*** Note - this is advice for Home Computers ***

Customers frequently ask us what tools we recommend to keep their PC safe. Here's our recommended list for home computers - all the tools have free versions (at least for home use) and in our opinion are better than other offerings in the space, which pretty much removes any good argument not to use them:

Anti-Virus

Yes you need an anti-virus tool - our first pick for home use is AVG Free Edition which is free for non-commercial home use - you can download version 9 here.

AVG Free is effective, but light weight so your computer still has some capacity to do the stuff you ask it to.

* A word of warning - computers run really badly with two anti-virus products installed, so if you are going to use AVG make sure you uninstall whatever you are currently running first.

Anti-Spyware

Having a dedicated piece of Anti-spyware is a good choice. Anti-virus and anti-spyware are different jobs, and combined tools don't do the job as effectively as dedicated pieces of software.

In our opinon the best tool in the space is malware bytes. There is a version you can pay for, but the free one is perfectly adequate. You can get both versions at the malware bytes web site.

A Better Browser

Your choice of web browser can make a substantial difference to the security of your PC. If you go with the mainstream choice (like Internet Explorer) you will be using the most widely targeted piece of software around. However, if you go too far from the mainstream (for example Chrome) you may find that websites don't work properly.

In our opinion the stand out product in the space is Mozilla Firefox. Needless to say it is free. It's also the second most widely used browser after Internet Explorer, so you aren't wandering too far from the mainstream.

You can download Firefox from the Mozilla website.

Internet Filtering

We think the best product in the space isn't actually a product - it's a service - Open DNS. The Open DNS project is designed to use the power of collaboration to identify potentially dangerous and offensive content on the Internet.

By configuring your PC to use the Open DNS servers you can then use their categorisation system to help keep your PC safe, and better, keep young eyes away from inappropriate content. Our blog post on Open DNS explains how it works in a little more detail and how to configure your system.

There is one other thing you should do to keep your PC safe. Backups - no one likes to hear it, but they are really important.

Backups can be approached in two ways - files only, or complete system backup. We will talk some more about these in the near future.

For quarter 4 2009 Green Light IT has once again achieved a 100% Satisfaction rating with our home service customers.

Between the first of October and the thirty first of December 2009 home service customers once again gave us a 100% satisfaction rating through our after service survey process.

Here's what some of our customers had to say about Green Light IT Home Services between October and December:

"The service and follow up contact and explanation was excellent. I would have no hesitation in going back to Green Light IT and recommending the business to others based on my experience" - Heather, Weston.

"Helpful service, prompt and clear. Will certainly recommend to others." - Luca, Richardson.

"Pickup up and drop off feature is a real plus." - William, Greenway.

"It's about time somebody provided this service." - Norman, Evatt.

"The time for pick ups in the early evening is really convenient and the next day turnaround is brilliant." - Justine, Bonython.

"I was very pleasantly surprised at the friendly and professional service and that everything was explained to me simply and clearly." - Kaye, Scullin.

Needless to say we are always pleased to hear that we are keeping our customers happy.

Green Light IT Home Services Surveys are sent to every Home Services customer. Customers are able to comment anonymously (if they wish) on our services. Our return rate is approximately 50%. Names and addresses have been changed to protect privacy but comments are faithful reproductions of customer comments.

Green Light IT will shortly be moving to our new premises in Albany Street, Fyshwick.

Our new address will be 2/1 Albany Street, Fyshwick (behind Kennards) but our phone and postal address will remain the same. We will be taking advantage of the summer lull to move into the new premises over the next couple of weeks, and anticipate operating from the new location from the 25th of January.

The new office is the former premises of an alarm monitoring company, and so has been constructed to a very high standard of physical security - in fact we have taken to calling it the bunker, but we will have to see if that name sticks. If you want to see what we are on about please feel free to drop by from the 18th of January.

And as a bookend for the year we have now met our Carbon Neutrality Policy (announced here).

At an operational level we are now carbon neutral and would urge all other businesses to consider taking a similar stand on this important issue.

Over Christmas Green Light IT will be taking a break will be closing on the 23rd of December, and re-opening on the 4th of January.

Feel free to leave us a message on the phone or drop us an email over this time. All the best for Christmas and we look forward to talking to you in 2010.

(This blog entry is for techies only)

Caching Windows Update with Squid 2.6

Windows Update has historically been a problem for Squid administrators, particularly those that want to firewall 80/443 from their network and force traffic through the proxy.

This guide will let you set up a PARENT/CHILD pair of Squid Caches in order to enforce the never_direct directives and minimise your bandwidth usage for updates. This method works, but it does require two squid proxies, either configured to run on the same system, or on separate systems.

NEVER_DIRECT

I’m going to address this directive first, since it probably doesn’t do what you think it does.

What you probably think it does:

Never go direct to the origin server, always connect with Squid and pass on the data.

What it actually does (from the Squid FAQ):

If you are behind a firewall then you can't make direct connections to the outside world, so you must use a parent cache.

You can use the never_direct access list in squid.conf to specify which requests must be forwarded to your PARENT CACHE outside the firewall, and the always_direct access list to specify which requests must not be forwarded.

The emphasis on PARENT CACHE above is mine. If you attempt to use this directive without a parent, it will give you a NO_PARENT_DIRECT error.

REQUIREMENTS

From the above, we determine that we need at least one Squid Parent instance and one Squid Child instance.

These can be two physical servers, two virtual servers, or a multiple instance configuration on one server (http://wiki.squid-cache.org/MultipleInstances). However, for simplicity and security, we used two physical servers and the Firewall shown in the diagram below is actually on the Parent.

The network layout we’ll use in this example is:

SQUID CONFIGURATION

From the above diagram, we get the following Squid configurations.

THE PARENT

The parent configuration is simple; add the bolded directives to squid.conf:

We also define:

http_port 3128 cache_dir ufs /var/spool/squid 50000 16 256 maximum_object_size 1000 MB

That is:

• the default http_port, referenced below by the child.
• a cache of 50Gb, more than enough but you may need to allocate less on a small disk.
• a maximum_object_size of 1Gb, large enough to cache any update.

Either cache may also require a “visible_hostname” directive, depending on how you have configured the underlying machine.

Also note “firewalled_clients 192.168.0.0/24” above would need to reflect your client network - we’ll call this “localnet” on the Child and this would also need to reflect your network addresses.

THE CHILD

First we need to define the Windows Update servers, and our local network. In the same place as the acl above:

acl localnet src 192.168.0.0/24 acl windowsupdate dstdomain windowsupdate.microsoft.com acl windowsupdate dstdomain au.download.windowsupdate.com acl windowsupdate dstdomain .update.microsoft.com acl windowsupdate dstdomain download.windowsupdate.com acl windowsupdate dstdomain redir.metaservices.microsoft.com acl windowsupdate dstdomain images.metaservices.microsoft.com acl windowsupdate dstdomain c.microsoft.com acl windowsupdate dstdomain www.download.windowsupdate.com acl windowsupdate dstdomain wustat.windows.com acl windowsupdate dstdomain crl.microsoft.com acl windowsupdate dstdomain sls.microsoft.com acl windowsupdate dstdomain productactivation.one.microsoft.com acl windowsupdate dstdomain ntservicepack.microsoft.com acl CONNECT method CONNECT acl wuCONNECT dstdomain www.update.microsoft.com acl wuCONNECT dstdomain sls.microsoft.com acl wuCONNECT dstdomain wpa.one.microsoft.com

Then in the http_access section:

http_access allow CONNECT wuCONNECT localnet http_access allow windowsupdate localnet

Also in this section, to force using the Parent cache:

never_direct allow localnet

We also need to define the Parent, and allow access to it:

cache_peer 10.0.0.1 parent 3128 3130 proxy-only no-query cache_peer_access 10.0.0.1 allow all

Whilst we have to specify an ICP port, we aren’t interested in checking if the Parent has the object cached as it is the only available source anyway, hence “no-query”.

We also set “proxy-only” as there is no benefit in caching the results here and on the Parent.

NB, 10.0.0.1 is the IP address of the Parent from the diagram, adjust it to match your Parent if necessary.

CLIENT CONFIGURATION

For this example the client network will need to point to this proxy server: 192.168.0.1:3128

Setting this proxy in Internet Explorer will also allow Windows to do automatic updates through the proxy.

FIREWALL CONFIGURATION

The firewall can be configured on either of the proxy servers, the main firewall, or all three if desired (perhaps because you don’t administer all those machines). However, this is outside the scope of this article.

AUTOMATIC PROXY CONFIGURATION IN WINDOWS

The next question most people ask is how to set up WPAD (Web Proxy Autodiscovery Protocol) so they don’t have to configure each Windows client on their network.

You will likely want to achieve this with a combination of DHCP and HTTP servers.

There is an excellent post explaining this by David W. Hankins at http://www.mercenary.net/blog/index.php?/archives/42-HOWTO-WPAD.html

Please read carefully however, as the default configuration will simply stop WPAD from trying DNS should DHCP fail to reply to the request as a security measure to guard against DNS poisoning.

As part of ensuring customer service we have been asking all home service customers to fill out a survey after every home service. And today, I am happy to announce the results for the first three months of Green Light IT's Home Services.

We have achieved a 100% customer satisfaction rating. Further, 100% of the customers that responded to the survey also advised that they would recommend us to family and friends.

Here a sample of some of the things our customers had to say:

"Excellent, Prompt and Efficient Service - it doesn't get better than that!" - Cathy, Isabella Plains

"Excellent Service thank you. Will definitely use you again and have recommended you to others." - Matthew, Amaroo

"Thanks for your prompt and efficient service. The computer's performance is much improved." - Lee, Mawson

"Very happy with the service. Would definitely use again in future." - Tracey, Hughes

"Greatly appreciated the pickup and drop off service. [...] The staff were very courteous and polite. We are very happy with the service. Happy to recommend to friends and family." - Peter, Fadden

"Very friendly and professional." - Warrick, Pearce

Thanks for your support folks. We are glad to know that we are meeting your needs.

We've noticed in the last few days that customers that are using Internet Explorer, and have their default home page set to "ninemsn", seem to be having some issues with Internet Explorer freezing, and not letting them type anything in.

By the looks of it "ninemsn" is giving some information to IE which is causing it to lock out for a while.

If you are affected you have three options:

1. Update Internet Explorer (new versions don't seem to be affected). You can get Internet Explorer 7 here (we aren't recommend IE8 at this stage).
2. Use Firefox instead (it is a better, more secure browser all round). Firefox Download Site.
3. Change your home page away from Ninemsn - instructions below.

Changing your home page is the quickest fix to the problem, but to some extent only a temporary one. Never the less, here is how you can do it on Windows XP, without having to re-open Internet Explorer. If you have Windows Vista you already have IE7 - if your browser is running slowly chances are it is because of viruses and spyware. You should probably book it in for a service.

To change your home page without having to open Internet Explorer (because it will freeze again) open your control panel

and choose Internet Options.

Once you have Internet Options open then choose the general tab. Your home page setting is right at the top of the window. You can either type in a new home page, or choose "Use Blank" which will just give you a blank screen. Using either a blank screen, or a minimalist home page like Google are both pretty good choices.

Here we are using a blank page:

Note your window may not look exactly like this. This is actually the IE7 dialogue. IE6 (the browser that is having trouble) is quite old - we couldn't even quickly find one to get screen shots from, so change your home page in the short term, and plan to either update to IE7, or install Firefox in the near future using one of the links above.

Hard drives are the part of your computer that stores all the information (including music, documents, spreadsheets, photos, videos and everything else) that you put onto your computer. All the information that makes it your computer. They are also, for a variety of reasons, one of the parts of your computer most prone to failure.

When they fail the results can range from a busted computer which someone needs to carefully pick the data off, through to all of your information being permanently and irretrievably lost. However, usually some, if not all information (photos, music, documents, spreadsheets etc) is lost when a hard drive fails.

Now we can talk about the odds of a computer hard drive failing after so many hours, or this percentage failing etc, but that may not necessarily give you a particularly good sense of what that means. So here's something that might seem a little more concrete. Over your lifetime of owning home computers chances are you will have at least one hard drive failure.

Think about what you keep on your computer. Do you have a copy of it? If not it's about time your got some backups started.

For home these don't need to be complicated. Something as simple as an external hard disk, or even a USB memory stick (although if you have lots of photos you will probably find they are a bit too small, but heh its something) can do the job. For a really simple backup attach your external hard drive and then copy your "My Documents" folder onto it using the procedure below. Hopefully the pictures below will make some sense out of it (Sorry for those that know this bit - not everyone does so you will just have to be patient). The "My Documents" folder will contain most of the stuff you have put onto, or created on, your computer, but there can be exceptions.

So to backup your "My Documents" folder open an explorer window grab my documents with the left mouse button:

Once "My Documents" is highlighted go to "Edit" and choose "Select All":

Once this is done all the files on the right will be highlighted. Now using your left mouse button grab the group of files on the right, and drag it to your removable disk.

Once you let go of the left mouse button the files will start copying to the new location.

If the files dissapear from their original location, or anything else seems to go wrong then you can use the undo command to reverse the last action:

Using an external hard drive for backups is a perfectly good solution (for home), provided you are disciplined about it. That "discipline" bit is often where people get into trouble. if you are worried about forgetting then the good news is that technology can help. There is software available that can make backups even easier to do (automatic in many cases).

If you think you want an automated software solution then let us know. There are some good solutions in the space that will help with making backups routine.

If you took a look at our last blog entry you might wondering what we use for backups if we don't use tape.

That's easy - we use Network Attached Storage (NAS for short).

Compared to tapes NAS have three major advantages:

1. They can keep up. Tapes are so slow that many in the industry now do what is called "Disk to Disk to Tape", where the backup is first done to another set of high speed disks, which can then slowly and ponderously stream that data to a tape drive. Getting rid of the "to Tape" bit is the next logical step.
2. Less External Dependencies. A NAS unit is a complete system that you can attach to your network and start pulling files off. A tape needs a tape drive, a semi functioning computer, driver software, backup software, and they all need to be accessible before you can start pulling off files.
3. Unlike tapes, which are a bit of an out sider from a mainstream technology perspective, NAS units use normal everday Hard Drives. So as the capacity of normal every day hard drives increase, the capacity of NAS units keeps pace. Tapes on the other hand are always playing catchup, and are usually around an order of magnitude behind in terms of cost effective storage.

Now if you are seeking a long term archive then tape is still your best bet, but that is not what most businesses are after in our experience, particularly once retention of data in programs like MYOB/QuickBooks etc is explained. Even then, NAS, which is powered up once every couple of years is probably just as good. Tape has the benefit that it can be just left to sit on the shelf for 10 years. Now, where did I leave that tape driver software...

We are going to be talking about backups over the next few weeks - we are going to be talking about backups quite a lot. More precisely we are going to be talking not only about backups, but the other less frequent but oh so important bit - recovery.

The problem with the way most businesses approach backup is that they might take some backups (might) but they have never given a whole lot of thought to the other side of the equation - recovery. And there are some sobering stats here - probably the most sobering I have come across is this one:

"93% of businesses that loss access to their critical data for 10 days or more file for bankruptcy within 1 year. 50% of them file for bankruptcy immediatelly" - US National Archives and Records Administration.

So it's not only if you can get access to your information again, it's how quickly you can do it. And that is where things start to get interesting.

To get us started on our month of DR (Disaster Recovery) here are 5 common mistakes that businesses make about backup that means when push comes to shove they can't recover:

1. As long as I have my data I'm okay

Wrong.

Access to your data is contingent on a number of other pieces of infrastructure being in place. Sometimes this is a simple as a computer with say Microsoft Office installed in which case provided you can find a computer you are probably okay. But sometimes it relies on an application server, which has had 100 patches applied to it, which no one exactly remembers, and there was some bizarre tweak that someone had to give it to make it work etc.

Can you get access to the data again - probably. Will you get access to the data again before you are out of business? Much harder to know.

2. An Online Backup Over The Internet Is Our Best Option

Usually Wrong.

Online backup solutions are targeted at home users, and small businesses. They provide handy interfaces to help you see which files you are backing up, history etc. The problem is they are driven by people who, due to their limited IT knowledge, don't actually understand which critical parts of the system need to be backed up. For example, if you are using Exchange server only the system adminstrator has the access they need to the mail store.

If your whole server packed it in exactly how long will it take your online backup company to get you a copy of your data - a day, two days, a week? Have you ever asked? Have you ever tested their ability to deliver?

Also, as 1 above just backing up your data isn't really enough.

3. We Use Tapes

Wrong.

There are so many issues with tapes it is hard to know where to start:

• You need a tape drive (seems obvious right). But what if your previous tape drive was damaged (say by a power surge) so you can't move it across to the new server you just bought. Can you still buy the type of tape drive that you had previously keeping in mind it's probably three or four years down the track? This is what we call in the industry a "depedency".
• Tapes aren't growing in capacity fast enough to keep up with modern hard drives. Time and again we see new customers which have been sold a tape drive which can't backup a tenth the capacity of their server hard disks.
• Tape drives can subtly alter the length of tapes over time so that tapes will only work with that particular tape drive. Even if you can find a replacement tape drive your tapes may not work.
• Tapes need to have the basic operating system up and going to support the correct drivers. So if you are rebuilding from scratch you need to build a basic server, then install the tape drive and software, then restore (hopefully) and then reconfigure the server.

4. If a Part Fails In Our Server We Will Be Able to Get a Replacement Part

Wrong.

The scenario is like this - components in the computer industry tend to turn over on 12-24 month timeframes. After that the big PC/server manufacturers (HP, Dell, etc) will continue to carry spares for "warranty" customers. However, chances are they wont "sell" you one of their components - they need to hold an inventory to cover the customers which did pay for warranty.

Normally parts fail after at least a couple of years in service, meaning chances are you can't buy a replacement anymore. So if you don't have a warranty you probably can't get a like for like replacement. If you can't get like for like replacement then there is an awfully good chance that you will have to rebuild the system, or at least use a time consuming process to make the new part work with the old system.

Now this isn't true for some parts, like the power supply, or a non-integrated network card. These can often be easily replaced. But for the big components - like the RAID controller, Main Board and Hard Drives, it usually is.

5. If Our Server Crashes It Will Only Take a Day or Two to replace it

Wrong.

Yes you can go to Harvey Norman and buy a PC this afternoon. Servers are a different type of beast entirely. Because there are less of them sold they haven't reached the point where they are a standard item that retailers carry.

If you are lucky, and your business is small enough you may be able to limp along on a PC for a few days, although depending on your restoration strategy it could take days to get it correctly installed.

We will be discussing some of strategies we think you should pursue over the next few blog posts. Stay tuned.

As we mentioned in our recent newsletter there is now a really quick and simple way to filter your Internet connection to:

1. Stop kids from seeing content they shouldn't.
2. Keep people away from sites they shouldn't be accessing.
3. Protect you from phishing sites and other Internet nasties.

That method is "OpenDNS.com".

Setting up OpenDNS is really easy, and will take only a few minutes. To do it for your home network or computer read on.

First - do you have just one computer or a number of computers using your Internet connection at home?

If you have just one computer then you can follow the instructions for setting up your computer. If you have a number of computers you are probably best of configuring your router so that the setting will apply to all of your computers without having to change each computer individually.

Once you have done that you are now being protected by OpenDNS at a minimal level (which just protects against phishing). However, to get the best out of OpenDNS you should now go and create an account.

After you have created an account you can adjust what sort of websites you would like to be filtered. By default you will find the category level is set to minimal which just stops known phising attacks.

There are some really easy options to choose here. For example "Low" will also filter out pornography, while moderate will filter out other adult related content. So for home, you might set this to low or moderate. You can also "customise" and choose exactly which categories you want people to be able to see, and which ones you don't.

Go and take a look - this is a really neat tool and compared to what you used to have to do to solve these sorts of problems is very simple.

If you would like to try setting it up for the office network just let us know. We can also give you a hand at home if you need some assistance.

Affirmation

Although there is not yet absolute consensus across the scientific community it is Green Light IT’s belief that, on the balance of probabilities, the earth’s climate is changing as a result of human carbon pollution. We therefore feel that as a member of the community it is our responsibility to reduce our carbon emissions.

As such, Green Light IT commits itself to achieving Carbon Neutrality for ongoing operations before the end of 2009.

Strategy

Green Light IT will achieve this goal by:

1. Purchasing sufficient green power from certified providers to cover electrical consumption.
2. Making use of appropriate, economical and fuel-efficient vehicles for company business.
3. Purchasing carbon offsets for the operation of company vehicles.
4. Reducing unnecessary use of motor vehicles.
5. Using carbon offsets where available for any corporate air travel.
6. Purchasing carbon offsets for any other on-going activities that produce carbon pollution.

Have you heard about Windows7? It is entirely likely that the new Microsoft Operating System (OS) has flown in under your radar, as its release has been kept pretty low key compared to its predecessors. Windows Vista, which was the previous instalment of Windows, was not widely used (or liked) by the IT profession. It had several flaws, quite a few security holes and massive performance issues. It seems that Windows7 is following Microsoft’s long established trend of releasing an OS that is not quite right and then a few years later releasing a “new” OS, that is a remake or upgrade of the previous one with the bugs ironed out. Windows7 is looking to be an OS that “works”.

One thing that really surprised us is that Windows7 actually has lower hardware requirements than its predecessor. This if the first time this has ever happened with Microsoft Operating System. So it is possible to use the software on lower specification machines.

As per MS’s normal mode of operation once Windows7 is released the end of life for Windows XP support will probably be quickly announced. It has not been possible to purchase any version of Windows XP retail for quite some time now and the general consensus of the IT community has been to avoid using Vista in business environments. This means that Windows7 is where we will have to go for future system upgrades.

So far the outlook is good for upgrading to Windows7. There have been relatively few complaints about the OS. It uses much less resources and therefore runs faster on the same hardware (sorry to labour the point – but this is remarkable). The UAC, or user access control (the annoying fade to black windows) that Vista used has been toned down so that it is much less obtrusive. The networking support, while still not as good as it could be, is no longer painful to use.

The biggest test will be when it comes to using the OS in a business environment. How it behaves with other machines on a large network, not the mention how it interacts with servers is yet to be seen, but currently several GLIT members are trialling the OS with some of our work machines to test it in a work environment. We realise that it is inevitable that Windows7 will have to be rolled out to business clients, so we will be testing the new OS as much as possible before we have to roll it out to a working environment. But so far, things are looking promising.

If you have even a passing interest in IT then you have no doubt by now heard about virtual servers and virtualisation, which is a technique where a number of “virtual” computers all run on the one physical system. And although you might do this on your desktop, it is mainly taking hold in the back office where a number of servers are “virtualised” and run on one piece of server hardware.

Conceptually this isn’t a new idea – we have been doing this sort of thing since mainframe days. But virtualisation for Windows and Linux systems is now becoming big business for lots of reasons. The central argument around virtualisation is a cost reduction one. This comes through in a number of ways:

• Reduction in server hardware prices – If one piece of server hardware can do the job of 10 servers you have saved yourself the cost 9 pieces of hardware.
• Savings on Environmentals – One server, even if it is running a full tilt (computers use more electricity and produce more heat when busy) will use less energy than 10 servers, and will produce less heat (so less air conditioning etc).
• Disaster Recovery Planning – Virtualisation offers some savings if you need a standby site for DR – it’s kind of complex so if you want more details ask us for an explanation.
• There may also be savings in the systems management process as virtualisation (and the tools that come with it) make certain tasks more time effective for IT staff.

That’s the good news. If virtualisation is done correctly and appropriately it can save you money. If it is done where it isn’t appropriate, is poorly executed, or if you are just unlucky it can actually cost a lot more than it saves. Picking when it is appropriate is important, and it isn’t necessarily something the person trying to sell you virtualisation will tell you. This isn’t just us saying this – a number of big shops around town have either partially, or fully rolled back virtualisation projects dues to unexpected difficulties.

So, lets consider some of the things that influence whether or not virtualisation is a good fit.

No Free Lunch

Virtualisation tends to be a good solution for situations where your servers don’t do very much. So if you have 10 web servers that sit around largely idle then using virtualisation to collapse them onto one piece of “tin” (that’s a term we use for a physical server in case you hear it in conversation) might be a good solution.

But if you have 3 database servers that are flogged within an inch of their life then you are going to have to buy a much more powerful piece of hardware if you wanted to try and collapse them. This is going to affect your Return On Investment (ROI) position.

This can lead to a shop being exposed to the laws of diminishing returns in terms of buying hardware. To break that down simply a $5,000 server won’t be twice as fast as a $2,500 desktop (although it will probably be a good bit more reliable), and a $10,000 server won’t be twice as fast as the $5,000 server. So, if you have ten $5,000 servers, which are running at full tilt, you will probably have to spend a lot more than $50,000 to achieve equivalent performance in a single piece of hardware.

However, servers are not normally run that hard, and it is this fact that tends to make virtualisation economically viable. Normally you have ten $5,000 servers, each of which run at somewhere around 10-20% of capacity. You can replace those ten servers with one $20,000 server, which isn’t as powerful, but is powerful enough.

So, virtualisation is a better prospect for servers that are lightly loaded than for systems which are heavily loaded.

Understanding the Cost Model

Saving money on hardware sounds great, but is that really where most of your costs are? To get a sense on this it’s important to understand the Total Cost of Ownership (TCO) of a server over its lifetime.

TCO is made up of the following things grouped by scale of cost:

High:

• Support (wages or fees for the people that make the server work make sure that backups work etc)
• Downtime (wages of those people that can’t work when the server is not up)
• High-end Business Specific Software.

Medium:

• Business Specific Software (CRMs, etc).

Low:

• Commodity Software (Windows etc)
• Environmentals (Electricity, Air Conditioning, Rack Space).*
• Hardware.*

We’ve put an “*” next to the costs that virtualisation will reduce. Notice anything? Now there are arguments that virtualisation can reduce support costs and downtime. There are also arguments that say it can increase both of these. Which is true? It depends on context, and to some extent on whether or not the person appraising it is trying to sell virtualisation or not.

In the worst case we have seen organsations switch substantially to virtualisation, when they paid their outsourcer a fixed fee per server per month for support. The outsourcer didn’t reduce their server support charges significantly (they argued that supporting a virtualised server was no cheaper), and the outsourcer pocketed substantial money from the “move to virtualisation” project. Worse – the virtualised servers performed worse than the previous hardware based servers. In some circumstances the customer actually needed more virtual servers than they had physical ones previously. The result of this was that the support charges of their virtualised environment was more than the support charges on the real “tin” they had before, and the hardware savings were not enough to make up for the difference.

Complexity

Virtualised environments tend to be more complex than ones with normal servers, for a number of reasons.

1. Often more complex, higher end hardware is required. Dedicate Storage Area Networks (SAN) are an obvious example here
2. Server management now has another dimension to it – which “real” server do the virtual servers exist on – this might seem trivial but we have seen it cause problems
3. Another skill set is required to support the virtualisation product.

These are the foreseeable complexity impacts from virtualisation. However, the unforseen ones are in many ways worse.

Virtualisation tends to reduce the tolerances within your environments. Some examples include high dependency on having the exact firmware revisions and drivers for particular hardware, never being able to extract the IO performance you should get, network latency blowing out when there is seemingly no explanation etc. Now, you don’t need to know what these mean particularly to assist your decision making, but you need to be aware that some of simplification that virtualisation may give you will be traded off against some fairly high end esoteric problems which will require time and effort to resolve, and may in some extreme cases not have economically viable fixes.

Mid-Range Explosion

There is another potential drawback to virtualisation with respect to costs, and not one that necessarily is immediately apparent. It starts with a phrase during the sales presentation something along the lines of “so when you need a new server you just click, drag, click, and there is a new server, and it cost you next to nothing”.

Now that seems well and good, but as we have already discussed most of the cost of owning a server comes in the support phase. So saving you some deployment costs is great, saving you some hardware costs is great, but if it leads to an uncontrolled proliferation of servers (and we’ve seen this too) the “ease” with which new servers can be deployed actually starts to hurt a business.

This is a bit of “with great power comes great responsibility” type thing. If an organisation has a mature outlook, and doesn’t create servers willy nilly, still exercises effective change control, etc etc then this ability to commission servers quickly can be a great boon. If, however, they don’t exercise effective control, servers are run up on a whim, there is no disciplined management of systems then virtualisation can become an enabler to many poor practices, and before the organisation knows it the farm of 20 servers that it had is now 50 and increasing.

So...

We are not trying to say don’t use virtualisation. Virtualisation can be a fantastic thing that does give real savings. But it is very easy to be seduced by some of the amazing features that virtualisation offer, without considering the downsides, or more importantly exactly how virtualisation is going to improve the efficiency of your organisation.

Also, at its core, virtualisation is about saving money on IT, not saving money with IT. That’s fine – in hard times everyone needs to tighten their belts, but it does perhaps reflect an industry looking inwards at its own problems and coming up with a neat gadget to suit its own needs, rather than outwards figuring out how to make other parts of the business more efficient.

So make sure you take some advice, independent of the virtualisation sales people, about where it is a good fit for your organisation.