Why is my PIX PDM Broken?

If you manage a Cisco PIX firewall, you may have recently run into a problem accessing the PDM (PIX Device Manager) browser-based management interface. Cisco's PDM is a Java-based tool for managing your firewall; there are a handful of things that can't be done via its graphical interface, but for the most part, many users will seldom have any reason to use anything else for configuration and management. The VPN wizard, in particular, is vastly easier to use than the dozen or so lines of arcane commands required to implement the same thing from the command line.

A couple of my clients recently had issues accessing the PDM from Windows XP and Server 2003. After authenticating successfully in both the browser and the Java window, they were presented with an empty window instead of the PDM - and a message in the status bar claiming java.security.AccessControlException: access denied.

Both clients concluded - not unreasonably - that there was some kind of authentication problem with the PIX, and that they were locked out.

In fact, the problem was not with the PIX, but with Java itself. Sun's most recent updates to the JRE (Java Runtime Environment) made changes to the behavior allowed for signed code - and caused consternation for developers and end users by breaking quite a few applets.

Installing the "release 8" update for the 1.4.2 plugin, or the "release 2" update for the 1.5.0 plugin prevented access to the PDM - and no adjustment to the security settings in Internet Explorer or Firefox could fix the issue (both Windows and Linux platforms suffer from this problem.) Applets which behaved like the PDM - launching code which performs security-restricted functions from an HTML button - were now 'broken by design' under the new stricter security model.

Those who had upgraded their Java plugin from an earlier (working) release could uninstall the latest version, and once again access the PDM. But for a new workstation or server, the latest load of Java was broken 'out of the box,' and there wasn't anything to go back to. And unless the affected user tried a Google search on the full status bar error message, there were very few clues on the nature of the problem - or the fix.

There is, in fact, a Cisco Field Notice, dated May 16th, on this issue - but unless you perform a very specific Google search, you'll probably miss it.

I almost never use a vendor's own search tool to explore a support knowledge base. Microsoft's Knowledge Base, in particular, was long notorious for the obscurity of the keywords assigned to articles. More than once, I couldn't re-locate a KB (or Q article, if you're old skool) that I knew was there, which was immensely frustrating. I finally started using site-specific Google searches: specifying a search by site:microsoft.com server 2003 dns firewall allowed me to find information that eluded the built-in tool. Microsoft, by the way, claims to have made significant improvements to the way their site search engine works. Is it better? I don't know - they trained me not to use it by returning poor results for years. Google is my friend.

Cisco does offer a product alert service which will e-mail you notices like this one when they are published, but you have to have an account with Cisco CCO - which generally means, if you're an end user, that you're carrying a SMARTnet service contract on at least one piece of Cisco equipment.

Those who don't have a SMARTnet contract on their PIX not only probably missed the alert, but also cannot implement the official fix, which is a downloadable update - 3.0(3) or 4.1(2) - to the PDM. The workaround is to uninstall the latest copy of the JRE, and download and install release 1 of the Java 1.5.0 plugin.

And, perhaps, consider springing for a SMARTnet contract on at least one of your Cisco products. It doesn't take many of these kinds of headaches for it to pay for itself.

Outlook's Compelling Autocomplete Illusion

Working with someone who had been issued a brand-new laptop last week made me consider something interesting about Microsoft Outlook - the autocomplete feature works so unobtrusively, and so well, that most users believe that it's doing something that it isn't - and can't.

Autocomplete kicks in when you begin typing in the To:, Cc:, or Bcc: fields of a message. The first character of a name or e-mail address pops up a menu of matching recipients; additional typed characters can disambiguate the list to a single entry (as soon as you've typed enough to distinguish it from all the other names and addresses.) An essentially identical feature fills out commonly used form fields in most web browsers.

It works well, and saves time and typing - especially for those of us whose number of e-mails sent per day exceeds our word-per-minute typing speed!

I've found that most users - including some very computer-savvy people - think that Outlook actually searches their address book in real time as they type. It doesn't. Instead, the first time you type in an address or name, it's added to Outlook's Nickname file. Outlook searches the file each time you begin typing an address, and creates a menu of suggestions from all the matching entries. For those who have been using Outlook for a long time, there are often so many entries that Outlook appears to be searching their entire address book, and the users don't realize (or remember) that an address doesn't autocomplete until it's been used the first time.

The rude awakening generally comes after an upgrade, or a move to a new computer. If the user's Windows profile doesn't follow them to the new computer, they'll complain that Outlook is 'broken' - because it isn't filling in all their addresses anymore. An explanation of how the feature really works - and the implication that they'll have to use each address again before it will autocomplete for them - is generally not well received.

"WHY CAN'T IT WORK LIKE THAT?"

The autocomplete feature is useful because it is near instantaneous - if it took so long to pop up suggestions that it slowed down our typing, it would cease to be a feature, and become an annoyance.

That's why it can't really search your address book in real time. I have a few hundred entries in my Contacts list; my wife easily has three times as many as I do. A reasonably fast computer, with plenty of RAM, could probably deal with my list. I doubt that it could do an acceptable job with my wife's list - unless it cached the entire list in RAM. But not everyone has a 'reasonably fast' computer - and so a significant number of Microsoft's customers would experience performance issues.

And consider another class of Microsoft's customers - exceptionally large enterprises like Boeing. Boeing has somewhere around 160,000 users on a Microsoft Exchange-based e-mail system. Imagine each user's copy of Outlook crunching through close to 200,000 possible recipients and aliases, across the network, all day long. Not only would this make the autocomplete process as slow as molasses, but it would also increase the load on the network, and really increase the load on the domain controllers.

The good news is that, with a little planning, you can move the Nickname file to a new computer. In Outlook 97, 98, and 2000, it was a .nick file; in Outlook 2002 and later, it's .NK2. Ensuring that these files get backed up, and are moved to the user's new computer, will prevent irritated users with 'broken' copies of Outlook.

SOMETIMES YOU WANT IT TO GO AWAY

On the other hand, after an e-mail migration changes the format of most or all of the addresses in an organization, or if someone moves to a new company but retains their laptop, most or all of the autocomplete entries can become invalid. You can reset the autocomplete cache (by renaming the file) to remove all the entries; the Exchange Profile Update Tool (Exprofre.exe) can do this on a wholesale basis if you are migrating hundreds or thousands of users.

It is also possible to remove individual stale or corrupted entries for Outlook 97, 98, and 2000, using the nickname.exe and ol2knick.exe tools. I'm unaware of a similar tool for Outlook 2002 and later - if you are, I'd love to hear about it.