House of Suns, by Alastair Reynolds

If you no longer know what to read next, read House of Suns. It is a good example of hard sci-fi, that is, no impossibilities, that nevertheless feels thoroughly fantastical. Post-humans, far-advanced nanotech, intelligent spaceships and a robot people all make an appearance.

An exciting story set in the near and the far future of humanity. It surprises me that House of Suns never won a Hugo or a Nebula; maybe I should start handing out the Golden Fork or something like it.

Find out which program is using a specific port in Windows

You installed a service and it won't run because a specific port number is already in use. You can find out which program is using it from the command line. Let's say you want to find out which program is using port 80.

First, use netstat to list all listening ports and active connections (-a), in numeric form (-n), with the owning process ID (-o), and pipe the output through find:

netstat -aon | find ":80"

Here’s what my laptop says:

TCP  0.0.0.0:80    0.0.0.0:0  LISTENING  4024
TCP  0.0.0.0:8000  0.0.0.0:0  LISTENING  4
TCP  [::]:8000     [::]:0     LISTENING  4

What we're looking for is port 80, not 8000 (find matches ":80" anywhere in the line, so ":8000", ":8080" and connections to a remote port 80 show up as well), so that leaves one process ID, namely 4024. PID 4 is the System process; it appears whenever something in the kernel, such as http.sys or SMB, holds the port.

Next, find out what process 4024 is with the tasklist command:

tasklist | find "4024"

My laptop says:

Skype.exe  4024 Console   1   126.148 kB

Seems like it's Skype that's occupying port 80. Two refinements: tasklist /fi "PID eq 4024" filters on the PID column only, whereas find "4024" also matches that number anywhere else on the line (the memory column, for instance), and netstat -aonb, run from an elevated prompt, prints the executable name next to each entry so the second step can be skipped.
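On Windows 8 / Server 2012 and later there is a cleaner way, shown here as an added example that is not part of the original post: the NetTCPIP cmdlets filter on the exact local port, so port 80 no longer matches 8000, and the owning process can be resolved in the same pipeline. The function name Get-PortOwner is my own.

```powershell
# Added example (not from the original post): find the process that owns a
# local TCP or UDP port with the NetTCPIP cmdlets (Windows 8 / Server 2012
# and later) instead of grepping netstat output.
function Get-PortOwner {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateRange(1, 65535)][int]$Port,
        [ValidateSet('TCP', 'UDP', 'Both')][string]$Protocol = 'Both'
    )

    $endpoints = @()
    if ($Protocol -in 'TCP', 'Both') {
        # -LocalPort is an exact match, so 80 does not match 8000 or 8080.
        $endpoints += Get-NetTCPConnection -LocalPort $Port -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Protocol     = 'TCP'
                    LocalAddress = $_.LocalAddress
                    State        = $_.State
                    PID          = $_.OwningProcess
                }
            }
    }
    if ($Protocol -in 'UDP', 'Both') {
        $endpoints += Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Protocol     = 'UDP'
                    LocalAddress = $_.LocalAddress
                    State        = 'n/a'
                    PID          = $_.OwningProcess
                }
            }
    }

    foreach ($ep in $endpoints) {
        # PID 4 is the System process (http.sys, SMB); PID 0 is an unowned socket.
        $proc = Get-Process -Id $ep.PID -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol     = $ep.Protocol
            LocalAddress = $ep.LocalAddress
            Port         = $Port
            State        = $ep.State
            PID          = $ep.PID
            ProcessName  = if ($proc) { $proc.ProcessName } else { '(System / unknown)' }
            # Path is only readable for other users' processes from an elevated prompt
            Path         = if ($proc) { $proc.Path } else { $null }
            # A port held by svchost is really held by one of the services it hosts
            Services     = if ($proc -and $proc.ProcessName -eq 'svchost') {
                (Get-CimInstance Win32_Service -Filter "ProcessId = $($ep.PID)" |
                    Select-Object -ExpandProperty Name) -join ','
            } else { $null }
        }
    }
}

# Usage:
Get-PortOwner -Port 80 | Format-Table -AutoSize
```

Run it from an elevated prompt when the port belongs to a service running as another account; otherwise Path stays empty, although the process name and PID are still reported.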

Routing internet traffic through a site-to-site OpenVPN-connection in PfSense 2.1

In this article I’ll show you how to create a site-to-site connection using OpenVPN and how to route the internet connection of site A through site B with PfSense 2.1RC0.

ipsec-s2s-vork-00

This is effectively the same as using an IPsec site-to-site connection, except that we'll be using OpenVPN instead of IPsec. Using OpenVPN as the 'back end' means we need to set up one side as a server and the other as the client. It doesn't matter which one is which, but if you are connecting more than two sites in a star topology it seems natural to use the centre of the star as the server. If the server sits behind another router, that router must forward the OpenVPN port to it, or the server must reside in its DMZ.

For the purpose of this article:

  • Site A is a branch office, LAN subnet 192.168.10.0/24
  • Site B is the main office through which all internet traffic is routed, 192.168.20.0/24


Here’s what we’ll do:

  • Set up OpenVPN at Site B
  • Configure firewall rules at Site B
  • Set up outbound NAT at Site B
  • Set up the client at site A
  • Troubleshooting

Set up OpenVPN at Site B

From the VPN menu choose OpenVPN. On the page under the Server tab, click the + button to create a new OpenVPN server.

Enter the following values:

Server Mode Peer to Peer (Shared Key) The simplest mode for two fixed sites. Note that a static key gives no forward secrecy: whoever obtains the key later can decrypt captured traffic, so rotate it if you suspect exposure, or use Peer to Peer (SSL/TLS) with certificates.
Protocol UDP
Device Mode tun
Interface WAN
Local port 9876 1194 is the default OpenVPN port. Moving it keeps scanner noise out of your logs but is not a security control; the shared key, which authenticates every packet, is what keeps strangers out. Pick your own number but we'll stick to 9876 in this article.
Description Site-to-site
Shared Key Checked (Automatically generate a shared key)
Encryption algorithm AES-256-CBC (256-bit)
Hardware Crypto No Hardware Crypto Acceleration unless you have it. If in doubt, select 'No Hardware Crypto Acceleration'.
IPv4 Tunnel Network 192.168.204.0/30 Choose a subnet that's not in use in any of your LANs. This will be used internally by OpenVPN. We're using 192.168.204.0/30 here but any private range will do. The /30 mask is because OpenVPN will only use one IP address per site. We're connecting two sites so two addresses will suffice. /24 will work but is overkill.
IPv6 Tunnel Network leave empty
IPv4 Local Network/s 192.168.20.0/24 Site B's subnet
IPv6 Local Network/s leave empty
IPv4 Remote Network/s 192.168.10.0/24 Site A's subnet (don't forget the mask)
IPv6 Remote Network/s leave empty
Concurrent connections leave empty
Compression Check if the bulk of the data transferred will be uncompressed data, like Office documents. Leave unchecked if the bulk is already compressed, like divx films. Routers on faster hardware can compress faster. There is also a security reason to leave it off: compression inside an encrypted tunnel lets an attacker who can get chosen plaintext into the tunnel (a web page a user loads, say) learn about the secrets compressed next to it, the VORACLE class of attacks.
Type-of-Service unchecked
Duplicate Connections unchecked
Advanced leave empty


Click Save.

Note that our Site-to-site OpenVPN server is now shown in the Server overview. Click the edit button to the right of the server.


Note that in the Cryptographic Settings section, a Shared Key is now shown. Copy all text in the Shared Key text field, including the first lines beginning with # and the last line, -----END OpenVPN Static key V1-----. The key is a secret in the same sense as a password: move it to Site A over a channel you trust, not by plain e-mail.


Configure firewall rules at Site B

From the Firewall menu, choose Rules. Open the WAN tab, unless you’re using a different interface for the VPN connection. Click on the + button to add a new rule.


Enter the following values:

Action Pass
Disabled not checked
Interface WAN
TCP/IP Version IPv4
Protocol UDP
Source any
Destination Type: WAN address
Destination port range from: (other) 9876 to: (other) 9876
Log unchecked
Description Site-to-site VPN


Click Save and on the next page, click Apply changes.


Click on the OpenVPN tab. We'll now add a rule to allow traffic through the OpenVPN connection. Click on the + button to add a rule.

Enter these values:

Action Pass
Disabled not checked
Interface OpenVPN
TCP/IP Version IPv4
Protocol any
Source any
Destination any
Log not checked
Description Allow everything through OpenVPN


Click Save and on the next page click Apply Changes. A pass-all rule is the quickest way to get the tunnel working; once it does, tighten Source to Site A's subnet (192.168.10.0/24). Destination has to stay any, because Site A's internet traffic also enters through this interface.


Set up outbound NAT at Site B

From the Firewall menu, choose NAT and click on the Outbound tab.
Select Manual Outbound NAT rule generation (AON – Advanced Outbound NAT) and click Save. On the next page, click Apply Changes.


A couple of rules are generated automatically but we need to add a NAT entry for Site A’s subnet. Click on the + button.

Enter these values:

Do not NAT not checked
Interface WAN
Protocol any
Source Type: Network, Address: 192.168.10.0/24 (Site A's subnet), Source port: leave empty
Destination Type: any, Destination port: leave empty
Translation Address: Interface address, Port: leave empty, Static port: not checked
No XMLRPC Sync Leave empty unless you know that you need it.
Description Site A


Click Save and on the next page click Apply Changes.


Set up the client at site A

From the VPN menu choose OpenVPN and go to the Client tab. Click the + button to configure a client.

Enter these values:

Disabled not checked
Server Mode Peer to Peer (Shared Key)
Protocol UDP same as Site B
Device mode tun
Interface WAN
Local port leave empty
Server host or address Site B's public IP address or FQDN
Server port 9876 the port Site B is running the OpenVPN server on
Proxy host or address leave empty if you don't use a proxy
Proxy port leave empty if you don't use a proxy
Proxy authentication extra options none if you don't use a proxy
Server host name resolution check (infinitely resolve server) if Site B sometimes has connectivity problems
Shared Key do not check 'Automatically generate a shared key' but paste the Shared Key from Site B
Encryption algorithm AES-256-CBC (256-bit) same as Site B
Hardware Crypto Unless you have hardware crypto acceleration choose 'No Hardware Crypto Acceleration'
IPv4 Tunnel Network 192.168.204.0/30 same as Site B
IPv6 Tunnel Network leave empty
IPv4 Remote Network/s 192.168.20.0/24 Site B's subnet: 'remote' is seen from the client, so this is the network at the far end of the tunnel. (With redirect-gateway below everything is sent through the tunnel anyway, but the route should still be right.)
IPv6 Remote Network/s leave empty
Limit outgoing bandwidth leave empty unless you need it
Compression same as Site B
Type-of-Service not checked
Advanced redirect-gateway def1; This makes all traffic, including internet traffic, go through the tunnel. def1 adds 0.0.0.0/1 and 128.0.0.0/1 routes over the tunnel instead of replacing Site A's default route, so the route to Site B's public address over the real WAN stays intact.


Click Save.

The tunnel should now work and internet traffic from Site A should be routed through the tunnel and out of Site B's internet connection.


Troubleshooting

  • You can check the connections’ statuses from Status > OpenVPN. You can also restart the tunnels from here.
  • Check the log file at Status > System Logs > OpenVPN. If you’re getting HMAC errors, check if you copied the Shared Key correctly.
  • Make sure you are not trying to connect overlapping subnets. This goes for any tunneling system.
  • PfSense gets confused if you have multiple VPN (either OpenVPN or IPsec) configurations that use identical subnets or names so always use unique subnets and names.
  • Check Diagnostics > Routes to see whether your bits are going where they should.

Poems about NAT reflection

I'd like to see you try it: write a poem about NAT reflection (about what?). @Ongerijmd and @KptZeiksnor came up with results.

(@KptZeiksnor was right.)

@Ongerijmd came up with an epic poem:

NAT reflection

Our hero is a sysadmin
hired by the board of directors
The assignment was a single sentence:
"build us a NAT reflection."

"This will be custom work," thought the hero
The good man rejected off-the-rack
And designed, so it was told,
in a single night the NAT reflection.

But I notice: you are getting upset
Yes, I hear your interjection
I get it. You are a layman
as far as NAT reflection goes.

I'll explain, but very briefly
A new intranet connection
is regarded as "not from here"
That is what NAT reflection does.

Mind you: despite the name this has
nothing to do with introspection
Whoever thinks so is incompetent
in the art of NAT reflection.

Back to our protagonist
he accepts no imperfection
toiling for a meagre wage
he builds on his NAT reflection.

He did not work for money alone
but did this with enough affection
and so grew very attached
to that fine NAT reflection.

He discovered, with a blush,
the presence of an erection
the rise of this colossus
he attributed to the NAT reflection.

But, inspired by that,
he thought of SQL injection
Never must she be defiled,
the dearly beloved NAT reflection.

So he diligently built
an impenetrable protection
a good firewall all around
the network with the NAT reflection.

At last it was finished
and after a final inspection
the hero, more than worn out, sank
down beside the NAT reflection.

When presenting it to the boss
the latter said: "Ah, a change of course
The assignment was a bit silly
I don't need it, that NAT reflection."

The sysadmin lost it completely
the boss succumbed to vivisection
The pool of blood showed our friend
his mirror image. A wet reflection.

Source: http://ongerijmd.blogspot.nl/ (deeplink)

Routing internet traffic through a site-to-site IPsec tunnel in PfSense 2.1

In PfSense versions before 2.1 you could create site-to-site IPsec tunnels to connect two or more sites together. This worked fine but you couldn’t (from the web interface) route internet traffic from site A through the IPsec tunnel so that it would use site B’s internet connection.

PfSense version 2.1 introduces that possibility. In such a setup internet traffic from Site A would appear to be coming from Site B. We had to use this because a vendor would check from which public IP an incoming connection was initiated.


In this article we have two sites:

  • Site A is a branch office, LAN subnet 192.168.10.0/24
  • Site B is the main office through which all internet traffic is routed, 192.168.20.0/24


Here’s what we’ll do:

  • Set up the IPsec tunnel Phase 1
  • Set up the IPsec tunnel Phase 2
  • Allow IPsec traffic through the firewall
  • Configure outbound NAT
  • Troubleshooting

Set up the IPsec tunnel Phase 1

In Site A

In the VPN menu select IPsec. It opens on the Tunnels tab. Click the + button to create a new Phase 1 setup. (Make sure Enable IPsec is checked and saved.)


Enter these values:

Internet Protocol IPv4
Interface WAN Unless you're using a separate OPT interface
Remote Gateway Site B's public IP address or FQDN
Description Site B The site's locality
Authentication method Mutual PSK
Negotiation mode aggressive Main mode is the safer choice with a PSK: in aggressive mode the hash derived from the PSK travels in the clear and can be cracked offline. Both sites here have fixed addresses and identify by IP, so main mode works; use aggressive only when a peer has a dynamic address and must identify itself by name.
My identifier My IP address
Peer identifier Peer IP address
Pre-Shared Key Any long key. I got mine at https://www.grc.com/passwords.htm but be careful: if you copy a string from that site your browser may add one or two spaces at the end of the string, so CHECK THE COPIED STRING before you paste it into the Pre-Shared Key field.
Policy Generation Default
Proposal Checking Default
Encryption algorithm AES 256bits Unless you have a reason to choose something else. Check this for a discussion of the options.
Hash algorithm SHA256 Unless you need something else. Check this for a discussion of the options.
DH key group 2 (1024 bit) Read this for an explanation of what this is. 1024-bit DH is the weakest group most peers still accept; pick group 14 (2048 bit) if both ends support it.
Lifetime 28800
NAT Traversal Disable Turn this off unless you need it (an endpoint behind a NAT device).
Dead Peer Detection Enable: 10 seconds, 5 retries Turn it off if you don't like it.

Note: the encryption options influence the speed of the line but not very significantly. You would have to use really slow hardware to notice it. I tested a range of options and found the speed doesn’t deviate more than 5% from the values I suggest here.


Click Save and in the next screen click Apply Changes. Note that your Phase 1 entry is now shown on the IPsec page.


In Site B

Do the same as in Site A but in the Remote Gateway field enter Site A’s public IP address or FQDN and in the Description field enter ‘Site A’.

Set up the IPsec tunnel Phase 2

In Site A

Click the + button under the Phase 1 entry. It will give you an overview of all available Phase 2 entries. Since we haven’t made any yet none are shown.


Click the + button to create a new Phase 2.


Enter these values:

Mode Tunnel IPv4
Local Network Type: LAN subnet. NAT/BINAT type: None.
Remote Network Type: Network, Address: 0.0.0.0/0 This tells PfSense to send everything, internet traffic included, through this tunnel.
Description Site B
Protocol ESP
Encryption algorithm AES 256 bits
Hash algorithm SHA256
PFS key group 2 (1024 bit) As with Phase 1, prefer group 14 (2048 bit) if both ends support it.
Lifetime 3600
Automatically ping host Enter a hostname or IP address to keep the tunnel alive. In my experience this is not necessary.


Click Save and on the next page click Apply Changes.

In Site B

Local Network Type: Network, Address: 0.0.0.0/0
Remote Network Type: Network, Address: Site A's LAN subnet (192.168.10.0/24)
Use the same Phase 2 proposal and Advanced options as in Site A.

Click Save and then Apply Changes.

Allow IPsec traffic through the firewall

The tunnel should now be operational however no traffic is allowed through it until you add a firewall rule for that. You must add the rule on both sites’ routers.

From the Firewall menu, choose Rules. Go to the IPsec tab and click the + button.


Set the Protocol to any and in the Description field type ‘Allow everything through IPsec tunnel’. Click Save and on the next page click Apply changes. Do this on both routers.


At this point the tunnel should be up and you should be able to ping from one side to the other and back. Computers in Site A haven’t got an internet connection however. This is because we still need to configure NAT for the IPsec tunnel.

Configure outbound NAT

In the default setup outbound NAT is configured automatically. We need to set it to Manual in order to add Site A’s subnet.

In Site B

From the Firewall menu, choose NAT and click the Outbound tab. Note that Mode is set to Automatic outbound NAT rule generation. Select Manual Outbound NAT rule generation and click Save. On the next page, click Apply changes.

Click the + button to open the New Mapping page.


As the Source Type, select Network. In the Source, Address field type Site A’s subnet: 192.168.10.0/24.

In the Description field, type ‘NAT for IPsec tunnel Site A’.


Click Save and on the next page, click Apply changes.

Note that the new entry is shown in the outbound NAT overview.


You do not need to do this on Site A's router.
At this point Site A will have a working internet connection through the IPsec tunnel and out of Site B's internet provider. Any internet traffic from Site A will look as if it were coming from Site B (see the diagram at the beginning of this article).

Troubleshooting

  • You can find out what IPsec is doing by choosing System logs in the Status menu, tab IPsec. If you find it difficult to decipher this: disable the tunnel, clear the log, enable the tunnel and see what is logged. If you find nothing special, go to System, Advanced, Miscellaneous, check IPsec Debug and start again.
  • Make sure you are not trying to connect overlapping subnets. This goes for any tunneling system.
  • One of my sites ran over a VLAN that used a subnet partly like one of the connected subnets which prevented the connection from initiating. Disabling NAT-T on the endpoint of the tunnel fixed this.
  • PfSense’s IPsec statuses do not always represent their correct states.
  • If you are absolutely convinced that it should work but it doesn’t, reboot the client you are testing on and reboot the routers. It shouldn’t be necessary but it has been known to help sometimes.
  • PfSense gets confused if you have multiple VPN (either OpenVPN or IPsec) configurations that use identical subnets or names so always use unique subnets and names.
  • Check Diagnostics > Routes to see whether your bits are going where they should.
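Both the OpenVPN and the IPsec troubleshooting lists above say not to connect overlapping subnets. The check below is an added example, not from the original articles: it takes the LAN subnets and the tunnel network used in these articles and reports every pair that overlaps, so a plan can be checked before either router is touched. The function names are my own.

```powershell
# Added example (not from the original articles): detect overlapping IPv4
# subnets before building a site-to-site tunnel. Labels and subnets below
# are the ones used in the articles; the tunnel network is the OpenVPN one.
function ConvertTo-AddressNumber {
    # Dotted IPv4 address -> integer, as [long] so 192.x.x.x does not overflow.
    param([Parameter(Mandatory)][string]$Dotted)
    $bytes = [System.Net.IPAddress]::Parse($Dotted).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "IPv4 only: $Dotted" }
    return ([long]$bytes[0] -shl 24) -bor ([long]$bytes[1] -shl 16) -bor ([long]$bytes[2] -shl 8) -bor [long]$bytes[3]
}

function Get-NetworkRange {
    # First and last address of a CIDR block. Rejects a bare address such as
    # the '192.168.10.0' without a mask that is easy to type into pfSense.
    param([Parameter(Mandatory)][string]$Cidr)
    $parts = $Cidr -split '/', 2
    if ($parts.Count -ne 2) { throw "Expected CIDR notation (a.b.c.d/len), got '$Cidr'" }
    $len = [int]$parts[1]
    if ($len -lt 0 -or $len -gt 32) { throw "Bad prefix length in '$Cidr'" }
    $all32 = [long][uint32]::MaxValue            # 4294967295, keeps results within 32 bits
    $mask  = if ($len -eq 0) { [long]0 } else { ($all32 -shl (32 - $len)) -band $all32 }
    $start = (ConvertTo-AddressNumber $parts[0]) -band $mask
    $end   = $start -bor ((-bnot $mask) -band $all32)
    [pscustomobject]@{ Cidr = $Cidr; Start = $start; End = $end }
}

function Test-SubnetOverlap {
    # Takes label -> CIDR and emits one object per overlapping pair.
    param([Parameter(Mandatory)][hashtable]$Networks)
    $ranges = @(foreach ($label in $Networks.Keys) {
        Get-NetworkRange $Networks[$label] |
            Add-Member -NotePropertyName Label -NotePropertyValue $label -PassThru
    })
    for ($i = 0; $i -lt $ranges.Count; $i++) {
        for ($j = $i + 1; $j -lt $ranges.Count; $j++) {
            $a = $ranges[$i]; $b = $ranges[$j]
            # Two ranges overlap when neither one ends before the other starts.
            if ($a.Start -le $b.End -and $b.Start -le $a.End) {
                [pscustomobject]@{
                    First  = "$($a.Label) ($($a.Cidr))"
                    Second = "$($b.Label) ($($b.Cidr))"
                }
            }
        }
    }
}

# The plan from these articles; add every VLAN and every other tunnel the
# routers know about, since pfSense does not check this for you.
$plan = @{
    'Site A LAN'     = '192.168.10.0/24'
    'Site B LAN'     = '192.168.20.0/24'
    'OpenVPN tunnel' = '192.168.204.0/30'
}
$conflicts = @(Test-SubnetOverlap -Networks $plan)
if ($conflicts.Count -eq 0) { 'No overlapping subnets' } else { $conflicts | Format-Table -AutoSize }
```

With the plan as given the output is "No overlapping subnets"; change the tunnel network to 192.168.10.252/30 and the pair with Site A's LAN is reported. Feed it every subnet both routers route, including the VLAN mentioned in the troubleshooting notes, not just the two LANs.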

Fix NAT reflection

Now I have a public webserver in Site B. It used to be accessible from the internet. It was also accessible from within Site A because A wasn't connected to B. Clients in Site B could reach it because of NAT reflection: PfSense routes internal traffic to the webserver's external IP address to make it look like it was coming from outside, in order to expose the website to users within Site B.

Setting up internet routing through the IPsec tunnel broke this and I needed to do this:

In the System menu, under Advanced, click the Firewall/NAT tab. Scroll down to the Network Address Translation section.

I already had NAT Reflection mode for port forwards set to Enable (NAT + Proxy) but I also needed to check Enable automatic outbound NAT for Reflection.

Under Firewall, NAT, Port Forward, I edited the port forwarding rules: I set NAT reflection to Enable (Pure NAT). I’m not sure this is necessary if NAT Reflection mode for port forwards is already set to Enable but it works.

Lord of Light, by Roger Zelazny

What an extraordinary book! The author said of it that he deliberately mixed science fiction and fantasy, just to see how that would go.

Colonists on a planet have found a way to transfer their soul into another body and are thereby effectively immortal. When someone is due for a new body, how he has lived his life is examined, and on that basis he is, or is not, reincarnated into a new caste. The characters have names like Vishnu, Krishna and Mahasamatman, also known as Buddha.

The whole story seems to consist of Hindu and Buddhist stories, except that the gods use technology to hold on to their power.

The book consists of seven chapters that are not in chronological order. The bizarre effect is that chapter six flows seamlessly into chapter one, and that chapter seven invites an immediate re-reading of the book, during which all sorts of other aspects of the story become clear.

I am not a fantasy lover, but Lord of Light can perfectly well be read as sci-fi: all the magic is explained in terms of technology. In doing so Zelazny puts the Niven variant of Clarke's third law into practice: Clarke stated "Any sufficiently advanced technology is indistinguishable from magic" and Niven countered with "Any sufficiently explained magic is indistinguishable from technology."

Wikipedia has a remarkably extensive treatment of Lord of Light. It is nice to be able to read afterwards about the religious, historical and mythological figures on which the characters are based. Warning: it contains a hefty amount of spoilers.

The copy I have is from the 'SF Masterworks' series, and so far that label fits.

Powersat, by Ben Bova

In 1992 Ben Bova wrote Mars. It was part one of the Grand Tour series, a series of science fiction stories in which the reader is taken on a tour through the solar system. That seemed to me a very interesting series to read, but by then there were sixteen parts and they were not written in chronological order. So that took some searching; fortunately Wikipedia offers a nice overview.

The chronological part one of the Grand Tour series is Powersat, and the first time I started it I was a little disappointed that it was not science fiction.

The second time I decided to bite the expected bullet after all, because I really wanted to read the rest of the series, and that turned out to be a good choice: Powersat reads like an action film with a good story and a nice dose of humour.

The story is about an entrepreneur who wants to put a series of solar panels into orbit around the Earth in order to beam the energy down to power stations on the ground. Powersat came out in 2005; although the idea of a powersat is much older, there were already experiments with this technology at the time. I think it is very likely that we will soon be able to use this form of energy generation commercially.

Strictly speaking, that puts Powersat in the category of diamond-hard sci-fi: very plausible; all the technology already exists but has not yet been deployed. Above all it shows what we need to think about before such a technique can be deployed.

For a sci-fi lover Powersat is not earth-shattering literature, but it is certainly worthwhile because it is fun to read, well put together and the chronological part one of a sci-fi series.

Install network printers from the command line in Windows

Here's a script to install network printers from the command line in Windows. It works on XP, Vista and 7 and I think it will in Windows 8.

You'll need the path to the exact driver the client needs. This could be a mapped share. I used a USB key, and since all machines I ran it on were identical I knew the exact volume name beforehand. If you don't, you can get it by capturing the output of the CD command, like this:


for /f %i in ('cd') do set vol=%~di

The current volume name is then stored in the %vol% variable. (Inside a batch file, double the percent signs: %%i and %%~di.)

Since I needed to add three printers each time I wrote a little for-loop that called the routine to install the printer.

The location is freestyle but the convention is to ‘zoom in’ on the printer so it’s easy to find it from a list, like so: Country/Locality/Street or office/floor number/printer number. Anything will work but if you stick to (a variation on) this example your users will always be able to quickly find a nearby printer.

Here’s a TechNet Library article that explains more about Prnport.vbs.



@echo off
setlocal

:: Install network printers. The print-management scripts (prnport.vbs etc.)
:: live in System32; use %SystemRoot% rather than a hard-coded drive letter.
cd /d %SystemRoot%\System32

:: Usage:
:: Call :AddPrinter [ip address] [path to .inf driver] [driver name] [printer name] [printer location]
:: Example:
:: Call :AddPrinter 10.0.0.7 "E:\Drivers\Oce\KOAZ8JA_.inf" "Generic 36C-1SeriesPCL" "Oce copier" "NL/Rotterdam/Weena/Floor 5"
:: Put your Call lines here, above the goto, one per printer.

goto :eof

:AddPrinter
:: Check the arguments before doing anything. Arguments keep their quotes,
:: so names and paths containing spaces survive the comparison and the calls below.
if [%5]==[] goto :NotEnoughParams
set ip=%1
set inf=%2
set drivername=%3
set printername=%4
set location=%5

echo Installing printer %printername%...
echo.

::Create a standard TCP/IP port named IP_<address> in raw mode (port 9100)
cscript prnport.vbs //NoLogo //B -a -r IP_%ip% -h %ip% -o raw

::Add the driver from its .inf
cscript prndrvr.vbs //NoLogo //B -a -i %inf% -m %drivername%

::Install the printer on that port with that driver
cscript prnmngr.vbs //NoLogo //B -a -p %printername% -r IP_%ip% -m %drivername%

::Set the printer location
cscript prncnfg.vbs //NoLogo //B -t -p %printername% -l %location%

goto :eof

:NotEnoughParams
echo Missing parameter(s)
goto :eof
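On Windows 8 / Server 2012 and later the prn*.vbs scripts have PowerShell equivalents in the PrintManagement module. The function below is an added example, not the post's own script: it performs the same four steps with those cmdlets, validates its input first, and can be run repeatedly without creating duplicate ports or printers. The function name and the values in the usage line (taken from the batch example above) are illustrative.

```powershell
# Added example (not from the original post): the batch script's four steps
# with the PrintManagement cmdlets (Windows 8 / Server 2012 and later).
function Add-NetworkPrinter {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateScript({ [System.Net.IPAddress]::TryParse($_, [ref]$null) })]
        [string]$IPAddress,

        [Parameter(Mandatory)]
        [ValidateScript({ Test-Path -LiteralPath $_ -PathType Leaf })]
        [string]$InfPath,

        [Parameter(Mandatory)][string]$DriverName,
        [Parameter(Mandatory)][string]$PrinterName,
        [Parameter(Mandatory)][string]$Location
    )

    # Same naming convention as the prnport.vbs call in the batch script.
    $portName = "IP_$IPAddress"

    # Every step checks first, so running the script twice on the same machine
    # neither fails nor creates a second port, driver or printer.
    if (-not (Get-PrinterPort -Name $portName -ErrorAction SilentlyContinue)) {
        Add-PrinterPort -Name $portName -PrinterHostAddress $IPAddress
    }

    if (-not (Get-PrinterDriver -Name $DriverName -ErrorAction SilentlyContinue)) {
        # Add-PrinterDriver installs from the driver store; stage the package
        # there first with pnputil if it is not already present.
        Add-PrinterDriver -Name $DriverName -InfPath $InfPath
    }

    if (-not (Get-Printer -Name $PrinterName -ErrorAction SilentlyContinue)) {
        Add-Printer -Name $PrinterName -DriverName $DriverName -PortName $portName
    }

    # Location is set unconditionally so a changed convention propagates.
    Set-Printer -Name $PrinterName -Location $Location
}

# Usage (values from the article's batch example):
Add-NetworkPrinter -IPAddress 10.0.0.7 -InfPath 'E:\Drivers\Oce\KOAZ8JA_.inf' `
    -DriverName 'Generic 36C-1SeriesPCL' -PrinterName 'Oce copier' `
    -Location 'NL/Rotterdam/Weena/Floor 5'
```

Run it elevated; adding ports and drivers needs administrative rights. If the driver is not yet in the driver store, stage it first with pnputil (the -a form on older systems, /add-driver on current ones) and pass the INF path it reports.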

Automatic signatures in Outlook through Active Directory VB logon script

If you’re an Active Directory admin sooner or later the question will come to you. We need automatic, customized signatures in Outlook for every user.

There are third party applications that do this and I understand Exchange can do this nowadays but when I wrote this script, it couldn’t and 3rd parties were too expensive or lacked features I wanted.

The fun thing about Outlook is that when you create a signature in it, it scrambles your HTML and thus its layout. It will not keep its paws off it. The workaround is to create your own HTML file and point Outlook to it so it doesn't have to save it itself.

We created a default signature in HTML with our logo and placeholders for phone, fax, cell number, etc. I put [PHONE], [FAX], etc. in as the placeholders. The script then pulls the info from the AD user account and replaces the placeholders. I used the AD logon script to do this.

Here’s how it goes when a user logs on:

  1. The default signature file is copied to the user's computer.
  2. The user's information is pulled from AD.
  3. The placeholders in the HTML signature file are replaced by the info from the user account.
  4. Outlook is pointed to the signature files.


A strange thing to note is that Outlook signature files are actually set using Microsoft Word, which can act as Outlook’s e-mail editor.

Some users wanted a custom ‘tag line’ before their signature in e-mails so they wouldn’t have to type their names. I used the Notes field under the Telephone tab in the users’ account properties for this.

In my Domain Controller’s logon directory I made a directory called Signatures and placed all defaults (the html files and pictures) there. The script references them and the clients initially copy those files to customize them locally. As we are a Dutch organisation I had to account for multiple languages. It should be easy to adjust this script for other languages.

Also I created htm, rtf and txt versions of the signature files for each language to account for htm, rtf and plain text e-mail.

The network share mapping in the beginning of the script was to replace the previous logon script (a batch script) that just mapped a share. I left it in for reference.

The script was written for Outlook XP, 2007, 2010 and 2013, on Windows XP, Vista and 7. It should be somewhat future-proof. Outlook XP sometimes had trouble loading the logo picture, and once in a while a user would call in to complain that their signature was gone. I then had to remove two very large (>1GB) files called 'signatures' and 'handtekeningen' from where there should be two directories with those names. This happened sporadically and the solution was simple, so I never tracked down the origin of the problem.

Here is the script. Note that lines may wrap here where they shouldn’t.


' Note: On Error Resume Next hides every failure (an unreachable NETLOGON share,
' a locked file), so the script then silently does nothing. Comment it out while testing.
On Error Resume Next

' Map network drive
Set objNetwork = CreateObject("WScript.Network")
' objNetwork.MapNetworkDrive "P:" , "\\Data\data"

' Retrieve desktop and signature paths
' Retrieve user info from AD
' If they exist, backup the current signature folders
' Delete local signature folders
' Copy network signature folder to local system
' Edit user info into local signature file
' Duplicate local folder for Dutch language systems
' Set default signature in Outlook

' This is the name of the default signature, excluding any file extensions.
' For example: strDefaultSignature = "Rotterdam-NL"
' Make sure this signature exists.

Dim strDefaultSignature
strDefaultSignature = "Rotterdam-NL"

Dim StrDefaultPhoneNr
StrDefaultPhoneNr = "010 - 123 45 67"

Dim StrFaxNL, StrFaxEN
StrFaxNL = "010 - 987 65 43"
StrFaxEN = "+31 10 987 65 43"

' Dim general variables (van = from, naar = to)
Dim van, naar, FldToMove

' Set some constants
Const ForReading = 1
Const ForAppending = 8

' Initiate filesystem and objects
Dim FSO, wshShell
Set FSO = CreateObject("Scripting.FileSystemObject")
Set wshShell = CreateObject("WScript.Shell")

' Retrieve desktop and signature paths
Dim StrSigPath, StrLogonServer
StrSigPath = wshShell.ExpandEnvironmentStrings("%appdata%") & "\Microsoft"
StrLogonServer = wshShell.ExpandEnvironmentStrings("%logonserver%")

strSigPathNL = StrSigPath & "\Handtekeningen\"
strSigPathEN = StrSigPath & "\Signatures\"

' Retrieve user info from AD
Set objSysInfo = CreateObject("ADSystemInfo")
strUser = objSysInfo.UserName
Set objUser = GetObject("LDAP://" & strUser)
strName = objUser.FullName
strPhone = objUser.TelephoneNumber
strMobile = objUser.Mobile
strEmail = objUser.emailaddress
strInfo = objUser.info 'Notes field: extra text the user wants before the signature
arrInfo = Split(strInfo, vbCrLf)

' Format office phone number: a ten-digit number such as 0101234567 becomes
' "010 - 123 45 67"; anything else falls back to the switchboard number
If StrPhone <> "" Then
  If Len(StrPhone) > 9 Then
    If IsNumeric(StrPhone) Then
      StrPhone = Left(StrPhone, 3) & " - " & Mid(StrPhone, 4, 3) & " " & Mid(StrPhone, 7, 2) & " " & Mid(StrPhone, 9, 2)
    Else
      StrPhone = StrDefaultPhoneNr
    End If
  Else
    StrPhone = StrDefaultPhoneNr
  End If
Else
  StrPhone = StrDefaultPhoneNr
End If
StrPhoneNL = StrPhone
' International form: drop the leading 0, prefix +31, drop the dash
StrPhoneEN = "+31 " & Right(StrPhone, Len(StrPhone) - 1)
StrPhoneEN = Replace(StrPhoneEN, "-", "")

' Format mobile phone number (06 - 123 456 78); an empty or odd value is left as-is
If StrMobile <> "" Then
  If Len(StrMobile) > 9 Then
    If IsNumeric(StrMobile) Then
      StrMobile = Left(StrMobile, 2) & " - " & Mid(StrMobile, 3, 3) & " " & Mid(StrMobile, 6, 3) & " " & Mid(StrMobile, 9, 2)
    End If
  End If
End If
StrMobileNL = StrMobile
If StrMobile <> "" Then
  StrMobileEN = "+31 " & Right(StrMobile, Len(StrMobile) - 1)
  StrMobileEN = Replace(StrMobileEN, "-", "")
Else
  StrMobileEN = ""
End If

' Delete the signature folders if they exist
Dim DelFld, backupfld, backupmaker

If FSO.FolderExists(strSigPathNL) Then
  van = Left(strSigPathNL, Len(strSigPathNL) - 1)
  naar = van & "-backup"

  ' If no backup folder exists yet, make one. This backs up the user's original
  ' signature files and never overwrites an earlier backup.
  If Not FSO.FolderExists(naar) Then
    Set FldToMove = FSO.GetFolder(van)
    FldToMove.Move(naar)
  Else
    ' A backup already exists: just remove the current folder.
    Set DelFld = FSO.GetFolder(strSigPathNL)
    DelFld.Delete True
  End If
End If

If FSO.FolderExists(strSigPathEN) Then
  van = Left(strSigPathEN, Len(strSigPathEN) - 1)
  naar = van & "-backup"

  If Not FSO.FolderExists(naar) Then
    Set FldToMove = FSO.GetFolder(van)
    FldToMove.Move(naar)
  Else
    Set DelFld = FSO.GetFolder(strSigPathEN)
    DelFld.Delete True
  End If
End If

' Create a new signature folder
Dim MkFld
Set MkFld = FSO.CreateFolder(strSigPathEN)

' Copy contents of the network signature folder
Dim NetworkSigFld, flds, subfld, files
Set NetworkSigFld = FSO.GetFolder(StrLogonServer & "\NETLOGON\Signatures")

' Copy folders
Set flds = NetworkSigFld.SubFolders
For Each subfld In flds
  FSO.CopyFolder subfld, strSigPathEN
Next
Set flds = Nothing

' Copy files
Set files = NetworkSigFld.Files
For Each sigfile In files
  sigfile.Copy strSigPathEN
Next
Set files = Nothing
Set NetworkSigFld = Nothing

' Edit the signature htm/rtf/txt files
Dim LocalSigFld, SigFile, TemplateFile, StrLine, HtmFile, ext, BaseSigFile, linenr, strLogoPath
Set LocalSigFld = FSO.GetFolder(strSigPathEN)
Set files = LocalSigFld.Files
For Each SigFile In files
  van = strSigPathEN & SigFile.Name
  ' Files named *-EN.* get the international number formats
  If InStr(SigFile.Name, "-EN") > 0 Then
    StrPhone = StrPhoneEN
    StrFax = StrFaxEN
    StrMobile = StrMobileEN
  Else
    StrPhone = StrPhoneNL
    StrFax = StrFaxNL
    StrMobile = StrMobileNL
  End If
  ext = LCase(Right(van, 4))            ' .htm, .rtf or .txt
  BaseSigFile = Left(van, Len(van) - 4)
  naar = BaseSigFile & ".tmp"
  If FSO.FileExists(naar) Then
    FSO.DeleteFile naar
  End If
  ' Move the template aside and rebuild the real file from it
  FSO.MoveFile van, naar

  Set TemplateFile = FSO.OpenTextFile(naar, ForReading)
  Set HtmFile = FSO.OpenTextFile(BaseSigFile & ext, ForAppending, True)

  ' Set logo path
  strLogoPath = BaseSigFile & "_files\becologo.jpg"

  ' Add custom signature text (htm files only). The HTML tags in these WriteLine
  ' calls were lost when the post was published; they are reconstructed here as
  ' a paragraph in #1F497D, the Outlook 2010 default response colour.
  ' Split returns a 0-based array, so the loop starts at 0.
  If strInfo <> "" And ext = ".htm" Then
    HtmFile.WriteLine "<p style=""color:#1F497D"">"
    For linenr = 0 To UBound(arrInfo)
      HtmFile.WriteLine arrInfo(linenr) & "<br>"
    Next
    HtmFile.WriteLine "</p>"
  End If

  ' Scan the template file for placeholders and replace them
  Do Until TemplateFile.AtEndOfStream
    StrLine = TemplateFile.ReadLine
    StrLine = Replace(StrLine, "[LOGOPATH]", strLogoPath)
    StrLine = Replace(StrLine, "[PHONE]", StrPhone)
    StrLine = Replace(StrLine, "[MOBILEPHONE]", StrMobile)
    StrLine = Replace(StrLine, "[EMAIL]", strEmail)
    StrLine = Replace(StrLine, "[FAX]", StrFax)
    StrLine = Replace(StrLine, "[FULLNAME]", strName)
    ' Write to the signature file (WriteLine adds the line break itself)
    HtmFile.WriteLine StrLine
  Loop

  TemplateFile.Close
  HtmFile.Close
  Set HtmFile = Nothing
  Set TemplateFile = Nothing

  FSO.DeleteFile naar
Next

' Copy the _files directory to a _bestanden directory for Dutch language systems
Dim EN_name, NL_name, ENfolders
Set ENfolders = FSO.GetFolder(strSigPathEN)
Set flds = ENfolders.SubFolders
For Each subfld In flds
  EN_name = subfld.Name
  NL_name = Left(EN_name, Len(EN_name) - 5) & "bestanden"
  FSO.CopyFolder subfld, strSigPathEN & NL_name
Next
Set flds = Nothing
Set ENfolders = Nothing

' Copy the Signatures directory to the Handtekeningen directory for Dutch language systems
van = Left(strSigPathEN, Len(strSigPathEN) - 1)
naar = Left(strSigPathNL, Len(strSigPathNL) - 1)
FSO.CopyFolder van, naar

' Set the signature as default in Outlook. Outlook stores this through Word's
' e-mail options, so a hidden Word instance is used and closed again afterwards
' (without Quit, a winword.exe would be left running after every logon).
Set objWord = CreateObject("Word.Application")
objWord.Visible = False
Set objEmailOptions = objWord.EmailOptions
Set objSignatureObject = objEmailOptions.EmailSignature
objSignatureObject.NewMessageSignature = strDefaultSignature
objWord.Quit
Set objWord = Nothing

' Stop the Outlook process or Outlook won't update. Note that this kills
' Outlook without saving; an open draft is lost.
Dim strComputer, objWMIService, colProcessList
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
  & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colProcessList = objWMIService.ExecQuery _
  ("SELECT * FROM Win32_Process WHERE Name = 'outlook.exe'")
For Each objProcess In colProcessList
  objProcess.Terminate()
Next

' Close filesystem and Windows scripting host objects
Set FSO = Nothing
Set wshShell = Nothing

Here are the original signature files. I removed the folder containing the logo and changed the addresses. The [KEYWORDS] in the files are the literal placeholders the original files used.
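One thing to change if you adapt this script: the AD fields and the free text from the Notes field are written into the .htm file exactly as they are, so a name containing '&' or '<' breaks the markup, and whatever is in those fields is rendered as HTML in every message the user sends. The PowerShell below is an added example, not the post's script: it does the placeholder substitution with each value HTML-encoded for the .htm variant and left plain for .rtf/.txt, reads the user through ADSI without needing the RSAT module, and runs on a constructed template and a constructed set of values (the Notes text deliberately contains a script tag) so it can be tried outside the domain. The function names are my own.

```powershell
# Added example (not from the original post): placeholder substitution for
# the signature files with HTML encoding. Placeholder names are the ones the
# article uses; template and sample values below are constructed.
function Get-SignatureUserInfo {
    # Reads the logged-on user's AD object via ADSI (works without RSAT).
    $result = ([adsisearcher]"(&(objectCategory=user)(sAMAccountName=$env:USERNAME))").FindOne()
    if (-not $result) { throw "User $env:USERNAME not found in AD" }
    $p = $result.Properties
    $get = { param($name) if ($p.Contains($name)) { [string]$p[$name][0] } else { '' } }
    @{
        FULLNAME    = & $get 'displayname'
        PHONE       = & $get 'telephonenumber'
        MOBILEPHONE = & $get 'mobile'
        EMAIL       = & $get 'mail'
        INFO        = & $get 'info'       # the Notes field used for the tag line
    }
}

function Expand-SignatureTemplate {
    param(
        [Parameter(Mandatory)][string]$Template,
        [Parameter(Mandatory)][hashtable]$Values,
        [switch]$Html   # encode for .htm; leave plain for .txt and .rtf
    )
    $out = $Template
    foreach ($key in $Values.Keys) {
        $v = [string]$Values[$key]
        if ($Html) {
            # Encode first, then turn line breaks into <br>, so the <br> survives
            # but nothing inside the value is interpreted as markup.
            $v = [System.Net.WebUtility]::HtmlEncode($v)
            $v = $v -replace "`r?`n", '<br>'
        }
        $out = $out.Replace("[$key]", $v)
    }
    return $out
}

# Constructed sample template (the real ones carry the logo and styling).
$template = @'
<p>[INFO]</p>
<p><b>[FULLNAME]</b><br>T [PHONE] | M [MOBILEPHONE]<br><a href="mailto:[EMAIL]">[EMAIL]</a></p>
'@

# Constructed sample values; INFO contains markup on purpose to show it is
# rendered as text, not as HTML.
$sample = @{
    FULLNAME    = 'A. & B. Tester'
    PHONE       = '010 - 123 45 67'
    MOBILEPHONE = '06 - 123 456 78'
    EMAIL       = 'tester@example.com'
    INFO        = "Kind regards,`r`n<script>alert(1)</script>"
}

Expand-SignatureTemplate -Template $template -Values $sample -Html
```

In the output the first paragraph reads Kind regards,&lt;br&gt;... with the script tag as &lt;script&gt;, and the ampersand in the name becomes &amp;amp;, so the signature renders the literal text. For the .txt and .rtf variants call the function without -Html. In the real script, replace $sample with the result of Get-SignatureUserInfo.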

The Left Hand of Darkness, by Ursula K. Le Guin

A remarkable book from 1969. The author won the Hugo and the Nebula with it, deservedly in my opinion. The Left Hand of Darkness is known as feminist science fiction, which in itself makes it worthwhile, because what on earth are we supposed to understand by that?

The answer becomes clear quickly: the characters in the book are neither man nor woman but become one or the other, more or less at random, once a month, which of course has far-reaching effects on the whole society. The tone is descriptive, not preachy.

Apart from that it is a great story to read, about an envoy from other planets in a remarkable world. The largely sociological concepts you are served prompt you to re-examine your assumptions about the world, and that in my opinion is a hallmark of a good book.

The adventures in The Left Hand of Darkness are sometimes compared to those in The Lord of the Rings. Although they are of the same character (politics mixed with adventure), TLHD is more realistic than LOTR, and a good deal thinner.

This book is one part of a series set in the same universe (Hain). The other parts are said to be less good, but I have become curious about them.

Even though the work is well over forty years old, it does not feel dated. Fine sci-fi. Read it! (And then once more, and then read the analysis on Wikipedia. Not before, because of spoilers.)