Read more at BMC - health. Please note that employees at Uppsala University get a small wellness subsidy every year which can be used for gym membership and other similar activities. Also, when the job allows, you may have one hour of wellness activities every week on paid time.

There are a couple of in-service bikes at BMC, two normal and two electrical. Borrow them at the reception.

In order to learn how to handle waste at BMC, please read the documentation.

Please note that no smoking is allowed closer than 15 meters from any university entrance.

Welcome! :-)

4. How do I use Eduroam, the wireless network, in Windows?

See also: What Internet bandwidth does the university have?
See also: Connect to eduroam using iPhone with iOS 10

For manual installation: Follow this guide using eduroam installer.

Using Windows 10: Click on the wireless-icon in the system tray and click on “eduroam” to connect.

Enter your AKKA-ID and password B. This is the only place you use password B.

For a more detailed instruction, click here to read a SOP.

5. Is Java free or do I need a license?

Clarification from the IT department regarding terms and licensing of Oracle Java

Information from the university license department

Inventory and registration of Oracle Java licenses

Oracle has announced that from January 2019, support and updates of Java 8 SE for "non General Purpose" are not provided free of charge. If Java has been downloaded from, the license terms have been accepted and installation is associated with a license fee. Oracle intends to carry out audits regarding Java utilization and it is important to acquire and register the required number of licenses for the installations concerned in order to avoid costly fines.

Registration is made in the university central license register,, by the institution's license manager/equivalent. For further information on licensing Oracle Java see also:

The registration must be completed before 2019-06-30, after which the possibility of registration is closed and a total purchase is made for the entire university of the total number of registered licenses. The license form is an annual license subscription; the purchase of a license for part of the year is not allowed, and the subscription period applies to the entire university. License costs are allocated per respective institution/equivalent.

If Oracle Java can be replaced by free products, this should be done. NB - if this has already been done after 2019-01-01, a license must still be registered.

Questions regarding inventory of installed software, versions, alternatives to Oracle Java etc are sent to

Questions about license registration are sent to

6. How to use the IBM Spectrum Protect (Tivoli Storage Manager aka TSM)

See also: How do I take backup of the data on my computer?
See also: How do I overwrite deleted data in Windows?
See also: Backing up via Rsync to ZFS or Btrfs snapshots
See also: What is ransomware and CryptoLocker?
See also: How do you secure delete data from the computers and servers?

IBM Spectrum Protect is the backup system run by the IT-division at the university. The software was previously known as TSM - Tivoli Storage Manager and is still referred to by both names.

Financing and pricing

The service is paid for by the users. This includes salaries for everyone involved in maintaining the system and all equipment. The costs include a starting cost per node and a (decreasing) cost per GB depending on how much data is stored in the system. Read the pricelist.


IBM has their own documentation of TSM 7.1.3 (the latest version at 2016-04-14)


Usually on Windows systems the backup client asks the server whether it should back up or not. Send a mail to backup-admin to let them know.

On Mac and Linux (and other Unix-based systems) the client is instead called at a certain point in time to do the backup, like this:

dsmc incr

To put this in the crontab on a Linux system, first open the crontab as root, here using emacs as the editor.

EDITOR=emacs crontab -e

Or use the default vi editor:

crontab -e

Then enter the point in time to run the backups (with the full path to the client)

1 1 * * * /usr/bin/dsmc incr
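
A bare cron entry gives no signal when the nightly backup fails or when two runs overlap. The wrapper below is an added example, not part of the original FAQ: it takes a lock, logs the client output and turns the dsmc return code into a message that cron will mail. The paths, the script name in the crontab comment and the function names are assumptions; the meaning of return codes 0, 4, 8 and 12 follows IBM's client documentation, and treating 4 as success is a policy choice.

```shell
#!/bin/sh
# Added example (not from the original FAQ): cron wrapper around "dsmc incr".
# Assumed defaults; override through the environment or edit to match the host.
DSMC=${DSMC:-/usr/bin/dsmc}
LOCK=${LOCK:-/var/lock/dsmc-incr.lock}   # lock directory, created with mkdir
LOG=${LOG:-/var/log/dsmc-incr.log}

# Map the dsmc return code to a word (0/4/8/12 per the IBM client documentation).
classify_rc() {
    case "$1" in
        0)  echo ok ;;        # everything processed
        4)  echo skipped ;;   # completed, but some files were not processed
        8)  echo warning ;;   # at least one warning message
        12) echo error ;;     # at least one error message
        *)  echo unknown ;;   # e.g. 127 when the client is not installed
    esac
}

log_line() {
    echo "$(date '+%Y-%m-%d %H:%M:%S') $*" >>"$LOG"
}

# Run one incremental backup. Returns 0 for ok/skipped, 1 for anything worse,
# 3 when a previous run still holds the lock.
run_backup() {
    # mkdir is atomic, so only one run at a time gets past this point.
    # A run that was killed leaves the lock behind; the next run then reports
    # it on stderr instead of silently doing nothing.
    if ! mkdir "$LOCK" 2>/dev/null; then
        log_line "previous run still holds $LOCK, skipping"
        echo "dsmc incr skipped: lock $LOCK exists" >&2
        return 3
    fi
    rb_rc=0
    "$DSMC" incr >>"$LOG" 2>&1 || rb_rc=$?
    rmdir "$LOCK"
    rb_status=$(classify_rc "$rb_rc")
    log_line "dsmc incr finished rc=$rb_rc status=$rb_status"
    case "$rb_status" in
        ok|skipped) return 0 ;;
    esac
    # Anything cron sees on stderr is mailed to the crontab owner.
    echo "dsmc incr $rb_status (rc=$rb_rc), see $LOG" >&2
    return 1
}

# crontab entry (script path is an assumption):
#   1 1 * * * /usr/local/sbin/dsmc-incr-cron.sh --run
if [ "${1:-}" = "--run" ]; then
    run_backup
fi
```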

Performance with TSM

TSM stores files on tapes, and after a while the incremental backups will be spread over several different tapes. One way of taking care of this is to do a selective backup or an image (block device) backup from time to time. Restoring individual files from a block device backup is obviously harder.

There are several options to decrease the amount of data being sent on the wire by doing more work on the client. Inside the university network this is usually not a problem since we usually have enough bandwidth between the campuses and to the backup servers.

Compression yes
Memoryefficientbackup yes

Examples: Query the backup...

To list what partitions (or file systems) have been backed up:

dsmc query files

To list files that have a backup date within a certain date range, use -fromdate and -todate. However, running with the time limit options (todate, fromdate) changes the behaviour of the client so that it reads a lot of data into RAM. With several million files this will be slow. Read about Classic Restore versus No Query Restore (NQR) at IBM.

The option -inactive will list both active and inactive files.

dsmc q ba -inact -fromdate=01/01/2016 -todate=01/03/2016 -subdir=yes '/blue/*'

To get summary of all files backed up and the size:

dsmc query backup '/etc/*' -subdir=yes -querysummary

To get more details, for example to see files with the wrong backupclass which still are taking up space in the backup, run this command:

dsmc query backup '/etc/*' -subdir=yes -querysummary -detail

Examples: Restoring backup...

To interactively pick and restore the files, restoring to the directory /tmp:

dsmc restore -pick '/blue/*' "/tmp/"

To also interactively pick among the inactive files when restoring:

dsmc restore -pick '/blue/*' "/tmp/" -inactive

To also restore subdirectories while restoring:

dsmc restore -pick '/blue/*' "/tmp/" -inactive -subdir=yes

To restore the state of a directory at several different points in time, run the restore command once for each of the specified dates. Each run restores the directory as it was at that point in time.

for i in 10 11 12 13 14 15 16 17 ; do
  # One target directory per restored date.
  mkdir /var/tmp/jerker.restore.2016-04-$i-12.00.00/
  dsmc restore -pitd=04/$i/2016 -pitt=12:00:00 -subdir=yes '/home/jerker/*' /var/tmp/jerker.restore.2016-04-$i-12.00.00/
done

To backup everything irrespective of whether files have changed since the last backup, use the selective command:

dsmc sel '/green/home/USER/jny25782/*' -subdir=yes

Examples: Deleting old backup data...

To delete a backup (which may require extra permissions), use the delete command. This time the -pick makes it interactive.

dsmc delete backup '/archive/jerker/*' -subdir=yes -pick

To delete all inactive files:

dsmc delete backup '/archive/jerker/*' -subdir=yes -deltype=inactive

To delete all inactive files backed up during a certain date range:

dsmc delete backup -fromdate=01/01/2010 -todate=01/01/2016 '/green/home/USER/jny25782/*' -subdir=yes -deltype=inactive

With the number of files in the multiple tens of millions, this may not work so well, since it takes up too much memory or perhaps times out when waiting too long for the confirmation prompt unless the operator (you) is staring at the window. Use the -noprompt option and break it down into smaller parts like this:

for i in /home/* ; do dsmc delete backup -fromdate=01/01/2010 -todate=04/01/2016 $i/'*' -subdir=yes -deltype=inactive -noprompt ; done

To delete all files from the backup, including inactive files, specify -deltype=all. Do not prompt for confirmation.

dsmc delete backup '/' -deltype=all -noprompt

This however does not delete parent directories from the backup. To remove them too, run the expire command. The position of the wildcard is described at IBM but looks a bit strange, so be careful!

dsmc expire '/*' -noprompt

Different management classes:

To view the different management classes:

dsmc q mgmtclass

To list the details of the different backup management classes:

dsmc q mgmtclass -detail

To change class when taking backup, the new class can be specified in the file dsm.opt when including file systems:

include /myfilesystem/* TWOYEARCLASS

Please note that this may (or may not) only affect new objects created in the backup system. Manual clean up (using the method in the previous section) may have to be done.

The way I know of to view the current backup management class is to start the graphical client, dsmj, and in the menu Utilities choose the entry View policy information.

This is a small script to list management classes:

#!/bin/bash
# Print one line per management class with its retention settings.
echo 'Management      Retain Only     Retain Extra    Version         Version'
echo 'Class           Version         Version         Data Exists     Data Deleted'
echo '--------------- --------------- --------------- --------------- --------------'
( dsmc q mgmtclass -detail ; echo DONE ) |
grep -e 'MgmtClass Name' -e 'Retain Only Version' -e 'Retain Extra Version' -e 'Versions Data Exists' -e 'Versions Data Deleted' -e 'DONE' |
( while read A B C D E F ; do
    # A new class (or the DONE sentinel) starts: print the class collected so far.
    if test "$A" = "MgmtClass" -o "$A" = "DONE" ; then
      if test "$EXTRA" != "" -a "$ONLY" != "" ; then
        echo -e $MGMT'\t'$ONLY'\t'$EXTRA'\t'$EXISTS'\t'$DELETED | expand --tabs=16,32,48,64
        ONLY="" EXTRA="" MGMT="" DELETED="" EXISTS=""
      fi
      MGMT=$D
    fi
    if test "$B" = "Only" ; then
      ONLY=$D
    fi
    if test "$B" = "Extra" ; then
      EXTRA=$D
    fi
    if test "$C" = "Exists...:" ; then
      if test "$D $E" = "No Limit" ; then
        EXISTS="NoLim"
      else
        EXISTS="$D"
      fi
    fi
    if test "$C" = "Deleted..:" ; then
      if test "$D $E" = "No Limit" ; then
        DELETED="NoLim"
      else
        DELETED="$D"
      fi
    fi
  done ) | sort -n --key=2,5

The output looks like this for the current (2016-05-16) classes in the domain that I am using. Note that there may be different domains with different management classes.

# ./
Management      Retain Only     Retain Extra    Version         Version
Class           Version         Version         Data Exists     Data Deleted
--------------- --------------- --------------- --------------- --------------
ITSDBCLASS      0               0               1               0
ORACLECLASS     0               200             3               0
ONEDAYCLASS     1               1               3               2
DAYCLASS        2               0               1               1
MONTHCLASS      9               9               8               7
TWOWEEKS        14              14              14              1
TDPDIFF         30              30              No Limit        No Limit
TDPDIFF-META    30              30              No Limit        No Limit
TDPFULL         30              30              No Limit        No Limit
TDPFULL-META    30              30              No Limit        No Limit
TDPLOGS         30              30              No Limit        No Limit
TDPLOGS-META    30              30              No Limit        No Limit
PUBCLASS        60              30              2               1
STANDARD        60              30              2               1
QUARTERCLASS    120             90              3               2
ITSCLASS        300             200             3               2
LOGCLASS        300             200             3               2
ITS_DISK        365             200             3               2
DEVCLASS        500             450             4               3
TWOYEARSCLASS   750             30              2               1
ADMCLASS        900             800             8               7
TENYEARSCLASS   4000            30              2               1
# date
Fri Aug 26 13:51:51 CEST 2016
# _

This is how to Assign management class to specified directories or default.

7. How do I force activation of Windows 10 using KMS?

See also: How do I start an elevated command prompt (as administrator) in Windows?

When updating Windows Pro 7 to Windows 10, activation may fail. The name of the university KMS-server has also changed a few times, which leaves Windows computers that use the old name unactivated.

It may look like this:

How to activate Windows

  1. Connect to the university fixed network (ethernet).
  2. First start a command window as administrator.
  3. The command slmgr.vbs /ato should try to do an automatic activation if the computer is part of the Active Directory. If it is not part of the Active Directory you need to specify the KMS-server, see below.

  4. If that does not work, try to specify the activation server first with slmgr.vbs /skms, followed by slmgr.vbs /ato again.
  5. And if that does not work, try to reset the product key and then do an activation with the command slmgr.vbs /rearm.

  6. Display information about activation with slmgr.vbs /dli. It should look like this:

  7. You can also check when the license expires with the command slmgr.vbs /xpr.
  8. If things do not work, maybe the KMS-address has changed? You can also check the current address with the command nslookup -type=srv If that is the case, the address should be changed to the new one. Please send mail to to let us know if this is the case. In the example below both refer to the same server, which is correct.

8. How do I print on EduPrint with LPD on Windows 10?

See also: How do I access my scans for eduPrint in Linux?
See also: How do I print to eduPrint using LPD on macOS?

This solution picks the LPD username from the Windows user. You must use the same username on your Windows computer as the account you are trying to print to in EduPrint. Sorry about that, but I have not found any workaround for using local accounts with other names.

  1. Start the Control Panel

  2. Enter View devices and printers

  3. Enter Add a printer

  4. Pick The printer that I want isn't listed

  5. Pick Add a local printer or network printer with manual settings and then Next

  6. Pick Create a new port: followed by Standard TCP/IP port and then Next.

  7. Enter as the Hostname or IP address and for example EduPrint LPD as the name

  8. Wait a moment for Windows to time out while detecting ports.

  9. Pick Custom and enter Settings...

  10. Pick the Protocol LPR and then enter the Queue Name eduPrint-UU, check the option LPR Byte Counting Enabled and proceed with OK

  11. Proceed with Next.

  12. Choose the manufacturer RICOH and the Printer PS Driver for Universal Print and Next.

  13. This computer already has the driver, so in this case just go Next.

  14. Name the printer for example EduPrint LPD
  15. Do not share the printer and proceed with Next

  16. You may Print a test page and then Finish.

  17. If everything works fine you should now be able to enter EduPrint on the web at your job should show up.

  18. This is what the new printer looks like when following this instruction.

9. What are your plans for a common client network configuration?

On BMC we have plenty of different client networks. See FAQ about VLANs at BMC.

We were hoping that the network investigation (2016) and the new Segerstedt building (2017) would solve some of this, but they have not. Maybe BMC is unique in having so many different departments from different parts of the university in the same building.

  1. Proposed solution: Use Wireless
  2. Proposed solution: Continue using the wired network
    1. Option: Large and wide VLANs for all clients aka the Segerstedt model.
    2. Option: Use Private VLAN and PVLAN Edge
    3. Option: Use only Protected Ports.
    4. Option: Use Cisco software defined networks
    5. Option: Use automatically configured VLAN


  • Minimize the time spent on activating and deactivating network ports and the time spent on changing VLANs.
  • People and computers should be able to move through the university and get their network to work in a safe and reliable way, minimizing configuration.
  • We would like to be able to give a person that is missing a computer a new computer which should start to work right away everywhere at BMC (or at the university) for that person. If a computer is broken - go get a replacement and continue to work right away.
  • We would like to add all network sockets to a single configuration that works for most users.
    • When a department is moving out of a room, set all active network ports to this configuration.
    • When renovating a new corridor, set all ports to this configuration.
    • When building a new house, set all ports to this configuration.
  • All computers should not be able to talk directly to each other. We would like to stop malware from spreading directly between the computers. Somebody will plug in a home router with a LAN port attached to the LAN, but this should not be able to take down the whole network.
  • When a switch breaks down, it is a lot easier to get a working network again. Of course the patch cables should be in the patch cable database in order to track clients, but even if they are inserted wrong it will work anyway. Plugging the patch cables into any switch with the correct common client network configuration will work.
  • The setup should be possible to use on both HP and Cisco and possibly other vendors. In particular the current model Cisco C2960X and the Cisco C2960S which it replaced should be possible to use.
  • We need to be able to identify users and computers. This is done today with the UUIT services Netreg and NetDB together with the local BMC service Arpwatch in order to track an IP/MAC to a network socket. We are missing a central way of documenting the patch cables and the fixed cables. (On BMC this is currently documented in Excel documents.) But if every user and computer is authenticated (like on eduroam) that information may be used instead.

Possible problems with relying on only eduroam or a protected ports / Private VLAN network:

  • In a closed down wired network all traffic will go up to the router: even traffic that previously originated and terminated in the same switch now has to use the uplinks up to the router (L3). This is not an efficient way of using the network bandwidth. However, even today we aim for keeping the servers on a separate VLAN, which has to go up to the router.
  • The academic freedom may be compromised. It is not as easy as it was before to start and use a new application that previously was open on the local department network. This may be both good and bad. Zero-configuration networking using multicasts DNS and DNS service discovery (Apple Bonjour) will stop working as it did before if L2-traffic directly between clients is blocked.
  • Shared medium as wireless End-to-end encryption. It cannot be as secure as a L2-blocked wired network.

1. Possible solution: Use wireless

Let the new computers use Eduroam as the preferred network.

This may require a lot more rapid response in fixing coverage and capacity problems for the wireless network.

Cons: Shared medium. Easy to disrupt.

2. Possible solution: Continue using the wired network

2.A. Option: Large and wide VLANs for all clients aka the Segerstedt model.

Use a few big VLANs and don't worry too much.

Perhaps use DHCP Snooping.

All clients are wide open to all other clients on the VLAN.

All existing subnets could also be put in this VLAN and then no client needs to change any settings, but then again, no security on the L2-level even if L3-level router filters stop legitimate traffic.

2.B. Option: Use Private VLAN and PVLAN Edge

Read more about Private VLAN. Get a new generation of switches that support Private VLAN. The current generation C2960S and C2960X do not support Private VLAN. Only the single C2960XR does support it. Continue using older switches as edge switches using the PVLAN Edge feature.

It looks like the I-Port on a Private VLAN can only carry a single untagged VLAN. This means that even though the simpler switches with PVLAN Edge could carry many VLANs, they cannot be combined with the Private VLAN I-Ports. (Perhaps except using multiple uplinks, but I do not think we want to go there.) This needs to be confirmed by testing.

It may be possible to build a hybrid network combining a backbone of distribution switches (C2960XR C3750 C3560 etc) using Private VLAN with access switches (directly connected to clients) using PVLAN Edge (C2960X C2960S etc). Connect all clients to I-Ports directly or on a hybrid network via switches with PVLAN Edge ports.

         Etherchannel                Etherchannel                  I-Port
            trunk                       I-Port                       |
            |   |                       |   |                        |
   =====C2960XR=stack=====    =====C2960S==stack=(1VLAN)===          |
         Etherchannel                Etherchannel                    |
            |   |                     Protected                      |
            |   |                       |   |                        |
   =====C2960X==(1VLAN)==     ====C2960S====(1VLAN)==    ====C2960X==(1VLAN)===
    Protected   Protected       Protected   Protected     Protected  Protected
        |           |               |           |            |          |
    Computer1   Computer2       Computer3   Computer4     Computer5  Computer6
Reference: Consolidated Platform Configuration Guide, Cisco IOS XE 15.2(6)E (Catalyst 2960-X Switch) - Configuring Private VLANs - Cisco
Reference: Cisco Catalyst 2960-X Series FAQ - Cisco

2.C. Option: Use only Protected Ports.

Only use the PVLAN Edge (protected ports) feature to block traffic between clients. The problem with this solution is that it cannot really be combined with multiple VLANs in the same uplinks unless it is used on the whole network, with a switch topology that has Protected Ports on the downlinks everywhere. Whether this is possible on Cisco is unknown.

There is an L3-workaround for the L2-block by using local-proxy-arp, but it is probably not a good idea. That would in theory have been possible to run on all VLANs as is, but only for L3. No L2 services like zero-config networking (Apple Bonjour) will work.

See the background below for details on how to set it up. It is most probably not a practical solution.

2.D. Option: Use Cisco software defined networks

Probably expensive, requires new equipment and is a bit more complicated than we need.

Reference: Cisco Identity Services Engine Data Sheet - Cisco

Cisco SD-Access Ordering Guide - SD-Access Platform Support Summary - Cisco

2.E. Option: Use automatically configured VLAN

Use MAC-address or login to automatically configure the VLAN on each edge switch port.

Maybe it is possible to populate the database server (RADIUS) with MAC-addresses from the BlueCat whitelists using the API. Good with integration.

1. Optional login with username and password and then select the correct VLAN based on the username. Extra security or special cases.
2. Check if the client MAC-address is in a Bluecat whitelist here at BMC (the local campus) and then select the correct VLAN: Vlan660
all the different local VLANs
3. Check if the client is in any whitelist at the university and pick the same VLAN for all of them: Vlan??? UU-Work
4. All others: Students, guests, private computers need to use the captive portal to login Vlan695 Netlogin


  • Minimize later switch port administration.
  • Works with C2960X and maybe others.
  • No need to change the patch cables in order to switch a network socket from the common client network to another one.
  • Could be used all over the university.
  • Could be used also for static IP on the client, no need for DHCP (like for DHCP snooping).
  • The network configuration for a socket in use could be changed without affecting current usage, which makes it possible to introduce this on a smaller scale, step-by-step.


  • If only the MAC-address is used as a key then it can be faked easily. Maybe some networks can have both login and MAC.
  • This will not get rid of the old VLAN structure. But maybe after a couple of years when almost all old computers have been replaced.
  • Maybe one RADIUS-server for each campus-router is needed.


  • How to handle several campuses - must every campus have an extra RADIUS-server in order to get the list of local VLANs correct?
  • It may be possible to also login with 802.1x authentication and pick a VLAN that way, but how to efficiently pick the right VLAN is not known.
  • In theory multiple users could be added for access to a specific VLAN. As an example username jny25782@Vl664 could be used for me to connect to Vlan664.
  • A special open VLAN could be created for users where the normal router filters do not work.
  • Use USER-AD to login the computer and not the user.

Reference: MAC Authentication Bypass Deployment Guide - Cisco
Reference: Consolidated Platform Configuration Guide, Cisco IOS XE 15.2(6)E (Catalyst 2960-X Switch) - MAC Authentication Bypass - Cisco
Reference: Command Reference, Cisco IOS Release 15.2(2)E (Catalyst 2960, 2960-S, 2960-SF and 2960-Plus Switches) - authentication event - Cisco
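
The decision order in the numbered list above, written out as an added Python sketch (not code from BMC-IT or Cisco). The whitelist contents, the login table, the rule that Vlan664 needs both login and MAC, and the UU-Work VLAN number 999 are constructed placeholders; the Tunnel attributes are the standard RADIUS attributes for VLAN assignment (RFC 3580).

```python
"""Automatic VLAN selection for an edge port: login first, then MAC whitelists."""
import re

NETLOGIN_VLAN = 695   # "Vlan695 Netlogin" on the page: captive portal for all others
UU_WORK_VLAN = 999    # placeholder: the page only says "Vlan??? UU-Work"

# Constructed sample data standing in for the BlueCat whitelists and a login table.
BMC_WHITELIST = {"001122334455": 660, "0011223344aa": 664}  # MAC -> local VLAN
UU_WHITELIST = {"66778899aabb"}                             # MACs known to the university
LOGIN_VLANS = {"jny25782": {664}}                           # user -> VLANs the user may request
LOGIN_AND_MAC_VLANS = {664}                                 # a MAC match alone is not enough here


def normalise_mac(raw):
    """Reduce colon, dash, dotted or bare notation to 12 lowercase hex digits."""
    digits = re.sub(r"[.:-]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def parse_login(username):
    """Split 'user@Vl664' into ('user', 664); a plain username gives (user, None)."""
    match = re.fullmatch(r"([^@]+)@Vl(?:an)?(\d{1,4})", username)
    if match:
        return match.group(1), int(match.group(2))
    return username, None


def select_vlan(mac, verified_login=None):
    """Return (vlan, reason) following the four steps of option 2.E.

    verified_login is a username whose password has already been checked
    elsewhere; None means the port fell back to MAC authentication only.
    """
    mac = normalise_mac(mac)
    local_vlan = BMC_WHITELIST.get(mac)

    # Step 1: optional login, VLAN chosen from the username.
    if verified_login:
        user, wanted = parse_login(verified_login)
        if wanted in LOGIN_VLANS.get(user, set()):
            # For sensitive VLANs the MAC must be whitelisted for that VLAN too,
            # because a MAC address on its own is easy to fake.
            if wanted not in LOGIN_AND_MAC_VLANS or local_vlan == wanted:
                return wanted, "login"

    # Step 2: MAC in the local (BMC) whitelist.
    if local_vlan is not None and local_vlan not in LOGIN_AND_MAC_VLANS:
        return local_vlan, "bmc-whitelist"

    # Step 3: MAC in any whitelist at the university.
    if mac in UU_WHITELIST:
        return UU_WORK_VLAN, "uu-whitelist"

    # Step 4: students, guests and private computers.
    return NETLOGIN_VLAN, "netlogin"


def radius_reply(vlan):
    """Attributes a RADIUS server returns so the switch places the port in a VLAN."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": str(vlan),
    }


if __name__ == "__main__":
    for mac, login in [("0011.2233.4455", None),
                       ("00:11:22:33:44:aa", None),
                       ("00:11:22:33:44:aa", "jny25782@Vl664"),
                       ("de:ad:be:ef:00:01", None)]:
        vlan, reason = select_vlan(mac, login)
        print(mac, login, "->", reason, radius_reply(vlan))
```

A whitelisted MAC without a login never reaches Vlan664 in this sketch; it lands in Netlogin, which is the "both login and MAC" variant mentioned in the list of drawbacks.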

Background: How does Protected Ports work on a multi-switch network

All uplinks must be normally configured as promiscuous. All downlinks must be protected. The network topology must be strictly hierarchical with all routers or servers connected via promiscuous ports on a single switch.

In this first example random client ports have been made protected. This only works on a single switch - Computer1 and Computer2 cannot talk to each other since they are both on protected ports on a single Switch1. But protected ports on different switches can talk to each other because traffic may flow between protected and promiscuous ports on a single switch - Computer1 and Computer2 can both talk to Computer3.

             |                    |
    =====Switch1=========   =====Switch3=====
     Protected  Protected      Protected
        |         |               |
     Computer1  Computer2      Computer3   

In the second example all downlinks are Protected. Traffic from Computer1 or Computer2 to Computer3 will be blocked on Switch2 because traffic cannot go between two protected ports on the same switch.

          Protected            Protected
             |                    |
    =====Switch1=========   =====Switch3=====
     Protected  Protected      Protected
        |          |              |
     Computer1  Computer2      Computer3   
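
The two examples above as an added Python model (not part of the original FAQ). It assumes Switch2 is the upstream switch that Switch1 and Switch3 connect to, with the router on its promiscuous uplink; the port names are made up for the model.

```python
"""Where does a frame get dropped when PVLAN Edge (protected ports) is used?"""
from collections import deque

PROTECTED, PROMISCUOUS = "protected", "promiscuous"


class Network:
    def __init__(self):
        self.mode = {}     # (switch, port) -> PROTECTED or PROMISCUOUS
        self.peer = {}     # (switch, port) -> ("host", name) or ("port", (switch, port))
        self.host_at = {}  # host name -> (switch, port)

    def add_port(self, switch, port, mode):
        self.mode[(switch, port)] = mode

    def attach_host(self, host, switch, port):
        self.peer[(switch, port)] = ("host", host)
        self.host_at[host] = (switch, port)

    def link(self, a, b):
        self.peer[a] = ("port", b)
        self.peer[b] = ("port", a)

    def may_forward(self, ingress, egress):
        """The only thing a switch blocks: protected port to protected port."""
        return not (self.mode[ingress] == PROTECTED and self.mode[egress] == PROTECTED)

    def hops(self, src, dst):
        """Physical path as (switch, ingress, egress) hops, ignoring port modes."""
        start = self.host_at[src]
        queue, seen = deque([(start, [])]), {start}
        while queue:
            ingress, path = queue.popleft()
            for egress in self.mode:
                if egress[0] != ingress[0] or egress == ingress:
                    continue  # other switch, or the port the frame came in on
                kind, target = self.peer.get(egress, (None, None))
                hop = path + [(ingress[0], ingress, egress)]
                if kind == "host" and target == dst:
                    return hop
                if kind == "port" and target not in seen:
                    seen.add(target)
                    queue.append((target, hop))
        return None

    def blocked_at(self, src, dst):
        """Name of the first switch that drops src -> dst, or None if delivered."""
        path = self.hops(src, dst)
        if path is None:
            raise ValueError(f"no physical path from {src} to {dst}")
        for switch, ingress, egress in path:
            if not self.may_forward(ingress, egress):
                return switch
        return None


def build(switch2_downlinks):
    """Topology of the diagrams; switch2_downlinks is the mode of Switch2's downlinks."""
    net = Network()
    # Access switches: client ports protected, uplinks promiscuous.
    for sw, hosts in (("Switch1", ["Computer1", "Computer2"]), ("Switch3", ["Computer3"])):
        net.add_port(sw, "uplink", PROMISCUOUS)
        for i, host in enumerate(hosts, 1):
            net.add_port(sw, f"client{i}", PROTECTED)
            net.attach_host(host, sw, f"client{i}")
    # Upstream switch (assumed to be Switch2), router on its promiscuous uplink.
    net.add_port("Switch2", "uplink", PROMISCUOUS)
    net.attach_host("Router", "Switch2", "uplink")
    for sw in ("Switch1", "Switch3"):
        net.add_port("Switch2", f"to-{sw}", switch2_downlinks)
        net.link(("Switch2", f"to-{sw}"), (sw, "uplink"))
    return net


if __name__ == "__main__":
    for label, net in (("first example", build(PROMISCUOUS)),
                       ("second example", build(PROTECTED))):
        for src, dst in (("Computer1", "Computer2"), ("Computer1", "Computer3"),
                         ("Computer1", "Router")):
            where = net.blocked_at(src, dst)
            print(f"{label}: {src} -> {dst}:",
                  f"blocked at {where}" if where else "delivered")
```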

Regarding the Cisco PVLAN Edge

It may be possible to use the protected ports feature on an EtherChannel group according to Configuring Protected Port, for example on the Cisco Catalyst C3850:

You can configure protected ports on a physical interface (for example, Gigabit Ethernet port 1) or an EtherChannel group (for example, port-channel 5). When you enable protected ports for a port channel, it is enabled for all ports in the port-channel group.

This would in theory make it possible to cascade down from a stack of distribution switches to an edge switch. However, it does not seem to be possible to use the Protected Port feature on a trunk port and not on a single VLAN in a trunk. There are two possible solutions for this:

  • This may require a single VLAN for each cross connect cabinet - at least 18 VLANs at BMC. This means going from one quite complicated configuration to another, although Proxy ARP for transparent subnet gatewaying, as defined in RFC1027 Using ARP to Implement Transparent Subnet Gateways, could ease things up a bit. That would mean multiple VLANs (in order to separate the physical network) that are then joined together with Proxy ARP for the purpose of intercommunication and DHCP pooling (to minimize the need for micromanagement of the DHCP pool size). Inter-VLAN Bridging may also be of interest. But this is probably not a good idea.

    Reference: En introduktion till IP - Chalmers tekniska högskola (Chalmers is running Proxy-ARP ... UU did recently too, maybe still somewhere if not everything has been cleaned up.)

  • It may be possible as described above to use switches capable of Private VLAN as distribution switches and the older switches using only PVLAN Edge as access switches, connected to an I-Port. This is probably doable, but with only one VLAN, how is for example the management VLAN going to be reached?

    ====Switch1=C2960S=C2960S==== (multiple VLANs)
     Pro.  Pro.  Pro.  Protected
      |     |     |   Etherchannel
    Comp1 Comp2 Comp3  |  |  |
                       |  |  |
    ======SwitchC2960S=C2960S==== (single VLAN)
     Pro.   Pro.
      |      |
     Comp4 Comp5

10. How do I install anti-virus software on macOS?

See also: What is ransomware and CryptoLocker?
See also: My computer has got a virus! What do I do?
See also: How do I change the Mac computer name, host name and NetBIOS-name?
See also: How do I connect to a file server via SMB on macOS?

Contact for advice.

All computers have to run adequate anti-virus software according to the rules at Uppsala University.

We recommend Symantec Endpoint Protection (SEP). Licenses for this are in most cases paid for by the department, but you must notify BMC-IT if you install on your own so that we know what is going on. Notify BMC-IT by mailing to

The server is run by Polacksbacken campus for the whole of the university for those who like to cooperate on this.

For this to work your computer host name must follow the Uppsala University naming scheme. This is first a three-letter acronym for the department, then a dash and then your serial number (or some unique identifier; if you are not using your serial number, let us know) so that when we receive a warning we can identify the computer. As an example, a computer may be named BMC-07JD0NADJD3.

How to install

First the preparation:

  1. Make sure your computer host name follows the Uppsala University naming scheme.
  2. Notify BMC-IT what you are doing by mailing Send the name of the computer.
  3. You must be located on the Uppsala University network or connect via VPN.

Then the actual installation:

  1. Open the server smb:// in Finder
  2. Open Public
  3. Open Public Installation Files
  4. Open Symantec_Endpoint_Protection_version_14.0.2332.0100_English for Mac (ANG) Pick the directory with this or the latest version number!
  5. Download Symantec_Endpoint_Protection_version_14.0.2332.0100_English.pkg by copying it to your local computer (for example the Desktop). Pick the package with this or the latest version number!
  6. Open the package and do the installation.
  7. Reboot computer.
  8. Start application Symantec Endpoint Protection and make sure it is working as it should.

Configurations you might want to do:

Turn off notifications
(For the computer only. A report will still be sent to the server in case there is a virus found.)

  1. Click on "Notifications" in the top right corner of Finder.

  2. Click on the settings icon in the bottom right corner.

  3. Scroll down to "Symantec" in the left pane and click on it.

  4. Choose "None" as Symantec alert style (or another style of your choice).

11. How do I access my scans for eduPrint in Linux?

See also:

Where are the scans stored

The DFS-path to the directory where your scans are stored is smb:// This path works fine in macOS but may or may not work in Linux. The other official path is smb://

How to access via user-space tool smbclient

Use smbclient to access your directory. But use your own username instead of mine. smbclient works like a very old school FTP-client if you remember those. It may be convenient because it is all in userspace and does not require any special privileges except access to the smbclient binary and network access.

smbclient -W USER -U jny25782 -m SMB3 //
cd jny25782
ls

This works as well, without specifying a higher version of the SMB-protocol.

smbclient -W USER -U jny25782 -I ///scan/
cd jny25782
ls

How to access them in Linux via kernel mount

You can mount directly on the command line like this. Use your own username and password.

sudo mount -t cifs -o username=jny25782,password=PASSWORDA,domain=user // /mnt/

You may exclude your password and be prompted instead, which keeps it out of the shell history and the process list. This works in Scientific Linux 6 (compatible with RHEL6) and CentOS 7 (compatible with RHEL7).

sudo mount -t cifs -o username=jny25782,domain=user // /mnt/

The default settings in Ubuntu 17.10 do not work. Try SMB version 2.1 like this. (Not needed anymore as of 2019-03-11.)

sudo mount -t cifs -o username=jny25782,domain=user,vers=2.1 // /mnt/

12. How do I map a network drive via SMB on Windows?

See also: How do I mount my home directory or shared storage at HNAS?
See also: How do I access PCFS over SMB using smbclient?
See also: How do I use AddPrinterGUI to add printers in Windows 7/8/10 x64?
  1. Open the file explorer. Press Left Windows key together with E.
  2. Right click on my computer and choose Map network drive...

  3. Enter the network folder you would like to map. In this example \\\neuro
    Learn about server name and path to your home directory or shared storage at "HNAS" above.

  4. Enter your username and password. Please note that the Windows domain USER has to be entered. Do not use my username jny25782 but your own username. Enter your password A.

Not working?

You may want to read about SMB Security Enhancements at Microsoft.

13. We have a server, where should we put it?

See also: What is the postal address for BMC-IT?
See also:
See also: How do I buy a new computer?
See also: Do you have a virtual machine (server) I can use?
See also: Who manages IT-support for whom at BMC?
See also: Open the server room for me please
See also: Who is responsible for the network in the BMC server room?
See also: What is the cost of a PC file server?

BMC has a server room in D11:0. The room was built in 2013 and is maintained together by the IT-division (UUIT) at the university administration (UADM) and Uppsala Biomedical Centre (BMC). The management team (styrgrupp) for the BMC-hall includes the IT director of the IT-division and the director of Uppsala Biomedical Centre.


The server room is equipped with:

  • Diesel backup power generator (maintained by Akademiska Hus and tested each month)
  • Dual battery banks
  • Dual UPS
  • Dual power to each rack
  • Dual routers (called the BMC-hall-routers) each with dual connections to the university backbone routers.
  • Single switch in each rack with single power and dual EtherChannel uplink (For dual network to a single server, connect to two switches and make sure these are connected to each of the two power sources)
  • In-rack cooling (Redundant supply from both district cooling from Vattenfall and tap-water from Uppsala Vatten. Redundant cooling equipment maintained by Akademiska Hus.)
  • Gigabit ethernet to each server. Dual redundant network and higher speeds can be arranged.

The BMC-hall-router VLANs on the normal BMC-hall-switches cannot be shared with the VLANs on the router (called the BMC-router) for the rest of the building. Contact for help with network configuration for the server room.

Current rate is 60000 SEK/rack/year or 2000 SEK/U/year plus a one time fee of 5000 SEK. (This should be about the cost of production. Prices from 2015-06-05.)

For renting space in the server room, contact

Also consider renting virtual servers or using some of the shared services at the university before buying your own physical servers. Contact for renting virtual servers in the shared VMware environment or storage. Contact UPPMAX for using the shared HPC resources for computation and storage. Check on them from time to time to see what they are up to before building something on your own, to reduce duplicated effort.

The BMC server room does not have a postal address. If you want to send packages of servers or other equipment to the server room at BMC please send to BMC-IT with your name as the recipient. (If you or your department has offices at BMC just send it to yourself at your department, do not send to BMC-IT.) Send us a mail to so that we know what is going on. When your package has been delivered you can pick it up at The Goods Reception and you need to show your ID.

14. My Internet does not work! How can I find the problem?

See also: How are the network sockets identified?
See also: How do I configure my resolver on a Linux machine?
See also: Some Cisco switch commands
See also:
See also:

What network are you using?

  1. First check - are you trying to connect via the Wireless Network or the Wired network?

The wireless network:

  1. Do not use UpUnet-S
    Make sure you are not using UpUnet-S. UpUnet-S has a captive portal and requires login. Forget that network.
  2. Connect via Eduroam
    I will not go into details regarding how to configure Eduroam, but begin to read more about it here: Internet access with eduroam
  3. Do you not have coverage?
    • In student areas - order new Wi-Fi hotspots via Netsupport. In department areas, the department has to order and pay for them.
    • Use the wired network instead.

The wired network:

  1. Do you not have a link?
    If no link, check network cable. Throw away and destroy faulty Ethernet cables, even if only the little retainer tab is broken.

  2. If the link is down - has the network socket never been used before? Or was it a very long time ago since it was last in use?
    Contact your Local IT and activate the network socket. If there has been a switch upgrade in the cross connect cabinet recently, only the patch cables for the network sockets (or rather the switch ports) that have been used in the last year have been moved over to the new switch. If that is the case the network socket has to be activated again.
  3. Is the switch out of order?
    If the network socket suddenly stopped working with no link, maybe the switch is broken. Did the network suddenly go dark in some parts of the corridor and not on others? Then this may be the case. Contact
  4. Is it really the network that is broken and not the computer?
    Try the network socket with another computer that is working with another network socket. This can help to identify whether the network socket is not working or if the problem is somewhere in the computer.
  5. Is the power out in the network cabinet?
    If Internet suddenly stopped working - it does happen that the power is out. It is not very common. The cross connect cabinets are usually located in the same part of the building as the lab or office housing the network socket. So go check if power is out. Are the lights on? If the power is out, just wait, Akademiska Hus is almost always already working on it.
  6. Do you have an IP-address?
    Check with ifconfig (Mac/Linux) or ipconfig (win). The IP-address should usually begin with 130.238 if you are at the university.
  7. Do you get intermittent link flaps?
    If the link sometimes goes down but not all the time this may be the case. Maybe the switch has put the switch port in the link-flap error-disabled state and then, after a timeout period, turned the switch port on again. Send message to or
  8. Are you on the correct VLAN? (1)
    If you get a link but do not get an IP-address you may be on the wrong VLAN. You can listen on the network to see what traffic there is. Then you can quite often figure out whether you are on the correct subnet or not. This can be done in Linux with sudo tcpdump -n -i eth0 or on Mac with sudo tcpdump -n -i en0. (The network interface names may differ - check the names with ifconfig.) For Windows, Wireshark is a bit overkill but should work as well.
    As an administrator you can search for the MAC-address in NetDB to see how the switch port is configured.
  9. Are you on the correct VLAN? (2)
    If you have a static IP and you have link, but cannot reach the gateway, you may be on the wrong VLAN. This may be due to switch upgrades or wrong configuration of the switch. See above for possible ways of diagnosing this.
  10. Does the switch have that VLAN in the trunk?
    If the VLAN is correct, the link is up but everything is silent, check if the port is the first port with that VLAN on the switch. If so then maybe the trunk is missing that particular VLAN. Let Netsupport add the VLAN to the trunk.
  11. Is the DHCP-server out of free leases?
    If you have a link but do not get an address via DHCP then perhaps the DHCP-server is out of leases for your VLAN. You must contact your Local IT (which could be or someone else) to check what is going on. If it looks like there are free leases but it still does not work, let the Local IT send a request to and ask for DHCP-server-logs for that particular MAC-address.
  12. Is the computer in the whitelist?
    If this is the first time you are connecting this particular computer, maybe your computer's MAC-address has not been included in the DHCP whitelist. This is a list of computers that are allowed to connect to the network. Again you must contact your Local IT (which could be or someone else) to check what is going on.
  13. Does the network not have a DHCP-server at all, or maybe a local one?
    You have to check how your department has set up the network. On some networks, for historical reasons, the IP addresses are still distributed manually. Please contact your local IT-support. (The local IT may or may not be BMC-IT.)
  14. Is the default gateway address wrong?
    Do you have a gateway? Check with route print (Windows), ipconfig (Windows), netstat -nr (Mac) or route (Linux). If you got an IP-address but cannot reach the gateway maybe there are old firewall rules that are blocking your IP. Check with your Local IT (which could be or someone else) and then let them check with Netsupport or Security Division.
  15. Can the gateway be reached?
    Ping the gateway! First check what the default gateway is and then ping it. Example: ping

  16. Can you reach outside the gateway (router)?
    Test to ping Google resolver ping
    If this is not working this might also be a problem with router filters or firewall rules.
  17. Does DNS resolving work?
    1. Check the configured resolvers with nslookup
    2. Check if you can reach the UU resolver with nslookup
    3. Check if you can reach Google resolver with nslookup or nslookup
  18. Are the network settings correct on the computer?
    Check Internet settings. Here is a guide at Microsoft for Windows.

    Check DNS-server settings. The Uppsala University resolvers (nameservers aka DNS-servers) are,, (They should have the common name If you are using DHCP it should look like this:

  19. Does the computer work on another IP?
    If you are using a static IP you can try to use another free IP (check with your Local IT before using another IP). If that does work then:
    1. Maybe the IP you are trying to use is already in use. Please check arpwatch/NetDB.
    2. Maybe the IP is blocked in the university firewall. Please check with Security division.
  20. Is this a virtual machine that has been cloned?
    Check that you are using a unique MAC-address and unique IP-address for the cloned virtual machine. Otherwise the cloned machines will steal the addresses from each other which will make the network work erratically.

Windows specific fixes when all else fails

  1. Reset TCP/IP-stack
    If most things look OK but the computer cannot connect to the Internet anyway, then maybe the TCP/IP-stack needs to be reset. In Windows 7/8/10 the command for doing this (as an administrator) is netsh winsock reset. Follow up with a restart of the computer.

  2. Reset firewall rules
    To reset the firewall rules in Windows 10/8/7/Vista type netsh advfirewall reset as an administrator at the command line.

For administrators

It could be of help to find out this information about the computer for a more efficient troubleshooting:

  1. Look up the computer login logs for standard Windows clients. Search for the user and the computers. Here you can find the computer name and the username.
  2. Look up the computer name in Active Directory. In the description you can find the computer model and the MAC-address used for installation.
  3. Look up the MAC-address in NetDB. Here you can find the IP-address, switch name and switch port.
  4. Look up the MAC-address in IPAM (BlueCat). Here you can find if the computer is in a DHCP whitelist or any other DHCP-configuration related to the computer.
  5. Look up the IP-address in NetReg. Here you can find VLAN number and VLAN name and the ACL (router filter) for the VLAN.
  6. Look up the Switch and SwitchPort in the network documentation Excel-sheets at BMC. Here you can find the cross connect cabinet ID and network socket ID.
  7. Look up the MAC-address in Arptrack. Here you can find previous arpwatch log entries.

15. What is VPN?

See also: How to connect with VPN using AnyConnect in Windows
See also: How do I connect to the VPN using Ubuntu?
See also: How to connect with VPN using AnyConnect in macOS?
See also: How do I use port forwarding and SOCKS-proxy in SSH?
VPN is short for Virtual Private Network. A VPN tunnel is an encrypted connection between two places over an open network.

If you connect to the university network without a VPN tunnel, the ISP (Internet Service Provider) you use can see that there is data sent between your computer and the university network. The ISP would also be able to see the data that is sent and possibly intercept data.

When you connect to the university via VPN, an encrypted tunnel is created from your computer to the university VPN server. The ISP can still see that there is data sent from your computer to the university network, but they can't see the data and they can't intercept any data.

16. How do I send bulk mail?

Use Bcc in your normal mail program

  1. In this example we will use the webmail for sending the mail. First create a list of recipients in Excel.

  2. Compose a mail in the webmail, activate the Bcc-field (click on Bcc) and then copy and paste all the recipients into the Bcc-field. Put yourself in the To-field. You do not want everyone to be able to reply all to everyone receiving the mail, do you?

  3. Write your mail and send.

Use a mailing list at Sympa

If you wish to send to the same list of persons several times you may want to create a mailing list on the mailing list server.

You can create a mailing list for this purpose that only you can send to. Please send a message to and tell them what you want. Visit the Mailing list service Sympa.

Make sure only you are allowed to send to the list.

Send the bulk mail with a script

This solution requires some basic knowledge in using a text editor like Vi, Nano, Emacs or the built in TextEdit in macOS. If you do not know how to do that then this solution is not for you.

  1. Put all your recipients in a file like this, one recipient on each line and call it to.txt.

  2. Create your message in a file called message.txt like this. Change the subject and the sender address.

    Subject: The subject of the mail
    From:
    MIME-Version: 1.0
    Content-Type: TEXT/PLAIN; charset=utf-8
    Content-Transfer-Encoding: 8BIT

    Hello all,

    Please read this important information. Bla bla bla.

    Kind regards,
    Jerker Nyberg von Below, UU BMC

  3. Then create a script that does the sending. Call it Change the sender address again.

    #!/bin/bash
    REFILE=$1   # file with one recipient per line
    BODY=$2     # file with headers and message body
    SENDER="sender@example.com"   # placeholder, change to your sender address
    if test ! -e "$BODY" ; then
      echo "Error file $BODY does not exist"
      exit 5
    fi
    if test ! -e "$REFILE" ; then
      echo "Error file $REFILE does not exist"
      exit 5
    fi
    while read -r RE ; do
      echo "Sending to $RE"
      ( echo "To: $RE"
        cat "$BODY"
      ) | /usr/sbin/sendmail -f "$SENDER" -- "$RE"
    done < "$REFILE"

    Make sure the script is executable.

    $ chmod +x
    $ _

  4. Make sure you can send mail via the university mail server from your computer. If this is a macOS machine you want to set the relay host to You do this by adding the following row to the file /etc/postfix/ This will only work when you are located on the Uppsala University network.

    relayhost =

    You may need to restart the computer after this is done.

  5. Run the script like this:

    $ ./ to.txt message.txt
    Sending to
    Sending to
    Sending to
    $ _

    17. Where do I store my data? How do I take backup?

    See also:
    See also:
    See also:
    See also:
    See also: What is ransomware and CryptoLocker?
    See also:


    The general idea is to focus on where you store your data instead of how you take backup of your data. You have to be aware of where your data is stored!

    Ideally the computer should not need to be backed up - all data should be on a secure file server. If the computer breaks down it should be possible to just grab another computer, login and access the data. Most standard software and configuration should be easy to reinstall.

    Where do I put my data

    Make sure you store your data safely on a secure file server. Check with your IT support organisation which file server you should use. Recommended file servers are "HNAS" and "Argos".

    • Store your personal data in a personal storage where only you can access the data.
    • Store your group's data in a group storage where all users in the group can access the data.

    How do I work with my data?

    Mount your storage folder on your local computer and work directly with the files on the file server. If you need to access the data when not at the university, you can connect to the university network via VPN and then mount the storage folder.

    Guides for connecting to the file server and mount a storage folder on your local computer:

    But I need all my data on the client!

    Do you really? We do not recommend this, but sometimes, this is the only solution that works. In that case:

    • Use Apple's TimeMachine to make full computer backups to a local, external drive. Please note that this is not a complete backup system. It may not protect your data against malware or ransomware, and if the computer and the external drive are at the same place when something bad happens, it might happen to both of them...
    • Also, the central service TSM can be used.
    • We recommend using the central service TSM to take complete backups of the Windows computer.

    What do I do now?

    Check if your computer was backed up with Retrospect or Time Machine (over the network). These services are no longer available and if your computer was configured to use them you need to make sure your data is secured in another way:

    • Start storing your data safely on a secure file server.
    • In addition to the above, the recommendation is that macOS users have a local, external hard drive that backs up the entire computer with Apple’s TimeMachine service. Since it's easy to setup and cheap to use, there is no reason to not take backup this way too. The hard drive should always be connected to the computer when in office, and then stored in a safe place when not in use. Don't bring it when travelling!
    • Also, the central backup service TSM can be used.
    • If your Windows computer is part of the BMC-IT platform, everything that is stored on your "Desktop" and in your "Documents" folder may already be automatically synchronized to your personal storage on the file server “HNAS”, and you don't need to do anything more than make sure your data is stored in one of these folders on your computer.
    • If not, start storing your data safely on a secure file server, in a personal or group storage as mentioned above.
    • Also, the central backup service TSM can be used.

    18. How do I mount my home directory or shared storage at HNAS?

    See also: How do snapshots in the HNAS file server work?
    See also: How do I map a network drive via SMB on Windows?
    See also: How do I connect to a file server via SMB on macOS?
    See also: How do I mount SMB share in Linux?
    See also: What is the point with the zone

    For Windows clients in USER-AD your home directory and the department common (public) share will automatically be mounted when you login using the drive letters below.

    This storage is in the university shared HNAS file server. Some departments also have other storage available - contact for details.

    1. Please select your department:

      Biomedical Centre Campus Management
      Department of Cell and Molecular Biology
      Department of Medical Biochemistry and Microbiology
      Department of Medical Cell Biology
      Department of Neuroscience
      Department of Pharmaceutical Biosciences
      Department of Public Health and Caring Sciences
      International Science Programme (ISP)
      . . .
    2. Please enter your username here:

      Purpose | Platform | DFS-path | Direct path | Drive letter
      Home directory for personal files | Windows | \\\BMCI\TLA-Users\account | \\\TLA-Users$\account | X:
      Home directory for personal files | Mac | smb:// | smb://user\$/account |
      Common (public) share for department, research groups etc. | Windows | \\\BMCI\TLA-Common | \\\TLA-Common$ | P:
      Common (public) share for department, research groups etc. | Mac | smb:// | smb://user\$ |
    3. Sometimes you want to mount via the command line.

      • Windows, command line version on mapping a network share:

        net use x: \\\TLA-Users$\account /user:user\account

      • macOS, command line version on how to connect to a file server:

        mkdir ~/Desktop/account
        mount_smbfs //user;$/account ~/Desktop/account

      • On Linux, command line version on how to mount a CIFS file system:

        mkdir ~/Desktop/account
        sudo mount -o username=account,domain=user -t cifs //$/account ~/Desktop/account

    4. Also read in the SOP - Connect a Mac to HNAS (v1.0).pdf or follow the links to other FAQs above on how to use the Windows Explorer or Mac Finder GUI. Remember to use the VPN if you are connecting from outside the university network.

      Connect from Mac

    Problems with accessing the shared folders

    A common problem is that your account lacks the correct permissions, called group membership, in AKKA, the university catalogue. In that case, contact your department administration to get this fixed.

19. What is the name standard for network equipment on BMC.

See also: How are the network sockets identified?
See also: What Internet bandwidth does the university have?
See also: Some Cisco switch commands

Unfortunately there are several systems still in use for naming the network equipment at BMC.

Name standard | Year | Introduced by | Explanation

? | 1976- | BMC | Naming of old terminal network blissfully forgotten.

? | 1986- | BMC | Naming of old ethernet network blissfully forgotten.

C5:2 | 1998 | BMC | The first C5500 fast ethernet twisted pair switches were named after the cross connect cabinets where they were located.

C5:2-2 | 2000 | BMC | With the addition of C2980 and C3500 switches, the naming included a serial number for each cabinet.

 | 2005 | UUIT | At some point in time the C2950 switches were clustered in order to minimize the use of IP-addresses.

  1. Problem: It is getting really hard to know which switch is which with all members and clusters.

 | 2007 | UUIT | A new naming standard for PoE switches showed up with the need to identify the PoE capable switches.

 | 2007 (?) | UUIT | At some point in time the switch model was introduced in the name, perhaps to more easily identify the switches, at least the new ones. However, several different separators were used. When switches were not put in cross connect cabinets the room number was introduced.

BMC-A9-1-3 | 2011 | BMC | A prefix was introduced to separate BMC-switches from other switches. The switches were still named after the termination of the cables in the cross connect cabinet. The naming was:

  1. Problem: Does not scale to several cross cabinets (racks).

BMC-D9-3-01b-8 | 2013 | UUIT | The cross connect cabinet room number was used instead of the network socket termination rack. The idea was to use the same system all over the university.

  1. Problem: the cross connect cabinet rooms change house and room number even if they are vertically located above each other.
  2. Problem: the markings on the switch do not match the markings on the network socket.

BMC-D11-0-09a_48-1 | 2014 | UUIT | The server room required naming based on racks, introducing a new system:

  1. Problem: by only looking at the switch name it is not possible to know what VLANs are on it. The BMC-HALL switches should probably have used another prefix than BMC. Perhaps a router prefix?

BMC-C11-3-D302-3 | 2015 | BMC | The introduction of room numbers makes it harder to figure out which switches are located in which cross connect cabinet. Introduce the rack for the cross connect cabinets like in the server room.

  1. Problem: Redundant floor number, both in the FLOOR and in RACK.
  2. Problem: New flexstacked switches appearing at this time share the same network name but introduce a new physical name making it hard to identify which network socket it is.
  3. Problem: Large flexstacked switches may sit in two racks.

 | 2016 | UUIT | No problem, just add a number telling it is a stack and then a number for each member in the stack! Or perhaps a slash?

  1. Problem: Not the full room number, the room numbers are always three numbers and perhaps a letter.
  2. Problem: Redundant floor number, both in the FLOOR and in RACK.
  3. Problem: Still a bit hard to figure out what name is a switch name and what is a flexstack number...

FAL01-C7-03-301B-1 #1, FAL01-C7-03-301B-1 #2 | 2017 | UUIT | Switches are put in DNS! Great! Unfortunately this introduced a new name with the FQDN and also a new name not always exactly as the old switch names due to partial rename.

Using the same naming as the Wi-Fi hotspots, introducing block (kvarter) in the name via Byggnadsavdelningens register.

BLOCK HOUSE (with extra zero prefix) FLOOR ROOM NUMBER.

  1. Problem: introduces a new prefix fal01- instead of bmc-
  2. Problem: the cross connect cabinet rooms change house and room number even if they are vertically located above each other.
  3. Problem: the markings on the switch do not match the markings on the network socket, which refer to the cross connect cabinet.
  4. Problem: The block name (fastighet / kvartersnamn) for BMC is ROSENLUND. FALTLÄKAREN is the old Magistern or Kunskapsskolan. The plot is Kåbo 1:10.
  5. Problem: The NUMBER is not unique for each cross connect cabinet.
  6. Problem: Introduces a leading 0 in front of the floor number.

20. How do I start an elevated command prompt (as administrator) in Windows?

See also: How to change language in Windows 10 Enterprise
See also: How do I force activation of Windows 10 using KMS?
See also: How do I really delete a directory and files in Windows?
See also: How do I copy many files in Windows using Robocopy?
  1. Start a command interpreter window by entering cmd in the search prompt.

  2. Launch by pressing CTRL SHIFT and ENTER at the same time.

  3. Answer Yes to run as administrator.

    It should look like this for Windows 7:

    And like this for Windows 10:

  4. If everything works fine you are running as administrator. The Window title bar should contain the text Administrator:.

    It should look like this for Windows 7:

    It should look like this for Windows 10:

It does not work! What do I do now?

  1. Make sure you are connected to the university network. Then restart computer.

  2. Make sure you are using your employee account and not your old student account.

  3. If you need to be local administrator, send a mail to where you specify your computer name and your account name. We can then add you as a local administrator, after we have confirmed that it is your computer. Then restart computer.

  4. If it does not work anyway, restart the computer again. When the computer restarts it should read the group policy which adds the members of a group in the Active Directory to that computer's local administrators.

  5. If the group has been created and populated with members and it still does not work, run the command gpupdate /force in a command window to force the computer to update the group policy if this was not done automatically. It may look like this. Answer y and press Enter to log off. Then log in and try again.

21. What Internet bandwidth does the university have?

See also: We have a server, where should we put it?
See also: How to connect with VPN using AnyConnect in Windows
See also: How are the network sockets identified?
See also: How do I use Eduroam, the wireless network, in Windows?
See also: What is the name standard for network equipment on BMC.

Check your own bandwidth

Bredbandskollen is a bandwidth measuring service. However, above 100 Mbit/s the service may be inaccurate regarding exact speed since it depends too much on the local computer and web browser performance. It requires Flash in the browser in order to work.

For mobile and wireless networks it is usually quite good.

Fixed network

SUNET had 2 x 40 Gbit/s connection to NORDUnet but now even more.

SunetC statistics

The Uppsala University network (UpUnet) had 2 x 10 Gbit/s bandwidth to OptoSUNET but are now connected to SunetC with 2 x 100 Gbit/s.

BMC-campus-router has 2 x 10 Gbit/s to the rest of Uppsala University network (UpUnet) for the BMC-router and 4 x 10 Gbit/s for the BMC-hall-routers.

BMC has internally in the building either 10 Gbit/s, multiple 1 Gbit/s or single 1 Gbit/s bandwidth to the cross connect cabinet distribution switches. BMC linkstatus

The network sockets at BMC are connected via either 100 Mbit/s (Fast Ethernet) or 1 Gbit/s (gigabit Ethernet) to the edge switches. If you only have Fast Ethernet and need gigabit let us know at A few servers have 10 Gbit/s or multiple 1 Gbit/s.

The network in BMC is built by Cisco equipment. Over the years we seem to have acquired all possible models, but mostly C5500, C3500, C2980, C2950, C2960, C2960S, C2960X, C2960XR. Our oldest Fast Ethernet switches - C5500, C3500 and C2980 - are currently being replaced (2015).

Due to lack of staff resources this has been postponed. We will hopefully continue the upgrade in 2017-2018 and then also include replacement of all of the C2950 and C2960 switches. Only C2960S, C2960X and C2960XR are left of the old.

New cross connect cabinets are built with 10 Gbit/s or dual 1 Gbit/s uplink and flexstacked C2960X with 1 Gbit/s to the clients. Old switches without flexstack are connected via EtherChannel to the stack or have direct connections to the router.

The idea with the network topology is that no switch failure should bring down any other switch. No single interface or transceiver (SFP/SFP+/GBIC) failure should interrupt any switch. The BMC-router is the big exception but Cisco 6500 series are in general quite reliable and can have multiple boards/interface cards. It is equipped with redundant power supplies and is connected to a small dedicated UPS.

Wireless network

Most of the wireless access points in BMC are Cisco AP1131 with support for IEEE 802.11a/b/g up to 54 Mbit/s but in practice less. We have a few Cisco AP2602i with support for IEEE 802.11a/b/g/n which are slightly faster, but usually not above 80-100 Mbit/s since most of them are limited by their connection to 100 Mbit/s PoE Fast Ethernet anyway.

22. Connect to eduroam using iPhone with iOS 10

See also: How do I use Eduroam, the wireless network, in Windows?

Instructions how to connect to eduroam using an iPhone with iOS10.

1. First, open "Settings". Then select "Wi-Fi". Select "eduroam".

2. Enter your AKKA-id followed by "" and then enter your password B.

If you have forgotten your password B you can reset it using and password A.

3. Click to trust the certificate. After this step the phone should connect to eduroam. It might take 30-60 seconds.

If it doesn't work, try to reboot the phone and repeat the procedure.

If it still doesn't work, you can try to reset the network settings (Allmänt / Nollställ / Nollställ nätverk). Beware though that if you do this you'll need to enter all Wi-Fi-passwords again on all networks.

23. How do I use an Apple AirPort Time Capsule?

See also: What is ransomware and CryptoLocker?
See also: What should I think about when adding my own network printer?

Please do not buy one of these for use at BMC! Your Local IT must be involved and usually does not allow these on the network. For large parts of BMC this is BMC-IT, Rudbeck-IT, IT-division/UADM/EP or Uppsala University Library and as far as I know none of us allow or recommend these. (2018-09-21)

Apple Airport Time Capsule is a great tool for a home or small office, providing simple backup, Wi-Fi hotspot and NAT-router all in one.

But we really recommend a normal external hard drive for backup. Keep one at home and one at work.

Also be aware that a backup where the client has full write access to the backup and can erase old versions of it does not protect against ransomware attacks. The attacker may destroy old backups from the compromised client.

Here is a summary of what the problems may be with this kind of equipment:

SUNET and the Security and safety division at Uppsala University require that it is possible to identify which user is doing what on the network. NAT (in this level of home or small office equipment) is hiding this.

Read the Riktlinjer för säkerhetsområdet and the document UFV 2016/1944 Anskaffning och drift av IT-system in particular section 4.4 Anslutning till universitetets datornät.

Apple AirPort has built in DHCP-server. When connected the wrong way (NAT-ports) to the department network the device will give IP-addresses to the other computers on the network. This will mess up the network. In the best case (when both WAN- and LAN-ports are connected at the same time to the department network) all that happens is that all traffic will pass through the Apple AirPort which will then act as a bottleneck. In the worst case (only LAN-ports are connected to department network) nothing will work and the whole department network will go down.

Wi-Fi hotspot
The Uppsala University IT-division is responsible for setting up Wi-Fi hotspots all over the Uppsala University campuses. The frequencies have been planned so that they do not interfere with each other. Even when using a frequency that is not the same as that of the closest hotspot, it may interfere with the frequencies of other hotspots further away (but still in range).

Stability problems
We have been running backups for many clients on several Mac servers using the same technology. Experience has shown that, although not very often, backups using Time Machine over the network may become corrupt. Then the backup is not worth much. The problems may or may not be related to the use of a flaky network adapter (in particular the USB-Ethernet adapter used by MacBook Air).

Sharing the effort of building stable networks
By using the university's centrally managed DHCP-server and routers it is possible to help each other with management. Both the IT-division and the BMC-IT can help with finding problems with the network. When using this kind of small office / home office equipment it is really hard for somebody else to know what is going on. You are on your own.

It may be theoretically possible to turn off all server functions including NAT/Wi-Fi and then secure it with accounts, but it may not be worth the effort. When doing that (turning off NAT so that it only acts as a network bridge, and turning off Wi-Fi), make sure that the AirPort does not mess up the network if the settings are reset for some reason: only attach the WAN port to the department LAN. The equipment is best used at home or at a small office.

At least these things have to be done:

  1. Turn off NAT and DHCP-functionality.
  2. Turn off Wi-Fi.
  3. Set up with account and password protection.
  4. Set up internal firewall in the equipment so that no one outside the department network can access it.
  5. If that does not work:
    1. Set a fixed IP for the device
    2. Set up the campus router filter so that no one outside the department network can access it.
  6. Actually set up both internal firewall and router filter if possible.
  7. Make sure that the firewalls are working.
  8. Make sure only the user creating the backups can access them.

This list is not guaranteed to be complete.

Our suggestion is to move the equipment to the home office for a backup when working at home. Then get another hard drive for the office.

If you need better Wi-Fi coverage contact and then we can together with IT-division hopefully improve the location and coverage of the Wi-Fi hotspots.

So what to do instead?

  1. Get a normal hard drive and use Time Machine on that one. Get a hard drive at home and one at work. This will hopefully give a backup of the whole computer in two different places.
  2. Store important data on a file server. Like the HNAS file server at the university.

24. Are there any desktop phones using the mobile network?

The costs for wired analog telephones are increasing compared to mobile phones. The cost for moving a mobile phone is obviously a lot smaller than for a wired phone.

Please read the pricelist for phone services at the university (in Swedish).

We have found two models of desktop phones that use the mobile telephone network (3G/UMTS) which can be bought via the university. (2018-09-11)

Do also consider a cheap and simple mobile phone for each employee.

  • Huawei F617-20 Desktop Phone Generic 818 SEK (2018-09-11)

  • Jablocom Essence Desktop Phone 1580 SEK (2018-09-11)

    Here are the same kind of mobile desktop phones at Dustin

    Please note, we cannot buy phones from Dustin.

    25. How do I install Ubuntu?

    See also: Add a printer in Ubuntu 14.04
    See also: Print using UserCode for Ubuntu
    See also: How do I mount SMB share in Linux?
    See also: Do you have a virtual machine (server) I can use?
    See also: How do I configure my resolver on a Linux machine?

    This is documentation for a network installation of Ubuntu on the BMC network using the BMC-IT network boot menu over PXE. This applies to physical PCs or VirtualBox.

    You can always do a manual installation. Just download the DVD from Ubuntu and install. Skip a few steps in the instructions below.

    1. Netboot the computer, usually by pressing F12 at BIOS boot time.
    2. In the PXE-boot menu, start the latest and greatest Ubuntu installation. For example start a text installation of Ubuntu 18.04 Bionic Beaver x64 Mini:

      l          Local Boot (default)
      m          Memtest86
      mdtmt      Windows 10 Enterprise x64 (Mediatek network)
      c74        CentOS 7.4 x64 Netboot
      c73iso     CentOS 7.3 x64 Minimal ISO
      debian74   Debian Netinstall 7.4 AMD64
      sl65       Scientific Linux 6.5 x64
      sl65kick   Scientific Linux 6.5 x64 kickstart
      u1604live  Ubuntu 16.04 "Xenial Xerus" x64 Mini Remix Live
      u1704mini  Ubuntu 17.04 "Zesty Zapus" x64 Mini
      u1710mini  Ubuntu 17.10 "Artful Aardvark" x64 Mini
      u1804mini  Ubuntu 18.04 "Bionic Beaver" x64 Mini
      boot: u1804mini_

    3. Step through the text installation. Activate automatic updates.
    4. Please name the computer TLA-SERIALNUMBER where TLA is your department's unique three-letter acronym and SERIALNUMBER is the computer serial number.
    5. If you want to keep the Windows installation, if there is one on the computer, you can resize the existing partitions.
    6. You can choose several different desktop environments, but I recommend beginning with the standard Ubuntu desktop. This is what the Xubuntu desktop looks like in VirtualBox running in macOS:

    Installing in VirtualBox

    If you install in VirtualBox, remember to install the VirtualBox Guest Additions to enable shared clipboard and files between the host and guest OS.
    1. The CD is mounted automatically by VirtualBox. If everything works fine Ubuntu will find the CD and ask you for permission to install the guest additions. Just go ahead.
    2. Otherwise, try to mount the CD via the menu in VirtualBox with Devices - Insert Guest Additions CD image.... Continue as above.
    3. And finally if the autorun does not execute but the CD has been mounted, you can manually run the installation:
      cd /media/jerker/VBOXADDITIONS_4.3.28_1003095
      sudo ./

    26. How do I connect to the VPN using Ubuntu?

    See also: How to connect with VPN using AnyConnect in Windows
    See also: How do I set firewall rules in Linux to block SSH?
    1. First apply for the VPN-service. Go to VPN service at Medarbetarportalen and follow instructions in the section Application for VPN service.

    2. Then install the openconnect client:

      sudo apt-get install network-manager-openconnect-gnome

    3. From the menu choose Edit connections...

    4. Select Add

    5. Select the Cisco AnyConnect Compatible VPN (openconnect) connection type.

    6. Edit your connection by naming it (VPN.UU.SE in this example) and then enter the gateway

    7. The new connection will now show up in the Network Manager menu. Open it.

    8. Enter your username and password A and if you dare select Save passwords.

    9. It worked!

    10. Check your new IP-address:

      ip addr list vpn0

    11. You can also go to websites like to see where you are connecting from.

    27. How do I install Adobe CC Complete (Photoshop, Illustrator...) in Windows?

    See also: How much do Adobe Photoshop and Illustrator cost?
    See also: How do I sign my documents with an electronic signature?

    For Windows computers that have a Zenworks agent it is quite easy.

    1. First restart computer if it has any pending upgrades. Otherwise the installation will fail.

    2. Open the Adobe Complete application in the Zenworks window.

    3. Answer OK once.

    4. Answer OK twice.

    5. Wait a very long time (all files are around 14.5 GB) for everything to install. The files are read from a file server so you have to be connected to the university network.

    6. It is possible to open a ZENworks progress window from the status bar. Step 7 of 8 will take a very long time.

    Normally in Zenworks everything may be loaded over the Internet, but in this case, since the package is so large, for technical reasons we choose to install it directly from a file server.

    When installing the bundle a request for registration of licenses will be automatically sent to who will confirm the registration at appropriate group or department.

    For Windows computers that do not run the Zenworks agent, the same package can be installed by a system administrator. Also contact for this.

    For macOS this installation is more or less manual. Contact

    28. What fun things can I do with Systemd in Linux?

    Figure out what is taking so long to start:

    # systemd-analyze blame
    1min 46.945s kdump.service
    13.838s network.service
    873ms postfix.service
    602ms dev-md126.device
    285ms systemd-udev-trigger.service
    258ms tuned.service
    186ms systemd-fsck-root.service
    55ms httpd.service
    ...
    # _

    Check how a service is doing:

    # systemctl status httpd
    httpd.service - The Apache HTTP Server
       Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
       Active: active (running) since Fri 2017-04-14 05:22:28 CEST; 3 weeks 5 days ago
         Docs: man:httpd(8)
               man:apachectl(8)
      Process: 6484 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
      Process: 14190 ExecReload=/usr/sbin/httpd $OPTIONS -k graceful (code=exited, status=0/SUCCESS)
     Main PID: 6489 (httpd)
       Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
       CGroup: /system.slice/httpd.service
               6489 /usr/sbin/httpd -DFOREGROUND
               14198 /usr/sbin/httpd -DFOREGROUND
               14199 /usr/sbin/httpd -DFOREGROUND
               14201 /usr/sbin/httpd -DFOREGROUND
               14202 /usr/sbin/httpd -DFOREGROUND
               14203 /usr/sbin/httpd -DFOREGROUND
    Apr 14 05:22:28 systemd[1]: Starting The Apache HTTP Server...
    Apr 14 05:22:28 systemd[1]: Started The Apache HTTP Server.
    Apr 16 08:47:01 systemd[1]: Reloaded The Apache HTTP Server.
    Apr 24 05:52:36 systemd[1]: Reloaded The Apache HTTP Server.
    Apr 30 07:05:06 systemd[1]: Reloaded The Apache HTTP Server.
    May 07 08:18:32 systemd[1]: Reloaded The Apache HTTP Server.
    # _

    Start, stop and restart units (services):

    # systemctl stop httpd
    # systemctl start httpd
    # _

    Change the default device timeout for slow file systems like btrfs with a lot of snapshots: (ArchLinux Wiki about Fstab)

    # grep timeout /etc/fstab
    LABEL=data7 /data7/ btrfs compress,noatime,x-systemd.device-timeout=0 1 2
    # _

    29. How do I change the Mac computer name, host name and NetBIOS-name?

    See also: What is my computer name in Windows?
    See also: How do I find the serial number on macOS?
    See also: How do I install anti-virus software on macOS?

    In macOS, change the computer names in the system settings, in the Share (Delning) dialog.

    The university name standard begins with an identifier for each department and then a dash and a unique identifier. At BMC-IT and the departments we support we continue with the computer serial number like this:

    1. Begin with a TLA - the three letter acronym (Neuroscience - INV, Medical Biochemistry and Microbiology - IMB, Pharmaceutical biosciences - FBV, Medical Cell Biology - MCB, Uppsala Biomedical Centre - BMC, Public Health and Caring Sciences - IFV, etc)
    2. Then a dash -.
    3. Then the serial number max 11 characters (cut away the leading ones to keep the usually significant ones)
    4. The full computer name should be 15 characters or less (to not generate possible problems in old network sharing protocols like WINS... In a couple of years, when WINS is totally gone, then this rule most probably can be ignored)

    The host name is however picked up from the DHCP-server. It is used as a prompt in the command line. With dynamic DHCP the IP and the host name may change from time to time. So to get a consistent hostname set it manually like this; in this example BMC-COVFEFE is used as hostname, but please use your own instead!

    The terminal may look like this:

    $ scutil --get HostName
    HostName: not set
    $ sudo scutil --set HostName BMC-COVFEFE
    Password:
    $ sudo scutil --set ComputerName BMC-COVFEFE
    $ sudo scutil --set LocalHostName BMC-COVFEFE
    $ scutil --get HostName
    BMC-COVFEFE
    $ scutil --get ComputerName
    BMC-COVFEFE
    $ scutil --get LocalHostName
    BMC-COVFEFE
    $ _

    Also check and set the NetBIOS-name. It may or may not be the same as the computer name and host name. The default is the same as the hostname but if this has been changed before it may be something else. Change it like this:

    The NetBIOS-name can be changed in the terminal as well like this:

    $ sudo defaults write /Library/Preferences/SystemConfiguration/ NetBIOSName BMC-COVFEFE
    $ defaults read /Library/Preferences/SystemConfiguration/ NetBIOSName
    BMC-COVFEFE
    $ _

    30. How do I set firewall rules in Linux to block SSH?

    See also: How to connect with VPN using AnyConnect in Windows
    See also: How do I connect to the VPN using Ubuntu?

    This is an example of how to set firewall rules in Linux. The iptables commands below first open incoming port 22/tcp (SSH) for the university network and then drop all other traffic to that port.

    The first command (iptables) adds a rule (-A) to the input chain (INPUT) for protocol tcp (-p tcp) on the incoming (--destination-port) port for SSH (22) with a source (-s) in the university network (130.238/16), telling it to accept the packets (-j ACCEPT).

    The second command just drops everything else arriving on that port.

    # iptables -A INPUT -p tcp --destination-port 22 -s 130.238/16 -j ACCEPT
    # iptables -A INPUT -p tcp --destination-port 22 -j DROP

    How to save the rules is different between different distributions. In CentOS 7 I use the command service iptables save. In Ubuntu/Debian, install the package iptables-persistent and then run the command iptables-save > /etc/iptables/rules.v4. Reboot computer to see that the firewall rules stick.

    To see the current firewall rules run this command:

    # iptables -L -n
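
    iptables uses the first rule that matches, and -A appends to the end of the chain, so rules that were already in INPUT can make the two rules above ineffective. The script below is an added example, not part of the original FAQ: it checks the rule order in the output of iptables -S INPUT; the function name, the verdict words and the sample rule sets are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original FAQ.
# Checks the order of the SSH rules in `iptables -S INPUT` output.

# Assumption: iptables -S prints the FAQ source 130.238/16 in this form.
UNIV_NET='130.238.0.0/16'

# check_ssh_rules: reads `iptables -S INPUT` lines on stdin, prints a verdict.
#   ok          university ACCEPT is reached before the catch-all DROP
#   drop-first  a catch-all DROP/REJECT for 22/tcp is reached first
#   open        22/tcp is accepted from any source
#   no-drop     no catch-all DROP for 22/tcp, the chain policy decides
# Limitation: only plain "-s NET -p tcp --dport 22" rules are understood;
# negated matches, multiport and jumps to user chains are ignored.
check_ssh_rules() {
    awk -v net="$UNIV_NET" '
        verdict != "" { next }            # the first decisive rule wins
        $1 == "-A" && $2 == "INPUT" {
            src = ""; proto = ""; dport = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s")      src    = $(i + 1)
                if ($i == "-p")      proto  = $(i + 1)
                if ($i == "--dport") dport  = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (proto != "tcp" || dport != "22") next
            if (target == "ACCEPT" && src == "")
                verdict = "open"
            else if (target == "ACCEPT" && src == net)
                seen_accept = 1
            else if ((target == "DROP" || target == "REJECT") && src == "")
                verdict = seen_accept ? "ok" : "drop-first"
        }
        END { print (verdict != "" ? verdict : "no-drop") }
    '
}

# Constructed samples (not captured from a real host).

# The two FAQ commands run against an empty INPUT chain.
sample_good() {
    printf '%s\n' \
        '-P INPUT ACCEPT' \
        '-A INPUT -s 130.238.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 22 -j DROP'
}

# The same commands appended after an older catch-all DROP for SSH.
sample_drop_first() {
    printf '%s\n' \
        '-P INPUT ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 22 -j DROP' \
        '-A INPUT -s 130.238.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 22 -j DROP'
}

# The same commands appended after an older allow-all rule for SSH.
sample_open() {
    printf '%s\n' \
        '-P INPUT ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' \
        '-A INPUT -s 130.238.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 22 -j DROP'
}

# Show the verdict for each constructed sample.
for s in sample_good sample_drop_first sample_open; do
    printf '%-18s %s\n' "$s" "$($s | check_ssh_rules)"
done

# On a live host, as root:  iptables -S INPUT | check_ssh_rules
```

    The check covers IPv4 only; IPv6 traffic is filtered by ip6tables, which has its own INPUT chain.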

    Also, to limit which accounts can login via SSH you can use the AllowUsers keyword in /etc/ssh/sshd_config like this:

    AllowUsers myaccount

    To allow more users:

    AllowUsers firstaccount secondaccount

    Restart or reload sshd or restart computer to use the new configuration for sshd.

    Read more about iptables at the Netfilter homepage.

    31. How do I configure my resolver on a Linux machine?

    See also: My Internet does not work! How can I find the problem?
    See also: How do I install Ubuntu?
    See also: How do I get deduplication to work in Linux?

    The university has a couple of resolvers which are referred to by

    $ host
    has address
    has address
    has address
    has IPv6 address 2001:6b0:b:215:130:238:4:133
    has IPv6 address 2001:6b0:b:732:130:238:164:6
    has IPv6 address 2001:6b0:b:242:130:238:7:10
    $ _

    Historically the host name lookups in Linux were done by the resolver. No resolver was running and no cache existing locally in the machine. The resolvers were put in /etc/resolv.conf, either statically (manually) or via DHCP.

    The problem with this approach is that if the first in the list of external resolvers cannot be reached the timeout is defaulting to 5 seconds with 2 attempts. This means that if the first server is down there will be a timeout up to 2*5=10 seconds. When a resolver is failing most things using the network will get slow and not work very well. This can be decreased but not eliminated by adding a shorter timeout to /etc/resolv.conf:

    options timeout:1 attempts:1 rotate

    Using dnsmasq as a forwarding resolver

    Another, better, solution is to run dnsmasq in Linux. Dnsmasq will get you:

    1. Faster failover.
    2. Local cache.
    3. A well behaved client using central resolvers. (No problems with split-DNS, firewalls or router filters)

    This is how it looks like in CentOS 7 when not using NetworkManager (most common on servers) and using DHCP. It will replace the first nameserver with the local dnsmasq. This works for a server always located on the UpUnet network.

    Here we also add the Google public resolvers. But please note, if you add those you cannot reach local split-DNS, like the Windows-domains or other local networks (RFC1918). Also check that you have access (not blocked by router filter or firewall) to the Google public resolvers before you add them.

    $ yum install dnsmasq
    $ echo 'resolv-file=/etc/resolv.dnsmasq' > /etc/dnsmasq.d/resolv.file
    $ echo 'DNS=' >>/etc/sysconfig/network
    $ host | grep -v IPv6 | awk '{print "nameserver " $4}' >/etc/resolv.dnsmasq
    $ echo 'nameserver' >>/etc/resolv.dnsmasq
    $ echo 'nameserver' >>/etc/resolv.dnsmasq
    $ _

    If you are running a totally static setup without NetworkManager you need to manually add the resolver first in resolv.conf instead of adding it to the /etc/sysconfig/network configuration file.

    $ sed -i '1i nameserver' /etc/resolv.conf
    $ _

    Most clients use NetworkManager. For a client moving around between networks you need to get the recommended resolvers from DHCP but also insert the dnsmasq resolver first. NetworkManager has built in support for dnsmasq. Simply adding dns=dnsmasq to the [main] section and then restart NetworkManager should solve it.

    [main]
    dns=dnsmasq

    Also check that dnsmasq does not have the option bogus-priv activated in /etc/dnsmasq.conf, otherwise queries about the local networks (RFC1918) will be blocked with answer NXDOMAIN in dnsmasq. These are used in the university network so they should not be blocked between client and resolver. The default in CentOS 7 is to not have bogus-priv activated which is fine. Otherwise, comment it out with:

    $ sed -i 's/\(^bogus-priv\)/#\1/1' /etc/dnsmasq.conf
    $ _

    Using Bind as a local resolver

    If you want to maximize reliability then nothing beats a local resolver. Just run BIND and set it up to only listen to the local machine (or local HPC cluster). On the university network, this usually requires openings in the router filters and perhaps firewalls in order to send UDP traffic in and out. Only do this if you do not want to pester the university resolvers with all your requests, like when you are running an HPC cluster connected to the USER-AD, doing statistics for a lot of webserver logs or something else similar.

    32. What should I think about when adding my own network printer?

    See also: What do the different symbols in BlueCat mean?
    See also: How do I use an Apple AirPort Time Capsule?
    See also: How do I use AddPrinterGUI to add printers in Windows 7/8/10 x64?
    See also: How do I add a macOS printer at IMBIM?

    Be aware that Uppsala University already has a central printing system currently called eduPrint. Getting your own printer is in general counterproductive.

    1. The printer should in general be configured to use DHCP. In order for the printer to get an IP-address the MAC-address should be added to the DHCP-server on the network. This is in general the central IPAM-system called Bluecat.
    2. Close down any older or unused protocols on the printer that are not in use, like telnet or FTP. No other services than those to be used should be open at the printer.
    3. Set up a local firewall on the printer and only allow the networks that should be able to print directly to the printer.
    4. Check that the manufacturer has working drivers or instructions for at least macOS, Windows and Linux (RHEL/CentOS).
    5. Check that the PostScript module is added to the printer. Double check this when the computer has arrived. This makes printing on macOS work better or, on some models, work at all.
    6. For scanning purposes, use the central mail server called As a sender for the mail use the receiver's own mail-address or create a special account for this. The sender must be accepted at the university mail servers. People receiving mail will eventually reply to this sender so the behaviour should be known - do not send everything to a black hole for example.
    7. For searching use the catalogue LDAP-server at or maybe the Active Directory LDAP-servers at For the latter an account is needed for access so create a function account for this.
    8. Set up logging for the printer to using the syslog protocol.
    9. Set up a unique password for the department printers. Make sure the default passwords are removed. Make sure the IT-support knows about the passwords.
    10. Make sure to update the firmware on the printer regularly in order to follow normal security guidelines.

    33. How do I add a macOS printer at IMBIM?

    See also: What should I think about when adding my own network printer?
    See also: How do I change default settings for a printer in macOS?
    See also: How do I change default settings for a printer in Windows?

    Imbim has new printers since 2018-03-22. Users with macOS clients need to reinstall the printers. Remove old Imbim printers before installing new ones. Depending on your macOS version, you may need to install a printer driver before installing the printer. See instructions below.

    One of the old printers remains (D9:4). That printer can still be used as before, without any changes.

    Important! You need to be connected to the Imbim network via cable to print using these printers. If you're not, use the central printing system for the university, eduPrint!

    Remove an old printer
    • Click on "System Preferences..." in the Apple menu.
    • Click on "Printers & Scanners"
    • Click on the printer you wish to delete on the left side.
    • Click on the minus sign in the lower left corner and click on "Delete Printer".
    Install printer drivers
    Install a new Imbim printer
    Click on a link below to download an installation package for all or individual Imbim printers. Run the installation package by double clicking it and follow the on screen instructions.
    Change default settings for a printer
    Select your computer's OS below to view instructions for how to change the default settings for a printer.

    34. What is ransomware and CryptoLocker?

    See also: My computer has got a virus! What do I do?
    See also: How to use the IBM Spectrum Protect (Tivoli Storage Manager aka TSM)
    See also: How do I use an Apple AirPort Time Capsule?
    CryptoLocker is a ransomware trojan that targets computers running Microsoft Windows.
    - Wikipedia on CryptoLocker

    CryptoLocker and TorrentLocker infect computers running Windows via seemingly innocent email with links or attachments. Other ransomware attacking Mac has appeared too.

    Read more about ransomware, TorrentLocker and CryptoLocker on Wikipedia.

    To be infected, the receiver has in most cases actively tried to open and execute the payload. The payload may be disguised as a Word-document, a script or something that gives the impression that it is innocent. Do not open files or attachments you have not requested!

    This (the example above in Microsoft Word) is not safe! Please be careful with Office files that require you to Enable Content. Enabling content may make it possible for evil macros to execute in Office allowing the attacker to take control of your computer.

    This (the example above from Windows File Explorer) is an example of an opened .zip-file. .zip-files are not dangerous in themselves. A .zip-file is just a way of storing one or many files in one compressed file, but it may be a way to bypass other simple security checks. For example the anti-virus software may warn when downloading an .exe-file but may not warn when downloading a .zip-file.

    This (the icon above) is an example of what a .js-file looks like in File Explorer. Such a file is run by the Windows Script Host (wscript/cscript) and may download further potentially evil binaries. Windows Script Host will also run .jse and .wsf-files. Also note that a long file name like faktura.pdf.js may hide the real extension in File Explorer and show up as faktura.pdf, which is misleading. The real file name extension is hidden.
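
    As an added illustration of the two paragraphs above (not part of the original FAQ), this Python example checks attachment names for the Windows Script Host extensions named here, reports a hidden double extension such as faktura.pdf.js, and also checks the names inside a .zip-file. The decoy extension list, the depth and size limits and the sample archive are assumptions constructed for the example.

```python
import io
import zipfile
import zlib

SCRIPT_HOST_EXTS = {".js", ".jse", ".wsf"}  # run by wscript/cscript (from this page)
EXECUTABLE_EXTS = {".exe"}                  # also mentioned on this page
# Assumption: document-like extensions used as the visible, harmless-looking part.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
MAX_DEPTH = 2                   # assumption: how many nested archives to open
MAX_MEMBER_BYTES = 5 * 1024**2  # assumption: do not read very large members


def _basename(name):
    # Windows ignores trailing dots and spaces, so "a.js. " is still a .js file.
    return name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(" .")


def explorer_display_name(name):
    """Name File Explorer shows when the real extension is hidden."""
    base = _basename(name)
    stem, dot, _ext = base.rpartition(".")
    return stem if dot and stem else base


def classify(name):
    """Return findings for one file name; an empty list means nothing flagged."""
    exts = ["." + p for p in _basename(name).lower().split(".")[1:] if p]
    if not exts:
        return []
    findings = []
    if exts[-1] in SCRIPT_HOST_EXTS:
        findings.append("script-host")
    elif exts[-1] in EXECUTABLE_EXTS:
        findings.append("executable")
    if findings and len(exts) >= 2 and exts[-2] in DECOY_EXTS:
        findings.append("double-extension")
    return findings


def scan_attachment(filename, data, prefix="", depth=0):
    """Classify an attachment and, if it is a zip, every file inside it."""
    results = []
    findings = classify(filename)
    if findings:
        results.append((prefix + filename, findings))
    buf = io.BytesIO(data)
    if depth < MAX_DEPTH and zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                inner = b""
                if info.file_size <= MAX_MEMBER_BYTES:
                    try:
                        inner = zf.read(info)
                    except (RuntimeError, zipfile.BadZipFile, zlib.error):
                        pass  # encrypted or damaged member: the name is still checked
                results.extend(
                    scan_attachment(info.filename, inner,
                                    prefix + filename + "!", depth + 1))
    return results


def build_sample_zip():
    """Constructed sample archive with harmless placeholder content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("faktura.pdf.js", "// constructed placeholder, no real code\n")
        zf.writestr("readme.txt", "constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for path, findings in scan_attachment("faktura.zip", build_sample_zip()):
        shown = explorer_display_name(path.rsplit("!", 1)[-1])
        print(f"{path}: {', '.join(findings)} (Explorer shows: {shown})")
```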

    Even though ransomware in itself can easily be removed, the files stay encrypted, waiting for a ransom to be paid in order to get the decryption key.

    How to not get infected

    • Do not execute programs or even open attachments that random people have sent you.
    • Please don't do it.
    • If you have any suspicions regarding something you received via mail contact (BMC-IT).
    • Please forward the evil mail to Then the Uppsala University Security Division may adjust the rules for the mail filter and network firewall.

    What to do if infected

    1. Turn the computer off.
    2. Contact your local IT ( for help.
    3. Forward the evil mail to so that the Uppsala University Security Division may adjust mail filter and network firewall rules.
    4. Change your passwords at the university. Change all passwords for all sites that you have automatically saved in your browser.
    5. In general, reinstall computer and restore data from backups or snapshots.

    Lessons to be learned from CryptoLocker

    • Use a file server with snapshots for storing data you do not want to lose. For example the central university HNAS file server stores snapshots for up to a month by default.
    • Everything locally on the computer running in the same security context as the user is not safe.
      • This means that local previous versions / snapshots are not safe, if the users can turn them off. But having these is better than not.
      • This also means that backups like Time Machine, Cobian or similar where the system stores a copy of the files on another storage place are not safe, unless the backup storage is snapshotted outside of the user's security context.
      • If you store extra backups of your files on external USB-attached storage, do not keep it plugged in all the time. Keep a couple of them in rotation so that you can go back to an older version.
    • Already taken backups should not be allowed to be overwritten from the client. This can be accomplished by for example using snapshots on the backup storage, like on a file server.
    • Even more advanced backup systems like TSM may not be safe since they only store a limited number of versions of each file. If the ransomware encrypts the files and then makes some small updates to each file every day, then after the limited number of days has passed, all old uncorrupted versions will be gone.

    Also read more

    Read more from Europol's European Cybercrime Centre with friends at the No More Ransom! website.

    The Uppsala University Security Division has courses in basic information security (in Swedish). Each chapter takes just 2-4 minutes. There are 16 chapters in total.

    35. How do I configure IPMI for remote management?

    See also: Who is responsible for the network in the BMC server room?

    It is generally recommended to not expose the management interface for servers to the Internet. Not only do some computers come pre-configured with a default login and password, but the embedded software may also have vulnerabilities that are not patched as fast as normal operating systems or in some cases are not patched at all.

    Most servers with IPMI can change the IPMI out-of-band communication to go via a dedicated network. This is usually done in BIOS. Use a dedicated network or dedicated VLAN for this. In order to not let the servers expose themselves to each other use the Private VLAN (protected ports) feature in the switches. Read about Private VLAN in Wikipedia.

    This is how to get the current settings in Linux:

    ipmitool lan print

    Change to using DHCP instead of Static:

    ipmitool lan set 1 ipsrc dhcp

    Setting the LAN MAC Address:

    ipmitool lan set 1 macaddr 00:25:90:12:34:56


    Some Supermicro servers come pre-configured with failover IPMI meaning that the out-of-band communication for IPMI will share the same network connection as the server is normally using.

    This is quite unsafe and will expose IPMI with default login and password via the normal network. This can be changed with these commands in Linux:

    Dedicated:

    ipmitool raw 0x30 0x70 0x0c 0x01 0x00

    Shared with LAN1:

    ipmitool raw 0x30 0x70 0x0c 0x01 0x01

    Failover:

    ipmitool raw 0x30 0x70 0x0c 0x01 0x02

    Even with correct router filters the management interface is not protected from traffic originating in the same VLAN. In addition to router filters blocking all traffic (except to clients using the management console) also set up a local firewall in the management interface, for example by following these instructions.
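
    As an added example (not part of the original FAQ), this Python code audits the settings discussed above from saved ipmitool output: it parses "ipmitool lan print", decodes the Supermicro LAN mode byte and reports a non-dedicated mode, an address outside RFC1918 and a static address source. The sample output is constructed, and the mode byte is assumed to have been read with the "get" form of the same Supermicro raw command (0x30 0x70 0x0c 0x00), which is not shown on this page.

```python
import ipaddress

# Supermicro LAN mode byte: the last byte of the raw "set" commands on this page.
LAN_MODES = {0x00: "dedicated", 0x01: "shared with LAN1", 0x02: "failover"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of `ipmitool lan print` output; all values are made up.
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Enable        : Callback : MD5
                        : Admin    : MD5
IP Address Source       : Static Address
IP Address              : 192.0.2.45
Subnet Mask             : 255.255.255.0
MAC Address             : 00:25:90:12:34:56
Default Gateway IP      : 192.0.2.1
"""
SAMPLE_LAN_MODE = " 02\n"  # constructed reply to the assumed "get" raw command


def parse_lan_print(text):
    """Turn 'Key : value' lines into a dict, folding continuation lines."""
    fields, last_key = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split at the first colon only
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key:
            fields[key] = value
            last_key = key
        elif last_key:  # line with an empty key continues the previous field
            fields[last_key] += "; " + value
    return fields


def parse_lan_mode(raw_reply):
    """First hex byte of an `ipmitool raw` reply, e.g. ' 02' -> 2."""
    tokens = raw_reply.split()
    if not tokens:
        raise ValueError("empty reply from ipmitool raw")
    return int(tokens[0], 16)


def audit(lan_print_text, raw_reply):
    """Return (code, message) findings for the settings this FAQ warns about."""
    fields = parse_lan_print(lan_print_text)
    findings = []

    mode = parse_lan_mode(raw_reply)
    if mode != 0x00:
        name = LAN_MODES.get(mode, f"unknown (0x{mode:02x})")
        findings.append(("lan-mode", f"LAN mode is {name}: IPMI can share "
                         "the network port the server normally uses"))

    try:
        ip = ipaddress.ip_address(fields.get("IP Address", ""))
    except ValueError:
        findings.append(("ip-missing", "no valid IP address in lan print output"))
    else:
        if ip.is_unspecified:
            findings.append(("ip-unset", "IPMI address is not configured"))
        elif not any(ip in net for net in RFC1918):
            # is_private is not used: it also accepts ranges outside RFC1918.
            findings.append(("ip-public", f"{ip} is not an RFC1918 address"))

    if fields.get("IP Address Source", "").lower().startswith("static"):
        findings.append(("ip-static", "address source is static; switch with "
                         "'ipmitool lan set 1 ipsrc dhcp' if DHCP is wanted"))
    return findings


if __name__ == "__main__":
    for code, message in audit(SAMPLE_LAN_PRINT, SAMPLE_LAN_MODE):
        print(f"[{code}] {message}")
```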

    36. I need a new subnet and a new VLAN!

    See also: We have a server, where should we put it?
    See also: What Internet bandwidth does the university have?
    • For networks connected to the BMC-hall-routers (in the BMC D11:0 server room) contact UUIT Netsupport.
    • For networks connected to the BMC-routers (everywhere else in BMC) contact
      1. First find out how many IP addresses you need (remember to fix DNS and perhaps DHCP)
      2. Then contact BMC-IT to see if there are any spare ranges
      3. Together with BMC-IT contact UUIT Netsupport to get new assignment

    37. Who is responsible for the network in the BMC server room?

    See also: We have a server, where should we put it?
    See also: Open the server room for me please
    See also: How do I configure IPMI for remote management?

    Physical Network

    Netsupport is responsible for the server room routers, the inter-rack connections and usually the top-of-rack switches.

    For the IP-layer there are several different options on how to setup the network.

    Currently the top-of-rack switches are usually connected with dual 1 Gbit/s connections to the server room routers (BMC-hall-routers). If there is a need for higher network connectivity please discuss with Netsupport.

    Securing the management networks

    Management ports for IPMI, LoM, RAID-controllers, dedicated NAS, etc. are quite hard to secure. In particular, IPMI may use a side-band management LAN connection. And some management controllers run their own operating system, complete with their own security problems and default passwords... This all means that the management ports have to be protected not only from the outside but maybe also from other management ports on the same network, so that an attacker cannot jump between compromised systems over the management network.

    Keeping every management controller on its own VLAN of course solves this, but it uses too many VLANs and is too hard to manage.

    On the BMC-IT management network in the server room (called BMC-hall-IPMI) we are using the private VLAN (protected ports) feature in the switches to protect the management controllers from talking to each other. This is an RFC1918 network and incoming traffic there is restricted to the workstations meant for this management.

    Good Option one - your own network

    This option is good if you have a lot of servers in the server room, perhaps your own rack with equipment.

    The users of the server room may, if needed, order their own VLAN and subnet. This VLAN will only be available in the BMC server room. Contact and discuss this with Netsupport.

    BMC-IT will for their own servers (that BMC-IT do system administration for) have two VLANs, one network for the servers and one for the management.

    Good Option two - the shared networks

    This option is good if you need to put a single server or perhaps a small number of servers in the server room.

    There are two shared networks, currently (2016-09-15) Vlan956 Public_servers_ACLed and Vlan962 Public_servers_open, which are meant for shared usage in the BMC server room, for activity that does not require its own VLAN.

    Please note that neither of these two networks has DHCP-servers activated, neither static DHCP nor dynamic DHCP. You need to set a static IP on the server without using the DHCP-server.

    The BMC-hall function at the IT-division (UUIT) and BMC is responsible for allocating IP-ranges in this network.

    The normal procedure at the university is that the ones managing a network are also responsible for managing router filter (via Netsupport), perimeter firewall (via Security and safety division), DNS and DHCP (via IPAM or UUIT/Domainmaster).

    But in this network the IP-ranges have been allocated to different users in different parts of the university organisation. Each individual system administrator using the different IP-ranges is responsible for their own activity in the IP-ranges they have been allocated. This responsibility includes managing changes in the router filter and the perimeter firewall, and managing DNS and DHCP via UUIT/Domainmaster.

    Bad Option three - the BMC network

    It is possible, but Not Recommended to attach equipment to the VLANs in BMC in the server room. The switch in one of the BMC-IT racks is connected with a single 10 Gbit/s to the campus router in BMC (BMC-campus-router). Discuss this with BMC-IT. Responsible for that VLAN is the Local IT for that VLAN (which may or may not be BMC-IT).

    The only reasons we have seen for this is for example when handling old equipment with IP-related access control or using Bonjour-based services on Mac which work best over a single VLAN/Subnet.

    It is very important to not connect equipment to both the BMC-router and the BMC-hall-routers at the same time since this may lead to STP-renegotiation which will mess up the network. Don't do this.

    Bad Option four - dedicated network for a specific VLAN

    It is possible, but Not Recommended to use a dedicated network to connect to a VLAN somewhere else in the university (or SLU) too. This is only meant for shorter periods during for example migration from one server room to another. Discuss this with UUIT/Netsupport. This configuration is only meant for a limited amount of time during a migration.

    This is bad in several ways:

    • Less availability. The network will depend on not only the server room functioning (power, cooling) but also the network in the other end (power, router, switches) where the dedicated connection terminate.
    • Complicated network. The stranger the network is setup the harder it is to maintain in the long run.
    • Limited amount of fiber. The university has a limited amount of dedicated fiber. New fiber between campuses is quite expensive.
    • Risk of network loops. There is a risk of STP-renegotiation when connecting networks from different routers together. This may lead to longer or shorter total network outages.

    It is very important to not connect equipment to both other routers and the BMC-hall-routers at the same time since this may lead to STP-renegotiation which will mess up the network. Don't do this.

    38. There is no wired network here - what to do?


    Is your room running out of network sockets? Here are your options.

    This usually happens when a room was planned for fewer people than are currently using it.

    • Use the wireless network
      This may not be an option because of low bandwidth and coverage. The wired network is usually more reliable than the wireless.
    • Use a long cable
      Figure out where the closest wired network socket is located and use a long cable. Do not do this excessively - try to keep the network cables in the same room.
    • Split the network socket
      It is possible to split a network socket (8 wires) into two (with 4 wires). This only works for fast ethernet (which is only using 4 wires) and not gigabit ethernet (which is using 8 wires). (The network connection has to be split both in the cross connect cabinet and at the network socket.)
    • Get a small switch
      We usually do not prefer a lot of small switches around in the building since it makes problems in the network quite messy to find. But using a switch on the desk where a single person or desk is using the switch and is aware that the switch exists is usually fine. Do not use long cables from desktop switches to another desk.
    • Order a new socket
      A new double network socket costs around 3000 SEK but is cheaper when ordering more at the same time.

    39. How do I uninstall the Zenworks agent?

    See also: What is ZENworks? How do I install applications via ZENworks application window?

    Zenworks is used for these major reasons:

    1. Do automatic installation of software and settings when the computer is deployed. Some of the effort in this is shared all over the university.
    2. May be used for remote interactive control by user request.
    3. Self-service installation of software by the users, even without local administrator privileges, and far away from the university network over the Internet.
    4. Do inventory. This may save a lot of time when we really need to find out exactly how many copies of a certain program are installed on the computers.

    The load of the Zenworks agent is small on a modern computer, but if the computer is very old and slow there is a chance of a noticeable performance impact. In this case you might want to uninstall the Zen agent even though this will increase the load on your local IT-support. There are often other, better ways of speeding up the computer:

    1. Make sure the computer has enough RAM. Upgrade to at least 8 GB RAM so that all programs fit in memory.
    2. Replace HDD with SSD. Solid state drives are a lot faster than rotating hard disk drives.
    3. Reinstall Windows. Windows-computers seem to get slower and slower over time. An extreme example was Windows Update in Windows XP that got glacially slow over time. This has been improved with later versions of Windows but it still exists.

    In the Zenworks console

    Anyway. The Zenworks agent is protected from uninstallation by the settings in Zenworks. A system administrator (contact has to open the client in the Zenworks console, open Settings, open Device Management, open Zenworks Agent, choose Override the System settings and enable the option Allow users to uninstall the ZENworks Adaptive Agent.

    On the computer

    1. You have to be local administrator on the computer.
    2. Refresh the Zenworks agent in the task bar.

    3. Then on the computer open Programs and Features

    4. Find the Zenworks client and choose uninstall.

    5. Check the box Local uninstallation only.

    6. Do not keep anything. Do not retain CASA.

    7. Ok, go ahead...

    8. Wait for the Zenworks Uninstaller to complete.

    9. It will probably complain about not being able to remove everything, but just go ahead and restart when done.

    10. Uninstall done.

    40. What is the point with the zone

    See also: What is Rrsync (restricted rsync)? How do I access PCFS storage over rsync?
    See also: How do I access PCFS over SMB using smbclient?
    See also: How do I mount my home directory or shared storage at HNAS?

    The initiative for the domain was taken in 2015-05 by BMC in order to get aliases with unique names for file server shares.

    For example, the file server share is named with the TLA-SHARENAME, like INV-Common. Then the CNAME will be or pointing to the current file server where the share is located.

    The reasoning behind this is the following:

    1. Get a unique name in DNS for each file server share. This will facilitate migration of file server shares to new servers.

      We (the university) had a lot of trouble with the migration from the old NetApp file server to the new HNAS file servers. This zone with an extra level of abstraction in front of the real file server names was intended as a proactive way of eliminating one part of the problem in preparation for the next file server migration. It also makes it easier for those users (research groups or departments) that wish to or have to move their share from one storage system to another.

    2. Make it work for all operating systems. There is a function in the Microsoft Active Directory (with a similar goal) called the DFS that puts all file server shares in a single name space. This however does not work all the time in all operating systems, like non-AD connected Windows-clients, macOS (not all of the time) and Linux (it depends a lot on the configuration; for example it does not work in Ubuntu out of the box).
    3. Network agnostic. Get access to the servers even from other networks where needed when the USER-AD ( is not accessible due to using split DNS and access restrictions, like UAS, SLU, UPPMAX, HPC-centers in Sweden and maybe mobile data. It is also not a requirement to use the university resolvers, it should work even if the local resolvers are down.

    41. How are the network sockets identified?

    See also: What Internet bandwidth does the university have?
    See also: My Internet does not work! How can I find the problem?
    See also: What is the name standard for network equipment on BMC.

    This is a double socket. The identifiers are written together on a sticker on the socket. This is how to decipher them:

                    Network socket identifier    Cross connect cabinet identifier
    Left socket     B1.216:05                    C1-D202-01-03
    Right socket    B1.216:06                    C1-D202-01-04

    These numbers mean that the socket is located at the B1:216 beam in the B1:2 corridor. The cross connect cabinet serving this network socket is located in C1:2 and in this case the rack called C1-D202 in the panel number 1 and socket number 3 and 4.

    Some of the sockets have room numbers instead of beam numbers where the beam numbers are not applicable.

    42. How do I activate group membership in AKKA?

    See also: Who is an employee and who is a student at the university?

    AKKA can control whether the user will get group membership to the AKKA-group of the group.

    For example a person employed at the BMC campus management will get membership into the group called AKKA - SI29_9 in USER-AD.

    This group controls access to network home directories for the department, shared folders for the group and automatic shared areas in Medarbetarportalen.

    1. You must be personal manager for the department.
    2. Get permission from the responsible person for the group. Group membership may give access (read-write) to research data belonging to the group.
    3. Find the user in AKKA. Check current status.

    4. Check the box gruppmedlemsskap

    43. What is the cost of a PC file server?

    See also: We have a server, where should we put it?

    Please note! BMC-IT has a PC storage solution service. Read more in the SOP - Common service PC file server. Also note that for home directories we recommend using the IT-division HNAS file server.

    These are examples of the costs of buying and maintaining a PC file server. The example below includes a server from Supermicro and one from HP. HP includes on-site support, Supermicro does not. Please note that TSM-backup is not included in these figures! (Prices updated in September 2016.)

    • Very cheap. Good for lots of data when the price has to be low.
    • Acceptable speed. Good bandwidth - can receive and send 1 Gbit/s (or 10 Gbit/s with appropriate network and multiple clients). Since the drives are rotating HDDs, latency is higher and IOPS are lower than with SSDs. But it works fine with large files.
    • Low availability. BMC-IT in general only does support during office hours. If the PC server totally breaks down (it may happen!) it will take some time to get service or spare parts or to restore from backups. Compare this with the IT-division HNAS file server which has built-in redundancy.
    • Linux and Active Directory. These examples use Linux (preferably CentOS 7) as an operating system, connect to the university Active Directory and work as a file server using Samba. More complex setups than this may need extra time to set up and maintain. For example running a Windows server instead of Linux requires extra costs for licenses.

    This is a Supermicro file server with enterprise drives. Includes ship-in support from Southpole.

    Normal HP file server with enterprise drives, three year next business day on-site support from HP.

    This is a Supermicro file server with archive drives.

    Cost calculator inputs:
    • Cost of a rack unit per year: 1250 (full rack) or 2000 (single machine) SEK
    • Number of rack units in the server room (if no new space is needed, set a 0 here)
    • Cost for the server with no drives (SEK)
    • The number of drives
    • Size of the drives (TB)
    • Number of years to run the server
    • Cost of each drive (SEK)
    • The number of working hours spent each year (system administration and support)
    • The cost of a working hour (SEK/h)
    • The part of the raw storage that is usable, the usable storage factor (RAID6 (two parity drives) on five drives equals 0.6)

    Cost calculator outputs:
    • Purchase cost (SEK)
    • Raw storage (TB)
    • Usable storage (TB)
    • Yearly cost (SEK/year) over the number of years (includes everything)
    • Cost for raw disk (SEK/TB/year)
    • Cost for usable storage (SEK/TB/year)
    • Cost of two identical file servers, one for backup using snapshots / shadow copy (SEK/TB/year)
    • Cost of two servers (as above) and a cold standby with no drives (SEK/TB/year)

    44. How to use WinSCP to access files over SCP on Windows

    SCP is encrypted making this a relatively secure way to access files even from home or over WLAN (wireless network).

    1. Download and install WinSCP from or open it in ZENworks application Window.
    2. Login on the server, in this example using your username and password A.

    3. Accept the host key.

    4. Access your files. This is your home directory. If this is on a file server where the group stores data, you should not put stuff here.

    5. Change directory into the share for your group. On this particular server the shares are located in /data/hl, /data/kl2 etc. Go here by clicking on the / in the location and then on data.

      Or click on this little icon first and then on data.

    45. Add a printer in Ubuntu 14.04

    See also: How do I install Ubuntu?
    See also: Print using UserCode for Ubuntu
    1. Find System Settings.

    2. Open System Settings

    3. Open Printers in System Settings

    4. Add a New Printer

    5. Expand the Network tree and see if it is browsable. Choose a way to connect. It usually does not matter. If the printer has dynamic DHCP (different IP from time to time) then use DNS-SD (Bonjour).

    6. For many printers the correct driver is found automatically, but if not, see if you can find it in the driver database. You need to know:
      • Manufacturer
      • Model
      • Perhaps the IP-address of the printer

    7. If not found automatically, pick Maker

    8. If not found automatically, pick Model

    9. Give it a name. We recommend room number and model.

    10. Ok! Let's go! Print Test Page and press Ok.

    11. Done!

    This documentation is covered by GNU Free Documentation License.