Wednesday 22 February 2012

Interactive multi touch, multi projector flexible learning space

You may have read my article written in November 2011 entitled "Building an interactive multi touch surface on the cheap using a Wiimote" in which I discussed the technical build details on how to design your own multi touch surface.



Build Requirements

With the technical design out of the way, the next step was working out how to successfully integrate a multi touch surface into a school environment. After playing with some implementation ideas we came up with the following requirements.
  • Create an interactive learning space with 2 projectors, one traditional wall facing projector and one interactive table projector.
  • It has to be easy and work consistently. In my experience if the system doesn't "just work" then users aren't interested in attempting to use it.
  • The room should remain a flexible space.
With these requirements in mind I decided it would be best to roof mount the projectors and Wiimote, which ensures the tables can be moved if required. This also means I need to run a power source to the Wiimote, with a switch to turn the power on and off.

I am going to use the WiiSync AutoIt script I previously wrote to let users easily connect the Wiimote to the computer via Bluetooth. If you need the WiiSync script or any other technical details please see this blog post.



The Build

During the 2011 Christmas school holidays I put aside a few days for the installation. I had the power points installed by electricians and the remainder of the installation was done in house.

We decided to reuse a decommissioned projector, previously ceiling mounted in another room, for the table projection. Additionally we purchased a new projector, roof mount and speakers for the wall projector.

You can click on any of the below images to enlarge them.

The Wiimote power cable, both projector VGA cables and the audio cable are terminated here.

The wall plates installed, the on/off switch for the Wiimote is visible on top.

The Wiimote being wired with power.

The Wiimote and table projector ceiling termination.

Ceiling mounted wall projector.

Final installation of table projector and Wiimote.

Speaker installation.

Other installation information:
  • A 4-way video splitter is used for video output to the monitor, wall projector and table projector.
  • The pens we purchased are the IR Sabre, available for purchase online.
  • An inexpensive Bluetooth adapter is connected to the computer.
  • A 5 V power adapter and switch are used to power the Wiimote.

Build costs:
  • Wall projector and mount - $1500
  • Table projector - free (reused old decommissioned projector)
  • Table projector mount - $150
  • Wiimote - $50
  • Wiimote power adapter - $30
  • Switches and electronics - $20
  • Wall conduit - $50
  • Infrared pens - $36
  • Bluetooth adapter - $6
  • 4-way VGA splitter - $99
  • Speakers - $200
  • Misc parts - $20
Total build cost: $2161

Considering I was going to replace the wall facing projector in this space regardless, the total cost is very reasonable. Similar commercial products such as the SMART table cost $7000+.



The room in action

Finally, after hours of testing and planning and 2 days of installation, the multi touch, multi projector system is complete. Click the YouTube video below for a walk through.



This system has only just gone live in our environment but I am very happy with the implementation. I will report back in a few months' time with a progress report on how the users are finding the system. After all, if it doesn't get used or doesn't work consistently then it doesn't matter how great I think it is.

Uncertainty when changing to RAID 1 or RAID 10 on IBM DS3512 storage system

Big packages full of new equipment are every IT guy's dream. It just so happened a while back I received boxes and boxes of hard drives to expand some LUNs on my IBM DS3512.

There is a fun side to new equipment: unboxing it, installing it and seeing how much better it is than your previous gear. On the other side of the equation is the outright scary side, when you finally press that "expand" or "change RAID level" button that activates an irreversible operation on your production equipment. No matter how much preparation and testing you do, there is always some anxiety associated with making big changes.

During the Christmas holidays I planned to upgrade an existing RAID 5 array to RAID 10, which would send the IOPS through the roof. As always I read the documentation, ran through the scenario on paper and then on a test LUN. What I couldn't work out was what would happen when I finally pressed the confirm button to change the RAID level from 5 to "1 or 10".

The IBM storage manager offers the option as follows:

Change > RAID Level > 1 or 10...


This caused me some concern: while all the other RAID levels were a single option (0, 3, 5, 6), 1 and 10 were bundled together as a single option. A logical person would say RAID 1 is a mirror of 2 drives, so if your RAID array has an even number of drives that is 4 or more, then RAID 10 will automatically be selected. Unfortunately I am not willing to take that risk; what about obscure proprietary RAID levels such as 1E that might support RAID 1 in a multiple drive configuration?

After searching the IBM Redbook, the user manuals and the DS System Storage manual I was unable to find a solution. IBM also wouldn't provide me with an answer, telling me the issue was a configuration issue and not a hardware issue. I am sorry IBM, but the technical capabilities of a product are not a configuration issue. I wasn't asking you to configure the product for me, just what RAID levels your product is capable of.



Don't worry, the DS3412 only supports RAID 1 with 2 drives

Finally I was able to find the answer from the local services provider that I purchased the DS3512 from. The IBM DS3412 only supports RAID 1 with 2 drives, which means:

IF { you select change RAID level to "1 or 10" } AND
   { the number of drives in your array is 4 or more } AND
   { the number of drives in your array is even }
THEN
   it will become a RAID 10

So a logical approach would have given me the correct answer, but as anyone working in IT knows, relying on logic often results in failure.

Tuesday 14 February 2012

Accessing TWAIN and WIA devices via Citrix XenDesktop

In an environment such as a school there is a need to be much more flexible than a corporate entity. There is a need for more relaxed permissions, multiple users on single computers and a high level of customization.

This flexibility extends itself to the VDI farms, specifically with the ability to plug devices such as scanners into any virtual desktop and have instant access.

I was recently tasked with setting up a legacy Canon "CanoScan" device. When this device was originally released it only had a TWAIN driver but in the past 12 months a WIA driver has also been made available.



TWAIN Pain

TWAIN is now quite a legacy technology; in fact since Photoshop CS4 Adobe has been trying to remove it from their products, offering compatibility through an optional plug-in. Adobe explains their move to remove TWAIN support from Photoshop as being "Because TWAIN is an older technology that is not regularly updated for new operating systems, TWAIN often causes issues in Photoshop."

I didn't have any luck with simply passing the scanner through as a USB device and using the TWAIN driver within the VDI; applications simply didn't detect the scanner.

Fortunately for XenDesktop users, Citrix has made available a TWAIN redirection option in XD 5.5. This option can be difficult to get working, depending on your Citrix Receiver version, the driver for your scanner and which direction the wind is blowing on the day.

My advice to you is to avoid TWAIN with XenDesktop if possible, and try to find a WIA driver. If TWAIN is unavoidable you can try a few things to get it working smoothly.
  • Ensure XD is at 5.5 or higher
  • Ensure the HDX user policy "Client TWAIN device redirection" is enabled
  • Upgrade client Online Plug-in versions to Receiver 3.0+
  • Ensure you are running the latest TWAIN driver available
Some users have also reported success with disabling "Client USB device redirection" altogether, or alternatively using the HDX user policy "Client USB device redirection rules" to deny the redirection of just the scanner as a USB device.

For example you could add the following deny rule if your vendor ID is 1234 and product ID is 9876.

Deny: VID=1234 PID=9876


This will block your scanner from being passed through as a USB device, so that the TWAIN device redirection policy kicks in instead. I don't know on a technical level how TWAIN device redirection works: the device doesn't appear in Device Manager and no local driver is required, but when you launch your scanning application the scanner works perfectly.
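To sanity-check a rule list before pushing it out by policy, here is a small evaluator written for this post (it is not Citrix code and not from the original article). It assumes the rules are read top-down with the first matching rule winning, and only models the VID/PID conditions used above.

```powershell
# Added example, not from the post or from Citrix: evaluate a list of
# "Client USB device redirection rules" against one device's vendor/product
# IDs. Assumes rules are read top-down and the first matching rule wins.
function Test-UsbRedirectionRule {
    param(
        [Parameter(Mandatory)][string[]]$Rules,
        [Parameter(Mandatory)][string]$VendorId,
        [Parameter(Mandatory)][string]$ProductId
    )
    foreach ($line in $Rules) {
        # Drop trailing comments and skip blank lines
        $rule = ($line -split '#', 2)[0].Trim()
        if (-not $rule) { continue }
        if ($rule -match '^(?<action>ALLOW|DENY):\s*(?<cond>.*)$') {
            $action = $Matches['action'].ToUpper()
            $cond   = $Matches['cond']
        } else {
            throw "Unrecognised rule syntax: $line"
        }
        # A rule with no conditions (e.g. "ALLOW:") matches every device
        $isMatch = $true
        foreach ($token in ($cond -split '\s+' | Where-Object { $_ })) {
            $name, $value = $token -split '=', 2
            switch ($name.ToUpper()) {
                'VID'   { if ($value -ne $VendorId)  { $isMatch = $false } }
                'PID'   { if ($value -ne $ProductId) { $isMatch = $false } }
                default { $isMatch = $false }   # CLASS/SUBCLASS/PROT not modelled here
            }
        }
        if ($isMatch) { return $action }
    }
    return 'NO-MATCH'
}

# Constructed rule list: the scanner from the post is denied as a raw USB
# device so TWAIN redirection can take it; everything else is allowed.
$rules = @(
    'Deny: VID=1234 PID=9876    # CanoScan, handled by TWAIN redirection',
    'ALLOW:                     # Otherwise allow everything'
)
Test-UsbRedirectionRule -Rules $rules -VendorId '1234' -ProductId '9876'
Test-UsbRedirectionRule -Rules $rules -VendorId '0001' -ProductId '0002'
```

Because order decides the outcome, putting the catch-all ALLOW line above the scanner's DENY line would silently pass the scanner through as a USB device again.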



WIA Plea-se

Okay, that was a horrible rhyming attempt, but WIA isn't so horrible to configure with XenDesktop. Actually in my case it was the exact opposite of TWAIN.

Simply grab the latest WIA driver, install it onto your virtual image, wait for your virtual desktops to update to the latest vDisk version and insert your USB scanner. Simple!

The scanner will be passed through as a USB device, provided you have USB redirection enabled, or at least an "ALLOW:" rule for the scanner under the "USB redirection rules" HDX user policy. When it is inserted it will appear as a normal USB device, the driver you previously installed will kick in and applications will detect it as a native WIA scanner.

If at all possible, go straight to WIA and save yourself some grey hairs. If WIA isn't a possibility, grab a triple espresso, put aside a few hours and start playing with settings combinations.

Monday 13 February 2012

Spanning tapes with DPM 2010

Regardless of how great disk backup is, most administrators will want to do regular off-site backups to tape, and often the data can be larger than a single tape. Enter tape spanning, the ability to span a single backup job over multiple tapes. This isn't best practice, but if you have a single 2TB resource and only a maximum capacity of 1.6TB per tape (LTO4) you don't have many options: either purchase an expensive new tape drive with higher capacity or enable spanning.

Initially I was a little taken aback by the absence of any tape spanning options in the DPM 2010 GUI; in fact even the official manuals have very little reference to how tape spanning can be done.

After some digging I found that spanning will in fact kick in by default if the protection group is larger than a single tape, but DPM will only wait 1 hour for a replacement tape before the job fails. This is more than enough time for a tape loader, but if you're using a manual LTO drive this could be a problem.



The Solution


The solution lies in a simple registry key.

"HKLM\Software\Microsoft\Microsoft Data Protection Manager\1.0\Prompting"

Under this key is a REG_DWORD value named "PromptingTimeOut".

The value is in milliseconds, so multiply the number of hours you want to wait by 3600000.

For example, 4 hours * 3600000 = 14400000

Be sure you enter the value as a decimal or your wait time might be totally different from what you were hoping for.
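Setting the value from PowerShell avoids the decimal/hex slip entirely. The script below is an added example, not from the post; it assumes the registry key named above already exists on the DPM server and that the shell is elevated.

```powershell
# Added example, not from the post: set the DPM 2010 tape-spanning prompt
# timeout in hours and read the stored DWORD back. Assumes the registry key
# named in the post exists on the DPM server (run elevated).
$KeyPath = 'HKLM:\Software\Microsoft\Microsoft Data Protection Manager\1.0\Prompting'

function Set-DpmPromptingTimeout {
    param([Parameter(Mandatory)][int]$Hours)
    $ms = $Hours * 3600000   # DPM reads PromptingTimeOut in milliseconds
    New-ItemProperty -Path $KeyPath -Name 'PromptingTimeOut' `
        -PropertyType DWord -Value $ms -Force | Out-Null
    return (Get-ItemProperty -Path $KeyPath -Name 'PromptingTimeOut').PromptingTimeOut
}

# Shows why the "Decimal" radio button matters in regedit: the same digits
# typed into the hex field mean a very different wait.
function Get-HoursFromDword {
    param([Parameter(Mandatory)][uint32]$Value)
    return [math]::Round($Value / 3600000, 2)
}

Set-DpmPromptingTimeout -Hours 4          # stores 4 * 3600000 = 14400000 (0x00DBBA00)
Get-HoursFromDword -Value 14400000        # the intended 4 hour wait
Get-HoursFromDword -Value 0x14400000      # 0x14400000 = 339738624 ms, about 94 hours, not 4
```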

Thursday 9 February 2012

Customizing the UAG SP1 logon page

Microsoft Forefront UAG is a great product for adding a bit more security to the publishing of internal websites. The ability to screen the login process and apply some basic IDS and NAC is very handy indeed.

Users wanting to take UAG to the next level might consider customizing their login landing page, to give a more corporate feel to their external sites. Olivier Detilleux published a great tutorial explaining how this process works, but unfortunately, judging by a number of TechNet posts from users asking questions, it's evident that some of the detail in Olivier's article is lost on some users.



How does the customization work?

Although the process changed with SP1, it is probably easier now than it was before.

1. Navigate to "C:\program files\Microsoft Forefront Unified Access Gateway\von\InternalSite"

2. Create your custom headertopr.gif and place it in "C:\program files\Microsoft Forefront Unified Access Gateway\von\InternalSite\Images\CustomUpdate"

3. Copy "C:\program files\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\logo.inc" to "C:\program files\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate\logo.inc"

4. Rename "C:\program files\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate\logo.inc" to "C:\program files\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate\<trunkname><issecure 0 or 1>logo.inc"

For example if your trunk is called "OWA" and it is a https trunk, then your custom logo.inc would be called "OWA1logo.inc" with the 1 indicating https, 0 is used for http.

5. Now you need to remove the "if" scripting at the top of this file. In the original logo.inc this scripting detects your custom "<trunkname><issecure 0 or 1>logo.inc", and if it is left in the custom logo.inc it will cause an error message.

To do this, remove the following from the top of your custom logo.inc:
<%'include file for title
' xxxxxxxxxxxxxxxxxxxxxxx DO NOT EDIT THIS FILE xxxxxxxxxxxxxxxxxxxxxxxx
' A.O.detectionDOSFix - Store include file names in Application and not in Session.
if Application(g_site_name&g_secure&LOGO_INC) <> FILE_NOT_EXIST then
    include Application(g_site_name&g_secure&LOGO_INC)
else%>
 
and from the bottom of the file remove:
<%end if%>

6. Then you can make the customizations to your custom logo.inc, such as inserting your own header image as per Olivier's tutorial.
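Steps 2 to 5 can be scripted so the file name and the wrapper removal are done consistently for every trunk. The function below is an added example written for this post, not UAG's own tooling; it takes the trunk name and an https switch, and refuses to write anything if the stock logo.inc does not contain the exact "if ... else" wrapper shown above.

```powershell
# Added example, not from the post or from UAG: build the per-trunk custom
# logo.inc from the stock file and strip the if/else wrapper, following the
# steps above. The trunk name and https flag are the only inputs.
$InternalSite = 'C:\program files\Microsoft Forefront Unified Access Gateway\von\InternalSite'

function New-UagCustomLogoInc {
    param(
        [Parameter(Mandatory)][string]$TrunkName,
        [switch]$Https
    )
    $secure = if ($Https) { '1' } else { '0' }          # 1 = https trunk, 0 = http
    $source = Join-Path $InternalSite 'inc\logo.inc'
    $target = Join-Path $InternalSite "inc\CustomUpdate\${TrunkName}${secure}logo.inc"

    $text = Get-Content -Path $source -Raw

    # Step 5: the opening "<% ... else%>" block and the closing "<%end if%>"
    # must both go; refuse to write anything if either is not where expected.
    $openPattern  = '(?s)^\s*<%.*?else%>\s*'
    $closePattern = '(?s)\s*<%\s*end if\s*%>\s*$'
    if (($text -notmatch $openPattern) -or ($text -notmatch $closePattern)) {
        throw "$source does not contain the expected if/else wrapper; nothing written."
    }
    $text = [regex]::Replace($text, $openPattern, '')
    $text = [regex]::Replace($text, $closePattern, '')

    New-Item -ItemType Directory -Path (Split-Path -Parent $target) -Force | Out-Null
    Set-Content -Path $target -Value $text
    return $target
}

# The post's example: an https trunk called "OWA" becomes OWA1logo.inc
New-UagCustomLogoInc -TrunkName 'OWA' -Https
```

The stock logo.inc is only read, never modified, so the "DO NOT EDIT THIS FILE" notice inside it is respected; edit the returned copy for step 6.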

Sunday 5 February 2012

Deploying custom Microsoft Word 2010 registry settings at logon

In December I added a blog post entitled "Deploying custom Microsoft Word 2007 registry settings at logon" in which I detailed how to select, export and apply custom advanced settings for Word 2007. Since then I have moved to Office 2010 in my environment and to my surprise the process has changed; there are a few more steps involved.



I am applying my exported settings but they aren't working

You're not alone; it took me a while to work out what was going on here.

In Word 2007 the process was to open Word, set the custom advanced settings you wanted (such as picture in front of text), close Word, jump into the registry and export the [HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Data\Settings] value. Then you could subsequently import it during the logon process with a logon script.

The first part of the process remains the same, but I began having problems when I applied the .reg file during logon. When I opened Word the settings were not applied, yet if I re-ran the .reg file it worked and the settings applied perfectly.
After 15 minutes of chasing my tail, I finally realized that Word needed to be started before the .reg file could be applied. This is caused by Word writing a number of registry values (and overriding the above value) when it starts for the first time under a user account. So if you apply the settings before Word is launched, they are wiped on the first launch.



The Resolution
The fix is quite easy, but it did take some messing around with settings combinations to work out which settings I needed and which I didn't. Obviously I don't want to export the whole Office 2010 HKCU key, as it contains information regarding licensing, user names, etc., that I don't want to apply to every account.

The following base settings need to be applied; they stop Word from overriding your customizations.



[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\General]

"ShownOptIn"=dword:00000001
"FirstRunTime"=dword:0151d1bc
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Migration]
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Migration\Office]
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Migration\Word]
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options]
"FirstRun"=dword:00000000
"BkgrndPag"=dword:00000001
"ATUserAdded"=dword:00000001


In addition to the above base settings you need to apply your customizations. For example, if you wanted to apply Word advanced options such as "insert/paste picture as: in front of text", you would create a .reg file with both the above settings AND the exported [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Data\Settings] key.

For the "insert/paste picture as: in front of text" option you also need the following value.

[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options]

"InsertFloating"=dword:00000001


Then you can safely apply that .reg file using a logon script and, regardless of whether a user has started Word 2010 before or not, the settings will be applied.

Certain advanced settings have additional registry values that also need applying, such as the "insert/paste picture as: in front of text" example above. If you have other settings you want to apply that aren't working when you export [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Data\Settings], I would recommend getting Regshot and comparing before and after snapshots of the "HKCU\Software\Microsoft\Office\14.0" key, or using a tool like Procmon for live registry monitoring.

Changing locked update settings on Sophos Endpoint Security and Control 9.7

When debugging Sophos updating configurations you may at times need to change the primary or secondary update settings repeatedly. This can be done via the Enterprise Console, but that is slow and messy.

By default these settings are locked when you apply them via policy, restricting even administrators from manually changing them for testing.

Fortunately Sophos have included a mechanism allowing a local administrator to change these settings on an as required basis.



Unlocking the update fields

1) Open explorer to C:\ProgramData\Sophos\AutoUpdate\Config\

2) Open iconn.cfg in your favourite text editor

3) If you want to edit the primary update location look for the following heading:
[PPI.WebConfig_Primary]

4) Under the [PPI.WebConfig_Primary] heading there is a field named:
AllowLocalConfig = 0

Allowing local update changes is as simple as changing that field from 0 to 1. Easy as that, oh and Sophos, please allow https based updating soon, we NEED it!

Saturday 4 February 2012

Using Cisco Spectrum Expert and BackTrack to identify wireless anomalies

Cisco wireless controllers are great products: they allow the administrator to manage the entire wireless farm from a single console, making bulk changes and solving problems as required. Cisco recently released the CleanAir access points, which take troubleshooting to a new level without the need for expensive spectrum analyser cards.

Recently I began receiving e-mail alerts from the wireless controller complaining of a "WiFi Invalid Channel". The exact error message was:
WCS has detected one or more alarms of category Security and severity Critical in Virtual Domain root for the following items:

Security-risk Interferer 'WiFi Invalid Channel' is detected. (2 times)

E-mail will be suppressed up to 30 minutes for these alarms.
Every 30 minutes the error would repeat, over and over again. The strange thing about this particular error was that it would still alert in the middle of the night, which ruled out most business devices and things like microwave ovens. While this wasn't affecting the CleanAir rating of the AP dramatically, it was continually triggering alerts and being flagged as a security issue.

After sending out an e-mail to key staff asking if any new wireless based equipment was installed recently and receiving no response I broke out the Cisco Spectrum Expert.



Detecting the problem

Fortunately the Cisco 3500i series CleanAir access points can be used in conjunction with the Cisco Spectrum Expert software to troubleshoot issues such as this.

To do this you need to head over to Cisco.com and grab a copy of Cisco Spectrum Expert. It wasn't available in my download portal, but a quick email to Cisco resolved that.

Your AP can't service clients for the duration of the Spectrum Expert usage, so plan to do this after hours when your users won't be impacted.

After setting your AP to se-connect mode, either from the wireless controller or by connecting directly to the AP console, you can point Spectrum Expert at the AP and start analysing the results.

As soon as I fired up Spectrum Expert I was presented with the "WiFi Invalid Channel". While there is a great deal of detail, nothing definitively helped me identify what the problem device was. I tried searching Google for the exact frequency of the device but wasn't able to dig up any results.

One useful piece of information is the dBm (signal strength), which at -90.7 suggested the problem device in question was some distance from the AP performing the analysis.


Where is it?

One question leads to another: I don't know what this device is, but can I find it? For this I fell back on a trusty laptop, my Alfa 500 mW USB wireless adapter (RTL8187 chipset) and of course BackTrack 5 R1.

I decided to use a tool I have rarely used in the past, ssidsniff, which as its name suggests is normally used for uncovering hidden SSIDs. ssidsniff was chosen purely because I found it easier to view the BSSID and signal strength than in airodump (where BSSIDs were jumping all over the screen based on each AP's current signal strength).

I quickly identified 00:00:00:00:00:00 as the problem BSSID: ssidsniff flagged it as "no identifiable channel" and "network only contains hosts" (indicated by the H flag), while the valid APs in my environment displayed as being "WPA/WPA2 capable". It may be totally different depending on the device causing the problem, but it was extremely easy to identify this device as an anomaly compared to the rest of the devices.


My tracking process went as follows:

1) Starting right below the AP that originally detected the "WiFi Invalid Channel", I started ssidsniff and measured the dBm of 00:00:00:00:00:00.

2) I moved 5-10 metres in any direction and then remeasured, pressing ctrl+c to kill ssidsniff and re-launching it every time I moved to get the latest dBm. If the signal was getting stronger (indicated by the dBm getting closer to 0; for example -25 is a stronger signal than -70) I kept moving in that direction, otherwise I changed direction.

3) Repeat the above process until you find the highest signal strength you can, then look around.

Within about 5 minutes I had a dBm of -20 and found myself right next to a wireless microphone receiver, which funnily enough was turned on. After switching the receiver off and checking Spectrum Expert the invalid WiFi channel was gone, problem solved! You can then either suppress the error or replace the equipment at fault.

I am sure there are more technically amazing ways to accomplish this task, but an inexpensive WiFi adapter and BackTrack were able to solve this problem perfectly.

Thursday 2 February 2012

Connecting to Lync Mobility without autodiscover DNS

Recently the long awaited Lync 2010 Mobility pack hit the web, along with clients for Android, Windows Phone and the iPhone. The setup process is a little convoluted, as with anything Lync related, but is fairly straightforward nonetheless.

We deployed the mobility pack with the idea of giving key staff access to the Lync client within our network boundaries. This process would involve manual installation and configuration of the Lync client on these phones, and since we have a tricky split-brain setup we purposely didn't configure the autodiscover DNS.

When we configured a test client with what we thought was the correct internal URL, it just hung forever at the signing in screen. Furthermore the great logging tool for the iPhone client gave us no indication of what the problem was. Everything in the log seemed normal until the last line:
Lync[231:707]  is not a valid email address.
We tested the configuration using the Test-CsMcxP2PIM PowerShell cmdlet, which returned success, so no problems there.




The Resolution

I feel so stupid: the problem was the URL we were entering into the manual internal address field on the iPhone client. After digging for a long time we finally found the URL buried in a Microsoft TechNet article while looking for something else.

https://<IntPoolFQDN>/AutoDiscover/AutoDiscover.svc/Root

The above address is the correct URL to enter into your iPhone's "internal discovery address" field if you are not using autodiscover services. As soon as we changed the configuration of the iPhone client, everything worked perfectly. This is as much a note to remind myself how stupid I am as anything.