"The Blu Tree"

Knowledge. Shared.

Websense Cloud Security – Users stopped appearing in reports

Posted by on 24 Feb, 2015 in Security, Websense | 1 comment


  • Websense Cloud Security Installed and Configured
  • Websense endpoint installed on users' machines.
  • Users and groups synced up from Active Directory using DirSyncClient (DSC)



Users stopped appearing in the Websense reports catalogue, and if you run any reports from the reports builder they do not appear in the results.



Log in to the Triton portal. Select Account > End Users and search for all users ending with nosuchdomain.autoregistration.proxy. Delete all users ending with nosuchdomain and run another DSC to make sure no more nosuchdomain users appear. Wait about 10-15 minutes and the users should start appearing in the reports.

Microsoft – Licencing

Posted by on 18 Feb, 2015 in Licencing, Microsoft | 0 comments

We were audited last year by Microsoft as we were on the software assurance (SA) program and our 3 year agreement was coming to an end. Speaking to a Microsoft licensing specialist during the audit, I found out some interesting information about licensing Microsoft software. Some I already knew, others I did not. This post may be useful if you are being audited or looking to purchase software. Only some of the information below was relevant to the company I work for, but I thought I would add everything I found out as it may help someone in the future.


Physical/Virtual Server Licences


If you purchase a server licence (e.g. Server 2012 Standard open/SA licence), most people know that you are licenced to install the operating system on a physical server with up to 2 CPUs. You can also use that licence on a virtual platform such as VMware to create two virtual servers (on the same host).


VDA Licences


If you are on the software assurance program and you have purchased the Microsoft Professional Desktop Platform (which includes OS, Office, Core CAL suite), this includes licences for you to also run a virtual instance of Windows Desktop OS at no additional charge, as being on the SA program includes a VDI licence. Once the SA finishes and you do not renew your SA subscription, you either have to remove the virtual desktop images or pay for a VDI licence for every physical desktop/user that wants to connect to the virtual instance. So if you have 20 users that may connect to a single virtual Windows 8 VM now and again, then you need to buy 20 VDI licences, which are quite expensive (about £90 per user/device per year).


Virtual Servers with Multiple Hosts and Shared Storage


This is one of the most interesting bits of information I found from the Microsoft licencing specialist. Let’s say you have 2 hosts with shared storage and you have 5 Server 2008/2012 VMs running on each host. With SA you are allowed to move the VMs (i.e. vMotion/HA failover) as many times as you like. You also need to licence the VM for each host. For example, if you have 2 hosts and you purchase a Server 2008/2012 licence, the licence allows you 2 VM instances. But you need to licence the VM for each host, as you can move the VM from host to host. So where you could have 2 VMs running on a single host, if you have 2 hosts with shared storage you can only have a single VM with the 2 VM licences (one licence per host).

If you terminate your SA subscription, or you don’t have SA and you purchase open licences, then you can only move a VM from one host to another every 90 days. So if a host fails and the HA failover kicks in, then you will have 10 VMs running on a single host. When the failed host is repaired you are not allowed to move the VMs back until the 90 days has been reached! You could move them back and Microsoft will not know unless they ask for your virtual hypervisor log files. However, if you want to make sure you are covered, then the way to go is to purchase Windows Server Datacentre edition for each host. This is because the Datacentre edition allows you to run as many VMs as you like on each host and, according to the specialist I spoke to, is not affected by the 90 day limit.


SharePoint – On premise


Before moving to Office 365 we were trialling SharePoint internally. What I found was that if you are going to be hosting SharePoint yourselves internally then you need to be aware that you will need a SQL CAL for each user that will be using SharePoint and also have a SharePoint CAL.


Terminal Server CAL’s


If you have Terminal Server then Terminal Server CALs are required for every user that will use the terminal server. So if you have 50 employees and a single terminal server which they may log into now and again, but only about 5 users will ever be on the server at the same time, then you still need to purchase 50 CALs.




This post only covers a tiny bit of the very large world of Microsoft licences, so it does not cover everything about licensing and all the benefits of an SA subscription. However, if you are taking part in the SAM audit or looking at not renewing your SA subscription, then it may help in your decision.


As Microsoft licences are constantly changing, make sure you check with a licensing specialist what you require before purchasing/renewing any licences, as the below may be incorrect at time of reading.


Useful Links:

  • Core CAL Suite
  • Software Assurance

Juniper Netscreen – Route traffic through another firewall

Posted by on 18 Feb, 2015 in Firewalls, Juniper, Security | 1 comment


Office A – Juniper Netscreen SSG5 (Static IP)

Office B – Juniper Netscreen SSG5 (Dynamic IP)

Both offices are connected to one another via a VPN tunnel using the SSG5


I came across an issue recently where we had remote hosted servers locked down to a certain IP address (Office A) and we needed Office B to access those servers from their office using the dynamic IP. The way I found around this was to redirect certain traffic over the VPN from Office B to Office A, then display the IP as the static IP from Office A to access the servers.


I won’t go through setting up the VPN between the offices as I am assuming this is already done with the following settings.

  • The VPNs are set up using tunnels
  • The VPNs are working in both directions
  • The Policies used are set to allow ANY service through for this test setup.


Office A


  • Log in to the Juniper and select Policy > Policies.
  • In the From dropdown select untrust. From the To dropdown select untrust and then click New.
    • Source Address: Select the Office B LAN.
    • Destination LAN: Select Any (or to make it more secure create an Address List for the hosted servers and select them).
    • Service: Select the required service (i.e. RDP) or select ANY to allow everything through.
    • Logging: enable this setting
    • Click Advanced
      • Source Translation: Tick this option
      • (DIP on): Select None (Use Egress Interface IP)
      • Enable any other relevant settings you require.
      • Click OK
      • Click OK


Office B


  • Select Network > Routing > Destination
  • Click New (Top Right Corner)
    • IP Address/Netmask: Enter the external server IP and mask. If it is a single IP use the mask as 32
    • Gateway: Enable this option
    • Interface: Select the interface as the tunnel interface for the VPN to Office A.
    • Gateway IP Address: Enter the internal IP of the Juniper Netscreen for Office A
    • Permanent: Enable this option
    • Description: I would enter a description here such as the hosted server name
    • Click OK
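
The same two changes expressed as ScreenOS CLI, as an added example that is not part of the original post. All object names and addresses are constructed placeholders (Office B LAN 192.168.20.0/24, hosted server 203.0.113.10, tunnel.1, Office A internal IP 192.168.10.1), the custom RDP service is an assumption, and the `#` lines are annotations rather than CLI input; check the syntax against your ScreenOS release.

```screenos
# --- Office A (static IP) ---
# Address objects (constructed values). Both sit in Untrust because the
# policy described above is untrust -> untrust.
set address "Untrust" "OfficeB-LAN" 192.168.20.0 255.255.255.0
set address "Untrust" "Hosted-Server" 203.0.113.10 255.255.255.255

# Custom service for RDP (assumed name; reuse an existing service object if you have one).
set service "RDP-3389" protocol tcp src-port 0-65535 dst-port 3389-3389

# Permit Office B -> hosted server with source NAT to the egress interface IP
# (no DIP pool) and logging on. The destination is the hosted server rather
# than Any, which is the tighter option the steps mention.
set policy from "Untrust" to "Untrust" "OfficeB-LAN" "Hosted-Server" "RDP-3389" nat src permit log

# --- Office B (dynamic IP) ---
# Permanent host route: only traffic for the hosted server enters the tunnel
# to Office A; everything else still leaves via Office B's own connection.
set route 203.0.113.10/32 interface tunnel.1 gateway 192.168.10.1 permanent

# --- Checks ---
# Office B: confirm the /32 route is the one selected for the hosted server.
get route ip 203.0.113.10
# Office A: with a connection open, confirm the session shows the translated source.
get session dst-ip 203.0.113.10

# Run on each device to keep the change across a reboot.
save
```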


You should have access to the hosted server now. You could if you wanted direct all traffic over the VPN by adding the IP Address/Netmask as
