ColdFusion Muse

Preparing for When You Need Me Most

In the new order of things practically no one has a server "in-house" anymore. Unless you are a large company with a heavy IT presence, it is simply easier to rent space at a data center. This works very well for the most part, but one of the nuances of this system is remote access. Most data centers have a number of different methods for providing you with remote access. In some cases they use a VPN like Cisco AnyConnect (which I think is excellent). Once you are connected to the VPN you access the server or servers via an "internal" NAT address - an unroutable address usually beginning with 192 or 10. Then you use something like RDP (remote desktop protocol) to log into the server desktop and configure the server, deploy code or whatever. In other cases the NOC might simply provide open ports to your own static IP for the services you need (like RDP, MSSQL, MySQL etc). This approach opens the NOC up to the your security, but it's certainly better than open ports.

In addition, some hosts may allow these ports to be open and trust the next layer of security to keep the bad guys out. In fact, virtually all hosts offering shared hosting or web panels etc have to offer these open ports of necessity. The Muse hates this idea. Allowing open ports for RDP (3389), SQL (1433), and especially FTP is a bit like Goliath strutting up and down daring the Israelites to challenge him. Meanwhile, all rock throwing David could think is, "how could I possibly miss that guy?" But of course there's more to the story...

Let me be clear, I do not blame hosting companies for this. For them this is the cost of doing business. They have a large percentage of customers who simply won't tolerate being inconvenienced. Plus, the shared hosting world is a razor thin margin and any form of customer service beyond an occasional email means the difference between losing money and making money. Think about it - if you are going to charge 20 dollars per month for hosting you are betting on never really having to connect with most of your customers. A single support call from a given customer makes that customer a money loser for the month.

Meanwhile, if you insist on paying only 20.00 per month for hosting I would politely suggest that you are too cheap to deserve any real support to begin with. You should be prepared to be an expert on a lot of DIY hosting questions - including security. Now the Muse isn't usually that blunt and I'm sorry if I stepped on anyone's toes. But if you work out the math you will be able to see quite clearly that a commodity host depends on volume. A customer who is a squeaky wheel will not likely be oiled. It's more likely he'll get the shaft (a mixed metaphor that works on some ironic level I suppose).

Ok... so that was a rare Muse rant. I'll get back into my diplomatic shell and let's continue. I really want to speak to those of you who have dedicated servers at a NOC. Here's the situation...

Usually your system is runs great and everything is hunky dorey. You are probably used to logging in occasionally running some patches, deploying a fix, defragging your disks etc. For the sake of argument let's suppose that without warning you get an alert in the middle of the night. The server is down! All of your attempts to fix it fail miserably. You are not equipped to troubleshoot this issue. You need help!

Naturally you reach out to the Muse or some other CF Webtools staff member. Ok ok... so maybe you tap ColdFusion Genius Mike Brunt or Super ColdFusion Mentor Charlie Areheart - the point is need outside help. Let me just stop and say that everyone needs a hand now and then. You should not feel ashamed. Indeed, if it were not for the assistance of certain people I'm sure I would still be living under the stairs eating canned sardines in a duck suit - but I digress.

The Big Question

Here's the big question. Have you prepared your system to be able to quickly give someone access? Do you have a guest username? A way of turning access on and off? Instructions for the VPN? For the DB? As a case in point, today I got a call from someone with a server down. Something had happened (I'll detail it in another post) that made connection to the DB impossible. As soon as I was logged in to the server I was able to diagnose and fix the issue (within about 5 minutes). Even though I fixed the issue in 5 minutes, it took this user 30 minutes to arrange all of the permissions and information I needed to get in and diagnose the issue.

So here's my suggestion. If you have a dedicated server (or even a shared server) you need to plan for guest access. Use the following checklist:

• A VPN account username and password (not your username and password - a separate one you can disable)
• A local SAM Account for your guest user with admin rights to the server (but not a domain account). This user should exist on each server in the system (web, db, whatever).
• A separate but fully permissions CFIDE admin user (if using enterprise) or the password to your CF Administrator.
• A database user for your DB. Note - ColdFusion servers work in tandem with database servers. It is pretty rare that I need to "only" look at the ColdFusion server or servers. They are system joined at the hip (or perhaps "at the chip").
• Ip addresses - internal and external IPs for the web, db, file etc... whatever servers are in the system.
• File locations - don't make your consultant have to "guess" or "lookup" where everything is. If there's something different about your system then make sure he or she knows about it.
• System config - many things are not obvious. Are you running imageCR3? Is the server 32bit? 64bit? What version of JVM? What version of DB Server.

If you take the time to organize these tidbits then our consultant will be able to save you downtime and the cost of floundering around trying to get connected.

Now Muse readers, perhaps some of you would like to wade in add to my checklist. What sort of things do you find you have to go hunting for when connecting to a new system?