What the hell is a PIX server?
June 29, 2011 10:04 PM

Server Admins - Imagine you know nothing about servers, now imagine you've been put in charge of fixing a firewall and some servers that were set up about a year ago. Where do you start?

I'm new into a sales engineering role. I have a significant amount of experience in radio frequency engineering, technical project management, and some networking knowledge (think most of the way through a CCNA certification) and am halfway through a computer science degree. One of my responsibilities will be managing a "data lab". This lab has some servers set up that I've been tasked with getting operational. I need to be able to provide access to a small number of mobile devices using Blackberry Enterprise Server, Exchange ActiveSync, and Good.

From what I understand we have a pix firewall, an exchange server, and a number of additional servers (Netmotion, Good, Blackberry Enterprise Server, etc...) but there is something wrong. I know I can pull out a tray with a monitor that gives me access to the servers but that's really the extent of my knowledge.

From talking to others, we are running some version of IIS and Windows 2000. There is some sort of issue remotely accessing our PIX server. This may be a good chunk of our problems.

What I'm wondering is where should I start in troubleshooting this system? Are there any online tutorials I can use to become familiar with basic server setup and administration? I can completely scrap our setup and start over. Money is not a big issue here but bringing in a professional is pretty much off the table.

I am not by any means new to technical problems but I am 100% in the dark when it comes to servers. Assume whoever set up this lab is no longer available.
posted by Octoparrot to Computers & Internet (14 answers total) 3 users marked this as a favorite
 
$500 will get you one day with a network engineer who can figure it out and leave you with instructions, a diagram and a phone number to call for future emergencies.

You won't regret it.
posted by rokusan at 10:19 PM on June 29, 2011 [8 favorites]


Seconding rokusan.
posted by fatbird at 10:27 PM on June 29, 2011


Really threw you in the deep end on this one, didn't they? The console you've got will allow you to switch between the servers (I should imagine) and you will need to log in to them before you can even start doing anything. Were you given administrator passwords and the like?

"Some sort of issue remotely accessing our PIX server" is the problem? It's a Cisco firewall and somebody wants to access the firewall remotely, or they want access through the firewall? If they want "through" then it's probably going to be a matter of opening a bunch of ports and forwarding them to a bunch of IP addresses. If it's remote access to the server itself then I don't know, there might be something in the server administration software that lets you configure that.

But, really, you need somebody to come in there, figure it out, and tell you how to do it. Why is bringing someone in "pretty much off the table"?
posted by tumid dahlia at 10:37 PM on June 29, 2011


You seem to not really understand the problem. That's the first step in troubleshooting.

What are people attempting that they can't achieve? What is their cause of failure? Given the components, how can one rectify this?

You need to know how to try what these other people are trying so that you can test any potential solution and understand the particulars of their process.
posted by Matt Oneiros at 10:57 PM on June 29, 2011 [1 favorite]


IAANE (I am a network engineer)

You have a PIX. A PIX is an ancient Cisco Firewall. You need a console cable, hyperterminal or putty to connect to it, and if you don't have a serial port on your systems, you will need a USB-to-Console Adapter.

Console Cable:
http://www.amazon.com/HDE-Cisco-Console-Cable-RJ45-to-DB9/dp/B000GL3MOY
Putty:
http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
USB-To-Console Adapter:
http://www.amazon.com/TRENDnet-Serial-Converter-TU-S9-Blue/dp/B0007T27H8/ref=pd_cp_e_1

Cisco gear uses "9600-8-None-1-None" for console:
http://www.cisco.com/en/US/tech/tk801/tk36/technologies_tech_note09186a0080094465.shtml

Once you get in, read this:
http://www.cisco.com/en/US/docs/security/pix/pix52/firewall/configuration/guide/commands.html#wp1025301

If you don't have the Enable Password, you are pretty much screwed and will need to do a password reset on the firewall:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_password_recovery09186a008009478b.shtml

These steps alone will take you 8-10 hours (at least!!) to get sorted out, so plan accordingly.

Start with the network, get the network sorted out, then move on to Exchange, BES and GOOD.

You have been thrown a shitheap of work, and you need some help or training. I can be available for a daily rate + travel costs, otherwise memail me and I'll help you as much as I can when I find the time. Seriously, this is not an easy undertaking, but then again, it's only a dev lab so there is not as much pressure on you to get it right the first time...
posted by roboton666 at 11:36 PM on June 29, 2011 [6 favorites]


You need to start sorting things out at a very basic level. Not really an expert, but here are some things I would try to figure out if I were in your position:

1) How many servers do I have? Can I physically identify each server? What is each one supposed to be doing?

2) Do I have access credentials for every server? Can I log in to each one in some way? Does everything seem to be up and running at the hardware and OS level?

3) How is the network cabling organized? Are there any routers/switches? Is everything connected where it is supposed to be? Where is outside connectivity coming from?

4) What is the logical organization of the network? Do my servers have static IPs (they probably do)? What are they? What does routing on the inside of the lab look like? For example, can I ping every server from every other server? Can I ping the outside world from every server?

5) Is anyone providing DNS for my servers? Does it work? Are the DNS data correct?

6) Are my servers part of a Windows domain? What does the domain configuration look like? Who is allowed to access stuff on the servers?

7) What is the firewall supposed to be doing? What traffic should it be passing through? Is the firewall accessible from the outside? Are the machines that should be visible to the outside world accessible?

After you have that figured out, you'll have a pretty good idea of what you are dealing with, and you can start worrying about the applications each server is supposed to be providing (i.e. Exchange, Blackberry Enterprise etc).

As a final note, be very conservative and document everything you do - you don't want to break some arcane configuration a previous administrator had patched together that is the only way to get everything working. You might find something that looks stupid or wrong - resist the temptation to correct it before you have a complete grasp of the situation.
posted by Dr Dracator at 12:25 AM on June 30, 2011 [3 favorites]
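
Items 4 and 5 of the checklist above can be scripted so the results go straight into the lab documentation. This is an added example, not part of any poster's comment: the host names, addresses and port lists are constructed placeholders, and it uses a TCP connect to each documented service port in place of ping, since a firewall may drop ICMP.

```python
import socket

# Constructed inventory: placeholder names, addresses and ports; use your lab's own.
INVENTORY = [
    {"name": "exch01.lab.example", "ip": "192.0.2.10", "ports": [25, 443]},
    {"name": "bes01.lab.example", "ip": "192.0.2.11", "ports": [3389]},
]

def dns_forward(name):  # name -> IP, or None when the name does not resolve
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def dns_reverse(ip):  # IP -> name, or None when there is no PTR record
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def tcp_open(ip, port, timeout=2.0):  # True if ip:port accepts a TCP connection
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_host(entry, resolve=dns_forward, reverse=dns_reverse, port_open=tcp_open):
    """Compare one documented server against what DNS and the network report."""
    findings = []
    got = resolve(entry["name"])
    if got is None:
        findings.append("no forward DNS record")
    elif got != entry["ip"]:
        findings.append(f"DNS says {got}, documented IP is {entry['ip']}")
    ptr = reverse(entry["ip"])
    if ptr is None:
        findings.append("no reverse DNS record")
    elif ptr.lower().rstrip(".") != entry["name"].lower():
        findings.append(f"reverse DNS says {ptr}")
    findings += [f"tcp/{p} not reachable" for p in entry["ports"] if not port_open(entry["ip"], p)]
    return findings

def audit(inventory, **probes):  # {server name: [findings]}; empty list = matches docs
    return {e["name"]: check_host(e, **probes) for e in inventory}

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, "->", "; ".join(findings) or "matches documentation")
```

Run it from a machine inside the lab and again from outside the firewall; the difference between the two result sets shows what the firewall is actually passing.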


Thirding rokusan. You're looking at a lot of ignorance, and have a lot of scope for making things worse through breaking them - either obviously-worse (OMG no BES!) or subtly-worse (allowing unfettered access to your domain controller from the Internet*).

You should get an expert in, at least to survey the landscape and highlight what's dead, dying, or on fire.

*This is a Bad Thing(tm)
posted by coriolisdave at 12:33 AM on June 30, 2011 [1 favorite]


Start at the beginning: Identify each machine. Trace all the cables and figure out where everything goes. Document this.
posted by rmd1023 at 5:33 AM on June 30, 2011 [2 favorites]


Yeah, this seems like a major undertaking even if you had substantive experience in both Networking and Windows Server Administration.

Each of the jobs you have been tasked with (Exchange Server Admin, Network Admin, plus auxiliary servers) can be all-consuming and you are being asked to do all of them plus integrate them with each other.

Combined with the fact that many of the components (Windows 2000, Pix firewall) are probably completely out of date and at the end of viable vendor support and you've got a Herculean task on your hands.

Nthing bringing in an outside consultant but understand that a) they won't be cheap and b) there is no guarantee that your company won't need to spend money upgrading various components of the system.

If you absolutely need to do this entirely yourself, the key is to track down any sort of documentation as to its current config asap. If it has ever worked then that at least gives you a baseline to work from. If it has never worked then you are going to have to rebuild the setup from the ground up. It's generally better to simplify the system at first, get a small number of core components working together (exchange + basic networking) and then add additional components (firewall and auxiliary services) as needed. It is a major undertaking (hell even learning the archaic PIX firewall software syntax can take forever) but if you break it down into small components it becomes much more manageable.

But if you need to get this turned around in anything resembling a timely manner you are going to need to call in some hired guns.
posted by vuron at 6:28 AM on June 30, 2011 [1 favorite]


Agree that you are unfairly in over your head. What happened to the people that set them up and maintained them?

If you must do it on your own, just pick the most important problem and dive in head first. Where is the machine, what is plugged into it, reboot it, look at log files, get specific info as to what is and isn't working, etc.

(To access the different servers, you probably hit printscreen on the console keyboard. Possibly twice. A little menu should come up allowing you to choose which machine to control.)
posted by gjc at 7:08 AM on June 30, 2011


Any of the windows machines on the rack should be accessible by Remote Desktop if you know a) their names or IP addresses b) the administrator login and password. If your KVM (the thing you pull out and access the machines) is broken or you can't figure out how to work it, that'll at least get you on the servers.

The Pix, though, see above. Newer firewalls generally have internally-accessible web-based administration interfaces, but the Pix will need a terminal or console connection.

But. IT should not be the default jurisdiction of the most computer-literate person in the company. It's an actual thing; I know company owners and senior management often think it's a hobby, but it's not. There are professionals who do this work. You will be better off for dropping a grand (at least. to start) and getting one of them to come help you. It will cost you three times as much to bring someone in to fix a downed server/network.
posted by Lyn Never at 12:44 PM on June 30, 2011


Get a label-maker and some graph paper. As rmd1023 suggests, figure out what item is which server/switch/whatever...and then label it and plot it on your graph paper map. (Like you're playing dungeon!)

Meanwhile, get a good consultant in to explain what the things are. Also get their recommendations for required work: first any overdue upgrades, then the near-End-Of-Life hardware & software, and then the Nice To Haves. Make sure to get rough estimates on what each will require. (You may not hire them to do all that, but it will help you prioritize the work when you have to do it!)

Once the immediate demands have been satisfied, hit the books. Figuring out how to back up every device's configuration is a good first step, and will turn your map into a bona fide Recovery Document -- which you may well need as you learn things the hard way. :7)

Good luck, and remember: good judgement comes from experience, and experience comes from mistakes. So whenever you break something, just remind yourself that you're actually learning!
posted by wenestvedt at 12:44 PM on June 30, 2011


First thing is you have to tell us what this something wrong is.
posted by majortom1981 at 1:37 PM on June 30, 2011


Response by poster: Ok, so in reading this I need to provide some more information. Basically, this is a test lab set up by prior engineers and is only used for demoing wireless options such as Blackberry and Exchange Active Sync (I work for a large wireless carrier). Luckily, I did not oversell myself in this realm when I started the job but it's something I need to start learning. Basically the Blackberrys and the Droid phones using EAS aren't working and I've been tasked with fixing them.

We have an exact duplicate of this lab setup in another market and the administrator of that lab is available to help but I'm so new I'd like to get a better idea of what's there and what it will take to fix.

The nice thing is that I have complete control and if I broke something I figure the worst that happens is I have to re-install everything from scratch. Not ideal but it would be good experience as noted above.

I can identify the servers, have all the connections needed, and administration credentials so that's not an issue. What I'm really interested in is any tutorials or places I can go to find more information on general server administration. Free is great, I can pay a bit if necessary.

In regards to bringing in an expert, the expectation is that I find someone internally or figure it out myself. There is another engineer here but his knowledge is probably just slightly above mine. While there are many experts in my organization many aren't local and will probably require travel which is not something I want to make someone do.

Just the information I've gotten here has been very helpful, thank you!
posted by Octoparrot at 9:20 PM on June 30, 2011

