Wednesday, January 28, 2009

A double shot of operator headspace

I'm going to tell on myself. Why would I do such a thing? Because I think it's important to let people know that I can be my own worst computer user. What you are about to read is true. It may get a little technical, but follow along, and soon you won't even realize the techie parts are there. Oh yeah, it's that bad. In fact, if you're drinking something right now, you might want to swallow it before you start reading. I will not be held responsible for liquid ejecting itself from your nasal passages.... You've been warned.

I knew something was wrong when the phone call came at 1:00pm instead of 1:30pm, as I had put on my schedule. A quick glance at the confirmation email, and I was the one mistaken. The telephone conference was indeed at 1:00pm. On the phone, I had a very pleasant and helpful tech named Chris with CIPAFilter. A couple weeks ago, we received a demo unit from that company to try out their Internet content filtering, spam filtering, network traffic monitoring appliance. "Appliance" is a tech word for 'server' when 'server' sounds daunting. Plus, 'server' implies the 'appliance' will do more than just what it was programmed to do. I digress.

I plug the filter into our network. It has its own Internet address that does not match our scheme, which is normal for most 'drop-in' devices. They usually have a 'dummy' number so that the new device doesn't screw up anything on your network. If you have a wireless router at home, then you are more than familiar with the "192.168.1.1" address, most likely. If not, just keep reading...

In order for my computer to connect to the new device, I have to go into the network settings and change the information to match that of the new device. Once that's done, I fire up my web browser, type in the address of the device and enter the username and password. All is good.

Chris walks me through various settings on the device and explains how the filtering works, etc. Now, in my work environment, we already have a firewall in place that does all kinds of things (server). My main concern was that taking that server out of commission would completely disrupt our web sites, mail services, etc. No problem. We hold off on some of the features in order to keep everyone at work, well, working.

We come up with a new network address that matches our network, play with filtering settings (blocking porn, allowing blogs, that kind of thing). We walk through several screens, making various changes, updates, etc. The system is actually VERY cool and easy to use. I'm impressed with what I've seen so far.

Once we're done, Chris tells me to put a persistent ping on the device's new address and when I begin to get replies, I can log back in to the appliance. Of course, I don't remember the command for a persistent ping (I know it NOW, though), so I do the next best thing: I set it to ping 99 times. In case you're wondering, a 'ping' is a command you can issue on your computer to see if another computer is awake on your network (or on another one). For example, you can go to 'start' then 'run' then type PING YAHOO.COM and click OK and it will try to see if your computer can talk to the yahoo computers. Fun, right? Maybe not. But, useful for sure. I open up a command prompt and start my 99-time ping to the device.

No reply....no reply...no reply...and so on ad infinitum (or however you spell that). I tell Chris the filter has not come up yet, and he says it can take up to two minutes, so we kibitz for a while longer. After more than three minutes, we still have no reply on the pings. So, we start to troubleshoot: Chris has me check the lights on the filter - all good. We check the wiring, just to be sure - all good. We try pinging the device's OLD address - no reply. Then, Chris says, "Did you change the address of your own computer back to your own network?"

Well, DUH, of course not! My computer still thought it was on the other network because I did not change the settings back! Operator headspace. Once I changed my settings, that filter was chatting up a storm!

Fast forward. Now that the device is working on our network, there are some things that need to be done. So, Chris and I take a much deeper look at the settings and we talk at length about the placement of the device within our network. I have to open a path on our firewall to the device so that we can access it from outside the network. No problem. I try creating a secure socket connection to the device, but our firewall (ISA server) will not let me make that kind of connection without a certificate. Well, that doesn't make sense in the scheme of things, because each device should be able to have its own certificate, regardless of what the firewall says. Unless, of course, you are running ISA Server. ISA requires the certificate on itself AND the device. What a pain.

I muck around enough to find a way around the problem. In a weird twist of settings, you can actually create the same connection using different terminology. Strange but true, and Chris is able to get to the device from the outside. But, he needs access to two more 'ports' before setup is complete.

A port is like an entry/exit ramp to and from the information highway. For example, when you visit a web site, it is usually on 'port 80.' Okay, so certain devices and software need to use other ports. Setting up the second port was easy. And then I hit a wall.

I poked around ISA, trying to figure out how to add this port I needed. I knew I needed to create a new port rule because that one was not already opened up (for security, the default setting is to block all ports and then open the ones you need). I poked and prodded, thought I had it, but was wrong. So, we called Jeff at Hope schools, who has a LOT more ISA experience. He comes over and we start working on the problem.

He walks me through various settings, and when we get to one particular screen, the service/port we are looking for is not there. I say, "See? I know this is where it needs to be, but there isn't one for that port. I just need to create that port, but I don't see where you can do that!" I am frustrated. Jeff looks at the screen and says, "Well, did you click 'NEW?'" Okay, I don't know where that "NEW" button was before, but I am pretty sure that thing was NOT THERE before! Operator headspace strikes again.

I told Chris that I was having myself a PICNIC here (Problem In Chair, Not In Computer). Jeff, John, and Chris all had a nice little laugh at my expense. And, of course, once I clicked "NEW," everything fell into place.

So, you see, boys and girls, sometimes we techs have our own bouts of ID-10-T errors...

1 comment:

  1. Blog Question not related at all to this post. Why does your blog show 2 followers, but they are both me?
