So I needed to automate some configuration tasks on a Cisco ASA firewall, and thought it would be an easy task since it has an SSH interface. But after a couple of failed tries and some searching on the web, I realized that I could not use the standard SSH command mode to access the ASA and that the only working and reliable solution out there (that I found) was in this post: “How to automate scripted commands to a Cisco ASA via ssh”. However, it relies on the “Expect” Linux command, and in my case, I preferred to execute the script directly from the System Center Orchestrator machine, which is Windows-based. Some blogs mentioned the Windows Plink.exe command as an option too; this solution worked, but it did not allow validations and extra logic during the script execution, as the script is sent to the device in one block. I also found the PowerShell module “SSH from PowerShell using the SSH.NET library”, which sounded promising at first, but it works with the standard SSH command, and when I tried to use it I was not able to connect to my ASA firewall.
Finally, I decided to develop my own PowerShell module based on the SSH.NET library, but unlike the above module, I will be using only the SSH shell stream to interact with the device. The tricky part of working with a shell stream is that there is no notification when a command execution is completed. One way to overcome this is by checking for available data on the output stream. Most of the commands in a script are easy to handle because it is valid to assume that the command execution is completed as soon as there is something in the output stream. The problem is that this assumption is not true for long-running commands that report their progress during the execution. To support this kind of command, I needed to add support for specifying a timeout before assuming the command was completed, and also for specifying a regular expression to ignore progress messages when waiting for the command output. The module also handles cleaning extra BS (\u0008) characters from the output stream. These noise characters usually appeared when executing a long command.
Proof of concept – script to create a new network object:

Import-Module SshShell

$elevatedPrompt = "#.$"
$configPrompt = "\(config\)#.$"
$objectPrompt = "object\)#.$"

$s = New-SshSession -SshHost $asaIP -User $user -Password $password
Send-SshCommand $s "enable" -Expect "Password:"
Send-SshCommand $s "$elevatedPassword" -Expect $elevatedPrompt

Send-SshCommand $s "show run object id $objectId" -Expect $elevatedPrompt

if ($s.LastResult -match "does not exist") {
	Send-SshCommand $s "conf t" -Expect $configPrompt
	Send-SshCommand $s "object network $objectId" -Expect $objectPrompt
	Send-SshCommand $s "description $description" -Expect $objectPrompt
	Send-SshCommand $s "host $hostIP" -Expect $objectPrompt
	Send-SshCommand $s "end" -Expect $elevatedPrompt
	# -Expect is a regular expression, so the brackets are escaped to match a literal [OK]
	Send-SshCommand $s "write mem" -Expect "\[OK\]" -WaitUnlimitedOn "configuration\.\.\.|Cryptochecksum|copied"
}

Close-SshSession $s

Notes:

  • These PowerShell variables are prepopulated with values and have self-explanatory names: $asaIP, $user, $password, $elevatedPassword, $objectId, $description, $hostIP.
  • The value of the “Expect” parameter is a regular expression. If the result of the command doesn’t match that expression an exception will be thrown.
  • To access the result of the Send-SshCommand cmdlet you can either use the cmdlet output or use one of the session variable properties: LastResult, LastResultLine or AllResult.
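
The waiting logic described in this post (a silence timeout, a progress pattern that lifts it, and BS cleanup), as an added PowerShell example; it is not the SshShell module's source. The function name Read-UntilExpect, the $ReadChunk reader and the sample device output are constructed for illustration, the parameter names Expect and WaitUnlimitedOn are borrowed from the script above, and the exact timeout semantics are an assumption.

```powershell
# Added example. $ReadChunk stands in for reading newly available text from
# the SSH shell stream; it returns '' when nothing has arrived yet.
function Read-UntilExpect {
    param(
        [scriptblock]$ReadChunk,
        [string]$Expect,            # regex that marks the end of the command
        [string]$WaitUnlimitedOn,   # regex for progress output (optional)
        [int]$TimeoutMs = 500       # allowed silence after non-progress output
    )
    $buffer = ''
    $unlimited = $false
    $idle = [Diagnostics.Stopwatch]::StartNew()
    while ($true) {
        $chunk = & $ReadChunk
        if ($chunk) {
            # Strip BS (\u0008) noise before matching or storing anything.
            $chunk = $chunk -replace '\u0008', ''
            $buffer += $chunk
            if ($buffer -match $Expect) { return $buffer }
            # A progress line means the device is still working: lift the deadline.
            $unlimited = [bool]$WaitUnlimitedOn -and ($chunk -match $WaitUnlimitedOn)
            $idle.Reset(); $idle.Start()
        }
        elseif (-not $unlimited -and $idle.ElapsedMilliseconds -gt $TimeoutMs) {
            # The transcript may hold secrets, so it is kept out of the message.
            throw "Timed out after $TimeoutMs ms waiting for /$Expect/"
        }
        else { Start-Sleep -Milliseconds 50 }
    }
}

# Constructed device output: AtMs is when each chunk becomes readable.
$clock = [Diagnostics.Stopwatch]::StartNew()
$fakeOutput = New-Object System.Collections.Queue
$fakeOutput.Enqueue(@{ AtMs = 100;  Text = "Building configuration...`b`b`r`n" })
$fakeOutput.Enqueue(@{ AtMs = 1500; Text = "Cryptochecksum: (constructed)`r`n" })
$fakeOutput.Enqueue(@{ AtMs = 1700; Text = "1234 bytes copied`r`n[OK]`r`nciscoasa# " })
$read = {
    if ($fakeOutput.Count -gt 0 -and
        $clock.ElapsedMilliseconds -ge $fakeOutput.Peek().AtMs) {
        $fakeOutput.Dequeue().Text
    } else { '' }
}

# The 1400 ms gap exceeds TimeoutMs but follows a progress line, so it is tolerated.
Read-UntilExpect -ReadChunk $read -Expect '\[OK\]' `
    -WaitUnlimitedOn 'configuration\.\.\.|Cryptochecksum|copied'
```

Calling it without -WaitUnlimitedOn on the same constructed output throws after the first chunk, which is the failure mode the progress pattern exists to avoid.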

To deploy the module, just copy the SshShell folder to one of the PSModulePath values (for an Orchestrator server, copy it to “%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\Modules”) and make sure the DLL files are not blocked. The module works with PowerShell 2.0 and requires .NET Framework 3.5.

Download the module and the source

Sending email notifications regarding a work item in Service Manager is a common requirement that doesn’t really exist out of the box. A while ago, Travis published a plug-in called “SCSM SendEmail”. This plug-in, though filling that gap, was still missing some of the common requirements:

  • Supporting only Incident – you cannot send email notifications about a service request.
  • Adding new email template required a new workflow and manual updates to the management pack XML, which means the end user cannot do it alone.
  • There is no way to send notifications to email addresses that do not exist in the SCSM user list. In my environment, for example, I needed to send the notifications to all the email addresses in a specific field of the work item.
  • Does not provide a way to “Set First Response” or change the work item status to “Pending”
  • It has some multi users/messages reliability issues:
    • When you are trying to send the same message content again, even if you are changing the template, it will not send it and there will be no indication that the message was not sent.
    • When you are trying to send a second message while the work item is open in the console, the first message will not be sent and there will be no indication as well.
    • When you are trying to send a second message while the work item is not open in the console and before the previous sending workflow has been started, it will send two emails but both with the content of the second message.

All these issues forced me to develop a custom solution…

Read more in my company blog …

The Problem:
There are many blog posts and discussions about sending email notifications from Service Manager. Out of the box, Service Manager has strong capabilities for notifications, such as:

  • A template editor that allows the end user to insert relevant entity fields into the mail body.
  • The ability to allow the end user to specify event conditions that will trigger a specific notification, using a simple wizard.

What is missing is the capability to use this functionality from inside a SCSM Workflow.
There are some solutions provided by Travis (SendEmail) and German (http://scsmsource.blogspot.co.uk/2011/04/work-item-assignmentreassignment.html), however both these solutions do not allow customization to the workflow in the Authoring Tool.
In my SCSM environment I needed the capability to send notifications as part of more complex workflows and was also required to send the notification to external emails not defined in the SCSM users DB.

Read more in my company blog …

The problem:
SharePoint workflows, which are based on Microsoft WF, are a great way to automate processes that require human interaction and can be easily managed through SharePoint Designer, without any custom development. But when it comes to automating IT processes, Microsoft provides us with another workflow engine called Orchestrator (part of System Center). Orchestrator has a variety of activities and integration packs that make it a powerful tool for implementing IT runbooks.
I needed a solution for users who design SharePoint workflows, using SharePoint Designer, to easily create workflows that include the execution of an Orchestrator runbook. Using the SharePoint OIP (Orchestrator Integration Packs) you can monitor a SharePoint list for a change and execute a runbook as a result (as described here). However, this monitoring approach is based on polling, so for example, if I’m using the default 30-second polling interval with the above approach for a task that is usually required once a week, it will generate more than 20,000 unnecessary queries against SharePoint. Then, when the user updates the list item, it will take up to 30 seconds before the workflow starts.
And so, it would seem that triggering the runbook from SharePoint will be a much better solution.

Read more in my company blog …

 

The Problem:
System Center Orchestrator 2012 exposes a data service that makes it possible to query and execute runbooks. But working directly with the data service is like executing a WCF service by manually composing the SOAP messages. There are no type-safe parameters, no IntelliSense, and you need to type the exact path of the runbook or, even worse, specify GUIDs. Developing and testing code that involves runbook execution quickly becomes a cumbersome and tedious task.

Read more in my company blog …

 

You can probably find several blog posts out there about remotely executing simple commands and scripts against Exchange servers, but trying to implement these examples in a “real” functional script can introduce some annoying problems that nobody seems to mention. This was the case when I tried to develop a web page that was supposed to assist with managing a multi-tenant Exchange 2010 SP2 environment. I got some startup scripts from Jacob Dixon’s blog, and after some minor modifications I was able to execute them locally on the Exchange server without any problems. It was only when I tried to call these scripts from my web page that the problems started:

Read more in my company blog …
