
So, 8 months since the original post; let’s see what’s changed…

Laptop Upgrades

Our newest laptops are all HP Probook 640 G1; the fourth generation and last to supersede the Elitebook 8440P whilst still fitting the HP docking stations we are using. Sooner or later we will have to bite the bullet, move to a newer generation and replace some docking stations.

Printer Upgrade

The Xerox Phaser 6121MFP finally reached the end of days and got upgraded to a Xerox WorkCentre 6515N. Offering much the same features but much newer with more RAM, a faster processor and a few nice bonuses; Active Directory (LDAP) integration and duplex scanning/printing.

Version Control

Our development team have now moved from SVN to GIT. We are using GitLab Community Edition (hosted on-premise). I hope to share some of our practices and customisations soon. We feel GIT provides a more natural integration with Visual Studio and handles our collaboration better.

Support / Helpdesk / Ticket System

Over the Christmas period we wrote our own in-house helpdesk system which better fits our business. This continues to evolve each month and we hope to market it sometime in the future.

There should be a reasonable cost saving moving away from Solarwinds WebHelpDesk, but we will be investing a large amount in developing the product, and the biggest gains will be realised by the productivity improvements and enforced process/workflows.

Project Management

Once our in-house helpdesk system was live we quickly started work adding project management features and moved away from Trello and Freedcamp. This now avoids a lot of the duplication we previously had keeping the disparate systems in sync.

Password Storage

We have now built a simple web based password manager with full and access control which we hope to market in the near future.

Internet Service Provider

After about 18 months of trying, Virgin Media Business has now been installed. The service is significantly poorer than I expected. Whilst we do often manage to achieve 100mb/s+ down and consistently 15mb/s up, the latency is poor (around 30ms) and the way they deliver static IP addresses is ridiculous (and forces you to use their router for the weird gre tunnel, you will need a minimum of 5 static IP addresses, the single IP will be assigned to the router itself and cannot be assigned to your own hardware).

We are now in a position where we want to monitor remote nodes (outside of our domain/LAN). Initially we were able to set up port forwarding on the remote network to allow traffic IN from our server to the agent on port 4700 (remembering to configure the Windows firewall too). Then we hit a limitation with NetXMS server not allowing multiple nodes configured with the same ip/hostname (hopefully this will be resolved in a future release).

So we tried to flip the configuration so the remote agent connects in to our server. This proved a little challenging so I’ve documented how we got it working and some of the troubleshooting tips.

Enabling Logging

On the server, modify netxmsd.conf (on our server this was located at C:\NetXmsServer\etc). On the agent, modify nxagentd.conf (on our agent this was found in C:\NetXMS\etc). Add;

LogFile = C:\path\to\log\log.txt
DebugLevel = 9

Then restart the NetXMS Core service (on the server) or NetXMS Agent service (on the agent).

**Make sure you change it back to 1 or remove it completely when you are done as the log file will grow very large, very quickly**

Creating the CA / Server Certificate

We wanted to do this with the bare minimum (most of the guides online were pages long). I was surprised there wasn’t an online tool to generate the certificate (perhaps I will build one sometime).

openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -sha256 -days 10240 -out ca.pem

When prompted for Country, State, Organization etc we just hit enter to accept the default value. We then need to combine the key and certificate (we just used Notepad++)


Make sure you have a blank line at the end of the file (and the certificate comes before the private key). You can download the pre-built certificate here

Configuring the Certificate

  • Drop the ca.pem file anywhere on the NetXMS server
  • Modify netxmsd.conf and add the following lines;
ServerCACertificate = C:\NetXmsServer\etc\cert\ca.pem
ServerCertificate = C:\NetXmsServer\etc\cert\ca.pem
ServerCertificatePassword = netxms

Notice both the ServerCACertificate and ServerCertificate paths point to the same file. I don’t think the password is needed at all.

  • Restart the NetXMS Core service
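The checks this post asks you to make by hand, written out as an added example (not the author's or NetXMS's own code): it confirms the combined file has the certificate before the private key and ends with a newline, flags a DebugLevel left above 1, and notes when a certificate password is configured for a key that is not encrypted. The sample file contents are constructed placeholders and the function names belong to this example only.

```python
import re

# One PEM block; group 1 is the label, e.g. "CERTIFICATE" or "RSA PRIVATE KEY".
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)

# Constructed sample data: the base64 bodies are placeholders, not key material.
CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
KEY = ("-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n"
       "-----END RSA PRIVATE KEY-----\n")
SAMPLE_PEM = CERT + KEY
SAMPLE_CONF = """\
# constructed netxmsd.conf fragment using the settings shown in this post
LogFile = C:\\path\\to\\log\\log.txt
DebugLevel = 9
ServerCACertificate = C:\\NetXmsServer\\etc\\cert\\ca.pem
ServerCertificate = C:\\NetXmsServer\\etc\\cert\\ca.pem
ServerCertificatePassword = netxms
"""


def pem_blocks(text):
    """Return (label, body) for every PEM block, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def key_encryption(text):
    """None if the file holds no private key, else True/False for encrypted."""
    for label, body in pem_blocks(text):
        if label.endswith("PRIVATE KEY"):
            # PKCS#8 marks encryption in the label, the older format in a header.
            return (label == "ENCRYPTED PRIVATE KEY"
                    or "Proc-Type: 4,ENCRYPTED" in body)
    return None


def check_combined_pem(text):
    """Return a list of problems with a combined certificate + key file."""
    labels = [label for label, _ in pem_blocks(text)]
    certs = [i for i, name in enumerate(labels) if name == "CERTIFICATE"]
    keys = [i for i, name in enumerate(labels) if name.endswith("PRIVATE KEY")]
    problems = []
    if not certs:
        problems.append("no CERTIFICATE block")
    if not keys:
        problems.append("no PRIVATE KEY block")
    if certs and keys and keys[0] < certs[0]:
        problems.append("private key comes before the certificate")
    if not text.endswith("\n"):
        problems.append("file does not end with a newline")
    return problems


def parse_conf(text):
    """Read 'Key = Value' lines; comment lines and anything else are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def review(conf_text, pem_text):
    """Combine the file checks with the two configuration reminders."""
    findings = check_combined_pem(pem_text)
    settings = parse_conf(conf_text)
    level = settings.get("debuglevel", "")
    if level.isdigit() and int(level) > 1:
        findings.append(
            "DebugLevel = %s is still set; put it back to 1 or remove it" % level)
    if (settings.get("servercertificatepassword")
            and key_encryption(pem_text) is False):
        findings.append(
            "ServerCertificatePassword is set but the private key is not encrypted")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_CONF, SAMPLE_PEM):
        print("-", finding)
```

To use it on real files, read netxmsd.conf and the combined ca.pem as text and pass both to review().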

Creating a Tunnel / Adding a WAN Node

  • Ensure your router is configured to forward traffic received on port 4703 to your NetXMS server
  • Ensure your NetXMS server firewall is configured to allow traffic in on port 4703
  • Modify your nxagentd.conf and add the following lines;
ServerConnection = server_wan_fqdn_or_ip
  • Restart NetXMS Agent service
  • In the NetXMS server, look under Configuration, Agent Tunnel Manager
  • You should see a red entry (if you don’t, something above went wrong)
  • Right click and select Create node and bind
  • Name your node and enter for the ip/hostname and save (if the tunnel vanishes at this point, something above went wrong)

Good luck!

We have built a reporting tool for the Clover ePos which creates a text report for printing using the built-in receipt printer. The app has been through numerous iterations and the code which specifically handles alignment has always bugged me. The task seems trivial to the human mind, but when trying to code seems to throw a lot of curve balls! Here are some examples of the anticipated behavior;


So we revisited it, and I hope have now built a simpler “one size fits all” (not exactly, but considerably less conditional than before). The code accepts a string with pipe separators to determine alignment (refer to the diagram above for a bit more info) and spits out a string padded accordingly;

        public static string Align(string key, int width)
        {
            string newKey = "";
            string[] keyElements = key.Split('|');

            if (keyElements.Length == 1)
            {
                //no separators, so nothing to align
                newKey += key;
            }
            else if (keyElements.Length == 2)
            {
                //left align the first chunk
                newKey += keyElements[0];
                //insert padding so the entire line length will be a multiple of width
                newKey += new string('.', width - ((key.Length - 1) % width));
                //insert the last chunk
                newKey += keyElements[1];
            }
            else if (keyElements.Length == 3)
            {
                if (keyElements[0] != "")
                {
                    //left align the first chunk
                    newKey += keyElements[0];
                    //and pad the rest of the line
                    newKey += new string('.', width - (keyElements[0].Length % width));
                }

                //pad the left, center the second chunk and pad the right
                double sidePadding = width - (keyElements[1].Length % width);
                int leftPadding = (int)Math.Floor(sidePadding / 2);
                int rightPadding = (int)Math.Ceiling(sidePadding / 2);
                newKey += new string('.', leftPadding) + keyElements[1] + new string('.', rightPadding);

                if (keyElements[2] != "")
                {
                    //pad the line
                    newKey += new string('.', width - (keyElements[2].Length % width));
                    //and right align the last chunk
                    newKey += keyElements[2];
                }
            }

            return newKey;
        }

The receipt printer automatically wraps the string but we use a small method to split the string into chunks and add carriage returns/new lines for ease of use. Initially, this too was cumbersome (with loops and ifs etc), but we found a more elegant solution (avoiding re-inventing the wheel and reducing the number of lines of code- though I appreciate a loop is still occurring under the hood);

        public static string Wrap(string key, int width)
        {
            return Regex.Replace(key, ".{" + width + "}", "$0" + Environment.NewLine); //Regex lives in System.Text.RegularExpressions
        }


Here’s some code we used to test the method(s);

        static void Main(string[] args)
        {
            int width = 33;

            List<string> keys = new List<string>();
            keys.Add("This first part is really long|quick");
            keys.Add("The|second part is ridiculously long");
            keys.Add("The centre segment will always sit on it's own line|quick|brown");

            foreach (string key in keys)
            {
                Console.WriteLine(new string('=', width));
                Console.WriteLine("Input: " + key);
                Console.WriteLine(new string('-', width));
                string aligned = Align(key, width);
                string wrapped = Wrap(aligned, width);
                //print the aligned, wrapped result
                Console.WriteLine(wrapped);
            }
        }

Can you think of any further way we can simplify/improve the code?

We are in the process of trialling GitLab CE but need to tweak/customise a few elements.

Our developers are configured with the “developer permission/role” which unfortunately means they cannot create new projects. To get around this, we created a user/bot with the relevant permissions and a custom HTML page which uses the API to create a new project based on the user input.

I am not familiar with the ruby/slim syntax and struggled to modify the new project page as desired. We use GoogleTagManager fairly extensively in our work so decided it would probably be easiest to implement this throughout GitLab so our customisation could all be ring-fenced within GTM.

Adding GoogleTagManager to GitLab was fairly straightforward- adding 2 lines of code to;

 sudo nano /opt/gitlab/embedded/service/gitlab-rails/app/views/layouts/_head.html.haml

…below the %head tag, two %meta tags follow then we insert our javascript tag;

- page_description brand_title unless page_description

- site_name = "GitLab"
%head{ prefix: "og:" }
  %meta{ charset: "utf-8" }
  %meta{ 'http-equiv' => 'X-UA-Compatible', content: 'IE=edge' }
  :javascript
    (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='$


I have truncated the javascript- please ensure you paste the full code (from between the <script> tags presented by GoogleTagManager). Please also note the importance of the whitespace at the start of each line in the .haml file (the :javascript line should have 2 spaces before and the next line 4 spaces before).

I had to issue a restart command to see the changes reflected in the front-end;

sudo gitlab-ctl restart

That’s it!

Do note that your changes may/will likely be lost if/when you update.

I hope we didn’t miss an obvious/easy/out of the box mechanism for adding GoogleTagManager to GitLab?

After just spending a few hours trying to get RedGate SQL Monitor to monitor our Windows 2016 SQL Server in AWS I thought I had better record the solution!

We already had a rule in place on the AWS firewall which should allow all traffic from our office so this was unlikely to be causing an issue.

We had enabled inbound rules in the windows firewall for RPC/WMI but to rule this out we disabled the firewall entirely (temporarily) which made no difference.

We tried connecting using the IP Address and hostname. Tried using .\username hostname\username,\username and received a variety of errors including;

Number: 0x80070776
Facility: Win32
Description: The object exporter specified was not found.

Number: 0x80070005
Facility: Win32
Description: Access is denied.

The end solution was adding a record to C:\windows\system32\drivers\etc\hosts with the public IP and hostname (not fully qualified). Then I was able to connect just fine using \\hostname\root\cimv2 with the username .\username

It seems to be a NAT related issue despite the AWS server having a public IP.

Tools to run an IT Company

Inspired by, I felt it would be interesting to collate a list of the tools (i.e. hardware, software, services, etc.) that we use to run our business. I hope this will provide a good opportunity to share our feedback, review some of the tools, and address any gaps.

I’m starting with a simple list, but hope to follow up with some notes around each of the tools.



  • Ubiquiti (UBNT) – UniFi Series
    • UniFi Switch 48 (USW48)
    • UniFi Security Gateway Pro (USG)
    • UniFi AP AC (UAP)

I have been fairly impressed with all the UniFi equipment. We do run the beta controller so encounter occasional issues. We chose to deploy the EdgeRouter for clients as they’re easier to manage without the complications of the controller.


  • 1U Custom Built SuperMicro Server (running ESX 6.5.0update1)
  • Synology Rackstation (Fileserver, SFTP and DVR)

I have built half a dozen SuperMicro ESX servers over the last X years and they’ve all fared really well, providing excellent value for money. We can afford to have 2 servers (hot/cold spare) for far cheaper than an Enterprise HP/DELL equivalent (providing us a quicker turnaround in the event of failure). The biggest problem is sourcing the parts in the UK.

Similarly, I have been using Synology NAS solutions for many years and have always been impressed. We use the unit to provide in-house storage/archiving, remote backup for clients, SFTP access and as a DVR for our Hikvision IP Cameras – the only drawback being that you do have to purchase additional Surveillance Station licenses.


  • HP Elitebooks 8440p/8470p with Solid State Disks (SSD)
  • HP Probooks 640 G1 with Solid State Disks (SSD) *Updated 06/06/18- these are the latest model which are compatible with the docking stations we have. Next time we move forward with the laptops we will have to upgrade the docking stations too*
  • HP docking stations
  • Dual Acer v226hql 21.5″ monitors.

We normally pay around £100 for the laptops and £70ish for the monitors. We have a stash of 128gb SSDs which are plenty big enough. These laptops are far from “latest generation” but are built to last and perform surprisingly well (we do some fairly serious multi-tasking). So, for under £250/user, we have a pretty impressive setup.

Tablets / Android Devices:

  • Nexus 7 (for Android development/testing)
  • Clover Flex, Mobile, Mini and Station

Our Java/Android development is currently focused on the Clover till / ePOS, hence the Clover device. These are quite hard to get hold of (having to order from the US and use a special service to forward them to the UK). The Nexus tablets have the same screen size and resolution as the Clover Mobile / Mini so provide a great platform for testing/development at a fraction of the cost!

Digital Signage:

A great bit of free software I would highly recommend. We have upgraded to the Donor’s Edition and use it each and every day. Our office screens use Microsoft SQL Server Reporting Services (SSRS) to display dashboards with key metrics and essential data to run our business.


  • Xerox Phaser 6121MFP-S
  • Xerox WorkCentre 6515N *Updated 06/06/18- the added active directory integration and duplex printing/scanning are nice touches. Let’s hope it lasts as long as the last one!*

We don’t print a lot, but when we need it, this colour laser works great. The scan to e-mail with the automatic document feeder is a life saver.

The printer has lasted for longer than I can remember, and I’ve only had to top up the toners once! I will be looking to replace it with the Xerox WorkCentre 6515N when it runs out of toner next.


  • HikVision (multiple domes and bullets)
  • Yale Wireless Smart Alarm

The HikVision cameras are very reasonably priced and provide a great resolution/quality. As mentioned above, our Synology fileserver doubles up as a DVR.

The Yale Smart Alarm is ideal; each member of staff has a unique PIN to allow audit and there is no subscription/monthly fee.


  • Cisco 7906
  • Cisco / Linksys SPA942

We pick these up from eBay for between £5 – £15 per unit. The 7906 has proved rock solid for years, but we are starting to need the additional lines and conferencing facility provided by the Linksys SPA942. Read on for information about our VOIP provider.


  • Flukso (Energy Monitoring)

I’m still looking for something better (capable of recording more channels) but until then, this device is the best fit for our needs, where we are able to graph the usage of up to 3 channels. You can read a bit more about my home Flukso setup in an earlier blog entry;


Email/Sharepoint/Onedrive/Instant Messaging:

  • Office 365 – £45.60/user/year

We use Skype for instant messaging and Exchange for our individual and shared mailboxes, as well as Onedrive and Sharepoint for information and document storage.

Microsoft support is pretty terrible but, for the price, it’s a great service.

Version Control:

  • VisualSVN (subversion) – FOC
  • GitLab Community Edition (hosted on-premise) *Updated 06/06/18- Our dev team have now moved to Git. I hope to share some of the best practices/processes and customisations we have built in due course*
  • RedGate SQL Source Control – £59/user/year

If we were to set this up today, I suspect we would use Git over SVN, but we have our history and a number of integrations with other systems in place so will need a few good reasons before we jump ship.

RedGate SQL Source Control is a great tool to add SVN integration directly into Microsoft SQL Server Management Studio (SSMS).


  • Xero – £316.80/year

I honestly don’t know how we coped before Xero. At the end of the financial year two weeks were set aside for paperwork (and this was before we had any staff/payroll to take care of). Invoices would go unpaid for 6-months without being noticed and VAT returns were a nightmare.

We now have live bank feeds into Xero and can tell real-time who owes us what, as well as having a clear picture of where money is going to/coming from, and VAT returns are simply a click of a button. Worth every penny!


  • Solarwinds WebHelpDesk – £86/user/year
  • Tickett Helpdesk *Updated 06/06/18- We have now built our own in-house helpdesk software which we hope to market sometime in the future*

We have been using WebHelpDesk since before Solarwinds took over and, whilst it remains a handy tool, it has its limitations and becomes increasingly costly over time. A big part of the decision was based on the Microsoft SQL Server back-end, allowing us to easily pull data onto our dashboard and reports.

Project Management:

  • Trialling Trello – FOC
  • Trialling Freedcamp – FOC
  • Tickett Helpdesk *Updated 06/06/18- We have built project management features/tools into our own in-house helpdesk software (which we hope to market sometime in the future)*


  • Timetastic – £6/user/year

Does what it says on the tin. We did trial Charlie HR, but the free service doesn’t include a holiday calendar (which in my eyes is essential).

Web hosting:

  • Amazon Web Services (AWS) – Roughly £600/year

We currently use S3 and EC2 with a single T2.Medium instance running Windows Server 2016 / SQL Server 2016. We use this to provide several in-house services as well as a number of client applications.


  • Cloudflare – FOC

A great tool, never had any issues – and it’s free!


  • XLN – £620.88/year
  • Virgin Media Business 350/15 – £600/year *Updated 06/06/18*

We were previously using Claranet, but XLN offered a good introductory rate at our new premises- never really had any issues. We have a block of 5 static IPs included in the price.

Password Storage:

  • Password Safe – FOC
  • Tickett Password Manager *Updated 06/06/18- we have now built our own in-house password manager which we hope to market in the future*

We are actively looking for a new web based tool which will provide a better audit trail but not break the bank.


  • Tel2 – £180/year

We subscribe to the Cloud 10 plan which includes 2 local numbers, 5 sip trunks for simultaneous calls, 1100 minutes (including a large number of overseas) and unlimited extensions (as well as the usual voicemail, diversion, conferencing, hunt groups, etc).

We normally use an additional £5 outside of our plan for mobile/premium rate calls.

A great service, easily configured on our Cisco/Linksys handsets.

Windows (Web) Application Development:

  • Visual Studio 2017 Community Edition – FOC
  • Android Development Studio – FOC

We have recently moved to VS2017 Community Edition and have only found a few smaller missing features from the Pro/Ultimate edition (i.e. intellitrace, code maps and references). Time will tell whether we move back to the paid for edition.

We are newer to Android/Java development. Android Studio seems to be a bit of a resource-hog/drain and getting virtual machines/emulators working seems incredibly temperamental – time will tell with this one.


  • RedGate SQL Monitor – £185/server/year
  • NetXMS – FOC

We chose NetXMS as it allows Microsoft SQL Server to be used as the database back-end, which means we can easily pull data onto our dashboard and reports.

Remote Assistance:

  • ScreenConnect – £315/year (at current exchange rate… actual fee is $420/year)

After looking at GotoMeeting, Webex, JoinMe and several others, we chose ScreenConnect (I think it mainly came down to pricing when used with multiple users). The only feature it seems to lack is a telephone conferencing facility.

Cost Summary

I have only quoted ongoing costs/license fees, not purchase prices or one-off fees. To recap, for ten users – we’re roughly looking at;

£ 456.00 – Office 365 – £45.60/user/year
£ 590.00 – RedGate SQL Source Control – £59/user/year
£ 316.80 – Xero – £316.80/year
£ 860.00 – Solarwinds WebHelpDesk – £86/user/year
£ 60.00 – Timetastic – £6/user/year
£ 600.00 – Amazon Web Services (AWS) – Roughly £600/year
£ 620.88 – XLN – £620.88/year
£ 600.00 – Virgin Media Business – £600/year
£ 180.00 – Tel2 – £180/year
£ 185.00 – RedGate SQL Monitor – £185/server/year
£ 315.00 – ScreenConnect – £315/year (at current exchange rate… actual fee is $420/year)
£3,923.68 – Total

I suspect I have missed a few too, but I will aim to update with more comments around the products/services/costs, etc.

My company provide SQL dba services and build system integrations. We use various VPN clients to connect in to most company networks but have always had issues using integrated windows (active directory) authentication with certain applications.

Launching an RDP session or browsing a network share works just fine, but if we want to connect SQL Server Management Studio to a server on the remote network using our domain credentials we have previously been stuck, leading us to deviate from (what I feel is) best practice and create SQL users.

When we build interfaces in Visual Studio they will normally run on client servers using active directory/domain service accounts. If we wanted to carry out any troubleshooting we could not accurately emulate the interface in Visual Studio (as the domain service account).

If our local machines were joined to the client domain we could either log on as the service account or run SSMS / VS as the network user, but otherwise we are out of luck…

…that was until we stumbled across the /netonly command line argument for runas.exe.

Apparently this whole time there has been a technique to launch an application using credentials which don’t exist locally or on the current/trusted domain! We now have some .bat files saved which launch our core applications using runas.exe with the /netonly argument. For example;

runas /netonly /user:remotedomain\remoteuser "C:\Program Files (x86)\Microsoft SQL Server\140\Tools\Binn\ManagementStudio\ssms.exe"

*EDIT* Furthermore, I’ve just stumbled across ShellRunAs which will integrate into Windows Explorer and give you the right click option to Run As (Netonly);


I recently configured my Ubiquiti/Ubnt Unifi wireless access point to use WPA Enterprise (wpaeap) and pointed Radius at my domain controller running Network Policy Server (NPS).

I could connect fine using my Android mobile but could not connect from my laptop. Logs in the event viewer indicated an authentication issue, but this was definitely not the case.

After lots of fiddling and googling I discovered that PEAP does not work with wildcard SSL certificates. I replaced the certificate with a server specific cert and voila.

Here’s an article which shows you where to change the certificate;

I have recently switched my network configuration from 2 routed subnets;

To a single subnet;

I had hoped this would have little to no impact and be a seamless transition (how wrong I was). I have a mix of devices with both dynamic (DHCP) and static IP addresses. Those using DHCP didn’t cause much of an issue, but those configured using static addresses required the subnet mask and default gateway changing (again, fairly straightforward).

The real issue came when it came to changing my vCenter Server Appliance (VCSA) network configuration. The obvious place to look (and several articles online) pointed toward the configuration option inside the vSphere Web Client; System Configuration -> Nodes -> x ->Manage -> Settings -> Common -> Networking


Unfortunately the settings are grayed out with a message “IPv4 configuration for nic0 of this node cannot be edited post deployment.”.

Other articles pointed toward the console (alt-f2 option), vmware Appliance Management Interface (VAMI) running on https://your-vc-hostname-or-ip:5480/ or SSH; Unfortunately I couldn’t login to try any of these techniques.

Console -> Alt-F2- “Authentication failed; Invalid login or password.”
SSH- “Login incorrect”
VAMI- “Unable to authenticate user. Please try again”

This had me stumped for many hours. I was able to reset the root password (reset the VM, prevent vcsa autoboot by pressing any key when the grub bootloader appears, press p, enter the grub password (default is vmware), enter, press e, add init=/bin/bash, enter, press b then type passwd root) but still couldn’t login using the new password. I think a few issues were at play here, but eventually tracked it down to the password complexity requirement forcing the use of special characters which were in turn being transposed by RDP / vSphere (” was becoming @ and £ was becoming # etc). Once I had figured the password issue I was then able to try the techniques again;

Console -> Alt-F2 -> Configure Management Network -> IP Configuration

Nope- “Configure Management Network; Management network configuration not allowed”

Next… SSH -> /opt/vmware/share/vami/vami_config_net

Nope- Lots of errors stating “ImportError: No module named libxml2mod”

Finally… VAMI

Again, no joy- “Updating has been disabled”.

Eventually I decided to try the same technique I’d previously used to modify my Linux (CentOS) VMs.

I started an SSH session and modified /etc/sysconfig/network/routes (from default to and then /etc/sysconfig/network/ifcfg-eth0 (NETMASK=’′ becomes NETMASK=’′). Rebooted and voila!

After moving from my home office to a real office I decided to downgrade my premium 80/20 business fttc connection (from claranet) to a residential 40/10 service from sky.

Yesterday, the connection was changed over and I found myself with no internet. I initially thought it was because the pppoe username and password needed updating (tail /var/log/messages was showing a CHAP authentication error message) but I don’t recall ever being sent a username/password. It was then I had a flashback to many years ago having to extract the details from a router/modem in order to use them in another device. A bit of googling backed this up, but also suggested the connection doesn’t use pppoe but MPoA and was going to be even more challenging to setup;

But this article was written in 2013, surely someone has documented the process more recently? Fortunately, before starting the long-winded process I stumbled across another article; However, this seemed to point to needing a different modem (such as the Draytek Vigor 13) to achieve the MPoA connection.

Before I went and bought a new modem, I thought I’d try the BT Openreach/Huawei Echolife HG12. I deleted the pppoe interface from the Edgerouter and set the address on eth0 (connected to the modem) to DHCP. Still nothing… well, both of the previous articles did state the need to add the DHCP option; send dhcp-client-identifier &quot;user|pass&quot;; so I guess it’s time to unbox the Sky router and do some packet sniffing?

I must be in luck… 2 weeks ago, a post suggested you no longer need to use logon credentials, passing anything in the dhcp-client-identifier will do the trick. The example given was;

 client-option "send dhcp-client-identifier &quot;bacons&quot;;"

So I gave it a try, but still no dice. Worth a reboot I guess? Power cycled the modem and voila, we have internet! Well, that was simpler than anticipated.

