Create Facebook Schedule With Cyberoam

I’ve noticed a lot of people asking about how to schedule when a user can or can’t use Facebook. This is pretty easy to do in Cyberoam, you can either do it globally, or on a per user basis. I’ll show you how to do this on a global basis. If you want to do this on a per user basis then you just need to make individual policies for your users. The steps below can apply to any website, not just Facebook.

Step 1 – Log into your Cyberoam and go to the web filter section and select categories. Add one called “ScheduledSafeSites”. This will be for anything you want to allow during a certain time, if you want to block them name the category “ScheduledBlockedSites”. Personally I think only one for safe sites is necessary but I can see blocking say, during the day and let the night guy watch it. I went ahead and added “” to mine as an example. You can add, or whatever you want here. Just like you would add sites to any other category.

Step 2 – Check policy you want this added to and change both settings to “allow”. This is just the HTTP or HTTPS allow/deny settings.

Step 3 – Go into the Policy setting under Web Filter and open up the policy you added the category to. Click the little wrench icon next to the new category.

Step 4 – You can then select an right schedule. This particular example uses work hours, which is by default 10am to 7pm. You can go into the objects menu on the Cyberoam and edit or create any sort of schedule you want.

Step 5 – Hit ok and save your changes, your users will now only be able to get to the site when you want.

Notes: For this to work properly you need to make sure your Cyberoam’s time is correct. I’ve had a couple of instances where the time was off due to someone picking the wrong time zone during the first setup. If you are getting people who can get to the blocked site earlier than normal, go to the system menu and click on configuration. Most of the time it’s the time zone that is wrong, just find the right one.

Sometimes during the initial setup the Cyberoam appliance will figure out what time zone it’s in based on the internet IP address, but if you have a weird ISP it might find the wrong one. It isn’t entirely human error that causes this and it’s really easy to miss.

Add Hyperlinked Pictures to Outlook 2007 Signatures

I had an interesting question come up yesterday about how to put a Facebook Like button in an Outlook signature. At first I thought the obvious answer was that it was not possible. What the user was really asking though was if we could put a Facebook link button/graphic in a signature or not. I figured that was obviously yes, just paste the HTML code in the signature and that was it right?

Apparently not, according to the Google search results I got back. All the message boards I got back seemed to be in agreement that Outlook 2007 did not support HTML signatures and had these complicated workarounds that wouldn’t be useful for anyone at my organization.

I found a simpler way to add hyperlinked pictures, and its painfully obvious.

Step 1: Open Outlook 2007 and go to Tools -> Options and click the Mail Format tab, then click the “Signatures” button.
Step 2:  Either select the signature you want to change or make a new one.
Step 3: Click wherever you want your picture or icon to go.
Step 4: Click the image icon next to the hyperlink icon on the editing toolbar.

Step 5: Select your picture and insert it into the signature.
Step 6: Click on the picture you just inserted so that it is the selected Object.
Step 7: Click the hyperlink button.
Step 8: Don’t change any of the settings that come up, just put your hyperlink into the  Address Box.

Step 9: Click OK and test your signature.

Of course there are methods to make a direct html signature in Outlook and potentially make a direct like button using the Facebook API. I think this would tend to be impractical if you could even include Facebook API calls in an e-mail. So I tend to think you’d be better off just linking to a page with the like button included.



Cleanly Removing a User Profile from Windows 7

One IT trick I learned a long time ago that seems to fix a lot of problems, especially with users who’ve been in a Windows system for years, is called “Rebuilding A Profile”. The most dramatic example of problems caused by a corrupted user profile that I’ve come across was from an old engineer at the power company. He was one of those guys who’d been with the power company since anyone could remember and had used the same user profile for over a decade at that point. It had become so corrupted that he would log in, then it would make him log in again. On top of that it made his computer run extremely slow and screwed up his Outlook functionality to the point he had to enter his password twice before it would connect to exchange.

It had gone on so long that he’d assumed it was because of his position and weird security settings he had. He’d been doing this for so long that he’d never bothered to report it to IT and only when I’d replaced his computer with a new one and noticed this issue did anyone take action. It took about 30 seconds to fix.

I’ve seen other less dramatic problems like this everywhere I’ve worked and the solution is usually the same. You delete the user’s current profile and then let them log back in and Windows will rebuild it.

CAUTION: This will pretty well wipe out any and all user customization, desktop backgrounds, Outlook data, practically everything. I really only suggest this for domained networks. If you have a network where every user is a local user name don’t attempt this or it WILL cause you some problems.

First thing you need to do is find where exactly the user profile is stored. You can do this by going into Active Directory Users and Computers, right clicking on the user and clicking on Properties. Under the profiles tab, you’ll see a Profile Path box. If it’s blank, that means it’s a ‘local profile’ and stored on their computer. If it’s got something like \\servername\profiles$\username that means it’s a roaming or server-side profile and that’s where it’s at. You’ll also want to take note of where their Home directory has been mapped to, again the same thing applies, if it’s blank it’s a normal local home folder, if it’s got a location mapped it’s in the place mentioned.

Once you’ve determined this follow these steps:

Step 1 – Log them out of Windows and log into a local administrator account.

Step 2 – Go into their Home Folder and make sure you back up their Desktop, Documents, and Favorites folders. You can just move these to a temporary directory. The default place for this is in “C:\Users\Username” . You’ll want to back up those basic folders on their local machine. If the home directory is on a network share, you’ll probably only see those folders that have been redirected there and typically the three I just mentioned are what get re-mapped to a network share. Go ahead and back those up. They might have other folders they’ve made here as well, you’ll want a copy of those too.

Step 3 – The next thing you want to do AFTER you’ve got a backup of their stuff is delete their profile folder on the local machine.  This will always be the C:\Users\Username folder mentioned in step one, whether that’s where their profile is located or not.

Step 4 – If they have a roaming or network profile go ahead and delete that profile folder too. If their home folder is separate you can just leave it in most cases.

Note: If when you complete these steps the problem still isn’t fixed, it’s a good idea to repeat all this again and delete their home folder too. Just make sure to make new backups for when anything has changed.

Step 5 – Next go into the Registry Editor on that machine. You can do this by clicking the start button and just typing “Regedit” into the search box. Older versions of windows you can do this by clicking Run and entering “regedit”

Step 6 – Go to the following Key:
HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.
You’ll see a bunch of sub folders and keys that look something like S-1-5-1533239630-186…. Obviously yours will be slightly different from mine so I will only give a random example. Click through the folders with the longer names and you’ll see they contain a key called “ProfileImagePath”. Look for one where that key’s value is the folder you deleted before. When you find it; delete that containing folder on the left (the S-1-5-21-143152534-1231432-1222 one, not the ProfileList folder). This will avoid the “Temporary Profile” error that Windows 7 is prone to have when you just delete the folders.

Step 7 – Log out of your administrator account and reboot the computer.

Step 8 – Have the user log in again. They’ll notice their desktop is mostly blank, documents are gone and so forth. Just move the files you backed up back into their proper folders and the next time they log in they’ll see them.

Step 9 – Set them up on that computer as if they were new. Get Outlook setup, replace any printers that aren’t automatically deployed, etc.

Step 10 – Have them reboot the computer after you’re done and they should be good to go.

It seems complicated but all  you are really doing is basically the following:

  1. Backing  up their stuff.
  2. Deleting their Profile files.
  3. Having them log in as if for the first time.
  4. Putting their stuff back

It’s amazing the kind of weird problems this process fixed. Typically I use this as a last resort if I can’t actually fix whatever problem they are having. The reason for this is because the system thinks they have literally logged in to that computer for the first time. If you deleted all their network paths its just like they logged into the network for the first time. So they will have to set everything up like it used to be. That means desktop layout, background picture, and everything.

If you’re a home user and have odd problems that seem to defy explanation this will work for you too. Just do the steps and ignore the part about network folders.  Back up the stuff in your Documents, Videos, Photos, Downloads, Favorites, and whatever other folders (click on your name in the start menu to see these) by copying them to an external drive.  Delete the C:\users\yourname folder (log into a separate administrator account first). Then do step 6, and then log in as yourself and put all your stuff back into the right folders (don’t just drag the folders back, actually copy the contents from the backed up ones to the new ones). This is also a quick way to reorganize your stuff too.



How to Swap out a T1 Voice Switch Shoretel

Short one today. I’ve been having a few issues with phone calls here, so after getting a new circuit and all that the problem didn’t resolve, so i’m thinking it’s our T1 switch. I wanted to make a few notes on how to go about swapping them out.

 Step 1 – First set up the switch in ShoreTel Director. You don’t need a new set of trunk groups or anything, just the new switch.

Set your switch up however you normally do, personally I use static IP addresses for my switches and program them through the serial port. Honestly you could set up DHCP reservations in your DHCP server too. You might have to enter the server IP through the console, but when it boots into the server the first time the server actually changes this, so it might not be necessary (I’ve seen it do it on a packet sniffer and yes it kept changing it to the wrong IP).

Step 2 – Make sure the T1 settings are the same on both switches as you are setting up a replacement, and you’ll be hooking the existing T1 into the new switch, not adding any additional capacity. It’s also not a bad idea to check with your phone company on these settings if you can.

You can just set up the first Trunk in the T1 switch and use “Fill Down”. Make sure they are set up on the existing trunk group, again it’s best if you don’t make a new trunk group as you’ll have to re-enter everything.

Step 3 – When you’re ready all you should have to do now is move the T1 from one to the other. I always like to unplug the old switch just to make it show “offline” and not “D-Channel Down” as that can freak out other people getting into the Director.

I like to leave the old settings in place in Director for several days when I do this just to make sure everything is fine. Once you determine the new switch works fine, just delete the old one. That’s really all there is to it.

How to Set Up Blocked and Safe Site lists In Cyberoam 10

If  you have a Cyberoam appliance you know that you can actually manage content filtering for individuals, specific machines or just about any sort of granular criteria you can think of. So I went about unblocking Facebook for several people around the office so they can use it. When I did my boss told me that he was only able to see text in his Facebook page. I searched the internet for the problem and couldn’t find a decent answer for this. So I fired up the handy packet capture diagnostic tool and found that Facebook uses another domain name for its images in its CSS files. The Cyberoam will filter out the images from and let the text through from, just like it’s supposed to if you have DatingMatrimonials or whatever Facebook is categorized under now blocked.

So to unblock Facebook entirely you need to unblock both and 

How To Setup Blocked and Safe Site Lists In Cyberoam 10

Also just in addition to that bit of information on how I set up my white and black lists in Cyberoam. I’ve done this for the probably dozen of these appliances I’ve set up for people. It makes it much easier to manage. Please keep in mind this is not a default setup.

Step 1 – Determine and implement whatever method you use for individual Authentication. Personally I use the Clientless SSO method.
Step 2 – Open up the Web Filter Section and click on Policies.
Step 3 – Don’t use any of the Cyberoam pre-loaded Web Filtering Policies, make your own new one and use one of theirs as the template. Typically I’ll use the “General Corporate Policy” as the template because it covers most of the basic categories most companies want to filter out.
Step 4 – Hit OK to save the Policy, then click the little Manage icon to the right of it so you can edit the categories.
Step 5 – Add any other categories that are missing, and change any you want to implicitly allow to “Allow” instead of “Deny”. Anything not on the list is going to be allowed by default. For instance one company I set up for wanted Gambling specifically denied, and needed the Weapons category unblocked. My own company needed JobSearch unblocked. I typically will block Cricket just because I think it’s hilarious that Cricket is a category (yes one of my acquaintances at Cyberoam told me why, it’s doubly hilarious).
Step 6 – Go ahead and save your work now and move into the Categories section.
Step 7 – Typically here I will add two categories: “Safe Sites” and “Blocked Sites”. This is a very basic black and white list set up.
Step 8 – Go back and manage your new Policy and add SafeSites to your new Policy as “Allowed All the Time” and BlockedSites as “Denied All the Time”.
Step 9 – You could also add a few more categories like “BlockedUntilNoon” and add schedules to them obviously. For instance you might want Facebook only available from 11:00 until 1:00 or something.
Step 10 – Make sure this new policy is the policy for everyone in your organization that needs this type of content filtering.

Now all you need to do to block a specific site is add it to “BlockedSites” and if you want to explicitly unblock a site, add it to “SafeSites”. My favorite example of this is Budweiser, which is an employer here, needed to be unblocked, but Alcohol is a category blocked by Policy. I added the appropriate sites to the SafeSites category and it was unblocked, but is still blocked.

You could take this a step further and make a Global Safe Sites and a Global Blocked Sites and then say Accounting Safe Sites and Human Resources Blocked sites. This would get you a bit more control over things, like if HR needs Facebook but Accounting needs it blocked, but they everyone needs MySpace blocked. Then you’d have an “Accounting Policy” and an “HR Policy”.

One other thing I like to do is make a really locked down tight policy and add it to the Firewall Rule #1, which is the “#LAN_WAN_AnyTraffic” rule. The CIPA one is a pretty good one to use for this. Just select that as the default policy. That way anyone who’s not logged in uses that but still has some small amount of internet use.